├── README.md └── map_file_internal.c /README.md: -------------------------------------------------------------------------------- 1 | # Map-file-in-system-space 2 | How to map files into system space using underlying functions directly 3 | 4 | link 5 | 6 | https://alexvogtkernel.blogspot.com/ 7 | -------------------------------------------------------------------------------- /map_file_internal.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #define SEC_IMAGE 0x1000000 5 | 6 | typedef NTSTATUS (*fnMmCreateSection)( 7 | OUT PVOID *SectionObject, 8 | IN ACCESS_MASK DesiredAccess, 9 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 10 | IN PLARGE_INTEGER MaximumSize, 11 | IN ULONG SectionPageProtection, 12 | IN ULONG AllocationAttributes, 13 | IN HANDLE FileHandle OPTIONAL, 14 | IN PFILE_OBJECT File OPTIONAL 15 | ); 16 | 17 | typedef NTSTATUS (*ptrMiCreateSection)(PVOID *a1, POBJECT_ATTRIBUTES a2, char a3, PLARGE_INTEGER *a4, ULONG a5, ULONG a6, char a7, HANDLE a8, PFILE_OBJECT a9, KPROCESSOR_MODE a10); 18 | typedef NTSTATUS (*ptrMiMapViewInSystemSpace)(PVOID a,PVOID b,PVOID *c, PSIZE_T size, PULONG a3,ULONG mask OPTIONAL); 19 | typedef NTSTATUS (*ptrMiRemoveFromSystemSpace)(PVOID Session,PVOID mappedbase,INT a1); 20 | typedef NTSTATUS (*ptrIopCreateFile)( 21 | PHANDLE FileHandle, 22 | ACCESS_MASK DesiredAccess, 23 | POBJECT_ATTRIBUTES ObjectAttributes, 24 | PIO_STATUS_BLOCK IoStatusBlock, 25 | PLARGE_INTEGER AllocationSize, 26 | ULONG FileAttributes, 27 | ULONG ShareAccess, 28 | ULONG Disposition, 29 | ULONG CreateOptions, 30 | PVOID EaBuffer, 31 | ULONG EaLength, 32 | CREATE_FILE_TYPE CreateFileType, 33 | PVOID InternalParameters, 34 | ULONG Options, 35 | ULONG Flags, 36 | PVOID pIoDriverCreateContext 37 | 38 | ); 39 | 40 | 41 | 42 | VOID Unload(PDRIVER_OBJECT pdriver) 43 | { 44 | DbgPrint("\r\n"); 45 | } 46 | 47 | 48 | 49 | NTSTATUS DriverEntry(PDRIVER_OBJECT pdriver, PUNICODE_STRING pregister) 
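{
    /*
     * Demo driver entry: open ntdll.dll, build a section over it and map a
     * view into system space by calling the kernel's internal, unexported
     * routines (IopCreateFile, MiCreateSection, MiMapViewInSystemSpace,
     * MiRemoveFromSystemSpace) through the function-pointer typedefs above.
     *
     * pdriver:   driver object; only DriverUnload is set.
     * pregister: registry path; unused.
     *
     * Returns the NTSTATUS of the last step that ran, so any failure fails
     * the load. The view is torn down before returning on every path, so
     * nothing stays mapped after DriverEntry; this is a proof of concept,
     * not a service.
     *
     * Fixes versus the original body: `handle` is now initialised (it was
     * read by the `if (handle)` in cleanup even when IopCreateFile failed,
     * i.e. ZwClose on an indeterminate value); the MmSession constant gets
     * an explicit pointer cast; the `&section` argument is restored (the
     * page rendered it as an HTML-entity artefact); the unused `buffer`
     * local and a dead second InitializeObjectAttributes(&oa, ...) whose
     * result nothing read are dropped.
     */
    NTSTATUS nStatus = STATUS_SUCCESS;
    UNICODE_STRING uni;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK io;
    HANDLE handle = NULL;                 /* must be NULL until IopCreateFile succeeds; cleanup tests it */
    FILE_STANDARD_INFORMATION fileinfo;
    PVOID section = NULL;
    PFILE_OBJECT fileobject = NULL;
    SIZE_T viewsize = 0;                  /* 0 on input; the callee fills in the size it mapped (assumed — verify) */
    PVOID mappedbase = NULL;
    ptrMiCreateSection MiCreateSection = NULL;
    ptrMiMapViewInSystemSpace MiMapViewInSystemSpace = NULL;
    ptrMiRemoveFromSystemSpace MiRemoveFromSystemSpace = NULL;
    ptrIopCreateFile IopCreateFileWin81 = NULL;
    ULONG value = 0;

    /*
     * Raw, build-specific addresses taken from one ntoskrnl image (the
     * Win81 suffix says which family). None of these symbols is exported,
     * and on any other build, patch level or KASLR slide they point at
     * arbitrary code or data, so calling through them bugchecks at best
     * and silently corrupts kernel state at worst. They are acceptable
     * only in a throwaway lab experiment like this one; a driver meant to
     * run anywhere else must not carry such constants.
     */
    PVOID MmSession = (PVOID)0xfffff801f73451e0;
    IopCreateFileWin81 = (ptrIopCreateFile)0xfffff801f7444470;
    MiCreateSection = (ptrMiCreateSection)0xfffff801f7436350;
    MiMapViewInSystemSpace = (ptrMiMapViewInSystemSpace)0xfffff801f7493108;
    MiRemoveFromSystemSpace = (ptrMiRemoveFromSystemSpace)0xfffff801f71399a4;

    pdriver->DriverUnload = (PDRIVER_UNLOAD)Unload;

    /* Kernel-only handle (OBJ_KERNEL_HANDLE) so user mode cannot reach it. */
    RtlInitUnicodeString(&uni, L"\\??\\C:\\Windows\\System32\\ntdll.dll");
    InitializeObjectAttributes(&oa, &uni, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    /*
     * Internal IopCreateFile rather than ZwCreateFile. IO_NO_PARAMETER_CHECKING
     * skips the probing/validation the public path does, which is only
     * defensible because every argument here is a kernel-mode constant.
     */
    nStatus = IopCreateFileWin81(&handle, FILE_GENERIC_READ | SYNCHRONIZE, &oa,
                                 &io, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN,
                                 FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0,
                                 CreateFileTypeNone, NULL, IO_NO_PARAMETER_CHECKING, 0, NULL);
    if (!NT_SUCCESS(nStatus)) {
        goto cleanup;
    }

    /* File size is the section's maximum size below. */
    RtlSecureZeroMemory(&fileinfo, sizeof(FILE_STANDARD_INFORMATION));
    nStatus = ZwQueryInformationFile(handle, &io, &fileinfo, sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation);
    if (!NT_SUCCESS(nStatus)) {
        goto cleanup;
    }

    /* Take a reference on the FILE_OBJECT; released in cleanup. */
    nStatus = ObReferenceObjectByHandle(handle, FILE_GENERIC_READ | SYNCHRONIZE, *IoFileObjectType, KernelMode, &fileobject, NULL);
    if (!NT_SUCCESS(nStatus)) {
        goto cleanup;
    }

    /*
     * Positional arguments follow the reversed ptrMiCreateSection prototype;
     * the meaning of the literal 2 and 0 is not established anywhere in
     * this file — TODO confirm against the target build. Two things to
     * verify as well: the prototype declares parameter 4 as PLARGE_INTEGER*
     * while a LONGLONG* is passed (the public MmCreateSection takes a plain
     * PLARGE_INTEGER MaximumSize, so the typedef is probably off by one
     * level of indirection), and PAGE_READWRITE is requested over a handle
     * opened for read only.
     *
     * NOTE(review): `section` is never released. If this internal call hands
     * back a referenced section object the way MmCreateSection does, each
     * load leaks one reference — confirm and ObDereferenceObject it if so.
     */
    nStatus = MiCreateSection(&section, NULL, 2, &fileinfo.EndOfFile.QuadPart, PAGE_READWRITE, SEC_COMMIT, 0, handle, fileobject, KernelMode);
    if (!NT_SUCCESS(nStatus)) {
        goto cleanup;
    }

    /* Map the whole section (viewsize 0) into the session given by MmSession. */
    nStatus = MiMapViewInSystemSpace(section, MmSession, &mappedbase, &viewsize, &value, 0);
    if (NT_SUCCESS(nStatus)) {
        DbgPrint("\r\nSection successfully mapped in system space");
    }

cleanup:
    /* Same release order as the original nested version: file object, handle, view. */
    if (fileobject) {
        ObfDereferenceObject(fileobject);
    }
    if (handle) {
        ZwClose(handle);
    }
    if (mappedbase) {
        MiRemoveFromSystemSpace(MmSession, mappedbase, 0);
    }

    return nStatus;
}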