├── SKLib-v ├── src │ ├── VMTimers.cpp │ ├── iommu.cpp │ ├── VMCSCheck.cpp │ ├── VMExitHandlers.cpp │ ├── windowspoof.cpp │ ├── event.cpp │ ├── VMMAllocator.cpp │ ├── exception.cpp │ ├── ioctrlhook.cpp │ ├── spoof.cpp │ ├── Vmoperations.cpp │ ├── Vmexit.cpp │ ├── VTxException.cpp │ ├── VmIDT-helper.asm │ ├── efispoof.cpp │ ├── eac.cpp │ ├── wmispoof.cpp │ ├── usbspoof.cpp │ └── volumespoof.cpp ├── include │ ├── windowspoof.h │ ├── smbiosspoof.h │ ├── efispoof.h │ ├── VMMAllocator.h │ ├── usbspoof.h │ ├── gpuspoof.h │ ├── spoof.h │ ├── VTx.h │ ├── EPT.h │ ├── VTxException.h │ ├── VMExitHandlers.h │ ├── VmIDT.h │ ├── ddma.h │ ├── event.h │ ├── Vmoperations.h │ ├── VMTimers.h │ ├── Vmexit.h │ ├── VMCSCheck.h │ ├── eac.h │ ├── volumespoof.h │ ├── ioctlhook.h │ └── Vmcall.h ├── SKLib-v.vcxproj.user └── vcpkg.json ├── SKLib ├── src │ ├── Setup.cpp │ ├── xor.cpp │ ├── bitmap.cpp │ ├── timing.cpp │ ├── IDT-helper.asm │ ├── queue.cpp │ ├── utils.cpp │ ├── std.cpp │ ├── defender.cpp │ ├── file.cpp │ ├── disassembler.cpp │ ├── threading.cpp │ ├── data.cpp │ ├── power.cpp │ ├── sharedpool.cpp │ └── collector.cpp ├── README.md ├── include │ ├── xor.h │ ├── acl.h │ ├── defender.h │ ├── disassembler.h │ ├── queue.h │ ├── SKLib.h │ ├── file.h │ ├── utils.h │ ├── timing.h │ ├── power.h │ ├── bitmap.h │ ├── spinlock.h │ ├── status.h │ ├── collector.h │ ├── sharedpool.h │ ├── exception.h │ ├── cpp.h │ ├── eventlogger.h │ ├── StringArray.h │ ├── Arch │ │ ├── Interrupts.h │ │ └── Intrinsics.h │ ├── threading.h │ ├── std.h │ ├── ioctl.h │ ├── bugcheck.h │ ├── RandEx.h │ ├── IDT.h │ ├── macros.h │ ├── VirtualizerSDKMacros.h │ ├── data.h │ ├── signatures.h │ ├── paging.h │ ├── registry.h │ ├── StringEx.h │ └── MapEx.h ├── SKLib.vcxproj.user ├── .gitignore ├── SKLib.cv └── SKLib.inf ├── Pdbparser ├── md5.cpp ├── Pdbparser.vcxproj.user ├── md5.h ├── pdbparse.h ├── Pdbparser.vcxproj.filters └── EzPdb.h ├── kdmapper_lib ├── .gitignore ├── kdmapper │ ├── include │ │ ├── service.hpp │ │ ├── portable_executable.hpp │ │ ├── utils.hpp │ │ ├── kdmapper.hpp │ │ └── nt.hpp │ ├── kdmapper.vcxproj.filters │ └── src │ │ ├── service.cpp │ │ ├── portable_executable.cpp │ │ └── utils.cpp └── kdmapper.sln ├── phymeme_lib ├── dbrequest-helper.asm ├── phymeme_lib │ ├── phymeme_lib.vcxproj.user │ └── phymeme_lib.vcxproj.filters ├── .gitignore ├── kernel_ctx │ ├── dbrequest.cpp │ ├── dbrequest.h │ └── kernel_ctx.h ├── map_driver.hpp ├── phymeme_lib.sln ├── physmeme_lib.vcxproj.user ├── map_driver.cpp ├── drv_image │ └── drv_image.h ├── physmeme │ └── physmeme.hpp ├── physmeme_lib.vcxproj.filters └── util │ ├── nt.hpp │ └── hook.hpp ├── vcpkg.json ├── .gitignore └── SKLib.sln /SKLib-v/src/VMTimers.cpp: -------------------------------------------------------------------------------- 1 | #include "VMTimers.h" -------------------------------------------------------------------------------- /SKLib/src/Setup.cpp: -------------------------------------------------------------------------------- 1 | #include "Setup.hpp" 2 | -------------------------------------------------------------------------------- /SKLib/README.md: -------------------------------------------------------------------------------- 1 | # SKLib 2 | Standard Kernel Library 3 | -------------------------------------------------------------------------------- /Pdbparser/md5.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cutecatsandvirtualmachines/SKLib/HEAD/Pdbparser/md5.cpp -------------------------------------------------------------------------------- /kdmapper_lib/.gitignore: -------------------------------------------------------------------------------- 1 | .vs 2 | kdmapper/x64 3 | kdmapper/kdmapper.vcxproj.user 4 | x64 5 | HelloWorld/.vs -------------------------------------------------------------------------------- /SKLib-v/src/iommu.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cutecatsandvirtualmachines/SKLib/HEAD/SKLib-v/src/iommu.cpp -------------------------------------------------------------------------------- /SKLib-v/src/VMCSCheck.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cutecatsandvirtualmachines/SKLib/HEAD/SKLib-v/src/VMCSCheck.cpp -------------------------------------------------------------------------------- /SKLib-v/src/VMExitHandlers.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cutecatsandvirtualmachines/SKLib/HEAD/SKLib-v/src/VMExitHandlers.cpp -------------------------------------------------------------------------------- /SKLib/include/xor.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "cpp.h" 4 | 5 | namespace encryption { 6 | void xorBytes(PVOID pBase, SIZE_T sz, SIZE_T key); 7 | } -------------------------------------------------------------------------------- /SKLib-v/include/windowspoof.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "cpp.h" 4 | #include "Setup.hpp" 5 | 6 | namespace window { 7 | void Hide(int hwnd, char* pTeb); 8 | } -------------------------------------------------------------------------------- /SKLib-v/include/smbiosspoof.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "ioctlhook.h" 4 | #include "smbios.h" 5 | 6 | namespace smbios { 7 | bool Spoof(DWORD64 seed = TEST_SEED); 8 | } -------------------------------------------------------------------------------- /phymeme_lib/dbrequest-helper.asm: -------------------------------------------------------------------------------- 1 | 2 | .code _text 3 | 4 | ;DWORD64 DbRequest(DWORD64 code, PDB_INFO pDbInfo) 5 | DbRequest proc 6 | int 3 7 | ret 8 | DbRequest endp 9 | 10 | END -------------------------------------------------------------------------------- /SKLib-v/include/efispoof.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "ioctlhook.h" 4 | 5 | namespace efi { 6 | bool Spoof(DWORD64 seed = TEST_SEED); 7 | } 8 | 9 | #define VARIABLE_ATTRIBUTE_NON_VOLATILE 1 -------------------------------------------------------------------------------- /SKLib-v/include/VMMAllocator.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "cpp.h" 4 | 5 | namespace vmm { 6 | BOOLEAN InitAllocator(); 7 | 8 | PVOID malloc(SIZE_T sz); 9 | VOID free(PVOID pMem); 10 | } -------------------------------------------------------------------------------- /Pdbparser/Pdbparser.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /SKLib/include/acl.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "cpp.h" 3 | 4 | NTSTATUS CreateStandardSCAndACL(OUT PSECURITY_DESCRIPTOR* SecurityDescriptor, OUT PACL* Acl); 5 | NTSTATUS GrantAccess(HANDLE hSection, IN PACL StandardAcl); -------------------------------------------------------------------------------- /SKLib/include/defender.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef _KERNEL_MODE 4 | #include "winternlex.h" 5 | #include "MemoryEx.h" 6 | 7 | namespace defender { 8 | bool CleanFilterList(string driverName); 9 | } 10 | #endif -------------------------------------------------------------------------------- /phymeme_lib/phymeme_lib/phymeme_lib.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /SKLib-v/include/usbspoof.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "ioctlhook.h" 4 | #include 5 | 6 | #ifdef _KERNEL_MODE 7 | 8 | namespace usb { 9 | bool Spoof(DWORD64 seed = TEST_SEED); 10 | } 11 | 12 | #endif -------------------------------------------------------------------------------- /Pdbparser/md5.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // swprintf 4 | #pragma warning (disable : 4996) 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | std::string Md5(PVOID buffer, ULONG bufferLen); -------------------------------------------------------------------------------- /SKLib/SKLib.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | false 5 | 6 | -------------------------------------------------------------------------------- /SKLib-v/SKLib-v.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | false 5 | 6 | -------------------------------------------------------------------------------- /phymeme_lib/.gitignore: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # This .gitignore file was automatically created by Microsoft(R) Visual Studio. 3 | ################################################################################ 4 | 5 | /.vs 6 | /x64 7 | -------------------------------------------------------------------------------- /SKLib/include/disassembler.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef _KERNEL_MODE 4 | 5 | #define ZYDIS_DISABLE_FORMATTER 6 | 7 | #include 8 | 9 | #include "cpp.h" 10 | 11 | namespace disassembler { 12 | size_t GetInstrBoundaryLen(PVOID pBase, size_t targetLen); 13 | } 14 | 15 | #endif -------------------------------------------------------------------------------- /SKLib/include/queue.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #ifdef _KERNEL_MODE 3 | 4 | #include "cpp.h" 5 | #include "VectorEx.h" 6 | #include "RandEx.h" 7 | 8 | #define DEFAULT_QUEUE_RESERVE 20 9 | 10 | class Queue { 11 | vector queue; 12 | 13 | Queue(); 14 | 15 | void Lock(); 16 | void Unlock(); 17 | }; 18 | #endif -------------------------------------------------------------------------------- /kdmapper_lib/kdmapper/include/service.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include "intel_driver.hpp" 6 | 7 | namespace service 8 | { 9 | bool RegisterAndStart(const std::wstring& driver_path); 10 | bool StopAndRemove(const std::wstring& driver_name); 11 | }; -------------------------------------------------------------------------------- /SKLib-v/src/windowspoof.cpp: -------------------------------------------------------------------------------- 1 | #include "windowspoof.h" 2 | #include 3 | 4 | void window::Hide(int hwnd, char* pTeb) 5 | { 6 | DWORD64* pClientInfo = (DWORD64*)(pTeb + offsets.ClientInfo); 7 | pClientInfo[offsets.HwndCache] = (DWORD64)hwnd; 8 | pClientInfo[offsets.HwndCache + 1] = 0; //tagWND cache 9 | } 10 | -------------------------------------------------------------------------------- /SKLib-v/include/gpuspoof.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "ioctlhook.h" 4 | #include "disassembler.h" 5 | 6 | namespace gpu { 7 | bool Spoof(DWORD64 seed = TEST_SEED); 8 | } 9 | 10 | #define NV_MAX_DEVICES 32 11 | #define IOCTL_NVIDIA_SMIL (0x8DE0008) 12 | #define IOCTL_NVIDIA_SMIL_MAX (512) 13 | #define GPU_SERIAL_OFFSET 0x1AC -------------------------------------------------------------------------------- /SKLib/src/xor.cpp: -------------------------------------------------------------------------------- 1 | #include "xor.h" 2 | 3 | void encryption::xorBytes(PVOID pBase, SIZE_T sz, SIZE_T key) 4 | { 5 | if (sz % 8) { 6 | for (SIZE_T i = 0; i < sz; i++) { 7 | *(char*)pBase ^= key; 8 | } 9 | } 10 | else { 11 | for (SIZE_T i = 0; i < sz; i += 8) { 12 | *(DWORD64*)pBase ^= key; 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /SKLib/include/SKLib.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #ifdef _KERNEL_MODE 9 | 10 | extern "C" NTSTATUS IoCreateDriver( 11 | IN PUNICODE_STRING DriverName OPTIONAL, 12 | IN PDRIVER_INITIALIZE InitializationFunction 13 | ); 14 | 15 | #endif -------------------------------------------------------------------------------- /vcpkg.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://raw.githubusercontent.com/microsoft/vcpkg-tool/main/docs/vcpkg.schema.json", 3 | "name": "sklib", 4 | "version": "1.0.0", 5 | "dependencies": [ 6 | { 7 | "name": "zydis", 8 | "platform": "x64" 9 | } 10 | ], 11 | "builtin-baseline": "3426db05b996481ca31e95fff3734cf23e0f51bc" 12 | } -------------------------------------------------------------------------------- /SKLib-v/vcpkg.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://raw.githubusercontent.com/microsoft/vcpkg-tool/main/docs/vcpkg.schema.json", 3 | "name": "sklib", 4 | "version": "1.0.0", 5 | "dependencies": [ 6 | { 7 | "name": "zydis", 8 | "platform": "x64" 9 | } 10 | ], 11 | "builtin-baseline": "3426db05b996481ca31e95fff3734cf23e0f51bc" 12 | } -------------------------------------------------------------------------------- /SKLib/include/file.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "cpp.h" 4 | #include "winternlex.h" 5 | 6 | namespace file { 7 | class fstream { 8 | private: 9 | HANDLE hFile; 10 | OBJECT_ATTRIBUTES ObjectAttributes; 11 | 12 | public: 13 | fstream(string&& path); 14 | fstream(string& path); 15 | ~fstream(); 16 | 17 | HANDLE Handle(); 18 | }; 19 | } 20 | -------------------------------------------------------------------------------- /SKLib/include/utils.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #ifdef _KERNEL_MODE 3 | #ifndef _WDMDDK_ 4 | #include 5 | #endif 6 | #endif 7 | 8 | #include "cpp.h" 9 | #include "StringEx.h" 10 | 11 | #ifdef _KERNEL_MODE 12 | //Remember to deallocate string's buffer after you're done using the UNICODE_STRING returned from this function 13 | UNICODE_STRING GetModuleNameFromPath(PUNICODE_STRING path); 14 | #endif -------------------------------------------------------------------------------- /SKLib-v/include/spoof.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "cpp.h" 4 | #include "diskspoof.h" 5 | #include "volumespoof.h" 6 | #include "nicspoof.h" 7 | #include "smbiosspoof.h" 8 | #include "gpuspoof.h" 9 | #include "efispoof.h" 10 | #include "wmispoof.h" 11 | #include "usbspoof.h" 12 | 13 | namespace spoofer { 14 | NTSTATUS SpoofAll(DWORD64 seed = TEST_SEED); 15 | 16 | extern DWORD64 seed; 17 | } 18 | -------------------------------------------------------------------------------- /SKLib-v/src/event.cpp: -------------------------------------------------------------------------------- 1 | #include "event.h" 2 | 3 | #include 4 | 5 | bool SKLibEvent::Triggered() 6 | { 7 | return bPreNotified; 8 | } 9 | 10 | void SKLibEvent::Await() 11 | { 12 | if (bPreNotified) 13 | return; 14 | 15 | _lock.Lock(); 16 | _lock.Lock(); 17 | _lock.Unlock(); 18 | } 19 | 20 | void SKLibEvent::Trigger() 21 | { 22 | bPreNotified = true; 23 | _lock.Unlock(); 24 | } 25 | -------------------------------------------------------------------------------- /SKLib/.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Compiled Object files 5 | *.slo 6 | *.lo 7 | *.o 8 | *.obj 9 | 10 | # Precompiled Headers 11 | *.gch 12 | *.pch 13 | 14 | # Compiled Dynamic libraries 15 | *.so 16 | *.dylib 17 | *.dll 18 | 19 | # Fortran module files 20 | *.mod 21 | *.smod 22 | 23 | # Compiled Static libraries 24 | *.lai 25 | *.la 26 | *.a 27 | *.lib 28 | 29 | # Executables 30 | *.exe 31 | *.out 32 | *.app 33 | -------------------------------------------------------------------------------- /SKLib-v/include/VTx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #pragma warning (disable:4267) 4 | #pragma warning (disable:4201) 5 | #pragma warning (disable:4334) 6 | 7 | #include "macros.h" 8 | #include "data.h" 9 | #include "MemoryEx.h" 10 | #include "VMCSCheck.h" 11 | #include "power.h" 12 | #include "bitmap.h" 13 | #include "VMTimers.h" 14 | #include "VMExitHandlers.h" 15 | #include "winternlex.h" 16 | #include "bugcheck.h" 17 | #include "VMMDef.h" 18 | -------------------------------------------------------------------------------- /SKLib-v/include/EPT.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #pragma warning (disable:4353) 4 | 5 | #ifdef _KERNEL_MODE 6 | #include 7 | #endif 8 | 9 | #include "VMMDef.h" 10 | #include "ia32.h" 11 | #include "cpp.h" 12 | #include "cpu.h" 13 | #include "MemoryEx.h" 14 | #include "ListEx.h" 15 | #include "VectorEx.h" 16 | #include "spinlock.h" 17 | #include "IDT.h" 18 | #include "paging.h" 19 | #include "disassembler.h" 20 | #include "VTxException.h" 21 | #include "PE.h" 22 | #include "VMMAllocator.h" 23 | -------------------------------------------------------------------------------- /SKLib-v/include/VTxException.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef _KERNEL_MODE 4 | #include 5 | #endif 6 | 7 | #include 8 | 9 | #include "cpp.h" 10 | #include "cpu.h" 11 | #include "VMMDef.h" 12 | 13 | #define RST_CNT_IO_PORT (USHORT)0xCF9 14 | 15 | #define DUMP_SECTION_NAME "SKLibDump" 16 | 17 | #ifdef _KERNEL_MODE 18 | namespace VTx { 19 | namespace Exceptions { 20 | extern "C" bool InjectException(EXCEPTION_VECTOR ex, DWORD32 eCode = 0); 21 | void ApHardReset(); 22 | } 23 | } 24 | #endif -------------------------------------------------------------------------------- /SKLib/src/bitmap.cpp: -------------------------------------------------------------------------------- 1 | #include "bitmap.h" 2 | 3 | DWORD64 Power2(DWORD64 pw) { 4 | return 1ull << pw; 5 | } 6 | 7 | void bitmap::SetBit(PVOID va, DWORD32 bit, BOOLEAN bSet) 8 | { 9 | DWORD32 byte = bit / 8; 10 | bit %= 8; 11 | 12 | if (bSet) { 13 | ((PUCHAR)va)[byte] |= Power2(bit); 14 | } 15 | else { 16 | ((PUCHAR)va)[byte] &= ~Power2(bit); 17 | } 18 | } 19 | 20 | BOOLEAN bitmap::GetBit(PVOID va, DWORD32 bit) 21 | { 22 | UCHAR byte = ((PUCHAR)va)[bit / 8]; 23 | bit %= 8; 24 | 25 | return byte & Power2(bit); 26 | } 27 | -------------------------------------------------------------------------------- /SKLib-v/include/VMExitHandlers.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "EPT.h" 4 | #include "VTxException.h" 5 | 6 | #ifdef _KERNEL_MODE 7 | 8 | namespace VTx { 9 | namespace VMExitHandlers { 10 | bool HandleCPUID(PREGS pContext); 11 | bool HandleCR(PREGS pContext); 12 | bool HandleGDTRIDTR(PREGS pContext); 13 | bool HandleRDMSR(PREGS pContext); 14 | bool HandleWRMSR(PREGS pContext); 15 | bool HandleXSetBv(PREGS pContext); 16 | bool HandleInvpcid(PREGS pContext); 17 | } 18 | } 19 | 20 | #endif -------------------------------------------------------------------------------- /SKLib/include/timing.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "cpp.h" 4 | 5 | #define TICKS_TO_S(ns) ((ns) / 10000000) 6 | #define S_TO_TICKS(s) ((s) * 10000000) 7 | #define TICKS_TO_MS(ns) ((ns) / 10000) 8 | #define MS_TO_TICKS(s) ((s) * 10000) 9 | 10 | namespace timing { 11 | LARGE_INTEGER currentTime(); 12 | 13 | class StopWatch { 14 | private: 15 | LARGE_INTEGER start; 16 | LARGE_INTEGER stop; 17 | 18 | public: 19 | StopWatch(); 20 | 21 | DWORD64 ms(); 22 | DWORD64 s(); 23 | DWORD64 ticks(); 24 | 25 | void reset(); 26 | }; 27 | } -------------------------------------------------------------------------------- /SKLib-v/include/VmIDT.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | #ifdef _KERNEL_MODE 5 | 6 | extern "C" void generic_interrupt_handler_vm(); 7 | extern "C" void generic_interrupt_handler_ecode_vm(); 8 | extern "C" void __nmi_handler_vm(); 9 | extern "C" void __gp_handler_vm(); 10 | extern "C" void __pf_handler_vm(); 11 | extern "C" void __de_handler_vm(); 12 | 13 | extern "C" void seh_handler_ecode_vm(PIDT_REGS_ECODE regs); 14 | extern "C" void seh_handler_vm(PIDT_REGS regs); 15 | 16 | extern "C" void NmiHandler(); 17 | 18 | void SetupIDTVm(IDT& idt); 19 | 20 | #endif -------------------------------------------------------------------------------- /SKLib-v/include/ddma.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "cpp.h" 4 | 5 | #ifdef _KERNEL_MODE 6 | 7 | typedef struct _DISK { 8 | PDEVICE_OBJECT Device; 9 | // Buffer holding sectors original data 10 | UINT8 Buffer[PAGE_SIZE]; 11 | } DISK, * PDISK; 12 | 13 | class DdmaProvider { 14 | private: 15 | PDISK pDisk; 16 | BOOLEAN bScsi; 17 | 18 | public: 19 | DdmaProvider(); 20 | ~DdmaProvider(); 21 | 22 | NTSTATUS ReadPage(OUT PVOID dest); 23 | 24 | NTSTATUS WritePage(IN PVOID src); 25 | 26 | NTSTATUS DiskCopyPage(PVOID dest, PVOID src); 27 | }; 28 | 29 | #endif -------------------------------------------------------------------------------- /phymeme_lib/kernel_ctx/dbrequest.cpp: -------------------------------------------------------------------------------- 1 | #include "dbrequest.h" 2 | 3 | PVOID db::AllocatePool(SIZE_T size) 4 | { 5 | volatile PVOID pOut = 0; 6 | PDB_INFO pDbInfo = (PDB_INFO)_aligned_malloc(sizeof(*pDbInfo), 0x1000); 7 | if (!pDbInfo) 8 | return nullptr; 9 | 10 | pDbInfo->allocate.pOut = (PVOID*)&pOut; 11 | pDbInfo->allocate.sz = size; 12 | 13 | DbRequest(DB_ALLOCATE, pDbInfo); 14 | 15 | int i = 0; 16 | while (!pOut) { 17 | Sleep(1); 18 | 19 | if (i > 1000) { 20 | return nullptr; 21 | } 22 | i++; 23 | } 24 | 25 | _aligned_free(pDbInfo); 26 | return pOut; 27 | } 28 | -------------------------------------------------------------------------------- /SKLib-v/include/event.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "spinlock.h" 4 | #include "RandEx.h" 5 | 6 | class SKLibEvent { 7 | private: 8 | Spinlock _lock; 9 | bool bPreNotified; 10 | 11 | DWORD64 _id; 12 | 13 | public: 14 | SKLibEvent() : bPreNotified(false), _id(random::NextHardware(0, MAXULONG64)) {}; 15 | 16 | bool Triggered(); 17 | void Await(); 18 | 19 | #ifdef _KERNEL_MODE 20 | void Trigger(); 21 | #endif 22 | 23 | __forceinline bool operator==(SKLibEvent& rhs) { 24 | return _id == rhs._id; 25 | } 26 | __forceinline bool operator!=(SKLibEvent& rhs) { 27 | return !(*this == rhs); 28 | } 29 | }; -------------------------------------------------------------------------------- /SKLib/include/power.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #ifdef _KERNEL_MODE 3 | 4 | #include "cpp.h" 5 | #include "StringEx.h" 6 | #include "ListEx.h" 7 | 8 | typedef void (*fnPowerCallback)(PVOID, PVOID, PVOID); 9 | 10 | namespace Power { 11 | extern bool bInit; 12 | 13 | extern list* vCallbackObjs; 14 | extern list* vRegistrationObjs; 15 | 16 | void Init(); 17 | void Dispose(); 18 | 19 | //The returned index is necessary to unregister the callback later on 20 | NTSTATUS RegisterCallback(fnPowerCallback fnCallback, int* index = nullptr); 21 | void UnregisterCallback(int index); 22 | } 23 | #endif -------------------------------------------------------------------------------- /phymeme_lib/map_driver.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | 6 | namespace physmeme 7 | { 8 | void Init(); 9 | std::string DriverName(); 10 | DWORD32 DriverTimestamp(); 11 | HANDLE DriverHandle(); 12 | 13 | NTSTATUS __cdecl map_driver(std::string driver_name, uintptr_t param1, uintptr_t param2, bool bAllocationPtrParam1 = false, bool bAllocationSizeParam2 = false, uintptr_t* allocBase = 0); 14 | NTSTATUS __cdecl map_driver(const std::vector& raw_driver, uintptr_t param1, uintptr_t param2, bool bAllocationPtrParam1 = false, bool bAllocationSizeParam2 = false, uintptr_t* allocBase = 0); 15 | } -------------------------------------------------------------------------------- /SKLib/include/bitmap.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "cpp.h" 4 | 5 | namespace bitmap { 6 | typedef struct _LARGE_BITMAP { 7 | DWORD64 low; 8 | DWORD64 high; 9 | } LARGE_BITMAP, *PLARGE_BITMAP; 10 | 11 | VOID SetBit(PVOID va, DWORD32 bit, BOOLEAN bSet); 12 | BOOLEAN GetBit(PVOID va, DWORD32 bit); 13 | 14 | template 15 | T bits(DWORD64 value, DWORD64 start, DWORD64 end) { 16 | if (end <= start) 17 | return 0; 18 | DWORD64 bitmask = 0; 19 | for (DWORD32 i = 0; i < sizeof(bitmask) * 8; i++) { 20 | if(i <= end && i >= start) 21 | SetBit(&bitmask, i, true); 22 | } 23 | 24 | return (T)((value & bitmask) >> start); 25 | } 26 | } -------------------------------------------------------------------------------- /SKLib/include/spinlock.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "cpp.h" 4 | 5 | #define SPINLOCK_MAX_WAIT ~0ul 6 | 7 | #pragma pack(push, 1) 8 | class Spinlock { 9 | public: 10 | Spinlock() { 11 | Init(); 12 | } 13 | 14 | void Unlock() { 15 | InterlockedExchange(&_lock, 0); 16 | } 17 | void Disable() { 18 | _bDisabled = true; 19 | } 20 | void Enable() { 21 | _bDisabled = false; 22 | } 23 | 24 | void Init() { 25 | _lock = 0; 26 | _bDisabled = false; 27 | } 28 | void Lock() { 29 | while (!_bDisabled && (InterlockedCompareExchange(&_lock, 1, 0) == 1)) 30 | ; 31 | } 32 | private: 33 | long _lock; 34 | bool _bDisabled; 35 | }; 36 | #pragma pack(pop) -------------------------------------------------------------------------------- /SKLib-v/src/VMMAllocator.cpp: -------------------------------------------------------------------------------- 1 | #include "VMMAllocator.h" 2 | 3 | PVOID pPreallocatedBuffer = nullptr; 4 | constexpr SIZE_T szBuffer = 0x800000; //8MB 5 | SIZE_T szAllocated = 0; 6 | 7 | BOOLEAN vmm::InitAllocator() 8 | { 9 | pPreallocatedBuffer = cpp::kMallocZero(szBuffer, PAGE_READWRITE); 10 | if (!pPreallocatedBuffer) 11 | return FALSE; 12 | return TRUE; 13 | } 14 | 15 | PVOID vmm::malloc(SIZE_T sz) 16 | { 17 | PVOID retValue = 0; 18 | if (szAllocated + sz <= szBuffer) { 19 | retValue = (PVOID)((SIZE_T)pPreallocatedBuffer + szAllocated + sz); 20 | } 21 | else { 22 | return nullptr; 23 | } 24 | 25 | szAllocated += sz; 26 | return retValue; 27 | } 28 | 29 | VOID vmm::free(PVOID pMem) 30 | { 31 | return VOID(); 32 | } 33 | -------------------------------------------------------------------------------- /SKLib/src/timing.cpp: -------------------------------------------------------------------------------- 1 | #include "timing.h" 2 | 3 | LARGE_INTEGER timing::currentTime() 4 | { 5 | LARGE_INTEGER currTime = { 0 }; 6 | KeQuerySystemTime(&currTime); 7 | return currTime; 8 | } 9 | 10 | timing::StopWatch::StopWatch() 11 | { 12 | start = currentTime(); 13 | stop = start; 14 | } 15 | 16 | DWORD64 timing::StopWatch::ms() 17 | { 18 | return TICKS_TO_MS(ticks()); 19 | } 20 | 21 | DWORD64 timing::StopWatch::s() 22 | { 23 | return TICKS_TO_S(ticks()); 24 | } 25 | 26 | DWORD64 timing::StopWatch::ticks() 27 | { 28 | stop = currentTime(); 29 | return stop.QuadPart - start.QuadPart; 30 | } 31 | 32 | void timing::StopWatch::reset() 33 | { 34 | start = currentTime(); 35 | stop = start; 36 | } 37 | -------------------------------------------------------------------------------- /SKLib/src/IDT-helper.asm: -------------------------------------------------------------------------------- 1 | 2 | .code _text 3 | 4 | EXTERN seh_handler : proc 5 | EXTERN seh_handler_ecode : proc 6 | 7 | ; #DE has no error code... 8 | generic_interrupt_handler PROC 9 | __de_handler proc 10 | iretq 11 | __de_handler endp 12 | generic_interrupt_handler ENDP 13 | 14 | ; PF and GP have error code... 15 | generic_interrupt_handler_ecode PROC 16 | __pf_handler proc 17 | __gp_handler proc 18 | add rsp, 8 ; remove error code on the stack... 