├── README.md
├── kernel.sln
└── kernel
    ├── entry.cpp
    ├── kernel.inf
    ├── kernel.vcxproj
    ├── kernel.vcxproj.filters
    ├── kernel.vcxproj.user
    └── library
        ├── globals.h
        ├── kecheck.h
        ├── stdint.h
        ├── structs.h
        └── utils.h


/README.md:
--------------------------------------------------------------------------------
 1 | # Detect-KeAttachProcess
 2 | Detect-KeAttachProcess - by iterating through all processes as well as checking the context of the thread.
 3 | 
 4 | Recently I started studying the KeAttachProcess system. 
 5 | And to be more specific, how exactly can you find out that your process is attached. 
 6 | And so, as soon as we start looking at the function, 
 7 | we see that it first gets the current context of the thread from which Keattachprocess was called.
 8 | 
 9 | ![Alt text](https://i.ibb.co/WDYWQhX/scr1.png "Optional title")
10 | 
11 | Also note that the PROCESS is passed to the "v2" variable from the argument, 
12 | respectively, this is the target process to which the function is attached in the future.
13 | 
14 | The current thread of the process from which the function is called, 
15 | as well as the PROCESS from the argument, are passed to the "KiAttachProcess" function.
16 | 
17 | ![Alt text](https://i.ibb.co/hWZXj5t/image.png "Optional title")
18 | 
19 | We switch to this function, and after studying it a little, 
20 | we see that the target process (v2) is written to offset "0xB8" the current thread context.
21 | 
22 | ![Alt text](https://i.ibb.co/1LVbv2Y/image.png "Optional title")
23 | 
24 | The further plan is as follows: 
25 | 
26 | 1) Go through all the processes 
27 | 2) Go through all the threads of each process in the system 
28 | 3) Look in the context of each thread, what is the offset "0xB8".
29 | 
30 | If the current process is not attached to anything, 
31 | usually the current "PEPROCESS" of the process itself is stored in the offset "0xB8", 
32 | and if the current process was attached to any process,
33 | then the "PEPROCESS" target process will be written to the offset "0xB8".
34 | 
35 | I have implemented a check for this for every process in the system, and here is my result:
36 | 
37 | ![Alt Text](https://i.ibb.co/Gvm1gsX/image.png)
38 | 


--------------------------------------------------------------------------------
/kernel.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.31911.196
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "kernel", "kernel\kernel.vcxproj", "{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|ARM = Debug|ARM
11 | 		Debug|ARM64 = Debug|ARM64
12 | 		Debug|x64 = Debug|x64
13 | 		Debug|x86 = Debug|x86
14 | 		Release|ARM = Release|ARM
15 | 		Release|ARM64 = Release|ARM64
16 | 		Release|x64 = Release|x64
17 | 		Release|x86 = Release|x86
18 | 	EndGlobalSection
19 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Debug|ARM.ActiveCfg = Debug|ARM
21 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Debug|ARM.Build.0 = Debug|ARM
22 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Debug|ARM.Deploy.0 = Debug|ARM
23 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Debug|ARM64.ActiveCfg = Debug|ARM64
24 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Debug|ARM64.Build.0 = Debug|ARM64
25 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Debug|ARM64.Deploy.0 = Debug|ARM64
26 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Debug|x64.ActiveCfg = Debug|x64
27 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Debug|x64.Build.0 = Debug|x64
28 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Debug|x64.Deploy.0 = Debug|x64
29 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Debug|x86.ActiveCfg = Debug|Win32
30 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Debug|x86.Build.0 = Debug|Win32
31 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Debug|x86.Deploy.0 = Debug|Win32
32 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Release|ARM.ActiveCfg = Release|ARM
33 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Release|ARM.Build.0 = Release|ARM
34 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Release|ARM.Deploy.0 = Release|ARM
35 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Release|ARM64.ActiveCfg = Release|ARM64
36 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Release|ARM64.Build.0 = Release|ARM64
37 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Release|ARM64.Deploy.0 = Release|ARM64
38 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Release|x64.ActiveCfg = Release|x64
39 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Release|x64.Build.0 = Release|x64
40 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Release|x64.Deploy.0 = Release|x64
