  1. #include <ntddk.h>
  2. #include <ntdef.h>
  3. #include <ntifs.h>
  4.  
//Read write
//NOTE(review): the last CTL_CODE argument is the access the caller's handle must
//hold. FILE_SPECIAL_ACCESS is, as far as I know, an alias of FILE_ANY_ACCESS, so
//no particular right is required: any process that can open the device can issue
//these codes. The only other gate would be the device object's security
//descriptor, and DriverEntry in this listing does not configure one.
#define IO_READ_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IO_WRITE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

//Process id and module request
//NOTE(review): neither of these two codes is handled by IoControl in this listing.
#define IO_GET_ID_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x3, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IO_GET_MODULE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x4, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
  12.  
PDEVICE_OBJECT pDeviceObject; //Device object created by IoCreateDevice in DriverEntry (not the driver object)
UNICODE_STRING dev;           //NT device name ("\Device\kernel_IO"), initialised in DriverEntry
UNICODE_STRING dos;           //Symbolic-link name, initialised in DriverEntry and deleted in UnloadDriver.
                              //NOTE(review): no IoCreateSymbolicLink call appears anywhere in this
                              //listing, so UnloadDriver deletes a link that is never created.

ULONG csgoId;                 //Not referenced anywhere in this listing
ULONG ClientAddress;          //Not referenced anywhere in this listing
  19.  
//Request layout shared with user mode for IO_READ_REQUEST. With METHOD_BUFFERED
//the same SystemBuffer serves as input and output, so 'response' is written in place.
//NOTE(review): every field is caller-controlled and IoControl validates none of
//them: 'address' is a 32-bit integer that is converted to a pointer (truncated on
//a 64-bit kernel), and 'size' bytes are copied into the 4-byte 'response' field,
//so any size larger than sizeof(ULONG) overruns the system buffer.
typedef struct _KERNEL_READ_REQUEST
{
    ULONG processId;  //Target process id (handed to PsLookupProcessByProcessId)
    ULONG address;    //Address to read inside the target process
    ULONG size;       //Number of bytes to read — never checked against sizeof(response)
    ULONG response;   //Receives the bytes read; only 4 bytes wide
} KERNEL_READ_REQUEST, *PKERNEL_READ_REQUEST;
  27.  
//Request layout intended for IO_WRITE_REQUEST.
//NOTE(review): unused in this listing — IoControl's IO_WRITE_REQUEST branch casts
//the buffer to PKERNEL_READ_REQUEST and performs a read instead of a write.
typedef struct _KERNEL_WRITE_REQUEST
{
    ULONG processId;  //Target process id
    ULONG address;    //Address to write inside the target process
    ULONG size;       //Number of bytes to write
    ULONG value;      //Value to write
} KERNEL_WRITE_REQUEST, *PKERNEL_WRITE_REQUEST;
  35.  
//Local prototype: MmCopyVirtualMemory is exported by the kernel but not declared
//in the public WDK headers. previousMode presumably controls whether the two
//addresses are probed as user-mode pointers — confirm; both wrappers in this file
//pass KernelMode, which is why address validation has to happen in the caller.
NTSTATUS NTAPI MmCopyVirtualMemory(PEPROCESS sourceProcess, PVOID sourceAddress, PEPROCESS targetProcess, PVOID targetAddress, SIZE_T bufferSize, KPROCESSOR_MODE previousMode, PSIZE_T returnSize);
  37.  
  38.  
//Unload driver
//Deletes the symbolic link and the device object.
//NOTE(review): DriverEntry in this listing never assigns this routine to
//pDriverObject->DriverUnload, so as written it is never invoked.
NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    //NOTE(review): DbgPrint's first parameter is the format string; passing 0
    //hands it a null format. The (0, 0, "...") layout is DbgPrintEx's
    //(ComponentId, Level, Format) — the two routines appear to be confused.
    //The same pattern recurs in every routine of this file.
    DbgPrint(0, 0, "Unload routine called...\n");

    IoDeleteSymbolicLink(&dos);                  //No matching IoCreateSymbolicLink exists in this listing
    IoDeleteDevice(pDriverObject->DeviceObject); //Walks the driver's device list rather than using the global pDeviceObject

    //NOTE(review): declared NTSTATUS but falls off the end without a return
    //statement; the value seen by the caller is indeterminate.
}
  48.  
//Create Call
//Create handler: completes every open of the device with STATUS_SUCCESS and
//no data. Nothing about the caller is examined here, so every process that can
//open the device name ends up with a handle able to issue the memory IOCTLs.
//NOTE(review): DriverEntry in this listing never installs this routine in the
//MajorFunction table. DbgPrint is invoked with DbgPrintEx's argument layout
//(0 in the format-string position); reproduced unchanged from the original.
NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
    NTSTATUS result = STATUS_SUCCESS;

