init commit

BEDaisy/BEDaisy.filters

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="DriverEntry.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="Hooks.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="DriverUtil.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="Memory.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="Types.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="Hooks.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="DriverUtil.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="Memory.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>

BEDaisy/BEDaisy.vcxproj

@@ -0,0 +1,282 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|ARM">
+      <Configuration>Debug</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|ARM">
+      <Configuration>Release</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|ARM64">
+      <Configuration>Debug</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|ARM64">
+      <Configuration>Release</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{1F1679F7-60D4-4170-8FE1-FA6B49D7D229}</ProjectGuid>
+    <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
+    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+    <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
+    <Configuration>Debug</Configuration>
+    <Platform Condition="'$(Platform)' == ''">Win32</Platform>
+    <RootNamespace>ioctl_meme</RootNamespace>
+    <WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
+    <ProjectName>BEDaisy</ProjectName>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+    <SpectreMitigation>false</SpectreMitigation>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+    <SpectreMitigation>false</SpectreMitigation>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+    <SpectreMitigation>false</SpectreMitigation>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+    <SpectreMitigation>false</SpectreMitigation>
+    <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+    <SpectreMitigation>false</SpectreMitigation>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+    <SpectreMitigation>false</SpectreMitigation>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+    <EnableInf2cat>false</EnableInf2cat>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
+    <ClCompile>
+      <LanguageStandard>stdcpp17</LanguageStandard>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <TreatWarningAsError>false</TreatWarningAsError>
+    </ClCompile>
+    <Link>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+    </Link>
+    <Link>
+      <NoEntryPoint>false</NoEntryPoint>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
+    <ClCompile>
+      <LanguageStandard>stdcpp17</LanguageStandard>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <TreatWarningAsError>false</TreatWarningAsError>
+    </ClCompile>
+    <Link>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+    </Link>
+    <Link>
+      <NoEntryPoint>false</NoEntryPoint>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
+    <ClCompile>
+      <LanguageStandard>stdcpp17</LanguageStandard>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <TreatWarningAsError>false</TreatWarningAsError>
+    </ClCompile>
+    <Link>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+    </Link>
+    <Link>
+      <NoEntryPoint>false</NoEntryPoint>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+    <ClCompile>
+      <LanguageStandard>stdcpp17</LanguageStandard>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <TreatWarningAsError>false</TreatWarningAsError>
+    </ClCompile>
+    <Link>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+    </Link>
+    <Link>
+      <NoEntryPoint>false</NoEntryPoint>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <LanguageStandard>stdcpp17</LanguageStandard>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <TreatWarningAsError>false</TreatWarningAsError>
+    </ClCompile>
+    <Link>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+    </Link>
+    <Link>
+      <NoEntryPoint>false</NoEntryPoint>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <LanguageStandard>stdcpp17</LanguageStandard>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <TreatWarningAsError>false</TreatWarningAsError>
+    </ClCompile>
+    <Link>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+    </Link>
+    <Link>
+      <NoEntryPoint>false</NoEntryPoint>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <LanguageStandard>stdcpp17</LanguageStandard>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <TreatWarningAsError>false</TreatWarningAsError>
+    </ClCompile>
+    <Link>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+    </Link>
+    <Link>
+      <NoEntryPoint>false</NoEntryPoint>
+      <AdditionalDependencies>FltMgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+    <Inf>
+      <SpecifyArchitecture>false</SpecifyArchitecture>
+      <SpecifyDriverVerDirectiveVersion>false</SpecifyDriverVerDirectiveVersion>
+      <SpecifyDriverVerDirectiveDate>false</SpecifyDriverVerDirectiveDate>
+    </Inf>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <LanguageStandard>stdcpp17</LanguageStandard>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <TreatWarningAsError>false</TreatWarningAsError>
+    </ClCompile>
+    <Link>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+    </Link>
+    <Link>
+      <NoEntryPoint>false</NoEntryPoint>
+      <AdditionalDependencies>FltMgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <FilesToPackage Include="$(TargetPath)" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="DriverEntry.cpp" />
+    <ClCompile Include="DriverUtil.cpp" />
+    <ClCompile Include="Hooks.cpp" />
+    <ClCompile Include="Memory.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="DriverUtil.h" />
+    <ClInclude Include="Hooks.h" />
+    <ClInclude Include="Memory.h" />
+    <ClInclude Include="Types.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

BEDaisy/BEDaisy.vcxproj.filters

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <ClCompile Include="DriverEntry.cpp">
+      <Filter>Source</Filter>
+    </ClCompile>
+    <ClCompile Include="DriverUtil.cpp">
+      <Filter>Source</Filter>
+    </ClCompile>
+    <ClCompile Include="Hooks.cpp">
+      <Filter>Source</Filter>
+    </ClCompile>
+    <ClCompile Include="Memory.cpp">
+      <Filter>Source</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="DriverUtil.h">
+      <Filter>Headers</Filter>
+    </ClInclude>
+    <ClInclude Include="Hooks.h">
+      <Filter>Headers</Filter>
+    </ClInclude>
+    <ClInclude Include="Memory.h">
+      <Filter>Headers</Filter>
+    </ClInclude>
+    <ClInclude Include="Types.h">
+      <Filter>Headers</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <Filter Include="Headers">
+      <UniqueIdentifier>{b2f67e29-768d-4980-9e9e-c112e9c7635e}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source">
+      <UniqueIdentifier>{937d350f-e918-446d-9ee9-1a9d69013f1b}</UniqueIdentifier>
+    </Filter>
+  </ItemGroup>
+</Project>

BEDaisy/DriverEntry.cpp

@@ -0,0 +1,40 @@
+#include "Types.h"
+#include "DriverUtil.h"
+#include "Hooks.h"
+
+using namespace DriverUtil;
+using namespace Hooks;
+
+void TdDeviceUnload(
+    DRIVER_OBJECT* DriverObject
+)
+{
+    PsRemoveLoadImageNotifyRoutine(&LoadImageNotifyRoutine);
+}
+
+NTSTATUS TdDeviceClose(
+    IN PDEVICE_OBJECT  DeviceObject,
+    IN PIRP  Irp
+)
+{
+    UNREFERENCED_PARAMETER(DeviceObject);
+
+    Irp->IoStatus.Status = STATUS_SUCCESS;
+    Irp->IoStatus.Information = 0;
+    IoCompleteRequest(Irp, IO_NO_INCREMENT);
+
+    return STATUS_SUCCESS;
+}
+
+NTSTATUS DriverEntry(
+    _In_ PDRIVER_OBJECT  DriverObject,
+    _In_ PUNICODE_STRING RegistryPath
+)
+{
+    DriverObject->MajorFunction[IRP_MJ_CLOSE] = &TdDeviceClose;
+    DriverObject->DriverUnload = &TdDeviceUnload;
+
+    PsSetLoadImageNotifyRoutine(&LoadImageNotifyRoutine);
+	DBG_PRINT("Installed ImageNotifyRoutine... 0x%p", &LoadImageNotifyRoutine);
+    return STATUS_SUCCESS;
+}

BEDaisy/DriverUtil.cpp

@@ -0,0 +1,311 @@
+#include "DriverUtil.h"
+
+namespace DriverUtil
+{
+    // This function was created with help from wlan
+    //
+    // Links to his work: 
+    // https://github.com/not-wlan/driver-hijack
+    // https://www.unknowncheats.me/forum/c-and-c-/274073-iterating-driver_objects.html
+    // https://www.unknowncheats.me/forum/anti-cheat-bypass/274881-memedriver-driver-object-hijack-poc.html
+
+    PDRIVER_OBJECT GetDriverObject(PUNICODE_STRING lpDriverName)
+    {
+        HANDLE handle{};
+        OBJECT_ATTRIBUTES attributes{};
+        UNICODE_STRING directory_name{};
+        PVOID directory{};
+        BOOLEAN success = FALSE;
+        FAST_IO_DISPATCH fastIoDispatch;
+        bool installedHook = false;
+        RtlZeroMemory(&fastIoDispatch, sizeof(FAST_IO_DISPATCH));
+        RtlInitUnicodeString(&directory_name, L"\\Driver");
+        InitializeObjectAttributes(
+            &attributes,
+            &directory_name,
+            OBJ_CASE_INSENSITIVE,
+            NULL,
+            NULL
+        );
+
+        // open OBJECT_DIRECTORY for \\Driver
+        auto status = ZwOpenDirectoryObject(
+            &handle,
+            DIRECTORY_ALL_ACCESS,
+            &attributes
+        );
+
+        if (!NT_SUCCESS(status))
+        {
+            DBG_PRINT("ZwOpenDirectoryObject Failed");
+            return NULL;
+        }
+
+        // Get OBJECT_DIRECTORY pointer from HANDLE
+        status = ObReferenceObjectByHandle(
+            handle,
+            DIRECTORY_ALL_ACCESS,
+            nullptr,
+            KernelMode,
+            &directory,
+            nullptr
+        );
+
+        if (!NT_SUCCESS(status))
+        {
+            DBG_PRINT("ObReferenceObjectByHandle Failed");
+            ZwClose(handle);
+            return NULL;
+        }
+
+        const auto directory_object = POBJECT_DIRECTORY(directory);
+        if (!directory_object)
+            return NULL;
+
+        ExAcquirePushLockExclusiveEx(&directory_object->Lock, 0);
+
+        // traverse hash table with 37 entries
+        // when a new object is created, the object manager computes a hash value in the range zero to 36 from the object name and creates an OBJECT_DIRECTORY_ENTRY.    
+        // http://www.informit.com/articles/article.aspx?p=22443&seqNum=7
+        for (auto entry : directory_object->HashBuckets)
+        {
+            if (!entry)
+                continue;
+
+            while (entry && entry->Object)
+            {
+                auto driver = PDRIVER_OBJECT(entry->Object);
+                if (!driver)
+                    continue;
+
+                if (wcscmp(driver->DriverExtension->ServiceKeyName.Buffer, lpDriverName->Buffer) == 0)
+                    return driver;
+            }
+        }
+
+        ExReleasePushLockExclusiveEx(&directory_object->Lock, 0);
+        // Release the acquired resources back to the OS
+        ObDereferenceObject(directory);
+        ZwClose(handle);
+        //TODO remove
+        return NULL;
+    }
+
+    PVOID GetDriverBase(LPCSTR module_name)
+    {
+        ULONG bytes{};
+        NTSTATUS status = ZwQuerySystemInformation(
+            SystemModuleInformation,
+            NULL,
+            bytes,
+            &bytes
+        );
+        if (!bytes)
+            return NULL;
+        PRTL_PROCESS_MODULES modules =
+            (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, bytes, POOLTAG);
+
+        if (modules)
+        {
+            status = ZwQuerySystemInformation(
+                SystemModuleInformation,
+                modules,
+                bytes,
+                &bytes
+            );
+
+            if (!NT_SUCCESS(status))
+            {
+                ExFreePoolWithTag(modules, POOLTAG);
+                return NULL;
+            }
+            
+            PRTL_PROCESS_MODULE_INFORMATION module = modules->Modules;
+            PVOID module_base{}, module_size{};
+            for (ULONG i = 0; i < modules->NumberOfModules; i++)
+            {
+                if (strcmp(reinterpret_cast<char*>(module[i].FullPathName + module[i].OffsetToFileName), module_name) == 0)
+                {
+                    module_base = module[i].ImageBase;
+                    module_size = (PVOID)module[i].ImageSize;
+                    break;
+                }
+            }
+            ExFreePoolWithTag(modules, POOLTAG);
+            return module_base;
+        }
+        return NULL;
+    }
+
+    PVOID GetSystemModuleExport(LPCSTR ModName, LPCSTR RoutineName)
+    {
+        PVOID result = GetDriverBase(ModName);
+        if (!result)
+            return NULL;
+        return RtlFindExportedRoutineByName(result, RoutineName);
+    }
+
+    PVOID IATHook(PVOID lpBaseAddress, CHAR* lpcStrImport, PVOID lpFuncAddress)
+    {
+        if (!lpBaseAddress || !lpcStrImport || !lpFuncAddress)
+            return NULL;
+
+        PIMAGE_DOS_HEADER dosHeaders = 
+            reinterpret_cast<PIMAGE_DOS_HEADER>(lpBaseAddress);
+
+        PIMAGE_NT_HEADERS ntHeaders = 
+            reinterpret_cast<PIMAGE_NT_HEADERS>(
+                reinterpret_cast<DWORD_PTR>(lpBaseAddress) + dosHeaders->e_lfanew);
+
+        IMAGE_DATA_DIRECTORY importsDirectory = 
+            ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
+
+        PIMAGE_IMPORT_DESCRIPTOR importDescriptor = 
+            reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(importsDirectory.VirtualAddress + (DWORD_PTR)lpBaseAddress);
+
+        LPCSTR libraryName = NULL;
+        PVOID result = NULL;
+        PIMAGE_IMPORT_BY_NAME functionName = NULL;
+
+        if (!importDescriptor) 
+            return NULL;
+
+        while (importDescriptor->Name != NULL)
+        {
+            libraryName = (LPCSTR)importDescriptor->Name + (DWORD_PTR)lpBaseAddress;
+            if (GetDriverBase(libraryName))
+            {
+                PIMAGE_THUNK_DATA originalFirstThunk = NULL, firstThunk = NULL;
+                originalFirstThunk = (PIMAGE_THUNK_DATA)((DWORD_PTR)lpBaseAddress + importDescriptor->OriginalFirstThunk);
+                firstThunk = (PIMAGE_THUNK_DATA)((DWORD_PTR)lpBaseAddress + importDescriptor->FirstThunk);
+                while (originalFirstThunk->u1.AddressOfData != NULL)
+                {
+                    functionName = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)lpBaseAddress + originalFirstThunk->u1.AddressOfData);
+                    if (strcmp(functionName->Name, lpcStrImport) == 0)
+                    {
+                        // save old function pointer
+                        result = reinterpret_cast<PVOID>(firstThunk->u1.Function);
+                        Memory::WriteProtectOff();
+                        // swap address
+                        firstThunk->u1.Function = reinterpret_cast<ULONG64>(lpFuncAddress);
+                        Memory::WriteProtectOn();
+                        return result;
+                    }
+                    ++originalFirstThunk;
+                    ++firstThunk;
+                }
+            }
+            importDescriptor++;
+        }
+        return NULL;
+    }
+
+    PVOID DriverIATHook(PDRIVER_OBJECT pDriverObject, CHAR* lpcStrImport, PVOID lpFuncAddress)
+    {
+        if (!pDriverObject || !lpcStrImport)
+            return NULL;
+        return IATHook(pDriverObject->DriverStart, lpcStrImport, lpFuncAddress);
+    }
+
+    VOID DumpDriver(PDRIVER_OBJECT lpDriverObject)
+    {
+        DumpDriver(lpDriverObject->DriverStart);
+    }
+
+    VOID DumpDriver(PVOID lpBaseAddress)
+    {
+        if (!lpBaseAddress || *(short*) lpBaseAddress != 0x5A4D)
+            return;
+
+        PIMAGE_DOS_HEADER dosHeaders =
+            reinterpret_cast<PIMAGE_DOS_HEADER>(lpBaseAddress);
+
+        PIMAGE_NT_HEADERS ntHeaders =
+            reinterpret_cast<PIMAGE_NT_HEADERS>(
+                reinterpret_cast<DWORD_PTR>(lpBaseAddress) + dosHeaders->e_lfanew);
+
+        HANDLE             hFile;
+        UNICODE_STRING     uniName;
+        OBJECT_ATTRIBUTES  objAttr;
+        IO_STATUS_BLOCK    ioStatusBlock;
+        LARGE_INTEGER      offset{};
+
+        RtlInitUnicodeString(&uniName, L"\\DosDevices\\C:\\DriverDump.sys");
+        InitializeObjectAttributes(&objAttr, &uniName,
+            OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
+            NULL, NULL
+        );
+
+        ZwCreateFile(&hFile,
+            GENERIC_WRITE,
+            &objAttr,
+            &ioStatusBlock, 
+            NULL,
+            FILE_ATTRIBUTE_NORMAL,
+            NULL,
+            FILE_OVERWRITE_IF,
+            FILE_SYNCHRONOUS_IO_NONALERT,
+            NULL, 
+            NULL
+        );
+
+        ZwWriteFile(
+            hFile,
+            NULL,
+            NULL,
+            NULL,
+            &ioStatusBlock,
+            lpBaseAddress,
+            ntHeaders->OptionalHeader.SizeOfImage,
+            &offset,
+            NULL
+        );
+
+        ZwClose(hFile);
+    }
+
+    void MemDump(void* BaseAddress, unsigned Size)
+    {
+        if (!BaseAddress || !Size)
+            return;
+
+        HANDLE             h_file;
+        UNICODE_STRING     name;
+        OBJECT_ATTRIBUTES  attr;
+        IO_STATUS_BLOCK    status_block;
+        LARGE_INTEGER      offset{ NULL };
+
+        RtlInitUnicodeString(&name, L"\\DosDevices\\C:\\dump.bin");
+        InitializeObjectAttributes(&attr, &name,
+            OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
+            NULL, NULL
+        );
+
+        auto status = ZwCreateFile(
+            &h_file,
+            GENERIC_WRITE,
+            &attr,
+            &status_block,
+            NULL,
+            FILE_ATTRIBUTE_NORMAL,
+            NULL,
+            FILE_OVERWRITE_IF,
+            FILE_SYNCHRONOUS_IO_NONALERT,
+            NULL,
+            NULL
+        );
+
+        status = ZwWriteFile(
+            h_file,
+            NULL,
+            NULL,
+            NULL,
+            &status_block,
+            BaseAddress,
+            Size,
+            &offset,
+            NULL
+        );
+        ZwClose(h_file);
+    }
+}

