├── README.md
├── User
    ├── stdafx.h
    ├── User.vcxproj.filters
    ├── util.h
    ├── User.vcxproj
    ├── util.c
    └── main.c
└── Kernel
    ├── Kernel.vcxproj.filters
    ├── stdafx.h
    ├── Kernel.inf
    ├── util.c
    ├── Kernel.vcxproj
    ├── util.h
    └── main.c


/README.md:
--------------------------------------------------------------------------------
 1 | # HWID-Spoofer
 2 | 
 3 | A HWID-Spoofer made by me. Tested for Fortnite and Valorant. Really undetected in the moment
 4 | 
 5 | ***
 6 | 
 7 | #### How to use the Valorant Internal
 8 | 
 9 | [+] - Download it, then compile the cheat
10 | 
11 | [+] - Execute the Spoofer and your hwid will be changed
12 | 
13 | ***
14 | 


--------------------------------------------------------------------------------
/User/stdafx.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #define _CRT_SECURE_NO_WARNINGS
 4 | 
 5 | #include <stdio.h>
 6 | #include <windows.h>
 7 | #include <shlwapi.h>
 8 | #include <accctrl.h>
 9 | #include <aclapi.h>
10 | #include <shlobj_core.h>
11 | #include <tlhelp32.h>
12 | 
13 | #pragma comment(lib, "shlwapi.lib")
14 | 
15 | #include "util.h"
16 | 
17 | typedef struct _SECTOR {
18 | 	LPCSTR Name;
19 | 	DWORD  NameOffset;
20 | 	DWORD  SerialOffset;
21 | } SECTOR, *PSECTOR;
22 | 
23 | static SECTOR SECTORS[] = {
24 | 	{ "FAT",   0x36, 0x27 },
25 | 	{ "FAT32", 0x52, 0x43 },
26 | 	{ "NTFS",  0x03, 0x48 },
27 | };


--------------------------------------------------------------------------------
/User/User.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="main.c">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |     <ClCompile Include="util.c">
22 |       <Filter>Source Files</Filter>
23 |     </ClCompile>
24 |   </ItemGroup>
25 |   <ItemGroup>
26 |     <ClInclude Include="stdafx.h">
27 |       <Filter>Header Files</Filter>
28 |     </ClInclude>
29 |     <ClInclude Include="util.h">
30 |       <Filter>Header Files</Filter>
31 |     </ClInclude>
32 |   </ItemGroup>
33 | </Project>


--------------------------------------------------------------------------------
/Kernel/Kernel.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="Driver Files">
17 |       <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
18 |       <Extensions>inf;inv;inx;mof;mc;</Extensions>
19 |     </Filter>
20 |   </ItemGroup>
21 |   <ItemGroup>
22 |     <Inf Include="Kernel.inf">
23 |       <Filter>Driver Files</Filter>
24 |     </Inf>
25 |   </ItemGroup>
26 |   <ItemGroup>
27 |     <ClCompile Include="main.c">
28 |       <Filter>Source Files</Filter>
29 |     </ClCompile>
30 |     <ClCompile Include="util.c">
31 |       <Filter>Source Files</Filter>
32 |     </ClCompile>
33 |   </ItemGroup>
34 |   <ItemGroup>
35 |     <ClInclude Include="stdafx.h">
36 |       <Filter>Header Files</Filter>
37 |     </ClInclude>
38 |     <ClInclude Include="util.h">
39 |       <Filter>Header Files</Filter>
40 |     </ClInclude>
41 |   </ItemGroup>
42 | </Project>


--------------------------------------------------------------------------------
/Kernel/stdafx.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include <ntifs.h>
 4 | #include <ntddk.h>
 5 | #include <windef.h>
 6 | #include <ntdddisk.h>
 7 | #include <ntddscsi.h>
 8 | #include <ata.h>
 9 | #include <scsi.h>
10 | #include <ntddndis.h>
11 | #include <mountmgr.h>
12 | #include <mountdev.h>
13 | #include <classpnp.h>
14 | #include <ntimage.h>
15 | 
16 | #include "util.h"
17 | 
18 | static DWORD SEED = 0;
19 | static CHAR SERIAL[] = "---------";
20 | 
21 | typedef struct _NIC_DRIVER {
22 | 	PDRIVER_OBJECT DriverObject;
23 | 	PDRIVER_DISPATCH Original;
24 | } NIC_DRIVER, *PNIC_DRIVER;
25 | 
26 | typedef struct _SWAP {
27 | 	UNICODE_STRING Name;
28 | 	PVOID *Swap;
29 | 	PVOID Original;
30 | } SWAP, *PSWAP;
31 | 
32 | static struct {
33 | 	SWAP Buffer[0xFF];
34 | 	ULONG Length;
35 | } SWAPS = { 0 };
36 | 
37 | // Appends swap to swap list
38 | #define AppendSwap(name, swap, hook, original) { \
39 | 	UNICODE_STRING _n = name; \
40 | 	PSWAP _s = &SWAPS.Buffer[SWAPS.Length++]; \
41 | 	*(PVOID *)&original = _s->Original = InterlockedExchangePointer((PVOID *)(_s->Swap = (PVOID *)swap), (PVOID)hook); \
42 | 	_s->Name = _n; \
43 | 	printf("swapped %wZ\n", &_n); \
44 | }
45 | 
46 | // Swaps MJ device control and appends it to swap list on success
47 | #define SwapControl(driver, hook, original) { \
48 | 	UNICODE_STRING str = driver; \
49 | 	PDRIVER_OBJECT object = 0; \
50 | 	NTSTATUS _status = ObReferenceObjectByName(&str, OBJ_CASE_INSENSITIVE, 0, 0, *IoDriverObjectType, KernelMode, 0, &object); \
51 | 	if (NT_SUCCESS(_status)) { \
52 | 		AppendSwap(str, &object->MajorFunction[IRP_MJ_DEVICE_CONTROL], hook, original); \
53 | 		ObDereferenceObject(object); \
54 | 	} else { \
55 | 		printf("! failed to get %wZ: %p !\n", &str, _status); \
56 | 	} \
57 | }


--------------------------------------------------------------------------------
/Kernel/Kernel.inf:
--------------------------------------------------------------------------------
 1 | ;
 2 | ; Kernel.inf
 3 | ;
 4 | 
 5 | [Version]
 6 | Signature="$WINDOWS NT$"
 7 | Class=Sample ; TODO: edit Class
 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
 9 | Provider=%ManufacturerName%
10 | CatalogFile=Kernel.cat
11 | DriverVer= ; TODO: set DriverVer in stampinf property pages
12 | 
13 | [DestinationDirs]
14 | DefaultDestDir = 12
15 | Kernel_Device_CoInstaller_CopyFiles = 11
16 | 
17 | ; ================= Class section =====================
18 | 
19 | [ClassInstall32]
20 | Addreg=SampleClassReg
21 | 
22 | [SampleClassReg]
23 | HKR,,,0,%ClassName%
24 | HKR,,Icon,,-5
25 | 
26 | [SourceDisksNames]
27 | 1 = %DiskName%,,,""
28 | 
29 | [SourceDisksFiles]
30 | Kernel.sys  = 1,,
31 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
32 | 
33 | ;*****************************************
34 | ; Install Section
35 | ;*****************************************
36 | 
37 | [Manufacturer]
38 | %ManufacturerName%=Standard,NT$ARCH$
39 | 
40 | [Standard.NT$ARCH$]
41 | %Kernel.DeviceDesc%=Kernel_Device, Root\Kernel ; TODO: edit hw-id
42 | 
43 | [Kernel_Device.NT]
44 | CopyFiles=Drivers_Dir
45 | 
46 | [Drivers_Dir]
47 | Kernel.sys
48 | 
49 | ;-------------- Service installation
50 | [Kernel_Device.NT.Services]
51 | AddService = Kernel,%SPSVCINST_ASSOCSERVICE%, Kernel_Service_Inst
52 | 
53 | ; -------------- Kernel driver install sections
54 | [Kernel_Service_Inst]
55 | DisplayName    = %Kernel.SVCDESC%
56 | ServiceType    = 1               ; SERVICE_KERNEL_DRIVER
57 | StartType      = 3               ; SERVICE_DEMAND_START
58 | ErrorControl   = 1               ; SERVICE_ERROR_NORMAL
59 | ServiceBinary  = %12%\Kernel.sys
60 | 
61 | ;
62 | ;--- Kernel_Device Coinstaller installation ------
63 | ;
64 | 
65 | [Kernel_Device.NT.CoInstallers]
66 | AddReg=Kernel_Device_CoInstaller_AddReg
67 | CopyFiles=Kernel_Device_CoInstaller_CopyFiles
68 | 
69 | [Kernel_Device_CoInstaller_AddReg]
70 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
71 | 
72 | [Kernel_Device_CoInstaller_CopyFiles]
73 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
74 | 
75 | [Kernel_Device.NT.Wdf]
76 | KmdfService =  Kernel, Kernel_wdfsect
77 | [Kernel_wdfsect]
78 | KmdfLibraryVersion = $KMDFVERSION$
79 | 
80 | [Strings]
81 | SPSVCINST_ASSOCSERVICE= 0x00000002
82 | ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
83 | ClassName="Samples" ; TODO: edit ClassName
84 | DiskName = "Kernel Installation Disk"
85 | Kernel.DeviceDesc = "Kernel Device"
86 | Kernel.SVCDESC = "Kernel Service"
87 | 


--------------------------------------------------------------------------------
/User/util.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #define LENGTH(a) (sizeof(a) / sizeof(a[0]))
 4 | 
 5 | typedef NTSTATUS(WINAPI *NTQK)(HANDLE KeyHandle, DWORD KeyInformationClass, PVOID KeyInformation, ULONG Length, PULONG ResultLength);
 6 | NTQK NtQueryKey;
 7 | 
 8 | LPWSTR GetKeyPath(HKEY key);
 9 | BOOL GetKeyValue(HKEY key, LPCWSTR value, LPBYTE buffer, DWORD *size);
10 | VOID OutSpoofUnique(LPWSTR buffer);
11 | VOID KeySpoofOutGUID(HKEY key, LPCWSTR value, LPWSTR buffer, DWORD size);
12 | VOID KeySpoofUnique(HKEY key, LPCWSTR value);
13 | VOID SpoofUnique(HKEY key, LPCWSTR subkey, LPCWSTR value);
14 | VOID SpoofUniques(HKEY key, LPCWSTR subkey, LPCWSTR value);
15 | VOID SpoofQWORD(HKEY key, LPCWSTR subkey, LPCWSTR value);
16 | VOID SpoofDWORD(HKEY key, LPCWSTR subkey, LPCWSTR value);
17 | VOID SpoofBinary(HKEY key, LPCWSTR subkey, LPCWSTR value);
18 | VOID RenameSubkey(HKEY key, LPCWSTR subkey, LPCWSTR name);
19 | VOID DeleteValue(HKEY key, LPCWSTR subkey, LPCWSTR value);
20 | VOID DeleteKey(HKEY key, LPCWSTR subkey);
21 | BOOL AdjustCurrentPrivilege(LPCWSTR privilege);
22 | VOID ForceDeleteFile(LPWSTR path);
23 | VOID RecursiveDelete(LPWSTR dir, LPWSTR match);
24 | 
25 | #define ForEachFile(dir, callback) { \
26 | 	WIN32_FIND_DATA fd = { 0 }; \
27 | 	HANDLE f = FindFirstFile(dir, &fd); \
28 | 	do { \
29 | 		if (wcscmp(fd.cFileName, L".") && wcscmp(fd.cFileName, L"..")) { \
30 | 			LPWSTR file = fd.cFileName; \
31 | 			callback; \
32 | 		} \
33 | 	} while (FindNextFile(f, &fd)); \
34 | 	FindClose(f); \
35 | }
36 | 
37 | #define ForEachSubkey(hkey_key, callback) { \
38 | 	WCHAR name[MAX_PATH] = { 0 }; \
39 | 	for (DWORD _i = 0, _s = sizeof(name); ERROR_SUCCESS == RegEnumKeyEx(hkey_key, _i, name, &_s, 0, 0, 0, 0); ++_i, _s = sizeof(name)) { \
40 | 		callback; \
41 | 	} \
42 | }
43 | 
44 | #define SpoofUniqueThen(hkey_key, lpcwstr_subkey, lpcwstr_value, callback) { \
45 | 	HKEY _k = 0; \
46 | 	if (ERROR_SUCCESS != RegOpenKeyEx(hkey_key, lpcwstr_subkey, 0, KEY_ALL_ACCESS, &_k)) { \
47 | 		printf("Failed to open key: %ws\\%ws\n\n", GetKeyPath(hkey_key), lpcwstr_subkey); \
48 | 	} else { \
49 | 		WCHAR spoof[MAX_PATH] = { 0 }; \
50 | 		HKEY key = _k; \
51 | 		KeySpoofOutGUID(key, lpcwstr_value, spoof, sizeof(spoof)); \
52 | 		callback; \
53 | 		RegCloseKey(key); \
54 | 	} \
55 | }
56 | 
57 | #define OpenThen(hkey_key, lpcwstr_subkey, callback) { \
58 | 	HKEY _k = 0; \
59 | 	if (ERROR_SUCCESS != RegOpenKeyEx(hkey_key, lpcwstr_subkey, 0, KEY_ALL_ACCESS, &_k)) { \
60 | 		printf("Failed to open key: %ws\\%ws\n\n", GetKeyPath(hkey_key), lpcwstr_subkey); \
61 | 	} else { \
62 | 		HKEY key = _k; \
63 | 		callback; \
64 | 		RegCloseKey(key); \
65 | 	} \
66 | }


