├── DisplayMiniportHooking.sln
├── DisplayMiniportHooking
    ├── DisplayMiniportHooking.cpp
    ├── DisplayMiniportHooking.h
    ├── DisplayMiniportHooking.inf
    ├── DisplayMiniportHooking.vcxproj
    ├── DisplayMiniportHooking.vcxproj.filters
    ├── DisplayMiniportHooking.vcxproj.user
    ├── DummyMiniport.h
    ├── Hooking.cpp
    ├── Hooking.h
    ├── RAIIUtils.h
    ├── common.cpp
    └── common.h
└── README.md


/DisplayMiniportHooking.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.30128.74
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DisplayMiniportHooking", "DisplayMiniportHooking\DisplayMiniportHooking.vcxproj", "{C47A81D0-B061-439E-89D1-25EDFBAA93E4}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|ARM = Debug|ARM
11 | 		Debug|ARM64 = Debug|ARM64
12 | 		Debug|x64 = Debug|x64
13 | 		Debug|x86 = Debug|x86
14 | 		Release|ARM = Release|ARM
15 | 		Release|ARM64 = Release|ARM64
16 | 		Release|x64 = Release|x64
17 | 		Release|x86 = Release|x86
18 | 	EndGlobalSection
19 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Debug|ARM.ActiveCfg = Debug|ARM
21 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Debug|ARM.Build.0 = Debug|ARM
22 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Debug|ARM.Deploy.0 = Debug|ARM
23 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Debug|ARM64.ActiveCfg = Debug|ARM64
24 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Debug|ARM64.Build.0 = Debug|ARM64
25 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Debug|ARM64.Deploy.0 = Debug|ARM64
26 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Debug|x64.ActiveCfg = Debug|x64
27 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Debug|x64.Build.0 = Debug|x64
28 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Debug|x64.Deploy.0 = Debug|x64
29 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Debug|x86.ActiveCfg = Debug|Win32
30 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Debug|x86.Build.0 = Debug|Win32
31 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Debug|x86.Deploy.0 = Debug|Win32
32 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Release|ARM.ActiveCfg = Release|ARM
33 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Release|ARM.Build.0 = Release|ARM
34 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Release|ARM.Deploy.0 = Release|ARM
35 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Release|ARM64.ActiveCfg = Release|ARM64
36 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Release|ARM64.Build.0 = Release|ARM64
37 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Release|ARM64.Deploy.0 = Release|ARM64
38 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Release|x64.ActiveCfg = Release|x64
39 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Release|x64.Build.0 = Release|x64
40 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Release|x64.Deploy.0 = Release|x64
41 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Release|x86.ActiveCfg = Release|Win32
42 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Release|x86.Build.0 = Release|Win32
43 | 		{C47A81D0-B061-439E-89D1-25EDFBAA93E4}.Release|x86.Deploy.0 = Release|Win32
44 | 	EndGlobalSection
45 | 	GlobalSection(SolutionProperties) = preSolution
46 | 		HideSolutionNode = FALSE
47 | 	EndGlobalSection
48 | 	GlobalSection(ExtensibilityGlobals) = postSolution
49 | 		SolutionGuid = {4A3A7848-5228-45B8-BFD0-1220E4DB0B63}
50 | 	EndGlobalSection
51 | EndGlobal
52 | 


--------------------------------------------------------------------------------
/DisplayMiniportHooking/DisplayMiniportHooking.cpp:
--------------------------------------------------------------------------------
 1 | #include "DisplayMiniportHooking.h"
 2 | 
 3 | 
 4 | VOID Unload(PDRIVER_OBJECT driverObject)
 5 | {
 6 |     UNREFERENCED_PARAMETER(driverObject);
 7 | 
 8 |     DbgPrint("Unload Driver \r\n");
 9 | 
10 |     unHookCallbacks();
11 | }
12 | 
13 | extern "C" NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT driverObject, _In_ PUNICODE_STRING registryPath)
14 | {
15 |     UNREFERENCED_PARAMETER(registryPath);
16 | 
17 |     DRIVER_INITIALIZATION_DATA dummyInitData = { '/0' };
18 |     UNICODE_STRING TARGET_DRV_NAME = RTL_CONSTANT_STRING(L"\\Driver\\BasicRender");
19 | 
20 |     DbgPrint("DriverEntry Called \r\n");
21 |     DriverObjectGuard targetDriverObject(&TARGET_DRV_NAME);
22 | 
23 |     if (!targetDriverObject.isValid())
24 |     {
25 |         return STATUS_UNSUCCESSFUL;
26 |     }
27 | 
28 |     NTSTATUS status = initDisplay(driverObject, registryPath, &dummyInitData);
29 | 
30 |     if (NT_SUCCESS(status))
31 |     {
32 |         if (targetDriverObject.get()->DeviceObject != nullptr)
33 |         {
34 |             DriverObjectGuard dummyDriverObject(driverObject);
35 | 
36 |             hookCallbacks(
37 |                 dummyDriverObject.getDriverObjectExtension(dummyDriverObject.get()),
38 |                 targetDriverObject.getDriverObjectExtension(targetDriverObject.get()),
39 |                 targetDriverObject.get()->DeviceObject->DeviceExtension,
40 |                 dummyInitData);
41 |         }
42 | 
43 |         status = unInitializeMiniport(driverObject);
44 | 
45 |         // Overide the callbacks that DxgkInitialize set to enable unloading of the driver
46 |         if (NT_SUCCESS(status))
47 |         {
48 |             driverObject->DriverUnload = Unload;
49 |             driverObject->DriverExtension->AddDevice = nullptr;
50 |         }
51 |     }
52 | 
53 |     return status;
54 | }


--------------------------------------------------------------------------------
/DisplayMiniportHooking/DisplayMiniportHooking.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include "DummyMiniport.h"
 4 | #include "Hooking.h"
 5 | 
 6 | 
 7 | extern "C" DRIVER_INITIALIZE DriverEntry;
 8 | 
 9 | extern "C" NTSTATUS DriverEntry(
10 |     _In_ PDRIVER_OBJECT DriverObject,
11 |     _In_ PUNICODE_STRING RegistryPath);


--------------------------------------------------------------------------------
/DisplayMiniportHooking/DisplayMiniportHooking.inf:
--------------------------------------------------------------------------------
 1 | ;
