├── DriverController.sln
├── DriverController
    ├── DriverController.cpp
    ├── DriverController.vcxproj
    ├── DriverController.vcxproj.filters
    └── DriverController.vcxproj.user
├── README.md
└── winhelper.sys


/DriverController.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.33423.256
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DriverController", "DriverController\DriverController.vcxproj", "{30A58F42-07BE-451F-9DC1-DEE3F534189E}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Release|x64 = Release|x64
11 | 	EndGlobalSection
12 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
13 | 		{30A58F42-07BE-451F-9DC1-DEE3F534189E}.Release|x64.ActiveCfg = Release|x64
14 | 		{30A58F42-07BE-451F-9DC1-DEE3F534189E}.Release|x64.Build.0 = Release|x64
15 | 	EndGlobalSection
16 | 	GlobalSection(SolutionProperties) = preSolution
17 | 		HideSolutionNode = FALSE
18 | 	EndGlobalSection
19 | 	GlobalSection(ExtensibilityGlobals) = postSolution
20 | 		SolutionGuid = {26AA39A4-F5E7-4E09-B9C3-FECDA11E456E}
21 | 	EndGlobalSection
22 | EndGlobal
23 | 


--------------------------------------------------------------------------------
/DriverController/DriverController.cpp:
--------------------------------------------------------------------------------
  1 | #include <iostream>
  2 | #include <Windows.h>
  3 | 
  4 | HANDLE hHandle = NULL;
  5 | 
  6 | bool GetDriverHandle() 
  7 | {
  8 | 	hHandle = CreateFileW(L"\\\\.\\microsofthelperdriver", GENERIC_READ | GENERIC_WRITE, NULL, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
  9 | 
 10 | 	if (hHandle == INVALID_HANDLE_VALUE)
 11 | 	{
 12 | 		printf("Failed to get a handle to driver\n");
 13 | 		return false;
 14 | 	}
 15 | 	
 16 | 	return true;
 17 | }
 18 | 
 19 | ULONG EncryptRequestCode(ULONG ioctl) {
 20 | 	/*
 21 | 		v4 = __ROR4__(a2->Tail.Overlay.CurrentStackLocation->Parameters.Read.ByteOffset.LowPart ^ 0xE4938CDF, 8) ^ 0xE4938CDF;
 22 | 	*/
 23 | 
 24 | 	const ULONG key = 0xE4938CDF; // decryption key
 25 | 	ULONG encrypted_value = ioctl ^ key; // value xor key
 26 | 	encrypted_value = (encrypted_value << 8) | (encrypted_value >> 24); // bitwise rotation, shift 8 bits to the left, shift 24 to right
 27 | 	encrypted_value = encrypted_value ^ key; // 1, 3
 28 | 	return encrypted_value;
 29 | }
 30 | 
 31 | #define IOCTL_PsGetProcessSectionBaseAddress 0x13370400
 32 | #define IOCTL_ReadProcessMemory 0x13370800
 33 | #define IOCTL_WriteProcessMemory 0x13370C00
 34 | 
 35 | typedef struct _readmem
 36 | {
 37 | 	/*
 38 | 	00000000 _IRP            struc ; (sizeof=0xD0, align=0x10, copyof_14)
 39 | 	processid       dw ?
 40 | 	sourceaddress   dq ?                    ; offset
 41 | 	buffer          dd ?
 42 | 	size            dw ?
 43 | 	*/
 44 | 
 45 | 	int processid;
 46 | 	uintptr_t sourceaddress;
 47 | 	uintptr_t buffer;
 48 | 	size_t size;
 49 | 
 50 | } readmem, *preadmem;
 51 | 
 52 | typedef struct _base
 53 | {
 54 | 	/* 
 55 | 	00000000 processid       dw ?
 56 | 	00000010 buffer          dd ?
 57 | 	*/
 58 | 	int processid;
 59 | 	uintptr_t buffer;
 60 | 
 61 | } base, * p_base;
 62 | 
 63 | uintptr_t GetProcessSectionBaseAddress(int pid)
 64 | {
 65 | 	base req;
 66 | 	req.processid = pid;
 67 | 
 68 | 	auto code = EncryptRequestCode(IOCTL_PsGetProcessSectionBaseAddress);
 69 | 
 70 | 	DeviceIoControl(hHandle, code, &req, sizeof(req), &req, sizeof(req), 0, 0);
 71 | 
 72 | 	return req.buffer;
 73 | }
 74 | 
 75 | template<typename T>
 76 | T Read(int pid, uintptr_t address)
 77 | {
 78 | 	T buffer;
 79 | 
 80 | 	readmem req;
 81 | 	req.processid = pid;
 82 | 	req.sourceaddress = address;
 83 | 	req.buffer = (uintptr_t)&buffer;
 84 | 	req.size = sizeof(T);
 85 | 
 86 | 	auto code = EncryptRequestCode(IOCTL_ReadProcessMemory);
 87 | 
 88 | 	DeviceIoControl(hHandle, code, &req, sizeof(req), &req, sizeof(req), 0, 0);
 89 | 
 90 | 	return buffer;
 91 | }
 92 | 
 93 | template<typename T>
 94 | void Write(int pid, uintptr_t address, T val)
 95 | {
 96 | 	readmem req;
 97 | 	req.processid = pid;
 98 | 	req.sourceaddress = address;
 99 | 	req.buffer = (uintptr_t)&val;
100 | 	req.size = sizeof(T);
101 | 
102 | 	auto code = EncryptRequestCode(IOCTL_WriteProcessMemory);
103 | 
104 | 	DeviceIoControl(hHandle, code, &req, sizeof(req), &req, sizeof(req), 0, 0);
105 | }
106 | 
107 | #include <TlHelp32.h>
108 | 
109 | DWORD GetProcessId(const std::wstring processName)
110 | {
111 | 	PROCESSENTRY32 processInfo;
112 | 	processInfo.dwSize = sizeof(processInfo);
113 | 
114 | 	HANDLE processesSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
115 | 	if (processesSnapshot == INVALID_HANDLE_VALUE)
116 | 	{
117 | 		return 0;
118 | 	}
119 | 
120 | 	Process32First(processesSnapshot, &processInfo);
121 | 	if (!processName.compare(processInfo.szExeFile))
122 | 	{
123 | 		CloseHandle(processesSnapshot);
124 | 		return processInfo.th32ProcessID;
125 | 	}
126 | 
127 | 	while (Process32Next(processesSnapshot, &processInfo))
128 | 	{
129 | 		if (!processName.compare(processInfo.szExeFile))
130 | 		{
131 | 			CloseHandle(processesSnapshot);
132 | 			return processInfo.th32ProcessID;
133 | 		}
134 | 	}
135 | 
136 | 	CloseHandle(processesSnapshot);
137 | 	return 0;
138 | }
139 | 
140 | 
141 | int main()
142 | {
143 | 	if (GetDriverHandle()) 
144 | 	{
145 | 		printf("hHandle: %p\n", hHandle);
146 | 
147 | 		auto ProcessID = GetProcessId(L"explorer.exe");
148 | 		printf("ProcessID: %i\n", ProcessID);
149 | 
150 | 		uintptr_t BaseTest = GetProcessSectionBaseAddress(ProcessID);
151 | 		uintptr_t ReadTest = Read<uintptr_t>(ProcessID, BaseTest);
152 | 
153 | 		printf("GetProcessSectionBaseAddress: %p\n", BaseTest);
154 | 		printf("ReadProcessMemory: %p\n", ReadTest);
155 | 	}
156 | 
157 | 	getchar();
158 | 
159 | 	return 0;
160 | }
161 | 


