Loads a signed kernel driver which allows you to map any driver to kernel mode without any traces of the signed / mapped driver.

CosMapper

Loads a signed kernel driver (signed with leaked cert) which allows you to map any driver to kernel mode without any traces of the signed / mapped driver.

Procedure

  1. The usermode program loads the signed driver (signed with leaked cert)
  2. The signed driver then does a [.data] hook on a ntoskrnl function to transfer the mapped driver buffer to kernel
  3. Usermode process sends mapped driver bytes to driver to map and returns status to usermode.
  4. MmUnloadedList PiddbCache and BigPoolAllocation are cleaned and the driver header is not mapped and no empty bytes for the header allocated.
  5. The usermode program unloads the signed driver (signed with leaked cert) and deletes the service to remove final traces.

Requirements

Your driver needs an entry like the example driver:

struct EntryInitialize
{
	std::uintptr_t mappedImageBase{};
	std::size_t mappedImageSize{};
};

NTSTATUS DriverEntry(EntryInitialize* entryParam)
{
	DebugPrint("Example Driver Mapped [%p] w/ Size [0x%x]", entryParam->mappedImageBase, entryParam->mappedImageSize);

	ExFreePool(reinterpret_cast<void*>(entryParam));

	return STATUS_SUCCESS;
}

The current example passes a structure with the image base and size of the mapped driver but it can be modified to your own liking.

DbgView Example

Note: this project was coded in 2 days so it might have some bugs (open ticket)
The project has been tested on Windows 10 20H2

Usage

cosusermode.exe driver.sys

Owner
Similar Resources

Cross-platform C++11 header-only library for memory mapped file IO

mio An easy to use header-only cross-platform C++11 memory mapping library with an MIT license. mio has been created with the goal to be easily includ

Nov 26, 2022

Code Injection via Memory Mapped Files

MMFCodeInjection This technique leverages File Mapping and APC(s) to execute shellcode into another process. By leveraging file mapping we would not h

Oct 27, 2022

Automatically load dlls into any executables without replacing any files!

Automatically loaded dll using xinput9_1_0 proxy. Please put the modified xinput9_1_0.dll in the executable's directory.

Nov 25, 2022

EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections and LSASS protections

EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.

Nov 27, 2022

If the button pressed esp will reset and App mode will on. App mode will on then led will on, network is connected led will off.

DHT22-to-Google-sheet-Reset-Using-ESP8266-LED-Switch If button pressed esp will reset and App mode will on. App mode will on then led will on, network

Aug 17, 2022

Had a tough time playing Microsoft Wordament ? Well WORDament_Solver has your back. It suggests you meaningful words you can use while playing the game and help you top the leaderboard.

Had a tough time playing Microsoft Wordament ? Well WORDament_Solver has your back. It suggests you meaningful words you can use while playing the game and help you top the leaderboard.

WORDament_Solver Had a tough time playing Microsoft Wordament ? Well WORDament_Solver has your back. It suggests you meaningful words you can use whil

Aug 19, 2021

Some hypervisor research notes. There is also a useful exploit template that you can use to verify / falsify any assumptions you may make while auditing code, and for exploit development.

Introduction Over the past few weeks, I've been doing some hypervisor research here and there, with most of my focus being on PCI device emulation cod

Nov 18, 2022

Windows kernel-mode driver emulating well-known USB game controllers.

Windows kernel-mode driver emulating well-known USB game controllers.

Dec 4, 2022
Hygieia, a vulnerable driver traces scanner written in C++ as an x64 Windows kernel driver.

Hygieia The Greek goddess of health, her name is the source for the word "hygiene". Hygieia is a windows driver that works similarly to how pagewalkr

Dec 4, 2022
Signed - a 3D modeling and construction language based on Lua and SDFs. Signed will be available for macOS and iOS and is heavily optimized for Metal.
Signed - a 3D modeling and construction language based on Lua and SDFs. Signed will be available for macOS and iOS and is heavily optimized for Metal.

Signed - A 3D modeling language Abstract Signed is a Lua based 3D modeling language, it provides a unique way to create high quality 3D content for yo

Nov 21, 2022
External warzone cheat with manual mapped driver (function hook), overlay (nvidia hijack), simple esp, no recoil

external_warzone_cheat External warzone cheat with manual mapped driver (function hook), overlay (nvidia hijack), simple esp, no recoil Offsests are N

Nov 28, 2022
Program that allows you to get the source code of a website's home page without doing it manually. Use it at your own risk.

Website-Homepage-Grabber Install one of the folders x64 or x32 if the program doesn't work(probably because you don't have visual studio installed) If

Feb 19, 2022
A fantasy map generator based on Martin O'Leary's "Generating fantasy map" notes
A fantasy map generator based on Martin O'Leary's

Fantasy Map Generator This program is an implementation of a fantasy map generator written in C++ based on the methods described in Martin O'Leary's "

Nov 29, 2022
A lightweight C++14 parsing library for tmx map files created with the Tiled map editor

tmxlite Description A lightweight C++14 parsing library for tmx map files created with the Tiled map editor. Requires no external linking, all depende

Nov 26, 2022
An Arduino library which allows you to communicate seamlessly with the full range of u-blox GNSS modules
An Arduino library which allows you to communicate seamlessly with the full range of u-blox GNSS modules

u-blox makes some incredible GNSS receivers covering everything from low-cost, highly configurable modules such as the SAM-M8Q all the way up to the surveyor grade ZED-F9P with precision of the diameter of a dime.

Nov 21, 2022
King Hamlet is a simple tool, which allows you to perform a Process Ghosting Attack

KingHamlet Process Ghosting Tool - 64 bits Only! King Hamlet is a simple tool, which allows you to perform a Process Ghosting Attack

Nov 9, 2022
A light-weight Flutter Engine Embedder based on HADK ,which for Android devices that runs without any java code

flutter-hadk A light-weight Flutter Engine Embedder based on HADK ,which for Android devices that runs without any java code 1.Build by android-ndk-to

Jun 15, 2022
Allows you to easily control via MQTT any Micronova equiped pellet stove. (MCZ, Extraflame, Laminox, and many others brands!)
Allows you to easily control via MQTT any Micronova equiped pellet stove. (MCZ, Extraflame, Laminox, and many others brands!)

micronova_controller Kits are available on Tindie! Currently out of stock. V2 will be in stock soon! Here is an overview of the additions: possibility

Nov 29, 2022