├── Client ├── pclient.sln └── pclient │ ├── pclient.cpp │ ├── pclient.vcxproj │ ├── pclient.vcxproj.filters │ ├── pclient.vcxproj.user │ ├── skStr.h │ └── x64 │ └── Release │ ├── pclient.exe.recipe │ ├── pclient.iobj │ ├── pclient.ipdb │ ├── pclient.log │ ├── pclient.obj │ ├── pclient.tlog │ ├── CL.command.1.tlog │ ├── CL.read.1.tlog │ ├── CL.write.1.tlog │ ├── link.command.1.tlog │ ├── link.read.1.tlog │ ├── link.write.1.tlog │ └── pclient.lastbuildstate │ └── vc143.pdb ├── README.md └── driver ├── pdrv.sln └── pdrv ├── Callbacks.c ├── Callbacks.h ├── Driver.c ├── Funcs.c ├── Funcs.h ├── Imports.h ├── Log.h ├── Private.c ├── Private.h ├── Shared.h ├── Structs.h ├── Utils.c ├── Utils.h ├── pdrv.vcxproj ├── pdrv.vcxproj.filters ├── pdrv.vcxproj.user └── x64 ├── Debug └── pdrv.log └── Release ├── pdrv.log ├── pdrv.tlog ├── CL.command.1.tlog ├── pdrv.lastbuildstate └── unsuccessfulbuild └── vc143.pdb /Client/pclient.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.29519.87 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pclient", "pclient\pclient.vcxproj", "{E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}.Debug|x64.ActiveCfg = Debug|x64 17 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}.Debug|x64.Build.0 = Debug|x64 18 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}.Debug|x86.ActiveCfg = Debug|Win32 19 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}.Debug|x86.Build.0 = Debug|Win32 20 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}.Release|x64.ActiveCfg = Release|x64 21 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}.Release|x64.Build.0 = Release|x64 22 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}.Release|x86.ActiveCfg = Release|Win32 23 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {07334F45-CDDF-40ED-B848-FA69D56B688B} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /Client/pclient/pclient.cpp: -------------------------------------------------------------------------------- 1 |  2 | 3 | // TODO: Use blank space instead of allocating memory 4 | // TODO: Load driver automatically (add kdmapper) 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include "skStr.h" 11 | 12 | 13 | 14 | //#define TARGET_DLL_ADDRESS L"" 15 | #define TARGET_DLL_ADDRESS L"" //dllpath 16 | //#define TARGET_PROCESS L"RustClient.exe" 17 | #define TARGET_PROCESS L"FortniteClient-Win64-Shipping.exe" 18 | #define TARGET_THREAD 3 19 | 20 | #define CODE_DISABLE 0x1601 21 | #define CODE_RESTORE 0x1602 22 | 23 | typedef HMODULE(WINAPI* pLoadLibraryA)(LPCSTR); 24 | typedef FARPROC(WINAPI* pGetProcAddress)(HMODULE, LPCSTR); 25 | 26 | typedef BOOL(WINAPI* PDLL_MAIN)(HMODULE, DWORD, PVOID); 27 | 28 | typedef struct _MANUAL_INJECT 29 | { 30 | PVOID ImageBase; 31 | PIMAGE_NT_HEADERS NtHeaders; 32 | PIMAGE_BASE_RELOCATION BaseRelocation; 33 | PIMAGE_IMPORT_DESCRIPTOR ImportDirectory; 34 | pLoadLibraryA fnLoadLibraryA; 35 | pGetProcAddress fnGetProcAddress; 36 | }MANUAL_INJECT, * PMANUAL_INJECT; 37 | 38 | DWORD WINAPI LoadDll(PVOID p) 39 | { 40 | PMANUAL_INJECT ManualInject; 41 | 42 | HMODULE hModule; 43 | DWORD64 i, Function, count, delta; 44 | 45 | DWORD64* ptr; 46 | PWORD list; 47 | 48 | PIMAGE_BASE_RELOCATION pIBR; 49 | PIMAGE_IMPORT_DESCRIPTOR pIID; 50 | PIMAGE_IMPORT_BY_NAME pIBN; 51 | PIMAGE_THUNK_DATA FirstThunk, OrigFirstThunk; 52 | 53 | PDLL_MAIN EntryPoint; 54 | 55 | ManualInject = (PMANUAL_INJECT)p; 56 | 57 | pIBR = ManualInject->BaseRelocation; 58 | delta = (DWORD64)((LPBYTE)ManualInject->ImageBase - ManualInject->NtHeaders->OptionalHeader.ImageBase); // Calculate the delta 59 | 60 | while (pIBR->VirtualAddress) 61 | { 62 | if (pIBR->SizeOfBlock >= sizeof(IMAGE_BASE_RELOCATION)) 63 | { 64 | count = (pIBR->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD); 65 | list = (PWORD)(pIBR + 1); 66 | 67 | for (i = 0; i < count; i++) 68 | { 69 | if (list[i]) 70 | { 71 | ptr = (DWORD64*)((LPBYTE)ManualInject->ImageBase + (pIBR->VirtualAddress + (list[i] & 0xFFF))); 72 | *ptr += delta; 73 | } 74 | } 75 | } 76 | 77 | pIBR = (PIMAGE_BASE_RELOCATION)((LPBYTE)pIBR + pIBR->SizeOfBlock); 78 | } 79 | 80 | pIID = ManualInject->ImportDirectory; 81 | 82 | // Resolve DLL imports 83 | 84 | while (pIID->Characteristics) 85 | { 86 | OrigFirstThunk = (PIMAGE_THUNK_DATA)((LPBYTE)ManualInject->ImageBase + pIID->OriginalFirstThunk); 87 | FirstThunk = (PIMAGE_THUNK_DATA)((LPBYTE)ManualInject->ImageBase + pIID->FirstThunk); 88 | 89 | hModule = ManualInject->fnLoadLibraryA((LPCSTR)ManualInject->ImageBase + pIID->Name); 90 | 91 | if (!hModule) 92 | { 93 | return FALSE; 94 | } 95 | 96 | while (OrigFirstThunk->u1.AddressOfData) 97 | { 98 | if (OrigFirstThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) 99 | { 100 | // Import by ordinal 101 | 102 | Function = (DWORD64)ManualInject->fnGetProcAddress(hModule, (LPCSTR)(OrigFirstThunk->u1.Ordinal & 0xFFFF)); 103 | 104 | if (!Function) 105 | { 106 | return FALSE; 107 | } 108 | 109 | FirstThunk->u1.Function = Function; 110 | } 111 | 112 | else 113 | { 114 | // Import by name 115 | 116 | pIBN = (PIMAGE_IMPORT_BY_NAME)((LPBYTE)ManualInject->ImageBase + OrigFirstThunk->u1.AddressOfData); 117 | Function = (DWORD64)ManualInject->fnGetProcAddress(hModule, (LPCSTR)pIBN->Name); 118 | 119 | if (!Function) 120 | { 121 | return FALSE; 122 | } 123 | 124 | FirstThunk->u1.Function = Function; 125 | } 126 | 127 | OrigFirstThunk++; 128 | FirstThunk++; 129 | } 130 | 131 | pIID++; 132 | } 133 | 134 | if (ManualInject->NtHeaders->OptionalHeader.AddressOfEntryPoint) 135 | { 136 | EntryPoint = (PDLL_MAIN)((LPBYTE)ManualInject->ImageBase + ManualInject->NtHeaders->OptionalHeader.AddressOfEntryPoint); 137 | return EntryPoint((HMODULE)ManualInject->ImageBase, DLL_PROCESS_ATTACH, NULL); // Call the entry point 138 | } 139 | 140 | return TRUE; 141 | } 142 | 143 | DWORD WINAPI LoadDllEnd() 144 | { 145 | return 0; 146 | } 147 | 148 | #pragma comment(lib, "ntdll.lib") 149 | 150 | extern "C" NTSTATUS NTAPI RtlAdjustPrivilege(ULONG Privilege, BOOLEAN Enable, BOOLEAN CurrentThread, PBOOLEAN Enabled); 151 | 152 | UCHAR code[] = { 153 | 0x48, 0xB8, 0xF0, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // mov -16 to rax 154 | 0x48, 0x21, 0xC4, // and rsp, rax 155 | 0x48, 0x83, 0xEC, 0x20, // subtract 32 from rsp 156 | 0x48, 0x8b, 0xEC, // mov rbp, rsp 157 | 0x90, 0x90, // nop nop 158 | 0x48, 0xB9, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // mov rcx,CCCCCCCCCCCCCCCC 159 | 0x48, 0xB8, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, // mov rax,AAAAAAAAAAAAAAAA 160 | 0xFF, 0xD0, // call rax 161 | 0x90, // nop 162 | 0x90, // nop 163 | 0xEB, 0xFC // JMP to nop 164 | }; 165 | 166 | void CallbackSwitch(bool restore) 167 | { 168 | FARPROC fnNtQueryIntervalProfile = GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtQueryIntervalProfile"); 169 | typedef HRESULT(__stdcall* tNtQueryIntervalProfile)(ULONG64 ProfileSource, PULONG Interval); 170 | 171 | tNtQueryIntervalProfile NtQueryIntervalProfile = reinterpret_cast(fnNtQueryIntervalProfile); 172 | 173 | ULONG a2 = 0; 174 | if (restore) 175 | { 176 | NtQueryIntervalProfile(CODE_RESTORE, &a2); 177 | } 178 | else 179 | { 180 | NtQueryIntervalProfile(CODE_DISABLE, &a2); 181 | } 182 | 183 | } 184 | 185 | DWORD GetPID() 186 | { 187 | PROCESSENTRY32 entry; 188 | entry.dwSize = sizeof(PROCESSENTRY32); 189 | 190 | HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); 191 | 192 | if (Process32First(snapshot, &entry) == TRUE) 193 | { 194 | while (Process32Next(snapshot, &entry) == TRUE) 195 | { 196 | if (wcscmp(entry.szExeFile, TARGET_PROCESS) == 0) 197 | { 198 | return entry.th32ProcessID; 199 | } 200 | } 201 | } 202 | 203 | CloseHandle(snapshot); 204 | return 0; 205 | } 206 | 207 | void End() 208 | { 209 | Beep(300, 300); 210 | printf(skCrypt("\[+] Successfully injected!\n")); 211 | getchar(); 212 | while (true) 213 | { 214 | exit(0); 215 | } 216 | } 217 | 218 | int main() 219 | { 220 | 221 | LPBYTE ptr; 222 | HANDLE hProcess, hThread, hSnap, hFile; 223 | PVOID mem, mem1; 224 | DWORD ProcessId, FileSize, read, i; 225 | PVOID buffer, image; 226 | BOOLEAN bl; 227 | PIMAGE_DOS_HEADER pIDH; 228 | PIMAGE_NT_HEADERS pINH; 229 | PIMAGE_SECTION_HEADER pISH; 230 | 231 | THREADENTRY32 te32; 232 | CONTEXT ctx; 233 | 234 | MANUAL_INJECT ManualInject; 235 | 236 | te32.dwSize = sizeof(te32); 237 | ctx.ContextFlags = CONTEXT_FULL; 238 | 239 | system("cls"); 240 | printf(skCrypt("[+] Initialized\n")); 241 | 242 | printf(skCrypt("[>] Disabling anticheat callbacks...\n")); 243 | CallbackSwitch(false); 244 | printf(skCrypt("[+] Callbacks disabled\n")); 245 | Sleep(100); 246 | system("cls"); 247 | 248 | printf(skCrypt("[>] Getting game PID...