├── QQ截图20230818115205.png
├── README.md
├── enum_real_dirbase
    ├── enum_real_dirbase.vcxproj.filters
    ├── enum_real_dirbase.inf
    ├── enum_real_dirbase.vcxproj
    └── main.cpp
├── enum_real_dirbase.sln
├── .gitattributes
└── .gitignore


/QQ截图20230818115205.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MapleSwan/enum_real_dirbase/HEAD/QQ截图20230818115205.png


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # enum_real_dirbase
2 | ![Image text](https://github.com/Rythorndoran/enum_real_dirbase/blob/master/QQ%E6%88%AA%E5%9B%BE20230818115205.png)
3 | 


--------------------------------------------------------------------------------
/enum_real_dirbase/enum_real_dirbase.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="Driver Files">
17 |       <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
18 |       <Extensions>inf;inv;inx;mof;mc;</Extensions>
19 |     </Filter>
20 |   </ItemGroup>
21 |   <ItemGroup>
22 |     <Inf Include="enum_real_dirbase.inf">
23 |       <Filter>Driver Files</Filter>
24 |     </Inf>
25 |   </ItemGroup>
26 |   <ItemGroup>
27 |     <ClCompile Include="main.cpp">
28 |       <Filter>Source Files</Filter>
29 |     </ClCompile>
30 |   </ItemGroup>
31 | </Project>


--------------------------------------------------------------------------------
/enum_real_dirbase.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.6.33815.320
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "enum_real_dirbase", "enum_real_dirbase\enum_real_dirbase.vcxproj", "{5361CFD3-1F11-4DAC-91DA-48572399DB3E}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|ARM64 = Debug|ARM64
11 | 		Debug|x64 = Debug|x64
12 | 		Release|ARM64 = Release|ARM64
13 | 		Release|x64 = Release|x64
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{5361CFD3-1F11-4DAC-91DA-48572399DB3E}.Debug|ARM64.ActiveCfg = Debug|ARM64
17 | 		{5361CFD3-1F11-4DAC-91DA-48572399DB3E}.Debug|ARM64.Build.0 = Debug|ARM64
18 | 		{5361CFD3-1F11-4DAC-91DA-48572399DB3E}.Debug|ARM64.Deploy.0 = Debug|ARM64
19 | 		{5361CFD3-1F11-4DAC-91DA-48572399DB3E}.Debug|x64.ActiveCfg = Debug|x64
20 | 		{5361CFD3-1F11-4DAC-91DA-48572399DB3E}.Debug|x64.Build.0 = Debug|x64
21 | 		{5361CFD3-1F11-4DAC-91DA-48572399DB3E}.Debug|x64.Deploy.0 = Debug|x64
22 | 		{5361CFD3-1F11-4DAC-91DA-48572399DB3E}.Release|ARM64.ActiveCfg = Release|ARM64
23 | 		{5361CFD3-1F11-4DAC-91DA-48572399DB3E}.Release|ARM64.Build.0 = Release|ARM64
24 | 		{5361CFD3-1F11-4DAC-91DA-48572399DB3E}.Release|ARM64.Deploy.0 = Release|ARM64
25 | 		{5361CFD3-1F11-4DAC-91DA-48572399DB3E}.Release|x64.ActiveCfg = Release|x64
26 | 		{5361CFD3-1F11-4DAC-91DA-48572399DB3E}.Release|x64.Build.0 = Release|x64
27 | 		{5361CFD3-1F11-4DAC-91DA-48572399DB3E}.Release|x64.Deploy.0 = Release|x64
28 | 	EndGlobalSection
29 | 	GlobalSection(SolutionProperties) = preSolution
30 | 		HideSolutionNode = FALSE
31 | 	EndGlobalSection
32 | 	GlobalSection(ExtensibilityGlobals) = postSolution
33 | 		SolutionGuid = {8FAC03B3-F1F1-4103-AE1F-9C322740E42B}
34 | 	EndGlobalSection
35 | EndGlobal
36 | 


--------------------------------------------------------------------------------
/enum_real_dirbase/enum_real_dirbase.inf:
