https://github.com/btbd/hwid/blob/master/Kernel/main.c
// SpoofNIC - hook the NDIS/nsiproxy control paths and overwrite the MAC addresses
// that NDIS keeps in memory for every filtered network interface.
//
// Steps, in order:
//   1. swap the \Driver\nsiproxy device-control dispatch to NsiControl;
//   2. locate NDIS's global filter list by byte-pattern scanning ndis.sys;
//   3. for every filter that has an interface block: hook the adapter driver's
//      IRP_MJ_DEVICE_CONTROL (once per driver object) and rewrite both
//      ifPhysAddress and PermanentPhysAddress in place with SpoofBuffer().
//
// Everything here touches kernel memory only - no registry or other persistent
// state is written - so nothing this routine does outlives the current boot on
// its own. All failures are reported via printf; there is no return value.
//
// NOTE(review): every pointer recovered from a pattern match is dereferenced
// without any validation. A mismatched ndis.sys layout turns a wrong match into
// a bugcheck rather than a clean failure path.
VOID SpoofNIC() {
    // Replace nsiproxy's IRP_MJ_DEVICE_CONTROL handler; the original is kept in
    // NsiControlOriginal. SwapControl is a project helper not visible here.
    SwapControl(RTL_CONSTANT_STRING(L"\\Driver\\nsiproxy"), NsiControl, NsiControlOriginal);
    PVOID base = GetBaseAddress("ndis.sys", 0);
    if (!base) {
        printf("! failed to get \"ndis.sys\" !\n");
        return;
    }
    // Byte pattern 40 8A F0 48 8B 05: `mov sil, al` followed by a 7-byte
    // `mov rax, [rip+disp32]` whose operand is expected to be ndisGlobalFilterList.
    // The match is the address of the first instruction, not the list yet; it is
    // decoded into the real list head further below.
    PNDIS_FILTER_BLOCK ndisGlobalFilterList = FindPatternImage(base, "\x40\x8A\xF0\x48\x8B\x05", "xxxxxx");
    if (ndisGlobalFilterList) {
        // Second pattern: `test r64, r64 ; jz rel32 ; mov r32, [reg+disp32] ; xor ...`.
        // The displacement of that `mov` (bytes +12..+15 of the match, upper two
        // bytes required to be zero) is taken as the offset of the IfBlock pointer
        // inside NDIS_FILTER_BLOCK. Presumably tied to a specific ndis.sys build -
        // verify on every target OS version.
        PDWORD ndisFilter_IfBlock = FindPatternImage(base, "\x48\x85\x00\x0F\x84\x00\x00\x00\x00\x00\x8B\x00\x00\x00\x00\x00\x33", "xx?xx?????x???xxx");
        if (ndisFilter_IfBlock) {
            DWORD ndisFilter_IfBlock_offset = *(PDWORD)((PBYTE)ndisFilter_IfBlock + 12);
            // Skip the 3-byte `mov sil, al` to land on the `mov rax, [rip+disp32]`.
            ndisGlobalFilterList = (PNDIS_FILTER_BLOCK)((PBYTE)ndisGlobalFilterList + 3);
            // RIP-relative decode: disp32 sits at +3 of the 7-byte instruction and is
            // relative to the next instruction (+7). The result is the address of the
            // global variable, which is then dereferenced to get the list head.
            ndisGlobalFilterList = *(PNDIS_FILTER_BLOCK *)((PBYTE)ndisGlobalFilterList + 7 + *(PINT)((PBYTE)ndisGlobalFilterList + 3));
            DWORD count = 0;
            // Walk the singly linked filter list. If the list head read above is NULL
            // (e.g. the pattern decoded a variable that is not populated yet) the loop
            // body never runs and "handled 0 MACs" is printed.
            for (PNDIS_FILTER_BLOCK filter = ndisGlobalFilterList; filter; filter = filter->NextFilter) {
                // Interface block pointer at the offset discovered from the second pattern.
                PNDIS_IF_BLOCK block = *(PNDIS_IF_BLOCK *)((PBYTE)filter + ndisFilter_IfBlock_offset);
                if (block) {
                    // NOTE(review): FilterInstanceName is dereferenced without a NULL check;
                    // SafeCopy only guards the Buffer read, not the pointer to the string.
