feat: initial commit of the files

.gitignore

@@ -0,0 +1,4 @@
+.vs
+.git
+kdmapper
+x64

EdomResu/EdomResu.vcxproj

@@ -0,0 +1,153 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{2a246068-e114-49a5-bdbd-1e4be88d97a8}</ProjectGuid>
+    <RootNamespace>EdomResu</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="main.cpp" />
+    <ClCompile Include="Operations.cpp" />
+    <ClCompile Include="Registry.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="Operations.hpp" />
+    <ClInclude Include="Registry.hpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

EdomResu/EdomResu.vcxproj.filters

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Fichiers sources">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Fichiers d%27en-tête">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="Fichiers de ressources">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+    <Filter Include="Driver">
+      <UniqueIdentifier>{f2a6166a-1bee-4280-b122-413668ba2688}</UniqueIdentifier>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="main.cpp">
+      <Filter>Fichiers sources</Filter>
+    </ClCompile>
+    <ClCompile Include="Operations.cpp">
+      <Filter>Driver</Filter>
+    </ClCompile>
+    <ClCompile Include="Registry.cpp">
+      <Filter>Driver</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="Operations.hpp">
+      <Filter>Driver</Filter>
+    </ClInclude>
+    <ClInclude Include="Registry.hpp">
+      <Filter>Driver</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>

EdomResu/EdomResu.vcxproj.user

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup />
+</Project>

EdomResu/Operations.cpp

@@ -0,0 +1,68 @@
+#include "Operations.hpp"
+#include "Registry.hpp"
+
+QWORD GetProcess(const std::wstring &process_name) {
+	bool status = true;
+
+	status = SetRegistryValue(L"Process", process_name);
+	if (!status) return 0;
+
+	BYTE operation = OPERATION_GET_PROCESS;
+	status = SetRegistryValue(L"Operation", REG_BINARY, &operation, sizeof(BYTE));
+	if (!status) return 0;
+
+	BYTE go = 0x01;
+	status = SetRegistryValue(L"Go", REG_BINARY, &go, sizeof(BYTE));
+	if (!status) return 0;
+
+	do {
+		status = GetRegistryValue(L"Go", REG_BINARY, &go, sizeof(BYTE));
+		if (!status) return 0;
+	} while (go == 0x01);
+
+	QWORD res = 0;
+	GetRegistryValue(L"Out", REG_QWORD, &res, sizeof(QWORD));
+
+	return res;
+}
+
+QWORD GetProcessModule(const std::wstring &process_name, const std::wstring &module_name) {
+	bool status = true;
+
+	status = SetRegistryValue(L"Process", process_name);
+	if (!status) return 0;
+
+	status = SetRegistryValue(L"Module", module_name);
+	if (!status) return 0;
+
+	BYTE operation = OPERATION_GET_PROCESS_MODULE;
+	status = SetRegistryValue(L"Operation", REG_BINARY, &operation, sizeof(BYTE));
+	if (!status) return 0;
+
+	BYTE go = 0x01;
+	status = SetRegistryValue(L"Go", REG_BINARY, &go, sizeof(BYTE));
+	if (!status) return 0;
+
+	do {
+		status = GetRegistryValue(L"Go", REG_BINARY, &go, sizeof(BYTE));
+		if (!status) return 0;
+	} while (go == 0x01);
+
+	QWORD res = 0;
+	GetRegistryValue(L"Out", REG_QWORD, &res, sizeof(QWORD));
+
+	return res;
+}
+
+void DriverUnload(void) {
+	bool status = true;
+
+	BYTE unload = 0x01;
+	status = SetRegistryValue(L"Unload", REG_BINARY, &unload, sizeof(BYTE));
+	if (!status) return;
+
+	do {
+		status = GetRegistryValue(L"Unload", REG_BINARY, &unload, sizeof(BYTE));
+		if (!status) return;
+	} while (unload == 0x01);
+}

EdomResu/Operations.hpp

@@ -0,0 +1,76 @@
+#pragma once
+#include <Windows.h>
+#include <iostream>
+
+#include "Registry.hpp"
+
+typedef unsigned __int64 QWORD;
+
+enum Operation {
+    OPERATION_WPM,
+    OPERATION_RPM,
+    OPERATION_GET_PROCESS,
+    OPERATION_GET_PROCESS_MODULE
+};
+
+template<typename TYPE>
+TYPE RPM(QWORD address) {
+    TYPE buffer = { 0 };
+    bool status = true;
+
+    BYTE operation = OPERATION_RPM;
+    status = SetRegistryValue(L"Operation", REG_BINARY, &operation, sizeof(BYTE));
+    if (!status) return 0;
+
+    SIZE_T size = sizeof(TYPE);
+    status = SetRegistryValue(L"Size", REG_DWORD, &size, sizeof(DWORD));
+    if (!status) return 0;
+
+    status = SetRegistryValue(L"Address", REG_QWORD, &address, sizeof(QWORD));
+    if (!status) return 0;
+
+    BYTE go = 0x01;
+    status = SetRegistryValue(L"Go", REG_BINARY, &go, sizeof(BYTE));
+    if (!status) return 0;
+
+    do {
+        status = GetRegistryValue(L"Go", REG_BINARY, &go, sizeof(BYTE));
+        if (!status) return 0;
+    } while (go == 0x01);
+
+    GetRegistryValue(L"Out", REG_QWORD, &buffer, sizeof(QWORD));
+
+    return buffer;
+}
+
+template<typename TYPE>
+void WPM(QWORD address, TYPE data) {
+    bool status = true;
+
+    BYTE operation = OPERATION_WPM;
+    status = SetRegistryValue(L"Operation", REG_BINARY, &operation, sizeof(BYTE));
+    if (!status) return;
+
+    SIZE_T size = sizeof(TYPE);
+    status = SetRegistryValue(L"Size", REG_DWORD, &size, sizeof(DWORD));
+    if (!status) return;
+
+    status = SetRegistryValue(L"Address", REG_QWORD, &address, sizeof(QWORD));
+    if (!status) return;
+
+    status = SetRegistryValue(L"Data", REG_BINARY, &data, sizeof(TYPE));
+    if (!status) return;
+
+    BYTE go = 0x01;
+    status = SetRegistryValue(L"Go", REG_BINARY, &go, sizeof(BYTE));
+    if (!status) return;
+
+    do {
+        status = GetRegistryValue(L"Go", REG_BINARY, &go, sizeof(BYTE));
+        if (!status) return;
+    } while (go == 0x01);
+}
+
+QWORD GetProcess(const std::wstring& process_name);
+QWORD GetProcessModule(const std::wstring& process_name, const std::wstring& module_name);
+void DriverUnload(void);