--------------------------------------------------------------------------------
 1 | ;
 2 | ; enum_real_dirbase.inf
 3 | ;
 4 | 
 5 | [Version]
 6 | Signature="$WINDOWS NT$"
 7 | Class=System ; TODO: specify appropriate Class
 8 | ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318} ; TODO: specify appropriate ClassGuid
 9 | Provider=%ManufacturerName%
10 | CatalogFile=enum_real_dirbase.cat
11 | DriverVer= ; TODO: set DriverVer in stampinf property pages
12 | PnpLockdown=1
13 | 
14 | [DestinationDirs]
15 | DefaultDestDir = 12
16 | enum_real_dirbase_Device_CoInstaller_CopyFiles = 11
17 | 
18 | [SourceDisksNames]
19 | 1 = %DiskName%,,,""
20 | 
21 | [SourceDisksFiles]
22 | enum_real_dirbase.sys  = 1,,
23 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
24 | 
25 | ;*****************************************
26 | ; Install Section
27 | ;*****************************************
28 | 
29 | [Manufacturer]
30 | %ManufacturerName%=Standard,NT$ARCH$
31 | 
32 | [Standard.NT$ARCH$]
33 | %enum_real_dirbase.DeviceDesc%=enum_real_dirbase_Device, Root\enum_real_dirbase ; TODO: edit hw-id
34 | 
35 | [enum_real_dirbase_Device.NT]
36 | CopyFiles=Drivers_Dir
37 | 
38 | [Drivers_Dir]
39 | enum_real_dirbase.sys
40 | 
41 | ;-------------- Service installation
42 | [enum_real_dirbase_Device.NT.Services]
43 | AddService = enum_real_dirbase,%SPSVCINST_ASSOCSERVICE%, enum_real_dirbase_Service_Inst
44 | 
45 | ; -------------- enum_real_dirbase driver install sections
46 | [enum_real_dirbase_Service_Inst]
47 | DisplayName    = %enum_real_dirbase.SVCDESC%
48 | ServiceType    = 1               ; SERVICE_KERNEL_DRIVER
49 | StartType      = 3               ; SERVICE_DEMAND_START
50 | ErrorControl   = 1               ; SERVICE_ERROR_NORMAL
51 | ServiceBinary  = %12%\enum_real_dirbase.sys
52 | 
53 | ;
54 | ;--- enum_real_dirbase_Device Coinstaller installation ------
55 | ;
56 | 
57 | [enum_real_dirbase_Device.NT.CoInstallers]
58 | AddReg=enum_real_dirbase_Device_CoInstaller_AddReg
59 | CopyFiles=enum_real_dirbase_Device_CoInstaller_CopyFiles
60 | 
61 | [enum_real_dirbase_Device_CoInstaller_AddReg]
62 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
63 | 
64 | [enum_real_dirbase_Device_CoInstaller_CopyFiles]
65 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
66 | 
67 | [enum_real_dirbase_Device.NT.Wdf]
68 | KmdfService =  enum_real_dirbase, enum_real_dirbase_wdfsect
69 | [enum_real_dirbase_wdfsect]
70 | KmdfLibraryVersion = $KMDFVERSION$
71 | 
72 | [Strings]
73 | SPSVCINST_ASSOCSERVICE= 0x00000002
74 | ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
75 | DiskName = "enum_real_dirbase Installation Disk"
76 | enum_real_dirbase.DeviceDesc = "enum_real_dirbase Device"
77 | enum_real_dirbase.SVCDESC = "enum_real_dirbase Service"
78 | 


--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
 1 | ###############################################################################
 2 | # Set default behavior to automatically normalize line endings.
 3 | ###############################################################################
 4 | * text=auto
 5 | 
 6 | ###############################################################################
 7 | # Set default behavior for command prompt diff.
