├── Atapi.hpp
├── Entry.cpp
├── FakeDriver.sln
├── FakeDriver.vcxproj
├── FakeDriver.vcxproj.filters
├── FakeDriver.vcxproj.user
├── IDA_Defs.hpp
├── Imports.hpp
├── README.md
└── Utils.hpp


/Atapi.hpp:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include <version>  // For C++20 feature checking
 4 | #include "IDA_Defs.hpp" 
 5 | 
 6 | class Atapi {
 7 | public:
 8 | 	static Atapi* Get( ) {
 9 | 		static Atapi instance;
10 | 		return &instance;
11 | 	}
12 | 
13 | 	char __fastcall EmulateHwBuildIoRoutine( __int64 a1, __int64 a2 )
14 | 	{
15 |         if ( ( *( _DWORD* )( a1 + 136 ) & 8 ) != 0 && ( *( _DWORD* )( a2 + 24 ) & 3 ) != 0 )
16 |         {
17 |             if ( ( *( _WORD* )a2 & 0x200 ) != 0 )
18 |                 *( _DWORD* )( a2 + 16 ) &= ~2u;
19 |             else
20 |                 *( _BYTE* )( a2 + 2 ) = 4;
21 |         }
22 |         if ( ( *( _DWORD* )( a1 + 136 ) & 0x10 ) != 0
23 |             && *( _DWORD* )( a2 + 24 ) > 0x2000u
24 |             && ( *( _DWORD* )( a2 + 24 ) & 0x1FFFu ) - 1 <= 0x1FE )
25 |         {
26 |             if ( ( *( _WORD* )a2 & 0x200 ) != 0 )
27 |                 *( _DWORD* )( a2 + 16 ) &= ~2u;
28 |             else
29 |                 *( _BYTE* )( a2 + 2 ) = 4;
30 |         }
31 |         return 1;
32 | 	}
33 | };


--------------------------------------------------------------------------------
/Entry.cpp:
--------------------------------------------------------------------------------
 1 | #include "Imports.hpp"
 2 | char( __fastcall * o_AtapiHwBuildIo )( ... );
 3 | char __fastcall hk_AtapiHwBuildIo( __int64 a1, __int64 a2 )
 4 | {
 5 | 	/* Execute anything..*/
 6 | 	return Atapi::Get( )->EmulateHwBuildIoRoutine( a1, a2 );
 7 | } 
 8 | 
 9 | NTSTATUS DriverEntry( PDRIVER_OBJECT Arg1, PUNICODE_STRING Arg2 )
10 | {
11 | 	/* Locate the vulnerable driver's base address
12 | 	   Could also be obtained from PEB->ImageBaseAddress but CBA :/ */
13 | 	const auto AtapiBaseAddress = Utils::Get( )->DrvBase( "atapi.sys" );
14 | 	if ( !AtapiBaseAddress )
15 | 		return 2;
16 | 
17 | 	/* Function called upon driver initialization routine */
18 | 	const auto AtapiHwBuildIo = Utils::Get( )->FindSignatureInDriver( reinterpret_cast< PDRIVER_OBJECT >( AtapiBaseAddress ), "48 89 4A 10 48 8D 0D ? ? ? ?", 0x1000 );
19 | 	if ( !AtapiBaseAddress )
20 | 		return 3;
21 | 
22 | 	o_AtapiHwBuildIo = ( char( * )( ... ) )AtapiHwBuildIo;
23 | 	o_AtapiHwBuildIo = ( char( * )( ... ) )InterlockedExchangePointer( ( PVOID* )&AtapiHwBuildIo, ( PVOID )hk_AtapiHwBuildIo );
24 | 
25 | 	/* Swap it */ 
26 | 	InterlockedExchangePointer( ( PVOID* )&AtapiHwBuildIo, o_AtapiHwBuildIo );
27 | 
28 | 	return STATUS_SUCCESS;
29 | }


--------------------------------------------------------------------------------
/FakeDriver.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.7.34009.444
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FakeDriver", "FakeDriver.vcxproj", "{A1B3991B-09DC-4DC0-A6D0-888F85F2B389}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|ARM64 = Debug|ARM64
11 | 		Debug|x64 = Debug|x64
12 | 		Release|ARM64 = Release|ARM64
13 | 		Release|x64 = Release|x64
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{A1B3991B-09DC-4DC0-A6D0-888F85F2B389}.Debug|ARM64.ActiveCfg = Debug|ARM64
17 | 		{A1B3991B-09DC-4DC0-A6D0-888F85F2B389}.Debug|ARM64.Build.0 = Debug|ARM64
18 | 		{A1B3991B-09DC-4DC0-A6D0-888F85F2B389}.Debug|ARM64.Deploy.0 = Debug|ARM64
19 | 		{A1B3991B-09DC-4DC0-A6D0-888F85F2B389}.Debug|x64.ActiveCfg = Debug|x64
20 | 		{A1B3991B-09DC-4DC0-A6D0-888F85F2B389}.Debug|x64.Build.0 = Debug|x64
21 | 		{A1B3991B-09DC-4DC0-A6D0-888F85F2B389}.Debug|x64.Deploy.0 = Debug|x64
22 | 		{A1B3991B-09DC-4DC0-A6D0-888F85F2B389}.Release|ARM64.ActiveCfg = Release|ARM64
23 | 		{A1B3991B-09DC-4DC0-A6D0-888F85F2B389}.Release|ARM64.Build.0 = Release|ARM64
24 | 		{A1B3991B-09DC-4DC0-A6D0-888F85F2B389}.Release|ARM64.Deploy.0 = Release|ARM64
25 | 		{A1B3991B-09DC-4DC0-A6D0-888F85F2B389}.Release|x64.ActiveCfg = Release|x64
26 | 		{A1B3991B-09DC-4DC0-A6D0-888F85F2B389}.Release|x64.Build.0 = Release|x64
27 | 		{A1B3991B-09DC-4DC0-A6D0-888F85F2B389}.Release|x64.Deploy.0 = Release|x64
28 | 	EndGlobalSection
29 | 	GlobalSection(SolutionProperties) = preSolution
30 | 		HideSolutionNode = FALSE
31 | 	EndGlobalSection
32 | 	GlobalSection(ExtensibilityGlobals) = postSolution
33 | 		SolutionGuid = {8AD49645-E1A1-423C-8462-0032B577DD81}
34 | 	EndGlobalSection
35 | EndGlobal
36 | 


--------------------------------------------------------------------------------
/FakeDriver.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|x64">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>x64</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|x64">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>x64</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|ARM64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>ARM64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|ARM64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>ARM64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <ProjectGuid>{A1B3991B-09DC-4DC0-A6D0-888F85F2B389}</ProjectGuid>
 23 |     <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
 24 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
 25 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
 26 |     <Configuration>Debug</Configuration>
 27 |     <Platform Condition="'$(Platform)' == ''">x64</Platform>
 28 |     <RootNamespace>FakeDriver</RootNamespace>
 29 |   </PropertyGroup>
