ULONG_PTR kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(ULONG_PTR pSecurityStruct, ULONG LUIDoffset, PLUID luidToFind) { PVOID buffer; ULONG_PTR resultat = 0, pStruct = 0; if(buffer = LocalAlloc(LPTR, LUIDoffset + sizeof(LUID))) { if(ReadMemory(pSecurityStruct, &pStruct, sizeof(PVOID), NULL)) { while(pStruct != pSecurityStruct) { if(ReadMemory(pStruct, buffer, LUIDoffset + sizeof(LUID), NULL)) { if(RtlEqualLuid(luidToFind, (PLUID) ((PBYTE) buffer + LUIDoffset))) { resultat = pStruct; break; } pStruct = (ULONG_PTR) ((PLIST_ENTRY) buffer)->Flink; } else break; } } LocalFree(buffer); } return resultat; }
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN ULONG_PTR pKerbGlobalLogonSessionTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData) { KIWI_KERBEROS_LOGON_SESSION session; UNICODE_STRING pinCode; KIWI_KERBEROS_KEYS_LIST_6 keyList; PKERB_HASHPASSWORD_6 pHashPassword; DWORD i; ULONG_PTR ptr; if(ptr = kuhl_m_sekurlsa_utils_pFromAVLByLuid(pKerbGlobalLogonSessionTable, FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier), pData->LogonId)) { if(ReadMemory(ptr, &session, sizeof(KIWI_KERBEROS_LOGON_SESSION), NULL)) { kuhl_m_sekurlsa_genericCredsOutput(&session.credentials, pData->LogonId, 0); if(session.pinCode) if(ReadMemory((ULONG_PTR) session.pinCode, &pinCode, sizeof(UNICODE_STRING), NULL)) kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pinCode, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE); if(session.pKeyList) if(ReadMemory((ULONG_PTR) session.pKeyList, &keyList, sizeof(KIWI_KERBEROS_KEYS_LIST_6) - sizeof(KERB_HASHPASSWORD_6), NULL)) if(pHashPassword = (PKERB_HASHPASSWORD_6) LocalAlloc(LPTR, keyList.cbItem * sizeof(KERB_HASHPASSWORD_6))) { if(ReadMemory((ULONG_PTR) session.pKeyList + sizeof(KIWI_KERBEROS_KEYS_LIST_6) - sizeof(KERB_HASHPASSWORD_6), pHashPassword, keyList.cbItem * sizeof(KERB_HASHPASSWORD_6), NULL)) { dprintf("\n\t * Key List"); for(i = 0; i < keyList.cbItem; i++) kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) (pHashPassword + i), pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST); } LocalFree(pHashPassword); } } } else dprintf("KO"); }
static PVOID GetPsGetCurrentProcess(HBITMAP hManager, HBITMAP hWorker, PEPROCESS_OFFSETS offsets) { PVOID systemProcess; LIST_ENTRY ActiveProcessLinks; ULONG64 UniqueProcessId; PVOID currentProcess; systemProcess = GetPsInitialSystemProcess(hManager, hWorker); if (ReadMemory(hManager, hWorker, (PVOID)((ULONG64)systemProcess + offsets->UniqueProcessId + sizeof(ULONG64)), &ActiveProcessLinks, sizeof(LIST_ENTRY)) == FALSE) { LOG("[-] Unable To Read Initial System Process ActiveProcessLinks\n"); return NULL; } do { currentProcess = (PVOID)((ULONG64)ActiveProcessLinks.Flink - offsets->UniqueProcessId - sizeof(ULONG64)); ReadMemory(hManager, hWorker, (PVOID)((ULONG64)currentProcess + offsets->UniqueProcessId), &UniqueProcessId, sizeof(ULONG64)); if (GetCurrentProcessId() == UniqueProcessId) { return currentProcess; } ReadMemory(hManager, hWorker, (PVOID)((ULONG64)currentProcess + offsets->UniqueProcessId + sizeof(ULONG64)), &ActiveProcessLinks, sizeof(LIST_ENTRY)); } while (currentProcess != (PVOID)((ULONG64)ActiveProcessLinks.Flink - offsets->UniqueProcessId - sizeof(ULONG64))); LOG("[-] Unable To Locate The Current Process In The List\n"); return NULL; }