 8 | #
 9 | # This is need for earlier builds of msysgit that does not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs     diff=csharp
14 | 
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following 
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln       merge=binary
26 | #*.csproj    merge=binary
27 | #*.vbproj    merge=binary
28 | #*.vcxproj   merge=binary
29 | #*.vcproj    merge=binary
30 | #*.dbproj    merge=binary
31 | #*.fsproj    merge=binary
32 | #*.lsproj    merge=binary
33 | #*.wixproj   merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj   merge=binary
36 | #*.wwaproj   merge=binary
37 | 
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg   binary
44 | #*.png   binary
45 | #*.gif   binary
46 | 
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | # 
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the 
52 | # entries below.
53 | ###############################################################################
54 | #*.doc   diff=astextplain
55 | #*.DOC   diff=astextplain
56 | #*.docx  diff=astextplain
57 | #*.DOCX  diff=astextplain
58 | #*.dot   diff=astextplain
59 | #*.DOT   diff=astextplain
60 | #*.pdf   diff=astextplain
61 | #*.PDF   diff=astextplain
62 | #*.rtf   diff=astextplain
63 | #*.RTF   diff=astextplain
64 | 


--------------------------------------------------------------------------------
/enum_real_dirbase/enum_real_dirbase.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|x64">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>x64</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|x64">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>x64</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|ARM64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>ARM64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|ARM64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>ARM64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <ProjectGuid>{5361CFD3-1F11-4DAC-91DA-48572399DB3E}</ProjectGuid>
 23 |     <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
 24 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
 25 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
 26 |     <Configuration>Debug</Configuration>
 27 |     <Platform Condition="'$(Platform)' == ''">x64</Platform>
 28 |     <RootNamespace>enum_real_dirbase</RootNamespace>
 29 |     <WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
 30 |   </PropertyGroup>
 31 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 32 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 33 |     <TargetVersion>Windows10</TargetVersion>
 34 |     <UseDebugLibraries>true</UseDebugLibraries>
 35 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 36 |     <ConfigurationType>Driver</ConfigurationType>
 37 |     <DriverType>KMDF</DriverType>
 38 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 39 |     <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
 40 |   </PropertyGroup>
 41 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 42 |     <TargetVersion>Windows10</TargetVersion>
 43 |     <UseDebugLibraries>false</UseDebugLibraries>
 44 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 45 |     <ConfigurationType>Driver</ConfigurationType>
 46 |     <DriverType>KMDF</DriverType>
 47 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 48 |     <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
 49 |   </PropertyGroup>
 50 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
 51 |     <TargetVersion>Windows10</TargetVersion>
 52 |     <UseDebugLibraries>true</UseDebugLibraries>
 53 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 54 |     <ConfigurationType>Driver</ConfigurationType>
