
Commit e66dde8

committed
Driver: refactored PTE_BASE/PDE_BASE; fixed DarthTon#336
1 parent 911c62f commit e66dde8


4 files changed

+426
-113
lines changed


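--- a/src/BlackBoneDrv/BlackBoneDrv.c
+++ b/src/BlackBoneDrv/BlackBoneDrv.c
@@ -11,14 +11,12 @@ NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING registr
 NTSTATUS BBInitDynamicData( IN OUT PDYNAMIC_DATA pData );
 NTSTATUS BBGetBuildNO( OUT PULONG pBuildNo );
 NTSTATUS BBScanSection( IN PCCHAR section, IN PCUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, OUT PVOID* ppFound );
-NTSTATUS BBLocatePageTables( IN OUT PDYNAMIC_DATA pData );
 VOID BBUnload( IN PDRIVER_OBJECT DriverObject );
 
 #pragma alloc_text(INIT, DriverEntry)
 #pragma alloc_text(INIT, BBInitDynamicData)
 #pragma alloc_text(INIT, BBGetBuildNO)
 #pragma alloc_text(INIT, BBScanSection)
-#pragma alloc_text(INIT, BBLocatePageTables)
 
 /*
 */
@@ -32,6 +30,7 @@ NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING Registr
 UNREFERENCED_PARAMETER( RegistryPath );
 
 // Get OS Dependant offsets
+InitializeDebuggerBlock( &g_KdBlock );
 status = BBInitDynamicData( &dynData );
 if (!NT_SUCCESS( status ))
 {
@@ -373,8 +372,6 @@ NTSTATUS BBInitDynamicData( IN OUT PDYNAMIC_DATA pData )
 pData->MiAllocPage = 0;
 if (NT_SUCCESS( BBScanSection( "PAGE", (PCUCHAR)"\x48\x8D\x7D\x18\x48\x8B", 0xCC, 6, (PVOID)&pData->ExRemoveTable ) ))
 pData->ExRemoveTable -= 0x60;
-
-status = BBLocatePageTables( pData );
 break;
 }
 else if (verInfo.dwBuildNumber == 15063)
@@ -392,8 +389,6 @@ NTSTATUS BBInitDynamicData( IN OUT PDYNAMIC_DATA pData )
 pData->MiAllocPage = 0;
 if (NT_SUCCESS( BBScanSection( "PAGE", (PCUCHAR)"\x48\x8B\x47\x20\x48\x83\xC7\x18", 0xCC, 8, (PVOID)&pData->ExRemoveTable ) ))
 pData->ExRemoveTable -= 0x34;
-
-status = BBLocatePageTables( pData );
 break;
 }
 else if (verInfo.dwBuildNumber == 16299)
@@ -411,8 +406,6 @@ NTSTATUS BBInitDynamicData( IN OUT PDYNAMIC_DATA pData )
 pData->MiAllocPage = 0;
 if (NT_SUCCESS( BBScanSection( "PAGE", (PCUCHAR)"\x48\x83\xC7\x18\x48\x8B\x17", 0xCC, 7, (PVOID)&pData->ExRemoveTable ) ))
 pData->ExRemoveTable -= 0x34;
-
-status = BBLocatePageTables( pData );
 break;
 }
 else if (verInfo.dwBuildNumber == 17134)
@@ -430,8 +423,6 @@ NTSTATUS BBInitDynamicData( IN OUT PDYNAMIC_DATA pData )
 pData->MiAllocPage = 0;
 if (NT_SUCCESS( BBScanSection( "PAGE", (PCUCHAR)"\x48\x83\xC7\x18\x48\x8B\x17", 0xCC, 7, (PVOID)&pData->ExRemoveTable ) ))
 pData->ExRemoveTable -= 0x34;
-
-status = BBLocatePageTables( pData );
 break;
 }
 else if (verInfo.dwBuildNumber == 17763)
@@ -449,8 +440,6 @@ NTSTATUS BBInitDynamicData( IN OUT PDYNAMIC_DATA pData )
 pData->MiAllocPage = 0;
 if (NT_SUCCESS( BBScanSection( "PAGE", (PCUCHAR)"\x48\x83\xC7\x18\x48\x8B\x17", 0xCC, 7, (PVOID)&pData->ExRemoveTable ) ))
 pData->ExRemoveTable -= 0x34;
-
-status = BBLocatePageTables( pData );
 break;
 }
 else
@@ -464,114 +453,27 @@ NTSTATUS BBInitDynamicData( IN OUT PDYNAMIC_DATA pData )
 if (pData->ExRemoveTable != 0)
 pData->correctBuild = TRUE;
 
-DPRINT(
-"BlackBone: Dynamic search status: SSDT - %s, ExRemoveTable - %s\n",
-GetSSDTBase() != NULL ? "SUCCESS" : "FAIL",
+DPRINT( "BlackBone: Dynamic search status: SSDT - %s, ExRemoveTable - %s\n",
+GetSSDTBase() != NULL ? "SUCCESS" : "FAIL",
 pData->ExRemoveTable != 0 ? "SUCCESS" : "FAIL"
 );
-
-return (pData->VadRoot != 0 ? status : STATUS_INVALID_KERNEL_INFO_VERSION);
-}
-
-return status;
-}
-
-/// <summary>
-/// PDE/PTE dynamic code offsets
-/// </summary>
-typedef struct _TABLE_OFFSETS
-{
-int PDE;
-int PTE;
-} TABLE_OFFSETS, *PTABLE_OFFSETS;
-
-/// <summary>
-/// Pre/Post 'meltdown' patch offsets
-/// </summary>
-typedef struct _TABLE_OFFSETS_MELT
-{
-// selector[0] - offsets for builds before 'meltdown' patch
-// selector[1] - offsets for builds after 'meltdown' patch
-TABLE_OFFSETS selector[2];
-} TABLE_OFFSETS_MELT, *PTABLE_OFFSETS_MELT;
-
-/// <summary>
-/// Get relocated PTE and PDE bases
-/// </summary>
-/// <param name="pData">Dynamic data</param>
-/// <returns>Status code</returns>
-NTSTATUS BBLocatePageTables( IN OUT PDYNAMIC_DATA pData )
-{
-ASSERT( pData->ver >= WINVER_10_RS1 );
 
-if (pData->ver >= WINVER_10_RS4)
-{
-const int index = pData->ver - WINVER_10_RS4 + (pData->ver >= WINVER_10_RS4 && pData->buildNo >= 195 ? 1 : 0);
-TABLE_OFFSETS offsets[] = {
-{ 0x32D, 0x6A9 },
-{ 0x82E, 0x1C82 },
-{ 0x10A9, 0x1158 },
-};
-
-UNICODE_STRING uName = RTL_CONSTANT_STRING( L"ExFreePoolWithTag" );
-PUCHAR pExFreePoolWithTag = MmGetSystemRoutineAddress( &uName );
-if (pExFreePoolWithTag)
+if (pData->ver >= WINVER_10_RS1)
 {
-pData->DYN_PDE_BASE = *(PULONG_PTR)(pExFreePoolWithTag + offsets[index].PDE + 2);
-pData->DYN_PTE_BASE = *(PULONG_PTR)(pExFreePoolWithTag + offsets[index].PTE + 2);
-
-DPRINT( "BlackBone: PDE_BASE: %p, PTE_BASE: %p\n", pData->DYN_PDE_BASE, pData->DYN_PTE_BASE );
-if (pData->DYN_PDE_BASE < MI_SYSTEM_RANGE_START || pData->DYN_PTE_BASE < MI_SYSTEM_RANGE_START)
-{
-DPRINT( "BlackBone: Invalid PDE/PTE base, aborting\n" );
-return STATUS_UNSUCCESSFUL;
-}
-
-return STATUS_SUCCESS;
+ULONGLONG mask = (1ll << (PHYSICAL_ADDRESS_BITS - 1)) - 1;
+dynData.DYN_PTE_BASE = (ULONG_PTR)g_KdBlock->PteBase;
+dynData.DYN_PDE_BASE = (ULONG_PTR)((g_KdBlock->PteBase & ~mask) | ((g_KdBlock->PteBase >> 9) & mask));
 }
-}
-else
-{
-const int index = pData->ver & 0xFF;
-const TABLE_OFFSETS_MELT offsets[] =
-{
-{ 0, 0, 0, 0 }, // No updates
-{ 0x49, 0x56, 0x52, 0x5F }, // WINVER_10_RS1
-{ 0x43, 0x50, 0x4B, 0x58 }, // WINVER_10_RS2
-{ 0x41, 0x4E, 0x4B, 0x58 } // WINVER_10_RS3
-};
 
-const ULONG patchThreshold[] =
+DPRINT( "BlackBone: PDE_BASE: %p, PTE_BASE: %p\n", pData->DYN_PDE_BASE, pData->DYN_PTE_BASE );
+if (pData->DYN_PDE_BASE < MI_SYSTEM_RANGE_START || pData->DYN_PTE_BASE < MI_SYSTEM_RANGE_START)
 {
-0, // No updates
-2007, // WINVER_10_RS1
-850, // WINVER_10_RS2
-192 // WINVER_10_RS3
-};
-
-UNICODE_STRING uName = RTL_CONSTANT_STRING( L"MmGetPhysicalAddress" );
-PUCHAR pMmGetPhysicalAddress = MmGetSystemRoutineAddress( &uName );
-if (pMmGetPhysicalAddress)
-{
-PUCHAR pMiGetPhysicalAddress = *(PLONG)(pMmGetPhysicalAddress + 0xE + 1) + pMmGetPhysicalAddress + 0xE + 5;
-
-// Meltdown fix check
-const int melt = (pData->buildNo >= patchThreshold[index]) ? 1 : 0;
-
-pData->DYN_PDE_BASE = *(PULONG_PTR)(pMiGetPhysicalAddress + offsets[index].selector[melt].PDE + 2);
-pData->DYN_PTE_BASE = *(PULONG_PTR)(pMiGetPhysicalAddress + offsets[index].selector[melt].PTE + 2);
-
-DPRINT( "BlackBone: PDE_BASE: %p, PTE_BASE: %p\n", pData->DYN_PDE_BASE, pData->DYN_PTE_BASE );
-if (pData->DYN_PDE_BASE < MI_SYSTEM_RANGE_START || pData->DYN_PTE_BASE < MI_SYSTEM_RANGE_START)
-{
-DPRINT( "BlackBone: Invalid PDE/PTE base, aborting\n" );
-return STATUS_UNSUCCESSFUL;
-}
-
-return STATUS_SUCCESS;
+DPRINT( "BlackBone: Invalid PDE/PTE base, aborting\n" );
+return STATUS_UNSUCCESSFUL;
 }
+
+return (pData->VadRoot != 0 ? status : STATUS_INVALID_KERNEL_INFO_VERSION);
 }
 
-DPRINT( "BlackBone: PDE_BASE/PTE_BASE not found \n" );
-return STATUS_NOT_FOUND;
+return status;
 }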
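Review bot: The new PteBase/PdeBase assignments in the last hunk (new lines 464–465) write into the file-scope `dynData`, while the range check two lines below and the rest of BBInitDynamicData operate on the `pData` parameter, so the check validates whatever stale values the caller's structure already held rather than the bases just derived; this only works because DriverEntry happens to pass `&dynData`. Change them to `pData->DYN_PTE_BASE = (ULONG_PTR)g_KdBlock->PteBase;` and `pData->DYN_PDE_BASE = (ULONG_PTR)((g_KdBlock->PteBase & ~mask) | ((g_KdBlock->PteBase >> 9) & mask));`. `g_KdBlock` is also dereferenced here with no NULL check, and the `InitializeDebuggerBlock( &g_KdBlock )` call added in the DriverEntry hunk discards any result it may return — if that routine can fail, its outcome should be checked before the bases are read, since an invalid PDE/PTE base in a kernel driver is exactly what the `MI_SYSTEM_RANGE_START` guard exists to catch. The mask is built from a signed `1ll` shift; `1ull` matches the ULONGLONG target and avoids undefined behaviour should `PHYSICAL_ADDRESS_BITS - 1` ever equal 63. BBInitDynamicData begins outside this hunk.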