--------------------------------------------------------------------------------
/Kernel/util.c:
--------------------------------------------------------------------------------
  1 | #include "stdafx.h"
  2 | 
  3 | PCHAR LowerStr(PCHAR str) {
  4 | 	for (PCHAR s = str; *s; ++s) {
  5 | 		*s = (CHAR)tolower(*s);
  6 | 	}
  7 | 	return str;
  8 | }
  9 | 
 10 | DWORD Random(PDWORD seed) {
 11 | 	DWORD s = *seed * 1103515245 + 12345;
 12 | 	*seed = s;
 13 | 	return (s / 65536) % 32768;
 14 | }
 15 | 
 16 | DWORD Hash(PBYTE buffer, DWORD length) {
 17 | 	if (!length) {
 18 | 		return 0;
 19 | 	}
 20 | 
 21 | 	DWORD h = (*buffer ^ 0x4B9ACE2F) * 0x1000193;
 22 | 	for (DWORD i = 1; i < length; ++i) {
 23 | 		h = (buffer[i] ^ h) * 0x1000193;
 24 | 	}
 25 | 	return h;
 26 | }
 27 | 
 28 | PVOID SafeCopy(PVOID src, DWORD size) {
 29 | 	PCHAR buffer = (PCHAR)ExAllocatePool(NonPagedPool, size);
 30 | 	if (buffer) {
 31 | 		MM_COPY_ADDRESS addr = { 0 };
 32 | 		addr.VirtualAddress = src;
 33 | 
 34 | 		SIZE_T read = 0;
 35 | 		if (NT_SUCCESS(MmCopyMemory(buffer, addr, size, MM_COPY_MEMORY_VIRTUAL, &read)) && read == size) {
 36 | 			return buffer;
 37 | 		}
 38 | 
 39 | 		ExFreePool(buffer);
 40 | 	} else {
 41 | 		printf("! failed to allocate pool of size %d !\n", size);
 42 | 	}
 43 | 
 44 | 	return 0;
 45 | }
 46 | 
 47 | VOID SpoofBuffer(DWORD seed, PBYTE buffer, DWORD length) {
 48 | 	seed ^= Hash(buffer, length);
 49 | 	for (DWORD i = 0; i < length; ++i) {
 50 | 		buffer[i] ^= (BYTE)Random(&seed);
 51 | 	}
 52 | }
 53 | 
 54 | PWCHAR TrimGUID(PWCHAR guid, DWORD max) {
 55 | 	DWORD i = 0;
 56 | 	PWCHAR start = guid;
 57 | 
 58 | 	--max;
 59 | 	for (; i < max && *start != L'{'; ++i, ++start);
 60 | 	for (; i < max && guid[i++] != L'}';);
 61 | 	
 62 | 	guid[i] = 0;
 63 | 	return start;
 64 | }
 65 | 
 66 | VOID ChangeIoc(PIO_STACK_LOCATION ioc, PIRP irp, PIO_COMPLETION_ROUTINE routine) {
 67 | 	PIOC_REQUEST request = (PIOC_REQUEST)ExAllocatePool(NonPagedPool, sizeof(IOC_REQUEST));
 68 | 	if (!request) {
 69 | 		printf("! failed to allocate IOC_REQUEST !\n");
 70 | 		return;
 71 | 	}
 72 | 
 73 | 	request->Buffer = irp->AssociatedIrp.SystemBuffer;
 74 | 	request->BufferLength = ioc->Parameters.DeviceIoControl.OutputBufferLength;
 75 | 	request->OldContext = ioc->Context;
 76 | 	request->OldRoutine = ioc->CompletionRoutine;
 77 | 
 78 | 	ioc->Control = SL_INVOKE_ON_SUCCESS;
 79 | 	ioc->Context = request;
 80 | 	ioc->CompletionRoutine = routine;
 81 | }
 82 | 
 83 | VOID SwapEndianess(PCHAR dest, PCHAR src) {
 84 | 	for (size_t i = 0, l = strlen(src); i < l; i += 2) {
 85 | 		dest[i] = src[i + 1];
 86 | 		dest[i + 1] = src[i];
 87 | 	}
 88 | }
 89 | 
 90 | BOOL CheckMask(PCHAR base, PCHAR pattern, PCHAR mask) {
 91 | 	for (; *mask; ++base, ++pattern, ++mask) {
 92 | 		if ('x' == *mask && *base != *pattern) {
 93 | 			return FALSE;
 94 | 		}
 95 | 	}
 96 | 
 97 | 	return TRUE;
 98 | }
 99 | 
100 | PVOID FindPattern(PCHAR base, DWORD length, PCHAR pattern, PCHAR mask) {
101 | 	length -= (DWORD)strlen(mask);
102 | 	for (DWORD i = 0; i <= length; ++i) {
103 | 		PVOID addr = &base[i];
104 | 		if (CheckMask(addr, pattern, mask)) {
105 | 			return addr;
106 | 		}
107 | 	}
108 | 
109 | 	return 0;
110 | }
111 | 
112 | PVOID FindPatternImage(PCHAR base, PCHAR pattern, PCHAR mask) {
113 | 	PVOID match = 0;
114 | 
115 | 	PIMAGE_NT_HEADERS headers = (PIMAGE_NT_HEADERS)(base + ((PIMAGE_DOS_HEADER)base)->e_lfanew);
116 | 	PIMAGE_SECTION_HEADER sections = IMAGE_FIRST_SECTION(headers);
117 | 	for (DWORD i = 0; i < headers->FileHeader.NumberOfSections; ++i) {
118 | 		PIMAGE_SECTION_HEADER section = &sections[i];
119 | 		if ('EGAP' == *(PINT)section->Name || memcmp(section->Name, ".text", 5) == 0) {
120 | 			match = FindPattern(base + section->VirtualAddress, section->Misc.VirtualSize, pattern, mask);
121 | 			if (match) {
122 | 				break;
123 | 			}
124 | 		}
125 | 	}
126 | 
127 | 	return match;
128 | }
129 | 
130 | PVOID GetBaseAddress(PCHAR name, PULONG out_size) {
131 | 	PVOID addr = 0;
132 | 
133 | 	ULONG size = 0;
134 | 	NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, 0, 0, &size);
135 | 	if (STATUS_INFO_LENGTH_MISMATCH != status) {
136 | 		printf("! ZwQuerySystemInformation for size failed: %p !\n", status);
137 | 		return addr;
138 | 	}
139 | 
140 | 	PSYSTEM_MODULE_INFORMATION modules = ExAllocatePool(NonPagedPool, size);
141 | 	if (!modules) {
142 | 		printf("! failed to allocate %d bytes for modules !\n", size);
143 | 		return addr;
144 | 	}
145 | 
146 | 	if (!NT_SUCCESS(status = ZwQuerySystemInformation(SystemModuleInformation, modules, size, 0))) {
147 | 		ExFreePool(modules);
148 | 		
149 | 		printf("! ZwQuerySystemInformation failed: %p !\n", status);
150 | 		return addr;
151 | 	}
152 | 
153 | 	for (ULONG i = 0; i < modules->NumberOfModules; ++i) {
154 | 		SYSTEM_MODULE m = modules->Modules[i];
155 | 
156 | 		if (strstr(LowerStr((PCHAR)m.FullPathName), name)) {
157 | 			addr = m.ImageBase;
158 | 			if (out_size) {
159 | 				*out_size = m.ImageSize;
160 | 			}
161 | 			break;
162 | 		}
163 | 	}
164 | 
165 | 	ExFreePool(modules);
166 | 	return addr;
167 | }
168 | 


--------------------------------------------------------------------------------
/Kernel/Kernel.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Debug|ARM">
 21 |       <Configuration>Debug</Configuration>
 22 |       <Platform>ARM</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|ARM">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>ARM</Platform>
 27 |     </ProjectConfiguration>
 28 |     <ProjectConfiguration Include="Debug|ARM64">
 29 |       <Configuration>Debug</Configuration>
 30 |       <Platform>ARM64</Platform>
 31 |     </ProjectConfiguration>
 32 |     <ProjectConfiguration Include="Release|ARM64">
 33 |       <Configuration>Release</Configuration>
 34 |       <Platform>ARM64</Platform>
 35 |     </ProjectConfiguration>
 36 |   </ItemGroup>
 37 |   <PropertyGroup Label="Globals">
 38 |     <ProjectGuid>{ED726B72-C3C8-4092-8350-ADA43CA1CBE0}</ProjectGuid>
 39 |     <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
 40 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
 41 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
 42 |     <Configuration>Debug</Configuration>
 43 |     <Platform Condition="'$(Platform)' == ''">Win32</Platform>
 44 |     <RootNamespace>Kernel</RootNamespace>
 45 |   </PropertyGroup>
 46 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 47 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 48 |     <TargetVersion>Windows10</TargetVersion>
 49 |     <UseDebugLibraries>true</UseDebugLibraries>
 50 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 51 |     <ConfigurationType>Driver</ConfigurationType>
 52 |     <DriverType>KMDF</DriverType>
 53 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 54 |   </PropertyGroup>
 55 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 56 |     <TargetVersion>Windows10</TargetVersion>
 57 |     <UseDebugLibraries>false</UseDebugLibraries>
 58 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 59 |     <ConfigurationType>Driver</ConfigurationType>
 60 |     <DriverType>KMDF</DriverType>
 61 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 62 |   </PropertyGroup>
 63 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 64 |     <TargetVersion>Windows10</TargetVersion>
 65 |     <UseDebugLibraries>true</UseDebugLibraries>
 66 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 67 |     <ConfigurationType>Driver</ConfigurationType>
 68 |     <DriverType>KMDF</DriverType>
 69 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 70 |   </PropertyGroup>
 71 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 72 |     <TargetVersion>Windows10</TargetVersion>
 73 |     <UseDebugLibraries>false</UseDebugLibraries>
 74 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 75 |     <ConfigurationType>Driver</ConfigurationType>
 76 |     <DriverType>KMDF</DriverType>
 77 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
 80 |     <TargetVersion>Windows10</TargetVersion>
 81 |     <UseDebugLibraries>true</UseDebugLibraries>
 82 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 83 |     <ConfigurationType>Driver</ConfigurationType>
 84 |     <DriverType>KMDF</DriverType>
 85 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 86 |   </PropertyGroup>
 87 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
 88 |     <TargetVersion>Windows10</TargetVersion>
 89 |     <UseDebugLibraries>false</UseDebugLibraries>
 90 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 91 |     <ConfigurationType>Driver</ConfigurationType>
 92 |     <DriverType>KMDF</DriverType>
 93 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 94 |   </PropertyGroup>
 95 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
 96 |     <TargetVersion>Windows10</TargetVersion>
 97 |     <UseDebugLibraries>true</UseDebugLibraries>
 98 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 99 |     <ConfigurationType>Driver</ConfigurationType>
100 |     <DriverType>KMDF</DriverType>
101 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
102 |   </PropertyGroup>
103 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
104 |     <TargetVersion>Windows10</TargetVersion>
105 |     <UseDebugLibraries>false</UseDebugLibraries>
106 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
107 |     <ConfigurationType>Driver</ConfigurationType>
108 |     <DriverType>KMDF</DriverType>
109 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
110 |   </PropertyGroup>
111 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
112 |   <ImportGroup Label="ExtensionSettings">
113 |   </ImportGroup>
114 |   <ImportGroup Label="PropertySheets">
115 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
116 |   </ImportGroup>
117 |   <PropertyGroup Label="UserMacros" />
118 |   <PropertyGroup />
119 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
120 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
121 |   </PropertyGroup>
122 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
123 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
124 |   </PropertyGroup>
125 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
126 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
127 |   </PropertyGroup>
128 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
129 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
130 |   </PropertyGroup>
131 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
132 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
133 |   </PropertyGroup>
134 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
135 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
136 |   </PropertyGroup>
137 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
138 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
139 |   </PropertyGroup>
140 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
141 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
142 |   </PropertyGroup>
143 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
144 |     <ClCompile>
145 |       <BufferSecurityCheck>false</BufferSecurityCheck>
146 |     </ClCompile>
147 |   </ItemDefinitionGroup>
148 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
149 |     <ClCompile>
150 |       <ControlFlowGuard>false</ControlFlowGuard>
151 |     </ClCompile>
152 |   </ItemDefinitionGroup>
153 |   <ItemGroup>
154 |     <Inf Include="Kernel.inf" />
155 |   </ItemGroup>
156 |   <ItemGroup>
157 |     <FilesToPackage Include="$(TargetPath)" />
158 |   </ItemGroup>
159 |   <ItemGroup>
160 |     <ClCompile Include="main.c" />
161 |     <ClCompile Include="util.c" />
162 |   </ItemGroup>
163 |   <ItemGroup>
164 |     <ClInclude Include="stdafx.h" />
165 |     <ClInclude Include="util.h" />
166 |   </ItemGroup>
167 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
168 |   <ImportGroup Label="ExtensionTargets">
169 |   </ImportGroup>
170 | </Project>


--------------------------------------------------------------------------------
/User/User.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>15.0</VCProjectVersion>
 23 |     <ProjectGuid>{82CBF7D9-6CF2-4B1A-9BEC-CAF40175FE5A}</ProjectGuid>
 24 |     <Keyword>Win32Proj</Keyword>
 25 |     <RootNamespace>User</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v142</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v142</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v142</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v142</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 77 |     <LinkIncremental>true</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 80 |     <LinkIncremental>false</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <PrecompiledHeader>Use</PrecompiledHeader>
 88 |       <WarningLevel>Level3</WarningLevel>
 89 |       <Optimization>Disabled</Optimization>
 90 |       <SDLCheck>true</SDLCheck>
 91 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 92 |       <ConformanceMode>true</ConformanceMode>
 93 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
 94 |     </ClCompile>
 95 |     <Link>
 96 |       <SubSystem>Console</SubSystem>
 97 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 98 |     </Link>
 99 |   </ItemDefinitionGroup>
100 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
101 |     <ClCompile>
102 |       <PrecompiledHeader>Use</PrecompiledHeader>
103 |       <WarningLevel>Level3</WarningLevel>
104 |       <Optimization>Disabled</Optimization>
105 |       <SDLCheck>true</SDLCheck>
106 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
107 |       <ConformanceMode>true</ConformanceMode>
108 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
109 |     </ClCompile>
110 |     <Link>
111 |       <SubSystem>Console</SubSystem>
112 |       <GenerateDebugInformation>true</GenerateDebugInformation>
113 |     </Link>
114 |   </ItemDefinitionGroup>
115 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
116 |     <ClCompile>
117 |       <PrecompiledHeader>Use</PrecompiledHeader>
118 |       <WarningLevel>Level3</WarningLevel>
119 |       <Optimization>MaxSpeed</Optimization>
120 |       <FunctionLevelLinking>true</FunctionLevelLinking>
121 |       <IntrinsicFunctions>true</IntrinsicFunctions>
122 |       <SDLCheck>true</SDLCheck>
123 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
124 |       <ConformanceMode>true</ConformanceMode>
125 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
126 |     </ClCompile>
127 |     <Link>
128 |       <SubSystem>Console</SubSystem>
129 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
130 |       <OptimizeReferences>true</OptimizeReferences>
131 |       <GenerateDebugInformation>true</GenerateDebugInformation>
132 |     </Link>
133 |   </ItemDefinitionGroup>
134 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
135 |     <ClCompile>
136 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
137 |       <WarningLevel>Level3</WarningLevel>
138 |       <Optimization>MaxSpeed</Optimization>
139 |       <FunctionLevelLinking>true</FunctionLevelLinking>
140 |       <IntrinsicFunctions>true</IntrinsicFunctions>
141 |       <SDLCheck>true</SDLCheck>
142 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
143 |       <ConformanceMode>true</ConformanceMode>
144 |       <PrecompiledHeaderFile>
145 |       </PrecompiledHeaderFile>
146 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
147 |     </ClCompile>
148 |     <Link>
149 |       <SubSystem>Console</SubSystem>
150 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
151 |       <OptimizeReferences>true</OptimizeReferences>
152 |       <GenerateDebugInformation>true</GenerateDebugInformation>
153 |       <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
154 |     </Link>
155 |   </ItemDefinitionGroup>
156 |   <ItemGroup>
157 |     <ClInclude Include="stdafx.h" />
158 |     <ClInclude Include="util.h" />
159 |   </ItemGroup>
160 |   <ItemGroup>
161 |     <ClCompile Include="main.c" />
162 |     <ClCompile Include="util.c" />
163 |   </ItemGroup>
164 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
165 |   <ImportGroup Label="ExtensionTargets">
166 |   </ImportGroup>
167 | </Project>


