├── .gitignore ├── LICENSE ├── README.md ├── driver ├── communication │ ├── dispatch.c │ └── dispatch.h ├── km-mouse.inf ├── km-mouse.vcxproj ├── km-mouse.vcxproj.filters ├── km-mouse.vcxproj.user ├── main.c ├── memory │ ├── memory.c │ ├── memory.h │ ├── process.c │ └── process.h ├── mouse │ ├── mouse.asm │ └── mouse.h └── utils │ ├── defs.h │ └── message.h ├── examples ├── security_check.png └── test.png └── km-mouse.sln /.gitignore: -------------------------------------------------------------------------------- 1 | ##### Windows 2 | # Windows thumbnail cache files 3 | Thumbs.db 4 | Thumbs.db:encryptable 5 | ehthumbs.db 6 | ehthumbs_vista.db 7 | 8 | # Dump file 9 | *.stackdump 10 | 11 | # Folder config file 12 | [Dd]esktop.ini 13 | 14 | # Recycle Bin used on file shares 15 | $RECYCLE.BIN/ 16 | 17 | # Windows Installer files 18 | *.cab 19 | *.msi 20 | *.msix 21 | *.msm 22 | *.msp 23 | 24 | # Windows shortcuts 25 | *.lnk 26 | 27 | ##### Linux 28 | *~ 29 | 30 | # temporary files which can be created if a process still has a handle open of a deleted file 31 | .fuse_hidden* 32 | 33 | # KDE directory preferences 34 | .directory 35 | 36 | # Linux trash folder which might appear on any partition or disk 37 | .Trash-* 38 | 39 | # .nfs files are created when an open file is removed but is still being accessed 40 | .nfs* 41 | 42 | ##### MacOS 43 | # General 44 | .DS_Store 45 | .AppleDouble 46 | .LSOverride 47 | 48 | # Thumbnails 49 | ._* 50 | 51 | # Files that might appear in the root of a volume 52 | .DocumentRevisions-V100 53 | .fseventsd 54 | .Spotlight-V100 55 | .TemporaryItems 56 | .Trashes 57 | .VolumeIcon.icns 58 | .com.apple.timemachine.donotpresent 59 | 60 | # Directories potentially created on remote AFP share 61 | .AppleDB 62 | .AppleDesktop 63 | Network Trash Folder 64 | Temporary Items 65 | .apdisk 66 | 67 | ##### Android 68 | # Built application files 69 | *.apk 70 | *.ap_ 71 | *.aab 72 | 73 | # Files for the ART/Dalvik VM 74 | *.dex 75 | 76 | # Java class 
files 77 | *.class 78 | 79 | # Generated files 80 | bin/ 81 | gen/ 82 | out/ 83 | # Uncomment the following line in case you need and you don't have the release build type files in your app 84 | # release/ 85 | 86 | # Gradle files 87 | .gradle/ 88 | build/ 89 | 90 | # Local configuration file (sdk path, etc) 91 | local.properties 92 | 93 | # Proguard folder generated by Eclipse 94 | proguard/ 95 | 96 | # Log Files 97 | *.log 98 | 99 | # Android Studio Navigation editor temp files 100 | .navigation/ 101 | 102 | # Android Studio captures folder 103 | captures/ 104 | 105 | # IntelliJ 106 | *.iml 107 | .idea/workspace.xml 108 | .idea/tasks.xml 109 | .idea/gradle.xml 110 | .idea/assetWizardSettings.xml 111 | .idea/dictionaries 112 | .idea/libraries 113 | # Android Studio 3 in .gitignore file. 114 | .idea/caches 115 | .idea/modules.xml 116 | # Comment next line if keeping position of elements in Navigation Editor is relevant for you 117 | .idea/navEditor.xml 118 | 119 | # Keystore files 120 | # Uncomment the following lines if you do not want to check your keystore files in. 121 | #*.jks 122 | #*.keystore 123 | 124 | # External native build folder generated in Android Studio 2.2 and later 125 | .externalNativeBuild 126 | 127 | # Google Services (e.g. 
APIs or Firebase) 128 | # google-services.json 129 | 130 | # Freeline 131 | freeline.py 132 | freeline/ 133 | freeline_project_description.json 134 | 135 | # fastlane 136 | fastlane/report.xml 137 | fastlane/Preview.html 138 | fastlane/screenshots 139 | fastlane/test_output 140 | fastlane/readme.md 141 | 142 | # Version control 143 | vcs.xml 144 | 145 | # lint 146 | lint/intermediates/ 147 | lint/generated/ 148 | lint/outputs/ 149 | lint/tmp/ 150 | # lint/reports/ 151 | 152 | ##### Backup 153 | *.bak 154 | *.gho 155 | *.ori 156 | *.orig 157 | *.tmp 158 | 159 | ##### GPG 160 | secring.* 161 | 162 | ##### Dropbox 163 | # Dropbox settings and caches 164 | .dropbox 165 | .dropbox.attr 166 | .dropbox.cache 167 | 168 | ##### SynopsysVCS 169 | # Waveform formats 170 | *.vcd 171 | *.vpd 172 | *.evcd 173 | *.fsdb 174 | 175 | # Default name of the simulation executable. A different name can be 176 | # specified with this switch (the associated daidir database name is 177 | # also taken from here): -o / 178 | simv 179 | 180 | # Generated for Verilog and VHDL top configs 181 | simv.daidir/ 182 | simv.db.dir/ 183 | 184 | # Infrastructure necessary to co-simulate SystemC models with 185 | # Verilog/VHDL models. An alternate directory may be specified with this 186 | # switch: -Mdir= 187 | csrc/ 188 | 189 | # Log file - the following switch allows to specify the file that will be 190 | # used to write all messages from simulation: -l 191 | *.log 192 | 193 | # Coverage results (generated with urg) and database location. The 194 | # following switch can also be used: urg -dir .vdb 195 | simv.vdb/ 196 | urgReport/ 197 | 198 | # DVE and UCLI related files. 199 | DVEfiles/ 200 | ucli.key 201 | 202 | # When the design is elaborated for DirectC, the following file is created 203 | # with declarations for C/C++ functions. 
204 | vc_hdrs.h 205 | 206 | ##### SVN 207 | .svn/ 208 | 209 | ##### Mercurial 210 | .hg/ 211 | .hgignore 212 | .hgsigs 213 | .hgsub 214 | .hgsubstate 215 | .hgtags 216 | 217 | ##### Bazaar 218 | .bzr/ 219 | .bzrignore 220 | 221 | ##### CVS 222 | /CVS/* 223 | **/CVS/* 224 | .cvsignore 225 | */.cvsignore 226 | 227 | ##### TortoiseGit 228 | # Project-level settings 229 | /.tgitconfig 230 | 231 | ##### PuTTY 232 | # Private key 233 | *.ppk 234 | 235 | ##### Vim 236 | # Swap (the !*.svg re-include below keeps vector files; comment it out if you don't need them - it must stand on its own line, since gitignore has no trailing comments and any text after the pattern becomes part of it) 237 | [._]*.s[a-v][a-z] 238 | !*.svg 239 | [._]*.sw[a-p] 240 | [._]s[a-rt-v][a-z] 241 | [._]ss[a-gi-z] 242 | [._]sw[a-p] 243 | 244 | # Session 245 | Session.vim 246 | Sessionx.vim 247 | 248 | # Temporary 249 | .netrwhist 250 | *~ 251 | # Auto-generated tag files 252 | tags 253 | # Persistent undo 254 | [._]*.un~ 255 | 256 | ##### Emacs 257 | # -*- mode: gitignore; -*- 258 | *~ 259 | \#*\# 260 | /.emacs.desktop 261 | /.emacs.desktop.lock 262 | *.elc 263 | auto-save-list 264 | tramp 265 | .\#* 266 | 267 | # Org-mode 268 | .org-id-locations 269 | *_archive 270 | 271 | # flymake-mode 272 | *_flymake.* 273 | 274 | # eshell files 275 | /eshell/history 276 | /eshell/lastdir 277 | 278 | # elpa packages 279 | /elpa/ 280 | 281 | # reftex files 282 | *.rel 283 | 284 | # AUCTeX auto folder 285 | /auto/ 286 | 287 | # cask packages 288 | .cask/ 289 | dist/ 290 | 291 | # Flycheck 292 | flycheck_*.el 293 | 294 | # server auth directory 295 | /server/ 296 | 297 | # projectiles files 298 | .projectile 299 | 300 | # directory configuration 301 | .dir-locals.el 302 | 303 | # network security 304 | /network-security.data 305 | 306 | ##### SublimeText 307 | # Cache files for Sublime Text 308 | *.tmlanguage.cache 309 | *.tmPreferences.cache 310 | *.stTheme.cache 311 | 312 | # Workspace files are user-specific 313 | *.sublime-workspace 314 | 315 | # Project files should be checked into the repository, unless a significant 316 | # proportion of contributors will probably not be 
using Sublime Text 317 | # *.sublime-project 318 | 319 | # SFTP configuration file 320 | sftp-config.json 321 | sftp-config-alt*.json 322 | 323 | # Package control specific files 324 | Package Control.last-run 325 | Package Control.ca-list 326 | Package Control.ca-bundle 327 | Package Control.system-ca-bundle 328 | Package Control.cache/ 329 | Package Control.ca-certs/ 330 | Package Control.merged-ca-bundle 331 | Package Control.user-ca-bundle 332 | oscrypto-ca-bundle.crt 333 | bh_unicode_properties.cache 334 | 335 | # Sublime-github package stores a github token in this file 336 | # https://packagecontrol.io/packages/sublime-github 337 | GitHub.sublime-settings 338 | 339 | ##### Notepad++ 340 | # Notepad++ backups # 341 | *.bak 342 | 343 | ##### TextMate 344 | *.tmproj 345 | *.tmproject 346 | tmtags 347 | 348 | ##### VisualStudioCode 349 | .vscode/* 350 | !.vscode/settings.json 351 | !.vscode/tasks.json 352 | !.vscode/launch.json 353 | !.vscode/extensions.json 354 | *.code-workspace 355 | 356 | # Local History for Visual Studio Code 357 | .history/ 358 | 359 | ##### NetBeans 360 | **/nbproject/private/ 361 | **/nbproject/Makefile-*.mk 362 | **/nbproject/Package-*.bash 363 | build/ 364 | nbbuild/ 365 | dist/ 366 | nbdist/ 367 | .nb-gradle/ 368 | 369 | ##### JetBrains 370 | # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider 371 | # Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839 372 | 373 | # User-specific stuff 374 | .idea/**/workspace.xml 375 | .idea/**/tasks.xml 376 | .idea/**/usage.statistics.xml 377 | .idea/**/dictionaries 378 | .idea/**/shelf 379 | 380 | # Generated files 381 | .idea/**/contentModel.xml 382 | 383 | # Sensitive or high-churn files 384 | .idea/**/dataSources/ 385 | .idea/**/dataSources.ids 386 | .idea/**/dataSources.local.xml 387 | .idea/**/sqlDataSources.xml 388 | .idea/**/dynamic.xml 389 | .idea/**/uiDesigner.xml 390 | .idea/**/dbnavigator.xml 391 | 
392 | # Gradle 393 | .idea/**/gradle.xml 394 | .idea/**/libraries 395 | 396 | # Gradle and Maven with auto-import 397 | # When using Gradle or Maven with auto-import, you should exclude module files, 398 | # since they will be recreated, and may cause churn. Uncomment if using 399 | # auto-import. 400 | # .idea/artifacts 401 | # .idea/compiler.xml 402 | # .idea/jarRepositories.xml 403 | # .idea/modules.xml 404 | # .idea/*.iml 405 | # .idea/modules 406 | # *.iml 407 | # *.ipr 408 | 409 | # CMake 410 | cmake-build-*/ 411 | 412 | # Mongo Explorer plugin 413 | .idea/**/mongoSettings.xml 414 | 415 | # File-based project format 416 | *.iws 417 | 418 | # IntelliJ 419 | out/ 420 | 421 | # mpeltonen/sbt-idea plugin 422 | .idea_modules/ 423 | 424 | # JIRA plugin 425 | atlassian-ide-plugin.xml 426 | 427 | # Cursive Clojure plugin 428 | .idea/replstate.xml 429 | 430 | # Crashlytics plugin (for Android Studio and IntelliJ) 431 | com_crashlytics_export_strings.xml 432 | crashlytics.properties 433 | crashlytics-build.properties 434 | fabric.properties 435 | 436 | # Editor-based Rest Client 437 | .idea/httpRequests 438 | 439 | # Android studio 3.1+ serialized cache file 440 | .idea/caches/build_file_checksums.ser 441 | 442 | ##### Eclipse 443 | .metadata 444 | bin/ 445 | tmp/ 446 | *.tmp 447 | *.bak 448 | *.swp 449 | *~.nib 450 | local.properties 451 | .settings/ 452 | .loadpath 453 | .recommenders 454 | 455 | # External tool builders 456 | .externalToolBuilders/ 457 | 458 | # Locally stored "Eclipse launch configurations" 459 | *.launch 460 | 461 | # PyDev specific (Python IDE for Eclipse) 462 | *.pydevproject 463 | 464 | # CDT-specific (C/C++ Development Tooling) 465 | .cproject 466 | 467 | # CDT- autotools 468 | .autotools 469 | 470 | # Java annotation processor (APT) 471 | .factorypath 472 | 473 | # PDT-specific (PHP Development Tools) 474 | .buildpath 475 | 476 | # sbteclipse plugin 477 | .target 478 | 479 | # Tern plugin 480 | .tern-project 481 | 482 | # TeXlipse plugin 483 
| .texlipse 484 | 485 | # STS (Spring Tool Suite) 486 | .springBeans 487 | 488 | # Code Recommenders 489 | .recommenders/ 490 | 491 | # Annotation Processing 492 | .apt_generated/ 493 | .apt_generated_test/ 494 | 495 | # Scala IDE specific (Scala & Java development for Eclipse) 496 | .cache-main 497 | .scala_dependencies 498 | .worksheet 499 | 500 | # Uncomment this line if you wish to ignore the project description file. 501 | # Typically, this file would be tracked if it contains build/dependency configurations: 502 | #.project 503 | 504 | ##### Qt 505 | # C++ objects and libs 506 | *.slo 507 | *.lo 508 | *.o 509 | *.a 510 | *.la 511 | *.lai 512 | *.so 513 | *.so.* 514 | *.dll 515 | *.dylib 516 | 517 | # Qt-es 518 | object_script.*.Release 519 | object_script.*.Debug 520 | *_plugin_import.cpp 521 | /.qmake.cache 522 | /.qmake.stash 523 | *.pro.user 524 | *.pro.user.* 525 | *.qbs.user 526 | *.qbs.user.* 527 | *.moc 528 | moc_*.cpp 529 | moc_*.h 530 | qrc_*.cpp 531 | ui_*.h 532 | *.qmlc 533 | *.jsc 534 | Makefile* 535 | *build-* 536 | *.qm 537 | *.prl 538 | 539 | # Qt unit tests 540 | target_wrapper.* 541 | 542 | # QtCreator 543 | *.autosave 544 | 545 | # QtCreator Qml 546 | *.qmlproject.user 547 | *.qmlproject.user.* 548 | 549 | # QtCreator CMake 550 | CMakeLists.txt.user* 551 | 552 | # QtCreator 4.8< compilation database 553 | compile_commands.json 554 | 555 | # QtCreator local machine specific files for imported projects 556 | *creator.user* 557 | 558 | ##### VisualStudio 559 | ##### VisualStudio 560 | ## Ignore Visual Studio temporary files, build results, and 561 | ## files generated by popular Visual Studio add-ons. 
562 | ## 563 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 564 | 565 | # User-specific files (NOTE: the repo tree above already tracks km-mouse.vcxproj.user - an ignore rule does not untrack a file that is already committed, so remove it with git rm --cached; .user files typically hold machine-local paths and debugger/deployment settings and should not be published) 566 | *.rsuser 567 | *.suo 568 | *.user 569 | *.userosscache 570 | *.sln.docstates 571 | 572 | # User-specific files (MonoDevelop/Xamarin Studio) 573 | *.userprefs 574 | 575 | # Mono auto generated files 576 | mono_crash.* 577 | 578 | # Build results 579 | [Dd]ebug/ 580 | [Dd]ebugPublic/ 581 | [Rr]elease/ 582 | [Rr]eleases/ 583 | x64/ 584 | x86/ 585 | [Ww][Ii][Nn]32/ 586 | [Aa][Rr][Mm]/ 587 | [Aa][Rr][Mm]64/ 588 | bld/ 589 | [Bb]in/ 590 | [Oo]bj/ 591 | [Ll]og/ 592 | [Ll]ogs/ 593 | 594 | # Visual Studio 2015/2017 cache/options directory 595 | .vs/ 596 | # Uncomment if you have tasks that create the project's static files in wwwroot 597 | #wwwroot/ 598 | 599 | # Visual Studio 2017 auto generated files 600 | Generated\ Files/ 601 | 602 | # MSTest test Results 603 | [Tt]est[Rr]esult*/ 604 | [Bb]uild[Ll]og.* 605 | 606 | # NUnit 607 | *.VisualState.xml 608 | TestResult.xml 609 | nunit-*.xml 610 | 611 | # Build Results of an ATL Project 612 | [Dd]ebugPS/ 613 | [Rr]eleasePS/ 614 | dlldata.c 615 | 616 | # Benchmark Results 617 | BenchmarkDotNet.Artifacts/ 618 | 619 | # .NET Core 620 | project.lock.json 621 | project.fragment.lock.json 622 | artifacts/ 623 | 624 | # ASP.NET Scaffolding 625 | ScaffoldingReadMe.txt 626 | 627 | # StyleCop 628 | StyleCopReport.xml 629 | 630 | # Files built by Visual Studio 631 | *_i.c 632 | *_p.c 633 | *_h.h 634 | *.ilk 635 | *.meta 636 | *.obj 637 | *.iobj 638 | *.pch 639 | *.pdb 640 | *.ipdb 641 | *.pgc 642 | *.pgd 643 | *.rsp 644 | *.sbr 645 | *.tlb 646 | *.tli 647 | *.tlh 648 | *.tmp 649 | *.tmp_proj 650 | *_wpftmp.csproj 651 | *.log 652 | *.vspscc 653 | *.vssscc 654 | .builds 655 | *.pidb 656 | *.svclog 657 | *.scc 658 | 659 | # Chutzpah Test files 660 | _Chutzpah* 661 | 662 | # Visual C++ cache files 663 | ipch/ 664 | *.aps 665 | *.ncb 666 | *.opendb 667 | *.opensdf 668 | *.sdf 669 | *.cachefile 670 | 
*.VC.db 671 | *.VC.VC.opendb 672 | 673 | # Visual Studio profiler 674 | *.psess 675 | *.vsp 676 | *.vspx 677 | *.sap 678 | 679 | # Visual Studio Trace Files 680 | *.e2e 681 | 682 | # TFS 2012 Local Workspace 683 | $tf/ 684 | 685 | # Guidance Automation Toolkit 686 | *.gpState 687 | 688 | # ReSharper is a .NET coding add-in 689 | _ReSharper*/ 690 | *.[Rr]e[Ss]harper 691 | *.DotSettings.user 692 | 693 | # TeamCity is a build add-in 694 | _TeamCity* 695 | 696 | # DotCover is a Code Coverage Tool 697 | *.dotCover 698 | 699 | # AxoCover is a Code Coverage Tool 700 | .axoCover/* 701 | !.axoCover/settings.json 702 | 703 | # Coverlet is a free, cross platform Code Coverage Tool 704 | coverage*[.json, .xml, .info] 705 | 706 | # Visual Studio code coverage results 707 | *.coverage 708 | *.coveragexml 709 | 710 | # NCrunch 711 | _NCrunch_* 712 | .*crunch*.local.xml 713 | nCrunchTemp_* 714 | 715 | # MightyMoose 716 | *.mm.* 717 | AutoTest.Net/ 718 | 719 | # Web workbench (sass) 720 | .sass-cache/ 721 | 722 | # Installshield output folder 723 | [Ee]xpress/ 724 | 725 | # DocProject is a documentation generator add-in 726 | DocProject/buildhelp/ 727 | DocProject/Help/*.HxT 728 | DocProject/Help/*.HxC 729 | DocProject/Help/*.hhc 730 | DocProject/Help/*.hhk 731 | DocProject/Help/*.hhp 732 | DocProject/Help/Html2 733 | DocProject/Help/html 734 | 735 | # Click-Once directory 736 | publish/ 737 | 738 | # Publish Web Output 739 | *.[Pp]ublish.xml 740 | *.azurePubxml 741 | # Note: Comment the next line if you want to checkin your web deploy settings, 742 | # but database connection strings (with potential passwords) will be unencrypted 743 | *.pubxml 744 | *.publishproj 745 | 746 | # Microsoft Azure Web App publish settings. 
Comment the next line if you want to 747 | # checkin your Azure Web App publish settings, but sensitive information contained 748 | # in these scripts will be unencrypted 749 | PublishScripts/ 750 | 751 | # NuGet Packages 752 | *.nupkg 753 | # NuGet Symbol Packages 754 | *.snupkg 755 | # The packages folder can be ignored because of Package Restore 756 | **/[Pp]ackages/* 757 | # except build/, which is used as an MSBuild target. 758 | !**/[Pp]ackages/build/ 759 | # Uncomment if necessary however generally it will be regenerated when needed 760 | #!**/[Pp]ackages/repositories.config 761 | # NuGet v3's project.json files produce more ignorable files 762 | *.nuget.props 763 | *.nuget.targets 764 | 765 | # Microsoft Azure Build Output 766 | csx/ 767 | *.build.csdef 768 | 769 | # Microsoft Azure Emulator 770 | ecf/ 771 | rcf/ 772 | 773 | # Windows Store app package directories and files 774 | AppPackages/ 775 | BundleArtifacts/ 776 | Package.StoreAssociation.xml 777 | _pkginfo.txt 778 | *.appx 779 | *.appxbundle 780 | *.appxupload 781 | 782 | # Visual Studio cache files 783 | # files ending in .cache can be ignored 784 | *.[Cc]ache 785 | # but keep track of directories ending in .cache 786 | !?*.[Cc]ache/ 787 | 788 | # Others (*.pfx below is a PKCS#12 bundle that normally carries a private key, e.g. a driver test-signing certificate - keep it ignored and never force-add one) 789 | ClientBin/ 790 | ~$* 791 | *~ 792 | *.dbmdl 793 | *.dbproj.schemaview 794 | *.jfm 795 | *.pfx 796 | *.publishsettings 797 | orleans.codegen.cs 798 | 799 | # Including strong name files can present a security risk 800 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 801 | #*.snk 802 | 803 | # Since there are multiple workflows, uncomment next line to ignore bower_components 804 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 805 | #bower_components/ 806 | 807 | # RIA/Silverlight projects 808 | Generated_Code/ 809 | 810 | # Backup & report files from converting an old project file 811 | # to a newer Visual Studio version. 
Backup files are not needed, 812 | # because we have git ;-) 813 | _UpgradeReport_Files/ 814 | Backup*/ 815 | UpgradeLog*.XML 816 | UpgradeLog*.htm 817 | ServiceFabricBackup/ 818 | *.rptproj.bak 819 | 820 | # SQL Server files 821 | *.mdf 822 | *.ldf 823 | *.ndf 824 | 825 | # Business Intelligence projects 826 | *.rdl.data 827 | *.bim.layout 828 | *.bim_*.settings 829 | *.rptproj.rsuser 830 | *- [Bb]ackup.rdl 831 | *- [Bb]ackup ([0-9]).rdl 832 | *- [Bb]ackup ([0-9][0-9]).rdl 833 | 834 | # Microsoft Fakes 835 | FakesAssemblies/ 836 | 837 | # GhostDoc plugin setting file 838 | *.GhostDoc.xml 839 | 840 | # Node.js Tools for Visual Studio 841 | .ntvs_analysis.dat 842 | node_modules/ 843 | 844 | # Visual Studio 6 build log 845 | *.plg 846 | 847 | # Visual Studio 6 workspace options file 848 | *.opt 849 | 850 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 851 | *.vbw 852 | 853 | # Visual Studio LightSwitch build output 854 | **/*.HTMLClient/GeneratedArtifacts 855 | **/*.DesktopClient/GeneratedArtifacts 856 | **/*.DesktopClient/ModelManifest.xml 857 | **/*.Server/GeneratedArtifacts 858 | **/*.Server/ModelManifest.xml 859 | _Pvt_Extensions 860 | 861 | # Paket dependency manager 862 | .paket/paket.exe 863 | paket-files/ 864 | 865 | # FAKE - F# Make 866 | .fake/ 867 | 868 | # CodeRush personal settings 869 | .cr/personal 870 | 871 | # Python Tools for Visual Studio (PTVS) 872 | __pycache__/ 873 | *.pyc 874 | 875 | # Cake - Uncomment if you are using it 876 | # tools/** 877 | # !tools/packages.config 878 | 879 | # Tabs Studio 880 | *.tss 881 | 882 | # Telerik's JustMock configuration file 883 | *.jmconfig 884 | 885 | # BizTalk build output 886 | *.btp.cs 887 | *.btm.cs 888 | *.odx.cs 889 | *.xsd.cs 890 | 891 | # OpenCover UI analysis results 892 | OpenCover/ 893 | 894 | # Azure Stream Analytics local run output 895 | ASALocalRun/ 896 | 897 | # MSBuild Binary and Structured Log 898 | *.binlog 899 | 900 | # NVidia Nsight GPU debugger 
configuration file 901 | *.nvuser 902 | 903 | # MFractors (Xamarin productivity tool) working folder 904 | .mfractor/ 905 | 906 | # Local History for Visual Studio 907 | .localhistory/ 908 | 909 | # BeatPulse healthcheck temp database 910 | healthchecksdb 911 | 912 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 913 | MigrationBackup/ 914 | 915 | # Ionide (cross platform F# VS Code tools) working folder 916 | .ionide/ 917 | 918 | # Fody - auto-generated XML schema 919 | FodyWeavers.xsd 920 | 921 | ##### Gradle 922 | .gradle 923 | **/build/ 924 | !src/**/build/ 925 | 926 | # Ignore Gradle GUI config 927 | gradle-app.setting 928 | 929 | # Avoid ignoring Gradle wrapper jar file (.jar files are usually ignored) 930 | !gradle-wrapper.jar 931 | 932 | # Cache of project 933 | .gradletasknamecache 934 | 935 | # # Work around https://youtrack.jetbrains.com/issue/IDEA-116898 936 | # gradle/wrapper/gradle-wrapper.properties 937 | 938 | ##### CMake 939 | CMakeLists.txt.user 940 | CMakeCache.txt 941 | CMakeFiles 942 | CMakeScripts 943 | Testing 944 | Makefile 945 | cmake_install.cmake 946 | install_manifest.txt 947 | compile_commands.json 948 | CTestTestfile.cmake 949 | _deps 950 | 951 | ##### C++ 952 | # Prerequisites 953 | *.d 954 | 955 | # Compiled Object files 956 | *.slo 957 | *.lo 958 | *.o 959 | *.obj 960 | 961 | # Precompiled Headers 962 | *.gch 963 | *.pch 964 | 965 | # Compiled Dynamic libraries 966 | *.so 967 | *.dylib 968 | *.dll 969 | 970 | # Fortran module files 971 | *.mod 972 | *.smod 973 | 974 | # Compiled Static libraries 975 | *.lai 976 | *.la 977 | *.a 978 | *.lib 979 | 980 | # Executables 981 | *.exe 982 | *.out 983 | *.app 984 | 985 | # C/C++ binary extension file 986 | *.bin 987 | 988 | ##### C 989 | # Prerequisites 990 | *.d 991 | 992 | # Object files 993 | *.o 994 | *.ko 995 | *.obj 996 | *.elf 997 | 998 | # Linker output 999 | *.ilk 1000 | *.map 1001 | *.exp 1002 | 1003 | # Precompiled Headers 1004 | *.gch 1005 | *.pch 1006 | 
1007 | # Libraries 1008 | *.lib 1009 | *.a 1010 | *.la 1011 | *.lo 1012 | 1013 | # General 1014 | *.json 1015 | *.yml 1016 | *.yaml 1017 | *.db 1018 | *.sql 1019 | 1020 | # Shared objects (inc. Windows DLLs) 1021 | *.dll 1022 | *.so 1023 | *.so.* 1024 | *.dylib 1025 | 1026 | # Executables 1027 | *.exe 1028 | *.out 1029 | *.app 1030 | *.i*86 1031 | *.x86_64 1032 | *.hex 1033 | 1034 | # Debug files 1035 | *.dSYM/ 1036 | *.su 1037 | *.idb 1038 | *.pdb 1039 | 1040 | # Kernel Module Compile Results 1041 | *.mod* 1042 | *.cmd 1043 | .tmp_versions/ 1044 | modules.order 1045 | Module.symvers 1046 | Mkfile.old 1047 | dkms.conf 1048 | 1049 | # Raspberry Pi Pico Object file 1050 | *.uf2 1051 | # Raspberry Pi Pico disassembler file 1052 | *.dis -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. 
Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 
55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. 
You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. 
But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. 
(This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. 
These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 
214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. 
If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | 294 | Copyright (C) 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 
305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | , 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 
340 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Infestation 2 | 3 | 4 | ### Usermode 5 | 6 | I've made simple usermode for testing, but i wont release, there are many sources available to copy and use. 7 | 8 | ### Kernelmode 9 | 10 | 11 | Watch the demo 12 | 13 | The driver can be used in any windows 10/11 versions. 14 | 15 | **Available** 16 | - [x] Kernel driver with extra addons 17 | - [x] kernel **mouse_movement** 18 | - [x] Kernel **mouse_down** and **mouse_up** 19 | - [x] Read virtual memory (**mmcopy**) 20 | - [x] Write virtual memory (**mmcopy/mdl**) 21 | - [x] Kernel driver ready to be manually mapped **tested** (kdmapper/lenovo) 22 | 23 | **Planning** 24 | - [ ] TODO: Kernel Dispatch **Write Memory** 25 | - [ ] TODO: Protect usermode process 26 | - [ ] TODO: Clear MmUnloadedDrivers 27 | - [ ] TODO: Clear PiDDBCacheTable 28 | 29 | ## How to use ? 
30 | 31 | 32 | ### 1.1 Manually mapping 33 | 34 | - Clone the repository 35 | - Open the solution in Visual Studio 2022 v143 36 | - **DISABLE** `Security Check` if loading driver with driver mapper 37 | 38 | 39 | 40 | - Build the project 41 | - Copy the driver to the same folder as the executable 42 | - Load the driver with the driver mapper 43 | 44 | ### 1.2 Loading via service `SC` 45 | 46 | - Clone the repository 47 | - Open the solution in Visual Studio 2022 v143 48 | 49 | - Build the project 50 | - To load the driver **MUST HAVE**: driver certificate, using [DSE](https://github.com/hfiref0x/UPGDSED) or with [Windows Testmode](https://linuxhint.com/enable-disable-test-mode-windows-10-11/) 51 | 52 | >create driver 53 | sc create [service name] binPath= [path to your .sys file] type= kernel 54 | 55 | >load driver 56 | sc start [service name] 57 | 58 | > stop driver 59 | sc stop [service name] 60 | 61 | > delete driver 62 | sc delete [service name] 63 | 64 | ### Disclaimer ⚠ 65 | 66 | >I wont support or provide any binaries for this project, you are free to use it as you wish, this is a free project. 
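--------------------------------------------------------------------------------
/driver/communication/dispatch.c:
--------------------------------------------------------------------------------
#include "dispatch.h"

/* Upper bound (bytes, including the NUL) on a PROCESSID_REQUEST name. */
#define KM_MAX_PROCESS_NAME 256

/*
 * Complete `irp` with the given status and Information value and hand the
 * same status back to the I/O manager, so IoStatus.Status and the dispatch
 * routine's return value can never disagree.
 */
static NTSTATUS complete_request(PIRP irp, NTSTATUS status, ULONG_PTR information) {
    irp->IoStatus.Status = status;
    irp->IoStatus.Information = information;
    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return status;
}

/*
 * Copy the NUL-terminated string at the user-mode address `user_name` into
 * `out` (capacity `out_size`).
 *
 * KPROCESSID_REQUEST carries a raw pointer; METHOD_BUFFERED copied the struct
 * but not the string behind the pointer, which still lives in the caller's
 * address space. IRP_MJ_DEVICE_CONTROL for this top-level device runs in the
 * caller's context, so the string can be probed and copied here. Returns
 * FALSE if the pointer is not a user-mode address, faults while being read,
 * or is not terminated within `out_size` bytes.
 */
static BOOLEAN capture_user_string(const char* user_name, char* out, SIZE_T out_size) {
    SIZE_T i;

    if (!user_name || !out || out_size == 0)
        return FALSE;

    __try {
        /* Range-checks the whole window we may read against the user/kernel
           boundary, so a kernel address can never be walked as a string. */
        ProbeForRead(user_name, out_size, 1);
        for (i = 0; i < out_size; i++) {
            out[i] = user_name[i];
            if (out[i] == '\0')
                return TRUE;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        return FALSE;
    }

    /* No terminator inside the limit: reject rather than truncate. */
    out[0] = '\0';
    return FALSE;
}

/*
 * Make a pool copy of the user-mode UNICODE_STRING `user` in `out`.
 *
 * The UNICODE_STRING header was copied by the I/O manager, but its Buffer
 * still points into the caller's user space. get_module_base attaches to
 * another process before comparing names, where that pointer is meaningless,
 * so the characters are captured here first. On success `out->Buffer` is pool
 * memory tagged KM_POOL_TAG that the caller must free.
 */
static NTSTATUS capture_unicode_string(const UNICODE_STRING* user, UNICODE_STRING* out) {
    PWCHAR buffer;
    USHORT length = user->Length;

    out->Buffer = NULL;
    out->Length = 0;
    out->MaximumLength = 0;

    /* Length is in bytes and must hold whole WCHARs. */
    if (length == 0 || (length & 1) != 0 || user->Buffer == NULL)
        return STATUS_INVALID_PARAMETER;

    buffer = (PWCHAR)ExAllocatePool2(POOL_FLAG_NON_PAGED, length, KM_POOL_TAG);
    if (!buffer)
        return STATUS_INSUFFICIENT_RESOURCES;

    __try {
        ProbeForRead(user->Buffer, length, 1);
        RtlCopyMemory(buffer, user->Buffer, length);
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        ExFreePoolWithTag(buffer, KM_POOL_TAG);
        return GetExceptionCode();
    }

    out->Buffer = buffer;
    out->Length = length;
    out->MaximumLength = length;
    return STATUS_SUCCESS;
}

/*
 * IRP_MJ_DEVICE_CONTROL handler.
 *
 * Every code is METHOD_BUFFERED, so the request struct is read from
 * irp->AssociatedIrp.SystemBuffer only after checking that the caller
 * supplied at least sizeof(struct) bytes.
 *
 * PROCESSID_REQUEST and MODULEBASE_REQUEST return their result in
 * IoStatus.Information (the bytes-returned value DeviceIoControl reports)
 * and write nothing into an output buffer. The I/O manager copies
 * Information bytes from the system buffer into any output buffer the
 * caller supplied, so a caller that passes one would get an out-of-bounds
 * copy; those two requests are therefore refused unless OutputBufferLength
 * is 0.
 *
 * The IRP is always completed here and the stored status is returned.
 */
NTSTATUS on_message(PDEVICE_OBJECT device_object, PIRP irp) {
    UNREFERENCED_PARAMETER(device_object);

    PIO_STACK_LOCATION io_stack = IoGetCurrentIrpStackLocation(irp);
    ULONG control_code = io_stack->Parameters.DeviceIoControl.IoControlCode;
    ULONG in_len = io_stack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG out_len = io_stack->Parameters.DeviceIoControl.OutputBufferLength;
    PVOID system_buffer = irp->AssociatedIrp.SystemBuffer;

    switch (control_code) {

    case MOUSE_REQUEST: {
        message("Mouse request\n");
        if (!system_buffer || in_len < sizeof(KMOUSE_REQUEST))
            return complete_request(irp, STATUS_BUFFER_TOO_SMALL, 0);

        PKMOUSE_REQUEST mouse_request = (PKMOUSE_REQUEST)system_buffer;
        mouse_move(mouse_request->x, mouse_request->y, mouse_request->button_flags);
        return complete_request(irp, STATUS_SUCCESS, 0);
    }

    case PROCESSID_REQUEST: {
        char name[KM_MAX_PROCESS_NAME];

        message("Process id request\n");
        if (!system_buffer || in_len < sizeof(KPROCESSID_REQUEST))
            return complete_request(irp, STATUS_BUFFER_TOO_SMALL, 0);
        if (out_len != 0)
            return complete_request(irp, STATUS_INVALID_PARAMETER, 0);

        PKPROCESSID_REQUEST process_request = (PKPROCESSID_REQUEST)system_buffer;
        if (!capture_user_string(process_request->process_name, name, sizeof(name)))
            return complete_request(irp, STATUS_INVALID_USER_BUFFER, 0);

        /* The name is a narrow string (get_process_id matches it with strstr),
           so it is printed with %s, not %ws. */
        message("Process name %s\n", name);
        int process_id = get_process_id(name);
        message("Process id %d\n", process_id);
        return complete_request(irp, STATUS_SUCCESS, (ULONG_PTR)process_id);
    }

    case MODULEBASE_REQUEST: {
        UNICODE_STRING module_name;

        message("Module base request\n");
        if (!system_buffer || in_len < sizeof(KERNEL_MODULE_REQUEST))
            return complete_request(irp, STATUS_BUFFER_TOO_SMALL, 0);
        if (out_len != 0)
            return complete_request(irp, STATUS_INVALID_PARAMETER, 0);

        PKERNEL_MODULE_REQUEST module_request = (PKERNEL_MODULE_REQUEST)system_buffer;
        NTSTATUS capture_status = capture_unicode_string(&module_request->module_name, &module_name);
        if (!NT_SUCCESS(capture_status))
            return complete_request(irp, capture_status, 0);

        uintptr_t module_base = get_module_base(module_request->pid, module_name);
        ExFreePoolWithTag(module_name.Buffer, KM_POOL_TAG);
        message("Module base %p\n", (PVOID)module_base);

        /* NOTE(review): Information reaches user mode as DeviceIoControl's
           32-bit lpBytesReturned, which cannot hold a 64-bit base; returning
           it in the request's module_base field would need a protocol change
           on the user-mode side, so the existing convention is kept here. */
        return complete_request(irp, STATUS_SUCCESS, (ULONG_PTR)module_base);
    }

    case READ_REQUEST: {
        message("Read request\n");
        if (!system_buffer || in_len < sizeof(KERNEL_READ_REQUEST))
            return complete_request(irp, STATUS_BUFFER_TOO_SMALL, 0);

        PKERNEL_READ_REQUEST read_request = (PKERNEL_READ_REQUEST)system_buffer;
        message("Src pid %d\n", read_request->src_pid);
        message("Src address %p\n", read_request->src_address);
        message("Dst buffer %p\n", read_request->p_buffer);
        message("Size %I64u\n", (ULONG64)read_request->size);

        if (read_request->size == 0)
            return complete_request(irp, STATUS_INVALID_PARAMETER, 0);

        /* p_buffer is the caller's own buffer and must be writable user
           memory: read_virtual_memory copies with KernelMode semantics and
           would otherwise overwrite kernel memory on request. src_address is
           read inside src_pid; ProbeForRead only range-checks it (no page is
           touched), which is enough to keep kernel addresses out of the copy. */
        __try {
            ProbeForWrite(read_request->p_buffer, read_request->size, 1);
            ProbeForRead(read_request->src_address, read_request->size, 1);
        }
        __except (EXCEPTION_EXECUTE_HANDLER) {
            return complete_request(irp, GetExceptionCode(), 0);
        }

        NTSTATUS status = read_virtual_memory(read_request->src_pid, read_request->src_address,
                                              read_request->p_buffer, read_request->size);
        if (!NT_SUCCESS(status))
            return complete_request(irp, status, 0);

        /* Information doubles as the copy-back length whenever the caller
           supplied an output buffer, so it must never exceed that buffer. */
        ULONG_PTR reported = read_request->size;
        if (out_len != 0 && reported > out_len)
            reported = out_len;
        return complete_request(irp, STATUS_SUCCESS, reported);
    }

    default:
        message("Unknown request\n");
        /* Return the same status that is stored in the IRP. */
        return complete_request(irp, STATUS_NOT_SUPPORTED, 0);
    }
}

/*
 * Catch-all for major functions the driver does not implement. The IRP is
 * completed here: a dispatch routine that returns a non-pending status
 * without completing its IRP leaks the IRP and leaves the caller waiting.
 */
NTSTATUS unsupported_opperation(PDEVICE_OBJECT device_object, PIRP irp) {
    UNREFERENCED_PARAMETER(device_object);

    message("TODO\n");
    return complete_request(irp, STATUS_NOT_SUPPORTED, 0);
}

/* IRP_MJ_CREATE: every open of the device succeeds; no access check is made. */
NTSTATUS on_create(PDEVICE_OBJECT device_object, PIRP irp) {
    UNREFERENCED_PARAMETER(device_object);

    message("Creation called\n");
    return complete_request(irp, STATUS_SUCCESS, 0);
}

/* IRP_MJ_CLOSE: nothing is held per handle, so the close always succeeds. */
NTSTATUS on_close(PDEVICE_OBJECT device_object, PIRP irp) {
    UNREFERENCED_PARAMETER(device_object);

    message("Close called\n");
    irp->IoStatus.Status = STATUS_SUCCESS;
    irp->IoStatus.Information = 0;
    IoCompleteRequest(irp, IO_NO_INCREMENT);

    return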
STATUS_SUCCESS;
}
--------------------------------------------------------------------------------
/driver/communication/dispatch.h:
--------------------------------------------------------------------------------
#pragma once
#include "../utils/defs.h"
#include "../utils/message.h"
#include "../memory/memory.h"
#include "../mouse/mouse.h"
#include "../memory/process.h"

/*
 * IOCTL interface of the device created in main.c.
 *
 * All codes are METHOD_BUFFERED: the I/O manager copies the request struct
 * into a kernel buffer, but any pointer stored inside the struct still refers
 * to the caller's address space and has to be probed/copied by the dispatcher
 * before it is dereferenced. FILE_SPECIAL_ACCESS is FILE_ANY_ACCESS, so a
 * handle opened with no access rights at all may issue every code below; the
 * driver relies entirely on who can open the device for access control.
 */

/* Look up a process by a substring of its image name (memory.c
   get_process_id). on_message returns the pid through IoStatus.Information. */
#define PROCESSID_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x555, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

typedef struct _KPROCESSID_REQUEST {
    const char* process_name;   /* user-mode pointer to a NUL-terminated narrow string */
} KPROCESSID_REQUEST, * PKPROCESSID_REQUEST;

/* Synthesize mouse input; the fields are handed straight to mouse_move
   (mouse/mouse.h), which defines their meaning. */
#define MOUSE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x666, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

typedef struct _KMOUSE_REQUEST {
    long x;
    long y;
    unsigned char button_flags;
} KMOUSE_REQUEST, * PKMOUSE_REQUEST;


/* Base address of a user-mode module inside process `pid` (memory.c
   get_module_base). on_message returns the base through
   IoStatus.Information; the module_base field is not written by it. */
#define MODULEBASE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x777, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

typedef struct _KERNEL_MODULE_REQUEST {
    int pid;
    UNICODE_STRING module_name; /* Buffer is a user-mode pointer, Length in bytes */
    uintptr_t module_base;      /* unused by the current dispatcher */
} KERNEL_MODULE_REQUEST, * PKERNEL_MODULE_REQUEST;

/* Copy `size` bytes from `src_address` inside process `src_pid` into the
   caller's buffer `p_buffer` (process.c read_virtual_memory). */
#define READ_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x888, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

typedef struct _KERNEL_READ_REQUEST {
    int src_pid;
    PVOID src_address;  /* address inside src_pid to read from */
    PVOID p_buffer;     /* caller-owned destination buffer */
    SIZE_T size;        /* bytes to copy */

} KERNEL_READ_REQUEST, * PKERNEL_READ_REQUEST;

/* Declared for the planned write path; on_message in dispatch.c has no
   branch for this code yet (listed as TODO in the README). */
#define WRITE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x999, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

typedef struct _KERNEL_WRITE_REQUEST {
    int src_pid;
    PVOID src_address;
    PVOID p_buffer;
    SIZE_T size;

} KERNEL_WRITE_REQUEST, * PKERNEL_WRITE_REQUEST;

/* IRP_MJ_DEVICE_CONTROL dispatch: decodes the codes above. */
NTSTATUS on_message(PDEVICE_OBJECT device_object, PIRP irp);
/* IRP_MJ_CREATE: accepts every open. */
NTSTATUS on_create(PDEVICE_OBJECT device_object, PIRP irp);
/* IRP_MJ_CLOSE: no per-handle state to release. */
NTSTATUS on_close(PDEVICE_OBJECT device_object, PIRP irp);
/* Placeholder for major functions the driver does not handle. */
NTSTATUS
unsupported_opperation(PDEVICE_OBJECT device_object, PIRP irp); 55 | 56 | 57 | 58 | -------------------------------------------------------------------------------- /driver/km-mouse.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; km-mouse.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=System ; TODO: specify appropriate Class 8 | ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318} ; TODO: specify appropriate ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=km-mouse.cat 11 | DriverVer= ; TODO: set DriverVer in stampinf property pages 12 | PnpLockdown=1 13 | 14 | [DestinationDirs] 15 | DefaultDestDir = 12 16 | km-mouse_Device_CoInstaller_CopyFiles = 11 17 | 18 | [SourceDisksNames] 19 | 1 = %DiskName%,,,"" 20 | 21 | [SourceDisksFiles] 22 | km-mouse.sys = 1,, 23 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames 24 | 25 | ;***************************************** 26 | ; Install Section 27 | ;***************************************** 28 | 29 | [Manufacturer] 30 | %ManufacturerName%=Standard,NT$ARCH$ 31 | 32 | [Standard.NT$ARCH$] 33 | %km-mouse.DeviceDesc%=km-mouse_Device, Root\km-mouse ; TODO: edit hw-id 34 | 35 | [km-mouse_Device.NT] 36 | CopyFiles=Drivers_Dir 37 | 38 | [Drivers_Dir] 39 | km-mouse.sys 40 | 41 | ;-------------- Service installation 42 | [km-mouse_Device.NT.Services] 43 | AddService = km-mouse,%SPSVCINST_ASSOCSERVICE%, km-mouse_Service_Inst 44 | 45 | ; -------------- km-mouse driver install sections 46 | [km-mouse_Service_Inst] 47 | DisplayName = %km-mouse.SVCDESC% 48 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 49 | StartType = 3 ; SERVICE_DEMAND_START 50 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 51 | ServiceBinary = %12%\km-mouse.sys 52 | 53 | ; 54 | ;--- km-mouse_Device Coinstaller installation ------ 55 | ; 56 | 57 | [km-mouse_Device.NT.CoInstallers] 58 | AddReg=km-mouse_Device_CoInstaller_AddReg 59 | 
CopyFiles=km-mouse_Device_CoInstaller_CopyFiles 60 | 61 | [km-mouse_Device_CoInstaller_AddReg] 62 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller" 63 | 64 | [km-mouse_Device_CoInstaller_CopyFiles] 65 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll 66 | 67 | [km-mouse_Device.NT.Wdf] 68 | KmdfService = km-mouse, km-mouse_wdfsect 69 | [km-mouse_wdfsect] 70 | KmdfLibraryVersion = $KMDFVERSION$ 71 | 72 | [Strings] 73 | SPSVCINST_ASSOCSERVICE= 0x00000002 74 | ManufacturerName="" ;TODO: Replace with your manufacturer name 75 | DiskName = "km-mouse Installation Disk" 76 | km-mouse.DeviceDesc = "km-mouse Device" 77 | km-mouse.SVCDESC = "km-mouse Service" 78 | -------------------------------------------------------------------------------- /driver/km-mouse.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | x64 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | Debug 14 | ARM64 15 | 16 | 17 | Release 18 | ARM64 19 | 20 | 21 | 22 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E} 23 | {1bc93793-694f-48fe-9372-81e2b05556fd} 24 | v4.5 25 | 12.0 26 | Debug 27 | x64 28 | km_mouse 29 | 30 | 31 | 32 | Windows10 33 | true 34 | WindowsKernelModeDriver10.0 35 | Driver 36 | KMDF 37 | Universal 38 | false 39 | 40 | 41 | Windows10 42 | false 43 | WindowsKernelModeDriver10.0 44 | Driver 45 | KMDF 46 | Universal 47 | Spectre 48 | 49 | 50 | Windows10 51 | true 52 | WindowsKernelModeDriver10.0 53 | Driver 54 | KMDF 55 | Universal 56 | 57 | 58 | Windows10 59 | false 60 | WindowsKernelModeDriver10.0 61 | Driver 62 | KMDF 63 | Universal 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | DbgengKernelDebugger 75 | 76 | 77 | DbgengKernelDebugger 78 | 79 | 80 | DbgengKernelDebugger 81 | 82 | 83 | DbgengKernelDebugger 84 | 85 | 86 | 87 | sha256 88 | 89 | 90 | _DEBUG;_WIN64;_AMD64_;AMD64;%(PreprocessorDefinitions) 91 | false 92 | false 93 | 94 | 95 | driver_entry 96 | 
ntoskrnl.lib;%(AdditionalDependencies) 97 | 98 | 99 | 100 | 101 | sha256 102 | 103 | 104 | false 105 | false 106 | 107 | 108 | ntoskrnl.lib;%(AdditionalDependencies) 109 | driver_entry 110 | 111 | 112 | 113 | 114 | sha256 115 | 116 | 117 | 118 | 119 | sha256 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | Document 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | -------------------------------------------------------------------------------- /driver/km-mouse.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | 22 | 23 | Driver Files 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | Source Files 35 | 36 | 37 | Source Files 38 | 39 | 40 | Source Files 41 | 42 | 43 | Source Files 44 | 45 | 46 | 47 | 48 | Header Files 49 | 50 | 51 | Header Files 52 | 53 | 54 | Header Files 55 | 56 | 57 | Header Files 58 | 59 | 60 | Header Files 61 | 62 | 63 | Header Files 64 | 65 | 66 | 67 | 68 | Source Files 69 | 70 | 71 | -------------------------------------------------------------------------------- /driver/km-mouse.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | true 5 | 6 | -------------------------------------------------------------------------------- /driver/main.c: -------------------------------------------------------------------------------- 1 | #include "communication/dispatch.h" 2 | #include "utils/message.h" 3 | #include 
"memory/memory.h" 4 | #include "memory/process.h" 5 | 6 | // must change 7 | UNICODE_STRING device_name = RTL_CONSTANT_STRING(L"\\Device\\infestation"); 8 | UNICODE_STRING device_link = RTL_CONSTANT_STRING(L"\\DosDevices\\infestation"); 9 | PDEVICE_OBJECT device_object; 10 | 11 | 12 | NTSTATUS driver_unload(PDRIVER_OBJECT driver_object) { 13 | 14 | IoDeleteDevice(device_object); 15 | IoDeleteSymbolicLink(&device_link); 16 | message("Goodbye, world!\n"); 17 | return STATUS_SUCCESS; 18 | } 19 | 20 | NTSTATUS driver_entry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path) { 21 | 22 | UNREFERENCED_PARAMETER(registry_path); 23 | 24 | message("Hello, world!\n"); 25 | driver_object->DriverUnload = driver_unload; 26 | 27 | message("mouhid.sys %p\n", get_kernel_module("mouhid.sys")); 28 | 29 | 30 | IoCreateDevice(driver_object, 0, &device_name, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &device_object); 31 | IoCreateSymbolicLink(&device_link, &device_name); 32 | 33 | driver_object->MajorFunction[IRP_MJ_CREATE] = on_create; 34 | driver_object->MajorFunction[IRP_MJ_CLOSE] = on_close; 35 | driver_object->MajorFunction[IRP_MJ_DEVICE_CONTROL] = on_message; 36 | 37 | device_object->Flags |= DO_DIRECT_IO; 38 | device_object->Flags &= ~DO_DEVICE_INITIALIZING; 39 | 40 | // Sample example, have fun! 
41 | int pid = get_process_id("cs2.exe"); 42 | UNICODE_STRING module_name; 43 | RtlInitUnicodeString(&module_name, L"client.dll"); 44 | uintptr_t client = get_module_base(pid, module_name); 45 | int local_health = 0; 46 | uintptr_t local_player = 0; 47 | read_virtual_memory(pid, client + 0x16C2B18, &local_player, sizeof(uintptr_t)); 48 | 49 | read_virtual_memory(pid, local_player + 0x32C,&local_health, sizeof(int)); 50 | 51 | message("local_player %p , health %d",local_player, local_health); 52 | 53 | return STATUS_SUCCESS; 54 | } 55 | 56 | // NOTE: to use this driver, you need to change the current driver_entry to driver_initialize 57 | //NTSTATUS driver_entry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path) { 58 | // UNREFERENCED_PARAMETER(driver_object); 59 | // UNREFERENCED_PARAMETER(registry_path); 60 | // 61 | // message("system range start is %p driver_entry at %p\n", MmSystemRangeStart, driver_entry); 62 | // 63 | // NTSTATUS status = STATUS_SUCCESS; 64 | // __try { 65 | // must change 66 | // UNICODE_STRING driver_name = RTL_CONSTANT_STRING(L"\\Driver\\infestation"); 67 | // 68 | // status = IoCreateDriver(&driver_name, &driver_initialize); 69 | // } 70 | // __except (EXCEPTION_EXECUTE_HANDLER) { 71 | // status = GetExceptionCode(); 72 | // } 73 | // 74 | // if (!NT_SUCCESS(status)) { 75 | // message("driver_initialize failed with status 0x%08X\n", status); 76 | // driver_unload(driver_object); 77 | // } 78 | // 79 | // return status; 80 | //} 81 | -------------------------------------------------------------------------------- /driver/memory/memory.c: -------------------------------------------------------------------------------- 1 | #include "memory.h" 2 | 3 | ULONG64 get_kernel_module(const char* module_name) { 4 | ULONG64 module_base = 0; 5 | ULONG module_size = 0; 6 | PRTL_PROCESS_MODULES modules = NULL; 7 | NTSTATUS status = ZwQuerySystemInformation(0x0B, 0, 0, &module_size); 8 | 9 | if (status != STATUS_INFO_LENGTH_MISMATCH) 10 | return 
0; 11 | 12 | 13 | modules = (PRTL_PROCESS_MODULES)ExAllocatePool2(POOL_FLAG_NON_PAGED, module_size, KM_POOL_TAG); 14 | if (!modules) 15 | return 0; 16 | 17 | status = ZwQuerySystemInformation(0x0B, modules, module_size, &module_size); 18 | if (!NT_SUCCESS(status)) { 19 | ExFreePoolWithTag(modules, KM_POOL_TAG); 20 | return 0; 21 | } 22 | 23 | PRTL_PROCESS_MODULE_INFORMATION module = modules->Modules; 24 | for (ULONG i = 0; i < modules->NumberOfModules; i++) { 25 | message("Module Name: %s\n", module[i].FullPathName + module[i].OffsetToFileName); 26 | message("Module Base: %p\n", module[i].ImageBase); 27 | message("Module Size: %d\n", module[i].ImageSize); 28 | 29 | if (strcmp((char*)module[i].FullPathName + module[i].OffsetToFileName, module_name) == 0) { 30 | module_base = (ULONG64)module[i].ImageBase; 31 | break; 32 | } 33 | } 34 | 35 | ExFreePoolWithTag(modules, KM_POOL_TAG); 36 | return module_base; 37 | } 38 | 39 | ULONG64 get_module_imagebase(int pid) { 40 | PEPROCESS proc; 41 | if (PsLookupProcessByProcessId((HANDLE)pid, &proc) != STATUS_SUCCESS) 42 | return 0; 43 | 44 | return (ULONG64)PsGetProcessSectionBaseAddress(proc); 45 | 46 | } 47 | 48 | // driver built for windows 10 22H2, change the offsets if you're using a different version 49 | //https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016 50 | 51 | int get_process_id(const char* process_name) { 52 | PEPROCESS proc; 53 | PEPROCESS sysproc = PsInitialSystemProcess; 54 | PLIST_ENTRY list = (PLIST_ENTRY)((char*)sysproc + ActiveProcessLinks); // _EPROCESS.ActiveProcessLinks 55 | PLIST_ENTRY head = list; 56 | do { 57 | proc = (PEPROCESS)((char*)list - ActiveProcessLinks); // _EPROCESS.ActiveProcessLinks 58 | if (strstr((char*)proc + ImageFileName, process_name)) { // _EPROCESS.ImageFileName 59 | return (int)PsGetProcessId(proc); 60 | } 61 | list = list->Flink; 62 | } while (list != head); 63 | 64 | return 0; 65 | } 66 | 67 | uintptr_t get_module_base(int pid, UNICODE_STRING module_name) { 
68 | 69 | PEPROCESS proc; 70 | if (PsLookupProcessByProcessId((HANDLE)pid, &proc) != STATUS_SUCCESS) 71 | return 0; 72 | 73 | PPEB p_peb = (PPEB)PsGetProcessPeb(proc); 74 | 75 | if (!p_peb) 76 | return 0; 77 | 78 | KAPC_STATE state; 79 | 80 | KeStackAttachProcess(proc, &state); 81 | 82 | PPEB_LDR_DATA pLdr = (PPEB_LDR_DATA)p_peb->Ldr; 83 | 84 | if (!pLdr) { 85 | KeUnstackDetachProcess(&state); 86 | return 0; 87 | } 88 | 89 | 90 | for (PLIST_ENTRY list = (PLIST_ENTRY)pLdr->InLoadOrderModuleList.Flink; 91 | list != &pLdr->InLoadOrderModuleList; list = (PLIST_ENTRY)list->Flink) 92 | { 93 | PLDR_DATA_TABLE_ENTRY pEntry = 94 | CONTAINING_RECORD(list, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); 95 | 96 | 97 | if (RtlCompareUnicodeString(&pEntry->BaseDllName, &module_name, TRUE) == 0) { 98 | message("Module Name: %wZ\n", pEntry->BaseDllName); 99 | message("Module Base: %p\n", pEntry->DllBase); 100 | message("Module Size: %d\n", pEntry->SizeOfImage); 101 | uintptr_t module_base = (uintptr_t)pEntry->DllBase; 102 | KeUnstackDetachProcess(&state); 103 | 104 | return module_base; 105 | } 106 | 107 | 108 | } 109 | 110 | KeUnstackDetachProcess(&state); 111 | message("Failed to find module\n"); 112 | return 0; 113 | } 114 | -------------------------------------------------------------------------------- /driver/memory/memory.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "../utils/defs.h" 3 | #include "../utils/message.h" 4 | 5 | ULONG64 get_kernel_module(const char* module_name); 6 | 7 | ULONG64 get_module_imagebase(int pid); 8 | 9 | int get_process_id(const char* process_name); 10 | 11 | uintptr_t get_module_base(int pid,UNICODE_STRING module_name); 12 | -------------------------------------------------------------------------------- /driver/memory/process.c: -------------------------------------------------------------------------------- 1 | #include "process.h" 2 | 3 | NTSTATUS read_virtual_memory(int pid, PVOID 
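source_addr, PVOID target_addr, SIZE_T size) {
    /*
     * Copy `size` bytes from `source_addr` in process `pid` into the caller's
     * buffer `target_addr`. The destination is addressed in the *current*
     * process (a kernel buffer for in-driver callers such as driver_entry,
     * the caller's user buffer for the READ_REQUEST IOCTL), not in `pid`.
     * Returns MmCopyVirtualMemory's status, or STATUS_INVALID_PARAMETER for
     * a bad pid, a NULL address or an empty request.
     *
     * KernelMode is passed as the previous mode so that kernel buffers are
     * accepted; that also switches off MmCopyVirtualMemory's own user-range
     * checks, so callers handing in user-supplied addresses must probe them
     * before calling.
     */
    SIZE_T bytes = 0;
    NTSTATUS status;
    PEPROCESS process;

    if (size == 0 || source_addr == NULL || target_addr == NULL)
        return STATUS_INVALID_PARAMETER;

    if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)pid, &process)))
        return STATUS_INVALID_PARAMETER;

    status = MmCopyVirtualMemory(process, source_addr, PsGetCurrentProcess(), target_addr,
                                 size, KernelMode, &bytes);

    /* PsLookupProcessByProcessId handed back a referenced EPROCESS. */
    ObDereferenceObject(process);
    return status;
}

/*
 * Copy `size` bytes from the caller's buffer `source_addr` (current process)
 * to `target_addr` inside process `pid` with MmCopyVirtualMemory. Returns its
 * status, or STATUS_INVALID_PARAMETER for a bad pid, NULL address or size 0.
 *
 * NOTE(review): the argument roles follow write_safe_memory below (copy from
 * source_addr into target_addr). Nothing dispatches WRITE_REQUEST yet, so
 * confirm this convention against the user-mode side before wiring it up.
 * As with read_virtual_memory, KernelMode disables the user-range checks and
 * user-supplied addresses must be probed by the caller.
 */
NTSTATUS write_virtual_memory(int pid, PVOID source_addr, PVOID target_addr, SIZE_T size) {
    SIZE_T bytes = 0;
    NTSTATUS status;
    PEPROCESS process;

    if (size == 0 || source_addr == NULL || target_addr == NULL)
        return STATUS_INVALID_PARAMETER;

    if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)pid, &process)))
        return STATUS_INVALID_PARAMETER;

    status = MmCopyVirtualMemory(PsGetCurrentProcess(), source_addr, process, target_addr,
                                 size, KernelMode, &bytes);

    ObDereferenceObject(process);
    return status;
}

/*
 * Write `size` bytes from `source_addr` to `target_addr` through a locked,
 * kernel-mapped MDL, so the write goes to the physical pages regardless of
 * the target PTE's protection. Returns STATUS_SUCCESS, STATUS_INVALID_PARAMETER
 * (bad pid, NULL address, size 0 or larger than an MDL can describe),
 * STATUS_INSUFFICIENT_RESOURCES, or the exception code if locking or the
 * copy faults.
 *
 * NOTE(review): `pid` is only validated; there is no KeStackAttachProcess,
 * so target_addr is interpreted in the *current* address space and this
 * routine cannot write into another process as written. MmNonCached on
 * ordinary RAM is also unusual (MmCached is the normal choice unless the
 * target is device memory) — confirm both before use.
 */
NTSTATUS write_safe_memory(int pid, PVOID source_addr, PVOID target_addr, SIZE_T size) {
    NTSTATUS status = STATUS_SUCCESS;
    PEPROCESS process;
    PMDL mdl;
    PVOID mapped = NULL;
    BOOLEAN locked = FALSE;

    if (size == 0 || size > MAXULONG || source_addr == NULL || target_addr == NULL)
        return STATUS_INVALID_PARAMETER;

    if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)pid, &process)))
        return STATUS_INVALID_PARAMETER;
    ObDereferenceObject(process);

    mdl = IoAllocateMdl(target_addr, (ULONG)size, FALSE, FALSE, NULL);
    if (!mdl)
        return STATUS_INSUFFICIENT_RESOURCES;

    __try {
        __try {
            /* The mapping is written to, so the pages are locked for write;
               IoReadAccess only asserts readability. MmProbeAndLockPages
               raises rather than returning on failure. */
            MmProbeAndLockPages(mdl, KernelMode, IoWriteAccess);
            locked = TRUE;

            mapped = MmMapLockedPagesSpecifyCache(mdl, KernelMode, MmNonCached, NULL, FALSE, NormalPagePriority);
            if (!mapped) {
                status = STATUS_INSUFFICIENT_RESOURCES;
                __leave;
            }

            RtlCopyMemory(mapped, source_addr, size);
        }
        __except (EXCEPTION_EXECUTE_HANDLER) {
            status = GetExceptionCode();
        }
    }
    __finally {
        /* Undo exactly what succeeded, in reverse order, on every path. */
        if (mapped)
            MmUnmapLockedPages(mapped, mdl);
        if (locked)
            MmUnlockPages(mdl);
        IoFreeMdl(mdl);
    }

    return status;
}
--------------------------------------------------------------------------------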
/driver/memory/process.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "../utils/defs.h" 3 | 4 | NTSTATUS read_virtual_memory(int pid, PVOID source_addr, PVOID target_addr, SIZE_T size); 5 | 6 | NTSTATUS write_virtual_memory(int pid, PVOID source_addr, PVOID target_addr, SIZE_T size); 7 | 8 | NTSTATUS write_safe_memory(int pid, PVOID source_addr, PVOID target_addr, SIZE_T size); -------------------------------------------------------------------------------- /driver/mouse/mouse.asm: -------------------------------------------------------------------------------- 1 | EXTERNDEF _KeAcquireSpinLockAtDpcLevel:PROC 2 | EXTERNDEF _KeReleaseSpinLockFromDpcLevel:PROC 3 | EXTERNDEF _IofCompleteRequest:PROC 4 | EXTERNDEF _IoReleaseRemoveLockEx:PROC 5 | EXTERNDEF memmove:PROC 6 | 7 | .data 8 | WPP_RECORDER_INITIALIZED dq 0; 9 | WPP_GLOBAL_Control dq 0; 10 | .code 11 | 12 | WPP_RECORDER_SF proc 13 | ret 14 | WPP_RECORDER_SF endp 15 | 16 | MouseClassReadCopyData proc 17 | mov r11,rsp 18 | mov QWORD PTR [r11+8h],rbx 19 | mov QWORD PTR [r11+10h],rbp 20 | mov QWORD PTR [r11+18h],rsi 21 | push rdi 22 | push r12 23 | push r13 24 | push r14 25 | push r15 26 | sub rsp,50h 27 | inc DWORD PTR [rcx+0a8h] 28 | mov rsi,rdx 29 | mov eax,DWORD PTR [rcx+54h] 30 | mov rdi,rcx 31 | mov r13,QWORD PTR [rdx+0b8h] 32 | lea ebp,[rax+rax*2] 33 | mov ebx,DWORD PTR [r13+8h] 34 | shl ebp,3h 35 | mov edx,DWORD PTR [rdi+88h] 36 | cmp ebp,ebx 37 | cmovae ebp,ebx 38 | sub edx,DWORD PTR [rdi+78h] 39 | add edx,DWORD PTR [rdi+68h] 40 | mov r12d,ebp 41 | cmp ebp,edx 42 | cmovae r12d,edx 43 | mov r14,QWORD PTR [rsi+18h] 44 | mov rdx,QWORD PTR [rdi+78h] 45 | mov rcx,r14 46 | mov r8d,r12d 47 | mov r15d,r12d 48 | call memmove 49 | add r14,r15 50 | mov ebx,ebp 51 | sub ebx,r12d 52 | je J1A5 53 | mov rdx,QWORD PTR [rdi+68h] 54 | mov r8,rbx 55 | mov rcx,r14 56 | call memmove 57 | mov rcx,QWORD PTR [rdi+68h] 58 | add rcx,rbx 59 | mov QWORD PTR 
[rdi+78h],rcx 60 | jmp J1B0 61 | J1A5: 62 | add QWORD PTR [rdi+78h],r15 63 | J1B0: 64 | mov ebx,ebp 65 | mov rax,0aaaaaaaaaaaaaaabh 66 | mul rbx 67 | shr rdx,4h 68 | sub DWORD PTR [rdi+54h],edx 69 | jne J1FF 70 | mov BYTE PTR [rdi+42h],1h 71 | J1FF: 72 | mov QWORD PTR [rsi+38h],rbx 73 | lea r11,[rsp+50h] 74 | mov rbx,QWORD PTR [r11+30h] 75 | xor eax,eax 76 | mov rsi,QWORD PTR [r11+40h] 77 | mov DWORD PTR [r13+8h],ebp 78 | mov rbp,QWORD PTR [r11+38h] 79 | mov rsp,r11 80 | pop r15 81 | pop r14 82 | pop r13 83 | pop r12 84 | pop rdi 85 | ret 86 | MouseClassReadCopyData endp 87 | 88 | 89 | 90 | 91 | MouseClassDequeueRead proc 92 | xor edx,edx 93 | lea r8,[rcx+98h] 94 | J9: 95 | mov rcx,QWORD PTR [r8] 96 | cmp rcx,r8 97 | je J47 98 | cmp QWORD PTR [rcx+8h],r8 99 | jne J4C 100 | mov rax,QWORD PTR [rcx] 101 | cmp QWORD PTR [rax+8h],rcx 102 | jne J4C 103 | mov QWORD PTR [r8],rax 104 | lea rdx,[rcx-0a8h] 105 | mov QWORD PTR [rax+8h],r8 106 | xor eax,eax 107 | xchg QWORD PTR [rdx+68h],rax 108 | test rax,rax 109 | jne J42 110 | mov QWORD PTR [rcx+8h],rcx 111 | xor edx,edx 112 | mov QWORD PTR [rcx],rcx 113 | J42: 114 | test rdx,rdx 115 | je J9 116 | J47: 117 | mov rax,rdx 118 | ret 119 | int 3 120 | J4C: 121 | mov ecx,3h 122 | int 29h 123 | MouseClassDequeueRead endp 124 | 125 | 126 | MouseClassServiceCallback proc 127 | mov rax,rsp 128 | mov QWORD PTR [rax+8h],rbx 129 | mov QWORD PTR [rax+10h],rsi 130 | mov QWORD PTR [rax+18h],rdi 131 | mov QWORD PTR [rax+20h],r9 132 | push rbp 133 | push r12 134 | push r13 135 | push r14 136 | push r15 137 | mov rbp,rsp 138 | sub rsp,70h 139 | mov r13,r9 140 | mov rbx,r8 141 | mov r14,rdx 142 | mov r15,rcx 143 | 144 | 145 | 146 | 147 | lea rax, WPP_RECORDER_INITIALIZED 148 | xor esi,esi 149 | cmp WPP_RECORDER_INITIALIZED, rax 150 | jne J61 151 | mov rcx,QWORD PTR WPP_GLOBAL_Control 152 | cmp WORD PTR [rcx+48h],si 153 | je J61 154 | mov rcx,QWORD PTR [rcx+40h] 155 | lea r9d,[rsi+32h] 156 | lea r8d,[rsi+3h] 157 | mov dl,5h 158 | call 
WPP_RECORDER_SF 159 | 160 | J61: 161 | 162 | 163 | mov rdi,QWORD PTR [r15+40h] 164 | sub ebx,r14d 165 | mov r12d,esi 166 | mov DWORD PTR [r13+0h],esi 167 | lea rcx,[rdi+90h] 168 | call QWORD PTR _KeAcquireSpinLockAtDpcLevel 169 | nop DWORD PTR [rax+rax*1+0h] 170 | lea rax,[rbp-10h] 171 | mov rcx,rdi 172 | mov QWORD PTR [rbp-8h],rax 173 | lea rax,[rbp-10h] 174 | mov QWORD PTR [rbp-10h],rax 175 | call MouseClassDequeueRead 176 | mov rsi,rax 177 | xor r9d,r9d 178 | mov rax,0aaaaaaaaaaaaaaabh 179 | test rsi,rsi 180 | je J1aa 181 | mov r13,QWORD PTR [rsi+0b8h] 182 | mov r12d,ebx 183 | mov r8d,DWORD PTR [r13+8h] 184 | cmp ebx,r8d 185 | cmovae r12d,r8d 186 | mul r12 187 | mov rax,QWORD PTR [rbp+48h] 188 | shr rdx,4h 189 | add DWORD PTR [rax],edx 190 | lea rax, WPP_RECORDER_INITIALIZED 191 | cmp WPP_RECORDER_INITIALIZED,rax 192 | jne J11d 193 | mov rcx, QWORD PTR WPP_GLOBAL_Control 194 | cmp WORD PTR [rcx+48h],r9w 195 | je J11d 196 | mov rax,QWORD PTR [rsi+18h] 197 | mov rcx,QWORD PTR [rcx+40h] 198 | mov QWORD PTR [rsp+50h],rax 199 | mov QWORD PTR [rsp+48h],r14 200 | mov DWORD PTR [rsp+40h],r8d 201 | mov DWORD PTR [rsp+38h],ebx 202 | mov QWORD PTR [rsp+30h],rsi 203 | mov QWORD PTR [rsp+28h],r15 204 | call WPP_RECORDER_SF 205 | 206 | J11d: 207 | 208 | mov rax,0fffff78000000014h 209 | mov rax,QWORD PTR [rax] 210 | lea rdx,WPP_RECORDER_INITIALIZED 211 | cmp WPP_RECORDER_INITIALIZED,rdx 212 | jne J15e 213 | mov rcx, QWORD PTR WPP_GLOBAL_Control 214 | mov DWORD PTR [rsp+40h],r12d 215 | mov QWORD PTR [rsp+38h],rax 216 | mov QWORD PTR [rsp+30h],rsi 217 | mov rcx,QWORD PTR [rcx+40h] 218 | mov QWORD PTR [rsp+28h],r15 219 | call WPP_RECORDER_SF 220 | 221 | J15e: 222 | 223 | mov rcx,QWORD PTR [rsi+18h] 224 | mov r8,r12 225 | mov rdx,r14 226 | call memmove 227 | mov QWORD PTR [rsi+38h],r12 228 | lea rcx,[rbp-10h] 229 | xor r8d,r8d 230 | mov DWORD PTR [rsi+30h],r8d 231 | add rsi,0a8h 232 | mov DWORD PTR [r13+8h],r12d 233 | mov rax,QWORD PTR [rbp-8h] 234 | cmp QWORD PTR [rax],rcx 235 | 
jne J495 236 | mov r13,QWORD PTR [rbp+48h] 237 | lea rcx,[rbp-10h] 238 | mov QWORD PTR [rsi],rcx 239 | mov QWORD PTR [rsi+8h],rax 240 | mov QWORD PTR [rax],rsi 241 | mov QWORD PTR [rbp-8h],rsi 242 | 243 | J1aa: 244 | 245 | mov eax,r12d 246 | add r14,rax 247 | sub ebx,r12d 248 | lea r12,WPP_RECORDER_INITIALIZED 249 | xor esi,esi 250 | cmp WPP_RECORDER_INITIALIZED,r12 251 | jne J1e4 252 | mov rcx, QWORD PTR WPP_GLOBAL_Control 253 | cmp WORD PTR [rcx+48h],si 254 | je J1e4 255 | mov rcx,QWORD PTR [rcx+40h] 256 | mov DWORD PTR [rsp+30h],ebx 257 | mov QWORD PTR [rsp+28h],r15 258 | call WPP_RECORDER_SF 259 | 260 | J1e4: 261 | 262 | test ebx,ebx 263 | je J41d 264 | cmp WPP_RECORDER_INITIALIZED,r12 265 | jne J22f 266 | mov rcx, QWORD PTR WPP_GLOBAL_Control 267 | cmp WORD PTR [rcx+48h],si 268 | je J22f 269 | mov eax,DWORD PTR [rdi+54h] 270 | mov r9d,36h 271 | mov rcx,QWORD PTR [rcx+40h] 272 | mov DWORD PTR [rsp+38h],ebx 273 | lea edx,[rax+rax*2] 274 | mov eax,DWORD PTR [rdi+88h] 275 | shl edx,3h 276 | sub eax,edx 277 | mov DWORD PTR [rsp+30h],eax 278 | mov QWORD PTR [rsp+28h],r15 279 | call WPP_RECORDER_SF 280 | 281 | J22f: 282 | 283 | mov ecx,DWORD PTR [rdi+88h] 284 | cmp ecx,ebx 285 | mov r12d,ecx 286 | cmovae r12d,ebx 287 | sub ecx,DWORD PTR [rdi+70h] 288 | mov ebx,DWORD PTR [rdi+68h] 289 | add ebx,ecx 290 | lea rax,WPP_RECORDER_INITIALIZED 291 | cmp WPP_RECORDER_INITIALIZED,rax 292 | jne J287 293 | mov rcx, QWORD PTR WPP_GLOBAL_Control 294 | cmp WORD PTR [rcx+48h],si 295 | je J287 296 | mov rcx,QWORD PTR [rcx+40h] 297 | mov r9d,38h 298 | mov DWORD PTR [rsp+38h],ebx 299 | mov DWORD PTR [rsp+30h],r12d 300 | mov QWORD PTR [rsp+28h],r15 301 | call WPP_RECORDER_SF 302 | lea rax,WPP_RECORDER_INITIALIZED 303 | 304 | J287: 305 | 306 | cmp r12d,ebx 307 | mov esi,r12d 308 | cmovae esi,ebx 309 | cmp WPP_RECORDER_INITIALIZED,rax 310 | jne J2cc 311 | mov rcx, QWORD PTR WPP_GLOBAL_Control 312 | xor eax,eax 313 | cmp WORD PTR [rcx+48h],ax 314 | je J2cc 315 | mov rcx,QWORD PTR [rcx+40h] 
316 | lea r9d,[rax+39h] 317 | mov rax,QWORD PTR [rdi+70h] 318 | mov QWORD PTR [rsp+40h],rax 319 | mov QWORD PTR [rsp+38h],r14 320 | mov DWORD PTR [rsp+30h],esi 321 | mov QWORD PTR [rsp+28h],r15 322 | call WPP_RECORDER_SF 323 | 324 | J2cc: 325 | 326 | mov rcx,QWORD PTR [rdi+70h] 327 | mov rdx,r14 328 | mov r8d,esi 329 | mov ebx,esi 330 | call memmove 331 | add QWORD PTR [rdi+70h],rbx 332 | add r14,rbx 333 | mov rdx,QWORD PTR [rdi+68h] 334 | mov eax,DWORD PTR [rdi+88h] 335 | mov rcx,QWORD PTR [rdi+70h] 336 | add rax,rdx 337 | cmp rcx,rax 338 | jb J301 339 | mov QWORD PTR [rdi+70h],rdx 340 | mov rcx,rdx 341 | 342 | J301: 343 | 344 | mov ebx,r12d 345 | sub ebx,esi 346 | je J362 347 | lea rdx,WPP_RECORDER_INITIALIZED 348 | mov rax,rcx 349 | cmp WPP_RECORDER_INITIALIZED,rdx 350 | jne J350 351 | mov rdx, QWORD PTR WPP_GLOBAL_Control 352 | xor r8d,r8d 353 | cmp WORD PTR [rdx+48h],r8w 354 | je J350 355 | mov QWORD PTR [rsp+40h],rcx 356 | lea r9d,[r8+03ah] 357 | mov rcx,QWORD PTR [rdx+40h] 358 | mov QWORD PTR [rsp+38h],r14 359 | mov DWORD PTR [rsp+30h],ebx 360 | mov QWORD PTR [rsp+28h],r15 361 | call WPP_RECORDER_SF 362 | mov rax,QWORD PTR [rdi+70h] 363 | 364 | J350: 365 | 366 | mov r8,rbx 367 | mov rdx,r14 368 | mov rcx,rax 369 | call memmove 370 | add QWORD PTR [rdi+70h],rbx 371 | 372 | J362: 373 | 374 | mov ecx,r12d 375 | mov rax,0aaaaaaaaaaaaaaabh 376 | mul rcx 377 | shr rdx,4h 378 | add DWORD PTR [rdi+54h],edx 379 | mov ecx,DWORD PTR [r13+0h] 380 | add ecx,edx 381 | mov eax,ecx 382 | mov DWORD PTR [r13+0h],ecx 383 | lea r12,WPP_RECORDER_INITIALIZED 384 | xor esi,esi 385 | cmp WPP_RECORDER_INITIALIZED,r12 386 | jne J41d 387 | mov rcx, QWORD PTR WPP_GLOBAL_Control 388 | cmp WORD PTR [rcx+48h],si 389 | je J41d 390 | mov rcx,QWORD PTR [rcx+40h] 391 | mov DWORD PTR [rsp+48h],eax 392 | mov rax,QWORD PTR [rdi+78h] 393 | mov QWORD PTR [rsp+40h],rax 394 | mov rax,QWORD PTR [rdi+70h] 395 | mov QWORD PTR [rsp+38h],rax 396 | mov eax,DWORD PTR [rdi+54h] 397 | mov DWORD PTR 
[rsp+30h],eax 398 | mov QWORD PTR [rsp+28h],r15 399 | call WPP_RECORDER_SF 400 | jmp J41d 401 | 402 | J3d5: 403 | 404 | mov rcx,rdi 405 | call MouseClassDequeueRead 406 | mov rbx,rax 407 | test rax,rax 408 | je J422 409 | mov rdx,rax 410 | mov rcx,rdi 411 | call MouseClassReadCopyData 412 | mov DWORD PTR [rbx+30h],eax 413 | lea rcx,[rbp-10h] 414 | mov rdx,QWORD PTR [rbp-8h] 415 | lea rax,[rbx+0a8h] 416 | cmp QWORD PTR [rdx],rcx 417 | jne J495 418 | mov QWORD PTR [rax+8h],rdx 419 | lea rcx,[rbp-10h] 420 | mov QWORD PTR [rax],rcx 421 | mov QWORD PTR [rdx],rax 422 | mov QWORD PTR [rbp-8h],rax 423 | 424 | J41d: 425 | 426 | cmp DWORD PTR [rdi+54h],esi 427 | 428 | 429 | ja J3d5 430 | 431 | J422: 432 | 433 | lea rcx,[rdi+90h] 434 | call QWORD PTR _KeReleaseSpinLockFromDpcLevel 435 | nop DWORD PTR [rax+rax*1+0h] 436 | 437 | J435: 438 | 439 | mov rbx,QWORD PTR [rbp-10h] 440 | lea rax,[rbp-10h] 441 | cmp rbx,rax 442 | je J49c 443 | lea rax,[rbp-10h] 444 | cmp QWORD PTR [rbx+8h],rax 445 | jne J495 446 | mov rax,QWORD PTR [rbx] 447 | cmp QWORD PTR [rax+8h],rbx 448 | jne J495 449 | lea rcx,[rbp-10h] 450 | mov QWORD PTR [rbp-10h],rax 451 | mov QWORD PTR [rax+8h],rcx 452 | mov dl,6h 453 | lea rcx,[rbx-0a8h] 454 | call QWORD PTR _IofCompleteRequest 455 | nop DWORD PTR [rax+rax*1+0h] 456 | lea rcx,[rdi+20h] 457 | mov r8d,20h 458 | lea rdx,[rbx-0a8h] 459 | call QWORD PTR _IoReleaseRemoveLockEx 460 | nop DWORD PTR [rax+rax*1+0h] 461 | jmp J435 462 | 463 | J495: 464 | 465 | mov ecx,3h 466 | int 29h 467 | 468 | J49C: 469 | 470 | cmp WPP_RECORDER_INITIALIZED,r12 471 | jne J4c7 472 | mov rcx, QWORD PTR WPP_GLOBAL_Control 473 | cmp WORD PTR [rcx+48h],si 474 | je J4c7 475 | mov rcx,QWORD PTR [rcx+40h] 476 | mov r9d,3ch 477 | mov dl,5h 478 | lea r8d,[r9-39h] 479 | call WPP_RECORDER_SF 480 | 481 | J4c7: 482 | 483 | lea r11,[rsp+70h] 484 | mov rbx,QWORD PTR [r11+30h] 485 | mov rsi,QWORD PTR [r11+38h] 486 | mov rdi,QWORD PTR [r11+40h] 487 | mov rsp,r11 488 | pop r15 489 | pop r14 490 | pop r13 
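pop r12
pop rbp
ret
MouseClassServiceCallback endp

end

--------------------------------------------------------------------------------
/driver/mouse/mouse.h:
--------------------------------------------------------------------------------
#pragma once
#include "../utils/defs.h"

#define MOUSE_MOVE_RELATIVE 0
#define MOUSE_MOVE_ABSOLUTE 1

#define MOUSE_LEFT_BUTTON_DOWN 0x0001 // Left Button changed to down.
#define MOUSE_LEFT_BUTTON_UP 0x0002 // Left Button changed to up.
#define MOUSE_RIGHT_BUTTON_DOWN 0x0004 // Right Button changed to down.
#define MOUSE_RIGHT_BUTTON_UP 0x0008 // Right Button changed to up.
#define MOUSE_MIDDLE_BUTTON_DOWN 0x0010 // Middle Button changed to down.
#define MOUSE_MIDDLE_BUTTON_UP 0x0020 // Middle Button changed to up.

// @norsefire & @ekknod

/*
 * mouse_open: locate the mouclass device object that synthesized input is
 * delivered to and the mouhid -> mouclass service routine, caching both in
 * gMouseObject. The lookup runs once; after use_mouse is set, calls return the
 * cached result.
 *
 * Returns non-zero when both gMouseObject.mouse_device and
 * gMouseObject.service_callback are populated, 0 otherwise.
 *
 * Side effects: stores the addresses of four kernel exports in the data cells
 * that mouse.asm calls through (see its EXTERNDEF list).
 *
 * Fixes relative to the previous version: the extension scan divided the byte
 * span by 4 while indexing 8-byte slots (on x64 it walked twice the extension
 * and read past it) and read `ext[i + 1]` for the last slot; a candidate
 * service routine is now required to lie inside mouclass's image rather than
 * merely above the DRIVER_OBJECT address; the unused `class_driver_base` local
 * is gone.
 *
 * NOTE(review): gMouseObject.service_callback is only used as a "found" flag
 * here -- mouse_move calls the reimplementation in mouse.asm, not this pointer.
 * NOTE(review): both driver device lists are walked without a lock and the
 * device object pointer is cached after the driver objects are dereferenced;
 * a mouse that is removed later leaves a dangling gMouseObject.mouse_device.
 * That was already the case and is not addressed here.
 */
inline BOOL mouse_open() {
    _KeAcquireSpinLockAtDpcLevel = (QWORD)KeAcquireSpinLockAtDpcLevel;
    _KeReleaseSpinLockFromDpcLevel = (QWORD)KeReleaseSpinLockFromDpcLevel;
    _IofCompleteRequest = (QWORD)IofCompleteRequest;
    _IoReleaseRemoveLockEx = (QWORD)IoReleaseRemoveLockEx;

    /* Resolved on an earlier call: hand back the cached result. */
    if (gMouseObject.use_mouse != 0)
        return gMouseObject.mouse_device && gMouseObject.service_callback;

    UNICODE_STRING class_string;
    RtlInitUnicodeString(&class_string, L"\\Driver\\MouClass");

    PDRIVER_OBJECT class_driver_object = NULL;
    NTSTATUS status = ObReferenceObjectByName(&class_string, OBJ_CASE_INSENSITIVE, NULL, 0,
                                              *IoDriverObjectType, KernelMode, NULL,
                                              (PVOID*)&class_driver_object);
    if (!NT_SUCCESS(status)) {
        gMouseObject.use_mouse = 0;
        return 0;
    }

    UNICODE_STRING hid_string;
    RtlInitUnicodeString(&hid_string, L"\\Driver\\MouHID");

    PDRIVER_OBJECT hid_driver_object = NULL;
    status = ObReferenceObjectByName(&hid_string, OBJ_CASE_INSENSITIVE, NULL, 0,
                                     *IoDriverObjectType, KernelMode, NULL,
                                     (PVOID*)&hid_driver_object);
    if (!NT_SUCCESS(status)) {
        ObfDereferenceObject(class_driver_object);
        gMouseObject.use_mouse = 0;
        return 0;
    }

    /* A service routine handed to mouhid by mouclass must be code inside the
     * mouclass image; DriverStart/DriverSize bound that image. */
    ULONG_PTR class_image_lo = (ULONG_PTR)class_driver_object->DriverStart;
    ULONG_PTR class_image_hi = class_image_lo + class_driver_object->DriverSize;

    PDEVICE_OBJECT hid_device_object = hid_driver_object->DeviceObject;
    while (hid_device_object && !gMouseObject.service_callback) {
        PULONG_PTR ext = (PULONG_PTR)hid_device_object->DeviceExtension;
        ULONG_PTR ext_end = (ULONG_PTR)hid_device_object->DeviceObjectExtension;
        /* Pointer-sized slots between DeviceExtension and DeviceObjectExtension
         * (the same span the original used as the extension's end). A NULL or
         * oddly placed extension yields 0 slots instead of a huge count. */
        ULONG_PTR slots = 0;
        if (ext && ext_end > (ULONG_PTR)ext)
            slots = (ext_end - (ULONG_PTR)ext) / sizeof(ULONG_PTR);

        PDEVICE_OBJECT class_device_object = class_driver_object->DeviceObject;
        while (class_device_object && !gMouseObject.service_callback) {
            /* Heuristic kept from the original: the last device in mouclass's
             * list is the one mouse_move delivers input to. */
            if (!class_device_object->NextDevice && !gMouseObject.mouse_device)
                gMouseObject.mouse_device = class_device_object;

            /* Look for <class device pointer, service routine> in two adjacent
             * slots -- presumably the CONNECT_DATA mouhid stores at connect
             * time; `i + 1 < slots` keeps ext[i + 1] in bounds. */
            for (ULONG_PTR i = 0; i + 1 < slots; i++) {
                if (ext[i] != (ULONG_PTR)class_device_object)
                    continue;
                if (ext[i + 1] >= class_image_lo && ext[i + 1] < class_image_hi) {
                    gMouseObject.service_callback = (MouseClassServiceCallbackFn)ext[i + 1];
                    break;
                }
            }
            class_device_object = class_device_object->NextDevice;
        }
        hid_device_object = hid_device_object->AttachedDevice;
    }

    /* Nothing flagged during the scan: fall back to the last device in
     * mouclass's list. */
    if (!gMouseObject.mouse_device) {
        for (PDEVICE_OBJECT dev = class_driver_object->DeviceObject; dev; dev = dev->NextDevice) {
            if (!dev->NextDevice) {
                gMouseObject.mouse_device = dev;
                break;
            }
        }
    }

    ObfDereferenceObject(class_driver_object);
    ObfDereferenceObject(hid_driver_object);

    /* Only a complete result is cached; otherwise the next call retries. */
    if (gMouseObject.mouse_device && gMouseObject.service_callback)
        gMouseObject.use_mouse = 1;

    return gMouseObject.mouse_device && gMouseObject.service_callback;
}

inline VOID mouse_move(long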
x, long y, unsigned short button_flags) {
    // mouse_move: inject one MOUSE_INPUT_DATA record (relative movement x/y plus
    // the given MOUSE_*_BUTTON_* flags) into the mouse class driver.
    // No-op when mouse_open() cannot resolve the class device.
    KIRQL irql;
    ULONG input_data;   // receives InputDataConsumed; mouse.asm stores 0 to it on entry
    MOUSE_INPUT_DATA mid = { 0 };
    mid.LastX = x;
    mid.LastY = y;
    mid.ButtonFlags = button_flags;
    // mouse_open() walks driver/device lists via ObReferenceObjectByName, so it
    // runs before the IRQL is raised.
    if (!mouse_open())
        return;

    mid.UnitId = 1;
    // MouseClassServiceCallback (the reimplementation in mouse.asm, not the
    // pointer cached in gMouseObject.service_callback) takes the class device's
    // lock with KeAcquireSpinLockAtDpcLevel, which requires DISPATCH_LEVEL.
    // `(PMOUSE_INPUT_DATA)&mid + 1` is the end pointer for a single record.
    KeMRaiseIrql(DISPATCH_LEVEL, &irql);
    MouseClassServiceCallback(gMouseObject.mouse_device, &mid, (PMOUSE_INPUT_DATA)&mid + 1, &input_data);
    KeLowerIrql(irql);
}


// Press the left button (no movement).
inline VOID mouse_down() {
    mouse_move(0, 0, MOUSE_LEFT_BUTTON_DOWN);
}

// Release the left button (no movement).
inline VOID mouse_up() {
    mouse_move(0, 0, MOUSE_LEFT_BUTTON_UP);
}
--------------------------------------------------------------------------------
/driver/utils/defs.h:
--------------------------------------------------------------------------------
#pragma once
// NOTE(review): the header name is missing from this copy of the file
// (presumably stripped with its angle brackets); confirm against the repository.
#include 
// KeRaiseIrql-style wrapper around the fastcall KfRaiseIrql export.
#define KeMRaiseIrql(a, b) *(b) = KfRaiseIrql(a)
#define KM_POOL_TAG 'kdd'

// Win32-style aliases used throughout the driver.
typedef int BOOL;
typedef unsigned int DWORD;
typedef ULONG_PTR QWORD;

// 4201: nameless struct/union, used inside MOUSE_INPUT_DATA below.
#pragma warning(disable : 4201)
// Local copy of the mouse class input record that mouse_move hands to
// MouseClassServiceCallback. Field order must match the system's definition
// (presumably ntddmou.h) -- the asm copies it by size, not by name.
typedef struct _MOUSE_INPUT_DATA {
    USHORT UnitId;
    USHORT Flags;
    union {
        ULONG Buttons;
        struct {
            USHORT ButtonFlags;
            USHORT ButtonData;
        };
    };
    ULONG RawButtons;
    LONG LastX;
    LONG LastY;
    ULONG ExtraInformation;
} MOUSE_INPUT_DATA, * PMOUSE_INPUT_DATA;

typedef VOID(*MouseClassServiceCallbackFn)(PDEVICE_OBJECT DeviceObject, PMOUSE_INPUT_DATA InputDataStart, PMOUSE_INPUT_DATA InputDataEnd, PULONG InputDataConsumed);

// Result of mouse_open(): the mouclass device input is delivered to, the
// service routine found in the mouhid extension (used only as a "found" flag;
// mouse_move calls the asm reimplementation), and whether the lookup is done.
typedef struct _MOUSE_OBJECT {
    PDEVICE_OBJECT mouse_device;
    MouseClassServiceCallbackFn service_callback;
    BOOL use_mouse;
} MOUSE_OBJECT, * PMOUSE_OBJECT;

// Undocumented user-mode loader structures, reproduced here for
// get_module_base (memory.c), which walks Ldr->InLoadOrderModuleList and
// reads BaseDllName/DllBase/SizeOfImage from each entry. Only the prefix of
// each structure that is actually accessed needs to be right.
typedef struct _PEB_LDR_DATA
{
    ULONG Length;
    UCHAR Initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
}
PEB_LDR_DATA, * PPEB_LDR_DATA;

typedef struct _PEB
{
    UCHAR InheritedAddressSpace;
    UCHAR ReadImageFileExecOptions;
    UCHAR BeingDebugged;
    UCHAR BitField;
    PVOID Mutant;
    PVOID ImageBaseAddress;
    PPEB_LDR_DATA Ldr;
    PVOID ProcessParameters;
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PVOID FastPebLock;
    PVOID AtlThunkSListPtr;
    PVOID IFEOKey;
    PVOID CrossProcessFlags;
    PVOID KernelCallbackTable;
    ULONG SystemReserved;
    ULONG AtlThunkSListPtr32;
    PVOID ApiSetMap;
} PEB, * PPEB;

typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    LIST_ENTRY HashLinks;
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;

// SystemModuleInformation record layout for ZwQuerySystemInformation --
// presumably consumed by get_kernel_module (memory.c, not visible here).
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBase;
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;



// Hard-coded EPROCESS field offsets. These are valid for one Windows build
// only; the fields are known to move between builds, so on any other build a
// consumer of these constants reads or writes the wrong part of the EPROCESS
// (or unrelated kernel memory). NOTE(review): presumably used by
// get_process_id (memory.c, not visible here) -- resolving them at runtime
// or gating them on the running build would be safer. TODO confirm the
// target build.
typedef enum _EPROCESS_OFFSETS {

    ActiveProcessLinks = 0x448,
    UniqueProcessId = 0x2e8,
    ImageFileName = 0x5a8
} EPROCESS_OFFSETS;

typedef struct _RTL_PROCESS_MODULES
{
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;

// Globals *defined* (not declared extern) in a header: every translation unit
// that includes defs.h gets its own definition. Fine only while a single .c
// file includes it, or the C compiler merges tentative definitions --
// TODO confirm. The four QWORD cells are filled by mouse_open() and are the
// indirect call targets used by mouse.asm.
MOUSE_OBJECT gMouseObject;
QWORD _KeAcquireSpinLockAtDpcLevel;
QWORD _KeReleaseSpinLockFromDpcLevel;
QWORD _IofCompleteRequest;
QWORD _IoReleaseRemoveLockEx;

// Kernel export without a public prototype; mouse_open() uses it to look up
// driver objects by name.
NTSYSCALLAPI
POBJECT_TYPE* IoDriverObjectType;

// Prototype of the reimplementation in mouse.asm (not the mouclass export);
// this is what mouse_move calls.
VOID MouseClassServiceCallback(PDEVICE_OBJECT DeviceObject, PMOUSE_INPUT_DATA InputDataStart, PMOUSE_INPUT_DATA InputDataEnd, PULONG InputDataConsumed);

// Exported but undocumented routines declared by hand.
NTSYSCALLAPI
NTSTATUS
ObReferenceObjectByName(__in PUNICODE_STRING ObjectName, __in ULONG Attributes, __in_opt PACCESS_STATE AccessState, __in_opt ACCESS_MASK DesiredAccess, __in POBJECT_TYPE ObjectType,
    __in KPROCESSOR_MODE AccessMode, __inout_opt PVOID ParseContext, __out PVOID* Object);
__declspec(dllimport) PPEB PsGetProcessPeb(PEPROCESS);
NTSTATUS ZwQuerySystemInformation(ULONG InfoClass, PVOID Buffer, ULONG Length, PULONG ReturnLength);
NTKERNELAPI PVOID PsGetProcessSectionBaseAddress(__in PEPROCESS Process);

// Cross-process copy primitive used by process.c.
NTSTATUS NTAPI MmCopyVirtualMemory(PEPROCESS SourceProcess, PVOID SourceAddress, PEPROCESS TargetProcess, PVOID TargetAddress, SIZE_T BufferSize, KPROCESSOR_MODE PreviousMode, PSIZE_T ReturnSize);
// Undocumented: create/delete a DRIVER_OBJECT without the service/PnP load
// path -- presumably used by main.c (not visible here). TODO confirm.
NTKERNELAPI
NTSTATUS
IoCreateDriver(IN PUNICODE_STRING DriverName, OPTIONAL IN PDRIVER_INITIALIZE InitializationFunction);

NTKERNELAPI
VOID IoDeleteDriver(IN PDRIVER_OBJECT DriverObject);
//void Sleep(DWORD milliseconds) {
// QWORD ms = milliseconds;
// ms = (ms * 1000) * 10;
// ms = ms * -1;
// #ifdef _KERNEL_MODE
// KeDelayExecutionThread(KernelMode, 0, (PLARGE_INTEGER)&ms);
// #else
// NtDelayExecution(0, (PLARGE_INTEGER)&ms);
// #endif
//}

--------------------------------------------------------------------------------
/driver/utils/message.h:
--------------------------------------------------------------------------------
#pragma once


// Debug-only tracing. In _DEBUG builds this prints via DbgPrintEx (note that
// callers such as get_module_base log module base addresses); in release
// builds it expands to nothing. The "[KM] - " prefix is concatenated with the
// format string, so the first argument must be a string literal.
#ifdef _DEBUG
#define message(...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[KM] - " __VA_ARGS__)
#else
#define message(...)
8 | #endif) -------------------------------------------------------------------------------- /examples/security_check.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vsaint1/kernel-mouse/932b8ba555ce42bd011ba77fbc20b7dc396f317e/examples/security_check.png -------------------------------------------------------------------------------- /examples/test.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vsaint1/kernel-mouse/932b8ba555ce42bd011ba77fbc20b7dc396f317e/examples/test.png -------------------------------------------------------------------------------- /km-mouse.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.7.34202.233 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "km-mouse", "Driver\km-mouse.vcxproj", "{099D3591-88DE-488C-A83C-4A3AEFD6A47E}" 7 | EndProject 8 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{6E8C2E65-627C-40D3-90CA-0CC98C045B32}" 9 | ProjectSection(SolutionItems) = preProject 10 | .gitignore = .gitignore 11 | LICENSE = LICENSE 12 | README.md = README.md 13 | EndProjectSection 14 | EndProject 15 | Global 16 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 17 | Debug|ARM64 = Debug|ARM64 18 | Debug|x64 = Debug|x64 19 | Debug|x86 = Debug|x86 20 | Release|ARM64 = Release|ARM64 21 | Release|x64 = Release|x64 22 | Release|x86 = Release|x86 23 | EndGlobalSection 24 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 25 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Debug|ARM64.ActiveCfg = Debug|ARM64 26 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Debug|ARM64.Build.0 = Debug|ARM64 27 | 
{099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Debug|ARM64.Deploy.0 = Debug|ARM64 28 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Debug|x64.ActiveCfg = Debug|x64 29 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Debug|x64.Build.0 = Debug|x64 30 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Debug|x64.Deploy.0 = Debug|x64 31 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Debug|x86.ActiveCfg = Debug|x64 32 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Debug|x86.Build.0 = Debug|x64 33 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Debug|x86.Deploy.0 = Debug|x64 34 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Release|ARM64.ActiveCfg = Release|ARM64 35 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Release|ARM64.Build.0 = Release|ARM64 36 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Release|ARM64.Deploy.0 = Release|ARM64 37 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Release|x64.ActiveCfg = Release|x64 38 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Release|x64.Build.0 = Release|x64 39 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Release|x64.Deploy.0 = Release|x64 40 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Release|x86.ActiveCfg = Release|x64 41 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Release|x86.Build.0 = Release|x64 42 | {099D3591-88DE-488C-A83C-4A3AEFD6A47E}.Release|x86.Deploy.0 = Release|x64 43 | EndGlobalSection 44 | GlobalSection(SolutionProperties) = preSolution 45 | HideSolutionNode = FALSE 46 | EndGlobalSection 47 | GlobalSection(ExtensibilityGlobals) = postSolution 48 | SolutionGuid = {D5DFF3CF-CD73-44E4-A5D7-3599BB3ED06E} 49 | EndGlobalSection 50 | EndGlobal 51 | --------------------------------------------------------------------------------