
ReadWriteDriver

A kernel driver for reading and writing process memory. The repository contains a test that writes to notepad.exe's memory, plus classes that read from and write to two EAC-protected games (Halo: MCC and Apex Legends). I also created a modified version of ReClass.NET that uses the driver for its read/write operations, but the laptop it was on sustained water damage and was destroyed; I will recreate it when I have the time.

Note that the addresses of the kernel functions the mapper and driver call are currently hardcoded for Windows 11 kernel build 10.0.22000.376. On any other build those addresses point at different code, which in kernel mode generally means a bugcheck rather than an error return, so a signature scanner that resolves them at runtime can (and should) be added in the future.
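
The runtime resolution mentioned above is usually done with a byte-pattern scan over the loaded module's code. The following is an added example written for this README, not code from the repository: a user-mode C implementation of an IDA-style pattern scanner with `?` wildcards, plus a helper that resolves the RIP-relative displacement of a matched instruction to the global it references. The "image" it scans is a constructed NOP sled holding one hand-assembled `mov rax, [rip+disp]; test rax, rax` sequence; the pattern, offsets and the global's location are all made up for the demo.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOT_FOUND ((size_t)-1)

/* Parse an IDA-style pattern such as "48 8B 05 ? ? ? ? 48 85 C0" into byte and
 * mask arrays (mask[i] == 0 marks a wildcard). Returns the entry count, or 0 on
 * a malformed pattern or one that does not fit in cap entries. */
static size_t parse_pattern(const char *pat, uint8_t *bytes, uint8_t *mask, size_t cap)
{
    size_t n = 0;
    while (*pat) {
        while (*pat == ' ') pat++;
        if (!*pat) break;
        if (n >= cap) return 0;
        if (*pat == '?') {
            bytes[n] = 0; mask[n] = 0; n++;
            while (*pat == '?') pat++;          /* "?" and "??" both mean one wildcard byte */
        } else {
            if (!isxdigit((unsigned char)pat[0]) || !isxdigit((unsigned char)pat[1])) return 0;
            char hex[3] = { pat[0], pat[1], '\0' };
            bytes[n] = (uint8_t)strtoul(hex, NULL, 16);
            mask[n] = 1; n++;
            pat += 2;
        }
    }
    return n;
}

/* Scan [base, base + size) for the first match; return its offset or NOT_FOUND. */
size_t find_pattern(const uint8_t *base, size_t size, const char *pat)
{
    uint8_t bytes[64], mask[64];
    size_t n = parse_pattern(pat, bytes, mask, sizeof bytes);
    if (n == 0 || n > size) return NOT_FOUND;
    for (size_t i = 0; i + n <= size; i++) {
        size_t j = 0;
        while (j < n && (!mask[j] || base[i + j] == bytes[j])) j++;
        if (j == n) return i;
    }
    return NOT_FOUND;
}

/* Resolve the target of a RIP-relative instruction at offset insn whose rel32
 * displacement sits at insn + disp_off and whose total length is insn_len.
 * x64 RIP-relative addressing is relative to the *next* instruction, hence
 * insn + insn_len + rel. The result is an offset within the same image. */
size_t resolve_rip_rel(const uint8_t *base, size_t insn, size_t disp_off, size_t insn_len)
{
    int32_t rel;
    memcpy(&rel, base + insn + disp_off, sizeof rel);
    return (size_t)((int64_t)(insn + insn_len) + rel);
}

/* Constructed stand-in for a code section: a NOP sled holding one
 * "mov rax, [rip+9]; test rax, rax" sequence at offset 16, so the global it
 * reads sits at offset 16 + 7 + 9 = 32. */
#define IMG_SIZE 64
void build_sample_image(uint8_t *img)
{
    static const uint8_t stub[] = { 0x48, 0x8B, 0x05, 0x09, 0x00, 0x00, 0x00,   /* mov rax, [rip+0x9] */
                                    0x48, 0x85, 0xC0 };                         /* test rax, rax      */
    memset(img, 0x90, IMG_SIZE);
    memcpy(img + 16, stub, sizeof stub);
}

/* Match the sequence with wildcards over the displacement, then resolve the global. */
size_t locate_sample_global(void)
{
    uint8_t img[IMG_SIZE];
    build_sample_image(img);
    size_t hit = find_pattern(img, IMG_SIZE, "48 8B 05 ? ? ? ? 48 85 C0");
    if (hit == NOT_FOUND) return NOT_FOUND;
    return resolve_rip_rel(img, hit, 3, 7);
}

int main(void)
{
    size_t off = locate_sample_global();
    if (off == NOT_FOUND) { puts("pattern not found"); return 1; }
    printf("global at image offset 0x%zx\n", off);
    return 0;
}
```

In a driver the same scan would run over the `.text` section of ntoskrnl.exe or win32kbase.sys, with the base and size taken from the loaded-module list rather than a constructed buffer; the wildcards over the displacement are what keep a pattern valid across builds where only the referenced global moves.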


Technical information

  • The usermode module (ReadWriteUser.exe) loads ReadWriteDriverMapper.sys, which then manually maps ReadWriteDriver.sys into kernel memory, so the mapped driver is never registered with the loader as a loaded module
  • ReadWriteDriverMapper.sys allocates non-paged memory with MmAllocateIndependentPages(), then changes its page protection to executable with MmSetPageProtection() before the driver image is copied into it
  • ReadWriteDriver.sys attaches to a usermode process that has loaded user32.dll (here ReadWriteUser.exe), because win32k is mapped in session space and is only reachable from the context of such a GUI process; from there it reaches NtUserSetSysColors in win32kbase.sys and overwrites a global pointer used inside NtUserSetSysColors() with its hook, giving the usermode module a call path into the driver
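
The last step turns a hooked global function pointer into the command channel between the usermode module and the driver. The following is an added user-mode model of that pattern, written for this README and not the repository's code: the request layout, the RW_MAGIC value, the simulated target-process memory and the `syscall_stub` that stands in for the win32k path calling through the global pointer are all constructed for the demo. What it shows is the part that matters for correctness: genuine callers of the pointer must still reach the original routine, usermode-supplied sizes must be bounds-checked with an overflow guard, and the original pointer must be restored before the hook's memory disappears.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Request block the usermode client hands to the hook. The magic separates our
 * calls from genuine callers of the hooked pointer. Constructed protocol. */
#define RW_MAGIC 0x52574452u          /* "RWDR" */
enum { RW_READ = 1, RW_WRITE = 2 };

typedef struct {
    uint32_t magic;
    uint32_t op;
    uint64_t address;   /* offset into the simulated target-process memory */
    uint64_t size;
    void    *buffer;    /* caller's buffer */
    int      status;    /* 0 = ok, -1 = bad range, -2 = bad op */
} rw_request_t;

/* Simulated target-process memory and the routine that originally owned the pointer. */
static uint8_t g_target_mem[256];
static int     g_original_calls;

static int original_routine(void *arg) { (void)arg; g_original_calls++; return 0; }

/* The global function pointer the driver overwrites, and the saved original. */
static int (*g_pfn_global)(void *) = original_routine;
static int (*g_pfn_saved)(void *)  = NULL;

static int hook_routine(void *arg)
{
    rw_request_t *req = (rw_request_t *)arg;
    if (req == NULL || req->magic != RW_MAGIC)
        return g_pfn_saved(arg);                 /* not ours: pass through unchanged */

    /* Bounds check written to avoid address + size overflow: never trust usermode sizes. */
    if (req->size > sizeof g_target_mem || req->address > sizeof g_target_mem - req->size) {
        req->status = -1;
        return -1;
    }
    switch (req->op) {
    case RW_READ:  memcpy(req->buffer, g_target_mem + req->address, (size_t)req->size); req->status = 0; break;
    case RW_WRITE: memcpy(g_target_mem + req->address, req->buffer, (size_t)req->size); req->status = 0; break;
    default:       req->status = -2; break;
    }
    return req->status;
}

void install_hook(void)
{
    if (g_pfn_global == hook_routine) return;    /* never save our own hook as "original" */
    g_pfn_saved  = g_pfn_global;
    g_pfn_global = hook_routine;
}

void remove_hook(void)
{
    if (g_pfn_saved == NULL) return;
    g_pfn_global = g_pfn_saved;                  /* restore before the hook's memory goes away */
    g_pfn_saved  = NULL;
}

/* Stand-in for the syscall path that ends in a call through the global pointer. */
int syscall_stub(void *arg) { return g_pfn_global(arg); }

/* Usermode side: build a request and go through the "syscall". */
int rw_read(uint64_t addr, void *buf, uint64_t size)
{
    rw_request_t r = { RW_MAGIC, RW_READ, addr, size, buf, 0 };
    syscall_stub(&r);
    return r.status;
}
int rw_write(uint64_t addr, const void *buf, uint64_t size)
{
    rw_request_t r = { RW_MAGIC, RW_WRITE, addr, size, (void *)buf, 0 };
    syscall_stub(&r);
    return r.status;
}

/* Full round trip; returns 1 when every step behaves as intended. */
int demo_roundtrip(void)
{
    char out[6] = { 0 };
    install_hook();
    if (rw_write(0x10, "hello", 5) != 0) return 0;
    if (rw_read(0x10, out, 5) != 0 || strcmp(out, "hello") != 0) return 0;
    if (rw_read(250, out, 10) != -1) return 0;   /* 250 + 10 > 256: rejected */
    syscall_stub(NULL);                          /* an unrelated caller passes through */
    remove_hook();
    if (syscall_stub(NULL) != 0) return 0;       /* original pointer restored */
    return g_original_calls == 2;
}

/* An unknown op code is reported, not silently executed. */
int demo_bad_op(void)
{
    rw_request_t r = { RW_MAGIC, 7, 0, 1, NULL, 0 };
    install_hook();
    syscall_stub(&r);
    remove_hook();
    return r.status;
}

int main(void)
{
    printf("round trip %s, bad op status %d\n", demo_roundtrip() ? "ok" : "failed", demo_bad_op());
    return 0;
}
```

Two things the model cannot show but a kernel implementation must handle: the request block and the caller's buffer live in usermode memory and are dereferenced in kernel mode in the caller's context, so they have to be validated (ProbeForRead/ProbeForWrite inside a `__try`/`__except` block) before any copy; and because a manually mapped driver has no unload routine the OS will call, unhooking has to happen explicitly before its pages are freed, or the next legitimate call through the pointer lands in unmapped memory.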

Credits

  • JD96 for answering questions, of course! ☺️
  • Frostiest for his physmem class, which I had to add at the last minute after finding out that the Apex version of EAC supposedly detects KeStackAttachProcess().