├── .gitattributes
├── .gitignore
├── README.md
├── TraceCleaner.sln
└── TraceCleaner
    ├── Main.cpp
    ├── ReadMe.txt
    ├── TraceCleaner.inf
    ├── TraceCleaner.vcxproj
    ├── TraceCleaner.vcxproj.douglas2.nvuser
    ├── TraceCleaner.vcxproj.filters
    ├── clean.hpp
    └── struct.h


/.gitattributes:
--------------------------------------------------------------------------------
 1 | ###############################################################################
 2 | # Set default behavior to automatically normalize line endings.
 3 | ###############################################################################
 4 | * text=auto
 5 | 
 6 | ###############################################################################
 7 | # Set default behavior for command prompt diff.
 8 | #
 9 | # This is need for earlier builds of msysgit that does not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs     diff=csharp
14 | 
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following 
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln       merge=binary
26 | #*.csproj    merge=binary
27 | #*.vbproj    merge=binary
28 | #*.vcxproj   merge=binary
29 | #*.vcproj    merge=binary
30 | #*.dbproj    merge=binary
31 | #*.fsproj    merge=binary
32 | #*.lsproj    merge=binary
33 | #*.wixproj   merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj   merge=binary
36 | #*.wwaproj   merge=binary
37 | 
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg   binary
44 | #*.png   binary
45 | #*.gif   binary
46 | 
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | # 
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the 
52 | # entries below.
53 | ###############################################################################
54 | #*.doc   diff=astextplain
55 | #*.DOC   diff=astextplain
56 | #*.docx  diff=astextplain
57 | #*.DOCX  diff=astextplain
58 | #*.dot   diff=astextplain
59 | #*.DOT   diff=astextplain
60 | #*.pdf   diff=astextplain
61 | #*.PDF   diff=astextplain
62 | #*.rtf   diff=astextplain
63 | #*.RTF   diff=astextplain
64 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | 
  4 | # User-specific files
  5 | *.suo
  6 | *.user
  7 | *.userosscache
  8 | *.sln.docstates
  9 | 
 10 | # User-specific files (MonoDevelop/Xamarin Studio)
 11 | *.userprefs
 12 | 
 13 | # Build results
 14 | [Dd]ebug/
 15 | [Dd]ebugPublic/
 16 | [Rr]elease/
 17 | [Rr]eleases/
 18 | x64/
 19 | x86/
 20 | bld/
 21 | [Bb]in/
 22 | [Oo]bj/
 23 | [Ll]og/
 24 | 
 25 | # Visual Studio 2015 cache/options directory
 26 | .vs/
 27 | # Uncomment if you have tasks that create the project's static files in wwwroot
 28 | #wwwroot/
 29 | 
 30 | # MSTest test Results
 31 | [Tt]est[Rr]esult*/
 32 | [Bb]uild[Ll]og.*
 33 | 
 34 | # NUNIT
 35 | *.VisualState.xml
 36 | TestResult.xml
 37 | 
 38 | # Build Results of an ATL Project
 39 | [Dd]ebugPS/
 40 | [Rr]eleasePS/
 41 | dlldata.c
 42 | 
 43 | # DNX
 44 | project.lock.json
 45 | project.fragment.lock.json
 46 | artifacts/
 47 | 
 48 | *_i.c
 49 | *_p.c
 50 | *_i.h
 51 | *.ilk
 52 | *.meta
 53 | *.obj
 54 | *.pch
 55 | *.pdb
 56 | *.pgc
 57 | *.pgd
 58 | *.rsp
 59 | *.sbr
 60 | *.tlb
 61 | *.tli
 62 | *.tlh
 63 | *.tmp
 64 | *.tmp_proj
 65 | *.log
 66 | *.vspscc
 67 | *.vssscc
 68 | .builds
 69 | *.pidb
 70 | *.svclog
 71 | *.scc
 72 | 
 73 | # Chutzpah Test files
 74 | _Chutzpah*
 75 | 
 76 | # Visual C++ cache files
 77 | ipch/
 78 | *.aps
 79 | *.ncb
 80 | *.opendb
 81 | *.opensdf
 82 | *.sdf
 83 | *.cachefile
 84 | *.VC.db
 85 | *.VC.VC.opendb
 86 | 
 87 | # Visual Studio profiler
 88 | *.psess
 89 | *.vsp
 90 | *.vspx
 91 | *.sap
 92 | 
 93 | # TFS 2012 Local Workspace
 94 | $tf/
 95 | 
 96 | # Guidance Automation Toolkit
 97 | *.gpState
 98 | 
 99 | # ReSharper is a .NET coding add-in
100 | _ReSharper*/
101 | *.[Rr]e[Ss]harper
102 | *.DotSettings.user
103 | 
104 | # JustCode is a .NET coding add-in
105 | .JustCode
106 | 
107 | # TeamCity is a build add-in
108 | _TeamCity*
109 | 
110 | # DotCover is a Code Coverage Tool
111 | *.dotCover
112 | 
113 | # NCrunch
114 | _NCrunch_*
115 | .*crunch*.local.xml
116 | nCrunchTemp_*
117 | 
118 | # MightyMoose
119 | *.mm.*
120 | AutoTest.Net/
121 | 
122 | # Web workbench (sass)
123 | .sass-cache/
124 | 
125 | # Installshield output folder
126 | [Ee]xpress/
127 | 
128 | # DocProject is a documentation generator add-in
129 | DocProject/buildhelp/
130 | DocProject/Help/*.HxT
131 | DocProject/Help/*.HxC
132 | DocProject/Help/*.hhc
133 | DocProject/Help/*.hhk
134 | DocProject/Help/*.hhp
135 | DocProject/Help/Html2
136 | DocProject/Help/html
137 | 
138 | # Click-Once directory
139 | publish/
140 | 
141 | # Publish Web Output
142 | *.[Pp]ublish.xml
143 | *.azurePubxml
144 | # TODO: Comment the next line if you want to checkin your web deploy settings
145 | # but database connection strings (with potential passwords) will be unencrypted
146 | #*.pubxml
147 | *.publishproj
148 | 
149 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
150 | # checkin your Azure Web App publish settings, but sensitive information contained
151 | # in these scripts will be unencrypted
152 | PublishScripts/
153 | 
154 | # NuGet Packages
155 | *.nupkg
156 | # The packages folder can be ignored because of Package Restore
157 | **/packages/*
158 | # except build/, which is used as an MSBuild target.
