├── IOCTL_Define.h
├── Main.c
├── RemoveTrace.h
├── TECH.sln
├── TECH.vcxproj
├── TECH.vcxproj.filters
└── TECH.vcxproj.user


/IOCTL_Define.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <ntifs.h>
 3 | #include <ntstrsafe.h>
 4 | 
 5 | #define DRIVER_NAME L"HONGZ"
 6 | #define DRIVER_DEVICE_NAME     L"\\Device\\HONGZ"
 7 | #define DRIVER_DOS_DEVICE_NAME L"\\DosDevices\\HONGZ"
 8 | #define DRIVER_DEVICE_PATH  L"\\\\.\\HONGZ"
 9 | #define DRIVER_DEVICE_TYPE 0x00000022
10 | 
11 | #define IOCTL_DRIVER_INIT ((ULONG)CTL_CODE(DRIVER_DEVICE_TYPE, 4100, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS))
12 | #define IOCTL_DRIVER_GET_BASE_ADDRESS ((ULONG)CTL_CODE(DRIVER_DEVICE_TYPE, 4200, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS))
13 | #define IOCTL_DRIVER_MANAGE_MEMORY ((ULONG)CTL_CODE(DRIVER_DEVICE_TYPE, 4300, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS))
14 | 
15 | typedef struct _DRIVER_INIT {
16 | 	ULONG ProcessId;
17 | } DRIVER_INIT, *PDRIVER_INIT;
18 | 
19 | typedef struct _DRIVER_MANAGE_MEMORY {
20 | 	ULONGLONG Src;
21 | 	ULONGLONG Dst;
22 | 	ULONGLONG Size;
23 | 	BOOLEAN isWrite;
24 | 	BOOLEAN isIgnoreProtect;
25 | } DRIVER_MANAGE_MEMORY, *PDRIVER_MANAGE_MEMORY;
26 | 
27 | typedef struct _GET_BASE_ADDRESS
28 | {
29 | 	ULONGLONG *Result;
30 | } GET_BASE_ADDRESS, *PGET_BASE_ADDRESS;
31 | 
32 | #define IOCTL_SET_GUARDED_REGION            \
33 |     CTL_CODE(                               \
34 |         DRIVER_DEVICE_TYPE,                 \
35 |         4400,                               \
36 |         METHOD_BUFFERED,                    \
37 |         FILE_READ_ACCESS | FILE_WRITE_ACCESS)
38 | 
39 | #define IOCTL_READ_GUARDED_REGION           \
40 |     CTL_CODE(                               \
41 |         DRIVER_DEVICE_TYPE,                 \
42 |         4500,                               \
43 |         METHOD_BUFFERED,                    \
44 |         FILE_READ_ACCESS | FILE_WRITE_ACCESS)
45 | 
46 | typedef struct _SYSTEM_BIGPOOL_ENTRY
47 | {
48 |     union {
49 |         PVOID VirtualAddress;
50 |         ULONG_PTR NonPaged : 1;
51 |     };
52 |     ULONG_PTR SizeInBytes;
53 |     union {
54 |         UCHAR Tag[4];
55 |         ULONG TagUlong;
56 |     };
57 | } SYSTEM_BIGPOOL_ENTRY, * PSYSTEM_BIGPOOL_ENTRY;
58 | 
59 | #ifdef __cplusplus
60 | extern "C" {
61 | #endif
62 |     int _fltused = 0; // it should be a single underscore since the double one is the mangled name
63 | #ifdef __cplusplus
64 | }
65 | #endif
66 | 
67 | typedef struct _READ_GUARDED_REGION_REQUEST {
68 | 	ULONG_PTR Displacement;
69 | 	PVOID Buffer;
70 | 	ULONG Size;
71 |     float X;
72 |     float Y;
73 | } READ_GUARDED_REGION_REQUEST, * PREAD_GUARDED_REGION_REQUEST;
74 | 
75 | typedef struct _KERNEL_READ_REQUEST
76 | {
77 |     DWORD_PTR TargetAddress;
78 |     DWORD_PTR ResponseAddress;
79 |     ULONG Size;
80 | } KERNEL_READ_REQUEST, * PKERNEL_READ_REQUEST;
81 | 
82 | typedef struct _READ_VIRTUAL_MEMORY_REQUEST {
83 |     ULONG_PTR Address;
84 |     ULONG Size;
85 | } READ_VIRTUAL_MEMORY_REQUEST, * PREAD_VIRTUAL_MEMORY_REQUEST;
86 | 
87 | typedef struct _SYSTEM_BIGPOOL_INFORMATION {
88 |     ULONG Count;
89 |     SYSTEM_BIGPOOL_ENTRY AllocatedInfo[ANYSIZE_ARRAY];
90 | } SYSTEM_BIGPOOL_INFORMATION, * PSYSTEM_BIGPOOL_INFORMATION;


--------------------------------------------------------------------------------
/Main.c:
--------------------------------------------------------------------------------
  1 | #include "IOCTL_Define.h"
  2 | #include "RemoveTrace.h"
  3 | 
  4 | PEPROCESS AttachedProcess;
