[
{
"path": ".gitignore",
"content": "\n# Created by https://www.toptal.com/developers/gitignore/api/visualstudio\n# Edit at https://www.toptal.com/developers/gitignore?templates=visualstudio\n\n### VisualStudio ###\n## Ignore Visual Studio temporary files, build results, and\n## files generated by popular Visual Studio add-ons.\n##\n## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore\n\n# User-specific files\n*.rsuser\n*.suo\n*.user\n*.userosscache\n*.sln.docstates\n\n# User-specific files (MonoDevelop/Xamarin Studio)\n*.userprefs\n\n# Mono auto generated files\nmono_crash.*\n\n# Build results\n[Dd]ebug/\n[Dd]ebugPublic/\n[Rr]elease/\n[Rr]eleases/\nx64/\nx86/\n[Ww][Ii][Nn]32/\n[Aa][Rr][Mm]/\n[Aa][Rr][Mm]64/\nbld/\n[Bb]in/\n[Oo]bj/\n[Ll]og/\n[Ll]ogs/\n\n# Visual Studio 2015/2017 cache/options directory\n.vs/\n# Uncomment if you have tasks that create the project's static files in wwwroot\n#wwwroot/\n\n# Visual Studio 2017 auto generated files\nGenerated\\ Files/\n\n# MSTest test Results\n[Tt]est[Rr]esult*/\n[Bb]uild[Ll]og.*\n\n# NUnit\n*.VisualState.xml\nTestResult.xml\nnunit-*.xml\n\n# Build Results of an ATL Project\n[Dd]ebugPS/\n[Rr]eleasePS/\ndlldata.c\n\n# Benchmark Results\nBenchmarkDotNet.Artifacts/\n\n# .NET Core\nproject.lock.json\nproject.fragment.lock.json\nartifacts/\n\n# ASP.NET Scaffolding\nScaffoldingReadMe.txt\n\n# StyleCop\nStyleCopReport.xml\n\n# Files built by Visual Studio\n*_i.c\n*_p.c\n*_h.h\n*.ilk\n*.meta\n*.obj\n*.iobj\n*.pch\n*.pdb\n*.ipdb\n*.pgc\n*.pgd\n*.rsp\n*.sbr\n*.tlb\n*.tli\n*.tlh\n*.tmp\n*.tmp_proj\n*_wpftmp.csproj\n*.log\n*.vspscc\n*.vssscc\n.builds\n*.pidb\n*.svclog\n*.scc\n\n# Chutzpah Test files\n_Chutzpah*\n\n# Visual C++ cache files\nipch/\n*.aps\n*.ncb\n*.opendb\n*.opensdf\n*.sdf\n*.cachefile\n*.VC.db\n*.VC.VC.opendb\n\n# Visual Studio profiler\n*.psess\n*.vsp\n*.vspx\n*.sap\n\n# Visual Studio Trace Files\n*.e2e\n\n# TFS 2012 Local Workspace\n$tf/\n\n# Guidance Automation Toolkit\n*.gpState\n\n# ReSharper is a .NET coding add-in\n_ReSharper*/\n*.[Rr]e[Ss]harper\n*.DotSettings.user\n\n# TeamCity is a build add-in\n_TeamCity*\n\n# DotCover is a Code Coverage Tool\n*.dotCover\n\n# AxoCover is a Code Coverage Tool\n.axoCover/*\n!.axoCover/settings.json\n\n# Coverlet is a free, cross platform Code Coverage Tool\ncoverage*.[ji][sn][of][no]\ncoverage*.xml\n\n# Visual Studio code coverage results\n*.coverage\n*.coveragexml\n\n# NCrunch\n_NCrunch_*\n.*crunch*.local.xml\nnCrunchTemp_*\n\n# MightyMoose\n*.mm.*\nAutoTest.Net/\n\n# Web workbench (sass)\n.sass-cache/\n\n# Installshield output folder\n[Ee]xpress/\n\n# DocProject is a documentation generator add-in\nDocProject/buildhelp/\nDocProject/Help/*.HxT\nDocProject/Help/*.HxC\nDocProject/Help/*.hhc\nDocProject/Help/*.hhk\nDocProject/Help/*.hhp\nDocProject/Help/Html2\nDocProject/Help/html\n\n# Click-Once directory\npublish/\n\n# Publish Web Output\n*.[Pp]ublish.xml\n*.azurePubxml\n# Note: Comment the next line if you want to checkin your web deploy settings,\n# but database connection strings (with potential passwords) will be unencrypted\n*.pubxml\n*.publishproj\n\n# Microsoft Azure Web App publish settings. Comment the next line if you want to\n# checkin your Azure Web App publish settings, but sensitive information contained\n# in these scripts will be unencrypted\nPublishScripts/\n\n# NuGet Packages\n*.nupkg\n# NuGet Symbol Packages\n*.snupkg\n# The packages folder can be ignored because of Package Restore\n**/[Pp]ackages/*\n# except build/, which is used as an MSBuild target.\n!**/[Pp]ackages/build/\n# Uncomment if necessary however generally it will be regenerated when needed\n#!**/[Pp]ackages/repositories.config\n# NuGet v3's project.json files produces more ignorable files\n*.nuget.props\n*.nuget.targets\n\n# Microsoft Azure Build Output\ncsx/\n*.build.csdef\n\n# Microsoft Azure Emulator\necf/\nrcf/\n\n# Windows Store app package directories and files\nAppPackages/\nBundleArtifacts/\nPackage.StoreAssociation.xml\n_pkginfo.txt\n*.appx\n*.appxbundle\n*.appxupload\n\n# Visual Studio cache files\n# files ending in .cache can be ignored\n*.[Cc]ache\n# but keep track of directories ending in .cache\n!?*.[Cc]ache/\n\n# Others\nClientBin/\n~$*\n*~\n*.dbmdl\n*.dbproj.schemaview\n*.jfm\n*.pfx\n*.publishsettings\norleans.codegen.cs\n\n# Including strong name files can present a security risk\n# (https://github.com/github/gitignore/pull/2483#issue-259490424)\n#*.snk\n\n# Since there are multiple workflows, uncomment next line to ignore bower_components\n# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)\n#bower_components/\n\n# RIA/Silverlight projects\nGenerated_Code/\n\n# Backup & report files from converting an old project file\n# to a newer Visual Studio version. Backup files are not needed,\n# because we have git ;-)\n_UpgradeReport_Files/\nBackup*/\nUpgradeLog*.XML\nUpgradeLog*.htm\nServiceFabricBackup/\n*.rptproj.bak\n\n# SQL Server files\n*.mdf\n*.ldf\n*.ndf\n\n# Business Intelligence projects\n*.rdl.data\n*.bim.layout\n*.bim_*.settings\n*.rptproj.rsuser\n*- [Bb]ackup.rdl\n*- [Bb]ackup ([0-9]).rdl\n*- [Bb]ackup ([0-9][0-9]).rdl\n\n# Microsoft Fakes\nFakesAssemblies/\n\n# GhostDoc plugin setting file\n*.GhostDoc.xml\n\n# Node.js Tools for Visual Studio\n.ntvs_analysis.dat\nnode_modules/\n\n# Visual Studio 6 build log\n*.plg\n\n# Visual Studio 6 workspace options file\n*.opt\n\n# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)\n*.vbw\n\n# Visual Studio LightSwitch build output\n**/*.HTMLClient/GeneratedArtifacts\n**/*.DesktopClient/GeneratedArtifacts\n**/*.DesktopClient/ModelManifest.xml\n**/*.Server/GeneratedArtifacts\n**/*.Server/ModelManifest.xml\n_Pvt_Extensions\n\n# Paket dependency manager\n.paket/paket.exe\npaket-files/\n\n# FAKE - F# Make\n.fake/\n\n# CodeRush personal settings\n.cr/personal\n\n# Python Tools for Visual Studio (PTVS)\n__pycache__/\n*.pyc\n\n# Cake - Uncomment if you are using it\n# tools/**\n# !tools/packages.config\n\n# Tabs Studio\n*.tss\n\n# Telerik's JustMock configuration file\n*.jmconfig\n\n# BizTalk build output\n*.btp.cs\n*.btm.cs\n*.odx.cs\n*.xsd.cs\n\n# OpenCover UI analysis results\nOpenCover/\n\n# Azure Stream Analytics local run output\nASALocalRun/\n\n# MSBuild Binary and Structured Log\n*.binlog\n\n# NVidia Nsight GPU debugger configuration file\n*.nvuser\n\n# MFractors (Xamarin productivity tool) working folder\n.mfractor/\n\n# Local History for Visual Studio\n.localhistory/\n\n# BeatPulse healthcheck temp database\nhealthchecksdb\n\n# Backup folder for Package Reference Convert tool in Visual Studio 2017\nMigrationBackup/\n\n# Ionide (cross platform F# VS Code tools) working folder\n.ionide/\n\n# Fody - auto-generated XML schema\nFodyWeavers.xsd\n\n### VisualStudio Patch ###\n# Additional files built by Visual Studio\n*.tlog\n\n# End of https://www.toptal.com/developers/gitignore/api/visualstudio"
},
{
"path": "Poseidon/Poseidon.sln",
