Repository: unmaewei/Full-Kernel-Driver
Branch: main
Commit: c7f1d437e254
Files: 17
Total size: 53.6 KB

Directory structure:
gitextract_susrs7x4/

├── full kernel bypass/
│   ├── cleaning/
│   │   ├── cleaning.cpp
│   │   └── cleaning.h
│   ├── defs.h
│   ├── full kernel bypass.vcxproj
│   ├── full kernel bypass.vcxproj.filters
│   ├── full kernel bypass.vcxproj.user
│   ├── io/
│   │   ├── io.cpp
│   │   └── io.h
│   ├── main.cpp
│   ├── memory/
│   │   ├── memory.cpp
│   │   └── memory.h
│   ├── process/
│   │   └── process.h
│   ├── thread/
│   │   ├── thread.cpp
│   │   └── thread.h
│   └── utils/
│       ├── utils.cpp
│       └── utils.h
└── full kernel bypass.sln

================================================
FILE CONTENTS
================================================

================================================
FILE: full kernel bypass/cleaning/cleaning.cpp
================================================
#include <ntifs.h>
#include <ntstrsafe.h>
#include <ntimage.h>

#include "../defs.h"
#include "../io/io.h"
#include "cleaning.h"

using namespace driver;

uintptr_t get_kernel_address( const char* name, size_t& size )
{
	NTSTATUS status = STATUS_SUCCESS;
	ULONG neededSize = 0;

	ZwQuerySystemInformation(
		SystemModuleInformation,
		&neededSize,
		0,
		&neededSize
	);

	PSYSTEM_MODULE_INFORMATIONN pModuleList;

	pModuleList = (PSYSTEM_MODULE_INFORMATIONN)ExAllocatePool(NonPagedPool, neededSize);

	if (!pModuleList) {
		return 0;
	}

	status = ZwQuerySystemInformation(SystemModuleInformation,
		pModuleList,
		neededSize,
		0
	);

	ULONG i = 0;
	uintptr_t address = 0;

	for (i = 0; i < pModuleList->ModuleCount; i++)
	{
		SYSTEM_MODULEE mod = pModuleList->Modules[i];

		address = uintptr_t(pModuleList->Modules[i].Base);
		size = uintptr_t(pModuleList->Modules[i].Size);
		if (strstr(mod.ImageName, name) != NULL)
			break;
	}

	ExFreePool(pModuleList);

	return address;
}

PVOID resolve_relative_address( PVOID Instruction, ULONG OffsetOffset, ULONG InstructionSize )
{
	ULONG_PTR Instr = (ULONG_PTR)Instruction;
	LONG RipOffset = *(PLONG)(Instr + OffsetOffset);
	PVOID ResolvedAddr = (PVOID)(Instr + InstructionSize + RipOffset);

	return ResolvedAddr;
}

ULONGLONG get_exported_function( const ULONGLONG mod, const char* name )
{
	const auto dos_header = reinterpret_cast<PIMAGE_DOS_HEADER>(mod);
	const auto nt_headers = reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<ULONGLONG>(dos_header) + dos_header->e_lfanew);

	const auto data_directory = nt_headers->OptionalHeader.DataDirectory[0];
	const auto export_directory = reinterpret_cast<PIMAGE_EXPORT_DIRECTORY>(mod + data_directory.VirtualAddress);

	const auto address_of_names = reinterpret_cast<ULONG*>(mod + export_directory->AddressOfNames);

	for (size_t i = 0; i < export_directory->NumberOfNames; i++)
	{
		const auto function_name = reinterpret_cast<const char*>(mod + address_of_names[i]);

		if (!_stricmp(function_name, name))
		{
			const auto name_ordinal = reinterpret_cast<unsigned short*>(mod + export_directory->AddressOfNameOrdinals)[i];

			const auto function_rva = mod + reinterpret_cast<ULONG*>(mod + export_directory->AddressOfFunctions)[name_ordinal];
			return function_rva;
		}
	}

	return 0;
}

unsigned char random_number( )
{
	size_t size;
	auto mod = get_kernel_address("ntoskrnl.exe", size);

	auto cMmGetSystemRoutineAddress = reinterpret_cast<decltype(&MmGetSystemRoutineAddress)>(get_exported_function((uintptr_t)mod, "MmGetSystemRoutineAddress"));

	UNICODE_STRING routineName = RTL_CONSTANT_STRING(L"RtlRandom");
	auto cRtlRandom = reinterpret_cast<decltype(&RtlRandom)>(cMmGetSystemRoutineAddress(&routineName));

	ULONG seed = 1234765;
	ULONG rand = cRtlRandom(&seed) % 100;

	unsigned char randint = 0;

	if (rand >= 101 || rand <= -1)
		randint = 72;

	return (unsigned char)(rand);
}

PERESOURCE get_ps_loaded( )
{
	size_t size;
	auto mod = get_kernel_address("ntoskrnl.exe", size);

	auto cMmGetSystemRoutineAddress = reinterpret_cast<decltype(&MmGetSystemRoutineAddress)>(get_exported_function((uintptr_t)mod, "MmGetSystemRoutineAddress"));

	ERESOURCE PsLoadedModuleResource;
	UNICODE_STRING routineName = RTL_CONSTANT_STRING(L"PsLoadedModuleResource");
	auto cPsLoadedModuleResource = reinterpret_cast<decltype(&PsLoadedModuleResource)>(cMmGetSystemRoutineAddress(&routineName));

	return cPsLoadedModuleResource;
}

PRTL_AVL_TABLE get_piddb_table( )
{
	size_t size;
	uintptr_t ntos_base = get_kernel_address("ntoskrnl.exe", size);

	RTL_OSVERSIONINFOW osVersion = { 0 };
	osVersion.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
	RtlGetVersion(&osVersion);

	PRTL_AVL_TABLE PiDDBCacheTable = nullptr;

	if (osVersion.dwBuildNumber >= 18362) {
		PiDDBCacheTable = (PRTL_AVL_TABLE)dereference(find_pattern<uintptr_t>((void*)ntos_base, size, "\x48\x8d\x0d\x00\x00\x00\x00\xe8\x00\x00\x00\x00\x3d\x00\x00\x00\x00\x0f\x83", "xxx????x????x????xx"), 3);
	}
	else if (osVersion.dwBuildNumber >= 17134) {
		PiDDBCacheTable = (PRTL_AVL_TABLE)dereference(find_pattern<uintptr_t>((void*)ntos_base, size, "\x48\x8D\x0D\x00\x00\x00\x00\x4C\x89\x35\x00\x00\x00\x00\x49", "xxx????xxx????x"), 3);
	}

	if (!PiDDBCacheTable)
		return 0;

	return PiDDBCacheTable;
}

PERESOURCE get_piddb_lock( )
{
	size_t size;
	uintptr_t ntos_base = get_kernel_address("ntoskrnl.exe", size);

