[
  {
    "path": "full kernel bypass/cleaning/cleaning.cpp",
    "content": "#include <ntifs.h>\n#include <ntstrsafe.h>\n#include <ntimage.h>\n\n#include \"../defs.h\"\n#include \"../io/io.h\"\n#include \"cleaning.h\"\n\nusing namespace driver;\n\nuintptr_t get_kernel_address( const char* name, size_t& size )\n{\n\tNTSTATUS status = STATUS_SUCCESS;\n\tULONG neededSize = 0;\n\n\tZwQuerySystemInformation(\n\t\tSystemModuleInformation,\n\t\t&neededSize,\n\t\t0,\n\t\t&neededSize\n\t);\n\n\tPSYSTEM_MODULE_INFORMATIONN pModuleList;\n\n\tpModuleList = (PSYSTEM_MODULE_INFORMATIONN)ExAllocatePool(NonPagedPool, neededSize);\n\n\tif (!pModuleList) {\n\t\treturn 0;\n\t}\n\n\tstatus = ZwQuerySystemInformation(SystemModuleInformation,\n\t\tpModuleList,\n\t\tneededSize,\n\t\t0\n\t);\n\n\tULONG i = 0;\n\tuintptr_t address = 0;\n\n\tfor (i = 0; i < pModuleList->ModuleCount; i++)\n\t{\n\t\tSYSTEM_MODULEE mod = pModuleList->Modules[i];\n\n\t\taddress = uintptr_t(pModuleList->Modules[i].Base);\n\t\tsize = uintptr_t(pModuleList->Modules[i].Size);\n\t\tif (strstr(mod.ImageName, name) != NULL)\n\t\t\tbreak;\n\t}\n\n\tExFreePool(pModuleList);\n\n\treturn address;\n}\n\nPVOID resolve_relative_address( PVOID Instruction, ULONG OffsetOffset, ULONG InstructionSize )\n{\n\tULONG_PTR Instr = (ULONG_PTR)Instruction;\n\tLONG RipOffset = *(PLONG)(Instr + OffsetOffset);\n\tPVOID ResolvedAddr = (PVOID)(Instr + InstructionSize + RipOffset);\n\n\treturn ResolvedAddr;\n}\n\nULONGLONG get_exported_function( const ULONGLONG mod, const char* name )\n{\n\tconst auto dos_header = reinterpret_cast<PIMAGE_DOS_HEADER>(mod);\n\tconst auto nt_headers = reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<ULONGLONG>(dos_header) + dos_header->e_lfanew);\n\n\tconst auto data_directory = nt_headers->OptionalHeader.DataDirectory[0];\n\tconst auto export_directory = reinterpret_cast<PIMAGE_EXPORT_DIRECTORY>(mod + data_directory.VirtualAddress);\n\n\tconst auto address_of_names = reinterpret_cast<ULONG*>(mod + export_directory->AddressOfNames);\n\n\tfor (size_t i = 0; i < export_directory->NumberOfNames; i++)\n\t{\n\t\tconst auto function_name = reinterpret_cast<const char*>(mod + address_of_names[i]);\n\n\t\tif (!_stricmp(function_name, name))\n\t\t{\n\t\t\tconst auto name_ordinal = reinterpret_cast<unsigned short*>(mod + export_directory->AddressOfNameOrdinals)[i];\n\n\t\t\tconst auto function_rva = mod + reinterpret_cast<ULONG*>(mod + export_directory->AddressOfFunctions)[name_ordinal];\n\t\t\treturn function_rva;\n\t\t}\n\t}\n\n\treturn 0;\n}\n\nunsigned char random_number( )\n{\n\tsize_t size;\n\tauto mod = get_kernel_address(\"ntoskrnl.exe\", size);\n\n\tauto cMmGetSystemRoutineAddress = reinterpret_cast<decltype(&MmGetSystemRoutineAddress)>(get_exported_function((uintptr_t)mod, \"MmGetSystemRoutineAddress\"));\n\n\tUNICODE_STRING routineName = RTL_CONSTANT_STRING(L\"RtlRandom\");\n\tauto cRtlRandom = reinterpret_cast<decltype(&RtlRandom)>(cMmGetSystemRoutineAddress(&routineName));\n\n\tULONG seed = 1234765;\n\tULONG rand = cRtlRandom(&seed) % 100;\n\n\tunsigned char randint = 0;\n\n\tif (rand >= 101 || rand <= -1)\n\t\trandint = 72;\n\n\treturn (unsigned char)(rand);\n}\n\nPERESOURCE get_ps_loaded( )\n{\n\tsize_t size;\n\tauto mod = get_kernel_address(\"ntoskrnl.exe\", size);\n\n\tauto cMmGetSystemRoutineAddress = reinterpret_cast<decltype(&MmGetSystemRoutineAddress)>(get_exported_function((uintptr_t)mod, \"MmGetSystemRoutineAddress\"));\n\n\tERESOURCE PsLoadedModuleResource;\n\tUNICODE_STRING routineName = RTL_CONSTANT_STRING(L\"PsLoadedModuleResource\");\n\tauto cPsLoadedModuleResource = reinterpret_cast<decltype(&PsLoadedModuleResource)>(cMmGetSystemRoutineAddress(&routineName));\n\n\treturn cPsLoadedModuleResource;\n}\n\nPRTL_AVL_TABLE get_piddb_table( )\n{\n\tsize_t size;\n\tuintptr_t ntos_base = get_kernel_address(\"ntoskrnl.exe\", size);\n\n\tRTL_OSVERSIONINFOW osVersion = { 0 };\n\tosVersion.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);\n\tRtlGetVersion(&osVersion);\n\n\tPRTL_AVL_TABLE PiDDBCacheTable = nullptr;\n\n\tif (osVersion.dwBuildNumber >= 18362) {\n\t\tPiDDBCacheTable = (PRTL_AVL_TABLE)dereference(find_pattern<uintptr_t>((void*)ntos_base, size, \"\\x48\\x8d\\x0d\\x00\\x00\\x00\\x00\\xe8\\x00\\x00\\x00\\x00\\x3d\\x00\\x00\\x00\\x00\\x0f\\x83\", \"xxx????x????x????xx\"), 3);\n\t}\n\telse if (osVersion.dwBuildNumber >= 17134) {\n\t\tPiDDBCacheTable = (PRTL_AVL_TABLE)dereference(find_pattern<uintptr_t>((void*)ntos_base, size, \"\\x48\\x8D\\x0D\\x00\\x00\\x00\\x00\\x4C\\x89\\x35\\x00\\x00\\x00\\x00\\x49\", \"xxx????xxx????x\"), 3);\n\t}\n\n\tif (!PiDDBCacheTable)\n\t\treturn 0;\n\n\treturn PiDDBCacheTable;\n}\n\nPERESOURCE get_piddb_lock( )\n{\n\tsize_t size;\n\tuintptr_t ntos_base = get_kernel_address(\"ntoskrnl.exe\", size);\n\n\tPERESOURCE PiDDBLock = (PERESOURCE)dereference(find_pattern<uintptr_t>((void*)ntos_base, size, \"\\x48\\x8d\\x0d\\x00\\x00\\x00\\x00\\xe8\\x00\\x00\\x00\\x00\\x48\\x8b\\x0d\\x00\\x00\\x00\\x00\\x33\\xdb\", \"xxx????x????xxx????xx\"), 3);\n\n\tif (!PiDDBLock)\n\t\treturn 0;\n\n\treturn PiDDBLock;\n}\n\nbool cleaning::verify_piddb()\n{\n\treturn (get_piddb_lock() != 0 && get_piddb_table() != 0);\n}\n\nbool cleaning::clean_piddb()\n{\n\tPERESOURCE PiDDBLock = get_piddb_lock();\n\tPRTL_AVL_TABLE PiDDBCacheTable = get_piddb_table();\n\n\tPIDDBCACHE_ENTRY lookupEntry = { };\n\n\tlookupEntry.DriverName = cleaning::driver_name;\n\tlookupEntry.TimeDateStamp = cleaning::driver_timestamp;\n\n\tExAcquireResourceExclusiveLite(PiDDBLock, TRUE);\n\n\tauto pFoundEntry = (PPIDDBCACHE_ENTRY)RtlLookupElementGenericTableAvl(PiDDBCacheTable, &lookupEntry);\n\tif (pFoundEntry == nullptr)\n\t{\n\t\tExReleaseResourceLite(PiDDBLock);\n\t\treturn false;\n\t}\n\n\tRemoveEntryList(&pFoundEntry->List);\n\tRtlDeleteElementGenericTableAvl(PiDDBCacheTable, pFoundEntry);\n\n\tExReleaseResourceLite(PiDDBLock);\n\n\treturn true;\n}\n\nbool is_unload_empty(PMM_UNLOADED_DRIVER entry)\n{\n\tif (entry->Name.MaximumLength == 0 || entry->Name.Length == 0 || entry->Name.Buffer == NULL)\n\t\treturn true;\n\n\treturn false;\n}\n\nPMM_UNLOADED_DRIVER get_mmu_address()\n{\n\tsize_t size;\n\tuintptr_t ntos_base = get_kernel_address(\"ntoskrnl.exe\", size);\n\n\tPVOID MmUnloadedDriversInstr = (PVOID)find_pattern2((UINT64)ntos_base, size,\n\t\t(unsigned char*)\"\\x4C\\x8B\\x15\\x00\\x00\\x00\\x00\\x4C\\x8B\\xC9\", \"xxx????xxx\");\n\n\tif (MmUnloadedDriversInstr == NULL)\n\t\treturn NULL;\n\n\treturn *(PMM_UNLOADED_DRIVER*)resolve_relative_address(MmUnloadedDriversInstr, 3, 7);\n}\n\nPULONG get_mml_address()\n{\n\tsize_t size;\n\tuintptr_t ntos_base = get_kernel_address(\"ntoskrnl.exe\", size);\n\n\tPVOID mmlastunloadeddriverinst = (PVOID)find_pattern2((UINT64)ntos_base, size,\n\t\t(unsigned char*)\"\\x8B\\x05\\x00\\x00\\x00\\x00\\x83\\xF8\\x32\", \"xx????xxx\");\n\n\tif (mmlastunloadeddriverinst == NULL)\n\t\treturn { };\n\n\treturn (PULONG)resolve_relative_address(mmlastunloadeddriverinst, 