├── .gitattributes
├── .gitignore
├── EnumWindows_TEST
├── EnumWindows_TEST.vcxproj
├── EnumWindows_TEST.vcxproj.filters
└── main.cpp
├── README.md
├── dkom_overlay.sln
├── dkom_overlay
├── dkom_overlay.inf
├── dkom_overlay.vcxproj
├── dkom_overlay.vcxproj.filters
├── entry.cpp
├── includes.h
├── skcrypt.h
├── structs.h
└── util.h
└── usermode
├── main.cpp
├── usermode.vcxproj
└── usermode.vcxproj.filters
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is needed for earlier builds of msysgit that do not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Ww][Ii][Nn]32/
27 | [Aa][Rr][Mm]/
28 | [Aa][Rr][Mm]64/
29 | bld/
30 | [Bb]in/
31 | [Oo]bj/
32 | [Oo]ut/
33 | [Ll]og/
34 | [Ll]ogs/
35 |
36 | # Visual Studio 2015/2017 cache/options directory
37 | .vs/
38 | # Uncomment if you have tasks that create the project's static files in wwwroot
39 | #wwwroot/
40 |
41 | # Visual Studio 2017 auto generated files
42 | Generated\ Files/
43 |
44 | # MSTest test Results
45 | [Tt]est[Rr]esult*/
46 | [Bb]uild[Ll]og.*
47 |
48 | # NUnit
49 | *.VisualState.xml
50 | TestResult.xml
51 | nunit-*.xml
52 |
53 | # Build Results of an ATL Project
54 | [Dd]ebugPS/
55 | [Rr]eleasePS/
56 | dlldata.c
57 |
58 | # Benchmark Results
59 | BenchmarkDotNet.Artifacts/
60 |
61 | # .NET Core
62 | project.lock.json
63 | project.fragment.lock.json
64 | artifacts/
65 |
66 | # ASP.NET Scaffolding
67 | ScaffoldingReadMe.txt
68 |
69 | # StyleCop
70 | StyleCopReport.xml
71 |
72 | # Files built by Visual Studio
73 | *_i.c
74 | *_p.c
75 | *_h.h
76 | *.ilk
77 | *.meta
78 | *.obj
79 | *.iobj
80 | *.pch
81 | *.pdb
82 | *.ipdb
83 | *.pgc
84 | *.pgd
85 | *.rsp
86 | *.sbr
87 | *.tlb
88 | *.tli
89 | *.tlh
90 | *.tmp
91 | *.tmp_proj
92 | *_wpftmp.csproj
93 | *.log
94 | *.vspscc
95 | *.vssscc
96 | .builds
97 | *.pidb
98 | *.svclog
99 | *.scc
100 |
101 | # Chutzpah Test files
102 | _Chutzpah*
103 |
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 |
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 |
121 | # Visual Studio Trace Files
122 | *.e2e
123 |
124 | # TFS 2012 Local Workspace
125 | $tf/
126 |
127 | # Guidance Automation Toolkit
128 | *.gpState
129 |
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 |
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 |
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 |
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 |
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 |
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 |
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 |
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 |
163 | # Web workbench (sass)
164 | .sass-cache/
165 |
166 | # Installshield output folder
167 | [Ee]xpress/
168 |
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 |
179 | # Click-Once directory
180 | publish/
181 |
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 |
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 |
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produces more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 |
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 |
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 |
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 |
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 |
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 |
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 |
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 |
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 |
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 |
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 |
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 |
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 |
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 |
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 |
288 | # Visual Studio 6 build log
289 | *.plg
290 |
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 |
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 |
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 |
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 |
309 | # FAKE - F# Make
310 | .fake/
311 |
312 | # CodeRush personal settings
313 | .cr/personal
314 |
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 |
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 |
323 | # Tabs Studio
324 | *.tss
325 |
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 |
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 |
335 | # OpenCover UI analysis results
336 | OpenCover/
337 |
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 |
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 |
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 |
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 |
350 | # Local History for Visual Studio
351 | .localhistory/
352 |
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 |
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 |
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 |
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd
--------------------------------------------------------------------------------
/EnumWindows_TEST/EnumWindows_TEST.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {100ec34c-1c55-4261-90df-c84114571066}
25 | EnumWindowsTEST
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | true
77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
78 | true
79 |
80 |
81 | Console
82 | true
83 |
84 |
85 |
86 |
87 | Level3
88 | true
89 | true
90 | true
91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | true
93 |
94 |
95 | Console
96 | true
97 | true
98 | true
99 |
100 |
101 |
102 |
103 | Level3
104 | true
105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 |
108 |
109 | Console
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | true
118 | true
119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
120 | true
121 |
122 |
123 | Console
124 | true
125 | true
126 | true
127 |
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
--------------------------------------------------------------------------------
/EnumWindows_TEST/EnumWindows_TEST.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/EnumWindows_TEST/main.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
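// EnumWindows callback: prints the title of every visible top-level window.
//
// hWnd   - handle of the window currently being enumerated.
// lParam - application-defined value passed through EnumWindows (unused here).
// Returns TRUE so that enumeration continues with the next window.
//
// The parameter type is LPARAM (LONG_PTR), matching WNDENUMPROC; the previous
// `long` is only 32 bits on 64-bit Windows and was masked by the cast in main().
BOOL CALLBACK EnumWindowsProc(HWND hWnd, LPARAM lParam) {
    (void)lParam;

    if (!IsWindowVisible(hWnd)) {
        return TRUE;
    }

    // Zero-initialised so the buffer is a valid empty string even when
    // GetWindowTextA copies nothing; pass the real capacity rather than a
    // smaller hard-coded count.
    char buff[255] = {};
    GetWindowTextA(hWnd, buff, static_cast<int>(sizeof(buff)));
    printf("%s\n", buff);

    return TRUE;
}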
13 |
// Entry point of the test tool: enumerates the top-level windows (the callback
// prints the visible ones) and then waits for a keypress so the console output
// can be read before the process exits.
int main() {
    const WNDENUMPROC proc = reinterpret_cast<WNDENUMPROC>(EnumWindowsProc);
    EnumWindows(proc, 0);
    // Block on stdin until one character arrives.
    std::cin.get();
    return 0;
}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | A cursed PoC of hiding the overlay handle from the TAGWND linked list.
2 |
--------------------------------------------------------------------------------
/dkom_overlay.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.3.32922.545
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dkom_overlay", "dkom_overlay\dkom_overlay.vcxproj", "{2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "usermode", "usermode\usermode.vcxproj", "{FCF73A40-41D6-41D7-B018-FC15E6FFED9E}"
9 | EndProject
10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumWindows_TEST", "EnumWindows_TEST\EnumWindows_TEST.vcxproj", "{100EC34C-1C55-4261-90DF-C84114571066}"
11 | EndProject
12 | Global
13 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
14 | Debug|ARM64 = Debug|ARM64
15 | Debug|x64 = Debug|x64
16 | Debug|x86 = Debug|x86
17 | Release|ARM64 = Release|ARM64
18 | Release|x64 = Release|x64
19 | Release|x86 = Release|x86
20 | EndGlobalSection
21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
22 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Debug|ARM64.ActiveCfg = Debug|ARM64
23 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Debug|ARM64.Build.0 = Debug|ARM64
24 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Debug|ARM64.Deploy.0 = Debug|ARM64
25 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Debug|x64.ActiveCfg = Debug|x64
26 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Debug|x64.Build.0 = Debug|x64
27 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Debug|x64.Deploy.0 = Debug|x64
28 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Debug|x86.ActiveCfg = Debug|x64
29 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Debug|x86.Build.0 = Debug|x64
30 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Debug|x86.Deploy.0 = Debug|x64
31 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Release|ARM64.ActiveCfg = Release|ARM64
32 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Release|ARM64.Build.0 = Release|ARM64
33 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Release|ARM64.Deploy.0 = Release|ARM64
34 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Release|x64.ActiveCfg = Release|x64
35 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Release|x64.Build.0 = Release|x64
36 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Release|x64.Deploy.0 = Release|x64
37 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Release|x86.ActiveCfg = Release|x64
38 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Release|x86.Build.0 = Release|x64
39 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}.Release|x86.Deploy.0 = Release|x64
40 | {FCF73A40-41D6-41D7-B018-FC15E6FFED9E}.Debug|ARM64.ActiveCfg = Debug|x64
41 | {FCF73A40-41D6-41D7-B018-FC15E6FFED9E}.Debug|ARM64.Build.0 = Debug|x64
42 | {FCF73A40-41D6-41D7-B018-FC15E6FFED9E}.Debug|x64.ActiveCfg = Debug|x64
43 | {FCF73A40-41D6-41D7-B018-FC15E6FFED9E}.Debug|x64.Build.0 = Debug|x64
44 | {FCF73A40-41D6-41D7-B018-FC15E6FFED9E}.Debug|x86.ActiveCfg = Debug|Win32
45 | {FCF73A40-41D6-41D7-B018-FC15E6FFED9E}.Debug|x86.Build.0 = Debug|Win32
46 | {FCF73A40-41D6-41D7-B018-FC15E6FFED9E}.Release|ARM64.ActiveCfg = Release|x64
47 | {FCF73A40-41D6-41D7-B018-FC15E6FFED9E}.Release|ARM64.Build.0 = Release|x64
48 | {FCF73A40-41D6-41D7-B018-FC15E6FFED9E}.Release|x64.ActiveCfg = Release|x64
49 | {FCF73A40-41D6-41D7-B018-FC15E6FFED9E}.Release|x64.Build.0 = Release|x64
50 | {FCF73A40-41D6-41D7-B018-FC15E6FFED9E}.Release|x86.ActiveCfg = Release|Win32
51 | {FCF73A40-41D6-41D7-B018-FC15E6FFED9E}.Release|x86.Build.0 = Release|Win32
52 | {100EC34C-1C55-4261-90DF-C84114571066}.Debug|ARM64.ActiveCfg = Debug|x64
53 | {100EC34C-1C55-4261-90DF-C84114571066}.Debug|ARM64.Build.0 = Debug|x64
54 | {100EC34C-1C55-4261-90DF-C84114571066}.Debug|x64.ActiveCfg = Debug|x64
55 | {100EC34C-1C55-4261-90DF-C84114571066}.Debug|x64.Build.0 = Debug|x64
56 | {100EC34C-1C55-4261-90DF-C84114571066}.Debug|x86.ActiveCfg = Debug|Win32
57 | {100EC34C-1C55-4261-90DF-C84114571066}.Debug|x86.Build.0 = Debug|Win32
58 | {100EC34C-1C55-4261-90DF-C84114571066}.Release|ARM64.ActiveCfg = Release|x64
59 | {100EC34C-1C55-4261-90DF-C84114571066}.Release|ARM64.Build.0 = Release|x64
60 | {100EC34C-1C55-4261-90DF-C84114571066}.Release|x64.ActiveCfg = Release|x64
61 | {100EC34C-1C55-4261-90DF-C84114571066}.Release|x64.Build.0 = Release|x64
62 | {100EC34C-1C55-4261-90DF-C84114571066}.Release|x86.ActiveCfg = Release|Win32
63 | {100EC34C-1C55-4261-90DF-C84114571066}.Release|x86.Build.0 = Release|Win32
64 | EndGlobalSection
65 | GlobalSection(SolutionProperties) = preSolution
66 | HideSolutionNode = FALSE
67 | EndGlobalSection
68 | GlobalSection(ExtensibilityGlobals) = postSolution
69 | SolutionGuid = {1A2301AC-44C4-452E-B3CC-E687AD35B879}
70 | EndGlobalSection
71 | EndGlobal
72 |
--------------------------------------------------------------------------------
/dkom_overlay/dkom_overlay.inf:
--------------------------------------------------------------------------------
1 | ;
2 | ; dkom_overlay.inf
3 | ;
4 |
5 | [Version]
6 | Signature="$WINDOWS NT$"
7 | Class=System ; TODO: specify appropriate Class
8 | ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318} ; TODO: specify appropriate ClassGuid
9 | Provider=%ManufacturerName%
10 | CatalogFile=dkom_overlay.cat
11 | DriverVer= ; TODO: set DriverVer in stampinf property pages
12 | PnpLockdown=1
13 |
14 | [DestinationDirs]
15 | DefaultDestDir = 12
16 | dkom_overlay_Device_CoInstaller_CopyFiles = 11
17 |
18 | [SourceDisksNames]
19 | 1 = %DiskName%,,,""
20 |
21 | [SourceDisksFiles]
22 | dkom_overlay.sys = 1,,
23 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
24 |
25 | ;*****************************************
26 | ; Install Section
27 | ;*****************************************
28 |
29 | [Manufacturer]
30 | %ManufacturerName%=Standard,NT$ARCH$
31 |
32 | [Standard.NT$ARCH$]
33 | %dkom_overlay.DeviceDesc%=dkom_overlay_Device, Root\dkom_overlay ; TODO: edit hw-id
34 |
35 | [dkom_overlay_Device.NT]
36 | CopyFiles=Drivers_Dir
37 |
38 | [Drivers_Dir]
39 | dkom_overlay.sys
40 |
41 | ;-------------- Service installation
42 | [dkom_overlay_Device.NT.Services]
43 | AddService = dkom_overlay,%SPSVCINST_ASSOCSERVICE%, dkom_overlay_Service_Inst
44 |
45 | ; -------------- dkom_overlay driver install sections
46 | [dkom_overlay_Service_Inst]
47 | DisplayName = %dkom_overlay.SVCDESC%
48 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER
49 | StartType = 3 ; SERVICE_DEMAND_START
50 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL
51 | ServiceBinary = %12%\dkom_overlay.sys
52 |
53 | ;
54 | ;--- dkom_overlay_Device Coinstaller installation ------
55 | ;
56 |
57 | [dkom_overlay_Device.NT.CoInstallers]
58 | AddReg=dkom_overlay_Device_CoInstaller_AddReg
59 | CopyFiles=dkom_overlay_Device_CoInstaller_CopyFiles
60 |
61 | [dkom_overlay_Device_CoInstaller_AddReg]
62 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
63 |
64 | [dkom_overlay_Device_CoInstaller_CopyFiles]
65 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
66 |
67 | [dkom_overlay_Device.NT.Wdf]
68 | KmdfService = dkom_overlay, dkom_overlay_wdfsect
69 | [dkom_overlay_wdfsect]
70 | KmdfLibraryVersion = $KMDFVERSION$
71 |
72 | [Strings]
73 | SPSVCINST_ASSOCSERVICE= 0x00000002
74 | ManufacturerName="" ;TODO: Replace with your manufacturer name
75 | DiskName = "dkom_overlay Installation Disk"
76 | dkom_overlay.DeviceDesc = "dkom_overlay Device"
77 | dkom_overlay.SVCDESC = "dkom_overlay Service"
78 |
--------------------------------------------------------------------------------
/dkom_overlay/dkom_overlay.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | x64
7 |
8 |
9 | Release
10 | x64
11 |
12 |
13 | Debug
14 | ARM64
15 |
16 |
17 | Release
18 | ARM64
19 |
20 |
21 |
22 | {2C5CDDFA-7AFE-4D1B-A427-B03F24B7D46B}
23 | {1bc93793-694f-48fe-9372-81e2b05556fd}
24 | v4.5
25 | 12.0
26 | Debug
27 | x64
28 | dkom_overlay
29 | $(LatestTargetPlatformVersion)
30 | driver
31 |
32 |
33 |
34 | Windows10
35 | true
36 | WindowsKernelModeDriver10.0
37 | Driver
38 | KMDF
39 | Universal
40 | 1
41 | false
42 |
43 |
44 | Windows10
45 | false
46 | WindowsKernelModeDriver10.0
47 | Driver
48 | KMDF
49 | Universal
50 | 1
51 | false
52 |
53 |
54 | Windows10
55 | true
56 | WindowsKernelModeDriver10.0
57 | Driver
58 | KMDF
59 | Universal
60 |
61 |
62 | Windows10
63 | false
64 | WindowsKernelModeDriver10.0
65 | Driver
66 | KMDF
67 | Universal
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 | DbgengKernelDebugger
79 | false
80 |
81 |
82 | DbgengKernelDebugger
83 | false
84 |
85 |
86 | DbgengKernelDebugger
87 |
88 |
89 | DbgengKernelDebugger
90 |
91 |
92 |
93 | sha256
94 |
95 |
96 | entry
97 |
98 |
99 | stdcpp17
100 | false
101 | _DEBUG;_WIN64;_AMD64_;AMD64;%(PreprocessorDefinitions)
102 |
103 |
104 |
105 |
106 | sha256
107 |
108 |
109 | entry
110 |
111 |
112 | stdcpp17
113 | false
114 |
115 |
116 |
117 |
118 | sha256
119 |
120 |
121 |
122 |
123 | sha256
124 |
125 |
126 |
127 |
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
136 |
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
--------------------------------------------------------------------------------
/dkom_overlay/dkom_overlay.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {8E41214B-6785-4CFE-B992-037D68949A14}
14 | inf;inv;inx;mof;mc;
15 |
16 |
17 |
18 |
19 | Driver Files
20 |
21 |
22 |
23 |
24 | Header Files
25 |
26 |
27 | Header Files
28 |
29 |
30 | Header Files
31 |
32 |
33 | Header Files
34 |
35 |
36 |
37 |
38 | Source Files
39 |
40 |
41 |
--------------------------------------------------------------------------------
/dkom_overlay/entry.cpp:
--------------------------------------------------------------------------------
1 | #include "includes.h"
2 | #include "util.h"
3 |
// rva(addr, size): resolve a RIP-relative operand. Reads the 32-bit
// displacement stored at (addr + size - 4) and adds it to the address just
// past the instruction (addr + size). NOTE(review): `addr` is used without
// surrounding parentheses, so only pass a single value, as entry() does.
#define rva(addr, size)((PBYTE)(addr + *(DWORD*)(addr + ((size) - 4)) + size))

// .data ptr signature 48 8B 05 FD 6F 05 ? 48 85 C0 ( NtMITPostWindowEventMessage )
// Previous value of the function pointer that entry() exchanges for callback();
// callback() forwards to it for every call that does not carry the magic key.
std::int64_t (__fastcall* orig_callback)(void*, void*) = nullptr;
8 |
// Request block that callback() expects behind the first argument of the
// hooked win32k call. It is copied out of user memory with safe_copy and only
// acted on when `key` equals the magic value 0xCA.
struct comms_t {
    std::uint32_t key;   // magic value checked by callback() (0xCA)

    struct {
        void* handle;    // window handle passed to ValidateHwnd in handle_overlay()
    }window;
};
16 |
// Unlink the TAG_WND node of the window handle carried in `ptr` from its
// doubly-linked neighbour list (the README describes this as hiding the
// handle from the TAGWND list). Returns false on a null handle, when the
// ValidateHwnd export cannot be resolved, when the handle does not resolve to
// a window object, when the neighbour links are inconsistent, or when a link
// write yields a null pointer; returns true once both neighbours are rewritten.
//
// NOTE(review): `ptr` is the raw user-mode pointer that callback() received;
// `ptr->window.handle` is read straight from user memory here rather than
// from the copy callback() validated, so the checked and the used values are
// two separate fetches, and this read has no probe/try guard of its own.
bool handle_overlay( comms_t* ptr ) {
    if ( !ptr->window.handle ) {
        log_e( "passed hwnd invalid...\n" );
        return false;
    }

    /*
    Exposing TAG_WND structure pointer of our hwnd
    Note: If you're calling this export from a thread without Win32StartAddress, it will not work.
    Solutions: Attach to a process with a win32thread, dkom the win32startaddress of the target to your thread's win32startaddress.
    */

    // Resolved once (function-local static) from win32k's export table.
    static const auto validate_hwnd = util::module_t::win32k_base->get_export< TAG_WND* ( * )( void* ) >( _( "ValidateHwnd" ) );

    if ( !validate_hwnd ) {
        log_e( "couldn't find validate_hwnd...\n" );
        return false;
    }

    // Validating the kernel window handle
    const auto our_wnd = validate_hwnd( ptr->window.handle );

    if ( !our_wnd ) {
        log_e( "failed to obtain our window instance...\n" );
        return false;
    }

    // Sanity check to avoid Blue Screen of Death.
    // Both neighbours must point back at this node before anything is written.
    // NOTE(review): prev and next are themselves dereferenced here without a
    // null check.
    if ( our_wnd != our_wnd->prev->next || our_wnd != our_wnd->next->prev ) {
        log_e( "TAG_WND structure outdated, check offsets with bruteforcer above!\n" );
        return false;
    }

    // The two assignments are the unlink itself; each is evaluated inside the
    // condition and the stored pointer is tested for null. The node's own
    // prev/next are left untouched and still point at the old neighbours.
    if ( !( our_wnd->prev->next = our_wnd->next ) || !( our_wnd->next->prev = our_wnd->prev ) ) {
        log_e( "something went really really wrong...\n" );
        return false;
    }

    log_s( "overlay handled successfully!\n" );

    return true;
}
59 |
// Hook body that entry() installs in place of the original win32k function
// pointer. Only calls arriving from user mode are inspected: the first
// argument is copied into a static buffer with util::memory_t::safe_copy and,
// if the copy succeeds and buffer.key holds the magic value 0xCA, the request
// is handed to handle_overlay() and 0 is returned. Anything else (kernel-mode
// caller, unreadable argument, wrong key) is forwarded unchanged to
// orig_callback.
//
// NOTE(review): the validated copy in `buffer` is not what gets used —
// handle_overlay() receives the raw user pointer a1, so its fields are
// re-read from user memory after the check (double fetch).
// NOTE(review): `buffer` is one static shared by every caller; nothing here
// serialises concurrent callers, so one copy can overwrite another.
std::int64_t callback( comms_t* a1, void* a2 ) {
    static comms_t buffer = { };
    // Short-circuit order matters: the previous-mode test runs before any
    // read of a1, and the key is examined only after a successful copy.
    if ( ExGetPreviousMode( ) != UserMode || !util::memory_t::safe_copy( &buffer, a1, sizeof( comms_t )) || buffer.key != 0xCA ) {
        return orig_callback( a1, a2 );
    }

    // The result of handle_overlay() is discarded; the caller gets 0 either way.
    handle_overlay( a1 );

    return 0;
}
70 |
// Driver entry point (the project appears to set `entry` as its entry symbol,
// see dkom_overlay.vcxproj). Initialises util::module_t, locates the
// RIP-relative instruction in win32k via the byte pattern noted above
// orig_callback, resolves the referenced pointer slot with rva(), then
// atomically exchanges the stored function pointer for callback(), saving the
// previous value in orig_callback. Returns STATUS_UNSUCCESSFUL when module
// initialisation fails, when the resolved pointer is null, or when the
// exchange returns null; otherwise STATUS_SUCCESS.
//
// NOTE(review): the pattern-scan result is passed to rva() before it is
// tested, and rva() dereferences it; if find_pattern can return a null
// pointer, the null check on `ptr` below comes too late. The exchange is
// also never undone in this file — no unload routine restores the original
// pointer.
NTSTATUS entry( ) {

    if ( !util::module_t::init( ) )
        return STATUS_UNSUCCESSFUL;

    // 7 is the length of the matched instruction; rva() reads the 4-byte
    // displacement at its tail.
    const auto ptr = rva( util::module_t::win32k->find_pattern( _( "\x48\x8B\x05\xFD\x6F\x05\x00\x48\x85\xC0" ), _( "xxxxxx?xxx" ) ), 7 );

    if ( !ptr ) {
        log_e( "ptr not found...\n" );
        return STATUS_UNSUCCESSFUL;
    }

    // The old pointer is written straight into orig_callback through a
    // reinterpret_cast of its address; a null result is treated as failure.
    if ( !( *reinterpret_cast< void** >( &orig_callback ) = _InterlockedExchangePointer( reinterpret_cast< void** >( ptr ), callback ) ) ){
        log_e( "swapping pointer failed...\n" );
        return STATUS_UNSUCCESSFUL;
    }

    log_s( "driver initialized!\n" );

    return STATUS_SUCCESS;
}
92 |
--------------------------------------------------------------------------------
/dkom_overlay/includes.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include
11 | #include
12 |
13 | #include "skcrypt.h"
14 |
15 | #pragma comment(lib, "ntoskrnl.lib")
16 |
// Logging helpers. In _DEBUG builds each expands to DbgPrintEx on the
// IHVDRIVER component at error level, with the format string prefixed by a
// tag and wrapped in _() (skcrypt.h), so the literal sits in the image
// obfuscated rather than in the clear.
// In non-debug builds the DbgPrintEx name is dropped but the argument list is
// kept as a parenthesised comma expression, so its operands — including the
// _() lambda that materialises the string — are still evaluated. Both
// branches rely on MSVC's traditional preprocessor dropping the trailing
// comma when __VA_ARGS__ is empty (every log_* call in entry.cpp passes no
// extra arguments).
#ifdef _DEBUG
#define log( s, ... ) DbgPrintEx( DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, _("[DEBUG-LOG] " s), __VA_ARGS__ )
#define log_s( s, ... ) DbgPrintEx( DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, _("[+] " s), __VA_ARGS__ )
#define log_e( s, ... ) DbgPrintEx( DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, _("[-] " s), __VA_ARGS__ )
#define log_w( s, ... ) DbgPrintEx( DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, _("[!] " s), __VA_ARGS__ )
#else
#define log( s, ... ) ( DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, _("[DEBUG-LOG] " s), __VA_ARGS__ )
#define log_s( s, ... ) ( DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, _("[+] " s), __VA_ARGS__ )
#define log_e( s, ... ) ( DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, _("[-] " s), __VA_ARGS__ )
#define log_w( s, ... ) ( DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, _("[!] " s), __VA_ARGS__ )
#endif
--------------------------------------------------------------------------------
/dkom_overlay/skcrypt.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | /*____________________________________________________________________________________________________________
4 |
5 | Original Author: skadro
6 | Github: https://github.com/skadro-official
7 | License: See end of file
8 |
9 | skCrypter
10 | Compile-time, Usermode + Kernelmode, safe and lightweight string crypter library for C++11+
11 |
12 | *Not removing this part is appreciated*
13 | ____________________________________________________________________________________________________________*/
14 |
15 | #ifdef _KERNEL_MODE
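namespace std
{
    // Minimal stand-ins for the <type_traits> facilities skCrypter needs; the
    // build selects these under _KERNEL_MODE instead of including the standard
    // header. The template parameter lists, lost in the page extraction, are
    // restored here.

    // STRUCT TEMPLATE remove_reference
    template <class _Ty>
    struct remove_reference {
        using type = _Ty;
    };

    template <class _Ty>
    struct remove_reference<_Ty&> {
        using type = _Ty;
    };

    template <class _Ty>
    struct remove_reference<_Ty&&> {
        using type = _Ty;
    };

    template <class _Ty>
    using remove_reference_t = typename remove_reference<_Ty>::type;

    // STRUCT TEMPLATE remove_const
    template <class _Ty>
    struct remove_const { // remove top-level const qualifier
        using type = _Ty;
    };

    template <class _Ty>
    struct remove_const<const _Ty> {
        using type = _Ty;
    };

    template <class _Ty>
    using remove_const_t = typename remove_const<_Ty>::type;
}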
51 | #else
52 | #include
53 | #endif
54 |
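namespace skc
{
    // Strip references and top-level const so the crypter operates on the
    // plain element type of the literal (e.g. char or wchar_t).
    template<class _Ty>
    using clean_type = typename std::remove_const_t<std::remove_reference_t<_Ty>>;

    // Compile-time XOR string obfuscator (template parameter list restored
    // after page extraction dropped it).
    //   _size - element count of the literal, including the terminator
    //   _key1 - base key byte; the macro below derives it from __TIME__
    //   _key2 - period modifier: element i is XORed with _key1 + i % (1 + _key2)
    //   T     - element (character) type
    // The constructor stores the XORed copy; decrypt()/encrypt() apply the
    // same XOR in place, and isEncrypted() inspects the terminator slot, which
    // is non-zero exactly while the XOR is applied (given a non-zero key byte
    // for that slot).
    template <int _size, char _key1, char _key2, typename T>
    class skCrypter
    {
    public:
        // Copies `data` into internal storage, XORing every element.
        __forceinline constexpr skCrypter(T* data)
        {
            crypt(data);
        }

        // Raw storage pointer; contents depend on the current state.
        __forceinline T* get()
        {
            return _storage;
        }

        __forceinline int size() // (w)char count
        {
            return _size;
        }

        __forceinline char key()
        {
            return _key1;
        }

        // Re-applies the XOR if the storage is currently plain text.
        __forceinline T* encrypt()
        {
            if (!isEncrypted())
                crypt(_storage);

            return _storage;
        }

        // Removes the XOR if the storage is currently obfuscated.
        __forceinline T* decrypt()
        {
            if (isEncrypted())
                crypt(_storage);

            return _storage;
        }

        // The terminator slot reads 0 only in the plain-text state.
        __forceinline bool isEncrypted()
        {
            return _storage[_size - 1] != 0;
        }

        __forceinline void clear() // set full storage to 0
        {
            for (int i = 0; i < _size; i++)
            {
                _storage[i] = 0;
            }
        }

        // Implicit conversion decrypts in place and hands out the plain text.
        __forceinline operator T* ()
        {
            decrypt();

            return _storage;
        }

    private:
        // XOR `data` into storage; applying it twice restores the input.
        __forceinline constexpr void crypt(T* data)
        {
            for (int i = 0; i < _size; i++)
            {
                _storage[i] = data[i] ^ (_key1 + i % (1 + _key2));
            }
        }

        T _storage[_size]{};
    };
}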
132 |
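// _(str): obfuscate a string literal at compile time. The two key bytes are
// digits taken from the build's __TIME__ ("HH:MM:SS"): index 4 is the units
// digit of the minutes, index 7 the units digit of the seconds.
#define _(str) skCrypt_key(str, __TIME__[4], __TIME__[7])
// skCrypt_key(str, key1, key2): wraps `str` in a skc::skCrypter sized from the
// literal, kept as a constexpr static inside a lambda so the XORed bytes live
// in the image; evaluating the macro returns a copy that decrypts on use.
// (Template argument list restored after page extraction dropped it.)
#define skCrypt_key(str, key1, key2) []() { \
    constexpr static auto crypted = skc::skCrypter \
        <sizeof(str) / sizeof(str[0]), key1, key2, skc::clean_type<decltype(str[0])>>((skc::clean_type<decltype(str[0])>*)str); \
    return crypted; }()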
--------------------------------------------------------------------------------
/dkom_overlay/structs.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "includes.h"
3 |
// Local copy of the undocumented loader module-list entry. The WDK does not
// publish this layout, so the field order is an assumption that can drift
// between Windows builds. NOTE(review): none of the code visible in this
// listing (structs.h, util.h, usermode/main.cpp) dereferences a field of this
// struct, so its correctness is not exercised here.
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage; // in bytes
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags; // LDR_*
USHORT LoadCount;
USHORT TlsIndex;
LIST_ENTRY HashLinks;
PVOID SectionPointer;
ULONG CheckSum;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
22 |
// Information classes for ZwQuerySystemInformation, declared locally because
// the included kernel headers do not provide them. Most numeric values carry
// two names (spellings taken from different public references); the aliases
// are interchangeable. Only SystemModuleInformation (11) is used by the code
// visible here (util::module_t::get_system_module_base).
typedef enum SYSTEM_INFORMATION_CLASS
{
SystemInformationClassMin = 0,
SystemBasicInformation = 0,
SystemProcessorInformation = 1,
SystemPerformanceInformation = 2,
SystemTimeOfDayInformation = 3,
SystemPathInformation = 4,
SystemNotImplemented1 = 4,
SystemProcessInformation = 5,
SystemProcessesAndThreadsInformation = 5,
SystemCallCountInfoInformation = 6,
SystemCallCounts = 6,
SystemDeviceInformation = 7,
SystemConfigurationInformation = 7,
SystemProcessorPerformanceInformation = 8,
SystemProcessorTimes = 8,
SystemFlagsInformation = 9,
SystemGlobalFlag = 9,
SystemCallTimeInformation = 10,
SystemNotImplemented2 = 10,
SystemModuleInformation = 11,
SystemLocksInformation = 12,
SystemLockInformation = 12,
SystemStackTraceInformation = 13,
SystemNotImplemented3 = 13,
SystemPagedPoolInformation = 14,
SystemNotImplemented4 = 14,
SystemNonPagedPoolInformation = 15,
SystemNotImplemented5 = 15,
SystemHandleInformation = 16,
SystemObjectInformation = 17,
SystemPageFileInformation = 18,
SystemPagefileInformation = 18,
SystemVdmInstemulInformation = 19,
SystemInstructionEmulationCounts = 19,
SystemVdmBopInformation = 20,
SystemInvalidInfoClass1 = 20,
SystemFileCacheInformation = 21,
SystemCacheInformation = 21,
SystemPoolTagInformation = 22,
SystemInterruptInformation = 23,
SystemProcessorStatistics = 23,
SystemDpcBehaviourInformation = 24,
SystemDpcInformation = 24,
SystemFullMemoryInformation = 25,
SystemNotImplemented6 = 25,
SystemLoadImage = 26,
SystemUnloadImage = 27,
SystemTimeAdjustmentInformation = 28,
SystemTimeAdjustment = 28,
SystemSummaryMemoryInformation = 29,
SystemNotImplemented7 = 29,
SystemNextEventIdInformation = 30,
SystemNotImplemented8 = 30,
SystemEventIdsInformation = 31,
SystemNotImplemented9 = 31,
SystemCrashDumpInformation = 32,
SystemExceptionInformation = 33,
SystemCrashDumpStateInformation = 34,
SystemKernelDebuggerInformation = 35,
SystemContextSwitchInformation = 36,
SystemRegistryQuotaInformation = 37,
SystemLoadAndCallImage = 38,
SystemPrioritySeparation = 39,
SystemPlugPlayBusInformation = 40,
SystemNotImplemented10 = 40,
SystemDockInformation = 41,
SystemNotImplemented11 = 41,
SystemInvalidInfoClass2 = 42,
SystemProcessorSpeedInformation = 43,
SystemInvalidInfoClass3 = 43,
SystemCurrentTimeZoneInformation = 44,
SystemTimeZoneInformation = 44,
SystemLookasideInformation = 45,
SystemSetTimeSlipEvent = 46,
SystemCreateSession = 47,
SystemDeleteSession = 48,
SystemInvalidInfoClass4 = 49,
SystemRangeStartInformation = 50,
SystemVerifierInformation = 51,
SystemAddVerifier = 52,
SystemSessionProcessesInformation = 53,
// One past the last class defined here; not a valid query value.
SystemInformationClassMax
} SYSTEM_INFORMATION_CLASS;
108 |
// One loaded-driver record as returned by SystemModuleInformation.
// FullPathName is treated by the visible caller as a NUL-terminated ANSI path
// (it is compared whole with _stricmp); OffsetToFileName is the index of the
// file-name part within it and is not used here.
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
122 |
// Variable-length reply for SystemModuleInformation: Modules[1] is the
// flexible-array idiom and NumberOfModules records actually follow. The
// caller sizes the buffer with a probe query before reading it.
typedef struct _RTL_PROCESS_MODULES
{
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
128 |
// This structure was reversed by my friend and I via bruteforcing.
// Partial, offset-based view of a win32k window object: only the sibling/
// parent/child link pointers at 0x58..0x70 and a pointer at 0x10 are named,
// the padding arrays cover everything else. The offsets are specific to the
// Windows build they were recovered from and are not validated anywhere in
// the visible code; a layout change silently turns these into wild pointers.
typedef struct _TAG_WND
{
char padding_0[0x10];
struct _TAG_INFO* tag_info; // 0x10
char padding_0x0[0x40];
struct _TAG_WND* next; // 0x58
struct _TAG_WND* prev; // 0x60
struct _TAG_WND* parent; // 0x68
struct _TAG_WND* child; // 0x70
}TAG_WND, * PTAG_WND;
--------------------------------------------------------------------------------
/dkom_overlay/util.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "includes.h"
3 | #include "structs.h"
4 |
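// Prototypes for ntoskrnl exports that the included kernel headers do not
// declare. All three are undocumented or only partially documented
// interfaces; their behaviour and availability can change between Windows
// builds, so callers should treat failures as expected rather than exceptional.
extern "C" {
// Queries system information by class. The visible caller uses
// SystemModuleInformation to enumerate loaded drivers. WINAPI (__stdcall)
// has no effect on x64 and is kept only for source compatibility.
NTSTATUS
WINAPI ZwQuerySystemInformation(
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
_Inout_ PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
// Copies BufferSize bytes between two process address spaces. FromProcess
// and ToProcess may be the same process (the visible caller passes the
// current process for both); NumberOfBytesCopied receives the count moved.
NTSTATUS
MmCopyVirtualMemory(
IN PEPROCESS FromProcess,
IN CONST VOID *FromAddress,
IN PEPROCESS ToProcess,
OUT PVOID ToAddress,
IN SIZE_T BufferSize,
IN KPROCESSOR_MODE PreviousMode,
OUT PSIZE_T NumberOfBytesCopied
);
// Resolves an export of a loaded image by name; returns NULL when not found.
// (The parameter was previously spelled "RoutineNam"; a prototype parameter
// name has no effect on linkage, so this is a cosmetic fix.)
NTKERNELAPI
PVOID
NTAPI
RtlFindExportedRoutineByName (
_In_ PVOID ImageBase,
_In_ PCCH RoutineName
);
}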
31 |
namespace util
{
// ANSI -> UNICODE_STRING helper for Rtl*/Mm* APIs that take UNICODE_STRING.
struct string_t {
// Converts a NUL-terminated ANSI string into a UNICODE_STRING whose buffer
// is allocated by RtlAnsiStringToUnicodeString (the `true` argument). The
// caller owns that buffer and must release it with RtlFreeUnicodeString;
// the one visible caller (system_t::get_routine_address) never does, so
// every lookup leaks a buffer. The conversion's NTSTATUS is not checked:
// on failure the returned struct is whatever the routine left in the
// zero-initialised u_str.
static UNICODE_STRING ansi_to_unicode( const char* str ) {
ANSI_STRING a_str{};
UNICODE_STRING u_str{};

RtlInitAnsiString(&a_str, str);
RtlAnsiStringToUnicodeString(&u_str, &a_str, true);

return u_str;
}
};

struct system_t {
// Resolves an exported system routine by name through
// MmGetSystemRoutineAddress and C-casts the result to the requested
// function-pointer type `t`. A routine that is not found yields a null
// pointer cast to `t`. The UNICODE_STRING buffer is not freed (see above).
template< typename t >
static t get_routine_address( const char* routine_name ) {
UNICODE_STRING u_str = string_t::ansi_to_unicode( routine_name );

return ( t )MmGetSystemRoutineAddress(&u_str);
}
};

struct process_t {
// Cached EPROCESS pointer; declared here but not assigned anywhere in this file.
static inline PEPROCESS e_process = { };

// Looks up the EPROCESS for a process id, or returns nullptr when the lookup
// fails. PsLookupProcessByProcessId takes a reference on the returned
// object; the caller must ObDereferenceObject it when done (no caller is
// visible in this file). The 32-bit id is widened into a HANDLE by the cast.
static PEPROCESS get_e_process( std::int32_t process_id ) {
PEPROCESS proc = { };

if ( !NT_SUCCESS( PsLookupProcessByProcessId( reinterpret_cast< HANDLE >( process_id ), &proc ) ) )
return nullptr;

return proc;
}
};

struct memory_t {
// Copies `size` bytes from src to dst within the current process via
// MmCopyVirtualMemory (both process arguments are IoGetCurrentProcess()),
// so a copy the kernel routine rejects surfaces as `false` rather than as a
// fault in a plain memcpy. Returns true only on NT_SUCCESS; the number of
// bytes actually copied (`bytes`) is never compared with `size`.
// NOTE(review): whether this guards against every invalid address (for
// example non-present kernel pages) depends on MmCopyVirtualMemory's own
// probing and cannot be verified from here.
static bool safe_copy( void* dst, void* src, size_t size ) {
size_t bytes = 0;

if ( !NT_SUCCESS( MmCopyVirtualMemory( IoGetCurrentProcess( ), src, IoGetCurrentProcess( ), dst, size, KernelMode, &bytes ) ) )
return false;

return true;
}
};

// Handle type for a loaded kernel image. The struct has no data members
// (sizeof == 1) and a module_t* is simply the image base: `this` is cast to
// IMAGE_DOS_HEADER* in find_pattern and passed as ImageBase to
// RtlFindExportedRoutineByName. Pointer arithmetic on a module_t* therefore
// advances in bytes, which `this + section->VirtualAddress` below relies on.
struct module_t {
// Image bases resolved by init(): ntoskrnl, win32k.sys and win32kbase.sys.
static inline module_t* ntos = nullptr, *win32k = nullptr, *win32k_base = nullptr;

// Heuristic search for the ntoskrnl image base. It reads 8 bytes at offset 4
// of the first IDT descriptor, page-aligns that value, and from that page
// walks backwards one page at a time looking for a `lea rbx, [rip+disp32]`
// (48 8D 1D) whose displacement's top byte is 0xFF (a backwards reference)
// and whose RIP-relative target is page-aligned; that target is returned.
// Every access is a raw dereference with no MmIsAddressValid check and no
// lower bound other than reaching address 0, so a non-present page in the
// scanned range faults and, at kernel level, bugchecks the machine. The byte
// pattern is a build-specific assumption: a Windows update can make this
// return a wrong base or nullptr.
static module_t* get_ntos_base( ) {
const auto idt_base = reinterpret_cast< std::uintptr_t >( KeGetPcr( )->IdtBase );
// Clear the low 12 bits to land on a page boundary.
auto align_page = *reinterpret_cast< std::uintptr_t* >( idt_base + 4 ) >> 0xc << 0xc;

for ( ; align_page; align_page -= 0x1000 )
{
// The candidate instruction is 7 bytes long; stopping at 0x1000 - 7 keeps
// the +0x6 read inside the current page.
for ( int index = 0; index < 0x1000 - 0x7; index++ ) {
const auto current_address = static_cast< std::intptr_t >( align_page ) + index;

if
(
*reinterpret_cast< std::uint8_t* >( current_address ) == 0x48 &&
*reinterpret_cast< std::uint8_t* >( current_address + 0x1 ) == 0x8d &&
*reinterpret_cast< std::uint8_t* >( current_address + 0x2 ) == 0x1d &&
*reinterpret_cast< std::uint8_t* >( current_address + 0x6 ) == 0xff
)
{
// disp32 sits at +3..+6; the target is relative to the next instruction (+7).
const auto nto_base_offset = *reinterpret_cast< int* >( current_address + 0x3 );
const auto nto_base_ = ( current_address + nto_base_offset + 0x7 );

if (! ( nto_base_ & 0xfff ) )
return reinterpret_cast< module_t* >(nto_base_);
}
}
}
return nullptr;
}

// Finds a loaded driver by its full path (e.g. "\SystemRoot\System32\win32k.sys",
// compared case-insensitively against FullPathName) through
// SystemModuleInformation and returns its ImageBase, or 0/nullptr on any
// failure. A probe query with a zero-length buffer sizes the allocation; if a
// module loads between the probe and the real query the second call fails and
// the function gives up without retrying. Each loop iteration copies a whole
// RTL_PROCESS_MODULE_INFORMATION (`const auto` is a by-value copy). The
// pool tag 'udom' must match the ExFreePoolWithTag calls below; the final
// `if ( modules )` is always true at that point.
static module_t* get_system_module_base( const char* name ) {
module_t* base = 0;
ULONG bytes = 0;

ZwQuerySystemInformation( SystemModuleInformation, 0, bytes, &bytes );

if ( !bytes ) {
log_e( "get_system_module_base failed...\n" );
return nullptr;
}

const auto modules = reinterpret_cast< RTL_PROCESS_MODULES* >( ExAllocatePoolWithTag( NonPagedPoolNx, bytes, 'udom' ) );

if ( !modules )
return 0;

if ( !NT_SUCCESS( ZwQuerySystemInformation( SystemModuleInformation, modules, bytes, &bytes ) ) ) {
ExFreePoolWithTag( modules, 'udom' );
return 0;
}

for ( ULONG i = 0; i < modules->NumberOfModules; i++ ) {
const auto current_module = modules->Modules[ i ];

if ( !_stricmp( reinterpret_cast< const char* >( current_module.FullPathName ), name ) ) {
base = reinterpret_cast< module_t* >( current_module.ImageBase );
break;
}
}

if ( modules )
ExFreePoolWithTag( modules, 'udom' );

return base;
}

// Resolves an export of this image by name and C-casts it to `t`; a missing
// export yields a null pointer cast to `t`. Takes a non-const char* although
// the name is never modified.
template< typename t >
t get_export( char* name ) {
return ( t )RtlFindExportedRoutineByName( this, name );
}

// Masked byte search over `size` bytes starting at `_this`. `mask` drives the
// comparison: '?' positions are wildcards, any other character requires the
// byte in `pattern` to match; `mask` also defines the pattern length.
// Returns the first matching address or nullptr.
// NOTE(review): `size` is uint32_t and strlen() returns size_t, so a mask
// longer than `size` wraps the bound to a huge value and the loop reads far
// past the region; `int i` is also compared against that unsigned bound.
// Reads are unchecked, so a region that is partly non-present (e.g. a
// pageable section) faults at the caller's IRQL.
__forceinline std::uint8_t* find_pattern( module_t* _this, std::uint32_t size, const char* pattern, const char* mask ) {
// Compares one candidate position; `addr` here is a pattern byte, not an address.
auto check_mask = [ ]( std::uint8_t* buf, const char* _pattern, const char* _mask ) -> bool {
for ( std::uint8_t* x = buf; *_mask; _pattern++, _mask++, x++ ) {
const auto addr = *( std::uint8_t* )( _pattern );

if ( addr != *x && *_mask != '?' )
return false;
}
return true;
};

for ( int i = 0; i < size - strlen( mask ); i++ ) {
const auto addr = reinterpret_cast< std::uint8_t* >(_this) + i;

if ( check_mask( addr, pattern, mask ) )
return addr;
}
return nullptr;
}

// Pattern search restricted to this image's code: walks the PE section table
// (treating `this` as the DOS header) and searches the FIRST section named
// ".text" or "PAGE" — only one section is ever scanned, whichever comes
// first. The two null checks cannot realistically fire: `header` is `this`
// plus e_lfanew and IMAGE_FIRST_SECTION is pointer arithmetic on it, so
// neither yields NULL for a valid base. Nothing validates that `this` really
// points at a PE image (e.g. the "MZ"/"PE" signatures). The _() literals are
// decrypted temporaries that live for the duration of the memcmp call.
__forceinline std::uint8_t* find_pattern( const char* pattern, const char* mask ) {
const auto dos = reinterpret_cast< IMAGE_DOS_HEADER* >( this );

const auto header = reinterpret_cast< IMAGE_NT_HEADERS64* >(reinterpret_cast< std::uintptr_t >( this ) + dos->e_lfanew);

if ( !header ) {
log_e( "nt header invalid\n" );
return nullptr;
}

auto section = IMAGE_FIRST_SECTION( header );

if ( !section ) {
log_e( "pe section invalid\n" );
return nullptr;
}

for ( int i = 0; i < header->FileHeader.NumberOfSections; i++, section++ ) {
if ( !memcmp( section->Name, _( ".text" ), 5 ) || !memcmp( section->Name, _( "PAGE" ), 4 ) )
// `this + VirtualAddress` advances in bytes because sizeof(module_t) == 1.
return find_pattern( reinterpret_cast< module_t* >( this + section->VirtualAddress ), section->Misc.VirtualSize, pattern, mask );
}
return nullptr;
}

// Resolves the three image bases used elsewhere, in order: ntoskrnl (via the
// IDT heuristic), then win32k.sys and win32kbase.sys (via the module list,
// looked up by full path). Stops at the first failure and returns false;
// log_e/log_s are defined outside this file. The _() temporaries are
// decrypted for the duration of each call.
static bool init( ) {
ntos = get_ntos_base( );

if ( !ntos ) {
log_e( "couldn't obtain ntos base...\n" );
return false;
}

win32k = util::module_t::get_system_module_base( _( "\\SystemRoot\\System32\\win32k.sys" ) );

if ( !win32k ) {
log_e( "couldn't obtain win32k...\n" );
return false;
}

win32k_base = util::module_t::get_system_module_base( _( "\\SystemRoot\\System32\\win32kbase.sys" ) );

if ( !win32k_base ) {
log_e( "couldn't obtain win32kbase...\n" );
return false;
}

log_s( "initialized modules!\n" );

return true;
}
};
}
--------------------------------------------------------------------------------
/usermode/main.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 |
7 | #pragma comment(lib, "d3d11.lib")
8 | #pragma comment(lib, "d3dx11.lib")
9 | #pragma comment(lib, "dwmapi.lib")
10 |
// Function pointer used to reach the kernel component. init_driver() points it
// at win32u!NtMITPostWindowEventMessage (a user-mode system-call stub);
// presumably the driver side (entry.cpp, not visible here) intercepts that
// call and interprets the first argument as a comms_t. Until init_driver()
// succeeds this is nullptr and handle_overlay() would call through a null pointer.
std::int64_t (__fastcall* kernel_call)(void*, void*) = nullptr;
12 |
// Request block passed by pointer as the first argument of kernel_call.
// `key` is a magic value (handle_overlay() uses 0xCA) that the kernel side is
// presumably checked against; `window.handle` is the HWND the request refers
// to. The layout must match the driver's view of it byte for byte.
struct comms_t {
std::uint32_t key;

struct {
void* handle;
}window;
};
20 |
// Resolves the user-mode entry point used to talk to the kernel component and
// stores it in kernel_call. Returns false when win32u.dll or the export cannot
// be found. Note this does not load or verify the driver itself; it only
// locates an existing syscall stub.
bool init_driver( ) {

// Manually loading user32.dll to avoid stupid exceptions / crashes encountered previously.
// (The returned module handle is intentionally ignored.)
LoadLibraryA("user32.dll");

const auto mod = LoadLibraryA("win32u.dll");

if ( !mod )
return false;

const auto address = GetProcAddress(mod, "NtMITPostWindowEventMessage");

if ( !address )
return false;

// Type-punned store into kernel_call. The test can never fail here because
// `address` was already checked above, so this branch is dead.
if ( !( *reinterpret_cast< void** >( &kernel_call ) = address ) )
return false;

return true;
}
41 |
// Sends a single request for `hwnd` to the kernel component: key 0xCA plus
// the window handle, with a null second argument. The return value of
// kernel_call is discarded, and nothing verifies that init_driver() ran first.
void handle_overlay( HWND hwnd ) {
comms_t req{};

req.key = 0xCA;
req.window.handle = hwnd;

kernel_call(&req, 0);
}
50 |
51 |
// CreateWindow stuff
// Data — D3D11 objects shared by the helpers below; all owned by this
// translation unit and released in CleanupDeviceD3D()/CleanupRenderTarget().
// (This scaffolding looks like the stock D3D11 sample window code.)
static ID3D11Device* g_pd3dDevice = NULL;
static ID3D11DeviceContext* g_pd3dDeviceContext = NULL;
static IDXGISwapChain* g_pSwapChain = NULL;
static ID3D11RenderTargetView* g_mainRenderTargetView = NULL;

// Forward declarations of helper functions
bool CreateDeviceD3D(HWND hWnd);
void CleanupDeviceD3D();
void CreateRenderTarget();
void CleanupRenderTarget();
LRESULT WINAPI WndProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam);
65 |
66 |
67 |
// Test harness: points kernel_call at the win32u stub, opens a plain D3D11
// window, and on the END key sends one request for that window to the kernel
// component. Afterwards it keeps running the render loop until the window is
// closed (WM_QUIT).
int main( ) {
if ( !init_driver( ) ) {
printf( "failed to initialize driver...\n" );
std::cin.get( );
return 0; // NOTE(review): exits with status 0 (success) on this failure path
}

// RegisterClassEx / CreateWindow results are not checked; a NULL hwnd would
// only surface later as a failed swap-chain creation.
WNDCLASSEX wc = { sizeof(WNDCLASSEX), CS_CLASSDC, WndProc, 0L, 0L, GetModuleHandle(NULL), NULL, NULL, NULL, NULL, L"JZ'S TEST_WND", NULL };
RegisterClassEx(&wc);
HWND hwnd = CreateWindow(wc.lpszClassName, L"JZ_WND", WS_OVERLAPPEDWINDOW, 100, 100, 400, 200, NULL, NULL, wc.hInstance, NULL);

if (!CreateDeviceD3D(hwnd)) {
CleanupDeviceD3D();
::UnregisterClass(wc.lpszClassName, wc.hInstance);
return 1;
}

ShowWindow(hwnd, SW_SHOWDEFAULT);
UpdateWindow(hwnd);

printf( "press END to spoof overlay!\n" );

bool done = false;
while (!done) {
// The SHORT from GetAsyncKeyState is tested unmasked, so bit 0 ("pressed
// since the last call") triggers as well as bit 15 (currently held).
if( GetAsyncKeyState( VK_END ) ) {
// Function-scope static: the request is sent at most once per process,
// regardless of how long END is held.
static bool do_once = false;

if ( !do_once ) {
handle_overlay( hwnd );
do_once = true;
printf( "overlay handled!\n" );
}
}

// Drain the message queue without blocking so the loop keeps rendering.
MSG msg;
while (::PeekMessage(&msg, NULL, 0U, 0U, PM_REMOVE)) {
::TranslateMessage(&msg);
::DispatchMessage(&msg);
if (msg.message == WM_QUIT)
done = true;
}
if (done)
break;

// Clear to white. ClearRenderTargetView takes normalized 0..1 floats; values
// outside that range are clamped when converted to the UNORM back buffer, so
// 255 behaves like 1.0 here.
const float clear_color_with_alpha[4] = { 255, 255, 255, 255 };
g_pd3dDeviceContext->OMSetRenderTargets(1, &g_mainRenderTargetView, NULL);
g_pd3dDeviceContext->ClearRenderTargetView(g_mainRenderTargetView, clear_color_with_alpha);
g_pSwapChain->Present(1, 0); // Present with vsync
}

printf( "overlay should be handled now\n" );

// NOTE(review): CleanupDeviceD3D()/UnregisterClass are not called on this
// path; the OS reclaims the resources at process exit.
return 0;
}
122 |
// Creates the D3D11 device, immediate context and a windowed swap chain for
// hWnd, storing them in the g_* globals, then builds the initial render
// target view. Returns false if device/swap-chain creation fails (the globals
// are then left as D3D11CreateDeviceAndSwapChain set them).
bool CreateDeviceD3D(HWND hWnd)
{
    // Double-buffered, windowed, 60 Hz RGBA8 swap chain; width/height 0 let
    // DXGI size the buffers to the window's client area.
    DXGI_SWAP_CHAIN_DESC sd = {};
    sd.BufferCount = 2;
    sd.BufferDesc.Width = 0;
    sd.BufferDesc.Height = 0;
    sd.BufferDesc.Format = DXGI_FORMAT_R8G8B8A8_UNORM;
    sd.BufferDesc.RefreshRate.Numerator = 60;
    sd.BufferDesc.RefreshRate.Denominator = 1;
    sd.Flags = DXGI_SWAP_CHAIN_FLAG_ALLOW_MODE_SWITCH;
    sd.BufferUsage = DXGI_USAGE_RENDER_TARGET_OUTPUT;
    sd.OutputWindow = hWnd;
    sd.SampleDesc.Count = 1;
    sd.SampleDesc.Quality = 0;
    sd.Windowed = TRUE;
    sd.SwapEffect = DXGI_SWAP_EFFECT_DISCARD;

    // Hardware driver, no creation flags (no debug layer); accept feature
    // level 11.0, falling back to 10.0.
    const D3D_FEATURE_LEVEL wanted[] = { D3D_FEATURE_LEVEL_11_0, D3D_FEATURE_LEVEL_10_0 };
    const UINT wantedCount = static_cast<UINT>(sizeof(wanted) / sizeof(wanted[0]));
    D3D_FEATURE_LEVEL obtained;

    const HRESULT hr = D3D11CreateDeviceAndSwapChain(
        NULL, D3D_DRIVER_TYPE_HARDWARE, NULL, 0u,
        wanted, wantedCount, D3D11_SDK_VERSION,
        &sd, &g_pSwapChain, &g_pd3dDevice, &obtained, &g_pd3dDeviceContext);
    if (hr != S_OK)
        return false;

    CreateRenderTarget();
    return true;
}
151 |
// Releases everything CreateDeviceD3D() created, in reverse order of
// creation (render target view, swap chain, context, device), and nulls the
// globals so a second call is harmless.
void CleanupDeviceD3D()
{
    CleanupRenderTarget();

    // Release-and-null helper for the COM globals.
    auto drop = [](auto*& com) {
        if (com != NULL) {
            com->Release();
            com = NULL;
        }
    };
    drop(g_pSwapChain);
    drop(g_pd3dDeviceContext);
    drop(g_pd3dDevice);
}
159 |
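// Creates g_mainRenderTargetView over the swap chain's back buffer.
// Fix: the back-buffer pointer is now initialised and GetBuffer's HRESULT is
// checked, so a failed GetBuffer (e.g. during a resize on a lost device) no
// longer leads to CreateRenderTargetView/Release being called on an
// uninitialised pointer. On failure g_mainRenderTargetView is left as is.
void CreateRenderTarget()
{
    ID3D11Texture2D* pBackBuffer = NULL;
    if (FAILED(g_pSwapChain->GetBuffer(0, IID_PPV_ARGS(&pBackBuffer))) || pBackBuffer == NULL)
        return;

    g_pd3dDevice->CreateRenderTargetView(pBackBuffer, NULL, &g_mainRenderTargetView);
    pBackBuffer->Release(); // the view holds its own reference to the texture
}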
167 |
// Drops the back-buffer view so the swap chain can be resized or torn down;
// safe to call when no view exists.
void CleanupRenderTarget()
{
    if (g_mainRenderTargetView == NULL)
        return;

    g_mainRenderTargetView->Release();
    g_mainRenderTargetView = NULL;
}
172 |
173 |
// Window procedure for the test window: rebuilds the render target on resize,
// swallows the ALT system-menu key, and posts WM_QUIT on destroy. Everything
// else goes to DefWindowProc.
LRESULT WINAPI WndProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam)
{
    if (msg == WM_SIZE) {
        // Resize the swap chain to the new client size; skip while minimized
        // (0x0 buffers) and before the device exists.
        if (g_pd3dDevice != NULL && wParam != SIZE_MINIMIZED) {
            CleanupRenderTarget();
            g_pSwapChain->ResizeBuffers(0, (UINT)LOWORD(lParam), (UINT)HIWORD(lParam), DXGI_FORMAT_UNKNOWN, 0);
            CreateRenderTarget();
        }
        return 0;
    }

    if (msg == WM_SYSCOMMAND && (wParam & 0xfff0) == SC_KEYMENU)
        return 0; // Disable ALT application menu

    if (msg == WM_DESTROY) {
        ::PostQuitMessage(0);
        return 0;
    }

    return ::DefWindowProc(hWnd, msg, wParam, lParam);
}
--------------------------------------------------------------------------------
/usermode/usermode.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {fcf73a40-41d6-41d7-b018-fc15e6ffed9e}
25 | usermode
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | $(VC_IncludePath);$(WindowsSDK_IncludePath);$(DXSDK_DIR)Include
75 | $(VC_LibraryPath_x64);$(WindowsSDK_LibraryPath_x64);$(DXSDK_DIR)Lib\x64
76 |
77 |
78 | $(VC_IncludePath);$(WindowsSDK_IncludePath);$(DXSDK_DIR)Include
79 | $(VC_LibraryPath_x64);$(WindowsSDK_LibraryPath_x64);$(DXSDK_DIR)Lib\x64
80 |
81 |
82 |
83 | Level3
84 | true
85 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
86 | true
87 |
88 |
89 | Console
90 | true
91 |
92 |
93 |
94 |
95 | Level3
96 | true
97 | true
98 | true
99 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
100 | true
101 |
102 |
103 | Console
104 | true
105 | true
106 | true
107 |
108 |
109 |
110 |
111 | Level3
112 | true
113 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
114 | true
115 |
116 |
117 | Console
118 | true
119 |
120 |
121 |
122 |
123 | Level3
124 | true
125 | true
126 | true
127 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
128 | true
129 |
130 |
131 | Console
132 | true
133 | true
134 | true
135 |
136 |
137 |
138 |
139 |
140 |
141 |
142 |
143 |
--------------------------------------------------------------------------------
/usermode/usermode.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 |
10 |
11 | Source Files
12 |
13 |
14 |
--------------------------------------------------------------------------------