  5 | NTKERNELAPI PVOID PsGetProcessSectionBaseAddress(PEPROCESS Process);
  6 | 
  7 | EXTERN_C
  8 | NTSTATUS
  9 | NTAPI
 10 | PsAcquireProcessExitSynchronization(
 11 | 	_In_ PEPROCESS Process
 12 | );
 13 | 
 14 | EXTERN_C
 15 | VOID
 16 | NTAPI
 17 | PsReleaseProcessExitSynchronization(
 18 | 	_In_ PEPROCESS Process
 19 | );
 20 | 
 21 | NTKERNELAPI NTSTATUS NTAPI MmCopyVirtualMemory(
 22 | 	IN PEPROCESS FromProcess,
 23 | 	IN PVOID FromAddress,
 24 | 	IN PEPROCESS ToProcess,
 25 | 	OUT PVOID ToAddress,
 26 | 	IN SIZE_T BufferSize,
 27 | 	IN KPROCESSOR_MODE PreviousMode,
 28 | 	OUT PSIZE_T NumberOfBytesCopied
 29 | );
 30 | 
 31 | NTSTATUS
 32 | ReadVirtualMemory(
 33 | 	HANDLE ProcessId,
 34 | 	ULONG_PTR Address,
 35 | 	PVOID pBuffer,
 36 | 	ULONG cbBuffer,
 37 | 	PULONG pcbRead
 38 | )
 39 | {
 40 | 	PEPROCESS pProcess = NULL;
 41 | 	BOOLEAN fHasProcessReference = FALSE;
 42 | 	BOOLEAN fHasProcessExitSynchronization = FALSE;
 43 | 	KAPC_STATE ApcState;
 44 | 	NTSTATUS ntstatus = STATUS_SUCCESS;
 45 | 
 46 | 	if (ARGUMENT_PRESENT(pcbRead))
 47 | 	{
 48 | 		*pcbRead = 0;
 49 | 	}
 50 | 
 51 | 	if (Address + cbBuffer < Address ||
 52 | 		Address + cbBuffer > (ULONG_PTR)MmHighestUserAddress ||
 53 | 		Address + cbBuffer > (ULONG_PTR)MmHighestUserAddress)
 54 | 	{
 55 | 		ntstatus = STATUS_ACCESS_VIOLATION;
 56 | 		goto exit;
 57 | 	}
 58 | 
 59 | 	ntstatus = PsLookupProcessByProcessId(ProcessId, &pProcess);
 60 | 	if (!NT_SUCCESS(ntstatus))
 61 | 	{
 62 | 		goto exit;
 63 | 	}
 64 | 
 65 | 	fHasProcessReference = TRUE;
 66 | 
 67 | 	ntstatus = PsAcquireProcessExitSynchronization(pProcess);
 68 | 	if (!NT_SUCCESS(ntstatus))
 69 | 	{
 70 | 		goto exit;
 71 | 	}
 72 | 
 73 | 	fHasProcessExitSynchronization = TRUE;
 74 | 
 75 | 	__try
 76 | 	{
 77 | 		__try
 78 | 		{
 79 | 			KeStackAttachProcess(pProcess, &ApcState);
 80 | 			RtlCopyMemory(pBuffer, (PVOID)Address, cbBuffer);
 81 | 		}
 82 | 		__finally
 83 | 		{
 84 | 			KeUnstackDetachProcess(&ApcState);
 85 | 		}
 86 | 	}
 87 | 	__except (EXCEPTION_EXECUTE_HANDLER)
 88 | 	{
 89 | 		ntstatus = STATUS_UNHANDLED_EXCEPTION;
 90 | 		goto exit;
 91 | 	}
 92 | 
 93 | 	if (ARGUMENT_PRESENT(pcbRead))
 94 | 	{
 95 | 		*pcbRead = cbBuffer;
 96 | 	}
 97 | 
 98 | exit:
 99 | 	if (fHasProcessExitSynchronization)
100 | 	{
101 | 		PsReleaseProcessExitSynchronization(pProcess);
102 | 	}
103 | 
104 | 	if (fHasProcessReference)
105 | 	{
106 | 		ObDereferenceObject(pProcess);
107 | 	}
108 | 
109 | 	return ntstatus;
110 | }
111 | 
112 | NTSTATUS MyReadMemory(IN PEPROCESS EProcess, IN PVOID BaseAddress, OUT PVOID Pbuff, IN ULONG BufferSize)
113 | {
114 | 	KAPC_STATE	ApcState;
115 | 	PVOID		readbuffer = NULL;
116 | 	NTSTATUS	status = STATUS_SUCCESS;
117 | 
118 | 	readbuffer = ExAllocatePoolWithTag(NonPagedPool, BufferSize, 'Sys');
119 | 
120 | 	if (readbuffer == NULL)
121 | 	{
122 | 		ObDereferenceObject(EProcess);
123 | 		ExFreePool(readbuffer);
124 | 		return(STATUS_UNSUCCESSFUL);
125 | 	}
126 | 	*(ULONG*)readbuffer = (ULONG)0x1;
127 | 
128 | 	KeStackAttachProcess(EProcess, &ApcState);
129 | 	if (MmIsAddressValid(BaseAddress))
130 | 	{
131 | 		__try
132 | 		{
133 | 			ProbeForRead((CONST PVOID) BaseAddress, BufferSize, sizeof(CHAR));
134 | 			RtlCopyMemory(readbuffer, BaseAddress, BufferSize);
135 | 		}
136 | 		__except (EXCEPTION_EXECUTE_HANDLER)
137 | 		{
138 | 			status = STATUS_UNSUCCESSFUL;
139 | 		}
140 | 	}
141 | 	else {
142 | 		status = STATUS_UNSUCCESSFUL;
143 | 	}
144 | 	KeUnstackDetachProcess(&ApcState);
145 | 
146 | 	if (NT_SUCCESS(status))
147 | 	{