--------------------------------------------------------------------------------
/User/util.c:
--------------------------------------------------------------------------------
  1 | #include "stdafx.h"
  2 | 
  3 | static WCHAR alphabet[] = L"abcdef012345789";
  4 | 
  5 | LPWSTR GetKeyPath(HKEY key) {
  6 | 	static WCHAR buffer[MAX_PATH] = { 0 };
  7 | 	DWORD size = sizeof(buffer);
  8 | 	memset(buffer, 0, sizeof(buffer));
  9 | 	NtQueryKey(key, 3, buffer, size, &size);
 10 | 	return buffer + 3;
 11 | }
 12 | 
 13 | BOOL GetKeyValue(HKEY key, LPCWSTR value, LPBYTE buffer, DWORD *size) {
 14 | 	if (ERROR_SUCCESS == RegQueryValueEx(key, value, 0, 0, buffer, size)) {
 15 | 		return TRUE;
 16 | 	}
 17 | 
 18 | 	printf("Failed to read: %ws\\%ws\n\n", GetKeyPath(key), value);
 19 | 	return FALSE;
 20 | }
 21 | 
 22 | VOID OutSpoofUnique(LPWSTR buffer) {
 23 | 	for (DWORD i = 0; i < wcslen(buffer); ++i) {
 24 | 		if (iswxdigit(buffer[i])) {
 25 | 			buffer[i] = alphabet[rand() % wcslen(alphabet)];
 26 | 		}
 27 | 	}
 28 | }
 29 | 
 30 | VOID KeySpoofOutGUID(HKEY key, LPCWSTR value, LPWSTR buffer, DWORD size) {
 31 | 	if (!GetKeyValue(key, value, (LPBYTE)buffer, &size)) {
 32 | 		return;
 33 | 	}
 34 | 
 35 | 	printf("%ws\\%ws\n%c%c %ws -> ", GetKeyPath(key), value, 192, 196, buffer);
 36 | 
 37 | 	OutSpoofUnique(buffer);
 38 | 
 39 | 	RegSetValueEx(key, value, 0, REG_SZ, (PBYTE)buffer, size);
 40 | 	printf("%ws\n\n", buffer);
 41 | }
 42 | 
 43 | VOID KeySpoofUnique(HKEY key, LPCWSTR value) {
 44 | 	WCHAR buffer[MAX_PATH] = { 0 };
 45 | 	KeySpoofOutGUID(key, value, buffer, sizeof(buffer));
 46 | }
 47 | 
 48 | VOID SpoofUnique(HKEY key, LPCWSTR subkey, LPCWSTR value) {
 49 | 	OpenThen(key, subkey, {
 50 | 		KeySpoofUnique(key, value);
 51 | 	});
 52 | }
 53 | 
 54 | VOID SpoofUniques(HKEY key, LPCWSTR subkey, LPCWSTR value) {
 55 | 	OpenThen(key, subkey, {
 56 | 		WCHAR buffer[0xFFF] = { 0 };
 57 | 		DWORD size = sizeof(buffer);
 58 | 		if (!GetKeyValue(key, value, (LPBYTE)buffer, &size)) {
 59 | 			RegCloseKey(key);
 60 | 			return;
 61 | 		}
 62 | 
 63 | 		for (DWORD i = 0; i < size; ++i) {
 64 | 			if (iswxdigit(buffer[i])) {
 65 | 				buffer[i] = alphabet[rand() % (wcslen(alphabet) - 1)];
 66 | 			}
 67 | 		}
 68 | 
 69 | 		RegSetValueEx(key, value, 0, REG_MULTI_SZ, (PBYTE)buffer, size);
 70 | 		printf("%ws\\%ws\n%c%c multi-string of length %d\n\n", GetKeyPath(key), value, 192, 196, size);
 71 | 	});
 72 | }
 73 | 
 74 | VOID SpoofDWORD(HKEY key, LPCWSTR subkey, LPCWSTR value) {
 75 | 	OpenThen(key, subkey, {
 76 | 		DWORD data = rand();
 77 | 		if (ERROR_SUCCESS == RegSetValueEx(key, value, 0, REG_QWORD, (PBYTE)&data, sizeof(data))) {
 78 | 			printf("%ws\\%ws\n%c%c qword\n\n", GetKeyPath(key), value, 192, 196);
 79 | 		} else {
 80 | 			printf("Failed to write: %ws\\%ws\n\n", GetKeyPath(key), value);
 81 | 		}
 82 | 	});
 83 | }
 84 | 
 85 | VOID SpoofQWORD(HKEY key, LPCWSTR subkey, LPCWSTR value) {
 86 | 	OpenThen(key, subkey, {
 87 | 		LARGE_INTEGER data = { 0 };
 88 | 		data.LowPart = rand();
 89 | 		data.HighPart = rand();
 90 | 		if (ERROR_SUCCESS == RegSetValueEx(key, value, 0, REG_QWORD, (PBYTE)&data, sizeof(data))) {
 91 | 			printf("%ws\\%ws\n%c%c qword\n\n", GetKeyPath(key), value, 192, 196);
 92 | 		} else {
 93 | 			printf("Failed to write: %ws\\%ws\n\n", GetKeyPath(key), value);
 94 | 		}
 95 | 	});
 96 | }
 97 | 
 98 | VOID SpoofBinary(HKEY key, LPCWSTR subkey, LPCWSTR value) {
 99 | 	OpenThen(key, subkey, {
100 | 		DWORD size = 0;
101 | 		if (ERROR_SUCCESS != RegQueryValueEx(key, value, 0, 0, 0, &size)) {
102 | 			printf("Failed to query size of: %ws\\%ws\n\n", GetKeyPath(key), value);
103 | 			RegCloseKey(key);
104 | 			return;
105 | 		}
106 | 
107 | 		BYTE *buffer = (BYTE *)malloc(size);
108 | 		if (!buffer) {
109 | 			printf("Failed to allocate buffer for SpoofBinary\n\n");
110 | 			RegCloseKey(key);
111 | 			return;
112 | 		}
113 | 
114 | 		for (DWORD i = 0; i < size; ++i) {
115 | 			buffer[i] = (BYTE)(rand() % 0x100);
116 | 		}
117 | 
118 | 		RegSetValueEx(key, value, 0, REG_BINARY, buffer, size);
119 | 		free(buffer);
120 | 
121 | 		printf("%ws\\%ws\n%c%c binary of length %d\n\n", GetKeyPath(key), value, 192, 196, size);
122 | 	});
123 | }
124 | 
125 | VOID RenameSubkey(HKEY key, LPCWSTR subkey, LPCWSTR name) {
126 | 	HKEY k = 0;
127 | 	DWORD error = RegCreateKey(key, name, &k);
128 | 	if (ERROR_CHILD_MUST_BE_VOLATILE == error) {
129 | 		error = RegCreateKeyEx(key, name, 0, 0, REG_OPTION_VOLATILE, KEY_ALL_ACCESS, 0, &k, 0);
130 | 	}
131 | 	
132 | 	if (ERROR_SUCCESS != error) {
133 | 		printf("Failed to create key: %ws\\%ws\n\n", GetKeyPath(key), name);
134 | 		return;
135 | 	}
136 | 
137 | 	if (ERROR_SUCCESS == RegCopyTree(key, subkey, k)) {
138 | 		if (ERROR_SUCCESS == SHDeleteKey(key, subkey)) {
139 | 			printf("%ws\\%ws\n%c%c renamed to %ws\n\n", GetKeyPath(key), subkey, 192, 196, name);
140 | 		} else {
141 | 			printf("Failed to delete key: %ws\\%ws\n\n", GetKeyPath(key), subkey);
142 | 		}
143 | 	} else {
144 | 		printf("Failed to copy key: %ws\\%ws\n\n", GetKeyPath(key), subkey);
145 | 	}
146 | 
147 | 	RegCloseKey(k);
148 | }
149 | 
150 | VOID DeleteKey(HKEY key, LPCWSTR subkey) {
151 | 	DWORD s = SHDeleteKey(key, subkey);
152 | 	if (ERROR_FILE_NOT_FOUND == s) {
153 | 		return;
154 | 	} else if (ERROR_SUCCESS == s) {
155 | 		printf("%ws\\%ws\n%c%c deleted\n\n", GetKeyPath(key), subkey, 192, 196);
156 | 	} else {
157 | 		printf("Failed to delete value: %ws\\%ws\n\n", GetKeyPath(key), subkey);
158 | 	}
159 | }
160 | 
161 | VOID DeleteValue(HKEY key, LPCWSTR subkey, LPCWSTR value) {
162 | 	DWORD s = SHDeleteValue(key, subkey, value);
163 | 	if (ERROR_FILE_NOT_FOUND == s) {
164 | 		return;
165 | 	} else if (ERROR_SUCCESS == s) {
166 | 		printf("%ws\\%ws\\%ws\n%c%c deleted\n\n", GetKeyPath(key), subkey, value, 192, 196);
167 | 	} else {
168 | 		printf("Failed to delete value: %ws\\%ws\\%ws\n\n", GetKeyPath(key), subkey, value);
169 | 	}
170 | }
171 | 
172 | BOOL AdjustCurrentPrivilege(LPCWSTR privilege) {
173 | 	LUID luid = { 0 };
174 | 	if (!LookupPrivilegeValue(0, privilege, &luid)) {
175 | 		printf("Failed to lookup privilege %ws: %d\n", privilege, GetLastError());
176 | 		return FALSE;
177 | 	}
178 | 
179 | 	TOKEN_PRIVILEGES tp = { 0 };
180 | 	tp.PrivilegeCount = 1;
181 | 	tp.Privileges[0].Luid = luid;
182 | 	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
183 | 
184 | 	HANDLE token = 0;
185 | 	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token)) {
186 | 		printf("Failed to open current process token: %d\n", GetLastError());
187 | 		return FALSE;
188 | 	}
189 | 
190 | 	if (!AdjustTokenPrivileges(token, FALSE, &tp, sizeof(tp), 0, 0)) {
191 | 		printf("Failed to adjust current process token privileges: %d\n", GetLastError());
192 | 		CloseHandle(token);
193 | 		return FALSE;
194 | 	}
195 | 
196 | 	if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
197 | 		printf("Token failed to acquire privilege\n");
198 | 		CloseHandle(token);
199 | 		return FALSE;
200 | 	}
201 | 
202 | 	CloseHandle(token);
203 | 	return TRUE;
204 | }
205 | 
206 | VOID ForceDeleteFile(LPWSTR path) {
207 | 	if (!PathFileExists(path)) {
208 | 		return;
209 | 	}
210 | 
211 | 	PSID all = 0, admin = 0;
212 | 	SID_IDENTIFIER_AUTHORITY world = SECURITY_WORLD_SID_AUTHORITY;
213 | 	if (!AllocateAndInitializeSid(&world, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &all)) {
214 | 		printf("Failed to initialize all SID for %ws: %d\n\n", path, GetLastError());
215 | 		return;
216 | 	}
217 | 
218 | 	SID_IDENTIFIER_AUTHORITY auth = SECURITY_NT_AUTHORITY;
219 | 	if (!AllocateAndInitializeSid(&auth, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &admin)) {
220 | 		printf("Failed to initialize admin SID for %ws: %d\n\n", path, GetLastError());
221 | 		FreeSid(all);
222 | 		return;
223 | 	}
224 | 
225 | 	EXPLICIT_ACCESS access[2] = { 0 };
226 | 	access[0].grfAccessPermissions = GENERIC_ALL;
227 | 	access[0].grfAccessMode = SET_ACCESS;
228 | 	access[0].grfInheritance = NO_INHERITANCE;
229 | 	access[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
230 | 	access[0].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
231 | 	access[0].Trustee.ptstrName = all;
232 | 	access[1].grfAccessPermissions = GENERIC_ALL;
233 | 	access[1].grfAccessMode = SET_ACCESS;
234 | 	access[1].grfInheritance = NO_INHERITANCE;
235 | 	access[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
236 | 	access[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
237 | 	access[1].Trustee.ptstrName = admin;
238 | 
239 | 	PACL acl = { 0 };
240 | 	DWORD error = SetEntriesInAcl(2, access, 0, &acl);
241 | 	if (ERROR_SUCCESS != error) {
242 | 		printf("Failed to set ACL entries for %ws: %d\n\n", path, error);
243 | 		FreeSid(all);
244 | 		FreeSid(admin);
245 | 		return;
246 | 	}
247 | 
248 | 	if (ERROR_SUCCESS != (error = SetNamedSecurityInfo((LPWSTR)path, SE_FILE_OBJECT, OWNER_SECURITY_INFORMATION, admin, 0, 0, 0))) {
249 | 		printf("Failed to set owner security info for %ws: %d\n\n", path, error);
250 | 		FreeSid(all);
251 | 		FreeSid(admin);
252 | 		LocalFree(acl);
253 | 		return;
254 | 	}
255 | 
256 | 	if (ERROR_SUCCESS != (error = SetNamedSecurityInfo((LPWSTR)path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, acl, 0))) {
257 | 		printf("Failed to set DACL info for %ws: %d\n\n", path, error);
258 | 		FreeSid(all);
259 | 		FreeSid(admin);
260 | 		LocalFree(acl);
261 | 		return;
262 | 	}
263 | 
264 | 	SetFileAttributes(path, FILE_ATTRIBUTE_NORMAL);
265 | 
266 | 	SHFILEOPSTRUCT op = { 0 };
267 | 	op.wFunc = FO_DELETE;
268 | 	path[wcslen(path) + 1] = 0;
269 | 	op.pFrom = path;
270 | 	op.pTo = L"\0";
271 | 	op.fFlags = FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT;
272 | 	op.lpszProgressTitle = L"";
273 | 	if (DeleteFile(path) || !SHFileOperation(&op)) {
274 | 		printf("%ws\n%c%c deleted\n\n", path, 192, 196);
275 | 	} else {
276 | 		printf("Failed to delete file %ws: %d\n\n", path, GetLastError());
277 | 	}
278 | 
279 | 	FreeSid(all);
280 | 	FreeSid(admin);
281 | 	LocalFree(acl);
282 | }
283 | 
284 | VOID RecursiveDelete(LPWSTR dir, LPWSTR match) {
285 | 	WCHAR path[MAX_PATH] = { 0 };
286 | 	wsprintf(path, L"%ws\\*", dir);
287 | 
288 | 	WIN32_FIND_DATA fd = { 0 };
289 | 	HANDLE f = FindFirstFile(path, &fd);
290 | 
291 | 	do {
292 | 		WCHAR sub[MAX_PATH] = { 0 };
293 | 		wsprintf(sub, L"%ws\\%ws", dir, fd.cFileName);
294 | 
295 | 		if (wcscmp(fd.cFileName, L".") && wcscmp(fd.cFileName, L"..")) {
296 | 			if (fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
297 | 				RecursiveDelete(sub, match);
298 | 			} else if (StrStr(fd.cFileName, match)) {
299 | 				ForceDeleteFile(sub);
300 | 			}
301 | 		}
302 | 	} while (FindNextFile(f, &fd));
303 | 
304 | 	FindClose(f);
305 | }


--------------------------------------------------------------------------------
/Kernel/util.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | // Util defs
  4 | #define printf(fmt, ...) DbgPrint("[dbg] "fmt, ##__VA_ARGS__)
  5 | #define LENGTH(a) (sizeof(a) / sizeof(a[0]))
  6 | 
  7 | #define IOCTL_NVIDIA_SMIL (0x8DE0008)
  8 | #define IOCTL_NVIDIA_SMIL_MAX (512)
  9 | 
 10 | typedef struct _IOC_REQUEST {
 11 | 	PVOID Buffer;
 12 | 	ULONG BufferLength;
 13 | 	PVOID OldContext;
 14 | 	PIO_COMPLETION_ROUTINE OldRoutine;
 15 | } IOC_REQUEST, *PIOC_REQUEST;
 16 | 
 17 | PCHAR LowerStr(PCHAR str);
 18 | DWORD Random(PDWORD seed);
 19 | PVOID SafeCopy(PVOID src, DWORD size);
 20 | VOID SpoofBuffer(DWORD seed, PBYTE buffer, DWORD length);
 21 | PWCHAR TrimGUID(PWCHAR guid, DWORD max);
 22 | VOID ChangeIoc(PIO_STACK_LOCATION ioc, PIRP irp, PIO_COMPLETION_ROUTINE routine);
 23 | VOID SwapEndianess(PCHAR dest, PCHAR src);
 24 | PVOID FindPattern(PCHAR base, DWORD length, PCHAR pattern, PCHAR mask);
 25 | PVOID FindPatternImage(PCHAR base, PCHAR pattern, PCHAR mask);
 26 | PVOID GetBaseAddress(PCHAR name, PULONG out_size);
 27 | 
 28 | // Win defs
 29 | #define IsListEmtpy(list) (list == list->Flink)
 30 | 
 31 | typedef NTSTATUS(__fastcall *DISK_FAIL_PREDICTION)(PVOID device_extension, BYTE enable);
 32 | typedef NTSTATUS(__fastcall *RU_REGISTER_INTERFACES)(PVOID device_extension);
 33 | extern POBJECT_TYPE *IoDriverObjectType;
 34 | NTKERNELAPI NTSTATUS ObReferenceObjectByName(IN PUNICODE_STRING ObjectName, IN ULONG Attributes, IN PACCESS_STATE PassedAccessState, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, IN OUT PVOID ParseContext, OUT PVOID * Object);
 35 | NTSTATUS NTAPI ZwQuerySystemInformation(ULONG InfoClass, PVOID Buffer, ULONG Length, PULONG ReturnLength);
 36 | 
 37 | // dt ndis!_NDIS_IF_BLOCK
 38 | typedef struct _NDIS_IF_BLOCK {
 39 | 	char _padding_0[0x464];
 40 | 	IF_PHYSICAL_ADDRESS_LH ifPhysAddress; // 0x464
 41 | 	IF_PHYSICAL_ADDRESS_LH PermanentPhysAddress; // 0x486
 42 | } NDIS_IF_BLOCK, *PNDIS_IF_BLOCK;
 43 | 
 44 | typedef struct _KSTRING {
 45 | 	char _padding_0[0x10];
 46 | 	WCHAR Buffer[1]; // 0x10 at least
 47 | } KSTRING, *PKSTRING;
 48 | 
 49 | // dt ndis!_NDIS_FILTER_BLOCK
 50 | typedef struct _NDIS_FILTER_BLOCK {
 51 | 	char _padding_0[0x8];
 52 | 	struct _NDIS_FILTER_BLOCK *NextFilter; // 0x8
 53 | 	char _padding_1[0x18];
 54 | 	PKSTRING FilterInstanceName; // 0x28
 55 | } NDIS_FILTER_BLOCK, *PNDIS_FILTER_BLOCK;
 56 | 
 57 | typedef struct _STOR_SCSI_IDENTITY {
 58 | 	INQUIRYDATA *InquiryData;
 59 | 	STRING SerialNumber;
 60 | 	CHAR Supports1667;
 61 | 	CHAR ZonedDevice;
 62 | } STOR_SCSI_IDENTITY, *PSTOR_SCSI_IDENTITY;
 63 | 
 64 | #define IOCTL_NSI_PROXY_ARP (0x0012001B)
 65 | #define NSI_PARAMS_ARP (11)
 66 | typedef struct _NSI_PARAMS {
 67 | 	char _padding_0[0x18];
 68 | 	ULONG Type; // 0x18
 69 | } NSI_PARAMS, *PNSI_PARAMS;
 70 | 
 71 | typedef struct _IDSECTOR {
 72 | 	USHORT  wGenConfig;
 73 | 	USHORT  wNumCyls;
 74 | 	USHORT  wReserved;
 75 | 	USHORT  wNumHeads;
 76 | 	USHORT  wBytesPerTrack;
 77 | 	USHORT  wBytesPerSector;
 78 | 	USHORT  wSectorsPerTrack;
 79 | 	USHORT  wVendorUnique[3];
 80 | 	CHAR    sSerialNumber[20];
 81 | 	USHORT  wBufferType;
 82 | 	USHORT  wBufferSize;
 83 | 	USHORT  wECCSize;
 84 | 	CHAR    sFirmwareRev[8];
 85 | 	CHAR    sModelNumber[40];
 86 | 	USHORT  wMoreVendorUnique;
 87 | 	USHORT  wDoubleWordIO;
 88 | 	USHORT  wCapabilities;
 89 | 	USHORT  wReserved1;
 90 | 	USHORT  wPIOTiming;
 91 | 	USHORT  wDMATiming;
 92 | 	USHORT  wBS;
 93 | 	USHORT  wNumCurrentCyls;
 94 | 	USHORT  wNumCurrentHeads;
 95 | 	USHORT  wNumCurrentSectorsPerTrack;
 96 | 	ULONG   ulCurrentSectorCapacity;
 97 | 	USHORT  wMultSectorStuff;
 98 | 	ULONG   ulTotalAddressableSectors;
 99 | 	USHORT  wSingleWordDMA;
100 | 	USHORT  wMultiWordDMA;
101 | 	BYTE    bReserved[128];
102 | } IDSECTOR, *PIDSECTOR;
103 | 
104 | typedef struct _KLDR_DATA_TABLE_ENTRY {
105 | 	LIST_ENTRY InLoadOrderLinks;
106 | 	PVOID ExceptionTable;
107 | 	ULONG ExceptionTableSize;
108 | 	PVOID GpValue;
109 | 	PVOID NonPagedDebugInfo;
110 | 	PVOID DllBase;
111 | 	PVOID EntryPoint;
112 | 	ULONG SizeOfImage;
113 | 	UNICODE_STRING FullDllName;
114 | 	UNICODE_STRING BaseDllName;
115 | 	ULONG Flags;
116 | 	USHORT LoadCount;
117 | 	USHORT __Unused;
118 | 	PVOID SectionPointer;
119 | 	ULONG CheckSum;
120 | 	PVOID LoadedImports;
121 | 	PVOID PatchInformation;
122 | } KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
123 | 
124 | typedef struct _SYSTEM_MODULE {
125 | 	HANDLE Section;
126 | 	PVOID MappedBase;
127 | 	PVOID ImageBase;
128 | 	ULONG ImageSize;
129 | 	ULONG Flags;
130 | 	USHORT LoadOrderIndex;
131 | 	USHORT InitOrderIndex;
132 | 	USHORT LoadCount;
133 | 	USHORT OffsetToFileName;
134 | 	UCHAR  FullPathName[MAXIMUM_FILENAME_LENGTH];
135 | } SYSTEM_MODULE, *PSYSTEM_MODULE;
136 | 
137 | typedef struct _SYSTEM_MODULE_INFORMATION  {
138 | 	ULONG NumberOfModules;
139 | 	SYSTEM_MODULE Modules[1];
140 | } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
141 | 
142 | typedef enum _SYSTEM_INFORMATION_CLASS {
143 | 	SystemBasicInformation = 0x0,
144 | 	SystemProcessorInformation = 0x1,
145 | 	SystemPerformanceInformation = 0x2,
146 | 	SystemTimeOfDayInformation = 0x3,
147 | 	SystemPathInformation = 0x4,
148 | 	SystemProcessInformation = 0x5,
149 | 	SystemCallCountInformation = 0x6,
150 | 	SystemDeviceInformation = 0x7,
151 | 	SystemProcessorPerformanceInformation = 0x8,
152 | 	SystemFlagsInformation = 0x9,
153 | 	SystemCallTimeInformation = 0xa,
154 | 	SystemModuleInformation = 0xb,
155 | 	SystemLocksInformation = 0xc,
156 | 	SystemStackTraceInformation = 0xd,
157 | 	SystemPagedPoolInformation = 0xe,
158 | 	SystemNonPagedPoolInformation = 0xf,
159 | 	SystemHandleInformation = 0x10,
160 | 	SystemObjectInformation = 0x11,
161 | 	SystemPageFileInformation = 0x12,
162 | 	SystemVdmInstemulInformation = 0x13,
163 | 	SystemVdmBopInformation = 0x14,
164 | 	SystemFileCacheInformation = 0x15,
165 | 	SystemPoolTagInformation = 0x16,
166 | 	SystemInterruptInformation = 0x17,
167 | 	SystemDpcBehaviorInformation = 0x18,
168 | 	SystemFullMemoryInformation = 0x19,
169 | 	SystemLoadGdiDriverInformation = 0x1a,
170 | 	SystemUnloadGdiDriverInformation = 0x1b,
171 | 	SystemTimeAdjustmentInformation = 0x1c,
172 | 	SystemSummaryMemoryInformation = 0x1d,
173 | 	SystemMirrorMemoryInformation = 0x1e,
174 | 	SystemPerformanceTraceInformation = 0x1f,
175 | 	SystemObsolete0 = 0x20,
176 | 	SystemExceptionInformation = 0x21,
177 | 	SystemCrashDumpStateInformation = 0x22,
178 | 	SystemKernelDebuggerInformation = 0x23,
179 | 	SystemContextSwitchInformation = 0x24,
180 | 	SystemRegistryQuotaInformation = 0x25,
181 | 	SystemExtendServiceTableInformation = 0x26,
182 | 	SystemPrioritySeperation = 0x27,
183 | 	SystemVerifierAddDriverInformation = 0x28,
184 | 	SystemVerifierRemoveDriverInformation = 0x29,
185 | 	SystemProcessorIdleInformation = 0x2a,
186 | 	SystemLegacyDriverInformation = 0x2b,
187 | 	SystemCurrentTimeZoneInformation = 0x2c,
188 | 	SystemLookasideInformation = 0x2d,
189 | 	SystemTimeSlipNotification = 0x2e,
190 | 	SystemSessionCreate = 0x2f,
191 | 	SystemSessionDetach = 0x30,
192 | 	SystemSessionInformation = 0x31,
193 | 	SystemRangeStartInformation = 0x32,
194 | 	SystemVerifierInformation = 0x33,
195 | 	SystemVerifierThunkExtend = 0x34,
196 | 	SystemSessionProcessInformation = 0x35,
197 | 	SystemLoadGdiDriverInSystemSpace = 0x36,
198 | 	SystemNumaProcessorMap = 0x37,
199 | 	SystemPrefetcherInformation = 0x38,
200 | 	SystemExtendedProcessInformation = 0x39,
201 | 	SystemRecommendedSharedDataAlignment = 0x3a,
202 | 	SystemComPlusPackage = 0x3b,
203 | 	SystemNumaAvailableMemory = 0x3c,
204 | 	SystemProcessorPowerInformation = 0x3d,
205 | 	SystemEmulationBasicInformation = 0x3e,
206 | 	SystemEmulationProcessorInformation = 0x3f,
207 | 	SystemExtendedHandleInformation = 0x40,
208 | 	SystemLostDelayedWriteInformation = 0x41,
209 | 	SystemBigPoolInformation = 0x42,
210 | 	SystemSessionPoolTagInformation = 0x43,
211 | 	SystemSessionMappedViewInformation = 0x44,
212 | 	SystemHotpatchInformation = 0x45,
213 | 	SystemObjectSecurityMode = 0x46,
214 | 	SystemWatchdogTimerHandler = 0x47,
215 | 	SystemWatchdogTimerInformation = 0x48,
216 | 	SystemLogicalProcessorInformation = 0x49,
217 | 	SystemWow64SharedInformationObsolete = 0x4a,
218 | 	SystemRegisterFirmwareTableInformationHandler = 0x4b,
219 | 	SystemFirmwareTableInformation = 0x4c,
220 | 	SystemModuleInformationEx = 0x4d,
221 | 	SystemVerifierTriageInformation = 0x4e,
222 | 	SystemSuperfetchInformation = 0x4f,
223 | 	SystemMemoryListInformation = 0x50,
224 | 	SystemFileCacheInformationEx = 0x51,
225 | 	SystemThreadPriorityClientIdInformation = 0x52,
226 | 	SystemProcessorIdleCycleTimeInformation = 0x53,
227 | 	SystemVerifierCancellationInformation = 0x54,
228 | 	SystemProcessorPowerInformationEx = 0x55,
229 | 	SystemRefTraceInformation = 0x56,
230 | 	SystemSpecialPoolInformation = 0x57,
231 | 	SystemProcessIdInformation = 0x58,
232 | 	SystemErrorPortInformation = 0x59,
233 | 	SystemBootEnvironmentInformation = 0x5a,
234 | 	SystemHypervisorInformation = 0x5b,
235 | 	SystemVerifierInformationEx = 0x5c,
236 | 	SystemTimeZoneInformation = 0x5d,
237 | 	SystemImageFileExecutionOptionsInformation = 0x5e,
238 | 	SystemCoverageInformation = 0x5f,
239 | 	SystemPrefetchPatchInformation = 0x60,
240 | 	SystemVerifierFaultsInformation = 0x61,
241 | 	SystemSystemPartitionInformation = 0x62,
242 | 	SystemSystemDiskInformation = 0x63,
243 | 	SystemProcessorPerformanceDistribution = 0x64,
244 | 	SystemNumaProximityNodeInformation = 0x65,
245 | 	SystemDynamicTimeZoneInformation = 0x66,
246 | 	SystemCodeIntegrityInformation = 0x67,
247 | 	SystemProcessorMicrocodeUpdateInformation = 0x68,
248 | 	SystemProcessorBrandString = 0x69,
249 | 	SystemVirtualAddressInformation = 0x6a,
250 | 	SystemLogicalProcessorAndGroupInformation = 0x6b,
251 | 	SystemProcessorCycleTimeInformation = 0x6c,
252 | 	SystemStoreInformation = 0x6d,
253 | 	SystemRegistryAppendString = 0x6e,
254 | 	SystemAitSamplingValue = 0x6f,
255 | 	SystemVhdBootInformation = 0x70,
256 | 	SystemCpuQuotaInformation = 0x71,
257 | 	SystemNativeBasicInformation = 0x72,
258 | 	SystemErrorPortTimeouts = 0x73,
259 | 	SystemLowPriorityIoInformation = 0x74,
260 | 	SystemBootEntropyInformation = 0x75,
261 | 	SystemVerifierCountersInformation = 0x76,
262 | 	SystemPagedPoolInformationEx = 0x77,
263 | 	SystemSystemPtesInformationEx = 0x78,
264 | 	SystemNodeDistanceInformation = 0x79,
265 | 	SystemAcpiAuditInformation = 0x7a,
266 | 	SystemBasicPerformanceInformation = 0x7b,
267 | 	SystemQueryPerformanceCounterInformation = 0x7c,
268 | 	SystemSessionBigPoolInformation = 0x7d,
269 | 	SystemBootGraphicsInformation = 0x7e,
270 | 	SystemScrubPhysicalMemoryInformation = 0x7f,
271 | 	SystemBadPageInformation = 0x80,
272 | 	SystemProcessorProfileControlArea = 0x81,
273 | 	SystemCombinePhysicalMemoryInformation = 0x82,
274 | 	SystemEntropyInterruptTimingInformation = 0x83,
275 | 	SystemConsoleInformation = 0x84,
276 | 	SystemPlatformBinaryInformation = 0x85,
277 | 	SystemThrottleNotificationInformation = 0x86,
278 | 	SystemHypervisorProcessorCountInformation = 0x87,
279 | 	SystemDeviceDataInformation = 0x88,
280 | 	SystemDeviceDataEnumerationInformation = 0x89,
281 | 	SystemMemoryTopologyInformation = 0x8a,
282 | 	SystemMemoryChannelInformation = 0x8b,
283 | 	SystemBootLogoInformation = 0x8c,
284 | 	SystemProcessorPerformanceInformationEx = 0x8d,
285 | 	SystemSpare0 = 0x8e,
286 | 	SystemSecureBootPolicyInformation = 0x8f,
287 | 	SystemPageFileInformationEx = 0x90,
288 | 	SystemSecureBootInformation = 0x91,
289 | 	SystemEntropyInterruptTimingRawInformation = 0x92,
290 | 	SystemPortableWorkspaceEfiLauncherInformation = 0x93,
291 | 	SystemFullProcessInformation = 0x94,
292 | 	SystemKernelDebuggerInformationEx = 0x95,
293 | 	SystemBootMetadataInformation = 0x96,
294 | 	SystemSoftRebootInformation = 0x97,
295 | 	SystemElamCertificateInformation = 0x98,
296 | 	SystemOfflineDumpConfigInformation = 0x99,
297 | 	SystemProcessorFeaturesInformation = 0x9a,
298 | 	SystemRegistryReconciliationInformation = 0x9b,
299 | 	MaxSystemInfoClass = 0x9c,
300 | } SYSTEM_INFORMATION_CLASS;


