add tag to ScanRange

nganhkhoa 2020-05-19 04:24:23 +07:00
parent 439f691d56
commit 7e009b6bfe
3 changed files with 7 additions and 6 deletions


@ -126,7 +126,7 @@ DriverControl(PDEVICE_OBJECT /* DriverObject */, PIRP Irp) {
outputData = (POUTPUT_DATA)MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority | MdlMappingNoExecute); outputData = (POUTPUT_DATA)MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority | MdlMappingNoExecute);
scanRange = &(inputData->scanRange); scanRange = &(inputData->scanRange);
DbgPrint("[NAK] :: Range: %llx - %llx", scanRange->start, scanRange->end); DbgPrint("[NAK] :: Range: %llx - %llx", scanRange->start, scanRange->end);
(outputData->poolChunk).addr = (ULONG64)scanRemote(scanRange->start, scanRange->end); (outputData->poolChunk).addr = (ULONG64)scanRemote(scanRange->start, scanRange->end, scanRange->tag);
DbgPrint("[NAK] :: Found: %llx", (outputData->poolChunk).addr); DbgPrint("[NAK] :: Found: %llx", (outputData->poolChunk).addr);
break; break;
case DEREFERENCE_ADDRESS: case DEREFERENCE_ADDRESS:
@ -575,7 +575,7 @@ scanLargePool(PVOID /* largePageTableArray */, ULONG64 /* largePageTableSize */)
} }
PVOID PVOID
scanRemote(ULONG64 startAddress, ULONG64 endAddress) { scanRemote(ULONG64 startAddress, ULONG64 endAddress, ULONG tag) {
POOL_HEADER p; POOL_HEADER p;
PVOID currentAddr = (PVOID)startAddress; PVOID currentAddr = (PVOID)startAddress;
while (true) { while (true) {
@ -592,9 +592,9 @@ scanRemote(ULONG64 startAddress, ULONG64 endAddress) {
if (p.tag == 0) continue; if (p.tag == 0) continue;
if (!validTag(&p)) continue; if (!validTag(&p)) continue;
if (!validPool(&p)) continue; // if (!validPool(&p)) continue;
if (p.tag != 'Proc' && p.tag != 'corP') if (p.tag != tag)
continue; continue;
return p.addr; return p.addr;
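Review bot: The `validPool(&p)` check is commented out instead of removed, so a candidate chunk now passes on a non-zero tag, `validTag`, and an exact tag match alone; if disabling that sanity check is deliberate, replace the dead line with a comment stating why, otherwise restore `if (!validPool(&p)) continue;`. The exact comparison `if (p.tag != tag)` also drops the byte-swapped alternative the old code accepted alongside `'Proc'`, so callers must now pass the tag in the byte order it is stored in POOL_HEADER; that contract belongs in a comment on the scanRemote declaration in the header changed by this commit. Since `tag` arrives from `inputData->scanRange` via the IRP, logging it with the range would help trace mismatches, e.g. `DbgPrint("[NAK] :: Range: %llx - %llx tag: %lx", scanRange->start, scanRange->end, scanRange->tag);`. Both DriverControl and scanRemote extend beyond the hunks shown.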


@ -46,7 +46,7 @@ VOID
scanLargePool(PVOID largePageTableArray, ULONG64 largePageTableSize); scanLargePool(PVOID largePageTableArray, ULONG64 largePageTableSize);
PVOID PVOID
scanRemote(ULONG64 startAddress, ULONG64 endAddress); scanRemote(ULONG64 startAddress, ULONG64 endAddress, ULONG tag);
VOID VOID
hideProcess(CHAR* name, ULONG64 size); hideProcess(CHAR* name, ULONG64 size);


@ -76,6 +76,7 @@ typedef struct _DEREF_ADDR {
typedef struct _SCAN_RANGE { typedef struct _SCAN_RANGE {
ULONG64 start; ULONG64 start;
ULONG64 end; ULONG64 end;
ULONG tag;
} SCAN_RANGE, *PSCAN_RANGE; } SCAN_RANGE, *PSCAN_RANGE;
typedef struct _HIDE_PROCESS { typedef struct _HIDE_PROCESS {
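Review bot: Appending `ULONG tag;` after two ULONG64 members grows SCAN_RANGE from 16 to 24 bytes (4 of them tail padding), and this struct is read from the user-mode IOCTL input buffer, so whatever input-length check the driver performs (not visible in this commit) must be based on the new `sizeof(SCAN_RANGE)` and the user-mode client must be rebuilt against this header, or the kernel reads a tag from uninitialised or out-of-range bytes. The field's meaning and byte order are undocumented; a comment such as `ULONG tag; // pool tag as stored in POOL_HEADER, e.g. 'Proc'` would make the caller's contract explicit. The same byte-order note applies to the new `tag` parameter of scanRemote in the header section above.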