- #include <ntddk.h>
- #include <ntdef.h>
- #include <ntifs.h>
//Read write
// IOCTL codes for the read and write requests. METHOD_BUFFERED: the I/O
// manager copies the caller's buffer into irp->AssociatedIrp.SystemBuffer
// and copies it back on completion, so the driver never touches user
// addresses directly for the request itself. FILE_SPECIAL_ACCESS is
// FILE_ANY_ACCESS, so no particular access right on the device handle is
// required to issue these codes.
#define IO_READ_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IO_WRITE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
//Process id and module request
// Defined but not handled anywhere in this file.
#define IO_GET_ID_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x3, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IO_GET_MODULE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x4, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
PDEVICE_OBJECT pDeviceObject; //Device object created by IoCreateDevice in DriverEntry (not the driver object)
UNICODE_STRING dev; //NT device name, initialised in DriverEntry
UNICODE_STRING dos; //DOS symbolic-link name, initialised in DriverEntry and deleted in UnloadDriver
ULONG csgoId; //Not referenced anywhere in this file
ULONG ClientAddress; //Not referenced anywhere in this file
// Request layout shared with user mode. It arrives through SystemBuffer,
// so every field is caller-controlled and untrusted until validated.
typedef struct _KERNEL_READ_REQUEST
{
    ULONG processId; //Target process id (untrusted)
    ULONG address; //Address to read; 32-bit, so it cannot express a 64-bit address
    ULONG size; //Size to read; no upper bound is enforced by this file
    ULONG response; //Return value: only 4 bytes of storage for the read result
} KERNEL_READ_REQUEST, *PKERNEL_READ_REQUEST;
// Write request layout. Not referenced by IoControl in this file (its
// IO_WRITE_REQUEST branch reuses KERNEL_READ_REQUEST).
typedef struct _KERNEL_WRITE_REQUEST
{
    ULONG processId; //Target
    ULONG address; //Address to write
    ULONG size; //Size to write
    ULONG value; //Value to write
} KERNEL_WRITE_REQUEST, *PKERNEL_WRITE_REQUEST;
// Hand-written prototype: MmCopyVirtualMemory is not declared in the
// public WDK headers, so it is declared locally. NOTE(review): the
// parameter types here are not checked against anything in this file;
// confirm them against the target kernel build.
NTSTATUS NTAPI MmCopyVirtualMemory(PEPROCESS sourceProcess, PVOID sourceAddress, PEPROCESS targetProcess, PVOID targetAddress, SIZE_T bufferSize, KPROCESSOR_MODE previousMode, PSIZE_T returnSize);
//Unload driver
// Unload routine: deletes the symbolic link named in `dos` and the
// driver's device object.
// NOTE(review): DRIVER_UNLOAD callbacks return VOID; this one is declared
// NTSTATUS and has no return statement, so its return value is undefined.
// Neither IoDeleteSymbolicLink's status nor whether the link/device were
// ever created is checked. With the WDK signature DbgPrint(PCSTR Format,
// ...), the leading 0, 0 pass a NULL format pointer (DbgPrintEx is the
// variant that takes a component id and level first).
NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    DbgPrint(0, 0, "Unload routine called...\n");
    IoDeleteSymbolicLink(&dos);
    IoDeleteDevice(pDriverObject->DeviceObject);
}
//Create Call
// IRP_MJ_CREATE dispatch: accepts every open of the device unconditionally
// and completes the IRP with STATUS_SUCCESS and zero bytes transferred.
// No check on who is opening the device is made here. (DbgPrint's first
// parameter is the format string; the leading 0, 0 hand it a NULL format.
// The call is reproduced unchanged.)
NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
    PIO_STATUS_BLOCK iosb = &irp->IoStatus;
    UNREFERENCED_PARAMETER(DeviceObject);

