From f0c8a80be67ae6ca8986b25b51df5d017161f3c2 Mon Sep 17 00:00:00 2001
From: gmh5225 <2315157@qq.com>
Date: Wed, 17 Aug 2022 00:50:32 +0800
Subject: [PATCH] Update

---
 .clang-format                                 | 101 +++++++++++++
 CallMeWin32kDriver.sln                        |  49 +++++++
 CallMeWin32kDriver/CallMeWWWWWWin32k.cpp      |  91 ++++++++++++
 CallMeWin32kDriver/CallMeWin32kDriver.vcxproj | 135 +++++++++++++++++
 .../CallMeWin32kDriver.vcxproj.filters        |  26 ++++
 CallMeWin32kDriver/Common.h                   |  28 ++++
 CallMeWin32kDriver/Source.cpp                 |  50 +++++++
 README.md                                     |  13 ++
 license                                       |  21 +++
 win32bro/Source.cpp                           |  12 ++
 win32bro/win32bro.vcxproj                     | 136 ++++++++++++++++++
 win32bro/win32bro.vcxproj.filters             |  18 +++
 12 files changed, 680 insertions(+)
 create mode 100644 .clang-format
 create mode 100644 CallMeWin32kDriver.sln
 create mode 100644 CallMeWin32kDriver/CallMeWWWWWWin32k.cpp
 create mode 100644 CallMeWin32kDriver/CallMeWin32kDriver.vcxproj
 create mode 100644 CallMeWin32kDriver/CallMeWin32kDriver.vcxproj.filters
 create mode 100644 CallMeWin32kDriver/Common.h
 create mode 100644 CallMeWin32kDriver/Source.cpp
 create mode 100644 README.md
 create mode 100644 license
 create mode 100644 win32bro/Source.cpp
 create mode 100644 win32bro/win32bro.vcxproj
 create mode 100644 win32bro/win32bro.vcxproj.filters

diff --git a/.clang-format b/.clang-format
new file mode 100644
index 0000000..4096055
--- /dev/null
+++ b/.clang-format
@@ -0,0 +1,101 @@
+AccessModifierOffset: -4
+AlignAfterOpenBracket: AlwaysBreak
+AlignConsecutiveAssignments: false
+AlignConsecutiveDeclarations: false
+AlignEscapedNewlines: DontAlign
+AlignOperands: true
+AllowAllParametersOfDeclarationOnNextLine: false
+AllowShortBlocksOnASingleLine: false
+AllowShortCaseLabelsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: Inline
+AllowShortIfStatementsOnASingleLine: false
+AllowShortLoopsOnASingleLine: false
+AlwaysBreakAfterReturnType: TopLevel
+AlwaysBreakBeforeMultilineStrings: false
+AlwaysBreakTemplateDeclarations: true
+BinPackArguments: false
+BinPackParameters: false
+BraceWrapping:
+    AfterClass: true
+    AfterControlStatement: true
+    AfterEnum: true
+    AfterFunction: true
+    AfterNamespace: false
+    AfterStruct: true
+    AfterUnion: true
+    AfterExternBlock: false
+    BeforeCatch: true
+    BeforeElse: true
+BreakBeforeBraces: Custom
+BreakBeforeBinaryOperators: None
+BreakBeforeTernaryOperators: true
+BreakConstructorInitializers: AfterColon
+BreakStringLiterals: false
+ColumnLimit: 120
+CommentPragmas: '^begin_wpp|^end_wpp|^FUNC |^USESUFFIX |^USESUFFIX '
+ConstructorInitializerAllOnOneLineOrOnePerLine: true
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
+Cpp11BracedListStyle: true
+DerivePointerAlignment: false
+ExperimentalAutoDetectBinPacking: false
+IndentCaseLabels: false
+IndentPPDirectives: AfterHash
+IndentWidth: 4
+KeepEmptyLinesAtTheStartOfBlocks: false
+Language: Cpp
+MacroBlockBegin: '^BEGIN_MODULE$|^BEGIN_TEST_CLASS$|^BEGIN_TEST_METHOD$'
+MacroBlockEnd: '^END_MODULE$|^END_TEST_CLASS$|^END_TEST_METHOD$'
+MaxEmptyLinesToKeep: 1
+NamespaceIndentation: None
+PointerAlignment: Right
+ReflowComments: true
+SortIncludes: false
+SpaceAfterCStyleCast: false
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeCtorInitializerColon: true
+SpaceBeforeCtorInitializerColon: true
+SpaceBeforeParens: ControlStatements
+SpaceBeforeRangeBasedForLoopColon: true
+SpaceInEmptyParentheses: false
+SpacesInAngles: false
+SpacesInCStyleCastParentheses: false
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+Standard: Cpp11
+StatementMacros: [
+    'EXTERN_C',
+    'PAGED',
+    'PAGEDX',
+    'NONPAGED',
+    'PNPCODE',
+    'INITCODE',