--------------------------------------------------------------------------------
/User/main.c:
--------------------------------------------------------------------------------
  1 | #include "stdafx.h"
  2 | 
  3 | int main() {
  4 | 	srand(GetTickCount());
  5 | 	LoadLibrary(L"ntdll.dll");
  6 | 	NtQueryKey = (NTQK)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQueryKey");
  7 | 	if (!AdjustCurrentPrivilege(SE_TAKE_OWNERSHIP_NAME)) {
  8 | 		printf("failed to adjust privilege\n");
  9 | 		return 1;
 10 | 	}
 11 | 
 12 | 	// Monitors
 13 | 	OpenThen(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Enum\\DISPLAY", {
 14 | 		ForEachSubkey(key, {
 15 | 			OpenThen(key, name, {
 16 | 				ForEachSubkey(key, {
 17 | 					OpenThen(key, name, {
 18 | 						ForEachSubkey(key, {
 19 | 							if (_wcsicmp(name, L"device parameters") == 0) {
 20 | 								SpoofBinary(key, name, L"EDID");
 21 | 								break;
 22 | 							}
 23 | 						});
 24 | 					});
 25 | 				});
 26 | 			});
 27 | 		});
 28 | 	});
 29 | 
 30 | 	/*
 31 | 	OpenThen(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\Video", {
 32 | 		ForEachSubkey(key, {
 33 | 			HKEY parent = key;
 34 | 			WCHAR spoof[MAX_PATH] = { 0 };
 35 | 
 36 | 			OpenThen(HKEY_LOCAL_MACHINE, L"HARDWARE\\DEVICEMAP\\VIDEO", {
 37 | 				DWORD count = 0;
 38 | 				DWORD size = sizeof(count);
 39 | 				if (GetKeyValue(key, L"MaxObjectNumber", (LPBYTE)&count, &size)) {
 40 | 					WCHAR video[MAX_PATH] = { 0 };
 41 | 					WCHAR path[MAX_PATH] = { 0 };
 42 | 
 43 | 					for (DWORD i = 0; i < count; ++i) {
 44 | 						size = sizeof(path);
 45 | 						wsprintf(video, L"\\Device\\Video%d", i);
 46 | 						if (GetKeyValue(key, video, (LPBYTE)path, &size)) {
 47 | 							LPWSTR replace = StrStrIW(path, name);
 48 | 							if (replace) {
 49 | 								if (!spoof[0]) {
 50 | 									wcscpy(spoof, name);
 51 | 									OutSpoofUnique(spoof);
 52 | 									RenameSubkey(parent, name, spoof);
 53 | 								}
 54 | 
 55 | 								memcpy(replace, spoof, wcslen(spoof) * 2);
 56 | 								RegSetValueEx(key, video, 0, REG_SZ, (PBYTE)path, size);
 57 | 							}
 58 | 						}
 59 | 					}
 60 | 				}
 61 | 			});
 62 | 		});
 63 | 	});
 64 | 	*/
 65 | 
 66 | 	// SMBIOS
 67 | 	DeleteValue(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Services\\mssmbios\\Data", L"SMBiosData");
 68 | 
 69 | 	// Motherboard
 70 | 	SpoofUniqueThen(HKEY_LOCAL_MACHINE, L"SYSTEM\\HardwareConfig", L"LastConfig", {
 71 | 		ForEachSubkey(key, {
 72 | 			if (_wcsicmp(name, L"current")) {
 73 | 				RenameSubkey(key, name, spoof);
 74 | 				break;
 75 | 			}
 76 | 		});
 77 | 	});
 78 | 
 79 | 	// NVIDIA
 80 | 	SpoofUnique(HKEY_LOCAL_MACHINE, L"SOFTWARE\\NVIDIA Corporation\\Global", L"ClientUUID");
 81 | 	SpoofUnique(HKEY_LOCAL_MACHINE, L"SOFTWARE\\NVIDIA Corporation\\Global", L"PersistenceIdentifier");
 82 | 	SpoofUnique(HKEY_LOCAL_MACHINE, L"SOFTWARE\\NVIDIA Corporation\\Global\\CoProcManager", L"ChipsetMatchID");
 83 | 
 84 | 	// Misc
 85 | 	DeleteKey(HKEY_LOCAL_MACHINE, L"SYSTEM\\MountedDevices");
 86 | 	DeleteKey(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Dfrg\\Statistics");
 87 | 	DeleteKey(HKEY_CURRENT_USER, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket\\Volume");
 88 | 	DeleteKey(HKEY_CURRENT_USER, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume");
 89 | 	DeleteKey(HKEY_CURRENT_USER, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2");
 90 | 	DeleteValue(HKEY_CURRENT_USER, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket", L"LastEnum");
 91 | 
 92 | 	SpoofBinary(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI", L"WindowsAIKHash");
 93 | 	SpoofBinary(HKEY_CURRENT_USER, L"Software\\Microsoft\\Direct3D", L"WHQLClass");
 94 | 	SpoofBinary(HKEY_CURRENT_USER, L"Software\\Classes\\Installer\\Dependencies", L"MSICache");
 95 | 
 96 | 	OpenThen(HKEY_LOCAL_MACHINE, L"HARDWARE\\DESCRIPTION\\System\\MultifunctionAdapter\\0\\DiskController\\0\\DiskPeripheral", {
 97 | 		ForEachSubkey(key, {
 98 | 			SpoofUnique(key, name, L"Identifier");
 99 | 		});
100 | 	});
101 | 
102 | 	OpenThen(HKEY_LOCAL_MACHINE, L"HARDWARE\\DEVICEMAP\\Scsi", {
103 | 		ForEachSubkey(key, {
104 | 			OpenThen(key, name, {
105 | 				ForEachSubkey(key, {
106 | 					OpenThen(key, name, {
107 | 						ForEachSubkey(key, {
108 | 							if (wcsstr(name, L"arget")) {
109 | 								OpenThen(key, name, {
110 | 									ForEachSubkey(key, {
111 | 										SpoofUnique(key, name, L"Identifier");
112 | 									});
113 | 								});
114 | 							}
115 | 						});
116 | 					});
117 | 				});
118 | 			});
119 | 		});
120 | 	});
121 | 
122 | 	SpoofBinary(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Services\\TPM\\ODUID", L"RandomSeed");
123 | 	SpoofUnique(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Cryptography", L"MachineGuid");
124 | 	SpoofUnique(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\IDConfigDB\\Hardware Profiles\\0001", L"HwProfileGuid");
125 | 	SpoofUnique(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate", L"AccountDomainSid");
126 | 	SpoofUnique(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate", L"PingID");
127 | 	SpoofUnique(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate", L"SusClientId");
128 | 	SpoofBinary(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate", L"SusClientIdValidation");
129 | 	SpoofBinary(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters", L"Dhcpv6DUID");
130 | 	SpoofUnique(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\SystemInformation", L"ComputerHardwareId");
131 | 	SpoofUniques(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\SystemInformation", L"ComputerHardwareIds");
132 | 	SpoofBinary(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Internet Explorer\\Migration", L"IE Installed Date");
133 | 	SpoofUnique(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\SQMClient", L"MachineId");
134 | 	SpoofQWORD(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\SQMClient", L"WinSqmFirstSessionStartTime");
135 | 	SpoofQWORD(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"InstallTime");
136 | 	SpoofQWORD(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"InstallDate");
137 | 	SpoofBinary(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"DigitalProductId");
138 | 	SpoofBinary(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"DigitalProductId4");
139 | 	SpoofUnique(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"BuildGUID");
140 | 	SpoofUnique(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"ProductId");
141 | 	SpoofUnique(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"BuildLab");
142 | 	SpoofUnique(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"BuildLabEx");
143 | 	SpoofUnique(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0000", L"_DriverProviderInfo");
144 | 	SpoofUnique(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0000", L"UserModeDriverGUID");
145 | 
146 | 	OpenThen(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", {
147 | 		ForEachSubkey(key, {
148 | 			if (_wcsicmp(name, L"configuration") && _wcsicmp(name, L"properties")) {
149 | 				DeleteValue(key, name, L"NetworkAddress");
150 | 				SpoofQWORD(key, name, L"NetworkInterfaceInstallTimestamp");
151 | 			}
152 | 		});
153 | 	});
154 | 
155 | 	DeleteKey(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\SettingsRequests");
156 | 	SpoofQWORD(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\SevilleEventlogManager", L"LastEventlogWrittenTime");
157 | 	SpoofQWORD(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform\\Activation", L"ProductActivationTime");
158 | 	DeleteValue(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform", L"BackupProductKeyDefault");
159 | 	DeleteValue(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform", L"actionlist");
160 | 	DeleteValue(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform", L"ServiceSessionId");
161 | 	DeleteKey(HKEY_CURRENT_USER, L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist");
162 | 	DeleteKey(HKEY_CURRENT_USER, L"Software\\Hex-Rays\\IDA\\History");
163 | 	DeleteKey(HKEY_CURRENT_USER, L"Software\\Hex-Rays\\IDA\\History64");
164 | 
165 | 	OpenThen(HKEY_LOCAL_MACHINE, L"HARDWARE\\UEFI\\ESRT", {
166 | 		WCHAR subkeys[0xFF][MAX_PATH] = { 0 };
167 | 		DWORD subkeys_length = 0;
168 | 
169 | 		ForEachSubkey(key, {
170 | 			wcscpy(subkeys[subkeys_length++], name);
171 | 		});
172 | 
173 | 		for (DWORD i = 0; i < subkeys_length; ++i) {
174 | 			WCHAR spoof[MAX_PATH] = { 0 };
175 | 			wcscpy(spoof, subkeys[i]);
176 | 			OutSpoofUnique(spoof);
177 | 			RenameSubkey(key, subkeys[i], spoof);
178 | 		}
179 | 	});
180 | 
181 | 	// Tracking files
182 | 	WCHAR path[MAX_PATH] = { 0 };
183 | 	WCHAR temp[MAX_PATH] = { 0 };
184 | 	WCHAR appdata[MAX_PATH] = { 0 };
185 | 	WCHAR localappdata[MAX_PATH] = { 0 };
186 | 	GetTempPath(MAX_PATH, temp);
187 | 
188 | 	SHGetFolderPath(0, CSIDL_APPDATA, 0, SHGFP_TYPE_DEFAULT, appdata);
189 | 	SHGetFolderPath(0, CSIDL_LOCAL_APPDATA, 0, SHGFP_TYPE_DEFAULT, localappdata);
190 | 
191 | 	wsprintf(path, L"%ws*", temp);
192 | 	ForEachFile(path, {
193 | 		wsprintf(path, L"%ws%ws", temp, file);
194 | 		ForceDeleteFile(path);
195 | 	});
196 | 
197 | 	wsprintf(path, L"%ws\\D3DSCache", localappdata);
198 | 	ForceDeleteFile(path);
199 | 
200 | 	wsprintf(path, L"%ws\\NVIDIA Corporation\\GfeSDK", localappdata);
201 | 	ForceDeleteFile(path);
202 | 
203 | 	wsprintf(path, L"%ws\\Microsoft\\Feeds", localappdata);
204 | 	ForceDeleteFile(path);
205 | 
206 | 	wsprintf(path, L"%ws\\Microsoft\\Feeds Cache", localappdata);
207 | 	ForceDeleteFile(path);
208 | 
209 | 	wsprintf(path, L"%ws\\Microsoft\\Windows\\INetCache", localappdata);
210 | 	ForceDeleteFile(path);
211 | 
212 | 	wsprintf(path, L"%ws\\Microsoft\\Windows\\INetCookies", localappdata);
213 | 	ForceDeleteFile(path);
214 | 
215 | 	wsprintf(path, L"%ws\\Microsoft\\Windows\\WebCache", localappdata);
216 | 	ForceDeleteFile(path);
217 | 
218 | 	wsprintf(path, L"%ws\\Microsoft\\XboxLive\\AuthStateCache.dat", localappdata);
219 | 	ForceDeleteFile(path);
220 | 
221 | 	for (DWORD drives = GetLogicalDrives(), drive = L'C', index = 0; drives; drives >>= 1, ++index) {
222 | 		if (drives & 1) {
223 | 			printf("\n-- DRIVE: %c --\n\n", drive);
224 | 
225 | 			// Volume serial change applies after restart
226 | 			wsprintf(path, L"\\\\.\\%c:", drive);
227 | 			HANDLE device = CreateFile(path, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
228 | 			if (device != INVALID_HANDLE_VALUE) {
229 | 				BYTE sector[512] = { 0 };
230 | 				DWORD read = 0;
231 | 				if (ReadFile(device, sector, sizeof(sector), &read, 0) && read == sizeof(sector)) {
232 | 					for (DWORD i = 0; i < LENGTH(SECTORS); ++i) {
233 | 						PSECTOR s = &SECTORS[i];
234 | 						if (0 == memcmp(sector + s->NameOffset, s->Name, strlen(s->Name))) {
235 | 							*(PDWORD)(sector + s->SerialOffset) = (rand() << 16) + rand();
236 | 							if (INVALID_SET_FILE_POINTER != SetFilePointer(device, 0, 0, FILE_BEGIN)) {
237 | 								WriteFile(device, sector, sizeof(sector), 0, 0);
238 | 							}
239 | 
240 | 							break;
241 | 						}
242 | 					}
243 | 				}
244 | 
245 | 				CloseHandle(device);
246 | 			}
247 | 
248 | 			wsprintf(path, L"%c:\\Windows\\System32\\restore\\MachineGuid.txt", drive);
249 | 			ForceDeleteFile(path);
250 | 
251 | 			wsprintf(path, L"%c:\\Users\\Public\\Libraries\\collection.dat", drive);
252 | 			ForceDeleteFile(path);
253 | 
254 | 			wsprintf(path, L"%c:\\System Volume Information\\IndexerVolumeGuid", drive);
255 | 			ForceDeleteFile(path);
256 | 
257 | 			wsprintf(path, L"%c:\\System Volume Information\\WPSettings.dat", drive);
258 | 			ForceDeleteFile(path);
259 | 
260 | 			wsprintf(path, L"%c:\\System Volume Information\\tracking.log", drive);
261 | 			ForceDeleteFile(path);
262 | 
263 | 			wsprintf(path, L"%c:\\ProgramData\\Microsoft\\Windows\\WER", drive);
264 | 			ForceDeleteFile(path);
265 | 
266 | 			wsprintf(path, L"%c:\\Users\\Public\\Shared Files", drive);
267 | 			ForceDeleteFile(path);
268 | 
269 | 			wsprintf(path, L"%c:\\Windows\\INF\\setupapi.dev.log", drive);
270 | 			ForceDeleteFile(path);
271 | 
272 | 			wsprintf(path, L"%c:\\Windows\\INF\\setupapi.setup.log", drive);
273 | 			ForceDeleteFile(path);
274 | 
275 | 			// wsprintf(path, L"%c:\\Windows\\System32\\spp\\store", drive);
276 | 			// ForceDeleteFile(path);
277 | 
278 | 			wsprintf(path, L"%c:\\Users\\Public\\Libraries", drive);
279 | 			ForceDeleteFile(path);
280 | 
281 | 			wsprintf(path, L"%c:\\MSOCache", drive);
282 | 			ForceDeleteFile(path);
283 | 
284 | 			wsprintf(path, L"%c:\\ProgramData\\ntuser.pol", drive);
285 | 			ForceDeleteFile(path);
286 | 
287 | 			wsprintf(path, L"%c:\\Users\\Default\\NTUSER.DAT", drive);
288 | 			ForceDeleteFile(path);
289 | 
290 | 			wsprintf(path, L"%c:\\Recovery\\ntuser.sys", drive);
291 | 			ForceDeleteFile(path);
292 | 
293 | 			wsprintf(path, L"%c:\\desktop.ini", drive);
294 | 			ForceDeleteFile(path);
295 | 
296 | 			wsprintf(path, L"%c:\\Windows\\Prefetch\\*", drive);
297 | 			ForEachFile(path, {
298 | 				wsprintf(path, L"%c:\\Windows\\Prefetch\\%ws", drive, file);
299 | 				ForceDeleteFile(path);
300 | 			});
301 | 
302 | 			wsprintf(path, L"%c:\\Users\\*", drive);
303 | 			ForEachFile(path, {
304 | 				if (fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
305 | 					WCHAR user[MAX_PATH] = { 0 };
306 | 					wcscpy(user, file);
307 | 					wsprintf(path, L"%c:\\Users\\%ws\\*", drive, user);
308 | 					ForEachFile(path, {
309 | 						if (StrStr(file, L"ntuser")) {
310 | 							wsprintf(path, L"%c:\\Users\\%ws\\%ws", drive, user, file);
311 | 							ForceDeleteFile(path);
312 | 						}
313 | 					});
314 | 				}
315 | 			});
316 | 
317 | 			wsprintf(path, L"%c:\\Users", drive);
318 | 			RecursiveDelete(path, L"desktop.ini");
319 | 
320 | 			CHAR journal[MAX_PATH] = { 0 };
321 | 			sprintf(journal, "fsutil usn deletejournal /d %c:", drive);
322 | 			system(journal);
323 | 
324 | 			++drive;
325 | 		}
326 | 	}
327 | 
328 | 	// Extra cleanup
329 | 	system("vssadmin delete shadows /All /Quiet");
330 | 
331 | 	// WMIC holds cache of SMBIOS. With the driver loaded, starting WMIC will query the nulled SMBIOS data
332 | 	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
333 | 	if (snapshot) {
334 | 		PROCESSENTRY32 entry = { 0 };
335 | 		entry.dwSize = sizeof(entry);
336 | 		if (Process32First(snapshot, &entry)) {
337 | 			do {
338 | 				// Sometimes 'net stop' by itself isn't enough
339 | 				if (0 == _wcsicmp(entry.szExeFile, L"WmiPrvSE.exe")) {
340 | 					HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, 0, entry.th32ProcessID);
341 | 					if (INVALID_HANDLE_VALUE != process) {
342 | 						printf("Killed Winmgmt\n");
343 | 						TerminateProcess(process, 0);
344 | 						CloseHandle(process);
345 | 					}
346 | 
347 | 					break;
348 | 				}
349 | 			} while (Process32Next(snapshot, &entry));
350 | 		}
351 | 
352 | 		CloseHandle(snapshot);
353 | 	}
354 | 
355 | 	system("net stop winmgmt /Y");
356 | 
357 | 	system("pause");
358 | 
359 | 	return 0;
360 | }
361 | 


