diff --git a/BEDaisy.i64 b/BEDaisy.i64
new file mode 100644
index 0000000..5a3ace0
Binary files /dev/null and b/BEDaisy.i64 differ
diff --git a/BEDaisy.sys b/BEDaisy.sys
new file mode 100644
index 0000000..ef1a87a
Binary files /dev/null and b/BEDaisy.sys differ
diff --git a/BEDaisy/BEDaisy.filters b/BEDaisy/BEDaisy.filters
new file mode 100644
index 0000000..534be27
--- /dev/null
+++ b/BEDaisy/BEDaisy.filters
@@ -0,0 +1,41 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hpp;hxx;hm;inl;inc;xsd
+
+
+
+
+ Source Files
+
+
+ Source Files
+
+
+ Source Files
+
+
+ Source Files
+
+
+
+
+ Header Files
+
+
+ Header Files
+
+
+ Header Files
+
+
+ Header Files
+
+
+
\ No newline at end of file
diff --git a/BEDaisy/BEDaisy.vcxproj b/BEDaisy/BEDaisy.vcxproj
new file mode 100644
index 0000000..6ffa27f
--- /dev/null
+++ b/BEDaisy/BEDaisy.vcxproj
@@ -0,0 +1,282 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+ Debug
+ ARM
+
+
+ Release
+ ARM
+
+
+ Debug
+ ARM64
+
+
+ Release
+ ARM64
+
+
+
+ {1F1679F7-60D4-4170-8FE1-FA6B49D7D229}
+ {1bc93793-694f-48fe-9372-81e2b05556fd}
+ v4.5
+ 12.0
+ Debug
+ Win32
+ ioctl_meme
+ $(LatestTargetPlatformVersion)
+ BEDaisy
+
+
+
+ Windows10
+ true
+ WindowsKernelModeDriver10.0
+ Driver
+ KMDF
+ Universal
+ false
+
+
+ Windows10
+ false
+ WindowsKernelModeDriver10.0
+ Driver
+ KMDF
+ Universal
+ false
+
+
+ Windows10
+ true
+ WindowsKernelModeDriver10.0
+ Driver
+ KMDF
+ Universal
+ false
+
+
+ Windows10
+ false
+ WindowsKernelModeDriver10.0
+ Driver
+ KMDF
+ Universal
+ false
+ false
+
+
+ Windows10
+ true
+ WindowsKernelModeDriver10.0
+ Driver
+ KMDF
+ Universal
+ false
+
+
+ Windows10
+ false
+ WindowsKernelModeDriver10.0
+ Driver
+ KMDF
+ Universal
+ false
+
+
+ Windows10
+ true
+ WindowsKernelModeDriver10.0
+ Driver
+ KMDF
+ Universal
+
+
+ Windows10
+ false
+ WindowsKernelModeDriver10.0
+ Driver
+ KMDF
+ Universal
+
+
+
+
+
+
+
+
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+ false
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+
+ stdcpp17
+ false
+ false
+
+
+ DriverEntry
+
+
+ false
+
+
+
+
+ stdcpp17
+ false
+ false
+
+
+ DriverEntry
+
+
+ false
+
+
+
+
+ stdcpp17
+ false
+ false
+
+
+ DriverEntry
+
+
+ false
+
+
+
+
+ stdcpp17
+ false
+ false
+
+
+ DriverEntry
+
+
+ false
+
+
+
+
+ stdcpp17
+ false
+ false
+
+
+ DriverEntry
+
+
+ false
+
+
+
+
+ stdcpp17
+ false
+ false
+
+
+ DriverEntry
+
+
+ false
+
+
+
+
+ stdcpp17
+ false
+ false
+
+
+ DriverEntry
+
+
+ false
+ FltMgr.lib;%(AdditionalDependencies)
+
+
+ false
+ false
+ false
+
+
+
+
+ stdcpp17
+ false
+ false
+
+
+ DriverEntry
+
+
+ false
+ FltMgr.lib;%(AdditionalDependencies)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/BEDaisy/BEDaisy.vcxproj.filters b/BEDaisy/BEDaisy.vcxproj.filters
new file mode 100644
index 0000000..354b6e5
--- /dev/null
+++ b/BEDaisy/BEDaisy.vcxproj.filters
@@ -0,0 +1,39 @@
+
+
+
+
+ Source
+
+
+ Source
+
+
+ Source
+
+
+ Source
+
+
+
+
+ Headers
+
+
+ Headers
+
+
+ Headers
+
+
+ Headers
+
+
+
+
+ {b2f67e29-768d-4980-9e9e-c112e9c7635e}
+
+
+ {937d350f-e918-446d-9ee9-1a9d69013f1b}
+
+
+
\ No newline at end of file
diff --git a/BEDaisy/DriverEntry.cpp b/BEDaisy/DriverEntry.cpp
new file mode 100644
index 0000000..50cbdfc
--- /dev/null
+++ b/BEDaisy/DriverEntry.cpp
@@ -0,0 +1,40 @@
+#include "Types.h"
+#include "DriverUtil.h"
+#include "Hooks.h"
+
+using namespace DriverUtil;
+using namespace Hooks;
+
+void TdDeviceUnload(
+ DRIVER_OBJECT* DriverObject
+)
+{
+ PsRemoveLoadImageNotifyRoutine(&LoadImageNotifyRoutine);
+}
+
+NTSTATUS TdDeviceClose(
+ IN PDEVICE_OBJECT DeviceObject,
+ IN PIRP Irp
+)
+{
+ UNREFERENCED_PARAMETER(DeviceObject);
+
+ Irp->IoStatus.Status = STATUS_SUCCESS;
+ Irp->IoStatus.Information = 0;
+ IoCompleteRequest(Irp, IO_NO_INCREMENT);
+
+ return STATUS_SUCCESS;
+}
+
+NTSTATUS DriverEntry(
+ _In_ PDRIVER_OBJECT DriverObject,
+ _In_ PUNICODE_STRING RegistryPath
+)
+{
+ DriverObject->MajorFunction[IRP_MJ_CLOSE] = &TdDeviceClose;
+ DriverObject->DriverUnload = &TdDeviceUnload;
+
+ PsSetLoadImageNotifyRoutine(&LoadImageNotifyRoutine);
+ DBG_PRINT("Installed ImageNotifyRoutine... 0x%p", &LoadImageNotifyRoutine);
+ return STATUS_SUCCESS;
+}
\ No newline at end of file
diff --git a/BEDaisy/DriverUtil.cpp b/BEDaisy/DriverUtil.cpp
new file mode 100644
index 0000000..d315a8f
--- /dev/null
+++ b/BEDaisy/DriverUtil.cpp
@@ -0,0 +1,311 @@
+#include "DriverUtil.h"
+
+namespace DriverUtil
+{
+ // This function was created with help from wlan
+ //
+ // Links to his work:
+ // https://github.com/not-wlan/driver-hijack
+ // https://www.unknowncheats.me/forum/c-and-c-/274073-iterating-driver_objects.html
+ // https://www.unknowncheats.me/forum/anti-cheat-bypass/274881-memedriver-driver-object-hijack-poc.html
+
+ PDRIVER_OBJECT GetDriverObject(PUNICODE_STRING lpDriverName)
+ {
+ HANDLE handle{};
+ OBJECT_ATTRIBUTES attributes{};
+ UNICODE_STRING directory_name{};
+ PVOID directory{};
+ BOOLEAN success = FALSE;
+ FAST_IO_DISPATCH fastIoDispatch;
+ bool installedHook = false;
+ RtlZeroMemory(&fastIoDispatch, sizeof(FAST_IO_DISPATCH));
+ RtlInitUnicodeString(&directory_name, L"\\Driver");
+ InitializeObjectAttributes(
+ &attributes,
+ &directory_name,
+ OBJ_CASE_INSENSITIVE,
+ NULL,
+ NULL
+ );
+
+ // open OBJECT_DIRECTORY for \\Driver
+ auto status = ZwOpenDirectoryObject(
+ &handle,
+ DIRECTORY_ALL_ACCESS,
+ &attributes
+ );
+
+ if (!NT_SUCCESS(status))
+ {
+ DBG_PRINT("ZwOpenDirectoryObject Failed");
+ return NULL;
+ }
+
+ // Get OBJECT_DIRECTORY pointer from HANDLE
+ status = ObReferenceObjectByHandle(
+ handle,
+ DIRECTORY_ALL_ACCESS,
+ nullptr,
+ KernelMode,
+ &directory,
+ nullptr
+ );
+
+ if (!NT_SUCCESS(status))
+ {
+ DBG_PRINT("ObReferenceObjectByHandle Failed");
+ ZwClose(handle);
+ return NULL;
+ }
+
+ const auto directory_object = POBJECT_DIRECTORY(directory);
+ if (!directory_object)
+ return NULL;
+
+ ExAcquirePushLockExclusiveEx(&directory_object->Lock, 0);
+
+ // traverse hash table with 37 entries
+ // when a new object is created, the object manager computes a hash value in the range zero to 36 from the object name and creates an OBJECT_DIRECTORY_ENTRY.
+ // http://www.informit.com/articles/article.aspx?p=22443&seqNum=7
+ for (auto entry : directory_object->HashBuckets)
+ {
+ if (!entry)
+ continue;
+
+ while (entry && entry->Object)
+ {
+ auto driver = PDRIVER_OBJECT(entry->Object);
+ if (!driver)
+ continue;
+
+ if (wcscmp(driver->DriverExtension->ServiceKeyName.Buffer, lpDriverName->Buffer) == 0)
+ return driver;
+ }
+ }
+
+ ExReleasePushLockExclusiveEx(&directory_object->Lock, 0);
+ // Release the acquired resources back to the OS
+ ObDereferenceObject(directory);
+ ZwClose(handle);
+ //TODO remove
+ return NULL;
+ }
+
+ PVOID GetDriverBase(LPCSTR module_name)
+ {
+ ULONG bytes{};
+ NTSTATUS status = ZwQuerySystemInformation(
+ SystemModuleInformation,
+ NULL,
+ bytes,
+ &bytes
+ );
+ if (!bytes)
+ return NULL;
+ PRTL_PROCESS_MODULES modules =
+ (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, bytes, POOLTAG);
+
+ if (modules)
+ {
+ status = ZwQuerySystemInformation(
+ SystemModuleInformation,
+ modules,
+ bytes,
+ &bytes
+ );
+
+ if (!NT_SUCCESS(status))
+ {
+ ExFreePoolWithTag(modules, POOLTAG);
+ return NULL;
+ }
+
+ PRTL_PROCESS_MODULE_INFORMATION module = modules->Modules;
+ PVOID module_base{}, module_size{};
+ for (ULONG i = 0; i < modules->NumberOfModules; i++)
+ {
+ if (strcmp(reinterpret_cast(module[i].FullPathName + module[i].OffsetToFileName), module_name) == 0)
+ {
+ module_base = module[i].ImageBase;
+ module_size = (PVOID)module[i].ImageSize;
+ break;
+ }
+ }
+ ExFreePoolWithTag(modules, POOLTAG);
+ return module_base;
+ }
+ return NULL;
+ }
+
+ PVOID GetSystemModuleExport(LPCSTR ModName, LPCSTR RoutineName)
+ {
+ PVOID result = GetDriverBase(ModName);
+ if (!result)
+ return NULL;
+ return RtlFindExportedRoutineByName(result, RoutineName);
+ }
+
+ PVOID IATHook(PVOID lpBaseAddress, CHAR* lpcStrImport, PVOID lpFuncAddress)
+ {
+ if (!lpBaseAddress || !lpcStrImport || !lpFuncAddress)
+ return NULL;
+
+ PIMAGE_DOS_HEADER dosHeaders =
+ reinterpret_cast(lpBaseAddress);
+
+ PIMAGE_NT_HEADERS ntHeaders =
+ reinterpret_cast(
+ reinterpret_cast(lpBaseAddress) + dosHeaders->e_lfanew);
+
+ IMAGE_DATA_DIRECTORY importsDirectory =
+ ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
+
+ PIMAGE_IMPORT_DESCRIPTOR importDescriptor =
+ reinterpret_cast(importsDirectory.VirtualAddress + (DWORD_PTR)lpBaseAddress);
+
+ LPCSTR libraryName = NULL;
+ PVOID result = NULL;
+ PIMAGE_IMPORT_BY_NAME functionName = NULL;
+
+ if (!importDescriptor)
+ return NULL;
+
+ while (importDescriptor->Name != NULL)
+ {
+ libraryName = (LPCSTR)importDescriptor->Name + (DWORD_PTR)lpBaseAddress;
+ if (GetDriverBase(libraryName))
+ {
+ PIMAGE_THUNK_DATA originalFirstThunk = NULL, firstThunk = NULL;
+ originalFirstThunk = (PIMAGE_THUNK_DATA)((DWORD_PTR)lpBaseAddress + importDescriptor->OriginalFirstThunk);
+ firstThunk = (PIMAGE_THUNK_DATA)((DWORD_PTR)lpBaseAddress + importDescriptor->FirstThunk);
+ while (originalFirstThunk->u1.AddressOfData != NULL)
+ {
+ functionName = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)lpBaseAddress + originalFirstThunk->u1.AddressOfData);
+ if (strcmp(functionName->Name, lpcStrImport) == 0)
+ {
+ // save old function pointer
+ result = reinterpret_cast(firstThunk->u1.Function);
+ Memory::WriteProtectOff();
+ // swap address
+ firstThunk->u1.Function = reinterpret_cast(lpFuncAddress);
+ Memory::WriteProtectOn();
+ return result;
+ }
+ ++originalFirstThunk;
+ ++firstThunk;
+ }
+ }
+ importDescriptor++;
+ }
+ return NULL;
+ }
+
+ PVOID DriverIATHook(PDRIVER_OBJECT pDriverObject, CHAR* lpcStrImport, PVOID lpFuncAddress)
+ {
+ if (!pDriverObject || !lpcStrImport)
+ return NULL;
+ return IATHook(pDriverObject->DriverStart, lpcStrImport, lpFuncAddress);
+ }
+
+ VOID DumpDriver(PDRIVER_OBJECT lpDriverObject)
+ {
+ DumpDriver(lpDriverObject->DriverStart);
+ }
+
+ VOID DumpDriver(PVOID lpBaseAddress)
+ {
+ if (!lpBaseAddress || *(short*) lpBaseAddress != 0x5A4D)
+ return;
+
+ PIMAGE_DOS_HEADER dosHeaders =
+ reinterpret_cast(lpBaseAddress);
+
+ PIMAGE_NT_HEADERS ntHeaders =
