Don't really remember where i grabbed this driver from, but it was a BIOS IO tool by Asus iirc.
Exposes ZwMapViewOfSection ioctl for mapping/unmapping arbitrary physical memory to usermode.
uintptr_t GetSystemCR3();
// two ways: walk physical pages for the 0xa0 magic or by leaking eprocess->dtb field superfetch translate and read physical address directly
uintptr_t GetProcessCr3(const wchar_t* ProcessName);
// leak eprocess->dtb from usermode; superfetch translate and read physical address directly
uintptr_t MapPhysical(_In_ ULONG_PTR PhysicalAddress, _In_ ULONG NumberOfBytes, _Inout_ HANDLE* SectionHandle, _Inout_ PVOID* Object);
bool UnmapPhysical(_In_ PVOID AdressToUnmap, HANDLE Section, PVOID Object);
bool ReadPhysicalMemory(uintptr_t physical_address, void* output, unsigned long size);
bool WritePhysicalMemory(uintptr_t physical_address, void* data, unsigned long size);
BOOL SwitchSystemContext();
// wrapper pretty much, to switch cr3 for virtual read contexts to the system cr3
BOOL SwitchProcessContext(const wchar_t* ProcessName);
// wrapper pretty much, to switch cr3 for virtual read contexts to any process by name easily
UINT64 TranslateLinearAddress(_In_ UINT64 VirtualAddress);
bool ReadVirtualMemory(PVOID Source, PVOID Buffer, ULONG Size);
bool WriteVirtualMemory(PVOID Source, PVOID Buffer, ULONG Size);Was used in my other project recently:
- BusterCall - "Bypassing" HVCI via donor PFN swaps to modify read-only code pages. Call chained kernel functions (kCET and SLAT support), modify read-only code pages, and more.