Repository: unmaewei/Full-Kernel-Driver
Branch: main
Commit: c7f1d437e254
Files: 17
Total size: 53.6 KB
Directory structure:
gitextract_susrs7x4/
├── full kernel bypass/
│ ├── cleaning/
│ │ ├── cleaning.cpp
│ │ └── cleaning.h
│ ├── defs.h
│ ├── full kernel bypass.vcxproj
│ ├── full kernel bypass.vcxproj.filters
│ ├── full kernel bypass.vcxproj.user
│ ├── io/
│ │ ├── io.cpp
│ │ └── io.h
│ ├── main.cpp
│ ├── memory/
│ │ ├── memory.cpp
│ │ └── memory.h
│ ├── process/
│ │ └── process.h
│ ├── thread/
│ │ ├── thread.cpp
│ │ └── thread.h
│ └── utils/
│ ├── utils.cpp
│ └── utils.h
└── full kernel bypass.sln
================================================
FILE CONTENTS
================================================
================================================
FILE: full kernel bypass/cleaning/cleaning.cpp
================================================
#include <ntifs.h>
#include <ntstrsafe.h>
#include <ntimage.h>
#include "../defs.h"
#include "../io/io.h"
#include "cleaning.h"
using namespace driver;
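/*
 * Resolve the base address of a loaded kernel module (and its size, through
 * the `size` out-parameter) by enumerating SystemModuleInformation and
 * substring-matching `name` against each entry's ImageName with strstr().
 * Because it is a substring match, "ntoskrnl.exe" also matches any path that
 * merely contains that text.
 *
 * Returns 0 and leaves `size` untouched when `name` is null, the module list
 * cannot be queried, the query fails, or no module name contains `name`.
 * Previously the second ZwQuerySystemInformation status was ignored (so a
 * failed query parsed uninitialised pool) and, when nothing matched, the
 * base/size of the *last* enumerated module were returned, which callers then
 * signature-scanned as if it were the requested image.
 *
 * Calls ZwQuerySystemInformation and allocates non-paged pool, so it must run
 * at PASSIVE_LEVEL.
 */
uintptr_t get_kernel_address( const char* name, size_t& size )
{
    if (name == nullptr)
        return 0;

    // Sizing call: the undersized buffer is expected to fail and report the
    // required length in neededSize.
    ULONG neededSize = 0;
    ZwQuerySystemInformation(SystemModuleInformation, &neededSize, 0, &neededSize);
    if (neededSize == 0)
        return 0;

    // NOTE(review): ExAllocatePool is deprecated in favour of tagged
    // allocations (ExAllocatePoolWithTag / ExAllocatePool2); left as-is to keep
    // the project's kernel API surface unchanged.
    auto pModuleList = static_cast<PSYSTEM_MODULE_INFORMATIONN>(ExAllocatePool(NonPagedPool, neededSize));
    if (pModuleList == nullptr)
        return 0;

    const NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, pModuleList, neededSize, nullptr);
    if (status < 0) // i.e. !NT_SUCCESS(status); the list may have grown since the sizing call
    {
        ExFreePool(pModuleList);
        return 0;
    }

    uintptr_t address = 0;
    for (ULONG_PTR i = 0; i < pModuleList->ModuleCount; ++i)
    {
        // Bind by reference: SYSTEM_MODULEE carries a 256-byte name and was
        // previously copied on every iteration.
        const SYSTEM_MODULEE& mod = pModuleList->Modules[i];
        if (strstr(mod.ImageName, name) != nullptr)
        {
            address = reinterpret_cast<uintptr_t>(mod.Base);
            size = static_cast<size_t>(mod.Size);
            break;
        }
    }

    ExFreePool(pModuleList);
    return address;
}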
/*
 * Decode the target of a RIP-relative operand. `Instruction` points at the
 * first byte of an x64 instruction, `OffsetOffset` is the byte offset of its
 * rel32 field within the instruction and `InstructionSize` is the total
 * instruction length; the target is end-of-instruction + sign-extended rel32.
 * No validation is done on the pointer or the offsets.
 */
PVOID resolve_relative_address( PVOID Instruction, ULONG OffsetOffset, ULONG InstructionSize )
{
    const auto base = reinterpret_cast<ULONG_PTR>(Instruction);
    const LONG rel32 = *reinterpret_cast<PLONG>(base + OffsetOffset);
    // rel32 is relative to the byte following the instruction.
    return reinterpret_cast<PVOID>(base + InstructionSize + rel32);
}
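/*
 * Look up a named export by walking the export directory of the image mapped
 * at `mod` (case-insensitive name comparison via _stricmp).
 *
 * Returns the absolute address of the export, or 0 when `mod`/`name` is null,
 * the DOS or NT signature does not match, the image has no export directory,
 * the name is not exported, or the table is inconsistent. Previously an image
 * without an export directory was parsed as if one existed at `mod + 0`.
 *
 * Forwarded exports (whose RVA falls inside the export directory block) are
 * reported as not found rather than returning the address of the forwarder
 * string.
 */
ULONGLONG get_exported_function( const ULONGLONG mod, const char* name )
{
    if (mod == 0 || name == nullptr)
        return 0;

    const auto dos_header = reinterpret_cast<PIMAGE_DOS_HEADER>(mod);
    if (dos_header->e_magic != 0x5A4D)          // IMAGE_DOS_SIGNATURE ("MZ")
        return 0;

    const auto nt_headers = reinterpret_cast<PIMAGE_NT_HEADERS>(mod + dos_header->e_lfanew);
    if (nt_headers->Signature != 0x00004550)    // IMAGE_NT_SIGNATURE ("PE\0\0")
        return 0;

    // DataDirectory[0] is IMAGE_DIRECTORY_ENTRY_EXPORT.
    const auto& export_dir_entry = nt_headers->OptionalHeader.DataDirectory[0];
    if (export_dir_entry.VirtualAddress == 0 || export_dir_entry.Size == 0)
        return 0;

    const auto export_directory   = reinterpret_cast<PIMAGE_EXPORT_DIRECTORY>(mod + export_dir_entry.VirtualAddress);
    const auto address_of_names   = reinterpret_cast<ULONG*>(mod + export_directory->AddressOfNames);
    const auto name_ordinals      = reinterpret_cast<unsigned short*>(mod + export_directory->AddressOfNameOrdinals);
    const auto address_of_funcs   = reinterpret_cast<ULONG*>(mod + export_directory->AddressOfFunctions);

    for (ULONG i = 0; i < export_directory->NumberOfNames; ++i)
    {
        const auto function_name = reinterpret_cast<const char*>(mod + address_of_names[i]);
        if (_stricmp(function_name, name) != 0)
            continue;

        const unsigned short ordinal = name_ordinals[i];
        if (ordinal >= export_directory->NumberOfFunctions)
            return 0;                           // ordinal outside the function table

        const ULONG function_rva = address_of_funcs[ordinal];

        // A forwarder's RVA points into the export directory itself.
        if (function_rva >= export_dir_entry.VirtualAddress &&
            function_rva <  export_dir_entry.VirtualAddress + export_dir_entry.Size)
            return 0;

        return mod + function_rva;
    }
    return 0;
}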
/*
 * Return RtlRandom(seed) % 100 as an unsigned char (0..99).
 *
 * RtlRandom is reached through MmGetSystemRoutineAddress, which is itself
 * resolved by walking ntoskrnl's export table instead of via the import
 * table. The seed is a fixed literal re-initialised on every call, so each
 * call yields the same value; this rewrite preserves that behaviour.
 *
 * Neither resolved routine is null-checked before being called.
 */
unsigned char random_number( )
{
    size_t ntos_size;
    const auto ntos_base = get_kernel_address("ntoskrnl.exe", ntos_size);

    using get_routine_t = decltype(&MmGetSystemRoutineAddress);
    using rtl_random_t  = decltype(&RtlRandom);

    const auto get_routine = reinterpret_cast<get_routine_t>(
        get_exported_function(ntos_base, "MmGetSystemRoutineAddress"));

    UNICODE_STRING routineName = RTL_CONSTANT_STRING(L"RtlRandom");
    const auto rtl_random = reinterpret_cast<rtl_random_t>(get_routine(&routineName));

    ULONG seed = 1234765;
    return static_cast<unsigned char>(rtl_random(&seed) % 100);
}
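/*
 * Resolve the address of the exported kernel variable PsLoadedModuleResource
 * through MmGetSystemRoutineAddress, which is itself located by walking
 * ntoskrnl's export table.
 *
 * Returns nullptr if the kernel base or MmGetSystemRoutineAddress cannot be
 * resolved; the previous version called through whatever pointer it got,
 * including null. Callers must check the result before passing it to
 * ExAcquireResource*.
 */
PERESOURCE get_ps_loaded( )
{
    size_t ntos_size;
    const auto ntos_base = get_kernel_address("ntoskrnl.exe", ntos_size);
    if (ntos_base == 0)
        return nullptr;

    const auto get_routine = reinterpret_cast<decltype(&MmGetSystemRoutineAddress)>(
        get_exported_function(ntos_base, "MmGetSystemRoutineAddress"));
    if (get_routine == nullptr)
        return nullptr;

    // MmGetSystemRoutineAddress resolves exported data symbols as well as code.
    UNICODE_STRING routineName = RTL_CONSTANT_STRING(L"PsLoadedModuleResource");
    return static_cast<PERESOURCE>(get_routine(&routineName));
}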
/*
 * Locate ntoskrnl's PiDDBCacheTable by signature-scanning for the
 * `lea rcx,[rip+disp32]` that references it and decoding the displacement
 * (byte 3 of the 7-byte instruction; dereference() adds 3 + 4).
 *
 * Two signatures are selected by build number: one for 18362 (19H1) and
 * later, one for 17134 (RS4) and later. Older builds, and builds where the
 * signature no longer matches, yield nullptr. Signature scans are tied to
 * specific kernel builds and fail silently when the code changes.
 */
PRTL_AVL_TABLE get_piddb_table( )
{
    size_t ntos_size;
    const uintptr_t ntos_base = get_kernel_address("ntoskrnl.exe", ntos_size);

    RTL_OSVERSIONINFOW osVersion = { 0 };
    osVersion.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
    RtlGetVersion(&osVersion);

    const char* pattern = nullptr;
    const char* mask = nullptr;
    if (osVersion.dwBuildNumber >= 18362)
    {
        pattern = "\x48\x8d\x0d\x00\x00\x00\x00\xe8\x00\x00\x00\x00\x3d\x00\x00\x00\x00\x0f\x83";
        mask    = "xxx????x????x????xx";
    }
    else if (osVersion.dwBuildNumber >= 17134)
    {
        pattern = "\x48\x8D\x0D\x00\x00\x00\x00\x4C\x89\x35\x00\x00\x00\x00\x49";
        mask    = "xxx????xxx????x";
    }
    if (pattern == nullptr)
        return nullptr;

    const uintptr_t hit = find_pattern<uintptr_t>(reinterpret_cast<void*>(ntos_base), ntos_size, pattern, mask);
    // dereference() returns 0 for a 0 hit, so a failed scan maps to nullptr.
    return reinterpret_cast<PRTL_AVL_TABLE>(dereference(hit, 3));
}
/*
 * Locate ntoskrnl's PiDDBLock (the ERESOURCE guarding PiDDBCacheTable) by
 * signature-scanning for the `lea rcx,[rip+disp32]` that loads it and
 * decoding the displacement at byte 3. Returns nullptr when the signature
 * does not match the running kernel build.
 */
PERESOURCE get_piddb_lock( )
{
    size_t ntos_size;
    const uintptr_t ntos_base = get_kernel_address("ntoskrnl.exe", ntos_size);

    constexpr const char* pattern = "\x48\x8d\x0d\x00\x00\x00\x00\xe8\x00\x00\x00\x00\x48\x8b\x0d\x00\x00\x00\x00\x33\xdb";
    constexpr const char* mask    = "xxx????x????xxx????xx";

    const uintptr_t hit = find_pattern<uintptr_t>(reinterpret_cast<void*>(ntos_base), ntos_size, pattern, mask);
    return reinterpret_cast<PERESOURCE>(dereference(hit, 3));
}
/* True when both PiDDB locators (lock first, then table) resolve to non-null. */
bool cleaning::verify_piddb()
{
    if (get_piddb_lock() == nullptr)
        return false;
    return get_piddb_table() != nullptr;
}
/*
 * Remove the PiDDBCacheTable element keyed by (cleaning::driver_name,
 * cleaning::driver_timestamp): the element is unlinked from the cache list
 * and deleted from the AVL table while PiDDBLock is held exclusively.
 *
 * Returns true if an element was removed, false if the lookup found nothing.
 *
 * The lock and table pointers are not null-checked here; verify_piddb() is
 * expected to have succeeded first. driver_timestamp is an int assigned to
 * the ULONG TimeDateStamp key field. NOTE(review): the resource is acquired
 * without a KeEnterCriticalRegion/KeLeaveCriticalRegion pair, which the
 * ExAcquireResourceExclusiveLite contract asks for -- confirm.
 */
bool cleaning::clean_piddb()
{
    PERESOURCE lock = get_piddb_lock();
    PRTL_AVL_TABLE table = get_piddb_table();

    // Only the key fields are populated in the lookup element.
    PIDDBCACHE_ENTRY key = { };
    key.DriverName = cleaning::driver_name;
    key.TimeDateStamp = cleaning::driver_timestamp;

    ExAcquireResourceExclusiveLite(lock, TRUE);
    auto found = static_cast<PPIDDBCACHE_ENTRY>(RtlLookupElementGenericTableAvl(table, &key));
    bool removed = false;
    if (found != nullptr)
    {
        RemoveEntryList(&found->List);
        RtlDeleteElementGenericTableAvl(table, found);
        removed = true;
    }
    ExReleaseResourceLite(lock);
    return removed;
}
/*
 * An MmUnloadedDrivers slot counts as empty when its Name has no buffer or a
 * zero Length/MaximumLength. `entry` is not null-checked.
 */
bool is_unload_empty(PMM_UNLOADED_DRIVER entry)
{
    const UNICODE_STRING& name = entry->Name;
    return name.MaximumLength == 0
        || name.Length == 0
        || name.Buffer == nullptr;
}
/*
 * Locate the kernel's MmUnloadedDrivers array: scan ntoskrnl for
 * `mov r10,[rip+disp32]` (4C 8B 15 ..) followed by `mov r9,rcx` (4C 8B C9),
 * decode the 7-byte first instruction's disp32 at offset 3 to get the address
 * of the MmUnloadedDrivers pointer, then load through it.
 *
 * Returns nullptr when the signature does not match. Every call re-runs the
 * module enumeration and a full ntoskrnl scan; callers that need the value
 * repeatedly should cache it.
 */
PMM_UNLOADED_DRIVER get_mmu_address()
{
    size_t ntos_size;
    const uintptr_t ntos_base = get_kernel_address("ntoskrnl.exe", ntos_size);

    static unsigned char pattern[] = "\x4C\x8B\x15\x00\x00\x00\x00\x4C\x8B\xC9";
    const auto instr = reinterpret_cast<PVOID>(
        find_pattern2(static_cast<UINT64>(ntos_base), ntos_size, pattern, "xxx????xxx"));
    if (instr == nullptr)
        return nullptr;

    // The operand is the address of a pointer variable, hence the extra load.
    return *static_cast<PMM_UNLOADED_DRIVER*>(resolve_relative_address(instr, 3, 7));
}
/*
 * Locate the kernel's "last unloaded driver" index: scan ntoskrnl for
 * `mov eax,[rip+disp32]` (8B 05 ..) followed by `cmp eax,32h` (83 F8 32;
 * 0x32 == 50 == MM_UNLOADED_DRIVERS_SIZE) and decode the 6-byte first
 * instruction's disp32 at offset 2.
 *
 * Returns a pointer to the ULONG counter, or nullptr when the signature does
 * not match. Like get_mmu_address(), each call re-scans ntoskrnl.
 */
PULONG get_mml_address()
{
    size_t ntos_size;
    const uintptr_t ntos_base = get_kernel_address("ntoskrnl.exe", ntos_size);

    static unsigned char pattern[] = "\x8B\x05\x00\x00\x00\x00\x83\xF8\x32";
    const auto instr = reinterpret_cast<PVOID>(
        find_pattern2(static_cast<UINT64>(ntos_base), ntos_size, pattern, "xx????xxx"));
    if (instr == nullptr)
        return nullptr;

    return static_cast<PULONG>(resolve_relative_address(instr, 2, 6));
}
/* True when both MmUnloadedDrivers locators (array, then index) resolve. */
bool cleaning::verify_mmu()
{
    const bool have_array = get_mmu_address() != nullptr;
    return have_array && get_mml_address() != nullptr;
}
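/*
 * True when every one of the MM_UNLOADED_DRIVERS_SIZE slots of the
 * MmUnloadedDrivers array holds a non-empty entry (see is_unload_empty).
 *
 * The array base is resolved once up front: the previous version called
 * get_mmu_address() -- a module enumeration plus a full ntoskrnl signature
 * scan -- on every one of the 50 iterations. A failed lookup (nullptr) now
 * returns false instead of indexing through a null pointer.
 */
bool is_mmu_filled()
{
    PMM_UNLOADED_DRIVER entries = get_mmu_address();
    if (entries == nullptr)
        return false;

    for (ULONG idx = 0; idx < MM_UNLOADED_DRIVERS_SIZE; ++idx)
    {
        if (is_unload_empty(&entries[idx]))
            return false;
    }
    return true;
}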
/*
 * Remove every MmUnloadedDrivers slot whose Name equals cleaning::driver_name
 * (case-insensitive), shift the following entries down one slot, keep the
 * UnloadTime sequence non-increasing towards lower indices, then recurse
 * until a pass finds no further match.
 *
 * Returns true if at least one slot was removed by this invocation (the
 * recursive call's result is not propagated).
 *
 * Locking: PsLoadedModuleResource is held exclusively for the whole pass.
 * get_ps_loaded() is not null-checked before ExAcquireResourceExclusiveLite.
 * The recursive call re-acquires the resource while this thread already owns
 * it; NOTE(review): this relies on ERESOURCE permitting recursive exclusive
 * acquisition by the owner, and no KeEnterCriticalRegion surrounds the
 * acquire -- confirm both. ZwQuerySystemInformation is also invoked (inside
 * get_mmu_address/get_mml_address) while the resource is held.
 *
 * Cost: get_mmu_address() and get_mml_address() are re-evaluated on every
 * loop iteration (and again inside is_mmu_filled()); each call enumerates the
 * module list and signature-scans all of ntoskrnl, so a single pass performs
 * well over a hundred full kernel scans. Hoisting both into locals before
 * the loops would not change the result.
 */
bool cleaning::clean_mmu()
{
    auto ps_loaded = get_ps_loaded();
    ExAcquireResourceExclusiveLite(ps_loaded, TRUE);
    BOOLEAN Modified = false;
    // Snapshot taken before any slot is cleared; it decides how the kernel's
    // next-slot index is rewritten when a match is found.
    BOOLEAN Filled = is_mmu_filled();
    UNICODE_STRING DriverName = cleaning::driver_name;
    for (ULONG Index = 0; Index < MM_UNLOADED_DRIVERS_SIZE; ++Index)
    {
        PMM_UNLOADED_DRIVER Entry = &get_mmu_address()[Index];
        // Name.Buffer is NULL for empty slots (see is_unload_empty); what %ws
        // prints for a NULL pointer depends on the dbgprint implementation.
        if(cleaning::debug)
            io::dbgprint("mmu driver # %i name %ws", Index, Entry->Name.Buffer);
        if (Modified)
        {
            // A slot earlier in this pass was cleared: copy this entry one slot
            // down over it, and zero the final slot so the array does not end
            // with a duplicate.
            PMM_UNLOADED_DRIVER PrevEntry = &get_mmu_address()[Index - 1];
            RtlCopyMemory(PrevEntry, Entry, sizeof(MM_UNLOADED_DRIVER));
            if (Index == MM_UNLOADED_DRIVERS_SIZE - 1)
            {
                RtlFillMemory(Entry, sizeof(MM_UNLOADED_DRIVER), 0);
            }
        }
        else if (RtlEqualUnicodeString(&DriverName, &Entry->Name, TRUE))
        {
            // First match of this pass: zero the slot, free its name buffer
            // with tag 'TDmM' (little-endian in memory this reads "MmDT";
            // presumably the tag the kernel allocated it with -- confirm), and
            // move the kernel's next-slot index back by one. When the array
            // was full the index is rebased from MM_UNLOADED_DRIVERS_SIZE.
            PVOID BufferPool = Entry->Name.Buffer;
            RtlFillMemory(Entry, sizeof(MM_UNLOADED_DRIVER), 0);
            ExFreePoolWithTag(BufferPool, 'TDmM');
            *get_mml_address() = (Filled ? MM_UNLOADED_DRIVERS_SIZE : *get_mml_address()) - 1;
            Modified = TRUE;
        }
    }
    if (Modified)
    {
        // Walk from the second-to-last slot down to the first; any non-empty
        // entry whose UnloadTime is later than the nearest higher-indexed
        // non-empty entry is pulled back below it. The offset comes from
        // random_number(), which returns the same value on every call.
        ULONG64 PreviousTime = 0;
        for (LONG Index = MM_UNLOADED_DRIVERS_SIZE - 2; Index >= 0; --Index)
        {
            PMM_UNLOADED_DRIVER Entry = &get_mmu_address()[Index];
            if (is_unload_empty(Entry))
            {
                continue;
            }
            if (PreviousTime != 0 && Entry->UnloadTime > PreviousTime)
            {
                Entry->UnloadTime = PreviousTime - random_number();
            }
            PreviousTime = Entry->UnloadTime;
        }
        // Handle further slots carrying the same name; the recursion stops
        // when a pass removes nothing (Modified stays false in that call).
        clean_mmu();
    }
    ExReleaseResourceLite(ps_loaded);
    return Modified;
}
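/*
 * Run both trace-removal steps -- MmUnloadedDrivers first, then
 * PiDDBCacheTable -- each only when its verify_* locator succeeds, and log the
 * outcome of every step through io::dbgprint.
 *
 * Returns the result of the last step that actually ran (the PiDDB result
 * when both ran, as before) and false when neither locator succeeded.
 * Previously `status` was left uninitialised in that last case and an
 * indeterminate value was returned.
 */
bool cleaning::clean_traces()
{
    bool status = false;

    if (cleaning::verify_mmu())
    {
        status = cleaning::clean_mmu();
        if (!status)
            io::dbgprint("failed to clean mmu");
        else
            io::dbgprint("cleaned mmu");
    }
    else
    {
        io::dbgprint("failed to verify mmu");
    }

    if (cleaning::verify_piddb())
    {
        status = cleaning::clean_piddb();
        if (!status)
            io::dbgprint("failed to clean piddb");
        else
            io::dbgprint("cleaned piddb");
    }
    else
    {
        io::dbgprint("failed to verify piddb");
    }

    return status;
}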
================================================
FILE: full kernel bypass/cleaning/cleaning.h
================================================
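#pragma once
// Number of slots in the kernel's MmUnloadedDrivers array (used by cleaning.cpp).
#define MM_UNLOADED_DRIVERS_SIZE 50

/*
 * Trace-removal entry points. This header relies on the includer having
 * pulled in <ntifs.h> first (UNICODE_STRING).
 *
 * driver_name / driver_timestamp / debug below are *definitions*, not
 * declarations: including this header from more than one translation unit
 * yields multiply-defined symbols at link time. They are left as-is here;
 * the fix is `extern` declarations plus one definition in cleaning.cpp (or
 * C++17 `inline` once the project's language level is confirmed). The header
 * previously had no include guard, so a second include in the same TU was a
 * hard redefinition error -- `#pragma once` above addresses that.
 */
namespace driver
{
    namespace cleaning
    {
        bool clean_traces( );   // runs clean_mmu then clean_piddb, logging each step
        bool verify_piddb( );   // true when both PiDDB locators resolve
        bool clean_piddb( );    // removes the (driver_name, driver_timestamp) cache entry
        bool verify_mmu( );     // true when both MmUnloadedDrivers locators resolve
        bool clean_mmu( );      // removes driver_name's slots from MmUnloadedDrivers

        UNICODE_STRING driver_name;  // name to scrub; expected to be set by the caller first
        int driver_timestamp;        // compared against PIDDBCACHE_ENTRY::TimeDateStamp (a ULONG)
        bool debug;                  // enables the per-slot dbgprint in clean_mmu
    }
}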
================================================
FILE: full kernel bypass/defs.h
================================================
#include <ntifs.h>
// Exported by ntoskrnl but not declared in the WDK headers; declared here so
// the project can link against it. Presumably returns the section base of the
// process's image -- not documented in this file, verify against callers.
extern "C"
{
NTKERNELAPI PVOID
PsGetProcessSectionBaseAddress(
    PEPROCESS Process
);
}
// NOTE(review): `#pragma once` only guards what follows it; it should be the
// first line of the header, but here it comes after the <ntifs.h> include and
// the declaration above.
#pragma once
#define _USE_MATH_DEFINES
#include <math.h>
// ---------------------------------------------------------------------------
// Compiler-portability typedefs (Hex-Rays defs.h style). Only the _MSC_VER
// branch is exercised by this project's MSVC build; the GCC and Borland
// branches are carried over from the template. Note that the GCC branch
// redefines the MSVC-specific __intN keywords as macros.
// ---------------------------------------------------------------------------
#if defined(__GNUC__)
typedef long long ll;
typedef unsigned long long ull;
#define __int64 long long
#define __int32 int
#define __int16 short
#define __int8 char
#define MAKELL(num) num ## LL
#define FMT_64 "ll"
#elif defined(_MSC_VER)
typedef __int64 ll;
typedef unsigned __int64 ull;
#define MAKELL(num) num ## i64
#define FMT_64 "I64"
#elif defined (__BORLANDC__)
typedef __int64 ll;
typedef unsigned __int64 ull;
#define MAKELL(num) num ## i64
#define FMT_64 "L"
#else
#error "unknown compiler"
#endif
// Fixed-width aliases. `ulong` is left commented out, presumably because it
// collides with an existing WDK typedef -- confirm before re-enabling.
typedef unsigned int uint;
typedef unsigned char uchar;
typedef unsigned short ushort;
//typedef unsigned long ulong;
typedef char int8;
typedef signed char sint8;
typedef unsigned char uint8;
typedef short int16;
typedef signed short sint16;
typedef unsigned short uint16;
typedef int int32;
typedef signed int sint32;
typedef unsigned int uint32;
typedef ll int64;
typedef ll sint64;
typedef ull uint64;
// Partially defined types:
#define _BYTE uint8
#define _WORD uint16
#define _DWORD uint32
#define _QWORD uint64
#if !defined(_MSC_VER)
#define _LONGLONG __int128
#endif
// Some convenience macros to make partial accesses nicer
// These reinterpret the object's storage in place (they take &x), so `x`
// must be an lvalue, and "HI"/"LO" naming assumes a little-endian layout.
// first unsigned macros:
//Already defined
//#define LOBYTE(x) (*((_BYTE*)&(x))) // low byte
//#define LOWORD(x) (*((_WORD*)&(x))) // low word
//#define LODWORD(x) (*((_DWORD*)&(x))) // low dword
//#define HIBYTE(x) (*((_BYTE*)&(x)+1))
//#define HIWORD(x) (*((_WORD*)&(x)+1))
#define HIDWORD(x) (*((_DWORD*)&(x)+1))
#define BYTEn(x, n) (*((_BYTE*)&(x)+n))
#define WORDn(x, n) (*((_WORD*)&(x)+n))
#define BYTE1(x) BYTEn(x, 1) // byte 1 (counting from 0)
#define BYTE2(x) BYTEn(x, 2)
#define BYTE3(x) BYTEn(x, 3)
#define BYTE4(x) BYTEn(x, 4)
#define BYTE5(x) BYTEn(x, 5)
#define BYTE6(x) BYTEn(x, 6)
#define BYTE7(x) BYTEn(x, 7)
#define BYTE8(x) BYTEn(x, 8)
#define BYTE9(x) BYTEn(x, 9)
#define BYTE10(x) BYTEn(x, 10)
#define BYTE11(x) BYTEn(x, 11)
#define BYTE12(x) BYTEn(x, 12)
#define BYTE13(x) BYTEn(x, 13)
#define BYTE14(x) BYTEn(x, 14)
#define BYTE15(x) BYTEn(x, 15)
#define WORD1(x) WORDn(x, 1)
#define WORD2(x) WORDn(x, 2) // third word of the object, unsigned
#define WORD3(x) WORDn(x, 3)
#define WORD4(x) WORDn(x, 4)
#define WORD5(x) WORDn(x, 5)
#define WORD6(x) WORDn(x, 6)
#define WORD7(x) WORDn(x, 7)
// now signed macros (the same but with sign extension)
#define SLOBYTE(x) (*((int8*)&(x)))
#define SLOWORD(x) (*((int16*)&(x)))
#define SLODWORD(x) (*((int32*)&(x)))
#define SHIBYTE(x) (*((int8*)&(x)+1))
#define SHIWORD(x) (*((int16*)&(x)+1))
#define SHIDWORD(x) (*((int32*)&(x)+1))
#define SBYTEn(x, n) (*((int8*)&(x)+n))
#define SWORDn(x, n) (*((int16*)&(x)+n))
#define SBYTE1(x) SBYTEn(x, 1)
#define SBYTE2(x) SBYTEn(x, 2)
#define SBYTE3(x) SBYTEn(x, 3)
#define SBYTE4(x) SBYTEn(x, 4)
#define SBYTE5(x) SBYTEn(x, 5)
#define SBYTE6(x) SBYTEn(x, 6)
#define SBYTE7(x) SBYTEn(x, 7)
#define SBYTE8(x) SBYTEn(x, 8)
#define SBYTE9(x) SBYTEn(x, 9)
#define SBYTE10(x) SBYTEn(x, 10)
#define SBYTE11(x) SBYTEn(x, 11)
#define SBYTE12(x) SBYTEn(x, 12)
#define SBYTE13(x) SBYTEn(x, 13)
#define SBYTE14(x) SBYTEn(x, 14)
#define SBYTE15(x) SBYTEn(x, 15)
#define SWORD1(x) SWORDn(x, 1)
#define SWORD2(x) SWORDn(x, 2)
#define SWORD3(x) SWORDn(x, 3)
#define SWORD4(x) SWORDn(x, 4)
#define SWORD5(x) SWORDn(x, 5)
#define SWORD6(x) SWORDn(x, 6)
#define SWORD7(x) SWORDn(x, 7)
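/*
 * Rotate `value` left by `count` bits (a negative count rotates right).
 * The count is reduced modulo the bit width of T, so counts of any size are
 * accepted. For signed T the bits that sign-extension drags in on the
 * right-shift are masked off so the result is a pure bit rotation.
 *
 * Fix: a reduced count of 0 (count == 0 or a multiple of the width) now
 * returns `value` unchanged. Previously it shifted by the full width of T,
 * which is undefined behaviour for 32- and 64-bit types.
 */
template<class T> T __ROL__(T value, int count)
{
    const unsigned nbits = sizeof(T) * 8;
    if (count > 0)
    {
        count %= nbits;
        if (count == 0)
            return value;
        T high = value >> (nbits - count);
        if (T(-1) < 0) // signed value: strip sign-extended bits
            high &= ~((T(-1) << count));
        value <<= count;
        value |= high;
    }
    else
    {
        count = -count % nbits;
        if (count == 0)
            return value;
        T low = value << (nbits - count);
        value >>= count;
        value |= low;
    }
    return value;
}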
// Fixed-width rotate helpers over __ROL__. The __ROR*__ forms rotate right by
// negating the count; the redundant same-type casts of the originals are gone.
inline auto __ROL1__(uint8 value, int count)  -> uint8  { return __ROL__(value, count); }
inline auto __ROL2__(uint16 value, int count) -> uint16 { return __ROL__(value, count); }
inline auto __ROL4__(uint32 value, int count) -> uint32 { return __ROL__(value, count); }
inline auto __ROL8__(uint64 value, int count) -> uint64 { return __ROL__(value, count); }
inline auto __ROR1__(uint8 value, int count)  -> uint8  { return __ROL__(value, -count); }
inline auto __ROR2__(uint16 value, int count) -> uint16 { return __ROL__(value, -count); }
inline auto __ROR4__(uint32 value, int count) -> uint32 { return __ROL__(value, -count); }
inline auto __ROR8__(uint64 value, int count) -> uint64 { return __ROL__(value, -count); }
//Dumb glow decryption stuff
//https://www.codeproject.com/Articles/1274943/IEEE-754-Conversion
// None of these are referenced by the files shown; they appear to be left over
// from a user-mode project. NTH_BIT extracts bit n of b.
#define NTH_BIT(b, n) ((b >> n) & 0x1)
// NOTE(review): BYTE_TO_BIN / MANTISSA_TO_BIN OR the individually masked bits
// straight back together, so they evaluate to b & 0xFF / b & 0x7FFFFF -- not a
// binary-string conversion. Their outermost expression is also unparenthesised,
// so `BYTE_TO_BIN(b) | y`-style uses will bind unexpectedly.
#define BYTE_TO_BIN(b) (( b & 0x80 ) ) |\
(( b & 0x40 ) ) |\
(( b & 0x20 ) ) |\
(( b & 0x10 ) ) |\
(( b & 0x08 ) ) |\
(( b & 0x04 ) ) |\
(( b & 0x02 ) ) |\
( b & 0x01 )
#define MANTISSA_TO_BIN(b) (( b & 0x400000 ) ) |\
(( b & 0x200000 ) ) |\
(( b & 0x100000 ) ) |\
(( b & 0x80000 ) ) |\
(( b & 0x40000 ) ) |\
(( b & 0x20000 ) ) |\
(( b & 0x10000 ) ) |\
(( b & 0x8000 ) ) |\
(( b & 0x4000 ) ) |\
(( b & 0x2000 ) ) |\
(( b & 0x1000 ) ) |\
(( b & 0x800 ) ) |\
(( b & 0x400 ) ) |\
(( b & 0x200 ) ) |\
(( b & 0x100 ) ) |\
(( b & 0x80 ) ) |\
(( b & 0x40 ) ) |\
(( b & 0x20 ) ) |\
(( b & 0x10 ) ) |\
(( b & 0x08 ) ) |\
(( b & 0x04 ) ) |\
(( b & 0x02 ) ) |\
( b & 0x01 )
// Type-punning view of a single-precision float into its sign/exponent/
// mantissa fields. Relies on the compiler packing bit-fields LSB-first within
// a little-endian 32-bit unit (true for MSVC on x64); reading `raw` after
// writing `f` is implementation-defined in C++.
typedef union IEEE754
{
    struct
    {
        unsigned int mantissa : 23;
        unsigned int exponent : 8;
        unsigned int sign : 1;
    } raw;
    float f;
} IEEE754;
// One slot of the kernel's MmUnloadedDrivers array as assumed by clean_mmu().
// This is an undocumented kernel layout reproduced by hand; it is not checked
// against the running build, so a layout change would silently corrupt the
// array. 40 bytes on x64.
typedef struct _MM_UNLOADED_DRIVER
{
    UNICODE_STRING Name;    // NULL Buffer / zero Length marks an empty slot (is_unload_empty)
    PVOID ModuleStart;
    PVOID ModuleEnd;
    ULONG64 UnloadTime;     // rewritten by clean_mmu to keep the sequence ordered
} MM_UNLOADED_DRIVER, * PMM_UNLOADED_DRIVER;
// PiDDBCacheTable element as handed back by RtlLookupElementGenericTableAvl
// (undocumented, hand-reproduced). DriverName + TimeDateStamp form the lookup
// key used by clean_piddb(). The trailing 16 bytes start at offset 0x28
// (16 + 16 + 4 + 4) and are of unknown meaning here.
typedef struct _PIDDBCACHE_ENTRY
{
    LIST_ENTRY List;
    UNICODE_STRING DriverName;
    ULONG TimeDateStamp;    // PE header TimeDateStamp of the driver image
    NTSTATUS LoadStatus;
    char _0x0028[16];
} PIDDBCACHE_ENTRY, * PPIDDBCACHE_ENTRY;
// Local copies of the SystemModuleInformation record (RTL_PROCESS_MODULE_
// INFORMATION / RTL_PROCESS_MODULES), suffixed to avoid clashing with the
// WDK names. get_kernel_address() strstr()s `name` against ImageName, so the
// field is presumably the full image path -- confirm against a dump.
typedef struct _SYSTEM_MODULEE
{
    ULONG_PTR Reserved[2];
    PVOID Base;             // image base, returned by get_kernel_address
    ULONG Size;             // image size, returned through its out-parameter
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR ImageName[256];
} SYSTEM_MODULEE, * PSYSTEM_MODULEE;
// Variable-length header: ModuleCount entries follow, not just one.
typedef struct _SYSTEM_MODULE_INFORMATIONN
{
    ULONG_PTR ModuleCount;
    SYSTEM_MODULEE Modules[1];
} SYSTEM_MODULE_INFORMATIONN, * PSYSTEM_MODULE_INFORMATIONN;
// Information classes for ZwQuerySystemInformation, apparently copied from a
// phnt/Process Hacker-style listing. The values are positional, so the order
// must not be disturbed. Only SystemModuleInformation (11) is used by this
// project (get_kernel_address in cleaning.cpp); the per-line "q:"/"s:" notes
// describe the query/set payload type of each class and are inherited from
// that listing, not verified here.
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION
    SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION
    SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION
    SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION
    SystemPathInformation, // not implemented
    SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
    SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION
    SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION
    SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION
    SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION
    SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10
    SystemModuleInformation, // q: RTL_PROCESS_MODULES
    SystemLocksInformation, // q: SYSTEM_LOCK_INFORMATION
    SystemStackTraceInformation,
    SystemPagedPoolInformation, // not implemented
    SystemNonPagedPoolInformation, // not implemented
    SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION
    SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION
    SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION
    SystemVdmInstemulInformation, // q
    SystemVdmBopInformation, // not implemented // 20
    SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)
    SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION
    SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION
    SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)
    SystemFullMemoryInformation, // not implemented
    SystemLoadGdiDriverInformation, // s (kernel-mode only)
    SystemUnloadGdiDriverInformation, // s (kernel-mode only)
    SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)
    SystemSummaryMemoryInformation, // not implemented
    SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30
    SystemPerformanceTraceInformation, // s
    SystemObsolete0, // not implemented
    SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION
    SystemCrashDumpStateInformation, // s (requires SeDebugPrivilege)
    SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION
    SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION
    SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)
    SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only
    SystemPrioritySeperation, // s (requires SeTcbPrivilege)
    SystemVerifierAddDriverInformation, // s (requires SeDebugPrivilege) // 40
    SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)
    SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION
    SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION
    SystemCurrentTimeZoneInformation, // q
    SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION
    SystemTimeSlipNotification, // s (requires SeSystemtimePrivilege)
    SystemSessionCreate, // not implemented
    SystemSessionDetach, // not implemented
    SystemSessionInformation, // not implemented
    SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50
    SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
    SystemVerifierThunkExtend, // s (kernel-mode only)
    SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION
    SystemLoadGdiDriverInSystemSpace, // s (kernel-mode only) (same as SystemLoadGdiDriverInformation)
    SystemNumaProcessorMap, // q
    SystemPrefetcherInformation, // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation
    SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
    SystemRecommendedSharedDataAlignment, // q
    SystemComPlusPackage, // q; s
    SystemNumaAvailableMemory, // 60
    SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION
    SystemEmulationBasicInformation, // q
    SystemEmulationProcessorInformation,
    SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX
    SystemLostDelayedWriteInformation, // q: ULONG
    SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION
    SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION
    SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
    SystemHotpatchInformation, // q; s
    SystemObjectSecurityMode, // q // 70
    SystemWatchdogTimerHandler, // s (kernel-mode only)
    SystemWatchdogTimerInformation, // q (kernel-mode only); s (kernel-mode only)
    SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION
    SystemWow64SharedInformationObsolete, // not implemented
    SystemRegisterFirmwareTableInformationHandler, // s (kernel-mode only)
    SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION
    SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX
    SystemVerifierTriageInformation, // not implemented
    SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
    SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80
    SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)
    SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege)
    SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[]
    SystemVerifierCancellationInformation, // not implemented // name:wow64:whNT32QuerySystemVerifierCancellationInformation
    SystemProcessorPowerInformationEx, // not implemented
    SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation
    SystemSpecialPoolInformation, // q; s (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0
    SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION
    SystemErrorPortInformation, // s (requires SeTcbPrivilege)
    SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90
    SystemHypervisorInformation, // q; s (kernel-mode only)
    SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX
    SystemTimeZoneInformation, // s (requires SeTimeZonePrivilege)
    SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)
    SystemCoverageInformation, // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation
    SystemPrefetchPatchInformation, // not implemented
    SystemVerifierFaultsInformation, // s (requires SeDebugPrivilege)
    SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
    SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION
    SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION // 100
    SystemNumaProximityNodeInformation, // q
    SystemDynamicTimeZoneInformation, // q; s (requires SeTimeZonePrivilege)
    SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation
    SystemProcessorMicrocodeUpdateInformation, // s
    SystemProcessorBrandString, // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
    SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
    SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // since WIN7 // KeQueryLogicalProcessorRelationship
    SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[]
    SystemStoreInformation, // q; s // SmQueryStoreInformation
    SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110
    SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege)
    SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION
    SystemCpuQuotaInformation, // q; s // PsQueryCpuQuotaInformation
    SystemNativeBasicInformation, // not implemented
    SystemSpare1, // not implemented
    SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
    SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation
    SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
    SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)
    SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120
    SystemNodeDistanceInformation, // q
    SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26
    SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
    SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
    SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8
    SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only)
    SystemScrubPhysicalMemoryInformation,
    SystemBadPageInformation,
    SystemProcessorProfileControlArea,
    SystemCombinePhysicalMemoryInformation, // 130
    SystemEntropyInterruptTimingCallback,
    SystemConsoleInformation, // q: SYSTEM_CONSOLE_INFORMATION
    SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION
    SystemThrottleNotificationInformation,
    SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
    SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION
    SystemDeviceDataEnumerationInformation,
    SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION
    SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION
    SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140
    SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // since WINBLUE
    SystemSpare0,
    SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION
    SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX
    SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION
    SystemEntropyInterruptTimingRawInformation,
    SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
    SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
    SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
    SystemBootMetadataInformation, // 150
    SystemSoftRebootInformation,
    SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION
    SystemOfflineDumpConfigInformation,
    SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION
    SystemRegistryReconciliationInformation,
    SystemEdidInformation,
    SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD
    SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
    SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION
    SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION // 160
    SystemVmGenerationCountInformation,
    SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION
    SystemKernelDebuggerFlags,
    SystemCodeIntegrityPolicyInformation, // q: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
    SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION
    SystemHardwareSecurityTestInterfaceResultsInformation,
    SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION
    SystemAllowedCpuSetsInformation,
    SystemDmaProtectionInformation, // q: SYSTEM_DMA_PROTECTION_INFORMATION
    SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170
    SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
    SystemCodeIntegrityPolicyFullInformation,
    SystemAffinitizedInterruptProcessorInformation,
    SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION
    SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2
    SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION
    SystemWin32WerStartCallout,
    SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION
    SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE
    SystemInterruptSteeringInformation, // 180
    SystemSupportedProcessorArchitectures,
    SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION
    SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
    MaxSystemInfoClass
} SYSTEM_INFORMATION_CLASS;
// Exported by ntoskrnl but not declared in the WDK headers; declared here
// against the SYSTEM_INFORMATION_CLASS enum above. Used by get_kernel_address
// (cleaning.cpp) with SystemModuleInformation, first to size the buffer
// (ReturnLength) and then to fill it.
extern "C"
NTKERNELAPI NTSTATUS NTAPI
ZwQuerySystemInformation(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);
inline auto dereference(uintptr_t address, unsigned int offset) -> uintptr_t
{
if (address == 0)
return 0;
return address + (int)((*(int*)(address + offset) + offset) + sizeof(int));
}
/*
 * Resolve a RIP-relative operand whose disp32 occupies the last four bytes of
 * a `size`-byte instruction starting at `address`: returns
 * address + size + disp32. Returns nullptr for a null address.
 */
inline auto relative(uintptr_t address, unsigned int size) -> PVOID
{
    if (!address)
        return nullptr;
    auto* const bytes = reinterpret_cast<unsigned char*>(address);
    const int disp32 = *reinterpret_cast<int*>(bytes + (size - static_cast<INT>(sizeof(INT))));
    return static_cast<PVOID>(bytes + disp32 + size);
}
/*
 * Masked byte comparison. For each character of `szMask`, an 'x' requires
 * pData[i] == bMask[i]; any other character is a wildcard. The mask's NUL
 * terminator sets the length; pData and bMask are read that far with no
 * bounds checking.
 */
inline auto compare_data(const unsigned char* pData, const unsigned char* bMask, const char* szMask) -> bool
{
    while (*szMask != '\0')
    {
        const bool must_match = (*szMask == 'x');
        if (must_match && *pData != *bMask)
            return false;
        ++szMask;
        ++pData;
        ++bMask;
    }
    return true;
}
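/*
 * Signature scan over [dwAddress, dwAddress + dwLen) using compare_data():
 * an 'x' in szMask means the byte must equal bMask, anything else is a
 * wildcard, and strlen(szMask) is the signature length.
 *
 * Returns the address of the first match, or 0 when no match is found, an
 * argument is null, or the range is empty or shorter than the signature.
 * Unlike find_pattern(), no page-validity check is made: the caller must
 * know the whole range is readable.
 *
 * Fix: the loop is bounded so every candidate window ends inside the range;
 * previously the windows starting in the last strlen(szMask)-1 bytes read
 * past dwAddress + dwLen.
 */
inline auto find_pattern2(UINT64 dwAddress, UINT64 dwLen, unsigned char* bMask, const char* szMask) -> ULONGLONG
{
    if (dwAddress == 0 || dwLen == 0 || bMask == nullptr || szMask == nullptr)
        return 0;

    const UINT64 sigLen = strlen(szMask);
    if (dwLen < sigLen)
        return 0;

    for (UINT64 i = 0; i + sigLen <= dwLen; ++i)
    {
        if (compare_data(reinterpret_cast<const unsigned char*>(dwAddress + i), bMask, szMask))
            return static_cast<ULONGLONG>(dwAddress + i);
    }
    return 0;
}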
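/*
 * Masked signature scan over [start, start + length). `mask` uses '?' for a
 * wildcard byte and any other character (conventionally 'x') for a byte that
 * must equal pattern[j]; strlen(mask) is the signature length. Every byte of
 * a candidate window is passed through MmIsAddressValid before it is read, so
 * unmapped pages inside the range are skipped instead of faulted on (note
 * the per-byte call is costly on multi-megabyte ranges).
 *
 * Returns the first match cast to `t`, or a value-initialised `t` (nullptr /
 * 0) when there is no match or an argument is null.
 *
 * Fix: a `length` shorter than the signature now returns no match.
 * Previously `length - pattern_length` wrapped around as size_t and the loop
 * ran far beyond the end of the range.
 */
template <typename t = void*>
inline auto find_pattern(void* start, size_t length, const char* pattern, const char* mask) -> t
{
    if (start == nullptr || pattern == nullptr || mask == nullptr)
        return t{};

    const auto data = static_cast<const char*>(start);
    const size_t pattern_length = strlen(mask);
    if (length < pattern_length)
        return t{};

    for (size_t i = 0; i <= length - pattern_length; ++i)
    {
        bool found = true;
        for (size_t j = 0; j < pattern_length; ++j)
        {
            const auto byte_addr = reinterpret_cast<uintptr_t>(data) + i + j;
            if (!MmIsAddressValid(reinterpret_cast<void*>(byte_addr)))
            {
                found = false;
                break;
            }
            if (mask[j] != '?' && data[i + j] != pattern[j])
            {
                found = false;
                break;
            }
        }
        if (found)
            return (t)(reinterpret_cast<uintptr_t>(data) + i); // C-style: t may be pointer or integer
    }
    return t{};
}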
================================================
FILE: full kernel bypass/full kernel bypass.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM64">
<Configuration>Debug</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM64">
<Configuration>Release</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}</ProjectGuid>
<TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
<MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
<Configuration>Debug</Configuration>
<Platform Condition="'$(Platform)' == ''">Win32</Platform>
<RootNamespace>full_kernel_bypass</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<Driver_SpectreMitigation>false</Driver_SpectreMitigation>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<Driver_SpectreMitigation>false</Driver_SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>TurnOffAllWarnings</WarningLevel>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
<Link>
<AdditionalOptions>/FORCE:MULTIPLE %(AdditionalOptions)</AdditionalOptions>
<TreatLinkerWarningAsErrors>false</TreatLinkerWarningAsErrors>
<EntryPointSymbol>DriverEntry</EntryPointSymbol>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<FilesToPackage Include="$(TargetPath)" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="cleaning\cleaning.cpp" />
<ClCompile Include="io\io.cpp" />
<ClCompile Include="main.cpp" />
<ClCompile Include="memory\memory.cpp" />
<ClCompile Include="thread\thread.cpp" />
<ClCompile Include="utils\utils.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="cleaning\cleaning.h" />
<ClInclude Include="defs.h" />
<ClInclude Include="io\io.h" />
<ClInclude Include="memory\memory.h" />
<ClInclude Include="process\process.h" />
<ClInclude Include="thread\thread.h" />
<ClInclude Include="utils\utils.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
================================================
FILE: full kernel bypass/full kernel bypass.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Header Files\io">
<UniqueIdentifier>{8a1420fe-ef8f-4abd-bdd2-80a5734844bc}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\memory">
<UniqueIdentifier>{993343d9-8704-4670-8624-a6f5a0072cd7}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\process">
<UniqueIdentifier>{14d0d3d7-34f7-480b-85c9-6b27177eff87}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\utils">
<UniqueIdentifier>{09dd5666-fb10-485e-8c4d-536470abc1f9}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\thread">
<UniqueIdentifier>{b5004452-c296-4540-90de-83293b83e9af}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\cleaning">
<UniqueIdentifier>{3f41d68c-0fe0-4184-92a1-9663637a241d}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="io\io.cpp">
<Filter>Header Files\io</Filter>
</ClCompile>
<ClCompile Include="memory\memory.cpp">
<Filter>Header Files\memory</Filter>
</ClCompile>
<ClCompile Include="main.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="utils\utils.cpp">
<Filter>Header Files\utils</Filter>
</ClCompile>
<ClCompile Include="thread\thread.cpp">
<Filter>Header Files\thread</Filter>
</ClCompile>
<ClCompile Include="cleaning\cleaning.cpp">
<Filter>Header Files\cleaning</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="memory\memory.h">
<Filter>Header Files\memory</Filter>
</ClInclude>
<ClInclude Include="process\process.h">
<Filter>Header Files\process</Filter>
</ClInclude>
<ClInclude Include="io\io.h">
<Filter>Header Files\io</Filter>
</ClInclude>
<ClInclude Include="utils\utils.h">
<Filter>Header Files\utils</Filter>
</ClInclude>
<ClInclude Include="defs.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="thread\thread.h">
<Filter>Header Files\thread</Filter>
</ClInclude>
<ClInclude Include="cleaning\cleaning.h">
<Filter>Header Files\cleaning</Filter>
</ClInclude>
</ItemGroup>
</Project>
================================================
FILE: full kernel bypass/full kernel bypass.vcxproj.user
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>
================================================
FILE: full kernel bypass/io/io.cpp
================================================
#include <ntifs.h>
#include <ntstrsafe.h>
#include <stdio.h>
#include <stdarg.h>
#include <ntimage.h>
#include "io.h"
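// Formats `format` with the variadic arguments into a fixed 512-byte buffer and emits it
// through DbgPrintEx with the "[Kernel Driver] " prefix. Output longer than the buffer is
// truncated; no newline is appended (callers supply their own, as before).
void driver::io::dbgprint( PCCH format, ...)
{
    CHAR message[512];

    va_list args;
    va_start(args, format);
    // RtlStringCbVPrintfA always NUL-terminates and reports truncation as a warning status.
    // The original indexed the buffer with the raw _vsnprintf_s return value, which is -1
    // on truncation/error and, as a ULONG, addressed memory far outside the buffer.
    const NTSTATUS status = RtlStringCbVPrintfA(message, sizeof(message), format, args);
    va_end(args);

    if (!NT_SUCCESS(status) && status != STATUS_BUFFER_OVERFLOW)
    {
        // Invalid format or argument list: say so rather than print garbage.
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[Kernel Driver] <dbgprint format failed: 0x%08X>", status);
        return;
    }

    // The formatted text is passed as a %s argument, never as the format string. The
    // original handed the already-expanded message (which may contain '%') to
    // vDbgPrintExWithPrefix as a format, together with a va_list that _vsnprintf_s had
    // already consumed.
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[Kernel Driver] %s", message);
}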
================================================
FILE: full kernel bypass/io/io.h
================================================
#include <ntdef.h>
// Kernel debug-output helper. Requires <ntdef.h> (included above) for PCCH.
// NOTE(review): this header has no include guard / #pragma once; it is currently
// included once per translation unit, but that is by luck rather than by design.
namespace driver
{
namespace io
{
// printf-style debug print. Formats into a fixed buffer and emits through the kernel
// debug channel with a "[Kernel Driver] " prefix; see io.cpp. No newline is appended.
void dbgprint(PCCH format, ...);
}
}
================================================
FILE: full kernel bypass/main.cpp
================================================
#include <ntifs.h>
#include <ntimage.h>
#include <ntddk.h>
#include "defs.h"
#include "io/io.h"
#include "utils/utils.h"
#include "memory/memory.h"
#include "thread/thread.h"
#include "cleaning/cleaning.h"
using namespace driver;
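// System-thread body started from DriverEntry. Waits for the target process, caches its
// EPROCESS / PID / image base in the process:: globals, then loops reading and writing
// one example address. Never returns; exits through PsTerminateSystemThread.
void driver_thread( void* context )
{
    UNREFERENCED_PARAMETER( context );

    // allow five seconds for driver to finish entry
    utils::sleep( 5000 );

    // debug text
    io::dbgprint( "cleaning status -> %i", cleaning::clean_traces( ) );
    // PsGetCurrentThreadId returns a HANDLE; HandleToULong keeps the varargs type honest
    // (the original passed the 64-bit handle to %i).
    io::dbgprint( "tid -> %u", HandleToULong( PsGetCurrentThreadId( ) ) );

    // user extersize
    const bool unlinked = thread::unlink( );
    io::dbgprint( "unlinked thread -> %i", unlinked );

    // change your process name here
    process::process_name = "RainbowSix.exe";
    io::dbgprint( "process name -> %s", process::process_name );

    // Poll until the process exists. Any non-success status keeps waiting; the original
    // retried only on STATUS_NOT_FOUND and would have treated any other failure as "found".
    while ( !NT_SUCCESS( utils::process_by_name( process::process_name, &process::process ) ) )
    {
        io::dbgprint( "waiting for -> %s", process::process_name );
        utils::sleep( 2000 );
    }
    io::dbgprint( "found process -> %s", process::process_name );

    // sleep for 15 seconds to allow game to get started and prevent us from getting false info
    utils::sleep( 15000 );

    // Re-resolve after the delay. If the process went away meanwhile, wait for it again
    // instead of continuing with a stale EPROCESS pointer (the original ignored this result).
    while ( !NT_SUCCESS( utils::process_by_name( process::process_name, &process::process ) ) )
    {
        io::dbgprint( "process gone, waiting for -> %s", process::process_name );
        utils::sleep( 2000 );
    }
    io::dbgprint( "peprocess -> 0x%llx", reinterpret_cast< uint64 >( process::process ) );

    // PsGetProcessId returns a HANDLE; reinterpret_cast to a 32-bit integer is a narrowing
    // pointer conversion, HandleToULong is the sanctioned truncation.
    process::pid = HandleToULong( PsGetProcessId( process::process ) );
    io::dbgprint( "pid -> %u", process::pid );

    process::base_address = reinterpret_cast< uint64 >( PsGetProcessSectionBaseAddress( process::process ) );
    io::dbgprint( "base address -> 0x%llx", process::base_address );

    // main loop
    // NOTE(review): there is no delay on the fast path, so this thread spins at 100% of a
    // core while thread::terminate_thread is false.
    while ( true )
    {
        // example read — the offsets are specific to one game build; on any other build
        // memory::read silently returns a zeroed value (it cannot report failure).
        const uint64 round_manager = memory::read< uint64 >( process::base_address + 0x77BF800 );
        const uint32 encrypted_round_state = memory::read< uint32 >( round_manager + 0xC0 );
        // _rotl64 yields 64 bits; storing it in a uint32 keeps only the low half, exactly as
        // the original did. TODO(review): confirm whether the full 64-bit value was intended.
        const uint32 decrypted_round_state = static_cast< uint32 >( _rotl64( encrypted_round_state - 0x56, 0x1E ) );
        // %x for a 32-bit value — the original used %llx, which reads 8 bytes of a 4-byte argument.
        io::dbgprint( "round state ptr -> 0x%x", decrypted_round_state );

        // example write
        memory::write< uint32 >( round_manager + 0xC0, 0x0 );

        // for testing
        if ( thread::terminate_thread )
        {
            io::dbgprint( "loops -> %i", thread::total_loops );
            utils::sleep( 5000 );
            thread::total_loops++;
            if ( thread::total_loops > thread::loops_before_end )
            {
                io::dbgprint( "terminating thread" );
                PsTerminateSystemThread( STATUS_SUCCESS );
            }
        }
    }
    PsTerminateSystemThread( STATUS_SUCCESS );
}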
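// Entry point. Configures the trace-cleaning parameters, spawns driver_thread as a system
// thread and returns; all real work happens on that thread. Returns the PsCreateSystemThread
// status when the thread cannot be created (the original always reported success).
NTSTATUS DriverEntry( PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path ) {
    UNREFERENCED_PARAMETER( driver_object );
    UNREFERENCED_PARAMETER( registry_path );

    io::dbgprint( "driver entry called." );

    // change this per mapper; debug prints the entire mmu
    cleaning::debug = false;
    cleaning::driver_timestamp = 0x5284EAC3;
    cleaning::driver_name = RTL_CONSTANT_STRING( L"iqvw64e.sys" );

    HANDLE thread_handle = nullptr;
    OBJECT_ATTRIBUTES object_attributes{ };
    InitializeObjectAttributes( &object_attributes, nullptr, OBJ_KERNEL_HANDLE, nullptr, nullptr );

    const NTSTATUS status = PsCreateSystemThread( &thread_handle, 0, &object_attributes, nullptr, nullptr,
        reinterpret_cast< PKSTART_ROUTINE >( &driver_thread ), nullptr );
    // NTSTATUS is a 32-bit LONG; the original printed it with %llx, a varargs size mismatch.
    io::dbgprint( "thread status -> 0x%08X", status );

    if ( !NT_SUCCESS( status ) )
    {
        // Nothing else was set up, so a failed thread creation is a failed load.
        io::dbgprint( "failed to create driver thread... aborting..." );
        return status;
    }

    // The thread runs independently of the handle; close it rather than leak a kernel handle
    // (the original never closed it).
    ZwClose( thread_handle );

    io::dbgprint( "fininshed driver entry... closing..." );
    return STATUS_SUCCESS;
}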
================================================
FILE: full kernel bypass/memory/memory.cpp
================================================
#include <ntifs.h>
#include <stdio.h>
#include <stdarg.h>
#include <ntimage.h>
#include "memory.h"
// MmCopyVirtualMemory is exported by ntoskrnl but not declared in the public WDK headers;
// this prototype follows the widely used reverse-engineered signature. It copies
// BufferSize bytes from SourceAddress in SourceProcess to TargetAddress in TargetProcess
// and stores the number of bytes actually copied in *ReturnSize. PreviousMode is the
// access mode the addresses are validated for; both callers below pass KernelMode.
extern "C"
NTSTATUS NTAPI MmCopyVirtualMemory
(
PEPROCESS SourceProcess,
PVOID SourceAddress,
PEPROCESS TargetProcess,
PVOID TargetAddress,
SIZE_T BufferSize,
KPROCESSOR_MODE PreviousMode,
PSIZE_T ReturnSize
);
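// Copies `size` bytes from `source_address` in `process` to `target_address` in the current
// process via MmCopyVirtualMemory. `pid` is accepted for interface compatibility only; the
// copy is keyed on the PEPROCESS.
// Returns STATUS_SUCCESS only when all `size` bytes were copied, STATUS_UNSUCCESSFUL
// otherwise — including a null `process`, which would otherwise be handed straight to
// MmCopyVirtualMemory.
NTSTATUS driver::memory::read_virtual_memory( ULONG pid, PEPROCESS process, PVOID source_address, PVOID target_address, SIZE_T size )
{
    UNREFERENCED_PARAMETER( pid );

    if ( process == nullptr )
        return STATUS_UNSUCCESSFUL;

    SIZE_T bytes_copied = 0;
    const NTSTATUS status = MmCopyVirtualMemory( process, source_address, PsGetCurrentProcess( ), target_address, size, KernelMode, &bytes_copied );

    // A short copy is a failure for the fixed-size reads in memory.h; the original ignored
    // the returned byte count entirely.
    if ( !NT_SUCCESS( status ) || bytes_copied != size )
        return STATUS_UNSUCCESSFUL;

    return STATUS_SUCCESS;
}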
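// Copies `size` bytes from `source_address` in the current process to `target_address` in
// `process` via MmCopyVirtualMemory — note the direction: source is the local buffer,
// target is the remote address. `pid` is accepted for interface compatibility only.
// Returns STATUS_SUCCESS only when all `size` bytes were copied, STATUS_UNSUCCESSFUL
// otherwise — including a null `process`.
// NOTE(review): PreviousMode is KernelMode, so MmCopyVirtualMemory is presumably not asked
// to validate that the addresses are user-mode; callers must not pass kernel addresses as
// the remote target. TODO confirm against the target kernel.
NTSTATUS driver::memory::write_virtual_memory( ULONG pid, PEPROCESS process, PVOID source_address, PVOID target_address, SIZE_T size )
{
    UNREFERENCED_PARAMETER( pid );

    if ( process == nullptr )
        return STATUS_UNSUCCESSFUL;

    SIZE_T bytes_copied = 0;
    const NTSTATUS status = MmCopyVirtualMemory( PsGetCurrentProcess( ), source_address, process, target_address, size, KernelMode, &bytes_copied );

    // A partial write is reported as failure; the original ignored the returned byte count.
    if ( !NT_SUCCESS( status ) || bytes_copied != size )
        return STATUS_UNSUCCESSFUL;

    return STATUS_SUCCESS;
}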
================================================
FILE: full kernel bypass/memory/memory.h
================================================
#include "../process/process.h"
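namespace driver
{
    namespace memory
    {
        // Copies `size` bytes from `source_address` in `process` into `target_address` in the
        // current (System) process. `pid` is unused by the implementation. Defined in memory.cpp.
        NTSTATUS read_virtual_memory( ULONG pid, PEPROCESS process, PVOID source_address, PVOID target_address, SIZE_T size );

        // Copies `size` bytes from `source_address` in the current process into `target_address`
        // in `process` — i.e. source is the local buffer, target is the remote address.
        // Defined in memory.cpp.
        NTSTATUS write_virtual_memory( ULONG pid, PEPROCESS process, PVOID source_address, PVOID target_address, SIZE_T size );

        // Reads a T from `address` in the process recorded in process::process.
        // On any failure the result is a zero-initialised T — callers cannot distinguish a
        // failed read from a genuine zero.
        template< typename T >
        T read( uintptr_t address )
        {
            T buffer{};
            read_virtual_memory( process::pid, process::process, reinterpret_cast< void* >( address ), &buffer, sizeof( T ) );
            return buffer;
        }

        // Writes `buffer` to `address` in the target process. Failures are not reported.
        //
        // write_virtual_memory takes (source = local buffer, target = remote address). The
        // original passed them the other way round, which made MmCopyVirtualMemory attempt to
        // read `address` in the *current* process and write into the local `buffer`, so the
        // remote write could never take effect.
        template< typename T >
        void write( uintptr_t address, T buffer )
        {
            write_virtual_memory( process::pid, process::process, &buffer, reinterpret_cast< void* >( address ), sizeof( T ) );
        }
    }
}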
================================================
FILE: full kernel bypass/process/process.h
================================================
// Target-process state shared across the driver: written by driver_thread in main.cpp,
// read by the memory::read/write templates in memory.h.
//
// NOTE(review): these are variable *definitions* (not `extern` declarations) in a header,
// so every translation unit that includes it defines its own copy and the linker sees
// duplicate symbols. The /FORCE:MULTIPLE linker option in the .vcxproj appears to be
// there to paper over exactly that; the proper fix is `extern` here plus one definition
// in a .cpp (or C++17 `inline` variables if the toolset is set to C++17).
// The header also lacks an include guard / #pragma once.
namespace driver
{
namespace process
{
// PID of the target process; zero-initialised (namespace scope) until driver_thread sets it.
ULONG pid;
// EPROCESS of the target. Not reference-counted by utils::process_by_name, so it can
// dangle if the process exits after lookup.
PEPROCESS process;
// Image name to look for. Non-const CHAR* only because main.cpp assigns a string literal
// to it, which relies on MSVC's permissive literal conversion; matching is a substring
// search (see utils::process_by_name).
CHAR* process_name;
// Section base of the target as returned by PsGetProcessSectionBaseAddress.
ULONGLONG base_address;
}
}
================================================
FILE: full kernel bypass/thread/thread.cpp
================================================
#include "../defs.h"
#include "thread.h"
// Placeholder for hiding the driver's system thread. Intentionally left unimplemented by
// the author; the caller (driver_thread in main.cpp) logs the return value as
// "unlinked thread -> 1", so this stub reports success although nothing was done.
bool driver::thread::unlink()
{
// Up to the reader to determine how to do /
// implement your own method
return true;
}
// Placeholder for the inverse of unlink(). Intentionally left unimplemented by the author;
// it is not called anywhere in the visible sources and always reports success.
bool driver::thread::link()
{
// Up to the reader to determine how to do /
// implement your own method
return true;
}
================================================
FILE: full kernel bypass/thread/thread.h
================================================
// Thread-hiding stubs (thread.cpp) and the test-mode loop counters used by driver_thread
// in main.cpp.
//
// NOTE(review): the three variables below are *definitions* in a header; with this header
// included from both main.cpp and thread.cpp the linker sees duplicate symbols, which the
// /FORCE:MULTIPLE option in the .vcxproj appears to be working around. Prefer `extern`
// here plus a single definition in thread.cpp. No include guard / #pragma once either.
namespace driver
{
namespace thread
{
// Stubs; both currently return true without doing anything (see thread.cpp).
bool unlink();
bool link();

// When true, driver_thread sleeps 5 s per iteration, increments total_loops, and calls
// PsTerminateSystemThread once total_loops exceeds loops_before_end.
bool terminate_thread = true;
int total_loops = 0;
int loops_before_end = 2;
}
}
================================================
FILE: full kernel bypass/utils/utils.cpp
================================================
#include <ntifs.h>
#include "utils.h"
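// Walks the kernel's active-process list starting at the System process and returns the
// first EPROCESS whose ImageFileName contains `process_name` (substring, case-sensitive:
// "Six.exe" would also match "RainbowSix.exe") and whose ActiveThreads count is non-zero.
//
// NOTE(review): the EPROCESS field offsets below are hard-coded for one Windows build; on
// any other build they read the wrong fields (wrong process, or a bugcheck). The list is
// walked without the process-list lock, and the returned pointer carries no object
// reference, so it can dangle if the process exits after this returns.
//
// Returns STATUS_SUCCESS and sets *process on a match, STATUS_NOT_FOUND when the whole
// list was walked without one, and STATUS_INVALID_PARAMETER for a null argument.
NTSTATUS driver::utils::process_by_name( CHAR* process_name, PEPROCESS* process )
{
    if ( process_name == nullptr || process == nullptr )
        return STATUS_INVALID_PARAMETER;

    const PEPROCESS system_process = PsInitialSystemProcess;
    PEPROCESS current = system_process;

    // EPROCESS.ImageFileName is 15 bytes and is not guaranteed to be NUL-terminated for
    // long names. Copy it into a 16-byte buffer and terminate it ourselves so strstr can
    // never run off the end of the stack array (the original used a 15-byte buffer).
    CHAR image_name[ 16 ];

    do
    {
        RtlCopyMemory( image_name, reinterpret_cast< PVOID >( reinterpret_cast< uintptr_t >( current ) + 0x450 ) /*EPROCESS->ImageFileName*/, 15 );
        image_name[ 15 ] = '\0';

        if ( strstr( image_name, process_name ) != nullptr )
        {
            ULONG active_threads = 0;
            RtlCopyMemory( &active_threads, reinterpret_cast< PVOID >( reinterpret_cast< uintptr_t >( current ) + 0x498 ) /*EPROCESS->ActiveThreads*/, sizeof( active_threads ) );
            // Entries with no threads are presumably exited processes still linked in the list.
            if ( active_threads != 0 )
            {
                *process = current;
                return STATUS_SUCCESS;
            }
        }

        const PLIST_ENTRY links = reinterpret_cast< PLIST_ENTRY >( reinterpret_cast< uintptr_t >( current ) + 0x2F0 ) /*EPROCESS->ActiveProcessLinks*/;
        current = reinterpret_cast< PEPROCESS >( reinterpret_cast< uintptr_t >( links->Flink ) - 0x2F0 );
    } while ( current != system_process );

    return STATUS_NOT_FOUND;
}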
================================================
FILE: full kernel bypass/utils/utils.h
================================================
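namespace driver
{
    namespace utils
    {
        // Finds a running process whose image name contains `process_name` by walking the
        // active-process list; see utils.cpp for return values and caveats.
        NTSTATUS process_by_name( CHAR* process_name, PEPROCESS* process );

        // Blocks the calling thread for roughly `ms` milliseconds.
        //
        // `inline` so the definition may legitimately appear in every translation unit that
        // includes this header; without it main.cpp and utils.cpp each define utils::sleep
        // and the link only succeeds because of /FORCE:MULTIPLE.
        // The interval is computed in 64-bit arithmetic — the original `ms * 10 * 1000` was
        // evaluated in `int` and overflows for ms above roughly 214 seconds.
        // Alertable is TRUE as in the original, so the wait can end early if the thread is
        // alerted, and the return status is not checked; pass FALSE if the full delay must
        // elapse.
        inline void sleep( int ms )
        {
            LARGE_INTEGER interval;
            // Negative = relative time, in 100 ns units.
            interval.QuadPart = -10000LL * static_cast< LONGLONG >( ms );
            KeDelayExecutionThread( KernelMode, TRUE, &interval );
        }
    }
}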
================================================
FILE: full kernel bypass.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30804.86
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "full kernel bypass", "full kernel bypass\full kernel bypass.vcxproj", "{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|ARM = Debug|ARM
Debug|ARM64 = Debug|ARM64
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|ARM = Release|ARM
Release|ARM64 = Release|ARM64
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM.ActiveCfg = Debug|ARM
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM.Build.0 = Debug|ARM
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM.Deploy.0 = Debug|ARM
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM64.ActiveCfg = Debug|ARM64
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM64.Build.0 = Debug|ARM64
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM64.Deploy.0 = Debug|ARM64
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x64.ActiveCfg = Debug|x64
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x64.Build.0 = Debug|x64
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x64.Deploy.0 = Debug|x64
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x86.ActiveCfg = Debug|Win32
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x86.Build.0 = Debug|Win32
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x86.Deploy.0 = Debug|Win32
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM.ActiveCfg = Release|ARM
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM.Build.0 = Release|ARM
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM.Deploy.0 = Release|ARM
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM64.ActiveCfg = Release|ARM64
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM64.Build.0 = Release|ARM64
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM64.Deploy.0 = Release|ARM64
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x64.ActiveCfg = Release|x64
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x64.Build.0 = Release|x64
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x64.Deploy.0 = Release|x64
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x86.ActiveCfg = Release|Win32
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x86.Build.0 = Release|Win32
{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x86.Deploy.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {6BC51261-A1CA-4C1F-90B5-8DF303CE1727}
EndGlobalSection
EndGlobal
gitextract_susrs7x4/ ├── full kernel bypass/ │ ├── cleaning/ │ │ ├── cleaning.cpp │ │ └── cleaning.h │ ├── defs.h │ ├── full kernel bypass.vcxproj │ ├── full kernel bypass.vcxproj.filters │ ├── full kernel bypass.vcxproj.user │ ├── io/ │ │ ├── io.cpp │ │ └── io.h │ ├── main.cpp │ ├── memory/ │ │ ├── memory.cpp │ │ └── memory.h │ ├── process/ │ │ └── process.h │ ├── thread/ │ │ ├── thread.cpp │ │ └── thread.h │ └── utils/ │ ├── utils.cpp │ └── utils.h └── full kernel bypass.sln
SYMBOL INDEX (57 symbols across 11 files)
FILE: full kernel bypass/cleaning/cleaning.cpp
function get_kernel_address (line 11) | uintptr_t get_kernel_address( const char* name, size_t& size )
function PVOID (line 55) | PVOID resolve_relative_address( PVOID Instruction, ULONG OffsetOffset, U...
function ULONGLONG (line 64) | ULONGLONG get_exported_function( const ULONGLONG mod, const char* name )
function random_number (line 90) | unsigned char random_number( )
function PERESOURCE (line 111) | PERESOURCE get_ps_loaded( )
function PRTL_AVL_TABLE (line 125) | PRTL_AVL_TABLE get_piddb_table( )
function PERESOURCE (line 149) | PERESOURCE get_piddb_lock( )
function is_unload_empty (line 194) | bool is_unload_empty(PMM_UNLOADED_DRIVER entry)
function PMM_UNLOADED_DRIVER (line 202) | PMM_UNLOADED_DRIVER get_mmu_address()
function PULONG (line 216) | PULONG get_mml_address()
function is_mmu_filled (line 235) | bool is_mmu_filled()
FILE: full kernel bypass/cleaning/cleaning.h
function namespace (line 3) | namespace driver
FILE: full kernel bypass/defs.h
type ll (line 18) | typedef long long ll;
type ull (line 19) | typedef unsigned long long ull;
type __int64 (line 27) | typedef __int64 ll;
type ull (line 28) | typedef unsigned __int64 ull;
type __int64 (line 32) | typedef __int64 ll;
type ull (line 33) | typedef unsigned __int64 ull;
type uint (line 39) | typedef unsigned int uint;
type uchar (line 40) | typedef unsigned char uchar;
type ushort (line 41) | typedef unsigned short ushort;
type int8 (line 44) | typedef char int8;
type sint8 (line 45) | typedef signed char sint8;
type uint8 (line 46) | typedef unsigned char uint8;
type int16 (line 47) | typedef short int16;
type sint16 (line 48) | typedef signed short sint16;
type uint16 (line 49) | typedef unsigned short uint16;
type int32 (line 50) | typedef int int32;
type sint32 (line 51) | typedef signed int sint32;
type uint32 (line 52) | typedef unsigned int uint32;
type ll (line 53) | typedef ll int64;
type ll (line 54) | typedef ll sint64;
type ull (line 55) | typedef ull uint64;
function uint8 (line 156) | inline uint8 __ROL1__(uint8 value, int count) { return __ROL__((uint8)...
function uint16 (line 157) | inline uint16 __ROL2__(uint16 value, int count) { return __ROL__((uint16...
function uint32 (line 158) | inline uint32 __ROL4__(uint32 value, int count) { return __ROL__((uint32...
function uint64 (line 159) | inline uint64 __ROL8__(uint64 value, int count) { return __ROL__((uint64...
function uint8 (line 160) | inline uint8 __ROR1__(uint8 value, int count) { return __ROL__((uint8)...
function uint16 (line 161) | inline uint16 __ROR2__(uint16 value, int count) { return __ROL__((uint16...
function uint32 (line 162) | inline uint32 __ROR4__(uint32 value, int count) { return __ROL__((uint32...
function uint64 (line 163) | inline uint64 __ROR8__(uint64 value, int count) { return __ROL__((uint64...
type IEEE754 (line 203) | typedef union IEEE754
type MM_UNLOADED_DRIVER (line 214) | typedef struct _MM_UNLOADED_DRIVER
type PIDDBCACHE_ENTRY (line 221) | typedef struct _PIDDBCACHE_ENTRY
type SYSTEM_MODULEE (line 229) | typedef struct _SYSTEM_MODULEE
type SYSTEM_MODULE_INFORMATIONN (line 241) | typedef struct _SYSTEM_MODULE_INFORMATIONN
type SYSTEM_INFORMATION_CLASS (line 246) | typedef enum _SYSTEM_INFORMATION_CLASS
FILE: full kernel bypass/io/io.h
function namespace (line 3) | namespace driver
FILE: full kernel bypass/main.cpp
function driver_thread (line 12) | void driver_thread( void* context )
function NTSTATUS (line 79) | NTSTATUS DriverEntry( PDRIVER_OBJECT driver_object, PUNICODE_STRING regi...
FILE: full kernel bypass/memory/memory.cpp
function NTSTATUS (line 19) | NTSTATUS driver::memory::read_virtual_memory( ULONG pid, PEPROCESS proce...
function NTSTATUS (line 28) | NTSTATUS driver::memory::write_virtual_memory( ULONG pid, PEPROCESS pro...
FILE: full kernel bypass/memory/memory.h
function namespace (line 3) | namespace driver
FILE: full kernel bypass/process/process.h
function namespace (line 2) | namespace driver
FILE: full kernel bypass/thread/thread.h
function namespace (line 2) | namespace driver
FILE: full kernel bypass/utils/utils.cpp
function NTSTATUS (line 5) | NTSTATUS driver::utils::process_by_name(CHAR* process_name, PEPROCESS* p...
FILE: full kernel bypass/utils/utils.h
function namespace (line 2) | namespace driver
Condensed preview — 17 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (60K chars).
[
{
"path": "full kernel bypass/cleaning/cleaning.cpp",
"chars": 8735,
"preview": "#include <ntifs.h>\n#include <ntstrsafe.h>\n#include <ntimage.h>\n\n#include \"../defs.h\"\n#include \"../io/io.h\"\n#include \"cle"
},
{
"path": "full kernel bypass/cleaning/cleaning.h",
"chars": 284,
"preview": "#define MM_UNLOADED_DRIVERS_SIZE 50\r\n\r\nnamespace driver\r\n{\r\n\tnamespace cleaning\r\n\t{\r\n\r\n\t\tbool clean_traces( );\r\n\t\tbool v"
},
{
"path": "full kernel bypass/defs.h",
"chars": 23832,
"preview": "#include <ntifs.h>\r\n\r\nextern \"C\"\r\n{\r\n\r\n\tNTKERNELAPI PVOID\r\n\t\tPsGetProcessSectionBaseAddress(\r\n\t\t\tPEPROCESS Process\r\n\t\t);"
},
{
"path": "full kernel bypass/full kernel bypass.vcxproj",
"chars": 8629,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" ToolsVersion=\"12.0\" xmlns=\"http://schemas.micro"
},
{
"path": "full kernel bypass/full kernel bypass.vcxproj.filters",
"chars": 2815,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "full kernel bypass/full kernel bypass.vcxproj.user",
"chars": 166,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/m"
},
{
"path": "full kernel bypass/io/io.cpp",
"chars": 434,
"preview": "#include <ntifs.h>\n#include <stdio.h>\n#include <stdarg.h> \n#include <ntimage.h>\n#include \"io.h\"\n\nvoid driver::io::dbgpri"
},
{
"path": "full kernel bypass/io/io.h",
"chars": 103,
"preview": "#include <ntdef.h>\r\n\r\nnamespace driver\r\n{\r\n\tnamespace io\r\n\t{\r\n\t\tvoid dbgprint(PCCH format, ...);\r\n\t}\r\n}"
},
{
"path": "full kernel bypass/main.cpp",
"chars": 3364,
"preview": "#include <ntifs.h>\r\n#include <ntimage.h>\r\n#include <ntddk.h>\r\n#include \"defs.h\"\r\n#include \"io/io.h\"\r\n#include \"utils/uti"
},
{
"path": "full kernel bypass/memory/memory.cpp",
"chars": 1027,
"preview": "#include <ntifs.h>\n#include <stdio.h>\n#include <stdarg.h> \n#include <ntimage.h>\n#include \"memory.h\"\n\nextern \"C\" \nNTSTATU"
},
{
"path": "full kernel bypass/memory/memory.h",
"chars": 708,
"preview": "#include \"../process/process.h\"\r\n\r\nnamespace driver\r\n{\r\n\tnamespace memory\r\n\t{\r\n\t\tNTSTATUS read_virtual_memory( ULONG pid"
},
{
"path": "full kernel bypass/process/process.h",
"chars": 138,
"preview": "\r\nnamespace driver\r\n{\r\n\tnamespace process\r\n\t{\r\n\t\tULONG pid;\r\n\t\tPEPROCESS process;\r\n\t\tCHAR* process_name;\r\n\t\tULONGLONG ba"
},
{
"path": "full kernel bypass/thread/thread.cpp",
"chars": 307,
"preview": "#include \"../defs.h\"\r\n#include \"thread.h\"\r\n\r\nbool driver::thread::unlink()\r\n{\r\n\t// Up to the reader to determine how to "
},
{
"path": "full kernel bypass/thread/thread.h",
"chars": 173,
"preview": "\r\nnamespace driver\r\n{\r\n\tnamespace thread\r\n\t{\r\n\t\tbool unlink();\r\n\t\tbool link();\r\n\r\n\t\tbool terminate_thread = true;\r\n\t\tint"
},
{
"path": "full kernel bypass/utils/utils.cpp",
"chars": 1071,
"preview": "#include <ntifs.h>\r\n#include \"utils.h\"\r\n\r\n\r\nNTSTATUS driver::utils::process_by_name(CHAR* process_name, PEPROCESS* proce"
},
{
"path": "full kernel bypass/utils/utils.h",
"chars": 254,
"preview": "\r\nnamespace driver\r\n{\r\n\tnamespace utils\r\n\t{\r\n\t\tNTSTATUS process_by_name( CHAR* process_name, PEPROCESS* process );\r\n\r\n\t\t"
},
{
"path": "full kernel bypass.sln",
"chars": 2816,
"preview": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.3"
}
]