+ reinterpret_cast(
+ reinterpret_cast(lpBaseAddress) + dosHeaders->e_lfanew);
+
+ HANDLE hFile;
+ UNICODE_STRING uniName;
+ OBJECT_ATTRIBUTES objAttr;
+ IO_STATUS_BLOCK ioStatusBlock;
+ LARGE_INTEGER offset{};
+
+ RtlInitUnicodeString(&uniName, L"\\DosDevices\\C:\\DriverDump.sys");
+ InitializeObjectAttributes(&objAttr, &uniName,
+ OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
+ NULL, NULL
+ );
+
+ ZwCreateFile(&hFile,
+ GENERIC_WRITE,
+ &objAttr,
+ &ioStatusBlock,
+ NULL,
+ FILE_ATTRIBUTE_NORMAL,
+ NULL,
+ FILE_OVERWRITE_IF,
+ FILE_SYNCHRONOUS_IO_NONALERT,
+ NULL,
+ NULL
+ );
+
+ ZwWriteFile(
+ hFile,
+ NULL,
+ NULL,
+ NULL,
+ &ioStatusBlock,
+ lpBaseAddress,
+ ntHeaders->OptionalHeader.SizeOfImage,
+ &offset,
+ NULL
+ );
+
+ ZwClose(hFile);
+ }
+
+ void MemDump(void* BaseAddress, unsigned Size)
+ {
+ if (!BaseAddress || !Size)
+ return;
+
+ HANDLE h_file;
+ UNICODE_STRING name;
+ OBJECT_ATTRIBUTES attr;
+ IO_STATUS_BLOCK status_block;
+ LARGE_INTEGER offset{ NULL };
+
+ RtlInitUnicodeString(&name, L"\\DosDevices\\C:\\dump.bin");
+ InitializeObjectAttributes(&attr, &name,
+ OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
+ NULL, NULL
+ );
+
+ auto status = ZwCreateFile(
+ &h_file,
+ GENERIC_WRITE,
+ &attr,
+ &status_block,
+ NULL,
+ FILE_ATTRIBUTE_NORMAL,
+ NULL,
+ FILE_OVERWRITE_IF,
+ FILE_SYNCHRONOUS_IO_NONALERT,
+ NULL,
+ NULL
+ );
+
+ status = ZwWriteFile(
+ h_file,
+ NULL,
+ NULL,
+ NULL,
+ &status_block,
+ BaseAddress,
+ Size,
+ &offset,
+ NULL
+ );
+ ZwClose(h_file);
+ }
+}
\ No newline at end of file
diff --git a/BEDaisy/DriverUtil.h b/BEDaisy/DriverUtil.h
new file mode 100644
index 0000000..3340b7a
--- /dev/null
+++ b/BEDaisy/DriverUtil.h
@@ -0,0 +1,17 @@
+#pragma once
+#include
+#include "Types.h"
+#include "Memory.h"
+
+namespace DriverUtil
+{
+ PDRIVER_OBJECT GetDriverObject(PUNICODE_STRING lpDriverName);
+ PVOID GetDriverBase(LPCSTR module_name);
+ PVOID IATHook(PVOID lpBaseAddress, CHAR* lpcStrImport, PVOID lpFuncAddress);
+ PVOID DriverIATHook(PDRIVER_OBJECT pDriverObject, CHAR* lpcStrImport, PVOID lpFuncAddress);
+
+ PVOID GetSystemModuleExport(LPCSTR ModName, LPCSTR RoutineName);
+ VOID DumpDriver(PVOID lpBaseAddress);
+ VOID DumpDriver(PDRIVER_OBJECT lpDriverObject);
+ void MemDump(void* BaseAddress, unsigned Size);
+}
\ No newline at end of file
diff --git a/BEDaisy/Hooks.cpp b/BEDaisy/Hooks.cpp
new file mode 100644
index 0000000..b18abbf
--- /dev/null
+++ b/BEDaisy/Hooks.cpp
@@ -0,0 +1,922 @@
+#include "Hooks.h"
+#include
+
+namespace Hooks
+{
+ BOOLEAN gh_ExEnumHandleTable(
+ PVOID HandleTable,
+ PVOID EnumHandleProcedure,
+ PVOID EnumParameter,
+ PHANDLE Handle OPTIONAL
+ )
+ {
+ DBG_PRINT("EnumHandleProcedure Called From: 0x%p, EnumHandleProcedure: 0x%p", _ReturnAddress(), EnumHandleProcedure);
+ return TRUE;
+ }
+
+ NTSTATUS gh_ZwAllocateVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PVOID* BaseAddress,
+ _In_ ULONG_PTR ZeroBits,
+ _Inout_ PSIZE_T RegionSize,
+ _In_ ULONG AllocationType,
+ _In_ ULONG Protect
+ )
+ {
+ DBG_PRINT("ZwAllocateVirtualMemory called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - ProcessHandle: 0x%p", ProcessHandle);
+ if(BaseAddress)
+ DBG_PRINT(" - BaseAddress (of allocation): 0x%p", *(ULONGLONG*)BaseAddress);
+ if(RegionSize)
+ DBG_PRINT(" - RegionSize: 0x%p", *(SIZE_T*)RegionSize);
+ DBG_PRINT(" - Protect: 0x%p", Protect);
+
+ return ZwAllocateVirtualMemory(
+ ProcessHandle,
+ BaseAddress,
+ ZeroBits,
+ RegionSize,
+ AllocationType,
+ Protect
+ );
+ }
+
+ NTSTATUS gh_PsSetLoadImageNotifyRoutine(
+ PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
+ )
+ {
+ DBG_PRINT("PsSetLoadImageNotifyRoutine called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - NotifyRoutine: 0x%p", NotifyRoutine);
+ return PsSetLoadImageNotifyRoutine(NotifyRoutine);
+ }
+
+ NTSTATUS gh_ObRegisterCallbacks(
+ POB_CALLBACK_REGISTRATION CallbackRegistration,
+ PVOID* RegistrationHandle
+ )
+ {
+ DBG_PRINT("ObRegisterCallbacks called from: 0x%p", _ReturnAddress());
+ return ObRegisterCallbacks(
+ CallbackRegistration,
+ RegistrationHandle
+ );
+ }
+
+ NTSTATUS gh_ZwQuerySystemInformation(
+ _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ _Inout_ PVOID SystemInformation,
+ _In_ ULONG SystemInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ )
+ {
+ DBG_PRINT("ZwQuerySystemInformation called");
+ DBG_PRINT(" - SystemInformationClass: 0x%p", SystemInformationClass);
+ DBG_PRINT(" - SystemInformation: 0x%p", SystemInformation);
+ DBG_PRINT(" - SystemInformationLength: 0x%p", SystemInformationLength);
+
+ auto result = ZwQuerySystemInformation(
+ SystemInformationClass,
+ SystemInformation,
+ SystemInformationLength,
+ ReturnLength
+ );
+
+ if (SystemInformationLength && SystemInformation && ReturnLength && *ReturnLength)
+ {
+ switch (SystemInformationClass)
+ {
+ case SystemProcessInformation:
+ {
+ auto process_info = reinterpret_cast(SystemInformation);
+ process_info->NextEntryOffset = NULL;
+ DBG_PRINT("Spoofed SystemProcessInformation.....");
+ break;
+ }
+ case SystemModuleInformation:
+ {
+ auto module_info = reinterpret_cast(SystemInformation);
+ module_info->NumberOfModules = 1;
+ DBG_PRINT("Spoofed SystemModuleInformation.....");
+ break;
+ }
+ default:
+ break;
+ }
+ }
+ return result;
+ }
+
+ NTSTATUS gh_PsSetCreateProcessNotifyRoutineEx(
+ PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine,
+ BOOLEAN Remove
+ )
+ {
+ DBG_PRINT("PsSetCreateProcessNotifyRoutineEx Called From 0x%p", _ReturnAddress());
+ DBG_PRINT(" - NotifyRoutine: 0x%p", NotifyRoutine);
+ DBG_PRINT(" - Remove: 0x%x", Remove);
+ return PsSetCreateProcessNotifyRoutineEx(NotifyRoutine, Remove);
+ }
+
+ NTSTATUS gh_IoCreateDevice(
+ PDRIVER_OBJECT DriverObject,
+ ULONG DeviceExtensionSize,
+ PUNICODE_STRING DeviceName,
+ DEVICE_TYPE DeviceType,
+ ULONG DeviceCharacteristics,
+ BOOLEAN Exclusive,
+ PDEVICE_OBJECT* DeviceObject
+ )
+ {
+ DBG_PRINT("================= BattlEye =================");
+ DBG_PRINT(" - BattlEye IRP_MJ_DEVICE_CONTROL: 0x%p", DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]);
+ DBG_PRINT(" - BattlEye IRP_MJ_READ: 0x%p", DriverObject->MajorFunction[IRP_MJ_READ]);
+ DBG_PRINT(" - BattlEye IRP_MJ_WRITE: 0x%p", DriverObject->MajorFunction[IRP_MJ_WRITE]);
+
+ return IoCreateDevice(
+ DriverObject,
+ DeviceExtensionSize,
+ DeviceName,
+ DeviceType,
+ DeviceCharacteristics,
+ Exclusive,
+ DeviceObject
+ );
+ }
+
+ NTSTATUS gh_PsSetCreateThreadNotifyRoutine(
+ PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
+ )
+ {
+ DBG_PRINT("PsSetCreateThreadNotifyRoutine Called From 0x%p", _ReturnAddress());
+ DBG_PRINT(" - NotifyRoutine: 0x%p", NotifyRoutine);
+ return PsSetCreateThreadNotifyRoutine(NotifyRoutine);
+ }
+
+ PHYSICAL_ADDRESS gh_MmGetPhysicalAddress(
+ PVOID BaseAddress
+ )
+ {
+ DBG_PRINT("MmGetPhysicalAddress called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - BaseAddress (Virtual Address): 0x%p", BaseAddress);
+ return MmGetPhysicalAddress(BaseAddress);
+ }
+
+ BOOLEAN gh_MmIsAddressValid(
+ PVOID VirtualAddress
+ )
+ {
+ DBG_PRINT("MmIsAddressValid Called From: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - NonPaged VirtualAddress: 0x%p", VirtualAddress);
+ return MmIsAddressValid(VirtualAddress);
+ }
+
+ NTSTATUS gh_ZwDeviceIoControlFile(
+ HANDLE FileHandle,
+ HANDLE Event,
+ PIO_APC_ROUTINE ApcRoutine,
+ PVOID ApcContext,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ ULONG IoControlCode,
+ PVOID InputBuffer,
+ ULONG InputBufferLength,
+ PVOID OutputBuffer,
+ ULONG OutputBufferLength
+ )
+ {
+ DBG_PRINT("ZwDeviceIoControlFile Called From 0x%p", _ReturnAddress());
+ DBG_PRINT(" - FileHandle: 0x%p", FileHandle);
+ DBG_PRINT(" - IoControlCode: 0x%p", IoControlCode);
+ DBG_PRINT(" - OutputBufferLength: 0x%p", OutputBufferLength);
+ DBG_PRINT(" - InoutBufferLength: 0x%p", InputBufferLength);
+ const auto result = ZwDeviceIoControlFile(
+ FileHandle,
+ Event,
+ ApcRoutine,
+ ApcContext,
+ IoStatusBlock,
+ IoControlCode,
+ InputBuffer,
+ InputBufferLength,
+ OutputBuffer,
+ OutputBufferLength
+ );
+ ULONG seed = 0x1000;
+ for (auto idx = 0u; idx < OutputBufferLength; ++idx)
+ *(unsigned char*)((unsigned char*)OutputBuffer + idx) = (unsigned char)RtlRandomEx(&seed);
+ return result;
+ }
+
+ VOID gh_RtlInitAnsiString(
+ PANSI_STRING DestinationString,
+ PCSZ SourceString
+ )
+ {
+ DBG_PRINT("RtlInitAnsiString Called From: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - SourceString: 0x%s", SourceString);
+ return RtlInitAnsiString(DestinationString, SourceString);
+ }
+
+ VOID gh_RtlInitUnicodeString(
+ PUNICODE_STRING DestinationString,
+ PCWSTR SourceString
+ )
+ {
+ DBG_PRINT("RtlInitUnicodeString Called From: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - SourceString: %ws", SourceString);
+ return RtlInitUnicodeString(DestinationString, SourceString);
+ }
+
+ PVOID gh_MmMapIoSpace(
+ PHYSICAL_ADDRESS PhysicalAddress,
+ SIZE_T NumberOfBytes,
+ MEMORY_CACHING_TYPE CacheType
+ )
+ {
+ DBG_PRINT("MmMapIoSpace called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - PhysicalAddress: 0x%p", PhysicalAddress);
+ DBG_PRINT(" - NumberOfBytes: 0x%p", NumberOfBytes);
+
+ return MmMapIoSpace(
+ PhysicalAddress,
+ NumberOfBytes,
+ CacheType
+ );
+ }
+
+ NTSTATUS gh_ZwOpenFile(
+ PHANDLE FileHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ ULONG ShareAccess,
+ ULONG OpenOptions
+ )
+ {
+ DBG_PRINT("ZwOpenFile called from: 0x%p", _ReturnAddress());
+ if (ObjectAttributes)
+ DBG_PRINT(" - ZwOpenFile(%ws)", ObjectAttributes->ObjectName->Buffer);
+
+ const auto result = ZwOpenFile(
+ FileHandle,
+ DesiredAccess,
+ ObjectAttributes,
+ IoStatusBlock,
+ ShareAccess,
+ OpenOptions
+ );
+ DBG_PRINT(" - ZwOpenFile handle result: 0x%p", *(HANDLE*)FileHandle);
+ return result;
+ }
+
+ void gh_KeStackAttachProcess(
+ PRKPROCESS PROCESS,
+ PRKAPC_STATE ApcState
+ )
+ {
+ DBG_PRINT("KeStackAttachProcess called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - Attaching to %s....", PsGetProcessImageFileName(PROCESS));
+ KeStackAttachProcess(PROCESS, ApcState);
+ }
+
+ NTSTATUS gh_ZwCreateSection(
