#include <ntdef.h>#include <ntifs.h>#include "Types.h"PLOAD_IMAGE_NOTIFY

1. #include <ntdef.h>
2. #include <ntifs.h>
3. #include "Types.h"
4.  
5. PLOAD_IMAGE_NOTIFY_ROUTINE NotifyImageLoadCallback(PUNICODE_STRING w_FullImageName, HANDLE w_ProcessId, PIMAGE_INFO w_ImageInfo)
6. {
7. if (wcsstr(w_FullImageName->Buffer, L"\\TslGame\\Binaries\\Win64\\TslGame.exe") && wcsstr(w_FullImageName->Buffer, L"Device"))
8. {
9. PUID = w_ProcessId;
10. PUBase = GetSectionBaseAddress(w_ProcessId);
11. DbgPrintEx(0, 0, "base : %llx %d %ws\r\n", PUBase, w_ProcessId, w_FullImageName->Buffer);
12. }
13. }
14.  
15. NTKERNELAPI PVOID PsGetProcessSectionBaseAddress(__in PEPROCESS Process);
16.  
17. // 例程忽略PE头并获得实际的游戏基地址
18. DWORD64 GetSectionBaseAddress(HANDLE w_pid)
19. {
20. NTSTATUS ntStatus = STATUS_SUCCESS;
21. PEPROCESS targetProcess;
22. PVOID value = 0;
23.  
24. ntStatus = PsLookupProcessByProcessId((HANDLE)w_pid, &targetProcess);
25.  
26. if (ntStatus != STATUS_SUCCESS || !targetProcess)
27. return 0;
28.  
29. __try
30. {
31. KeAttachProcess((PKPROCESS)targetProcess);
32. value = PsGetProcessSectionBaseAddress(targetProcess);
33. KeDetachProcess();
34. }
35. __except (GetExceptionCode())
36. {
37. return 0;
38. }
39.  
40. return (DWORD64)value;
41. }
42.  
43. VOID Unload(PDRIVER_OBJECT DriverObject)
44. {
45. PsRemoveLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)NotifyImageLoadCallback);
46.  
47. UNICODE_STRING usDosDeviceName;
48.  
49. RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\BcDirver");
50. IoDeleteSymbolicLink(&usDosDeviceName);
51.  
52. IoDeleteDevice(DriverObject->DeviceObject);
53. }
54.  
55. // This is where the magic happens.
56. // You can also try to direct write to the usermode app buffer,
57. // I just did it always this way
58. // Also MmCopyVirtualMemory can be used, I think...
59. NTSTATUS ReadMemOutputClient(pReadStruct w_poReadStruct)
60. {
61. PEPROCESS hClient, hGame;
62.  
63. KAPC_STATE apc_state;
64. NTSTATUS NtStatus = STATUS_SUCCESS;
65.  
66. // sanity check, you can change this if you happen to
67. // expand the protocol
68. if (PUBase == 0 && w_poReadStruct->ProtocolMsg != PROTO_GET_BASEADDR)
69. {
70. return STATUS_UNSUCCESSFUL;
71. }
72.  
73. // get the game and a handle
74. PsLookupProcessByProcessId(PUID, &hGame);
75. PsLookupProcessByProcessId((HANDLE)w_poReadStruct->UserPID, &hClient);
76.  
77. // allocate kernel memory for cache buffer
78. DriverBuffer = ExAllocatePoolWithTag(NonPagedPool, w_poReadStruct->ReadSize, 'Sys');
79.  
80. if (DriverBuffer == NULL)
81. {
82. return STATUS_MEMORY_NOT_ALLOCATED;
83. }
84.  
85. // get baseaddr is a req from usermode app to receive the baseaddr
86. if (w_poReadStruct->ProtocolMsg == PROTO_GET_BASEADDR)
87. {
88. __try
89. {
90. KeStackAttachProcess(hClient, &apc_state);
91. ProbeForRead((CONST PVOID)w_poReadStruct->UserBufferAdress, w_poReadStruct->ReadSize, sizeof(CHAR));
92. RtlCopyMemory(w_poReadStruct->UserBufferAdress, &PUBase, w_poReadStruct->ReadSize);
93. DbgPrintEx(0, 0, "read size : %x \r\n", w_poReadStruct->ReadSize);
94. KeUnstackDetachProcess(&apc_state);
95. }
96. __except (EXCEPTION_EXECUTE_HANDLER)
97. {
98. KeUnstackDetachProcess(&apc_state);
99. NtStatus = STATUS_ABANDONED;
100. }
101. }
102.  