BEDaisy/DriverUtil.h

@@ -0,0 +1,17 @@
+#pragma once
+#include <intrin.h>
+#include "Types.h"
+#include "Memory.h"
+
+namespace DriverUtil
+{
+	PDRIVER_OBJECT GetDriverObject(PUNICODE_STRING lpDriverName);
+	PVOID GetDriverBase(LPCSTR module_name);
+	PVOID IATHook(PVOID lpBaseAddress, CHAR* lpcStrImport, PVOID lpFuncAddress);
+	PVOID DriverIATHook(PDRIVER_OBJECT pDriverObject, CHAR* lpcStrImport, PVOID lpFuncAddress);
+
+	PVOID GetSystemModuleExport(LPCSTR ModName, LPCSTR RoutineName);
+	VOID DumpDriver(PVOID lpBaseAddress);
+	VOID DumpDriver(PDRIVER_OBJECT lpDriverObject);
+	void MemDump(void* BaseAddress, unsigned Size);
+}

BEDaisy/Hooks.cpp

@@ -0,0 +1,922 @@
+#include "Hooks.h"
+#include <fltKernel.h>
+
+namespace Hooks
+{
+    BOOLEAN gh_ExEnumHandleTable(
+        PVOID HandleTable,
+        PVOID EnumHandleProcedure,
+        PVOID EnumParameter,
+        PHANDLE Handle OPTIONAL
+    )
+    {
+        DBG_PRINT("EnumHandleProcedure Called From: 0x%p, EnumHandleProcedure: 0x%p", _ReturnAddress(), EnumHandleProcedure);
+        return TRUE;
+    }
+
+    NTSTATUS gh_ZwAllocateVirtualMemory(
+        _In_    HANDLE    ProcessHandle,
+        _Inout_ PVOID*    BaseAddress,
+        _In_    ULONG_PTR ZeroBits,
+        _Inout_ PSIZE_T   RegionSize,
+        _In_    ULONG     AllocationType,
+        _In_    ULONG     Protect
+    )
+    {
+        DBG_PRINT("ZwAllocateVirtualMemory called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - ProcessHandle: 0x%p", ProcessHandle);
+        if(BaseAddress)
+            DBG_PRINT("     - BaseAddress (of allocation): 0x%p", *(ULONGLONG*)BaseAddress);
+        if(RegionSize)
+            DBG_PRINT("     - RegionSize: 0x%p", *(SIZE_T*)RegionSize);
+        DBG_PRINT("     - Protect: 0x%p", Protect);
+
+        return ZwAllocateVirtualMemory(
+            ProcessHandle,
+            BaseAddress,
+            ZeroBits, 
+            RegionSize,
+            AllocationType, 
+            Protect
+        );
+    }
+
+    NTSTATUS gh_PsSetLoadImageNotifyRoutine(
+        PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
+    )
+    {
+        DBG_PRINT("PsSetLoadImageNotifyRoutine called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - NotifyRoutine: 0x%p", NotifyRoutine);
+        return PsSetLoadImageNotifyRoutine(NotifyRoutine);
+    }
+
+    NTSTATUS gh_ObRegisterCallbacks(
+        POB_CALLBACK_REGISTRATION CallbackRegistration,
+        PVOID* RegistrationHandle
+    )
+    {
+        DBG_PRINT("ObRegisterCallbacks called from: 0x%p", _ReturnAddress());
+        return ObRegisterCallbacks(
+            CallbackRegistration,
+            RegistrationHandle
+        );
+    }
+
+    NTSTATUS gh_ZwQuerySystemInformation(
+        _In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
+        _Inout_   PVOID                    SystemInformation,
+        _In_      ULONG                    SystemInformationLength,
+        _Out_opt_ PULONG                   ReturnLength
+    )
+    {
+        DBG_PRINT("ZwQuerySystemInformation called");
+        DBG_PRINT("     - SystemInformationClass: 0x%p", SystemInformationClass);
+        DBG_PRINT("     - SystemInformation: 0x%p", SystemInformation);
+        DBG_PRINT("     - SystemInformationLength: 0x%p", SystemInformationLength);
+
+        auto result = ZwQuerySystemInformation(
+            SystemInformationClass,
+            SystemInformation,
+            SystemInformationLength,
+            ReturnLength
+        );
+
+        if (SystemInformationLength && SystemInformation && ReturnLength && *ReturnLength)
+        {
+            switch (SystemInformationClass)
+            {
+            case SystemProcessInformation:
+            {
+                auto process_info = reinterpret_cast<PSYSTEM_PROCESS_INFORMATION>(SystemInformation);
+                process_info->NextEntryOffset = NULL;
+                DBG_PRINT("Spoofed SystemProcessInformation.....");
+                break;
+            }
+            case SystemModuleInformation:
+            {
+                auto module_info = reinterpret_cast<PRTL_PROCESS_MODULES>(SystemInformation);
+                module_info->NumberOfModules = 1;
+                DBG_PRINT("Spoofed SystemModuleInformation.....");
+                break;
+            }
+            default:
+                break;
+            }
+        }
+        return result;
+    }
+
+    NTSTATUS gh_PsSetCreateProcessNotifyRoutineEx(
+        PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine,
+        BOOLEAN                           Remove
+    )
+    {
+        DBG_PRINT("PsSetCreateProcessNotifyRoutineEx Called From 0x%p", _ReturnAddress());
+        DBG_PRINT("     - NotifyRoutine: 0x%p", NotifyRoutine);
+        DBG_PRINT("     - Remove: 0x%x", Remove);
+        return PsSetCreateProcessNotifyRoutineEx(NotifyRoutine, Remove);
+    }
+
+    NTSTATUS gh_IoCreateDevice(
+        PDRIVER_OBJECT  DriverObject,
+        ULONG           DeviceExtensionSize,
+        PUNICODE_STRING DeviceName,
+        DEVICE_TYPE     DeviceType,
+        ULONG           DeviceCharacteristics,
+        BOOLEAN         Exclusive,
+        PDEVICE_OBJECT* DeviceObject
+    )
+    {
+        DBG_PRINT("================= BattlEye =================");
+        DBG_PRINT("     - BattlEye IRP_MJ_DEVICE_CONTROL: 0x%p", DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]);
+        DBG_PRINT("     - BattlEye IRP_MJ_READ: 0x%p", DriverObject->MajorFunction[IRP_MJ_READ]);
+        DBG_PRINT("     - BattlEye IRP_MJ_WRITE: 0x%p", DriverObject->MajorFunction[IRP_MJ_WRITE]);
+
+        return IoCreateDevice(
+            DriverObject,
+            DeviceExtensionSize,
+            DeviceName,
+            DeviceType,
+            DeviceCharacteristics,
+            Exclusive,
+            DeviceObject
+        );
+    }
+
+    NTSTATUS gh_PsSetCreateThreadNotifyRoutine(
+        PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
+    )
+    {
+        DBG_PRINT("PsSetCreateThreadNotifyRoutine Called From 0x%p", _ReturnAddress());
+        DBG_PRINT("     - NotifyRoutine: 0x%p", NotifyRoutine);
+        return PsSetCreateThreadNotifyRoutine(NotifyRoutine);
+    }
+
+    PHYSICAL_ADDRESS gh_MmGetPhysicalAddress(
+        PVOID BaseAddress
+    )
+    {
+        DBG_PRINT("MmGetPhysicalAddress called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - BaseAddress (Virtual Address): 0x%p", BaseAddress);
+        return MmGetPhysicalAddress(BaseAddress);
+    }
+
+    BOOLEAN gh_MmIsAddressValid(
+        PVOID VirtualAddress
+    )
+    {
+        DBG_PRINT("MmIsAddressValid Called From: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - NonPaged VirtualAddress: 0x%p", VirtualAddress);
+        return MmIsAddressValid(VirtualAddress);
+    }
+
+    NTSTATUS gh_ZwDeviceIoControlFile(
+        HANDLE           FileHandle,
+        HANDLE           Event,
+        PIO_APC_ROUTINE  ApcRoutine,
+        PVOID            ApcContext,
+        PIO_STATUS_BLOCK IoStatusBlock,
+        ULONG            IoControlCode,
+        PVOID            InputBuffer,
+        ULONG            InputBufferLength,
+        PVOID            OutputBuffer,
+        ULONG            OutputBufferLength
+    )
+    {
+        DBG_PRINT("ZwDeviceIoControlFile Called From 0x%p", _ReturnAddress());
+        DBG_PRINT("     - FileHandle: 0x%p", FileHandle);
+        DBG_PRINT("     - IoControlCode: 0x%p", IoControlCode);
+        DBG_PRINT("     - OutputBufferLength: 0x%p", OutputBufferLength);
+        DBG_PRINT("     - InoutBufferLength: 0x%p", InputBufferLength);
+        const auto result = ZwDeviceIoControlFile(
+            FileHandle,
+            Event, 
+            ApcRoutine, 
+            ApcContext,
+            IoStatusBlock,
+            IoControlCode, 
+            InputBuffer, 
+            InputBufferLength, 
+            OutputBuffer,
+            OutputBufferLength
+        );
+        ULONG seed = 0x1000;
+        for (auto idx = 0u; idx < OutputBufferLength; ++idx)
+            *(unsigned char*)((unsigned char*)OutputBuffer + idx) = (unsigned char)RtlRandomEx(&seed);
+        return result;
+    }
+
+    VOID gh_RtlInitAnsiString(
+        PANSI_STRING          DestinationString,
+        PCSZ SourceString
+    )
+    {
+        DBG_PRINT("RtlInitAnsiString Called From: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - SourceString: 0x%s", SourceString);
+        return RtlInitAnsiString(DestinationString, SourceString);
+    }
+
+    VOID gh_RtlInitUnicodeString(
+        PUNICODE_STRING         DestinationString,
+        PCWSTR SourceString
+    )
+    {
+        DBG_PRINT("RtlInitUnicodeString Called From: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - SourceString: %ws", SourceString);
+        return RtlInitUnicodeString(DestinationString, SourceString);
+    }
+
+    PVOID gh_MmMapIoSpace(
+        PHYSICAL_ADDRESS    PhysicalAddress,
+        SIZE_T              NumberOfBytes,
+        MEMORY_CACHING_TYPE CacheType
+    )
+    {
+        DBG_PRINT("MmMapIoSpace called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - PhysicalAddress: 0x%p", PhysicalAddress);
+        DBG_PRINT("     - NumberOfBytes: 0x%p", NumberOfBytes);
+
+        return MmMapIoSpace(
+            PhysicalAddress,
+            NumberOfBytes, 
+            CacheType
+        );
+    }
+
+    NTSTATUS gh_ZwOpenFile(
+        PHANDLE            FileHandle,
+        ACCESS_MASK        DesiredAccess,
+        POBJECT_ATTRIBUTES ObjectAttributes,
+        PIO_STATUS_BLOCK   IoStatusBlock,
+        ULONG              ShareAccess,
+        ULONG              OpenOptions
+    )
+    {
+        DBG_PRINT("ZwOpenFile called from: 0x%p", _ReturnAddress());
+        if (ObjectAttributes)
+            DBG_PRINT("     - ZwOpenFile(%ws)", ObjectAttributes->ObjectName->Buffer);
+
+        const auto result = ZwOpenFile(
+            FileHandle,
+            DesiredAccess,
+            ObjectAttributes,
+            IoStatusBlock,
+            ShareAccess,
+            OpenOptions
+        );
+        DBG_PRINT("     - ZwOpenFile handle result: 0x%p", *(HANDLE*)FileHandle);
+        return result;
+    }
+
+    void gh_KeStackAttachProcess(
+        PRKPROCESS   PROCESS,
+        PRKAPC_STATE ApcState
+    )
+    {
+        DBG_PRINT("KeStackAttachProcess called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - Attaching to %s....", PsGetProcessImageFileName(PROCESS));
+        KeStackAttachProcess(PROCESS, ApcState);
+    }
+
+    NTSTATUS gh_ZwCreateSection(
+        PHANDLE            SectionHandle,
+        ACCESS_MASK        DesiredAccess,
+        POBJECT_ATTRIBUTES ObjectAttributes,
+        PLARGE_INTEGER     MaximumSize,
+        ULONG              SectionPageProtection,
+        ULONG              AllocationAttributes,
+        HANDLE             FileHandle
+    )
+    {
+        DBG_PRINT("ZwCreateSection called from: 0x%p", _ReturnAddress());
+        const auto result = ZwCreateSection(
+            SectionHandle, 
+            DesiredAccess,