--------------------------------------------------------------------------------
/Kernel/main.c:
--------------------------------------------------------------------------------
  1 | #include "stdafx.h"
  2 | 
  3 | struct {
  4 | 	DWORD Length;
  5 | 	NIC_DRIVER Drivers[0xFF];
  6 | } NICs = { 0 };
  7 | 
  8 | PDRIVER_DISPATCH DiskControlOriginal = 0, MountControlOriginal = 0, PartControlOriginal = 0, NsiControlOriginal = 0, GpuControlOriginal = 0;
  9 | 
 10 | /**** DISKS ****/
 11 | NTSTATUS PartInfoIoc(PDEVICE_OBJECT device, PIRP irp, PVOID context) {
 12 | 	if (context) {
 13 | 		IOC_REQUEST request = *(PIOC_REQUEST)context;
 14 | 		ExFreePool(context);
 15 | 
 16 | 		if (request.BufferLength >= sizeof(PARTITION_INFORMATION_EX)) {
 17 | 			PPARTITION_INFORMATION_EX info = (PPARTITION_INFORMATION_EX)request.Buffer;
 18 | 			if (PARTITION_STYLE_GPT == info->PartitionStyle) {
 19 | 				memset(&info->Gpt.PartitionId, 0, sizeof(GUID));
 20 | 			}
 21 | 		}
 22 | 
 23 | 		if (request.OldRoutine && irp->StackCount > 1) {
 24 | 			return request.OldRoutine(device, irp, request.OldContext);
 25 | 		}
 26 | 	}
 27 | 
 28 | 	return STATUS_SUCCESS;
 29 | }
 30 | 
 31 | NTSTATUS PartLayoutIoc(PDEVICE_OBJECT device, PIRP irp, PVOID context) {
 32 | 	if (context) {
 33 | 		IOC_REQUEST request = *(PIOC_REQUEST)context;
 34 | 		ExFreePool(context);
 35 | 
 36 | 		if (request.BufferLength >= sizeof(DRIVE_LAYOUT_INFORMATION_EX)) {
 37 | 			PDRIVE_LAYOUT_INFORMATION_EX info = (PDRIVE_LAYOUT_INFORMATION_EX)request.Buffer;
 38 | 			if (PARTITION_STYLE_GPT == info->PartitionStyle) {
 39 | 				memset(&info->Gpt.DiskId, 0, sizeof(GUID));
 40 | 			}
 41 | 		}
 42 | 
 43 | 		if (request.OldRoutine && irp->StackCount > 1) {
 44 | 			return request.OldRoutine(device, irp, request.OldContext);
 45 | 		}
 46 | 	}
 47 | 
 48 | 	return STATUS_SUCCESS;
 49 | }
 50 | 
 51 | NTSTATUS PartControl(PDEVICE_OBJECT device, PIRP irp) {
 52 | 	PIO_STACK_LOCATION ioc = IoGetCurrentIrpStackLocation(irp);
 53 | 	switch (ioc->Parameters.DeviceIoControl.IoControlCode) {
 54 | 		case IOCTL_DISK_GET_PARTITION_INFO_EX:
 55 | 			ChangeIoc(ioc, irp, PartInfoIoc);
 56 | 			break;
 57 | 		case IOCTL_DISK_GET_DRIVE_LAYOUT_EX:
 58 | 			ChangeIoc(ioc, irp, PartLayoutIoc);
 59 | 			break;
 60 | 	}
 61 | 
 62 | 	return PartControlOriginal(device, irp);
 63 | }
 64 | 
 65 | NTSTATUS StorageQueryIoc(PDEVICE_OBJECT device, PIRP irp, PVOID context) {
 66 | 	if (context) {
 67 | 		IOC_REQUEST request = *(PIOC_REQUEST)context;
 68 | 		ExFreePool(context);
 69 | 
 70 | 		if (request.BufferLength >= sizeof(STORAGE_DEVICE_DESCRIPTOR)) {
 71 | 			PSTORAGE_DEVICE_DESCRIPTOR desc = (PSTORAGE_DEVICE_DESCRIPTOR)request.Buffer;
 72 | 			ULONG offset = desc->SerialNumberOffset;
 73 | 			if (offset && offset < request.BufferLength) {
 74 | 				strcpy((PCHAR)desc + offset, SERIAL);
 75 | 
 76 | 				printf("handled StorageQueryIoc\n");
 77 | 			}
 78 | 		}
 79 | 
 80 | 		if (request.OldRoutine && irp->StackCount > 1) {
 81 | 			return request.OldRoutine(device, irp, request.OldContext);
 82 | 		}
 83 | 	}
 84 | 
 85 | 	return STATUS_SUCCESS;
 86 | }
 87 | 
 88 | NTSTATUS AtaPassIoc(PDEVICE_OBJECT device, PIRP irp, PVOID context) {
 89 | 	if (context) {
 90 | 		IOC_REQUEST request = *(PIOC_REQUEST)context;
 91 | 		ExFreePool(context);
 92 | 
 93 | 		if (request.BufferLength >= sizeof(ATA_PASS_THROUGH_EX) + sizeof(PIDENTIFY_DEVICE_DATA)) {
 94 | 			PATA_PASS_THROUGH_EX pte = (PATA_PASS_THROUGH_EX)request.Buffer;
 95 | 			ULONG offset = (ULONG)pte->DataBufferOffset;
 96 | 			if (offset && offset < request.BufferLength) {
 97 | 				PCHAR serial = (PCHAR)((PIDENTIFY_DEVICE_DATA)((PBYTE)request.Buffer + offset))->SerialNumber;
 98 | 				SwapEndianess(serial, SERIAL);
 99 | 
100 | 				printf("handled AtaPassIoc\n");
101 | 			}
102 | 		}
103 | 
104 | 		if (request.OldRoutine && irp->StackCount > 1) {
105 | 			return request.OldRoutine(device, irp, request.OldContext);
106 | 		}
107 | 	}
108 | 
109 | 	return STATUS_SUCCESS;
110 | }
111 | 
112 | NTSTATUS SmartDataIoc(PDEVICE_OBJECT device, PIRP irp, PVOID context) {
113 | 	if (context) {
114 | 		IOC_REQUEST request = *(PIOC_REQUEST)context;
115 | 		ExFreePool(context);
116 | 
117 | 		if (request.BufferLength >= sizeof(SENDCMDOUTPARAMS)) {
118 | 			PCHAR serial = ((PIDSECTOR)((PSENDCMDOUTPARAMS)request.Buffer)->bBuffer)->sSerialNumber;
119 | 			SwapEndianess(serial, SERIAL);
120 | 
121 | 			printf("handled SmartDataIoc\n");
122 | 		}
123 | 
124 | 		if (request.OldRoutine && irp->StackCount > 1) {
125 | 			return request.OldRoutine(device, irp, request.OldContext);
126 | 		}
127 | 	}
128 | 
129 | 	return STATUS_SUCCESS;
130 | }
131 | 
132 | NTSTATUS DiskControl(PDEVICE_OBJECT device, PIRP irp) {
133 | 	PIO_STACK_LOCATION ioc = IoGetCurrentIrpStackLocation(irp);
134 | 	switch (ioc->Parameters.DeviceIoControl.IoControlCode) {
135 | 		case IOCTL_STORAGE_QUERY_PROPERTY:
136 | 			if (StorageDeviceProperty == ((PSTORAGE_PROPERTY_QUERY)irp->AssociatedIrp.SystemBuffer)->PropertyId) {
137 | 				ChangeIoc(ioc, irp, StorageQueryIoc);
138 | 			}
139 | 			break;
140 | 		case IOCTL_ATA_PASS_THROUGH:
141 | 			ChangeIoc(ioc, irp, AtaPassIoc);
142 | 			break;
143 | 		case SMART_RCV_DRIVE_DATA:
144 | 			ChangeIoc(ioc, irp, SmartDataIoc);
145 | 			break;
146 | 	}
147 | 
148 | 	return DiskControlOriginal(device, irp);
149 | }
150 | 
151 | VOID SpoofRaidUnits(RU_REGISTER_INTERFACES RaidUnitRegisterInterfaces, BYTE RaidUnitExtension_SerialNumber_offset) {
152 | 	UNICODE_STRING storahci_str = RTL_CONSTANT_STRING(L"\\Driver\\storahci");
153 | 	PDRIVER_OBJECT storahci_object = 0;
154 | 	
155 | 	// Enumerate RaidPorts in storahci
156 | 	NTSTATUS status = ObReferenceObjectByName(&storahci_str, OBJ_CASE_INSENSITIVE, 0, 0, *IoDriverObjectType, KernelMode, 0, &storahci_object);
157 | 	if (NT_SUCCESS(status)) {
158 | 		ULONG length = 0;
159 | 		if (STATUS_BUFFER_TOO_SMALL == (status = IoEnumerateDeviceObjectList(storahci_object, 0, 0, &length)) && length) {
160 | 			ULONG size = length * sizeof(PDEVICE_OBJECT);
161 | 			PDEVICE_OBJECT *devices = ExAllocatePool(NonPagedPool, size);
162 | 			if (devices) {
163 | 				if (NT_SUCCESS(status = IoEnumerateDeviceObjectList(storahci_object, devices, size, &length)) && length) {
164 | 					for (ULONG i = 0; i < length; ++i) {
165 | 						PDEVICE_OBJECT raidport_object = devices[i];
166 | 						
167 | 						BYTE buffer[MAX_PATH] = { 0 };
168 | 						if (NT_SUCCESS(ObQueryNameString(raidport_object, (POBJECT_NAME_INFORMATION)buffer, sizeof(buffer), &size))) {
169 | 							PUNICODE_STRING raidport_str = (PUNICODE_STRING)buffer;
170 | 
171 | 							// Enumerate devices for each RaidPort
172 | 							if (wcsstr(raidport_str->Buffer, L"\\RaidPort")) {
173 | 								DWORD total = 0, success = 0;
174 | 								for (PDEVICE_OBJECT device = raidport_object->DriverObject->DeviceObject; device; device = device->NextDevice) {
175 | 									if (FILE_DEVICE_DISK == device->DeviceType) {
176 | 										PSTRING serial = (PSTRING)((PBYTE)device->DeviceExtension + RaidUnitExtension_SerialNumber_offset);
177 | 										strcpy(serial->Buffer, SERIAL);
178 | 										serial->Length = (USHORT)strlen(SERIAL);
179 | 
180 | 										if (NT_SUCCESS(status = RaidUnitRegisterInterfaces(device->DeviceExtension))) {
181 | 											++success;
182 | 										} else {
183 | 											printf("! RaidUnitRegisterInterfaces failed: %p !\n", status);
184 | 										}
185 | 
186 | 										++total;
187 | 									}
188 | 								}
189 | 
190 | 								printf("%wZ: RaidUnitRegisterInterfaces succeeded for %d/%d\n", raidport_str, success, total);
191 | 							}
192 | 						}
193 | 
194 | 						ObDereferenceObject(raidport_object);
195 | 					}
196 | 				} else {
197 | 					printf("! failed to get storahci devices (got %d): %p !\n", length, status);
198 | 				}
199 | 
200 | 				ExFreePool(devices);
201 | 			} else {
202 | 				printf("! failed to allocated %d storahci devices !\n", length);
203 | 			}
204 | 		} else {
205 | 			printf("! failed to get storahci device list size (got %d): %p !\n", length, status);
206 | 		}
207 | 