159 | !**/packages/build/
160 | # Uncomment if necessary however generally it will be regenerated when needed
161 | #!**/packages/repositories.config
162 | # NuGet v3's project.json files produces more ignoreable files
163 | *.nuget.props
164 | *.nuget.targets
165 | 
166 | # Microsoft Azure Build Output
167 | csx/
168 | *.build.csdef
169 | 
170 | # Microsoft Azure Emulator
171 | ecf/
172 | rcf/
173 | 
174 | # Windows Store app package directories and files
175 | AppPackages/
176 | BundleArtifacts/
177 | Package.StoreAssociation.xml
178 | _pkginfo.txt
179 | 
180 | # Visual Studio cache files
181 | # files ending in .cache can be ignored
182 | *.[Cc]ache
183 | # but keep track of directories ending in .cache
184 | !*.[Cc]ache/
185 | 
186 | # Others
187 | ClientBin/
188 | ~$*
189 | *~
190 | *.dbmdl
191 | *.dbproj.schemaview
192 | *.jfm
193 | *.pfx
194 | *.publishsettings
195 | node_modules/
196 | orleans.codegen.cs
197 | 
198 | # Since there are multiple workflows, uncomment next line to ignore bower_components
199 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
200 | #bower_components/
201 | 
202 | # RIA/Silverlight projects
203 | Generated_Code/
204 | 
205 | # Backup & report files from converting an old project file
206 | # to a newer Visual Studio version. Backup files are not needed,
207 | # because we have git ;-)
208 | _UpgradeReport_Files/
209 | Backup*/
210 | UpgradeLog*.XML
211 | UpgradeLog*.htm
212 | 
213 | # SQL Server files
214 | *.mdf
215 | *.ldf
216 | 
217 | # Business Intelligence projects
218 | *.rdl.data
219 | *.bim.layout
220 | *.bim_*.settings
221 | 
222 | # Microsoft Fakes
223 | FakesAssemblies/
224 | 
225 | # GhostDoc plugin setting file
226 | *.GhostDoc.xml
227 | 
228 | # Node.js Tools for Visual Studio
229 | .ntvs_analysis.dat
230 | 
231 | # Visual Studio 6 build log
232 | *.plg
233 | 
234 | # Visual Studio 6 workspace options file
235 | *.opt
236 | 
237 | # Visual Studio LightSwitch build output
238 | **/*.HTMLClient/GeneratedArtifacts
239 | **/*.DesktopClient/GeneratedArtifacts
240 | **/*.DesktopClient/ModelManifest.xml
241 | **/*.Server/GeneratedArtifacts
242 | **/*.Server/ModelManifest.xml
243 | _Pvt_Extensions
244 | 
245 | # Paket dependency manager
246 | .paket/paket.exe
247 | paket-files/
248 | 
249 | # FAKE - F# Make
250 | .fake/
251 | 
252 | # JetBrains Rider
253 | .idea/
254 | *.sln.iml
255 | 
256 | # CodeRush
257 | .cr/
258 | 
259 | # Python Tools for Visual Studio (PTVS)
260 | __pycache__/
261 | *.pyc


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # TraceCleaner
2 | This is a very simple example of cleaning MmUnloadedDrivers and PiDDBCacheTable.
3 | 
4 | Launch this with a driver manual mapper
5 | 


--------------------------------------------------------------------------------
/TraceCleaner.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 15
 4 | VisualStudioVersion = 15.0.28307.757
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TraceCleaner", "TraceCleaner\TraceCleaner.vcxproj", "{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|ARM = Debug|ARM
11 | 		Debug|ARM64 = Debug|ARM64
12 | 		Debug|x64 = Debug|x64
13 | 		Debug|x86 = Debug|x86
14 | 		Release|ARM = Release|ARM
15 | 		Release|ARM64 = Release|ARM64
16 | 		Release|x64 = Release|x64
17 | 		Release|x86 = Release|x86
18 | 	EndGlobalSection
19 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Debug|ARM.ActiveCfg = Debug|ARM
21 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Debug|ARM.Build.0 = Debug|ARM
22 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Debug|ARM.Deploy.0 = Debug|ARM
23 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Debug|ARM64.ActiveCfg = Debug|ARM64
24 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Debug|ARM64.Build.0 = Debug|ARM64
25 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Debug|ARM64.Deploy.0 = Debug|ARM64
26 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Debug|x64.ActiveCfg = Debug|x64
27 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Debug|x64.Build.0 = Debug|x64
28 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Debug|x64.Deploy.0 = Debug|x64
29 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Debug|x86.ActiveCfg = Debug|Win32
30 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Debug|x86.Build.0 = Debug|Win32
31 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Debug|x86.Deploy.0 = Debug|Win32
32 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Release|ARM.ActiveCfg = Release|ARM
33 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Release|ARM.Build.0 = Release|ARM
34 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Release|ARM.Deploy.0 = Release|ARM
35 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Release|ARM64.ActiveCfg = Release|ARM64
36 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Release|ARM64.Build.0 = Release|ARM64
37 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Release|ARM64.Deploy.0 = Release|ARM64
38 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Release|x64.ActiveCfg = Release|x64
39 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Release|x64.Build.0 = Release|x64
40 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Release|x64.Deploy.0 = Release|x64
41 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Release|x86.ActiveCfg = Release|Win32
42 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Release|x86.Build.0 = Release|Win32
43 | 		{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}.Release|x86.Deploy.0 = Release|Win32
44 | 	EndGlobalSection
45 | 	GlobalSection(SolutionProperties) = preSolution
46 | 		HideSolutionNode = FALSE
47 | 	EndGlobalSection
48 | 	GlobalSection(ExtensibilityGlobals) = postSolution
49 | 		SolutionGuid = {8FCF94E0-6F36-45D3-95F4-99292F073331}
50 | 	EndGlobalSection
51 | EndGlobal
52 | 


--------------------------------------------------------------------------------
/TraceCleaner/Main.cpp:
--------------------------------------------------------------------------------
 1 | #include "clean.hpp"
 2 | extern "C" NTSTATUS DriverEntry(
 3 | 	PDRIVER_OBJECT  driver_object,
 4 | 	PUNICODE_STRING registry_path
 5 | )
 6 | {
 7 | 	// These are invalid for mapped drivers.
 8 | 	UNREFERENCED_PARAMETER(driver_object);
 9 | 	UNREFERENCED_PARAMETER(registry_path);
10 | 	UNICODE_STRING driver_name = RTL_CONSTANT_STRING(L"Capcom.sys");//Capcom.sys 0x57cd1415 (timeDateStamp)
11 | 	log("Hello from Kernel Mode");
12 | 	clear::clearCache(driver_name, 0x57cd1415);
13 | 	FindMmDriverData();
14 | 	if (clear::ClearUnloadedDriver(&driver_name, true) == STATUS_SUCCESS) {
15 | 		log("ClearUnloadedDriver sucessful");
16 | 	}
17 | 	else {
18 | 		log("ClearUnloadedDriver failed (Not found) ");
19 | 	}
20 | 	return STATUS_SUCCESS;
21 | }


--------------------------------------------------------------------------------
/TraceCleaner/ReadMe.txt:
--------------------------------------------------------------------------------
 1 | ========================================================================
 2 |     TraceCleaner Project Overview
 3 | ========================================================================
 4 | 
 5 | This file contains a summary of what you will find in each of the files that make up your project.
 6 | 
 7 | TraceCleaner.vcxproj
 8 |     This is the main project file for projects generated using an Application Wizard.
 9 |     It contains information about the version of the product that generated the file, and
10 |     information about the platforms, configurations, and project features selected with the
11 |     Application Wizard.
12 | 
13 | TraceCleaner.vcxproj.filters
14 |     This is the filters file for VC++ projects generated using an Application Wizard.
15 |     It contains information about the association between the files in your project
16 |     and the filters. This association is used in the IDE to show grouping of files with
17 |     similar extensions under a specific node (for e.g. ".cpp" files are associated with the
18 |     "Source Files" filter).
19 | 
20 | Public.h
21 |     Header file to be shared with applications.
22 | 
23 | Driver.c & Driver.h
24 |     DriverEntry and WDFDRIVER related functionality and callbacks.
25 | 
26 | Device.c & Device.h
27 |     WDFDEVICE related functionality and callbacks.
28 | 
29 | Queue.c & Queue.h
30 |     WDFQUEUE related functionality and callbacks.
31 | 
32 | Trace.h
33 |     Definitions for WPP tracing.
