├── README.md
└── dse_meme
    ├── dse_meme
        ├── dse_meme.vcxproj.user
        ├── utils
        │   ├── crt.h
        │   └── utils.h
        ├── entry.cpp
        ├── dse_meme.vcxproj.filters
        ├── dse_meme.inf
        ├── dse_meme.vcxproj
        └── structs
        │   └── windows.h
    └── dse_meme.sln


/README.md:
--------------------------------------------------------------------------------
1 | # Dse-Patcher
2 | Patches DSE by swapping both data ptrs located in SeValidateImageHeader && SeValidateImageData
3 | 


--------------------------------------------------------------------------------
/dse_meme/dse_meme/dse_meme.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup>
4 |     <ShowAllFiles>true</ShowAllFiles>
5 |   </PropertyGroup>
6 | </Project>


--------------------------------------------------------------------------------
/dse_meme/dse_meme/utils/crt.h:
--------------------------------------------------------------------------------
 1 | namespace crt {
 2 | 	template <typename t>
 3 | 	__forceinline int strlen( t str ) {
 4 | 		if ( !str ) {
 5 | 			return 0;
 6 | 		}
 7 | 
 8 | 		t buffer = str;
 9 | 
10 | 		while ( *buffer ) {
11 | 			*buffer++;
12 | 		}
13 | 
14 | 		return ( int )( buffer - str );
15 | 	}
16 | 
17 | 	bool strcmp( const char* src, const char* dst ) {
18 | 		if ( !src || !dst ) {
19 | 			return true;
20 | 		}
21 | 
22 | 		const auto src_sz = crt::strlen( src );
23 | 		const auto dst_sz = crt::strlen( dst );
24 | 
25 | 		if ( src_sz != dst_sz ) {
26 | 			return true;
27 | 		}
28 | 
29 | 		for ( int i = 0; i < src_sz; i++ ) {
30 | 			if ( src[ i ] != dst[ i ] ) {
31 | 				return true;
32 | 			}
33 | 		}
34 | 
35 | 		return false;
36 | 	}
37 | }


--------------------------------------------------------------------------------
/dse_meme/dse_meme/entry.cpp:
--------------------------------------------------------------------------------
 1 | #include <ntdef.h>
 2 | #include <stdint.h>
 3 | #include <ntifs.h>
 4 | #include <ntddk.h>
 5 | #include <ntimage.h>
 6 | #include <windef.h>
 7 | #include <intrin.h>
 8 | #include <ntstrsafe.h>
 9 | 
10 | #include "structs/windows.h"
11 | 
12 | #include "utils/crt.h"
13 | #include "utils/utils.h"
14 | 
15 | NTSTATUS DriverEntry( ) {
16 | 	
17 | 	auto ntoskrnl = get_kernel_module( "ntoskrnl.exe" );
18 | 	if ( !ntoskrnl )
19 | 		return STATUS_FAILED_DRIVER_ENTRY;
20 | 	auto se_validate_image_header = find_pattern( ntoskrnl, "\x48\x39\x35\xCC\xCC\xCC\xCC\x48\x8B\xF9", "xxx????xxx" );
21 | 	if ( !se_validate_image_header )
22 | 		return STATUS_FAILED_DRIVER_ENTRY;
23 | 	
24 | 	auto se_validate_image_data = find_pattern( ntoskrnl, "\x48\x8B\x05\xCC\xCC\xCC\xCC\x4C\x8B\xD1\x48\x85\xC0", "xxx????xxxxxx" ); 
25 | 	if ( !se_validate_image_data )
26 | 		return STATUS_FAILED_DRIVER_ENTRY;
27 | 
28 | 	auto rva = se_validate_image_header + *( int32_t* )( se_validate_image_header + 3 ) + 7;
29 | 	auto rva2 = se_validate_image_data +  *( int32_t* )( se_validate_image_header + 3 ) + 7;
30 | 	if ( !rva && !rva2 ) {
31 | 		DbgPrintEx( 0, 0, "Fuck\n" );
32 | 		return STATUS_FAILED_DRIVER_ENTRY;
33 | 	}
34 | 
35 | 	DbgPrintEx( 0, 0, "se_validate_image_header %llX\n", rva ); 
36 | 	DbgPrintEx( 0, 0, "se_validate_image_data %llX\n", rva2 );
37 | 
38 | 	auto rop = find_pattern( ntoskrnl, "\xB8\x01\x00\x00\x00\xC3", "xxxxxx" ); 
39 | 	if ( !rop ) {
40 | 		DbgPrintEx( 0, 0, "Fuck\n" );
41 | 		return STATUS_FAILED_DRIVER_ENTRY;
42 | 	}
43 | 
44 | 	//Swap
