├── KernelCheatUM
    ├── KernelCheatUM.vcxproj
    ├── KernelCheatUM.vcxproj.filters
    ├── KernelCheatUM.vcxproj.user
    └── main.cpp
├── KernelCheatYT.sln
├── KernelCheatYT
    ├── KernelCheatYT.inf
    ├── KernelCheatYT.vcxproj
    ├── KernelCheatYT.vcxproj.filters
    ├── KernelCheatYT.vcxproj.user
    ├── definitions.h
    ├── hook.cpp
    ├── hook.h
    ├── main.cpp
    ├── memory.cpp
    └── memory.h
└── README.md


/KernelCheatUM/KernelCheatUM.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <ProjectGuid>{64DE4F42-B12F-431D-89D5-89F8C41249B5}</ProjectGuid>
 24 |     <RootNamespace>KernelCheatUM</RootNamespace>
 25 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 26 |   </PropertyGroup>
 27 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 28 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 29 |     <ConfigurationType>Application</ConfigurationType>
 30 |     <UseDebugLibraries>true</UseDebugLibraries>
 31 |     <PlatformToolset>v142</PlatformToolset>
 32 |     <CharacterSet>Unicode</CharacterSet>
 33 |   </PropertyGroup>
 34 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 35 |     <ConfigurationType>Application</ConfigurationType>
 36 |     <UseDebugLibraries>false</UseDebugLibraries>
 37 |     <PlatformToolset>v142</PlatformToolset>
 38 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 39 |     <CharacterSet>Unicode</CharacterSet>
 40 |   </PropertyGroup>
 41 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 42 |     <ConfigurationType>Application</ConfigurationType>
 43 |     <UseDebugLibraries>true</UseDebugLibraries>
 44 |     <PlatformToolset>v142</PlatformToolset>
 45 |     <CharacterSet>Unicode</CharacterSet>
 46 |   </PropertyGroup>
 47 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 48 |     <ConfigurationType>Application</ConfigurationType>
 49 |     <UseDebugLibraries>false</UseDebugLibraries>
 50 |     <PlatformToolset>v142</PlatformToolset>
 51 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 52 |     <CharacterSet>NotSet</CharacterSet>
 53 |   </PropertyGroup>
 54 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 55 |   <ImportGroup Label="ExtensionSettings">
 56 |   </ImportGroup>
 57 |   <ImportGroup Label="Shared">
 58 |   </ImportGroup>
 59 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 60 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 61 |   </ImportGroup>
 62 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 63 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 64 |   </ImportGroup>
 65 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 66 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 67 |   </ImportGroup>
 68 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 69 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 70 |   </ImportGroup>
 71 |   <PropertyGroup Label="UserMacros" />
 72 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 73 |     <LinkIncremental>true</LinkIncremental>
 74 |   </PropertyGroup>
 75 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 76 |     <LinkIncremental>true</LinkIncremental>
 77 |   </PropertyGroup>
 78 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 79 |     <LinkIncremental>false</LinkIncremental>
 80 |   </PropertyGroup>
 81 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 82 |     <LinkIncremental>false</LinkIncremental>
 83 |   </PropertyGroup>
 84 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 85 |     <ClCompile>
 86 |       <WarningLevel>Level3</WarningLevel>
 87 |       <SDLCheck>true</SDLCheck>
 88 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 89 |       <ConformanceMode>true</ConformanceMode>
 90 |       <LanguageStandard>stdcpp17</LanguageStandard>
 91 |     </ClCompile>
 92 |     <Link>
 93 |       <SubSystem>Console</SubSystem>
 94 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 95 |     </Link>
 96 |   </ItemDefinitionGroup>
 97 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 98 |     <ClCompile>
 99 |       <WarningLevel>Level3</WarningLevel>
100 |       <SDLCheck>true</SDLCheck>
101 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
102 |       <ConformanceMode>true</ConformanceMode>
103 |     </ClCompile>
104 |     <Link>
105 |       <SubSystem>Console</SubSystem>
106 |       <GenerateDebugInformation>true</GenerateDebugInformation>
107 |     </Link>
108 |   </ItemDefinitionGroup>
109 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
110 |     <ClCompile>
111 |       <WarningLevel>Level3</WarningLevel>
112 |       <FunctionLevelLinking>true</FunctionLevelLinking>
113 |       <IntrinsicFunctions>true</IntrinsicFunctions>
114 |       <SDLCheck>true</SDLCheck>
115 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
116 |       <ConformanceMode>true</ConformanceMode>
117 |     </ClCompile>
118 |     <Link>
119 |       <SubSystem>Console</SubSystem>
120 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
121 |       <OptimizeReferences>true</OptimizeReferences>
122 |       <GenerateDebugInformation>true</GenerateDebugInformation>
123 |     </Link>
124 |   </ItemDefinitionGroup>
125 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
126 |     <ClCompile>
127 |       <WarningLevel>Level3</WarningLevel>
128 |       <FunctionLevelLinking>true</FunctionLevelLinking>
129 |       <IntrinsicFunctions>true</IntrinsicFunctions>
130 |       <SDLCheck>true</SDLCheck>
131 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
132 |       <ConformanceMode>true</ConformanceMode>
133 |       <LanguageStandard>stdcpplatest</LanguageStandard>
134 |     </ClCompile>
135 |     <Link>
136 |       <SubSystem>Console</SubSystem>
137 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
138 |       <OptimizeReferences>true</OptimizeReferences>
139 |       <GenerateDebugInformation>true</GenerateDebugInformation>
140 |     </Link>
141 |   </ItemDefinitionGroup>
142 |   <ItemGroup>
143 |     <ClCompile Include="main.cpp" />
144 |   </ItemGroup>
145 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
146 |   <ImportGroup Label="ExtensionTargets">
147 |   </ImportGroup>
148 | </Project>


--------------------------------------------------------------------------------
/KernelCheatUM/KernelCheatUM.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="main.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 | </Project>