34 | 
35 | /////////////////////////////////////////////////////////////////////////////
36 | 
37 | Learn more about Kernel Mode Driver Framework here:
38 | 
39 | http://msdn.microsoft.com/en-us/library/ff544296(v=VS.85).aspx
40 | 
41 | /////////////////////////////////////////////////////////////////////////////
42 | 


--------------------------------------------------------------------------------
/TraceCleaner/TraceCleaner.inf:
--------------------------------------------------------------------------------
 1 | ;
 2 | ; TraceCleaner.inf
 3 | ;
 4 | 
 5 | [Version]
 6 | Signature="$WINDOWS NT$"
 7 | Class=Sample ; TODO: edit Class
 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
 9 | Provider=%ManufacturerName%
10 | CatalogFile=TraceCleaner.cat
11 | DriverVer= ; TODO: set DriverVer in stampinf property pages
12 | 
13 | [DestinationDirs]
14 | DefaultDestDir = 12
15 | TraceCleaner_Device_CoInstaller_CopyFiles = 11
16 | 
17 | ; ================= Class section =====================
18 | 
19 | [ClassInstall32]
20 | Addreg=SampleClassReg
21 | 
22 | [SampleClassReg]
23 | HKR,,,0,%ClassName%
24 | HKR,,Icon,,-5
25 | 
26 | [SourceDisksNames]
27 | 1 = %DiskName%,,,""
28 | 
29 | [SourceDisksFiles]
30 | TraceCleaner.sys  = 1,,
31 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
32 | 
33 | ;*****************************************
34 | ; Install Section
35 | ;*****************************************
36 | 
37 | [Manufacturer]
38 | %ManufacturerName%=Standard,NT$ARCH$
39 | 
40 | [Standard.NT$ARCH$]
41 | %TraceCleaner.DeviceDesc%=TraceCleaner_Device, Root\TraceCleaner ; TODO: edit hw-id
42 | 
43 | [TraceCleaner_Device.NT]
44 | CopyFiles=Drivers_Dir
45 | 
46 | [Drivers_Dir]
47 | TraceCleaner.sys
48 | 
49 | ;-------------- Service installation
50 | [TraceCleaner_Device.NT.Services]
51 | AddService = TraceCleaner,%SPSVCINST_ASSOCSERVICE%, TraceCleaner_Service_Inst
52 | 
53 | ; -------------- TraceCleaner driver install sections
54 | [TraceCleaner_Service_Inst]
55 | DisplayName    = %TraceCleaner.SVCDESC%
56 | ServiceType    = 1               ; SERVICE_KERNEL_DRIVER
57 | StartType      = 3               ; SERVICE_DEMAND_START
58 | ErrorControl   = 1               ; SERVICE_ERROR_NORMAL
59 | ServiceBinary  = %12%\TraceCleaner.sys
60 | 
61 | ;
62 | ;--- TraceCleaner_Device Coinstaller installation ------
63 | ;
64 | 
65 | [TraceCleaner_Device.NT.CoInstallers]
66 | AddReg=TraceCleaner_Device_CoInstaller_AddReg
67 | CopyFiles=TraceCleaner_Device_CoInstaller_CopyFiles
68 | 
69 | [TraceCleaner_Device_CoInstaller_AddReg]
70 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
71 | 
72 | [TraceCleaner_Device_CoInstaller_CopyFiles]
73 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
74 | 
75 | [TraceCleaner_Device.NT.Wdf]
76 | KmdfService =  TraceCleaner, TraceCleaner_wdfsect
77 | [TraceCleaner_wdfsect]
78 | KmdfLibraryVersion = $KMDFVERSION$
79 | 
80 | [Strings]
81 | SPSVCINST_ASSOCSERVICE= 0x00000002
82 | ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
83 | ClassName="Samples" ; TODO: edit ClassName
84 | DiskName = "TraceCleaner Installation Disk"
85 | TraceCleaner.DeviceDesc = "TraceCleaner Device"
86 | TraceCleaner.SVCDESC = "TraceCleaner Service"
87 | 


--------------------------------------------------------------------------------
/TraceCleaner/TraceCleaner.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Debug|ARM">
 21 |       <Configuration>Debug</Configuration>
 22 |       <Platform>ARM</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|ARM">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>ARM</Platform>
 27 |     </ProjectConfiguration>
 28 |     <ProjectConfiguration Include="Debug|ARM64">
 29 |       <Configuration>Debug</Configuration>
 30 |       <Platform>ARM64</Platform>
 31 |     </ProjectConfiguration>
 32 |     <ProjectConfiguration Include="Release|ARM64">
 33 |       <Configuration>Release</Configuration>
 34 |       <Platform>ARM64</Platform>
 35 |     </ProjectConfiguration>
 36 |   </ItemGroup>
 37 |   <ItemGroup>
 38 |     <None Include="ReadMe.txt" />
 39 |   </ItemGroup>
 40 |   <ItemGroup>
 41 |     <Inf Include="TraceCleaner.inf" />
 42 |   </ItemGroup>
 43 |   <PropertyGroup Label="Globals">
 44 |     <ProjectGuid>{BACA280A-599C-48DA-8F0B-7BC95BD91EEA}</ProjectGuid>
 45 |     <TemplateGuid>{497e31cb-056b-4f31-abb8-447fd55ee5a5}</TemplateGuid>
 46 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
 47 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
 48 |     <Configuration>Debug</Configuration>
 49 |     <Platform Condition="'$(Platform)' == ''">Win32</Platform>
 50 |     <RootNamespace>TraceCleaner</RootNamespace>
 51 |     <WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
 52 |   </PropertyGroup>
 53 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 54 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 55 |     <TargetVersion>Windows10</TargetVersion>
 56 |     <UseDebugLibraries>true</UseDebugLibraries>
 57 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 58 |     <ConfigurationType>Driver</ConfigurationType>
 59 |     <DriverType>KMDF</DriverType>
 60 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 61 |   </PropertyGroup>
 62 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 63 |     <TargetVersion>Windows10</TargetVersion>
 64 |     <UseDebugLibraries>false</UseDebugLibraries>
 65 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 66 |     <ConfigurationType>Driver</ConfigurationType>
 67 |     <DriverType>KMDF</DriverType>
 68 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 69 |   </PropertyGroup>
 70 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 71 |     <TargetVersion>Windows10</TargetVersion>
 72 |     <UseDebugLibraries>true</UseDebugLibraries>
 73 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 74 |     <ConfigurationType>Driver</ConfigurationType>
 75 |     <DriverType>KMDF</DriverType>
 76 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 77 |   </PropertyGroup>
 78 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 79 |     <TargetVersion>Windows10</TargetVersion>
 80 |     <UseDebugLibraries>false</UseDebugLibraries>
 81 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 82 |     <ConfigurationType>Driver</ConfigurationType>
 83 |     <DriverType>WDM</DriverType>
 84 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 85 |     <CharacterSet>
 86 |     </CharacterSet>
 87 |   </PropertyGroup>
 88 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
 89 |     <TargetVersion>Windows10</TargetVersion>
 90 |     <UseDebugLibraries>true</UseDebugLibraries>
 91 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 92 |     <ConfigurationType>Driver</ConfigurationType>
 93 |     <DriverType>KMDF</DriverType>
 94 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 95 |   </PropertyGroup>
 96 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
 97 |     <TargetVersion>Windows10</TargetVersion>
 98 |     <UseDebugLibraries>false</UseDebugLibraries>
 99 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
100 |     <ConfigurationType>Driver</ConfigurationType>
101 |     <DriverType>KMDF</DriverType>
102 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
103 |   </PropertyGroup>
104 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
105 |     <TargetVersion>Windows10</TargetVersion>
106 |     <UseDebugLibraries>true</UseDebugLibraries>
107 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
108 |     <ConfigurationType>Driver</ConfigurationType>
109 |     <DriverType>KMDF</DriverType>
110 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
111 |   </PropertyGroup>
112 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
113 |     <TargetVersion>Windows10</TargetVersion>
114 |     <UseDebugLibraries>false</UseDebugLibraries>
115 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
116 |     <ConfigurationType>Driver</ConfigurationType>
117 |     <DriverType>KMDF</DriverType>
118 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
