This repository has been archived by the owner on Sep 1, 2024. It is now read-only.

Add CPUID Password Protection and User-Mode Hook Management #26

Merged
merged 24 commits into from
May 19, 2024

Conversation

memN0ps
Owner

@memN0ps memN0ps commented May 19, 2024

  • Client-Hypervisor Communication: Implemented CPUID password protection for secure client communication with the hypervisor.
  • User-Mode Hooks: Enabled hooking and unhooking from user-mode via function hash.
  • Testing Requirements: Need to test at least 5-10 hooks, including multiple hooks on the same page.
  • KernelHook Struct Update: Major updates to the KernelHook struct to track all ntoskrnl.exe function VAs and syscalls.
  • Kernel Inline Hooks: Replacing all function names starting with "Zw" with "Nt" in the export map and sorting keys by their values to extract SSNs.
  • Kernel EPT Hook Function: Unified hook enabling and disabling into a single kernel_ept_hook function.
  • Commands Module Update: commands.rs now handles 2 commands, passing them to KernelHooks which interacts with HookManager.
  • Testing Flexibility: New functionalities can be tested at boot time or from user-mode.

Mostly helps solve: #20 and #21
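The "Kernel Inline Hooks" bullet above describes deriving syscall numbers from the export map by renaming Zw exports to Nt and ordering them by address. The following is an added example in Rust, not code from this repository: `build_ssn_table`, `ssn_for` and `sample_exports` are names of my own, the export map and its addresses are constructed sample data, and the code assumes (as the technique does) that the Zw stubs are laid out in ascending SSN order.

```rust
use std::collections::BTreeMap;

/// Derive system service numbers from an export map (name -> VA).
/// Only the Zw* exports are used: each is renamed to its Nt* form, the
/// entries are sorted by virtual address, and the index in that sorted
/// order is taken as the SSN. Assumption of this constructed example (and
/// of the technique itself): Zw stubs are laid out in ascending SSN order.
pub fn build_ssn_table(exports: &BTreeMap<String, u64>) -> Vec<(String, u64, u32)> {
    let mut entries: Vec<(String, u64)> = exports
        .iter()
        .filter(|(name, _)| name.starts_with("Zw"))
        .map(|(name, &va)| (format!("Nt{}", &name[2..]), va))
        .collect();
    entries.sort_by_key(|&(_, va)| va);
    entries
        .into_iter()
        .enumerate()
        .map(|(ssn, (name, va))| (name, va, ssn as u32))
        .collect()
}

/// Look up the SSN of an Nt* name in a table built by `build_ssn_table`.
pub fn ssn_for(table: &[(String, u64, u32)], name: &str) -> Option<u32> {
    table
        .iter()
        .find(|(n, _, _)| n.as_str() == name)
        .map(|&(_, _, ssn)| ssn)
}

/// Constructed sample export map: addresses are made up, Zw entries are
/// inserted out of address order, and non-Zw exports show they are skipped.
pub fn sample_exports() -> BTreeMap<String, u64> {
    vec![
        ("ZwWaitForSingleObject", 0x40_1080u64),
        ("ZwAccessCheck", 0x40_1000),
        ("ExAllocatePool2", 0x52_0000),
        ("ZwAcceptConnectPort", 0x40_1040),
        ("ZwWorkerFactoryWorkerReady", 0x40_1020),
        ("KeBugCheckEx", 0x53_0000),
        ("ZwMapUserPhysicalPagesScatter", 0x40_1060),
    ]
    .into_iter()
    .map(|(name, va)| (name.to_string(), va))
    .collect()
}

fn main() {
    for (name, va, ssn) in build_ssn_table(&sample_exports()) {
        println!("SSN {:#05x}  VA {:#x}  {}", ssn, va, name);
    }
}
```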

@memN0ps memN0ps merged commit abe01ca into main May 19, 2024
1 check passed
@memN0ps memN0ps deleted the development branch May 20, 2024 01:35
@memN0ps
Owner Author

memN0ps commented May 21, 2024

SSDT is still needed for syscall hooks, accidentally removed it and currently performing NTOS hooks instead. Both would be nice to have…
