├── CowInject
    ├── shell_code_end.cpp
    ├── CowInject.inf
    ├── shell_code_start.cpp
    ├── CowInject.vcxproj.filters
    ├── main.h
    ├── helper.cpp
    ├── CowInject.vcxproj
    ├── head.h
    └── main.cpp
├── README.md
├── .gitattributes
├── CowInject.sln
└── .gitignore


/CowInject/shell_code_end.cpp:
--------------------------------------------------------------------------------
1 | #include "head.h"
2 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # CowInjecter
2 | 滥用cow机制进行全局注入
3 | 解析: https://www.unknowncheats.me/forum/anti-cheat-bypass/434051-cow-injecter-abuse-cow-global-injection-bypass-minifilter.html
4 | 


--------------------------------------------------------------------------------
/CowInject/CowInject.inf:
--------------------------------------------------------------------------------
 1 | ;
 2 | ; CowInject.inf
 3 | ;
 4 | 
 5 | [Version]
 6 | Signature="$WINDOWS NT$"
 7 | Class=System
 8 | ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}
 9 | Provider=%ManufacturerName%
10 | DriverVer=
11 | CatalogFile=CowInject.cat
12 | 
13 | [DestinationDirs]
14 | DefaultDestDir = 12
15 | 
16 | 
17 | [SourceDisksNames]
18 | 1 = %DiskName%,,,""
19 | 
20 | [SourceDisksFiles]
21 | 
22 | 
23 | [Manufacturer]
24 | %ManufacturerName%=Standard,NT$ARCH$
25 | 
26 | [Standard.NT$ARCH$]
27 | 
28 | 
29 | [Strings]
30 | ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
31 | ClassName=""
32 | DiskName="CowInject Source Disk"
33 | 


--------------------------------------------------------------------------------
/CowInject/shell_code_start.cpp:
--------------------------------------------------------------------------------
 1 | #include "head.h"
 2 | 
 3 | //shellcode just like:
 4 | /*
 5 | HANDLE __stdcall HookCreateFileW(LPCWSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile) {
 6 | 	CreateFileWT oCreateFileW = (CreateFileWT)0x1234567812345678;
 7 | 	wcsstrAt oWcsstr = (wcsstrAt)0x1234567891ABCDEF;
 8 | 	GetModuleFileNameWT oGetModuleFileNameW = (GetModuleFileNameWT)0x1337567891ABCDEF;
 9 | 	LoadLibraryWT oLoadLibraryW = (LoadLibraryWT)0x1234567891AB1337;
10 | 	wchar_t CheatPath[] = { 'C',':','\\','h','u','o','j','i','.','d','l','l','\0' };
11 | 	wchar_t NtdllName[] = { 'C',':','\\','n','t','d','l','l','.','d','l','l','\0' };
12 | 	//RainbowSix.exe
13 | 	wchar_t GameName[] = { 'C','o','n','a','n','S','a','n','d','b','o','x','.','e','x','e','\0' };
14 | 	//BEService.exe
15 | 	wchar_t AntiCheatName[] = { 'B','E','S','e','r','v','i','c','e','.','e','x','e','\0' };
16 | 	wchar_t ExeFile[MAX_PATH];
17 | 	oGetModuleFileNameW(NULL, ExeFile, MAX_PATH);
18 | 	if (oWcsstr(ExeFile, GameName) != NULL) {
19 | 		oLoadLibraryW(CheatPath);
20 | 	}
21 | 	if (oWcsstr(ExeFile, AntiCheatName) != NULL) {
22 | 		return oCreateFileW(oWcsstr(lpFileName, CheatPath) != NULL ? NtdllName : lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
23 | 	}
24 | 	return oCreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
25 | }
26 | int __stdcall ShellCodeEnd() {
27 | 	return 0x1337;
28 | }*/


--------------------------------------------------------------------------------
/CowInject/CowInject.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="Driver Files">
17 |       <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
18 |       <Extensions>inf;inv;inx;mof;mc;</Extensions>
19 |     </Filter>
20 |     <Filter Include="Source Files\Shellcode">
21 |       <UniqueIdentifier>{41db35f4-72e8-49d7-81ea-9a18fea3e160}</UniqueIdentifier>
22 |     </Filter>
23 |     <Filter Include="Source Files\ThirdParty">
24 |       <UniqueIdentifier>{9e17b26d-f5cd-4288-962a-5943271da071}</UniqueIdentifier>
25 |     </Filter>
26 |   </ItemGroup>
27 |   <ItemGroup>
28 |     <Inf Include="CowInject.inf">
29 |       <Filter>Driver Files</Filter>
30 |     </Inf>
31 |   </ItemGroup>
32 |   <ItemGroup>
33 |     <ClInclude Include="head.h">
34 |       <Filter>Header Files</Filter>
35 |     </ClInclude>
36 |     <ClInclude Include="main.h">
37 |       <Filter>Header Files</Filter>
38 |     </ClInclude>
39 |   </ItemGroup>
40 |   <ItemGroup>
41 |     <ClCompile Include="main.cpp">
42 |       <Filter>Source Files</Filter>
43 |     </ClCompile>
44 |     <ClCompile Include="shell_code_start.cpp">
45 |       <Filter>Source Files\Shellcode</Filter>
46 |     </ClCompile>
47 |     <ClCompile Include="shell_code_end.cpp">
48 |       <Filter>Source Files\Shellcode</Filter>
49 |     </ClCompile>
50 |     <ClCompile Include="helper.cpp">
51 |       <Filter>Source Files\ThirdParty</Filter>
52 |     </ClCompile>
53 |   </ItemGroup>
54 | </Project>


--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
 1 | ###############################################################################
 2 | # Set default behavior to automatically normalize line endings.
 3 | ###############################################################################
 4 | * text=auto
 5 | 
 6 | ###############################################################################
 7 | # Set default behavior for command prompt diff.
 8 | #
 9 | # This is need for earlier builds of msysgit that does not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs     diff=csharp
14 | 
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following 
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln       merge=binary
26 | #*.csproj    merge=binary
27 | #*.vbproj    merge=binary
28 | #*.vcxproj   merge=binary
29 | #*.vcproj    merge=binary
30 | #*.dbproj    merge=binary
31 | #*.fsproj    merge=binary
32 | #*.lsproj    merge=binary
33 | #*.wixproj   merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj   merge=binary
36 | #*.wwaproj   merge=binary
37 | 
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg   binary
44 | #*.png   binary
45 | #*.gif   binary
46 | 
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | # 
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the 
52 | # entries below.