119 |   </PropertyGroup>
120 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
121 |   <ImportGroup Label="ExtensionSettings">
122 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
123 |   </ImportGroup>
124 |   <ImportGroup Label="PropertySheets">
125 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
126 |   </ImportGroup>
127 |   <PropertyGroup Label="UserMacros" />
128 |   <PropertyGroup />
129 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
130 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
131 |   </PropertyGroup>
132 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
133 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
134 |   </PropertyGroup>
135 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
136 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
137 |   </PropertyGroup>
138 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
139 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
140 |     <IncludePath>$(VC_IncludePath);$(IncludePath)</IncludePath>
141 |     <LibraryPath>$(VC_LibraryPath_x64);$(LibraryPath)</LibraryPath>
142 |   </PropertyGroup>
143 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
144 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
145 |   </PropertyGroup>
146 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
147 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
148 |   </PropertyGroup>
149 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
150 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
151 |   </PropertyGroup>
152 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
153 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
154 |   </PropertyGroup>
155 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
156 |     <ClCompile>
157 |       <WppEnabled>true</WppEnabled>
158 |       <WppRecorderEnabled>true</WppRecorderEnabled>
159 |       <WppScanConfigurationData Condition="'%(ClCompile.ScanConfigurationData)' == ''">trace.h</WppScanConfigurationData>
160 |       <WppKernelMode>true</WppKernelMode>
161 |     </ClCompile>
162 |   </ItemDefinitionGroup>
163 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
164 |     <ClCompile>
165 |       <WppEnabled>true</WppEnabled>
166 |       <WppRecorderEnabled>true</WppRecorderEnabled>
167 |       <WppScanConfigurationData Condition="'%(ClCompile.ScanConfigurationData)' == ''">trace.h</WppScanConfigurationData>
168 |       <WppKernelMode>true</WppKernelMode>
169 |     </ClCompile>
170 |   </ItemDefinitionGroup>
171 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
172 |     <ClCompile>
173 |       <WppEnabled>true</WppEnabled>
174 |       <WppRecorderEnabled>true</WppRecorderEnabled>
175 |       <WppScanConfigurationData Condition="'%(ClCompile.ScanConfigurationData)' == ''">trace.h</WppScanConfigurationData>
176 |       <WppKernelMode>true</WppKernelMode>
177 |     </ClCompile>
178 |   </ItemDefinitionGroup>
179 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
180 |     <ClCompile>
181 |       <WppEnabled>false</WppEnabled>
182 |       <WppRecorderEnabled>true</WppRecorderEnabled>
183 |       <WppScanConfigurationData Condition="'%(ClCompile.ScanConfigurationData)' == ''">trace.h</WppScanConfigurationData>
184 |       <WppKernelMode>true</WppKernelMode>
185 |       <CompileAs>CompileAsCpp</CompileAs>
186 |       <TreatWarningAsError>false</TreatWarningAsError>
187 |       <BufferSecurityCheck>false</BufferSecurityCheck>
188 |     </ClCompile>
189 |     <Link>
190 |       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
191 |       <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
192 |     </Link>
193 |   </ItemDefinitionGroup>
194 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
195 |     <ClCompile>
196 |       <WppEnabled>true</WppEnabled>
197 |       <WppRecorderEnabled>true</WppRecorderEnabled>
198 |       <WppScanConfigurationData Condition="'%(ClCompile.ScanConfigurationData)' == ''">trace.h</WppScanConfigurationData>
199 |       <WppKernelMode>true</WppKernelMode>
200 |     </ClCompile>
201 |   </ItemDefinitionGroup>
202 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
203 |     <ClCompile>
204 |       <WppEnabled>true</WppEnabled>
205 |       <WppRecorderEnabled>true</WppRecorderEnabled>
206 |       <WppScanConfigurationData Condition="'%(ClCompile.ScanConfigurationData)' == ''">trace.h</WppScanConfigurationData>
207 |       <WppKernelMode>true</WppKernelMode>
208 |     </ClCompile>
209 |   </ItemDefinitionGroup>
210 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
211 |     <ClCompile>
212 |       <WppEnabled>true</WppEnabled>
213 |       <WppRecorderEnabled>true</WppRecorderEnabled>
214 |       <WppScanConfigurationData Condition="'%(ClCompile.ScanConfigurationData)' == ''">trace.h</WppScanConfigurationData>
215 |       <WppKernelMode>true</WppKernelMode>
216 |     </ClCompile>
217 |   </ItemDefinitionGroup>
218 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
219 |     <ClCompile>
220 |       <WppEnabled>true</WppEnabled>
221 |       <WppRecorderEnabled>true</WppRecorderEnabled>
222 |       <WppScanConfigurationData Condition="'%(ClCompile.ScanConfigurationData)' == ''">trace.h</WppScanConfigurationData>
223 |       <WppKernelMode>true</WppKernelMode>
224 |     </ClCompile>
225 |   </ItemDefinitionGroup>
226 |   <ItemGroup>
227 |     <FilesToPackage Include="$(TargetPath)" />
228 |   </ItemGroup>
229 |   <ItemGroup>
230 |     <ClInclude Include="clean.hpp" />
231 |     <ClInclude Include="struct.h" />
232 |   </ItemGroup>
233 |   <ItemGroup>
234 |     <ClCompile Include="Main.cpp" />
235 |   </ItemGroup>
236 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
237 |   <ImportGroup Label="ExtensionTargets">
238 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
239 |   </ImportGroup>
240 | </Project>


--------------------------------------------------------------------------------
/TraceCleaner/TraceCleaner.vcxproj.douglas2.nvuser:
--------------------------------------------------------------------------------
1 | <ProjectSettingsModel DefinitionId="a218e900-1199-4ab1-a767-7976786f04d4" DisplayName="Nexus Project User Settings" xmlns="clr-namespace:Ark.PropertyModel;assembly=Ark">
2 |     <SettingsPointModel DefinitionId="3eb7ba04-016d-475e-b0ff-daa5f0e59a08" DisplayName="Launch">
3 |         <Property Name="LaunchSettingsModifiedByUser" Value="True" />
4 |     </SettingsPointModel>
5 | </ProjectSettingsModel>


--------------------------------------------------------------------------------
/TraceCleaner/TraceCleaner.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="Driver Files">
17 |       <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
18 |       <Extensions>inf;inv;inx;mof;mc;</Extensions>
19 |     </Filter>
20 |   </ItemGroup>
21 |   <ItemGroup>
22 |     <None Include="ReadMe.txt" />
23 |   </ItemGroup>
24 |   <ItemGroup>
25 |     <Inf Include="TraceCleaner.inf">
26 |       <Filter>Driver Files</Filter>
27 |     </Inf>
28 |   </ItemGroup>
29 |   <ItemGroup>
30 |     <ClInclude Include="clean.hpp">
31 |       <Filter>Header Files</Filter>
32 |     </ClInclude>
33 |     <ClInclude Include="struct.h">
34 |       <Filter>Header Files</Filter>
35 |     </ClInclude>
36 |   </ItemGroup>
37 |   <ItemGroup>
38 |     <ClCompile Include="Main.cpp">
39 |       <Filter>Source Files</Filter>
40 |     </ClCompile>
41 |   </ItemGroup>
42 | </Project>


--------------------------------------------------------------------------------
/TraceCleaner/clean.hpp:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include "struct.h"
  3 | #define log(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, __VA_ARGS__)
  4 | #define BB_POOL_TAG 'enoB'
  5 | UCHAR PiDDBLockPtr_sig[] = "\x48\x8D\x0D\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x4C\x8B\x8C";
  6 | UCHAR PiDDBCacheTablePtr_sig[] = "\x66\x03\xD2\x48\x8D\x0D";
  7 | //you can also put the sig within the function, but some of the sig ends up on the stack and in the .text section, and causes issues when zeroing the sig memory.
