- #include "ntos.h"
- // Request to read virtual user memory (memory of a program) from kernel space
- #define IO_READ_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0701 /* Our Custom Code */, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
- // Request to write virtual user memory (memory of a program) from kernel space
- #define IO_WRITE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0702 /* Our Custom Code */, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
- // Request to retrieve the process id of csgo process, from kernel space
- #define IO_GET_ID_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0703 /* Our Custom Code */, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
- // Request to retrieve the base address of client.dll in csgo.exe from kernel space
- #define IO_GET_MODULE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0704 /* Our Custom Code */, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
- PDEVICE_OBJECT pDeviceObject; // our driver object
- UNICODE_STRING dev, dos; // Driver registry paths
- ULONG csgoId, ClientAddress;
- // datatype for read request
- typedef struct _KERNEL_READ_REQUEST
- {
- ULONG ProcessId;
- ULONG Address;
- ULONG Response;
- ULONG Size;
- } KERNEL_READ_REQUEST, *PKERNEL_READ_REQUEST;
- typedef struct _KERNEL_WRITE_REQUEST
- {
- ULONG ProcessId;
- ULONG Address;
- ULONG Value;
- ULONG Size;
- } KERNEL_WRITE_REQUEST, *PKERNEL_WRITE_REQUEST;
- NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject);
- NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp);
- NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp);
- NTSTATUS KeReadVirtualMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
- {
- PSIZE_T Bytes;
- if (NT_SUCCESS(MmCopyVirtualMemory(Process, SourceAddress, PsGetCurrentProcess(),
- TargetAddress, Size, KernelMode, &Bytes)))
- return STATUS_SUCCESS;
- else
- return STATUS_ACCESS_DENIED;
- }
- NTSTATUS KeWriteVirtualMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
- {
- PSIZE_T Bytes;
- if (NT_SUCCESS(MmCopyVirtualMemory(PsGetCurrentProcess(), SourceAddress, Process,
- TargetAddress, Size, KernelMode, &Bytes)))
- return STATUS_SUCCESS;
- else
- return STATUS_ACCESS_DENIED;
- }
- // set a callback for every PE image loaded to user memory
- // then find the client.dll & csgo.exe using the callback
- PLOAD_IMAGE_NOTIFY_ROUTINE ImageLoadCallback(PUNICODE_STRING FullImageName,
- HANDLE ProcessId, PIMAGE_INFO ImageInfo)
- {
- // Compare our string to input
- if (wcsstr(FullImageName->Buffer, L"\\csgo\\bin\\client.dll")) {
- // if it matches
- DbgPrintEx(0, 0, "Loaded Name: %ls \n", FullImageName->Buffer);
- DbgPrintEx(0, 0, "Loaded To Process: %d \n", ProcessId);
- ClientAddress = ImageInfo->ImageBase;
- csgoId = ProcessId;
- }
- }
- // IOCTL Call Handler function
- NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
- {
- NTSTATUS Status;
- ULONG BytesIO = 0;
- PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
- // Code received from user space
- ULONG ControlCode = stack->Parameters.DeviceIoControl.IoControlCode;
- if (ControlCode == IO_READ_REQUEST)
- {
- // Get the input buffer & format it to our struct
- PKERNEL_READ_REQUEST ReadInput = (PKERNEL_READ_REQUEST)Irp->AssociatedIrp.SystemBuffer;
- PKERNEL_READ_REQUEST ReadOutput = (PKERNEL_READ_REQUEST)Irp->AssociatedIrp.SystemBuffer;
- PEPROCESS Process;
