├── KernelCheatUM ├── KernelCheatUM.vcxproj ├── KernelCheatUM.vcxproj.filters ├── KernelCheatUM.vcxproj.user └── main.cpp ├── KernelCheatYT.sln ├── KernelCheatYT ├── KernelCheatYT.inf ├── KernelCheatYT.vcxproj ├── KernelCheatYT.vcxproj.filters ├── KernelCheatYT.vcxproj.user ├── definitions.h ├── hook.cpp ├── hook.h ├── main.cpp ├── memory.cpp └── memory.h └── README.md /KernelCheatUM/KernelCheatUM.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | {64DE4F42-B12F-431D-89D5-89F8C41249B5} 24 | KernelCheatUM 25 | 10.0 26 | 27 | 28 | 29 | Application 30 | true 31 | v142 32 | Unicode 33 | 34 | 35 | Application 36 | false 37 | v142 38 | true 39 | Unicode 40 | 41 | 42 | Application 43 | true 44 | v142 45 | Unicode 46 | 47 | 48 | Application 49 | false 50 | v142 51 | true 52 | NotSet 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | true 74 | 75 | 76 | true 77 | 78 | 79 | false 80 | 81 | 82 | false 83 | 84 | 85 | 86 | Level3 87 | true 88 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 89 | true 90 | stdcpp17 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 102 | true 103 | 104 | 105 | Console 106 | true 107 | 108 | 109 | 110 | 111 | Level3 112 | true 113 | true 114 | true 115 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 116 | true 117 | 118 | 119 | Console 120 | true 121 | true 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | stdcpplatest 134 | 135 | 136 | Console 137 | true 138 | true 139 | true 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | -------------------------------------------------------------------------------- /KernelCheatUM/KernelCheatUM.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /KernelCheatUM/KernelCheatUM.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /KernelCheatUM/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | typedef struct _NULL_MEMORY 10 | { 11 | void* buffer_address; 12 | UINT_PTR address; 13 | ULONGLONG size; 14 | ULONG pid; 15 | BOOLEAN write; 16 | BOOLEAN read; 17 | BOOLEAN req_base; 18 | BOOLEAN draw_box; 19 | int r, g, b, x, y, w, h, t; 20 | void* output; 21 | const char* module_name; 22 | ULONG64 base_address; 23 | }NULL_MEMORY; 24 | 25 | uintptr_t base_address = 0; 26 | std::uint32_t process_id = 0; 27 | HDC hdc; 28 | 29 | template 30 | uint64_t call_hook(const Arg ... args) 31 | { 32 | void* hooked_func = GetProcAddress(LoadLibrary("win32u.dll"), "NtDxgkGetTrackedWorkloadStatistics"); 33 | 34 | auto func = static_cast(hooked_func); 35 | 36 | return func(args ...); 37 | } 38 | 39 | struct HandleDisposer 40 | { 41 | using pointer = HANDLE; 42 | void operator()(HANDLE handle) const 43 | { 44 | if (handle != NULL || handle != INVALID_HANDLE_VALUE) 45 | { 46 | CloseHandle(handle); 47 | } 48 | } 49 | }; 50 | 51 | using unique_handle = std::unique_ptr; 52 | 53 | std::uint32_t get_process_id(std::string_view process_name) 54 | { 55 | PROCESSENTRY32 processentry; 56 | const unique_handle snapshot_handle(CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL)); 57 | 58 | if (snapshot_handle.get() == INVALID_HANDLE_VALUE) 59 | return NULL; 60 | 61 | processentry.dwSize = sizeof(MODULEENTRY32); 62 | 63 | while (Process32Next(snapshot_handle.get(), &processentry) == TRUE) 64 | { 65 | if (process_name.compare(processentry.szExeFile) == NULL) 66 | { 67 | return processentry.th32ProcessID; 68 | } 69 | } 70 | return NULL; 71 | } 72 | 73 | static ULONG64 get_module_base_address(const char* module_name) 74 | { 75 | NULL_MEMORY instructions = { 0 }; 76 | instructions.pid = process_id; 77 | instructions.req_base = TRUE; 78 | instructions.read = FALSE; 79 | instructions.write = FALSE; 80 | instructions.draw_box = FALSE; 81 | instructions.module_name = module_name; 82 | call_hook(&instructions); 83 | 84 | ULONG64 base = NULL; 85 | base = instructions.base_address; 86 | return base; 87 | } 88 | template 89 | T Read(UINT_PTR read_address) 90 | { 91 | T response{}; 92 | NULL_MEMORY instructions; 93 | instructions.pid = process_id; 94 | instructions.size = sizeof(T); 95 | instructions.address = read_address; 96 | instructions.read = TRUE; 97 | instructions.write = FALSE; 98 | instructions.req_base = FALSE; 99 | instructions.draw_box = FALSE; 100 | instructions.output = &response; 101 | call_hook(&instructions); 102 | 103 | return response; 104 | } 105 | 106 | bool write_memory(UINT_PTR write_address, UINT_PTR source_address, SIZE_T write_size) 107 | { 108 | NULL_MEMORY instructions; 109 | instructions.address = write_address; 110 | instructions.pid = process_id; 111 | instructions.write = TRUE; 112 | instructions.read = FALSE; 113 | instructions.req_base = FALSE; 114 | instructions.draw_box = FALSE; 115 | instructions.buffer_address = (void*)source_address; 116 | instructions.size = write_size; 117 | 118 | call_hook(&instructions); 119 | 120 | return true; 121 | } 122 | 123 | bool draw_box(int x, int y, int w, int h, int t, int r, int g, int b) 124 | { 125 | NULL_MEMORY instructions; 126 | instructions.write = FALSE; 127 | instructions.read = FALSE; 128 | instructions.req_base = FALSE; 129 | instructions.draw_box = TRUE; 130 | 131 | instructions.x = x; 132 | instructions.y = y; 133 | instructions.w = w; 134 | instructions.h = h; 135 | instructions.t = t; 136 | 137 | instructions.r = r; 138 | instructions.g = g; 139 | instructions.b = b; 140 | 141 | call_hook(&instructions); 142 | 143 | return true; 144 | } 145 | 146 | template 147 | bool write(UINT_PTR write_address, const S& value) 148 | { 149 | return write_memory(write_address, (UINT_PTR)&value, sizeof(S)); 150 | } 151 | 152 | int main() 153 | { 154 | while (true) 155 | { 156 | draw_box(50, 50, 50, 50, 2, 255, 0, 0); 157 | } 158 | } -------------------------------------------------------------------------------- /KernelCheatYT.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.29905.134 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KernelCheatYT", "KernelCheatYT\KernelCheatYT.vcxproj", "{59AD331E-D3D4-46C4-8759-4A02AB42353A}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KernelCheatUM", "KernelCheatUM\KernelCheatUM.vcxproj", "{64DE4F42-B12F-431D-89D5-89F8C41249B5}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|ARM = Debug|ARM 13 | Debug|ARM64 = Debug|ARM64 14 | Debug|x64 = Debug|x64 15 | Debug|x86 = Debug|x86 16 | Release|ARM = Release|ARM 17 | Release|ARM64 = Release|ARM64 18 | Release|x64 = Release|x64 19 | Release|x86 = Release|x86 20 | EndGlobalSection 21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 22 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM.ActiveCfg = Debug|ARM 23 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM.Build.0 = Debug|ARM 24 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM.Deploy.0 = Debug|ARM 25 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM64.ActiveCfg = Debug|ARM64 26 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM64.Build.0 = Debug|ARM64 27 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM64.Deploy.0 = Debug|ARM64 28 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x64.ActiveCfg = Debug|x64 29 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x64.Build.0 = Debug|x64 30 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x64.Deploy.0 = Debug|x64 31 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x86.ActiveCfg = Debug|Win32 32 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x86.Build.0 = Debug|Win32 33 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x86.Deploy.0 = Debug|Win32 34 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM.ActiveCfg = Release|ARM 35 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM.Build.0 = Release|ARM 36 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM.Deploy.0 = Release|ARM 37 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM64.ActiveCfg = Release|ARM64 38 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM64.Build.0 = Release|ARM64 39 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM64.Deploy.0 = Release|ARM64 40 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x64.ActiveCfg = Release|x64 41 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x64.Build.0 = Release|x64 42 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x64.Deploy.0 = Release|x64 43 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x86.ActiveCfg = Release|Win32 44 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x86.Build.0 = Release|Win32 45 