53 | ###############################################################################
54 | #*.doc   diff=astextplain
55 | #*.DOC   diff=astextplain
56 | #*.docx  diff=astextplain
57 | #*.DOCX  diff=astextplain
58 | #*.dot   diff=astextplain
59 | #*.DOT   diff=astextplain
60 | #*.pdf   diff=astextplain
61 | #*.PDF   diff=astextplain
62 | #*.rtf   diff=astextplain
63 | #*.RTF   diff=astextplain
64 | 


--------------------------------------------------------------------------------
/CowInject.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.29613.14
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CowInject", "CowInject\CowInject.vcxproj", "{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|ARM = Debug|ARM
11 | 		Debug|ARM64 = Debug|ARM64
12 | 		Debug|x64 = Debug|x64
13 | 		Debug|x86 = Debug|x86
14 | 		Release|ARM = Release|ARM
15 | 		Release|ARM64 = Release|ARM64
16 | 		Release|x64 = Release|x64
17 | 		Release|x86 = Release|x86
18 | 	EndGlobalSection
19 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM.ActiveCfg = Debug|ARM
21 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM.Build.0 = Debug|ARM
22 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM.Deploy.0 = Debug|ARM
23 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM64.ActiveCfg = Debug|ARM64
24 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM64.Build.0 = Debug|ARM64
25 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM64.Deploy.0 = Debug|ARM64
26 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x64.ActiveCfg = Debug|x64
27 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x64.Build.0 = Debug|x64
28 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x64.Deploy.0 = Debug|x64
29 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x86.ActiveCfg = Debug|Win32
30 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x86.Build.0 = Debug|Win32
31 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x86.Deploy.0 = Debug|Win32
32 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM.ActiveCfg = Release|ARM
33 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM.Build.0 = Release|ARM
34 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM.Deploy.0 = Release|ARM
35 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM64.ActiveCfg = Release|ARM64
36 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM64.Build.0 = Release|ARM64
37 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM64.Deploy.0 = Release|ARM64
38 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x64.ActiveCfg = Release|x64
39 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x64.Build.0 = Release|x64
40 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x64.Deploy.0 = Release|x64
41 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x86.ActiveCfg = Release|Win32
42 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x86.Build.0 = Release|Win32
43 | 		{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x86.Deploy.0 = Release|Win32
44 | 	EndGlobalSection
45 | 	GlobalSection(SolutionProperties) = preSolution
46 | 		HideSolutionNode = FALSE
47 | 	EndGlobalSection
48 | 	GlobalSection(ExtensibilityGlobals) = postSolution
49 | 		SolutionGuid = {8B54FB70-B3D2-4C49-87D4-AED93842E605}
50 | 	EndGlobalSection
51 | EndGlobal
52 | 


--------------------------------------------------------------------------------
/CowInject/main.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | extern HANDLE __stdcall HkCreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
 4 | extern int __stdcall ShellCodeEnd();
 5 | extern ULONG_PTR GetProcAddressR(ULONG_PTR hModule, const char* lpProcName, BOOL x64Module);
 6 | extern LONG BlackBoneSafeSearchString(IN PUNICODE_STRING source, IN PUNICODE_STRING target, IN BOOLEAN CaseInSensitive);
 7 | extern bool _memcpy(PVOID address, PVOID target_address, ULONG length);
 8 | //see shell_code_start ,fuck gcc, aways broken shellcode
 9 | static BYTE HookCode[] = {
10 | 0x48,0x8B,0xC4,0x48,0x89,0x58,0x08,0x48,0x89,0x70,0x10,0x48,0x89,0x78,0x18,0x55,0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57,0x48,0x8D,0xA8,0xF8,0xFD,0xFF,0xFF,0x48,0x81,0xEC,0xE0,0x02,0x00,0x00,0x45,0x33,0xED,0xC7,0x44,0x24,0x40,0x43,0x00,0x3A,0x00,0x41,0x8B,0xF0,0x66,0x44,0x89,0x6C,0x24,0x58,0x44,0x8B,0xF2,0x66,0x44,0x89,0x6C,0x24,0x78,0x48,0x8B,0xD9,0x66,0x44,0x89,0x6D,0xC0,0x41,0xB8,0x04,0x01,0x00,0x00,0xC7,0x44,0x24,0x44,0x5C,0x00,0x68,0x00,0x48,0x8D,0x55,0xD0,0xC7,0x44,0x24,0x48,0x75,0x00,0x6F,0x00,0x33,0xC9,0xC7,0x44,0x24,0x4C,0x6A,0x00,0x69,0x00,0x48,0xB8,0xEF,0xCD,0xAB,0x91,0x78,0x56,0x37,0x13,0xC7,0x44,0x24,0x50,0x2E,0x00,0x64,0x00,0x49,0x8B,0xF9,0xC7,0x44,0x24,0x54,0x6C,0x00,0x6C,0x00,0xC7,0x44,0x24,0x60,0x43,0x00,0x3A,0x00,0xC7,0x44,0x24,0x64,0x5C,0x00,0x6E,0x00,0xC7,0x44,0x24,0x68,0x74,0x00,0x64,0x00,0xC7,0x44,0x24,0x6C,0x6C,0x00,0x6C,0x00,0xC7,0x44,0x24,0x70,0x2E,0x00,0x64,0x00,0xC7,0x44,0x24,0x74,0x6C,0x00,0x6C,0x00,0xC7,0x45,0xA0,0x43,0x00,0x6F,0x00,0xC7,0x45,0xA4,0x6E,0x00,0x61,0x00,0xC7,0x45,0xA8,0x6E,0x00,0x53,0x00,0xC7,0x45,0xAC,0x61,0x00,0x6E,0x00,0xC7,0x45,0xB0,0x64,0x00,0x62,0x00,0xC7,0x45,0xB4,0x6F,0x00,0x78,0x00,0xC7,0x45,0xB8,0x2E,0x00,0x65,0x00,0xC7,0x45,0xBC,0x78,0x00,0x65,0x00,0xC7,0x45,0x80,0x42,0x00,0x45,0x00,0xC7,0x45,0x84,0x53,0x00,0x65,0x00,0xC7,0x45,0x88,0x72,0x00,0x76,0x00,0xC7,0x45,0x8C,0x69,0x00,0x63,0x00,0xC7,0x45,0x90,0x65,0x00,0x2E,0x00,0xC7,0x45,0x94,0x65,0x00,0x78,0x00,0xC7,0x45,0x98,0x65,0x00,0x00,0x00,0xFF,0xD0,0x48,0x8D,0x55,0xA0,0x49,0xBF,0xEF,0xCD,0xAB,0x91,0x78,0x56,0x34,0x12,0x48,0x8D,0x4D,0xD0,0x41,0xFF,0xD7,0x48,0x85,0xC0,0x74,0x11,0x48,0x8D,0x4C,0x24,0x40,0x48,0xB8,0x37,0x13,0xAB,0x91,0x78,0x56,0x34,0x12,0xFF,0xD0,0x48,0x8D,0x55,0x80,0x48,0x8D,0x4D,0xD0,0x41,0xFF,0xD7,0x48,0x8B,0xCB,0x48,0x85,0xC0,0x74,0x14,0x48,0x8D,0x54,0x24,0x40,0x41,0xFF,0xD7,0x48,0x85,0xC0,0x48,0x8D,0x4C,0x24,0x60,0x48,0x0F,0x44,0xCB,0x48,0x8B,0x85,0x40,0x02,0x00,0x00,0x4C,0x8B,0xCF,0x48,0x89,0x44,0x24,0x30,0x44,0x8B,0xC6,0x8B,0x85,0x38,0x02,0x00,0x00,0x41,0x8B,0xD6,0x89,0x44,0x24,0x28,0x8B,0x85,0x30,0x02,0x00,0x00,0x89,0x44,0x24,0x20,0x48,0xB8,0x78,0x56,0x34,0x12,0x78,0x56,0x34,0x12,0xFF,0xD0,0x4C,0x8D,0x9C,0x24,0xE0,0x02,0x00,0x00,0x49,0x8B,0x5B,0x30,0x49,0x8B,0x73,0x38,0x49,0x8B,0x7B,0x40,0x49,0x8B,0xE3,0x41,0x5F,0x41,0x5E,0x41,0x5D,0x41,0x5C,0x5D,0xC3,0xCC, 
11 | };


--------------------------------------------------------------------------------
/CowInject/helper.cpp:
--------------------------------------------------------------------------------
  1 | #include "head.h"
  2 | /*
  3 | 	from google
  4 | */
  5 | ULONG_PTR GetProcAddressR(ULONG_PTR hModule, const char* lpProcName, BOOL x64Module)
  6 | {
  7 | 	UINT_PTR uiLibraryAddress = 0;
  8 | 	ULONG_PTR fpResult = NULL;
  9 | 	if (hModule == NULL)
 10 | 		return NULL;
 11 | 	// a module handle is really its base address
 12 | 	uiLibraryAddress = (UINT_PTR)hModule;
 13 | 	__try
 14 | 	{
 15 | 		UINT_PTR uiAddressArray = 0;
 16 | 		UINT_PTR uiNameArray = 0;
 17 | 		UINT_PTR uiNameOrdinals = 0;
 18 | 		PIMAGE_NT_HEADERS32 pNtHeaders32 = NULL;
 19 | 		PIMAGE_NT_HEADERS64 pNtHeaders64 = NULL;
 20 | 		PIMAGE_DATA_DIRECTORY pDataDirectory = NULL;
 21 | 		PIMAGE_EXPORT_DIRECTORY pExportDirectory = NULL;
 22 | 
 23 | 		// get the VA of the modules NT Header
 24 | 		pNtHeaders32 = (PIMAGE_NT_HEADERS32)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew);
 25 | 		pNtHeaders64 = (PIMAGE_NT_HEADERS64)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew);
 26 | 		if (x64Module)
 27 | 		{
 28 | 			pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
 29 | 		}
 30 | 		else
 31 | 		{
 32 | 			pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
 33 | 		}
 34 | 
 35 | 
 36 | 		// get the VA of the export directory
 37 | 		pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(uiLibraryAddress + pDataDirectory->VirtualAddress);
 38 | 
 39 | 		// get the VA for the array of addresses
 40 | 		uiAddressArray = (uiLibraryAddress + pExportDirectory->AddressOfFunctions);
 41 | 
 42 | 		// get the VA for the array of name pointers
 43 | 		uiNameArray = (uiLibraryAddress + pExportDirectory->AddressOfNames);
 44 | 
 45 | 		// get the VA for the array of name ordinals
 46 | 		uiNameOrdinals = (uiLibraryAddress + pExportDirectory->AddressOfNameOrdinals);
 47 | 
 48 | 		// test if we are importing by name or by ordinal...
 49 | 		if ((PtrToUlong(lpProcName) & 0xFFFF0000) == 0x00000000)
 50 | 		{
 51 | 			// import by ordinal...
 52 | 
 53 | 			// use the import ordinal (- export ordinal base) as an index into the array of addresses
 54 | 			uiAddressArray += ((IMAGE_ORDINAL(PtrToUlong(lpProcName)) - pExportDirectory->Base) * sizeof(unsigned long));
 55 | 
 56 | 			// resolve the address for this imported function
 57 | 			fpResult = (ULONG_PTR)(uiLibraryAddress + DEREF_32(uiAddressArray));
 58 | 		}
 59 | 		else
 60 | 		{
 61 | 			// import by name...
 62 | 			unsigned long dwCounter = pExportDirectory->NumberOfNames;
 63 | 			while (dwCounter--)
 64 | 			{
 65 | 				char* cpExportedFunctionName = (char*)(uiLibraryAddress + DEREF_32(uiNameArray));
 66 | 
 67 | 				// test if we have a match...
 68 | 				if (strcmp(cpExportedFunctionName, lpProcName) == 0)
 69 | 				{
 70 | 					// use the functions name ordinal as an index into the array of name pointers
 71 | 					uiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(unsigned long));
 72 | 
 73 | 					// calculate the virtual address for the function
 74 | 					fpResult = (ULONG_PTR)(uiLibraryAddress + DEREF_32(uiAddressArray));
 75 | 
 76 | 					// finish...
 77 | 					break;
 78 | 				}
 79 | 
 80 | 				// get the next exported function name
 81 | 				uiNameArray += sizeof(unsigned long);
 82 | 
 83 | 				// get the next exported function name ordinal
 84 | 				uiNameOrdinals += sizeof(unsigned short);
 85 | 			}
 86 | 		}
 87 | 	}
 88 | 	__except (EXCEPTION_EXECUTE_HANDLER)
 89 | 	{
 90 | 		fpResult = NULL;
 91 | 	}
 92 | 	return fpResult;
 93 | }
 94 | /*
 95 | 	from blackbone
 96 | */
 97 | LONG BlackBoneSafeSearchString(IN PUNICODE_STRING source, IN PUNICODE_STRING target, IN BOOLEAN CaseInSensitive)
 98 | {
 99 | 	ASSERT(source != NULL && target != NULL);
100 | 	if (source == NULL || target == NULL || source->Buffer == NULL || target->Buffer == NULL)
101 | 		return STATUS_INVALID_PARAMETER;
102 | 
103 | 	// Size mismatch
104 | 	if (source->Length < target->Length)
105 | 		return -1;
106 | 
107 | 	USHORT diff = source->Length - target->Length;
108 | 	for (USHORT i = 0; i <= (diff / sizeof(WCHAR)); i++)
109 | 	{
110 | 		if (RtlCompareUnicodeStrings(
111 | 			source->Buffer + i,
112 | 			target->Length / sizeof(WCHAR),
113 | 			target->Buffer,
114 | 			target->Length / sizeof(WCHAR),
115 | 			CaseInSensitive
116 | 		) == 0)
117 | 		{
118 | 			return i;
119 | 		}
120 | 	}
121 | 
122 | 	return -1;
123 | }
124 | /*
125 | 	from  windows explorer
126 | */
127 | bool _memcpy(PVOID address, PVOID target_address, ULONG length)
128 | {
129 | 	bool result = false;
130 | 	PHYSICAL_ADDRESS physicial_address;
131 | 	physicial_address = MmGetPhysicalAddress(address);
132 | 	if (physicial_address.QuadPart)
133 | 	{
134 | 		PVOID maped_mem = MmMapIoSpace(physicial_address, length, MmNonCached);
135 | 		if (maped_mem)
136 | 		{
137 | 			memcpy(maped_mem, target_address, length);
138 | 			MmUnmapIoSpace(maped_mem, length);
139 | 			result = true;
140 | 		}
141 | 	}
142 | 	return result;
143 | }


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
  5 | 
  6 | # User-specific files
  7 | *.rsuser
  8 | *.suo
  9 | *.user
 10 | *.userosscache
 11 | *.sln.docstates
 12 | 
 13 | # User-specific files (MonoDevelop/Xamarin Studio)
 14 | *.userprefs
 15 | 
 16 | # Build results
 17 | [Dd]ebug/
 18 | [Dd]ebugPublic/
 19 | [Rr]elease/
 20 | [Rr]eleases/
 21 | x64/
 22 | x86/
 23 | [Aa][Rr][Mm]/
 24 | [Aa][Rr][Mm]64/
 25 | bld/
 26 | [Bb]in/
 27 | [Oo]bj/
 28 | [Ll]og/
 29 | 
 30 | # Visual Studio 2015/2017 cache/options directory
 31 | .vs/
 32 | # Uncomment if you have tasks that create the project's static files in wwwroot
 33 | #wwwroot/
 34 | 
 35 | # Visual Studio 2017 auto generated files
 36 | Generated\ Files/
 37 | 
 38 | # MSTest test Results
 39 | [Tt]est[Rr]esult*/
 40 | [Bb]uild[Ll]og.*
 41 | 
 42 | # NUNIT
 43 | *.VisualState.xml
 44 | TestResult.xml
 45 | 
 46 | # Build Results of an ATL Project
 47 | [Dd]ebugPS/
 48 | [Rr]eleasePS/
 49 | dlldata.c
 50 | 
 51 | # Benchmark Results
 52 | BenchmarkDotNet.Artifacts/
 53 | 
 54 | # .NET Core
 55 | project.lock.json
 56 | project.fragment.lock.json
 57 | artifacts/
 58 | 
 59 | # StyleCop
 60 | StyleCopReport.xml
 61 | 
 62 | # Files built by Visual Studio
 63 | *_i.c
 64 | *_p.c
 65 | *_h.h
 66 | *.ilk
 67 | *.meta
 68 | *.obj
 69 | *.iobj
 70 | *.pch
 71 | *.pdb
 72 | *.ipdb
 73 | *.pgc
 74 | *.pgd
 75 | *.rsp
 76 | *.sbr
 77 | *.tlb
 78 | *.tli
 79 | *.tlh
 80 | *.tmp
 81 | *.tmp_proj
 82 | *_wpftmp.csproj
 83 | *.log
 84 | *.vspscc
 85 | *.vssscc
 86 | .builds
 87 | *.pidb
 88 | *.svclog
 89 | *.scc
 90 | 
 91 | # Chutzpah Test files
 92 | _Chutzpah*
 93 | 
 94 | # Visual C++ cache files
 95 | ipch/
 96 | *.aps
 97 | *.ncb
 98 | *.opendb
 99 | *.opensdf
100 | *.sdf
101 | *.cachefile
102 | *.VC.db
103 | *.VC.VC.opendb
104 | 
105 | # Visual Studio profiler
106 | *.psess
107 | *.vsp
108 | *.vspx
109 | *.sap
110 | 
111 | # Visual Studio Trace Files
112 | *.e2e
113 | 
114 | # TFS 2012 Local Workspace
115 | $tf/
116 | 
117 | # Guidance Automation Toolkit
118 | *.gpState
119 | 
120 | # ReSharper is a .NET coding add-in
121 | _ReSharper*/
122 | *.[Rr]e[Ss]harper
123 | *.DotSettings.user
124 | 
125 | # JustCode is a .NET coding add-in
126 | .JustCode
127 | 
128 | # TeamCity is a build add-in
129 | _TeamCity*
130 | 
131 | # DotCover is a Code Coverage Tool
132 | *.dotCover
133 | 
134 | # AxoCover is a Code Coverage Tool
135 | .axoCover/*
136 | !.axoCover/settings.json
137 | 
138 | # Visual Studio code coverage results
139 | *.coverage
140 | *.coveragexml
141 | 
142 | # NCrunch
143 | _NCrunch_*
144 | .*crunch*.local.xml
145 | nCrunchTemp_*
146 | 
147 | # MightyMoose
148 | *.mm.*
149 | AutoTest.Net/
150 | 
151 | # Web workbench (sass)
152 | .sass-cache/
153 | 
154 | # Installshield output folder
155 | [Ee]xpress/
156 | 
157 | # DocProject is a documentation generator add-in
158 | DocProject/buildhelp/
159 | DocProject/Help/*.HxT
160 | DocProject/Help/*.HxC
161 | DocProject/Help/*.hhc