+            ObjectAttributes,
+            MaximumSize,
+            SectionPageProtection,
+            AllocationAttributes,
+            FileHandle
+        );
+        DBG_PRINT("     - DesiredAccess: 0x%p", DesiredAccess);
+        DBG_PRINT("     - SectionPageProtection: 0x%p", SectionPageProtection);
+        DBG_PRINT("     - SectionHandle: 0x%p", *SectionHandle);
+        DBG_PRINT("     - FileHandle: 0x%p", FileHandle);
+        return result;
+    }
+
+    NTSTATUS gh_ObOpenObjectByName(
+        __in POBJECT_ATTRIBUTES ObjectAttributes,
+        __in_opt POBJECT_TYPE ObjectType,
+        __in KPROCESSOR_MODE AccessMode,
+        __inout_opt PACCESS_STATE AccessState,
+        __in_opt ACCESS_MASK DesiredAccess,
+        __inout_opt PVOID ParseContext,
+        __out PHANDLE Handle
+    )
+    {
+        DBG_PRINT("ObOpenObjectByName called from: 0x%p", _ReturnAddress());
+        const auto result = ObOpenObjectByName(
+            ObjectAttributes,
+            ObjectType, 
+            AccessMode,
+            AccessState,
+            DesiredAccess, 
+            ParseContext,
+            Handle
+        );
+        DBG_PRINT("     - ObjectName: %s", ObjectAttributes->ObjectName->Buffer);
+        return result;
+    }
+
+    NTSTATUS gh_ZwMapViewOfSection(
+        HANDLE          SectionHandle,
+        HANDLE          ProcessHandle,
+        PVOID*          BaseAddress,
+        ULONG_PTR       ZeroBits,
+        SIZE_T          CommitSize,
+        PLARGE_INTEGER  SectionOffset,
+        PSIZE_T         ViewSize,
+        SECTION_INHERIT InheritDisposition,
+        ULONG           AllocationType,
+        ULONG           Win32Protect
+    )
+    {
+        const auto result = ZwMapViewOfSection(
+            SectionHandle, 
+            ProcessHandle,
+            BaseAddress,
+            ZeroBits, 
+            CommitSize,
+            SectionOffset,
+            ViewSize, 
+            InheritDisposition, 
+            AllocationType, 
+            Win32Protect
+        );
+
+        DBG_PRINT("ZwMapViewOfSection called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - SectionHandle: 0x%p", SectionHandle);
+        DBG_PRINT("     - ProcessHandle: 0x%p", ProcessHandle);
+        DBG_PRINT("     - ViewSize: 0x%p", *ViewSize);
+        DBG_PRINT("     - Win32Protect: 0x%p", Win32Protect);
+        return result;
+    }
+
+    NTSTATUS gh_MmCopyVirtualMemory
+    (
+        PEPROCESS SourceProcess,
+        PVOID SourceAddress,
+        PEPROCESS TargetProcess,
+        PVOID TargetAddress,
+        SIZE_T BufferSize,
+        KPROCESSOR_MODE PreviousMode,
+        PSIZE_T ReturnSize
+    )
+    {
+        DBG_PRINT("MmCopyVirtualMemory called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - SourceProcess: %s", PsGetProcessImageFileName(SourceProcess));
+        DBG_PRINT("     - SourceAddress: 0x%p", SourceAddress);
+        DBG_PRINT("     - TargetProcess: %s", PsGetProcessImageFileName(TargetProcess));
+        DBG_PRINT("     - TargetAddress: 0x%p", TargetAddress);
+        DBG_PRINT("     - BufferSize: 0x%p", BufferSize);
+
+        const auto result = MmCopyVirtualMemory(
+            SourceProcess, 
+            SourceAddress,
+            TargetProcess, 
+            TargetAddress, 
+            BufferSize,
+            PreviousMode,
+            ReturnSize
+        );
+        return result;
+    }
+
+    void gh_IofCompleteRequest(
+        PIRP  Irp,
+        CCHAR PriorityBoost
+    )
+    {
+        auto StackLocation = IoGetCurrentIrpStackLocation(Irp);
+        DBG_PRINT("IofCompleteRequest called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - Request Called From: %s", PsGetProcessImageFileName(IoGetCurrentProcess()));
+        switch (StackLocation->MajorFunction)
+        {
+        case IRP_MJ_DEVICE_CONTROL:
+            DBG_PRINT("     - IRP_MJ_DEVICE_CONTROL!");
+            DBG_PRINT("     - IoControlCode:  0x%p", StackLocation->Parameters.DeviceIoControl.IoControlCode);
+            DBG_PRINT("     - InputBufferLength: 0x%p", StackLocation->Parameters.DeviceIoControl.InputBufferLength);
+            DBG_PRINT("     - OutputBufferLength: 0x%p", StackLocation->Parameters.DeviceIoControl.OutputBufferLength);
+            DBG_PRINT("     - UserBuffer: 0x%p", Irp->UserBuffer);
+            DBG_PRINT("     - MdlAddress: 0x%p", Irp->MdlAddress);
+            DBG_PRINT("     - SystemBuffer: 0x%p", Irp->AssociatedIrp.SystemBuffer);
+            break;
+        case IRP_MJ_READ:
+            DBG_PRINT("     - IRP_MJ_READ!");
+            DBG_PRINT("     - ReadSize: 0x%p", StackLocation->Parameters.Read.Length);
+            DBG_PRINT("     - UserBuffer: 0x%p", Irp->UserBuffer);
+            DBG_PRINT("     - MdlAddress: 0x%p", Irp->MdlAddress);
+            DBG_PRINT("     - SystemBuffer: 0x%p", Irp->AssociatedIrp.SystemBuffer);
+            break;
+        case IRP_MJ_WRITE:
+            DBG_PRINT("     - IRP_MJ_WRITE!");
+            DBG_PRINT("     - WriteSize: 0x%p", StackLocation->Parameters.Write.Length);
+            DBG_PRINT("     - UserBuffer: 0x%p", Irp->UserBuffer);
+            DBG_PRINT("     - MdlAddress: 0x%p", Irp->MdlAddress);
+            DBG_PRINT("     - SystemBuffer: 0x%p", Irp->AssociatedIrp.SystemBuffer);
+            break;
+        default:
+            DBG_PRINT("Unkown Major Function Type: 0x%p", StackLocation->MajorFunction);
+            break;
+        }
+        IofCompleteRequest(Irp, PriorityBoost);
+    }
+
+    int gh_stricmp(
+        const char* string1,
+        const char* string2
+    )
+    {
+        DBG_PRINT("_stricmp called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - string1: %s", string1);
+        DBG_PRINT("     - string2: %s", string2);
+        return reinterpret_cast<decltype(&stricmp)>(DriverUtil::GetSystemModuleExport("ntoskrnl.exe", "stricmp"))(string1, string2);
+    }
+
+    int gh_strnicmp(
+        const char* string1,
+        const char* string2,
+        size_t count
+    )
+    {
+        DBG_PRINT("_strnicmp called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - string1: %s", string1);
+        DBG_PRINT("     - string2: %s", string2);
+        DBG_PRINT("     - count: 0x%x", count);
+        return reinterpret_cast<decltype(&strnicmp)>(DriverUtil::GetSystemModuleExport("ntoskrnl.exe", "strnicmp"))(string1, string2, count);
+    }
+
+    int gh_wcsncmp(const wchar_t* wcs1, const wchar_t* wcs2, size_t num)
+    {
+        DBG_PRINT("gh_wcsncmp called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - string1: %ws", wcs1);
+        DBG_PRINT("     - string2: %ws", wcs2);
+        DBG_PRINT("     - count: 0x%x", num);
+        return wcsncmp(wcs1, wcs2, num);
+    }
+
+    int gh_wcsnicmp(
+        const wchar_t* string1,
+        const wchar_t* string2,
+        size_t count
+    )
+    {
+        DBG_PRINT("gh_wcsnicmp called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - string1: %ws", string1);
+        DBG_PRINT("     - string2: %ws", string2);
+        DBG_PRINT("     - count: 0x%x", count);
+        return wcsncmp(string1, string2, count);
+    }
+
+    wchar_t* gh_wcsncat(wchar_t* dest, const wchar_t* src, size_t count)
+    {
+        DBG_PRINT("wcsncat called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - dest: %ws", dest);
+        DBG_PRINT("     - src: %ws", src);
+        DBG_PRINT("     - count: 0x%x", count);
+        auto result = wcsncat(dest, src, count);
+        DBG_PRINT("     - result: %ws", result);
+        return result;
+    }
+
+    void gh_KeInitializeEvent(
+        PRKEVENT   Event,
+        EVENT_TYPE Type,
+        BOOLEAN    State
+    )
+    {
+        DBG_PRINT("KeInitializeEvent called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - Event: 0x%p", Event);
+        DBG_PRINT("     - Type: 0x%x", Type);
+        DBG_PRINT("     - State: 0x%x", State);
+        KeInitializeEvent(Event, Type, State);
+    }
+
+    PVOID gh_ExAllocatePoolWithTag(
+        POOL_TYPE   PoolType,
+        SIZE_T      NumberOfBytes,
+        ULONG       Tag
+    )
+    {
+        auto result = ExAllocatePoolWithTag(PoolType, NumberOfBytes, Tag);
+        DBG_PRINT("ExAllocatePoolWithTag called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - PoolType: 0x%x", PoolType);
+        DBG_PRINT("     - NumberOfBytes: 0x%x", NumberOfBytes);
+        DBG_PRINT("     - Tag: 0x%x", Tag);
+        DBG_PRINT("     - Allocate Pool at: 0x%p", result);
+        return result;
+    }
+
+    PVOID gh_ExAllocatePool(
+        POOL_TYPE PoolType,
+        SIZE_T    NumberOfBytes
+    )
+    {
+        auto result = ExAllocatePool(PoolType, NumberOfBytes);
+        DBG_PRINT("ExAllocatePool called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - PoolType: 0x%x", PoolType);
+        DBG_PRINT("     - NumberOfBytes: 0x%x", NumberOfBytes);
+        DBG_PRINT("     - Allocate Pool at: 0x%p", result);
+        return result;
+    }
+
+    void gh_ExFreePoolWithTag(
+        PVOID P,
+        ULONG Tag
+    )
+    {
+        DBG_PRINT("ExFreePoolWithTag called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - Freeing pool at: 0x%p", P);
+        DBG_PRINT("     - Pool Tag: 0x%x", Tag);
+        return ExFreePoolWithTag(P, Tag);
+    }
+
+    void gh_ProbeForRead(
+        volatile VOID* Address,
+        SIZE_T              Length,
+        ULONG               Alignment
+    )
+    {
+        DBG_PRINT("ProbeForRead called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - Address: 0x%p", Address);
+        DBG_PRINT("     - Length: 0x%x", Length);
+        DBG_PRINT("     - Alignment: 0x%x", Alignment);
+
+        __try
+        {
+            ProbeForRead(Address, Length, Alignment);
+        }
+        __except (STATUS_ACCESS_VIOLATION | STATUS_DATATYPE_MISALIGNMENT) {}
+    }
+
+    void gh_ProbeForWrite(
+        volatile VOID* Address,
+        SIZE_T        Length,
+        ULONG         Alignment
+    )
+    {
+        DBG_PRINT("ProbeForWrite called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - Address: 0x%p", Address);
+        DBG_PRINT("     - Length: 0x%x", Length);
+        DBG_PRINT("     - Alignment: 0x%x", Alignment);
+
+        __try
+        {
+            ProbeForWrite(Address, Length, Alignment);
+        }
+        __except (STATUS_ACCESS_VIOLATION | STATUS_DATATYPE_MISALIGNMENT) {}
+    }
+
+    NTSTATUS gh_PsCreateSystemThread(
+        PHANDLE            ThreadHandle,
+        ULONG              DesiredAccess,
+        POBJECT_ATTRIBUTES ObjectAttributes,
+        HANDLE             ProcessHandle,
+        PCLIENT_ID         ClientId,
+        PKSTART_ROUTINE    StartRoutine,
+        PVOID              StartContext
+    )
+    {
+        DBG_PRINT("PsCreateSystemThread called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - StartRoutine: 0x%p", StartRoutine);
+        DBG_PRINT("     - StartContext: 0x%p", StartContext);
+        DBG_PRINT("     - ProcessHandle: 0x%p", ProcessHandle);
+        DBG_PRINT("     - ClientId Pointer: 0x%p", ClientId);