  8 | 
  9 | EXTERN_C PVOID ResolveRelativeAddress(
 10 | 	_In_ PVOID Instruction,
 11 | 	_In_ ULONG OffsetOffset,
 12 | 	_In_ ULONG InstructionSize
 13 | )
 14 | {
 15 | 	ULONG_PTR Instr = (ULONG_PTR)Instruction;
 16 | 	LONG RipOffset = *(PLONG)(Instr + OffsetOffset);
 17 | 	PVOID ResolvedAddr = (PVOID)(Instr + InstructionSize + RipOffset);
 18 | 
 19 | 	return ResolvedAddr;
 20 | }
 21 | 
 22 | NTSTATUS BBSearchPattern(IN PCUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, IN const VOID* base, IN ULONG_PTR size, OUT PVOID* ppFound, int index = 0)
 23 | {
 24 | 	ASSERT(ppFound != NULL && pattern != NULL && base != NULL);
 25 | 	if (ppFound == NULL || pattern == NULL || base == NULL)
 26 | 		return STATUS_ACCESS_DENIED; //STATUS_INVALID_PARAMETER;
 27 | 	int cIndex = 0;
 28 | 	for (ULONG_PTR i = 0; i < size - len; i++)
 29 | 	{
 30 | 		BOOLEAN found = TRUE;
 31 | 		for (ULONG_PTR j = 0; j < len; j++)
 32 | 		{
 33 | 			if (pattern[j] != wildcard && pattern[j] != ((PCUCHAR)base)[i + j])
 34 | 			{
 35 | 				found = FALSE;
 36 | 				break;
 37 | 			}
 38 | 		}
 39 | 
 40 | 		if (found != FALSE && cIndex++ == index)
 41 | 		{
 42 | 			*ppFound = (PUCHAR)base + i;
 43 | 			return STATUS_SUCCESS;
 44 | 		}
 45 | 	}
 46 | 
 47 | 	return STATUS_NOT_FOUND;
 48 | }
 49 | 
 50 | PVOID g_KernelBase = NULL;
 51 | ULONG g_KernelSize = 0;
 52 | PVOID GetKernelBase(OUT PULONG pSize)
 53 | {
 54 | 	NTSTATUS status = STATUS_SUCCESS;
 55 | 	ULONG bytes = 0;
 56 | 	PRTL_PROCESS_MODULES pMods = NULL;
 57 | 	PVOID checkPtr = NULL;
 58 | 	UNICODE_STRING routineName;
 59 | 
 60 | 	// Already found
 61 | 	if (g_KernelBase != NULL)
 62 | 	{
 63 | 		if (pSize)
 64 | 			*pSize = g_KernelSize;
 65 | 		return g_KernelBase;
 66 | 	}
 67 | 
 68 | 	RtlUnicodeStringInit(&routineName, L"NtOpenFile");
 69 | 
 70 | 	checkPtr = MmGetSystemRoutineAddress(&routineName);
 71 | 	if (checkPtr == NULL)
 72 | 		return NULL;
 73 | 
 74 | 	// Protect from UserMode AV
 75 | 	status = ZwQuerySystemInformation(SystemModuleInformation, 0, bytes, &bytes);
 76 | 	if (bytes == 0)
 77 | 	{
 78 | 		log("Invalid SystemModuleInformation size");
 79 | 		return NULL;
 80 | 	}
 81 | 
 82 | 	pMods = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, bytes, BB_POOL_TAG);
 83 | 	RtlZeroMemory(pMods, bytes);
 84 | 
 85 | 	status = ZwQuerySystemInformation(SystemModuleInformation, pMods, bytes, &bytes);
 86 | 
 87 | 	if (NT_SUCCESS(status))
 88 | 	{
 89 | 		PRTL_PROCESS_MODULE_INFORMATION pMod = pMods->Modules;
 90 | 
 91 | 		for (ULONG i = 0; i < pMods->NumberOfModules; i++)
 92 | 		{
 93 | 			// System routine is inside module
 94 | 			if (checkPtr >= pMod[i].ImageBase &&
 95 | 				checkPtr < (PVOID)((PUCHAR)pMod[i].ImageBase + pMod[i].ImageSize))
 96 | 			{
 97 | 				g_KernelBase = pMod[i].ImageBase;
 98 | 				g_KernelSize = pMod[i].ImageSize;
 99 | 				if (pSize)
100 | 					*pSize = g_KernelSize;
101 | 				break;
102 | 			}
103 | 		}
104 | 	}
105 | 
106 | 	if (pMods)
107 | 		ExFreePoolWithTag(pMods, BB_POOL_TAG);
108 | 	log("g_KernelBase: %x", g_KernelBase);
109 | 	log("g_KernelSize: %x", g_KernelSize);
110 | 	return g_KernelBase;
111 | }
112 | 
113 | NTSTATUS BBScanSection(IN PCCHAR section, IN PCUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, OUT PVOID* ppFound, PVOID base = nullptr)
114 | {
115 | 	//ASSERT(ppFound != NULL);
116 | 	if (ppFound == NULL)
117 | 		return STATUS_ACCESS_DENIED; //STATUS_INVALID_PARAMETER
118 | 
119 | 	if (nullptr == base)
120 | 		base = GetKernelBase(&g_KernelSize);
121 | 	if (base == nullptr)
122 | 		return STATUS_ACCESS_DENIED; //STATUS_NOT_FOUND;
123 | 
124 | 	PIMAGE_NT_HEADERS64 pHdr = RtlImageNtHeader(base);
125 | 	if (!pHdr)
126 | 		return STATUS_ACCESS_DENIED; // STATUS_INVALID_IMAGE_FORMAT;
127 | 
128 | 	//PIMAGE_SECTION_HEADER pFirstSection = (PIMAGE_SECTION_HEADER)(pHdr + 1);
129 | 	PIMAGE_SECTION_HEADER pFirstSection = (PIMAGE_SECTION_HEADER)((uintptr_t)&pHdr->FileHeader + pHdr->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER));
130 | 
131 | 	for (PIMAGE_SECTION_HEADER pSection = pFirstSection; pSection < pFirstSection + pHdr->FileHeader.NumberOfSections; pSection++)
132 | 	{
133 | 		//DbgPrint("section: %s\r\n", pSection->Name);
134 | 		ANSI_STRING s1, s2;
135 | 		RtlInitAnsiString(&s1, section);
136 | 		RtlInitAnsiString(&s2, (PCCHAR)pSection->Name);
137 | 		if (RtlCompareString(&s1, &s2, TRUE) == 0)
138 | 		{
139 | 			PVOID ptr = NULL;
140 | 			NTSTATUS status = BBSearchPattern(pattern, wildcard, len, (PUCHAR)base + pSection->VirtualAddress, pSection->Misc.VirtualSize, &ptr);
141 | 			if (NT_SUCCESS(status)) {
142 | 				*(PULONG64)ppFound = (ULONG_PTR)(ptr); //- (PUCHAR)base
143 | 				//DbgPrint("found\r\n");
144 | 				return status;
145 | 			}
146 | 			//we continue scanning because there can be multiple sections with the same name.