	PERESOURCE PiDDBLock = (PERESOURCE)dereference(find_pattern<uintptr_t>((void*)ntos_base, size, "\x48\x8d\x0d\x00\x00\x00\x00\xe8\x00\x00\x00\x00\x48\x8b\x0d\x00\x00\x00\x00\x33\xdb", "xxx????x????xxx????xx"), 3);

	if (!PiDDBLock)
		return 0;

	return PiDDBLock;
}

bool cleaning::verify_piddb()
{
	return (get_piddb_lock() != 0 && get_piddb_table() != 0);
}

bool cleaning::clean_piddb()
{
	PERESOURCE PiDDBLock = get_piddb_lock();
	PRTL_AVL_TABLE PiDDBCacheTable = get_piddb_table();

	PIDDBCACHE_ENTRY lookupEntry = { };

	lookupEntry.DriverName = cleaning::driver_name;
	lookupEntry.TimeDateStamp = cleaning::driver_timestamp;

	ExAcquireResourceExclusiveLite(PiDDBLock, TRUE);

	auto pFoundEntry = (PPIDDBCACHE_ENTRY)RtlLookupElementGenericTableAvl(PiDDBCacheTable, &lookupEntry);
	if (pFoundEntry == nullptr)
	{
		ExReleaseResourceLite(PiDDBLock);
		return false;
	}

	RemoveEntryList(&pFoundEntry->List);
	RtlDeleteElementGenericTableAvl(PiDDBCacheTable, pFoundEntry);

	ExReleaseResourceLite(PiDDBLock);

	return true;
}

bool is_unload_empty(PMM_UNLOADED_DRIVER entry)
{
	if (entry->Name.MaximumLength == 0 || entry->Name.Length == 0 || entry->Name.Buffer == NULL)
		return true;

	return false;
}

PMM_UNLOADED_DRIVER get_mmu_address()
{
	size_t size;
	uintptr_t ntos_base = get_kernel_address("ntoskrnl.exe", size);

	PVOID MmUnloadedDriversInstr = (PVOID)find_pattern2((UINT64)ntos_base, size,
		(unsigned char*)"\x4C\x8B\x15\x00\x00\x00\x00\x4C\x8B\xC9", "xxx????xxx");

	if (MmUnloadedDriversInstr == NULL)
		return NULL;

	return *(PMM_UNLOADED_DRIVER*)resolve_relative_address(MmUnloadedDriversInstr, 3, 7);
}

PULONG get_mml_address()
{
	size_t size;
	uintptr_t ntos_base = get_kernel_address("ntoskrnl.exe", size);

	PVOID mmlastunloadeddriverinst = (PVOID)find_pattern2((UINT64)ntos_base, size,
		(unsigned char*)"\x8B\x05\x00\x00\x00\x00\x83\xF8\x32", "xx????xxx");

	if (mmlastunloadeddriverinst == NULL)
		return { };

	return (PULONG)resolve_relative_address(mmlastunloadeddriverinst, 2, 6);
}

bool cleaning::verify_mmu()
{
	return (get_mmu_address() != NULL && get_mml_address() != NULL);
}

bool is_mmu_filled()
{
	for (ULONG idx = 0; idx < MM_UNLOADED_DRIVERS_SIZE; ++idx)
	{
		PMM_UNLOADED_DRIVER entry = &get_mmu_address()[idx];
		if (is_unload_empty(entry))
			return false;
	}
	return true;
}

bool cleaning::clean_mmu()
{
	auto ps_loaded = get_ps_loaded();

	ExAcquireResourceExclusiveLite(ps_loaded, TRUE);

	BOOLEAN Modified = false;
	BOOLEAN Filled = is_mmu_filled();

	UNICODE_STRING DriverName = cleaning::driver_name;

	for (ULONG Index = 0; Index < MM_UNLOADED_DRIVERS_SIZE; ++Index)
	{
		PMM_UNLOADED_DRIVER Entry = &get_mmu_address()[Index];

		if(cleaning::debug)
			io::dbgprint("mmu driver # %i name %ws", Index, Entry->Name.Buffer);

		if (Modified)
		{
			PMM_UNLOADED_DRIVER PrevEntry = &get_mmu_address()[Index - 1];
			RtlCopyMemory(PrevEntry, Entry, sizeof(MM_UNLOADED_DRIVER));

			if (Index == MM_UNLOADED_DRIVERS_SIZE - 1)
			{
				RtlFillMemory(Entry, sizeof(MM_UNLOADED_DRIVER), 0);
			}
		}
		else if (RtlEqualUnicodeString(&DriverName, &Entry->Name, TRUE))
		{
			PVOID BufferPool = Entry->Name.Buffer;
			RtlFillMemory(Entry, sizeof(MM_UNLOADED_DRIVER), 0);
			ExFreePoolWithTag(BufferPool, 'TDmM');

			*get_mml_address() = (Filled ? MM_UNLOADED_DRIVERS_SIZE : *get_mml_address()) - 1;
			Modified = TRUE;
		}
	}

	if (Modified)
	{
		ULONG64 PreviousTime = 0;

		for (LONG Index = MM_UNLOADED_DRIVERS_SIZE - 2; Index >= 0; --Index)
		{
			PMM_UNLOADED_DRIVER Entry = &get_mmu_address()[Index];
			if (is_unload_empty(Entry))
			{
				continue;
			}

			if (PreviousTime != 0 && Entry->UnloadTime > PreviousTime)
			{
				Entry->UnloadTime = PreviousTime - random_number();
			}

			PreviousTime = Entry->UnloadTime;
		}

		clean_mmu();
	}

	ExReleaseResourceLite(ps_loaded);

	return Modified;
}

bool cleaning::clean_traces()
{
	bool status;

	if (cleaning::verify_mmu())
	{
		status = cleaning::clean_mmu();

		if (!status)
			io::dbgprint("failed to clean mmu");
		else
			io::dbgprint("cleaned mmu");
	}
	else
		io::dbgprint("failed to verify mmu");

	if (cleaning::verify_piddb())
	{
		status = cleaning::clean_piddb();

		if (!status)
			io::dbgprint("failed to clean piddb");

		else
			io::dbgprint("cleaned piddb");
	}
	else
		io::dbgprint("failed to verify piddb");

	return status;
}

================================================
FILE: full kernel bypass/cleaning/cleaning.h
================================================
#define MM_UNLOADED_DRIVERS_SIZE 50

namespace driver
{
	namespace cleaning
	{

		bool clean_traces( );
		bool verify_piddb( );
		bool clean_piddb( );
		bool verify_mmu( );
		bool clean_mmu( );

		UNICODE_STRING driver_name;
		int driver_timestamp;
		bool debug;
	}
}

================================================
FILE: full kernel bypass/defs.h
================================================
#include <ntifs.h>

extern "C"
{

	NTKERNELAPI PVOID
		PsGetProcessSectionBaseAddress(
			PEPROCESS Process
		);

