Loads a signed kernel driver which allows you to map any driver to kernel mode without any traces of the signed / mapped driver.

Related tags

Miscellaneous CosMapper
Overview

CosMapper

Loads a signed kernel driver (signed with leaked cert) which allows you to map any driver to kernel mode without any traces of the signed / mapped driver.

Procedure

  1. The usermode program loads the signed driver (signed with leaked cert)
  2. The signed driver then does a [.data] hook on a ntoskrnl function to transfer the mapped driver buffer to kernel
  3. Usermode process sends mapped driver bytes to driver to map and returns status to usermode.
  4. MmUnloadedList PiddbCache and BigPoolAllocation are cleaned and the driver header is not mapped and no empty bytes for the header allocated.
  5. The usermode program unloads the signed driver (signed with leaked cert) and deletes the service to remove final traces.

Requirements

Your driver needs an entry like the example driver:

struct EntryInitialize
{
	std::uintptr_t mappedImageBase{};
	std::size_t mappedImageSize{};
};

NTSTATUS DriverEntry(EntryInitialize* entryParam)
{
	DebugPrint("Example Driver Mapped [%p] w/ Size [0x%x]", entryParam->mappedImageBase, entryParam->mappedImageSize);

	ExFreePool(reinterpret_cast<void*>(entryParam));

	return STATUS_SUCCESS;
}

The current example passes a structure with the image base and size of the mapped driver but it can be modified to your own liking.

DbgView Example

Note: this project was coded in 2 days so it might have some bugs (open ticket)
The project has been tested on Windows 10 20H2

Usage

cosusermode.exe driver.sys

You might also like...
Static reflection for enums (to string, from string, iteration) for modern C++, work with any enum type without any macro or boilerplate code

__ __ _ ______ _____ | \/ | (_) | ____| / ____|_ _ | \ / |

Daniil Goncharov 3.3k Jan 5, 2023
Automatically load dlls into any executables without replacing any files!

Automatically loaded dll using xinput9_1_0 proxy. Please put the modified xinput9_1_0.dll in the executable's directory.

null 14 Dec 24, 2022
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections and LSASS protections

EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.

Wavestone - Cybersecurity & Digital Trust 846 Jan 2, 2023
Cross-platform C++11 header-only library for memory mapped file IO

mio An easy to use header-only cross-platform C++11 memory mapping library with an MIT license. mio has been created with the goal to be easily includ

null 1.4k Jan 9, 2023
Code Injection via Memory Mapped Files

MMFCodeInjection This technique leverages File Mapping and APC(s) to execute shellcode into another process. By leveraging file mapping we would not h

null 52 Dec 28, 2022
If the button pressed esp will reset and App mode will on. App mode will on then led will on, network is connected led will off.

DHT22-to-Google-sheet-Reset-Using-ESP8266-LED-Switch If button pressed esp will reset and App mode will on. App mode will on then led will on, network

Md. Harun-Or-Rashid 3 Aug 17, 2022
Had a tough time playing Microsoft Wordament ? Well WORDament_Solver has your back. It suggests you meaningful words you can use while playing the game and help you top the leaderboard.
Had a tough time playing Microsoft Wordament ? Well WORDament_Solver has your back. It suggests you meaningful words you can use while playing the game and help you top the leaderboard.

WORDament_Solver Had a tough time playing Microsoft Wordament ? Well WORDament_Solver has your back. It suggests you meaningful words you can use whil

Tushar Agarwal 3 Aug 19, 2021
Some hypervisor research notes. There is also a useful exploit template that you can use to verify / falsify any assumptions you may make while auditing code, and for exploit development.

Introduction Over the past few weeks, I've been doing some hypervisor research here and there, with most of my focus being on PCI device emulation cod

Faith 130 Nov 18, 2022
Windows kernel-mode driver emulating well-known USB game controllers.

Windows kernel-mode driver emulating well-known USB game controllers.

Virtual Gamepad Emulation Framework 1.8k Jan 4, 2023
Owner
Discord: flushin#9408
null
GitHub
Hygieia, a vulnerable driver traces scanner written in C++ as an x64 Windows kernel driver.

Hygieia The Greek goddess of health, her name is the source for the word "hygiene". Hygieia is a windows driver that works similarly to how pagewalkr

Deputation 103 Dec 4, 2022
Signed - a 3D modeling and construction language based on Lua and SDFs. Signed will be available for macOS and iOS and is heavily optimized for Metal.

Signed - A 3D modeling language Abstract Signed is a Lua based 3D modeling language, it provides a unique way to create high quality 3D content for yo

Markus Moenig 90 Nov 21, 2022
Program that allows you to get the source code of a website's home page without doing it manually. Use it at your own risk.

Website-Homepage-Grabber Install one of the folders x64 or x32 if the program doesn't work(probably because you don't have visual studio installed) If

null 5 Feb 19, 2022
External warzone cheat with manual mapped driver (function hook), overlay (nvidia hijack), simple esp, no recoil

external_warzone_cheat External warzone cheat with manual mapped driver (function hook), overlay (nvidia hijack), simple esp, no recoil Offsests are N

NMan 109 Jan 2, 2023
An Arduino library which allows you to communicate seamlessly with the full range of u-blox GNSS modules

u-blox makes some incredible GNSS receivers covering everything from low-cost, highly configurable modules such as the SAM-M8Q all the way up to the surveyor grade ZED-F9P with precision of the diameter of a dime.

SparkFun Electronics 134 Dec 29, 2022
King Hamlet is a simple tool, which allows you to perform a Process Ghosting Attack

KingHamlet Process Ghosting Tool - 64 bits Only! King Hamlet is a simple tool, which allows you to perform a Process Ghosting Attack

null 149 Dec 27, 2022
A fantasy map generator based on Martin O'Leary's "Generating fantasy map" notes

Fantasy Map Generator This program is an implementation of a fantasy map generator written in C++ based on the methods described in Martin O'Leary's "

Ryan Guy 630 Dec 16, 2022
A lightweight C++14 parsing library for tmx map files created with the Tiled map editor

tmxlite Description A lightweight C++14 parsing library for tmx map files created with the Tiled map editor. Requires no external linking, all depende

Matt Styles 325 Dec 26, 2022
A light-weight Flutter Engine Embedder based on HADK ,which for Android devices that runs without any java code

flutter-hadk A light-weight Flutter Engine Embedder based on HADK ,which for Android devices that runs without any java code 1.Build by android-ndk-to

null 12 Jun 15, 2022
Allows you to easily control via MQTT any Micronova equiped pellet stove. (MCZ, Extraflame, Laminox, and many others brands!)

micronova_controller Kits are available on Tindie! Currently out of stock. V2 will be in stock soon! Here is an overview of the additions: possibility

Philibert Cheminot 37 Dec 19, 2022