41 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Release|x86.ActiveCfg = Release|Win32
42 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Release|x86.Build.0 = Release|Win32
43 | 		{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}.Release|x86.Deploy.0 = Release|Win32
44 | 	EndGlobalSection
45 | 	GlobalSection(SolutionProperties) = preSolution
46 | 		HideSolutionNode = FALSE
47 | 	EndGlobalSection
48 | 	GlobalSection(ExtensibilityGlobals) = postSolution
49 | 		SolutionGuid = {CF052229-3368-4356-AE4A-77406BD2CB75}
50 | 	EndGlobalSection
51 | EndGlobal
52 | 


--------------------------------------------------------------------------------
/kernel/entry.cpp:
--------------------------------------------------------------------------------
 1 | #include "library/globals.h"
 2 | 
 3 | VOID NTAPI entry_thread(PVOID)
 4 | {
 5 | 	while (1)
 6 | 	{
 7 | 		ke_attach_detect();
 8 | 	}
 9 | }
10 | 
11 | NTSTATUS entry_point(PVOID, PVOID)
12 | {
13 | 	HANDLE h_thread = 0;
14 | 	NTSTATUS status = PsCreateSystemThread(&h_thread, 0x10000000L, 0, 0, 0, entry_thread, 0);
15 | 
16 | 	if (!NT_SUCCESS(status))
17 | 		return status;
18 | 
19 | 	ZwClose(h_thread);
20 | 
21 | 	return STATUS_SUCCESS;	
22 | }
23 | 


--------------------------------------------------------------------------------
/kernel/kernel.inf:
--------------------------------------------------------------------------------
 1 | ;
 2 | ; kernel.inf
 3 | ;
 4 | 
 5 | [Version]
 6 | Signature="$WINDOWS NT$"
 7 | Class=Sample ; TODO: edit Class
 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
 9 | Provider=%ManufacturerName%
10 | CatalogFile=kernel.cat
11 | DriverVer= ; TODO: set DriverVer in stampinf property pages
12 | PnpLockDown=1
13 | 
14 | [DestinationDirs]
15 | DefaultDestDir = 12
16 | kernel_Device_CoInstaller_CopyFiles = 11
17 | 
18 | ; ================= Class section =====================
19 | 
20 | [ClassInstall32]
21 | Addreg=SampleClassReg
22 | 
23 | [SampleClassReg]
24 | HKR,,,0,%ClassName%
25 | HKR,,Icon,,-5
26 | 
27 | [SourceDisksNames]
28 | 1 = %DiskName%,,,""
29 | 
30 | [SourceDisksFiles]
31 | kernel.sys  = 1,,
32 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
33 | 
34 | ;*****************************************
35 | ; Install Section
36 | ;*****************************************
37 | 
38 | [Manufacturer]
39 | %ManufacturerName%=Standard,NT$ARCH$
40 | 
41 | [Standard.NT$ARCH$]
42 | %kernel.DeviceDesc%=kernel_Device, Root\kernel ; TODO: edit hw-id
43 | 
44 | [kernel_Device.NT]
45 | CopyFiles=Drivers_Dir
46 | 
47 | [Drivers_Dir]
48 | kernel.sys
49 | 
50 | ;-------------- Service installation
51 | [kernel_Device.NT.Services]
52 | AddService = kernel,%SPSVCINST_ASSOCSERVICE%, kernel_Service_Inst
53 | 
54 | ; -------------- kernel driver install sections
55 | [kernel_Service_Inst]
56 | DisplayName    = %kernel.SVCDESC%
57 | ServiceType    = 1               ; SERVICE_KERNEL_DRIVER
58 | StartType      = 3               ; SERVICE_DEMAND_START
59 | ErrorControl   = 1               ; SERVICE_ERROR_NORMAL
60 | ServiceBinary  = %12%\kernel.sys
61 | 
62 | ;
63 | ;--- kernel_Device Coinstaller installation ------
64 | ;
65 | 
66 | [kernel_Device.NT.CoInstallers]
67 | AddReg=kernel_Device_CoInstaller_AddReg
68 | CopyFiles=kernel_Device_CoInstaller_CopyFiles
69 | 
70 | [kernel_Device_CoInstaller_AddReg]
71 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
72 | 
73 | [kernel_Device_CoInstaller_CopyFiles]
74 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
75 | 
76 | [kernel_Device.NT.Wdf]
77 | KmdfService =  kernel, kernel_wdfsect
78 | [kernel_wdfsect]
79 | KmdfLibraryVersion = $KMDFVERSION$
80 | 
81 | [Strings]
82 | SPSVCINST_ASSOCSERVICE= 0x00000002
83 | ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
84 | ClassName="Samples" ; TODO: edit ClassName
85 | DiskName = "kernel Installation Disk"
86 | kernel.DeviceDesc = "kernel Device"
87 | kernel.SVCDESC = "kernel Service"
88 | 


--------------------------------------------------------------------------------
/kernel/kernel.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Debug|ARM">
 21 |       <Configuration>Debug</Configuration>
 22 |       <Platform>ARM</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|ARM">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>ARM</Platform>
 27 |     </ProjectConfiguration>
 28 |     <ProjectConfiguration Include="Debug|ARM64">
 29 |       <Configuration>Debug</Configuration>
 30 |       <Platform>ARM64</Platform>
 31 |     </ProjectConfiguration>
 32 |     <ProjectConfiguration Include="Release|ARM64">
 33 |       <Configuration>Release</Configuration>
 34 |       <Platform>ARM64</Platform>