EdomResu/Registry.cpp

@@ -0,0 +1,88 @@
+#include "Registry.hpp"
+#include <Windows.h>
+#include <iostream>
+
+const HKEY HKEY_ROOT = HKEY_LOCAL_MACHINE;
+const LPCWSTR SUBKEY = L"SOFTWARE\\Revird";
+
+bool SetRegistryValue(LPCWSTR valueName, const std::wstring& data) {
+    HKEY hKey;
+    LONG result = RegCreateKeyEx(HKEY_ROOT, SUBKEY, 0, NULL, 0, KEY_WRITE, NULL, &hKey, NULL);
+    if (result != ERROR_SUCCESS) {
+        std::wcerr << L"Failed to open or create registry key. Error: " << result << std::endl;
+        return false;
+    }
+
+    result = RegSetValueEx(hKey, valueName, 0, REG_SZ, reinterpret_cast<const BYTE*>(data.c_str()),
+        (DWORD)((data.size() + 1) * sizeof(wchar_t)));
+    if (result != ERROR_SUCCESS) {
+        std::wcerr << L"Failed to set registry value. Error: " << result << std::endl;
+        RegCloseKey(hKey);
+        return false;
+    }
+
+    RegCloseKey(hKey);
+    return true;
+}
+
+bool GetRegistryValue(LPCWSTR valueName, std::wstring& data) {
+    HKEY hKey;
+    LONG result = RegOpenKeyEx(HKEY_ROOT, SUBKEY, 0, KEY_READ, &hKey);
+    if (result != ERROR_SUCCESS) {
+        std::wcerr << L"Failed to open registry key. Error: " << result << std::endl;
+        return false;
+    }
+
+    DWORD type = REG_SZ;
+    wchar_t buffer[256];
+    DWORD bufferSize = sizeof(buffer);
+
+    result = RegQueryValueEx(hKey, valueName, 0, &type, reinterpret_cast<LPBYTE>(buffer), &bufferSize);
+    if (result != ERROR_SUCCESS) {
+        std::wcerr << L"Failed to read registry value. Error: " << result << std::endl;
+        RegCloseKey(hKey);
+        return false;
+    }
+
+    data.assign(buffer);
+    RegCloseKey(hKey);
+    return true;
+}
+
+bool SetRegistryValue(LPCWSTR valueName, DWORD type, const void* data, DWORD dataSize) {
+    HKEY hKey;
+    LONG result = RegCreateKeyEx(HKEY_ROOT, SUBKEY, 0, NULL, 0, KEY_WRITE, NULL, &hKey, NULL);
+    if (result != ERROR_SUCCESS) {
+        std::wcerr << L"Failed to open or create registry key. Error: " << result << std::endl;
+        return false;
+    }
+
+    result = RegSetValueEx(hKey, valueName, 0, type, static_cast<const BYTE*>(data), dataSize);
+    if (result != ERROR_SUCCESS) {
+        std::wcerr << L"Failed to set registry value. Error: " << result << std::endl;
+        RegCloseKey(hKey);
+        return false;
+    }
+
+    RegCloseKey(hKey);
+    return true;
+}
+
+bool GetRegistryValue(LPCWSTR valueName, DWORD type, void* data, DWORD dataSize) {
+    HKEY hKey;
+    LONG result = RegOpenKeyEx(HKEY_ROOT, SUBKEY, 0, KEY_READ, &hKey);
+    if (result != ERROR_SUCCESS) {
+        std::wcerr << L"Failed to open registry key. Error: " << result << std::endl;
+        return false;
+    }
+
+    result = RegQueryValueEx(hKey, valueName, 0, &type, static_cast<LPBYTE>(data), &dataSize);
+    if (result != ERROR_SUCCESS) {
+        std::wcerr << L"Failed to read registry value. Error: " << result << std::endl;
+        RegCloseKey(hKey);
+        return false;
+    }
+
+    RegCloseKey(hKey);
+    return true;
+}

EdomResu/Registry.hpp

@@ -0,0 +1,9 @@
+#pragma once
+#include <iostream>
+#include <Windows.h>
+
+bool SetRegistryValue(LPCWSTR valueName, DWORD type, const void* data, DWORD dataSize);
+bool SetRegistryValue(LPCWSTR valueName, const std::wstring& data);
+
+bool GetRegistryValue(LPCWSTR valueName, DWORD type, void* data, DWORD dataSize);
+bool GetRegistryValue(LPCWSTR valueName, std::wstring& data);

EdomResu/main.cpp

@@ -0,0 +1,16 @@
+#include <stdio.h>
+#include "Operations.hpp"
+
+int main(void) {
+	QWORD proc_addr = GetProcess(L"explorer.exe");
+	QWORD mod_addr = GetProcessModule(L"explorer.exe", L"kernel32.dll");
+	BYTE mz = RPM<BYTE>(proc_addr);
+
+	printf("Address of explorer.exe : 0x%p\n", (void*)proc_addr);
+	printf("Address of kernel32.dll in explorer.exe : 0x%p\n", (void*)mod_addr);
+	printf("Header of explorer.exe : 0x%X\n", mz);
+	printf("Unloading driver...");
+	DriverUnload();
+	printf("ok.\n");
+	return 0;
+}

Revird.sln

@@ -0,0 +1,57 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.1.32407.343
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Revird", "Revird\Revird.vcxproj", "{5C7B498C-CA04-413E-84E7-429F3986B41D}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EdomResu", "EdomResu\EdomResu.vcxproj", "{2A246068-E114-49A5-BDBD-1E4BE88D97A8}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|ARM64 = Debug|ARM64
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|ARM64 = Release|ARM64
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Debug|ARM64.ActiveCfg = Debug|ARM64
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Debug|ARM64.Build.0 = Debug|ARM64
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Debug|ARM64.Deploy.0 = Debug|ARM64
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Debug|x64.ActiveCfg = Debug|x64
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Debug|x64.Build.0 = Debug|x64
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Debug|x64.Deploy.0 = Debug|x64
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Debug|x86.ActiveCfg = Debug|x64
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Debug|x86.Build.0 = Debug|x64
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Debug|x86.Deploy.0 = Debug|x64
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Release|ARM64.ActiveCfg = Release|ARM64
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Release|ARM64.Build.0 = Release|ARM64
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Release|ARM64.Deploy.0 = Release|ARM64
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Release|x64.ActiveCfg = Release|x64
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Release|x64.Build.0 = Release|x64
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Release|x64.Deploy.0 = Release|x64
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Release|x86.ActiveCfg = Release|x64
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Release|x86.Build.0 = Release|x64
+		{5C7B498C-CA04-413E-84E7-429F3986B41D}.Release|x86.Deploy.0 = Release|x64
+		{2A246068-E114-49A5-BDBD-1E4BE88D97A8}.Debug|ARM64.ActiveCfg = Debug|x64
+		{2A246068-E114-49A5-BDBD-1E4BE88D97A8}.Debug|ARM64.Build.0 = Debug|x64
+		{2A246068-E114-49A5-BDBD-1E4BE88D97A8}.Debug|x64.ActiveCfg = Debug|x64
+		{2A246068-E114-49A5-BDBD-1E4BE88D97A8}.Debug|x64.Build.0 = Debug|x64
+		{2A246068-E114-49A5-BDBD-1E4BE88D97A8}.Debug|x86.ActiveCfg = Debug|Win32
+		{2A246068-E114-49A5-BDBD-1E4BE88D97A8}.Debug|x86.Build.0 = Debug|Win32
+		{2A246068-E114-49A5-BDBD-1E4BE88D97A8}.Release|ARM64.ActiveCfg = Release|x64
+		{2A246068-E114-49A5-BDBD-1E4BE88D97A8}.Release|ARM64.Build.0 = Release|x64
+		{2A246068-E114-49A5-BDBD-1E4BE88D97A8}.Release|x64.ActiveCfg = Release|x64
+		{2A246068-E114-49A5-BDBD-1E4BE88D97A8}.Release|x64.Build.0 = Release|x64
+		{2A246068-E114-49A5-BDBD-1E4BE88D97A8}.Release|x86.ActiveCfg = Release|Win32
+		{2A246068-E114-49A5-BDBD-1E4BE88D97A8}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {12C4A5A0-6C7D-494B-8ECE-45BFCE7B2AB8}
+	EndGlobalSection
+EndGlobal