162 | DocProject/Help/*.hhk
163 | DocProject/Help/*.hhp
164 | DocProject/Help/Html2
165 | DocProject/Help/html
166 | 
167 | # Click-Once directory
168 | publish/
169 | 
170 | # Publish Web Output
171 | *.[Pp]ublish.xml
172 | *.azurePubxml
173 | # Note: Comment the next line if you want to checkin your web deploy settings,
174 | # but database connection strings (with potential passwords) will be unencrypted
175 | *.pubxml
176 | *.publishproj
177 | 
178 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
179 | # checkin your Azure Web App publish settings, but sensitive information contained
180 | # in these scripts will be unencrypted
181 | PublishScripts/
182 | 
183 | # NuGet Packages
184 | *.nupkg
185 | # The packages folder can be ignored because of Package Restore
186 | **/[Pp]ackages/*
187 | # except build/, which is used as an MSBuild target.
188 | !**/[Pp]ackages/build/
189 | # Uncomment if necessary however generally it will be regenerated when needed
190 | #!**/[Pp]ackages/repositories.config
191 | # NuGet v3's project.json files produces more ignorable files
192 | *.nuget.props
193 | *.nuget.targets
194 | 
195 | # Microsoft Azure Build Output
196 | csx/
197 | *.build.csdef
198 | 
199 | # Microsoft Azure Emulator
200 | ecf/
201 | rcf/
202 | 
203 | # Windows Store app package directories and files
204 | AppPackages/
205 | BundleArtifacts/
206 | Package.StoreAssociation.xml
207 | _pkginfo.txt
208 | *.appx
209 | 
210 | # Visual Studio cache files
211 | # files ending in .cache can be ignored
212 | *.[Cc]ache
213 | # but keep track of directories ending in .cache
214 | !?*.[Cc]ache/
215 | 
216 | # Others
217 | ClientBin/
218 | ~$*
219 | *~
220 | *.dbmdl
221 | *.dbproj.schemaview
222 | *.jfm
223 | *.pfx
224 | *.publishsettings
225 | orleans.codegen.cs
226 | 
227 | # Including strong name files can present a security risk
228 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
229 | #*.snk
230 | 
231 | # Since there are multiple workflows, uncomment next line to ignore bower_components
232 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
233 | #bower_components/
234 | 
235 | # RIA/Silverlight projects
236 | Generated_Code/
237 | 
238 | # Backup & report files from converting an old project file
239 | # to a newer Visual Studio version. Backup files are not needed,
240 | # because we have git ;-)
241 | _UpgradeReport_Files/
242 | Backup*/
243 | UpgradeLog*.XML
244 | UpgradeLog*.htm
245 | ServiceFabricBackup/
246 | *.rptproj.bak
247 | 
248 | # SQL Server files
249 | *.mdf
250 | *.ldf
251 | *.ndf
252 | 
253 | # Business Intelligence projects
254 | *.rdl.data
255 | *.bim.layout
256 | *.bim_*.settings
257 | *.rptproj.rsuser
258 | *- Backup*.rdl
259 | 
260 | # Microsoft Fakes
261 | FakesAssemblies/
262 | 
263 | # GhostDoc plugin setting file
264 | *.GhostDoc.xml
265 | 
266 | # Node.js Tools for Visual Studio
267 | .ntvs_analysis.dat
268 | node_modules/
269 | 
270 | # Visual Studio 6 build log
271 | *.plg
272 | 
273 | # Visual Studio 6 workspace options file
274 | *.opt
275 | 
276 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
277 | *.vbw
278 | 
279 | # Visual Studio LightSwitch build output
280 | **/*.HTMLClient/GeneratedArtifacts
281 | **/*.DesktopClient/GeneratedArtifacts
282 | **/*.DesktopClient/ModelManifest.xml
283 | **/*.Server/GeneratedArtifacts
284 | **/*.Server/ModelManifest.xml
285 | _Pvt_Extensions
286 | 
287 | # Paket dependency manager
288 | .paket/paket.exe
289 | paket-files/
290 | 
291 | # FAKE - F# Make
292 | .fake/
293 | 
294 | # JetBrains Rider
295 | .idea/
296 | *.sln.iml
297 | 
298 | # CodeRush personal settings
299 | .cr/personal
300 | 
301 | # Python Tools for Visual Studio (PTVS)
302 | __pycache__/
303 | *.pyc
304 | 
305 | # Cake - Uncomment if you are using it
306 | # tools/**
307 | # !tools/packages.config
308 | 
309 | # Tabs Studio
310 | *.tss
311 | 
312 | # Telerik's JustMock configuration file
313 | *.jmconfig
314 | 
315 | # BizTalk build output
316 | *.btp.cs
317 | *.btm.cs
318 | *.odx.cs
319 | *.xsd.cs
320 | 
321 | # OpenCover UI analysis results
322 | OpenCover/
323 | 
324 | # Azure Stream Analytics local run output
325 | ASALocalRun/
326 | 
327 | # MSBuild Binary and Structured Log
328 | *.binlog
329 | 
330 | # NVidia Nsight GPU debugger configuration file
331 | *.nvuser
332 | 
333 | # MFractors (Xamarin productivity tool) working folder
334 | .mfractor/
335 | 
336 | # Local History for Visual Studio
337 | .localhistory/
338 | 
339 | # BeatPulse healthcheck temp database
340 | healthchecksdb


--------------------------------------------------------------------------------
/CowInject/CowInject.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Debug|ARM">
 21 |       <Configuration>Debug</Configuration>
 22 |       <Platform>ARM</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|ARM">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>ARM</Platform>
 27 |     </ProjectConfiguration>
 28 |     <ProjectConfiguration Include="Debug|ARM64">
 29 |       <Configuration>Debug</Configuration>
 30 |       <Platform>ARM64</Platform>
 31 |     </ProjectConfiguration>
 32 |     <ProjectConfiguration Include="Release|ARM64">
 33 |       <Configuration>Release</Configuration>
 34 |       <Platform>ARM64</Platform>
 35 |     </ProjectConfiguration>
 36 |   </ItemGroup>
 37 |   <PropertyGroup Label="Globals">
 38 |     <ProjectGuid>{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}</ProjectGuid>
 39 |     <TemplateGuid>{dd38f7fc-d7bd-488b-9242-7d8754cde80d}</TemplateGuid>
 40 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
 41 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
 42 |     <Configuration>Debug</Configuration>
 43 |     <Platform Condition="'$(Platform)' == ''">Win32</Platform>
 44 |     <RootNamespace>CowInject</RootNamespace>
 45 |   </PropertyGroup>
 46 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 47 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 48 |     <TargetVersion>Windows10</TargetVersion>
 49 |     <UseDebugLibraries>true</UseDebugLibraries>