}

#pragma once
#define _USE_MATH_DEFINES
#include <math.h>

#if defined(__GNUC__)
typedef          long long ll;
typedef unsigned long long ull;
#define __int64 long long
#define __int32 int
#define __int16 short
#define __int8  char
#define MAKELL(num) num ## LL
#define FMT_64 "ll"
#elif defined(_MSC_VER)
typedef          __int64 ll;
typedef unsigned __int64 ull;
#define MAKELL(num) num ## i64
#define FMT_64 "I64"
#elif defined (__BORLANDC__)
typedef          __int64 ll;
typedef unsigned __int64 ull;
#define MAKELL(num) num ## i64
#define FMT_64 "L"
#else
#error "unknown compiler"
#endif
typedef unsigned int uint;
typedef unsigned char uchar;
typedef unsigned short ushort;
//typedef unsigned long ulong;

typedef          char   int8;
typedef   signed char   sint8;
typedef unsigned char   uint8;
typedef          short  int16;
typedef   signed short  sint16;
typedef unsigned short  uint16;
typedef          int    int32;
typedef   signed int    sint32;
typedef unsigned int    uint32;
typedef ll              int64;
typedef ll              sint64;
typedef ull             uint64;

// Partially defined types:
#define _BYTE  uint8
#define _WORD  uint16
#define _DWORD uint32
#define _QWORD uint64
#if !defined(_MSC_VER)
#define _LONGLONG __int128
#endif


// Some convenience macros to make partial accesses nicer
// first unsigned macros:
//Already defined
//#define LOBYTE(x)   (*((_BYTE*)&(x)))   // low byte
//#define LOWORD(x)   (*((_WORD*)&(x)))   // low word
//#define LODWORD(x)  (*((_DWORD*)&(x)))  // low dword
//#define HIBYTE(x)   (*((_BYTE*)&(x)+1))
//#define HIWORD(x)   (*((_WORD*)&(x)+1))
#define HIDWORD(x)  (*((_DWORD*)&(x)+1))
#define BYTEn(x, n)   (*((_BYTE*)&(x)+n))
#define WORDn(x, n)   (*((_WORD*)&(x)+n))
#define BYTE1(x)   BYTEn(x,  1)         // byte 1 (counting from 0)
#define BYTE2(x)   BYTEn(x,  2)
#define BYTE3(x)   BYTEn(x,  3)
#define BYTE4(x)   BYTEn(x,  4)
#define BYTE5(x)   BYTEn(x,  5)
#define BYTE6(x)   BYTEn(x,  6)
#define BYTE7(x)   BYTEn(x,  7)
#define BYTE8(x)   BYTEn(x,  8)
#define BYTE9(x)   BYTEn(x,  9)
#define BYTE10(x)  BYTEn(x, 10)
#define BYTE11(x)  BYTEn(x, 11)
#define BYTE12(x)  BYTEn(x, 12)
#define BYTE13(x)  BYTEn(x, 13)
#define BYTE14(x)  BYTEn(x, 14)
#define BYTE15(x)  BYTEn(x, 15)
#define WORD1(x)   WORDn(x,  1)
#define WORD2(x)   WORDn(x,  2)         // third word of the object, unsigned
#define WORD3(x)   WORDn(x,  3)
#define WORD4(x)   WORDn(x,  4)
#define WORD5(x)   WORDn(x,  5)
#define WORD6(x)   WORDn(x,  6)
#define WORD7(x)   WORDn(x,  7)

// now signed macros (the same but with sign extension)
#define SLOBYTE(x)   (*((int8*)&(x)))
#define SLOWORD(x)   (*((int16*)&(x)))
#define SLODWORD(x)  (*((int32*)&(x)))
#define SHIBYTE(x)   (*((int8*)&(x)+1))
#define SHIWORD(x)   (*((int16*)&(x)+1))
#define SHIDWORD(x)  (*((int32*)&(x)+1))
#define SBYTEn(x, n)   (*((int8*)&(x)+n))
#define SWORDn(x, n)   (*((int16*)&(x)+n))
#define SBYTE1(x)   SBYTEn(x,  1)
#define SBYTE2(x)   SBYTEn(x,  2)
#define SBYTE3(x)   SBYTEn(x,  3)
#define SBYTE4(x)   SBYTEn(x,  4)
#define SBYTE5(x)   SBYTEn(x,  5)
#define SBYTE6(x)   SBYTEn(x,  6)
#define SBYTE7(x)   SBYTEn(x,  7)
#define SBYTE8(x)   SBYTEn(x,  8)
#define SBYTE9(x)   SBYTEn(x,  9)
#define SBYTE10(x)  SBYTEn(x, 10)
#define SBYTE11(x)  SBYTEn(x, 11)
#define SBYTE12(x)  SBYTEn(x, 12)
#define SBYTE13(x)  SBYTEn(x, 13)
#define SBYTE14(x)  SBYTEn(x, 14)
#define SBYTE15(x)  SBYTEn(x, 15)
#define SWORD1(x)   SWORDn(x,  1)
#define SWORD2(x)   SWORDn(x,  2)
#define SWORD3(x)   SWORDn(x,  3)
#define SWORD4(x)   SWORDn(x,  4)
#define SWORD5(x)   SWORDn(x,  5)
#define SWORD6(x)   SWORDn(x,  6)
#define SWORD7(x)   SWORDn(x,  7)

template<class T> T __ROL__(T value, int count)
{
    const uint nbits = sizeof(T) * 8;

    if (count > 0)
    {
        count %= nbits;
        T high = value >> (nbits - count);
        if (T(-1) < 0) // signed value
            high &= ~((T(-1) << count));
        value <<= count;
        value |= high;
    }
    else
    {
        count = -count % nbits;
        T low = value << (nbits - count);
        value >>= count;
        value |= low;
    }
    return value;
}

inline uint8  __ROL1__(uint8  value, int count) { return __ROL__((uint8)value, count); }
inline uint16 __ROL2__(uint16 value, int count) { return __ROL__((uint16)value, count); }
inline uint32 __ROL4__(uint32 value, int count) { return __ROL__((uint32)value, count); }
inline uint64 __ROL8__(uint64 value, int count) { return __ROL__((uint64)value, count); }
inline uint8  __ROR1__(uint8  value, int count) { return __ROL__((uint8)value, -count); }
inline uint16 __ROR2__(uint16 value, int count) { return __ROL__((uint16)value, -count); }
inline uint32 __ROR4__(uint32 value, int count) { return __ROL__((uint32)value, -count); }
inline uint64 __ROR8__(uint64 value, int count) { return __ROL__((uint64)value, -count); }

//Dumb glow decryption stuff
//https://www.codeproject.com/Articles/1274943/IEEE-754-Conversion

#define NTH_BIT(b, n) ((b >> n) & 0x1)

#define BYTE_TO_BIN(b)   (( b & 0x80 ) ) |\
            (( b & 0x40 ) ) |\
            (( b & 0x20 ) ) |\
            (( b & 0x10 ) ) |\
            (( b & 0x08 ) ) |\
            (( b & 0x04 ) ) |\
            (( b & 0x02 ) ) |\
            ( b & 0x01 )