 2 | ; DisplayMiniportHooking.inf
 3 | ;
 4 | 
 5 | [Version]
 6 | Signature="$WINDOWS NT$"
 7 | Class=Sample ; TODO: edit Class
 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
 9 | Provider=%ManufacturerName%
10 | CatalogFile=DisplayMiniportHooking.cat
11 | DriverVer= ; TODO: set DriverVer in stampinf property pages
12 | PnpLockDown=1
13 | 
14 | [DestinationDirs]
15 | DefaultDestDir = 12
16 | DisplayMiniportHooking_Device_CoInstaller_CopyFiles = 11
17 | 
18 | ; ================= Class section =====================
19 | 
20 | [ClassInstall32]
21 | Addreg=SampleClassReg
22 | 
23 | [SampleClassReg]
24 | HKR,,,0,%ClassName%
25 | HKR,,Icon,,-5
26 | 
27 | [SourceDisksNames]
28 | 1 = %DiskName%,,,""
29 | 
30 | [SourceDisksFiles]
31 | DisplayMiniportHooking.sys  = 1,,
32 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
33 | 
34 | ;*****************************************
35 | ; Install Section
36 | ;*****************************************
37 | 
38 | [Manufacturer]
39 | %ManufacturerName%=Standard,NT$ARCH$
40 | 
41 | [Standard.NT$ARCH$]
42 | %DisplayMiniportHooking.DeviceDesc%=DisplayMiniportHooking_Device, Root\DisplayMiniportHooking ; TODO: edit hw-id
43 | 
44 | [DisplayMiniportHooking_Device.NT]
45 | CopyFiles=Drivers_Dir
46 | 
47 | [Drivers_Dir]
48 | DisplayMiniportHooking.sys
49 | 
50 | ;-------------- Service installation
51 | [DisplayMiniportHooking_Device.NT.Services]
52 | AddService = DisplayMiniportHooking,%SPSVCINST_ASSOCSERVICE%, DisplayMiniportHooking_Service_Inst
53 | 
54 | ; -------------- DisplayMiniportHooking driver install sections
55 | [DisplayMiniportHooking_Service_Inst]
56 | DisplayName    = %DisplayMiniportHooking.SVCDESC%
57 | ServiceType    = 1               ; SERVICE_KERNEL_DRIVER
58 | StartType      = 3               ; SERVICE_DEMAND_START
59 | ErrorControl   = 1               ; SERVICE_ERROR_NORMAL
60 | ServiceBinary  = %12%\DisplayMiniportHooking.sys
61 | 
62 | ;
63 | ;--- DisplayMiniportHooking_Device Coinstaller installation ------
64 | ;
65 | 
66 | [DisplayMiniportHooking_Device.NT.CoInstallers]
67 | AddReg=DisplayMiniportHooking_Device_CoInstaller_AddReg
68 | CopyFiles=DisplayMiniportHooking_Device_CoInstaller_CopyFiles
69 | 
70 | [DisplayMiniportHooking_Device_CoInstaller_AddReg]
71 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
72 | 
73 | [DisplayMiniportHooking_Device_CoInstaller_CopyFiles]
74 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
75 | 
76 | [DisplayMiniportHooking_Device.NT.Wdf]
77 | KmdfService =  DisplayMiniportHooking, DisplayMiniportHooking_wdfsect
78 | [DisplayMiniportHooking_wdfsect]
79 | KmdfLibraryVersion = $KMDFVERSION$
80 | 
81 | [Strings]
82 | SPSVCINST_ASSOCSERVICE= 0x00000002
83 | ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
84 | ClassName="Samples" ; TODO: edit ClassName
85 | DiskName = "DisplayMiniportHooking Installation Disk"
86 | DisplayMiniportHooking.DeviceDesc = "DisplayMiniportHooking Device"
87 | DisplayMiniportHooking.SVCDESC = "DisplayMiniportHooking Service"
88 | 


--------------------------------------------------------------------------------
/DisplayMiniportHooking/DisplayMiniportHooking.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Debug|ARM">
 21 |       <Configuration>Debug</Configuration>
 22 |       <Platform>ARM</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|ARM">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>ARM</Platform>
 27 |     </ProjectConfiguration>
 28 |     <ProjectConfiguration Include="Debug|ARM64">
 29 |       <Configuration>Debug</Configuration>
 30 |       <Platform>ARM64</Platform>
 31 |     </ProjectConfiguration>
 32 |     <ProjectConfiguration Include="Release|ARM64">
 33 |       <Configuration>Release</Configuration>
 34 |       <Platform>ARM64</Platform>
 35 |     </ProjectConfiguration>
 36 |   </ItemGroup>
 37 |   <PropertyGroup Label="Globals">
 38 |     <ProjectGuid>{C47A81D0-B061-439E-89D1-25EDFBAA93E4}</ProjectGuid>
 39 |     <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
 40 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
 41 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
 42 |     <Configuration>Debug</Configuration>
 43 |     <Platform Condition="'$(Platform)' == ''">Win32</Platform>
 44 |     <RootNamespace>DisplayMiniportHooking</RootNamespace>
 45 |     <WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
 46 |   </PropertyGroup>
 47 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 49 |     <TargetVersion>Windows10</TargetVersion>
 50 |     <UseDebugLibraries>true</UseDebugLibraries>
 51 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 52 |     <ConfigurationType>Driver</ConfigurationType>
 53 |     <DriverType>KMDF</DriverType>
 54 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 55 |   </PropertyGroup>
 56 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 57 |     <TargetVersion>Windows10</TargetVersion>
 58 |     <UseDebugLibraries>false</UseDebugLibraries>
 59 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 60 |     <ConfigurationType>Driver</ConfigurationType>
 61 |     <DriverType>KMDF</DriverType>
 62 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 63 |   </PropertyGroup>
 64 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 65 |     <TargetVersion>WindowsV6.3</TargetVersion>
 66 |     <UseDebugLibraries>true</UseDebugLibraries>
 67 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 68 |     <ConfigurationType>Driver</ConfigurationType>
 69 |     <DriverType>KMDF</DriverType>
 70 |     <DriverTargetPlatform>Desktop</DriverTargetPlatform>
 71 |   </PropertyGroup>
 72 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 73 |     <TargetVersion>Windows10</TargetVersion>
 74 |     <UseDebugLibraries>false</UseDebugLibraries>
 75 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 76 |     <ConfigurationType>Driver</ConfigurationType>
 77 |     <DriverType>KMDF</DriverType>
 78 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 79 |   </PropertyGroup>
 80 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
 81 |     <TargetVersion>Windows10</TargetVersion>
 82 |     <UseDebugLibraries>true</UseDebugLibraries>