Revird/Dispatcher.cpp

@@ -0,0 +1,65 @@
+#include "Dispatcher.hpp"
+#include "Registry.hpp"
+#include "Operation.hpp"
+#include "Memory.hpp"
+#include "Process.hpp"
+#include "Output.hpp"
+#include <ntifs.h>
+
+void DispatchOperation(void) {
+	UCHAR op = 0;
+	QWORD address = 0;
+	ULONG size = 0;
+	WCHAR process[MODULE_NAME_SIZE] = { 0 };
+	WCHAR module[MODULE_NAME_SIZE] = { 0 };
+
+	NTSTATUS status = GetValue("Operation", &op);
+	if (!NT_SUCCESS(status)) {
+		DbgPrint_("[DispatchOperation] Failed to GetValue.\n");
+		return;
+	}
+
+	status = GetValue("Address", &address);
+	if (!NT_SUCCESS(status)) {
+		DbgPrint_("[DispatchOperation] Failed to GetValue.\n");
+		return;
+	}
+
+	status = GetValue("Size", &size);
+	if (!NT_SUCCESS(status)) {
+		DbgPrint_("[DispatchOperation] Failed to GetValue.\n");
+		return;
+	}
+
+	status = GetValue("Process", process, MODULE_NAME_SIZE);
+	if (!NT_SUCCESS(status)) {
+		DbgPrint_("[DispatchOperation] Failed to GetValue.\n");
+		return;
+	}
+
+	status = GetValue("Module", module, MODULE_NAME_SIZE);
+	if (!NT_SUCCESS(status)) {
+		DbgPrint_("[DispatchOperation] Failed to GetValue.\n");
+		return;
+	}
+
+	switch (op) {
+	case OPERATION_WPM:
+		WPM(address, size);
+		break;
+	case OPERATION_RPM:
+		RPM(address, size);
+		break;
+	case OPERATION_GET_PROCESS:
+		GetProcess(process);
+		break;
+	case OPERATION_GET_PROCESS_MODULE:
+		GetProcessModule(process, module);
+		break;
+	default:
+		DbgPrint_("[DispatchOperation] Operation \"%d\" is not a valid operation.\n", op);
+		return;
+	}
+
+	return;
+}

Revird/Dispatcher.hpp

@@ -0,0 +1,3 @@
+#pragma once
+
+void DispatchOperation(void);

Revird/Entry.cpp

@@ -0,0 +1,63 @@
+#include <ntifs.h>
+#include <wdm.h>
+
+#include "Registry.hpp"
+#include "Dispatcher.hpp"
+#include "Output.hpp"
+
+VOID Mainloop(IN PVOID Context)
+{
+	UNREFERENCED_PARAMETER(Context);
+	UCHAR unload = false;
+	UCHAR go = false;
+	NTSTATUS status;
+
+	DbgPrint_("[MAINLOOP] Hello from MainLoop.\n");
+    DbgPrint_("[MAINLOOP] Init registry...\n");
+    InitRegistry();
+    DbgPrint_("[MAINLOOP] ok.\n");
+
+	do {
+		status = GetValue("Unload", &unload);
+		if (!NT_SUCCESS(status)) {
+			DbgPrint_("[MAINLOOP] Failed to GetValue.\n");
+			break;
+		}
+
+		status = GetValue("Go", &go);
+		if (!NT_SUCCESS(status)) {
+			DbgPrint_("[MAINLOOP] Failed to GetValue.\n");
+			break;
+		}
+		if (go) {
+			DbgPrint_("[MAINLOOP] \"Go\" order.");
+			DispatchOperation();
+			SetValue("Go", (UCHAR)false);
+		}
+	} while (!unload);
+
+	DbgPrint_("[MAINLOOP] Received unload order.\n");
+	SetValue("Unload", (UCHAR)false);
+
+    PsTerminateSystemThread(STATUS_SUCCESS);
+}
+
+NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT     DriverObject, _In_ PUNICODE_STRING    RegistryPath)
+{
+	UNREFERENCED_PARAMETER(RegistryPath);
+	UNREFERENCED_PARAMETER(DriverObject);
+
+	HANDLE hMainLoop = nullptr;
+
+	DbgPrint_("[ENTRY] Driver loaded !\n");
+	NTSTATUS status = PsCreateSystemThread(&hMainLoop, THREAD_ALL_ACCESS, NULL, NULL, NULL, (PKSTART_ROUTINE)Mainloop, NULL);
+	if (!NT_SUCCESS(status)) {
+		DbgPrint_("[ENTRY] MainLoop thread creation failed.\n");
+		return STATUS_FAIL_CHECK;
+	}
+	DbgPrint_("[ENTRY] MainLoop thread created.\n");
+
+	ZwClose(hMainLoop);
+
+    return STATUS_SUCCESS;
+}

Revird/Memory.cpp

@@ -0,0 +1,121 @@
+#include "Memory.hpp"
+#include "Registry.hpp"
+#include "Output.hpp"
+
+PEPROCESS last_process = nullptr;
+
+static NTSTATUS KeReadVirtualMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
+{
+	SIZE_T Bytes = 0;
+
+	__try {
+		ProbeForRead(SourceAddress, Size, (ULONG)Size);
+	} __except (EXCEPTION_EXECUTE_HANDLER) {
+		DbgPrint_("[KeReadVirtualMemory] Can't read at address 0x%p.\n", SourceAddress);
+		return STATUS_ACCESS_VIOLATION;
+	}
+
+	if (NT_SUCCESS(MmCopyVirtualMemory(Process, SourceAddress, PsGetCurrentProcess(),
+		TargetAddress, Size, KernelMode, &Bytes)))
+		return STATUS_SUCCESS;
+	else
+		return STATUS_ACCESS_DENIED;
+}
+
+NTSTATUS KeWriteVirtualMemory(PEPROCESS Process, PVOID Source, PVOID Target, SIZE_T Size) {
+	SIZE_T Bytes = 0;
+
+	__try {
+		ProbeForRead(Target, Size, (ULONG)Size);
+	} __except (EXCEPTION_EXECUTE_HANDLER) {
+		DbgPrint_("[KeReadVirtualMemory] Can't read at address 0x%p.\n", Target);
+		return STATUS_ACCESS_VIOLATION;
+	}
+
+	if (NT_SUCCESS(MmCopyVirtualMemory(PsGetCurrentProcess(), Source, Process, Target, Size, KernelMode, &Bytes)))
+		return STATUS_SUCCESS;
+	else
+		return STATUS_ACCESS_DENIED;
+}
+
+void RPM(QWORD address, ULONG size) {
+	PVOID buffer = nullptr;
+
+	DbgPrint_("[RPM] Reading %ld bytes at address 0x%p.\n", size, (void *)address);
+
+	if (size <= 0) {
+		DbgPrint_("[RPM] Size is not valid.\n");
+		return;
+	}
+
+	if (last_process == nullptr) {
+		DbgPrint_("[RPM] last_process was nulll.\n");
+		return;
+	}
+
+	buffer = ExAllocatePool2(POOL_FLAG_NON_PAGED, size, 'rpm');
+	if (buffer == NULL)
+	{
+		DbgPrint_("[RPM] Failed to allocate buffer.\n");
+		return;
+	}
+
+	NTSTATUS status = KeReadVirtualMemory(last_process, (void *)address, buffer, size);
+	if (!NT_SUCCESS(status))
+	{
+		DbgPrint_("[RPM] Could not read memory at 0x%p.\n", (void*)address);
+		ExFreePool2(buffer, 'rpm', 0, 0);
+	}
+
+	DbgPrint_("[RPM] Success.\n");
+
+	status = SetValue("Out", buffer, size);
+	if (!NT_SUCCESS(status))
+	{
+		DbgPrint_("[RPM] Failed to find SetValue\n");
+		ExFreePool2(buffer, 'rpm', 0, 0);
+		return;
+	}
+
+	ExFreePool2(buffer, 'rpm', 0, 0);
+}
+
+void WPM(QWORD address, ULONG size) {
+	PVOID buffer = nullptr;
+
+	if (last_process == nullptr) {
+		DbgPrint_("[WPM] last_process was nulll.\n");
+		return;
+	}
+
+	DbgPrint_("[WPM] Writing %ld bytes at address 0x%p.\n", size, (void *)address);
+	if (size <= 0) {
+		DbgPrint_("[WPM] Size or address is not valid.\n");
+		return;
+	}
+
+	buffer = ExAllocatePool2(POOL_FLAG_NON_PAGED, size, 'wpm');
+	if (buffer == NULL)
+	{
+		DbgPrint_("[WPM] Failed to allocate buffer.\n");
+		return;
+	}
+
+	NTSTATUS status = GetValue("Data", buffer, size);
+	if (!NT_SUCCESS(status)) {
+		DbgPrint_("[WPM] Failed to GetValue.\n");
+		ExFreePool2(buffer, 'wpm', 0, 0);
+		return;
+	}
+
+	status = KeWriteVirtualMemory(last_process, buffer, (void*)address, size);
+	if (!NT_SUCCESS(status))
+	{
+		DbgPrint_("[WPM] Could not write memory at 0x%p.\n", (void*)address);
+		ExFreePool2(buffer, 'wpm', 0, 0);
+	}
+
+	DbgPrint_("[WPM] Success.\n");
+
+	ExFreePool2(buffer, 'wpm', 0, 0);
+}