--------------------------------------------------------------------------------
/DriverController/DriverController.vcxproj:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup Label="ProjectConfigurations">
 4 |     <ProjectConfiguration Include="Release|x64">
 5 |       <Configuration>Release</Configuration>
 6 |       <Platform>x64</Platform>
 7 |     </ProjectConfiguration>
 8 |   </ItemGroup>
 9 |   <PropertyGroup Label="Globals">
10 |     <VCProjectVersion>16.0</VCProjectVersion>
11 |     <Keyword>Win32Proj</Keyword>
12 |     <ProjectGuid>{30a58f42-07be-451f-9dc1-dee3f534189e}</ProjectGuid>
13 |     <RootNamespace>DriverController</RootNamespace>
14 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
15 |   </PropertyGroup>
16 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
17 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
18 |     <ConfigurationType>Application</ConfigurationType>
19 |     <UseDebugLibraries>false</UseDebugLibraries>
20 |     <PlatformToolset>v142</PlatformToolset>
21 |     <WholeProgramOptimization>true</WholeProgramOptimization>
22 |     <CharacterSet>Unicode</CharacterSet>
23 |   </PropertyGroup>
24 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
25 |   <ImportGroup Label="ExtensionSettings">
26 |   </ImportGroup>
27 |   <ImportGroup Label="Shared">
28 |   </ImportGroup>
29 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
30 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
31 |   </ImportGroup>
32 |   <PropertyGroup Label="UserMacros" />
33 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
34 |     <LinkIncremental>false</LinkIncremental>
35 |   </PropertyGroup>
36 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
37 |     <ClCompile>
38 |       <WarningLevel>Level3</WarningLevel>
39 |       <FunctionLevelLinking>true</FunctionLevelLinking>
40 |       <IntrinsicFunctions>true</IntrinsicFunctions>
41 |       <SDLCheck>true</SDLCheck>
42 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
43 |       <ConformanceMode>true</ConformanceMode>
44 |     </ClCompile>
45 |     <Link>
46 |       <SubSystem>Console</SubSystem>
47 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
48 |       <OptimizeReferences>true</OptimizeReferences>
49 |       <GenerateDebugInformation>true</GenerateDebugInformation>
50 |     </Link>
51 |   </ItemDefinitionGroup>
52 |   <ItemGroup>
53 |     <ClCompile Include="DriverController.cpp" />
54 |   </ItemGroup>
55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
56 |   <ImportGroup Label="ExtensionTargets">
57 |   </ImportGroup>
58 | </Project>


--------------------------------------------------------------------------------
/DriverController/DriverController.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |   </ItemGroup>
 9 |   <ItemGroup>
10 |     <ClCompile Include="DriverController.cpp">
11 |       <Filter>Source Files</Filter>
12 |     </ClCompile>
13 |   </ItemGroup>
14 | </Project>


--------------------------------------------------------------------------------
/DriverController/DriverController.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | https://zerocondition.com/posts/reversing-a-signed-driver
2 | <p><b> Use at own risk. </b> </p> 
3 | 


--------------------------------------------------------------------------------
/winhelper.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zer0condition/Reversing-a-signed-driver/31264b0a0d66f2b482c418aad1df22b130f3d896/winhelper.sys


--------------------------------------------------------------------------------