├── Example
    ├── Example.vcxproj.user
    ├── main.cpp
    ├── Example.vcxproj.filters
    └── Example.vcxproj
├── Driver
    ├── cleaning.h
    ├── driver.vcxproj.user
    ├── util.h
    ├── core.h
    ├── stdafx.h
    ├── util.cpp
    ├── driver.vcxproj.filters
    ├── cleaning.cpp
    ├── main.cpp
    ├── driver.vcxproj
    ├── core.cpp
    └── structs.h
├── README.md
├── Usermode
    ├── memory.h
    └── memory.cpp
└── DoubleDataPointer.sln


/Example/Example.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/Driver/cleaning.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "stdafx.h"
3 | 
4 | namespace Cleaning
5 | {
6 | 	NTSTATUS NullPageFrameNumbers(uint64_t start, uint32_t size);
7 | 	NTSTATUS CleanFromBigPools(uint64_t start);
8 | }


--------------------------------------------------------------------------------
/Driver/driver.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
4 |     <SignMode>Off</SignMode>
5 |   </PropertyGroup>
6 | </Project>


--------------------------------------------------------------------------------
/Driver/util.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include "stdafx.h"
 3 | 
 4 | 
 5 | //https://ntdiff.github.io/
 6 | #define WINDOWS_1803 17134
 7 | #define WINDOWS_1809 17763
 8 | #define WINDOWS_1903 18362
 9 | #define WINDOWS_1909 18363
10 | #define WINDOWS_2004 19041
11 | #define WINDOWS_20H2 19569
12 | #define WINDOWS_21H1 20180
13 | 
14 | namespace Util {
15 | 
16 | 	PIMAGE_NT_HEADERS getHeader(PVOID module);
17 | 	PBYTE FindPattern(PVOID base, LPCSTR pattern, LPCSTR mask);
18 | }


--------------------------------------------------------------------------------
/Example/main.cpp:
--------------------------------------------------------------------------------
 1 | // Example.cpp : This file contains the 'main' function. Program execution begins and ends there.
 2 | //
 3 | 
 4 | #include <iostream>
 5 | #include <Windows.h>
 6 | #include "..\Usermode\memory.h"
 7 | 
 8 | Memory* pMem = nullptr;
 9 | int main()
10 | {
11 |     LoadLibraryA("user32.dll");
12 | 
13 |     uint32_t processId = GetCurrentProcessId();
14 |     pMem = new Memory(processId, { "user32.dll" });
15 | 
16 |     std::cout << "Process Base: " << pMem->base  << std::endl;
17 |     std::cout << "user32.dll Base: " << pMem->moduleBases["user32.dll"] << std::endl;
18 | 
19 |     int x = 100;
20 |     std::cout << "Rpm: " << pMem->Rpm<int>((uint64_t)&x) << std::endl;
21 | 
22 |     pMem->Wpm<int>((uint64_t)&x, 15);
23 |     std::cout << "After Wpm: " << x << std::endl;
24 | 
25 |     return 0;
26 | }


--------------------------------------------------------------------------------
/Driver/core.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include "stdafx.h"
 3 | 
 4 | namespace Core {
 5 | 	PVOID GetSystemModuleBase(LPCSTR moduleName);
 6 | 
 7 | 
 8 | 	//Sketch
 9 | 	ULONG_PTR GetKernelDirBase();
10 | 	ULONG_PTR GetProcessCr3(PEPROCESS pProcess);
11 | 	NTSTATUS ReadVirtual(uint64_t dirbase, uint64_t address, uint8_t* buffer, SIZE_T size, SIZE_T* read);
12 | 	NTSTATUS WriteVirtual(uint64_t dirbase, uint64_t address, uint8_t* buffer, SIZE_T size, SIZE_T* written);
13 | 
14 | 	//Safe Guarded Calls
15 | 	NTSTATUS GetModuleBaseAddress(int processId, const char* moduleName, uint64_t* baseAddress);
16 | 	NTSTATUS GetProcessBaseAddress(int pid, uint64_t* Address);
17 | 	NTSTATUS ReadProcessMemory(int pid, uint64_t Address, uint64_t AllocatedBuffer, SIZE_T size, SIZE_T* read);
18 | 	NTSTATUS WriteProcessMemory(int pid, uint64_t Address, uint64_t AllocatedBuffer, SIZE_T size, SIZE_T* written);
19 | 
20 | 
21 | 	ULONG_PTR GetKernelDirBase();
22 | }


--------------------------------------------------------------------------------
/Example/Example.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Memory">
 5 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
 6 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Project">
 9 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
10 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
11 |     </Filter>
12 |   </ItemGroup>
13 |   <ItemGroup>
14 |     <ClCompile Include="..\Usermode\memory.cpp">
15 |       <Filter>Memory</Filter>
16 |     </ClCompile>
17 |     <ClCompile Include="main.cpp">
18 |       <Filter>Project</Filter>
19 |     </ClCompile>
20 |   </ItemGroup>
21 |   <ItemGroup>
22 |     <ClInclude Include="..\Usermode\memory.h">
23 |       <Filter>Memory</Filter>
24 |     </ClInclude>
25 |   </ItemGroup>
26 | </Project>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # DoubleDataPointer
 2 | Double data pointer communication in to the kernel mode, the driver should be manually mapped into the kernel. Useful for bypassing Anti-Cheat solutions.
 3 | 
 4 | This project points a data pointer at another data pointer which is pointed to memory inside of the driver. This allows a user to send commands through a uncommonly used windows API, and execute commands at a kernel permission level.
 5 | 
 6 | # Features
 7 | - Read Memory
 8 | - Write Memory
 9 | - Nulls Page Frame numbers of the driver (so it is harder to find the pages with the driver stub)
10 | - Clears Big pools (Usually ExAllocatePool is used to allocate the driver when manually mapping, this takes the driver out of the pig pool tables)
11 | - Physical Memory Read/Write (KeStackAttach can be detected, which is used inside of MmCopyVirtualMemory)
12 | - Uses 2 data pointers so that a surface level check on the first pointer is not outside of a valid module
13 | 
14 | # Limitations/Detections
15 | - RIP will be outisde of a valid memory region whenever a stack frame is captured from NMI callbacks. This way anticheats can flag you.
16 | - This project creates alertable threads that can be indexed and captured, later anylyzed or checked for abnormalities.
17 | - The data pointer itself can be directly verified to point to a specific region.
18 | 
19 | This project was created ages ago, it is most definetly detected.
20 | 


--------------------------------------------------------------------------------
/Driver/stdafx.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <ntifs.h>
 3 | #include <ntddk.h>
 4 | #include <windef.h>
 5 | #include <ntimage.h>
 6 | 
 7 | #include "structs.h"
 8 | 
 9 | #define RVA(addr, size)			((PBYTE)(addr + *(DWORD*)(addr + ((size) - 4)) + size))
10 | #define printf(text, ...)		(DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, text, ##__VA_ARGS__))
11 | //#define WINVER_2004				(19041)
12 | #define COMMUNICATION_KEY		(0xDEADBEEF)
13 | 
14 | 
15 | typedef signed char        int8_t;
16 | typedef short              int16_t;
17 | typedef int                int32_t;
18 | typedef long long          int64_t;
19 | typedef unsigned char      uint8_t;
20 | typedef unsigned short     uint16_t;
21 | typedef unsigned int       uint32_t;
22 | typedef unsigned long long uint64_t;
23 | 
24 | enum Request {
25 | 	GETBASE = 0,
26 | 	GETMODULEBASE = 1,
27 | 	READPROCESSMEMORY = 2,
28 | 	WRITEPROCESSMEMORY = 3,
29 | 	SIGSCAN = 4
30 | };
31 | 
32 | 
33 | 
34 | struct Communication {
35 | 
36 | 	uint64_t key;
37 | 	Request request;
38 | 
39 | 	int processID;
40 | 
41 | 	uint64_t address;
42 | 	const char* moduleName;
43 | 
44 | 	uint64_t buffer;
45 | 	size_t size;
46 | 
47 | 	union
48 | 	{
49 | 		size_t written;
50 | 		size_t read;
51 | 	};
52 | };
53 | 
54 | struct EntryParams
55 | {
56 | 	uint64_t poolBase;
57 | 	uint32_t entryPoint;
58 | 	uint32_t size;
59 | };
60 | 
61 | extern "C" NTSTATUS ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS systemInformationClass, PVOID systemInformation, ULONG systemInformationLength, PULONG returnLength);
62 | extern "C" NTKERNELAPI PVOID PsGetProcessSectionBaseAddress(PEPROCESS Process);
63 | extern "C" NTKERNELAPI PPEB NTAPI PsGetProcessPeb(IN PEPROCESS Process);
64 | 
65 | #include "memory.h"
66 | #include "util.h"
67 | #include "core.h"


--------------------------------------------------------------------------------
/Driver/util.cpp:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include "util.h"
 3 | 
 4 | 
 5 | namespace Util {
 6 | 
 7 |     PIMAGE_NT_HEADERS getHeader(PVOID module) {
 8 |         return (PIMAGE_NT_HEADERS)((PBYTE)module + PIMAGE_DOS_HEADER(module)->e_lfanew);
 9 |     }
10 | 
11 |     PBYTE FindPattern(PVOID module, DWORD size, LPCSTR pattern, LPCSTR mask) {
12 | 
13 |         auto checkMask = [](PBYTE buffer, LPCSTR pattern, LPCSTR mask) -> BOOL
14 |         {
15 |             for (auto x = buffer; *mask; pattern++, mask++, x++) {
16 |                 auto addr = *(BYTE*)(pattern);
17 |                 if (addr != *x && *mask != '?')
18 |                     return FALSE;
19 |             }
20 | 
21 |             return TRUE;
22 |         };
23 | 
24 |         for (auto x = 0; x < size - strlen(mask); x++) {
25 | 
26 |             auto addr = (PBYTE)module + x;
27 |             if (checkMask(addr, pattern, mask))
28 |                 return addr;
29 |         }
30 | 
31 |         return NULL;
32 |     }
33 | 
34 |     PBYTE FindPattern(PVOID base, LPCSTR pattern, LPCSTR mask) {
35 | 
36 |         auto header = getHeader(base);
37 |         auto section = IMAGE_FIRST_SECTION(header);
38 | 
39 |         for (auto x = 0; x < header->FileHeader.NumberOfSections; x++, section++) {
40 | 
41 |             /*
42 |             * Avoids non paged memory,
43 |             * As well as greatly speeds up the process of scanning 30+ sections.
44 |             */
45 |             if (!memcmp(section->Name, ".text", 5) || !memcmp(section->Name, "PAGE", 4)) {
46 |                 auto addr = FindPattern((PBYTE)base + section->VirtualAddress, section->Misc.VirtualSize, pattern, mask);
47 |                 if (addr) {
48 |                     printf("[mapper] Found in Section -> [ %s ]", section->Name);
49 |                     return addr;
50 |                 }
51 |             }
52 |         }
53 | 
54 |         return NULL;
55 |     }
56 | 
57 | }
58 | 


--------------------------------------------------------------------------------
/Usermode/memory.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <Windows.h>
 3 | #include <vector>
 4 | #include <map>
 5 | 
 6 | class Memory
 7 | {
 8 | public:
 9 | 	Memory(int32_t pid, std::vector<std::string> ModuleNames = {});
10 | 
11 | 	template<typename T>
12 | 	T Rpm(uint64_t address);
13 | 	bool Rpm(uint64_t address, void* buffer, size_t size);
14 | 
15 | 	template<typename T>
16 | 	void Wpm(uint64_t address, T value);
17 | 	bool Wpm(uint64_t address, void* buffer, size_t size);
18 | 
19 | 
20 | 
21 | 	std::map<std::string, uint64_t> moduleBases;
22 | 
23 | 	uint64_t base = 0;
24 | private:
25 | 	/*
26 | 	* Communication
27 | 	*/
28 | #define COMMUNICATION_KEY 0xDEADBEEF
29 | 	int32_t processId = 0;
30 | 
31 | 	enum Request {
32 | 		GETBASE = 0,
33 | 		GETMODULEBASE = 1,
34 | 		READPROCESSMEMORY = 2,
35 | 		WRITEPROCESSMEMORY = 3,
36 | 		SIGSCAN = 4
37 | 	};
38 | 	struct Communication {
39 | 
40 | 		uint64_t key;
41 | 		Request request;
42 | 
43 | 		int processID;
44 | 
45 | 		uint64_t address;
46 | 		const char* moduleName;
47 | 
48 | 		uint64_t buffer;
49 | 		size_t size;
50 | 
51 | 		union
52 | 		{
53 | 			size_t written;
54 | 			size_t read;
55 | 		};
56 | 	};
57 | 
58 | 	BOOL Setup(LPCSTR routineName);
59 | 	bool GetProcessBaseAddressFromKernel(int processID, uint64_t* baseAddress);
60 | 	bool GetModuleBaseAddressFromKernel(int processID, const char* moduleName, uint64_t* baseAddress);
61 | 	bool ReadMemoryFromKernel(int processId, uint64_t address, void* buffer, size_t size);
62 | 	bool WriteMemoryFromKernel(int processId, uint64_t address, void* buffer, size_t size);
63 | }; extern Memory* pMem;
64 | 
65 | template<typename T>
66 | inline T Memory::Rpm(uint64_t address)
67 | {
68 | 	T buffer;
69 | 	Rpm(address, &buffer, sizeof(T));
70 | 	return buffer;
71 | }
72 | 
73 | template<typename T>
74 | inline void Memory::Wpm(uint64_t address, T value)
75 | {
76 | 	Wpm(address, &value, sizeof(T));
77 | }
78 | 