 83 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 84 |     <ConfigurationType>Driver</ConfigurationType>
 85 |     <DriverType>KMDF</DriverType>
 86 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 87 |   </PropertyGroup>
 88 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
 89 |     <TargetVersion>Windows10</TargetVersion>
 90 |     <UseDebugLibraries>false</UseDebugLibraries>
 91 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 92 |     <ConfigurationType>Driver</ConfigurationType>
 93 |     <DriverType>KMDF</DriverType>
 94 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 95 |   </PropertyGroup>
 96 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
 97 |     <TargetVersion>Windows10</TargetVersion>
 98 |     <UseDebugLibraries>true</UseDebugLibraries>
 99 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
100 |     <ConfigurationType>Driver</ConfigurationType>
101 |     <DriverType>KMDF</DriverType>
102 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
103 |   </PropertyGroup>
104 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
105 |     <TargetVersion>Windows10</TargetVersion>
106 |     <UseDebugLibraries>false</UseDebugLibraries>
107 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
108 |     <ConfigurationType>Driver</ConfigurationType>
109 |     <DriverType>KMDF</DriverType>
110 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
111 |   </PropertyGroup>
112 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
113 |   <ImportGroup Label="ExtensionSettings">
114 |   </ImportGroup>
115 |   <ImportGroup Label="PropertySheets">
116 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
117 |   </ImportGroup>
118 |   <PropertyGroup Label="UserMacros" />
119 |   <PropertyGroup />
120 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
121 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
122 |   </PropertyGroup>
123 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
124 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
125 |   </PropertyGroup>
126 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
127 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
128 |   </PropertyGroup>
129 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
130 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
131 |   </PropertyGroup>
132 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
133 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
134 |   </PropertyGroup>
135 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
136 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
137 |   </PropertyGroup>
138 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
139 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
140 |   </PropertyGroup>
141 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
142 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
143 |   </PropertyGroup>
144 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
145 |     <Link>
146 |       <AdditionalDependencies>%(AdditionalDependencies);$(DDK_LIB_PATH)displib.lib</AdditionalDependencies>
147 |     </Link>
148 |     <ClCompile>
149 |       <LanguageStandard>stdcpp17</LanguageStandard>
150 |     </ClCompile>
151 |   </ItemDefinitionGroup>
152 |   <ItemGroup>
153 |     <Inf Include="DisplayMiniportHooking.inf" />
154 |   </ItemGroup>
155 |   <ItemGroup>
156 |     <FilesToPackage Include="$(TargetPath)" />
157 |   </ItemGroup>
158 |   <ItemGroup>
159 |     <ClCompile Include="common.cpp" />
160 |     <ClCompile Include="DisplayMiniportHooking.cpp" />
161 |     <ClCompile Include="Hooking.cpp" />
162 |   </ItemGroup>
163 |   <ItemGroup>
164 |     <ClInclude Include="common.h" />
165 |     <ClInclude Include="DisplayMiniportHooking.h" />
166 |     <ClInclude Include="Hooking.h" />
167 |     <ClInclude Include="RAIIUtils.h" />
168 |     <ClInclude Include="DummyMiniport.h" />
169 |   </ItemGroup>
170 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
171 |   <ImportGroup Label="ExtensionTargets">
172 |   </ImportGroup>
173 | </Project>


--------------------------------------------------------------------------------
/DisplayMiniportHooking/DisplayMiniportHooking.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="Driver Files">
17 |       <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
18 |       <Extensions>inf;inv;inx;mof;mc;</Extensions>
19 |     </Filter>
20 |   </ItemGroup>
21 |   <ItemGroup>
22 |     <Inf Include="DisplayMiniportHooking.inf">
23 |       <Filter>Driver Files</Filter>
24 |     </Inf>
25 |   </ItemGroup>
26 |   <ItemGroup>
27 |     <ClCompile Include="DisplayMiniportHooking.cpp">
28 |       <Filter>Source Files</Filter>
29 |     </ClCompile>
30 |     <ClCompile Include="Hooking.cpp">
31 |       <Filter>Source Files</Filter>
32 |     </ClCompile>
33 |     <ClCompile Include="common.cpp">
34 |       <Filter>Source Files</Filter>
35 |     </ClCompile>
36 |   </ItemGroup>
37 |   <ItemGroup>
38 |     <ClInclude Include="DisplayMiniportHooking.h">
39 |       <Filter>Header Files</Filter>
40 |     </ClInclude>
41 |     <ClInclude Include="RAIIUtils.h">
42 |       <Filter>Header Files</Filter>
43 |     </ClInclude>
44 |     <ClInclude Include="DummyMiniport.h">
45 |       <Filter>Header Files</Filter>
46 |     </ClInclude>
47 |     <ClInclude Include="common.h">
48 |       <Filter>Header Files</Filter>
49 |     </ClInclude>
50 |     <ClInclude Include="Hooking.h">
51 |       <Filter>Header Files</Filter>
52 |     </ClInclude>
53 |   </ItemGroup>
54 | </Project>


--------------------------------------------------------------------------------
/DisplayMiniportHooking/DisplayMiniportHooking.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/DisplayMiniportHooking/DummyMiniport.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | #include "common.h"
  4 | 
  5 | 
  6 | NTSTATUS dummySubmitCommand(IN_CONST_HANDLE hAdapter, IN_CONST_PDXGKARG_SUBMITCOMMAND submitCommand)
  7 | {
  8 |     UNREFERENCED_PARAMETER(hAdapter);
  9 |     UNREFERENCED_PARAMETER(submitCommand);
 10 | 
 11 |     DbgPrint("Enter to dummySubmitCommand");
 12 | 
 13 |     return STATUS_SUCCESS;
 14 | }
 15 | 
 16 | NTSTATUS dummyRender(IN_CONST_HANDLE hContext, INOUT_PDXGKARG_RENDER render)
 17 | {
