SinMapper - usermode driver mapper that forcefully loads any signed kernel driver

Overview

SinMapper

usermode driver mapper that forcefully loads any signed kernel driver (legit cert) with a big enough section (example: .data, .rdata) to map your driver over. the main focus of this project is to prevent modern anti-cheats (BattlEye, EAC) from finding your driver and having the power to hook anything and create system threads / callbacks due to being inside of legit memory (signed legit driver).

Procedure

  1. The usermode program loads a signed driver of your choice (signed with any valid cert, example: microsoft, intel, etc...)
  2. Loads vulnerable driver to read/write physical memory which is needed for syscalls. credits: vdm (xerox)
  3. Changes the executable and writable bit of the page tables of the pe section of your choice where the wanted driver is going to be mapped.
  4. All traces of the vulnerable driver are cleared including MmUnloadedDrivers list and PiddbCacheTable
  5. The driver is mapped in the wanted pe section and the entry is called through syscalls.

Requirements

Your driver needs an entry like the example driver:

NTSTATUS DriverEntry(std::uintptr_t mappedImageBase, std::size_t mappedImageSize)
{
	DebugPrint("Example Driver Mapped [%p] w/ Size [0x%x]\n", mappedImageBase, mappedImageSize);

	return STATUS_SUCCESS;
}

The current example passes a structure with the image base and size of the mapped driver but it can be modified to your own liking.

DbgView Example

The project has been tested on Windows 10 20H2, 21H1, 21H2 & Windows 11

Usage

sinmapper.exe driver.sys signed_driver.sys .section_name

Issues
  • what is .section_name?

    what is .section_name?

    I don't understand. my driver : DriverEntry(In PDRIVER_OBJECT Driver, In PUNICODE_STRING RegPath) if i want use this tool What should I do? how to get driver mappedImageBase, and mappedImageSize? Do you have a complete example? Sorry, I'm stupid

    opened by 04255 0
Owner
Discord: flushin#9408
null
Signed - a 3D modeling and construction language based on Lua and SDFs. Signed will be available for macOS and iOS and is heavily optimized for Metal.

Signed - A 3D modeling language Abstract Signed is a Lua based 3D modeling language, it provides a unique way to create high quality 3D content for yo

Markus Moenig 88 May 26, 2022
x64 Windows kernel driver mapper, inject unsigned driver using anycall

anymapper x64 Windows kernel driver mapper, inject unsigned driver using anycall This project is WIP. Todo Fix: Can't make API calls from IAT nor func

Kento Oki 67 Jun 18, 2022
KernelReadWriteMemory - Simple code to manipulate the memory of a usermode process from kernel.

KernelReadWriteMemory Simple proof of concept -code to manipulate the memory of a usermode process from kernelmode of a windows NT operating system. T

Zer0Mem0ry 144 Jun 26, 2022
This is a simple project of a driver + usermode.

This is a simple project of a driver + usermode.

Spuckwaffel 19 Jun 17, 2022
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections and LSASS protections

EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.

Wavestone - Cybersecurity & Digital Trust 564 Jun 26, 2022
DRAGEN open-source mapper

Dragmap Dragmap is the Dragen mapper/aligner Open Source Software. Installation Prerequisites Compilation was tested on CentOS 7 C++11 compatible comp

Illumina 99 Jun 24, 2022
Manual mapper that uses PTE manipulation, Virtual Address Descriptor (VAD) manipulation, and forceful memory allocation to hide executable pages. (VAD hide / NX bit swapping)

Stealthy Kernel-mode Injector Manual mapper that uses PTE manipulation, Virtual Address Descriptor (VAD) manipulation, and forceful memory allocation

Charlie Wolfe 79 Jun 22, 2022
PoC capable of detecting manual syscalls from usermode.

syscall-detect PoC capable of detecting manual syscalls from usermode. More information available at: https://winternl.com/detecting-manual-syscalls-f

null 104 Jun 20, 2022
communicate between usermode and kernelmode through a swapped qword ptr argument

communicate between usermode and kernelmode through a swapped qword ptr argument

null 22 Jun 23, 2022
GPU 3D signed distance field generator, written with DirectX 11 compute shader

GPU SDF Generator GPU 3D signed distance field generator, written with DirectX 11 compute shader Building git clone --recursive https://github.com/Air

Z Guan 23 May 20, 2022
Hygieia, a vulnerable driver traces scanner written in C++ as an x64 Windows kernel driver.

Hygieia The Greek goddess of health, her name is the source for the word "hygiene". Hygieia is a windows driver that works similarly to how pagewalkr

Deputation 67 Jun 19, 2022
Automatically load dlls into any executables without replacing any files!

Automatically loaded dll using xinput9_1_0 proxy. Please put the modified xinput9_1_0.dll in the executable's directory.

null 11 Apr 17, 2022
Create a calculator of any kind in any language, create a pr.

calculators Create a calculator of any kind in any language, create a pr. Create a calculator of any type using the programming language of your choic

Akshay Gautam 2 Dec 1, 2021
A kernel module to provide /system/xbin/su to Android Kernel (especially to WSA)

WSA-Kernel-SU Intro This is a kernel module to provide /system/xbin/su to Android Kernel (especially to WSA). Only works on 4.17+ kernel. For older ke

LSPosed 123 Jun 15, 2022
NetHunter Kernel for the OnePlus 7 Series based on DragonHeart Kernel

Linux kernel ============ This file was moved to Documentation/admin-guide/README.rst Please notice that there are several guides for kernel develop

cyberknight777 9 Mar 13, 2022
a unix inspired, non posix compliant micro kernel (more of a monolithic kernel for now though) that i am working on in my spare time

toy-kernel a unix inspired, non posix compliant micro kernel (more of a monolithic kernel for now though) that i am working on in my spare time prereq

czapek 13 Jun 14, 2022
A kernel module that patches Linux kernel "on-the-fly" to skip TASK_RSS_EVENTS_THRESH check in check_sync_rss_stat

split-rss-counting-patch A kernel module that patches Linux kernel "on-the-fly" to skip TASK_RSS_EVENTS_THRESH check in check_sync_rss_stat. Why? Read

Bao-Hiep Le 3 Mar 6, 2022
A kernel level driver for Windows built to configure the Blue Screen Of Death

BSODConfigure A kernel level driver for Windows built to configure the Blue Screen Of Death. Go see the writeup at https://www.phasetw0.com/configurin

phasetw0 12 Dec 23, 2021