init

init

Author: Sentient111

FindKernelFunctionUm/Exports.h

@@ -0,0 +1,176 @@
+#pragma once
+#include <Windows.h>
+#include <iostream>
+#include <string>
+#include <fstream>
+
+#include "QueryModuleInformation.h"
+
+UINT64 LoadFileToMemory(std::string path)
+{
+	std::ifstream inputPeFile(path, std::ios::binary);
+	if (!inputPeFile.is_open())
+	{
+		printf("[PE] failed to open %s\n", path.c_str());
+		return 0;
+	}
+
+	inputPeFile.seekg(0, std::ios::end);
+	int fileSize = inputPeFile.tellg();
+	inputPeFile.seekg(0, std::ios::beg);
+
+	if (!fileSize)
+	{
+		printf("[PE] following driver has a invalid file size\n");
+		printf("%s\n", path.c_str());
+		inputPeFile.close();
+		return 0;
+	}
+
+	UINT64 fileBuffer = (UINT64)VirtualAlloc(NULL, fileSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+	if (!fileBuffer)
+	{
+		printf("[PE] failed to allocate memory for file buffer %x\n", GetLastError());
+		inputPeFile.close();
+		return 0;
+	}
+
+	inputPeFile.read((char*)fileBuffer, fileSize);
+	inputPeFile.close();
+	
+
+	return fileBuffer;
+}
+
+
+UINT64 TranslateVa(UINT64 rva, PVOID ntHeaders, UINT64 fileBuffer)
+{
+	PIMAGE_FILE_HEADER fileHeader = &((PIMAGE_NT_HEADERS)ntHeaders)->FileHeader;
+
+	PIMAGE_SECTION_HEADER currentSection = IMAGE_FIRST_SECTION((PIMAGE_NT_HEADERS32)ntHeaders);
+
+	for (size_t i = 0; i < ((PIMAGE_NT_HEADERS32)ntHeaders)->FileHeader.NumberOfSections; ++i, ++currentSection)
+	{
+		if (rva >= currentSection->VirtualAddress && rva < currentSection->VirtualAddress + currentSection->Misc.VirtualSize)
+		{
+			return fileBuffer + currentSection->PointerToRawData + (rva - currentSection->VirtualAddress);
+		}
+	}
+	return 0;
+}
+
+
+UINT64 GetExport(UINT64 fileBuffer, const char* functionName)
+{
+	PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)(fileBuffer);
+	PIMAGE_NT_HEADERS64 ntHeaders = (PIMAGE_NT_HEADERS64)(fileBuffer + dosHeader->e_lfanew);
+
+	UINT64 exportDirVa = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
+	if (!exportDirVa)
+	{
+		printf("Failed to find export dir\n");
+		return 0;
+	}
+
+	PIMAGE_EXPORT_DIRECTORY exportDir = (PIMAGE_EXPORT_DIRECTORY)(TranslateVa(exportDirVa, ntHeaders, fileBuffer));
+
+	if (!exportDir)
+	{
+		printf("Failed to translate export dir\n");
+		return 0;
+	}
+
+	DWORD* peat = (DWORD*)(TranslateVa(exportDir->AddressOfFunctions, ntHeaders, fileBuffer));
+	DWORD* pent = (DWORD*)(TranslateVa(exportDir->AddressOfNames, ntHeaders, fileBuffer));
+	WORD* peot = (WORD*)(TranslateVa(exportDir->AddressOfNameOrdinals, ntHeaders, fileBuffer));
+
+	WORD ordinal = 0;
+
+
+	for (DWORD i = 0; i < exportDir->NumberOfNames; ++i)
+	{
+
+		printf("%s\n", (char*)(TranslateVa(pent[i], ntHeaders, fileBuffer)));
+
+	}
+
+	return 0;
+}
+
+UINT64 GetExportFromFile(UINT64 fileBuffer, const char* functionName)
+{
+	PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)(fileBuffer);
+	PIMAGE_NT_HEADERS64 ntHeaders = (PIMAGE_NT_HEADERS64)(fileBuffer + dosHeader->e_lfanew);
+
+	if (!dosHeader || !ntHeaders)
+	{
+		printf("File buffer has invalid pe headers\n");
+		return 0;
+	}
+
+	UINT64 exportDirVa = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
+	if (!exportDirVa)
+	{
+		printf("Failed to find export dir\n");
+		return 0;
+	}
+
+	PIMAGE_EXPORT_DIRECTORY exportDir = (PIMAGE_EXPORT_DIRECTORY)(TranslateVa(exportDirVa, ntHeaders, fileBuffer));
+
+	if (!exportDir)
+	{
+		printf("Failed to translate export dir\n");
+		return 0;
+	}
+
+	DWORD* functionList = (DWORD*)(TranslateVa(exportDir->AddressOfFunctions, ntHeaders, fileBuffer));
+	DWORD* nameList = (DWORD*)(TranslateVa(exportDir->AddressOfNames, ntHeaders, fileBuffer));
+	WORD* ordinalList = (WORD*)(TranslateVa(exportDir->AddressOfNameOrdinals, ntHeaders, fileBuffer));
+
+	for (int i = 0; i < exportDir->NumberOfNames; ++i)
+	{
+		char* currExportName = (char*)(TranslateVa(nameList[i], ntHeaders, fileBuffer));
+		if (!strcmp(currExportName, functionName))
+		{
+			return functionList[ordinalList[i]] - ntHeaders->OptionalHeader.ImageBase;
+		}
+	}
+
+	return 0;
+}
+
+PVOID GetExportAddrFromDisk(const char* moduleName, const char* functionName)
+{
+	std::string fullModulePath = GetKernelModuleFilePath(moduleName);
+	if (!fullModulePath.length())
+	{
+		printf("failed to get module path\n");
+		return 0;
+	}
+
+	UINT64 fileBuffer = LoadFileToMemory(fullModulePath);
+	if (!fileBuffer)
+	{
+		printf("failed to load file to memory\n");
+		return 0;
+	}
+
+	PVOID kernelModuleBase = GetSystemModuleBase(moduleName);
+	if (!kernelModuleBase)
+	{
+		printf("failed to get kernel module base\n");
+		return 0;
+	}
+
+	UINT64 functionOffset = GetExportFromFile(fileBuffer, functionName);
+	if (!kernelModuleBase)
+	{
+		printf("failed to find export from disk\n");
+		return 0;
+	}
+
+	VirtualFree((PVOID)fileBuffer, NULL, MEM_RELEASE);
+
+	return (PVOID)((UINT64)kernelModuleBase + functionOffset);
+}
+