PDLL_INFO AddDllToList( HANDLE hProcess, ULONG DllAddr, LPSTR DllName, ULONG DllSize ) { IMAGE_DOS_HEADER dh; IMAGE_NT_HEADERS nh; ULONG i; PDLL_INFO DllInfo; // // first look to see if the dll is already in the list // DllInfo = FindDllByAddress( DllAddr ); if (!DllSize) { // // read the pe image headers to get the image size // if (!ReadMemory( hProcess, (PVOID) DllAddr, &dh, sizeof(dh) )) { return NULL; } if (dh.e_magic == IMAGE_DOS_SIGNATURE) { if (!ReadMemory( hProcess, (PVOID)(DllAddr + dh.e_lfanew), &nh, sizeof(nh) )) { return NULL; } DllSize = nh.OptionalHeader.SizeOfImage; } else { DllSize = 0; } } DllInfo = FindAvailDll(); if (!DllInfo) { return NULL; } DllInfo->Size = DllSize; strncat( DllInfo->Name, DllName, MAX_NAME_SZ-1 ); DllInfo->BaseAddress = DllAddr; DllInfo->InList = FALSE; DllInfo->Enabled = TRUE; return DllInfo; }
trap_retval ReqChecksum_mem( void ) /******************************/ { trap_elen len; int i; trap_elen read; checksum_mem_req *acc; checksum_mem_ret *ret; char buffer[256]; _DBG1(( "AccChkSum\n" )); acc = GetInPtr( 0 ); ret = GetOutPtr( 0 ); len = acc->len; ret->result = 0; while( len >= sizeof( buffer ) ) { read = ReadMemory( &acc->in_addr, buffer, sizeof( buffer ) ); for( i = 0; i < read; ++i ) { ret->result += buffer[ i ]; } if( read != sizeof( buffer ) ) return( sizeof( *ret ) ); len -= sizeof( buffer ); acc->in_addr.offset += sizeof( buffer ); } if( len != 0 ) { read = ReadMemory( &acc->in_addr, buffer, len ); for( i = 0; i < read; ++i ) { ret->result += buffer[ i ]; } } return( sizeof( ret ) ); }
trap_retval ReqChecksum_mem( void ) { unsigned len; int i; int read; checksum_mem_req *acc; checksum_mem_ret *ret; _DBG1(( "AccChkSum" )); acc = GetInPtr( 0 ); ret = GetOutPtr( 0 ); len = acc->len; ret->result = 0; while( len >= BUFF_SIZE ) { read = ReadMemory( &acc->in_addr, (byte *)&UtilBuff, BUFF_SIZE ); acc->in_addr.offset += BUFF_SIZE; for( i = 0; i < read; ++i ) { ret->result += UtilBuff[ i ]; } if( read != BUFF_SIZE ) return( sizeof( *ret ) ); len -= BUFF_SIZE; } if( len != 0 ) { read = ReadMemory( &acc->in_addr, (byte *)&UtilBuff, len ); if( read == len ) { for( i = 0; i < len; ++i ) { ret->result += UtilBuff[ i ]; } } } return( sizeof( *ret ) ); }
bool CPathOfExile::GetPlayerExp(PLAYEREXP* exp) { DWORD dwPlayerBase = GetPlayerBase(); if ( dwPlayerBase ) { DWORD arOffsets[] = { 0x14 }; DWORD dwStatsPtr = GetMultiLevelPointer32(dwPlayerBase + 0x4, arOffsets); if ( dwStatsPtr ) { DWORD dwValue = 0; ReadMemory(dwStatsPtr + 0x34, &dwValue, sizeof(dwValue)); exp->Current = dwValue; ReadMemory(dwStatsPtr + 0x44, &dwValue, sizeof(dwValue)); exp->CurrentLevel = dwValue; exp->Minimum = s_ExperienceThresholds[exp->CurrentLevel]; exp->Maximum = s_ExperienceThresholds[exp->CurrentLevel + 1]; return true; } } return false; }
