thecruz / crzkd Goto Github PK

So now how to ESP communicate with the driver?
I just dont figure out...

1st run - No info received
2nd run - BSOD SYSTEM_SERVICE_EXCEPTION
win10

`#include <Windows.h>
#include
#include <conio.h>

#define REQUEST_READ_WRITE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x826, METHOD_OUT_DIRECT, FILE_ANY_ACCESS) //YOU MUST CHANGE IOCTL CODE
#define GET_PID_AND_BASE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x827, METHOD_OUT_DIRECT, FILE_ANY_ACCESS) //YOU MUST CHANGE IOCTL CODE

typedef struct PidBase
{
wchar_t name[200];
uintptr_t RetInfoPid;
uintptr_t RetInfoAddr;
} PidBase;
struct PidBaseResponse {
unsigned long long pid;
unsigned long long baseAddr;

};
void main() {

HANDLE driver = CreateFile(
    L"\\\\.\\NsiLookup",
    GENERIC_ALL,
    FILE_SHARE_READ | FILE_SHARE_WRITE,
    nullptr,
    OPEN_EXISTING,
    FILE_ATTRIBUTE_NORMAL,
    nullptr
);

if (driver == INVALID_HANDLE_VALUE) {
    MessageBox(NULL, L"Can't handle", L"Error", 0);
    return;
}

const wchar_t* n = L"Explorer.exe";

PidBaseResponse result = { 0 };
PidBase cmd2 = { 0 };
memcpy(cmd2.name, n, wcslen(n) * sizeof(wchar_t));
cmd2.RetInfoPid = (uintptr_t)&result.pid;
cmd2.RetInfoAddr = (uintptr_t)&result.baseAddr;

if (!DeviceIoControl(driver, GET_PID_AND_BASE, &cmd2, sizeof(PidBase), NULL, NULL, NULL, NULL)) {
    MessageBox(NULL, L"Unknown", L"Error", 0);
    return;
}

if (result.pid == 0) {
    MessageBox(NULL, L"No info received", L"Error", 0);
    return;
}

}`

i got bsod when second times open usermode any idea to fix ? my winver 1909
`
int main()
{
std::cout << "Hello World!\n";

 HANDLE driver = CreateFileW(
    L"\\\\.\\NsiLookup",
    GENERIC_ALL,
    FILE_SHARE_READ | FILE_SHARE_WRITE,
    nullptr,
    OPEN_EXISTING,
    FILE_ATTRIBUTE_NORMAL,
    nullptr
);

if (driver == INVALID_HANDLE_VALUE) {
    MessageBox(NULL, L"Can't open", L"Error", 0);
    return GetLastError();
}

const wchar_t* n = L"notepad.exe";

PidBaseResponse result = { 0 };
PidBase cmd2 = { 0 };
memcpy(cmd2.name, n, wcslen(n) * sizeof(wchar_t));
cmd2.RetInfoPid = (uintptr_t)&result.pid;
cmd2.RetInfoAddr = (uintptr_t)&result.baseAddr;

if (!DeviceIoControl(driver, GET_PID_AND_BASE, &cmd2, sizeof(PidBase), NULL, NULL, NULL, NULL)) {
    MessageBox(NULL, L"Unknown", L"Error", 0);
    return GetLastError();
}
printf("Base_Address:   %p\n", (uintptr_t)&result.baseAddr);
system("pause");

if (result.pid == 0) {
    MessageBox(NULL, L"No info received", L"Error", 0);
    return FALSE;
}

}`

I use the Windbg debugger to remotely debug the Win10 system of the virtual machine. When I load CRZKD Driver normally in test mode, BSOD and ERROR occur_ CODE: (NTSTATUS) 0xc0000096. Display of rows with errors__ Writercr0 (cr0); Error.
OS_ VERSION: 10.0.19041.1.
Where is the problem。
Here is the Log
CONTEXT: ffffc580d0de8920 -- (.cxr 0xffffc580d0de8920) rax=0000000080040033 rbx=ffff8a0f892ef040 rcx=0000000080040033 rdx=000000000000001e rsi=fffff8011e971290 rdi=0000000000000000 rip=fffff8011e9717db rsp=ffff868639f7fad0 rbp=0000000000000080 r8=0000000000000000 r9=0000000000000000 r10=0000000000000000 r11=0000000000000010 r12=0000000000000180 r13=0000000000000000 r14=ffff8a0f836b0040 r15=fffff8010d4cf000 iopl=0 nv up di pl nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050006 CRZKD!DEntry+0x54b: fffff8011e9717db 0f22c0 mov cr0,rax
Resetting default scope

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000096 - { }

EXCEPTION_CODE_STR: c0000096

EXCEPTION_STR: 0xc0000096

STACK_TEXT:
ffff868639f7fad0 fffff8010e9268f5 : 0000000000000000 fffff8011e971290 0000000000000000 000fe47fb19bbdff : CRZKD!DEntry+0x54b [D:\Documents\Visual Studio 2022\Projects\CRZKD\CRZKD\main.cpp @ 276]
ffff868639f7fbd0 fffff8010ea04c68 : fffff8010d393180 ffff8a0f892ef040 fffff8010e9268a0 0000000000000246 : nt!PspSystemThreadStartup+0x55
ffff868639f7fc20 0000000000000000 : ffff868639f80000 ffff868639f79000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x28

FAULTING_SOURCE_LINE: D:\Documents\Visual Studio 2022\Projects\CRZKD\CRZKD\main.cpp

FAULTING_SOURCE_FILE: D:\Documents\Visual Studio 2022\Projects\CRZKD\CRZKD\main.cpp

FAULTING_SOURCE_LINE_NUMBER: 276

FAULTING_SOURCE_CODE:
272: _disable();
273: auto cr0 = __readcr0();
274: const auto old_cr0 = cr0;
275: cr0 &= ~(1UL << 16);

276: __writecr0(cr0);
277:
278: __writecr0(old_cr0);
279: _enable();
280:
281: //Where we will place the hooks

SYMBOL_NAME: CRZKD!DEntry+54b

MODULE_NAME: CRZKD

IMAGE_NAME: CRZKD.sys

`
It occurs on main.cpp because I move the __writecr0 to the main function to test the error.

I guess it has to do something with the bytes you inject.