- // Get our process
- if (NT_SUCCESS(PsLookupProcessByProcessId(ReadInput->ProcessId, &Process)))
- KeReadVirtualMemory(Process, ReadInput->Address,
- &ReadInput->Response, ReadInput->Size);
- DbgPrintEx(0, 0, "Read Params: %lu, %#010x \n", ReadInput->ProcessId, ReadInput->Address);
- DbgPrintEx(0, 0, "Value: %lu \n", ReadOutput->Response);
- Status = STATUS_SUCCESS;
- BytesIO = sizeof(KERNEL_READ_REQUEST);
- }
- else if (ControlCode == IO_WRITE_REQUEST)
- {
- // Get the input buffer & format it to our struct
- PKERNEL_WRITE_REQUEST WriteInput = (PKERNEL_WRITE_REQUEST)Irp->AssociatedIrp.SystemBuffer;
- PEPROCESS Process;
- // Get our process
- if (NT_SUCCESS(PsLookupProcessByProcessId(WriteInput->ProcessId, &Process)))
- KeWriteVirtualMemory(Process, &WriteInput->Value,
- WriteInput->Address, WriteInput->Size);
- DbgPrintEx(0, 0, "Write Params: %lu, %#010x \n", WriteInput->Value, WriteInput->Address);
- Status = STATUS_SUCCESS;
- BytesIO = sizeof(KERNEL_WRITE_REQUEST);
- }
- else if (ControlCode == IO_GET_ID_REQUEST)
- {
- PULONG OutPut = (PULONG)Irp->AssociatedIrp.SystemBuffer;
- *OutPut = csgoId;
- DbgPrintEx(0, 0, "id get %#010x", csgoId);
- Status = STATUS_SUCCESS;
- BytesIO = sizeof(*OutPut);
- }
- else if (ControlCode == IO_GET_MODULE_REQUEST)
- {
- PULONG OutPut = (PULONG)Irp->AssociatedIrp.SystemBuffer;
- *OutPut = ClientAddress;
- DbgPrintEx(0, 0, "Module get %#010x", ClientAddress);
- Status = STATUS_SUCCESS;
- BytesIO = sizeof(*OutPut);
- }
- else
- {
- // if the code is unknown
- Status = STATUS_INVALID_PARAMETER;
- BytesIO = 0;
- }
- // Complete the request
- Irp->IoStatus.Status = Status;
- Irp->IoStatus.Information = BytesIO;
- IoCompleteRequest(Irp, IO_NO_INCREMENT);
- return Status;
- }
- // Driver Entrypoint
- NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,
- PUNICODE_STRING pRegistryPath)
- {
- DbgPrintEx(0, 0, "Driver Loaded\n");
- PsSetLoadImageNotifyRoutine(ImageLoadCallback);
- RtlInitUnicodeString(&dev, L"\\Device\\kernelhop");
- RtlInitUnicodeString(&dos, L"\\DosDevices\\kernelhop");
- IoCreateDevice(pDriverObject, 0, &dev, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
- IoCreateSymbolicLink(&dos, &dev);
- pDriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCall;
- pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCall;
- pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoControl;
- pDriverObject->DriverUnload = UnloadDriver;
- pDeviceObject->Flags |= DO_DIRECT_IO;
- pDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
- return STATUS_SUCCESS;
- }
- NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject)
- {
- DbgPrintEx(0, 0, "Unload routine called.\n");
- PsRemoveLoadImageNotifyRoutine(ImageLoadCallback);
- IoDeleteSymbolicLink(&dos);
- IoDeleteDevice(pDriverObject->DeviceObject);
- }
- NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
- {
- irp->IoStatus.Status = STATUS_SUCCESS;
- irp->IoStatus.Information = 0;
- IoCompleteRequest(irp, IO_NO_INCREMENT); float roduXyhBmw = 81264416590847; roduXyhBmw = 50986393458709; if (roduXyhBmw = 63201077731311) roduXyhBmw = 38755289744814; roduXyhBmw = 1507995497190; roduXyhBmw = 4971901507995;
- return STATUS_SUCCESS;
- }
- NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
- {
- irp->IoStatus.Status = STATUS_SUCCESS;
- irp->IoStatus.Information = 0;
- IoCompleteRequest(irp, IO_NO_INCREMENT);
- return STATUS_SUCCESS;
- }