HyperDbg Debugger
Layout.c File Reference

Functions for working with memory layouts. More...

#include "pch.h"

Functions

_Use_decl_annotations_ CR3_TYPE LayoutGetCr3ByProcessId (UINT32 ProcessId)
 Converts pid to kernel cr3.
 
CR3_TYPE LayoutGetCurrentProcessCr3 ()
 Get cr3 of the target running process.
 
CR3_TYPE LayoutGetExactGuestProcessCr3 ()
 Get cr3 of the target running process (read directly from the guest VMCS).
 
UINT64 LayoutGetSystemDirectoryTableBase ()
 Find cr3 of system process.
 

Detailed Description

Functions for working with memory layouts.

Author
Sina Karvandi (sina@hyperdbg.org)
Version
0.2
Date
2023-04-27

Function Documentation

◆ LayoutGetCr3ByProcessId()

_Use_decl_annotations_ CR3_TYPE LayoutGetCr3ByProcessId ( UINT32 ProcessId)

Converts pid to kernel cr3.

This function should NOT be called from vmx-root.

Parameters
 ProcessId  Process id to switch
Returns
 CR3_TYPE  The cr3 of the target process
{
    PEPROCESS TargetEprocess;
    CR3_TYPE  ProcessCr3 = {0};

    if (PsLookupProcessByProcessId((HANDLE)ProcessId, &TargetEprocess) != STATUS_SUCCESS)
    {
        //
        // There was an error, probably the process id was not found;
        // the zeroed cr3 is returned so the caller can detect the failure
        //
        return ProcessCr3;
    }

    //
    // Due to KVA Shadowing, we need to switch to a different directory table base
    // if the PCID indicates this is a user mode directory table base.
    //
    NT_KPROCESS * CurrentProcess = (NT_KPROCESS *)(TargetEprocess);
    ProcessCr3.Flags              = CurrentProcess->DirectoryTableBase;

    //
    // PsLookupProcessByProcessId took a reference on the EPROCESS; release it
    //
    ObDereferenceObject(TargetEprocess);

    return ProcessCr3;
}
Referenced definitions:
 CR3_TYPE (CR3 structure), BasicTypes.h:130
 UINT64 Flags, BasicTypes.h:133
 NT_KPROCESS (KPROCESS brief structure), Common.h:265
 ULONG_PTR DirectoryTableBase, Common.h:268

◆ LayoutGetCurrentProcessCr3()

CR3_TYPE LayoutGetCurrentProcessCr3 ( )

Get cr3 of the target running process.

Returns
 CR3_TYPE  The cr3 of the running process
{
    CR3_TYPE GuestCr3;

    //
    // Due to KVA Shadowing, we need to switch to a different directory table base
    // if the PCID indicates this is a user mode directory table base.
    //
    NT_KPROCESS * CurrentProcess = (NT_KPROCESS *)(PsGetCurrentProcess());
    GuestCr3.Flags                = CurrentProcess->DirectoryTableBase;

    return GuestCr3;
}

◆ LayoutGetExactGuestProcessCr3()

CR3_TYPE LayoutGetExactGuestProcessCr3 ( )

Get cr3 of the target running process (read directly from the guest VMCS).

Returns
 CR3_TYPE  The cr3 of the running process
{
    CR3_TYPE GuestCr3 = {0};

    //
    // Read the guest's CR3 field from the current VMCS (vmx-root only)
    //
    __vmx_vmread(VMCS_GUEST_CR3, &GuestCr3.Flags);

    return GuestCr3;
}
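The functions above hand back a raw CR3 either from an EPROCESS's DirectoryTableBase or straight from the VMCS, and the KVA Shadow comments note that the PCID bits are what tell a user-mode directory table base apart from a kernel one. The following is an added example, not HyperDbg's code: it decodes a CR3 value into its PCID and page-directory base using the Intel-defined layout for CR3 with CR4.PCIDE set, and compares two CR3 values by address space only, which is the comparison to use when matching a VMCS guest CR3 against an EPROCESS DirectoryTableBase. The helper names and sample values are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* CR3 bit layout when CR4.PCIDE = 1 (Intel SDM Vol. 3, "Control Registers").
 * These masks and helpers are hypothetical names for this example,
 * not HyperDbg's CR3_TYPE. */
#define CR3_PCID_MASK     0x0000000000000FFFULL /* bits 11:0  process-context id   */
#define CR3_PDB_MASK      0x000FFFFFFFFFF000ULL /* bits 51:12 PML4 physical address */
#define CR3_NO_FLUSH_BIT  (1ULL << 63)          /* bit 63: no TLB flush on MOV CR3 */

static inline uint16_t Cr3GetPcid(uint64_t cr3)
{
    return (uint16_t)(cr3 & CR3_PCID_MASK);
}

static inline uint64_t Cr3GetDirectoryBase(uint64_t cr3)
{
    return cr3 & CR3_PDB_MASK;
}

static inline bool Cr3HasNoFlushHint(uint64_t cr3)
{
    return (cr3 & CR3_NO_FLUSH_BIT) != 0;
}

/* Two CR3 values describe the same page hierarchy when their PML4 physical
 * addresses match; the PCID and the no-flush hint must be masked off first,
 * otherwise a guest CR3 read via VMREAD will never equal the DirectoryTableBase
 * stored in the EPROCESS of the same process. */
static inline bool Cr3SameAddressSpace(uint64_t a, uint64_t b)
{
    return Cr3GetDirectoryBase(a) == Cr3GetDirectoryBase(b);
}

int main(void)
{
    /* Constructed sample values, not captured from a real system. */
    uint64_t fromEprocess = 0x00000001AD3B6001ULL; /* DirectoryTableBase, PCID 1 */
    uint64_t fromVmcs     = 0x80000001AD3B6002ULL; /* guest CR3, PCID 2, bit 63 set */

    printf("eprocess: base=%#llx pcid=%u\n",
           (unsigned long long)Cr3GetDirectoryBase(fromEprocess), Cr3GetPcid(fromEprocess));
    printf("vmcs    : base=%#llx pcid=%u noflush=%d\n",
           (unsigned long long)Cr3GetDirectoryBase(fromVmcs), Cr3GetPcid(fromVmcs),
           Cr3HasNoFlushHint(fromVmcs));
    printf("same address space: %s\n", Cr3SameAddressSpace(fromEprocess, fromVmcs) ? "yes" : "no");
    return 0;
}
```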

◆ LayoutGetSystemDirectoryTableBase()

UINT64 LayoutGetSystemDirectoryTableBase ( )

Find cr3 of system process.

Returns
 UINT64  The cr3 of the System process (pid 4)
{
    //
    // Return CR3 of the system process.
    //
    NT_KPROCESS * SystemProcess = (NT_KPROCESS *)(PsInitialSystemProcess);
    return SystemProcess->DirectoryTableBase;
}