ULONG_PTR kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(ULONG_PTR pTable, ULONG LUIDoffset, PLUID luidToFind) { ULONG_PTR resultat = 0; PVOID buffer; RTL_AVL_TABLE maTable; if(ReadMemory(pTable, &maTable, sizeof(RTL_AVL_TABLE), NULL)) { if(pTable = (ULONG_PTR) maTable.OrderedPointer) { if(buffer = LocalAlloc(LPTR, LUIDoffset + sizeof(LUID))) { if(ReadMemory(pTable, buffer, LUIDoffset + sizeof(LUID), NULL)) { if(RtlEqualLuid(luidToFind, (PLUID) ((PBYTE) buffer + LUIDoffset))) resultat = (ULONG_PTR) maTable.OrderedPointer; } LocalFree(buffer); } } if(!resultat && (pTable = (ULONG_PTR) maTable.BalancedRoot.LeftChild)) resultat = kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(pTable, LUIDoffset, luidToFind); if(!resultat && (pTable = (ULONG_PTR) maTable.BalancedRoot.RightChild)) resultat = kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(pTable, LUIDoffset, luidToFind); } return resultat; }
unsigned ReqChecksum_mem() { unsigned short len; int i; unsigned short read; checksum_mem_req *acc; checksum_mem_ret *ret; _DBG1(( "AccChkSum\n" )); acc = GetInPtr( 0 ); ret = GetOutPtr( 0 ); len = acc->len; ret->result = 0; while( len >= BUFF_SIZE ) { read = ReadMemory( (addr48_ptr *)&acc->in_addr, &UtilBuff, BUFF_SIZE ); for( i = 0; i < read; ++i ) { ret->result += UtilBuff[ i ]; } if( read != BUFF_SIZE ) return( sizeof( *ret ) ); len -= BUFF_SIZE; } if( len != 0 ) { read = ReadMemory( (addr48_ptr *)&acc->in_addr, &UtilBuff, len ); if( read == len ) { for( i = 0; i < len; ++i ) { ret->result += UtilBuff[ i ]; } } } return( sizeof( ret ) ); }
void tenkValidate(PVOID heapHandle) { struct HPool *heap; struct DestroyStruct dStruct; struct HeapChunk *curChunk; ULONG chunkPtr; ULONG i, nextIndex; BOOL screwed = FALSE; heap = getHeap(&heapModel, heapHandle); i = heap->inUseHead; while (i != NULLNODE) { if (CHUNK(i).free) { // CHUNK(i).nextInUse must be equal to the next ptr if(!ReadMemory((ULONG64)(CHUNK(i).addr)+4, (PVOID) &chunkPtr, 4, NULL)) { dprintf("[T] Unable to read memory at address 0x%08x\n!"); return; } // Find next free chunk - continue if there are no more nextIndex = CHUNK(i).nextInUse; while (nextIndex != NULLNODE && !(CHUNK(nextIndex).free)) nextIndex = CHUNK(nextIndex).nextInUse; if (nextIndex == NULLNODE) { i = CHUNK(i).nextInUse; continue; } // Validate next free chunk if (CHUNK(nextIndex).addr != (PVOID) chunkPtr) { dprintf("[T] Corruped next pointer for chunk at 0x%08x\n", CHUNK(i).addr); dprintf(">\tGot: 0x%08x\tExpected: 0x%08x\n", chunkPtr, CHUNK(nextIndex).addr); screwed = TRUE; } // next free chunk prev, must equal CHUNK(i).addr if(!ReadMemory((ULONG64)CHUNK(nextIndex).addr, (PVOID) &chunkPtr, 4, NULL)) { dprintf("[T] Unable to read memory at address 0x%08x\n!"); return; } if ((PVOID) chunkPtr != CHUNK(i).addr) { dprintf("[T] Corruped prev pointer for chunk at 0x%08x\n", CHUNK(nextIndex).addr); dprintf(">\tGot: 0x%08x\tExpected: 0x%08x\n", chunkPtr, CHUNK(i).addr); screwed = TRUE; } } else { } i = CHUNK(i).nextInUse; } dprintf("[T] Validation complete: "); if (!screwed) dprintf("all known free chunks are correct\n"); else dprintf("errors found\n"); }