FindKernelFunctionUm/FindKernelFunctionUm.cpp

@@ -0,0 +1,8 @@
+#include "Exports.h"
+
+int main()
+{
+	PVOID fnAddr = GetExportAddrFromDisk("ntoskrnl.exe", "NtQueryInformationFile");
+	printf("function addr 0x%p\n", fnAddr);
+	return 0;
+}

FindKernelFunctionUm/FindKernelFunctionUm.sln

@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.32228.343
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FindKernelFunctionUm", "FindKernelFunctionUm.vcxproj", "{EFFC98E2-7587-4A98-A502-6D78C0BA453F}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{EFFC98E2-7587-4A98-A502-6D78C0BA453F}.Debug|x64.ActiveCfg = Debug|x64
+		{EFFC98E2-7587-4A98-A502-6D78C0BA453F}.Debug|x64.Build.0 = Debug|x64
+		{EFFC98E2-7587-4A98-A502-6D78C0BA453F}.Debug|x86.ActiveCfg = Debug|Win32
+		{EFFC98E2-7587-4A98-A502-6D78C0BA453F}.Debug|x86.Build.0 = Debug|Win32
+		{EFFC98E2-7587-4A98-A502-6D78C0BA453F}.Release|x64.ActiveCfg = Release|x64
+		{EFFC98E2-7587-4A98-A502-6D78C0BA453F}.Release|x64.Build.0 = Release|x64
+		{EFFC98E2-7587-4A98-A502-6D78C0BA453F}.Release|x86.ActiveCfg = Release|Win32
+		{EFFC98E2-7587-4A98-A502-6D78C0BA453F}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {55FE5FE9-2009-4E0A-A132-BC0E7C7A8762}
+	EndGlobalSection
+EndGlobal

FindKernelFunctionUm/FindKernelFunctionUm.vcxproj

@@ -0,0 +1,152 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{effc98e2-7587-4a98-a502-6d78c0ba453f}</ProjectGuid>
+    <RootNamespace>FindKernelFunctionUm</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="FindKernelFunctionUm.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="Nt.h" />
+    <ClInclude Include="Exports.h" />
+    <ClInclude Include="QueryModuleInformation.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>