45 | 	*( uintptr_t* )rva = rop;
46 | 	*( uintptr_t* )rva2 = rop;
47 | 
48 | 	DbgPrintEx( 0, 0, "Swapped to %llX\n", rop ); 
49 | 
50 | 	return STATUS_SUCCESS;
51 | }


--------------------------------------------------------------------------------
/dse_meme/dse_meme/dse_meme.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="Driver Files">
17 |       <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
18 |       <Extensions>inf;inv;inx;mof;mc;</Extensions>
19 |     </Filter>
20 |   </ItemGroup>
21 |   <ItemGroup>
22 |     <Inf Include="dse_meme.inf">
23 |       <Filter>Driver Files</Filter>
24 |     </Inf>
25 |   </ItemGroup>
26 |   <ItemGroup>
27 |     <ClCompile Include="entry.cpp">
28 |       <Filter>Source Files</Filter>
29 |     </ClCompile>
30 |   </ItemGroup>
31 |   <ItemGroup>
32 |     <ClInclude Include="utils\utils.h">
33 |       <Filter>Header Files</Filter>
34 |     </ClInclude>
35 |     <ClInclude Include="structs\windows.h">
36 |       <Filter>Header Files</Filter>
37 |     </ClInclude>
38 |     <ClInclude Include="utils\crt.h">
39 |       <Filter>Header Files</Filter>
40 |     </ClInclude>
41 |   </ItemGroup>
42 | </Project>


--------------------------------------------------------------------------------
/dse_meme/dse_meme.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.8.34511.84
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dse_meme", "dse_meme\dse_meme.vcxproj", "{69AE4AE2-06F4-4C3F-94D1-E3001D5E44BB}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|ARM64 = Debug|ARM64
11 | 		Debug|x64 = Debug|x64
12 | 		Release|ARM64 = Release|ARM64
13 | 		Release|x64 = Release|x64
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{69AE4AE2-06F4-4C3F-94D1-E3001D5E44BB}.Debug|ARM64.ActiveCfg = Debug|ARM64
17 | 		{69AE4AE2-06F4-4C3F-94D1-E3001D5E44BB}.Debug|ARM64.Build.0 = Debug|ARM64
18 | 		{69AE4AE2-06F4-4C3F-94D1-E3001D5E44BB}.Debug|ARM64.Deploy.0 = Debug|ARM64
19 | 		{69AE4AE2-06F4-4C3F-94D1-E3001D5E44BB}.Debug|x64.ActiveCfg = Debug|x64
20 | 		{69AE4AE2-06F4-4C3F-94D1-E3001D5E44BB}.Debug|x64.Build.0 = Debug|x64
21 | 		{69AE4AE2-06F4-4C3F-94D1-E3001D5E44BB}.Debug|x64.Deploy.0 = Debug|x64
22 | 		{69AE4AE2-06F4-4C3F-94D1-E3001D5E44BB}.Release|ARM64.ActiveCfg = Release|ARM64
23 | 		{69AE4AE2-06F4-4C3F-94D1-E3001D5E44BB}.Release|ARM64.Build.0 = Release|ARM64
24 | 		{69AE4AE2-06F4-4C3F-94D1-E3001D5E44BB}.Release|ARM64.Deploy.0 = Release|ARM64
25 | 		{69AE4AE2-06F4-4C3F-94D1-E3001D5E44BB}.Release|x64.ActiveCfg = Release|x64
26 | 		{69AE4AE2-06F4-4C3F-94D1-E3001D5E44BB}.Release|x64.Build.0 = Release|x64
27 | 		{69AE4AE2-06F4-4C3F-94D1-E3001D5E44BB}.Release|x64.Deploy.0 = Release|x64
28 | 	EndGlobalSection
29 | 	GlobalSection(SolutionProperties) = preSolution
30 | 		HideSolutionNode = FALSE
31 | 	EndGlobalSection
32 | 	GlobalSection(ExtensibilityGlobals) = postSolution
33 | 		SolutionGuid = {D32EC0DF-E0EB-4990-87BC-77AF65FB1311}
34 | 	EndGlobalSection
35 | EndGlobal
36 | 


--------------------------------------------------------------------------------
/dse_meme/dse_meme/dse_meme.inf:
--------------------------------------------------------------------------------
 1 | ;
 2 | ; dse_meme.inf
 3 | ;
 4 | 
 5 | [Version]
 6 | Signature="$WINDOWS NT$"
 7 | Class=System ; TODO: specify appropriate Class
 8 | ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318} ; TODO: specify appropriate ClassGuid
 9 | Provider=%ManufacturerName%
10 | CatalogFile=dse_meme.cat
