[Repost] Loading unsigned drivers via vulnerabilities in signed drivers
Original link: "Using vulnerabilities in signed drivers to bypass game anti-cheat engines"
A self-written driver has no signature, so the system refuses to load it.
Putting the machine into test-signing mode does load the driver, but some games refuse to run in that mode.
ASUS
ASMMAP64.sys ZwMapViewOfSection/ZwUnmapViewOfSection
Device Name: "\\.\ASMMAP64"
Map Physical IOCTL: 0x9C402580
Unmap Physical IOCTL: 0x9C402584
EIO64.sys MmMapIoSpace/MmUnmapIoSpace
IOMap64.sys MmMapIoSpace/MmUnmapIoSpace
GLCKIo.sys ZwMapViewOfSection/ZwUnmapViewOfSection
Device Name: "\\.\GLCKIo"
Map Physical IOCTL: 0x80102040
Unmap Physical IOCTL: 0x80102044
eneio64.sys ZwMapViewOfSection/ZwUnmapViewOfSection
Device Name: "\\.\EneIo"
Map Physical IOCTL: 0x80102040
Unmap Physical IOCTL: 0x80102044
ATSZIO64.sys ZwMapViewOfSection/ZwUnmapViewOfSection/MmGetPhysicalAddress
Device Name: "\\.\ATSZIO"
Map Physical IOCTL: 0x8807200C
Unmap Physical IOCTL: 0x88072010
Example: https://github.com/LimiQS/AsusDriver...r/PoC-fixed.cs
ATI
atillk64.sys MmMapIoSpace/MmUnmapIoSpace/MmBuildMdlForNonPagedPool/MmMapLockedPages
Device Name: "\\.\atillk64"
Map/Unmap IOCTLs: 0x9C402534, 0x9C402538, 0x9C402544, 0x9C402548
MDL IOCTLs: 0x9C40254C, 0x9C402558, 0x9C402560, 0x9C402564
Avast
aswVmm.sys SSDT Hooking
Device Name: "\\.\aswVmm"
Hook IOCTL: 0xA000E804
Example: https://github.com/tanduRE/AvastHV/
Biostar
BS_Flash64.sys MmMapIoSpace/MmUnmapIoSpace/MmMapLockedPages/ExAllocatePoolWithTag/ExFreePoolWithTag
Device Name: "\\.\BS_Flash64"
Map/Unmap IOCTL: 0x222000
Allocate IOCTL: 0x22203C
BS_I2c64.sys MmMapIoSpace/MmUnmapIoSpace
BSMEMx64.sys MmMapIoSpace/MmUnmapIoSpace/MmGetPhysicalAddress
BSMIXP64.sys MmMapIoSpace/MmUnmapIoSpace/MmGetPhysicalAddress
Capcom
Capcom.sys MmGetSystemRoutineAddress
Device Name: "\\.\Htsysm72FB"
Execute IOCTL: 0xAA013044
CPUID
cpuz141.sys MmMapIoSpace/MmUnmapIoSpace
Device Name: "\\.\cpuz141"
Read Register IOCTL: 0x9C402428
Physical Read: 0x9C402420
Physical Write: 0x9C402430
Notes: CVE-2017-15303
CrystalMark
WinRing0x64.sys MmMapIoSpace/MmUnmapIoSpace
Device Name: "\\.\WinRing0_1_0_1"
Map/Unmap IOCTL: 0x9C406104
Fairplay
FairplayKD.sys MmProbeAndLockPages/KeStackAttachProcess/RtlCompareMemory
Device Name: "\\.\FairplayKD0"
Main Control Code: 22E008
Example: https://www.unknowncheats.me/forum/d...=file&id=21780
GMEREK
pgldqpoc.sys IoAllocateMdl/MmProbeAndLockPages/MmMapLockedPagesSpecifyCache
Map/Unmap IOCTL: 0x7201C028
GMER
gmer64.sys IoAllocateMdl/MmProbeAndLockPages/MmMapLockedPagesSpecifyCache
Read IOCTL: 0x7201C028
Write IOCTL: 0x7201C034
Device Initialize IOCTL: 0x9876C004
Device Name: Same as the driver name
Huawei
HwOs2Ec10x64.sys MmMapIoSpaceEx/KeInitializeApc/KeInsertQueueApc
Device Name: "\\.\HwOs2EcDevX64"
Notes: CVE-2019-5241
sub_140009160
- allocates RWX page in some target process;
- resolves CreateProcessW and CloseHandle function pointers in the address space of the target process;