+        if (ClientId)
+        {
+            DBG_PRINT("     - ClientId->ProcessId: 0x%x", ClientId->UniqueProcess);
+            DBG_PRINT("     - ClientId->ThreadId: 0x%x", ClientId->UniqueThread);
+        }
+        auto result = PsCreateSystemThread(
+            ThreadHandle,
+            DesiredAccess,
+            ObjectAttributes,
+            ProcessHandle, 
+            ClientId, 
+            StartRoutine,
+            StartContext
+        );
+        DBG_PRINT("     - Thread Handle: 0x%x", *ThreadHandle);
+        return result;
+    }
+
+    PMDL gh_IoAllocateMdl(
+        __drv_aliasesMem PVOID VirtualAddress,
+        ULONG                  Length,
+        BOOLEAN                SecondaryBuffer,
+        BOOLEAN                ChargeQuota,
+        PIRP                   Irp
+    )
+    {
+        DBG_PRINT("IoAllocateMdl called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - VirtualAddress: 0x%p", VirtualAddress);
+        DBG_PRINT("     - Length: 0x%x", Length);
+        DBG_PRINT("     - Irp: 0x%p", Irp);
+        return IoAllocateMdl(
+            VirtualAddress,
+            Length, 
+            SecondaryBuffer,
+            ChargeQuota,
+            Irp
+        );
+    }
+
+    NTSTATUS gh_ObReferenceObjectByName(
+            __in PUNICODE_STRING ObjectName,
+            __in ULONG Attributes,
+            __in_opt PACCESS_STATE AccessState,
+            __in_opt ACCESS_MASK DesiredAccess,
+            __in POBJECT_TYPE ObjectType,
+            __in KPROCESSOR_MODE AccessMode,
+            __inout_opt PVOID ParseContext,
+            __out PVOID* Object
+        )
+    {
+        DBG_PRINT("ObReferenceObjectByName called from: 0x%p", _ReturnAddress());
+        if(ObjectName)
+            DBG_PRINT("     - ObjectName: %ws", ObjectName->Buffer);
+
+        return ObReferenceObjectByName(
+            ObjectName, 
+            Attributes,
+            AccessState,
+            DesiredAccess,
+            ObjectType, 
+            AccessMode,
+            ParseContext, 
+            Object
+        );
+    }
+
+    NTSTATUS gh_MmCopyMemory(
+        PVOID           TargetAddress,
+        MM_COPY_ADDRESS SourceAddress,
+        SIZE_T          NumberOfBytes,
+        ULONG           Flags,
+        PSIZE_T         NumberOfBytesTransferred
+    )
+    {
+        DBG_PRINT("MmCopyMemory called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - TargetAddress: 0x%p", TargetAddress);
+        DBG_PRINT("     - SourceAddress: 0x%p", SourceAddress);
+        DBG_PRINT("     - Size: 0x%x", NumberOfBytes);
+        DBG_PRINT("     - Flags: 0x%x", Flags);
+
+        return MmCopyMemory(
+            TargetAddress, 
+            SourceAddress,
+            NumberOfBytes,
+            Flags, 
+            NumberOfBytesTransferred
+        );
+    }
+
+    ULONG gh_RtlWalkFrameChain(
+        __out PVOID* Callers,
+        __in ULONG 	Count,
+        __in ULONG 	Flags
+    )
+    {
+        return NULL;
+    }
+
+    PVOID gh_MmGetSystemRoutineAddress(
+        PUNICODE_STRING SystemRoutineName
+    )
+    {
+        DBG_PRINT("MmGetSystemRoutineAddress: %ws", SystemRoutineName->Buffer);
+        if (wcsstr(SystemRoutineName->Buffer, L"ZwAllocateVirtualMemory"))
+        {
+            DBG_PRINT("Hooking ZwAllocateVirtualMemory");
+            return &gh_ZwAllocateVirtualMemory;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"RtlInitUnicodeString"))
+        {
+            DBG_PRINT("Hooking RtlInitUnicodeString...");
+            return &gh_RtlInitUnicodeString;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"RtlInitAnsiString"))
+        {
+            DBG_PRINT("Hooking RtlInitAnsiString...");
+            return &gh_RtlInitAnsiString;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"MmIsAddressValid"))
+        {
+            DBG_PRINT("Hooking MmIsAddressValid...");
+            return &gh_MmIsAddressValid;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"IoCreateDevice"))
+        {
+            DBG_PRINT("Hooking IoCreateDevice...");
+            return &gh_IoCreateDevice;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"PsSetCreateProcessNotifyRoutineEx"))
+        {
+            DBG_PRINT("Hooking PsSetCreateProcessNotifyRoutineEx...");
+            return &gh_PsSetCreateProcessNotifyRoutineEx;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"ObRegisterCallbacks"))
+        {
+            DBG_PRINT("Hooking ObRegisterCallbacks...");
+            return &gh_ObRegisterCallbacks;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"PsSetLoadImageNotifyRoutine"))
+        {
+            DBG_PRINT("Hooking PsSetLoadImageNotifyRoutine...");
+            return &gh_PsSetLoadImageNotifyRoutine;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"ExEnumHandleTable"))
+        {
+            //DBG_PRINT("Hooking ExEnumHandleTable...");
+            //return &gh_ExEnumHandleTable;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"MmGetPhysicalAddress"))
+        {
+            DBG_PRINT("Hooking MmGetPhysicalAddress...");
+            return &gh_MmGetPhysicalAddress;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"MmMapIoSpace"))
+        {
+            DBG_PRINT("Hooking MmMapIoSpace...");
+            return &gh_MmMapIoSpace;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"ZwOpenFile"))
+        {
+            DBG_PRINT("Hooking ZwOpenFile...");
+            return &gh_ZwOpenFile;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"DeviceIoControlFile")) // Nt or Zw
+        {
+            DBG_PRINT("Hooking %ws....", SystemRoutineName->Buffer);
+            return &gh_ZwDeviceIoControlFile;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"KeStackAttachProcess"))
+        {
+            DBG_PRINT("Hooking KeStackAttachProcess....");
+            return &gh_KeStackAttachProcess;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"ZwMapViewOfSection"))
+        {
+            DBG_PRINT("Hooking ZwMapViewOfSection....");
+            return &gh_ZwMapViewOfSection;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"ObOpenObjectByName"))
+        {
+            DBG_PRINT("Hooking ObOpenObjectByName....");
+            return &gh_ObOpenObjectByName;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"ZwCreateSection"))
+        {
+            DBG_PRINT("Hooking ZwCreateSection....");
+            return &gh_ZwCreateSection;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"MmCopyVirtualMemory"))
+        {
+            DBG_PRINT("Hooking MmCopyVirtualMemory....");
+            return &gh_MmCopyVirtualMemory;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"IofCompleteRequest"))
+        {
+            DBG_PRINT("Hooking IofCompleteRequest...");
+            return &gh_IofCompleteRequest;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"QuerySystemInformation"))
+        {
+            DBG_PRINT("Hooking QuerySystemInformation...");
+            return &gh_ZwQuerySystemInformation;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"stricmp"))
+        {
+            //DBG_PRINT("Hooking stricmp...");
+            //return &gh_stricmp;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"strnicmp"))
+        {
+            //DBG_PRINT("Hooking strnicmp...");
+            //return &gh_strnicmp;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"wcsncmp"))
+        {
+            DBG_PRINT("Hooking wcsncmp...");
+            return &gh_wcsncmp;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"wcsnicmp"))
+        {
+            DBG_PRINT("Hooking wcsnicmp...");
+            return &gh_wcsnicmp;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"wcsncat"))
+        {
+            DBG_PRINT("Hooking wcsncat...");
+            return &gh_wcsncat;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"KeInitializeEvent"))
+        {
+            DBG_PRINT("Hooking KeInitializeEvent...");
+            return &gh_KeInitializeEvent;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"ExAllocatePoolWithTag"))
+        {
+            DBG_PRINT("Hooking ExAllocatePoolWithTag...");
+            return &gh_ExAllocatePoolWithTag;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"ExAllocatePool"))
+        {
+            DBG_PRINT("Hooking ExAllocatePool...");
+            return &gh_ExAllocatePool;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"ExFreePoolWithTag"))
+        {
+            DBG_PRINT("Hooking ExFreePoolWithTag...");
+            return &gh_ExFreePoolWithTag;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"ProbeForWrite"))
+        {
+            DBG_PRINT("Hooking ProbeForWrite...");
+            return &gh_ProbeForWrite;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"ProbeForRead"))
+        {
+            DBG_PRINT("Hooking ProbeForRead...");
+            return &gh_ProbeForRead;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"PsCreateSystemThread"))
+        {
+            DBG_PRINT("Hooking PsCreateSystemThread...");
+            return &gh_PsCreateSystemThread;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"ObReferenceObjectByName"))
+        {
+            DBG_PRINT("Hooking ObReferenceObjectByName...");
+            return &gh_ObReferenceObjectByName;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"MmCopyMemory"))
+        {
+            DBG_PRINT("Hooking MmCopyMemory...");
+            return &gh_MmCopyMemory;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"RtlWalkFrameChain"))
+        {
+            DBG_PRINT("Hooking RtlWalkFrameChain...");
+            return &gh_RtlWalkFrameChain;
+        }
+        return MmGetSystemRoutineAddress(SystemRoutineName);
+    }
+
+    PVOID gh_FltGetRoutineAddress(
+        PCSTR FltMgrRoutineName
+    )
+    {
+        DBG_PRINT("FltGetRoutineAddress: %s", FltMgrRoutineName);
+        return FltGetRoutineAddress(FltMgrRoutineName);
+    }
+
+    VOID gh_KeBugCheckEx(
+        ULONG     BugCheckCode,
+        ULONG_PTR BugCheckParameter1,
+        ULONG_PTR BugCheckParameter2,
+        ULONG_PTR BugCheckParameter3,
+        ULONG_PTR BugCheckParameter4
+    )
+    { DBG_PRINT("KeBugCheckEx Called!"); }
+
+    VOID LoadImageNotifyRoutine(
+        PUNICODE_STRING FullImageName,
+        HANDLE ProcessId,
+        PIMAGE_INFO ImageInfo
+    )
+    {
+        if (!ProcessId && FullImageName && wcsstr(FullImageName->Buffer, L"BEDaisy.sys"))
+        {
+            DBG_PRINT("> ============= Driver %ws ================", FullImageName->Buffer);
+            DriverUtil::IATHook(
+                ImageInfo->ImageBase,
+                "KeBugCheckEx",
+                &gh_KeBugCheckEx
+            );
+
+            DriverUtil::IATHook(
+                ImageInfo->ImageBase,
+                "MmGetSystemRoutineAddress",
+                &gh_MmGetSystemRoutineAddress
+            );
+
+            DriverUtil::IATHook(
+                ImageInfo->ImageBase,
+                "FltGetRoutineAddress",
+                &gh_FltGetRoutineAddress
+            );
+        }
+    }
+}