    (void)DeviceObject;   //unused

    DbgPrint(0, 0, "Create call routine called...\n");

    irp->IoStatus.Information = 0;   //no bytes transferred
    irp->IoStatus.Status = result;
    IoCompleteRequest(irp, IO_NO_INCREMENT);

    return result;
}
  61.  
//Close call
//Close handler: completes the IRP with STATUS_SUCCESS and no data. No
//per-handle state exists in this driver, so there is nothing to release.
//NOTE(review): DriverEntry in this listing never installs this routine in the
//MajorFunction table. DbgPrint is invoked with DbgPrintEx's argument layout
//(0 in the format-string position); reproduced unchanged from the original.
NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
    NTSTATUS result = STATUS_SUCCESS;

    (void)DeviceObject;   //unused

    DbgPrint(0, 0, "Close call routine called...\n");

    irp->IoStatus.Information = 0;   //no bytes transferred
    irp->IoStatus.Status = result;
    IoCompleteRequest(irp, IO_NO_INCREMENT);

    return result;
}
  74.  
  75.  
//Write function
//Copies 'size' bytes from sourceAddress in the calling (current) process into
//targetAddress inside targetProcess. Every non-success status from
//MmCopyVirtualMemory is collapsed into STATUS_ACCESS_DENIED, so a caller cannot
//tell an invalid address from a genuine access failure.
//NOTE(review): previousMode is KernelMode, so the addresses are presumably not
//probed as user-mode pointers — confirm; any validation therefore has to happen
//in the IOCTL handler, and none is present there. The byte count reported back
//is not inspected, so a partial copy (if the routine can report one with a
//success status) is treated as complete.
//NOTE(review): not called from anywhere in this listing.
NTSTATUS KernelWriteVirtualMemory(PEPROCESS targetProcess, PVOID sourceAddress, PVOID targetAddress, SIZE_T size)
{
    SIZE_T bytesCopied = 0;   //out-parameter of MmCopyVirtualMemory; not inspected
    NTSTATUS copyStatus = MmCopyVirtualMemory(PsGetCurrentProcess(), sourceAddress,
                                              targetProcess, targetAddress,
                                              size, KernelMode, &bytesCopied);

    return NT_SUCCESS(copyStatus) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}
  84.  
//Read function
//Copies 'size' bytes from sourceAddress inside targetProcess into targetAddress
//in the calling (current) process. Every non-success status from
//MmCopyVirtualMemory is collapsed into STATUS_ACCESS_DENIED, so a caller cannot
//tell an invalid address from a genuine access failure.
//NOTE(review): previousMode is KernelMode, so the addresses are presumably not
//probed as user-mode pointers — confirm; any validation therefore has to happen
//in the IOCTL handler, and none is present there. The byte count reported back
//is not inspected, so a partial copy (if the routine can report one with a
//success status) is treated as complete.
NTSTATUS KernelReadVirtualMemory(PEPROCESS targetProcess, PVOID sourceAddress, PVOID targetAddress, SIZE_T size)
{
    SIZE_T bytesCopied = 0;   //out-parameter of MmCopyVirtualMemory; not inspected
    NTSTATUS copyStatus = MmCopyVirtualMemory(targetProcess, sourceAddress,
                                              PsGetCurrentProcess(), targetAddress,
                                              size, KernelMode, &bytesCopied);

    return NT_SUCCESS(copyStatus) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}
  93.  
  94.  
//IOCTL Call handler
//Dispatches IO_READ_REQUEST / IO_WRITE_REQUEST on the METHOD_BUFFERED system
//buffer. Read this routine as the driver's attack surface: every field of the
//request is caller-controlled and none is validated before use.
//NOTE(review): defects visible in this routine, in order of appearance:
//  - stack->Parameters.DeviceIoControl.InputBufferLength / OutputBufferLength
//    are never compared with sizeof(KERNEL_READ_REQUEST); a short buffer makes
//    the field accesses below read past the end of SystemBuffer.
//  - PsLookupProcessByProcessId takes a HANDLE but is given a ULONG. On success
//    it hands back a referenced EPROCESS that is never released with
//    ObDereferenceObject — one object reference leaks per request.
//  - readInput->size bytes are copied to &readInput->response, a 4-byte field;
//    any size above sizeof(ULONG) overruns the system buffer (kernel pool).
//  - The IRP is never completed (no IoCompleteRequest on any path) and the
//    function has no return statement, although status/bytesIO are computed.
//  - DbgPrint is called with DbgPrintEx's argument layout (0 as the format).
//  - deviceObject is unused.
NTSTATUS IoControl(PDEVICE_OBJECT deviceObject, PIRP irp)
{
    NTSTATUS status;   //Assigned but never returned or stored into the IRP
    ULONG bytesIO;     //Assigned but never stored into irp->IoStatus.Information