 50 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 51 |     <ConfigurationType>Driver</ConfigurationType>
 52 |     <DriverType>WDM</DriverType>
 53 |   </PropertyGroup>
 54 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 55 |     <TargetVersion>Windows10</TargetVersion>
 56 |     <UseDebugLibraries>false</UseDebugLibraries>
 57 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 58 |     <ConfigurationType>Driver</ConfigurationType>
 59 |     <DriverType>WDM</DriverType>
 60 |   </PropertyGroup>
 61 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 62 |     <TargetVersion>Windows10</TargetVersion>
 63 |     <UseDebugLibraries>true</UseDebugLibraries>
 64 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 65 |     <ConfigurationType>Driver</ConfigurationType>
 66 |     <DriverType>WDM</DriverType>
 67 |   </PropertyGroup>
 68 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 69 |     <TargetVersion>Windows7</TargetVersion>
 70 |     <UseDebugLibraries>false</UseDebugLibraries>
 71 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 72 |     <ConfigurationType>Driver</ConfigurationType>
 73 |     <DriverType>WDM</DriverType>
 74 |     <SpectreMitigation>false</SpectreMitigation>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
 77 |     <TargetVersion>Windows10</TargetVersion>
 78 |     <UseDebugLibraries>true</UseDebugLibraries>
 79 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 80 |     <ConfigurationType>Driver</ConfigurationType>
 81 |     <DriverType>WDM</DriverType>
 82 |   </PropertyGroup>
 83 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
 84 |     <TargetVersion>Windows10</TargetVersion>
 85 |     <UseDebugLibraries>false</UseDebugLibraries>
 86 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 87 |     <ConfigurationType>Driver</ConfigurationType>
 88 |     <DriverType>WDM</DriverType>
 89 |   </PropertyGroup>
 90 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
 91 |     <TargetVersion>Windows10</TargetVersion>
 92 |     <UseDebugLibraries>true</UseDebugLibraries>
 93 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 94 |     <ConfigurationType>Driver</ConfigurationType>
 95 |     <DriverType>WDM</DriverType>
 96 |   </PropertyGroup>
 97 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
 98 |     <TargetVersion>Windows10</TargetVersion>
 99 |     <UseDebugLibraries>false</UseDebugLibraries>
100 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
101 |     <ConfigurationType>Driver</ConfigurationType>
102 |     <DriverType>WDM</DriverType>
103 |   </PropertyGroup>
104 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
105 |   <ImportGroup Label="ExtensionSettings">
106 |   </ImportGroup>
107 |   <ImportGroup Label="PropertySheets">
108 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
109 |   </ImportGroup>
110 |   <PropertyGroup Label="UserMacros" />
111 |   <PropertyGroup />
112 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
113 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
114 |   </PropertyGroup>
115 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
116 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
117 |   </PropertyGroup>
118 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
119 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
120 |   </PropertyGroup>
121 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
122 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
123 |     <EnableInf2cat>false</EnableInf2cat>
124 |   </PropertyGroup>
125 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
126 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
127 |   </PropertyGroup>
128 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
129 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
130 |   </PropertyGroup>
131 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
132 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
133 |   </PropertyGroup>
134 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
135 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
136 |   </PropertyGroup>
137 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
138 |     <ClCompile>
139 |       <TreatWarningAsError>false</TreatWarningAsError>
140 |       <BufferSecurityCheck>false</BufferSecurityCheck>
141 |       <Optimization>MinSpace</Optimization>
142 |       <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
143 |       <IntrinsicFunctions>true</IntrinsicFunctions>
144 |       <WholeProgramOptimization>false</WholeProgramOptimization>
145 |     </ClCompile>
146 |   </ItemDefinitionGroup>
147 |   <ItemGroup>
148 |     <Inf Include="CowInject.inf" />
149 |   </ItemGroup>
150 |   <ItemGroup>
151 |     <FilesToPackage Include="$(TargetPath)" />
152 |   </ItemGroup>
153 |   <ItemGroup>
154 |     <ClCompile Include="helper.cpp" />
155 |     <ClCompile Include="main.cpp" />
156 |     <ClCompile Include="shell_code_end.cpp" />
157 |     <ClCompile Include="shell_code_start.cpp" />
158 |   </ItemGroup>
159 |   <ItemGroup>
160 |     <ClInclude Include="head.h" />
161 |     <ClInclude Include="main.h" />
162 |   </ItemGroup>
163 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
164 |   <ImportGroup Label="ExtensionTargets">
165 |   </ImportGroup>
166 | </Project>


--------------------------------------------------------------------------------
/CowInject/head.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include <ntifs.h>
  3 | #include <ntstrsafe.h>
  4 | #include <ntimage.h>
  5 | #include <WinDef.h>
  6 | #include <intrin.h>
  7 | #define DebugPrintA(...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,__VA_ARGS__)
  8 | #define HUOJI_POOL_TAG 'huoJ'
  9 | #define CALCSIZE(n,f) (ULONG_PTR)f - (ULONG_PTR)n 
 10 | #define PAGE_ALIGN(Va) ((PVOID)((ULONG_PTR)(Va) & ~(PAGE_SIZE - 1)))
 11 | #define DEREF( name )*(UINT_PTR *)(name)
 12 | #define DEREF_64( name )*(unsigned __int64 *)(name)
 13 | #define DEREF_32( name )*(unsigned long *)(name)
 14 | #define DEREF_16( name )*(unsigned short *)(name)
 15 | #define DEREF_8( name )*(UCHAR *)(name)