2, 6);\n}\n\nbool cleaning::verify_mmu()\n{\n\treturn (get_mmu_address() != NULL && get_mml_address() != NULL);\n}\n\nbool is_mmu_filled()\n{\n\tfor (ULONG idx = 0; idx < MM_UNLOADED_DRIVERS_SIZE; ++idx)\n\t{\n\t\tPMM_UNLOADED_DRIVER entry = &get_mmu_address()[idx];\n\t\tif (is_unload_empty(entry))\n\t\t\treturn false;\n\t}\n\treturn true;\n}\n\nbool cleaning::clean_mmu()\n{\n\tauto ps_loaded = get_ps_loaded();\n\n\tExAcquireResourceExclusiveLite(ps_loaded, TRUE);\n\n\tBOOLEAN Modified = false;\n\tBOOLEAN Filled = is_mmu_filled();\n\n\tUNICODE_STRING DriverName = cleaning::driver_name;\n\n\tfor (ULONG Index = 0; Index < MM_UNLOADED_DRIVERS_SIZE; ++Index)\n\t{\n\t\tPMM_UNLOADED_DRIVER Entry = &get_mmu_address()[Index];\n\n\t\tif(cleaning::debug)\n\t\t\tio::dbgprint(\"mmu driver # %i name %ws\", Index, Entry->Name.Buffer);\n\n\t\tif (Modified)\n\t\t{\n\t\t\tPMM_UNLOADED_DRIVER PrevEntry = &get_mmu_address()[Index - 1];\n\t\t\tRtlCopyMemory(PrevEntry, Entry, sizeof(MM_UNLOADED_DRIVER));\n\n\t\t\tif (Index == MM_UNLOADED_DRIVERS_SIZE - 1)\n\t\t\t{\n\t\t\t\tRtlFillMemory(Entry, sizeof(MM_UNLOADED_DRIVER), 0);\n\t\t\t}\n\t\t}\n\t\telse if (RtlEqualUnicodeString(&DriverName, &Entry->Name, TRUE))\n\t\t{\n\t\t\tPVOID BufferPool = Entry->Name.Buffer;\n\t\t\tRtlFillMemory(Entry, sizeof(MM_UNLOADED_DRIVER), 0);\n\t\t\tExFreePoolWithTag(BufferPool, 'TDmM');\n\n\t\t\t*get_mml_address() = (Filled ? MM_UNLOADED_DRIVERS_SIZE : *get_mml_address()) - 1;\n\t\t\tModified = TRUE;\n\t\t}\n\t}\n\n\tif (Modified)\n\t{\n\t\tULONG64 PreviousTime = 0;\n\n\t\tfor (LONG Index = MM_UNLOADED_DRIVERS_SIZE - 2; Index >= 0; --Index)\n\t\t{\n\t\t\tPMM_UNLOADED_DRIVER Entry = &get_mmu_address()[Index];\n\t\t\tif (is_unload_empty(Entry))\n\t\t\t{\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tif (PreviousTime != 0 && Entry->UnloadTime > PreviousTime)\n\t\t\t{\n\t\t\t\tEntry->UnloadTime = PreviousTime - random_number();\n\t\t\t}\n\n\t\t\tPreviousTime = Entry->UnloadTime;\n\t\t}\n\n\t\tclean_mmu();\n\t}\n\n\tExReleaseResourceLite(ps_loaded);\n\n\treturn Modified;\n}\n\nbool cleaning::clean_traces()\n{\n\tbool status;\n\n\tif (cleaning::verify_mmu())\n\t{\n\t\tstatus = cleaning::clean_mmu();\n\n\t\tif (!status)\n\t\t\tio::dbgprint(\"failed to clean mmu\");\n\t\telse\n\t\t\tio::dbgprint(\"cleaned mmu\");\n\t}\n\telse\n\t\tio::dbgprint(\"failed to verify mmu\");\n\n\tif (cleaning::verify_piddb())\n\t{\n\t\tstatus = cleaning::clean_piddb();\n\n\t\tif (!status)\n\t\t\tio::dbgprint(\"failed to clean piddb\");\n\n\t\telse\n\t\t\tio::dbgprint(\"cleaned piddb\");\n\t}\n\telse\n\t\tio::dbgprint(\"failed to verify piddb\");\n\n\treturn status;\n}"
  },
  {
    "path": "full kernel bypass/cleaning/cleaning.h",
    "content": "#define MM_UNLOADED_DRIVERS_SIZE 50\r\n\r\nnamespace driver\r\n{\r\n\tnamespace cleaning\r\n\t{\r\n\r\n\t\tbool clean_traces( );\r\n\t\tbool verify_piddb( );\r\n\t\tbool clean_piddb( );\r\n\t\tbool verify_mmu( );\r\n\t\tbool clean_mmu( );\r\n\r\n\t\tUNICODE_STRING driver_name;\r\n\t\tint driver_timestamp;\r\n\t\tbool debug;\r\n\t}\r\n}"
  },
  {
    "path": "full kernel bypass/defs.h",
    "content": "#include <ntifs.h>\r\n\r\nextern \"C\"\r\n{\r\n\r\n\tNTKERNELAPI PVOID\r\n\t\tPsGetProcessSectionBaseAddress(\r\n\t\t\tPEPROCESS Process\r\n\t\t);\r\n\r\n}\r\n\r\n#pragma once\r\n#define _USE_MATH_DEFINES\r\n#include <math.h>\r\n\r\n#if defined(__GNUC__)\r\ntypedef          long long ll;\r\ntypedef unsigned long long ull;\r\n#define __int64 long long\r\n#define __int32 int\r\n#define __int16 short\r\n#define __int8  char\r\n#define MAKELL(num) num ## LL\r\n#define FMT_64 \"ll\"\r\n#elif defined(_MSC_VER)\r\ntypedef          __int64 ll;\r\ntypedef unsigned __int64 ull;\r\n#define MAKELL(num) num ## i64\r\n#define FMT_64 \"I64\"\r\n#elif defined (__BORLANDC__)\r\ntypedef          __int64 ll;\r\ntypedef unsigned __int64 ull;\r\n#define MAKELL(num) num ## i64\r\n#define FMT_64 \"L\"\r\n#else\r\n#error \"unknown compiler\"\r\n#endif\r\ntypedef unsigned int uint;\r\ntypedef unsigned char uchar;\r\ntypedef unsigned short ushort;\r\n//typedef unsigned long ulong;\r\n\r\ntypedef          char   int8;\r\ntypedef   signed char   sint8;\r\ntypedef unsigned char   uint8;\r\ntypedef          short  int16;\r\ntypedef   signed short  sint16;\r\ntypedef unsigned short  uint16;\r\ntypedef          int    int32;\r\ntypedef   signed int    sint32;\r\ntypedef unsigned int    uint32;\r\ntypedef ll              int64;\r\ntypedef ll              sint64;\r\ntypedef ull             uint64;\r\n\r\n// Partially defined types:\r\n#define _BYTE  uint8\r\n#define _WORD  uint16\r\n#define _DWORD uint32\r\n#define _QWORD uint64\r\n#if !defined(_MSC_VER)\r\n#define _LONGLONG __int128\r\n#endif\r\n\r\n\r\n// Some convenience macros to make partial accesses nicer\r\n// first unsigned macros:\r\n//Already defined\r\n//#define LOBYTE(x)   (*((_BYTE*)&(x)))   // low byte\r\n//#define LOWORD(x)   (*((_WORD*)&(x)))   // low word\r\n//#define LODWORD(x)  (*((_DWORD*)&(x)))  // low dword\r\n//#define HIBYTE(x)   (*((_BYTE*)&(x)+1))\r\n//#define HIWORD(x)   (*((_WORD*)&(x)+1))\r\n#define HIDWORD(x)  (*((_DWORD*)&(x)+1))\r\n#define BYTEn(x, n)   (*((_BYTE*)&(x)+n))\r\n#define WORDn(x, n)   (*((_WORD*)&(x)+n))\r\n#define BYTE1(x)   BYTEn(x,  1)         // byte 1 (counting from 0)\r\n#define BYTE2(x)   BYTEn(x,  2)\r\n#define BYTE3(x)   BYTEn(x,  3)\r\n#define BYTE4(x)   BYTEn(x,  4)\r\n#define BYTE5(x)   BYTEn(x,  5)\r\n#define BYTE6(x)   BYTEn(x,  6)\r\n#define BYTE7(x)   BYTEn(x,  7)\r\n#define BYTE8(x)   BYTEn(x,  8)\r\n#define BYTE9(x)   BYTEn(x,  9)\r\n#define BYTE10(x)  BYTEn(x, 10)\r\n#define BYTE11(x)  BYTEn(x, 11)\r\n#define BYTE12(x)  BYTEn(x, 12)\r\n#define BYTE13(x)  BYTEn(x, 13)\r\n#define BYTE14(x)  BYTEn(x, 14)\r\n#define BYTE15(x)  BYTEn(x, 15)\r\n#define WORD1(x)   WORDn(x,  1)\r\n#define WORD2(x)   WORDn(x,  2)         // third word of the object, unsigned\r\n#define WORD3(x)   WORDn(x,  3)\r\n#define WORD4(x)   WORDn(x,  4)\r\n#define WORD5(x)   WORDn(x,  5)\r\n#define WORD6(x)   WORDn(x,  6)\r\n#define WORD7(x)   WORDn(x,  7)\r\n\r\n// now signed macros (the same but with sign extension)\r\n#define SLOBYTE(x)   (*((int8*)&(x)))\r\n#define SLOWORD(x)   (*((int16*)&(x)))\r\n#define SLODWORD(x)  (*((int32*)&(x)))\r\n#define SHIBYTE(x)   (*((int8*)&(x)+1))\r\n#define SHIWORD(x)   (*((int16*)&(x)+1))\r\n#define SHIDWORD(x)  (*((int32*)&(x)+1))\r\n#define SBYTEn(x, n)   (*((int8*)&(x)+n))\r\n#define SWORDn(x, n)   (*((int16*)&(x)+n))\r\n#define SBYTE1(x)   SBYTEn(x,  1)\r\n#define SBYTE2(x)   SBYTEn(x,  2)\r\n#define SBYTE3(x)   SBYTEn(x,  3)\r\n#define SBYTE4(x)   SBYTEn(x,  4)\r\n#define SBYTE5(x)   SBYTEn(x,  5)\r\n#define SBYTE6(x)   SBYTEn(x,  6)\r\n#define SBYTE7(x)   SBYTEn(x,  7)\r\n#define SBYTE8(x)   SBYTEn(x,  8)\r\n#define SBYTE9(x)   SBYTEn(x,  9)\r\n#define SBYTE10(x)  SBYTEn(x, 10)\r\n#define SBYTE11(x)  SBYTEn(x, 11)\r\n#define SBYTE12(x)  SBYTEn(x, 12)\r\n#define SBYTE13(x)  