 35 |     </ProjectConfiguration>
 36 |   </ItemGroup>
 37 |   <PropertyGroup Label="Globals">
 38 |     <ProjectGuid>{2211136A-E9DC-44ED-ACB0-F342DC08C4DC}</ProjectGuid>
 39 |     <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
 40 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
 41 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
 42 |     <Configuration>Debug</Configuration>
 43 |     <Platform Condition="'$(Platform)' == ''">Win32</Platform>
 44 |     <RootNamespace>kernel</RootNamespace>
 45 |     <WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
 46 |   </PropertyGroup>
 47 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 49 |     <TargetVersion>Windows10</TargetVersion>
 50 |     <UseDebugLibraries>true</UseDebugLibraries>
 51 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 52 |     <ConfigurationType>Driver</ConfigurationType>
 53 |     <DriverType>KMDF</DriverType>
 54 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 55 |   </PropertyGroup>
 56 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 57 |     <TargetVersion>Windows10</TargetVersion>
 58 |     <UseDebugLibraries>false</UseDebugLibraries>
 59 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 60 |     <ConfigurationType>Driver</ConfigurationType>
 61 |     <DriverType>KMDF</DriverType>
 62 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 63 |   </PropertyGroup>
 64 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 65 |     <TargetVersion>Windows10</TargetVersion>
 66 |     <UseDebugLibraries>true</UseDebugLibraries>
 67 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 68 |     <ConfigurationType>Driver</ConfigurationType>
 69 |     <DriverType>KMDF</DriverType>
 70 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 71 |   </PropertyGroup>
 72 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 73 |     <TargetVersion>Windows10</TargetVersion>
 74 |     <UseDebugLibraries>false</UseDebugLibraries>
 75 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 76 |     <ConfigurationType>Driver</ConfigurationType>
 77 |     <DriverType>KMDF</DriverType>
 78 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 79 |     <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
 80 |   </PropertyGroup>
 81 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
 82 |     <TargetVersion>Windows10</TargetVersion>
 83 |     <UseDebugLibraries>true</UseDebugLibraries>
 84 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 85 |     <ConfigurationType>Driver</ConfigurationType>
 86 |     <DriverType>KMDF</DriverType>
 87 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 88 |   </PropertyGroup>
 89 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
 90 |     <TargetVersion>Windows10</TargetVersion>
 91 |     <UseDebugLibraries>false</UseDebugLibraries>
 92 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 93 |     <ConfigurationType>Driver</ConfigurationType>
 94 |     <DriverType>KMDF</DriverType>
 95 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 96 |   </PropertyGroup>
 97 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
 98 |     <TargetVersion>Windows10</TargetVersion>
 99 |     <UseDebugLibraries>true</UseDebugLibraries>
100 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
101 |     <ConfigurationType>Driver</ConfigurationType>
102 |     <DriverType>KMDF</DriverType>
103 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
104 |   </PropertyGroup>
105 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
106 |     <TargetVersion>Windows10</TargetVersion>
107 |     <UseDebugLibraries>false</UseDebugLibraries>
108 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
109 |     <ConfigurationType>Driver</ConfigurationType>
110 |     <DriverType>KMDF</DriverType>
111 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
112 |   </PropertyGroup>
113 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
114 |   <ImportGroup Label="ExtensionSettings">
115 |   </ImportGroup>
116 |   <ImportGroup Label="PropertySheets">
117 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
118 |   </ImportGroup>
119 |   <PropertyGroup Label="UserMacros" />
120 |   <PropertyGroup />
121 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
122 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
123 |   </PropertyGroup>
124 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
125 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
126 |   </PropertyGroup>
127 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
128 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
129 |   </PropertyGroup>
130 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
131 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