+ PHANDLE SectionHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ PLARGE_INTEGER MaximumSize,
+ ULONG SectionPageProtection,
+ ULONG AllocationAttributes,
+ HANDLE FileHandle
+ )
+ {
+ DBG_PRINT("ZwCreateSection called from: 0x%p", _ReturnAddress());
+ const auto result = ZwCreateSection(
+ SectionHandle,
+ DesiredAccess,
+ ObjectAttributes,
+ MaximumSize,
+ SectionPageProtection,
+ AllocationAttributes,
+ FileHandle
+ );
+ DBG_PRINT(" - DesiredAccess: 0x%p", DesiredAccess);
+ DBG_PRINT(" - SectionPageProtection: 0x%p", SectionPageProtection);
+ DBG_PRINT(" - SectionHandle: 0x%p", *SectionHandle);
+ DBG_PRINT(" - FileHandle: 0x%p", FileHandle);
+ return result;
+ }
+
+ NTSTATUS gh_ObOpenObjectByName(
+ __in POBJECT_ATTRIBUTES ObjectAttributes,
+ __in_opt POBJECT_TYPE ObjectType,
+ __in KPROCESSOR_MODE AccessMode,
+ __inout_opt PACCESS_STATE AccessState,
+ __in_opt ACCESS_MASK DesiredAccess,
+ __inout_opt PVOID ParseContext,
+ __out PHANDLE Handle
+ )
+ {
+ DBG_PRINT("ObOpenObjectByName called from: 0x%p", _ReturnAddress());
+ const auto result = ObOpenObjectByName(
+ ObjectAttributes,
+ ObjectType,
+ AccessMode,
+ AccessState,
+ DesiredAccess,
+ ParseContext,
+ Handle
+ );
+ DBG_PRINT(" - ObjectName: %s", ObjectAttributes->ObjectName->Buffer);
+ return result;
+ }
+
+ NTSTATUS gh_ZwMapViewOfSection(
+ HANDLE SectionHandle,
+ HANDLE ProcessHandle,
+ PVOID* BaseAddress,
+ ULONG_PTR ZeroBits,
+ SIZE_T CommitSize,
+ PLARGE_INTEGER SectionOffset,
+ PSIZE_T ViewSize,
+ SECTION_INHERIT InheritDisposition,
+ ULONG AllocationType,
+ ULONG Win32Protect
+ )
+ {
+ const auto result = ZwMapViewOfSection(
+ SectionHandle,
+ ProcessHandle,
+ BaseAddress,
+ ZeroBits,
+ CommitSize,
+ SectionOffset,
+ ViewSize,
+ InheritDisposition,
+ AllocationType,
+ Win32Protect
+ );
+
+ DBG_PRINT("ZwMapViewOfSection called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - SectionHandle: 0x%p", SectionHandle);
+ DBG_PRINT(" - ProcessHandle: 0x%p", ProcessHandle);
+ DBG_PRINT(" - ViewSize: 0x%p", *ViewSize);
+ DBG_PRINT(" - Win32Protect: 0x%p", Win32Protect);
+ return result;
+ }
+
+ NTSTATUS gh_MmCopyVirtualMemory
+ (
+ PEPROCESS SourceProcess,
+ PVOID SourceAddress,
+ PEPROCESS TargetProcess,
+ PVOID TargetAddress,
+ SIZE_T BufferSize,
+ KPROCESSOR_MODE PreviousMode,
+ PSIZE_T ReturnSize
+ )
+ {
+ DBG_PRINT("MmCopyVirtualMemory called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - SourceProcess: %s", PsGetProcessImageFileName(SourceProcess));
+ DBG_PRINT(" - SourceAddress: 0x%p", SourceAddress);
+ DBG_PRINT(" - TargetProcess: %s", PsGetProcessImageFileName(TargetProcess));
+ DBG_PRINT(" - TargetAddress: 0x%p", TargetAddress);
+ DBG_PRINT(" - BufferSize: 0x%p", BufferSize);
+
+ const auto result = MmCopyVirtualMemory(
+ SourceProcess,
+ SourceAddress,
+ TargetProcess,
+ TargetAddress,
+ BufferSize,
+ PreviousMode,
+ ReturnSize
+ );
+ return result;
+ }
+
+ void gh_IofCompleteRequest(
+ PIRP Irp,
+ CCHAR PriorityBoost
+ )
+ {
+ auto StackLocation = IoGetCurrentIrpStackLocation(Irp);
+ DBG_PRINT("IofCompleteRequest called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - Request Called From: %s", PsGetProcessImageFileName(IoGetCurrentProcess()));
+ switch (StackLocation->MajorFunction)
+ {
+ case IRP_MJ_DEVICE_CONTROL:
+ DBG_PRINT(" - IRP_MJ_DEVICE_CONTROL!");
+ DBG_PRINT(" - IoControlCode: 0x%p", StackLocation->Parameters.DeviceIoControl.IoControlCode);
+ DBG_PRINT(" - InputBufferLength: 0x%p", StackLocation->Parameters.DeviceIoControl.InputBufferLength);
+ DBG_PRINT(" - OutputBufferLength: 0x%p", StackLocation->Parameters.DeviceIoControl.OutputBufferLength);
+ DBG_PRINT(" - UserBuffer: 0x%p", Irp->UserBuffer);
+ DBG_PRINT(" - MdlAddress: 0x%p", Irp->MdlAddress);
+ DBG_PRINT(" - SystemBuffer: 0x%p", Irp->AssociatedIrp.SystemBuffer);
+ break;
+ case IRP_MJ_READ:
+ DBG_PRINT(" - IRP_MJ_READ!");
+ DBG_PRINT(" - ReadSize: 0x%p", StackLocation->Parameters.Read.Length);
+ DBG_PRINT(" - UserBuffer: 0x%p", Irp->UserBuffer);
+ DBG_PRINT(" - MdlAddress: 0x%p", Irp->MdlAddress);
+ DBG_PRINT(" - SystemBuffer: 0x%p", Irp->AssociatedIrp.SystemBuffer);
+ break;
+ case IRP_MJ_WRITE:
+ DBG_PRINT(" - IRP_MJ_WRITE!");
+ DBG_PRINT(" - WriteSize: 0x%p", StackLocation->Parameters.Write.Length);
+ DBG_PRINT(" - UserBuffer: 0x%p", Irp->UserBuffer);
+ DBG_PRINT(" - MdlAddress: 0x%p", Irp->MdlAddress);
+ DBG_PRINT(" - SystemBuffer: 0x%p", Irp->AssociatedIrp.SystemBuffer);
+ break;
+ default:
+ DBG_PRINT("Unkown Major Function Type: 0x%p", StackLocation->MajorFunction);
+ break;
+ }
+ IofCompleteRequest(Irp, PriorityBoost);
+ }
+
+ int gh_stricmp(
+ const char* string1,
+ const char* string2
+ )
+ {
+ DBG_PRINT("_stricmp called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - string1: %s", string1);
+ DBG_PRINT(" - string2: %s", string2);
+ return reinterpret_cast(DriverUtil::GetSystemModuleExport("ntoskrnl.exe", "stricmp"))(string1, string2);
+ }
+
+ int gh_strnicmp(
+ const char* string1,
+ const char* string2,
+ size_t count
+ )
+ {
+ DBG_PRINT("_strnicmp called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - string1: %s", string1);
+ DBG_PRINT(" - string2: %s", string2);
+ DBG_PRINT(" - count: 0x%x", count);
+ return reinterpret_cast(DriverUtil::GetSystemModuleExport("ntoskrnl.exe", "strnicmp"))(string1, string2, count);
+ }
+
+ int gh_wcsncmp(const wchar_t* wcs1, const wchar_t* wcs2, size_t num)
+ {
+ DBG_PRINT("gh_wcsncmp called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - string1: %ws", wcs1);
+ DBG_PRINT(" - string2: %ws", wcs2);
+ DBG_PRINT(" - count: 0x%x", num);
+ return wcsncmp(wcs1, wcs2, num);
+ }
+
+ int gh_wcsnicmp(
+ const wchar_t* string1,
+ const wchar_t* string2,
+ size_t count
+ )
+ {
+ DBG_PRINT("gh_wcsnicmp called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - string1: %ws", string1);
+ DBG_PRINT(" - string2: %ws", string2);
+ DBG_PRINT(" - count: 0x%x", count);
+ return wcsncmp(string1, string2, count);
+ }
+
+ wchar_t* gh_wcsncat(wchar_t* dest, const wchar_t* src, size_t count)
+ {
+ DBG_PRINT("wcsncat called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - dest: %ws", dest);
+ DBG_PRINT(" - src: %ws", src);
+ DBG_PRINT(" - count: 0x%x", count);
+ auto result = wcsncat(dest, src, count);
+ DBG_PRINT(" - result: %ws", result);
+ return result;
+ }
+
+ void gh_KeInitializeEvent(
+ PRKEVENT Event,
+ EVENT_TYPE Type,
+ BOOLEAN State
+ )
+ {
+ DBG_PRINT("KeInitializeEvent called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - Event: 0x%p", Event);
+ DBG_PRINT(" - Type: 0x%x", Type);
+ DBG_PRINT(" - State: 0x%x", State);
+ KeInitializeEvent(Event, Type, State);
+ }
+
+ PVOID gh_ExAllocatePoolWithTag(
+ POOL_TYPE PoolType,
+ SIZE_T NumberOfBytes,
+ ULONG Tag
+ )
+ {
+ auto result = ExAllocatePoolWithTag(PoolType, NumberOfBytes, Tag);
+ DBG_PRINT("ExAllocatePoolWithTag called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - PoolType: 0x%x", PoolType);
+ DBG_PRINT(" - NumberOfBytes: 0x%x", NumberOfBytes);
+ DBG_PRINT(" - Tag: 0x%x", Tag);
+ DBG_PRINT(" - Allocate Pool at: 0x%p", result);
+ return result;
+ }
+
+ PVOID gh_ExAllocatePool(
+ POOL_TYPE PoolType,
+ SIZE_T NumberOfBytes
+ )
+ {
+ auto result = ExAllocatePool(PoolType, NumberOfBytes);
+ DBG_PRINT("ExAllocatePool called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - PoolType: 0x%x", PoolType);
+ DBG_PRINT(" - NumberOfBytes: 0x%x", NumberOfBytes);
+ DBG_PRINT(" - Allocate Pool at: 0x%p", result);
+ return result;
+ }
+
+ void gh_ExFreePoolWithTag(
+ PVOID P,
+ ULONG Tag
+ )
+ {
+ DBG_PRINT("ExFreePoolWithTag called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - Freeing pool at: 0x%p", P);
+ DBG_PRINT(" - Pool Tag: 0x%x", Tag);
+ return ExFreePoolWithTag(P, Tag);
+ }
+
+ void gh_ProbeForRead(
+ volatile VOID* Address,
+ SIZE_T Length,
+ ULONG Alignment
+ )
+ {
+ DBG_PRINT("ProbeForRead called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - Address: 0x%p", Address);
+ DBG_PRINT(" - Length: 0x%x", Length);
+ DBG_PRINT(" - Alignment: 0x%x", Alignment);
+
+ __try
+ {
+ ProbeForRead(Address, Length, Alignment);
+ }
+ __except (STATUS_ACCESS_VIOLATION | STATUS_DATATYPE_MISALIGNMENT) {}
+ }
+
+ void gh_ProbeForWrite(
+ volatile VOID* Address,
+ SIZE_T Length,
+ ULONG Alignment
+ )
+ {
+ DBG_PRINT("ProbeForWrite called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - Address: 0x%p", Address);
+ DBG_PRINT(" - Length: 0x%x", Length);
+ DBG_PRINT(" - Alignment: 0x%x", Alignment);
+
+ __try
+ {
+ ProbeForWrite(Address, Length, Alignment);
+ }
+ __except (STATUS_ACCESS_VIOLATION | STATUS_DATATYPE_MISALIGNMENT) {}
+ }
+
+ NTSTATUS gh_PsCreateSystemThread(
+ PHANDLE ThreadHandle,
+ ULONG DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ HANDLE ProcessHandle,
+ PCLIENT_ID ClientId,
+ PKSTART_ROUTINE StartRoutine,
+ PVOID StartContext
+ )
+ {
+ DBG_PRINT("PsCreateSystemThread called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - StartRoutine: 0x%p", StartRoutine);
+ DBG_PRINT(" - StartContext: 0x%p", StartContext);
+ DBG_PRINT(" - ProcessHandle: 0x%p", ProcessHandle);
+ DBG_PRINT(" - ClientId Pointer: 0x%p", ClientId);
+ if (ClientId)
+ {
+ DBG_PRINT(" - ClientId->ProcessId: 0x%x", ClientId->UniqueProcess);
+ DBG_PRINT(" - ClientId->ThreadId: 0x%x", ClientId->UniqueThread);
+ }
+ auto result = PsCreateSystemThread(
+ ThreadHandle,
+ DesiredAccess,
+ ObjectAttributes,
+ ProcessHandle,
+ ClientId,
+ StartRoutine,
+ StartContext
+ );
+ DBG_PRINT(" - Thread Handle: 0x%x", *ThreadHandle);
+ return result;
+ }
+
+ PMDL gh_IoAllocateMdl(
+ __drv_aliasesMem PVOID VirtualAddress,
+ ULONG Length,
+ BOOLEAN SecondaryBuffer,
+ BOOLEAN ChargeQuota,
+ PIRP Irp
+ )
+ {
+ DBG_PRINT("IoAllocateMdl called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - VirtualAddress: 0x%p", VirtualAddress);
+ DBG_PRINT(" - Length: 0x%x", Length);
+ DBG_PRINT(" - Irp: 0x%p", Irp);
+ return IoAllocateMdl(
+ VirtualAddress,
+ Length,
+ SecondaryBuffer,
+ ChargeQuota,
+ Irp
+ );
+ }
+
+ NTSTATUS gh_ObReferenceObjectByName(
+ __in PUNICODE_STRING ObjectName,
+ __in ULONG Attributes,
+ __in_opt PACCESS_STATE AccessState,
+ __in_opt ACCESS_MASK DesiredAccess,