#define MANTISSA_TO_BIN(b)  (( b & 0x400000 ) ) |\
             (( b & 0x200000 ) ) |\
             (( b & 0x100000 ) ) |\
             (( b &  0x80000 ) ) |\
             (( b &  0x40000 ) ) |\
             (( b &  0x20000 ) ) |\
             (( b &  0x10000 ) ) |\
             (( b &  0x8000 ) ) |\
             (( b &  0x4000 ) ) |\
             (( b &  0x2000 ) ) |\
             (( b &  0x1000 ) ) |\
             (( b &  0x800 ) ) |\
             (( b &  0x400 ) ) |\
             (( b &  0x200 ) ) |\
             (( b &  0x100 ) ) |\
             (( b &  0x80 ) ) |\
             (( b &  0x40 ) ) |\
             (( b &  0x20 ) ) |\
             (( b &  0x10 ) ) |\
             (( b &  0x08 ) ) |\
             (( b &  0x04 ) ) |\
             (( b &  0x02 ) ) |\
              ( b & 0x01 )

typedef union IEEE754
{
    struct
    {
        unsigned int mantissa : 23;
        unsigned int exponent : 8;
        unsigned int sign : 1;
    } raw;
    float f;
} IEEE754;

typedef struct _MM_UNLOADED_DRIVER
{
    UNICODE_STRING     Name;
    PVOID             ModuleStart;
    PVOID             ModuleEnd;
    ULONG64         UnloadTime;
} MM_UNLOADED_DRIVER, * PMM_UNLOADED_DRIVER;
typedef struct _PIDDBCACHE_ENTRY
{
    LIST_ENTRY        List;
    UNICODE_STRING    DriverName;
    ULONG            TimeDateStamp;
    NTSTATUS        LoadStatus;
    char            _0x0028[16];
} PIDDBCACHE_ENTRY, * PPIDDBCACHE_ENTRY;
typedef struct _SYSTEM_MODULEE
{
    ULONG_PTR Reserved[2];
    PVOID     Base;
    ULONG     Size;
    ULONG     Flags;
    USHORT    Index;
    USHORT    Unknown;
    USHORT    LoadCount;
    USHORT    ModuleNameOffset;
    CHAR      ImageName[256];
} SYSTEM_MODULEE, * PSYSTEM_MODULEE;
typedef struct _SYSTEM_MODULE_INFORMATIONN
{
    ULONG_PTR     ModuleCount;
    SYSTEM_MODULEE Modules[1];
} SYSTEM_MODULE_INFORMATIONN, * PSYSTEM_MODULE_INFORMATIONN;
typedef enum _SYSTEM_INFORMATION_CLASS
{
	SystemBasicInformation,				   // q: SYSTEM_BASIC_INFORMATION
	SystemProcessorInformation,			   // q: SYSTEM_PROCESSOR_INFORMATION
	SystemPerformanceInformation,		   // q: SYSTEM_PERFORMANCE_INFORMATION
	SystemTimeOfDayInformation,			   // q: SYSTEM_TIMEOFDAY_INFORMATION
	SystemPathInformation,				   // not implemented
	SystemProcessInformation,			   // q: SYSTEM_PROCESS_INFORMATION
	SystemCallCountInformation,			   // q: SYSTEM_CALL_COUNT_INFORMATION
	SystemDeviceInformation,			   // q: SYSTEM_DEVICE_INFORMATION
	SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION
	SystemFlagsInformation,				   // q: SYSTEM_FLAGS_INFORMATION
	SystemCallTimeInformation,			   // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10
	SystemModuleInformation,			   // q: RTL_PROCESS_MODULES
	SystemLocksInformation,				   // q: SYSTEM_LOCK_INFORMATION
	SystemStackTraceInformation,
	SystemPagedPoolInformation,			   // not implemented
	SystemNonPagedPoolInformation,		   // not implemented
	SystemHandleInformation,			   // q: SYSTEM_HANDLE_INFORMATION
	SystemObjectInformation,			   // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION
	SystemPageFileInformation,			   // q: SYSTEM_PAGEFILE_INFORMATION
	SystemVdmInstemulInformation,		   // q
	SystemVdmBopInformation,			   // not implemented // 20
	SystemFileCacheInformation,			   // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)
	SystemPoolTagInformation,			   // q: SYSTEM_POOLTAG_INFORMATION
	SystemInterruptInformation,			   // q: SYSTEM_INTERRUPT_INFORMATION
	SystemDpcBehaviorInformation,		   // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)
	SystemFullMemoryInformation,		   // not implemented
	SystemLoadGdiDriverInformation,		   // s (kernel-mode only)
	SystemUnloadGdiDriverInformation,	  // s (kernel-mode only)
	SystemTimeAdjustmentInformation,	   // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)
	SystemSummaryMemoryInformation,		   // not implemented
	SystemMirrorMemoryInformation,		   // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30
	SystemPerformanceTraceInformation,	 // s
	SystemObsolete0,					   // not implemented
	SystemExceptionInformation,			   // q: SYSTEM_EXCEPTION_INFORMATION
	SystemCrashDumpStateInformation,	   // s (requires SeDebugPrivilege)
	SystemKernelDebuggerInformation,	   // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION
	SystemContextSwitchInformation,		   // q: SYSTEM_CONTEXT_SWITCH_INFORMATION
	SystemRegistryQuotaInformation,		   // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)
	SystemExtendServiceTableInformation,   // s (requires SeLoadDriverPrivilege) // loads win32k only
	SystemPrioritySeperation,			   // s (requires SeTcbPrivilege)
	SystemVerifierAddDriverInformation,	// s (requires SeDebugPrivilege) // 40
	SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)
	SystemProcessorIdleInformation,		   // q: SYSTEM_PROCESSOR_IDLE_INFORMATION
	SystemLegacyDriverInformation,		   // q: SYSTEM_LEGACY_DRIVER_INFORMATION
	SystemCurrentTimeZoneInformation,	  // q
	SystemLookasideInformation,			   // q: SYSTEM_LOOKASIDE_INFORMATION
	SystemTimeSlipNotification,			   // s (requires SeSystemtimePrivilege)
	SystemSessionCreate,				   // not implemented
	SystemSessionDetach,				   // not implemented
	SystemSessionInformation,			   // not implemented
	SystemRangeStartInformation,		   // q: SYSTEM_RANGE_START_INFORMATION // 50
	SystemVerifierInformation,			   // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
	SystemVerifierThunkExtend,			   // s (kernel-mode only)
	SystemSessionProcessInformation,	   // q: SYSTEM_SESSION_PROCESS_INFORMATION
	SystemLoadGdiDriverInSystemSpace,	  // s (kernel-mode only) (same as SystemLoadGdiDriverInformation)
	SystemNumaProcessorMap,				   // q
	SystemPrefetcherInformation,		   // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation
	SystemExtendedProcessInformation,	  // q: SYSTEM_PROCESS_INFORMATION
	SystemRecommendedSharedDataAlignment,  // q
	SystemComPlusPackage,				   // q; s
	SystemNumaAvailableMemory,			   // 60
	SystemProcessorPowerInformation,	   // q: SYSTEM_PROCESSOR_POWER_INFORMATION
	SystemEmulationBasicInformation,	   // q
	SystemEmulationProcessorInformation,
	SystemExtendedHandleInformation,			   // q: SYSTEM_HANDLE_INFORMATION_EX
	SystemLostDelayedWriteInformation,			   // q: ULONG
	SystemBigPoolInformation,					   // q: SYSTEM_BIGPOOL_INFORMATION
	SystemSessionPoolTagInformation,			   // q: SYSTEM_SESSION_POOLTAG_INFORMATION
	SystemSessionMappedViewInformation,			   // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
	SystemHotpatchInformation,					   // q; s
	SystemObjectSecurityMode,					   // q // 70
	SystemWatchdogTimerHandler,					   // s (kernel-mode only)
	SystemWatchdogTimerInformation,				   // q (kernel-mode only); s (kernel-mode only)
	SystemLogicalProcessorInformation,			   // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION
	SystemWow64SharedInformationObsolete,		   // not implemented
	SystemRegisterFirmwareTableInformationHandler, // s (kernel-mode only)
	SystemFirmwareTableInformation,				   // SYSTEM_FIRMWARE_TABLE_INFORMATION
	SystemModuleInformationEx,					   // q: RTL_PROCESS_MODULE_INFORMATION_EX
	SystemVerifierTriageInformation,			   // not implemented
	SystemSuperfetchInformation,				   // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
	SystemMemoryListInformation,				   // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80