+    '_At_',
+    '_When_',
+    '_Success_',
+    '_Check_return_',
+    '_Must_inspect_result_',
+    '_IRQL_requires_',
+    '_IRQL_requires_max_',
+    '_IRQL_requires_min_',
+    '_IRQL_saves_',
+    '_IRQL_restores_',
+    '_IRQL_saves_global_',
+    '_IRQL_restores_global_',
+    '_IRQL_raises_',
+    '_IRQL_lowers_',
+    '_Acquires_lock_',
+    '_Releases_lock_',
+    '_Acquires_exclusive_lock_',
+    '_Releases_exclusive_lock_',
+    '_Acquires_shared_lock_',
+    '_Releases_shared_lock_',
+    '_Requires_lock_held_',
+    '_Use_decl_annotations_',
+    '_Guarded_by_',
+    '__drv_preferredFunction',
+    '__drv_allocatesMem',
+    '__drv_freesMem',
+    ]
+TabWidth: '4'
+UseTab: Never
diff --git a/CallMeWin32kDriver.sln b/CallMeWin32kDriver.sln
new file mode 100644
index 0000000..55c4273
--- /dev/null
+++ b/CallMeWin32kDriver.sln
@@ -0,0 +1,49 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.2.32519.379
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CallMeWin32kDriver", "CallMeWin32kDriver\CallMeWin32kDriver.vcxproj", "{F78E2281-0FA8-4370-887C-A50B6F6DE96D}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "win32bro", "win32bro\win32bro.vcxproj", "{81F19D96-3BC8-4179-9B14-C1E46119233D}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|ARM64 = Debug|ARM64
+		Debug|x64 = Debug|x64
+		Release|ARM64 = Release|ARM64
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{F78E2281-0FA8-4370-887C-A50B6F6DE96D}.Debug|ARM64.ActiveCfg = Debug|ARM64
+		{F78E2281-0FA8-4370-887C-A50B6F6DE96D}.Debug|ARM64.Build.0 = Debug|ARM64
+		{F78E2281-0FA8-4370-887C-A50B6F6DE96D}.Debug|ARM64.Deploy.0 = Debug|ARM64
+		{F78E2281-0FA8-4370-887C-A50B6F6DE96D}.Debug|x64.ActiveCfg = Debug|x64
+		{F78E2281-0FA8-4370-887C-A50B6F6DE96D}.Debug|x64.Build.0 = Debug|x64
+		{F78E2281-0FA8-4370-887C-A50B6F6DE96D}.Debug|x64.Deploy.0 = Debug|x64
+		{F78E2281-0FA8-4370-887C-A50B6F6DE96D}.Release|ARM64.ActiveCfg = Release|ARM64
+		{F78E2281-0FA8-4370-887C-A50B6F6DE96D}.Release|ARM64.Build.0 = Release|ARM64
+		{F78E2281-0FA8-4370-887C-A50B6F6DE96D}.Release|ARM64.Deploy.0 = Release|ARM64
+		{F78E2281-0FA8-4370-887C-A50B6F6DE96D}.Release|x64.ActiveCfg = Release|x64
+		{F78E2281-0FA8-4370-887C-A50B6F6DE96D}.Release|x64.Build.0 = Release|x64
+		{F78E2281-0FA8-4370-887C-A50B6F6DE96D}.Release|x64.Deploy.0 = Release|x64
+		{81F19D96-3BC8-4179-9B14-C1E46119233D}.Debug|ARM64.ActiveCfg = Debug|ARM64
+		{81F19D96-3BC8-4179-9B14-C1E46119233D}.Debug|ARM64.Build.0 = Debug|ARM64
+		{81F19D96-3BC8-4179-9B14-C1E46119233D}.Debug|ARM64.Deploy.0 = Debug|ARM64
+		{81F19D96-3BC8-4179-9B14-C1E46119233D}.Debug|x64.ActiveCfg = Debug|x64
+		{81F19D96-3BC8-4179-9B14-C1E46119233D}.Debug|x64.Build.0 = Debug|x64
+		{81F19D96-3BC8-4179-9B14-C1E46119233D}.Debug|x64.Deploy.0 = Debug|x64
+		{81F19D96-3BC8-4179-9B14-C1E46119233D}.Release|ARM64.ActiveCfg = Release|ARM64
+		{81F19D96-3BC8-4179-9B14-C1E46119233D}.Release|ARM64.Build.0 = Release|ARM64
+		{81F19D96-3BC8-4179-9B14-C1E46119233D}.Release|ARM64.Deploy.0 = Release|ARM64
+		{81F19D96-3BC8-4179-9B14-C1E46119233D}.Release|x64.ActiveCfg = Release|x64
+		{81F19D96-3BC8-4179-9B14-C1E46119233D}.Release|x64.Build.0 = Release|x64
+		{81F19D96-3BC8-4179-9B14-C1E46119233D}.Release|x64.Deploy.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {BCF8649F-AA5B-4BCF-B197-7EDE9A0BEFC4}
+	EndGlobalSection
+EndGlobal
diff --git a/CallMeWin32kDriver/CallMeWWWWWWin32k.cpp b/CallMeWin32kDriver/CallMeWWWWWWin32k.cpp
new file mode 100644
index 0000000..6e8e2f3
--- /dev/null
+++ b/CallMeWin32kDriver/CallMeWWWWWWin32k.cpp
@@ -0,0 +1,91 @@
+#include "Common.h"
+#include <ntimage.h>
+
+EXTERN_C
+__int64 __fastcall fnMmLoadSystemImage(
+    struct _UNICODE_STRING *DrvName,
+    const UNICODE_STRING *a2,
+    UNICODE_STRING *a3,
+    unsigned int a4_win32k_status,
+    ULONG64 *SectionPointer,
+    ULONG64 *BaseAddress);
+
+EXTERN_C
