kernel mode scan process pattern

/*
 * Compare the bytes at pData with the pattern bytes bMask, position by
 * position, for as many positions as the mask string szMask has characters.
 * A mask character of 'x' means the byte must match; any other character is
 * a wildcard and that position is skipped.
 *
 * Returns non-zero when every 'x' position matched (i.e. the mask string was
 * consumed without a mismatch), 0 otherwise.
 *
 * pData and bMask are each read for strlen(szMask) bytes; the caller is
 * responsible for both being readable for that length.
 */
BOOLEAN bDataCompare(const UCHAR* pData, const UCHAR* bMask, const char* szMask)
{
    const char* maskChar = szMask;
    const UCHAR* dataByte = pData;
    const UCHAR* patternByte = bMask;

    while (*maskChar != '\0')
    {
        BOOLEAN mustMatch = (*maskChar == 'x');
        if (mustMatch && *dataByte != *patternByte)
        {
            return 0;
        }
        ++maskChar;
        ++dataByte;
        ++patternByte;
    }

    /* Only reached once the mask is exhausted, so this is always true here. */
    return (*maskChar == '\0');
}
 
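/*
 * Linear scan of [dwAddress, dwAddress + dwLen) for the first occurrence of
 * the byte pattern bMask under mask szMask ('x' = byte must match, any other
 * mask character = wildcard; see bDataCompare).
 *
 * Parameters:
 *   dwAddress - first address of the region to scan.
 *   dwLen     - length of the region in bytes.
 *   bMask     - pattern bytes, at least strlen(szMask) of them.
 *   szMask    - NUL-terminated mask string; its length is the pattern length.
 *
 * Returns the address of the first match, or 0 when there is no match, when
 * the mask is empty, or when the pattern is longer than the region.
 *
 * Each candidate start address is checked with MmIsAddressValid so unmapped
 * pages are skipped instead of faulted on. Only the candidate's first byte is
 * checked that way; a pattern that straddles into an unmapped page can still
 * fault, which is why the caller runs this inside __try.
 *
 * Fix: the original loop tried every offset up to dwLen - 1 and let
 * bDataCompare read strlen(szMask) bytes from there, so candidates near the
 * end of the region read past dwAddress + dwLen. The scan now stops at the
 * last offset where the whole pattern still fits inside the region.
 */
UINT64 FindPattern(UINT64 dwAddress, UINT64 dwLen, UCHAR* bMask, char* szMask)
{
    if (bMask == NULL || szMask == NULL)
    {
        return 0;
    }

    /* Pattern length is the mask length; counted by hand to avoid a CRT dependency. */
    UINT64 patternLen = 0;
    while (szMask[patternLen] != '\0')
    {
        ++patternLen;
    }

    /* An empty pattern matches nothing; a pattern longer than the region cannot fit. */
    if (patternLen == 0 || patternLen > dwLen)
    {
        return 0;
    }

    /* dwLen - patternLen cannot underflow: checked above. */
    const UINT64 lastStart = dwLen - patternLen;
    for (UINT64 i = 0; i <= lastStart; i++)
    {
        UINT64 candidate = dwAddress + i;
        if (!MmIsAddressValid((PVOID)candidate))
        {
            continue;
        }
        if (bDataCompare((UCHAR*)candidate, bMask, szMask))
        {
            return candidate;
        }
    }
    return 0;
}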
/*
 * SearchPattern: attach to the process identified by ProcessID and walk its
 * address space upward from BaseAddress, running FindPattern over every
 * region whose protection is exactly PAGE_EXECUTE_READWRITE or
 * PAGE_EXECUTE_READ.
 *
 * Parameters:
 *   ProcessID   - process id resolved with PsLookupProcessByProcessId.
 *   BaseAddress - first address queried; regions are walked upward from here.
 *   patten      - pattern bytes handed to FindPattern ("patten" is the
 *                 original spelling of the parameter).
 *   pmask       - mask string for FindPattern ('x' = byte must match).
 *   ppFound     - declared OUT, but as written nothing is ever stored through
 *                 it: the match address uRex is found and logged, then dropped.
 *
 * Returns:
 *   STATUS_NOT_FOUND on every path that reaches the end of the function,
 *   including the path where a match was found; STATUS_UNHANDLED_EXCEPTION
 *   when the guarded block faults; STATUS_NOTHING (presumably project-defined,
 *   it is not a standard NTSTATUS value visible here) when the process lookup
 *   fails.
 *
 * Review notes on the body as written:
 *   - The __except path returns without KeUnstackDetachProcess,
 *     MmUnmapLockedPages / IoFreeMdl and ObDereferenceObject, so a fault while
 *     attached leaks the process reference and the MDL mapping and may leave
 *     the thread attached to the target process.
 *   - If MmMapLockedPages yields NULL, temp_pMdl is never freed.
 *   - The MDL built over ppFound (8 bytes) is mapped but the mapping
 *     temp_address1 is never read or written before being unmapped.
 */
NTSTATUS SearchPattern(IN HANDLE ProcessID, IN PVOID BaseAddress , IN PVOID patten , IN char* pmask, OUT PVOID ppFound)
{
    NTSTATUS status = STATUS_SUCCESS;
    PEPROCESS pEProcess = NULL;
    KAPC_STATE KAPC;
    PMDL temp_pMdl = NULL;
    PVOID temp_address1 = NULL;
    SIZE_T ulRet = 0;
    UINT64 uRex = 0;   /* address returned by FindPattern; 0 = no match */

    /* Takes a reference on pEProcess that must be released with ObDereferenceObject. */
    status = PsLookupProcessByProcessId(ProcessID, &pEProcess);
    if (!NT_SUCCESS(status))
    {
        DbgPrintEx(0, 0, ("process not found \n"));
        return STATUS_NOTHING;
    }

    __try
    {
        /* MmBuildMdlForNonPagedPool assumes ppFound points at nonpaged kernel
         * memory — not checked here; confirm against the caller. */
        temp_pMdl = IoAllocateMdl(ppFound, 8 , 0, 0, NULL);
        if (temp_pMdl != NULL)
        {
            MmBuildMdlForNonPagedPool(temp_pMdl);
            temp_address1 = MmMapLockedPages(temp_pMdl, KernelMode);
            /* NOTE(review): on NULL here temp_pMdl is not freed. */
            if (temp_address1 != NULL)
            {
                MEMORY_BASIC_INFORMATION mbi = { 0 };

                /* Attach so that NtCurrentProcess() below and the raw reads in
                 * FindPattern refer to the target's address space. */
                KeStackAttachProcess(pEProcess, &KAPC);
                ULONG_PTR ulBase = (ULONG_PTR)BaseAddress;

                do
                {
                    status = ZwQueryVirtualMemory(NtCurrentProcess(), (PVOID)ulBase , MemoryBasicInformation, &mbi, sizeof(MEMORY_BASIC_INFORMATION), &ulRet);
                    if (NT_SUCCESS(status))
                    {
                        DbgPrintEx(0, 0, "[info] Protect Mode = %X \n", mbi.Protect);
                        /* Exact comparison: a Protect value carrying extra modifier
                         * bits does not match and the region is skipped. */
                        if (mbi.Protect == PAGE_EXECUTE_READWRITE || mbi.Protect == PAGE_EXECUTE_READ)
                        {
                            uRex = FindPattern((UINT64)ulBase, mbi.RegionSize, patten, pmask);
                            DbgPrintEx(0, 0, "[info] pattern scan scan addr = %llX, %llX\n", (UINT64)ulBase, uRex);
                            /* Match found: leaves the loop, but uRex is never
                             * stored to ppFound and the return value below is
                             * still STATUS_NOT_FOUND. */
                            if(uRex) break;
                        }
                        ulBase += mbi.RegionSize;
                    }
                    else
                    {
                        /* Query failed for this address: step one page and retry. */
                        ulBase += PAGE_SIZE;
                    }
                } while (ulBase < 0x7FFFFFFFFFFFFFFF);   /* walks up to the top of the 64-bit user range unless a match breaks out */
                KeUnstackDetachProcess(&KAPC);

                DbgPrintEx(0, 0, "[info] scan done,return.\n");

                MmUnmapLockedPages(temp_address1, temp_pMdl);
                IoFreeMdl(temp_pMdl);
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        /* NOTE(review): returns without detaching, unmapping/freeing the MDL,
         * or dereferencing pEProcess — see header comment. */
        return STATUS_UNHANDLED_EXCEPTION;
    }
    ObDereferenceObject(pEProcess);
    /* Reached on both the no-match and the match path. */
    return STATUS_NOT_FOUND;
}
 