                    PWCHAR copy = SafeCopy(filter->FilterInstanceName->Buffer, MAX_PATH);
                    if (copy) {
                        WCHAR adapter[MAX_PATH] = { 0 };
                        // Build "\Device\{GUID}". swprintf has no size argument; this only
                        // fits because TrimGUID is presumably bounded by its MAX_PATH/2
                        // argument - confirm that contract in TrimGUID.
                        swprintf(adapter, L"\\Device\\%ws", TrimGUID(copy, MAX_PATH / 2));
                        ExFreePool(copy);
                        printf("found NIC %ws\n", adapter);
                        UNICODE_STRING name = { 0 };
                        RtlInitUnicodeString(&name, adapter);
                        PFILE_OBJECT file = 0;
                        PDEVICE_OBJECT device = 0;
                        // Resolve the adapter's device object to reach its driver object.
                        // Takes a reference on `file`; `device` is not referenced separately.
                        NTSTATUS status = IoGetDeviceObjectPointer(&name, FILE_READ_DATA, &file, &device);
                        if (NT_SUCCESS(status)) {
                            PDRIVER_OBJECT driver = device->DriverObject;
                            if (driver) {
                                // Several adapters can share one driver object; hook each
                                // driver object only once.
                                BOOL exists = FALSE;
                                for (DWORD i = 0; i < NICs.Length; ++i) {
                                    if (NICs.Drivers[i].DriverObject == driver) {
                                        exists = TRUE;
                                        break;
                                    }
                                }
                                if (exists) {
                                    printf("%wZ already swapped\n", &driver->DriverName);
                                } else {
                                    // NOTE(review): no capacity check on NICs.Drivers before
                                    // indexing with NICs.Length. More distinct NIC drivers than
                                    // the array holds is an out-of-bounds write in kernel mode -
                                    // bound this against the array's declared size.
                                    PNIC_DRIVER nic = &NICs.Drivers[NICs.Length];
                                    nic->DriverObject = driver;
                                    // Hook the adapter driver's IRP_MJ_DEVICE_CONTROL with
                                    // NICControl; AppendSwap (project helper) stores the original
                                    // dispatch pointer in nic->Original.
                                    AppendSwap(driver->DriverName, &driver->MajorFunction[IRP_MJ_DEVICE_CONTROL], NICControl, nic->Original);
                                    ++NICs.Length;
                                }
                            }
                            // Indirectly dereferences device object
                            ObDereferenceObject(file);
                        } else {
                            // NOTE(review): status is an NTSTATUS (32-bit) printed with %p.
                            printf("! failed to get %wZ: %p !\n", &name, status);
                        }
                    }
                    // Overwrite the current and permanent physical addresses in NDIS's
                    // in-memory IF block. These writes happen even when the filter name
                    // could not be copied or the device lookup failed above.
                    // NOTE(review): if SpoofBuffer emits arbitrary bytes, the I/G (multicast)
                    // and U/L bits of the first octet are not controlled - confirm SpoofBuffer
                    // produces a valid unicast address.
                    // Current MAC
                    PIF_PHYSICAL_ADDRESS_LH addr = &block->ifPhysAddress;
                    SpoofBuffer(SEED, addr->Address, addr->Length);
                    // Permanent (burned-in) MAC as reported by NDIS.
                    addr = &block->PermanentPhysAddress;
                    SpoofBuffer(SEED, addr->Address, addr->Length);
                    ++count;
                }
            }
            // NOTE(review): count is a DWORD printed with %d (signed).
            printf("handled %d MACs\n", count);
        } else {
            printf("! failed to find ndisFilter_IfBlock !\n");
        }
    } else {
        printf("! failed to find ndisGlobalFilterList !\n");
    }
}
I'm using this piece of code to spoof the MAC address. It works fine right after I first install it: my MAC address is changed.
But after I restart my computer, the MAC address returns to what it was before I installed this driver, so I have to manually uninstall and reinstall the driver every single time after a restart.
So I checked what is happening: after a restart, the driver skips this loop entirely:
for (PNDIS_FILTER_BLOCK filter = ndisGlobalFilterList; filter; filter = filter->NextFilter)
It seems that ndisGlobalFilterList is NULL at that point — but why? Is this by design, or is it simply not achievable to make this work across restarts?