19 | 20 | iretq 21 | __gp_handler endp 22 | __pf_handler endp 23 | generic_interrupt_handler_ecode ENDP 24 | 25 | __db_handler proc 26 | push rax 27 | pushfq 28 | pop rax 29 | 30 | btr rax, 8 31 | 32 | push rax 33 | popfq 34 | pop rax 35 | iretq 36 | __db_handler endp 37 | 38 | END -------------------------------------------------------------------------------- /SKLib-v/src/exception.cpp: -------------------------------------------------------------------------------- 1 | #include "exception.h" 2 | 3 | cpp::exception::EX_CTL cpp::exception::HandleStdEx(PEXCEPTION_POINTERS pEx) 4 | { 5 | if (pEx->ExceptionRecord->ExceptionCode == STD_EXCEPTION 6 | && cpp::IsInRange(pEx->ExceptionRecord->ExceptionAddress, Throw, 50)) { 7 | DbgMsg("[EXCEPTION] Caught standard exception, executing handler!"); 8 | return cpp::exception::EXECUTE_HANDLER; 9 | } 10 | 11 | DbgMsg("[EXCEPTION] Non standard exception caught, continuing search: 0x%x", pEx->ExceptionRecord->ExceptionCode); 12 | return cpp::exception::CONTINUE_SEARCH; 13 | } 14 | 15 | #pragma warning (disable:6011) 16 | void cpp::exception::Throw() 17 | { 18 | volatile int* zero = nullptr; 19 | *zero = 0; 20 | } 21 | #pragma warning (default:6011) -------------------------------------------------------------------------------- /SKLib/src/queue.cpp: -------------------------------------------------------------------------------- 1 | #include "queue.h" 2 | 3 | Queue::Queue() { 4 | queue.reserve(DEFAULT_QUEUE_RESERVE); 5 | } 6 | 7 | void Queue::Lock() 8 | { 9 | unsigned int wait = 1; 10 | unsigned int maxWait = ~0ul; 11 | 12 | DWORD32 curIndex = (DWORD32)random::Next32(0, MAXUINT32); 13 | queue.Append(curIndex); 14 | 15 | while (!(queue[0] == curIndex)) 16 | { 17 | for (unsigned i = 0; i < wait; ++i) 18 | { 19 | _mm_pause(); 20 | } 21 | 22 | // Don't call "pause" too many times. If the wait becomes too big, 23 | // clamp it to the max_wait. 24 | 25 | if (wait * 2 > maxWait) 26 | { 27 | wait = maxWait; 28 | } 29 | else 30 | { 31 | wait = wait * 2; 32 | } 33 | } 34 | } 35 | 36 | void Queue::Unlock() 37 | { 38 | queue.RemoveAt(0); 39 | } 40 | -------------------------------------------------------------------------------- /SKLib/src/utils.cpp: -------------------------------------------------------------------------------- 1 | #include "utils.h" 2 | 3 | UNICODE_STRING GetModuleNameFromPath(PUNICODE_STRING path) 4 | { 5 | UNICODE_STRING s; 6 | 7 | char* char_arr = (char*)ExAllocatePool(NonPagedPoolNx, (size_t)path->Length + 1); 8 | wcstombs(char_arr, path->Buffer, (size_t)path->Length); 9 | string* full_path = string::create(char_arr); 10 | 11 | int index = full_path->last_of('\\'); 12 | string modName = full_path->substring(index + 1); 13 | PCWSTR wstr = (PCWSTR)cpp::kMalloc(((size_t)modName.Length() + 1) * 2, PAGE_READWRITE); 14 | mbstowcs((wchar_t*)wstr, (char*)modName.pBuffer, modName.Length()); 15 | RtlInitUnicodeString(&s, wstr); 16 | 17 | full_path->Dispose(); 18 | modName.Dispose(); 19 | cpp::kFree(full_path); 20 | ExFreePool(char_arr); 21 | 22 | return s; 23 | } -------------------------------------------------------------------------------- /SKLib-v/include/Vmoperations.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef _KERNEL_MODE 4 | #include "Vmexit.h" 5 | #include "bitmap.h" 6 | 7 | typedef void (*fnVmOperation)(ONEXIT_DATA data); 8 | 9 | typedef struct _OPERATION_DATA { 10 | fnVmOperation operation; 11 | bitmap::LARGE_BITMAP executedBitmap; 12 | bitmap::LARGE_BITMAP executionBitmap; 13 | 14 | __forceinline bool operator==(_OPERATION_DATA& rhs) { 15 | return memcmp(this, &rhs, sizeof(rhs)) == 0; 16 | } 17 | __forceinline bool operator!=(_OPERATION_DATA& rhs) { 18 | return !(*this == rhs); 19 | } 20 | } OPERATION_DATA, *POPERATION_DATA; 21 | 22 | namespace vmoperations { 23 | void Init(); 24 | 25 | void ExecuteOperations(ONEXIT_DATA data); 26 | void InsertOperation(bitmap::LARGE_BITMAP executionBitmap, fnVmOperation operation); 27 | } 28 | #endif -------------------------------------------------------------------------------- /Pdbparser/pdbparse.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #include "dia2.h" 9 | #include "EzPdb.h" 10 | 11 | typedef struct _OFFSET_DATA { 12 | std::string name; 13 | size_t offset; 14 | } OFFSET_DATA, * POFFSET_DATA; 15 | 16 | #define INVALID_OFFSET ((DWORD64)-1) 17 | 18 | class PdbParser { 19 | private: 20 | IDiaDataSource* pDiaDataSource; 21 | IDiaSession* pDiaSession; 22 | IDiaSymbol* pGlobalSymbol; 23 | 24 | public: 25 | PdbParser(std::wstring path); 26 | ~PdbParser(); 27 | 28 | bool IsInit(); 29 | 30 | bool GetAllRVA(std::vector& vRVAs); 31 | size_t GetSymbolRVA(std::wstring funcName); 32 | size_t GetStructMemberOffset(std::wstring structName, std::wstring memberName); 33 | }; 34 | -------------------------------------------------------------------------------- /phymeme_lib/kernel_ctx/dbrequest.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | typedef enum _DB_CODE : ULONG64 { 5 | DB_NULL = 0, 6 | DB_MAP = 0xdeada55, 7 | DB_ALLOCATE, 8 | DB_REGISTER_CALLBACK, 9 | DB_TEST, 10 | DB_STOP 11 | } DB_CODE, * PDB_CODE; 12 | 13 | #pragma pack(push, 1) 14 | typedef union _DB_INFO { 15 | struct { 16 | SIZE_T sz; 17 | DWORD64 pa; 18 | PVOID* pOut; 19 | NTSTATUS* pNtStatus; 20 | } map; 21 | struct { 22 | SIZE_T sz; 23 | PVOID* pOut; 24 | } allocate; 25 | } DB_INFO, * PDB_INFO; 26 | 27 | typedef struct _COMMS_INFO { 28 | DB_CODE code; 29 | DWORD64 cr3; 30 | PDB_INFO pDbInfo; 31 | } COMMS_INFO, * PCOMMS_INFO; 32 | #pragma pack(pop) 33 | 34 | namespace db { 35 | extern "C" DWORD64 DbRequest(DWORD64 code, PDB_INFO pDbInfo); 36 | PVOID AllocatePool(SIZE_T size); 37 | } -------------------------------------------------------------------------------- /kdmapper_lib/kdmapper/include/portable_executable.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | namespace portable_executable 8 | { 9 | struct RelocInfo 10 | { 11 | uint64_t address; 12 | uint16_t* item; 13 | uint32_t count; 14 | }; 15 | 16 | struct ImportFunctionInfo 17 | { 18 | std::string name; 19 | uint64_t* address; 20 | }; 21 | 22 | struct ImportInfo 23 | { 24 | std::string module_name; 25 | std::vector function_datas; 26 | }; 27 | 28 | using vec_sections = std::vector; 29 | using vec_relocs = std::vector; 30 | using vec_imports = std::vector; 31 | 32 | PIMAGE_NT_HEADERS64 GetNtHeaders(void* image_base); 33 | vec_relocs GetRelocs(void* image_base); 34 | vec_imports GetImports(void* image_base); 35 | } -------------------------------------------------------------------------------- /phymeme_lib/phymeme_lib/phymeme_lib.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | -------------------------------------------------------------------------------- /SKLib/src/std.cpp: -------------------------------------------------------------------------------- 1 | #include "std.h" 2 | 3 | char cpp::isalnum(char ch) 4 | { 5 | return 6 | (ch >= '0' && ch <= '9') 7 | || (ch >= 'A' && ch <= 'Z') 8 | || (ch >= 'a' && ch <= 'z') 9 | || ch == '_' 10 | || ch == '-' 11 | || ch == '.' 12 | ; 13 | } 14 | 15 | char cpp::isalnumcap(char ch) { 16 | return 17 | (ch >= '0' && ch <= '9') 18 | || (ch >= 'A' && ch <= 'Z'); 19 | } 20 | 21 | bool cpp::isalnumstr(char* str) { 22 | int i = 0; 23 | 24 | while (str[i]) { 25 | if (!isalnum(str[i++])) 26 | return false; 27 | } 28 | return true; 29 | } 30 | 31 | bool cpp::isalnumstr_s(char* str, size_t max) { 32 | int len = (int)strnlen_s(str, max); 33 | if (!len) 34 | return false; 35 | 36 | for (int i = 0; i < len; i++) { 37 | if (!isalnum(str[i])) 38 | return false; 39 | } 40 | return true; 41 | } 42 | -------------------------------------------------------------------------------- /SKLib-v/include/VMTimers.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | #define IO_TIMER1_PORT 0x40 /* 8253 Timer #1 */ 5 | #define NMISC_PORT 0x61 6 | #define TIMER_REG_CNTR0 0 /* timer 0 counter port */ 7 | #define TIMER_REG_CNTR1 1 /* timer 1 counter port */ 8 | #define TIMER_REG_CNTR2 2 /* timer 2 counter port */ 9 | #define TIMER_REG_MODE 3 /* timer mode port */ 10 | 11 | /* 12 | * The outputs of the three timers are connected as follows: 13 | * 14 | * timer 0 -> irq 0 15 | * timer 1 -> dma chan 0 (for dram refresh) 16 | * timer 2 -> speaker (via keyboard controller) 17 | * 18 | * Timer 0 is used to call hard clock. 19 | * Timer 2 is used to generate console beeps. 20 | */ 21 | #define TIMER_CNTR0 (IO_TIMER1_PORT + TIMER_REG_CNTR0) 22 | #define TIMER_CNTR1 (IO_TIMER1_PORT + TIMER_REG_CNTR1) 23 | #define TIMER_CNTR2 (IO_TIMER1_PORT + TIMER_REG_CNTR2) 24 | #define TIMER_MODE (IO_TIMER1_PORT + TIMER_REG_MODE) 25 | 26 | #define IO_RTC 0x070 /* RTC */ -------------------------------------------------------------------------------- /SKLib/include/status.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define SKLIB_IOMMU_NOT_PRESENT 0x80000000 4 | #define SKLIB_IOMMU_NOT_LOADED 0x80000001 5 | #define SKLIB_VIRTUALIZATION_FAILED 0x80000002 6 | #define SKLIB_SETUP_FAILED 0x80000003 7 | #define SKLIB_USER_INFO_INVALID 0x80000004 8 | #define SKLIB_SPOOFER_FAILED 0x80000005 9 | #define SKLIB_EPT_FAILED 0x80000006 10 | #define SKLIB_LOAD_FAILED 0x80000007 11 | #define SKLIB_DEBUGGER_DETECTED 0x80000008 12 | #define SKLIB_HYPERVISOR_DETECTED 0x80000009 13 | 14 | #define STATUS_FAILED_VOLUME_SPOOF 0x81000000 15 | #define STATUS_FAILED_DISKS_SPOOF 0x81000001 16 | #define STATUS_FAILED_NICS_SPOOF 0x81000002 17 | #define STATUS_FAILED_MONITOR_SPOOF 0x81000003 18 | #define STATUS_FAILED_USB_SPOOF 0x81000004 19 | #define STATUS_FAILED_SMBIOS_SPOOF 0x81000005 20 | #define STATUS_FAILED_EFI_SPOOF 0x81000006 21 | #define STATUS_FAILED_GPU_SPOOF 0x81000007 22 | 23 | #define SKLIB_DETECTION(code) (SKLIB_DEBUGGER_DETECTED | (code << 8)) -------------------------------------------------------------------------------- /kdmapper_lib/kdmapper/include/utils.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define Log(content, ...) printf(content "\n", __VA_ARGS__) 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #include "nt.hpp" 15 | 16 | namespace kdmapper_utils 17 | { 18 | std::wstring GetFullTempPath(); 19 | bool ReadFileToMemory(const std::wstring& file_path, std::vector* out_buffer); 20 | bool CreateFileFromMemory(const std::wstring& desired_file_path, const char* address, size_t size); 21 | uint64_t GetKernelModuleAddress(const std::string& module_name); 22 | BOOLEAN bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask); 23 | uintptr_t FindPattern(uintptr_t dwAddress, uintptr_t dwLen, BYTE* bMask, char* szMask); 24 | PVOID FindSection(char* sectionName, uintptr_t modulePtr, PULONG size); 25 | } 26 | 27 | void DbgPrint(const char* FormatString, ...); -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Compiled Object files 5 | *.slo 6 | *.lo 7 | *.o 8 | *.obj 9 | 10 | # Precompiled Headers 11 | *.gch 12 | *.pch 13 | 14 | # Compiled Dynamic libraries 15 | *.so 16 | *.dylib 17 | *.dll 18 | 19 | # Fortran module files 20 | *.mod 21 | *.smod 22 | 23 | # Compiled Static libraries 24 | *.lai 25 | *.la 26 | *.a 27 | *.lib 28 | 29 | # Executables 30 | *.exe 31 | *.out 32 | *.app 33 | *.vsidx 34 | *.lock 35 | *.suo 36 | *.db-shm 37 | *.db 38 | *.db-wal 39 | *.opendb 40 | *.tlog 41 | *.log 42 | *.recipe 43 | *.pdb 44 | *.cat 45 | *.sys 46 | *.cer 47 | *.ipch 48 | *.pdb 49 | *.tlog 50 | *.log 51 | *.iobj 52 | *.ipdb 53 | *.ilk 54 | *.idb 55 | *.wsuo 56 | *.txt 57 | *.sqlite-journal 58 | /.vs/slnx.sqlite 59 | *.bin 60 | /.vs/SKLib/v17/fileList.bin 61 | /.vs/SKLib/v17/fileList.bin 62 | /.vs/SKLib/v17/fileList.bin 63 | /SKLib/vcpkg_installed 64 | /.vs/SKLib/v17 65 | /vcpkg_installed/x64-windows-static 66 | /.vs 67 | /SKLib-v/vcpkg_installed/x64-windows-static 68 | /x64 69 | /SKLib/x64 70 | /vcpkg_installed/x64-windows 71 | -------------------------------------------------------------------------------- /SKLib-v/include/Vmexit.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef _KERNEL_MODE 4 | #include "cpp.h" 5 | #include "cpu.h" 6 | #include "VMMDef.h" 7 | 8 | typedef union _ONEXIT_DATA { 9 | SVM::SVMState* svm; 10 | PREGS intel; 11 | 12 | _ONEXIT_DATA(SVM::SVMState* pState) : svm(pState) {} 13 | _ONEXIT_DATA(PREGS pRegs) : intel(pRegs) {} 14 | } ONEXIT_DATA, * PONEXIT_DATA; 15 | 16 | typedef bool (*fnVmexitHandler)(ONEXIT_DATA data); 17 | 18 | typedef struct _VMEXIT_DATA { 19 | ULONG64 exitCode; 20 | fnVmexitHandler handler; 21 | 22 | __forceinline bool operator==(_VMEXIT_DATA& rhs) { 23 | return memcmp(this, &rhs, sizeof(rhs)) == 0; 24 | } 25 | __forceinline bool operator!=(_VMEXIT_DATA& rhs) { 26 | return !(*this == rhs); 27 | } 28 | } VMEXIT_DATA, *PVMEXIT_DATA; 29 | 30 | namespace vmexit { 31 | void Init(); 32 | bool OnVmexit(ULONG64 vmexitCode, ONEXIT_DATA data); 33 | 34 | void InsertHandler(ULONG64 vmexitCode, fnVmexitHandler handler); 35 | void RemoveHandler(ULONG64 vmexitCode); 36 | fnVmexitHandler FindHandler(ULONG64 vmexitCode); 37 | } 38 | #endif -------------------------------------------------------------------------------- /SKLib-v/src/ioctrlhook.cpp: -------------------------------------------------------------------------------- 1 | #include "ioctlhook.h" 2 | #include 3 | 4 | random::Random rnd(random::SecurityLevel::PREDICTABLE); 5 | bool spoofer::bLogHooks = false; 6 | 7 | void ChangeIoc(PIO_STACK_LOCATION ioc, PIRP irp, PIO_COMPLETION_ROUTINE routine) { 8 | PIOC_REQUEST request = (PIOC_REQUEST)ExAllocatePool(POOL_TYPE::NonPagedPoolNx, sizeof(IOC_REQUEST)); 9 | if (!request) { 10 | DbgMsg("! failed to allocate IOC_REQUEST !"); 11 | return; 12 | } 13 | 14 | request->Buffer = irp->AssociatedIrp.SystemBuffer; 15 | request->BufferLength = ioc->Parameters.DeviceIoControl.OutputBufferLength; 16 | request->OldContext = ioc->Context; 17 | request->OldRoutine = ioc->CompletionRoutine; 18 | 19 | ioc->Control = SL_INVOKE_ON_SUCCESS; 20 | ioc->Context = request; 21 | ioc->CompletionRoutine = routine; 22 | } 23 | 24 | PWCHAR TrimGUID(PWCHAR guid, DWORD max) { 25 | DWORD i = 0; 26 | PWCHAR start = guid; 27 | 28 | --max; 29 | for (; i < max && *start != L'{'; ++i, ++start); 30 | for (; i < max && guid[i++] != L'}';); 31 | 32 | guid[i] = 0; 33 | return start; 34 | } -------------------------------------------------------------------------------- /SKLib/SKLib.cv: -------------------------------------------------------------------------------- 1 | [SECURE_ENGINE] 2 | SOFTWARE_NAME= 3 | ADVANCED_OPTIONS_NUMBER=0 4 | OPTION_MACROS_MAP_FUNCTIONS_NUMBER=0 5 | OPTION_MACROS_DISABLE_AT_RVA_NUMBER=0 6 | OPTION_VIRTUAL_MACHINE_NUMBER=2 7 | OPTION_VIRTUAL_MACHINE_ID_AT_0=0x84581905 8 | OPTION_VIRTUAL_MACHINE_CPUS_AT_0=1 9 | OPTION_VIRTUAL_MACHINE_ID_AT_1=0x84581901 10 | OPTION_VIRTUAL_MACHINE_CPUS_AT_1=1 11 | OPTION_VIRTUAL_MACHINE_PROTECTION_BOOT_ID=0x84581905 12 | OPTION_VIRTUAL_MACHINE_OLD_VM_MACROS_ID=0x84581905 13 | INPUT_FILE_NAME=C:\Users\sbombolante\source\repos\CheatDriver\x64\ReleaseWithSpoofer\CheatDriver.sys 14 | OUTPUT_FILE_NAME=C:\Users\sbombolante\source\repos\CheatDriver\x64\ReleaseWithSpoofer\CheatDriver_protected.sys 15 | OPTION_PROTECTION_INSERT_IN_NEW_SECTION=true 16 | OPTION_PROTECTION_INSERT_IN_LAST_SECTION=false 17 | OPTION_PROTECTION_INSERT_IN_STEALTH_AREA=false 18 | OPTION_MACROS_ENCRYPT_ANSI_STRINGS=false 19 | OPTION_MACROS_ENCRYPT_UNICODE_STRINGS=false 20 | OPTION_PROTECTION_IS_ENTRYPOINT_OBFUSCATION=false 21 | OPTION_COMPRESSION_COMPRESS_SECUREENGINE=false 22 | OPTION_PROTECTION_STRIP_RELOCS=false 23 | OPTION_PROTECTION_IS_OPTIMIZE_WINDOWS_ARM=false 24 | 25 | -------------------------------------------------------------------------------- /kdmapper_lib/kdmapper.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.30621.155 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "kdmapper", "kdmapper\kdmapper.vcxproj", "{518E0636-BA8F-459D-ACAC-81BD33475E3E}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {518E0636-BA8F-459D-ACAC-81BD33475E3E}.Debug|x64.ActiveCfg = Debug|x64 15 | {518E0636-BA8F-459D-ACAC-81BD33475E3E}.Debug|x64.Build.0 = Debug|x64 16 | {518E0636-BA8F-459D-ACAC-81BD33475E3E}.Release|x64.ActiveCfg = Release|x64 17 | {518E0636-BA8F-459D-ACAC-81BD33475E3E}.Release|x64.Build.0 = Release|x64 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {83D5D338-2A6D-49D5-B1DF-BDD34FB5CC9F} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /SKLib-v/include/VMCSCheck.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #pragma warning (disable:4005) 4 | #pragma warning (disable:4267) 5 | 6 | #ifdef _KERNEL_MODE 7 | #include 8 | #include 9 | #endif 10 | 11 | #include 12 | 13 | #include "ia32.h" 14 | #include "macros.h" 15 | 16 | // 17 | // The result type of Microsoft VMX-intrinsic functions. 18 | // 19 | typedef enum _VMX_RESULT 20 | { 21 | VmxResultOk = 0, //!< Operation succeeded 22 | VmxResultErrorWithStatus = 1, //!< Operation failed with extended status available 23 | VmxResultErrorWithoutStatus = 2, //!< Operation failed without status available 24 | } VMX_RESULT; 25 | 26 | typedef enum _SEGMENT_TYPE 27 | { 28 | SegmentCs, 29 | SegmentSs, 30 | SegmentDs, 31 | SegmentEs, 32 | SegmentFs, 33 | SegmentGs, 34 | } SEGMENT_TYPE; 35 | 36 | #define MAX_UINT16 0xffff 37 | 38 | #define ASSERT(x) if(!(x)){DbgMsg("[VMCS] ASSERT FAILURE: (%s) at %s:%i\n", #x, __FILE__, __LINE__);} 39 | #define IS_FLAG_SET(F, SF) ((BOOLEAN)(((F) & (SF)) != 0)) 40 | 41 | #ifdef _KERNEL_MODE 42 | 43 | namespace Checks { 44 | void CheckGuestVmcsFieldsForVmEntry(); 45 | } 46 | 47 | #endif -------------------------------------------------------------------------------- /SKLib-v/include/eac.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "cpp.h" 4 | #include "winternlex.h" 5 | #include "MapEx.h" 6 | #include "paging.h" 7 | 8 | namespace eac { 9 | typedef struct _CR3_TRACKING { 10 | union { 11 | PVOID pImageBase; 12 | DWORD64 dwNmiQueue[64]; 13 | }; 14 | DWORD64* pCr3; 15 | DWORD64 srcCr3; 16 | 17 | _CR3_TRACKING() { 18 | memset(this, 0, sizeof(*this)); 19 | }; 20 | _CR3_TRACKING(PVOID _pImageBase, DWORD64* _pCr3, DWORD64 _srcCr3) { 21 | memset(this, 0, sizeof(*this)); 22 | pImageBase = _pImageBase; 23 | pCr3 = _pCr3; 24 | srcCr3 = _srcCr3; 25 | }; 26 | 27 | __forceinline bool operator==(_CR3_TRACKING& rhs) { 28 | return !memcmp(&rhs, this, sizeof(rhs)); 29 | } 30 | __forceinline bool operator!=(_CR3_TRACKING& rhs) { 31 | return !(*this == rhs); 32 | } 33 | } CR3_TRACKING; 34 | 35 | void Init(); 36 | 37 | void UpdateCr3(CR3 cr3); 38 | void TrackCr3(DWORD64* pCr3, PVOID pAddressToCheck, DWORD64 srcCr3); 39 | void UntrackCr3(DWORD64* pCr3); 40 | 41 | void BlockNmi(CR3 cr3); 42 | void UnblockNmi(CR3 cr3); 43 | bool IsNmiBlocked(CR3 cr3); 44 | int GetAndDecreaseNmiCount(CR3 cr3); 45 | void IncreaseNmiCount(CR3 cr3); 46 | } -------------------------------------------------------------------------------- /SKLib-v/include/volumespoof.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "ioctlhook.h" 4 | 5 | #define MOUNTMGRCONTROLTYPE ((ULONG) 'm') 6 | #define MOUNTDEVCONTROLTYPE ((ULONG) 'M') 7 | 8 | #define IOCTL_MOUNTDEV_QUERY_UNIQUE_ID CTL_CODE(MOUNTDEVCONTROLTYPE, 0, METHOD_BUFFERED, FILE_ANY_ACCESS) 9 | #define IOCTL_MOUNTMGR_QUERY_POINTS \ 10 | CTL_CODE(MOUNTMGRCONTROLTYPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS) 11 | 12 | typedef struct _MOUNTDEV_UNIQUE_ID { 13 | USHORT UniqueIdLength; 14 | UCHAR UniqueId[1]; 15 | } MOUNTDEV_UNIQUE_ID, * PMOUNTDEV_UNIQUE_ID; 16 | 17 | typedef struct _MOUNTMGR_MOUNT_POINT { 18 | ULONG SymbolicLinkNameOffset; 19 | USHORT SymbolicLinkNameLength; 20 | USHORT Reserved1; 21 | ULONG UniqueIdOffset; 22 | USHORT UniqueIdLength; 23 | USHORT Reserved2; 24 | ULONG DeviceNameOffset; 25 | USHORT DeviceNameLength; 26 | USHORT Reserved3; 27 | } MOUNTMGR_MOUNT_POINT, * PMOUNTMGR_MOUNT_POINT; 28 | 29 | typedef struct _MOUNTMGR_MOUNT_POINTS { 30 | ULONG Size; 31 | ULONG NumberOfMountPoints; 32 | MOUNTMGR_MOUNT_POINT MountPoints[1]; 33 | } MOUNTMGR_MOUNT_POINTS, * PMOUNTMGR_MOUNT_POINTS; 34 | 35 | namespace volumes { 36 | bool Spoof(DWORD64 seed = TEST_SEED); 37 | } -------------------------------------------------------------------------------- /SKLib/src/defender.cpp: -------------------------------------------------------------------------------- 1 | #include "defender.h" 2 | 3 | bool defender::CleanFilterList(string driverName) 4 | { 5 | PVOID wdfilterBase = Memory::GetKernelAddress((PCHAR)"WdFilter.sys"); 6 | if (!wdfilterBase) { 7 | DbgMsg("[DEFENDER] Failed finding wdfilter!"); 8 | return false; 9 | } 10 | ULONG64 gTableOffset = (ULONG64)Memory::FindPatternImage(wdfilterBase, (PCHAR)"\x48\x8B\x0D\x00\x00\x00\x00\xFF\x05", (PCHAR)"xxx????xx"); 11 | if (!gTableOffset) { 12 | DbgMsg("[DEFENDER] Failed finding gTable offset!"); 13 | return false; 14 | } 15 | ULONG64 gTable = gTableOffset + 7 + *(PINT)(gTableOffset + 3); 16 | LIST_ENTRY* gTableHead = (LIST_ENTRY*)(gTable - 0x8); 17 | 18 | for (LIST_ENTRY* entry = gTableHead->Flink; 19 | entry != gTableHead; 20 | entry = entry->Flink) { 21 | UNICODE_STRING* pImageName = (UNICODE_STRING*)((ULONG64)entry + 0x10); 22 | 23 | string imageName(pImageName); 24 | if (wcsstr(imageName.w_str(), driverName.w_str())) { 25 | DbgMsg("[DEFENDER] Found entry %wZ, unlinking...", *pImageName); 26 | 27 | LIST_ENTRY* pNext = entry->Flink; 28 | LIST_ENTRY* pPrev = entry->Blink; 29 | 30 | entry->Blink->Flink = pNext; 31 | entry->Flink->Blink = pPrev; 32 | } 33 | } 34 | 35 | DbgMsg("[DEFENDER] Finished iterating wdfilter list for %ws", driverName.w_str()); 36 | return true; 37 | } 38 | -------------------------------------------------------------------------------- /SKLib/include/collector.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "ListEx.h" 4 | #include "MemoryEx.h" 5 | 6 | #ifdef _KERNEL_MODE 7 | 8 | struct MemoryAddress { 9 | cpp::MemoryType type; 10 | PVOID pMemory; 11 | size_t szMemory; // If 0 it means the size is not important for this type of memory 12 | PMDL pMdl; // If 0 no MDL is associated with the memory type 13 | 14 | bool operator==(MemoryAddress& mAddress) { 15 | return this->pMemory == mAddress.pMemory; 16 | } 17 | bool operator==(PVOID pMem) { 18 | return this->pMemory == pMem; 19 | } 20 | bool operator!=(MemoryAddress& mAddress) { 21 | return !(mAddress== this->pMemory); 22 | } 23 | bool operator!=(PVOID pMem) { 24 | return !(this == pMem); 25 | } 26 | }; 27 | 28 | //Implements shit for disposing of unused memory 29 | struct Collector { 30 | private: 31 | static list* myGarbage; 32 | public: 33 | static void Init(); 34 | static void Add(void* p, cpp::MemoryType type, size_t sz = 0, PMDL pMdl = 0); 35 | static void Remove(void* p); 36 | static void Remove(MemoryAddress& pMem); 37 | static void Clean(); 38 | static void Clean(void* pMemory); 39 | static void FreeMemory(MemoryAddress& memAddr); 40 | static void Dispose(); 41 | static MemoryAddress GetMemoryInfo(void* pMemory); 42 | static void Lock(); 43 | static void Unlock(); 44 | }; 45 | #endif -------------------------------------------------------------------------------- /SKLib/include/sharedpool.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #pragma warning (disable:4244) 4 | 5 | #include "cpp.h" 6 | #include "ListEx.h" 7 | #include "RandEx.h" 8 | #include "StringEx.h" 9 | #include "acl.h" 10 | 11 | #define INVALID_POOL_HANDLE ~0ul; 12 | 13 | typedef DWORD64 POOL_HANDLE; 14 | typedef POOL_HANDLE* PPOOL_HANDLE; 15 | 16 | typedef struct _SHARED_POOL { 17 | size_t baseAddr; 18 | size_t size; 19 | 20 | bool bMapped; 21 | 22 | bool operator==(_SHARED_POOL rhs); 23 | bool operator!=(_SHARED_POOL rhs); 24 | } SHARED_POOL, *PSHARED_POOL; 25 | 26 | enum POOL_REQUEST { 27 | REQUEST_NONE, 28 | REQUEST_VTX_START, 29 | REQUEST_VTX_STOP, 30 | REQUEST_DRIVER_STOP 31 | }; 32 | 33 | enum POOL_RESULT { 34 | RESULT_AWAIT, 35 | RESULT_OK, 36 | RESULT_ERROR 37 | }; 38 | 39 | typedef struct _COMMUNICATION_POOL { 40 | Spinlock lock; 41 | POOL_REQUEST request; 42 | POOL_RESULT result; 43 | PVOID pParam; 44 | size_t szParam; 45 | } COMMUNICATION_POOL, * PCOMMUNICATION_POOL; 46 | 47 | #ifdef _KERNEL_MODE 48 | 49 | namespace sharedpool { 50 | extern list* vPools; 51 | extern bool bInit; 52 | 53 | bool Init(); 54 | bool Dispose(); 55 | 56 | PVOID Create(size_t size, OUT PPOOL_HANDLE pHandle = nullptr); 57 | void Delete(POOL_HANDLE poolHandle); 58 | 59 | PVOID MapUserData(PVOID pUsermodeBuffer, DWORD32 procId); 60 | 61 | PVOID PoolBase(POOL_HANDLE hPool); 62 | } 63 | 64 | #endif -------------------------------------------------------------------------------- /SKLib-v/src/spoof.cpp: -------------------------------------------------------------------------------- 1 | #include "spoof.h" 2 | 3 | DWORD64 spoofer::seed = 0; 4 | 5 | NTSTATUS spoofer::SpoofAll(DWORD64 _seed) 6 | { 7 | bool bSuccessful = true; 8 | spoofer::seed = _seed; 9 | bSuccessful &= volumes::Spoof(_seed); 10 | if (!bSuccessful) { 11 | DbgMsg("[SPOOFER] Failed volumes"); 12 | return STATUS_FAILED_VOLUME_SPOOF; 13 | } 14 | bSuccessful &= disks::Spoof(_seed); 15 | if (!bSuccessful) { 16 | DbgMsg("[SPOOFER] Failed disk"); 17 | return STATUS_FAILED_DISKS_SPOOF; 18 | } 19 | bSuccessful &= nics::Spoof(_seed); 20 | if (!bSuccessful) { 21 | DbgMsg("[SPOOFER] Failed nics"); 22 | return STATUS_FAILED_NICS_SPOOF; 23 | } 24 | bSuccessful &= wmi::SpoofMonitor(_seed); 25 | if (!bSuccessful) { 26 | DbgMsg("[SPOOFER] Failed monitors"); 27 | return STATUS_FAILED_MONITOR_SPOOF; 28 | } 29 | bSuccessful &= usb::Spoof(_seed); 30 | if (!bSuccessful) { 31 | DbgMsg("[SPOOFER] Failed usb"); 32 | return STATUS_FAILED_USB_SPOOF; 33 | } 34 | bSuccessful &= smbios::Spoof(_seed); 35 | if (!bSuccessful) { 36 | DbgMsg("[SPOOFER] Failed smbios"); 37 | return STATUS_FAILED_SMBIOS_SPOOF; 38 | } 39 | bSuccessful &= efi::Spoof(_seed); 40 | if (!bSuccessful) { 41 | DbgMsg("[SPOOFER] Failed efi"); 42 | return STATUS_FAILED_EFI_SPOOF; 43 | } 44 | bSuccessful &= gpu::Spoof(_seed); 45 | if (!bSuccessful) { 46 | DbgMsg("[SPOOFER] Failed gpu"); 47 | return STATUS_FAILED_GPU_SPOOF; 48 | } 49 | return STATUS_SUCCESS; 50 | } 51 | -------------------------------------------------------------------------------- /SKLib/src/file.cpp: -------------------------------------------------------------------------------- 1 | #include "file.h" 2 | 3 | file::fstream::fstream(string&& path) 4 | { 5 | hFile = (HANDLE)~0ull; 6 | 7 | IO_STATUS_BLOCK IoStatusBlock; 8 | 9 | InitializeObjectAttributes(&ObjectAttributes, &path.unicode(), OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); 10 | 11 | NTSTATUS ntStatus = ZwCreateFile(&hFile, GENERIC_ALL, &ObjectAttributes, 12 | &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF, 13 | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); 14 | 15 | if (!NT_SUCCESS(ntStatus)) 16 | { 17 | DbgMsg("[FSTREAM]: Creating file error: 0x%x", ntStatus); 18 | } 19 | } 20 | 21 | file::fstream::fstream(string& path) 22 | { 23 | hFile = (HANDLE)~0ull; 24 | 25 | IO_STATUS_BLOCK IoStatusBlock; 26 | 27 | InitializeObjectAttributes(&ObjectAttributes, &path.unicode(), OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); 28 | 29 | NTSTATUS ntStatus = ZwCreateFile(&hFile, GENERIC_ALL, &ObjectAttributes, 30 | &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF, 31 | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); 32 | 33 | if (!NT_SUCCESS(ntStatus)) 34 | { 35 | DbgMsg("[FSTREAM]: Creating file error: 0x%x", ntStatus); 36 | } 37 | } 38 | 39 | file::fstream::~fstream() 40 | { 41 | if ((HANDLE)~0ull == hFile) 42 | return; 43 | 44 | ZwClose(hFile); 45 | } 46 | 47 | HANDLE file::fstream::Handle() 48 | { 49 | return hFile; 50 | } 51 | -------------------------------------------------------------------------------- /SKLib/src/disassembler.cpp: -------------------------------------------------------------------------------- 1 | #include "disassembler.h" 2 | 3 | size_t disassembler::GetInstrBoundaryLen(PVOID pBase, size_t targetLen) 4 | { 5 | ZyanUSize instrLen = 0; 6 | 7 | /* Determine the number of instructions necessary to overwrite using Length Disassembler Engine */ 8 | // Initialize decoder context 9 | ZydisDecoder* pDecoder = (ZydisDecoder*)cpp::kMalloc(sizeof(*pDecoder), PAGE_READWRITE); 10 | ZyanStatus status = ZydisDecoderInit(pDecoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_ADDRESS_WIDTH_64); 11 | if (!ZYAN_SUCCESS(status)) { 12 | DbgMsg("[ZYDIS] Failed creating decoder: 0x%x", status); 13 | } 14 | // Loop over the instructions in our buffer. 