\n")); 249 | DWORD PID = GetPID(); 250 | if (PID == 0) 251 | { 252 | system("cls"); 253 | printf(skCrypt("[-] Game is not running\n")); 254 | Sleep(1000); 255 | exit(0); 256 | End(); 257 | } 258 | system("cls"); 259 | printf(skCrypt("[+] Found on PID %u\n"), PID); 260 | system("cls"); 261 | printf(skCrypt("[>] Injecting...\n")); 262 | //std::vector bytes = KeyAuthApp.download(" 858860"); 263 | //if (!KeyAuthApp.data.success) // check whether file downloaded correctly 264 | //{ 265 | // system("cls"); 266 | // std::cout << skCrypt("\n\nStatus: ") << KeyAuthApp.data.message; 267 | // Sleep(1500); 268 | // exit(0); 269 | //} 270 | //std::ofstream file("file.dll", std::ios_base::out | std::ios_base::binary); 271 | //file.write((char*)bytes.data(), bytes.size()); 272 | //file.close(); 273 | 274 | hFile = CreateFile(TARGET_DLL_ADDRESS, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); // Open the DLL 275 | 276 | if (hFile == INVALID_HANDLE_VALUE) 277 | { 278 | system("cls"); 279 | printf(skCrypt("[-] Unable to open the DLL (%d)\n"), GetLastError()); 280 | Sleep(100); 281 | system("cls"); 282 | End(); 283 | } 284 | 285 | FileSize = GetFileSize(hFile, NULL); 286 | buffer = VirtualAlloc(NULL, FileSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 287 | 288 | if (!buffer) 289 | { 290 | system("cls"); 291 | printf(skCrypt("[-] Unable to allocate memory for DLL data (%d)\n"), GetLastError()); 292 | 293 | CloseHandle(hFile); 294 | Sleep(100); 295 | system("cls"); 296 | End(); 297 | } 298 | 299 | // Read the DLL 300 | 301 | if (!ReadFile(hFile, buffer, FileSize, &read, NULL)) 302 | { 303 | system("cls"); 304 | printf(skCrypt("[-] Unable to read the DLL (%d)\n"), GetLastError()); 305 | 306 | VirtualFree(buffer, 0, MEM_RELEASE); 307 | CloseHandle(hFile); 308 | Sleep(100); 309 | system("cls"); 310 | End(); 311 | } 312 | 313 | CloseHandle(hFile); 314 | 315 | pIDH = (PIMAGE_DOS_HEADER)buffer; 316 | 317 | if (pIDH->e_magic != IMAGE_DOS_SIGNATURE) 318 | { 319 | system("cls"); 320 | printf(skCrypt("[-] Invalid executable image\n")); 321 | 322 | VirtualFree(buffer, 0, MEM_RELEASE); 323 | Sleep(100); 324 | system("cls"); 325 | End(); 326 | } 327 | 328 | pINH = (PIMAGE_NT_HEADERS)((LPBYTE)buffer + pIDH->e_lfanew); 329 | 330 | if (pINH->Signature != IMAGE_NT_SIGNATURE) 331 | { 332 | system("cls"); 333 | printf(skCrypt("[-] Invalid PE header\n")); 334 | 335 | VirtualFree(buffer, 0, MEM_RELEASE); 336 | End(); 337 | } 338 | 339 | if (!(pINH->FileHeader.Characteristics & IMAGE_FILE_DLL)) 340 | { 341 | system("cls"); 342 | printf(skCrypt("[-] The image is not DLL\n")); 343 | 344 | VirtualFree(buffer, 0, MEM_RELEASE); 345 | End(); 346 | } 347 | 348 | RtlAdjustPrivilege(20, TRUE, FALSE, &bl); 349 | 350 | ProcessId = PID; 351 | hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId); 352 | 353 | if (!hProcess) 354 | { 355 | system("cls"); 356 | printf(skCrypt("[-] Unable to open target process handle (%d)\n"), GetLastError()); 357 | End(); 358 | } 359 | 360 | image = VirtualAllocEx(hProcess, NULL, pINH->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); // Allocate memory for the DLL 361 | 362 | if (!image) 363 | { 364 | system("cls"); 365 | printf(skCrypt("[-] Unable to allocate memory for the DLL (%d)\n"), GetLastError()); 366 | 367 | VirtualFree(buffer, 0, MEM_RELEASE); 368 | CloseHandle(hProcess); 369 | 370 | End(); 371 | } 372 | 373 | // Copy the header to target process 374 | 375 | if (!WriteProcessMemory(hProcess, image, buffer, pINH->OptionalHeader.SizeOfHeaders, NULL)) 376 | { 377 | system("cls"); 378 | printf(skCrypt("[-] Unable to copy headers to target process (%d)\n"), GetLastError()); 379 | 380 | VirtualFreeEx(hProcess, image, 0, MEM_RELEASE); 381 | CloseHandle(hProcess); 382 | 383 | VirtualFree(buffer, 0, MEM_RELEASE); 384 | End(); 385 | } 386 | 387 | pISH = (PIMAGE_SECTION_HEADER)(pINH + 1); 388 | 389 | // Copy the DLL to target process 390 | 391 | for (i = 0; i < pINH->FileHeader.NumberOfSections; i++) 392 | { 393 | WriteProcessMemory(hProcess, (PVOID)((LPBYTE)image + pISH[i].VirtualAddress), (PVOID)((LPBYTE)buffer + pISH[i].PointerToRawData), pISH[i].SizeOfRawData, NULL); 394 | } 395 | 396 | mem1 = VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); // Allocate memory for the loader code 397 | 398 | if (!mem1) 399 | { 400 | system("cls"); 401 | printf(skCrypt("[-] Unable to allocate memory for the loader code (%d)\n"), GetLastError()); 402 | 403 | VirtualFreeEx(hProcess, image, 0, MEM_RELEASE); 404 | CloseHandle(hProcess); 405 | 406 | VirtualFree(buffer, 0, MEM_RELEASE); 407 | End(); 408 | } 409 | 410 | printf(skCrypt("[+] Loader code allocated at %#x\n"), mem1); 411 | memset(&ManualInject, 0, sizeof(MANUAL_INJECT)); 412 | 413 | ManualInject.ImageBase = image; 414 | ManualInject.NtHeaders = (PIMAGE_NT_HEADERS)((LPBYTE)image + pIDH->e_lfanew); 415 | ManualInject.BaseRelocation = (PIMAGE_BASE_RELOCATION)((LPBYTE)image + pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); 416 | ManualInject.ImportDirectory = (PIMAGE_IMPORT_DESCRIPTOR)((LPBYTE)image + pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); 417 | ManualInject.fnLoadLibraryA = LoadLibraryA; 418 | ManualInject.fnGetProcAddress = GetProcAddress; 419 | 420 | 421 | if (!WriteProcessMemory(hProcess, mem1, &ManualInject, sizeof(MANUAL_INJECT), NULL)) 422 | system("cls"); 423 | printf(skCrypt("[-] Memory write error (%d)\n"), GetLastError()); 424 | //std::cout << "LoadDllSize " << std::dec << (DWORD64)LoadDllEnd - (DWORD64)LoadDll << std::endl; 425 | 426 | // FIXED by removing optimiations : some fat fucking error here.. writing LoadDll directly appears to write a bunch of JMP instructions to undefined memory and the sizes are messed 427 | if (!WriteProcessMemory(hProcess, (PVOID)((PMANUAL_INJECT)mem1 + 1), LoadDll, 4096 - sizeof(MANUAL_INJECT), NULL)) 428 | system("cls"); 429 | printf(skCrypt("[-] Memory write error (%d)\n"), GetLastError()); 430 | //std::cout << "LoadDllAddress " << std::hex << (PVOID)((PMANUAL_INJECT)mem1 + 1) << std::endl; 431 | 432 | hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); 433 | 434 | Thread32First(hSnap, &te32); 435 | 436 | int number = 0; 437 | while (Thread32Next(hSnap, &te32)) 438 | { 439 | if (te32.th32OwnerProcessID == ProcessId) 440 | { 441 | if (number == TARGET_THREAD) 442 | { 443 | break; 444 | } 445 | number++; 446 | } 447 | } 448 | system("cls"); 449 | printf(skCrypt("[+] Thread found on ID: %d\n"), te32.th32ThreadID); 450 | 451 | CloseHandle(hSnap); 452 | 453 | mem = VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 454 | 455 | if (!mem) 456 | { 457 | system("cls"); 458 | printf(skCrypt("[-] Unable to allocate memory in target process (%d)\n"), GetLastError()); 459 | 460 | CloseHandle(hProcess); 461 | End(); 462 | } 463 | system("cls"); 464 | printf(skCrypt("[+] Memory allocated at %#x\n"), mem); 465 | 466 | hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, te32.th32ThreadID); 467 | 468 | if (!hThread) 469 | { 470 | system("cls"); 471 | printf(skCrypt("[-] Unable to open target thread handle (%d)\n"), GetLastError()); 472 | 473 | VirtualFreeEx(hProcess, mem, 0, MEM_RELEASE); 474 | CloseHandle(hProcess); 475 | End(); 476 | } 477 | 478 | SuspendThread(hThread); 479 | GetThreadContext(hThread, &ctx); 480 | 481 | buffer = VirtualAlloc(NULL, 65536, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 482 | ptr = (LPBYTE)buffer; 483 | ZeroMemory(buffer, 65536); 484 | memcpy(buffer, code, sizeof(code)); 485 | 486 | for (BYTE* ptr = (LPBYTE)buffer; ptr < ((LPBYTE)buffer + 300); ptr++) 487 | { 488 | DWORD64 address = *(DWORD64*)ptr; 489 | if (address == 0xCCCCCCCCCCCCCCCC) 490 | { 491 | system("cls"); 492 | printf(skCrypt("[>] Writing param 1 (rcx)...\n")); 493 | *(DWORD64*)ptr = (DWORD64)mem1; 494 | } 495 | 496 | if (address == 0xAAAAAAAAAAAAAAAA) 497 | { 498 | system("cls"); 499 | printf(skCrypt("[>] Writing function address (rax)...