Revird/Memory.hpp

@@ -0,0 +1,12 @@
+#pragma once
+#include <ntifs.h>
+
+typedef unsigned __int64 QWORD;
+extern PEPROCESS last_process;
+
+void RPM(QWORD address, ULONG size);
+void WPM(QWORD address, ULONG size);
+
+extern "C" NTKERNELAPI NTSTATUS NTAPI MmCopyVirtualMemory(PEPROCESS sourceProcess, PVOID sourceAddress,
+    PEPROCESS targetProcess, PVOID targetAddress, SIZE_T bufferSize,
+    KPROCESSOR_MODE previousMode, PSIZE_T returnSize);

Revird/Operation.hpp

@@ -0,0 +1,8 @@
+#pragma once
+
+enum Operation {
+	OPERATION_WPM,
+	OPERATION_RPM,
+	OPERATION_GET_PROCESS,
+	OPERATION_GET_PROCESS_MODULE
+};

Revird/Output.hpp

@@ -0,0 +1,7 @@
+#pragma once
+
+#ifdef _DEBUG
+	#define DbgPrint_(msg, ...) DbgPrint(msg, __VA_ARGS__)
+#else
+	#define DbgPrint_(msg, ...) (void)0
+#endif

Revird/Process.cpp

@@ -0,0 +1,172 @@
+#include "Process.hpp"
+#include "Memory.hpp"
+#include "Registry.hpp"
+#include "Output.hpp"
+
+extern "C" NTKERNELAPI PPEB NTAPI PsGetProcessPeb(IN PEPROCESS Process);
+extern "C" NTKERNELAPI PVOID PsGetProcessSectionBaseAddress(__in PEPROCESS Process);
+
+NTSTATUS GetProcessBaseAddress(PEPROCESS Process, PVOID* BaseAddress) {
+	PVOID BaseAddress_ = PsGetProcessSectionBaseAddress(Process);
+	if (BaseAddress_ != 0) {
+		*BaseAddress = BaseAddress_;
+		return STATUS_SUCCESS;
+	}
+	return STATUS_NOT_FOUND;
+}
+
+// if you crash in this function, update the offsets of the EPROCESS structure
+// get it from here: https://www.vergiliusproject.com/kernels/x64/windows-11/23h2/_EPROCESS
+NTSTATUS PsLookupProcessByProcessName(CHAR* ProcessName, PEPROCESS* Process) {
+	if (ProcessName == nullptr || Process == nullptr)
+		return STATUS_FWP_NULL_POINTER;
+
+	PEPROCESS SystemProcess = PsInitialSystemProcess;
+	PEPROCESS CurrentEntry = SystemProcess;
+	CHAR ImageName[15] = { 0 };
+	do {
+		RtlCopyMemory((PVOID)(&ImageName), (PVOID)((ULONG64)CurrentEntry + 0x5a8) /*EPROCESS->ImageFileName*/, sizeof(ImageName));
+		if (strstr(ImageName, ProcessName)) {
+			ULONG ActiveThreads;
+			RtlCopyMemory((PVOID)&ActiveThreads, (PVOID)((ULONG64)CurrentEntry + 0x5f0) /*EPROCESS->ActiveThreads*/, sizeof(ActiveThreads));
+			if (ActiveThreads) {
+				*Process = CurrentEntry;
+				return STATUS_SUCCESS;
+			}
+		}
+		PLIST_ENTRY list = (PLIST_ENTRY)((ULONG64)(CurrentEntry)+0x448); /*EPROCESS->ActiveProcessLinks*/;
+		CurrentEntry = (PEPROCESS)((ULONG64)list->Flink - 0x448);
+	} while (CurrentEntry != SystemProcess);
+	return STATUS_NOT_FOUND;
+}
+
+NTSTATUS PsGetModuleBaseAddress(PEPROCESS TargetProcess, LPCWSTR ModuleName, PULONG64 Result) {
+	KeAttachProcess(TargetProcess);
+
+	PPEB PEB = PsGetProcessPeb(TargetProcess);
+	if (!PEB) {
+		KeDetachProcess();
+		ObfDereferenceObject(TargetProcess);
+		return STATUS_NOT_FOUND;
+	}
+
+	if (!PEB->Ldr || !PEB->Ldr->Initialized) {
+		KeDetachProcess();
+		ObfDereferenceObject(TargetProcess);
+		return STATUS_NOT_FOUND;
+	}
+
+	UNICODE_STRING ModuleNameU;
+	RtlInitUnicodeString(&ModuleNameU, ModuleName);
+	for (PLIST_ENTRY PList = PEB->Ldr->InLoadOrderModuleList.Flink; PList != &PEB->Ldr->InLoadOrderModuleList; PList = PList->Flink) {
+		PLDR_DATA_TABLE_ENTRY PLDREntry = CONTAINING_RECORD(PList, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
+		if (RtlCompareUnicodeString(&PLDREntry->BaseDllName, &ModuleNameU, TRUE) == 0) {
+			*Result = (ULONG64)PLDREntry->DllBase;
+			KeDetachProcess();
+			ObfDereferenceObject(TargetProcess);
+			return STATUS_SUCCESS;
+		}
+	}
+	return STATUS_NOT_FOUND;
+}
+
+void GetProcess(PWCHAR process) {
+    PEPROCESS eProcess;
+    NTSTATUS status;
+	CHAR ansiProcessName[MODULE_NAME_SIZE];
+	size_t convertedChars = 0;
+
+	DbgPrint_("[GetProcess] Called, process: %ws\n", process);
+
+	status = RtlUnicodeToMultiByteN(
+		ansiProcessName,
+		sizeof(ansiProcessName),
+		(PULONG)&convertedChars,
+		process,
+		MODULE_NAME_SIZE);
+	if (!NT_SUCCESS(status))
+	{
+		DbgPrint_("[GetProcess] Failed to convert process name to ANSI, status: 0x%X\n", status);
+		return;
+	}
+
+    status = PsLookupProcessByProcessName(ansiProcessName, &eProcess);
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[GetProcess] Failed to find process: %ws, status: 0x%X\n", process, status);
+        return;
+    }
+
+	void *addr = 0;
+	status = GetProcessBaseAddress(eProcess, &addr);
+	if (!NT_SUCCESS(status)) {
+		DbgPrint_("[GetProcess] Failed to find process base address.\n");
+		ObDereferenceObject(eProcess);
+		return;
+	}
+
+    DbgPrint_("[GetProcess] Process: %ws, Base Address: 0x%p\n", process, (PVOID)addr);
+	last_process = eProcess;
+
+	status = SetValue("Out", (QWORD)addr);
+	if (!NT_SUCCESS(status))
+	{
+		DbgPrint_("[GetProcess] Failed to find SetValue\n");
+		ObDereferenceObject(eProcess);
+		return;
+	}
+
+    ObDereferenceObject(eProcess);
+}
+
+void GetProcessModule(PWCHAR process, PWCHAR module) {
+	PEPROCESS eProcess;
+	NTSTATUS status;
+	ULONG64 addr = 0;
+	size_t convertedChars = 0;
+	CHAR ansiProcessName[MODULE_NAME_SIZE];
+
+	DbgPrint_("[GetProcessModule] Called, process: %ws module: %ws\n", process, module);
+
+	status = RtlUnicodeToMultiByteN(
+		ansiProcessName,
+		sizeof(ansiProcessName),
+		(PULONG)&convertedChars,
+		process,
+		MODULE_NAME_SIZE);
+	if (!NT_SUCCESS(status))
+	{
+		DbgPrint_("[GetProcessModule] Failed to convert process name to ANSI, status: 0x%X\n", status);
+		return;
+	}
+
+	status = PsLookupProcessByProcessName(ansiProcessName, &eProcess);
+	if (!NT_SUCCESS(status))
+	{
+		DbgPrint_("[GetProcessModule] Failed to find process: %ws, status: 0x%X\n", process, status);
+		return;
+	}
+
+	DbgPrint_("[GetProcessModule] Process: %ws, Base Address: 0x%p\n", process, (PVOID)eProcess);
+	last_process = eProcess;
+
+	status = PsGetModuleBaseAddress(eProcess, module, &addr);
+	if (!NT_SUCCESS(status))
+	{
+		DbgPrint_("[GetProcessModule] Failed to find module %ws in process %ws, status: 0x%X\n", module, process, status);
+		ObDereferenceObject(eProcess);
+		return;
+	}
+
+	DbgPrint_("[GetProcessModule] Module : %ws, Base Address: 0x%p\n", module, (PVOID)addr);
+
+	status = SetValue("Out", (QWORD)addr);
+	if (!NT_SUCCESS(status))
+	{
+		DbgPrint_("[GetProcessModule] Failed to find SetValue\n");
+		ObDereferenceObject(eProcess);
+		return;
+	}
+
+	ObDereferenceObject(eProcess);
+}

