pointmaster2 / ghostmapperum Goto Github PK

manual map your unsigned driver over signed memory

inspired by the initial research and PoC (https://github.com/Oliver-1-1/GhostMapper) made by @Oliver-1-1 :)

since the original PoC intended to mainly demonstrate the concept , Oliver chose to use a driver to map another unsigned driver GhostMapperUM intends to provide a more realistic / "ready to use" version of GhostMapper , implementing it entirely from usermode

generally speaking , we do that by exploiting the iqvw64e.sys vulnerable intel driver (thanks to kdmapper's utilities - https://github.com/TheCruZ/kdmapper)

set the path your your target driver in 'config.h' and compile

just run GhostMapperUM.exe

note your driver should not touch the DriverObject / RegistryPath entry args as we pass them as null when calling the DriverEntry

You should read the detailed readme description in the original GhostMapper repo , in short :

when a crush happens , crush related data needs to be saved to disk. drivers that need to save data to disk on a crush are cloned with the prefix of 'dump_'

the idea behind this is that on a crush , the system is in an unknwon state , a driver that needs to save data to disk might be the one that caused the crush... to solve that , the kernel asks the clones to step in and write the data instead

and that's why , by design , after initialization , dump drivers are kept in a suspended state and are not in use (to minimize the chance they will be corrupted in case of a crush)

this gives us the opportuinty to leverage the signed memory range held by those 'ghost' drivers and map our own driver over it !

• Read the specefied driver in 'config.h' from disk , that is the unsigned driver to map
• Find the base address of a ghost driver (we target dump_dumpfve.sys)
• apply relocations to our local target driver image & fix imports
• mark the entire ghost driver range as rwx by directly manipulating ptes through iqvw64e.sys's read/write primitive (saving the original ptes in a vector)
• read the original ghost driver image
• write our target driver over the ghost driver using a standard write primitive (no need for write to readonly...)
• to avoid rwx pages we unset the 'rw' bit from executable sections pages ptes , and set the 'nx' bit for others
• finally , we call the entry point of the mapped driver by patching ZwAddAtom to jump to it , and calling NtAddAtom to trigger the syscall
• when your driver is done (sync this somehow...) call the RestoreOriginalDriver function to restore the original ghost driver image and ptes like we never patched it (currently , it is being called after returning from DriverEntry since the example driver we map does nothing afterwards, oviously change that according to your needs )
• cleaning of traces taken from kdmapper

• whilst the mapped driver is active , the ghost driver's text section on disk differs from the one in memory
• whilst the mapped driver is active , section's memory protections differ between disk and memory
• saying that , the image path of dump drivers is not a valid path on disk , some anti cheats (and perhaps AVs) tend to skip them during integrity checks, some arent , check it for your specific use-case