\n")); 500 | *(DWORD64*)ptr = (DWORD64)((PMANUAL_INJECT)mem1 + 1); 501 | } 502 | } 503 | 504 | if (!WriteProcessMemory(hProcess, mem, buffer, sizeof(code), NULL)) // + 0x4 because a DWORD is 0x4 big 505 | { 506 | system("cls"); 507 | printf(skCrypt("[-] Unable to write shellcode into target process (%d)\n"), GetLastError()); 508 | 509 | VirtualFreeEx(hProcess, mem, 0, MEM_RELEASE); 510 | ResumeThread(hThread); 511 | 512 | CloseHandle(hThread); 513 | CloseHandle(hProcess); 514 | 515 | VirtualFree(buffer, 0, MEM_RELEASE); 516 | End(); 517 | } 518 | 519 | ctx.Rip = (DWORD64)mem; 520 | 521 | if (!SetThreadContext(hThread, &ctx)) 522 | { 523 | system("cls"); 524 | printf("[-] Unable to hijack target thread (%d)\n"), GetLastError(); 525 | 526 | VirtualFreeEx(hProcess, mem, 0, MEM_RELEASE); 527 | ResumeThread(hThread); 528 | 529 | CloseHandle(hThread); 530 | CloseHandle(hProcess); 531 | 532 | VirtualFree(buffer, 0, MEM_RELEASE); 533 | End(); 534 | } 535 | 536 | ResumeThread(hThread); 537 | 538 | CloseHandle(hThread); 539 | CloseHandle(hProcess); 540 | 541 | VirtualFree(buffer, 0, MEM_RELEASE); 542 | 543 | system("cls"); 544 | printf(skCrypt("[+] Injected successfully\n")); 545 | 546 | /*printf(xorstr_("[>] Waiting... ")); 547 | for (int i = 1; i <= 10; i++) 548 | { 549 | printf(xorstr_(" %i "), i); 550 | Sleep(1000); 551 | } 552 | printf(xorstr_("\n[+] Wait complete\n"));*/ 553 | 554 | system("cls"); 555 | printf(skCrypt("[>] Restoring anticheat callbacks...\n")); 556 | CallbackSwitch(true); 557 | system("cls"); 558 | printf(skCrypt("[+] Callbacks restored\n")); 559 | 560 | End(); 561 | } 562 | -------------------------------------------------------------------------------- /Client/pclient/pclient.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D} 24 | Win32Proj 25 | pclient 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | false 48 | false 49 | 50 | 51 | Application 52 | false 53 | v143 54 | true 55 | Unicode 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | true 77 | 78 | 79 | false 80 | 81 | 82 | false 83 | 84 | 85 | false 86 | 87 | 88 | 89 | 90 | 91 | Level3 92 | Disabled 93 | true 94 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 95 | true 96 | 97 | 98 | Console 99 | true 100 | 101 | 102 | 103 | 104 | 105 | 106 | Level3 107 | Disabled 108 | false 109 | _DEBUG;_CONSOLE;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions) 110 | true 111 | stdcpp17 112 | Default 113 | false 114 | false 115 | false 116 | false 117 | false 118 | false 119 | None 120 | false 121 | 122 | 123 | Console 124 | false 125 | "C:\Users\Samuel Tulach\Desktop\pdrv\pclient\pclient\ntdll.lib";%(AdditionalDependencies) 126 | 127 | 128 | false 129 | 130 | 131 | 132 | 133 | 134 | 135 | Level3 136 | MaxSpeed 137 | true 138 | true 139 | true 140 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 141 | true 142 | 143 | 144 | Console 145 | true 146 | true 147 | true 148 | 149 | 150 | 151 | 152 | 153 | 154 | Level3 155 | MaxSpeed 156 | true 157 | true 158 | true 159 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 160 | true 161 | 162 | 163 | Console 164 | true 165 | true 166 | true 167 | RequireAdministrator 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | -------------------------------------------------------------------------------- /Client/pclient/pclient.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | {f3a5e199-8393-4b0b-b176-96ac58a2f05f} 9 | 10 | 11 | 12 | 13 | Auth 14 | 15 | 16 | Auth 17 | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /Client/pclient/pclient.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /Client/pclient/skStr.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /*____________________________________________________________________________________________________________ 4 | 5 | Original Author: skadro 6 | Github: https://github.com/skadro-official 7 | License: See end of file 8 | 9 | skCrypter 10 | Compile-time, Usermode + Kernelmode, safe and lightweight string crypter library for C++11+ 11 | 12 | *Not removing this part is appreciated* 13 | ____________________________________________________________________________________________________________*/ 14 | 15 | #ifdef _KERNEL_MODE 16 | namespace std 17 | { 18 | // STRUCT TEMPLATE remove_reference 19 | template 20 | struct remove_reference { 21 | using type = _Ty; 22 | }; 23 | 24 | template 25 | struct remove_reference<_Ty&> { 26 | using type = _Ty; 27 | }; 28 | 29 | template 30 | struct remove_reference<_Ty&&> { 31 | using type = _Ty; 32 | }; 33 | 34 | template 35 | using remove_reference_t = typename remove_reference<_Ty>::type; 36 | 37 | // STRUCT TEMPLATE remove_const 38 | template 39 | struct remove_const { // remove top-level const qualifier 40 | using type = _Ty; 41 | }; 42 | 43 | template 44 | struct remove_const { 45 | using type = _Ty; 46 | }; 47 | 48 | template 49 | using remove_const_t = typename remove_const<_Ty>::type; 50 | } 51 | #else 52 | #include 53 | #endif 54 | 55 | namespace skc 56 | { 57 | template 58 | using clean_type = typename std::remove_const_t>; 59 | 60 | template 61 | class skCrypter 62 | { 63 | public: 64 | __forceinline constexpr skCrypter(T* data) 65 | { 66 | crypt(data); 67 | } 68 | 69 | __forceinline T* get() 70 | { 71 | return _storage; 72 | } 73 | 74 | __forceinline int size() // (w)char count 75 | { 76 | return _size; 77 | } 78 | 79 | __forceinline char key() 80 | { 81 | return _key1; 82 | } 83 | 84 | __forceinline T* encrypt() 85 | { 86 | if (!isEncrypted()) 87 | crypt(_storage); 88 | 89 | return _storage; 90 | } 91 | 92 | __forceinline T* decrypt() 93 | { 94 | if (isEncrypted()) 95 | crypt(_storage); 96 | 97 | return _storage; 98 | } 99 | 100 | __forceinline bool isEncrypted() 101 | { 102 | return _storage[_size - 1] != 0; 103 | } 104 | 105 | __forceinline void clear() // set full storage to 0 106 | { 107 | for (int i = 0; i < _size; i++) 108 | { 109 | _storage[i] = 0; 110 | } 111 | } 112 | 113 | __forceinline operator T* () 114 | { 115 | decrypt(); 116 | 117 | return _storage; 118 | } 119 | 120 | private: 121 | __forceinline constexpr void crypt(T* data) 122 | { 123 | for (int i = 0; i < _size; i++) 124 | { 125 | _storage[i] = data[i] ^ (_key1 + i % (1 + _key2)); 126 | } 127 | } 128 | 129 | T _storage[_size]{}; 130 | }; 131 | } 132 | 133 | #define skCrypt(str) skCrypt_key(str, __TIME__[4], __TIME__[7]) 134 | #define skCrypt_key(str, key1, key2) []() { \ 135 | constexpr static auto crypted = skc::skCrypter \ 136 | >((skc::clean_type*)str); \ 137 | return crypted; }() 138 | 139 | /*________________________________________________________________________________ 140 | 141 | MIT License 142 | 143 | Copyright (c) 2020 skadro 144 | 145 | Permission is hereby granted, free of charge, to any person obtaining a copy 146 | of this software and associated documentation files (the "Software"), to deal 147 | in the Software without restriction, including without limitation the rights 148 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 149 | copies of the Software, and to permit persons to whom the Software is 150 | furnished to do so, subject to the following conditions: 151 | 152 | The above copyright notice and this permission notice shall be included in all 153 | copies or substantial portions of the Software. 154 | 155 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 156 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 157 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 158 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 159 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 160 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 161 | SOFTWARE. 162 | 163 | ________________________________________________________________________________*/ -------------------------------------------------------------------------------- /Client/pclient/x64/Release/pclient.exe.recipe: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | C:\Users\kcxac\Documents\Eac inje\Client\x64\Release\pclient.exe 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /Client/pclient/x64/Release/pclient.iobj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/4b8d0839a69d004ec78d52b4c45cae849640f533/Client/pclient/x64/Release/pclient.iobj -------------------------------------------------------------------------------- /Client/pclient/x64/Release/pclient.ipdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/4b8d0839a69d004ec78d52b4c45cae849640f533/Client/pclient/x64/Release/pclient.ipdb -------------------------------------------------------------------------------- /Client/pclient/x64/Release/pclient.log: -------------------------------------------------------------------------------- 1 |  pclient.cpp 2 | C:\Users\kcxac\Documents\Eac inje\Client\pclient\pclient.cpp(221,9): warning C4129: '[': unrecognized character escape sequence 3 | C:\Users\kcxac\Documents\Eac inje\Client\pclient\pclient.cpp(544,10): warning C4473: 'printf' : not enough arguments passed for format string 4 | C:\Users\kcxac\Documents\Eac inje\Client\pclient\pclient.cpp(544,10): message : placeholders and their parameters expect 1 variadic arguments, but 0 were provided 5 | C:\Users\kcxac\Documents\Eac inje\Client\pclient\pclient.cpp(544,10): message : the missing variadic argument 1 is required by format string '%d' 6 | Generating code 7 | 133 of 251 functions (53.0%) were compiled, the rest were copied from previous compilation. 