+ __in POBJECT_TYPE ObjectType,
+ __in KPROCESSOR_MODE AccessMode,
+ __inout_opt PVOID ParseContext,
+ __out PVOID* Object
+ )
+ {
+ DBG_PRINT("ObReferenceObjectByName called from: 0x%p", _ReturnAddress());
+ if(ObjectName)
+ DBG_PRINT(" - ObjectName: %ws", ObjectName->Buffer);
+
+ return ObReferenceObjectByName(
+ ObjectName,
+ Attributes,
+ AccessState,
+ DesiredAccess,
+ ObjectType,
+ AccessMode,
+ ParseContext,
+ Object
+ );
+ }
+
+ NTSTATUS gh_MmCopyMemory(
+ PVOID TargetAddress,
+ MM_COPY_ADDRESS SourceAddress,
+ SIZE_T NumberOfBytes,
+ ULONG Flags,
+ PSIZE_T NumberOfBytesTransferred
+ )
+ {
+ DBG_PRINT("MmCopyMemory called from: 0x%p", _ReturnAddress());
+ DBG_PRINT(" - TargetAddress: 0x%p", TargetAddress);
+ DBG_PRINT(" - SourceAddress: 0x%p", SourceAddress);
+ DBG_PRINT(" - Size: 0x%x", NumberOfBytes);
+ DBG_PRINT(" - Flags: 0x%x", Flags);
+
+ return MmCopyMemory(
+ TargetAddress,
+ SourceAddress,
+ NumberOfBytes,
+ Flags,
+ NumberOfBytesTransferred
+ );
+ }
+
+ ULONG gh_RtlWalkFrameChain(
+ __out PVOID* Callers,
+ __in ULONG Count,
+ __in ULONG Flags
+ )
+ {
+ return NULL;
+ }
+
+ PVOID gh_MmGetSystemRoutineAddress(
+ PUNICODE_STRING SystemRoutineName
+ )
+ {
+ DBG_PRINT("MmGetSystemRoutineAddress: %ws", SystemRoutineName->Buffer);
+ if (wcsstr(SystemRoutineName->Buffer, L"ZwAllocateVirtualMemory"))
+ {
+ DBG_PRINT("Hooking ZwAllocateVirtualMemory");
+ return &gh_ZwAllocateVirtualMemory;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"RtlInitUnicodeString"))
+ {
+ DBG_PRINT("Hooking RtlInitUnicodeString...");
+ return &gh_RtlInitUnicodeString;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"RtlInitAnsiString"))
+ {
+ DBG_PRINT("Hooking RtlInitAnsiString...");
+ return &gh_RtlInitAnsiString;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"MmIsAddressValid"))
+ {
+ DBG_PRINT("Hooking MmIsAddressValid...");
+ return &gh_MmIsAddressValid;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"IoCreateDevice"))
+ {
+ DBG_PRINT("Hooking IoCreateDevice...");
+ return &gh_IoCreateDevice;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"PsSetCreateProcessNotifyRoutineEx"))
+ {
+ DBG_PRINT("Hooking PsSetCreateProcessNotifyRoutineEx...");
+ return &gh_PsSetCreateProcessNotifyRoutineEx;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"ObRegisterCallbacks"))
+ {
+ DBG_PRINT("Hooking ObRegisterCallbacks...");
+ return &gh_ObRegisterCallbacks;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"PsSetLoadImageNotifyRoutine"))
+ {
+ DBG_PRINT("Hooking PsSetLoadImageNotifyRoutine...");
+ return &gh_PsSetLoadImageNotifyRoutine;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"ExEnumHandleTable"))
+ {
+ //DBG_PRINT("Hooking ExEnumHandleTable...");
+ //return &gh_ExEnumHandleTable;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"MmGetPhysicalAddress"))
+ {
+ DBG_PRINT("Hooking MmGetPhysicalAddress...");
+ return &gh_MmGetPhysicalAddress;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"MmMapIoSpace"))
+ {
+ DBG_PRINT("Hooking MmMapIoSpace...");
+ return &gh_MmMapIoSpace;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"ZwOpenFile"))
+ {
+ DBG_PRINT("Hooking ZwOpenFile...");
+ return &gh_ZwOpenFile;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"DeviceIoControlFile")) // Nt or Zw
+ {
+ DBG_PRINT("Hooking %ws....", SystemRoutineName->Buffer);
+ return &gh_ZwDeviceIoControlFile;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"KeStackAttachProcess"))
+ {
+ DBG_PRINT("Hooking KeStackAttachProcess....");
+ return &gh_KeStackAttachProcess;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"ZwMapViewOfSection"))
+ {
+ DBG_PRINT("Hooking ZwMapViewOfSection....");
+ return &gh_ZwMapViewOfSection;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"ObOpenObjectByName"))
+ {
+ DBG_PRINT("Hooking ObOpenObjectByName....");
+ return &gh_ObOpenObjectByName;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"ZwCreateSection"))
+ {
+ DBG_PRINT("Hooking ZwCreateSection....");
+ return &gh_ZwCreateSection;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"MmCopyVirtualMemory"))
+ {
+ DBG_PRINT("Hooking MmCopyVirtualMemory....");
+ return &gh_MmCopyVirtualMemory;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"IofCompleteRequest"))
+ {
+ DBG_PRINT("Hooking IofCompleteRequest...");
+ return &gh_IofCompleteRequest;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"QuerySystemInformation"))
+ {
+ DBG_PRINT("Hooking QuerySystemInformation...");
+ return &gh_ZwQuerySystemInformation;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"stricmp"))
+ {
+ //DBG_PRINT("Hooking stricmp...");
+ //return &gh_stricmp;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"strnicmp"))
+ {
+ //DBG_PRINT("Hooking strnicmp...");
+ //return &gh_strnicmp;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"wcsncmp"))
+ {
+ DBG_PRINT("Hooking wcsncmp...");
+ return &gh_wcsncmp;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"wcsnicmp"))
+ {
+ DBG_PRINT("Hooking wcsnicmp...");
+ return &gh_wcsnicmp;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"wcsncat"))
+ {
+ DBG_PRINT("Hooking wcsncat...");
+ return &gh_wcsncat;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"KeInitializeEvent"))
+ {
+ DBG_PRINT("Hooking KeInitializeEvent...");
+ return &gh_KeInitializeEvent;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"ExAllocatePoolWithTag"))
+ {
+ DBG_PRINT("Hooking ExAllocatePoolWithTag...");
+ return &gh_ExAllocatePoolWithTag;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"ExAllocatePool"))
+ {
+ DBG_PRINT("Hooking ExAllocatePool...");
+ return &gh_ExAllocatePool;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"ExFreePoolWithTag"))
+ {
+ DBG_PRINT("Hooking ExFreePoolWithTag...");
+ return &gh_ExFreePoolWithTag;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"ProbeForWrite"))
+ {
+ DBG_PRINT("Hooking ProbeForWrite...");
+ return &gh_ProbeForWrite;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"ProbeForRead"))
+ {
+ DBG_PRINT("Hooking ProbeForRead...");
+ return &gh_ProbeForRead;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"PsCreateSystemThread"))
+ {
+ DBG_PRINT("Hooking PsCreateSystemThread...");
+ return &gh_PsCreateSystemThread;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"ObReferenceObjectByName"))
+ {
+ DBG_PRINT("Hooking ObReferenceObjectByName...");
+ return &gh_ObReferenceObjectByName;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"MmCopyMemory"))
+ {
+ DBG_PRINT("Hooking MmCopyMemory...");
+ return &gh_MmCopyMemory;
+ }
+ else if (wcsstr(SystemRoutineName->Buffer, L"RtlWalkFrameChain"))
+ {
+ DBG_PRINT("Hooking RtlWalkFrameChain...");
+ return &gh_RtlWalkFrameChain;
+ }
+ return MmGetSystemRoutineAddress(SystemRoutineName);
+ }
+
+ PVOID gh_FltGetRoutineAddress(
+ PCSTR FltMgrRoutineName
+ )
+ {
+ DBG_PRINT("FltGetRoutineAddress: %s", FltMgrRoutineName);
+ return FltGetRoutineAddress(FltMgrRoutineName);
+ }
+
+ VOID gh_KeBugCheckEx(
+ ULONG BugCheckCode,
+ ULONG_PTR BugCheckParameter1,
+ ULONG_PTR BugCheckParameter2,
+ ULONG_PTR BugCheckParameter3,
+ ULONG_PTR BugCheckParameter4
+ )
+ { DBG_PRINT("KeBugCheckEx Called!"); }
+
+ VOID LoadImageNotifyRoutine(
+ PUNICODE_STRING FullImageName,
+ HANDLE ProcessId,
+ PIMAGE_INFO ImageInfo
+ )
+ {
+ if (!ProcessId && FullImageName && wcsstr(FullImageName->Buffer, L"BEDaisy.sys"))
+ {
+ DBG_PRINT("> ============= Driver %ws ================", FullImageName->Buffer);
+ DriverUtil::IATHook(
+ ImageInfo->ImageBase,
+ "KeBugCheckEx",
+ &gh_KeBugCheckEx
+ );
+
+ DriverUtil::IATHook(
+ ImageInfo->ImageBase,
+ "MmGetSystemRoutineAddress",
+ &gh_MmGetSystemRoutineAddress
+ );
+
+ DriverUtil::IATHook(
+ ImageInfo->ImageBase,
+ "FltGetRoutineAddress",
+ &gh_FltGetRoutineAddress
+ );
+ }
+ }
+}
\ No newline at end of file
diff --git a/BEDaisy/Hooks.h b/BEDaisy/Hooks.h
new file mode 100644
index 0000000..6f91658
--- /dev/null
+++ b/BEDaisy/Hooks.h
@@ -0,0 +1,190 @@
+#pragma once
+#include "Types.h"
+#include "DriverUtil.h"
+
+namespace Hooks
+{
+ BOOLEAN gh_ExEnumHandleTable(
+ PVOID HandleTable,
+ PVOID EnumHandleProcedure,
+ PVOID EnumParameter,
+ PHANDLE Handle OPTIONAL
+ );
+
+ NTSTATUS gh_ZwAllocateVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PVOID* BaseAddress,
+ _In_ ULONG_PTR ZeroBits,
+ _Inout_ PSIZE_T RegionSize,
+ _In_ ULONG AllocationType,
+ _In_ ULONG Protect
+ );
+
+ NTSTATUS gh_PsSetLoadImageNotifyRoutine(
+ PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
+ );
+
+ NTSTATUS gh_ObRegisterCallbacks(
+ POB_CALLBACK_REGISTRATION CallbackRegistration,
+ PVOID* RegistrationHandle
+ );
+
+ NTSTATUS gh_ZwQuerySystemInformation(
+ _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ _Inout_ PVOID SystemInformation,
+ _In_ ULONG SystemInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+ NTSTATUS gh_PsSetCreateProcessNotifyRoutineEx(
+ PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine,
+ BOOLEAN Remove
+ );
+
+ NTSTATUS gh_IoCreateDevice(
+ PDRIVER_OBJECT DriverObject,
+ ULONG DeviceExtensionSize,
+ PUNICODE_STRING DeviceName,
+ DEVICE_TYPE DeviceType,
+ ULONG DeviceCharacteristics,
+ BOOLEAN Exclusive,
+ PDEVICE_OBJECT* DeviceObject
+ );
+
+ NTSTATUS gh_PsSetCreateThreadNotifyRoutine(
+ PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
+ );
+
+ PHYSICAL_ADDRESS gh_MmGetPhysicalAddress(
+ PVOID BaseAddress
+ );
+
+ BOOLEAN gh_MmIsAddressValid(
+ PVOID VirtualAddress
+ );
+
+ NTSTATUS gh_ZwDeviceIoControlFile(
+ HANDLE FileHandle,
+ HANDLE Event,
+ PIO_APC_ROUTINE ApcRoutine,
+ PVOID ApcContext,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ ULONG IoControlCode,
+ PVOID InputBuffer,
+ ULONG InputBufferLength,
+ PVOID OutputBuffer,
+ ULONG OutputBufferLength
+ );
+
+ VOID gh_RtlInitAnsiString(
+ PANSI_STRING DestinationString,
+ PCSZ SourceString
+ );
+
+ VOID gh_RtlInitUnicodeString(
+ PUNICODE_STRING DestinationString,
+ PCWSTR SourceString
+ );
+
+ PVOID gh_MmMapIoSpace(
+ PHYSICAL_ADDRESS PhysicalAddress,
+ SIZE_T NumberOfBytes,
+ MEMORY_CACHING_TYPE CacheType
+ );
+
+ NTSTATUS gh_ZwOpenFile(
+ PHANDLE FileHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ ULONG ShareAccess,