 55 |     <DriverType>KMDF</DriverType>
 56 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 57 |   </PropertyGroup>
 58 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
 59 |     <TargetVersion>Windows10</TargetVersion>
 60 |     <UseDebugLibraries>false</UseDebugLibraries>
 61 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 62 |     <ConfigurationType>Driver</ConfigurationType>
 63 |     <DriverType>KMDF</DriverType>
 64 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 65 |   </PropertyGroup>
 66 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 67 |   <ImportGroup Label="ExtensionSettings">
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup />
 74 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 75 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
 76 |     <IncludePath>$(VC_IncludePath);$(IncludePath);$(KMDF_INC_PATH)$(KMDF_VER_PATH)</IncludePath>
 77 |   </PropertyGroup>
 78 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 79 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
 80 |   </PropertyGroup>
 81 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
 82 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
 83 |   </PropertyGroup>
 84 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
 85 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
 86 |   </PropertyGroup>
 87 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 88 |     <DriverSign>
 89 |       <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
 90 |     </DriverSign>
 91 |     <ClCompile>
 92 |       <LanguageStandard>stdcpp20</LanguageStandard>
 93 |     </ClCompile>
 94 |   </ItemDefinitionGroup>
 95 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 96 |     <DriverSign>
 97 |       <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
 98 |     </DriverSign>
 99 |     <ClCompile>
100 |       <LanguageStandard>stdcpp20</LanguageStandard>
101 |     </ClCompile>
102 |   </ItemDefinitionGroup>
103 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
104 |     <DriverSign>
105 |       <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
106 |     </DriverSign>
107 |   </ItemDefinitionGroup>
108 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
109 |     <DriverSign>
110 |       <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
111 |     </DriverSign>
112 |   </ItemDefinitionGroup>
113 |   <ItemGroup>
114 |     <Inf Include="enum_real_dirbase.inf" />
115 |   </ItemGroup>
116 |   <ItemGroup>
117 |     <FilesToPackage Include="$(TargetPath)" />
118 |   </ItemGroup>
119 |   <ItemGroup>
120 |     <ClCompile Include="main.cpp" />
121 |   </ItemGroup>
122 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
123 |   <ImportGroup Label="ExtensionTargets">
124 |   </ImportGroup>
125 | </Project>


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
  5 | 
  6 | # User-specific files
  7 | *.rsuser
  8 | *.suo
  9 | *.user
 10 | *.userosscache
 11 | *.sln.docstates
 12 | 
 13 | # User-specific files (MonoDevelop/Xamarin Studio)
 14 | *.userprefs
 15 | 
 16 | # Mono auto generated files
 17 | mono_crash.*
 18 | 
 19 | # Build results
 20 | [Dd]ebug/
 21 | [Dd]ebugPublic/
 22 | [Rr]elease/
 23 | [Rr]eleases/
 24 | x64/
 25 | x86/
 26 | [Ww][Ii][Nn]32/
 27 | [Aa][Rr][Mm]/
 28 | [Aa][Rr][Mm]64/
 29 | bld/
 30 | [Bb]in/
 31 | [Oo]bj/
 32 | [Oo]ut/
 33 | [Ll]og/
 34 | [Ll]ogs/
 35 | 
 36 | # Visual Studio 2015/2017 cache/options directory
 37 | .vs/
 38 | # Uncomment if you have tasks that create the project's static files in wwwroot
 39 | #wwwroot/
 40 | 
 41 | # Visual Studio 2017 auto generated files
 42 | Generated\ Files/
 43 | 
 44 | # MSTest test Results
