
Windows Driver PoC | Take Ownership of Win Store NieR:Automata Binary

Oct 17th, 2021 (edited)
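// e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - JEREMY SHA-256 EXE
//
// NOTE(review): that digest is SHA-256 of the empty input (0 bytes). Whatever was
// hashed to produce it was an empty file, not the game binary. This is consistent
// with the original open below: FILE_OPEN_IF on a mistyped/absent source path creates
// a new 0-byte file and the copy loop then transfers nothing.

/*
 * Copies exactly `Length` bytes from the start of hSrc to the start of hDst in
 * sizeof(Buffer)-byte chunks using the synchronous Zw file API.
 *
 * Both handles must have been opened with FILE_SYNCHRONOUS_IO_NONALERT (so the
 * calls return only after completion and IoStatusBlock.Information is the byte
 * count actually transferred) and the caller must be at PASSIVE_LEVEL.
 *
 * Returns STATUS_SUCCESS when all `Length` bytes were written, the NTSTATUS of the
 * first failing Zw call, STATUS_END_OF_FILE if the source turns out shorter than
 * `Length`, or STATUS_UNSUCCESSFUL on a short write.
 */
static NTSTATUS KsCopyFileBytes(HANDLE hSrc, HANDLE hDst, LONGLONG Length)
{
    NTSTATUS Status = STATUS_SUCCESS;
    IO_STATUS_BLOCK IoStatusBlock;
    BYTE Buffer[1024];                       // small on purpose: this lives on the kernel stack
    LARGE_INTEGER liCursorRead = { 0 };
    LARGE_INTEGER liCursorWrite = { 0 };

    while (liCursorRead.QuadPart < Length)
    {
        LONGLONG Remaining = Length - liCursorRead.QuadPart;
        ULONG uReadSize = (Remaining >= (LONGLONG)sizeof(Buffer)) ? (ULONG)sizeof(Buffer) : (ULONG)Remaining;
        ULONG uGot;

        Status = ZwReadFile(hSrc, NULL, NULL, NULL, &IoStatusBlock,
            Buffer, uReadSize, &liCursorRead, NULL);

        TRACE("READ BUFFER STATUS %x Cursor %llx\n", Status, liCursorRead.QuadPart);

        // Bail out on the first error. The original kept looping with the cursor
        // frozen once Status was a failure, i.e. an infinite loop in kernel mode.
        if (!NT_SUCCESS(Status))
            return Status;

        // Trust the byte count the I/O manager reports, not the amount we asked
        // for; a short read must not cause stale Buffer bytes to be written out.
        uGot = (ULONG)IoStatusBlock.Information;
        if (uGot == 0)
            return STATUS_END_OF_FILE;

        Status = ZwWriteFile(hDst, NULL, NULL, NULL, &IoStatusBlock,
            Buffer, uGot, &liCursorWrite, NULL);

        TRACE("WRITE BUFFER %x Cursor %llx\n", Status, liCursorWrite.QuadPart);

        if (!NT_SUCCESS(Status))
            return Status;
        if ((ULONG)IoStatusBlock.Information != uGot)
            return STATUS_UNSUCCESSFUL;

        liCursorRead.QuadPart += uGot;
        liCursorWrite.QuadPart += uGot;

        TRACE("FILE SIZE: %llx READ CURSOR: %llx\n", Length, liCursorRead.QuadPart);
    }

    return STATUS_SUCCESS;
}

/*
 * Kernel-mode copy of the Microsoft Store NieR:Automata executable out of
 * C:\Program Files\WindowsApps\<package> into Z:\<package>\NieRAutomata.exe.
 *
 * Security note: both opens are issued from kernel mode with OBJ_KERNEL_HANDLE and
 * without OBJ_FORCE_ACCESS_CHECK, so the discretionary ACL on WindowsApps (which
 * normally keeps everyone but TrustedInstaller out) is not consulted. That bypass
 * is the whole point of this PoC, and it is also why the two paths must remain
 * hard-coded, trusted inputs: anything caller-controlled here would be an
 * arbitrary-file-read/write primitive for any user who can reach the driver.
 *
 * Must run at PASSIVE_LEVEL in a context where Zw file I/O is permitted (e.g. a
 * system worker thread); returns STATUS_INVALID_DEVICE_STATE otherwise.
 *
 * Preconditions on the destination: the directory Z:\<package> must already exist
 * (ZwCreateFile does not create intermediate directories) and the file must not
 * (FILE_CREATE fails with STATUS_OBJECT_NAME_COLLISION if it does). On a failure
 * part-way through, the partially written destination file is left in place.
 *
 * Returns STATUS_SUCCESS when the entire source was copied, otherwise the NTSTATUS
 * of the first failing call.
 */
NTSTATUS KsNierExe(VOID)
{
    NTSTATUS Status;
    HANDLE hFile = NULL, hFileDest = NULL;
    UNICODE_STRING uniSrcName, uniDestName;
    OBJECT_ATTRIBUTES ObjAttribSrc, ObjAttrDest;
    IO_STATUS_BLOCK IoStatusBlock;
    FILE_STANDARD_INFORMATION fileInfo = { 0 };

    // Do not try to perform any file operations at higher IRQL levels.
    // Instead, you may use a work item or a system worker thread to perform file operations.
    // Checked before anything else so we do not even TRACE from an elevated IRQL.
    if (KeGetCurrentIrql() != PASSIVE_LEVEL)
        return STATUS_INVALID_DEVICE_STATE;

    TRACE("IRQL CHECK\n");

    RtlInitUnicodeString(&uniSrcName, L"\\DosDevices\\C:\\Program Files\\WindowsApps\\39EA002F.NieRAutomataPC_1.0.38.0_x64__n746a19ndrrjg\\NieRAutomata.exe");

    InitializeObjectAttributes(&ObjAttribSrc, &uniSrcName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    TRACE("File:  %ls \n", uniSrcName.Buffer);

    // The original passed an 11-argument ZwCreateFile parameter list to ZwOpenFile
    // (which takes 6) and used FILE_OPEN_IF, which *creates* an empty source file
    // when the path does not exist and then "copies" 0 bytes. Open the existing
    // file only (FILE_OPEN), share it for reading so a running game does not block
    // us, and request SYNCHRONIZE explicitly as FILE_SYNCHRONOUS_IO_NONALERT requires.
    Status = ZwCreateFile(&hFile, GENERIC_READ | SYNCHRONIZE, &ObjAttribSrc, &IoStatusBlock, NULL,
        FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);

    TRACE("ZwCreateFile (SRC) %x\n", Status);

    if (!NT_SUCCESS(Status))
        return Status;

    TRACE("Opened Source File\n");

    RtlInitUnicodeString(&uniDestName, L"\\DosDevices\\Z:\\39EA002F.NieRAutomataPC_1.0.38.0_x64__n746a19ndrrjg\\NieRAutomata.exe");

    InitializeObjectAttributes(&ObjAttrDest, &uniDestName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    // FILE_CREATE (not OVERWRITE) is deliberate: never clobber an existing copy.
    Status = ZwCreateFile(&hFileDest, GENERIC_WRITE | SYNCHRONIZE, &ObjAttrDest, &IoStatusBlock, NULL,
        FILE_ATTRIBUTE_NORMAL, 0, FILE_CREATE, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);

    TRACE("ZwCreateFile (DEST) %x\n", Status);

    if (!NT_SUCCESS(Status))
        goto CloseSrc;

    TRACE("Opened Dest File\n");

    // fileInfo.EndOfFile is the size of the file behind the handle.
    Status = ZwQueryInformationFile(hFile, &IoStatusBlock, &fileInfo, sizeof(fileInfo), FileStandardInformation);
    if (!NT_SUCCESS(Status))
        goto CloseDest;

    TRACE("Src File Size %llx\n", fileInfo.EndOfFile.QuadPart);

    Status = KsCopyFileBytes(hFile, hFileDest, fileInfo.EndOfFile.QuadPart);

CloseDest:
    ZwClose(hFileDest);
CloseSrc:
    ZwClose(hFile);

    return Status;
}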