    DbgPrint(0, 0, "Create call routine called...\n");

    iosb->Status = STATUS_SUCCESS;
    iosb->Information = 0;
    // The IRP must not be touched after completion; return the constant.
    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
//Close call
// IRP_MJ_CLOSE dispatch: completes the IRP with STATUS_SUCCESS and no
// bytes transferred; nothing is torn down per handle. (DbgPrint's first
// parameter is the format string; the leading 0, 0 hand it a NULL format.
// The call is reproduced unchanged.)
NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
    const NTSTATUS result = STATUS_SUCCESS;
    UNREFERENCED_PARAMETER(DeviceObject);

    DbgPrint(0, 0, "Close call routine called...\n");

    irp->IoStatus.Information = 0;
    irp->IoStatus.Status = result;
    IoCompleteRequest(irp, IO_NO_INCREMENT);

    return result;
}
//Write function
// Copies `size` bytes from `sourceAddress` in the current (calling)
// process into `targetAddress` inside `targetProcess` using
// MmCopyVirtualMemory. Returns STATUS_SUCCESS when the copy succeeds and
// STATUS_ACCESS_DENIED otherwise; the underlying status and the number of
// bytes actually copied are discarded. No validation of the addresses or
// of `size` happens here; the caller must guarantee both buffers are at
// least `size` bytes. NOTE(review): previousMode is KernelMode, which
// presumably skips the user-address probing done for UserMode — confirm.
NTSTATUS KernelWriteVirtualMemory(PEPROCESS targetProcess, PVOID sourceAddress, PVOID targetAddress, SIZE_T size)
{
    SIZE_T copied = 0;
    NTSTATUS copyStatus = MmCopyVirtualMemory(PsGetCurrentProcess(), sourceAddress,
                                              targetProcess, targetAddress,
                                              size, KernelMode, &copied);
    return NT_SUCCESS(copyStatus) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}
//Read function
// Copies `size` bytes from `sourceAddress` inside `targetProcess` into
// `targetAddress` in the current (calling) process using
// MmCopyVirtualMemory. Returns STATUS_SUCCESS when the copy succeeds and
// STATUS_ACCESS_DENIED otherwise; the underlying status and the number of
// bytes actually copied are discarded. Nothing here bounds `size` against
// the destination buffer; that is the caller's responsibility.
// NOTE(review): previousMode is KernelMode, which presumably skips the
// user-address probing done for UserMode — confirm.
NTSTATUS KernelReadVirtualMemory(PEPROCESS targetProcess, PVOID sourceAddress, PVOID targetAddress, SIZE_T size)
{
    SIZE_T copied = 0;
    NTSTATUS copyStatus = MmCopyVirtualMemory(targetProcess, sourceAddress,
                                              PsGetCurrentProcess(), targetAddress,
                                              size, KernelMode, &copied);
    if (!NT_SUCCESS(copyStatus))
    {
        return STATUS_ACCESS_DENIED;
    }
    return STATUS_SUCCESS;
}
//IOCTL Call handler
// IRP_MJ_DEVICE_CONTROL dispatch. Interprets the METHOD_BUFFERED
// SystemBuffer as a KERNEL_READ_REQUEST, resolves the target process and
// copies `size` bytes from `address` in that process into the request's
// `response` field (which is then copied back to the caller).
//
// NOTE(review): defects visible in this function:
//  - Declared NTSTATUS but has no return statement, and never calls
//    IoCompleteRequest or stores `status`/`bytesIO` into irp->IoStatus:
//    the IRP is left uncompleted and the return value is undefined.
//  - stack->Parameters.DeviceIoControl.InputBufferLength /
//    OutputBufferLength are never compared with
//    sizeof(KERNEL_READ_REQUEST) before SystemBuffer is dereferenced, so
//    an undersized caller buffer is read and written out of bounds.
//  - readInput->size (caller-controlled) is the copy length into
//    &readInput->response, a 4-byte field: any size larger than 4 overruns
//    the kernel-side SystemBuffer.
//  - PsLookupProcessByProcessId returns a referenced EPROCESS that is
//    never released with ObDereferenceObject (one reference leaked per
//    request).
//  - No final else: an unrecognised control code leaves status and
