Code:
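// Redirects the dxgkrnl.sys export NtQueryCompositionSurfaceStatistics to
// kernel_function_address by overwriting the first 12 bytes of its body with an
// absolute trampoline:  mov rax, imm64 ; jmp rax.
//
// Consequences a caller must be aware of:
//   - Every subsequent caller of the export (including the normal syscall path)
//     lands in kernel_function_address with the original arguments; the target
//     is assumed to accept that calling convention, which is not checked here.
//   - The bytes being overwritten are NOT saved anywhere, so the patch cannot be
//     undone from this function.
//   - This is an in-place patch of executable kernel code; whether any kernel
//     patch-protection mechanism covers this module is not established by this
//     code — confirm before deploying.
//
// Parameters:
//   kernel_function_address - address to transfer control to. Must be non-null
//                             and must not be the export itself.
// Returns true when the export was resolved and the trampoline write was issued,
// false when the target is null, the export could not be found, or patching
// would create a self-jump.
bool call_kernel_function(void* kernel_function_address) {
    if (!kernel_function_address) {
        return false;
    }

    PVOID* hookFunction = reinterpret_cast<PVOID*>(memory::get_system_module_export(
        "\\SystemRoot\\System32\\drivers\\dxgkrnl.sys",
        "NtQueryCompositionSurfaceStatistics"));
    if (!hookFunction) {
        return false;
    }

    // A trampoline that jumps to its own address would spin forever in any caller.
    if (static_cast<void*>(hookFunction) == kernel_function_address) {
        return false;
    }

    // x64 encodings: 48 B8 <imm64> = mov rax, imm64 ; FF E0 = jmp rax.
    const BYTE kMovRaxImm64[] = { 0x48, 0xB8 };
    const BYTE kJmpRax[]      = { 0xFF, 0xE0 };
    const size_t kTrampolineSize = sizeof(kMovRaxImm64) + sizeof(void*) + sizeof(kJmpRax);

    // The REX.W mov with a 64-bit immediate only makes sense on x64; the layout
    // below assumes an 8-byte pointer and a 12-byte patch.
    static_assert(sizeof(void*) == 8, "trampoline encodes a 64-bit immediate; x64 only");
    static_assert(kTrampolineSize == 12, "unexpected trampoline layout");

    BYTE trampoline[kTrampolineSize] = {};
    const uintptr_t target = reinterpret_cast<uintptr_t>(kernel_function_address);
    memcpy(trampoline, kMovRaxImm64, sizeof(kMovRaxImm64));
    memcpy(trampoline + sizeof(kMovRaxImm64), &target, sizeof(target));
    memcpy(trampoline + sizeof(kMovRaxImm64) + sizeof(target), kJmpRax, sizeof(kJmpRax));

    // NOTE(review): a 12-byte write into live code cannot be atomic; a thread
    // already executing the prologue may observe a torn instruction stream. The
    // result of write_to_read_only_memory is also not checked — confirm its
    // contract before trusting the true return below.
    memory::write_to_read_only_memory(hookFunction, trampoline, sizeof(trampoline));
    return true;
}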