+ ULONG OpenOptions
+ );
+
+ void gh_KeStackAttachProcess(
+ PRKPROCESS PROCESS,
+ PRKAPC_STATE ApcState
+ );
+
+ NTSTATUS gh_ZwCreateSection(
+ PHANDLE SectionHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ PLARGE_INTEGER MaximumSize,
+ ULONG SectionPageProtection,
+ ULONG AllocationAttributes,
+ HANDLE FileHandle
+ );
+
+ NTSTATUS gh_ObOpenObjectByName(
+ __in POBJECT_ATTRIBUTES ObjectAttributes,
+ __in_opt POBJECT_TYPE ObjectType,
+ __in KPROCESSOR_MODE AccessMode,
+ __inout_opt PACCESS_STATE AccessState,
+ __in_opt ACCESS_MASK DesiredAccess,
+ __inout_opt PVOID ParseContext,
+ __out PHANDLE Handle
+ );
+
+ NTSTATUS gh_ZwMapViewOfSection(
+ HANDLE SectionHandle,
+ HANDLE ProcessHandle,
+ PVOID* BaseAddress,
+ ULONG_PTR ZeroBits,
+ SIZE_T CommitSize,
+ PLARGE_INTEGER SectionOffset,
+ PSIZE_T ViewSize,
+ SECTION_INHERIT InheritDisposition,
+ ULONG AllocationType,
+ ULONG Win32Protect
+ );
+
+ NTSTATUS gh_MmCopyVirtualMemory
+ (
+ PEPROCESS SourceProcess,
+ PVOID SourceAddress,
+ PEPROCESS TargetProcess,
+ PVOID TargetAddress,
+ SIZE_T BufferSize,
+ KPROCESSOR_MODE PreviousMode,
+ PSIZE_T ReturnSize
+ );
+
+ void gh_IofCompleteRequest(
+ PIRP Irp,
+ CCHAR PriorityBoost
+ );
+
+ PVOID gh_MmGetSystemRoutineAddress(
+ PUNICODE_STRING SystemRoutineName
+ );
+
+ PVOID gh_FltGetRoutineAddress(
+ PCSTR FltMgrRoutineName
+ );
+
+ VOID gh_KeBugCheckEx(
+ ULONG BugCheckCode,
+ ULONG_PTR BugCheckParameter1,
+ ULONG_PTR BugCheckParameter2,
+ ULONG_PTR BugCheckParameter3,
+ ULONG_PTR BugCheckParameter4
+ );
+
+ int gh_strnicmp(
+ const char* string1,
+ const char* string2,
+ size_t count
+ );
+
+ int gh_stricmp(
+ const char* string1,
+ const char* string2
+ );
+
+ VOID LoadImageNotifyRoutine(
+ PUNICODE_STRING FullImageName,
+ HANDLE ProcessId,
+ PIMAGE_INFO ImageInfo
+ );
+}
\ No newline at end of file
diff --git a/BEDaisy/Memory.cpp b/BEDaisy/Memory.cpp
new file mode 100644
index 0000000..b77947b
--- /dev/null
+++ b/BEDaisy/Memory.cpp
@@ -0,0 +1,20 @@
+#include "Memory.h"
+
+namespace Memory
+{
+ void WriteProtectOff()
+ {
+ auto cr0 = __readcr0();
+ cr0 &= 0xfffffffffffeffff;
+ __writecr0(cr0);
+ _disable();
+ }
+
+ void WriteProtectOn()
+ {
+ auto cr0 = __readcr0();
+ cr0 |= 0x10000;
+ _enable();
+ __writecr0(cr0);
+ }
+}
\ No newline at end of file
diff --git a/BEDaisy/Memory.h b/BEDaisy/Memory.h
new file mode 100644
index 0000000..28b75f7
--- /dev/null
+++ b/BEDaisy/Memory.h
@@ -0,0 +1,8 @@
+#pragma once
+#include
+
+namespace Memory
+{
+ void WriteProtectOff();
+ void WriteProtectOn();
+}
\ No newline at end of file
diff --git a/BEDaisy/Types.h b/BEDaisy/Types.h
new file mode 100644
index 0000000..06777ea
--- /dev/null
+++ b/BEDaisy/Types.h
@@ -0,0 +1,295 @@
+#pragma once
+#include
+#include
+
+#define MAX_PATH 260
+#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
+#define POOLTAG 'MEME'
+
+#if true
+#define DBG_PRINT(...) DbgPrintEx( DPFLTR_SYSTEM_ID, DPFLTR_ERROR_LEVEL, "[GoodEye]" __VA_ARGS__);
+#else
+#define DBG_PRINT(...)
+#endif
+
+#ifndef DWORD
+#define DWORD unsigned
+#endif
+
+#ifndef WORD
+#define WORD unsigned short
+#endif
+
+extern "C" NTSTATUS ObReferenceObjectByName(
+ __in PUNICODE_STRING ObjectName,
+ __in ULONG Attributes,
+ __in_opt PACCESS_STATE AccessState,
+ __in_opt ACCESS_MASK DesiredAccess,
+ __in POBJECT_TYPE ObjectType,
+ __in KPROCESSOR_MODE AccessMode,
+ __inout_opt PVOID ParseContext,
+ __out PVOID* Object
+);
+
+extern "C" NTSTATUS NTAPI MmCopyVirtualMemory
+(
+ PEPROCESS SourceProcess,
+ PVOID SourceAddress,
+ PEPROCESS TargetProcess,
+ PVOID TargetAddress,
+ SIZE_T BufferSize,
+ KPROCESSOR_MODE PreviousMode,
+ PSIZE_T ReturnSize
+);
+
+extern "C" NTSTATUS ObOpenObjectByName(
+ __in POBJECT_ATTRIBUTES ObjectAttributes,
+ __in_opt POBJECT_TYPE ObjectType,
+ __in KPROCESSOR_MODE AccessMode,
+ __inout_opt PACCESS_STATE AccessState,
+ __in_opt ACCESS_MASK DesiredAccess,
+ __inout_opt PVOID ParseContext,
+ __out PHANDLE Handle
+);
+
+extern "C" NTKERNELAPI UCHAR* PsGetProcessImageFileName(
+ _In_ PEPROCESS Process
+);
+
+extern "C" NTSTATUS ZwQueryDirectoryObject(
+ IN HANDLE DirectoryHandle,
+ OUT PVOID Buffer,
+ IN ULONG BufferLength,
+ IN BOOLEAN ReturnSingleEntry,
+ IN BOOLEAN RestartScan,
+ IN OUT PULONG Context,
+ OUT PULONG ReturnLength OPTIONAL
+);
+
+extern "C" NTSTATUS ZwQuerySystemInformation(
+ ULONG InfoClass,
+ PVOID Buffer,
+ ULONG Length,
+ PULONG ReturnLength
+);
+
+extern "C" ULONG RtlWalkFrameChain(
+ __out PVOID * Callers,
+ __in ULONG Count,
+ __in ULONG Flags
+);
+
+extern "C" NTKERNELAPI
+PVOID
+NTAPI
+RtlFindExportedRoutineByName(
+ _In_ PVOID ImageBase,
+ _In_ PCCH RoutineName
+);
+
+typedef struct _IMAGE_THUNK_DATA64 {
+ union {
+ ULONGLONG ForwarderString; // PBYTE
+ ULONGLONG Function; // PDWORD
+ ULONGLONG Ordinal;
+ ULONGLONG AddressOfData; // PIMAGE_IMPORT_BY_NAME
+ } u1;
+} IMAGE_THUNK_DATA64;
+typedef IMAGE_THUNK_DATA64* PIMAGE_THUNK_DATA64;
+
+typedef struct _DEVICE_MAP* PDEVICE_MAP;
+typedef PIMAGE_THUNK_DATA64 PIMAGE_THUNK_DATA;
+
+typedef struct _OBJECT_DIRECTORY_ENTRY
+{
+ _OBJECT_DIRECTORY_ENTRY* ChainLink;
+ PVOID Object;
+ ULONG HashValue;
+} OBJECT_DIRECTORY_ENTRY, * POBJECT_DIRECTORY_ENTRY;
+
+typedef struct _OBJECT_DIRECTORY
+{
+ POBJECT_DIRECTORY_ENTRY HashBuckets[37];
+ EX_PUSH_LOCK Lock;
+ PDEVICE_MAP DeviceMap;
+ ULONG SessionId;
+ PVOID NamespaceEntry;
+ ULONG Flags;
+} OBJECT_DIRECTORY, * POBJECT_DIRECTORY;
+
+typedef struct _IMAGE_IMPORT_DESCRIPTOR {
+ union {
+ DWORD Characteristics; // 0 for terminating null import descriptor
+ DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
+ } DUMMYUNIONNAME;
+ DWORD TimeDateStamp; // 0 if not bound,
+ // -1 if bound, and real date\time stamp
+ // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
+ // O.W. date/time stamp of DLL bound to (Old BIND)
+
+ DWORD ForwarderChain; // -1 if no forwarders
+ DWORD Name;
+ DWORD FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
+} IMAGE_IMPORT_DESCRIPTOR;
+typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED* PIMAGE_IMPORT_DESCRIPTOR;
+
+typedef struct _SYSTEM_PROCESS_INFORMATION {
+ ULONG NextEntryOffset;
+ ULONG NumberOfThreads;
+ unsigned char Reserved1[48];
+ UNICODE_STRING ImageName;
+ KPRIORITY BasePriority;
+ HANDLE UniqueProcessId;
+ PVOID Reserved2;
+ ULONG HandleCount;
+ ULONG SessionId;
+ PVOID Reserved3;
+ SIZE_T PeakVirtualSize;
+ SIZE_T VirtualSize;
+ ULONG Reserved4;
+ SIZE_T PeakWorkingSetSize;
+ SIZE_T WorkingSetSize;
+ PVOID Reserved5;
+ SIZE_T QuotaPagedPoolUsage;
+ PVOID Reserved6;
+ SIZE_T QuotaNonPagedPoolUsage;
+ SIZE_T PagefileUsage;
+ SIZE_T PeakPagefileUsage;
+ SIZE_T PrivatePageCount;
+ LARGE_INTEGER Reserved7[6];
+} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
+
+typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
+ USHORT e_magic; // Magic number
+ USHORT e_cblp; // Bytes on last page of file
+ USHORT e_cp; // Pages in file
+ USHORT e_crlc; // Relocations
+ USHORT e_cparhdr; // Size of header in paragraphs
+ USHORT e_minalloc; // Minimum extra paragraphs needed
+ USHORT e_maxalloc; // Maximum extra paragraphs needed
+ USHORT e_ss; // Initial (relative) SS value
+ USHORT e_sp; // Initial SP value
+ USHORT e_csum; // Checksum
+ USHORT e_ip; // Initial IP value
+ USHORT e_cs; // Initial (relative) CS value
+ USHORT e_lfarlc; // File address of relocation table
+ USHORT e_ovno; // Overlay number
+ USHORT e_res[4]; // Reserved words
+ USHORT e_oemid; // OEM identifier (for e_oeminfo)
+ USHORT e_oeminfo; // OEM information; e_oemid specific
+ USHORT e_res2[10]; // Reserved words
+ LONG e_lfanew; // File address of new exe header
+} IMAGE_DOS_HEADER, * PIMAGE_DOS_HEADER;
+
+typedef struct _IMAGE_FILE_HEADER {
+ short Machine;
+ short NumberOfSections;
+ unsigned TimeDateStamp;
+ unsigned PointerToSymbolTable;
+ unsigned NumberOfSymbols;
+ short SizeOfOptionalHeader;
+ short Characteristics;
+} IMAGE_FILE_HEADER, * PIMAGE_FILE_HEADER;
+
+typedef struct _RTL_PROCESS_MODULE_INFORMATION
+{
+ HANDLE Section;
+ PVOID MappedBase;
+ PVOID ImageBase;
+ ULONG ImageSize;
+ ULONG Flags;
+ USHORT LoadOrderIndex;
+ USHORT InitOrderIndex;
+ USHORT LoadCount;
+ USHORT OffsetToFileName;
+ UCHAR FullPathName[256];
+} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
+
+typedef struct _IMAGE_IMPORT_BY_NAME {
+ WORD Hint;
+ CHAR Name[1];
+} IMAGE_IMPORT_BY_NAME, * PIMAGE_IMPORT_BY_NAME;
+
+typedef struct _RTL_PROCESS_MODULES
+{
+ ULONG NumberOfModules;
+ RTL_PROCESS_MODULE_INFORMATION Modules[1];
+} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
+
+
+typedef enum _SYSTEM_INFORMATION_CLASS
+{
+ SystemBasicInformation,
+ SystemProcessorInformation,
+ SystemPerformanceInformation,
+ SystemTimeOfDayInformation,
+ SystemPathInformation,
+ SystemProcessInformation,
+ SystemCallCountInformation,
+ SystemDeviceInformation,
+ SystemProcessorPerformanceInformation,
+ SystemFlagsInformation,
+ SystemCallTimeInformation,
+ SystemModuleInformation = 0x0B
+} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;
+
+
+typedef struct _IMAGE_DATA_DIRECTORY {
+ unsigned VirtualAddress;
+ unsigned Size;
+} IMAGE_DATA_DIRECTORY, * PIMAGE_DATA_DIRECTORY;
+
+typedef struct _IMAGE_OPTIONAL_HEADER64 {
+ short Magic;
+ unsigned char MajorLinkerVersion;
+ unsigned char MinorLinkerVersion;
+ unsigned SizeOfCode;
+ unsigned SizeOfInitializedData;
+ unsigned SizeOfUninitializedData;
+ unsigned AddressOfEntryPoint;
+ unsigned BaseOfCode;
+ ULONGLONG ImageBase;
+ unsigned SectionAlignment;
+ unsigned FileAlignment;
+ short MajorOperatingSystemVersion;
+ short MinorOperatingSystemVersion;
+ short MajorImageVersion;
+ short MinorImageVersion;
+ short MajorSubsystemVersion;
+ short MinorSubsystemVersion;
+ unsigned Win32VersionValue;
+ unsigned SizeOfImage;
+ unsigned SizeOfHeaders;
+ unsigned CheckSum;
+ short Subsystem;
+ short DllCharacteristics;
+ ULONGLONG SizeOfStackReserve;
+ ULONGLONG SizeOfStackCommit;
+ ULONGLONG SizeOfHeapReserve;
+ ULONGLONG SizeOfHeapCommit;
+ unsigned LoaderFlags;
+ unsigned NumberOfRvaAndSizes;
+ IMAGE_DATA_DIRECTORY DataDirectory[16];
+} IMAGE_OPTIONAL_HEADER64, * PIMAGE_OPTIONAL_HEADER64;
+