11 | DriverVer= ; TODO: set DriverVer in stampinf property pages
12 | PnpLockdown=1
13 | 
14 | [DestinationDirs]
15 | DefaultDestDir = 12
16 | dse_meme_Device_CoInstaller_CopyFiles = 11
17 | 
18 | [SourceDisksNames]
19 | 1 = %DiskName%,,,""
20 | 
21 | [SourceDisksFiles]
22 | dse_meme.sys  = 1,,
23 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
24 | 
25 | ;*****************************************
26 | ; Install Section
27 | ;*****************************************
28 | 
29 | [Manufacturer]
30 | %ManufacturerName%=Standard,NT$ARCH$
31 | 
32 | [Standard.NT$ARCH$]
33 | %dse_meme.DeviceDesc%=dse_meme_Device, Root\dse_meme ; TODO: edit hw-id
34 | 
35 | [dse_meme_Device.NT]
36 | CopyFiles=Drivers_Dir
37 | 
38 | [Drivers_Dir]
39 | dse_meme.sys
40 | 
41 | ;-------------- Service installation
42 | [dse_meme_Device.NT.Services]
43 | AddService = dse_meme,%SPSVCINST_ASSOCSERVICE%, dse_meme_Service_Inst
44 | 
45 | ; -------------- dse_meme driver install sections
46 | [dse_meme_Service_Inst]
47 | DisplayName    = %dse_meme.SVCDESC%
48 | ServiceType    = 1               ; SERVICE_KERNEL_DRIVER
49 | StartType      = 3               ; SERVICE_DEMAND_START
50 | ErrorControl   = 1               ; SERVICE_ERROR_NORMAL
51 | ServiceBinary  = %12%\dse_meme.sys
52 | 
53 | ;
54 | ;--- dse_meme_Device Coinstaller installation ------
55 | ;
56 | 
57 | [dse_meme_Device.NT.CoInstallers]
58 | AddReg=dse_meme_Device_CoInstaller_AddReg
59 | CopyFiles=dse_meme_Device_CoInstaller_CopyFiles
60 | 
61 | [dse_meme_Device_CoInstaller_AddReg]
62 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
63 | 
64 | [dse_meme_Device_CoInstaller_CopyFiles]
65 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
66 | 
67 | [dse_meme_Device.NT.Wdf]
68 | KmdfService =  dse_meme, dse_meme_wdfsect
69 | [dse_meme_wdfsect]
70 | KmdfLibraryVersion = $KMDFVERSION$
71 | 
72 | [Strings]
73 | SPSVCINST_ASSOCSERVICE= 0x00000002
74 | ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
75 | DiskName = "dse_meme Installation Disk"
76 | dse_meme.DeviceDesc = "dse_meme Device"
77 | dse_meme.SVCDESC = "dse_meme Service"
78 | 


--------------------------------------------------------------------------------
/dse_meme/dse_meme/utils/utils.h:
--------------------------------------------------------------------------------
  1 | #define in_range(x,a,b)    (x >= a && x <= b) 
  2 | #define get_bits( x )    (in_range((x&(~0x20)),'A','F') ? ((x&(~0x20)) - 'A' + 0xA) : (in_range(x,'0','9') ? x - '0' : 0))
  3 | #define get_byte( x )    (get_bits(x[0]) << 4 | get_bits(x[1]))
  4 | #define to_lower_i(Char) ((Char >= 'A' && Char <= 'Z') ? (Char + 32) : Char)
  5 | #define to_lower_c(Char) ((Char >= (char*)'A' && Char <= (char*)'Z') ? (Char + 32) : Char)
  6 | 
  7 | auto get_system_information( SYSTEM_INFORMATION_CLASS InformationClass ) -> void* {
  8 |     unsigned long size = 32;
  9 |     char buffer[ 32 ];
 10 | 
 11 |     ZwQuerySystemInformation( InformationClass, buffer, size, &size );
 12 | 
 13 |     void* info = ExAllocatePoolZero( NonPagedPool, size, 'UD' );
 14 | 
 15 |     if ( !info )
 16 |         return nullptr;
 17 | 
 18 |     if ( !NT_SUCCESS( ZwQuerySystemInformation( InformationClass, info, size, &size ) ) ) {
 19 |         ExFreePool( info );
 20 |         return nullptr;
 21 |     }
 22 | 
 23 |     return info;
 24 | }
 25 | 
 26 | auto get_kernel_module( const char* name ) -> uintptr_t {
 27 |     const auto to_lower = [ ]( char* string ) -> const char* {
