Manual mapper that uses PTE manipulation, Virtual Address Descriptor (VAD) manipulation, and forceful memory allocation to hide executable pages. (VAD hide / NX bit swapping)

Overview

Stealthy Kernel-mode Injector

Manual mapper that uses PTE manipulation, Virtual Address Descriptor (VAD) manipulation, and forceful memory allocation to hide executable pages.

Injector

To hide our exectuable pages, the injector supports the following techniques:

  • Spoof page protection by modifying PTE execute bit or VAD protection flags
  • Remove created VAD entries after allocation
  • Forcefully allocate and write our DLL to wherever we want in the process address space

Manipulating the VAD or underlying PTEs is desired in order to spoof page protection from API functions which rely on the VAD such as NtQueryVirtualMemory. In the case of this injector, we use VAD and PTE manipulation interchangely as they are both used to fake the protections specified by the VAD.

Rather than "randomly" allocating memory by using an API function such as NtAllocateVirtualMemory, forcefully allocating memory via the VAD is used to write our DLL to an "unconventional" location in a processes address space. Anti-tampering solutions using heuristics to detect unwanted executable pages outside signed modules may avoid searching some memory regions to prevent false positives. This injector will allocate memory behind the thread stack.

To execute our DLL, the injector will use SetWindowsHookEx to load a valid DLL such as ntdll.dll, then use the hook procedure to hijack control flow to call our DLL entry point.

Driver

Stealthy communication between our user-mode client and kernel-mode driver is achieved by placing a series of PatchGuard safe function hooks inside the windows kernel. An initial hook is placed on a function that is callable from user-mode using a syscall. Then, instead of immediately redirecting execution to our driver, the hook will lead to another function within the same kernel image, which we then hook to be redirected to our driver.

The reason why we go through this process is to make it difficult to verify the integrity of ntoskrnl.exe. Since there are few usable functions inside ntoskrnl.exe suitable for communication, a separate driver looking to prevent tampering of ntoskrnl.exe could manually verify functions known to be used for user to kernel-mode communication by checking if they lead to an address outside a valid kernel image. However, if we chain hooks within the same kernel image the amount of possible functions an anti-tampering driver would need to verify increases significantly.

The driver is meant to be mapped into the kernel and includes some functionality to hide that a mapper was ever loaded. This includes clearing the PiDDBCacheTable, MmUnloadedDrivers, and g_KernelHashBucketList.

Strings in the driver and user-mode client are encrypted at compile time using skCrypter

Showcase

The following images show the process memory map of each setting after the DLL is mapped. The memory regions of the mapped DLL are highlighted.


Generic manual mapping with no attempt to hide our DLL

Spoof execution permission using PTE manipulation

Spoof execution permission using VAD manipulation

Remove created nodes from VAD tree

Forcefully allocate and write DLL behind thread stack

Usage

  1. Load the driver
  2. Run Client.exe from the command line
Usage: Client.exe <Window class name> <DLL> <Spoof page protection> <Remove VAD node> <Allocate behind thread stack>
<Spoof Page Protection>:
	0 - Do not spoof page protection
	1 - Spoof page protection via PTE manipulation
    2 - Spoof page protection via VAD manipulation
<Remove VAD node>:
	0 - Do not remove VAD node
	1 - Remove VAD node
<Allocate behind thread stack>:
	0 - Randomly allocate memory
	1 - Allocate memory behind thread stack

Build

Build using Visual Studio 2019 and the Windows Driver Kit

Note

The binaries were only tested on Windows 10 21H1

Only supports injection of a x64 DLL into a x64 process

The hooks placed on ntoskrnl.exe are not HVCI compatible

Credits

Blackbone by DarthTon

modmap by btbd

FACE Injector by busybox10

skCrypter by skadro

kdmapper by z175 and TheCruZ

Comments
  • PE headers missing?

    PE headers missing?

    It seems like PE headers does not get mapped properly I cannot seem to find the reason for it, WriteSections and everything seems to be correctly but yet PE Headers get skipped magically.

    opened by rohybnol 0
  • Errors while building

    Errors while building

    I'm using Release/x64, when I build I get 22 compiler errors. Errors are these: Main.cpp, line 9 (C2220, the following warning was treated as an error), IA32.h line 249 (C2220, the following warning was treated as an error), Communication.cpp line 156/157/166/167/176/177/ (C2065, 'TIME': undeclared identifier), Hide.cpp line 40/41/56/57/156/157/174/175/225/233/234/ (C2065, 'TIME': undeclared identifier). @charliewolfe

    opened by malvo-lorne 0
  • Nice Idea

    Nice Idea

    Firstly thanks for the neat ideas in that project which you share publicly, I tried it out and it works flawlessly for a messagebox sample. I tried a sample dll from me, however it seems that it is not possible to create a thread inside when choosing your execution over hook? Is it needed to go over the SetWindowsHooks and a hook in general, or would it be possible to call the dll entry point itself oldshool?