--------------------------------------------------------------------------------
/Driver/driver.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="Driver Files">
17 |       <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
18 |       <Extensions>inf;inv;inx;mof;mc;</Extensions>
19 |     </Filter>
20 |   </ItemGroup>
21 |   <ItemGroup>
22 |     <ClCompile Include="core.cpp">
23 |       <Filter>Source Files</Filter>
24 |     </ClCompile>
25 |     <ClCompile Include="main.cpp">
26 |       <Filter>Source Files</Filter>
27 |     </ClCompile>
28 |     <ClCompile Include="util.cpp">
29 |       <Filter>Source Files</Filter>
30 |     </ClCompile>
31 |     <ClCompile Include="cleaning.cpp">
32 |       <Filter>Source Files</Filter>
33 |     </ClCompile>
34 |   </ItemGroup>
35 |   <ItemGroup>
36 |     <ClInclude Include="core.h">
37 |       <Filter>Driver Files</Filter>
38 |     </ClInclude>
39 |     <ClInclude Include="stdafx.h">
40 |       <Filter>Driver Files</Filter>
41 |     </ClInclude>
42 |     <ClInclude Include="structs.h">
43 |       <Filter>Driver Files</Filter>
44 |     </ClInclude>
45 |     <ClInclude Include="util.h">
46 |       <Filter>Driver Files</Filter>
47 |     </ClInclude>
48 |     <ClInclude Include="cleaning.h">
49 |       <Filter>Driver Files</Filter>
50 |     </ClInclude>
51 |   </ItemGroup>
52 | </Project>


--------------------------------------------------------------------------------
/Usermode/memory.cpp:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include "memory.h"
  3 | 
  4 | /*
  5 | * __int64 __fastcall NtUserSetProcessWindowStation(struct _DEVICE_OBJECT *a1)
  6 | */
  7 | static NTSTATUS(*NtUserCloseWindowStation)(PVOID a1) = nullptr;
  8 | 
  9 | 
 10 | Memory::Memory(int32_t pid, std::vector<std::string> moduleNames)
 11 | {
 12 | 	LoadLibraryA("user32.dll");
 13 | 	Setup("NtUserSetProcessWindowStation");
 14 | 
 15 | 	processId = pid;
 16 | 
 17 | 	for (const auto & moduleName : moduleNames)
 18 | 	{
 19 | 		uint64_t baseAddress = NULL;
 20 | 		if (GetModuleBaseAddressFromKernel(processId, moduleName.c_str(), &baseAddress))
 21 | 			moduleBases.at(moduleName) = baseAddress;
 22 | 			
 23 | 	}
 24 | 
 25 | 	GetProcessBaseAddressFromKernel(pid, &this->base);
 26 | }
 27 | 
 28 | bool Memory::Rpm(uint64_t address, void* buffer, size_t size)
 29 | {
 30 | 	return ReadMemoryFromKernel(processId, address, buffer, size);
 31 | }
 32 | 
 33 | bool Memory::Wpm(uint64_t address, void* buffer, size_t size)
 34 | {
 35 | 	return WriteMemoryFromKernel(processId, address, buffer, size);
 36 | }
 37 | 
 38 | 
 39 | 
 40 | BOOL Memory::Setup(LPCSTR routineName) {
 41 | 	auto win32u = LoadLibraryA("win32u.dll");
 42 | 	if (!win32u) {
 43 | 		return FALSE;
 44 | 	}
 45 | 
 46 | 	auto addr = GetProcAddress(win32u, routineName);
 47 | 	if (!addr) {
 48 | 		return FALSE;
 49 | 	}
 50 | 
 51 | 	*(PVOID*)&NtUserCloseWindowStation = addr;
 52 | 	return TRUE;
 53 | }
 54 | 
 55 | bool Memory::GetProcessBaseAddressFromKernel(int processID, uint64_t* baseAddress)
 56 | {
 57 | 	Communication request = {};
 58 | 	SecureZeroMemory(&request, sizeof(Communication));
 59 | 	request.request = Request::GETBASE;
 60 | 	request.key = COMMUNICATION_KEY;
 61 | 	request.processID = processID;
 62 | 	request.buffer = 0;
 63 | 	NtUserCloseWindowStation(&request);
 64 | 
 65 | 	*baseAddress = request.buffer;
 66 | 	return (request.buffer != NULL);
 67 | }
 68 | 
 69 | bool Memory::GetModuleBaseAddressFromKernel(int processID, const char* moduleName, uint64_t* baseAddress)
 70 | {
 71 | 	Communication request = {};
 72 | 	SecureZeroMemory(&request, sizeof(Communication));
 73 | 	request.request = Request::GETMODULEBASE;
 74 | 	request.key = COMMUNICATION_KEY;
 75 | 	request.processID = processID;
 76 | 	request.moduleName = moduleName;
 77 | 	request.buffer = 0;
 78 | 	NtUserCloseWindowStation(&request);
 79 | 
 80 | 	*baseAddress = request.buffer;
 81 | 	return (request.buffer != NULL);
 82 | }
 83 | 
 84 | 
 85 | bool Memory::ReadMemoryFromKernel(int processId, uint64_t address, void* buffer, size_t size)
 86 | {
 87 | 	size_t read = NULL;
 88 | 	Communication request = {};
 89 | 	SecureZeroMemory(&request, sizeof(Communication));
 90 | 
 91 | 	request.request = Request::READPROCESSMEMORY;
 92 | 	request.key = COMMUNICATION_KEY;
 93 | 	request.address = address;
 94 | 	request.buffer = (uint64_t)buffer;
 95 | 	request.size = size;
 96 | 	request.processID = processId;
 97 | 	request.read = read;
 98 | 
 99 | 	NtUserCloseWindowStation(&request);
100 | 	return (buffer != NULL);
101 | }
102 | 
103 | bool Memory::WriteMemoryFromKernel(int processId, uint64_t address, void* buffer, size_t size)
104 | {
105 | 	size_t written = NULL;
106 | 	Communication request = {};
107 | 	SecureZeroMemory(&request, sizeof(Communication));
108 | 
109 | 	request.request = Request::WRITEPROCESSMEMORY;
110 | 	request.key = COMMUNICATION_KEY;
111 | 	request.address = address;
112 | 	request.buffer = (uint64_t)buffer;
113 | 	request.size = size;
114 | 	request.processID = processId;
115 | 	request.read = written;
116 | 
117 | 	NtUserCloseWindowStation(&request);
118 | 	return (buffer != NULL);
119 | }
120 | 


--------------------------------------------------------------------------------
/Driver/cleaning.cpp:
--------------------------------------------------------------------------------
  1 | #include "cleaning.h"
  2 | #include "util.h"
  3 | 
  4 | NTSTATUS NullPageFrameNumbersFromMdl(PMDL mdl)
  5 | {
  6 | 	PPFN_NUMBER mdl_pages = MmGetMdlPfnArray(mdl);
  7 | 	if (!mdl_pages) { return STATUS_UNSUCCESSFUL; }
  8 | 
  9 | 	ULONG mdl_page_count = ADDRESS_AND_SIZE_TO_SPAN_PAGES(MmGetMdlVirtualAddress(mdl), MmGetMdlByteCount(mdl));
 10 | 
 11 | 	ULONG null_pfn = 0x0;
 12 | 	MM_COPY_ADDRESS source_address = { 0 };
 13 | 	source_address.VirtualAddress = &null_pfn;
 14 | 
 15 | 	for (ULONG i = 0; i < mdl_page_count; i++)
 16 | 	{
 17 | 		size_t bytes = 0;
 18 | 		MmCopyMemory(&mdl_pages[i], source_address, sizeof(ULONG), MM_COPY_MEMORY_VIRTUAL, &bytes);
 19 | 	}
 20 | 	return STATUS_SUCCESS;
 21 | }
 22 | 
 23 | NTSTATUS Cleaning::NullPageFrameNumbers(uint64_t start, uint32_t size)
 24 | {
 25 | 	NTSTATUS status = STATUS_UNSUCCESSFUL;
 26 | 	PMDL mdl = IoAllocateMdl((PVOID)start, (ULONG)size, FALSE, FALSE, NULL);
 27 | 
 28 | 	if (!mdl)
 29 | 	{
 30 | 		printf("[mapper] Failed to allocate Mdl\n");
 31 | 		return status;
 32 | 	}
 33 | 
 34 | 	status = NullPageFrameNumbersFromMdl(mdl);
 35 | 
 36 | 	IoFreeMdl(mdl);
 37 | 
 38 | 	return status;
 39 | }
 40 | 
 41 | PVOID resolve_relative_address(PVOID Instruction, ULONG OffsetOffset, ULONG InstructionSize) //lol paste you got me. IDK the pointers were fucked up somewhere and I'm too lazy to go and manually reread it.
 42 | {
 43 | 	ULONG_PTR Instr = (ULONG_PTR)Instruction;
 44 | 	LONG RipOffset = *(PLONG)(Instr + OffsetOffset);
 45 | 	PVOID ResolvedAddr = (PVOID)(Instr + InstructionSize + RipOffset);
 46 | 
 47 | 	return ResolvedAddr;
 48 | }
 49 | 
 50 | NTSTATUS FindBigPoolTable(uint64_t* pPoolBigPageTable, uint64_t* pPoolBigPageTableSize)
 51 | {
 52 | 	PVOID ntoskrnl = Core::GetSystemModuleBase("\\SystemRoot\\system32\\ntoskrnl.exe");
 53 | 
 54 | 	if (!ntoskrnl)
 55 | 	{
 56 | 		printf("[mapper] Failed to get ntoskrnl.exe base Address!\n");
 57 | 		return STATUS_UNSUCCESSFUL;
 58 | 	}
 59 | 	printf("[mapper] ntoskrnl.exe -> 0x%p\n", ntoskrnl);
 60 | 
 61 | 	PVOID ExProtectPoolExCallInstructionsAddress = (PVOID)Util::FindPattern(ntoskrnl, "\xE8\x00\x00\x00\x00\x83\x67\x0C\x00", "x????xxxx");
 62 | 
 63 | 	PVOID ExProtectPoolExAddress = resolve_relative_address(ExProtectPoolExCallInstructionsAddress, 1, 5);
 64 | 
 65 | 	if (!ExProtectPoolExAddress)
 66 | 		return false;
 67 | 
 68 | 	PVOID PoolBigPageTableInstructionAddress = (PVOID)((ULONG64)ExProtectPoolExAddress + 0x95);
 69 | 	*pPoolBigPageTable = (UINT64)resolve_relative_address(PoolBigPageTableInstructionAddress, 3, 7);
 70 | 
 71 | 	PVOID PoolBigPageTableSizeInstructionAddress = (PVOID)((ULONG64)ExProtectPoolExAddress + 0x8E);
 72 | 	*pPoolBigPageTableSize = (UINT64)resolve_relative_address(PoolBigPageTableSizeInstructionAddress, 3, 7);
 73 | 
 74 | 	return STATUS_SUCCESS;
 75 | }
 76 | 
 77 | NTSTATUS Cleaning::CleanFromBigPools(uint64_t start)
 78 | {
 79 | 	uint64_t pPoolBigPageTable = 0;
 80 | 	uint64_t pPoolBigPageTableSize = 0;
 81 | 
 82 | 	if (NT_SUCCESS(FindBigPoolTable(&pPoolBigPageTable, &pPoolBigPageTableSize)))
 83 | 	{
 84 | 		PPOOL_TRACKER_BIG_PAGES PoolBigPageTable = 0;
 85 | 		RtlCopyMemory(&PoolBigPageTable, (PVOID)pPoolBigPageTable, 8);
 86 | 		SIZE_T PoolBigPageTableSize = 0;
 87 | 		RtlCopyMemory(&PoolBigPageTableSize, (PVOID)pPoolBigPageTableSize, 8);
 88 | 
 89 | 		for (int i = 0; i < PoolBigPageTableSize; i++)
 90 | 		{
 91 | 			if (PoolBigPageTable[i].Va == start || PoolBigPageTable[i].Va == (start + 0x1))
 92 | 			{
 93 | 				PoolBigPageTable[i].Va = 0x1;
 94 | 				PoolBigPageTable[i].NumberOfBytes = 0x0;
 95 | 				return STATUS_SUCCESS;
 96 | 			}
 97 | 		}
 98 | 
 99 | 		return STATUS_UNSUCCESSFUL;
100 | 	}
101 | 
102 | 	return STATUS_UNSUCCESSFUL;
103 | }
104 | 


