A kernel driver for reading and writing memory. Contains a test that writes to notepad.exe's memory, and classes to read/write to two games (Halo: MCC & Apex Legends) which are protected by EAC. I also created a modified version of ReClass.NET that utilizes the driver for its read/write operations, but the laptop I had it on sustained water damage and was destroyed. I will recreate it when I have the time.
Please note that the function addresses are currently hardcoded for Windows 11 kernel 10.0.22000.376. A signature scanner can (and should) be added in the future to avoid this.
- The usermode module (ReadWriteUser.exe) loads ReadWriteDriverMapper.sys, which then manually maps ReadWriteDriver.sys
- ReadWriteDriverMapper.sys allocates non-paged memory with
MmAllocateIndependentPages(), and then sets its page protection to make it executable memory withMmSetPageProtection() - ReadWriteDriver.sys attaches to a usermode process that loads user32.dll (in this case, ReadWriteUser.exe) to gain access to
win32kbase.sys;NtUserSetSysColorsand overwrites a global pointer inNtUserSetSysColors()for its hook
• JD96 for answering questions, of course!
• Frostiest for his physmem class, since I had to add it in at the last minute after I found out that the Apex version of EAC supposedly detects KeStackAttach().
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent