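#pragma once

/*
 * Shared-memory message protocol between the user-mode client and the
 * KMemDriver kernel module. This header is compiled on both sides;
 * KERNEL_MODULE selects the kernel build.
 */
#ifdef KERNEL_MODULE
#include "Native.h"
#ifdef _DEBUG_
/*
 * Debug trace prefixed with the current IRQL.
 * NOTE(review): an invocation with no variadic arguments, e.g. KDBG("x\n"),
 * leaves a trailing comma when __VA_ARGS__ expands to nothing. MSVC accepts
 * this; standard C does not guarantee it.
 */
#define KDBG(fmt, ...) DbgPrint("KMemDriver[%01d]: " fmt, KeGetCurrentIrql(), __VA_ARGS__)
#else
#define KDBG(fmt, ...)
#endif
#else
#include <windows.h>
/*
 * NOTE(review): NTSTATUS is normally a typedef, not a macro, so this #ifndef
 * does not detect an earlier typedef (e.g. from winternl.h); presumably the
 * client does not include such headers — confirm before adding one.
 */
#ifndef NTSTATUS
typedef _Return_type_success_(return >= 0) LONG NTSTATUS;
#endif
#endif

/*
 * Marker stored in KERNEL_HEADER.magic. It is a fixed, publicly known
 * constant: it tells a well-formed message from garbage, nothing more.
 */
#define HDR_MAGIC 0xDEADC0DE

/* Fixed base address of the shared buffer; both sides must agree on it. */
#define SHMEM_ADDR 0x60000000
/*
 * Size of the shared buffer in bytes (128 KiB). Parenthesized so the product
 * stays intact inside a larger expression (e.g. `x % SHMEM_SIZE`).
 */
#define SHMEM_SIZE (8192 * 8 * 2)
/*
 * Returned by validateRequest / validateRespone for a malformed header.
 * Parenthesized so the cast applies to the whole value wherever it is used.
 */
#define INVALID_REQUEST ((UINT32)-1)

/* Message types carried in KERNEL_HEADER.type; one struct below per type. */
#define MEM_HANDSHAKE 0x800
#define MEM_PING 0x801
#define MEM_MODULES 0x802
#define MEM_PAGES 0x803
#define MEM_RPM 0x804
#define MEM_WPM 0x805
#define MEM_VALLOC 0x806
#define MEM_VFREE 0x807
#define MEM_VUNLINK 0x808
#define MEM_EXIT 0x809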
/* Common prefix of every message placed in the shared buffer. */
typedef struct _KERNEL_HEADER
{
    UINT32 magic; /* must equal HDR_MAGIC */
    UINT32 type;  /* one of the MEM_* codes */
} KERNEL_HEADER, *PKERNEL_HEADER;
/*
 * MEM_HANDSHAKE: exchanges the two event handles the sides use to signal
 * each other. Presumably kevent is signalled by the kernel side and uevent
 * by the user-mode client — confirm against the driver.
 * NOTE(review): HANDLE values are process-relative; how the driver resolves
 * them is not visible in this header.
 */
typedef struct _KERNEL_HANDSHAKE
{
    KERNEL_HEADER hdr;
    HANDLE kevent;
    HANDLE uevent;
} KERNEL_HANDSHAKE, *PKERNEL_HANDSHAKE;
/*
 * MEM_PING: liveness check. Presumably the client fills rnd_user and the
 * driver answers in rnd_kern — confirm against the driver.
 */
typedef struct _KERNEL_PING
{
    KERNEL_HEADER hdr;
    UINT32 rnd_user;
    UINT32 rnd_kern;
} KERNEL_PING, *PKERNEL_PING;
/*
 * MEM_PAGES: enumerate memory regions of ProcessId starting at StartAddress.
 * StatusRes and pages are filled in by the driver.
 * pages_start is the first result entry; the `_start` suffix suggests that
 * `pages` entries follow contiguously in the shared buffer — confirm.
 * NOTE(review): nothing in this header bounds `pages` against SHMEM_SIZE; the
 * handler must clamp the count so the entries stay inside the shared buffer.
 */
typedef struct _KERNEL_PAGE
{
    KERNEL_HEADER hdr;
    HANDLE ProcessId;
    PVOID StartAddress;
    NTSTATUS StatusRes;
    SIZE_T pages;
    MEMORY_BASIC_INFORMATION pages_start;
} KERNEL_PAGE, *PKERNEL_PAGE;
/*
 * One loaded-module record returned by MEM_MODULES.
 * The name fields are fixed-size; whoever fills them must truncate and
 * NUL-terminate — nothing in this header enforces it.
 */
typedef struct _MODULE_DATA
{
    PVOID DllBase;
    ULONG SizeOfImage;
    CHAR BaseDllName[64];
    CHAR FullDllPath[256];
} MODULE_DATA, *PMODULE_DATA;
/*
 * MEM_MODULES: list modules of ProcessId. StartIndex presumably selects
 * where a paged enumeration resumes — confirm. StatusRes and modules are
 * filled in by the driver.
 * modules_start is the first MODULE_DATA result; as with KERNEL_PAGE, further
 * entries presumably follow contiguously in the shared buffer — confirm.
 * NOTE(review): the handler must bound `modules` so the records fit within
 * SHMEM_SIZE; this header does not.
 */
typedef struct _KERNEL_MODULES
{
    KERNEL_HEADER hdr;
    HANDLE ProcessId;
    SIZE_T StartIndex;
    NTSTATUS StatusRes;
    SIZE_T modules;
    MODULE_DATA modules_start;
} KERNEL_MODULES, *PKERNEL_MODULES;
/* MEM_EXIT: header only, no payload. */
typedef struct _KERNEL_EXIT
{
    KERNEL_HEADER hdr;
} KERNEL_EXIT, *PKERNEL_EXIT;
/*
 * MEM_RPM: read SizeReq bytes at Address in ProcessId. StatusRes and SizeRes
 * are filled in by the driver. The data presumably follows this struct in the
 * shared buffer — confirm.
 * NOTE(review): SizeReq is supplied by the client and is not checked anywhere
 * in this header; the handler must verify it fits in
 * SHMEM_SIZE - sizeof(KERNEL_READ_REQUEST) before copying.
 */
typedef struct _KERNEL_READ_REQUEST
{
    KERNEL_HEADER hdr;
    HANDLE ProcessId;
    PVOID Address;
    SIZE_T SizeReq;
    NTSTATUS StatusRes;
    SIZE_T SizeRes;
} KERNEL_READ_REQUEST, *PKERNEL_READ_REQUEST;
/*
 * MEM_WPM: write SizeReq bytes to Address in ProcessId. Same layout as
 * KERNEL_READ_REQUEST; the data presumably follows this struct in the shared
 * buffer — confirm.
 * NOTE(review): as for MEM_RPM, SizeReq must be bounded by the handler against
 * the remaining shared-buffer space; nothing here does so.
 */
typedef struct _KERNEL_WRITE_REQUEST
{
    KERNEL_HEADER hdr;
    HANDLE ProcessId;
    PVOID Address;
    SIZE_T SizeReq;
    NTSTATUS StatusRes;
    SIZE_T SizeRes;
} KERNEL_WRITE_REQUEST, *PKERNEL_WRITE_REQUEST;
/*
 * MEM_VALLOC: allocate SizeReq bytes in ProcessId, preferably at AddressReq.
 * Protection is presumably a PAGE_* constant — confirm. StatusRes, AddressRes
 * and SizeRes are filled in by the driver.
 */
typedef struct _KERNEL_VALLOC_REQUEST
{
    KERNEL_HEADER hdr;
    HANDLE ProcessId;
    PVOID AddressReq;
    SIZE_T SizeReq;
    ULONG Protection;
    NTSTATUS StatusRes;
    PVOID AddressRes;
    SIZE_T SizeRes;
} KERNEL_VALLOC_REQUEST, *PKERNEL_VALLOC_REQUEST;
/*
 * MEM_VFREE: release Size bytes at Address in ProcessId. StatusRes is filled
 * in by the driver.
 */
typedef struct _KERNEL_VFREE_REQUEST
{
    KERNEL_HEADER hdr;
    HANDLE ProcessId;
    PVOID Address;
    SIZE_T Size;
    NTSTATUS StatusRes;
} KERNEL_VFREE_REQUEST, *PKERNEL_VFREE_REQUEST;
/*
 * MEM_VUNLINK: "unlink" the region at Address in ProcessId. What unlinking
 * does is defined by the driver and not visible here. StatusRes is filled in
 * by the driver.
 */
typedef struct _KERNEL_VUNLINK_REQUEST
{
    KERNEL_HEADER hdr;
    HANDLE ProcessId;
    PVOID Address;
    NTSTATUS StatusRes;
} KERNEL_VUNLINK_REQUEST, *PKERNEL_VUNLINK_REQUEST;
#ifndef KERNEL_MODULE
/*
 * Stamp the common header onto a message the client is about to send.
 *
 * buf:  start of the message in the shared buffer; must point at writable
 *       storage at least sizeof(KERNEL_HEADER) bytes long.
 * type: one of the MEM_* codes.
 *
 * Only the two header fields are written; the per-type payload is the
 * caller's responsibility.
 */
static inline VOID prepareRequest(PVOID buf, UINT32 type)
{
    KERNEL_HEADER stamp;

    stamp.magic = HDR_MAGIC;
    stamp.type = type;
    *(PKERNEL_HEADER)buf = stamp;
}
#endif
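/*
 * Validate the common header of a message in the shared buffer.
 *
 * Compiled as validateRespone (sic; the misspelling is kept because callers
 * use it) on the user-mode side and as validateRequest in the kernel module;
 * the body is the same on both sides.
 *
 * buf: start of the message; may be NULL.
 * Returns the message type when the magic matches and the type is one of the
 * MEM_* codes, otherwise INVALID_REQUEST.
 *
 * Only the header is examined. HDR_MAGIC is a fixed constant known to every
 * client, so a matching magic means "well-formed", not "trusted". Per-type
 * fields (ProcessId, SizeReq, result counts) are not looked at here and must
 * be range-checked by the handler for that type before they are used.
 */
static inline UINT32
#ifndef KERNEL_MODULE
validateRespone
#else
validateRequest
#endif
(PVOID buf)
{
    PKERNEL_HEADER hdr = (PKERNEL_HEADER)buf;

    /* A missing buffer (e.g. a mapping that failed) is reported like any other bad message. */
    if (hdr == NULL)
        return INVALID_REQUEST;
    if (hdr->magic != HDR_MAGIC)
        return INVALID_REQUEST;

    /* Explicit list rather than a range check so adding or renumbering a code is a visible edit. */
    switch (hdr->type) {
    case MEM_HANDSHAKE:
    case MEM_PING:
    case MEM_PAGES:
    case MEM_MODULES:
    case MEM_RPM:
    case MEM_WPM:
    case MEM_VALLOC:
    case MEM_VFREE:
    case MEM_VUNLINK:
    case MEM_EXIT:
        return hdr->type;
    default:
        return INVALID_REQUEST;
    }
}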