8 | 96 functions were new in current compilation 9 | 0 functions had inline decision re-evaluated but remain unchanged 10 | Finished generating code 11 | library_x64.lib(auth.obj) : warning LNK4099: PDB '' was not found with 'library_x64.lib(auth.obj)' or at ''; linking object as if no debug info 12 | library_x64.lib(utils.obj) : warning LNK4099: PDB '' was not found with 'library_x64.lib(utils.obj)' or at ''; linking object as if no debug info 13 | library_x64.lib(hmac_sha256.obj) : warning LNK4099: PDB '' was not found with 'library_x64.lib(hmac_sha256.obj)' or at ''; linking object as if no debug info 14 | library_x64.lib(sha256.obj) : warning LNK4099: PDB '' was not found with 'library_x64.lib(sha256.obj)' or at ''; linking object as if no debug info 15 | pclient.vcxproj -> C:\Users\kcxac\Documents\Eac inje\Client\x64\Release\pclient.exe 16 | -------------------------------------------------------------------------------- /Client/pclient/x64/Release/pclient.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/4b8d0839a69d004ec78d52b4c45cae849640f533/Client/pclient/x64/Release/pclient.obj -------------------------------------------------------------------------------- /Client/pclient/x64/Release/pclient.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/4b8d0839a69d004ec78d52b4c45cae849640f533/Client/pclient/x64/Release/pclient.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /Client/pclient/x64/Release/pclient.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/4b8d0839a69d004ec78d52b4c45cae849640f533/Client/pclient/x64/Release/pclient.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /Client/pclient/x64/Release/pclient.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/4b8d0839a69d004ec78d52b4c45cae849640f533/Client/pclient/x64/Release/pclient.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /Client/pclient/x64/Release/pclient.tlog/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/4b8d0839a69d004ec78d52b4c45cae849640f533/Client/pclient/x64/Release/pclient.tlog/link.command.1.tlog -------------------------------------------------------------------------------- /Client/pclient/x64/Release/pclient.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/4b8d0839a69d004ec78d52b4c45cae849640f533/Client/pclient/x64/Release/pclient.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /Client/pclient/x64/Release/pclient.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/4b8d0839a69d004ec78d52b4c45cae849640f533/Client/pclient/x64/Release/pclient.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /Client/pclient/x64/Release/pclient.tlog/pclient.lastbuildstate: -------------------------------------------------------------------------------- 1 | PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.34.31933:TargetPlatformVersion=10.0.22621.0: 2 | Release|x64|C:\Users\kcxac\Documents\Eac inje\Client\| 3 | -------------------------------------------------------------------------------- /Client/pclient/x64/Release/vc143.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/4b8d0839a69d004ec78d52b4c45cae849640f533/Client/pclient/x64/Release/vc143.pdb -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Functionality: 2 | 3 | The driver suspends anti-cheat threads. 4 | It disables AC image load callbacks and protection. 5 | The usermode client manually maps the DLL and hijacks the thread. 6 | The driver restores all callbacks. 7 | The driver resumes AC threads. 8 | 9 | Games tested: 10 | Rust (Steam) 11 | Apex Legends 12 | -------------------------------------------------------------------------------- /driver/pdrv.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.29519.87 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pdrv", "pdrv\pdrv.vcxproj", "{58BA8DEC-BB05-4607-94DF-242B498AE5BC}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|ARM = Debug|ARM 11 | Debug|ARM64 = Debug|ARM64 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|ARM = Release|ARM 15 | Release|ARM64 = Release|ARM64 16 | Release|x64 = Release|x64 17 | Release|x86 = Release|x86 18 | EndGlobalSection 19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 20 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|ARM.ActiveCfg = Debug|ARM 21 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|ARM.Build.0 = Debug|ARM 22 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|ARM.Deploy.0 = Debug|ARM 23 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|ARM64.ActiveCfg = Debug|ARM64 24 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|ARM64.Build.0 = Debug|ARM64 25 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|ARM64.Deploy.0 = Debug|ARM64 26 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|x64.ActiveCfg = Debug|x64 27 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|x64.Build.0 = Debug|x64 28 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|x64.Deploy.0 = Debug|x64 29 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|x86.ActiveCfg = Debug|Win32 30 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|x86.Build.0 = Debug|Win32 31 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|x86.Deploy.0 = Debug|Win32 32 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|ARM.ActiveCfg = Release|ARM 33 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|ARM.Build.0 = Release|ARM 34 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|ARM.Deploy.0 = Release|ARM 35 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|ARM64.ActiveCfg = Release|ARM64 36 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|ARM64.Build.0 = Release|ARM64 37 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|ARM64.Deploy.0 = Release|ARM64 38 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|x64.ActiveCfg = Release|x64 39 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|x64.Build.0 = Release|x64 40 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|x64.Deploy.0 = Release|x64 41 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|x86.ActiveCfg = Release|Win32 42 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|x86.Build.0 = Release|Win32 43 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|x86.Deploy.0 = Release|Win32 44 | EndGlobalSection 45 | GlobalSection(SolutionProperties) = preSolution 46 | HideSolutionNode = FALSE 47 | EndGlobalSection 48 | GlobalSection(ExtensibilityGlobals) = postSolution 49 | SolutionGuid = {52D18CE6-C821-41B3-8F39-16BB1017D6F8} 50 | EndGlobalSection 51 | EndGlobal 52 | -------------------------------------------------------------------------------- /driver/pdrv/Callbacks.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "Log.h" 4 | #include "Callbacks.h" 5 | 6 | /* 7 | Sorry for inconsistent types and naming. This code was ported from 8 | one driver to another and I have lost a track of it (little bit). 9 | */ 10 | 11 | // https://www.unknowncheats.me/forum/arma-2-a/175227-driver-disable-process-thread-object-callbacks.html 12 | 13 | // https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes 14 | #define DRIVER_ALT "327530" 15 | 16 | /// 17 | /// Dummy precallback 18 | /// 19 | /// Dummy status 20 | OB_PREOP_CALLBACK_STATUS DummyObjectPreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation) 21 | { 22 | UNREFERENCED_PARAMETER(RegistrationContext); 23 | UNREFERENCED_PARAMETER(OperationInformation); 24 | return(OB_PREOP_SUCCESS); 25 | } 26 | 27 | /// 28 | /// Dummy postcallback 29 | /// 30 | /// Dummy status 31 | VOID DummyObjectPostCallback(PVOID RegistrationContext, POB_POST_OPERATION_INFORMATION OperationInformation) 32 | { 33 | UNREFERENCED_PARAMETER(RegistrationContext); 34 | UNREFERENCED_PARAMETER(OperationInformation); 35 | return; 36 | } 37 | 38 | /// 39 | /// Bruteforces offset 40 | /// 41 | /// Callback offset 42 | QWORD GetCallbackListOffset() 43 | { 44 | POBJECT_TYPE procType = *PsProcessType; 45 | 46 | __try { 47 | if (procType && MmIsAddressValid((void*)procType)) { 48 | for (int i = 0xF8; i > 0; i -= 8) { 49 | QWORD first = *(QWORD*)((QWORD)procType + i), second = *(QWORD*)((QWORD)procType + (i + 8)); 50 | if (first && MmIsAddressValid((void*)first) && second && MmIsAddressValid((void*)second)) { 51 | QWORD test1First = *(QWORD*)(first + 0x0), test1Second = *(QWORD*)(first + 0x8); 52 | if (test1First && MmIsAddressValid((void*)test1First) && test1Second && MmIsAddressValid((void*)test1Second)) { 53 | QWORD testObjectType = *(QWORD*)(first + 0x20); 54 | if (testObjectType == (QWORD)procType) 55 | return((QWORD)i); 56 | } 57 | } 58 | } 59 | } 60 | } 61 | __except (EXCEPTION_EXECUTE_HANDLER) { 62 | Log("There was fatal error in %s", __FUNCTION__); 63 | return(0); 64 | } 65 | 66 | return 0; 67 | } 68 | 69 | /// 70 | /// Disables all anticheat callsback to allow access from usermode 71 | /// 72 | /// Pointer to callback object to we can restore them later 73 | /// Callback offset 74 | void Disable(POLD_CALLBACKS oldCallbacks) { 75 | POBJECT_TYPE procType = *PsProcessType; 76 | if (procType && MmIsAddressValid((void*)procType)) { 77 | __try { 78 | QWORD callbackListOffset = GetCallbackListOffset(); 79 | if (callbackListOffset && MmIsAddressValid((void*)((QWORD)procType + callbackListOffset))) { 80 | LIST_ENTRY* callbackList = (LIST_ENTRY*)((QWORD)procType + callbackListOffset); 81 | if (callbackList->Flink && MmIsAddressValid((void*)callbackList->Flink)) { 82 | CALLBACK_ENTRY_ITEM* firstCallback = (CALLBACK_ENTRY_ITEM*)callbackList->Flink; 83 | CALLBACK_ENTRY_ITEM* curCallback = firstCallback; 84 | 85 | do { 86 | // Make sure the callback is valid. 