Я следовал учебному пособию о том, как сделать этот драйвер ядра (это чтение / запись в память и некоторые другие вещи). Я получил это:
#include <ntifs.h>
#include <ntddk.h>
#include <windef.h>
#include <wdf.h>
#include <ntdef.h>
#include "ntos.h"
DRIVER_INITIALIZE DriverEntry;
PDEVICE_OBJECT pDeviceObject;
UNICODE_STRING noname, eftnoname;
// Request Code To Read
#define IO_READ_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x512, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
// Request Code To Write
#define IO_WRITE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x513, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
// Request to retrieve the process id of eft process, from kernel space
#define IO_GET_ID_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x514, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
// Request to retrieve the base address of client.dll in Eft.exe from kernel space
#define IO_GET_MODULE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x515, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
UNICODE_STRING noname, eftnoname;
PDEVICE_OBJECT pDeviceObj;
ULONG eftId, GameManagerAddress;
typedef struct _KERNEL_READ_REQUEST
{
ULONG ProcessId;
ULONG Address;
ULONG Response;
ULONG Size;
} KERNEL_READ_REQUEST, * PKERNEL_READ_REQUEST;
typedef struct _KERNEL_WRITE_REQUEST
{
ULONG ProcessId;
ULONG Address;
ULONG Value;
ULONG Size;
} KERNEL_WRITE_REQUEST, * PKERNEL_WRITE_REQUEST;
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
WORD LoadCount;
WORD TlsIndex;
union
{
LIST_ENTRY HashLinks;
struct
{
PVOID SectionPointer;
ULONG CheckSum;
};
};
union
{
ULONG TimeDateStamp;
PVOID LoadedImports;
};
struct _ACTIVATION_CONTEXT* EntryPointActivationContext;
PVOID PatchInformation;
LIST_ENTRY ForwarderLinks;
LIST_ENTRY ServiceTagLinks;
LIST_ENTRY StaticLinks;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
PLOAD_IMAGE_NOTIFY_ROUTINE ImageLoadCallback(PUNICODE_STRING FullImageName,
HANDLE ProcessId, PIMAGE_INFO ImageInfo)
{
// Compare our string to input
if (wcsstr(FullImageName->Buffer, L"\\EscapeFromTarkov_Data\\Managed\\Assembly-CSharp.dll")) {
// if it matches
DbgPrintEx(0, 0, "Loaded Name: %ls \n", FullImageName->Buffer);
DbgPrintEx(0, 0, "Loaded To Process: %d \n", ProcessId);
GameManagerAddress = ImageInfo->ImageBase;
eftId = ProcessId;
}
}
NTSTATUS KeReadVirtualMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
{
PSIZE_T Bytes;
if (NT_SUCCESS(MmCopyVirtualMemory(Process, SourceAddress, PsGetCurrentProcess(),
TargetAddress, Size, KernelMode, &Bytes)))
return STATUS_SUCCESS;
else
return STATUS_ACCESS_DENIED;
}
NTSTATUS KeWriteVirtualMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
{
PSIZE_T Bytes;
if (NT_SUCCESS(MmCopyVirtualMemory(PsGetCurrentProcess(), SourceAddress, Process,
TargetAddress, Size, KernelMode, &Bytes)))
return STATUS_SUCCESS;
else
return STATUS_ACCESS_DENIED;
}
NTSTATUS DriverUnload(PDRIVER_OBJECT pDriverObject);
NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp);
NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp);
NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP irp);
NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT pDriverObject, _In_ PUNICODE_STRING RegistryPath)
{
DbgPrintEx(0, 0, "NoName Driver Loaded\n");
RtlInitUnicodeString(&noname, L"\\Device\\eftnoname"); // Giving the driver a name
RtlInitUnicodeString(&eftnoname, L"\\DosDevices\\eftnoname"); // Giving the driver a symbol
PLDR_DATA_TABLE_ENTRY CurDriverEntry = (PLDR_DATA_TABLE_ENTRY)pDriverObject->DriverSection;
PLDR_DATA_TABLE_ENTRY NextDriverEntry = (PLDR_DATA_TABLE_ENTRY)CurDriverEntry->InLoadOrderLinks.Flink;
PLDR_DATA_TABLE_ENTRY PrevDriverEntry = (PLDR_DATA_TABLE_ENTRY)CurDriverEntry->InLoadOrderLinks.Blink;