 18 |     UNREFERENCED_PARAMETER(hContext);
 19 |     UNREFERENCED_PARAMETER(render);
 20 | 
 21 |     DbgPrint("Enter to dummyRender");
 22 | 
 23 |     return STATUS_SUCCESS;
 24 | }
 25 | 
 26 | NTSTATUS dummyPresent(_In_ CONST HANDLE hAdapter, INOUT_PDXGKARG_PRESENT present)
 27 | {
 28 |     UNREFERENCED_PARAMETER(hAdapter);
 29 |     UNREFERENCED_PARAMETER(present);
 30 | 
 31 |     DbgPrint("Enter to dummyPresent");
 32 | 
 33 |     return STATUS_SUCCESS;
 34 | }
 35 | 
 36 | NTSTATUS dummyDdiStartDevice(
 37 |     _In_  VOID* deviceContext,
 38 |     _In_  DXGK_START_INFO* dxgkStartInfo,
 39 |     _In_  DXGKRNL_INTERFACE* dxgkInterface,
 40 |     _Out_ ULONG* numberOfViews,
 41 |     _Out_ ULONG* numberOfChildren)
 42 | {
 43 |     UNREFERENCED_PARAMETER(deviceContext);
 44 |     UNREFERENCED_PARAMETER(dxgkStartInfo);
 45 |     UNREFERENCED_PARAMETER(dxgkInterface);
 46 |     UNREFERENCED_PARAMETER(numberOfViews);
 47 |     UNREFERENCED_PARAMETER(numberOfChildren);
 48 | 
 49 |     DbgPrint("Enter to dummyDdiStartDevice");
 50 | 
 51 |     return STATUS_SUCCESS;
 52 | }
 53 | 
 54 | NTSTATUS dummyDdiAddDevice(_In_ DEVICE_OBJECT* physicalDeviceObject, _Outptr_ PVOID* deviceContext)
 55 | {
 56 |     UNREFERENCED_PARAMETER(physicalDeviceObject);
 57 |     UNREFERENCED_PARAMETER(deviceContext);
 58 | 
 59 |     DbgPrint("Enter to dummyDdiAddDevice");
 60 | 
 61 |     return STATUS_SUCCESS;
 62 | }
 63 | 
 64 | NTSTATUS dummyStopDevice(_In_ VOID* deviceContext)
 65 | {
 66 |     UNREFERENCED_PARAMETER(deviceContext);
 67 | 
 68 |     DbgPrint("Enter to dummyStopDevice");
 69 | 
 70 |     return STATUS_SUCCESS;
 71 | }
 72 | 
 73 | NTSTATUS dummyDispatchIoRequest(
 74 |     _In_ VOID* deviceContext,
 75 |     _In_ ULONG vidPnSourceId,
 76 |     _In_ VIDEO_REQUEST_PACKET* videoRequestPacket)
 77 | {
 78 |     UNREFERENCED_PARAMETER(deviceContext);
 79 |     UNREFERENCED_PARAMETER(vidPnSourceId);
 80 |     UNREFERENCED_PARAMETER(videoRequestPacket);
 81 | 
 82 |     DbgPrint("Enter to dummyDispatchIoRequest");
 83 | 
 84 |     return STATUS_SUCCESS;
 85 | }
 86 | 
 87 | NTSTATUS dummySetPowerState(
 88 |     _In_ VOID* deviceContext,
 89 |     _In_ ULONG hardwareUid,
 90 |     _In_ DEVICE_POWER_STATE devicePowerState,
 91 |     _In_ POWER_ACTION actionType)
 92 | {
 93 |     UNREFERENCED_PARAMETER(deviceContext);
 94 |     UNREFERENCED_PARAMETER(hardwareUid);
 95 |     UNREFERENCED_PARAMETER(devicePowerState);
 96 |     UNREFERENCED_PARAMETER(actionType);
 97 | 
 98 |     DbgPrint("Enter to dummySetPowerState");
 99 | 
100 |     return STATUS_SUCCESS;
101 | }
102 | 
103 | NTSTATUS dummyQueryChildRelations(
104 |     _In_ VOID* deviceContext,
105 |     _Out_writes_bytes_(ChildRelationsSize) DXGK_CHILD_DESCRIPTOR* childRelations,
106 |     _In_ ULONG childRelationsSize)
107 | {
108 |     UNREFERENCED_PARAMETER(deviceContext);
109 |     UNREFERENCED_PARAMETER(childRelations);
110 |     UNREFERENCED_PARAMETER(childRelationsSize);
111 | 
112 |     DbgPrint("Enter to dummyQueryChildRelations");
113 | 
114 |     return STATUS_SUCCESS;
115 | }
116 | 
117 | NTSTATUS dummyQueryChildStatus(
118 |     _In_ VOID* deviceContext,
119 |     _Inout_ DXGK_CHILD_STATUS* childStatus,
120 |     _In_ BOOLEAN nonDestructiveOnly)
121 | {
122 |     UNREFERENCED_PARAMETER(deviceContext);
123 |     UNREFERENCED_PARAMETER(childStatus);
124 |     UNREFERENCED_PARAMETER(nonDestructiveOnly);
125 | 
126 |     DbgPrint("Enter to dummyQueryChildStatus");
127 | 
128 |     return STATUS_SUCCESS;
129 | }
130 | 
131 | NTSTATUS dummyQueryDeviceDescriptor(
132 |     _In_  VOID* deviceContext,
133 |     _In_  ULONG childUid,
134 |     _Inout_ DXGK_DEVICE_DESCRIPTOR* deviceDescriptor)
135 | {
136 |     UNREFERENCED_PARAMETER(deviceContext);
137 |     UNREFERENCED_PARAMETER(childUid);
138 |     UNREFERENCED_PARAMETER(deviceDescriptor);
139 | 
140 |     DbgPrint("Enter to dummyQueryDeviceDescriptor");
141 | 
142 |     return STATUS_SUCCESS;
143 | }
144 | 
145 | NTSTATUS APIENTRY dummyQueryAdapterInfo(
146 |     _In_ CONST HANDLE hAdapter,
147 |     _In_ CONST DXGKARG_QUERYADAPTERINFO* queryAdapterInfo)
148 | {
149 |     UNREFERENCED_PARAMETER(hAdapter);
150 |     UNREFERENCED_PARAMETER(queryAdapterInfo);
151 | 
152 |     DbgPrint("Enter to dummyQueryAdapterInfo");
153 | 
154 |     return STATUS_SUCCESS;
155 | }
156 | 
157 | NTSTATUS dummyRemoveDevice(_In_ VOID* deviceContext)
158 | {
159 |     UNREFERENCED_PARAMETER(deviceContext);
160 | 
161 |     DbgPrint("Enter to dummyRemoveDevice");
162 | 
163 |     return STATUS_SUCCESS;
164 | }
165 | 
166 | VOID dummyDpcRoutine(_In_ VOID* deviceContext)
167 | {
168 |     UNREFERENCED_PARAMETER(deviceContext);
169 | 
170 |     DbgPrint("Enter to dummyDpcRoutine");
171 | }
172 | 
173 | BOOLEAN dummyInterruptRoutine(_In_ VOID* deviceContext, _In_ ULONG messageNumber)
174 | {
175 |     UNREFERENCED_PARAMETER(deviceContext);
176 |     UNREFERENCED_PARAMETER(messageNumber);
177 | 
178 |     DbgPrint("Enter to dummyDpcRoutine");
179 | 
180 |     return TRUE;
181 | }
182 | 
183 | VOID dummyUnload()
184 | {
185 |     DbgPrint("Enter to dummyUnload");
186 | }
187 | 
188 | VOID dummyResetDevice(_In_ VOID* deviceContext)
189 | {
190 |     UNREFERENCED_PARAMETER(deviceContext);
191 | 
192 |     DbgPrint("Enter to dummyResetDevice");
193 | }
194 | 
195 | NTSTATUS dummyCreateAllocation(IN_CONST_HANDLE hAdapter, INOUT_PDXGKARG_CREATEALLOCATION createAllocation)
196 | {
197 |     UNREFERENCED_PARAMETER(hAdapter);
198 |     UNREFERENCED_PARAMETER(createAllocation);
199 | 
200 |     DbgPrint("Enter to dummyCreateAllocation");
201 | 
202 |     return STATUS_SUCCESS;
203 | }
204 | 
205 | NTSTATUS dummySetPointerShape(
206 |     _In_ CONST HANDLE hAdapter,
207 |     _In_ CONST DXGKARG_SETPOINTERSHAPE* setPointerShape)
208 | {
209 |     UNREFERENCED_PARAMETER(hAdapter);
210 |     UNREFERENCED_PARAMETER(setPointerShape);
211 | 
212 |     DbgPrint("Enter to dummySetPointerShape");
213 | 
214 |     return STATUS_SUCCESS;
215 | }
216 | 
217 | NTSTATUS dummySetPointerPosition(
218 |     _In_ CONST HANDLE                      hAdapter,
219 |     _In_ CONST DXGKARG_SETPOINTERPOSITION* setPointerPosition)
220 | {