--------------------------------------------------------------------------------
/DoubleDataPointer.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.30907.101
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "driver", "Driver\driver.vcxproj", "{4A9C2A65-D849-44DB-AFB5-207F816B23A2}"
 7 | EndProject
 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Example", "Example\Example.vcxproj", "{136B1D30-4A9A-4635-8D4C-01A050F1D50D}"
 9 | EndProject
10 | Global
11 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | 		Debug|ARM = Debug|ARM
13 | 		Debug|ARM64 = Debug|ARM64
14 | 		Debug|x64 = Debug|x64
15 | 		Debug|x86 = Debug|x86
16 | 		Release|ARM = Release|ARM
17 | 		Release|ARM64 = Release|ARM64
18 | 		Release|x64 = Release|x64
19 | 		Release|x86 = Release|x86
20 | 	EndGlobalSection
21 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
22 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Debug|ARM.ActiveCfg = Debug|ARM
23 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Debug|ARM.Build.0 = Debug|ARM
24 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Debug|ARM.Deploy.0 = Debug|ARM
25 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Debug|ARM64.ActiveCfg = Debug|ARM64
26 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Debug|ARM64.Build.0 = Debug|ARM64
27 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Debug|ARM64.Deploy.0 = Debug|ARM64
28 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Debug|x64.ActiveCfg = Debug|x64
29 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Debug|x64.Build.0 = Debug|x64
30 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Debug|x64.Deploy.0 = Debug|x64
31 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Debug|x86.ActiveCfg = Debug|Win32
32 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Debug|x86.Build.0 = Debug|Win32
33 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Debug|x86.Deploy.0 = Debug|Win32
34 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Release|ARM.ActiveCfg = Release|ARM
35 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Release|ARM.Build.0 = Release|ARM
36 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Release|ARM.Deploy.0 = Release|ARM
37 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Release|ARM64.ActiveCfg = Release|ARM64
38 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Release|ARM64.Build.0 = Release|ARM64
39 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Release|ARM64.Deploy.0 = Release|ARM64
40 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Release|x64.ActiveCfg = Release|x64
41 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Release|x64.Build.0 = Release|x64
42 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Release|x64.Deploy.0 = Release|x64
43 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Release|x86.ActiveCfg = Release|Win32
44 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Release|x86.Build.0 = Release|Win32
45 | 		{4A9C2A65-D849-44DB-AFB5-207F816B23A2}.Release|x86.Deploy.0 = Release|Win32
46 | 		{136B1D30-4A9A-4635-8D4C-01A050F1D50D}.Debug|ARM.ActiveCfg = Debug|Win32
47 | 		{136B1D30-4A9A-4635-8D4C-01A050F1D50D}.Debug|ARM64.ActiveCfg = Debug|Win32
48 | 		{136B1D30-4A9A-4635-8D4C-01A050F1D50D}.Debug|x64.ActiveCfg = Debug|x64
49 | 		{136B1D30-4A9A-4635-8D4C-01A050F1D50D}.Debug|x64.Build.0 = Debug|x64
50 | 		{136B1D30-4A9A-4635-8D4C-01A050F1D50D}.Debug|x86.ActiveCfg = Debug|Win32
51 | 		{136B1D30-4A9A-4635-8D4C-01A050F1D50D}.Debug|x86.Build.0 = Debug|Win32
52 | 		{136B1D30-4A9A-4635-8D4C-01A050F1D50D}.Release|ARM.ActiveCfg = Release|Win32
53 | 		{136B1D30-4A9A-4635-8D4C-01A050F1D50D}.Release|ARM64.ActiveCfg = Release|Win32
54 | 		{136B1D30-4A9A-4635-8D4C-01A050F1D50D}.Release|x64.ActiveCfg = Release|x64
55 | 		{136B1D30-4A9A-4635-8D4C-01A050F1D50D}.Release|x64.Build.0 = Release|x64
56 | 		{136B1D30-4A9A-4635-8D4C-01A050F1D50D}.Release|x86.ActiveCfg = Release|Win32
57 | 		{136B1D30-4A9A-4635-8D4C-01A050F1D50D}.Release|x86.Build.0 = Release|Win32
58 | 	EndGlobalSection
59 | 	GlobalSection(SolutionProperties) = preSolution
60 | 		HideSolutionNode = FALSE
61 | 	EndGlobalSection
62 | 	GlobalSection(ExtensibilityGlobals) = postSolution
63 | 		SolutionGuid = {0A506531-E5B8-46D7-9AD9-4CCD1D3C1CFB}
64 | 	EndGlobalSection
65 | EndGlobal
66 | 


--------------------------------------------------------------------------------
/Example/Example.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{136b1d30-4a9a-4635-8d4c-01a050f1d50d}</ProjectGuid>
 25 |     <RootNamespace>Example</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v142</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v142</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v142</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v142</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 77 |     <LinkIncremental>false</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 80 |     <LinkIncremental>true</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <SDLCheck>true</SDLCheck>
 89 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 90 |       <ConformanceMode>true</ConformanceMode>
 91 |     </ClCompile>
 92 |     <Link>
 93 |       <SubSystem>Console</SubSystem>
 94 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 95 |     </Link>
 96 |   </ItemDefinitionGroup>
 97 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 98 |     <ClCompile>
 99 |       <WarningLevel>Level3</WarningLevel>
100 |       <FunctionLevelLinking>true</FunctionLevelLinking>
101 |       <IntrinsicFunctions>true</IntrinsicFunctions>
102 |       <SDLCheck>true</SDLCheck>
103 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
104 |       <ConformanceMode>true</ConformanceMode>
105 |     </ClCompile>
106 |     <Link>
107 |       <SubSystem>Console</SubSystem>
108 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
109 |       <OptimizeReferences>true</OptimizeReferences>
110 |       <GenerateDebugInformation>true</GenerateDebugInformation>
111 |     </Link>
112 |   </ItemDefinitionGroup>
113 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
114 |     <ClCompile>
115 |       <WarningLevel>Level3</WarningLevel>
116 |       <SDLCheck>true</SDLCheck>
117 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
118 |       <ConformanceMode>true</ConformanceMode>
119 |     </ClCompile>
120 |     <Link>
121 |       <SubSystem>Console</SubSystem>
122 |       <GenerateDebugInformation>true</GenerateDebugInformation>
123 |     </Link>
124 |   </ItemDefinitionGroup>
125 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
126 |     <ClCompile>
127 |       <WarningLevel>Level3</WarningLevel>
128 |       <FunctionLevelLinking>true</FunctionLevelLinking>
129 |       <IntrinsicFunctions>true</IntrinsicFunctions>
130 |       <SDLCheck>true</SDLCheck>
131 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
132 |       <ConformanceMode>true</ConformanceMode>
133 |     </ClCompile>
134 |     <Link>
135 |       <SubSystem>Console</SubSystem>
136 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
137 |       <OptimizeReferences>true</OptimizeReferences>
138 |       <GenerateDebugInformation>true</GenerateDebugInformation>
139 |     </Link>
140 |   </ItemDefinitionGroup>
141 |   <ItemGroup>
142 |     <ClCompile Include="..\Usermode\memory.cpp" />
143 |     <ClCompile Include="main.cpp" />
144 |   </ItemGroup>
145 |   <ItemGroup>
146 |     <ClInclude Include="..\Usermode\memory.h" />
147 |   </ItemGroup>
148 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
149 |   <ImportGroup Label="ExtensionTargets">
150 |   </ImportGroup>
151 | </Project>


