Closed BaiFeng666 closed 5 months ago
3499409631
commented
5 months ago because of the eac changed the cr3 of the apex So what you need is get the real cr3 and then you can use this code Watch this post https://github.com/Rythorndoran/enum_real_dirbase/
BaiFeng666
commented
5 months ago because of the eac changed the cr3 of the apex So what you need is get the real cr3 and then you can use this code Watch this post https://github.com/Rythorndoran/enum_real_dirbase/
Thanks for the reply, I'm not sure which one in the project is "read cr3", is it "dirbase"?
Then should I replace it with cr3.Value = __readcr3(); in your project?
I'm still learning the kernel and don't know a lot about it..
BaiFeng666
commented
5 months ago i can get real cr3 now, but there seem mistake (x64 can't use _invlpg()) `auto readphysaddressV2(PVOID address, PVOID buffer, SIZE_T size, SIZE_T* read) -> void { if (!address) return;
PHYSICAL_ADDRESS addr = { 0 };
addr.QuadPart = (LONGLONG)address;
auto mapped_mem = MmMapIoSpaceEx(addr, size, PAGE_READWRITE);
if (!mapped_mem)
return;
memcpy(buffer, mapped_mem, size);
*read = size;
MmUnmapIoSpace(mapped_mem, size);}`
I use a similar code, but it doesn't read apex