--------------------------------------------------------------------------------
/KernelCheatUM/KernelCheatUM.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/KernelCheatUM/main.cpp:
--------------------------------------------------------------------------------
  1 | #include <iostream>
  2 | #include <Windows.h>
  3 | #include <TlHelp32.h>
  4 | #include <memory>
  5 | #include <string_view>
  6 | #include <cstdint>
  7 | #include <vector>
  8 | 
  9 | typedef struct _NULL_MEMORY
 10 | {
 11 | 	void* buffer_address;
 12 | 	UINT_PTR address;
 13 | 	ULONGLONG size;
 14 | 	ULONG pid;
 15 | 	BOOLEAN write;
 16 | 	BOOLEAN read;
 17 | 	BOOLEAN req_base;
 18 | 	BOOLEAN draw_box;
 19 | 	int		r, g, b, x, y, w, h, t;
 20 | 	void* output;
 21 | 	const char* module_name;
 22 | 	ULONG64 base_address;
 23 | }NULL_MEMORY;
 24 | 
 25 | uintptr_t base_address = 0;
 26 | std::uint32_t process_id = 0;
 27 | HDC hdc;
 28 | 
 29 | template<typename ... Arg>
 30 | uint64_t call_hook(const Arg ... args)
 31 | {
 32 | 	void* hooked_func = GetProcAddress(LoadLibrary("win32u.dll"), "NtDxgkGetTrackedWorkloadStatistics");
 33 | 
 34 | 	auto func = static_cast<uint64_t(_stdcall*)(Arg...)>(hooked_func);
 35 | 
 36 | 	return func(args ...);
 37 | }
 38 | 
 39 | struct HandleDisposer
 40 | {
 41 | 	using pointer = HANDLE;
 42 | 	void operator()(HANDLE handle) const
 43 | 	{
 44 | 		if (handle != NULL || handle != INVALID_HANDLE_VALUE)
 45 | 		{
 46 | 			CloseHandle(handle);
 47 | 		}
 48 | 	}
 49 | };
 50 | 
 51 | using unique_handle = std::unique_ptr<HANDLE, HandleDisposer>;
 52 | 
 53 | std::uint32_t get_process_id(std::string_view process_name)
 54 | {
 55 | 	PROCESSENTRY32 processentry;
 56 | 	const unique_handle snapshot_handle(CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL));
 57 | 
 58 | 	if (snapshot_handle.get() == INVALID_HANDLE_VALUE)
 59 | 		return NULL;
 60 | 
 61 | 	processentry.dwSize = sizeof(MODULEENTRY32);
 62 | 
 63 | 	while (Process32Next(snapshot_handle.get(), &processentry) == TRUE)
 64 | 	{
 65 | 		if (process_name.compare(processentry.szExeFile) == NULL)
 66 | 		{
 67 | 			return processentry.th32ProcessID;
 68 | 		}
 69 | 	}
 70 | 	return NULL;
 71 | }
 72 | 
 73 | static ULONG64 get_module_base_address(const char* module_name)
 74 | {
 75 | 	NULL_MEMORY instructions = { 0 };
 76 | 	instructions.pid = process_id;
 77 | 	instructions.req_base = TRUE;
 78 | 	instructions.read = FALSE;
 79 | 	instructions.write = FALSE;
 80 | 	instructions.draw_box = FALSE;
 81 | 	instructions.module_name = module_name;
 82 | 	call_hook(&instructions);
 83 | 	
 84 | 	ULONG64 base = NULL;
 85 | 	base = instructions.base_address;
 86 | 	return base;
 87 | }
 88 | template <class T>
 89 | T Read(UINT_PTR read_address)
 90 | {
 91 | 	T response{};
 92 | 	NULL_MEMORY instructions;
 93 | 	instructions.pid = process_id;
 94 | 	instructions.size = sizeof(T);
 95 | 	instructions.address = read_address;
 96 | 	instructions.read = TRUE;
 97 | 	instructions.write = FALSE;
 98 | 	instructions.req_base = FALSE;
 99 | 	instructions.draw_box = FALSE;
100 | 	instructions.output = &response;
101 | 	call_hook(&instructions);
102 | 
103 | 	return response;
104 | }
105 | 
106 | bool write_memory(UINT_PTR write_address, UINT_PTR source_address, SIZE_T write_size)
107 | {
108 | 	NULL_MEMORY instructions;
109 | 	instructions.address = write_address;
110 | 	instructions.pid = process_id;
111 | 	instructions.write = TRUE;
112 | 	instructions.read = FALSE;
113 | 	instructions.req_base = FALSE;
114 | 	instructions.draw_box = FALSE;
115 | 	instructions.buffer_address = (void*)source_address;
116 | 	instructions.size = write_size;
117 | 
118 | 	call_hook(&instructions);
119 | 
120 | 	return true;
121 | }
122 | 
123 | bool draw_box(int x, int y, int w, int h, int t, int r, int g, int b)
124 | {
125 | 	NULL_MEMORY instructions;
126 | 	instructions.write = FALSE;
127 | 	instructions.read = FALSE;
128 | 	instructions.req_base = FALSE;
129 | 	instructions.draw_box = TRUE;
130 | 	
131 | 	instructions.x = x;
132 | 	instructions.y = y;
133 | 	instructions.w = w;
134 | 	instructions.h = h;
135 | 	instructions.t = t;
136 | 
137 | 	instructions.r = r;
138 | 	instructions.g = g;
139 | 	instructions.b = b;
140 | 
141 | 	call_hook(&instructions);
142 | 
143 | 	return true;
144 | }
145 | 
146 | template<typename S>
147 | bool write(UINT_PTR write_address, const S& value)
148 | {
149 | 	return write_memory(write_address, (UINT_PTR)&value, sizeof(S));
150 | }
151 | 
152 | int main()
153 | {
154 | 	while (true)
155 | 	{
156 | 		draw_box(50, 50, 50, 50, 2, 255, 0, 0);
157 | 	}
158 | }