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x86.Deploy.0 = Release|Win32 46 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|ARM.ActiveCfg = Debug|Win32 47 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|ARM64.ActiveCfg = Debug|Win32 48 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|x64.ActiveCfg = Debug|x64 49 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|x64.Build.0 = Debug|x64 50 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|x86.ActiveCfg = Debug|Win32 51 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|x86.Build.0 = Debug|Win32 52 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|ARM.ActiveCfg = Release|Win32 53 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|ARM64.ActiveCfg = Release|Win32 54 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|x64.ActiveCfg = Release|x64 55 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|x64.Build.0 = Release|x64 56 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|x86.ActiveCfg = Release|Win32 57 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|x86.Build.0 = Release|Win32 58 | EndGlobalSection 59 | GlobalSection(SolutionProperties) = preSolution 60 | HideSolutionNode = FALSE 61 | EndGlobalSection 62 | GlobalSection(ExtensibilityGlobals) = postSolution 63 | SolutionGuid = {689D2A6E-68F2-42AE-8B13-36F3041DB588} 64 | EndGlobalSection 65 | EndGlobal 66 | -------------------------------------------------------------------------------- /KernelCheatYT/KernelCheatYT.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; KernelCheatYT.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=Sample ; TODO: edit Class 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=KernelCheatYT.cat 11 | DriverVer= ; TODO: set DriverVer in stampinf property pages 12 | 13 | [DestinationDirs] 14 | DefaultDestDir = 12 15 | KernelCheatYT_Device_CoInstaller_CopyFiles = 11 16 | 17 | ; ================= Class section ===================== 18 | 19 | [ClassInstall32] 20 | Addreg=SampleClassReg 21 | 22 | [SampleClassReg] 23 | HKR,,,0,%ClassName% 24 | HKR,,Icon,,-5 25 | 26 | [SourceDisksNames] 27 | 1 = %DiskName%,,,"" 28 | 29 | [SourceDisksFiles] 30 | KernelCheatYT.sys = 1,, 31 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames 32 | 33 | ;***************************************** 34 | ; Install Section 35 | ;***************************************** 36 | 37 | [Manufacturer] 38 | %ManufacturerName%=Standard,NT$ARCH$ 39 | 40 | [Standard.NT$ARCH$] 41 | %KernelCheatYT.DeviceDesc%=KernelCheatYT_Device, Root\KernelCheatYT ; TODO: edit hw-id 42 | 43 | [KernelCheatYT_Device.NT] 44 | CopyFiles=Drivers_Dir 45 | 46 | [Drivers_Dir] 47 | KernelCheatYT.sys 48 | 49 | ;-------------- Service installation 50 | [KernelCheatYT_Device.NT.Services] 51 | AddService = KernelCheatYT,%SPSVCINST_ASSOCSERVICE%, KernelCheatYT_Service_Inst 52 | 53 | ; -------------- KernelCheatYT driver install sections 54 | [KernelCheatYT_Service_Inst] 55 | DisplayName = %KernelCheatYT.SVCDESC% 56 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 57 | StartType = 3 ; SERVICE_DEMAND_START 58 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 59 | ServiceBinary = %12%\KernelCheatYT.sys 60 | 61 | ; 62 | ;--- KernelCheatYT_Device Coinstaller installation ------ 63 | ; 64 | 65 | [KernelCheatYT_Device.NT.CoInstallers] 66 | AddReg=KernelCheatYT_Device_CoInstaller_AddReg 67 | CopyFiles=KernelCheatYT_Device_CoInstaller_CopyFiles 68 | 69 | [KernelCheatYT_Device_CoInstaller_AddReg] 70 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller" 71 | 72 | [KernelCheatYT_Device_CoInstaller_CopyFiles] 73 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll 74 | 75 | [KernelCheatYT_Device.NT.Wdf] 76 | KmdfService = KernelCheatYT, KernelCheatYT_wdfsect 77 | [KernelCheatYT_wdfsect] 78 | KmdfLibraryVersion = $KMDFVERSION$ 79 | 80 | [Strings] 81 | SPSVCINST_ASSOCSERVICE= 0x00000002 82 | ManufacturerName="" ;TODO: Replace with your manufacturer name 83 | ClassName="Samples" ; TODO: edit ClassName 84 | DiskName = "KernelCheatYT Installation Disk" 85 | KernelCheatYT.DeviceDesc = "KernelCheatYT Device" 86 | KernelCheatYT.SVCDESC = "KernelCheatYT Service" 87 | -------------------------------------------------------------------------------- /KernelCheatYT/KernelCheatYT.