 45 | [Tt]est[Rr]esult*/
 46 | [Bb]uild[Ll]og.*
 47 | 
 48 | # NUnit
 49 | *.VisualState.xml
 50 | TestResult.xml
 51 | nunit-*.xml
 52 | 
 53 | # Build Results of an ATL Project
 54 | [Dd]ebugPS/
 55 | [Rr]eleasePS/
 56 | dlldata.c
 57 | 
 58 | # Benchmark Results
 59 | BenchmarkDotNet.Artifacts/
 60 | 
 61 | # .NET Core
 62 | project.lock.json
 63 | project.fragment.lock.json
 64 | artifacts/
 65 | 
 66 | # ASP.NET Scaffolding
 67 | ScaffoldingReadMe.txt
 68 | 
 69 | # StyleCop
 70 | StyleCopReport.xml
 71 | 
 72 | # Files built by Visual Studio
 73 | *_i.c
 74 | *_p.c
 75 | *_h.h
 76 | *.ilk
 77 | *.meta
 78 | *.obj
 79 | *.iobj
 80 | *.pch
 81 | *.pdb
 82 | *.ipdb
 83 | *.pgc
 84 | *.pgd
 85 | *.rsp
 86 | *.sbr
 87 | *.tlb
 88 | *.tli
 89 | *.tlh
 90 | *.tmp
 91 | *.tmp_proj
 92 | *_wpftmp.csproj
 93 | *.log
 94 | *.vspscc
 95 | *.vssscc
 96 | .builds
 97 | *.pidb
 98 | *.svclog
 99 | *.scc
100 | 
101 | # Chutzpah Test files
102 | _Chutzpah*
103 | 
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 | 
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 | 
121 | # Visual Studio Trace Files
122 | *.e2e
123 | 
124 | # TFS 2012 Local Workspace
125 | $tf/
126 | 
127 | # Guidance Automation Toolkit
128 | *.gpState
129 | 
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 | 
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 | 
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 | 
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 | 
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 | 
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 | 
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 | 
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 | 
163 | # Web workbench (sass)
164 | .sass-cache/
165 | 
166 | # Installshield output folder
167 | [Ee]xpress/
168 | 
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 | 
179 | # Click-Once directory
180 | publish/
181 | 
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 | 
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 | 
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produces more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 | 
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 | 
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 | 
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 | 
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 | 
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 | 
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 | 
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 | 
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 | 
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 | 
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 | 
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 | 
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 | 
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 | 
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 | 
288 | # Visual Studio 6 build log
289 | *.plg
290 | 
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 | 
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 | 
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 | 
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 | 
309 | # FAKE - F# Make
310 | .fake/
311 | 
312 | # CodeRush personal settings
313 | .cr/personal
314 | 
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 | 
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 | 
323 | # Tabs Studio
324 | *.tss
325 | 
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 | 
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 | 
335 | # OpenCover UI analysis results
336 | OpenCover/
337 | 
