From d94db7264ec9c921bc869cd60705b861d5e9deb0 Mon Sep 17 00:00:00 2001 
From: Dario Pendic Date: Tue, 1 Sep 2020 16:54:17 +0200 Subject: [PATCH] 1st --- .gitignore | 345 ++++++++++++++++++++++++++ kernelmode/definitions.hpp | 48 ++++ kernelmode/dispatch.cpp | 102 ++++++++ kernelmode/dispatch.hpp | 12 + kernelmode/driver.cpp | 33 +++ kernelmode/kernelmode.inf | 86 +++++++ kernelmode/kernelmode.vcxproj | 182 ++++++++++++++ kernelmode/kernelmode.vcxproj.filters | 63 +++++ kernelmode/memory.cpp | 81 ++++++ kernelmode/memory.hpp | 14 ++ kernelmode/mouse.cpp | 87 +++++++ kernelmode/mouse.hpp | 26 ++ kernelmode/ntapi.hpp | 40 +++ kernelmode/ntstructs.hpp | 53 ++++ norsefire.sln | 65 +++++ usermode/Source.cpp | 8 + usermode/definitions.hpp | 46 ++++ usermode/driver_control.cpp | 65 +++++ usermode/driver_control.hpp | 65 +++++ usermode/offsets.hpp | 54 ++++ usermode/triggerbot.cpp | 58 +++++ usermode/triggerbot.hpp | 11 + usermode/usermode.vcxproj | 157 ++++++++++++ usermode/usermode.vcxproj.filters | 42 ++++ 24 files changed, 1743 insertions(+) create mode 100644 .gitignore create mode 100644 kernelmode/definitions.hpp create mode 100644 kernelmode/dispatch.cpp create mode 100644 kernelmode/dispatch.hpp create mode 100644 kernelmode/driver.cpp create mode 100644 kernelmode/kernelmode.inf create mode 100644 kernelmode/kernelmode.vcxproj create mode 100644 kernelmode/kernelmode.vcxproj.filters create mode 100644 kernelmode/memory.cpp create mode 100644 kernelmode/memory.hpp create mode 100644 kernelmode/mouse.cpp create mode 100644 kernelmode/mouse.hpp create mode 100644 kernelmode/ntapi.hpp create mode 100644 kernelmode/ntstructs.hpp create mode 100644 norsefire.sln create mode 100644 usermode/Source.cpp create mode 100644 usermode/definitions.hpp create mode 100644 usermode/driver_control.cpp create mode 100644 usermode/driver_control.hpp create mode 100644 usermode/offsets.hpp create mode 100644 usermode/triggerbot.cpp create mode 100644 usermode/triggerbot.hpp create mode 100644 usermode/usermode.vcxproj create mode 100644 
usermode/usermode.vcxproj.filters diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e97b472 --- /dev/null +++ b/.gitignore 
@@ -0,0 +1,345 @@ +## Ignore Visual Studio temporary files, build results, and +## files generated by popular Visual Studio add-ons. +## +## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore + +# User-specific files +*.rsuser +*.suo +*.user +*.userosscache +*.sln.docstates + +# User-specific files (MonoDevelop/Xamarin Studio) +*.userprefs + +# Build results +[Dd]ebug/ +[Dd]ebugPublic/ +[Rr]elease/ +[Rr]eleases/ +x64/ +x86/ +[Aa][Rr][Mm]/ +[Aa][Rr][Mm]64/ +bld/ +[Bb]in/ +[Oo]bj/ +[Ll]og/ + +# Visual Studio 2015/2017 cache/options directory +.vs/ +# Uncomment if you have tasks that create the project's static files in wwwroot +#wwwroot/ + +# Visual Studio 2017 auto generated files +Generated\ Files/ + +# MSTest test Results +[Tt]est[Rr]esult*/ +[Bb]uild[Ll]og.* + +# NUNIT +*.VisualState.xml +TestResult.xml + +# Build Results of an ATL Project +[Dd]ebugPS/ +[Rr]eleasePS/ +dlldata.c + +# Benchmark Results +BenchmarkDotNet.Artifacts/ + +# .NET Core +project.lock.json +project.fragment.lock.json +artifacts/ + +# StyleCop +StyleCopReport.xml + +# Files built by Visual Studio +*_i.c +*_p.c +*_h.h +*.ilk +*.meta +*.obj +*.iobj +*.pch +*.pdb +*.ipdb +*.pgc +*.pgd +*.rsp +*.sbr +*.tlb +*.tli +*.tlh +*.tmp +*.tmp_proj +*_wpftmp.csproj +*.log +*.vspscc +*.vssscc +.builds +*.pidb +*.svclog +*.scc + +# Chutzpah Test files +_Chutzpah* + +# Visual C++ cache files +ipch/ +*.aps +*.ncb +*.opendb +*.opensdf +*.sdf +*.cachefile +*.VC.db +*.VC.VC.opendb + +# Visual Studio profiler +*.psess +*.vsp +*.vspx +*.sap + +# Visual Studio Trace Files +*.e2e + +# TFS 2012 Local Workspace +$tf/ + +# Guidance Automation Toolkit +*.gpState + +# ReSharper is a .NET coding add-in +_ReSharper*/ +*.[Rr]e[Ss]harper +*.DotSettings.user + +# JustCode is a .NET coding add-in +.JustCode + +# TeamCity is a build add-in +_TeamCity* + +# DotCover is a Code Coverage Tool +*.dotCover + +# AxoCover is a Code Coverage Tool +.axoCover/* +!.axoCover/settings.json + +# Visual 
Studio code coverage results +*.coverage +*.coveragexml + +# NCrunch +_NCrunch_* +.*crunch*.local.xml +nCrunchTemp_* + +# MightyMoose +*.mm.* +AutoTest.Net/ + +# Web workbench (sass) +.sass-cache/ + +# Installshield output folder +[Ee]xpress/ + +# DocProject is a documentation generator add-in +DocProject/buildhelp/ +DocProject/Help/*.HxT +DocProject/Help/*.HxC +DocProject/Help/*.hhc +DocProject/Help/*.hhk +DocProject/Help/*.hhp +DocProject/Help/Html2 +DocProject/Help/html + +# Click-Once directory +publish/ + +# Publish Web Output +*.[Pp]ublish.xml +*.azurePubxml +# Note: Comment the next line if you want to checkin your web deploy settings, +# but database connection strings (with potential passwords) will be unencrypted +*.pubxml +*.publishproj + +# Microsoft Azure Web App publish settings. Comment the next line if you want to +# checkin your Azure Web App publish settings, but sensitive information contained +# in these scripts will be unencrypted +PublishScripts/ + +# NuGet Packages +*.nupkg +# The packages folder can be ignored because of Package Restore +**/[Pp]ackages/* +# except build/, which is used as an MSBuild target. 
+!**/[Pp]ackages/build/ +# Uncomment if necessary however generally it will be regenerated when needed +#!**/[Pp]ackages/repositories.config +# NuGet v3's project.json files produces more ignorable files +*.nuget.props +*.nuget.targets + +# Microsoft Azure Build Output +csx/ +*.build.csdef + +# Microsoft Azure Emulator +ecf/ +rcf/ + +# Windows Store app package directories and files +AppPackages/ +BundleArtifacts/ +Package.StoreAssociation.xml +_pkginfo.txt +*.appx + +# Visual Studio cache files +# files ending in .cache can be ignored +*.[Cc]ache +# but keep track of directories ending in .cache +!?*.[Cc]ache/ + +# Others +ClientBin/ +~$* +*~ +*.dbmdl +*.dbproj.schemaview +*.jfm +*.pfx +*.publishsettings +orleans.codegen.cs + +# Including strong name files can present a security risk +# (https://github.com/github/gitignore/pull/2483#issue-259490424) +#*.snk + +# Since there are multiple workflows, uncomment next line to ignore bower_components +# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) +#bower_components/ +# ASP.NET Core default setup: bower directory is configured as wwwroot/lib/ and bower restore is true +**/wwwroot/lib/ + +# RIA/Silverlight projects +Generated_Code/ + +# Backup & report files from converting an old project file +# to a newer Visual Studio version. Backup files are not needed, +# because we have git ;-) +_UpgradeReport_Files/ +Backup*/ +UpgradeLog*.XML +UpgradeLog*.htm +ServiceFabricBackup/ +*.rptproj.bak + +# SQL Server files +*.mdf +*.ldf +*.ndf + +# Business Intelligence projects +*.rdl.data +*.bim.layout +*.bim_*.settings +*.rptproj.rsuser +*- Backup*.rdl + +# Microsoft Fakes +FakesAssemblies/ + +# GhostDoc plugin setting file +*.GhostDoc.xml + +# Node.js Tools for Visual Studio +.ntvs_analysis.dat +node_modules/ + +# Visual Studio 6 build log +*.plg + +# Visual Studio 6 workspace options file +*.opt + +# Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 
+*.vbw + +# Visual Studio LightSwitch build output +**/*.HTMLClient/GeneratedArtifacts +**/*.DesktopClient/GeneratedArtifacts +**/*.DesktopClient/ModelManifest.xml +**/*.Server/GeneratedArtifacts +**/*.Server/ModelManifest.xml +_Pvt_Extensions + +# Paket dependency manager +.paket/paket.exe +paket-files/ + +# FAKE - F# Make +.fake/ + +# JetBrains Rider +.idea/ +*.sln.iml + +# CodeRush personal settings +.cr/personal + +# Python Tools for Visual Studio (PTVS) +__pycache__/ +*.pyc + +# Cake - Uncomment if you are using it +# tools/** +# !tools/packages.config + +# Tabs Studio +*.tss + +# Telerik's JustMock configuration file +*.jmconfig + +# BizTalk build output +*.btp.cs +*.btm.cs +*.odx.cs +*.xsd.cs + +# OpenCover UI analysis results +OpenCover/ + +# Azure Stream Analytics local run output +ASALocalRun/ + +# MSBuild Binary and Structured Log +*.binlog + +# NVidia Nsight GPU debugger configuration file +*.nvuser + +# MFractors (Xamarin productivity tool) working folder +.mfractor/ + +# Local History for Visual Studio +.localhistory/ + +# BeatPulse healthcheck temp database +healthchecksdb + +# Backup folder for Package Reference Convert tool in Visual Studio 2017 +MigrationBackup/ \ No newline at end of file diff --git a/kernelmode/definitions.hpp b/kernelmode/definitions.hpp new file mode 100644 index 0000000..95458c1 --- /dev/null +++ b/kernelmode/definitions.hpp 
@@ -0,0 +1,48 @@ +#pragma once + +#include "ntapi.hpp" + +#define ACTIVE_PROCESS_LINKS_FLINK 0x2f0 +#define IMAGE_FILE_NAME 0x450 + +#define NF_GET_PROCESS_ID CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9000, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) +#define NF_GET_MODULE CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9001, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) +#define NF_READ_MEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9002, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) +#define NF_WRITE_MEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9003, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) +#define NF_MOUSE_EVENT CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9004, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) + +typedef struct _NF_PROCESS_ID_REQUEST +{ + ULONG process_id; + char process_name[64]; +}NF_PROCESS_ID_REQUEST, *PNF_PROCESS_ID_REQUEST; + +typedef struct _NF_MODULE_REQUEST +{ + ULONG process_id; + ULONG address; + wchar_t module_name[64]; +}NF_MODULE_REQUEST, *PNF_MODULE_REQUEST; + +typedef struct _NF_READ_REQUEST +{ + ULONG process_id; + ULONG address; + ULONG buffer; + ULONG size; +}NF_READ_REQUEST, *PNF_READ_REQUEST; + +typedef struct _NF_WRITE_REQUEST +{ + ULONG process_id; + ULONG address; + ULONG buffer; + ULONG size; +}NF_WRITE_REQUEST, *PNF_WRITE_REQUEST; + +typedef struct _NF_MOUSE_REQUEST +{ + long x; + long y; + unsigned short button_flags; +}NF_MOUSE_REQUEST, * PNF_MOUSE_REQUEST; \ No newline at end of file diff --git a/kernelmode/dispatch.cpp b/kernelmode/dispatch.cpp new file mode 100644 index 0000000..08e0f0a --- /dev/null +++ b/kernelmode/dispatch.cpp 
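Review bot: `ACTIVE_PROCESS_LINKS_FLINK` and `IMAGE_FILE_NAME` are raw EPROCESS field offsets with no record of which Windows build they were taken from, and nothing in this header or in the code that dereferences them (memory.cpp, `get_process_id_by_name`) checks the running build first. A comment such as `// EPROCESS offsets for Windows 10 build <BUILD — fill in>; on any other build get_process_id_by_name reads unrelated kernel memory` would let the next reader judge the blast radius, and an `RtlGetVersion` guard in DriverEntry would turn a mismatch into a refused load instead of a bugcheck. The header should also state that `process_name` and `module_name` must be NUL-terminated within their 64 elements, since the kernel side hands them straight to `strcmp`/`wcscmp`, and that `address`/`buffer` being `ULONG` makes this a 32-bit (WoW64) interface only.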
@@ -0,0 +1,102 @@
+#include "dispatch.hpp"
+
+MOUSE_OBJECT mouse_obj = { 0 };
+
+NTSTATUS dispatch::handler(PDEVICE_OBJECT device_object, PIRP irp)
+{
+ UNREFERENCED_PARAMETER(device_object);
+
+ if (!mouse_obj.service_callback || !mouse_obj.mouse_device) { mouse::init_mouse(&mouse_obj); }
+
+ NTSTATUS status = STATUS_INVALID_PARAMETER;
+ ULONG bytes_io = 0;
+ PIO_STACK_LOCATION pio = IoGetCurrentIrpStackLocation(irp);
+ ULONG ioctl = pio->Parameters.DeviceIoControl.IoControlCode;
+
+ if (ioctl == NF_GET_PROCESS_ID)
+ {
+ PNF_PROCESS_ID_REQUEST process_id_request = (PNF_PROCESS_ID_REQUEST)irp->AssociatedIrp.SystemBuffer;
+ process_id_request->process_id = memory::get_process_id_by_name(IoGetCurrentProcess(), process_id_request->process_name);
+ if (process_id_request->process_id) { status = STATUS_SUCCESS; }
+ bytes_io = sizeof(NF_PROCESS_ID_REQUEST);
+ DbgPrintEx(0, 0, "[norsefire]: NF_GET_PROCESS_ID\n");
+ }
+ else if (ioctl == NF_GET_MODULE)
+ {
+ PNF_MODULE_REQUEST module_request = (PNF_MODULE_REQUEST)irp->AssociatedIrp.SystemBuffer;
+ PEPROCESS target_process = 0;
+ if (NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)module_request->process_id, &target_process)))
+ {
+ KAPC_STATE apc;
+ KeStackAttachProcess(target_process, &apc);
+ ULONG base = memory::get_module_base(target_process, module_request->module_name);
+ KeUnstackDetachProcess(&apc);
+ if (base)
+ {
+ module_request->address = base;
+ status = STATUS_SUCCESS;
+ }
+ bytes_io = sizeof(NF_MODULE_REQUEST);
+ DbgPrintEx(0, 0, "[norsefire]: NF_GET_MODULE\n");
+ }
+ }
+ else if (ioctl == NF_READ_MEMORY)
+ {
+ PNF_READ_REQUEST read_request = (PNF_READ_REQUEST)irp->AssociatedIrp.SystemBuffer;
+ PEPROCESS target_process = 0;
+ if (NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)read_request->process_id, &target_process)))
+ {
+ status = memory::read_memory(target_process, (void*)read_request->address, &read_request->buffer, read_request->size);
+ }
+ bytes_io = sizeof(NF_READ_REQUEST);
+ DbgPrintEx(0, 0, "[norsefire]: NF_READ_MEMORY\n");
+ }
+ else if (ioctl == NF_WRITE_MEMORY)
+ {
+ PNF_WRITE_REQUEST write_request = (PNF_WRITE_REQUEST)irp->AssociatedIrp.SystemBuffer;
+ PEPROCESS target_process = 0;
+ if (NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)write_request->process_id, &target_process)))
+ {
+ status = memory::write_memory(target_process, &write_request->buffer, (void*)write_request->address, write_request->size);
+ }
+ bytes_io = sizeof(NF_WRITE_REQUEST);
+ DbgPrintEx(0, 0, "[norsefire]: NF_WRITE_MEMORY\n");
+ }
+ else if (ioctl == NF_MOUSE_EVENT)
+ {
+ PNF_MOUSE_REQUEST mouse_request = (PNF_MOUSE_REQUEST)irp->AssociatedIrp.SystemBuffer;
+ mouse::mouse_event(mouse_obj, mouse_request->x, mouse_request->y, mouse_request->button_flags);
+ status = STATUS_SUCCESS;
+ bytes_io = sizeof(NF_MOUSE_REQUEST);
+ DbgPrintEx(0, 0, "[norsefire]: NF_MOUSE_EVENT\n");
+ }
+ else
+ {
+ status = STATUS_INVALID_PARAMETER;
+ bytes_io = 0;
+ DbgPrintEx(0, 0, "[norsefire]: NF_FAILED_REQUEST\n");
+ }
+
+ irp->IoStatus.Status = status;
+ irp->IoStatus.Information = bytes_io;
+ IoCompleteRequest(irp, IO_NO_INCREMENT);
+ return status;
+}
+
+NTSTATUS dispatch::create_call(PDEVICE_OBJECT device_object, PIRP irp)
+{
+ UNREFERENCED_PARAMETER(device_object);
+ irp->IoStatus.Status = STATUS_SUCCESS;
+ irp->IoStatus.Information = 0;
+ IoCompleteRequest(irp, IO_NO_INCREMENT);
+ return STATUS_SUCCESS;
+}
+
+NTSTATUS dispatch::close_call(PDEVICE_OBJECT device_object, PIRP irp)
+{
+ UNREFERENCED_PARAMETER(device_object);
+ irp->IoStatus.Status = STATUS_SUCCESS;
+ irp->IoStatus.Information = 0;
+ IoCompleteRequest(irp, IO_NO_INCREMENT);
+ return STATUS_SUCCESS;
+}
diff --git a/kernelmode/dispatch.hpp b/kernelmode/dispatch.hpp
new file mode 100644
index 0000000..46ddc2c
--- /dev/null
+++ b/kernelmode/dispatch.hpp
@@ -0,0 +1,12 @@
+#pragma once
+
+#include "memory.hpp"
+
+namespace dispatch
+{
+ NTSTATUS handler(PDEVICE_OBJECT device_object, PIRP irp);
+
+ NTSTATUS create_call(PDEVICE_OBJECT device_object, PIRP irp);
+
+ NTSTATUS close_call(PDEVICE_OBJECT device_object, PIRP irp);
+}
\ No newline at end of file
diff --git a/kernelmode/driver.cpp b/kernelmode/driver.cpp
new file mode 100644
index 0000000..6ffa52d
--- /dev/null
+++ b/kernelmode/driver.cpp
@@ -0,0 +1,33 @@
+#include "dispatch.hpp"
+
+PDEVICE_OBJECT device_object;
+UNICODE_STRING dev, dos;
+
+void unload(PDRIVER_OBJECT driver_object)
+{
+ IoDeleteSymbolicLink(&dos);
+ IoDeleteDevice(driver_object->DeviceObject);
+ DbgPrintEx(0, 0, "[norsefire]: Driver unloaded\n");
+}
+
+extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path)
+{
+ UNREFERENCED_PARAMETER(registry_path);
+
+ RtlInitUnicodeString(&dev, L"\\Device\\norsefire");
+ RtlInitUnicodeString(&dos, L"\\DosDevices\\norsefire");
+
+ IoCreateDevice(driver_object, 0, &dev, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &device_object);
+ IoCreateSymbolicLink(&dos, &dev);
+
+ driver_object->MajorFunction[IRP_MJ_CREATE] = dispatch::create_call;
+ driver_object->MajorFunction[IRP_MJ_CLOSE] = dispatch::close_call;
+ driver_object->MajorFunction[IRP_MJ_DEVICE_CONTROL] = dispatch::handler;
+ driver_object->DriverUnload = unload;
+
+ device_object->Flags |= DO_DIRECT_IO;
+ device_object->Flags &= ~DO_DEVICE_INITIALIZING;
+
+ DbgPrintEx(0, 0, "[norsefire]: Driver loaded\n");
+ return STATUS_SUCCESS;
+}
\ No newline at end of file
diff --git a/kernelmode/kernelmode.inf b/kernelmode/kernelmode.inf
new file mode 100644
index 0000000..3d7611e
--- /dev/null
+++ b/kernelmode/kernelmode.inf
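Review bot: `DriverEntry` discards the return value of `IoCreateDevice` and then dereferences `device_object` to set `Flags`, which is a null dereference when creation fails, and a failed `IoCreateSymbolicLink` is also ignored while `STATUS_SUCCESS` is returned. Check both: `NTSTATUS status = IoCreateDevice(...); if (!NT_SUCCESS(status)) { return status; }` and `status = IoCreateSymbolicLink(&dos, &dev); if (!NT_SUCCESS(status)) { IoDeleteDevice(device_object); return status; }`. The device is created with no security descriptor, so who may open it is left to the default device ACL; given that `dispatch::handler` exposes cross-process read and write, this is the place to restrict access, e.g. `IoCreateDeviceSecure` (wdmsec.h) with an administrators-only SDDL such as `SDDL_DEVOBJ_SYS_ALL_ADM_ALL`. `DO_DIRECT_IO` only affects IRP_MJ_READ/IRP_MJ_WRITE and every IOCTL in definitions.hpp is METHOD_BUFFERED, so the flag is either dead or deserves a comment saying why it is set.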
@@ -0,0 +1,86 @@ +; +; kernelmode.inf +; + +[Version] +Signature="$WINDOWS NT$" +Class=Sample ; TODO: edit Class +ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid +Provider=%ManufacturerName% +CatalogFile=kernelmode.cat +DriverVer= ; TODO: set DriverVer in stampinf property pages + +[DestinationDirs] +DefaultDestDir = 12 +kernelmode_Device_CoInstaller_CopyFiles = 11 + +; ================= Class section ===================== + +[ClassInstall32] +Addreg=SampleClassReg + +[SampleClassReg] +HKR,,,0,%ClassName% +HKR,,Icon,,-5 + +[SourceDisksNames] +1 = %DiskName%,,,"" + +[SourceDisksFiles] +kernelmode.sys = 1,, +WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames + +;***************************************** +; Install Section +;***************************************** + +[Manufacturer] +%ManufacturerName%=Standard,NT$ARCH$ + +[Standard.NT$ARCH$] +%kernelmode.DeviceDesc%=kernelmode_Device, Root\kernelmode ; TODO: edit hw-id + +[kernelmode_Device.NT] +CopyFiles=Drivers_Dir + +[Drivers_Dir] +kernelmode.sys + +;-------------- Service installation +[kernelmode_Device.NT.Services] +AddService = kernelmode,%SPSVCINST_ASSOCSERVICE%, kernelmode_Service_Inst + +; -------------- kernelmode driver install sections +[kernelmode_Service_Inst] +DisplayName = %kernelmode.SVCDESC% +ServiceType = 1 ; SERVICE_KERNEL_DRIVER +StartType = 3 ; SERVICE_DEMAND_START +ErrorControl = 1 ; SERVICE_ERROR_NORMAL +ServiceBinary = %12%\kernelmode.sys + +; +;--- kernelmode_Device Coinstaller installation ------ +; + +[kernelmode_Device.NT.CoInstallers] +AddReg=kernelmode_Device_CoInstaller_AddReg +CopyFiles=kernelmode_Device_CoInstaller_CopyFiles + +[kernelmode_Device_CoInstaller_AddReg] +HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller" + +[kernelmode_Device_CoInstaller_CopyFiles] +WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll + +[kernelmode_Device.NT.Wdf] +KmdfService = kernelmode, 
kernelmode_wdfsect +[kernelmode_wdfsect] +KmdfLibraryVersion = $KMDFVERSION$ + +[Strings] +SPSVCINST_ASSOCSERVICE= 0x00000002 +ManufacturerName="" ;TODO: Replace with your manufacturer name +ClassName="Samples" ; TODO: edit ClassName +DiskName = "kernelmode Installation Disk" +kernelmode.DeviceDesc = "kernelmode Device" +kernelmode.SVCDESC = "kernelmode Service" diff --git a/kernelmode/kernelmode.vcxproj b/kernelmode/kernelmode.vcxproj new file mode 100644 index 0000000..d7c570f --- /dev/null +++ b/kernelmode/kernelmode.vcxproj @@ -0,0 +1,182 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + Debug + ARM + + + Release + ARM + + + Debug + ARM64 + + + Release + ARM64 + + + + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65} + {1bc93793-694f-48fe-9372-81e2b05556fd} + v4.5 + 12.0 + Debug + Win32 + kernelmode + + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Desktop + false + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + + + + + + + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + false + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + + None + + + + + false + + + false + true + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/kernelmode/kernelmode.vcxproj.filters b/kernelmode/kernelmode.vcxproj.filters new file mode 100644 index 0000000..14af9d7 --- /dev/null +++ b/kernelmode/kernelmode.vcxproj.filters @@ -0,0 +1,63 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + {8E41214B-6785-4CFE-B992-037D68949A14} + inf;inv;inx;mof;mc; + + + {e72edb77-bac1-4bc0-b0c2-3e9773afb504} + + + + + Driver Files + + + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + + + Header Files + + + Header Files\nt + + + Header Files\nt + + + Header Files + + + Header Files + + + Header Files + + + \ No newline at end of file diff --git a/kernelmode/memory.cpp b/kernelmode/memory.cpp new file mode 100644 index 0000000..dd267e5 --- /dev/null +++ b/kernelmode/memory.cpp 
@@ -0,0 +1,81 @@
+#include "memory.hpp"
+
+ULONG memory::get_process_id_by_name(PEPROCESS start_process, const char* process_name)
+{
+ PLIST_ENTRY active_process_links;
+ PEPROCESS current_process = start_process;
+
+ do
+ {
+ PKPROCESS kproc = (PKPROCESS)current_process;
+ PDISPATCHER_HEADER header = (PDISPATCHER_HEADER)kproc;
+ LPSTR current_process_name = (LPSTR)((PUCHAR)current_process + IMAGE_FILE_NAME);
+
+ if (header->SignalState == 0 && strcmp(current_process_name, process_name) == 0)
+ {
+ return (ULONG)PsGetProcessId(current_process);
+ }
+
+ active_process_links = (PLIST_ENTRY)((PUCHAR)current_process + ACTIVE_PROCESS_LINKS_FLINK);
+ current_process = (PEPROCESS)(active_process_links->Flink);
+ current_process = (PEPROCESS)((PUCHAR)current_process - ACTIVE_PROCESS_LINKS_FLINK);
+
+ } while (start_process != current_process);
+
+ return 0;
+}
+
+ULONG memory::get_module_base(PEPROCESS process, wchar_t* module_name)
+{
+ if (!process) { return 0; }
+
+ __try
+ {
+ PPEB32 peb32 = (PPEB32)PsGetProcessWow64Process(process);
+ if (!peb32 || !peb32->Ldr) { return 0; }
+
+ for (PLIST_ENTRY32 plist_entry = (PLIST_ENTRY32)((PPEB_LDR_DATA32)peb32->Ldr)->InLoadOrderModuleList.Flink;
+ plist_entry != &((PPEB_LDR_DATA32)peb32->Ldr)->InLoadOrderModuleList;
+ plist_entry = (PLIST_ENTRY32)plist_entry->Flink)
+ {
+ PLDR_DATA_TABLE_ENTRY32 pentry = CONTAINING_RECORD(plist_entry, LDR_DATA_TABLE_ENTRY32, InLoadOrderLinks);
+
+ if (wcscmp((PWCH)pentry->BaseDllName.Buffer, module_name) == 0)
+ {
+ return pentry->DllBase;
+ }
+ }
+ }
+ __except (EXCEPTION_EXECUTE_HANDLER)
+ {
+
+ }
+
+ return 0;
+}
+
+NTSTATUS memory::read_memory(PEPROCESS target_process, void* source, void* target, size_t size)
+{
+ if (!target_process) { return STATUS_INVALID_PARAMETER; }
+
+ size_t bytes = 0;
+ NTSTATUS status = MmCopyVirtualMemory(target_process, source, IoGetCurrentProcess(), target, size, KernelMode, &bytes);
+ if (!NT_SUCCESS(status) || !bytes)
+ {
+ return STATUS_INVALID_ADDRESS;
+ }
+ return status;
+}
+
+NTSTATUS memory::write_memory(PEPROCESS target_process, void* source, void* target, size_t size)
+{
+ if (!target_process) { return STATUS_INVALID_PARAMETER; }
+
+ size_t bytes = 0;
+ NTSTATUS status = MmCopyVirtualMemory(IoGetCurrentProcess(), source, target_process, target, size, KernelMode, &bytes);
+ if (!NT_SUCCESS(status) || !bytes)
+ {
+ return STATUS_INVALID_ADDRESS;
+ }
+ return status;
+}
diff --git a/kernelmode/memory.hpp b/kernelmode/memory.hpp
new file mode 100644
index 0000000..6526bb2
--- /dev/null
+++ b/kernelmode/memory.hpp
@@ -0,0 +1,14 @@
+#pragma once
+
+#include "mouse.hpp"
+
+namespace memory
+{
+ ULONG get_process_id_by_name(PEPROCESS start_process, const char* process_name);
+
+ ULONG get_module_base(PEPROCESS process, wchar_t* module_name);
+
+ NTSTATUS read_memory(PEPROCESS target_process, void* source, void* target, size_t size);
+
+ NTSTATUS write_memory(PEPROCESS target_process, void* source, void* target, size_t size);
+}
\ No newline at end of file
diff --git a/kernelmode/mouse.cpp b/kernelmode/mouse.cpp
new file mode 100644
index 0000000..4ab33e6
--- /dev/null
+++ b/kernelmode/mouse.cpp
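Review bot: `read_memory` and `write_memory` pass `KernelMode` as `PreviousMode` to `MmCopyVirtualMemory`, so the request's `address` is never range-checked and can name a kernel-mode address inside the target process; pass `UserMode`, or reject `source`/`target` at or above `MmHighestUserAddress` before the call, so the copy is confined to user space. `get_module_base` walks a user-mode loader list while attached to the target: the `__try` catches faults, but `wcscmp` runs on `BaseDllName.Buffer` without `ProbeForRead` or a `Length` bound, and the loop has no iteration cap, so a corrupted or hostile list can spin forever — cap the iterations and bound the compare by `pentry->BaseDllName.Length`. `get_process_id_by_name` dereferences the hard-coded offsets from definitions.hpp on every process in the list with no build check; a comment naming the build they belong to, plus an `RtlGetVersion` guard at load, would make a mismatch a refused load rather than a bugcheck. `strcmp` there also assumes the caller's `process_name` is NUL-terminated, which the IOCTL layer does not enforce.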
@@ -0,0 +1,87 @@
+#include "mouse.hpp"
+
+NTSTATUS mouse::init_mouse(PMOUSE_OBJECT mouse_obj)
+{
+ UNICODE_STRING class_string;
+ RtlInitUnicodeString(&class_string, L"\\Driver\\MouClass");
+
+ PDRIVER_OBJECT class_driver_object = NULL;
+ NTSTATUS status = ObReferenceObjectByName(&class_string, OBJ_CASE_INSENSITIVE, NULL, 0, *IoDriverObjectType, KernelMode, NULL, (PVOID*)&class_driver_object);
+ if (!NT_SUCCESS(status)) { return status; }
+
+ UNICODE_STRING hid_string;
+ RtlInitUnicodeString(&hid_string, L"\\Driver\\MouHID");
+
+ PDRIVER_OBJECT hid_driver_object = NULL;
+ status = ObReferenceObjectByName(&hid_string, OBJ_CASE_INSENSITIVE, NULL, 0, *IoDriverObjectType, KernelMode, NULL, (PVOID*)&hid_driver_object);
+ if (!NT_SUCCESS(status))
+ {
+ if (class_driver_object) { ObDereferenceObject(class_driver_object); }
+ return status;
+ }
+
+ PVOID class_driver_base = NULL;
+
+ PDEVICE_OBJECT hid_device_object = hid_driver_object->DeviceObject;
+ while (hid_device_object && !mouse_obj->service_callback)
+ {
+ PDEVICE_OBJECT class_device_object = class_driver_object->DeviceObject;
+ while (class_device_object && !mouse_obj->service_callback)
+ {
+ if (!class_device_object->NextDevice && !mouse_obj->mouse_device)
+ {
+ mouse_obj->mouse_device = class_device_object;
+ }
+
+ PULONG_PTR device_extension = (PULONG_PTR)hid_device_object->DeviceExtension;
+ ULONG_PTR device_ext_size = ((ULONG_PTR)hid_device_object->DeviceObjectExtension - (ULONG_PTR)hid_device_object->DeviceExtension) / 4;
+ class_driver_base = class_driver_object->DriverStart;
+ for (ULONG_PTR i = 0; i < device_ext_size; i++)
+ {
+ if (device_extension[i] == (ULONG_PTR)class_device_object && device_extension[i + 1] > (ULONG_PTR)class_driver_object)
+ {
+ mouse_obj->service_callback = (MouseClassServiceCallback)(device_extension[i + 1]);
+ break;
+ }
+ }
+ class_device_object = class_device_object->NextDevice;
+ }
+ hid_device_object = hid_device_object->AttachedDevice;
+ }
+
+ if (!mouse_obj->mouse_device)
+ {
+ PDEVICE_OBJECT target_device_object = class_driver_object->DeviceObject;
+ while (target_device_object)
+ {
+ if (!target_device_object->NextDevice)
+ {
+ mouse_obj->mouse_device = target_device_object;
+ break;
+ }
+ target_device_object = target_device_object->NextDevice;
+ }
+ }
+
+ ObDereferenceObject(class_driver_object);
+ ObDereferenceObject(hid_driver_object);
+
+ DbgPrintEx(0, 0, "[norsefire]: Mouse initialized\n");
+
+ return STATUS_SUCCESS;
+}
+
+void mouse::mouse_event(MOUSE_OBJECT mouse_obj, long x, long y, unsigned short button_flags)
+{
+ ULONG input_data;
+ KIRQL irql;
+ MOUSE_INPUT_DATA mid = { 0 };
+
+ mid.LastX = x;
+ mid.LastY = y;
+ mid.ButtonFlags = button_flags;
+
+ KeRaiseIrql(DISPATCH_LEVEL, &irql);
+ mouse_obj.service_callback(mouse_obj.mouse_device, &mid, (PMOUSE_INPUT_DATA)&mid + 1, &input_data);
+ KeLowerIrql(irql);
+}
diff --git a/kernelmode/mouse.hpp b/kernelmode/mouse.hpp
new file mode 100644
index 0000000..5ce9f7c
--- /dev/null
+++ b/kernelmode/mouse.hpp
@@ -0,0 +1,26 @@
+#pragma once
+
+#include "definitions.hpp"
+
+extern "C" POBJECT_TYPE* IoDriverObjectType;
+
+typedef VOID
+(*MouseClassServiceCallback)(
+ PDEVICE_OBJECT DeviceObject,
+ PMOUSE_INPUT_DATA InputDataStart,
+ PMOUSE_INPUT_DATA InputDataEnd,
+ PULONG InputDataConsumed
+);
+
+typedef struct _MOUSE_OBJECT
+{
+ PDEVICE_OBJECT mouse_device;
+ MouseClassServiceCallback service_callback;
+} MOUSE_OBJECT, * PMOUSE_OBJECT;
+
+namespace mouse
+{
+ NTSTATUS init_mouse(PMOUSE_OBJECT mouse_obj);
+
+ void mouse_event(MOUSE_OBJECT mouse_obj, long x, long y, unsigned short button_flags);
+}
\ No newline at end of file
diff --git a/kernelmode/ntapi.hpp b/kernelmode/ntapi.hpp
new file mode 100644
index 0000000..8e073a5
--- /dev/null
+++ b/kernelmode/ntapi.hpp
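Review bot: `init_mouse` returns `STATUS_SUCCESS` even when the scan leaves `mouse_obj->service_callback` null, and `mouse_event` then calls through that null pointer at DISPATCH_LEVEL; after the two `ObDereferenceObject` calls add `if (!mouse_obj->service_callback || !mouse_obj->mouse_device) { return STATUS_NOT_FOUND; }` so the caller in dispatch.cpp can refuse the request. The extension scan reads `device_extension[i + 1]` with `i` running up to `device_ext_size - 1`, one slot past the extension — the bound should be `i + 1 < device_ext_size`. `mouse_obj->mouse_device` is retained after `class_driver_object` is dereferenced and carries no reference of its own, so it presumably dangles if that device object is deleted; either take a reference on the stored device or document the assumption. `class_driver_base` is assigned and never read.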
@@ -0,0 +1,40 @@
+#pragma once
+
+#include "ntstructs.hpp"
+
+extern "C"
+NTKERNELAPI
+PVOID
+NTAPI
+PsGetProcessWow64Process(
+ _In_ PEPROCESS Process
+);
+
+extern "C"
+NTKERNELAPI
+NTSTATUS
+NTAPI
+MmCopyVirtualMemory(
+ _In_ PEPROCESS FromProcess,
+ _In_ PVOID FromAddress,
+ _In_ PEPROCESS ToProcess,
+ _Out_ PVOID ToAddress,
+ _In_ SIZE_T BufferSize,
+ _In_ KPROCESSOR_MODE PreviousMode,
+ _Out_ PSIZE_T NumberOfBytesCopied
+);
+
+extern "C"
+NTSYSAPI
+NTSTATUS
+NTAPI
+ObReferenceObjectByName(
+ _In_ PUNICODE_STRING ObjectName,
+ _In_ ULONG Attributes,
+ _In_opt_ PACCESS_STATE AccessState,
+ _In_opt_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_TYPE ObjectType,
+ _In_ KPROCESSOR_MODE AccessMode,
+ _Inout_opt_ PVOID ParseContext,
+ _Out_ PVOID* Object
+);
\ No newline at end of file
diff --git a/kernelmode/ntstructs.hpp b/kernelmode/ntstructs.hpp
new file mode 100644
index 0000000..0d88e4a
--- /dev/null
+++ b/kernelmode/ntstructs.hpp
@@ -0,0 +1,53 @@ +#pragma once + +#include +#include + +typedef struct _PEB_LDR_DATA32 +{ + ULONG Length; + UCHAR Initialized; + ULONG SsHandle; + LIST_ENTRY32 InLoadOrderModuleList; + LIST_ENTRY32 InMemoryOrderModuleList; + LIST_ENTRY32 InInitializationOrderModuleList; +} PEB_LDR_DATA32, * PPEB_LDR_DATA32; + +typedef struct _LDR_DATA_TABLE_ENTRY32 +{ + LIST_ENTRY32 InLoadOrderLinks; + LIST_ENTRY32 InMemoryOrderLinks; + LIST_ENTRY32 InInitializationOrderLinks; + ULONG DllBase; + ULONG EntryPoint; + ULONG SizeOfImage; + UNICODE_STRING32 FullDllName; + UNICODE_STRING32 BaseDllName; + ULONG Flags; + USHORT LoadCount; + USHORT TlsIndex; + LIST_ENTRY32 HashLinks; + ULONG TimeDateStamp; +} LDR_DATA_TABLE_ENTRY32, * PLDR_DATA_TABLE_ENTRY32; + +typedef struct _PEB32 +{ + UCHAR InheritedAddressSpace; + UCHAR ReadImageFileExecOptions; + UCHAR BeingDebugged; + UCHAR BitField; + ULONG Mutant; + ULONG ImageBaseAddress; + ULONG Ldr; + ULONG ProcessParameters; + ULONG SubSystemData; + ULONG ProcessHeap; + ULONG FastPebLock; + ULONG AtlThunkSListPtr; + ULONG IFEOKey; + ULONG CrossProcessFlags; + ULONG UserSharedInfoPtr; + ULONG SystemReserved; + ULONG AtlThunkSListPtr32; + ULONG ApiSetMap; +} PEB32, * PPEB32; \ No newline at end of file diff --git a/norsefire.sln b/norsefire.sln new file mode 100644 index 0000000..01abde6 --- /dev/null +++ b/norsefire.sln 
@@ -0,0 +1,65 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 16 +VisualStudioVersion = 16.0.30406.217 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "kernelmode", "kernelmode\kernelmode.vcxproj", "{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "usermode", "usermode\usermode.vcxproj", "{E2262904-BB0D-4DEB-8830-1B5BEC96AD76}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|ARM = Debug|ARM + Debug|ARM64 = Debug|ARM64 + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|ARM = Release|ARM + Release|ARM64 = Release|ARM64 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|ARM.ActiveCfg = Debug|ARM + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|ARM.Build.0 = Debug|ARM + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|ARM.Deploy.0 = Debug|ARM + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|ARM64.ActiveCfg = Debug|ARM64 + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|ARM64.Build.0 = Debug|ARM64 + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|ARM64.Deploy.0 = Debug|ARM64 + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|x64.ActiveCfg = Debug|x64 + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|x64.Build.0 = Debug|x64 + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|x64.Deploy.0 = Debug|x64 + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|x86.ActiveCfg = Debug|Win32 + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|x86.Build.0 = Debug|Win32 + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Debug|x86.Deploy.0 = Debug|Win32 + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|ARM.ActiveCfg = Release|ARM + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|ARM.Build.0 = Release|ARM + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|ARM.Deploy.0 = Release|ARM + 
{13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|ARM64.ActiveCfg = Release|ARM64 + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|ARM64.Build.0 = Release|ARM64 + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|ARM64.Deploy.0 = Release|ARM64 + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|x64.ActiveCfg = Release|x64 + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|x64.Build.0 = Release|x64 + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|x64.Deploy.0 = Release|x64 + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|x86.ActiveCfg = Release|Win32 + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|x86.Build.0 = Release|Win32 + {13F5FFC5-C637-48DD-AFE9-B5F064E25E65}.Release|x86.Deploy.0 = Release|Win32 + {E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Debug|ARM.ActiveCfg = Debug|Win32 + {E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Debug|ARM64.ActiveCfg = Debug|Win32 + {E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Debug|x64.ActiveCfg = Debug|x64 + {E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Debug|x64.Build.0 = Debug|x64 + {E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Debug|x86.ActiveCfg = Debug|Win32 + {E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Debug|x86.Build.0 = Debug|Win32 + {E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Release|ARM.ActiveCfg = Release|Win32 + {E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Release|ARM64.ActiveCfg = Release|Win32 + {E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Release|x64.ActiveCfg = Release|x64 + {E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Release|x64.Build.0 = Release|x64 + {E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Release|x86.ActiveCfg = Release|Win32 + {E2262904-BB0D-4DEB-8830-1B5BEC96AD76}.Release|x86.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {0CAE6BBB-4512-4072-A926-D617D65A91B2} + EndGlobalSection +EndGlobal diff --git a/usermode/Source.cpp b/usermode/Source.cpp new file mode 100644 index 0000000..fbda358 --- /dev/null 
+++ b/usermode/Source.cpp @@ -0,0 +1,8 @@ +#include "triggerbot.hpp" + +int main() +{ + triggerbot trigger; + trigger.run(); + return 0; +} \ No newline at end of file diff --git a/usermode/definitions.hpp b/usermode/definitions.hpp new file mode 100644 index 0000000..85bf077 --- /dev/null +++ b/usermode/definitions.hpp @@ -0,0 +1,46 @@ +#pragma once + +#include +#include + +#define NF_GET_PROCESS_ID CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9000, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) +#define NF_GET_MODULE CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9001, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) +#define NF_READ_MEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9002, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) +#define NF_WRITE_MEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9003, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) +#define NF_MOUSE_EVENT CTL_CODE(FILE_DEVICE_UNKNOWN, 0xf9004, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) + +typedef struct _NF_PROCESS_ID_REQUEST +{ + ULONG process_id; + char process_name[64]; +}NF_PROCESS_ID_REQUEST, * PNF_PROCESS_ID_REQUEST; + +typedef struct _NF_MODULE_REQUEST +{ + ULONG process_id; + ULONG address; + wchar_t module_name[64]; +}NF_MODULE_REQUEST, * PNF_MODULE_REQUEST; + +typedef struct _NF_READ_REQUEST +{ + ULONG process_id; + ULONG address; + ULONG buffer; + ULONG size; +}NF_READ_REQUEST, * PNF_READ_REQUEST; + +typedef struct _NF_WRITE_REQUEST +{ + ULONG process_id; + ULONG address; + ULONG buffer; + ULONG size; +}NF_WRITE_REQUEST, * PNF_WRITE_REQUEST; + +typedef struct _NF_MOUSE_REQUEST +{ + long x; + long y; + unsigned short button_flags; +}NF_MOUSE_REQUEST, * PNF_MOUSE_REQUEST; \ No newline at end of file diff --git a/usermode/driver_control.cpp b/usermode/driver_control.cpp new file mode 100644 index 0000000..584439b --- /dev/null +++ b/usermode/driver_control.cpp 
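Review bot: usermode/definitions.hpp repeats the five `NF_*` control codes and the five request structs verbatim from kernelmode/definitions.hpp, so the two sides share an ABI that nothing keeps in sync — a field added or reordered on one side silently corrupts every IOCTL. Move the shared definitions into one header both projects include, or at minimum add `static_assert(sizeof(NF_READ_REQUEST) == 16, "ABI shared with kernelmode/definitions.hpp");`-style checks on each struct so a drift fails at compile time. A one-line comment at the top, `// Wire format shared with the kernelmode project; keep both copies identical`, would at least tell the next editor.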
@@ -0,0 +1,65 @@
+#include "driver_control.hpp"
+
+driver_control::driver_control(const char* path)
+{
+ this->driver_handle = CreateFileA(path, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
+ if (this->driver_handle) { printf("[norsefire]: Driver handle open\n"); }
+}
+
+driver_control::~driver_control()
+{
+ CloseHandle(this->driver_handle);
+ printf("[norsefire]: Driver handle closed\n");
+}
+
+ULONG driver_control::get_process_id_by_name(const char* process_name, size_t process_name_size)
+{
+ if (this->driver_handle)
+ {
+ ULONG bytes;
+ NF_PROCESS_ID_REQUEST process_id_request = { 0 };
+ memcpy(process_id_request.process_name, process_name, process_name_size);
+ if (DeviceIoControl(driver_handle, NF_GET_PROCESS_ID, &process_id_request, sizeof(process_id_request), &process_id_request, sizeof(process_id_request), &bytes, 0))
+ {
+ return process_id_request.process_id;
+ }
+ else
+ {
+ return 0;
+ }
+ }
+ return 0;
+}
+
+ULONG driver_control::get_module_base(ULONG process_id, const wchar_t* module_name, size_t module_name_size)
+{
+ if (this->driver_handle)
+ {
+ ULONG bytes;
+ NF_MODULE_REQUEST module_request = { 0 };
+ module_request.process_id = process_id;
+ memcpy(module_request.module_name, module_name, module_name_size);
+ if (DeviceIoControl(driver_handle, NF_GET_MODULE, &module_request, sizeof(module_request), &module_request, sizeof(module_request), &bytes, 0))
+ {
+ return module_request.address;
+ }
+ else
+ {
+ return 0;
+ }
+ }
+ return 0;
+}
+
+void driver_control::mouse_event(long x, long y, unsigned short button_flags)
+{
+ if (this->driver_handle)
+ {
+ ULONG bytes;
+ NF_MOUSE_REQUEST mouse_request = { 0 };
+ mouse_request.x = x;
+ mouse_request.y = y;
+ mouse_request.button_flags = button_flags;
+ DeviceIoControl(driver_handle, NF_MOUSE_EVENT, &mouse_request, sizeof(mouse_request), &mouse_request, sizeof(mouse_request), &bytes, 0);
+ }
+}
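Review bot: The constructor's success check `if (this->driver_handle)` on the CreateFileA result is wrong, because CreateFileA reports failure with INVALID_HANDLE_VALUE rather than a null handle; as written the object always believes it has a driver, every later `if (this->driver_handle)` guard passes, and the destructor calls CloseHandle on INVALID_HANDLE_VALUE. Normalise the failure case once in the constructor, `if (this->driver_handle == INVALID_HANDLE_VALUE) { this->driver_handle = 0; }` before the printf, and log GetLastError() in the failure branch so an unopened device is visible instead of silent. get_process_id_by_name and get_module_base also memcpy process_name_size and module_name_size bytes into the fixed 64-element request fields with no bound; clamp the copy to the field size (or return 0 when the size exceeds it) so a long name cannot overrun the request struct, and note that `bytes` is written but never inspected.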
diff --git a/usermode/driver_control.hpp b/usermode/driver_control.hpp
new file mode 100644
index 0000000..f77bb7e
--- /dev/null
+++ b/usermode/driver_control.hpp
@@ -0,0 +1,65 @@
+#pragma once
+
+#include "definitions.hpp"
+
+class driver_control
+{
+ private:
+
+ HANDLE driver_handle = 0;
+
+ public:
+
+ driver_control(const char* path);
+
+ ~driver_control();
+
+ ULONG get_process_id_by_name(const char* process_name, size_t process_name_size);
+
+ ULONG get_module_base(ULONG process_id, const wchar_t* module_name, size_t module_name_size);
+
+ template
+ t read_memory(ULONG process_id, ULONG address);
+
+ template
+ void write_memory(ULONG process_id, ULONG address, t buffer);
+
+ void mouse_event(long x, long y, unsigned short button_flags);
+};
+
+template
+inline t driver_control::read_memory(ULONG process_id, ULONG address)
+{
+ if (this->driver_handle)
+ {
+ ULONG bytes;
+ NF_READ_REQUEST read_request = { 0 };
+ read_request.process_id = process_id;
+ read_request.address = address;
+ read_request.size = sizeof(t);
+ if (DeviceIoControl(driver_handle, NF_READ_MEMORY, &read_request, sizeof(read_request), &read_request, sizeof(read_request), &bytes, 0))
+ {
+ return *(t*)&read_request.buffer;
+ }
+ else
+ {
+ return 0;
+ }
+ }
+ return 0;
+}
+
+template
+inline void driver_control::write_memory(ULONG process_id, ULONG address, t buffer)
+{
+ if (this->driver_handle)
+ {
+ ULONG bytes;
+ NF_WRITE_REQUEST write_request = { 0 };
+ write_request.process_id = process_id;
+ write_request.address = address;
+ write_request.buffer = buffer;
+ write_request.size = sizeof(t);
+ DeviceIoControl(driver_handle, NF_WRITE_MEMORY, &write_request, sizeof(write_request), &write_request, sizeof(write_request), &bytes, 0);
+ }
+}
diff --git a/usermode/offsets.hpp b/usermode/offsets.hpp
new file mode 100644
index 0000000..c87a5f3
--- /dev/null
+++ b/usermode/offsets.hpp
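Review bot: read_memory returns `*(t*)&read_request.buffer` although `buffer` is a single ULONG, so any instantiation with sizeof(t) larger than sizeof(ULONG) reads past that field into `size` and then off the end of the struct, and write_memory's `write_request.buffer = buffer;` silently narrows such a t to 32 bits; neither template tells the caller about this limit. Put `static_assert(sizeof(t) <= sizeof(ULONG), "request carries the value inline in a ULONG buffer");` at the top of both bodies, and replace the pointer cast with a memcpy of sizeof(t) bytes into a local `t` so the result does not depend on an aliasing cast. The `HANDLE driver_handle = 0;` default and the copy of the class should also be addressed: the class owns a handle closed in the destructor but does not delete its copy constructor and copy assignment, so a copy would close the same handle twice.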
@@ -0,0 +1,54 @@
+#pragma once
+
+// CSGO offsets and netvars
+// 01.09.2020. 16:39:08
+
+#define m_dwEpochTime 1598971148
+
+#define m_dwLocalPlayer 0xD3FC5C
+#define m_dwEntityList 0x4D5442C
+#define m_dwClientState 0x589DD4
+#define m_dwPlayerResource 0x3183D10
+#define m_dwForceAttack 0x3185984
+#define m_dwForceAlt1 0x51FE080
+#define m_dwForceJump 0x51FE044
+#define m_dwSensitivity 0xD4569C
+#define m_dwGlowObject 0x529C208
+
+#define m_iCrossHairID 0xB3E4
+#define m_bHasDefuser 0xB388
+#define m_iGlowIndex 0xA438
+#define m_flFlashDuration 0xA420
+#define m_iShotsFired 0xA390
+#define m_dwPlayerInfo 0x52B8
+#define m_dwViewAngles 0x4D88
+#define m_bIsScoped 0x3928
+#define m_vecPunch 0x302C
+#define m_dwButtonBits 0x2717
+#define m_dwBoneMatrix 0x26A8
+#define m_iPlayerC4 0x165C
+#define m_bSpotted 0x93D
+
+#define m_hViewModel 0x32F8
+#define m_iViewModelIndex 0x3240
+#define m_flFallbackWear 0x31D0
+#define m_nFallbackPaintKit 0x31C8
+#define m_iItemIDHigh 0x2FC0
+#define m_iEntityQuality 0x2FAC
+#define m_iItemDefinitionIndex 0x2FAA
+#define m_hActiveWeapon 0x2EF8
+#define m_hMyWeapons 0x2DF8
+#define m_nModelIndex 0x258
+
+#define m_szMapName 0x28C
+#define m_szMapPath 0x188
+#define m_iLocalPlayer 0x180
+#define m_dwInGame 0x108
+
+#define m_vecOrigin 0x138
+#define m_angRotation 0x12C
+#define m_vecViewOffset 0x108
+#define m_fFlags 0x104
+#define m_iHealth 0x100
+#define m_iTeamNum 0xF4
+#define m_bDormant 0xED
\ No newline at end of file
diff --git a/usermode/triggerbot.cpp b/usermode/triggerbot.cpp
new file mode 100644
index 0000000..e923639
--- /dev/null
+++ b/usermode/triggerbot.cpp
@@ -0,0 +1,58 @@
+#include "triggerbot.hpp"
+
+void triggerbot::run()
+{
+ driver_control driver("\\\\.\\norsefire");
+
+ const char process_name[] = "csgo.exe";
+ const wchar_t module_name[] = L"client.dll";
+
+ printf("[norsefire]: Looking for %s process...\n", process_name);
+
+ ULONG process_id = driver.get_process_id_by_name(process_name, sizeof(process_name));
+ if (process_id)
+ {
+ printf("[norsefire]: Process identifier found: %d\n", process_id);
+ printf("[norsefire]: Looking for %ws...\n", module_name);
+ ULONG client_base = driver.get_module_base(process_id, module_name, sizeof(module_name));
+ if (client_base)
+ {
+ printf("[norsefire]: %ws found: 0x%x\n", module_name, client_base);
+ printf("[norsefire]: Running...\n");
+ for (;;)
+ {
+ ULONG my_player = driver.read_memory(process_id, client_base + m_dwLocalPlayer);
+ if (my_player <= 0) { continue; }
+
+ ULONG my_team = driver.read_memory(process_id, my_player + m_iTeamNum);
+ ULONG my_cross = driver.read_memory(process_id, my_player + m_iCrossHairID);
+
+ if (my_cross > 0 && my_cross <= 64)
+ {
+ ULONG entity = driver.read_memory(process_id, client_base + m_dwEntityList + ((my_cross - 1) * 0x10));
+ if (entity <= 0) { continue; }
+
+ ULONG entity_health = driver.read_memory(process_id, entity + m_iHealth);
+ ULONG entity_team = driver.read_memory(process_id, entity + m_iTeamNum);
+
+ if (entity_health > 0 && entity_team != my_team && entity_team > 1)
+ {
+ Sleep(3);
+ driver.mouse_event(0, 0, 0x1);
+ Sleep(1);
+ driver.mouse_event(0, 0, 0x2);
+ }
+ }
+ Sleep(1);
+ }
+ }
+ else
+ {
+ printf("[norsefire]: Failed to obtain %ws\n", module_name);
+ }
+ }
+ else
+ {
+ printf("[norsefire]: Failed to find %s process\n", process_name);
+ }
+}
diff --git a/usermode/triggerbot.hpp b/usermode/triggerbot.hpp
new file mode 100644
index 0000000..8305c2b
--- /dev/null
+++ b/usermode/triggerbot.hpp
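Review bot: `if (my_player <= 0)` and `if (entity <= 0)` compare a ULONG against `<= 0`, which for an unsigned type is just `== 0`; write `if (my_player == 0)` and `if (entity == 0)` so a reader does not look for a negative case that cannot exist. Both `continue` statements also skip the `Sleep(1)` at the bottom of the `for (;;)` body, so while a read keeps returning 0 the loop re-issues the IOCTL without any pause. The loop has no exit condition at all, and `process_id` is printed with `%d` although it is a ULONG; the first deserves a comment at `for (;;)` saying the process is only ever stopped externally, the second should be `%lu`.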
@@ -0,0 +1,11 @@
+#pragma once
+
+#include "driver_control.hpp"
+#include "offsets.hpp"
+
+class triggerbot
+{
+ public:
+
+ void run();
+};
\ No newline at end of file
diff --git a/usermode/usermode.vcxproj b/usermode/usermode.vcxproj
new file mode 100644
index 0000000..00503ff
--- /dev/null
+++ b/usermode/usermode.vcxproj
@@ -0,0 +1,157 @@
+ + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {e2262904-bb0d-4deb-8830-1b5bec96ad76} + usermode + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + false + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + None + + + Console + true + true + false + + + + + + + + + + + + + + + + +
\ No newline at end of file
diff --git a/usermode/usermode.vcxproj.filters b/usermode/usermode.vcxproj.filters
new file mode 100644
index 0000000..2e39714
--- /dev/null
+++ b/usermode/usermode.vcxproj.filters
@@ -0,0 +1,42 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + Source Files + + + Source Files + + + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + \ No newline at end of file