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | Debug 22 | ARM 23 | 24 | 25 | Release 26 | ARM 27 | 28 | 29 | Debug 30 | ARM64 31 | 32 | 33 | Release 34 | ARM64 35 | 36 | 37 | 38 | {59AD331E-D3D4-46C4-8759-4A02AB42353A} 39 | {1bc93793-694f-48fe-9372-81e2b05556fd} 40 | v4.5 41 | 12.0 42 | Debug 43 | Win32 44 | KernelCheatYT 45 | 46 | 47 | 48 | Windows10 49 | true 50 | WindowsKernelModeDriver10.0 51 | Driver 52 | KMDF 53 | Universal 54 | 55 | 56 | Windows10 57 | false 58 | WindowsKernelModeDriver10.0 59 | Driver 60 | KMDF 61 | Universal 62 | 63 | 64 | Windows10 65 | true 66 | WindowsKernelModeDriver10.0 67 | Driver 68 | KMDF 69 | Universal 70 | 71 | 72 | Windows10 73 | false 74 | WindowsKernelModeDriver10.0 75 | Driver 76 | KMDF 77 | Universal 78 | 79 | 80 | Windows10 81 | true 82 | WindowsKernelModeDriver10.0 83 | Driver 84 | KMDF 85 | Universal 86 | 87 | 88 | Windows10 89 | false 90 | WindowsKernelModeDriver10.0 91 | Driver 92 | KMDF 93 | Universal 94 | 95 | 96 | Windows10 97 | true 98 | WindowsKernelModeDriver10.0 99 | Driver 100 | KMDF 101 | Universal 102 | 103 | 104 | Windows10 105 | false 106 | WindowsKernelModeDriver10.0 107 | Driver 108 | KMDF 109 | Universal 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | DbgengKernelDebugger 121 | 122 | 123 | DbgengKernelDebugger 124 | 125 | 126 | DbgengKernelDebugger 127 | 128 | 129 | DbgengKernelDebugger 130 | false 131 | $(IncludePath);$(WindowsSDK_IncludePath);$(KMDF_INC_PATH)$(KMDF_VER_PATH) 132 | 133 | 134 | DbgengKernelDebugger 135 | 136 | 137 | DbgengKernelDebugger 138 | 139 | 140 | DbgengKernelDebugger 141 | 142 | 143 | DbgengKernelDebugger 144 | 145 | 146 | 147 | DriverEntry 148 | 149 | 150 | false 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | -------------------------------------------------------------------------------- /KernelCheatYT/KernelCheatYT.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | 22 | 23 | Driver Files 24 | 25 | 26 | 27 | 28 | Header Files 29 | 30 | 31 | Header Files 32 | 33 | 34 | Header Files 35 | 36 | 37 | 38 | 39 | Source Files 40 | 41 | 42 | Source Files 43 | 44 | 45 | Source Files 46 | 47 | 48 | -------------------------------------------------------------------------------- /KernelCheatYT/KernelCheatYT.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | Off 5 | 6 | -------------------------------------------------------------------------------- /KernelCheatYT/definitions.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #pragma comment(lib, "ntoskrnl.lib") 8 | 9 | typedef enum _SYSTEM_INFORMATION_CLASS 10 | { 11 | SystemBasicInformation, 12 | SystemProcessorInformation, 13 | SystemPerformanceInformation, 14 | SystemTimeOfDayInformation, 15 | SystemPathInformation, 16 | SystemProcessInformation, 17 | SystemCallCountInformation, 18 | SystemDeviceInformation, 19 | SystemProcessorPerformanceInformation, 20 | SystemFlagsInformation, 21 | SystemCallTimeInformation, 22 | SystemModuleInformation = 0x0B 23 | } SYSTEM_INFORMATION_CLASS, 24 | * PSYSTEM_INFORMATION_CLASS; 25 | 26 | typedef struct _RTL_PROCESS_MODULE_INFORMATION 27 | { 28 | HANDLE Section; 29 | PVOID MappedBase; 30 | PVOID ImageBase; 31 | ULONG ImageSize; 32 | ULONG Flags; 33 | USHORT LoadOrderIndex; 34 | USHORT InitOrderIndex; 35 | USHORT LoadCount; 36 | USHORT OffsetToFileName; 37 | UCHAR FullPathName[256]; 38 | } RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION; 39 | 40 | typedef struct _RTL_PROCESS_MODULES 41 | { 42 | ULONG NumberOfModules; 43 | RTL_PROCESS_MODULE_INFORMATION Modules[1]; 44 | } RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES; 45 | 46 | typedef struct _PEB_LDR_DATA { 47 | ULONG Length; 48 | BOOLEAN Initialized; 49 | PVOID SsHandle; 50 | LIST_ENTRY ModuleListLoadOrder; 51 | LIST_ENTRY ModuleListMemoryOrder; 52 | LIST_ENTRY ModuleListInitOrder; 53 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 54 | 55 | typedef struct _LDR_DATA_TABLE_ENTRY { 56 | LIST_ENTRY InLoadOrderModuleList; 57 | LIST_ENTRY InMemoryOrderModuleList; 58 | LIST_ENTRY InInitializationOrderModuleList; 59 | PVOID DllBase; 60 | PVOID EntryPoint; 61 | ULONG SizeOfImage; // in