"content": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.30711.63\r\nMinimumVisualStudioVersion = 10.0.40219.1\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Poseidon\", \"Poseidon.vcxproj\", \"{A941F3A1-C164-4A34-94B4-9577B7CD5FE2}\"\r\nEndProject\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"PoseidonClient\", \"..\\PoseidonClient\\PoseidonClient.vcxproj\", \"{46A9D08D-4962-4434-BC75-C60339512252}\"\r\nEndProject\r\nGlobal\r\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\r\n\t\tDebug|x64 = Debug|x64\r\n\t\tRelease|x64 = Release|x64\r\n\tEndGlobalSection\r\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\r\n\t\t{A941F3A1-C164-4A34-94B4-9577B7CD5FE2}.Debug|x64.ActiveCfg = Debug|x64\r\n\t\t{A941F3A1-C164-4A34-94B4-9577B7CD5FE2}.Debug|x64.Build.0 = Debug|x64\r\n\t\t{A941F3A1-C164-4A34-94B4-9577B7CD5FE2}.Debug|x64.Deploy.0 = Debug|x64\r\n\t\t{A941F3A1-C164-4A34-94B4-9577B7CD5FE2}.Release|x64.ActiveCfg = Release|x64\r\n\t\t{A941F3A1-C164-4A34-94B4-9577B7CD5FE2}.Release|x64.Build.0 = Release|x64\r\n\t\t{A941F3A1-C164-4A34-94B4-9577B7CD5FE2}.Release|x64.Deploy.0 = Release|x64\r\n\t\t{46A9D08D-4962-4434-BC75-C60339512252}.Debug|x64.ActiveCfg = Debug|x64\r\n\t\t{46A9D08D-4962-4434-BC75-C60339512252}.Debug|x64.Build.0 = Debug|x64\r\n\t\t{46A9D08D-4962-4434-BC75-C60339512252}.Release|x64.ActiveCfg = Release|x64\r\n\t\t{46A9D08D-4962-4434-BC75-C60339512252}.Release|x64.Build.0 = Release|x64\r\n\tEndGlobalSection\r\n\tGlobalSection(SolutionProperties) = preSolution\r\n\t\tHideSolutionNode = FALSE\r\n\tEndGlobalSection\r\n\tGlobalSection(ExtensibilityGlobals) = postSolution\r\n\t\tSolutionGuid = {A7CE4DCC-6D4C-4C0F-A15F-3D65EBEA3C6F}\r\n\tEndGlobalSection\r\nEndGlobal\r\n"
},
{
"path": "Poseidon/Poseidon.vcxproj",
"content": "\r\n\r\n \r\n \r\n Debug\r\n x64\r\n \r\n \r\n Release\r\n x64\r\n \r\n \r\n \r\n {A941F3A1-C164-4A34-94B4-9577B7CD5FE2}\r\n {1bc93793-694f-48fe-9372-81e2b05556fd}\r\n v4.5\r\n 12.0\r\n Debug\r\n Win32\r\n Poseidon\r\n $(LatestTargetPlatformVersion)\r\n \r\n \r\n \r\n Windows10\r\n true\r\n WindowsKernelModeDriver10.0\r\n Driver\r\n KMDF\r\n Universal\r\n \r\n \r\n Windows10\r\n false\r\n WindowsKernelModeDriver10.0\r\n Driver\r\n KMDF\r\n Universal\r\n false\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n DbgengKernelDebugger\r\n driver\r\n \r\n \r\n DbgengKernelDebugger\r\n false\r\n driver\r\n \r\n \r\n \r\n stdcpp17\r\n false\r\n false\r\n false\r\n \r\n \r\n DriverEntry\r\n \r\n \r\n false\r\n \r\n \r\n \r\n \r\n false\r\n stdcpp17\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n"
},
{
"path": "Poseidon/Poseidon.vcxproj.filters",
"content": "\r\n\r\n \r\n \r\n {4FC737F1-C7A5-4376-A066-2A32D752A2FF}\r\n cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx\r\n \r\n \r\n {93995380-89BD-4b04-88EB-625FBE52EBFB}\r\n h;hpp;hxx;hm;inl;inc;xsd\r\n \r\n \r\n {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}\r\n rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms\r\n \r\n \r\n {8E41214B-6785-4CFE-B992-037D68949A14}\r\n inf;inv;inx;mof;mc;\r\n \r\n \r\n {877b8484-960c-4f48-978f-d985dc5a098a}\r\n \r\n \r\n \r\n \r\n Source Files\r\n \r\n \r\n \r\n \r\n Header Files\\sdk\r\n \r\n \r\n Header Files\\sdk\r\n \r\n \r\n Header Files\\sdk\r\n \r\n \r\n Header Files\\sdk\r\n \r\n \r\n Header Files\\sdk\r\n \r\n \r\n Header Files\\sdk\r\n \r\n \r\n Header Files\r\n \r\n \r\n"
},
{
"path": "Poseidon/global.h",
"content": "#pragma once\r\n#include \r\n#include \r\n#include \r\n#include \r\n\r\nenum Code {\r\n\tComplete,\r\n\tBaseRequest,\r\n\tSizeRequest,\r\n\tPebRequest,\r\n\tQIPRequest,\r\n\tCopyRequest,\r\n\tAVMRequest,\r\n\tFVMRequest,\r\n\tPVMRequest,\r\n\tQVMRequest,\r\n\tModuleRequest,\r\n\tIndexRequest,\r\n};\r\n\r\nenum Status {\r\n\tInactive,\t// We'll use this status to let the driver know it can sleep for a while\r\n\tActive,\t\t// We'll use this status to let the driver know we may be sending requests any second\r\n\tWaiting,\t// We'll use this status to let the driver know we sent a request and are waiting for completion\r\n\tExit\t\t// We'll use this status to let the driver know it can exit the shared memory loop and untrap our thread\r\n};\r\n\r\ntypedef struct OperationData {\r\n\r\n\tstruct {\r\n\t\tchar* Name;\r\n\t\tDWORD\tId;\r\n\t\tPVOID\tBaseAddress;\r\n\t\tSIZE_T Size;\r\n\t\tPPEB\tPeb;\r\n\t\tPROCESS_BASIC_INFORMATION PBI;\r\n\t} Process;\r\n\r\n\tstruct {\r\n\t\tSIZE_T Size;\r\n\t\tSIZE_T ReturnLength;\r\n\r\n\t\tstruct {\r\n\t\t\tPVOID Address;\r\n\t\t\tPVOID Buffer;\r\n\t\t\tBOOLEAN\tReadOperation;\r\n\t\t} Copy;\r\n\r\n\t\tPVOID Base;\r\n\t\tDWORD AllocType;\r\n\t\tDWORD FreeType;\r\n\t\tDWORD Protect;\r\n\t\tDWORD OldProtect;\r\n\t\tMEMORY_BASIC_INFORMATION MBI;\r\n\t} Memory;\r\n\r\n\tstruct {\r\n\t\tPVOID BaseAddress;\r\n\t\tSIZE_T SizeOfImage;\r\n\t\tint Index;\r\n\t} Module;\r\n};\r\n\r\ntypedef struct CommunicationData {\r\n\r\n\tDWORD\tProcessId;\r\n\tPVOID\tSharedMemory;\r\n\tDWORD*\tpCode;\r\n\tSHORT*\tpStatus;\r\n\tDWORD\tMagic;\r\n};\r\n\r\nINT64(NTAPI *EnumerateDebuggingDevicesOriginal)(PVOID, PVOID);\r\nCommunicationData gData{};\r\nPEPROCESS gProcess{};\r\nDWORD64 gFunc{};\r\nCHAR* gKernelBase{};\r\nDWORD ActiveThreadsOffset{ 0x5F0 };\r\n\r\ntypedef enum _SYSTEM_INFORMATION_CLASS \r\n{\r\n\tSystemBasicInformation,\r\n\tSystemProcessorInformation,\r\n\tSystemPerformanceInformation,\r\n\tSystemTimeOfDayInformation,\r\n\tSystemPathInformation,\r\n\tSystemProcessInformation,\r\n\tSystemCallCountInformation,\r\n\tSystemDeviceInformation,\r\n\tSystemProcessorPerformanceInformation,\r\n\tSystemFlagsInformation,\r\n\tSystemCallTimeInformation,\r\n\tSystemModuleInformation,\r\n\tSystemLocksInformation,\r\n\tSystemStackTraceInformation,\r\n\tSystemPagedPoolInformation,\r\n\tSystemNonPagedPoolInformation,\r\n\tSystemHandleInformation,\r\n\tSystemObjectInformation,\r\n\tSystemPageFileInformation,\r\n\tSystemVdmInstemulInformation,\r\n\tSystemVdmBopInformation,\r\n\tSystemFileCacheInformation,\r\n\tSystemPoolTagInformation,\r\n\tSystemInterruptInformation,\r\n\tSystemDpcBehaviorInformation,\r\n\tSystemFullMemoryInformation,\r\n\tSystemLoadGdiDriverInformation,\r\n\tSystemUnloadGdiDriverInformation,\r\n\tSystemTimeAdjustmentInformation,\r\n\tSystemSummaryMemoryInformation,\r\n\tSystemNextEventIdInformation,\r\n\tSystemEventIdsInformation,\r\n\tSystemCrashDumpInformation,\r\n\tSystemExceptionInformation,\r\n\tSystemCrashDumpStateInformation,\r\n\tSystemKernelDebuggerInformation,\r\n\tSystemContextSwitchInformation,\r\n\tSystemRegistryQuotaInformation,\r\n\tSystemExtendServiceTableInformation,\r\n\tSystemPrioritySeperation,\r\n\tSystemPlugPlayBusInformation,\r\n\tSystemDockInformation,\r\n\tSystemProcessorSpeedInformation,\r\n\tSystemCurrentTimeZoneInformation,\r\n\tSystemLookasideInformation\r\n} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;\r\n\r\ntypedef struct _PEB_LDR_DATA \r\n{\r\n\tULONG Length;\r\n\tUCHAR Initialized;\r\n\tPVOID SsHandle;\r\n\tLIST_ENTRY InLoadOrderModuleList;\r\n\tLIST_ENTRY InMemoryOrderModuleList;\r\n\tLIST_ENTRY InInitializationOrderModuleList;\r\n} PEB_LDR_DATA, * PPEB_LDR_DATA;\r\n\r\ntypedef struct _LDR_DATA_TABLE_ENTRY \r\n{\r\n\tLIST_ENTRY InLoadOrderLinks;\r\n\tLIST_ENTRY InMemoryOrderLinks;\r\n\tLIST_ENTRY InInitializationOrderLinks;\r\n\tPVOID DllBase;\r\n\tPVOID EntryPoint;\r\n\tULONG SizeOfImage;\r\n\tUNICODE_STRING FullDllName;\r\n\tUNICODE_STRING BaseDllName;\r\n\tULONG Flags;\r\n\tUSHORT LoadCount;\r\n\tUSHORT TlsIndex;\r\n\tLIST_ENTRY HashLinks;\r\n\tULONG TimeDateStamp;\r\n} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;\r\n\r\ntypedef struct _PEB \r\n{\r\n\tUCHAR InheritedAddressSpace;\r\n\tUCHAR ReadImageFileExecOptions;\r\n\tUCHAR BeingDebugged;\r\n\tUCHAR BitField;\r\n\tPVOID Mutant;\r\n\tPVOID ImageBaseAddress;\r\n\tPPEB_LDR_DATA Ldr;\r\n\tPVOID ProcessParameters;\r\n\tPVOID SubSystemData;\r\n\tPVOID ProcessHeap;\r\n\tPVOID FastPebLock;\r\n\tPVOID AtlThunkSListPtr;\r\n\tPVOID IFEOKey;\r\n\tPVOID CrossProcessFlags;\r\n\tPVOID KernelCallbackTable;\r\n\tULONG SystemReserved;\r\n\tULONG AtlThunkSListPtr32;\r\n\tPVOID ApiSetMap;\r\n} PEB, * PPEB;\r\n\r\ntypedef struct _SYSTEM_MODULE \r\n{\r\n\tHANDLE Section;\r\n\tPVOID MappedBase;\r\n\tPVOID ImageBase;\r\n\tULONG ImageSize;\r\n\tULONG Flags;\r\n\tUSHORT LoadOrderIndex;\r\n\tUSHORT InitOrderIndex;\r\n\tUSHORT LoadCount;\r\n\tUSHORT OffsetToFileName;\r\n\tUCHAR FullPathName[MAXIMUM_FILENAME_LENGTH];\r\n} SYSTEM_MODULE, *PSYSTEM_MODULE;\r\n\r\ntypedef struct _SYSTEM_MODULE_INFORMATION \r\n{\r\n\tULONG NumberOfModules;\r\n\tSYSTEM_MODULE