Wanted: Windows 7 device driver (ring 0) C source code that can be used to cloak memory in a userland process. Goal: Patching a userland process .IMAGE (code redirection/hooking) that has internal CRC self-checks -> Bypassing them. Driver must work on Windows 7 64-bit (-> driver signing bypass + PatchGuard disabled -> no problem).
1. Userland application creates & starts memory cloaking service (driver)
2. Userland application launches target (CreateProcess)
3. Userland application calls driver -> CloakVirtualMemoryOnRead( hTargetProcess, dwVMemStart, dwVMemEnd, pFakeMem )
Memory is now cloaked, that means:
1. Reading the protected virtual memory will trigger a (forced) PAGE_FAULT
2. The PAGE handler decides whether the PAGE request was OnRead or OnExecute
2a. OnRead: Redirect the request to pFakeMem (cloak)
2b. OnExecute: Return the "real" memory (e.g. patched)
The userland application should be unable to detect the .CODE patches, either by reading them directly (internal = direct access) or by using ReadProcessMemory, for instance.
Pay on delivery. No cash in advance/scam possible.