87 | if (curCallback && MmIsAddressValid((void*)curCallback) && MmIsAddressValid((void*)curCallback->CallbackEntry)) { 88 | ANSI_STRING altitudeAnsi = { 0 }; 89 | UNICODE_STRING altitudeUni = curCallback->CallbackEntry->Altitude; 90 | RtlUnicodeStringToAnsiString(&altitudeAnsi, &altitudeUni, 1); 91 | 92 | if (!strcmp(altitudeAnsi.Buffer, DRIVER_ALT)) { 93 | if (curCallback->PreOperation) { 94 | oldCallbacks->PreOperationProc = (QWORD)curCallback->PreOperation; 95 | curCallback->PreOperation = DummyObjectPreCallback; 96 | } 97 | if (curCallback->PostOperation) { 98 | oldCallbacks->PostOperationProc = (QWORD)curCallback->PostOperation; 99 | curCallback->PostOperation = DummyObjectPostCallback; 100 | } 101 | RtlFreeAnsiString(&altitudeAnsi); 102 | break; 103 | } 104 | 105 | RtlFreeAnsiString(&altitudeAnsi); 106 | } 107 | 108 | // Get the next callback. 109 | curCallback = (CALLBACK_ENTRY_ITEM*)(curCallback->CallbackList.Flink); 110 | } while (curCallback != firstCallback); 111 | } 112 | } 113 | } 114 | __except (EXCEPTION_EXECUTE_HANDLER) { 115 | Log("There was fatal error in %s", __FUNCTION__); 116 | return; 117 | } 118 | } 119 | 120 | POBJECT_TYPE threadType = *PsThreadType; 121 | if (threadType && MmIsAddressValid((void*)threadType)) { 122 | __try { 123 | QWORD callbackListOffset = GetCallbackListOffset(); 124 | if (callbackListOffset && MmIsAddressValid((void*)((QWORD)threadType + callbackListOffset))) { 125 | LIST_ENTRY* callbackList = (LIST_ENTRY*)((QWORD)threadType + callbackListOffset); 126 | if (callbackList->Flink && MmIsAddressValid((void*)callbackList->Flink)) { 127 | CALLBACK_ENTRY_ITEM* firstCallback = (CALLBACK_ENTRY_ITEM*)callbackList->Flink; 128 | CALLBACK_ENTRY_ITEM* curCallback = firstCallback; 129 | 130 | do { 131 | // Make sure the callback is valid. 132 | if (curCallback && MmIsAddressValid((void*)curCallback) && MmIsAddressValid((void*)curCallback->CallbackEntry)) { 133 | ANSI_STRING altitudeAnsi = { 0 }; 134 | UNICODE_STRING altitudeUni = curCallback->CallbackEntry->Altitude; 135 | RtlUnicodeStringToAnsiString(&altitudeAnsi, &altitudeUni, 1); 136 | 137 | if (!strcmp(altitudeAnsi.Buffer, DRIVER_ALT)) { 138 | if (curCallback->PreOperation) { 139 | oldCallbacks->PreOperationThread = (QWORD)curCallback->PreOperation; 140 | curCallback->PreOperation = DummyObjectPreCallback; 141 | } 142 | if (curCallback->PostOperation) { 143 | oldCallbacks->PostOperationThread = (QWORD)curCallback->PostOperation; 144 | curCallback->PostOperation = DummyObjectPostCallback; 145 | } 146 | RtlFreeAnsiString(&altitudeAnsi); 147 | break; 148 | } 149 | 150 | RtlFreeAnsiString(&altitudeAnsi); 151 | } 152 | 153 | // Get the next callback. 154 | curCallback = (CALLBACK_ENTRY_ITEM*)(curCallback->CallbackList.Flink); 155 | } while (curCallback != firstCallback); 156 | } 157 | } 158 | } 159 | __except (EXCEPTION_EXECUTE_HANDLER) { 160 | Log("There was fatal error in %s", __FUNCTION__); 161 | return; 162 | } 163 | } 164 | } 165 | 166 | /// 167 | /// Restores anticheat callbacks 168 | /// 169 | /// Pointer to callback object 170 | /// Callback offset 171 | void Restore(POLD_CALLBACKS oldCallbacks) { 172 | POBJECT_TYPE procType = *PsProcessType; 173 | if (procType && MmIsAddressValid((void*)procType)) { 174 | __try { 175 | QWORD callbackListOffset = GetCallbackListOffset(); 176 | if (callbackListOffset && MmIsAddressValid((void*)((QWORD)procType + callbackListOffset))) { 177 | LIST_ENTRY* callbackList = (LIST_ENTRY*)((QWORD)procType + callbackListOffset); 178 | if (callbackList->Flink && MmIsAddressValid((void*)callbackList->Flink)) { 179 | CALLBACK_ENTRY_ITEM* firstCallback = (CALLBACK_ENTRY_ITEM*)callbackList->Flink; 180 | CALLBACK_ENTRY_ITEM* curCallback = firstCallback; 181 | 182 | do { 183 | // Make sure the callback is valid. 184 | if (curCallback && MmIsAddressValid((void*)curCallback) && MmIsAddressValid((void*)curCallback->CallbackEntry)) { 185 | ANSI_STRING altitudeAnsi = { 0 }; 186 | UNICODE_STRING altitudeUni = curCallback->CallbackEntry->Altitude; 187 | RtlUnicodeStringToAnsiString(&altitudeAnsi, &altitudeUni, 1); 188 | 189 | if (!strcmp(altitudeAnsi.Buffer, DRIVER_ALT)) { 190 | if (curCallback->PreOperation && oldCallbacks->PreOperationProc) 191 | curCallback->PreOperation = (POB_PRE_OPERATION_CALLBACK)oldCallbacks->PreOperationProc; 192 | if (curCallback->PostOperation && oldCallbacks->PostOperationProc) 193 | curCallback->PostOperation = (POB_POST_OPERATION_CALLBACK)oldCallbacks->PostOperationProc; 194 | RtlFreeAnsiString(&altitudeAnsi); 195 | break; 196 | } 197 | 198 | RtlFreeAnsiString(&altitudeAnsi); 199 | } 200 | 201 | // Get the next callback. 202 | curCallback = (CALLBACK_ENTRY_ITEM*)(curCallback->CallbackList.Flink); 203 | } while (curCallback != firstCallback); 204 | } 205 | } 206 | } 207 | __except (EXCEPTION_EXECUTE_HANDLER) { 208 | Log("There was fatal error in %s", __FUNCTION__); 209 | return; 210 | } 211 | } 212 | 213 | POBJECT_TYPE threadType = *PsThreadType; 214 | if (threadType && MmIsAddressValid((void*)threadType)) { 215 | __try { 216 | QWORD callbackListOffset = GetCallbackListOffset(); 217 | if (callbackListOffset && MmIsAddressValid((void*)((QWORD)threadType + callbackListOffset))) { 218 | LIST_ENTRY* callbackList = (LIST_ENTRY*)((QWORD)threadType + callbackListOffset); 219 | if (callbackList->Flink && MmIsAddressValid((void*)callbackList->Flink)) { 220 | CALLBACK_ENTRY_ITEM* firstCallback = (CALLBACK_ENTRY_ITEM*)callbackList->Flink; 221 | CALLBACK_ENTRY_ITEM* curCallback = firstCallback; 222 | 223 | do { 224 | // Make sure the callback is valid. 225 | if (curCallback && MmIsAddressValid((void*)curCallback) && MmIsAddressValid((void*)curCallback->CallbackEntry)) { 226 | ANSI_STRING altitudeAnsi = { 0 }; 227 | UNICODE_STRING altitudeUni = curCallback->CallbackEntry->Altitude; 228 | RtlUnicodeStringToAnsiString(&altitudeAnsi, &altitudeUni, 1); 229 | 230 | if (!strcmp(altitudeAnsi.Buffer, DRIVER_ALT)) { 231 | if (curCallback->PreOperation && oldCallbacks->PreOperationThread) 232 | curCallback->PreOperation = (POB_PRE_OPERATION_CALLBACK)oldCallbacks->PreOperationThread; 233 | if (curCallback->PostOperation && oldCallbacks->PostOperationThread) 234 | curCallback->PostOperation = (POB_POST_OPERATION_CALLBACK)oldCallbacks->PostOperationThread; 235 | RtlFreeAnsiString(&altitudeAnsi); 236 | break; 237 | } 238 | 239 | RtlFreeAnsiString(&altitudeAnsi); 240 | } 241 | 242 | // Get the next callback. 243 | curCallback = (CALLBACK_ENTRY_ITEM*)(curCallback->CallbackList.Flink); 244 | } while (curCallback != firstCallback); 245 | } 246 | } 247 | } 248 | __except (EXCEPTION_EXECUTE_HANDLER) { 249 | Log("There was fatal error in %s", __FUNCTION__); 250 | return; 251 | } 252 | } 253 | } -------------------------------------------------------------------------------- /driver/pdrv/Callbacks.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define WORD USHORT 4 | #define QWORD UINT64 5 | 6 | // OLD_CALLBACKS 7 | typedef struct _OLD_CALLBACKS { 8 | QWORD PreOperationProc; 9 | QWORD PostOperationProc; 10 | QWORD PreOperationThread; 11 | QWORD PostOperationThread; 12 | } OLD_CALLBACKS, * POLD_CALLBACKS; 13 | 14 | // CALLBACK_ENTRY 15 | typedef struct _CALLBACK_ENTRY { 16 | WORD Version; // 0x0 17 | WORD OperationRegistrationCount; // 0x2 18 | DWORD unk1; // 0x4 19 | PVOID RegistrationContext; // 0x8 20 | UNICODE_STRING Altitude; // 0x10 21 | } CALLBACK_ENTRY, * PCALLBACK_ENTRY; // header size: 0x20 (0x6C if you count the array afterwards - this is only the header. The array of CALLBACK_ENTRY_ITEMs is useless.) 