--------------------------------------------------------------------------------
/KernelCheatYT.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.29905.134
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KernelCheatYT", "KernelCheatYT\KernelCheatYT.vcxproj", "{59AD331E-D3D4-46C4-8759-4A02AB42353A}"
 7 | EndProject
 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KernelCheatUM", "KernelCheatUM\KernelCheatUM.vcxproj", "{64DE4F42-B12F-431D-89D5-89F8C41249B5}"
 9 | EndProject
10 | Global
11 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | 		Debug|ARM = Debug|ARM
13 | 		Debug|ARM64 = Debug|ARM64
14 | 		Debug|x64 = Debug|x64
15 | 		Debug|x86 = Debug|x86
16 | 		Release|ARM = Release|ARM
17 | 		Release|ARM64 = Release|ARM64
18 | 		Release|x64 = Release|x64
19 | 		Release|x86 = Release|x86
20 | 	EndGlobalSection
21 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
22 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM.ActiveCfg = Debug|ARM
23 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM.Build.0 = Debug|ARM
24 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM.Deploy.0 = Debug|ARM
25 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM64.ActiveCfg = Debug|ARM64
26 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM64.Build.0 = Debug|ARM64
27 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM64.Deploy.0 = Debug|ARM64
28 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x64.ActiveCfg = Debug|x64
29 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x64.Build.0 = Debug|x64
30 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x64.Deploy.0 = Debug|x64
31 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x86.ActiveCfg = Debug|Win32
32 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x86.Build.0 = Debug|Win32
33 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x86.Deploy.0 = Debug|Win32
34 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM.ActiveCfg = Release|ARM
35 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM.Build.0 = Release|ARM
36 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM.Deploy.0 = Release|ARM
37 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM64.ActiveCfg = Release|ARM64
38 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM64.Build.0 = Release|ARM64
39 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM64.Deploy.0 = Release|ARM64
40 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x64.ActiveCfg = Release|x64
41 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x64.Build.0 = Release|x64
42 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x64.Deploy.0 = Release|x64
43 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x86.ActiveCfg = Release|Win32
44 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x86.Build.0 = Release|Win32
45 | 		{59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x86.Deploy.0 = Release|Win32
46 | 		{64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|ARM.ActiveCfg = Debug|Win32
47 | 		{64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|ARM64.ActiveCfg = Debug|Win32
48 | 		{64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|x64.ActiveCfg = Debug|x64
49 | 		{64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|x64.Build.0 = Debug|x64
50 | 		{64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|x86.ActiveCfg = Debug|Win32
51 | 		{64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|x86.Build.0 = Debug|Win32
52 | 		{64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|ARM.ActiveCfg = Release|Win32
53 | 		{64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|ARM64.ActiveCfg = Release|Win32
54 | 		{64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|x64.ActiveCfg = Release|x64
55 | 		{64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|x64.Build.0 = Release|x64
56 | 		{64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|x86.ActiveCfg = Release|Win32
57 | 		{64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|x86.Build.0 = Release|Win32
58 | 	EndGlobalSection
59 | 	GlobalSection(SolutionProperties) = preSolution
60 | 		HideSolutionNode = FALSE
61 | 	EndGlobalSection
62 | 	GlobalSection(ExtensibilityGlobals) = postSolution
63 | 		SolutionGuid = {689D2A6E-68F2-42AE-8B13-36F3041DB588}
64 | 	EndGlobalSection
65 | EndGlobal
66 | 


--------------------------------------------------------------------------------
/KernelCheatYT/KernelCheatYT.inf:
--------------------------------------------------------------------------------
 1 | ;
 2 | ; KernelCheatYT.inf
 3 | ;
 4 | 
 5 | [Version]
 6 | Signature="$WINDOWS NT$"
 7 | Class=Sample ; TODO: edit Class
 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
 9 | Provider=%ManufacturerName%
10 | CatalogFile=KernelCheatYT.cat
11 | DriverVer= ; TODO: set DriverVer in stampinf property pages
12 | 
13 | [DestinationDirs]
14 | DefaultDestDir = 12
15 | KernelCheatYT_Device_CoInstaller_CopyFiles = 11
16 | 
17 | ; ================= Class section =====================
18 | 
19 | [ClassInstall32]
20 | Addreg=SampleClassReg
21 | 
22 | [SampleClassReg]
23 | HKR,,,0,%ClassName%
24 | HKR,,Icon,,-5
25 | 
26 | [SourceDisksNames]
27 | 1 = %DiskName%,,,""
28 | 
29 | [SourceDisksFiles]
30 | KernelCheatYT.sys  = 1,,
31 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
32 | 
33 | ;*****************************************
34 | ; Install Section
35 | ;*****************************************
36 | 
37 | [Manufacturer]
38 | %ManufacturerName%=Standard,NT$ARCH$
39 | 
40 | [Standard.NT$ARCH$]
41 | %KernelCheatYT.DeviceDesc%=KernelCheatYT_Device, Root\KernelCheatYT ; TODO: edit hw-id
42 | 
43 | [KernelCheatYT_Device.NT]
44 | CopyFiles=Drivers_Dir
45 | 
46 | [Drivers_Dir]
47 | KernelCheatYT.sys
48 | 
49 | ;-------------- Service installation
50 | [KernelCheatYT_Device.NT.Services]
51 | AddService = KernelCheatYT,%SPSVCINST_ASSOCSERVICE%, KernelCheatYT_Service_Inst
52 | 
53 | ; -------------- KernelCheatYT driver install sections
54 | [KernelCheatYT_Service_Inst]
55 | DisplayName    = %KernelCheatYT.SVCDESC%
56 | ServiceType    = 1               ; SERVICE_KERNEL_DRIVER
57 | StartType      = 3               ; SERVICE_DEMAND_START
58 | ErrorControl   = 1               ; SERVICE_ERROR_NORMAL
59 | ServiceBinary  = %12%\KernelCheatYT.sys
60 | 
61 | ;
62 | ;--- KernelCheatYT_Device Coinstaller installation ------
63 | ;
64 | 
65 | [KernelCheatYT_Device.NT.CoInstallers]
66 | AddReg=KernelCheatYT_Device_CoInstaller_AddReg
67 | CopyFiles=KernelCheatYT_Device_CoInstaller_CopyFiles
68 | 
69 | [KernelCheatYT_Device_CoInstaller_AddReg]
70 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
71 | 
72 | [KernelCheatYT_Device_CoInstaller_CopyFiles]
73 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
74 | 
75 | [KernelCheatYT_Device.NT.Wdf]
76 | KmdfService =  KernelCheatYT, KernelCheatYT_wdfsect
77 | [KernelCheatYT_wdfsect]
78 | KmdfLibraryVersion = $KMDFVERSION$
79 | 
80 | [Strings]
81 | SPSVCINST_ASSOCSERVICE= 0x00000002
82 | ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
83 | ClassName="Samples" ; TODO: edit ClassName
84 | DiskName = "KernelCheatYT Installation Disk"
85 | KernelCheatYT.DeviceDesc = "KernelCheatYT Device"
86 | KernelCheatYT.SVCDESC = "KernelCheatYT Service"
87 | 


