nganhkhoa/lpus-driver
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

find proc chunk successfully

Browse Source
This commit is contained in:
nganhkhoa 2020-02-20 03:40:25 +07:00
parent 9a39e6f3c1
commit 949507ba16
4 changed files with 245 additions and 398 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

342
KMDF Driver2/Driver.cpp
View File

@ -8,7 +8,7 @@
extern "C" DRIVER_INITIALIZE DriverEntry; extern "C" DRIVER_INITIALIZE DriverEntry;
extern "C" DRIVER_UNLOAD UnloadRoutine; extern "C" DRIVER_UNLOAD UnloadRoutine;
extern "C" PDBGKD_GET_VERSION64 FindKdVersionBlock(void); // extern "C" PDBGKD_GET_VERSION64 FindKdVersionBlock(void);
#define NT_DEVICE_NAME L"\\Device\\poolscanner" #define NT_DEVICE_NAME L"\\Device\\poolscanner"
#define DOS_DEVICE_NAME L"\\DosDevices\\poolscanner" #define DOS_DEVICE_NAME L"\\DosDevices\\poolscanner"
@ -21,26 +21,19 @@ extern "C" PDBGKD_GET_VERSION64 FindKdVersionBlock(void);
#define CHUNK_SIZE 16 // 64 bit #define CHUNK_SIZE 16 // 64 bit
// #define PAGE_SIZE 4096 // 4KB // #define PAGE_SIZE 4096 // 4KB
PVOID SelfAllocKernelBuffer = nullptr;
PVOID ChunkAddr = nullptr;
constexpr ULONG POOL_TAG = 'NakD';
NTSTATUS NTSTATUS
DriverEntry( DriverEntry(
_In_ PDRIVER_OBJECT DriverObject, _In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING /* RegistryPath */ _In_ PUNICODE_STRING /* RegistryPath */
) { ) {
DbgPrint("[NAK] :: [+] Hello from Kernel\n"); DbgPrint("[NAK] :: [ ] Hello from Kernel, setup a few things\n");
NTSTATUS returnStatus = STATUS_SUCCESS; NTSTATUS returnStatus = STATUS_SUCCESS;
UNICODE_STRING ntUnicodeString; UNICODE_STRING ntUnicodeString;
UNICODE_STRING ntWin32NameString; UNICODE_STRING ntWin32NameString;
PDEVICE_OBJECT deviceObject = nullptr; PDEVICE_OBJECT deviceObject = nullptr;
constexpr SIZE_T POOL_BUFFER_SIZE = 0x100; // a small chunk
// PVOID kernelBuffer = nullptr;
DriverObject->DriverUnload = UnloadRoutine; DriverObject->DriverUnload = UnloadRoutine;
RtlInitUnicodeString(&ntUnicodeString, NT_DEVICE_NAME); RtlInitUnicodeString(&ntUnicodeString, NT_DEVICE_NAME);
returnStatus = IoCreateDevice( returnStatus = IoCreateDevice(
DriverObject, // Our Driver Object DriverObject, // Our Driver Object
@ -55,6 +48,8 @@ DriverEntry(
return returnStatus; return returnStatus;
} }
DbgPrint("[NAK] :: [+] Setup completed, GO GO GO !!!!\n");
RtlInitUnicodeString(&ntWin32NameString, DOS_DEVICE_NAME); RtlInitUnicodeString(&ntWin32NameString, DOS_DEVICE_NAME);
returnStatus = IoCreateSymbolicLink(&ntWin32NameString, &ntUnicodeString); returnStatus = IoCreateSymbolicLink(&ntWin32NameString, &ntUnicodeString);
if (!NT_SUCCESS(returnStatus)) { if (!NT_SUCCESS(returnStatus)) {
@ -62,81 +57,94 @@ DriverEntry(
IoDeleteDevice(deviceObject); IoDeleteDevice(deviceObject);
} }
DbgPrint("[NAK] :: [+] GO GO GO !"); OSVERSIONINFOW windowsVersionInfo;
RtlGetVersion(&windowsVersionInfo);
DbgPrint("[NAK] :: [ ] Windows version : %lu.%lu.%lu\n",
windowsVersionInfo.dwMajorVersion, windowsVersionInfo.dwMinorVersion, windowsVersionInfo.dwBuildNumber);
// DbgPrint("[NAK] :: [+] Allocating a chunk in NonPagedPool...\n"); if (windowsVersionInfo.dwMajorVersion != 10) {
SelfAllocKernelBuffer = ExAllocatePoolWithTag(NonPagedPool, POOL_BUFFER_SIZE, POOL_TAG); DbgPrint("[NAK] :: [-] Windows version outside 10 is not supported yet!");
PVOID kernelBuffer = SelfAllocKernelBuffer; return returnStatus;
}
// if (!kernelBuffer) { // https://en.wikipedia.org/wiki/Windows_10_version_history
// DbgPrint("[NAK] :: [-] Unable to allocate Pool chunk\n"); VERSION_BY_POOL windowsVersionByPool = WINDOWS_NOT_SUPPORTED;