148 | 		if (MmIsAddressValid(Pbuff))
149 | 		{
150 | 			__try
151 | 			{
152 | 				ProbeForWrite(Pbuff, BufferSize, sizeof(CHAR));
153 | 				RtlCopyMemory(Pbuff, readbuffer, BufferSize);
154 | 			}
155 | 			__except (EXCEPTION_EXECUTE_HANDLER)
156 | 			{
157 | 				status = STATUS_UNSUCCESSFUL;
158 | 			}
159 | 		}
160 | 		else {
161 | 			status = STATUS_UNSUCCESSFUL;
162 | 		}
163 | 	}
164 | 
165 | 	ExFreePool(readbuffer);
166 | 	return(status);
167 | }
168 | 
169 | NTSTATUS DriverCopy(IN PDRIVER_MANAGE_MEMORY copy) {
170 | 	NTSTATUS status = STATUS_SUCCESS;
171 | 	if (NT_SUCCESS(status)) {
172 | 		PEPROCESS sourceProcess, targetProcess;
173 | 		PVOID sourcePtr, targetPtr;
174 | 		if (copy->isWrite == FALSE) {
175 | 			sourceProcess = AttachedProcess;
176 | 			targetProcess = PsGetCurrentProcess();
177 | 			sourcePtr = (PVOID)copy->Dst;
178 | 			targetPtr = (PVOID)copy->Src;
179 | 		}
180 | 		else {
181 | 			sourceProcess = PsGetCurrentProcess();
182 | 			targetProcess = AttachedProcess;
183 | 			sourcePtr = (PVOID)copy->Src;
184 | 			targetPtr = (PVOID)copy->Dst;
185 | 		}
186 | 		ULONG bytes;
187 | 		if (copy->Dst < 0x7FFFFFFFFFFF)
188 | 		{
189 | 			if (copy->isIgnoreProtect)
190 | 			{
191 | 				PMDL mdl = IoAllocateMdl(targetPtr, copy->Size, FALSE, FALSE, NULL);
192 | 
193 | 				MmProbeAndLockProcessPages(mdl, targetProcess, KernelMode, IoReadAccess);
194 | 				void* map = MmMapLockedPagesSpecifyCache(mdl, KernelMode, MmNonCached, NULL, FALSE, NormalPagePriority);
195 | 				MmProtectMdlSystemAddress(mdl, PAGE_READWRITE);
196 | 
197 | 				RtlCopyMemory(map, sourcePtr, copy->Size);
198 | 
199 | 				MmUnmapLockedPages(map, mdl);
200 | 				MmUnlockPages(mdl);
201 | 				IoFreeMdl(mdl);
202 | 			}
203 | 			else
204 | 				status = MyReadMemory(sourceProcess, sourcePtr, targetPtr, copy->Size);
205 | 		}
206 | 	}
207 | 	return status;
208 | }
209 | 
210 | VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
211 | {
212 | 	UNICODE_STRING dosDeviceName;
213 | 	RtlUnicodeStringInit(&dosDeviceName, DRIVER_DOS_DEVICE_NAME);
214 | 	IoDeleteSymbolicLink(&dosDeviceName);
215 | 	IoDeleteDevice(DriverObject->DeviceObject);
216 | 	CleanUnloadedDrivers();
217 | }
218 | 
219 | PVOID GuardedRegionAddress = 0;
220 | 
221 | NTSTATUS
222 | SetGuardedRegion(
223 | )
224 | {
225 | 	PSYSTEM_BIGPOOL_INFORMATION pPoolInfo = 0;
226 | 	NTSTATUS ntstatus = STATUS_SUCCESS;
227 | 	ULONG infoLen = 0;
228 | 
229 | 	ntstatus = ZwQuerySystemInformation(SystemBigPoolInformation, &infoLen, 0, &infoLen);
230 | 	while (ntstatus == STATUS_INFO_LENGTH_MISMATCH)
231 | 	{
232 | 		if (pPoolInfo)
233 | 			ExFreePool(pPoolInfo);
234 | 
235 | 		pPoolInfo = (PSYSTEM_BIGPOOL_INFORMATION)ExAllocatePool(NonPagedPool, infoLen);
236 | 		ntstatus = ZwQuerySystemInformation(SystemBigPoolInformation, pPoolInfo, infoLen, &infoLen);
237 | 	}
238 | 
239 | 	if (pPoolInfo)
240 | 	{
241 | 		for (ULONG i = 0; i < pPoolInfo->Count; ++i)
242 | 		{
243 | 			SYSTEM_BIGPOOL_ENTRY* Entry = &pPoolInfo->AllocatedInfo[i];
244 | 			PVOID VirtualAddress = (PVOID)((uintptr_t)Entry->VirtualAddress & ~1ull);
245 | 			SIZE_T SizeInBytes = Entry->SizeInBytes;
246 | 			BOOLEAN NonPaged = Entry->NonPaged;
247 | 
248 | 			if (NonPaged && SizeInBytes == 0x200000)
249 | 			{
250 | 				ULONG Rsh_x24 = (*(uintptr_t*)((PBYTE)VirtualAddress + 0x50) >> 0x24);
251 | 
252 | 				if (Rsh_x24 == 0x8 || Rsh_x24 == 0x10)
253 | 				{
254 | 					GuardedRegionAddress = VirtualAddress;
255 | 				}
256 | 			}
257 | 		}
258 | 	}
259 | 
260 | 	if (!GuardedRegionAddress)
261 | 	{