--------------------------------------------------------------------------------
/KernelCheatYT/KernelCheatYT.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Debug|ARM">
 21 |       <Configuration>Debug</Configuration>
 22 |       <Platform>ARM</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|ARM">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>ARM</Platform>
 27 |     </ProjectConfiguration>
 28 |     <ProjectConfiguration Include="Debug|ARM64">
 29 |       <Configuration>Debug</Configuration>
 30 |       <Platform>ARM64</Platform>
 31 |     </ProjectConfiguration>
 32 |     <ProjectConfiguration Include="Release|ARM64">
 33 |       <Configuration>Release</Configuration>
 34 |       <Platform>ARM64</Platform>
 35 |     </ProjectConfiguration>
 36 |   </ItemGroup>
 37 |   <PropertyGroup Label="Globals">
 38 |     <ProjectGuid>{59AD331E-D3D4-46C4-8759-4A02AB42353A}</ProjectGuid>
 39 |     <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
 40 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
 41 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
 42 |     <Configuration>Debug</Configuration>
 43 |     <Platform Condition="'$(Platform)' == ''">Win32</Platform>
 44 |     <RootNamespace>KernelCheatYT</RootNamespace>
 45 |   </PropertyGroup>
 46 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 47 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 48 |     <TargetVersion>Windows10</TargetVersion>
 49 |     <UseDebugLibraries>true</UseDebugLibraries>
 50 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 51 |     <ConfigurationType>Driver</ConfigurationType>
 52 |     <DriverType>KMDF</DriverType>
 53 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 54 |   </PropertyGroup>
 55 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 56 |     <TargetVersion>Windows10</TargetVersion>
 57 |     <UseDebugLibraries>false</UseDebugLibraries>
 58 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 59 |     <ConfigurationType>Driver</ConfigurationType>
 60 |     <DriverType>KMDF</DriverType>
 61 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 62 |   </PropertyGroup>
 63 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 64 |     <TargetVersion>Windows10</TargetVersion>
 65 |     <UseDebugLibraries>true</UseDebugLibraries>
 66 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 67 |     <ConfigurationType>Driver</ConfigurationType>
 68 |     <DriverType>KMDF</DriverType>
 69 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 70 |   </PropertyGroup>
 71 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 72 |     <TargetVersion>Windows10</TargetVersion>
 73 |     <UseDebugLibraries>false</UseDebugLibraries>
 74 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 75 |     <ConfigurationType>Driver</ConfigurationType>
 76 |     <DriverType>KMDF</DriverType>
 77 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
 80 |     <TargetVersion>Windows10</TargetVersion>
 81 |     <UseDebugLibraries>true</UseDebugLibraries>
 82 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 83 |     <ConfigurationType>Driver</ConfigurationType>
 84 |     <DriverType>KMDF</DriverType>
 85 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 86 |   </PropertyGroup>
 87 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
 88 |     <TargetVersion>Windows10</TargetVersion>
 89 |     <UseDebugLibraries>false</UseDebugLibraries>
 90 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 91 |     <ConfigurationType>Driver</ConfigurationType>
 92 |     <DriverType>KMDF</DriverType>
 93 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 94 |   </PropertyGroup>
 95 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
 96 |     <TargetVersion>Windows10</TargetVersion>
 97 |     <UseDebugLibraries>true</UseDebugLibraries>
 98 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 99 |     <ConfigurationType>Driver</ConfigurationType>
100 |     <DriverType>KMDF</DriverType>
101 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
102 |   </PropertyGroup>
103 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
104 |     <TargetVersion>Windows10</TargetVersion>
105 |     <UseDebugLibraries>false</UseDebugLibraries>
106 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
107 |     <ConfigurationType>Driver</ConfigurationType>
108 |     <DriverType>KMDF</DriverType>
109 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
110 |   </PropertyGroup>
111 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
112 |   <ImportGroup Label="ExtensionSettings">
113 |   </ImportGroup>
114 |   <ImportGroup Label="PropertySheets">
115 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
116 |   </ImportGroup>
117 |   <PropertyGroup Label="UserMacros" />
118 |   <PropertyGroup />
119 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
120 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
121 |   </PropertyGroup>
122 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
123 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
124 |   </PropertyGroup>
125 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
126 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
127 |   </PropertyGroup>
128 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
129 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
130 |     <EnableInf2cat>false</EnableInf2cat>
131 |     <IncludePath>$(IncludePath);$(WindowsSDK_IncludePath);$(KMDF_INC_PATH)$(KMDF_VER_PATH)</IncludePath>
132 |   </PropertyGroup>
133 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
134 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
135 |   </PropertyGroup>
136 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
137 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
138 |   </PropertyGroup>
139 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
140 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
141 |   </PropertyGroup>
142 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
143 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
144 |   </PropertyGroup>
145 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
146 |     <Link>
147 |       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
148 |     </Link>
149 |     <ClCompile>
150 |       <TreatWarningAsError>false</TreatWarningAsError>
151 |     </ClCompile>
152 |   </ItemDefinitionGroup>
153 |   <ItemGroup>
154 |     <Inf Include="KernelCheatYT.inf" />
155 |   </ItemGroup>
156 |   <ItemGroup>
157 |     <FilesToPackage Include="$(TargetPath)" />
158 |   </ItemGroup>
159 |   <ItemGroup>
160 |     <ClInclude Include="definitions.h" />
161 |     <ClInclude Include="hook.h" />
162 |     <ClInclude Include="memory.h" />
163 |   </ItemGroup>
164 |   <ItemGroup>
165 |     <ClCompile Include="hook.cpp" />
166 |     <ClCompile Include="main.cpp" />
167 |     <ClCompile Include="memory.cpp" />
168 |   </ItemGroup>
169 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
170 |   <ImportGroup Label="ExtensionTargets">
171 |   </ImportGroup>
172 | </Project>


--------------------------------------------------------------------------------
/KernelCheatYT/KernelCheatYT.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="Driver Files">
17 |       <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
18 |       <Extensions>inf;inv;inx;mof;mc;</Extensions>
19 |     </Filter>
20 |   </ItemGroup>
21 |   <ItemGroup>
22 |     <Inf Include="KernelCheatYT.inf">
23 |       <Filter>Driver Files</Filter>
24 |     </Inf>
25 |   </ItemGroup>
26 |   <ItemGroup>
27 |     <ClInclude Include="definitions.h">
28 |       <Filter>Header Files</Filter>
29 |     </ClInclude>
30 |     <ClInclude Include="memory.h">
31 |       <Filter>Header Files</Filter>
32 |     </ClInclude>
33 |     <ClInclude Include="hook.h">
34 |       <Filter>Header Files</Filter>
35 |     </ClInclude>
36 |   </ItemGroup>
37 |   <ItemGroup>
38 |     <ClCompile Include="memory.cpp">
39 |       <Filter>Source Files</Filter>
40 |     </ClCompile>
41 |     <ClCompile Include="hook.cpp">
42 |       <Filter>Source Files</Filter>
43 |     </ClCompile>
44 |     <ClCompile Include="main.cpp">
45 |       <Filter>Source Files</Filter>
46 |     </ClCompile>
47 |   </ItemGroup>
48 | </Project>


--------------------------------------------------------------------------------
/KernelCheatYT/KernelCheatYT.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
4 |     <SignMode>Off</SignMode>
5 |   </PropertyGroup>
6 | </Project>


