CRZKD

Simple driver with an IOCTL communication method

Intended to be loaded with kdmapper: https://github.com/TheCruZ/kdmapper-1803-2004

The IOCTL function trampolines are placed at the end of the PAGE section of the tcpip.sys driver, in its alignment padding.

You should change areas where comments say "YOU MUST CHANGE THIS" for more undetectability

The IOCTL device name is \\.\NsiLookup, but you must change it.

Example usage: getting the PID and the base address of a process.

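// Open the device the driver exposes. The name must match the one the
// driver was built with (the README says to change it), so keep them in sync.
const HANDLE driver = CreateFile(
    L"\\\\.\\NsiLookup",
    GENERIC_ALL,
    FILE_SHARE_READ | FILE_SHARE_WRITE,
    nullptr,
    OPEN_EXISTING,
    FILE_ATTRIBUTE_NORMAL,
    nullptr
);

if (driver == INVALID_HANDLE_VALUE) {
    // Capture the error before MessageBox can overwrite the last-error value.
    const DWORD openError = GetLastError();
    MessageBox(NULL, L"Can't open", L"Error", 0);
    return openError;
}

const wchar_t* n = L"explorer.exe";

// Both structs are zero-initialised so that the name copied below stays
// NUL-terminated as long as it is shorter than the field.
PidBaseResponse result = { 0 };
PidBase cmd2 = { 0 };
// NOTE(review): the capacity of cmd2.name is not visible here; confirm that
// wcslen(n) + 1 wide characters fit before copying, otherwise this memcpy
// overruns the field.
memcpy(cmd2.name, n, wcslen(n) * sizeof(wchar_t));
// Addresses of the result fields the driver is expected to fill in.
cmd2.RetInfoPid = (uintptr_t)&result.pid;
cmd2.RetInfoAddr = (uintptr_t)&result.baseAddr;

// DeviceIoControl requires a non-NULL lpBytesReturned whenever lpOverlapped
// is NULL, even when no output buffer is used; passing NULL for it is an
// API misuse. The output buffer size is 0, not NULL, since it is a DWORD.
DWORD bytesReturned = 0;
const BOOL ok = DeviceIoControl(driver, GET_PID_AND_BASE, &cmd2, sizeof(PidBase),
                                NULL, 0, &bytesReturned, NULL);
// Save the failure code before CloseHandle/MessageBox can clobber it.
const DWORD ioctlError = ok ? ERROR_SUCCESS : GetLastError();
// The handle is not needed past this point; close it on every exit path
// instead of leaking it on the error returns below.
CloseHandle(driver);

if (!ok) {
    MessageBox(NULL, L"Unknown", L"Error", 0);
    return ioctlError;
}

if (result.pid == 0) {
    MessageBox(NULL, L"No info received", L"Error", 0);
    return FALSE;
}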

Have fun ;)