SBYTEn(x, 13)\r\n#define SBYTE14(x)  SBYTEn(x, 14)\r\n#define SBYTE15(x)  SBYTEn(x, 15)\r\n#define SWORD1(x)   SWORDn(x,  1)\r\n#define SWORD2(x)   SWORDn(x,  2)\r\n#define SWORD3(x)   SWORDn(x,  3)\r\n#define SWORD4(x)   SWORDn(x,  4)\r\n#define SWORD5(x)   SWORDn(x,  5)\r\n#define SWORD6(x)   SWORDn(x,  6)\r\n#define SWORD7(x)   SWORDn(x,  7)\r\n\r\ntemplate<class T> T __ROL__(T value, int count)\r\n{\r\n    const uint nbits = sizeof(T) * 8;\r\n\r\n    if (count > 0)\r\n    {\r\n        count %= nbits;\r\n        T high = value >> (nbits - count);\r\n        if (T(-1) < 0) // signed value\r\n            high &= ~((T(-1) << count));\r\n        value <<= count;\r\n        value |= high;\r\n    }\r\n    else\r\n    {\r\n        count = -count % nbits;\r\n        T low = value << (nbits - count);\r\n        value >>= count;\r\n        value |= low;\r\n    }\r\n    return value;\r\n}\r\n\r\ninline uint8  __ROL1__(uint8  value, int count) { return __ROL__((uint8)value, count); }\r\ninline uint16 __ROL2__(uint16 value, int count) { return __ROL__((uint16)value, count); }\r\ninline uint32 __ROL4__(uint32 value, int count) { return __ROL__((uint32)value, count); }\r\ninline uint64 __ROL8__(uint64 value, int count) { return __ROL__((uint64)value, count); }\r\ninline uint8  __ROR1__(uint8  value, int count) { return __ROL__((uint8)value, -count); }\r\ninline uint16 __ROR2__(uint16 value, int count) { return __ROL__((uint16)value, -count); }\r\ninline uint32 __ROR4__(uint32 value, int count) { return __ROL__((uint32)value, -count); }\r\ninline uint64 __ROR8__(uint64 value, int count) { return __ROL__((uint64)value, -count); }\r\n\r\n//Dumb glow decryption stuff\r\n//https://www.codeproject.com/Articles/1274943/IEEE-754-Conversion\r\n\r\n#define NTH_BIT(b, n) ((b >> n) & 0x1)\r\n\r\n#define BYTE_TO_BIN(b)   (( b & 0x80 ) ) |\\\r\n            (( b & 0x40 ) ) |\\\r\n            (( b & 0x20 ) ) |\\\r\n            (( b & 0x10 ) ) |\\\r\n            (( b & 0x08 ) ) |\\\r\n            (( b & 0x04 ) ) |\\\r\n            (( b & 0x02 ) ) |\\\r\n            ( b & 0x01 )\r\n\r\n#define MANTISSA_TO_BIN(b)  (( b & 0x400000 ) ) |\\\r\n             (( b & 0x200000 ) ) |\\\r\n             (( b & 0x100000 ) ) |\\\r\n             (( b &  0x80000 ) ) |\\\r\n             (( b &  0x40000 ) ) |\\\r\n             (( b &  0x20000 ) ) |\\\r\n             (( b &  0x10000 ) ) |\\\r\n             (( b &  0x8000 ) ) |\\\r\n             (( b &  0x4000 ) ) |\\\r\n             (( b &  0x2000 ) ) |\\\r\n             (( b &  0x1000 ) ) |\\\r\n             (( b &  0x800 ) ) |\\\r\n             (( b &  0x400 ) ) |\\\r\n             (( b &  0x200 ) ) |\\\r\n             (( b &  0x100 ) ) |\\\r\n             (( b &  0x80 ) ) |\\\r\n             (( b &  0x40 ) ) |\\\r\n             (( b &  0x20 ) ) |\\\r\n             (( b &  0x10 ) ) |\\\r\n             (( b &  0x08 ) ) |\\\r\n             (( b &  0x04 ) ) |\\\r\n             (( b &  0x02 ) ) |\\\r\n              ( b & 0x01 )\r\n\r\ntypedef union IEEE754\r\n{\r\n    struct\r\n    {\r\n        unsigned int mantissa : 23;\r\n        unsigned int exponent : 8;\r\n        unsigned int sign : 1;\r\n    } raw;\r\n    float f;\r\n} IEEE754;\r\n\r\ntypedef struct _MM_UNLOADED_DRIVER\r\n{\r\n    UNICODE_STRING     Name;\r\n    PVOID             ModuleStart;\r\n    PVOID             ModuleEnd;\r\n    ULONG64         UnloadTime;\r\n} MM_UNLOADED_DRIVER, * PMM_UNLOADED_DRIVER;\r\ntypedef struct _PIDDBCACHE_ENTRY\r\n{\r\n    LIST_ENTRY        List;\r\n    UNICODE_STRING    DriverName;\r\n    ULONG            TimeDateStamp;\r\n    NTSTATUS        LoadStatus;\r\n    char            _0x0028[16];\r\n} PIDDBCACHE_ENTRY, * PPIDDBCACHE_ENTRY;\r\ntypedef struct _SYSTEM_MODULEE\r\n{\r\n    ULONG_PTR Reserved[2];\r\n    PVOID     Base;\r\n    ULONG     Size;\r\n    ULONG     Flags;\r\n    USHORT    Index;\r\n    USHORT    Unknown;\r\n    USHORT    LoadCount;\r\n    USHORT    ModuleNameOffset;\r\n    CHAR      ImageName[256];\r\n} SYSTEM_MODULEE, * PSYSTEM_MODULEE;\r\ntypedef struct _SYSTEM_MODULE_INFORMATIONN\r\n{\r\n    ULONG_PTR     ModuleCount;\r\n    SYSTEM_MODULEE Modules[1];\r\n} SYSTEM_MODULE_INFORMATIONN, * PSYSTEM_MODULE_INFORMATIONN;\r\ntypedef enum _SYSTEM_INFORMATION_CLASS\r\n{\r\n\tSystemBasicInformation,\t\t\t\t   // q: SYSTEM_BASIC_INFORMATION\r\n\tSystemProcessorInformation,\t\t\t   // q: SYSTEM_PROCESSOR_INFORMATION\r\n\tSystemPerformanceInformation,\t\t   // q: SYSTEM_PERFORMANCE_INFORMATION\r\n\tSystemTimeOfDayInformation,\t\t\t   // q: SYSTEM_TIMEOFDAY_INFORMATION\r\n\tSystemPathInformation,\t\t\t\t   // not implemented\r\n\tSystemProcessInformation,\t\t\t   // q: SYSTEM_PROCESS_INFORMATION\r\n\tSystemCallCountInformation,\t\t\t   // q: SYSTEM_CALL_COUNT_INFORMATION\r\n\tSystemDeviceInformation,\t\t\t   // q: SYSTEM_DEVICE_INFORMATION\r\n\tSystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION\r\n\tSystemFlagsInformation,\t\t\t\t   // q: SYSTEM_FLAGS_INFORMATION\r\n\tSystemCallTimeInformation,\t\t\t   // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10\r\n\tSystemModuleInformation,\t\t\t   // q: RTL_PROCESS_MODULES\r\n\tSystemLocksInformation,\t\t\t\t   // q: SYSTEM_LOCK_INFORMATION\r\n\tSystemStackTraceInformation,\r\n\tSystemPagedPoolInformation,\t\t\t   // not implemented\r\n\tSystemNonPagedPoolInformation,\t\t   // not implemented\r\n\tSystemHandleInformation,\t\t\t   // q: SYSTEM_HANDLE_INFORMATION\r\n\tSystemObjectInformation,\t\t\t   // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION\r\n\tSystemPageFileInformation,\t\t\t   // q: SYSTEM_PAGEFILE_INFORMATION\r\n\tSystemVdmInstemulInformation,\t\t   // q\r\n\tSystemVdmBopInformation,\t\t\t   // not implemented // 20\r\n\tSystemFileCacheInformation,\t\t\t   // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)\r\n\tSystemPoolTagInformation,\t\t\t   // q: SYSTEM_POOLTAG_INFORMATION\r\n\tSystemInterruptInformation,\t\t\t   // q: SYSTEM_INTERRUPT_INFORMATION\r\n\tSystemDpcBehaviorInformation,\t\t   // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)\r\n\tSystemFullMemoryInformation,\t\t   // not implemented\r\n\tSystemLoadGdiDriverInformation,\t\t   // s (kernel-mode only)\r\n\tSystemUnloadGdiDriverInformation,\t  // s (kernel-mode only)\r\n\tSystemTimeAdjustmentInformation,\t   // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)\r\n\tSystemSummaryMemoryInformation,\t\t   // not implemented\r\n\tSystemMirrorMemoryInformation,\t\t   // s (requires license value \"Kernel-MemoryMirroringSupported\") (requires SeShutdownPrivilege) // 30\r\n\tSystemPerformanceTraceInformation,\t // s\r\n\tSystemObsolete0,\t\t\t\t\t   // not implemented\r\n\tSystemExceptionInformation,\t\t\t   // q: SYSTEM_EXCEPTION_INFORMATION\r\n\tSystemCrashDumpStateInformation,\t   // s (requires SeDebugPrivilege)\r\n\tSystemKernelDebuggerInformation,\t   // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION\r\n\tSystemContextSwitchInformation,\t\t   // q: SYSTEM_CONTEXT_SWITCH_INFORMATION\r\n\tSystemRegistryQuotaInformation,\t\t   // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)\r\n\tSystemExtendServiceTableInformation,   // s (requires SeLoadDriverPrivilege) // loads win32k only\r\n\tSystemPrioritySeperation,\t\t\t   // s (requires SeTcbPrivilege)\r\n\tSystemVerifierAddDriverInformation,\t// s (requires SeDebugPrivilege) // 40\r\n\tSystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)\r\n\tSystemProcessorIdleInformation,\t\t   // q: SYSTEM_PROCESSOR_IDLE_INFORMATION\r\n\tSystemLegacyDriverInformation,\t\t   // q: SYSTEM_LEGACY_DRIVER_INFORMATION\r\n\tSystemCurrentTimeZoneInformation,\t  // q\r\n\tSystemLookasideInformation,\t\t\t   // q: SYSTEM_LOOKASIDE_INFORMATION\r\n\tSystemTimeSlipNotification,\t\t\t   // s (requires SeSystemtimePrivilege)\r\n\tSystemSessionCreate,\t\t\t\t   // not implemented\r\n\tSystemSessionDetach,\t\t\t\t   // not implemented\r\n\tSystemSessionInformation,\t\t\t   // not implemented\r\n\tSystemRangeStartInformation,\t\t   // q: SYSTEM_RANGE_START_INFORMATION // 50\r\n\tSystemVerifierInformation,\t\t\t   // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)\r\n\tSystemVerifierThunkExtend,\t\t\t   // s (kernel-mode only)\r\n\tSystemSessionProcessInformation,\t   // q: SYSTEM_SESSION_PROCESS_INFORMATION\r\n\tSystemLoadGdiDriverInSystemSpace,\t  // s (kernel-mode only) (same as SystemLoadGdiDriverInformation)\r\n\tSystemNumaProcessorMap,\t\t\t\t   // q\r\n\tSystemPrefetcherInformation,\t\t   // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation\r\n\tSystemExtendedProcessInformation,\t  // q: SYSTEM_PROCESS_INFORMATION\r\n\tSystemRecommendedSharedDataAlignment,  // q\r\n\tSystemComPlusPackage,\t\t\t\t   // q; s\r\n\tSystemNumaAvailableMemory,\t\t\t   // 60\r\n\tSystemProcessorPowerInformation,\t   // q: SYSTEM_PROCESSOR_POWER_INFORMATION\r\n\tSystemEmulationBasicInformation,\t   // q\r\n\tSystemEmulationProcessorInformation,\r\n\tSystemExtendedHandleInformation,\t\t\t   // q: SYSTEM_HANDLE_INFORMATION_EX\r\n\tSystemLostDelayedWriteInformation,\t\t\t   // q: ULONG\r\n\tSystemBigPoolInformation,\t\t\t\t\t   // q: SYSTEM_BIGPOOL_INFORMATION\r\n\tSystemSessionPoolTagInformation,\t\t\t   // q: SYSTEM_SESSION_POOLTAG_INFORMATION\r\n\tSystemSessionMappedViewInformation,\t\t\t   // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION\r\n\tSystemHotpatchInformation,\t\t\t\t\t   // q; s\r\n\tSystemObjectSecurityMode,\t\t\t\t\t   // q // 70\r\n\tSystemWatchdogTimerHandler,\t\t\t\t\t   // s (kernel-mode only)\r\n\tSystemWatchdogTimerInformation,\t\t\t\t   // q (kernel-mode only); s (kernel-mode only)\r\n\tSystemLogicalProcessorInformation,\t\t\t   // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION\r\n\tSystemWow64SharedInformationObsolete,\t\t   // not implemented\r\n\tSystemRegisterFirmwareTableInformationHandler, // s (kernel-mode only)\r\n\tSystemFirmwareTableInformation,\t\t\t\t   // SYSTEM_FIRMWARE_TABLE_INFORMATION\r\n\tSystemModuleInformationEx,\t\t\t\t\t   // q: RTL_PROCESS_MODULE_INFORMATION_EX\r\n\tSystemVerifierTriageInformation,\t\t\t   // not implemented\r\n\tSystemSuperfetchInformation,\t\t\t\t   // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation\r\n\tSystemMemoryListInformation,\t\t\t\t   // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80\r\n\tSystemFileCacheInformationEx,\t\t\t\t   // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)\r\n\tSystemThreadPriorityClientIdInformation,\t   // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege)\r\n\tSystemProcessorIdleCycleTimeInformation,\t   // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[]\r\n\tSystemVerifierCancellationInformation,\t\t   // not implemented // name:wow64:whNT32QuerySystemVerifierCancellationInformation\r\n\tSystemProcessorPowerInformationEx,\t\t\t   // not implemented\r\n\tSystemRefTraceInformation,\t\t\t\t\t   // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation\r\n\tSystemSpecialPoolInformation,\t\t\t\t   // q; s (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0\r\n\tSystemProcessIdInformation,\t\t\t\t\t   // q: SYSTEM_PROCESS_ID_INFORMATION\r\n\tSystemErrorPortInformation,\t\t\t\t\t   // s (requires SeTcbPrivilege)\r\n\tSystemBootEnvironmentInformation,\t\t\t   // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90\r\n\tSystemHypervisorInformation,\t\t\t\t   // q; s (kernel-mode only)\r\n\tSystemVerifierInformationEx,\t\t\t\t   // q; s: SYSTEM_VERIFIER_INFORMATION_EX\r\n\tSystemTimeZoneInformation,\t\t\t\t\t   // s (requires SeTimeZonePrivilege)\r\n\tSystemImageFileExecutionOptionsInformation,\t// s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)\r\n\tSystemCoverageInformation,\t\t\t\t\t   // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation\r\n\tSystemPrefetchPatchInformation,\t\t\t\t   // not implemented\r\n\tSystemVerifierFaultsInformation,\t\t\t   // s (requires SeDebugPrivilege)\r\n\tSystemSystemPartitionInformation,\t\t\t   // q: SYSTEM_SYSTEM_PARTITION_INFORMATION\r\n\tSystemSystemDiskInformation,\t\t\t\t   // q: SYSTEM_SYSTEM_DISK_INFORMATION\r\n\tSystemProcessorPerformanceDistribution,\t\t   // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION // 100\r\n\tSystemNumaProximityNodeInformation,\t\t\t   // q\r\n\tSystemDynamicTimeZoneInformation,\t\t\t   // q; s (requires SeTimeZonePrivilege)\r\n\tSystemCodeIntegrityInformation,\t\t\t\t   // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation\r\n\tSystemProcessorMicrocodeUpdateInformation,\t // s\r\n\tSystemProcessorBrandString,\t\t\t\t\t   // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23\r\n\tSystemVirtualAddressInformation,\t\t\t   // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation\r\n\tSystemLogicalProcessorAndGroupInformation,\t // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // since WIN7 // KeQueryLogicalProcessorRelationship\r\n\tSystemProcessorCycleTimeInformation,\t\t   // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[]\r\n\tSystemStoreInformation,\t\t\t\t\t\t   // q; s // SmQueryStoreInformation\r\n\tSystemRegistryAppendString,\t\t\t\t\t   // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110\r\n\tSystemAitSamplingValue,\t\t\t\t\t\t   // s: ULONG (requires SeProfileSingleProcessPrivilege)\r\n\tSystemVhdBootInformation,\t\t\t\t\t   // q: SYSTEM_VHD_BOOT_INFORMATION\r\n\tSystemCpuQuotaInformation,\t\t\t\t\t   // q; s // PsQueryCpuQuotaInformation\r\n\tSystemNativeBasicInformation,\t\t\t\t   // not implemented\r\n\tSystemSpare1,\t\t\t\t\t\t\t\t   // not implemented\r\n\tSystemLowPriorityIoInformation,\t\t\t\t   // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION\r\n\tSystemTpmBootEntropyInformation,\t\t\t   // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation\r\n\tSystemVerifierCountersInformation,\t\t\t   // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION\r\n\tSystemPagedPoolInformationEx,\t\t\t\t   // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)\r\n\tSystemSystemPtesInformationEx,\t\t\t\t   // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120\r\n\tSystemNodeDistanceInformation,\t\t\t\t   // q\r\n\tSystemAcpiAuditInformation,\t\t\t\t\t   // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26\r\n\tSystemBasicPerformanceInformation,\t\t\t   // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation\r\n\tSystemQueryPerformanceCounterInformation,\t  // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1\r\n\tSystemSessionBigPoolInformation,\t\t\t   // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8\r\n\tSystemBootGraphicsInformation,\t\t\t\t   // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only)\r\n\tSystemScrubPhysicalMemoryInformation,\r\n\tSystemBadPageInformation,\r\n\tSystemProcessorProfileControlArea,\r\n\tSystemCombinePhysicalMemoryInformation, // 130\r\n\tSystemEntropyInterruptTimingCallback,\r\n\tSystemConsoleInformation,\t\t // q: SYSTEM_CONSOLE_INFORMATION\r\n\tSystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION\r\n\tSystemThrottleNotificationInformation,\r\n\tSystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION\r\n\tSystemDeviceDataInformation,\t\t\t   // q: SYSTEM_DEVICE_DATA_INFORMATION\r\n\tSystemDeviceDataEnumerationInformation,\r\n\tSystemMemoryTopologyInformation,\t\t // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION\r\n\tSystemMemoryChannelInformation,\t\t\t // q: SYSTEM_MEMORY_CHANNEL_INFORMATION\r\n\tSystemBootLogoInformation,\t\t\t\t // q: SYSTEM_BOOT_LOGO_INFORMATION // 140\r\n\tSystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // since WINBLUE\r\n\tSystemSpare0,\r\n\tSystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION\r\n\tSystemPageFileInformationEx,\t   // q: SYSTEM_PAGEFILE_INFORMATION_EX\r\n\tSystemSecureBootInformation,\t   // q: SYSTEM_SECUREBOOT_INFORMATION\r\n\tSystemEntropyInterruptTimingRawInformation,\r\n\tSystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION\r\n\tSystemFullProcessInformation,\t\t\t\t   // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)\r\n\tSystemKernelDebuggerInformationEx,\t\t\t   // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX\r\n\tSystemBootMetadataInformation,\t\t\t\t   // 150\r\n\tSystemSoftRebootInformation,\r\n\tSystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION\r\n\tSystemOfflineDumpConfigInformation,\r\n\tSystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION\r\n\tSystemRegistryReconciliationInformation,\r\n\tSystemEdidInformation,\r\n\tSystemManufacturingInformation,\t\t\t // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD\r\n\tSystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION\r\n\tSystemHypervisorDetailInformation,\t\t // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION\r\n\tSystemProcessorCycleStatsInformation,\t// q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION // 160\r\n\tSystemVmGenerationCountInformation,\r\n\tSystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION\r\n\tSystemKernelDebuggerFlags,\r\n\tSystemCodeIntegrityPolicyInformation, // q: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION\r\n\tSystemIsolatedUserModeInformation,\t// q: SYSTEM_ISOLATED_USER_MODE_INFORMATION\r\n\tSystemHardwareSecurityTestInterfaceResultsInformation,\r\n\tSystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION\r\n\tSystemAllowedCpuSetsInformation,\r\n\tSystemDmaProtectionInformation,\t\t   // q: SYSTEM_DMA_PROTECTION_INFORMATION\r\n\tSystemInterruptCpuSetsInformation,\t // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170\r\n\tSystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION\r\n\tSystemCodeIntegrityPolicyFullInformation,\r\n\tSystemAffinitizedInterruptProcessorInformation,\r\n\tSystemRootSiloInformation,  // q: SYSTEM_ROOT_SILO_INFORMATION\r\n\tSystemCpuSetInformation,\t// q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2\r\n\tSystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION\r\n\tSystemWin32WerStartCallout,\r\n\tSystemSecureKernelProfileInformation,\t\t\t// q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION\r\n\tSystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE\r\n\tSystemInterruptSteeringInformation,\t\t\t\t// 180\r\n\tSystemSupportedProcessorArchitectures,\r\n\tSystemMemoryUsageInformation,\t\t\t   // q: SYSTEM_MEMORY_USAGE_INFORMATION\r\n\tSystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION\r\n\tMaxSystemInfoClass\r\n} SYSTEM_INFORMATION_CLASS;\r\n\r\nextern \"C\"\r\nNTKERNELAPI NTSTATUS NTAPI\r\nZwQuerySystemInformation(\r\n    SYSTEM_INFORMATION_CLASS SystemInformationClass,\r\n    PVOID SystemInformation,\r\n    ULONG SystemInformationLength,\r\n    PULONG ReturnLength\r\n);\r\n\r\ninline auto dereference(uintptr_t address, unsigned int offset) -> uintptr_t\r\n{\r\n    if (address == 0)\r\n        return 0;\r\n\r\n    return address + (int)((*(int*)(address + offset) + offset) + sizeof(int));\r\n}\r\ninline auto relative(uintptr_t address, unsigned int size) -> PVOID\r\n{\r\n    if (address == 0)\r\n        return 0;\r\n\r\n    return ((PVOID)((unsigned char*)(address)+*(int*)((unsigned char*)(address)+((size)-(INT)sizeof(INT))) + (size)));\r\n}\r\ninline auto compare_data(const unsigned char* pData, const unsigned char* bMask, const char* szMask) -> bool\r\n{\r\n    for (; *szMask; ++szMask, ++pData, ++bMask)\r\n        if (*szMask == 'x' && *pData != *bMask)\r\n            return 0;\r\n\r\n    return (*szMask) == 0;\r\n}\r\ninline auto find_pattern2(UINT64 dwAddress, UINT64 dwLen, unsigned char* bMask, const char* szMask) -> ULONGLONG\r\n{\r\n    for (ULONGLONG i = 0; i < dwLen; i++)\r\n        if (compare_data((unsigned char*)(dwAddress + i), bMask, szMask))\r\n            return (ULONGLONG)(dwAddress + i);\r\n\r\n    return 0;\r\n}\r\ntemplate <typename t = void*>\r\ninline auto find_pattern(void* start, size_t length, const char* pattern, const char* mask) -> t\r\n{\r\n    const auto data = static_cast<const char*>(start);\r\n    const auto pattern_length = strlen(mask);\r\n\r\n    for (size_t i = 0; i <= length - pattern_length; i++)\r\n    {\r\n        bool accumulative_found = true;\r\n\r\n        for (size_t j = 0; j < pattern_length; j++)\r\n        {\r\n            if (!MmIsAddressValid(reinterpret_cast<void*>(reinterpret_cast<uintptr_t>(data) + i + j)))\r\n            {\r\n                accumulative_found = false;\r\n                break;\r\n            }\r\n\r\n            if (data[i + j] != pattern[j] && mask[j] != '?')\r\n            {\r\n                accumulative_found = false;\r\n                break;\r\n            }\r\n        }\r\n\r\n        if (accumulative_found)\r\n        {\r\n            return (t)(reinterpret_cast<uintptr_t>(data) + i);\r\n        }\r\n    }\r\n\r\n    return (t)nullptr;\r\n}"
  },
  {