	SystemFileCacheInformationEx,				   // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)
	SystemThreadPriorityClientIdInformation,	   // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege)
	SystemProcessorIdleCycleTimeInformation,	   // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[]
	SystemVerifierCancellationInformation,		   // not implemented // name:wow64:whNT32QuerySystemVerifierCancellationInformation
	SystemProcessorPowerInformationEx,			   // not implemented
	SystemRefTraceInformation,					   // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation
	SystemSpecialPoolInformation,				   // q; s (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0
	SystemProcessIdInformation,					   // q: SYSTEM_PROCESS_ID_INFORMATION
	SystemErrorPortInformation,					   // s (requires SeTcbPrivilege)
	SystemBootEnvironmentInformation,			   // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90
	SystemHypervisorInformation,				   // q; s (kernel-mode only)
	SystemVerifierInformationEx,				   // q; s: SYSTEM_VERIFIER_INFORMATION_EX
	SystemTimeZoneInformation,					   // s (requires SeTimeZonePrivilege)
	SystemImageFileExecutionOptionsInformation,	// s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)
	SystemCoverageInformation,					   // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation
	SystemPrefetchPatchInformation,				   // not implemented
	SystemVerifierFaultsInformation,			   // s (requires SeDebugPrivilege)
	SystemSystemPartitionInformation,			   // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
	SystemSystemDiskInformation,				   // q: SYSTEM_SYSTEM_DISK_INFORMATION
	SystemProcessorPerformanceDistribution,		   // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION // 100
	SystemNumaProximityNodeInformation,			   // q
	SystemDynamicTimeZoneInformation,			   // q; s (requires SeTimeZonePrivilege)
	SystemCodeIntegrityInformation,				   // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation
	SystemProcessorMicrocodeUpdateInformation,	 // s
	SystemProcessorBrandString,					   // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
	SystemVirtualAddressInformation,			   // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
	SystemLogicalProcessorAndGroupInformation,	 // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // since WIN7 // KeQueryLogicalProcessorRelationship
	SystemProcessorCycleTimeInformation,		   // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[]
	SystemStoreInformation,						   // q; s // SmQueryStoreInformation
	SystemRegistryAppendString,					   // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110
	SystemAitSamplingValue,						   // s: ULONG (requires SeProfileSingleProcessPrivilege)
	SystemVhdBootInformation,					   // q: SYSTEM_VHD_BOOT_INFORMATION
	SystemCpuQuotaInformation,					   // q; s // PsQueryCpuQuotaInformation
	SystemNativeBasicInformation,				   // not implemented
	SystemSpare1,								   // not implemented
	SystemLowPriorityIoInformation,				   // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
	SystemTpmBootEntropyInformation,			   // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation
	SystemVerifierCountersInformation,			   // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
	SystemPagedPoolInformationEx,				   // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)
	SystemSystemPtesInformationEx,				   // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120
	SystemNodeDistanceInformation,				   // q
	SystemAcpiAuditInformation,					   // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26
	SystemBasicPerformanceInformation,			   // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
	SystemQueryPerformanceCounterInformation,	  // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
	SystemSessionBigPoolInformation,			   // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8
	SystemBootGraphicsInformation,				   // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only)
	SystemScrubPhysicalMemoryInformation,
	SystemBadPageInformation,
	SystemProcessorProfileControlArea,
	SystemCombinePhysicalMemoryInformation, // 130
	SystemEntropyInterruptTimingCallback,
	SystemConsoleInformation,		 // q: SYSTEM_CONSOLE_INFORMATION
	SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION
	SystemThrottleNotificationInformation,
	SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
	SystemDeviceDataInformation,			   // q: SYSTEM_DEVICE_DATA_INFORMATION
	SystemDeviceDataEnumerationInformation,
	SystemMemoryTopologyInformation,		 // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION
	SystemMemoryChannelInformation,			 // q: SYSTEM_MEMORY_CHANNEL_INFORMATION
	SystemBootLogoInformation,				 // q: SYSTEM_BOOT_LOGO_INFORMATION // 140
	SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // since WINBLUE
	SystemSpare0,
	SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION
	SystemPageFileInformationEx,	   // q: SYSTEM_PAGEFILE_INFORMATION_EX
	SystemSecureBootInformation,	   // q: SYSTEM_SECUREBOOT_INFORMATION
	SystemEntropyInterruptTimingRawInformation,
	SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
	SystemFullProcessInformation,				   // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
	SystemKernelDebuggerInformationEx,			   // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
	SystemBootMetadataInformation,				   // 150
	SystemSoftRebootInformation,
	SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION
	SystemOfflineDumpConfigInformation,
	SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION
	SystemRegistryReconciliationInformation,
	SystemEdidInformation,
	SystemManufacturingInformation,			 // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD
	SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
	SystemHypervisorDetailInformation,		 // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION
	SystemProcessorCycleStatsInformation,	// q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION // 160
	SystemVmGenerationCountInformation,
	SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION
	SystemKernelDebuggerFlags,
	SystemCodeIntegrityPolicyInformation, // q: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
	SystemIsolatedUserModeInformation,	// q: SYSTEM_ISOLATED_USER_MODE_INFORMATION
	SystemHardwareSecurityTestInterfaceResultsInformation,
	SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION
	SystemAllowedCpuSetsInformation,
	SystemDmaProtectionInformation,		   // q: SYSTEM_DMA_PROTECTION_INFORMATION
	SystemInterruptCpuSetsInformation,	 // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170
	SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
	SystemCodeIntegrityPolicyFullInformation,
	SystemAffinitizedInterruptProcessorInformation,
	SystemRootSiloInformation,  // q: SYSTEM_ROOT_SILO_INFORMATION
	SystemCpuSetInformation,	// q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2
	SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION
	SystemWin32WerStartCallout,
	SystemSecureKernelProfileInformation,			// q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION
	SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE
	SystemInterruptSteeringInformation,				// 180
	SystemSupportedProcessorArchitectures,
	SystemMemoryUsageInformation,			   // q: SYSTEM_MEMORY_USAGE_INFORMATION
	SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
	MaxSystemInfoClass
} SYSTEM_INFORMATION_CLASS;