// returnStatus = STATUS_NO_MEMORY; // TODO: automatically get from parsed PDB file
// return returnStatus; ULONG64 eprocessNameOffset = 0;
// } ULONG64 eprocessLinkOffset = 0;
ULONG64 listBLinkOffset = 0;
ULONG64 processHeadOffset = 0;
ULONG64 miStateOffset = 0;
ULONG64 hardwareOffset = 0;
ULONG64 systemNodeOffset = 0;
ULONG64 firstVaOffset = 0;
ULONG64 lastVaOffset = 0;
// DbgPrint("[NAK] :: [+] Successfully allocated a chunk in NonPagedPool"); // setup offset
ChunkAddr = (PVOID)((long long int)kernelBuffer - POOL_HEADER_SIZE); if (windowsVersionInfo.dwBuildNumber == 17134 || windowsVersionInfo.dwBuildNumber == 17763) {
POOL_HEADER p; // use one POOL_HEADER to index DbgPrint("[NAK] :: [ ] Detected windows : 2018\n");
toPoolHeader(&p, ChunkAddr); windowsVersionByPool = WINDOWS_2018;
printChunkInfo(&p); }
else if (windowsVersionInfo.dwBuildNumber == 18362 || windowsVersionInfo.dwBuildNumber == 18363) {
DbgPrint("[NAK] :: [ ] Detected windows : 2019\n");
windowsVersionByPool = WINDOWS_2019;
}
else if (windowsVersionInfo.dwBuildNumber == 19041) {
DbgPrint("[NAK] :: [ ] Detected windows : 2020\n");
windowsVersionByPool = WINDOWS_2020;
}
else if (windowsVersionInfo.dwBuildNumber >= 19536) {
DbgPrint("[NAK] :: [ ] Detected windows : 2020 Fast Ring\n");
windowsVersionByPool = WINDOWS_2020_FASTRING;
eprocessNameOffset = 0x5a8;
eprocessLinkOffset = 0x448;
listBLinkOffset = 0x8;
processHeadOffset = 0xc1f970;
miStateOffset = 0xc4f200;
hardwareOffset = 0x1580;
systemNodeOffset = 0x20;
firstVaOffset = 0x60;
lastVaOffset = 0x68;
}
// if (p.tag == 'NakD') { if (windowsVersionByPool == WINDOWS_NOT_SUPPORTED) {
// DbgPrint("[NAK] :: [+] tag == 'NakD'"); DbgPrint("[NAK] :: [-] Windows 10 with this build number is not supported yet!");
// } return returnStatus;
// else if (p.tag == 'DkaN') { }
// DbgPrint("[NAK] :: [+] tag == 'DkaN'");
// }
// else {
// DbgPrint("[NAK] :: [-] tag equals something else");
// }
// Try to find `MmNonPagedPoolStart` and `MmNonPagedPoolEnd` /**
// https://web.archive.org/web/20061110120809/http://www.rootkit.com/newsread.php?newsid=153 * Try to find `MmNonPagedPoolStart` and `MmNonPagedPoolEnd`
// KPCR->Version Data->Debugger Data List Entry->Flink *
ULONG64 nonPagedPoolStart = 0; * https://web.archive.org/web/20061110120809/http://www.rootkit.com/newsread.php?newsid=153
ULONG64 nonPagedPoolEnd = 0; * KPCR->KdVersionBlock->Debugger Data List Entry->Flink
*
PDBGKD_GET_VERSION64 kdVersionBlock = nullptr; * This technique is old and cannot be used in Windows 10, Windows 7/8 may fail too,
// PKDDEBUGGER_DATA64 dbgBlock = nullptr; * After research, the result is summary into this README
* https://github.com/nganhkhoa/pdb_for_nonpagedpool
kdVersionBlock = (PDBGKD_GET_VERSION64) FindKdVersionBlock(); *
DbgPrint("[NAK] :: [ ] KdVersionBlock : 0x%p\n", kdVersionBlock); * Basically, find ntoskrnl.exe module address (kernel base) in memory and use offsets parsed from PDB file,
* Finding the kernel base by shellcode is not usable in Windows 2020 Insider Preview,
if (kdVersionBlock == nullptr) { * I use IoGetCurrentProcess and traverse the ActiveProcessLinks linked list,
// The below can be summarized in these few lines of this README * Luckily, the process returned by IoGetCurrentProcess is System (the first process), so the BLINK is nt!PsActiveProcessHead
// https://github.com/nganhkhoa/pdb_for_nonpagedpool * With offset of nt!PsActiveProcessHead parsed from PDB file, we can get the kernel base by subtracting.