+typedef struct _IMAGE_NT_HEADERS64 {
+ unsigned Signature;
+ IMAGE_FILE_HEADER FileHeader;
+ IMAGE_OPTIONAL_HEADER64 OptionalHeader;
+} IMAGE_NT_HEADERS64, * PIMAGE_NT_HEADERS64;
+
+typedef struct _IMAGE_SECTION_HEADER {
+ unsigned char Name[8];
+ union {
+ unsigned PhysicalAddress;
+ unsigned VirtualSize;
+ } Misc;
+ unsigned VirtualAddress;
+ unsigned SizeOfRawData;
+ unsigned PointerToRawData;
+ unsigned PointerToRelocations;
+ unsigned PointerToLinenumbers;
+ short NumberOfRelocations;
+ short NumberOfLinenumbers;
+ unsigned Characteristics;
+} IMAGE_SECTION_HEADER, * PIMAGE_SECTION_HEADER;
diff --git a/GoodEye_Import_Address.LOG b/GoodEye_Import_Address.LOG
new file mode 100644
index 0000000..d1ffb7d
--- /dev/null
+++ b/GoodEye_Import_Address.LOG
@@ -0,0 +1,366 @@
+00000001 6:10:42 AM [GoodEye]Installed ImageNotifyRoutine... 0xFFFFF8007ADF1260
+00000002 6:10:50 AM [GoodEye]> ============= Driver \Device\HarddiskVolume2\Program Files (x86)\Common Files\BattlEye\BEDaisy.sys ================
+00000003 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: _stricmp is 0xFFFFF8007BF9E700
+00000004 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: _strnicmp is 0xFFFFF8007BF9E7B0
+00000005 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: wcsncmp is 0xFFFFF8007BFA0C00
+00000006 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: _wcsnicmp is 0xFFFFF8007BF9EDF0
+00000007 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: wcsncat is 0xFFFFF8007BFA0BB0
+00000008 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: wcsstr is 0xFFFFF8007BFA0D50
+00000009 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: _wcsicmp is 0xFFFFF8007BF9ECB0
+00000010 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: _wcslwr is 0xFFFFF8007BF9ED10
+00000011 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: RtlInitAnsiString is 0xFFFFF8007BED57A0
+00000012 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: RtlInitUnicodeString is 0xFFFFF8007BEA6560
+00000013 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: RtlAnsiStringToUnicodeString is 0xFFFFF8007C4DCB50
+00000014 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: RtlUnicodeStringToAnsiString is 0xFFFFF8007C41FFC0
+00000015 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: RtlFreeUnicodeString is 0xFFFFF8007C424760
+00000016 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: RtlFreeAnsiString is 0xFFFFF8007C424760
+00000017 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: RtlGetVersion is 0xFFFFF8007C4ACD40
+00000018 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: KeInitializeEvent is 0xFFFFF8007BE98F10
+00000019 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: KeSetEvent is 0xFFFFF8007BEB03C0
+00000020 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: KeInitializeMutex is 0xFFFFF8007BE06450
+00000021 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: KeReleaseMutex is 0xFFFFF8007BEB4690
+00000022 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: KeWaitForSingleObject is 0xFFFFF8007BEA2A60
+00000023 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ExAllocatePoolWithTag is 0xFFFFF8007C16F010
+00000024 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ExAllocatePool is 0xFFFFF8007BF25F40
+00000025 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ExFreePoolWithTag is 0xFFFFF8007C16F0A0
+00000026 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ProbeForRead is 0xFFFFF8007C4922D0
+00000027 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ProbeForWrite is 0xFFFFF8007C405C30
+00000028 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsCreateSystemThread is 0xFFFFF8007C3B7E00
+00000029 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsTerminateSystemThread is 0xFFFFF8007C48DDA0
+00000030 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: IofCompleteRequest is 0xFFFFF8007BEAF560
+00000031 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: IoCreateDevice is 0xFFFFF8007C474B50
+00000032 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: IoCreateSymbolicLink is 0xFFFFF8007C51AD00
+00000033 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: IoDeleteDevice is 0xFFFFF8007BEE0F20
+00000034 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: IoDeleteSymbolicLink is 0xFFFFF8007C53A2E0
+00000035 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: IoGetCurrentProcess is 0xFFFFF8007BE92220
+00000036 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: IoGetTopLevelIrp is 0xFFFFF8007BE95540
+00000037 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ObReferenceObjectByHandle is 0xFFFFF8007C40F8B0
+00000038 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ObfReferenceObject is 0xFFFFF8007BEA1030
+00000039 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ObfDereferenceObject is 0xFFFFF8007BEA0F60
+00000040 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ObRegisterCallbacks is 0xFFFFF8007C580FF0
+00000041 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ObUnRegisterCallbacks is 0xFFFFF8007C6A0F00
+00000042 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ObGetFilterVersion is 0xFFFFF8007C6A0EF0
+00000043 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwOpenFile is 0xFFFFF8007BFBEFB0
+00000044 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwQueryInformationFile is 0xFFFFF8007BFBEB70
+00000045 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwReadFile is 0xFFFFF8007BFBEA10
+00000046 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwClose is 0xFFFFF8007BFBEB30
+00000047 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: MmIsAddressValid is 0xFFFFF8007C0C57D0
+00000048 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsSetCreateProcessNotifyRoutineEx is 0xFFFFF8007C5533D0
+00000049 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsSetCreateThreadNotifyRoutine is 0xFFFFF8007C5533F0
+00000050 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsRemoveCreateThreadNotifyRoutine is 0xFFFFF8007C6CCC70
+00000051 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsSetLoadImageNotifyRoutine is 0xFFFFF8007C553410
+00000052 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsRemoveLoadImageNotifyRoutine is 0xFFFFF8007C6CCD60
+00000053 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsGetCurrentProcessId is 0xFFFFF8007BEE0F00
+00000054 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsGetCurrentThreadId is 0xFFFFF8007BF06380
+00000055 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsGetProcessId is 0xFFFFF8007BE927A0
+00000056 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsGetThreadId is 0xFFFFF8007BF0BEC0
+00000057 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsGetThreadProcessId is 0xFFFFF8007BF11A70
+00000058 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwDeviceIoControlFile is 0xFFFFF8007BFBEA30
+00000059 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: RtlRandomEx is 0xFFFFF8007BED44A0
+00000060 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsLookupProcessByProcessId is 0xFFFFF8007C3F0630
+00000061 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsLookupThreadByThreadId is 0xFFFFF8007C3F08C0
+00000062 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsGetThreadProcess is 0xFFFFF8007BE1B010
+00000063 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: IoQueryFileDosDeviceName is 0xFFFFF8007C4C7BE0
+00000064 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ObOpenObjectByPointer is 0xFFFFF8007C3FF420
+00000065 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ObQueryNameString is 0xFFFFF8007C4C7BC0
+00000066 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwOpenDirectoryObject is 0xFFFFF8007BFBF450
+00000067 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsGetProcessImageFileName is 0xFFFFF8007BF16680
+00000068 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsGetProcessInheritedFromUniqueProcessId is 0xFFFFF8007BE19E30
+00000069 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwQueryInformationThread is 0xFFFFF8007BFBEDF0
+00000070 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwQuerySystemInformation is 0xFFFFF8007BFBF010
+00000071 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsAcquireProcessExitSynchronization is 0xFFFFF8007C4D8DC0
+00000072 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsReleaseProcessExitSynchronization is 0xFFFFF8007C49FF60
+00000073 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ExfUnblockPushLock is 0xFFFFF8007BFBE570
+00000074 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ExEnumHandleTable is 0xFFFFF8007C488ED0
+00000075 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwQueryDirectoryObject is 0xFFFFF8007BFC10F0
+00000076 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ObOpenObjectByName is 0xFFFFF8007C4133E0
+00000077 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: CmUnRegisterCallback is 0xFFFFF8007C627D50
+00000078 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: MmProbeAndLockPages is 0xFFFFF8007BEBCA90
+00000079 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: MmUnlockPages is 0xFFFFF8007BEB3030
+00000080 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: IoAllocateMdl is 0xFFFFF8007BE99330
+00000081 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: IoFreeMdl is 0xFFFFF8007BEEFB20
+00000082 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ObReferenceObjectByName is 0xFFFFF8007C3F44A0
+00000083 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwOpenSection is 0xFFFFF8007BFBF030
+00000084 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: KeStackAttachProcess is 0xFFFFF8007BE920E0
+00000085 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: KeUnstackDetachProcess is 0xFFFFF8007BE9D3B0
+00000086 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsGetProcessPeb is 0xFFFFF8007BF138F0
+00000087 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsGetProcessWow64Process is 0xFFFFF8007BEF8FD0
+00000088 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: RtlWalkFrameChain is 0xFFFFF8007BE09DC0
+00000089 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: KeInitializeApc is 0xFFFFF8007BEC7A50