 30 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 31 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 32 |     <TargetVersion>Windows10</TargetVersion>
 33 |     <UseDebugLibraries>true</UseDebugLibraries>
 34 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 35 |     <ConfigurationType>Driver</ConfigurationType>
 36 |     <DriverType>KMDF</DriverType>
 37 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 38 |   </PropertyGroup>
 39 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 40 |     <TargetVersion>Windows10</TargetVersion>
 41 |     <UseDebugLibraries>false</UseDebugLibraries>
 42 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 43 |     <ConfigurationType>Driver</ConfigurationType>
 44 |     <DriverType>KMDF</DriverType>
 45 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 46 |     <Driver_SpectreMitigation>Spectre</Driver_SpectreMitigation>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
 49 |     <TargetVersion>Windows10</TargetVersion>
 50 |     <UseDebugLibraries>true</UseDebugLibraries>
 51 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 52 |     <ConfigurationType>Driver</ConfigurationType>
 53 |     <DriverType>KMDF</DriverType>
 54 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 55 |   </PropertyGroup>
 56 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
 57 |     <TargetVersion>Windows10</TargetVersion>
 58 |     <UseDebugLibraries>false</UseDebugLibraries>
 59 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 60 |     <ConfigurationType>Driver</ConfigurationType>
 61 |     <DriverType>KMDF</DriverType>
 62 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 63 |   </PropertyGroup>
 64 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 65 |   <ImportGroup Label="ExtensionSettings">
 66 |   </ImportGroup>
 67 |   <ImportGroup Label="PropertySheets">
 68 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 69 |   </ImportGroup>
 70 |   <PropertyGroup Label="UserMacros" />
 71 |   <PropertyGroup />
 72 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 73 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
 74 |   </PropertyGroup>
 75 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 76 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
 77 |   </PropertyGroup>
 78 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
 79 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
 80 |   </PropertyGroup>
 81 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
 82 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
 83 |   </PropertyGroup>
 84 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 85 |     <DriverSign>
 86 |       <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
 87 |     </DriverSign>
 88 |   </ItemDefinitionGroup>
 89 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 90 |     <DriverSign>
 91 |       <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
 92 |     </DriverSign>
 93 |     <Link>
 94 |       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
 95 |     </Link>
 96 |     <ClCompile>
 97 |       <TreatWarningAsError>false</TreatWarningAsError>
 98 |     </ClCompile>
 99 |   </ItemDefinitionGroup>
100 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
101 |     <DriverSign>
102 |       <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
103 |     </DriverSign>
104 |   </ItemDefinitionGroup>
105 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
106 |     <DriverSign>
107 |       <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
108 |     </DriverSign>
109 |   </ItemDefinitionGroup>
110 |   <ItemGroup>
111 |     <FilesToPackage Include="$(TargetPath)" />
112 |   </ItemGroup>
113 |   <ItemGroup>
114 |     <ClInclude Include="Atapi.hpp" />
115 |     <ClInclude Include="IDA_Defs.hpp" />
116 |     <ClInclude Include="Imports.hpp" />
117 |     <ClInclude Include="Utils.hpp" />
118 |   </ItemGroup>
119 |   <ItemGroup>
120 |     <ClCompile Include="Entry.cpp" />
121 |   </ItemGroup>
122 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
123 |   <ImportGroup Label="ExtensionTargets">
124 |   </ImportGroup>
125 | </Project>


--------------------------------------------------------------------------------
/FakeDriver.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Components">
 5 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
 6 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
 7 |     </Filter>
 8 |   </ItemGroup>
 9 |   <ItemGroup>
10 |     <ClInclude Include="Imports.hpp">
11 |       <Filter>Components</Filter>
12 |     </ClInclude>
13 |     <ClInclude Include="Utils.hpp">
14 |       <Filter>Components</Filter>
15 |     </ClInclude>
16 |     <ClInclude Include="Atapi.hpp">
17 |       <Filter>Components</Filter>
18 |     </ClInclude>
19 |     <ClInclude Include="IDA_Defs.hpp">
20 |       <Filter>Components</Filter>
21 |     </ClInclude>
22 |   </ItemGroup>
23 |   <ItemGroup>
24 |     <ClCompile Include="Entry.cpp" />
25 |   </ItemGroup>
26 | </Project>


--------------------------------------------------------------------------------
/FakeDriver.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
4 |     <SignMode>Off</SignMode>
5 |   </PropertyGroup>
6 | </Project>


--------------------------------------------------------------------------------
/IDA_Defs.hpp:
--------------------------------------------------------------------------------
  1 | /*
  2 | 
  3 |    This file contains definitions used by the Hex-Rays decompiler output.
  4 |    It has type definitions and convenience macros to make the
  5 |    output more readable.