DbgPrint("[NAK] :: [ ] Cannot get KdVersionBlock try ntoskrnl+pdb\n"); *
* Then offset to find NonPagedPool{First,Last}Va
// https://www.unknowncheats.me/forum/general-programming-and-reversing/259921-finding-kernel-function-address-user-mode.html *
* In Windows 10, we must use nt!MiState and look into Hardware->NodeInfo,
// seems like this shellcode is wrong for Windows insider Feb 2020 upgrade * there is a slightly different layout/offset to each version of Windows by year?
// shellcode: https://gist.github.com/Barakat/34e9924217ed81fd78c9c92d746ec9c6 * 2015 -> 2016 -> 2018 -> 2019 -> 2020 all have a slight (or big) different
// shellcode is useless in Windows internal 2020 *
// static const UCHAR getNtoskrnlBaseShellcode[] = { **/
// 0x65, 0x48, 0x8B, 0x04, 0x25, 0x38, 0x00, 0x00, 0x00, 0xB9, 0x4D, 0x5A, 0x00, 0x00, 0x48, 0x8B,
// 0x40, 0x04, 0x48, 0x25, 0x00, 0xF0, 0xFF, 0xFF, 0xEB, 0x06, 0x48, 0x2D, 0x00, 0x10, 0x00, 0x00,
// 0x66, 0x39, 0x08, 0x75, 0xF5, 0xC3
// };
// const auto shellPool = ExAllocatePoolWithTag(NonPagedPoolExecute, sizeof(getNtoskrnlBaseShellcode), 'NakD');
// RtlCopyMemory(shellPool, getNtoskrnlBaseShellcode, sizeof(getNtoskrnlBaseShellcode));
// const auto get_ntoskrnl_base_address = reinterpret_cast<void *(*)()>(shellPool);
// PVOID ntosbase = get_ntoskrnl_base_address();
// IoGetCurrentProcess -> PEPROCESS -> ActiveProcessLinks -> FLINK until ImageFileName == "ntoskrnl.exe", get Peb->ImageBaseAddress
// because this is driver, so it will return the System, as the system loads the driver
// system is the first key in ProcessLinks so go back to get the PsActiveProcessHead
// minus the offset from pdb to get the ntoskrnl
// TODO: Exception?????
PVOID eprocess = (PVOID)IoGetCurrentProcess(); PVOID eprocess = (PVOID)IoGetCurrentProcess();
DbgPrint("[NAK] :: [ ] eprocess : 0x%p, [%15s]\n", eprocess, (char*)((ULONG64)eprocess + 0x5a8)); DbgPrint("[NAK] :: [ ] eprocess : 0x%p, [%15s]\n", eprocess, (char*)((ULONG64)eprocess + eprocessNameOffset));
PVOID processHead = (PVOID)(*(ULONG64*)((ULONG64)eprocess + 0x448 + 0x8)); PVOID processHead = (PVOID)(*(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset + listBLinkOffset));
DbgPrint("[NAK] :: [ ] PsActiveProcessHead : 0x%p\n", processHead); DbgPrint("[NAK] :: [ ] PsActiveProcessHead : 0x%p\n", processHead);
PVOID ntosbase = (PVOID)((ULONG64)processHead - 0xc1f970); PVOID ntosbase = (PVOID)((ULONG64)processHead - processHeadOffset);
DbgPrint("[NAK] :: [ ] ntoskrnl.exe : 0x%p\n", ntosbase); DbgPrint("[NAK] :: [ ] ntoskrnl.exe : 0x%p\n", ntosbase);
// ExFreePoolWithTag(shellPool, 'NakD'); // TODO: Check if ntosbase is a PE, and the name is ntoskrnl.exe
// parsing PE file
// https://stackoverflow.com/a/4316804 // https://stackoverflow.com/a/4316804
// https://stackoverflow.com/a/47898643 // https://stackoverflow.com/a/47898643
// https://github.com/Reetus/RazorRE/blob/42f441093bd85443b39fcff5d2a02069b524b114/Crypt/Misc.cpp#L63 // https://github.com/Reetus/RazorRE/blob/42f441093bd85443b39fcff5d2a02069b524b114/Crypt/Misc.cpp#L63
@ -149,38 +157,50 @@ DriverEntry(
// } // }
// } // }
// In Windows 10, the global debug is MiState /**
// dt (_MI_SYSTEM_NODE_NONPAGED_POOL*) (<nt!MiState> + <HARDWHARE_OFFSET> + <NODE_INFO_OFFSET>) * In Windows 10 Insider Preview Feb 2020, the global debug is MiState, try this in windbg and see
// Sample output * `x nt!MiState` to get address of MiState