15 | // The runtime-address (instruction pointer) is chosen arbitrary here in order to better 16 | // visualize relative addressing 17 | ZyanU8* data = (ZyanU8*)pBase; 18 | const ZyanUSize length = PAGE_SIZE; 19 | ZydisDecodedInstruction* instruction = (ZydisDecodedInstruction*)cpp::kMalloc(sizeof(*instruction), PAGE_READWRITE); 20 | while (ZYAN_SUCCESS(ZydisDecoderDecodeBuffer(pDecoder, data + instrLen, length - instrLen, 21 | instruction))) 22 | { 23 | if (instruction->opcode == 0xe8 //Call near 24 | || instruction->opcode == 0xeb //Jmp near 25 | ) 26 | break; 27 | instrLen += instruction->length; 28 | if (instrLen >= targetLen) 29 | break; 30 | } 31 | cpp::kFree(instruction); 32 | cpp::kFree(pDecoder); 33 | 34 | return instrLen; 35 | } 36 | -------------------------------------------------------------------------------- /phymeme_lib/phymeme_lib.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.6.33717.318 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "physmeme_lib", "physmeme_lib.vcxproj", "{13FFA531-AD46-46F8-B52D-4A01BA078034}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {13FFA531-AD46-46F8-B52D-4A01BA078034}.Debug|x64.ActiveCfg = Debug|x64 17 | {13FFA531-AD46-46F8-B52D-4A01BA078034}.Debug|x64.Build.0 = Debug|x64 18 | {13FFA531-AD46-46F8-B52D-4A01BA078034}.Debug|x86.ActiveCfg = Debug|Win32 19 | {13FFA531-AD46-46F8-B52D-4A01BA078034}.Debug|x86.Build.0 = Debug|Win32 20 | {13FFA531-AD46-46F8-B52D-4A01BA078034}.Release|x64.ActiveCfg = Release|x64 21 | {13FFA531-AD46-46F8-B52D-4A01BA078034}.Release|x64.Build.0 = Release|x64 22 | {13FFA531-AD46-46F8-B52D-4A01BA078034}.Release|x86.ActiveCfg = Release|Win32 23 | {13FFA531-AD46-46F8-B52D-4A01BA078034}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {16EC3E3F-C0C9-4B9F-87F9-E7BEFCDC1A43} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /SKLib/include/exception.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "std.h" 4 | 5 | //Standard exception for SKLib 6 | #define STATUS_ACCESS_VIOLATION ((NTSTATUS)0xC0000005L) 7 | #define STD_EXCEPTION STATUS_ACCESS_VIOLATION 8 | 9 | #ifndef _KDMAPPED 10 | #define throw_std() cpp::exception::Throw() 11 | #define STD_TRY_SECTION_START __try { 12 | #define STD_CATCH } __except (cpp::exception::HandleStdEx(GetExceptionInformation())) { 13 | #define STD_FINALLY } __finally { 14 | #define STD_TRY_SECTION_END } 15 | #else 16 | #define throw_std() 17 | #define STD_TRY_SECTION_START { 18 | #define STD_CATCH } if(0) { 19 | #define STD_FINALLY }{ 20 | #define STD_TRY_SECTION_END } 21 | #endif 22 | 23 | #define throw_std_force() cpp::exception::Throw() 24 | 25 | #ifdef _KERNEL_MODE 26 | namespace cpp { 27 | namespace exception { 28 | enum EX_CTL : ULONG64 { 29 | EXECUTE_HANDLER = 1, 30 | CONTINUE_SEARCH = 0, 31 | CONTINUE_EXECUTION = -1 32 | }; 33 | 34 | void Throw(); 35 | EX_CTL HandleStdEx(PEXCEPTION_POINTERS pEx); 36 | } 37 | 38 | __forceinline BOOLEAN IsInRange(PVOID va, PVOID center, size_t radius) { 39 | size_t upperBound = (size_t)center + radius; 40 | size_t lowerBound = (size_t)center - radius; 41 | 42 | return ((size_t)va < upperBound) && ((size_t)va > lowerBound); 43 | } 44 | __forceinline BOOLEAN IsInRange(PVOID va, DWORD64 start, DWORD64 end) { 45 | return ((size_t)va >= start) && ((size_t)va <= end); 46 | } 47 | __forceinline BOOLEAN IsKernelAddress(PVOID va) { 48 | return (size_t)va >> (62); 49 | } 50 | } 51 | #endif -------------------------------------------------------------------------------- /SKLib-v/include/ioctlhook.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "cpp.h" 4 | #include "Setup.hpp" 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | #define TEST_SEED 0xb5ff6677 11 | #define SERIAL_MAX_LENGTH 20 12 | 13 | #pragma warning (disable:4305) 14 | #pragma warning (disable:4309) 15 | 16 | enum HookedDriver : UCHAR { 17 | DriverUSB, 18 | DriverDisk, 19 | DriverNIC, 20 | DriverTCP, 21 | DriverNSI, 22 | DriverWMI, 23 | DriverPartmgr, 24 | DriverVolume, 25 | DriverScsi, 26 | DriverNvme, 27 | DriverDump 28 | }; 29 | 30 | #ifdef _KERNEL_MODE 31 | 32 | typedef struct _IOC_REQUEST { 33 | PVOID Buffer; 34 | ULONG BufferLength; 35 | PVOID OldContext; 36 | PIO_COMPLETION_ROUTINE OldRoutine; 37 | } IOC_REQUEST, * PIOC_REQUEST; 38 | 39 | extern random::Random rnd; 40 | 41 | VOID ChangeIoc(PIO_STACK_LOCATION ioc, PIRP irp, PIO_COMPLETION_ROUTINE routine); 42 | PWCHAR TrimGUID(PWCHAR guid, DWORD max); 43 | 44 | namespace spoofer { 45 | extern bool bLogHooks; 46 | extern DWORD64 seed; 47 | 48 | bool LogDetections(); 49 | } 50 | 51 | __forceinline VOID LogCaller(PIRP pIrp, HookedDriver driverCode) 52 | { 53 | } 54 | 55 | extern vector* vDiskModels; 56 | 57 | struct NVME_IDENTIFY_DEVICE 58 | { 59 | CHAR Reserved1[4]; 60 | CHAR SerialNumber[20]; 61 | CHAR Model[40]; 62 | CHAR FirmwareRev[8]; 63 | CHAR Reserved2[9]; 64 | CHAR MinorVersion; 65 | SHORT MajorVersion; 66 | CHAR Reserved3[428]; 67 | CHAR Reserved4[3584]; 68 | }; 69 | 70 | #endif -------------------------------------------------------------------------------- /Pdbparser/Pdbparser.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | -------------------------------------------------------------------------------- /SKLib/include/cpp.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #pragma warning (disable: 4100 4996) 4 | 5 | #ifdef _KERNEL_MODE 6 | #ifndef _WDMDDK_ 7 | #include 8 | #endif 9 | 10 | #include "VirtualizerSDKMacros.h" 11 | #endif 12 | 13 | #include "macros.h" 14 | #include "std.h" 15 | #include "exception.h" 16 | 17 | #define forEach(iterator, collection) for(auto iterator = collection.begin(); iterator != collection.end(); ++iterator) 18 | 19 | #ifdef _KERNEL_MODE 20 | 21 | // Integer 2MB 22 | #define SIZE_2_MB ((SIZE_T)(512 * PAGE_SIZE)) 23 | // Integer 1GB 24 | #define SIZE_1_GB ((SIZE_T)(512 * SIZE_2_MB)) 25 | 26 | void* operator new(size_t /* ignored */, void* where); 27 | 28 | namespace cpp { 29 | enum MemoryType { 30 | NonPaged, 31 | NonCached, 32 | Continuous, 33 | Pooled 34 | }; 35 | 36 | void* uMalloc(size_t size, ULONG protect = PAGE_READWRITE); 37 | void* kMallocTryAll(size_t size); 38 | void* kMallocTryAllZero(size_t size); 39 | void* kMalloc(size_t size, ULONG protect = PAGE_READWRITE); 40 | void* kMallocZero(size_t size, ULONG protect = PAGE_READWRITE); 41 | void* kMallocPool(size_t size); 42 | void* kMallocContinuous(size_t size); 43 | void* kMallocContinuousZero(size_t size); 44 | void* kMallocNonCached(size_t size); 45 | void* kMallocAligned(size_t size, size_t alignment, ULONG protection = PAGE_READWRITE); 46 | void* kMap(size_t pa, size_t size, ULONG protection = PAGE_READWRITE); 47 | void kFree(void* pObj); 48 | 49 | bool kProtect(void* pObj, ULONG protect); 50 | bool kProtect(void* pObj, SIZE_T sz, ULONG protect); 51 | } 52 | #endif -------------------------------------------------------------------------------- /SKLib-v/src/Vmoperations.cpp: -------------------------------------------------------------------------------- 1 | #include "Vmoperations.h" 2 | 3 | bool bVmOperationsInit = false; 4 | vector* vVmOperations = nullptr; 5 | 6 | void vmoperations::Init() 7 | { 8 | if (bVmOperationsInit) 9 | return; 10 | 11 | if (!vVmOperations) { 12 | vVmOperations = (vector*)cpp::kMalloc(sizeof(*vVmOperations), PAGE_READWRITE); 13 | RtlZeroMemory(vVmOperations, sizeof(*vVmOperations)); 14 | vVmOperations->Init(); 15 | vVmOperations->reserve(64); 16 | vVmOperations->DisableLock(); 17 | } 18 | 19 | bVmOperationsInit = true; 20 | } 21 | 22 | void vmoperations::ExecuteOperations(ONEXIT_DATA data) 23 | { 24 | if (!bVmOperationsInit) 25 | return; 26 | 27 | ULONG dwCore = CPU::GetCPUIndex(true); 28 | int operationIdx = 0; 29 | for (auto& operation : *vVmOperations) { 30 | if (!bitmap::GetBit(&operation.executionBitmap, dwCore)) 31 | continue; 32 | 33 | operation.operation(data); 34 | bitmap::SetBit(&operation.executedBitmap, dwCore, true); 35 | 36 | size_t executedCores = 0; 37 | for (int i = 0; i < sizeof(bitmap::LARGE_BITMAP) * 8; i++) { 38 | if (bitmap::GetBit(&operation.executedBitmap, i)) 39 | executedCores++; 40 | } 41 | if (executedCores == CPU::GetCPUCount()) { 42 | vVmOperations->RemoveAt(operationIdx); 43 | break; 44 | } 45 | 46 | operationIdx++; 47 | } 48 | } 49 | 50 | void vmoperations::InsertOperation(bitmap::LARGE_BITMAP executionBitmap, fnVmOperation operation) 51 | { 52 | if (!bVmOperationsInit) 53 | return; 54 | 55 | OPERATION_DATA data = { 0 }; 56 | data.executionBitmap = executionBitmap; 57 | data.operation = operation; 58 | vVmOperations->Append(data); 59 | } 60 | -------------------------------------------------------------------------------- /kdmapper_lib/kdmapper/include/kdmapper.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "portable_executable.hpp" 10 | #include "utils.hpp" 11 | #include "nt.hpp" 12 | #include "intel_driver.hpp" 13 | 14 | #define PAGE_SIZE 0x1000 15 | #define PAGE_2MB_SIZE PAGE_SIZE * 512 16 | #define PAGE_2MB_SHIFT 22ull 17 | #define PAGE_ALIGN_2MB(_VAR_) (((DWORD64)_VAR_) & 0xFFFFFFFFFFE00000ULL) 18 | #define ADDRMASK_EPT_PML2_OFFSET(_VAR_) (((DWORD64)_VAR_) & 0x1FFFFFULL) 19 | 20 | namespace kdmapper 21 | { 22 | typedef bool (*mapCallback)(ULONG64* param1, ULONG64* param2, ULONG64 allocationPtr, ULONG64 allocationSize, ULONG64 mdlptr); 23 | 24 | bool Init(); 25 | void Dispose(); 26 | 27 | HANDLE IntelHandle(); 28 | //Note: if you set PassAllocationAddressAsFirstParam as true, param1 will be ignored 29 | uint64_t MapDriver(std::wstring driverName, ULONG64 param1 = 0, ULONG64 param2 = 0, intel_driver::ALLOCATION_TYPE allocType = intel_driver::ALLOCATION_TYPE::LargeContinuous, bool free = false, bool destroyHeader = true, bool PassAllocationAddressAsFirstParam = false, bool PassTextSizeAsSecondParam = true, mapCallback callback = nullptr, NTSTATUS* exitCode = nullptr); 30 | uint64_t MapDriver(BYTE* data, ULONG64 param1 = 0, ULONG64 param2 = 0, intel_driver::ALLOCATION_TYPE allocType = intel_driver::ALLOCATION_TYPE::LargeContinuous, bool free = false, bool destroyHeader = true, bool PassAllocationAddressAsFirstParam = false, bool PassTextSizeAsSecondParam = true, mapCallback callback = nullptr, NTSTATUS* exitCode = nullptr); 31 | 32 | uint64_t AllocMdlMemory(uint64_t size, uint64_t* mdlPtr); 33 | } -------------------------------------------------------------------------------- /Pdbparser/EzPdb.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define _CRT_SECURE_NO_WARNINGS 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | #include "md5.h" 14 | #pragma comment(lib, "DbgHelp.lib") 15 | #pragma comment(lib, "Urlmon.lib") 16 | 17 | 18 | //Thanks mambda 19 | //https://bitbucket.org/mambda/pdb-parser/src/master/ 20 | struct PDBHeader7 21 | { 22 | char signature[0x20]; 23 | int page_size; 24 | int allocation_table_pointer; 25 | int file_page_count; 26 | int root_stream_size; 27 | int reserved; 28 | int root_stream_page_number_list_number; 29 | }; 30 | 31 | struct RootStream7 32 | { 33 | int num_streams; 34 | int stream_sizes[1]; //num_streams 35 | }; 36 | 37 | struct GUID_StreamData 38 | { 39 | int ver; 40 | int date; 41 | int age; 42 | GUID guid; 43 | }; 44 | 45 | struct PdbInfo 46 | { 47 | DWORD Signature; 48 | GUID Guid; 49 | DWORD Age; 50 | char PdbFileName[1]; 51 | }; 52 | 53 | #define EZ_PDB_BASE_OF_DLL (DWORD64)0x10000000 54 | 55 | typedef struct _EZPDB 56 | { 57 | HANDLE hProcess; 58 | HANDLE hPdbFile; 59 | }EZPDB, * PEZPDB; 60 | 61 | 62 | 63 | std::string EzPdbDownload( 64 | IN std::string pePath, 65 | IN OPTIONAL std::string pdbDownloadPath = "", 66 | IN OPTIONAL std::string symbolServer = "https://msdl.microsoft.com/download/symbols/"); 67 | 68 | bool EzPdbLoad(IN std::string pdbPath, OUT PEZPDB Pdb); 69 | 70 | ULONG EzPdbGetRva(IN PEZPDB Pdb, IN std::string SymName); 71 | 72 | ULONG EzPdbGetStructPropertyOffset(IN PEZPDB Pdb, IN std::string StructName, IN std::wstring PropertyName); 73 | 74 | ULONG EzPdbGetStructSize(IN PEZPDB Pdb, IN std::string StructName); 75 | 76 | VOID EzPdbUnload(IN PEZPDB Pdb); 77 | 78 | -------------------------------------------------------------------------------- /SKLib/src/threading.cpp: -------------------------------------------------------------------------------- 1 | #include "threading.h" 2 | 3 | int activeThreads = 0; 4 | 5 | threading::Thread::~Thread() 6 | { 7 | DbgMsg("[THREAD] Disposing of thread object: h = %p", hThread); 8 | ZwClose(hThread); 9 | ObDereferenceObjectDeferDelete(pThreadObj); 10 | hThread = NULL; 11 | pThreadObj = NULL; 12 | } 13 | 14 | VOID threading::Thread::Join() 15 | { 16 | DbgMsg("[THREAD] Joining thread: %p", hThread); 17 | NTSTATUS ntStatus = KeWaitForSingleObject( 18 | pThreadObj, 19 | Executive, 20 | KernelMode, 21 | FALSE, 22 | NULL 23 | ); 24 | 25 | if (!NT_SUCCESS(ntStatus)) { 26 | DbgMsg("[THREAD] Join failed with code: %x", ntStatus); 27 | } 28 | } 29 | 30 | BOOLEAN threading::Thread::IsRunning() 31 | { 32 | return bRunning; 33 | } 34 | 35 | HANDLE threading::Thread::Handle() 36 | { 37 | return hThread; 38 | } 39 | 40 | PVOID threading::Thread::TObject() 41 | { 42 | return pThreadObj; 43 | } 44 | 45 | void threading::Thread::ThreadStartWrapper(ThreadStartContext* pStartContext) 46 | { 47 | Thread* pThread = pStartContext->pThread; 48 | if (MmIsAddressValid(pThread)) 49 | pThread->bRunning = true; 50 | activeThreads++; 51 | 52 | pStartContext->pFn(pStartContext->pContext); 53 | 54 | if (MmIsAddressValid(pThread)) 55 | pThread->bRunning = false; 56 | activeThreads--; 57 | 58 | ExFreePool(pStartContext); 59 | 60 | PsTerminateSystemThread(0); 61 | } 62 | 63 | void threading::Sleep(int ms) 64 | { 65 | //Negative values represent a relative interval 66 | LARGE_INTEGER lInt; 67 | int wait = ms >= 0 ? ms : MAXINT32; 68 | lInt.QuadPart = -10000 * (size_t)wait; 69 | do { 70 | KeDelayExecutionThread(KernelMode, FALSE, &lInt); 71 | } while (ms == SLEEP_FOREVER); 72 | } 73 | 74 | bool threading::AreThreadsRunning() 75 | { 76 | return activeThreads > 0; 77 | } 78 | -------------------------------------------------------------------------------- /SKLib/include/eventlogger.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef _KERNEL_MODE 4 | #include 5 | 6 | #include "macros.h" 7 | 8 | class EventLogger 9 | { 10 | public: 11 | PDRIVER_OBJECT pDriverObj; 12 | 13 | EventLogger() : pDriverObj(nullptr) { 14 | }; 15 | 16 | void LogEvent(NTSTATUS ntStatus, const WCHAR* pStr, ...) 17 | { 18 | if (!pDriverObj) { 19 | DbgMsg("[EVENTS] Error: Device object is not set, cannot log"); 20 | return; 21 | } 22 | size_t entry_size; 23 | size_t string1_len = 0; 24 | if (pStr) 25 | string1_len = (wcslen(pStr) + 1) * sizeof(WCHAR); 26 | entry_size = sizeof(IO_ERROR_LOG_PACKET) + string1_len; 27 | if (entry_size <= ERROR_LOG_MAXIMUM_SIZE) { 28 | IO_ERROR_LOG_PACKET* entry = 29 | (IO_ERROR_LOG_PACKET*)IoAllocateErrorLogEntry( 30 | pDriverObj, (UCHAR)entry_size); 31 | if (entry) { 32 | UCHAR* strings; 33 | entry->RetryCount = 0; 34 | entry->DumpDataSize = 0; 35 | entry->NumberOfStrings = 0; 36 | strings = ((UCHAR*)entry) + sizeof(IO_ERROR_LOG_PACKET); 37 | if (string1_len > 0) { 38 | ++entry->NumberOfStrings; 39 | memcpy(strings, pStr, string1_len); 40 | strings += string1_len; 41 | } 42 | entry->StringOffset = sizeof(IO_ERROR_LOG_PACKET); 43 | entry->ErrorCode = ntStatus; 44 | entry->FinalStatus = STATUS_SUCCESS; 45 | IoWriteErrorLogEntry(entry); 46 | } 47 | else { 48 | DbgMsg("[EVENTS] Error: failed to allocate error log entry"); 49 | } 50 | } 51 | } 52 | }; 53 | #endif 54 | -------------------------------------------------------------------------------- /kdmapper_lib/kdmapper/kdmapper.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | src 6 | 7 | 8 | src 9 | 10 | 11 | src 12 | 13 | 14 | src 15 | 16 | 17 | src 18 | 19 | 20 | 21 | 22 | headers 23 | 24 | 25 | headers 26 | 27 | 28 | headers 29 | 30 | 31 | headers 32 | 33 | 34 | headers 35 | 36 | 37 | headers 38 | 39 | 40 | headers 41 | 42 | 43 | 44 | 45 | {04838667-84a9-40d4-9d3f-e7d7dca49ad2} 46 | 47 | 48 | {5005f6fd-fa6b-40d2-a3e3-522b2fc74dab} 49 | 50 | 51 | -------------------------------------------------------------------------------- /SKLib/include/StringArray.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "cpp.h" 3 | 4 | template 5 | class StringArray { 6 | private: 7 | T* _array; 8 | int _length; 9 | int _sz; 10 | 11 | int strlen(const T* pString) { 12 | int i = 0; 13 | while (pString[i] != 0) { 14 | i++; 15 | } 16 | return i; 17 | } 18 | void strcpy(T* dst, T* src) { 19 | int i = 0; 20 | while (src[i] != 0) { 21 | dst[i] = src[i]; 22 | i++; 23 | } 24 | dst[i] = 0; 25 | } 26 | public: 27 | #ifdef _KERNEL_MODE 28 | void Init(const T* pString) { 29 | _length = this->strlen(pString) + 1; 30 | _array = (T*)cpp::kMalloc(_length + 2); 31 | this->strcpy((T*)_array, (T*)pString); 32 | _array[_length] = 0; 33 | _sz = 1; 34 | } 35 | void Dispose() { 36 | cpp::kFree(_array); 37 | } 38 | 39 | StringArray() { 40 | T t[2] = { 0 }; 41 | t[0] = ' '; 42 | Init(t); 43 | } 44 | StringArray(const T* pString) { 45 | Init(pString); 46 | } 47 | ~StringArray() { 48 | Dispose(); 49 | } 50 | 51 | T* Append(T* pString) { 52 | if (!_array) { 53 | Init(pString); 54 | return &_array[0]; 55 | } 56 | int len = this->strlen(pString); 57 | T* pNewArray = (T*)cpp::kMalloc(_length + len + 3); 58 | 59 | RtlCopyMemory(pNewArray, _array, _length + 1); 60 | strcpy(pNewArray + _length + 1, pString); 61 | _length += len + 1; 62 | _sz++; 63 | cpp::kFree(_array); 64 | _array = pNewArray; 65 | _array[_length] = 0; 66 | return &_array[_length + 1]; 67 | } 68 | #endif 69 | 70 | T* at(int i) { 71 | int currLen = 0; 72 | for (int idx = 0; idx < min(i, _sz); idx++) { 73 | currLen += this->strlen(_array + currLen) + 1; 74 | } 75 | return _array + currLen; 76 | } 77 | 78 | T* operator[](int i) { 79 | return this->at(i); 80 | } 81 | 82 | int length() { 83 | return _length; 84 | } 85 | int size() { 86 | return _sz; 87 | } 88 | }; 89 | -------------------------------------------------------------------------------- /SKLib/src/data.cpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "data.h" 3 | #include "cpp.h" 4 | #include "macros.h" 5 | #include "utils.h" 6 | #include "RandEx.h" 7 | #include "collector.h" 8 | #include "threading.h" 9 | #include "identity.h" 10 | 11 | //Global strings 12 | wchar_t SKLib::UniHideKeysPath[] = L"SOFTWARE\\UniHide"; 13 | wchar_t SKLib::CurrentDriverName[64] = { 0 }; 14 | bool SKLib::IsInitialized = false; 15 | 16 | PUSERMODE_INFO SKLib::pUserInfo = nullptr; 17 | 18 | //Logging 19 | EventLogger SKLib::Log::evLogger; 20 | 21 | OffsetDump offsets = { 0 }; 22 | CLEANUP_DATA cleanupData = { 0 }; 23 | 24 | void SKLib::Init(PDRIVER_OBJECT pDriverObj) 25 | { 26 | if (IsInitialized) 27 | return; 28 | IsInitialized = true; 29 | 30 | Collector::Init(); 31 | 32 | if (pDriverObj) { 33 | IOCTL::Init(pDriverObj); 34 | Log::evLogger.pDriverObj = pDriverObj; 35 | } 36 | 37 | CPU::Init(); 38 | 39 | random::rnd.setSecLevel(random::SecurityLevel::SECURE); 40 | InitName(); 41 | 42 | sharedpool::Init(); 43 | 44 | pUserInfo = (PUSERMODE_INFO)cpp::kMalloc(sizeof(*pUserInfo), PAGE_READWRITE); 45 | 46 | identity::Init(); 47 | 48 | DbgMsg("[GLOBALS] Successfully initialized global variables"); 49 | } 50 | 51 | void SKLib::InitName(wchar_t* pDriverName) { 52 | wchar_t SPOOFER_TMP[32] = { 0x0 }; 53 | wchar_t* pName = SPOOFER_TMP; 54 | if (!pDriverName) 55 | random::w_str(pName, 8); 56 | else 57 | pName = pDriverName; 58 | 59 | size_t strLen = wcslen(pName); 60 | memcpy(SKLib::CurrentDriverName, L"\\Driver\\", 8 * 2); 61 | memcpy(SKLib::CurrentDriverName + 8, pName, strLen * 2); 62 | } 63 | 64 | void SKLib::Dispose() 65 | { 66 | IOCTL::Dispose(); 67 | Power::Dispose(); 68 | 69 | while (threading::AreThreadsRunning()) { 70 | threading::Sleep(10); 71 | } 72 | Collector::Dispose(); 73 | DbgMsg("[GLOBALS] Successfully disposed of global variables"); 74 | } 75 | -------------------------------------------------------------------------------- /SKLib/include/Arch/Interrupts.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | enum class InterruptVector : int 4 | { 5 | DivideError = 0, // #DE, DIV and IDIV instructions 6 | Debug = 1, // #DB, any code or data reference 7 | NmiInterrupt = 2, // Non-maskable interrupt 8 | Breakpoint = 3, // #BP, INT3 instruction 9 | Overflow = 4, // #OF, INT0 instruction 10 | BoundRangeExceeded = 5, // #BR, BOUND instruction 11 | InvalidOpcode = 6, // #UD, UD instruction or reserved opcode 12 | DeviceNotAvailable = 7, // #NM, No math coprocoessor (floating point or WAIT/FWAIT instruction) 13 | DoubleFault = 8, // #DF, Any instruction that can generate an exception, an NMI or an INTR 14 | CoProcessorSegmentOverrun = 9, // #MF, Floating-point instruction 15 | InvalidTss = 10, // #TS, Task switch or TSS access 16 | SegmentNotPresent = 11, // #NP, Loading segment register or accessing system segments 17 | StackSegmentFault = 12, // #SS, Stack operations and SS register loads 18 | GeneralProtection = 13, // #GP, Any memory reference and other protection checks 19 | PageFault = 14, // #PF, Any memory reference 20 | Reserved = 15, 21 | FloatingPointError = 16, // #MF, Floating-point or WAIT/FWAIT instruction 22 | AlignmentCheck = 17, // #AC, Any data reference in memory 23 | MachineCheck = 18, // #MC, Error codes (if any) and source are model-dependent 24 | SimdFloatingPointException = 19, // #XM, SIMD floating-point instruction 25 | VirtualizationException = 20, // #VE, EPT violations 26 | ControlProtectionException = 21, // #CP, The RET, IRET, RSTORSSP, SETSSBSY, and ENDBRANCH (whet CET is enabled) instructions 27 | // 22..31 are reserved 28 | // 32..255 are maskable interrupts (external interrupt from INTR pin or INTn instruction 29 | }; -------------------------------------------------------------------------------- /SKLib-v/src/Vmexit.cpp: -------------------------------------------------------------------------------- 1 | #include "Vmexit.h" 2 | 3 | bool bVmexitHandlerInit = false; 4 | vector* vVmexitHandlers = 0; 5 | 6 | void vmexit::Init() 7 | { 8 | if (bVmexitHandlerInit) 9 | return; 10 | 11 | if (!vVmexitHandlers) { 12 | vVmexitHandlers = (vector*)cpp::kMalloc(sizeof(*vVmexitHandlers), PAGE_READWRITE); 13 | RtlZeroMemory(vVmexitHandlers, sizeof(*vVmexitHandlers)); 14 | vVmexitHandlers->Init(); 15 | vVmexitHandlers->reserve(64); 16 | vVmexitHandlers->DisableLock(); 17 | } 18 | 19 | bVmexitHandlerInit = true; 20 | } 21 | 22 | bool vmexit::OnVmexit(ULONG64 vmexitCode, ONEXIT_DATA data) 23 | { 24 | if (!vVmexitHandlers) 25 | return false; 26 | 27 | for (auto& exitData : *vVmexitHandlers) { 28 | if (exitData.exitCode == vmexitCode) { 29 | if(exitData.handler(data)) 30 | return true; 31 | } 32 | } 33 | return false; 34 | } 35 | 36 | void vmexit::InsertHandler(ULONG64 vmexitCode, fnVmexitHandler handler) 37 | { 38 | if (!bVmexitHandlerInit 39 | || !handler) 40 | return; 41 | 42 | for (auto& exitHandler : *vVmexitHandlers) { 43 | if (exitHandler.exitCode == vmexitCode) { 44 | exitHandler.handler = handler; 45 | return; 46 | } 47 | } 48 | 49 | VMEXIT_DATA exitData = { 0 }; 50 | exitData.exitCode = vmexitCode; 51 | exitData.handler = handler; 52 | 53 | vVmexitHandlers->Append(exitData); 54 | } 55 | 56 | void vmexit::RemoveHandler(ULONG64 vmexitCode) 57 | { 58 | if (!bVmexitHandlerInit) 59 | return; 60 | 61 | bool bFound = false; 62 | int i = 0; 63 | for (auto& exitHandlers : *vVmexitHandlers) { 64 | if (exitHandlers.exitCode == vmexitCode) { 65 | bFound = true; 66 | break; 67 | } 68 | i++; 69 | } 70 | 71 | if(bFound) 72 | vVmexitHandlers->RemoveAt(i); 73 | } 74 | 75 | fnVmexitHandler vmexit::FindHandler(ULONG64 vmexitCode) 76 | { 77 | if (!bVmexitHandlerInit) 78 | return nullptr; 79 | 80 | for (auto& exitHandlers : *vVmexitHandlers) { 81 | if (exitHandlers.exitCode == vmexitCode) { 82 | return exitHandlers.handler; 83 | } 84 | } 85 | 86 | return nullptr; 87 | } 88 | -------------------------------------------------------------------------------- /SKLib/include/threading.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #ifdef _KERNEL_MODE 3 | 4 | #include "cpp.h" 5 | #include "spinlock.h" 6 | 7 | #define SLEEP_FOREVER -1 8 | #define INVALID_HANDLE_VALUE ((HANDLE)-1) 9 | 10 | #pragma warning (disable:26495) 11 | 12 | namespace threading { 13 | class Thread { 14 | public: 15 | Thread(PKSTART_ROUTINE fnEntry, PVOID pContext) { 16 | OBJECT_ATTRIBUTES objAttrb; 17 | InitializeObjectAttributes(&objAttrb, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); 18 | 19 | bRunning = false; 20 | hThread = NULL; 21 | pThreadObj = nullptr; 22 | 23 | ThreadStartContext* pStartContext = (ThreadStartContext*)ExAllocatePool(NonPagedPool, sizeof(*pStartContext)); 24 | pStartContext->pFn = fnEntry; 25 | pStartContext->pContext = pContext; 26 | pStartContext->pThread = this; 27 | 28 | NTSTATUS ntStatus = PsCreateSystemThread( 29 | &hThread, 30 | THREAD_ALL_ACCESS, 31 | &objAttrb, 32 | NULL, 33 | NULL, 34 | (PKSTART_ROUTINE)ThreadStartWrapper, 35 | pStartContext 36 | ); 37 | 38 | if (!NT_SUCCESS(ntStatus)) { 39 | DbgMsg("[THREAD] Error: cannot create thread - 0x%x", ntStatus); 40 | } 41 | else { 42 | DbgMsg("[THREAD] Created thread with handle: %p", hThread); 43 | } 44 | 45 | ntStatus = ObReferenceObjectByHandle( 46 | hThread, 47 | THREAD_ALL_ACCESS, 48 | NULL, 49 | KernelMode, 50 | (PVOID*)&pThreadObj, 51 | NULL); 52 | if (!NT_SUCCESS(ntStatus)) { 53 | DbgMsg("[THREAD] Error: cannot reference object - 0x%x", ntStatus); 54 | } 55 | } 56 | ~Thread(); 57 | 58 | VOID Join(); 59 | 60 | BOOLEAN IsRunning(); 61 | HANDLE Handle(); 62 | PVOID TObject(); 63 | private: 64 | HANDLE hThread; 65 | PVOID pThreadObj; 66 | BOOLEAN bRunning; 67 | 68 | struct ThreadStartContext { 69 | Thread* pThread; 70 | PKSTART_ROUTINE pFn; 71 | PVOID pContext; 72 | }; 73 | 74 | static void ThreadStartWrapper(ThreadStartContext* pStartContext); 75 | }; 76 | 77 | void Sleep(int ms); 78 | bool AreThreadsRunning(); 79 | } 80 | 81 | #pragma warning (default:26495) 82 | #endif -------------------------------------------------------------------------------- /SKLib/SKLib.