bytes 62 | UNICODE_STRING FullDllName; 63 | UNICODE_STRING BaseDllName; 64 | ULONG Flags; // LDR_* 65 | USHORT LoadCount; 66 | USHORT TlsIndex; 67 | LIST_ENTRY HashLinks; 68 | PVOID SectionPointer; 69 | ULONG CheckSum; 70 | ULONG TimeDateStamp; 71 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY; 72 | 73 | typedef struct _RTL_USER_PROCESS_PARAMETERS { 74 | BYTE Reserved1[16]; 75 | PVOID Reserved2[10]; 76 | UNICODE_STRING ImagePathName; 77 | UNICODE_STRING CommandLine; 78 | } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; 79 | 80 | typedef void(__stdcall* PPS_POST_PROCESS_INIT_ROUTINE)(void); // not exported 81 | 82 | typedef struct _PEB { 83 | BYTE Reserved1[2]; 84 | BYTE BeingDebugged; 85 | BYTE Reserved2[1]; 86 | PVOID Reserved3[2]; 87 | PPEB_LDR_DATA Ldr; 88 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 89 | PVOID Reserved4[3]; 90 | PVOID AtlThunkSListPtr; 91 | PVOID Reserved5; 92 | ULONG Reserved6; 93 | PVOID Reserved7; 94 | ULONG Reserved8; 95 | ULONG AtlThunkSListPtr32; 96 | PVOID Reserved9[45]; 97 | BYTE Reserved10[96]; 98 | PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine; 99 | BYTE Reserved11[128]; 100 | PVOID Reserved12[1]; 101 | ULONG SessionId; 102 | } PEB, * PPEB; 103 | 104 | extern "C" __declspec(dllimport) 105 | NTSTATUS NTAPI ZwProtectVirtualMemory( 106 | HANDLE ProcessHandle, 107 | PVOID * BaseAddress, 108 | PULONG ProtectSize, 109 | ULONG NewProtect, 110 | PULONG OldProtect 111 | ); 112 | 113 | extern "C" NTKERNELAPI 114 | PVOID 115 | NTAPI 116 | RtlFindExportedRoutineByName( 117 | _In_ PVOID ImageBase, 118 | _In_ PCCH RoutineNam 119 | ); 120 | 121 | extern "C" NTSTATUS ZwQuerySystemInformation(ULONG InfoClass, PVOID Buffer, ULONG Length, PULONG ReturnLength); 122 | 123 | extern "C" NTKERNELAPI 124 | PPEB 125 | PsGetProcessPeb( 126 | IN PEPROCESS Process 127 | ); 128 | 129 | extern "C" NTSTATUS NTAPI MmCopyVirtualMemory 130 | ( 131 | PEPROCESS SourceProcess, 132 | PVOID SourceAddress, 133 | PEPROCESS TargetProcess, 134 | PVOID TargetAddress, 135 | SIZE_T BufferSize, 136 | KPROCESSOR_MODE PreviousMode, 137 | PSIZE_T ReturnSize 138 | ); 139 | 140 | typedef struct _IMAGE_EXPORT_DIRECTORY { 141 | ULONG Characteristics; 142 | ULONG TimeDateStamp; 143 | USHORT MajorVersion; 144 | USHORT MinorVersion; 145 | ULONG Name; 146 | ULONG Base; 147 | ULONG NumberOfFunctions; 148 | ULONG NumberOfNames; 149 | ULONG AddressOfFunctions; // RVA from base of image 150 | ULONG AddressOfNames; // RVA from base of image 151 | ULONG AddressOfNameOrdinals; // RVA from base of image 152 | } IMAGE_EXPORT_DIRECTORY, * PIMAGE_EXPORT_DIRECTORY; 153 | 154 | extern "C" __declspec(dllimport) 155 | PVOID 156 | NTAPI 157 | RtlImageDirectoryEntryToData( 158 | PVOID ImageBase, 159 | BOOLEAN MappedAsImage, 160 | USHORT DirectoryEntry, 161 | PULONG Size 162 | ); -------------------------------------------------------------------------------- /KernelCheatYT/hook.cpp: -------------------------------------------------------------------------------- 1 | #include "hook.h" 2 | #include 3 | 4 | GdiSelectBrush_t GdiSelectBrush = NULL; 5 | PatBlt_t NtGdiPatBlt = NULL; 6 | NtUserGetDC_t NtUserGetDC = NULL; 7 | NtGdiCreateSolidBrush_t NtGdiCreateSolidBrush = NULL; 8 | ReleaseDC_t NtUserReleaseDC = NULL; 9 | DeleteObjectApp_t NtGdiDeleteObjectApp = NULL; 10 | 11 | bool nullhook::call_kernel_function(void* kernel_function_address) 12 | { 13 | if (!kernel_function_address) 14 | return false; 15 | //NtQueryCompositionSurfaceStatistics 16 | PVOID* function = reinterpret_cast(get_system_module_export("\\SystemRoot\\System32\\drivers\\dxgkrnl.sys", 17 | "NtDxgkGetTrackedWorkloadStatistics")); 18 | 19 | if (!function) 20 | return false; 21 | 22 | BYTE orig[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 23 | 24 | BYTE shell_code[] = { 0x48, 0xB8 }; // mov rax, xxx 25 | BYTE shell_code_end[] = { 0xFF, 0xE0 }; //jmp rax 26 | 27 | RtlSecureZeroMemory(&orig, sizeof(orig)); 28 | memcpy((PVOID)((ULONG_PTR)orig), &shell_code, sizeof(shell_code)); 29 | uintptr_t hook_address = reinterpret_cast(kernel_function_address); 30 | memcpy((PVOID)((ULONG_PTR)orig + sizeof(shell_code)), &hook_address, sizeof(void*)); 31 | memcpy((PVOID)((ULONG_PTR)orig + sizeof(shell_code) + sizeof(void*)), &shell_code_end, sizeof(shell_code_end)); 32 | 33 | write_to_read_only_memory(function, &orig, sizeof(orig)); 34 | 35 | GdiSelectBrush = (GdiSelectBrush_t)get_system_module_export(L"win32kfull.sys", "NtGdiSelectBrush"); 36 | NtGdiCreateSolidBrush = (NtGdiCreateSolidBrush_t)get_system_module_export(L"win32kfull.sys", "NtGdiCreateSolidBrush"); 37 | NtGdiPatBlt = (PatBlt_t)get_system_module_export(L"win32kfull.sys", "NtGdiPatBlt"); 38 | NtUserGetDC = (NtUserGetDC_t)get_system_module_export(L"win32kbase.sys", "NtUserGetDC"); 39 | NtUserReleaseDC = (ReleaseDC_t)get_system_module_export(L"win32kbase.sys", "NtUserReleaseDC"); 40 | NtGdiDeleteObjectApp = (DeleteObjectApp_t)get_system_module_export(L"win32kbase.sys", "NtGdiDeleteObjectApp"); 41 | 42 | return true; 43 | } 44 | 45 | NTSTATUS nullhook::hook_handler(PVOID called_param) 46 | { 47 | NULL_MEMORY* instructions = (NULL_MEMORY*)called_param; 48 | 49 | if (instructions->req_base == TRUE) 50 | { 51 | ANSI_STRING AS; 52 | UNICODE_STRING ModuleName; 53 | 54 | RtlInitAnsiString(&AS, instructions->module_name); 55 | RtlAnsiStringToUnicodeString(&ModuleName, &AS, TRUE); 56 | 57 | PEPROCESS process; 58 | PsLookupProcessByProcessId((HANDLE)instructions->pid, &process); 59 | ULONG64 base_address64 = NULL; 60 | base_address64 = get_module_base_x64(process, ModuleName); 61 | instructions->base_address = base_address64; 62 | RtlFreeUnicodeString(&ModuleName); 63 | } 64 | 65 | else if (instructions->write == TRUE) 66 | { 67 | if (instructions->address < 0x7FFFFFFFFFFF && instructions->address > 0) 68 | { 69 | PVOID kernelBuff = ExAllocatePool(NonPagedPool, instructions->size); 70 | 71 | if (!kernelBuff) 72 | { 73 | return STATUS_UNSUCCESSFUL; 74 | } 75 | 76 | if (!memcpy(kernelBuff, instructions->buffer_address, instructions->size)) 77 | { 78 | return STATUS_UNSUCCESSFUL; 79 | } 80 | 81 | PEPROCESS process; 82 | PsLookupProcessByProcessId((HANDLE)instructions->pid, &process); 83 | write_kernel_memory((HANDLE)instructions->pid, instructions->address, kernelBuff, instructions->size); 84 | ExFreePool(kernelBuff); 85 | } 86 | } 87 | 88 | else if (instructions->read == TRUE) 89 | { 90 | if (instructions->address < 0x7FFFFFFFFFFF && instructions->address > 0) 91 | { 92 | read_kernel_memory((HANDLE)instructions->pid, instructions->address, instructions->output, instructions->size); 93 | } 94 | } 95 | 96 | else if (instructions->draw_box == TRUE) 97 | { 98 | HDC hdc = NtUserGetDC(NULL); 99 | if (!hdc) 100 | return STATUS_UNSUCCESSFUL; 101 | 102 | HBRUSH brush = NtGdiCreateSolidBrush(RGB(instructions->r, instructions->g, instructions->b), NULL); 103 | if (!brush) 104 | return STATUS_UNSUCCESSFUL; 105 | 106 | RECT rect = { instructions->x, instructions->y, instructions->x + instructions->w, instructions->y + instructions->h }; 107 | FrameRect(hdc, &rect, brush, instructions->t); 108 | NtUserReleaseDC(hdc); 109 | NtGdiDeleteObjectApp(brush); 110 | } 111 | 112 | return STATUS_SUCCESS; 113 | } 114 | 115 | INT nullhook::FrameRect(HDC hDC, CONST RECT* lprc, HBRUSH hbr, int thickness) 116 | { 117 | HBRUSH oldbrush; 118 | RECT r = *lprc; 119 | 120 | if (!(oldbrush = GdiSelectBrush(hDC, hbr))) return 0; 121 | 122 | NtGdiPatBlt(hDC, r.left, r.top, thickness, r.bottom - r.top, PATCOPY); 123 | NtGdiPatBlt(hDC, r.right - thickness, r.top, thickness, r.bottom - r.top, PATCOPY); 124 | NtGdiPatBlt(hDC, r.left, r.top, r.right - r.left, thickness, PATCOPY); 125 | NtGdiPatBlt(hDC, r.left, r.bottom - thickness, r.right - r.left, thickness, PATCOPY); 126 | 127 | GdiSelectBrush(hDC, oldbrush); 128 | return TRUE; 129 | } -------------------------------------------------------------------------------- /KernelCheatYT/hook.