 28 |         for ( char* pointer = string; *pointer != '\0'; ++pointer ) {
 29 |             *pointer = ( char )( short )tolower( *pointer );
 30 |         }
 31 | 
 32 |         return string;
 33 |         };
 34 | 
 35 |     const PRTL_PROCESS_MODULES info = ( PRTL_PROCESS_MODULES )get_system_information( SystemModuleInformation );
 36 | 
 37 |     if ( !info )
 38 |         return NULL;
 39 | 
 40 |     for ( size_t i = 0; i < info->NumberOfModules; ++i ) {
 41 |         const auto& mod = info->Modules[ i ];
 42 | 
 43 |         if ( crt::strcmp( to_lower_c( ( char* )mod.FullPathName + mod.OffsetToFileName ), name ) == 0 ) {
 44 |             const void* address = mod.ImageBase;
 45 |             ExFreePool( info );
 46 |             return ( uintptr_t )address;
 47 |         }
 48 |     }
 49 | 
 50 |     ExFreePool( info );
 51 |     return NULL;
 52 | }
 53 | 
 54 | uintptr_t find_pattern( uintptr_t base, size_t range, const char* pattern, const char* mask ) {
 55 |    
 56 |     const auto check_mask = [ ]( const char* base, const char* pattern, const char* mask ) -> bool {
 57 |         for ( ; *mask; ++base, ++pattern, ++mask ) {
 58 |             if ( *mask == 'x' && *base != *pattern ) {
 59 |                 return false;
 60 |             }
 61 |         }
 62 | 
 63 |         return true;
 64 |         };
 65 | 
 66 |     range = range - crt::strlen( mask );
 67 | 
 68 |     for ( size_t i = 0; i < range; ++i ) {
 69 |         if ( check_mask( ( const char* )base + i, pattern, mask ) ) {
 70 |             return base + i;
 71 |         }
 72 |     }
 73 | 
 74 |     return NULL;
 75 | }
 76 | 
 77 | uintptr_t find_pattern( uintptr_t base, const char* pattern, const char* mask ) {
 78 |     const PIMAGE_NT_HEADERS headers = ( PIMAGE_NT_HEADERS )( base + ( ( PIMAGE_DOS_HEADER )base )->e_lfanew );
 79 | 
 80 |     const PIMAGE_SECTION_HEADER sections = IMAGE_FIRST_SECTION( headers );
 81 | 
 82 |     for ( size_t i = 0; i < headers->FileHeader.NumberOfSections; i++ ) {
 83 |         const PIMAGE_SECTION_HEADER section = &sections[ i ];
 84 | 
 85 |         if ( section->Characteristics & IMAGE_SCN_MEM_EXECUTE ) {
 86 |             const auto match = find_pattern( base + section->VirtualAddress, section->Misc.VirtualSize, pattern, mask );
 87 | 
 88 |             if ( match ) {
 89 |                 return match;
 90 |             }
 91 |         }
 92 |     }
 93 | 
 94 |     return 0;
 95 | }
 96 | 
 97 | uintptr_t find_pattern( uintptr_t module_base, const char* pattern ) {
 98 |     auto pattern_ = pattern;
 99 |     uintptr_t first_match = 0;
100 | 
101 |     if ( !module_base ) {
102 |         return 0;
103 |     }
104 | 
105 |     const auto nt = reinterpret_cast< IMAGE_NT_HEADERS* >( module_base + reinterpret_cast< IMAGE_DOS_HEADER* >( module_base )->e_lfanew );
106 | 
107 |     for ( uintptr_t current = module_base; current < module_base + nt->OptionalHeader.SizeOfImage; current++ ) {
108 |         if ( !*pattern_ ) {
109 |             return first_match;
110 |         }
111 | 
112 |         if ( *( BYTE* )pattern_ == '\?' || *( BYTE* )current == get_byte( pattern_ ) ) {
113 |             if ( !first_match )
114 |                 first_match = current;
115 | 
116 |             if ( !pattern_[ 2 ] )
117 |                 return first_match;
118 | 
119 |             if ( *( WORD* )pattern_ == '\?\?' || *( BYTE* )pattern_ != '\?' )
120 |                 pattern_ += 3;
121 | 
122 |             else