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; SKLib.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=System ; TODO: specify appropriate Class 8 | ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318} ; TODO: specify appropriate ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=SKLib.cat 11 | DriverVer = 12/17/2022,20.52.9.188 12 | PnpLockdown=1 13 | 14 | [DestinationDirs] 15 | DefaultDestDir = 12 16 | SKLib_Device_CoInstaller_CopyFiles = 11 17 | 18 | [SourceDisksNames] 19 | 1 = %DiskName%,,,"" 20 | 21 | [SourceDisksFiles] 22 | SKLib.sys = 1,, 23 | ; 24 | 25 | 26 | ;***************************************** 27 | ; Install Section 28 | ;***************************************** 29 | 30 | [Manufacturer] 31 | %ManufacturerName%=Standard,NTamd64 32 | 33 | [Standard.NTamd64] 34 | %SKLib.DeviceDesc%=SKLib_Device, Root\SKLib ; TODO: edit hw-id 35 | 36 | [SKLib_Device.NT] 37 | CopyFiles=Drivers_Dir 38 | 39 | [Drivers_Dir] 40 | SKLib.sys 41 | 42 | ;-------------- Service installation 43 | [SKLib_Device.NT.Services] 44 | AddService = SKLib,%SPSVCINST_ASSOCSERVICE%, SKLib_Service_Inst 45 | 46 | ; -------------- SKLib driver install sections 47 | [SKLib_Service_Inst] 48 | DisplayName = %SKLib.SVCDESC% 49 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 50 | StartType = 3 ; SERVICE_DEMAND_START 51 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 52 | ServiceBinary = %12%\SKLib.sys 53 | 54 | ; 55 | ;--- SKLib_Device Coinstaller installation ------ 56 | ; 57 | 58 | [SKLib_Device.NT.CoInstallers] 59 | AddReg=SKLib_Device_CoInstaller_AddReg 60 | CopyFiles=SKLib_Device_CoInstaller_CopyFiles 61 | 62 | [SKLib_Device_CoInstaller_AddReg] 63 | ; 64 | 65 | 66 | [SKLib_Device_CoInstaller_CopyFiles] 67 | ; 68 | 69 | 70 | [SKLib_Device.NT.Wdf] 71 | KmdfService = SKLib, SKLib_wdfsect 72 | [SKLib_wdfsect] 73 | KmdfLibraryVersion = 1.15 74 | 75 | [Strings] 76 | SPSVCINST_ASSOCSERVICE= 0x00000002 77 | ManufacturerName="" ;TODO: Replace with your manufacturer name 78 | DiskName = "SKLib Installation Disk" 79 | SKLib.DeviceDesc = "SKLib Device" 80 | SKLib.SVCDESC = "SKLib Service" 81 | -------------------------------------------------------------------------------- /SKLib/include/std.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef _KERNEL_MODE 4 | #include 5 | #endif 6 | 7 | #include "macros.h" 8 | 9 | namespace cpp { 10 | template 11 | struct integral_constant { 12 | static constexpr T value = v; 13 | using value_type = T; 14 | using type = integral_constant; // using injected-class-name 15 | constexpr operator value_type() const noexcept { return value; } 16 | constexpr value_type operator()() const noexcept { return value; } // since c++14 17 | }; 18 | 19 | typedef integral_constant false_type; 20 | typedef integral_constant true_type; 21 | 22 | template 23 | struct is_same : false_type {}; 24 | template 25 | struct is_same : true_type {}; 26 | 27 | template struct is_lvalue_reference : false_type {}; 28 | template struct is_lvalue_reference : true_type {}; 29 | 30 | template struct remove_reference { typedef T type; }; 31 | template struct remove_reference { typedef T type; }; 32 | template struct remove_reference { typedef T type; }; 33 | 34 | template 35 | constexpr T&& forward(remove_reference& t) noexcept 36 | { 37 | return static_cast(t); 38 | } 39 | template 40 | constexpr T&& forward(remove_reference&& t) noexcept 41 | { 42 | static_assert(!is_lvalue_reference); 43 | return static_cast(t); 44 | } 45 | template 46 | void swap(T& lhs, T& rhs) { 47 | T temp = lhs; 48 | lhs = rhs; 49 | rhs = temp; 50 | } 51 | 52 | template 53 | struct is_pointer : cpp::false_type {}; 54 | 55 | template 56 | struct is_pointer : cpp::true_type {}; 57 | 58 | template 59 | struct is_pointer : cpp::true_type {}; 60 | 61 | template 62 | struct is_pointer : cpp::true_type {}; 63 | 64 | template 65 | struct is_pointer : cpp::true_type {}; 66 | 67 | char isalnum(char ch); 68 | char isalnumcap(char ch); 69 | bool isalnumstr(char* str); 70 | bool isalnumstr_s(char* str, size_t max); 71 | } -------------------------------------------------------------------------------- /SKLib-v/src/VTxException.cpp: -------------------------------------------------------------------------------- 1 | #include "VTxException.h" 2 | 3 | void InjectInterrupt(INTERRUPTION_TYPE intType, EXCEPTION_VECTOR exVec, bool bDeliverCode, ULONG32 dwErCode) 4 | { 5 | INTERRUPT_INFO intInfo = { 0 }; 6 | 7 | intInfo.Valid = true; 8 | intInfo.InterruptType = intType; 9 | intInfo.Vector = exVec; 10 | intInfo.DeliverCode = bDeliverCode; 11 | __vmx_vmwrite(VM_ENTRY_INTR_INFO_FIELD, intInfo.Flags); 12 | 13 | if (bDeliverCode) 14 | __vmx_vmwrite(VM_ENTRY_EXCEPTION_ERROR_CODE, dwErCode); 15 | } 16 | 17 | bool VTx::Exceptions::InjectException(EXCEPTION_VECTOR ex, DWORD32 eCode) 18 | { 19 | size_t ExitInstrLength; 20 | INTERRUPTION_TYPE intType = HardwareException; 21 | bool bDeliverCode = false; 22 | ULONG32 dwErCode = eCode; 23 | 24 | switch (ex) { 25 | case EXCEPTION_VECTOR_DEBUG_BREAKPOINT: 26 | { 27 | intType = SoftwareException; 28 | break; 29 | } 30 | case EXCEPTION_VECTOR_NMI: 31 | { 32 | intType = NonMaskableInterrupt; 33 | break; 34 | } 35 | case EXCEPTION_VECTOR_BREAKPOINT: 36 | { 37 | intType = SoftwareException; 38 | break; 39 | } 40 | case EXCEPTION_VECTOR_OVERFLOW: 41 | { 42 | intType = SoftwareException; 43 | break; 44 | } 45 | case EXCEPTION_VECTOR_DOUBLE_FAULT: 46 | { 47 | bDeliverCode = true; 48 | break; 49 | } 50 | case EXCEPTION_VECTOR_ALIGNMENT_CHECK: 51 | { 52 | bDeliverCode = true; 53 | break; 54 | } 55 | } 56 | 57 | if (ex >= EXCEPTION_VECTOR_INVALID_TASK_SEGMENT_SELECTOR && ex <= EXCEPTION_VECTOR_PAGE_FAULT) { 58 | bDeliverCode = true; 59 | } 60 | 61 | InjectInterrupt(intType, ex, bDeliverCode, dwErCode); 62 | 63 | __vmx_vmread(VM_EXIT_INSTRUCTION_LEN, &ExitInstrLength); 64 | __vmx_vmwrite(VM_ENTRY_INSTRUCTION_LEN, ExitInstrLength); 65 | return true; 66 | } 67 | 68 | void VTx::Exceptions::ApHardReset() 69 | { 70 | union __reset_control_register reset_register; 71 | reset_register.flags = __inbyte(RST_CNT_IO_PORT); 72 | 73 | // 74 | // Reset CPU bit set, determines type of reset based on: 75 | // - System Reset = 0; soft reset by activating INIT# for 16 PCI clocks. 76 | // - System Reset = 1; then hard reset by activating PLTRST# and SUS_STAT#. 77 | // - System Reset = 1; main power well reset. 78 | // 79 | reset_register.reset_cpu = 1; 80 | reset_register.system_reset = 1; 81 | 82 | __outbyte(RST_CNT_IO_PORT, reset_register.flags); 83 | } -------------------------------------------------------------------------------- /SKLib/include/ioctl.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef _KERNEL_MODE 4 | #ifndef _WDMDDK_ 5 | #include 6 | #endif 7 | #include 8 | #endif 9 | 10 | #include "macros.h" 11 | #include "StringEx.h" 12 | #include "VectorEx.h" 13 | 14 | #ifdef _KERNEL_MODE 15 | 16 | extern "C" POBJECT_TYPE * IoDriverObjectType; 17 | extern "C" NTKERNELAPI NTSTATUS ObReferenceObjectByName( 18 | IN PUNICODE_STRING ObjectName, 19 | IN ULONG Attributes, 20 | IN PACCESS_STATE PassedAccessState, 21 | IN ACCESS_MASK DesiredAccess, 22 | IN POBJECT_TYPE ObjectType, 23 | IN KPROCESSOR_MODE AccessMode, 24 | IN OUT PVOID ParseContext, 25 | OUT PVOID* Object 26 | ); 27 | 28 | typedef DWORD64 IOCTL_HANDLE; 29 | 30 | typedef NTSTATUS(*fnCallback) ( 31 | PDEVICE_OBJECT pDeviceObj, 32 | PIRP pIrp 33 | ); 34 | 35 | class DispatchHandler 36 | { 37 | private: 38 | DWORD32 dispatcherBitMask; 39 | bool bSymLinkExists; 40 | 41 | string currentDeviceName; 42 | PDEVICE_OBJECT pDeviceObj; 43 | 44 | static NTSTATUS defaultHandler(PDEVICE_OBJECT pDeviceObj, PIRP pIrp); 45 | 46 | public: 47 | void Init(char* pDeviceName, fnCallback fnCallback = &defaultHandler); 48 | DispatchHandler(); 49 | DispatchHandler(char* pDeviceName, fnCallback fnCallback = nullptr); 50 | void addHandler(DWORD dwIrpMj, fnCallback fnCallback); 51 | void addUnsupportedHandler(fnCallback fnCallback); 52 | void Dispose(); 53 | 54 | bool operator==(DispatchHandler& rhs) { 55 | return currentDeviceName == rhs.currentDeviceName; 56 | } 57 | 58 | bool operator!=(DispatchHandler& rhs) { 59 | return !(*this == rhs); 60 | } 61 | }; 62 | 63 | namespace IOCTL { 64 | void Init(PDRIVER_OBJECT pDriverObj); 65 | IOCTL_HANDLE Add(char* pDeviceName, fnCallback fnCallback = nullptr); 66 | DispatchHandler& GetHandler(IOCTL_HANDLE hHandler); 67 | PDRIVER_DISPATCH* GetMJFunctions(string driverName); 68 | 69 | PDRIVER_OBJECT GetDriverObj(string driverName); 70 | PDEVICE_OBJECT GetDevice(string deviceName); 71 | PDEVICE_OBJECT GetDeviceFromIName(string deviceName); 72 | 73 | NTSTATUS SendIoctl(string driverName, DWORD64 dwIoctlCode, PVOID pInBuf = nullptr, ULONG ulInBufLen = 0, PVOID pOutBuffer = nullptr, ULONG ulOutBufLen = 0); 74 | NTSTATUS SendIoctl(PDEVICE_OBJECT pDeviceObj, DWORD64 dwIoctlCode, PVOID pInBuf = nullptr, ULONG ulInBufLen = 0, PVOID pOutBuffer = nullptr, ULONG ulOutBufLen = 0); 75 | 76 | void Dispose(); 77 | } 78 | #endif -------------------------------------------------------------------------------- /SKLib/src/power.cpp: -------------------------------------------------------------------------------- 1 | #include "power.h" 2 | 3 | bool Power::bInit = false; 4 | 5 | list* Power::vCallbackObjs = nullptr; 6 | list* Power::vRegistrationObjs = nullptr; 7 | 8 | void Power::Init() 9 | { 10 | if (bInit) { 11 | return; 12 | } 13 | 14 | if (!vCallbackObjs) { 15 | vCallbackObjs = (list*)cpp::kMalloc(sizeof(*vCallbackObjs), PAGE_READWRITE); 16 | vCallbackObjs->Init(); 17 | } 18 | if (!vRegistrationObjs) { 19 | vRegistrationObjs = (list*)cpp::kMalloc(sizeof(*vRegistrationObjs), PAGE_READWRITE); 20 | vRegistrationObjs->Init(); 21 | } 22 | 23 | bInit = true; 24 | } 25 | 26 | void Power::Dispose() 27 | { 28 | if (!bInit) { 29 | DbgMsg("[POWER] Error: cannot dispose of uninitialized objects!"); 30 | return; 31 | } 32 | if (!vRegistrationObjs) 33 | return; 34 | forEach(itRegisterObj, (*vRegistrationObjs)) { 35 | ExUnregisterCallback(*itRegisterObj); 36 | } 37 | if (!vCallbackObjs) 38 | return; 39 | forEach(itCallbackObj, (*vCallbackObjs)) { 40 | ObDereferenceObject(*itCallbackObj); 41 | } 42 | 43 | vRegistrationObjs->Dispose(); 44 | vCallbackObjs->Dispose(); 45 | 46 | cpp::kFree(vRegistrationObjs); 47 | cpp::kFree(vCallbackObjs); 48 | 49 | vRegistrationObjs = nullptr; 50 | vCallbackObjs = nullptr; 51 | } 52 | 53 | NTSTATUS Power::RegisterCallback(fnPowerCallback fnCallback, int* index) 54 | { 55 | Init(); 56 | 57 | string cbName("\\Callback\\PowerState"); 58 | OBJECT_ATTRIBUTES oa = RTL_CONSTANT_OBJECT_ATTRIBUTES(&cbName.unicode(), OBJ_CASE_INSENSITIVE); 59 | 60 | PCALLBACK_OBJECT pCallbackObj = nullptr; 61 | NTSTATUS ntStatus = ExCreateCallback(&pCallbackObj, &oa, FALSE, TRUE); 62 | if (!NT_SUCCESS(ntStatus)) { 63 | ObDereferenceObject(pCallbackObj); 64 | cpp::kFree(pCallbackObj); 65 | return STATUS_UNSUCCESSFUL; 66 | } 67 | 68 | PVOID pRegistrationObj = ExRegisterCallback(pCallbackObj, fnCallback, nullptr); 69 | if (!pRegistrationObj) { 70 | return STATUS_UNSUCCESSFUL; 71 | } 72 | 73 | vCallbackObjs->Append(pCallbackObj); 74 | vRegistrationObjs->Append(pRegistrationObj); 75 | 76 | if (index) { 77 | *index = vRegistrationObjs->Length() - 1; 78 | } 79 | 80 | return ntStatus; 81 | } 82 | 83 | void Power::UnregisterCallback(int index) 84 | { 85 | ExUnregisterCallback(vRegistrationObjs->at(index)); 86 | vRegistrationObjs->RemoveAt(index); 87 | ObDereferenceObject(vCallbackObjs->at(index)); 88 | vCallbackObjs->RemoveAt(index); 89 | } 90 | -------------------------------------------------------------------------------- /phymeme_lib/physmeme_lib.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | C:\Users\interesting\Desktop\hello-world.sys 5 | WindowsLocalDebugger 6 | 7 | 8 | C:\Users\interesting\Desktop\hello-world.sys 9 | WindowsLocalDebugger 10 | 11 | 12 | C:\Users\interesting\Desktop\hello-world.sys 13 | WindowsLocalDebugger 14 | 15 | 16 | C:\Users\interesting\Desktop\hello-world.sys 17 | WindowsLocalDebugger 18 | 19 | 20 | C:\Users\interesting\Desktop\hello-world.sys 21 | WindowsLocalDebugger 22 | 23 | 24 | C:\Users\interesting\Desktop\hello-world.sys 25 | WindowsLocalDebugger 26 | 27 | 28 | C:\Users\interesting\Desktop\hello-world.sys 29 | WindowsLocalDebugger 30 | 31 | 32 | C:\Users\interesting\Desktop\hello-world.sys 33 | WindowsLocalDebugger 34 | 35 | 36 | false 37 | 38 | -------------------------------------------------------------------------------- /phymeme_lib/map_driver.cpp: -------------------------------------------------------------------------------- 1 | #include "kernel_ctx/kernel_ctx.h" 2 | #include "drv_image/drv_image.h" 3 | #include "map_driver.hpp" 4 | #include "kernel_ctx/dbrequest.h" 5 | 6 | 7 | namespace physmeme 8 | { 9 | bool bInit = false; 10 | void Init() 11 | { 12 | if(!bInit) 13 | physmeme::load_drv(); 14 | bInit = true; 15 | } 16 | 17 | std::string DriverName() 18 | { 19 | return physmeme::drv_key; 20 | } 21 | 22 | DWORD32 DriverTimestamp() 23 | { 24 | return util::get_file_header((void*)raw_driver)->TimeDateStamp; 25 | } 26 | 27 | HANDLE DriverHandle() 28 | { 29 | return physmeme::drv_handle; 30 | } 31 | 32 | NTSTATUS __cdecl map_driver(std::string driver_name, uintptr_t param1, uintptr_t param2, bool bAllocationPtrParam1, bool bAllocationSizeParam2, uintptr_t* allocBase) 33 | { 34 | std::vector drv_buffer; 35 | util::open_binary_file(driver_name.c_str(), drv_buffer); 36 | if (!drv_buffer.size()) 37 | { 38 | std::perror("[-] invalid drv_buffer size\n"); 39 | return -1; 40 | } 41 | return map_driver(drv_buffer, param1, param2, bAllocationPtrParam1, bAllocationSizeParam2, allocBase); 42 | } 43 | 44 | NTSTATUS __cdecl map_driver(const std::vector& driver, uintptr_t param1, uintptr_t param2, bool bAllocationPtrParam1, bool bAllocationSizeParam2, uintptr_t* allocBase) 45 | { 46 | Init(); 47 | 48 | physmeme::drv_image image(driver); 49 | physmeme::kernel_ctx ctx; 50 | const auto drv_timestamp = util::get_file_header((void*)raw_driver)->TimeDateStamp; 51 | ctx.clear_piddb_cache(physmeme::drv_key, drv_timestamp); 52 | 53 | const auto _get_export_name = [&](const char* base, const char* name) 54 | { 55 | return reinterpret_cast(util::get_kernel_export(base, name)); 56 | }; 57 | 58 | image.fix_imports(_get_export_name); 59 | image.map(); 60 | 61 | void* pool_base = 0; 62 | 63 | if (!*allocBase) { 64 | pool_base = 65 | ctx.allocate_pool( 66 | image.size(), 67 | NonPagedPool 68 | ); 69 | *allocBase = (uintptr_t)pool_base; 70 | } 71 | else { 72 | pool_base = (void*)*allocBase; 73 | } 74 | 75 | image.relocate(pool_base); 76 | ctx.write_kernel(pool_base, image.data(), image.size()); 77 | auto entry_point = reinterpret_cast(pool_base) + image.entry_point(); 78 | 79 | auto result = ctx.syscall 80 | ( 81 | (PVOID)entry_point, 82 | bAllocationPtrParam1 ? (uintptr_t)(pool_base) : (uintptr_t)(param1), 83 | bAllocationSizeParam2 ? (uintptr_t)(image.size()) : (uintptr_t)(param2) 84 | ); 85 | 86 | return result; 87 | } 88 | } -------------------------------------------------------------------------------- /phymeme_lib/drv_image/drv_image.h: -------------------------------------------------------------------------------- 1 | /* 2 | This is free and unencumbered software released into the public domain. 3 | 4 | Anyone is free to copy, modify, publish, use, compile, sell, or 5 | distribute this software, either in source code form or as a compiled 6 | binary, for any purpose, commercial or non-commercial, and by any 7 | means. 8 | 9 | In jurisdictions that recognize copyright laws, the author or authors 10 | of this software dedicate any and all copyright interest in the 11 | software to the public domain. We make this dedication for the benefit 12 | of the public at large and to the detriment of our heirs and 13 | successors. We intend this dedication to be an overt act of 14 | relinquishment in perpetuity of all present and future rights to this 15 | software under copyright law. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 18 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 19 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 20 | IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR 21 | OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, 22 | ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR 23 | OTHER DEALINGS IN THE SOFTWARE. 24 | 25 | For more information, please refer to 26 | 27 | 28 | !!!!!!!!!!!!!!!!!!!!!!!!!!! This code was created by not-wlan (wlan). all credit for this header and source file goes to him !!!!!!!!!!!!!!!!!!!!!!!!!!!!! 29 | */ 30 | 31 | #pragma once 32 | #include 33 | #define WIN32_NO_STATUS 34 | #include 35 | #include 36 | #undef WIN32_NO_STATUS 37 | #include 38 | 39 | #include 40 | #include 41 | #include 42 | #include "../util/nt.hpp" 43 | 44 | #pragma comment(lib, "Dbghelp.lib") 45 | namespace physmeme 46 | { 47 | class drv_image 48 | { 49 | std::vector m_image; 50 | std::vector m_image_mapped; 51 | PIMAGE_DOS_HEADER m_dos_header = nullptr; 52 | PIMAGE_NT_HEADERS64 m_nt_headers = nullptr; 53 | PIMAGE_SECTION_HEADER m_section_header = nullptr; 54 | public: 55 | explicit drv_image(std::vector image); 56 | 57 | void map(); 58 | void* data(); 59 | size_t size() const; 60 | size_t header_size(); 61 | uintptr_t entry_point() const; 62 | void relocate(void* base) const; 63 | void fix_imports(const std::function get_function); 64 | static bool process_relocation(size_t image_base_delta, uint16_t data, uint8_t* relocation_base); 65 | 66 | template 67 | __forceinline T* get_rva(const unsigned long offset) 68 | { 69 | return (T*)::ImageRvaToVa(m_nt_headers, m_image.data(), offset, nullptr); 70 | } 71 | }; 72 | } -------------------------------------------------------------------------------- /phymeme_lib/physmeme/physmeme.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | 5 | #include "../util/util.hpp" 6 | #include "../loadup.hpp" 7 | #include "../raw_driver.hpp" 8 | 9 | #define MAP_PHYSICAL 0x80102040 10 | #define UNMAP_PHYSICAL 0x80102044 11 | 12 | #pragma pack ( push, 1 ) 13 | typedef struct _GIOMAP 14 | { 15 | unsigned long interface_type; 16 | unsigned long bus; 17 | std::uintptr_t physical_address; 18 | unsigned long io_space; 19 | unsigned long size; 20 | } GIOMAP; 21 | #pragma pack ( pop ) 22 | 23 | struct tagPhysStruct 24 | { 25 | DWORD64 dwPhysMemSizeInBytes; 26 | DWORD64 pvPhysAddress; 27 | DWORD64 PhysicalMemoryHandle; 28 | DWORD64 pvPhysMemLin; 29 | DWORD64 pvPhysSection; 30 | }; 31 | 32 | namespace physmeme 33 | { 34 | inline std::string drv_key; 35 | inline HANDLE drv_handle = NULL; 36 | 37 | inline bool load_drv() 38 | { 39 | const auto [result, key] = 40 | driver::load( 41 | raw_driver, 42 | sizeof(raw_driver) 43 | ); 44 | 45 | drv_key = key; 46 | drv_handle = CreateFileA( 47 | "\\\\.\\EneIo", 48 | GENERIC_READ | GENERIC_WRITE, 49 | NULL, 50 | NULL, 51 | OPEN_EXISTING, 52 | FILE_ATTRIBUTE_NORMAL, 53 | NULL 54 | ); 55 | if (drv_handle == INVALID_HANDLE_VALUE) { 56 | printf("[-] Could not load EneIo: 0x%x", GetLastError()); 57 | } 58 | return drv_handle; 59 | } 60 | 61 | inline bool unload_drv() 62 | { 63 | return CloseHandle(drv_handle) && driver::unload(drv_key); 64 | } 65 | 66 | inline std::uintptr_t map_phys(std::uintptr_t addr, std::size_t size) 67 | { 68 | //--- ensure the validity of the address we are going to try and map 69 | if (!util::is_valid(addr)) 70 | return NULL; 71 | 72 | tagPhysStruct in_buffer = { 0 }; 73 | in_buffer.dwPhysMemSizeInBytes = size; 74 | in_buffer.pvPhysAddress = addr; 75 | unsigned long returned = 0; 76 | 77 | if (!DeviceIoControl( 78 | drv_handle, 79 | MAP_PHYSICAL, 80 | reinterpret_cast(&in_buffer), 81 | sizeof(in_buffer), 82 | reinterpret_cast(&in_buffer), 83 | sizeof(in_buffer), 84 | &returned, NULL 85 | )) 86 | return NULL; 87 | 88 | return in_buffer.pvPhysMemLin; 89 | } 90 | 91 | inline bool unmap_phys(std::uintptr_t addr, std::size_t size) 92 | { 93 | tagPhysStruct in_buffer = { 0 }; 94 | in_buffer.pvPhysAddress = addr; 95 | in_buffer.dwPhysMemSizeInBytes = size; 96 | unsigned long returned = NULL; 97 | 98 | return DeviceIoControl( 99 | drv_handle, 100 | UNMAP_PHYSICAL, 101 | reinterpret_cast(&in_buffer), 102 | sizeof(in_buffer), 103 | reinterpret_cast(&in_buffer), 104 | sizeof(in_buffer), 105 | &returned, NULL 106 | ); 107 | } 108 | } -------------------------------------------------------------------------------- /SKLib/src/sharedpool.cpp: -------------------------------------------------------------------------------- 1 | #include "sharedpool.h" 2 | 3 | #include "MemoryEx.h" 4 | #include "paging.h" 5 | 6 | list* sharedpool::vPools = nullptr; 7 | bool sharedpool::bInit = false; 8 | 9 | bool sharedpool::Init() 10 | { 11 | if (bInit) { 12 | DbgMsg("[SHAREDPOOL] Warning: namespace was already initialized!"); 13 | return true; 14 | } 15 | bInit = true; 16 | 17 | sharedpool::vPools = (list*)cpp::kMalloc(sizeof(*sharedpool::vPools), PAGE_READWRITE); 18 | sharedpool::vPools->Init(); 19 | 20 | return true; 21 | } 22 | 23 | bool sharedpool::Dispose() 24 | { 25 | bInit = false; 26 | 27 | for(SHARED_POOL poolData : (*sharedpool::vPools)) 28 | { 29 | cpp::kFree((PVOID)poolData.baseAddr); 30 | } 31 | 32 | sharedpool::vPools->Dispose(); 33 | cpp::kFree(sharedpool::vPools); 34 | return true; 35 | } 36 | 37 | PVOID sharedpool::Create(size_t size, OUT PPOOL_HANDLE pHandle) 38 | { 39 | if (!bInit) { 40 | DbgMsg("[SHAREDPOOL] Error: sharedpool not initialized"); 41 | return 0; 42 | } 43 | 44 | PVOID pBase = cpp::kMalloc(size, PAGE_READWRITE); 45 | SHARED_POOL sharedPool; 46 | sharedPool.baseAddr = (size_t)pBase; 47 | sharedPool.size = size; 48 | sharedPool.bMapped = true; 49 | 50 | POOL_HANDLE hPool = vPools->Append(sharedPool); 51 | if (pHandle) 52 | *pHandle = hPool; 53 | 54 | DbgMsg("[SHAREDPOOL] Created and mapped section: %p", pBase); 55 | return pBase; 56 | } 57 | 58 | void sharedpool::Delete(POOL_HANDLE poolHandle) 59 | { 60 | if (!bInit) { 61 | DbgMsg("[SHAREDPOOL] Error: sharedpool not initialized"); 62 | return; 63 | } 64 | 65 | SHARED_POOL& sharedPool = vPools->at(poolHandle); 66 | if (!sharedPool.bMapped) { 67 | DbgMsg("[SHAREDPOOL] Warning: cannot unmap already unmapped view of section!"); 68 | return; 69 | } 70 | 71 | cpp::kFree((PVOID)sharedPool.baseAddr); 72 | vPools->RemoveAt(poolHandle); 73 | } 74 | 75 | PVOID sharedpool::MapUserData(PVOID pUsermodeBuffer, DWORD32 procId) { 76 | PVOID pBase = nullptr; 77 | if (!procId) { 78 | return nullptr; 79 | } 80 | 81 | DWORD64 guestPa = 0; 82 | while (!guestPa) { 83 | PRKAPC_STATE pRkapcState = (PRKAPC_STATE)Memory::AttachToProcessId(procId); 84 | if (!pRkapcState) { 85 | return nullptr; 86 | } 87 | 88 | guestPa = Memory::VirtToPhy(pUsermodeBuffer); 89 | 90 | Memory::DetachFromProcess(pRkapcState); 91 | } 92 | 93 | LARGE_INTEGER pa = { 0 }; 94 | pa.QuadPart = guestPa; 95 | pBase = MmMapIoSpace(pa, sizeof(USERMODE_INFO), MmCached); 96 | return pBase; 97 | } 98 | 99 | PVOID sharedpool::PoolBase(POOL_HANDLE hPool) 100 | { 101 | SHARED_POOL& sharedPool = vPools->at(hPool); 102 | return (PVOID)sharedPool.baseAddr; 103 | } 104 | 105 | bool _SHARED_POOL::operator==(_SHARED_POOL rhs) 106 | { 107 | return !memcmp(this, &rhs, sizeof(rhs)); 108 | } 109 | 110 | bool _SHARED_POOL::operator!=(_SHARED_POOL rhs) 111 | { 112 | return !(*this == rhs); 113 | } 114 | -------------------------------------------------------------------------------- /SKLib/include/bugcheck.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #pragma pack(push, 1) 4 | typedef struct _BUGCHECK_INFO { 5 | unsigned int ulBugCheckCode; 6 | wchar_t* pCaption; 7 | wchar_t* pMessage; 8 | wchar_t* pLink; 9 | unsigned int bgColor; 10 | 11 | __int64 pBugCheckTrampoline; 12 | } BUGCHECK_INFO, *PBUGCHECK_INFO; 13 | #pragma pack(pop) 14 | 15 | #ifdef _KERNEL_MODE 16 | #include "cpp.h" 17 | #include "winternlex.h" 18 | #include "MemoryEx.h" 19 | 20 | typedef VOID 21 | (*fnKiDisplayBlueScreen)( 22 | IN ULONG PssMessage, 23 | IN BOOLEAN HardErrorCalled, 24 | IN PCHAR HardErrorCaption, 25 | IN PCHAR HardErrorMessage, 26 | IN PCHAR StateString 27 | ); 28 | 29 | typedef DWORD64 30 | (*fnBgpFwDisplayBugCheckScreen) ( 31 | DWORD32 BugCheckDataFirstDword, 32 | DWORD64* BugCheckData_0x8_ptr, 33 | DWORD32 BugCheckDriverFirstDword, 34 | DWORD64* someArray0xA0, 35 | char bugCheckCode_maybe 36 | ); 37 | 38 | typedef VOID 39 | (*fnBgpClearScreen) ( 40 | DWORD argb 41 | ); 42 | 43 | typedef DWORD64 44 | (*fnBgpDisplayCharacterEx) ( 45 | unsigned __int16 a1, 46 | __int64 a2, 47 | unsigned int a3, 48 | unsigned int a4, 49 | unsigned int color, 50 | int a6, 51 | __int64 a7, 52 | __int64 a8, 53 | unsigned __int64 a9 54 | ); 55 | 56 | typedef DWORD64 57 | (*fnBgpGxFillRectangle) ( 58 | DWORD64 a1, 59 | DWORD32 color 60 | ); 61 | 62 | typedef DWORD64 63 | (*fnBgpRasPrintGlyph) ( 64 | __int64 a1, 65 | __int64 pColor, 66 | __int16 a3, 67 | unsigned int a4, 68 | int a5, 69 | char a6, 70 | __int64 a7, 71 | __int64 a8, 72 | __int64* a9 73 | ); 74 | 75 | typedef DWORD64 76 | (*fnBgpGxProcessQrCodeBitmap) ( 77 | BYTE* pBitmap, 78 | DWORD64** outRect 79 | ); 80 | 81 | typedef DWORD64 82 | (*fnInbvAcquireDisplayOwnership) ( 83 | DWORD64 a1, 84 | DWORD64 a2, 85 | DWORD64 a3, 86 | DWORD64 a4 87 | ); 88 | 89 | typedef void 90 | (*fnBugCheckEx) ( 91 | DWORD64 dwBugCheckCode, 92 | DWORD64 dwBugCheckParam1, 93 | DWORD64 dwBugCheckParam2, 94 | DWORD64 dwBugCheckParam3, 95 | DWORD64 dwBugCheckParam4 96 | ); 97 | 98 | typedef DWORD64 99 | (*fnDumpWrite) ( 100 | DWORD* dumpStack_maybe, 101 | DWORD64 a2, 102 | DWORD64 a3 103 | ); 104 | 105 | typedef DWORD64 (*fnWriteBitmapDump) ( 106 | DWORD64 pDumpStack, 107 | DWORD64 a2, 108 | DWORD64 a3 109 | ); 110 | 111 | typedef DWORD64(*fnWriteMiniDump) ( 112 | DWORD64 pDumpStack, 113 | DWORD64 a2 114 | ); 115 | 116 | namespace bugcheck { 117 | VOID Init(); 118 | VOID Update( 119 | PBUGCHECK_INFO pBugCheckInfo 120 | ); 121 | VOID Setup(); 122 | 123 | extern fnKiDisplayBlueScreen pKiDisplayBlueScreen; 124 | extern fnBgpGxFillRectangle pBgpGxFillRectangle; 125 | extern DWORD64* pBugCheckListHead; 126 | extern DWORD64* pTriageDumpListHead; 127 | extern DWORD64* KiBugCheckData; 128 | } 129 | #endif -------------------------------------------------------------------------------- /SKLib/include/RandEx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #include "macros.h" 6 | #include "cpp.h" 7 | #include "cpu.h" 8 | #include "StringEx.h" 9 | #include "std.h" 10 | 11 | #define RND_STRING_MAX_LEN 256 12 | 13 | namespace random { 14 | enum class SecurityLevel { 15 | PSEUDO = 0, 16 | SECURE, 17 | PREDICTABLE 18 | }; 19 | class Random { 20 | private: 21 | SecurityLevel _eSecLevel; 22 | ULONG _seed; 23 | ULONG64 _xorKey; 24 | ULONG getRandom(); 25 | 26 | public: 27 | Random(SecurityLevel eSecLevl = SecurityLevel::PREDICTABLE); 28 | Random(ULONG seed); 29 | 30 | void setSeed(ULONG seed); 31 | void setSecLevel(SecurityLevel eSecLevel); 32 | 33 | size_t Next(size_t begin, size_t end); 34 | int Next(int begin, int end); 35 | size_t NextPredictable(size_t begin, size_t end); 36 | int NextPredictable(int begin, int end); 37 | size_t XorPredictable(size_t number); 38 | int XorPredictable(int number); 39 | #ifdef _KERNEL_MODE 40 | string String(size_t sz); 41 | void bytes(char* pOut, size_t sz); 42 | void c_str(char* pOut, size_t sz); 43 | void w_str(wchar_t* pOut, size_t sz); 44 | void c_str_upper(char* pOut, size_t sz); 45 | void w_str_upper(wchar_t* pOut, size_t sz); 46 | void c_str_hex(char* pOut, size_t sz); 47 | void w_str_hex(wchar_t* pOut, size_t sz); 48 | 49 | template 50 | void random_shuffle(T* pStr, int sz) { 51 | for (int i = sz - 1; i >= 0; --i) { 52 | cpp::swap(pStr[i], pStr[Next(0, i + 1)]); 53 | } 54 | } 55 | 56 | template 57 | void random_shuffle_ignore_chars(T* pStr, int sz, T* ignore = "", int ignoreLen = 0) { 58 | for (int i = sz - 1; i >= 0; --i) { 59 | auto rndSelect = Next(0, i + 1); 60 | bool bIgnore = false; 61 | for (int j = 0; j < ignoreLen; j++) { 62 | if (ignore[j] == pStr[i]) { 63 | bIgnore = true; 64 | break; 65 | } 66 | while (ignore[j] == pStr[rndSelect]) { 67 | rndSelect = (++rndSelect) % (i + 1); 68 | } 69 | } 70 | if (!bIgnore) { 71 | cpp::swap(pStr[i], pStr[rndSelect]); 72 | } 73 | } 74 | } 75 | 76 | template 77 | void predictable_shuffle(T* pStr, int sz) { 78 | for (int i = sz - 1; i >= 0; --i) { 79 | cpp::swap(pStr[i], pStr[NextPredictable(0, i)]); 80 | } 81 | } 82 | 83 | template 84 | void predictable_xor(T* pStr, int sz) { 85 | static char charset[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; 86 | for (int i = sz - 1; i >= 0; --i) { 87 | pStr[i] = (T)XorPredictable((int)pStr[i]); 88 | pStr[i] = charset[pStr[i] % sizeof(charset)]; 89 | } 90 | } 91 | #endif 92 | }; 93 | 94 | extern Random rnd; 95 | 96 | void Regenerate(SecurityLevel eSecLevl = SecurityLevel::PSEUDO); 97 | 98 | size_t Next(size_t begin, size_t end); 99 | size_t NextHardware(size_t begin, size_t end); 100 | int Next32(int begin, int end); 101 | #ifdef _KERNEL_MODE 102 | string String(size_t sz); 103 | void c_str(char* pOut, size_t sz); 104 | void w_str(wchar_t* pOut, size_t sz); 105 | #endif 106 | } -------------------------------------------------------------------------------- /SKLib/include/Arch/Intrinsics.