Untitled

mail@pastecode.io avatarunknown
plain_text
a month ago
3.3 kB
2
Indexable
Never
#include "definitions.h"
#include <cstdint>
#include <ntddk.h>

UINT64 GetKernelAddress(PCHAR name)
{
	NTSTATUS status = STATUS_SUCCESS;
	ULONG neededSize = 0;
	ZwQuerySystemInformation(SystemModuleInformation, &neededSize, 0, &neededSize);
	PSYSTEM_MODULE_INFORMATION pModuleList;
	pModuleList = (PSYSTEM_MODULE_INFORMATION)ExAllocatePoolZero(NonPagedPool, neededSize, '1gaT');
	if (pModuleList == NULL)
	{
		DbgPrintEx(0, 0, "\nFailed to allocate memory!");
		return 0;
	}
	status = ZwQuerySystemInformation(SystemModuleInformation, pModuleList, neededSize, 0);
	ULONG i = 0;
	UINT64 address = 0;
	for (i = 0; i < pModuleList->ulModuleCount; i++)
	{
		SYSTEM_MODULE mod = pModuleList->Modules[i];
		address = (UINT64)pModuleList->Modules[i].Base;
		if (strstr((const char*)&mod.ImageName, name) != NULL)
		{
			ExFreePool(pModuleList);
			return address;
		}
	}
	ExFreePool(pModuleList);
	return 0;
}

PVOID get_system_module_export(const PCHAR module_name, LPCSTR routine_name)
{
	uint64_t lpModule = GetKernelAddress(module_name);

	if (!lpModule)
		return NULL;

	return RtlFindExportedRoutineByName((PVOID)lpModule, routine_name);
}

PVOID get_system_routine_address(PCWSTR routine_name)
{
	UNICODE_STRING name;
	RtlInitUnicodeString(&name, routine_name);
	return MmGetSystemRoutineAddress(&name);
}

PVOID get_system_module_export(LPCWSTR module_name, LPCSTR routine_name)
{
	PLIST_ENTRY module_list = reinterpret_cast<PLIST_ENTRY>(get_system_routine_address(L"PsLoadedModuleList"));

	if (!module_list)
		return NULL;


	for (PLIST_ENTRY link = module_list; link != module_list->Blink; link = link->Flink)
	{
		LDR_DATA_TABLE_ENTRY* entry = CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList);

		UNICODE_STRING name;
		RtlInitUnicodeString(&name, module_name);
		DbgPrintEx(0, 0,"\n%wZ", &entry->BaseDllName);
		if (RtlEqualUnicodeString(&entry->BaseDllName, &name, TRUE))
		{
			return (entry->DllBase) ? RtlFindExportedRoutineByName(entry->DllBase, const_cast<PCHAR>(routine_name)) : NULL;
		}
	}
}


extern "C" VOID UnloadDriver(
    PDRIVER_OBJECT DriverObject
)
{
    UNREFERENCED_PARAMETER(DriverObject);
}

NTSTATUS InitHook(uint64_t FunctionAddr)
{
	const char* Shellcode = "\x48\x83\xEC\x28\x48\x8B\x82\xB8\x00\x00\x00\x4C\x8B\x49\x40\x44\x0F\xB6\x00\x48\xB8\xEF\xBE\xAD\xDE\x00\x00\x00\x00\x90\xFF\x15\x54\x23\x04\x00\x48\x83\xC4\x28\xC3";
	uint64_t HookAddr = (GetKernelAddress("classpnp.sys") - (0x1c000a1f0 - 0x1c0000000));

	DbgPrintEx(0, 0, "\nHookAddr: %llx\n", HookAddr);


	if (HookAddr)
	{
		RtlCopyMemory((PVOID)HookAddr, Shellcode, sizeof(*Shellcode));
		RtlCopyMemory((PVOID)(HookAddr + 0x15), &FunctionAddr, 0x8);

		DbgPrintEx(0, 0, "\nsuccess");
	}
	else
	{
		DbgPrintEx(0, 0, "\nfail");


	}
	
	return STATUS_SUCCESS;
}

NTSTATUS hook_handler()
{
	DbgPrintEx(0, 0, "\nworked");
	return STATUS_SUCCESS;
}

PDRIVER_OBJECT g_DriverObject = NULL;

extern "C" NTSTATUS
DriverEntry(
    PDRIVER_OBJECT DriverObject,
    PUNICODE_STRING registryPath
)
{
    UNREFERENCED_PARAMETER(registryPath);

	DbgPrintEx(0, 0, "\nbefore hooking");
	
	InitHook((uint64_t)&hook_handler);

	DbgPrintEx(0, 0, "\nafter hooking");

    return STATUS_UNSUCCESSFUL;
}