123 |                 pattern_ += 2;
124 |         }
125 |         else {
126 |             pattern_ = pattern;
127 |             first_match = 0;
128 |         }
129 |     }
130 | 
131 |     return 0;
132 | }


--------------------------------------------------------------------------------
/dse_meme/dse_meme/dse_meme.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|x64">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>x64</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|x64">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>x64</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|ARM64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>ARM64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|ARM64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>ARM64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <ProjectGuid>{69AE4AE2-06F4-4C3F-94D1-E3001D5E44BB}</ProjectGuid>
 23 |     <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
 24 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
 25 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
 26 |     <Configuration>Debug</Configuration>
 27 |     <Platform Condition="'$(Platform)' == ''">x64</Platform>
 28 |     <RootNamespace>dse_meme</RootNamespace>
 29 |     <WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
 30 |   </PropertyGroup>
 31 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 32 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 33 |     <TargetVersion>Windows10</TargetVersion>
 34 |     <UseDebugLibraries>true</UseDebugLibraries>
 35 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 36 |     <ConfigurationType>Driver</ConfigurationType>
 37 |     <DriverType>KMDF</DriverType>
 38 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 39 |     <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
 40 |   </PropertyGroup>
 41 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 42 |     <TargetVersion>Windows10</TargetVersion>
 43 |     <UseDebugLibraries>false</UseDebugLibraries>
 44 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 45 |     <ConfigurationType>Driver</ConfigurationType>
 46 |     <DriverType>KMDF</DriverType>
 47 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 48 |   </PropertyGroup>
 49 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
 50 |     <TargetVersion>Windows10</TargetVersion>
 51 |     <UseDebugLibraries>true</UseDebugLibraries>
 52 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 53 |     <ConfigurationType>Driver</ConfigurationType>
 54 |     <DriverType>KMDF</DriverType>
 55 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 56 |   </PropertyGroup>
 57 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
 58 |     <TargetVersion>Windows10</TargetVersion>
 59 |     <UseDebugLibraries>false</UseDebugLibraries>
 60 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 61 |     <ConfigurationType>Driver</ConfigurationType>
 62 |     <DriverType>KMDF</DriverType>
 63 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 64 |   </PropertyGroup>
 65 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 66 |   <ImportGroup Label="ExtensionSettings">
 67 |   </ImportGroup>
 68 |   <ImportGroup Label="PropertySheets">
 69 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 70 |   </ImportGroup>
 71 |   <PropertyGroup Label="UserMacros" />
 72 |   <PropertyGroup />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 74 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 77 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
