More progress

2025-07-01 16:51:51 +00:00 · 2022-04-14 20:47:40 +02:00
parent 2acac5bee2
commit e2f73e0aeb
10 changed files with 60 additions and 28 deletions
--- a/src/driver/driver_main.cpp
+++ b/src/driver/driver_main.cpp
@ -126,7 +126,7 @@ namespace
 		};

 		auto* target = reinterpret_cast<uint8_t*>(&NtCreateFile);
-		if (memcmp(target, fixup, sizeof(fixup)))
+		if (memcmp(target, fixup, sizeof(fixup)) != 0)
 		{
 			debug_log("Fixup is invalid\n");
 			return nullptr;
--- a/src/driver/ept.cpp
+++ b/src/driver/ept.cpp
@ -106,9 +106,7 @@ namespace vmx
 		}
 	}

-	ept::ept()
-	{
-	}
+	ept::ept() = default;

 	ept::~ept()
 	{
--- a/src/driver/hypervisor.cpp
+++ b/src/driver/hypervisor.cpp
@ -192,6 +192,11 @@ void hypervisor::disable_all_ept_hooks() const
 	});
 }

+hypervisor* hypervisor::get_instance()
+{
+	return instance;
+}
+
 void hypervisor::enable()
 {
 	const auto cr3 = __readcr3();
--- a/src/driver/hypervisor.hpp
+++ b/src/driver/hypervisor.hpp
@ -22,6 +22,8 @@ public:
 	bool install_ept_hook(void* destination, const void* source, size_t length);
 	void disable_all_ept_hooks() const;

+	static hypervisor* get_instance();
+
 private:
 	uint32_t vm_state_count_{0};
 	vmx::state** vm_states_{nullptr};
--- a/src/driver/irp.cpp
+++ b/src/driver/irp.cpp
@ -7,6 +7,8 @@

 #include <irp_data.hpp>

+#include "process.hpp"
+
 namespace
 {
 	_Function_class_(DRIVER_DISPATCH) NTSTATUS not_supported_handler(PDEVICE_OBJECT /*device_object*/, const PIRP irp)
@ -40,12 +42,26 @@ namespace
 		const auto aligned_address = address & (PAGE_SIZE - 1);
 		const auto offset = address - aligned_address;

-		debug_log("Original: %s\n", request->target_address);
+		debug_log("Pid: %d | Address: %p\n", request->process_id, request->target_address);

-		static uint8_t buffer[PAGE_SIZE * 2]{0};
-		memory::query_process_physical_page(request->process_id, reinterpret_cast<void*>(aligned_address), buffer);
+		auto current_proc = process::get_current_process();
+		if (current_proc)
+		{
+			debug_log("Current: %p\n", current_proc.get_id());
+		}

-		debug_log("Data: %s\n", buffer + offset);
+		//debug_log("Current: %lld\n",PsGetCurrentProcessId());
+
+		/*const auto process_handle = process::find_process_by_id(request->process_id);
+		if(process_handle && process_handle.is_alive())
+		{
+			debug_log("Bad process\n");
+			return;
+		}
+
+		process::scoped_process_attacher attacher{process_handle};
+
+		debug_log("Original: %s\n", request->target_address);*/
 	}

 	_Function_class_(DRIVER_DISPATCH) NTSTATUS io_ctl_handler(
@ -68,7 +84,7 @@ namespace
 				debug_log("Hello from the Driver!\n");
 				break;
 			case HOOK_DRV_IOCTL:
-				//apply_hook(static_cast<hook_request*>(irp_sp->Parameters.DeviceIoControl.Type3InputBuffer));
+				apply_hook(static_cast<hook_request*>(irp_sp->Parameters.DeviceIoControl.Type3InputBuffer));
 				break;
 			default:
 				debug_log("Invalid IOCTL Code: 0x%X\n", ioctr_code);
--- a/src/driver/memory.cpp
+++ b/src/driver/memory.cpp
@ -112,15 +112,4 @@ namespace memory
 		copy_address.PhysicalAddress.QuadPart = static_cast<int64_t>(address);
 		MmCopyMemory(destination, copy_address, length,  MM_COPY_MEMORY_PHYSICAL, &result);
 	}
-
-	uint64_t query_process_physical_page(const uint32_t process_id, void* address,
-	                                             uint8_t buffer[PAGE_SIZE])
-	{
-		const auto process_handle = process::find_process_by_id(process_id);
-
-		process::scoped_process_attacher attacher{process_handle};
-
-		memcpy(buffer, address, PAGE_SIZE);
-		return get_physical_address(address);
-	}
 }
--- a/src/driver/memory.hpp
+++ b/src/driver/memory.hpp
@ -25,8 +25,6 @@ namespace memory

 	void copy_physical_data(uint64_t address, void* destination, size_t length);

-	uint64_t query_process_physical_page(uint32_t process_id, void* address, uint8_t buffer[PAGE_SIZE]);
-
 	template <typename T, typename... Args>
 	T* allocate_aligned_object(Args ... args)
 	{
--- a/src/driver/process.cpp
+++ b/src/driver/process.cpp
@ -47,12 +47,27 @@ namespace process

 	bool process_handle::is_alive() const
 	{
+		if(!this->handle_)
+		{
+			return false;
+		}
+
 		LARGE_INTEGER zero_time{};
 		zero_time.QuadPart = 0;

 		return KeWaitForSingleObject(this->handle_, Executive, KernelMode, FALSE, &zero_time) != STATUS_WAIT_0;
 	}

+	HANDLE process_handle::get_id() const
+	{
+		if(!this->handle_)
+		{
+			return 0;
+		}
+
+		PsGetProcessId(this->handle_);
+	}
+
 	const char* process_handle::get_image_filename() const
 	{
 		if (!this->handle_)
@ -77,7 +92,8 @@ namespace process
 	process_handle find_process_by_id(const uint32_t process_id)
 	{
 		PEPROCESS process{};
-		if (PsLookupProcessByProcessId(HANDLE(process_id), &process) != STATUS_SUCCESS)
+		const uint64_t process_id_long = process_id;
+		if (PsLookupProcessByProcessId(HANDLE(process_id_long), &process) != STATUS_SUCCESS)
 		{
 			return {};
 		}
--- a/src/driver/process.hpp
+++ b/src/driver/process.hpp
@ -19,6 +19,7 @@ namespace process
 		operator PEPROCESS() const;

 		bool is_alive() const;
+		HANDLE get_id() const;

 		const char* get_image_filename() const;