Version 4.16.2

ufrisk · Sep 4, 2023 · 640abac · 640abac
1 parent 1500df7
commit 640abac
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 14 deletions.
diff --git a/includes/vmmdll.h b/includes/vmmdll.h
@@ -630,7 +630,7 @@ typedef struct tdVMMDLL_PLUGIN_REGINFO {
     // Optional forensic plugin functionality for forensic (more comprehensive)
     // analysis of various data. Functions are optional.
     // Functions are called in the below order and way.
-    // 1: pfnInitialize()            - single-threaded.
+    // 1: pfnInitialize()            - multi-threaded (between plugins).
     // 2: (multiple types see below) - multi-threaded (between plugins).
     //    pfnLogCSV()
     //    pfnLogJSON()

diff --git a/pcileech/kmd.c b/pcileech/kmd.c
@@ -424,7 +424,7 @@ QWORD KMD_Linux48KernelBaseSeek()
     PPAGE_STATISTICS pPageStat = NULL;
     BYTE pb[0x1000], pbCMPcc[0x400], pbCMP90[0x400], pbCMP00[0x100];
     QWORD qwA, qwAddrMax, i;
-    BOOL isAuthenticAMD, isGenuineIntel;
+    BOOL isAuthenticAMD, isGenuineIntel, isOK;
     memset(pbCMPcc, 0xcc, 0x400);
     memset(pbCMP90, 0x90, 0x400);
     memset(pbCMP00, 0x00, 0x100);
@@ -454,17 +454,15 @@ QWORD KMD_Linux48KernelBaseSeek()
         if(!LcRead(ctxMain->hLC, qwA, 0x1000, pb) || (memcmp(pb + 0xc00, pbCMP90, 0x400) && memcmp(pb + 0xc00, pbCMPcc, 0x400))) {
             continue;
         }
-        // read kernel base +0x1000/+0x2000 (hypercall page?) and check that it ends with at least 0x100 0x00.
-        // alternatively that it ends with a number of (0x90+0xC3)NOP+RET
-        if(!LcRead(ctxMain->hLC, qwA + 0x1000, 0x1000, pb) || memcmp(pb + 0xf00, pbCMP00, 0x100)) {
-            if(!LcRead(ctxMain->hLC, qwA + 0x2000, 0x1000, pb) || memcmp(pb + 0xf00, pbCMP00, 0x100)) {
-                if(memcmp(pb + 0xfe0, pbCMP90, 0x1f)) {
-                    continue;
-                }
-            }
+        // read kernel base +0x1000/+0x2000 (hypercall page?) and check that it ends/contains:
+        isOK = (LcRead(ctxMain->hLC, qwA + 0x1000, 0x1000, pb) && !memcmp(pb + 0xf00, pbCMP00, 0x100));             // at least 0x100 0x00
+        isOK = isOK || (LcRead(ctxMain->hLC, qwA + 0x2000, 0x1000, pb) && !memcmp(pb + 0xf00, pbCMP00, 0x100));     // at least 0x100 0x00
+        isOK = isOK || !memcmp(pb + 0xfe0, pbCMP90, 0x1f);                                                          // ends with a number of (0x90+0xC3)NOP+RET
+        isOK = isOK || ((pb[0xfe0] == 0xc3) && !memcmp(pb + 0xfe1, pbCMPcc, 0x1f));                                 // ends with a number of (0xCC+0xC3)INT3+RET
+        if(isOK) {
+            PageStatClose(&pPageStat);
+            return qwA;
         }
-        PageStatClose(&pPageStat);
-        return qwA;
     }
     PageStatClose(&pPageStat);
     return 0;

diff --git a/pcileech/version.h b/pcileech/version.h
@@ -3,8 +3,8 @@
 
 #define VERSION_MAJOR               4
 #define VERSION_MINOR               16
-#define VERSION_REVISION            1
-#define VERSION_BUILD               38
+#define VERSION_REVISION            2
+#define VERSION_BUILD               39
 
 #define VER_FILE_DESCRIPTION_STR    "The PCILeech Direct Memory Access Attack Toolkit"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

diff --git a/readme.md b/readme.md
@@ -289,3 +289,4 @@ v4.1
 
 Latest:
 * I/O BAR support.
+* Linux KMD signature update (LINUX_X64_48) to support kernel 5.15.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -289,3 +289,4 @@ v4.1

		Latest:
		* I/O BAR support.
		* Linux KMD signature update (LINUX_X64_48) to support kernel 5.15.