262 | 		ntstatus = STATUS_UNSUCCESSFUL;
263 | 	}
264 | 
265 | exit:
266 | 	if (pPoolInfo)
267 | 	{
268 | 		ExFreePool(pPoolInfo);
269 | 	}
270 | 
271 | 	return ntstatus;
272 | }
273 | 
274 | NTSTATUS
275 | ReadGuardedRegion(
276 | 	ULONG_PTR Displacement,
277 | 	PVOID pBuffer,
278 | 	ULONG cbBuffer,
279 | 	PULONG pcbRead,
280 | 	float X,
281 | 	float Y
282 | )
283 | {
284 | 	NTSTATUS ntstatus = STATUS_SUCCESS;
285 | 
286 | 	if (!GuardedRegionAddress)
287 | 	{
288 | 		ntstatus = STATUS_UNSUCCESSFUL;
289 | 		goto exit;
290 | 	}
291 | 
292 | 	if (ARGUMENT_PRESENT(pcbRead))
293 | 	{
294 | 		*pcbRead = 0;
295 | 	}
296 | 
297 | 	__try
298 | 	{
299 | 		RtlCopyMemory(pBuffer, (PVOID)((PBYTE)GuardedRegionAddress + Displacement), cbBuffer);
300 | 
301 | 		if (X != 0.0f)
302 | 			*(float*)(PVOID)((PBYTE)GuardedRegionAddress + Displacement) = X;
303 | 		if (Y != 0.0f)
304 | 			*(float*)(PVOID)((PBYTE)GuardedRegionAddress + Displacement + 0x4) = Y;
305 | 	}
306 | 	__except (EXCEPTION_EXECUTE_HANDLER)
307 | 	{
308 | 		ntstatus = STATUS_UNHANDLED_EXCEPTION;
309 | 		goto exit;
310 | 	}
311 | 
312 | 	if (ARGUMENT_PRESENT(pcbRead))
313 | 	{
314 | 		*pcbRead = cbBuffer;
315 | 	}
316 | 
317 | exit:
318 | 	return ntstatus;
319 | }
320 | 
321 | NTSTATUS DriverDispatch(_In_ PDEVICE_OBJECT DeviceObject, _Inout_ PIRP Irp) {
322 | 	UNREFERENCED_PARAMETER(DeviceObject);
323 | 	Irp->IoStatus.Status = STATUS_SUCCESS;
324 | 	Irp->IoStatus.Information = 0;
325 | 	PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
326 | 	PVOID ioBuffer = Irp->AssociatedIrp.SystemBuffer;
327 | 	ULONG inputLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
328 | 	ULONG outbufLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
329 | 	if (irpStack->MajorFunction == IRP_MJ_DEVICE_CONTROL) {
330 | 		ULONG ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
331 | 		if (ioControlCode == IOCTL_DRIVER_INIT)
332 | 		{
333 | 			PDRIVER_INIT ReadInput = (PDRIVER_INIT)Irp->AssociatedIrp.SystemBuffer;
334 | 			PsLookupProcessByProcessId((HANDLE)ReadInput->ProcessId, &AttachedProcess);
335 | 			Irp->IoStatus.Status = STATUS_SUCCESS;
336 | 		}
337 | 		if (ioControlCode == IOCTL_DRIVER_MANAGE_MEMORY)
338 | 		{
339 | 			PKERNEL_READ_REQUEST pReadVirtualMemoryRequest = (PKERNEL_READ_REQUEST)Irp->AssociatedIrp.SystemBuffer;
340 | 			if (!pReadVirtualMemoryRequest)
341 | 			{
342 | 				Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
343 | 				goto exits;
344 | 			}
345 | 
346 | 			if (sizeof(*pReadVirtualMemoryRequest) != inputLength)
347 | 			{
348 | 				Irp->IoStatus.Status = STATUS_INFO_LENGTH_MISMATCH;
349 | 				goto exits;
350 | 			}
351 | 
352 | 			Irp->IoStatus.Status = MyReadMemory(
353 | 				AttachedProcess,
354 | 				pReadVirtualMemoryRequest->TargetAddress,
355 | 				pReadVirtualMemoryRequest->ResponseAddress,
356 | 				pReadVirtualMemoryRequest->Size);
357 | 
358 | 			if (!NT_SUCCESS(Irp->IoStatus.Status))
359 | 			{
360 | 				goto exits;
361 | 			}
362 | 
363 | 		exits:
364 | 			Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
365 | 		}
366 | 		if (ioControlCode == IOCTL_DRIVER_GET_BASE_ADDRESS)
367 | 		{
368 | 			PGET_BASE_ADDRESS ReadInput = (PGET_BASE_ADDRESS)Irp->AssociatedIrp.SystemBuffer;
369 | 			*ReadInput->Result = (ULONGLONG)PsGetProcessSectionBaseAddress(AttachedProcess);
370 | 			Irp->IoStatus.Status = STATUS_SUCCESS;
371 | 		}
372 | 		if (ioControlCode == IOCTL_SET_GUARDED_REGION)
373 | 		{
374 | 			SetGuardedRegion();
375 | 			Irp->IoStatus.Status = STATUS_SUCCESS;
376 | 		}
377 | 		if (ioControlCode == IOCTL_READ_GUARDED_REGION)
378 | 		{