extern "C"
NTKERNELAPI NTSTATUS NTAPI
ZwQuerySystemInformation(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);

inline auto dereference(uintptr_t address, unsigned int offset) -> uintptr_t
{
    if (address == 0)
        return 0;

    return address + (int)((*(int*)(address + offset) + offset) + sizeof(int));
}
inline auto relative(uintptr_t address, unsigned int size) -> PVOID
{
    if (address == 0)
        return 0;

    return ((PVOID)((unsigned char*)(address)+*(int*)((unsigned char*)(address)+((size)-(INT)sizeof(INT))) + (size)));
}
inline auto compare_data(const unsigned char* pData, const unsigned char* bMask, const char* szMask) -> bool
{
    for (; *szMask; ++szMask, ++pData, ++bMask)
        if (*szMask == 'x' && *pData != *bMask)
            return 0;

    return (*szMask) == 0;
}
inline auto find_pattern2(UINT64 dwAddress, UINT64 dwLen, unsigned char* bMask, const char* szMask) -> ULONGLONG
{
    for (ULONGLONG i = 0; i < dwLen; i++)
        if (compare_data((unsigned char*)(dwAddress + i), bMask, szMask))
            return (ULONGLONG)(dwAddress + i);

    return 0;
}
template <typename t = void*>
inline auto find_pattern(void* start, size_t length, const char* pattern, const char* mask) -> t
{
    const auto data = static_cast<const char*>(start);
    const auto pattern_length = strlen(mask);

    for (size_t i = 0; i <= length - pattern_length; i++)
    {
        bool accumulative_found = true;

        for (size_t j = 0; j < pattern_length; j++)
        {
            if (!MmIsAddressValid(reinterpret_cast<void*>(reinterpret_cast<uintptr_t>(data) + i + j)))
            {
                accumulative_found = false;
                break;
            }

            if (data[i + j] != pattern[j] && mask[j] != '?')
            {
                accumulative_found = false;
                break;
            }
        }

        if (accumulative_found)
        {
            return (t)(reinterpret_cast<uintptr_t>(data) + i);
        }
    }

    return (t)nullptr;
}

================================================
FILE: full kernel bypass/full kernel bypass.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup Label="ProjectConfigurations">
    <ProjectConfiguration Include="Debug|Win32">
      <Configuration>Debug</Configuration>
      <Platform>Win32</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|Win32">
      <Configuration>Release</Configuration>
      <Platform>Win32</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Debug|x64">
      <Configuration>Debug</Configuration>
      <Platform>x64</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|x64">
      <Configuration>Release</Configuration>
      <Platform>x64</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Debug|ARM">
      <Configuration>Debug</Configuration>
      <Platform>ARM</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|ARM">
      <Configuration>Release</Configuration>
      <Platform>ARM</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Debug|ARM64">
      <Configuration>Debug</Configuration>
      <Platform>ARM64</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|ARM64">
      <Configuration>Release</Configuration>
      <Platform>ARM64</Platform>
    </ProjectConfiguration>
  </ItemGroup>
  <PropertyGroup Label="Globals">
    <ProjectGuid>{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}</ProjectGuid>
    <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
    <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
    <Configuration>Debug</Configuration>
    <Platform Condition="'$(Platform)' == ''">Win32</Platform>
    <RootNamespace>full_kernel_bypass</RootNamespace>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>KMDF</DriverType>
    <DriverTargetPlatform>Universal</DriverTargetPlatform>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>KMDF</DriverType>
    <DriverTargetPlatform>Universal</DriverTargetPlatform>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>KMDF</DriverType>
    <DriverTargetPlatform>Universal</DriverTargetPlatform>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>KMDF</DriverType>
    <DriverTargetPlatform>Universal</DriverTargetPlatform>
    <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
    <CharacterSet>MultiByte</CharacterSet>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>KMDF</DriverType>
    <DriverTargetPlatform>Universal</DriverTargetPlatform>
    <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>KMDF</DriverType>
    <DriverTargetPlatform>Universal</DriverTargetPlatform>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>KMDF</DriverType>
    <DriverTargetPlatform>Universal</DriverTargetPlatform>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>KMDF</DriverType>
    <DriverTargetPlatform>Universal</DriverTargetPlatform>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
  <ImportGroup Label="ExtensionSettings">
  </ImportGroup>
  <ImportGroup Label="PropertySheets">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <PropertyGroup Label="UserMacros" />
  <PropertyGroup />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
      <WarningLevel>TurnOffAllWarnings</WarningLevel>
      <TreatWarningAsError>false</TreatWarningAsError>
    </ClCompile>
    <Link>
      <AdditionalOptions>/FORCE:MULTIPLE %(AdditionalOptions)</AdditionalOptions>
      <TreatLinkerWarningAsErrors>false</TreatLinkerWarningAsErrors>
      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
    </Link>
  </ItemDefinitionGroup>
  <ItemGroup>
    <FilesToPackage Include="$(TargetPath)" />
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="cleaning\cleaning.cpp" />
    <ClCompile Include="io\io.cpp" />
    <ClCompile Include="main.cpp" />
    <ClCompile Include="memory\memory.cpp" />
    <ClCompile Include="thread\thread.cpp" />
    <ClCompile Include="utils\utils.cpp" />
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="cleaning\cleaning.h" />
    <ClInclude Include="defs.h" />
    <ClInclude Include="io\io.h" />
    <ClInclude Include="memory\memory.h" />
    <ClInclude Include="process\process.h" />
    <ClInclude Include="thread\thread.h" />
    <ClInclude Include="utils\utils.h" />
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Label="ExtensionTargets">
  </ImportGroup>
</Project>