--------------------------------------------------------------------------------
/Driver/main.cpp:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include "stdafx.h"
  3 | #include "cleaning.h"
  4 | 
  5 | //these things need thier own file hooks.h and hooks.cpp
  6 | PVOID(__fastcall* oApiSetEditionSetProcessWindowStationEntryPointPointer)(PVOID);
  7 | PVOID(__fastcall* oApiSetEnsurePointerDeviceHasMonitorPointer)(PVOID);
  8 | 
  9 | /* 
 10 |   * FOR CHAINING: 
 11 |   *	ApiSetEnsurePointerDeviceHasMonitor(PDEVICE_OBJECT a1)
 12 |   * sig: \xE8\x00\x00\x00\x00\x85\xC0\x75\x43, x????xxxx (RVA 5)
 13 |   *		qword offset: (+0x78) (RVA 7)
 14 |   *		qword_1C0258DD0(PDEVICE_OBJECT)
 15 |   *
 16 |   * FOR USERMODE CALL:
 17 |   * __int64 __fastcall NtUserSetProcessWindowStation(struct _DEVICE_OBJECT *a1)
 18 |   * 
 19 |   * ApiSetEditionSetProcessWindowStationEntryPoint(PDEVICE_OBJECT)
 20 |   * sig: \xE8\x00\x00\x00\x00\x48\x98\x48\x83\xC4\x28\xC3\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x70\x10, x????xxxxxxxxxxxxxxxxxxxxxxxxxx
 21 |   *		qword offset: (+0x5E) (RVA 7)
 22 |   *		qword_1C0258DD0(PDEVICE_OBJECT)
 23 |   *
 24 | */
 25 | 
 26 | 
 27 | PVOID ApiSetEnsurePointerDeviceHasMonitorHook(PDEVICE_OBJECT DeviceObject) 
 28 | {
 29 | 
 30 | #pragma region Validation
 31 | 	{
 32 | 		if (ExGetPreviousMode() != UserMode) {
 33 | 			return oApiSetEditionSetProcessWindowStationEntryPointPointer(DeviceObject);
 34 | 		}
 35 | 
 36 | 		Communication comm = {};
 37 | 		size_t read;
 38 | 
 39 | 
 40 | 		if (!NT_SUCCESS(Core::ReadVirtual(Core::GetKernelDirBase(), (uint64_t)DeviceObject, (uint8_t*)&comm, sizeof(Communication), &read)) || comm.key != COMMUNICATION_KEY) {
 41 | 			printf("[mapper] Invalid Usermode Call\n");
 42 | 			return oApiSetEditionSetProcessWindowStationEntryPointPointer(DeviceObject);
 43 | 		}
 44 | 	}
 45 | #pragma endregion
 46 | 
 47 | 	auto comm = (Communication*)DeviceObject;
 48 | 
 49 | 	printf("[mapper] called w reason -> 0x%p\n", comm->key);
 50 | 	printf("[mapper] called w request -> 0x%p\n", comm->request);
 51 | 
 52 | 	switch (comm->request) 
 53 | 	{
 54 | 		case Request::READPROCESSMEMORY: 
 55 | 		{
 56 | 			if (!NT_SUCCESS(Core::ReadProcessMemory(comm->processID,
 57 | 				comm->address,
 58 | 				comm->buffer,
 59 | 				comm->size,
 60 | 				&comm->read)))
 61 | 			{
 62 | 				printf("[mapper] failed a read to -> 0x%llx\n", comm->address);
 63 | 			}
 64 | 
 65 | 		} break;
 66 | 		case Request::WRITEPROCESSMEMORY:
 67 | 		{
 68 | 
 69 | 			if (!NT_SUCCESS(Core::WriteProcessMemory(comm->processID,
 70 | 				comm->address,
 71 | 				comm->buffer,
 72 | 				comm->size,
 73 | 				&comm->written)))
 74 | 			{
 75 | 				printf("[mapper] failed a write to -> 0x%llx\n", comm->address);
 76 | 			};
 77 | 		} break;
 78 | 		case Request::GETMODULEBASE:
 79 | 		{
 80 | 			printf("comm->processID: %d, comm->moduleName: %s\n", comm->processID, comm->moduleName);
 81 | 			uint64_t baseAddress = NULL;
 82 | 			if (NT_SUCCESS(Core::GetModuleBaseAddress(comm->processID, comm->moduleName, &baseAddress)))
 83 | 				comm->buffer = (uint64_t)baseAddress;
 84 | 			else
 85 | 				printf("[mapper] failed to find %s in %d\n", comm->moduleName, comm->processID);
 86 | 		} break;
 87 | 		case Request::GETBASE:
 88 | 		{
 89 | 			uint64_t baseAddress = NULL;
 90 | 			if (NT_SUCCESS(Core::GetProcessBaseAddress(comm->processID, &baseAddress)))
 91 | 				comm->buffer = (uint64_t)baseAddress;
 92 | 			else
 93 | 				printf("[mapper] process id: %d base: %p", comm->processID, baseAddress);
 94 | 		} break;
 95 | 		//we need a command to restore the original pointers, AND THATS ALL.
 96 | 	}
 97 | 	return NULL;
 98 | }
 99 | 
100 | void* GetFunctionDataPointer(void* FunctionAddress, uint64_t DataPointerOffset)
101 | {
102 | 
103 | 	return 0;
104 | }
105 | 
106 | void CleanTraces(EntryParams* params)
107 | {
108 | 	uint64_t entryPoint = params->entryPoint;
109 | 	uint32_t poolBase = params->poolBase;
110 | 	uint32_t size = params->size;
111 | 
112 | 	if (NT_SUCCESS(Cleaning::NullPageFrameNumbers(poolBase, size)))
113 | 		printf("[mapper] Nulled Page Frame Number\n");
114 | 	else
115 | 		printf("[mapper] Failed to Null Page Frame Numbers\n");
116 | 
117 | 	if (NT_SUCCESS(Cleaning::CleanFromBigPools(params->poolBase)))
118 | 		printf("[mapper] Cleaned from Bigpools\n");
119 | 	else
120 | 		printf("[mapper] Failed to clean from Bigpools\n");
121 | }
122 | 
123 | 
124 | NTSTATUS DriverEntry(EntryParams* params) //damn this needs serious fixing... it's clunky
125 | {
126 | 	if (!params)
127 | 		return STATUS_FAILED_DRIVER_ENTRY;
128 | 
129 | 	printf("[mapper] Driver Entry: %xll Image Base: %xll Size: %xll\n", params->entryPoint, params->poolBase, params->size);
130 | 
131 | #pragma region win32base.sys
132 | 	auto win32kbase = Core::GetSystemModuleBase("\\SystemRoot\\System32\\win32kbase.sys");
133 | 	{
134 | 
135 | 		if (!win32kbase) 
136 | 		{
137 | 			printf("[mapper] Failed to get Base Address!\n");
138 | 			return STATUS_FAILED_DRIVER_ENTRY;
139 | 		}
140 | 
141 | 		printf("[mapper] win32kbase.sys -> 0x%p\n", win32kbase);
142 | 	}
143 | #pragma endregion
144 | #pragma region ApiSetEditionSetProcessWindowStationEntryPoint
145 | 
146 | 	auto ApiSetEditionSetProcessWindowStationEntryPointAddress = Util::FindPattern(
147 | 		win32kbase, 
148 | 		"\xE8\x00\x00\x00\x00\x48\x98\x48\x83\xC4\x28\xC3\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x70\x10", 
149 | 		"x????xxxxxxxxxxxxxxxxxxxxxxxxxx");
150 | 	{
151 | 		if (!ApiSetEditionSetProcessWindowStationEntryPointAddress)
152 | 		{
153 | 			printf("[mapper] Unable to find ApiSetEditionSetProcessWindowStationEntryPoint signature!\n");
154 | 			return STATUS_FAILED_DRIVER_ENTRY;
155 | 		}
156 | 		ApiSetEditionSetProcessWindowStationEntryPointAddress = RVA(ApiSetEditionSetProcessWindowStationEntryPointAddress, 5);
157 | 		printf("[mapper] ApiSetEditionSetProcessWindowStationEntryPoint -> 0x%p\n", ApiSetEditionSetProcessWindowStationEntryPointAddress);
158 | 	}
159 | 
160 | 	auto ApiSetEditionSetProcessWindowStationEntryPointDataPointer = RVA(ApiSetEditionSetProcessWindowStationEntryPointAddress + 0x5E, 7);
161 | 	{
162 | 		if (!ApiSetEditionSetProcessWindowStationEntryPointDataPointer)
163 | 		{
164 | 			printf("[mapper] Invalid ApiSetEditionSetProcessWindowStationEntryPoint Data Pointer!\n");
165 | 			return STATUS_FAILED_DRIVER_ENTRY;
166 | 		}
167 | 		printf("[mapper] ApiSetEditionSetProcessWindowStationEntryPoint Data Pointer -> 0x%p\n", 
168 | 			ApiSetEditionSetProcessWindowStationEntryPointAddress);
169 | 	}
170 | #pragma endregion
171 | #pragma region ApiSetEnsurePointerDeviceHasMonitor
172 | 	auto ApiSetEnsurePointerDeviceHasMonitorAddress = Util::FindPattern(win32kbase, "\xE8\x00\x00\x00\x00\x85\xC0\x75\x43", "x????xxxx");
173 | 	{
174 | 		if (!ApiSetEnsurePointerDeviceHasMonitorAddress) 
175 | 		{
176 | 			printf("[mapper] Unable to find ApiSetEnsurePointerDeviceHasMonitor signature!\n");
177 | 			return STATUS_FAILED_DRIVER_ENTRY;
178 | 		}
179 | 		ApiSetEnsurePointerDeviceHasMonitorAddress = RVA(ApiSetEnsurePointerDeviceHasMonitorAddress, 5);
180 | 		printf("[mapper] ApiSetEnsurePointerDeviceHasMonitor -> 0x%p\n", ApiSetEnsurePointerDeviceHasMonitorAddress);
181 | 	}
182 | 
183 | 	auto ApiSetEnsurePointerDeviceHasMonitorDataPointer = RVA(ApiSetEnsurePointerDeviceHasMonitorAddress + 0x78, 7);
184 | 	{
185 | 		if (!ApiSetEnsurePointerDeviceHasMonitorDataPointer) 
186 | 		{
187 | 			printf("[mapper] Invalid ApiSetEnsurePointerDeviceHasMonitor Data Pointer!\n");
188 | 			return STATUS_FAILED_DRIVER_ENTRY;
189 | 		}
190 | 		printf("[mapper] ApiSetEnsurePointerDeviceHasMonitor Data Pointer -> 0x%p\n", ApiSetEnsurePointerDeviceHasMonitorDataPointer);
191 | 	}
192 | 
193 | #pragma endregion
194 | #pragma region PointerSwapping
195 | 	{
196 | 		*(PVOID*)&oApiSetEnsurePointerDeviceHasMonitorPointer = InterlockedExchangePointer(
197 | 				(volatile PVOID*)ApiSetEnsurePointerDeviceHasMonitorDataPointer,
198 | 				ApiSetEnsurePointerDeviceHasMonitorHook);
199 | 
200 | 		printf("[mapper] swapped pointer -> 0x%p to 0x%p\n", 
201 | 			ApiSetEnsurePointerDeviceHasMonitorDataPointer, ApiSetEnsurePointerDeviceHasMonitorHook);
202 | 	}
203 | 
204 | 	{
205 | 		*(PVOID*)&oApiSetEditionSetProcessWindowStationEntryPointPointer = InterlockedExchangePointer(
206 | 				(volatile PVOID*)ApiSetEditionSetProcessWindowStationEntryPointDataPointer,
207 | 				ApiSetEnsurePointerDeviceHasMonitorAddress);
208 | 
209 | 		printf("[mapper] swapped pointer -> 0x%p to 0x%p\n", 
210 | 			ApiSetEditionSetProcessWindowStationEntryPointDataPointer, ApiSetEnsurePointerDeviceHasMonitorAddress);
211 | 	}
212 | 
213 | #pragma endregion
214 | 
215 | 
216 | 	CleanTraces(params); //This should be NTSTATUS
217 | 
218 | 	return STATUS_SUCCESS;
219 | }
220 | 


--------------------------------------------------------------------------------
/Driver/driver.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Debug|ARM">
 21 |       <Configuration>Debug</Configuration>
 22 |       <Platform>ARM</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|ARM">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>ARM</Platform>
 27 |     </ProjectConfiguration>
 28 |     <ProjectConfiguration Include="Debug|ARM64">
 29 |       <Configuration>Debug</Configuration>
 30 |       <Platform>ARM64</Platform>
 31 |     </ProjectConfiguration>
 32 |     <ProjectConfiguration Include="Release|ARM64">
 33 |       <Configuration>Release</Configuration>
 34 |       <Platform>ARM64</Platform>
 35 |     </ProjectConfiguration>
 36 |   </ItemGroup>
 37 |   <PropertyGroup Label="Globals">