221 |     UNREFERENCED_PARAMETER(hAdapter);
222 |     UNREFERENCED_PARAMETER(setPointerPosition);
223 | 
224 |     DbgPrint("Enter to dummySetPointerPosition");
225 | 
226 |     return STATUS_SUCCESS;
227 | }
228 | 
229 | NTSTATUS dummyCollectdbginfo(
230 |     IN_CONST_HANDLE hAdapter,
231 |     IN_CONST_PDXGKARG_COLLECTDBGINFO collectDbgInfo)
232 | {
233 |     UNREFERENCED_PARAMETER(hAdapter);
234 |     UNREFERENCED_PARAMETER(collectDbgInfo);
235 | 
236 |     DbgPrint("Enter to dummyCollectdbginfo");
237 | 
238 |     return STATUS_SUCCESS;
239 | }
240 | 
241 | NTSTATUS initDisplay(
242 |     PDRIVER_OBJECT driverObject,
243 |     PUNICODE_STRING registryPath,
244 |     PDRIVER_INITIALIZATION_DATA dummyInitData)
245 | {
246 |     if (!ARGUMENT_PRESENT(driverObject) ||
247 |         !ARGUMENT_PRESENT(registryPath) ||
248 |         !ARGUMENT_PRESENT(dummyInitData))
249 |     {
250 |         return STATUS_INVALID_PARAMETER;
251 |     }
252 | 
253 |     dummyInitData->Version = DXGKDDI_INTERFACE_VERSION;
254 |     dummyInitData->DxgkDdiAddDevice = dummyDdiAddDevice;
255 |     dummyInitData->DxgkDdiStartDevice = dummyDdiStartDevice;
256 |     dummyInitData->DxgkDdiStopDevice = dummyStopDevice;
257 |     dummyInitData->DxgkDdiRemoveDevice = dummyRemoveDevice;
258 |     dummyInitData->DxgkDdiDispatchIoRequest = dummyDispatchIoRequest;
259 |     dummyInitData->DxgkDdiInterruptRoutine = dummyInterruptRoutine;
260 |     dummyInitData->DxgkDdiDpcRoutine = dummyDpcRoutine;
261 |     dummyInitData->DxgkDdiQueryChildRelations = dummyQueryChildRelations;
262 |     dummyInitData->DxgkDdiQueryChildStatus = dummyQueryChildStatus;
263 |     dummyInitData->DxgkDdiQueryDeviceDescriptor = dummyQueryDeviceDescriptor;
264 |     dummyInitData->DxgkDdiSetPowerState = dummySetPowerState;
265 |     dummyInitData->DxgkDdiResetDevice = dummyResetDevice;
266 |     dummyInitData->DxgkDdiUnload = dummyUnload;
267 |     dummyInitData->DxgkDdiSetPointerShape = dummySetPointerShape;
268 |     dummyInitData->DxgkDdiSetPointerPosition = dummySetPointerPosition;
269 |     dummyInitData->DxgkDdiCreateAllocation = dummyCreateAllocation;
270 |     dummyInitData->DxgkDdiCollectDbgInfo = dummyCollectdbginfo;
271 |     dummyInitData->DxgkDdiPresent = dummyPresent;
272 |     dummyInitData->DxgkDdiRender = dummyRender;
273 |     dummyInitData->DxgkDdiSubmitCommand = dummySubmitCommand;
274 | 
275 |     return DxgkInitialize(driverObject, registryPath, dummyInitData);
276 | }
277 | 
278 | NTSTATUS unInitializeMiniport(PDRIVER_OBJECT driverObject)
279 | {
280 |     return DxgkUnInitialize(driverObject);
281 | }
282 | 
283 | 


--------------------------------------------------------------------------------
/DisplayMiniportHooking/Hooking.cpp:
--------------------------------------------------------------------------------
  1 | #include "Hooking.h"
  2 | 
  3 | 
  4 | void hookFunction(PVOID* pSourceFunction, PVOID hookFunction)
  5 | {
  6 |     if (MmIsAddressValid(pSourceFunction) && MmIsAddressValid(hookFunction))
  7 |     {
  8 |         InterlockedExchangePointer(pSourceFunction, hookFunction);
  9 |     }
 10 | }
 11 | 
 12 | NTSTATUS hookSetPointerPosition(
 13 |     _In_ CONST HANDLE hAdapter,
 14 |     _In_ CONST DXGKARG_SETPOINTERPOSITION* setPointerPosition)
 15 | {
 16 |     DbgPrint("Enter to hookSetPointerPosition \n");
 17 | 
 18 |     return reinterpret_cast<PDXGKDDI_SETPOINTERPOSITION>(
 19 |         ORIGINAL_CALLBACKS_INFO->SetPointerPosition.CallbackAddress)(hAdapter, setPointerPosition);
 20 | }
 21 | 
 22 | NTSTATUS hookPresent(
 23 |     _In_ CONST HANDLE hAdapter,
 24 |     INOUT_PDXGKARG_PRESENT present)
 25 | {
 26 |     DbgPrint("Enter to hookPresent \n");
 27 | 
 28 |     return reinterpret_cast<PDXGKDDI_PRESENT>(
 29 |         ORIGINAL_CALLBACKS_INFO->Present.CallbackAddress)(hAdapter, present);
 30 | }
 31 | 
 32 | NTSTATUS hookRender(
 33 |     IN_CONST_HANDLE hContext,
 34 |     INOUT_PDXGKARG_RENDER render)
 35 | {
 36 |     DbgPrint("Enter to hookRender \n");
 37 | 
 38 |     return reinterpret_cast<PDXGKDDI_RENDER>(
 39 |         ORIGINAL_CALLBACKS_INFO->Render.CallbackAddress)(hContext, render);
 40 | }
 41 | 
 42 | NTSTATUS hookSubmitCommand(IN_CONST_HANDLE hAdapter, IN_CONST_PDXGKARG_SUBMITCOMMAND submitCommand)
 43 | {
 44 |     DbgPrint("Enter to hookSubmitCommand \n");
 45 | 
 46 |     return reinterpret_cast<PDXGKDDI_SUBMITCOMMAND>(
 47 |         ORIGINAL_CALLBACKS_INFO->SubmitCommand.CallbackAddress)(hAdapter, submitCommand);
 48 | }
 49 | 
 50 | NTSTATUS hookCreateAllocation(IN_CONST_HANDLE hAdapter, INOUT_PDXGKARG_CREATEALLOCATION createAllocation)
 51 | {
 52 |     DbgPrint("Enter to hookCreateAllocation \n");
 53 | 
 54 |     return reinterpret_cast<PDXGKDDI_CREATEALLOCATION>(
 55 |         ORIGINAL_CALLBACKS_INFO->CreateAllocation.CallbackAddress)(hAdapter, createAllocation);
 56 | }
 57 | 
 58 | unsigned short findOffsetCallback(void* startAddress, void* callback, unsigned short limit)
 59 | {
 60 |     if (startAddress == nullptr)
 61 |     {
 62 |         return INVALID_OFFSET;
 63 |     }
 64 | 
 65 |     ArrayGuard<unsigned short> memoryBuffer;
 66 |     memoryBuffer.allocate(NonPagedPool, limit / sizeof(unsigned short));
 67 | 
 68 |     if (!NT_SUCCESS(readMemorySafe(startAddress, memoryBuffer.get(), limit)))
 69 |     {
 70 |         return INVALID_OFFSET;
 71 |     }
 72 | 
 73 |     for (unsigned short i = 0; i < limit / sizeof(unsigned short); i++)
 74 |     {
 75 |         void* potentialPointer = reinterpret_cast<void*>(*(reinterpret_cast<PULONG_PTR>(
 76 |             reinterpret_cast<unsigned short*>(memoryBuffer.get()) + i)));
 77 | 
 78 |         if (callback == potentialPointer)
 79 |         {
 80 |             return i * sizeof(unsigned short);
 81 |         }
 82 |     }
 83 | 
 84 |     return INVALID_OFFSET;
 85 | }
 86 | 
 87 | PVOID* findCallbackLocationByOffset(void* startAddress, unsigned short offset)
 88 | {
 89 |     return reinterpret_cast<PVOID*>(
 90 |         reinterpret_cast<unsigned short*>(startAddress) + (offset / sizeof(unsigned short)));
 91 | }
 92 | 
 93 | void* findAdapterLocation(
 94 |     void* deviceObjectExtension,
 95 |     unsigned short limitDeviceObjectExtension,
