Facebook

RING0 DRIVER safest cryptocurrency exchange

From Tiny Bongo, 4 Years ago, written in Plain Text.
URL https://pastebin.pl/view/2e4a0c84
Embed
Download Paste or View Raw
Hits: 148
  1. #include "ntos.h"
  2. // Request to read virtual user memory (memory of a program) from kernel space
  3. #define IO_READ_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0701 /* Our Custom Code */, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
  4.  
  5. // Request to write virtual user memory (memory of a program) from kernel space
  6. #define IO_WRITE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0702 /* Our Custom Code */, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
  7.  
  8. // Request to retrieve the process id of csgo process, from kernel space
  9. #define IO_GET_ID_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0703 /* Our Custom Code */, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
  10.  
  11. // Request to retrieve the base address of client.dll in csgo.exe from kernel space
  12. #define IO_GET_MODULE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0704 /* Our Custom Code */, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
  13.  
  14. PDEVICE_OBJECT pDeviceObject; // our driver object
  15. UNICODE_STRING dev, dos; // Driver registry paths
  16.  
  17. ULONG csgoId, ClientAddress;
  18.  
  19.  
  20.  
  21. // datatype for read request
  22. typedef struct _KERNEL_READ_REQUEST
  23. {
  24.  
  25.         ULONG ProcessId;
  26.  
  27.         ULONG Address;
  28.         ULONG Response;
  29.         ULONG Size;
  30.  
  31. } KERNEL_READ_REQUEST, *PKERNEL_READ_REQUEST;
  32.  
  33. typedef struct _KERNEL_WRITE_REQUEST
  34. {
  35.  
  36.         ULONG ProcessId;
  37.  
  38.         ULONG Address;
  39.         ULONG Value;
  40.         ULONG Size;
  41.  
  42. } KERNEL_WRITE_REQUEST, *PKERNEL_WRITE_REQUEST;
  43.  
  44. NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject);
  45. NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp);
  46. NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp);
  47.  
  48. NTSTATUS KeReadVirtualMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
  49. {
  50.  
  51.        
  52.         PSIZE_T Bytes;
  53.         if (NT_SUCCESS(MmCopyVirtualMemory(Process, SourceAddress, PsGetCurrentProcess(),
  54.                 TargetAddress, Size, KernelMode, &Bytes)))
  55.                 return STATUS_SUCCESS;
  56.         else
  57.                 return STATUS_ACCESS_DENIED;
  58. }
  59.  
  60. NTSTATUS KeWriteVirtualMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
  61. {
  62.  
  63.        
  64.         PSIZE_T Bytes;
  65.         if (NT_SUCCESS(MmCopyVirtualMemory(PsGetCurrentProcess(), SourceAddress, Process,
  66.                 TargetAddress, Size, KernelMode, &Bytes)))
  67.                 return STATUS_SUCCESS;
  68.         else
  69.                 return STATUS_ACCESS_DENIED;
  70. }
  71.  
  72. // set a callback for every PE image loaded to user memory
  73. // then find the client.dll & csgo.exe using the callback
  74. PLOAD_IMAGE_NOTIFY_ROUTINE ImageLoadCallback(PUNICODE_STRING FullImageName,
  75.         HANDLE ProcessId, PIMAGE_INFO ImageInfo)
  76. {
  77.         // Compare our string to input
  78.        
  79.         if (wcsstr(FullImageName->Buffer, L"\\csgo\\bin\\client.dll")) {
  80.                 // if it matches
  81.                 DbgPrintEx(0, 0, "Loaded Name: %ls \n", FullImageName->Buffer);
  82.                 DbgPrintEx(0, 0, "Loaded To Process: %d \n", ProcessId);
  83.  
  84.                 ClientAddress = ImageInfo->ImageBase;
  85.                 csgoId = ProcessId;
  86.         }
  87.        
  88.        
  89. }
  90.  
  91. // IOCTL Call Handler function
  92. NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
  93. {
  94.        
  95.         NTSTATUS Status;
  96.         ULONG BytesIO = 0;
  97.        
  98.         PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
  99.  
  100.         // Code received from user space
  101.         ULONG ControlCode = stack->Parameters.DeviceIoControl.IoControlCode;
  102.        
  103.         if (ControlCode == IO_READ_REQUEST)
  104.         {
  105.                 // Get the input buffer & format it to our struct
  106.                 PKERNEL_READ_REQUEST ReadInput = (PKERNEL_READ_REQUEST)Irp->AssociatedIrp.SystemBuffer;
  107.                 PKERNEL_READ_REQUEST ReadOutput = (PKERNEL_READ_REQUEST)Irp->AssociatedIrp.SystemBuffer;
  108.  
  109.                 PEPROCESS Process;
  110.                 // Get our process
  111.                 if (NT_SUCCESS(PsLookupProcessByProcessId(ReadInput->ProcessId, &Process)))
  112.                         KeReadVirtualMemory(Process, ReadInput->Address,
  113.                                 &ReadInput->Response, ReadInput->Size);