* `dt _MI_SYSTEM_INFORMATION` to get offset to Hardware
* `dt _MI_HARDWARE_STATE` to get offset to SystemNodeNonPagedPool
* with those offset, use the following command to list the NonPagedPool{First,Last}Va
* `dt (_MI_SYSTEM_NODE_NONPAGED_POOL*) (<nt!MiState> + <HARDWHARE_OFFSET> + <NODE_INFO_OFFSET>)`
* Sample output
*
* +0x000 DynamicBitMapNonPagedPool : _MI_DYNAMIC_BITMAP
* +0x048 CachedNonPagedPoolCount : 0
* +0x050 NonPagedPoolSpinLock : 0
* +0x058 CachedNonPagedPool : (null)
* +0x060 NonPagedPoolFirstVa : 0xffffe580`00000000 Void
* +0x068 NonPagedPoolLastVa : 0xfffff580`00000000 Void
* +0x070 SystemNodeInformation : 0xffffe58f`9283b050 _MI_SYSTEM_NODE_INFORMATION
*
**/
// +0x000 DynamicBitMapNonPagedPool : _MI_DYNAMIC_BITMAP PVOID miState = (PVOID)((ULONG64)ntosbase + miStateOffset);
// +0x048 CachedNonPagedPoolCount : 0
// +0x050 NonPagedPoolSpinLock : 0
// +0x058 CachedNonPagedPool : (null)
// +0x060 NonPagedPoolFirstVa : 0xffffe580`00000000 Void
// +0x068 NonPagedPoolLastVa : 0xfffff580`00000000 Void
// +0x070 SystemNodeInformation : 0xffffe58f`9283b050 _MI_SYSTEM_NODE_INFORMATION
PVOID miState = (PVOID)((ULONG64)ntosbase + 0xc4f200);
PVOID systemNonPageInfo = (PVOID)*(ULONG64*)((ULONG64)miState + 0x1580 + 0x20);
DbgPrint("[NAK] :: [ ] nt!MiState : 0x%p\n", miState); DbgPrint("[NAK] :: [ ] nt!MiState : 0x%p\n", miState);
PVOID systemNonPageInfo = nullptr;
ULONG64 nonPagedPoolStart = 0;
ULONG64 nonPagedPoolEnd = 0;
// use defined formula by windows build number to get those two values
switch (windowsVersionByPool) {
case WINDOWS_2020_FASTRING:
systemNonPageInfo = (PVOID)*(ULONG64*)((ULONG64)miState + hardwareOffset + systemNodeOffset);
DbgPrint("[NAK] :: [ ] &systemNonPageInfo : 0x%p\n", systemNonPageInfo); DbgPrint("[NAK] :: [ ] &systemNonPageInfo : 0x%p\n", systemNonPageInfo);
DbgPrint("[NAK] :: [ ] &NonPagedPoolFirstVa : 0x%p\n", (ULONG64*)((ULONG64)systemNonPageInfo + 0x60)); DbgPrint("[NAK] :: [ ] &NonPagedPoolFirstVa : 0x%p\n", (ULONG64*)((ULONG64)systemNonPageInfo + firstVaOffset));
DbgPrint("[NAK] :: [ ] &NonPagedPoolLastVa : 0x%p\n", (ULONG64*)((ULONG64)systemNonPageInfo + 0x68)); DbgPrint("[NAK] :: [ ] &NonPagedPoolLastVa : 0x%p\n", (ULONG64*)((ULONG64)systemNonPageInfo + lastVaOffset));
nonPagedPoolStart = *(ULONG64*)((ULONG64)systemNonPageInfo + 0x60); nonPagedPoolStart = *(ULONG64*)((ULONG64)systemNonPageInfo + firstVaOffset);
nonPagedPoolEnd = *(ULONG64*)((ULONG64)systemNonPageInfo + 0x68); nonPagedPoolEnd = *(ULONG64*)((ULONG64)systemNonPageInfo + lastVaOffset);
} else { break;
// x32 windows, KdVersionBlock get is usable default:
DbgPrint("[NAK] :: [ ] Successfully get KdVersionBlock, not sure whether this works\n"); break;
// dbgBlock = (PKDDEBUGGER_DATA64) ((PLIST_ENTRY)kdVersionBlock->DebuggerDataList)->Flink;
} }
DbgPrint("[NAK] :: [ ] nonPagedPoolStart : 0x%llx\n", nonPagedPoolStart); DbgPrint("[NAK] :: [+] nonPagedPoolStart : 0x%llx\n", nonPagedPoolStart);
DbgPrint("[NAK] :: [ ] nonPagedPoolEnd : 0x%llx\n", nonPagedPoolEnd); DbgPrint("[NAK] :: [+] nonPagedPoolEnd : 0x%llx\n", nonPagedPoolEnd);
// now wait for user call to scan scan(nonPagedPoolStart, nonPagedPoolEnd);
// current debug mode, scan now
// scan(&p, nonPagedPoolStart, nonPagedPoolEnd);
return returnStatus; return returnStatus;
} }
@ -190,10 +210,6 @@ UnloadRoutine(_In_ PDRIVER_OBJECT DriverObject) {