  6 | 
  7 |    Copyright (c) 2007-2017 Hex-Rays
  8 | 
  9 | */
 10 | 
 11 | #ifndef HEXRAYS_DEFS_H
 12 | #define HEXRAYS_DEFS_H
 13 | 
 14 | #if defined(__GNUC__)
 15 | typedef          long long ll;
 16 | typedef unsigned long long ull;
 17 | #define __int64 long long
 18 | #define __int32 int
 19 | #define __int16 short
 20 | #define __int8  char
 21 | #define MAKELL(num) num ## LL
 22 | #define FMT_64 "ll"
 23 | #elif defined(_MSC_VER)
 24 | typedef          __int64 ll;
 25 | typedef unsigned __int64 ull;
 26 | #define MAKELL(num) num ## i64
 27 | #define FMT_64 "I64"
 28 | #elif defined (__BORLANDC__)
 29 | typedef          __int64 ll;
 30 | typedef unsigned __int64 ull;
 31 | #define MAKELL(num) num ## i64
 32 | #define FMT_64 "L"
 33 | #else
 34 | #error "unknown compiler"
 35 | #endif
 36 | typedef unsigned int uint;
 37 | typedef unsigned char uchar;
 38 | typedef unsigned short ushort;
 39 | typedef unsigned long ulong;
 40 | 
 41 | typedef          char   int8;
 42 | typedef   signed char   sint8;
 43 | typedef unsigned char   uint8;
 44 | typedef          short  int16;
 45 | typedef   signed short  sint16;
 46 | typedef unsigned short  uint16;
 47 | typedef          int    int32;
 48 | typedef   signed int    sint32;
 49 | typedef unsigned int    uint32;
 50 | typedef ll              int64;
 51 | typedef ll              sint64;
 52 | typedef ull             uint64;
 53 | 
 54 | // Partially defined types. They are used when the decompiler does not know
 55 | // anything about the type except its size.
 56 | #define _BYTE  uint8
 57 | #define _WORD  uint16
 58 | #define _DWORD uint32
 59 | #define _QWORD uint64
 60 | #if !defined(_MSC_VER)
 61 | #define _LONGLONG __int128
 62 | #endif
 63 | 
 64 | // Non-standard boolean types. They are used when the decompiler can not use
 65 | // the standard "bool" type because of the size mistmatch but the possible
 66 | // values are only 0 and 1. See also 'BOOL' type below.
 67 | typedef int8 _BOOL1;
 68 | typedef int16 _BOOL2;
 69 | typedef int32 _BOOL4;
 70 | 
 71 | #ifndef _WINDOWS_
 72 | typedef int8 BYTE;
 73 | typedef int16 WORD;
 74 | typedef int32 DWORD;
 75 | typedef int32 LONG;
 76 | typedef int BOOL;       // uppercase BOOL is usually 4 bytes
 77 | #endif
 78 | typedef int64 QWORD;
 79 | #ifndef __cplusplus
 80 | typedef int bool;       // we want to use bool in our C programs
 81 | #endif
 82 | 
 83 | #define __pure          // pure function: always returns the same value, has no
 84 | // side effects
 85 | 
 86 | // Non-returning function
 87 | #if defined(__GNUC__)
 88 | #define __noreturn  __attribute__((noreturn))
 89 | #else
 90 | #define __noreturn  __declspec(noreturn)
 91 | #endif
 92 | 
 93 | 
 94 | #ifndef NULL
 95 | #define NULL 0
 96 | #endif
 97 | 
 98 | // Some convenience macros to make partial accesses nicer
 99 | #define LAST_IND(x,part_type)    (sizeof(x)/sizeof(part_type) - 1)
100 | #if defined(__BYTE_ORDER) && __BYTE_ORDER == __BIG_ENDIAN
101 | #  define LOW_IND(x,part_type)   LAST_IND(x,part_type)
102 | #  define HIGH_IND(x,part_type)  0
103 | #else
104 | #  define HIGH_IND(x,part_type)  LAST_IND(x,part_type)
105 | #  define LOW_IND(x,part_type)   0
106 | #endif
107 | // first unsigned macros:
108 | #define BYTEn(x, n)   (*((_BYTE*)&(x)+n))
109 | #define WORDn(x, n)   (*((_WORD*)&(x)+n))
110 | #define DWORDn(x, n)  (*((_DWORD*)&(x)+n))
111 | 
112 | #define LOBYTE(x)  BYTEn(x,LOW_IND(x,_BYTE))
113 | #define LOWORD(x)  WORDn(x,LOW_IND(x,_WORD))
114 | #define LODWORD(x) DWORDn(x,LOW_IND(x,_DWORD))
115 | #define HIBYTE(x)  BYTEn(x,HIGH_IND(x,_BYTE))
116 | #define HIWORD(x)  WORDn(x,HIGH_IND(x,_WORD))
117 | #define HIDWORD(x) DWORDn(x,HIGH_IND(x,_DWORD))
118 | #define BYTE1(x)   BYTEn(x,  1)         // byte 1 (counting from 0)
119 | #define BYTE2(x)   BYTEn(x,  2)
120 | #define BYTE3(x)   BYTEn(x,  3)
121 | #define BYTE4(x)   BYTEn(x,  4)
122 | #define BYTE5(x)   BYTEn(x,  5)
123 | #define BYTE6(x)   BYTEn(x,  6)
124 | #define BYTE7(x)   BYTEn(x,  7)
125 | #define BYTE8(x)   BYTEn(x,  8)
126 | #define BYTE9(x)   BYTEn(x,  9)
127 | #define BYTE10(x)  BYTEn(x, 10)
128 | #define BYTE11(x)  BYTEn(x, 11)
129 | #define BYTE12(x)  BYTEn(x, 12)
130 | #define BYTE13(x)  BYTEn(x, 13)
131 | #define BYTE14(x)  BYTEn(x, 14)
132 | #define BYTE15(x)  BYTEn(x, 15)
