Barakat/Client.c

## Client.c
/* Run as admin */
#include <Windows.h>
#include <stdio.h>

int main(void)
{
	const HANDLE SharedSection = OpenFileMappingW(FILE_MAP_READ,
	                                              FALSE,
	                                              L"Global\\ToyDriverSharedSection");

	if (SharedSection != NULL)
	{
		const LPCVOID BaseAddress = MapViewOfFile(SharedSection,
		                                          FILE_MAP_READ,
		                                          0,
		                                          0,
		                                          512);

		if (BaseAddress != NULL)
		{
			printf("%s\n", (const char*)BaseAddress);
			UnmapViewOfFile(BaseAddress);
		}

		CloseHandle(SharedSection);
	}

	return 0;
}

## Driver.c
#include <wdm.h>


static HANDLE SharedSectionHandle;
static PETHREAD ThreadObject;
static KEVENT ExitEvent;


//
// Device unload procedure
//

static
VOID
_Function_class_(DRIVER_UNLOAD)
DriverUnload(PDRIVER_OBJECT DriverObject)
{
	LONG EventPreviousState;
	NTSTATUS Status;

	UNREFERENCED_PARAMETER(DriverObject);

	DbgPrint("[!] Driver.DriverUnload\n");

	EventPreviousState = KeSetEvent(&ExitEvent, 0, FALSE);

	ASSERT(EventPreviousState == 0);

	Status = KeWaitForSingleObject(ThreadObject, Executive, KernelMode, FALSE, NULL);

	ASSERT(NT_SUCCESS(Status));

	ObDereferenceObject(ThreadObject);

	Status = ZwClose(SharedSectionHandle);

	ASSERT(NT_SUCCESS(Status));
}


//
// Driver entry point
//

static
VOID
_Function_class_(KSTART_ROUTINE)
StartRoutine(PVOID StartContext)
{
	NTSTATUS Status;
	PVOID BaseAddress = NULL;
	SIZE_T ViewSize = 0;
	const HANDLE CurrentProcess = ZwCurrentProcess();

	UNREFERENCED_PARAMETER(StartContext);

	DbgPrint("[!] Driver.StartRoutine\n");

	Status = ZwMapViewOfSection(SharedSectionHandle,
	                            CurrentProcess,
	                            &BaseAddress,
	                            0,
	                            1024,
	                            NULL,
	                            &ViewSize,
	                            ViewUnmap,
	                            0,
	                            PAGE_READWRITE);

	ASSERT(NT_SUCCESS(Status));

	static const CHAR Message[] = "Hello world from the kernel!";

	RtlCopyMemory(BaseAddress, Message, sizeof(Message));

	Status = KeWaitForSingleObject(&ExitEvent, Executive, KernelMode, FALSE, NULL);

	ASSERT(NT_SUCCESS(Status));

	Status = ZwUnmapViewOfSection(CurrentProcess, BaseAddress);

	ASSERT(NT_SUCCESS(Status));

	DbgPrint("[!] Driver.StartRoutineExit\n");
}


//
// Driver entry point
//

NTSTATUS
NTAPI
_Function_class_(DRIVER_INITIALIZE)
DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
	NTSTATUS Status;
	UNICODE_STRING SharedSectionName;
	OBJECT_ATTRIBUTES ObjectAttributes;
	LARGE_INTEGER SharedSectionSize;

	UNREFERENCED_PARAMETER(RegistryPath);

	DriverObject->DriverUnload = DriverUnload;

	DbgPrint("[!] Driver.DriverEntry\n");

	RtlInitUnicodeString(&SharedSectionName, L"\\BaseNamedObjects\\ToyDriverSharedSection");
	InitializeObjectAttributes(&ObjectAttributes,
	                           &SharedSectionName,
	                           0,
	                           NULL,
	                           NULL);

	SharedSectionSize.QuadPart = 1024;
	Status = ZwCreateSection(&SharedSectionHandle,
	                         SECTION_ALL_ACCESS,
	                         &ObjectAttributes,
	                         &SharedSectionSize,
	                         PAGE_READWRITE,
	                         SEC_COMMIT,
	                         NULL);

	if (NT_SUCCESS(Status))
	{
		HANDLE ThreadHandle;

		KeInitializeEvent(&ExitEvent, NotificationEvent, FALSE);

		Status = PsCreateSystemThread(&ThreadHandle,
		                              THREAD_ALL_ACCESS,
		                              NULL,
		                              NULL,
		                              NULL,
		                              StartRoutine,
		                              NULL);

		if (NT_SUCCESS(Status))
		{
			Status = ObReferenceObjectByHandle(ThreadHandle,
			                                   SYNCHRONIZE,
			                                   *PsThreadType,
			                                   KernelMode,
			                                   (PVOID)&ThreadObject,
			                                   NULL);