+PIMAGE_NT_HEADERS
+NTAPI
+RtlImageNtHeader(PVOID Base);
+
+__declspec(
+    noinline) long CallMeWin32kDriver(wchar_t *DriverPath, unsigned long DriverPathLength, bool NeedPrefix /*= true*/)
+{
+    long lStatus = -1;
+
+    unsigned long uDriverPathAllLength = DriverPathLength;
+
+    do
+    {
+        if (!DriverPath || !DriverPathLength)
+        {
+            break;
+        }
+
+        wchar_t wszDriverPath[MAX_PATH + 1];
+        RtlSecureZeroMemory(wszDriverPath, sizeof(wszDriverPath));
+
+        if (NeedPrefix)
+        {
+            strcat_w(wszDriverPath, (L"\\??\\"));
+        }
+
+        if (DriverPathLength < MAX_PATH * sizeof(wchar_t))
+        {
+            strcat_w(wszDriverPath, DriverPath);
+            if (NeedPrefix)
+            {
+                uDriverPathAllLength += 4 * sizeof(wchar_t);
+            }
+        }
+
+        UNICODE_STRING usDriverName;
+        usDriverName.Buffer = wszDriverPath;
+        usDriverName.Length = (USHORT)uDriverPathAllLength;
+        usDriverName.MaximumLength = MAX_PATH * sizeof(wchar_t);
+
+        UNICODE_STRING usMmLoadSystemImage;
+        RtlInitUnicodeString(&usMmLoadSystemImage, L"MmLoadSystemImage");
+
+        auto pMmLoadSystemImage = (decltype(&fnMmLoadSystemImage))(MmGetSystemRoutineAddress(&usMmLoadSystemImage));
+        if (pMmLoadSystemImage)
+        {
+            ULONG64 uSectionPointer = 0, uBaseAddress = 0;
+            lStatus = pMmLoadSystemImage(&usDriverName, 0, 0, 1, &uSectionPointer, &uBaseAddress);
+            if (NT_SUCCESS(lStatus) && uBaseAddress)
+            {
+                auto pImageNtHeader = RtlImageNtHeader((void *)uBaseAddress);
+                if (pImageNtHeader)
+                {
+                    // Fake Driver Object
+                    auto pNewDrvObj = (PDRIVER_OBJECT)ExAllocatePool(NonPagedPool, 0x1000);
+                    if (!pNewDrvObj)
+                    {
+                        __asm {int 3 }
+                    }
+
+                    RtlSecureZeroMemory(pNewDrvObj, 0x1000);
+                    pNewDrvObj->DriverStart = (PVOID)uBaseAddress;
+
+                    // Call OEP
+                    auto pOEP = (PDRIVER_INITIALIZE)(uBaseAddress + pImageNtHeader->OptionalHeader.AddressOfEntryPoint);
+                    lStatus = pOEP(pNewDrvObj, nullptr);
+                }
+            }
+        }
+        else
+        {
+            lStatus = STATUS_NOT_SUPPORTED;
+        }
+
+    } while (0);
+
+    return lStatus;
+}
diff --git a/CallMeWin32kDriver/CallMeWin32kDriver.vcxproj b/CallMeWin32kDriver/CallMeWin32kDriver.vcxproj
new file mode 100644
index 0000000..9263f9b
--- /dev/null
+++ b/CallMeWin32kDriver/CallMeWin32kDriver.vcxproj
@@ -0,0 +1,135 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|ARM64">
+      <Configuration>Debug</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|ARM64">
+      <Configuration>Release</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{F78E2281-0FA8-4370-887C-A50B6F6DE96D}</ProjectGuid>
+    <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
+    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+    <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
+    <Configuration>Debug</Configuration>
+    <Platform Condition="'$(Platform)' == ''">x64</Platform>
+    <RootNamespace>CallMeWin32kDriver</RootNamespace>
+    <WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>LLVM-MSVC_v143_KernelMode</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>
+    </DriverTargetPlatform>
+    <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>LLVM-MSVC_v143_KernelMode</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>
+    </DriverTargetPlatform>
+    <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>LLVM-MSVC_v143_KernelMode</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>LLVM-MSVC_v143_KernelMode</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <DriverSign>