133 | #define WORD1(x)   WORDn(x,  1)
134 | #define WORD2(x)   WORDn(x,  2)         // third word of the object, unsigned
135 | #define WORD3(x)   WORDn(x,  3)
136 | #define WORD4(x)   WORDn(x,  4)
137 | #define WORD5(x)   WORDn(x,  5)
138 | #define WORD6(x)   WORDn(x,  6)
139 | #define WORD7(x)   WORDn(x,  7)
140 | 
141 | // now signed macros (the same but with sign extension)
142 | #define SBYTEn(x, n)   (*((int8*)&(x)+n))
143 | #define SWORDn(x, n)   (*((int16*)&(x)+n))
144 | #define SDWORDn(x, n)  (*((int32*)&(x)+n))
145 | 
146 | #define SLOBYTE(x)  SBYTEn(x,LOW_IND(x,int8))
147 | #define SLOWORD(x)  SWORDn(x,LOW_IND(x,int16))
148 | #define SLODWORD(x) SDWORDn(x,LOW_IND(x,int32))
149 | #define SHIBYTE(x)  SBYTEn(x,HIGH_IND(x,int8))
150 | #define SHIWORD(x)  SWORDn(x,HIGH_IND(x,int16))
151 | #define SHIDWORD(x) SDWORDn(x,HIGH_IND(x,int32))
152 | #define SBYTE1(x)   SBYTEn(x,  1)
153 | #define SBYTE2(x)   SBYTEn(x,  2)
154 | #define SBYTE3(x)   SBYTEn(x,  3)
155 | #define SBYTE4(x)   SBYTEn(x,  4)
156 | #define SBYTE5(x)   SBYTEn(x,  5)
157 | #define SBYTE6(x)   SBYTEn(x,  6)
158 | #define SBYTE7(x)   SBYTEn(x,  7)
159 | #define SBYTE8(x)   SBYTEn(x,  8)
160 | #define SBYTE9(x)   SBYTEn(x,  9)
161 | #define SBYTE10(x)  SBYTEn(x, 10)
162 | #define SBYTE11(x)  SBYTEn(x, 11)
163 | #define SBYTE12(x)  SBYTEn(x, 12)
164 | #define SBYTE13(x)  SBYTEn(x, 13)
165 | #define SBYTE14(x)  SBYTEn(x, 14)
166 | #define SBYTE15(x)  SBYTEn(x, 15)
167 | #define SWORD1(x)   SWORDn(x,  1)
168 | #define SWORD2(x)   SWORDn(x,  2)
169 | #define SWORD3(x)   SWORDn(x,  3)
170 | #define SWORD4(x)   SWORDn(x,  4)
171 | #define SWORD5(x)   SWORDn(x,  5)
172 | #define SWORD6(x)   SWORDn(x,  6)
173 | #define SWORD7(x)   SWORDn(x,  7)
174 | 
175 | 
176 | // Helper functions to represent some assembly instructions.
177 | 
178 | #ifdef __cplusplus
179 | 
180 | // compile time assertion
181 | #define __CASSERT_N0__(l) COMPILE_TIME_ASSERT_ ## l
182 | #define __CASSERT_N1__(l) __CASSERT_N0__(l)
183 | #define CASSERT(cnd) typedef char __CASSERT_N1__(__LINE__) [(cnd) ? 1 : -1]
184 | 
185 | // check that unsigned multiplication does not overflow
186 | template<class T> bool is_mul_ok( T count, T elsize )
187 | {
188 |     CASSERT( ( T )( -1 ) > 0 ); // make sure T is unsigned
189 |     if ( elsize == 0 || count == 0 )
190 |         return true;
191 |     return count <= ( ( T )( -1 ) ) / elsize;
192 | }
193 | 
194 | // multiplication that saturates (yields the biggest value) instead of overflowing
195 | // such a construct is useful in "operator new[]"
196 | template<class T> bool saturated_mul( T count, T elsize )
197 | {
198 |     return is_mul_ok( count, elsize ) ? count * elsize : T( -1 );
199 | }
200 | 
201 | #include <stddef.h> // for size_t
202 | 
203 | // memcpy() with determined behavoir: it always copies
204 | // from the start to the end of the buffer
205 | // note: it copies byte by byte, so it is not equivalent to, for example, rep movsd
206 | inline void* qmemcpy( void* dst, const void* src, size_t cnt )
207 | {
208 |     char* out = ( char* )dst;
209 |     const char* in = ( const char* )src;
210 |     while ( cnt > 0 )
211 |     {
212 |         *out++ = *in++;
213 |         --cnt;
214 |     }
215 |     return dst;
216 | }
217 | 
218 | // Generate a reference to pair of operands
219 | template<class T>  int16 __PAIR__( int8  high, T low ) { return ( ( ( int16 )high ) << sizeof( high ) * 8 ) | uint8( low ); }
220 | template<class T>  int32 __PAIR__( int16 high, T low ) { return ( ( ( int32 )high ) << sizeof( high ) * 8 ) | uint16( low ); }
221 | template<class T>  int64 __PAIR__( int32 high, T low ) { return ( ( ( int64 )high ) << sizeof( high ) * 8 ) | uint32( low ); }
222 | template<class T> uint16 __PAIR__( uint8  high, T low ) { return ( ( ( uint16 )high ) << sizeof( high ) * 8 ) | uint8( low ); }
223 | template<class T> uint32 __PAIR__( uint16 high, T low ) { return ( ( ( uint32 )high ) << sizeof( high ) * 8 ) | uint16( low ); }
224 | template<class T> uint64 __PAIR__( uint32 high, T low ) { return ( ( ( uint64 )high ) << sizeof( high ) * 8 ) | uint32( low ); }
225 | 
226 | // rotate left
227 | template<class T> T __ROL__( T value, int count )
228 | {
229 |     const uint nbits = sizeof( T ) * 8;
230 | 
231 |     if ( count > 0 )
232 |     {
233 |         count %= nbits;