Revird/Process.hpp

@@ -0,0 +1,158 @@
+#pragma once
+#include <ntifs.h>
+
+#define MODULE_NAME_SIZE 256
+
+typedef unsigned short WORD;
+
+typedef struct _RTL_CRITICAL_SECTION {
+	VOID* DebugInfo;
+	LONG LockCount;
+	LONG RecursionCount;
+	PVOID OwningThread;
+	PVOID LockSemaphore;
+	ULONG SpinCount;
+} RTL_CRITICAL_SECTION, * PRTL_CRITICAL_SECTION;
+typedef struct _RTL_PROCESS_MODULE_INFORMATION {
+	HANDLE Section;
+	PVOID MappedBase;
+	PVOID ImageBase;
+	ULONG ImageSize;
+	ULONG Flags;
+	USHORT LoadOrderIndex;
+	USHORT InitOrderIndex;
+	USHORT LoadCount;
+	USHORT OffsetToFileName;
+	UCHAR  FullPathName[0x100];
+} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
+typedef struct _RTL_PROCESS_MODULES {
+	ULONG NumberOfModules;
+	RTL_PROCESS_MODULE_INFORMATION Modules[0x1];
+} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
+
+typedef struct _PEB_LDR_DATA {
+	ULONG Length;
+	UCHAR Initialized;
+	PVOID SsHandle;
+	LIST_ENTRY InLoadOrderModuleList;
+	LIST_ENTRY InMemoryOrderModuleList;
+	LIST_ENTRY InInitializationOrderModuleList;
+	PVOID EntryInProgress;
+} PEB_LDR_DATA, * PPEB_LDR_DATA;
+typedef struct _PEB {
+	UCHAR InheritedAddressSpace;
+	UCHAR ReadImageFileExecOptions;
+	UCHAR BeingDebugged;
+	UCHAR BitField;
+	ULONG ImageUsesLargePages : 1;
+	ULONG IsProtectedProcess : 1;
+	ULONG IsLegacyProcess : 1;
+	ULONG IsImageDynamicallyRelocated : 1;
+	ULONG SpareBits : 4;
+	PVOID Mutant;
+	PVOID ImageBaseAddress;
+	PPEB_LDR_DATA Ldr;
+	VOID* ProcessParameters;
+	PVOID SubSystemData;
+	PVOID ProcessHeap;
+	PRTL_CRITICAL_SECTION FastPebLock;
+	PVOID AtlThunkSListPtr;
+	PVOID IFEOKey;
+	ULONG CrossProcessFlags;
+	ULONG ProcessInJob : 1;
+	ULONG ProcessInitializing : 1;
+	ULONG ReservedBits0 : 30;
+	union {
+		PVOID KernelCallbackTable;
+		PVOID UserSharedInfoPtr;
+	};
+	ULONG SystemReserved[1];
+	ULONG SpareUlong;
+	VOID* FreeList;
+	ULONG TlsExpansionCounter;
+	PVOID TlsBitmap;
+	ULONG TlsBitmapBits[2];
+	PVOID ReadOnlySharedMemoryBase;
+	PVOID HotpatchInformation;
+	VOID** ReadOnlyStaticServerData;
+	PVOID AnsiCodePageData;
+	PVOID OemCodePageData;
+	PVOID UnicodeCaseTableData;
+	ULONG NumberOfProcessors;
+	ULONG NtGlobalFlag;
+	LARGE_INTEGER CriticalSectionTimeout;
+	ULONG HeapSegmentReserve;
+	ULONG HeapSegmentCommit;
+	ULONG HeapDeCommitTotalFreeThreshold;
+	ULONG HeapDeCommitFreeBlockThreshold;
+	ULONG NumberOfHeaps;
+	ULONG MaximumNumberOfHeaps;
+	VOID** ProcessHeaps;
+	PVOID GdiSharedHandleTable;
+	PVOID ProcessStarterHelper;
+	ULONG GdiDCAttributeList;
+	PRTL_CRITICAL_SECTION LoaderLock;
+	ULONG OSMajorVersion;
+	ULONG OSMinorVersion;
+	WORD OSBuildNumber;
+	WORD OSCSDVersion;
+	ULONG OSPlatformId;
+	ULONG ImageSubsystem;
+	ULONG ImageSubsystemMajorVersion;
+	ULONG ImageSubsystemMinorVersion;
+	ULONG ImageProcessAffinityMask;
+	ULONG GdiHandleBuffer[34];
+	PVOID PostProcessInitRoutine;
+	PVOID TlsExpansionBitmap;
+	ULONG TlsExpansionBitmapBits[32];
+	ULONG SessionId;
+	ULARGE_INTEGER AppCompatFlags;
+	ULARGE_INTEGER AppCompatFlagsUser;
+	PVOID pShimData;
+	PVOID AppCompatInfo;
+	UNICODE_STRING CSDVersion;
+	VOID* ActivationContextData;
+	VOID* ProcessAssemblyStorageMap;
+	VOID* SystemDefaultActivationContextData;
+	VOID* SystemAssemblyStorageMap;
+	ULONG MinimumStackCommit;
+	VOID* FlsCallback;
+	LIST_ENTRY FlsListHead;
+	PVOID FlsBitmap;
+	ULONG FlsBitmapBits[4];
+	ULONG FlsHighIndex;
+	PVOID WerRegistrationData;
+	PVOID WerShipAssertPtr;
+} PEB, * PPEB;
+typedef struct _LDR_DATA_TABLE_ENTRY {
+	LIST_ENTRY InLoadOrderLinks;
+	LIST_ENTRY InMemoryOrderLinks;
+	LIST_ENTRY InInitializationOrderLinks;
+	PVOID DllBase;
+	PVOID EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STRING FullDllName;
+	UNICODE_STRING BaseDllName;
+	ULONG Flags;
+	WORD LoadCount;
+	WORD TlsIndex;
+	union {
+		LIST_ENTRY HashLinks;
+		struct SectionInfo {
+			PVOID SectionPointer;
+			ULONG CheckSum;
+		};
+	};
+	union {
+		ULONG TimeDateStamp;
+		PVOID LoadedImports;
+	};
+	VOID* EntryPointActivationContext;
+	PVOID PatchInformation;
+	LIST_ENTRY ForwarderLinks;
+	LIST_ENTRY ServiceTagLinks;
+	LIST_ENTRY StaticLinks;
+} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
+
+void GetProcess(PWCHAR process);
+void GetProcessModule(PWCHAR process, PWCHAR module);

