Repository: zouxianyu/KernelHiddenExecute
Branch: master
Commit: 355450b86818
Files: 55
Total size: 233.2 KB

Directory structure:
gitextract_mwid84fv/

├── .gitattributes
├── .gitignore
├── ControlPanel/
│   ├── ControlPanel.cpp
│   ├── ControlPanel.h
│   ├── ControlPanel.qrc
│   ├── ControlPanel.ui
│   ├── ControlPanel.vcxproj
│   ├── ControlPanel.vcxproj.filters
│   ├── dlcommon.cpp
│   ├── dlcommon.h
│   ├── dlconfig.h
│   ├── dldrivers.cpp
│   ├── dldrivers.h
│   ├── dlioctl.cpp
│   ├── dlioctl.h
│   ├── dlservices.cpp
│   ├── dlservices.h
│   └── main.cpp
├── KernelHiddenExcute/
│   ├── Head.h
│   ├── HiddenCallApiTransfer.h
│   ├── HiddenExecute.h
│   ├── HiddenFunctions.h
│   ├── KernelHiddenExcute.inf
│   ├── KernelHiddenExcute.vcxproj
│   ├── KernelHiddenExcute.vcxproj.filters
│   ├── MyDebugPrint.h
│   ├── PhysicalMemoryOperation.h
│   ├── SectionOperation.h
│   └── main.c
├── KernelHiddenExecute/
│   ├── DebugPrintEx.h
│   ├── HiddenCallApiTransfer.c
│   ├── HiddenCallApiTransfer.h
│   ├── HiddenExecute.c
│   ├── HiddenExecute.h
│   ├── HiddenFunctions.c
│   ├── HiddenFunctions.h
│   ├── KernelHiddenExecute.inf
│   ├── KernelHiddenExecute.vcxproj
│   ├── KernelHiddenExecute.vcxproj.filters
│   ├── PhysicalMemoryOperation.c
│   ├── PhysicalMemoryOperation.h
│   ├── SectionOperation.c
│   ├── SectionOperation.h
│   ├── main.c
│   └── main.h
├── KernelHiddenExecute.sln
├── LICENSE
├── Malware/
│   ├── Attack.c
│   ├── Attack.h
│   ├── Malware.inf
│   ├── Malware.vcxproj
│   ├── Malware.vcxproj.filters
│   ├── main.c
│   └── main.h
└── README.md

================================================
FILE CONTENTS
================================================

================================================
FILE: .gitattributes
================================================
# Auto detect text files and perform LF normalization
* text=auto


================================================
FILE: .gitignore
================================================
*.exe
*.dll
*.pdb
*.sys
*.ink
*.txt
*.log
test/


## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore

# User-specific files
*.rsuser
*.suo
*.user
*.userosscache
*.sln.docstates

# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs

# Mono auto generated files
mono_crash.*

# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
[Ww][Ii][Nn]32/
[Aa][Rr][Mm]/
[Aa][Rr][Mm]64/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
[Ll]ogs/

# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/

# Visual Studio 2017 auto generated files
Generated\ Files/

# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*

# NUnit
*.VisualState.xml
TestResult.xml
nunit-*.xml

# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c

# Benchmark Results
BenchmarkDotNet.Artifacts/

# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/

# ASP.NET Scaffolding
ScaffoldingReadMe.txt

# StyleCop
StyleCopReport.xml

# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc

# Chutzpah Test files
_Chutzpah*

# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb

# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap

# Visual Studio Trace Files
*.e2e

# TFS 2012 Local Workspace
$tf/

# Guidance Automation Toolkit
*.gpState

# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user

# TeamCity is a build add-in
_TeamCity*

# DotCover is a Code Coverage Tool
*.dotCover

# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json

# Coverlet is a free, cross platform Code Coverage Tool
coverage*.json
coverage*.xml
coverage*.info

# Visual Studio code coverage results
*.coverage
*.coveragexml

# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*

# MightyMoose
*.mm.*
AutoTest.Net/

# Web workbench (sass)
.sass-cache/

# Installshield output folder
[Ee]xpress/

# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html

# Click-Once directory
publish/

# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj

# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/

# NuGet Packages
*.nupkg
# NuGet Symbol Packages
*.snupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets

# Microsoft Azure Build Output
csx/
*.build.csdef

# Microsoft Azure Emulator
ecf/
rcf/

# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx
*.appxbundle
*.appxupload

# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/

# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs

# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk

# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/

# RIA/Silverlight projects
Generated_Code/

# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak

# SQL Server files
*.mdf
*.ldf
*.ndf

# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser
*- [Bb]ackup.rdl
*- [Bb]ackup ([0-9]).rdl
*- [Bb]ackup ([0-9][0-9]).rdl

# Microsoft Fakes
FakesAssemblies/

# GhostDoc plugin setting file
*.GhostDoc.xml

# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/

# Visual Studio 6 build log
*.plg

# Visual Studio 6 workspace options file
*.opt

# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw

# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions

# Paket dependency manager
.paket/paket.exe
paket-files/

# FAKE - F# Make
.fake/

# CodeRush personal settings
.cr/personal

# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc

# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config

# Tabs Studio
*.tss

# Telerik's JustMock configuration file
*.jmconfig

# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs

# OpenCover UI analysis results
OpenCover/

# Azure Stream Analytics local run output
ASALocalRun/

# MSBuild Binary and Structured Log
*.binlog

# NVidia Nsight GPU debugger configuration file
*.nvuser

# MFractors (Xamarin productivity tool) working folder
.mfractor/

# Local History for Visual Studio
.localhistory/

# BeatPulse healthcheck temp database
healthchecksdb

# Backup folder for Package Reference Convert tool in Visual Studio 2017
MigrationBackup/

# Ionide (cross platform F# VS Code tools) working folder
.ionide/

# Fody - auto-generated XML schema
FodyWeavers.xsd

================================================
FILE: ControlPanel/ControlPanel.cpp
================================================
#include "ControlPanel.h"

ControlPanel::ControlPanel(QWidget* parent)
	: QWidget(parent),
	//initialize strings
	protectedServiceName("KernelHiddenExecute"),
	protectedServiceDisplayName("Kernel Hidden Execute"),
	//protectedDriverPath(".\\sys\\protected.sys"),
	protectedDeviceName("\\\\.\\KernelHiddenExecute"),
	protectedDriverControl(),
	malwareServiceName("KernelHiddenExecuteMalware"),
	malwareServiceDisplayName("Kernel Hidden Execute Malware"),
	//malwareDriverPath(".\\sys\\malware.sys"),
	malwareDeviceName("\\\\.\\KernelHiddenExecuteMalware"),
	malwareDriverControl(),
	//initialize bool variables
	initialized(false)
	//isSafeProcExecuted1(false),
	//isUnsafeProcExecuted1(false),
	//isAttacked(false),
	//isSafeProcExecuted2(false),
	//isUnsafeProcExecuted2(false)
{
	ui.setupUi(this);

	//initialize buttons connection
	connect(ui.initBtn, &QPushButton::clicked, this, &ControlPanel::initialize);
	connect(ui.attackBtn, &QPushButton::clicked, this, &ControlPanel::attack);
	connect(ui.unsafeProcBtn, &QPushButton::clicked, this, &ControlPanel::normalProcedure);
	connect(ui.safeProcBtn, &QPushButton::clicked, this, &ControlPanel::protectedProcedure);

	//fix relative path
	QDir protectedDriverDir("./sys/KernelHiddenExecute.sys");
	protectedDriverPath = protectedDriverDir.absolutePath().replace(QString("/"), QString("\\"));

	QDir malwareDriverDir("./sys/KernelHiddenExecuteMalware.sys");
	malwareDriverPath = malwareDriverDir.absolutePath().replace(QString("/"), QString("\\"));

	//add helper text
	//NOTE: the UI strings in this file are GBK text that arrived mis-decoded in this extract;
	//they are restated in English from the surrounding comments and control flow.
	ui.helperTextBrowser->clear();
	ui.helperTextBrowser->append("Click Initialize to load the drivers.");
	ui.helperTextBrowser->append("The status output below shows the current state.");
}

void ControlPanel::initialize()
{
	qDebug() << "initialize";
	if (initialized)
	{
		return;
	}
	//initialize service control manager
	ui.outputTextBrowser->append("Initializing SCM...");
	if (Services::init() == false)
	{
		ui.outputTextBrowser->append("SCM initialization failed.");
		return;
	}
	ui.outputTextBrowser->append("SCM initialized.");

	//load protected driver
	//TODO:FIX ABSOLUTE PATH
	ui.outputTextBrowser->append("Loading the protected driver...");
	if (!loadDriver(protectedDriverPath, protectedServiceName, protectedServiceDisplayName))
	{
		return;
	}

	//load malware driver
	ui.outputTextBrowser->append("Loading the malware driver...");
	if (!loadDriver(malwareDriverPath, malwareServiceName, malwareServiceDisplayName))
	{
		return;
	}

	//open drivers handle
	ui.outputTextBrowser->append("Opening the protected driver device...");
	if (!protectedDriverControl.open(protectedDeviceName))
	{
		ui.outputTextBrowser->append("Open failed.");
		return;
	}
	ui.outputTextBrowser->append("Opened.");

	ui.outputTextBrowser->append("Opening the malware driver device...");
	if (!malwareDriverControl.open(malwareDeviceName))
	{
		ui.outputTextBrowser->append("Open failed.");
		return;
	}
	ui.outputTextBrowser->append("Opened.");

	initialized = true;

	//scroll to next page
	ui.controlStackedWidget->setCurrentIndex(1);

	//add helper text
	ui.helperTextBrowser->clear();
	ui.helperTextBrowser->append("Initialization succeeded.");
	ui.helperTextBrowser->append("First click both procedure buttons above and note the results, then start the attack, then click both procedure buttons again and compare the results.");
}

void ControlPanel::attack()
{
	qDebug() << "attack";
	if (!malwareDriverControl.attack())
	{
		ui.outputTextBrowser->append("Attack failed.");
		return;
	}
	ui.outputTextBrowser->append("Attack succeeded.");
}

void ControlPanel::normalProcedure()
{
	qDebug() << "normalProcedure";
	ui.outputTextBrowser->append("Running the unprotected procedure...");
	ui.outputTextBrowser->append(QString("Read data: ") + protectedDriverControl.unsafeRead());
	ui.outputTextBrowser->append(QString("Execution result: ") + protectedDriverControl.unsafeExec());
}

void ControlPanel::protectedProcedure()
{
	qDebug() << "protectedProcedure";
	ui.outputTextBrowser->append("Running the protected procedure...");
	ui.outputTextBrowser->append(QString("Read data: ") + protectedDriverControl.safeRead());
	ui.outputTextBrowser->append(QString("Execution result: ") + protectedDriverControl.safeExec());
}

void ControlPanel::closeEvent(QCloseEvent* event)
{
	qDebug() << "closeEvent";
	if (QMessageBox::question(this, "Exit", "Are you sure you want to exit?", QMessageBox::Yes, QMessageBox::No) == QMessageBox::Yes)
	{
		//unload drivers
		malwareDriverControl.close();
		protectedDriverControl.close();
		unloadDriver(malwareServiceName);
		unloadDriver(protectedServiceName);

		//ui.outputTextBrowser->append("Unloading drivers...");
		//QThread::sleep(2);


		//uninitialize SCM
		Services::uninit();

		event->accept();
	}
	else
	{
		event->ignore();
	}

}

bool ControlPanel::loadDriver(QString driverPath, QString serviceName, QString serviceDisplayName)
{
	unsigned long registrationResult = Services::Register(driverPath,
		serviceName,
		serviceDisplayName,
		"Demand",
		"Normal");
	switch (registrationResult) {
	case ERROR_SERVICE_EXISTS:
		ui.outputTextBrowser->append("Service registration failed. The service already exists.");
		break;

	case 1:
		ui.outputTextBrowser->append("Service registration failed. Empty or invalid parameters have been provided.");
		return false;

	case 0:
		ui.outputTextBrowser->append("Service registration succeeded.");
		break;

	default:
		ui.outputTextBrowser->append(QString("Service registration failed. Error code %1.").arg(registrationResult));
		return false;
	}

	unsigned long startResult = Services::Start(serviceName);

	switch (startResult) {
	case 1:
		ui.outputTextBrowser->append("Starting service failed.");
		return false;

	case ERROR_SHARING_VIOLATION:
		ui.outputTextBrowser->append("The process cannot access the file because it is being used by another process.");
		return false;

	case ERROR_SERVICE_DOES_NOT_EXIST:
		ui.outputTextBrowser->append("The specified service does not exist as an installed service.");
		return false;

	case ERROR_SERVICE_ALREADY_RUNNING:
		ui.outputTextBrowser->append("An instance of the service is already running.");
		break;

	case 0:
		ui.outputTextBrowser->append("Service started.");
		break;

	default:
		ui.outputTextBrowser->append(QString("Starting service failed. Error code %1.").arg(startResult));
		return false;
	}

	return true;
}

bool ControlPanel::unloadDriver(QString serviceName)
{
	//if (!initialized)
	//{
	//	return false;
	//}

	unsigned long stopResult = Services::Stop(serviceName);

	switch (stopResult) {
	case 1:
		ui.outputTextBrowser->append("Stopping service failed.");
		break;

	case ERROR_SERVICE_NOT_ACTIVE:
		ui.outputTextBrowser->append("The service has not been started.");
		break;

	case ERROR_SERVICE_DOES_NOT_EXIST:
		ui.outputTextBrowser->append("The specified service does not exist as an installed service.");
		break;

	case 0:
		ui.outputTextBrowser->append("Service stopped.");
		break;

	default:
		ui.outputTextBrowser->append(QString("Stopping service failed. Error code %1.").arg(stopResult));
		break;
	}

	unsigned long unregistrationResult = Services::Unregister(serviceName);
	bool unregResult = false;

	switch (unregistrationResult) {
	case 1:
		ui.outputTextBrowser->append("Service unregistration failed.");
		unregResult = false;
		break;

	case ERROR_SERVICE_DOES_NOT_EXIST:
		ui.outputTextBrowser->append("The specified service does not exist as an installed service.");
		unregResult = false;
		break;

	case 0:
		ui.outputTextBrowser->append("Service unregistration succeeded.");
		unregResult = true;
		break;

	default:
		ui.outputTextBrowser->append(QString("Service unregistration failed. Error code %1.").arg(unregistrationResult));
		unregResult = false;
		break;
	}
	//initialized = false;
	return unregResult;
}
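Added example, not part of this repository: loadDriver() above registers both drivers with the SCM as demand-start kernel services whose image lives in a .\sys\ folder next to the GUI binary, which on a host shows up as a System log Event ID 7045 ("A service was installed in the system") for a kernel-mode driver outside System32\drivers. The check below applies that rule to constructed 7045 records (the dictionaries, paths and helper names are assumptions, not the project's code).

```python
import re
from dataclasses import dataclass

# Constructed records in the shape of the Windows System log's Event ID 7045.
# The first two mirror what the ControlPanel's loadDriver() produces: demand-start
# kernel services whose image sits in a .\sys\ folder beside the GUI. All values
# are made up for this example.
SAMPLE_7045 = [
    {"ServiceName": "KernelHiddenExecute",
     "ImagePath": r"\??\C:\Users\demo\ControlPanel\sys\KernelHiddenExecute.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"ServiceName": "KernelHiddenExecuteMalware",
     "ImagePath": r"\??\C:\Users\demo\ControlPanel\sys\KernelHiddenExecuteMalware.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"ServiceName": "vmci",
     "ImagePath": r"\SystemRoot\System32\drivers\vmci.sys",
     "ServiceType": "kernel mode driver", "StartType": "system start"},
    {"ServiceName": "Spooler",
     "ImagePath": r'"C:\Windows\System32\spoolsv.exe"',
     "ServiceType": "user mode service", "StartType": "auto start"},
]

# Directories a kernel driver image is expected to live in (lower-cased).
# \SystemRoot is the kernel spelling of the Windows directory; both forms are
# accepted so the rule does not depend on how the SCM recorded the path.
TRUSTED_DRIVER_DIRS = (
    "\\systemroot\\system32\\drivers\\",
    "c:\\windows\\system32\\drivers\\",
)


@dataclass
class Finding:
    service: str
    image: str
    reason: str


def normalize_image_path(image_path):
    """Canonicalise an ImagePath as the SCM records it: drop surrounding quotes,
    drop the NT object-manager prefix \\??\\ that CreateService prepends to
    absolute paths, and fold case (NTFS paths are case-insensitive)."""
    path = image_path.strip().strip('"')
    path = re.sub(r"^\\\?\?\\", "", path)
    return path.lower()


def is_kernel_driver(record):
    return "kernel" in record.get("ServiceType", "").lower()


def analyze_7045(records, trusted_dirs=TRUSTED_DRIVER_DIRS):
    """Return a Finding for every kernel-driver install whose image is not in a
    trusted driver directory. Drivers staged under a user profile are called
    out separately, since that is where a loader shipped beside a GUI ends up."""
    findings = []
    for rec in records:
        if not is_kernel_driver(rec):
            continue
        image = normalize_image_path(rec["ImagePath"])
        if any(image.startswith(d) for d in trusted_dirs):
            continue
        reason = "kernel driver image outside System32\\drivers"
        if "\\users\\" in image:
            reason += "; staged under a user profile"
        findings.append(Finding(rec["ServiceName"], image, reason))
    return findings


if __name__ == "__main__":
    for f in analyze_7045(SAMPLE_7045):
        print(f"{f.service}: {f.image} -> {f.reason}")
```

On a live host the same records come from the System log (provider "Service Control Manager", event 7045), where the ImagePath field carries exactly the quoting and \??\ prefix the normaliser strips.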


================================================
FILE: ControlPanel/ControlPanel.h
================================================
#pragma once
#pragma execution_character_set("utf-8")

#include <QtWidgets/QWidget>
#include <QPushButton>
#include <QDebug>
#include <QCloseEvent>
#include <QMessageBox>
#include <QDir>
#include "ui_ControlPanel.h"
#include "dlcommon.h"
#include "dlservices.h"
#include "dldrivers.h"
#include "dlioctl.h"

class ControlPanel : public QWidget
{
	Q_OBJECT

public:
	ControlPanel(QWidget *parent = Q_NULLPTR);

public slots:
	void initialize();
	void attack();
	void normalProcedure();
	void protectedProcedure();

protected:
	void closeEvent(QCloseEvent * event);
private:
	Ui::ControlPanelClass ui;
	bool initialized;
	//bool isSafeProcExecuted1;
	//bool isUnsafeProcExecuted1;
	//bool isAttacked;
	//bool isSafeProcExecuted2;
	//bool isUnsafeProcExecuted2;
	QString protectedServiceName;
	QString protectedServiceDisplayName;
	QString protectedDriverPath;
	QString protectedDeviceName;
	ProtectedDriverControl protectedDriverControl;
	QString malwareServiceName;
	QString malwareServiceDisplayName;
	QString malwareDriverPath;
	QString malwareDeviceName;
	MalwareDriverControl malwareDriverControl;

	bool loadDriver(QString driverPath, QString serviceName, QString serviceDisplayName);
	bool unloadDriver(QString serviceName);
};


================================================
FILE: ControlPanel/ControlPanel.qrc
================================================
<RCC>
    <qresource prefix="/">
        <file>resources/malware.png</file>
        <file>resources/safeProcedure.png</file>
        <file>resources/unsafeProcedure.png</file>
        <file>resources/start.png</file>
    </qresource>
</RCC>


================================================
FILE: ControlPanel/ControlPanel.ui
================================================
<?xml version="1.0" encoding="UTF-8"?>
<ui version="4.0">
 <class>ControlPanelClass</class>
 <widget class="QWidget" name="ControlPanelClass">
  <property name="geometry">
   <rect>
    <x>0</x>
    <y>0</y>
    <width>846</width>
    <height>540</height>
   </rect>
  </property>
  <property name="windowTitle">
   <string>ControlPanel</string>
  </property>
  <layout class="QVBoxLayout" name="verticalLayout_3">
   <item>
    <widget class="QWidget" name="widget" native="true">
     <layout class="QHBoxLayout" name="horizontalLayout_3">
      <item>
       <widget class="QStackedWidget" name="controlStackedWidget">
        <property name="currentIndex">
         <number>0</number>
        </property>
        <widget class="QWidget" name="loaderPage">
         <layout class="QHBoxLayout" name="horizontalLayout">
          <item>
           <spacer name="horizontalSpacer">
            <property name="orientation">
             <enum>Qt::Horizontal</enum>
            </property>
            <property name="sizeHint" stdset="0">
             <size>
              <width>40</width>
              <height>20</height>
             </size>
            </property>
           </spacer>
          </item>
          <item>
           <widget class="QToolButton" name="initBtn">
            <property name="text">
             <string>初始化</string>
            </property>
            <property name="icon">
             <iconset resource="ControlPanel.qrc">
              <normaloff>:/resources/start.png</normaloff>:/resources/start.png</iconset>
            </property>
            <property name="iconSize">
             <size>
              <width>128</width>
              <height>128</height>
             </size>
            </property>
            <property name="toolButtonStyle">
             <enum>Qt::ToolButtonTextUnderIcon</enum>
            </property>
            <property name="autoRaise">
             <bool>true</bool>
            </property>
           </widget>
          </item>
          <item>
           <spacer name="horizontalSpacer_2">
            <property name="orientation">
             <enum>Qt::Horizontal</enum>
            </property>
            <property name="sizeHint" stdset="0">
             <size>
              <width>40</width>
              <height>20</height>
             </size>
            </property>
           </spacer>
          </item>
         </layout>
        </widget>
        <widget class="QWidget" name="procedurePage">
         <layout class="QVBoxLayout" name="verticalLayout_4">
          <item>
           <widget class="QWidget" name="widget_2" native="true">
            <layout class="QHBoxLayout" name="horizontalLayout_2">
             <item>
              <widget class="QToolButton" name="unsafeProcBtn">
               <property name="text">
                <string>不安全的过程</string>
               </property>
               <property name="icon">
                <iconset resource="ControlPanel.qrc">
                 <normaloff>:/resources/unsafeProcedure.png</normaloff>:/resources/unsafeProcedure.png</iconset>
               </property>
               <property name="iconSize">
                <size>
                 <width>72</width>
                 <height>72</height>
                </size>
               </property>
               <property name="toolButtonStyle">
                <enum>Qt::ToolButtonTextUnderIcon</enum>
               </property>
               <property name="autoRaise">
                <bool>true</bool>
               </property>
              </widget>
             </item>
             <item>
              <widget class="QToolButton" name="safeProcBtn">
               <property name="text">
                <string>安全的过程</string>
               </property>
               <property name="icon">
                <iconset resource="ControlPanel.qrc">
                 <normaloff>:/resources/safeProcedure.png</normaloff>:/resources/safeProcedure.png</iconset>
               </property>
               <property name="iconSize">
                <size>
                 <width>72</width>
                 <height>72</height>
                </size>
               </property>
               <property name="toolButtonStyle">
                <enum>Qt::ToolButtonTextUnderIcon</enum>
               </property>
               <property name="autoRaise">
                <bool>true</bool>
               </property>
              </widget>
             </item>
            </layout>
           </widget>
          </item>
          <item>
           <widget class="QWidget" name="widget_3" native="true">
            <layout class="QHBoxLayout" name="horizontalLayout_4">
             <item>
              <widget class="QToolButton" name="attackBtn">
               <property name="text">
                <string>开始攻击</string>
               </property>
               <property name="icon">
                <iconset resource="ControlPanel.qrc">
                 <normaloff>:/resources/malware.png</normaloff>:/resources/malware.png</iconset>
               </property>
               <property name="iconSize">
                <size>
                 <width>72</width>
                 <height>72</height>
                </size>
               </property>
               <property name="toolButtonStyle">
                <enum>Qt::ToolButtonTextUnderIcon</enum>
               </property>
               <property name="autoRaise">
                <bool>true</bool>
               </property>
              </widget>
             </item>
            </layout>
           </widget>
          </item>
         </layout>
        </widget>
       </widget>
      </item>
      <item>
       <widget class="QWidget" name="helperWidget" native="true">
        <layout class="QVBoxLayout" name="verticalLayout_2">
         <item>
          <widget class="QLabel" name="helperLabel">
           <property name="text">
            <string>帮助:</string>
           </property>
          </widget>
         </item>
         <item>
          <widget class="QTextBrowser" name="helperTextBrowser"/>
         </item>
        </layout>
       </widget>
      </item>
     </layout>
    </widget>
   </item>
   <item>
    <widget class="QWidget" name="outputWidget" native="true">
     <layout class="QVBoxLayout" name="verticalLayout">
      <item>
       <widget class="QLabel" name="outputLabel">
        <property name="text">
         <string>状态输出:</string>
        </property>
       </widget>
      </item>
      <item>
       <widget class="QTextBrowser" name="outputTextBrowser"/>
      </item>
     </layout>
    </widget>
   </item>
  </layout>
 </widget>
 <layoutdefault spacing="6" margin="11"/>
 <resources>
  <include location="ControlPanel.qrc"/>
 </resources>
 <connections/>
</ui>


================================================
FILE: ControlPanel/ControlPanel.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="16.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup Label="ProjectConfigurations">
    <ProjectConfiguration Include="Debug|Win32">
      <Configuration>Debug</Configuration>
      <Platform>Win32</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|Win32">
      <Configuration>Release</Configuration>
      <Platform>Win32</Platform>
    </ProjectConfiguration>
  </ItemGroup>
  <PropertyGroup Label="Globals">
    <ProjectGuid>{2C7AEAC4-25F4-4C9D-842D-5C001D2BBA71}</ProjectGuid>
    <Keyword>QtVS_v303</Keyword>
    <WindowsTargetPlatformVersion Condition="'$(Configuration)|$(Platform)' == 'Debug|Win32'">10.0.19041.0</WindowsTargetPlatformVersion>
    <WindowsTargetPlatformVersion Condition="'$(Configuration)|$(Platform)' == 'Release|Win32'">10.0.19041.0</WindowsTargetPlatformVersion>
    <QtMsBuild Condition="'$(QtMsBuild)'=='' OR !Exists('$(QtMsBuild)\qt.targets')">$(MSBuildProjectDirectory)\QtMsBuild</QtMsBuild>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|Win32'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <PlatformToolset>v142</PlatformToolset>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release|Win32'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <PlatformToolset>v142</PlatformToolset>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
  <Target Name="QtMsBuildNotFound" BeforeTargets="CustomBuild;ClCompile" Condition="!Exists('$(QtMsBuild)\qt.targets') or !Exists('$(QtMsBuild)\qt.props')">
    <Message Importance="High" Text="QtMsBuild: could not locate qt.targets, qt.props; project may not build correctly." />
  </Target>
  <ImportGroup Label="ExtensionSettings" />
  <ImportGroup Label="Shared" />
  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)' == 'Debug|Win32'">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)' == 'Release|Win32'">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <PropertyGroup Label="UserMacros" />
  <ImportGroup Condition="Exists('$(QtMsBuild)\qt_defaults.props')">
    <Import Project="$(QtMsBuild)\qt_defaults.props" />
  </ImportGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|Win32'">
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release|Win32'">
  </PropertyGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <Link>
      <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <Link>
      <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
    </Link>
  </ItemDefinitionGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|Win32'" Label="QtSettings">
    <QtInstall>msvc2017</QtInstall>
    <QtModules>core;gui;widgets</QtModules>
    <QtBuildConfig>debug</QtBuildConfig>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release|Win32'" Label="QtSettings">
    <QtInstall>msvc2017</QtInstall>
    <QtModules>core;gui;widgets</QtModules>
    <QtBuildConfig>release</QtBuildConfig>
    <QMakeCodeLines>
    </QMakeCodeLines>
  </PropertyGroup>
  <ImportGroup Condition="Exists('$(QtMsBuild)\qt.props')">
    <Import Project="$(QtMsBuild)\qt.props" />
  </ImportGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|Win32'" Label="Configuration">
    <ClCompile>
      <TreatWChar_tAsBuiltInType>true</TreatWChar_tAsBuiltInType>
      <MultiProcessorCompilation>true</MultiProcessorCompilation>
      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
      <Optimization>Disabled</Optimization>
      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
    </ClCompile>
    <Link>
      <SubSystem>Windows</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)' == 'Release|Win32'" Label="Configuration">
    <ClCompile>
      <TreatWChar_tAsBuiltInType>true</TreatWChar_tAsBuiltInType>
      <MultiProcessorCompilation>true</MultiProcessorCompilation>
      <DebugInformationFormat>None</DebugInformationFormat>
      <Optimization>MaxSpeed</Optimization>
      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
    </ClCompile>
    <Link>
      <SubSystem>Windows</SubSystem>
      <GenerateDebugInformation>false</GenerateDebugInformation>
    </Link>
  </ItemDefinitionGroup>
  <ItemGroup>
    <QtRcc Include="ControlPanel.qrc" />
    <QtUic Include="ControlPanel.ui" />
    <QtMoc Include="ControlPanel.h" />
    <ClCompile Include="ControlPanel.cpp" />
    <ClCompile Include="dlcommon.cpp" />
    <ClCompile Include="dlioctl.cpp" />
    <ClCompile Include="dlservices.cpp" />
    <ClCompile Include="main.cpp" />
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="dlcommon.h" />
    <ClInclude Include="dlconfig.h" />
    <ClInclude Include="dlioctl.h" />
    <ClInclude Include="dlservices.h" />
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Condition="Exists('$(QtMsBuild)\qt.targets')">
    <Import Project="$(QtMsBuild)\qt.targets" />
  </ImportGroup>
  <ImportGroup Label="ExtensionTargets">
  </ImportGroup>
</Project>

================================================
FILE: ControlPanel/ControlPanel.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Filter Include="Source Files">
      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
    </Filter>
    <Filter Include="Header Files">
      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
    </Filter>
    <Filter Include="Resource Files">
      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
    </Filter>
    <Filter Include="Form Files">
      <UniqueIdentifier>{99349809-55BA-4b9d-BF79-8FDBB0286EB3}</UniqueIdentifier>
      <Extensions>ui</Extensions>
    </Filter>
    <Filter Include="Resource Files">
      <UniqueIdentifier>{D9D6E242-F8AF-46E4-B9FD-80ECBC20BA3E}</UniqueIdentifier>
      <Extensions>qrc;*</Extensions>
      <ParseFiles>false</ParseFiles>
    </Filter>
  </ItemGroup>
  <ItemGroup>
    <QtRcc Include="ControlPanel.qrc">
      <Filter>Resource Files</Filter>
    </QtRcc>
    <QtUic Include="ControlPanel.ui">
      <Filter>Resource Files</Filter>
    </QtUic>
    <QtMoc Include="ControlPanel.h">
      <Filter>Header Files</Filter>
    </QtMoc>
    <ClCompile Include="ControlPanel.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="main.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="dlcommon.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="dlservices.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="dlioctl.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="dlcommon.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="dlservices.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="dlconfig.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="dlioctl.h">
      <Filter>Header Files</Filter>
    </ClInclude>
  </ItemGroup>
</Project>

================================================
FILE: ControlPanel/dlcommon.cpp
================================================
/*
    This file is part of driver-loader
    Copyright (C) 2017 @maldevel

    driver-loader - Load a Windows Kernel Driver.
    https://github.com/maldevel/driver-loader

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
    For more see the file 'LICENSE' for copying permission.
*/

#include "dlcommon.h"
#include <QDebug>

static HANDLE processHeap;

//retrieve a handle to the default heap of this process
void Common::init(void) {
    processHeap = GetProcessHeap();
}

//HeapAlloc wrapper
//allocate a block of memory from a heap
void *Common::hAlloc(SIZE_T size) {
    if (processHeap == NULL || size <= 0) return NULL;

    return HeapAlloc(processHeap, HEAP_ZERO_MEMORY, size);
}

//HeapReAlloc wrapper
void *Common::hReAlloc(void *mem, SIZE_T size) {
    if (processHeap == NULL || mem == NULL || size <= 0) return NULL;

    return HeapReAlloc(processHeap, HEAP_ZERO_MEMORY, mem, size);
}

//free a memory block allocated from a heap by the HeapAlloc
void Common::hFree(void *mem) {
    if (processHeap == NULL || mem == NULL) return;

    HeapFree(processHeap, 0, mem);
    mem = NULL;
}

void Common::ConsoleLog(QString log) {
    if (log == NULL) return;

    if (DEBUG) {
        qDebug() << log;
    }
}


================================================
FILE: ControlPanel/dlcommon.h
================================================
#pragma once

/*
    This file is part of driver-loader
    Copyright (C) 2017 @maldevel

    driver-loader - Load a Windows Kernel Driver.
    https://github.com/maldevel/driver-loader

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
    For more see the file 'LICENSE' for copying permission.
*/

#include "dlconfig.h"

#include <Windows.h>
#include <QString>

//#define TRUE 1
//#define FALSE 0

namespace Common {
    //initialize common lib stuff
    void init(void);

    //Allocates a block of memory from a heap.
    void *hAlloc(SIZE_T size);

    //Reallocates a block of memory from a heap.
    void *hReAlloc(void *mem, SIZE_T size);

    //free a memory block allocated from a heap by the hAlloc
    void hFree(void *mem);

    //console.log
    void ConsoleLog(QString log);
}


================================================
FILE: ControlPanel/dlconfig.h
================================================
#pragma once

/*
    This file is part of driver-loader
    Copyright (C) 2017 @maldevel

    driver-loader - Load a Windows Kernel Driver.
    https://github.com/maldevel/driver-loader

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
    For more see the file 'LICENSE' for copying permission.
*/

//#define APP_VERSION "1.0"
//#define APP_DATE    "March, 2017"
#define DEBUG   1



================================================
FILE: ControlPanel/dldrivers.cpp
================================================
/*
    This file is part of driver-loader
    Copyright (C) 2017 @maldevel

    driver-loader - Load a Windows Kernel Driver.
    https://github.com/maldevel/driver-loader

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
    For more see the file 'LICENSE' for copying permission.
*/

#include "dldrivers.h"
#include "dlcommon.h"
#include <Windows.h>
#include <Shlwapi.h>

static BOOL _fileExists(const char *filename) {
    if (filename == NULL)return FALSE;

    return PathFileExistsA(filename);
}

QString Drivers::GetFileVersion(QString fName) {
    if (fName == NULL || !_fileExists(fName.toStdString().c_str())) return "";

    DWORD handle;
    DWORD size = 0;
    void *buffer = 0;
    VS_FIXEDFILEINFO *lpBuffer = 0;
    unsigned int len = 0;
    QString fVersion = 0;

    if ((size = GetFileVersionInfoSizeA(fName.toStdString().c_str(), &handle)) == FALSE) {
        return "";
    }

    if ((buffer = Common::hAlloc(size)) == NULL) {
        return "";
    }

    if (GetFileVersionInfoA(fName.toStdString().c_str(), handle, size, buffer) == FALSE) {
        Common::hFree(buffer);
        return "";
    }

    //explicit W variant so the wide sub-block name compiles regardless of the UNICODE setting
    if (VerQueryValueW(buffer, L"\\", (void **)&lpBuffer, &len) == FALSE) {
        Common::hFree(buffer);
        return "";
    }

    fVersion = QString("%1.%2.%3.%4")
               .arg(HIWORD(lpBuffer->dwFileVersionMS))
               .arg(LOWORD(lpBuffer->dwFileVersionMS))
               .arg(HIWORD(lpBuffer->dwFileVersionLS))
               .arg(LOWORD(lpBuffer->dwFileVersionLS));

    Common::hFree(buffer);

    return fVersion;
}

unsigned long Drivers::GetDriverFileSize(QString fName) {
    if (fName == NULL || !_fileExists(fName.toStdString().c_str())) return 0;

    HANDLE hFile;
    unsigned long size = 0;
    unsigned long sizeHigh = 0;

    if ((hFile = CreateFileA(fName.toStdString().c_str(), GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0)) == INVALID_HANDLE_VALUE) {
        return 0;
    }

    if ((size = GetFileSize(hFile,  NULL)) == INVALID_FILE_SIZE) {
        if (GetLastError() == NO_ERROR) {
            if ((size = GetFileSize(hFile,  &sizeHigh)) != INVALID_FILE_SIZE) {
                CloseHandle(hFile);
                return sizeHigh;
            }
        }

        CloseHandle(hFile);
        return 0;
    }

    CloseHandle(hFile);

    return size;
}

QString Drivers::GetFileLastWriteTime(QString fName) {
    if (fName == NULL || !_fileExists(fName.toStdString().c_str())) return "";

    HANDLE hFile;
    FILETIME ftCreate, ftAccess, ftWrite;
    SYSTEMTIME stUTC, stLocal;
    QString day = "";
    QString month = "";

    if ((hFile = CreateFileA(fName.toStdString().c_str(), GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0)) == INVALID_HANDLE_VALUE) {
        return "";
    }

    if (GetFileTime(hFile, &ftCreate, &ftAccess, &ftWrite) == 0) {
        CloseHandle(hFile);
        return "";
    }

    if (FileTimeToSystemTime(&ftWrite, &stUTC) == 0) {
        CloseHandle(hFile);
        return "";
    }

    if (SystemTimeToTzSpecificLocalTime(NULL, &stUTC, &stLocal) == 0) {
        CloseHandle(hFile);
        return "";
    }

    switch (stLocal.wDayOfWeek) {
        case 0:
            day = "Sunday";
            break;
        case 1:
            day = "Monday";
            break;
        case 2:
            day = "Tuesday";
            break;
        case 3:
            day = "Wednesday";
            break;
        case 4:
            day = "Thursday";
            break;
        case 5:
            day = "Friday";
            break;
        case 6:
            day = "Saturday";
            break;
    };

    switch (stLocal.wMonth) {
        case 1:
            month = "January";
            break;
        case 2:
            month = "February";
            break;
        case 3:
            month = "March";
            break;
        case 4:
            month = "April";
            break;
        case 5:
            month = "May";
            break;
        case 6:
            month = "June";
            break;
        case 7:
            month = "July";
            break;
        case 8:
            month = "August";
            break;
        case 9:
            month = "September";
            break;
        case 10:
            month = "October";
            break;
        case 11:
            month = "November";
            break;
        case 12:
            month = "December";
            break;
    };

    CloseHandle(hFile);

    return QString("%1, %2 %3, %4 %5:%6:%7")
           .arg(day)
           .arg(month)
           .arg(stLocal.wDay)
           .arg(stLocal.wYear)
           .arg(stLocal.wHour)
           .arg(stLocal.wMinute)
           .arg(stLocal.wSecond);
}


================================================
FILE: ControlPanel/dldrivers.h
================================================
#pragma once

/*
    This file is part of driver-loader
    Copyright (C) 2017 @maldevel

    driver-loader - Load a Windows Kernel Driver.
    https://github.com/maldevel/driver-loader

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
    For more see the file 'LICENSE' for copying permission.
*/

#include <QString>

namespace Drivers {
    //get driver file version
    QString GetFileVersion(QString fName);

    //get driver file size in bytes
    unsigned long GetDriverFileSize(QString fName);

    //get driver file last-write time
    QString GetFileLastWriteTime(QString fName);
}


================================================
FILE: ControlPanel/dlioctl.cpp
================================================
#include "dlioctl.h"

ProtectedDriverControl::ProtectedDriverControl()
	:hDevice(INVALID_HANDLE_VALUE)
{
}

ProtectedDriverControl::~ProtectedDriverControl()
{
	close();
}

bool ProtectedDriverControl::open(QString deviceName)
{
	hDevice = CreateFile(deviceName.toStdWString().c_str(),
		GENERIC_WRITE | GENERIC_READ,
		0,
		NULL,
		OPEN_EXISTING,
		0,
		NULL);
	if (hDevice == INVALID_HANDLE_VALUE)
	{
		return false;
	}
	return true;
}

void ProtectedDriverControl::close()
{
	if (hDevice != INVALID_HANDLE_VALUE)
	{
		CloseHandle(hDevice);
	}
	hDevice = INVALID_HANDLE_VALUE;
}

QString ProtectedDriverControl::safeRead()
{
	if (hDevice == INVALID_HANDLE_VALUE)
	{
		return QString("INVALID_HANDLE_VALUE");
	}

	DWORD returnedBytes = 0;
	const int bufferSize = 64;
	char outputBuffer[bufferSize + 1] = {};   //one spare byte keeps the string NUL-terminated even if the driver fills all bufferSize bytes

	if (!DeviceIoControl(hDevice, IOCTL_SAFE_READ, NULL, 0, outputBuffer, bufferSize, &returnedBytes, 0))
	{
		return QString("DeviceIoControl failed");
	}
	return QString(outputBuffer);
}

QString ProtectedDriverControl::safeExec()
{
	if (hDevice == INVALID_HANDLE_VALUE)
	{
		return QString("INVALID_HANDLE_VALUE");
	}

	DWORD returnedBytes = 0;
	const int bufferSize = 64;
	char inputBuffer[bufferSize] = "wrongPassword";
	char outputBuffer[bufferSize] = {};


	if (!DeviceIoControl(hDevice, IOCTL_SAFE_EXEC, inputBuffer, bufferSize, outputBuffer, bufferSize, &returnedBytes, 0))
	{
		return QString("DeviceIoControl failed");
	}
	return QString(*(int*)outputBuffer ? "verification success" : "verification failed");
}

QString ProtectedDriverControl::unsafeRead()
{
	if (hDevice == INVALID_HANDLE_VALUE)
	{
		return QString("INVALID_HANDLE_VALUE");
	}

	DWORD returnedBytes = 0;
	const int bufferSize = 64;
	char outputBuffer[bufferSize + 1] = {};   //one spare byte keeps the string NUL-terminated even if the driver fills all bufferSize bytes

	if (!DeviceIoControl(hDevice, IOCTL_UNSAFE_READ, NULL, 0, outputBuffer, bufferSize, &returnedBytes, 0))
	{
		return QString("DeviceIoControl failed");
	}
	return QString(outputBuffer);
}

QString ProtectedDriverControl::unsafeExec()
{
	if (hDevice == INVALID_HANDLE_VALUE)
	{
		return QString("INVALID_HANDLE_VALUE");
	}

	DWORD returnedBytes = 0;
	const int bufferSize = 64;
	char inputBuffer[bufferSize] = "wrongPassword";
	char outputBuffer[bufferSize] = {};


	if (!DeviceIoControl(hDevice, IOCTL_UNSAFE_EXEC, inputBuffer, bufferSize, outputBuffer, bufferSize, &returnedBytes, 0))
	{
		return QString("DeviceIoControl failed");
	}
	return QString(*(int*)outputBuffer ? "verification success" : "verification failed");
}

MalwareDriverControl::MalwareDriverControl()
	:hDevice(INVALID_HANDLE_VALUE)
{
}

MalwareDriverControl::~MalwareDriverControl()
{
	close();
}

bool MalwareDriverControl::open(QString deviceName)
{
	hDevice = CreateFile(deviceName.toStdWString().c_str(),
		GENERIC_WRITE | GENERIC_READ,
		0,
		NULL,
		OPEN_EXISTING,
		0,
		NULL);
	if (hDevice == INVALID_HANDLE_VALUE)
	{
		return false;
	}
	return true;
}

void MalwareDriverControl::close()
{
	if (hDevice != INVALID_HANDLE_VALUE)
	{
		CloseHandle(hDevice);
	}
	hDevice = INVALID_HANDLE_VALUE;
}

bool MalwareDriverControl::attack()
{
	if (hDevice == INVALID_HANDLE_VALUE)
	{
		return false;
	}

	DWORD returnedBytes = 0;
	const int bufferSize = 64;
	char outputBuffer[bufferSize] = {};

	if (!DeviceIoControl(hDevice, IOCTL_ATTACK, NULL, 0, outputBuffer, bufferSize, &returnedBytes, 0))
	{
		return false;
	}
	return (bool)*(int*)outputBuffer;
}


================================================
FILE: ControlPanel/dlioctl.h
================================================
#pragma once

#include <Windows.h>
#include <QString>

#define IOCTL_SAFE_READ	CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_SAFE_EXEC	CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_UNSAFE_READ	CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_UNSAFE_EXEC	CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_BUFFERED, FILE_ANY_ACCESS)

class ProtectedDriverControl
{
public:
	ProtectedDriverControl();
	~ProtectedDriverControl();

	bool open(QString deviceName);
	void close();
	QString safeRead();
	QString safeExec();

	QString unsafeRead();
	QString unsafeExec();

private:
	HANDLE hDevice;
};

#define IOCTL_ATTACK	CTL_CODE(FILE_DEVICE_UNKNOWN, 0x810, METHOD_BUFFERED, FILE_ANY_ACCESS)

class MalwareDriverControl
{
public:
	MalwareDriverControl();
	~MalwareDriverControl();

	bool open(QString deviceName);
	void close();
	bool attack();

private:
	HANDLE hDevice;
};

================================================
FILE: ControlPanel/dlservices.cpp
================================================
/*
    This file is part of driver-loader
    Copyright (C) 2017 @maldevel

    driver-loader - Load a Windows Kernel Driver.
    https://github.com/maldevel/driver-loader

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
    For more see the file 'LICENSE' for copying permission.
*/

#include "dlservices.h"

static SC_HANDLE scManager;

bool Services::init(void) {
    scManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_ALL_ACCESS);
    if (scManager == NULL) {
        return false;
    }

    return true;
}

SC_HANDLE Services::Open(QString service) {
    if (service == NULL || scManager == NULL || service.trimmed().isEmpty() ||
            service.trimmed().length() > 256) return NULL;

    return OpenServiceA(scManager, service.toStdString().c_str(), SERVICE_ALL_ACCESS);
}

void Services::uninit(void) {
    if (scManager == NULL) return;

    CloseServiceHandle(scManager);
    scManager = NULL;   //a second uninit must not close the stale handle again
}

unsigned long Services::Register(QString driver, QString serviceName, QString displayName,
                                 QString startTypeStr, QString error) {
    if (driver == NULL || serviceName == NULL || scManager == NULL ||
            displayName == NULL || startTypeStr == NULL || error == NULL ||
            driver.trimmed().isEmpty() || serviceName.trimmed().isEmpty() ||
            displayName.trimmed().isEmpty() || startTypeStr.trimmed().isEmpty() ||
            error.trimmed().isEmpty() || serviceName.trimmed().length() > 256 ||
            displayName.trimmed().length() > 256) return 1;

    SC_HANDLE scService;
    unsigned long startType = SERVICE_DEMAND_START;
    unsigned long errorControl = SERVICE_ERROR_NORMAL;

    //"Automatic" "Boot" "Demand" "Disabled" "System"
    if (startTypeStr.trimmed().compare("Automatic", Qt::CaseSensitive) == 0) {
        startType = SERVICE_AUTO_START;
    } else if (startTypeStr.trimmed().compare("Boot", Qt::CaseSensitive) == 0) {
        startType = SERVICE_BOOT_START;
    } else if (startTypeStr.trimmed().compare("Demand", Qt::CaseSensitive) == 0) {
        startType = SERVICE_DEMAND_START;
    } else if (startTypeStr.trimmed().compare("Disabled", Qt::CaseSensitive) == 0) {
        startType = SERVICE_DISABLED;
    } else if (startTypeStr.trimmed().compare("System", Qt::CaseSensitive) == 0) {
        startType = SERVICE_SYSTEM_START;
    }

    //"Critical" "Ignore" "Normal" "Severe"
    if (error.trimmed().compare("Critical", Qt::CaseSensitive) == 0) {
        errorControl = SERVICE_ERROR_CRITICAL;
    } else if (error.trimmed().compare("Ignore", Qt::CaseSensitive) == 0) {
        errorControl = SERVICE_ERROR_IGNORE;
    } else if (error.trimmed().compare("Normal", Qt::CaseSensitive) == 0) {
        errorControl = SERVICE_ERROR_NORMAL;
    } else if (error.trimmed().compare("Severe", Qt::CaseSensitive) == 0) {
        errorControl = SERVICE_ERROR_SEVERE;
    }

    if ((scService = CreateServiceA(scManager, serviceName.trimmed().toStdString().c_str(),
                                    displayName.trimmed().toStdString().c_str(),
                                    SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER,
                                    startType, errorControl,
                                    driver.trimmed().toStdString().c_str(),
                                    NULL, NULL, NULL, NULL, NULL)) == NULL) {
        return GetLastError();
    }

    CloseServiceHandle(scService);

    return 0;
}

unsigned long Services::Unregister(QString service) {
    if (service == NULL || scManager == NULL || service.trimmed().isEmpty() ||
            service.trimmed().length() > 256) return 1;

    SC_HANDLE srvHandle;
    unsigned long error = 0;

    if ((srvHandle = Open(service)) == NULL) {
        return GetLastError();
    }

    if ((error = Stop(srvHandle)) != 0) {
        if (error != ERROR_SERVICE_NOT_ACTIVE) {
            CloseServiceHandle(srvHandle);
            return error;
        }
    }

    if (DeleteService(srvHandle) == 0) {
        CloseServiceHandle(srvHandle);
        return GetLastError();
    }

    CloseServiceHandle(srvHandle);

    return 0;
}

unsigned long Services::Start(SC_HANDLE service) {
    if (service == NULL || scManager == NULL) return 1;

    if (StartService(service, 0, NULL) == 0) {
        return GetLastError();
    }

    return 0;
}

unsigned long Services::Start(QString service) {
    if (service == NULL || scManager == NULL || service.trimmed().isEmpty() ||
            service.trimmed().length() > 256) return 1;

    unsigned long error = 0;

    SC_HANDLE srvHandle;

    if ((srvHandle = Open(service)) == NULL) {
        return GetLastError();
    }

    if ((error = Start(srvHandle)) != 0) {
        CloseServiceHandle(srvHandle);
        return error;
    }

    CloseServiceHandle(srvHandle);

    return 0;
}

unsigned long Services::Stop(SC_HANDLE service) {
    if (service == NULL || scManager == NULL) return 1;

    SERVICE_STATUS serviceStatus;

    if (ControlService(service, SERVICE_CONTROL_STOP, &serviceStatus) == 0) {
        return GetLastError();
    }

    return 0;
}

unsigned long Services::Stop(QString service) {
    if (service == NULL || scManager == NULL || service.trimmed().isEmpty() ||
            service.trimmed().length() > 256) return 1;

    SC_HANDLE srvHandle;
    unsigned long error = 0;

    if ((srvHandle = Open(service)) == NULL) {
        return GetLastError();
    }

    if ((error = Stop(srvHandle)) != 0) {
        CloseServiceHandle(srvHandle);
        return error;
    }

    CloseServiceHandle(srvHandle);
    return 0;
}


================================================
FILE: ControlPanel/dlservices.h
================================================
#pragma once

/*
    This file is part of driver-loader
    Copyright (C) 2017 @maldevel

    driver-loader - Load a Windows Kernel Driver.
    https://github.com/maldevel/driver-loader

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
    For more see the file 'LICENSE' for copying permission.
*/

#include <Windows.h>
#include <QString>

namespace Services {
    //initialize services lib stuff
    bool init(void);

    //un-initialize services lib stuff
    void uninit(void);

    //register a new service (install)
    unsigned long Register(QString driver, QString serviceName, QString displayName, QString startType, QString error);

    //unregister a service (uninstall)
    unsigned long Unregister(QString service);

    //start a service
    unsigned long Start(SC_HANDLE service);

    //start a service
    unsigned long Start(QString service);

    //stop a service
    unsigned long Stop(SC_HANDLE service);

    //stop a service
    unsigned long Stop(QString service);

    //open handle to service
    SC_HANDLE Open(QString service);
}



================================================
FILE: ControlPanel/main.cpp
================================================
#include "ControlPanel.h"
#include <QtWidgets/QApplication>
#include <QMessageBox>
#include <cstdio>
#include <cstring>
#include <regex>
#include <string>
using namespace std;

//run a command through a pipe and append its standard output to result,
//which must be NUL-terminated on entry and hold resultSize bytes
int execmd(const char* cmd, char* result, size_t resultSize) {
	char buffer[128];                                   //one chunk of command output
	FILE* pipe = _popen(cmd, "r");                      //open a read pipe to the command
	if (!pipe)
		return 0;                                       //0 means the command could not be started

	while (fgets(buffer, sizeof(buffer), pipe)) {       //copy the pipe output into result, bounded
		strncat(result, buffer, resultSize - strlen(result) - 1);
	}
	_pclose(pipe);                                      //close the pipe
	return 1;                                           //1 means the command ran
}

int main(int argc, char *argv[])
{
	QApplication a(argc, argv);

	//read the build number from the output of VER and refuse to run on builds newer than 7601 (Windows 7 SP1)
	char buffer[128] = {};                              //zero-initialized so execmd can append to it
	execmd("VER", buffer, sizeof(buffer));
	string tempStr = string(buffer);
	smatch subFormulaMatch;
	regex pattern(R"(\d+\.\d+\.(\d+))");
	regex_search(tempStr, subFormulaMatch, pattern);
	if (subFormulaMatch.size() == 2 && stoi(subFormulaMatch[1].str()) > 7601)
	{
		//the original message strings were mis-encoded Chinese ("unsupported system version")
		QMessageBox::critical(nullptr, "Error", "Unsupported operating system version");
		return 0;
	}

	ControlPanel w;
	w.show();
	return a.exec();
}


================================================
FILE: KernelHiddenExcute/Head.h
================================================
#pragma once

#include <ntifs.h>
#include <ntddk.h>
#include <stdlib.h>
#include <windef.h>
#include <ntimage.h>
#include <intrin.h>

#include "MyDebugPrint.h"
#include "PhysicalMemoryOperation.h"
#include "SectionOperation.h"
#include "HiddenExecute.h"
#include "HiddenCallApiTransfer.h"
#include "HiddenFunctions.h"


#define	DEVICE_NAME	L"\\Device\\KernelHiddenExcute"
#define LINK_NAME	L"\\DosDevices\\Global\\KernelHiddenExcute"

#define IOCTL_TEST	CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS) 

PHIDDEN_PAGE_RECORD g_pHiddenPageRecord = NULL;

================================================
FILE: KernelHiddenExcute/HiddenCallApiTransfer.h
================================================
#pragma once
#include "Head.h"

/*********************************************************
function:		SimulateApi
description:
**********************************************************/
NTSTATUS SimulateApi(ULONG64 param1)
{
	MyPrint(_TitleAndFunc"param1:%16IX\n", param1);
	return STATUS_SUCCESS;
}

/*********************************************************
function:		ApiTransfer_SimulateApi
description:	test of calling an API from the hidden code through a transfer function
**********************************************************/
NTSTATUS ApiTransfer_SimulateApi(PHIDDEN_PAGE_RECORD pHiddenPageRecord, ULONG64 param1)
{
	//BOOL		IsIrqlChanged = FALSE;
	NTSTATUS	Status;

	/*
	if (HighestIrql < HIDDEN_IRQL)
	{
	ChangeIrql(HighestIrql);
	IsIrqlChanged = TRUE;
	}
	*/

	ContextHiddenToOriginal(pHiddenPageRecord);

	Status = SimulateApi(param1);

	ContextOriginalToHidden(pHiddenPageRecord);

	/*
	if (IsIrqlChanged)
	ChangeIrql(HIDDEN_IRQL);
	*/

	return Status;
}

================================================
FILE: KernelHiddenExcute/HiddenExecute.h
================================================
#pragma once
#include "Head.h"

/*********************************************************
description:
notice!!!	runs at IRQL >= DPC_LEVEL
			calling APIs from the hidden code can be a problem because they may require a lower IRQL

In order to hide the real code in non-mapped physical pages and wipe the original code,
the physical pages must be mapped back to the correct position before the hidden functions are called.
If an API has to be called from a hidden function, the call must go through a transfer function (which is not hidden).

What the transfer functions do: check & change the IRQL, restore & rewrite the page table entry (PTE), call the specific API.

The physical pages are reserved with MmMarkPhysicalMemoryAsBad, which prevents the system from allocating our physical pages.

**********************************************************/

#define SECTION_NAME_HIDDEN			".hidden"

#define HIDDEN_IRQL					DISPATCH_LEVEL
#define ChangeIrql(x)				WriteCR8(x)
#define ClearPageTableFlag(x)		ClearCR3Flag(x)
#define HIDDEN_PAGE_RECORD_LENGTH	0x1000
#define MAX_HIDDEN_PAGE_COUNT		126					//      (4096 - 40) / (4 * 8) = 126.75

typedef struct _MMPTE
{
	struct /* bitfield */
	{
		/* 0x0000 */ unsigned __int64 Valid : 1; /* bit position: 0 */
		/* 0x0000 */ unsigned __int64 Dirty1 : 1; /* bit position: 1 */
		/* 0x0000 */ unsigned __int64 Owner : 1; /* bit position: 2 */
		/* 0x0000 */ unsigned __int64 WriteThrough : 1; /* bit position: 3 */
		/* 0x0000 */ unsigned __int64 CacheDisable : 1; /* bit position: 4 */
		/* 0x0000 */ unsigned __int64 Accessed : 1; /* bit position: 5 */
		/* 0x0000 */ unsigned __int64 Dirty : 1; /* bit position: 6 */
		/* 0x0000 */ unsigned __int64 LargePage : 1; /* bit position: 7 */
		/* 0x0000 */ unsigned __int64 Global : 1; /* bit position: 8 */
		/* 0x0000 */ unsigned __int64 CopyOnWrite : 1; /* bit position: 9 */
		/* 0x0000 */ unsigned __int64 Unused : 1; /* bit position: 10 */
		/* 0x0000 */ unsigned __int64 Write : 1; /* bit position: 11 */
		/* 0x0000 */ unsigned __int64 PageFrameNumber : 36; /* bit position: 12 */
		/* 0x0000 */ unsigned __int64 reserved1 : 4; /* bit position: 48 */
		/* 0x0000 */ unsigned __int64 SoftwareWsIndex : 11; /* bit position: 52 */
		/* 0x0000 */ unsigned __int64 NoExecute : 1; /* bit position: 63 */
	}; /* bitfield */
} MMPTE, *PMMPTE; /* size: 0x0008 */

typedef struct _SPECIFIC_HIDDEN_PAGE_RECORD
{
	PVOID		pHiddenBase;
	PMMPTE		pPTE;
	ULONG64		OriginalPfn;
	ULONG64		HiddenPfn;
}SPECIFIC_HIDDEN_PAGE_RECORD, *PSPECIFIC_HIDDEN_PAGE_RECORD;

typedef struct _HIDDEN_PAGE_RECORD
{
	BOOL							IsHidden;
	KIRQL							OriginalIrql;
	BOOL							IsIrqlChanged;
	KSPIN_LOCK						SpinLock;
	ULONG64							Count;
	SPECIFIC_HIDDEN_PAGE_RECORD		Record[MAX_HIDDEN_PAGE_COUNT - 1];
}HIDDEN_PAGE_RECORD, *PHIDDEN_PAGE_RECORD;
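The design comment and the MMPTE layout above describe swapping the frame behind a code page's PTE between an original and a hidden PFN. As an added example that is not part of this repository, the following user-mode C program decodes raw x64 PTE values with the same bit layout and diffs a baseline snapshot of a driver's code-page PTEs against a later one, reporting entries whose frame or Valid/Write/NoExecute bits changed; the sample PTE values are constructed, and how the snapshots are collected is assumed to be handled elsewhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x64 hardware PTE, same bit layout as the MMPTE bitfield in HiddenExecute.h, in a union. */
typedef union {
    uint64_t Raw;
    struct {
        uint64_t Valid : 1;
        uint64_t Dirty1 : 1;
        uint64_t Owner : 1;
        uint64_t WriteThrough : 1;
        uint64_t CacheDisable : 1;
        uint64_t Accessed : 1;
        uint64_t Dirty : 1;
        uint64_t LargePage : 1;
        uint64_t Global : 1;
        uint64_t CopyOnWrite : 1;
        uint64_t Unused : 1;
        uint64_t Write : 1;
        uint64_t PageFrameNumber : 36;
        uint64_t reserved1 : 4;
        uint64_t SoftwareWsIndex : 11;
        uint64_t NoExecute : 1;
    } Bits;
} PTE;

/* Same conversions as pPTEPFNtoPhysicalAddress / pPhysicalAddresstoPTEPFN on the page. */
uint64_t PfnToPhysical(uint64_t pfn) { return pfn << 12; }
uint64_t PhysicalToPfn(uint64_t physical) { return physical >> 12; }

/* A page can run code only if it is present and its NX bit is clear. */
int PteIsExecutable(uint64_t raw) { PTE p; p.Raw = raw; return p.Bits.Valid && !p.Bits.NoExecute; }

/* One detected difference between a baseline and a later snapshot. */
typedef struct {
    size_t   Index;        /* position of the entry in the snapshot */
    uint64_t OriginalPfn;  /* frame the page mapped at baseline time */
    uint64_t CurrentPfn;   /* frame it maps in the later snapshot */
    int      PfnChanged, ValidChanged, WriteChanged, NoExecuteChanged;
} PteChange;

/* Compare only mapping-relevant bits; Accessed, Dirty and the working-set index change normally. */
static int PteMappingDiffers(PTE a, PTE b, PteChange *change)
{
    change->OriginalPfn      = a.Bits.PageFrameNumber;
    change->CurrentPfn       = b.Bits.PageFrameNumber;
    change->PfnChanged       = a.Bits.PageFrameNumber != b.Bits.PageFrameNumber;
    change->ValidChanged     = a.Bits.Valid != b.Bits.Valid;
    change->WriteChanged     = a.Bits.Write != b.Bits.Write;
    change->NoExecuteChanged = a.Bits.NoExecute != b.Bits.NoExecute;
    return change->PfnChanged || change->ValidChanged || change->WriteChanged || change->NoExecuteChanged;
}

/* Compare a baseline snapshot of a driver's code-page PTEs with a later snapshot of the same
   entries. Returns the total number of changed entries, even when only outMax fit into out. */
size_t ComparePteSnapshots(const uint64_t *baseline, const uint64_t *current,
                           size_t count, PteChange *out, size_t outMax)
{
    size_t found = 0;
    for (size_t i = 0; i < count; i++) {
        PTE a, b;
        PteChange change;
        a.Raw = baseline[i];
        b.Raw = current[i];
        change.Index = i;
        if (PteMappingDiffers(a, b, &change)) {
            if (found < outMax)
                out[found] = change;
            found++;
        }
    }
    return found;
}

/* Constructed sample snapshots (not from a real system): three valid, read-only,
   executable code pages. In the later snapshot the second entry points at another
   frame, while the third has merely lost its Accessed bit and must not be reported. */
#define SAMPLE_PTE_COUNT 3
const uint64_t kBaselinePtes[SAMPLE_PTE_COUNT] =
    { 0x000000001A2B3021ULL, 0x000000001A2B4021ULL, 0x000000001A2B5021ULL };
const uint64_t kCurrentPtes[SAMPLE_PTE_COUNT] =
    { 0x000000001A2B3021ULL, 0x000000002FFFF021ULL, 0x000000001A2B5001ULL };
PteChange g_changes[SAMPLE_PTE_COUNT];

size_t CompareSampleSnapshots(void)
{
    return ComparePteSnapshots(kBaselinePtes, kCurrentPtes, SAMPLE_PTE_COUNT, g_changes, SAMPLE_PTE_COUNT);
}

int main(void)
{
    size_t n = CompareSampleSnapshots();
    for (size_t i = 0; i < n; i++)
        printf("entry %zu remapped: PFN 0x%llX -> 0x%llX\n", g_changes[i].Index,
               (unsigned long long)g_changes[i].OriginalPfn, (unsigned long long)g_changes[i].CurrentPfn);
    return 0;
}
```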



PHYSICAL_OP_CR3			g_PhysicalOpCR3 = { 0 };
BOOL					g_IsHiddenOpInit = FALSE;

NTSYSAPI NTSTATUS MmMarkPhysicalMemoryAsBad(IN PPHYSICAL_ADDRESS, IN OUT PLARGE_INTEGER);
NTSYSAPI NTSTATUS MmMarkPhysicalMemoryAsGood(IN PPHYSICAL_ADDRESS, IN OUT PLARGE_INTEGER);

/*********************************************************
function:		InitializeHiddenPageRecordStructure
description:	initialize the structure:initialize spin lock & set count to zero
calls:			ExAllocatePool
				KeInitializeSpinLock
				CreatePhysicalOpCR3BySystemCR3
**********************************************************/
NTSTATUS InitializeHiddenPageRecordStructure(PHIDDEN_PAGE_RECORD* ppHiddenPageRecord)
{
	//check the init state
	if (g_IsHiddenOpInit)
		return STATUS_UNSUCCESSFUL;

	PHIDDEN_PAGE_RECORD pHiddenPageRecord = NULL;
	pHiddenPageRecord = (PHIDDEN_PAGE_RECORD)ExAllocatePool(NonPagedPool, HIDDEN_PAGE_RECORD_LENGTH);
	*ppHiddenPageRecord = pHiddenPageRecord;

	MyPrint(_TitleAndFunc"pHiddenPageRecord:%16IX\n", pHiddenPageRecord);
	if (pHiddenPageRecord != NULL)
	{
		//set count to zero
		pHiddenPageRecord->Count = 0;
		//initialize spin lock
		KeInitializeSpinLock(&pHiddenPageRecord->SpinLock);

		//initialize physical memory context
		CreatePhysicalOpCR3BySystemCR3(GetCR3ByPID(4), &g_PhysicalOpCR3);

		//change init state
		g_IsHiddenOpInit = TRUE;

		return STATUS_SUCCESS;
	}
	else {
		return STATUS_UNSUCCESSFUL;
	}
}

/*********************************************************
function:		FreeHiddenPageRecordStructure
description:	free the structure and set pHiddenPageRecord to zero
calls:			ExFreePool
**********************************************************/
NTSTATUS FreeHiddenPageRecordStructure(PHIDDEN_PAGE_RECORD pHiddenPageRecord)
{
	//check the init state
	if (!g_IsHiddenOpInit)
		return STATUS_UNSUCCESSFUL;

	if (pHiddenPageRecord != NULL)
	{
		//free hidden operation structure
		ExFreePool(pHiddenPageRecord);
		pHiddenPageRecord = NULL;

		//free physical operation structure
		FreePhysicalOpCR3(&g_PhysicalOpCR3);

		//change the init state
		g_IsHiddenOpInit = FALSE;

		return STATUS_SUCCESS;
	}
	else {
		return STATUS_UNSUCCESSFUL;
	}
}

/*********************************************************
function:		pPTEPFNtoPhysicalAddress
description:	translate pfn number to physical address
**********************************************************/
PVOID pPTEPFNtoPhysicalAddress(ULONG64 PFN)
{
	return (PVOID)(PFN << 12);
}

/*********************************************************
function:		pPhysicalAddresstoPTEPFN
description:	translate physical address to pfn number
**********************************************************/
ULONG64 pPhysicalAddresstoPTEPFN(PVOID PhysicalAddressBase)
{
	return (ULONG64)PhysicalAddressBase >> 12;
}

/*********************************************************
function:		pGetSpecificAddresspPTEPhysical
description:	get the pointer of pPTEPhysical
calls:			ContextVirtualToPhysical
				ClearPageTableFlag
				ContextPhysicalToVirtual
**********************************************************/
PMMPTE pGetSpecificAddresspPTEPhysical(ULONG64 CR3, PVOID pPageBase)
{
	//analyse the params
	PMMVA		pAddressInfo = (PMMVA)&pPageBase;
	PVOID		pPML4T = (PVOID)ClearCR3Flag(CR3);
	PMMPTE		pPML4E = NULL;
	PVOID		pPDPT = NULL;
	PMMPTE		pPDPTE = NULL;
	PVOID		pPDT = NULL;
	PMMPTE		pPDE = NULL;
	PVOID		pPT = NULL;
	PMMPTE		pPTE = NULL;

	//switch to physical context
	ContextVirtualToPhysical(&g_PhysicalOpCR3);

	pPML4E = (PMMPTE)((ULONG64)pPML4T + pAddressInfo->PML4T*ENTRY_SIZE);
	if (!pPML4E->Valid)
		goto Lable_Error;
	pPDPT = (PVOID)ClearPageTableFlag(*(PULONG64)pPML4E);

	pPDPTE = (PMMPTE)((ULONG64)pPDPT + pAddressInfo->PDPT*ENTRY_SIZE);
	if (pPDPTE->LargePage || !pPDPTE->Valid)
		goto Lable_Error;
	pPDT = (PVOID)ClearPageTableFlag(*(PULONG64)pPDPTE);

	pPDE = (PMMPTE)((ULONG64)pPDT + pAddressInfo->PDT*ENTRY_SIZE);
	if (pPDE->LargePage || !pPDE->Valid)
		goto Lable_Error;
	pPT = (PVOID)ClearPageTableFlag(*(PULONG64)pPDE);

	pPTE = (PMMPTE)((ULONG64)pPT + pAddressInfo->PT*ENTRY_SIZE);
	if (!pPTE->Valid)
		goto Lable_Error;

	ContextPhysicalToVirtual(&g_PhysicalOpCR3);
	//look up the page table finished
	MyPrint(_TitleAndFunc"pPTE:%16IX\n", pPTE);
	return pPTE;

Lable_Error:
	ContextPhysicalToVirtual(&g_PhysicalOpCR3);
	return NULL;
}

/*********************************************************
function:		pGetSpecificAddressPhysicalForR3
description:	just for E language
**********************************************************/
#define PHYSICAL_OFFSET	0x8000000000
#define NUM_1G			0x40000000
#define NUM_2M			0x200000
PVOID pGetSpecificAddressPhysicalForR3(ULONG64 CR3, PVOID pVirtual)
{
	//analyse the params
	PMMVA		pAddressInfo = (PMMVA)&pVirtual;
	PVOID		pPML4T = (PVOID)ClearCR3Flag(CR3);
	PMMPTE		pPML4E = NULL;
	PVOID		pPDPT = NULL;
	PMMPTE		pPDPTE = NULL;
	PVOID		pPDT = NULL;
	PMMPTE		pPDE = NULL;
	PVOID		pPT = NULL;
	PMMPTE		pPTE = NULL;
	PVOID		pPhysicalBase = NULL;
	PVOID		pPhysical = NULL;
	PVOID		pPhysicalR3 = NULL;

	pPML4E = (PMMPTE)((ULONG64)pPML4T + pAddressInfo->PML4T*ENTRY_SIZE + PHYSICAL_OFFSET);
	if (!pPML4E->Valid)
		return NULL;
	pPDPT = (PVOID)ClearPageTableFlag(*(PULONG64)pPML4E);

	pPDPTE = (PMMPTE)((ULONG64)pPDPT + pAddressInfo->PDPT*ENTRY_SIZE + PHYSICAL_OFFSET);
	if (!pPDPTE->Valid)
		return NULL;
	if (pPDPTE->LargePage)
		goto Lable_PDPTE_LargePage;
	pPDT = (PVOID)ClearPageTableFlag(*(PULONG64)pPDPTE);

	pPDE = (PMMPTE)((ULONG64)pPDT + pAddressInfo->PDT*ENTRY_SIZE + PHYSICAL_OFFSET);
	if (!pPDE->Valid)
		return NULL;
	if (pPDE->LargePage)
		goto Lable_PDE_LargePage;
	pPT = (PVOID)ClearPageTableFlag(*(PULONG64)pPDE);

	pPTE = (PMMPTE)((ULONG64)pPT + pAddressInfo->PT*ENTRY_SIZE + PHYSICAL_OFFSET);
	if (!pPTE->Valid)
		return NULL;
	pPhysicalBase = (PVOID)ClearPageTableFlag(*(PULONG64)pPTE);

	pPhysical = (PVOID)((ULONG64)pPhysicalBase + pAddressInfo->Offset);
	pPhysicalR3 = (PVOID)((ULONG64)pPhysical + PHYSICAL_OFFSET);
	return pPhysicalR3;

Lable_PDPTE_LargePage:
	pPhysicalBase = (PVOID)(((PMMPDPTE)pPDPTE)->PageFrameNumber*NUM_1G);
	pPhysical = (PVOID)((ULONG64)pPhysicalBase + ((PMMVA_PDPTE_LARGE)pAddressInfo)->Offset);
	pPhysicalR3 = (PVOID)((ULONG64)pPhysical + PHYSICAL_OFFSET);
	return pPhysicalR3;

Lable_PDE_LargePage:
	pPhysicalBase = (PVOID)(((PMMPDE)pPDE)->PageFrameNumber*NUM_2M);
	pPhysical = (PVOID)((ULONG64)pPhysicalBase + ((PMMVA_PDE_LARGE)pAddressInfo)->Offset);
	pPhysicalR3 = (PVOID)((ULONG64)pPhysical + PHYSICAL_OFFSET);
	return pPhysicalR3;
}
/*********************************************************
function:		AddHiddenPageRecord
description:	add a record element to the structure:
				get the physical address of the PTE of the specific page and record its PFN,
				reserve a physical page via MmAllocateNonCachedMemory and MmMarkPhysicalMemoryAsBad,
				then free the page

calls:			KeAcquireSpinLock
				pGetSpecificAddresspPTEPhysical
				ContextVirtualToPhysical
				ContextPhysicalToVirtual
				MmAllocateNonCachedMemory
				MmGetPhysicalAddress
				pPhysicalAddresstoPTEPFN
				MmFreeNonCachedMemory
				MmMarkPhysicalMemoryAsBad
				KeReleaseSpinLock
**********************************************************/
NTSTATUS AddHiddenPageRecord(ULONG64 CR3, PVOID pHiddenPageBase, PHIDDEN_PAGE_RECORD pHiddenPageRecord)
{
	KIRQL		EntryIrql;
	NTSTATUS	Status = STATUS_UNSUCCESSFUL;
	//serialize concurrent changes to the page record count
	KeAcquireSpinLock(&pHiddenPageRecord->SpinLock, &EntryIrql);

	//check count: Record has MAX_HIDDEN_PAGE_COUNT - 1 elements, so refuse once that capacity is reached
	MyPrint(_TitleAndFunc"pHiddenPageRecord->Count:%16IX\n", pHiddenPageRecord->Count);
	if (pHiddenPageRecord->Count >= MAX_HIDDEN_PAGE_COUNT - 1)
		goto Lable_Error;

	//add pPTE record
	PSPECIFIC_HIDDEN_PAGE_RECORD	pCurrentRecord = &pHiddenPageRecord->Record[pHiddenPageRecord->Count];

	pCurrentRecord->pPTE = pGetSpecificAddresspPTEPhysical(CR3, pHiddenPageBase);
	MyPrint(_TitleAndFunc"pCurrentRecord->pPTE:%16IX\n", pCurrentRecord->pPTE);
	if (pCurrentRecord->pPTE == NULL)
		goto Lable_Error;
	
	//add hidden virtual address record
	pCurrentRecord->pHiddenBase = pHiddenPageBase;
	MyPrint(_TitleAndFunc"pCurrentRecord->pHiddenBase:%16IX\n", pCurrentRecord->pHiddenBase);

	//add original pfn record
	ContextVirtualToPhysical(&g_PhysicalOpCR3);
	pCurrentRecord->OriginalPfn = pCurrentRecord->pPTE->PageFrameNumber;
	ContextPhysicalToVirtual(&g_PhysicalOpCR3);

	MyPrint(_TitleAndFunc"pCurrentRecord->OriginalPfn:%16IX\n", pCurrentRecord->OriginalPfn);

	//add hidden pfn record 
	//allocate memory
	//record the physical address
	//then free the memory and mark it as bad
	PVOID	TemporaryVirtual = MmAllocateNonCachedMemory(PAGE_SIZE);
	if (TemporaryVirtual == NULL)
		goto Lable_Error;

	PHYSICAL_ADDRESS	TemporaryPhysical = MmGetPhysicalAddress(TemporaryVirtual);
	LARGE_INTEGER		PhysicalLength = { 0 };
	PhysicalLength.QuadPart = PAGE_SIZE;

	pCurrentRecord->HiddenPfn = pPhysicalAddresstoPTEPFN((PVOID)(TemporaryPhysical.QuadPart));
	MyPrint(_TitleAndFunc"pCurrentRecord->HiddenPfn:%16IX\n", pCurrentRecord->HiddenPfn);

	MmFreeNonCachedMemory(TemporaryVirtual, PAGE_SIZE);
	
	Status = MmMarkPhysicalMemoryAsBad(&TemporaryPhysical, &PhysicalLength);

	//copy codes to the new non-mapped physical address
	ContextVirtualToPhysical(&g_PhysicalOpCR3);
	RtlCopyMemory((PVOID)(TemporaryPhysical.QuadPart),
		pCurrentRecord->pHiddenBase,
		PAGE_SIZE
	);
	ContextPhysicalToVirtual(&g_PhysicalOpCR3);

	//check the mark state
	if (!NT_SUCCESS(Status))
		goto Lable_Error;

	//the last step:count +1
	pHiddenPageRecord->Count++;

	//release spin lock
	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);
	return STATUS_SUCCESS;

Lable_Error:
	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);
	return STATUS_UNSUCCESSFUL;
}

/*********************************************************
function:		RemoveAndRestoreAllHiddenPageRecord
description:	remove and restore all the records of the structure:
				mark the hidden physical memory as good again,
				restore the mapping relations,
				and invalidate the TLB entries of the affected pages

calls:			KeAcquireSpinLock
				pPTEPFNtoPhysicalAddress
				MmMarkPhysicalMemoryAsGood
				ContextVirtualToPhysical
				ContextPhysicalToVirtual
				__invlpg
				KeReleaseSpinLock
**********************************************************/
NTSTATUS RemoveAndRestoreAllHiddenPageRecord(PHIDDEN_PAGE_RECORD pHiddenPageRecord)
{
	KIRQL		EntryIrql;
	NTSTATUS	Status = STATUS_UNSUCCESSFUL;
	//serialize concurrent changes to the page record count
	KeAcquireSpinLock(&pHiddenPageRecord->SpinLock, &EntryIrql);

	//assert we have elements
	if (pHiddenPageRecord->Count == 0)
		goto Lable_Error;

	//restore all records and mark all the hidden physical memory as good
	PSPECIFIC_HIDDEN_PAGE_RECORD	pCurrentRecord = NULL;
	PHYSICAL_ADDRESS				CurrentHiddenPhysical = { 0 };
	LARGE_INTEGER					PhysicalLength = { 0 };

	PhysicalLength.QuadPart = PAGE_SIZE;

	for (int i = 0; i < pHiddenPageRecord->Count; i++)
	{
		pCurrentRecord = &pHiddenPageRecord->Record[i];
		CurrentHiddenPhysical.QuadPart = (ULONG64)pPTEPFNtoPhysicalAddress(pCurrentRecord->HiddenPfn);

		//mark it as good
		MmMarkPhysicalMemoryAsGood(&CurrentHiddenPhysical, &PhysicalLength);

		//restore all page mapping relations
		ContextVirtualToPhysical(&g_PhysicalOpCR3);
		pCurrentRecord->pPTE->PageFrameNumber = pCurrentRecord->OriginalPfn;
		ContextPhysicalToVirtual(&g_PhysicalOpCR3);

		//invalidate the TLB entry for the current hidden address
		__invlpg(pCurrentRecord->pHiddenBase);
	}

	//set count to zero
	pHiddenPageRecord->Count = 0;

	//release spin lock
	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);
	return STATUS_SUCCESS;

Lable_Error:
	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);
	return STATUS_UNSUCCESSFUL;
}

/*********************************************************
function:		ContextOriginalToHidden
description:	switch to the hidden code pages, so that the hidden functions can be called

calls:			KeGetCurrentIrql
				KeRaiseIrqlToDpcLevel
				_disable
				KeAcquireSpinLock
				ContextVirtualToPhysical
				ContextPhysicalToVirtual
				__invlpg
				KeReleaseSpinLock
**********************************************************/
NTSTATUS ContextOriginalToHidden(PHIDDEN_PAGE_RECORD pHiddenPageRecord)
{
	KIRQL		EntryIrql;
	NTSTATUS	Status = STATUS_UNSUCCESSFUL;

	//record original irql
	pHiddenPageRecord->OriginalIrql = KeGetCurrentIrql();
	MyPrint(_TitleAndFunc"pHiddenPageRecord->OriginalIrql:%16IX\n", pHiddenPageRecord->OriginalIrql);

	//assert irql >= dispatch level
	if (pHiddenPageRecord->OriginalIrql < DISPATCH_LEVEL)
	{
		pHiddenPageRecord->IsIrqlChanged = TRUE;
		KeRaiseIrqlToDpcLevel();
	}

	//disable task switch interrupt(maskable)
	_disable();

	//serialize concurrent changes to the page record count
	KeAcquireSpinLock(&pHiddenPageRecord->SpinLock, &EntryIrql);

	//assert we have elements
	if (pHiddenPageRecord->Count == 0)
		goto Lable_Error;

	//check the initialize state and current hidden state
	if (!g_IsHiddenOpInit || pHiddenPageRecord->IsHidden)
		goto Lable_Error;

	//switch every recorded page to its hidden physical frame
	PSPECIFIC_HIDDEN_PAGE_RECORD	pCurrentRecord = NULL;

	for (int i = 0; i < pHiddenPageRecord->Count; i++)
	{
		pCurrentRecord = &pHiddenPageRecord->Record[i];

		//change all page mapping relations
		ContextVirtualToPhysical(&g_PhysicalOpCR3);
		pCurrentRecord->pPTE->PageFrameNumber = pCurrentRecord->HiddenPfn;
		ContextPhysicalToVirtual(&g_PhysicalOpCR3);

		//invalidate the TLB entry for the current hidden address
		__invlpg(pCurrentRecord->pHiddenBase);
	}

	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);

	//change the flag IsHidden
	pHiddenPageRecord->IsHidden = TRUE;
	return STATUS_SUCCESS;

Lable_Error:
	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);

	//undo the interrupt and IRQL changes made above; otherwise the CPU is left with interrupts disabled at DISPATCH_LEVEL
	_enable();
	if (pHiddenPageRecord->IsIrqlChanged)
	{
		KeLowerIrql(pHiddenPageRecord->OriginalIrql);
		pHiddenPageRecord->IsIrqlChanged = FALSE;
	}
	return STATUS_UNSUCCESSFUL;
}

/*********************************************************
function:		ContextHiddenToOriginal
description:	switch back from the hidden code pages to the original mapping after the hidden functions return

calls:			KeAcquireSpinLock
				ContextVirtualToPhysical
				ContextPhysicalToVirtual
				__invlpg
				KeReleaseSpinLock
				_enable
				KeLowerIrql
**********************************************************/
NTSTATUS ContextHiddenToOriginal(PHIDDEN_PAGE_RECORD pHiddenPageRecord)
{
	KIRQL		EntryIrql;
	NTSTATUS	Status = STATUS_UNSUCCESSFUL;

	//serialize concurrent changes to the page record count
	KeAcquireSpinLock(&pHiddenPageRecord->SpinLock, &EntryIrql);

	//assert we have elements
	if (pHiddenPageRecord->Count == 0)
		goto Lable_Error;

	//check the initialize state and current hidden state
	if (!g_IsHiddenOpInit || !pHiddenPageRecord->IsHidden)
		goto Lable_Error;

	//switch every recorded page back to its original physical frame
	PSPECIFIC_HIDDEN_PAGE_RECORD	pCurrentRecord = NULL;

	for (int i = 0; i < pHiddenPageRecord->Count; i++)
	{
		pCurrentRecord = &pHiddenPageRecord->Record[i];

		//change all page mapping relations
		ContextVirtualToPhysical(&g_PhysicalOpCR3);
		pCurrentRecord->pPTE->PageFrameNumber = pCurrentRecord->OriginalPfn;
		ContextPhysicalToVirtual(&g_PhysicalOpCR3);

		//invalidate the TLB entry for the current hidden address
		__invlpg(pCurrentRecord->pHiddenBase);
	}

	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);

	//enable task switch interrupt(maskable)
	_enable();

	//restore irql
	MyPrint(_TitleAndFunc"pHiddenPageRecord->IsIrqlChanged:%16IX\n", pHiddenPageRecord->IsIrqlChanged);
	if (pHiddenPageRecord->IsIrqlChanged)
	{
		KeLowerIrql(pHiddenPageRecord->OriginalIrql);

		//restore the flag IsIrqlChanged
		pHiddenPageRecord->IsIrqlChanged = FALSE;
	}

	//change the flag IsHidden
	pHiddenPageRecord->IsHidden = FALSE;
	return STATUS_SUCCESS;

Lable_Error:
	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);
	return STATUS_UNSUCCESSFUL;
}

/*********************************************************
function:		GetPagesCountByLength
description:	get pages count by length	
**********************************************************/
ULONG64 GetPagesCountByLength(ULONG64 Length)
{
	if ((Length & 0xFFF) == 0)
		return (Length >> 12);
	else
		return (Length >> 12) + 1;
}

/*********************************************************
function:		AddHiddenSection
description:	add hidden address by the offered section name
				if all the calls of AddHiddenPageRecord are successful,return STATUS_SUCCESS
calls:			GetSegmentStartAddress
				GetSegmentLength
				GetPagesCountByLength
				AddHiddenPageRecord
**********************************************************/
NTSTATUS AddHiddenSection(ULONG64 SystemCR3, PDRIVER_OBJECT pDriverObj, PCHAR pSegName, PHIDDEN_PAGE_RECORD pHiddenPageRecord)
{
	//analyse number of pages of the section 
	PVOID		pSectionStart = (PVOID)GetSegmentStartAddress(pDriverObj, pSegName);
	ULONG64		SectionLength = GetSegmentLength(pDriverObj, pSegName);
	ULONG64		PagesCount = GetPagesCountByLength(SectionLength);
	PVOID		pCurrentPage = NULL;
	NTSTATUS	Status = STATUS_UNSUCCESSFUL;

	MyPrint(_TitleAndFunc"pSectionStart:%16IX\n", pSectionStart);
	MyPrint(_TitleAndFunc"SectionLength:%16IX\n", SectionLength);
	MyPrint(_TitleAndFunc"PagesCount:%16IX\n", PagesCount);

	//call AddHiddenPageRecord to record the hidden info
	for (int i = 0; i < PagesCount; i++)
	{
		pCurrentPage = (PVOID)((ULONG64)pSectionStart + i*PAGE_SIZE);
		Status = AddHiddenPageRecord(SystemCR3, pCurrentPage, pHiddenPageRecord);

		//make sure all the records are successful
		if (!NT_SUCCESS(Status))
			return Status;
	}

	return STATUS_SUCCESS;
}




================================================
FILE: KernelHiddenExcute/HiddenFunctions.h
================================================
#pragma once
#include "Head.h"

#pragma code_seg(SECTION_NAME_HIDDEN)

NTSTATUS HiddenFunctionA(PHIDDEN_PAGE_RECORD pHiddenPageRecord)
{
	NTSTATUS Status = STATUS_UNSUCCESSFUL;

	Status = ApiTransfer_SimulateApi(pHiddenPageRecord, 0xFAFAFAFAFAFAFAFA);

	return Status;
}

#pragma code_seg()

================================================
FILE: KernelHiddenExcute/KernelHiddenExcute.inf
================================================
;
; KernelHiddenExcute.inf
;

[Version]
Signature="$WINDOWS NT$"
Class=System
ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}
Provider=XYLab
DriverVer=
CatalogFile=KernelHiddenExcute.inf.cat

;[DestinationDirs]
;DefaultDestDir = 12


;[SourceDisksNames]
;1 = %DiskName%,,,""

;[SourceDisksFiles]


;[Manufacturer]
;%ManufacturerName%=Standard,NT$ARCH$

;[Standard.NT$ARCH$]


[Strings]
ManufacturerName="XYLab"
ClassName=""
DiskName="KernelHiddenExcute Source Disk"


================================================
FILE: KernelHiddenExcute/KernelHiddenExcute.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup Label="ProjectConfigurations">
    <ProjectConfiguration Include="Debug|Win32">
      <Configuration>Debug</Configuration>
      <Platform>Win32</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|Win32">
      <Configuration>Release</Configuration>
      <Platform>Win32</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Debug|x64">
      <Configuration>Debug</Configuration>
      <Platform>x64</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|x64">
      <Configuration>Release</Configuration>
      <Platform>x64</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Debug|ARM">
      <Configuration>Debug</Configuration>
      <Platform>ARM</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|ARM">
      <Configuration>Release</Configuration>
      <Platform>ARM</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Debug|ARM64">
      <Configuration>Debug</Configuration>
      <Platform>ARM64</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|ARM64">
      <Configuration>Release</Configuration>
      <Platform>ARM64</Platform>
    </ProjectConfiguration>
  </ItemGroup>
  <PropertyGroup Label="Globals">
    <ProjectGuid>{B6DD98D0-0343-41DD-94FC-542035EE9B88}</ProjectGuid>
    <TemplateGuid>{dd38f7fc-d7bd-488b-9242-7d8754cde80d}</TemplateGuid>
    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
    <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
    <Configuration>Debug</Configuration>
    <Platform Condition="'$(Platform)' == ''">Win32</Platform>
    <RootNamespace>KernelHiddenExcute</RootNamespace>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>WDM</DriverType>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>WDM</DriverType>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
    <TargetVersion>Windows7</TargetVersion>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>WDM</DriverType>
    <DriverTargetPlatform>Desktop</DriverTargetPlatform>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
    <TargetVersion>Windows7</TargetVersion>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>WDM</DriverType>
    <DriverTargetPlatform>Desktop</DriverTargetPlatform>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>WDM</DriverType>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>WDM</DriverType>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>WDM</DriverType>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>WDM</DriverType>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
  <ImportGroup Label="ExtensionSettings">
  </ImportGroup>
  <ImportGroup Label="PropertySheets">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <PropertyGroup Label="UserMacros" />
  <PropertyGroup />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
    <EnableInf2cat>false</EnableInf2cat>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
    <EnableInf2cat>false</EnableInf2cat>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
    </ClCompile>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
    </ClCompile>
    <Link>
      <OptimizeReferences>false</OptimizeReferences>
    </Link>
  </ItemDefinitionGroup>
  <ItemGroup>
    <Inf Include="KernelHiddenExcute.inf" />
  </ItemGroup>
  <ItemGroup>
    <FilesToPackage Include="$(TargetPath)" />
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="main.c" />
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="Head.h" />
    <ClInclude Include="HiddenCallApiTransfer.h" />
    <ClInclude Include="HiddenExecute.h" />
    <ClInclude Include="HiddenFunctions.h" />
    <ClInclude Include="MyDebugPrint.h" />
    <ClInclude Include="PhysicalMemoryOperation.h" />
    <ClInclude Include="SectionOperation.h" />
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Label="ExtensionTargets">
  </ImportGroup>
</Project>

================================================
FILE: KernelHiddenExcute/KernelHiddenExcute.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Filter Include="Source Files">
      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
    </Filter>
    <Filter Include="Header Files">
      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
    </Filter>
    <Filter Include="Resource Files">
      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
    </Filter>
    <Filter Include="Driver Files">
      <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
      <Extensions>inf;inv;inx;mof;mc;</Extensions>
    </Filter>
  </ItemGroup>
  <ItemGroup>
    <Inf Include="KernelHiddenExcute.inf">
      <Filter>Driver Files</Filter>
    </Inf>
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="main.c">
      <Filter>Source Files</Filter>
    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="Head.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="MyDebugPrint.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="PhysicalMemoryOperation.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="HiddenExecute.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="HiddenCallApiTransfer.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="SectionOperation.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="HiddenFunctions.h">
      <Filter>Header Files</Filter>
    </ClInclude>
  </ItemGroup>
</Project>

================================================
FILE: KernelHiddenExcute/MyDebugPrint.h
================================================
#pragma once

#include "Head.h"



#define _DBG_PRINT
#define PRINT_NAME "XYLab"


//adjacent string literals are concatenated by the compiler; "##" is token pasting and is not valid on string literals
#define _Title "[" PRINT_NAME "] "
#define _Func "[" __FUNCTION__ "] "
#define _TitleAndFunc "[" PRINT_NAME "] " "[" __FUNCTION__ "] "

#ifdef _DBG_PRINT
//#define MyPrint(_x_) DbgPrint _x_
#define MyPrint(...) DbgPrint(__VA_ARGS__)
#else
//#define MyPrint(_x_)
#define MyPrint(...)
#endif


================================================
FILE: KernelHiddenExcute/PhysicalMemoryOperation.h
================================================
#pragma once
#include "Head.h"

BOOL	g_IsPhysicalOpInit = FALSE;
HANDLE	g_SectionHandle = NULL;

#define	PAGE_TABLE_SIZE			0x1000
#define	CR3_FLAG_ALL_BITS			0xFFF0000000000FFF
#define	PAGE_TABLE_PML4T_FLAG	0x867	//1000 0110 0111
#define	PAGE_TABLE_PDPT_FLAG	0x9E7	//1001 1110 0111
#define VA_SYSTEM_START			0xFFFF080000000000 //IA64
#define MAX_ENTRY_COUNT			512
#define ENTRY_SIZE				sizeof(ULONG64)

typedef struct _PHYSICAL_OP_CR3
{
	PVOID	pAllocVA_PML4T;
	PVOID	pAllocPA_PML4T;

	PVOID	pAllocVA_PDPT;
	PVOID	pAllocPA_PDPT;

	PVOID	pSystemPML4TMap;

	ULONG64	CR3Generated;
	ULONG64 CR3System;

	ULONG64 CR3BeforeSwitch;
	BOOL	IsContextSwitched;
	BOOL	IsIrqlChanged;
	KIRQL	OriginalIrql;//available if the IsIrqlChanged is true
}PHYSICAL_OP_CR3, *PPHYSICAL_OP_CR3;



typedef struct _MMPDPTE
{
	struct /* bitfield */
	{
		/* 0x0000 */ unsigned __int64 Valid : 1; /* bit position: 0 */
		/* 0x0000 */ unsigned __int64 Dirty1 : 1; /* bit position: 1 */
		/* 0x0000 */ unsigned __int64 Owner : 1; /* bit position: 2 */
		/* 0x0000 */ unsigned __int64 WriteThrough : 1; /* bit position: 3 */
		/* 0x0000 */ unsigned __int64 CacheDisable : 1; /* bit position: 4 */
		/* 0x0000 */ unsigned __int64 Accessed : 1; /* bit position: 5 */
		/* 0x0000 */ unsigned __int64 Dirty : 1; /* bit position: 6 */
		/* 0x0000 */ unsigned __int64 LargePage : 1; /* bit position: 7 */
		/* 0x0000 */ unsigned __int64 Global : 1; /* bit position: 8 */
		/* 0x0000 */ unsigned __int64 CopyOnWrite : 1; /* bit position: 9 */
		/* 0x0000 */ unsigned __int64 Unused : 1; /* bit position: 10 */
		/* 0x0000 */ unsigned __int64 Write : 1; /* bit position: 11 */
		/* 0x0000 */ unsigned __int64 reserved0 : 18; /* bit position: 12 */
		/* 0x0000 */ unsigned __int64 PageFrameNumber : 18; /* bit position: 30 */
		/* 0x0000 */ unsigned __int64 reserved1 : 4; /* bit position: 48 */
		/* 0x0000 */ unsigned __int64 SoftwareWsIndex : 11; /* bit position: 52 */
		/* 0x0000 */ unsigned __int64 NoExecute : 1; /* bit position: 63 */
	}; /* bitfield */
} MMPDPTE, *PMMPDPTE; /* size: 0x0008 */

typedef struct _MMPDE
{
	struct /* bitfield */
	{
		/* 0x0000 */ unsigned __int64 Valid : 1; /* bit position: 0 */
		/* 0x0000 */ unsigned __int64 Dirty1 : 1; /* bit position: 1 */
		/* 0x0000 */ unsigned __int64 Owner : 1; /* bit position: 2 */
		/* 0x0000 */ unsigned __int64 WriteThrough : 1; /* bit position: 3 */
		/* 0x0000 */ unsigned __int64 CacheDisable : 1; /* bit position: 4 */
		/* 0x0000 */ unsigned __int64 Accessed : 1; /* bit position: 5 */
		/* 0x0000 */ unsigned __int64 Dirty : 1; /* bit position: 6 */
		/* 0x0000 */ unsigned __int64 LargePage : 1; /* bit position: 7 */
		/* 0x0000 */ unsigned __int64 Global : 1; /* bit position: 8 */
		/* 0x0000 */ unsigned __int64 CopyOnWrite : 1; /* bit position: 9 */
		/* 0x0000 */ unsigned __int64 Unused : 1; /* bit position: 10 */
		/* 0x0000 */ unsigned __int64 Write : 1; /* bit position: 11 */
		/* 0x0000 */ unsigned __int64 reserved0 : 9; /* bit position: 12 */
		/* 0x0000 */ unsigned __int64 PageFrameNumber : 27; /* bit position: 21 */
		/* 0x0000 */ unsigned __int64 reserved1 : 4; /* bit position: 48 */
		/* 0x0000 */ unsigned __int64 SoftwareWsIndex : 11; /* bit position: 52 */
		/* 0x0000 */ unsigned __int64 NoExecute : 1; /* bit position: 63 */
	}; /* bitfield */
} MMPDE, *PMMPDE; /* size: 0x0008 */

typedef struct _MMVA
{
	struct /* bitfield */
	{
		/* 0x0000 */ unsigned __int64 Offset : 12;
		/* 0x0000 */ unsigned __int64 PT : 9;
		/* 0x0000 */ unsigned __int64 PDT : 9;
		/* 0x0000 */ unsigned __int64 PDPT : 9;
		/* 0x0000 */ unsigned __int64 PML4T : 9;
		/* 0x0000 */ unsigned __int64 Partition : 16; //User:0x0000 System:0xFFFF
	}; /* bitfield */
} MMVA, *PMMVA; /* size: 0x0008 */

typedef struct _MMVA_PDPTE_LARGE
{
	struct /* bitfield */
	{
		/* 0x0000 */ unsigned __int64 Offset : 30;
		/* 0x0000 */ unsigned __int64 PDPT : 9;
		/* 0x0000 */ unsigned __int64 PML4T : 9;
		/* 0x0000 */ unsigned __int64 Partition : 16; //User:0x0000 System:0xFFFF
	}; /* bitfield */
} MMVA_PDPTE_LARGE, *PMMVA_PDPTE_LARGE; /* size: 0x0008 */

typedef struct _MMVA_PDE_LARGE
{
	struct /* bitfield */
	{
		/* 0x0000 */ unsigned __int64 Offset : 21;
		/* 0x0000 */ unsigned __int64 PDT : 9;
		/* 0x0000 */ unsigned __int64 PDPT : 9;
		/* 0x0000 */ unsigned __int64 PML4T : 9;
		/* 0x0000 */ unsigned __int64 Partition : 16; //User:0x0000 System:0xFFFF
	}; /* bitfield */
} MMVA_PDE_LARGE, *PMMVA_PDE_LARGE; /* size: 0x0008 */

/*********************************************************
function:		OpenPhysicalMemory
				pMapPhysicalMemoryPre
				MapPhysicalMemory
				UnmapPhysicalMemory
description:	use map view of section to map physical address to virtual address
**********************************************************/
HANDLE OpenPhysicalMemory()
{
	UNICODE_STRING		physmemString;
	OBJECT_ATTRIBUTES	attributes;
	WCHAR				physmemName[] = L"\\device\\physicalmemory";
	NTSTATUS			status;
	HANDLE				physmem;
	RtlInitUnicodeString(&physmemString, physmemName);
	InitializeObjectAttributes(&attributes, &physmemString, OBJ_CASE_INSENSITIVE, NULL, NULL);
	status = ZwOpenSection(&physmem, SECTION_ALL_ACCESS, &attributes);
	if (!NT_SUCCESS(status))
	{
		return NULL;
	}
	return physmem;
}
BOOLEAN pMapPhysicalMemoryPre(HANDLE hMemory, PDWORD64 pDwAddress, PSIZE_T pSize, PDWORD64 pDwVirtualAddress)
{
	NTSTATUS ntStatus;

	LARGE_INTEGER viewBase;
	*pDwVirtualAddress = 0;
	viewBase.QuadPart = *pDwAddress;
	ntStatus = ZwMapViewOfSection(hMemory, (HANDLE)-1, (void**)pDwVirtualAddress, 0L, *pSize, &viewBase, pSize, ViewShare, 0, PAGE_READWRITE | PAGE_NOCACHE);
	if (!NT_SUCCESS(ntStatus))
		return FALSE;
	//*pDwAddress = viewBase.QuadPart;
	return TRUE;
}
PVOID MapPhysicalMemory(PVOID PA, SIZE_T Size)
{
	ULONGLONG DwAddress = (ULONG64)PA;
	ULONGLONG DwVirtualAddress = 0;
	BOOLEAN status = pMapPhysicalMemoryPre(g_SectionHandle, &DwAddress, &Size, &DwVirtualAddress);
	return (status == TRUE) ? (PVOID)DwVirtualAddress : NULL;
}
BOOLEAN UnmapPhysicalMemory(PVOID VA)
{
	if (!ZwUnmapViewOfSection((HANDLE)-1, VA))
		return TRUE;
	else
		return FALSE;
}

/*********************************************************
function:		GetCR3Flag
description:	get cr3 flag, only save the flag bits
**********************************************************/
ULONG64 GetCR3Flag(ULONG64 CR3)
{
	return (CR3 & CR3_FLAG_ALL_BITS);
}

/*********************************************************
function:		ClearCR3Flag
description:	clear cr3 flag, only clear the flag bits
**********************************************************/
ULONG64 ClearCR3Flag(ULONG64 CR3)
{
	return (CR3 & ~CR3_FLAG_ALL_BITS);
}

/*********************************************************
function:		pPrintPhysicalOpStructure
description:	print the structure elements
**********************************************************/
VOID pPrintPhysicalOpStructure(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	MyPrint(_TitleAndFunc"[PrintStart]\n");

	MyPrint(_TitleAndFunc"pPhysicalOpCR3->pAllocVA_PML4T:%16IX\n", pPhysicalOpCR3->pAllocVA_PML4T);
	MyPrint(_TitleAndFunc"pPhysicalOpCR3->pAllocPA_PML4T:%16IX\n", pPhysicalOpCR3->pAllocPA_PML4T);

	MyPrint(_TitleAndFunc"pPhysicalOpCR3->pAllocVA_PDPT:%16IX\n", pPhysicalOpCR3->pAllocVA_PDPT);
	MyPrint(_TitleAndFunc"pPhysicalOpCR3->pAllocPA_PDPT:%16IX\n", pPhysicalOpCR3->pAllocPA_PDPT);

	MyPrint(_TitleAndFunc"pPhysicalOpCR3->pSystemPML4TMap:%16IX\n", pPhysicalOpCR3->pSystemPML4TMap);

	MyPrint(_TitleAndFunc"pPhysicalOpCR3->CR3Generated:%16IX\n", pPhysicalOpCR3->CR3Generated);

	MyPrint(_TitleAndFunc"[PrintEnd]\n");
}

/*********************************************************
function:		pFreePhysicalOpPageTableMemory
description:	to free the allocated memory (PML4T and PDPT page table) with null pointer check
**********************************************************/
NTSTATUS pFreePhysicalOpPageTableMemory(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	if (pPhysicalOpCR3->pAllocVA_PML4T != NULL)
	{
		MmFreeNonCachedMemory(pPhysicalOpCR3->pAllocVA_PML4T, PAGE_TABLE_SIZE);
		pPhysicalOpCR3->pAllocVA_PML4T = NULL;
		pPhysicalOpCR3->pAllocPA_PML4T = NULL;
	}

	if (pPhysicalOpCR3->pAllocVA_PDPT != NULL)
	{
		MmFreeNonCachedMemory(pPhysicalOpCR3->pAllocVA_PDPT, PAGE_TABLE_SIZE);
		pPhysicalOpCR3->pAllocVA_PDPT = NULL;
		pPhysicalOpCR3->pAllocPA_PDPT = NULL;
	}
		
	return STATUS_SUCCESS;
}


/*********************************************************
function:		pAllocPhysicalOpPageTableMemory
description:	to allocate memory (PML4T and PDPT page table)
				if any allocation fails, the pages allocated so far are freed again
calls:			MmAllocateNonCachedMemory
				MmGetPhysicalAddress
				pFreePhysicalOpPageTableMemory
**********************************************************/
NTSTATUS pAllocPhysicalOpPageTableMemory(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	//PML4T
	pPhysicalOpCR3->pAllocVA_PML4T = MmAllocateNonCachedMemory(PAGE_TABLE_SIZE);
	//check allocate state
	if (pPhysicalOpCR3->pAllocVA_PML4T == NULL)
		goto Lable_Error;
	pPhysicalOpCR3->pAllocPA_PML4T = (PVOID)MmGetPhysicalAddress(pPhysicalOpCR3->pAllocVA_PML4T).QuadPart;


	//PDPT
	pPhysicalOpCR3->pAllocVA_PDPT = MmAllocateNonCachedMemory(PAGE_TABLE_SIZE);
	//check allocate state
	if (pPhysicalOpCR3->pAllocVA_PDPT == NULL)
		goto Lable_Error;
	pPhysicalOpCR3->pAllocPA_PDPT = (PVOID)MmGetPhysicalAddress(pPhysicalOpCR3->pAllocVA_PDPT).QuadPart;


	return STATUS_SUCCESS;
Lable_Error:
	//free allocated memory
	pFreePhysicalOpPageTableMemory(pPhysicalOpCR3);
	return STATUS_UNSUCCESSFUL;
}

/*********************************************************
function:		pMapSystemPML4T
description:	map the system cr3(pml4t) to virtual address
calls:			ClearCR3Flag
				OpenPhysicalMemory
				MapPhysicalMemory
**********************************************************/
NTSTATUS pMapSystemPML4T(ULONG64 SystemCR3, PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	ULONG64 SystemCR3NonFlag = ClearCR3Flag(SystemCR3);
	PVOID	pSystemPML4T = (PVOID)SystemCR3NonFlag;

	if (g_SectionHandle == NULL)
		g_SectionHandle = OpenPhysicalMemory();

	pPhysicalOpCR3->pSystemPML4TMap = MapPhysicalMemory(pSystemPML4T, PAGE_TABLE_SIZE);

	return pPhysicalOpCR3->pSystemPML4TMap == NULL ? STATUS_UNSUCCESSFUL : STATUS_SUCCESS;
}

/*********************************************************
function:		pUnmapSystemPML4T
description:	unmap the system cr3(pml4t) and close the physical memory section
calls:			UnmapPhysicalMemory
				ZwClose
**********************************************************/
NTSTATUS pUnmapSystemPML4T(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	BOOL	State = TRUE;

	if (pPhysicalOpCR3->pSystemPML4TMap != NULL)
	{
		State = UnmapPhysicalMemory(pPhysicalOpCR3->pSystemPML4TMap);
		if (State)
			pPhysicalOpCR3->pSystemPML4TMap = NULL;
	}

	//close the section handle and reset it, otherwise the next map call would reuse a closed handle
	if (g_SectionHandle != NULL)
	{
		ZwClose(g_SectionHandle);
		g_SectionHandle = NULL;
	}

	return !State ? STATUS_UNSUCCESSFUL : STATUS_SUCCESS;
}

/*********************************************************
function:		pFillGeneratedPML4TandPDPT
description:	fill the generated pml4t: copy the system-space half of the system pml4t,
				then point the first entry at the generated pdpt
				fill the generated pdpt so that every PDPTE maps one 1G-byte page of physical memory
				(512 entries, 512G in total) at the same address
calls:			RtlCopyMemory
**********************************************************/
NTSTATUS pFillGeneratedPML4TandPDPT(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	//copy the system space map
	PVOID		pSystemStart = (PVOID)VA_SYSTEM_START;
	ULONG64		SystemPML4TStart = ((PMMVA)&pSystemStart)->PML4T;

	MyPrint(_TitleAndFunc"SystemPML4TStart:%16IX\n", SystemPML4TStart);
	RtlCopyMemory((PVOID)((ULONG64)pPhysicalOpCR3->pAllocVA_PML4T + SystemPML4TStart*ENTRY_SIZE),
		(PVOID)((ULONG64)pPhysicalOpCR3->pSystemPML4TMap + SystemPML4TStart*ENTRY_SIZE),
		(MAX_ENTRY_COUNT - SystemPML4TStart)*ENTRY_SIZE
	);

	//make the first address point to my PDPT table
	*(PULONG64)pPhysicalOpCR3->pAllocVA_PML4T = (ULONG64)pPhysicalOpCR3->pAllocPA_PDPT | PAGE_TABLE_PML4T_FLAG;

	//fill the PDPT page table
	//add flag
	ULONG64 CurrentPDPTEntry = PAGE_TABLE_PDPT_FLAG;
	for (int i = 0; i < MAX_ENTRY_COUNT; i++)
	{
		//change pfn
		((PMMPDPTE)&CurrentPDPTEntry)->PageFrameNumber = i;
		//
		*(PULONG64)((ULONG64)pPhysicalOpCR3->pAllocVA_PDPT + i*ENTRY_SIZE) = CurrentPDPTEntry;
	}
	return STATUS_SUCCESS;
}
/*********************************************************
function:		CreatePhysicalOpCR3BySystemCR3
description:	to initialize the physical memory operation structure
				on any failure the resources acquired so far are released again
calls:			pAllocPhysicalOpPageTableMemory
				pMapSystemPML4T
				pFillGeneratedPML4TandPDPT
				GetCR3Flag
				pPrintPhysicalOpStructure
				pUnmapSystemPML4T
				pFreePhysicalOpPageTableMemory
**********************************************************/
NTSTATUS CreatePhysicalOpCR3BySystemCR3(ULONG64 SystemCR3, PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	//check the init state
	if (g_IsPhysicalOpInit)
		return STATUS_UNSUCCESSFUL;

	//allocate page table memory and fill the structure
	if (!NT_SUCCESS(pAllocPhysicalOpPageTableMemory(pPhysicalOpCR3)))
		return STATUS_UNSUCCESSFUL;

	//map pSystemPML4T to virtual address and fill the structure
	if (!NT_SUCCESS(pMapSystemPML4T(SystemCR3, pPhysicalOpCR3)))
		goto Lable_Error;

	//fill PML4T and PDPT page table
	if (!NT_SUCCESS(pFillGeneratedPML4TandPDPT(pPhysicalOpCR3)))
		goto Lable_Error;

	//generate new cr3 for reading the physical memory and add cr3 flag
	ULONG64	SystemCR3Flag = GetCR3Flag(SystemCR3);
	pPhysicalOpCR3->CR3Generated = (ULONG64)pPhysicalOpCR3->pAllocPA_PML4T | SystemCR3Flag;

	//fill the structure part:CR3System
	pPhysicalOpCR3->CR3System = SystemCR3;

	//print structure
	pPrintPhysicalOpStructure(pPhysicalOpCR3);

	g_IsPhysicalOpInit = TRUE;
	return STATUS_SUCCESS;

Lable_Error:
	//release the mapping (if any) and the allocated page tables, so nothing leaks on failure
	pUnmapSystemPML4T(pPhysicalOpCR3);
	pFreePhysicalOpPageTableMemory(pPhysicalOpCR3);
	return STATUS_UNSUCCESSFUL;
}


/*********************************************************
function:		FreePhysicalOpCR3
description:	to uninitialize the physical memory operation structure
calls:			pUnmapSystemPML4T
				pFreePhysicalOpPageTableMemory
				RtlZeroMemory
**********************************************************/
NTSTATUS FreePhysicalOpCR3(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	//check the init state
	if (!g_IsPhysicalOpInit)
		return STATUS_UNSUCCESSFUL;

	//unmap pSystemPML4T
	pUnmapSystemPML4T(pPhysicalOpCR3);

	//free allocated memory
	pFreePhysicalOpPageTableMemory(pPhysicalOpCR3);

	//clear generated cr3 and recorded system cr3
	pPhysicalOpCR3->CR3Generated = 0;
	pPhysicalOpCR3->CR3System = 0;

	//print structure
	pPrintPhysicalOpStructure(pPhysicalOpCR3);

	//zero the whole structure so no stale field can be reused after uninitialization
	RtlZeroMemory((PVOID)pPhysicalOpCR3, sizeof(PHYSICAL_OP_CR3));


	g_IsPhysicalOpInit = FALSE;
	return STATUS_SUCCESS;
}

/*********************************************************
function:		ContextVirtualToPhysical
description:	raise irql and switch to generated cr3
**********************************************************/
NTSTATUS ContextVirtualToPhysical(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	//check the initialize state and current context
	if (!g_IsPhysicalOpInit || pPhysicalOpCR3->IsContextSwitched)
		return STATUS_UNSUCCESSFUL;

	//make sure irql >= dispatch level so the thread cannot be rescheduled while cr3 is switched
	pPhysicalOpCR3->OriginalIrql = KeGetCurrentIrql();
	if (pPhysicalOpCR3->OriginalIrql < DISPATCH_LEVEL)
	{
		pPhysicalOpCR3->IsIrqlChanged = TRUE;
		KeRaiseIrqlToDpcLevel();
	}


	//mask maskable interrupts so no interrupt handler runs on the generated page tables
	_disable();

	
	//record and switch cr3
	pPhysicalOpCR3->CR3BeforeSwitch = __readcr3();
	__writecr3(pPhysicalOpCR3->CR3Generated);

	//change the flag IsContextSwitched
	pPhysicalOpCR3->IsContextSwitched = TRUE;
	return STATUS_SUCCESS;
}

/*********************************************************
function:		ContextPhysicalToVirtual
description:	lower irql and switch to system cr3
**********************************************************/
NTSTATUS ContextPhysicalToVirtual(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	//check the initialize state and current context
	if (!g_IsPhysicalOpInit || !pPhysicalOpCR3->IsContextSwitched)
		return STATUS_UNSUCCESSFUL;

	//restore cr3
	__writecr3(pPhysicalOpCR3->CR3BeforeSwitch);

	//unmask maskable interrupts again, now that the original cr3 is back
	_enable();

	//restore irql
	if (pPhysicalOpCR3->IsIrqlChanged)
	{
		KeLowerIrql(pPhysicalOpCR3->OriginalIrql);

		//restore the flag IsIrqlChanged
		pPhysicalOpCR3->IsIrqlChanged = FALSE;
	}

	//change the flag IsContextSwitched
	pPhysicalOpCR3->IsContextSwitched = FALSE;
	return STATUS_SUCCESS;
}


/*********************************************************
function:		GetCR3ByEprocess
description:	get cr3 by eprocess
				reads KPROCESS.DirectoryTableBase at the hardcoded x64 offset 0x28;
				the offset must be re-checked against the target Windows build
**********************************************************/
ULONG64 GetCR3ByEprocess(PEPROCESS pEProc)
{
	if (pEProc == NULL)
		return 0;

	//get dirbase (EPROCESS.Pcb.DirectoryTableBase, offset 0x28 on x64)
	ULONG64	DirBase = *(PULONG64)((ULONG64)pEProc + 0x028);
	return DirBase;
}

/*********************************************************
function:		GetEProcess
description:	get eprocess by pid
				the reference taken by PsLookupProcessByProcessId is dropped before
				returning, so the pointer is only safe for a process that cannot exit
				meanwhile (it is used here for the System process, PID 4)
**********************************************************/
PEPROCESS GetEProcess(ULONG64 PID)
{
	PEPROCESS		pEProc = NULL;

	//check pid
	if (PID == 0)
		return NULL;

	//get eprocess
	if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)PID, &pEProc)))
		return NULL;

	//dereference
	if (pEProc != NULL)
		ObDereferenceObject((PVOID)pEProc);

	return pEProc;
}

/*********************************************************
function:		GetCR3ByPID
description:	get cr3 by pid
calls:			GetEProcess
				GetCR3ByEprocess
**********************************************************/
ULONG64 GetCR3ByPID(ULONG64 PID)
{
	return GetCR3ByEprocess(GetEProcess(PID));
}

================================================
FILE: KernelHiddenExcute/SectionOperation.h
================================================
#pragma once
#include "Head.h"

typedef struct _LDR_DATA_TABLE_ENTRY64
{
	LIST_ENTRY64    InLoadOrderLinks;
	LIST_ENTRY64    InMemoryOrderLinks;
	LIST_ENTRY64    InInitializationOrderLinks;
	PVOID            DllBase;
	PVOID            EntryPoint;
	ULONG            SizeOfImage;
	UNICODE_STRING    FullDllName;
	UNICODE_STRING     BaseDllName;
	ULONG            Flags;
	USHORT            LoadCount;
	USHORT            TlsIndex;
	PVOID            SectionPointer;
	ULONG            CheckSum;
	PVOID            LoadedImports;
	PVOID            EntryPointActivationContext;
	PVOID            PatchInformation;
	LIST_ENTRY64    ForwarderLinks;
	LIST_ENTRY64    ServiceTagLinks;
	LIST_ENTRY64    StaticLinks;
	PVOID            ContextInformation;
	ULONG64            OriginalBase;
	LARGE_INTEGER    LoadTime;
} LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64;

PIMAGE_SECTION_HEADER GetSegmentHeadPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	PLDR_DATA_TABLE_ENTRY64		entry = (PLDR_DATA_TABLE_ENTRY64)pDriverObj->DriverSection;
	PUCHAR						pJumpDrvBase = (PUCHAR)entry->DllBase;
	PIMAGE_DOS_HEADER			pDosHead;
	PIMAGE_NT_HEADERS			pNtHead;
	PIMAGE_SECTION_HEADER		pSecHead;
	BOOL						bFinded = FALSE;

	pDosHead = (PIMAGE_DOS_HEADER)pJumpDrvBase;
	if (pDosHead->e_magic != IMAGE_DOS_SIGNATURE)
	{
		MyPrint(("[" PRINT_NAME "] DosHead Error\n"));
		return NULL;
	}
	pNtHead = (PIMAGE_NT_HEADERS)((LONG_PTR)pDosHead + pDosHead->e_lfanew);
	if (pNtHead->Signature != IMAGE_NT_SIGNATURE)
	{
		MyPrint(("[" PRINT_NAME "] NtHead Error\n"));
		return NULL;
	}
	pSecHead = IMAGE_FIRST_SECTION(pNtHead);
	for (int i = 0; i < pNtHead->FileHeader.NumberOfSections; i++)
	{
		//section names are 8 bytes and not necessarily NUL-terminated, so compare bounded
		if (strncmp((const char*)(pSecHead->Name), pSegName, IMAGE_SIZEOF_SHORT_NAME) == 0)
		{
			bFinded = TRUE;
			break;
		}
		pSecHead++;
	}
	if (bFinded == FALSE)
	{
		MyPrint(("[" PRINT_NAME "] SecHead Error\n"));
		return NULL;
	}

	return pSecHead;
}

ULONG64 GetDriverBaseAddress(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	PLDR_DATA_TABLE_ENTRY64		entry = (PLDR_DATA_TABLE_ENTRY64)pDriverObj->DriverSection;
	PUCHAR						pJumpDrvBase = (PUCHAR)entry->DllBase;
	UNREFERENCED_PARAMETER(pSegName);
	return (ULONG64)pJumpDrvBase;
}
//the *Pointer helpers return 0 when the section is not found; callers must check before dereferencing
ULONG64 GetSegmentAddressPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	PIMAGE_SECTION_HEADER pSecHead = GetSegmentHeadPointer(pDriverObj, pSegName);
	return pSecHead ? (ULONG64)&(pSecHead->VirtualAddress) : 0;
}
ULONG64 GetSegmentLengthPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	PIMAGE_SECTION_HEADER pSecHead = GetSegmentHeadPointer(pDriverObj, pSegName);
	return pSecHead ? (ULONG64)&(pSecHead->Misc.VirtualSize) : 0;
}
ULONG64 GetSegmentRawDataAddressPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	PIMAGE_SECTION_HEADER pSecHead = GetSegmentHeadPointer(pDriverObj, pSegName);
	return pSecHead ? (ULONG64)&(pSecHead->PointerToRawData) : 0;
}
ULONG64 GetSegmentRawDataLengthPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	PIMAGE_SECTION_HEADER pSecHead = GetSegmentHeadPointer(pDriverObj, pSegName);
	return pSecHead ? (ULONG64)&(pSecHead->SizeOfRawData) : 0;
}

ULONG64 GetSegmentStartAddress(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	ULONG64 pDriverBase = GetDriverBaseAddress(pDriverObj, pSegName);
	ULONG64 pSegmentAddress = GetSegmentAddressPointer(pDriverObj, pSegName);
	if (pSegmentAddress == 0)
		return 0;
	return pDriverBase + *(PULONG32)pSegmentAddress;
}

ULONG64 GetSegmentEndAddress(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	ULONG64 pDriverBase = GetDriverBaseAddress(pDriverObj, pSegName);
	ULONG64 pSegmentAddress = GetSegmentAddressPointer(pDriverObj, pSegName);
	ULONG64 pSegmentLength = GetSegmentLengthPointer(pDriverObj, pSegName);
	if (pSegmentAddress == 0 || pSegmentLength == 0)
		return 0;
	return pDriverBase + *(PULONG32)pSegmentAddress + *(PULONG32)pSegmentLength;
}

ULONG64 GetSegmentLength(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	ULONG64 pSegmentLength = GetSegmentLengthPointer(pDriverObj, pSegName);
	if (pSegmentLength == 0)
		return 0;
	return *(PULONG32)pSegmentLength;
}

================================================
FILE: KernelHiddenExcute/main.c
================================================
#include "Head.h"

NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
	pIrp->IoStatus.Status = STATUS_SUCCESS;
	pIrp->IoStatus.Information = 0;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}

NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
	pIrp->IoStatus.Status = STATUS_SUCCESS;
	pIrp->IoStatus.Information = 0;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}

NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
	NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
	PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
	ULONG uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
	PVOID pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
	ULONG uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
	ULONG uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
	ULONG_PTR uInformation = 0;
	UNREFERENCED_PARAMETER(pDevObj);
	switch (uIoControlCode)
	{
	case IOCTL_TEST:
	{
		DWORD dw;
		//validate the caller-supplied buffer lengths before touching the buffer
		if (pIoBuffer == NULL || uInSize < sizeof(dw) || uOutSize < sizeof(dw))
		{
			status = STATUS_BUFFER_TOO_SMALL;
			break;
		}
		memcpy(&dw, pIoBuffer, sizeof(dw));
		dw++;
		memcpy(pIoBuffer, &dw, sizeof(dw));
		uInformation = sizeof(dw);
		status = STATUS_SUCCESS;
		break;
	}
	}
	//report only the bytes actually written back, not the whole output buffer
	pIrp->IoStatus.Information = (status == STATUS_SUCCESS) ? uInformation : 0;
	pIrp->IoStatus.Status = status;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return status;
}

VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
	UNICODE_STRING strLink;
	//do sth...
	MyPrint(_TitleAndFunc"Exit\n");

	RemoveAndRestoreAllHiddenPageRecord(g_pHiddenPageRecord);
	FreeHiddenPageRecordStructure(g_pHiddenPageRecord);

	//delete device and symbolic link
	RtlInitUnicodeString(&strLink, LINK_NAME);
	IoDeleteSymbolicLink(&strLink);
	IoDeleteDevice(pDriverObj->DeviceObject);
}
VOID WriteEnable()
{
	UINT64 cr0;
	//mask interrupts first, so the thread cannot be moved to another CPU
	//between clearing CR0.WP and the write that relies on it
	_disable();
	cr0 = __readcr0();
	cr0 &= ~0x10000ULL;	//clear CR0.WP (bit 16)
	__writecr0(cr0);
}
VOID WriteDisable()
{
	UINT64 cr0 = __readcr0();
	cr0 |= 0x10000;		//set CR0.WP (bit 16) again
	__writecr0(cr0);
	_enable();			//only then unmask interrupts
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
	NTSTATUS status = STATUS_SUCCESS;
	PDEVICE_OBJECT pDevObj = NULL;
	UNICODE_STRING ustrDeviceName;
	UNICODE_STRING ustrLinkName;
	//set dispatch functions
	pDriverObj->DriverUnload = DriverUnload;
	pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
	pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
	pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
	//create device
	RtlInitUnicodeString(&ustrDeviceName, DEVICE_NAME);
	status = IoCreateDevice(pDriverObj, 0, &ustrDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDevObj);
	if (!NT_SUCCESS(status))
	{
		return status;
	}
	//create symbolic link
	RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
	status = IoCreateSymbolicLink(&ustrLinkName, &ustrDeviceName);
	if (!NT_SUCCESS(status))
	{
		IoDeleteDevice(pDevObj);
		return status;
	}
	//do sth...
	MyPrint(_TitleAndFunc "Entry\n");

	InitializeHiddenPageRecordStructure(&g_pHiddenPageRecord);
	AddHiddenSection(GetCR3ByPID(4), pDriverObj, SECTION_NAME_HIDDEN, g_pHiddenPageRecord);

	WriteEnable();
	RtlZeroMemory((PVOID)HiddenFunctionA, 10);
	WriteDisable();

	ContextOriginalToHidden(g_pHiddenPageRecord);

	HiddenFunctionA(g_pHiddenPageRecord);

	ContextHiddenToOriginal(g_pHiddenPageRecord);

	return status;
}

================================================
FILE: KernelHiddenExecute/DebugPrintEx.h
================================================
#pragma once

#include <ntddk.h>

//switch
#define _DBG_PRINT

#define PRINT_NAME "XYLab"


//adjacent string literals are concatenated by the compiler; ## cannot paste string literals
#define _Title "[" PRINT_NAME "] "
#define _Func "[" __FUNCTION__ "] "
#define _TitleAndFunc _Title _Func

#ifdef _DBG_PRINT
//#define MyPrint(_x_) DbgPrint _x_
#define MyPrint(...) DbgPrint(__VA_ARGS__)
#else
//#define MyPrint(_x_)
#define MyPrint(...)
#endif

================================================
FILE: KernelHiddenExecute/HiddenCallApiTransfer.c
================================================
#include "HiddenCallApiTransfer.h"


//////////////////////////////////////////////////////////////////////////
//functions

/*********************************************************
function:		SimulateApi
description:	stand-in for an ordinary kernel api; the test below uses it to show
				how hidden code calls back into normally mapped code
**********************************************************/
NTSTATUS SimulateApi(ULONG64 param1)
{
	MyPrint(_TitleAndFunc"param1:%16IX\n", param1);
	return STATUS_SUCCESS;
}

/*********************************************************
function:		ApiTransfer_SimulateApi
description:	test of call apis in the hidden apis
**********************************************************/

NTSTATUS ApiTransfer_SimulateApi(PHIDDEN_PAGE_RECORD pHiddenPageRecord, ULONG64 param1)
{
	//BOOL		IsIrqlChanged = FALSE;
	NTSTATUS	Status;

	/*
	if (HighestIrql < HIDDEN_IRQL)
	{
	ChangeIrql(HighestIrql);
	IsIrqlChanged = TRUE;
	}
	*/

	ContextHiddenToOriginal(pHiddenPageRecord);

	Status = SimulateApi(param1);

	ContextOriginalToHidden(pHiddenPageRecord);

	/*
	if (IsIrqlChanged)
	ChangeIrql(HIDDEN_IRQL);
	*/

	return Status;
}


================================================
FILE: KernelHiddenExecute/HiddenCallApiTransfer.h
================================================
#pragma once

#include <ntddk.h>
#include <windef.h>

#include "DebugPrintEx.h"
#include "HiddenExecute.h"


//////////////////////////////////////////////////////////////////////////
//prototypes

NTSTATUS SimulateApi(ULONG64 param1);
NTSTATUS ApiTransfer_SimulateApi(PHIDDEN_PAGE_RECORD pHiddenPageRecord, ULONG64 param1);

================================================
FILE: KernelHiddenExecute/HiddenExecute.c
================================================
#include "HiddenExecute.h"

//////////////////////////////////////////////////////////////////////////
//global variables
PHYSICAL_OP_CR3			g_PhysicalOpCR3 = { 0 };
BOOL					g_IsHiddenOpInit = FALSE;


//////////////////////////////////////////////////////////////////////////
//functions

/*********************************************************
function:		InitializeHiddenPageRecordStructure
description:	initialize the structure:initialize spin lock & set count to zero
				if the physical memory context cannot be created, the pool is freed again
calls:			ExAllocatePool
				KeInitializeSpinLock
				CreatePhysicalOpCR3BySystemCR3
**********************************************************/
NTSTATUS InitializeHiddenPageRecordStructure(PHIDDEN_PAGE_RECORD* ppHiddenPageRecord)
{
	//check the init state
	if (g_IsHiddenOpInit)
		return STATUS_UNSUCCESSFUL;

	PHIDDEN_PAGE_RECORD pHiddenPageRecord = (PHIDDEN_PAGE_RECORD)ExAllocatePool(NonPagedPool, HIDDEN_PAGE_RECORD_LENGTH);
	if (pHiddenPageRecord == NULL)
		return STATUS_UNSUCCESSFUL;

	RtlZeroMemory(pHiddenPageRecord, HIDDEN_PAGE_RECORD_LENGTH);
	MyPrint(_TitleAndFunc"pHiddenPageRecord:%16IX\n", pHiddenPageRecord);

	//set count to zero
	pHiddenPageRecord->Count = 0;
	//initialize spin lock
	KeInitializeSpinLock(&pHiddenPageRecord->SpinLock);

	//initialize physical memory context; without it no record can be added
	if (!NT_SUCCESS(CreatePhysicalOpCR3BySystemCR3(GetCR3ByPID(4), &g_PhysicalOpCR3)))
	{
		ExFreePool(pHiddenPageRecord);
		*ppHiddenPageRecord = NULL;
		return STATUS_UNSUCCESSFUL;
	}

	*ppHiddenPageRecord = pHiddenPageRecord;

	//change init state
	g_IsHiddenOpInit = TRUE;

	return STATUS_SUCCESS;
}

/*********************************************************
function:		FreeHiddenPageRecordStructure
description:	free the structure and set pHiddenPageRecord to zero
calls:			ExFreePool
**********************************************************/
NTSTATUS FreeHiddenPageRecordStructure(PHIDDEN_PAGE_RECORD pHiddenPageRecord)
{
	//check the init state
	if (!g_IsHiddenOpInit)
		return STATUS_UNSUCCESSFUL;

	if (pHiddenPageRecord != NULL)
	{
		//free hidden operation structure
		ExFreePool(pHiddenPageRecord);
		pHiddenPageRecord = NULL;

		//free physical operation structure
		FreePhysicalOpCR3(&g_PhysicalOpCR3);

		//change the init state
		g_IsHiddenOpInit = FALSE;

		return STATUS_SUCCESS;
	}
	else {
		return STATUS_UNSUCCESSFUL;
	}
}

/*********************************************************
function:		pPTEPFNtoPhysicalAddress
description:	translate pfn number to physical address
**********************************************************/
PVOID pPTEPFNtoPhysicalAddress(ULONG64 PFN)
{
	return (PVOID)(PFN << 12);
}

/*********************************************************
function:		pPhysicalAddresstoPTEPFN
description:	translate physical address to pfn number
**********************************************************/
ULONG64 pPhysicalAddresstoPTEPFN(PVOID PhysicalAddressBase)
{
	return (ULONG64)PhysicalAddressBase >> 12;
}

/*********************************************************
function:		pGetSpecificAddresspPTEPhysical
description:	get the pointer of pPTEPhysical
calls:			ContextVirtualToPhysical
				ClearPageTableFlag
				ContextPhysicalToVirtual
**********************************************************/
PMMPTE pGetSpecificAddresspPTEPhysical(ULONG64 CR3, PVOID pPageBase)
{
	//analyse the params
	PMMVA		pAddressInfo = (PMMVA)&pPageBase;
	PVOID		pPML4T = (PVOID)ClearCR3Flag(CR3);
	PMMPTE		pPML4E = NULL;
	PVOID		pPDPT = NULL;
	PMMPTE		pPDPTE = NULL;
	PVOID		pPDT = NULL;
	PMMPTE		pPDE = NULL;
	PVOID		pPT = NULL;
	PMMPTE		pPTE = NULL;

	//switch to physical context
	ContextVirtualToPhysical(&g_PhysicalOpCR3);

	pPML4E = (PMMPTE)((ULONG64)pPML4T + pAddressInfo->PML4T * ENTRY_SIZE);
	if (!pPML4E->Valid)
		goto Lable_Error;
	pPDPT = (PVOID)ClearPageTableFlag(*(PULONG64)pPML4E);

	pPDPTE = (PMMPTE)((ULONG64)pPDPT + pAddressInfo->PDPT * ENTRY_SIZE);
	if (pPDPTE->LargePage || !pPDPTE->Valid)
		goto Lable_Error;
	pPDT = (PVOID)ClearPageTableFlag(*(PULONG64)pPDPTE);

	pPDE = (PMMPTE)((ULONG64)pPDT + pAddressInfo->PDT * ENTRY_SIZE);
	if (pPDE->LargePage || !pPDE->Valid)
		goto Lable_Error;
	pPT = (PVOID)ClearPageTableFlag(*(PULONG64)pPDE);

	pPTE = (PMMPTE)((ULONG64)pPT + pAddressInfo->PT * ENTRY_SIZE);
	if (!pPTE->Valid)
		goto Lable_Error;

	ContextPhysicalToVirtual(&g_PhysicalOpCR3);
	//look up the page table finished
	MyPrint(_TitleAndFunc"pPTE:%16IX\n", pPTE);
	return pPTE;

Lable_Error:
	ContextPhysicalToVirtual(&g_PhysicalOpCR3);
	return NULL;
}

/*********************************************************
function:		pGetSpecificAddressPhysicalForR3
description:	variant of the page table walk for a ring-3 caller, written for use from E language code;
				every table is read through the PHYSICAL_OFFSET window and 1G/2M large pages are handled
**********************************************************/
#define PHYSICAL_OFFSET	0x8000000000
#define NUM_1G			0x40000000
#define NUM_2M			0x200000
PVOID pGetSpecificAddressPhysicalForR3(ULONG64 CR3, PVOID pVirtual)
{
	//analyse the params
	PMMVA		pAddressInfo = (PMMVA)&pVirtual;
	PVOID		pPML4T = (PVOID)ClearCR3Flag(CR3);
	PMMPTE		pPML4E = NULL;
	PVOID		pPDPT = NULL;
	PMMPTE		pPDPTE = NULL;
	PVOID		pPDT = NULL;
	PMMPTE		pPDE = NULL;
	PVOID		pPT = NULL;
	PMMPTE		pPTE = NULL;
	PVOID		pPhysicalBase = NULL;
	PVOID		pPhysical = NULL;
	PVOID		pPhysicalR3 = NULL;

	pPML4E = (PMMPTE)((ULONG64)pPML4T + pAddressInfo->PML4T * ENTRY_SIZE + PHYSICAL_OFFSET);
	if (!pPML4E->Valid)
		return NULL;
	pPDPT = (PVOID)ClearPageTableFlag(*(PULONG64)pPML4E);

	pPDPTE = (PMMPTE)((ULONG64)pPDPT + pAddressInfo->PDPT * ENTRY_SIZE + PHYSICAL_OFFSET);
	if (!pPDPTE->Valid)
		return NULL;
	if (pPDPTE->LargePage)
		goto Lable_PDPTE_LargePage;
	pPDT = (PVOID)ClearPageTableFlag(*(PULONG64)pPDPTE);

	pPDE = (PMMPTE)((ULONG64)pPDT + pAddressInfo->PDT * ENTRY_SIZE + PHYSICAL_OFFSET);
	if (!pPDE->Valid)
		return NULL;
	if (pPDE->LargePage)
		goto Lable_PDE_LargePage;
	pPT = (PVOID)ClearPageTableFlag(*(PULONG64)pPDE);

	pPTE = (PMMPTE)((ULONG64)pPT + pAddressInfo->PT * ENTRY_SIZE + PHYSICAL_OFFSET);
	if (!pPTE->Valid)
		return NULL;
	pPhysicalBase = (PVOID)ClearPageTableFlag(*(PULONG64)pPTE);

	pPhysical = (PVOID)((ULONG64)pPhysicalBase + pAddressInfo->Offset);
	pPhysicalR3 = (PVOID)((ULONG64)pPhysical + PHYSICAL_OFFSET);
	return pPhysicalR3;

Lable_PDPTE_LargePage:
	pPhysicalBase = (PVOID)(((PMMPDPTE)pPDPTE)->PageFrameNumber * NUM_1G);
	pPhysical = (PVOID)((ULONG64)pPhysicalBase + ((PMMVA_PDPTE_LARGE)pAddressInfo)->Offset);
	pPhysicalR3 = (PVOID)((ULONG64)pPhysical + PHYSICAL_OFFSET);
	return pPhysicalR3;

Lable_PDE_LargePage:
	pPhysicalBase = (PVOID)(((PMMPDE)pPDE)->PageFrameNumber * NUM_2M);
	pPhysical = (PVOID)((ULONG64)pPhysicalBase + ((PMMVA_PDE_LARGE)pAddressInfo)->Offset);
	pPhysicalR3 = (PVOID)((ULONG64)pPhysical + PHYSICAL_OFFSET);
	return pPhysicalR3;
}
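As an added illustration of the MMVA decomposition and of the walk above (example code written for this page, not part of the project): a user-mode C program that splits a virtual address into PML4T/PDPT/PDT/PT indices and resolves it against a constructed page-table image, taking the 1G and 2M large-page exits the way pGetSpecificAddressPhysicalForR3 does. The frame addresses, the CR3 flag mask (low 12 bits) and the PFN mask (bits 12..51) are assumptions of the example, not values taken from the driver.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits common to PML4E/PDPTE/PDE/PTE, mirroring the bitfields above. */
#define PTE_VALID       (1ULL << 0)
#define PTE_LARGE_PAGE  (1ULL << 7)            /* meaningful in PDPTE and PDE only */
#define PTE_PFN_MASK    0x000FFFFFFFFFF000ULL  /* assumed: physical address bits 12..51 */
#define CR3_FLAG_BITS   0xFFFULL               /* assumed: PWT/PCD or PCID, not part of the PML4T address */
#define ENTRY_SIZE      8

typedef struct {            /* same decomposition as the MMVA bitfield */
    uint64_t offset, pt, pdt, pdpt, pml4t, partition;
} va_parts_t;

va_parts_t split_va(uint64_t va)
{
    va_parts_t p;
    p.offset    =  va        & 0xFFF;
    p.pt        = (va >> 12) & 0x1FF;
    p.pdt       = (va >> 21) & 0x1FF;
    p.pdpt      = (va >> 30) & 0x1FF;
    p.pml4t     = (va >> 39) & 0x1FF;
    p.partition = (va >> 48) & 0xFFFF;         /* 0x0000 user, 0xFFFF system */
    return p;
}

/* Constructed "physical memory" image; stands in for the view the driver maps
 * from \Device\PhysicalMemory. Reads outside the image decode as not-present. */
#define MEM_SIZE (16 * 4096)
static uint8_t g_mem[MEM_SIZE];

static uint64_t read_entry(uint64_t pa)
{
    uint64_t e = 0;
    if (pa + ENTRY_SIZE <= MEM_SIZE) memcpy(&e, g_mem + pa, ENTRY_SIZE);
    return e;
}
static void write_entry(uint64_t pa, uint64_t e) { memcpy(g_mem + pa, &e, ENTRY_SIZE); }

/* Walk CR3 -> PML4T -> PDPT -> PDT -> PT. On success stores the physical address in *pa
 * and the page size as a shift (12, 21 or 30) in *shift and returns 0; -1 if not present. */
int translate(uint64_t cr3, uint64_t va, uint64_t *pa, int *shift)
{
    va_parts_t v = split_va(va);
    uint64_t pml4t = cr3 & ~CR3_FLAG_BITS;                 /* ClearCR3Flag */

    uint64_t pml4e = read_entry(pml4t + v.pml4t * ENTRY_SIZE);
    if (!(pml4e & PTE_VALID)) return -1;

    uint64_t pdpte = read_entry((pml4e & PTE_PFN_MASK) + v.pdpt * ENTRY_SIZE);
    if (!(pdpte & PTE_VALID)) return -1;
    if (pdpte & PTE_LARGE_PAGE) {                          /* 1 GiB page: MMVA_PDPTE_LARGE */
        *pa = (pdpte & PTE_PFN_MASK & ~((1ULL << 30) - 1)) + (va & ((1ULL << 30) - 1));
        *shift = 30;
        return 0;
    }

    uint64_t pde = read_entry((pdpte & PTE_PFN_MASK) + v.pdt * ENTRY_SIZE);
    if (!(pde & PTE_VALID)) return -1;
    if (pde & PTE_LARGE_PAGE) {                            /* 2 MiB page: MMVA_PDE_LARGE */
        *pa = (pde & PTE_PFN_MASK & ~((1ULL << 21) - 1)) + (va & ((1ULL << 21) - 1));
        *shift = 21;
        return 0;
    }

    uint64_t pte = read_entry((pde & PTE_PFN_MASK) + v.pt * ENTRY_SIZE);
    if (!(pte & PTE_VALID)) return -1;
    *pa = (pte & PTE_PFN_MASK) + v.offset;                 /* 4 KiB page */
    *shift = 12;
    return 0;
}

/* Constructed tables with hypothetical frame addresses: PML4T @0x1000, PDPT @0x2000,
 * PDT @0x3000, PT @0x4000. Returns the CR3 value to pass to translate(). */
uint64_t build_tables(void)
{
    memset(g_mem, 0, sizeof g_mem);
    write_entry(0x1000 + 0 * ENTRY_SIZE, 0x2000 | PTE_VALID);                         /* PML4E[0] -> PDPT */
    write_entry(0x2000 + 0 * ENTRY_SIZE, 0x3000 | PTE_VALID);                         /* PDPTE[0] -> PDT */
    write_entry(0x2000 + 1 * ENTRY_SIZE, 0x80000000ULL | PTE_LARGE_PAGE | PTE_VALID); /* PDPTE[1]: 1 GiB page */
    write_entry(0x3000 + 2 * ENTRY_SIZE, 0x4000 | PTE_VALID);                         /* PDE[2] -> PT */
    write_entry(0x3000 + 3 * ENTRY_SIZE, 0x400000ULL | PTE_LARGE_PAGE | PTE_VALID);   /* PDE[3]: 2 MiB page */
    write_entry(0x4000 + 1 * ENTRY_SIZE, 0x9000 | PTE_VALID);                         /* PTE[1] -> frame 0x9000 */
    return 0x1000 | 0x18;                                  /* PWT|PCD set, to exercise the flag strip */
}

int main(void)
{
    uint64_t cr3 = build_tables(), pa;
    uint64_t samples[] = { 0x401234, 0x600ABC, 0x40000010, 0x800000, 0xFFFFF80000000000ULL };
    int shift;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (translate(cr3, samples[i], &pa, &shift) == 0)
            printf("VA %#018llx -> PA %#llx (%d-bit page)\n", (unsigned long long)samples[i], (unsigned long long)pa, shift);
        else
            printf("VA %#018llx -> not present\n", (unsigned long long)samples[i]);
    }
    return 0;
}
```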
/*********************************************************
function:		AddHiddenPageRecord
description:	add a record element to the structure
				include get pte physical address of the specific page and record the pfn
				reserve a physical page by api:MmAllocateNonCachedMemory and MmMarkPhysicalMemoryAsBad
				then free the page

calls:			KeAcquireSpinLock
				pGetSpecificAddresspPTEPhysical
				ContextVirtualToPhysical
				ContextPhysicalToVirtual
				MmAllocateNonCachedMemory
				MmGetPhysicalAddress
				pPhysicalAddresstoPTEPFN
				MmFreeNonCachedMemory
				MmMarkPhysicalMemoryAsBad
				KeReleaseSpinLock
**********************************************************/
NTSTATUS AddHiddenPageRecord(ULONG64 CR3, PVOID pHiddenPageBase, PHIDDEN_PAGE_RECORD pHiddenPageRecord)
{
	KIRQL		EntryIrql;
	NTSTATUS	Status = STATUS_UNSUCCESSFUL;
	//prevent concurrent threads from changing the page record count
	KeAcquireSpinLock(&pHiddenPageRecord->SpinLock, &EntryIrql);

	//check count
	MyPrint(_TitleAndFunc"pHiddenPageRecord->Count:%16IX\n", pHiddenPageRecord->Count);
	if (pHiddenPageRecord->Count == MAX_HIDDEN_PAGE_COUNT)
		goto Lable_Error;

	//add pPTE record
	PSPECIFIC_HIDDEN_PAGE_RECORD	pCurrentRecord = &pHiddenPageRecord->Record[pHiddenPageRecord->Count];

	pCurrentRecord->pPTE = pGetSpecificAddresspPTEPhysical(CR3, pHiddenPageBase);
	MyPrint(_TitleAndFunc"pCurrentRecord->pPTE:%16IX\n", pCurrentRecord->pPTE);
	if (pCurrentRecord->pPTE == NULL)
		goto Lable_Error;

	//add hidden virtual address record
	pCurrentRecord->pHiddenBase = pHiddenPageBase;
	MyPrint(_TitleAndFunc"pCurrentRecord->pHiddenBase:%16IX\n", pCurrentRecord->pHiddenBase);

	//add original pfn record
	ContextVirtualToPhysical(&g_PhysicalOpCR3);
	pCurrentRecord->OriginalPfn = pCurrentRecord->pPTE->PageFrameNumber;
	ContextPhysicalToVirtual(&g_PhysicalOpCR3);

	MyPrint(_TitleAndFunc"pCurrentRecord->OriginalPfn:%16IX\n", pCurrentRecord->OriginalPfn);

	//add hidden pfn record 
	//allocate memory
	//record the physical address
	//then free the memory and mark it as bad
	PVOID	TemporaryVirtual = MmAllocateNonCachedMemory(PAGE_SIZE);
	if (TemporaryVirtual == NULL)
		goto Lable_Error;

	PHYSICAL_ADDRESS	TemporaryPhysical = MmGetPhysicalAddress(TemporaryVirtual);
	LARGE_INTEGER		PhysicalLength = { 0 };
	PhysicalLength.QuadPart = PAGE_SIZE;

	pCurrentRecord->HiddenPfn = pPhysicalAddresstoPTEPFN((PVOID)(TemporaryPhysical.QuadPart));
	MyPrint(_TitleAndFunc"pCurrentRecord->HiddenPfn:%16IX\n", pCurrentRecord->HiddenPfn);

	MmFreeNonCachedMemory(TemporaryVirtual, PAGE_SIZE);

	//reserve the frame: once marked bad the memory manager will not hand it out again
	//(between the free and the mark there is a short window in which the frame could be reused)
	Status = MmMarkPhysicalMemoryAsBad(&TemporaryPhysical, &PhysicalLength);

	//check the mark state before writing into the frame, it is only ours once the mark succeeded
	if (!NT_SUCCESS(Status))
		goto Lable_Error;

	//copy codes to the new non-mapped physical address
	ContextVirtualToPhysical(&g_PhysicalOpCR3);
	RtlCopyMemory((PVOID)(TemporaryPhysical.QuadPart),
		pCurrentRecord->pHiddenBase,
		PAGE_SIZE
	);
	ContextPhysicalToVirtual(&g_PhysicalOpCR3);

	//the last step:count +1
	pHiddenPageRecord->Count++;

	//release spin lock
	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);
	return STATUS_SUCCESS;

Lable_Error:
	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);
	return STATUS_UNSUCCESSFUL;
}

/*********************************************************
function:		RemoveAndRestoreAllHiddenPageRecord
description:	remove and restore all records of the structure:
				mark the hidden physical memory as good again,
				restore the original page mappings,
				and invalidate the TLB entry of each hidden page

calls:			KeAcquireSpinLock
				pPTEPFNtoPhysicalAddress
				MmMarkPhysicalMemoryAsGood
				ContextVirtualToPhysical
				ContextPhysicalToVirtual
				__invlpg
				KeReleaseSpinLock
**********************************************************/
NTSTATUS RemoveAndRestoreAllHiddenPageRecord(PHIDDEN_PAGE_RECORD pHiddenPageRecord)
{
	KIRQL		EntryIrql;
	NTSTATUS	Status = STATUS_UNSUCCESSFUL;
	//prevent multi-threaded changes to the page record count
	KeAcquireSpinLock(&pHiddenPageRecord->SpinLock, &EntryIrql);

	//assert we have elements
	if (pHiddenPageRecord->Count == 0)
		goto Lable_Error;

	//restore all records and mark all the hidden physical memory as good
	PSPECIFIC_HIDDEN_PAGE_RECORD	pCurrentRecord = NULL;
	PHYSICAL_ADDRESS				CurrentHiddenPhysical = { 0 };
	LARGE_INTEGER					PhysicalLength = { 0 };

	PhysicalLength.QuadPart = PAGE_SIZE;

	for (ULONG64 i = 0; i < pHiddenPageRecord->Count; i++)
	{
		pCurrentRecord = &pHiddenPageRecord->Record[i];
		CurrentHiddenPhysical.QuadPart = (ULONG64)pPTEPFNtoPhysicalAddress(pCurrentRecord->HiddenPfn);

		//mark it as good
		MmMarkPhysicalMemoryAsGood(&CurrentHiddenPhysical, &PhysicalLength);

		//restore all page mapping relations
		ContextVirtualToPhysical(&g_PhysicalOpCR3);
		pCurrentRecord->pPTE->PageFrameNumber = pCurrentRecord->OriginalPfn;
		ContextPhysicalToVirtual(&g_PhysicalOpCR3);

		//invalid the TLB of current hidden address
		__invlpg(pCurrentRecord->pHiddenBase);
	}

	//set count to zero
	pHiddenPageRecord->Count = 0;

	//release spin lock
	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);
	return STATUS_SUCCESS;

Lable_Error:
	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);
	return STATUS_UNSUCCESSFUL;
}

/*********************************************************
function:		ContextOriginalToHidden
description:	switch to the hidden code pages so that the hidden functions can be called

calls:			KeGetCurrentIrql
				KeRaiseIrqlToDpcLevel
				_disable
				KeAcquireSpinLock
				ContextVirtualToPhysical
				ContextPhysicalToVirtual
				__invlpg
				KeReleaseSpinLock
**********************************************************/
NTSTATUS ContextOriginalToHidden(PHIDDEN_PAGE_RECORD pHiddenPageRecord)
{
	KIRQL		EntryIrql;
	NTSTATUS	Status = STATUS_UNSUCCESSFUL;

	//record original irql
	pHiddenPageRecord->OriginalIrql = KeGetCurrentIrql();
	MyPrint(_TitleAndFunc"pHiddenPageRecord->OriginalIrql:%16IX\n", pHiddenPageRecord->OriginalIrql);

	//make sure we run at IRQL >= DISPATCH_LEVEL, so the thread cannot be switched away while the hidden mapping is active
	if (pHiddenPageRecord->OriginalIrql < DISPATCH_LEVEL)
	{
		pHiddenPageRecord->IsIrqlChanged = TRUE;
		KeRaiseIrqlToDpcLevel();
	}

	//disable maskable interrupts
	_disable();

	//prevent multi-threaded changes to the page record count
	KeAcquireSpinLock(&pHiddenPageRecord->SpinLock, &EntryIrql);

	//assert we have elements
	if (pHiddenPageRecord->Count == 0)
		goto Lable_Error;

	//check the initialize state and current hidden state
	if (!g_IsHiddenOpInit || pHiddenPageRecord->IsHidden)
		goto Lable_Error;

	//point every recorded PTE at its hidden pfn
	PSPECIFIC_HIDDEN_PAGE_RECORD	pCurrentRecord = NULL;

	for (ULONG64 i = 0; i < pHiddenPageRecord->Count; i++)
	{
		pCurrentRecord = &pHiddenPageRecord->Record[i];

		//change all page mapping relations
		ContextVirtualToPhysical(&g_PhysicalOpCR3);
		pCurrentRecord->pPTE->PageFrameNumber = pCurrentRecord->HiddenPfn;
		ContextPhysicalToVirtual(&g_PhysicalOpCR3);

		//invalid the TLB of current hidden address
		__invlpg(pCurrentRecord->pHiddenBase);
	}

	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);

	//change the flag IsHidden
	pHiddenPageRecord->IsHidden = TRUE;
	return STATUS_SUCCESS;

Lable_Error:
	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);
	//undo the interrupt and irql changes made above, ContextHiddenToOriginal is not called on failure
	_enable();
	if (pHiddenPageRecord->IsIrqlChanged)
	{
		KeLowerIrql(pHiddenPageRecord->OriginalIrql);
		pHiddenPageRecord->IsIrqlChanged = FALSE;
	}
	return STATUS_UNSUCCESSFUL;
}

/*********************************************************
function:		ContextHiddenToOriginal
description:	switch back to the original code pages, then re-enable interrupts
				and restore the irql that ContextOriginalToHidden changed

calls:			KeAcquireSpinLock
				ContextVirtualToPhysical
				ContextPhysicalToVirtual
				__invlpg
				KeReleaseSpinLock
				_enable
				KeLowerIrql
**********************************************************/
NTSTATUS ContextHiddenToOriginal(PHIDDEN_PAGE_RECORD pHiddenPageRecord)
{
	KIRQL		EntryIrql;
	NTSTATUS	Status = STATUS_UNSUCCESSFUL;

	//prevent multi-threaded changes to the page record count
	KeAcquireSpinLock(&pHiddenPageRecord->SpinLock, &EntryIrql);

	//assert we have elements
	if (pHiddenPageRecord->Count == 0)
		goto Lable_Error;

	//check the initialize state and current hidden state
	if (!g_IsHiddenOpInit || !pHiddenPageRecord->IsHidden)
		goto Lable_Error;

	//point every recorded PTE back at its original pfn
	PSPECIFIC_HIDDEN_PAGE_RECORD	pCurrentRecord = NULL;

	for (ULONG64 i = 0; i < pHiddenPageRecord->Count; i++)
	{
		pCurrentRecord = &pHiddenPageRecord->Record[i];

		//change all page mapping relations
		ContextVirtualToPhysical(&g_PhysicalOpCR3);
		pCurrentRecord->pPTE->PageFrameNumber = pCurrentRecord->OriginalPfn;
		ContextPhysicalToVirtual(&g_PhysicalOpCR3);

		//invalid the TLB of current hidden address
		__invlpg(pCurrentRecord->pHiddenBase);
	}

	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);

	//re-enable maskable interrupts
	_enable();

	//restore irql
	MyPrint(_TitleAndFunc"pHiddenPageRecord->IsIrqlChanged:%16IX\n", pHiddenPageRecord->IsIrqlChanged);
	if (pHiddenPageRecord->IsIrqlChanged)
	{
		KeLowerIrql(pHiddenPageRecord->OriginalIrql);

		//restore the flag IsIrqlChanged
		pHiddenPageRecord->IsIrqlChanged = FALSE;
	}

	//change the flag IsHidden
	pHiddenPageRecord->IsHidden = FALSE;
	return STATUS_SUCCESS;

Lable_Error:
	KeReleaseSpinLock(&pHiddenPageRecord->SpinLock, EntryIrql);
	return STATUS_UNSUCCESSFUL;
}

/*********************************************************
function:		GetPagesCountByLength
description:	get pages count by length
**********************************************************/
ULONG64 GetPagesCountByLength(ULONG64 Length)
{
	if ((Length & 0xFFF) == 0)
		return (Length >> 12);
	else
		return (Length >> 12) + 1;
}

/*********************************************************
function:		AddHiddenSection
description:	add every page of the named section to the hidden records;
				returns STATUS_SUCCESS only if every call of AddHiddenPageRecord succeeded
calls:			GetSegmentStartAddress
				GetSegmentLength
				GetPagesCountByLength
				AddHiddenPageRecord
**********************************************************/
NTSTATUS AddHiddenSection(ULONG64 SystemCR3, PDRIVER_OBJECT pDriverObj, PCHAR pSegName, PHIDDEN_PAGE_RECORD pHiddenPageRecord)
{
	//analyse number of pages of the section 
	PVOID		pSectionStart = (PVOID)GetSegmentStartAddress(pDriverObj, pSegName);
	ULONG64		SectionLength = GetSegmentLength(pDriverObj, pSegName);
	ULONG64		PagesCount = GetPagesCountByLength(SectionLength);
	PVOID		pCurrentPage = NULL;
	NTSTATUS	Status = STATUS_UNSUCCESSFUL;

	MyPrint(_TitleAndFunc"pSectionStart:%16IX\n", pSectionStart);
	MyPrint(_TitleAndFunc"SectionLength:%16IX\n", SectionLength);
	MyPrint(_TitleAndFunc"PagesCount:%16IX\n", PagesCount);

	//call AddHiddenPageRecord to record the hidden info
	for (ULONG64 i = 0; i < PagesCount; i++)
	{
		pCurrentPage = (PVOID)((ULONG64)pSectionStart + i * PAGE_SIZE);
		Status = AddHiddenPageRecord(SystemCR3, pCurrentPage, pHiddenPageRecord);

		//make sure all the records are successful
		if (!NT_SUCCESS(Status))
			return Status;
	}

	return STATUS_SUCCESS;
}

================================================
FILE: KernelHiddenExecute/HiddenExecute.h
================================================
#pragma once

/*********************************************************
description:
notice!!!	the hidden code runs at IRQL >= DISPATCH_LEVEL;
			kernel APIs that need a lower IRQL must be reached through the transfer functions

the real code is kept in physical pages that are not mapped anywhere, and the original code pages are cleared.
before a hidden function is called, those physical pages have to be mapped back to the code's virtual address.
a hidden function that needs a windows api must go through a transfer function (which is itself not hidden).

a transfer function: checks and changes the irql, restores and rewrites the page table entries (pte), then calls the specific api.

the physical pages are reserved with MmMarkPhysicalMemoryAsBad, which keeps the memory manager from allocating them to anyone else.

**********************************************************/

#include <ntddk.h>
#include <windef.h>

#include "DebugPrintEx.h"
#include "PhysicalMemoryOperation.h"
#include "SectionOperation.h"


//////////////////////////////////////////////////////////////////////////
//macro utilities

#define ChangeIrql(x)				WriteCR8(x)
#define ClearPageTableFlag(x)		ClearCR3Flag(x)


//////////////////////////////////////////////////////////////////////////
//constants and macros

#define SECTION_NAME_HIDDEN_INSTRUCTIONS	".hi"
#define SECTION_NAME_HIDDEN_DATA			".hd"
#define HIDDEN_IRQL							DISPATCH_LEVEL
#define HIDDEN_PAGE_RECORD_LENGTH			0x1000
#define MAX_HIDDEN_PAGE_COUNT				126					//      (4096 - 40) / (4 * 8) = 126.75


//////////////////////////////////////////////////////////////////////////
//types

typedef struct _MMPTE
{
	struct /* bitfield */
	{
		/* 0x0000 */ unsigned __int64 Valid : 1; /* bit position: 0 */
		/* 0x0000 */ unsigned __int64 Dirty1 : 1; /* bit position: 1 */
		/* 0x0000 */ unsigned __int64 Owner : 1; /* bit position: 2 */
		/* 0x0000 */ unsigned __int64 WriteThrough : 1; /* bit position: 3 */
		/* 0x0000 */ unsigned __int64 CacheDisable : 1; /* bit position: 4 */
		/* 0x0000 */ unsigned __int64 Accessed : 1; /* bit position: 5 */
		/* 0x0000 */ unsigned __int64 Dirty : 1; /* bit position: 6 */
		/* 0x0000 */ unsigned __int64 LargePage : 1; /* bit position: 7 */
		/* 0x0000 */ unsigned __int64 Global : 1; /* bit position: 8 */
		/* 0x0000 */ unsigned __int64 CopyOnWrite : 1; /* bit position: 9 */
		/* 0x0000 */ unsigned __int64 Unused : 1; /* bit position: 10 */
		/* 0x0000 */ unsigned __int64 Write : 1; /* bit position: 11 */
		/* 0x0000 */ unsigned __int64 PageFrameNumber : 36; /* bit position: 12 */
		/* 0x0000 */ unsigned __int64 reserved1 : 4; /* bit position: 48 */
		/* 0x0000 */ unsigned __int64 SoftwareWsIndex : 11; /* bit position: 52 */
		/* 0x0000 */ unsigned __int64 NoExecute : 1; /* bit position: 63 */
	}; /* bitfield */
} MMPTE, * PMMPTE; /* size: 0x0008 */

typedef struct _SPECIFIC_HIDDEN_PAGE_RECORD
{
	PVOID		pHiddenBase;
	PMMPTE		pPTE;
	ULONG64		OriginalPfn;
	ULONG64		HiddenPfn;
}SPECIFIC_HIDDEN_PAGE_RECORD, * PSPECIFIC_HIDDEN_PAGE_RECORD;

typedef struct _HIDDEN_PAGE_RECORD
{
	BOOL							IsHidden;
	KIRQL							OriginalIrql;
	BOOL							IsIrqlChanged;
	KSPIN_LOCK						SpinLock;
	ULONG64							Count;
	SPECIFIC_HIDDEN_PAGE_RECORD		Record[MAX_HIDDEN_PAGE_COUNT - 1];
}HIDDEN_PAGE_RECORD, * PHIDDEN_PAGE_RECORD;


//////////////////////////////////////////////////////////////////////////
//prototypes

//undocumented kernel functions
NTSYSAPI NTSTATUS MmMarkPhysicalMemoryAsBad(IN PPHYSICAL_ADDRESS, IN OUT PLARGE_INTEGER);
NTSYSAPI NTSTATUS MmMarkPhysicalMemoryAsGood(IN PPHYSICAL_ADDRESS, IN OUT PLARGE_INTEGER);

//functions
NTSTATUS InitializeHiddenPageRecordStructure(PHIDDEN_PAGE_RECORD* ppHiddenPageRecord);
NTSTATUS FreeHiddenPageRecordStructure(PHIDDEN_PAGE_RECORD pHiddenPageRecord);

//private functions
PVOID pPTEPFNtoPhysicalAddress(ULONG64 PFN);
ULONG64 pPhysicalAddresstoPTEPFN(PVOID PhysicalAddressBase);
PMMPTE pGetSpecificAddresspPTEPhysical(ULONG64 CR3, PVOID pPageBase);
PVOID pGetSpecificAddressPhysicalForR3(ULONG64 CR3, PVOID pVirtual);
ULONG64 GetPagesCountByLength(ULONG64 Length);

//public functions
//add page(s) to the hidden records
NTSTATUS AddHiddenPageRecord(ULONG64 CR3, PVOID pHiddenPageBase, PHIDDEN_PAGE_RECORD pHiddenPageRecord);
NTSTATUS AddHiddenSection(ULONG64 SystemCR3, PDRIVER_OBJECT pDriverObj, PCHAR pSegName, PHIDDEN_PAGE_RECORD pHiddenPageRecord);
NTSTATUS RemoveAndRestoreAllHiddenPageRecord(PHIDDEN_PAGE_RECORD pHiddenPageRecord);
//context swap
NTSTATUS ContextOriginalToHidden(PHIDDEN_PAGE_RECORD pHiddenPageRecord);
NTSTATUS ContextHiddenToOriginal(PHIDDEN_PAGE_RECORD pHiddenPageRecord);
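A user-mode model of the PTE-swapping scheme this header describes, added here as an example and not part of the project: the MMPTE layout, one page record, the context switch as a PFN swap, and the two integrity checks a defender would run against it. Frames, the PTE and the page contents are constructed arrays; MmMarkPhysicalMemoryAsBad is replaced by a "bad frame" bitmap and spin locks, IRQL handling and `__invlpg` are omitted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE   4096u
#define MODEL_FRAME_COUNT 8u

/* Same layout as the project's MMPTE: 12 flag bits, a 36-bit PFN at bit 12. */
typedef struct _MODEL_PTE {
    uint64_t Valid           : 1;
    uint64_t LowFlags        : 11;   /* Dirty1 .. Write, unused by the model */
    uint64_t PageFrameNumber : 36;
    uint64_t HighBits        : 16;   /* reserved1, SoftwareWsIndex, NoExecute */
} MODEL_PTE;

typedef struct _MODEL_RECORD {       /* one SPECIFIC_HIDDEN_PAGE_RECORD */
    MODEL_PTE *pPTE;
    uint64_t   OriginalPfn;
    uint64_t   HiddenPfn;
} MODEL_RECORD;

/* Constructed "physical memory", the PTE of the .hi page, the frames the allocator
 * must not hand out (MmMarkPhysicalMemoryAsBad analogue) and the image's copy of the page. */
static uint8_t      g_Phys[MODEL_FRAME_COUNT][MODEL_PAGE_SIZE];
static uint8_t      g_BadFrame[MODEL_FRAME_COUNT];
static MODEL_PTE    g_HiPagePte;
static uint8_t      g_ImagePage[MODEL_PAGE_SIZE];
static MODEL_RECORD g_Record;

/* Reset the model: frame 1 holds the .hi page exactly as shipped in the image. */
void ModelReset(void)
{
    memset(g_Phys, 0, sizeof g_Phys);
    memset(g_BadFrame, 0, sizeof g_BadFrame);
    for (unsigned i = 0; i < MODEL_PAGE_SIZE; i++)
        g_ImagePage[i] = (uint8_t)(0x90 + i % 7);      /* constructed "code" bytes */
    memcpy(g_Phys[1], g_ImagePage, MODEL_PAGE_SIZE);
    memset(&g_HiPagePte, 0, sizeof g_HiPagePte);
    g_HiPagePte.Valid = 1;
    g_HiPagePte.PageFrameNumber = 1;
}

/* Model of AddHiddenPageRecord: remember the PTE and its original PFN, reserve a
 * spare frame by marking it bad, then copy the page into that frame. */
int AddHiddenPageRecord(MODEL_RECORD *r, MODEL_PTE *pte, uint64_t spareFrame)
{
    if (spareFrame >= MODEL_FRAME_COUNT || g_BadFrame[spareFrame])
        return 0;
    r->pPTE        = pte;
    r->OriginalPfn = pte->PageFrameNumber;
    r->HiddenPfn   = spareFrame;
    g_BadFrame[spareFrame] = 1;
    memcpy(g_Phys[r->HiddenPfn], g_Phys[r->OriginalPfn], MODEL_PAGE_SIZE);
    return 1;
}

/* "Clear original codes": the frame the PTE normally points at no longer holds
 * the real code; 0xCC is a constructed filler. */
void ClearOriginalFrame(const MODEL_RECORD *r)
{
    memset(g_Phys[r->OriginalPfn], 0xCC, MODEL_PAGE_SIZE);
}

/* ContextOriginalToHidden / ContextHiddenToOriginal: only the PFN field of the
 * PTE changes, the virtual address of the code never does (TLB flush omitted). */
void ContextOriginalToHidden(MODEL_RECORD *r) { r->pPTE->PageFrameNumber = r->HiddenPfn;   }
void ContextHiddenToOriginal(MODEL_RECORD *r) { r->pPTE->PageFrameNumber = r->OriginalPfn; }

/* Defender check 1 (virtual view): does the page seen through the PTE still match
 * the driver image?  Fails while the dummy frame is mapped, passes only in the hidden context. */
int CodePageMatchesImage(const MODEL_PTE *pte)
{
    return memcmp(g_Phys[pte->PageFrameNumber], g_ImagePage, MODEL_PAGE_SIZE) == 0;
}

/* Defender check 2 (physical view): a frame marked bad that holds a known image
 * page is suspicious whichever context is active, e.g. in a physical memory dump. */
int BadFrameHoldsImageCode(void)
{
    for (unsigned f = 0; f < MODEL_FRAME_COUNT; f++)
        if (g_BadFrame[f] && memcmp(g_Phys[f], g_ImagePage, MODEL_PAGE_SIZE) == 0)
            return 1;
    return 0;
}

int main(void)
{
    ModelReset();
    AddHiddenPageRecord(&g_Record, &g_HiPagePte, 5);
    ClearOriginalFrame(&g_Record);
    printf("original context matches image: %d\n", CodePageMatchesImage(&g_HiPagePte));
    ContextOriginalToHidden(&g_Record);
    printf("hidden context matches image:   %d\n", CodePageMatchesImage(&g_HiPagePte));
    ContextHiddenToOriginal(&g_Record);
    printf("bad frame holds image code:     %d\n", BadFrameHoldsImageCode());
    return 0;
}
```

The second check is the one that survives the context switch: the hidden copy sits in a physical frame the whole time, so a physical-memory acquisition that scans frames flagged bad for known code pages finds it regardless of which PFN the PTE holds at that instant.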

================================================
FILE: KernelHiddenExecute/HiddenFunctions.c
================================================
#include "HiddenFunctions.h"


//////////////////////////////////////////////////////////////////////////
//functions

//#pragma code_seg(SECTION_NAME_HIDDEN_INSTRUCTIONS)
//NTSTATUS HiddenFunctionA(PHIDDEN_PAGE_RECORD pHiddenPageRecord)
//{
//	NTSTATUS Status = STATUS_UNSUCCESSFUL;
//
//	Status = ApiTransfer_SimulateApi(pHiddenPageRecord, 0xFAFAFAFAFAFAFAFA);
//
//	return Status;
//}
//#pragma code_seg()

#pragma code_seg(SECTION_NAME_HIDDEN_INSTRUCTIONS)
BOOL HiddenFunction(PCHAR checkStr)
{
	if (!checkStr)
	{
		return FALSE;
	}
	CHAR validStr[64] = "strongPassword";
	return strcmp(validStr, checkStr) == 0;//this equality comparison is what the demo tampers with
}
#pragma code_seg()
BOOL UnsafeFunction(PCHAR checkStr)
{
	if (!checkStr)
	{
		return FALSE;
	}
	CHAR validStr[64] = "strongPassword";
	return strcmp(validStr, checkStr) == 0;
}

#pragma data_seg(SECTION_NAME_HIDDEN_DATA)  
char HiddenData[4096] = "normal data";//this data is what the demo tampers with
#pragma data_seg() 

char UnsafeData[4096] = "normal data";



================================================
FILE: KernelHiddenExecute/HiddenFunctions.h
================================================
#pragma once

#include <ntddk.h>
#include <windef.h>

#include "DebugPrintEx.h"
#include "HiddenExecute.h"
#include "HiddenCallApiTransfer.h"

//////////////////////////////////////////////////////////////////////////
//prototypes

//NTSTATUS HiddenFunctionA(PHIDDEN_PAGE_RECORD pHiddenPageRecord);
BOOL HiddenFunction(PCHAR checkStr);
BOOL UnsafeFunction(PCHAR checkStr);

================================================
FILE: KernelHiddenExecute/KernelHiddenExecute.inf
================================================
;
; KernelHiddenExecute.inf
;

[Version]
Signature="$WINDOWS NT$"
Class=System
ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}
Provider=XYLab
DriverVer=
CatalogFile=KernelHiddenExecute.cat
PnpLockDown=1

;[DestinationDirs]
;DefaultDestDir = 12


;[SourceDisksNames]
;1 = %DiskName%,,,""

;[SourceDisksFiles]


;[Manufacturer]
;%ManufacturerName%=Standard,NT$ARCH$

;[Standard.NT$ARCH$]


[Strings]
ManufacturerName="XYLab"
ClassName=""
DiskName="KernelHiddenExecute Source Disk"


================================================
FILE: KernelHiddenExecute/KernelHiddenExecute.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup Label="ProjectConfigurations">
    <ProjectConfiguration Include="Debug|Win32">
      <Configuration>Debug</Configuration>
      <Platform>Win32</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|Win32">
      <Configuration>Release</Configuration>
      <Platform>Win32</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Debug|x64">
      <Configuration>Debug</Configuration>
      <Platform>x64</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|x64">
      <Configuration>Release</Configuration>
      <Platform>x64</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Debug|ARM">
      <Configuration>Debug</Configuration>
      <Platform>ARM</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|ARM">
      <Configuration>Release</Configuration>
      <Platform>ARM</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Debug|ARM64">
      <Configuration>Debug</Configuration>
      <Platform>ARM64</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|ARM64">
      <Configuration>Release</Configuration>
      <Platform>ARM64</Platform>
    </ProjectConfiguration>
  </ItemGroup>
  <PropertyGroup Label="Globals">
    <ProjectGuid>{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}</ProjectGuid>
    <TemplateGuid>{dd38f7fc-d7bd-488b-9242-7d8754cde80d}</TemplateGuid>
    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
    <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
    <Configuration>Debug</Configuration>
    <Platform Condition="'$(Platform)' == ''">Win32</Platform>
    <RootNamespace>KernelHiddenExecute</RootNamespace>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>WDM</DriverType>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>WDM</DriverType>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
    <TargetVersion>Windows7</TargetVersion>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>WDM</DriverType>
    <DriverTargetPlatform>Desktop</DriverTargetPlatform>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
    <TargetVersion>Windows7</TargetVersion>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>WDM</DriverType>
    <DriverTargetPlatform>Desktop</DriverTargetPlatform>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>WDM</DriverType>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>WDM</DriverType>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>WDM</DriverType>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>WDM</DriverType>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
  <ImportGroup Label="ExtensionSettings">
  </ImportGroup>
  <ImportGroup Label="PropertySheets">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <PropertyGroup Label="UserMacros" />
  <PropertyGroup />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
    <EnableInf2cat>false</EnableInf2cat>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
    <EnableInf2cat>false</EnableInf2cat>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
  </PropertyGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
      <WarningLevel>Level4</WarningLevel>
    </ClCompile>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
      <TreatWarningAsError>false</TreatWarningAsError>
    </ClCompile>
    <Link>
      <TreatLinkerWarningAsErrors>false</TreatLinkerWarningAsErrors>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
      <WarningLevel>Level4</WarningLevel>
    </ClCompile>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
      <TreatWarningAsError>false</TreatWarningAsError>
    </ClCompile>
    <Link>
      <TreatLinkerWarningAsErrors>false</TreatLinkerWarningAsErrors>
    </Link>
  </ItemDefinitionGroup>
  <ItemGroup>
    <Inf Include="KernelHiddenExecute.inf" />
  </ItemGroup>
  <ItemGroup>
    <FilesToPackage Include="$(TargetPath)" />
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="HiddenCallApiTransfer.c" />
    <ClCompile Include="HiddenExecute.c" />
    <ClCompile Include="HiddenFunctions.c" />
    <ClCompile Include="main.c" />
    <ClCompile Include="PhysicalMemoryOperation.c" />
    <ClCompile Include="SectionOperation.c" />
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="DebugPrintEx.h" />
    <ClInclude Include="HiddenCallApiTransfer.h" />
    <ClInclude Include="HiddenExecute.h" />
    <ClInclude Include="HiddenFunctions.h" />
    <ClInclude Include="main.h" />
    <ClInclude Include="PhysicalMemoryOperation.h" />
    <ClInclude Include="SectionOperation.h" />
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Label="ExtensionTargets">
  </ImportGroup>
</Project>

================================================
FILE: KernelHiddenExecute/KernelHiddenExecute.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Filter Include="Source Files">
      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
    </Filter>
    <Filter Include="Header Files">
      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
    </Filter>
    <Filter Include="Resource Files">
      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
    </Filter>
    <Filter Include="Driver Files">
      <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
      <Extensions>inf;inv;inx;mof;mc;</Extensions>
    </Filter>
  </ItemGroup>
  <ItemGroup>
    <Inf Include="KernelHiddenExecute.inf">
      <Filter>Driver Files</Filter>
    </Inf>
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="main.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="PhysicalMemoryOperation.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="SectionOperation.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="HiddenExecute.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="HiddenCallApiTransfer.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="HiddenFunctions.c">
      <Filter>Source Files</Filter>
    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="main.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="DebugPrintEx.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="PhysicalMemoryOperation.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="SectionOperation.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="HiddenExecute.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="HiddenCallApiTransfer.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="HiddenFunctions.h">
      <Filter>Header Files</Filter>
    </ClInclude>
  </ItemGroup>
</Project>

================================================
FILE: KernelHiddenExecute/PhysicalMemoryOperation.c
================================================
#include "PhysicalMemoryOperation.h"


//////////////////////////////////////////////////////////////////////////
//global variables

BOOL	g_IsPhysicalOpInit = FALSE;
HANDLE	g_SectionHandle = NULL;


//////////////////////////////////////////////////////////////////////////
//functions

/*********************************************************
function:		OpenPhysicalMemory
				pMapPhysicalMemoryPre
				MapPhysicalMemory
				UnmapPhysicalMemory
description:	use map view of section to map physical address to virtual address
**********************************************************/
HANDLE OpenPhysicalMemory()
{
	UNICODE_STRING		physmemString;
	OBJECT_ATTRIBUTES	attributes;
	WCHAR				physmemName[] = L"\\device\\physicalmemory";
	NTSTATUS			status;
	HANDLE				physmem;
	RtlInitUnicodeString(&physmemString, physmemName);
	InitializeObjectAttributes(&attributes, &physmemString, OBJ_CASE_INSENSITIVE, NULL, NULL);
	status = ZwOpenSection(&physmem, SECTION_ALL_ACCESS, &attributes);
	if (!NT_SUCCESS(status))
	{
		return NULL;
	}
	return physmem;
}
BOOLEAN pMapPhysicalMemoryPre(HANDLE hMemory, PDWORD64 pDwAddress, PSIZE_T pSize, PDWORD64 pDwVirtualAddress)
{
	NTSTATUS ntStatus;

	LARGE_INTEGER viewBase;
	*pDwVirtualAddress = 0;
	viewBase.QuadPart = *pDwAddress;
	ntStatus = ZwMapViewOfSection(hMemory, (HANDLE)-1, (void**)pDwVirtualAddress, 0L, *pSize, &viewBase, pSize, ViewShare, 0, PAGE_READWRITE | PAGE_NOCACHE);
	if (!NT_SUCCESS(ntStatus))
		return FALSE;
	//*pDwAddress = viewBase.QuadPart;
	return TRUE;
}
PVOID MapPhysicalMemory(PVOID PA, SIZE_T Size)
{
	ULONGLONG DwAddress = (ULONG64)PA;
	ULONGLONG DwVirtualAddress = 0;
	BOOLEAN status = pMapPhysicalMemoryPre(g_SectionHandle, &DwAddress, &Size, &DwVirtualAddress);
	return (status == TRUE) ? (PVOID)DwVirtualAddress : NULL;
}
BOOLEAN UnmapPhysicalMemory(PVOID VA)
{
	//ZwUnmapViewOfSection returns an NTSTATUS, zero means success
	return NT_SUCCESS(ZwUnmapViewOfSection((HANDLE)-1, VA)) ? TRUE : FALSE;
}

/*********************************************************
function:		GetCR3Flag
description:	get cr3 flag, only save the flag bits
**********************************************************/
ULONG64 GetCR3Flag(ULONG64 CR3)
{
	return (CR3 & CR3_FLAG_ALL_BITS);
}

/*********************************************************
function:		ClearCR3Flag
description:	clear cr3 flag, only clear the flag bits
**********************************************************/
ULONG64 ClearCR3Flag(ULONG64 CR3)
{
	return (CR3 & ~CR3_FLAG_ALL_BITS);
}

/*********************************************************
function:		pPrintPhysicalOpStructure
description:	print the structure elements
**********************************************************/
VOID pPrintPhysicalOpStructure(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	MyPrint(_TitleAndFunc"[PrintStart]\n");

	MyPrint(_TitleAndFunc"pPhysicalOpCR3->pAllocVA_PML4T:%16IX\n", pPhysicalOpCR3->pAllocVA_PML4T);
	MyPrint(_TitleAndFunc"pPhysicalOpCR3->pAllocPA_PML4T:%16IX\n", pPhysicalOpCR3->pAllocPA_PML4T);

	MyPrint(_TitleAndFunc"pPhysicalOpCR3->pAllocVA_PDPT:%16IX\n", pPhysicalOpCR3->pAllocVA_PDPT);
	MyPrint(_TitleAndFunc"pPhysicalOpCR3->pAllocPA_PDPT:%16IX\n", pPhysicalOpCR3->pAllocPA_PDPT);

	MyPrint(_TitleAndFunc"pPhysicalOpCR3->pSystemPML4TMap:%16IX\n", pPhysicalOpCR3->pSystemPML4TMap);

	MyPrint(_TitleAndFunc"pPhysicalOpCR3->CR3Generated:%16IX\n", pPhysicalOpCR3->CR3Generated);

	MyPrint(_TitleAndFunc"[PrintEnd]\n");
}

/*********************************************************
function:		pFreePhysicalOpPageTableMemory
description:	to free the allocated memory (PML4T and PDPT page table) with null pointer check
**********************************************************/
NTSTATUS pFreePhysicalOpPageTableMemory(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	if (pPhysicalOpCR3->pAllocVA_PML4T != NULL)
	{
		MmFreeNonCachedMemory(pPhysicalOpCR3->pAllocVA_PML4T, PAGE_TABLE_SIZE);
		pPhysicalOpCR3->pAllocVA_PML4T = NULL;
		pPhysicalOpCR3->pAllocPA_PML4T = NULL;
	}

	if (pPhysicalOpCR3->pAllocVA_PDPT != NULL)
	{
		MmFreeNonCachedMemory(pPhysicalOpCR3->pAllocVA_PDPT, PAGE_TABLE_SIZE);
		pPhysicalOpCR3->pAllocVA_PDPT = NULL;
		pPhysicalOpCR3->pAllocPA_PDPT = NULL;
	}

	return STATUS_SUCCESS;
}


/*********************************************************
function:		pAllocPhysicalOpPageTableMemory
description:	to allocate memory (PML4T and PDPT page table)
				if the allocation procedure fails, it frees every page already allocated
calls:			MmAllocateNonCachedMemory
				MmGetPhysicalAddress
				pFreePhysicalOpPageTableMemory
**********************************************************/
NTSTATUS pAllocPhysicalOpPageTableMemory(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	//PML4T
	pPhysicalOpCR3->pAllocVA_PML4T = MmAllocateNonCachedMemory(PAGE_TABLE_SIZE);
	//check allocate state
	if (pPhysicalOpCR3->pAllocVA_PML4T == NULL)
		goto Lable_Error;
	pPhysicalOpCR3->pAllocPA_PML4T = (PVOID)MmGetPhysicalAddress(pPhysicalOpCR3->pAllocVA_PML4T).QuadPart;


	//PDPT
	pPhysicalOpCR3->pAllocVA_PDPT = MmAllocateNonCachedMemory(PAGE_TABLE_SIZE);
	//check allocate state
	if (pPhysicalOpCR3->pAllocVA_PDPT == NULL)
		goto Lable_Error;
	pPhysicalOpCR3->pAllocPA_PDPT = (PVOID)MmGetPhysicalAddress(pPhysicalOpCR3->pAllocVA_PDPT).QuadPart;


	return STATUS_SUCCESS;
Lable_Error:
	//free allocated memory
	pFreePhysicalOpPageTableMemory(pPhysicalOpCR3);
	return STATUS_UNSUCCESSFUL;
}

/*********************************************************
function:		pMapSystemPML4T
description:	map the system cr3 (pml4t) to a virtual address
calls:			ClearCR3Flag
				OpenPhysicalMemory
				MapPhysicalMemory
**********************************************************/
NTSTATUS pMapSystemPML4T(ULONG64 SystemCR3, PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	ULONG64 SystemCR3NonFlag = ClearCR3Flag(SystemCR3);
	PVOID	pSystemPML4T = (PVOID)SystemCR3NonFlag;

	if (g_SectionHandle == NULL)
		g_SectionHandle = OpenPhysicalMemory();

	pPhysicalOpCR3->pSystemPML4TMap = MapPhysicalMemory(pSystemPML4T, PAGE_TABLE_SIZE);

	return pPhysicalOpCR3->pSystemPML4TMap == NULL ? STATUS_UNSUCCESSFUL : STATUS_SUCCESS;
}

/*********************************************************
function:		pUnmapSystemPML4T
description:	unmap the system cr3 (pml4t) and close the physical memory section handle
calls:			OpenPhysicalMemory
				UnmapPhysicalMemory
**********************************************************/
NTSTATUS pUnmapSystemPML4T(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	if (g_SectionHandle == NULL)
		g_SectionHandle = OpenPhysicalMemory();

	BOOL	State = UnmapPhysicalMemory(pPhysicalOpCR3->pSystemPML4TMap);
	if (State)
		pPhysicalOpCR3->pSystemPML4TMap = NULL;

	if (g_SectionHandle != NULL)
	{
		ZwClose(g_SectionHandle);
		//reset the global, otherwise the next pMapSystemPML4T would reuse a closed handle
		g_SectionHandle = NULL;
	}

	return !State ? STATUS_UNSUCCESSFUL : STATUS_SUCCESS;
}

/*********************************************************
function:		pFillGeneratedPML4TandPDPT
description:	fill the pml4t table: generate the first entry (index 0) and copy the system space map
				fill the pdpt table so that every PDPTE points to a 1G-byte physical page
				(512G in total, identity mapped: VA 0..512G -> PA 0..512G)
calls:			RtlCopyMemory
**********************************************************/
NTSTATUS pFillGeneratedPML4TandPDPT(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	//copy the system space map (PML4T entries from the system start index up to 511)
	PVOID		pSystemStart = (PVOID)VA_SYSTEM_START;
	ULONG64		SystemPML4TStart = ((PMMVA)&pSystemStart)->PML4T;

	MyPrint(_TitleAndFunc"SystemPML4TStart:%16IX\n", SystemPML4TStart);
	RtlCopyMemory((PVOID)((ULONG64)pPhysicalOpCR3->pAllocVA_PML4T + SystemPML4TStart * ENTRY_SIZE),
		(PVOID)((ULONG64)pPhysicalOpCR3->pSystemPML4TMap + SystemPML4TStart * ENTRY_SIZE),
		(MAX_ENTRY_COUNT - SystemPML4TStart) * ENTRY_SIZE
	);

	//make the first entry point to my PDPT table
	*(PULONG64)pPhysicalOpCR3->pAllocVA_PML4T = (ULONG64)pPhysicalOpCR3->pAllocPA_PDPT | PAGE_TABLE_PML4T_FLAG;

	//fill the PDPT page table
	//start from the flags (present, writable, 1G page)
	ULONG64 CurrentPDPTEntry = PAGE_TABLE_PDPT_FLAG;
	for (int i = 0; i < MAX_ENTRY_COUNT; i++)
	{
		//set the pfn: entry i maps the i-th 1G physical page
		((PMMPDPTE)&CurrentPDPTEntry)->PageFrameNumber = i;
		//write the entry
		*(PULONG64)((ULONG64)pPhysicalOpCR3->pAllocVA_PDPT + i * ENTRY_SIZE) = CurrentPDPTEntry;
	}
	return STATUS_SUCCESS;
}

/*********************************************************
function:		CreatePhysicalOpCR3BySystemCR3
description:	to initialize the physical memory operation structure
				every failure path releases what the earlier steps acquired
calls:			pAllocPhysicalOpPageTableMemory
				pMapSystemPML4T
				pFillGeneratedPML4TandPDPT
				pUnmapSystemPML4T
				pFreePhysicalOpPageTableMemory
				GetCR3Flag
**********************************************************/
NTSTATUS CreatePhysicalOpCR3BySystemCR3(ULONG64 SystemCR3, PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	//check the init state
	if (g_IsPhysicalOpInit)
		return STATUS_UNSUCCESSFUL;


	//allocate page table memory and fill the structure
	if (!NT_SUCCESS(pAllocPhysicalOpPageTableMemory(pPhysicalOpCR3)))
		return STATUS_UNSUCCESSFUL;

	//map pSystemPML4T to virtual address and fill the structure
	if (!NT_SUCCESS(pMapSystemPML4T(SystemCR3, pPhysicalOpCR3)))
	{
		//release the page tables allocated above, otherwise they leak on every failed init
		pFreePhysicalOpPageTableMemory(pPhysicalOpCR3);
		return STATUS_UNSUCCESSFUL;
	}

	//fill PML4T and PDPT page table
	if (!NT_SUCCESS(pFillGeneratedPML4TandPDPT(pPhysicalOpCR3)))
	{
		pUnmapSystemPML4T(pPhysicalOpCR3);
		pFreePhysicalOpPageTableMemory(pPhysicalOpCR3);
		return STATUS_UNSUCCESSFUL;
	}

	//generate new cr3 for reading the physical memory and add cr3 flag
	ULONG64	SystemCR3Flag = GetCR3Flag(SystemCR3);
	pPhysicalOpCR3->CR3Generated = (ULONG64)pPhysicalOpCR3->pAllocPA_PML4T | SystemCR3Flag;

	//fill the structure part:CR3System
	pPhysicalOpCR3->CR3System = SystemCR3;

	//print structure
	pPrintPhysicalOpStructure(pPhysicalOpCR3);

	g_IsPhysicalOpInit = TRUE;
	return STATUS_SUCCESS;
}


/*********************************************************
function:		FreePhysicalOpCR3
description:	to uninitialize the physical memory operation structure
calls:			pUnmapSystemPML4T
				pFreePhysicalOpPageTableMemory
				RtlZeroMemory
**********************************************************/
NTSTATUS FreePhysicalOpCR3(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	//check the init state
	if (!g_IsPhysicalOpInit)
		return STATUS_UNSUCCESSFUL;

	//unmap pSystemPML4T
	pUnmapSystemPML4T(pPhysicalOpCR3);

	//free allocated memory
	pFreePhysicalOpPageTableMemory(pPhysicalOpCR3);

	//clear generated cr3 and recorded system cr3
	pPhysicalOpCR3->CR3Generated = 0;
	pPhysicalOpCR3->CR3System = 0;

	//print structure
	pPrintPhysicalOpStructure(pPhysicalOpCR3);

	// set the structure to zero,avoid some bugs
	RtlZeroMemory((PVOID)pPhysicalOpCR3, sizeof(PHYSICAL_OP_CR3));


	g_IsPhysicalOpInit = FALSE;
	return STATUS_SUCCESS;
}

/*********************************************************
function:		ContextVirtualToPhysical
description:	raise irql and switch to generated cr3
**********************************************************/
NTSTATUS ContextVirtualToPhysical(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	//check the initialize state and current context
	if (!g_IsPhysicalOpInit || pPhysicalOpCR3->IsContextSwitched)
		return STATUS_UNSUCCESSFUL;

	//assert irql >= dispatch level
	pPhysicalOpCR3->OriginalIrql = KeGetCurrentIrql();
	if (pPhysicalOpCR3->OriginalIrql < DISPATCH_LEVEL)
	{
		pPhysicalOpCR3->IsIrqlChanged = TRUE;
		KeRaiseIrqlToDpcLevel();
	}


	//disable task switch interrupt(maskable)
	_disable();


	//record and switch cr3
	pPhysicalOpCR3->CR3BeforeSwitch = __readcr3();
	__writecr3(pPhysicalOpCR3->CR3Generated);

	//change the flag IsContextSwitched
	pPhysicalOpCR3->IsContextSwitched = TRUE;
	return STATUS_SUCCESS;
}

/*********************************************************
function:		ContextPhysicalToVirtual
description:	lower irql and switch to system cr3
**********************************************************/
NTSTATUS ContextPhysicalToVirtual(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
{
	//check the initialize state and current context
	if (!g_IsPhysicalOpInit || !pPhysicalOpCR3->IsContextSwitched)
		return STATUS_UNSUCCESSFUL;

	//restore cr3
	__writecr3(pPhysicalOpCR3->CR3BeforeSwitch);

	//enable task switch interrupt(maskable)
	_enable();

	//restore irql
	if (pPhysicalOpCR3->IsIrqlChanged)
	{
		KeLowerIrql(pPhysicalOpCR3->OriginalIrql);

		//restore the flag IsIrqlChanged
		pPhysicalOpCR3->IsIrqlChanged = FALSE;
	}

	//change the flag IsContextSwitched
	pPhysicalOpCR3->IsContextSwitched = FALSE;
	return STATUS_SUCCESS;
}


/*********************************************************
function:		GetCR3ByEprocess
description:	get cr3 by eprocess
				reads KPROCESS.DirectoryTableBase, which sits at offset 0x28 on x64 builds;
				the offset is hardcoded, so check it against the symbols of the target build
**********************************************************/
ULONG64 GetCR3ByEprocess(PEPROCESS pEProc)
{
	if (pEProc == NULL)
		return 0;

	//get dirbase
	ULONG64	DirBase = *(PULONG64)((ULONG64)pEProc + 0x028);
	return DirBase;
}

/*********************************************************
function:		GetEProcess
description:	get eprocess by pid
				the reference taken by PsLookupProcessByProcessId is released before returning,
				so the returned pointer is only valid while the process is known to stay alive
**********************************************************/
PEPROCESS GetEProcess(ULONG64 PID)
{
	PEPROCESS		pEProc = NULL;

	//check pid
	if (PID == 0)
		return NULL;

	//get eprocess
	if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)PID, &pEProc)))
		return NULL;

	//dereference
	if (pEProc != NULL)
		ObDereferenceObject((PVOID)pEProc);

	return pEProc;
}

/*********************************************************
function:		GetCR3ByPID
description:	get cr3 by pid
calls:			GetEProcess
				GetCR3ByEprocess
**********************************************************/
ULONG64 GetCR3ByPID(ULONG64 PID)
{
	return GetCR3ByEprocess(GetEProcess(PID));
}

================================================
FILE: KernelHiddenExecute/PhysicalMemoryOperation.h
================================================
#pragma once

#include <ntddk.h>
//#include <ntifs.h>
#include <windef.h>
#include <intrin.h>

#include "DebugPrintEx.h"


//////////////////////////////////////////////////////////////////////////
//constants and macros

#define	PAGE_TABLE_SIZE			0x1000
#define	CR3_FLAG_ALL_BITS		0xFFF0000000000FFF	//bits 63:52 and 11:0 of CR3 are flags/reserved, not the PML4T address
#define	PAGE_TABLE_PML4T_FLAG	0x867	//1000 0110 0111: present, writable, user, accessed, dirty, software bit 11
#define	PAGE_TABLE_PDPT_FLAG	0x9E7	//1001 1110 0111: as above plus 1G page (bit 7) and global (bit 8)
#define VA_SYSTEM_START			0xFFFF800000000000 //x64: first canonical kernel-space address (PML4T index 256)
#define MAX_ENTRY_COUNT			512
#define ENTRY_SIZE				sizeof(ULONG64)


//////////////////////////////////////////////////////////////////////////
//types

typedef struct _PHYSICAL_OP_CR3
{
	PVOID	pAllocVA_PML4T;
	PVOID	pAllocPA_PML4T;

	PVOID	pAllocVA_PDPT;
	PVOID	pAllocPA_PDPT;

	PVOID	pSystemPML4TMap;

	ULONG64	CR3Generated;
	ULONG64 CR3System;

	ULONG64 CR3BeforeSwitch;
	BOOL	IsContextSwitched;
	BOOL	IsIrqlChanged;
	KIRQL	OriginalIrql;//available if the IsIrqlChanged is true
}PHYSICAL_OP_CR3, * PPHYSICAL_OP_CR3;

typedef struct _MMPDPTE
{
	struct /* bitfield */
	{
		/* 0x0000 */ unsigned __int64 Valid : 1; /* bit position: 0 */
		/* 0x0000 */ unsigned __int64 Dirty1 : 1; /* bit position: 1 */
		/* 0x0000 */ unsigned __int64 Owner : 1; /* bit position: 2 */
		/* 0x0000 */ unsigned __int64 WriteThrough : 1; /* bit position: 3 */
		/* 0x0000 */ unsigned __int64 CacheDisable : 1; /* bit position: 4 */
		/* 0x0000 */ unsigned __int64 Accessed : 1; /* bit position: 5 */
		/* 0x0000 */ unsigned __int64 Dirty : 1; /* bit position: 6 */
		/* 0x0000 */ unsigned __int64 LargePage : 1; /* bit position: 7 */
		/* 0x0000 */ unsigned __int64 Global : 1; /* bit position: 8 */
		/* 0x0000 */ unsigned __int64 CopyOnWrite : 1; /* bit position: 9 */
		/* 0x0000 */ unsigned __int64 Unused : 1; /* bit position: 10 */
		/* 0x0000 */ unsigned __int64 Write : 1; /* bit position: 11 */
		/* 0x0000 */ unsigned __int64 reserved0 : 18; /* bit position: 12 */
		/* 0x0000 */ unsigned __int64 PageFrameNumber : 18; /* bit position: 30 */
		/* 0x0000 */ unsigned __int64 reserved1 : 4; /* bit position: 48 */
		/* 0x0000 */ unsigned __int64 SoftwareWsIndex : 11; /* bit position: 52 */
		/* 0x0000 */ unsigned __int64 NoExecute : 1; /* bit position: 63 */
	}; /* bitfield */
} MMPDPTE, * PMMPDPTE; /* size: 0x0008 */

typedef struct _MMPDE
{
	struct /* bitfield */
	{
		/* 0x0000 */ unsigned __int64 Valid : 1; /* bit position: 0 */
		/* 0x0000 */ unsigned __int64 Dirty1 : 1; /* bit position: 1 */
		/* 0x0000 */ unsigned __int64 Owner : 1; /* bit position: 2 */
		/* 0x0000 */ unsigned __int64 WriteThrough : 1; /* bit position: 3 */
		/* 0x0000 */ unsigned __int64 CacheDisable : 1; /* bit position: 4 */
		/* 0x0000 */ unsigned __int64 Accessed : 1; /* bit position: 5 */
		/* 0x0000 */ unsigned __int64 Dirty : 1; /* bit position: 6 */
		/* 0x0000 */ unsigned __int64 LargePage : 1; /* bit position: 7 */
		/* 0x0000 */ unsigned __int64 Global : 1; /* bit position: 8 */
		/* 0x0000 */ unsigned __int64 CopyOnWrite : 1; /* bit position: 9 */
		/* 0x0000 */ unsigned __int64 Unused : 1; /* bit position: 10 */
		/* 0x0000 */ unsigned __int64 Write : 1; /* bit position: 11 */
		/* 0x0000 */ unsigned __int64 reserved0 : 9; /* bit position: 12 */
		/* 0x0000 */ unsigned __int64 PageFrameNumber : 27; /* bit position: 21 */
		/* 0x0000 */ unsigned __int64 reserved1 : 4; /* bit position: 48 */
		/* 0x0000 */ unsigned __int64 SoftwareWsIndex : 11; /* bit position: 52 */
		/* 0x0000 */ unsigned __int64 NoExecute : 1; /* bit position: 63 */
	}; /* bitfield */
} MMPDE, * PMMPDE; /* size: 0x0008 */

typedef struct _MMVA
{
	struct /* bitfield */
	{
		/* 0x0000 */ unsigned __int64 Offset : 12;
		/* 0x0000 */ unsigned __int64 PT : 9;
		/* 0x0000 */ unsigned __int64 PDT : 9;
		/* 0x0000 */ unsigned __int64 PDPT : 9;
		/* 0x0000 */ unsigned __int64 PML4T : 9;
		/* 0x0000 */ unsigned __int64 Partition : 16; //User:0x0000 System:0xFFFF
	}; /* bitfield */
} MMVA, * PMMVA; /* size: 0x0008 */

typedef struct _MMVA_PDPTE_LARGE
{
	struct /* bitfield */
	{
		/* 0x0000 */ unsigned __int64 Offset : 30;
		/* 0x0000 */ unsigned __int64 PDPT : 9;
		/* 0x0000 */ unsigned __int64 PML4T : 9;
		/* 0x0000 */ unsigned __int64 Partition : 16; //User:0x0000 System:0xFFFF
	}; /* bitfield */
} MMVA_PDPTE_LARGE, * PMMVA_PDPTE_LARGE; /* size: 0x0008 */

typedef struct _MMVA_PDE_LARGE
{
	struct /* bitfield */
	{
		/* 0x0000 */ unsigned __int64 Offset : 21;
		/* 0x0000 */ unsigned __int64 PDT : 9;
		/* 0x0000 */ unsigned __int64 PDPT : 9;
		/* 0x0000 */ unsigned __int64 PML4T : 9;
		/* 0x0000 */ unsigned __int64 Partition : 16; //User:0x0000 System:0xFFFF
	}; /* bitfield */
} MMVA_PDE_LARGE, * PMMVA_PDE_LARGE; /* size: 0x0008 */


//////////////////////////////////////////////////////////////////////////
//prototypes

//windows API
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
	_In_ HANDLE ProcessId,
	_Outptr_ PEPROCESS* Process
);

//operate physical memory via system API
HANDLE OpenPhysicalMemory();
BOOLEAN pMapPhysicalMemoryPre(HANDLE hMemory, PDWORD64 pDwAddress, PSIZE_T pSize, PDWORD64 pDwVirtualAddress);
PVOID MapPhysicalMemory(PVOID PA, SIZE_T Size);
BOOLEAN UnmapPhysicalMemory(PVOID VA);

//get specific info from CR3 value
ULONG64 GetCR3Flag(ULONG64 CR3);
ULONG64 ClearCR3Flag(ULONG64 CR3);

//get specific info from opaque eprocess struct
ULONG64 GetCR3ByEprocess(PEPROCESS pEProc);
PEPROCESS GetEProcess(ULONG64 PID);
ULONG64 GetCR3ByPID(ULONG64 PID);

//private functions
VOID pPrintPhysicalOpStructure(PPHYSICAL_OP_CR3 pPhysicalOpCR3);
NTSTATUS pFreePhysicalOpPageTableMemory(PPHYSICAL_OP_CR3 pPhysicalOpCR3);
NTSTATUS pAllocPhysicalOpPageTableMemory(PPHYSICAL_OP_CR3 pPhysicalOpCR3);
NTSTATUS pMapSystemPML4T(ULONG64 SystemCR3, PPHYSICAL_OP_CR3 pPhysicalOpCR3);
NTSTATUS pUnmapSystemPML4T(PPHYSICAL_OP_CR3 pPhysicalOpCR3);
NTSTATUS pFillGeneratedPML4TandPDPT(PPHYSICAL_OP_CR3 pPhysicalOpCR3);

//public functions
NTSTATUS CreatePhysicalOpCR3BySystemCR3(ULONG64 SystemCR3, PPHYSICAL_OP_CR3 pPhysicalOpCR3);
NTSTATUS FreePhysicalOpCR3(PPHYSICAL_OP_CR3 pPhysicalOpCR3);
NTSTATUS ContextVirtualToPhysical(PPHYSICAL_OP_CR3 pPhysicalOpCR3);
NTSTATUS ContextPhysicalToVirtual(PPHYSICAL_OP_CR3 pPhysicalOpCR3);


================================================
FILE: KernelHiddenExecute/SectionOperation.c
================================================
#include "SectionOperation.h"


//////////////////////////////////////////////////////////////////////////
//functions

PIMAGE_SECTION_HEADER GetSegmentHeadPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	PLDR_DATA_TABLE_ENTRY64		entry = (PLDR_DATA_TABLE_ENTRY64)pDriverObj->DriverSection;
	PUCHAR						pJumpDrvBase = (PUCHAR)entry->DllBase;
	PIMAGE_DOS_HEADER			pDosHead;
	PIMAGE_NT_HEADERS			pNtHead;
	PIMAGE_SECTION_HEADER		pSecHead;
	BOOL						bFound = FALSE;

	pDosHead = (PIMAGE_DOS_HEADER)pJumpDrvBase;
	if (pDosHead->e_magic != IMAGE_DOS_SIGNATURE)
	{
		MyPrint(("[" PRINT_NAME "] DosHead Error\n"));
		return NULL;
	}
	pNtHead = (PIMAGE_NT_HEADERS)((LONG_PTR)pDosHead + pDosHead->e_lfanew);
	if (pNtHead->Signature != IMAGE_NT_SIGNATURE)
	{
		MyPrint(("[" PRINT_NAME "] NtHead Error\n"));
		return NULL;
	}
	pSecHead = IMAGE_FIRST_SECTION(pNtHead);
	for (int i = 0; i < pNtHead->FileHeader.NumberOfSections; i++)
	{
		//section names are 8 bytes and not NUL terminated when all 8 are used,
		//so compare with a bounded length instead of strcmp
		if (strncmp((const char*)(pSecHead->Name), pSegName, IMAGE_SIZEOF_SHORT_NAME) == 0)
		{
			bFound = TRUE;
			break;
		}
		pSecHead++;
	}
	if (bFound == FALSE)
	{
		MyPrint(("[" PRINT_NAME "] SecHead Error\n"));
		return NULL;
	}

	return pSecHead;
}

ULONG64 GetDriverBaseAddress(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	PLDR_DATA_TABLE_ENTRY64		entry = (PLDR_DATA_TABLE_ENTRY64)pDriverObj->DriverSection;
	PUCHAR						pJumpDrvBase = (PUCHAR)entry->DllBase;
	UNREFERENCED_PARAMETER(pSegName);
	return (ULONG64)pJumpDrvBase;
}

//the four *Pointer functions return the address of a field inside the section header,
//or 0 when the section was not found (not the offset of that field inside a NULL header)
ULONG64 GetSegmentAddressPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	PIMAGE_SECTION_HEADER pSecHead = GetSegmentHeadPointer(pDriverObj, pSegName);
	return pSecHead == NULL ? 0 : (ULONG64)&(pSecHead->VirtualAddress);
}

ULONG64 GetSegmentLengthPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	PIMAGE_SECTION_HEADER pSecHead = GetSegmentHeadPointer(pDriverObj, pSegName);
	return pSecHead == NULL ? 0 : (ULONG64)&(pSecHead->Misc.VirtualSize);
}

ULONG64 GetSegmentRawDataAddressPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	PIMAGE_SECTION_HEADER pSecHead = GetSegmentHeadPointer(pDriverObj, pSegName);
	return pSecHead == NULL ? 0 : (ULONG64)&(pSecHead->PointerToRawData);
}

ULONG64 GetSegmentRawDataLengthPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	PIMAGE_SECTION_HEADER pSecHead = GetSegmentHeadPointer(pDriverObj, pSegName);
	return pSecHead == NULL ? 0 : (ULONG64)&(pSecHead->SizeOfRawData);
}

//the functions below return 0 when the section was not found
ULONG64 GetSegmentStartAddress(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	ULONG64 pDriverBase = GetDriverBaseAddress(pDriverObj, pSegName);
	ULONG64 pSegmentAddress = GetSegmentAddressPointer(pDriverObj, pSegName);
	if (pSegmentAddress == 0)
		return 0;
	return pDriverBase + *(PULONG32)pSegmentAddress;
}

ULONG64 GetSegmentEndAddress(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	ULONG64 pDriverBase = GetDriverBaseAddress(pDriverObj, pSegName);
	ULONG64 pSegmentAddress = GetSegmentAddressPointer(pDriverObj, pSegName);
	ULONG64 pSegmentLength = GetSegmentLengthPointer(pDriverObj, pSegName);
	if (pSegmentAddress == 0 || pSegmentLength == 0)
		return 0;
	return pDriverBase + *(PULONG32)pSegmentAddress + *(PULONG32)pSegmentLength;
}

ULONG64 GetSegmentLength(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
{
	ULONG64 pSegmentLength = GetSegmentLengthPointer(pDriverObj, pSegName);
	if (pSegmentLength == 0)
		return 0;
	return *(PULONG32)pSegmentLength;
}

================================================
FILE: KernelHiddenExecute/SectionOperation.h
================================================
#pragma once

#include <ntddk.h>
#include <ntimage.h>
#include <windef.h>

#include "DebugPrintEx.h"

//////////////////////////////////////////////////////////////////////////
//types

typedef struct _LDR_DATA_TABLE_ENTRY64
{
	LIST_ENTRY64	InLoadOrderLinks;
	LIST_ENTRY64	InMemoryOrderLinks;
	LIST_ENTRY64	InInitializationOrderLinks;
	PVOID			DllBase;
	PVOID			EntryPoint;
	ULONG			SizeOfImage;
	UNICODE_STRING	FullDllName;
	UNICODE_STRING	BaseDllName;
	ULONG			Flags;
	USHORT			LoadCount;
	USHORT			TlsIndex;
	PVOID			SectionPointer;
	ULONG			CheckSum;
	PVOID			LoadedImports;
	PVOID			EntryPointActivationContext;
	PVOID			PatchInformation;
	LIST_ENTRY64	ForwarderLinks;
	LIST_ENTRY64	ServiceTagLinks;
	LIST_ENTRY64	StaticLinks;
	PVOID			ContextInformation;
	ULONG64			OriginalBase;
	LARGE_INTEGER	LoadTime;
} LDR_DATA_TABLE_ENTRY64, * PLDR_DATA_TABLE_ENTRY64;


//////////////////////////////////////////////////////////////////////////
//prototypes

PIMAGE_SECTION_HEADER GetSegmentHeadPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName);
ULONG64 GetDriverBaseAddress(PDRIVER_OBJECT pDriverObj, PCHAR pSegName);
ULONG64 GetSegmentAddressPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName);
ULONG64 GetSegmentLengthPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName);
ULONG64 GetSegmentRawDataAddressPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName);
ULONG64 GetSegmentRawDataLengthPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName);
ULONG64 GetSegmentStartAddress(PDRIVER_OBJECT pDriverObj, PCHAR pSegName);
ULONG64 GetSegmentEndAddress(PDRIVER_OBJECT pDriverObj, PCHAR pSegName);
ULONG64 GetSegmentLength(PDRIVER_OBJECT pDriverObj, PCHAR pSegName);

================================================
FILE: KernelHiddenExecute/main.c
================================================
#include "main.h"


//////////////////////////////////////////////////////////////////////////
//global variables

PHIDDEN_PAGE_RECORD g_pHiddenPageRecord = NULL;


//////////////////////////////////////////////////////////////////////////
//functions

NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
	pIrp->IoStatus.Status = STATUS_SUCCESS;
	pIrp->IoStatus.Information = 0;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}

NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
	pIrp->IoStatus.Status = STATUS_SUCCESS;
	pIrp->IoStatus.Information = 0;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}

NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
	NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
	PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
	ULONG uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
	PVOID pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
	ULONG uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
	ULONG uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
	ULONG uInfo = 0;	//bytes actually written to the output buffer
	size_t len;

	UNREFERENCED_PARAMETER(pDevObj);
	UNREFERENCED_PARAMETER(uInSize);

	//METHOD_BUFFERED: SystemBuffer holds max(uInSize, uOutSize) bytes and is NULL when both are 0,
	//so every case has to stay inside uOutSize and must not trust the caller's buffer contents
	if (pIoBuffer == NULL)
	{
		status = STATUS_INVALID_PARAMETER;
		goto Complete;
	}
	switch (uIoControlCode)
	{
	case IOCTL_SAFE_READ:
	{
		ContextOriginalToHidden(g_pHiddenPageRecord);
		//HiddenData is only readable inside the hidden context, so measure and copy it there
		len = strlen(HiddenData) + 1;
		if (len > uOutSize)
			status = STATUS_BUFFER_TOO_SMALL;
		else
		{
			RtlCopyMemory(pIoBuffer, HiddenData, len);
			uInfo = (ULONG)len;
			status = STATUS_SUCCESS;
		}
		ContextHiddenToOriginal(g_pHiddenPageRecord);
		break;
	}
	case IOCTL_UNSAFE_READ:
	{
		len = strlen(UnsafeData) + 1;
		if (len > uOutSize)
		{
			status = STATUS_BUFFER_TOO_SMALL;
			break;
		}
		RtlCopyMemory(pIoBuffer, UnsafeData, len);
		uInfo = (ULONG)len;
		status = STATUS_SUCCESS;
		break;
	}
	case IOCTL_SAFE_EXEC:
	{
		if (uOutSize < sizeof(BOOL))
		{
			status = STATUS_BUFFER_TOO_SMALL;
			break;
		}
		ContextOriginalToHidden(g_pHiddenPageRecord);
		BOOL result = HiddenFunction(pIoBuffer);
		ContextHiddenToOriginal(g_pHiddenPageRecord);
		*(PBOOL)pIoBuffer = result;
		uInfo = sizeof(BOOL);
		status = STATUS_SUCCESS;
		break;
	}
	case IOCTL_UNSAFE_EXEC:
	{
		if (uOutSize < sizeof(BOOL))
		{
			status = STATUS_BUFFER_TOO_SMALL;
			break;
		}
		BOOL result = UnsafeFunction(pIoBuffer);
		*(PBOOL)pIoBuffer = result;
		uInfo = sizeof(BOOL);
		status = STATUS_SUCCESS;
		break;
	}
	}

Complete:
	//report only the bytes written, not the whole output length: the rest of the
	//buffer was never filled by the driver and would be copied back to user mode as-is
	pIrp->IoStatus.Information = NT_SUCCESS(status) ? uInfo : 0;
	pIrp->IoStatus.Status = status;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return status;
}

VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
	UNICODE_STRING strLink;
	//do sth...
	MyPrint(_TitleAndFunc"Exit\n");

	RemoveAndRestoreAllHiddenPageRecord(g_pHiddenPageRecord);
	FreeHiddenPageRecordStructure(g_pHiddenPageRecord);

	//delete device and symbolic link
	RtlInitUnicodeString(&strLink, LINK_NAME);
	IoDeleteSymbolicLink(&strLink);
	IoDeleteDevice(pDriverObj->DeviceObject);
}
//VOID WriteEnable()
//{
//	UINT64 cr0 = __readcr0();
//	cr0 &= 0xfffffffffffeffff;
//	__writecr0(cr0);
//	_disable();
//}
//VOID WriteDisable()
//{
//	UINT64 cr0 = __readcr0();
//	cr0 |= 0x10000;
//	_enable();
//	__writecr0(cr0);
//}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
	NTSTATUS status = STATUS_SUCCESS;
	PDEVICE_OBJECT pDevObj = NULL;
	UNICODE_STRING ustrDeviceName;
	UNICODE_STRING ustrLinkName;
	//set dispatch functions
	pDriverObj->DriverUnload = DriverUnload;
	pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
	pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
	pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
	//create device
	RtlInitUnicodeString(&ustrDeviceName, DEVICE_NAME);
	status = IoCreateDevice(pDriverObj, 0, &ustrDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDevObj);
	if (!NT_SUCCESS(status))
	{
		return status;
	}
	//create symbolic link
	RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
	status = IoCreateSymbolicLink(&ustrLinkName, &ustrDeviceName);
	if (!NT_SUCCESS(status))
	{
		IoDeleteDevice(pDevObj);
		return status;
	}
	//do sth...
	MyPrint(_TitleAndFunc "Entry\n");

	InitializeHiddenPageRecordStructure(&g_pHiddenPageRecord);
	AddHiddenSection(GetCR3ByPID(4), pDriverObj, SECTION_NAME_HIDDEN_INSTRUCTIONS, g_pHiddenPageRecord);
	AddHiddenSection(GetCR3ByPID(4), pDriverObj, SECTION_NAME_HIDDEN_DATA, g_pHiddenPageRecord);

	//WriteEnable();
	//RtlZeroMemory((PVOID)HiddenFunctionA, 10);
	//WriteDisable();

	//ContextOriginalToHidden(g_pHiddenPageRecord);

	//HiddenFunctionA(g_pHiddenPageRecord);

	//ContextHiddenToOriginal(g_pHiddenPageRecord);

	return status;
}

================================================
FILE: KernelHiddenExecute/main.h
================================================
#pragma once

#include <ntifs.h>
#include <ntddk.h>
#include <stdlib.h>
#include <windef.h>
#include <ntimage.h>
#include <intrin.h>

#include "DebugPrintEx.h"
#include "HiddenExecute.h"
#include "HiddenCallApiTransfer.h"
#include "HiddenFunctions.h"


//////////////////////////////////////////////////////////////////////////
//constants and macros

#define	DEVICE_NAME	L"\\Device\\KernelHiddenExecute"
#define LINK_NAME	L"\\DosDevices\\Global\\KernelHiddenExecute"

#define IOCTL_SAFE_READ	CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_SAFE_EXEC	CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_UNSAFE_READ	CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_UNSAFE_EXEC	CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_BUFFERED, FILE_ANY_ACCESS)


//////////////////////////////////////////////////////////////////////////
//prototypes

//modify WD bit in the CR0
//VOID WriteEnable();
//VOID WriteDisable();

//dispatch functions
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp);
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp);
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp);
VOID DriverUnload(PDRIVER_OBJECT pDriverObj);

//driver entry
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString);


//////////////////////////////////////////////////////////////////////////
//global variables

extern char HiddenData[4096];
extern char UnsafeData[4096];



================================================
FILE: KernelHiddenExecute.sln
================================================

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30907.101
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KernelHiddenExecute", "KernelHiddenExecute\KernelHiddenExecute.vcxproj", "{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ControlPanel", "ControlPanel\ControlPanel.vcxproj", "{2C7AEAC4-25F4-4C9D-842D-5C001D2BBA71}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Malware", "Malware\Malware.vcxproj", "{AEA72597-54BB-4720-916D-17F4B53F615D}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|ARM = Debug|ARM
		Debug|ARM64 = Debug|ARM64
		Debug|x64 = Debug|x64
		Debug|x86 = Debug|x86
		Release|ARM = Release|ARM
		Release|ARM64 = Release|ARM64
		Release|x64 = Release|x64
		Release|x86 = Release|x86
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Debug|ARM.ActiveCfg = Debug|ARM
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Debug|ARM.Build.0 = Debug|ARM
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Debug|ARM.Deploy.0 = Debug|ARM
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Debug|ARM64.ActiveCfg = Debug|ARM64
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Debug|ARM64.Build.0 = Debug|ARM64
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Debug|ARM64.Deploy.0 = Debug|ARM64
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Debug|x64.ActiveCfg = Debug|x64
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Debug|x64.Build.0 = Debug|x64
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Debug|x64.Deploy.0 = Debug|x64
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Debug|x86.ActiveCfg = Debug|Win32
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Debug|x86.Build.0 = Debug|Win32
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Debug|x86.Deploy.0 = Debug|Win32
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Release|ARM.ActiveCfg = Release|ARM
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Release|ARM.Build.0 = Release|ARM
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Release|ARM.Deploy.0 = Release|ARM
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Release|ARM64.ActiveCfg = Release|ARM64
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Release|ARM64.Build.0 = Release|ARM64
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Release|ARM64.Deploy.0 = Release|ARM64
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Release|x64.ActiveCfg = Release|x64
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Release|x64.Build.0 = Release|x64
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Release|x64.Deploy.0 = Release|x64
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Release|x86.ActiveCfg = Release|Win32
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Release|x86.Build.0 = Release|Win32
		{C9710F06-7BBB-4B03-9736-F7CA8D0B1759}.Release|x86.Deploy.0 = Release|Win32
		{2C7AEAC4-25F4-4C9D-842D-5C001D2BBA71}.Debug|ARM.ActiveCfg = Debug|Win32
		{2C7AEAC4-25F4-4C9D-842D-5C001D2BBA71}.Debug|ARM64.ActiveCfg = Debug|Win32
		{2C7AEAC4-25F4-4C9D-842D-5C001D2BBA71}.Debug|x64.ActiveCfg = Debug|Win32
		{2C7AEAC4-25F4-4C9D-842D-5C001D2BBA71}.Debug|x86.ActiveCfg = Debug|Win32
		{2C7AEAC4-25F4-4C9D-842D-5C001D2BBA71}.Debug|x86.Build.0 = Debug|Win32
		{2C7AEAC4-25F4-4C9D-842D-5C001D2BBA71}.Release|ARM.ActiveCfg = Release|Win32
		{2C7AEAC4-25F4-4C9D-842D-5C001D2BBA71}.Release|ARM64.ActiveCfg = Release|Win32
		{2C7AEAC4-25F4-4C9D-842D-5C001D2BBA71}.Release|x64.ActiveCfg = Release|Win32
		{2C7AEAC4-25F4-4C9D-842D-5C001D2BBA71}.Release|x86.ActiveCfg = Release|Win32
		{2C7AEAC4-25F4-4C9D-842D-5C001D2BBA71}.Release|x86.Build.0 = Release|Win32
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Debug|ARM.ActiveCfg = Debug|ARM
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Debug|ARM.Build.0 = Debug|ARM
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Debug|ARM.Deploy.0 = Debug|ARM
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Debug|ARM64.ActiveCfg = Debug|ARM64
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Debug|ARM64.Build.0 = Debug|ARM64
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Debug|ARM64.Deploy.0 = Debug|ARM64
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Debug|x64.ActiveCfg = Debug|x64
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Debug|x64.Build.0 = Debug|x64
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Debug|x64.Deploy.0 = Debug|x64
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Debug|x86.ActiveCfg = Debug|Win32
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Debug|x86.Build.0 = Debug|Win32
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Debug|x86.Deploy.0 = Debug|Win32
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Release|ARM.ActiveCfg = Release|ARM
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Release|ARM.Build.0 = Release|ARM
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Release|ARM.Deploy.0 = Release|ARM
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Release|ARM64.ActiveCfg = Release|ARM64
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Release|ARM64.Build.0 = Release|ARM64
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Release|ARM64.Deploy.0 = Release|ARM64
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Release|x64.ActiveCfg = Release|x64
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Release|x64.Build.0 = Release|x64
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Release|x64.Deploy.0 = Release|x64
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Release|x86.ActiveCfg = Release|Win32
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Release|x86.Build.0 = Release|Win32
		{AEA72597-54BB-4720-916D-17F4B53F615D}.Release|x86.Deploy.0 = Release|Win32
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {CA87CDA3-6E95-4C2A-8FF5-255603FFBB5F}
	EndGlobalSection
EndGlobal


================================================
FILE: LICENSE
================================================
GNU GENERAL PUBLIC LICENSE
                       Version 3, 29 June 2007

 Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

                            Preamble

  The GNU General Public License is a free, copyleft license for
software and other kinds of works.

  The licenses for most software and other practical works are designed
to take away your freedom to share and change the works.  By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users.  We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors.  You can apply it to
your programs, too.

  When we speak of free software, we are referring to freedom, not
price.  Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.

  To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights.  Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.

  For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received.  You must make sure that they, too, receive
or can get the source code.  And you must show them these terms so they
know their rights.

  Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.

  For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software.  For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.

  Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so.  This is fundamentally incompatible with the aim of
protecting users' freedom to change the software.  The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable.  Therefore, we
have designed this version of the GPL to prohibit the practice for those
products.  If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.

  Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary.  To prevent this, the GPL assures that
patents cannot be used to render the program non-free.

  The precise terms and conditions for copying, distribution and
modification follow.

                       TERMS AND CONDITIONS

  0. Definitions.

  "This License" refers to version 3 of the GNU General Public License.

  "Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.

  "The Program" refers to any copyrightable work licensed under this
License.  Each licensee is addressed as "you".  "Licensees" and
"recipients" may be individuals or organizations.

  To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy.  The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.

  A "covered work" means either the unmodified Program or a work based
on the Program.

  To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy.  Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.

  To "convey" a work means any kind of propagation that enables other
parties to make or receive copies.  Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.

  An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License.  If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.

  1. Source Code.

  The "source code" for a work means the preferred form of the work
for making modifications to it.  "Object code" means any non-source
form of a work.

  A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.

  The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form.  A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.

  The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities.  However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work.  For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.

  The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.

  The Corresponding Source for a work in source code form is that
same work.

  2. Basic Permissions.

  All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met.  This License explicitly affirms your unlimited
permission to run the unmodified Program.  The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work.  This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.

  You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force.  You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright.  Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.

  Conveying under any other circumstances is permitted solely under
the conditions stated below.  Sublicensing is not allowed; section 10
makes it unnecessary.

  3. Protecting Users' Legal Rights From Anti-Circumvention Law.

  No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.

  When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.

  4. Conveying Verbatim Copies.

  You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you
SYMBOL INDEX (146 symbols across 26 files)

FILE: ControlPanel/ControlPanel.h
  function class (line 16) | class ControlPanel : public QWidget

FILE: ControlPanel/dlcommon.h
  function namespace (line 33) | namespace Common {

FILE: ControlPanel/dldrivers.cpp
  function BOOL (line 28) | static BOOL _fileExists(const char *filename) {
  function QString (line 34) | QString Drivers::GetFileVersion(QString fName) {
  function QString (line 101) | QString Drivers::GetFileLastWriteTime(QString fName) {

FILE: ControlPanel/dldrivers.h
  function namespace (line 27) | namespace Drivers {

FILE: ControlPanel/dlioctl.cpp
  function QString (line 38) | QString ProtectedDriverControl::safeRead()
  function QString (line 56) | QString ProtectedDriverControl::safeExec()
  function QString (line 76) | QString ProtectedDriverControl::unsafeRead()
  function QString (line 94) | QString ProtectedDriverControl::unsafeExec()

FILE: ControlPanel/dlioctl.h
  function class (line 11) | class ProtectedDriverControl
  function class (line 31) | class MalwareDriverControl

FILE: ControlPanel/dlservices.cpp
  function SC_HANDLE (line 36) | SC_HANDLE Services::Open(QString service) {

FILE: ControlPanel/dlservices.h
  function namespace (line 28) | namespace Services {

FILE: ControlPanel/main.cpp
  function execmd (line 7) | int execmd(char* cmd, char* result) {
  function main (line 22) | int main(int argc, char *argv[])

FILE: KernelHiddenExcute/HiddenCallApiTransfer.h
  function NTSTATUS (line 8) | NTSTATUS SimulateApi(ULONG64 param1)
  function NTSTATUS (line 19) | NTSTATUS ApiTransfer_SimulateApi(PHIDDEN_PAGE_RECORD pHiddenPageRecord, ...

FILE: KernelHiddenExcute/HiddenExecute.h
  type MMPTE (line 27) | typedef struct _MMPTE
  type SPECIFIC_HIDDEN_PAGE_RECORD (line 50) | typedef struct _SPECIFIC_HIDDEN_PAGE_RECORD
  type HIDDEN_PAGE_RECORD (line 58) | typedef struct _HIDDEN_PAGE_RECORD
  function NTSTATUS (line 83) | NTSTATUS InitializeHiddenPageRecordStructure(PHIDDEN_PAGE_RECORD* ppHidd...
  function NTSTATUS (line 119) | NTSTATUS FreeHiddenPageRecordStructure(PHIDDEN_PAGE_RECORD pHiddenPageRe...
  function PVOID (line 148) | PVOID pPTEPFNtoPhysicalAddress(ULONG64 PFN)
  function ULONG64 (line 157) | ULONG64 pPhysicalAddresstoPTEPFN(PVOID PhysicalAddressBase)
  function PMMPTE (line 169) | PMMPTE pGetSpecificAddresspPTEPhysical(ULONG64 CR3, PVOID pPageBase)
  function PVOID (line 221) | PVOID pGetSpecificAddressPhysicalForR3(ULONG64 CR3, PVOID pVirtual)
  function NTSTATUS (line 295) | NTSTATUS AddHiddenPageRecord(ULONG64 CR3, PVOID pHiddenPageBase, PHIDDEN...
  function NTSTATUS (line 384) | NTSTATUS RemoveAndRestoreAllHiddenPageRecord(PHIDDEN_PAGE_RECORD pHidden...
  function NTSTATUS (line 444) | NTSTATUS ContextOriginalToHidden(PHIDDEN_PAGE_RECORD pHiddenPageRecord)
  function NTSTATUS (line 513) | NTSTATUS ContextHiddenToOriginal(PHIDDEN_PAGE_RECORD pHiddenPageRecord)
  function ULONG64 (line 573) | ULONG64 GetPagesCountByLength(ULONG64 Length)
  function NTSTATUS (line 590) | NTSTATUS AddHiddenSection(ULONG64 SystemCR3, PDRIVER_OBJECT pDriverObj, ...

FILE: KernelHiddenExcute/HiddenFunctions.h
  function NTSTATUS (line 6) | NTSTATUS HiddenFunctionA(PHIDDEN_PAGE_RECORD pHiddenPageRecord)

FILE: KernelHiddenExcute/PhysicalMemoryOperation.h
  type PHYSICAL_OP_CR3 (line 15) | typedef struct _PHYSICAL_OP_CR3
  type MMPDPTE (line 36) | typedef struct _MMPDPTE
  type MMPDE (line 60) | typedef struct _MMPDE
  type MMVA (line 84) | typedef struct _MMVA
  type MMVA_PDPTE_LARGE (line 97) | typedef struct _MMVA_PDPTE_LARGE
  type MMVA_PDE_LARGE (line 108) | typedef struct _MMVA_PDE_LARGE
  function HANDLE (line 127) | HANDLE OpenPhysicalMemory()
  function BOOLEAN (line 143) | BOOLEAN pMapPhysicalMemoryPre(HANDLE hMemory, PDWORD64 pDwAddress, PSIZE...
  function PVOID (line 156) | PVOID MapPhysicalMemory(PVOID PA, SIZE_T Size)
  function BOOLEAN (line 163) | BOOLEAN UnmapPhysicalMemory(PVOID VA)
  function ULONG64 (line 175) | ULONG64 GetCR3Flag(ULONG64 CR3)
  function ULONG64 (line 184) | ULONG64 ClearCR3Flag(ULONG64 CR3)
  function VOID (line 193) | VOID pPrintPhysicalOpStructure(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
  function NTSTATUS (line 214) | NTSTATUS pFreePhysicalOpPageTableMemory(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
  function NTSTATUS (line 242) | NTSTATUS pAllocPhysicalOpPageTableMemory(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
  function NTSTATUS (line 274) | NTSTATUS pMapSystemPML4T(ULONG64 SystemCR3, PPHYSICAL_OP_CR3 pPhysicalOp...
  function NTSTATUS (line 293) | NTSTATUS pUnmapSystemPML4T(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
  function NTSTATUS (line 314) | NTSTATUS pFillGeneratedPML4TandPDPT(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
  function NTSTATUS (line 350) | NTSTATUS CreatePhysicalOpCR3BySystemCR3(ULONG64 SystemCR3, PPHYSICAL_OP_...
  function NTSTATUS (line 391) | NTSTATUS FreePhysicalOpCR3(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
  function NTSTATUS (line 422) | NTSTATUS ContextVirtualToPhysical(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
  function NTSTATUS (line 454) | NTSTATUS ContextPhysicalToVirtual(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
  function ULONG64 (line 485) | ULONG64 GetCR3ByEprocess(PEPROCESS pEProc)
  function PEPROCESS (line 499) | PEPROCESS GetEProcess(ULONG64 PID)
  function ULONG64 (line 524) | ULONG64 GetCR3ByPID(ULONG64 PID)

FILE: KernelHiddenExcute/SectionOperation.h
  type LDR_DATA_TABLE_ENTRY64 (line 4) | typedef struct _LDR_DATA_TABLE_ENTRY64
  function PIMAGE_SECTION_HEADER (line 30) | PIMAGE_SECTION_HEADER GetSegmentHeadPointer(PDRIVER_OBJECT pDriverObj, P...
  function ULONG64 (line 71) | ULONG64 GetDriverBaseAddress(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
  function ULONG64 (line 77) | ULONG64 GetSegmentAddressPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
  function ULONG64 (line 82) | ULONG64 GetSegmentLengthPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
  function ULONG64 (line 87) | ULONG64 GetSegmentRawDataAddressPointer(PDRIVER_OBJECT pDriverObj, PCHAR...
  function ULONG64 (line 92) | ULONG64 GetSegmentRawDataLengthPointer(PDRIVER_OBJECT pDriverObj, PCHAR ...
  function ULONG64 (line 98) | ULONG64 GetSegmentStartAddress(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
  function ULONG64 (line 105) | ULONG64 GetSegmentEndAddress(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
  function ULONG64 (line 113) | ULONG64 GetSegmentLength(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)

FILE: KernelHiddenExcute/main.c
  function NTSTATUS (line 3) | NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
  function NTSTATUS (line 11) | NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
  function NTSTATUS (line 19) | NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
  function VOID (line 48) | VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
  function VOID (line 62) | VOID WriteEnable()
  function VOID (line 69) | VOID WriteDisable()
  function NTSTATUS (line 76) | NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistr...

FILE: KernelHiddenExecute/HiddenCallApiTransfer.c
  function NTSTATUS (line 11) | NTSTATUS SimulateApi(ULONG64 param1)
  function NTSTATUS (line 22) | NTSTATUS ApiTransfer_SimulateApi(PHIDDEN_PAGE_RECORD pHiddenPageRecord, ...

FILE: KernelHiddenExecute/HiddenExecute.c
  function NTSTATUS (line 19) | NTSTATUS InitializeHiddenPageRecordStructure(PHIDDEN_PAGE_RECORD* ppHidd...
  function NTSTATUS (line 59) | NTSTATUS FreeHiddenPageRecordStructure(PHIDDEN_PAGE_RECORD pHiddenPageRe...
  function PVOID (line 88) | PVOID pPTEPFNtoPhysicalAddress(ULONG64 PFN)
  function ULONG64 (line 97) | ULONG64 pPhysicalAddresstoPTEPFN(PVOID PhysicalAddressBase)
  function PMMPTE (line 109) | PMMPTE pGetSpecificAddresspPTEPhysical(ULONG64 CR3, PVOID pPageBase)
  function PVOID (line 161) | PVOID pGetSpecificAddressPhysicalForR3(ULONG64 CR3, PVOID pVirtual)
  function NTSTATUS (line 235) | NTSTATUS AddHiddenPageRecord(ULONG64 CR3, PVOID pHiddenPageBase, PHIDDEN...
  function NTSTATUS (line 324) | NTSTATUS RemoveAndRestoreAllHiddenPageRecord(PHIDDEN_PAGE_RECORD pHidden...
  function NTSTATUS (line 384) | NTSTATUS ContextOriginalToHidden(PHIDDEN_PAGE_RECORD pHiddenPageRecord)
  function NTSTATUS (line 453) | NTSTATUS ContextHiddenToOriginal(PHIDDEN_PAGE_RECORD pHiddenPageRecord)
  function ULONG64 (line 513) | ULONG64 GetPagesCountByLength(ULONG64 Length)
  function NTSTATUS (line 530) | NTSTATUS AddHiddenSection(ULONG64 SystemCR3, PDRIVER_OBJECT pDriverObj, ...

FILE: KernelHiddenExecute/HiddenExecute.h
  type MMPTE (line 46) | typedef struct _MMPTE
  type SPECIFIC_HIDDEN_PAGE_RECORD (line 69) | typedef struct _SPECIFIC_HIDDEN_PAGE_RECORD
  type HIDDEN_PAGE_RECORD (line 77) | typedef struct _HIDDEN_PAGE_RECORD

FILE: KernelHiddenExecute/HiddenFunctions.c
  function BOOL (line 19) | BOOL HiddenFunction(PCHAR checkStr)
  function BOOL (line 29) | BOOL UnsafeFunction(PCHAR checkStr)

FILE: KernelHiddenExecute/PhysicalMemoryOperation.c
  function HANDLE (line 21) | HANDLE OpenPhysicalMemory()
  function BOOLEAN (line 37) | BOOLEAN pMapPhysicalMemoryPre(HANDLE hMemory, PDWORD64 pDwAddress, PSIZE...
  function PVOID (line 50) | PVOID MapPhysicalMemory(PVOID PA, SIZE_T Size)
  function BOOLEAN (line 57) | BOOLEAN UnmapPhysicalMemory(PVOID VA)
  function ULONG64 (line 69) | ULONG64 GetCR3Flag(ULONG64 CR3)
  function ULONG64 (line 78) | ULONG64 ClearCR3Flag(ULONG64 CR3)
  function VOID (line 87) | VOID pPrintPhysicalOpStructure(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
  function NTSTATUS (line 108) | NTSTATUS pFreePhysicalOpPageTableMemory(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
  function NTSTATUS (line 136) | NTSTATUS pAllocPhysicalOpPageTableMemory(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
  function NTSTATUS (line 168) | NTSTATUS pMapSystemPML4T(ULONG64 SystemCR3, PPHYSICAL_OP_CR3 pPhysicalOp...
  function NTSTATUS (line 187) | NTSTATUS pUnmapSystemPML4T(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
  function NTSTATUS (line 208) | NTSTATUS pFillGeneratedPML4TandPDPT(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
  function NTSTATUS (line 244) | NTSTATUS CreatePhysicalOpCR3BySystemCR3(ULONG64 SystemCR3, PPHYSICAL_OP_...
  function NTSTATUS (line 285) | NTSTATUS FreePhysicalOpCR3(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
  function NTSTATUS (line 316) | NTSTATUS ContextVirtualToPhysical(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
  function NTSTATUS (line 348) | NTSTATUS ContextPhysicalToVirtual(PPHYSICAL_OP_CR3 pPhysicalOpCR3)
  function ULONG64 (line 379) | ULONG64 GetCR3ByEprocess(PEPROCESS pEProc)
  function PEPROCESS (line 393) | PEPROCESS GetEProcess(ULONG64 PID)
  function ULONG64 (line 418) | ULONG64 GetCR3ByPID(ULONG64 PID)

FILE: KernelHiddenExecute/PhysicalMemoryOperation.h
  type PHYSICAL_OP_CR3 (line 26) | typedef struct _PHYSICAL_OP_CR3
  type MMPDPTE (line 45) | typedef struct _MMPDPTE
  type MMPDE (line 69) | typedef struct _MMPDE
  type MMVA (line 93) | typedef struct _MMVA
  type MMVA_PDPTE_LARGE (line 106) | typedef struct _MMVA_PDPTE_LARGE
  type MMVA_PDE_LARGE (line 117) | typedef struct _MMVA_PDE_LARGE

FILE: KernelHiddenExecute/SectionOperation.c
  function PIMAGE_SECTION_HEADER (line 7) | PIMAGE_SECTION_HEADER GetSegmentHeadPointer(PDRIVER_OBJECT pDriverObj, P...
  function ULONG64 (line 48) | ULONG64 GetDriverBaseAddress(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
  function ULONG64 (line 54) | ULONG64 GetSegmentAddressPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
  function ULONG64 (line 59) | ULONG64 GetSegmentLengthPointer(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
  function ULONG64 (line 64) | ULONG64 GetSegmentRawDataAddressPointer(PDRIVER_OBJECT pDriverObj, PCHAR...
  function ULONG64 (line 69) | ULONG64 GetSegmentRawDataLengthPointer(PDRIVER_OBJECT pDriverObj, PCHAR ...
  function ULONG64 (line 75) | ULONG64 GetSegmentStartAddress(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
  function ULONG64 (line 82) | ULONG64 GetSegmentEndAddress(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)
  function ULONG64 (line 90) | ULONG64 GetSegmentLength(PDRIVER_OBJECT pDriverObj, PCHAR pSegName)

FILE: KernelHiddenExecute/SectionOperation.h
  type LDR_DATA_TABLE_ENTRY64 (line 12) | typedef struct _LDR_DATA_TABLE_ENTRY64

FILE: KernelHiddenExecute/main.c
  function NTSTATUS (line 13) | NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
  function NTSTATUS (line 21) | NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
  function NTSTATUS (line 29) | NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
  function VOID (line 83) | VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
  function NTSTATUS (line 111) | NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistr...

FILE: Malware/Attack.c
  function VOID (line 16) | VOID WriteEnable()
  function VOID (line 23) | VOID WriteDisable()
  function VOID (line 32) | VOID cal_next(PCHAR str, PLONG_PTR next, LONG_PTR len)
  function PVOID (line 46) | PVOID KMP(PVOID str, LONG_PTR slen, PVOID ptr, LONG_PTR plen)
  function BOOL (line 74) | BOOL AttackCodeAndData(PDRIVER_OBJECT pDrvObj, PCHAR pSegName, PCHAR pPa...
  function NTSTATUS (line 104) | NTSTATUS AttackDemoDriver(BOOL restore)

FILE: Malware/main.c
  function NTSTATUS (line 6) | NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
  function NTSTATUS (line 14) | NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
  function NTSTATUS (line 22) | NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
  function VOID (line 49) | VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
  function NTSTATUS (line 63) | NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistr...
Condensed preview — 55 files, each showing path, character count, and a content snippet.
[
  {
    "path": ".gitattributes",
    "chars": 66,
    "preview": "# Auto detect text files and perform LF normalization\n* text=auto\n"
  },
  {
    "path": ".gitignore",
    "chars": 6265,
    "preview": "*.exe\n*.dll\n*.pdb\n*.sys\n*.ink\n*.txt\n*.log\ntest/\n\n\n## Ignore Visual Studio temporary files, build results, and\n## files g"
  },
  {
    "path": "ControlPanel/ControlPanel.cpp",
    "chars": 7197,
    "preview": "#include \"ControlPanel.h\"\n\nControlPanel::ControlPanel(QWidget* parent)\n\t: QWidget(parent),\n\t//initialize strings\n\tprotec"
  },
  {
    "path": "ControlPanel/ControlPanel.h",
    "chars": 1232,
    "preview": "#pragma once\n#pragma execution_character_set(\"utf-8\")\n\n#include <QtWidgets/QWidget>\n#include <QPushButton>\n#include <QDe"
  },
  {
    "path": "ControlPanel/ControlPanel.qrc",
    "chars": 241,
    "preview": "<RCC>\n    <qresource prefix=\"/\">\n        <file>resources/malware.png</file>\n        <file>resources/safeProcedure.png</f"
  },
  {
    "path": "ControlPanel/ControlPanel.ui",
    "chars": 6797,
    "preview": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<ui version=\"4.0\">\n <class>ControlPanelClass</class>\n <widget class=\"QWidget\" nam"
  },
  {
    "path": "ControlPanel/ControlPanel.vcxproj",
    "chars": 6013,
    "preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"16.0\" xmlns=\"http://schemas.micros"
  },
  {
    "path": "ControlPanel/ControlPanel.vcxproj.filters",
    "chars": 2362,
    "preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
  },
  {
    "path": "ControlPanel/dlcommon.cpp",
    "chars": 1824,
    "preview": "/*\n    This file is part of driver-loader\n    Copyright (C) 2017 @maldevel\n\n    driver-loader - Load a Windows Kernel Dr"
  },
  {
    "path": "ControlPanel/dlcommon.h",
    "chars": 1395,
    "preview": "#pragma once\n\n/*\n    This file is part of driver-loader\n    Copyright (C) 2017 @maldevel\n\n    driver-loader - Load a Win"
  },
  {
    "path": "ControlPanel/dlconfig.h",
    "chars": 986,
    "preview": "#pragma once\n\n/*\n    This file is part of driver-loader\n    Copyright (C) 2017 @maldevel\n\n    driver-loader - Load a Win"
  },
  {
    "path": "ControlPanel/dldrivers.cpp",
    "chars": 5320,
    "preview": "/*\n    This file is part of driver-loader\n    Copyright (C) 2017 @maldevel\n\n    driver-loader - Load a Windows Kernel Dr"
  },
  {
    "path": "ControlPanel/dldrivers.h",
    "chars": 1195,
    "preview": "#pragma once\n\n/*\n    This file is part of driver-loader\n    Copyright (C) 2017 @maldevel\n\n    driver-loader - Load a Win"
  },
  {
    "path": "ControlPanel/dlioctl.cpp",
    "chars": 3376,
    "preview": "#include \"dlioctl.h\"\n\nProtectedDriverControl::ProtectedDriverControl()\n\t:hDevice(INVALID_HANDLE_VALUE)\n{\n}\n\nProtectedDri"
  },
  {
    "path": "ControlPanel/dlioctl.h",
    "chars": 976,
    "preview": "#pragma once\n\n#include <Windows.h>\n#include <QString>\n\n#define IOCTL_SAFE_READ\tCTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METH"
  },
  {
    "path": "ControlPanel/dlservices.cpp",
    "chars": 6158,
    "preview": "/*\n    This file is part of driver-loader\n    Copyright (C) 2017 @maldevel\n\n    driver-loader - Load a Windows Kernel Dr"
  },
  {
    "path": "ControlPanel/dlservices.h",
    "chars": 1662,
    "preview": "#pragma once\n\n/*\n    This file is part of driver-loader\n    Copyright (C) 2017 @maldevel\n\n    driver-loader - Load a Win"
  },
  {
    "path": "ControlPanel/main.cpp",
    "chars": 1000,
    "preview": "#include \"ControlPanel.h\"\n#include <QtWidgets/QApplication>\n#include <regex>\n#include <string>\nusing namespace std;\n\nint"
  },
  {
    "path": "KernelHiddenExcute/Head.h",
    "chars": 574,
    "preview": "#pragma once\n\n#include <ntifs.h>\n#include <ntddk.h>\n#include <stdlib.h>\n#include <windef.h>\n#include <ntimage.h>\n#includ"
  },
  {
    "path": "KernelHiddenExcute/HiddenCallApiTransfer.h",
    "chars": 940,
    "preview": "#pragma once\n#include \"Head.h\"\n\n/*********************************************************\nfunction:\t\tSimulateApi\ndescri"
  },
  {
    "path": "KernelHiddenExcute/HiddenExecute.h",
    "chars": 20115,
    "preview": "#pragma once\n#include \"Head.h\"\n\n/*********************************************************\ndescription:\nnotice!!!\trun in"
  },
  {
    "path": "KernelHiddenExcute/HiddenFunctions.h",
    "chars": 290,
    "preview": "#pragma once\n#include \"Head.h\"\n\n#pragma code_seg(SECTION_NAME_HIDDEN)\n\nNTSTATUS HiddenFunctionA(PHIDDEN_PAGE_RECORD pHid"
  },
  {
    "path": "KernelHiddenExcute/KernelHiddenExcute.inf",
    "chars": 467,
    "preview": ";\n; KernelHiddenExcute.inf\n;\n\n[Version]\nSignature=\"$WINDOWS NT$\"\nClass=System\nClassGuid={4d36e97d-e325-11ce-bfc1-08002be"
  },
  {
    "path": "KernelHiddenExcute/KernelHiddenExcute.vcxproj",
    "chars": 7829,
    "preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"12.0\" xmlns=\"http://schemas.micros"
  },
  {
    "path": "KernelHiddenExcute/KernelHiddenExcute.vcxproj.filters",
    "chars": 1937,
    "preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
  },
  {
    "path": "KernelHiddenExcute/MyDebugPrint.h",
    "chars": 383,
    "preview": "#pragma once\n\n#include \"Head.h\"\n\n\n\n#define _DBG_PRINT\n#define PRINT_NAME \"XYLab\"\n\n\n#define _Title \"[\"##PRINT_NAME##\"] \"\n"
  },
  {
    "path": "KernelHiddenExcute/PhysicalMemoryOperation.h",
    "chars": 17341,
    "preview": "#pragma once\n#include \"Head.h\"\n\nBOOL\tg_IsPhysicalOpInit = FALSE;\nHANDLE\tg_SectionHandle = NULL;\n\n#define\tPAGE_TABLE_SIZE"
  },
  {
    "path": "KernelHiddenExcute/SectionOperation.h",
    "chars": 3933,
    "preview": "#pragma once\n#include \"Head.h\"\n\ntypedef struct _LDR_DATA_TABLE_ENTRY64\n{\n\tLIST_ENTRY64    InLoadOrderLinks;\n\tLIST_ENTRY6"
  },
  {
    "path": "KernelHiddenExcute/main.c",
    "chars": 3202,
    "preview": "#include \"Head.h\"\n\nNTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)\n{\n\tpIrp->IoStatus.Status = STATUS_SUCCESS;"
  },
  {
    "path": "KernelHiddenExecute/DebugPrintEx.h",
    "chars": 391,
    "preview": "#pragma once\n\n#include <ntddk.h>\n\n//switch\n#define _DBG_PRINT\n\n#define PRINT_NAME \"XYLab\"\n\n\n#define _Title \"[\"##PRINT_NA"
  },
  {
    "path": "KernelHiddenExecute/HiddenCallApiTransfer.c",
    "chars": 1034,
    "preview": "#include \"HiddenCallApiTransfer.h\"\n\n\n//////////////////////////////////////////////////////////////////////////\n//functi"
  },
  {
    "path": "KernelHiddenExecute/HiddenCallApiTransfer.h",
    "chars": 324,
    "preview": "#pragma once\n\n#include <ntddk.h>\n#include <windef.h>\n\n#include \"DebugPrintEx.h\"\n#include \"HiddenExecute.h\"\n\n\n///////////"
  },
  {
    "path": "KernelHiddenExecute/HiddenExecute.c",
    "chars": 17585,
    "preview": "#include \"HiddenExecute.h\"\n\n//////////////////////////////////////////////////////////////////////////\n//global variable"
  },
  {
    "path": "KernelHiddenExecute/HiddenExecute.h",
    "chars": 4473,
    "preview": "#pragma once\n\n/*********************************************************\ndescription:\nnotice!!!\trun in IRQL >= DPC_LEVEL"
  },
  {
    "path": "KernelHiddenExecute/HiddenFunctions.c",
    "chars": 1016,
    "preview": "#include \"HiddenFunctions.h\"\n\n\n//////////////////////////////////////////////////////////////////////////\n//functions\n\n/"
  },
  {
    "path": "KernelHiddenExecute/HiddenFunctions.h",
    "chars": 372,
    "preview": "#pragma once\n\n#include <ntddk.h>\n#include <windef.h>\n\n#include \"DebugPrintEx.h\"\n#include \"HiddenExecute.h\"\n#include \"Hid"
  },
  {
    "path": "KernelHiddenExecute/KernelHiddenExecute.inf",
    "chars": 480,
    "preview": ";\n; KernelHiddenExecute.inf\n;\n\n[Version]\nSignature=\"$WINDOWS NT$\"\nClass=System\nClassGuid={4d36e97d-e325-11ce-bfc1-08002b"
  },
  {
    "path": "KernelHiddenExecute/KernelHiddenExecute.vcxproj",
    "chars": 8570,
    "preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"12.0\" xmlns=\"http://schemas.micros"
  },
  {
    "path": "KernelHiddenExecute/KernelHiddenExecute.vcxproj.filters",
    "chars": 2436,
    "preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
  },
  {
    "path": "KernelHiddenExecute/PhysicalMemoryOperation.c",
    "chars": 13172,
    "preview": "#include \"PhysicalMemoryOperation.h\"\n\n\n//////////////////////////////////////////////////////////////////////////\n//glob"
  },
  {
    "path": "KernelHiddenExecute/PhysicalMemoryOperation.h",
    "chars": 6175,
    "preview": "#pragma once\n\n#include <ntddk.h>\n//#include <ntifs.h>\n#include <windef.h>\n#include <intrin.h>\n\n#include \"DebugPrintEx.h\""
  },
  {
    "path": "KernelHiddenExecute/SectionOperation.c",
    "chars": 3206,
    "preview": "#include \"SectionOperation.h\"\n\n\n//////////////////////////////////////////////////////////////////////////\n//functions\n\n"
  },
  {
    "path": "KernelHiddenExecute/SectionOperation.h",
    "chars": 1797,
    "preview": "#pragma once\n\n#include <ntddk.h>\n#include <ntimage.h>\n#include <windef.h>\n\n#include \"DebugPrintEx.h\"\n\n//////////////////"
  },
  {
    "path": "KernelHiddenExecute/main.c",
    "chars": 4221,
    "preview": "#include \"main.h\"\n\n\n//////////////////////////////////////////////////////////////////////////\n//global variables\n\nPHIDD"
  },
  {
    "path": "KernelHiddenExecute/main.h",
    "chars": 1518,
    "preview": "#pragma once\n\n#include <ntifs.h>\n#include <ntddk.h>\n#include <stdlib.h>\n#include <windef.h>\n#include <ntimage.h>\n#includ"
  },
  {
    "path": "KernelHiddenExecute.sln",
    "chars": 5650,
    "preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 16\nVisualStudioVersion = 16.0.3090"
  },
  {
    "path": "LICENSE",
    "chars": 35129,
    "preview": "GNU GENERAL PUBLIC LICENSE\n                       Version 3, 29 June 2007\n\n Copyright (C) 2007 Free Software Foundation,"
  },
  {
    "path": "Malware/Attack.c",
    "chars": 4347,
    "preview": "#include \"Attack.h\"\n\n\n//////////////////////////////////////////////////////////////////////////\n//global variables\n\ncha"
  },
  {
    "path": "Malware/Attack.h",
    "chars": 1242,
    "preview": "#pragma once\n\n#include <ntddk.h>\n#include <windef.h>\n#include <intrin.h>\n\n#include \"..\\KernelHiddenExecute\\DebugPrintEx."
  },
  {
    "path": "Malware/Malware.inf",
    "chars": 444,
    "preview": ";\n; Malware.inf\n;\n\n[Version]\nSignature=\"$WINDOWS NT$\"\nClass=System\nClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}\nProv"
  },
  {
    "path": "Malware/Malware.vcxproj",
    "chars": 7751,
    "preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"12.0\" xmlns=\"http://schemas.micros"
  },
  {
    "path": "Malware/Malware.vcxproj.filters",
    "chars": 1869,
    "preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
  },
  {
    "path": "Malware/main.c",
    "chars": 2661,
    "preview": "#include \"main.h\"\n\n\n//////////////////////////////////////////////////////////////////////////\n//functions\nNTSTATUS Disp"
  },
  {
    "path": "Malware/main.h",
    "chars": 962,
    "preview": "#pragma once\n\n#include <ntifs.h>\n#include <ntddk.h>\n#include <stdlib.h>\n#include <windef.h>\n#include <ntimage.h>\n#includ"
  },
  {
    "path": "README.md",
    "chars": 863,
    "preview": "## Kernel Hidden Execute\n\nTo hide codes/data in the kernel address space.\n\n## System requirements\n\nWindows 7 or higher, "
  }
]