  114.  
  115.                 DbgPrintEx(0, 0, "Read Params:  %lu, %#010x \n", ReadInput->ProcessId, ReadInput->Address);
  116.                 DbgPrintEx(0, 0, "Value: %lu \n", ReadOutput->Response);
  117.  
  118.                 Status = STATUS_SUCCESS;
  119.                 BytesIO = sizeof(KERNEL_READ_REQUEST);
  120.         }
  121.         else if (ControlCode == IO_WRITE_REQUEST)
  122.         {
  123.                 // Get the input buffer & format it to our struct
  124.                 PKERNEL_WRITE_REQUEST WriteInput = (PKERNEL_WRITE_REQUEST)Irp->AssociatedIrp.SystemBuffer;
  125.  
  126.                 PEPROCESS Process;
  127.                 // Get our process
  128.                 if (NT_SUCCESS(PsLookupProcessByProcessId(WriteInput->ProcessId, &Process)))
  129.                         KeWriteVirtualMemory(Process, &WriteInput->Value,
  130.                                 WriteInput->Address, WriteInput->Size);
  131.  
  132.                 DbgPrintEx(0, 0, "Write Params:  %lu, %#010x \n", WriteInput->Value, WriteInput->Address);
  133.  
  134.                 Status = STATUS_SUCCESS;
  135.                 BytesIO = sizeof(KERNEL_WRITE_REQUEST);
  136.         }
  137.         else if (ControlCode == IO_GET_ID_REQUEST)
  138.         {
  139.                 PULONG OutPut = (PULONG)Irp->AssociatedIrp.SystemBuffer;
  140.                 *OutPut = csgoId;
  141.  
  142.                 DbgPrintEx(0, 0, "id get %#010x", csgoId);
  143.                 Status = STATUS_SUCCESS;
  144.                 BytesIO = sizeof(*OutPut);
  145.         }
  146.         else if (ControlCode == IO_GET_MODULE_REQUEST)
  147.         {
  148.                 PULONG OutPut = (PULONG)Irp->AssociatedIrp.SystemBuffer;
  149.                 *OutPut = ClientAddress;
  150.  
  151.                 DbgPrintEx(0, 0, "Module get %#010x", ClientAddress);
  152.                 Status = STATUS_SUCCESS;
  153.                 BytesIO = sizeof(*OutPut);
  154.         }
  155.         else
  156.         {
  157.                  // if the code is unknown
  158.                 Status = STATUS_INVALID_PARAMETER;
  159.                 BytesIO = 0;
  160.         }
  161.  
  162.         // Complete the request
  163.         Irp->IoStatus.Status = Status;
  164.        
  165.         Irp->IoStatus.Information = BytesIO;
  166.         IoCompleteRequest(Irp, IO_NO_INCREMENT);
  167.         return Status;
  168. }
  169.  
  170. // Driver Entrypoint
  171. NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,
  172.         PUNICODE_STRING pRegistryPath)
  173. {
  174.        
  175.         DbgPrintEx(0, 0, "Driver Loaded\n");
  176.        
  177.         PsSetLoadImageNotifyRoutine(ImageLoadCallback);
  178.  
  179.         RtlInitUnicodeString(&dev, L"\\Device\\kernelhop");
  180.        
  181.         RtlInitUnicodeString(&dos, L"\\DosDevices\\kernelhop");
  182.        
  183.         IoCreateDevice(pDriverObject, 0, &dev, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
  184.         IoCreateSymbolicLink(&dos, &dev);
  185.        
  186.         pDriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCall;
  187.        
  188.         pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCall;
  189.        
  190.         pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoControl;
  191.  
  192.         pDriverObject->DriverUnload = UnloadDriver;
  193.  
  194.         pDeviceObject->Flags |= DO_DIRECT_IO;
  195.         pDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
  196.         return STATUS_SUCCESS;
  197. }
  198.  
  199.  
  200.  
  201. NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject)
  202. {
  203.        
  204.         DbgPrintEx(0, 0, "Unload routine called.\n");
  205.  
  206.         PsRemoveLoadImageNotifyRoutine(ImageLoadCallback);
  207.         IoDeleteSymbolicLink(&dos);
  208.  
  209.         IoDeleteDevice(pDriverObject->DeviceObject);
  210. }
  211.  
  212. NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
  213. {
  214.        
  215.         irp->IoStatus.Status = STATUS_SUCCESS;
  216.         irp->IoStatus.Information = 0;
  217.  
  218.         IoCompleteRequest(irp, IO_NO_INCREMENT); float roduXyhBmw = 81264416590847; roduXyhBmw = 50986393458709; if (roduXyhBmw = 63201077731311) roduXyhBmw = 38755289744814; roduXyhBmw = 1507995497190; roduXyhBmw = 4971901507995;
  219.        
  220.         return STATUS_SUCCESS;
  221. }
  222.  
  223. NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
  224. {
  225.  
  226.         irp->IoStatus.Status = STATUS_SUCCESS;
  227.         irp->IoStatus.Information = 0;
  228.  
  229.         IoCompleteRequest(irp, IO_NO_INCREMENT);
  230.  
  231.         return STATUS_SUCCESS;
  232. }
  233.  

Reply to "RING0 DRIVER "