Modules[1];\r\n} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;\r\n\r\ntypedef struct _RTL_PROCESS_MODULE_INFORMATION\r\n{\r\n\tHANDLE Section;\r\n\tPVOID MappedBase;\r\n\tPVOID ImageBase;\r\n\tULONG ImageSize;\r\n\tULONG Flags;\r\n\tUSHORT LoadOrderIndex;\r\n\tUSHORT InitOrderIndex;\r\n\tUSHORT LoadCount;\r\n\tUSHORT OffsetToFileName;\r\n\tUCHAR FullPathName[MAXIMUM_FILENAME_LENGTH];\r\n} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;\r\n\r\ntypedef struct _RTL_PROCESS_MODULES\r\n{\r\n\tULONG NumberOfModules;\r\n\tRTL_PROCESS_MODULE_INFORMATION Modules[1];\r\n} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;\r\n\r\ntypedef struct PiDDBCache\r\n{\r\n\tLIST_ENTRY\t\tList;\r\n\tUNICODE_STRING\tDriverName;\r\n\tULONG\t\t\tTimeDateStamp;\r\n\tNTSTATUS\t\tLoadStatus;\r\n\tchar\t\t\t_0x0028[16];\r\n};\r\n\r\nextern \"C\" \r\n{\r\n\tNTKERNELAPI\r\n\tPVOID\r\n\tPsGetProcessSectionBaseAddress(\r\n\t\tPEPROCESS Process\r\n\t);\r\n\r\n\tNTKERNELAPI\r\n\tPPEB\r\n\tNTAPI\r\n\tPsGetProcessPeb(\r\n\t\tPEPROCESS Process\r\n\t);\r\n\r\n\tNTKERNELAPI\r\n\tNTSTATUS\r\n\tMmCopyVirtualMemory(\r\n\t\tPEPROCESS SourceProcess,\r\n\t\tPVOID SourceAddress,\r\n\t\tPEPROCESS TarGet,\r\n\t\tPVOID TargetAddress,\r\n\t\tSIZE_T BufferSize,\r\n\t\tKPROCESSOR_MODE PreviousMode,\r\n\t\tPSIZE_T ReturnSize\r\n\t);\r\n\r\n\tNTSYSCALLAPI \r\n\tNTSTATUS \r\n\tNTAPI \r\n\tZwQuerySystemInformation(\r\n\t\tULONG InfoClass,\r\n\t\tPVOID Buffer, \r\n\t\tULONG Length,\r\n\t\tPULONG ReturnLength\r\n\t);\r\n\r\n\tNTSYSCALLAPI\r\n\tNTSTATUS \r\n\tZwQueryInformationProcess(\r\n\t\tHANDLE ProcessHandle,\r\n\t\tPROCESSINFOCLASS ProcessInformationClass,\r\n\t\tPVOID ProcessInformation,\r\n\t\tULONG ProcessInformationLength,\r\n\t\tPULONG ReturnLength\r\n\t);\r\n\r\n\tNTSYSCALLAPI \r\n\tNTSTATUS \r\n\tNTAPI \r\n\tZwProtectVirtualMemory(\r\n\t\tHANDLE ProcessHandle, \r\n\t\tPVOID *BaseAddress, \r\n\t\tPSIZE_T RegionSize,\r\n\t\tULONG NewAccessProtection, \r\n\t\tPULONG OldAccessProtection\r\n\t);\r\n}"
},
{
"path": "Poseidon/main.cpp",
"content": "#include \"sdk.h\"\r\n\r\nNTSTATUS DriverEntry(DRIVER_OBJECT* DriverObject, UNICODE_STRING* RegistryPath) {\r\n\treturn Driver::Initialize();\r\n}"
},
{
"path": "Poseidon/memory.h",
"content": "#pragma once\r\n#include \"process.h\"\r\n\r\nnamespace Memory {\r\n\r\n\ttemplate \r\n\tT Allocate(SIZE_T Size) {\r\n\t\treturn reinterpret_cast(ExAllocatePool(NonPagedPool, Size));\r\n\t}\r\n\r\n\tVOID Free(PVOID Buffer) {\r\n\t\tExFreePool(Buffer);\r\n\t}\r\n\r\n\tBOOLEAN Copy(PVOID Destination, PVOID Source, SIZE_T Size) {\r\n\t\tSIZE_T BytesRead{ 0 };\r\n\t\treturn NT_SUCCESS(MmCopyVirtualMemory(IoGetCurrentProcess(), \r\n\t\t\t\t\t\t Source, \r\n\t\t\t\t\t\t IoGetCurrentProcess(), \r\n\t\t\t\t\t\t Destination, \r\n\t\t\t\t\t\t Size, \r\n\t\t\t\t\t\t KernelMode, \r\n\t\t\t\t\t\t &BytesRead)) && BytesRead == Size;\r\n\t}\r\n\r\n\tNTSTATUS CopyVirtualMemory(OperationData* Data) {\r\n\t\tNTSTATUS Status{ STATUS_SUCCESS };\r\n\t\tPEPROCESS eProcess{ Process::GetProcess(Data->Process.Id) };\r\n\r\n\t\tif (eProcess == nullptr) {\r\n\t\t\treturn STATUS_UNSUCCESSFUL;\r\n\t\t}\r\n\r\n\t\tif (Data->Memory.Copy.ReadOperation) {\r\n\t\t\tStatus = MmCopyVirtualMemory(eProcess, \r\n\t\t\t\t\t\t Data->Memory.Copy.Address, \r\n\t\t\t\t\t\t IoGetCurrentProcess(), \r\n\t\t\t\t\t\t Data->Memory.Copy.Buffer, \r\n\t\t\t\t\t\t Data->Memory.Size, \r\n\t\t\t\t\t\t UserMode, \r\n\t\t\t\t\t\t &Data->Memory.ReturnLength);\r\n\t\t} else {\r\n\t\t\tStatus = MmCopyVirtualMemory(IoGetCurrentProcess(), \r\n\t\t\t\t\t\t Data->Memory.Copy.Buffer,\r\n\t\t\t\t\t\t eProcess, \r\n\t\t\t\t\t\t Data->Memory.Copy.Address, \r\n\t\t\t\t\t\t Data->Memory.Size, \r\n\t\t\t\t\t\t UserMode, \r\n\t\t\t\t\t\t &Data->Memory.ReturnLength);\r\n\t\t}\r\n\r\n\t\tObfDereferenceObject(eProcess);\r\n\t\treturn Status;\r\n\t}\r\n\r\n\tNTSTATUS AllocateVirtualMemory(OperationData* Data) {\r\n\t\tKAPC_STATE Apc{ NULL };\r\n\t\tPEPROCESS eProcess{ Process::GetProcess(Data->Process.Id) };\r\n\r\n\t\tif (eProcess == nullptr) {\r\n\t\t\treturn STATUS_UNSUCCESSFUL;\r\n\t\t}\r\n\r\n\t\tKeStackAttachProcess(eProcess, &Apc);\r\n\r\n\t\tNTSTATUS Status{ ZwAllocateVirtualMemory(ZwCurrentProcess(), \r\n\t\t\t\t\t\t\t &Data->Memory.Base, \r\n\t\t\t\t\t\t\t NULL, \r\n\t\t\t\t\t\t\t &Data->Memory.Size,\r\n\t\t\t\t\t\t\t Data->Memory.AllocType,\r\n\t\t\t\t\t\t\t Data->Memory.Protect) };\r\n\r\n\t\tKeUnstackDetachProcess(&Apc);\r\n\t\tObfDereferenceObject(eProcess);\r\n\t\treturn Status;\r\n\t}\r\n\r\n\tNTSTATUS FreeVirtualMemory(OperationData* Data) {\r\n\t\tKAPC_STATE Apc{ NULL };\r\n\t\tPEPROCESS eProcess{ Process::GetProcess(Data->Process.Id) };\r\n\r\n\t\tif (eProcess == nullptr) {\r\n\t\t\treturn STATUS_UNSUCCESSFUL;\r\n\t\t}\r\n\r\n\t\tKeStackAttachProcess(eProcess, &Apc);\r\n\r\n\t\tNTSTATUS Status{ ZwFreeVirtualMemory(ZwCurrentProcess(),\r\n\t\t\t\t\t\t &Data->Memory.Base,\r\n\t\t\t\t\t\t &Data->Memory.Size,\r\n\t\t\t\t\t\t Data->Memory.FreeType) };\r\n\r\n\t\tKeUnstackDetachProcess(&Apc);\r\n\t\tObfDereferenceObject(eProcess);\r\n\t\treturn Status;\r\n\t}\r\n\r\n\tNTSTATUS ProtectVirtualMemory(OperationData* Data) {\r\n\t\tKAPC_STATE Apc{ NULL };\r\n\t\tPEPROCESS eProcess{ Process::GetProcess(Data->Process.Id) };\r\n\r\n\t\tif (eProcess == nullptr) {\r\n\t\t\treturn STATUS_UNSUCCESSFUL;\r\n\t\t}\r\n\r\n\t\tKeStackAttachProcess(eProcess, &Apc);\r\n\r\n\t\tNTSTATUS Status{ ZwProtectVirtualMemory(ZwCurrentProcess(), \r\n\t\t\t\t\t\t\t&Data->Memory.Base, \r\n\t\t\t\t\t\t\t&Data->Memory.Size,\r\n\t\t\t\t\t\t\tData->Memory.Protect,\r\n\t\t\t\t\t\t\t&Data->Memory.OldProtect) };\r\n\r\n\t\tKeUnstackDetachProcess(&Apc);\r\n\t\tObfDereferenceObject(eProcess);\r\n\t\treturn Status;\r\n\t}\r\n\r\n\tNTSTATUS QueryVirtualMemory(OperationData* Data) {\r\n\t\tNTSTATUS Status{ STATUS_SUCCESS };\r\n\t\tKAPC_STATE Apc{ 0 };\r\n\t\tPEPROCESS eProcess{ Process::GetProcess(Data->Process.Id) };\r\n\r\n\t\tif (eProcess == nullptr) {\r\n\t\t\treturn STATUS_UNSUCCESSFUL;\r\n\t\t}\r\n\r\n\t\tKeStackAttachProcess(eProcess, &Apc);\r\n\r\n\t\tStatus = ZwQueryVirtualMemory(ZwCurrentProcess(), \r\n\t\t\t\t\t Data->Memory.Base,\r\n\t\t\t\t\t MemoryBasicInformation, \r\n\t\t\t\t\t &Data->Memory.MBI, \r\n\t\t\t\t\t sizeof(Data->Memory.MBI),\r\n\t\t\t\t\t &Data->Memory.ReturnLength);\r\n\r\n\t\tKeUnstackDetachProcess(&Apc);\r\n\t\tObfDereferenceObject(eProcess);\r\n\t\treturn Status;\r\n\t}\r\n}\r\n"
},
{
"path": "Poseidon/process.h",
"content": "#pragma once\r\n#include \"global.h\"\r\n\r\nnamespace Process {\r\n\r\n\tPEPROCESS GetProcess(DWORD ProcessId) {\r\n\t\tPEPROCESS eProcess{ nullptr };\r\n\t\tPsLookupProcessByProcessId(reinterpret_cast(ProcessId), &eProcess);\r\n\t\treturn eProcess;\r\n\t}\r\n\r\n\tNTSTATUS GetBaseAddress(OperationData* Data) {\r\n\t\tPEPROCESS eProcess{ GetProcess(Data->Process.Id) };\r\n\r\n\t\tif (eProcess == nullptr) {\r\n\t\t\treturn STATUS_UNSUCCESSFUL;\r\n\t\t}\r\n\r\n\t\tData->Process.BaseAddress = PsGetProcessSectionBaseAddress(eProcess);\r\n\r\n\t\tObfDereferenceObject(eProcess);\r\n\t\treturn Data->Process.BaseAddress ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;\r\n\t}\r\n\r\n\tNTSTATUS GetMainModuleSize(OperationData* Data) {\r\n\t\tKAPC_STATE Apc{ 0 };\r\n\t\tDWORD Size{ NULL };\r\n\t\tPEPROCESS eProcess{ GetProcess(Data->Process.Id) };\r\n\r\n\t\tif (eProcess == nullptr) {\r\n\t\t\treturn STATUS_UNSUCCESSFUL;\r\n\t\t}\r\n\r\n\t\tKeStackAttachProcess(eProcess, &Apc);\r\n\r\n\t\tif (LIST_ENTRY* ModuleEntry{ PsGetProcessPeb(eProcess)->Ldr->InLoadOrderModuleList.Flink }) {\r\n\t\t\tData->Process.Size = CONTAINING_RECORD(ModuleEntry, \r\n\t\t\t\t\t\t\t LDR_DATA_TABLE_ENTRY, \r\n\t\t\t\t\t\t\t InLoadOrderLinks)->SizeOfImage;\r\n\t\t}\r\n\r\n\t\tKeUnstackDetachProcess(&Apc);\r\n\t\tObfDereferenceObject(eProcess);\r\n\r\n\t\treturn