 96 |     void* driverExtension,
 97 |     unsigned short limitDriverObjectExtension,
 98 |     void* callback)
 99 | {
100 |     if ((deviceObjectExtension == nullptr) || (callback == nullptr))
101 |     {
102 |         return nullptr;
103 |     }
104 | 
105 |     ArrayGuard<unsigned short> deviceExtensionMemoryBuffer;
106 |     deviceExtensionMemoryBuffer.allocate(NonPagedPool, limitDeviceObjectExtension / sizeof(unsigned short));
107 | 
108 |     if (!NT_SUCCESS(readMemorySafe(
109 |         deviceObjectExtension,
110 |         deviceExtensionMemoryBuffer.get(),
111 |         limitDeviceObjectExtension)))
112 |     {
113 |         return nullptr;
114 |     }
115 | 
116 |     for (unsigned short i = 0; i < limitDeviceObjectExtension / sizeof(unsigned short); i++)
117 |     {
118 |         void* potentialAdapterPointer = reinterpret_cast<void*>(*(reinterpret_cast<PULONG_PTR>(
119 |             reinterpret_cast<unsigned short*>(deviceExtensionMemoryBuffer.get()) + i)));
120 | 
121 |         auto driverExtensionWithLimit = reinterpret_cast<void*>(
122 |             reinterpret_cast<unsigned short*>(driverExtension) + LIMIT_DRIVER_OBJECT_EXTENSION);
123 | 
124 |         if (MmIsAddressValid(potentialAdapterPointer) &&
125 |             ((potentialAdapterPointer < driverExtension) ||
126 |                 (potentialAdapterPointer > driverExtensionWithLimit)))
127 |         {
128 |             auto callbackOffset = findOffsetCallback(
129 |                 potentialAdapterPointer,
130 |                 callback,
131 |                 limitDriverObjectExtension);
132 | 
133 |             if (callbackOffset != INVALID_OFFSET)
134 |             {
135 |                 DbgPrint("Adapter: %p \n", potentialAdapterPointer);
136 |                 return potentialAdapterPointer;
137 |             }
138 |         }
139 |     }
140 | 
141 |     return nullptr;
142 | }
143 | 
144 | PVOID* findCallbackLocationInAdapter(
145 |     void* deviceObjectExtension,
146 |     unsigned short limitDeviceObjectExtension,
147 |     void* driverExtension,
148 |     unsigned short limitDriverObjectExtension,
149 |     void* callback)
150 | {
151 |     if (ADAPTER == nullptr)
152 |     {
153 |         ADAPTER = findAdapterLocation(
154 |             deviceObjectExtension,
155 |             limitDeviceObjectExtension,
156 |             driverExtension,
157 |             limitDriverObjectExtension,
158 |             callback);
159 |     }
160 | 
161 |     auto callbackOffset = findOffsetCallback(ADAPTER, callback, limitDriverObjectExtension);
162 | 
163 |     if (callbackOffset != INVALID_OFFSET)
164 |     {
165 |         return findCallbackLocationByOffset(ADAPTER, callbackOffset);
166 |     }
167 | 
168 |     return nullptr;
169 | }
170 | 
171 | void* findCallbackInDriverExtension(
172 |     void* dummyDriverObjectExtension,
173 |     void* targetDriverObjectExtension,
174 |     void* dummyCallback)
175 | {
176 |     if ((dummyDriverObjectExtension == nullptr) ||
177 |         (targetDriverObjectExtension == nullptr) ||
178 |         (dummyCallback == nullptr))
179 |     {
180 |         return nullptr;
181 |     }
182 | 
183 |     auto callbackOffset = findOffsetCallback(
184 |         dummyDriverObjectExtension,
185 |         dummyCallback,
186 |         LIMIT_DRIVER_OBJECT_EXTENSION);
187 | 
188 |     if (callbackOffset == INVALID_OFFSET)
189 |     {
190 |         return nullptr;
191 |     }
192 | 
193 |     auto callbackLocation = findCallbackLocationByOffset(targetDriverObjectExtension, callbackOffset);
194 | 
195 |     if (!MmIsAddressValid(callbackLocation))
196 |     {
197 |         return nullptr;
198 |     }
199 | 
200 |     return reinterpret_cast<void*>(*callbackLocation);
201 | }
202 | 
203 | void hookCallbackInAdapter(
204 |     void* dummyDriverObjectExtension,
205 |     void* targetDriverObjectExtension,
206 |     void* targetDeviceObjectExtension,
207 |     void* dummyCallback,
208 |     void* hookCallback,
209 |     PVOID* callbackAddress,
210 |     PVOID* callbackLocation)
211 | {
212 |     *callbackAddress = findCallbackInDriverExtension(
213 |         dummyDriverObjectExtension,
214 |         targetDriverObjectExtension,
215 |         dummyCallback);
216 | 
217 |     *callbackLocation = findCallbackLocationInAdapter(
218 |         targetDeviceObjectExtension,
219 |         LIMIT_DEVICE_OBJECT_EXTENSION,
220 |         targetDriverObjectExtension,
221 |         LIMIT_DRIVER_OBJECT_EXTENSION,
222 |         *callbackAddress);
223 | 
224 |     if ((*callbackAddress != nullptr) && (*callbackLocation != nullptr))
225 |     {
226 |         hookFunction(reinterpret_cast<PVOID*>(*callbackLocation), hookCallback);
227 |     }
228 | }
229 | 
230 | void unHookCallbacks()
231 | {
232 |     hookFunction(
233 |         ORIGINAL_CALLBACKS_INFO->SetPointerPosition.CallbackLocation,
234 |         ORIGINAL_CALLBACKS_INFO->SetPointerPosition.CallbackAddress);
235 | 
236 |     hookFunction(
237 |         ORIGINAL_CALLBACKS_INFO->Present.CallbackLocation,
238 |         ORIGINAL_CALLBACKS_INFO->Present.CallbackAddress);
239 | 
240 |     hookFunction(
241 |         ORIGINAL_CALLBACKS_INFO->Render.CallbackLocation,
242 |         ORIGINAL_CALLBACKS_INFO->Render.CallbackAddress);
243 | 
244 |     hookFunction(
245 |         ORIGINAL_CALLBACKS_INFO->SubmitCommand.CallbackLocation,
246 |         ORIGINAL_CALLBACKS_INFO->SubmitCommand.CallbackAddress);
247 | 
248 |     hookFunction(
249 |         ORIGINAL_CALLBACKS_INFO->CreateAllocation.CallbackLocation,
250 |         ORIGINAL_CALLBACKS_INFO->CreateAllocation.CallbackAddress);
251 | 
252 |     delete ORIGINAL_CALLBACKS_INFO;
253 | }
254 | 
255 | void hookCallbacks(
256 |     void* dummyDriverObjectExtension,
257 |     void* targetDriverObjectExtension,
258 |     void* targetDeviceObjectExtension,
259 |     DRIVER_INITIALIZATION_DATA& dummyInitData)
260 | {
261 |     if ((dummyDriverObjectExtension == nullptr) ||
262 |         (targetDriverObjectExtension == nullptr) ||
263 |         (targetDeviceObjectExtension == nullptr))
264 |     {
265 |         return;
266 |     }
267 | 
268 |     DbgPrint("Target Driver Object Extension: %p \n", targetDriverObjectExtension);