BEDaisy/Hooks.h

@@ -0,0 +1,190 @@
+#pragma once
+#include "Types.h"
+#include "DriverUtil.h"
+
+namespace Hooks
+{
+    BOOLEAN gh_ExEnumHandleTable(
+        PVOID HandleTable,
+        PVOID EnumHandleProcedure,
+        PVOID EnumParameter,
+        PHANDLE Handle OPTIONAL
+    );
+
+    NTSTATUS gh_ZwAllocateVirtualMemory(
+        _In_    HANDLE    ProcessHandle,
+        _Inout_ PVOID* BaseAddress,
+        _In_    ULONG_PTR ZeroBits,
+        _Inout_ PSIZE_T   RegionSize,
+        _In_    ULONG     AllocationType,
+        _In_    ULONG     Protect
+    );
+
+    NTSTATUS gh_PsSetLoadImageNotifyRoutine(
+        PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
+    );
+
+    NTSTATUS gh_ObRegisterCallbacks(
+        POB_CALLBACK_REGISTRATION CallbackRegistration,
+        PVOID* RegistrationHandle
+    );
+
+    NTSTATUS gh_ZwQuerySystemInformation(
+        _In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
+        _Inout_   PVOID                    SystemInformation,
+        _In_      ULONG                    SystemInformationLength,
+        _Out_opt_ PULONG                   ReturnLength
+    );
+
+    NTSTATUS gh_PsSetCreateProcessNotifyRoutineEx(
+        PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine,
+        BOOLEAN                           Remove
+    );
+
+    NTSTATUS gh_IoCreateDevice(
+        PDRIVER_OBJECT  DriverObject,
+        ULONG           DeviceExtensionSize,
+        PUNICODE_STRING DeviceName,
+        DEVICE_TYPE     DeviceType,
+        ULONG           DeviceCharacteristics,
+        BOOLEAN         Exclusive,
+        PDEVICE_OBJECT* DeviceObject
+    );
+
+    NTSTATUS gh_PsSetCreateThreadNotifyRoutine(
+        PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
+    );
+
+    PHYSICAL_ADDRESS gh_MmGetPhysicalAddress(
+        PVOID BaseAddress
+    );
+
+    BOOLEAN gh_MmIsAddressValid(
+        PVOID VirtualAddress
+    );
+
+    NTSTATUS gh_ZwDeviceIoControlFile(
+        HANDLE           FileHandle,
+        HANDLE           Event,
+        PIO_APC_ROUTINE  ApcRoutine,
+        PVOID            ApcContext,
+        PIO_STATUS_BLOCK IoStatusBlock,
+        ULONG            IoControlCode,
+        PVOID            InputBuffer,
+        ULONG            InputBufferLength,
+        PVOID            OutputBuffer,
+        ULONG            OutputBufferLength
+    );
+
+    VOID gh_RtlInitAnsiString(
+        PANSI_STRING          DestinationString,
+        PCSZ SourceString
+    );
+
+    VOID gh_RtlInitUnicodeString(
+        PUNICODE_STRING         DestinationString,
+        PCWSTR SourceString
+    );
+
+    PVOID gh_MmMapIoSpace(
+        PHYSICAL_ADDRESS    PhysicalAddress,
+        SIZE_T              NumberOfBytes,
+        MEMORY_CACHING_TYPE CacheType
+    );
+
+    NTSTATUS gh_ZwOpenFile(
+        PHANDLE            FileHandle,
+        ACCESS_MASK        DesiredAccess,
+        POBJECT_ATTRIBUTES ObjectAttributes,
+        PIO_STATUS_BLOCK   IoStatusBlock,
+        ULONG              ShareAccess,
+        ULONG              OpenOptions
+    );
+
+    void gh_KeStackAttachProcess(
+        PRKPROCESS   PROCESS,
+        PRKAPC_STATE ApcState
+    );
+
+    NTSTATUS gh_ZwCreateSection(
+        PHANDLE            SectionHandle,
+        ACCESS_MASK        DesiredAccess,
+        POBJECT_ATTRIBUTES ObjectAttributes,
+        PLARGE_INTEGER     MaximumSize,
+        ULONG              SectionPageProtection,
+        ULONG              AllocationAttributes,
+        HANDLE             FileHandle
+    );
+
+    NTSTATUS gh_ObOpenObjectByName(
+        __in POBJECT_ATTRIBUTES ObjectAttributes,
+        __in_opt POBJECT_TYPE ObjectType,
+        __in KPROCESSOR_MODE AccessMode,
+        __inout_opt PACCESS_STATE AccessState,
+        __in_opt ACCESS_MASK DesiredAccess,
+        __inout_opt PVOID ParseContext,
+        __out PHANDLE Handle
+    );
+
+    NTSTATUS gh_ZwMapViewOfSection(
+        HANDLE          SectionHandle,
+        HANDLE          ProcessHandle,
+        PVOID* BaseAddress,
+        ULONG_PTR       ZeroBits,
+        SIZE_T          CommitSize,
+        PLARGE_INTEGER  SectionOffset,
+        PSIZE_T         ViewSize,
+        SECTION_INHERIT InheritDisposition,
+        ULONG           AllocationType,
+        ULONG           Win32Protect
+    );
+
+    NTSTATUS gh_MmCopyVirtualMemory
+    (
+        PEPROCESS SourceProcess,
+        PVOID SourceAddress,
+        PEPROCESS TargetProcess,
+        PVOID TargetAddress,
+        SIZE_T BufferSize,
+        KPROCESSOR_MODE PreviousMode,
+        PSIZE_T ReturnSize
+    );
+
+    void gh_IofCompleteRequest(
+        PIRP  Irp,
+        CCHAR PriorityBoost
+    );
+
+    PVOID gh_MmGetSystemRoutineAddress(
+        PUNICODE_STRING SystemRoutineName
+    );
+
+    PVOID gh_FltGetRoutineAddress(
+        PCSTR FltMgrRoutineName
+    );
+
+    VOID gh_KeBugCheckEx(
+        ULONG     BugCheckCode,
+        ULONG_PTR BugCheckParameter1,
+        ULONG_PTR BugCheckParameter2,
+        ULONG_PTR BugCheckParameter3,
+        ULONG_PTR BugCheckParameter4
+    );
+
+    int gh_strnicmp(
+        const char* string1,
+        const char* string2,
+        size_t count
+    );
+
+    int gh_stricmp(
+        const char* string1,
+        const char* string2
+    );
+
+    VOID LoadImageNotifyRoutine(
+        PUNICODE_STRING FullImageName,
+        HANDLE ProcessId,
+        PIMAGE_INFO ImageInfo
+    );
+}

BEDaisy/Memory.cpp

@@ -0,0 +1,20 @@
+#include "Memory.h"
+
+namespace Memory
+{
+    void WriteProtectOff()
+    {
+        auto cr0 = __readcr0();
+        cr0 &= 0xfffffffffffeffff;
+        __writecr0(cr0);
+        _disable();
+    }
+
+    void WriteProtectOn()
+    {
+        auto cr0 = __readcr0();
+        cr0 |= 0x10000;
+        _enable();
+        __writecr0(cr0);
+    }
+}

BEDaisy/Memory.h

@@ -0,0 +1,8 @@
+#pragma once
+#include <intrin.h>
+
+namespace Memory
+{
+	void WriteProtectOff();
+	void WriteProtectOn();
+}

BEDaisy/Types.h

@@ -0,0 +1,295 @@
+#pragma once
+#include <ntifs.h>
+#include <cstddef>
+
+#define MAX_PATH 260
+#define IMAGE_DIRECTORY_ENTRY_IMPORT          1   // Import Directory
+#define POOLTAG 'MEME'
+
+#if true
+#define DBG_PRINT(...) DbgPrintEx( DPFLTR_SYSTEM_ID, DPFLTR_ERROR_LEVEL, "[GoodEye]" __VA_ARGS__);
+#else
+#define DBG_PRINT(...)
+#endif
+
+#ifndef DWORD
+#define DWORD unsigned
+#endif
+
+#ifndef WORD
+#define WORD unsigned short
+#endif
+
+extern "C" NTSTATUS ObReferenceObjectByName(
+	__in PUNICODE_STRING ObjectName,
+	__in ULONG Attributes,
+	__in_opt PACCESS_STATE AccessState,
+	__in_opt ACCESS_MASK DesiredAccess,
+	__in POBJECT_TYPE ObjectType,
+	__in KPROCESSOR_MODE AccessMode,
+	__inout_opt PVOID ParseContext,
+	__out PVOID* Object
+);
+
+extern "C" NTSTATUS NTAPI MmCopyVirtualMemory
+(
+	PEPROCESS SourceProcess,
+	PVOID SourceAddress,
+	PEPROCESS TargetProcess,
+	PVOID TargetAddress,
+	SIZE_T BufferSize,
+	KPROCESSOR_MODE PreviousMode,
+	PSIZE_T ReturnSize
+);
+
+extern "C" NTSTATUS ObOpenObjectByName(
+	__in POBJECT_ATTRIBUTES ObjectAttributes,
+	__in_opt POBJECT_TYPE ObjectType,
+	__in KPROCESSOR_MODE AccessMode,
+	__inout_opt PACCESS_STATE AccessState,
+	__in_opt ACCESS_MASK DesiredAccess,
+	__inout_opt PVOID ParseContext,
+	__out PHANDLE Handle
+);
+
+extern "C" NTKERNELAPI UCHAR* PsGetProcessImageFileName(
+	_In_ PEPROCESS Process
+);
+
+extern "C" NTSTATUS ZwQueryDirectoryObject(
+	IN HANDLE DirectoryHandle,
+	OUT PVOID Buffer,
+	IN ULONG BufferLength,
+	IN BOOLEAN ReturnSingleEntry,
+	IN BOOLEAN RestartScan,
+	IN OUT PULONG Context,
+	OUT PULONG ReturnLength OPTIONAL
+);
+
+extern "C" NTSTATUS ZwQuerySystemInformation(
+	ULONG InfoClass, 
+	PVOID Buffer,
+	ULONG Length, 
+	PULONG ReturnLength
+);
+
+extern "C" ULONG RtlWalkFrameChain(
+	__out PVOID * Callers,
+	__in ULONG 	Count,
+	__in ULONG 	Flags
+);
+
+extern "C" NTKERNELAPI
+PVOID
+NTAPI
+RtlFindExportedRoutineByName(
+	_In_ PVOID ImageBase,
+	_In_ PCCH RoutineName
+);
+
+typedef struct _IMAGE_THUNK_DATA64 {
+	union {
+		ULONGLONG ForwarderString;  // PBYTE 
+		ULONGLONG Function;         // PDWORD
+		ULONGLONG Ordinal;
+		ULONGLONG AddressOfData;    // PIMAGE_IMPORT_BY_NAME
+	} u1;
+} IMAGE_THUNK_DATA64;
+typedef IMAGE_THUNK_DATA64* PIMAGE_THUNK_DATA64;
+
+typedef struct _DEVICE_MAP* PDEVICE_MAP;
+typedef PIMAGE_THUNK_DATA64             PIMAGE_THUNK_DATA;
+
+typedef struct _OBJECT_DIRECTORY_ENTRY
+{
+	_OBJECT_DIRECTORY_ENTRY* ChainLink;
+	PVOID Object;
+	ULONG HashValue;
+} OBJECT_DIRECTORY_ENTRY, * POBJECT_DIRECTORY_ENTRY;
+
+typedef struct _OBJECT_DIRECTORY
+{
+	POBJECT_DIRECTORY_ENTRY HashBuckets[37];
+	EX_PUSH_LOCK Lock;
+	PDEVICE_MAP DeviceMap;
+	ULONG SessionId;
+	PVOID NamespaceEntry;
+	ULONG Flags;
+} OBJECT_DIRECTORY, * POBJECT_DIRECTORY;
+
+typedef struct _IMAGE_IMPORT_DESCRIPTOR {
+	union {
+		DWORD   Characteristics;            // 0 for terminating null import descriptor
+		DWORD   OriginalFirstThunk;         // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
+	} DUMMYUNIONNAME;
+	DWORD   TimeDateStamp;                  // 0 if not bound,
+											// -1 if bound, and real date\time stamp
+											//     in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
+											// O.W. date/time stamp of DLL bound to (Old BIND)
+
+	DWORD   ForwarderChain;                 // -1 if no forwarders
+	DWORD   Name;
+	DWORD   FirstThunk;                     // RVA to IAT (if bound this IAT has actual addresses)
+} IMAGE_IMPORT_DESCRIPTOR;
+typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED* PIMAGE_IMPORT_DESCRIPTOR;
+
+typedef struct _SYSTEM_PROCESS_INFORMATION {
+	ULONG NextEntryOffset;
+	ULONG NumberOfThreads;
+	unsigned char Reserved1[48];
+	UNICODE_STRING ImageName;
+	KPRIORITY BasePriority;
+	HANDLE UniqueProcessId;
+	PVOID Reserved2;
+	ULONG HandleCount;
+	ULONG SessionId;
+	PVOID Reserved3;
+	SIZE_T PeakVirtualSize;
+	SIZE_T VirtualSize;
+	ULONG Reserved4;
+	SIZE_T PeakWorkingSetSize;
+	SIZE_T WorkingSetSize;
+	PVOID Reserved5;
+	SIZE_T QuotaPagedPoolUsage;
+	PVOID Reserved6;
+	SIZE_T QuotaNonPagedPoolUsage;
+	SIZE_T PagefileUsage;
+	SIZE_T PeakPagefileUsage;
+	SIZE_T PrivatePageCount;
+	LARGE_INTEGER Reserved7[6];
+} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
+
+typedef struct _IMAGE_DOS_HEADER {  // DOS .EXE header
+	USHORT e_magic;         // Magic number
+	USHORT e_cblp;          // Bytes on last page of file
+	USHORT e_cp;            // Pages in file
+	USHORT e_crlc;          // Relocations
+	USHORT e_cparhdr;       // Size of header in paragraphs
+	USHORT e_minalloc;      // Minimum extra paragraphs needed
+	USHORT e_maxalloc;      // Maximum extra paragraphs needed
+	USHORT e_ss;            // Initial (relative) SS value
+	USHORT e_sp;            // Initial SP value
+	USHORT e_csum;          // Checksum
+	USHORT e_ip;            // Initial IP value
+	USHORT e_cs;            // Initial (relative) CS value
+	USHORT e_lfarlc;        // File address of relocation table
+	USHORT e_ovno;          // Overlay number
+	USHORT e_res[4];        // Reserved words
+	USHORT e_oemid;         // OEM identifier (for e_oeminfo)
+	USHORT e_oeminfo;       // OEM information; e_oemid specific
+	USHORT e_res2[10];      // Reserved words
+	LONG   e_lfanew;        // File address of new exe header
+} IMAGE_DOS_HEADER, * PIMAGE_DOS_HEADER;
+
+typedef struct _IMAGE_FILE_HEADER {
+	short  Machine;
+	short  NumberOfSections;
+	unsigned TimeDateStamp;
+	unsigned PointerToSymbolTable;
+	unsigned NumberOfSymbols;
+	short  SizeOfOptionalHeader;
+	short  Characteristics;
+} IMAGE_FILE_HEADER, * PIMAGE_FILE_HEADER;
+
+typedef struct _RTL_PROCESS_MODULE_INFORMATION
+{
+	HANDLE Section;
+	PVOID MappedBase;
+	PVOID ImageBase;
+	ULONG ImageSize;
+	ULONG Flags;
+	USHORT LoadOrderIndex;
+	USHORT InitOrderIndex;
+	USHORT LoadCount;
+	USHORT OffsetToFileName;
+	UCHAR  FullPathName[256];
+} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
+
+typedef struct _IMAGE_IMPORT_BY_NAME {
+	WORD    Hint;
+	CHAR   Name[1];
+} IMAGE_IMPORT_BY_NAME, * PIMAGE_IMPORT_BY_NAME;
+
+typedef struct _RTL_PROCESS_MODULES
+{
+	ULONG NumberOfModules;
+	RTL_PROCESS_MODULE_INFORMATION Modules[1];
+} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
+
+
+typedef enum _SYSTEM_INFORMATION_CLASS
+{
+	SystemBasicInformation,
+	SystemProcessorInformation,
+	SystemPerformanceInformation,
+	SystemTimeOfDayInformation,
+	SystemPathInformation,
+	SystemProcessInformation,
+	SystemCallCountInformation,
+	SystemDeviceInformation,
+	SystemProcessorPerformanceInformation,
+	SystemFlagsInformation,
+	SystemCallTimeInformation,
+	SystemModuleInformation = 0x0B
+} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;
+
+
+typedef struct _IMAGE_DATA_DIRECTORY {
+	unsigned VirtualAddress;
+	unsigned Size;
+} IMAGE_DATA_DIRECTORY, * PIMAGE_DATA_DIRECTORY;
+
+typedef struct _IMAGE_OPTIONAL_HEADER64 {
+	short                 Magic;
+	unsigned char                 MajorLinkerVersion;
+	unsigned char                 MinorLinkerVersion;
+	unsigned                SizeOfCode;
+	unsigned                SizeOfInitializedData;
+	unsigned                SizeOfUninitializedData;
+	unsigned                AddressOfEntryPoint;
+	unsigned                BaseOfCode;
+	ULONGLONG            ImageBase;
+	unsigned                SectionAlignment;
+	unsigned                FileAlignment;
+	short                 MajorOperatingSystemVersion;
+	short                 MinorOperatingSystemVersion;
+	short                 MajorImageVersion;
+	short                 MinorImageVersion;
+	short                 MajorSubsystemVersion;
+	short                 MinorSubsystemVersion;
+	unsigned                Win32VersionValue;
+	unsigned                SizeOfImage;
+	unsigned                SizeOfHeaders;
+	unsigned                CheckSum;
+	short                 Subsystem;
+	short                 DllCharacteristics;
+	ULONGLONG            SizeOfStackReserve;
+	ULONGLONG            SizeOfStackCommit;
+	ULONGLONG            SizeOfHeapReserve;
+	ULONGLONG            SizeOfHeapCommit;
+	unsigned                 LoaderFlags;
+	unsigned                NumberOfRvaAndSizes;
+	IMAGE_DATA_DIRECTORY DataDirectory[16];
+} IMAGE_OPTIONAL_HEADER64, * PIMAGE_OPTIONAL_HEADER64;
+
+typedef struct _IMAGE_NT_HEADERS64 {
+	unsigned                   Signature;
+	IMAGE_FILE_HEADER       FileHeader;
+	IMAGE_OPTIONAL_HEADER64 OptionalHeader;
+} IMAGE_NT_HEADERS64, * PIMAGE_NT_HEADERS64;
+
+typedef struct _IMAGE_SECTION_HEADER {
+	unsigned char Name[8];
+	union {
+		unsigned PhysicalAddress;
+		unsigned VirtualSize;
+	} Misc;
+	unsigned VirtualAddress;
+	unsigned SizeOfRawData;
+	unsigned PointerToRawData;
+	unsigned PointerToRelocations;
+	unsigned PointerToLinenumbers;
+	short  NumberOfRelocations;
+	short  NumberOfLinenumbers;
+	unsigned Characteristics;
+} IMAGE_SECTION_HEADER, * PIMAGE_SECTION_HEADER;