================================================
FILE: full kernel bypass/full kernel bypass.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Filter Include="Source Files">
      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
    </Filter>
    <Filter Include="Header Files">
      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
    </Filter>
    <Filter Include="Header Files\io">
      <UniqueIdentifier>{8a1420fe-ef8f-4abd-bdd2-80a5734844bc}</UniqueIdentifier>
    </Filter>
    <Filter Include="Header Files\memory">
      <UniqueIdentifier>{993343d9-8704-4670-8624-a6f5a0072cd7}</UniqueIdentifier>
    </Filter>
    <Filter Include="Header Files\process">
      <UniqueIdentifier>{14d0d3d7-34f7-480b-85c9-6b27177eff87}</UniqueIdentifier>
    </Filter>
    <Filter Include="Header Files\utils">
      <UniqueIdentifier>{09dd5666-fb10-485e-8c4d-536470abc1f9}</UniqueIdentifier>
    </Filter>
    <Filter Include="Header Files\thread">
      <UniqueIdentifier>{b5004452-c296-4540-90de-83293b83e9af}</UniqueIdentifier>
    </Filter>
    <Filter Include="Header Files\cleaning">
      <UniqueIdentifier>{3f41d68c-0fe0-4184-92a1-9663637a241d}</UniqueIdentifier>
    </Filter>
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="io\io.cpp">
      <Filter>Header Files\io</Filter>
    </ClCompile>
    <ClCompile Include="memory\memory.cpp">
      <Filter>Header Files\memory</Filter>
    </ClCompile>
    <ClCompile Include="main.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="utils\utils.cpp">
      <Filter>Header Files\utils</Filter>
    </ClCompile>
    <ClCompile Include="thread\thread.cpp">
      <Filter>Header Files\thread</Filter>
    </ClCompile>
    <ClCompile Include="cleaning\cleaning.cpp">
      <Filter>Header Files\cleaning</Filter>
    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="memory\memory.h">
      <Filter>Header Files\memory</Filter>
    </ClInclude>
    <ClInclude Include="process\process.h">
      <Filter>Header Files\process</Filter>
    </ClInclude>
    <ClInclude Include="io\io.h">
      <Filter>Header Files\io</Filter>
    </ClInclude>
    <ClInclude Include="utils\utils.h">
      <Filter>Header Files\utils</Filter>
    </ClInclude>
    <ClInclude Include="defs.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="thread\thread.h">
      <Filter>Header Files\thread</Filter>
    </ClInclude>
    <ClInclude Include="cleaning\cleaning.h">
      <Filter>Header Files\cleaning</Filter>
    </ClInclude>
  </ItemGroup>
</Project>

================================================
FILE: full kernel bypass/full kernel bypass.vcxproj.user
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup />
</Project>

================================================
FILE: full kernel bypass/io/io.cpp
================================================
#include <ntifs.h>
#include <stdio.h>
#include <stdarg.h> 
#include <ntimage.h>
#include "io.h"

void driver::io::dbgprint( PCCH format, ...)
{
	CHAR message[512];
	va_list _valist;
	va_start(_valist, format);
	const ULONG N = _vsnprintf_s(message, sizeof(message) - 1, format, _valist);
	message[N] = L'\0';

	vDbgPrintExWithPrefix("[Kernel Driver] ", DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, message, _valist);

	va_end(_valist);
}


================================================
FILE: full kernel bypass/io/io.h
================================================
#include <ntdef.h>

namespace driver
{
	namespace io
	{
		void dbgprint(PCCH format, ...);
	}
}

================================================
FILE: full kernel bypass/main.cpp
================================================
#include <ntifs.h>
#include <ntimage.h>
#include <ntddk.h>
#include "defs.h"
#include "io/io.h"
#include "utils/utils.h"
#include "memory/memory.h"
#include "thread/thread.h"
#include "cleaning/cleaning.h"
using namespace driver;

void driver_thread( void* context )
{
	// allow five seconds for driver to finish entry
	utils::sleep(5000);
	
	// debug text
	io::dbgprint( "cleaning status -> %i", cleaning::clean_traces( ) );
	io::dbgprint( "tid -> %i", PsGetCurrentThreadId( ) );

	// user extersize
	bool status = thread::unlink( );
	io::dbgprint( "unlinked thread -> %i", status );

	// change your process name here
	process::process_name = "RainbowSix.exe";
	io::dbgprint( "process name -> %s", process::process_name );

	// scuff check to check if our peprocess is valid
	while ( utils::process_by_name( process::process_name, &process::process ) == STATUS_NOT_FOUND)
	{
		io::dbgprint( "waiting for -> %s", process::process_name );
		utils::sleep(2000);
	}
	io::dbgprint("found process -> %s", process::process_name);

	// sleep for 15 seconds to allow game to get started and prevent us from getting false info
	utils::sleep(15000);

	utils::process_by_name( process::process_name, &process::process );
	io::dbgprint( "peprocess -> 0x%llx", process::process );

	process::pid = reinterpret_cast< uint32 >( PsGetProcessId( process::process ) );
	io::dbgprint("pid -> %i", process::pid);

	process::base_address = reinterpret_cast < uint64 >( PsGetProcessSectionBaseAddress( process::process ) );
	io::dbgprint( "base address -> 0x%llx", process::base_address );

	// main loop
	while ( true )
	{
		
		//example read
		uint64 round_manager = memory::read< uint64 >( process::base_address + 0x77BF800 );
		uint32 encrypted_round_state = memory::read< uint32 >( round_manager + 0xC0 );
		uint32 decrypted_round_state = _rotl64( encrypted_round_state - 0x56, 0x1E );
		io::dbgprint( "round state ptr -> 0x%llx", decrypted_round_state );

		// example write
		memory::write< uint32 >( round_manager + 0xC0, 0x0 );

		// for testing
		if ( thread::terminate_thread ) 
		{
			io::dbgprint( "loops -> %i", thread::total_loops );
			utils::sleep( 5000 );
			thread::total_loops++;

			if ( thread::total_loops > thread::loops_before_end )
			{
				io::dbgprint( "terminating thread" );
				PsTerminateSystemThread( STATUS_SUCCESS );
			}
		}
	}
	PsTerminateSystemThread( STATUS_SUCCESS );
}

NTSTATUS DriverEntry( PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path ) {
	UNREFERENCED_PARAMETER( driver_object );
	UNREFERENCED_PARAMETER( registry_path );

	io::dbgprint("driver entry called.");

	// change this per mapper; debug prints the entire mmu
	cleaning::debug = false;
	cleaning::driver_timestamp = 0x5284EAC3;
	cleaning::driver_name = RTL_CONSTANT_STRING(L"iqvw64e.sys");

	HANDLE thread_handle = nullptr;
	OBJECT_ATTRIBUTES object_attribues{ };
	InitializeObjectAttributes( &object_attribues, nullptr, OBJ_KERNEL_HANDLE, nullptr, nullptr );