Revird/Registry.cpp

@@ -0,0 +1,425 @@
+#include "Registry.hpp"
+#include "Output.hpp"
+
+typedef unsigned __int64 QWORD;
+
+NTSTATUS InitRegistry()
+{
+    UNICODE_STRING keyPath;
+    OBJECT_ATTRIBUTES objectAttributes;
+    HANDLE keyHandle;
+    NTSTATUS status;
+    UNICODE_STRING valueName;
+    ULONG valueData;
+
+    RtlInitUnicodeString(&keyPath, L"\\Registry\\Machine\\SOFTWARE\\Revird");
+    InitializeObjectAttributes(&objectAttributes, &keyPath, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
+    status = ZwCreateKey(&keyHandle, KEY_ALL_ACCESS, &objectAttributes, 0, NULL, REG_OPTION_NON_VOLATILE, NULL);
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[INIT_REG] Failed to create or open registry key: 0x%X\n", status);
+        return status;
+    }
+
+    RtlInitUnicodeString(&valueName, L"Address");
+    valueData = 0x000000000000000000000;
+    status = ZwSetValueKey(keyHandle, &valueName, 0, REG_QWORD, &valueData, sizeof(QWORD));
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[INIT_REG] Failed to set 'address' value: 0x%X\n", status);
+        ZwClose(keyHandle);
+        return status;
+    }
+
+	RtlInitUnicodeString(&valueName, L"Data");
+    valueData = 0x0;
+    status = ZwSetValueKey(keyHandle, &valueName, 0, REG_BINARY, &valueData, sizeof(UCHAR));
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[INIT_REG] Failed to set 'Data' value: 0x%X\n", status);
+        ZwClose(keyHandle);
+        return status;
+    }
+
+
+    RtlInitUnicodeString(&valueName, L"Size");
+    valueData = 4;
+    status = ZwSetValueKey(keyHandle, &valueName, 0, REG_DWORD, &valueData, sizeof(valueData));
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[INIT_REG] Failed to set 'size' value: 0x%X\n", status);
+        ZwClose(keyHandle);
+        return status;
+    }
+
+    RtlInitUnicodeString(&valueName, L"Go");
+    valueData = 0;
+    status = ZwSetValueKey(keyHandle, &valueName, 0, REG_BINARY, &valueData, sizeof(UCHAR));
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[INIT_REG] Failed to set 'go' value: 0x%X\n", status);
+        ZwClose(keyHandle);
+        return status;
+    }
+
+    RtlInitUnicodeString(&valueName, L"Operation"); //0 for RPM, 1 for WPM
+    valueData = 0;
+    status = ZwSetValueKey(keyHandle, &valueName, 0, REG_BINARY, &valueData, sizeof(UCHAR));
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[INIT_REG] Failed to set 'Operation' value: 0x%X\n", status);
+        ZwClose(keyHandle);
+        return status;
+    }
+
+    RtlInitUnicodeString(&valueName, L"Out");
+    valueData = 0x00;
+    status = ZwSetValueKey(keyHandle, &valueName, 0, REG_BINARY, &valueData, sizeof(UCHAR));
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[INIT_REG] Failed to set 'out' value: 0x%X\n", status);
+        ZwClose(keyHandle);
+        return status;
+    }
+
+    RtlInitUnicodeString(&valueName, L"Unload");
+    valueData = 0;
+    status = ZwSetValueKey(keyHandle, &valueName, 0, REG_BINARY, &valueData, sizeof(UCHAR));
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[INIT_REG] Failed to set 'unload' value: 0x%X\n", status);
+        ZwClose(keyHandle);
+        return status;
+    }
+
+    RtlInitUnicodeString(&valueName, L"Process");
+    valueData = 0;
+    status = ZwSetValueKey(keyHandle, &valueName, 0, REG_SZ, &valueData, sizeof(UCHAR));
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[INIT_REG] Failed to set 'Process' value: 0x%X\n", status);
+        ZwClose(keyHandle);
+        return status;
+    }
+
+    RtlInitUnicodeString(&valueName, L"Module");
+    valueData = 0;
+    status = ZwSetValueKey(keyHandle, &valueName, 0, REG_SZ, &valueData, sizeof(UCHAR));
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[INIT_REG] Failed to set 'Module' value: 0x%X\n", status);
+        ZwClose(keyHandle);
+        return status;
+    }
+
+    ZwClose(keyHandle);
+
+    return STATUS_SUCCESS;
+}
+
+NTSTATUS QueryRegistryValue(const char* valueNameStr, PKEY_VALUE_PARTIAL_INFORMATION* kvpi, ULONG* resultLength)
+{
+    UNICODE_STRING keyPath;
+    UNICODE_STRING valueName;
+    OBJECT_ATTRIBUTES objectAttributes;
+    HANDLE keyHandle;
+    NTSTATUS status;
+    static UCHAR buffer[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + 256] = { 0 };
+
+    valueName = CharToUnicode(valueNameStr);
+    RtlInitUnicodeString(&keyPath, L"\\Registry\\Machine\\SOFTWARE\\Revird");
+    InitializeObjectAttributes(&objectAttributes, &keyPath, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
+
+    status = ZwOpenKey(&keyHandle, KEY_READ, &objectAttributes);
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[QUERY_REG] Failed to open registry key: 0x%X\n", status);
+        RtlFreeUnicodeString(&valueName);
+        return status;
+    }
+
+    status = ZwQueryValueKey(keyHandle, &valueName, KeyValuePartialInformation, buffer, sizeof(buffer), resultLength);
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[QUERY_REG] Failed to query registry value: 0x%X\n", status);
+        ZwClose(keyHandle);
+        RtlFreeUnicodeString(&valueName);
+        return status;
+    }
+
+    *kvpi = (PKEY_VALUE_PARTIAL_INFORMATION)buffer;
+
+    ZwClose(keyHandle);
+    RtlFreeUnicodeString(&valueName);
+
+    return STATUS_SUCCESS;
+}
+
+NTSTATUS GetValue(const char* valueNameStr, PVOID buffer, ULONG bufferSize)
+{
+    PKEY_VALUE_PARTIAL_INFORMATION kvpi;
+    ULONG resultLength;
+    NTSTATUS status = QueryRegistryValue(valueNameStr, &kvpi, &resultLength);
+
+    if (!NT_SUCCESS(status))
+    {
+        return status;
+    }
+
+    if (kvpi->Type == REG_BINARY)
+    {
+        if (kvpi->DataLength <= bufferSize)
+        {
+            RtlCopyMemory(buffer, kvpi->Data, kvpi->DataLength);
+        }
+        else
+        {
+            status = STATUS_BUFFER_TOO_SMALL;
+            DbgPrint_("[GET_BINARY_VALUE] Buffer too small: 0x%X\n", status);
+        }
+    }
+    else
+    {
+        status = STATUS_OBJECT_TYPE_MISMATCH;
+        DbgPrint_("[GET_BINARY_VALUE] Registry value type mismatch: 0x%X\n", status);
+    }
+
+    return status;
+}
+
+NTSTATUS GetValue(const char* valueNameStr, PWCHAR value, ULONG valueBufferSize)
+{
+    PKEY_VALUE_PARTIAL_INFORMATION kvpi;
+    ULONG resultLength;
+    NTSTATUS status = QueryRegistryValue(valueNameStr, &kvpi, &resultLength);
+
+    if (!NT_SUCCESS(status))
+    {
+        return status;
+    }
+
+    if (kvpi->Type == REG_SZ)
+    {
+        if (kvpi->DataLength <= valueBufferSize)
+        {
