#include "util.h"
#include "undocumented.h"
#include "com.h"
#include "ptutil.h"
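// Copies one T out of a METHOD_NEITHER input buffer. For a user-mode caller
// Type3InputBuffer is a raw user VA that the I/O manager has not validated, so
// the declared length is checked and the range is probed before it is read.
// ProbeForRead and the read itself can raise; call this inside __try/__except.
//
// @param inputBuffer   Irp stack Parameters.DeviceIoControl.Type3InputBuffer.
// @param inputLength   Parameters.DeviceIoControl.InputBufferLength.
// @param requestorMode Irp->RequestorMode; kernel callers are not probed.
// @param out           Receives the value on STATUS_SUCCESS.
// @return STATUS_INVALID_PARAMETER when the buffer is missing or too short.
template <typename T>
static NTSTATUS ReadInput(PVOID inputBuffer, ULONG inputLength, KPROCESSOR_MODE requestorMode, T* out)
{
    if (inputBuffer == nullptr || inputLength < sizeof(T))
    {
        return STATUS_INVALID_PARAMETER;
    }
    if (requestorMode != KernelMode)
    {
        ProbeForRead(inputBuffer, sizeof(T), alignof(T));
    }
    *out = *static_cast<const T*>(inputBuffer);
    return STATUS_SUCCESS;
}

// Validates the METHOD_NEITHER output pointer (Irp->UserBuffer) for `required`
// writable bytes against the length the caller declared. ProbeForWrite raises
// on a bad pointer, so call this inside __try/__except.
//
// @return STATUS_BUFFER_TOO_SMALL when the pointer is null, nothing is required,
//         or the declared length is shorter than `required`.
static NTSTATUS ProbeOutput(PVOID outputBuffer, ULONG outputLength, SIZE_T required, ULONG alignment, KPROCESSOR_MODE requestorMode)
{
    if (outputBuffer == nullptr || required == 0 || outputLength < required)
    {
        return STATUS_BUFFER_TOO_SMALL;
    }
    if (requestorMode != KernelMode)
    {
        ProbeForWrite(outputBuffer, required, alignment);
    }
    return STATUS_SUCCESS;
}

// IOCTL dispatch routine installed by SetupDevice. All four control codes are
// handled as METHOD_NEITHER: the input value is read from Type3InputBuffer and
// the result is written to Irp->UserBuffer, both of which are caller-owned
// memory, so every access is length-checked, probed and executed under SEH.
// Differences from the earlier version: a missing/short input or output buffer
// and an unknown control code now fail the request instead of completing it
// with STATUS_SUCCESS, and a faulting user pointer is turned into an error
// status instead of a bugcheck.
//
// NOTE(review): DumpPageTable/DumpPage receive only the output pointer, so the
// amount they write cannot be bounded here; they are expected to stay within
// OutputBufferLength — confirm in ptutil.h. If they acquire resources before
// touching the user buffer, a fault inside them would skip their cleanup.
//
// @param device Unused.
// @param irp    The IRP; completed here with IO_NO_INCREMENT in every path.
// @return The status also stored in irp->IoStatus.Status.
NTSTATUS DriverDispatch(PDEVICE_OBJECT device, PIRP irp)
{
    UNREFERENCED_PARAMETER(device);

    const PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(irp);
    const auto& params = irpStack->Parameters.DeviceIoControl;
    const PVOID inputBuffer = params.Type3InputBuffer;
    const ULONG inputLength = params.InputBufferLength;
    const ULONG outputLength = params.OutputBufferLength;
    const KPROCESSOR_MODE requestorMode = irp->RequestorMode;
    // Default for control codes this driver does not implement.
    NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;

    __try
    {
        switch (params.IoControlCode)
        {
        case IOCTL_DIRBASE:
        {
            HANDLE pid = nullptr;
            status = ReadInput(inputBuffer, inputLength, requestorMode, &pid);
            if (NT_SUCCESS(status))
            {
                status = ProbeOutput(irp->UserBuffer, outputLength, sizeof(ULONG64), alignof(ULONG64), requestorMode);
            }
            if (NT_SUCCESS(status))
            {
                PEPROCESS proc = nullptr;
                status = PsLookupProcessByProcessId(pid, &proc);
                if (NT_SUCCESS(status))
                {
                    const ULONG64 dirbase = PsGetDirbase(proc);
                    // Drop the lookup reference before touching user memory so a
                    // fault on the write below cannot leak it.
                    ObDereferenceObject(proc);
                    *static_cast<ULONG64*>(irp->UserBuffer) = dirbase;
                }
            }
            break;
        }
        case IOCTL_DUMP_PT:
        case IOCTL_DUMP_PAGE:
        case IOCTL_DUMP_LARGE_PAGE:
        {
            ULONG64 pfn = 0;
            status = ReadInput(inputBuffer, inputLength, requestorMode, &pfn);
            if (NT_SUCCESS(status))
            {
                // The helpers' output size is not visible here, so probe the whole
                // declared length; a zero-length output buffer is rejected.
                status = ProbeOutput(irp->UserBuffer, outputLength, outputLength, 1, requestorMode);
            }
            if (NT_SUCCESS(status))
            {
                if (params.IoControlCode == IOCTL_DUMP_PT)
                {
                    status = DumpPageTable(pfn, irp->UserBuffer);
                }
                else
                {
                    const bool largePage = params.IoControlCode == IOCTL_DUMP_LARGE_PAGE;
                    status = DumpPage(pfn, largePage, irp->UserBuffer);
                }
            }
            break;
        }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // Raised by ProbeForRead/ProbeForWrite or by a direct user-buffer access
        // (e.g. STATUS_ACCESS_VIOLATION / STATUS_DATATYPE_MISALIGNMENT).
        status = GetExceptionCode();
    }

    irp->IoStatus.Information = 0;
    irp->IoStatus.Status = status;
    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return status;
}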
// Initialization callback handed to IoCreateDriver by DriverEntry, i.e. the
// path taken when DriverEntry was not reached through the normal loader.
// RegistryPath is unused; the only work is installing DriverDispatch through
// SetupDevice, exactly as the normal path does.
//
// @return The status returned by SetupDevice.
NTSTATUS ManualDriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    const NTSTATUS setupStatus = SetupDevice(DriverObject, DriverDispatch);
    return setupStatus;
}
// Driver entry point. When the I/O manager loaded us, DriverObject->DriverInit
// points at this function and the device is set up directly. Otherwise (no
// driver object, or one whose DriverInit is not DriverEntry — the original
// comment calls this the manually-mapped case) a driver object named
// \Driver\PTView is created with IoCreateDriver (declared in one of the
// included headers, presumably undocumented.h) and ManualDriverEntry finishes
// the setup. RegistryPath is not used on either path.
//
// @return SetupDevice's status on the normal path, IoCreateDriver's otherwise.
NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    const bool loadedByIoManager = DriverObject != nullptr && DriverObject->DriverInit == DriverEntry;
    if (loadedByIoManager)
    {
        return SetupDevice(DriverObject, DriverDispatch);
    }

    // Create driver if manually mapped
    UNICODE_STRING driverName = RTL_CONSTANT_STRING(L"\\Driver\\PTView");
    const NTSTATUS createStatus = IoCreateDriver(&driverName, ManualDriverEntry);
    DbgPrintEx(0, 0, "IoCreateDriver -> %lx", createStatus);
    return createStatus;
}