 38 |     <ProjectGuid>{4A9C2A65-D849-44DB-AFB5-207F816B23A2}</ProjectGuid>
 39 |     <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
 40 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
 41 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
 42 |     <Configuration>Debug</Configuration>
 43 |     <Platform Condition="'$(Platform)' == ''">Win32</Platform>
 44 |     <RootNamespace>driver</RootNamespace>
 45 |     <ProjectName>driver</ProjectName>
 46 |     <WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
 47 |   </PropertyGroup>
 48 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 49 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 50 |     <TargetVersion>Windows10</TargetVersion>
 51 |     <UseDebugLibraries>true</UseDebugLibraries>
 52 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 53 |     <ConfigurationType>Driver</ConfigurationType>
 54 |     <DriverType>KMDF</DriverType>
 55 |     <DriverTargetPlatform>Desktop</DriverTargetPlatform>
 56 |     <ALLOW_DATE_TIME>1</ALLOW_DATE_TIME>
 57 |   </PropertyGroup>
 58 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 59 |     <TargetVersion>Windows10</TargetVersion>
 60 |     <UseDebugLibraries>false</UseDebugLibraries>
 61 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 62 |     <ConfigurationType>Driver</ConfigurationType>
 63 |     <DriverType>KMDF</DriverType>
 64 |     <DriverTargetPlatform>Desktop</DriverTargetPlatform>
 65 |     <ALLOW_DATE_TIME>1</ALLOW_DATE_TIME>
 66 |   </PropertyGroup>
 67 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 68 |     <TargetVersion>Windows10</TargetVersion>
 69 |     <UseDebugLibraries>true</UseDebugLibraries>
 70 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 71 |     <ConfigurationType>Driver</ConfigurationType>
 72 |     <DriverType>KMDF</DriverType>
 73 |     <DriverTargetPlatform>Desktop</DriverTargetPlatform>
 74 |     <ALLOW_DATE_TIME>1</ALLOW_DATE_TIME>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 77 |     <TargetVersion>Windows10</TargetVersion>
 78 |     <UseDebugLibraries>false</UseDebugLibraries>
 79 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 80 |     <ConfigurationType>Driver</ConfigurationType>
 81 |     <DriverType>KMDF</DriverType>
 82 |     <DriverTargetPlatform>Desktop</DriverTargetPlatform>
 83 |     <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
 84 |     <ALLOW_DATE_TIME>1</ALLOW_DATE_TIME>
 85 |   </PropertyGroup>
 86 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
 87 |     <TargetVersion>Windows10</TargetVersion>
 88 |     <UseDebugLibraries>true</UseDebugLibraries>
 89 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 90 |     <ConfigurationType>Driver</ConfigurationType>
 91 |     <DriverType>KMDF</DriverType>
 92 |     <DriverTargetPlatform>Desktop</DriverTargetPlatform>
 93 |     <ALLOW_DATE_TIME>1</ALLOW_DATE_TIME>
 94 |   </PropertyGroup>
 95 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
 96 |     <TargetVersion>Windows10</TargetVersion>
 97 |     <UseDebugLibraries>false</UseDebugLibraries>
 98 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 99 |     <ConfigurationType>Driver</ConfigurationType>
100 |     <DriverType>KMDF</DriverType>
101 |     <DriverTargetPlatform>Desktop</DriverTargetPlatform>
102 |     <ALLOW_DATE_TIME>1</ALLOW_DATE_TIME>
103 |   </PropertyGroup>
104 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
105 |     <TargetVersion>Windows10</TargetVersion>
106 |     <UseDebugLibraries>true</UseDebugLibraries>
107 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
108 |     <ConfigurationType>Driver</ConfigurationType>
109 |     <DriverType>KMDF</DriverType>
110 |     <DriverTargetPlatform>Desktop</DriverTargetPlatform>
111 |     <ALLOW_DATE_TIME>1</ALLOW_DATE_TIME>
112 |   </PropertyGroup>
113 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
114 |     <TargetVersion>Windows10</TargetVersion>
115 |     <UseDebugLibraries>false</UseDebugLibraries>
116 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
117 |     <ConfigurationType>Driver</ConfigurationType>
118 |     <DriverType>KMDF</DriverType>
119 |     <DriverTargetPlatform>Desktop</DriverTargetPlatform>
120 |     <ALLOW_DATE_TIME>1</ALLOW_DATE_TIME>
121 |   </PropertyGroup>
122 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
123 |   <ImportGroup Label="ExtensionSettings">
124 |   </ImportGroup>
125 |   <ImportGroup Label="PropertySheets">
126 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
127 |   </ImportGroup>
128 |   <PropertyGroup Label="UserMacros" />
129 |   <PropertyGroup />
130 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
131 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
132 |   </PropertyGroup>
133 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
134 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
135 |   </PropertyGroup>
136 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
137 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
138 |   </PropertyGroup>
139 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
140 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
141 |     <EnableInf2cat>false</EnableInf2cat>
142 |   </PropertyGroup>
143 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
144 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
145 |   </PropertyGroup>
146 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
147 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
148 |   </PropertyGroup>
149 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
150 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
151 |   </PropertyGroup>
152 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
153 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
154 |   </PropertyGroup>
155 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
156 |     <ClCompile>
157 |       <WarningLevel>TurnOffAllWarnings</WarningLevel>
158 |     </ClCompile>
159 |   </ItemDefinitionGroup>
160 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
161 |     <ClCompile>
162 |       <TreatWarningAsError>false</TreatWarningAsError>
163 |       <BufferSecurityCheck>false</BufferSecurityCheck>
164 |       <LanguageStandard>stdcpp17</LanguageStandard>
165 |     </ClCompile>
166 |     <Link>
167 |       <GenerateDebugInformation>false</GenerateDebugInformation>
168 |     </Link>
169 |     <Link>
170 |       <ProgramDatabaseFile />
171 |       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
172 |     </Link>
173 |   </ItemDefinitionGroup>
174 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
175 |     <ClCompile>
176 |       <TreatWarningAsError>false</TreatWarningAsError>
177 |       <LanguageStandard>stdcpp17</LanguageStandard>
178 |     </ClCompile>
179 |     <Link>
180 |       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
181 |     </Link>
182 |   </ItemDefinitionGroup>
183 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
184 |     <ClCompile>
185 |       <TreatWarningAsError>false</TreatWarningAsError>
186 |       <LanguageStandard>stdcpp17</LanguageStandard>
187 |     </ClCompile>
188 |     <Link>
189 |       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
190 |     </Link>
191 |   </ItemDefinitionGroup>
192 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
193 |     <ClCompile>
194 |       <TreatWarningAsError>false</TreatWarningAsError>
195 |       <LanguageStandard>stdcpp17</LanguageStandard>
196 |     </ClCompile>
197 |     <Link>
198 |       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
199 |     </Link>
200 |   </ItemDefinitionGroup>
201 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
202 |     <ClCompile>
203 |       <TreatWarningAsError>false</TreatWarningAsError>
204 |       <LanguageStandard>stdcpp17</LanguageStandard>
205 |     </ClCompile>
206 |     <Link>
207 |       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
208 |     </Link>
209 |   </ItemDefinitionGroup>
210 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
211 |     <ClCompile>
212 |       <TreatWarningAsError>false</TreatWarningAsError>
213 |       <LanguageStandard>stdcpp17</LanguageStandard>
214 |     </ClCompile>
215 |     <Link>
216 |       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
217 |     </Link>
218 |   </ItemDefinitionGroup>
219 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
220 |     <ClCompile>
221 |       <TreatWarningAsError>false</TreatWarningAsError>
222 |       <LanguageStandard>stdcpp17</LanguageStandard>
223 |     </ClCompile>
224 |     <Link>
225 |       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
226 |     </Link>
227 |   </ItemDefinitionGroup>
228 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
229 |     <ClCompile>
230 |       <TreatWarningAsError>false</TreatWarningAsError>
231 |       <LanguageStandard>stdcpp17</LanguageStandard>
232 |     </ClCompile>
233 |     <Link>
234 |       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
235 |     </Link>
236 |   </ItemDefinitionGroup>
237 |   <ItemGroup>
238 |     <FilesToPackage Include="$(TargetPath)" />
239 |   </ItemGroup>
240 |   <ItemGroup>
241 |     <ClCompile Include="cleaning.cpp" />
242 |     <ClCompile Include="core.cpp" />
243 |     <ClCompile Include="main.cpp" />
244 |     <ClCompile Include="util.cpp" />
245 |   </ItemGroup>
246 |   <ItemGroup>
247 |     <ClInclude Include="cleaning.h" />
248 |     <ClInclude Include="core.h" />
249 |     <ClInclude Include="stdafx.h" />
250 |     <ClInclude Include="structs.h" />
251 |     <ClInclude Include="util.h" />
252 |   </ItemGroup>
253 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
254 |   <ImportGroup Label="ExtensionTargets">
255 |   </ImportGroup>
256 | </Project>