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 | 
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 | 
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 | 
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 | 
350 | # Local History for Visual Studio
351 | .localhistory/
352 | 
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 | 
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 | 
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 | 
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd


--------------------------------------------------------------------------------
/enum_real_dirbase/main.cpp:
--------------------------------------------------------------------------------
  1 | #include <ntifs.h>
  2 | #include <ntimage.h>
  3 | #include <stdint.h>
  4 | #include <intrin.h>
  5 | EXTERN_C NTSYSAPI CHAR *PsGetProcessImageFileName(__in uintptr_t Process);
  6 | constexpr auto cr3_pfn(uint64_t _cr3) -> uint64_t { return ((_cr3 & 0xFFFFFFFFF000) >> 12); }
  7 | constexpr auto cr3_dirbase(uint64_t _cr3) -> uint64_t { return (_cr3 & 0xFFFFFFFFF000); }
  8 | 
  9 | #pragma warning(push)
 10 | #pragma warning(disable:4201)
 11 | struct _MMPFN {
 12 | 	uintptr_t flags;
 13 | 	uintptr_t pte_address;
 14 | 	uintptr_t Unused_1;
 15 | 	uintptr_t Unused_2;
 16 | 	uintptr_t Unused_3;
 17 | 	uintptr_t Unused_4;
 18 | };
 19 | static_assert(sizeof(_MMPFN) == 0x30);
 20 | 
 21 | typedef union {
 22 | 	struct {
 23 | 		uint64_t reserved1 : 3;
 24 | 		uint64_t page_level_write_through : 1;
 25 | 		uint64_t page_level_cache_disable : 1;
 26 | 		uint64_t reserved2 : 7;
 27 | 		uint64_t address_of_page_directory : 36;
 28 | 		uint64_t reserved3 : 16;
 29 | 	};
 30 | 	uint64_t flags;
 31 | } cr3;
 32 | static_assert(sizeof(cr3) == 0x8);
 33 | 
 34 | typedef union {
 35 | 	struct {
 36 | 		uint64_t present : 1;
 37 | 		uint64_t write : 1;
 38 | 		uint64_t supervisor : 1;
 39 | 		uint64_t page_level_write_through : 1;
 40 | 		uint64_t page_level_cache_disable : 1;
 41 | 		uint64_t accessed : 1;
 42 | 		uint64_t dirty : 1;
 43 | 		uint64_t large_page : 1;
 44 | 		uint64_t global : 1;
 45 | 		uint64_t ignored_1 : 2;
 46 | 		uint64_t restart : 1;
 47 | 		uint64_t page_frame_number : 36;
 48 | 		uint64_t reserved1 : 4;
 49 | 		uint64_t ignored_2 : 7;
 50 | 		uint64_t protection_key : 4;
 51 | 		uint64_t execute_disable : 1;
 52 | 	};
 53 | 
 54 | 	uint64_t flags;
 55 | } pt_entry_64;
 56 | static_assert(sizeof(pt_entry_64) == 0x8);
 57 | #pragma warning(pop)
 58 | 
 59 | static uint64_t pte_base = 0;
 60 | static uint64_t pde_base = 0;
 61 | static uint64_t ppe_base = 0;
 62 | static uint64_t pxe_base = 0;
 63 | static uint64_t self_mapidx = 0;
 64 | static uint64_t mm_pfn_database = 0;
 65 | 
 66 | uint64_t get_dirbase() {
 67 | 	return __readcr3() & 0xFFFFFFFFFFFFF000;
 68 | }
 69 | 
 70 | void *phys_to_virt(uint64_t phys) {
 71 | 	PHYSICAL_ADDRESS phys_addr = { .QuadPart = (int64_t)(phys) };
 72 | 	return reinterpret_cast<void *>(MmGetVirtualForPhysical(phys_addr));
 73 | }
 74 | 
 75 | void init_pte_base() {
 76 | 	cr3 system_cr3 = { .flags = get_dirbase() };
 77 | 	uint64_t dirbase_phys = system_cr3.address_of_page_directory << 12;
 78 | 	pt_entry_64 *pt_entry = reinterpret_cast<pt_entry_64 *>(phys_to_virt(dirbase_phys));
 79 | 	for (uint64_t idx = 0; idx < 0x200; idx++) {
 80 | 		if (pt_entry[idx].page_frame_number == system_cr3.address_of_page_directory) {
 81 | 			pte_base = (idx + 0x1FFFE00ui64) << 39ui64;
 82 | 			pde_base = (idx << 30ui64) + pte_base;
 83 | 			ppe_base = (idx << 30ui64) + pte_base + (idx << 21ui64);
 84 | 			pxe_base = (idx << 12ui64) + ppe_base;
 85 | 			self_mapidx = idx;
