DeFexNN/drivers-portfolio
GitHub: DeFexNN/drivers-portfolio
A production-grade Windows kernel-driver security engineering suite: an end-to-end implementation of covert physical-memory access, DSE bypass, manual PE mapping and multi-layer obfuscation.
Stars: 0 | Forks: 0
# 🛡️ Drivers Portfolio: Kernel Security Engineering Suite
A production-grade Windows kernel-driver ecosystem for privileged memory access,
covering process protection, DSE bypass, manual mapping and a secure loader architecture.
Built with WDK/MSVC, protected by VMProtect, and authenticated via Firebase.
## Philosophy
This portfolio demonstrates **defense in depth at every layer**: from kernel memory
primitives that actively sidestep anti-cheat detection patterns, to a user-mode loader
with IAT hiding, runtime API resolution and compile-time string obfuscation.
Every design decision serves a stated purpose:
- **No `KeStackAttachProcess` on the read/write path**: attaching leaves traces in `KTHREAD.ApcState` that anti-cheats scan for, so reads and writes go through the page walk below (the Alloc Memory IOCTL in the reference table still attaches)
- **CR3-based physical page walk**: sidesteps the VAD-based checks aimed at `MmMapIoSpace` mappings
- **Data hooks, not code hooks**: `InterlockedExchangePointer` on the dxgkrnl dispatch table instead of inline patches
- **No plaintext API names**: all Win32/d3d11/BCrypt imports are resolved at runtime from XOR-encrypted strings
- **Fresh AES key per build**: embedded payloads are re-encrypted by `encrypt_bins.ps1`; the key is never committed
## Architecture
```
┌──────────────────────────────────────────────────────────────────────┐
│ driver_loader.exe (VMProtect-protected, ImGui + D3D11 GUI)           │
│                                                                      │
│ ┌────────────┐ ┌────────────┐ ┌──────────────┐ ┌─────────────┐       │
│ │ Auth UI    │ │ DSE        │ │ Driver Load  │ │ Payload     │       │
│ │ Firebase   │ │ Bypass     │ │ via SCM      │ │ Launch +    │       │
│ │ key check  │ │ kvc.sys    │ │ Create/Start │ │ Protection  │       │
│ └─────┬──────┘ └─────┬──────┘ └──────┬───────┘ └──────┬──────┘       │
│       │              │               │                │              │
│ ┌─────┴──────────────┴───────────────┴────────────────┴────────────┐ │
│ │ lazy_api.hpp · embedded.hpp · string_obf.hpp                     │ │
│ │ Runtime API resolution · AES-256 decryption · OBF                │ │
│ └──────────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────┘
            │                                   │
         SCM Load                          Manual Map
            │                                   │
    ┌───────┴────────────┐          ┌───────────┴─────────────────────┐
    │ MidnightSoftware   │          │ driver_manual_mapper.exe        │
    │ Driver.sys         │          │                                 │
    │                    │          │ PE Parser → Relocations →       │
    │ • CR3 page walk    │          │ Remote IAT → Kernel APC →       │
    │ • Physical mem     │          │ PEB Ldr Link → TLS Init         │
    │ • dxgkrnl hook     │          │                                 │
    │ • Process prot.    │          │ 3160 lines of academic-grade    │
    │ • PPL patching     │          │ manual mapping logic            │
    │ • Handle strip     │          └─────────────────────────────────┘
    └────────────────────┘
```
## Code Examples
### CR3-based physical memory read (kernel)
```
// Walk the x64 4-level page tables to translate virtual -> physical, then copy
// via MmCopyMemory(MM_COPY_MEMORY_PHYSICAL). No KeStackAttachProcess.
#define PFN_MASK 0x000FFFFFFFFFF000ULL                                   // bits 12..51 of an entry
#define VA_INDEX(va, level) (((va) >> (12 + 9 * ((level) - 1))) & 0x1FF)  // 9-bit table index

NTSTATUS ReadMemoryCr3(UINT64 cr3, UINT64 va, PVOID buffer, SIZE_T size) {
    UINT64 table = cr3 & PFN_MASK, entry = 0;   // CR3 low bits are PCID/flags, not address
    int level;
    for (level = 4; level > 0; level--) {                         // PML4 -> PDPT -> PD -> PT
        entry = ReadPhysicalQword(table + VA_INDEX(va, level) * 8);
        if (!(entry & 1)) return STATUS_UNSUCCESSFUL;             // not present
        if ((level == 3 || level == 2) && (entry & (1ULL << 7))) break;  // 1 GiB / 2 MiB page
        table = entry & PFN_MASK;
    }
    // Page offset is 12 bits for 4 KiB (level 0), 21 for 2 MiB (2), 30 for 1 GiB (3).
    UINT64 off_mask = (1ULL << (level == 0 ? 12 : 12 + 9 * (level - 1))) - 1;
    MM_COPY_ADDRESS src;
    src.PhysicalAddress.QuadPart = (LONGLONG)((entry & PFN_MASK & ~off_mask) | (va & off_mask));
    SIZE_T copied = 0;   // caller must split reads at page boundaries; the next page is not contiguous
    return MmCopyMemory(buffer, src, size, MM_COPY_MEMORY_PHYSICAL, &copied);
}
```
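A user-mode model of the same four-level walk, added here as an example and not the driver's own code: the page tables live in a constructed `std::map` that stands in for physical memory, and `ReadPhysicalQword`, the table layout, the VA/PA values and `BuildSampleTables` are all assumptions made for the example. It returns the physical address the driver would hand to `MmCopyMemory`, and carries the 2 MiB large-page case through to the final address rather than only stopping at it.

```cpp
#include <cstdint>
#include <map>
#include <optional>

// Constructed "physical RAM": physical address -> 8-byte cell. Absent cells read as 0,
// i.e. as a non-present entry. (Assumption for this example; the driver reads real RAM.)
using PhysMem = std::map<uint64_t, uint64_t>;

constexpr uint64_t PFN_MASK    = 0x000FFFFFFFFFF000ULL; // bits 12..51 of an entry
constexpr uint64_t PTE_PRESENT = 1ULL << 0;
constexpr uint64_t PTE_RW      = 1ULL << 1;
constexpr uint64_t PTE_PS      = 1ULL << 7;             // large page (PDPTE: 1 GiB, PDE: 2 MiB)

// 9-bit table index of `va` at a given level (4 = PML4, 3 = PDPT, 2 = PD, 1 = PT).
constexpr uint64_t va_index(uint64_t va, int level) {
    return (va >> (12 + 9 * (level - 1))) & 0x1FF;
}

// Stand-in for the kernel's ReadPhysicalQword helper.
uint64_t ReadPhysicalQword(const PhysMem& mem, uint64_t pa) {
    auto it = mem.find(pa);
    return it == mem.end() ? 0 : it->second;
}

// Translate `va` through the hierarchy rooted at `cr3`. Returns the physical address
// the driver would pass to MmCopyMemory, or nullopt on a non-present entry.
std::optional<uint64_t> TranslateCr3(const PhysMem& mem, uint64_t cr3, uint64_t va) {
    uint64_t table = cr3 & PFN_MASK;   // CR3 low bits hold PCID/flags, not address bits
    uint64_t entry = 0;
    int level = 4;
    for (; level > 0; --level) {
        entry = ReadPhysicalQword(mem, table + va_index(va, level) * 8);
        if (!(entry & PTE_PRESENT)) return std::nullopt;
        if ((level == 3 || level == 2) && (entry & PTE_PS)) break;   // stop at a large page
        table = entry & PFN_MASK;
    }
    // After the loop, level is 0 (4 KiB), 2 (2 MiB) or 3 (1 GiB); that fixes the offset width.
    const int shift = (level == 0) ? 12 : 12 + 9 * (level - 1);
    const uint64_t off_mask = (1ULL << shift) - 1;
    return (entry & PFN_MASK & ~off_mask) | (va & off_mask);
}

// Constructed hierarchy: PML4 at PA 0x1000, PDPT 0x2000, PD 0x3000, PT 0x4000.
// VA 0x7FF612345678 -> 4 KiB frame 0xABCDE000; the next 2 MiB region is a 2 MiB large
// page at 0x40000000. Everything else is unmapped.
PhysMem BuildSampleTables() {
    PhysMem mem;
    const uint64_t va4k = 0x00007FF612345678ULL;
    const uint64_t va2m = va4k + (1ULL << 21);       // same PML4/PDPT slots, next PD slot
    mem[0x1000 + va_index(va4k, 4) * 8] = 0x2000 | PTE_PRESENT | PTE_RW;
    mem[0x2000 + va_index(va4k, 3) * 8] = 0x3000 | PTE_PRESENT | PTE_RW;
    mem[0x3000 + va_index(va4k, 2) * 8] = 0x4000 | PTE_PRESENT | PTE_RW;
    mem[0x4000 + va_index(va4k, 1) * 8] = 0xABCDE000ULL | PTE_PRESENT | PTE_RW;
    mem[0x3000 + va_index(va2m, 2) * 8] = 0x40000000ULL | PTE_PS | PTE_PRESENT | PTE_RW;
    return mem;
}
```

One caveat the primitive has to respect: a translation is valid for a single page, so a read that crosses a 4 KiB (or large-page) boundary must be split and re-translated per page, because consecutive virtual pages are not guaranteed to be physically contiguous.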
### dxgkrnl pointer swap (kernel)
```
// No code patching: a pure data hook via InterlockedExchangePointer on the dispatch
// table. Non-magic IOCTLs are forwarded transparently to the original handler.
static PDRIVER_DISPATCH old_dispatch;

// Install: atomically swap the IRP_MJ_DEVICE_CONTROL slot of the dxgkrnl device's
// DRIVER_OBJECT::MajorFunction array (the dispatch table); no instruction bytes change.
old_dispatch = (PDRIVER_DISPATCH)InterlockedExchangePointer(
    (PVOID*)&dxg_device->DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL],
    (PVOID)MidnightSoftwareDispatch);

// Dispatch: check the magic code; if the IOCTL is not ours, forward it.
NTSTATUS MidnightSoftwareDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
    ULONG IoControlCode = IoGetCurrentIrpStackLocation(Irp)->Parameters.DeviceIoControl.IoControlCode;
    if (IoControlCode != MidnightSoftware_MAGIC_ECHO && old_dispatch)
        return old_dispatch(DeviceObject, Irp);
    // ... handle our own IOCTLs and complete the IRP (elided on the page)
}
```
### Compile-time string obfuscation (C++20)
```
// Unique XOR key per literal: Xorshift32 seeded from __TIME__ + __COUNTER__.
// Volatile reads in decrypt() defeat compiler constant folding.
// (obfuscated_string, xorshift32 and hash are defined elsewhere in string_obf.hpp.)
consteval auto encrypt(const char* s, size_t n, uint32_t key) {
    obfuscated_string result{};
    for (size_t i = 0; i < n; i++) {
        key = xorshift32(key);                 // NB: a zero seed makes Xorshift32 emit only zeros
        result.data[i] = static_cast<char>(s[i] ^ (key & 0xFF));
    }
    return result;
}
#define OBF(str) ([]() { \
    constexpr auto enc = encrypt(str, sizeof(str) - 1, __COUNTER__ ^ hash(__TIME__)); \
    return enc.decrypt(); \
}())
```
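A complete, compilable version of the scheme the sketch above outlines, added as an example (it is not the project's `string_obf.hpp`): `obfuscated_string`, the Xorshift32 key stream, an FNV-1a `hash` over `__TIME__`, the volatile-read `decrypt()` and the `kSample`/`obf_demo_name` demonstration functions are all constructed here. It uses `constexpr` so it also builds under C++17; under C++20 `encrypt` can be declared `consteval` to make compile-time evaluation mandatory instead of merely forced by the `constexpr` local.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

// Xorshift32 key-stream step; the seed must be non-zero or the stream is all zeros.
constexpr uint32_t xorshift32(uint32_t x) {
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return x;
}

// FNV-1a over a NUL-terminated literal, usable at compile time (here on __TIME__).
constexpr uint32_t hash(const char* s) {
    uint32_t h = 2166136261u;
    for (; *s; ++s) h = (h ^ static_cast<uint8_t>(*s)) * 16777619u;
    return h;
}

template <std::size_t N>
struct obfuscated_string {
    char data[N];     // XOR-encrypted bytes; the plaintext is never stored
    uint32_t seed;    // per-literal seed; the key stream is regenerated on decrypt

    // Runtime decrypt. The volatile pointer stops the optimizer from folding the
    // XOR back into the plaintext literal at compile time.
    std::string decrypt() const {
        std::string out(N, '\0');
        const volatile char* p = data;
        uint32_t key = seed;
        for (std::size_t i = 0; i < N; ++i) {
            key = xorshift32(key);
            out[i] = static_cast<char>(p[i] ^ static_cast<char>(key & 0xFF));
        }
        return out;
    }
};

// Compile-time encrypt of a string literal (the terminator is dropped).
// Under C++20 this can be `consteval` to forbid any runtime call.
template <std::size_t N>
constexpr obfuscated_string<N - 1> encrypt(const char (&s)[N], uint32_t seed) {
    obfuscated_string<N - 1> r{};
    r.seed = seed;
    uint32_t key = seed;
    for (std::size_t i = 0; i < N - 1; ++i) {
        key = xorshift32(key);
        r.data[i] = static_cast<char>(s[i] ^ static_cast<char>(key & 0xFF));
    }
    return r;
}

// Each expansion gets a distinct __COUNTER__; OR-ing 1 guarantees a non-zero seed.
#define OBF(str) ([]() {                                                           \
    constexpr auto enc = encrypt(str, ((__COUNTER__ + 1u) ^ hash(__TIME__)) | 1u); \
    return enc.decrypt();                                                           \
}())

// A literal encrypted at compile time with a fixed seed (so the stored bytes are
// reproducible for inspection); the plaintext "bcrypt.dll" does not appear in it.
constexpr auto kSample = encrypt("bcrypt.dll", 0x1234567u);

bool sample_stored_bytes_differ() {
    static const char plain[] = "bcrypt.dll";
    return std::memcmp(kSample.data, plain, sizeof(plain) - 1) != 0;
}

// What the loader does for every API name: decrypt just before use.
std::string obf_demo_name() { return OBF("BCryptOpenAlgorithmProvider"); }
```

What this defeats is static string scanning: the literal is absent from `.rdata` and every use site has its own key stream. It does not protect the string at runtime: a breakpoint on `decrypt()` or a memory dump taken after the call recovers it.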
### Remote EAT-based import resolution (manual mapper)
```
// Resolve imports by walking the target process's loaded-module export tables.
// Handles forwarded exports recursively, API-set names and per-boot ASLR.
FARPROC GetRemoteProcAddress(HANDLE driver, DWORD pid, HMODULE_P remoteBase,
                             const char* dllName, const char* funcName) {
    // Walk EAT -> compare name RVA -> handle forwarder -> resolve API set -> return RVA
    IMAGE_EXPORT_DIRECTORY eat = ReadRemote(...);   // read through the driver's Read Memory IOCTL
    for (DWORD i = 0; i < eat.NumberOfNames; i++) {
        // ... name comparison, ordinal lookup, forwarder handling (elided on the page)
    }
    return nullptr;   // not found
}
```
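A self-contained export-table resolver of the kind the sketch above describes, added as an example and not the manual mapper's own code. It runs against two constructed in-memory "remote images" instead of a live process, and shows the step that most often goes wrong: a function RVA that points back inside the export directory is not code but a forwarder string such as `NTDLL.RtlAllocateHeap`, which has to be resolved recursively in the target module. `ExportDirectory` mirrors the `IMAGE_EXPORT_DIRECTORY` layout but is defined locally; `RemoteImage`, `Read`, `MakeImage`, `SampleModules` and every base address, RVA and name are assumptions made for the example, and API-set (`api-ms-win-*`) redirection is out of scope and simply reports "not found".

```cpp
#include <cctype>
#include <cstdint>
#include <cstring>
#include <map>
#include <optional>
#include <stdexcept>
#include <string>
#include <vector>

struct ExportDirectory {    // same field order and size (40 bytes) as IMAGE_EXPORT_DIRECTORY
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
};

struct RemoteImage {        // stand-in for a module mapped in the target process
    uint64_t base;                    // load address; differs per boot under ASLR
    uint32_t export_rva, export_size; // export data directory (RVA, size)
    std::vector<uint8_t> bytes;       // image contents indexed by RVA
};
using ModuleMap = std::map<std::string, RemoteImage>;   // key: lower-case module name

// These two stand in for reads through the driver's Read Memory IOCTL.
template <class T> T Read(const RemoteImage& img, uint32_t rva) {
    if (rva + sizeof(T) > img.bytes.size()) throw std::out_of_range("rva outside image");
    T v; std::memcpy(&v, &img.bytes[rva], sizeof(T)); return v;
}
std::string ReadString(const RemoteImage& img, uint32_t rva) {
    std::string s;
    while (rva < img.bytes.size() && img.bytes[rva]) s += static_cast<char>(img.bytes[rva++]);
    return s;
}
std::string Lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Resolve dll!func to an absolute address in the target, following forwarders.
std::optional<uint64_t> ResolveExport(const ModuleMap& mods, const std::string& dll,
                                      const std::string& func, int depth = 0) {
    if (depth > 8) return std::nullopt;                 // guard against forwarder cycles
    auto it = mods.find(Lower(dll));
    if (it == mods.end()) return std::nullopt;
    const RemoteImage& img = it->second;
    const auto ed = Read<ExportDirectory>(img, img.export_rva);
    for (uint32_t i = 0; i < ed.NumberOfNames; ++i) {
        if (ReadString(img, Read<uint32_t>(img, ed.AddressOfNames + i * 4)) != func) continue;
        const uint16_t ord = Read<uint16_t>(img, ed.AddressOfNameOrdinals + i * 2);
        if (ord >= ed.NumberOfFunctions) return std::nullopt;
        const uint32_t fn_rva = Read<uint32_t>(img, ed.AddressOfFunctions + ord * 4u);
        // An RVA inside the export directory is not code: it is a "MODULE.Function" forwarder.
        if (fn_rva < img.export_rva || fn_rva >= img.export_rva + img.export_size)
            return img.base + fn_rva;
        const std::string fwd = ReadString(img, fn_rva);
        const auto dot = fwd.find('.');
        if (dot == std::string::npos || dot + 1 >= fwd.size() || fwd[dot + 1] == '#')
            return std::nullopt;                        // ordinal forwarders ("MOD.#12") not handled here
        return ResolveExport(mods, fwd.substr(0, dot) + ".dll", fwd.substr(dot + 1), depth + 1);
    }
    return std::nullopt;
}

struct ExportSpec { std::string name; uint32_t rva; std::string forward; }; // forward set => forwarder

// Lay out a minimal export directory at RVA 0x1000 (constructed; not a full PE image).
RemoteImage MakeImage(uint64_t base, const std::vector<ExportSpec>& exps) {
    RemoteImage img{base, 0x1000, 0, std::vector<uint8_t>(0x2000, 0)};
    const uint32_t n = static_cast<uint32_t>(exps.size());
    uint32_t cur = img.export_rva + static_cast<uint32_t>(sizeof(ExportDirectory));
    auto put32 = [&](uint32_t rva, uint32_t v) { std::memcpy(&img.bytes[rva], &v, 4); };
    auto put_str = [&](const std::string& s) {        // appends s, returns its RVA
        const uint32_t at = cur;
        std::memcpy(&img.bytes[at], s.c_str(), s.size() + 1);
        cur += static_cast<uint32_t>(s.size() + 1);
        return at;
    };
    ExportDirectory ed{};
    ed.Base = 1; ed.NumberOfFunctions = n; ed.NumberOfNames = n;
    ed.AddressOfFunctions = cur;    cur += 4 * n;
    ed.AddressOfNames = cur;        cur += 4 * n;
    ed.AddressOfNameOrdinals = cur; cur += 2 * n;
    for (uint32_t i = 0; i < n; ++i) {
        put32(ed.AddressOfNames + i * 4, put_str(exps[i].name));
        const uint16_t ord = static_cast<uint16_t>(i);
        std::memcpy(&img.bytes[ed.AddressOfNameOrdinals + i * 2], &ord, 2);
        put32(ed.AddressOfFunctions + i * 4, exps[i].forward.empty() ? exps[i].rva : put_str(exps[i].forward));
    }
    std::memcpy(&img.bytes[img.export_rva], &ed, sizeof ed);
    img.export_size = cur - img.export_rva;             // forwarder strings fall inside this range
    return img;
}

// Constructed modules: kernel32 forwards HeapAlloc to ntdll (as real Windows does),
// and "loop.dll" forwards to itself to exercise the cycle guard.
ModuleMap SampleModules() {
    ModuleMap m;
    m["kernel32.dll"] = MakeImage(0x7FF800000000ULL, {{"CreateFileW", 0x20000, ""},
                                                      {"HeapAlloc", 0, "NTDLL.RtlAllocateHeap"}});
    m["ntdll.dll"] = MakeImage(0x7FF900000000ULL, {{"RtlAllocateHeap", 0x30000, ""}});
    m["loop.dll"]  = MakeImage(0x10000000ULL, {{"Spin", 0, "LOOP.Spin"}});
    return m;
}
```

The depth limit matters in practice: a mapper that follows forwarders without one will spin on a malformed or deliberately looping export table, and the same check also bounds the number of remote reads per import.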
### AES-256-CBC runtime decryption with IAT hiding
```
// bcrypt.dll is loaded at runtime and every export name is OBF-encrypted. The key is
// split into 3 XOR parts so no contiguous key blob sits in the binary; this defeats
// string/entropy scanners, not an analyst who recombines the parts.
auto init_bcrypt() -> bool {
    auto bcrypt_dll = OBF("bcrypt.dll");
    auto open_algo = OBF("BCryptOpenAlgorithmProvider");
    // ... resolve via LazyAPI, reconstruct the key, decrypt embedded resources (elided on the page)
}
```
## IOCTL Reference (MidnightSoftware driver)
| Code | Function | Mechanism |
|------|----------|-----------|
| `0x0DEF` | Echo | Round-trip IOCTL sanity check |
| `0x0DE0` | Read Memory | CR3 physical page-table walk |
| `0x0DE1` | Write Memory | CR3 physical page-table walk |
| `0x0DE2` | Enum Processes | `ZwQuerySystemInformation` |
| `0x0DE3` | Query VAD | `ZwQueryVirtualMemory` (kernel handle) |
| `0x0DE4` | Get CR3 | `PsLookupProcessByProcessId` → read `DirectoryTableBase` |
| `0x0DE5` | Queue APC | `KeInitializeApc` + `KeInsertQueueApc` |
| `0x0DE6` | Alloc Memory | `KeStackAttachProcess` + `ZwAllocateVirtualMemory` |
| `0x0DE7` | Free Memory | Kernel-mode `ZwFreeVirtualMemory` |
| `0x0DE8` | Enum Modules | PEB Ldr walk wrapped in `__try/__except` |
| `0x0DE9` | Protect Memory | Per-section page-protection changes |
| `0x0DEA` | Protect Process | `ObRegisterCallbacks` + PPL patching |
## Defense Layers (loader)
```
Build Time: encrypt_bins.ps1 → fresh AES-256 key, split into 3 XOR parts
Compile Time: string_obf.hpp → consteval XOR per literal, volatile reads
Link Time: VMProtect → mutation + ultra virtualization markers
Load Time: lazy_api.hpp → all Win32/D3D11/BCrypt resolved at runtime
Auth Time: Firebase REST → key validation, HWID binding, expiry check
Bypass Time: dse_bypass.hpp → standard (g_CiOptions) + safe (SeCiCallbacks)
Runtime: embedded.hpp → AES-256-CBC decryption in process memory
Post-Load: ObRegisterCallbacks + PPL + handle stripping → payload guarded
```
## Security Notice
This project exists for **educational and research purposes only**. The kernel-level
techniques demonstrated (CR3 page-table walks, dxgkrnl dispatch hooking, DSE bypass
through kernel memory patching, and ObRegisterCallbacks process protection) require a
deep understanding of the Windows kernel and should only be studied in isolated,
authorized environments.
*"Understand the kernel. Control the machine. Protect what matters."*
Tags: AI compliance, reverse DNS lookup, NSM, web report viewer, Windows kernel driver, memory read/write, anti-cheat bypass, security awareness training, obfuscation and protection, game cheat framework, driver signature bypass