Update lpus

File scan printing update
Update values sent to driver in ioctl for Windows 10 2019/2018
nganhkhoa 2020-06-02 16:27:29 +07:00
parent 4bf2bb71ff
commit c8ce82e8a7
2 changed files with 21 additions and 4 deletions


@ -40,13 +40,14 @@ fn main() -> Result<(), Box<dyn Error>> {
println!("pool: 0x{:x} | file object: 0x{:x} | offsetby: 0x{:x}", pool_addr, fob_addr, fob_addr - pool_addr);
if read_ok == 0 {
println!(" [NOT READABLE]");
return Ok(true);
}
if let Ok(filename) = driver.get_unicode_string(fob_addr + fob_filename_offset, true) {
else if let Ok(filename) = driver.get_unicode_string(fob_addr + fob_filename_offset, true) {
println!(" {}", filename);
return Ok(true);
}
Ok(false)
else {
println!(" [NOT A VALID _UNICODE_STRING]");
}
Ok(true)
})?;
println!("NtUnloadDriver() -> 0x{:x}", driver.shutdown());
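Review bot: Every path through this closure now ends in `Ok(true)`, including the `[NOT READABLE]` and `[NOT A VALID _UNICODE_STRING]` branches, where the previous version appears to have returned `Ok(false)` when the name could not be decoded. What the scanner does with that boolean is not visible here (the closure and `main` begin above the hunk), but if it marks a validated hit, pool-tag false positives are now reported as file objects. Either keep `Ok(false)` in the two failure branches or document the intent above the final return, e.g. `// always continue the scan; the return value does not signal validity`. The decoded name comes from scanned kernel memory, so printing it with `{:?}` instead of `{}` would keep stray control characters from reaching the terminal.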


@ -36,7 +36,23 @@ impl OffsetData {
large_page_size_offset: pdb_store.get_offset("PoolBigPageTableSize").unwrap_or(0u64),
pool_chunk_size: pdb_store.get_offset("_POOL_HEADER.struct_size").unwrap_or(0u64),
},
WindowsVersion::Windows10_2019 |
WindowsVersion::Windows10_2018 => Self {
eprocess_name_offset: pdb_store.get_offset("_EPROCESS.ImageFileName").unwrap_or(0u64),
eprocess_link_offset: pdb_store.get_offset("_EPROCESS.ActiveProcessLinks").unwrap_or(0u64),
list_blink_offset: pdb_store.get_offset("_LIST_ENTRY.Blink").unwrap_or(0u64),
process_head_offset: pdb_store.get_offset("PsActiveProcessHead").unwrap_or(0u64),
mistate_offset: pdb_store.get_offset("MiState").unwrap_or(0u64),
hardware_offset: pdb_store.get_offset("_MI_SYSTEM_INFORMATION.Hardware").unwrap_or(0u64),
system_node_offset: pdb_store.get_offset("_MI_HARDWARE_STATE.SystemNodeInformation").unwrap_or(0u64),
first_va_offset: pdb_store.get_offset("_MI_SYSTEM_NODE_INFORMATION.NonPagedPoolFirstVa").unwrap_or(0u64),
last_va_offset: pdb_store.get_offset("_MI_SYSTEM_NODE_INFORMATION.NonPagedPoolLastVa").unwrap_or(0u64),
large_page_table_offset: pdb_store.get_offset("PoolBigPageTable").unwrap_or(0u64),
large_page_size_offset: pdb_store.get_offset("PoolBigPageTableSize").unwrap_or(0u64),
pool_chunk_size: pdb_store.get_offset("_POOL_HEADER.struct_size").unwrap_or(0u64),
},
// TODO: Add other version of Windows here
// TODO: Warn user of unknown windows version, because BSOD will occur
_ => Self {
eprocess_name_offset: 0u64,
eprocess_link_offset: 0u64,
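Review bot: Each lookup in the new `Windows10_2019 | Windows10_2018` arm ends in `.unwrap_or(0u64)`, so a symbol missing from the PDB silently becomes offset 0 and, going by the commit description, is then sent to the driver in the ioctl. The TODO just below already notes that an unknown version ends in a BSOD; a zero offset for something like `PoolBigPageTable` would presumably point the driver at the wrong kernel address in the same way. Prefer failing closed: refuse to build `OffsetData` (or to issue the ioctl) when any lookup is missing, e.g. `pdb_store.get_offset("_EPROCESS.ImageFileName").ok_or("missing _EPROCESS.ImageFileName")?` if `get_offset` returns an `Option` and the constructor can return a `Result`. The arm also appears to repeat the preceding arm's lookups (its last lines at the top of the hunk are identical), so adding the two versions to that arm's pattern may be enough; the `match` and the fallback arm continue outside the hunk.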