This commit is contained in:
Dario Pendic 2020-09-01 16:54:17 +02:00
commit d94db7264e
24 changed files with 1743 additions and 0 deletions

345
.gitignore vendored Normal file

@ -0,0 +1,345 @@
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
# User-specific files
*.rsuser
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
[Aa][Rr][Mm]/
[Aa][Rr][Mm]64/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# Visual Studio 2017 auto generated files
Generated\ Files/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUNIT
*.VisualState.xml
TestResult.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# Benchmark Results
BenchmarkDotNet.Artifacts/
# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
# StyleCop
StyleCopReport.xml
# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# Visual Studio Trace Files
*.e2e
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# JustCode is a .NET coding add-in
.JustCode
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json
# Visual Studio code coverage results
*.coverage
*.coveragexml
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs
# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# ASP.NET Core default setup: bower directory is configured as wwwroot/lib/ and bower restore is true
**/wwwroot/lib/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak
# SQL Server files
*.mdf
*.ldf
*.ndf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser
*- Backup*.rdl
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Paket dependency manager
.paket/paket.exe
paket-files/
# FAKE - F# Make
.fake/
# JetBrains Rider
.idea/
*.sln.iml
# CodeRush personal settings
.cr/personal
# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc
# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config
# Tabs Studio
*.tss
# Telerik's JustMock configuration file
*.jmconfig
# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs
# OpenCover UI analysis results
OpenCover/
# Azure Stream Analytics local run output
ASALocalRun/
# MSBuild Binary and Structured Log
*.binlog
# NVidia Nsight GPU debugger configuration file
*.nvuser
# MFractors (Xamarin productivity tool) working folder
.mfractor/
# Local History for Visual Studio
.localhistory/
# BeatPulse healthcheck temp database
healthchecksdb
# Backup folder for Package Reference Convert tool in Visual Studio 2017
MigrationBackup/


@ -0,0 +1,48 @@
#pragma once
#include "ntapi.hpp"
#define ACTIVE_PROCESS_LINKS_FLINK 0x2f0
#define IMAGE_FILE_NAME 0x450
#define NF_GET_PROCESS_ID CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9000, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define NF_GET_MODULE CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9001, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define NF_READ_MEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9002, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define NF_WRITE_MEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9003, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define NF_MOUSE_EVENT CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9004, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
typedef struct _NF_PROCESS_ID_REQUEST
{
ULONG process_id;
char process_name[64];
}NF_PROCESS_ID_REQUEST, *PNF_PROCESS_ID_REQUEST;
typedef struct _NF_MODULE_REQUEST
{
ULONG process_id;
ULONG address;
wchar_t module_name[64];
}NF_MODULE_REQUEST, *PNF_MODULE_REQUEST;
typedef struct _NF_READ_REQUEST
{
ULONG process_id;
ULONG address;
ULONG buffer;
ULONG size;
}NF_READ_REQUEST, *PNF_READ_REQUEST;
typedef struct _NF_WRITE_REQUEST
{
ULONG process_id;
ULONG address;
ULONG buffer;
ULONG size;
}NF_WRITE_REQUEST, *PNF_WRITE_REQUEST;
typedef struct _NF_MOUSE_REQUEST
{
long x;
long y;
unsigned short button_flags;
}NF_MOUSE_REQUEST, * PNF_MOUSE_REQUEST;
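Review bot: `ACTIVE_PROCESS_LINKS_FLINK 0x2f0` and `IMAGE_FILE_NAME 0x450` are raw EPROCESS field offsets that hold only for the kernel build they were read from, and this header does not record which one; memory::get_process_id_by_name in memory.cpp walks the whole process list through them, so on any other build the walk dereferences unrelated memory. Record the provenance next to them, e.g. `// EPROCESS field offsets for one specific ntoskrnl build (TODO: record the build number they were taken from); wrong on any other build`. The `ULONG address` and `ULONG buffer` fields of NF_READ_REQUEST/NF_WRITE_REQUEST also deserve a one-line comment stating they are 32-bit values, since get_module_base only consults the WOW64 PEB, so the interface presumably cannot address a 64-bit target.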

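--- a/kernelmode/dispatch.cpp
+++ b/kernelmode/dispatch.cpp
@@ -0,0 +1,102 @@
+#include "dispatch.hpp"
+MOUSE_OBJECT mouse_obj = { 0 };
+NTSTATUS dispatch::handler(PDEVICE_OBJECT device_object, PIRP irp)
+{
+UNREFERENCED_PARAMETER(device_object);
+if (!mouse_obj.service_callback || !mouse_obj.mouse_device) { mouse::init_mouse(&mouse_obj); }
+NTSTATUS status = STATUS_INVALID_PARAMETER;
+ULONG bytes_io = 0;
+PIO_STACK_LOCATION pio = IoGetCurrentIrpStackLocation(irp);
+ULONG ioctl = pio->Parameters.DeviceIoControl.IoControlCode;
+if (ioctl == NF_GET_PROCESS_ID)
+{
+PNF_PROCESS_ID_REQUEST process_id_request = (PNF_PROCESS_ID_REQUEST)irp->AssociatedIrp.SystemBuffer;
+process_id_request->process_id = memory::get_process_id_by_name(IoGetCurrentProcess(), process_id_request->process_name);
+if (process_id_request->process_id) { status = STATUS_SUCCESS; }
+bytes_io = sizeof(NF_PROCESS_ID_REQUEST);
+DbgPrintEx(0, 0, "[norsefire]: NF_GET_PROCESS_ID\n");
+}
+else if (ioctl == NF_GET_MODULE)
+{
+PNF_MODULE_REQUEST module_request = (PNF_MODULE_REQUEST)irp->AssociatedIrp.SystemBuffer;
+PEPROCESS target_process = 0;
+if (NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)module_request->process_id, &target_process)))
+{
+KAPC_STATE apc;
+KeStackAttachProcess(target_process, &apc);
+ULONG base = memory::get_module_base(target_process, module_request->module_name);
+KeUnstackDetachProcess(&apc);
+if (base)
+{
+module_request->address = base;
+status = STATUS_SUCCESS;
+}
+bytes_io = sizeof(NF_MODULE_REQUEST);
+DbgPrintEx(0, 0, "[norsefire]: NF_GET_MODULE\n");
+}
+}
+else if (ioctl == NF_READ_MEMORY)
+{
+PNF_READ_REQUEST read_request = (PNF_READ_REQUEST)irp->AssociatedIrp.SystemBuffer;
+PEPROCESS target_process = 0;
+if (NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)read_request->process_id, &target_process)))
+{
+status = memory::read_memory(target_process, (void*)read_request->address, &read_request->buffer, read_request->size);
+}
+bytes_io = sizeof(NF_READ_REQUEST);
+DbgPrintEx(0, 0, "[norsefire]: NF_READ_MEMORY\n");
+}
+else if (ioctl == NF_WRITE_MEMORY)
+{
+PNF_WRITE_REQUEST write_request = (PNF_WRITE_REQUEST)irp->AssociatedIrp.SystemBuffer;
+PEPROCESS target_process = 0;
+if (NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)write_request->process_id, &target_process)))
+{
+status = memory::write_memory(target_process, &write_request->buffer, (void*)write_request->address, write_request->size);
+}
+bytes_io = sizeof(NF_WRITE_REQUEST);
+DbgPrintEx(0, 0, "[norsefire]: NF_WRITE_MEMORY\n");
+}
+else if (ioctl == NF_MOUSE_EVENT)
+{
+PNF_MOUSE_REQUEST mouse_request = (PNF_MOUSE_REQUEST)irp->AssociatedIrp.SystemBuffer;
+mouse::mouse_event(mouse_obj, mouse_request->x, mouse_request->y, mouse_request->button_flags);
+status = STATUS_SUCCESS;
+bytes_io = sizeof(NF_MOUSE_REQUEST);
+DbgPrintEx(0, 0, "[norsefire]: NF_MOUSE_EVENT\n");
+}
+else
+{
+status = STATUS_INVALID_PARAMETER;
+bytes_io = 0;
+DbgPrintEx(0, 0, "[norsefire]: NF_FAILED_REQUEST\n");
+}
+irp->IoStatus.Status = status;
+irp->IoStatus.Information = bytes_io;
+IoCompleteRequest(irp, IO_NO_INCREMENT);
+return status;
+}
+NTSTATUS dispatch::create_call(PDEVICE_OBJECT device_object, PIRP irp)
+{
+UNREFERENCED_PARAMETER(device_object);
+irp->IoStatus.Status = STATUS_SUCCESS;
+irp->IoStatus.Information = 0;
+IoCompleteRequest(irp, IO_NO_INCREMENT);
+return STATUS_SUCCESS;
+}
+NTSTATUS dispatch::close_call(PDEVICE_OBJECT device_object, PIRP irp)
+{
+UNREFERENCED_PARAMETER(device_object);
+irp->IoStatus.Status = STATUS_SUCCESS;
+irp->IoStatus.Information = 0;
+IoCompleteRequest(irp, IO_NO_INCREMENT);
+return STATUS_SUCCESS;
+}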
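Review bot: None of the IOCTL branches in dispatch::handler checks `pio->Parameters.DeviceIoControl.InputBufferLength`/`OutputBufferLength` before casting `irp->AssociatedIrp.SystemBuffer` to the request struct, so a request shorter than the struct is read and written past the end of the system buffer; the NF_READ_MEMORY branch is worse, because it copies a caller-chosen `read_request->size` bytes into `&read_request->buffer`, a 4-byte field, which spills into pool for any size above `sizeof(read_request->buffer)` (NF_WRITE_MEMORY reads past that field the same way). The string fields should also be forced NUL-terminated before use, e.g. `process_id_request->process_name[sizeof(process_id_request->process_name) - 1] = 0;`, since memory.cpp runs strcmp/wcscmp on them. The `PEPROCESS` returned by `PsLookupProcessByProcessId` in the module, read and write branches is never released with `ObDereferenceObject`, so every successful request pins the target process. The NF_MOUSE_EVENT branch calls `mouse::mouse_event` even when the `mouse::init_mouse` call at the top failed (its status is ignored) and `mouse_obj.service_callback` is still null; it should fail with `STATUS_DEVICE_NOT_READY` instead. The excerpt below shows the read branch with the length bound and the dereference; the same pattern applies to the other branches.
```cpp
NTSTATUS dispatch::handler(PDEVICE_OBJECT device_object, PIRP irp)
{
    // … unchanged: mouse init, locals, ioctl lookup …
    ULONG in_len = pio->Parameters.DeviceIoControl.InputBufferLength;
    ULONG out_len = pio->Parameters.DeviceIoControl.OutputBufferLength;
    // … unchanged: NF_GET_PROCESS_ID / NF_GET_MODULE branches (same length check and dereference apply) …
    else if (ioctl == NF_READ_MEMORY)
    {
        PNF_READ_REQUEST read_request = (PNF_READ_REQUEST)irp->AssociatedIrp.SystemBuffer;
        // reject short buffers and sizes that would spill past the 4-byte `buffer` field
        if (in_len < sizeof(NF_READ_REQUEST) || out_len < sizeof(NF_READ_REQUEST)
            || read_request->size > sizeof(read_request->buffer))
        {
            status = STATUS_BUFFER_TOO_SMALL;
        }
        else
        {
            PEPROCESS target_process = 0;
            if (NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)read_request->process_id, &target_process)))
            {
                status = memory::read_memory(target_process, (void*)read_request->address, &read_request->buffer, read_request->size);
                ObDereferenceObject(target_process); // PsLookupProcessByProcessId returns a referenced object
            }
            bytes_io = sizeof(NF_READ_REQUEST);
        }
        DbgPrintEx(0, 0, "[norsefire]: NF_READ_MEMORY\n");
    }
    // … unchanged: NF_WRITE_MEMORY / NF_MOUSE_EVENT / default branches and IRP completion …
```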

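--- a/kernelmode/dispatch.hpp
+++ b/kernelmode/dispatch.hpp
@@ -0,0 +1,12 @@
+#pragma once
+#include "memory.hpp"
+namespace dispatch
+{
+NTSTATUS handler(PDEVICE_OBJECT device_object, PIRP irp);
+NTSTATUS create_call(PDEVICE_OBJECT device_object, PIRP irp);
+NTSTATUS close_call(PDEVICE_OBJECT device_object, PIRP irp);
+}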

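--- a/kernelmode/driver.cpp
+++ b/kernelmode/driver.cpp
@@ -0,0 +1,33 @@
+#include "dispatch.hpp"
+PDEVICE_OBJECT device_object;
+UNICODE_STRING dev, dos;
+void unload(PDRIVER_OBJECT driver_object)
+{
+IoDeleteSymbolicLink(&dos);
+IoDeleteDevice(driver_object->DeviceObject);
+DbgPrintEx(0, 0, "[norsefire]: Driver unloaded\n");
+}
+extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path)
+{
+UNREFERENCED_PARAMETER(registry_path);
+RtlInitUnicodeString(&dev, L"\\Device\\norsefire");
+RtlInitUnicodeString(&dos, L"\\DosDevices\\norsefire");
+IoCreateDevice(driver_object, 0, &dev, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &device_object);
+IoCreateSymbolicLink(&dos, &dev);
+driver_object->MajorFunction[IRP_MJ_CREATE] = dispatch::create_call;
+driver_object->MajorFunction[IRP_MJ_CLOSE] = dispatch::close_call;
+driver_object->MajorFunction[IRP_MJ_DEVICE_CONTROL] = dispatch::handler;
+driver_object->DriverUnload = unload;
+device_object->Flags |= DO_DIRECT_IO;
+device_object->Flags &= ~DO_DEVICE_INITIALIZING;
+DbgPrintEx(0, 0, "[norsefire]: Driver loaded\n");
+return STATUS_SUCCESS;
+}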
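Review bot: The `IoCreateDevice` result in DriverEntry is discarded, so when it fails `device_object` stays null and `device_object->Flags |= DO_DIRECT_IO` a few lines later dereferences it; the `IoCreateSymbolicLink` result is discarded too, leaving a device without its DosDevices link when that call fails. Separately, the device is created with plain `IoCreateDevice` and no security descriptor, so any local user who can open `\\DosDevices\\norsefire` reaches the process memory read/write IOCTLs in dispatch.cpp; creating it with `IoCreateDeviceSecure` and an administrator-only SDDL such as `SDDL_DEVOBJ_SYS_ALL_ADM_ALL` (or an equivalent ACL in the INF) confines that to administrators. `DO_DIRECT_IO` also has no effect on the METHOD_BUFFERED control codes this driver handles — it only governs read/write IRPs — so that line is dead weight. The excerpt below adds the two status checks with cleanup.
```cpp
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path)
{
    // … unchanged: registry_path, RtlInitUnicodeString calls …
    NTSTATUS status = IoCreateDevice(driver_object, 0, &dev, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &device_object);
    if (!NT_SUCCESS(status)) { return status; } // device_object is null here; nothing to clean up
    status = IoCreateSymbolicLink(&dos, &dev);
    if (!NT_SUCCESS(status))
    {
        IoDeleteDevice(device_object);
        return status;
    }
    // … unchanged: MajorFunction table, DriverUnload, Flags, return …
```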

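--- a/kernelmode/kernelmode.inf
+++ b/kernelmode/kernelmode.inf
@@ -0,0 +1,86 @@
+;
+; kernelmode.inf
+;
+[Version]
+Signature="$WINDOWS NT$"
+Class=Sample ; TODO: edit Class
+ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
+Provider=%ManufacturerName%
+CatalogFile=kernelmode.cat
+DriverVer= ; TODO: set DriverVer in stampinf property pages
+[DestinationDirs]
+DefaultDestDir = 12
+kernelmode_Device_CoInstaller_CopyFiles = 11
+; ================= Class section =====================
+[ClassInstall32]
+Addreg=SampleClassReg
+[SampleClassReg]
+HKR,,,0,%ClassName%
+HKR,,Icon,,-5
+[SourceDisksNames]
+1 = %DiskName%,,,""
+[SourceDisksFiles]
+kernelmode.sys = 1,,
+WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
+;*****************************************
+; Install Section
+;*****************************************
+[Manufacturer]
+%ManufacturerName%=Standard,NT$ARCH$
+[Standard.NT$ARCH$]
+%kernelmode.DeviceDesc%=kernelmode_Device, Root\kernelmode ; TODO: edit hw-id
+[kernelmode_Device.NT]
+CopyFiles=Drivers_Dir
+[Drivers_Dir]
+kernelmode.sys
+;-------------- Service installation
+[kernelmode_Device.NT.Services]
+AddService = kernelmode,%SPSVCINST_ASSOCSERVICE%, kernelmode_Service_Inst
+; -------------- kernelmode driver install sections
+[kernelmode_Service_Inst]
+DisplayName = %kernelmode.SVCDESC%
+ServiceType = 1 ; SERVICE_KERNEL_DRIVER
+StartType = 3 ; SERVICE_DEMAND_START
+ErrorControl = 1 ; SERVICE_ERROR_NORMAL
+ServiceBinary = %12%\kernelmode.sys
+;
+;--- kernelmode_Device Coinstaller installation ------
+;
+[kernelmode_Device.NT.CoInstallers]
+AddReg=kernelmode_Device_CoInstaller_AddReg
+CopyFiles=kernelmode_Device_CoInstaller_CopyFiles
+[kernelmode_Device_CoInstaller_AddReg]
+HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
+[kernelmode_Device_CoInstaller_CopyFiles]
+WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
+[kernelmode_Device.NT.Wdf]
+KmdfService = kernelmode, kernelmode_wdfsect
+[kernelmode_wdfsect]
+KmdfLibraryVersion = $KMDFVERSION$
+[Strings]
+SPSVCINST_ASSOCSERVICE= 0x00000002
+ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
+ClassName="Samples" ; TODO: edit ClassName
+DiskName = "kernelmode Installation Disk"
+kernelmode.DeviceDesc = "kernelmode Device"
+kernelmode.SVCDESC = "kernelmode Service"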
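Review bot: The INF still carries the project template's placeholders — `Class=Sample`, the sample `ClassGuid`, `ClassName="Samples"` and `ManufacturerName="<Your manufacturer name>"`, each flagged by its own `; TODO` comment — so the package as written installs under a made-up device class with a placeholder vendor; only `DriverVer=` is filled by the stampinf build step. The `[kernelmode_Device.NT.Wdf]`/`KmdfService` and WdfCoInstaller sections also bind the service to KMDF, while DriverEntry in driver.cpp is a plain WDM entry point with no `WdfDriverCreate` call; one of the two presumably needs to change, or the KMDF sections should be dropped.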


@ -0,0 +1,182 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM64">
<Configuration>Debug</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM64">
<Configuration>Release</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}</ProjectGuid>
<TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
<MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
<Configuration>Debug</Configuration>
<Platform Condition="'$(Platform)' == ''">Win32</Platform>
<RootNamespace>kernelmode</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Desktop</DriverTargetPlatform>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<EnableInf2cat>false</EnableInf2cat>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<DebugInformationFormat>None</DebugInformationFormat>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
<Link>
<GenerateDebugInformation>false</GenerateDebugInformation>
<TreatLinkerWarningAsErrors>true</TreatLinkerWarningAsErrors>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<Inf Include="kernelmode.inf" />
</ItemGroup>
<ItemGroup>
<FilesToPackage Include="$(TargetPath)" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="dispatch.cpp" />
<ClCompile Include="driver.cpp" />
<ClCompile Include="memory.cpp" />
<ClCompile Include="mouse.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="definitions.hpp" />
<ClInclude Include="dispatch.hpp" />
<ClInclude Include="memory.hpp" />
<ClInclude Include="mouse.hpp" />
<ClInclude Include="ntapi.hpp" />
<ClInclude Include="ntstructs.hpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
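Review bot: `<SpectreMitigation>false</SpectreMitigation>` and `<EnableInf2cat>false</EnableInf2cat>` are set only for Release|x64, so the one configuration most likely to be shipped is built without the Spectre-mitigated runtime libraries and without a catalog, while every other configuration keeps the defaults; `<DriverTargetPlatform>Desktop</DriverTargetPlatform>` differs from the `Universal` used elsewhere in the same way. If these are deliberate, a comment next to each saying why (e.g. `<!-- Spectre-mitigated libs not installed on the build host; re-enable before release -->`) would stop the next reader from treating them as accidents; otherwise drop them so all configurations agree.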


@ -0,0 +1,63 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
<Filter Include="Driver Files">
<UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
<Extensions>inf;inv;inx;mof;mc;</Extensions>
</Filter>
<Filter Include="Header Files\nt">
<UniqueIdentifier>{e72edb77-bac1-4bc0-b0c2-3e9773afb504}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<Inf Include="kernelmode.inf">
<Filter>Driver Files</Filter>
</Inf>
</ItemGroup>
<ItemGroup>
<ClCompile Include="driver.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="mouse.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="memory.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="dispatch.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="definitions.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="ntapi.hpp">
<Filter>Header Files\nt</Filter>
</ClInclude>
<ClInclude Include="ntstructs.hpp">
<Filter>Header Files\nt</Filter>
</ClInclude>
<ClInclude Include="mouse.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="memory.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="dispatch.hpp">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>

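--- a/kernelmode/memory.cpp
+++ b/kernelmode/memory.cpp
@@ -0,0 +1,81 @@
+#include "memory.hpp"
+ULONG memory::get_process_id_by_name(PEPROCESS start_process, const char* process_name)
+{
+PLIST_ENTRY active_process_links;
+PEPROCESS current_process = start_process;
+do
+{
+PKPROCESS kproc = (PKPROCESS)current_process;
+PDISPATCHER_HEADER header = (PDISPATCHER_HEADER)kproc;
+LPSTR current_process_name = (LPSTR)((PUCHAR)current_process + IMAGE_FILE_NAME);
+if (header->SignalState == 0 && strcmp(current_process_name, process_name) == 0)
+{
+return (ULONG)PsGetProcessId(current_process);
+}
+active_process_links = (PLIST_ENTRY)((PUCHAR)current_process + ACTIVE_PROCESS_LINKS_FLINK);
+current_process = (PEPROCESS)(active_process_links->Flink);
+current_process = (PEPROCESS)((PUCHAR)current_process - ACTIVE_PROCESS_LINKS_FLINK);
+} while (start_process != current_process);
+return 0;
+}
+ULONG memory::get_module_base(PEPROCESS process, wchar_t* module_name)
+{
+if (!process) { return 0; }
+__try
+{
+PPEB32 peb32 = (PPEB32)PsGetProcessWow64Process(process);
+if (!peb32 || !peb32->Ldr) { return 0; }
+for (PLIST_ENTRY32 plist_entry = (PLIST_ENTRY32)((PPEB_LDR_DATA32)peb32->Ldr)->InLoadOrderModuleList.Flink;
+plist_entry != &((PPEB_LDR_DATA32)peb32->Ldr)->InLoadOrderModuleList;
+plist_entry = (PLIST_ENTRY32)plist_entry->Flink)
+{
+PLDR_DATA_TABLE_ENTRY32 pentry = CONTAINING_RECORD(plist_entry, LDR_DATA_TABLE_ENTRY32, InLoadOrderLinks);
+if (wcscmp((PWCH)pentry->BaseDllName.Buffer, module_name) == 0)
+{
+return pentry->DllBase;
+}
+}
+}
+__except (EXCEPTION_EXECUTE_HANDLER)
+{
+}
+return 0;
+}
+NTSTATUS memory::read_memory(PEPROCESS target_process, void* source, void* target, size_t size)
+{
+if (!target_process) { return STATUS_INVALID_PARAMETER; }
+size_t bytes = 0;
+NTSTATUS status = MmCopyVirtualMemory(target_process, source, IoGetCurrentProcess(), target, size, KernelMode, &bytes);
+if (!NT_SUCCESS(status) || !bytes)
+{
+return STATUS_INVALID_ADDRESS;
+}
+return status;
+}
+NTSTATUS memory::write_memory(PEPROCESS target_process, void* source, void* target, size_t size)
+{
+if (!target_process) { return STATUS_INVALID_PARAMETER; }
+size_t bytes = 0;
+NTSTATUS status = MmCopyVirtualMemory(IoGetCurrentProcess(), source, target_process, target, size, KernelMode, &bytes);
+if (!NT_SUCCESS(status) || !bytes)
+{
+return STATUS_INVALID_ADDRESS;
+}
+return status;
+}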
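Review bot: read_memory and write_memory call `MmCopyVirtualMemory` with `KernelMode` as PreviousMode while `source`/`target` come straight from the IOCTL request, so the copy is attempted against whatever address the caller names, kernel range included; as far as I recall, passing `UserMode` instead makes MmCopyVirtualMemory reject addresses outside the user range, which is what the driver wants since both ends are meant to be process memory (`..., size, UserMode, &bytes);` in both functions). get_module_base compares with `wcscmp((PWCH)pentry->BaseDllName.Buffer, module_name)`, but `BaseDllName` is a counted UNICODE_STRING32 whose buffer is not guaranteed NUL-terminated, and `module_name` arrives as a fixed 64-wchar IOCTL field with the same problem; building a UNICODE_STRING from its `Length`/`Buffer` and comparing with `RtlEqualUnicodeString` bounds the comparison to the counted length. get_process_id_by_name has the same exposure with `strcmp` on `process_name`, which dispatch.cpp passes through unterminated; the caller should force a terminator before the call. The `do { … } while (start_process != current_process)` walk also has no iteration cap, so a list that never returns to `start_process` (the offsets being wrong for the running kernel is the likely way) spins forever at elevated trust; a bounded counter would turn that into a clean failure.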

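--- a/kernelmode/memory.hpp
+++ b/kernelmode/memory.hpp
@@ -0,0 +1,14 @@
+#pragma once
+#include "mouse.hpp"
+namespace memory
+{
+ULONG get_process_id_by_name(PEPROCESS start_process, const char* process_name);
+ULONG get_module_base(PEPROCESS process, wchar_t* module_name);
+NTSTATUS read_memory(PEPROCESS target_process, void* source, void* target, size_t size);
+NTSTATUS write_memory(PEPROCESS target_process, void* source, void* target, size_t size);
+}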

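--- a/kernelmode/mouse.cpp
+++ b/kernelmode/mouse.cpp
@@ -0,0 +1,87 @@
+#include "mouse.hpp"
+NTSTATUS mouse::init_mouse(PMOUSE_OBJECT mouse_obj)
+{
+UNICODE_STRING class_string;
+RtlInitUnicodeString(&class_string, L"\\Driver\\MouClass");
+PDRIVER_OBJECT class_driver_object = NULL;
+NTSTATUS status = ObReferenceObjectByName(&class_string, OBJ_CASE_INSENSITIVE, NULL, 0, *IoDriverObjectType, KernelMode, NULL, (PVOID*)&class_driver_object);
+if (!NT_SUCCESS(status)) { return status; }
+UNICODE_STRING hid_string;
+RtlInitUnicodeString(&hid_string, L"\\Driver\\MouHID");
+PDRIVER_OBJECT hid_driver_object = NULL;
+status = ObReferenceObjectByName(&hid_string, OBJ_CASE_INSENSITIVE, NULL, 0, *IoDriverObjectType, KernelMode, NULL, (PVOID*)&hid_driver_object);
+if (!NT_SUCCESS(status))
+{
+if (class_driver_object) { ObDereferenceObject(class_driver_object); }
+return status;
+}
+PVOID class_driver_base = NULL;
+PDEVICE_OBJECT hid_device_object = hid_driver_object->DeviceObject;
+while (hid_device_object && !mouse_obj->service_callback)
+{
+PDEVICE_OBJECT class_device_object = class_driver_object->DeviceObject;
+while (class_device_object && !mouse_obj->service_callback)
+{
+if (!class_device_object->NextDevice && !mouse_obj->mouse_device)
+{
+mouse_obj->mouse_device = class_device_object;
+}
+PULONG_PTR device_extension = (PULONG_PTR)hid_device_object->DeviceExtension;
+ULONG_PTR device_ext_size = ((ULONG_PTR)hid_device_object->DeviceObjectExtension - (ULONG_PTR)hid_device_object->DeviceExtension) / 4;
+class_driver_base = class_driver_object->DriverStart;
+for (ULONG_PTR i = 0; i < device_ext_size; i++)
+{
+if (device_extension[i] == (ULONG_PTR)class_device_object && device_extension[i + 1] > (ULONG_PTR)class_driver_object)
+{
+mouse_obj->service_callback = (MouseClassServiceCallback)(device_extension[i + 1]);
+break;
+}
+}
+class_device_object = class_device_object->NextDevice;
+}
+hid_device_object = hid_device_object->AttachedDevice;
+}
+if (!mouse_obj->mouse_device)
+{
+PDEVICE_OBJECT target_device_object = class_driver_object->DeviceObject;
+while (target_device_object)
+{
+if (!target_device_object->NextDevice)
+{
+mouse_obj->mouse_device = target_device_object;
+break;
+}
+target_device_object = target_device_object->NextDevice;
+}
+}
+ObDereferenceObject(class_driver_object);
+ObDereferenceObject(hid_driver_object);
+DbgPrintEx(0, 0, "[norsefire]: Mouse initialized\n");
+return STATUS_SUCCESS;
+}
+void mouse::mouse_event(MOUSE_OBJECT mouse_obj, long x, long y, unsigned short button_flags)
+{
+ULONG input_data;
+KIRQL irql;
+MOUSE_INPUT_DATA mid = { 0 };
+mid.LastX = x;
+mid.LastY = y;
+mid.ButtonFlags = button_flags;
+KeRaiseIrql(DISPATCH_LEVEL, &irql);
+mouse_obj.service_callback(mouse_obj.mouse_device, &mid, (PMOUSE_INPUT_DATA)&mid + 1, &input_data);
+KeLowerIrql(irql);
+}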
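Review bot: The scan in init_mouse at `for (ULONG_PTR i = 0; i < device_ext_size; i++)` reads `device_extension[i + 1]` on every iteration, so the final iteration reads one slot past the extension, and `device_ext_size` is a byte difference divided by 4 while `device_extension` is a `PULONG_PTR`, which on x64 (8-byte slots) makes the loop walk twice as far as the extension actually spans. Both are fixed by `ULONG_PTR device_ext_size = (…) / sizeof(ULONG_PTR);` and `for (ULONG_PTR i = 0; i + 1 < device_ext_size; i++)`. init_mouse also returns `STATUS_SUCCESS` and prints "Mouse initialized" even when the loops found no callback, so callers cannot tell the two outcomes apart; returning `STATUS_NOT_FOUND` when `mouse_obj->service_callback` is still null after the scan would make the status meaningful (`class_driver_base` is assigned but never read, too). mouse_event then calls `mouse_obj.service_callback` through that raw pointer at DISPATCH_LEVEL with no check that it was ever found; a guard `if (!mouse_obj.service_callback || !mouse_obj.mouse_device) { return; }` before `KeRaiseIrql` avoids the null call, and `ULONG input_data = 0;` removes the uninitialised local.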

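--- a/kernelmode/mouse.hpp
+++ b/kernelmode/mouse.hpp
@@ -0,0 +1,26 @@
+#pragma once
+#include "definitions.hpp"
+extern "C" POBJECT_TYPE* IoDriverObjectType;
+typedef VOID
+(*MouseClassServiceCallback)(
+PDEVICE_OBJECT DeviceObject,
+PMOUSE_INPUT_DATA InputDataStart,
+PMOUSE_INPUT_DATA InputDataEnd,
+PULONG InputDataConsumed
+);
+typedef struct _MOUSE_OBJECT
+{
+PDEVICE_OBJECT mouse_device;
+MouseClassServiceCallback service_callback;
+} MOUSE_OBJECT, * PMOUSE_OBJECT;
+namespace mouse
+{
+NTSTATUS init_mouse(PMOUSE_OBJECT mouse_obj);
+void mouse_event(MOUSE_OBJECT mouse_obj, long x, long y, unsigned short button_flags);
+}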

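--- a/kernelmode/ntapi.hpp
+++ b/kernelmode/ntapi.hpp
@@ -0,0 +1,40 @@
+#pragma once
+#include "ntstructs.hpp"
+extern "C"
+NTKERNELAPI
+PVOID
+NTAPI
+PsGetProcessWow64Process(
+_In_ PEPROCESS Process
+);
+extern "C"
+NTKERNELAPI
+NTSTATUS
+NTAPI
+MmCopyVirtualMemory(
+_In_ PEPROCESS FromProcess,
+_In_ PVOID FromAddress,
+_In_ PEPROCESS ToProcess,
+_Out_ PVOID ToAddress,
+_In_ SIZE_T BufferSize,
+_In_ KPROCESSOR_MODE PreviousMode,
+_Out_ PSIZE_T NumberOfBytesCopied
+);
+extern "C"
+NTSYSAPI
+NTSTATUS
+NTAPI
+ObReferenceObjectByName(
+_In_ PUNICODE_STRING ObjectName,
+_In_ ULONG Attributes,
+_In_opt_ PACCESS_STATE AccessState,
+_In_opt_ ACCESS_MASK DesiredAccess,
+_In_ POBJECT_TYPE ObjectType,
+_In_ KPROCESSOR_MODE AccessMode,
+_Inout_opt_ PVOID ParseContext,
+_Out_ PVOID* Object
+);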

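--- a/kernelmode/ntstructs.hpp
+++ b/kernelmode/ntstructs.hpp
@@ -0,0 +1,53 @@
+#pragma once
+#include <ntifs.h>
+#include <ntddmou.h>
+typedef struct _PEB_LDR_DATA32
+{
+ULONG Length;
+UCHAR Initialized;
+ULONG SsHandle;
+LIST_ENTRY32 InLoadOrderModuleList;
+LIST_ENTRY32 InMemoryOrderModuleList;
+LIST_ENTRY32 InInitializationOrderModuleList;
+} PEB_LDR_DATA32, * PPEB_LDR_DATA32;
+typedef struct _LDR_DATA_TABLE_ENTRY32
+{
+LIST_ENTRY32 InLoadOrderLinks;
+LIST_ENTRY32 InMemoryOrderLinks;
+LIST_ENTRY32 InInitializationOrderLinks;
+ULONG DllBase;
+ULONG EntryPoint;
+ULONG SizeOfImage;
+UNICODE_STRING32 FullDllName;
+UNICODE_STRING32 BaseDllName;
+ULONG Flags;
+USHORT LoadCount;
+USHORT TlsIndex;
+LIST_ENTRY32 HashLinks;
+ULONG TimeDateStamp;
+} LDR_DATA_TABLE_ENTRY32, * PLDR_DATA_TABLE_ENTRY32;
+typedef struct _PEB32
+{
+UCHAR InheritedAddressSpace;
+UCHAR ReadImageFileExecOptions;
+UCHAR BeingDebugged;
+UCHAR BitField;
+ULONG Mutant;
+ULONG ImageBaseAddress;
+ULONG Ldr;
+ULONG ProcessParameters;
+ULONG SubSystemData;
+ULONG ProcessHeap;
+ULONG FastPebLock;
+ULONG AtlThunkSListPtr;
+ULONG IFEOKey;
+ULONG CrossProcessFlags;
+ULONG UserSharedInfoPtr;
+ULONG SystemReserved;
+ULONG AtlThunkSListPtr32;
+ULONG ApiSetMap;
+} PEB32, * PPEB32;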

65
norsefire.sln Normal file

@ -0,0 +1,65 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30406.217
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "kernelmode", "kernelmode\kernelmode.vcxproj", "{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "usermode", "usermode\usermode.vcxproj", "{E2262904-BB0D-4DEB-8830-1B5BEC96AD76}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|ARM = Debug|ARM
Debug|ARM64 = Debug|ARM64
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|ARM = Release|ARM
Release|ARM64 = Release|ARM64
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|ARM.ActiveCfg = Debug|ARM
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|ARM.Build.0 = Debug|ARM
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|ARM.Deploy.0 = Debug|ARM
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|ARM64.ActiveCfg = Debug|ARM64
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|ARM64.Build.0 = Debug|ARM64
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|ARM64.Deploy.0 = Debug|ARM64
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|x64.ActiveCfg = Debug|x64
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|x64.Build.0 = Debug|x64
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|x64.Deploy.0 = Debug|x64
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|x86.ActiveCfg = Debug|Win32
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|x86.Build.0 = Debug|Win32
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|x86.Deploy.0 = Debug|Win32
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|ARM.ActiveCfg = Release|ARM
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|ARM.Build.0 = Release|ARM
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|ARM.Deploy.0 = Release|ARM
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|ARM64.ActiveCfg = Release|ARM64
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|ARM64.Build.0 = Release|ARM64
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|ARM64.Deploy.0 = Release|ARM64
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|x64.ActiveCfg = Release|x64
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|x64.Build.0 = Release|x64
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|x64.Deploy.0 = Release|x64
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|x86.ActiveCfg = Release|Win32
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|x86.Build.0 = Release|Win32
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|x86.Deploy.0 = Release|Win32
{E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Debug|ARM.ActiveCfg = Debug|Win32
{E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Debug|ARM64.ActiveCfg = Debug|Win32
{E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Debug|x64.ActiveCfg = Debug|x64
{E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Debug|x64.Build.0 = Debug|x64
{E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Debug|x86.ActiveCfg = Debug|Win32
{E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Debug|x86.Build.0 = Debug|Win32
{E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Release|ARM.ActiveCfg = Release|Win32
{E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Release|ARM64.ActiveCfg = Release|Win32
{E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Release|x64.ActiveCfg = Release|x64
{E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Release|x64.Build.0 = Release|x64
{E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Release|x86.ActiveCfg = Release|Win32
{E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {0CAE6BBB-4512-4072-A926-D617D65A91B2}
EndGlobalSection
EndGlobal

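--- /dev/null
+++ b/usermode/Source.cpp
@@ -0,0 +1,8 @@
+#include "triggerbot.hpp"
+int main()
+{
+triggerbot trigger;
+trigger.run();
+return 0;
+}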

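--- /dev/null
+++ b/usermode/definitions.hpp
@@ -0,0 +1,46 @@
+#pragma once
+#include <Windows.h>
+#include <iostream>
+#define NF_GET_PROCESS_ID CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9000, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+#define NF_GET_MODULE CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9001, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+#define NF_READ_MEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9002, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+#define NF_WRITE_MEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9003, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+#define NF_MOUSE_EVENT CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9004, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+typedef struct _NF_PROCESS_ID_REQUEST
+{
+ULONG process_id;
+char process_name[64];
+}NF_PROCESS_ID_REQUEST, * PNF_PROCESS_ID_REQUEST;
+typedef struct _NF_MODULE_REQUEST
+{
+ULONG process_id;
+ULONG address;
+wchar_t module_name[64];
+}NF_MODULE_REQUEST, * PNF_MODULE_REQUEST;
+typedef struct _NF_READ_REQUEST
+{
+ULONG process_id;
+ULONG address;
+ULONG buffer;
+ULONG size;
+}NF_READ_REQUEST, * PNF_READ_REQUEST;
+typedef struct _NF_WRITE_REQUEST
+{
+ULONG process_id;
+ULONG address;
+ULONG buffer;
+ULONG size;
+}NF_WRITE_REQUEST, * PNF_WRITE_REQUEST;
+typedef struct _NF_MOUSE_REQUEST
+{
+long x;
+long y;
+unsigned short button_flags;
+}NF_MOUSE_REQUEST, * PNF_MOUSE_REQUEST;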
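Review bot: The five IOCTL codes are built with FILE_SPECIAL_ACCESS, so the I/O manager demands no particular access right on the device handle even for the requests that read or write another process's memory; whether the device object carries a restrictive DACL is decided on the kernel side and is not visible in this commit's user-mode files, so the intended access control should be stated here, or the read/write codes defined with FILE_READ_ACCESS / FILE_WRITE_ACCESS so the handle's granted access is checked. CTL_CODE's Function argument is a 12-bit field and 0xf9000–0xf9004 overflow it into the access and device-type bits; the codes stay distinct because both sides expand the same macro, but the encoded device type and access are not what the arguments say, and values in the vendor range 0x800–0xFFF would avoid the surprise. `ULONG buffer` in NF_READ_REQUEST / NF_WRITE_REQUEST is the in-place value slot that driver_control::read_memory / write_memory in usermode/driver_control.hpp size with sizeof(t), so the four-byte limit belongs on the field, e.g. `ULONG buffer; // in-place value slot: a request carries at most sizeof(ULONG) bytes of data`.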


@ -0,0 +1,65 @@
#include "driver_control.hpp"
driver_control::driver_control(const char* path)
{
this->driver_handle = CreateFileA(path, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
if (this->driver_handle) { printf("[norsefire]: Driver handle open\n"); }
}
driver_control::~driver_control()
{
CloseHandle(this->driver_handle);
printf("[norsefire]: Driver handle closed\n");
}
ULONG driver_control::get_process_id_by_name(const char* process_name, size_t process_name_size)
{
if (this->driver_handle)
{
ULONG bytes;
NF_PROCESS_ID_REQUEST process_id_request = { 0 };
memcpy(process_id_request.process_name, process_name, process_name_size);
if (DeviceIoControl(driver_handle, NF_GET_PROCESS_ID, &process_id_request, sizeof(process_id_request), &process_id_request, sizeof(process_id_request), &bytes, 0))
{
return process_id_request.process_id;
}
else
{
return 0;
}
}
return 0;
}
ULONG driver_control::get_module_base(ULONG process_id, const wchar_t* module_name, size_t module_name_size)
{
if (this->driver_handle)
{
ULONG bytes;
NF_MODULE_REQUEST module_request = { 0 };
module_request.process_id = process_id;
memcpy(module_request.module_name, module_name, module_name_size);
if (DeviceIoControl(driver_handle, NF_GET_MODULE, &module_request, sizeof(module_request), &module_request, sizeof(module_request), &bytes, 0))
{
return module_request.address;
}
else
{
return 0;
}
}
return 0;
}
void driver_control::mouse_event(long x, long y, unsigned short button_flags)
{
if (this->driver_handle)
{
ULONG bytes;
NF_MOUSE_REQUEST mouse_request = { 0 };
mouse_request.x = x;
mouse_request.y = y;
mouse_request.button_flags = button_flags;
DeviceIoControl(driver_handle, NF_MOUSE_EVENT, &mouse_request, sizeof(mouse_request), &mouse_request, sizeof(mouse_request), &bytes, 0);
}
}
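Review bot: CreateFileA signals failure with INVALID_HANDLE_VALUE rather than a null handle, so the `if (this->driver_handle)` guards in the constructor and in every method treat a failed open as success, print "Driver handle open", and the destructor later hands INVALID_HANDLE_VALUE to CloseHandle; normalise once in the constructor, e.g. `if (this->driver_handle == INVALID_HANDLE_VALUE) this->driver_handle = 0;` before the printf. The memcpy calls in get_process_id_by_name and get_module_base copy process_name_size / module_name_size bytes into fixed 64-element arrays with no bound, so a longer caller-supplied name overruns the request struct on the stack; reject oversized input up front, e.g. `if (process_name_size > sizeof(process_id_request.process_name)) return 0;` and the equivalent check against sizeof(module_request.module_name). The file-section header for this hunk is missing from the page, but the hunk itself is complete.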


@ -0,0 +1,65 @@
#pragma once
#include "definitions.hpp"
class driver_control
{
private:
HANDLE driver_handle = 0;
public:
driver_control(const char* path);
~driver_control();
ULONG get_process_id_by_name(const char* process_name, size_t process_name_size);
ULONG get_module_base(ULONG process_id, const wchar_t* module_name, size_t module_name_size);
template<typename t>
t read_memory(ULONG process_id, ULONG address);
template<typename t>
void write_memory(ULONG process_id, ULONG address, t buffer);
void mouse_event(long x, long y, unsigned short button_flags);
};
template<typename t>
inline t driver_control::read_memory(ULONG process_id, ULONG address)
{
if (this->driver_handle)
{
ULONG bytes;
NF_READ_REQUEST read_request = { 0 };
read_request.process_id = process_id;
read_request.address = address;
read_request.size = sizeof(t);
if (DeviceIoControl(driver_handle, NF_READ_MEMORY, &read_request, sizeof(read_request), &read_request, sizeof(read_request), &bytes, 0))
{
return *(t*)&read_request.buffer;
}
else
{
return 0;
}
}
return 0;
}
template<typename t>
inline void driver_control::write_memory(ULONG process_id, ULONG address, t buffer)
{
if (this->driver_handle)
{
ULONG bytes;
NF_WRITE_REQUEST write_request = { 0 };
write_request.process_id = process_id;
write_request.address = address;
write_request.buffer = buffer;
write_request.size = sizeof(t);
DeviceIoControl(driver_handle, NF_WRITE_MEMORY, &write_request, sizeof(write_request), &write_request, sizeof(write_request), &bytes, 0);
}
}
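Review bot: read_memory<t> requests sizeof(t) bytes but the only place the result can land is `read_request.buffer`, a four-byte ULONG (definitions.hpp), and `*(t*)&read_request.buffer` then reads sizeof(t) bytes starting there; for any t wider than ULONG that reads past `buffer` into `size` and beyond the struct, and write_memory's `write_request.buffer = buffer` silently narrows such a t. Pin the limit at compile time in both templates, `static_assert(sizeof(t) <= sizeof(read_request.buffer), "t must fit the request's 32-bit value slot");`, and copy the value out with memcpy instead of the pointer cast so the read is not an aliasing violation. Both templates also `return 0` and assign `buffer` by value, so t is effectively restricted to arithmetic types; a one-line comment on the class saying so would spare the next caller a confusing template error. The file-section header for this hunk is missing from the page, but the hunk itself is complete.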

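--- /dev/null
+++ b/usermode/offsets.hpp
@@ -0,0 +1,54 @@
+#pragma once
+// CSGO offsets and netvars
+// 01.09.2020. 16:39:08
+#define m_dwEpochTime 1598971148
+#define m_dwLocalPlayer 0xD3FC5C
+#define m_dwEntityList 0x4D5442C
+#define m_dwClientState 0x589DD4
+#define m_dwPlayerResource 0x3183D10
+#define m_dwForceAttack 0x3185984
+#define m_dwForceAlt1 0x51FE080
+#define m_dwForceJump 0x51FE044
+#define m_dwSensitivity 0xD4569C
+#define m_dwGlowObject 0x529C208
+#define m_iCrossHairID 0xB3E4
+#define m_bHasDefuser 0xB388
+#define m_iGlowIndex 0xA438
+#define m_flFlashDuration 0xA420
+#define m_iShotsFired 0xA390
+#define m_dwPlayerInfo 0x52B8
+#define m_dwViewAngles 0x4D88
+#define m_bIsScoped 0x3928
+#define m_vecPunch 0x302C
+#define m_dwButtonBits 0x2717
+#define m_dwBoneMatrix 0x26A8
+#define m_iPlayerC4 0x165C
+#define m_bSpotted 0x93D
+#define m_hViewModel 0x32F8
+#define m_iViewModelIndex 0x3240
+#define m_flFallbackWear 0x31D0
+#define m_nFallbackPaintKit 0x31C8
+#define m_iItemIDHigh 0x2FC0
+#define m_iEntityQuality 0x2FAC
+#define m_iItemDefinitionIndex 0x2FAA
+#define m_hActiveWeapon 0x2EF8
+#define m_hMyWeapons 0x2DF8
+#define m_nModelIndex 0x258
+#define m_szMapName 0x28C
+#define m_szMapPath 0x188
+#define m_iLocalPlayer 0x180
+#define m_dwInGame 0x108
+#define m_vecOrigin 0x138
+#define m_angRotation 0x12C
+#define m_vecViewOffset 0x108
+#define m_fFlags 0x104
+#define m_iHealth 0x100
+#define m_iTeamNum 0xF4
+#define m_bDormant 0xED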

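--- /dev/null
+++ b/usermode/triggerbot.cpp
@@ -0,0 +1,58 @@
+#include "triggerbot.hpp"
+void triggerbot::run()
+{
+driver_control driver("\\\\.\\norsefire");
+const char process_name[] = "csgo.exe";
+const wchar_t module_name[] = L"client.dll";
+printf("[norsefire]: Looking for %s process...\n", process_name);
+ULONG process_id = driver.get_process_id_by_name(process_name, sizeof(process_name));
+if (process_id)
+{
+printf("[norsefire]: Process identifier found: %d\n", process_id);
+printf("[norsefire]: Looking for %ws...\n", module_name);
+ULONG client_base = driver.get_module_base(process_id, module_name, sizeof(module_name));
+if (client_base)
+{
+printf("[norsefire]: %ws found: 0x%x\n", module_name, client_base);
+printf("[norsefire]: Running...\n");
+for (;;)
+{
+ULONG my_player = driver.read_memory<ULONG>(process_id, client_base + m_dwLocalPlayer);
+if (my_player <= 0) { continue; }
+ULONG my_team = driver.read_memory<ULONG>(process_id, my_player + m_iTeamNum);
+ULONG my_cross = driver.read_memory<ULONG>(process_id, my_player + m_iCrossHairID);
+if (my_cross > 0 && my_cross <= 64)
+{
+ULONG entity = driver.read_memory<ULONG>(process_id, client_base + m_dwEntityList + ((my_cross - 1) * 0x10));
+if (entity <= 0) { continue; }
+ULONG entity_health = driver.read_memory<ULONG>(process_id, entity + m_iHealth);
+ULONG entity_team = driver.read_memory<ULONG>(process_id, entity + m_iTeamNum);
+if (entity_health > 0 && entity_team != my_team && entity_team > 1)
+{
+Sleep(3);
+driver.mouse_event(0, 0, 0x1);
+Sleep(1);
+driver.mouse_event(0, 0, 0x2);
+}
+}
+Sleep(1);
+}
+}
+else
+{
+printf("[norsefire]: Failed to obtain %ws\n", module_name);
+}
+}
+else
+{
+printf("[norsefire]: Failed to find %s process\n", process_name);
+}
+}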
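Review bot: `printf("[norsefire]: Process identifier found: %d\n", process_id)` passes a ULONG to a %d conversion; `%lu` matches the type, and the `0x%x` used for client_base two lines later should be `0x%lx` for the same reason. The `my_player <= 0` and `entity <= 0` tests are on unsigned values and can only be true for zero, so `== 0` says what is meant. run() reports every failure only through printf and returns void, so main() in usermode/Source.cpp exits with status 0 whether or not the driver opened or the process was found; returning a bool (or int) from run() and propagating it would let callers and scripts tell the cases apart.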

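--- /dev/null
+++ b/usermode/triggerbot.hpp
@@ -0,0 +1,11 @@
+#pragma once
+#include "driver_control.hpp"
+#include "offsets.hpp"
+class triggerbot
+{
+public:
+void run();
+};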

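--- /dev/null
+++ b/usermode/usermode.vcxproj
@@ -0,0 +1,157 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup Label="ProjectConfigurations">
+<ProjectConfiguration Include="Debug|Win32">
+<Configuration>Debug</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|Win32">
+<Configuration>Release</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Debug|x64">
+<Configuration>Debug</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|x64">
+<Configuration>Release</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+</ItemGroup>
+<PropertyGroup Label="Globals">
+<VCProjectVersion>16.0</VCProjectVersion>
+<Keyword>Win32Proj</Keyword>
+<ProjectGuid>{e2262904-bb0d-4deb-8830-1b5bec96ad76}</ProjectGuid>
+<RootNamespace>usermode</RootNamespace>
+<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>v142</PlatformToolset>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>v142</PlatformToolset>
+<WholeProgramOptimization>true</WholeProgramOptimization>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>v142</PlatformToolset>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>v142</PlatformToolset>
+<WholeProgramOptimization>true</WholeProgramOptimization>
+<CharacterSet>Unicode</CharacterSet>
+<SpectreMitigation>false</SpectreMitigation>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+<ImportGroup Label="ExtensionSettings">
+</ImportGroup>
+<ImportGroup Label="Shared">
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<PropertyGroup Label="UserMacros" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<LinkIncremental>true</LinkIncremental>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<LinkIncremental>false</LinkIncremental>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<LinkIncremental>true</LinkIncremental>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<LinkIncremental>false</LinkIncremental>
+</PropertyGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<SDLCheck>true</SDLCheck>
+<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<ConformanceMode>true</ConformanceMode>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>true</IntrinsicFunctions>
+<SDLCheck>true</SDLCheck>
+<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<ConformanceMode>true</ConformanceMode>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<OptimizeReferences>true</OptimizeReferences>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<SDLCheck>true</SDLCheck>
+<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<ConformanceMode>true</ConformanceMode>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>true</IntrinsicFunctions>
+<SDLCheck>true</SDLCheck>
+<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<ConformanceMode>true</ConformanceMode>
+<DebugInformationFormat>None</DebugInformationFormat>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<OptimizeReferences>true</OptimizeReferences>
+<GenerateDebugInformation>false</GenerateDebugInformation>
+</Link>
+</ItemDefinitionGroup>
+<ItemGroup>
+<ClCompile Include="driver_control.cpp" />
+<ClCompile Include="Source.cpp" />
+<ClCompile Include="triggerbot.cpp" />
+</ItemGroup>
+<ItemGroup>
+<ClInclude Include="triggerbot.hpp" />
+<ClInclude Include="definitions.hpp" />
+<ClInclude Include="driver_control.hpp" />
+<ClInclude Include="offsets.hpp" />
+</ItemGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+<ImportGroup Label="ExtensionTargets">
+</ImportGroup>
+</Project>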


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="Source.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="driver_control.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="triggerbot.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="definitions.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="driver_control.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="offsets.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="triggerbot.hpp">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>