Add windows build checker

GDATASoftwareAG · Aug 24, 2023 · bef0526 · bef0526
1 parent ceffab7
commit bef0526
Show file tree

Hide file tree

Showing 9 changed files with 32 additions and 5 deletions.
diff --git a/vmicore/src/include/vmicore/vmi/IIntrospectionAPI.h b/vmicore/src/include/vmicore/vmi/IIntrospectionAPI.h
@@ -56,6 +56,8 @@ namespace VmiCore
 
         [[nodiscard]] virtual OperatingSystem getOsType() = 0;
 
+        [[nodiscard]] virtual uint16_t getWindowsBuild() = 0;
+
         [[nodiscard]] virtual addr_t getOffset(const std::string& name) = 0;
 
         [[nodiscard]] virtual addr_t getKernelStructOffset(const std::string& structName,

diff --git a/vmicore/src/lib/os/windows/Constants.h b/vmicore/src/lib/os/windows/Constants.h
@@ -4,6 +4,7 @@
 namespace VmiCore::Windows
 {
     constexpr pid_t SYSTEM_PID = 4;
+    constexpr uint16_t winBuildRedstone3 = 17134;
 }
 
 #endif // VMICORE_WINDOWS_CONSTANTS_H
diff --git a/vmicore/src/lib/os/windows/KernelAccess.cpp b/vmicore/src/lib/os/windows/KernelAccess.cpp
@@ -116,7 +116,7 @@ namespace VmiCore::Windows
 
     addr_t KernelAccess::extractKernelDirectoryTableBase(addr_t eprocessBase) const
     {
-        return vmiInterface->read64VA(eprocessBase + kernelOffsets.kprocess.kernelDirectoryTableBase,
+        return vmiInterface->read64VA(eprocessBase + kernelOffsets.kprocess.directoryTableBase,
                                       vmiInterface->convertPidToDtb(SYSTEM_PID));
     }
 

diff --git a/vmicore/src/lib/os/windows/KernelOffsets.cpp b/vmicore/src/lib/os/windows/KernelOffsets.cpp
@@ -1,4 +1,5 @@
 #include "KernelOffsets.h"
+#include "Constants.h"
 #include <fmt/core.h>
 
 namespace VmiCore::Windows
@@ -45,13 +46,25 @@ namespace VmiCore::Windows
                                 .Right = vmiInterface->getKernelStructOffset("_RTL_BALANCED_NODE", "Right")},
             .fileObject = {.FileName = vmiInterface->getKernelStructOffset("_FILE_OBJECT", "FileName")},
             .section = {.controlArea = vmiInterface->getKernelStructOffset("_SECTION", "u1")},
-            .kprocess = {.kernelDirectoryTableBase =
-                             vmiInterface->getKernelStructOffset("_KPROCESS", "DirectoryTableBase"),
+            .kprocess = {.directoryTableBase = vmiInterface->getKernelStructOffset("_KPROCESS", "DirectoryTableBase"),
                          .userDirectoryTableBase =
-                             vmiInterface->getKernelStructOffset("_KPROCESS", "UserDirectoryTableBase")},
+                             vmiInterface->getKernelStructOffset("_KPROCESS", "DirectoryTableBase")},
             .subSection = {.ControlArea = vmiInterface->getKernelStructOffset("_SUBSECTION", "ControlArea")},
             .exFastRef = {.Object = vmiInterface->getKernelStructOffset("_EX_FAST_REF", "Object")}};
 
+        if (vmiInterface->getWindowsBuild() >= winBuildRedstone3)
+        {
+            // Will fail for Windows 10 versions below "Win 10 1803 Redstone 4"
+            auto userDTB =
+                vmiInterface->getKernelStructOffset("_KPROCESS", "UserDirectoryTableBase");
+
+            // KPTI is implemented but not activated
+            if (userDTB != 0)
+            {
+                kernelOffsets.kprocess.userDirectoryTableBase = userDTB;
+            }
+        }
+
         return kernelOffsets;
     }
 }
diff --git a/vmicore/src/lib/os/windows/KernelOffsets.h b/vmicore/src/lib/os/windows/KernelOffsets.h
@@ -27,7 +27,7 @@ namespace VmiCore::Windows
 
         using _kprocess = struct _kprocess
         {
-            addr_t kernelDirectoryTableBase;
+            addr_t directoryTableBase;
             addr_t userDirectoryTableBase;
         };
 

diff --git a/vmicore/src/lib/vmi/LibvmiInterface.cpp b/vmicore/src/lib/vmi/LibvmiInterface.cpp
@@ -469,6 +469,11 @@ namespace VmiCore
         return size;
     }
 
+    uint16_t LibvmiInterface::getWindowsBuild()
+    {
+        return vmi_get_win_buildnumber(vmiInstance);
+    }
+
     bool LibvmiInterface::isInitialized() const
     {
         return vmiInstance != nullptr;

diff --git a/vmicore/src/lib/vmi/LibvmiInterface.h b/vmicore/src/lib/vmi/LibvmiInterface.h
@@ -120,6 +120,8 @@ namespace VmiCore
 
         [[nodiscard]] OperatingSystem getOsType() override;
 
+        [[nodiscard]] uint16_t getWindowsBuild() override;
+
         template <typename T> std::unique_ptr<T> readVa(const addr_t virtualAddress, const addr_t cr3)
         {
             auto accessContext = createVirtualAddressAccessContext(virtualAddress, cr3);

diff --git a/vmicore/test/include/vmicore_test/vmi/mock_IntrospectionAPI.h b/vmicore/test/include/vmicore_test/vmi/mock_IntrospectionAPI.h
@@ -51,6 +51,8 @@ namespace VmiCore
 
         MOCK_METHOD(OperatingSystem, getOsType, (), (override));
 
+        MOCK_METHOD(uint16_t, getWindowsBuild, (), (override));
+
         MOCK_METHOD(uint64_t, getOffset, (const std::string&), (override));
 
         MOCK_METHOD(addr_t, getKernelStructOffset, (const std::string&, const std::string&), (override));

diff --git a/vmicore/test/lib/vmi/mock_LibvmiInterface.h b/vmicore/test/lib/vmi/mock_LibvmiInterface.h
@@ -69,6 +69,8 @@ namespace VmiCore
 
         MOCK_METHOD(OperatingSystem, getOsType, (), (override));
 
+        MOCK_METHOD(uint16_t, getWindowsBuild, (), (override));
+
         MOCK_METHOD(uint64_t, getOffset, (const std::string&), (override));
 
         MOCK_METHOD(addr_t, getKernelStructOffset, (const std::string&, const std::string&), (override));