自己写的驱动没有签名,系统不加载
设置电脑为测试模式加载驱动,某些游戏在该模式下不运行
ASUS
EIO64.sys MmMapIoSpace/MmUnmapIoSpace
IOMap64.sys MmMapIoSpace/MmUnmapIoSpace
ATSZIO64.sys ZwMapViewOfSection/ZwUnmapViewOfSection/MmGetPhysicalAddress
Device Name: ""\\.\ATSZIO"
Map Physical IOCTL: 0x8807200C
Unmap Physical IOCTL: 0x88072010
Example: https://github.com/LimiQS/AsusDriver...r/PoC-fixed.cs
ATI
atillk64.sys MmMapIoSpace/MmUnmapIoSpace/MmBuildMdlForNonPagedPool/MmMapLockedPages
Device Name: "\\.\atillk64"
Map/Unmap IOCTLs: 0x9C402534, 0x9C402538, 0x9C402544, 0x9C402548
MDL IOCTLs: 0x9C40254C, 0x9C402558, 0x9C402560, 0x9C402564
Avast
aswVmm.sys SSDT Hooking
Device Name: "\\.\aswVmm"
Hook IOCTL: 0xA000E804
Example: https://github.com/tanduRE/AvastHV/
Biostar
BS_Flash64.sys MmMapIoSpace/MmUnmapIoSpace/MmMapLockedPages/ExAllocatePoolWithTag/ExFreePoolWithTag
Device Name: "\\.\BS_Flash64"
Map/Unmap IOCTL: 0x222000
Allocate IOCTL: 0x22203C
BS_I2c64.sys MmMapIoSpace/MmUnmapIoSpace
BSMEMx64.sys MmMapIoSpace/MmUnmapIoSpace/MmGetPhysicalAddress
BSMIXP64.sys MmMapIoSpace/MmUnmapIoSpace/MmGetPhysicalAddress
Capcom
Capcom.sys MmGetSystemRoutineAddress
Device Name: "\\.\Htsysm72FB"
Execute IOCTL: 0xAA013044
CPUID
cpuz141.sys MmMapIoSpace/MmUnmapIoSpace
Device Name: "\\.\cpuz141"
Read Register IOCTL: 0x9C402428
Physical Read: 0x9C402420
Physical Write: 0x9C402430
Notes: CVE-2017-15303
CrystalMark
WinRing0x64.sys MmMapIoSpace/MmUnmapIoSpace
Device Name: "\\.\WinRing0_1_0_1"
Map/Unmap IOCTL: 0x9C406104
Fairplay
FairplayKD.sys MmProbeAndLockPages/KeStackAttachProcess/RtlCompareMemory
Device Name: "\\.\FairplayKD0"
Main Control Code: 22E008
Example: https://www.unknowncheats.me/forum/d...=file&id=21780
GMEREK
pgldqpoc.sys IoAllocateMdl/MmProbeAndLockPages/MmMapLockedPagesSpecifyCache
Map/Unmap IOCTL: 0x7201C028
Huawei
HwOs2Ec10x64.sys MmMapIoSpaceEx/KeInitializeApc/KeInsertQueueApc
Device Name: "\\.\HwOs2EcDevX64"
Notes: CVE-2019-5241
sub_140009160
- allocates RWX page in some target process;
- resolves CreateProcessW and CloseHandle function pointers in the address space of the target process;
- copies a code area from the driver as well as what seemed to be a parameter block to the allocated page; and
- performs User APC injection targeting that page
More Information: https://www.microsoft.com/security/b...calation-flaw/
Phymemx64.sys ZwMapViewOfSection
Map IOCTL: 0x80102040
Unmap UICTL: 0x80102044
Device Name: "\\.\PhyMem"
Notes: Use Phymemx64.dll for reference
Intel
iqvw64e.sys MmMapIoSpace/MmUnmapIoSpace/MmGetPhysicalAddress
Map/Unmap IOCTL: 0x80862007
Device Name: "\\.\Nal"