+      <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+    </DriverSign>
+    <Link>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+    </Link>
+    <ClCompile>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <WarningLevel>Level3</WarningLevel>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <DriverSign>
+      <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+    </DriverSign>
+    <Link>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+    </Link>
+    <ClCompile>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <WarningLevel>Level3</WarningLevel>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+    <DriverSign>
+      <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+    </DriverSign>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
+    <DriverSign>
+      <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+    </DriverSign>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <FilesToPackage Include="$(TargetPath)" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="CallMeWWWWWWin32k.cpp" />
+    <ClCompile Include="Source.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="Common.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/CallMeWin32kDriver/CallMeWin32kDriver.vcxproj.filters b/CallMeWin32kDriver/CallMeWin32kDriver.vcxproj.filters
new file mode 100644
index 0000000..f297d89
--- /dev/null
+++ b/CallMeWin32kDriver/CallMeWin32kDriver.vcxproj.filters
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="Source.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="CallMeWWWWWWin32k.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="Common.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/CallMeWin32kDriver/Common.h b/CallMeWin32kDriver/Common.h
new file mode 100644
index 0000000..ea2e1b4
--- /dev/null
+++ b/CallMeWin32kDriver/Common.h
@@ -0,0 +1,28 @@
+#pragma once
+
+#include <fltKernel.h>
+
+#define MAX_PATH 260
+
+#define dprintf(...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, __VA_ARGS__)
+
+FORCEINLINE
+wchar_t *
+strcat_w(wchar_t *dest, const wchar_t *src)
+{
+    if ((dest == 0) || (src == 0))
+        return dest;
+
+    while (*dest != 0)
+        dest++;
+
+    while (*src != 0)
+    {
+        *dest = *src;
+        dest++;
+        src++;
+    }
+
+    *dest = 0;
+    return dest;
+}
diff --git a/CallMeWin32kDriver/Source.cpp b/CallMeWin32kDriver/Source.cpp
new file mode 100644
index 0000000..1f8943c
--- /dev/null
+++ b/CallMeWin32kDriver/Source.cpp
@@ -0,0 +1,50 @@
+#include "Common.h"
+
+EXTERN_C
+PCCHAR
+NTAPI
+PsGetProcessImageFileName(IN PEPROCESS Process);
+
+__declspec(
+    noinline) long CallMeWin32kDriver(wchar_t *DriverPath, unsigned long DriverPathLength, bool NeedPrefix = true);
+
+EXTERN_C
+NTSTATUS
+DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
+{
+    dprintf("new world!\n");
+
+    PEPROCESS pEpLsass = nullptr;
+    for (ULONG i = 0; i < 0x5000; i += 4)
+    {
+        PEPROCESS pEp = nullptr;
+        auto lStatus = PsLookupProcessByProcessId((HANDLE)i, &pEp);
+        if (!NT_SUCCESS(lStatus) || !pEp)
+        {
+            continue;
+        }
+
+        auto pName = PsGetProcessImageFileName(pEp);
+        // A more casual code
+        if (pName && strstr(pName, "lsass"))
+        {
+            pEpLsass = pEp;
+        }
+        ObDereferenceObject(pEp);
+
+        if (pEpLsass)
+        {
+            break;
+        }
+    }
+
+    if (pEpLsass)
+    {
+        KAPC_STATE ks;
+        KeStackAttachProcess(pEpLsass, &ks);
+        CallMeWin32kDriver(L"C:\\win32kbro.sys", wcslen(L"C:\\win32kbro.sys") * 2);
+        KeUnstackDetachProcess(&ks);
+    }
+
+    return STATUS_VIRUS_DELETED;
+}
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..48b5f0c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,13 @@
+# CallMeWin32kDriver