    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(irp);

    //Control code received from user space
    ULONG controlCode = stack->Parameters.DeviceIoControl.IoControlCode;

    if (controlCode == IO_READ_REQUEST)
    {
        //METHOD_BUFFERED: input and output alias the same system buffer, so
        //readInput and readOutput point at the same KERNEL_READ_REQUEST.
        PKERNEL_READ_REQUEST readInput = (PKERNEL_READ_REQUEST)irp->AssociatedIrp.SystemBuffer;
        PKERNEL_READ_REQUEST readOutput = (PKERNEL_READ_REQUEST)irp->AssociatedIrp.SystemBuffer;

        PEPROCESS process;
        if (NT_SUCCESS(PsLookupProcessByProcessId(readInput->processId, &process)))
        {
            //Return value ignored: on failure 'response' still holds the caller's input.
            //readInput->address (ULONG) is converted to PVOID here — truncated on 64-bit.
            //readInput->size is unbounded while the destination is 4 bytes wide.
            KernelReadVirtualMemory(process, readInput->address, &readInput->response, readInput->size);
            //NOTE(review): the reference taken by PsLookupProcessByProcessId is
            //never dropped (missing ObDereferenceObject(process)).
        }

        DbgPrint(0, 0, "Read params: %lu, %#010x \n", readInput->processId, readInput->address);
        DbgPrint(0, 0, "Value: %lu \n", readOutput->response);

        status = STATUS_SUCCESS;
        bytesIO = sizeof(IO_READ_REQUEST);   //sizeof the control-code constant (a ULONG), not sizeof(KERNEL_READ_REQUEST)
    }
    else if (controlCode == IO_WRITE_REQUEST)
    {
        //NOTE(review): this branch is a copy of the read branch — it casts the
        //buffer to the read layout and performs a read. KERNEL_WRITE_REQUEST
        //and KernelWriteVirtualMemory are never used.
        PKERNEL_READ_REQUEST readInput = (PKERNEL_READ_REQUEST)irp->AssociatedIrp.SystemBuffer;
        PKERNEL_READ_REQUEST readOutput = (PKERNEL_READ_REQUEST)irp->AssociatedIrp.SystemBuffer;

        PEPROCESS process;
        //Result unchecked: on failure 'process' stays uninitialised and is still
        //passed to KernelReadVirtualMemory below.
        PsLookupProcessByProcessId(readInput->processId, &process);

        KernelReadVirtualMemory(process, readInput->address, &readInput->response, readInput->size);

        DbgPrint(0, 0, "Read params: %lu, %#010x \n", readInput->processId, readInput->address);
        DbgPrint(0, 0, "Value: %lu \n", readOutput->response);

        status = STATUS_SUCCESS;
        bytesIO = sizeof(IO_READ_REQUEST);   //same sizeof mistake as in the read branch
    }
    //Any other control code falls through with status/bytesIO unset.
    //No path completes the IRP or returns a value.

}
  142.  
//ENTRY--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
//Driver entry point.
//NOTE(review): as written this routine only names and creates the device. It
//does not set pDriverObject->DriverUnload or any MajorFunction entry (so
//CreateCall, CloseCall, IoControl and UnloadDriver are never reached), does not
//create the symbolic link that UnloadDriver later deletes, ignores the
//IoCreateDevice status, and returns nothing although declared NTSTATUS.
//From a hardening standpoint: no security descriptor is supplied for a device
//whose IOCTLs expose cross-process memory access, so as far as this listing
//shows nothing restricts which callers may open it; IoCreateDeviceSecure with a
//restrictive SDDL is the usual control. pRegistryPath is unused.

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    DbgPrint(0, 0, "Driver Loaded!");   //DbgPrintEx-style argument layout: 0 is passed where the format string belongs

    //Device and symbolic-link names (not registry paths)
    RtlInitUnicodeString(&dev, L"\\Device\\kernel_IO");
    RtlInitUnicodeString(&dos, L"\\DosDevice\\kernel_IO");   //NOTE(review): the object directory is "\DosDevices" (plural); this name does not resolve as intended


    //Return value unchecked; pDeviceObject is not guaranteed valid afterwards.
    IoCreateDevice(pDriverObject, 0, &dev, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
    //NOTE(review): no return statement — the load status seen by the I/O manager is indeterminate.
}