132 |   </PropertyGroup>
133 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
134 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
135 |   </PropertyGroup>
136 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
137 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
138 |   </PropertyGroup>
139 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
140 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
141 |   </PropertyGroup>
142 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
143 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
144 |   </PropertyGroup>
145 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
146 |     <ClCompile>
147 |       <LanguageStandard>stdcpp17</LanguageStandard>
148 |       <WarningLevel>TurnOffAllWarnings</WarningLevel>
149 |       <TreatWarningAsError>false</TreatWarningAsError>
150 |       <Optimization>MaxSpeed</Optimization>
151 |       <FavorSizeOrSpeed>Speed</FavorSizeOrSpeed>
152 |       <BufferSecurityCheck>false</BufferSecurityCheck>
153 |       <CreateHotpatchableImage>false</CreateHotpatchableImage>
154 |       <ShowIncludes>true</ShowIncludes>
155 |     </ClCompile>
156 |     <Link>
157 |       <GenerateDebugInformation>false</GenerateDebugInformation>
158 |       <TreatLinkerWarningAsErrors>false</TreatLinkerWarningAsErrors>
159 |       <ProgramDatabaseFile />
160 |       <EntryPointSymbol>entry_point</EntryPointSymbol>
161 |     </Link>
162 |   </ItemDefinitionGroup>
163 |   <ItemGroup>
164 |     <Inf Include="kernel.inf" />
165 |   </ItemGroup>
166 |   <ItemGroup>
167 |     <FilesToPackage Include="$(TargetPath)" />
168 |   </ItemGroup>
169 |   <ItemGroup>
170 |     <ClCompile Include="entry.cpp" />
171 |   </ItemGroup>
172 |   <ItemGroup>
173 |     <ClInclude Include="library\globals.h" />
174 |     <ClInclude Include="library\kecheck.h" />
175 |     <ClInclude Include="library\stdint.h" />
176 |     <ClInclude Include="library\structs.h" />
177 |     <ClInclude Include="library\utils.h" />
178 |   </ItemGroup>
179 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
180 |   <ImportGroup Label="ExtensionTargets">
181 |   </ImportGroup>
182 | </Project>


--------------------------------------------------------------------------------
/kernel/kernel.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Driver Files">
13 |       <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
14 |       <Extensions>inf;inv;inx;mof;mc;</Extensions>
15 |     </Filter>
16 |     <Filter Include="library">
17 |       <UniqueIdentifier>{ae794118-a9c9-4bd9-9045-d8e44de9f315}</UniqueIdentifier>
18 |     </Filter>
19 |     <Filter Include="Source Files\Resource Files">
20 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
21 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
22 |     </Filter>
23 |   </ItemGroup>
24 |   <ItemGroup>
25 |     <Inf Include="kernel.inf">
26 |       <Filter>Driver Files</Filter>
27 |     </Inf>
28 |   </ItemGroup>
29 |   <ItemGroup>
30 |     <ClCompile Include="entry.cpp">
31 |       <Filter>Source Files</Filter>
32 |     </ClCompile>
33 |   </ItemGroup>
34 |   <ItemGroup>
35 |     <ClInclude Include="library\globals.h">
36 |       <Filter>library</Filter>
37 |     </ClInclude>
38 |     <ClInclude Include="library\utils.h">
39 |       <Filter>library</Filter>
40 |     </ClInclude>
41 |     <ClInclude Include="library\structs.h">
42 |       <Filter>library</Filter>
43 |     </ClInclude>
44 |     <ClInclude Include="library\stdint.h">
45 |       <Filter>library</Filter>
46 |     </ClInclude>
47 |     <ClInclude Include="library\kecheck.h">
48 |       <Filter>library</Filter>
49 |     </ClInclude>
50 |   </ItemGroup>
51 | </Project>


--------------------------------------------------------------------------------
/kernel/kernel.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
4 |     <SignMode>Off</SignMode>
5 |   </PropertyGroup>
6 | </Project>


--------------------------------------------------------------------------------
/kernel/library/globals.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <ntdef.h>
 3 | #include <ntifs.h>
 4 | #include <ntddk.h>
 5 | #include <ntstrsafe.h>
 6 | #include <minwindef.h>
 7 | #include <ifdef.h>
 8 | #include <ntddndis.h>
 9 | #include <wdm.h>
10 | #include <intrin.h>
11 | #include <ntimage.h>
12 | #include <ntddmou.h>
13 | 
14 | #include "stdint.h"
15 | #include "structs.h"
16 | #include "utils.h"
17 | #include "kecheck.h"
18 | 


--------------------------------------------------------------------------------
/kernel/library/kecheck.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | /*
 4 | 
 5 | The offsets are given below, and the "ETHREAD_META" structure works from win 10 19041 to win 11.