void poolDumpHive( IN PCMHIVE pHive ) { CMHIVE CmHive; ULONG BytesRead; WCHAR FileName[HBASE_NAME_ALLOC/2 + 1]; CHAR buf[512]; ULONG cb; dprintf("\ndumping hive at %lx ",pHive); ReadMemory((DWORD)pHive, &CmHive, sizeof(CmHive), &BytesRead); if (BytesRead < sizeof(CmHive)) { dprintf("\tRead %lx bytes from %lx\n",BytesRead,pHive); return; } ReadMemory((DWORD)&CmHive.Hive.BaseBlock->FileName, FileName, sizeof(FileName), &BytesRead); if (BytesRead < sizeof(FileName)) { wcscpy(FileName, L"UNKNOWN"); } else { if (FileName[0]==L'\0') { wcscpy(FileName, L"NONAME"); } else { FileName[HBASE_NAME_ALLOC/2]=L'\0'; } } dprintf("(%ws)\n",FileName); dprintf(" %d KCBs open\n",CmHive.KcbCount); dprintf(" Stable Length = %lx\n",CmHive.Hive.Storage[Stable].Length); if (SavePages) { sprintf(buf, "%ws %d %d\n", FileName, CmHive.Hive.Storage[Stable].Length, CmHive.Hive.Storage[Volatile].Length); WriteFile( TempFile, buf, strlen(buf), &cb, NULL ); } poolDumpMap(CmHive.Hive.Storage[Stable].Length, CmHive.Hive.Storage[Stable].Map); dprintf(" Volatile Length = %lx\n",CmHive.Hive.Storage[Volatile].Length); poolDumpMap(CmHive.Hive.Storage[Volatile].Length, CmHive.Hive.Storage[Volatile].Map); }
VOID DumpIrpContextFromThread ( IN ULONG Thread, IN ULONG Options ) /*++ Routine Description: Dump an IrpContext given a Thread. Arguments: Address - Gives the address of the Thread where the IrpContext can be found Return Value: None --*/ { ULONG Result; ULONG OurStackAddress; PIRP_CONTEXT pIrpContext; dprintf( "\n Thread @ %08lx", Thread ); if (!ReadMemory( (DWORD) (Thread + 0x214), &OurStackAddress, sizeof(OurStackAddress), &Result)) { dprintf( "%08lx: Could not read Thread + 0x214\n", Thread + 0x214 ); return; } dprintf( "\n Our stack @ %08lx", OurStackAddress ); if (!ReadMemory( (DWORD) (OurStackAddress + 0x18), &pIrpContext, sizeof(pIrpContext), &Result)) { dprintf( "%08lx: Could not read OurStackAddress + 0x18\n", OurStackAddress + 0x18 ); return; } DumpIrpContext( (ULONG) pIrpContext, Options ); dprintf( "\n" ); return; }
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_credman(IN ULONG_PTR reserved, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData) { KIWI_CREDMAN_SET_LIST_ENTRY setList; KIWI_CREDMAN_LIST_STARTER listStarter; DWORD nbCred = 0; ULONG_PTR pCur, pRef; KIWI_GENERIC_PRIMARY_CREDENTIAL kiwiCreds; ULONG CredOffsetIndex; PBYTE buffer; if(NtBuildNumber < KULL_M_WIN_BUILD_7) CredOffsetIndex = 0; else CredOffsetIndex = 1; if(pData->pCredentialManager) { if(ReadMemory((ULONG_PTR) pData->pCredentialManager, &setList, sizeof(KIWI_CREDMAN_SET_LIST_ENTRY), NULL)) { if(setList.list1) { pRef = (ULONG_PTR) setList.list1 + FIELD_OFFSET(KIWI_CREDMAN_LIST_STARTER, start); if(ReadMemory((ULONG_PTR) setList.list1, &listStarter, sizeof(KIWI_CREDMAN_LIST_STARTER), NULL)) { if(buffer = (PBYTE) LocalAlloc(LPTR, credhelper[CredOffsetIndex].structSize)) { if(pCur = (ULONG_PTR) listStarter.start) { while(pCur != pRef) { pCur -= credhelper[CredOffsetIndex].offsetFLink; if(ReadMemory(pCur, buffer, credhelper[CredOffsetIndex].structSize, NULL)) { dprintf("\n\t [%08x]", nbCred); kiwiCreds.UserName = *(PUNICODE_STRING) (buffer + credhelper[CredOffsetIndex].offsetUsername); kiwiCreds.Domaine = *(PUNICODE_STRING) (buffer + credhelper[CredOffsetIndex].offsetDomain); kiwiCreds.Password.Length = kiwiCreds.Password.MaximumLength = *(PUSHORT) (buffer + credhelper[CredOffsetIndex].offsetCbPassword);; kiwiCreds.Password.Buffer = *(PWSTR *) (buffer + credhelper[CredOffsetIndex].offsetPassword); kuhl_m_sekurlsa_genericCredsOutput(&kiwiCreds, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS); pCur = (ULONG_PTR) *(PVOID *) (buffer + credhelper[CredOffsetIndex].offsetFLink); } else break; nbCred++; } } LocalFree(buffer); } } } } } }