147 | 		}
148 | 	}
149 | 
150 | 	return STATUS_ACCESS_DENIED; //STATUS_NOT_FOUND;
151 | }
152 | extern "C" bool LocatePiDDB(PERESOURCE* lock, PRTL_AVL_TABLE* table)
153 | {
154 | 	PVOID PiDDBLockPtr = nullptr, PiDDBCacheTablePtr = nullptr;
155 | 	if (!NT_SUCCESS(BBScanSection("PAGE", PiDDBLockPtr_sig, 0, sizeof(PiDDBLockPtr_sig) - 1, reinterpret_cast<PVOID*>(&PiDDBLockPtr)))) {
156 | 		log("Unable to find PiDDBLockPtr sig.");
157 | 		return false;
158 | 	}
159 | 
160 | 	if (!NT_SUCCESS(BBScanSection("PAGE", PiDDBCacheTablePtr_sig, 0, sizeof(PiDDBCacheTablePtr_sig) - 1, reinterpret_cast<PVOID*>(&PiDDBCacheTablePtr)))) {
161 | 		log("Unable to find PiDDBCacheTablePtr sig");
162 | 		return false;
163 | 	}
164 | 
165 | 	PiDDBCacheTablePtr = PVOID((uintptr_t)PiDDBCacheTablePtr + 3);
166 | 
167 | 	*lock = (PERESOURCE)(ResolveRelativeAddress(PiDDBLockPtr, 3, 7));
168 | 	*table = (PRTL_AVL_TABLE)(ResolveRelativeAddress(PiDDBCacheTablePtr, 3, 7));
169 | 
170 | 	return true;
171 | }
172 | 
173 | 
174 | 
175 | 
176 | 
177 | PMM_UNLOADED_DRIVER MmUnloadedDrivers;
178 | PULONG				MmLastUnloadedDriver;
179 | 
180 | BOOLEAN bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
181 | {
182 | 	for (; *szMask; ++szMask, ++pData, ++bMask)
183 | 		if (*szMask == 'x' && *pData != *bMask)
184 | 			return 0;
185 | 
186 | 	return (*szMask) == 0;
187 | }
188 | 
189 | UINT64 FindPattern(UINT64 dwAddress, UINT64 dwLen, BYTE *bMask, char * szMask)
190 | {
191 | 	for (UINT64 i = 0; i < dwLen; i++)
192 | 		if (bDataCompare((BYTE*)(dwAddress + i), bMask, szMask))
193 | 			return (UINT64)(dwAddress + i);
194 | 
195 | 	return 0;
196 | }
197 | NTSTATUS FindMmDriverData(
198 | 	VOID
199 | )
200 | {
201 | 	/*
202 | 	 *	nt!MmLocateUnloadedDriver:
203 | 	 *	fffff801`51c70394 4c8b15a57e1500  mov     r10,qword ptr [nt!MmUnloadedDrivers (fffff801`51dc8240)]
204 | 	 *	fffff801`51c7039b 4c8bc9          mov     r9 ,rcx
205 | 	 */
206 | 	PVOID MmUnloadedDriversInstr = (PVOID)FindPattern((UINT64)g_KernelBase, g_KernelSize,
207 | 		(BYTE*)"\x4C\x8B\x15\x00\x00\x00\x00\x4C\x8B\xC9",
208 | 		"xxx????xxx"
209 | 	);
210 | 
211 | 	/*
212 | 	 *	nt!MiRememberUnloadedDriver+0x59:
213 | 	 *	fffff801`5201a4c5 8b057ddddaff    mov     eax,dword ptr [nt!MmLastUnloadedDriver (fffff801`51dc8248)]
214 | 	 *	fffff801`5201a4cb 83f832          cmp     eax,32h
215 | 	*/
216 | 	PVOID MmLastUnloadedDriverInstr = (PVOID)FindPattern((UINT64)g_KernelBase, g_KernelSize,
217 | 		(BYTE*)"\x8B\x05\x00\x00\x00\x00\x83\xF8\x32",
218 | 		"xx????xxx"
219 | 	);
220 | 
221 | 	if (MmUnloadedDriversInstr == NULL || MmLastUnloadedDriverInstr == NULL)
222 | 	{
223 | 		return STATUS_NOT_FOUND;
224 | 	}
225 | 
226 | 	MmUnloadedDrivers = *(PMM_UNLOADED_DRIVER*)ResolveRelativeAddress(MmUnloadedDriversInstr, 3, 7);
227 | 	MmLastUnloadedDriver = (PULONG)ResolveRelativeAddress(MmLastUnloadedDriverInstr, 2, 6);
228 | 	/*log("MmUnloadedDrivers ModuleEnd: %x", MmUnloadedDrivers->ModuleEnd);
229 | 	log("MmUnloadedDrivers ModuleStart: %x", MmUnloadedDrivers->ModuleStart);
230 | 	log("MmUnloadedDrivers Name: %s", MmUnloadedDrivers->Name);
231 | 	log("MmUnloadedDrivers UnloadTime: %x", MmUnloadedDrivers->UnloadTime);*/
232 | 
233 | 	log("MmUnloadedDrivers Addr: %x", MmUnloadedDrivers);
234 | 	log("MmLastUnloadedDriver Addr: %x", MmLastUnloadedDriver);
235 | 	return STATUS_SUCCESS;
236 | }
237 | 
238 | BOOLEAN IsUnloadedDriverEntryEmpty(
239 | 	_In_ PMM_UNLOADED_DRIVER Entry
240 | )
241 | {
242 | 	if (Entry->Name.MaximumLength == 0 ||
243 | 		Entry->Name.Length == 0 ||
244 | 		Entry->Name.Buffer == NULL)
245 | 	{
246 | 		return TRUE;
247 | 	}
248 | 
249 | 	return FALSE;
250 | }
251 | 
252 | BOOLEAN IsMmUnloadedDriversFilled(
253 | 	VOID
254 | )
255 | {
256 | 	for (ULONG Index = 0; Index < MM_UNLOADED_DRIVERS_SIZE; ++Index)
257 | 	{
258 | 		PMM_UNLOADED_DRIVER Entry = &MmUnloadedDrivers[Index];
259 | 		if (IsUnloadedDriverEntryEmpty(Entry))
260 | 		{
261 | 			return FALSE;
262 | 		}
263 | 	}
264 | 
265 | 	return TRUE;
266 | }
267 | 
268 | 
269 | 
270 | ERESOURCE PsLoadedModuleResource;
271 | 
272 | 
273 | 
274 | 
275 | namespace clear {
276 | 	void clearCache(UNICODE_STRING DriverName, ULONG timeDateStamp) {
277 | 		// first locate required variables
278 | 		PERESOURCE PiDDBLock; PRTL_AVL_TABLE PiDDBCacheTable;
279 | 		if (!LocatePiDDB(&PiDDBLock, &PiDDBCacheTable)) {
280 | 			log("ClearCache Failed");
281 | 			return;
282 | 		}
283 | 
284 | 		log("Found PiDDBLock and PiDDBCacheTable");
285 | 		log("Found PiDDBLock %x", PiDDBLock);
286 | 		log("Found PiDDBCacheTable %x", PiDDBCacheTable);
287 | 		// build a lookup entry
288 | 		PiDDBCacheEntry lookupEntry = { };
289 | 		lookupEntry.DriverName = DriverName;
290 | 		lookupEntry.TimeDateStamp = timeDateStamp;
291 | 
292 | 		// acquire the ddb resource lock
293 | 		ExAcquireResourceExclusiveLite(PiDDBLock, TRUE);
294 | 
295 | 		// search our entry in the table
296 | 		auto pFoundEntry = (PiDDBCacheEntry*)RtlLookupElementGenericTableAvl(PiDDBCacheTable, &lookupEntry);
297 | 		if (pFoundEntry == nullptr)
298 | 		{
299 | 			// release the ddb resource lock
300 | 			ExReleaseResourceLite(PiDDBLock);
301 | 			log("ClearCache Failed (Not found)");
302 | 			return;
303 | 		}
304 | 
305 | 		// first, unlink from the list
306 | 		RemoveEntryList(&pFoundEntry->List);
307 | 		// then delete the element from the avl table
308 | 		RtlDeleteElementGenericTableAvl(PiDDBCacheTable, pFoundEntry);
309 | 
310 | 		// release the ddb resource lock
311 | 		ExReleaseResourceLite(PiDDBLock);
312 | 		log("ClearCache Sucessful");
313 | 	}
314 | 
315 | 
316 | 
317 | 
318 | 	NTSTATUS ClearUnloadedDriver(
319 | 		_In_ PUNICODE_STRING	DriverName,
320 | 		_In_ BOOLEAN			AccquireResource
321 | 	)
322 | 	{
323 | 		if (AccquireResource)
324 | 		{
325 | 			ExAcquireResourceExclusiveLite(&PsLoadedModuleResource, TRUE);
326 | 		}
327 | 
328 | 		BOOLEAN Modified = FALSE;
329 | 		BOOLEAN Filled = IsMmUnloadedDriversFilled();
330 | 
331 | 		for (ULONG Index = 0; Index < MM_UNLOADED_DRIVERS_SIZE; ++Index)
332 | 		{
333 | 			PMM_UNLOADED_DRIVER Entry = &MmUnloadedDrivers[Index];
334 | 			if (Modified)
335 | 			{
336 | 				//
337 | 				// Shift back all entries after modified one.