 6 | 
 7 | */
 8 | 
 9 | #define ImageFileName 0x5A8 // EPROCESS::ImageFileName
10 | #define ActiveThreads 0x5F0 // EPROCESS::ActiveThreads
11 | #define ThreadListHead 0x5E0 // EPROCESS::ThreadListHead
12 | #define ActiveProcessLinks 0x448 // EPROCESS::ActiveProcessLinks
13 | 
14 | void ke_attach_detect()
15 | {
16 | 	PEPROCESS sys_process = PsInitialSystemProcess;
17 | 	PEPROCESS cur_entry = sys_process;
18 | 
19 | 	do
20 | 	{
21 | 		CHAR image_name[32];
22 | 		DWORD active_threads;
23 | 
24 | 		RtlCopyMemory((PVOID)&image_name, (PVOID)((uintptr_t)cur_entry + ImageFileName), sizeof(image_name));
25 | 		RtlCopyMemory((PVOID)&active_threads, (PVOID)((uintptr_t)cur_entry + ActiveThreads), sizeof(active_threads));
26 | 
27 | 		if (active_threads && cur_entry != sys_process)
28 | 		{
29 | 			LIST_ENTRY* thread_list_head = (LIST_ENTRY*)make_ptr(cur_entry, ThreadListHead);
30 | 			PLIST_ENTRY list = thread_list_head;
31 | 
32 | 			while ((list = list->Flink) != thread_list_head)
33 | 			{
34 | 				PETHREAD_META entry = CONTAINING_RECORD(list, ETHREAD_META, ThreadListEntry);
35 | 				PEPROCESS attached_pe_proc = *(PEPROCESS*)((uintptr_t)entry + 0xB8);
36 | 
37 | 				if (attached_pe_proc != cur_entry)
38 | 				{
39 | 					CHAR target_image_name[512];
40 | 					RtlCopyMemory((PVOID)(&target_image_name), (PVOID)((uintptr_t)attached_pe_proc + ImageFileName), sizeof(image_name));
41 | 
42 | 					DbgPrintEx(0, 0, "%s attached -> %s\n", image_name, target_image_name);
43 | 				}
44 | 			}
45 | 		}
46 | 
47 | 		PLIST_ENTRY list = (PLIST_ENTRY)((uintptr_t)(cur_entry) + ActiveProcessLinks);
48 | 		cur_entry = (PEPROCESS)((uintptr_t)list->Flink - ActiveProcessLinks);
49 | 
50 | 	} while (cur_entry != sys_process);
51 | }


--------------------------------------------------------------------------------
/kernel/library/stdint.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #define _STDINT
  3 | 
  4 | #ifndef RC_INVOKED
  5 | typedef signed char        int8_t;
  6 | typedef short              int16_t;
  7 | typedef int                int32_t;
  8 | typedef long long          int64_t;
  9 | typedef unsigned char      uint8_t;
 10 | typedef unsigned short     uint16_t;
 11 | typedef unsigned int       uint32_t;
 12 | typedef unsigned long long uint64_t;
 13 | 
 14 | typedef signed char        int_least8_t;
 15 | typedef short              int_least16_t;
 16 | typedef int                int_least32_t;
 17 | typedef long long          int_least64_t;
 18 | typedef unsigned char      uint_least8_t;
 19 | typedef unsigned short     uint_least16_t;
 20 | typedef unsigned int       uint_least32_t;
 21 | typedef unsigned long long uint_least64_t;
 22 | 
 23 | typedef signed char        int_fast8_t;
 24 | typedef int                int_fast16_t;
 25 | typedef int                int_fast32_t;
 26 | typedef long long          int_fast64_t;
 27 | typedef unsigned char      uint_fast8_t;
 28 | typedef unsigned int       uint_fast16_t;
 29 | typedef unsigned int       uint_fast32_t;
 30 | typedef unsigned long long uint_fast64_t;
 31 | 
 32 | typedef long long          intmax_t;
 33 | typedef unsigned long long uintmax_t;
 34 | 
 35 | // These macros must exactly match those in the Windows SDK's intsafe.h.