379 | 			ULONG cbRead = 0;
380 | 			PREAD_GUARDED_REGION_REQUEST pReadGuardedRegionRequest = (PREAD_GUARDED_REGION_REQUEST)Irp->AssociatedIrp.SystemBuffer;
381 | 
382 | 			if (!pReadGuardedRegionRequest)
383 | 			{
384 | 				Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
385 | 				goto exit;
386 | 			}
387 | 
388 | 			if (sizeof(*pReadGuardedRegionRequest) != inputLength)
389 | 			{
390 | 				Irp->IoStatus.Status = STATUS_INFO_LENGTH_MISMATCH;
391 | 				goto exit;
392 | 			}
393 | 
394 | 			Irp->IoStatus.Status = ReadGuardedRegion(
395 | 				pReadGuardedRegionRequest->Displacement,
396 | 				pReadGuardedRegionRequest->Buffer,
397 | 				pReadGuardedRegionRequest->Size,
398 | 				&cbRead,
399 | 				pReadGuardedRegionRequest->X,
400 | 				pReadGuardedRegionRequest->Y);
401 | 
402 | 			if (!NT_SUCCESS(Irp->IoStatus.Status))
403 | 			{
404 | 				goto exit;
405 | 			}
406 | 		exit:
407 | 			Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
408 | 		}
409 | 	}
410 | 	NTSTATUS status = Irp->IoStatus.Status;
411 | 	IoCompleteRequest(Irp, IO_NO_INCREMENT);
412 | 	return status;
413 | }
414 | 
415 | NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) {
416 | 	DestroyDriverInformation(DriverObject, NULL, (ULONG64)DriverUnload, FALSE);
417 | 	NTSTATUS status = STATUS_SUCCESS;
418 | 	UNREFERENCED_PARAMETER(RegistryPath);
419 | 	UNICODE_STRING deviceName;
420 | 	RtlUnicodeStringInit(&deviceName, DRIVER_DEVICE_NAME);
421 | 	PDEVICE_OBJECT deviceObject = NULL;
422 | 	status = IoCreateDevice(DriverObject, 0, &deviceName, DRIVER_DEVICE_TYPE, 0, FALSE, &deviceObject);
423 | 	if (!NT_SUCCESS(status)) {
424 | 		return status;
425 | 	}
426 | 	DriverObject->MajorFunction[IRP_MJ_CREATE] = DriverDispatch;
427 | 	DriverObject->MajorFunction[IRP_MJ_CLOSE] = DriverDispatch;
428 | 	DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverDispatch;
429 | 	DriverObject->DriverUnload = DriverUnload;
430 | 	UNICODE_STRING dosDeviceName;
431 | 	RtlUnicodeStringInit(&dosDeviceName, DRIVER_DOS_DEVICE_NAME);
432 | 	status = IoCreateSymbolicLink(&dosDeviceName, &deviceName);
433 | 	if (!NT_SUCCESS(status)) {
434 | 		IoDeleteDevice(deviceObject);
435 | 	}
436 | 	return status;
437 | }


--------------------------------------------------------------------------------
/RemoveTrace.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Proaids26/Tech-Driver-Source/fbfde52696c9d8b33e85501833571200747203d4/RemoveTrace.h


--------------------------------------------------------------------------------
/TECH.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.32413.511
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ONZ", "TECH.vcxproj", "{97229AB9-D6C4-4681-933D-F3010BE364A2}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|ARM = Debug|ARM
11 | 		Debug|ARM64 = Debug|ARM64
12 | 		Debug|x64 = Debug|x64
13 | 		Debug|x86 = Debug|x86
14 | 		Release|ARM = Release|ARM
15 | 		Release|ARM64 = Release|ARM64
16 | 		Release|x64 = Release|x64
17 | 		Release|x86 = Release|x86
18 | 	EndGlobalSection
19 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Debug|ARM.ActiveCfg = Debug|ARM
21 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Debug|ARM.Build.0 = Debug|ARM
22 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Debug|ARM.Deploy.0 = Debug|ARM
23 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Debug|ARM64.ActiveCfg = Debug|ARM64
24 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Debug|ARM64.Build.0 = Debug|ARM64
25 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Debug|ARM64.Deploy.0 = Debug|ARM64