    "path": "full kernel bypass/full kernel bypass.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" ToolsVersion=\"12.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup Label=\"ProjectConfigurations\">\r\n    <ProjectConfiguration Include=\"Debug|Win32\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|Win32\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Debug|x64\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|x64\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Debug|ARM\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>ARM</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|ARM\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>ARM</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Debug|ARM64\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>ARM64</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|ARM64\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>ARM64</Platform>\r\n    </ProjectConfiguration>\r\n  </ItemGroup>\r\n  <PropertyGroup Label=\"Globals\">\r\n    <ProjectGuid>{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}</ProjectGuid>\r\n    <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>\r\n    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>\r\n    <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>\r\n    <Configuration>Debug</Configuration>\r\n    <Platform Condition=\"'$(Platform)' == ''\">Win32</Platform>\r\n    <RootNamespace>full_kernel_bypass</RootNamespace>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\r\n    <TargetVersion>Windows10</TargetVersion>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>\r\n    <ConfigurationType>Driver</ConfigurationType>\r\n    <DriverType>KMDF</DriverType>\r\n    <DriverTargetPlatform>Universal</DriverTargetPlatform>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\r\n    <TargetVersion>Windows10</TargetVersion>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>\r\n    <ConfigurationType>Driver</ConfigurationType>\r\n    <DriverType>KMDF</DriverType>\r\n    <DriverTargetPlatform>Universal</DriverTargetPlatform>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\r\n    <TargetVersion>Windows10</TargetVersion>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>\r\n    <ConfigurationType>Driver</ConfigurationType>\r\n    <DriverType>KMDF</DriverType>\r\n    <DriverTargetPlatform>Universal</DriverTargetPlatform>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\r\n    <TargetVersion>Windows10</TargetVersion>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>\r\n    <ConfigurationType>Driver</ConfigurationType>\r\n    <DriverType>KMDF</DriverType>\r\n    <DriverTargetPlatform>Universal</DriverTargetPlatform>\r\n    <Driver_SpectreMitigation>false</Driver_SpectreMitigation>\r\n    <CharacterSet>MultiByte</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|ARM'\" Label=\"Configuration\">\r\n    <TargetVersion>Windows10</TargetVersion>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>\r\n    <ConfigurationType>Driver</ConfigurationType>\r\n    <DriverType>KMDF</DriverType>\r\n    <DriverTargetPlatform>Universal</DriverTargetPlatform>\r\n    <Driver_SpectreMitigation>false</Driver_SpectreMitigation>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|ARM'\" Label=\"Configuration\">\r\n    <TargetVersion>Windows10</TargetVersion>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>\r\n    <ConfigurationType>Driver</ConfigurationType>\r\n    <DriverType>KMDF</DriverType>\r\n    <DriverTargetPlatform>Universal</DriverTargetPlatform>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|ARM64'\" Label=\"Configuration\">\r\n    <TargetVersion>Windows10</TargetVersion>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>\r\n    <ConfigurationType>Driver</ConfigurationType>\r\n    <DriverType>KMDF</DriverType>\r\n    <DriverTargetPlatform>Universal</DriverTargetPlatform>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|ARM64'\" Label=\"Configuration\">\r\n    <TargetVersion>Windows10</TargetVersion>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>\r\n    <ConfigurationType>Driver</ConfigurationType>\r\n    <DriverType>KMDF</DriverType>\r\n    <DriverTargetPlatform>Universal</DriverTargetPlatform>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\r\n  <ImportGroup Label=\"ExtensionSettings\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <PropertyGroup Label=\"UserMacros\" />\r\n  <PropertyGroup />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|ARM'\">\r\n    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|ARM'\">\r\n    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|ARM64'\">\r\n    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|ARM64'\">\r\n    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>\r\n  </PropertyGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <ClCompile>\r\n      <WarningLevel>TurnOffAllWarnings</WarningLevel>\r\n      <TreatWarningAsError>false</TreatWarningAsError>\r\n    </ClCompile>\r\n    <Link>\r\n      <AdditionalOptions>/FORCE:MULTIPLE %(AdditionalOptions)</AdditionalOptions>\r\n      <TreatLinkerWarningAsErrors>false</TreatLinkerWarningAsErrors>\r\n      <EntryPointSymbol>DriverEntry</EntryPointSymbol>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemGroup>\r\n    <FilesToPackage Include=\"$(TargetPath)\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"cleaning\\cleaning.cpp\" />\r\n    <ClCompile Include=\"io\\io.cpp\" />\r\n    <ClCompile Include=\"main.cpp\" />\r\n    <ClCompile Include=\"memory\\memory.cpp\" />\r\n    <ClCompile Include=\"thread\\thread.cpp\" />\r\n    <ClCompile Include=\"utils\\utils.cpp\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"cleaning\\cleaning.h\" />\r\n    <ClInclude Include=\"defs.h\" />\r\n    <ClInclude Include=\"io\\io.h\" />\r\n    <ClInclude Include=\"memory\\memory.h\" />\r\n    <ClInclude Include=\"process\\process.h\" />\r\n    <ClInclude Include=\"thread\\thread.h\" />\r\n    <ClInclude Include=\"utils\\utils.h\" />\r\n  </ItemGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\r\n  <ImportGroup Label=\"ExtensionTargets\">\r\n  </ImportGroup>\r\n</Project>"
  },
  {