 80 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
 83 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 86 |     <DriverSign>
 87 |       <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
 88 |     </DriverSign>
 89 |     <ClCompile>
 90 |       <LanguageStandard>stdcpp17</LanguageStandard>
 91 |     </ClCompile>
 92 |     <ClCompile>
 93 |       <LanguageStandard_C>stdc11</LanguageStandard_C>
 94 |       <TreatWarningAsError>false</TreatWarningAsError>
 95 |     </ClCompile>
 96 |     <Link>
 97 |       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
 98 |     </Link>
 99 |   </ItemDefinitionGroup>
100 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
101 |     <DriverSign>
102 |       <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
103 |     </DriverSign>
104 |   </ItemDefinitionGroup>
105 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
106 |     <DriverSign>
107 |       <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
108 |     </DriverSign>
109 |   </ItemDefinitionGroup>
110 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
111 |     <DriverSign>
112 |       <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
113 |     </DriverSign>
114 |   </ItemDefinitionGroup>
115 |   <ItemGroup>
116 |     <Inf Include="dse_meme.inf" />
117 |   </ItemGroup>
118 |   <ItemGroup>
119 |     <FilesToPackage Include="$(TargetPath)" />
120 |   </ItemGroup>
121 |   <ItemGroup>
122 |     <ClCompile Include="entry.cpp" />
123 |   </ItemGroup>
124 |   <ItemGroup>
125 |     <ClInclude Include="structs\windows.h" />
126 |     <ClInclude Include="utils\crt.h" />
127 |     <ClInclude Include="utils\utils.h" />
128 |   </ItemGroup>
129 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
130 |   <ImportGroup Label="ExtensionTargets">
131 |   </ImportGroup>
132 | </Project>


--------------------------------------------------------------------------------
/dse_meme/dse_meme/structs/windows.h:
--------------------------------------------------------------------------------
  1 | constexpr auto SystemExtendedHandleInformation = 64;
  2 | 
  3 | typedef unsigned int uint32_t;
  4 | 
  5 | typedef struct _RTL_PROCESS_MODULE_INFORMATION {
  6 |     HANDLE Section;
  7 |     PVOID MappedBase;
  8 |     PVOID ImageBase;
  9 |     ULONG ImageSize;
 10 |     ULONG Flags;
 11 |     USHORT LoadOrderIndex;
 12 |     USHORT InitOrderIndex;
 13 |     USHORT LoadCount;
 14 |     USHORT OffsetToFileName;
 15 |     UCHAR  FullPathName[ 256 ];
 16 | } RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
 17 | 
 18 | typedef struct _POOL_TRACKER_BIG_PAGES {
 19 |     volatile unsigned long long va;                                                  //0x0
 20 |     ULONG key;                                                              //0x8
 21 |     ULONG pattern : 8;                                                        //0xc
 22 |     ULONG pool_type : 12;                                                      //0xc
 23 |     ULONG slush_size : 12;                                                     //0xc
 24 |     ULONGLONG number_of_bytes;                                                //0x10
 25 | }POOL_TRACKER_BIG_PAGES, * PPOOL_TRACKER_BIG_PAGES;
 26 | 
 27 | typedef struct _RTL_PROCESS_MODULES {
 28 |     ULONG NumberOfModules;
 29 |     RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
 30 | } RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