--------------------------------------------------------------------------------
/Driver/core.cpp:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include "core.h"
  3 | #include "structs.h"
  4 | 
  5 | namespace Core {
  6 | 
  7 |     NTSTATUS GetProcessBaseAddress(int pid, uint64_t* Address)
  8 |     {
  9 |         PEPROCESS pProcess = NULL;
 10 |         if (pid < 1) 
 11 |             return STATUS_UNSUCCESSFUL;
 12 | 
 13 |         if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)pid, &pProcess)))
 14 |             return STATUS_UNSUCCESSFUL;
 15 | 
 16 | 
 17 |         *Address = (uint64_t)PsGetProcessSectionBaseAddress(pProcess);
 18 | 
 19 |         ObDereferenceObject(pProcess);
 20 |         return STATUS_SUCCESS;
 21 |     }
 22 | 
 23 |     DWORD GetUserDirectoryTableBaseOffset()
 24 |     {
 25 |         RTL_OSVERSIONINFOW ver = { 0 };
 26 |         RtlGetVersion(&ver);
 27 | 
 28 |         switch (ver.dwBuildNumber)
 29 |         {
 30 |         case WINDOWS_1803:
 31 |             return 0x0278;
 32 |             break;
 33 |         case WINDOWS_1809:
 34 |             return 0x0278;
 35 |             break;
 36 |         case WINDOWS_1903:
 37 |             return 0x0280;
 38 |             break;
 39 |         case WINDOWS_1909:
 40 |             return 0x0280;
 41 |             break;
 42 |         case WINDOWS_2004:
 43 |             return 0x0388;
 44 |             break;
 45 |         case WINDOWS_20H2:
 46 |             return 0x0388;
 47 |             break;
 48 |         case WINDOWS_21H1:
 49 |             return 0x0388;
 50 |             break;
 51 |         default:
 52 |             return 0x0388;
 53 |         }
 54 |     }
 55 | 
 56 |     //check normal dirbase if 0 then get from UserDirectoryTableBas
 57 |     ULONG_PTR GetProcessCr3(PEPROCESS pProcess)
 58 |     {
 59 |         PUCHAR process = (PUCHAR)pProcess;
 60 |         ULONG_PTR process_dirbase = *(PULONG_PTR)(process + 0x28); //dirbase x64, 32bit is 0x18
 61 |         if (process_dirbase == 0)
 62 |         {
 63 |             DWORD UserDirOffset = GetUserDirectoryTableBaseOffset();
 64 |             ULONG_PTR process_userdirbase = *(PULONG_PTR)(process + UserDirOffset);
 65 |             return process_userdirbase;
 66 |         }
 67 |         return process_dirbase;
 68 |     }
 69 |     ULONG_PTR GetKernelDirBase()
 70 |     {
 71 |         PUCHAR process = (PUCHAR)PsGetCurrentProcess();
 72 |         ULONG_PTR cr3 = *(PULONG_PTR)(process + 0x28); //dirbase x64, 32bit is 0x18
 73 |         return cr3;
 74 |     }
 75 |     uint64_t TranslateLinearAddress(uint64_t directoryTableBase, uint64_t virtualAddress);
 76 |     NTSTATUS ReadPhysicalAddress(uint64_t TargetAddress, PVOID lpBuffer, SIZE_T Size, SIZE_T* BytesRead);
 77 |     NTSTATUS WritePhysicalAddress(uint64_t TargetAddress, PVOID lpBuffer, SIZE_T Size, SIZE_T* BytesWritten);
 78 | 
 79 |     NTSTATUS ReadVirtual(uint64_t dirbase, uint64_t address, uint8_t* buffer, SIZE_T size, SIZE_T* read)
 80 |     {
 81 |         uint64_t paddress = TranslateLinearAddress(dirbase, address);
 82 |         return ReadPhysicalAddress(paddress, buffer, size, read);
 83 |     }
 84 | 
 85 |     NTSTATUS WriteVirtual(uint64_t dirbase, uint64_t address, uint8_t* buffer, SIZE_T size, SIZE_T* written)
 86 |     {
 87 |         uint64_t paddress = TranslateLinearAddress(dirbase, address);
 88 |         return WritePhysicalAddress(paddress, buffer, size, written);
 89 |     }
 90 | 
 91 |     NTSTATUS ReadPhysicalAddress(uint64_t TargetAddress, PVOID lpBuffer, SIZE_T Size, SIZE_T* BytesRead)
 92 |     {
 93 |         MM_COPY_ADDRESS AddrToRead = { 0 };
 94 |         AddrToRead.PhysicalAddress.QuadPart = TargetAddress;
 95 |         return MmCopyMemory(lpBuffer, AddrToRead, Size, MM_COPY_MEMORY_PHYSICAL, BytesRead);
 96 |     }
 97 | 
 98 |     //MmMapIoSpaceEx limit is page 4096 byte
 99 |     NTSTATUS WritePhysicalAddress(uint64_t TargetAddress, PVOID lpBuffer, SIZE_T Size, SIZE_T* BytesWritten)
100 |     {
101 |         if (!TargetAddress)
102 |             return STATUS_UNSUCCESSFUL;
103 | 
104 |         PHYSICAL_ADDRESS AddrToWrite = { 0 };
105 |         AddrToWrite.QuadPart = TargetAddress;
106 | 
107 |         PVOID pmapped_mem = MmMapIoSpaceEx(AddrToWrite, Size, PAGE_READWRITE);
108 | 
109 |         if (!pmapped_mem)
110 |             return STATUS_UNSUCCESSFUL;
111 | 
112 |         memcpy(pmapped_mem, lpBuffer, Size);
113 | 
114 |         *BytesWritten = Size;
115 |         MmUnmapIoSpace(pmapped_mem, Size);
116 |         return STATUS_SUCCESS;
117 |     }
118 | 
119 | #define PAGE_OFFSET_SIZE 12
120 |     static const uint64_t PMASK = (~0xfull << 8) & 0xfffffffffull;
121 | 
122 |     uint64_t TranslateLinearAddress(uint64_t directoryTableBase, uint64_t virtualAddress) {
123 |         directoryTableBase &= ~0xf;
124 | 
125 |         uint64_t pageOffset = virtualAddress & ~(~0ul << PAGE_OFFSET_SIZE);
126 |         uint64_t pte = ((virtualAddress >> 12) & (0x1ffll));
127 |         uint64_t pt = ((virtualAddress >> 21) & (0x1ffll));
128 |         uint64_t pd = ((virtualAddress >> 30) & (0x1ffll));
129 |         uint64_t pdp = ((virtualAddress >> 39) & (0x1ffll));
130 | 
131 |         SIZE_T readsize = 0;
132 |         uint64_t pdpe = 0;
133 |         ReadPhysicalAddress(directoryTableBase + 8 * pdp, &pdpe, sizeof(pdpe), &readsize);
134 |         if (~pdpe & 1)
135 |             return 0;
136 | 
137 |         uint64_t pde = 0;
138 |         ReadPhysicalAddress((pdpe & PMASK) + 8 * pd, &pde, sizeof(pde), &readsize);
139 |         if (~pde & 1)
140 |             return 0;
141 | 
142 |         /* 1GB large page, use pde's 12-34 bits */
143 |         if (pde & 0x80)
144 |             return (pde & (~0ull << 42 >> 12)) + (virtualAddress & ~(~0ull << 30));
145 | 
146 |         uint64_t pteAddr = 0;
147 |         ReadPhysicalAddress((pde & PMASK) + 8 * pt, &pteAddr, sizeof(pteAddr), &readsize);
148 |         if (~pteAddr & 1)
149 |             return 0;
150 | 
151 |         /* 2MB large page */
152 |         if (pteAddr & 0x80)
153 |             return (pteAddr & PMASK) + (virtualAddress & ~(~0ull << 21));
154 | 
155 |         virtualAddress = 0;
156 |         ReadPhysicalAddress((pteAddr & PMASK) + 8 * pte, &virtualAddress, sizeof(virtualAddress), &readsize);
157 |         virtualAddress &= PMASK;
158 | 
159 |         if (!virtualAddress)
160 |             return 0;
161 | 
162 |         return virtualAddress + pageOffset;
163 |     }
164 | 
165 | 
166 |     //
167 |     NTSTATUS ReadProcessMemory(int pid, uint64_t Address, uint64_t AllocatedBuffer, SIZE_T size, SIZE_T* read)
168 |     {
169 |         PEPROCESS pProcess = NULL;
170 |         if (pid == 0) return STATUS_UNSUCCESSFUL;
171 | 
172 |         NTSTATUS NtRet = PsLookupProcessByProcessId((HANDLE)pid, &pProcess);
173 |         if (NtRet != STATUS_SUCCESS) return NtRet;
174 | 
175 |         ULONG_PTR process_dirbase = GetProcessCr3(pProcess);
176 |         ObDereferenceObject(pProcess);
177 | 
178 |         SIZE_T CurOffset = 0;
179 |         SIZE_T TotalSize = size;
180 |         while (TotalSize)
181 |         {
182 | 
183 |             uint64_t CurPhysAddr = TranslateLinearAddress(process_dirbase, (ULONG64)Address + CurOffset);
184 |             if (!CurPhysAddr) return STATUS_UNSUCCESSFUL;
185 | 
186 |             ULONG64 ReadSize = min(PAGE_SIZE - (CurPhysAddr & 0xFFF), TotalSize);
187 |             SIZE_T BytesRead = 0;
188 |             NtRet = ReadPhysicalAddress(CurPhysAddr, (PVOID)((ULONG64)AllocatedBuffer + CurOffset), ReadSize, &BytesRead);
189 |             TotalSize -= BytesRead;
190 |             CurOffset += BytesRead;
191 |             if (NtRet != STATUS_SUCCESS) break;
192 |             if (BytesRead == 0) break;
193 |         }
194 | 
195 |         *read = CurOffset;
196 |         return NtRet;
197 |     }
198 | 
199 |     NTSTATUS WriteProcessMemory(int pid, uint64_t Address, uint64_t AllocatedBuffer, SIZE_T size, SIZE_T* written)
200 |     {
201 |         PEPROCESS pProcess = NULL;
202 |         if (pid == 0) return STATUS_UNSUCCESSFUL;
203 | 
204 |         NTSTATUS NtRet = PsLookupProcessByProcessId((HANDLE)pid, &pProcess);
205 |         if (NtRet != STATUS_SUCCESS) return NtRet;
206 | 
207 |         ULONG_PTR process_dirbase = GetProcessCr3(pProcess);
208 |         ObDereferenceObject(pProcess);
209 | 
210 |         SIZE_T CurOffset = 0;
211 |         SIZE_T TotalSize = size;
212 |         while (TotalSize)
213 |         {
214 |             uint64_t CurPhysAddr = TranslateLinearAddress(process_dirbase, (ULONG64)Address + CurOffset);
215 |             if (!CurPhysAddr) return STATUS_UNSUCCESSFUL;
216 | 
217 |             ULONG64 WriteSize = min(PAGE_SIZE - (CurPhysAddr & 0xFFF), TotalSize);
218 |             SIZE_T BytesWritten = 0;
219 |             NtRet = WritePhysicalAddress(CurPhysAddr, (PVOID)((ULONG64)AllocatedBuffer + CurOffset), WriteSize, &BytesWritten);
220 |             TotalSize -= BytesWritten;
221 |             CurOffset += BytesWritten;
222 |             if (NtRet != STATUS_SUCCESS) break;
223 |             if (BytesWritten == 0) break;
224 |         }
225 | 
226 |         *written = CurOffset;
227 |         return NtRet;
228 |     }
229 | 
230 |     //NTSTATUS GetModuleBaseAddress(int processId, const char* moduleName, uint64_t* baseAddress)
231 |     //{
232 |     //    printf("Trying to Find: %s\n", moduleName);
233 |     //    if (!moduleName)
234 |     //        return STATUS_UNSUCCESSFUL;
235 | 
236 | 
237 |     //    /*PEPROCESS process = NULL;
238 |     //    if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)processId, &process)))
239 |     //        return STATUS_UNSUCCESSFUL;
240 | 
241 |     //    printf("Found PEPROCESS\n\n", moduleName);
242 | 
243 |     //    PPEB pPeb = PsGetProcessPeb(process);
244 | 
245 |     //    if (!pPeb)
246 |     //        return STATUS_UNSUCCESSFUL;
247 | 
248 |     //    printf("Found PEB\n\n", moduleName);*/
249 | 
250 |     //    ANSI_STRING ansiString = { 0 };
251 |     //    RtlInitAnsiString(&ansiString, moduleName);
252 | 
253 |     //    if (ansiString.Length < 3)
254 |     //        return STATUS_UNSUCCESSFUL;
255 | 
256 |     //    UNICODE_STRING compareString = { 0 };
257 |     //    RtlAnsiStringToUnicodeString(&compareString, &ansiString, TRUE);
258 | 
259 |     //    if (compareString.Length < 3)
260 |     //        return STATUS_UNSUCCESSFUL;
261 | 
262 |     //    PEPROCESS pProcess = NULL;
263 |     //    NTSTATUS status = STATUS_UNSUCCESSFUL;
264 |     //    if (NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)processId, &pProcess)))
265 |     //    {
266 |     //        KAPC_STATE state;
267 |     //        KeStackAttachProcess(pProcess, &state);
268 |     //        PPEB pPeb = PsGetProcessPeb(pProcess);
269 | 
270 |     //        for (PLIST_ENTRY pListEntry = pPeb->Ldr->InMemoryOrderModuleList.Flink; pListEntry != &pPeb->Ldr->InMemoryOrderModuleList; pListEntry = pListEntry->Flink)
271 |     //        {
272 |     //            PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
273 |     //            if (RtlCompareUnicodeString(&pEntry->BaseDllName, &compareString, TRUE) == 0) {
274 |     //                *baseAddress = (uint64_t)pEntry->DllBase;
275 |     //                status = STATUS_SUCCESS;
276 |     //                break;
277 |     //            }
278 |     //        }
279 | 
280 |     //        KeUnstackDetachProcess(&state);
281 |     //    }
282 |     //    return status;
283 |     //}
284 | 
285 |     NTSTATUS GetModuleBaseAddress(int processId, const char* moduleName, uint64_t* baseAddress)
286 |     {
287 |         ANSI_STRING ansiString;
288 |         UNICODE_STRING compareString;
289 |         KAPC_STATE state;
290 |         NTSTATUS status = STATUS_UNSUCCESSFUL;
291 |         PEPROCESS process = NULL;
292 |         PPEB pPeb = NULL;
293 | 
294 |         RtlInitAnsiString(&ansiString, moduleName);
295 |         RtlAnsiStringToUnicodeString(&compareString, &ansiString, TRUE);
296 | 
297 |         printf("Looking for module %d\n", processId);
298 | 
299 |         if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)processId, &process)))
300 |             return STATUS_UNSUCCESSFUL;
301 | 
302 |         printf("Found process %d\n", processId);
303 | 
304 |         KeStackAttachProcess(process, &state);
305 |         pPeb = PsGetProcessPeb(process);
306 | 
307 |         if (pPeb)
308 |         {
309 |             PPEB_LDR_DATA pLdr = (PPEB_LDR_DATA)pPeb->Ldr;
310 | 
311 |             if (pLdr)
312 |             {
313 |                 for (PLIST_ENTRY list = (PLIST_ENTRY)pLdr->InMemoryOrderModuleList.Flink; list != &pLdr->InMemoryOrderModuleList; list = (PLIST_ENTRY)list->Flink)
314 |                 {
315 |                     PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(list, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
316 |                     printf("%wZ\n", pEntry->BaseDllName);
317 |                     if (RtlCompareUnicodeString(&pEntry->BaseDllName, &compareString, TRUE) == 0)
318 |                     {
319 |                         *baseAddress = (uint64_t)pEntry->DllBase;
320 |                         status = STATUS_SUCCESS;
321 |                         break;
322 |                     }
323 |                 }
324 |             }
325 |         }
326 |         KeUnstackDetachProcess(&state);
327 |         RtlFreeUnicodeString(&compareString);
328 |         return status;
329 |     }
330 | 
331 |     PVOID GetSystemModuleBase(LPCSTR moduleName) {
332 | 
333 |         PVOID moduleBase = NULL;
334 |         ULONG info = 0;
335 | 
336 |         NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, 0, info, &info);
337 | 
338 |         if (!info) {
339 |             return moduleBase;
340 |         }
341 | 
342 |         PRTL_PROCESS_MODULES modules = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, info, 0x89109929301);
343 | 
344 |         status = ZwQuerySystemInformation(SystemModuleInformation, modules, info, &info);
345 | 
346 |         if (!NT_SUCCESS(status)) {
347 |             return moduleBase;
348 |         }
349 | 
350 |         PRTL_PROCESS_MODULE_INFORMATION module = modules->Modules;
351 | 
352 | 
353 |         if (modules->NumberOfModules > 0) {
354 | 
355 |             if (!moduleName) {
356 |                 moduleBase = modules->Modules[0].ImageBase;
357 |             }
358 |             else {
359 | 
360 |                 for (auto i = 0; i < modules->NumberOfModules; i++) {
361 |                     printf("module[i].FullPathName: %s", module[i].FullPathName);
362 |                     if (!strcmp((CHAR*)module[i].FullPathName, moduleName)) {
363 |                         moduleBase = module[i].ImageBase;
364 |                     }
365 |                 }
366 |             }
367 |         }
368 | 
369 |         if (modules) {
370 |             ExFreePoolWithTag(modules, 0x89109929301);
371 |         }
372 | 
373 |         return moduleBase;
374 |     }
375 | 
376 | }