269 |     DbgPrint("Target Device Object Extension: %p \n", targetDeviceObjectExtension);
270 | 
271 |     ORIGINAL_CALLBACKS_INFO = new (NonPagedPool, TAG)WDDM_CALLBACKS_INFO();
272 | 
273 |     // Set Pointer Position
274 |     hookCallbackInAdapter(
275 |         dummyDriverObjectExtension,
276 |         targetDriverObjectExtension,
277 |         targetDeviceObjectExtension,
278 |         dummyInitData.DxgkDdiSetPointerPosition,
279 |         hookSetPointerPosition,
280 |         &ORIGINAL_CALLBACKS_INFO->SetPointerPosition.CallbackAddress,
281 |         reinterpret_cast<PVOID*>(&ORIGINAL_CALLBACKS_INFO->SetPointerPosition.CallbackLocation));
282 | 
283 |     // Present
284 |     hookCallbackInAdapter(
285 |         dummyDriverObjectExtension,
286 |         targetDriverObjectExtension,
287 |         targetDeviceObjectExtension,
288 |         dummyInitData.DxgkDdiPresent,
289 |         hookPresent,
290 |         &ORIGINAL_CALLBACKS_INFO->Present.CallbackAddress,
291 |         reinterpret_cast<PVOID*>(&ORIGINAL_CALLBACKS_INFO->Present.CallbackLocation));
292 | 
293 |     // Render
294 |     hookCallbackInAdapter(
295 |         dummyDriverObjectExtension,
296 |         targetDriverObjectExtension,
297 |         targetDeviceObjectExtension,
298 |         dummyInitData.DxgkDdiRender,
299 |         hookRender,
300 |         &ORIGINAL_CALLBACKS_INFO->Render.CallbackAddress,
301 |         reinterpret_cast<PVOID*>(&ORIGINAL_CALLBACKS_INFO->Render.CallbackLocation));
302 | 
303 |     // Submit Command
304 |     hookCallbackInAdapter(
305 |         dummyDriverObjectExtension,
306 |         targetDriverObjectExtension,
307 |         targetDeviceObjectExtension,
308 |         dummyInitData.DxgkDdiSubmitCommand,
309 |         hookSubmitCommand,
310 |         &ORIGINAL_CALLBACKS_INFO->SubmitCommand.CallbackAddress,
311 |         reinterpret_cast<PVOID*>(&ORIGINAL_CALLBACKS_INFO->SubmitCommand.CallbackLocation));
312 | 
313 |     // Create Allocation
314 |     hookCallbackInAdapter(
315 |         dummyDriverObjectExtension,
316 |         targetDriverObjectExtension,
317 |         targetDeviceObjectExtension,
318 |         dummyInitData.DxgkDdiCreateAllocation,
319 |         hookCreateAllocation,
320 |         &ORIGINAL_CALLBACKS_INFO->CreateAllocation.CallbackAddress,
321 |         reinterpret_cast<PVOID*>(&ORIGINAL_CALLBACKS_INFO->CreateAllocation.CallbackLocation));
322 | }
323 | 


--------------------------------------------------------------------------------
/DisplayMiniportHooking/Hooking.h:
--------------------------------------------------------------------------------
 1 | #include "common.h"
 2 | 
 3 | 
 4 | typedef struct _CALLBACK_INFO
 5 | {
 6 |     void* CallbackAddress;
 7 |     PVOID* CallbackLocation;
 8 | }CALLBACK_INFO, * PCALLBACK_INFO;
 9 | 
10 | typedef struct _WDDM_CALLBACKS_INFO
11 | {
12 |     CALLBACK_INFO AddDevice;
13 |     CALLBACK_INFO StartDevice;
14 |     CALLBACK_INFO StopDevice;
15 |     CALLBACK_INFO RemoveDevice;
16 |     CALLBACK_INFO DispatchIoRequest;
17 |     CALLBACK_INFO InterruptRoutine;
18 |     CALLBACK_INFO DpcRoutine;
19 |     CALLBACK_INFO QueryChildRelations;
20 |     CALLBACK_INFO QueryChildStatus;
21 |     CALLBACK_INFO QueryDeviceDescriptor;
22 |     CALLBACK_INFO SetPowerState;
23 |     CALLBACK_INFO NotifyAcpiEvent;
24 |     CALLBACK_INFO ResetDevice;
25 |     CALLBACK_INFO Unload;
26 |     CALLBACK_INFO QueryInterface;
27 |     CALLBACK_INFO ControlEtwLogging;
28 |     CALLBACK_INFO QueryAdapterInfo;
29 |     CALLBACK_INFO CreateDevice;
30 |     CALLBACK_INFO CreateAllocation;
31 |     CALLBACK_INFO DestroyAllocation;
32 |     CALLBACK_INFO DescribeAllocation;
33 |     CALLBACK_INFO GetStandardAllocationDriverData;
34 |     CALLBACK_INFO AcquireSwizzlingRange;
35 |     CALLBACK_INFO ReleaseSwizzlingRange;
36 |     CALLBACK_INFO Patch;
37 |     CALLBACK_INFO SubmitCommand;
38 |     CALLBACK_INFO PreemptCommand;
39 |     CALLBACK_INFO BuildPagingBuffer;
40 |     CALLBACK_INFO SetPalette;
41 |     CALLBACK_INFO SetPointerPosition;
42 |     CALLBACK_INFO SetPointerShape;
43 |     CALLBACK_INFO ResetFromTimeout;
44 |     CALLBACK_INFO RestartFromTimeout;
45 |     CALLBACK_INFO Escape;
46 |     CALLBACK_INFO CollectDbgInfo;
47 |     CALLBACK_INFO QueryCurrentFence;
48 |     CALLBACK_INFO IsSupportedVidPn;
49 |     CALLBACK_INFO RecommendFunctionalVidPn;
50 |     CALLBACK_INFO EnumVidPnCofuncModality;
51 |     CALLBACK_INFO SetVidPnSourceAddress;
52 |     CALLBACK_INFO SetVidPnSourceVisibility;
53 |     CALLBACK_INFO CommitVidPn;
54 |     CALLBACK_INFO UpdateActiveVidPnPresentPath;
55 |     CALLBACK_INFO RecommendMonitorModes;
56 |     CALLBACK_INFO RecommendVidPnTopology;
57 |     CALLBACK_INFO GetScanLine;
58 |     CALLBACK_INFO StopCapture;
59 |     CALLBACK_INFO ControlInterrupt;
60 |     CALLBACK_INFO CreateOverlay;
61 |     CALLBACK_INFO DestroyDevice;
62 |     CALLBACK_INFO OpenAllocation;
63 |     CALLBACK_INFO CloseAllocation;
64 |     CALLBACK_INFO Render;
65 |     CALLBACK_INFO Present;
66 |     CALLBACK_INFO UpdateOverlay;
67 |     CALLBACK_INFO FlipOverlay;
68 |     CALLBACK_INFO DestroyOverlay;
69 |     CALLBACK_INFO CreateContext;
70 |     CALLBACK_INFO DestroyContext;
71 |     CALLBACK_INFO LinkDevice;
72 |     CALLBACK_INFO SetDisplayPrivateDriverFormat;
73 | } WDDM_CALLBACKS_INFO, * PWDDM_CALLBACKS_INFO;
74 | 
75 | constexpr unsigned short LIMIT_DRIVER_OBJECT_EXTENSION = 0x558;
76 | constexpr unsigned short LIMIT_DEVICE_OBJECT_EXTENSION = 0x1688;
77 | constexpr unsigned short INVALID_OFFSET = 0xffff;
78 | 
79 | inline PWDDM_CALLBACKS_INFO ORIGINAL_CALLBACKS_INFO;
80 | 
81 | void unHookCallbacks();
82 | 
83 | void hookCallbacks(
84 |     void* dummyDriverObjectExtension,
85 |     void* targetDriverObjectExtension,
86 |     void* targetDeviceObjectExtension,
87 |     DRIVER_INITIALIZATION_DATA& dummyInitData);
88 | 
89 | inline void* ADAPTER = nullptr;


--------------------------------------------------------------------------------
/DisplayMiniportHooking/RAIIUtils.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | #include "common.h"
  4 | 
  5 | 
  6 | extern "C" NTSYSAPI NTSTATUS NTAPI ObReferenceObjectByName(
