├── .gitignore
├── DataPtrHookWin11.sln
├── DataPtrHookWin11
├── DataPtrHookWin11.vcxproj
├── DataPtrHookWin11.vcxproj.filters
├── command.h
├── main.cpp
└── main.h
├── LICENSE
├── README.md
└── Test
├── Test.cpp
├── Test.vcxproj
├── Test.vcxproj.filters
└── driver.h
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Ww][Ii][Nn]32/
27 | [Aa][Rr][Mm]/
28 | [Aa][Rr][Mm]64/
29 | bld/
30 | [Bb]in/
31 | [Oo]bj/
32 | [Ll]og/
33 | [Ll]ogs/
34 |
35 | # Visual Studio 2015/2017 cache/options directory
36 | .vs/
37 | # Uncomment if you have tasks that create the project's static files in wwwroot
38 | #wwwroot/
39 |
40 | # Visual Studio 2017 auto generated files
41 | Generated\ Files/
42 |
43 | # MSTest test Results
44 | [Tt]est[Rr]esult*/
45 | [Bb]uild[Ll]og.*
46 |
47 | # NUnit
48 | *.VisualState.xml
49 | TestResult.xml
50 | nunit-*.xml
51 |
52 | # Build Results of an ATL Project
53 | [Dd]ebugPS/
54 | [Rr]eleasePS/
55 | dlldata.c
56 |
57 | # Benchmark Results
58 | BenchmarkDotNet.Artifacts/
59 |
60 | # .NET Core
61 | project.lock.json
62 | project.fragment.lock.json
63 | artifacts/
64 |
65 | # ASP.NET Scaffolding
66 | ScaffoldingReadMe.txt
67 |
68 | # StyleCop
69 | StyleCopReport.xml
70 |
71 | # Files built by Visual Studio
72 | *_i.c
73 | *_p.c
74 | *_h.h
75 | *.ilk
76 | *.meta
77 | *.obj
78 | *.iobj
79 | *.pch
80 | *.pdb
81 | *.ipdb
82 | *.pgc
83 | *.pgd
84 | *.rsp
85 | # but not Directory.Build.rsp, as it configures directory-level build defaults
86 | !Directory.Build.rsp
87 | *.sbr
88 | *.tlb
89 | *.tli
90 | *.tlh
91 | *.tmp
92 | *.tmp_proj
93 | *_wpftmp.csproj
94 | *.log
95 | *.tlog
96 | *.vspscc
97 | *.vssscc
98 | .builds
99 | *.pidb
100 | *.svclog
101 | *.scc
102 |
103 | # Chutzpah Test files
104 | _Chutzpah*
105 |
106 | # Visual C++ cache files
107 | ipch/
108 | *.aps
109 | *.ncb
110 | *.opendb
111 | *.opensdf
112 | *.sdf
113 | *.cachefile
114 | *.VC.db
115 | *.VC.VC.opendb
116 |
117 | # Visual Studio profiler
118 | *.psess
119 | *.vsp
120 | *.vspx
121 | *.sap
122 |
123 | # Visual Studio Trace Files
124 | *.e2e
125 |
126 | # TFS 2012 Local Workspace
127 | $tf/
128 |
129 | # Guidance Automation Toolkit
130 | *.gpState
131 |
132 | # ReSharper is a .NET coding add-in
133 | _ReSharper*/
134 | *.[Rr]e[Ss]harper
135 | *.DotSettings.user
136 |
137 | # TeamCity is a build add-in
138 | _TeamCity*
139 |
140 | # DotCover is a Code Coverage Tool
141 | *.dotCover
142 |
143 | # AxoCover is a Code Coverage Tool
144 | .axoCover/*
145 | !.axoCover/settings.json
146 |
147 | # Coverlet is a free, cross platform Code Coverage Tool
148 | coverage*.json
149 | coverage*.xml
150 | coverage*.info
151 |
152 | # Visual Studio code coverage results
153 | *.coverage
154 | *.coveragexml
155 |
156 | # NCrunch
157 | _NCrunch_*
158 | .*crunch*.local.xml
159 | nCrunchTemp_*
160 |
161 | # MightyMoose
162 | *.mm.*
163 | AutoTest.Net/
164 |
165 | # Web workbench (sass)
166 | .sass-cache/
167 |
168 | # Installshield output folder
169 | [Ee]xpress/
170 |
171 | # DocProject is a documentation generator add-in
172 | DocProject/buildhelp/
173 | DocProject/Help/*.HxT
174 | DocProject/Help/*.HxC
175 | DocProject/Help/*.hhc
176 | DocProject/Help/*.hhk
177 | DocProject/Help/*.hhp
178 | DocProject/Help/Html2
179 | DocProject/Help/html
180 |
181 | # Click-Once directory
182 | publish/
183 |
184 | # Publish Web Output
185 | *.[Pp]ublish.xml
186 | *.azurePubxml
187 | # Note: Comment the next line if you want to checkin your web deploy settings,
188 | # but database connection strings (with potential passwords) will be unencrypted
189 | *.pubxml
190 | *.publishproj
191 |
192 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
193 | # checkin your Azure Web App publish settings, but sensitive information contained
194 | # in these scripts will be unencrypted
195 | PublishScripts/
196 |
197 | # NuGet Packages
198 | *.nupkg
199 | # NuGet Symbol Packages
200 | *.snupkg
201 | # The packages folder can be ignored because of Package Restore
202 | **/[Pp]ackages/*
203 | # except build/, which is used as an MSBuild target.
204 | !**/[Pp]ackages/build/
205 | # Uncomment if necessary however generally it will be regenerated when needed
206 | #!**/[Pp]ackages/repositories.config
207 | # NuGet v3's project.json files produces more ignorable files
208 | *.nuget.props
209 | *.nuget.targets
210 |
211 | # Microsoft Azure Build Output
212 | csx/
213 | *.build.csdef
214 |
215 | # Microsoft Azure Emulator
216 | ecf/
217 | rcf/
218 |
219 | # Windows Store app package directories and files
220 | AppPackages/
221 | BundleArtifacts/
222 | Package.StoreAssociation.xml
223 | _pkginfo.txt
224 | *.appx
225 | *.appxbundle
226 | *.appxupload
227 |
228 | # Visual Studio cache files
229 | # files ending in .cache can be ignored
230 | *.[Cc]ache
231 | # but keep track of directories ending in .cache
232 | !?*.[Cc]ache/
233 |
234 | # Others
235 | ClientBin/
236 | ~$*
237 | *~
238 | *.dbmdl
239 | *.dbproj.schemaview
240 | *.jfm
241 | *.pfx
242 | *.publishsettings
243 | orleans.codegen.cs
244 |
245 | # Including strong name files can present a security risk
246 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
247 | #*.snk
248 |
249 | # Since there are multiple workflows, uncomment next line to ignore bower_components
250 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
251 | #bower_components/
252 |
253 | # RIA/Silverlight projects
254 | Generated_Code/
255 |
256 | # Backup & report files from converting an old project file
257 | # to a newer Visual Studio version. Backup files are not needed,
258 | # because we have git ;-)
259 | _UpgradeReport_Files/
260 | Backup*/
261 | UpgradeLog*.XML
262 | UpgradeLog*.htm
263 | ServiceFabricBackup/
264 | *.rptproj.bak
265 |
266 | # SQL Server files
267 | *.mdf
268 | *.ldf
269 | *.ndf
270 |
271 | # Business Intelligence projects
272 | *.rdl.data
273 | *.bim.layout
274 | *.bim_*.settings
275 | *.rptproj.rsuser
276 | *- [Bb]ackup.rdl
277 | *- [Bb]ackup ([0-9]).rdl
278 | *- [Bb]ackup ([0-9][0-9]).rdl
279 |
280 | # Microsoft Fakes
281 | FakesAssemblies/
282 |
283 | # GhostDoc plugin setting file
284 | *.GhostDoc.xml
285 |
286 | # Node.js Tools for Visual Studio
287 | .ntvs_analysis.dat
288 | node_modules/
289 |
290 | # Visual Studio 6 build log
291 | *.plg
292 |
293 | # Visual Studio 6 workspace options file
294 | *.opt
295 |
296 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
297 | *.vbw
298 |
299 | # Visual Studio 6 auto-generated project file (contains which files were open etc.)
300 | *.vbp
301 |
302 | # Visual Studio 6 workspace and project file (working project files containing files to include in project)
303 | *.dsw
304 | *.dsp
305 |
306 | # Visual Studio 6 technical files
307 | *.ncb
308 | *.aps
309 |
310 | # Visual Studio LightSwitch build output
311 | **/*.HTMLClient/GeneratedArtifacts
312 | **/*.DesktopClient/GeneratedArtifacts
313 | **/*.DesktopClient/ModelManifest.xml
314 | **/*.Server/GeneratedArtifacts
315 | **/*.Server/ModelManifest.xml
316 | _Pvt_Extensions
317 |
318 | # Paket dependency manager
319 | .paket/paket.exe
320 | paket-files/
321 |
322 | # FAKE - F# Make
323 | .fake/
324 |
325 | # CodeRush personal settings
326 | .cr/personal
327 |
328 | # Python Tools for Visual Studio (PTVS)
329 | __pycache__/
330 | *.pyc
331 |
332 | # Cake - Uncomment if you are using it
333 | # tools/**
334 | # !tools/packages.config
335 |
336 | # Tabs Studio
337 | *.tss
338 |
339 | # Telerik's JustMock configuration file
340 | *.jmconfig
341 |
342 | # BizTalk build output
343 | *.btp.cs
344 | *.btm.cs
345 | *.odx.cs
346 | *.xsd.cs
347 |
348 | # OpenCover UI analysis results
349 | OpenCover/
350 |
351 | # Azure Stream Analytics local run output
352 | ASALocalRun/
353 |
354 | # MSBuild Binary and Structured Log
355 | *.binlog
356 |
357 | # NVidia Nsight GPU debugger configuration file
358 | *.nvuser
359 |
360 | # MFractors (Xamarin productivity tool) working folder
361 | .mfractor/
362 |
363 | # Local History for Visual Studio
364 | .localhistory/
365 |
366 | # Visual Studio History (VSHistory) files
367 | .vshistory/
368 |
369 | # BeatPulse healthcheck temp database
370 | healthchecksdb
371 |
372 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
373 | MigrationBackup/
374 |
375 | # Ionide (cross platform F# VS Code tools) working folder
376 | .ionide/
377 |
378 | # Fody - auto-generated XML schema
379 | FodyWeavers.xsd
380 |
381 | # VS Code files for those working on multiple tools
382 | .vscode/*
383 | !.vscode/settings.json
384 | !.vscode/tasks.json
385 | !.vscode/launch.json
386 | !.vscode/extensions.json
387 | *.code-workspace
388 |
389 | # Local History for Visual Studio Code
390 | .history/
391 |
392 | # Windows Installer files from build outputs
393 | *.cab
394 | *.msi
395 | *.msix
396 | *.msm
397 | *.msp
398 |
399 | # JetBrains Rider
400 | *.sln.iml
401 |
--------------------------------------------------------------------------------
/DataPtrHookWin11.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.11.35327.3
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DataPtrHookWin11", "DataPtrHookWin11\DataPtrHookWin11.vcxproj", "{302EE750-1316-488F-B9D5-4D57B56E1205}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Test", "Test\Test.vcxproj", "{4E582B97-2893-4D75-B9AC-278456B067B6}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|ARM64 = Debug|ARM64
13 | Debug|x64 = Debug|x64
14 | Debug|x86 = Debug|x86
15 | Release|ARM64 = Release|ARM64
16 | Release|x64 = Release|x64
17 | Release|x86 = Release|x86
18 | EndGlobalSection
19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Debug|ARM64.ActiveCfg = Debug|ARM64
21 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Debug|ARM64.Build.0 = Debug|ARM64
22 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Debug|ARM64.Deploy.0 = Debug|ARM64
23 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Debug|x64.ActiveCfg = Debug|x64
24 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Debug|x64.Build.0 = Debug|x64
25 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Debug|x64.Deploy.0 = Debug|x64
26 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Debug|x86.ActiveCfg = Debug|x64
27 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Debug|x86.Build.0 = Debug|x64
28 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Debug|x86.Deploy.0 = Debug|x64
29 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Release|ARM64.ActiveCfg = Release|ARM64
30 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Release|ARM64.Build.0 = Release|ARM64
31 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Release|ARM64.Deploy.0 = Release|ARM64
32 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Release|x64.ActiveCfg = Release|x64
33 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Release|x64.Build.0 = Release|x64
34 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Release|x64.Deploy.0 = Release|x64
35 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Release|x86.ActiveCfg = Release|x64
36 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Release|x86.Build.0 = Release|x64
37 | {302EE750-1316-488F-B9D5-4D57B56E1205}.Release|x86.Deploy.0 = Release|x64
38 | {4E582B97-2893-4D75-B9AC-278456B067B6}.Debug|ARM64.ActiveCfg = Debug|x64
39 | {4E582B97-2893-4D75-B9AC-278456B067B6}.Debug|ARM64.Build.0 = Debug|x64
40 | {4E582B97-2893-4D75-B9AC-278456B067B6}.Debug|x64.ActiveCfg = Debug|x64
41 | {4E582B97-2893-4D75-B9AC-278456B067B6}.Debug|x64.Build.0 = Debug|x64
42 | {4E582B97-2893-4D75-B9AC-278456B067B6}.Debug|x86.ActiveCfg = Debug|Win32
43 | {4E582B97-2893-4D75-B9AC-278456B067B6}.Debug|x86.Build.0 = Debug|Win32
44 | {4E582B97-2893-4D75-B9AC-278456B067B6}.Release|ARM64.ActiveCfg = Release|x64
45 | {4E582B97-2893-4D75-B9AC-278456B067B6}.Release|ARM64.Build.0 = Release|x64
46 | {4E582B97-2893-4D75-B9AC-278456B067B6}.Release|x64.ActiveCfg = Release|x64
47 | {4E582B97-2893-4D75-B9AC-278456B067B6}.Release|x64.Build.0 = Release|x64
48 | {4E582B97-2893-4D75-B9AC-278456B067B6}.Release|x86.ActiveCfg = Release|Win32
49 | {4E582B97-2893-4D75-B9AC-278456B067B6}.Release|x86.Build.0 = Release|Win32
50 | EndGlobalSection
51 | GlobalSection(SolutionProperties) = preSolution
52 | HideSolutionNode = FALSE
53 | EndGlobalSection
54 | GlobalSection(ExtensibilityGlobals) = postSolution
55 | SolutionGuid = {45F3706F-E1C4-4704-9FB0-150287270C90}
56 | EndGlobalSection
57 | EndGlobal
58 |
--------------------------------------------------------------------------------
/DataPtrHookWin11/DataPtrHookWin11.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | x64
7 |
8 |
9 | Release
10 | x64
11 |
12 |
13 | Debug
14 | ARM64
15 |
16 |
17 | Release
18 | ARM64
19 |
20 |
21 |
22 | {302EE750-1316-488F-B9D5-4D57B56E1205}
23 | {dd38f7fc-d7bd-488b-9242-7d8754cde80d}
24 | v4.5
25 | 12.0
26 | Debug
27 | x64
28 | DataPtrHookWin11
29 |
30 |
31 |
32 | Windows10
33 | true
34 | WindowsKernelModeDriver10.0
35 | Driver
36 | WDM
37 | Spectre
38 |
39 |
40 | Windows10
41 | false
42 | WindowsKernelModeDriver10.0
43 | Driver
44 | WDM
45 |
46 |
47 | Windows10
48 | true
49 | WindowsKernelModeDriver10.0
50 | Driver
51 | WDM
52 |
53 |
54 | Windows10
55 | false
56 | WindowsKernelModeDriver10.0
57 | Driver
58 | WDM
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 | DbgengKernelDebugger
70 |
71 |
72 | DbgengKernelDebugger
73 |
74 |
75 | DbgengKernelDebugger
76 |
77 |
78 | DbgengKernelDebugger
79 |
80 |
81 |
82 | sha256
83 |
84 |
85 | false
86 |
87 |
88 |
89 |
90 | sha256
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 |
105 |
106 |
--------------------------------------------------------------------------------
/DataPtrHookWin11/DataPtrHookWin11.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 | {8E41214B-6785-4CFE-B992-037D68949A14}
18 | inf;inv;inx;mof;mc;
19 |
20 |
21 |
22 |
23 | Source Files
24 |
25 |
26 |
27 |
28 | Header Files
29 |
30 |
31 | Header Files
32 |
33 |
34 |
--------------------------------------------------------------------------------
/DataPtrHookWin11/command.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
// Request block passed (by user-mode pointer) as the first argument of
// NtUserSetGestureConfig; the hooked win32k routine recognises it by `magic`
// and passes anything else through to the real function.
//
// The layout is shared verbatim between the x64 driver and the Test client,
// so both must be built for the same pointer size: PVOID and SIZE_T change
// width in a 32-bit build (the Test project has Win32 configurations), and
// the x64 driver would then read a differently laid-out struct.
typedef struct _COMMAND
{
    DWORD magic;      // 0x233 marks a control request
    DWORD type;       // 1 = ping (hook replies 0x666), 2 = image base of pid,
                      // 3 = read from pid, 4 = write to pid (see Test/driver.h)
    DWORD pid;        // target process id (types 2-4)
    ULONG64 address;  // address inside the target process (types 3-4)
    PVOID buffer;     // caller-side buffer: destination of a read, source of a write
    SIZE_T size;      // number of bytes to copy (types 3-4)
} COMMAND, * PCOMMAND;
--------------------------------------------------------------------------------
/DataPtrHookWin11/main.cpp:
--------------------------------------------------------------------------------
1 | #include "main.h"
2 |
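// Query ZwQuerySystemInformation for `information_class` into a freshly
// allocated NonPagedPool buffer.
//
// Returns nullptr on failure. On success the caller owns the buffer and
// releases it with ExFreePool (as get_kernel_module() does).
//
// The first call uses a deliberately tiny stack buffer only to learn the
// required length. Because that length can grow between the two calls (for
// SystemModuleInformation, a driver loading in between is enough), the
// allocate-and-query step is retried a bounded number of times instead of
// giving up on the first STATUS_INFO_LENGTH_MISMATCH, which is what the
// original did.
void* get_system_information(SYSTEM_INFORMATION_CLASS information_class)
{
    unsigned long size = 32;
    char probe[32];

    // Only the returned length matters here; the status is expected to be
    // STATUS_INFO_LENGTH_MISMATCH for anything larger than the probe buffer.
    ZwQuerySystemInformation(information_class, probe, sizeof(probe), &size);

    for (int attempt = 0; attempt < 4; ++attempt) {
        if (size == 0)
            return nullptr;

        // Pool tag is arbitrary; it is what shows up in pool tracking tools.
        void* info = ExAllocatePoolZero(NonPagedPool, size, 'fuck');
        if (!info)
            return nullptr;

        unsigned long needed = size;
        const NTSTATUS status = ZwQuerySystemInformation(information_class, info, size, &needed);
        if (NT_SUCCESS(status))
            return info;

        ExFreePool(info);

        // Only "buffer too small and the kernel told us a bigger size" is
        // worth another round; any other failure is final.
        if (status != STATUS_INFO_LENGTH_MISMATCH || needed <= size)
            return nullptr;
        size = needed;
    }

    return nullptr;
}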
21 |
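// Return the load address of the kernel module whose file name equals `name`,
// or 0 if no such module is loaded. The module's file name is lower-cased
// before comparison, so `name` must be supplied in lower case.
//
// Walks a SystemModuleInformation snapshot obtained from
// get_system_information(); the snapshot is freed before returning.
uintptr_t get_kernel_module(const char* name)
{
    if (!name)
        return 0;

    const PRTL_PROCESS_MODULES info = (PRTL_PROCESS_MODULES)get_system_information(SystemModuleInformation);
    if (!info)
        return 0;

    uintptr_t found = 0;

    for (ULONG i = 0; i < info->NumberOfModules && !found; ++i) {
        // Non-const reference: the file-name part is lower-cased in place,
        // which is fine because the snapshot is our own pool copy (the
        // original cast away a const reference to do the same thing).
        RTL_PROCESS_MODULE_INFORMATION& mod = info->Modules[i];

        // OffsetToFileName is kernel-supplied, but it is still bounds-checked
        // against the fixed 256-byte path field before being used as an index.
        if (mod.OffsetToFileName >= sizeof(mod.FullPathName))
            continue;

        char* const file = (char*)mod.FullPathName + mod.OffsetToFileName;
        const size_t room = sizeof(mod.FullPathName) - mod.OffsetToFileName;

        // Lower-case within the remaining field, never past its end.
        for (size_t k = 0; k < room && file[k] != '\0'; ++k)
            file[k] = (char)tolower((unsigned char)file[k]);

        if (strncmp(file, name, room) == 0)
            found = (uintptr_t)mod.ImageBase;
    }

    ExFreePool(info);
    return found;
}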
50 |
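// Find a live process whose EPROCESS image name equals `process_name` and
// store its EPROCESS in *process.
//
// Scans pids 4..29996 in steps of 4 (pids are multiples of 4; the 30000
// ceiling is inherited from the original and can miss processes on a busy
// system). Returns STATUS_SUCCESS, STATUS_NOT_FOUND, or
// STATUS_INVALID_PARAMETER for null arguments.
//
// Matching: PsGetProcessImageFileName() returns the 15-byte
// EPROCESS.ImageFileName field, so at most 15 characters are compared. That
// also lets a longer `process_name` match its truncated form. The original
// used strstr(process_name, name) — haystack and needle reversed — which
// matched whenever the *image name* was a substring of the wanted name, and
// matched every process if the image name was empty.
//
// Ownership (unchanged from the original, and worth knowing): the reference
// taken by PsLookupProcessByProcessId is dropped before returning, so
// *process is an UNREFERENCED pointer that is only valid while the process
// stays alive. A caller that attaches to it races with process exit; a safer
// contract would hand the reference to the caller to ObDereferenceObject().
NTSTATUS find_process(char* process_name, PEPROCESS* process)
{
    if (!process_name || !process)
        return STATUS_INVALID_PARAMETER;

    for (ULONG_PTR pid = 4; pid < 30000; pid += 4) {
        PEPROCESS candidate = nullptr;
        if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)pid, &candidate)))
            continue;

        const char* name = PsGetProcessImageFileName(candidate);
        const bool match = (name != nullptr) && strncmp(name, process_name, 15) == 0;

        if (match) {
            *process = candidate;
            ObDereferenceObject(candidate);
            return STATUS_SUCCESS;
        }

        ObDereferenceObject(candidate);
    }

    return STATUS_NOT_FOUND;
}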
77 |
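// Scan [base, base + range) for `pattern`, where `mask` has one character per
// pattern byte: 'x' means the byte must match, anything else is a wildcard.
// The mask's length (not the pattern's) defines the pattern size.
//
// Returns the address of the first match, or 0 when there is none.
//
// Two fixes over the original:
//  * a range shorter than the mask now yields 0; previously `range - strlen(mask)`
//    wrapped size_t and the loop walked far past the caller's buffer;
//  * every start position at which the whole pattern fits is tried, including
//    the last one (the original stopped one short and could not find a
//    pattern that ends on the final byte of the range).
uintptr_t pattern_scan(uintptr_t base, size_t range, const char* pattern, const char* mask)
{
    if (!pattern || !mask)
        return 0;

    const size_t length = strlen(mask);

    // Preserve the original's answer for an empty mask: it matches at `base`
    // whenever there is at least one byte to look at.
    if (length == 0)
        return range ? base : 0;

    if (range < length)
        return 0;

    const char* bytes = (const char*)base;
    const size_t last_start = range - length;

    for (size_t offset = 0; offset <= last_start; ++offset) {
        bool hit = true;
        for (size_t k = 0; k < length; ++k) {
            if (mask[k] == 'x' && bytes[offset + k] != pattern[k]) {
                hit = false;
                break;
            }
        }
        if (hit)
            return base + offset;
    }

    return 0;
}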
98 |
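// Scan every executable section of the PE image mapped at `base` for
// pattern/mask (see the range overload for the mask format).
//
// Returns the first match, or 0 when nothing matches or `base` does not look
// like a mapped PE image. The DOS and NT signatures are checked up front so a
// bad base (a stale module address, for example) is rejected rather than
// walked as if it were a header. Sections with a zero VirtualSize are skipped.
uintptr_t pattern_scan(uintptr_t base, const char* pattern, const char* mask)
{
    if (!base)
        return 0;

    const PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)base;
    if (dos->e_magic != 0x5A4D || dos->e_lfanew < 0)   // 'MZ' (IMAGE_DOS_SIGNATURE)
        return 0;

    const PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)(base + (uintptr_t)dos->e_lfanew);
    if (nt->Signature != 0x00004550)                   // 'PE\0\0' (IMAGE_NT_SIGNATURE)
        return 0;

    const PIMAGE_SECTION_HEADER first = IMAGE_FIRST_SECTION(nt);
    const size_t count = nt->FileHeader.NumberOfSections;

    for (size_t i = 0; i < count; ++i) {
        const PIMAGE_SECTION_HEADER section = &first[i];

        if (!(section->Characteristics & IMAGE_SCN_MEM_EXECUTE))
            continue;
        if (section->Misc.VirtualSize == 0)
            continue;

        const uintptr_t hit = pattern_scan(base + section->VirtualAddress, section->Misc.VirtualSize, pattern, mask);
        if (hit)
            return hit;
    }

    return 0;
}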
116 |
// Thin wrapper over MmIsAddressValid for integer-typed addresses.
//
// NOTE(review): MmIsAddressValid only reports whether the page holding the
// first byte is currently mapped; it says nothing about the bytes after it,
// it is not a safe probe for user-mode pointers, and the page may be unmapped
// immediately after it returns.
BOOLEAN is_valid(ULONG64 address)
{
    PVOID const candidate = reinterpret_cast<PVOID>(address);
    return MmIsAddressValid(candidate);
}
121 |
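// Copy a COMMAND out of user memory under exception protection.
//
// Returns false (leaving *out unspecified) when `user_ptr` is not readable,
// suitably aligned user memory. That is the normal case for legitimate
// callers of NtUserSetGestureConfig, whose first argument is an HWND value,
// and it lets the hook fall through to the real routine instead of faulting.
// The original checked MmIsAddressValid() on the pointer only, which neither
// covers the whole struct nor protects against the page going away.
static bool copy_command_from_user(const void* user_ptr, COMMAND* out)
{
    __try {
        ProbeForRead(user_ptr, sizeof(COMMAND), __alignof(COMMAND));
        RtlCopyMemory(out, user_ptr, sizeof(COMMAND));
        return true;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        return false;
    }
}

// True iff [start, start + size) is non-empty, does not wrap, and lies
// entirely below MmHighestUserAddress.
//
// Both copy directions pass KernelMode to MmCopyVirtualMemory, which means
// the kernel does not range-check the addresses for us. Without this check
// a caller could name a kernel address on either side and turn the channel
// into an arbitrary kernel read/write.
static bool user_range_ok(ULONG64 start, SIZE_T size)
{
    const ULONG64 limit = (ULONG64)(ULONG_PTR)MmHighestUserAddress;
    return size != 0 && start <= limit && (ULONG64)size - 1 <= limit - start;
}

// Replacement for the win32k function pointer that NtUserSetGestureConfig
// dispatches through. Per the README's IDA listing the slot is invoked with
// all five of NtUserSetGestureConfig's arguments, so all five are accepted
// and forwarded; the original took only a1 and forwarded only a1, silently
// dropping a2..a5 for every legitimate gesture-config call on the system.
//
// a1 doubles as the control channel: when it points at a readable user-mode
// COMMAND whose magic is 0x233 the request is serviced, otherwise the call
// goes to the original routine untouched.
//
// Returns: type 1 -> 0x666; type 2 -> image base of the target or 0;
// types 3/4 -> the NTSTATUS of the copy (0 on success; the original returned
// 0 from type 4 unconditionally, so callers could not tell failure apart).
//
// SECURITY (review): the magic value is not authentication. Any local,
// unprivileged process can reach this hook and use types 3 and 4 to read and
// write the memory of any process it can name by pid, including protected
// ones — nothing here restricts the target. The checks below only stop the
// hook from being a kernel-memory primitive and from faulting on bad user
// pointers; they do not make the channel safe to ship.
__int64 __fastcall hkNtUserSetGestureConfig(void* a1, unsigned int a2, unsigned int a3, __int64 a4, int a5)
{
    typedef __int64(__fastcall* original_t)(void*, unsigned int, unsigned int, __int64, int);
    const original_t original = (original_t)oNtUserSetGestureConfig;

    COMMAND cmd;
    if (!copy_command_from_user(a1, &cmd) || cmd.magic != 0x233)
        return original(a1, a2, a3, a4, a5);

    switch (cmd.type)
    {
    case 1:
        // Liveness probe; see ping() in Test/driver.h.
        return 0x666;

    case 2:
    {
        // Image base of the target process; 0 when the pid does not resolve.
        // The reference is held until after the base has been read (the
        // original dereferenced first and then used the EPROCESS).
        PEPROCESS process;
        if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)cmd.pid, &process)))
            return 0;
        const __int64 base = (__int64)PsGetProcessSectionBaseAddress(process);
        ObDereferenceObject(process);
        return base;
    }

    case 3:
    case 4:
    {
        // 3 = read target -> caller buffer, 4 = write caller buffer -> target.
        if (!user_range_ok(cmd.address, cmd.size) ||
            !user_range_ok((ULONG64)(ULONG_PTR)cmd.buffer, cmd.size))
            return STATUS_INVALID_PARAMETER;

        PEPROCESS process;
        NTSTATUS status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)cmd.pid, &process);
        if (!NT_SUCCESS(status))
            return status;

        PEPROCESS self = IoGetCurrentProcess();
        SIZE_T copied = 0;

        if (cmd.type == 3)
            status = MmCopyVirtualMemory(process, (PVOID)(ULONG_PTR)cmd.address, self, cmd.buffer, cmd.size, KernelMode, &copied);
        else
            status = MmCopyVirtualMemory(self, cmd.buffer, process, (PVOID)(ULONG_PTR)cmd.address, cmd.size, KernelMode, &copied);

        // Only release the process once the copy is finished.
        ObDereferenceObject(process);
        return status;
    }

    default:
        return 0;
    }
}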
163 |
// Driver entry point.
//
// Note the signature: no DRIVER_OBJECT / registry path and no unload routine,
// so nothing can ever unhook. The image has to stay mapped for as long as
// win32k may call through the swapped pointer; unloading it leaves the slot
// pointing at freed memory.
//
// Flow: locate win32k.sys, find a `call` followed by `mov dl, bl` inside it by
// byte pattern (assumed to be the W32GetSessionState call — see README),
// follow that call and a RIP-relative load to the session-state global, then
// walk the same three offsets the real NtUserSetGestureConfig uses
// (0x88, 0x150, 0xC30 — decimal 136, 336, 3120 in the README's IDA listing)
// to reach the function-pointer slot, and swap in the hook.
//
// Every offset is specific to the build this was derived from (the local is
// named for 24H2). On another build the is_valid() checks can pass while the
// walk lands on the wrong slot — is_valid() only tests the page of the first
// byte, not the 4- or 8-byte reads that follow it.
extern "C" NTSTATUS DriverEntry()
{
    ULONG64 gSessionGlobalSlots;
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    const uintptr_t win32k = get_kernel_module("win32k.sys");
    dbg("win32k %llx\n", win32k)  // dbg() expands with its own trailing ';'
    if (win32k) {
        // E8 rel32 (call) immediately followed by 8A D3 (mov dl, bl).
        // This reads win32k before attaching to any process; presumably the
        // loading context already maps session space — TODO confirm.
        gSessionGlobalSlots = pattern_scan(win32k, "\xE8\x00\x00\x00\x00\x8A\xD3", "x????xx");
        dbg("gSessionGlobalSlots %llx\n", gSessionGlobalSlots)
    }
    else {
        return STATUS_UNSUCCESSFUL;
    }

    // pattern_scan() returns 0 on no match, which fails this check.
    if (!is_valid(gSessionGlobalSlots))
    {
        return STATUS_UNSUCCESSFUL;
    }

    PEPROCESS process_target{};
    KAPC_STATE apc{};

    // Attach to explorer.exe for the pointer walk below (presumably to get a
    // session-space view — TODO confirm). find_process() hands back an
    // EPROCESS whose reference it has already dropped, so this attach races
    // with explorer exiting.
    if (find_process("explorer.exe", &process_target) == STATUS_SUCCESS && process_target)
    {
        KeStackAttachProcess(process_target, &apc);

        do
        {
            // Resolve the E8 call: target = next instruction (+5) + rel32 at +1.
            gSessionGlobalSlots = gSessionGlobalSlots + *(int*)(gSessionGlobalSlots + 1) + 5;
            dbg("gSessionGlobalSlots %llx\n", gSessionGlobalSlots)
            if (!is_valid(gSessionGlobalSlots))
            {
                status = STATUS_UNSUCCESSFUL;
                break;
            }

            // Skip 0x14 bytes into the callee (build-specific instruction offset).
            gSessionGlobalSlots = gSessionGlobalSlots + 0x14;
            dbg("gSessionGlobalSlots %llx\n", gSessionGlobalSlots)
            if (!is_valid(gSessionGlobalSlots))
            {
                status = STATUS_UNSUCCESSFUL;
                break;
            }

            // Resolve a 7-byte RIP-relative instruction whose disp32 sits at +3
            // (the shape of `mov reg, [rip+disp32]`) to the global it references.
            gSessionGlobalSlots = gSessionGlobalSlots + *(int*)(gSessionGlobalSlots + 3) + 7;
            dbg("gSessionGlobalSlots %llx\n", gSessionGlobalSlots)
            if (!is_valid(gSessionGlobalSlots))
            {
                status = STATUS_UNSUCCESSFUL;
                break;
            }

            // Two dereferences: the global holds a pointer, which in turn
            // points at the session-state object.
            ULONG64 GetSessionState24H2 = *(ULONG64*)(gSessionGlobalSlots);
            dbg("GetSessionState24H2 %llx\n", GetSessionState24H2)
            if (!is_valid(GetSessionState24H2))
            {
                status = STATUS_UNSUCCESSFUL;
                break;
            }

            GetSessionState24H2 = *(ULONG64*)(GetSessionState24H2);
            dbg("GetSessionState24H2 %llx\n", GetSessionState24H2)
            if (!is_valid(GetSessionState24H2))
            {
                status = STATUS_UNSUCCESSFUL;
                break;
            }

            // +0x88 (136) and +0x150 (336): the two loads NtUserSetGestureConfig
            // performs in the README listing.
            ULONG64 pointer = *(ULONG64*)(GetSessionState24H2 + 0x88);
            dbg("pointer %llx\n", pointer)
            if (!is_valid(pointer))
            {
                status = STATUS_UNSUCCESSFUL;
                break;
            }

            pointer = *(ULONG64*)(pointer + 0x150);
            dbg("pointer %llx\n", pointer)
            if (!is_valid(pointer))
            {
                status = STATUS_UNSUCCESSFUL;
                break;
            }

            // +0xC30 (3120): address of the function-pointer slot itself
            // (not dereferenced — this is what gets exchanged).
            pointer += 0xC30;
            dbg("pointer %llx\n", pointer)

            if (is_valid(pointer))
            {
                // Atomically swap in the hook and keep the original for
                // pass-through. No write-protection handling is done; per the
                // README the slot lives in a pool allocation, not an image section.
                *(void**)&oNtUserSetGestureConfig = _InterlockedExchangePointer((void**)pointer, (void*)hkNtUserSetGestureConfig);
                status = STATUS_SUCCESS;
            }

        } while (false);

        KeUnstackDetachProcess(&apc);
    }
    else
    {
        return STATUS_UNSUCCESSFUL;
    }

    return status;
}
--------------------------------------------------------------------------------
/DataPtrHookWin11/main.h:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include "command.h"
6 |
// Partial mirror of the native SYSTEM_INFORMATION_CLASS enumeration, listed
// from 0 so that the one value this driver actually uses,
// SystemModuleInformation (ordinal 11), lands on the right number. The values
// after it are carried over for completeness and are unused here.
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemPathInformation,
    SystemProcessInformation,
    SystemCallCountInformation,
    SystemDeviceInformation,
    SystemProcessorPerformanceInformation,
    SystemFlagsInformation,
    SystemCallTimeInformation,
    SystemModuleInformation,        // 11: used by get_kernel_module()
    SystemLocksInformation,
    SystemStackTraceInformation,
    SystemPagedPoolInformation,
    SystemNonPagedPoolInformation,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPageFileInformation,
    SystemVdmInstemulInformation,
    SystemVdmBopInformation,
    SystemFileCacheInformation,
    SystemPoolTagInformation,
    SystemInterruptInformation,
    SystemDpcBehaviorInformation,
    SystemFullMemoryInformation,
    SystemLoadGdiDriverInformation,
    SystemUnloadGdiDriverInformation,
    SystemTimeAdjustmentInformation,
    SystemSummaryMemoryInformation,
    SystemNextEventIdInformation,
    SystemEventIdsInformation,
    SystemCrashDumpInformation,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemExtendServiceTableInformation,
    SystemPrioritySeperation,
    SystemPlugPlayBusInformation,
    SystemDockInformation,
    SystemProcessorSpeedInformation,
    SystemCurrentTimeZoneInformation,
    SystemLookasideInformation
} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;
55 |
// One entry of a SystemModuleInformation result (mirrors the native
// RTL_PROCESS_MODULE_INFORMATION layout). get_kernel_module() reads
// ImageBase and the file name at FullPathName + OffsetToFileName.
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBase;          // load address of the module
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;  // index into FullPathName where the file name starts
    UCHAR FullPathName[256];  // ANSI path, fixed-size field
} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
69 |
// Header of a SystemModuleInformation result. Modules[1] is the NT
// "one-element array" idiom for a trailing array of NumberOfModules entries;
// it is kept that way (rather than a flexible array member) to match the
// layout the kernel writes.
typedef struct _RTL_PROCESS_MODULES
{
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
75 |
// Prototypes for ntoskrnl exports that this file relies on but does not take
// from the WDK headers. None of these is part of the documented driver API;
// they resolve against the kernel at load time and may change without notice.
EXTERN_C
{
    // Kernel-side system information query; used only with SystemModuleInformation.
    NTKERNELAPI NTSTATUS NTAPI ZwQuerySystemInformation(
        _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
        _Inout_ PVOID SystemInformation,
        _In_ ULONG SystemInformationLength,
        _Out_opt_ PULONG ReturnLength);
    // Returns a pointer to the process's short image name (the 15-byte
    // EPROCESS field). NOTE(review): whether a 15-character name is
    // NUL-terminated is not guaranteed by anything visible here; compare
    // with a bounded length.
    NTKERNELAPI CHAR* PsGetProcessImageFileName(IN PEPROCESS Process);
    // Returns the image base of the process's main executable.
    NTKERNELAPI PVOID PsGetProcessSectionBaseAddress(__in PEPROCESS Process);
    // Cross-process copy. NOTE(review): with PreviousMode == KernelMode the
    // addresses are not range-checked for user space by the kernel, so the
    // caller must validate them itself.
    NTKERNELAPI NTSTATUS MmCopyVirtualMemory(
        IN PEPROCESS FromProcess,
        IN CONST VOID* FromAddress,
        IN PEPROCESS ToProcess,
        OUT PVOID ToAddress,
        IN SIZE_T BufferSize,
        IN KPROCESSOR_MODE PreviousMode,
        OUT PSIZE_T NumberOfBytesCopied
    );
}
95 |
// The pointer that was in the win32k slot before the hook was installed,
// filled in by DriverEntry() and used by the hook for pass-through.
// Declared with a single parameter, but per the README's IDA listing the slot
// is invoked with five arguments; a pass-through that forwards only a1
// drops the rest, so callers should cast to the full five-argument type.
// NOTE(review): this is a definition (not `extern`) in a header with no
// include guard — safe only while main.cpp is the sole includer.
__int64(__fastcall* oNtUserSetGestureConfig)(void* a1);
97 |
// Debug trace via DbgPrintEx(ComponentId 0, Level 0). The expansion ends with
// ';', which is why the call sites in main.cpp omit their own; it also means
// dbg() cannot be the sole statement of an if/else without braces.
#define dbg(fmt, ...) DbgPrintEx(0, 0, fmt, __VA_ARGS__);
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2025 oakboat
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # DataPtrHookWin11
2 | A `.data`-pointer hook with a user-mode communication channel for Windows 11
3 | 
4 |
5 | Since Windows 11 the function pointer is no longer stored in the `.data` section: it lives in a pool allocation reachable from `W32GetSessionState()`. This code locates that allocation by byte pattern and then reads the function pointer out of it. The offsets used (0x88, 0x150, 0xC30) come from the 24H2 build shown below and must be re-derived for any other build.
6 | ### Original function in IDA
7 | ```
8 | __int64 (__fastcall *__fastcall NtUserSetGestureConfig(__int64 a1, unsigned int a2, unsigned int a3, __int64 a4, int a5))(__int64, _QWORD, _QWORD, __int64, int)
9 | {
10 | __int64 (__fastcall *result)(__int64, _QWORD, _QWORD, __int64, int); // rax
11 |
12 | result = *(__int64 (__fastcall **)(__int64, _QWORD, _QWORD, __int64, int))(*(_QWORD *)(*(_QWORD *)(W32GetSessionState() + 136)
13 | + 336i64)
14 | + 3120i64);
15 | if ( result )
16 | result = (__int64 (__fastcall *)(__int64, _QWORD, _QWORD, __int64, int))result(a1, a2, a3, a4, a5);
17 | return result;
18 | }
19 | ```
20 |
--------------------------------------------------------------------------------
/Test/Test.cpp:
--------------------------------------------------------------------------------
1 | #include "driver.h"
2 |
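// Smoke test: resolve the hook, then read and write a local int through the
// driver using this process's own pid.
//
// Bails out with exit code 1 if the hook is not live, because the helpers
// would otherwise call the real NtUserSetGestureConfig with a COMMAND pointer
// in place of an HWND. The typed read needs an explicit template argument
// (`read<int>`) since T cannot be deduced from its parameters.
int main()
{
    init();
    if (!NtUserSetGestureConfig || !ping()) {
        std::cout << "driver hook not present\n";
        return 1;
    }

    const auto pid = GetCurrentProcessId();
    const auto base = get_base(pid);
    std::cout << std::hex << base << "\n";

    int x = 0x123;
    std::cout << read<int>(pid, (ULONG64)&x) << "\n";  // expected: 123
    write(pid, (ULONG64)&x, 0x456u);
    std::cout << x << "\n";                             // expected: 456
    return 0;
}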
15 |
16 |
--------------------------------------------------------------------------------
/Test/Test.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 17.0
23 | Win32Proj
24 | {4e582b97-2893-4d75-b9ac-278456b067b6}
25 | Test
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | true
77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
78 | true
79 |
80 |
81 | Console
82 | true
83 |
84 |
85 |
86 |
87 | Level3
88 | true
89 | true
90 | true
91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | true
93 |
94 |
95 | Console
96 | true
97 | true
98 | true
99 |
100 |
101 |
102 |
103 | Level3
104 | true
105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 |
108 |
109 | Console
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | true
118 | true
119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
120 | true
121 |
122 |
123 | Console
124 | true
125 | true
126 | true
127 |
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
136 |
137 |
138 |
--------------------------------------------------------------------------------
/Test/Test.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 |
23 |
24 | 头文件
25 |
26 |
27 |
--------------------------------------------------------------------------------
/Test/driver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 | #include "../DataPtrHookWin11/command.h"
// The win32u.dll syscall stub for NtUserSetGestureConfig, resolved by init().
// Typed with a single parameter because the helpers below only ever pass the
// COMMAND pointer as the first argument. Stays null if init() fails, and every
// helper in this header calls through it unconditionally, so check it (or
// ping()) before use.
// NOTE(review): this is a definition in a header (#pragma once guards only per
// translation unit), so including driver.h from more than one .cpp violates the ODR.
__int64(__fastcall* NtUserSetGestureConfig)(void* a1) = nullptr;
6 |
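// Resolve the NtUserSetGestureConfig stub from win32u.dll. user32 is loaded
// first because win32u is normally brought in as its dependency.
//
// Returns true when the pointer was resolved. The original fell off the end
// of the function without returning anything, so its result was undefined.
bool init()
{
    LoadLibraryA("user32.dll");
    LoadLibraryA("win32u.dll");

    const HMODULE win32u = GetModuleHandleA("win32u.dll");
    if (!win32u)
        return false;

    *(void**)&NtUserSetGestureConfig = GetProcAddress(win32u, "NtUserSetGestureConfig");
    return NtUserSetGestureConfig != nullptr;
}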
18 |
// Liveness check: send a type-1 request and expect the hook's 0x666 reply.
// A false result means the hook is not installed (or init() did not run).
bool ping()
{
    COMMAND request{};
    request.magic = 0x233;
    request.type = 1;

    const __int64 reply = NtUserSetGestureConfig(&request);
    return reply == 0x666;
}
26 |
// Ask the driver for the image base of process `pid` (type-2 request).
// The hook answers 0 when the pid cannot be resolved.
ULONG64 get_base(DWORD pid)
{
    COMMAND request{};
    request.magic = 0x233;
    request.type = 2;
    request.pid = pid;

    const __int64 reply = NtUserSetGestureConfig(&request);
    return (ULONG64)reply;
}
35 |
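// Copy `size` bytes from `address` in process `pid` into `buffer`
// (type-3 request).
//
// The hook returns the NTSTATUS of the kernel copy, so success is exactly 0.
// The original converted that raw value to bool and therefore reported
// *false* on success. Note that if the driver answers 0 for an unresolved pid
// (the version reviewed alongside this header does), a true result does not
// by itself prove that `buffer` was filled.
bool read(DWORD pid, ULONG64 address, PVOID buffer, SIZE_T size)
{
    COMMAND cmd{};
    cmd.magic = 0x233;
    cmd.type = 3;
    cmd.pid = pid;
    cmd.address = address;
    cmd.buffer = buffer;
    cmd.size = size;
    return NtUserSetGestureConfig(&cmd) == 0;
}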
47 |
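// Typed convenience wrapper: read one T from `address` in process `pid`.
// Returns a zero-initialised T if the read fails (the bool from read() is
// not propagated). The template header is spelled out here; the listing had
// lost its `<typename T>`, without which this does not compile.
template <typename T>
T read(DWORD pid, ULONG64 address)
{
    T result{};
    read(pid, address, &result, sizeof(T));
    return result;
}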
55 |
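// Copy `size` bytes from `buffer` to `address` in process `pid`
// (type-4 request).
//
// Success is a 0 reply. The original converted the raw reply to bool, and
// since the driver's type-4 handler returned 0 unconditionally this function
// reported false even for a successful write; with a driver that returns the
// copy's NTSTATUS, `== 0` is the correct success test.
bool write(DWORD pid, ULONG64 address, PVOID buffer, SIZE_T size)
{
    COMMAND cmd{};
    cmd.magic = 0x233;
    cmd.type = 4;
    cmd.pid = pid;
    cmd.address = address;
    cmd.buffer = buffer;
    cmd.size = size;
    return NtUserSetGestureConfig(&cmd) == 0;
}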
67 |
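// Typed convenience wrapper: write one T (by value) to `address` in process
// `pid`. T is deduced from `data`, so write(pid, addr, 0x456u) writes four
// bytes. The template header is spelled out here; the listing had lost its
// `<typename T>`, without which this does not compile.
template <typename T>
bool write(DWORD pid, ULONG64 address, T data)
{
    return write(pid, address, &data, sizeof(T));
}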
73 |
--------------------------------------------------------------------------------