
Commit 9b565f4

committed
Driver: resolved DarthTon#145
1 parent b3d5c10 commit 9b565f4


2 files changed

+16
-13
lines changed


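--- a/src/BlackBoneDrv/BlackBoneDrv.c
+++ b/src/BlackBoneDrv/BlackBoneDrv.c
@@ -369,17 +369,17 @@ NTSTATUS BBInitDynamicData( IN OUT PDYNAMIC_DATA pData )
 else if (verInfo.dwBuildNumber == 15063)
 {
 pData->ver = WINVER_10_CU;
-pData->KExecOpt = 0x0;
-pData->Protection = 0x0;
-pData->ObjTable = 0x0;
-pData->VadRoot = 0x620;
-pData->NtCreateThdIndex = 0x0;
-pData->NtTermThdIndex = 0x0;
-pData->PrevMode = 0x0;
-pData->ExitStatus = 0x0;
+pData->KExecOpt = 0x1BF;
+pData->Protection = 0x6CA;
+pData->ObjTable = 0x418;
+pData->VadRoot = 0x628;
+pData->NtCreateThdIndex = 0xB9;
+pData->NtTermThdIndex = 0x53;
+pData->PrevMode = 0x232;
+pData->ExitStatus = 0x6F8;
 pData->MiAllocPage = 0;
-if (NT_SUCCESS(BBScanSection("PAGE", (PCUCHAR)"\x48\x8D\x7D\x18\x48\x8B", 0xCC, 6, (PVOID)&pData->ExRemoveTable)))
-pData->ExRemoveTable -= 0x60;
+if (NT_SUCCESS(BBScanSection("PAGE", (PCUCHAR)"\x48\x8B\x47\x20\x48\x83\xC7\x18", 0xCC, 8, (PVOID)&pData->ExRemoveTable)))
+pData->ExRemoveTable -= 0x34;
 
 status = BBLocatePageTables( pData );
 break;
@@ -429,8 +429,11 @@ NTSTATUS BBLocatePageTables( IN OUT PDYNAMIC_DATA pData )
 pData->DYN_PDE_BASE = *(PULONG_PTR)(pMiGetPhysicalAddress + 0x49 + 2);
 pData->DYN_PTE_BASE = *(PULONG_PTR)(pMiGetPhysicalAddress + 0x56 + 2);
 }
+
+DPRINT( "BlackBone: PDE_BASE: %p, PTE_BASE: %p\n", pData->DYN_PDE_BASE, pData->DYN_PTE_BASE );
 return STATUS_SUCCESS;
 }
 
+DPRINT( "BlackBone: PDE_BASE/PTE_BASE not found \n" );
 return STATUS_NOT_FOUND;
 }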
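Review bot: The new `BBScanSection` call in the build 15063 branch only handles success; when the 8-byte pattern is not found, `pData->ExRemoveTable` keeps whatever value it had and the branch still proceeds to `BBLocatePageTables` with no trace of the miss. The signature and the `-= 0x34` adjustment are tied to one kernel image, so a serviced 15063 kernel could plausibly fail the scan; I would add an explicit failure path such as `else { pData->ExRemoveTable = 0; DPRINT( "BlackBone: ExRemoveTable signature not found\n" ); }` and have consumers treat 0 as unavailable. How the field is consumed, and the start and end of `BBInitDynamicData`, are outside this hunk, so confirm that against the callers. In the second hunk, `DYN_PDE_BASE` and `DYN_PTE_BASE` are `ULONG_PTR` but are printed with `%p`; cast them to `(PVOID)` so the arguments match the format.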

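--- a/src/BlackBoneDrv/Private.h
+++ b/src/BlackBoneDrv/Private.h
@@ -166,10 +166,10 @@ typedef struct _DYNAMIC_DATA
 ULONG PrevMode; // KTHREAD::PreviousMode
 ULONG ExitStatus; // ETHREAD::ExitStatus
 ULONG MiAllocPage; // MiAllocateDriverPage offset
-ULONG ExRemoveTable; // ExRemoveHandleTable offset
+ULONG ExRemoveTable; // Ex(p)RemoveHandleTable offset
 
-ULONG_PTR DYN_PDE_BASE; // Win10 AU relocated PDE base VA
-ULONG_PTR DYN_PTE_BASE; // Win10 AU relocated PTE base VA
+ULONG_PTR DYN_PDE_BASE; // Win10 AU+ relocated PDE base VA
+ULONG_PTR DYN_PTE_BASE; // Win10 AU+ relocated PTE base VA
 } DYNAMIC_DATA, *PDYNAMIC_DATA;
 
 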