PDEVICE_OBJECT deviceObject = DriverObject->DeviceObject; PDEVICE_OBJECT deviceObject = DriverObject->DeviceObject;
UNICODE_STRING uniWin32NameString; UNICODE_STRING uniWin32NameString;
if (SelfAllocKernelBuffer != nullptr) {
ExFreePoolWithTag(SelfAllocKernelBuffer, POOL_TAG);
}
RtlInitUnicodeString(&uniWin32NameString, DOS_DEVICE_NAME); RtlInitUnicodeString(&uniWin32NameString, DOS_DEVICE_NAME);
IoDeleteSymbolicLink(&uniWin32NameString); IoDeleteSymbolicLink(&uniWin32NameString);
@ -204,34 +220,24 @@ UnloadRoutine(_In_ PDRIVER_OBJECT DriverObject) {
DbgPrint("[NAK] :: [+] Goodbye from Kernel\n"); DbgPrint("[NAK] :: [+] Goodbye from Kernel\n");
} }
PPOOL_HEADER VOID
toPoolHeader(PPOOL_HEADER p, PVOID chunkAddr) { toPoolHeader(PPOOL_HEADER p, PVOID chunkAddr) {
p->addr = chunkAddr; p->addr = chunkAddr;
__try { p->prevBlockSize = *(USHORT*)((ULONG64) chunkAddr + 0x0) & 0xff;
p->prevBlockSize = *(USHORT*)((long long int) chunkAddr + 0x0) & 0xff; p->poolIndex = *(USHORT*)((ULONG64) chunkAddr + 0x0) >> 8;
p->poolIndex = *(USHORT*)((long long int) chunkAddr + 0x0) >> 8; p->blockSize = *(USHORT*)((ULONG64) chunkAddr + 0x2) & 0xff;
p->blockSize = *(USHORT*)((long long int) chunkAddr + 0x2) & 0xff; p->poolType = *(USHORT*)((ULONG64) chunkAddr + 0x2) >> 8;
p->poolType = *(USHORT*)((long long int) chunkAddr + 0x2) >> 8; p->tag = *(ULONG*)((ULONG64) chunkAddr + 0x4);
p->tag = *(ULONG*)((long long int) chunkAddr + 0x4);
}
__except(EXCEPTION_EXECUTE_HANDLER) {
p->prevBlockSize = 0;
p->poolIndex = 0;
p->poolType = 0;
p->tag = 0;
}
return p;
} }
PPOOL_HEADER VOID
tryNextChunk(PPOOL_HEADER p) { tryNextChunk(PPOOL_HEADER p) {
return toPoolHeader(p, (PVOID)((long long int)p->addr + CHUNK_SIZE)); toPoolHeader(p, (PVOID)((ULONG64)p->addr + CHUNK_SIZE));
} }
bool bool
validTag(PPOOL_HEADER p) { validTag(PPOOL_HEADER p) {
// I know the compiler will optimize for me, so meeh :) // I know the compiler will optimize for me, so meeh :)
__try {
const char a = (char)(p->tag & 0xff); const char a = (char)(p->tag & 0xff);
const char b = (char)((p->tag & 0xff00) >> 8); const char b = (char)((p->tag & 0xff00) >> 8);
const char c = (char)((p->tag & 0xff0000) >> 16); const char c = (char)((p->tag & 0xff0000) >> 16);
@ -244,10 +250,6 @@ validTag(PPOOL_HEADER p) {
!(c >= 0x20 && c <= 0x7e) || !(c >= 0x20 && c <= 0x7e) ||
!(d >= 0x20 && d <= 0x7e)) !(d >= 0x20 && d <= 0x7e))
return false; return false;
}
__except(EXCEPTION_EXECUTE_HANDLER) {
return false;
}
return true; return true;
} }
@ -274,46 +276,68 @@ printChunkInfo(PPOOL_HEADER p) {
} }
VOID VOID
scan(PPOOL_HEADER p, ULONG64 /* nonPagedPoolStart */, ULONG64 /* nonPagedPoolEnd */) { scan(ULONG64 nonPagedPoolStart, ULONG64 nonPagedPoolEnd) {
DbgPrint("[NAK] :: [+] Scanning\n"); DbgPrint("[NAK] :: [+] Scanning\n");
// scan by moving up and down 16 bytes? /*
// Or by moving by BlockSize and PreviousBlockSize? * The name nonpaged pool is quite misunderstanding,
* the correct definition of a nonpaged pool is a pool which remains on the nonpaged region
* nonpaged region is a range of address inside the kernel virtual address that has
* a correspoding page in the physical memory (RAM)
*
* Which is, if there is a **valid** page in nonpaged pool, there is a correspoding page in RAM
* The OS will allocate a page in this nonpaged region with a page in RAM when a new page
* is requested to be nonpaged and there is no space left in current allocated nonpaged region.