ULONG GetAddressState( IN PVOID VirtualAddress ) { ULONG Address; ULONG result; ULONG flags = 0; PMMPTE Pte; PMMPTE Pde; ULONG PdeContents; ULONG PteContents; if (MI_IS_PHYSICAL_ADDRESS (VirtualAddress)) { return ADDRESS_VALID; } Address = (ULONG)VirtualAddress; Pde = (PMMPTE)MiGetPdeAddress (Address); Pte = (PMMPTE)MiGetPteAddress (Address); if ( !ReadMemory( (DWORD)Pde, &PdeContents, sizeof(ULONG), &result) ) { dprintf("%08lx: Unable to get PDE\n",Pde); return ADDRESS_NOT_VALID; } if (PdeContents & MM_PTE_VALID_MASK) { if (PdeContents & MM_PTE_LARGE_PAGE_MASK) { return ADDRESS_VALID; } if ( !ReadMemory( (DWORD)Pte, &PteContents, sizeof(ULONG), &result) ) { dprintf("%08lx: Unable to get PTE\n",Pte); return ADDRESS_NOT_VALID; } if (PteContents & MM_PTE_VALID_MASK) { return ADDRESS_VALID; } if (PteContents & MM_PTE_TRANSITION_MASK) { if (!(PteContents & MM_PTE_PROTOTYPE_MASK)) { return ADDRESS_TRANSITION; } } } return ADDRESS_NOT_VALID; }
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN ULONG_PTR pLiveGlobalLogonSessionList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData) { KIWI_LIVESSP_LIST_ENTRY credentials; KIWI_LIVESSP_PRIMARY_CREDENTIAL primaryCredential; ULONG_PTR ptr; if(ptr = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(pLiveGlobalLogonSessionList, FIELD_OFFSET(KIWI_LIVESSP_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId)) { if(ReadMemory(ptr, &credentials, sizeof(KIWI_LIVESSP_LIST_ENTRY), NULL)) if(ptr = (ULONG_PTR) credentials.suppCreds) if(ReadMemory(ptr, &primaryCredential, sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL), NULL)) kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData->LogonId, (NtBuildNumber != 9431) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT); } else dprintf("KO"); }
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN ULONG_PTR pTSGlobalCredTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData) { KIWI_TS_CREDENTIAL credentials; KIWI_TS_PRIMARY_CREDENTIAL primaryCredential; ULONG_PTR ptr; if(ptr = kuhl_m_sekurlsa_utils_pFromAVLByLuid(pTSGlobalCredTable, FIELD_OFFSET(KIWI_TS_CREDENTIAL, LocallyUniqueIdentifier), pData->LogonId)) { if(ReadMemory(ptr, &credentials, sizeof(KIWI_TS_CREDENTIAL), NULL)) if(ReadMemory((ULONG_PTR) credentials.pTsPrimary, &primaryCredential, sizeof(KIWI_TS_PRIMARY_CREDENTIAL), NULL)) kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN); } else dprintf("KO"); }
VOID WinDbgExtensionDllInit( PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT MajorVersion, USHORT MinorVersion ) { ULONG_PTR offKeProcessorArchitecture; ULONG Result; ExtensionApis = *lpExtensionApis; SavedMajorVersion = MajorVersion; SavedMinorVersion = MinorVersion; bDebuggingChecked = (SavedMajorVersion == 0x0c); usProcessorArchitecture = (USHORT)-1; offKeProcessorArchitecture = GetExpression("KeProcessorArchitecture"); if (offKeProcessorArchitecture != 0) ReadMemory(offKeProcessorArchitecture, &usProcessorArchitecture, sizeof(USHORT), &Result); if (usProcessorArchitecture >= cArchitecture) { #ifdef IA64 GetEProcessData = GetEProcessData_IA64; #else GetEProcessData = GetEProcessData_X86; #endif } else { GetEProcessData = aGetEProcessDataFunc[usProcessorArchitecture]; } // // Read the user probe address from the target system. // // N.B. The user probe address is constant on MIPS, Alpha, and the PPC. // On the x86, it may not be defined for the target system if it // does not contain the code to support 3gb of user address space. // UserProbeAddress = GetExpression("MmUserProbeAddress"); if ((UserProbeAddress == 0) || (ReadMemory(UserProbeAddress, &UserProbeAddress, sizeof(UserProbeAddress), &Result) == FALSE)) { UserProbeAddress = 0x7fff0000; } return; }
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN ULONG_PTR pTSGlobalCredTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData) { KIWI_TS_PRIMARY_CREDENTIAL primaryCredential; ULONG_PTR ptr; PVOID buffer; LONG TsOffsetIndex = (NtBuildNumber < KULL_M_WIN_BUILD_10_1607) ? 0 : 1; if(ptr = kuhl_m_sekurlsa_utils_pFromAVLByLuid(pTSGlobalCredTable, tsCredentialHelper[TsOffsetIndex].offsetToLuid, pData->LogonId)) { if(ReadMemory(ptr + tsCredentialHelper[TsOffsetIndex].offsetToTsPrimary, &buffer, sizeof(PVOID), NULL)) if(ReadMemory((ULONG_PTR) buffer, &primaryCredential, sizeof(KIWI_TS_PRIMARY_CREDENTIAL), NULL)) kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN); } else dprintf("KO"); }
bool CrashInfo::GetDSOInfo() { Phdr* phdrAddr = reinterpret_cast<Phdr*>(m_auxvValues[AT_PHDR]); int phnum = m_auxvValues[AT_PHNUM]; assert(m_auxvValues[AT_PHENT] == sizeof(Phdr)); if (phnum <= 0 || phdrAddr == nullptr) { return false; } TRACE("DSO: phdr %p phnum %d\n", phdrAddr, phnum); // Search for the program PT_DYNAMIC header ElfW(Dyn)* dynamicAddr = nullptr; for (int i = 0; i < phnum; i++, phdrAddr++) { Phdr ph; if (!ReadMemory(phdrAddr, &ph, sizeof(ph))) { return false; } TRACE("DSO: phdr %p type %d (%x) vaddr %016lx memsz %016lx offset %016lx\n", phdrAddr, ph.p_type, ph.p_type, ph.p_vaddr, ph.p_memsz, ph.p_offset); if (ph.p_type == PT_DYNAMIC) { dynamicAddr = reinterpret_cast<ElfW(Dyn)*>(ph.p_vaddr); } else if (ph.p_type == PT_GNU_EH_FRAME)
void D3D::Update() { ReadMemory(0); //// Camera //projection->_11 = projection->_22 / (windowWidth / windowHeight); //viewMatrix = CreateConstantBuffer(sizeof(XMFLOAT4X4), view); //projectionMatrix = CreateConstantBuffer(sizeof(XMFLOAT4X4), projection); //// Indices //D3D11_BUFFER_DESC cbDesc; //cbDesc.ByteWidth = sizeof(int) * 6; //cbDesc.Usage = D3D11_USAGE_DYNAMIC; //cbDesc.BindFlags = D3D11_BIND_INDEX_BUFFER; //cbDesc.CPUAccessFlags = D3D11_CPU_ACCESS_WRITE; //cbDesc.MiscFlags = 0; //cbDesc.StructureByteStride = 0; //D3D11_SUBRESOURCE_DATA cbInitData; //cbInitData.pSysMem = meshes.back().indices.data(); //cbInitData.SysMemPitch = 0; //cbInitData.SysMemSlicePitch = 0; //device->CreateBuffer(&cbDesc, &cbInitData, &meshes.back().meshesBuffer[0]); createBool = true; }