--------------------------------------------------------------------------------
/KernelCheatYT/definitions.h:
--------------------------------------------------------------------------------
  1 | #include <ntdef.h>
  2 | #include <ntifs.h>
  3 | #include <ntddk.h>
  4 | #include <windef.h>
  5 | #include <ntstrsafe.h>
  6 | #include <wdm.h>
  7 | #pragma comment(lib, "ntoskrnl.lib")
  8 | 
  9 | typedef enum _SYSTEM_INFORMATION_CLASS
 10 | {
 11 | 	SystemBasicInformation,
 12 | 	SystemProcessorInformation,
 13 | 	SystemPerformanceInformation,
 14 | 	SystemTimeOfDayInformation,
 15 | 	SystemPathInformation,
 16 | 	SystemProcessInformation,
 17 | 	SystemCallCountInformation,
 18 | 	SystemDeviceInformation,
 19 | 	SystemProcessorPerformanceInformation,
 20 | 	SystemFlagsInformation,
 21 | 	SystemCallTimeInformation,
 22 | 	SystemModuleInformation = 0x0B
 23 | } SYSTEM_INFORMATION_CLASS,
 24 | * PSYSTEM_INFORMATION_CLASS;
 25 | 
 26 | typedef struct _RTL_PROCESS_MODULE_INFORMATION
 27 | {
 28 | 	HANDLE Section;
 29 | 	PVOID MappedBase;
 30 | 	PVOID ImageBase;
 31 | 	ULONG ImageSize;
 32 | 	ULONG Flags;
 33 | 	USHORT LoadOrderIndex;
 34 | 	USHORT InitOrderIndex;
 35 | 	USHORT LoadCount;
 36 | 	USHORT OffsetToFileName;
 37 | 	UCHAR  FullPathName[256];
 38 | } RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
 39 | 
 40 | typedef struct _RTL_PROCESS_MODULES
 41 | {
 42 | 	ULONG NumberOfModules;
 43 | 	RTL_PROCESS_MODULE_INFORMATION Modules[1];
 44 | } RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
 45 | 
 46 | typedef struct _PEB_LDR_DATA {
 47 | 	ULONG Length;
 48 | 	BOOLEAN Initialized;
 49 | 	PVOID SsHandle;
 50 | 	LIST_ENTRY ModuleListLoadOrder;
 51 | 	LIST_ENTRY ModuleListMemoryOrder;
 52 | 	LIST_ENTRY ModuleListInitOrder;
 53 | } PEB_LDR_DATA, * PPEB_LDR_DATA;
 54 | 
 55 | typedef struct _LDR_DATA_TABLE_ENTRY {
 56 | 	LIST_ENTRY InLoadOrderModuleList;
 57 | 	LIST_ENTRY InMemoryOrderModuleList;
 58 | 	LIST_ENTRY InInitializationOrderModuleList;
 59 | 	PVOID DllBase;
 60 | 	PVOID EntryPoint;
 61 | 	ULONG SizeOfImage;  // in bytes
 62 | 	UNICODE_STRING FullDllName;
 63 | 	UNICODE_STRING BaseDllName;
 64 | 	ULONG Flags;  // LDR_*
 65 | 	USHORT LoadCount;
 66 | 	USHORT TlsIndex;
 67 | 	LIST_ENTRY HashLinks;
 68 | 	PVOID SectionPointer;
 69 | 	ULONG CheckSum;
 70 | 	ULONG TimeDateStamp;
 71 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
 72 | 
 73 | typedef struct _RTL_USER_PROCESS_PARAMETERS {
 74 | 	BYTE Reserved1[16];
 75 | 	PVOID Reserved2[10];
 76 | 	UNICODE_STRING ImagePathName;
 77 | 	UNICODE_STRING CommandLine;
 78 | } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
 79 | 
 80 | typedef void(__stdcall* PPS_POST_PROCESS_INIT_ROUTINE)(void); // not exported
 81 | 
 82 | typedef struct _PEB {
 83 | 	BYTE Reserved1[2];
 84 | 	BYTE BeingDebugged;
 85 | 	BYTE Reserved2[1];
 86 | 	PVOID Reserved3[2];
 87 | 	PPEB_LDR_DATA Ldr;
 88 | 	PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
 89 | 	PVOID Reserved4[3];
 90 | 	PVOID AtlThunkSListPtr;
 91 | 	PVOID Reserved5;
 92 | 	ULONG Reserved6;
 93 | 	PVOID Reserved7;
 94 | 	ULONG Reserved8;
 95 | 	ULONG AtlThunkSListPtr32;
 96 | 	PVOID Reserved9[45];
 97 | 	BYTE Reserved10[96];
 98 | 	PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
 99 | 	BYTE Reserved11[128];
100 | 	PVOID Reserved12[1];
101 | 	ULONG SessionId;
102 | } PEB, * PPEB;
103 | 
104 | extern "C" __declspec(dllimport)
105 | NTSTATUS NTAPI ZwProtectVirtualMemory(
106 | 	HANDLE ProcessHandle,
107 | 	PVOID * BaseAddress,
108 | 	PULONG ProtectSize,
109 | 	ULONG NewProtect,
110 | 	PULONG OldProtect
111 | );
112 | 
113 | extern "C" NTKERNELAPI
114 | PVOID
115 | NTAPI
116 | RtlFindExportedRoutineByName(
117 | 	_In_ PVOID ImageBase,
118 | 	_In_ PCCH RoutineNam
119 | );
120 | 
121 | extern "C" NTSTATUS ZwQuerySystemInformation(ULONG InfoClass, PVOID Buffer, ULONG Length, PULONG ReturnLength);
122 | 
123 | extern "C" NTKERNELAPI
124 | PPEB
125 | PsGetProcessPeb(
126 | 	IN PEPROCESS Process
127 | );
128 | 
129 | extern "C" NTSTATUS NTAPI MmCopyVirtualMemory
130 | (
131 | 	PEPROCESS SourceProcess,
132 | 	PVOID SourceAddress,
133 | 	PEPROCESS TargetProcess,
134 | 	PVOID TargetAddress,
135 | 	SIZE_T BufferSize,
136 | 	KPROCESSOR_MODE PreviousMode,
137 | 	PSIZE_T ReturnSize
138 | );
139 | 
140 | typedef struct _IMAGE_EXPORT_DIRECTORY {
141 | 	ULONG   Characteristics;
142 | 	ULONG   TimeDateStamp;
143 | 	USHORT  MajorVersion;
144 | 	USHORT  MinorVersion;
145 | 	ULONG   Name;
146 | 	ULONG   Base;
147 | 	ULONG   NumberOfFunctions;
148 | 	ULONG   NumberOfNames;
149 | 	ULONG   AddressOfFunctions;     // RVA from base of image
150 | 	ULONG   AddressOfNames;         // RVA from base of image
151 | 	ULONG   AddressOfNameOrdinals;  // RVA from base of image
152 | } IMAGE_EXPORT_DIRECTORY, * PIMAGE_EXPORT_DIRECTORY;
153 | 
154 | extern "C" __declspec(dllimport)
155 | PVOID
156 | NTAPI
157 | RtlImageDirectoryEntryToData(
158 | 	PVOID ImageBase,
159 | 	BOOLEAN MappedAsImage,
160 | 	USHORT DirectoryEntry,
161 | 	PULONG Size
162 | );


