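/*
 * Source.c — kernel driver exposing a single IOCTL that returns the base
 * address of a named module inside a named process.
 *
 * NOTE(review): the names of the five system headers below were lost when
 * this page was extracted. The kernel types and routines used here
 * (DEVICE_OBJECT, IRP, IoCreateDevice, PsLookupProcessByProcessId, ...)
 * come from the WDK headers; restore the real names before building.
 */
#include <SYSTEM_HEADER_1_LOST_IN_EXTRACTION.h>
#include <SYSTEM_HEADER_2_LOST_IN_EXTRACTION.h>
#include <SYSTEM_HEADER_3_LOST_IN_EXTRACTION.h>
#include <SYSTEM_HEADER_4_LOST_IN_EXTRACTION.h>
#include <SYSTEM_HEADER_5_LOST_IN_EXTRACTION.h>
#include "raw.h"
#include "Source.h"

/* IOCTL codes. Only GET_MODULE_REQUEST_GAME is handled by IoControl(). */
#define GET_MODULE_REQUEST      CTL_CODE(FILE_DEVICE_UNKNOWN, 0x13, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define GET_MODULE_REQUEST_GAME CTL_CODE(FILE_DEVICE_UNKNOWN, 0x21, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

PDEVICE_OBJECT DeviceObject;   // never assigned in this file; the control device is DriverInitialize's devobj
UNICODE_STRING dev, dos;       // dev: driver object name passed to IoCreateDriver; dos is not used here
DWORD PID;                     // id of the process matched by LSFindProcessIdByName()
DWORD64 MainModule = 0;        // base of the module found by RDrvGetModuleEntry() (was "= NULL", a pointer constant in an integer)
PEPROCESS Process;             // EPROCESS for PID; valid only between the lookup and the dereference in IoControl()

NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject);
NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp);
NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp);

/*
 * Locate a module in the target process's loader list and store its base
 * address in MainModule.
 *
 * ModuleName: base DLL name to look for, compared case-insensitively;
 *             NULL selects the first entry of the in-load-order list.
 *
 * Requires PID and Process to be set (see IoControl). The routine attaches
 * to the target process to read its PEB and detaches on every exit path;
 * the original detached only on the match path, which left the caller
 * running in the target's address space on every other return.
 *
 * Returns STATUS_SUCCESS when MainModule was set, STATUS_NOT_FOUND when no
 * entry matched, STATUS_INVALID_PARAMETER_1 when Process is NULL, and
 * STATUS_UNSUCCESSFUL when PID is 0 or the PEB / loader data is unavailable.
 */
NTSTATUS RDrvGetModuleEntry(_In_ LPCWSTR ModuleName)
{
    if (!PID) {
        return STATUS_UNSUCCESSFUL;
    }
    /* Validate before attaching: the original attached first and checked
     * Process afterwards, so a NULL Process reached KeStackAttachProcess. */
    if (!Process) {
        return STATUS_INVALID_PARAMETER_1;
    }

    BOOLEAN returnFirstModule = !ModuleName;
    UNICODE_STRING wanted = { 0 };
    if (!returnFirstModule) {
        RtlInitUnicodeString(&wanted, ModuleName);
    }

    NTSTATUS status = STATUS_NOT_FOUND;
    PPEB peb = NULL;
    PPEB_LDR_DATA ldr = NULL;
    KAPC_STATE apcState;

    KeStackAttachProcess(Process, &apcState);

    peb = PsGetProcessPeb(Process);
    if (!peb) {
        status = STATUS_UNSUCCESSFUL;
        goto detach;
    }

    ldr = peb->Ldr;
    /* The original "wait" loop had no delay and its body returned on the
     * first iteration, so it was equivalent to this single check. */
    if (!ldr || !ldr->Initialized) {
        status = STATUS_UNSUCCESSFUL;
        goto detach;
    }

    for (PLIST_ENTRY entry = ldr->InLoadOrderModuleList.Flink;
         entry != &ldr->InLoadOrderModuleList;
         entry = entry->Flink) {
        PLDR_DATA_TABLE_ENTRY ldrEntry =
            CONTAINING_RECORD(entry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);

        /* RtlEqualUnicodeString bounds the comparison by both lengths. The
         * previous RtlCompareMemory read BaseDllName.Length bytes of
         * ModuleName whatever its real length, and accepted any ModuleName
         * that merely started with the entry's name. Case-insensitive to
         * match the image-name comparison in LSFindProcessIdByName(). */
        if (returnFirstModule ||
            RtlEqualUnicodeString(&wanted, &ldrEntry->BaseDllName, TRUE)) {
#ifdef DEBUGPRINT
            DbgPrint("%p\n", ldrEntry->DllBase);
#endif
            /* The NULL-ModuleName path now also records the base; the
             * original returned success without touching MainModule. */
            MainModule = (DWORD64)(ULONG_PTR)ldrEntry->DllBase;
            status = STATUS_SUCCESS;
            break;
        }
    }

detach:
    KeUnstackDetachProcess(&apcState);
    return status;
}

/*
 * Find a process by image name and store its id in the global PID.
 *
 * imagename: image file name to match, case-insensitively (e.g. L"Notepad.exe").
 *
 * Queries information class 5 (SystemProcessInformation) with a pool buffer
 * that is doubled until the snapshot fits, then walks the variable-length
 * entries. PID is left unchanged when nothing matches.
 *
 * Returns STATUS_SUCCESS on a match, STATUS_NOT_FOUND when no process has
 * that image name, STATUS_INSUFFICIENT_RESOURCES when the allocation fails,
 * and the ZwQuerySystemInformation status on any other query failure. The
 * original returned STATUS_SUCCESS even when no process matched, and walked
 * the buffer — uninitialised pool — when the query had failed.
 */
NTSTATUS LSFindProcessIdByName(IN PCWSTR imagename)
{
    UNICODE_STRING uimagename;
    RtlInitUnicodeString(&uimagename, imagename); // @RbMm

    NTSTATUS status = STATUS_UNSUCCESSFUL;
    ULONG bufferSize = 0x1024;
    PVOID buffer = NULL;

    /* Grow the buffer until the snapshot fits. */
    for (;;) {
        buffer = ExAllocatePool(PagedPool, bufferSize);
        if (buffer == NULL) {
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        status = ZwQuerySystemInformation(5, buffer, bufferSize, NULL);
        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            break;
        }
        ExFreePool(buffer);
        bufferSize *= 2;
    }

    if (!NT_SUCCESS(status)) {
        ExFreePool(buffer);
        return status;
    }

    status = STATUS_NOT_FOUND;
    for (P_SYSTEM_PROCESS_INFO_L spi = (P_SYSTEM_PROCESS_INFO_L)buffer;;
         spi = (P_SYSTEM_PROCESS_INFO_L)((unsigned char *)spi + spi->NextEntryOffset)) {
        if (RtlEqualUnicodeString(&uimagename, &spi->ImageName, TRUE)) { // @RbMm
#ifdef DEBUGPRINT
            DbgPrint("%d\n", spi->ProcessId);
#endif
            PID = spi->ProcessId;
            status = STATUS_SUCCESS;
            break;
        }
        /* A zero offset marks the last entry. */
        if (spi->NextEntryOffset == 0) {
            break;
        }
    }

    ExFreePool(buffer);
    return status;
}

/*
 * IRP_MJ_DEVICE_CONTROL dispatch. The IOCTLs are METHOD_BUFFERED, so input
 * and output share Irp->AssociatedIrp.SystemBuffer.
 *
 * GET_MODULE_REQUEST_GAME: resolve the process named "Notepad.exe", look up
 * the base of "WhatModuleYouWant.dll" in it and return that base as a
 * DWORD64 in the output buffer. Any other code completes with
 * STATUS_INVALID_PARAMETER and zero bytes.
 *
 * The output length is validated before the write; the original wrote eight
 * bytes into SystemBuffer unconditionally, a pool overflow for any caller
 * that supplied a smaller output buffer. The EPROCESS reference taken by
 * PsLookupProcessByProcessId is released before returning; the original
 * leaked one reference per request. Failures of the lookups are now
 * reported instead of returning a stale MainModule with STATUS_SUCCESS.
 */
NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    NTSTATUS status = STATUS_INVALID_PARAMETER;
    ULONG_PTR bytesReturned = 0;

    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
    ULONG controlCode = stack->Parameters.DeviceIoControl.IoControlCode;
    ULONG outBufferLength = stack->Parameters.DeviceIoControl.OutputBufferLength;

    if (controlCode == GET_MODULE_REQUEST_GAME) {
        PDWORD64 output = (PDWORD64)Irp->AssociatedIrp.SystemBuffer;

        if (output == NULL || outBufferLength < sizeof(*output)) {
            status = STATUS_BUFFER_TOO_SMALL;
        } else {
            status = LSFindProcessIdByName(L"Notepad.exe");
            if (NT_SUCCESS(status)) {
                status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)PID, &Process);
            }
            if (NT_SUCCESS(status)) {
                status = RDrvGetModuleEntry(L"WhatModuleYouWant.dll");
                /* Drop the reference from PsLookupProcessByProcessId; the
                 * global is only meaningful inside this window. */
                ObDereferenceObject(Process);
                Process = NULL;
            }
            if (NT_SUCCESS(status)) {
                *output = MainModule;
                bytesReturned = sizeof(*output);
            }
        }
    }
    // Any other control code: status stays STATUS_INVALID_PARAMETER, no bytes.

    // Complete the request
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = bytesReturned;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return status;
}

/*
 * Initialization callback handed to IoCreateDriver() by DriverEntry.
 *
 * Creates the control device and its DosDevices symbolic link, selects
 * buffered I/O (matching METHOD_BUFFERED in the IOCTL codes) and installs
 * the create / close / device-control dispatch routines.
 *
 * The symbolic-link status is now checked and the device is deleted when
 * the link cannot be created; the original ignored that status and left a
 * device without a link behind.
 *
 * NOTE(review): the device is created without a security descriptor, so
 * any local user able to open \\.\DeviceName can issue
 * GET_MODULE_REQUEST_GAME; restricting the open with an SDDL string
 * (IoCreateDeviceSecure) would limit that.
 */
NTSTATUS DriverInitialize(_In_ struct _DRIVER_OBJECT* DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    // RegistryPath is NULL
    UNREFERENCED_PARAMETER(RegistryPath);

    UNICODE_STRING devName;
    UNICODE_STRING symLink;
    PDEVICE_OBJECT devobj = NULL;

    RtlInitUnicodeString(&devName, L"\\Device\\DeviceName");
    NTSTATUS status = IoCreateDevice(DriverObject, 0, &devName, FILE_DEVICE_UNKNOWN,
                                     FILE_DEVICE_SECURE_OPEN, TRUE, &devobj);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    RtlInitUnicodeString(&symLink, L"\\DosDevices\\DeviceName");
    status = IoCreateSymbolicLink(&symLink, &devName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(devobj);
        return status;
    }

    devobj->Flags |= DO_BUFFERED_IO;

    DriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCall;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCall;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoControl;
    DriverObject->DriverUnload = NULL; // nonstandard way of driver loading, no unload

    devobj->Flags &= ~DO_DEVICE_INITIALIZING;
    return status;
}

/*
 * Entry point. The supplied DriverObject is not used; instead a driver
 * object named \Driver\DeviceName is created through IoCreateDriver(),
 * whose callback (DriverInitialize) sets up the device. That callback's
 * status is now propagated; the original always returned STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(_In_ struct _DRIVER_OBJECT* DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(DriverObject);
    UNREFERENCED_PARAMETER(RegistryPath);

    //PsSetLoadImageNotifyRoutine(ImageLoadCallback);
    // Our device and symbolic link names

    RtlInitUnicodeString(&dev, L"\\Driver\\DeviceName");
    return IoCreateDriver(&dev, &DriverInitialize);
}

/*
 * Unload routine. Not installed (DriverUnload is set to NULL in
 * DriverInitialize); kept for the prototype in Source.h.
 */
NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    return STATUS_SUCCESS;
}

/* IRP_MJ_CREATE dispatch: accept every open with no data transferred. */
NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    irp->IoStatus.Status = STATUS_SUCCESS;
    irp->IoStatus.Information = 0;

    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/* IRP_MJ_CLOSE dispatch: accept every close with no data transferred. */
NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    irp->IoStatus.Status = STATUS_SUCCESS;
    irp->IoStatus.Information = 0;

    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}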