  7 |     PUNICODE_STRING ObjectName,
  8 |     ULONG Attributes,
  9 |     PACCESS_STATE AccessState,
 10 |     ACCESS_MASK DesiredAccess,
 11 |     POBJECT_TYPE ObjectType,
 12 |     KPROCESSOR_MODE AccessMode,
 13 |     PVOID ParseContext OPTIONAL,
 14 |     PVOID * Object);
 15 | 
 16 | extern "C" POBJECT_TYPE * IoDriverObjectType;
 17 | 
 18 | template <class T, bool shouldDeleteObj = false>
 19 | class ArrayGuard
 20 | {
 21 | public:
 22 |     ArrayGuard() : _array(nullptr), _isValid(false), _size(0) {}
 23 | 
 24 |     void allocate(POOL_TYPE poolType, size_t objectsCount)
 25 |     {
 26 |         if (_array != nullptr)
 27 |         {
 28 |             delete _array;
 29 |             _isValid = false;
 30 |         }
 31 | 
 32 |         _array = new(poolType, TAG)T[objectsCount * sizeof(T)];
 33 |         NT_ASSERTMSG("Allocate memory for array failed", _array != nullptr);
 34 |         _isValid = true;
 35 |         _size = objectsCount;
 36 |     }
 37 | 
 38 |     ~ArrayGuard()
 39 |     {
 40 |         if ((_array != nullptr) && (isValid()))
 41 |         {
 42 |             if constexpr (shouldDeleteObj)
 43 |             {
 44 |                 for (size_t i = 0; i < _size; i++)
 45 |                 {
 46 |                     delete _array[i];
 47 |                 }
 48 |             }
 49 | 
 50 |             delete _array;
 51 |         }
 52 | 
 53 |         _isValid = false;
 54 |     }
 55 | 
 56 |     T operator [](size_t idx) const { return _array[idx]; }
 57 |     T& operator [](size_t idx) { return _array[idx]; }
 58 |     T* get() { return _array; }
 59 |     bool isValid() const { return _isValid; }
 60 |     size_t getSize() { return _size; }
 61 | 
 62 | private:
 63 |     T* _array;
 64 |     bool _isValid;
 65 |     size_t _size;
 66 | };
 67 | 
 68 | /**
 69 |  *  Guard a object.
 70 |  *  release object when exiting the current context.
 71 |  */
 72 | template <class T>
 73 | class ObjectGuard
 74 | {
 75 | public:
 76 |     ObjectGuard(T object) : _object(object), _isValid(true), _shouldDereference(false) {}
 77 | 
 78 |     ObjectGuard() : _object(nullptr), _isValid(false), _shouldDereference(false) {}
 79 | 
 80 |     ~ObjectGuard()
 81 |     {
 82 |         _isValid = false;
 83 |     }
 84 | 
 85 |     T& get() { return _object; }
 86 |     bool isValid() const { return _isValid; }
 87 | 
 88 | protected:
 89 |     T _object;
 90 |     bool _isValid;
 91 |     bool _shouldDereference;
 92 | };
 93 | 
 94 | class DriverObjectGuard : public ObjectGuard<PDRIVER_OBJECT>
 95 | {
 96 | public:
 97 |     DriverObjectGuard(PDRIVER_OBJECT drvObject) : ObjectGuard(drvObject)
 98 |     {
 99 |         _object = drvObject;
100 |         _isValid = true;
101 |     }
102 | 
103 |     DriverObjectGuard(PUNICODE_STRING driverName) : ObjectGuard()
104 |     {
105 |         PDRIVER_OBJECT drvObject = nullptr;
106 | 
107 |         if (NT_SUCCESS(ObReferenceObjectByName(
108 |             driverName,
109 |             0,
110 |             NULL,
111 |             0,
112 |             *IoDriverObjectType,
113 |             KernelMode,
114 |             NULL,
115 |             reinterpret_cast<PVOID*>(&drvObject))))
116 |         {
117 |             _object = drvObject;
118 |             _isValid = true;
119 |             _shouldDereference = true;
120 |         }
121 |     }
122 | 
123 |     ~DriverObjectGuard()
124 |     {
125 |         if (isValid() && (_object != nullptr) && (_shouldDereference))
126 |         {
127 |             ObDereferenceObject(_object);
128 |             _isValid = false;
129 |         }
130 |     }
131 | 
132 |     PVOID getDriverObjectExtension(PVOID clientIdentificationAddress)
133 |     {
134 |         if (!isValid() || (clientIdentificationAddress == nullptr))
135 |         {
136 |             return nullptr;
137 |         }
138 | 
139 |         return IoGetDriverObjectExtension(_object, clientIdentificationAddress);
140 |     }
141 | };


--------------------------------------------------------------------------------
/DisplayMiniportHooking/common.cpp:
--------------------------------------------------------------------------------
 1 | #include "common.h"
 2 | 
 3 | 
 4 | void* __cdecl operator new(size_t size, POOL_TYPE pool, ULONG tag)
 5 | {
 6 | 	    auto pointer = ExAllocatePoolWithTag(pool, size, tag);
 7 | 
 8 | 	    if (pointer != nullptr)
 9 | 	    {
10 | 	        RtlZeroMemory(pointer, size);
11 | 	    }
12 | 
13 | 		return pointer;
14 | }
15 | 
16 | void __cdecl operator delete(void* p, unsigned __int64)
17 | {
18 | 	ExFreePool(p);
19 | }
20 | 
21 | NTSTATUS readMemorySafe(void* targetAddress, void* buffer, size_t length)
22 | {
23 |     NTSTATUS status = STATUS_UNSUCCESSFUL;
24 |     ArrayGuard<unsigned short> nonPagedBuffer;
25 |     nonPagedBuffer.allocate(NonPagedPool, length / sizeof(unsigned short));
26 | 
27 |     size_t numberOfBytesTransferred;
28 |     MM_COPY_ADDRESS addrToRead;
29 |     addrToRead.VirtualAddress = targetAddress;
30 | 
31 |     status = MmCopyMemory(
32 |         nonPagedBuffer.get(),
33 |         addrToRead,
34 |         length,
35 |         MM_COPY_MEMORY_VIRTUAL,
36 |         &numberOfBytesTransferred);
37 | 
38 |     if (STATUS_SUCCESS == status)
39 |     {
40 |         RtlCopyMemory(buffer, nonPagedBuffer.get(), numberOfBytesTransferred);
41 |     }
42 | 
43 |     return status;
44 | }


--------------------------------------------------------------------------------
/DisplayMiniportHooking/common.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include "ntddk.h"
 4 | #include "RAIIUtils.h"
 5 | 
 6 | extern "C"
 7 | {
 8 | #include <dispmprt.h>
 9 | };
10 | 
11 | 
12 | constexpr ULONG TAG = 'DMH';
13 | 
14 | void* __cdecl operator new(size_t size, POOL_TYPE pool, ULONG tag = 0);
15 | 
16 | void __cdecl operator delete(void* p, unsigned __int64);
17 | 
18 | NTSTATUS readMemorySafe(void* targetAddress, void* buffer, size_t length);


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | For more information: https://aviadshamriz.medium.com/part-2-display-miniport-hooking-e1a54661d2e1.
2 | 


--------------------------------------------------------------------------------