26 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Debug|x64.ActiveCfg = Debug|x64
27 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Debug|x64.Build.0 = Debug|x64
28 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Debug|x64.Deploy.0 = Debug|x64
29 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Debug|x86.ActiveCfg = Debug|Win32
30 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Debug|x86.Build.0 = Debug|Win32
31 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Debug|x86.Deploy.0 = Debug|Win32
32 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Release|ARM.ActiveCfg = Release|ARM
33 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Release|ARM.Build.0 = Release|ARM
34 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Release|ARM.Deploy.0 = Release|ARM
35 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Release|ARM64.ActiveCfg = Release|ARM64
36 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Release|ARM64.Build.0 = Release|ARM64
37 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Release|ARM64.Deploy.0 = Release|ARM64
38 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Release|x64.ActiveCfg = Release|x64
39 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Release|x64.Build.0 = Release|x64
40 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Release|x64.Deploy.0 = Release|x64
41 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Release|x86.ActiveCfg = Release|Win32
42 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Release|x86.Build.0 = Release|Win32
43 | 		{97229AB9-D6C4-4681-933D-F3010BE364A2}.Release|x86.Deploy.0 = Release|Win32
44 | 	EndGlobalSection
45 | 	GlobalSection(SolutionProperties) = preSolution
46 | 		HideSolutionNode = FALSE
47 | 	EndGlobalSection
48 | 	GlobalSection(ExtensibilityGlobals) = postSolution
49 | 		SolutionGuid = {96138221-0575-4EEB-BAA2-FCE340F1194E}
50 | 	EndGlobalSection
51 | EndGlobal
52 | 


--------------------------------------------------------------------------------
/TECH.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Debug|ARM">
 21 |       <Configuration>Debug</Configuration>
 22 |       <Platform>ARM</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|ARM">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>ARM</Platform>
 27 |     </ProjectConfiguration>
 28 |     <ProjectConfiguration Include="Debug|ARM64">
 29 |       <Configuration>Debug</Configuration>
 30 |       <Platform>ARM64</Platform>
 31 |     </ProjectConfiguration>
 32 |     <ProjectConfiguration Include="Release|ARM64">
 33 |       <Configuration>Release</Configuration>
 34 |       <Platform>ARM64</Platform>
 35 |     </ProjectConfiguration>
 36 |   </ItemGroup>
 37 |   <PropertyGroup Label="Globals">
 38 |     <ProjectGuid>{97229AB9-D6C4-4681-933D-F3010BE364A2}</ProjectGuid>
 39 |     <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
 40 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
 41 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
 42 |     <Configuration>Debug</Configuration>
 43 |     <Platform Condition="'$(Platform)' == ''">Win32</Platform>
 44 |     <RootNamespace>Kain_Kernel</RootNamespace>
 45 |     <ProjectName>TECH</ProjectName>
 46 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 47 |   </PropertyGroup>
 48 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 49 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 50 |     <TargetVersion>Windows10</TargetVersion>
 51 |     <UseDebugLibraries>true</UseDebugLibraries>
 52 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 53 |     <ConfigurationType>Driver</ConfigurationType>