103. // normal read means game-->usermode app transfer
104. else if (w_poReadStruct->ProtocolMsg == PROTO_NORMAL_READ)
105. {
106. // transfer the data from game to kernel
107. __try
108. {
109. KeStackAttachProcess(hGame, &apc_state);
110. ProbeForRead((CONST PVOID)w_poReadStruct->GameAddressOffset, w_poReadStruct->ReadSize, sizeof(CHAR));
111. RtlCopyMemory(DriverBuffer, w_poReadStruct->GameAddressOffset, w_poReadStruct->ReadSize);
112. KeUnstackDetachProcess(&apc_state);
113. }
114. __except (EXCEPTION_EXECUTE_HANDLER)
115. {
116. KeUnstackDetachProcess(&apc_state);
117. NtStatus = STATUS_ABANDONED;
118. }
119. // transfer the data from kernel to usermode app
120. __try
121. {
122. KeStackAttachProcess(hClient, &apc_state);
123. ProbeForRead((CONST PVOID)w_poReadStruct->UserBufferAdress, w_poReadStruct->ReadSize, sizeof(CHAR));
124. RtlCopyMemory(w_poReadStruct->UserBufferAdress, DriverBuffer, w_poReadStruct->ReadSize);
125. KeUnstackDetachProcess(&apc_state);
126. }
127. __except (EXCEPTION_EXECUTE_HANDLER)
128. {
129. KeUnstackDetachProcess(&apc_state);
130. NtStatus = STATUS_ABANDONED;
131. }
132. }
133. else if (w_poReadStruct->ProtocolMsg == PROTO_NORMAL_WRITE)
134. {
135. // transfer the data from game to kernel
136. __try
137. {
138. KeStackAttachProcess(hClient, &apc_state);
139. ProbeForRead((CONST PVOID)w_poReadStruct->UserBufferAdress, w_poReadStruct->ReadSize, sizeof(CHAR));
140. RtlCopyMemory(DriverBuffer, w_poReadStruct->UserBufferAdress, w_poReadStruct->ReadSize);
141. KeUnstackDetachProcess(&apc_state);
142. }
143. __except (EXCEPTION_EXECUTE_HANDLER)
144. {
145. KeUnstackDetachProcess(&apc_state);
146. NtStatus = STATUS_ABANDONED;
147. }
148. __try
149. {
150. KeStackAttachProcess(hGame, &apc_state);
151. ProbeForRead((CONST PVOID)w_poReadStruct->GameAddressOffset, w_poReadStruct->ReadSize, sizeof(CHAR));
152. RtlCopyMemory(w_poReadStruct->GameAddressOffset, DriverBuffer, w_poReadStruct->ReadSize);
153. KeUnstackDetachProcess(&apc_state);
154. }
155. __except (EXCEPTION_EXECUTE_HANDLER)
156. {
157. KeUnstackDetachProcess(&apc_state);
158. NtStatus = STATUS_ABANDONED;
159. }
160.  
161. }
162. ExFreePool(DriverBuffer);
163.  
164. return NtStatus;
165.  
166. }
167.  
168. // basic IOCTL communication routine
169. NTSTATUS WriteBufferedIO(PDEVICE_OBJECT DeviceObject, PIRP Irp)
170. {
171. NTSTATUS NtStatus = STATUS_SUCCESS;
172. PIO_STACK_LOCATION pIoStackIrp = NULL;
173. pReadStruct readStruct;
174.  
175. pIoStackIrp = IoGetCurrentIrpStackLocation(Irp);
176.  
177. if (pIoStackIrp)
178. {
179. // Read the struct from the IRP and store inside readStruct
180. readStruct = (pReadStruct)Irp->AssociatedIrp.SystemBuffer;
181. if (readStruct)
182. {
183. // do the magic the client (um app) wants to
184. if (readStruct->ReadSize)
185. {
186. ReadMemOutputClient(readStruct);
187. }
188. }
189. }
190.  
191. return NtStatus;
192. }
193.  
194. // dummy routine
195. NTSTATUS UnSupportedIrpFunction(PDEVICE_OBJECT DeviceObject, PIRP Irp)
196. {
197. NTSTATUS NtStatus = STATUS_NOT_SUPPORTED;
198. DbgPrintEx(0, 0, "Unsupported Irp Function \r\n");
199. return NtStatus;
200. }
201.  
202. // driver entrypoint
203. NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT pDriverObject, _In_ PUNICODE_STRING RegistryPath)
204. {
205. PUBase = 0;
206.  
207. NTSTATUS status = STATUS_SUCCESS;
208.  
209. RtlInitUnicodeString(&dev, L"\\Device\\bambooqj");
210. RtlInitUnicodeString(&dos, L"\\DosDevices\\bambooqj");
211.  
212. status = IoCreateDevice(pDriverObject, 0, &dev, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
213.  
214. if (status == STATUS_SUCCESS)
215. {
216. for (UINT32 uiIndex = 0; uiIndex < IRP_MJ_MAXIMUM_FUNCTION; uiIndex++)
217. {
218. pDriverObject->MajorFunction[uiIndex] = UnSupportedIrpFunction;
219. }
220.  
221. pDriverObject->MajorFunction[IRP_MJ_WRITE] = WriteBufferedIO;
222. pDriverObject->DriverUnload = Unload;
223.  
224. pDeviceObject->Flags |= DO_BUFFERED_IO;
225. pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING);
226.  
227. IoCreateSymbolicLink(&dos, &dev);
228. }
229. else
230. {
231. return STATUS_UNSUCCESSFUL;
232. }
233.  
234. PsSetLoadImageNotifyRoutine(NotifyImageLoadCallback);
235.  
236. return STATUS_SUCCESS;
237. }