GoodEye_Import_Address.LOG

@@ -0,0 +1,366 @@
+00000001	6:10:42 AM	[GoodEye]Installed ImageNotifyRoutine... 0xFFFFF8007ADF1260	
+00000002	6:10:50 AM	[GoodEye]> ============= Driver \Device\HarddiskVolume2\Program Files (x86)\Common Files\BattlEye\BEDaisy.sys ================	
+00000003	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: _stricmp is 0xFFFFF8007BF9E700	
+00000004	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: _strnicmp is 0xFFFFF8007BF9E7B0	
+00000005	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: wcsncmp is 0xFFFFF8007BFA0C00	
+00000006	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: _wcsnicmp is 0xFFFFF8007BF9EDF0	
+00000007	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: wcsncat is 0xFFFFF8007BFA0BB0	
+00000008	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: wcsstr is 0xFFFFF8007BFA0D50	
+00000009	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: _wcsicmp is 0xFFFFF8007BF9ECB0	
+00000010	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: _wcslwr is 0xFFFFF8007BF9ED10	
+00000011	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: RtlInitAnsiString is 0xFFFFF8007BED57A0	
+00000012	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: RtlInitUnicodeString is 0xFFFFF8007BEA6560	
+00000013	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: RtlAnsiStringToUnicodeString is 0xFFFFF8007C4DCB50	
+00000014	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: RtlUnicodeStringToAnsiString is 0xFFFFF8007C41FFC0	
+00000015	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: RtlFreeUnicodeString is 0xFFFFF8007C424760	
+00000016	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: RtlFreeAnsiString is 0xFFFFF8007C424760	
+00000017	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: RtlGetVersion is 0xFFFFF8007C4ACD40	
+00000018	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: KeInitializeEvent is 0xFFFFF8007BE98F10	
+00000019	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: KeSetEvent is 0xFFFFF8007BEB03C0	
+00000020	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: KeInitializeMutex is 0xFFFFF8007BE06450	
+00000021	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: KeReleaseMutex is 0xFFFFF8007BEB4690	
+00000022	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: KeWaitForSingleObject is 0xFFFFF8007BEA2A60	
+00000023	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ExAllocatePoolWithTag is 0xFFFFF8007C16F010	
+00000024	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ExAllocatePool is 0xFFFFF8007BF25F40	
+00000025	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ExFreePoolWithTag is 0xFFFFF8007C16F0A0	
+00000026	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ProbeForRead is 0xFFFFF8007C4922D0	
+00000027	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ProbeForWrite is 0xFFFFF8007C405C30	
+00000028	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsCreateSystemThread is 0xFFFFF8007C3B7E00	
+00000029	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsTerminateSystemThread is 0xFFFFF8007C48DDA0	
+00000030	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: IofCompleteRequest is 0xFFFFF8007BEAF560	
+00000031	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: IoCreateDevice is 0xFFFFF8007C474B50	
+00000032	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: IoCreateSymbolicLink is 0xFFFFF8007C51AD00	
+00000033	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: IoDeleteDevice is 0xFFFFF8007BEE0F20	
+00000034	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: IoDeleteSymbolicLink is 0xFFFFF8007C53A2E0	
+00000035	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: IoGetCurrentProcess is 0xFFFFF8007BE92220	
+00000036	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: IoGetTopLevelIrp is 0xFFFFF8007BE95540	
+00000037	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ObReferenceObjectByHandle is 0xFFFFF8007C40F8B0	
+00000038	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ObfReferenceObject is 0xFFFFF8007BEA1030	
+00000039	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ObfDereferenceObject is 0xFFFFF8007BEA0F60	
+00000040	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ObRegisterCallbacks is 0xFFFFF8007C580FF0	
+00000041	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ObUnRegisterCallbacks is 0xFFFFF8007C6A0F00	
+00000042	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ObGetFilterVersion is 0xFFFFF8007C6A0EF0	
+00000043	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwOpenFile is 0xFFFFF8007BFBEFB0	
+00000044	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwQueryInformationFile is 0xFFFFF8007BFBEB70	
+00000045	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwReadFile is 0xFFFFF8007BFBEA10	
+00000046	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwClose is 0xFFFFF8007BFBEB30	
+00000047	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: MmIsAddressValid is 0xFFFFF8007C0C57D0	
+00000048	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsSetCreateProcessNotifyRoutineEx is 0xFFFFF8007C5533D0	
+00000049	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsSetCreateThreadNotifyRoutine is 0xFFFFF8007C5533F0	
+00000050	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsRemoveCreateThreadNotifyRoutine is 0xFFFFF8007C6CCC70	
+00000051	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsSetLoadImageNotifyRoutine is 0xFFFFF8007C553410	
+00000052	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsRemoveLoadImageNotifyRoutine is 0xFFFFF8007C6CCD60	
+00000053	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsGetCurrentProcessId is 0xFFFFF8007BEE0F00	
+00000054	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsGetCurrentThreadId is 0xFFFFF8007BF06380	
+00000055	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsGetProcessId is 0xFFFFF8007BE927A0	
+00000056	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsGetThreadId is 0xFFFFF8007BF0BEC0	
+00000057	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsGetThreadProcessId is 0xFFFFF8007BF11A70	
+00000058	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwDeviceIoControlFile is 0xFFFFF8007BFBEA30	
+00000059	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: RtlRandomEx is 0xFFFFF8007BED44A0	
+00000060	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsLookupProcessByProcessId is 0xFFFFF8007C3F0630	
+00000061	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsLookupThreadByThreadId is 0xFFFFF8007C3F08C0	
+00000062	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsGetThreadProcess is 0xFFFFF8007BE1B010	
+00000063	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: IoQueryFileDosDeviceName is 0xFFFFF8007C4C7BE0	
+00000064	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ObOpenObjectByPointer is 0xFFFFF8007C3FF420	
+00000065	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ObQueryNameString is 0xFFFFF8007C4C7BC0	
+00000066	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwOpenDirectoryObject is 0xFFFFF8007BFBF450	
+00000067	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsGetProcessImageFileName is 0xFFFFF8007BF16680	
+00000068	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsGetProcessInheritedFromUniqueProcessId is 0xFFFFF8007BE19E30	
+00000069	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwQueryInformationThread is 0xFFFFF8007BFBEDF0	
+00000070	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwQuerySystemInformation is 0xFFFFF8007BFBF010	
+00000071	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsAcquireProcessExitSynchronization is 0xFFFFF8007C4D8DC0	
+00000072	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsReleaseProcessExitSynchronization is 0xFFFFF8007C49FF60	
+00000073	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ExfUnblockPushLock is 0xFFFFF8007BFBE570	
+00000074	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ExEnumHandleTable is 0xFFFFF8007C488ED0	
+00000075	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwQueryDirectoryObject is 0xFFFFF8007BFC10F0	
+00000076	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ObOpenObjectByName is 0xFFFFF8007C4133E0	
+00000077	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: CmUnRegisterCallback is 0xFFFFF8007C627D50	
+00000078	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: MmProbeAndLockPages is 0xFFFFF8007BEBCA90	
+00000079	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: MmUnlockPages is 0xFFFFF8007BEB3030	
+00000080	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: IoAllocateMdl is 0xFFFFF8007BE99330	
+00000081	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: IoFreeMdl is 0xFFFFF8007BEEFB20	
+00000082	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ObReferenceObjectByName is 0xFFFFF8007C3F44A0	
+00000083	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwOpenSection is 0xFFFFF8007BFBF030	
+00000084	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: KeStackAttachProcess is 0xFFFFF8007BE920E0	
+00000085	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: KeUnstackDetachProcess is 0xFFFFF8007BE9D3B0	
+00000086	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsGetProcessPeb is 0xFFFFF8007BF138F0	
+00000087	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsGetProcessWow64Process is 0xFFFFF8007BEF8FD0	
+00000088	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: RtlWalkFrameChain is 0xFFFFF8007BE09DC0	
+00000089	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: KeInitializeApc is 0xFFFFF8007BEC7A50	
+00000090	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: KeInsertQueueApc is 0xFFFFF8007BEC5F50	
+00000091	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwTerminateProcess is 0xFFFFF8007BFBEED0	
+00000092	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: MmUnmapViewOfSection is 0xFFFFF8007C3CE0D0	
+00000093	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsSuspendProcess is 0xFFFFF8007C6CD140	