 16 | typedef HMODULE(WINAPI* LOADLIBRARYA)(LPCSTR);
 17 | typedef FARPROC(WINAPI* GETPROCADDRESS)(HMODULE, LPCSTR);
 18 | typedef LPVOID(WINAPI* VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);
 19 | typedef DWORD(NTAPI* NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);
 20 | 
 21 | typedef BOOL(WINAPI* ReadFileT)(HANDLE, LPVOID, DWORD, LPDWORD, PVOID);
 22 | typedef DWORD(WINAPI* GetFileSizeT)(HANDLE, LPDWORD);
 23 | typedef BOOL(WINAPI* CloseHandleT)(HANDLE);
 24 | 
 25 | #define KERNEL32DLL_HASH				0x6A4ABC5B
 26 | #define NTDLLDLL_HASH					0x3CFA685D
 27 | #define LOADLIBRARYA_HASH				0xEC0E4E8E
 28 | #define GETPROCADDRESS_HASH				0x7C0DFCAA
 29 | #define VIRTUALALLOC_HASH				0x91AFCA54
 30 | #define NTFLUSHINSTRUCTIONCACHE_HASH	0x534C0AB8
 31 | #define HASH_KEY						13
 32 | #define DLL_PROCESS_ATTACH				1    
 33 | #define DLL_THREAD_ATTACH				2    
 34 | #define DLL_THREAD_DETACH				3    
 35 | #define DLL_PROCESS_DETACH				0    
 36 | 
 37 | typedef enum _SYSTEM_INFORMATION_CLASS
 38 | {
 39 | 	SystemBasicInformation,                 // 0x00 SYSTEM_BASIC_INFORMATION
 40 | 	SystemProcessorInformation,             // 0x01 SYSTEM_PROCESSOR_INFORMATION
 41 | 	SystemPerformanceInformation,           // 0x02
 42 | 	SystemTimeOfDayInformation,             // 0x03
 43 | 	SystemPathInformation,                  // 0x04
 44 | 	SystemProcessInformation,               // 0x05
 45 | 	SystemCallCountInformation,             // 0x06
 46 | 	SystemDeviceInformation,                // 0x07
 47 | 	SystemProcessorPerformanceInformation,  // 0x08
 48 | 	SystemFlagsInformation,                 // 0x09
 49 | 	SystemCallTimeInformation,              // 0x0A
 50 | 	SystemModuleInformation,                // 0x0B SYSTEM_MODULE_INFORMATION
 51 | 	SystemLocksInformation,                 // 0x0C
 52 | 	SystemStackTraceInformation,            // 0x0D
 53 | 	SystemPagedPoolInformation,             // 0x0E
 54 | 	SystemNonPagedPoolInformation,          // 0x0F
 55 | 	SystemHandleInformation,                // 0x10
 56 | 	SystemObjectInformation,                // 0x11
 57 | 	SystemPageFileInformation,              // 0x12
 58 | 	SystemVdmInstemulInformation,           // 0x13
 59 | 	SystemVdmBopInformation,                // 0x14
 60 | 	SystemFileCacheInformation,             // 0x15
 61 | 	SystemPoolTagInformation,               // 0x16
 62 | 	SystemInterruptInformation,             // 0x17
 63 | 	SystemDpcBehaviorInformation,           // 0x18
 64 | 	SystemFullMemoryInformation,            // 0x19
 65 | 	SystemLoadGdiDriverInformation,         // 0x1A
 66 | 	SystemUnloadGdiDriverInformation,       // 0x1B
 67 | 	SystemTimeAdjustmentInformation,        // 0x1C
 68 | 	SystemSummaryMemoryInformation,         // 0x1D
 69 | 	SystemNextEventIdInformation,           // 0x1E
 70 | 	SystemEventIdsInformation,              // 0x1F
 71 | 	SystemCrashDumpInformation,             // 0x20
 72 | 	SystemExceptionInformation,             // 0x21
 73 | 	SystemCrashDumpStateInformation,        // 0x22
 74 | 	SystemKernelDebuggerInformation,        // 0x23
 75 | 	SystemContextSwitchInformation,         // 0x24
 76 | 	SystemRegistryQuotaInformation,         // 0x25
 77 | 	SystemExtendServiceTableInformation,    // 0x26
 78 | 	SystemPrioritySeperation,               // 0x27
 79 | 	SystemPlugPlayBusInformation,           // 0x28
 80 | 	SystemDockInformation,                  // 0x29
 81 | 	//SystemPowerInformation,               // 0x2A
 82 | 	//SystemProcessorSpeedInformation,      // 0x2B
 83 | 	//SystemCurrentTimeZoneInformation,     // 0x2C
 84 | 	//SystemLookasideInformation            // 0x2D
 85 | 
 86 | } SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;
 87 | 
 88 | typedef BOOL(WINAPI* DLLMAIN)(HINSTANCE, DWORD, LPVOID);
 89 | typedef struct _LDR_DATA_TABLE_ENTRY {
 90 | 	LIST_ENTRY InLoadOrderLinks;
 91 | 	LIST_ENTRY InMemoryOrderLinks;
 92 | 	LIST_ENTRY InInitializationOrderLinks;
 93 | 	PVOID DllBase;
 94 | 	PVOID EntryPoint;
 95 | 	ULONG SizeOfImages;
 96 | 	UNICODE_STRING FullDllName;
 97 | 	UNICODE_STRING BaseDllName;
 98 | 	ULONG Flags;
 99 | 	USHORT LoadCount;
100 | 	USHORT TlsIndex;
101 | 	union {
102 | 		LIST_ENTRY HashLinks;
103 | 		struct {
104 | 			PVOID SectionPointer;
105 | 			ULONG CheckSum;
106 | 		};
107 | 	};
108 | 	union {
109 | 		struct {
110 | 			ULONG TimeDateStamp;
111 | 		};
112 | 		struct {
113 | 			PVOID LoadedImports;
114 | 		};
115 | 	};
116 | }LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
117 | 
118 | typedef struct
119 | {
120 | 	WORD	offset : 12;
121 | 	WORD	type : 4;
122 | } IMAGE_RELOC, * PIMAGE_RELOC;
123 | typedef struct _NT_PROC_THREAD_ATTRIBUTE_ENTRY
124 | {
125 | 	ULONG Attribute;    // PROC_THREAD_ATTRIBUTE_XXX
126 | 	SIZE_T Size;
127 | 	ULONG_PTR Value;
128 | 	ULONG Unknown;
129 | } NT_PROC_THREAD_ATTRIBUTE_ENTRY, * NT_PPROC_THREAD_ATTRIBUTE_ENTRY;
130 | typedef struct _NT_PROC_THREAD_ATTRIBUTE_LIST
131 | {
132 | 	ULONG Length;
133 | 	NT_PROC_THREAD_ATTRIBUTE_ENTRY Entry[1];
134 | } NT_PROC_THREAD_ATTRIBUTE_LIST, * PNT_PROC_THREAD_ATTRIBUTE_LIST;
135 | 
136 | typedef struct _SECURITY_ATTRIBUTES {
137 | 	DWORD nLength;
138 | 	LPVOID lpSecurityDescriptor;
139 | 	BOOL bInheritHandle;
140 | } SECURITY_ATTRIBUTES, * PSECURITY_ATTRIBUTES, * LPSECURITY_ATTRIBUTES;
141 | typedef HANDLE(WINAPI* CreateFileWT)(
142 | 	_In_ LPCWSTR lpFileName,
143 | 	_In_ DWORD dwDesiredAccess,
144 | 	_In_ DWORD dwShareMode,
145 | 	_In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
146 | 	_In_ DWORD dwCreationDisposition,
147 | 	_In_ DWORD dwFlagsAndAttributes,
148 | 	_In_opt_ HANDLE hTemplateFile
149 | 	);
150 | typedef DWORD(WINAPI* GetModuleFileNameWT)(HMODULE hModule, LPCWSTR lpFilename, DWORD nSize);
151 | typedef wchar_t* (WINAPI* wcsstrAt)(wchar_t const* _String1, wchar_t const* _String);
152 | typedef HMODULE(WINAPI* LoadLibraryWT)(_In_ LPCWSTR lpLibFileName);
153 | #ifdef __cplusplus  
154 | extern "C"
155 | {
156 | #endif  
157 | #include <NTDDK.h>  
158 |     NTSYSAPI
159 |         NTSTATUS
160 |         NTAPI
161 |         ZwQuerySystemInformation(