Data->Process.Size ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;\r\n\t}\r\n\r\n\tNTSTATUS GetPeb(OperationData* Data) {\r\n\t\tPEPROCESS eProcess{ GetProcess(Data->Process.Id) };\r\n\r\n\t\tif (eProcess == nullptr) {\r\n\t\t\treturn STATUS_UNSUCCESSFUL;\r\n\t\t}\r\n\r\n\t\tData->Process.Peb = PsGetProcessPeb(eProcess);\r\n\r\n\t\tObfDereferenceObject(eProcess);\r\n\t\treturn Data->Process.Peb ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;\r\n\t}\r\n\r\n\tNTSTATUS QueryInformation(OperationData* Data) {\r\n\t\tKAPC_STATE Apc{ 0 };\r\n\t\tPEPROCESS eProcess{ GetProcess(Data->Process.Id) };\r\n\r\n\t\tif (eProcess == nullptr) {\r\n\t\t\treturn STATUS_UNSUCCESSFUL;\r\n\t\t}\r\n\r\n\t\tKeStackAttachProcess(eProcess, &Apc);\r\n\r\n\t\tNTSTATUS Status{ ZwQueryInformationProcess(ZwCurrentProcess(), \r\n\t\t\t\t\t\t\t ProcessBasicInformation, \r\n\t\t\t\t\t\t\t &Data->Process.PBI, \r\n\t\t\t\t\t\t\t sizeof(Data->Process.PBI),\r\n\t\t\t\t\t\t\t nullptr) };\r\n\r\n\t\tKeUnstackDetachProcess(&Apc);\r\n\t\tObfDereferenceObject(eProcess);\r\n\t\treturn Status;\r\n\t}\r\n\r\n\tNTSTATUS GetModuleInfo(OperationData* Data) {\r\n\t\tKAPC_STATE Apc{ 0 };\r\n\t\tPVOID Base{ nullptr };\r\n\t\tDWORD Size{ NULL};\r\n\t\tUNICODE_STRING usModule{ 0 };\r\n\r\n\t\tif (Data->Process.Name) {\r\n\t\t\tANSI_STRING asModule{ 0 };\r\n\r\n\t\t\tRtlInitAnsiString(&asModule, Data->Process.Name);\r\n\t\t\tif (!NT_SUCCESS(RtlAnsiStringToUnicodeString(&usModule, &asModule, TRUE))) {\r\n\t\t\t\treturn STATUS_UNSUCCESSFUL;\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tPEPROCESS eProcess{ GetProcess(Data->Process.Id) };\r\n\r\n\t\tif (eProcess == nullptr) {\r\n\t\t\treturn STATUS_UNSUCCESSFUL;\r\n\t\t}\r\n\r\n\t\tKeStackAttachProcess(eProcess, &Apc);\r\n\r\n\t\tLIST_ENTRY* List = &(PsGetProcessPeb(eProcess)->Ldr->InLoadOrderModuleList);\r\n\r\n\t\tfor (LIST_ENTRY* Entry = List->Flink; Entry != List;) {\r\n\t\t\tauto Module{ CONTAINING_RECORD(Entry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks) };\r\n\r\n\t\t\tif (Module) {\r\n\t\t\t\t++Data->Module.Index;\r\n\r\n\t\t\t\tif (Data->Process.Name && !RtlCompareUnicodeString(&Module->BaseDllName, &usModule, TRUE)) {\r\n\t\t\t\t\tData->Module.BaseAddress = Module->DllBase;\r\n\t\t\t\t\tData->Module.SizeOfImage = Module->SizeOfImage;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\r\n\t\t\tEntry = Module->InLoadOrderLinks.Flink;\r\n\t\t}\r\n\r\n\t\tKeUnstackDetachProcess(&Apc);\r\n\t\tRtlFreeUnicodeString(&usModule);\r\n\t\tObfDereferenceObject(eProcess);\r\n\t\treturn Data->Module.SizeOfImage ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;\r\n\t}\r\n\r\n\tNTSTATUS GetModuleInfoByIndex(OperationData* Data) {\r\n\t\tKAPC_STATE Apc{ 0 };\r\n\t\tint Count{ 0 };\r\n\t\tPEPROCESS eProcess{ GetProcess(Data->Process.Id) };\r\n\r\n\t\tif (eProcess == nullptr) {\r\n\t\t\treturn STATUS_UNSUCCESSFUL;\r\n\t\t}\r\n\r\n\t\tKeStackAttachProcess(eProcess, &Apc);\r\n\r\n\t\tLIST_ENTRY* List = &(PsGetProcessPeb(eProcess)->Ldr->InLoadOrderModuleList);\r\n\r\n\t\tfor (LIST_ENTRY* Entry = List->Flink; Entry != List;) {\r\n\t\t\tauto Module{ CONTAINING_RECORD(Entry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks) };\r\n\t\t\r\n\t\t\tif (Module && Count == Data->Module.Index) {\r\n\t\t\t\tData->Module.BaseAddress = Module->DllBase;\r\n\t\t\t\tData->Module.SizeOfImage = Module->SizeOfImage;\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\r\n\t\t\tCount += 1;\r\n\t\t\tEntry = Module->InLoadOrderLinks.Flink;\r\n\t\t}\r\n\r\n\t\tKeUnstackDetachProcess(&Apc);\r\n\t\tObfDereferenceObject(eProcess);\r\n\t\treturn STATUS_SUCCESS;\r\n\t}\r\n}\r\n"
},
{
"path": "Poseidon/sdk.h",
"content": "#pragma once\r\n#include \"sharedmemory.h\"\r\n\r\n#define RVA(addr, size) (BYTE*)addr + *(INT*)((BYTE*)addr + ((size) - 4)) + size\r\n\r\nnamespace Driver {\r\n\r\n\tINT64 NTAPI EnumerateDebuggingDevicesHook(PVOID A1, PINT64 A2) {\r\n\t\tif (ExGetPreviousMode() != UserMode\r\n\t\t || A1 == nullptr \r\n\t\t || !Utils::ProbeUserAddress(A1, sizeof(gData), sizeof(DWORD)) \r\n\t\t || !Memory::Copy(&gData, A1, sizeof(CommunicationData))\r\n\t\t || gData.Magic != 0x999) {\r\n\r\n\t\t\t// NtConvertBetweenAuxiliaryCounterAndPerformanceCounter() was not called by our usermode client\r\n\t\t\t// Call the original EnumerateDebuggingDevices() for whoever called\r\n\r\n\t\t\treturn EnumerateDebuggingDevicesOriginal(A1, A2);\r\n\t\t} \r\n\r\n\t\t// NtConvertBetweenAuxiliaryCounterAndPerformanceCounter() was called by the usermode client\r\n\t\t// We're only able to execute code right now because the usermode thread within the client transitioned into the kernel to complete the system call\r\n\t\t// We can take advantage of this and execute code in our driver for as long as we want by simply never returning\r\n\r\n\t\tInterlockedExchangePointer((PVOID*)gFunc, (PVOID)EnumerateDebuggingDevicesOriginal); // Unhook EnumerateDebuggingDevices() - it can be detected easily\r\n\t\t\r\n\t\tSharedMemory::Loop();\r\n\t}\r\n\r\n\tNTSTATUS Initialize() {\r\n\t\tauto OSInfo{ System::GetOSVersion() };\r\n\r\n\t\tif (OSInfo.dwBuildNumber < 19041) {\r\n\t\t\tActiveThreadsOffset = OSInfo.dwBuildNumber == 10240 ? 0x490 : 0x498;\r\n\t\t}\r\n\r\n\t\tif (gKernelBase = System::GetModuleInfo(\"ntoskrnl.exe\")) {\r\n\t\t\tif (auto Func = Utils::FindPatternImage(gKernelBase, \r\n\t\t\t\t\t\t\t\t\"\\x48\\x8B\\x05\\x00\\x00\\x00\\x00\\x75\\x07\\x48\\x8B\\x05\\x00\\x00\\x00\\x00\\xE8\\x00\\x00\\x00\\x00\", \r\n\t\t\t\t\t\t\t\t\"xxx????xxxxx????x????\")) {\r\n\r\n\t\t\t\tgFunc = (DWORD64)(Func = RVA(Func, 7));\r\n\t\t\t\t*(PVOID*)&EnumerateDebuggingDevicesOriginal = InterlockedExchangePointer((PVOID*)Func, (PVOID)EnumerateDebuggingDevicesHook); // Hook EnumerateDebuggingDevices()\r\n\t\t\t\treturn STATUS_SUCCESS;\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\treturn STATUS_UNSUCCESSFUL;\r\n\t}\r\n}\r\n"
},
{
"path": "Poseidon/sharedmemory.h",
"content": "#pragma once\r\n#include \"memory.h\"\r\n#include \"system.h\"\r\n\r\nnamespace SharedMemory {\r\n\r\n\tBOOLEAN ReadSharedMemory(PVOID Address, PVOID Buffer, SIZE_T Size) {\r\n\t\tSIZE_T Bytes{ 0 };\r\n\r\n\t\tif (NT_SUCCESS(MmCopyVirtualMemory(gProcess, Address, IoGetCurrentProcess(), Buffer, Size, KernelMode, &Bytes))) {\r\n\t\t\treturn TRUE;\r\n\t\t} return FALSE;\r\n\t}\r\n\r\n\ttemplate \r\n\tBOOLEAN WriteSharedMemory(PVOID Address, T Buffer, SIZE_T Size = sizeof(T)) {\r\n\t\tSIZE_T Bytes{ 0 };\r\n\r\n\t\tif (NT_SUCCESS(MmCopyVirtualMemory(IoGetCurrentProcess(), (PVOID)&Buffer, gProcess, Address, Size, KernelMode, &Bytes))) {\r\n\t\t\treturn TRUE;\r\n\t\t} return FALSE;\r\n\t}\r\n\r\n\tBYTE GetStatus() {\r\n\t\tBYTE CurStatus{ 0 };\r\n\t\tReadSharedMemory(gData.pStatus, &CurStatus, sizeof(SHORT));\r\n\t\treturn CurStatus;\r\n\t}\r\n\r\n\tDWORD GetCode() {\r\n\t\tDWORD CurCode{ 0 };\r\n\t\tReadSharedMemory(gData.pCode, &CurCode, sizeof(DWORD));\r\n\t\treturn CurCode;\r\n\t}\r\n\r\n\tOperationData GetBuffer() {\r\n\t\tOperationData CurBuffer{ 0 };\r\n\t\tReadSharedMemory(gData.SharedMemory, &CurBuffer, sizeof(OperationData));\r\n\t\treturn CurBuffer;\r\n\t}\r\n\r\n\tBOOLEAN SetStatus(Status DesiredStatus) {\r\n\t\treturn WriteSharedMemory(gData.pStatus, DesiredStatus);\r\n\t}\r\n\r\n\tBOOLEAN SetCode() {\r\n\t\treturn WriteSharedMemory(gData.pCode, Complete);\r\n\t}\r\n\r\n\tBOOLEAN SetBuffer(OperationData Buffer) {\r\n\t\treturn WriteSharedMemory(gData.SharedMemory, Buffer);\r\n\t}\r\n\r\n\tVOID Respond() {\r\n\t\tDWORD Code{ GetCode() };\r\n\t\tOperationData Params{ GetBuffer() };\r\n\r\n\t\tswitch (Code) {\r\n\r\n\t\t\tcase BaseRequest: {\r\n\t\t\t\tProcess::GetBaseAddress(&Params);\r\n\t\t\t\tSetBuffer(Params);\r\n\t\t\t\tSetCode();\r\n\t\t\t\tSetStatus(Active);\r\n\t\t\t} break;\r\n\r\n\t\t\tcase SizeRequest: {\r\n\t\t\t\tProcess::GetMainModuleSize(&Params);\r\n\t\t\t\tSetBuffer(Params);\r\n\t\t\t\tSetCode();\r\n\t\t\t\tSetStatus(Active);\r\n\t\t\t} break;\r\n\r\n\t\t\tcase PebRequest: {\r\n\t\t\t\tProcess::GetPeb(&Params);\r\n\t\t\t\tSetBuffer(Params);\r\n\t\t\t\tSetCode();\r\n\t\t\t\tSetStatus(Active);\r\n\t\t\t} break;\r\n\r\n\t\t\tcase QIPRequest: {\r\n\t\t\t\tProcess::QueryInformation(&Params);\r\n\t\t\t\tSetBuffer(Params);\r\n\t\t\t\tSetCode();\r\n\t\t\t\tSetStatus(Active);\r\n\t\t\t} break;\r\n\r\n\t\t\tcase CopyRequest: {\r\n\t\t\t\tMemory::CopyVirtualMemory(&Params);\r\n\t\t\t\tSetBuffer(Params);\r\n\t\t\t\tSetCode();\r\n\t\t\t\tSetStatus(Active);\r\n\t\t\t} break;\r\n\r\n\t\t\tcase AVMRequest: {\r\n\t\t\t\tMemory::AllocateVirtualMemory(&Params);\r\n\t\t\t\tSetBuffer(Params);\r\n\t\t\t\tSetCode();\r\n\t\t\t\tSetStatus(Active);\r\n\t\t\t} break;\r\n\r\n\t\t\tcase FVMRequest: {\r\n\t\t\t\tMemory::FreeVirtualMemory(&Params);\r\n\t\t\t\tSetBuffer(Params);\r\n\t\t\t\tSetCode();\r\n\t\t\t\tSetStatus(Active);\r\n\t\t\t} break;\r\n\r\n\t\t\tcase PVMRequest: {\r\n\t\t\t\tMemory::ProtectVirtualMemory(&Params);\r\n\t\t\t\tSetBuffer(Params);\r\n\t\t\t\tSetCode();\r\n\t\t\t\tSetStatus(Active);\r\n\t\t\t} break;\r\n\r\n\t\t\tcase QVMRequest: {\r\n\t\t\t\tMemory::QueryVirtualMemory(&Params);\r\n\t\t\t\tSetBuffer(Params);\r\n\t\t\t\tSetCode();\r\n\t\t\t\tSetStatus(Active);\r\n\t\t\t} break;\r\n\r\n\t\t\tcase ModuleRequest: {\r\n\t\t\t\tProcess::GetModuleInfo(&Params);\r\n\t\t\t\tSetBuffer(Params);\r\n\t\t\t\tSetCode();\r\n\t\t\t\tSetStatus(Active);\r\n\t\t\t} break;\r\n\r\n\t\t\tcase IndexRequest: {\r\n\t\t\t\tProcess::GetModuleInfoByIndex(&Params);\r\n\t\t\t\tSetBuffer(Params);\r\n\t\t\t\tSetCode();\r\n\t\t\t\tSetStatus(Active);\r\n\t\t\t} break;\r\n\r\n\t\t\tdefault: {\r\n\t\t\t} break;\r\n\t\t}\r\n\t}\r\n\r\n\tVOID Loop() {\r\n\t\tgProcess = Process::GetProcess(gData.ProcessId);\r\n\r\n\t\tif (gProcess == nullptr) {\r\n\t\t\treturn;\r\n\t\t}\r\n\r\n\t\tfor (;;) {\r\n\r\n\t\t\tif (*(DWORD*)((BYTE*)gProcess + ActiveThreadsOffset) == 1) {\r\n\t\t\t\t// We're the only active thread - the client must be trying to terminate\r\n\t\t\t\tObfDereferenceObject(gProcess);\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\r\n\t\t\tDWORD Status{ GetStatus() };\r\n\r\n\t\t\tswitch (Status) {\r\n\t\t\t\tcase Inactive: {\r\n\t\t\t\t\tUtils::Sleep(50);\r\n\t\t\t\t} break;\r\n\r\n\t\t\t\tcase Active: {\r\n\t\t\t\t\tUtils::Sleep(1);\r\n\t\t\t\t} break;\r\n\r\n\t\t\t\tcase Waiting: {\r\n\t\t\t\t\tRespond();\r\n\t\t\t\t} break;\r\n\r\n\t\t\t\tcase Exit: {\r\n\t\t\t\t\tSetStatus(Inactive);\r\n\t\t\t\t\tObfDereferenceObject(gProcess);\r\n\t\t\t\t\treturn;\r\n\t\t\t\t} break;\r\n\r\n\t\t\t\tdefault: {\r\n\t\t\t\t\tUtils::Sleep(50);\r\n\t\t\t\t} break;\r\n\t\t\t}\r\n\t\t} \r\n\t}\r\n}"
},
{
"path": "Poseidon/system.h",
"content": "#pragma once\r\n#include \"global.h\"\r\n#include \"utils.h\"\r\n\r\nnamespace System {\r\n\r\n\ttemplate \r\n\tT GetModuleInfo(const char* Name, DWORD* OutSize = nullptr) {\r\n\t\tPVOID Base{ nullptr };\r\n\t\tDWORD RequiredSize{ 0 };\r\n\r\n\t\tif (ZwQuerySystemInformation(SystemModuleInformation, \r\n\t\t\t\t nullptr,\r\n\t\t\t\t\t NULL,\r\n\t\t\t\t\t &RequiredSize) != STATUS_INFO_LENGTH_MISMATCH) {\r\n\r\n\t\t\treturn reinterpret_cast(nullptr);\r\n\t\t}\r\n\r\n\t\tauto Modules{ Memory::Allocate(RequiredSize) };\r\n\r\n\t\tif (!Modules) {\r\n\t\t\treturn reinterpret_cast(nullptr);\r\n\t\t}\r\n\r\n\t\tif (!NT_SUCCESS(ZwQuerySystemInformation(SystemModuleInformation, \r\n\t\t\t\t\t\t\t Modules, \r\n\t\t\t\t\t\t\t RequiredSize, \r\n\t\t\t\t\t\t\t nullptr))) {\r\n\t\t\tMemory::Free(Modules);\r\n\t\t\treturn reinterpret_cast(nullptr);\r\n\t\t}\r\n\r\n\t\tfor (DWORD i = 0; i < Modules->NumberOfModules; ++i) {\r\n\t\t\tSYSTEM_MODULE CurModule{ Modules->Modules[i] };\r\n\r\n\t\t\tif (strstr(Utils::LowerStr((CHAR*)CurModule.FullPathName), Name)) \r\n\t\t\t{\r\n\t\t\t\tBase = CurModule.ImageBase;\r\n\r\n\t\t\t\tif (OutSize) {\r\n\t\t\t\t\t*OutSize = CurModule.ImageSize;\r\n\t\t\t\t}\r\n\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tMemory::Free(Modules);\r\n\t\treturn reinterpret_cast(Base);\r\n\t}\r\n\r\n\tOSVERSIONINFOW GetOSVersion() {\r\n\t\tOSVERSIONINFOW OSInfo{ 0 };\r\n\t\tRtlGetVersion(&OSInfo);\r\n\t\treturn OSInfo;\r\n\t}\r\n}\r\n"
},
{
"path": "Poseidon/utils.h",
"content": "#pragma once\r\n#include \"global.h\"\r\n\r\nnamespace Utils {\r\n\r\n\tVOID Sleep(INT ms) {\r\n\t\tLARGE_INTEGER li{ 0 };\r\n\t\tli.QuadPart = -10000;\r\n\r\n\t\tfor (INT i{ 0 }; i < ms; i++) {\r\n\t\t\tKeDelayExecutionThread(KernelMode, FALSE, &li);\r\n\t\t}\r\n\t}\r\n\r\n\tBOOLEAN ProbeUserAddress(PVOID Address, SIZE_T Size, DWORD Alignment) {\r\n\t\tif (Size == 0) {\r\n\t\t\treturn TRUE;\r\n\t\t}\r\n\t\t\r\n\t\tDWORD64 Current = (DWORD64)Address;\r\n\t\tif (((DWORD64)Address & (Alignment - 1)) != 0) {\r\n\t\t\treturn FALSE;\r\n\t\t}\r\n\r\n\t\tDWORD64 Last{ Current + Size - 1 };\r\n\r\n\t\tif ((Last < Current) || (Last >= MmUserProbeAddress)) {\r\n\t\t\treturn FALSE;\r\n\t\t}\r\n\r\n\t\treturn TRUE;\r\n\t}\r\n\r\n\tCHAR* LowerStr(CHAR* Str) {\r\n\t\tfor (CHAR* S = Str; *S; ++S) {\r\n\t\t\t*S = (CHAR)tolower(*S);\r\n\t\t}\r\n\t\treturn Str;\r\n\t}\r\n\r\n\tBOOLEAN CheckMask(CHAR* Base, CHAR* Pattern, CHAR* Mask) {\r\n\t\tfor (; *Mask; ++Base, ++Pattern, ++Mask) {\r\n\t\t\tif (*Mask == 'x' && *Base != *Pattern) {\r\n\t\t\t\treturn FALSE;\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\treturn TRUE;\r\n\t}\r\n\r\n\tPVOID FindPattern(CHAR* Base, DWORD Length, CHAR* Pattern, CHAR* Mask) {\r\n\t\tLength -= (DWORD)strlen(Mask);\r\n\r\n\t\tfor (DWORD i = 0; i <= Length; ++i) {\r\n\t\t\tPVOID Addr{ &Base[i] };\r\n\r\n\t\t\tif (CheckMask(static_cast(Addr), Pattern, Mask)) {\r\n\t\t\t\treturn Addr;\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tPVOID FindPatternImage(CHAR* Base, CHAR* Pattern, CHAR* Mask) {\r\n\t\tPVOID Match{ 0 };\r\n\r\n\t\tIMAGE_NT_HEADERS* Headers{ (PIMAGE_NT_HEADERS)(Base + ((PIMAGE_DOS_HEADER)Base)->e_lfanew) };\r\n\t\tIMAGE_SECTION_HEADER* Sections{ IMAGE_FIRST_SECTION(Headers) };\r\n\r\n\t\tfor (DWORD i = 0; i < Headers->FileHeader.NumberOfSections; ++i) {\r\n\t\t\tIMAGE_SECTION_HEADER* Section{ &Sections[i] };\r\n\r\n\t\t\tif (*(INT*)Section->Name == 'EGAP' || memcmp(Section->Name, \".text\", 5) == 0) {\r\n\t\t\t\tMatch = FindPattern(Base + Section->VirtualAddress, Section->Misc.VirtualSize, Pattern, Mask);\r\n\r\n\t\t\t\tif (Match) {\r\n\t\t\t\t\tbreak;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\treturn Match;\r\n\t}\r\n}\r\n"
},
{
"path": "PoseidonClient/PoseidonClient.vcxproj",
"content": "\r\n\r\n \r\n \r\n Debug\r\n Win32\r\n \r\n \r\n Release\r\n Win32\r\n \r\n \r\n Debug\r\n x64\r\n \r\n \r\n Release\r\n x64\r\n \r\n \r\n \r\n 16.0\r\n Win32Proj\r\n {46a9d08d-4962-4434-bc75-c60339512252}\r\n PoseidonClient\r\n 10.0\r\n \r\n \r\n \r\n Application\r\n true\r\n v142\r\n Unicode\r\n \r\n \r\n Application\r\n false\r\n v142\r\n true\r\n Unicode\r\n \r\n \r\n Application\r\n true\r\n v142\r\n Unicode\r\n \r\n \r\n Application\r\n false\r\n v142\r\n true\r\n Unicode\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n true\r\n Client\r\n \r\n \r\n false\r\n Client\r\n \r\n \r\n true\r\n Client\r\n \r\n \r\n false\r\n Client\r\n \r\n \r\n \r\n Level3\r\n true\r\n WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)\r\n true\r\n stdcpp17\r\n \r\n \r\n Console\r\n true\r\n \r\n \r\n \r\n \r\n Level3\r\n true\r\n true\r\n true\r\n WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)\r\n true\r\n stdcpp17\r\n \r\n \r\n Console\r\n true\r\n true\r\n true\r\n \r\n \r\n \r\n \r\n Level3\r\n true\r\n _DEBUG;_CONSOLE;%(PreprocessorDefinitions)\r\n true\r\n stdcpp17\r\n \r\n \r\n Console\r\n true\r\n \r\n \r\n \r\n \r\n Level3\r\n true\r\n true\r\n true\r\n NDEBUG;_CONSOLE;%(PreprocessorDefinitions)\r\n true\r\n stdcpp17\r\n \r\n \r\n Console\r\n true\r\n true\r\n true\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n"
