SinMapper - usermode driver mapper that forcefully loads any signed kernel driver

Overview

SinMapper

A usermode driver mapper that forcefully loads any signed kernel driver (with a legitimate certificate) that has a big enough section (for example .data or .rdata) to map your driver over. The main focus of this project is to prevent modern anti-cheats (BattlEye, EAC) from finding your driver, and to have the power to hook anything and create system threads / callbacks, because the driver sits inside legitimate memory (a signed, legitimate driver).

Procedure

  1. The usermode program loads a signed driver of your choice (signed with any valid cert, for example Microsoft, Intel, etc.).
  2. It loads a vulnerable driver to read/write physical memory, which is needed for syscalls. Credits: vdm (xerox).
  3. It changes the executable and writable bits in the page tables of the PE section of your choice, where the wanted driver is going to be mapped.
  4. All traces of the vulnerable driver are cleared, including the MmUnloadedDrivers list and PiddbCacheTable.
  5. The driver is mapped into the wanted PE section and its entry is called through syscalls.
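
Step 3 leaves a detectable mismatch: a section whose on-disk header declares it non-executable ends up with executable pages. The following is an added example, not code from the SinMapper project, showing that integrity check from the defender's side; `audit_section`, `make_header` and the PTE values are hypothetical and constructed for illustration, and a real check would obtain the PTEs from a kernel-side or hypervisor inspector.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCN_MEM_EXECUTE 0x20000000u   /* IMAGE_SCN_MEM_EXECUTE */
#define SCN_MEM_WRITE   0x80000000u   /* IMAGE_SCN_MEM_WRITE */
#define PTE_PRESENT (1ull << 0)       /* x64 PTE: page is present */
#define PTE_WRITE   (1ull << 1)       /* x64 PTE: page is writable */
#define PTE_NX      (1ull << 63)      /* x64 PTE: no-execute */
#define FLAG_UNEXPECTED_EXEC  1
#define FLAG_UNEXPECTED_WRITE 2

/* Read a little-endian 32-bit field from a raw header. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Compare one 40-byte IMAGE_SECTION_HEADER (as stored on disk) with the
   PTEs observed for its pages; returns a bitmask of FLAG_* mismatches. */
int audit_section(const uint8_t hdr[40], const uint64_t *ptes, size_t n) {
    uint32_t ch = rd32(hdr + 36);     /* Characteristics field */
    int flags = 0;
    for (size_t i = 0; i < n; i++) {
        if (!(ptes[i] & PTE_PRESENT)) continue;   /* not mapped: nothing to judge */
        if (!(ch & SCN_MEM_EXECUTE) && !(ptes[i] & PTE_NX))
            flags |= FLAG_UNEXPECTED_EXEC;        /* data section, executable page */
        if (!(ch & SCN_MEM_WRITE) && (ptes[i] & PTE_WRITE))
            flags |= FLAG_UNEXPECTED_WRITE;       /* read-only section, writable page */
    }
    return flags;
}

/* Constructed sample input: a section header with the given name and flags. */
void make_header(uint8_t hdr[40], const char *name, uint32_t ch) {
    memset(hdr, 0, 40);
    strncpy((char *)hdr, name, 8);
    for (int i = 0; i < 4; i++) hdr[36 + i] = (uint8_t)(ch >> (8 * i));
}

int main(void) {
    uint8_t hdr[40];
    make_header(hdr, ".data", 0xC0000040u);       /* read | write | initialized data */
    uint64_t clean[2]    = { PTE_PRESENT | PTE_WRITE | PTE_NX, PTE_PRESENT | PTE_WRITE | PTE_NX };
    uint64_t tampered[2] = { PTE_PRESENT | PTE_WRITE | PTE_NX, PTE_PRESENT | PTE_WRITE };
    printf("clean .data    -> %d\n", audit_section(hdr, clean, 2));
    printf("tampered .data -> %d\n", audit_section(hdr, tampered, 2));
    return 0;
}
```

Discardable sections such as INIT are released after the driver initializes, so a production check would skip them rather than report their reused pages.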

Requirements

Your driver needs an entry like the example driver:

NTSTATUS DriverEntry(std::uintptr_t mappedImageBase, std::size_t mappedImageSize)
{
	DebugPrint("Example Driver Mapped [%p] w/ Size [0x%x]\n", mappedImageBase, mappedImageSize);

	return STATUS_SUCCESS;
}

The current example passes a structure with the image base and size of the mapped driver but it can be modified to your own liking.

The project has been tested on Windows 10 20H2, 21H1, 21H2 & Windows 11

Usage

sinmapper.exe driver.sys signed_driver.sys .section_name

Comments
  • what is .section_name?

    I don't understand. My driver: DriverEntry(In PDRIVER_OBJECT Driver, In PUNICODE_STRING RegPath). If I want to use this tool, what should I do? How do I get the driver's mappedImageBase and mappedImageSize? Do you have a complete example? Sorry, I'm stupid

    opened by 04255 0
Owner
Discord: flushin#9408