 36 | #define INT8_MIN         (-127i8 - 1)
 37 | #define INT16_MIN        (-32767i16 - 1)
 38 | #define INT32_MIN        (-2147483647i32 - 1)
 39 | #define INT64_MIN        (-9223372036854775807i64 - 1)
 40 | #define INT8_MAX         127i8
 41 | #define INT16_MAX        32767i16
 42 | #define INT32_MAX        2147483647i32
 43 | #define INT64_MAX        9223372036854775807i64
 44 | #define UINT8_MAX        0xffui8
 45 | #define UINT16_MAX       0xffffui16
 46 | #define UINT32_MAX       0xffffffffui32
 47 | #define UINT64_MAX       0xffffffffffffffffui64
 48 | 
 49 | #define INT_LEAST8_MIN   INT8_MIN
 50 | #define INT_LEAST16_MIN  INT16_MIN
 51 | #define INT_LEAST32_MIN  INT32_MIN
 52 | #define INT_LEAST64_MIN  INT64_MIN
 53 | #define INT_LEAST8_MAX   INT8_MAX
 54 | #define INT_LEAST16_MAX  INT16_MAX
 55 | #define INT_LEAST32_MAX  INT32_MAX
 56 | #define INT_LEAST64_MAX  INT64_MAX
 57 | #define UINT_LEAST8_MAX  UINT8_MAX
 58 | #define UINT_LEAST16_MAX UINT16_MAX
 59 | #define UINT_LEAST32_MAX UINT32_MAX
 60 | #define UINT_LEAST64_MAX UINT64_MAX
 61 | 
 62 | #define INT_FAST8_MIN    INT8_MIN
 63 | #define INT_FAST16_MIN   INT32_MIN
 64 | #define INT_FAST32_MIN   INT32_MIN
 65 | #define INT_FAST64_MIN   INT64_MIN
 66 | #define INT_FAST8_MAX    INT8_MAX
 67 | #define INT_FAST16_MAX   INT32_MAX
 68 | #define INT_FAST32_MAX   INT32_MAX
 69 | #define INT_FAST64_MAX   INT64_MAX
 70 | #define UINT_FAST8_MAX   UINT8_MAX
 71 | #define UINT_FAST16_MAX  UINT32_MAX
 72 | #define UINT_FAST32_MAX  UINT32_MAX
 73 | #define UINT_FAST64_MAX  UINT64_MAX
 74 | 
 75 | #ifdef _WIN64
 76 | #define INTPTR_MIN   INT64_MIN
 77 | #define INTPTR_MAX   INT64_MAX
 78 | #define UINTPTR_MAX  UINT64_MAX
 79 | #else
 80 | #define INTPTR_MIN   INT32_MIN
 81 | #define INTPTR_MAX   INT32_MAX
 82 | #define UINTPTR_MAX  UINT32_MAX
 83 | #endif
 84 | 
 85 | #define INTMAX_MIN       INT64_MIN
 86 | #define INTMAX_MAX       INT64_MAX
 87 | #define UINTMAX_MAX      UINT64_MAX
 88 | 
 89 | #define PTRDIFF_MIN      INTPTR_MIN
 90 | #define PTRDIFF_MAX      INTPTR_MAX
 91 | 
 92 | #ifndef SIZE_MAX
 93 | #define SIZE_MAX     UINTPTR_MAX
 94 | #endif
 95 | 
 96 | #define SIG_ATOMIC_MIN   INT32_MIN
 97 | #define SIG_ATOMIC_MAX   INT32_MAX
 98 | 
 99 | #define WCHAR_MIN        0x0000
100 | #define WCHAR_MAX        0xffff
101 | 
102 | #define WINT_MIN         0x0000
103 | #define WINT_MAX         0xffff
104 | 
105 | #define INT8_C(x)    (x)
106 | #define INT16_C(x)   (x)
107 | #define INT32_C(x)   (x)
108 | #define INT64_C(x)   (x ## LL)
109 | 
110 | #define UINT8_C(x)   (x)
111 | #define UINT16_C(x)  (x)
112 | #define UINT32_C(x)  (x ## U)
113 | #define UINT64_C(x)  (x ## ULL)
114 | 
