#include "kernel_ctx/kernel_ctx.h" #include "drv_image/drv_image.h" #include "raw_driver.hpp" int __cdecl main(int argc, char** argv) { if (argc < 2) { std::perror("[-] invalid use, please provide a path to a driver\n"); return -1; } std::vector drv_buffer; util::open_binary_file(argv[1], drv_buffer); if (!drv_buffer.size()) { std::perror("[-] invalid drv_buffer size\n"); return -1; } physmeme::drv_image image(drv_buffer); if (!physmeme::load_drv()) { std::perror("[!] unable to load driver....\n"); return -1; } physmeme::kernel_ctx kernel_ctx; std::printf("[+] driver has been loaded...\n"); std::printf("[+] %s mapped physical page -> 0x%p\n", physmeme::syscall_hook.first, physmeme::psyscall_func.load()); std::printf("[+] %s page offset -> 0x%x\n", physmeme::syscall_hook.first, physmeme::nt_page_offset); const auto drv_timestamp = util::get_file_header((void*)raw_driver)->TimeDateStamp; if (!kernel_ctx.clear_piddb_cache(physmeme::drv_key, drv_timestamp)) { // this is because the signature might be broken on these versions of windows. perror("[-] failed to clear PiDDBCacheTable.\n"); return -1; } const auto _get_export_name = [&](const char* base, const char* name) { return reinterpret_cast(util::get_kernel_export(base, name)); }; image.fix_imports(_get_export_name); image.map(); const auto pool_base = kernel_ctx.allocate_pool(image.size(), NonPagedPool); image.relocate(pool_base); kernel_ctx.write_kernel(pool_base, image.data(), image.size()); auto entry_point = reinterpret_cast(pool_base) + image.entry_point(); auto result = kernel_ctx.syscall ( reinterpret_cast(entry_point), reinterpret_cast(pool_base), image.size() ); std::printf("[+] driver entry returned: 0x%p\n", result); kernel_ctx.zero_kernel_memory(pool_base, image.header_size()); if (!physmeme::unload_drv()) { std::perror("[!] unable to unload driver... all handles closed?\n"); return -1; } std::printf("[=] press enter to close\n"); std::cin.get(); }