+Load your driver like win32k.sys
+
+![Q`NXJ7G@89G@K)6~5H8JA@6](https://user-images.githubusercontent.com/13917777/184930976-1ee5dd35-04a0-4d98-85a4-1f51074b9784.png)
+
+
+## Motivation
+This feature was analyzed from a certain PUBG cheat driver.
+
+
+## Compile
+- Visual Studio 2022 & WDK10
+- llvm-msvc [[link]](https://github.com/NewWorldComingSoon/llvm-msvc-build)
diff --git a/license b/license
new file mode 100644
index 0000000..1c3f914
--- /dev/null
+++ b/license
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 gmh5225
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/win32bro/Source.cpp b/win32bro/Source.cpp
new file mode 100644
index 0000000..a968a8a
--- /dev/null
+++ b/win32bro/Source.cpp
@@ -0,0 +1,12 @@
+
+#include <fltKernel.h>
+
+#define dprintf(...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, __VA_ARGS__)
+
+EXTERN_C
+NTSTATUS
+DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
+{
+    dprintf("end world!\n");
+    return 0;
+}
diff --git a/win32bro/win32bro.vcxproj b/win32bro/win32bro.vcxproj
new file mode 100644
index 0000000..c62f9b6
--- /dev/null
+++ b/win32bro/win32bro.vcxproj
@@ -0,0 +1,136 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|ARM64">
+      <Configuration>Debug</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|ARM64">
+      <Configuration>Release</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{81F19D96-3BC8-4179-9B14-C1E46119233D}</ProjectGuid>
+    <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
+    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+    <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
+    <Configuration>Debug</Configuration>
+    <Platform Condition="'$(Platform)' == ''">x64</Platform>
+    <RootNamespace>win32bro</RootNamespace>
+    <WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
+    <ProjectName>win32kbro</ProjectName>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>LLVM-MSVC_v143_KernelMode</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>
+    </DriverTargetPlatform>
+    <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>LLVM-MSVC_v143_KernelMode</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>
+    </DriverTargetPlatform>
+    <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>LLVM-MSVC_v143_KernelMode</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>LLVM-MSVC_v143_KernelMode</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <DriverSign>
+      <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+    </DriverSign>
+    <Link>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+    </Link>
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+    </ClCompile>
+    <ClCompile>
+      <TreatWarningAsError>false</TreatWarningAsError>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <DriverSign>
+      <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+    </DriverSign>
+    <Link>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+    </Link>
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+    </ClCompile>
+    <ClCompile>
+      <TreatWarningAsError>false</TreatWarningAsError>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+    <DriverSign>
+      <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+    </DriverSign>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
+    <DriverSign>
+      <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+    </DriverSign>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <FilesToPackage Include="$(TargetPath)" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="Source.cpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/win32bro/win32bro.vcxproj.filters b/win32bro/win32bro.vcxproj.filters
new file mode 100644
index 0000000..b92b0fb
--- /dev/null
+++ b/win32bro/win32bro.vcxproj.filters
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="Source.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file