--------------------------------------------------------------------------------
/KernelCheatYT/hook.cpp:
--------------------------------------------------------------------------------
  1 | #include "hook.h"
  2 | #include <wingdi.h>
  3 | 
  4 | GdiSelectBrush_t GdiSelectBrush = NULL;
  5 | PatBlt_t NtGdiPatBlt = NULL;
  6 | NtUserGetDC_t NtUserGetDC = NULL;
  7 | NtGdiCreateSolidBrush_t NtGdiCreateSolidBrush = NULL;
  8 | ReleaseDC_t NtUserReleaseDC = NULL;
  9 | DeleteObjectApp_t NtGdiDeleteObjectApp = NULL;
 10 | 
 11 | bool nullhook::call_kernel_function(void* kernel_function_address)
 12 | {
 13 | 	if (!kernel_function_address)
 14 | 		return false;
 15 | 	//NtQueryCompositionSurfaceStatistics
 16 | 	PVOID* function = reinterpret_cast<PVOID*>(get_system_module_export("\\SystemRoot\\System32\\drivers\\dxgkrnl.sys",
 17 | 																		"NtDxgkGetTrackedWorkloadStatistics"));
 18 | 
 19 | 	if (!function)
 20 | 		return false;
 21 | 
 22 | 	BYTE orig[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
 23 | 
 24 | 	BYTE shell_code[] = { 0x48, 0xB8 }; // mov rax, xxx
 25 | 	BYTE shell_code_end[] = { 0xFF, 0xE0 }; //jmp rax
 26 | 
 27 | 	RtlSecureZeroMemory(&orig, sizeof(orig));
 28 | 	memcpy((PVOID)((ULONG_PTR)orig), &shell_code, sizeof(shell_code));
 29 | 	uintptr_t hook_address = reinterpret_cast<uintptr_t>(kernel_function_address);
 30 | 	memcpy((PVOID)((ULONG_PTR)orig + sizeof(shell_code)), &hook_address, sizeof(void*));
 31 | 	memcpy((PVOID)((ULONG_PTR)orig + sizeof(shell_code) + sizeof(void*)), &shell_code_end, sizeof(shell_code_end));
 32 | 
 33 | 	write_to_read_only_memory(function, &orig, sizeof(orig));
 34 | 	
 35 | 	GdiSelectBrush = (GdiSelectBrush_t)get_system_module_export(L"win32kfull.sys", "NtGdiSelectBrush");
 36 | 	NtGdiCreateSolidBrush = (NtGdiCreateSolidBrush_t)get_system_module_export(L"win32kfull.sys", "NtGdiCreateSolidBrush");
 37 | 	NtGdiPatBlt = (PatBlt_t)get_system_module_export(L"win32kfull.sys", "NtGdiPatBlt");
 38 | 	NtUserGetDC = (NtUserGetDC_t)get_system_module_export(L"win32kbase.sys", "NtUserGetDC");
 39 | 	NtUserReleaseDC = (ReleaseDC_t)get_system_module_export(L"win32kbase.sys", "NtUserReleaseDC");
 40 | 	NtGdiDeleteObjectApp = (DeleteObjectApp_t)get_system_module_export(L"win32kbase.sys", "NtGdiDeleteObjectApp");
 41 | 
 42 | 	return true;
 43 | }
 44 | 
 45 | NTSTATUS nullhook::hook_handler(PVOID called_param)
 46 | {
 47 | 	NULL_MEMORY* instructions = (NULL_MEMORY*)called_param;
 48 | 
 49 | 	if (instructions->req_base == TRUE)
 50 | 	{
 51 | 		ANSI_STRING AS;
 52 | 		UNICODE_STRING ModuleName;
 53 | 
 54 | 		RtlInitAnsiString(&AS, instructions->module_name);
 55 | 		RtlAnsiStringToUnicodeString(&ModuleName, &AS, TRUE);
 56 | 
 57 | 		PEPROCESS process;
 58 | 		PsLookupProcessByProcessId((HANDLE)instructions->pid, &process);
 59 | 		ULONG64 base_address64 = NULL;
 60 | 		base_address64 = get_module_base_x64(process, ModuleName);
 61 | 		instructions->base_address = base_address64;
 62 | 		RtlFreeUnicodeString(&ModuleName);
 63 | 	}
 64 | 
 65 | 	else if (instructions->write == TRUE)
 66 | 	{
 67 | 		if (instructions->address < 0x7FFFFFFFFFFF && instructions->address > 0)
 68 | 		{
 69 | 			PVOID kernelBuff = ExAllocatePool(NonPagedPool, instructions->size);
 70 | 
 71 | 			if (!kernelBuff)
 72 | 			{
 73 | 				return STATUS_UNSUCCESSFUL;
 74 | 			}
 75 | 
 76 | 			if (!memcpy(kernelBuff, instructions->buffer_address, instructions->size))
 77 | 			{
 78 | 				return STATUS_UNSUCCESSFUL;
 79 | 			}
 80 | 
 81 | 			PEPROCESS process;
 82 | 			PsLookupProcessByProcessId((HANDLE)instructions->pid, &process);
 83 | 			write_kernel_memory((HANDLE)instructions->pid, instructions->address, kernelBuff, instructions->size);
 84 | 			ExFreePool(kernelBuff);
 85 | 		}
 86 | 	}
 87 | 
 88 | 	else if (instructions->read == TRUE)
 89 | 	{
 90 | 		if (instructions->address < 0x7FFFFFFFFFFF && instructions->address > 0)
 91 | 		{
 92 | 			read_kernel_memory((HANDLE)instructions->pid, instructions->address, instructions->output, instructions->size);
 93 | 		}
 94 | 	}
 95 | 
 96 | 	else if (instructions->draw_box == TRUE)
 97 | 	{
 98 | 		HDC hdc = NtUserGetDC(NULL);
 99 | 		if (!hdc)
100 | 			return STATUS_UNSUCCESSFUL;
101 | 
102 | 		HBRUSH brush = NtGdiCreateSolidBrush(RGB(instructions->r, instructions->g, instructions->b), NULL);
103 | 		if (!brush)
104 | 			return STATUS_UNSUCCESSFUL;
105 | 
106 | 		RECT rect = { instructions->x, instructions->y, instructions->x + instructions->w, instructions->y + instructions->h };
107 | 		FrameRect(hdc, &rect, brush, instructions->t);
108 | 		NtUserReleaseDC(hdc);
109 | 		NtGdiDeleteObjectApp(brush);
110 | 	}
111 | 
112 | 	return STATUS_SUCCESS;
113 | }
114 | 
115 | INT nullhook::FrameRect(HDC hDC, CONST RECT* lprc, HBRUSH hbr, int thickness)
116 | {
117 | 	HBRUSH oldbrush;
118 | 	RECT r = *lprc;
119 | 
120 | 	if (!(oldbrush = GdiSelectBrush(hDC, hbr))) return 0;
121 | 
122 | 	NtGdiPatBlt(hDC, r.left, r.top, thickness, r.bottom - r.top, PATCOPY);
123 | 	NtGdiPatBlt(hDC, r.right - thickness, r.top, thickness, r.bottom - r.top, PATCOPY);
124 | 	NtGdiPatBlt(hDC, r.left, r.top, r.right - r.left, thickness, PATCOPY);
125 | 	NtGdiPatBlt(hDC, r.left, r.bottom - thickness, r.right - r.left, thickness, PATCOPY);
126 | 
127 | 	GdiSelectBrush(hDC, oldbrush);
128 | 	return TRUE;
129 | }