bool ExtensionInit() { char FDP_SHMNameBuffer[256]; ULONG ulMemoryRead = 0; dprintf("Extension initialization...\n"); if (InitializeIDebug() == false){ dprintf("Failed to InitializeIDebug\n"); return false; } dprintf("Getting FDP SHM from Winbagility...\n"); ReadMemory(0xDEADCACABABECAFE, FDP_SHMNameBuffer, 256, &ulMemoryRead); dprintf("Trying to connect to FDP %s\n", FDP_SHMNameBuffer); pFDP = FDP_OpenSHM(FDP_SHMNameBuffer); if (pFDP != NULL){ dprintf("Connected to %s\n", FDP_SHMNameBuffer); return true; } else{ dprintf("Failed to connect to FDP %s\n", FDP_SHMNameBuffer); return false; } return false; }
unsigned ReqSet_watch() { watch *curr; set_watch_req *acc; set_watch_ret *ret; int i; int needed; _DBG1(( "AccSetWatch\n" )); acc = GetInPtr( 0 ); ret = GetOutPtr( 0 ); ret->multiplier = 5000; ret->err = 0; curr = WatchPoints + WatchCount; curr->addr.segment = acc->watch_addr.segment; curr->addr.offset = acc->watch_addr.offset; curr->linear = DPMIGetSegmentBaseAddress( curr->addr.segment ) + curr->addr.offset; curr->len = acc->size; curr->dregs = ( curr->linear & (curr->len-1) ) ? 2 : 1; curr->handle = -1; curr->handle2 = -1; curr->value = 0; ReadMemory( (addr48_ptr *)&acc->watch_addr, (byte far *)&curr->value, curr->len ); ++WatchCount; needed = 0; for( i = 0; i < WatchCount; ++i ) { needed += WatchPoints[ i ].dregs; } if( needed <= 4 ) ret->multiplier |= USING_DEBUG_REG; return( sizeof( *ret ) ); }
BOOL IsTransmitIrpBusy( PIRP Irp ) { IRP localIrp; ULONG result; if( Irp == NULL ) { return FALSE; } if( !ReadMemory( (DWORD)Irp, &localIrp, sizeof(localIrp), &result ) ) { return FALSE; } return localIrp.UserIosb != 0; } // IsTransmitIrpBusy
VOID SetDepthLookaside ( IN ULONG Address, IN PUCHAR Name, IN ULONG Depth ) /*++ Routine Description: Set the depth of a specific lookaside list. Arguments: Address - Gives the address of the lookaside list to reset Name - Gives an optional name of to print in case of errors Depth - Supplies the depth to set the lookaside list to Return Value: None --*/ { NPAGED_LOOKASIDE_LIST Lookaside; ULONG Results; // // Read the lookaside list from memory // if (!ReadMemory( (ULONG)Address, &Lookaside, sizeof(NPAGED_LOOKASIDE_LIST), &Results ) || (Results < sizeof(NPAGED_LOOKASIDE_LIST))) { dprintf("Can't read lookaside \"%s\" at 0x%08lx\n", Name, Address); } // // Set the depth // Lookaside.L.Depth = (USHORT)Depth; // // Write it back out // if (!WriteMemory( (ULONG)Address, &Lookaside, sizeof(NPAGED_LOOKASIDE_LIST), &Results ) || (Results < sizeof(NPAGED_LOOKASIDE_LIST))) { dprintf("Can't write lookaside \"%s\" at 0x%08lx\n", Name, Address); } return; }
BOOL kuhl_m_sekurlsa_utils_getSid(IN PSID * pSid) { BOOL status = FALSE; BYTE nbAuth; DWORD sizeSid; ULONG_PTR buffer = (ULONG_PTR) *pSid; *pSid = NULL; if(ReadMemory(buffer + 1, &nbAuth, sizeof(BYTE), NULL)) { sizeSid = 4 * nbAuth + 6 + 1 + 1; if(*pSid = LocalAlloc(LPTR, sizeSid)) status = ReadMemory(buffer, *pSid, sizeSid, NULL); } return status; }
CStringW ReadMemoryStringW( size_t address, SIZE_T max ) { auto buffer = std::make_unique<wchar_t[ ]>( max + 1 ); SIZE_T bytesRead; if ( ReadMemory( (PVOID) address, buffer.get( ), max * sizeof( wchar_t ), &bytesRead ) != 0 ) { bytesRead /= sizeof( wchar_t ); for ( int i = 0; i < bytesRead; i++ ) { if ( !( iswprint( buffer[ i ] ) ) && buffer[ i ] != '\0' ) buffer[ i ] = '.'; } buffer[ bytesRead ] = '\0'; return CStringW( buffer.get( ) ); } else { #ifdef _DEBUG PrintOut( _T( "[ReadMemoryString]: Failed to read memory, GetLastError() = %s" ), Utils::GetLastErrorString( ).GetString( ) ); #endif return CStringW( L".." ); } }
