From 7e009b6bfef72e446f75a019e512d832bd7a9c12 Mon Sep 17 00:00:00 2001
From: nganhkhoa
Date: Tue, 19 May 2020 04:24:23 +0700
Subject: [PATCH] add tag to ScanRange
---
 KMDF Driver2/Driver.cpp | 10 +++++-----
 KMDF Driver2/Driver.h | 2 +-
 KMDF Driver2/sioctl.h | 1 +
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/KMDF Driver2/Driver.cpp b/KMDF Driver2/Driver.cpp
index 9bfb600..0d8c6f4 100644
--- a/KMDF Driver2/Driver.cpp
+++ b/KMDF Driver2/Driver.cpp
@@ -126,7 +126,7 @@ DriverControl(PDEVICE_OBJECT /* DriverObject */, PIRP Irp) {
 outputData = (POUTPUT_DATA)MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority | MdlMappingNoExecute);
 scanRange = &(inputData->scanRange);
 DbgPrint("[NAK] :: Range: %llx - %llx", scanRange->start, scanRange->end);
- (outputData->poolChunk).addr = (ULONG64)scanRemote(scanRange->start, scanRange->end);
+ (outputData->poolChunk).addr = (ULONG64)scanRemote(scanRange->start, scanRange->end, scanRange->tag);
 DbgPrint("[NAK] :: Found: %llx", (outputData->poolChunk).addr);
 break;
 case DEREFERENCE_ADDRESS:
@@ -575,12 +575,12 @@ scanLargePool(PVOID /* largePageTableArray */, ULONG64 /* largePageTableSize */)
 }
 PVOID
-scanRemote(ULONG64 startAddress, ULONG64 endAddress) {
+scanRemote(ULONG64 startAddress, ULONG64 endAddress, ULONG tag) {
 POOL_HEADER p;
 PVOID currentAddr = (PVOID)startAddress;
 while (true) {
 if ((ULONG64)currentAddr >= endAddress)
- break;
+ break;
 if (!MmIsAddressValid(currentAddr)) {
 currentAddr = (PVOID)((ULONG64)currentAddr + PAGE_SIZE);
@@ -592,9 +592,9 @@ scanRemote(ULONG64 startAddress, ULONG64 endAddress) {
 if (p.tag == 0) continue;
 if (!validTag(&p)) continue;
- if (!validPool(&p)) continue;
+ // if (!validPool(&p)) continue;
- if (p.tag != 'Proc' && p.tag != 'corP')
+ if (p.tag != tag)
 continue;
 return p.addr;
diff --git a/KMDF Driver2/Driver.h b/KMDF Driver2/Driver.h
index b17f1e4..3407522 100644
--- a/KMDF Driver2/Driver.h
+++ b/KMDF Driver2/Driver.h
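Review bot: `scanRange->tag` is a new field read from the IOCTL input buffer, but no change to the input-length validation is visible in this commit; if DriverControl compares the caller's input length against the size of the input struct (that code, if it exists, is outside the hunk), confirm it now covers the `ULONG tag` appended to SCAN_RANGE, otherwise a client still sending the previous two-ULONG64 layout makes the driver read `tag` past the end of what it supplied. start, end and tag all arrive from user mode on this path, so the scanned range is caller-controlled; that is pre-existing, not introduced here. Since the tag now drives the match, log it with the range for debugging, e.g. `DbgPrint("[NAK] :: Range: %llx - %llx tag %lx", scanRange->start, scanRange->end, scanRange->tag);`. DriverControl starts and ends outside the hunk.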
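Review bot: The new `tag` parameter of scanRemote is undocumented, and because it is compared directly against the raw tag read from the pool header (see the following hunk), callers need to know which form to pass; the removed code accepted both `'Proc'` and `'corP'`, presumably the two byte orders of one tag, so a header comment such as `// tag: pool tag to match, compared as-is against the ULONG in POOL_HEADER (in-memory byte order, not the source-literal order) — confirm against validTag` would settle it. The `break;` change in this hunk is whitespace-only. Note also that `MmIsAddressValid` is only an advisory check (the page can be paged out between the check and the read), so it does not make the user-supplied range safe to touch; that is pre-existing. scanRemote's body continues past the end of the hunk.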
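Review bot: Commenting out `validPool(&p)` removes the only structural check on the candidate pool header, so with a caller-chosen `tag` the function now returns the first address whose four bytes equal `tag` and pass validTag — for a common or printable value that is likely an unrelated chunk, and the address is handed back to user mode as poolChunk.addr. If disabling validPool is deliberate, delete the line rather than leaving commented-out code and add a comment saying why; if not, restore `if (!validPool(&p)) continue;`. Separately, the old comparison matched both `'Proc'` and `'corP'` while `p.tag != tag` matches only the exact value given, so a caller passing the other byte order of the same tag now finds nothing; worth a comment such as `// tag is matched against the raw header value; pass it in in-memory order`. scanRemote's body continues past the end of the hunk.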
@@ -46,7 +46,7 @@ VOID scanLargePool(PVOID largePageTableArray, ULONG64 largePageTableSize);
 PVOID
-scanRemote(ULONG64 startAddress, ULONG64 endAddress);
+scanRemote(ULONG64 startAddress, ULONG64 endAddress, ULONG tag);
 VOID hideProcess(CHAR* name, ULONG64 size);
diff --git a/KMDF Driver2/sioctl.h b/KMDF Driver2/sioctl.h
index dc26980..d49bf80 100644
--- a/KMDF Driver2/sioctl.h
+++ b/KMDF Driver2/sioctl.h
@@ -76,6 +76,7 @@ typedef struct _DEREF_ADDR {
 typedef struct _SCAN_RANGE {
 ULONG64 start;
 ULONG64 end;
+ ULONG tag;
 } SCAN_RANGE, *PSCAN_RANGE;
 typedef struct _HIDE_PROCESS {
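Review bot: Adding `ULONG tag` after two ULONG64 members changes the layout of SCAN_RANGE, which this header shares with the user-mode client: assuming default packing on x64, sizeof grows from 16 to 24 bytes with 4 bytes of tail padding, so the client must be rebuilt against this header and any hard-coded input size in the DeviceIoControl call or in the driver's length check (neither is visible in this diff) has to follow. The field also needs a comment stating how it is interpreted, since the driver compares it as-is against the raw pool-header tag, e.g. `ULONG tag; // pool tag to look for, compared as-is against the raw pool-header tag (in-memory byte order)`. The enclosing typedef is shown in full; the neighbouring structs start and end outside the hunk.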