},
{
"path": "PoseidonClient/PoseidonClient.vcxproj.filters",
"content": "\r\n\r\n \r\n \r\n {4FC737F1-C7A5-4376-A066-2A32D752A2FF}\r\n cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx\r\n \r\n \r\n {93995380-89BD-4b04-88EB-625FBE52EBFB}\r\n h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd\r\n \r\n \r\n {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}\r\n rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms\r\n \r\n \r\n {a1d20eea-b682-43a7-8ec6-07bcaa3f318a}\r\n \r\n \r\n \r\n \r\n Source Files\r\n \r\n \r\n \r\n \r\n Header Files\r\n \r\n \r\n Header Files\\sdk\r\n \r\n \r\n Header Files\\sdk\r\n \r\n \r\n Header Files\\sdk\r\n \r\n \r\n Header Files\\sdk\r\n \r\n \r\n"
},
{
"path": "PoseidonClient/global.h",
"content": "#pragma once\r\n#include \r\n#include \r\n#include \r\n#include \r\n#include \r\n\r\nPVOID(NTAPI *NtConvertBetweenAuxiliaryCounterAndPerformanceCounter)(PVOID, PVOID, PVOID, PVOID);\r\n\r\nenum Code {\r\n\tComplete,\r\n\tBaseRequest,\r\n\tSizeRequest,\r\n\tPebRequest,\r\n\tQIPRequest,\r\n\tCopyRequest,\r\n\tAVMRequest,\r\n\tFVMRequest,\r\n\tPVMRequest,\r\n\tQVMRequest,\r\n\tModuleRequest,\r\n\tIndexRequest,\r\n};\r\n\r\nenum Status {\r\n\tInactive,\r\n\tActive,\r\n\tWaiting,\r\n\tExit\r\n};\r\n\r\ntypedef struct OperationData {\r\n\r\n\tstruct {\r\n\t\tchar* Name;\r\n\t\tDWORD\tId;\r\n\t\tPVOID\tBaseAddress;\r\n\t\tSIZE_T Size;\r\n\t\tPPEB\tPeb;\r\n\t\tPROCESS_BASIC_INFORMATION PBI;\r\n\t} Process;\r\n\r\n\tstruct {\r\n\t\tSIZE_T Size;\r\n\t\tSIZE_T ReturnLength;\r\n\r\n\t\tstruct {\r\n\t\t\tPVOID Address;\r\n\t\t\tPVOID Buffer;\r\n\t\t\tBOOLEAN\tReadOperation;\r\n\t\t} Copy;\r\n\r\n\t\tPVOID Base;\r\n\t\tDWORD AllocType;\r\n\t\tDWORD FreeType;\r\n\t\tDWORD Protect;\r\n\t\tDWORD OldProtect;\r\n\t\tMEMORY_BASIC_INFORMATION MBI;\r\n\t} Memory;\r\n\r\n\tstruct {\r\n\t\tPVOID BaseAddress;\r\n\t\tSIZE_T SizeOfImage;\r\n\t\tint Index;\r\n\t} Module;\r\n};\r\n\r\ntypedef struct CommunicationData {\r\n\r\n\tDWORD\tProcessId;\r\n\tPVOID\tSharedMemory;\r\n\tDWORD*\tpCode;\r\n\tSHORT*\tpStatus;\r\n\tDWORD\tMagic;\r\n};\r\n\r\ntypedef struct MODULE {\r\n\tPVOID BaseAddress;\r\n\tDWORD SizeOfImage;\r\n};"
},
{
"path": "PoseidonClient/main.cpp",
"content": "#include \"sdk.h\"\r\n#include \r\n\r\nint main() {\r\n\tClient::Connect();\r\n\r\n\t// Manually calling the functions in process.h and memory.h\r\n\r\n\tDWORD ProcessId{ Process::GetProcessId(L\"notepad.exe\") };\r\n\tPVOID BaseAddress{ Process::GetBase(ProcessId) };\r\n\tint ExampleValue{ Memory::Read(ProcessId, BaseAddress) };\r\n\r\n\tstd::cout << \"0x\" << std::hex << BaseAddress << std::endl;\r\n\tstd::cout << std::dec << ExampleValue << std::endl;\r\n\r\n\tgetchar();\r\n\r\n\t// Or using a KProcess object\r\n\r\n\tauto Notepad{ KProcess(L\"notepad.exe\") };\r\n\tint ExampleValue2{ Notepad.Read(Notepad.BaseAddress) };\r\n\tstd::cout << \"0x\" << std::hex << Notepad.BaseAddress << std::endl;\r\n\tstd::cout << std::dec << ExampleValue2 << std::endl;\r\n\r\n\tgetchar();\r\n\r\n\tClient::Disconnect(); // Once this is called or usermode closed / crashed, we can never reobtain a connection to the driver without remapping it\r\n}"
},
{
"path": "PoseidonClient/memory.h",
"content": "#pragma once\r\n#include \"process.h\"\r\n\r\nnamespace Memory {\r\n\r\n\tbool Read(DWORD ProcessId, PVOID Address, PVOID Buffer, SIZE_T Size) {\r\n\t\tOperationData Data{ 0 };\r\n\r\n\t\tData.Process.Id = ProcessId;\r\n\t\tData.Memory.Copy.Address = Address;\r\n\t\tData.Memory.Copy.Buffer = Buffer;\r\n\t\tData.Memory.Size = Size;\r\n\t\tData.Memory.Copy.ReadOperation = true;\r\n\r\n\t\treturn SharedMemory::SendRequest(CopyRequest, Data);\r\n\t}\r\n\t\r\n\ttemplate \r\n\tT Read(DWORD ProcessId, PVOID Address, SIZE_T Size = sizeof(T)) {\r\n\t\tT Buffer{};\r\n\t\tRead(ProcessId, Address, static_cast(&Buffer), Size);\r\n\t\treturn Buffer; \r\n\t}\r\n\r\n\tbool Write(DWORD ProcessId, PVOID Address, PVOID Buffer, SIZE_T Size) {\r\n\t\tOperationData Data{ 0 };\r\n\r\n\t\tData.Process.Id = ProcessId;\r\n\t\tData.Memory.Copy.Address = Address;\r\n\t\tData.Memory.Copy.Buffer = Buffer;\r\n\t\tData.Memory.Size = Size;\r\n\t\tData.Memory.Copy.ReadOperation = false;\r\n\r\n\t\treturn SharedMemory::SendRequest(CopyRequest, Data);\r\n\t}\r\n\r\n\ttemplate \r\n\tbool Write(DWORD ProcessId, PVOID Address, T Value, SIZE_T Size = sizeof(T)) {\r\n\t\tOperationData Data{ 0 };\r\n\r\n\t\tData.Process.Id = ProcessId;\r\n\t\tData.Memory.Copy.Address = Address;\r\n\t\tData.Memory.Copy.Buffer = &Value;\r\n\t\tData.Memory.Size = Size;\r\n\t\tData.Memory.Copy.ReadOperation = false;\r\n\r\n\t\treturn SharedMemory::SendRequest(CopyRequest, Data);\r\n\t}\r\n\r\n\tPVOID AllocateVirtualMemory(DWORD ProcessId, PVOID Base, SIZE_T Size, DWORD AllocType, DWORD Protect) {\r\n\t\tOperationData Data{ 0 };\r\n\r\n\t\tData.Process.Id = ProcessId;\r\n\t\tData.Memory.Base = Base;\r\n\t\tData.Memory.Size = Size;\r\n\t\tData.Memory.AllocType = AllocType;\r\n\t\tData.Memory.Protect = Protect;\r\n\r\n\t\tSharedMemory::SendRequest(AVMRequest, Data);\r\n\t\treturn SharedMemory::GetBuffer().Memory.Base;\r\n\t}\r\n\r\n\tbool FreeVirtualMemory(DWORD ProcessId, PVOID Base, SIZE_T Size, DWORD FreeType) {\r\n\t\tOperationData Data{ 0 };\r\n\r\n\t\tData.Process.Id = ProcessId;\r\n\t\tData.Memory.Base = Base;\r\n\t\tData.Memory.Size = Size;\r\n\t\tData.Memory.AllocType = FreeType;\r\n\r\n\t\treturn SharedMemory::SendRequest(FVMRequest, Data);\r\n\t}\r\n\t\r\n\tDWORD ProtectVirtualMemory(DWORD ProcessId, PVOID Base, SIZE_T Size, DWORD Protect, DWORD* OldProtect = nullptr) {\r\n\t\tOperationData Data{ 0 };\r\n\r\n\t\tData.Process.Id = ProcessId;\r\n\t\tData.Memory.Base = Base;\r\n\t\tData.Memory.Size = Size;\r\n\t\tData.Memory.Protect = Protect;\r\n\r\n\t\tif (SharedMemory::SendRequest(PVMRequest, Data)) {\r\n\t\t\tOperationData Buffer{ SharedMemory::GetBuffer() };\r\n\r\n\t\t\tif (OldProtect) {\r\n\t\t\t\t*OldProtect = Buffer.Memory.OldProtect;\r\n\t\t\t}\r\n\r\n\t\t\treturn Buffer.Memory.Protect;\r\n\t\t}\r\n\t}\r\n\r\n\tbool QueryVirtualMemory(DWORD ProcessId, PVOID Address, MEMORY_BASIC_INFORMATION& MemoryBasicInfo, SIZE_T Size) {\r\n\t\tOperationData Data{ 0 };\r\n\r\n\t\tData.Process.Id = ProcessId;\r\n\t\tData.Memory.Base = Address;\r\n\t\tData.Memory.Size = Size;\r\n\r\n\t\tif (SharedMemory::SendRequest(QVMRequest, Data)) {\r\n\t\t\tMemoryBasicInfo = SharedMemory::GetBuffer().Memory.MBI;\r\n\t\t}\r\n\r\n\t\treturn MemoryBasicInfo.Protect ? true : false;\r\n\t}\r\n}"
},
{
"path": "PoseidonClient/process.h",