22 | 23 | // CALLBACK_ENTRY_ITEM 24 | typedef struct _CALLBACK_ENTRY_ITEM { 25 | LIST_ENTRY CallbackList; // 0x0 26 | OB_OPERATION Operations; // 0x10 27 | DWORD Active; // 0x14 28 | CALLBACK_ENTRY* CallbackEntry; // 0x18 29 | PVOID ObjectType; // 0x20 30 | POB_PRE_OPERATION_CALLBACK PreOperation; // 0x28 31 | POB_POST_OPERATION_CALLBACK PostOperation; // 0x30 32 | QWORD unk1; // 0x38 33 | } CALLBACK_ENTRY_ITEM, * PCALLBACK_ENTRY_ITEM; // size: 0x40 34 | 35 | void Disable(POLD_CALLBACKS oldCallbacks); 36 | void Restore(POLD_CALLBACKS oldCallbacks); -------------------------------------------------------------------------------- /driver/pdrv/Driver.c: -------------------------------------------------------------------------------- 1 | /* 2 | _ 3 | _ __ __| |_ ___ __ 4 | | '_ \/ _` | '_\ V / 5 | | .__/\__,_|_| \_/ 6 | |_| 7 | 8 | Copyright (c) 2019 Samuel Tulach - All rights reserved 9 | 10 | Used sources: 11 | - BlackBone Driver 12 | - (c) 2015 DarthTon 13 | - MIT 14 | - https://github.com/DarthTon/Blackbone 15 | 16 | Tested on Windows 10 x64 1909 18363.476 17 | */ 18 | 19 | #include "ntifs.h" 20 | #include "ntstrsafe.h" 21 | #include "Log.h" 22 | #include "Structs.h" 23 | #include "Private.h" 24 | #include "Funcs.h" 25 | #include "Imports.h" 26 | #include "Callbacks.h" 27 | #include "Utils.h" 28 | #include "Callbacks.h" 29 | #include "Shared.h" 30 | 31 | #pragma warning( disable : 4152 ) 32 | 33 | static ULONG64 ArrTID[0x256] = { 0 }; 34 | static ULONG ThreadNumber = 0; 35 | static OLD_CALLBACKS OldCallbacks = { 0 }; 36 | static HANDLE Threads[0x256] = { 0 }; 37 | 38 | /// 39 | /// Function executed when our hooked func is called 40 | /// 41 | /// Dummy arg 42 | /// Dummy arg 43 | /// Argument used to indentify request 44 | /// Status 45 | NTSTATUS HookHandler(UINT_PTR DontUse1, UINT_PTR DontUse2, PULONG32 Code) 46 | { 47 | UNREFERENCED_PARAMETER(DontUse1); 48 | UNREFERENCED_PARAMETER(DontUse2); 49 | 50 | Log("[+] Hook call with code %x", *Code); 51 | 52 | if (!(*Code == CODE_DISABLE || *Code == CODE_RESTORE)) 53 | { 54 | Log("[-] Invalid code"); 55 | return STATUS_CANCELLED; 56 | } 57 | 58 | SwitchMode(FALSE); 59 | 60 | if (*Code == CODE_DISABLE) 61 | { 62 | // Get anticheat threads to manupulate them 63 | Log("[>] Gettting anticheat threads..."); 64 | NTSTATUS status = GetDriverThreads("EasyAntiCheat.sys", &ThreadNumber, ArrTID); 65 | if (!NT_SUCCESS(status) || ThreadNumber == 0) 66 | { 67 | Log("[-] Failed to get anticheat threads"); 68 | } 69 | Log("[+] Found %u threads", ThreadNumber); 70 | 71 | // Suspend threads 72 | Log("[>] Suspending threads..."); 73 | for (ULONG i = 0; i < ThreadNumber; i++) 74 | { 75 | Threads[i] = OpenThread(THREAD_ALL_ACCESS, FALSE, (DWORD)ArrTID[i]); 76 | status = SuspendThread(Threads[i]); 77 | Log("[+] Thread with HANDLE %p suspended (%x)", Threads[i], status); 78 | } 79 | 80 | // Unregister callbacks 81 | Log("[>] Disabling anticheat callbacks..."); 82 | Disable(&OldCallbacks); 83 | Log("[+] Callbacks disabled"); 84 | } 85 | 86 | if (*Code == CODE_RESTORE) 87 | { 88 | // TODO: Check if CODE_DISABLE was called first 89 | 90 | // Resume threads 91 | Log("[>] Resuming threads..."); 92 | for (ULONG i = 0; i < ThreadNumber; i++) 93 | { 94 | Threads[i] = OpenThread(THREAD_ALL_ACCESS, FALSE, (DWORD)ArrTID[i]); 95 | ResumeThread(Threads[i]); 96 | Log("[+] Thread with HANDLE %p resumed", Threads[i]); 97 | } 98 | 99 | // Restore old callbacks 100 | Log("[>] Restoring anticheat callbacks..."); 101 | Restore(&OldCallbacks); 102 | Log("[+] Callbacks restored"); 103 | } 104 | 105 | SwitchMode(TRUE); 106 | 107 | return STATUS_SUCCESS; 108 | } 109 | 110 | /// 111 | /// Driver main entry point 112 | /// 113 | /// DriverObject pointer 114 | /// Status 115 | NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) 116 | { 117 | // Both are undefined when we manual map the driver 118 | UNREFERENCED_PARAMETER(DriverObject); 119 | UNREFERENCED_PARAMETER(RegistryPath); 120 | 121 | // Print some copyright because that's what matters the most 122 | Log("\n\npdrv\n"); 123 | 124 | // Hook NtQueryIntervalProfile 125 | Log("[>] Hooking functions..."); 126 | 127 | PVOID ntosbase = GetKernelBase(NULL); 128 | if (!ntosbase) 129 | { 130 | Log("[-] Failed to get kernel base"); 131 | return STATUS_CANCELLED; 132 | } 133 | Log("[+] Kernel base: %p", ntosbase); 134 | 135 | PVOID* dsptbl = (PVOID*)(RtlFindExportedRoutineByName(ntosbase, "HalDispatchTable")); 136 | if (!dsptbl) 137 | { 138 | Log("[-] Failed to get HalDispatchTable"); 139 | return STATUS_CANCELLED; 140 | } 141 | Log("[+] HalDispatchTable: %p", dsptbl); 142 | 143 | dsptbl[1] = &HookHandler; 144 | 145 | Log("[+] Functions hoooked"); 146 | 147 | // Return dummy status 148 | return STATUS_SUCCESS; 149 | } 150 | -------------------------------------------------------------------------------- /driver/pdrv/Funcs.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "Log.h" 4 | #include "Structs.h" 5 | #include "Private.h" 6 | #include "Imports.h" 7 | #include "Utils.h" 8 | #include "Funcs.h" 9 | 10 | #define SSDT_NTSUSPENDTHRED 438 11 | #define SSDT_RESUMETHREAD 82 12 | #define SSDT_TERMINATETHREAD 83 13 | 14 | static NTSTATUS 15 | (__fastcall* NtSuspendThread)( 16 | __in HANDLE ThreadHandle, 17 | __out_opt PULONG PreviousSuspendCount 18 | ); 19 | 20 | static NTSTATUS 21 | (__fastcall* NtTerminateThread)( 22 | __in HANDLE ThreadHandle, 23 | DWORD dwExitCode 24 | ); 25 | 26 | 27 | static NTSTATUS 28 | (__fastcall* NtResumeThread)( 29 | __in HANDLE ThreadHandle, 30 | __out_opt PULONG PreviousSuspendCount 31 | ); 32 | 33 | /// 34 | /// Open HANDLE to the thread 35 | /// 36 | /// Desired access 37 | /// Inherit handle 38 | /// Thread ID 39 | /// HANDLE for thread 40 | HANDLE OpenThread(DWORD dwDesiredAccess, BOOLEAN bInheritHandle, DWORD dwThreadId) 41 | { 42 | OBJECT_ATTRIBUTES ObjectAttributes = { 0, }; 43 | CLIENT_ID ClientId = { 0, }; 44 | HANDLE hThread = NULL; 45 | NTSTATUS Status; 46 | 47 | InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL); 48 | 49 | if (bInheritHandle) { 50 | ObjectAttributes.Attributes = OBJ_INHERIT; 51 | } 52 | 53 | ClientId.UniqueProcess = NULL; 54 | ClientId.UniqueThread = (HANDLE)dwThreadId; 55 | 56 | Status = ZwOpenThread(&hThread, 57 | dwDesiredAccess, 58 | &ObjectAttributes, 59 | &ClientId); 60 | return hThread; 61 | } 62 | 63 | /// 64 | /// Suspend (pause) thread 65 | /// 66 | /// HANDLE to desired thread 67 | /// Status 68 | NTSTATUS SuspendThread(__in HANDLE ThreadHandle) 69 | { 70 | NTSTATUS Status; 71 | fnNtSuspendThread suspth = (fnNtSuspendThread)(ULONG_PTR)GetSSDTEntry(SSDT_NTSUSPENDTHRED); // Warning! Latest Windows has changed this! 72 | Status = suspth(ThreadHandle, 0); 73 | return Status; 74 | } 75 | 76 | /// 77 | /// Terminate thread 78 | /// 79 | /// HANDLE to desired thread 80 | /// Status 81 | NTSTATUS TerminateThread(__in HANDLE ThreadHandle) 82 | { 83 | NTSTATUS Status; 84 | fnNtTerminateThread termth = (fnNtTerminateThread)(ULONG_PTR)GetSSDTEntry(SSDT_TERMINATETHREAD); 85 | Status = termth(ThreadHandle, 0); 86 | return Status; 87 | } 88 | 89 | /// 90 | /// Resume (unpause) thread 91 | /// 92 | /// HANDLE to desired thread 93 | /// Status 94 | NTSTATUS ResumeThread(__in HANDLE ThreadHandle) 95 | { 96 | NTSTATUS Status; 97 | NtResumeThread = (NTSTATUS(__cdecl*)(HANDLE, PULONG))GetSSDTEntry(SSDT_RESUMETHREAD); 98 | Status = NtResumeThread(ThreadHandle, NULL); 99 | return Status; 100 | } 101 | 102 | /// 103 | /// Get base address of system module 104 | /// 105 | /// Name of module 106 | /// Found address, 0 if not found 107 | PVOID GetModuleBase(IN char* ModuleName, OUT ULONG64* BaseAddr, OUT ULONG* DriverSize) 108 | { 109 | NTSTATUS status = STATUS_SUCCESS; 110 | ULONG bytes = 0; 111 | PRTL_PROCESS_MODULES pMods = NULL; 112 | UNICODE_STRING routineName; 113 | 114 | RtlUnicodeStringInit(&routineName, L"NtOpenFile"); 115 | 116 | // Protect from UserMode AV 117 | status = ZwQuerySystemInformation(SystemModuleInformation, 0, bytes, &bytes); 118 | if (bytes == 0) 119 | { 120 | //DPRINT("BlackBone: %s: Invalid SystemModuleInformation size\n", __FUNCTION__); 121 | Log("[-] Invalid SystemModuleInformation size"); 122 | return NULL; 123 | } 124 | 125 | pMods = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, bytes, POOL_TAG); 126 | RtlZeroMemory(pMods, bytes); 127 | 128 | status = ZwQuerySystemInformation(SystemModuleInformation, pMods, bytes, &bytes); 129 | 130 | if (NT_SUCCESS(status)) 131 | { 132 | for (ULONG i = 0; i < pMods->NumberOfModules; i++) 133 | { 134 | // System