 31 | 
 32 | typedef struct _LDR_DATA_TABLE_ENTRY {
 33 |     LIST_ENTRY InLoadOrderLinks;
 34 |     LIST_ENTRY InMemoryOrderLinks;
 35 |     LIST_ENTRY InInitializationOrderLinks;
 36 |     PVOID DllBase;
 37 |     PVOID EntryPoint;
 38 |     ULONG SizeOfImage;
 39 |     UNICODE_STRING FullDllName;
 40 |     UNICODE_STRING BaseDllName;
 41 |     ULONG Flags;
 42 |     WORD LoadCount;
 43 |     WORD TlsIndex;
 44 |     union {
 45 |         LIST_ENTRY HashLinks;
 46 |         struct {
 47 |             PVOID SectionPointer;
 48 |             ULONG CheckSum;
 49 |         };
 50 |     };
 51 |     union {
 52 |         ULONG TimeDateStamp;
 53 |         PVOID LoadedImports;
 54 |     };
 55 |     VOID* EntryPointActivationContext;
 56 |     PVOID PatchInformation;
 57 |     LIST_ENTRY ForwarderLinks;
 58 |     LIST_ENTRY ServiceTagLinks;
 59 |     LIST_ENTRY StaticLinks;
 60 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
 61 | 
 62 | typedef struct _RTL_CRITICAL_SECTION {
 63 |     VOID* DebugInfo;
 64 |     LONG LockCount;
 65 |     LONG RecursionCount;
 66 |     PVOID OwningThread;
 67 |     PVOID LockSemaphore;
 68 |     ULONG SpinCount;
 69 | } RTL_CRITICAL_SECTION, * PRTL_CRITICAL_SECTION;
 70 | 
 71 | typedef struct _PEB_LDR_DATA {
 72 |     ULONG Length;
 73 |     UCHAR Initialized;
 74 |     PVOID SsHandle;
 75 |     LIST_ENTRY InLoadOrderModuleList;
 76 |     LIST_ENTRY InMemoryOrderModuleList;
 77 |     LIST_ENTRY InInitializationOrderModuleList;
 78 |     PVOID EntryInProgress;
 79 | } PEB_LDR_DATA, * PPEB_LDR_DATA;
 80 | 
 81 | typedef struct _PEB {
 82 |     UCHAR InheritedAddressSpace;
 83 |     UCHAR ReadImageFileExecOptions;
 84 |     UCHAR BeingDebugged;
 85 |     UCHAR BitField;
 86 |     ULONG ImageUsesLargePages : 1;
 87 |     ULONG IsProtectedProcess : 1;
 88 |     ULONG IsLegacyProcess : 1;
 89 |     ULONG IsImageDynamicallyRelocated : 1;
 90 |     ULONG SpareBits : 4;
 91 |     PVOID Mutant;
 92 |     PVOID ImageBaseAddress;
 93 |     PPEB_LDR_DATA Ldr;
 94 |     VOID* ProcessParameters;
 95 |     PVOID SubSystemData;
 96 |     PVOID ProcessHeap;
 97 |     PRTL_CRITICAL_SECTION FastPebLock;
 98 |     PVOID AtlThunkSListPtr;
 99 |     PVOID IFEOKey;
100 |     ULONG CrossProcessFlags;
101 |     ULONG ProcessInJob : 1;
102 |     ULONG ProcessInitializing : 1;
103 |     ULONG ReservedBits0 : 30;
104 |     union {
105 |         PVOID KernelCallbackTable;
106 |         PVOID UserSharedInfoPtr;
107 |     };
108 |     ULONG SystemReserved[ 1 ];
109 |     ULONG SpareUlong;
110 |     VOID* FreeList;
111 |     ULONG TlsExpansionCounter;
112 |     PVOID TlsBitmap;
113 |     ULONG TlsBitmapBits[ 2 ];
114 |     PVOID ReadOnlySharedMemoryBase;
115 |     PVOID HotpatchInformation;
116 |     VOID** ReadOnlyStaticServerData;
117 |     PVOID AnsiCodePageData;
118 |     PVOID OemCodePageData;
119 |     PVOID UnicodeCaseTableData;
120 |     ULONG NumberOfProcessors;
121 |     ULONG NtGlobalFlag;
122 |     LARGE_INTEGER CriticalSectionTimeout;
123 |     ULONG HeapSegmentReserve;
124 |     ULONG HeapSegmentCommit;
125 |     ULONG HeapDeCommitTotalFreeThreshold;
126 |     ULONG HeapDeCommitFreeBlockThreshold;
127 |     ULONG NumberOfHeaps;
128 |     ULONG MaximumNumberOfHeaps;
129 |     VOID** ProcessHeaps;
130 |     PVOID GdiSharedHandleTable;
131 |     PVOID ProcessStarterHelper;
132 |     ULONG GdiDCAttributeList;
133 |     PRTL_CRITICAL_SECTION LoaderLock;
134 |     ULONG OSMajorVersion;