338 | 				//
339 | 				PMM_UNLOADED_DRIVER PrevEntry = &MmUnloadedDrivers[Index - 1];
340 | 				RtlCopyMemory(PrevEntry, Entry, sizeof(MM_UNLOADED_DRIVER));
341 | 
342 | 				//
343 | 				// Zero last entry.
344 | 				//
345 | 				if (Index == MM_UNLOADED_DRIVERS_SIZE - 1)
346 | 				{
347 | 					RtlFillMemory(Entry, sizeof(MM_UNLOADED_DRIVER), 0);
348 | 				}
349 | 			}
350 | 			else if (RtlEqualUnicodeString(DriverName, &Entry->Name, TRUE))
351 | 			{
352 | 				//
353 | 				// Erase driver entry.
354 | 				//
355 | 				PVOID BufferPool = Entry->Name.Buffer;
356 | 				RtlFillMemory(Entry, sizeof(MM_UNLOADED_DRIVER), 0);
357 | 				ExFreePoolWithTag(BufferPool, 'TDmM');
358 | 
359 | 				//
360 | 				// Because we are erasing last entry we want to set MmLastUnloadedDriver to 49
361 | 				// if list have been already filled.
362 | 				//
363 | 				*MmLastUnloadedDriver = (Filled ? MM_UNLOADED_DRIVERS_SIZE : *MmLastUnloadedDriver) - 1;
364 | 				Modified = TRUE;
365 | 			}
366 | 		}
367 | 
368 | 		if (Modified)
369 | 		{
370 | 			ULONG64 PreviousTime = 0;
371 | 
372 | 			//
373 | 			// Make UnloadTime look right.
374 | 			//
375 | 			for (LONG Index = MM_UNLOADED_DRIVERS_SIZE - 2; Index >= 0; --Index)
376 | 			{
377 | 				PMM_UNLOADED_DRIVER Entry = &MmUnloadedDrivers[Index];
378 | 				if (IsUnloadedDriverEntryEmpty(Entry))
379 | 				{
380 | 					continue;
381 | 				}
382 | 
383 | 				if (PreviousTime != 0 && Entry->UnloadTime > PreviousTime)
384 | 				{
385 | 					//
386 | 					// Decrease by random value here maybe.
387 | 					//
388 | 					Entry->UnloadTime = PreviousTime - 100;
389 | 				}
390 | 
391 | 				PreviousTime = Entry->UnloadTime;
392 | 			}
393 | 
394 | 			//
395 | 			// Clear remaining entries.
396 | 			//
397 | 			ClearUnloadedDriver(DriverName, FALSE);
398 | 		}
399 | 
400 | 		if (AccquireResource)
401 | 		{
402 | 			ExReleaseResourceLite(&PsLoadedModuleResource);
403 | 		}
404 | 
405 | 		return Modified ? STATUS_SUCCESS : STATUS_NOT_FOUND;
406 | 	}
407 | }


--------------------------------------------------------------------------------
/TraceCleaner/struct.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include <ntdef.h>
  3 | #include <ntifs.h>
  4 | #include <ntddk.h>
  5 | #include <ntimage.h>
  6 | #include <ntstrsafe.h>
  7 | 
  8 | typedef unsigned char       BYTE;
  9 | typedef struct _RTL_PROCESS_MODULE_INFORMATION
 10 | {
 11 | 	HANDLE Section;         // Not filled in
 12 | 	PVOID MappedBase;
 13 | 	PVOID ImageBase;
 14 | 	ULONG ImageSize;
 15 | 	ULONG Flags;
 16 | 	USHORT LoadOrderIndex;
 17 | 	USHORT InitOrderIndex;
 18 | 	USHORT LoadCount;
 19 | 	USHORT OffsetToFileName;
 20 | 	UCHAR  FullPathName[MAXIMUM_FILENAME_LENGTH];
 21 | } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
 22 | typedef struct _RTL_PROCESS_MODULES
 23 | {
 24 | 	ULONG NumberOfModules;
 25 | 	RTL_PROCESS_MODULE_INFORMATION Modules[1];
 26 | } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
 27 | struct PiDDBCacheEntry
 28 | {
 29 | 	LIST_ENTRY		List;
 30 | 	UNICODE_STRING	DriverName;
 31 | 	ULONG			TimeDateStamp;
 32 | 	NTSTATUS		LoadStatus;
 33 | 	char			_0x0028[16]; // data from the shim engine, or uninitialized memory for custom drivers
 34 | };
 35 | typedef enum _SYSTEM_INFORMATION_CLASS
 36 | {
 37 | 	SystemBasicInformation = 0x0,
 38 | 	SystemProcessorInformation = 0x1,
 39 | 	SystemPerformanceInformation = 0x2,
 40 | 	SystemTimeOfDayInformation = 0x3,
 41 | 	SystemPathInformation = 0x4,
 42 | 	SystemProcessInformation = 0x5,
 43 | 	SystemCallCountInformation = 0x6,
 44 | 	SystemDeviceInformation = 0x7,
 45 | 	SystemProcessorPerformanceInformation = 0x8,
 46 | 	SystemFlagsInformation = 0x9,
 47 | 	SystemCallTimeInformation = 0xa,
 48 | 	SystemModuleInformation = 0xb,
 49 | 	SystemLocksInformation = 0xc,
 50 | 	SystemStackTraceInformation = 0xd,
 51 | 	SystemPagedPoolInformation = 0xe,
 52 | 	SystemNonPagedPoolInformation = 0xf,
 53 | 	SystemHandleInformation = 0x10,
 54 | 	SystemObjectInformation = 0x11,
 55 | 	SystemPageFileInformation = 0x12,
 56 | 	SystemVdmInstemulInformation = 0x13,
 57 | 	SystemVdmBopInformation = 0x14,
 58 | 	SystemFileCacheInformation = 0x15,
 59 | 	SystemPoolTagInformation = 0x16,
 60 | 	SystemInterruptInformation = 0x17,
 61 | 	SystemDpcBehaviorInformation = 0x18,
 62 | 	SystemFullMemoryInformation = 0x19,
 63 | 	SystemLoadGdiDriverInformation = 0x1a,
 64 | 	SystemUnloadGdiDriverInformation = 0x1b,
 65 | 	SystemTimeAdjustmentInformation = 0x1c,
 66 | 	SystemSummaryMemoryInformation = 0x1d,
 67 | 	SystemMirrorMemoryInformation = 0x1e,
 68 | 	SystemPerformanceTraceInformation = 0x1f,
 69 | 	SystemObsolete0 = 0x20,
 70 | 	SystemExceptionInformation = 0x21,
 71 | 	SystemCrashDumpStateInformation = 0x22,
 72 | 	SystemKernelDebuggerInformation = 0x23,
 73 | 	SystemContextSwitchInformation = 0x24,
 74 | 	SystemRegistryQuotaInformation = 0x25,
 75 | 	SystemExtendServiceTableInformation = 0x26,
 76 | 	SystemPrioritySeperation = 0x27,
 77 | 	SystemVerifierAddDriverInformation = 0x28,
 78 | 	SystemVerifierRemoveDriverInformation = 0x29,
 79 | 	SystemProcessorIdleInformation = 0x2a,
 80 | 	SystemLegacyDriverInformation = 0x2b,
 81 | 	SystemCurrentTimeZoneInformation = 0x2c,
 82 | 	SystemLookasideInformation = 0x2d,
 83 | 	SystemTimeSlipNotification = 0x2e,
 84 | 	SystemSessionCreate = 0x2f,
 85 | 	SystemSessionDetach = 0x30,
 86 | 	SystemSessionInformation = 0x31,
 87 | 	SystemRangeStartInformation = 0x32,
 88 | 	SystemVerifierInformation = 0x33,
 89 | 	SystemVerifierThunkExtend = 0x34,
 90 | 	SystemSessionProcessInformation = 0x35,