Example: kdmapper - manual map your driver using a vulnerable driver by Intel
IOBIT
Monitor_win10_x64.sys MmMapIoSpace/MmUnmapIoSpace
Map/Unmap IOCTL: 0x9C406104
Device Name: "\\.\IOBIT_WinRing0_1_3_0"
Notes: CVE-2018-16712
JCOS Media
driver.sys ZwMapViewOfSection
Physical Map IOCTL: 0x4F3EE000
Device Name: "\\.\\gejoriejo"
Download: https://www.unknowncheats.me/forum/d...=file&id=26891
Discussion: signed p2c cheat driver
LG Driver
lha.sys
Map IOCTL: 0x9C402FD8
Unmap IOCTL: 0x9C402FDC
Device Name: "\\.\{E8F2FF20-6AF7-4914-9398-CE2132FE170F}"
Notes: CVE-2019-8372
Example: http://jackson-t.ca/lg-driver-lpe.html
MICSYS
Mslo64.sys Physical Map IOCTL: 0x80102040
Physical Unmap IOCTL 0x0x80102044
Notes: Packaged in ASRock Utilities (Polychrome RGB)
MSI/Microstar
NTIOLib_x64.sys MmMapIoSpace/MmUnmapIoSpace
Device Name: "\\.\NTIOLib_LiveUpdate"
Read IOCTL: 0xC3506104
Write IOCTL: 0xC350A108
Notes: Packaged with MSI
Can read/write MSR
Example: https://github.com/rwfpl/rewolf-msi-exploit
PC-Doctor
pcdsrvc_x64.pkms MmMapIoSpace/MmProbeAndLockPages/
Device Name: "\\.\PCDSRVC{3B54B31B-D06B6431-06020200}_0"
GetPhysicalAddress IOCTL: 0x222080
Read/Write Physical IOCTL: 0x222084, 0x222088
Read/Write MSR IOCTL: 0x222180/0x222184
Notes: Packaged with Dell SupportAssist
Example: https://github.com/hatRiot/bugs/blob...ell-sa-lpe.cpp
ProcessHacker
krpocesshacker.sys MmProbeAndLockPages/MmMapLockedPagesSpecifyCache/KeStackAttachProcess
Device Name: "\\.\KProcessHacker2"
Read/Write IOCTL: 0x999920EB/0x999920E3/0x999920E7
Example: https://www.unknowncheats.me/forum/d...=file&id=25444
REALiX
HWiNFO64A.SYS MmapIoSpace/MmUnmapIoSpace
Device Name: "\\.\HWiNFO"
Physical Map IOCTL: 0x85FE2D18
Notes: version <= 8.98, CVE-2018-8061
Razer
rzpnk.sys ZwOpenSection/ZwMapViewOfSection
Device Name: "\\.\47CD78C9-64C3-47C2-B80F-677B887CF095"
Map/Unmap IOCTL: 0x22a050
Notes: CVE-2017-9769
Packaged with Razer Synapse (v2.20.15.1104)
Example: https://www.rapid7.com/db/modules/ex..._zwopenprocess
Samsung
magdrvamd64.sys MmMapIoSpace/MmUnmapIoSpace
Device Name: "\\.\MagicianSataModeReader"
Map/Unamp IOCTL: 0x80002000, 0x80002004
SOKNO S.R.L.
speedfan.sys MmMapIoSpace/MmMapIoSpace/MmUnmapIoSpace
Device Name: "\\.\SpeedFan"
Read Physical IOCTL: 0x9C402428
Write Physical IOCTL: 0x9C40242C
Read MSR: 0x9C402438
Example: https://github.com/SamLarenN/SpeedFa...t/Speedfan.cpp
Zemana
zam64.sys ZwOpenProcess
Device name: "\\.\ZemanaAntiMalware"
Open full access handle IOCTL: 0x80002010/0x8000204C
Notes: CVE-2018-6606
Example: https://github.com/SouhailHammou/Exp...x_privescl_1.c