208 | 		ObDereferenceObject(storahci_object);
209 | 	} else {
210 | 		printf("! failed to get %wZ: %p !\n", &storahci_object, status);
211 | 	}
212 | }
213 | 
214 | VOID SpoofDisks() {
215 | 	SwapControl(RTL_CONSTANT_STRING(L"\\Driver\\partmgr"), PartControl, PartControlOriginal);
216 | 
217 | 	UNICODE_STRING disk_str = RTL_CONSTANT_STRING(L"\\Driver\\Disk");
218 | 	PDRIVER_OBJECT disk_object = 0;
219 | 
220 | 	NTSTATUS status = ObReferenceObjectByName(&disk_str, OBJ_CASE_INSENSITIVE, 0, 0, *IoDriverObjectType, KernelMode, 0, &disk_object);
221 | 	if (!NT_SUCCESS(status)) {
222 | 		printf("! failed to get %wZ: %p !\n", &disk_str, status);
223 | 		return;
224 | 	}
225 | 
226 | 	AppendSwap(disk_str, &disk_object->MajorFunction[IRP_MJ_DEVICE_CONTROL], DiskControl, DiskControlOriginal);
227 | 
228 | 	DISK_FAIL_PREDICTION DiskEnableDisableFailurePrediction = (DISK_FAIL_PREDICTION)FindPatternImage(disk_object->DriverStart, "\x48\x89\x00\x24\x10\x48\x89\x74\x24\x18\x57\x48\x81\xEC\x90\x00", "xx?xxxxxxxxxxxxx");
229 | 	if (DiskEnableDisableFailurePrediction) {
230 | 		ULONG length = 0;
231 | 		if (STATUS_BUFFER_TOO_SMALL == (status = IoEnumerateDeviceObjectList(disk_object, 0, 0, &length)) && length) {
232 | 			ULONG size = length * sizeof(PDEVICE_OBJECT);
233 | 			PDEVICE_OBJECT *devices = ExAllocatePool(NonPagedPool, size);
234 | 			if (devices) {
235 | 				if (NT_SUCCESS(status = IoEnumerateDeviceObjectList(disk_object, devices, size, &length)) && length) {
236 | 					ULONG success = 0, total = 0;
237 | 
238 | 					for (ULONG i = 0; i < length; ++i) {
239 | 						PDEVICE_OBJECT device = devices[i];
240 | 
241 | 						// Update disk properties for disk ID
242 | 						PDEVICE_OBJECT disk = IoGetAttachedDeviceReference(device);
243 | 						if (disk) {
244 | 							KEVENT event = { 0 };
245 | 							KeInitializeEvent(&event, NotificationEvent, FALSE);
246 | 
247 | 							PIRP irp = IoBuildDeviceIoControlRequest(IOCTL_DISK_UPDATE_PROPERTIES, disk, 0, 0, 0, 0, 0, &event, 0);
248 | 							if (irp) {
249 | 								if (STATUS_PENDING == IoCallDriver(disk, irp)) {
250 | 									KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, 0);
251 | 								}
252 | 							} else {
253 | 								printf("! failed to build IoControlRequest !\n");
254 | 							}
255 | 
256 | 							ObDereferenceObject(disk);
257 | 						}
258 | 
259 | 						PFUNCTIONAL_DEVICE_EXTENSION ext = device->DeviceExtension;
260 | 						if (ext) {
261 | 							strcpy((PCHAR)ext->DeviceDescriptor + ext->DeviceDescriptor->SerialNumberOffset, SERIAL);
262 | 
263 | 							// Disables SMART
264 | 							if (NT_SUCCESS(status = DiskEnableDisableFailurePrediction(ext, FALSE))) {
265 | 								++success;
266 | 							} else {
267 | 								printf("! DiskEnableDisableFailurePrediction failed: %p !\n", status);
268 | 							}
269 | 
270 | 							++total;
271 | 						}
272 | 						
273 | 						ObDereferenceObject(device);
274 | 					}
275 | 
276 | 					printf("disabling smart succeeded for %d/%d\n", success, total);
277 | 				} else {
278 | 					printf("! failed to get disk devices (got %d): %p !\n", length, status);
279 | 				}
280 | 
281 | 				ExFreePool(devices);
282 | 			} else {
283 | 				printf("! failed to allocated %d disk devices !\n", length);
284 | 			}
285 | 		} else {
286 | 			printf("! failed to get disk device list size (got %d): %p !\n", length, status);
287 | 		}
288 | 	} else {
289 | 		printf("! failed to find DiskEnableDisableFailurePrediction !\n");
290 | 	}
291 | 
292 | 	ObDereferenceObject(disk_object);
293 | 
294 | 	// RaidUnitRegisterInterfaces -> Registry
295 | 	PVOID storport = GetBaseAddress("storport.sys", 0);
296 | 	if (storport) {
297 | 		RU_REGISTER_INTERFACES RaidUnitRegisterInterfaces = (RU_REGISTER_INTERFACES)FindPatternImage(storport, "\x48\x8B\xCB\xE8\x00\x00\x00\x00\x48\x8B\xCB\xE8\x00\x00\x00\x00\x85\xC0", "xxxx????xxxx????xx");
298 | 		if (RaidUnitRegisterInterfaces) {
299 | 			PBYTE RaidUnitExtension_SerialNumber = FindPatternImage(storport, "\x66\x39\x2C\x41", "xxxx");
300 | 			if (RaidUnitExtension_SerialNumber) {
301 | 				RaidUnitExtension_SerialNumber = FindPattern((PCHAR)RaidUnitExtension_SerialNumber, 32, "\x4C\x8D\x4F", "xxx");
302 | 				if (RaidUnitExtension_SerialNumber) {
303 | 					BYTE RaidUnitExtension_SerialNumber_offset = *(RaidUnitExtension_SerialNumber + 3);
304 | 					RaidUnitRegisterInterfaces = (RU_REGISTER_INTERFACES)((PBYTE)RaidUnitRegisterInterfaces + 8 + *(PINT)((PBYTE)RaidUnitRegisterInterfaces + 4));
305 | 
306 | 					SpoofRaidUnits(RaidUnitRegisterInterfaces, RaidUnitExtension_SerialNumber_offset);
307 | 				} else {
308 | 					printf("! failed to find RaidUnitExtension_SerialNumber (1) !\n");
309 | 				}
310 | 			} else {
311 | 				printf("! failed to find RaidUnitExtension_SerialNumber (0) !\n");
312 | 			}
313 | 		} else {
314 | 			printf("! failed to find RaidUnitRegisterInterfaces !\n");
315 | 		}
316 | 	} else {
317 | 		printf("! failed to get \"storport.sys\" !\n");
318 | 	}
319 | }
320 | 
321 | /**** VOLUMES ****/
322 | NTSTATUS MountPointsIoc(PDEVICE_OBJECT device, PIRP irp, PVOID context) {
323 | 	if (context) {
324 | 		IOC_REQUEST request = *(PIOC_REQUEST)context;
325 | 		ExFreePool(context);
326 | 
327 | 		if (request.BufferLength >= sizeof(MOUNTMGR_MOUNT_POINTS)) {
328 | 			PMOUNTMGR_MOUNT_POINTS points = (PMOUNTMGR_MOUNT_POINTS)request.Buffer;
329 | 			for (DWORD i = 0; i < points->NumberOfMountPoints; ++i) {
330 | 				PMOUNTMGR_MOUNT_POINT point = &points->MountPoints[i];
331 | 				if (point->UniqueIdOffset) {
332 | 					point->UniqueIdLength = 0;
333 | 				}
334 | 
335 | 				if (point->SymbolicLinkNameOffset) {
336 | 					point->SymbolicLinkNameLength = 0;
337 | 				}
338 | 			}
339 | 		}
340 | 
341 | 		if (request.OldRoutine && irp->StackCount > 1) {
342 | 			return request.OldRoutine(device, irp, request.OldContext);
343 | 		}
344 | 	}
345 | 
346 | 	return STATUS_SUCCESS;
347 | }
348 | 
349 | NTSTATUS MountUniqueIoc(PDEVICE_OBJECT device, PIRP irp, PVOID context) {
350 | 	if (context) {
351 | 		IOC_REQUEST request = *(PIOC_REQUEST)context;
352 | 		ExFreePool(context);
353 | 
354 | 		if (request.BufferLength >= sizeof(MOUNTDEV_UNIQUE_ID)) {
355 | 			((PMOUNTDEV_UNIQUE_ID)request.Buffer)->UniqueIdLength = 0;
356 | 		}
357 | 
358 | 		if (request.OldRoutine && irp->StackCount > 1) {
359 | 			return request.OldRoutine(device, irp, request.OldContext);
360 | 		}
361 | 	}
362 | 
363 | 	return STATUS_SUCCESS;
364 | }
365 | 
366 | NTSTATUS MountControl(PDEVICE_OBJECT device, PIRP irp) {
367 | 	PIO_STACK_LOCATION ioc = IoGetCurrentIrpStackLocation(irp);
368 | 	switch (ioc->Parameters.DeviceIoControl.IoControlCode) {
369 | 		case IOCTL_MOUNTMGR_QUERY_POINTS:
370 | 			ChangeIoc(ioc, irp, MountPointsIoc);
371 | 			break;
372 | 		case IOCTL_MOUNTDEV_QUERY_UNIQUE_ID:
373 | 			ChangeIoc(ioc, irp, MountUniqueIoc);
374 | 			break;
375 | 	}
376 | 
377 | 	return MountControlOriginal(device, irp);
378 | }
379 | 
380 | // Volume serial is spoofed from usermode
381 | void SpoofVolumes() {
382 | 	SwapControl(RTL_CONSTANT_STRING(L"\\Driver\\mountmgr"), MountControl, MountControlOriginal);
383 | }
384 | 
385 | /**** NIC ****/
386 | NTSTATUS NICIoc(PDEVICE_OBJECT device, PIRP irp, PVOID context) {
387 | 	if (context) {
388 | 		IOC_REQUEST request = *(PIOC_REQUEST)context;
389 | 		ExFreePool(context);
390 | 
391 | 		if (irp->MdlAddress) {
392 | 			SpoofBuffer(SEED, (PBYTE)MmGetSystemAddressForMdl(irp->MdlAddress), 6);
393 | 
394 | 			printf("handled NICIoc\n");
395 | 		}
396 | 
397 | 		if (request.OldRoutine && irp->StackCount > 1) {
398 | 			return request.OldRoutine(device, irp, request.OldContext);
399 | 		}
400 | 	}
401 | 
402 | 	return STATUS_SUCCESS;
403 | }
404 | 
405 | NTSTATUS NICControl(PDEVICE_OBJECT device, PIRP irp) {
406 | 	for (DWORD i = 0; i < NICs.Length; ++i) {
407 | 		PNIC_DRIVER driver = &NICs.Drivers[i];
408 | 
409 | 		if (driver->Original && driver->DriverObject == device->DriverObject) {
410 | 			PIO_STACK_LOCATION ioc = IoGetCurrentIrpStackLocation(irp);
411 | 			switch (ioc->Parameters.DeviceIoControl.IoControlCode) {
412 | 				case IOCTL_NDIS_QUERY_GLOBAL_STATS: {