+00000090 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: KeInsertQueueApc is 0xFFFFF8007BEC5F50
+00000091 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwTerminateProcess is 0xFFFFF8007BFBEED0
+00000092 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: MmUnmapViewOfSection is 0xFFFFF8007C3CE0D0
+00000093 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsSuspendProcess is 0xFFFFF8007C6CD140
+00000094 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsResumeProcess is 0xFFFFF8007C4A00D0
+00000095 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwCreateSection is 0xFFFFF8007BFBF290
+00000096 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwMapViewOfSection is 0xFFFFF8007BFBEE50
+00000097 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwUnmapViewOfSection is 0xFFFFF8007BFBEE90
+00000098 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: IoThreadToProcess is 0xFFFFF8007BE1B010
+00000099 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwAllocateVirtualMemory is 0xFFFFF8007BFBEC50
+00000100 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwFreeVirtualMemory is 0xFFFFF8007BFBED10
+00000101 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsGetContextThread is 0xFFFFF8007C6CBF30
+00000102 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: MmCopyVirtualMemory is 0xFFFFF8007C419850
+00000103 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwOpenThread is 0xFFFFF8007BFC0E70
+00000104 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: MmMapIoSpace is 0xFFFFF8007BF051E0
+00000105 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: MmUnmapIoSpace is 0xFFFFF8007BF03BE0
+00000106 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: MmGetPhysicalAddress is 0xFFFFF8007BF10580
+00000107 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: KeDelayExecutionThread is 0xFFFFF8007BE9DE80
+00000108 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: RtlCompareUnicodeString is 0xFFFFF8007C41FE90
+00000109 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsGetProcessSessionId is 0xFFFFF8007BED04D0
+00000110 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: MmCopyMemory is 0xFFFFF8007BF2A060
+00000111 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ZwTraceControl is 0xFFFFF8007BFC20F0
+00000112 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: RtlImageNtHeader is 0xFFFFF8007BE88E20
+00000113 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: IoFileObjectType is 0xFFFFF8007C3743C8
+00000114 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsProcessType is 0xFFFFF8007C374390
+00000115 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsThreadType is 0xFFFFF8007C3743B8
+00000116 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: PsInitialSystemProcess is 0xFFFFF8007C3743A0
+00000117 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: IoDriverObjectType is 0xFFFFF8007C374518
+00000118 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: NtBuildNumber is 0xFFFFF8007C196238
+00000127 6:10:50 AM [GoodEye]MmGetSystemRoutineAddress: ObGetObjectType is 0xFFFFF8007C3DE960
+00000128 6:10:54 AM [GoodEye]MmGetSystemRoutineAddress: MmIsAddressValid is 0xFFFFF8007C0C57D0
+00000129 6:10:54 AM [GoodEye]MmGetSystemRoutineAddress: ZwQuerySystemInformation is 0xFFFFF8007BFBF010
+00000130 6:10:54 AM [GoodEye]MmGetSystemRoutineAddress: NtQuerySystemInformation is 0xFFFFF8007C3FFDE0
+00000131 6:10:54 AM [GoodEye]MmGetSystemRoutineAddress: ZwClose is 0xFFFFF8007BFBEB30
+00000132 6:10:54 AM [GoodEye]MmGetSystemRoutineAddress: ZwClose is 0xFFFFF8007BFBEB30
+00000133 6:10:54 AM [GoodEye]MmGetSystemRoutineAddress: ZwClose is 0xFFFFF8007BFBEB30
+00000134 6:10:54 AM [GoodEye]MmGetSystemRoutineAddress: ZwClose is 0xFFFFF8007BFBEB30
+
+//
+// file system imports
+//
+
+[GoodEye]FltGetRoutineAddress: FltRegisterFilter, 0xFFFFF8007FB5B590
+[GoodEye]FltGetRoutineAddress: FltUnregisterFilter, 0xFFFFF8007FB5D0E0
+[GoodEye]FltGetRoutineAddress: FltStartFiltering, 0xFFFFF8007FB5CE00
+[GoodEye]FltGetRoutineAddress: FltGetFileNameInformation, 0xFFFFF8007FB18190
+[GoodEye]FltGetRoutineAddress: FltReleaseFileNameInformation, 0xFFFFF8007FB4EC80
+[GoodEye]FltGetRoutineAddress: FltReadFile, 0xFFFFF8007FB28100
+[GoodEye]FltGetRoutineAddress: FltQueryInformationFile, 0xFFFFF8007FB4C3B0
+[GoodEye]FltGetRoutineAddress: FltGetRequestorProcess, 0xFFFFF8007FB1C0E0
+
+
+//
+// loaded drivers at the time of dump (windows 10 2004)
+//
+
+win32k.sys, 0xffff84384c090000, 560 kB, Full/Desktop Multi-User Win32 Driver
+win32kfull.sys, 0xffff84384c2c0000, 3.63 MB, Full/Desktop Win32k Kernel Driver
+win32kbase.sys, 0xffff84384ca50000, 2.65 MB, Base Win32k Kernel Driver
+cdd.dll, 0xffff84384cd00000, 288 kB, Canonical Display Driver
+peauth.sys, 0xfffff8007a600000, 856 kB, Protected Environment Authentication and Authorization Export Driver
+srv2.sys, 0xfffff8007a6e0000, 788 kB, Smb 2.0 Server driver
+tcpipreg.sys, 0xfffff8007a7b0000, 80 kB, TCP/IP Registry Compatibility Driver
+tdevmonc.sys, 0xfffff8007a7d0000, 56 kB, Tibbo Device Monitor core driver
+rassstp.sys, 0xfffff8007a7e0000, 116 kB, RAS SSTP Miniport Call Manager
+NDProxy.sys, 0xfffff8007a800000, 260 kB, NDIS Proxy
+AgileVpn.sys, 0xfffff8007a850000, 156 kB, RAS Agile Vpn Miniport Call Manager
+rasl2tp.sys, 0xfffff8007a880000, 136 kB, RAS L2TP mini-port/call-manager driver
+raspptp.sys, 0xfffff8007a8b0000, 128 kB, Peer-to-Peer Tunneling Protocol
+raspppoe.sys, 0xfffff8007a8e0000, 112 kB, RAS PPPoE mini-port/call-manager driver
+ndistapi.sys, 0xfffff8007a900000, 60 kB, NDIS 3.0 connection wrapper driver
+ndiswan.sys, 0xfffff8007a910000, 232 kB, MS PPP Framing Driver (Strong Encryption)
+condrv.sys, 0xfffff8007a950000, 76 kB, Console Driver
+p9rdr.sys, 0xfffff8007a970000, 104 kB, Plan 9 redirector
+bindflt.sys, 0xfffff8007a990000, 132 kB, Windows Bind Filter Driver
+asyncmac.sys, 0xfffff8007ab20000, 56 kB, MS Remote Access serial network driver
+ssudbus.sys, 0xfffff8007ab30000, 128 kB, SAMSUNG USB Composite Device Driver
+WinUsb.sys, 0xfffff8007ab60000, 128 kB, Windows WinUSB Class Driver
+WUDFRd.sys, 0xfffff8007ab90000, 320 kB, Windows Driver Foundation - User-mode Driver Framework Reflector
+WpdUpFltr.sys, 0xfffff8007abf0000, 56 kB, Windows Portable Device Upper Class Filter Driver
+VMMR0.r0, 0xfffff8007ac00000, 1.59 MB, VirtualBox VMM - ring-0 context parts
+VBoxDDR0.r0, 0xfffff8007ada0000, 200 kB, VirtualBox VMM Devices and Drivers, ring-0
+Dbgv.sys, 0xfffff8007ade0000, 36 kB, Windows Debug Monitor
+GoodEye.sys, 0xfffff8007adf0000, 28 kB,
+HTTP.sys, 0xfffff8007af20000, 1.27 MB, HTTP Protocol Stack
+mpsdrv.sys, 0xfffff8007b070000, 104 kB, Microsoft Protection Service Driver
+vwifimp.sys, 0xfffff8007b090000, 76 kB, Virtual WiFi Miniport Driver
+IntelHaxm.sys, 0xfffff8007b0b0000, 188 kB, HAXM_Driver
+srvnet.sys, 0xfffff8007b0e0000, 332 kB, Server Network driver
+Ndu.sys, 0xfffff8007b140000, 156 kB, Windows Network Data Usage Monitoring Driver
+npf.sys, 0xfffff8007b170000, 48 kB, npf.sys (NT5/6 AMD64) Kernel Driver
+hal.dll, 0xfffff8007bd5c000, 656 kB, Hardware Abstraction Layer DLL
+ntoskrnl.exe, 0xfffff8007be00000, 10.71 MB, NT Kernel & System
+kprocesshacker.sys, 0xfffff8007e420000, 44 kB, KProcessHacker
+kd.dll, 0xfffff8007f600000, 44 kB, Local Kernel Debugger
+mcupdate_GenuineIntel.dll, 0xfffff8007f610000, 2.3 MB, Intel Microcode Update Library
+werkernel.sys, 0xfffff8007f860000, 68 kB, Windows Error Reporting Kernel Driver
+ksecdd.sys, 0xfffff8007f880000, 168 kB, Kernel Security Support Provider Interface
+msrpc.sys, 0xfffff8007f8b0000, 384 kB, Kernel Remote Procedure Call Provider
+tm.sys, 0xfffff8007f920000, 156 kB, Kernel Transaction Manager Driver
+CLFS.SYS, 0xfffff8007f950000, 416 kB, Common Log File System Driver
+PSHED.dll, 0xfffff8007f9c0000, 104 kB, Platform Specific Hardware Error Driver
+BOOTVID.dll, 0xfffff8007f9e0000, 44 kB, VGA Boot Driver
+cmimcext.sys, 0xfffff8007f9f0000, 56 kB, Kernel Configuration Manager Initial Configuration Extension Host Export Driver
+clipsp.sys, 0xfffff8007fa00000, 1.02 MB, CLIP Service
+FLTMGR.SYS, 0xfffff8007fb10000, 452 kB, Microsoft Filesystem Filter Manager
+ntosext.sys, 0xfffff8007fb90000, 48 kB, NTOS extension host driver
+CI.dll, 0xfffff8007fba0000, 884 kB, Code Integrity Module
+cng.sys, 0xfffff8007fc80000, 752 kB, Kernel Cryptography, Next Generation
+Wdf01000.sys, 0xfffff8007fd40000, 852 kB, Kernel Mode Driver Framework Runtime
+WDFLDR.SYS, 0xfffff8007fe20000, 76 kB, Kernel Mode Driver Framework Loader
+SleepStudyHelper.sys, 0xfffff8007fe40000, 60 kB, Sleep Study Helper
+WppRecorder.sys, 0xfffff8007fe50000, 64 kB, WPP Trace Recorder
+acpiex.sys, 0xfffff8007fe70000, 148 kB, ACPIEx Driver
+mssecflt.sys, 0xfffff8007fea0000, 264 kB, Microsoft Security Events Component file system filter driver
+SgrmAgent.sys, 0xfffff8007fef0000, 104 kB, System Guard Runtime Monitor Agent Driver
+lxss.sys, 0xfffff8007ff10000, 40 kB, LXSS
+LXCORE.SYS, 0xfffff8007ff20000, 1.09 MB, LX Core
+ACPI.sys, 0xfffff80080040000, 816 kB, ACPI Driver for NT
+WMILIB.SYS, 0xfffff80080110000, 48 kB, WMILIB WMI support library Dll
+msisadrv.sys, 0xfffff80080120000, 44 kB, ISA Driver
+pci.sys, 0xfffff80080130000, 444 kB, NT Plug and Play PCI Enumerator
+tpm.sys, 0xfffff800801a0000, 256 kB, TPM Device Driver
+WindowsTrustedRTProxy.sys, 0xfffff800801f0000, 44 kB, Windows Trusted Runtime Service Proxy Driver
+intelpep.sys, 0xfffff80080220000, 364 kB, Intel Power Engine Plugin
+WindowsTrustedRT.sys, 0xfffff80080280000, 92 kB, Windows Trusted Runtime Interface Driver
+pcw.sys, 0xfffff800802a0000, 84 kB, Performance Counters for Windows Driver
+vdrvroot.sys, 0xfffff800802c0000, 76 kB, Virtual Drive Root Enumerator
+pdc.sys, 0xfffff800802e0000, 204 kB, Power Dependency Coordinator Driver
+CEA.sys, 0xfffff80080320000, 100 kB, Event Aggregation Kernel Mode Library
+partmgr.sys, 0xfffff80080340000, 192 kB, Partition driver
+spaceport.sys, 0xfffff80080380000, 660 kB, Storage Spaces Driver
+volmgr.sys, 0xfffff80080430000, 104 kB, Volume Manager Driver
+volmgrx.sys, 0xfffff80080450000, 396 kB, Volume Manager Extension Driver