234 |         T high = value >> ( nbits - count );
235 |         if ( T( -1 ) < 0 ) // signed value
236 |             high &= ~( ( T( -1 ) << count ) );
237 |         value <<= count;
238 |         value |= high;
239 |     }
240 |     else
241 |     {
242 |         count = -count % nbits;
243 |         T low = value << ( nbits - count );
244 |         value >>= count;
245 |         value |= low;
246 |     }
247 |     return value;
248 | }
249 | 
250 | inline uint8  __ROL1__( uint8  value, int count ) { return __ROL__( ( uint8 )value, count ); }
251 | inline uint16 __ROL2__( uint16 value, int count ) { return __ROL__( ( uint16 )value, count ); }
252 | inline uint32 __ROL4__( uint32 value, int count ) { return __ROL__( ( uint32 )value, count ); }
253 | inline uint64 __ROL8__( uint64 value, int count ) { return __ROL__( ( uint64 )value, count ); }
254 | inline uint8  __ROR1__( uint8  value, int count ) { return __ROL__( ( uint8 )value, -count ); }
255 | inline uint16 __ROR2__( uint16 value, int count ) { return __ROL__( ( uint16 )value, -count ); }
256 | inline uint32 __ROR4__( uint32 value, int count ) { return __ROL__( ( uint32 )value, -count ); }
257 | inline uint64 __ROR8__( uint64 value, int count ) { return __ROL__( ( uint64 )value, -count ); }
258 | 
259 | // carry flag of left shift
260 | template<class T> int8 __MKCSHL__( T value, uint count )
261 | {
262 |     const uint nbits = sizeof( T ) * 8;
263 |     count %= nbits;
264 | 
265 |     return ( value >> ( nbits - count ) ) & 1;
266 | }
267 | 
268 | // carry flag of right shift
269 | template<class T> int8 __MKCSHR__( T value, uint count )
270 | {
271 |     return ( value >> ( count - 1 ) ) & 1;
272 | }
273 | 
274 | // sign flag
275 | template<class T> int8 __SETS__( T x )
276 | {
277 |     if ( sizeof( T ) == 1 )
278 |         return int8( x ) < 0;
279 |     if ( sizeof( T ) == 2 )
280 |         return int16( x ) < 0;
281 |     if ( sizeof( T ) == 4 )
282 |         return int32( x ) < 0;
283 |     return int64( x ) < 0;
284 | }
285 | 
286 | // overflow flag of subtraction (x-y)
287 | template<class T, class U> int8 __OFSUB__( T x, U y )
288 | {
289 |     if ( sizeof( T ) < sizeof( U ) )
290 |     {
291 |         U x2 = x;
292 |         int8 sx = __SETS__( x2 );
293 |         return ( sx ^ __SETS__( y ) ) & ( sx ^ __SETS__( x2 - y ) );
294 |     }
295 |     else
296 |     {
297 |         T y2 = y;
298 |         int8 sx = __SETS__( x );
299 |         return ( sx ^ __SETS__( y2 ) ) & ( sx ^ __SETS__( x - y2 ) );
300 |     }
301 | }
302 | 
303 | // overflow flag of addition (x+y)
304 | template<class T, class U> int8 __OFADD__( T x, U y )
305 | {
306 |     if ( sizeof( T ) < sizeof( U ) )
307 |     {
308 |         U x2 = x;
309 |         int8 sx = __SETS__( x2 );
310 |         return ( ( 1 ^ sx ) ^ __SETS__( y ) ) & ( sx ^ __SETS__( x2 + y ) );
311 |     }
312 |     else
313 |     {
314 |         T y2 = y;
315 |         int8 sx = __SETS__( x );
316 |         return ( ( 1 ^ sx ) ^ __SETS__( y2 ) ) & ( sx ^ __SETS__( x + y2 ) );
317 |     }
318 | }
319 | 
320 | // carry flag of subtraction (x-y)
321 | template<class T, class U> int8 __CFSUB__( T x, U y )
322 | {
323 |     int size = sizeof( T ) > sizeof( U ) ? sizeof( T ) : sizeof( U );
324 |     if ( size == 1 )
325 |         return uint8( x ) < uint8( y );
326 |     if ( size == 2 )
327 |         return uint16( x ) < uint16( y );
328 |     if ( size == 4 )
329 |         return uint32( x ) < uint32( y );
330 |     return uint64( x ) < uint64( y );
331 | }
332 | 
333 | // carry flag of addition (x+y)
334 | template<class T, class U> int8 __CFADD__( T x, U y )
335 | {
336 |     int size = sizeof( T ) > sizeof( U ) ? sizeof( T ) : sizeof( U );
337 |     if ( size == 1 )
338 |         return uint8( x ) > uint8( x + y );
339 |     if ( size == 2 )
340 |         return uint16( x ) > uint16( x + y );
341 |     if ( size == 4 )
342 |         return uint32( x ) > uint32( x + y );
343 |     return uint64( x ) > uint64( x + y );
344 | }
345 | 
346 | #else
347 | // The following definition is not quite correct because it always returns
348 | // uint64. The above C++ functions are good, though.
349 | #define __PAIR__(high, low) (((uint64)(high)<<sizeof(high)*8) | low)
350 | // For C, we just provide macros, they are not quite correct.