"content": "#pragma once\r\n#include \"global.h\"\r\n#include \"sharedmemory.h\"\r\n\r\nnamespace Process {\r\n\r\n\tDWORD GetProcessId(const wchar_t* ImageName) {\r\n\t\tHANDLE Snapshot{ CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) };\r\n\t\tPROCESSENTRY32W Process{ sizeof(PROCESSENTRY32W) };\r\n\r\n\t\tif (Process32FirstW(Snapshot, &Process)) {\r\n\t\t\tdo {\r\n\t\t\t\tif (!wcscmp(ImageName, Process.szExeFile)) {\r\n\t\t\t\t\tCloseHandle(Snapshot);\r\n\t\t\t\t\treturn Process.th32ProcessID;\r\n\t\t\t\t}\r\n\t\t\t} while (Process32NextW(Snapshot, &Process));\r\n\t\t}\r\n\r\n\t\tCloseHandle(Snapshot);\r\n\t\treturn NULL;\r\n\t}\r\n\r\n\tPVOID GetBase(DWORD ProcessId) {\r\n\t\tOperationData Data{ 0 };\r\n\t\tData.Process.Id = ProcessId;\r\n\t\t\r\n\t\tif (SharedMemory::SendRequest(BaseRequest, Data)) {\r\n\t\t\treturn SharedMemory::GetBuffer().Process.BaseAddress;\r\n\t\t} return nullptr;\r\n\t}\r\n\r\n\tDWORD GetSize(DWORD ProcessId) {\r\n\t\tOperationData Data{ 0 };\r\n\t\tData.Process.Id = ProcessId;\r\n\r\n\t\tif (SharedMemory::SendRequest(SizeRequest, Data)) {\r\n\t\t\treturn SharedMemory::GetBuffer().Process.Size;\r\n\t\t} return NULL;\r\n\t}\r\n\r\n\ttemplate \r\n\tT GetModuleInfo(DWORD ProcessId, const char* ModuleName, DWORD &OutSize) {\r\n\t\tOperationData Data{ 0 };\r\n\r\n\t\tData.Process.Id = ProcessId;\r\n\t\tData.Process.Name = const_cast(ModuleName);\r\n\r\n\t\tif (SharedMemory::SendRequest(ModuleRequest, Data)) {\r\n\t\t\tOperationData Buffer{ SharedMemory::GetBuffer() };\r\n\t\t\tOutSize = Buffer.Module.SizeOfImage;\r\n\t\t\treturn reinterpret_cast(Buffer.Module.BaseAddress);\r\n\t\t}\r\n\r\n\t\treturn {};\r\n\t}\r\n\r\n\tbool QueryInformation(DWORD ProcessId, PROCESS_BASIC_INFORMATION& PBI) {\r\n\t\tOperationData Data{ 0 };\r\n\r\n\t\tData.Process.Id = ProcessId;\r\n\r\n\t\tif (SharedMemory::SendRequest(QIPRequest, Data)) {\r\n\t\t\tPBI = SharedMemory::GetBuffer().Process.PBI;\r\n\t\t}\r\n\r\n\t\treturn PBI.PebBaseAddress ? true : false;\r\n\t}\r\n\r\n\tPPEB GetPeb(DWORD ProcessId) {\r\n\t\tOperationData Data{ 0 };\r\n\t\tData.Process.Id = ProcessId;\r\n\r\n\t\tif (SharedMemory::SendRequest(PebRequest, Data)) {\r\n\t\t\treturn SharedMemory::GetBuffer().Process.Peb;\r\n\t\t} return nullptr;\r\n\t}\r\n\r\n\tDWORD GetModuleCount(DWORD ProcessId) {\r\n\t\tOperationData Data{ 0 };\r\n\r\n\t\tData.Process.Id = ProcessId;\r\n\r\n\t\tif (SharedMemory::SendRequest(ModuleRequest, Data)) {\r\n\t\t\treturn SharedMemory::GetBuffer().Module.Index;\r\n\t\t} return NULL;\r\n\t}\r\n\r\n\tPVOID GetModuleByIndex(DWORD ProcessId, DWORD Index, DWORD& OutSize) {\r\n\t\tPVOID Base{ nullptr };\r\n\t\tOperationData Data{ 0 };\r\n\r\n\t\tData.Process.Id = ProcessId;\r\n\t\tData.Module.Index = Index;\r\n\r\n\t\tif (SharedMemory::SendRequest(IndexRequest, Data)) {\r\n\t\t\tOperationData Buffer{ SharedMemory::GetBuffer() };\r\n\t\t\tBase = Buffer.Module.BaseAddress;\r\n\t\t\tOutSize = Buffer.Module.SizeOfImage;\r\n\t\t}\r\n\r\n\t\treturn Base;\r\n\t}\r\n}\r\n"
},
{
"path": "PoseidonClient/sdk.h",
"content": "#pragma once\r\n#include \"memory.h\"\r\n\r\nnamespace Client {\r\n\tbool ErrorFlag{ false };\r\n\r\n\tvoid KernelThread(PVOID LParam) {\r\n\t\tINT64 Status{ 0 };\r\n\r\n\t\tCommunicationData Data{ *(CommunicationData*)LParam };\r\n\t\tPVOID pData{ &Data };\r\n\r\n\t\tHMODULE Module{ LoadLibrary(L\"ntdll.dll\") };\r\n\r\n\t\tif (!Module) {\r\n\t\t\treturn;\r\n\t\t}\r\n\r\n\t\t*(PVOID*)&NtConvertBetweenAuxiliaryCounterAndPerformanceCounter = GetProcAddress(Module, \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\");\r\n\r\n\t\tif (!NtConvertBetweenAuxiliaryCounterAndPerformanceCounter) {\r\n\t\t\treturn;\r\n\t\t}\r\n\r\n\t\tNtConvertBetweenAuxiliaryCounterAndPerformanceCounter((PVOID)1, &pData, &Status, nullptr);\r\n\t\tErrorFlag = true; // NtConvertBetweenAuxiliaryCounterAndPerformanceCounter() is the call that transitions this thread into the kernel, and as such should not return until Client::Disconnect() is called.\r\n\t}\r\n\r\n\tvoid Connect() {\r\n\t\tCommunicationData Data{ 0 };\r\n\r\n\t\tPVOID Memory{ VirtualAlloc(nullptr, \r\n\t\t\t\t\t sizeof(OperationData) * 2, \r\n\t\t\t\t\t MEM_COMMIT | MEM_RESERVE, \r\n\t\t\t\t\t PAGE_READWRITE) };\r\n\r\n\t\tif (!Memory) {\r\n\t\t\treturn;\r\n\t\t}\r\n\r\n\t\tData.ProcessId = GetCurrentProcessId();\r\n\t\tData.SharedMemory = Memory;\r\n\t\tData.pCode = (DWORD*)Memory + sizeof(OperationData);\r\n\t\tData.pStatus = (SHORT*)Data.pCode + 8;\r\n\t\tData.Magic = 0x999;\r\n\r\n\t\tCreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)KernelThread, &Data, 0, nullptr);\r\n\r\n\t\tSleep(500);\r\n\r\n\t\tif (ErrorFlag) {\r\n\t\t\tstd::cout << \"Error Connecting\";\r\n\t\t\tgetchar();\r\n\t\t\texit(0);\r\n\t\t}\r\n\r\n\t\tSharedMemory::Connect(Data);\r\n\t}\r\n\r\n\tvoid Disconnect() {\r\n\t\tSharedMemory::Disconnect();\r\n\t}\r\n}\r\n\r\nclass KProcess {\r\npublic:\r\n\r\n\twchar_t* ImageName{};\r\n\tDWORD ProcessId{};\r\n\tPVOID BaseAddress{};\r\n\tDWORD Size{};\r\n\tPPEB Peb{};\r\n\tDWORD ModuleCount{};\r\n\tstd::vector ModuleList{};\r\n\r\n\tKProcess(const wchar_t* ImageName) {\r\n\t\tthis->ImageName = const_cast(ImageName);\r\n\t\tthis->ProcessId = Process::GetProcessId(ImageName);\r\n\t\tthis->BaseAddress = Process::GetBase(this->ProcessId);\r\n\t\tthis->Size = Process::GetSize(this->ProcessId);\r\n\t\tthis->Peb = Process::GetPeb(this->ProcessId);\r\n\t\tthis->ModuleCount = Process::GetModuleCount(this->ProcessId);\r\n\r\n\t\tfor (int i = 0; i < this->ModuleCount; i++) {\r\n\t\t\tDWORD SizeOfImage{ 0 };\r\n\t\t\tPVOID BaseAddress{ Process::GetModuleByIndex(this->ProcessId, i, SizeOfImage) };\r\n\t\t\tModuleList.push_back({ BaseAddress, SizeOfImage });\r\n\t\t}\r\n\t}\r\n\r\n\ttemplate \r\n\tT GetModuleInfo(const char* ModuleName, DWORD &OutSize) {\r\n\t\treturn Process::GetModuleInfo(this->ProcessId, ModuleName, OutSize);\r\n\t}\r\n\r\n\tPROCESS_BASIC_INFORMATION QueryInformationProcess() {\r\n\t\tPROCESS_BASIC_INFORMATION Pbi{ 0 };\r\n\t\tProcess::QueryInformation(this->ProcessId, Pbi);\r\n\t\treturn Pbi;\r\n\t}\r\n\r\n\tbool Read(PVOID Address, PVOID Buffer, SIZE_T Size) {\r\n\t\treturn Memory::Read(this->ProcessId, Address, Buffer, Size);\r\n\t}\r\n\t\r\n\ttemplate \r\n\tT Read(PVOID Address, SIZE_T Size = sizeof(T)) {\r\n\t\treturn Memory::Read(this->ProcessId, Address, Size);\r\n\t}\r\n\r\n\tbool Write(PVOID Address, PVOID Buffer, SIZE_T Size) {\r\n\t\treturn Memory::Write(this->ProcessId, Address, Buffer, Size);\r\n\t}\r\n\r\n\ttemplate \r\n\tbool Write(PVOID Address, T Value, SIZE_T Size = sizeof(T)) {\r\n\t\treturn Memory::Write(this->ProcessId, Address, Value, Size);\r\n\t}\r\n\r\n\tPVOID AllocateVirtualMemory(PVOID Base, SIZE_T Size, DWORD AllocType, DWORD Protect) {\r\n\t\treturn Memory::AllocateVirtualMemory(this->ProcessId, Base, Size, AllocType, Protect);\r\n\t}\r\n\r\n\tbool FreeVirtualMemory(PVOID Base, SIZE_T Size, DWORD FreeType) {\r\n\t\treturn Memory::FreeVirtualMemory(this->ProcessId, Base, Size, FreeType);\r\n\t}\r\n\t\r\n\tDWORD ProtectVirtualMemory(PVOID Base, SIZE_T Size, DWORD Protect, DWORD* OldProtect) {\r\n\t\treturn Memory::ProtectVirtualMemory(this->ProcessId, Base, Size, Protect, OldProtect);\r\n\t}\r\n\r\n\tbool QueryVirtualMemory(PVOID Address, MEMORY_BASIC_INFORMATION& MemoryBasicInfo, SIZE_T Size) {\r\n\t\treturn Memory::QueryVirtualMemory(this->ProcessId, Address, MemoryBasicInfo, Size);\r\n\t}\r\n\r\n\tMEMORY_BASIC_INFORMATION QueryVirtualMemory(PVOID Address, SIZE_T Size) {\r\n\t\tMEMORY_BASIC_INFORMATION Mbi{ 0 };\r\n\t\tthis->QueryVirtualMemory(Address, Mbi, Size);\r\n\t\treturn Mbi;\r\n\t}\r\n\r\n\tBYTE* PatternFinder(BYTE* Start, DWORD Size, const char* Signature, const char* Mask) {\r\n\t\tauto CompareData = [] (const char* Data, const char* Signature, const char* Mask) -> BOOL {\r\n\t\t\tfor (; *Mask; ++Mask, ++Data, ++Signature) {\r\n\t\t\t\tif (*Mask == 'x' && *Data != *Signature) {\r\n\t\t\t\t\treturn FALSE;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\treturn (*Mask == NULL);\r\n\t\t};\r\n\r\n\t\tauto Buffer{ static_cast(VirtualAlloc(nullptr, Size, MEM_COMMIT, PAGE_READWRITE)) };\r\n\t\tthis->Read(Start, Buffer, Size);\r\n\r\n\t\tfor (DWORD64 i = 0; i < Size; i++) {\r\n\t\t\tif (CompareData(Buffer + i, Signature, Mask)) {\r\n\t\t\t\tVirtualFree(Buffer, 0, MEM_RELEASE);\r\n\t\t\t\treturn Start + i;\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tVirtualFree(Buffer, NULL, MEM_RELEASE);\r\n\t\treturn NULL;\r\n\t}\r\n\r\n\tBYTE* AbsoluteAddress(BYTE* Rip, DWORD InstructionLength) {\r\n\t\tDWORD RelativeOffset{ 0 };\r\n\t\tthis->Read(Rip + InstructionLength - 4, &RelativeOffset, sizeof(DWORD));\r\n\t\treturn Rip + InstructionLength + RelativeOffset;\r\n\t}\r\n\r\n\tBYTE* RelativeAddress(BYTE* DestinationAddress, BYTE* SourceAddress, DWORD InstructionLength) {\r\n\t\treturn reinterpret_cast(reinterpret_cast(SourceAddress) \r\n\t\t\t\t\t - InstructionLength \r\n\t\t\t\t\t - reinterpret_cast(DestinationAddress));\r\n\t}\r\n};\r\n"
