# LPUS (A live pool-tag scanning solution)
This is the frontend to the live pool-tag scanning solution; the backend is a kernel driver (now closed source).
## How this works
In short: we use PDB files to get the global-variable offsets and structure definitions.
The backend finds the kernel base and uses these values to calculate the nonpaged-pool range.
A more detailed write-up is in [nonpaged-pool-range.md](nonpaged-pool-range.md).
The frontend calls the backend to scan that range for a specific pool tag.
## How to use
Example is [here](./src/bin/eprocess_scan.rs).
```rust
use std::error::Error;

use lpus::driver_state::DriverState;

fn main() -> Result<(), Box<dyn Error>> {
    let mut driver = DriverState::new();
    println!("NtLoadDriver() -> 0x{:x}", driver.startup());
    // The closure is called once per block carrying the tag "Tag ".
    // Parse `header` / dereference `data_addr` here; it must yield Ok(bool).
    driver.scan_pool(b"Tag ", |pool_addr, header, data_addr| {
        let _ = (pool_addr, header, data_addr);
        Ok(true)
    })?;
    println!("NtUnloadDriver() -> 0x{:x}", driver.shutdown());
    Ok(())
}
```

The closure is an `FnMut`, so you can capture a vector in it and save the results there.
The function signature for the closure is: `FnMut(u64, &[u8], u64) -> Result<bool, std::error::Error>`
Parsing the struct data is up to you.
Use `driver.deref_addr(addr, &value)` to dereference an address in kernel space
and `driver.pdb_store.get_offset_r("offset")?` to get an offset from the PDB file.
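
The header-to-header walk the backend performs over the nonpaged-pool range, together with the collect-into-a-vector closure pattern from the usage section above, as an added stand-alone example. This is not lpus code and never touches the driver: it parses the classic 16-byte x64 `_POOL_HEADER` layout (an assumption taken from public Windows symbols, not from the project) over a constructed byte buffer that stands in for a pool range. `PoolHeader`, `scan_pool_image`, `find_tag` and `sample_pool` are names chosen here; the callback shape `FnMut(u64, &[u8], u64) -> Result<bool, _>` mirrors the README's, and passing the raw header bytes as its second argument is an assumption.

```rust
use std::error::Error;

/// Assumed classic x64 `_POOL_HEADER`: PreviousSize:8, PoolIndex:8, BlockSize:8,
/// PoolType:8, then a 4-byte tag and the 8-byte ProcessBilled union.
pub const POOL_HEADER_SIZE: usize = 16;
/// BlockSize and PreviousSize are counted in 16-byte units on x64.
pub const POOL_GRANULARITY: usize = 16;
/// High bit of the last tag byte marks a "protected" allocation; cleared before comparing.
const PROTECTED_POOL_BIT: u8 = 0x80;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PoolHeader {
    pub previous_size: u8,
    pub pool_index: u8,
    pub block_size: u8,
    pub pool_type: u8,
    pub tag: [u8; 4],
    pub process_billed: u64,
}

impl PoolHeader {
    /// Decode a header from raw little-endian bytes; `None` if the slice is too short.
    pub fn parse(raw: &[u8]) -> Option<PoolHeader> {
        if raw.len() < POOL_HEADER_SIZE {
            return None;
        }
        let mut tag = [0u8; 4];
        tag.copy_from_slice(&raw[4..8]);
        let mut billed = [0u8; 8];
        billed.copy_from_slice(&raw[8..16]);
        Some(PoolHeader {
            previous_size: raw[0],
            pool_index: raw[1],
            block_size: raw[2],
            pool_type: raw[3],
            tag,
            process_billed: u64::from_le_bytes(billed),
        })
    }

    /// Tag with the protected-pool bit cleared, so "Proc" and protected "Proc" match.
    pub fn clean_tag(&self) -> [u8; 4] {
        let mut t = self.tag;
        t[3] &= !PROTECTED_POOL_BIT;
        t
    }
}

/// Walk `pool`, a byte image of a nonpaged-pool range whose first byte lives at
/// virtual address `base`, and call `cb(pool_addr, header_bytes, data_addr)` for
/// each block whose tag matches. Returns the hit count; `cb` returning Ok(false)
/// stops the walk early. Each header's PreviousSize must link back to the block
/// before it; a broken link means we left a valid chain (free or corrupt memory).
pub fn scan_pool_image<F>(pool: &[u8], base: u64, tag: &[u8; 4], mut cb: F)
    -> Result<usize, Box<dyn Error>>
where
    F: FnMut(u64, &[u8], u64) -> Result<bool, Box<dyn Error>>,
{
    let (mut offset, mut prev_units, mut hits) = (0usize, 0u8, 0usize);
    while offset + POOL_HEADER_SIZE <= pool.len() {
        let hdr = PoolHeader::parse(&pool[offset..]).expect("length checked above");
        if hdr.block_size == 0 || (offset > 0 && hdr.previous_size != prev_units) {
            return Err(format!("broken pool chain at offset {:#x}", offset).into());
        }
        if &hdr.clean_tag() == tag {
            hits += 1;
            let pool_addr = base + offset as u64;
            let data_addr = pool_addr + POOL_HEADER_SIZE as u64;
            if !cb(pool_addr, &pool[offset..offset + POOL_HEADER_SIZE], data_addr)? {
                break;
            }
        }
        prev_units = hdr.block_size;
        offset += hdr.block_size as usize * POOL_GRANULARITY;
    }
    Ok(hits)
}

/// The "capture a vector in the closure" pattern: (pool_addr, data_addr) of every hit.
pub fn find_tag(pool: &[u8], base: u64, tag: &[u8; 4]) -> Result<Vec<(u64, u64)>, Box<dyn Error>> {
    let mut found = Vec::new();
    scan_pool_image(pool, base, tag, |pool_addr, header, data_addr| {
        debug_assert_eq!(header.len(), POOL_HEADER_SIZE);
        found.push((pool_addr, data_addr));
        Ok(true)
    })?;
    Ok(found)
}

/// One constructed block: header followed by `fill` bytes of data.
fn make_block(prev_units: u8, units: u8, tag: &[u8; 4], fill: u8) -> Vec<u8> {
    let mut block = vec![fill; units as usize * POOL_GRANULARITY];
    block[0] = prev_units;
    block[1] = 0; // PoolIndex
    block[2] = units; // BlockSize
    block[3] = 0; // PoolType: NonPagedPool
    block[4..8].copy_from_slice(tag);
    block[8..16].fill(0); // ProcessBilled
    block
}

/// Constructed 224-byte "pool": Free, Proc, Thre, then a protected Proc block.
pub fn sample_pool() -> Vec<u8> {
    let mut pool = Vec::new();
    pool.extend(make_block(0, 2, b"Free", 0x00));
    pool.extend(make_block(2, 4, b"Proc", 0x41));
    pool.extend(make_block(4, 3, b"Thre", 0x42));
    pool.extend(make_block(3, 5, &[b'P', b'r', b'o', b'c' | PROTECTED_POOL_BIT], 0x43));
    pool
}

fn main() -> Result<(), Box<dyn Error>> {
    let base = 0xffff_8000_1000_0000u64; // assumed start of the scanned range
    for (pool_addr, data_addr) in find_tag(&sample_pool(), base, b"Proc")? {
        println!("Proc block at {:#x}, data at {:#x}", pool_addr, data_addr);
    }
    Ok(())
}
```

Against real memory the driver would replace `sample_pool()` with the range computed from the PDB offsets, and the closure body would use `deref_addr` on `data_addr` to read the object behind the header; the chain check is what keeps a scanner from reporting garbage once it has walked off the end of a live allocation run.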