135 |     ULONG OSMinorVersion;
136 |     WORD OSBuildNumber;
137 |     WORD OSCSDVersion;
138 |     ULONG OSPlatformId;
139 |     ULONG ImageSubsystem;
140 |     ULONG ImageSubsystemMajorVersion;
141 |     ULONG ImageSubsystemMinorVersion;
142 |     ULONG ImageProcessAffinityMask;
143 |     ULONG GdiHandleBuffer[ 34 ];
144 |     PVOID PostProcessInitRoutine;
145 |     PVOID TlsExpansionBitmap;
146 |     ULONG TlsExpansionBitmapBits[ 32 ];
147 |     ULONG SessionId;
148 |     ULARGE_INTEGER AppCompatFlags;
149 |     ULARGE_INTEGER AppCompatFlagsUser;
150 |     PVOID pShimData;
151 |     PVOID AppCompatInfo;
152 |     UNICODE_STRING CSDVersion;
153 |     VOID* ActivationContextData;
154 |     VOID* ProcessAssemblyStorageMap;
155 |     VOID* SystemDefaultActivationContextData;
156 |     VOID* SystemAssemblyStorageMap;
157 |     ULONG MinimumStackCommit;
158 |     VOID* FlsCallback;
159 |     LIST_ENTRY FlsListHead;
160 |     PVOID FlsBitmap;
161 |     ULONG FlsBitmapBits[ 4 ];
162 |     ULONG FlsHighIndex;
163 |     PVOID WerRegistrationData;
164 |     PVOID WerShipAssertPtr;
165 | } PEB, * PPEB;
166 | 
167 | typedef enum _SYSTEM_INFORMATION_CLASS {
168 |     SystemBasicInformation,
169 |     SystemProcessorInformation,
170 |     SystemPerformanceInformation,
171 |     SystemTimeOfDayInformation,
172 |     SystemPathInformation,
173 |     SystemProcessInformation,
174 |     SystemCallCountInformation,
175 |     SystemDeviceInformation,
176 |     SystemProcessorPerformanceInformation,
177 |     SystemFlagsInformation,
178 |     SystemCallTimeInformation,
179 |     SystemModuleInformation,
180 |     SystemLocksInformation,
181 |     SystemStackTraceInformation,
182 |     SystemPagedPoolInformation,
183 |     SystemNonPagedPoolInformation,
184 |     SystemHandleInformation,
185 |     SystemObjectInformation,
186 |     SystemPageFileInformation,
187 |     SystemVdmInstemulInformation,
188 |     SystemVdmBopInformation,
189 |     SystemFileCacheInformation,
190 |     SystemPoolTagInformation,
191 |     SystemInterruptInformation,
192 |     SystemDpcBehaviorInformation,
193 |     SystemFullMemoryInformation,
194 |     SystemLoadGdiDriverInformation,
195 |     SystemUnloadGdiDriverInformation,
196 |     SystemTimeAdjustmentInformation,
197 |     SystemSummaryMemoryInformation,
198 |     SystemNextEventIdInformation,
199 |     SystemEventIdsInformation,
200 |     SystemCrashDumpInformation,
201 |     SystemExceptionInformation,
202 |     SystemCrashDumpStateInformation,
203 |     SystemKernelDebuggerInformation,
204 |     SystemContextSwitchInformation,
205 |     SystemRegistryQuotaInformation,
206 |     SystemExtendServiceTableInformation,
207 |     SystemPrioritySeperation,
208 |     SystemPlugPlayBusInformation,
209 |     SystemDockInformation,
210 |     SystemProcessorSpeedInformation,
211 |     SystemCurrentTimeZoneInformation,
212 |     SystemLookasideInformation,
213 |     system_bigpool_information = 0x42,
214 | } SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;
215 | 
216 | 
217 | 
218 | extern "C"
219 | {
220 |     NTKERNELAPI NTSTATUS NTAPI ZwQuerySystemInformation(
221 |         _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
222 |         _Inout_ PVOID SystemInformation,
223 |         _In_ ULONG SystemInformationLength,
224 |         _Out_opt_ PULONG ReturnLength
225 |     );
226 | 
227 |   
228 | 
229 | }
230 | 
231 | 


--------------------------------------------------------------------------------