Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/Kharos102/ReadWriteDriverSample
Last synced: 5 days ago
- Host: GitHub
- URL: https://github.com/Kharos102/ReadWriteDriverSample
- Owner: Kharos102
- Created: 2024-02-21T22:18:40.000Z (9 months ago)
- Default Branch: main
- Last Pushed: 2024-04-28T16:32:20.000Z (7 months ago)
- Last Synced: 2024-08-02T15:36:51.828Z (3 months ago)
- Language: Rust
- Size: 5.18 MB
- Stars: 22
- Watchers: 1
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Overview
Sample driver + user component to demonstrate writing into arbitrary process memory from the kernel via CR3 manipulation (as opposed to the usual KeStackAttachProcess API).
Note: Only for fun and demonstration.
# Fun
There are a few fun techniques in this that have been individually useful outside of this demo project. These include:
- Halting all other cores/threads on the machine except the one executing my own code
- Providing Windows-specific and alternative x86-generic methods for certain things (e.g. IRQLs vs. CR8)
- Resolving offsets of unexported structures and union fields at runtime via runtime PDB parsing (instead of hardcoding offsets, etc.)
- Modifying arbitrary user process memory from the kernel without KeStackAttachProcess (optionally checking VaSpaceDeleted via PDB-provided offsets)
- Surviving page faults at IRQL >= DISPATCH_LEVEL without try/catch or letting the kernel log the fault, achieved via IDT hijacking

This thing is also written in Rust.
For PDB parsing, I pulled in and modified pdblister (https://github.com/microsoft/pdblister) to support building it as a lib.
# How to Use
- Navigate to `read_write_driver`
- Run `cargo make` (sometimes the first run needs to be done as administrator; you can safely ignore any "missing INF" related errors/warnings that pop up. The build process is also documented here: https://github.com/microsoft/windows-drivers-rs)
- Copy the driver (e.g. for debug builds it'll be `read_write_driver\target\debug\read_write_driver.sys`) to your target machine/VM
- Start the driver (e.g. in an administrator cmd prompt run `sc create readwrite binPath= C:\code\read_write_driver.sys type= kernel` followed by `sc start readwrite`. Replace the paths with your own)
- Navigate to `read_write_user` and build (e.g. `cargo build` or `cargo build --release`)
- Copy the binary (either `read_write_user\target\debug\read_write_user.exe` or `read_write_user\target\release\read_write_user.exe`) to your target machine/VM
- Find a PID and an address in that PID you want to overwrite (e.g. launch notepad.exe, note that its PID is 0x1234, attach a debugger and find some address in the target)
- If the address is valid and paged in, it'll be overwritten with hardcoded sample bytes; if the address is invalid, the driver will return an error to our userland process. No BSOD should occur either way.
- Run the userland process. To run the example that leverages runtime PDB parsing, add the `--use-symbols` flag, e.g. `read_write_user.exe --pid 0x1234 --address 0x100000 --use-symbols`. The address can be specified in hex (prefixed by `0x`) or in decimal without the prefix.
- If no error was displayed by the userland process, observe the modified bytes at your chosen address.