Untitled

This is a Windows kernel-mode driver that loads and maps another driver into kernel memory. It performs various checks to ensure that the driver being loaded is valid and that it is compatible with the current operating system architecture.

The function MapDriver takes a path to the driver file to be loaded as an input parameter. The driver file is read into memory using the ReadAllBytes function, which returns a vector of bytes that contains the contents of the file. The function then checks if the size of the file is zero and returns STATUS_UNSUCCESSFUL if it is.

The function then creates an instance of the LenovoMemoryMgr class, which is a custom class that provides access to various kernel functions that are needed to map the driver. It calls the Init method of this class to initialize it, passing in the name of a system service. If the initialization is successful, it proceeds with the driver mapping; otherwise, it returns STATUS_UNSUCCESSFUL after calling the Shutdown method of the LenovoMemoryMgr class to clean up any resources that were allocated during the initialization.

The function then checks if the driver file has a valid DOS header by checking the e_magic field of the IMAGE_DOS_HEADER structure that is located at the beginning of the file. If the e_magic field is not equal to 0x5A4D (the ASCII code for the letters "MZ"), the function returns STATUS_UNSUCCESSFUL after calling the Shutdown method of the LenovoMemoryMgr class.

The function then parses the PE header of the driver file to obtain the IMAGE_NT_HEADERS structure, which contains information about the architecture, size, and entry point of the driver. It checks if the architecture of the driver is compatible with the current system architecture (i.e., x64), and if not, it returns STATUS_UNSUCCESSFUL after calling the Shutdown method of the LenovoMemoryMgr class.

The function then calculates the aligned size of the driver image, which is the size of the image rounded up to the nearest multiple of the page size. It uses the VirtualAlloc function to allocate in the kernel address space for the driver image, using the aligned size as the allocation size. If the allocation fails, the function returns STATUS_UNSUCCESSFUL after calling the Shutdown method of the LenovoMemoryMgr class.

The function then calls the LenovoMemoryMgr::MmCopyMemory method to copy the contents of the driver file into the allocated memory, and then calls the LenovoMemoryMgr::MmProtectMemory method to set the protection level of the memory to read, write, and execute. This is necessary to allow the driver code to be executed.

The function then calls the LenovoMemoryMgr::MmGetModuleBase method to obtain the base address of the kernel module that is responsible for loading drivers. This address is needed to properly set up the import table of the driver, which contains references to functions in other kernel modules that the driver depends on.

The function then calls the LenovoMemoryMgr::MmRelocateImage method to perform the necessary relocations on the driver image. Relocations are necessary because the driver may contain references to memory addresses that are specific to the address space of the process that created the driver image. The MmRelocateImage method adjusts these references to work correctly in the kernel address space.

The function then calls the LenovoMemoryMgr::MmSetupImportTable method to set up the import table of the driver, using the base address of the kernel module that was obtained earlier. This ensures that the driver can access the functions it needs from other kernel modules.

Finally, the function calls the entry point of the driver, which is specified in the IMAGE_NT_HEADERS structure. If the driver initializes successfully, the function returns STATUS_SUCCESS. Otherwise, it returns STATUS_UNSUCCESSFUL after calling the Shutdown method of the LenovoMemoryMgr class to clean up any resources that were allocated during the driver loading process.