 86 | 			DbgPrintEx(DPFLTR_IHVDRIVER_ID , DPFLTR_ERROR_LEVEL , "PteBase 0x%llx\n" , pte_base);
 87 | 			DbgPrintEx(DPFLTR_IHVDRIVER_ID , DPFLTR_ERROR_LEVEL , "PdeBase 0x%llx\n" , pde_base);
 88 | 			DbgPrintEx(DPFLTR_IHVDRIVER_ID , DPFLTR_ERROR_LEVEL , "PpeBase 0x%llx\n" , ppe_base);
 89 | 			DbgPrintEx(DPFLTR_IHVDRIVER_ID , DPFLTR_ERROR_LEVEL , "PxeBase 0x%llx\n" , pxe_base);
 90 | 			DbgPrintEx(DPFLTR_IHVDRIVER_ID , DPFLTR_ERROR_LEVEL , "idx 0x%llx\n" , idx);
 91 | 
 92 | 			break;
 93 | 		}
 94 | 	}
 95 | }
 96 | 
 97 | uintptr_t get_kernel_base() {
 98 | 	const auto idtbase = *reinterpret_cast<uint64_t *>(__readgsqword(0x18) + 0x38);
 99 | 	const auto descriptor_0 = *reinterpret_cast<uint64_t *>(idtbase);
100 | 	const auto descriptor_1 = *reinterpret_cast<uint64_t *>(idtbase + 8);
101 | 	const auto isr_base = ((descriptor_0 >> 32) & 0xFFFF0000) + (descriptor_0 & 0xFFFF) + (descriptor_1 << 32);
102 | 	auto align_base = isr_base & 0xFFFFFFFFFFFFF000;
103 | 
104 | 	for (; ; align_base -= 0x1000) {
105 | 		for (auto *search_base = reinterpret_cast<uint8_t *>(align_base); search_base < reinterpret_cast<uint8_t *>(align_base) + 0xFF9; search_base++) {
106 | 			if (search_base[0] == 0x48 &&
107 | 				search_base[1] == 0x8D &&
108 | 				search_base[2] == 0x1D &&
109 | 				search_base[6] == 0xFF) {
110 | 				const auto relative_offset = *reinterpret_cast<int *>(&search_base[3]);
111 | 				const auto address = reinterpret_cast<uint64_t>(search_base + relative_offset + 7);
112 | 				if ((address & 0xFFF) == 0) {
113 | 					if (*reinterpret_cast<uint16_t *>(address) == 0x5A4D) {
114 | 						return address;
115 | 					}
116 | 				}
117 | 			}
118 | 		}
119 | 	}
120 | }
121 | 
122 | uintptr_t search_pattern(void *module_handle , const char *signature_value) {
123 | 	static auto in_range = [] (auto x , auto a , auto b) { return (x >= a && x <= b); };
124 | 	static auto get_bits = [] (auto  x) { return (in_range((x & (~0x20)) , 'A' , 'F') ? ((x & (~0x20)) - 'A' + 0xa) : (in_range(x , '0' , '9') ? x - '0' : 0)); };
125 | 	static auto get_byte = [] (auto  x) { return (get_bits(x[0]) << 4 | get_bits(x[1])); };
126 | 
127 | 	const auto dos_headers = reinterpret_cast<PIMAGE_DOS_HEADER>(module_handle);
128 | 	const auto nt_headers = reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<uintptr_t>(module_handle) + dos_headers->e_lfanew);
129 | 
130 | 	const auto range_start = reinterpret_cast<uintptr_t>(module_handle);
131 | 	const auto range_end = range_start + nt_headers->OptionalHeader.SizeOfImage;
132 | 
133 | 	auto first_match = 0ui64;
134 | 	auto pat = signature_value;
135 | 
136 | 	for (uintptr_t cur = range_start; cur < range_end; cur++) {
137 | 		if (*pat == '\0') {
138 | 			return first_match;
139 | 		}
140 | 		if (*(uint8_t *)pat == '\?' || *reinterpret_cast<uint8_t *>(cur) == get_byte(pat)) {
141 | 			if (!first_match)
142 | 				first_match = cur;
143 | 
144 | 			if (!pat[2])
145 | 				return first_match;
146 | 
147 | 			if (*(uint16_t *)pat == 16191 || *(uint8_t *)pat != '\?') {
148 | 				pat += 3;
149 | 			}
150 | 			else {
151 | 				pat += 2;
152 | 			}
153 | 		}
154 | 		else {
155 | 			pat = signature_value;
156 | 			first_match = 0;
157 | 		}
158 | 	}
159 | 	return 0u;
160 | }
161 | 
162 | uintptr_t search_pattern(void *module_handle , const char *section , const char *signature_value) {
163 | 	static auto in_range = [] (auto x , auto a , auto b) { return (x >= a && x <= b); };
164 | 	static auto get_bits = [] (auto  x) { return (in_range((x & (~0x20)) , 'A' , 'F') ? ((x & (~0x20)) - 'A' + 0xa) : (in_range(x , '0' , '9') ? x - '0' : 0)); };
165 | 	static auto get_byte = [] (auto  x) { return (get_bits(x[0]) << 4 | get_bits(x[1])); };
166 | 