//    bytesIO unset.
//  - No authorisation beyond being able to open the device. This is an
//    arbitrary cross-process memory read exposed to user mode, the class
//    of capability that vulnerable-driver blocklists exist to stop.
NTSTATUS IoControl(PDEVICE_OBJECT deviceObject, PIRP irp)
{
    NTSTATUS status;
    ULONG bytesIO;
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(irp);
    //Code received from user space
    ULONG controlCode = stack->Parameters.DeviceIoControl.IoControlCode;
    if (controlCode == IO_READ_REQUEST)
    {
        // Under METHOD_BUFFERED input and output alias the same buffer.
        PKERNEL_READ_REQUEST readInput = (PKERNEL_READ_REQUEST)irp->AssociatedIrp.SystemBuffer;
        PKERNEL_READ_REQUEST readOutput = (PKERNEL_READ_REQUEST)irp->AssociatedIrp.SystemBuffer;
        PEPROCESS process; // only assigned when the lookup succeeds
        if (NT_SUCCESS(PsLookupProcessByProcessId(readInput->processId, &process)))
        {
            // The ULONG `address` is converted to PVOID implicitly; the copy's
            // status is discarded, so `response` may be unchanged on failure.
            KernelReadVirtualMemory(process, readInput->address, &readInput->response, readInput->size);
        }
        // DbgPrint's first parameter is the format string; the leading 0, 0
        // pass a NULL format (DbgPrintEx is the variant taking id and level).
        DbgPrint(0, 0, "Read params: %lu, %#010x \n", readInput->processId, readInput->address);
        DbgPrint(0, 0, "Value: %lu \n", readOutput->response);
        status = STATUS_SUCCESS;
        // sizeof of the IOCTL code macro (a 32-bit integer constant), not of
        // KERNEL_READ_REQUEST, so this is 4 rather than the struct size.
        bytesIO = sizeof(IO_READ_REQUEST);
    }
    else if (controlCode == IO_WRITE_REQUEST)
    {
        // This branch duplicates the read branch: it uses the read request
        // layout and KernelReadVirtualMemory, so IO_WRITE_REQUEST performs a
        // read, not a write.
        PKERNEL_READ_REQUEST readInput = (PKERNEL_READ_REQUEST)irp->AssociatedIrp.SystemBuffer;
        PKERNEL_READ_REQUEST readOutput = (PKERNEL_READ_REQUEST)irp->AssociatedIrp.SystemBuffer;
        PEPROCESS process;
        // Lookup status ignored: on failure `process` is still uninitialised
        // when it is passed to KernelReadVirtualMemory below.
        PsLookupProcessByProcessId(readInput->processId, &process);
        KernelReadVirtualMemory(process, readInput->address, &readInput->response, readInput->size);
        // Same DbgPrint argument issue as in the read branch.
        DbgPrint(0, 0, "Read params: %lu, %#010x \n", readInput->processId, readInput->address);
        DbgPrint(0, 0, "Value: %lu \n", readOutput->response);
        status = STATUS_SUCCESS;
        // Same sizeof issue as in the read branch: yields 4, not the struct size.
        bytesIO = sizeof(IO_READ_REQUEST);
    }
}
//ENTRY--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
// Driver entry point: initialises the device and symbolic-link name
// strings and creates the device object.
// NOTE(review): declared NTSTATUS with no return statement, so the status
// the I/O manager receives is undefined. IoCreateDevice's status is not
// checked, so pDeviceObject cannot be relied on if it fails. No security
// descriptor is supplied (IoCreateDevice rather than IoCreateDeviceSecure),
// so who may open the device is left to the default device DACL.
// pRegistryPath is unused. With the WDK signature DbgPrint(PCSTR Format,
// ...), the leading 0, 0 pass a NULL format pointer.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    DbgPrint(0, 0, "Driver Loaded!");
    //Set the device name and the DOS symbolic-link name (not registry paths)
    RtlInitUnicodeString(&dev, L"\\Device\\kernel_IO");
    RtlInitUnicodeString(&dos, L"\\DosDevice\\kernel_IO");
    // FILE_DEVICE_SECURE_OPEN asks the I/O manager to apply the device
    // object's security to opens of names relative to it as well.
    IoCreateDevice(pDriverObject, 0, &dev, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
}