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #ifdef __cplusplus 6 | extern "C" 7 | { 8 | #endif 9 | 10 | #if _WIN64 || __x86_64__ 11 | typedef unsigned long long reg_t; 12 | #else 13 | typedef unsigned long reg_t; 14 | #endif 15 | 16 | void __cpuid(int[4], int); 17 | void __cpuidex(int[4], int, int); 18 | 19 | void __int2c(void); 20 | 21 | unsigned char __inbyte(unsigned short); 22 | unsigned short __inword(unsigned short); 23 | unsigned long __indword(unsigned short); 24 | void __inbytestring(unsigned short, unsigned char*, unsigned long); 25 | void __inwordstring(unsigned short, unsigned short*, unsigned long); 26 | void __indwordstring(unsigned short, unsigned long*, unsigned long); 27 | 28 | void __outbyte(unsigned short, unsigned char); 29 | void __outword(unsigned short, unsigned short); 30 | void __outdword(unsigned short, unsigned long); 31 | void __outbytestring(unsigned short, unsigned char*, unsigned long); 32 | void __outwordstring(unsigned short, unsigned short*, unsigned long); 33 | void __outdwordstring(unsigned short, unsigned long*, unsigned long); 34 | 35 | void __lidt(void*); 36 | void __sidt(void*); 37 | 38 | void _lgdt(void*); 39 | void _sgdt(void*); 40 | 41 | unsigned long long __rdtsc(void); 42 | unsigned long long __rdtscp(unsigned int*); 43 | 44 | reg_t __readcr0(void); 45 | reg_t __readcr2(void); 46 | reg_t __readcr3(void); 47 | reg_t __readcr4(void); 48 | reg_t __readcr8(void); 49 | 50 | void __writecr0(size_t); 51 | void __writecr2(size_t); 52 | void __writecr3(size_t); 53 | void __writecr4(size_t); 54 | void __writecr8(size_t); 55 | 56 | size_t __readdr(unsigned int); 57 | void __writedr(unsigned int, size_t); 58 | 59 | size_t __readeflags(void); 60 | void __writeeflags(size_t); 61 | 62 | unsigned long long __readmsr(unsigned long); 63 | void __writemsr(unsigned long, unsigned long long); 64 | 65 | unsigned long long __readpmc(unsigned long); 66 | 67 | unsigned long __segmentlimit(unsigned long); 68 | 69 | void __invlpg(void*); 70 | void __wbinvd(void); 71 | 72 | void __cdecl _disable(void); 73 | void __cdecl _enable(void); 74 | 75 | void _rsm(void); 76 | 77 | void __halt(void); 78 | 79 | void __cdecl __debugbreak(void); 80 | __declspec(noreturn) void __fastfail(unsigned int); 81 | 82 | void __svm_clgi(void); 83 | void __svm_invlpga(void*, int); 84 | void __svm_skinit(int); 85 | void __svm_stgi(void); 86 | void __svm_vmload(size_t); 87 | void __svm_vmrun(size_t); 88 | void __svm_vmsave(size_t); 89 | void __svm_invlpgb(void*, int); 90 | void __svm_tlbsync(void); 91 | 92 | void __vmx_off(void); 93 | unsigned char __vmx_on(unsigned long long*); 94 | unsigned char __vmx_vmclear(unsigned long long*); 95 | unsigned char __vmx_vmlaunch(void); 96 | unsigned char __vmx_vmptrld(unsigned long long*); 97 | void __vmx_vmptrst(unsigned long long*); 98 | unsigned char __vmx_vmread(size_t, size_t*); 99 | unsigned char __vmx_vmresume(void); 100 | unsigned char __vmx_vmwrite(size_t, size_t); 101 | 102 | void __ud2(void); 103 | void __nop(void); 104 | 105 | #ifdef __cplusplus 106 | } // extern "C" 107 | #endif -------------------------------------------------------------------------------- /SKLib-v/src/VmIDT-helper.asm: -------------------------------------------------------------------------------- 1 | 2 | .code _text 3 | 4 | ;void nmiHandler(); 5 | EXTERN NmiHandler:PROC 6 | 7 | EXTERN seh_handler_vm : proc 8 | EXTERN seh_handler_ecode_vm : proc 9 | 10 | ; Macro for NMI-blocking iret. 11 | nmiret macro 12 | 13 | ; Emulate the iret instruction in order not to unblock NMIs. 14 | push rax ; Save the rax 15 | ; Now the stack layout would be like: 16 | ; qword ptr [rsp+8*0] rax 17 | ; qword ptr [rsp+8*1] rip 18 | ; word ptr [rsp+8*2] cs 19 | ; qword ptr [rsp+8*3] rflags 20 | ; qword ptr [rsp+8*4] rsp 21 | ; qword ptr [rsp+8*5] ss 22 | mov rax,rsp ; Save the NMI stack pointer. 23 | lss rsp,[rax+8*4] ; Restore ss and rsp 24 | ; Note that rsp is switched to pre-NMI stack, so use rax for memory addressing. 25 | push qword ptr [rax+18h] ; Store rflags to pre-NMI stack. 26 | popfq ; Restore rflags 27 | push qword ptr [rax+10h] ; Store cs to pre-NMI stack. 28 | push qword ptr [rax+8h] ; Store rip to pre-NMI stack. 29 | mov rax,qword ptr [rax] ; Restore rax 30 | retfq ; Restore cs and rip 31 | 32 | endm 33 | 34 | __nmi_handler_vm PROC 35 | push rax 36 | push rbx 37 | push rcx 38 | push rdx 39 | push rsi 40 | push rdi 41 | push rbp 42 | push r8 43 | push r9 44 | push r10 45 | push r11 46 | push r12 47 | push r13 48 | push r14 49 | push r15 50 | 51 | sub rsp, 20h 52 | call NmiHandler 53 | add rsp, 20h 54 | 55 | pop r15 56 | pop r14 57 | pop r13 58 | pop r12 59 | pop r11 60 | pop r10 61 | pop r9 62 | pop r8 63 | pop rbp 64 | pop rdi 65 | pop rsi 66 | pop rdx 67 | pop rcx 68 | pop rbx 69 | pop rax 70 | 71 | nmiret 72 | __nmi_handler_vm ENDP 73 | 74 | ; #DE has no error code... 75 | generic_interrupt_handler_vm PROC 76 | __de_handler_vm proc 77 | push rax 78 | push rbx 79 | push rcx 80 | push rdx 81 | push rsi 82 | push rdi 83 | push rbp 84 | push r8 85 | push r9 86 | push r10 87 | push r11 88 | push r12 89 | push r13 90 | push r14 91 | push r15 92 | 93 | mov rcx, rsp 94 | sub rsp, 20h 95 | call seh_handler_vm 96 | add rsp, 20h 97 | 98 | pop r15 99 | pop r14 100 | pop r13 101 | pop r12 102 | pop r11 103 | pop r10 104 | pop r9 105 | pop r8 106 | pop rbp 107 | pop rdi 108 | pop rsi 109 | pop rdx 110 | pop rcx 111 | pop rbx 112 | pop rax 113 | 114 | iretq 115 | __de_handler_vm endp 116 | generic_interrupt_handler_vm ENDP 117 | 118 | ; PF and GP have error code... 119 | generic_interrupt_handler_ecode_vm PROC 120 | __pf_handler_vm proc 121 | __gp_handler_vm proc 122 | push rax 123 | push rbx 124 | push rcx 125 | push rdx 126 | push rsi 127 | push rdi 128 | push rbp 129 | push r8 130 | push r9 131 | push r10 132 | push r11 133 | push r12 134 | push r13 135 | push r14 136 | push r15 137 | 138 | mov rcx, rsp 139 | sub rsp, 20h 140 | call seh_handler_ecode_vm 141 | add rsp, 20h 142 | 143 | pop r15 144 | pop r14 145 | pop r13 146 | pop r12 147 | pop r11 148 | pop r10 149 | pop r9 150 | pop r8 151 | pop rbp 152 | pop rdi 153 | pop rsi 154 | pop rdx 155 | pop rcx 156 | pop rbx 157 | pop rax 158 | add rsp, 8 ; remove error code on the stack... 159 | 160 | iretq 161 | __gp_handler_vm endp 162 | __pf_handler_vm endp 163 | generic_interrupt_handler_ecode_vm ENDP 164 | 165 | END -------------------------------------------------------------------------------- /SKLib-v/src/efispoof.cpp: -------------------------------------------------------------------------------- 1 | #include "efispoof.h" 2 | 3 | bool SpoofFirmwareEntry(string entryName) { 4 | string guidString("{eaec226f-c9a3-477a-a826-ddc716cdc0e3}"); 5 | GUID guid = { 0 }; 6 | NTSTATUS ntStatus = RtlGUIDFromString(&guidString.unicode(), &guid); 7 | 8 | if (!NT_SUCCESS(ntStatus)) { 9 | return false; 10 | } 11 | 12 | char buffer[0x100] = { 0 }; 13 | char bufferCheck[0x100] = { 0 }; 14 | ULONG length = 0xff; 15 | ULONG attributes = 0; 16 | 17 | ntStatus = ExGetFirmwareEnvironmentVariable(&entryName.unicode(), &guid, buffer, &length, &attributes); 18 | if (!NT_SUCCESS(ntStatus)) { 19 | DbgMsg("[EFI] Could not get firmware env variable: 0x%x", ntStatus); 20 | return false; 21 | } 22 | 23 | memcpy(bufferCheck, buffer, length); 24 | rnd.c_str(buffer, length); 25 | 26 | if (!memcmp(buffer, bufferCheck, length)) { 27 | DbgMsg("[EFI] All %d bytes are equal, failed to generate spoofed value", length); 28 | return false; 29 | } 30 | 31 | DbgMsg("[EFI] Spoofed entry %s to %s", entryName.c_str(), buffer); 32 | 33 | attributes |= VARIABLE_ATTRIBUTE_NON_VOLATILE; 34 | ntStatus = ExSetFirmwareEnvironmentVariable(&entryName.unicode(), &guid, buffer, length, attributes); 35 | if (!NT_SUCCESS(ntStatus)) { 36 | DbgMsg("[EFI] Could not set firmware env variable: 0x%x", ntStatus); 37 | return false; 38 | } 39 | 40 | length = 0xff; 41 | ntStatus = ExGetFirmwareEnvironmentVariable(&entryName.unicode(), &guid, buffer, &length, NULL); 42 | if (!NT_SUCCESS(ntStatus)) { 43 | DbgMsg("[EFI] Could not get firmware env variable: 0x%x", ntStatus); 44 | return false; 45 | } 46 | 47 | if (!memcmp(buffer, bufferCheck, length)) { 48 | return false; 49 | } 50 | 51 | return true; 52 | } 53 | 54 | bool efi::Spoof(DWORD64 seed) 55 | { 56 | rnd.setSeed(seed); 57 | rnd.setSecLevel(random::SecurityLevel::PREDICTABLE); 58 | 59 | PGUID pExpBootEnvironmentInformation = (PGUID)((DWORD64)winternl::ntoskrnlBase + offsets.ExpBootEnvironmentInformation); 60 | 61 | //_disable(); 62 | //bool bEnableCET = CPU::DisableWriteProtection(); 63 | //pExpBootEnvironmentInformation->Data1 = (LONG)rnd.Next(0, MAXULONG); 64 | //pExpBootEnvironmentInformation->Data2 = (SHORT)rnd.Next(0, MAXUSHORT); 65 | //pExpBootEnvironmentInformation->Data3 = (SHORT)rnd.Next(0, MAXUSHORT); 66 | //CPU::EnableWriteProtection(bEnableCET); 67 | //_enable(); 68 | 69 | if (!SpoofFirmwareEntry("UnlockIDCopy")) { 70 | DbgMsg("[EFI] Failed spoofing UnlockIDCopy"); 71 | } 72 | if (!SpoofFirmwareEntry("OfflineUniqueIDRandomSeed")) { 73 | DbgMsg("[EFI] Failed spoofing OfflineUniqueIDRandomSeed"); 74 | } 75 | if (!SpoofFirmwareEntry("OfflineUniqueIDRandomSeedCRC")) { 76 | DbgMsg("[EFI] Failed spoofing OfflineUniqueIDRandomSeedCRC"); 77 | } 78 | if (!SpoofFirmwareEntry("OfflineUniqueIDEKPub")) { 79 | DbgMsg("[EFI] Failed spoofing OfflineUniqueIDEKPub"); 80 | } 81 | if (!SpoofFirmwareEntry("OfflineUniqueIDEKPubCRC")) { 82 | DbgMsg("[EFI] Failed spoofing OfflineUniqueIDEKPubCRC"); 83 | } 84 | if (!SpoofFirmwareEntry("PlatformModuleData")) { 85 | DbgMsg("[EFI] Failed spoofing PlatformModuleData"); 86 | } 87 | 88 | return true; 89 | } 90 | -------------------------------------------------------------------------------- /phymeme_lib/physmeme_lib.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {040c8387-476c-4aa5-aa2a-ca30465b41bd} 14 | 15 | 16 | {642c89a0-7989-4f5c-ae5a-f71e697abe16} 17 | 18 | 19 | {c4aa2f98-70d4-418e-894d-4e1975e2bad2} 20 | 21 | 22 | {4fd2f117-66bb-4f75-af5b-b7e041a4dc48} 23 | 24 | 25 | {161b3714-a6cd-4b7b-a1f1-9b90b1f84aca} 26 | 27 | 28 | {ed9d2db3-acef-42c0-880f-7f95dcca819d} 29 | 30 | 31 | 32 | 33 | Source Files\kernel_ctx 34 | 35 | 36 | Source Files\drv_image 37 | 38 | 39 | Source Files 40 | 41 | 42 | Source Files 43 | 44 | 45 | 46 | 47 | Header Files\kernel_ctx 48 | 49 | 50 | Header Files\util 51 | 52 | 53 | Header Files\util 54 | 55 | 56 | Header Files\util 57 | 58 | 59 | Header Files\drv_image 60 | 61 | 62 | Header Files\physmeme 63 | 64 | 65 | Header Files 66 | 67 | 68 | Header Files 69 | 70 | 71 | Header Files 72 | 73 | 74 | Header Files 75 | 76 | 77 | 78 | 79 | Source Files 80 | 81 | 82 | -------------------------------------------------------------------------------- /SKLib/include/IDT.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef _KERNEL_MODE 4 | #include 5 | #include 6 | #include "winternlex.h" 7 | 8 | typedef struct _IDT_REGS_ECODE IDT_REGS_ECODE, * PIDT_REGS_ECODE; 9 | 10 | typedef struct _IDT_REGS IDT_REGS, * PIDT_REGS; 11 | 12 | extern "C" void generic_interrupt_handler(); 13 | extern "C" void generic_interrupt_handler_ecode(); 14 | extern "C" void __gp_handler(); 15 | extern "C" void __pf_handler(); 16 | extern "C" void __de_handler(); 17 | extern "C" void __db_handler(); 18 | 19 | extern "C" void seh_handler_ecode(PIDT_REGS_ECODE regs); 20 | extern "C" void seh_handler(PIDT_REGS regs); 21 | 22 | // Vol3 Ch 6.14.1 23 | union IDTGateDescriptor64 24 | { 25 | private: 26 | public: 27 | struct 28 | { 29 | DWORD32 offset0_15 : 16; 30 | DWORD32 cs_selector : 16; 31 | DWORD32 ist : 3; 32 | DWORD32 must_be_zero1 : 5; 33 | DWORD32 type : 5; 34 | DWORD32 dpl : 2; 35 | DWORD32 present : 1; 36 | DWORD32 offset16_31 : 16; 37 | DWORD32 offset32_63 : 32; 38 | DWORD32 reserved : 32; 39 | } bits; 40 | DWORD32 values[4]{}; 41 | 42 | constexpr IDTGateDescriptor64() = default; 43 | 44 | void setup(void* handler, bool present, DWORD32 selector, DWORD32 type); 45 | void setup(void* handler); 46 | DWORD64 getAddress(); 47 | }; 48 | 49 | typedef struct _IDT_REGS_ECODE 50 | { 51 | UINT64 r15; 52 | UINT64 r14; 53 | UINT64 r13; 54 | UINT64 r12; 55 | UINT64 r11; 56 | UINT64 r10; 57 | UINT64 r9; 58 | UINT64 r8; 59 | UINT64 rbp; 60 | UINT64 rdi; 61 | UINT64 rsi; 62 | UINT64 rdx; 63 | UINT64 rcx; 64 | UINT64 rbx; 65 | UINT64 rax; 66 | 67 | UINT64 error_code; 68 | UINT64 rip; 69 | UINT64 cs_selector; 70 | RFLAGS rflags; 71 | UINT64 rsp; 72 | UINT64 ss_selector; 73 | } IDT_REGS_ECODE, * PIDT_REGS_ECODE; 74 | 75 | typedef struct _IDT_REGS 76 | { 77 | UINT64 r15; 78 | UINT64 r14; 79 | UINT64 r13; 80 | UINT64 r12; 81 | UINT64 r11; 82 | UINT64 r10; 83 | UINT64 r9; 84 | UINT64 r8; 85 | UINT64 rbp; 86 | UINT64 rdi; 87 | UINT64 rsi; 88 | UINT64 rdx; 89 | UINT64 rcx; 90 | UINT64 rbx; 91 | UINT64 rax; 92 | 93 | UINT64 rip; 94 | UINT64 cs_selector; 95 | RFLAGS rflags; 96 | UINT64 rsp; 97 | UINT64 ss_selector; 98 | } IDT_REGS, * PIDT_REGS; 99 | 100 | class IDT 101 | { 102 | public: 103 | IDTGateDescriptor64 descriptor[256]; 104 | 105 | void setup_entry(size_t i, bool present, void* handler = nullptr) 106 | { 107 | descriptor[i].setup( 108 | handler, 109 | present, 110 | CPU::GetCs(), 111 | SEGMENT_DESCRIPTOR_TYPE_INTERRUPT_GATE 112 | ); 113 | } 114 | 115 | void setup_entry(size_t i, void* handler = nullptr) 116 | { 117 | descriptor[i].setup( 118 | handler 119 | ); 120 | } 121 | 122 | void* get_address() { return &descriptor; } 123 | size_t get_limit() const { return sizeof(descriptor) | 7; } 124 | 125 | void setup(void(*handler)(), void(*handler_ecode)()); 126 | void setup(); 127 | void setup(IDTGateDescriptor64* pOrigIDT); 128 | 129 | void save(); 130 | }; 131 | 132 | #endif -------------------------------------------------------------------------------- /SKLib/include/macros.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef _KERNEL_MODE 4 | #define _DEBUG 5 | #endif 6 | 7 | /* 8 | * Enables logging, disables DMA protection and guarded regions 9 | */ 10 | #define DEBUG_BUILD 11 | 12 | /* 13 | * Log MmCopyMemory and catch serials being copied from memory 14 | */ 15 | //#define LOG_AC 16 | 17 | /* 18 | * Log hypervisor operations and hooks 19 | */ 20 | //#define HYPER_LOG 21 | 22 | /* 23 | * Defining this macro will disable exception handling, and map 24 | * the driver via kdmapper 25 | */ 26 | #define _KDMAPPED 27 | 28 | /* 29 | * Defining this macro will allocate a shared buffer for logging 30 | * that the driver is responsible for passing to the usermode 31 | * module for log retrieval 32 | */ 33 | #define _USERMODE_LOGS 34 | 35 | /* 36 | * Defining this macro will link against code virtualizer 37 | * therefore forcing you to go through the protection process 38 | */ 39 | //#define PROTECT_BINARY 40 | 41 | /* 42 | * When disabled all pseudorandom generations are treated as hardware generation 43 | * requests 44 | */ 45 | #define ENABLE_PREDICTABLE_RANDOM 46 | 47 | /* 48 | * When disabled there will be no bsod customization related setup, and all functions will 49 | * immediately return if invoked 50 | */ 51 | //#define CUSTOMIZE_BSOD 52 | 53 | /* 54 | * Necessary to avoid on dump DMA read of hv address space 55 | */ 56 | //#define DISABLE_FULL_DUMPS 57 | 58 | /* 59 | * When disabled the function EPT::HideDriver will do nothing, use for debug only 60 | */ 61 | #define ENABLE_EPT_PROTECTION 62 | 63 | /* 64 | * When disabled there will be no checks for freeze conditions 65 | */ 66 | //#define ENABLE_CLOCK_TIMEOUT 67 | 68 | #pragma warning (disable:4390) 69 | #pragma warning (disable:4189) 70 | 71 | #define DbgMsgIfPossible(x, ...) if(KeGetCurrentIrql() <= 2 /*DISPATCH_LEVEL*/) DbgPrintEx(0, 0, x##"\n", __VA_ARGS__) 72 | #define DbgMsgForce(x, ...) DbgPrintEx(0, 0, x##"\n", __VA_ARGS__) 73 | 74 | #ifdef DEBUG_BUILD 75 | #ifndef ENABLE_EPT_PROTECTION 76 | 77 | #define DbgMsg(x, ...) DbgPrintEx(0, 0, x##"\n", __VA_ARGS__) 78 | 79 | #else 80 | 81 | #define DbgMsg(x, ...) 82 | 83 | #endif 84 | #else 85 | #define DbgMsg(x, ...) 86 | 87 | /* 88 | * Necessary to protect from DMA dumps 89 | */ 90 | #define ENABLE_DMA_PROTECTION 91 | 92 | /* 93 | * Necessary to create guarded regions 94 | */ 95 | //#define ENABLE_IDENTITY_GUARD 96 | 97 | #endif 98 | 99 | #ifndef _KDMAPPED 100 | #define EntryInit DriverEntryInit 101 | #define EntryPoint DriverEntry 102 | #else 103 | #define EntryInit DriverEntry 104 | #define EntryPoint DriverEntryInit 105 | #endif 106 | 107 | #define RND_SECURE 1 108 | #define RND_PSEUDO 0 109 | #define RND_SECURITY_LEVEL RND_PSEUDO 110 | 111 | //Functions 112 | #define DebugBreak() 113 | #define BreakAtIRQL(irql) if(KeGetCurrentIrql() >= irql) DebugBreak(); 114 | 115 | //Constants 116 | #define DRIVER_TAG NULL 117 | 118 | #define INIT_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \ 119 | const GUID name \ 120 | = { l, w1, w2, { b1, b2, b3, b4, b5, b6, b7, b8 } } 121 | 122 | #ifdef BUILD_SPOOFER 123 | #ifdef DEBUG_BUILD 124 | #define BUILD_FLAGS (0x0) 125 | #else 126 | #define BUILD_FLAGS (0x1) 127 | #endif 128 | #else 129 | #ifdef DEBUG_BUILD 130 | #define BUILD_FLAGS (0xff) 131 | #else 132 | #define BUILD_FLAGS (0x2) 133 | #endif 134 | #endif -------------------------------------------------------------------------------- /SKLib.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.4.33122.133 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "kdmapper", "kdmapper_lib\kdmapper\kdmapper.vcxproj", "{518E0636-BA8F-459D-ACAC-81BD33475E3E}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Pdbparser", "Pdbparser\Pdbparser.vcxproj", "{E00C691A-12FF-45E0-AC0A-4CC80DAD2D78}" 9 | EndProject 10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "physmeme_lib", "phymeme_lib\physmeme_lib.vcxproj", "{13FFA531-AD46-46F8-B52D-4A01BA078034}" 11 | EndProject 12 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SKLib-v", "SKLib-v\SKLib-v.vcxproj", "{64D50B5F-55D6-4F58-B6A8-0BF0D40B1500}" 13 | ProjectSection(ProjectDependencies) = postProject 14 | {780FD52C-B046-4AFF-95F9-F6778247D26E} = {780FD52C-B046-4AFF-95F9-F6778247D26E} 15 | EndProjectSection 16 | EndProject 17 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SKLib", "SKLib\SKLib.vcxproj", "{780FD52C-B046-4AFF-95F9-F6778247D26E}" 18 | EndProject 19 | Global 20 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 21 | Release|x64 = Release|x64 22 | ReleaseWithSpoofer|x64 = ReleaseWithSpoofer|x64 23 | EndGlobalSection 24 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 25 | {518E0636-BA8F-459D-ACAC-81BD33475E3E}.Release|x64.ActiveCfg = Release|x64 26 | {518E0636-BA8F-459D-ACAC-81BD33475E3E}.Release|x64.Build.0 = Release|x64 27 | {518E0636-BA8F-459D-ACAC-81BD33475E3E}.ReleaseWithSpoofer|x64.ActiveCfg = ReleaseWithSpoofer|x64 28 | {518E0636-BA8F-459D-ACAC-81BD33475E3E}.ReleaseWithSpoofer|x64.Build.0 = ReleaseWithSpoofer|x64 29 | {E00C691A-12FF-45E0-AC0A-4CC80DAD2D78}.Release|x64.ActiveCfg = Release|x64 30 | {E00C691A-12FF-45E0-AC0A-4CC80DAD2D78}.Release|x64.Build.0 = Release|x64 31 | {E00C691A-12FF-45E0-AC0A-4CC80DAD2D78}.ReleaseWithSpoofer|x64.ActiveCfg = ReleaseWithSpoofer|x64 32 | {E00C691A-12FF-45E0-AC0A-4CC80DAD2D78}.ReleaseWithSpoofer|x64.Build.0 = ReleaseWithSpoofer|x64 33 | {13FFA531-AD46-46F8-B52D-4A01BA078034}.Release|x64.ActiveCfg = Release|x64 34 | {13FFA531-AD46-46F8-B52D-4A01BA078034}.Release|x64.Build.0 = Release|x64 35 | {13FFA531-AD46-46F8-B52D-4A01BA078034}.ReleaseWithSpoofer|x64.ActiveCfg = ReleaseWithSpoofer|x64 36 | {13FFA531-AD46-46F8-B52D-4A01BA078034}.ReleaseWithSpoofer|x64.Build.0 = ReleaseWithSpoofer|x64 37 | {64D50B5F-55D6-4F58-B6A8-0BF0D40B1500}.Release|x64.ActiveCfg = Release|x64 38 | {64D50B5F-55D6-4F58-B6A8-0BF0D40B1500}.Release|x64.Build.0 = Release|x64 39 | {64D50B5F-55D6-4F58-B6A8-0BF0D40B1500}.ReleaseWithSpoofer|x64.ActiveCfg = ReleaseWithSpoofer|x64 40 | {64D50B5F-55D6-4F58-B6A8-0BF0D40B1500}.ReleaseWithSpoofer|x64.Build.0 = ReleaseWithSpoofer|x64 41 | {780FD52C-B046-4AFF-95F9-F6778247D26E}.Release|x64.ActiveCfg = Release|x64 42 | {780FD52C-B046-4AFF-95F9-F6778247D26E}.Release|x64.Build.0 = Release|x64 43 | {780FD52C-B046-4AFF-95F9-F6778247D26E}.ReleaseWithSpoofer|x64.ActiveCfg = ReleaseWithSpoofer|x64 44 | {780FD52C-B046-4AFF-95F9-F6778247D26E}.ReleaseWithSpoofer|x64.Build.0 = ReleaseWithSpoofer|x64 45 | EndGlobalSection 46 | GlobalSection(SolutionProperties) = preSolution 47 | HideSolutionNode = FALSE 48 | EndGlobalSection 49 | GlobalSection(ExtensibilityGlobals) = postSolution 50 | SolutionGuid = {80EEFEA5-C8AE-4027-83B3-0486AEFFCB23} 51 | EndGlobalSection 52 | EndGlobal 53 | -------------------------------------------------------------------------------- /SKLib/src/collector.cpp: -------------------------------------------------------------------------------- 1 | #include "collector.h" 2 | 3 | list* Collector::myGarbage = nullptr; 4 | Spinlock garbageLock; 5 | 6 | void Collector::Init() 7 | { 8 | myGarbage = (list*)ExAllocatePoolWithTag(NonPagedPoolNx, sizeof(*myGarbage), NULL); 9 | myGarbage->Init(false); 10 | } 11 | 12 | void Collector::Add(void* p, cpp::MemoryType type, size_t sz, PMDL pMdl) 13 | { 14 | MemoryAddress mAddy = { 15 | type, 16 | p, 17 | sz, 18 | pMdl 19 | }; 20 | 21 | garbageLock.Lock(); 22 | myGarbage->Append(mAddy); 23 | garbageLock.Unlock(); 24 | } 25 | 26 | void Collector::Remove(void* p) 27 | { 28 | auto fnDeleteWhere = [p](MemoryAddress mObj) { 29 | return mObj.pMemory == p; 30 | }; 31 | 32 | garbageLock.Lock(); 33 | myGarbage->RemoveWhere(fnDeleteWhere); 34 | garbageLock.Unlock(); 35 | } 36 | 37 | void Collector::Remove(MemoryAddress& pMem) { 38 | garbageLock.Lock(); 39 | myGarbage->Remove(pMem); 40 | garbageLock.Unlock(); 41 | } 42 | 43 | void Collector::Clean() 44 | { 45 | DbgMsg("[COLLECTOR] Number of leaked memory pools: %d", myGarbage->Length()); 46 | //Dispose of pointers stored inside node's objects 47 | node* curNode = myGarbage->FirstNode(); 48 | for (int i = 0; i < myGarbage->Length(); i++) { 49 | auto nextNode = curNode->fLink; 50 | FreeMemory(curNode->obj); 51 | curNode = nextNode; 52 | } 53 | DbgMsg("[COLLECTOR] Disposed of leaked memory"); 54 | 55 | myGarbage->Dispose(); 56 | DbgMsg("[COLLECTOR] Disposed of collector nodes"); 57 | } 58 | 59 | void Collector::FreeMemory(MemoryAddress& memAddr) { 60 | switch (memAddr.type) { 61 | case cpp::NonPaged: 62 | MmUnmapLockedPages(memAddr.pMemory, memAddr.pMdl); 63 | MmFreePagesFromMdl(memAddr.pMdl); 64 | ExFreePool(memAddr.pMdl); 65 | break; 66 | case cpp::NonCached: 67 | MmFreeNonCachedMemory(memAddr.pMemory, memAddr.szMemory); 68 | break; 69 | case cpp::Continuous: 70 | MmFreeContiguousMemory(memAddr.pMemory); 71 | break; 72 | case cpp::Pooled: 73 | ExFreePool(memAddr.pMemory); 74 | break; 75 | } 76 | } 77 | 78 | void Collector::Dispose() 79 | { 80 | if (!myGarbage) 81 | return; 82 | 83 | Clean(); 84 | ExFreePool(myGarbage); 85 | } 86 | 87 | MemoryAddress Collector::GetMemoryInfo(void* pMemory) 88 | { 89 | Lock(); 90 | node* curNode = myGarbage->LastNode(); 91 | for (int i = myGarbage->Length() - 1; i >= 0; i--) { 92 | auto nextNode = curNode->bLink; 93 | if (pMemory == curNode->obj.pMemory) { 94 | Unlock(); 95 | return curNode->obj; 96 | } 97 | curNode = nextNode; 98 | } 99 | Unlock(); 100 | return MemoryAddress(); 101 | } 102 | 103 | void Collector::Lock() 104 | { 105 | garbageLock.Lock(); 106 | } 107 | 108 | void Collector::Unlock() 109 | { 110 | garbageLock.Unlock(); 111 | } 112 | 113 | void Collector::Clean(void* pMemory) 114 | { 115 | //Dispose of pointers stored inside node's objects 116 | bool bFound = false; 117 | 118 | for(int i = myGarbage->Length() - 1; i >= 0; i--) { 119 | auto curNode = myGarbage->at(i); 120 | if (curNode.pMemory == pMemory) { 121 | bFound = true; 122 | //Dispose of nodes and list object 123 | FreeMemory(curNode); 124 | break; 125 | } 126 | } 127 | 128 | // Remove from linked list 129 | Remove(pMemory); 130 | 131 | if (!bFound) { 132 | DbgMsg("[COLLECTOR] Warning: %p not found in garbage!", pMemory); 133 | return; 134 | } 135 | } 136 | -------------------------------------------------------------------------------- /SKLib/include/VirtualizerSDKMacros.h: -------------------------------------------------------------------------------- 1 | /****************************************************************************** 