+            RtlCopyMemory(value, kvpi->Data, kvpi->DataLength);
+            value[kvpi->DataLength / sizeof(WCHAR)] = L'\0';
+        }
+        else
+        {
+            status = STATUS_BUFFER_TOO_SMALL;
+            DbgPrint_("[GET_STRING_VALUE][SZ] Buffer too small: 0x%X\n", status);
+        }
+    }
+    else
+    {
+        status = STATUS_OBJECT_TYPE_MISMATCH;
+        DbgPrint_("[GET_STRING_VALUE][SZ] Registry value type mismatch: 0x%X\n", status);
+    }
+
+    return status;
+}
+
+NTSTATUS GetValue(const char* valueNameStr, ULONG* value)
+{
+    PKEY_VALUE_PARTIAL_INFORMATION kvpi;
+    ULONG resultLength;
+    NTSTATUS status = QueryRegistryValue(valueNameStr, &kvpi, &resultLength);
+
+    if (!NT_SUCCESS(status))
+    {
+        return status;
+    }
+
+    if (kvpi->Type == REG_DWORD)
+    {
+        *value = *(ULONG*)(kvpi->Data);
+    }
+    else
+    {
+        status = STATUS_OBJECT_TYPE_MISMATCH;
+        DbgPrint_("[GET_VALUE][DWORD] Registry value type mismatch: 0x%X\n", status);
+    }
+
+    return status;
+}
+
+NTSTATUS GetValue(const char* valueNameStr, ULONGLONG* value)
+{
+    PKEY_VALUE_PARTIAL_INFORMATION kvpi;
+    ULONG resultLength;
+    NTSTATUS status = QueryRegistryValue(valueNameStr, &kvpi, &resultLength);
+
+    if (!NT_SUCCESS(status))
+    {
+        return status;
+    }
+
+    if (kvpi->Type == REG_QWORD)
+    {
+        *value = *(ULONGLONG*)(kvpi->Data);
+    }
+    else
+    {
+        status = STATUS_OBJECT_TYPE_MISMATCH;
+        DbgPrint_("[GET_VALUE][QWORD] Registry value type mismatch: 0x%X\n", status);
+    }
+
+    return status;
+}
+
+NTSTATUS GetValue(const char* valueNameStr, PUCHAR value)
+{
+    PKEY_VALUE_PARTIAL_INFORMATION kvpi;
+    ULONG resultLength;
+    NTSTATUS status = QueryRegistryValue(valueNameStr, &kvpi, &resultLength);
+
+    if (!NT_SUCCESS(status))
+    {
+        return status;
+    }
+
+    if (kvpi->Type == REG_BINARY)
+    {
+        RtlCopyMemory(value, kvpi->Data, kvpi->DataLength);
+    }
+    else
+    {
+        status = STATUS_OBJECT_TYPE_MISMATCH;
+        DbgPrint_("[GET_VALUE][BINARY] Registry value type mismatch or buffer too small: 0x%X\n", status);
+    }
+
+    return status;
+}
+
+NTSTATUS SetValue(const char* valueNameStr, PVOID buffer, ULONG bufferSize)
+{
+    UNICODE_STRING keyPath;
+    UNICODE_STRING valueName;
+    OBJECT_ATTRIBUTES objectAttributes;
+    HANDLE keyHandle;
+    NTSTATUS status;
+
+    // Convert the ANSI string to a UNICODE string
+    valueName = CharToUnicode(valueNameStr);
+    RtlInitUnicodeString(&keyPath, L"\\Registry\\Machine\\SOFTWARE\\Revird");
+    InitializeObjectAttributes(&objectAttributes, &keyPath, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
+
+    // Open the registry key for writing
+    status = ZwOpenKey(&keyHandle, KEY_WRITE, &objectAttributes);
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[SetValue][BINARY] Failed to open registry key for writing: 0x%X\n", status);
+        RtlFreeUnicodeString(&valueName);
+        return status;
+    }
+
+    // Write the buffer as a REG_BINARY value
+    status = ZwSetValueKey(keyHandle, &valueName, 0, REG_BINARY, buffer, bufferSize);
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[SetValue][BINARY] Failed to set binary value: 0x%X\n", status);
+    }
+
+    // Clean up resources
+    ZwClose(keyHandle);
+    RtlFreeUnicodeString(&valueName);
+
+    return status;
+}
+
+NTSTATUS SetValue(const char* valueNameStr, ULONG value)
+{
+    UNICODE_STRING keyPath;
+    UNICODE_STRING valueName;
+    OBJECT_ATTRIBUTES objectAttributes;
+    HANDLE keyHandle;
+    NTSTATUS status;
+
+    valueName = CharToUnicode(valueNameStr);
+    RtlInitUnicodeString(&keyPath, L"\\Registry\\Machine\\SOFTWARE\\Revird");
+    InitializeObjectAttributes(&objectAttributes, &keyPath, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
+
+    status = ZwOpenKey(&keyHandle, KEY_WRITE, &objectAttributes);
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[SET_VALUE][DWORD] Failed to open registry key for writing: 0x%X\n", status);
+        RtlFreeUnicodeString(&valueName);
+        return status;
+    }
+
+    status = ZwSetValueKey(keyHandle, &valueName, 0, REG_DWORD, &value, sizeof(value));
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[SET_VALUE][DWORD] Failed to set DWORD value: 0x%X\n", status);
+    }
+
+    ZwClose(keyHandle);
+    RtlFreeUnicodeString(&valueName);
+
+    return status;
+}
+
+NTSTATUS SetValue(const char* valueNameStr, ULONGLONG value)
+{
+    UNICODE_STRING keyPath;
+    UNICODE_STRING valueName;
+    OBJECT_ATTRIBUTES objectAttributes;
+    HANDLE keyHandle;
+    NTSTATUS status;
+
+    valueName = CharToUnicode(valueNameStr);
+    RtlInitUnicodeString(&keyPath, L"\\Registry\\Machine\\SOFTWARE\\Revird");
+    InitializeObjectAttributes(&objectAttributes, &keyPath, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
+
+    status = ZwOpenKey(&keyHandle, KEY_WRITE, &objectAttributes);
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[SET_VALUE][QWORD] Failed to open registry key for writing: 0x%X\n", status);
+        RtlFreeUnicodeString(&valueName);
+        return status;
+    }
+
+    status = ZwSetValueKey(keyHandle, &valueName, 0, REG_QWORD, &value, sizeof(value));
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[SET_VALUE][QWORD] Failed to set QWORD value: 0x%X\n", status);
+    }
+
+    ZwClose(keyHandle);
+    RtlFreeUnicodeString(&valueName);
+
+    return status;
+}
+
+NTSTATUS SetValue(const char* valueNameStr, UCHAR value)
+{
+    UNICODE_STRING keyPath;
+    UNICODE_STRING valueName;
+    OBJECT_ATTRIBUTES objectAttributes;
+    HANDLE keyHandle;
+    NTSTATUS status;
+
+    valueName = CharToUnicode(valueNameStr);
+    RtlInitUnicodeString(&keyPath, L"\\Registry\\Machine\\SOFTWARE\\Revird");
+    InitializeObjectAttributes(&objectAttributes, &keyPath, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
+
+    status = ZwOpenKey(&keyHandle, KEY_WRITE, &objectAttributes);
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[SET_VALUE][BINARY] Failed to open registry key for writing: 0x%X\n", status);
+        RtlFreeUnicodeString(&valueName);
+        return status;
+    }
+
+    status = ZwSetValueKey(keyHandle, &valueName, 0, REG_BINARY, &value, sizeof(UCHAR));
+    if (!NT_SUCCESS(status))
+    {
+        DbgPrint_("[SET_VALUE][BINARY] Failed to set binary value: 0x%X\n", status);
+    }
+
+    ZwClose(keyHandle);
+    RtlFreeUnicodeString(&valueName);
+
+    return status;
+}

