How could I use ShpEnablePageShadowingForRW to hide kernel memory? #46

Closed
LYingSiMon opened this issue Nov 29, 2022 · 5 comments

Comments

LYingSiMon commented Nov 29, 2022

Hello, this question has bothered me for a long time. I tried to use ShpEnablePageShadowingForRW inside the ShEnablePageShadowing function to hide the memory of nt!NtCreateFile. The code looks like this:

```cpp
_Use_decl_annotations_ NTSTATUS ShEnablePageShadowing(
    EptData* ept_data, const SharedShadowHookData* shared_sh_data) {
  // HYPERPLATFORM_COMMON_DBG_BREAK();

  // ======== mycode
  __debugbreak();
  HookInformation HookInfo = {0};

  // Zero-filled backing page; reads/writes of the target page get redirected here
  PVOID64 vAddr = ExAllocatePoolWithTag(NonPagedPool, 0x1000, 'lysd');
  if (!vAddr) {
    return STATUS_INSUFFICIENT_RESOURCES;
  }
  RtlZeroMemory(vAddr, 0x1000);

  // Hard-coded address of nt!NtCreateFile taken from my test machine
  HookInfo.patch_address = (void*)0xfffff8021caefa50;  // nt!NtCreateFile:
  HookInfo.pa_base_for_rw = UtilPaFromVa(vAddr);

  ShpEnablePageShadowingForRW(HookInfo, ept_data);
  // ======== mycode

  for (auto& info : shared_sh_data->hooks) {
    ShpEnablePageShadowingForExec(*info, ept_data);
  }

  return STATUS_SUCCESS;
}
```

The good news is that it works; the bad news is that it bluescreens 😅
[screenshot]

The dump file (OS version is Win10 1909 x64):
112922-9890-01.zip

Please give me some advice, thank you 🙂

tandasat (Owner) commented

It seems as though hiding is not working properly for me. The crash dump should not be able to view the actual contents at NtCreateFile, as in your screenshot.
[screenshot]

Did you try adding an NtCreateFile entry into g_ddimonp_hook_targets? The code is structured to depend on that list for adding new hooks.

LYingSiMon (Author) commented Dec 1, 2022

> It seems as though hiding is not working properly for me. The crash dump should not be able to view the actual contents at NtCreateFile, as in your screenshot. [screenshot]
>
> Did you try adding an NtCreateFile entry into g_ddimonp_hook_targets? The code is structured to depend on that list for adding new hooks.

Thank you for your reply.

Sorry for my bad English. The NtCreateFile in your screenshot is not hidden. Why is that? Do you mean that the hiding failed, or is it a WinDbg display problem?

I think it should be a display error, because when I blue-screened, NtCreateFile's memory was hidden (their addresses are close to each other), while NtWriteFile's memory was normal.
[screenshot]

LYingSiMon (Author) commented Dec 1, 2022

I don't add anything to g_ddimonp_hook_targets because my final goal is not to hook NtCreateFile, but to hide the memory of NtCreateFile. I don't know how to write the handler function, which makes me confused 🤔

Or maybe I should write the handler as null?
[screenshot]
Like this?
[screenshot]

tandasat (Owner) commented Dec 1, 2022

Fair enough. I am not sure if that's easy to achieve by modifying DdiMon, as it is written for hooking. You might have to hack around and fight against the existing code. I suggest you spend more time studying the code and potentially rewrite it for yourself.

LYingSiMon (Author) commented

I see. Thank you. It seems that I need more study.