    TLDR: I am not able to get other dlls to properly inject with your injector for everything else then a sample message box and I am asking why, as there is no crash or something, just the execution stucks which I guess is cause of the CreateThread in the dll.

    btw I am on 21H2 but the offsets and patterns seems fine too

    opened by rohybnol 0
  • Problems with PTE Spoofing

    Problems with PTE Spoofing

    Sometimes cheat will crash after X amount of time, I heard this can be fixed by locking the pages first with MmProbeAndLockPages, how and where would I implement this? Kind regards

    opened by Wearwolfy 0
  • Failed to allocate memory

    Failed to allocate memory

    Mapped with kdmapper and then tried injecting with the client into notepad and edge browser, only to get "Failed to allocate memory". Im on windows 20H2. Any ideas?

    opened by git-eternal 1
Owner
Charlie Wolfe
Charlie Wolfe
A simple PoC to demonstrate that is possible to write Non writable memory and execute Non executable memory on Windows

WindowsPermsPoC A simple PoC to demonstrate that is possible to write Non writable memory and execute Non executable memory on Windows You can build i

Lorenzo Maffia 55 Jul 21, 2022
Invoke functions with a spoofed return address. For 32-bit Windows binaries

Invoke functions with a spoofed return address. For 32-bit Windows binaries. Supports __fastcall, __thiscall, __stdcall and __cdecl calling conventions. Written in C++17.

Daniel Krupiński 86 Nov 25, 2022
Memory Process File System (MemProcFS) is an easy and convenient way of viewing physical memory as files in a virtual file system

The Memory Process File System (MemProcFS) is an easy and convenient way of viewing physical memory as files in a virtual file system.

Ulf Frisk 1.7k Dec 2, 2022
C Program to input a string and adjust memory allocation according to the length of the string.

C-String C Program to input a string and adjust memory allocation according to the length of the string. With the help of this program, we have replic

Kunal Kumar Sahoo 1 Jan 20, 2022
Get Next Line is a project at 42. It is a function that reads a file and allows you to read a line ending with a newline character from a file descriptor

Get Next Line is a project at 42. It is a function that reads a file and allows you to read a line ending with a newline character from a file descriptor. When you call the function again on the same file, it grabs the next line

Mhamed Ajjig 5 Nov 15, 2022
this project is a function in c to take the next line of a file or a file descriptor. this is a project of 42 school.

Get Next Line of 42. Make with ❤︎ for Luiz Cezario ?? Index What's this Repo? List of Archives Technologies How to Run Find a Bug? Or somenthing need

Luiz lima cezario 7 Nov 28, 2022
Second project for 42 : Reading text available on the file descriptor one line at a time.

get_next_line Initial commit This project will not only allow you to add a very convenient function to your collection, but it will also allow you to

Dieau 1 Mar 28, 2022
Reading a line on a file descriptor is way too tedious.

Get_next_line 1337's PROJECT : Reading a line on a fd is way too tedious In this repo you will find all the codes developed during the get_next_line 1

Abdessamad Laamimi 0 Feb 16, 2022
DRAGEN open-source mapper

Dragmap Dragmap is the Dragen mapper/aligner Open Source Software. Installation Prerequisites Compilation was tested on CentOS 7 C++11 compatible comp

Illumina 114 Nov 28, 2022
x64 Windows kernel driver mapper, inject unsigned driver using anycall

anymapper x64 Windows kernel driver mapper, inject unsigned driver using anycall This project is WIP. Todo Fix: Can't make API calls from IAT nor func

Kento Oki 71 Nov 26, 2022
SinMapper - usermode driver mapper that forcefully loads any signed kernel driver

usermode driver mapper that forcefully loads any signed kernel driver (legit cert) with a big enough section (example: .data, .rdata) to map your driver over. the main focus of this project is to prevent modern anti-cheats (BattlEye, EAC) from finding your driver and having the power to hook anything due to being inside of legit memory (signed legit driver).

null 166 Nov 25, 2022
A video input (V4L2) to NDI converter that works with Raspberry Pi (32-bit and 64-bit), and Intel/AMD CPUs

V4L2 to NDI V4L2 to NDI is an application that connects to attached V4L2 devices and encodes the video signal into NDI It uses the NDI library, allowi

Luke Plassman 49 Nov 12, 2022
Professor Terence Parr has taught us how to create a virtual machine Now it is time to pwn virtual machine

My First real world CTF Simple Virtual Machine Challenge description Professor Terence Parr has taught us how to create a virtual machine Now it is ti

null 1 Feb 17, 2022
Formatted C++20 stdlib man pages (cppreference)

C++ stdlib man pages stdman is a tool that parses archived HTML files from cppreference and generates groff-formatted manual pages for Unix-based syst

Jeaye Wilkerson 862 Nov 25, 2022
This is kdmapper but it doesn't use ExAllocatePool instead it allocates pages to avoid being in BigPoolTable,

KDMapper without allocating memory in BigPoolTable Original creator https://github.com/z175 Improved by https://github.com/TheCruZ TheCruz has intergr

tygo lokum 35 Nov 22, 2022
Remap ELF LOAD segments to huge pages

Quick start Not recommended as a production solution, but it's a very fast way to benchmark if your application benefits from remapping your text and

null 17 Oct 18, 2022
Bypass Roblox's Trustcheck via the JNZ address of it

What is a Trustcheck? Roblox has a check to see if the URL that was inputted is trusted by them or not, this can be bypassed via 2 options. You can ei

Rexi 5 Sep 25, 2022
A faster,smaller,Address Sanitizer,200X Faster,95% Smaller.

FirASAN(Fir Address Sanitizer) A faster,smaller,Address Sanitizer 200X Faster,95% Smaller. FirASAN 结论: 内存消耗 CPU消耗 ASAN原版 +100-150% +200%以上 FirASAN +5%

null 11 Aug 16, 2022
Bitcoin/Ethereum Address Prefix Finder

VanitySearch A small modification of VanitySearch Added private key random between minimum and maximum hash values. Example for CPU Run: VanitySearch.

Fialka M-125 11 Jun 17, 2022