2 | Header: VirtualizerMacros.h 3 | Description: Definition of SecureEngine macros via ASM module 4 | 5 | Author/s: Oreans Technologies 6 | (c) 2013 Oreans Technologies 7 | *****************************************************************************/ 8 | 9 | #pragma once 10 | 11 | #include "macros.h" 12 | 13 | 14 | // *********************************************** 15 | // Specify platform 16 | // *********************************************** 17 | 18 | #ifdef _WIN64 19 | #define PLATFORM_X64 20 | #else 21 | #define PLATFORM_X32 22 | #endif 23 | 24 | 25 | // *********************************************** 26 | // Include files 27 | // *********************************************** 28 | 29 | #include "VirtualizerSDKCustomVMsMacros.h" 30 | 31 | #ifdef __cplusplus 32 | extern "C" { 33 | #endif 34 | 35 | #ifdef PROTECT_BINARY 36 | #if defined(PLATFORM_X32) 37 | 38 | void __stdcall VIRTUALIZER_START_ASM32(); 39 | void __stdcall VIRTUALIZER_END_ASM32(); 40 | void __stdcall VIRTUALIZER_STR_ENCRYPT_START_ASM32(); 41 | void __stdcall VIRTUALIZER_STR_ENCRYPT_END_ASM32(); 42 | void __stdcall VIRTUALIZER_STR_ENCRYPTW_START_ASM32(); 43 | void __stdcall VIRTUALIZER_STR_ENCRYPTW_END_ASM32(); 44 | void __stdcall VIRTUALIZER_UNPROTECTED_START_ASM32(); 45 | void __stdcall VIRTUALIZER_UNPROTECTED_END_ASM32(); 46 | 47 | #define VIRTUALIZER_START VIRTUALIZER_START_ASM32(); 48 | #define VIRTUALIZER_END VIRTUALIZER_END_ASM32(); 49 | #define VIRTUALIZER_STR_ENCRYPT_START VIRTUALIZER_STR_ENCRYPT_START_ASM32(); 50 | #define VIRTUALIZER_STR_ENCRYPT_END VIRTUALIZER_STR_ENCRYPT_END_ASM32(); 51 | #define VIRTUALIZER_STR_ENCRYPTW_START VIRTUALIZER_STR_ENCRYPTW_START_ASM32(); 52 | #define VIRTUALIZER_STR_ENCRYPTW_END VIRTUALIZER_STR_ENCRYPTW_END_ASM32(); 53 | #define VIRTUALIZER_UNPROTECTED_START VIRTUALIZER_UNPROTECTED_START_ASM32(); 54 | #define VIRTUALIZER_UNPROTECTED_END VIRTUALIZER_UNPROTECTED_END_ASM32(); 55 | 56 | #endif 57 | 58 | #if defined(PLATFORM_X64) 59 | 60 | void __stdcall VIRTUALIZER_START_ASM64(); 61 | void __stdcall VIRTUALIZER_END_ASM64(); 62 | void __stdcall VIRTUALIZER_STR_ENCRYPT_START_ASM64(); 63 | void __stdcall VIRTUALIZER_STR_ENCRYPT_END_ASM64(); 64 | void __stdcall VIRTUALIZER_STR_ENCRYPTW_START_ASM64(); 65 | void __stdcall VIRTUALIZER_STR_ENCRYPTW_END_ASM64(); 66 | void __stdcall VIRTUALIZER_UNPROTECTED_START_ASM64(); 67 | void __stdcall VIRTUALIZER_UNPROTECTED_END_ASM64(); 68 | 69 | #define VIRTUALIZER_START VIRTUALIZER_START_ASM64(); 70 | #define VIRTUALIZER_END VIRTUALIZER_END_ASM64(); 71 | #define VIRTUALIZER_STR_ENCRYPT_START VIRTUALIZER_STR_ENCRYPT_START_ASM64(); 72 | #define VIRTUALIZER_STR_ENCRYPT_END VIRTUALIZER_STR_ENCRYPT_END_ASM64(); 73 | #define VIRTUALIZER_STR_ENCRYPTW_START VIRTUALIZER_STR_ENCRYPTW_START_ASM64(); 74 | #define VIRTUALIZER_STR_ENCRYPTW_END VIRTUALIZER_STR_ENCRYPTW_END_ASM64(); 75 | #define VIRTUALIZER_UNPROTECTED_START VIRTUALIZER_UNPROTECTED_START_ASM64(); 76 | #define VIRTUALIZER_UNPROTECTED_END VIRTUALIZER_UNPROTECTED_END_ASM64(); 77 | 78 | #endif 79 | #else 80 | 81 | #define VIRTUALIZER_START 82 | #define VIRTUALIZER_END 83 | #define VIRTUALIZER_STR_ENCRYPT_START 84 | #define VIRTUALIZER_STR_ENCRYPT_END 85 | #define VIRTUALIZER_STR_ENCRYPTW_START 86 | #define VIRTUALIZER_STR_ENCRYPTW_END 87 | #define VIRTUALIZER_UNPROTECTED_START 88 | #define VIRTUALIZER_UNPROTECTED_END 89 | 90 | #endif 91 | 92 | #ifdef __cplusplus 93 | } 94 | #endif -------------------------------------------------------------------------------- /phymeme_lib/kernel_ctx/kernel_ctx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "../util/util.hpp" 10 | #include "../physmeme/physmeme.hpp" 11 | #include "../util/hook.hpp" 12 | 13 | namespace physmeme 14 | { 15 | // 16 | // offset of function into a physical page 17 | // used for comparing bytes when searching 18 | // 19 | inline std::uint16_t nt_page_offset{}; 20 | 21 | // 22 | // rva of nt function we are going to hook 23 | // 24 | inline std::uint32_t nt_rva{}; 25 | 26 | // 27 | // base address of ntoskrnl (inside of this process) 28 | // 29 | inline const std::uint8_t* ntoskrnl_buffer{}; 30 | 31 | // 32 | // has the page been found yet? 33 | // 34 | inline std::atomic is_page_found = false; 35 | 36 | // 37 | // mapping of a syscalls physical memory (for installing hooks) 38 | // 39 | inline std::atomic psyscall_func{}; 40 | 41 | // 42 | // you can edit this how you choose, im hooking NtShutdownSystem. 43 | // 44 | inline const std::pair syscall_hook = { "NtShutdownSystem", "ntdll.dll" }; 45 | 46 | class kernel_ctx 47 | { 48 | public: 49 | // 50 | // default constructor 51 | // 52 | kernel_ctx(); 53 | 54 | // 55 | // allocate kernel pool of desired size and type 56 | // 57 | void* allocate_pool(std::size_t size, POOL_TYPE pool_type = NonPagedPool); 58 | void* allocate_pool_db(std::size_t size); 59 | 60 | // 61 | // allocate kernel pool of size, pool tag, and type 62 | // 63 | void* allocate_pool(std::size_t size, ULONG pool_tag = 'MEME', POOL_TYPE pool_type = NonPagedPool); 64 | 65 | // 66 | // read kernel memory with RtlCopyMemory 67 | // 68 | void read_kernel(void* addr, void* buffer, std::size_t size); 69 | 70 | // 71 | // write kernel memory with RtlCopyMemory 72 | // 73 | void write_kernel(void* addr, void* buffer, std::size_t size); 74 | 75 | // 76 | // zero kernel memory using RtlZeroMemory 77 | // 78 | void zero_kernel_memory(void* addr, std::size_t size); 79 | 80 | // 81 | // clear piddb cache of a specific driver 82 | // 83 | bool clear_piddb_cache(const std::string& file_name, const std::uint32_t timestamp); 84 | 85 | template 86 | T read_kernel(void* addr) 87 | { 88 | if (!addr) 89 | return {}; 90 | T buffer; 91 | read_kernel(addr, (void*)&buffer, sizeof(T)); 92 | return buffer; 93 | } 94 | 95 | template 96 | void write_kernel(void* addr, const T& data) 97 | { 98 | if (!addr) 99 | return; 100 | write_kernel(addr, (void*)&data, sizeof(T)); 101 | } 102 | 103 | template 104 | std::invoke_result_t syscall(void* addr, Ts ... args) const 105 | { 106 | static const auto proc = 107 | GetProcAddress( 108 | GetModuleHandleA("ntdll.dll"), 109 | syscall_hook.first.data() 110 | ); 111 | 112 | hook::make_hook(psyscall_func, addr); 113 | auto result = reinterpret_cast(proc)(args ...); 114 | hook::remove(psyscall_func); 115 | return result; 116 | } 117 | private: 118 | 119 | // 120 | // find and map the physical page of a syscall into this process 121 | // 122 | void map_syscall(std::uintptr_t begin, std::uintptr_t end) const; 123 | 124 | // 125 | // used in conjunction with get_process_base. 126 | // 127 | PEPROCESS get_peprocess(unsigned pid) const; 128 | 129 | // 130 | // get base address of process (used to compare and ensure we find the right page). 131 | // 132 | void* get_proc_base(unsigned pid) const; 133 | 134 | bool bPiddbClear; 135 | }; 136 | } -------------------------------------------------------------------------------- /SKLib/include/data.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef _KERNEL_MODE 4 | #ifndef _WDMDDK_ 5 | #include 6 | #endif 7 | #include 8 | #endif 9 | 10 | #include "ListEx.h" 11 | #include "eventlogger.h" 12 | #include "ioctl.h" 13 | #include "power.h" 14 | #include "sharedpool.h" 15 | #include "RandEx.h" 16 | 17 | #pragma warning (disable:4458) 18 | #pragma warning (disable:4101) 19 | #pragma warning (disable:4238) 20 | 21 | 22 | struct OffsetDump; 23 | struct _CLEANUP_DATA; 24 | 25 | extern OffsetDump offsets; 26 | extern _CLEANUP_DATA cleanupData; 27 | 28 | #define VALID_OFFSET(offset) (offset && (offset != MAXULONG64)) 29 | 30 | #pragma pack(push, 1) 31 | struct OffsetDump { 32 | /* 33 | * RAID 34 | */ 35 | ULONG64 RaidIdentity; 36 | ULONG64 RaidSerialNumber; 37 | ULONG64 RaidUnitRegInterface; 38 | 39 | ULONG64 ScsiSerialNumber; 40 | 41 | /* 42 | * NIC 43 | */ 44 | ULONG64 NdisGlobalFilterList; 45 | ULONG64 FilterBlockNextFilter; 46 | ULONG64 FilterBlockMiniport; 47 | ULONG64 FilterBlockInstanceName; 48 | ULONG64 FilterBlockIfBlock; 49 | 50 | ULONG64 MiniportBlockInterfaceGuid; 51 | ULONG64 MiniportBlockLowestFilter; 52 | ULONG64 MiniportBlockHighestFilter; 53 | 54 | ULONG64 IfBlockPhy; 55 | ULONG64 IfBlockPermanentPhy; 56 | 57 | /* 58 | * SMBIOS 59 | */ 60 | ULONG64 WmipSMBiosTableLength; 61 | 62 | /* 63 | * TEB 64 | */ 65 | ULONG64 ClientInfo; 66 | ULONG64 HwndCache; 67 | 68 | /* 69 | * ci.dll 70 | */ 71 | ULONG64 g_KernelHashBucketList; 72 | ULONG64 g_HashCacheLock; 73 | 74 | /* 75 | * Functions 76 | */ 77 | ULONG64 PsEnumProcesses; 78 | ULONG64 PsEnumProcessThreads; 79 | ULONG64 WmipSMBiosVersionInfo; 80 | ULONG64 PspInsertProcess; 81 | ULONG64 PspInsertThread; 82 | ULONG64 PspTerminateProcess; 83 | ULONG64 MmQueryVirtualMemory; 84 | ULONG64 NtResumeThread; 85 | ULONG64 BgpFwQueryBootGraphicsInformation; 86 | ULONG64 MiniportPendingMacAddress; 87 | ULONG64 PspCreateThread; 88 | ULONG64 PspSetQuotaLimits; 89 | ULONG64 MmQueryWorkingSetInformation; 90 | ULONG64 MmAdjustWorkingSetSizeEx; 91 | ULONG64 MiniportIfBlock; 92 | ULONG64 PspRundownSingleProcess; 93 | ULONG64 PspGetContextThreadInternal; 94 | ULONG64 WmipQueryAllData; 95 | ULONG64 ZwSetInformationProcess; 96 | ULONG64 PsQueryFullProcessImageName; 97 | 98 | ULONG64 ExpBootEnvironmentInformation; 99 | ULONG64 WmipSMBiosTablePhysicalAddress; 100 | ULONG64 PiDDBLock; 101 | ULONG64 PiDDBCacheTable; 102 | ULONG64 KiNmiInterruptStart; 103 | ULONG64 NtLockVirtualMemory; 104 | }; 105 | 106 | typedef struct _CLEANUP_DATA { 107 | HANDLE hDevice; 108 | DWORD32 dwTimestamp; 109 | char pDriverName[0x100]; 110 | PVOID pPreHv; 111 | } CLEANUP_DATA, * PCLEANUP_DATA; 112 | 113 | typedef struct _USERMODE_INFO { 114 | //Usermode to kernel 115 | DWORD64 vmcallKey; 116 | PVOID driverBase; 117 | ULONG64 driverSize; 118 | ULONG32 loaderProcId; 119 | 120 | //Kernel to usermode 121 | ULONG64 callbackAddress; 122 | FILETIME callTime; 123 | 124 | //Shared 125 | OffsetDump offsets; 126 | CLEANUP_DATA cleanupData; 127 | DWORD64 spooferSeed; 128 | 129 | //Pre-to-hv 130 | PVOID pIdtCopy; 131 | ULONG64 cpuIdx; 132 | PVOID pDetectionCallback; 133 | } USERMODE_INFO, * PUSERMODE_INFO; 134 | #pragma pack(pop) 135 | 136 | #ifdef _KERNEL_MODE 137 | 138 | namespace SKLib { 139 | extern wchar_t UniHideKeysPath[]; 140 | extern wchar_t CurrentDriverName[]; 141 | extern bool IsInitialized; 142 | 143 | //Logging 144 | namespace Log { 145 | extern EventLogger evLogger; 146 | } 147 | 148 | extern PUSERMODE_INFO pUserInfo; 149 | 150 | void Init(PDRIVER_OBJECT pDevice = nullptr); 151 | void InitName(wchar_t* pDriverName = nullptr); 152 | void Dispose(); 153 | } 154 | 155 | #endif 156 | -------------------------------------------------------------------------------- /kdmapper_lib/kdmapper/src/service.cpp: -------------------------------------------------------------------------------- 1 | #include "service.hpp" 2 | 3 | bool service::RegisterAndStart(const std::wstring& driver_path) { 4 | const static DWORD ServiceTypeKernel = 1; 5 | const std::wstring driver_name = intel_driver::GetDriverNameW(); 6 | const std::wstring servicesPath = L"SYSTEM\\CurrentControlSet\\Services\\" + driver_name; 7 | const std::wstring nPath = L"\\??\\" + driver_path; 8 | 9 | HKEY dservice; 10 | LSTATUS status = RegCreateKeyW(HKEY_LOCAL_MACHINE, servicesPath.c_str(), &dservice); //Returns Ok if already exists 11 | if (status != ERROR_SUCCESS) { 12 | Log("[-] Can't create service key"); 13 | return false; 14 | } 15 | 16 | status = RegSetKeyValueW(dservice, NULL, L"ImagePath", REG_EXPAND_SZ, nPath.c_str(), (DWORD)(nPath.size()*sizeof(wchar_t))); 17 | if (status != ERROR_SUCCESS) { 18 | RegCloseKey(dservice); 19 | Log("[-] Can't create 'ImagePath' registry value"); 20 | return false; 21 | } 22 | 23 | status = RegSetKeyValueW(dservice, NULL, L"Type", REG_DWORD, &ServiceTypeKernel, sizeof(DWORD)); 24 | if (status != ERROR_SUCCESS) { 25 | RegCloseKey(dservice); 26 | Log("[-] Can't create 'Type' registry value"); 27 | return false; 28 | } 29 | 30 | RegCloseKey(dservice); 31 | 32 | HMODULE ntdll = GetModuleHandleA("ntdll.dll"); 33 | if (ntdll == NULL) { 34 | return false; 35 | } 36 | 37 | auto RtlAdjustPrivilege = (nt::RtlAdjustPrivilege)GetProcAddress(ntdll, "RtlAdjustPrivilege"); 38 | auto NtLoadDriver = (nt::NtLoadDriver)GetProcAddress(ntdll, "NtLoadDriver"); 39 | 40 | ULONG SE_LOAD_DRIVER_PRIVILEGE = 10UL; 41 | BOOLEAN SeLoadDriverWasEnabled; 42 | NTSTATUS Status = RtlAdjustPrivilege(SE_LOAD_DRIVER_PRIVILEGE, TRUE, FALSE, &SeLoadDriverWasEnabled); 43 | if (!NT_SUCCESS(Status)) { 44 | Log("Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator."); 45 | return false; 46 | } 47 | 48 | std::wstring wdriver_reg_path = L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" + driver_name; 49 | UNICODE_STRING serviceStr; 50 | RtlInitUnicodeString(&serviceStr, wdriver_reg_path.c_str()); 51 | 52 | Status = NtLoadDriver(&serviceStr); 53 | Log("[+] NtLoadDriver Status 0x%x", Status); 54 | 55 | //Never should occur since kdmapper checks for "IsRunning" driver before 56 | if (Status == 0xC000010E) {// STATUS_IMAGE_ALREADY_LOADED 57 | return true; 58 | } 59 | 60 | return NT_SUCCESS(Status); 61 | } 62 | 63 | bool service::StopAndRemove(const std::wstring& driver_name) { 64 | HMODULE ntdll = GetModuleHandleA("ntdll.dll"); 65 | if (ntdll == NULL) 66 | return false; 67 | 68 | std::wstring wdriver_reg_path = L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" + driver_name; 69 | UNICODE_STRING serviceStr; 70 | RtlInitUnicodeString(&serviceStr, wdriver_reg_path.c_str()); 71 | 72 | HKEY driver_service; 73 | std::wstring servicesPath = L"SYSTEM\\CurrentControlSet\\Services\\" + driver_name; 74 | LSTATUS status = RegOpenKeyW(HKEY_LOCAL_MACHINE, servicesPath.c_str(), &driver_service); 75 | if (status != ERROR_SUCCESS) { 76 | if (status == ERROR_FILE_NOT_FOUND) { 77 | return true; 78 | } 79 | return false; 80 | } 81 | RegCloseKey(driver_service); 82 | 83 | auto NtUnloadDriver = (nt::NtUnloadDriver)GetProcAddress(ntdll, "NtUnloadDriver"); 84 | NTSTATUS st = NtUnloadDriver(&serviceStr); 85 | Log("[+] NtUnloadDriver Status 0x%x", st); 86 | if (st != 0x0) { 87 | Log("[-] Driver Unload Failed!!"); 88 | status = RegDeleteKeyW(HKEY_LOCAL_MACHINE, servicesPath.c_str()); 89 | return false; //lets consider unload fail as error because can cause problems with anti cheats later 90 | } 91 | 92 | 93 | status = RegDeleteKeyW(HKEY_LOCAL_MACHINE, servicesPath.c_str()); 94 | if (status != ERROR_SUCCESS) { 95 | return false; 96 | } 97 | return true; 98 | } 99 | -------------------------------------------------------------------------------- /kdmapper_lib/kdmapper/src/portable_executable.cpp: -------------------------------------------------------------------------------- 1 | #include "portable_executable.hpp" 2 | 3 | PIMAGE_NT_HEADERS64 portable_executable::GetNtHeaders(void* image_base) { 4 | const auto dos_header = reinterpret_cast(image_base); 5 | 6 | if (dos_header->e_magic != IMAGE_DOS_SIGNATURE) 7 | return nullptr; 8 | 9 | const auto nt_headers = reinterpret_cast(reinterpret_cast(image_base) + dos_header->e_lfanew); 10 | 11 | if (nt_headers->Signature != IMAGE_NT_SIGNATURE) 12 | return nullptr; 13 | 14 | return nt_headers; 15 | } 16 | 17 | portable_executable::vec_relocs portable_executable::GetRelocs(void* image_base) { 18 | const PIMAGE_NT_HEADERS64 nt_headers = GetNtHeaders(image_base); 19 | 20 | if (!nt_headers) 21 | return {}; 22 | 23 | vec_relocs relocs; 24 | DWORD reloc_va = nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; 25 | 26 | if (!reloc_va) //Fix from @greetmark of UnknownCheats Forum 27 | return {}; 28 | 29 | auto current_base_relocation = reinterpret_cast(reinterpret_cast(image_base) + reloc_va); 30 | const auto reloc_end = reinterpret_cast(reinterpret_cast(current_base_relocation) + nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size); 31 | 32 | while (current_base_relocation < reloc_end && current_base_relocation->SizeOfBlock) { 33 | RelocInfo reloc_info; 34 | 35 | reloc_info.address = reinterpret_cast(image_base) + current_base_relocation->VirtualAddress; 36 | reloc_info.item = reinterpret_cast(reinterpret_cast(current_base_relocation) + sizeof(IMAGE_BASE_RELOCATION)); 37 | reloc_info.count = (current_base_relocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(uint16_t); 38 | 39 | relocs.push_back(reloc_info); 40 | 41 | current_base_relocation = reinterpret_cast(reinterpret_cast(current_base_relocation) + current_base_relocation->SizeOfBlock); 42 | } 43 | 44 | return relocs; 45 | } 46 | 47 | portable_executable::vec_imports portable_executable::GetImports(void* image_base) { 48 | const PIMAGE_NT_HEADERS64 nt_headers = GetNtHeaders(image_base); 49 | 50 | if (!nt_headers) 51 | return {}; 52 | 53 | DWORD import_va = nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; 54 | 55 | //not imports necesary 56 | if (!import_va) 57 | return {}; 58 | 59 | vec_imports imports; 60 | 61 | auto current_import_descriptor = reinterpret_cast(reinterpret_cast(image_base) + import_va); 62 | 63 | while (current_import_descriptor->FirstThunk) { 64 | ImportInfo import_info; 65 | 66 | import_info.module_name = std::string(reinterpret_cast(reinterpret_cast(image_base) + current_import_descriptor->Name)); 67 | 68 | auto current_first_thunk = reinterpret_cast(reinterpret_cast(image_base) + current_import_descriptor->FirstThunk); 69 | auto current_originalFirstThunk = reinterpret_cast(reinterpret_cast(image_base) + current_import_descriptor->OriginalFirstThunk); 70 | 71 | while (current_originalFirstThunk->u1.Function) { 72 | ImportFunctionInfo import_function_data; 73 | 74 | auto thunk_data = reinterpret_cast(reinterpret_cast(image_base) + current_originalFirstThunk->u1.AddressOfData); 75 | 76 | import_function_data.name = thunk_data->Name; 77 | import_function_data.address = ¤t_first_thunk->u1.Function; 78 | 79 | import_info.function_datas.push_back(import_function_data); 80 | 81 | ++current_originalFirstThunk; 82 | ++current_first_thunk; 83 | } 84 | 85 | imports.push_back(import_info); 86 | ++current_import_descriptor; 87 | } 88 | 89 | return imports; 90 | } -------------------------------------------------------------------------------- /kdmapper_lib/kdmapper/include/nt.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #pragma comment(lib, "ntdll.lib") 5 | #define STATUS_INFO_LENGTH_MISMATCH 0xC0000004 6 | namespace nt 7 | { 8 | constexpr auto PAGE_SIZE = 0x1000; 9 | 10 | constexpr auto SystemModuleInformation = 11; 11 | constexpr auto SystemHandleInformation = 16; 12 | constexpr auto SystemExtendedHandleInformation = 64; 13 | 14 | typedef NTSTATUS(*NtLoadDriver)(PUNICODE_STRING DriverServiceName); 15 | typedef NTSTATUS(*NtUnloadDriver)(PUNICODE_STRING DriverServiceName); 16 | typedef NTSTATUS(*RtlAdjustPrivilege)(_In_ DWORD32 Privilege, _In_ BOOLEAN Enable, _In_ BOOLEAN Client, _Out_ PBOOLEAN WasEnabled); 17 | 18 | typedef struct _SYSTEM_HANDLE 19 | { 20 | PVOID Object; 21 | HANDLE UniqueProcessId; 22 | HANDLE HandleValue; 23 | DWORD32 GrantedAccess; 24 | USHORT CreatorBackTraceIndex; 25 | USHORT ObjectTypeIndex; 26 | DWORD32 HandleAttributes; 27 | DWORD32 Reserved; 28 | } SYSTEM_HANDLE, *PSYSTEM_HANDLE; 29 | 30 | typedef struct _SYSTEM_HANDLE_INFORMATION_EX 31 | { 32 | DWORD64 HandleCount; 33 | DWORD64 Reserved; 34 | SYSTEM_HANDLE Handles[1]; 35 | } SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX; 36 | 37 | //Thanks to Pvt Comfy for remember to update this https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ne-wdm-_pool_type 38 | typedef enum class _POOL_TYPE { 39 | NonPagedPool, 40 | NonPagedPoolExecute = NonPagedPool, 41 | PagedPool, 42 | NonPagedPoolMustSucceed = NonPagedPool + 2, 43 | DontUseThisType, 44 | NonPagedPoolCacheAligned = NonPagedPool + 4, 45 | PagedPoolCacheAligned, 46 | NonPagedPoolCacheAlignedMustS = NonPagedPool + 6, 47 | MaxPoolType, 48 | NonPagedPoolBase = 0, 49 | NonPagedPoolBaseMustSucceed = NonPagedPoolBase + 2, 50 | NonPagedPoolBaseCacheAligned = NonPagedPoolBase + 4, 51 | NonPagedPoolBaseCacheAlignedMustS = NonPagedPoolBase + 6, 52 | NonPagedPoolSession = 32, 53 | PagedPoolSession = NonPagedPoolSession + 1, 54 | NonPagedPoolMustSucceedSession = PagedPoolSession + 1, 55 | DontUseThisTypeSession = NonPagedPoolMustSucceedSession + 1, 56 | NonPagedPoolCacheAlignedSession = DontUseThisTypeSession + 1, 57 | PagedPoolCacheAlignedSession = NonPagedPoolCacheAlignedSession + 1, 58 | NonPagedPoolCacheAlignedMustSSession = PagedPoolCacheAlignedSession + 1, 59 | NonPagedPoolNx = 512, 60 | NonPagedPoolNxCacheAligned = NonPagedPoolNx + 4, 61 | NonPagedPoolSessionNx = NonPagedPoolNx + 32, 62 | } POOL_TYPE; 63 | 64 | typedef struct _RTL_PROCESS_MODULE_INFORMATION 65 | { 66 | HANDLE Section; 67 | PVOID MappedBase; 68 | PVOID ImageBase; 69 | DWORD32 ImageSize; 70 | DWORD32 Flags; 71 | USHORT LoadOrderIndex; 72 | USHORT InitOrderIndex; 73 | USHORT LoadCount; 74 | USHORT OffsetToFileName; 75 | UCHAR FullPathName[256]; 76 | } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION; 77 | 78 | typedef struct _RTL_PROCESS_MODULES 79 | { 80 | DWORD32 NumberOfModules; 81 | RTL_PROCESS_MODULE_INFORMATION Modules[1]; 82 | } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES; 83 | 84 | /*added by psec*/ 85 | typedef enum _MEMORY_CACHING_TYPE_ORIG { 86 | MmFrameBufferCached = 2 87 | } MEMORY_CACHING_TYPE_ORIG; 88 | 89 | typedef enum _MEMORY_CACHING_TYPE { 90 | MmNonCached = FALSE, 91 | MmCached = TRUE, 92 | MmWriteCombined = MmFrameBufferCached, 93 | MmHardwareCoherentCached, 94 | MmNonCachedUnordered, // IA64 95 | MmUSWCCached, 96 | MmMaximumCacheType, 97 | MmNotMapped = -1 98 | } MEMORY_CACHING_TYPE; 99 | 100 | typedef CCHAR KPROCESSOR_MODE; 101 | 102 | typedef enum _MODE { 103 | KernelMode, 104 | UserMode, 105 | MaximumMode 106 | } MODE; 107 | 108 | typedef enum _MM_PAGE_PRIORITY { 109 | LowPagePriority, 110 | NormalPagePriority = 16, 111 | HighPagePriority = 32 112 | } MM_PAGE_PRIORITY; 113 | /**/ 114 | } 115 | -------------------------------------------------------------------------------- /SKLib-v/src/eac.cpp: -------------------------------------------------------------------------------- 1 | #include "eac.h" 2 | #include 3 | #include 4 | 5 | vector* pCr3s = nullptr; 6 | vector* pNmiBlockedCr3s = nullptr; 7 | 8 | bool bEacInitialized = false; 9 | 10 | void eac::Init() 11 | { 12 | if (bEacInitialized) { 13 | DbgMsg("[EAC] Already initialized!"); 14 | return; 15 | } 16 | 17 | pCr3s = (vector*)cpp::kMalloc(sizeof(*pCr3s), PAGE_READWRITE); 18 | RtlZeroMemory(pCr3s, sizeof(*pCr3s)); 19 | pCr3s->Init(); 20 | pCr3s->DisableLock(); 21 | pCr3s->reserve(64); 22 | 23 | pNmiBlockedCr3s = (vector*)cpp::kMalloc(sizeof(*pNmiBlockedCr3s), PAGE_READWRITE); 24 | RtlZeroMemory(pNmiBlockedCr3s, sizeof(*pNmiBlockedCr3s)); 25 | pNmiBlockedCr3s->Init(); 26 | pNmiBlockedCr3s->DisableLock(); 27 | pNmiBlockedCr3s->reserve(64); 28 | 29 | bEacInitialized = true; 30 | } 31 | 32 | void eac::UpdateCr3(CR3 cr3) 33 | { 34 | if (!bEacInitialized) 35 | return; 36 | 37 | identity::PhysicalAccess pa(vmm::pIdentityMap, cr3.Flags); 38 | for (auto& data : *pCr3s) { 39 | if (data.pCr3 40 | //&& paging::vmmhost::MapGuestToHost(cr3.Flags, (PVOID)((DWORD64)data.pImageBase + PAGE_SIZE)) 41 | && pa.getPhysicalAddress((DWORD64)data.pImageBase + PAGE_SIZE) 42 | ) { 43 | identity::PhysicalAccess paSrc(vmm::pIdentityMap, data.srcCr3); 44 | paSrc.Write(data.pCr3, cr3); 45 | } 46 | } 47 | } 48 | 49 | void eac::TrackCr3(DWORD64* pCr3, PVOID pAddressToCheck, DWORD64 srcCr3) 50 | { 51 | if (!bEacInitialized 52 | || !pCr3 53 | || !srcCr3 54 | ) 55 | return; 56 | 57 | pCr3s->emplace_back(pAddressToCheck, pCr3, srcCr3); 58 | } 59 | 60 | void eac::UntrackCr3(DWORD64* pCr3) 61 | { 62 | bool bFound = false; 63 | int i = 0; 64 | for (auto& cr3 : *pCr3s) { 65 | if (cr3.pCr3 == pCr3) { 66 | bFound = true; 67 | break; 68 | } 69 | i++; 70 | } 71 | if (bFound) 72 | pCr3s->RemoveAt(i); 73 | } 74 | 75 | void eac::BlockNmi(CR3 cr3) 76 | { 77 | if (!bEacInitialized 78 | || !cr3.Flags 79 | ) 80 | return; 81 | 82 | CR3_TRACKING tracking; 83 | tracking.srcCr3 = cr3.Flags; 84 | 85 | bool bFound = false; 86 | int i = 0; 87 | for (auto& tracked : *pNmiBlockedCr3s) { 88 | if (tracked.srcCr3 == cr3.Flags) { 89 | bFound = true; 90 | break; 91 | } 92 | i++; 93 | } 94 | if (bFound) 95 | return; 96 | 97 | pNmiBlockedCr3s->Append(tracking); 98 | } 99 | 100 | void eac::UnblockNmi(CR3 cr3) 101 | { 102 | bool bFound = false; 103 | int i = 0; 104 | for (auto& tracked : *pNmiBlockedCr3s) { 105 | if (tracked.srcCr3 == cr3.Flags) { 106 | bFound = true; 107 | break; 108 | } 109 | i++; 110 | } 111 | if (bFound) 112 | pNmiBlockedCr3s->RemoveAt(i); 113 | } 114 | 115 | bool eac::IsNmiBlocked(CR3 cr3) 116 | { 117 | bool bFound = false; 118 | int i = 0; 119 | for (auto& tracked : *pNmiBlockedCr3s) { 120 | if (tracked.srcCr3 == cr3.Flags) { 121 | bFound = true; 122 | break; 123 | } 124 | i++; 125 | } 126 | return bFound; 127 | } 128 | 129 | int eac::GetAndDecreaseNmiCount(CR3 cr3) 130 | { 131 | bool bFound = false; 132 | int i = 0; 133 | for (auto& tracked : *pNmiBlockedCr3s) { 134 | if (tracked.srcCr3 == cr3.Flags) { 135 | bFound = true; 136 | break; 137 | } 138 | i++; 139 | } 140 | if (!bFound) 141 | return 0; 142 | 143 | auto dwCore = CPU::GetCPUIndex(true); 144 | 145 | auto& count = pNmiBlockedCr3s->at(i).dwNmiQueue[dwCore]; 146 | 147 | if (count) 148 | count -= 1; 149 | 150 | return count; 151 | } 152 | 153 | void eac::IncreaseNmiCount(CR3 cr3) 154 | { 155 | bool bFound = false; 156 | int i = 0; 157 | for (auto& tracked : *pNmiBlockedCr3s) { 158 | if (tracked.srcCr3 == cr3.Flags) { 159 | bFound = true; 160 | break; 161 | } 162 | i++; 163 | } 164 | if (!bFound) 165 | return; 166 | auto dwCore = CPU::GetCPUIndex(true); 167 | 168 | auto& count = pNmiBlockedCr3s->at(i).dwNmiQueue[dwCore]; 169 | 170 | if(!count) 171 | count += 1; 172 | } 173 | -------------------------------------------------------------------------------- /SKLib-v/src/wmispoof.cpp: -------------------------------------------------------------------------------- 1 | #include "wmispoof.h" 2 | 3 | vector* vMonitorSerials = nullptr; 4 | typedef NTSTATUS (*fnWmipQueryAllData)( 5 | IN PWMIGUIDOBJECT GuidObject, 6 | IN PIRP Irp, 7 | IN KPROCESSOR_MODE AccessMode, 8 | IN PWNODE_ALL_DATA Wnode, 9 | IN ULONG OutBufferLen, 10 | OUT PULONG RetSize 11 | ); 12 | 13 | fnWmipQueryAllData pWmipQueryAllData = nullptr; 14 | 15 | bool FindFakeMonitorSerial(USHORT* pOriginal) { 16 | #ifdef DUMMY_SERIAL 17 | bool bFound = true; 18 | RtlCopyMemory(pOriginal, DUMMY_SERIAL, MONITOR_SERIAL_LENGTH * sizeof(USHORT)); 19 | #else 20 | bool bFound = false; 21 | for (auto& serial : *vMonitorSerials) { 22 | if (!memcmp(serial, pOriginal, 4)) { 23 | Memory::WriteProtected(pOriginal, serial, MONITOR_SERIAL_LENGTH * sizeof(USHORT)); 24 | bFound = true; 25 | break; 26 | } 27 | } 28 | if (!bFound) { 29 | rnd.setSeed(spoofer::seed); 30 | wchar_t* pBuf = (wchar_t*)cpp::kMalloc((MONITOR_SERIAL_LENGTH + 1) * sizeof(USHORT), PAGE_READWRITE); 31 | RtlCopyMemory(pBuf, pOriginal, (MONITOR_SERIAL_LENGTH + 1) * sizeof(USHORT)); 32 | rnd.w_str(pBuf, MONITOR_SERIAL_LENGTH); 33 | vMonitorSerials->Append(pBuf); 34 | Memory::WriteProtected(pOriginal, pBuf, MONITOR_SERIAL_LENGTH * sizeof(USHORT)); 35 | bFound = true; 36 | } 37 | #endif 38 | 39 | return bFound; 40 | } 41 | 42 | NTSTATUS WmipQueryAllDataHook( 43 | IN PWMIGUIDOBJECT GuidObject, 44 | IN PIRP Irp, 45 | IN KPROCESSOR_MODE AccessMode, 46 | IN PWNODE_ALL_DATA Wnode, 47 | IN ULONG OutBufferLen, 48 | OUT PULONG RetSize 49 | ) 50 | { 51 | NTSTATUS ntStatus = pWmipQueryAllData(GuidObject, Irp, AccessMode, Wnode, OutBufferLen, RetSize); 52 | if (NT_SUCCESS(ntStatus)) { 53 | PWNODE_ALL_DATA pAllData = (PWNODE_ALL_DATA)Wnode; 54 | if (!MmIsAddressValid(pAllData)) 55 | return ntStatus; 56 | 57 | PWmiMonitorID MonitorID; 58 | if (pAllData->WnodeHeader.Guid == WmiMonitorID_GUID) { 59 | if (pAllData->WnodeHeader.Flags & WNODE_FLAG_FIXED_INSTANCE_SIZE) 60 | MonitorID = (PWmiMonitorID) &((UCHAR*)pAllData)[pAllData->DataBlockOffset]; 61 | else 62 | MonitorID = (PWmiMonitorID) &((UCHAR*)pAllData)[pAllData->OffsetInstanceDataAndLength[0].OffsetInstanceData]; 63 | 64 | if (MmIsAddressValid(MonitorID)) { 65 | RtlFillBytes(MonitorID->SerialNumberID, sizeof(MonitorID->SerialNumberID), 0); 66 | RtlFillBytes(MonitorID->ProductCodeID, sizeof(MonitorID->ProductCodeID), 0); 67 | } 68 | } 69 | } 70 | 71 | return ntStatus; 72 | } 73 | 74 | bool wmi::SpoofMonitor(DWORD64 seed) 75 | { 76 | bool bRes = false; 77 | 78 | rnd.setSeed(seed); 79 | rnd.setSecLevel(random::SecurityLevel::PREDICTABLE); 80 | 81 | vMonitorSerials = (vector*)cpp::kMalloc(sizeof(*vMonitorSerials), PAGE_READWRITE); 82 | RtlZeroMemory(vMonitorSerials, sizeof(*vMonitorSerials)); 83 | vMonitorSerials->Init(); 84 | vMonitorSerials->reserve(64); 85 | 86 | //DWORD64 EDIDBootCopy = 87 | // (DWORD64)Memory::FindPatternImage(winternl::ntoskrnlBase, (PCHAR)"\x0F\x10\x05\x00\x00\x00\x00\x0F\x11\x02", (PCHAR)"xxx????xxx"); 88 | // 89 | //if (!EDIDBootCopy) { 90 | // DbgMsg("[WMI] Could not find EDID boot copy offset"); 91 | // return false; 92 | //} 93 | //char* pEDIDBoot = (char*)(EDIDBootCopy + 7 + *(PINT)(EDIDBootCopy + 3)); 94 | //_disable(); 95 | //bool bEnableCET = CPU::DisableWriteProtection(); 96 | //RtlZeroMemory(pEDIDBoot, 0x80); 97 | //CPU::EnableWriteProtection(bEnableCET); 98 | //_enable(); 99 | // 100 | //DbgMsg("[MONITOR] Zeroed EDID boot copy at: %p", pEDIDBoot); 101 | 102 | DWORD64 WmipQueryAllData = ((DWORD64)winternl::ntoskrnlBase + offsets.WmipQueryAllData); 103 | HOOK_SECONDARY_INFO hkSecondaryInfo = { 0 }; 104 | hkSecondaryInfo.pOrigFn = (PVOID*)&pWmipQueryAllData; 105 | 106 | if (!EPT::HookExec((PVOID)WmipQueryAllData, WmipQueryAllDataHook, hkSecondaryInfo)) { 107 | DbgMsg("[MONITOR] Failed hooking WmipQueryAllData"); 108 | bRes = false; 109 | } 110 | else { 111 | DbgMsg("[MONITOR] Hooked WmipQueryAllData"); 112 | bRes = true; 113 | } 114 | 115 | return bRes; 116 | } 117 | -------------------------------------------------------------------------------- /SKLib/include/signatures.