115 | #define INTMAX_C(x)  INT64_C(x)
116 | #define UINTMAX_C(x) UINT64_C(x)
117 | 
118 | #endif // RC_INVOKED
119 | 
120 | /*
121 |  * Copyright (c) 1992-2012 by P.J. Plauger.  ALL RIGHTS RESERVED.
122 |  * Consult your license regarding permissions and restrictions.
123 | V6.00:0009 */
124 | 


--------------------------------------------------------------------------------
/kernel/library/structs.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | typedef struct _LDR_DATA_TABLE_ENTRY
 4 | {
 5 | 	LIST_ENTRY InLoadOrderModuleList;
 6 | 	LIST_ENTRY InMemoryOrderModuleList;
 7 | 	LIST_ENTRY InInitializationOrderModuleList;
 8 | 	PVOID DllBase;
 9 | 	PVOID EntryPoint;
10 | 	ULONG SizeOfImage;
11 | 	UNICODE_STRING FullDllName;
12 | 	UNICODE_STRING BaseDllName;
13 | 	ULONG Flags;
14 | 	USHORT LoadCount;
15 | 	USHORT TlsIndex;
16 | 	LIST_ENTRY HashLinks;
17 | 	PVOID SectionPointer;
18 | 	ULONG CheckSum;
19 | 	ULONG TimeDateStamp;
20 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
21 | 
22 | typedef struct _KLDR_DATA_TABLE_ENTRY
23 | {
24 | 	/* 0x0000 */ struct _LIST_ENTRY InLoadOrderLinks;
25 | 	/* 0x0010 */ void* ExceptionTable;
26 | 	/* 0x0018 */ unsigned long ExceptionTableSize;
27 | 	/* 0x001c */ long Padding_687;
28 | 	/* 0x0020 */ void* GpValue;
29 | 	/* 0x0028 */ struct _NON_PAGED_DEBUG_INFO* NonPagedDebugInfo;
30 | 	/* 0x0030 */ void* DllBase;
31 | 	/* 0x0038 */ void* EntryPoint;
32 | 	/* 0x0040 */ unsigned long SizeOfImage;
33 | 	/* 0x0044 */ long Padding_688;
34 | 	/* 0x0048 */ struct _UNICODE_STRING FullDllName;
35 | 	/* 0x0058 */ struct _UNICODE_STRING BaseDllName;
36 | 	/* 0x0068 */ unsigned long Flags;
37 | 	/* 0x006c */ unsigned short LoadCount;
38 | 	union
39 | 	{
40 | 		union
41 | 		{
42 | 			struct /* bitfield */
43 | 			{
44 | 				/* 0x006e */ unsigned short SignatureLevel : 4; /* bit position: 0 */
45 | 				/* 0x006e */ unsigned short SignatureType : 3; /* bit position: 4 */
46 | 				/* 0x006e */ unsigned short Unused : 9; /* bit position: 7 */
47 | 			}; /* bitfield */
48 | 			/* 0x006e */ unsigned short EntireField;
49 | 		}; /* size: 0x0002 */
50 | 	} /* size: 0x0002 */ u1;
51 | 	/* 0x0070 */ void* SectionPointer;
52 | 	/* 0x0078 */ unsigned long CheckSum;
53 | 	/* 0x007c */ unsigned long CoverageSectionSize;
54 | 	/* 0x0080 */ void* CoverageSection;
55 | 	/* 0x0088 */ void* LoadedImports;
56 | 	/* 0x0090 */ void* Spare;
57 | 	/* 0x0098 */ unsigned long SizeOfImageNotRounded;
58 | 	/* 0x009c */ unsigned long TimeDateStamp;
59 | } KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY; /* size: 0x00a0 */
60 | 
61 | typedef struct _ETHREAD_META
62 | {
63 | 	char pad_0x0008[0x448]; //0x0008
64 | 	PVOID StartAddress; //0x0450 