413 | 					switch (*(PDWORD)irp->AssociatedIrp.SystemBuffer) {
414 | 						case OID_802_3_PERMANENT_ADDRESS:
415 | 						case OID_802_3_CURRENT_ADDRESS:
416 | 						case OID_802_5_PERMANENT_ADDRESS:
417 | 						case OID_802_5_CURRENT_ADDRESS:
418 | 							ChangeIoc(ioc, irp, NICIoc);
419 | 							break;
420 | 					}
421 | 
422 | 					break;
423 | 				}
424 | 			}
425 | 
426 | 			return driver->Original(device, irp);
427 | 		}
428 | 	}
429 | 
430 | 	return STATUS_SUCCESS;
431 | }
432 | 
433 | NTSTATUS NsiControl(PDEVICE_OBJECT device, PIRP irp) {
434 | 	PIO_STACK_LOCATION ioc = IoGetCurrentIrpStackLocation(irp);
435 | 	switch (ioc->Parameters.DeviceIoControl.IoControlCode) {
436 | 		case IOCTL_NSI_PROXY_ARP: {
437 | 			DWORD length = ioc->Parameters.DeviceIoControl.OutputBufferLength;
438 | 			NTSTATUS ret = NsiControlOriginal(device, irp);
439 | 
440 | 			PNSI_PARAMS params = (PNSI_PARAMS)irp->UserBuffer;
441 | 			if (params && NSI_PARAMS_ARP == params->Type) {
442 | 				memset(irp->UserBuffer, 0, length);
443 | 
444 | 				printf("handled ARP table\n");
445 | 			}
446 | 
447 | 			return ret;
448 | 		}
449 | 	}
450 | 
451 | 	return NsiControlOriginal(device, irp);
452 | }
453 | 
454 | VOID SpoofNIC() {
455 | 	SwapControl(RTL_CONSTANT_STRING(L"\\Driver\\nsiproxy"), NsiControl, NsiControlOriginal);
456 | 
457 | 	PVOID base = GetBaseAddress("ndis.sys", 0);
458 | 	if (!base) {
459 | 		printf("! failed to get \"ndis.sys\" !\n");
460 | 		return;
461 | 	}
462 | 
463 | 	PNDIS_FILTER_BLOCK ndisGlobalFilterList = FindPatternImage(base, "\x40\x8A\xF0\x48\x8B\x05", "xxxxxx");
464 | 	if (ndisGlobalFilterList) {
465 | 		PDWORD ndisFilter_IfBlock = FindPatternImage(base, "\x48\x85\x00\x0F\x84\x00\x00\x00\x00\x00\x8B\x00\x00\x00\x00\x00\x33", "xx?xx?????x???xxx");
466 | 		if (ndisFilter_IfBlock) {
467 | 			DWORD ndisFilter_IfBlock_offset = *(PDWORD)((PBYTE)ndisFilter_IfBlock + 12);
468 | 
469 | 			ndisGlobalFilterList = (PNDIS_FILTER_BLOCK)((PBYTE)ndisGlobalFilterList + 3);
470 | 			ndisGlobalFilterList = *(PNDIS_FILTER_BLOCK *)((PBYTE)ndisGlobalFilterList + 7 + *(PINT)((PBYTE)ndisGlobalFilterList + 3));
471 | 
472 | 			DWORD count = 0;
473 | 			for (PNDIS_FILTER_BLOCK filter = ndisGlobalFilterList; filter; filter = filter->NextFilter) {
474 | 				PNDIS_IF_BLOCK block = *(PNDIS_IF_BLOCK *)((PBYTE)filter + ndisFilter_IfBlock_offset);
475 | 				if (block) {
476 | 					PWCHAR copy = SafeCopy(filter->FilterInstanceName->Buffer, MAX_PATH);
477 | 					if (copy) {
478 | 						WCHAR adapter[MAX_PATH] = { 0 };
479 | 						swprintf(adapter, L"\\Device\\%ws", TrimGUID(copy, MAX_PATH / 2));
480 | 						ExFreePool(copy);
481 | 
482 | 						printf("found NIC %ws\n", adapter);
483 | 
484 | 						UNICODE_STRING name = { 0 };
485 | 						RtlInitUnicodeString(&name, adapter);
486 | 
487 | 						PFILE_OBJECT file = 0;
488 | 						PDEVICE_OBJECT device = 0;
489 | 
490 | 						NTSTATUS status = IoGetDeviceObjectPointer(&name, FILE_READ_DATA, &file, &device);
491 | 						if (NT_SUCCESS(status)) {
492 | 							PDRIVER_OBJECT driver = device->DriverObject;
493 | 							if (driver) {
494 | 								BOOL exists = FALSE;
495 | 								for (DWORD i = 0; i < NICs.Length; ++i) {
496 | 									if (NICs.Drivers[i].DriverObject == driver) {
497 | 										exists = TRUE;
498 | 										break;
499 | 									}
500 | 								}
501 | 
502 | 								if (exists) {
503 | 									printf("%wZ already swapped\n", &driver->DriverName);
504 | 								} else {
505 | 									PNIC_DRIVER nic = &NICs.Drivers[NICs.Length];
506 | 									nic->DriverObject = driver;
507 | 
508 | 									AppendSwap(driver->DriverName, &driver->MajorFunction[IRP_MJ_DEVICE_CONTROL], NICControl, nic->Original);
509 | 
510 | 									++NICs.Length;
511 | 								}
512 | 							}
513 | 
514 | 							// Indirectly dereferences device object
515 | 							ObDereferenceObject(file);
516 | 						} else {
517 | 							printf("! failed to get %wZ: %p !\n", &name, status);
518 | 						}
519 | 					}
520 | 
521 | 					// Current MAC
522 | 					PIF_PHYSICAL_ADDRESS_LH addr = &block->ifPhysAddress;
523 | 					SpoofBuffer(SEED, addr->Address, addr->Length);
524 | 					addr = &block->PermanentPhysAddress;
525 | 					SpoofBuffer(SEED, addr->Address, addr->Length);
526 | 
527 | 					++count;
528 | 				}
529 | 			}
530 | 
531 | 			printf("handled %d MACs\n", count);
532 | 		} else {
533 | 			printf("! failed to find ndisFilter_IfBlock !\n");
534 | 		}
535 | 	} else {
536 | 		printf("! failed to find ndisGlobalFilterList !\n");
537 | 	}
538 | }
539 | 
540 | /**** SMBIOS (and boot) ****/
541 | void SpoofSMBIOS() {
542 | 	PVOID base = GetBaseAddress("ntoskrnl.exe", 0);
543 | 	if (!base) {
544 | 		printf("! failed to get \"ntoskrnl.exe\" !\n");
545 | 		return;
546 | 	}
547 | 
548 | 	PBYTE ExpBootEnvironmentInformation = FindPatternImage(base, "\x0F\x10\x05\x00\x00\x00\x00\x0F\x11\x00\x8B", "xxx????xx?x");
549 | 	if (ExpBootEnvironmentInformation) {
550 | 		ExpBootEnvironmentInformation = ExpBootEnvironmentInformation + 7 + *(PINT)(ExpBootEnvironmentInformation + 3);
551 | 		SpoofBuffer(SEED, ExpBootEnvironmentInformation, 16);
552 | 
553 | 		printf("handled ExpBootEnvironmentInformation\n");
554 | 	} else {
555 | 		printf("! ExpBootEnvironmentInformation not found !\n");
556 | 	}
557 | 
558 | 	PPHYSICAL_ADDRESS WmipSMBiosTablePhysicalAddress = FindPatternImage(base, "\x48\x8B\x0D\x00\x00\x00\x00\x48\x85\xC9\x74\x00\x8B\x15", "xxx????xxxx?xx");
559 | 	if (WmipSMBiosTablePhysicalAddress) {
560 | 		WmipSMBiosTablePhysicalAddress = (PPHYSICAL_ADDRESS)((PBYTE)WmipSMBiosTablePhysicalAddress + 7 + *(PINT)((PBYTE)WmipSMBiosTablePhysicalAddress + 3));
561 | 		memset(WmipSMBiosTablePhysicalAddress, 0, sizeof(PHYSICAL_ADDRESS));
562 | 
563 | 		printf("nulled SMBIOS table physical address\n");
564 | 	} else {
565 | 		printf("! WmipSMBiosTablePhysicalAddress not found !\n");
566 | 	}
567 | }
568 | 
569 | /**** GPU ****/
570 | NTSTATUS GpuControl(PDEVICE_OBJECT device, PIRP irp) {
571 | 	PIO_STACK_LOCATION ioc = IoGetCurrentIrpStackLocation(irp);
572 | 	switch (ioc->Parameters.DeviceIoControl.IoControlCode) {
573 | 		case IOCTL_NVIDIA_SMIL: {
574 | 			NTSTATUS ret = GpuControlOriginal(device, irp);
575 | 
576 | 			PCHAR buffer = irp->UserBuffer;
577 | 			if (buffer) {
578 | 				PCHAR copy = SafeCopy(buffer, IOCTL_NVIDIA_SMIL_MAX);
579 | 				if (copy) {
580 | 					for (DWORD i = 0; i < IOCTL_NVIDIA_SMIL_MAX - 4; ++i) {
581 | 						if (0 == memcmp(copy + i, "GPU-", 4)) {
582 | 							buffer[i] = 0;
583 | 
584 | 							printf("handled GPU serial\n");
585 | 							break;
586 | 						}
587 | 					}
588 | 
589 | 					ExFreePool(copy);
590 | 				}
591 | 			}
592 | 
593 | 			return ret;
594 | 		}
595 | 	}
596 | 
597 | 	return GpuControlOriginal(device, irp);
598 | }
599 | 
600 | VOID SpoofGPU() {
601 | 	SwapControl(RTL_CONSTANT_STRING(L"\\Driver\\nvlddmkm"), GpuControl, GpuControlOriginal);
602 | }
603 | 
604 | VOID DriverUnload(PDRIVER_OBJECT driver) {
605 | 	UNREFERENCED_PARAMETER(driver);
606 | 	printf("-- unloading\n");
607 | 
608 | 	for (DWORD i = 0; i < SWAPS.Length; ++i) {
609 | 		PSWAP s = (PSWAP)&SWAPS.Buffer[i];
610 | 		if (s->Swap && s->Original) {
611 | 			InterlockedExchangePointer(s->Swap, s->Original);
612 | 			printf("reverted %wZ swap\n", &s->Name);
613 | 		}
614 | 	}
615 | 
616 | 	printf("-- unloaded\n");
617 | }
618 | 
619 | NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING registry_path) {
620 | 	UNREFERENCED_PARAMETER(registry_path);
621 | 	driver->DriverUnload = DriverUnload;
622 | 
623 | 	ULONG64 time = 0;
624 | 	KeQuerySystemTime(&time);
625 | 	SEED = (DWORD)time;
626 | 
627 | 	CHAR alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
628 | 	for (DWORD i = 0, l = (DWORD)strlen(SERIAL); i < l; ++i) {
629 | 		SERIAL[i] = alphabet[RtlRandomEx(&SEED) % (sizeof(alphabet) - 1)];
630 | 	}
631 | 
632 | 	printf("++ loading (serial: %s)\n", SERIAL);
633 | 
634 | 	SpoofDisks();
635 | 	SpoofVolumes();
636 | 	SpoofNIC();
637 | 	SpoofSMBIOS();
638 | 	SpoofGPU();
639 | 
640 | 	printf("++ loaded\n");
641 | 
642 | 	return STATUS_SUCCESS;
643 | }
644 | 


--------------------------------------------------------------------------------