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /** 4 | 5 | * Returns a 16-bit signature built from 2 ASCII characters. 6 | 7 | * 8 | 9 | * This macro returns a 16-bit value built from the two ASCII characters 10 | 11 | * specified by A and B. 12 | 13 | * 14 | 15 | * @A: The first ASCII character. 16 | 17 | * @B: The second ASCII character. 18 | 19 | * 20 | 21 | * @return: A 16-bit value built from the two ASCII characters specified by 22 | 23 | * A and B. 24 | 25 | */ 26 | 27 | #define SIGNATURE_16(A, B) ((A) | (B << 8)) 28 | 29 | /** 30 | 31 | * Returns a 32-bit signature built from 4 ASCII characters. 32 | 33 | * 34 | 35 | * This macro returns a 32-bit value built from the four ASCII characters 36 | 37 | * specified by A, B, C, and D. 38 | 39 | * 40 | 41 | * @A: The first ASCII character. 42 | 43 | * @B: The second ASCII character. 44 | 45 | * @C: The third ASCII character. 46 | 47 | * @D: The fourth ASCII character. 48 | 49 | * 50 | 51 | * @return: A 32-bit value built from the two ASCII characters specified by 52 | 53 | * A, B, C and D. 54 | 55 | */ 56 | 57 | #define SIGNATURE_32(A, B, C, D) \ 58 | (SIGNATURE_16(A, B) | (SIGNATURE_16(C, D) << 16)) 59 | 60 | /** 61 | 62 | * Returns a 64-bit signature built from 8 ASCII characters. 63 | 64 | * 65 | 66 | * This macro returns a 64-bit value built from the eight ASCII characters 67 | 68 | * specified by A, B, C, D, E, F, G,and H. 69 | 70 | * 71 | 72 | * @A: The first ASCII character. 73 | 74 | * @B: The second ASCII character. 75 | 76 | * @C: The third ASCII character. 77 | 78 | * @D: The fourth ASCII character. 79 | 80 | * @E: The fifth ASCII character. 81 | 82 | * @F: The sixth ASCII character. 83 | 84 | * @G: The seventh ASCII character. 85 | 86 | * @H: The eighth ASCII character. 87 | 88 | * 89 | 90 | * @return: A 64-bit value built from the two ASCII characters specified by 91 | 92 | * A, B, C, D, E, F, G and H. 93 | 94 | */ 95 | 96 | #define SIGNATURE_64(A, B, C, D, E, F, G, H) \ 97 | (SIGNATURE_32(A, B, C, D) | ((u64)(SIGNATURE_32(E, F, G, H)) << 32)) 98 | 99 | namespace signatures { 100 | constexpr PCHAR PsEnumProcesses = (PCHAR)"\x33\xD2\x48\x8D\x0D\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x33\x00\x33\xC9"; 101 | constexpr PCHAR PsEnumProcessThreads = (PCHAR)"\x0F\x84\x00\x00\x00\x00\x4C\x8B\xC6\x48\x8D\x15\x00\x00\x00\x00\x48\x8B\x00\xE8"; 102 | constexpr PCHAR NtCreateUserProcess = (PCHAR)"\x33\xD2\x48\x8D\x8D\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x48\x89\xBD"; 103 | constexpr PCHAR PspInsertProcess = (PCHAR)"\x44\x8B\x84\x24\x00\x00\x00\x00\x49\x8B\x00\x48\x8B\x8C\x24\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x8B"; 104 | constexpr PCHAR PspTerminateProcess = (PCHAR)"\xE8\x00\x00\x00\x00\xBA\x50\x73\x54\x65\x00\x8B\x00\x8B"; 105 | constexpr PCHAR PspCreateProcess = (PCHAR)"\x41\x8B\xD3\x49\x8B\xCA\xE8\x00\x00\x00\x00\x48\x83\xC4"; 106 | constexpr PCHAR NtResumeThread = (PCHAR)"\x48\x89\x44\x24\x28\xC7\x44\x24\x20\x50\x73\x53\x75"; 107 | constexpr PCHAR NtCreateUserThread = (PCHAR)"\x24\x60\x4C\x89\x7C\x24\x28\x4C\x89\x74\x24\x20\xE8\x00\x00\x00\x00\x85\xC0"; 108 | constexpr PCHAR KeResumeThread = (PCHAR)"\x8D\xB3\xE0\x02\x00\x00\x00\x8B\xCE\xE8"; 109 | constexpr PCHAR PspCreateThread = (PCHAR)"\x4C\x8B\x45\x00\x8B\x55\x00\x48\x8B\xCE\xE8"; 110 | 111 | namespace masks { 112 | constexpr PCHAR PsEnumProcesses = (PCHAR)"xxxxx????x????x?xx"; 113 | constexpr PCHAR PsEnumProcessThreads = (PCHAR)"xx????xxxxxx????xx?x"; 114 | constexpr PCHAR NtCreateUserProcess = (PCHAR)"xxxxx????x????xxx"; 115 | constexpr PCHAR PspInsertProcess = (PCHAR)"xxxx????xx?xxxx????x????x"; 116 | constexpr PCHAR PspTerminateProcess = (PCHAR)"x????xxxxx?x?x"; 117 | constexpr PCHAR PspCreateProcess = (PCHAR)"xxxxxxx????xxx"; 118 | constexpr PCHAR NtResumeThread = (PCHAR)"xxxxxxxxxxxxx"; 119 | constexpr PCHAR NtCreateUserThread = (PCHAR)"xxxxxxxxxxxxx????xx"; 120 | constexpr PCHAR KeResumeThread = (PCHAR)"xxxxxx?xxx"; 121 | constexpr PCHAR PspCreateThread = (PCHAR)"xxx?xx?xxxx"; 122 | } 123 | } -------------------------------------------------------------------------------- /SKLib/include/paging.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "cpp.h" 4 | #include "MemoryEx.h" 5 | #include "winternlex.h" 6 | 7 | #include 8 | #include 9 | 10 | #ifdef _KERNEL_MODE 11 | 12 | #define PT_ENTRIES 512 13 | 14 | typedef enum _EXIT_ERRORS : ULONG { 15 | ERROR_SUCCESS = 0, 16 | ERROR_CANNOT_MAP_PARAM, 17 | ERROR_CANNOT_MAP_SRC, 18 | ERROR_CANNOT_MAP_DST, 19 | ERROR_CANNOT_READ, 20 | ERROR_CANNOT_WRITE, 21 | ERROR_INVALID_PARAM, 22 | ERROR_PAGE_FAULT 23 | } EXIT_ERRORS, * PEXIT_ERRORS; 24 | 25 | typedef struct _PML4T { 26 | PML4E_64 entry[512]; 27 | } PML4T, *PPML4T; 28 | 29 | typedef struct _PDPT { 30 | PDPTE_64 entry[512]; 31 | } PDPT, * PPDPT; 32 | 33 | typedef struct _PDT { 34 | PDE_64 entry[512]; 35 | } PDT, * PPDT; 36 | 37 | typedef struct _PT { 38 | PTE_64 entry[512]; 39 | } PT, * PPT; 40 | 41 | enum MAP_TYPE { 42 | src = 0, 43 | dest 44 | }; 45 | 46 | typedef union { 47 | struct { 48 | DWORD64 Offset : 12; 49 | DWORD64 Level1 : 9; 50 | DWORD64 Level2 : 9; 51 | DWORD64 Level3 : 9; 52 | DWORD64 Level4 : 9; 53 | DWORD64 SignExt : 16; 54 | }; 55 | 56 | DWORD64 Flags; 57 | } VIRT_ADD_MAP, * PVIRT_ADD_MAP; 58 | 59 | typedef union _VIRT_ADD 60 | { 61 | DWORD64 value; 62 | struct 63 | { 64 | DWORD64 offset_4kb : 12; 65 | DWORD64 pt_index : 9; 66 | DWORD64 pdt_index : 9; 67 | DWORD64 pdpt_index : 9; 68 | DWORD64 pml4_index : 9; 69 | DWORD64 reserved : 16; 70 | }; 71 | 72 | struct 73 | { 74 | DWORD64 offset_2mb : 21; 75 | DWORD64 pdt_index : 9; 76 | DWORD64 pdpt_index : 9; 77 | DWORD64 pml4_index : 9; 78 | DWORD64 reserved : 16; 79 | }; 80 | 81 | struct 82 | { 83 | DWORD64 offset_1gb : 30; 84 | DWORD64 pdpt_index : 9; 85 | DWORD64 pml4_index : 9; 86 | DWORD64 reserved : 16; 87 | }; 88 | 89 | } VIRT_ADD, * PVIRT_ADD; 90 | 91 | typedef struct _MANUAL_PAGED_TABLES { 92 | PML4E_64* pPml4e; 93 | PDPTE_64* pPdpte; 94 | PDE_64* pPde; 95 | PTE_64* pPte; 96 | PTE_64 pteOrig; 97 | 98 | __forceinline bool operator==(_MANUAL_PAGED_TABLES& rhs) { 99 | return !memcmp(&rhs, this, sizeof(rhs)); 100 | } 101 | __forceinline bool operator!=(_MANUAL_PAGED_TABLES& rhs) { 102 | return !(*this == rhs); 103 | } 104 | } MANUAL_PAGED_TABLES, *PMANUAL_PAGED_TABLES; 105 | 106 | typedef struct _TARGET_TRANSLATION { 107 | DWORD64 va; 108 | DWORD64 pa; 109 | 110 | __forceinline bool operator==(_TARGET_TRANSLATION& rhs) { 111 | return !memcmp(&rhs, this, sizeof(rhs)); 112 | } 113 | __forceinline bool operator!=(_TARGET_TRANSLATION& rhs) { 114 | return !(*this == rhs); 115 | } 116 | } TARGET_TRANSLATION, * PTARGET_TRANSLATION; 117 | 118 | namespace paging { 119 | BOOLEAN IsMapped(PPML4T ppml4t, PVOID va); 120 | BOOLEAN MapPage(PPML4T pTargetPml4t, DWORD64 va, DWORD64 pa, MANUAL_PAGED_TABLES* manualMapTracking = nullptr); 121 | BOOLEAN MapRegion(PPML4T ppml4t, PVOID va, size_t size); 122 | PTE_64* GetPPTE(PPML4T ppml4t, PVOID va, BOOLEAN bMap = false); 123 | BOOLEAN IsAddressValid(PVOID va); 124 | 125 | PMDL LockRange(PVOID pBase, size_t size); 126 | VOID UnlockRange(PMDL pMdl); 127 | 128 | PVOID MapNonPaged(PVOID pa, size_t size, MODE allocationMode); 129 | 130 | PPML4T GetPML4Base(CR3 cr3 = { 0 }); 131 | PPML4T MapPML4Base(CR3 cr3 = { 0 }); 132 | VOID SetPML4Base(PVOID pPML4Table); 133 | 134 | PVOID GuestVirtToPhy(PVOID va, PVOID pGuestPml4tPa = nullptr, bool* pIsLargePage = nullptr); 135 | DWORD64 ProcessVirtToPhy(PEPROCESS pEprocess, PVOID va); 136 | DWORD64 CurrProcessVirtToPhy(PVOID va); 137 | 138 | DWORD64 VirtToPhy(PVOID va); 139 | 140 | vector CopyMapRegion(CR3 toCr3, vector& translations); 141 | MANUAL_PAGED_TABLES CopyMapPage(CR3 toCr3, TARGET_TRANSLATION translations); 142 | 143 | PVOID MapPhysical(DWORD64 pa, DWORD64 sz, ULONG protect = PAGE_READWRITE); 144 | } 145 | 146 | #endif -------------------------------------------------------------------------------- /phymeme_lib/util/nt.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | 5 | #pragma comment(lib, "ntdll.lib") 6 | constexpr auto page_size = 0x1000; 7 | 8 | inline const char piddb_lock_sig[] = "\x8B\xD8\x85\xC0\x0F\x88\x00\x00\x00\x00\x65\x48\x8B\x04\x25\x00\x00\x00\x00\x66\xFF\x88\x00\x00\x00\x00\xB2\x01\x48\x8D\x0D\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x4C\x8B\x00\x24"; 9 | inline const char piddb_lock_mask[] = "xxxxxx????xxxxx????xxx????xxxxx????x????xx?x"; 10 | 11 | inline const char piddb_table_sig[] = "\x66\x03\xD2\x48\x8D\x0D"; 12 | inline const char piddb_table_mask[] = "xxxxxx"; 13 | 14 | inline const char piddb_lock_sig2[] = "\x48\x8B\x0D\x00\x00\x00\x00\x48\x85\xC9\x0F\x85\x00\x00\x00\x00\x48\x8D\x0D\x00\x00\x00\x00\xE8\x00\x00\x00\x00\xE8"; 15 | inline const char piddb_lock_mask2[] = "xxx????xxxxx????xxx????x????x"; 16 | 17 | constexpr auto SystemModuleInformation = 11; 18 | constexpr auto SystemHandleInformation = 16; 19 | constexpr auto SystemExtendedHandleInformation = 64; 20 | 21 | #define MM_COPY_MEMORY_PHYSICAL 0x1 22 | #define MM_COPY_MEMORY_VIRTUAL 0x2 23 | 24 | typedef struct PiDDBCacheEntry 25 | { 26 | LIST_ENTRY list; 27 | UNICODE_STRING driver_name; 28 | ULONG time_stamp; 29 | NTSTATUS load_status; 30 | char _0x0028[16]; // data from the shim engine, or uninitialized memory for custom drivers 31 | }PIDCacheobj; 32 | 33 | typedef struct _SYSTEM_HANDLE 34 | { 35 | PVOID Object; 36 | HANDLE UniqueProcessId; 37 | HANDLE HandleValue; 38 | ULONG GrantedAccess; 39 | USHORT CreatorBackTraceIndex; 40 | USHORT ObjectTypeIndex; 41 | ULONG HandleAttributes; 42 | ULONG Reserved; 43 | } SYSTEM_HANDLE, * PSYSTEM_HANDLE; 44 | 45 | typedef struct _SYSTEM_HANDLE_INFORMATION_EX 46 | { 47 | ULONG_PTR HandleCount; 48 | ULONG_PTR Reserved; 49 | SYSTEM_HANDLE Handles[1]; 50 | } SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX; 51 | 52 | typedef enum _POOL_TYPE { 53 | NonPagedPool, 54 | NonPagedPoolExecute, 55 | PagedPool, 56 | NonPagedPoolMustSucceed, 57 | DontUseThisType, 58 | NonPagedPoolCacheAligned, 59 | PagedPoolCacheAligned, 60 | NonPagedPoolCacheAlignedMustS, 61 | MaxPoolType, 62 | NonPagedPoolBase, 63 | NonPagedPoolBaseMustSucceed, 64 | NonPagedPoolBaseCacheAligned, 65 | NonPagedPoolBaseCacheAlignedMustS, 66 | NonPagedPoolSession, 67 | PagedPoolSession, 68 | NonPagedPoolMustSucceedSession, 69 | DontUseThisTypeSession, 70 | NonPagedPoolCacheAlignedSession, 71 | PagedPoolCacheAlignedSession, 72 | NonPagedPoolCacheAlignedMustSSession, 73 | NonPagedPoolNx, 74 | NonPagedPoolNxCacheAligned, 75 | NonPagedPoolSessionNx 76 | } POOL_TYPE; 77 | 78 | typedef struct _RTL_PROCESS_MODULE_INFORMATION 79 | { 80 | HANDLE Section; 81 | PVOID MappedBase; 82 | PVOID ImageBase; 83 | ULONG ImageSize; 84 | ULONG Flags; 85 | USHORT LoadOrderIndex; 86 | USHORT InitOrderIndex; 87 | USHORT LoadCount; 88 | USHORT OffsetToFileName; 89 | UCHAR FullPathName[256]; 90 | } RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION; 91 | 92 | typedef struct _RTL_PROCESS_MODULES 93 | { 94 | ULONG NumberOfModules; 95 | RTL_PROCESS_MODULE_INFORMATION Modules[1]; 96 | } RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES; 97 | 98 | typedef LARGE_INTEGER PHYSICAL_ADDRESS, * PPHYSICAL_ADDRESS; 99 | 100 | typedef struct _MM_COPY_ADDRESS { 101 | union { 102 | PVOID VirtualAddress; 103 | PHYSICAL_ADDRESS PhysicalAddress; 104 | }; 105 | } MM_COPY_ADDRESS, * PMMCOPY_ADDRESS; 106 | 107 | using PEPROCESS = PVOID; 108 | using ExAllocatePool = PVOID(__stdcall*) (POOL_TYPE, SIZE_T); 109 | using ExAllocatePoolWithTag = PVOID(__stdcall*)(POOL_TYPE, SIZE_T, ULONG); 110 | using MmCopyMemory = NTSTATUS (__stdcall*)(PVOID, MM_COPY_ADDRESS,SIZE_T,ULONG,PSIZE_T); 111 | using DRIVER_INITIALIZE = NTSTATUS(__stdcall*)(std::uintptr_t, std::size_t); 112 | using ExAcquireResourceExclusiveLite = BOOLEAN(__stdcall*)(void*,bool); 113 | using RtlLookupElementGenericTableAvl = PIDCacheobj* (__stdcall*) (void*, void*); 114 | using RtlDeleteElementGenericTableAvl = bool(__stdcall*)(void*,void*); 115 | using ExReleaseResourceLite = bool(__stdcall*)(void*); 116 | using PsLookupProcessByProcessId = NTSTATUS(__fastcall*)(HANDLE, PEPROCESS*); 117 | using PsGetProcessSectionBaseAddress = void* (__fastcall*)(PEPROCESS); -------------------------------------------------------------------------------- /SKLib/include/registry.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "cpp.h" 4 | #include "data.h" 5 | #include "StringEx.h" 6 | 7 | #ifdef _KERNEL_MODE 8 | 9 | #define INVALID_KEY_VALUE ((HANDLE)-1) 10 | 11 | namespace registry { 12 | HANDLE GetKeyHandleEx(string& path); 13 | bool RenameEx(string path, string newName); 14 | bool Delete(string path); 15 | bool DeleteKeyValueEx(string path, string valueName); 16 | 17 | template 18 | bool DeleteIf(string path, F callback) { 19 | OBJECT_ATTRIBUTES KeyAttributes; 20 | UNICODE_STRING Name; 21 | UNICODE_STRING ValueName; 22 | HANDLE hKey = GetKeyHandleEx(path); 23 | if (hKey == INVALID_KEY_VALUE) { 24 | return false; 25 | } 26 | 27 | ULONG keyIndex = 0; 28 | NTSTATUS ntStatus = STATUS_SUCCESS; 29 | while (NT_SUCCESS(ntStatus)) { 30 | KEY_BASIC_INFORMATION* pKeyInfo = (KEY_BASIC_INFORMATION*)cpp::kMalloc(0x100); 31 | RtlZeroMemory(pKeyInfo, 0x100); 32 | ULONG realLength = 0; 33 | ntStatus = ZwEnumerateKey(hKey, keyIndex, KeyBasicInformation, pKeyInfo, 0x100, &realLength); 34 | if (ntStatus == STATUS_BUFFER_TOO_SMALL) { 35 | cpp::kFree(pKeyInfo); 36 | pKeyInfo = (KEY_BASIC_INFORMATION*)cpp::kMalloc(realLength); 37 | ntStatus = ZwEnumerateKey(hKey, keyIndex, KeyBasicInformation, pKeyInfo, realLength, &realLength); 38 | if (!NT_SUCCESS(ntStatus)) { 39 | DbgMsg("[REGISTRY] Failed enumerating key: 0%x - %s", ntStatus, path.c_str()); 40 | return false; 41 | } 42 | } 43 | if (pKeyInfo->NameLength) { 44 | string strName((wchar_t*)pKeyInfo->Name); 45 | string newPath = path; 46 | newPath += "\\"; 47 | newPath += strName; 48 | if (!DeleteIf(newPath, callback)) 49 | keyIndex++; 50 | } 51 | 52 | cpp::kFree(pKeyInfo); 53 | } 54 | 55 | KEY_VALUE_BASIC_INFORMATION* pKeyValueInfo = (KEY_VALUE_BASIC_INFORMATION*)cpp::kMalloc(0x100); 56 | while (NT_SUCCESS(ntStatus)) { 57 | ULONG valueLength = 0; 58 | RtlZeroMemory(pKeyValueInfo, 0x100); 59 | ntStatus = ZwEnumerateValueKey(hKey, 0, KeyValueBasicInformation, pKeyValueInfo, 0x100, &valueLength); 60 | if (ntStatus == STATUS_BUFFER_TOO_SMALL) { 61 | cpp::kFree(pKeyValueInfo); 62 | pKeyValueInfo = (KEY_VALUE_BASIC_INFORMATION*)cpp::kMalloc(valueLength); 63 | ntStatus = ZwEnumerateValueKey(hKey, 0, KeyValueBasicInformation, pKeyValueInfo, valueLength, &valueLength); 64 | if (!NT_SUCCESS(ntStatus)) { 65 | DbgMsg("[REGISTRY] Failed enumerating key values: 0%x - %s", ntStatus, path.c_str()); 66 | return false; 67 | } 68 | } 69 | 70 | if (!pKeyValueInfo->NameLength) { 71 | break; 72 | } 73 | string keyValueName(pKeyValueInfo->Name); 74 | ntStatus = ZwDeleteValueKey(hKey, &keyValueName.unicode()); 75 | if (!NT_SUCCESS(ntStatus)) { 76 | DbgMsg("[REGISTRY] Failed deleting key value: 0%x - %s\\%s", ntStatus, path.c_str(), keyValueName.c_str()); 77 | return false; 78 | } 79 | } 80 | cpp::kFree(pKeyValueInfo); 81 | 82 | ntStatus = callback(path) ? ZwDeleteKey(hKey) : STATUS_UNSUCCESSFUL; 83 | if (ntStatus != STATUS_SUCCESS) { 84 | DbgMsg("[REGISTRY] Could not delete registry key name: %x:%s", ntStatus, path.c_str()); 85 | return false; 86 | } 87 | 88 | ZwClose(hKey); 89 | 90 | return true; 91 | } 92 | 93 | template 94 | bool SetKeyValueEx(string path, string valueName, T* value, ULONG valueType, ULONG valueSize = 0) { 95 | HANDLE hKey = GetKeyHandleEx(path); 96 | if (hKey == INVALID_KEY_VALUE) { 97 | DbgMsg("[REGISTRY] INVALID_KEY_VALUE"); 98 | return false; 99 | } 100 | 101 | ULONG out = valueSize ? valueSize : sizeof(T); 102 | 103 | NTSTATUS ntStatus = ZwSetValueKey(hKey, &valueName.unicode(), 0, valueType, value, out); 104 | if (!NT_SUCCESS(ntStatus)) { 105 | DbgMsg("[REGISTRY] Could not set registry key value: %x", ntStatus); 106 | return false; 107 | } 108 | else { 109 | DbgMsg("[REGISTRY] Set registry key %s: 0x%x", valueName.c_str(), ntStatus); 110 | } 111 | 112 | ZwClose(hKey); 113 | 114 | return true; 115 | } 116 | 117 | class KeyEnumerator { 118 | private: 119 | HANDLE hRootKey; 120 | ULONG currentKeyIndex; 121 | public: 122 | KeyEnumerator(const char* pKeyPath); 123 | ~KeyEnumerator(); 124 | 125 | bool Next(string& outSubkeyName); 126 | }; 127 | } 128 | 129 | #endif -------------------------------------------------------------------------------- /SKLib/include/StringEx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "cpp.h" 4 | #include "spinlock.h" 5 | 6 | #ifdef _KERNEL_MODE 7 | #ifndef _WDMDDK_ 8 | #include 9 | #endif 10 | 11 | void mbstowcs(wchar_t* dst, char* src, size_t len); 12 | void wcstombs(char* dst, wchar_t* src, size_t len); 13 | 14 | struct string { 15 | private: 16 | bool bDisposed; 17 | size_t len; 18 | Spinlock lock; 19 | public: 20 | char* pBuffer; 21 | wchar_t* lpBuffer; 22 | UNICODE_STRING uBuffer; 23 | 24 | string(); 25 | string(const char* pString); 26 | string(const wchar_t* pWString); 27 | string(UNICODE_STRING* pWString); 28 | string(string&& obj); 29 | string(string& obj); 30 | static string* create(const char* pString); 31 | ~string(); 32 | void Dispose(); //c# style memory free 33 | size_t Length(); 34 | const char* c_str(); 35 | const wchar_t* w_str(); 36 | UNICODE_STRING& unicode(); 37 | string substring(int index); 38 | string substring(int index, int length); 39 | int last_of(char to_find); 40 | int first_of(char to_find); 41 | char* to_lower(); 42 | char* to_upper(); 43 | wchar_t* to_lowerw(); 44 | wchar_t* to_upperw(); 45 | bool contains(const char* pSubstring); 46 | 47 | string& operator+(const char* pString) { 48 | if (pString == nullptr) 49 | return *this; 50 | 51 | lock.Lock(); 52 | auto length = len + (int)strlen(pString); 53 | auto buffer = (char*)cpp::kMallocZero((size_t)length + 1); 54 | if (buffer == nullptr) return *this; 55 | RtlZeroMemory((void*)buffer, (size_t)length + 1); 56 | memcpy((void*)buffer, pBuffer, len); 57 | strcat((char*)buffer, pString); 58 | lock.Unlock(); 59 | 60 | return *string::create(buffer); 61 | } 62 | string& operator+(string& pString) { 63 | return *this + pString.c_str(); 64 | } 65 | void operator+=(const char* pString) { 66 | if (pString == nullptr) 67 | return; 68 | 69 | lock.Lock(); 70 | auto length = len + (int)strlen(pString); 71 | auto buffer = (char*)cpp::kMalloc((size_t)length + 1); 72 | if (buffer == nullptr) { 73 | lock.Unlock(); 74 | return; 75 | } 76 | RtlZeroMemory((void*)buffer, (size_t)length + 1); 77 | memcpy((void*)buffer, pBuffer, len); 78 | strcat((char*)buffer, pString); 79 | lock.Unlock(); 80 | Dispose(); 81 | lock.Lock(); 82 | bDisposed = false; 83 | this->pBuffer = buffer; 84 | this->len = length; 85 | lock.Unlock(); 86 | } 87 | void operator+=(string& string) { 88 | lock.Lock(); 89 | auto length = len + (int)string.Length(); 90 | auto buffer = (char*)cpp::kMalloc((size_t)length + 1); 91 | if (buffer == nullptr) { 92 | lock.Unlock(); 93 | return; 94 | } 95 | RtlZeroMemory((void*)buffer, (size_t)length + 1); 96 | memcpy((void*)buffer, pBuffer, len); 97 | strcat((char*)buffer, string.c_str()); 98 | lock.Unlock(); 99 | Dispose(); 100 | lock.Lock(); 101 | bDisposed = false; 102 | this->pBuffer = buffer; 103 | this->len = length; 104 | lock.Unlock(); 105 | } 106 | void operator=(const string& obj) { 107 | if (&obj == this 108 | || obj.pBuffer == this->pBuffer 109 | ) 110 | return; 111 | Dispose(); 112 | lock.Lock(); 113 | bDisposed = false; 114 | pBuffer = (char*)cpp::kMalloc((size_t)obj.len + 1); 115 | //RtlZeroMemory((void*)pBuffer, (size_t)obj.len + 1); 116 | memcpy((void*)pBuffer, obj.pBuffer, obj.len + 1); 117 | len = obj.len; 118 | lock.Unlock(); 119 | } 120 | void operator=(const char* pString) { 121 | Dispose(); 122 | lock.Lock(); 123 | bDisposed = false; 124 | len = strlen(pString); 125 | pBuffer = (char*)cpp::kMalloc((size_t)len + 1); 126 | strcpy((char*)pBuffer, pString); 127 | lock.Unlock(); 128 | } 129 | bool operator==(string& rhs) { 130 | lock.Lock(); 131 | bool bSuccess = !strcmp(this->c_str(), rhs.c_str()); 132 | lock.Unlock(); 133 | return bSuccess; 134 | } 135 | bool operator!=(string& rhs) { 136 | return !(*this == rhs); 137 | } 138 | bool operator==(string&& rhs) { 139 | return *this == rhs; 140 | } 141 | bool operator!=(string&& rhs) { 142 | return !(*this == rhs); 143 | } 144 | 145 | static string* alloc(char* s) { 146 | string* pString = (string*)cpp::kMalloc(sizeof(*pString)); 147 | RtlZeroMemory(pString, sizeof(*pString)); 148 | pString->len = 0; 149 | pString->pBuffer = nullptr; 150 | pString->uBuffer.Buffer = nullptr; 151 | pString->lpBuffer = nullptr; 152 | pString->bDisposed = false; 153 | pString->lock.Init(); 154 | 155 | *pString = s; 156 | return pString; 157 | } 158 | }; 159 | #endif -------------------------------------------------------------------------------- /kdmapper_lib/kdmapper/src/utils.cpp: -------------------------------------------------------------------------------- 1 | #include "utils.hpp" 2 | 3 | std::wstring kdmapper_utils::GetFullTempPath() { 4 | wchar_t temp_directory[MAX_PATH + 1] = { 0 }; 5 | const uint32_t get_temp_path_ret = GetTempPathW(sizeof(temp_directory) / 2, temp_directory); 6 | if (!get_temp_path_ret || get_temp_path_ret > MAX_PATH + 1) { 7 | Log("[-] Failed to get temp path"); 8 | return L""; 9 | } 10 | if (temp_directory[wcslen(temp_directory) - 1] == L'\\') 11 | temp_directory[wcslen(temp_directory) - 1] = 0x0; 12 | 13 | return std::wstring(temp_directory); 14 | } 15 | 16 | bool kdmapper_utils::ReadFileToMemory(const std::wstring& file_path, std::vector* out_buffer) { 17 | std::ifstream file_ifstream(file_path, std::ios::binary); 18 | 19 | if (!file_ifstream) 20 | return false; 21 | 22 | out_buffer->assign((std::istreambuf_iterator(file_ifstream)), std::istreambuf_iterator()); 23 | file_ifstream.close(); 24 | 25 | return true; 26 | } 27 | 28 | bool kdmapper_utils::CreateFileFromMemory(const std::wstring& desired_file_path, const char* address, size_t size) { 29 | std::ofstream file_ofstream(desired_file_path.c_str(), std::ios_base::out | std::ios_base::binary); 30 | 31 | if (!file_ofstream.write(address, size)) { 32 | file_ofstream.close(); 33 | return false; 34 | } 35 | 36 | file_ofstream.close(); 37 | return true; 38 | } 39 | 40 | uint64_t kdmapper_utils::GetKernelModuleAddress(const std::string& module_name) { 41 | void* buffer = nullptr; 42 | DWORD buffer_size = 0; 43 | 44 | NTSTATUS status = NtQuerySystemInformation(static_cast(nt::SystemModuleInformation), buffer, buffer_size, &buffer_size); 45 | 46 | while (status == STATUS_INFO_LENGTH_MISMATCH) { 47 | if (buffer != nullptr) 48 | VirtualFree(buffer, 0, MEM_RELEASE); 49 | 50 | buffer = VirtualAlloc(nullptr, buffer_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 51 | status = NtQuerySystemInformation(static_cast(nt::SystemModuleInformation), buffer, buffer_size, &buffer_size); 52 | } 53 | 54 | if (!NT_SUCCESS(status)) { 55 | if (buffer != nullptr) 56 | VirtualFree(buffer, 0, MEM_RELEASE); 57 | return 0; 58 | } 59 | 60 | const auto modules = static_cast(buffer); 61 | if (!modules) 62 | return 0; 63 | 64 | for (auto i = 0u; i < modules->NumberOfModules; ++i) { 65 | const std::string current_module_name = std::string(reinterpret_cast(modules->Modules[i].FullPathName) + modules->Modules[i].OffsetToFileName); 66 | 67 | if (!