Before describing the question itself, I will describe the essence of my project so it is easier to understand what I have.
how to add kernel api/code to user mode app
My application needs the following in order to execute kernel code:
(So that this application can execute kernel code, you need to make a USB flash drive, create in it a folder EFI, and in it a folder boot with a file bootx64.efi; to get that file, compile the GitHub project – https://github.com/ekknod/SubGetVariable. I have not tested on Intel processors; it works only with SECURE BOOT OFF, and it was also tested only on Windows 22H2. I DO NOT RECOMMEND YOU TO START THIS EFI FILE. Just make sure the USER MODE APPLICATION COMPILES AND STARTS.)
For example my usermode app code:
main cpp (the code itself for usermode app):
#include “km.h”
//
// hello world
//
// Storage for the export registry declared in km.h: every km::DLL_EXPORT
// constructor appends to it, and km::initialize() rewrites each entry in place.
std::vector<QWORD> km::global_export_list;
// Register the two ntoskrnl exports used in main(). NTOSKRNL_EXPORT is not
// shown in this paste; judging from km::initialize(), it appears to declare a
// km::DLL_EXPORT whose initial value is the export name as a PCSTR — confirm.
NTOSKRNL_EXPORT(PsGetCurrentProcess);
NTOSKRNL_EXPORT(PsGetCurrentProcessId);
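int main(void)
{
    // Resolve the registered ntoskrnl exports and arm the bridge. initialize()
    // logs the reason on failure; exit non-zero so a caller can tell.
    if (!km::initialize())
    {
        return 1;
    }
    // Smoke test: call two trivial exports through the bridge and print the
    // results. Note that km::call() returns 0 both for a genuine zero result
    // and when the bridge is not active, so a 0 here is ambiguous.
    LOG("current process: %llx\n", km::call(PsGetCurrentProcess));
    LOG("current process id: %lld\n", km::call(PsGetCurrentProcessId));
    return 0;
}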
km.h (responsible for communication between the EFI component and the user-mode application for kernel code execution):
// Two ntdll exports used by km::initialize() and km::call(), declared by hand
// because they are not in the public SDK headers.
// RtlAdjustPrivilege(privilege, enable, current_thread, was_enabled) toggles a
// privilege on the process token (or the thread token when current_thread is
// non-zero) and reports the previous state through was_enabled.
extern "C" NTSTATUS NTAPI RtlAdjustPrivilege(ULONG, BOOLEAN, BOOLEAN, PBOOLEAN);
// NtQuerySystemEnvironmentValueEx(name, vendor_guid, value, value_len,
// attributes) reads a UEFI variable; the caller must hold
// SeSystemEnvironmentPrivilege or it fails with an access-denied status.
extern "C" NTSTATUS NTAPI NtQuerySystemEnvironmentValueEx(PUNICODE_STRING, LPGUID, PVOID, PULONG, PULONG);
// km: user-mode side of the kernel-call bridge.
// A DLL_EXPORT registers an ntoskrnl export, initialize() resolves every
// registered export to a kernel address and enables the privilege the
// trigger needs, and call() hands a kernel address plus up to seven QWORD
// arguments to the EFI component (not in this paste) and returns its result.
// Trust boundary: once initialize() has succeeded, any code running inside
// this process can execute arbitrary kernel code through call(); that is only
// possible because the EFI component is loaded with Secure Boot off.
// NOTE(review): call(), call<T>() and initialize() are defined in a header
// without `inline`; including km.h from more than one .cpp would produce
// duplicate definitions.
namespace km
{
// Registry of pointers to every DLL_EXPORT::address member, stored as QWORDs.
// Filled by the DLL_EXPORT constructor, rewritten in place by initialize().
// Defined in main.cpp.
extern std::vector<QWORD> global_export_list;
// One registered ntoskrnl export. Construction records the address of the
// `address` member in global_export_list; initialize() later overwrites that
// member with the resolved kernel address, which the conversion operator then
// yields. Before initialize() runs the member holds whatever the constructor
// was given (initialize() treats that value as a PCSTR export name).
// NOTE(review): because a pointer into *this is stored, copying or moving a
// DLL_EXPORT, or giving it automatic storage, leaves a dangling registry
// entry; the namespace-scope objects created in main.cpp are fine.
class DLL_EXPORT
{
QWORD address;
public:
DLL_EXPORT(QWORD address) : address(address)
{
global_export_list.push_back((QWORD)&this->address);
}
operator QWORD () const { return address; }
};
// Invoke the kernel function at `kernel_address` with up to seven QWORD
// arguments (r1..r7, unused ones default to 0) and return its result.
// Mechanism, user-mode side only: the target address and a pointer to the
// packed argument block are written into two slots reached from the PEB, then
// a UEFI variable query is issued through NtQuerySystemEnvironmentValueEx,
// which the EFI component described above appears to intercept; the result is
// read back from the first slot afterwards. Requires
// SeSystemEnvironmentPrivilege, enabled by initialize().
// NOTE(review): nothing here serializes concurrent callers; the two slots are
// shared process state, so two threads calling at once would race.
// NOTE(review): the return value is ambiguous — see the NT_SUCCESS branch.
// From a monitoring standpoint the observable pattern is a user-mode process
// holding SeSystemEnvironmentPrivilege that repeatedly queries the
// "SecureBoot" variable.
QWORD call(QWORD kernel_address, QWORD r1 = 0, QWORD r2 = 0, QWORD r3 = 0, QWORD r4 = 0, QWORD r5 = 0, QWORD r6 = 0, QWORD r7 = 0)
{
// Seven arguments laid out as seven contiguous QWORDs with no padding;
// presumably the EFI side reads this block as raw memory — confirm there.
#pragma pack(push,1)
typedef struct {
QWORD param_1;
QWORD param_2;
QWORD param_3;
QWORD param_4;
QWORD param_5;
QWORD param_6;
QWORD param_7;
} PAYLOAD ;
#pragma pack(pop)
PAYLOAD parameters;
parameters.param_1 = r1;
parameters.param_2 = r2;
parameters.param_3 = r3;
parameters.param_4 = r4;
parameters.param_5 = r5;
parameters.param_6 = r6;
parameters.param_7 = r7;
// GS:[0x60] is the PEB on x64 Windows. The two fixed-offset dereferences
// below select a structure whose +0x18 and +0x10 fields serve as the
// mailbox. NOTE(review): what these offsets name is not shown here and is
// tied to what the EFI side expects; confirm against that project.
QWORD peb = __readgsqword(0x60);
peb = *(QWORD*)(peb + 0x18);
peb = *(QWORD*)(peb + 0x20);
// Publish the target address and the argument block.
*(QWORD*)(peb + 0x18) = kernel_address;
// NOTE(review): "¶meters" is an extraction garble of "&parameters".
*(QWORD*)(peb + 0x10) = (QWORD)¶meters;
// Trigger: query the "SecureBoot" variable under the EFI global-variable
// GUID. Only a 1-byte buffer is offered and `ret` is never read back; the
// query itself is the point, not its value.
UNICODE_STRING string;
RtlInitUnicodeString(&string, L"SecureBoot");
ULONG ret = 0;
ULONG ret_len = 1;
ULONG attributes = 0;
GUID gEfiGlobalVariableGuid = { 0x8BE4DF61, 0x93CA, 0x11D2, { 0xAA, 0x0D, 0x00, 0xE0, 0x98, 0x03, 0x2B, 0x8C }};
NTSTATUS status = NtQuerySystemEnvironmentValueEx(&string,
&gEfiGlobalVariableGuid,
&ret,
&ret_len,
&attributes);
// Collect the result the other side left in the first slot, then clear both
// slots so nothing stale is left behind.
QWORD rax = *(QWORD*)(peb + 0x18);
*(QWORD*)(peb + 0x18) = 0;
*(QWORD*)(peb + 0x10) = 0;
// NOTE(review): if the query genuinely succeeded, the bridge was not active
// and 0 is returned — indistinguishable from a kernel function that returned
// 0. Callers cannot tell failure from a zero result; a separate status
// out-parameter would make this explicit.
if (NT_SUCCESS(status))
return 0;
return rax;
}
// Typed wrapper: forwards to call() and reinterprets the 8-byte result as T.
// NOTE(review): *(T*)&ret reads sizeof(T) bytes from an 8-byte local, so a T
// wider than QWORD reads past it; a
// static_assert(sizeof(T) <= sizeof(QWORD), "...") would catch that at
// compile time, and memcpy into a T would avoid the aliasing cast.
template <typename T>
T call(QWORD kernel_address, QWORD r1 = 0, QWORD r2 = 0, QWORD r3 = 0, QWORD r4 = 0, QWORD r5 = 0, QWORD r6 = 0, QWORD r7 = 0)
{
QWORD ret = call(kernel_address, r1, r2, r3, r4, r5, r6, r7);
return *(T*)&ret;
}
// Prepare the bridge: locate ntoskrnl.exe via get_kernel_modules() (not in
// this paste), resolve every registered export via get_kernel_export() (not in
// this paste), then enable privilege 22 (SE_SYSTEM_ENVIRONMENT_PRIVILEGE),
// which NtQuerySystemEnvironmentValueEx requires. Returns 1 on success, 0
// otherwise, logging the reason.
// NOTE(review): the LOG strings end in a bare 'n' — presumably '\n' lost its
// backslash in the paste.
// NOTE(review): on a missing export the registry is left partially rewritten
// (earlier entries resolved, the failing one set to 0), so calling
// initialize() a second time would pass addresses, not names, to
// get_kernel_export().
BOOL initialize(void)
{
QWORD ntoskrnl_base = 0;
// Case-insensitive match on the module name; get_kernel_modules() is
// assumed to return entries with `name` and `base` members.
for (auto &drv : get_kernel_modules())
{
if (!_strcmpi(drv.name.c_str(), "ntoskrnl.exe"))
{
ntoskrnl_base = drv.base;
break;
}
}
if (ntoskrnl_base == 0)
{
LOG("ntoskrnl.exe base address not foundn");
return 0;
}
// Each entry is a pointer to a DLL_EXPORT::address member that currently
// holds the export name (as a PCSTR); replace it with the resolved address.
for (auto &i : global_export_list)
{
QWORD temp = *(QWORD*)i;
*(QWORD*)i = get_kernel_export(ntoskrnl_base, "ntoskrnl.exe", (PCSTR)temp);
if (*(QWORD*)i == 0)
{
LOG("export %s not foundn", (PCSTR)temp);
return 0;
}
}
// Enable SeSystemEnvironmentPrivilege on the process token; it is only
// present in an elevated token, hence the "run as admin" message.
BOOLEAN privs=1;
if (RtlAdjustPrivilege(22, 1, 0, &privs) != 0l)
{
LOG("run as adminn");
return 0;
}
return 1;
}
}
I also have kernel code from another application, and I want it to be executed in this application (I hope I haven’t confused you yet); it is also in C++:
https://github.com/danielkrupinski/KernelPID/blob/master/KernelPID/Driver.c
How can I compile my user-mode app with the functions of this other application?