//
// Body of the DxgkPresent hook. Presumably reached from the DxgkPresentHook
// trampoline that InstallDxgkPresentHook() patches into dxgkrnl!DxgkPresent;
// that stub is not visible in this file, so confirm the call path there.
//
// The only filtering is the process check below: whatever is added here runs
// on the present path of *every* process on the box unless that check rejects
// it, so keep the work short and IRQL-safe (the IRQL at this point is not
// established here).
//
void DxgkPresentHook_internal()
{
    const bool forTargetProcess = Memory::IsTargetProcess();
    if (forTargetProcess)
    {
        //
        // Write your code here
        //
    }
}
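//
// Inline-patch the first bytes of dxgkrnl!DxgkPresent with an absolute jump to
// DxgkPresentHook (mov rax, imm64 ; jmp rax) and record, in the global
// original_DxgkPresent, where the trampoline should resume the original.
//
// Side effects: modifies kernel code that is shared by every process on the
// system. This is exactly the kind of kernel code modification that kernel
// patch protection exists to detect; whether dxgkrnl is in its monitored set
// on the target build is not established here. Does nothing if dxgkrnl.sys or
// the export cannot be found or the MDL mapping fails (no status is returned
// to the caller).
//
// Fixes vs. the previous revision: `func` was used before it was declared,
// the void function contained `return false;`, and a NULL module or export
// address would have been passed straight into IoAllocateMdl.
//
void InstallDxgkPresentHook()
{
    //
    // 48 B8 <imm64>   mov rax, imm64
    // FF E0           jmp rax
    //
    BYTE hook[] =
    {
        0x48, 0xB8, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
        0xFF, 0xE0
    };

    auto dxgkrnl = GetKernelModuleBase("dxgkrnl.sys");
    if (dxgkrnl == NULL)
    {
        return;
    }
    auto func = GetProcAddress(dxgkrnl, "DxgkPresent");
    if (func == NULL)
    {
        return;
    }

    // Patch the jump target into the imm64 slot (offset 2 of the stub).
    *(__int64*)(hook + 2) = (__int64)DxgkPresentHook;

    // Resume point for the trampoline. 0x13 is larger than the 12-byte patch,
    // so DxgkPresentHook is expected to re-execute the first 0x13 bytes of the
    // original prologue itself. That offset is tied to one particular dxgkrnl
    // build -- NOTE(review): verify it (or derive it with a length
    // disassembler) before running on another Windows version; resuming
    // mid-instruction crashes the machine.
    original_DxgkPresent = (__int64)((__int64)func + 0x13);

    // Write through a separate RW system mapping of the code bytes rather
    // than the image mapping itself. Only the bytes actually patched are
    // described by the MDL.
    PMDL pMdl = IoAllocateMdl(func, sizeof(hook), FALSE, FALSE, NULL);
    if (pMdl == NULL)
    {
        return;
    }

    // NOTE(review): MmProbeAndLockPages raises a structured exception on
    // failure instead of returning a status; this call must be wrapped in
    // __try/__except before the driver is relied on.
    MmProbeAndLockPages(pMdl, KernelMode, IoReadAccess);

    PVOID MappingData = MmMapLockedPagesSpecifyCache(pMdl, KernelMode, MmNonCached, NULL, FALSE, NormalPagePriority);
    if (MappingData == NULL)
    {
        MmUnlockPages(pMdl);
        IoFreeMdl(pMdl);
        return;
    }

    // The locked pages were probed for read; make the new system mapping
    // writable so the stub can be copied in.
    if (!NT_SUCCESS(MmProtectMdlSystemAddress(pMdl, PAGE_READWRITE)))
    {
        MmUnmapLockedPages(MappingData, pMdl);
        MmUnlockPages(pMdl);
        IoFreeMdl(pMdl);
        return;
    }

    RtlCopyMemory(MappingData, hook, sizeof(hook));

    MmUnmapLockedPages(MappingData, pMdl);
    MmUnlockPages(pMdl);
    IoFreeMdl(pMdl);
}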
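//
// Find the first running process whose image name is "d3d11.exe", attach to
// it and call InstallDxgkPresentHook() from that context.
//
// Returns true if a matching process was found and the hook install was
// attempted (InstallDxgkPresentHook() reports no status, so true does not
// mean the patch succeeded). Returns false if the process list could not be
// obtained or no process matched.
//
// Fixes vs. the previous revision: the walk stopped one entry short (the last
// SYSTEM_PROCESS_INFORMATION entry has NextEntryOffset == 0 and was never
// compared), the PsLookupProcessByProcessId status was ignored, and the name
// compare was case-sensitive although Windows image names are not.
//
// NOTE(review): matching on image name alone is weak -- any process called
// d3d11.exe, whoever started it, satisfies this check. Only the attach
// context depends on it; the per-call filtering is Memory::IsTargetProcess()
// inside the hook.
//
bool FindProcess()
{
    UNICODE_STRING TargetImageName = RTL_CONSTANT_STRING(L"d3d11.exe");

    // NQSI() is assumed to hand back a pool allocation that the caller frees
    // with ExFreePool (as before), or NULL on failure -- confirm in its
    // definition, which is not visible here.
    PSYSTEM_PROCESS_INFO Buffer = (PSYSTEM_PROCESS_INFO)NQSI(SystemProcessInformation);
    if (Buffer == NULL)
    {
        return false;
    }

    bool hooked = false;
    PSYSTEM_PROCESS_INFO Spi = Buffer;
    for (;;)
    {
        // Case-insensitive: Windows image names are not case-sensitive.
        if (RtlCompareUnicodeString(&Spi->ImageName, &TargetImageName, TRUE) == 0)
        {
            PEPROCESS Process = nullptr;
            if (NT_SUCCESS(PsLookupProcessByProcessId(Spi->UniqueProcessId, &Process)) && Process != nullptr)
            {
                // Attach before patching -- presumably so the write happens
                // from a context that has dxgkrnl's mapping; detach before
                // dropping the reference taken by PsLookupProcessByProcessId.
                KAPC_STATE apc{};
                KeStackAttachProcess(Process, &apc);
                InstallDxgkPresentHook();
                KeUnstackDetachProcess(&apc);
                ObDereferenceObject(Process);
                hooked = true;
                break;
            }
        }

        // NextEntryOffset == 0 marks the final entry; test it *after* the
        // compare so the last process in the list is not skipped.
        if (Spi->NextEntryOffset == 0)
        {
            break;
        }
        Spi = PSYSTEM_PROCESS_INFO((char*)Spi + Spi->NextEntryOffset);
    }

    ExFreePool(Buffer);
    return hooked;
}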
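//
// Driver entry. Polls the process list until a "d3d11.exe" process exists and
// the DxgkPresent hook install has been attempted, then returns.
//
// The parameterless signature (no DRIVER_OBJECT / registry path) and the
// absence of any dispatch or unload setup suggest the driver is loaded by a
// manual mapper rather than the service control manager -- not established
// here.
//
// Fixes vs. the previous revision: the wait was a tight `while (true)` spin
// that pinned one CPU and re-queried the entire process list back to back.
// Returns STATUS_SUCCESS once the hook attempt has been made; as before it
// never returns if the process never appears -- NOTE(review): add a bounded
// retry count if hanging the loading thread is unacceptable.
//
NTSTATUS DriverEntry()
{
    // Relative (negative) interval in 100-ns units: 100 ms between polls.
    // KeDelayExecutionThread requires PASSIVE_LEVEL, which is where DriverEntry
    // is expected to run.
    LARGE_INTEGER pollInterval;
    pollInterval.QuadPart = -10LL * 1000 * 100;

    while (!FindProcess())
    {
        KeDelayExecutionThread(KernelMode, FALSE, &pollInterval);
    }

    return STATUS_SUCCESS;
}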