--------------------------------------------------------------------------------
/Driver/structs.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include "stdafx.h"
  3 | 
  4 | typedef enum _SYSTEM_INFORMATION_CLASS
  5 | {
  6 | 	SystemInformationClassMin = 0,
  7 | 	SystemBasicInformation = 0,
  8 | 	SystemProcessorInformation = 1,
  9 | 	SystemPerformanceInformation = 2,
 10 | 	SystemTimeOfDayInformation = 3,
 11 | 	SystemPathInformation = 4,
 12 | 	SystemNotImplemented1 = 4,
 13 | 	SystemProcessInformation = 5,
 14 | 	SystemProcessesAndThreadsInformation = 5,
 15 | 	SystemCallCountInfoInformation = 6,
 16 | 	SystemCallCounts = 6,
 17 | 	SystemDeviceInformation = 7,
 18 | 	SystemConfigurationInformation = 7,
 19 | 	SystemProcessorPerformanceInformation = 8,
 20 | 	SystemProcessorTimes = 8,
 21 | 	SystemFlagsInformation = 9,
 22 | 	SystemGlobalFlag = 9,
 23 | 	SystemCallTimeInformation = 10,
 24 | 	SystemNotImplemented2 = 10,
 25 | 	SystemModuleInformation = 11,
 26 | 	SystemLocksInformation = 12,
 27 | 	SystemLockInformation = 12,
 28 | 	SystemStackTraceInformation = 13,
 29 | 	SystemNotImplemented3 = 13,
 30 | 	SystemPagedPoolInformation = 14,
 31 | 	SystemNotImplemented4 = 14,
 32 | 	SystemNonPagedPoolInformation = 15,
 33 | 	SystemNotImplemented5 = 15,
 34 | 	SystemHandleInformation = 16,
 35 | 	SystemObjectInformation = 17,
 36 | 	SystemPageFileInformation = 18,
 37 | 	SystemPagefileInformation = 18,
 38 | 	SystemVdmInstemulInformation = 19,
 39 | 	SystemInstructionEmulationCounts = 19,
 40 | 	SystemVdmBopInformation = 20,
 41 | 	SystemInvalidInfoClass1 = 20,
 42 | 	SystemFileCacheInformation = 21,
 43 | 	SystemCacheInformation = 21,
 44 | 	SystemPoolTagInformation = 22,
 45 | 	SystemInterruptInformation = 23,
 46 | 	SystemProcessorStatistics = 23,
 47 | 	SystemDpcBehaviourInformation = 24,
 48 | 	SystemDpcInformation = 24,
 49 | 	SystemFullMemoryInformation = 25,
 50 | 	SystemNotImplemented6 = 25,
 51 | 	SystemLoadImage = 26,
 52 | 	SystemUnloadImage = 27,
 53 | 	SystemTimeAdjustmentInformation = 28,
 54 | 	SystemTimeAdjustment = 28,
 55 | 	SystemSummaryMemoryInformation = 29,
 56 | 	SystemNotImplemented7 = 29,
 57 | 	SystemNextEventIdInformation = 30,
 58 | 	SystemNotImplemented8 = 30,
 59 | 	SystemEventIdsInformation = 31,
 60 | 	SystemNotImplemented9 = 31,
 61 | 	SystemCrashDumpInformation = 32,
 62 | 	SystemExceptionInformation = 33,
 63 | 	SystemCrashDumpStateInformation = 34,
 64 | 	SystemKernelDebuggerInformation = 35,
 65 | 	SystemContextSwitchInformation = 36,
 66 | 	SystemRegistryQuotaInformation = 37,
 67 | 	SystemLoadAndCallImage = 38,
 68 | 	SystemPrioritySeparation = 39,
 69 | 	SystemPlugPlayBusInformation = 40,
 70 | 	SystemNotImplemented10 = 40,
 71 | 	SystemDockInformation = 41,
 72 | 	SystemNotImplemented11 = 41,
 73 | 	SystemInvalidInfoClass2 = 42,
 74 | 	SystemProcessorSpeedInformation = 43,
 75 | 	SystemInvalidInfoClass3 = 43,
 76 | 	SystemCurrentTimeZoneInformation = 44,
 77 | 	SystemTimeZoneInformation = 44,
 78 | 	SystemLookasideInformation = 45,
 79 | 	SystemSetTimeSlipEvent = 46,
 80 | 	SystemCreateSession = 47,
 81 | 	SystemDeleteSession = 48,
 82 | 	SystemInvalidInfoClass4 = 49,
 83 | 	SystemRangeStartInformation = 50,
 84 | 	SystemVerifierInformation = 51,
 85 | 	SystemAddVerifier = 52,
 86 | 	SystemSessionProcessesInformation = 53,
 87 | 	SystemInformationClassMax
 88 | } SYSTEM_INFORMATION_CLASS;
 89 | 
 90 | typedef struct _RTL_PROCESS_MODULE_INFORMATION
 91 | {
 92 | 	HANDLE Section;
 93 | 	PVOID MappedBase;
 94 | 	PVOID ImageBase;
 95 | 	ULONG ImageSize;
 96 | 	ULONG Flags;
 97 | 	USHORT LoadOrderIndex;
 98 | 	USHORT InitOrderIndex;
 99 | 	USHORT LoadCount;
100 | 	USHORT OffsetToFileName;
101 | 	UCHAR  FullPathName[256];
102 | 
103 | } RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
104 | 
105 | typedef struct _RTL_PROCESS_MODULES
106 | {
107 | 	ULONG NumberOfModules;
108 | 	RTL_PROCESS_MODULE_INFORMATION Modules[1];
109 | 
110 | } RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
111 | 
112 | //0x7c8 bytes (sizeof)
113 | struct _PEB
114 | {
115 |     UCHAR InheritedAddressSpace;                                            //0x0
116 |     UCHAR ReadImageFileExecOptions;                                         //0x1
117 |     UCHAR BeingDebugged;                                                    //0x2
118 |     union
119 |     {
120 |         UCHAR BitField;                                                     //0x3
121 |         struct
122 |         {
123 |             UCHAR ImageUsesLargePages : 1;                                    //0x3
124 |             UCHAR IsProtectedProcess : 1;                                     //0x3
125 |             UCHAR IsImageDynamicallyRelocated : 1;                            //0x3
126 |             UCHAR SkipPatchingUser32Forwarders : 1;                           //0x3
127 |             UCHAR IsPackagedProcess : 1;                                      //0x3
128 |             UCHAR IsAppContainer : 1;                                         //0x3
129 |             UCHAR IsProtectedProcessLight : 1;                                //0x3
130 |             UCHAR IsLongPathAwareProcess : 1;                                 //0x3
131 |         };
132 |     };
133 |     UCHAR Padding0[4];                                                      //0x4
134 |     VOID* Mutant;                                                           //0x8
135 |     VOID* ImageBaseAddress;                                                 //0x10
136 |     struct _PEB_LDR_DATA* Ldr;                                              //0x18
137 |     struct _RTL_USER_PROCESS_PARAMETERS* ProcessParameters;                 //0x20
138 |     VOID* SubSystemData;                                                    //0x28
139 |     VOID* ProcessHeap;                                                      //0x30
140 |     struct _RTL_CRITICAL_SECTION* FastPebLock;                              //0x38
141 |     union _SLIST_HEADER* volatile AtlThunkSListPtr;                         //0x40
142 |     VOID* IFEOKey;                                                          //0x48
143 |     union
144 |     {
145 |         ULONG CrossProcessFlags;                                            //0x50
146 |         struct
147 |         {
148 |             ULONG ProcessInJob : 1;                                           //0x50
149 |             ULONG ProcessInitializing : 1;                                    //0x50
150 |             ULONG ProcessUsingVEH : 1;                                        //0x50
151 |             ULONG ProcessUsingVCH : 1;                                        //0x50
152 |             ULONG ProcessUsingFTH : 1;                                        //0x50
153 |             ULONG ProcessPreviouslyThrottled : 1;                             //0x50
154 |             ULONG ProcessCurrentlyThrottled : 1;                              //0x50
155 |             ULONG ProcessImagesHotPatched : 1;                                //0x50
156 |             ULONG ReservedBits0 : 24;                                         //0x50
157 |         };
158 |     };
159 |     UCHAR Padding1[4];                                                      //0x54
160 |     union
161 |     {
162 |         VOID* KernelCallbackTable;                                          //0x58
163 |         VOID* UserSharedInfoPtr;                                            //0x58
164 |     };
165 |     ULONG SystemReserved;                                                   //0x60
166 |     ULONG AtlThunkSListPtr32;                                               //0x64
167 |     VOID* ApiSetMap;                                                        //0x68
168 |     ULONG TlsExpansionCounter;                                              //0x70
169 |     UCHAR Padding2[4];                                                      //0x74
170 |     VOID* TlsBitmap;                                                        //0x78
171 |     ULONG TlsBitmapBits[2];                                                 //0x80
172 |     VOID* ReadOnlySharedMemoryBase;                                         //0x88
173 |     VOID* SharedData;                                                       //0x90
174 |     VOID** ReadOnlyStaticServerData;                                        //0x98
175 |     VOID* AnsiCodePageData;                                                 //0xa0
176 |     VOID* OemCodePageData;                                                  //0xa8
177 |     VOID* UnicodeCaseTableData;                                             //0xb0
178 |     ULONG NumberOfProcessors;                                               //0xb8
179 |     ULONG NtGlobalFlag;                                                     //0xbc
180 |     union _LARGE_INTEGER CriticalSectionTimeout;                            //0xc0
181 |     ULONGLONG HeapSegmentReserve;                                           //0xc8
182 |     ULONGLONG HeapSegmentCommit;                                            //0xd0
183 |     ULONGLONG HeapDeCommitTotalFreeThreshold;                               //0xd8
184 |     ULONGLONG HeapDeCommitFreeBlockThreshold;                               //0xe0
185 |     ULONG NumberOfHeaps;                                                    //0xe8
186 |     ULONG MaximumNumberOfHeaps;                                             //0xec
187 |     VOID** ProcessHeaps;                                                    //0xf0
188 |     VOID* GdiSharedHandleTable;                                             //0xf8
189 |     VOID* ProcessStarterHelper;                                             //0x100
190 |     ULONG GdiDCAttributeList;                                               //0x108
191 |     UCHAR Padding3[4];                                                      //0x10c
192 |     struct _RTL_CRITICAL_SECTION* LoaderLock;                               //0x110
193 |     ULONG OSMajorVersion;                                                   //0x118
194 |     ULONG OSMinorVersion;                                                   //0x11c
195 |     USHORT OSBuildNumber;                                                   //0x120
196 |     USHORT OSCSDVersion;                                                    //0x122
197 |     ULONG OSPlatformId;                                                     //0x124
198 |     ULONG ImageSubsystem;                                                   //0x128
199 |     ULONG ImageSubsystemMajorVersion;                                       //0x12c
200 |     ULONG ImageSubsystemMinorVersion;                                       //0x130
201 |     UCHAR Padding4[4];                                                      //0x134
202 |     ULONGLONG ActiveProcessAffinityMask;                                    //0x138
203 |     ULONG GdiHandleBuffer[60];                                              //0x140
204 |     VOID(*PostProcessInitRoutine)();                                       //0x230
205 |     VOID* TlsExpansionBitmap;                                               //0x238
206 |     ULONG TlsExpansionBitmapBits[32];                                       //0x240
207 |     ULONG SessionId;                                                        //0x2c0
208 |     UCHAR Padding5[4];                                                      //0x2c4
209 |     union _ULARGE_INTEGER AppCompatFlags;                                   //0x2c8
210 |     union _ULARGE_INTEGER AppCompatFlagsUser;                               //0x2d0
211 |     VOID* pShimData;                                                        //0x2d8
212 |     VOID* AppCompatInfo;                                                    //0x2e0
213 |     struct _UNICODE_STRING CSDVersion;                                      //0x2e8
214 |     struct _ACTIVATION_CONTEXT_DATA* ActivationContextData;                 //0x2f8
215 |     struct _ASSEMBLY_STORAGE_MAP* ProcessAssemblyStorageMap;                //0x300
216 |     struct _ACTIVATION_CONTEXT_DATA* SystemDefaultActivationContextData;    //0x308
217 |     struct _ASSEMBLY_STORAGE_MAP* SystemAssemblyStorageMap;                 //0x310
218 |     ULONGLONG MinimumStackCommit;                                           //0x318
219 |     VOID* SparePointers[4];                                                 //0x320
220 |     ULONG SpareUlongs[5];                                                   //0x340
221 |     VOID* WerRegistrationData;                                              //0x358
222 |     VOID* WerShipAssertPtr;                                                 //0x360
223 |     VOID* pUnused;                                                          //0x368
224 |     VOID* pImageHeaderHash;                                                 //0x370
225 |     union
226 |     {
227 |         ULONG TracingFlags;                                                 //0x378
228 |         struct
229 |         {
230 |             ULONG HeapTracingEnabled : 1;                                     //0x378
231 |             ULONG CritSecTracingEnabled : 1;                                  //0x378
232 |             ULONG LibLoaderTracingEnabled : 1;                                //0x378
233 |             ULONG SpareTracingBits : 29;                                      //0x378
234 |         };
235 |     };
236 |     UCHAR Padding6[4];                                                      //0x37c
237 |     ULONGLONG CsrServerReadOnlySharedMemoryBase;                            //0x380
238 |     ULONGLONG TppWorkerpListLock;                                           //0x388
239 |     struct _LIST_ENTRY TppWorkerpList;                                      //0x390
240 |     VOID* WaitOnAddressHashTable[128];                                      //0x3a0
241 |     VOID* TelemetryCoverageHeader;                                          //0x7a0
242 |     ULONG CloudFileFlags;                                                   //0x7a8
243 |     ULONG CloudFileDiagFlags;                                               //0x7ac
244 |     CHAR PlaceholderCompatibilityMode;                                      //0x7b0
245 |     CHAR PlaceholderCompatibilityModeReserved[7];                           //0x7b1
246 |     struct _LEAP_SECOND_DATA* LeapSecondData;                               //0x7b8
247 |     union
248 |     {
249 |         ULONG LeapSecondFlags;                                              //0x7c0
250 |         struct
251 |         {
252 |             ULONG SixtySecondEnabled : 1;                                     //0x7c0
253 |             ULONG Reserved : 31;                                              //0x7c0
254 |         };
255 |     };
256 |     ULONG NtGlobalFlag2;                                                    //0x7c4
257 | };
258 | 
259 | 
260 | //0x58 bytes (sizeof)
261 | typedef struct _PEB_LDR_DATA
262 | {
263 |     ULONG Length;                                                           //0x0
264 |     UCHAR Initialized;                                                      //0x4
265 |     VOID* SsHandle;                                                         //0x8
266 |     struct _LIST_ENTRY InLoadOrderModuleList;                               //0x10
267 |     struct _LIST_ENTRY InMemoryOrderModuleList;                             //0x20
268 |     struct _LIST_ENTRY InInitializationOrderModuleList;                     //0x30
269 |     VOID* EntryInProgress;                                                  //0x40
270 |     UCHAR ShutdownInProgress;                                               //0x48
271 |     VOID* ShutdownThreadId;                                                 //0x50
272 | } _PEB_LDR_DATA, * PPEB_LDR_DATA;
273 | 
274 | //0x120 bytes (sizeof)
275 | typedef struct _LDR_DATA_TABLE_ENTRY
276 | {
277 |     struct _LIST_ENTRY InLoadOrderLinks;                                    //0x0
278 |     struct _LIST_ENTRY InMemoryOrderLinks;                                  //0x10
279 |     struct _LIST_ENTRY InInitializationOrderLinks;                          //0x20
280 |     VOID* DllBase;                                                          //0x30
281 |     VOID* EntryPoint;                                                       //0x38
282 |     ULONG SizeOfImage;                                                      //0x40
283 |     struct _UNICODE_STRING FullDllName;                                     //0x48