    "path": "full kernel bypass/full kernel bypass.vcxproj.filters",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup>\r\n    <Filter Include=\"Source Files\">\r\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Header Files\">\r\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r\n      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Header Files\\io\">\r\n      <UniqueIdentifier>{8a1420fe-ef8f-4abd-bdd2-80a5734844bc}</UniqueIdentifier>\r\n    </Filter>\r\n    <Filter Include=\"Header Files\\memory\">\r\n      <UniqueIdentifier>{993343d9-8704-4670-8624-a6f5a0072cd7}</UniqueIdentifier>\r\n    </Filter>\r\n    <Filter Include=\"Header Files\\process\">\r\n      <UniqueIdentifier>{14d0d3d7-34f7-480b-85c9-6b27177eff87}</UniqueIdentifier>\r\n    </Filter>\r\n    <Filter Include=\"Header Files\\utils\">\r\n      <UniqueIdentifier>{09dd5666-fb10-485e-8c4d-536470abc1f9}</UniqueIdentifier>\r\n    </Filter>\r\n    <Filter Include=\"Header Files\\thread\">\r\n      <UniqueIdentifier>{b5004452-c296-4540-90de-83293b83e9af}</UniqueIdentifier>\r\n    </Filter>\r\n    <Filter Include=\"Header Files\\cleaning\">\r\n      <UniqueIdentifier>{3f41d68c-0fe0-4184-92a1-9663637a241d}</UniqueIdentifier>\r\n    </Filter>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"io\\io.cpp\">\r\n      <Filter>Header Files\\io</Filter>\r\n    </ClCompile>\r\n    <ClCompile Include=\"memory\\memory.cpp\">\r\n      <Filter>Header Files\\memory</Filter>\r\n    </ClCompile>\r\n    <ClCompile Include=\"main.cpp\">\r\n      <Filter>Source Files</Filter>\r\n    </ClCompile>\r\n    <ClCompile Include=\"utils\\utils.cpp\">\r\n      <Filter>Header Files\\utils</Filter>\r\n    </ClCompile>\r\n    <ClCompile Include=\"thread\\thread.cpp\">\r\n      <Filter>Header Files\\thread</Filter>\r\n    </ClCompile>\r\n    <ClCompile Include=\"cleaning\\cleaning.cpp\">\r\n      <Filter>Header Files\\cleaning</Filter>\r\n    </ClCompile>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"memory\\memory.h\">\r\n      <Filter>Header Files\\memory</Filter>\r\n    </ClInclude>\r\n    <ClInclude Include=\"process\\process.h\">\r\n      <Filter>Header Files\\process</Filter>\r\n    </ClInclude>\r\n    <ClInclude Include=\"io\\io.h\">\r\n      <Filter>Header Files\\io</Filter>\r\n    </ClInclude>\r\n    <ClInclude Include=\"utils\\utils.h\">\r\n      <Filter>Header Files\\utils</Filter>\r\n    </ClInclude>\r\n    <ClInclude Include=\"defs.h\">\r\n      <Filter>Header Files</Filter>\r\n    </ClInclude>\r\n    <ClInclude Include=\"thread\\thread.h\">\r\n      <Filter>Header Files\\thread</Filter>\r\n    </ClInclude>\r\n    <ClInclude Include=\"cleaning\\cleaning.h\">\r\n      <Filter>Header Files\\cleaning</Filter>\r\n    </ClInclude>\r\n  </ItemGroup>\r\n</Project>"
  },
  {
    "path": "full kernel bypass/full kernel bypass.vcxproj.user",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <PropertyGroup />\r\n</Project>"
  },
  {
    "path": "full kernel bypass/io/io.cpp",
    "content": "#include <ntifs.h>\n#include <stdio.h>\n#include <stdarg.h> \n#include <ntimage.h>\n#include \"io.h\"\n\nvoid driver::io::dbgprint( PCCH format, ...)\n{\n\tCHAR message[512];\n\tva_list _valist;\n\tva_start(_valist, format);\n\tconst ULONG N = _vsnprintf_s(message, sizeof(message) - 1, format, _valist);\n\tmessage[N] = L'\\0';\n\n\tvDbgPrintExWithPrefix(\"[Kernel Driver] \", DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, message, _valist);\n\n\tva_end(_valist);\n}\n"
  },
  {
    "path": "full kernel bypass/io/io.h",
    "content": "#include <ntdef.h>\r\n\r\nnamespace driver\r\n{\r\n\tnamespace io\r\n\t{\r\n\t\tvoid dbgprint(PCCH format, ...);\r\n\t}\r\n}"
  },
  {
    "path": "full kernel bypass/main.cpp",
    "content": "#include <ntifs.h>\r\n#include <ntimage.h>\r\n#include <ntddk.h>\r\n#include \"defs.h\"\r\n#include \"io/io.h\"\r\n#include \"utils/utils.h\"\r\n#include \"memory/memory.h\"\r\n#include \"thread/thread.h\"\r\n#include \"cleaning/cleaning.h\"\r\nusing namespace driver;\r\n\r\nvoid driver_thread( void* context )\r\n{\r\n\t// allow five seconds for driver to finish entry\r\n\tutils::sleep(5000);\r\n\t\r\n\t// debug text\r\n\tio::dbgprint( \"cleaning status -> %i\", cleaning::clean_traces( ) );\r\n\tio::dbgprint( \"tid -> %i\", PsGetCurrentThreadId( ) );\r\n\r\n\t// user extersize\r\n\tbool status = thread::unlink( );\r\n\tio::dbgprint( \"unlinked thread -> %i\", status );\r\n\r\n\t// change your process name here\r\n\tprocess::process_name = \"RainbowSix.exe\";\r\n\tio::dbgprint( \"process name -> %s\", process::process_name );\r\n\r\n\t// scuff check to check if our peprocess is valid\r\n\twhile ( utils::process_by_name( process::process_name, &process::process ) == STATUS_NOT_FOUND)\r\n\t{\r\n\t\tio::dbgprint( \"waiting for -> %s\", process::process_name );\r\n\t\tutils::sleep(2000);\r\n\t}\r\n\tio::dbgprint(\"found process -> %s\", process::process_name);\r\n\r\n\t// sleep for 15 seconds to allow game to get started and prevent us from getting false info\r\n\tutils::sleep(15000);\r\n\r\n\tutils::process_by_name( process::process_name, &process::process );\r\n\tio::dbgprint( \"peprocess -> 0x%llx\", process::process );\r\n\r\n\tprocess::pid = reinterpret_cast< uint32 >( PsGetProcessId( process::process ) );\r\n\tio::dbgprint(\"pid -> %i\", process::pid);\r\n\r\n\tprocess::base_address = reinterpret_cast < uint64 >( PsGetProcessSectionBaseAddress( process::process ) );\r\n\tio::dbgprint( \"base address -> 0x%llx\", process::base_address );\r\n\r\n\t// main loop\r\n\twhile ( true )\r\n\t{\r\n\t\t\r\n\t\t//example read\r\n\t\tuint64 round_manager = memory::read< uint64 >( process::base_address + 0x77BF800 );\r\n\t\tuint32 encrypted_round_state = memory::read< uint32 >( round_manager + 0xC0 );\r\n\t\tuint32 decrypted_round_state = _rotl64( encrypted_round_state - 0x56, 0x1E );\r\n\t\tio::dbgprint( \"round state ptr -> 0x%llx\", decrypted_round_state );\r\n\r\n\t\t// example write\r\n\t\tmemory::write< uint32 >( round_manager + 0xC0, 0x0 );\r\n\r\n\t\t// for testing\r\n\t\tif ( thread::terminate_thread ) \r\n\t\t{\r\n\t\t\tio::dbgprint( \"loops -> %i\", thread::total_loops );\r\n\t\t\tutils::sleep( 5000 );\r\n\t\t\tthread::total_loops++;\r\n\r\n\t\t\tif ( thread::total_loops > thread::loops_before_end )\r\n\t\t\t{\r\n\t\t\t\tio::dbgprint( \"terminating thread\" );\r\n\t\t\t\tPsTerminateSystemThread( STATUS_SUCCESS );\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\tPsTerminateSystemThread( STATUS_SUCCESS );\r\n}\r\n\r\nNTSTATUS DriverEntry( PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path ) {\r\n\tUNREFERENCED_PARAMETER( driver_object );\r\n\tUNREFERENCED_PARAMETER( registry_path );\r\n\r\n\tio::dbgprint(\"driver entry called.\");\r\n\r\n\t// change this per mapper; debug prints the entire mmu\r\n\tcleaning::debug = false;\r\n\tcleaning::driver_timestamp = 0x5284EAC3;\r\n\tcleaning::driver_name = RTL_CONSTANT_STRING(L\"iqvw64e.sys\");\r\n\r\n\tHANDLE thread_handle = nullptr;\r\n\tOBJECT_ATTRIBUTES object_attribues{ };\r\n\tInitializeObjectAttributes( &object_attribues, nullptr, OBJ_KERNEL_HANDLE, nullptr, nullptr );\r\n\r\n\tNTSTATUS status = PsCreateSystemThread( &thread_handle, 0, &object_attribues, nullptr, nullptr, reinterpret_cast< PKSTART_ROUTINE >( &driver_thread ), nullptr );\r\n\tio::dbgprint(\"thread status -> 0x%llx\", status);\r\n\r\n\tio::dbgprint(\"fininshed driver entry... closing...\");\r\n        \r\n\treturn STATUS_SUCCESS;\r\n}\r\n\r\n"
  },
  {
    "path": "full kernel bypass/memory/memory.cpp",