--------------------------------------------------------------------------------
/KernelCheatYT/hook.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include "memory.h"
 4 | 
 5 | typedef HBRUSH(*GdiSelectBrush_t)(_In_ HDC 	hdc,
 6 | 	_In_ HBRUSH 	hbr
 7 | 	);
 8 | 
 9 | typedef BOOL(*PatBlt_t)(_In_ 	HDC,
10 | 	_In_ int x,
11 | 	_In_ int y,
12 | 	_In_ int w,
13 | 	_In_ int h,
14 | 	_In_ 	DWORD
15 | 	);
16 | 
17 | typedef HDC(*NtUserGetDC_t)(HWND hWnd);
18 | 
19 | typedef HBRUSH(*NtGdiCreateSolidBrush_t)(_In_ COLORREF 	crColor,
20 | 	_In_opt_ HBRUSH 	hbr
21 | 	);
22 | 
23 | typedef int (*ReleaseDC_t)(HDC hdc);
24 | typedef BOOL(*DeleteObjectApp_t)(HANDLE hobj);
25 | 
26 | namespace nullhook
27 | {
28 | 	bool call_kernel_function(void* kernel_function_address);
29 | 	NTSTATUS hook_handler(PVOID called_param);
30 | 	INT FrameRect(HDC hDC, CONST RECT* lprc, HBRUSH hbr, int thickness);
31 | }


--------------------------------------------------------------------------------
/KernelCheatYT/main.cpp:
--------------------------------------------------------------------------------
 1 | #include "hook.h"
 2 | 
 3 | extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING reg_path)
 4 | {
 5 | 	UNREFERENCED_PARAMETER(driver_object);
 6 | 	UNREFERENCED_PARAMETER(reg_path);
 7 | 
 8 | 	nullhook::call_kernel_function(&nullhook::hook_handler);
 9 | 
10 | 	return STATUS_SUCCESS;
11 | }


