Showing
243 changed files
with
40,403 additions
and
29,125 deletions.
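--- a/[sln path not shown on page]
+++ b/[sln path not shown on page]
@@ -0,0 +1,51 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30406.217
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "driver", "driver\driver.vcxproj", "{B733A66A-C850-41F9-B262-5D16B9877834}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|ARM = Debug|ARM
+Debug|ARM64 = Debug|ARM64
+Debug|x64 = Debug|x64
+Debug|x86 = Debug|x86
+Release|ARM = Release|ARM
+Release|ARM64 = Release|ARM64
+Release|x64 = Release|x64
+Release|x86 = Release|x86
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{B733A66A-C850-41F9-B262-5D16B9877834}.Debug|ARM.ActiveCfg = Debug|ARM
+{B733A66A-C850-41F9-B262-5D16B9877834}.Debug|ARM.Build.0 = Debug|ARM
+{B733A66A-C850-41F9-B262-5D16B9877834}.Debug|ARM.Deploy.0 = Debug|ARM
+{B733A66A-C850-41F9-B262-5D16B9877834}.Debug|ARM64.ActiveCfg = Debug|ARM64
+{B733A66A-C850-41F9-B262-5D16B9877834}.Debug|ARM64.Build.0 = Debug|ARM64
+{B733A66A-C850-41F9-B262-5D16B9877834}.Debug|ARM64.Deploy.0 = Debug|ARM64
+{B733A66A-C850-41F9-B262-5D16B9877834}.Debug|x64.ActiveCfg = Debug|x64
+{B733A66A-C850-41F9-B262-5D16B9877834}.Debug|x64.Build.0 = Debug|x64
+{B733A66A-C850-41F9-B262-5D16B9877834}.Debug|x64.Deploy.0 = Debug|x64
+{B733A66A-C850-41F9-B262-5D16B9877834}.Debug|x86.ActiveCfg = Debug|Win32
+{B733A66A-C850-41F9-B262-5D16B9877834}.Debug|x86.Build.0 = Debug|Win32
+{B733A66A-C850-41F9-B262-5D16B9877834}.Debug|x86.Deploy.0 = Debug|Win32
+{B733A66A-C850-41F9-B262-5D16B9877834}.Release|ARM.ActiveCfg = Release|ARM
+{B733A66A-C850-41F9-B262-5D16B9877834}.Release|ARM.Build.0 = Release|ARM
+{B733A66A-C850-41F9-B262-5D16B9877834}.Release|ARM.Deploy.0 = Release|ARM
+{B733A66A-C850-41F9-B262-5D16B9877834}.Release|ARM64.ActiveCfg = Release|ARM64
+{B733A66A-C850-41F9-B262-5D16B9877834}.Release|ARM64.Build.0 = Release|ARM64
+{B733A66A-C850-41F9-B262-5D16B9877834}.Release|ARM64.Deploy.0 = Release|ARM64
+{B733A66A-C850-41F9-B262-5D16B9877834}.Release|x64.ActiveCfg = Release|x64
+{B733A66A-C850-41F9-B262-5D16B9877834}.Release|x64.Build.0 = Release|x64
+{B733A66A-C850-41F9-B262-5D16B9877834}.Release|x64.Deploy.0 = Release|x64
+{B733A66A-C850-41F9-B262-5D16B9877834}.Release|x86.ActiveCfg = Release|Win32
+{B733A66A-C850-41F9-B262-5D16B9877834}.Release|x86.Build.0 = Release|Win32
+{B733A66A-C850-41F9-B262-5D16B9877834}.Release|x86.Deploy.0 = Release|Win32
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+GlobalSection(ExtensibilityGlobals) = postSolution
+SolutionGuid = {F5D0D578-8073-42C4-9249-F31F2C0A326B}
+EndGlobalSection
+EndGlobal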
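--- a/[driver source path not shown on page]
+++ b/[driver source path not shown on page]
@@ -0,0 +1,233 @@
+#pragma warning (disable: 4100 4047 4024 4022)
+
+#include <ntdef.h>
+#include <ntifs.h>
+#include <ntddk.h>
+
+#define IO_GET_ID_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x6210, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+
+#define IO_READ_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x6211, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+
+#define IO_WRITE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x6212, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+
+#define IO_GET_MODULE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x6213, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+
+
+ULONG processId, ClientAddress;
+PDEVICE_OBJECT pDeviceObject;
+UNICODE_STRING dev, dos; //driver registry paths
+
+typedef struct _KERNEL_READ_REQUEST
+{
+ULONG ProcessId; //target process id
+ULONG Address; // address of memory to start reading from
+PVOID pBuff; // return value
+ULONG Size; // size of memory to read
+
+} KERNEL_READ_REQUEST, * PKERNEL_READ_REQUEST;
+
+typedef struct _KERNEL_WRITE_REQUEST
+{
+ULONG ProcessId; //target process id
+ULONG Address; // address of memory to start reading from
+PVOID pBuff; // return value
+ULONG Size; // size of memory to read
+
+} KERNEL_WRITE_REQUEST, * PKERNEL_WRITE_REQUEST;
+
+NTSTATUS NTAPI MmCopyVirtualMemory
+(
+PEPROCESS SourceProcess,
+PVOID SourceAddress,
+PEPROCESS TargetProcess,
+PVOID TargetAddress,
+SIZE_T BufferSize,
+KPROCESSOR_MODE PreviousMode,
+PSIZE_T ReturnSize
+);
+
+
+NTSTATUS KernelReadVirtualMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
+{
+PSIZE_T Bytes;
+return MmCopyVirtualMemory(Process, SourceAddress, PsGetCurrentProcess(), TargetAddress, Size, KernelMode, &Bytes);
+}
+
+NTSTATUS KernelWriteVirtualMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
+{
+PSIZE_T Bytes;
+return MmCopyVirtualMemory(PsGetCurrentProcess(), SourceAddress, Process, TargetAddress, Size, KernelMode, &Bytes);
+}
+
+
+
+NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath);
+NTSTATUS UnloadDriver(PDRIVER_OBJECT DriverObject);
+PLOAD_IMAGE_NOTIFY_ROUTINE ImageLoadCallback(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo);
+NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp);
+NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp);
+NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp);
+
+NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
+{
+UNREFERENCED_PARAMETER(RegistryPath);
+DriverObject->DriverUnload = UnloadDriver;
+//DbgPrintEx(0, 0, "Started");
+
+PsSetLoadImageNotifyRoutine(ImageLoadCallback);
+
+RtlInitUnicodeString(&dev, L"\\Device\\kbotl");
+RtlInitUnicodeString(&dos, L"\\DosDevices\\kbotl");
+
+IoCreateDevice(DriverObject, 0, &dev, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
+IoCreateSymbolicLink(&dos, &dev);
+
+DriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCall;
+DriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCall;
+DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoControl;
+
+pDeviceObject->Flags |= DO_DIRECT_IO;
+pDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
+
+return STATUS_SUCCESS;
+}
+
+NTSTATUS UnloadDriver(PDRIVER_OBJECT DriverObject)
+{
+//DbgPrintEx(0, 0, "Unloaded");
+
+
+PsRemoveLoadImageNotifyRoutine(ImageLoadCallback);
+IoDeleteSymbolicLink(&dos);
+IoDeleteDevice(DriverObject->DeviceObject);
+
+return STATUS_SUCCESS;
+
+}
+
+//searches for lol
+PLOAD_IMAGE_NOTIFY_ROUTINE ImageLoadCallback(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo)
+{
+
+if (wcsstr(FullImageName->Buffer, L"\\Riot Games\\League of Legends\\Game\\League of Legends.exe"))
+{
+
+//DbgPrintEx(0, 0, "Lol found\n");
+//DbgPrintEx(0, 0, "Found at PID: %d \n", ProcessId);
+
+ClientAddress = ImageInfo->ImageBase;
+processId = ProcessId;
+}
+
+return STATUS_SUCCESS;
+}
+
+NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
+{
+UNREFERENCED_PARAMETER(DeviceObject);
+NTSTATUS Status = STATUS_UNSUCCESSFUL;
+ULONG ByteIo = 0;
+
+PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
+
+
+//listen to user mode
+ULONG ControlCode = stack->Parameters.DeviceIoControl.IoControlCode;
+
+
+if(ControlCode == IO_READ_REQUEST)
+{
+
+PKERNEL_READ_REQUEST ReadInput = (PKERNEL_READ_REQUEST)Irp->AssociatedIrp.SystemBuffer;
+PKERNEL_READ_REQUEST ReadOutput = (PKERNEL_READ_REQUEST)Irp->AssociatedIrp.SystemBuffer;
+PEPROCESS Process;
+
+/*DbgPrintEx(0, 0, "PreValue: %lu , 0x%x\n", ReadOutput->pBuff, ReadOutput->pBuff);
+DbgPrintEx(0, 0, "PreValue2: %lu , 0x%x\n", ReadInput->pBuff, ReadInput->pBuff);*/
+
+if (NT_SUCCESS(PsLookupProcessByProcessId(ReadInput->ProcessId, &Process)))
+{
+KernelReadVirtualMemory(Process, ReadInput->Address, &ReadInput->pBuff, ReadInput->Size);
+}
+
+UNREFERENCED_PARAMETER(ReadOutput);
+/* DbgPrintEx(0, 0, "Read Params: %lu, %#010x, %d\n", ReadInput->ProcessId, ReadInput->Address, ReadInput->Size);
+DbgPrintEx(0, 0, "Value: %lu , 0x%x\n", ReadOutput->pBuff, ReadOutput->pBuff);
+DbgPrintEx(0, 0, "Value2: %lu , 0x%x\n", ReadInput->Address, ReadInput->Address);*/
+
+Status = STATUS_SUCCESS;
+ByteIo = sizeof(KERNEL_READ_REQUEST);
+}
+else if (ControlCode == IO_WRITE_REQUEST)
+{
+
+PKERNEL_WRITE_REQUEST WriteInput = (PKERNEL_WRITE_REQUEST)Irp->AssociatedIrp.SystemBuffer;
+PEPROCESS Process;
+
+if (NT_SUCCESS(PsLookupProcessByProcessId(WriteInput->ProcessId, &Process)))
+{
+KernelWriteVirtualMemory(Process, &WriteInput->pBuff, WriteInput->Address, WriteInput->Size);
+}
+
+//DbgPrintEx(0, 0, "Write Params: %lu, %#010x \n", WriteInput->pBuff, WriteInput->Address);
+
+Status = STATUS_SUCCESS;
+ByteIo = sizeof(KERNEL_WRITE_REQUEST);
+}
+else if (ControlCode == IO_GET_ID_REQUEST)
+{
+PULONG OutPut = (PULONG)Irp->AssociatedIrp.SystemBuffer;
+*OutPut = processId;
+
+//DbgPrintEx(0, 0, "Pid: %#010x", processId);
+Status = STATUS_SUCCESS;
+ByteIo = sizeof(*OutPut);
+}
+else if (ControlCode == IO_GET_MODULE_REQUEST)
+{
+PULONG OutPut = (PULONG)Irp->AssociatedIrp.SystemBuffer;
+*OutPut = ClientAddress;
+
+//DbgPrintEx(0, 0, "ClientAddress: %#010x", ClientAddress);
+Status = STATUS_SUCCESS;
+ByteIo = sizeof(*OutPut);
+}
+else
+{
+//DbgPrintEx(0, 0, "IoControl failed\n");
+Status = STATUS_INVALID_PARAMETER;
+ByteIo = 0;
+}
+
+Irp->IoStatus.Status = Status;
+Irp->IoStatus.Information = ByteIo;
+IoCompleteRequest(Irp, IO_NO_INCREMENT);
+
+return Status;
+}
+
+NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
+{
+UNREFERENCED_PARAMETER(DeviceObject);
+irp->IoStatus.Status = STATUS_SUCCESS;
+irp->IoStatus.Information = 0;
+
+//DbgPrintEx(0, 0, "CreateCall\n");
+
+IoCompleteRequest(irp, IO_NO_INCREMENT);
+return STATUS_SUCCESS;
+
+}
+
+NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
+{
+UNREFERENCED_PARAMETER(DeviceObject);
+irp->IoStatus.Status = STATUS_SUCCESS;
+irp->IoStatus.Information = 0;
+
+//DbgPrintEx(0, 0, "CloseCall\n");
+
+IoCompleteRequest(irp, IO_NO_INCREMENT);
+return STATUS_SUCCESS;
+
+}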
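Review bot: IoControl casts Irp->AssociatedIrp.SystemBuffer to KERNEL_READ_REQUEST, KERNEL_WRITE_REQUEST and PULONG without ever comparing stack->Parameters.DeviceIoControl.InputBufferLength / OutputBufferLength against the size it dereferences, and the read branch then copies a caller-supplied ReadInput->Size bytes into &ReadInput->pBuff, a pointer-sized field inside that same METHOD_BUFFERED pool allocation, so a short buffer or a Size above sizeof(PVOID) reads or writes past the system buffer in kernel mode; the write branch mirrors this by sourcing WriteInput->Size bytes from &WriteInput->pBuff. Every successful PsLookupProcessByProcessId leaks its reference because ObDereferenceObject is never called, and Status is forced to STATUS_SUCCESS even when the lookup or MmCopyVirtualMemory fails, so the caller cannot tell a failed copy from a real one. The device is created with plain IoCreateDevice and no security descriptor, so any local user who can open the kbotl device gets a cross-process read/write primitive; IoCreateDeviceSecure with a restrictive SDDL (or an access check in CreateCall) is the minimum, and the unchecked IoCreateDevice/IoCreateSymbolicLink results in DriverEntry mean pDeviceObject->Flags is dereferenced even when creation failed. In KernelReadVirtualMemory and KernelWriteVirtualMemory `PSIZE_T Bytes;` followed by `&Bytes` passes a SIZE_T** where a PSIZE_T is expected (masked by the disabled C4047); it should read `SIZE_T Bytes;`. A validated read branch is sketched below; the write branch needs the same length and Size checks plus the dereference.

```c
NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
/* … unchanged: locals, stack, ControlCode … */
if(ControlCode == IO_READ_REQUEST)
{
    /* METHOD_BUFFERED: input and output share SystemBuffer, both lengths must cover the struct */
    if (stack->Parameters.DeviceIoControl.InputBufferLength < sizeof(KERNEL_READ_REQUEST) ||
        stack->Parameters.DeviceIoControl.OutputBufferLength < sizeof(KERNEL_READ_REQUEST))
    {
        Status = STATUS_BUFFER_TOO_SMALL;
    }
    else
    {
        PKERNEL_READ_REQUEST ReadInput = (PKERNEL_READ_REQUEST)Irp->AssociatedIrp.SystemBuffer;
        PEPROCESS Process;

        /* pBuff is a pointer-sized field inside SystemBuffer; a larger Size would write past it */
        if (ReadInput->Size > sizeof(ReadInput->pBuff))
        {
            Status = STATUS_INVALID_PARAMETER;
        }
        else if (NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)ReadInput->ProcessId, &Process)))
        {
            Status = KernelReadVirtualMemory(Process, (PVOID)(ULONG_PTR)ReadInput->Address, &ReadInput->pBuff, ReadInput->Size);
            ObDereferenceObject(Process);   /* PsLookupProcessByProcessId returns a referenced object */
            ByteIo = NT_SUCCESS(Status) ? sizeof(KERNEL_READ_REQUEST) : 0;
        }
        else
        {
            Status = STATUS_NOT_FOUND;
        }
    }
}
/* … unchanged: write / get-id / get-module branches, completion … */
```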
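--- a/driver.inf
+++ b/driver.inf
@@ -0,0 +1,87 @@
+;
+; driver.inf
+;
+
+[Version]
+Signature="$WINDOWS NT$"
+Class=Sample ; TODO: edit Class
+ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
+Provider=%ManufacturerName%
+CatalogFile=driver.cat
+DriverVer= ; TODO: set DriverVer in stampinf property pages
+PnpLockDown=1
+
+[DestinationDirs]
+DefaultDestDir = 12
+driver_Device_CoInstaller_CopyFiles = 11
+
+; ================= Class section =====================
+
+[ClassInstall32]
+Addreg=SampleClassReg
+
+[SampleClassReg]
+HKR,,,0,%ClassName%
+HKR,,Icon,,-5
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+driver.sys = 1,,
+WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
+
+;*****************************************
+; Install Section
+;*****************************************
+
+[Manufacturer]
+%ManufacturerName%=Standard,NT$ARCH$
+
+[Standard.NT$ARCH$]
+%driver.DeviceDesc%=driver_Device, Root\driver ; TODO: edit hw-id
+
+[driver_Device.NT]
+CopyFiles=Drivers_Dir
+
+[Drivers_Dir]
+driver.sys
+
+;-------------- Service installation
+[driver_Device.NT.Services]
+AddService = driver,%SPSVCINST_ASSOCSERVICE%, driver_Service_Inst
+
+; -------------- driver driver install sections
+[driver_Service_Inst]
+DisplayName = %driver.SVCDESC%
+ServiceType = 1 ; SERVICE_KERNEL_DRIVER
+StartType = 3 ; SERVICE_DEMAND_START
+ErrorControl = 1 ; SERVICE_ERROR_NORMAL
+ServiceBinary = %12%\driver.sys
+
+;
+;--- driver_Device Coinstaller installation ------
+;
+
+[driver_Device.NT.CoInstallers]
+AddReg=driver_Device_CoInstaller_AddReg
+CopyFiles=driver_Device_CoInstaller_CopyFiles
+
+[driver_Device_CoInstaller_AddReg]
+HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
+
+[driver_Device_CoInstaller_CopyFiles]
+WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
+
+[driver_Device.NT.Wdf]
+KmdfService = driver, driver_wdfsect
+[driver_wdfsect]
+KmdfLibraryVersion = $KMDFVERSION$
+
+[Strings]
+SPSVCINST_ASSOCSERVICE= 0x00000002
+ManufacturerName="Google" ;TODO: Replace with your manufacturer name
+ClassName="drivers" ; TODO: edit ClassName
+DiskName = "driver Installation Disk"
+driver.DeviceDesc = "driver Device"
+driver.SVCDESC = "driver Service"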
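Review bot: The INF registers the driver as a KMDF service (`[driver_Device.NT.Wdf]`, `KmdfService = driver, driver_wdfsect`, and the WdfCoInstaller CopyFiles/AddReg sections) while the driver source in this same commit is a WDM driver that fills DriverObject->MajorFunction directly and never calls WdfDriverCreate; if it is meant to stay WDM, the Wdf and CoInstaller sections should be removed so the install does not register a co-installer the binary never uses. The WDK template TODOs are also still in place: `Class=Sample` with the sample ClassGuid, an empty `DriverVer=`, and `ManufacturerName="Google"`, which misattributes the provider in the installed driver package. The page also flags hidden bidirectional Unicode text in this file and the other two; before merging, confirm no bidi override characters are present, since they can make the reviewed text differ from what the INF parser and compiler actually read.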