TheCruZ / kdmapper

KDMapper is a simple tool that exploits iqvw64e.sys Intel driver to manually map non-signed drivers in memory
MIT License

Failed to get ntoskrnl.exe #120

Closed iPigTW closed 11 months ago

iPigTW commented 11 months ago

Running on WIN11 23H2 25992.1000

TheCruZ commented 11 months ago

You are using a Windows Insider build version; the latest version for public usage is still 22631. Since Windows 11 Insider versions have constant changes until they become a release, I will not check the issue further. Make sure you are not using anything else, like an antivirus, that can intercept or block NtQuerySystemInformation, and try to fix it yourself. You are welcome to write down here what is going on with the fix and I will be glad to add it to the main repository.

ordinary-github-user commented 7 months ago

2 solutions to grab the ntoskrnl virtual address from user mode:

1. Find a driver that reads MSRs. `rdmsr(0xC0000082)` = virtual address of KiSystemCall64. Pattern-scan ntoskrnl.exe from disk to grab the RVA of KiSystemCall64. (virtual address of KiSystemCall64) - (RVA of KiSystemCall64) = ntoskrnl virtual address.
2. Find a driver that reads physical memory / maps physical memory to user mode (MmMapIoSpace won't work because it can't map pages that contain page tables). Enumerate possible kernel CR3 values -> enumerate possible ntoskrnl virtual addresses using CR3 as the page table base -> verify the CR3 + ntoskrnl pair. Pseudocode:

   ```c
   for (uint64 cr3 = 0; cr3 < highestPhysicalAddress; cr3 += 0x1000)
       for (uint64 pNtoskrnl : allReadExecutePagesOf(cr3)) // this is actually a 4-level for loop that walks the page tables starting from cr3
           if (verify(cr3, pNtoskrnl))
               return {cr3, pNtoskrnl};
   return not_found;
   ```
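
As an added example for solution 1 above (this is not code from the kdmapper project or from the commenter): the part that actually runs in user mode is rebasing a pattern hit in the on-disk ntoskrnl.exe to an RVA through the PE section table, then subtracting that RVA from the LSTAR value. A file offset is not an RVA, so a naive `memmem` over the file gives the wrong answer; the section header of the hit has to be consulted. The MSR read itself needs a helper driver and is stood in for by a constructed constant; the image is a constructed minimal PE, not a real kernel, and the KiSystemCall64 prologue bytes and all addresses are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field helpers for walking/building the PE headers by hand. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Assumed prologue of KiSystemCall64 (swapgs; mov gs:[disp32], rsp) with the
 * displacement wildcarded. Illustrative only: derive the real bytes from your
 * own disassembly of the build you are targeting. */
static const uint8_t SYSCALL_PROLOGUE[] = {0x0F, 0x01, 0xF8, 0x65, 0x48, 0x89, 0x24, 0x25, 0x10, 0x00, 0x00, 0x00};
static const char    SYSCALL_MASK[]     = "xxxxxxxx????";   /* 'x' = must match, '?' = wildcard */

/* Scan every section's raw data for pat/mask and return the RVA of the first hit, or 0.
 * The file offset of a hit is not its RVA: sections are file-aligned (0x200) but
 * mapped at page granularity, so rebase through the owning section header:
 *   rva = VirtualAddress + (offset - PointerToRawData). */
uint32_t find_pattern_rva(const uint8_t *img, size_t len, const uint8_t *pat, const char *mask)
{
    size_t plen = strlen(mask);
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe = rd32(img + 0x3C);                          /* e_lfanew */
    if ((size_t)pe + 24 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    uint16_t nsec = rd16(img + pe + 6);                      /* FileHeader.NumberOfSections */
    uint16_t opt  = rd16(img + pe + 20);                     /* FileHeader.SizeOfOptionalHeader */
    size_t sh = (size_t)pe + 24 + opt;                       /* first IMAGE_SECTION_HEADER (40 bytes each) */
    for (uint16_t s = 0; s < nsec; s++, sh += 40) {
        if (sh + 40 > len) return 0;
        uint32_t va  = rd32(img + sh + 12);                  /* VirtualAddress   */
        uint32_t raw = rd32(img + sh + 16);                  /* SizeOfRawData    */
        uint32_t ptr = rd32(img + sh + 20);                  /* PointerToRawData */
        if ((size_t)ptr + raw > len || raw < plen) continue;
        for (size_t off = ptr; off + plen <= (size_t)ptr + raw; off++) {
            size_t i = 0;
            while (i < plen && (mask[i] == '?' || img[off + i] == pat[i])) i++;
            if (i == plen) return va + (uint32_t)(off - ptr);
        }
    }
    return 0;
}

/* base = IA32_LSTAR - RVA(KiSystemCall64). Reject anything that is not page
 * aligned or not in the kernel half of the address space, so a stale MSR value
 * or a pattern hit in the wrong place does not produce a bogus base. */
uint64_t kernel_base_from_lstar(uint64_t lstar, uint32_t rva)
{
    if (rva == 0 || lstar < rva) return 0;
    uint64_t base = lstar - rva;
    if ((base & 0xFFF) != 0 || base < 0xFFFF800000000000ULL) return 0;
    return base;
}

/* Constructed stand-in for ntoskrnl.exe on disk (not a real image): MZ stub,
 * PE signature at 0x80, PE32+ optional header size, and one .text section whose
 * raw bytes sit at file offset 0x400 but map at RVA 0x1000. */
#define SAMPLE_LEN 0x600
size_t build_sample_image(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x80);                                  /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    wr16(buf + 0x84, 0x8664);                                /* Machine = AMD64 */
    wr16(buf + 0x86, 1);                                     /* NumberOfSections */
    wr16(buf + 0x94, 0xF0);                                  /* SizeOfOptionalHeader (PE32+) */
    uint8_t *sh = buf + 0x98 + 0xF0;                         /* section header at 0x188 */
    memcpy(sh, ".text", 5);
    wr32(sh + 8, 0x1000);  wr32(sh + 12, 0x1000);            /* VirtualSize, VirtualAddress */
    wr32(sh + 16, 0x200);  wr32(sh + 20, 0x400);             /* SizeOfRawData, PointerToRawData */
    memcpy(buf + 0x4A0, SYSCALL_PROLOGUE, sizeof SYSCALL_PROLOGUE);  /* file 0x4A0 -> RVA 0x10A0 */
    return SAMPLE_LEN;
}

int main(void)
{
    uint8_t img[SAMPLE_LEN];
    size_t len = build_sample_image(img);
    uint32_t rva = find_pattern_rva(img, len, SYSCALL_PROLOGUE, SYSCALL_MASK);
    /* What a helper driver would hand back for rdmsr(0xC0000082); a constructed value here. */
    uint64_t lstar = 0xFFFFF80012A010A0ULL;
    printf("KiSystemCall64 rva=%#x  ntoskrnl base=%#llx\n", rva,
           (unsigned long long)kernel_base_from_lstar(lstar, rva));
    return 0;
}
```

On a real system the scanned file must be the same ntoskrnl.exe the running kernel was loaded from, and the pattern should be unique in the image; a hit at file offset 0x4A0 here resolves to RVA 0x10A0 only because the section table is consulted, which is exactly the step that a raw file-offset subtraction gets wrong.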
mmkingdestroye commented 3 months ago

This issue will be fixed by granting Debug Privilege

mmkingdestroye commented 3 months ago


EasyAntiCheatEos commented 2 months ago

hard code that shit