351 | #define __ROL__(x, y) __rotl__(x, y)      // Rotate left
352 | #define __ROR__(x, y) __rotr__(x, y)      // Rotate right
353 | #define __CFSHL__(x, y) invalid_operation // Generate carry flag for (x<<y)
354 | #define __CFSHR__(x, y) invalid_operation // Generate carry flag for (x>>y)
355 | #define __CFADD__(x, y) invalid_operation // Generate carry flag for (x+y)
356 | #define __CFSUB__(x, y) invalid_operation // Generate carry flag for (x-y)
357 | #define __OFADD__(x, y) invalid_operation // Generate overflow flag for (x+y)
358 | #define __OFSUB__(x, y) invalid_operation // Generate overflow flag for (x-y)
359 | #endif
360 | 
361 | // No definition for rcl/rcr because the carry flag is unknown
362 | #define __RCL__(x, y)    invalid_operation // Rotate left thru carry
363 | #define __RCR__(x, y)    invalid_operation // Rotate right thru carry
364 | #define __MKCRCL__(x, y) invalid_operation // Generate carry flag for a RCL
365 | #define __MKCRCR__(x, y) invalid_operation // Generate carry flag for a RCR
366 | #define __SETP__(x, y)   invalid_operation // Generate parity flag for (x-y)
367 | 
368 | // In the decompilation listing there are some objects declarared as _UNKNOWN
369 | // because we could not determine their types. Since the C compiler does not
370 | // accept void item declarations, we replace them by anything of our choice,
371 | // for example a char:
372 | 
373 | #define _UNKNOWN char
374 | 
375 | #ifdef _MSC_VER
376 | #define snprintf _snprintf
377 | #define vsnprintf _vsnprintf
378 | #endif
379 | 
380 | #endif // HEXRAYS_DEFS_H


--------------------------------------------------------------------------------
/Imports.hpp:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | #include <cstdint>  // or <stdint.h> for C
  4 | #include <ntddk.h>  // Windows Driver Development Kit
  5 | #include <ntdef.h>  // Windows NT Definitions 
  6 | 
  7 | #include "Utils.hpp"  
  8 | #include "Atapi.hpp"
  9 | 
 10 | typedef struct _SYSTEM_MODULE_ENTRY
 11 | {
 12 | 	HANDLE Section;
 13 | 	PVOID MappedBase;
 14 | 	PVOID ImageBase;
 15 | 	ULONG ImageSize;
 16 | 	ULONG Flags;
 17 | 	USHORT LoadOrderIndex;
 18 | 	USHORT InitOrderIndex;
 19 | 	USHORT LoadCount;
 20 | 	USHORT OffsetToFileName;
 21 | 	UCHAR FullPathName [ 256 ];
 22 | } SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;
 23 | 
 24 | #pragma warning(disable:4200)
 25 | typedef struct _SYSTEM_MODULE_INFORMATION
 26 | {
 27 | 	ULONG Count;
 28 | 	SYSTEM_MODULE_ENTRY Module [ 0 ];
 29 | } SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
 30 | 
 31 | enum class SYSTEM_INFORMATION_CLASS : uint32_t {
 32 |     SystemProcessInformation = 5, // q: SYSTEM_PROCESS_INFORMATION
 33 | };  
 34 | 
 35 | struct SYSTEM_PROCESS_INFORMATION {
 36 |     ULONG NextEntryOffset;
 37 |     ULONG NumberOfThreads;
 38 |     LARGE_INTEGER WorkingSetPrivateSize; // since VISTA
 39 |     ULONG HardFaultCount;                // since WIN7
 40 |     ULONG NumberOfThreadsHighWatermark;  // since WIN7
 41 |     ULONGLONG CycleTime;                 // since WIN7
 42 |     LARGE_INTEGER CreateTime;
 43 |     LARGE_INTEGER UserTime;
 44 |     LARGE_INTEGER KernelTime;
 45 |     UNICODE_STRING ImageName;
 46 |     UINT32 BasePriority;
 47 |     ULONG_PTR UniqueProcessId;
 48 | };
 49 | 
 50 | typedef enum _SYSTEM_INFORMATION_CLASS
 51 | {
 52 | 	SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION
 53 | 	SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION
 54 | 	SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION
 55 | 	SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION
 56 | 	SystemPathInformation, // not implemented
 57 | 	SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
 58 | 	SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION
 59 | 	SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION
 60 | 	SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION
 61 | 	SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION
 62 | 	SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10
 63 | 	SystemModuleInformation, // q: RTL_PROCESS_MODULES
 64 | 	SystemLocksInformation, // q: RTL_PROCESS_LOCKS
 65 | 	SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES
 66 | 	SystemPagedPoolInformation, // not implemented
 67 | 	SystemNonPagedPoolInformation, // not implemented
 68 | 	SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION
 69 | 	SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION
 70 | 	SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION
 71 | 	SystemVdmInstemulInformation, // q
 72 | 	SystemVdmBopInformation, // not implemented // 20
 73 | 	SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)
 74 | 	SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION
 75 | 	SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION
 76 | 	SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)
 77 | 	SystemFullMemoryInformation, // not implemented
 78 | 	SystemLoadGdiDriverInformation, // s (kernel-mode only)
 79 | 	SystemUnloadGdiDriverInformation, // s (kernel-mode only)
 80 | 	SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)
 81 | 	SystemSummaryMemoryInformation, // not implemented
 82 | 	SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30
 83 | 	SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS)
 84 | 	SystemObsolete0, // not implemented
 85 | 	SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION
 86 | 	SystemCrashDumpStateInformation, // s (requires SeDebugPrivilege)
 87 | 	SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION
 88 | 	SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION
 89 | 	SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)
 90 | 	SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only
 91 | 	SystemPrioritySeperation, // s (requires SeTcbPrivilege)
 92 | 	SystemVerifierAddDriverInformation, // s (requires SeDebugPrivilege) // 40
 93 | 	SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)
 94 | 	SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION
 95 | 	SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION
 96 | 	SystemCurrentTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION
 97 | 	SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION
 98 | 	SystemTimeSlipNotification, // s (requires SeSystemtimePrivilege)
 99 | 	SystemSessionCreate, // not implemented
100 | 	SystemSessionDetach, // not implemented
101 | 	SystemSessionInformation, // not implemented (SYSTEM_SESSION_INFORMATION)
102 | 	SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50
103 | 	SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
104 | 	SystemVerifierThunkExtend, // s (kernel-mode only)
105 | 	SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION
106 | 	SystemLoadGdiDriverInSystemSpace, // s (kernel-mode only) (same as SystemLoadGdiDriverInformation)
107 | 	SystemNumaProcessorMap, // q
108 | 	SystemPrefetcherInformation, // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation
109 | 	SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
110 | 	SystemRecommendedSharedDataAlignment, // q
111 | 	SystemComPlusPackage, // q; s
112 | 	SystemNumaAvailableMemory, // 60
113 | 	SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION
114 | 	SystemEmulationBasicInformation, // q
115 | 	SystemEmulationProcessorInformation,
116 | 	SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX
117 | 	SystemLostDelayedWriteInformation, // q: ULONG
118 | 	SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION
119 | 	SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION
120 | 	SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
121 | 	SystemHotpatchInformation, // q; s: SYSTEM_HOTPATCH_CODE_INFORMATION
122 | 	SystemObjectSecurityMode, // q: ULONG // 70
123 | 	SystemWatchdogTimerHandler, // s (kernel-mode only)
124 | 	SystemWatchdogTimerInformation, // q (kernel-mode only); s (kernel-mode only)
125 | 	SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION
126 | 	SystemWow64SharedInformationObsolete, // not implemented
127 | 	SystemRegisterFirmwareTableInformationHandler, // s (kernel-mode only)
128 | 	SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION
129 | 	SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX
130 | 	SystemVerifierTriageInformation, // not implemented
131 | 	SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
132 | 	SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80
133 | 	SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)
134 | 	SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege)
135 | 	SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[]
136 | 	SystemVerifierCancellationInformation, // not implemented // name:wow64:whNT32QuerySystemVerifierCancellationInformation
137 | 	SystemProcessorPowerInformationEx, // not implemented
138 | 	SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation
139 | 	SystemSpecialPoolInformation, // q; s (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0
140 | 	SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION
141 | 	SystemErrorPortInformation, // s (requires SeTcbPrivilege)
142 | 	SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90
143 | 	SystemHypervisorInformation, // q; s (kernel-mode only)
144 | 	SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX
145 | 	SystemTimeZoneInformation, // s (requires SeTimeZonePrivilege)
146 | 	SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)
147 | 	SystemCoverageInformation, // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation
148 | 	SystemPrefetchPatchInformation, // not implemented
149 | 	SystemVerifierFaultsInformation, // s (requires SeDebugPrivilege)
150 | 	SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
151 | 	SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION
152 | 	SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION // 100
153 | 	SystemNumaProximityNodeInformation, // q
154 | 	SystemDynamicTimeZoneInformation, // q; s (requires SeTimeZonePrivilege)
155 | 	SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation
156 | 	SystemProcessorMicrocodeUpdateInformation, // s
157 | 	SystemProcessorBrandString, // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
158 | 	SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
159 | 	SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // since WIN7 // KeQueryLogicalProcessorRelationship
160 | 	SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[]
161 | 	SystemStoreInformation, // q; s // SmQueryStoreInformation
162 | 	SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110
163 | 	SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege)
164 | 	SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION
165 | 	SystemCpuQuotaInformation, // q; s // PsQueryCpuQuotaInformation
166 | 	SystemNativeBasicInformation, // not implemented
167 | 	SystemSpare1, // not implemented
168 | 	SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
169 | 	SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation
170 | 	SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
171 | 	SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)
172 | 	SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120
173 | 	SystemNodeDistanceInformation, // q
174 | 	SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26
175 | 	SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
176 | 	SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
177 | 	SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8
178 | 	SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only)
179 | 	SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION
180 | 	SystemBadPageInformation,
181 | 	SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA
182 | 	SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130
183 | 	SystemEntropyInterruptTimingCallback,
184 | 	SystemConsoleInformation, // q: SYSTEM_CONSOLE_INFORMATION
185 | 	SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION
186 | 	SystemThrottleNotificationInformation,
187 | 	SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
188 | 	SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION
189 | 	SystemDeviceDataEnumerationInformation,
190 | 	SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION
191 | 	SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION
192 | 	SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140
193 | 	SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // since WINBLUE
194 | 	SystemSpare0,
195 | 	SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION
196 | 	SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX
197 | 	SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION
198 | 	SystemEntropyInterruptTimingRawInformation,
199 | 	SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
200 | 	SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
201 | 	SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
202 | 	SystemBootMetadataInformation, // 150
203 | 	SystemSoftRebootInformation,
204 | 	SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION
205 | 	SystemOfflineDumpConfigInformation,
206 | 	SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION
207 | 	SystemRegistryReconciliationInformation,
208 | 	SystemEdidInformation,
209 | 	SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD
210 | 	SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
211 | 	SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION
212 | 	SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION // 160
213 | 	SystemVmGenerationCountInformation,
214 | 	SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION
215 | 	SystemKernelDebuggerFlags,
216 | 	SystemCodeIntegrityPolicyInformation, // q: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
217 | 	SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION
218 | 	SystemHardwareSecurityTestInterfaceResultsInformation,
219 | 	SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION
220 | 	SystemAllowedCpuSetsInformation,
221 | 	SystemDmaProtectionInformation, // q: SYSTEM_DMA_PROTECTION_INFORMATION
222 | 	SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170
223 | 	SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
224 | 	SystemCodeIntegrityPolicyFullInformation,
225 | 	SystemAffinitizedInterruptProcessorInformation,
226 | 	SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION
227 | 	SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2
228 | 	SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION
229 | 	SystemWin32WerStartCallout,
230 | 	SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION
231 | 	SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE
232 | 	SystemInterruptSteeringInformation, // 180
233 | 	SystemSupportedProcessorArchitectures,
234 | 	SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION
235 | 	SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
236 | 	SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2
237 | 	SystemControlFlowTransition,
238 | 	SystemKernelDebuggingAllowed,
239 | 	SystemActivityModerationExeState, // SYSTEM_ACTIVITY_MODERATION_EXE_STATE
240 | 	SystemActivityModerationUserSettings, // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS
241 | 	SystemCodeIntegrityPoliciesFullInformation,
242 | 	SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190
243 | 	SystemIntegrityQuotaInformation,
244 | 	SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION
245 | 	SystemProcessorIdleMaskInformation, // since REDSTONE3
246 | 	SystemSecureDumpEncryptionInformation,
247 | 	SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION
248 | 	MaxSystemInfoClass
249 | } SYSTEM_INFORMATION_CLASS;
250 | 
251 | NTSTATUS NTAPI ZwQuerySystemInformation( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL );


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # FakeDriver
 2 | Execute anything in a legit memory region by attacking a windows driver 
 3 | ### What are we attacking?