routine is inside module 135 | if ((PVOID)pMods->Modules[i].ImageBase > (PVOID)0x8000000000000000) 136 | { 137 | char* pDrvName = (char*)(pMods->Modules[i].FullPathName) + pMods->Modules[i].OffsetToFileName; 138 | if (_stricmp(pDrvName, ModuleName) == 0) { 139 | *BaseAddr = (ULONG64)(pMods->Modules[i].ImageBase); 140 | *DriverSize = (ULONG64)(pMods->Modules[i].ImageSize); 141 | return (PVOID)(pMods->Modules[i].ImageBase); 142 | } 143 | } 144 | } 145 | } 146 | 147 | if (pMods) 148 | ExFreePoolWithTag(pMods, POOL_TAG); 149 | 150 | return 0; 151 | } 152 | 153 | // TODO: Comment 154 | /// 155 | /// ApcpQuerySystemProcessInformation 156 | /// 157 | /// Status 158 | NTSTATUS ApcpQuerySystemProcessInformation(PSYSTEM_PROCESS_INFORMATION* SystemInfo) 159 | { 160 | PSYSTEM_PROCESS_INFORMATION pBuffer = NULL; 161 | ULONG BufferSize = 0; 162 | ULONG RequiredSize = 0; 163 | 164 | NTSTATUS status = STATUS_SUCCESS; 165 | while ((status = ZwQuerySystemInformation( 166 | SystemProcessInformation, 167 | pBuffer, 168 | BufferSize, 169 | &RequiredSize//retn Length 170 | )) == STATUS_INFO_LENGTH_MISMATCH) 171 | { 172 | BufferSize = RequiredSize; 173 | pBuffer = (PSYSTEM_PROCESS_INFORMATION)ExAllocatePool(PagedPool, BufferSize); 174 | } 175 | 176 | if (!NT_SUCCESS(status)) 177 | { 178 | if (pBuffer != NULL) 179 | { 180 | ExFreePool(pBuffer); 181 | } 182 | 183 | return status; 184 | } 185 | *SystemInfo = pBuffer; 186 | return status; 187 | } 188 | 189 | // TODO: Comment 190 | /// 191 | /// Gets information about thread 192 | /// 193 | /// Status 194 | NTSTATUS GetProcessThreadInfo(IN ULONG Pid, OUT ULONG* ThreadNuber, OUT PULONG64 Tid, OUT PULONG64 StartAddr) 195 | { 196 | PEPROCESS pEProcess; 197 | PSYSTEM_PROCESS_INFORMATION OriginalSystemProcessInfo = NULL; 198 | NTSTATUS status = PsLookupProcessByProcessId((HANDLE)Pid, &pEProcess); 199 | if (!NT_SUCCESS(status)) 200 | { 201 | return status; 202 | } 203 | if (MmIsAddressValid(ThreadNuber) == 0) 204 | { 205 | status = STATUS_UNSUCCESSFUL; 206 | return status; 207 | } 208 | if (MmIsAddressValid(StartAddr) == 0) 209 | { 210 | status = STATUS_UNSUCCESSFUL; 211 | return status; 212 | } 213 | if (MmIsAddressValid(Tid) == 0) 214 | { 215 | status = STATUS_UNSUCCESSFUL; 216 | return status; 217 | } 218 | status = ApcpQuerySystemProcessInformation(&OriginalSystemProcessInfo); 219 | if (!NT_SUCCESS(status)) 220 | { 221 | ObDereferenceObject(pEProcess); 222 | return status; 223 | } 224 | PSYSTEM_PROCESS_INFORMATION SystemProcessInfo = OriginalSystemProcessInfo; 225 | status = STATUS_NOT_FOUND; 226 | do 227 | { 228 | if (SystemProcessInfo->UniqueProcessId == PsGetProcessId(pEProcess)) 229 | { 230 | status = STATUS_SUCCESS; 231 | break; 232 | } 233 | 234 | SystemProcessInfo = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)SystemProcessInfo + SystemProcessInfo->NextEntryOffset); 235 | } while (SystemProcessInfo->NextEntryOffset != 0); 236 | 237 | if (!NT_SUCCESS(status)) 238 | { 239 | ObDereferenceObject(pEProcess); 240 | ExFreePool(OriginalSystemProcessInfo); 241 | return status; 242 | } 243 | *ThreadNuber = SystemProcessInfo->NumberOfThreads; 244 | 245 | for (ULONG Index = 0; Index < SystemProcessInfo->NumberOfThreads; ++Index) 246 | { 247 | HANDLE UniqueThreadId = SystemProcessInfo->Threads[Index].ClientId.UniqueThread; 248 | Tid[Index] = (ULONG64)UniqueThreadId; 249 | StartAddr[Index] = (ULONG64)SystemProcessInfo->Threads[Index].StartAddress; 250 | } 251 | 252 | ObDereferenceObject(pEProcess); 253 | return status; 254 | } 255 | 256 | /// 257 | /// Gets driver threads 258 | /// 259 | /// Name of module 260 | /// Number of threads 261 | /// Threads IDs (array) 262 | /// Found address, 0 if not found 263 | NTSTATUS GetDriverThreads(char* DriverName, OUT ULONG* ThreadNuber, OUT PULONG64 Tid) 264 | { 265 | ULONG64 DriverBaseAddr = 0; 266 | ULONG DriverSize = 0; 267 | ULONG Number = 0; 268 | ULONG64 __Tid[0x256] = { 0 }; 269 | ULONG64 __ThreadStartAddr[0x256] = { 0 }; 270 | NTSTATUS Status = STATUS_UNSUCCESSFUL; 271 | ULONG Count = 0; 272 | GetModuleBase(DriverName, &DriverBaseAddr, &DriverSize); 273 | 274 | if (DriverBaseAddr == 0 || DriverSize == 0) { 275 | Log("[-] Driver base is 0"); 276 | return Status; 277 | } 278 | Status = GetProcessThreadInfo(4, &Number, __Tid, __ThreadStartAddr); 279 | if (!NT_SUCCESS(Status)) { 280 | Log("[-] Failed to get thread info"); 281 | return Status; 282 | } 283 | for (ULONG i = 0; i < Number; i++) 284 | { 285 | if (__ThreadStartAddr[i] >= DriverBaseAddr) 286 | { 287 | if (__ThreadStartAddr[i] <= DriverBaseAddr + DriverSize) 288 | { 289 | Tid[Count] = __Tid[i]; 290 | Count++; 291 | } 292 | } 293 | } 294 | *ThreadNuber = Count; 295 | return STATUS_SUCCESS; 296 | } -------------------------------------------------------------------------------- /driver/pdrv/Funcs.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | typedef NTSTATUS(NTAPI* fnNtTerminateThread)(IN HANDLE ThreadHandle, IN NTSTATUS ExitStatus); 4 | typedef NTSTATUS(NTAPI* fnNtSuspendThread)(IN HANDLE ThreadHandle, OUT PULONG PreviousSuspendCount); 5 | 6 | HANDLE OpenThread(DWORD dwDesiredAccess, BOOLEAN bInheritHandle, DWORD dwThreadId); 7 | NTSTATUS SuspendThread(__in HANDLE ThreadHandle); 8 | NTSTATUS TerminateThread(__in HANDLE ThreadHandle); 9 | NTSTATUS ResumeThread(HANDLE hThread); 10 | PVOID GetModuleBase(IN char* ModuleName, OUT ULONG64* BaseAddr, OUT ULONG* DriverSize); 11 | NTSTATUS ApcpQuerySystemProcessInformation(PSYSTEM_PROCESS_INFORMATION* SystemInfo); 12 | NTSTATUS GetProcessThreadInfo(IN ULONG Pid, OUT ULONG* ThreadNuber, OUT PULONG64 Tid, OUT PULONG64 StartAddr); 13 | NTSTATUS GetDriverThreads(char* DriverName, OUT ULONG* ThreadNuber, OUT PULONG64 Tid); -------------------------------------------------------------------------------- /driver/pdrv/Imports.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | NTSYSAPI 4 | NTSTATUS 5 | NTAPI 6 | ZwQuerySystemInformation( 7 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 8 | OUT PVOID SystemInformation, 9 | IN ULONG SystemInformationLength, 10 | OUT PULONG ReturnLength OPTIONAL 11 | ); 12 | 13 | NTSYSAPI 14 | PIMAGE_NT_HEADERS 15 | NTAPI 16 | RtlImageNtHeader(PVOID Base); 17 | 18 | NTSTATUS 19 | NTAPI 20 | ZwOpenThread( 21 | _Out_ PHANDLE ThreadHandle, 22 | _In_ ACCESS_MASK DesiredAccess, 23 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 24 | _In_opt_ PCLIENT_ID ClientId 25 | ); 26 | 27 | NTKERNELAPI 28 | PVOID 29 | NTAPI 30 | RtlFindExportedRoutineByName( 31 | _In_ PVOID ImageBase, 32 | _In_ PCCH RoutineNam 33 | ); 34 | 35 | CHAR* PsGetProcessImageFileName( 36 | _In_ PEPROCESS Process 37 | ); -------------------------------------------------------------------------------- /driver/pdrv/Log.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define Log(x, ...) DbgPrintEx(0, 0, x, __VA_ARGS__) -------------------------------------------------------------------------------- /driver/pdrv/Private.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "Log.h" 4 | #include "Structs.h" 5 | #include "Imports.h" 6 | #include "Utils.h" 7 | 8 | PVOID g_KernelBase = NULL; 9 | ULONG g_KernelSize = 0; 10 | PSYSTEM_SERVICE_DESCRIPTOR_TABLE g_SSDT = NULL; 11 | 12 | /// 13 | /// Get ntoskrnl base address 14 | /// 15 | /// Size of module 16 | /// Found address, NULL if not found 17 | PVOID GetKernelBase(OUT PULONG pSize) 18 | { 19 | NTSTATUS status = STATUS_SUCCESS; 20 | ULONG bytes = 0; 21 | PRTL_PROCESS_MODULES pMods = NULL; 22 | PVOID checkPtr = NULL; 23 | UNICODE_STRING routineName; 24 | 25 | // Already found 26 | if (g_KernelBase != NULL) 27 | { 28 | if (pSize) 29 | *pSize = g_KernelSize; 30 | return g_KernelBase; 31 | } 32 | 33 | RtlUnicodeStringInit(&routineName, L"NtOpenFile"); 34 | 35 | checkPtr = MmGetSystemRoutineAddress(&routineName); 36 | if (checkPtr == NULL) 37 | return NULL; 38 | 39 | // Protect from UserMode AV 40 | status = ZwQuerySystemInformation(SystemModuleInformation, 0, bytes, &bytes); 41 | if (bytes == 0) 42 | { 43 | //DPRINT("BlackBone: %s: Invalid SystemModuleInformation size\n", __FUNCTION__); 44 | Log("[-] Invalid SystemModuleInformation size"); 45 | return NULL; 46 | } 47 | 48 | pMods = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, bytes, POOL_TAG); 49 | RtlZeroMemory(pMods, bytes); 50 | 51 | status = ZwQuerySystemInformation(SystemModuleInformation, pMods, bytes, &bytes); 52 | 53 | if (NT_SUCCESS(status)) 54 | { 55 | PRTL_PROCESS_MODULE_INFORMATION pMod = pMods->Modules; 56 | 57 | for (ULONG i = 0; i < pMods->NumberOfModules; i++) 58 | { 59 | // System routine is inside module 60 | if (checkPtr >= pMod[i].ImageBase && 61 | checkPtr < (PVOID)((PUCHAR)pMod[i].ImageBase + pMod[i].ImageSize)) 62 | { 63 | g_KernelBase = pMod[i].ImageBase; 64 | g_KernelSize = pMod[i].ImageSize; 65 | if (pSize) 66 | *pSize = g_KernelSize; 67 | break; 68 | } 69 | } 70 | } 71 | 72 | if (pMods) 73 | ExFreePoolWithTag(pMods, POOL_TAG); 74 | 75 | return g_KernelBase; 76 | } 77 | 78 | /// 79 | /// Gets SSDT base - KiServiceTable 80 | /// 81 | /// SSDT base, NULL if not found 82 | PSYSTEM_SERVICE_DESCRIPTOR_TABLE GetSSDTBase() 83 | { 84 | PUCHAR ntosBase = GetKernelBase(NULL); 85 | 86 | // Already found 87 | if (g_SSDT != NULL) 88 | return g_SSDT; 89 | 90 | if (!ntosBase) 91 | return NULL; 92 | 93 | PIMAGE_NT_HEADERS pHdr = RtlImageNtHeader(ntosBase); 94 | PIMAGE_SECTION_HEADER pFirstSec = (PIMAGE_SECTION_HEADER)(pHdr + 1); 95 | for (PIMAGE_SECTION_HEADER pSec = pFirstSec; pSec < pFirstSec + pHdr->FileHeader.NumberOfSections; pSec++) 96 | { 97 | // Non-paged, non-discardable, readable sections 98 | // Probably still not fool-proof enough... 