Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NtLockVirtualMemory fix #5

Merged
merged 4 commits into from
Nov 25, 2024
Merged

NtLockVirtualMemory fix #5

merged 4 commits into from
Nov 25, 2024

Conversation

Lafko
Copy link
Contributor

@Lafko Lafko commented Nov 25, 2024

NtLockVirtualMemory is not initialized

Lafko added 3 commits November 25, 2024 12:34
@Lafko
Update winternlex.cpp
ec6b641 
NtLockVirtualMemory is not initialized
@Lafko
Update data.h
ffa6d73 
Add offset
@Lafko
Update Setup.hpp
f36b4c4 
Init offset NtLockVirtualMemory
@cutecatsandvirtualmachines
Copy link
Owner

It's unused.

@Lafko
Copy link
Contributor Author

Lafko commented Nov 25, 2024

its used here

https://github.com/cutecatsandvirtualmachines/CheatDriver/blob/189ebbfe9891981835cdd62a09b689b47c8810d3/CheatDriver/src/comms.cpp#L583

https://github.com/cutecatsandvirtualmachines/CheatDriver/blob/189ebbfe9891981835cdd62a09b689b47c8810d3/CheatDriver/src/comms.cpp#L692

https://github.com/cutecatsandvirtualmachines/CheatDriver/blob/189ebbfe9891981835cdd62a09b689b47c8810d3/CheatDriver/src/comms.cpp#L982

@Lafko
Copy link
Contributor Author

Lafko commented Nov 25, 2024
edited
Loading

I don't know where to report this, but when I try to create a ShadowHook on functions that are distributed across different memory pages, the hook crashes the application. Even if I add an additional +PAGE_SIZE.

For example
uintptr_t dxgi = (uintptr_t)nt(GetModuleHandleA)("dxgi.dll"e); + ULONG64 Resize = parser.GetSymbolRVA(L"CDXGISwapChain::ResizeBuffers"e);

or

HMODULE gdi32 = nt(GetModuleHandleA)("gdi32.dll"e);
uintptr_t o_bitb = (uintptr_t)((uintptr_t)nt(GetProcAddress)(gdi32, "BitBlt"e));

ida64_esVM1dB1a8
BitBl start at 0x7FFED4B63E50 page start at 0x7FFED4B63000
0x1000 - 0xE50 = 0x1B0 = 432(bytes)
BitBl func size is 1028(bytes)
And that means 1028 - 432 = 596(bytes) need hook
I add 0x1000 to size and its do not help

It's different on different versions of Windows, but I think you understand what I mean.

@cutecatsandvirtualmachines
Copy link
Owner

I don't remember exactly the cause as I haven't touched this in a year now, but by default cross page hooks are unsupported. The crash is probably due to either an unpatched bug in the public version of the hv or some condition with usermode EPT vmexit handling. Either way the whole usermode EPT hook is basically a PoC to show it's possible to have them without lagging like a maniac like many other hv projects do, and can be done portably across amd and intel. You're on your own to fix this

cutecatsandvirtualmachines
cutecatsandvirtualmachines requested changes Nov 25, 2024
View reviewed changes
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where is DbgMsg2?

@cutecatsandvirtualmachines cutecatsandvirtualmachines merged commit 8967631 into cutecatsandvirtualmachines:master Nov 25, 2024
1 check failed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cutecatsandvirtualmachines cutecatsandvirtualmachines cutecatsandvirtualmachines requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Lafko @cutecatsandvirtualmachines