*
* That is, if the address lies in the nonpaged region but is not allocated yet to have a
* backed paged on RAM, then a bug check will occur. The name is `PAGE FAULT IN NONPAGED AREA`
*
**/
// Also, when to stop? POOL_HEADER p;
const ULONG64 headerSize = 0x10;
PVOID currentAddr = (PVOID)(nonPagedPoolStart);
while (true) {
if ((ULONG64)currentAddr >= nonPagedPoolEnd)
break;
// int i = 0; /*
for (p = tryNextChunk(p); * BOOLEAN MmIsAddressValid(PVOID)
(long long int)p->addr < 0xFFFFFFFFFFFFFFFF; *
p = tryNextChunk(p)) * Warning We do not recommend using this function.
{ *
// if (i++ >= 100000) break; * If no page fault would occur from reading or writing at the given virtual address,
if (p->tag == 0) continue; * MmIsAddressValid returns TRUE.
if (!validTag(p)) continue; *
* Even if MmIsAddressValid returns TRUE, accessing the address can cause page faults
printChunkInfo(p); * unless the memory has been locked down or the address **is a valid nonpaged pool address**.
*
// if (p->poolIndex == 0) { * Well, we got a nonpaged pool address, so it is good
// DbgPrint("[NAK] :: [+] Seems like we hit the first pool chunk"); *
// break; **/
// } if (!MmIsAddressValid(currentAddr)) {
if (p->tag != 'Proc' && p->tag != 'corP') // Because a chunk pool reside on a page, so we check on page alignment
currentAddr = (PVOID)((ULONG64)currentAddr + PAGE_SIZE);
continue; continue;
}
// TODO: perform scan in one page, use BlockSize/PreviousBlockSize
toPoolHeader(&p, (PVOID)currentAddr);
currentAddr = (PVOID)((ULONG64)currentAddr + headerSize);
if (p.tag == 0) continue;
if (!validTag(&p)) continue;
if (p.tag != 'Proc' && p.tag != 'corP')
continue;
// TODO: Parse data as _EPROCESS
// The first Proc found seems to be the EPROCESS from IoGetCurrentProcess
// But it was offset 0x40
printChunkInfo(&p);
DbgPrint("[NAK] :: [+] HEY EPROCESS POOL CHUNK"); DbgPrint("[NAK] :: [+] HEY EPROCESS POOL CHUNK");
break; break;
} }
DbgPrint("[NAK] :: [+] Finish scanning"); DbgPrint("[NAK] :: [+] Finish scanning");
// go up
// for (;
// KernelBuffer = (PVOID)((long long int)chunk_addr + blockSize);
// ) {
// }
// go down
// for (;
// KernelBuffer = (PVOID)((long long int)chunk_addr - prevBlockSize);
// ) {
// }
} }

220
KMDF Driver2/Driver.h
View File

@ -10,220 +10,18 @@ typedef struct _POOL_HEADER {
ULONG tag; ULONG tag;
} POOL_HEADER, *PPOOL_HEADER; } POOL_HEADER, *PPOOL_HEADER;
struct _MI_SYSTEM_NODE_NONPAGED_POOL { enum VERSION_BY_POOL {
char reserved[0x60]; WINDOWS_2018,
PVOID NonPagedPoolFirstVa; WINDOWS_2019,
PVOID NonPagedPoolLastVa; WINDOWS_2020,
WINDOWS_2020_FASTRING,
WINDOWS_NOT_SUPPORTED
}; };
typedef struct _DBGKD_GET_VERSION64 { VOID
USHORT MajorVersion;
USHORT MinorVersion;
UCHAR ProtocolVersion;
UCHAR KdSecondaryVersion;
USHORT Flags;
USHORT MachineType;
UCHAR MaxPacketType;
UCHAR MaxStateChange;
UCHAR MaxManipulate;
UCHAR Simulation;
USHORT Unused[1];
ULONG64 KernBase;
ULONG64 PsLoadedModuleList;
ULONG64 DebuggerDataList;
} DBGKD_GET_VERSION64, *PDBGKD_GET_VERSION64;
typedef struct _DBGKD_DEBUG_DATA_HEADER64 {
LIST_ENTRY64 List;
ULONG OwnerTag;
ULONG Size;
} DBGKD_DEBUG_DATA_HEADER64, *PDBGKD_DEBUG_DATA_HEADER64;
