3499409631 / ReadPhysicalMemory-Without-API

This project can bypass most anti-cheats, except for the few hardcore ones that enable VT to monitor page tables

When the data is on a different page #3

Closed BaiFeng666 closed 5 months ago

BaiFeng666 commented 5 months ago

```c
void ReadPhysicalAddress(const UINT32 pageIndex, const ULONG64 targetAddress, const PVOID buffer, const SIZE_T size)
{
    _PAGE* pageInfo = &PageList[pageIndex];
    const ULONG64 OldPFN = pageInfo->PTE->PFN;
    SIZE_T done = 0;

    // Walk the request one physical frame at a time: remap the reserved
    // page's PTE to the frame that holds the current offset, flush the TLB
    // entry, copy up to the end of that frame, then advance.
    while (done < size) {
        const ULONG64 current = targetAddress + done;
        const ULONG pageOffset = (ULONG)(current % PAGE_SIZE);
        const ULONG64 pageStartPhysical = current - pageOffset;

        // Bytes left in this frame, capped by what the caller still wants.
        // SIZE_T is unsigned, so the cap also avoids an underflow when the
        // whole read fits inside one page.
        SIZE_T chunk = PAGE_SIZE - pageOffset;
        if (chunk > size - done) chunk = size - done;

        pageInfo->PTE->PFN = PAGE_TO_PFN(pageStartPhysical);
        __invlpg(pageInfo->VirtualAddress);

        // Read the current frame through the remapped window.
        memcpy((char*)buffer + done, (char*)pageInfo->VirtualAddress + pageOffset, chunk);
        done += chunk;
    }

    // Put the original mapping back and flush again.
    pageInfo->PTE->PFN = OldPFN;
    __invlpg(pageInfo->VirtualAddress);
}
```

Maybe it could be optimized