+00000094	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsResumeProcess is 0xFFFFF8007C4A00D0	
+00000095	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwCreateSection is 0xFFFFF8007BFBF290	
+00000096	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwMapViewOfSection is 0xFFFFF8007BFBEE50	
+00000097	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwUnmapViewOfSection is 0xFFFFF8007BFBEE90	
+00000098	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: IoThreadToProcess is 0xFFFFF8007BE1B010	
+00000099	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwAllocateVirtualMemory is 0xFFFFF8007BFBEC50	
+00000100	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwFreeVirtualMemory is 0xFFFFF8007BFBED10	
+00000101	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsGetContextThread is 0xFFFFF8007C6CBF30	
+00000102	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: MmCopyVirtualMemory is 0xFFFFF8007C419850	
+00000103	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwOpenThread is 0xFFFFF8007BFC0E70	
+00000104	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: MmMapIoSpace is 0xFFFFF8007BF051E0	
+00000105	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: MmUnmapIoSpace is 0xFFFFF8007BF03BE0	
+00000106	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: MmGetPhysicalAddress is 0xFFFFF8007BF10580	
+00000107	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: KeDelayExecutionThread is 0xFFFFF8007BE9DE80	
+00000108	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: RtlCompareUnicodeString is 0xFFFFF8007C41FE90	
+00000109	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsGetProcessSessionId is 0xFFFFF8007BED04D0	
+00000110	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: MmCopyMemory is 0xFFFFF8007BF2A060	
+00000111	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ZwTraceControl is 0xFFFFF8007BFC20F0	
+00000112	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: RtlImageNtHeader is 0xFFFFF8007BE88E20	
+00000113	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: IoFileObjectType is 0xFFFFF8007C3743C8	
+00000114	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsProcessType is 0xFFFFF8007C374390	
+00000115	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsThreadType is 0xFFFFF8007C3743B8	
+00000116	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: PsInitialSystemProcess is 0xFFFFF8007C3743A0	
+00000117	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: IoDriverObjectType is 0xFFFFF8007C374518	
+00000118	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: NtBuildNumber is 0xFFFFF8007C196238	
+00000127	6:10:50 AM	[GoodEye]MmGetSystemRoutineAddress: ObGetObjectType is 0xFFFFF8007C3DE960	
+00000128	6:10:54 AM	[GoodEye]MmGetSystemRoutineAddress: MmIsAddressValid is 0xFFFFF8007C0C57D0	
+00000129	6:10:54 AM	[GoodEye]MmGetSystemRoutineAddress: ZwQuerySystemInformation is 0xFFFFF8007BFBF010	
+00000130	6:10:54 AM	[GoodEye]MmGetSystemRoutineAddress: NtQuerySystemInformation is 0xFFFFF8007C3FFDE0	
+00000131	6:10:54 AM	[GoodEye]MmGetSystemRoutineAddress: ZwClose is 0xFFFFF8007BFBEB30	
+00000132	6:10:54 AM	[GoodEye]MmGetSystemRoutineAddress: ZwClose is 0xFFFFF8007BFBEB30	
+00000133	6:10:54 AM	[GoodEye]MmGetSystemRoutineAddress: ZwClose is 0xFFFFF8007BFBEB30	
+00000134	6:10:54 AM	[GoodEye]MmGetSystemRoutineAddress: ZwClose is 0xFFFFF8007BFBEB30	
+
+//
+// file system imports
+//
+
+[GoodEye]FltGetRoutineAddress: FltRegisterFilter, 0xFFFFF8007FB5B590
+[GoodEye]FltGetRoutineAddress: FltUnregisterFilter, 0xFFFFF8007FB5D0E0
+[GoodEye]FltGetRoutineAddress: FltStartFiltering, 0xFFFFF8007FB5CE00
+[GoodEye]FltGetRoutineAddress: FltGetFileNameInformation, 0xFFFFF8007FB18190
+[GoodEye]FltGetRoutineAddress: FltReleaseFileNameInformation, 0xFFFFF8007FB4EC80
+[GoodEye]FltGetRoutineAddress: FltReadFile, 0xFFFFF8007FB28100
+[GoodEye]FltGetRoutineAddress: FltQueryInformationFile, 0xFFFFF8007FB4C3B0
+[GoodEye]FltGetRoutineAddress: FltGetRequestorProcess, 0xFFFFF8007FB1C0E0
+
+
+//
+// loaded drivers at the time of dump (windows 10 2004)
+//
+
+win32k.sys, 0xffff84384c090000, 560 kB, Full/Desktop Multi-User Win32 Driver
+win32kfull.sys, 0xffff84384c2c0000, 3.63 MB, Full/Desktop Win32k Kernel Driver
+win32kbase.sys, 0xffff84384ca50000, 2.65 MB, Base Win32k Kernel Driver
+cdd.dll, 0xffff84384cd00000, 288 kB, Canonical Display Driver
+peauth.sys, 0xfffff8007a600000, 856 kB, Protected Environment Authentication and Authorization Export Driver
+srv2.sys, 0xfffff8007a6e0000, 788 kB, Smb 2.0 Server driver
+tcpipreg.sys, 0xfffff8007a7b0000, 80 kB, TCP/IP Registry Compatibility Driver
+tdevmonc.sys, 0xfffff8007a7d0000, 56 kB, Tibbo Device Monitor core driver
+rassstp.sys, 0xfffff8007a7e0000, 116 kB, RAS SSTP Miniport Call Manager
+NDProxy.sys, 0xfffff8007a800000, 260 kB, NDIS Proxy
+AgileVpn.sys, 0xfffff8007a850000, 156 kB, RAS Agile Vpn Miniport Call Manager
+rasl2tp.sys, 0xfffff8007a880000, 136 kB, RAS L2TP mini-port/call-manager driver
+raspptp.sys, 0xfffff8007a8b0000, 128 kB, Peer-to-Peer Tunneling Protocol
+raspppoe.sys, 0xfffff8007a8e0000, 112 kB, RAS PPPoE mini-port/call-manager driver
+ndistapi.sys, 0xfffff8007a900000, 60 kB, NDIS 3.0 connection wrapper driver
+ndiswan.sys, 0xfffff8007a910000, 232 kB, MS PPP Framing Driver (Strong Encryption)
+condrv.sys, 0xfffff8007a950000, 76 kB, Console Driver
+p9rdr.sys, 0xfffff8007a970000, 104 kB, Plan 9 redirector
+bindflt.sys, 0xfffff8007a990000, 132 kB, Windows Bind Filter Driver
+asyncmac.sys, 0xfffff8007ab20000, 56 kB, MS Remote Access serial network driver
+ssudbus.sys, 0xfffff8007ab30000, 128 kB, SAMSUNG USB Composite Device Driver
+WinUsb.sys, 0xfffff8007ab60000, 128 kB, Windows WinUSB Class Driver
+WUDFRd.sys, 0xfffff8007ab90000, 320 kB, Windows Driver Foundation - User-mode Driver Framework Reflector
+WpdUpFltr.sys, 0xfffff8007abf0000, 56 kB, Windows Portable Device Upper Class Filter Driver
+VMMR0.r0, 0xfffff8007ac00000, 1.59 MB, VirtualBox VMM - ring-0 context parts
+VBoxDDR0.r0, 0xfffff8007ada0000, 200 kB, VirtualBox VMM Devices and Drivers, ring-0
+Dbgv.sys, 0xfffff8007ade0000, 36 kB, Windows Debug Monitor
+GoodEye.sys, 0xfffff8007adf0000, 28 kB, 
+HTTP.sys, 0xfffff8007af20000, 1.27 MB, HTTP Protocol Stack
+mpsdrv.sys, 0xfffff8007b070000, 104 kB, Microsoft Protection Service Driver
+vwifimp.sys, 0xfffff8007b090000, 76 kB, Virtual WiFi Miniport Driver
+IntelHaxm.sys, 0xfffff8007b0b0000, 188 kB, HAXM_Driver
+srvnet.sys, 0xfffff8007b0e0000, 332 kB, Server Network driver
+Ndu.sys, 0xfffff8007b140000, 156 kB, Windows Network Data Usage Monitoring Driver
+npf.sys, 0xfffff8007b170000, 48 kB, npf.sys (NT5/6 AMD64) Kernel Driver
+hal.dll, 0xfffff8007bd5c000, 656 kB, Hardware Abstraction Layer DLL
+ntoskrnl.exe, 0xfffff8007be00000, 10.71 MB, NT Kernel & System
+kprocesshacker.sys, 0xfffff8007e420000, 44 kB, KProcessHacker
+kd.dll, 0xfffff8007f600000, 44 kB, Local Kernel Debugger
+mcupdate_GenuineIntel.dll, 0xfffff8007f610000, 2.3 MB, Intel Microcode Update Library
+werkernel.sys, 0xfffff8007f860000, 68 kB, Windows Error Reporting Kernel Driver
+ksecdd.sys, 0xfffff8007f880000, 168 kB, Kernel Security Support Provider Interface
+msrpc.sys, 0xfffff8007f8b0000, 384 kB, Kernel Remote Procedure Call Provider
+tm.sys, 0xfffff8007f920000, 156 kB, Kernel Transaction Manager Driver
+CLFS.SYS, 0xfffff8007f950000, 416 kB, Common Log File System Driver
+PSHED.dll, 0xfffff8007f9c0000, 104 kB, Platform Specific Hardware Error Driver
+BOOTVID.dll, 0xfffff8007f9e0000, 44 kB, VGA Boot Driver
+cmimcext.sys, 0xfffff8007f9f0000, 56 kB, Kernel Configuration Manager Initial Configuration Extension Host Export Driver
+clipsp.sys, 0xfffff8007fa00000, 1.02 MB, CLIP Service
+FLTMGR.SYS, 0xfffff8007fb10000, 452 kB, Microsoft Filesystem Filter Manager
+ntosext.sys, 0xfffff8007fb90000, 48 kB, NTOS extension host driver
+CI.dll, 0xfffff8007fba0000, 884 kB, Code Integrity Module
+cng.sys, 0xfffff8007fc80000, 752 kB, Kernel Cryptography, Next Generation
+Wdf01000.sys, 0xfffff8007fd40000, 852 kB, Kernel Mode Driver Framework Runtime
+WDFLDR.SYS, 0xfffff8007fe20000, 76 kB, Kernel Mode Driver Framework Loader
+SleepStudyHelper.sys, 0xfffff8007fe40000, 60 kB, Sleep Study Helper
+WppRecorder.sys, 0xfffff8007fe50000, 64 kB, WPP Trace Recorder
+acpiex.sys, 0xfffff8007fe70000, 148 kB, ACPIEx Driver
+mssecflt.sys, 0xfffff8007fea0000, 264 kB, Microsoft Security Events Component file system filter driver
+SgrmAgent.sys, 0xfffff8007fef0000, 104 kB, System Guard Runtime Monitor Agent Driver
+lxss.sys, 0xfffff8007ff10000, 40 kB, LXSS
+LXCORE.SYS, 0xfffff8007ff20000, 1.09 MB, LX Core
+ACPI.sys, 0xfffff80080040000, 816 kB, ACPI Driver for NT
+WMILIB.SYS, 0xfffff80080110000, 48 kB, WMILIB WMI support library Dll
+msisadrv.sys, 0xfffff80080120000, 44 kB, ISA Driver
+pci.sys, 0xfffff80080130000, 444 kB, NT Plug and Play PCI Enumerator
+tpm.sys, 0xfffff800801a0000, 256 kB, TPM Device Driver
+WindowsTrustedRTProxy.sys, 0xfffff800801f0000, 44 kB, Windows Trusted Runtime Service Proxy Driver
+intelpep.sys, 0xfffff80080220000, 364 kB, Intel Power Engine Plugin
+WindowsTrustedRT.sys, 0xfffff80080280000, 92 kB, Windows Trusted Runtime Interface Driver
+pcw.sys, 0xfffff800802a0000, 84 kB, Performance Counters for Windows Driver
+vdrvroot.sys, 0xfffff800802c0000, 76 kB, Virtual Drive Root Enumerator
+pdc.sys, 0xfffff800802e0000, 204 kB, Power Dependency Coordinator Driver
+CEA.sys, 0xfffff80080320000, 100 kB, Event Aggregation Kernel Mode Library
+partmgr.sys, 0xfffff80080340000, 192 kB, Partition driver
+spaceport.sys, 0xfffff80080380000, 660 kB, Storage Spaces Driver
+volmgr.sys, 0xfffff80080430000, 104 kB, Volume Manager Driver
+volmgrx.sys, 0xfffff80080450000, 396 kB, Volume Manager Extension Driver
+mountmgr.sys, 0xfffff800804c0000, 124 kB, Mount Point Manager
+iaStorA.sys, 0xfffff800804e0000, 5.46 MB, Intel(R) Rapid Storage Technology driver - x64