+mountmgr.sys, 0xfffff800804c0000, 124 kB, Mount Point Manager
+iaStorA.sys, 0xfffff800804e0000, 5.46 MB, Intel(R) Rapid Storage Technology driver - x64
+storport.sys, 0xfffff80080a60000, 648 kB, Microsoft Storage Port Driver
+EhStorClass.sys, 0xfffff80080b10000, 108 kB, Enhanced Storage Class driver for IEEE 1667 devices
+fileinfo.sys, 0xfffff80080b30000, 104 kB, FileInfo Filter Driver
+pmdrvs.sys, 0xfffff80080b50000, 40 kB, Lenovo Power Management Driver
+Fs_Rec.sys, 0xfffff80080b60000, 52 kB, File System Recognizer Driver
+Wof.sys, 0xfffff80080b80000, 244 kB, Windows Overlay Filter
+WdFilter.sys, 0xfffff80080bc0000, 336 kB, Microsoft antimalware file system filter driver
+Ntfs.sys, 0xfffff80080c20000, 2.61 MB, NT File System Driver
+ndis.sys, 0xfffff80080ec0000, 1.45 MB, Network Driver Interface Specification (NDIS)
+NETIO.SYS, 0xfffff80081040000, 592 kB, Network I/O Subsystem
+ksecpkg.sys, 0xfffff800810e0000, 200 kB, Kernel Security Support Provider Interface Packages
+tcpip.sys, 0xfffff80081120000, 2.91 MB, TCP/IP Driver
+fwpkclnt.sys, 0xfffff80081410000, 488 kB, FWP/IPsec Kernel-Mode API
+wfplwfs.sys, 0xfffff80081490000, 192 kB, WFP NDIS 6.30 Lightweight Filter Driver
+VmsProxy.sys, 0xfffff800814d0000, 64 kB, VMSWITCH Proxy Driver
+vmbkmclr.sys, 0xfffff800814f0000, 128 kB, Hyper-V VMBus Root KMCL
+VmsProxyHNic.sys, 0xfffff80081520000, 60 kB, VmSwitch NIC Proxy Driver
+fvevol.sys, 0xfffff80081530000, 804 kB, BitLocker Drive Encryption Driver
+volume.sys, 0xfffff80081600000, 44 kB, Volume driver
+volsnap.sys, 0xfffff80081610000, 436 kB, Volume Shadow Copy driver
+rdyboost.sys, 0xfffff80081680000, 312 kB, ReadyBoost Driver
+mup.sys, 0xfffff800816d0000, 148 kB, Multiple UNC Provider Driver
+iorate.sys, 0xfffff80081700000, 72 kB, I/O rate control Filter
+IntelPcc.sys, 0xfffff80081720000, 88 kB, Intel Collaborative Processor Performance Control (CPPC) Driver
+disk.sys, 0xfffff80081760000, 112 kB, PnP Disk Driver
+CLASSPNP.SYS, 0xfffff80081780000, 428 kB, SCSI Class System Dll
+VBoxDrv.sys, 0xfffff80c57020000, 1.07 MB, VirtualBox Support Driver
+npsvctrig.sys, 0xfffff80c57140000, 52 kB, Named pipe service triggers
+mssmbios.sys, 0xfffff80c57150000, 64 kB, System Management BIOS Driver
+HWiNFO64A.SYS, 0xfffff80c57170000, 40 kB, HWiNFO AMD64 Kernel Driver
+gpuenergydrv.sys, 0xfffff80c57180000, 40 kB, GPU Energy Kernel Driver
+dfsc.sys, 0xfffff80c57190000, 176 kB, DFS Namespace Client Driver
+umbus.sys, 0xfffff80c571c0000, 84 kB, User-Mode Bus Enumerator
+bam.sys, 0xfffff80c571e0000, 88 kB, BAM Kernel Driver
+ahcache.sys, 0xfffff80c57200000, 316 kB, Application Compatibility Cache
+tap0901.sys, 0xfffff80c57250000, 48 kB, TAP-Windows Virtual Network Driver (NDIS 6.0)
+VBoxNetAdp6.sys, 0xfffff80c57260000, 328 kB, VirtualBox NDIS 6.0 Host-Only Network Adapter Driver
+tapprotonvpn.sys, 0xfffff80c572c0000, 48 kB, TAP-Windows Virtual Network Driver (NDIS 6.0)
+Vid.sys, 0xfffff80c572d0000, 560 kB, Microsoft Hyper-V Virtualization Infrastructure Driver
+winhvr.sys, 0xfffff80c57360000, 124 kB, Windows Hypervisor Root Interface Driver
+CompositeBus.sys, 0xfffff80c57380000, 68 kB, Multi-Transport Composite Bus Enumerator
+kdnic.sys, 0xfffff80c573a0000, 52 kB, Microsoft Kernel Debugger Network Miniport
+crashdmp.sys, 0xfffff80c573e0000, 116 kB, Crash Dump Driver
+dump_iaStorA.sys, 0xfffff80c57a00000, 5.46 MB,
+cdrom.sys, 0xfffff80c57fc0000, 192 kB, SCSI CD-ROM Driver
+filecrypt.sys, 0xfffff80c58000000, 84 kB, Windows sandboxing and encryption filter
+tbs.sys, 0xfffff80c58020000, 56 kB, Export driver for kernel mode TPM API
+Null.SYS, 0xfffff80c58030000, 40 kB, NULL Driver
+Beep.SYS, 0xfffff80c58040000, 40 kB, BEEP Driver
+dxgkrnl.sys, 0xfffff80c58050000, 3.44 MB, DirectX Graphics Kernel
+watchdog.sys, 0xfffff80c583d0000, 88 kB, Watchdog Driver
+BasicDisplay.sys, 0xfffff80c583f0000, 88 kB, Microsoft Basic Display Driver
+BasicRender.sys, 0xfffff80c58410000, 68 kB, Microsoft Basic Render Driver
+Npfs.SYS, 0xfffff80c58430000, 112 kB, NPFS Driver
+Msfs.SYS, 0xfffff80c58450000, 68 kB, Mailslot driver
+tdx.sys, 0xfffff80c58470000, 152 kB, TDI Translation Driver
+TDI.SYS, 0xfffff80c584a0000, 64 kB, TDI Wrapper
+netbt.sys, 0xfffff80c584c0000, 356 kB, MBT Transport driver
+afunix.sys, 0xfffff80c58520000, 76 kB, AF_UNIX socket provider
+afd.sys, 0xfffff80c58540000, 668 kB, Ancillary Function Driver for WinSock
+npcap.sys, 0xfffff80c585f0000, 76 kB, npcap.sys (NT6 AMD64) Kernel Filter Driver
+VBoxNetLwf.sys, 0xfffff80c58610000, 344 kB, VirtualBox NDIS 6.0 Lightweight Filter Driver
+vwififlt.sys, 0xfffff80c58670000, 104 kB, Virtual WiFi Filter Driver
+pacer.sys, 0xfffff80c58690000, 172 kB, QoS Packet Scheduler
+netbios.sys, 0xfffff80c586c0000, 80 kB, NetBIOS interface driver
+smi.sys, 0xfffff80c586e0000, 40 kB, SSO SMI Kernel Mode Driver
+rdbss.sys, 0xfffff80c586f0000, 492 kB, Redirected Drive Buffering SubSystem Driver
+nsiproxy.sys, 0xfffff80c58770000, 72 kB, NSI Proxy
+csc.sys, 0xfffff80c58d10000, 592 kB, Windows Client Side Caching Driver
+VBoxUSBMon.sys, 0xfffff80c58db0000, 220 kB, VirtualBox USB Monitor Driver
+Tppwr64v.sys, 0xfffff80c58df0000, 36 kB, Power Manager
+igdkmd64.sys, 0xfffff80c58e00000, 7.77 MB, Intel Graphics Kernel Mode Driver
+USBXHCI.SYS, 0xfffff80c595d0000, 548 kB, USB XHCI Driver
+TeeDriverW8x64.sys, 0xfffff80c59660000, 208 kB, Intel(R) Management Engine Interface
+e1d68x64.sys, 0xfffff80c596a0000, 596 kB, Intel(R) Gigabit Adapter NDIS 6.x driver
+usbehci.sys, 0xfffff80c59740000, 116 kB, EHCI eUSB Miniport Driver
+USBPORT.SYS, 0xfffff80c59760000, 488 kB, USB 1.1 & 2.0 Port Driver
+RtsPer.sys, 0xfffff80c597e0000, 880 kB, RTS PCIE READER Driver
+nwifi.sys, 0xfffff80c598c0000, 712 kB, NativeWiFi Miniport Driver
+CAD.sys, 0xfffff80c59a90000, 84 kB, Charge Arbiration Driver
+intelppm.sys, 0xfffff80c59ab0000, 248 kB, Processor Device Driver
+USBD.SYS, 0xfffff80c59c00000, 56 kB, Universal Serial Bus Driver
+HIDPARSE.SYS, 0xfffff80c59c10000, 76 kB, Hid Parsing Library
+kbdclass.sys, 0xfffff80c59c30000, 80 kB, Keyboard Class Driver
+mouclass.sys, 0xfffff80c59c50000, 76 kB, Mouse Class Driver
+CmBatt.sys, 0xfffff80c59c70000, 60 kB, Control Method Battery Driver
+BATTC.SYS, 0xfffff80c59c80000, 64 kB, Battery Class Driver
+ibmpmdrv.sys, 0xfffff80c59ca0000, 84 kB, Lenovo Power Management Driver
+Smb_driver_Intel.sys, 0xfffff80c59cc0000, 60 kB, Synaptics SMBus Driver
+wmiacpi.sys, 0xfffff80c59cd0000, 48 kB, Windows Management Interface for ACPI
+NdisVirtualBus.sys, 0xfffff80c59ce0000, 52 kB, Microsoft Virtual Network Adapter Enumerator
+swenum.sys, 0xfffff80c59cf0000, 48 kB, Plug and Play Software Device Enumerator
+rdpbus.sys, 0xfffff80c59d00000, 56 kB, Microsoft RDP Bus Device driver
+usbhub.sys, 0xfffff80c59d10000, 552 kB, Default Hub Driver for USB
+ksthunk.sys, 0xfffff80c59e20000, 60 kB, Kernel Streaming WOW Thunk Service
+UsbHub3.sys, 0xfffff80c59e30000, 640 kB, USB3 HUB Driver
+vmswitch.sys, 0xfffff80c59ee0000, 2.35 MB, Microsoft® Network Virtualization Service Provider
+Netwbw02.sys, 0xfffff80c5a170000, 3.55 MB, Intel® Wireless WiFi Link Driver
+vwifibus.sys, 0xfffff80c5a500000, 56 kB, Virtual Wireless Bus Driver
+i8042prt.sys, 0xfffff80c5a510000, 140 kB, i8042 Port Driver
+SynTP.sys, 0xfffff80c5a540000, 716 kB, Synaptics Touchpad Win64 Driver
+ks.sys, 0xfffff80c5b200000, 480 kB, Kernel CSA Library
+ucx01000.sys, 0xfffff80c5b280000, 260 kB, USB Controller Extension
+nvlddmkm.sys, 0xfffff80c5b2e0000, 20.21 MB, NVIDIA Windows Kernel Mode Driver, Version 425.91
+HDAudBus.sys, 0xfffff80c5c720000, 136 kB, High Definition Audio Bus Driver
+portcls.sys, 0xfffff80c5c750000, 412 kB, Port Class (Class Driver for Port/Miniport Devices)
+drmk.sys, 0xfffff80c5c7c0000, 132 kB, Microsoft Trusted Audio Drivers
+BTHUSB.sys, 0xfffff80c5c800000, 124 kB, Bluetooth Miniport Driver
+bthport.sys, 0xfffff80c5c820000, 1.39 MB, Bluetooth Bus Driver
+hidusb.sys, 0xfffff80c5c990000, 72 kB, USB Miniport Driver for Input Devices
+HIDCLASS.SYS, 0xfffff80c5c9b0000, 236 kB, Hid Class Library
+mouhid.sys, 0xfffff80c5c9f0000, 64 kB, HID Mouse Filter Driver
+Microsoft.Bluetooth.Legacy.LEEnumerator.sys, 0xfffff80c5ca10000, 120 kB, Legacy Bluetooth LE Bus Enumerator
+rfcomm.sys, 0xfffff80c5ca30000, 232 kB, Bluetooth RFCOMM Driver
+BthEnum.sys, 0xfffff80c5ca70000, 136 kB, Bluetooth Bus Extender
+bthpan.sys, 0xfffff80c5caa0000, 152 kB, Bluetooth Personal Area Networking
+usbvideo.sys, 0xfffff80c5cae0000, 316 kB, USB Video Class Driver
+tsusbhub.sys, 0xfffff80c5cb30000, 156 kB, Remote Desktop USB Hub
+bowser.sys, 0xfffff80c5cb60000, 148 kB, NT Lan Manager Datagram Receiver Driver
+winquic.sys, 0xfffff80c5cb90000, 224 kB, Windows QUIC Driver
+mrxsmb.sys, 0xfffff80c5cbd0000, 572 kB, Windows NT SMB Minirdr
+mrxsmb20.sys, 0xfffff80c5cc80000, 276 kB, Longhorn SMB 2.0 Redirector
+lltdio.sys, 0xfffff80c5ccd0000, 96 kB, Link-Layer Topology Mapper I/O Driver
+mslldp.sys, 0xfffff80c5ccf0000, 100 kB, Microsoft Link-Layer Discovery Protocol Driver
+rspndr.sys, 0xfffff80c5cd10000, 108 kB, Link-Layer Topology Responder Driver for NDIS 6
+wanarp.sys, 0xfffff80c5cd30000, 116 kB, MS Remote Access and Routing ARP Driver
+ndisuio.sys, 0xfffff80c5cd50000, 96 kB, NDIS User mode I/O driver
+dump_diskdump.sys, 0xfffff80c5cdf0000, 56 kB,
+dump_dumpfve.sys, 0xfffff80c5ce20000, 116 kB,
+dxgmms2.sys, 0xfffff80c5ce40000, 872 kB, DirectX Graphics MMS
+monitor.sys, 0xfffff80c5cf20000, 96 kB, Monitor Driver
+rdpvideominiport.sys, 0xfffff80c5cf40000, 52 kB, Microsoft RDP Video Miniport driver
+wcifs.sys, 0xfffff80c5cf80000, 220 kB, Windows Container Isolation FS Filter Driver
+cldflt.sys, 0xfffff80c5cfc0000, 476 kB, Cloud Files Mini Filter Driver
+storqosflt.sys, 0xfffff80c5d040000, 104 kB, Storage QoS Filter
+mmcss.sys, 0xfffff80c5d060000, 80 kB, MMCSS Driver
+rdpdr.sys, 0xfffff80c5d080000, 188 kB, Microsoft RDP Device redirector
+RTKVHD64.sys, 0xfffff80c5d0b0000, 6.77 MB, Realtek(r) High Definition Audio Function Driver
+usbccgp.sys, 0xfffff80c5d780000, 204 kB, USB Common Class Generic Parent Driver
+ibtusb.sys, 0xfffff80c5d7c0000, 236 kB, Intel(R) Wireless Bluetooth(R) Filter Driver
+