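#include "ntos.h"

/*
 * kernelhop: a control device (\Device\kernelhop, \DosDevices\kernelhop) that
 * lets a user-mode client read and write the virtual memory of another process
 * and query the process id / client.dll base recorded by an image-load callback.
 *
 * Review notes (security):
 *  - The device is created with the default DACL, so any local user able to
 *    open \\.\kernelhop reaches IO_READ_REQUEST / IO_WRITE_REQUEST and with them
 *    arbitrary memory access to any process it names. IoCreateDeviceSecure with
 *    a SYSTEM/administrator-only SDDL, and restricting the target to csgoId,
 *    would narrow that surface.
 *  - Every IOCTL buffer and length comes from user mode. IoControl validates
 *    InputBufferLength/OutputBufferLength and the per-request Size field before
 *    touching the system buffer; without that a short or oversized request
 *    overruns the buffer in kernel mode.
 */

// Request to read virtual user memory (memory of a program) from kernel space
#define IO_READ_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0701 /* Our Custom Code */, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
// Request to write virtual user memory (memory of a program) from kernel space
#define IO_WRITE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0702 /* Our Custom Code */, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
// Request to retrieve the process id of csgo process, from kernel space
#define IO_GET_ID_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0703 /* Our Custom Code */, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
// Request to retrieve the base address of client.dll in csgo.exe from kernel space
#define IO_GET_MODULE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0704 /* Our Custom Code */, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

PDEVICE_OBJECT pDeviceObject; // our device object, created in DriverEntry
UNICODE_STRING dev, dos;      // NT device name and DOS symbolic-link name

// Written by ImageLoadCallback, read by IoControl. Both are 32-bit because the
// request structures below carry ULONG fields (the user-mode wire format).
ULONG csgoId, ClientAddress;

// Read request: the METHOD_BUFFERED system buffer is used for input and output,
// so the caller's struct comes back with Response filled in.
// Field widths are part of the wire format shared with the client; do not change.
//   ProcessId - target process id
//   Address   - 32-bit virtual address in the target process
//   Response  - receives the bytes read
//   Size      - bytes to copy; must be <= sizeof(Response)
typedef struct _KERNEL_READ_REQUEST {
    ULONG ProcessId;
    ULONG Address;
    ULONG Response;
    ULONG Size;
} KERNEL_READ_REQUEST, *PKERNEL_READ_REQUEST;

// Write request, same conventions as KERNEL_READ_REQUEST; Value holds the bytes
// to write and Size must be <= sizeof(Value).
typedef struct _KERNEL_WRITE_REQUEST {
    ULONG ProcessId;
    ULONG Address;
    ULONG Value;
    ULONG Size;
} KERNEL_WRITE_REQUEST, *PKERNEL_WRITE_REQUEST;

// DriverUnload has a VOID signature; the original NTSTATUS return did not match
// the DRIVER_UNLOAD type it is assigned to.
VOID UnloadDriver(PDRIVER_OBJECT pDriverObject);
NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp);
NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp);

// Complete irp with Status and Information and return Status; shared by the
// dispatch routines so every path completes the IRP exactly once.
static NTSTATUS CompleteRequest(PIRP irp, NTSTATUS Status, ULONG_PTR Information)
{
    irp->IoStatus.Status = Status;
    irp->IoStatus.Information = Information;
    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return Status;
}

// Copy Size bytes from SourceAddress in Process into TargetAddress in the
// current (requesting) process. Any failure or short copy is reported as
// STATUS_ACCESS_DENIED, as before, so callers cannot tell causes apart.
NTSTATUS KeReadVirtualMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
{
    SIZE_T Bytes = 0; // MmCopyVirtualMemory takes a SIZE_T*, not a PSIZE_T*
    NTSTATUS Status = MmCopyVirtualMemory(Process, SourceAddress, PsGetCurrentProcess(), TargetAddress, Size, KernelMode, &Bytes);
    if (NT_SUCCESS(Status) && Bytes == Size) {
        return STATUS_SUCCESS;
    }
    return STATUS_ACCESS_DENIED;
}

// Copy Size bytes from SourceAddress in the current process into TargetAddress
// in Process. Failure/short copy -> STATUS_ACCESS_DENIED (see KeReadVirtualMemory).
NTSTATUS KeWriteVirtualMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
{
    SIZE_T Bytes = 0;
    NTSTATUS Status = MmCopyVirtualMemory(PsGetCurrentProcess(), SourceAddress, Process, TargetAddress, Size, KernelMode, &Bytes);
    if (NT_SUCCESS(Status) && Bytes == Size) {
        return STATUS_SUCCESS;
    }
    return STATUS_ACCESS_DENIED;
}

// Bounded, case-sensitive search for Needle inside Haystack. UNICODE_STRING
// buffers are not guaranteed to be NUL-terminated, so wcsstr() on
// Haystack->Buffer could read past the end of the string; this loop stays
// within Haystack->Length. A NULL string or buffer never matches.
static BOOLEAN UnicodeStringContains(PCUNICODE_STRING Haystack, PCWSTR Needle)
{
    if (Haystack == NULL || Haystack->Buffer == NULL) {
        return FALSE;
    }
    SIZE_T HayChars = Haystack->Length / sizeof(WCHAR);
    SIZE_T NeedleChars = wcslen(Needle);
    if (NeedleChars > HayChars) {
        return FALSE;
    }
    SIZE_T NeedleBytes = NeedleChars * sizeof(WCHAR);
    for (SIZE_T i = 0; i + NeedleChars <= HayChars; i++) {
        if (RtlCompareMemory(&Haystack->Buffer[i], Needle, NeedleBytes) == NeedleBytes) {
            return TRUE;
        }
    }
    return FALSE;
}

// Image-load notify routine (PLOAD_IMAGE_NOTIFY_ROUTINE has a VOID return; the
// original declared it as returning the function-pointer type and returned
// nothing). Records the process id and image base when an image whose path
// contains \csgo\bin\client.dll is mapped. Runs in the loading process's context.
VOID ImageLoadCallback(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo)
{
    if (!UnicodeStringContains(FullImageName, L"\\csgo\\bin\\client.dll")) {
        return;
    }
    // %wZ prints a counted UNICODE_STRING; %ls would need a NUL terminator.
    DbgPrintEx(0, 0, "Loaded Name: %wZ \n", FullImageName);
    DbgPrintEx(0, 0, "Loaded To Process: %lu \n", HandleToULong(ProcessId));
    // The wire format is 32-bit: ImageBase is truncated, which is only correct
    // for a 32-bit target process.
    ClientAddress = (ULONG)(ULONG_PTR)ImageInfo->ImageBase;
    csgoId = HandleToULong(ProcessId);
}

// IO_READ_REQUEST: copy Request->Size bytes from Request->Address in the named
// process into Request->Response. Request is the already length-checked
// METHOD_BUFFERED system buffer.
// NOTE(review): ProcessId is not restricted to csgoId; any process the caller
// names is accepted.
static NTSTATUS HandleReadRequest(PKERNEL_READ_REQUEST Request)
{
    // Size bounds the copy into the Response field; anything larger would
    // overflow the system buffer (kernel pool).
    if (Request->Size > sizeof(Request->Response)) {
        return STATUS_INVALID_PARAMETER;
    }
    PEPROCESS Process = NULL;
    NTSTATUS Status = PsLookupProcessByProcessId(ULongToHandle(Request->ProcessId), &Process);
    if (!NT_SUCCESS(Status)) {
        return Status;
    }
    Status = KeReadVirtualMemory(Process, (PVOID)(ULONG_PTR)Request->Address, &Request->Response, Request->Size);
    ObDereferenceObject(Process); // PsLookupProcessByProcessId took a reference
    DbgPrintEx(0, 0, "Read Params: %lu, %#010lx \n", Request->ProcessId, Request->Address);
    DbgPrintEx(0, 0, "Value: %lu \n", Request->Response);
    return Status;
}

// IO_WRITE_REQUEST: copy Request->Size bytes of Request->Value to
// Request->Address in the named process. Same checks as HandleReadRequest.
static NTSTATUS HandleWriteRequest(PKERNEL_WRITE_REQUEST Request)
{
    if (Request->Size > sizeof(Request->Value)) {
        return STATUS_INVALID_PARAMETER;
    }
    PEPROCESS Process = NULL;
    NTSTATUS Status = PsLookupProcessByProcessId(ULongToHandle(Request->ProcessId), &Process);
    if (!NT_SUCCESS(Status)) {
        return Status;
    }
    Status = KeWriteVirtualMemory(Process, &Request->Value, (PVOID)(ULONG_PTR)Request->Address, Request->Size);
    ObDereferenceObject(Process);
    DbgPrintEx(0, 0, "Write Params: %lu, %#010lx \n", Request->Value, Request->Address);
    return Status;
}

// IOCTL Call Handler function (IRP_MJ_DEVICE_CONTROL).
// All IOCTLs are METHOD_BUFFERED: one system buffer serves as input and output
// and is sized max(InputBufferLength, OutputBufferLength). Both lengths and the
// buffer contents come from user mode, so each request is checked against the
// size it needs before the buffer is read or written. Unknown codes fail with
// STATUS_INVALID_PARAMETER; short buffers with STATUS_BUFFER_TOO_SMALL.
NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    NTSTATUS Status = STATUS_INVALID_PARAMETER;
    ULONG_PTR BytesIO = 0;
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
    // Code received from user space
    ULONG ControlCode = stack->Parameters.DeviceIoControl.IoControlCode;
    ULONG InLen = stack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG OutLen = stack->Parameters.DeviceIoControl.OutputBufferLength;
    PVOID Buffer = Irp->AssociatedIrp.SystemBuffer; // NULL when both lengths are 0

    switch (ControlCode) {
    case IO_READ_REQUEST:
        // The response travels back in the same struct, so the output side
        // must be large enough as well.
        if (Buffer == NULL || InLen < sizeof(KERNEL_READ_REQUEST) || OutLen < sizeof(KERNEL_READ_REQUEST)) {
            Status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        Status = HandleReadRequest((PKERNEL_READ_REQUEST)Buffer);
        BytesIO = sizeof(KERNEL_READ_REQUEST);
        break;

    case IO_WRITE_REQUEST:
        if (Buffer == NULL || InLen < sizeof(KERNEL_WRITE_REQUEST)) {
            Status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        Status = HandleWriteRequest((PKERNEL_WRITE_REQUEST)Buffer);
        // Nothing is returned to the caller. Reporting sizeof(KERNEL_WRITE_REQUEST)
        // here (as before) would make the I/O manager copy that many bytes into
        // a user output buffer that may be smaller.
        BytesIO = 0;
        break;

    case IO_GET_ID_REQUEST:
        if (Buffer == NULL || OutLen < sizeof(ULONG)) {
            Status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        *(PULONG)Buffer = csgoId;
        DbgPrintEx(0, 0, "id get %#010lx", csgoId);
        Status = STATUS_SUCCESS;
        BytesIO = sizeof(ULONG);
        break;

    case IO_GET_MODULE_REQUEST:
        if (Buffer == NULL || OutLen < sizeof(ULONG)) {
            Status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        *(PULONG)Buffer = ClientAddress;
        DbgPrintEx(0, 0, "Module get %#010lx", ClientAddress);
        Status = STATUS_SUCCESS;
        BytesIO = sizeof(ULONG);
        break;

    default:
        // if the code is unknown
        Status = STATUS_INVALID_PARAMETER;
        BytesIO = 0;
        break;
    }

    // Complete the request
    return CompleteRequest(Irp, Status, BytesIO);
}

// Driver Entrypoint: creates the device and symbolic link, registers the
// image-load callback and the dispatch routines. Each step's status is checked
// and earlier steps are undone on failure; the original ignored all of them and
// would dereference a NULL pDeviceObject if IoCreateDevice failed.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    UNREFERENCED_PARAMETER(pRegistryPath);
    DbgPrintEx(0, 0, "Driver Loaded\n");

    RtlInitUnicodeString(&dev, L"\\Device\\kernelhop");
    RtlInitUnicodeString(&dos, L"\\DosDevices\\kernelhop");

    // NOTE(review): IoCreateDevice applies the default device DACL, so any
    // local user can open the device. IoCreateDeviceSecure with an
    // administrator/SYSTEM-only SDDL would restrict who reaches the IOCTLs.
    NTSTATUS Status = IoCreateDevice(pDriverObject, 0, &dev, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
    if (!NT_SUCCESS(Status)) {
        DbgPrintEx(0, 0, "IoCreateDevice failed: %#010lx\n", (ULONG)Status);
        return Status;
    }

    Status = IoCreateSymbolicLink(&dos, &dev);
    if (!NT_SUCCESS(Status)) {
        DbgPrintEx(0, 0, "IoCreateSymbolicLink failed: %#010lx\n", (ULONG)Status);
        IoDeleteDevice(pDeviceObject);
        pDeviceObject = NULL;
        return Status;
    }

    // Registered last so that UnloadDriver's teardown mirrors this order and a
    // failure here leaves nothing half-initialised behind.
    Status = PsSetLoadImageNotifyRoutine(ImageLoadCallback);
    if (!NT_SUCCESS(Status)) {
        DbgPrintEx(0, 0, "PsSetLoadImageNotifyRoutine failed: %#010lx\n", (ULONG)Status);
        IoDeleteSymbolicLink(&dos);
        IoDeleteDevice(pDeviceObject);
        pDeviceObject = NULL;
        return Status;
    }

    pDriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCall;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCall;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoControl;
    pDriverObject->DriverUnload = UnloadDriver;

    // DO_DIRECT_IO only governs IRP_MJ_READ/WRITE, which this driver does not
    // handle; the IOCTLs select their transfer type via METHOD_BUFFERED.
    pDeviceObject->Flags |= DO_DIRECT_IO;
    pDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
    return STATUS_SUCCESS;
}

// Unload: remove the callback first so it cannot run while the device goes away,
// then drop the symbolic link and the device.
VOID UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    DbgPrintEx(0, 0, "Unload routine called.\n");
    PsRemoveLoadImageNotifyRoutine(ImageLoadCallback);
    IoDeleteSymbolicLink(&dos);
    IoDeleteDevice(pDriverObject->DeviceObject);
}

// IRP_MJ_CREATE: accept every open. The original also contained a block of
// dead float arithmetic (including an assignment used as a condition) with no
// observable effect; it has been removed.
NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    return CompleteRequest(irp, STATUS_SUCCESS, 0);
}

// IRP_MJ_CLOSE: nothing to release per handle.
NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    return CompleteRequest(irp, STATUS_SUCCESS, 0);
}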