PrevDriverEntry->InLoadOrderLinks.Flink = CurDriverEntry->InLoadOrderLinks.Flink;
NextDriverEntry->InLoadOrderLinks.Blink = CurDriverEntry->InLoadOrderLinks.Blink;
CurDriverEntry->InLoadOrderLinks.Flink = (PLIST_ENTRY)CurDriverEntry;
CurDriverEntry->InLoadOrderLinks.Blink = (PLIST_ENTRY)CurDriverEntry;
IoCreateDevice(pDriverObject, 0, &noname, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObj);
IoCreateSymbolicLink(&eftnoname, &noname);
pDriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCall;
pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCall;
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoControl;
pDriverObject->DriverUnload = DriverUnload;
pDeviceObject->Flags |= DO_DIRECT_IO;
pDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
}
NTSTATUS DriverUnload(PDRIVER_OBJECT pDriverObject)
{
DbgPrintEx(0, 0, "NoName Unload routine called.\n");
PsRemoveLoadImageNotifyRoutine(ImageLoadCallback);
IoDeleteSymbolicLink(&eftnoname);
IoDeleteDevice(pDriverObject->DeviceObject);
}
NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
NTSTATUS Status;
ULONG BytesIO = 0;
PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
ULONG ControlCode = stack->Parameters.DeviceIoControl.IoControlCode;
if(ControlCode == IO_READ_REQUEST)
{
PKERNEL_READ_REQUEST ReadInput = (PKERNEL_READ_REQUEST)Irp->AssociatedIrp.SystemBuffer;
PKERNEL_READ_REQUEST ReadOutput = (PKERNEL_READ_REQUEST)Irp->AssociatedIrp.SystemBuffer;
PEPROCESS Process;
// Get our process
if (NT_SUCCESS(PsLookupProcessByProcessId(ReadInput->ProcessId, &Process)))
KeReadVirtualMemory(Process, ReadInput->Address,
&ReadInput->Response, ReadInput->Size);
BytesIO = sizeof(KERNEL_READ_REQUEST);
Status = STATUS_SUCCESS;
}
else if (ControlCode == IO_WRITE_REQUEST)
{
// Get the input buffer & format it to our struct
PKERNEL_WRITE_REQUEST WriteInput = (PKERNEL_WRITE_REQUEST)Irp->AssociatedIrp.SystemBuffer;
PEPROCESS Process;
// Get our process
if (NT_SUCCESS(PsLookupProcessByProcessId(WriteInput->ProcessId, &Process)))
KeWriteVirtualMemory(Process, &WriteInput->Value,
WriteInput->Address, WriteInput->Size);
BytesIO = sizeof(KERNEL_WRITE_REQUEST);
Status = STATUS_SUCCESS;
}
else if (ControlCode == IO_GET_ID_REQUEST)
{
PULONG OutPut = (PULONG)Irp->AssociatedIrp.SystemBuffer;
*OutPut = eftId;
DbgPrintEx(0, 0, "id get %#010x", eftId);
Status = STATUS_SUCCESS;
BytesIO = sizeof(*OutPut);
}
else if (ControlCode == IO_GET_MODULE_REQUEST)
{
PULONG OutPut = (PULONG)Irp->AssociatedIrp.SystemBuffer;
*OutPut = GameManagerAddress;
DbgPrintEx(0, 0, "Module get %#010x", GameManagerAddress);
Status = STATUS_SUCCESS;
BytesIO = sizeof(*OutPut);
}
else
{
// if the code is unknown
Status = STATUS_INVALID_PARAMETER;
BytesIO = 0;
}
// Complete the request
Irp->IoStatus.Status = Status;
Irp->IoStatus.Information = BytesIO;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Status;
}
NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
irp->IoStatus.Status = STATUS_SUCCESS;
irp->IoStatus.Information = 0;
IoCompleteRequest(irp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
irp->IoStatus.Status = STATUS_SUCCESS;
irp->IoStatus.Information = 0;
IoCompleteRequest(irp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
ntos.h имеет защиту для MmCopyVirtualMemory (
NTSTATUS NTAPI MmCopyVirtualMemory
(
PEPROCESS SourceProcess,
PVOID SourceAddress,
PEPROCESS TargetProcess,
PVOID TargetAddress,
SIZE_T BufferSize,
KPROCESSOR_MODE PreviousMode,
PSIZE_T ReturnSize
);
), которая должна быть в порядке, но я получаю ошибку в строке 66, потому что структура. Я не понимаю, что я сделал не так. Я совершенно новый, поэтому я приму любую помощь, которую смогу получить. Если у вас есть учебник или ссылки, которые я мог бы использовать для продолжения моего проекта, это было бы круто! Заранее спасибо