162 |             IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
163 |             OUT PVOID SystemInformation,
164 |             IN ULONG SystemInformationLength,
165 |             OUT PULONG ReturnLength OPTIONAL
166 |         );
167 | 	NTKERNELAPI
168 | 		NTSTATUS
169 | 		ObReferenceObjectByName(
170 | 			IN PUNICODE_STRING ObjectName,
171 | 			IN ULONG Attributes,
172 | 			IN PACCESS_STATE PassedAccessState,
173 | 			IN ACCESS_MASK DesiredAccess,
174 | 			IN POBJECT_TYPE ObjectType,
175 | 			IN KPROCESSOR_MODE AccessMode,
176 | 			IN OUT PVOID ParseContext,
177 | 			OUT PVOID* Object
178 | 		);
179 | 	extern POBJECT_TYPE* IoDriverObjectType;
180 | 
181 | 	ULONG
182 | 		NTAPI
183 | 		KeCapturePersistentThreadState(
184 | 			IN PCONTEXT Context,
185 | 			IN PKTHREAD Thread,
186 | 			IN ULONG BugCheckCode,
187 | 			IN ULONG BugCheckParameter1,
188 | 			IN ULONG BugCheckParameter2,
189 | 			IN ULONG BugCheckParameter3,
190 | 			IN ULONG BugCheckParameter4,
191 | 			OUT PVOID VirtualAddress
192 | 		);
193 | 	NTSYSAPI
194 | 		PVOID
195 | 		NTAPI
196 | 		RtlImageDirectoryEntryToData(
197 | 			PVOID ImageBase,
198 | 			BOOLEAN MappedAsImage,
199 | 			USHORT DirectoryEntry,
200 | 			PULONG Size
201 | 		);
202 | 	NTKERNELAPI
203 | 		PPEB
204 | 		NTAPI
205 | 		PsGetProcessPeb(IN PEPROCESS Process);
206 | 	NTKERNELAPI PVOID NTAPI PsGetProcessWow64Process(IN PEPROCESS Process);
207 | 	NTSYSAPI
208 | 		NTSTATUS
209 | 		NTAPI
210 | 		ZwProtectVirtualMemory(
211 | 			IN HANDLE ProcessHandle,
212 | 			IN OUT PVOID* BaseAddress,
213 | 			IN OUT SIZE_T* NumberOfBytesToProtect,
214 | 			IN ULONG NewAccessProtection,
215 | 			OUT PULONG OldAccessProtection
216 | 		);
217 | 
218 | 	NTSYSAPI
219 | 		NTSTATUS
220 | 		NTAPI
221 | 		ZwQueryInformationThread(
222 | 			IN HANDLE ThreadHandle,
223 | 			IN THREADINFOCLASS ThreadInformationClass,
224 | 			OUT PVOID ThreadInformation,
225 | 			IN ULONG ThreadInformationLength,
226 | 			OUT PULONG ReturnLength OPTIONAL
227 | 		);
228 | 
229 | 
230 | #ifdef __cplusplus  
231 | }
232 | #endif


--------------------------------------------------------------------------------
/CowInject/main.cpp:
--------------------------------------------------------------------------------
  1 | #include "head.h"
  2 | #include "main.h"
  3 | struct moudle_info
  4 | {
  5 | 	uintptr_t bsae;
  6 | 	uintptr_t size;
  7 | };
  8 | bool get_moudle_base(PEPROCESS process, moudle_info* kernel32, moudle_info* ntdll, moudle_info* kernelbase) {
  9 | 	PPEB peb = PsGetProcessPeb(process);
 10 | 	bool result = false;
 11 | 	if (peb == NULL)
 12 | 		return result;
 13 | 	DebugPrintA("process peb: %p \n", peb);
 14 | 	//PEB + 0x18 = PEB.Ldr
 15 | 	auto peb_ldr = *(PDWORD64)((PUCHAR)peb + 0x18);
 16 | 	//Pebldr + 0x10 = InLoadOrderModuleList
 17 | 	PLIST_ENTRY module_list_head = (PLIST_ENTRY)((PUCHAR)peb_ldr + 0x10);
 18 | 	PLIST_ENTRY moudle = module_list_head->Flink;
 19 | 	/*
 20 | 		win7: kernel32.dll
 21 | 		win10: KERNEL32.DLL
 22 | 	*/
 23 | 	wchar_t moudle_list[][15] = {
 24 | 		{L"kernel32.dll"},
 25 | 		{L"ntdll.dll"},
 26 | 		{L"kernelbase.dll"},
 27 | 	};
 28 | 	while (module_list_head != moudle)
 29 | 	{
 30 | 		PLDR_DATA_TABLE_ENTRY info = (PLDR_DATA_TABLE_ENTRY)moudle;
 31 | 		UNICODE_STRING	str_moudle_name;
 32 | 		for (size_t i = 0; i < sizeof(moudle_list); i++)
 33 | 		{
 34 | 			RtlInitUnicodeString(&str_moudle_name, moudle_list[i]);
 35 | 			if (BlackBoneSafeSearchString(&info->BaseDllName, &str_moudle_name, true) != -1)
 36 | 			{
 37 | 				DebugPrintA("MoudleBase %p Size %p Name %wZ\n", info->DllBase, info->SizeOfImages, info->BaseDllName);
 38 | 				if (i == 0) {
 39 | 					kernel32->bsae = (uintptr_t)info->DllBase;
 40 | 					kernel32->size = (uintptr_t)info->SizeOfImages;
 41 | 				}
 42 | 				if (i == 1) {
 43 | 					ntdll->bsae = (uintptr_t)info->DllBase;
 44 | 					ntdll->size = (uintptr_t)info->SizeOfImages;
 45 | 				}
 46 | 				if (i == 2) {
 47 | 					kernelbase->bsae = (uintptr_t)info->DllBase;
 48 | 					kernelbase->size = (uintptr_t)info->SizeOfImages;
 49 | 				}
 50 | 				break;
 51 | 			}
 52 | 		}
 53 | 		if (kernel32->bsae && ntdll->bsae && kernelbase->bsae)
 54 | 			break;
 55 | 		moudle = moudle->Flink;
 56 | 	}
 57 | 	result = kernel32->bsae != NULL && ntdll->bsae != NULL  && kernelbase->bsae != NULL;
 58 | 	DebugPrintA("kernel32->bsae %p sizeof:%p ntdll->bsae %p kernelbase->bsae %p result: %d \n", kernel32->bsae, kernel32->size, ntdll->bsae, kernelbase->bsae, result);
 59 | 
 60 | 	return result;
 61 | }
 62 | uintptr_t get_free_speace(uintptr_t base, size_t size, size_t need_size) {
 63 | 	size_t return_length;
 64 | 	
 65 | 	for (uintptr_t address = (uintptr_t)base; address <= (uintptr_t)base + size; address += sizeof(uintptr_t)) {
 66 | 		__try
 67 | 		{
 68 | 			ProbeForRead((void*)address, need_size, 0x1);
 69 | 			if (*(uintptr_t*)address == 0x00 || *(uintptr_t*)address == 0x90)
 70 | 			{
 71 | 				MEMORY_BASIC_INFORMATION memory_information = { 0 };
 72 | 				NTSTATUS status = ZwQueryVirtualMemory(NtCurrentProcess(), (PVOID)address, (MEMORY_INFORMATION_CLASS)0, &memory_information, need_size, &return_length);
 73 | 				if (NT_SUCCESS(status)) {
 74 | 					if ((memory_information.Protect == PAGE_EXECUTE || memory_information.Protect == PAGE_EXECUTE_READ || memory_information.Protect == PAGE_EXECUTE_READWRITE || memory_information.Protect == PAGE_EXECUTE_WRITECOPY) == false) {
 75 | 						continue;
 76 | 					}
 77 | 				}
 78 | 				DebugPrintA("address : %p \n", address);
 79 | 				uintptr_t count = 0;
 80 | 				bool is_good = true;
 81 | 				uintptr_t max_count = 0;
 82 | 				for (; count < need_size && is_good; count += sizeof(uintptr_t))
 83 | 				{
 84 | 					max_count++;
 85 | 					auto check_ptr = (uintptr_t*)((PUCHAR)address + count);
 86 | 					if (*check_ptr != 0x0 && *check_ptr != 0x90)
 87 | 					{
 88 | 						is_good = false;
 89 | 						break;
 90 | 					}
 91 | 				}
 92 | 				if (is_good) {
 93 | 					DebugPrintA("location Cow virtual address : %p \n", address);