--------------------------------------------------------------------------------
/KernelCheatYT/memory.cpp:
--------------------------------------------------------------------------------
  1 | #include "memory.h"
  2 | 
  3 | PVOID get_system_module_base(const char* module_name)
  4 | {
  5 | 	ULONG bytes = 0;
  6 | 	NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, NULL, bytes, &bytes);
  7 | 
  8 | 	if (!bytes)
  9 | 		return NULL;
 10 | 
 11 | 	PRTL_PROCESS_MODULES modules = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, bytes, 0x4e554c4c); 
 12 | 
 13 | 	status = ZwQuerySystemInformation(SystemModuleInformation, modules, bytes, &bytes);
 14 | 
 15 | 	if (!NT_SUCCESS(status))
 16 | 		return NULL;
 17 | 
 18 | 	PRTL_PROCESS_MODULE_INFORMATION module = modules->Modules;
 19 | 	PVOID module_base = 0, module_size = 0;
 20 | 
 21 | 	for (ULONG i = 0; i < modules->NumberOfModules; i++)
 22 | 	{
 23 | 		if (strcmp((char*)module[i].FullPathName, module_name) == NULL)
 24 | 		{
 25 | 			module_base = module[i].ImageBase;
 26 | 			module_size = (PVOID)module[i].ImageSize;
 27 | 			break;
 28 | 		}
 29 | 	}
 30 | 
 31 | 	if (modules)
 32 | 		ExFreePoolWithTag(modules, NULL);
 33 | 
 34 | 	if (module_base <= NULL)
 35 | 		return NULL;
 36 | 
 37 | 	return module_base;
 38 | }
 39 | 
 40 | PVOID get_system_module_export(const char* module_name, LPCSTR routine_name)
 41 | {
 42 | 	PVOID lpModule = get_system_module_base(module_name);
 43 | 
 44 | 	if (!lpModule)
 45 | 		return NULL;
 46 | 	
 47 | 	return RtlFindExportedRoutineByName(lpModule, routine_name);
 48 | }
 49 | 
 50 | PVOID get_system_routine_address(PCWSTR routine_name)
 51 | {
 52 | 	UNICODE_STRING name;
 53 | 	RtlInitUnicodeString(&name, routine_name);
 54 | 	return MmGetSystemRoutineAddress(&name);
 55 | }
 56 | 
 57 | PVOID get_system_module_export(LPCWSTR module_name, LPCSTR routine_name)
 58 | {
 59 | 	PLIST_ENTRY module_list = reinterpret_cast<PLIST_ENTRY>(get_system_routine_address(L"PsLoadedModuleList"));
 60 | 
 61 | 	if (!module_list)
 62 | 		return NULL;
 63 | 
 64 | 	for (PLIST_ENTRY link = module_list; link != module_list->Blink; link = link->Flink)
 65 | 	{
 66 | 		LDR_DATA_TABLE_ENTRY* entry = CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList);
 67 | 
 68 | 		UNICODE_STRING name;
 69 | 		RtlInitUnicodeString(&name, module_name);
 70 | 
 71 | 		if (RtlEqualUnicodeString(&entry->BaseDllName, &name, TRUE))
 72 | 		{
 73 | 			return (entry->DllBase) ? RtlFindExportedRoutineByName(entry->DllBase, routine_name) : NULL;
 74 | 		}
 75 | 	}
 76 | }
 77 | 
 78 | bool write_memory(void* address, void* buffer, size_t size)
 79 | {
 80 | 	if (!RtlCopyMemory(address, buffer, size))
 81 | 	{
 82 | 		return false;
 83 | 	}
 84 | 	else
 85 | 	{
 86 | 		return true;
 87 | 	}
 88 | }
 89 | 
 90 | bool write_to_read_only_memory(void* address, void* buffer, size_t size)
 91 | {
 92 | 	PMDL Mdl = IoAllocateMdl(address, size, FALSE, FALSE, NULL);
 93 | 
 94 | 	if (!Mdl)
 95 | 		return false;
 96 | 
 97 | 	MmProbeAndLockPages(Mdl, KernelMode, IoReadAccess);
 98 | 	PVOID Mapping = MmMapLockedPagesSpecifyCache(Mdl, KernelMode, MmNonCached, NULL, FALSE, NormalPagePriority);
 99 | 	MmProtectMdlSystemAddress(Mdl, PAGE_READWRITE);
100 | 
101 | 	write_memory(Mapping, buffer, size);
102 | 
103 | 	MmUnmapLockedPages(Mapping, Mdl);
104 | 	MmUnlockPages(Mdl);
105 | 	IoFreeMdl(Mdl);
106 | 
107 | 	return true;
108 | }
109 | 
110 | ULONG64 get_module_base_x64(PEPROCESS proc, UNICODE_STRING module_name)
111 | {
112 | 	PPEB pPeb = PsGetProcessPeb(proc);
113 | 
114 | 	if (!pPeb)
115 | 	{
116 | 		return NULL;
117 | 	}
118 | 
119 | 	KAPC_STATE state;
120 | 
121 | 	KeStackAttachProcess(proc, &state);
122 | 
123 | 	PPEB_LDR_DATA pLdr = (PPEB_LDR_DATA)pPeb->Ldr;
124 | 
125 | 	if (!pLdr)
126 | 	{
127 | 		KeUnstackDetachProcess(&state);
128 | 		return NULL;
129 | 	}
130 | 
131 | 	for (PLIST_ENTRY list = (PLIST_ENTRY)pLdr->ModuleListLoadOrder.Flink; list != &pLdr->ModuleListLoadOrder; list = (PLIST_ENTRY)list->Flink)
132 | 	{
133 | 		PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(list, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList);
134 | 
135 | 		if (RtlCompareUnicodeString(&pEntry->BaseDllName, &module_name, TRUE) == NULL)
136 | 		{
137 | 			ULONG64 baseAddr = (ULONG64)pEntry->DllBase;
138 | 			KeUnstackDetachProcess(&state);
139 | 			return baseAddr;
140 | 		}
141 | 	}
142 | 
143 | 	KeUnstackDetachProcess(&state);
144 | 	return NULL;
145 | }
146 | 
147 | bool read_kernel_memory(HANDLE pid, uintptr_t address, void* buffer, SIZE_T size)
148 | {
149 | 	if (!address || !buffer || !size)
150 | 		return false;
151 | 
152 | 	SIZE_T bytes = 0;
153 | 	NTSTATUS status = STATUS_SUCCESS;
154 | 	PEPROCESS process;
155 | 	PsLookupProcessByProcessId((HANDLE)pid, &process);
156 | 
157 | 	status = MmCopyVirtualMemory(process, (void*)address, (PEPROCESS)PsGetCurrentProcess(), (void*)buffer, size, KernelMode, &bytes);
158 | 
159 | 	if (!NT_SUCCESS(status))
160 | 	{
161 | 		return false;
162 | 	}
163 | 	else
164 | 	{
165 | 		return true;
166 | 	}
167 | }
168 | 
169 | bool write_kernel_memory(HANDLE pid, uintptr_t address, void* buffer, SIZE_T size)
170 | {
171 | 	if (!address || !buffer || !size)
172 | 		return false;
173 | 
174 | 	NTSTATUS status = STATUS_SUCCESS;
175 | 	PEPROCESS process;
176 | 	PsLookupProcessByProcessId((HANDLE)pid, &process);
177 | 
178 | 	KAPC_STATE state;
179 | 	KeStackAttachProcess((PEPROCESS)process, &state);
180 | 
181 | 	MEMORY_BASIC_INFORMATION info;
182 | 
183 | 	status = ZwQueryVirtualMemory(ZwCurrentProcess(), (PVOID)address, MemoryBasicInformation, &info, sizeof(info), NULL);
184 | 	if (!NT_SUCCESS(status))
185 | 	{
186 | 		KeUnstackDetachProcess(&state);
187 | 		return false;
188 | 	}
189 | 
190 | 	if (((uintptr_t)info.BaseAddress + info.RegionSize) < (address + size))
191 | 	{
192 | 		KeUnstackDetachProcess(&state);
193 | 		return false;
194 | 	}
195 | 
196 | 	if (!(info.State & MEM_COMMIT) || (info.Protect & (PAGE_GUARD | PAGE_NOACCESS)))
197 | 	{
198 | 		KeUnstackDetachProcess(&state);
199 | 		return false;
200 | 	}
201 | 
202 | 	if ((info.Protect & PAGE_EXECUTE_READWRITE) || (info.Protect & PAGE_EXECUTE_WRITECOPY) 
203 | 		|| (info.Protect & PAGE_READWRITE) || (info.Protect & PAGE_WRITECOPY))
204 | 	{
205 | 		RtlCopyMemory((void*)address, buffer, size);
206 | 	}
207 | 	KeUnstackDetachProcess(&state);
208 | 	return true;
209 | }


--------------------------------------------------------------------------------
/KernelCheatYT/memory.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include "definitions.h"
 3 | 
 4 | PVOID get_system_module_base(const char* module_name);
 5 | PVOID get_system_module_export(const char* module_name, LPCSTR routine_name);
 6 | bool write_memory(void* address, void* buffer, size_t size);
 7 | bool write_to_read_only_memory(void* address, void* buffer, size_t size);
 8 | ULONG64 get_module_base_x64(PEPROCESS proc, UNICODE_STRING module_name);
 9 | bool read_kernel_memory(HANDLE pid, uintptr_t address, void* buffer, SIZE_T size);
10 | bool write_kernel_memory(HANDLE pid, uintptr_t address, void* buffer, SIZE_T size);
11 | PVOID get_system_module_export(LPCWSTR module_name, LPCSTR routine_name);
12 | 
13 | typedef struct _NULL_MEMORY
14 | {
15 | 	void* buffer_address;
16 | 	UINT_PTR address;
17 | 	ULONGLONG size;
18 | 	ULONG pid;
19 | 	BOOLEAN write;
20 | 	BOOLEAN read;
21 | 	BOOLEAN req_base;
22 | 	BOOLEAN draw_box;
23 | 	int		r, g, b, x, y, w, h, t;
24 | 	void* output;
25 | 	const char* module_name;
26 | 	ULONG64 base_address;
27 | }NULL_MEMORY;


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # NullHook
2 | Full yt series on how I made this and how it works here https://youtu.be/KNGr4m99PTU <br>
3 | 
4 | You will need to map the driver code yourself, you can use a manual mapper like https://github.com/TheCruZ/kdmapper
5 | 


--------------------------------------------------------------------------------