ReadWriteDriver
A kernel driver for reading and writing memory. Contains a test that writes to notepad.exe's memory, and classes to read/write to two games (Halo: MCC & Apex Legends) which are protected by EAC. I also created a modified version of ReClass.NET that utilizes the driver for its read/write operations, but the laptop I had it on sustained water damage and was destroyed. I will recreate it when I have the time.
Please note that the function addresses are currently hardcoded for Windows 11 kernel 10.0.22000.376. A signature scanner can (and should) be added in the future to avoid this.
Technical information
- The usermode module (ReadWriteUser.exe) loads ReadWriteDriverMapper.sys, which then manually maps ReadWriteDriver.sys
- ReadWriteDriverMapper.sys allocates non-paged memory with MmAllocateIndependentPages(), and then sets its page protection to make it executable memory with MmSetPageProtection()
- ReadWriteDriver.sys attaches to a usermode process that loads user32.dll (in this case, ReadWriteUser.exe) to gain access to win32kbase.sys!NtUserSetSysColors and overwrites a global pointer in NtUserSetSysColors() for its hook
Credits
• JD96 for answering questions, of course! ☺️
• Frostiest for his physmem class, since I had to add it in at the last minute after I found out that the Apex version of EAC supposedly detects KeStackAttach().