 4 | A windows driver named atapi.sys, digitally code signed and automatically running on every Windows 10/11 machines.
 5 | This driver calls multiple functions which do not call any external ones and thus could easily be swapped/hooked
 6 | ### What are the potential detection vectors?
 7 | The driver still hooks something so it may be that, but once you're in the function, except if you trigger another flag, you can (almost) do whatever you want.
 8 | ### Risks of BSOD'ing other than PG?
 9 | The function itself is entirely emulated so, no. And no issues will be caused on the behalf of atapi.sys
10 | ![image](https://github.com/patchbull/FakeDriver/assets/125939943/41f02d91-8b32-4570-b6e4-efb17f95469a)
11 | 


--------------------------------------------------------------------------------
/Utils.hpp:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include <version>  // For C++20 feature checking
 4 | #define BYTE unsigned char
 5 | 
 6 | class Utils {
 7 | public:
 8 | 	static Utils* Get( ) {
 9 | 		static Utils instance;
10 | 		return &instance;
11 | 	}
12 | 
13 | 	ULONG_PTR FindSignatureInDriver( PDRIVER_OBJECT driverObject, const BYTE* signature, ULONG signatureSize ) {
14 | 		ULONG_PTR baseAddress = ( ULONG_PTR )driverObject->DriverStart;
15 | 		ULONG_PTR endAddress = baseAddress + driverObject->DriverSize - signatureSize;
16 | 
17 | 		for ( ULONG_PTR address = baseAddress; address < endAddress; ++address ) {
18 | 			BOOLEAN match = TRUE;
19 | 
20 | 			for ( ULONG offset = 0; offset < signatureSize; ++offset ) {
21 | 				UCHAR byte = *( ( UCHAR* )( address + offset ) );
22 | 
23 | 				if ( signature [ offset ] != byte ) {
24 | 					match = FALSE;
25 | 					break;
26 | 				}
27 | 			}
28 | 
29 | 			if ( match ) {
30 | 				return address;
31 | 			}
32 | 		}
33 | 
34 | 		return 0x0001;  // Signature not found
35 | 	}
36 | 
37 | 	ULONG_PTR DrvBase( const char* szModuleName ) {
38 | 		PVOID pModuleBase = NULL;
39 | 		PSYSTEM_MODULE_INFORMATION pSystemInfoBuffer = NULL;
40 | 
41 | 		ULONG SystemInfoBufferSize = 0;
42 | 
43 | 		NTSTATUS status = ZwQuerySystemInformation( SystemModuleInformation,
44 | 			&SystemInfoBufferSize,
45 | 			0,
46 | 			&SystemInfoBufferSize );
47 | 
48 | 		if ( !SystemInfoBufferSize )
49 | 		{
50 | 			return NULL;
51 | 		}
52 | 
53 | 		pSystemInfoBuffer = ( PSYSTEM_MODULE_INFORMATION )ExAllocatePoolWithTag( NonPagedPool, SystemInfoBufferSize * 2, '1gaT' );
54 | 
55 | 		if ( !pSystemInfoBuffer )
56 | 		{
57 | 			return NULL;
58 | 		}
59 | 
60 | 		memset( pSystemInfoBuffer, 0, SystemInfoBufferSize * 2 );
61 | 
62 | 		status = ZwQuerySystemInformation( SystemModuleInformation,
63 | 			pSystemInfoBuffer,
64 | 			SystemInfoBufferSize * 2,
65 | 			&SystemInfoBufferSize );
66 | 
67 | 		if ( NT_SUCCESS( status ) )
68 | 		{
69 | 			for ( int ModuleCount = 0; ModuleCount < pSystemInfoBuffer->Count; ModuleCount++ )
70 | 			{
71 | 
72 | 				char* ModuleFileName = ( char* )pSystemInfoBuffer->Module [ ModuleCount ].FullPathName;
73 | 
74 | 				int l = strlen( ModuleFileName );
75 | 
76 | 				for ( int i = l; i != 0; i-- )
77 | 				{
78 | 					if ( ModuleFileName [ i ] == '\\' )
79 | 					{
80 | 						ModuleFileName = ModuleFileName + i + 1;
81 | 						break;
82 | 					}
83 | 				}
84 | 
85 | 				if ( _stricmp( szModuleName, ModuleFileName ) == 0 )
86 | 				{
87 | 					pModuleBase = pSystemInfoBuffer->Module [ ModuleCount ].ImageBase;
88 | 
89 | 					break;
90 | 				}
91 | 
92 | 			}
93 | 		}
94 | 
95 | 		ExFreePoolWithTag( pSystemInfoBuffer, 'qbWn' );
96 | 		return STATUS_SUCCESS; // Driver found
97 | 	} 
98 | };


--------------------------------------------------------------------------------