 91 | 	SystemLoadGdiDriverInSystemSpace = 0x36,
 92 | 	SystemNumaProcessorMap = 0x37,
 93 | 	SystemPrefetcherInformation = 0x38,
 94 | 	SystemExtendedProcessInformation = 0x39,
 95 | 	SystemRecommendedSharedDataAlignment = 0x3a,
 96 | 	SystemComPlusPackage = 0x3b,
 97 | 	SystemNumaAvailableMemory = 0x3c,
 98 | 	SystemProcessorPowerInformation = 0x3d,
 99 | 	SystemEmulationBasicInformation = 0x3e,
100 | 	SystemEmulationProcessorInformation = 0x3f,
101 | 	SystemExtendedHandleInformation = 0x40,
102 | 	SystemLostDelayedWriteInformation = 0x41,
103 | 	SystemBigPoolInformation = 0x42,
104 | 	SystemSessionPoolTagInformation = 0x43,
105 | 	SystemSessionMappedViewInformation = 0x44,
106 | 	SystemHotpatchInformation = 0x45,
107 | 	SystemObjectSecurityMode = 0x46,
108 | 	SystemWatchdogTimerHandler = 0x47,
109 | 	SystemWatchdogTimerInformation = 0x48,
110 | 	SystemLogicalProcessorInformation = 0x49,
111 | 	SystemWow64SharedInformationObsolete = 0x4a,
112 | 	SystemRegisterFirmwareTableInformationHandler = 0x4b,
113 | 	SystemFirmwareTableInformation = 0x4c,
114 | 	SystemModuleInformationEx = 0x4d,
115 | 	SystemVerifierTriageInformation = 0x4e,
116 | 	SystemSuperfetchInformation = 0x4f,
117 | 	SystemMemoryListInformation = 0x50,
118 | 	SystemFileCacheInformationEx = 0x51,
119 | 	SystemThreadPriorityClientIdInformation = 0x52,
120 | 	SystemProcessorIdleCycleTimeInformation = 0x53,
121 | 	SystemVerifierCancellationInformation = 0x54,
122 | 	SystemProcessorPowerInformationEx = 0x55,
123 | 	SystemRefTraceInformation = 0x56,
124 | 	SystemSpecialPoolInformation = 0x57,
125 | 	SystemProcessIdInformation = 0x58,
126 | 	SystemErrorPortInformation = 0x59,
127 | 	SystemBootEnvironmentInformation = 0x5a,
128 | 	SystemHypervisorInformation = 0x5b,
129 | 	SystemVerifierInformationEx = 0x5c,
130 | 	SystemTimeZoneInformation = 0x5d,
131 | 	SystemImageFileExecutionOptionsInformation = 0x5e,
132 | 	SystemCoverageInformation = 0x5f,
133 | 	SystemPrefetchPatchInformation = 0x60,
134 | 	SystemVerifierFaultsInformation = 0x61,
135 | 	SystemSystemPartitionInformation = 0x62,
136 | 	SystemSystemDiskInformation = 0x63,
137 | 	SystemProcessorPerformanceDistribution = 0x64,
138 | 	SystemNumaProximityNodeInformation = 0x65,
139 | 	SystemDynamicTimeZoneInformation = 0x66,
140 | 	SystemCodeIntegrityInformation = 0x67,
141 | 	SystemProcessorMicrocodeUpdateInformation = 0x68,
142 | 	SystemProcessorBrandString = 0x69,
143 | 	SystemVirtualAddressInformation = 0x6a,
144 | 	SystemLogicalProcessorAndGroupInformation = 0x6b,
145 | 	SystemProcessorCycleTimeInformation = 0x6c,
146 | 	SystemStoreInformation = 0x6d,
147 | 	SystemRegistryAppendString = 0x6e,
148 | 	SystemAitSamplingValue = 0x6f,
149 | 	SystemVhdBootInformation = 0x70,
150 | 	SystemCpuQuotaInformation = 0x71,
151 | 	SystemNativeBasicInformation = 0x72,
152 | 	SystemErrorPortTimeouts = 0x73,
153 | 	SystemLowPriorityIoInformation = 0x74,
154 | 	SystemBootEntropyInformation = 0x75,
155 | 	SystemVerifierCountersInformation = 0x76,
156 | 	SystemPagedPoolInformationEx = 0x77,
157 | 	SystemSystemPtesInformationEx = 0x78,
158 | 	SystemNodeDistanceInformation = 0x79,
159 | 	SystemAcpiAuditInformation = 0x7a,
160 | 	SystemBasicPerformanceInformation = 0x7b,
161 | 	SystemQueryPerformanceCounterInformation = 0x7c,
162 | 	SystemSessionBigPoolInformation = 0x7d,
163 | 	SystemBootGraphicsInformation = 0x7e,
164 | 	SystemScrubPhysicalMemoryInformation = 0x7f,
165 | 	SystemBadPageInformation = 0x80,
166 | 	SystemProcessorProfileControlArea = 0x81,
167 | 	SystemCombinePhysicalMemoryInformation = 0x82,
168 | 	SystemEntropyInterruptTimingInformation = 0x83,
169 | 	SystemConsoleInformation = 0x84,
170 | 	SystemPlatformBinaryInformation = 0x85,
171 | 	SystemThrottleNotificationInformation = 0x86,
172 | 	SystemHypervisorProcessorCountInformation = 0x87,
173 | 	SystemDeviceDataInformation = 0x88,
174 | 	SystemDeviceDataEnumerationInformation = 0x89,
175 | 	SystemMemoryTopologyInformation = 0x8a,
176 | 	SystemMemoryChannelInformation = 0x8b,
177 | 	SystemBootLogoInformation = 0x8c,
178 | 	SystemProcessorPerformanceInformationEx = 0x8d,
179 | 	SystemSpare0 = 0x8e,
180 | 	SystemSecureBootPolicyInformation = 0x8f,
181 | 	SystemPageFileInformationEx = 0x90,
182 | 	SystemSecureBootInformation = 0x91,
183 | 	SystemEntropyInterruptTimingRawInformation = 0x92,
184 | 	SystemPortableWorkspaceEfiLauncherInformation = 0x93,
185 | 	SystemFullProcessInformation = 0x94,
186 | 	SystemKernelDebuggerInformationEx = 0x95,
187 | 	SystemBootMetadataInformation = 0x96,
188 | 	SystemSoftRebootInformation = 0x97,
189 | 	SystemElamCertificateInformation = 0x98,
190 | 	SystemOfflineDumpConfigInformation = 0x99,
191 | 	SystemProcessorFeaturesInformation = 0x9a,
192 | 	SystemRegistryReconciliationInformation = 0x9b,
193 | 	MaxSystemInfoClass = 0x9c,
194 | } SYSTEM_INFORMATION_CLASS;
195 | 
196 | EXTERN_C NTSYSAPI
197 | PIMAGE_NT_HEADERS
198 | NTAPI
199 | RtlImageNtHeader(
200 | 	IN PVOID   ModuleAddress);
201 | EXTERN_C NTSYSAPI
202 | NTSTATUS
203 | NTAPI
204 | ZwQuerySystemInformation(
205 | 	IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
206 | 	OUT PVOID SystemInformation,
207 | 	IN ULONG SystemInformationLength,
208 | 	OUT PULONG ReturnLength OPTIONAL
209 | );
210 | 
211 | #define MM_UNLOADED_DRIVERS_SIZE 50
212 | typedef struct _MM_UNLOADED_DRIVER
213 | {
214 | 	UNICODE_STRING 	Name;
215 | 	PVOID 			ModuleStart;
216 | 	PVOID 			ModuleEnd;
217 | 	ULONG64 		UnloadTime;
218 | } MM_UNLOADED_DRIVER, *PMM_UNLOADED_DRIVER;
219 | 


--------------------------------------------------------------------------------