284 |     struct _UNICODE_STRING BaseDllName;                                     //0x58
285 |     union
286 |     {
287 |         UCHAR FlagGroup[4];                                                 //0x68
288 |         ULONG Flags;                                                        //0x68
289 |         struct
290 |         {
291 |             ULONG PackagedBinary : 1;                                         //0x68
292 |             ULONG MarkedForRemoval : 1;                                       //0x68
293 |             ULONG ImageDll : 1;                                               //0x68
294 |             ULONG LoadNotificationsSent : 1;                                  //0x68
295 |             ULONG TelemetryEntryProcessed : 1;                                //0x68
296 |             ULONG ProcessStaticImport : 1;                                    //0x68
297 |             ULONG InLegacyLists : 1;                                          //0x68
298 |             ULONG InIndexes : 1;                                              //0x68
299 |             ULONG ShimDll : 1;                                                //0x68
300 |             ULONG InExceptionTable : 1;                                       //0x68
301 |             ULONG ReservedFlags1 : 2;                                         //0x68
302 |             ULONG LoadInProgress : 1;                                         //0x68
303 |             ULONG LoadConfigProcessed : 1;                                    //0x68
304 |             ULONG EntryProcessed : 1;                                         //0x68
305 |             ULONG ProtectDelayLoad : 1;                                       //0x68
306 |             ULONG ReservedFlags3 : 2;                                         //0x68
307 |             ULONG DontCallForThreads : 1;                                     //0x68
308 |             ULONG ProcessAttachCalled : 1;                                    //0x68
309 |             ULONG ProcessAttachFailed : 1;                                    //0x68
310 |             ULONG CorDeferredValidate : 1;                                    //0x68
311 |             ULONG CorImage : 1;                                               //0x68
312 |             ULONG DontRelocate : 1;                                           //0x68
313 |             ULONG CorILOnly : 1;                                              //0x68
314 |             ULONG ChpeImage : 1;                                              //0x68
315 |             ULONG ReservedFlags5 : 2;                                         //0x68
316 |             ULONG Redirected : 1;                                             //0x68
317 |             ULONG ReservedFlags6 : 2;                                         //0x68
318 |             ULONG CompatDatabaseProcessed : 1;                                //0x68
319 |         };
320 |     };
321 |     USHORT ObsoleteLoadCount;                                               //0x6c
322 |     USHORT TlsIndex;                                                        //0x6e
323 |     struct _LIST_ENTRY HashLinks;                                           //0x70
324 |     ULONG TimeDateStamp;                                                    //0x80
325 |     struct _ACTIVATION_CONTEXT* EntryPointActivationContext;                //0x88
326 |     VOID* Lock;                                                             //0x90
327 |     struct _LDR_DDAG_NODE* DdagNode;                                        //0x98
328 |     struct _LIST_ENTRY NodeModuleLink;                                      //0xa0
329 |     struct _LDRP_LOAD_CONTEXT* LoadContext;                                 //0xb0
330 |     VOID* ParentDllBase;                                                    //0xb8
331 |     VOID* SwitchBackContext;                                                //0xc0
332 |     struct _RTL_BALANCED_NODE BaseAddressIndexNode;                         //0xc8
333 |     struct _RTL_BALANCED_NODE MappingInfoIndexNode;                         //0xe0
334 |     ULONGLONG OriginalBase;                                                 //0xf8
335 |     union _LARGE_INTEGER LoadTime;                                          //0x100
336 |     ULONG BaseNameHashValue;                                                //0x108
337 |     enum _LDR_DLL_LOAD_REASON LoadReason;                                   //0x10c
338 |     ULONG ImplicitPathOptions;                                              //0x110
339 |     ULONG ReferenceCount;                                                   //0x114
340 |     ULONG DependentLoadFlags;                                               //0x118
341 |     UCHAR SigningLevel;                                                     //0x11c
342 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
343 | 
344 | 
345 | //0x18 bytes (sizeof)
346 | typedef struct _POOL_TRACKER_BIG_PAGES
347 | {
348 |     volatile ULONGLONG Va;                                                  //0x0
349 |     ULONG Key;                                                              //0x8
350 |     ULONG Pattern : 8;                                                        //0xc
351 |     ULONG PoolType : 12;                                                      //0xc
352 |     ULONG SlushSize : 12;                                                     //0xc
353 |     ULONGLONG NumberOfBytes;                                                //0x10
354 | }POOL_TRACKER_BIG_PAGES, * PPOOL_TRACKER_BIG_PAGES;
355 | 
356 | //0x7c8 bytes (sizeof)
357 | typedef struct _PEB64
358 | {
359 |     UCHAR InheritedAddressSpace;                                            //0x0
360 |     UCHAR ReadImageFileExecOptions;                                         //0x1
361 |     UCHAR BeingDebugged;                                                    //0x2
362 |     union
363 |     {
364 |         UCHAR BitField;                                                     //0x3
365 |         struct
366 |         {
367 |             UCHAR ImageUsesLargePages : 1;                                    //0x3
368 |             UCHAR IsProtectedProcess : 1;                                     //0x3
369 |             UCHAR IsImageDynamicallyRelocated : 1;                            //0x3
370 |             UCHAR SkipPatchingUser32Forwarders : 1;                           //0x3
371 |             UCHAR IsPackagedProcess : 1;                                      //0x3
372 |             UCHAR IsAppContainer : 1;                                         //0x3
373 |             UCHAR IsProtectedProcessLight : 1;                                //0x3
374 |             UCHAR IsLongPathAwareProcess : 1;                                 //0x3
375 |         };
376 |     };
377 |     UCHAR Padding0[4];                                                      //0x4
378 |     ULONGLONG Mutant;                                                       //0x8
379 |     ULONGLONG ImageBaseAddress;                                             //0x10
380 |     ULONGLONG Ldr;                                                          //0x18
381 |     ULONGLONG ProcessParameters;                                            //0x20
382 |     ULONGLONG SubSystemData;                                                //0x28
383 |     ULONGLONG ProcessHeap;                                                  //0x30
384 |     ULONGLONG FastPebLock;                                                  //0x38
385 |     ULONGLONG AtlThunkSListPtr;                                             //0x40
386 |     ULONGLONG IFEOKey;                                                      //0x48
387 |     union
388 |     {
389 |         ULONG CrossProcessFlags;                                            //0x50
390 |         struct
391 |         {
392 |             ULONG ProcessInJob : 1;                                           //0x50
393 |             ULONG ProcessInitializing : 1;                                    //0x50
394 |             ULONG ProcessUsingVEH : 1;                                        //0x50
395 |             ULONG ProcessUsingVCH : 1;                                        //0x50
396 |             ULONG ProcessUsingFTH : 1;                                        //0x50
397 |             ULONG ProcessPreviouslyThrottled : 1;                             //0x50
398 |             ULONG ProcessCurrentlyThrottled : 1;                              //0x50
399 |             ULONG ProcessImagesHotPatched : 1;                                //0x50
400 |             ULONG ReservedBits0 : 24;                                         //0x50
401 |         };
402 |     };
403 |     UCHAR Padding1[4];                                                      //0x54
404 |     union
405 |     {
406 |         ULONGLONG KernelCallbackTable;                                      //0x58
407 |         ULONGLONG UserSharedInfoPtr;                                        //0x58
408 |     };
409 |     ULONG SystemReserved;                                                   //0x60
410 |     ULONG AtlThunkSListPtr32;                                               //0x64
411 |     ULONGLONG ApiSetMap;                                                    //0x68
412 |     ULONG TlsExpansionCounter;                                              //0x70
413 |     UCHAR Padding2[4];                                                      //0x74
414 |     ULONGLONG TlsBitmap;                                                    //0x78
415 |     ULONG TlsBitmapBits[2];                                                 //0x80
416 |     ULONGLONG ReadOnlySharedMemoryBase;                                     //0x88
417 |     ULONGLONG SharedData;                                                   //0x90
418 |     ULONGLONG ReadOnlyStaticServerData;                                     //0x98
419 |     ULONGLONG AnsiCodePageData;                                             //0xa0
420 |     ULONGLONG OemCodePageData;                                              //0xa8
421 |     ULONGLONG UnicodeCaseTableData;                                         //0xb0
422 |     ULONG NumberOfProcessors;                                               //0xb8
423 |     ULONG NtGlobalFlag;                                                     //0xbc
424 |     union _LARGE_INTEGER CriticalSectionTimeout;                            //0xc0
425 |     ULONGLONG HeapSegmentReserve;                                           //0xc8
426 |     ULONGLONG HeapSegmentCommit;                                            //0xd0
427 |     ULONGLONG HeapDeCommitTotalFreeThreshold;                               //0xd8
428 |     ULONGLONG HeapDeCommitFreeBlockThreshold;                               //0xe0
429 |     ULONG NumberOfHeaps;                                                    //0xe8
430 |     ULONG MaximumNumberOfHeaps;                                             //0xec
431 |     ULONGLONG ProcessHeaps;                                                 //0xf0
432 |     ULONGLONG GdiSharedHandleTable;                                         //0xf8
433 |     ULONGLONG ProcessStarterHelper;                                         //0x100
434 |     ULONG GdiDCAttributeList;                                               //0x108
435 |     UCHAR Padding3[4];                                                      //0x10c
436 |     ULONGLONG LoaderLock;                                                   //0x110
437 |     ULONG OSMajorVersion;                                                   //0x118
438 |     ULONG OSMinorVersion;                                                   //0x11c
439 |     USHORT OSBuildNumber;                                                   //0x120
440 |     USHORT OSCSDVersion;                                                    //0x122
441 |     ULONG OSPlatformId;                                                     //0x124
442 |     ULONG ImageSubsystem;                                                   //0x128
443 |     ULONG ImageSubsystemMajorVersion;                                       //0x12c
444 |     ULONG ImageSubsystemMinorVersion;                                       //0x130
445 |     UCHAR Padding4[4];                                                      //0x134
446 |     ULONGLONG ActiveProcessAffinityMask;                                    //0x138
447 |     ULONG GdiHandleBuffer[60];                                              //0x140
448 |     ULONGLONG PostProcessInitRoutine;                                       //0x230
449 |     ULONGLONG TlsExpansionBitmap;                                           //0x238
450 |     ULONG TlsExpansionBitmapBits[32];                                       //0x240
451 |     ULONG SessionId;                                                        //0x2c0
452 |     UCHAR Padding5[4];                                                      //0x2c4
453 |     union _ULARGE_INTEGER AppCompatFlags;                                   //0x2c8
454 |     union _ULARGE_INTEGER AppCompatFlagsUser;                               //0x2d0
455 |     ULONGLONG pShimData;                                                    //0x2d8
456 |     ULONGLONG AppCompatInfo;                                                //0x2e0
457 |     struct _STRING64 CSDVersion;                                            //0x2e8
458 |     ULONGLONG ActivationContextData;                                        //0x2f8
459 |     ULONGLONG ProcessAssemblyStorageMap;                                    //0x300
460 |     ULONGLONG SystemDefaultActivationContextData;                           //0x308
461 |     ULONGLONG SystemAssemblyStorageMap;                                     //0x310
462 |     ULONGLONG MinimumStackCommit;                                           //0x318
463 |     ULONGLONG SparePointers[4];                                             //0x320
464 |     ULONG SpareUlongs[5];                                                   //0x340
465 |     ULONGLONG WerRegistrationData;                                          //0x358
466 |     ULONGLONG WerShipAssertPtr;                                             //0x360
467 |     ULONGLONG pUnused;                                                      //0x368
468 |     ULONGLONG pImageHeaderHash;                                             //0x370
469 |     union
470 |     {
471 |         ULONG TracingFlags;                                                 //0x378
472 |         struct
473 |         {
474 |             ULONG HeapTracingEnabled : 1;                                     //0x378
475 |             ULONG CritSecTracingEnabled : 1;                                  //0x378
476 |             ULONG LibLoaderTracingEnabled : 1;                                //0x378
477 |             ULONG SpareTracingBits : 29;                                      //0x378
478 |         };
479 |     };
480 |     UCHAR Padding6[4];                                                      //0x37c
481 |     ULONGLONG CsrServerReadOnlySharedMemoryBase;                            //0x380
482 |     ULONGLONG TppWorkerpListLock;                                           //0x388
483 |     struct LIST_ENTRY64 TppWorkerpList;                                     //0x390
484 |     ULONGLONG WaitOnAddressHashTable[128];                                  //0x3a0
485 |     ULONGLONG TelemetryCoverageHeader;                                      //0x7a0
486 |     ULONG CloudFileFlags;                                                   //0x7a8
487 |     ULONG CloudFileDiagFlags;                                               //0x7ac
488 |     CHAR PlaceholderCompatibilityMode;                                      //0x7b0
489 |     CHAR PlaceholderCompatibilityModeReserved[7];                           //0x7b1
490 |     ULONGLONG LeapSecondData;                                               //0x7b8
491 |     union
492 |     {
493 |         ULONG LeapSecondFlags;                                              //0x7c0
494 |         struct
495 |         {
496 |             ULONG SixtySecondEnabled : 1;                                     //0x7c0
497 |             ULONG Reserved : 31;                                              //0x7c0
498 |         };
499 |     };
500 |     ULONG NtGlobalFlag2;                                                    //0x7c4
501 | }PEB64, *PPEB64;


--------------------------------------------------------------------------------