 54 |     <DriverType>KMDF</DriverType>
 55 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 56 |   </PropertyGroup>
 57 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 58 |     <TargetVersion>Windows10</TargetVersion>
 59 |     <UseDebugLibraries>false</UseDebugLibraries>
 60 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 61 |     <ConfigurationType>Driver</ConfigurationType>
 62 |     <DriverType>KMDF</DriverType>
 63 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 64 |   </PropertyGroup>
 65 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 66 |     <TargetVersion>Windows10</TargetVersion>
 67 |     <UseDebugLibraries>true</UseDebugLibraries>
 68 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 69 |     <ConfigurationType>Driver</ConfigurationType>
 70 |     <DriverType>KMDF</DriverType>
 71 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 72 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 73 |     <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
 74 |   </PropertyGroup>
 75 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 76 |     <TargetVersion>Windows10</TargetVersion>
 77 |     <UseDebugLibraries>false</UseDebugLibraries>
 78 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 79 |     <ConfigurationType>Driver</ConfigurationType>
 80 |     <DriverType>KMDF</DriverType>
 81 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 82 |     <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
 83 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 84 |   </PropertyGroup>
 85 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
 86 |     <TargetVersion>Windows10</TargetVersion>
 87 |     <UseDebugLibraries>true</UseDebugLibraries>
 88 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 89 |     <ConfigurationType>Driver</ConfigurationType>
 90 |     <DriverType>KMDF</DriverType>
 91 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 92 |   </PropertyGroup>
 93 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
 94 |     <TargetVersion>Windows10</TargetVersion>
 95 |     <UseDebugLibraries>false</UseDebugLibraries>
 96 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 97 |     <ConfigurationType>Driver</ConfigurationType>
 98 |     <DriverType>KMDF</DriverType>
 99 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
100 |   </PropertyGroup>
101 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
102 |     <TargetVersion>Windows10</TargetVersion>
103 |     <UseDebugLibraries>true</UseDebugLibraries>
104 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
105 |     <ConfigurationType>Driver</ConfigurationType>
106 |     <DriverType>KMDF</DriverType>
107 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
108 |   </PropertyGroup>
109 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
110 |     <TargetVersion>Windows10</TargetVersion>
111 |     <UseDebugLibraries>false</UseDebugLibraries>
112 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
113 |     <ConfigurationType>Driver</ConfigurationType>
114 |     <DriverType>KMDF</DriverType>
115 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
116 |   </PropertyGroup>
117 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
118 |   <ImportGroup Label="ExtensionSettings">
119 |   </ImportGroup>
120 |   <ImportGroup Label="PropertySheets">
121 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
122 |   </ImportGroup>
123 |   <PropertyGroup Label="UserMacros" />
124 |   <PropertyGroup />
125 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