trap_retval ReqRead_mem( void ) /**************************/ { read_mem_req *acc; acc = GetInPtr( 0 ); return( ReadMemory( &acc->mem_addr, GetOutPtr( 0 ), acc->len ) ); }
VOID DumpIrpContext ( IN ULONG Address, IN ULONG Options ) /*++ Routine Description: Dump an IrpContext. Arguments: Address - Gives the address of the IrpContext to dump Return Value: None --*/ { ULONG Result; PIRP_CONTEXT pIrpContext; IRP_CONTEXT IrpContext; dprintf( "\n IrpContext @ %08lx", Address ); pIrpContext = (PIRP_CONTEXT) Address; if ( !ReadMemory( (DWORD) pIrpContext, &IrpContext, sizeof( IrpContext ), &Result) ) { dprintf( "%08lx: Unable to read pIrpContext\n", pIrpContext ); return; } if (IrpContext.NodeTypeCode != NTFS_NTC_IRP_CONTEXT) { dprintf( "\nIRP_CONTEXT signature does not match, probably not an IRP_CONTEXT" ); return; } if (Options >= 1) { DumpFileObjectFromIrp( (ULONG) IrpContext.OriginatingIrp, Options - 1 ); } dprintf( "\n" ); return; }
DUMPED_PE GetRemotePE(DWORD dwPid) { ULONG64 dwBaseAddress = 0; ULONG64 dwImageSize = 0; HANDLE HProcess; DUMPED_PE DumpedPE; DumpedPE.pDump = NULL; DumpedPE.dwImageSize = 0; if ((HProcess = GetHandleProcess(dwPid)) == NULL) return DumpedPE; dwBaseAddress = GetRemoteBaseAddress(HProcess); dwImageSize = GetModuleSize(dwPid, dwBaseAddress); printf("[+] dwBaseAddress : 0x%016llX\n", dwBaseAddress); printf("[+] dwImageSize : 0x%016llX\n", dwImageSize); DumpedPE.dwImageSize = dwImageSize; DumpedPE.pDump = (PBYTE)VirtualAlloc(NULL, (SIZE_T)dwImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); printf("[+] VirtualAlloc: %08X\n", DumpedPE.pDump); printf("[+] dwImageSize: %08X\n", dwImageSize); printf("[+] VirtualAlloc + dwImageSize: %08X\n", (DWORD)DumpedPE.pDump + dwImageSize); if (DumpedPE.pDump == NULL) { fprintf(stderr, "[-] VirtualAlloc failed\n"); return DumpedPE; } if (Is64BitProcess(HProcess) == TRUE) { if (ReadMemory(HProcess, (PVOID64)(dwBaseAddress), DumpedPE.pDump, (SIZE_T)dwImageSize) == FALSE) { fprintf(stderr, "[-] GetRemotePE - ReadMemory failed\n"); VirtualFree(DumpedPE.pDump, (SIZE_T)dwImageSize, 0); DumpedPE.pDump = NULL; return DumpedPE; } } else { if (ReadMemory(HProcess, (LPCVOID)(dwBaseAddress), DumpedPE.pDump, (SIZE_T)dwImageSize) == FALSE) { fprintf(stderr, "[-] GetRemotePE - ReadMemory failed\n"); VirtualFree(DumpedPE.pDump, (SIZE_T)dwImageSize, 0); DumpedPE.pDump = NULL; return DumpedPE; } } return DumpedPE; }
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_wdigest(IN ULONG_PTR pl_LogSessList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData) { ULONG_PTR ptr; BYTE buffer[offsetWDigestPrimary + sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL)]; if(ptr = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(pl_LogSessList, FIELD_OFFSET(KIWI_WDIGEST_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId)) { if(ReadMemory(ptr, buffer, sizeof(buffer), NULL)) kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) (buffer + offsetWDigestPrimary), pData->LogonId, 0); } else dprintf("KO"); }