- copies a code area from the driver as well as what seemed to be a parameter block to the allocated page; and
- performs User APC injection targeting that page
More Information: https://www.microsoft.com/security/b...calation-flaw/
Phymemx64.sys ZwMapViewOfSection
Map IOCTL: 0x80102040
Unmap IOCTL: 0x80102044
Device Name: "\\.\PhyMem"
Notes: Use Phymemx64.dll for reference
Intel
iqvw64e.sys MmMapIoSpace/MmUnmapIoSpace/MmGetPhysicalAddress
Map/Unmap IOCTL: 0x80862007
Device Name: "\\.\Nal"
Example: kdmapper - manual map your driver using a vulnerable driver by Intel
IOBIT
Monitor_win10_x64.sys MmMapIoSpace/MmUnmapIoSpace
Map/Unmap IOCTL: 0x9C406104
Device Name: "\\.\IOBIT_WinRing0_1_3_0"
Notes: CVE-2018-16712
JCOS Media
driver.sys ZwMapViewOfSection
Physical Map IOCTL: 0x4F3EE000
Device Name: "\\.\\gejoriejo"
Download: https://www.unknowncheats.me/forum/d...=file&id=26891
Discussion: signed p2c cheat driver
LG Driver
lha.sys
Map IOCTL: 0x9C402FD8
Unmap IOCTL: 0x9C402FDC
Device Name: "\\.\{E8F2FF20-6AF7-4914-9398-CE2132FE170F}"
Notes: CVE-2019-8372
Example: http://jackson-t.ca/lg-driver-lpe.html
MICSYS
Mslo64.sys Physical Map IOCTL: 0x80102040
Physical Unmap IOCTL: 0x80102044
Notes: Packaged in ASRock Utilities (Polychrome RGB)
MSI/Microstar
NTIOLib_x64.sys MmMapIoSpace/MmUnmapIoSpace
Device Name: "\\.\NTIOLib_LiveUpdate"
Read IOCTL: 0xC3506104
Write IOCTL: 0xC350A108
Notes: Packaged with MSI
Can read/write MSR
Example: https://github.com/rwfpl/rewolf-msi-exploit
PC-Doctor
pcdsrvc_x64.pkms MmMapIoSpace/MmProbeAndLockPages/
Device Name: "\\.\PCDSRVC{3B54B31B-D06B6431-06020200}_0"
GetPhysicalAddress IOCTL: 0x222080
Read/Write Physical IOCTL: 0x222084, 0x222088
Read/Write MSR IOCTL: 0x222180/0x222184
Notes: Packaged with Dell SupportAssist
Example: https://github.com/hatRiot/bugs/blob...ell-sa-lpe.cpp
ProcessHacker
kprocesshacker.sys MmProbeAndLockPages/MmMapLockedPagesSpecifyCache/KeStackAttachProcess
Device Name: "\\.\KProcessHacker2"
Read/Write IOCTL: 0x999920EB/0x999920E3/0x999920E7
Example: https://www.unknowncheats.me/forum/d...=file&id=25444
REALiX
HWiNFO64A.SYS MmMapIoSpace/MmUnmapIoSpace
Device Name: "\\.\HWiNFO"
Physical Map IOCTL: 0x85FE2D18
Notes: version <= 8.98, CVE-2018-8061
Razer
rzpnk.sys ZwOpenSection/ZwMapViewOfSection
Device Name: "\\.\47CD78C9-64C3-47C2-B80F-677B887CF095"
Map/Unmap IOCTL: 0x22a050
Notes: CVE-2017-9769
Packaged with Razer Synapse (v2.20.15.1104)
Example: https://www.rapid7.com/db/modules/ex..._zwopenprocess
Samsung
magdrvamd64.sys MmMapIoSpace/MmUnmapIoSpace
Device Name: "\\.\MagicianSataModeReader"
Map/Unmap IOCTL: 0x80002000, 0x80002004
SOKNO S.R.L.
speedfan.sys MmMapIoSpace/MmUnmapIoSpace
Device Name: "\\.\SpeedFan"
Read Physical IOCTL: 0x9C402428
Write Physical IOCTL: 0x9C40242C
Read MSR: 0x9C402438
Example: https://github.com/SamLarenN/SpeedFa...t/Speedfan.cpp
Zemana
zam64.sys ZwOpenProcess
Device name: "\\.\ZemanaAntiMalware"
Open full access handle IOCTL: 0x80002010/0x8000204C
Notes: CVE-2018-6606
Example: https://github.com/SouhailHammou/Exp...x_privescl_1.c