Revird/Registry.hpp

@@ -0,0 +1,16 @@
+#pragma once
+#include "Utils.hpp"
+
+NTSTATUS InitRegistry();
+NTSTATUS QueryRegistryValue(const char* valueNameStr, PKEY_VALUE_PARTIAL_INFORMATION* kvpi, ULONG* resultLength);
+
+NTSTATUS GetValue(const char* valueNameStr, PVOID buffer, ULONG bufferSize);
+NTSTATUS GetValue(const char* valueNameStr, PWCHAR value, ULONG valueBufferSize);
+NTSTATUS GetValue(const char* valueNameStr, ULONG* value);
+NTSTATUS GetValue(const char* valueNameStr, ULONGLONG* value);
+NTSTATUS GetValue(const char* valueNameStr, PUCHAR value);
+
+NTSTATUS SetValue(const char* valueNameStr, PVOID buffer, ULONG bufferSize);
+NTSTATUS SetValue(const char* valueNameStr, ULONG value);
+NTSTATUS SetValue(const char* valueNameStr, ULONGLONG value);
+NTSTATUS SetValue(const char* valueNameStr, UCHAR value);

Revird/Revird.vcxproj

@@ -0,0 +1,118 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|ARM64">
+      <Configuration>Debug</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|ARM64">
+      <Configuration>Release</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{5C7B498C-CA04-413E-84E7-429F3986B41D}</ProjectGuid>
+    <TemplateGuid>{dd38f7fc-d7bd-488b-9242-7d8754cde80d}</TemplateGuid>
+    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+    <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
+    <Configuration>Debug</Configuration>
+    <Platform Condition="'$(Platform)' == ''">x64</Platform>
+    <RootNamespace>Revird</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>WDM</DriverType>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>WDM</DriverType>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>WDM</DriverType>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>WDM</DriverType>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <DriverSign>
+      <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+    </DriverSign>
+    <Link>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <DriverSign>
+      <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+    </DriverSign>
+    <Link>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <FilesToPackage Include="$(TargetPath)" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="Dispatcher.cpp" />
+    <ClCompile Include="Entry.cpp" />
+    <ClCompile Include="Memory.cpp" />
+    <ClCompile Include="Process.cpp" />
+    <ClCompile Include="Registry.cpp" />
+    <ClCompile Include="Utils.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="Dispatcher.hpp" />
+    <ClInclude Include="Memory.hpp" />
+    <ClInclude Include="Operation.hpp" />
+    <ClInclude Include="Output.hpp" />
+    <ClInclude Include="Process.hpp" />
+    <ClInclude Include="Registry.hpp" />
+    <ClInclude Include="Utils.hpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

Revird/Revird.vcxproj.filters

@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+    <Filter Include="Driver Files">
+      <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
+      <Extensions>inf;inv;inx;mof;mc;</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="Entry.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="Registry.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="Utils.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="Memory.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="Process.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatcher.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="Registry.hpp">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="Utils.hpp">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="Memory.hpp">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="Operation.hpp">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="Process.hpp">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatcher.hpp">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="Output.hpp">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>

Revird/Revird.vcxproj.user

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <SignMode>Off</SignMode>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <SignMode>Off</SignMode>
+  </PropertyGroup>
+</Project>

Revird/Utils.cpp

@@ -0,0 +1,10 @@
+#include "Utils.hpp"
+
+UNICODE_STRING CharToUnicode(const char* str)
+{
+    ANSI_STRING ansiString;
+    UNICODE_STRING unicodeString;
+    RtlInitAnsiString(&ansiString, str);
+    RtlAnsiStringToUnicodeString(&unicodeString, &ansiString, TRUE);
+    return unicodeString;
+}

Revird/Utils.hpp

@@ -0,0 +1,4 @@
+#pragma once
+#include <ntifs.h>
+
+UNICODE_STRING CharToUnicode(const char* str);