typedef struct _KDDEBUGGER_DATA64 {
DBGKD_DEBUG_DATA_HEADER64 Header;
ULONG64 KernBase;
ULONG64 BreakpointWithStatus;
ULONG64 SavedContext;
USHORT ThCallbackStack;
USHORT NextCallback;
USHORT FramePointer;
USHORT PaeEnabled:1;
// https://web.archive.org/web/20061110120809/http://www.rootkit.com/newsread.php?newsid=153
ULONG64 KiCallUserMode;
ULONG64 KeUserCallbackDispatcher;
ULONG64 PsLoadedModuleList;
ULONG64 PsActiveProcessHead;
ULONG64 PspCidTable;
ULONG64 ExpSystemResourcesList;
ULONG64 ExpPagedPoolDescriptor;
ULONG64 ExpNumberOfPagedPools;
ULONG64 KeTimeIncrement;
ULONG64 KeBugCheckCallbackListHead;
ULONG64 KiBugcheckData;
ULONG64 IopErrorLogListHead;
ULONG64 ObpRootDirectoryObject;
ULONG64 ObpTypeObjectType;
ULONG64 MmSystemCacheStart;
ULONG64 MmSystemCacheEnd;
ULONG64 MmSystemCacheWs;
ULONG64 MmPfnDatabase;
ULONG64 MmSystemPtesStart;
ULONG64 MmSystemPtesEnd;
ULONG64 MmSubsectionBase;
ULONG64 MmNumberOfPagingFiles;
ULONG64 MmLowestPhysicalPage;
ULONG64 MmHighestPhysicalPage;
ULONG64 MmNumberOfPhysicalPages;
ULONG64 MmMaximumNonPagedPoolInBytes;
ULONG64 MmNonPagedSystemStart;
ULONG64 MmNonPagedPoolStart;
ULONG64 MmNonPagedPoolEnd;
ULONG64 MmPagedPoolStart;
ULONG64 MmPagedPoolEnd;
ULONG64 MmPagedPoolInformation;
ULONG64 MmPageSize;
ULONG64 MmSizeOfPagedPoolInBytes;
ULONG64 MmTotalCommitLimit;
ULONG64 MmTotalCommittedPages;
ULONG64 MmSharedCommit;
ULONG64 MmDriverCommit;
ULONG64 MmProcessCommit;
ULONG64 MmPagedPoolCommit;
ULONG64 MmExtendedCommit;
ULONG64 MmZeroedPageListHead;
ULONG64 MmFreePageListHead;
ULONG64 MmStandbyPageListHead;
ULONG64 MmModifiedPageListHead;
ULONG64 MmModifiedNoWritePageListHead;
ULONG64 MmAvailablePages;
ULONG64 MmResidentAvailablePages;
ULONG64 PoolTrackTable;
ULONG64 NonPagedPoolDescriptor;
ULONG64 MmHighestUserAddress;
ULONG64 MmSystemRangeStart;
ULONG64 MmUserProbeAddress;
ULONG64 KdPrintCircularBuffer;
ULONG64 KdPrintCircularBufferEnd;
ULONG64 KdPrintWritePointer;
ULONG64 KdPrintRolloverCount;
ULONG64 MmLoadedUserImageList;
// NT 5.1 Addition
ULONG64 NtBuildLab;
ULONG64 KiNormalSystemCall;
// NT 5.0 QFE addition
ULONG64 KiProcessorBlock;
ULONG64 MmUnloadedDrivers;
ULONG64 MmLastUnloadedDriver;
ULONG64 MmTriageActionTaken;
ULONG64 MmSpecialPoolTag;
ULONG64 KernelVerifier;
ULONG64 MmVerifierData;
ULONG64 MmAllocatedNonPagedPool;
ULONG64 MmPeakCommitment;
ULONG64 MmTotalCommitLimitMaximum;
ULONG64 CmNtCSDVersion;
// NT 5.1 Addition
ULONG64 MmPhysicalMemoryBlock;
ULONG64 MmSessionBase;
ULONG64 MmSessionSize;
ULONG64 MmSystemParentTablePage;
// Server 2003 addition
ULONG64 MmVirtualTranslationBase;
USHORT OffsetKThreadNextProcessor;
USHORT OffsetKThreadTeb;
USHORT OffsetKThreadKernelStack;
USHORT OffsetKThreadInitialStack;
USHORT OffsetKThreadApcProcess;
USHORT OffsetKThreadState;
USHORT OffsetKThreadBStore;
USHORT OffsetKThreadBStoreLimit;
USHORT SizeEProcess;
USHORT OffsetEprocessPeb;
USHORT OffsetEprocessParentCID;
USHORT OffsetEprocessDirectoryTableBase;
USHORT SizePrcb;
USHORT OffsetPrcbDpcRoutine;
USHORT OffsetPrcbCurrentThread;
USHORT OffsetPrcbMhz;
USHORT OffsetPrcbCpuType;
USHORT OffsetPrcbVendorString;
USHORT OffsetPrcbProcStateContext;
USHORT OffsetPrcbNumber;
USHORT SizeEThread;
ULONG64 KdPrintCircularBufferPtr;
ULONG64 KdPrintBufferSize;
ULONG64 KeLoaderBlock;
USHORT SizePcr;
USHORT OffsetPcrSelfPcr;
USHORT OffsetPcrCurrentPrcb;
USHORT OffsetPcrContainedPrcb;
USHORT OffsetPcrInitialBStore;
USHORT OffsetPcrBStoreLimit;
USHORT OffsetPcrInitialStack;
USHORT OffsetPcrStackLimit;
USHORT OffsetPrcbPcrPage;
USHORT OffsetPrcbProcStateSpecialReg;
USHORT GdtR0Code;
USHORT GdtR0Data;
USHORT GdtR0Pcr;
USHORT GdtR3Code;
USHORT GdtR3Data;
USHORT GdtR3Teb;
USHORT GdtLdt;
USHORT GdtTss;
USHORT Gdt64R3CmCode;
USHORT Gdt64R3CmTeb;
ULONG64 IopNumTriageDumpDataBlocks;
ULONG64 IopTriageDumpDataBlocks;
// Longhorn addition
ULONG64 VfCrashDataBlock;
} KDDEBUGGER_DATA64, *PKDDEBUGGER_DATA64;
PPOOL_HEADER
toPoolHeader(PPOOL_HEADER p, PVOID chunkAddr); toPoolHeader(PPOOL_HEADER p, PVOID chunkAddr);
PPOOL_HEADER VOID
tryNextChunk(PPOOL_HEADER p); tryNextChunk(PPOOL_HEADER p);
bool bool
@ -236,6 +34,6 @@ VOID
printChunkInfo(PPOOL_HEADER p); printChunkInfo(PPOOL_HEADER p);
VOID VOID
scan(PPOOL_HEADER p, ULONG64 nonPagedPoolStart, ULONG64 nonPagedPoolEnd); scan(ULONG64 nonPagedPoolStart, ULONG64 nonPagedPoolEnd);
#endif #endif

1
KMDF Driver2/KMDF Driver2.vcxproj
View File

@ -124,6 +124,7 @@
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor> <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<Inf2CatUseLocalTime>true</Inf2CatUseLocalTime>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor> <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>

24
first_proc_chunk.txt Normal file
View File

@ -0,0 +1,24 @@
00000001 0.00000000 [NAK] :: [ ] Hello from Kernel, setup a few things
00000002 0.00001790 [NAK] :: [+] Setup completed, GO GO GO !!!!
00000003 0.00003500 [NAK] :: [ ] Windows version : 10.0.19564
00000004 0.00003650 [NAK] :: [ ] Detected windows : 2020 Fast Ring
00000005 0.00003880 [NAK] :: [ ] eprocess : 0xFFFFB0078D8BE040, [ System]
00000006 0.00004050 [NAK] :: [ ] PsActiveProcessHead : 0xFFFFF80465E1F970
00000007 0.00004200 [NAK] :: [ ] ntoskrnl.exe : 0xFFFFF80465200000
00000008 0.00004350 [NAK] :: [ ] nt!MiState : 0xFFFFF80465E4F200
00000009 0.00004500 [NAK] :: [ ] &systemNonPageInfo : 0xFFFFD10180016010
00000010 0.00004640 [NAK] :: [ ] &NonPagedPoolFirstVa : 0xFFFFD10180016070
00000011 0.00004790 [NAK] :: [ ] &NonPagedPoolLastVa : 0xFFFFD10180016078
00000012 0.00004970 [NAK] :: [+] nonPagedPoolStart : 0xffffb00000000000
00000013 0.00005130 [NAK] :: [+] nonPagedPoolEnd : 0xffffc00000000000
00000014 0.00005230 [NAK] :: [+] Scanning
00000015 0.08150540 [NAK] :: [+] ==== PoolStart 0xFFFFB0078D8BE000 ====
00000016 0.08150930 [NAK] :: [|] PreviousSize : 0x0
00000017 0.08151110 [NAK] :: [|] PoolIndex : 0xfb
00000018 0.08151260 [NAK] :: [|] BlockSize : 0xf00
00000019 0.08151400 [NAK] :: [|] PoolType : 0x2
00000020 0.08151630 [NAK] :: [|] PoolTag : 0x636f7250 [Proc]
00000021 0.08151850 [NAK] :: [+] ==== PoolEnd 0xFFFFB0078D8BE000 ====
00000022 0.08152020 [NAK] :: [+] HEY EPROCESS POOL CHUNK
00000023 0.08152160 [NAK] :: [+] Finish scanning
00000024 2.03572369 [NAK] :: [+] Goodbye from Kernel