    "content": "#include <ntifs.h>\n#include <stdio.h>\n#include <stdarg.h> \n#include <ntimage.h>\n#include \"memory.h\"\n\nextern \"C\" \nNTSTATUS NTAPI MmCopyVirtualMemory\n(\n\tPEPROCESS\t\tSourceProcess,\n\tPVOID\t\t\tSourceAddress,\n\tPEPROCESS\t\tTargetProcess,\n\tPVOID\t\t\tTargetAddress,\n\tSIZE_T\t\t\tBufferSize,\n\tKPROCESSOR_MODE PreviousMode,\n\tPSIZE_T\t\t\tReturnSize\n);\n\nNTSTATUS driver::memory::read_virtual_memory( ULONG pid, PEPROCESS process, PVOID source_address, PVOID target_address, SIZE_T size )\n{\n\tSIZE_T bytes = 0;\n\tif ( NT_SUCCESS( MmCopyVirtualMemory( process, source_address, PsGetCurrentProcess(), target_address, size, KernelMode, &bytes ) ) )\n\t\treturn STATUS_SUCCESS;\n\n\treturn STATUS_UNSUCCESSFUL;\n}\n\nNTSTATUS  driver::memory::write_virtual_memory( ULONG pid, PEPROCESS process, PVOID source_address, PVOID target_address, SIZE_T size )\n{\n\tSIZE_T bytes = 0;\n\tif ( NT_SUCCESS ( MmCopyVirtualMemory( PsGetCurrentProcess(), source_address, process, target_address, size, KernelMode, &bytes ) ) )\n\t\treturn STATUS_SUCCESS;\n\n\treturn STATUS_UNSUCCESSFUL;\n}\n"
  },
  {
    "path": "full kernel bypass/memory/memory.h",
    "content": "#include \"../process/process.h\"\r\n\r\nnamespace driver\r\n{\r\n\tnamespace memory\r\n\t{\r\n\t\tNTSTATUS read_virtual_memory( ULONG pid, PEPROCESS process, PVOID source_address, PVOID target_address, SIZE_T size );\r\n\t\tNTSTATUS write_virtual_memory( ULONG pid, PEPROCESS process, PVOID source_address, PVOID target_address, SIZE_T size );\r\n\r\n\t\ttemplate< typename T >\r\n\t\tT read( uintptr_t address )\r\n\t\t{\r\n\t\t\tT buffer{};\r\n\t\t\tread_virtual_memory( process::pid, process::process, (void*)address, &buffer, sizeof(T) );\r\n\t\t\treturn buffer;\r\n\t\t}\r\n\r\n\t\ttemplate< typename T >\r\n\t\tvoid write( uintptr_t address, T buffer )\r\n\t\t{\r\n\t\t\twrite_virtual_memory( process::pid, process::process, (void*)address, &buffer, sizeof(T) );\r\n\t\t}\r\n\t};\r\n}"
  },
  {
    "path": "full kernel bypass/process/process.h",
    "content": "\r\nnamespace driver\r\n{\r\n\tnamespace process\r\n\t{\r\n\t\tULONG pid;\r\n\t\tPEPROCESS process;\r\n\t\tCHAR* process_name;\r\n\t\tULONGLONG base_address;\r\n\t}\r\n}"
  },
  {
    "path": "full kernel bypass/thread/thread.cpp",
    "content": "#include \"../defs.h\"\r\n#include \"thread.h\"\r\n\r\nbool driver::thread::unlink()\r\n{\r\n\t// Up to the reader to determine how to do /\r\n\t// implement your own method\r\n\treturn true;\r\n}\r\n\r\nbool driver::thread::link()\r\n{\r\n\t// Up to the reader to determine how to do /\r\n\t// implement your own method\r\n\treturn true;\r\n}\r\n\r\n"
  },
  {
    "path": "full kernel bypass/thread/thread.h",
    "content": "\r\nnamespace driver\r\n{\r\n\tnamespace thread\r\n\t{\r\n\t\tbool unlink();\r\n\t\tbool link();\r\n\r\n\t\tbool terminate_thread = true;\r\n\t\tint total_loops = 0;\r\n\t\tint loops_before_end = 2;\r\n\t}\r\n}"
  },
  {
    "path": "full kernel bypass/utils/utils.cpp",
    "content": "#include <ntifs.h>\r\n#include \"utils.h\"\r\n\r\n\r\nNTSTATUS driver::utils::process_by_name(CHAR* process_name, PEPROCESS* process)\r\n{\r\n    PEPROCESS sys_process = PsInitialSystemProcess;\r\n    PEPROCESS cur_entry = sys_process;\r\n    CHAR image_name[15];\r\n\r\n    do\r\n    {\r\n        RtlCopyMemory( ( PVOID )( &image_name ), ( PVOID )( ( uintptr_t )cur_entry + 0x450 ) /*EPROCESS->ImageFileName*/, sizeof( image_name ) );\r\n\r\n        if ( strstr ( image_name, process_name ) )\r\n        {\r\n            ULONG active_threads;\r\n            RtlCopyMemory( ( PVOID ) &active_threads, ( PVOID )( ( uintptr_t )cur_entry + 0x498) /*EPROCESS->ActiveThreads*/, sizeof( active_threads ) );\r\n            if ( active_threads )\r\n            {\r\n                *process = cur_entry;\r\n                return STATUS_SUCCESS;\r\n            }\r\n        }\r\n\r\n        PLIST_ENTRY list = (PLIST_ENTRY)((uintptr_t)(cur_entry)+0x2F0) /*EPROCESS->ActiveProcessLinks*/;\r\n        cur_entry = (PEPROCESS)((uintptr_t)list->Flink - 0x2F0);\r\n\r\n    } while (cur_entry != sys_process);\r\n\r\n    return STATUS_NOT_FOUND;\r\n}"
  },
  {
    "path": "full kernel bypass/utils/utils.h",
    "content": "\r\nnamespace driver\r\n{\r\n\tnamespace utils\r\n\t{\r\n\t\tNTSTATUS process_by_name( CHAR* process_name, PEPROCESS* process );\r\n\r\n\t\tvoid sleep(int ms) { LARGE_INTEGER time;  time.QuadPart =- (ms) * 10 * 1000; KeDelayExecutionThread(KernelMode, TRUE, &time); }\r\n\t}\r\n}"
  },
  {
    "path": "full kernel bypass.sln",
    "content": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.30804.86\r\nMinimumVisualStudioVersion = 10.0.40219.1\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"full kernel bypass\", \"full kernel bypass\\full kernel bypass.vcxproj\", \"{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}\"\r\nEndProject\r\nGlobal\r\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\r\n\t\tDebug|ARM = Debug|ARM\r\n\t\tDebug|ARM64 = Debug|ARM64\r\n\t\tDebug|x64 = Debug|x64\r\n\t\tDebug|x86 = Debug|x86\r\n\t\tRelease|ARM = Release|ARM\r\n\t\tRelease|ARM64 = Release|ARM64\r\n\t\tRelease|x64 = Release|x64\r\n\t\tRelease|x86 = Release|x86\r\n\tEndGlobalSection\r\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM.ActiveCfg = Debug|ARM\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM.Build.0 = Debug|ARM\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM.Deploy.0 = Debug|ARM\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM64.ActiveCfg = Debug|ARM64\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM64.Build.0 = Debug|ARM64\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM64.Deploy.0 = Debug|ARM64\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x64.ActiveCfg = Debug|x64\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x64.Build.0 = Debug|x64\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x64.Deploy.0 = Debug|x64\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x86.ActiveCfg = Debug|Win32\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x86.Build.0 = Debug|Win32\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x86.Deploy.0 = Debug|Win32\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM.ActiveCfg = Release|ARM\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM.Build.0 = Release|ARM\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM.Deploy.0 = Release|ARM\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM64.ActiveCfg = Release|ARM64\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM64.Build.0 = Release|ARM64\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM64.Deploy.0 = Release|ARM64\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x64.ActiveCfg = Release|x64\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x64.Build.0 = Release|x64\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x64.Deploy.0 = Release|x64\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x86.ActiveCfg = Release|Win32\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x86.Build.0 = Release|Win32\r\n\t\t{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x86.Deploy.0 = Release|Win32\r\n\tEndGlobalSection\r\n\tGlobalSection(SolutionProperties) = preSolution\r\n\t\tHideSolutionNode = FALSE\r\n\tEndGlobalSection\r\n\tGlobalSection(ExtensibilityGlobals) = postSolution\r\n\t\tSolutionGuid = {6BC51261-A1CA-4C1F-90B5-8DF303CE1727}\r\n\tEndGlobalSection\r\nEndGlobal\r\n"
  }
]