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "memory.h" 4 | 5 | typedef HBRUSH(*GdiSelectBrush_t)(_In_ HDC hdc, 6 | _In_ HBRUSH hbr 7 | ); 8 | 9 | typedef BOOL(*PatBlt_t)(_In_ HDC, 10 | _In_ int x, 11 | _In_ int y, 12 | _In_ int w, 13 | _In_ int h, 14 | _In_ DWORD 15 | ); 16 | 17 | typedef HDC(*NtUserGetDC_t)(HWND hWnd); 18 | 19 | typedef HBRUSH(*NtGdiCreateSolidBrush_t)(_In_ COLORREF crColor, 20 | _In_opt_ HBRUSH hbr 21 | ); 22 | 23 | typedef int (*ReleaseDC_t)(HDC hdc); 24 | typedef BOOL(*DeleteObjectApp_t)(HANDLE hobj); 25 | 26 | namespace nullhook 27 | { 28 | bool call_kernel_function(void* kernel_function_address); 29 | NTSTATUS hook_handler(PVOID called_param); 30 | INT FrameRect(HDC hDC, CONST RECT* lprc, HBRUSH hbr, int thickness); 31 | } -------------------------------------------------------------------------------- /KernelCheatYT/main.cpp: -------------------------------------------------------------------------------- 1 | #include "hook.h" 2 | 3 | extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING reg_path) 4 | { 5 | UNREFERENCED_PARAMETER(driver_object); 6 | UNREFERENCED_PARAMETER(reg_path); 7 | 8 | nullhook::call_kernel_function(&nullhook::hook_handler); 9 | 10 | return STATUS_SUCCESS; 11 | } -------------------------------------------------------------------------------- /KernelCheatYT/memory.cpp: -------------------------------------------------------------------------------- 1 | #include "memory.h" 2 | 3 | PVOID get_system_module_base(const char* module_name) 4 | { 5 | ULONG bytes = 0; 6 | NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, NULL, bytes, &bytes); 7 | 8 | if (!bytes) 9 | return NULL; 10 | 11 | PRTL_PROCESS_MODULES modules = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, bytes, 0x4e554c4c); 12 | 13 | status = ZwQuerySystemInformation(SystemModuleInformation, modules, bytes, &bytes); 14 | 15 | if (!NT_SUCCESS(status)) 16 | return NULL; 17 | 18 | PRTL_PROCESS_MODULE_INFORMATION module = modules->Modules; 19 | PVOID module_base = 0, module_size = 0; 20 | 21 | for (ULONG i = 0; i < modules->NumberOfModules; i++) 22 | { 23 | if (strcmp((char*)module[i].FullPathName, module_name) == NULL) 24 | { 25 | module_base = module[i].ImageBase; 26 | module_size = (PVOID)module[i].ImageSize; 27 | break; 28 | } 29 | } 30 | 31 | if (modules) 32 | ExFreePoolWithTag(modules, NULL); 33 | 34 | if (module_base <= NULL) 35 | return NULL; 36 | 37 | return module_base; 38 | } 39 | 40 | PVOID get_system_module_export(const char* module_name, LPCSTR routine_name) 41 | { 42 | PVOID lpModule = get_system_module_base(module_name); 43 | 44 | if (!lpModule) 45 | return NULL; 46 | 47 | return RtlFindExportedRoutineByName(lpModule, routine_name); 48 | } 49 | 50 | PVOID get_system_routine_address(PCWSTR routine_name) 51 | { 52 | UNICODE_STRING name; 53 | RtlInitUnicodeString(&name, routine_name); 54 | return MmGetSystemRoutineAddress(&name); 55 | } 56 | 57 | PVOID get_system_module_export(LPCWSTR module_name, LPCSTR routine_name) 58 | { 59 | PLIST_ENTRY module_list = reinterpret_cast(get_system_routine_address(L"PsLoadedModuleList")); 60 | 61 | if (!module_list) 62 | return NULL; 63 | 64 | for (PLIST_ENTRY link = module_list; link != module_list->Blink; link = link->Flink) 65 | { 66 | LDR_DATA_TABLE_ENTRY* entry = CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList); 67 | 68 | UNICODE_STRING name; 69 | RtlInitUnicodeString(&name, module_name); 70 | 71 | if (RtlEqualUnicodeString(&entry->BaseDllName, &name, TRUE)) 72 | { 73 | return (entry->DllBase) ? RtlFindExportedRoutineByName(entry->DllBase, routine_name) : NULL; 74 | } 75 | } 76 | } 77 | 78 | bool write_memory(void* address, void* buffer, size_t size) 79 | { 80 | if (!RtlCopyMemory(address, buffer, size)) 81 | { 82 | return false; 83 | } 84 | else 85 | { 86 | return true; 87 | } 88 | } 89 | 90 | bool write_to_read_only_memory(void* address, void* buffer, size_t size) 91 | { 92 | PMDL Mdl = IoAllocateMdl(address, size, FALSE, FALSE, NULL); 93 | 94 | if (!Mdl) 95 | return false; 96 | 97 | MmProbeAndLockPages(Mdl, KernelMode, IoReadAccess); 98 | PVOID Mapping = MmMapLockedPagesSpecifyCache(Mdl, KernelMode, MmNonCached, NULL, FALSE, NormalPagePriority); 99 | MmProtectMdlSystemAddress(Mdl, PAGE_READWRITE); 100 | 101 | write_memory(Mapping, buffer, size); 102 | 103 | MmUnmapLockedPages(Mapping, Mdl); 104 | MmUnlockPages(Mdl); 105 | IoFreeMdl(Mdl); 106 | 107 | return true; 108 | } 109 | 110 | ULONG64 get_module_base_x64(PEPROCESS proc, UNICODE_STRING module_name) 111 | { 112 | PPEB pPeb = PsGetProcessPeb(proc); 113 | 114 | if (!pPeb) 115 | { 116 | return NULL; 117 | } 118 | 119 | KAPC_STATE state; 120 | 121 | KeStackAttachProcess(proc, &state); 122 | 123 | PPEB_LDR_DATA pLdr = (PPEB_LDR_DATA)pPeb->Ldr; 124 | 125 | if (!pLdr) 126 | { 127 | KeUnstackDetachProcess(&state); 128 | return NULL; 129 | } 130 | 131 | for (PLIST_ENTRY list = (PLIST_ENTRY)pLdr->ModuleListLoadOrder.Flink; list != &pLdr->ModuleListLoadOrder; list = (PLIST_ENTRY)list->Flink) 132 | { 133 | PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(list, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList); 134 | 135 | if (RtlCompareUnicodeString(&pEntry->BaseDllName, &module_name, TRUE) == NULL) 136 | { 137 | ULONG64 baseAddr = (ULONG64)pEntry->DllBase; 138 | KeUnstackDetachProcess(&state); 139 | return baseAddr; 140 | } 141 | } 142 | 143 | KeUnstackDetachProcess(&state); 144 | return NULL; 145 | } 146 | 147 | bool read_kernel_memory(HANDLE pid, uintptr_t address, void* buffer, SIZE_T size) 148 | { 149 | if (!address || !buffer || !size) 150 | return false; 151 | 152 | SIZE_T bytes = 0; 153 | NTSTATUS status = STATUS_SUCCESS; 154 | PEPROCESS process; 155 | PsLookupProcessByProcessId((HANDLE)pid, &process); 156 | 157 | status = MmCopyVirtualMemory(process, (void*)address, (PEPROCESS)PsGetCurrentProcess(), (void*)buffer, size, KernelMode, &bytes); 158 | 159 | if (!NT_SUCCESS(status)) 160 | { 161 | return false; 162 | } 163 | else 164 | { 165 | return true; 166 | } 167 | } 168 | 169 | bool write_kernel_memory(HANDLE pid, uintptr_t address, void* buffer, SIZE_T size) 170 | { 171 | if (!address || !buffer || !size) 172 | return false; 173 | 174 | NTSTATUS status = STATUS_SUCCESS; 175 | PEPROCESS process; 176 | PsLookupProcessByProcessId((HANDLE)pid, &process); 177 | 178 | KAPC_STATE state; 179 | KeStackAttachProcess((PEPROCESS)process, &state); 180 | 181 | MEMORY_BASIC_INFORMATION info; 182 | 183 | status = ZwQueryVirtualMemory(ZwCurrentProcess(), (PVOID)address, MemoryBasicInformation, &info, sizeof(info), NULL); 184 | if (!NT_SUCCESS(status)) 185 | { 186 | KeUnstackDetachProcess(&state); 187 | return false; 188 | } 189 | 190 | if (((uintptr_t)info.BaseAddress + info.RegionSize) < (address + size)) 191 | { 192 | KeUnstackDetachProcess(&state); 193 | return false; 194 | } 195 | 196 | if (!(info.State & MEM_COMMIT) || (info.Protect & (PAGE_GUARD | PAGE_NOACCESS))) 197 | { 198 | KeUnstackDetachProcess(&state); 199 | return false; 200 | } 201 | 202 | if ((info.Protect & PAGE_EXECUTE_READWRITE) || (info.Protect & PAGE_EXECUTE_WRITECOPY) 203 | || (info.Protect & PAGE_READWRITE) || (info.Protect & PAGE_WRITECOPY)) 204 | { 205 | RtlCopyMemory((void*)address, buffer, size); 206 | } 207 | KeUnstackDetachProcess(&state); 208 | return true; 209 | } -------------------------------------------------------------------------------- /KernelCheatYT/memory.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "definitions.h" 3 | 4 | PVOID get_system_module_base(const char* module_name); 5 | PVOID get_system_module_export(const char* module_name, LPCSTR routine_name); 6 | bool write_memory(void* address, void* buffer, size_t size); 7 | bool write_to_read_only_memory(void* address, void* buffer, size_t size); 8 | ULONG64 get_module_base_x64(PEPROCESS proc, UNICODE_STRING module_name); 9 | bool read_kernel_memory(HANDLE pid, uintptr_t address, void* buffer, SIZE_T size); 10 | bool write_kernel_memory(HANDLE pid, uintptr_t address, void* buffer, SIZE_T size); 11 | PVOID get_system_module_export(LPCWSTR module_name, LPCSTR routine_name); 12 | 13 | typedef struct _NULL_MEMORY 14 | { 15 | void* buffer_address; 16 | UINT_PTR address; 17 | ULONGLONG size; 18 | ULONG pid; 19 | BOOLEAN write; 20 | BOOLEAN read; 21 | BOOLEAN req_base; 22 | BOOLEAN draw_box; 23 | int r, g, b, x, y, w, h, t; 24 | void* output; 25 | const char* module_name; 26 | ULONG64 base_address; 27 | }NULL_MEMORY; -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # NullHook 2 | Full yt series on how I made this and how it works here https://youtu.be/KNGr4m99PTU
3 | 4 | You will need to map the driver code yourself, you can use a manual mapper like https://github.com/TheCruZ/kdmapper 5 | --------------------------------------------------------------------------------