 94 | 					return address;
 95 | 				}
 96 | 			}
 97 | 		}
 98 | 		__except (EXCEPTION_EXECUTE_HANDLER)
 99 | 		{
100 | 			continue;
101 | 		}
102 | 	}
103 | 	return NULL;
104 | }
105 | 
106 | 
107 | VOID DriverUnload(PDRIVER_OBJECT driver)
108 | {
109 | 	DebugPrintA("[DebugMessage] Unload Driver");
110 | }
111 | 
112 | extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
113 | {
114 | 	DebugPrintA("init Driver \n");
115 | 	/*
116 | 		³õʼ»¯shellcode
117 | 	*/
118 | 	//uintptr_t size_of_shellcode = CALCSIZE(HkCreateFileW, ShellCodeEnd);
119 | 	uintptr_t size_of_shellcode = sizeof(HookCode);
120 | 	DebugPrintA("shell code size: %p \n", size_of_shellcode);
121 | 	/*
122 | 		get a x64 process
123 | 	*/
124 | 	for (uintptr_t i = 8; i < 100000000; i = i + 4)
125 | 	{
126 | 		PEPROCESS _eprocess = NULL;
127 | 		NTSTATUS nt_status = PsLookupProcessByProcessId((HANDLE)i, &_eprocess);
128 | 		if (NT_SUCCESS(nt_status) && _eprocess != NULL)
129 | 		{
130 | 			ObDereferenceObject(_eprocess);
131 | 			bool is_x64_process = PsGetProcessWow64Process(_eprocess) == NULL;
132 | 			if (is_x64_process) {
133 | 				KAPC_STATE apc;
134 | 				KeStackAttachProcess(_eprocess, &apc);
135 | 				moudle_info kernel32 = {0};
136 | 				moudle_info ntdll = { 0 };
137 | 				moudle_info kernelbase = { 0 };
138 | 				/*
139 | 					is x64 process, get kernel32.dll and kernelbase.dll and ntdll.dll base
140 | 				*/
141 | 				if (get_moudle_base(_eprocess, &kernel32, &ntdll, &kernelbase)) {
142 | 					uintptr_t kernel32_loadlibrary = GetProcAddressR(kernel32.bsae, "LoadLibraryW", TRUE);
143 | 					uintptr_t ntdll_wcsstr = GetProcAddressR(ntdll.bsae, "wcsstr", TRUE);
144 | 					uintptr_t kernelbase_GetModuleFileNameW = GetProcAddressR(kernelbase.bsae, "GetModuleFileNameW", TRUE);
145 | 					uintptr_t kernelbase_CreateFileW = GetProcAddressR(kernelbase.bsae, "CreateFileW", TRUE);
146 | 
147 | 					if (kernel32_loadlibrary && ntdll_wcsstr && kernelbase_GetModuleFileNameW && kernelbase_CreateFileW) {
148 | 						uintptr_t hook_function = get_free_speace(kernel32.bsae, kernel32.size, size_of_shellcode + sizeof(void*) + sizeof(CreateFileWT));
149 | 						if (hook_function) {
150 | 							/*
151 | 								Copy shellcode to freespeace
152 | 							*/
153 | 							_memcpy((PVOID)hook_function, (PVOID)HookCode, size_of_shellcode);
154 | 							/*
155 | 								hook
156 | 							*/
157 | 							BYTE _mov_rax[] = {
158 | 								0x48, 0xB8 // mov rax, [xxx]
159 | 							};
160 | 							BYTE _jmp_rax[] = {
161 | 								0xFF, 0xE0, // jmp rax
162 | 							};
163 | 							BYTE shell_code_jmp_back[] = {
164 | 								0xCC, 0xCC, //mov rax
165 | 								0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, //void*
166 | 								0xCC, 0xCC, //jmp rax
167 | 							};
168 | 							uintptr_t function_offset = kernelbase_CreateFileW;
169 | 							//backup
170 | 							_memcpy(shell_code_jmp_back, (void*)function_offset, sizeof(shell_code_jmp_back));
171 | 							/*
172 | 								hook_function -> origin_code
173 | 							*/
174 | 							function_offset = hook_function + size_of_shellcode;
175 | 							uintptr_t jmp_back = function_offset;
176 | 							_memcpy((void*)function_offset, shell_code_jmp_back, sizeof(shell_code_jmp_back));
177 | 							function_offset += sizeof(shell_code_jmp_back);
178 | 							/*
179 | 								origin_code -> jmp CreateFileW
180 | 							*/
181 | 							uintptr_t jmp_offset = kernelbase_CreateFileW + sizeof(_mov_rax) + sizeof(_jmp_rax) + sizeof(void*);
182 | 							_memcpy((void*)function_offset, _mov_rax, sizeof(_mov_rax));
183 | 							function_offset += sizeof(_mov_rax);
184 | 							_memcpy((void*)function_offset, &jmp_offset, sizeof(void*));
185 | 							function_offset += sizeof(void*);
186 | 							_memcpy((void*)function_offset, _jmp_rax, sizeof(_jmp_rax));
187 | 							/*
188 | 								location shellcode function
189 | 							*/
190 | 							for (int i = 0; i < size_of_shellcode; i++)
191 | 							{
192 | 								auto write_ptr = (uintptr_t*)((PUCHAR)hook_function + i);
193 | 								if (*write_ptr == 0x1234567812345678)
194 | 								{
195 | 									_memcpy((void*)write_ptr, (void*)&jmp_back, sizeof(uintptr_t));
196 | 									DebugPrintA("[jmp_back]Fix KernelBase.CreateFileW %p \n", jmp_back);
197 | 								}
198 | 								if (*write_ptr == 0x1234567891ABCDEF)
199 | 								{
200 | 									_memcpy((void*)write_ptr, (void*)&ntdll_wcsstr, sizeof(uintptr_t));
201 | 									DebugPrintA("Fix Ntdll.wcsstr %p \n", ntdll_wcsstr);
202 | 								}
203 | 								if (*write_ptr == 0x1337567891ABCDEF)
204 | 								{
205 | 									_memcpy((void*)write_ptr, (void*)&kernelbase_GetModuleFileNameW, sizeof(uintptr_t));
206 | 									DebugPrintA("Fix KernelBase.GetModuleFileNameW %p \n", kernelbase_GetModuleFileNameW);
207 | 								}
208 | 								if (*write_ptr == 0x1234567891AB1337)
209 | 								{
210 | 									_memcpy((void*)write_ptr, (void*)&kernel32_loadlibrary, sizeof(uintptr_t));
211 | 									DebugPrintA("Fix kernel32.loadlibrary %p \n", kernel32_loadlibrary);
212 | 								}
213 | 							}
214 | 							/*
215 | 								CreateFileW -> hook_function
216 | 							*/
217 | 							function_offset = kernelbase_CreateFileW;
218 | 							_memcpy((void*)function_offset, _mov_rax, sizeof(_mov_rax));
219 | 							function_offset += sizeof(_mov_rax);
220 | 							_memcpy((void*)function_offset, &hook_function, sizeof(void*));
221 | 							function_offset += sizeof(void*);
222 | 							_memcpy((void*)function_offset, _jmp_rax, sizeof(_jmp_rax));
223 | 							DebugPrintA("success hooked at: %p \n", hook_function);
224 | 
225 | 						} else {
226 | 							DebugPrintA("Cannot free space for shellcode \n");
227 | 						}
228 | 					}
229 | 					else {
230 | 						DebugPrintA("can not get export function\n");
231 | 					}
232 | 				}
233 | 				KeUnstackDetachProcess(&apc);
234 | 				break;
235 | 			}
236 | 		}
237 | 	}
238 | 	driver->DriverUnload = DriverUnload;
239 | 	return STATUS_UNSUCCESSFUL;
240 | }
241 | 


--------------------------------------------------------------------------------