_stricmp(current_module_name.c_str(), module_name.c_str())) 68 | { 69 | const uint64_t result = reinterpret_cast(modules->Modules[i].ImageBase); 70 | 71 | VirtualFree(buffer, 0, MEM_RELEASE); 72 | return result; 73 | } 74 | } 75 | 76 | VirtualFree(buffer, 0, MEM_RELEASE); 77 | return 0; 78 | } 79 | 80 | BOOLEAN kdmapper_utils::bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask) { 81 | for (; *szMask; ++szMask, ++pData, ++bMask) 82 | if (*szMask == 'x' && *pData != *bMask) 83 | return 0; 84 | return (*szMask) == 0; 85 | } 86 | 87 | uintptr_t kdmapper_utils::FindPattern(uintptr_t dwAddress, uintptr_t dwLen, BYTE* bMask, char* szMask) { 88 | size_t max_len = dwLen - strlen(szMask); 89 | for (uintptr_t i = 0; i < max_len; i++) 90 | if (bDataCompare((BYTE*)(dwAddress + i), bMask, szMask)) 91 | return (uintptr_t)(dwAddress + i); 92 | return 0; 93 | } 94 | 95 | PVOID kdmapper_utils::FindSection(char* sectionName, uintptr_t modulePtr, PULONG size) { 96 | size_t namelength = strlen(sectionName); 97 | PIMAGE_NT_HEADERS headers = (PIMAGE_NT_HEADERS)(modulePtr + ((PIMAGE_DOS_HEADER)modulePtr)->e_lfanew); 98 | PIMAGE_SECTION_HEADER sections = IMAGE_FIRST_SECTION(headers); 99 | for (DWORD i = 0; i < headers->FileHeader.NumberOfSections; ++i) { 100 | PIMAGE_SECTION_HEADER section = §ions[i]; 101 | if (memcmp(section->Name, sectionName, namelength) == 0 && 102 | namelength == strlen((char*)section->Name)) { 103 | if (!section->VirtualAddress) { 104 | return 0; 105 | } 106 | if (size) { 107 | *size = section->Misc.VirtualSize; 108 | } 109 | return (PVOID)(modulePtr + section->VirtualAddress); 110 | } 111 | } 112 | return 0; 113 | } 114 | 115 | void DbgPrint(const char* FormatString, ...) 116 | { 117 | char* dbgout = new char[1024]; 118 | va_list vaList; 119 | 120 | va_start(vaList, FormatString); 121 | wvsprintfA(dbgout, FormatString, vaList); 122 | OutputDebugStringA(dbgout); 123 | va_end(vaList); 124 | } -------------------------------------------------------------------------------- /SKLib/include/MapEx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #ifdef _KERNEL_MODE 3 | 4 | #include "cpp.h" 5 | #include "ListEx.h" 6 | #include "spinlock.h" 7 | 8 | #pragma warning (disable:4311) 9 | #pragma warning (disable:4302) 10 | 11 | #define DEFAULT_MAP_SIZE 10 12 | 13 | template 14 | struct MapItem { 15 | K key; 16 | V value; 17 | 18 | bool bValid; 19 | 20 | MapItem(K k, V v, bool isValid = true) { 21 | key = k; 22 | value = v; 23 | bValid = isValid; 24 | } 25 | }; 26 | 27 | template 28 | class unordered_map { 29 | public: 30 | void Init() { 31 | lock.Init(); 32 | lock.Lock(); 33 | length = 0; 34 | size = DEFAULT_MAP_SIZE; 35 | items = (list>*)cpp::kMalloc(sizeof(*items) * size); 36 | for (int i = 0; i < size; i++) { 37 | items[i].Init(); 38 | items[i].emplace_back(K(), V()); 39 | } 40 | lock.Unlock(); 41 | } 42 | void Dispose() { 43 | lock.Lock(); 44 | for (int i = 0; i < size; i++) 45 | items[i].Dispose(); 46 | cpp::kFree(items); 47 | items = nullptr; 48 | size = 0; 49 | lock.Unlock(); 50 | } 51 | unordered_map() { 52 | Init(); 53 | } 54 | ~unordered_map() { 55 | Dispose(); 56 | } 57 | 58 | void Append(K& key, V& value) { 59 | int index = Hash(key); 60 | lock.Lock(); 61 | if (!items[index].Length()) 62 | items[index].emplace_back(key, value, false); 63 | MapItem& curItem = items[index].Last(); 64 | if (!curItem.bValid) { 65 | //Item is not used 66 | if (length == size) { 67 | int oldSize = size; 68 | size += DEFAULT_MAP_SIZE; 69 | list>* newItems = (list>*)cpp::kMalloc(sizeof(*newItems) * size); 70 | 71 | RtlZeroMemory(newItems, sizeof(*newItems) * size); 72 | RtlCopyMemory(newItems, items, sizeof(*newItems) * oldSize); 73 | 74 | cpp::kFree(items); 75 | items = newItems; 76 | } 77 | 78 | curItem.key = key; 79 | curItem.value = value; 80 | curItem.bValid = true; 81 | 82 | length++; 83 | } 84 | else { 85 | if (curItem.key == key) { 86 | curItem.value = value; 87 | lock.Unlock(); 88 | return; 89 | } 90 | 91 | items[index].emplace_back(key, value, false); 92 | } 93 | lock.Unlock(); 94 | } 95 | 96 | void Append(K&& key, V&& value) { 97 | Append(key, value); 98 | } 99 | void Append(K& key, V&& value) { 100 | Append(key, value); 101 | } 102 | void Append(K&& key, V& value) { 103 | Append(key, value); 104 | } 105 | void Clean() { 106 | lock.Lock(); 107 | length = 0; 108 | RtlRtlZeroMemory(items, sizeof(*items) * size); 109 | lock.Unlock(); 110 | } 111 | void reserve(int amount) { 112 | if (amount <= 0) 113 | return; 114 | 115 | lock.Lock(); 116 | int oldSize = size; 117 | size += amount; 118 | list>* newItems = (list>*)cpp::kMalloc(sizeof(*items) * size); 119 | 120 | RtlZeroMemory(newItems, sizeof(*newItems) * size); 121 | RtlCopyMemory(newItems, items, sizeof(*newItems) * oldSize); 122 | 123 | cpp::kFree(items); 124 | items = newItems; 125 | 126 | for (int i = oldSize; i < size; i++) 127 | items[i].Init(); 128 | lock.Unlock(); 129 | } 130 | bool Contains(K&& key) { 131 | int index = Hash(key); 132 | return items[index].Length(); 133 | } 134 | bool Contains(K& key) { 135 | int index = Hash(key); 136 | return items[index].Length(); 137 | } 138 | 139 | V& Value(K&& key) { 140 | return BracketOverload(key); 141 | } 142 | V& Value(K& key) { 143 | return BracketOverload(key); 144 | } 145 | const V& operator[](K&& key) const { 146 | return BracketOverload(key); 147 | } 148 | V& operator[](K&& key) { 149 | return BracketOverload(key); 150 | } 151 | const V& operator[](K& key) const { 152 | return BracketOverload(key); 153 | } 154 | V& operator[](K& key) { 155 | return BracketOverload(key); 156 | } 157 | 158 | void DisableLock() { 159 | lock.Unlock(); 160 | } 161 | 162 | private: 163 | int length; 164 | int size; 165 | list>* items; 166 | Spinlock lock; 167 | 168 | ULONG Hash(K& value) { 169 | ULONG val = 0; 170 | 171 | for (int i = 0; i < sizeof(value) / 4; i++) { 172 | if(i & 1) 173 | val |= ((ULONG*)&value)[i]; 174 | else 175 | val ^= ((ULONG*)&value)[i]; 176 | } 177 | 178 | val %= size; 179 | return val; 180 | } 181 | 182 | V& BracketOverload(K&& key) { 183 | return BracketOverload(key); 184 | } 185 | 186 | V& BracketOverload(K& key) { 187 | lock.Lock(); 188 | int index = Hash(key); 189 | if (!items[index].Length()) { 190 | throw_std(); 191 | } 192 | MapItem& curItem = items[index].Last(); 193 | 194 | if (!curItem.bValid || curItem.key != key) 195 | throw_std(); 196 | 197 | lock.Unlock(); 198 | return curItem.value; 199 | } 200 | }; 201 | 202 | #pragma warning (default:4311) 203 | #pragma warning (default:4302) 204 | 205 | #endif -------------------------------------------------------------------------------- /phymeme_lib/util/hook.hpp: -------------------------------------------------------------------------------- 1 | /* 2 | MIT License 3 | 4 | Copyright (c) 2020 xerox 5 | 6 | Permission is hereby granted, free of charge, to any person obtaining a copy 7 | of this software and associated documentation files (the "Software"), to deal 8 | in the Software without restriction, including without limitation the rights 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 | copies of the Software, and to permit persons to whom the Software is 11 | furnished to do so, subject to the following conditions: 12 | 13 | The above copyright notice and this permission notice shall be included in all 14 | copies or substantial portions of the Software. 15 | 16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 21 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 | SOFTWARE. 23 | */ 24 | 25 | #pragma once 26 | #include 27 | #include 28 | #include 29 | #include 30 | 31 | #if _M_IX86 32 | #define OFFSET_TO_ADDRESS 0x1 33 | #elif _M_X64 34 | #define OFFSET_TO_ADDRESS 0x2 35 | #endif 36 | 37 | namespace hook 38 | { 39 | static void write_to_readonly(void* addr, void* data, int size) 40 | { 41 | DWORD old_flags; 42 | VirtualProtect((LPVOID)addr, size, PAGE_EXECUTE_READWRITE, &old_flags); 43 | memcpy((void*)addr, data, size); 44 | VirtualProtect((LPVOID)addr, size, old_flags, &old_flags); 45 | } 46 | 47 | class detour 48 | { 49 | public: 50 | detour(void* addr_to_hook, void* jmp_to, bool enable = true) 51 | : hook_addr(addr_to_hook), detour_addr(jmp_to), hook_installed(false) 52 | { 53 | //setup hook 54 | memcpy( 55 | jmp_code + OFFSET_TO_ADDRESS, 56 | &jmp_to, 57 | sizeof(jmp_to) 58 | ); 59 | 60 | //save bytes 61 | memcpy( 62 | org_bytes, 63 | hook_addr, 64 | sizeof(org_bytes) 65 | ); 66 | if(enable) 67 | install(); 68 | } 69 | 70 | void install() 71 | { 72 | if (hook_installed.load()) 73 | return; 74 | 75 | // mapped page is already read/write 76 | memcpy(hook_addr, jmp_code, sizeof(jmp_code)); 77 | hook_installed.exchange(true); 78 | } 79 | void uninstall() 80 | { 81 | if (!hook_installed.load()) 82 | return; 83 | 84 | // mapped page is already read/write 85 | memcpy(hook_addr, org_bytes, sizeof(org_bytes)); 86 | hook_installed.exchange(false); 87 | } 88 | 89 | ~detour() { uninstall(); } 90 | bool installed() { return hook_installed; } 91 | void* hook_address() { return hook_addr; } 92 | void* detour_address() { return detour_addr; } 93 | private: 94 | std::atomic hook_installed; 95 | void *hook_addr, *detour_addr; 96 | 97 | #if _M_IX86 98 | /* 99 | 0: b8 ff ff ff ff mov eax, 0xffffffff 100 | 5: ff e0 jmp eax 101 | */ 102 | unsigned char jmp_code[7] = { 103 | 0xb8, 0x0, 0x0, 0x0, 0x0, 104 | 0xFF, 0xE0 105 | }; 106 | #elif _M_X64 107 | /* 108 | 0: 48 b8 ff ff ff ff ff ff ff ff movabs rax,0xffffffffffffffff 109 | 7: ff e0 jmp rax 110 | */ 111 | unsigned char jmp_code[12] = { 112 | 0x48, 0xb8, 113 | 0x0, 114 | 0x0, 115 | 0x0, 116 | 0x0, 117 | 0x0, 118 | 0x0, 119 | 0x0, 120 | 0x0, 121 | 0xff, 0xe0 122 | }; 123 | #endif 124 | std::uint8_t org_bytes[sizeof(jmp_code)]; 125 | }; 126 | 127 | static std::map> hooks{}; 128 | 129 | /* 130 | Author: xerox 131 | Date: 12/19/2019 132 | 133 | Create Hook without needing to deal with objects 134 | */ 135 | static void make_hook(void* addr_to_hook, void* jmp_to_addr, bool enable = true) 136 | { 137 | if (!addr_to_hook) 138 | return; 139 | 140 | hooks.insert({ 141 | addr_to_hook, 142 | std::make_unique( 143 | addr_to_hook, 144 | jmp_to_addr, 145 | enable 146 | )} 147 | ); 148 | } 149 | 150 | /* 151 | Author: xerox 152 | Date: 12/19/2019 153 | 154 | Enable hook given the address to hook 155 | */ 156 | static void enable(void* addr) 157 | { 158 | if (!addr) 159 | return; 160 | hooks.at(addr)->install(); 161 | } 162 | 163 | /* 164 | Author: xerox 165 | Date: 12/19/2019 166 | 167 | Disable hook givent the address of the hook 168 | */ 169 | static void disable(void* addr) 170 | { 171 | if (!addr) 172 | return; 173 | hooks.at(addr)->uninstall(); 174 | } 175 | 176 | 177 | /* 178 | Author: xerox 179 | Date: 12/19/2019 180 | 181 | Remove hook completely from vector 182 | */ 183 | static void remove(void* addr) 184 | { 185 | if (!addr) 186 | return; 187 | hooks.at(addr)->~detour(); 188 | hooks.erase(addr); 189 | } 190 | } -------------------------------------------------------------------------------- /SKLib-v/src/usbspoof.cpp: -------------------------------------------------------------------------------- 1 | #include "usbspoof.h" 2 | 3 | typedef struct _USB_DRIVER { 4 | PDRIVER_OBJECT DriverObject; 5 | PDRIVER_DISPATCH Original; 6 | } USB_DRIVER, * PUSB_DRIVER; 7 | 8 | struct USBS { 9 | DWORD Length; 10 | USB_DRIVER Drivers[0xFF]; 11 | } USBs = { 0 }; 12 | 13 | NTSTATUS GetNodeConnectionInfoExIoc(PDEVICE_OBJECT device, PIRP irp, PVOID context) { 14 | if (MmIsAddressValid(context)) { 15 | IOC_REQUEST request = *(PIOC_REQUEST)context; 16 | ExFreePool(context); 17 | 18 | PUSB_NODE_CONNECTION_INFORMATION_EX pUsbInfo = (PUSB_NODE_CONNECTION_INFORMATION_EX)request.Buffer; 19 | if (MmIsAddressValid(pUsbInfo)) { 20 | pUsbInfo->DeviceDescriptor.iSerialNumber = 0; 21 | //pUsbInfo->DeviceDescriptor.iProduct = 0; 22 | //pUsbInfo->DeviceDescriptor.iManufacturer = 0; 23 | //pUsbInfo->DeviceDescriptor.idProduct = 0; 24 | //pUsbInfo->DeviceDescriptor.idVendor = 0; 25 | } 26 | } 27 | 28 | return STATUS_SUCCESS; 29 | } 30 | 31 | NTSTATUS GetNodeConnectionInfoIoc(PDEVICE_OBJECT device, PIRP irp, PVOID context) { 32 | if (MmIsAddressValid(context)) { 33 | IOC_REQUEST request = *(PIOC_REQUEST)context; 34 | ExFreePool(context); 35 | 36 | PUSB_NODE_CONNECTION_INFORMATION pUsbInfo = (PUSB_NODE_CONNECTION_INFORMATION)request.Buffer; 37 | if (MmIsAddressValid(pUsbInfo)) { 38 | pUsbInfo->DeviceDescriptor.iSerialNumber = 0; 39 | //pUsbInfo->DeviceDescriptor.iProduct = 0; 40 | //pUsbInfo->DeviceDescriptor.iManufacturer = 0; 41 | //pUsbInfo->DeviceDescriptor.idProduct = 0; 42 | //pUsbInfo->DeviceDescriptor.idVendor = 0; 43 | } 44 | } 45 | 46 | return STATUS_SUCCESS; 47 | } 48 | 49 | NTSTATUS UsbHubControl(PDEVICE_OBJECT device, PIRP irp) { 50 | for (size_t i = 0; i < USBs.Length; i++) { 51 | PUSB_DRIVER driver = &USBs.Drivers[i]; 52 | 53 | if (driver->Original && 54 | MmIsAddressValid(driver->DriverObject) && 55 | driver->DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] == device->DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]) { 56 | if (cpp::IsKernelAddress(irp)) { 57 | PIO_STACK_LOCATION ioc = IoGetCurrentIrpStackLocation(irp); 58 | if (!MmIsAddressValid(ioc)) 59 | return driver->Original(device, irp); 60 | 61 | switch (ioc->Parameters.DeviceIoControl.IoControlCode) { 62 | case IOCTL_USB_GET_NODE_CONNECTION_INFORMATION: 63 | LogCaller(irp, HookedDriver::DriverUSB); 64 | ChangeIoc(ioc, irp, GetNodeConnectionInfoIoc); 65 | break; 66 | case IOCTL_USB_GET_NODE_CONNECTION_INFORMATION_EX: 67 | LogCaller(irp, HookedDriver::DriverUSB); 68 | ChangeIoc(ioc, irp, GetNodeConnectionInfoExIoc); 69 | break; 70 | case IOCTL_USB_GET_DESCRIPTOR_FROM_NODE_CONNECTION: 71 | LogCaller(irp, HookedDriver::DriverUSB); 72 | return STATUS_SUCCESS; 73 | } 74 | } 75 | 76 | return driver->Original(device, irp); 77 | } 78 | } 79 | 80 | return STATUS_UNSUCCESSFUL; 81 | } 82 | 83 | bool usb::Spoof(DWORD64 seed) 84 | { 85 | rnd.setSeed(seed); 86 | rnd.setSecLevel(random::SecurityLevel::PREDICTABLE); 87 | 88 | //vector toDeleteKeys; 89 | // 90 | //registry::KeyEnumerator usbEnum("SYSTEM\\CurrentControlSet\\Enum\\USB"); 91 | //string subKey; 92 | //while (usbEnum.Next(subKey)) { 93 | // string fullSubPath = string("SYSTEM\\CurrentControlSet\\Enum\\USB\\") + subKey; 94 | // registry::KeyEnumerator subEnum(fullSubPath.c_str()); 95 | // string deviceInstanceId; 96 | // while (subEnum.Next(deviceInstanceId)) { 97 | // fullSubPath += "\\"; 98 | // fullSubPath += deviceInstanceId; 99 | // toDeleteKeys.Append(fullSubPath); 100 | // } 101 | //} 102 | // 103 | //for (auto& key : toDeleteKeys) { 104 | // registry::Delete(key); 105 | //} 106 | 107 | HOOK_SECONDARY_INFO hkSecondaryInfo = { 0 }; 108 | PAGE_PERMISSIONS pgPermissions = { 0 }; 109 | 110 | PWCHAR pDeviceNames = nullptr; 111 | const GUID GUID_USB_HUB = { 0xf18a0e88, 0xc30c, 0x11d0, 0x88, 0x15, 0x00, 0xa0, 0xc9, 0x06, 0xbe, 0xd8 }; 112 | NTSTATUS ntStatus = IoGetDeviceInterfaces(&GUID_USB_HUB, nullptr, DEVICE_INTERFACE_INCLUDE_NONACTIVE, &pDeviceNames); 113 | if (!NT_SUCCESS(ntStatus)) { 114 | DbgMsg("[USB] Failed enumerating usb device interfaces: 0x%x", ntStatus); 115 | return false; 116 | } 117 | 118 | list usbInterfaces; 119 | while (true) { 120 | int strLen = wcslen(pDeviceNames); 121 | if (!strLen) 122 | break; 123 | usbInterfaces.emplace_back(pDeviceNames); 124 | pDeviceNames += (strLen)+1; 125 | } 126 | 127 | vmm::vHooks->reserve(20); 128 | 129 | for (auto& interface : usbInterfaces) { 130 | PDEVICE_OBJECT pCurrDevObj = IOCTL::GetDeviceFromIName(interface); 131 | if (!pCurrDevObj) { 132 | continue; 133 | } 134 | DbgMsg("[USB] Found device interface: %s", interface.c_str()); 135 | 136 | auto usb = &USBs.Drivers[USBs.Length]; 137 | usb->DriverObject = pCurrDevObj->DriverObject; 138 | hkSecondaryInfo.pOrigFn = (PVOID*)&usb->Original; 139 | 140 | if (!EPT::HookExec(pCurrDevObj->DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL], UsbHubControl, hkSecondaryInfo)) { 141 | DbgMsg("[USB] Failed hooking %s IoDeviceCtrl", interface.c_str()); 142 | } 143 | else { 144 | DbgMsg("[USB] Hooked %s IoDeviceCtrl", interface.c_str()); 145 | } 146 | USBs.Length++; 147 | } 148 | 149 | return true; 150 | } 151 | -------------------------------------------------------------------------------- /SKLib-v/include/Vmcall.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "VMMDef.h" 4 | #include "MapEx.h" 5 | #include "paging.h" 6 | #include "bugcheck.h" 7 | 8 | #ifdef _KERNEL_MODE 9 | typedef NTSTATUS(*fnVmcallCallback)(ULONG64& ulOpt1, ULONG64& ulOpt2, ULONG64& ulOpt3); 10 | 11 | namespace vmcall { 12 | 13 | enum VMCALL_TYPE { 14 | VMCALL_TEST = 0x1, 15 | VMCALL_VMXOFF, 16 | VMCALL_INVEPT_CONTEXT, 17 | VMCALL_HOOK_PAGE, 18 | VMCALL_UNHOOK_PAGE, 19 | VMCALL_HOOK_PAGE_RANGE, 20 | VMCALL_HOOK_PAGE_INDEX, 21 | VMCALL_SUBSTITUTE_PAGE, 22 | VMCALL_CRASH, //Test VMCALL 23 | VMCALL_PROBE, //Test VMCALL 24 | VMCALL_READ_VIRT, 25 | VMCALL_WRITE_VIRT, 26 | VMCALL_READ_PHY, 27 | VMCALL_WRITE_PHY, 28 | VMCALL_DISABLE_EPT, 29 | VMCALL_SET_COMM_KEY, 30 | VMCALL_GET_CR3, 31 | VMCALL_GET_EPT_BASE, 32 | VMCALL_VIRT_TO_PHY, 33 | VMCALL_STORAGE_QUERY 34 | }; 35 | 36 | extern unordered_map* vVmcallCallbacks; 37 | 38 | bool Init(); 39 | void Dispose(); 40 | 41 | fnVmcallCallback FindHandler(ULONG64 vmcallCode); 42 | 43 | void InsertHandler(fnVmcallCallback pCallback, ULONG64 vmcallCode); 44 | void RemoveHandler(ULONG64 vmcallCode); 45 | 46 | bool ValidateCommunicationKey(ULONG64 key); 47 | bool IsVmcall(ULONG64 r9); 48 | ULONG64 GetCommunicationKey(); 49 | ULONG64 GetLastGuestCr3(); 50 | NTSTATUS HandleVmcall(ULONG64 ulCallNum, ULONG64& ulOpt1, ULONG64& ulOpt2, ULONG64& ulOpt3); 51 | 52 | class RW { 53 | private: 54 | DWORD64 _cr3; 55 | 56 | public: 57 | RW(DWORD64 cr3) : _cr3(cr3) {}; 58 | 59 | template 60 | T Read(PVOID pAddress) { 61 | vmm::PREAD_DATA readData = nullptr; 62 | char buffer[sizeof(vmm::READ_DATA) * 2] = { 0 }; 63 | if (PAGE_ALIGN(buffer) != PAGE_ALIGN(buffer + sizeof(vmm::READ_DATA))) { 64 | readData = (vmm::PREAD_DATA)PAGE_ALIGN(buffer + sizeof(vmm::READ_DATA)); 65 | } 66 | else { 67 | readData = (vmm::PREAD_DATA)buffer; 68 | } 69 | 70 | T out; 71 | readData->length = sizeof(T); 72 | readData->pOutBuf = &out; 73 | readData->pTarget = pAddress; 74 | 75 | NTSTATUS ntStatus = CPU::CPUIDVmCall(VMCALL_READ_VIRT, (ULONG64)readData, _cr3, vmcall::GetCommunicationKey()); 76 | if (ntStatus != STATUS_SUCCESS) { 77 | DbgMsg("[RW] Failed reading %p: 0x%x", pAddress, ntStatus); 78 | return T(); 79 | } 80 | 81 | return out; 82 | } 83 | 84 | bool Read(PVOID pAddress, PVOID pOut, SIZE_T sz) { 85 | vmm::PREAD_DATA readData = nullptr; 86 | char buffer[sizeof(vmm::READ_DATA) * 2] = { 0 }; 87 | if (PAGE_ALIGN(buffer) != PAGE_ALIGN(buffer + sizeof(vmm::READ_DATA))) { 88 | readData = (vmm::PREAD_DATA)PAGE_ALIGN(buffer + sizeof(vmm::READ_DATA)); 89 | } 90 | else { 91 | readData = (vmm::PREAD_DATA)buffer; 92 | } 93 | 94 | readData->length = sz; 95 | readData->pOutBuf = pOut; 96 | readData->pTarget = pAddress; 97 | 98 | NTSTATUS ntStatus = CPU::CPUIDVmCall(VMCALL_READ_VIRT, (ULONG64)readData, _cr3, vmcall::GetCommunicationKey()); 99 | if (ntStatus != STATUS_SUCCESS) { 100 | DbgMsg("[RW] Failed reading %p: 0x%x", pAddress, ntStatus); 101 | return false; 102 | } 103 | 104 | return true; 105 | } 106 | 107 | template 108 | bool Write(PVOID pAddress, T obj) { 109 | vmm::PWRITE_DATA writeData = nullptr; 110 | char buffer[sizeof(vmm::WRITE_DATA) * 2] = { 0 }; 111 | if (PAGE_ALIGN(buffer) != PAGE_ALIGN(buffer + sizeof(vmm::WRITE_DATA))) { 112 | writeData = (vmm::PWRITE_DATA)PAGE_ALIGN(buffer + sizeof(vmm::WRITE_DATA)); 113 | } 114 | else { 115 | writeData = (vmm::PWRITE_DATA)buffer; 116 | } 117 | writeData->length = sizeof(T); 118 | writeData->pInBuf = &obj; 119 | writeData->pTarget = pAddress; 120 | 121 | NTSTATUS ntStatus = CPU::CPUIDVmCall(VMCALL_WRITE_VIRT, (ULONG64)writeData, _cr3, vmcall::GetCommunicationKey()); 122 | if (ntStatus != STATUS_SUCCESS) { 123 | DbgMsg("[RW] Failed writing %p: 0x%x", pAddress, ntStatus); 124 | return false; 125 | } 126 | return true; 127 | } 128 | 129 | inline bool Write(PVOID pAddress, PVOID pIn, SIZE_T sz) { 130 | vmm::PWRITE_DATA writeData = nullptr; 131 | char buffer[sizeof(vmm::WRITE_DATA) * 2] = { 0 }; 132 | if (PAGE_ALIGN(buffer) != PAGE_ALIGN(buffer + sizeof(vmm::WRITE_DATA))) { 133 | writeData = (vmm::PWRITE_DATA)PAGE_ALIGN(buffer + sizeof(vmm::WRITE_DATA)); 134 | } 135 | else { 136 | writeData = (vmm::PWRITE_DATA)buffer; 137 | } 138 | writeData->length = sz; 139 | writeData->pInBuf = pIn; 140 | writeData->pTarget = pAddress; 141 | 142 | NTSTATUS ntStatus = CPU::CPUIDVmCall(VMCALL_WRITE_VIRT, (ULONG64)writeData, _cr3, vmcall::GetCommunicationKey()); 143 | if (ntStatus != STATUS_SUCCESS) { 144 | DbgMsg("[RW] Failed writing %p: 0x%x", pAddress, ntStatus); 145 | return false; 146 | } 147 | return true; 148 | } 149 | }; 150 | } 151 | #endif -------------------------------------------------------------------------------- /SKLib-v/src/volumespoof.cpp: -------------------------------------------------------------------------------- 1 | #include "volumespoof.h" 2 | 3 | typedef NTSTATUS(*fnMountControl)(PDEVICE_OBJECT device, PIRP irp); 4 | fnMountControl pMountControl = nullptr; 5 | 6 | typedef struct _MOUNT_SERIAL_DATA { 7 | wchar_t* spoofed; 8 | wchar_t* orig; 9 | 10 | __forceinline bool operator==(_MOUNT_SERIAL_DATA& rhs) { 11 | return memcmp(this, &rhs, sizeof(*this)) == 0; 12 | } 13 | __forceinline bool operator!=(_MOUNT_SERIAL_DATA& rhs) { 14 | return !(*this == rhs); 15 | } 16 | } MOUNT_SERIAL_DATA, * PMOUNT_SERIAL_DATA; 17 | 18 | vector* vVolGUIDs = nullptr; 19 | 20 | #define VOLUME_GUID_MAX_LENGTH (0x24) 21 | #define GUID_OFFSET 22 22 | 23 | /* 24 | * Enable to use hardcoded volume GUID value 25 | */ 26 | //#define DUMMY_VOLUME_GUID L"12345678-1234-1234-1234-123456789123" 27 | 28 | bool FindFakeVolumeGUID(wchar_t* pOriginal) { 29 | if (winternl::IsNtoskrnlAddress((DWORD64)pOriginal)) { 30 | DbgMsg("[DISK] Trying to write volume GUID in ntoskrnl"); 31 | return false; 32 | } 33 | 34 | #ifdef DUMMY_VOLUME_GUID 35 | bool bFound = true; 36 | RtlCopyMemory(pOriginal, DUMMY_VOLUME_GUID, VOLUME_GUID_MAX_LENGTH * 2); 37 | #else 38 | bool bFound = false; 39 | for (auto& serial : *vVolGUIDs) { 40 | if (!memcmp(serial.orig, pOriginal, 4)) { 41 | Memory::WriteProtected(pOriginal, serial.spoofed, VOLUME_GUID_MAX_LENGTH * 2); 42 | bFound = true; 43 | break; 44 | } 45 | } 46 | if (!bFound) { 47 | rnd.setSeed(spoofer::seed); 48 | wchar_t* pBuf = (wchar_t*)cpp::kMalloc((VOLUME_GUID_MAX_LENGTH + 1) * 2); 49 | wchar_t* pBufOrig = (wchar_t*)cpp::kMalloc((VOLUME_GUID_MAX_LENGTH + 1) * 2); 50 | pBuf[VOLUME_GUID_MAX_LENGTH] = 0; 51 | pBufOrig[VOLUME_GUID_MAX_LENGTH] = 0; 52 | RtlCopyMemory(pBuf, pOriginal, VOLUME_GUID_MAX_LENGTH * 2); 53 | RtlCopyMemory(pBufOrig, pOriginal, VOLUME_GUID_MAX_LENGTH * 2); 54 | rnd.w_str_hex(pBuf + 2, 2); 55 | rnd.w_str_hex(pBuf + 9, 4); 56 | rnd.w_str_hex(pBuf + 14, 4); 57 | rnd.random_shuffle(pBuf + 19, 4); 58 | 59 | MOUNT_SERIAL_DATA serial = { 0 }; 60 | serial.orig = pBufOrig; 61 | serial.spoofed = pBuf; 62 | vVolGUIDs->Append(serial); 63 | 64 | Memory::WriteProtected(pOriginal, pBuf, VOLUME_GUID_MAX_LENGTH * 2); 65 | bFound = true; 66 | } 67 | #endif 68 | 69 | return bFound; 70 | } 71 | 72 | NTSTATUS MountPointsIoc(PDEVICE_OBJECT device, PIRP irp, PVOID context) { 73 | if (MmIsAddressValid(context)) { 74 | IOC_REQUEST request = *(PIOC_REQUEST)context; 75 | ExFreePool(context); 76 | 77 | if (request.BufferLength >= sizeof(MOUNTMGR_MOUNT_POINTS)) { 78 | PMOUNTMGR_MOUNT_POINTS points = (PMOUNTMGR_MOUNT_POINTS)request.Buffer; 79 | if (MmIsAddressValid(points)) { 80 | for (DWORD32 i = 0; i < points->NumberOfMountPoints; ++i) { 81 | volatile PMOUNTMGR_MOUNT_POINT point = points->MountPoints + i; 82 | if (*(wchar_t*)((DWORD64)points + point->SymbolicLinkNameOffset + GUID_OFFSET - 2) == L'{') { 83 | FindFakeVolumeGUID((wchar_t*)((char*)points + point->SymbolicLinkNameOffset + GUID_OFFSET)); 84 | } 85 | } 86 | } 87 | } 88 | 89 | if (request.OldRoutine && irp->StackCount > 1) { 90 | return request.OldRoutine(device, irp, request.OldContext); 91 | } 92 | } 93 | 94 | return STATUS_SUCCESS; 95 | } 96 | 97 | NTSTATUS MountUniqueIoc(PDEVICE_OBJECT device, PIRP irp, PVOID context) { 98 | if (MmIsAddressValid(context)) { 99 | IOC_REQUEST request = *(PIOC_REQUEST)context; 100 | ExFreePool(context); 101 | 102 | if (request.BufferLength >= sizeof(MOUNTDEV_UNIQUE_ID)) { 103 | PMOUNTDEV_UNIQUE_ID point = (PMOUNTDEV_UNIQUE_ID)request.Buffer; 104 | if(MmIsAddressValid(point)) 105 | FindFakeVolumeGUID((wchar_t*)point->UniqueId); 106 | } 107 | 108 | if (request.OldRoutine && irp->StackCount > 1) { 109 | return request.OldRoutine(device, irp, request.OldContext); 110 | } 111 | } 112 | 113 | return STATUS_SUCCESS; 114 | } 115 | 116 | NTSTATUS MountControl(PDEVICE_OBJECT device, PIRP irp) { 117 | if (cpp::IsKernelAddress(irp)) { 118 | PIO_STACK_LOCATION ioc = IoGetCurrentIrpStackLocation(irp); 119 | if (!cpp::IsKernelAddress(ioc)) 120 | return pMountControl(device, irp); 121 | 122 | switch (ioc->Parameters.DeviceIoControl.IoControlCode) { 123 | case IOCTL_MOUNTMGR_QUERY_POINTS: 124 | LogCaller(irp, HookedDriver::DriverVolume); 125 | ChangeIoc(ioc, irp, MountPointsIoc); 126 | break; 127 | case IOCTL_MOUNTDEV_QUERY_UNIQUE_ID: 128 | LogCaller(irp, HookedDriver::DriverVolume); 129 | ChangeIoc(ioc, irp, MountUniqueIoc); 130 | break; 131 | } 132 | } 133 | 134 | return pMountControl(device, irp); 135 | } 136 | 137 | bool volumes::Spoof(DWORD64 seed) 138 | { 139 | bool bRes = false; 140 | 141 | rnd.setSeed(seed); 142 | rnd.setSecLevel(random::SecurityLevel::PREDICTABLE); 143 | 144 | if (!vVolGUIDs) { 145 | vVolGUIDs = (vector*)cpp::kMalloc(sizeof(*vVolGUIDs), PAGE_READWRITE); 146 | vVolGUIDs->Init(); 147 | vVolGUIDs->reserve(64); 148 | } 149 | else { 150 | for (auto& guid : *vVolGUIDs) { 151 | rnd.setSeed(seed); 152 | wchar_t* pBuf = (wchar_t*)cpp::kMalloc((VOLUME_GUID_MAX_LENGTH + 1) * 2); 153 | pBuf[VOLUME_GUID_MAX_LENGTH] = 0; 154 | rnd.w_str_hex(pBuf + 2, 2); 155 | rnd.w_str_hex(pBuf + 9, 4); 156 | rnd.w_str_hex(pBuf + 14, 4); 157 | rnd.random_shuffle(pBuf + 19, 4); 158 | guid.spoofed = pBuf; 159 | } 160 | return true; 161 | } 162 | 163 | HOOK_SECONDARY_INFO hkSecondaryInfo = { 0 }; 164 | hkSecondaryInfo.pOrigFn = (PVOID*)&pMountControl; 165 | PDRIVER_OBJECT pDrivObj = IOCTL::GetDriverObj("\\Driver\\mountmgr"); 166 | 167 | if (!EPT::HookExec(pDrivObj->MajorFunction[IRP_MJ_DEVICE_CONTROL], MountControl, hkSecondaryInfo)) { 168 | DbgMsg("[DISK] Failed hooking mountmgr IoDeviceCtrl"); 169 | bRes = false; 170 | } 171 | else { 172 | DbgMsg("[DISK] Hooked mountmgr IoDeviceCtrl"); 173 | bRes = true; 174 | } 175 | ObDereferenceObject(pDrivObj); 176 | 177 | return bRes; 178 | } 179 | --------------------------------------------------------------------------------