1765203475-VmWareThrough-main
Studying this code shows why the VMware memory-size setting matters: the configuration dialog warns that going above a certain amount of memory may cause memory swapping. If a large amount of memory is chosen and the guest's pages get swapped out, the page reads used by the scan fail and the data can no longer be found when searching the kernel.
See the function below:
BOOLEAN VMFindKernel() {
    char buffer[0x1000] = { 0 };
    // Walk downward one page at a time, from 512 MB above the 2 MB-aligned entry
    // down to 8 GB below it, looking for the kernel image header.
    for (DWORD64 i = (gNtProcessData.MemoryKernelEntry & ~0x1fffff) + 0x20000000;
         i > gNtProcessData.MemoryKernelEntry - 0x200000000; i -= 0x1000) {
        // A swapped-out or unmapped page cannot be read: skip it.
        if (!VMReadVmVirtualAddr(buffer, gNtProcessData.MemoryKernelDirbase, i, 0x1000)) {
            continue;
        }
        // Candidate page starts with the "MZ" DOS header.
        if ((*(short*)(void*)(buffer) == IMAGE_DOS_SIGNATURE)) {
            int kdbg = 0, poolCode = 0;
            // Scan every 8-byte window inside the page; stop 8 bytes before the end
            // so the DWORD64 read never runs past the buffer.
            for (int u = 0; u <= (int)(0x1000 - sizeof(DWORD64)); u++) {
                kdbg = kdbg ||
                       *(DWORD64*)(void*)(buffer + u) ==
                       0x4742444b54494e49; // INITKDBG:
                // the INITKDBG section holds the main detection logic of PG (PatchGuard)
                poolCode = poolCode || *(DWORD64*)(void*)(buffer + u) ==
                           0x45444f434c4f4f50; // POOLCODE
                // Both section names must be present in the same page.
                if (kdbg && poolCode) {
                    printf("MemoryKernelBase:%p\n", (void*)i);
                    gNtProcessData.MemoryKernelBase = i;
                    gNtProcessData.SystemProcessEprocess = (DWORD64)VMGetExportsFunAddr(
                        gNtProcessData.MemoryKernelBase, "PsInitialSystemProcess", FALSE);
                    gNtProcessData.PsLoadedModuleListPtr = VMGetExportsFunAddr(
                        gNtProcessData.MemoryKernelBase, "PsLoadedModuleList", TRUE);
                    return (gNtProcessData.SystemProcessEprocess && gNtProcessData.PsLoadedModuleListPtr) ? TRUE : FALSE;
                }
            }
        }
    }
    return FALSE;
}
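The following is an added, self-contained example (not code from this repository) that reproduces the scan above against a constructed in-memory stand-in for guest memory, so the behaviour can be checked offline. VMReadVmVirtualAddr is replaced by a hypothetical read_guest_page that fails for any page outside the mapped window, which is exactly what an unreadable (swapped-out) page looks like to the scanner; the guest base address, the page layout and the entry address are all made up. The inner loop also keeps the 8-byte window inside the page, and the decoy pages show that an "MZ" header with only one of the two section names is not accepted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 0x1000u
#define DOS_MAGIC 0x5A4Du          /* "MZ" as a little-endian WORD */
#define NPAGES 8

/* Little-endian QWORD encodings of the section names used on the page. */
static const uint64_t TAG_INITKDBG = 0x4742444b54494e49ULL; /* "INITKDBG" */
static const uint64_t TAG_POOLCODE = 0x45444f434c4f4f50ULL; /* "POOLCODE" */

/* Constructed stand-in for guest memory: one flat mapped window [base, base+size). */
typedef struct {
    const uint8_t *data;
    size_t size;
    uint64_t base;
} GuestMem;

/* Hypothetical replacement for VMReadVmVirtualAddr: copies one page, or fails
 * when the page is not mapped (what a swapped-out guest page looks like here). */
static bool read_guest_page(const GuestMem *gm, uint64_t va, uint8_t *out) {
    if (va < gm->base || va + PAGE_SIZE > gm->base + gm->size) return false;
    memcpy(out, gm->data + (va - gm->base), PAGE_SIZE);
    return true;
}

/* Same test as the page's inner loop; the 8-byte window never leaves the page. */
static bool page_has_kernel_tags(const uint8_t *page) {
    uint16_t magic;
    memcpy(&magic, page, sizeof magic);        /* no unaligned dereference */
    if (magic != DOS_MAGIC) return false;
    bool kdbg = false, pool = false;
    for (size_t u = 0; u + sizeof(uint64_t) <= PAGE_SIZE; u++) {
        uint64_t v;
        memcpy(&v, page + u, sizeof v);
        kdbg = kdbg || v == TAG_INITKDBG;
        pool = pool || v == TAG_POOLCODE;
        if (kdbg && pool) return true;         /* both names in one page */
    }
    return false;
}

/* Downward page walk with the same window as VMFindKernel:
 * from (entry & ~0x1fffff) + 0x20000000 down to entry - 0x200000000. */
uint64_t find_kernel_base(const GuestMem *gm, uint64_t entry) {
    uint8_t page[PAGE_SIZE];
    uint64_t start = (entry & ~0x1fffffULL) + 0x20000000ULL;
    uint64_t low = entry > 0x200000000ULL ? entry - 0x200000000ULL : 0;
    for (uint64_t va = start; va > low; va -= PAGE_SIZE) {
        if (!read_guest_page(gm, va, page)) continue;   /* unreadable page: skip */
        if (page_has_kernel_tags(page)) return va;
    }
    return 0;                                            /* nothing found */
}

/* Constructed sample: NPAGES guest pages at a made-up base. Page kernel_idx (if >= 0)
 * gets an MZ header plus both tags; pages 5 and 6 are decoys that must be rejected. */
static uint8_t guest[NPAGES * PAGE_SIZE];
uint64_t run_demo(int kernel_idx) {
    const uint64_t base = 0xFFFFF80000000000ULL;          /* assumed, not a real address */
    memset(guest, 0, sizeof guest);
    uint8_t *p5 = guest + 5 * PAGE_SIZE, *p6 = guest + 6 * PAGE_SIZE;
    memcpy(p5, "MZ", 2); memcpy(p5 + 0x100, "POOLCODE", 8);                  /* MZ, one tag */
    memcpy(p6 + 0x100, "INITKDBG", 8); memcpy(p6 + 0x200, "POOLCODE", 8);   /* tags, no MZ */
    if (kernel_idx >= 0) {
        uint8_t *pk = guest + kernel_idx * PAGE_SIZE;
        memcpy(pk, "MZ", 2);
        memcpy(pk + 0x200, "INITKDBG", 8);
        memcpy(pk + PAGE_SIZE - 8, "POOLCODE", 8);       /* last window that fits the page */
    }
    GuestMem gm = { guest, sizeof guest, base };
    uint64_t entry = base + 0x3000 + 0x1A2B;             /* some address inside the image */
    return find_kernel_base(&gm, entry);
}

int main(void) {
    printf("MemoryKernelBase:%llx\n", (unsigned long long)run_demo(3));
    return 0;
}
```

With the kernel placed in page 3, the walk passes the two decoy pages and returns the base of page 3; with no kernel page placed, it returns 0 after walking the whole window, which is also what the real scanner sees when the guest's pages have been swapped out and every read fails.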