},
{
"path": "PoseidonClient/sharedmemory.h",
"content": "#pragma once\r\n#include \"global.h\"\r\n\r\nnamespace SharedMemory {\r\n\r\n\tCommunicationData Data{ 0 };\r\n\tINT Queue{ 0 };\r\n\r\n\r\n\tvoid PushQueue() {\r\n\t\tQueue += 1;\r\n\t}\r\n\r\n\tvoid PopQueue() {\r\n\t\tQueue -= 1;\r\n\t}\r\n\r\n\tBOOL WriteSharedMemory(PVOID Address, PVOID Value, SIZE_T Size) {\r\n\t\treturn reinterpret_cast(memcpy(Address, Value, Size));\r\n\t}\r\n\r\n\ttemplate \r\n\tT ReadSharedMemory(PVOID Address, SIZE_T Size = sizeof(T)) {\r\n\t\tT Ret{ 0 };\r\n\t\tmemcpy(static_cast(&Ret), Address, Size);\r\n\t\treturn Ret;\r\n\t}\r\n\r\n\tBOOL SetStatus(Status Status) {\r\n\t\treturn WriteSharedMemory(Data.pStatus, &Status, sizeof(SHORT));\r\n\t}\r\n\r\n\tBOOL SetCode(DWORD Code) {\r\n\t\treturn WriteSharedMemory(Data.pCode, &Code, sizeof(DWORD));\r\n\t}\r\n\r\n\tBOOL SetBuffer(OperationData Buffer) {\r\n\t\treturn WriteSharedMemory(Data.SharedMemory, &Buffer, sizeof(OperationData));\r\n\t}\r\n\r\n\tStatus GetStatus() {\r\n\t\treturn static_cast(ReadSharedMemory(Data.pStatus));\r\n\t}\r\n\r\n\tDWORD GetCode() {\r\n\t\treturn ReadSharedMemory(Data.pCode);\r\n\t}\r\n\r\n\tOperationData GetBuffer() {\r\n\t\treturn ReadSharedMemory(Data.SharedMemory);\r\n\t}\r\n\r\n\tBOOL SendRequest(Code Request, OperationData Data) {\r\n\r\n\t\tdo {\r\n\t\t\tSleep(10);\r\n\t\t} while (GetCode() != Complete \r\n\t\t\t || GetStatus() != Active \r\n\t\t\t || Queue >= 1);\r\n\r\n\t\tPushQueue();\r\n\r\n\t\tif (SetBuffer(Data)) {\r\n\t\t\tif (SetCode(Request)) {\r\n\t\t\t\tif (SetStatus(Waiting)) {\r\n\r\n\t\t\t\t\tdo {\r\n\t\t\t\t\t\tSleep(10);\r\n\t\t\t\t\t} while (GetCode() != Complete || GetStatus() != Active);\r\n\r\n\t\t\t\t\tPopQueue();\r\n\t\t\t\t\treturn true;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tPopQueue();\r\n\t\treturn false;\r\n\t}\r\n\r\n\tvoid Connect(CommunicationData InitData) {\r\n\t\tData = InitData;\r\n\t\tSetStatus(Active);\r\n\t\tSetCode(Complete);\r\n\t}\r\n\r\n\tvoid Disconnect() {\r\n\t\tSetStatus(Exit);\r\n\t}\r\n};"
},
{
"path": "README.md",
"content": "# KM-UM-Communication\n\nStealthy UM <-> KM communication system without creating any system threads, permanent hooks, driver objects, section objects or device objects.\n\nProcess:\n\n- In our driver, we hook a function in ntoskrnl (.data pointer swap)\n- In usermode, we manually allocate memory and index it via custom data structures\n- We then create a thread in usermode and call the hooked function's corresponding usermode-accessible function\n- When the correct magic number is passed to the function, the driver will know it's us, and will then unhook and enter a shared memory loop, trapping our usermode thread in the kernel until we choose to break out of the loop\n\nAs long as this is set up prior to any anti-cheat being active on your system, you can communicate with the driver without being detected by most of the various security measures employed by invasive anti-cheat technologies such as BattlEye and EasyAntiCheat.\n\n2023 Update: There are quite a few detection vectors that can be identified by BE and EAC, some of which are discussed in (now closed) issues. Most are easy to bypass, but others are a bit more tricky. Having said that, I still have never had any action taken against me for using this for relatively licit purposes (i.e. no aimbot, ESP, or any other blatant violative use), nor has anyone I know who's used it. Regardless, steps should be taken to mitigate any potential detection vectors. I will not be providing any updates or revisions, as this is nearly four years old and there are far superior options to accomplish stealthy communication. This is mainly meant to serve as an interesting, novel communication method that demostrates the potential creativity that can be employed to get around invasive security software, mainly anti-cheat software.\n\nLimitations:\n\n- Dodgy synchronization\n- Not many kernel features, just basic remote-process operability\n- Not designed with safety as a priority (i.e. you may well BSOD)\n- Only tested on Windows 10 20H2\n- The client can only be used once. If you terminate it or call Client::Disconnect(), you'll need to remap the driver\n\nThe driver is intended to be manually mapped by exploiting Intel's vulnerable network adapter diagnostic driver, iqvw64e.sys (or any other suitable vulnerable driver).\n\nThis was created for fun, I do not condone the use of this code in any program that violates the integrity of any online game, nor do I condone the use of this in any malicious software. This should only be used for learning purposes or to prevent custom software from being falsely detected as an illicit program.\n\nUsage:\n\n- Map the driver\n- Start the client\n- Start the target process\n- Do stuff\n\nYou have to modify the client to sleep until your target process is running (since it must be set up prior to any anti-cheat being active). Basic example of how main.cpp in the client should typically look:\n\n```\nint main() {\n\tClient::Connect();\n\n\tfor (;;) {\n\t\tSleep(100);\n\n\t\tif (YourTargetProcessIsRunning) {\n\t\t\tbreak;\n\t\t}\n\t}\n\n\t// Do stuff\n \n Client::Disconnect();\n }\n ```\n \nYou can either call the functions in memory.h and process.h manually, or you can just create a KProcess object for easier use. KProcess features are as follows:\n\n```\n\n\t// Make a process object for your target process\n\t\n\tKProcess Notepad(L\"notepad.exe\");\n\t\n\t\n // Read Memory\n\n\tint Value = Notepad.Read((PVOID)0xDEADBEEF);\n\tNotepad.Read((PVOID)0xDEADBEEF, &Value, sizeof(int)); // Overload\n\n\n\t// Write Memory\n\n\tNotepad.Write((PVOID)0xDEADBEEF, 2);\n\tNotepad.Write((PVOID)0xDEADBEEF, &Value, sizeof(int)); // Overload\n\n\n\t// Allocate Virtual Memory\n\n\tNotepad.AllocateVirtualMemory(PVOID Base, SIZE_T Size, DWORD AllocType, DWORD Protect);\n\n\n\t// Free Virtual Memory\n\n\tNotepad.FreeVirtualMemory(PVOID Base, SIZE_T Size, DWORD FreeType);\n\n\n\t// Change Virtual Memory Protection\n\n\tNotepad.ProtectVirtualMemory(PVOID Base, SIZE_T Size, DWORD Protect, DWORD* OldProtect);\n\n\n\t// Query Virtual Memory. MEMORY_BASIC_INFORMATION only.\n\n\tMEMORY_BASIC_INFORMATION MBI{ 0 };\n\n\tbool bResult = Notepad.QueryVirtualMemory(PVOID Address, MEMORY_BASIC_INFORMATION& MemoryBasicInfo, SIZE_T Size);\n\tMBI = Notepad.QueryVirtualMemory(PVOID Address, SIZE_T Size); // Overload\n\n\n\t// Query Process Information\n\n\tNotepad.QueryInformationProcess();\n\n\n\t// Get module info by name\n\n\tNotepad.GetModuleInfo(const char* ModuleName, DWORD& ModuleSize);\n\n\n\t// Pattern finder\n\n\tNotepad.PatternFinder(BYTE* Start, DWORD Size, const char* Signature, const char* Mask);\n\n\n\t// Get absolute address within specified asm instruction\n\n\tNotepad.AbsoluteAddress(BYTE* Rip, DWORD InstructionLength);\n\n\n\t// Get relative address within specified asm instruction\n\n\tNotepad.RelativeAddress(BYTE* DestinationAddress, BYTE* SourceAddress, DWORD InstructionLength);\n\n\n\tNotepad.BaseAddress; // Base Address\n\tNotepad.ImageName;\t // Name\n\tNotepad.ModuleCount; // Number of modules\n\tNotepad.ModuleList; // std::vector containing all modules' base address and size\n\tNotepad.Peb;\t\t // Process Environment Block\n\tNotepad.ProcessId;\t // Process Id\n\tNotepad.Size;\t\t // Main module size\n ```\n"
}
]