126 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
127 |   </PropertyGroup>
128 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
129 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
130 |   </PropertyGroup>
131 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
132 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
133 |   </PropertyGroup>
134 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
135 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
136 |     <EnableInf2cat>false</EnableInf2cat>
137 |     <TimeStampServer>http://timestamp.verisign.com/scripts/timstamp.dll</TimeStampServer>
138 |   </PropertyGroup>
139 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
140 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
141 |     <TimeStampServer>http://timestamp.globalsign.com/scripts/timstamp.dll</TimeStampServer>
142 |     <DisableProductionSignDebugWarnings>true</DisableProductionSignDebugWarnings>
143 |   </PropertyGroup>
144 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
145 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
146 |   </PropertyGroup>
147 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
148 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
149 |   </PropertyGroup>
150 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
151 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
152 |   </PropertyGroup>
153 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
154 |     <ClCompile>
155 |       <TreatWarningAsError>false</TreatWarningAsError>
156 |       <LanguageStandard>stdcpp17</LanguageStandard>
157 |     </ClCompile>
158 |     <Link>
159 |       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
160 |     </Link>
161 |   </ItemDefinitionGroup>
162 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
163 |     <ClCompile>
164 |       <Optimization>Full</Optimization>
165 |       <TreatWarningAsError>false</TreatWarningAsError>
166 |     </ClCompile>
167 |   </ItemDefinitionGroup>
168 |   <ItemGroup>
169 |     <FilesToPackage Include="$(TargetPath)" />
170 |   </ItemGroup>
171 |   <ItemGroup>
172 |     <ClInclude Include="IOCTL_Define.h" />
173 |     <ClInclude Include="RemoveTrace.h" />
174 |   </ItemGroup>
175 |   <ItemGroup>
176 |     <ClCompile Include="Main.c" />
177 |   </ItemGroup>
178 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
179 |   <ImportGroup Label="ExtensionTargets">
180 |   </ImportGroup>
181 | </Project>


--------------------------------------------------------------------------------
/TECH.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="Driver Files">
17 |       <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
18 |       <Extensions>inf;inv;inx;mof;mc;</Extensions>
19 |     </Filter>
20 |   </ItemGroup>
21 |   <ItemGroup>
22 |     <ClInclude Include="IOCTL_Define.h">
23 |       <Filter>Header Files</Filter>
24 |     </ClInclude>
25 |     <ClInclude Include="RemoveTrace.h">
26 |       <Filter>Header Files</Filter>
27 |     </ClInclude>
28 |   </ItemGroup>
29 |   <ItemGroup>
30 |     <ClCompile Include="Main.c">
31 |       <Filter>Source Files</Filter>
32 |     </ClCompile>
33 |   </ItemGroup>
34 | </Project>


--------------------------------------------------------------------------------
/TECH.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
4 |     <SignMode>Off</SignMode>
5 |     <DbgengKernelMachineName>New Computer</DbgengKernelMachineName>
6 |   </PropertyGroup>
7 | </Project>


--------------------------------------------------------------------------------