+storport.sys, 0xfffff80080a60000, 648 kB, Microsoft Storage Port Driver
+EhStorClass.sys, 0xfffff80080b10000, 108 kB, Enhanced Storage Class driver for IEEE 1667 devices
+fileinfo.sys, 0xfffff80080b30000, 104 kB, FileInfo Filter Driver
+pmdrvs.sys, 0xfffff80080b50000, 40 kB, Lenovo Power Management Driver
+Fs_Rec.sys, 0xfffff80080b60000, 52 kB, File System Recognizer Driver
+Wof.sys, 0xfffff80080b80000, 244 kB, Windows Overlay Filter
+WdFilter.sys, 0xfffff80080bc0000, 336 kB, Microsoft antimalware file system filter driver
+Ntfs.sys, 0xfffff80080c20000, 2.61 MB, NT File System Driver
+ndis.sys, 0xfffff80080ec0000, 1.45 MB, Network Driver Interface Specification (NDIS)
+NETIO.SYS, 0xfffff80081040000, 592 kB, Network I/O Subsystem
+ksecpkg.sys, 0xfffff800810e0000, 200 kB, Kernel Security Support Provider Interface Packages
+tcpip.sys, 0xfffff80081120000, 2.91 MB, TCP/IP Driver
+fwpkclnt.sys, 0xfffff80081410000, 488 kB, FWP/IPsec Kernel-Mode API
+wfplwfs.sys, 0xfffff80081490000, 192 kB, WFP NDIS 6.30 Lightweight Filter Driver
+VmsProxy.sys, 0xfffff800814d0000, 64 kB, VMSWITCH Proxy Driver
+vmbkmclr.sys, 0xfffff800814f0000, 128 kB, Hyper-V VMBus Root KMCL
+VmsProxyHNic.sys, 0xfffff80081520000, 60 kB, VmSwitch NIC Proxy Driver
+fvevol.sys, 0xfffff80081530000, 804 kB, BitLocker Drive Encryption Driver
+volume.sys, 0xfffff80081600000, 44 kB, Volume driver
+volsnap.sys, 0xfffff80081610000, 436 kB, Volume Shadow Copy driver
+rdyboost.sys, 0xfffff80081680000, 312 kB, ReadyBoost Driver
+mup.sys, 0xfffff800816d0000, 148 kB, Multiple UNC Provider Driver
+iorate.sys, 0xfffff80081700000, 72 kB, I/O rate control Filter
+IntelPcc.sys, 0xfffff80081720000, 88 kB, Intel Collaborative Processor Performance Control (CPPC) Driver
+disk.sys, 0xfffff80081760000, 112 kB, PnP Disk Driver
+CLASSPNP.SYS, 0xfffff80081780000, 428 kB, SCSI Class System Dll
+VBoxDrv.sys, 0xfffff80c57020000, 1.07 MB, VirtualBox Support Driver
+npsvctrig.sys, 0xfffff80c57140000, 52 kB, Named pipe service triggers
+mssmbios.sys, 0xfffff80c57150000, 64 kB, System Management BIOS Driver
+HWiNFO64A.SYS, 0xfffff80c57170000, 40 kB, HWiNFO AMD64 Kernel Driver
+gpuenergydrv.sys, 0xfffff80c57180000, 40 kB, GPU Energy Kernel Driver
+dfsc.sys, 0xfffff80c57190000, 176 kB, DFS Namespace Client Driver
+umbus.sys, 0xfffff80c571c0000, 84 kB, User-Mode Bus Enumerator
+bam.sys, 0xfffff80c571e0000, 88 kB, BAM Kernel Driver
+ahcache.sys, 0xfffff80c57200000, 316 kB, Application Compatibility Cache
+tap0901.sys, 0xfffff80c57250000, 48 kB, TAP-Windows Virtual Network Driver (NDIS 6.0)
+VBoxNetAdp6.sys, 0xfffff80c57260000, 328 kB, VirtualBox NDIS 6.0 Host-Only Network Adapter Driver
+tapprotonvpn.sys, 0xfffff80c572c0000, 48 kB, TAP-Windows Virtual Network Driver (NDIS 6.0)
+Vid.sys, 0xfffff80c572d0000, 560 kB, Microsoft Hyper-V Virtualization Infrastructure Driver
+winhvr.sys, 0xfffff80c57360000, 124 kB, Windows Hypervisor Root Interface Driver
+CompositeBus.sys, 0xfffff80c57380000, 68 kB, Multi-Transport Composite Bus Enumerator
+kdnic.sys, 0xfffff80c573a0000, 52 kB, Microsoft Kernel Debugger Network Miniport
+crashdmp.sys, 0xfffff80c573e0000, 116 kB, Crash Dump Driver
+dump_iaStorA.sys, 0xfffff80c57a00000, 5.46 MB, 
+cdrom.sys, 0xfffff80c57fc0000, 192 kB, SCSI CD-ROM Driver
+filecrypt.sys, 0xfffff80c58000000, 84 kB, Windows sandboxing and encryption filter
+tbs.sys, 0xfffff80c58020000, 56 kB, Export driver for kernel mode TPM API
+Null.SYS, 0xfffff80c58030000, 40 kB, NULL Driver
+Beep.SYS, 0xfffff80c58040000, 40 kB, BEEP Driver
+dxgkrnl.sys, 0xfffff80c58050000, 3.44 MB, DirectX Graphics Kernel
+watchdog.sys, 0xfffff80c583d0000, 88 kB, Watchdog Driver
+BasicDisplay.sys, 0xfffff80c583f0000, 88 kB, Microsoft Basic Display Driver
+BasicRender.sys, 0xfffff80c58410000, 68 kB, Microsoft Basic Render Driver
+Npfs.SYS, 0xfffff80c58430000, 112 kB, NPFS Driver
+Msfs.SYS, 0xfffff80c58450000, 68 kB, Mailslot driver
+tdx.sys, 0xfffff80c58470000, 152 kB, TDI Translation Driver
+TDI.SYS, 0xfffff80c584a0000, 64 kB, TDI Wrapper
+netbt.sys, 0xfffff80c584c0000, 356 kB, MBT Transport driver
+afunix.sys, 0xfffff80c58520000, 76 kB, AF_UNIX socket provider
+afd.sys, 0xfffff80c58540000, 668 kB, Ancillary Function Driver for WinSock
+npcap.sys, 0xfffff80c585f0000, 76 kB, npcap.sys (NT6 AMD64) Kernel Filter Driver
+VBoxNetLwf.sys, 0xfffff80c58610000, 344 kB, VirtualBox NDIS 6.0 Lightweight Filter Driver
+vwififlt.sys, 0xfffff80c58670000, 104 kB, Virtual WiFi Filter Driver
+pacer.sys, 0xfffff80c58690000, 172 kB, QoS Packet Scheduler
+netbios.sys, 0xfffff80c586c0000, 80 kB, NetBIOS interface driver
+smi.sys, 0xfffff80c586e0000, 40 kB, SSO SMI Kernel Mode Driver
+rdbss.sys, 0xfffff80c586f0000, 492 kB, Redirected Drive Buffering SubSystem Driver
+nsiproxy.sys, 0xfffff80c58770000, 72 kB, NSI Proxy
+csc.sys, 0xfffff80c58d10000, 592 kB, Windows Client Side Caching Driver
+VBoxUSBMon.sys, 0xfffff80c58db0000, 220 kB, VirtualBox USB Monitor Driver
+Tppwr64v.sys, 0xfffff80c58df0000, 36 kB, Power Manager
+igdkmd64.sys, 0xfffff80c58e00000, 7.77 MB, Intel Graphics Kernel Mode Driver
+USBXHCI.SYS, 0xfffff80c595d0000, 548 kB, USB XHCI Driver
+TeeDriverW8x64.sys, 0xfffff80c59660000, 208 kB, Intel(R) Management Engine Interface
+e1d68x64.sys, 0xfffff80c596a0000, 596 kB, Intel(R) Gigabit Adapter NDIS 6.x driver
+usbehci.sys, 0xfffff80c59740000, 116 kB, EHCI eUSB Miniport Driver
+USBPORT.SYS, 0xfffff80c59760000, 488 kB, USB 1.1 & 2.0 Port Driver
+RtsPer.sys, 0xfffff80c597e0000, 880 kB, RTS PCIE READER Driver
+nwifi.sys, 0xfffff80c598c0000, 712 kB, NativeWiFi Miniport Driver
+CAD.sys, 0xfffff80c59a90000, 84 kB, Charge Arbiration Driver
+intelppm.sys, 0xfffff80c59ab0000, 248 kB, Processor Device Driver
+USBD.SYS, 0xfffff80c59c00000, 56 kB, Universal Serial Bus Driver
+HIDPARSE.SYS, 0xfffff80c59c10000, 76 kB, Hid Parsing Library
+kbdclass.sys, 0xfffff80c59c30000, 80 kB, Keyboard Class Driver
+mouclass.sys, 0xfffff80c59c50000, 76 kB, Mouse Class Driver
+CmBatt.sys, 0xfffff80c59c70000, 60 kB, Control Method Battery Driver
+BATTC.SYS, 0xfffff80c59c80000, 64 kB, Battery Class Driver
+ibmpmdrv.sys, 0xfffff80c59ca0000, 84 kB, Lenovo Power Management Driver
+Smb_driver_Intel.sys, 0xfffff80c59cc0000, 60 kB, Synaptics SMBus Driver
+wmiacpi.sys, 0xfffff80c59cd0000, 48 kB, Windows Management Interface for ACPI
+NdisVirtualBus.sys, 0xfffff80c59ce0000, 52 kB, Microsoft Virtual Network Adapter Enumerator
+swenum.sys, 0xfffff80c59cf0000, 48 kB, Plug and Play Software Device Enumerator
+rdpbus.sys, 0xfffff80c59d00000, 56 kB, Microsoft RDP Bus Device driver
+usbhub.sys, 0xfffff80c59d10000, 552 kB, Default Hub Driver for USB
+ksthunk.sys, 0xfffff80c59e20000, 60 kB, Kernel Streaming WOW Thunk Service
+UsbHub3.sys, 0xfffff80c59e30000, 640 kB, USB3 HUB Driver
+vmswitch.sys, 0xfffff80c59ee0000, 2.35 MB, Microsoft® Network Virtualization Service Provider
+Netwbw02.sys, 0xfffff80c5a170000, 3.55 MB, Intel® Wireless WiFi Link Driver
+vwifibus.sys, 0xfffff80c5a500000, 56 kB, Virtual Wireless Bus Driver
+i8042prt.sys, 0xfffff80c5a510000, 140 kB, i8042 Port Driver
+SynTP.sys, 0xfffff80c5a540000, 716 kB, Synaptics Touchpad Win64 Driver
+ks.sys, 0xfffff80c5b200000, 480 kB, Kernel CSA Library
+ucx01000.sys, 0xfffff80c5b280000, 260 kB, USB Controller Extension
+nvlddmkm.sys, 0xfffff80c5b2e0000, 20.21 MB, NVIDIA Windows Kernel Mode Driver, Version 425.91 
+HDAudBus.sys, 0xfffff80c5c720000, 136 kB, High Definition Audio Bus Driver
+portcls.sys, 0xfffff80c5c750000, 412 kB, Port Class (Class Driver for Port/Miniport Devices)
+drmk.sys, 0xfffff80c5c7c0000, 132 kB, Microsoft Trusted Audio Drivers
+BTHUSB.sys, 0xfffff80c5c800000, 124 kB, Bluetooth Miniport Driver
+bthport.sys, 0xfffff80c5c820000, 1.39 MB, Bluetooth Bus Driver
+hidusb.sys, 0xfffff80c5c990000, 72 kB, USB Miniport Driver for Input Devices
+HIDCLASS.SYS, 0xfffff80c5c9b0000, 236 kB, Hid Class Library
+mouhid.sys, 0xfffff80c5c9f0000, 64 kB, HID Mouse Filter Driver
+Microsoft.Bluetooth.Legacy.LEEnumerator.sys, 0xfffff80c5ca10000, 120 kB, Legacy Bluetooth LE Bus Enumerator
+rfcomm.sys, 0xfffff80c5ca30000, 232 kB, Bluetooth RFCOMM Driver
+BthEnum.sys, 0xfffff80c5ca70000, 136 kB, Bluetooth Bus Extender
+bthpan.sys, 0xfffff80c5caa0000, 152 kB, Bluetooth Personal Area Networking
+usbvideo.sys, 0xfffff80c5cae0000, 316 kB, USB Video Class Driver
+tsusbhub.sys, 0xfffff80c5cb30000, 156 kB, Remote Desktop USB Hub
+bowser.sys, 0xfffff80c5cb60000, 148 kB, NT Lan Manager Datagram Receiver Driver
+winquic.sys, 0xfffff80c5cb90000, 224 kB, Windows QUIC Driver
+mrxsmb.sys, 0xfffff80c5cbd0000, 572 kB, Windows NT SMB Minirdr
+mrxsmb20.sys, 0xfffff80c5cc80000, 276 kB, Longhorn SMB 2.0 Redirector
+lltdio.sys, 0xfffff80c5ccd0000, 96 kB, Link-Layer Topology Mapper I/O Driver
+mslldp.sys, 0xfffff80c5ccf0000, 100 kB, Microsoft Link-Layer Discovery Protocol Driver
+rspndr.sys, 0xfffff80c5cd10000, 108 kB, Link-Layer Topology Responder Driver for NDIS 6
+wanarp.sys, 0xfffff80c5cd30000, 116 kB, MS Remote Access and Routing ARP Driver
+ndisuio.sys, 0xfffff80c5cd50000, 96 kB, NDIS User mode I/O driver
+dump_diskdump.sys, 0xfffff80c5cdf0000, 56 kB, 
+dump_dumpfve.sys, 0xfffff80c5ce20000, 116 kB, 
+dxgmms2.sys, 0xfffff80c5ce40000, 872 kB, DirectX Graphics MMS
+monitor.sys, 0xfffff80c5cf20000, 96 kB, Monitor Driver
+rdpvideominiport.sys, 0xfffff80c5cf40000, 52 kB, Microsoft RDP Video Miniport driver
+wcifs.sys, 0xfffff80c5cf80000, 220 kB, Windows Container Isolation FS Filter Driver
+cldflt.sys, 0xfffff80c5cfc0000, 476 kB, Cloud Files Mini Filter Driver
+storqosflt.sys, 0xfffff80c5d040000, 104 kB, Storage QoS Filter
+mmcss.sys, 0xfffff80c5d060000, 80 kB, MMCSS Driver
+rdpdr.sys, 0xfffff80c5d080000, 188 kB, Microsoft RDP Device redirector
+RTKVHD64.sys, 0xfffff80c5d0b0000, 6.77 MB, Realtek(r) High Definition Audio Function Driver
+usbccgp.sys, 0xfffff80c5d780000, 204 kB, USB Common Class Generic Parent Driver
+ibtusb.sys, 0xfffff80c5d7c0000, 236 kB, Intel(R) Wireless Bluetooth(R) Filter Driver
+