			ZwClose(ThreadHandle);

			if (NT_SUCCESS(Status))
			{
				return STATUS_SUCCESS;
			}
		}
	}

	ZwClose(SharedSectionHandle);

	return Status;
}
	/* Run as admin */
	#include <Windows.h>
	#include <stdio.h>

	int main(void)
	{
	const HANDLE SharedSection = OpenFileMappingW(FILE_MAP_READ,
	FALSE,
	L"Global\\ToyDriverSharedSection");

	if (SharedSection != NULL)
	{
	const LPCVOID BaseAddress = MapViewOfFile(SharedSection,
	FILE_MAP_READ,
	0,
	0,
	512);

	if (BaseAddress != NULL)
	{
	printf("%s\n", (const char*)BaseAddress);
	UnmapViewOfFile(BaseAddress);
	}

	CloseHandle(SharedSection);
	}

	return 0;
	}
	#include <wdm.h>


	static HANDLE SharedSectionHandle;
	static PETHREAD ThreadObject;
	static KEVENT ExitEvent;


	//
	// Device unload procedure
	//

	static
	VOID
	_Function_class_(DRIVER_UNLOAD)
	DriverUnload(PDRIVER_OBJECT DriverObject)
	{
	LONG EventPreviousState;
	NTSTATUS Status;

	UNREFERENCED_PARAMETER(DriverObject);

	DbgPrint("[!] Driver.DriverUnload\n");

	EventPreviousState = KeSetEvent(&ExitEvent, 0, FALSE);

	ASSERT(EventPreviousState == 0);

	Status = KeWaitForSingleObject(ThreadObject, Executive, KernelMode, FALSE, NULL);

	ASSERT(NT_SUCCESS(Status));

	ObDereferenceObject(ThreadObject);

	Status = ZwClose(SharedSectionHandle);

	ASSERT(NT_SUCCESS(Status));
	}


	//
	// Driver entry point
	//

	static
	VOID
	_Function_class_(KSTART_ROUTINE)
	StartRoutine(PVOID StartContext)
	{
	NTSTATUS Status;
	PVOID BaseAddress = NULL;
	SIZE_T ViewSize = 0;
	const HANDLE CurrentProcess = ZwCurrentProcess();

	UNREFERENCED_PARAMETER(StartContext);

	DbgPrint("[!] Driver.StartRoutine\n");

	Status = ZwMapViewOfSection(SharedSectionHandle,
	CurrentProcess,
	&BaseAddress,
	0,
	1024,
	NULL,
	&ViewSize,
	ViewUnmap,
	0,
	PAGE_READWRITE);

	ASSERT(NT_SUCCESS(Status));

	static const CHAR Message[] = "Hello world from the kernel!";

	RtlCopyMemory(BaseAddress, Message, sizeof(Message));

	Status = KeWaitForSingleObject(&ExitEvent, Executive, KernelMode, FALSE, NULL);

	ASSERT(NT_SUCCESS(Status));

	Status = ZwUnmapViewOfSection(CurrentProcess, BaseAddress);

	ASSERT(NT_SUCCESS(Status));

	DbgPrint("[!] Driver.StartRoutineExit\n");
	}


	//
	// Driver entry point
	//

	NTSTATUS
	NTAPI
	_Function_class_(DRIVER_INITIALIZE)
	DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
	{
	NTSTATUS Status;
	UNICODE_STRING SharedSectionName;
	OBJECT_ATTRIBUTES ObjectAttributes;
	LARGE_INTEGER SharedSectionSize;

	UNREFERENCED_PARAMETER(RegistryPath);

	DriverObject->DriverUnload = DriverUnload;

	DbgPrint("[!] Driver.DriverEntry\n");

	RtlInitUnicodeString(&SharedSectionName, L"\\BaseNamedObjects\\ToyDriverSharedSection");
	InitializeObjectAttributes(&ObjectAttributes,
	&SharedSectionName,
	0,
	NULL,
	NULL);

	SharedSectionSize.QuadPart = 1024;
	Status = ZwCreateSection(&SharedSectionHandle,
	SECTION_ALL_ACCESS,
	&ObjectAttributes,
	&SharedSectionSize,
	PAGE_READWRITE,
	SEC_COMMIT,
	NULL);

	if (NT_SUCCESS(Status))
	{
	HANDLE ThreadHandle;

	KeInitializeEvent(&ExitEvent, NotificationEvent, FALSE);

	Status = PsCreateSystemThread(&ThreadHandle,
	THREAD_ALL_ACCESS,
	NULL,
	NULL,
	NULL,
	StartRoutine,
	NULL);

	if (NT_SUCCESS(Status))
	{
	Status = ObReferenceObjectByHandle(ThreadHandle,
	SYNCHRONIZE,
	*PsThreadType,
	KernelMode,
	(PVOID)&ThreadObject,
	NULL);

	ZwClose(ThreadHandle);

	if (NT_SUCCESS(Status))
	{
	return STATUS_SUCCESS;
	}
	}
	}

	ZwClose(SharedSectionHandle);

	return Status;
	}