ZAM64.SYS (ZAMGUARD64.SYS) most interesting IOCTLs.
All parameters to these functions are supplied from user mode via the DeviceIoControl input buffer. Everything listed here is available to any local user on a machine where this driver is running.
Arbitrary file deletion. Resets the file's attributes via ZwSetInformationFile and then calls ZwDeleteFile.
Wrapper around ZwQuerySystemInformation(SystemProcessInformation).
Enumerates process modules for a given PID. Does ZwOpenProcess/ObReferenceObjectByHandle/KeStackAttachProcess and walks the loader module list.
Creates registry key with full access, handle returned to user-mode.
Deletes arbitrary registry key.
Deletes arbitrary registry value.
Returns information about a given loaded image via ZwQuerySystemInformation(SystemModuleInformation).
Modify arbitrary driver object.
Adds the requesting process id to the list of trusted processes (must be called before any of the other IOCTLs).
Read arbitrary disk sectors using SCSI request.
Write arbitrary disk sectors using SCSI request.
Open arbitrary physical drive.
Opens a thread by id and returns the handle to user mode (wrapper around ZwOpenThread).
Terminates a process by id; will not terminate critical processes (ZwOpenProcess/ZwTerminateProcess).
Opens a process by id. If the Windows build is known, forces CurrentThread->PreviousMode to KernelMode by patching it and calls NtOpenProcess; otherwise it falls back to the usual ZwOpenProcess.
Returns information about the files in the directory specified by the given file handle by talking to the device directly via IRP. Essentially a reimplementation of ZwQueryDirectoryFile.
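Since every capability above is reachable by any local user once the driver is loaded, the defensive question is simply whether ZAM64.SYS / ZAMGUARD64.SYS is installed or running on a host. The following PowerShell script is an added example, not part of the original write-up; it enumerates registered kernel drivers and the drivers directory, flags the two file names named here, and reports service state, start mode and Authenticode signer so the driver can be stopped, removed or blocked. The file names are the only identifiers it relies on (no hashes, since the page gives none), so it is a presence check, not a replacement for a hash- or signature-based blocklist.

```powershell
# Added example (not from the original write-up): locate ZAM64.SYS / ZAMGUARD64.SYS
# on this host so it can be stopped, removed or blocked by policy.
# Only the file names from the write-up are used as indicators.
$targetNames = @('zam64.sys', 'zamguard64.sys')

# Win32_SystemDriver PathName comes in several forms; normalize to a plain Win32 path.
function Convert-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return '' }
    $p = $PathName -replace '^\\\?\?\\', ''                       # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot             # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^System32', (Join-Path $env:SystemRoot 'System32')
    return $p
}

function Get-SignerInfo {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'file missing' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
    return ('{0} ({1})' -f $subject, $sig.Status)
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Registered kernel driver services whose image is one of the target files.
foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    $path = Convert-DriverPath $drv.PathName
    $leaf = if ($path) { (Split-Path -Leaf $path).ToLowerInvariant() } else { '' }
    if ($targetNames -contains $leaf) {
        $findings.Add([pscustomobject]@{
            Source    = 'service'
            Service   = $drv.Name
            Path      = $path
            State     = $drv.State
            StartMode = $drv.StartMode
            Signer    = Get-SignerInfo $path
        })
    }
}

# 2. Files sitting in the drivers directory even if no service is registered yet
#    (a dropped-but-not-installed copy is still worth reporting).
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
foreach ($name in $targetNames) {
    $candidate = Join-Path $driverDir $name
    if ((Test-Path -LiteralPath $candidate) -and
        -not ($findings | Where-Object { $_.Path -ieq $candidate })) {
        $findings.Add([pscustomobject]@{
            Source    = 'file-on-disk'
            Service   = ''
            Path      = $candidate
            State     = 'not registered'
            StartMode = ''
            Signer    = Get-SignerInfo $candidate
        })
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'ZAM64.SYS / ZAMGUARD64.SYS not found on this host.'
} else {
    # Any 'Running' entry means every IOCTL described above is currently exposed to local users.
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so Get-CimInstance and Get-AuthenticodeSignature can read every driver image; a `State` of `Running` is the condition that matters, since a stopped or merely on-disk copy exposes nothing until it is loaded.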