167 | 	const auto dos_headers = reinterpret_cast<PIMAGE_DOS_HEADER>(module_handle);
168 | 	const auto nt_headers = reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<uintptr_t>(module_handle) + dos_headers->e_lfanew);
169 | 	const auto section_headers = reinterpret_cast<PIMAGE_SECTION_HEADER>(nt_headers + 1);
170 | 
171 | 	auto range_start = 0ui64;
172 | 	auto range_end = 0ui64;
173 | 	for (auto cur_section = section_headers; cur_section < section_headers + nt_headers->FileHeader.NumberOfSections; cur_section++) {
174 | 		if (strcmp(reinterpret_cast<const char *>(cur_section->Name) , section) == 0) {
175 | 			range_start = reinterpret_cast<uintptr_t>(module_handle) + cur_section->VirtualAddress;
176 | 			range_end = range_start + cur_section->Misc.VirtualSize;
177 | 		}
178 | 	}
179 | 
180 | 	if (range_start == 0)
181 | 		return 0u;
182 | 
183 | 	auto first_match = 0ui64;
184 | 	auto pat = signature_value;
185 | 	for (uintptr_t cur = range_start; cur < range_end; cur++) {
186 | 		if (*pat == '\0') {
187 | 			return first_match;
188 | 		}
189 | 		if (*(uint8_t *)pat == '\?' || *reinterpret_cast<uint8_t *>(cur) == get_byte(pat)) {
190 | 			if (!first_match)
191 | 				first_match = cur;
192 | 
193 | 			if (!pat[2])
194 | 				return first_match;
195 | 
196 | 			if (*(uint16_t *)pat == 16191 || *(uint8_t *)pat != '\?') {
197 | 				pat += 3;
198 | 			}
199 | 			else {
200 | 				pat += 2;
201 | 			}
202 | 		}
203 | 		else {
204 | 			pat = signature_value;
205 | 			first_match = 0;
206 | 		}
207 | 	}
208 | 	return 0u;
209 | }
210 | 
211 | uintptr_t init_mmpfn_database() {
212 | 	auto search = search_pattern(reinterpret_cast<void *>(get_kernel_base()) , ".text" , "B9 ? ? ? ? 48 8B 05 ? ? ? ? 48 89 43 18") + 5;
213 | 	auto resolved_base = search + *reinterpret_cast<int32_t *>(search + 3) + 7;
214 | 	mm_pfn_database = *reinterpret_cast<uintptr_t *>(resolved_base);
215 | 	return mm_pfn_database;
216 | }
217 | 
218 | void enum_process_dirbase() {
219 | 	auto mem_range = MmGetPhysicalMemoryRanges();
220 | 	auto mem_range_count = 0;
221 | 	static const uint64_t cr3_ptebase = self_mapidx * 8 + pxe_base;
222 | 	DbgPrintEx(DPFLTR_IHVDRIVER_ID , DPFLTR_ERROR_LEVEL , "cr3 ptebase 0x%llx\n" , cr3_ptebase);
223 | 
224 | 	for (mem_range_count = 0; mem_range_count < 200; mem_range_count++) {
225 | 
226 | 		if (mem_range[mem_range_count].BaseAddress.QuadPart == 0 && mem_range[mem_range_count].NumberOfBytes.QuadPart == 0)
227 | 			break;
228 | 
229 | 		auto start_pfn = mem_range[mem_range_count].BaseAddress.QuadPart >> 12;
230 | 		auto end_pfn = start_pfn + (mem_range[mem_range_count].NumberOfBytes.QuadPart >> 12);
231 | 
232 | 		for (auto i = start_pfn; i < end_pfn; i++) {
233 | 			auto cur_mmpfn = reinterpret_cast<_MMPFN *>(mm_pfn_database + 0x30 * i);
234 | 			if (cur_mmpfn->flags) {
235 | 				if (cur_mmpfn->flags == 1) continue;
236 | 				if (cur_mmpfn->pte_address != cr3_ptebase) continue;
237 | 				auto decrypted_eprocess = ((cur_mmpfn->flags | 0xF000000000000000) >> 0xd) | 0xFFFF000000000000;
238 | 				auto dirbase = i << 12;
239 | 				if (MmIsAddressValid(reinterpret_cast<void *>(decrypted_eprocess))) {
240 | 					DbgPrintEx(DPFLTR_IHVDRIVER_ID , DPFLTR_ERROR_LEVEL , "Process -> 0x%llx\nProcessName -> %s\nDirBase -> 0x%llx\n\n" , decrypted_eprocess , PsGetProcessImageFileName(decrypted_eprocess) , dirbase);
241 | 				}
242 | 			}
243 | 		}
244 | 
245 | 
246 | 	}
247 | }
248 | 
249 | 
250 | EXTERN_C NTSTATUS DriverEntry() {
251 | 	init_pte_base();
252 | 	init_mmpfn_database();
253 | 	enum_process_dirbase();
254 | 	return STATUS_SUCCESS;
255 | }


--------------------------------------------------------------------------------