	NTSTATUS status = PsCreateSystemThread( &thread_handle, 0, &object_attribues, nullptr, nullptr, reinterpret_cast< PKSTART_ROUTINE >( &driver_thread ), nullptr );
	io::dbgprint("thread status -> 0x%llx", status);

	io::dbgprint("fininshed driver entry... closing...");
        
	return STATUS_SUCCESS;
}



================================================
FILE: full kernel bypass/memory/memory.cpp
================================================
#include <ntifs.h>
#include <stdio.h>
#include <stdarg.h> 
#include <ntimage.h>
#include "memory.h"

extern "C" 
NTSTATUS NTAPI MmCopyVirtualMemory
(
	PEPROCESS		SourceProcess,
	PVOID			SourceAddress,
	PEPROCESS		TargetProcess,
	PVOID			TargetAddress,
	SIZE_T			BufferSize,
	KPROCESSOR_MODE PreviousMode,
	PSIZE_T			ReturnSize
);

NTSTATUS driver::memory::read_virtual_memory( ULONG pid, PEPROCESS process, PVOID source_address, PVOID target_address, SIZE_T size )
{
	SIZE_T bytes = 0;
	if ( NT_SUCCESS( MmCopyVirtualMemory( process, source_address, PsGetCurrentProcess(), target_address, size, KernelMode, &bytes ) ) )
		return STATUS_SUCCESS;

	return STATUS_UNSUCCESSFUL;
}

NTSTATUS  driver::memory::write_virtual_memory( ULONG pid, PEPROCESS process, PVOID source_address, PVOID target_address, SIZE_T size )
{
	SIZE_T bytes = 0;
	if ( NT_SUCCESS ( MmCopyVirtualMemory( PsGetCurrentProcess(), source_address, process, target_address, size, KernelMode, &bytes ) ) )
		return STATUS_SUCCESS;

	return STATUS_UNSUCCESSFUL;
}


================================================
FILE: full kernel bypass/memory/memory.h
================================================
#include "../process/process.h"

namespace driver
{
	namespace memory
	{
		NTSTATUS read_virtual_memory( ULONG pid, PEPROCESS process, PVOID source_address, PVOID target_address, SIZE_T size );
		NTSTATUS write_virtual_memory( ULONG pid, PEPROCESS process, PVOID source_address, PVOID target_address, SIZE_T size );

		template< typename T >
		T read( uintptr_t address )
		{
			T buffer{};
			read_virtual_memory( process::pid, process::process, (void*)address, &buffer, sizeof(T) );
			return buffer;
		}

		template< typename T >
		void write( uintptr_t address, T buffer )
		{
			write_virtual_memory( process::pid, process::process, (void*)address, &buffer, sizeof(T) );
		}
	};
}

================================================
FILE: full kernel bypass/process/process.h
================================================

namespace driver
{
	namespace process
	{
		ULONG pid;
		PEPROCESS process;
		CHAR* process_name;
		ULONGLONG base_address;
	}
}

================================================
FILE: full kernel bypass/thread/thread.cpp
================================================
#include "../defs.h"
#include "thread.h"

bool driver::thread::unlink()
{
	// Up to the reader to determine how to do /
	// implement your own method
	return true;
}

bool driver::thread::link()
{
	// Up to the reader to determine how to do /
	// implement your own method
	return true;
}



================================================
FILE: full kernel bypass/thread/thread.h
================================================

namespace driver
{
	namespace thread
	{
		bool unlink();
		bool link();

		bool terminate_thread = true;
		int total_loops = 0;
		int loops_before_end = 2;
	}
}

================================================
FILE: full kernel bypass/utils/utils.cpp
================================================
#include <ntifs.h>
#include "utils.h"


NTSTATUS driver::utils::process_by_name(CHAR* process_name, PEPROCESS* process)
{
    PEPROCESS sys_process = PsInitialSystemProcess;
    PEPROCESS cur_entry = sys_process;
    CHAR image_name[15];

    do
    {
        RtlCopyMemory( ( PVOID )( &image_name ), ( PVOID )( ( uintptr_t )cur_entry + 0x450 ) /*EPROCESS->ImageFileName*/, sizeof( image_name ) );

        if ( strstr ( image_name, process_name ) )
        {
            ULONG active_threads;
            RtlCopyMemory( ( PVOID ) &active_threads, ( PVOID )( ( uintptr_t )cur_entry + 0x498) /*EPROCESS->ActiveThreads*/, sizeof( active_threads ) );
            if ( active_threads )
            {
                *process = cur_entry;
                return STATUS_SUCCESS;
            }
        }

        PLIST_ENTRY list = (PLIST_ENTRY)((uintptr_t)(cur_entry)+0x2F0) /*EPROCESS->ActiveProcessLinks*/;
        cur_entry = (PEPROCESS)((uintptr_t)list->Flink - 0x2F0);

    } while (cur_entry != sys_process);

    return STATUS_NOT_FOUND;
}

================================================
FILE: full kernel bypass/utils/utils.h
================================================

namespace driver
{
	namespace utils
	{
		NTSTATUS process_by_name( CHAR* process_name, PEPROCESS* process );

		void sleep(int ms) { LARGE_INTEGER time;  time.QuadPart =- (ms) * 10 * 1000; KeDelayExecutionThread(KernelMode, TRUE, &time); }
	}
}

================================================
FILE: full kernel bypass.sln
================================================

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30804.86
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "full kernel bypass", "full kernel bypass\full kernel bypass.vcxproj", "{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|ARM = Debug|ARM
		Debug|ARM64 = Debug|ARM64
		Debug|x64 = Debug|x64
		Debug|x86 = Debug|x86
		Release|ARM = Release|ARM
		Release|ARM64 = Release|ARM64
		Release|x64 = Release|x64
		Release|x86 = Release|x86
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM.ActiveCfg = Debug|ARM
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM.Build.0 = Debug|ARM
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM.Deploy.0 = Debug|ARM
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM64.ActiveCfg = Debug|ARM64
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM64.Build.0 = Debug|ARM64
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|ARM64.Deploy.0 = Debug|ARM64
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x64.ActiveCfg = Debug|x64
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x64.Build.0 = Debug|x64
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x64.Deploy.0 = Debug|x64
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x86.ActiveCfg = Debug|Win32
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x86.Build.0 = Debug|Win32
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Debug|x86.Deploy.0 = Debug|Win32
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM.ActiveCfg = Release|ARM
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM.Build.0 = Release|ARM
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM.Deploy.0 = Release|ARM
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM64.ActiveCfg = Release|ARM64
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM64.Build.0 = Release|ARM64
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|ARM64.Deploy.0 = Release|ARM64
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x64.ActiveCfg = Release|x64
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x64.Build.0 = Release|x64
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x64.Deploy.0 = Release|x64
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x86.ActiveCfg = Release|Win32
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x86.Build.0 = Release|Win32
		{2715B363-FA8A-4B04-B3FB-5BBBD88FDB7F}.Release|x86.Deploy.0 = Release|Win32
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {6BC51261-A1CA-4C1F-90B5-8DF303CE1727}
	EndGlobalSection
EndGlobal