65 | 	char pad_0x0458[0x20]; //0x0458
66 | 	_CLIENT_ID Cid; //0x0478 
67 | 	char pad_0x0480[0x50]; //0x0480
68 | 	PVOID Win32StartAddress; //0x04D0 
69 | 	char pad_0x04D8[0x10]; //0x04D8
70 | 	struct _LIST_ENTRY ThreadListEntry; //0x04E8 
71 | } ETHREAD_META, *PETHREAD_META; 
72 | 
73 | #define make_ptr(ptr, offset) ((uintptr_t)(ptr) + (uintptr_t)(offset))
74 | 
75 | extern "C"
76 | {
77 | 	PLIST_ENTRY NTKERNELAPI PsLoadedModuleList;
78 | 	NTKERNELAPI PVOID NTAPI RtlFindExportedRoutineByName(_In_ PVOID ImageBase, _In_ PCCH RoutineName);
79 | 	NTKERNELAPI NTSTATUS ObReferenceObjectByName(IN PUNICODE_STRING ObjectName, IN ULONG Attributes, IN PACCESS_STATE PassedAccessState, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, IN OUT PVOID ParseContext, OUT PVOID* Object);
80 | }
81 | 


--------------------------------------------------------------------------------
/kernel/library/utils.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | UNICODE_STRING ansi_to_unicode(const char* str)
 4 | {
 5 | 	UNICODE_STRING unicode;
 6 | 	ANSI_STRING ansi_str;
 7 | 
 8 | 	RtlInitAnsiString(&ansi_str, str);
 9 | 	RtlAnsiStringToUnicodeString(&unicode, &ansi_str, TRUE);
10 | 
11 | 	return unicode;
12 | }
13 | 
14 | PVOID get_kernel_proc_address(const char* system_routine_name)
15 | {
16 | 	UNICODE_STRING name;
17 | 	ANSI_STRING ansi_str;
18 | 
19 | 	RtlInitAnsiString(&ansi_str, system_routine_name);
20 | 	RtlAnsiStringToUnicodeString(&name, &ansi_str, TRUE);
21 | 
22 | 	return MmGetSystemRoutineAddress(&name);
23 | }
24 | 
25 | PVOID get_module_base(const char* module_name, ULONG* size_module)
26 | {
27 | 	PLIST_ENTRY ps_loaded_module_list = PsLoadedModuleList;
28 | 	if (!ps_loaded_module_list)
29 | 		return (PVOID)NULL;
30 | 
31 | 	UNICODE_STRING name = ansi_to_unicode(module_name);
32 | 	for (PLIST_ENTRY link = ps_loaded_module_list; link != ps_loaded_module_list->Blink; link = link->Flink)
33 | 	{
34 | 		PLDR_DATA_TABLE_ENTRY entry = CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList);
35 | 
36 | 		if (RtlEqualUnicodeString((PCUNICODE_STRING)&entry->BaseDllName, (PCUNICODE_STRING)&name, TRUE))
37 | 		{
38 | 			if (size_module != 0)
39 | 				*size_module = entry->SizeOfImage;
40 | 
41 | 			return (PVOID)entry->DllBase;
42 | 		}
43 | 	}
44 | 
45 | 	return (PVOID)NULL;
46 | }
47 | 
48 | PVOID get_system_base_export(const char* module_name, LPCSTR routine_name)
49 | {
50 | 	PVOID image_base = get_module_base(module_name, 0);
51 | 	if (!image_base)
52 | 		return 0;
53 | 
54 | 	return RtlFindExportedRoutineByName(image_base, routine_name);
55 | }
56 | 


--------------------------------------------------------------------------------