99 | if (pSec->Characteristics & IMAGE_SCN_MEM_NOT_PAGED && 100 | pSec->Characteristics & IMAGE_SCN_MEM_EXECUTE && 101 | !(pSec->Characteristics & IMAGE_SCN_MEM_DISCARDABLE) && 102 | (*(PULONG)pSec->Name != 'TINI') && 103 | (*(PULONG)pSec->Name != 'EGAP')) 104 | { 105 | PVOID pFound = NULL; 106 | 107 | // KiSystemServiceRepeat pattern 108 | UCHAR pattern[] = "\x4c\x8d\x15\xcc\xcc\xcc\xcc\x4c\x8d\x1d\xcc\xcc\xcc\xcc\xf7"; 109 | NTSTATUS status = SearchPattern(pattern, 0xCC, sizeof(pattern) - 1, ntosBase + pSec->VirtualAddress, pSec->Misc.VirtualSize, &pFound); 110 | if (NT_SUCCESS(status)) 111 | { 112 | g_SSDT = (PSYSTEM_SERVICE_DESCRIPTOR_TABLE)((PUCHAR)pFound + *(PULONG)((PUCHAR)pFound + 3) + 7); 113 | //DPRINT( "BlackBone: %s: KeSystemServiceDescriptorTable = 0x%p\n", __FUNCTION__, g_SSDT ); 114 | return g_SSDT; 115 | } 116 | } 117 | } 118 | 119 | return NULL; 120 | } 121 | 122 | /// 123 | /// Gets the SSDT entry address by index. 124 | /// 125 | /// Service index 126 | /// Found service address, NULL if not found 127 | PVOID GetSSDTEntry(IN ULONG index) 128 | { 129 | ULONG size = 0; 130 | PSYSTEM_SERVICE_DESCRIPTOR_TABLE pSSDT = GetSSDTBase(); 131 | PVOID pBase = GetKernelBase(&size); 132 | 133 | if (pSSDT && pBase) 134 | { 135 | // Index range check 136 | if (index > pSSDT->NumberOfServices) 137 | return NULL; 138 | 139 | return (PUCHAR)pSSDT->ServiceTableBase + (((PLONG)pSSDT->ServiceTableBase)[index] >> 4); 140 | } 141 | 142 | return NULL; 143 | } -------------------------------------------------------------------------------- /driver/pdrv/Private.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | PVOID GetKernelBase(OUT PULONG pSize); 4 | PSYSTEM_SERVICE_DESCRIPTOR_TABLE GetSSDTBase(); 5 | PVOID GetSSDTEntry(IN ULONG index); -------------------------------------------------------------------------------- /driver/pdrv/Shared.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define CODE_DISABLE 0x1601 4 | #define CODE_RESTORE 0x1602 5 | 6 | #define PROC_NAME "r5apex.exe" 7 | #define DRV_NAME "EasyAntiCheat.sys" -------------------------------------------------------------------------------- /driver/pdrv/Structs.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define POOL_TAG 'anoB' 4 | 5 | typedef struct _RTL_PROCESS_MODULE_INFORMATION 6 | { 7 | HANDLE Section; // Not filled in 8 | PVOID MappedBase; 9 | PVOID ImageBase; 10 | ULONG ImageSize; 11 | ULONG Flags; 12 | USHORT LoadOrderIndex; 13 | USHORT InitOrderIndex; 14 | USHORT LoadCount; 15 | USHORT OffsetToFileName; 16 | UCHAR FullPathName[MAXIMUM_FILENAME_LENGTH]; 17 | } RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION; 18 | 19 | typedef struct _RTL_PROCESS_MODULES 20 | { 21 | ULONG NumberOfModules; 22 | RTL_PROCESS_MODULE_INFORMATION Modules[1]; 23 | } RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES; 24 | 25 | typedef enum _SYSTEM_INFORMATION_CLASS 26 | { 27 | SystemBasicInformation = 0x0, 28 | SystemProcessorInformation = 0x1, 29 | SystemPerformanceInformation = 0x2, 30 | SystemTimeOfDayInformation = 0x3, 31 | SystemPathInformation = 0x4, 32 | SystemProcessInformation = 0x5, 33 | SystemCallCountInformation = 0x6, 34 | SystemDeviceInformation = 0x7, 35 | SystemProcessorPerformanceInformation = 0x8, 36 | SystemFlagsInformation = 0x9, 37 | SystemCallTimeInformation = 0xa, 38 | SystemModuleInformation = 0xb, 39 | SystemLocksInformation = 0xc, 40 | SystemStackTraceInformation = 0xd, 41 | SystemPagedPoolInformation = 0xe, 42 | SystemNonPagedPoolInformation = 0xf, 43 | SystemHandleInformation = 0x10, 44 | SystemObjectInformation = 0x11, 45 | SystemPageFileInformation = 0x12, 46 | SystemVdmInstemulInformation = 0x13, 47 | SystemVdmBopInformation = 0x14, 48 | SystemFileCacheInformation = 0x15, 49 | SystemPoolTagInformation = 0x16, 50 | SystemInterruptInformation = 0x17, 51 | SystemDpcBehaviorInformation = 0x18, 52 | SystemFullMemoryInformation = 0x19, 53 | SystemLoadGdiDriverInformation = 0x1a, 54 | SystemUnloadGdiDriverInformation = 0x1b, 55 | SystemTimeAdjustmentInformation = 0x1c, 56 | SystemSummaryMemoryInformation = 0x1d, 57 | SystemMirrorMemoryInformation = 0x1e, 58 | SystemPerformanceTraceInformation = 0x1f, 59 | SystemObsolete0 = 0x20, 60 | SystemExceptionInformation = 0x21, 61 | SystemCrashDumpStateInformation = 0x22, 62 | SystemKernelDebuggerInformation = 0x23, 63 | SystemContextSwitchInformation = 0x24, 64 | SystemRegistryQuotaInformation = 0x25, 65 | SystemExtendServiceTableInformation = 0x26, 66 | SystemPrioritySeperation = 0x27, 67 | SystemVerifierAddDriverInformation = 0x28, 68 | SystemVerifierRemoveDriverInformation = 0x29, 69 | SystemProcessorIdleInformation = 0x2a, 70 | SystemLegacyDriverInformation = 0x2b, 71 | SystemCurrentTimeZoneInformation = 0x2c, 72 | SystemLookasideInformation = 0x2d, 73 | SystemTimeSlipNotification = 0x2e, 74 | SystemSessionCreate = 0x2f, 75 | SystemSessionDetach = 0x30, 76 | SystemSessionInformation = 0x31, 77 | SystemRangeStartInformation = 0x32, 78 | SystemVerifierInformation = 0x33, 79 | SystemVerifierThunkExtend = 0x34, 80 | SystemSessionProcessInformation = 0x35, 81 | SystemLoadGdiDriverInSystemSpace = 0x36, 82 | SystemNumaProcessorMap = 0x37, 83 | SystemPrefetcherInformation = 0x38, 84 | SystemExtendedProcessInformation = 0x39, 85 | SystemRecommendedSharedDataAlignment = 0x3a, 86 | SystemComPlusPackage = 0x3b, 87 | SystemNumaAvailableMemory = 0x3c, 88 | SystemProcessorPowerInformation = 0x3d, 89 | SystemEmulationBasicInformation = 0x3e, 90 | SystemEmulationProcessorInformation = 0x3f, 91 | SystemExtendedHandleInformation = 0x40, 92 | SystemLostDelayedWriteInformation = 0x41, 93 | SystemBigPoolInformation = 0x42, 94 | SystemSessionPoolTagInformation = 0x43, 95 | SystemSessionMappedViewInformation = 0x44, 96 | SystemHotpatchInformation = 0x45, 97 | SystemObjectSecurityMode = 0x46, 98 | SystemWatchdogTimerHandler = 0x47, 99 | SystemWatchdogTimerInformation = 0x48, 100 | SystemLogicalProcessorInformation = 0x49, 101 | SystemWow64SharedInformationObsolete = 0x4a, 102 | SystemRegisterFirmwareTableInformationHandler = 0x4b, 103 | SystemFirmwareTableInformation = 0x4c, 104 | SystemModuleInformationEx = 0x4d, 105 | SystemVerifierTriageInformation = 0x4e, 106 | SystemSuperfetchInformation = 0x4f, 107 | SystemMemoryListInformation = 0x50, 108 | SystemFileCacheInformationEx = 0x51, 109 | SystemThreadPriorityClientIdInformation = 0x52, 110 | SystemProcessorIdleCycleTimeInformation = 0x53, 111 | SystemVerifierCancellationInformation = 0x54, 112 | SystemProcessorPowerInformationEx = 0x55, 113 | SystemRefTraceInformation = 0x56, 114 | SystemSpecialPoolInformation = 0x57, 115 | SystemProcessIdInformation = 0x58, 116 | SystemErrorPortInformation = 0x59, 117 | SystemBootEnvironmentInformation = 0x5a, 118 | SystemHypervisorInformation = 0x5b, 119 | SystemVerifierInformationEx = 0x5c, 120 | SystemTimeZoneInformation = 0x5d, 121 | SystemImageFileExecutionOptionsInformation = 0x5e, 122 | SystemCoverageInformation = 0x5f, 123 | SystemPrefetchPatchInformation = 0x60, 124 | SystemVerifierFaultsInformation = 0x61, 125 | SystemSystemPartitionInformation = 0x62, 126 | SystemSystemDiskInformation = 0x63, 127 | SystemProcessorPerformanceDistribution = 0x64, 128 | SystemNumaProximityNodeInformation = 0x65, 129 | SystemDynamicTimeZoneInformation = 0x66, 130 | SystemCodeIntegrityInformation = 0x67, 131 | SystemProcessorMicrocodeUpdateInformation = 0x68, 132 | SystemProcessorBrandString = 0x69, 133 | SystemVirtualAddressInformation = 0x6a, 134 | SystemLogicalProcessorAndGroupInformation = 0x6b, 135 | SystemProcessorCycleTimeInformation = 0x6c, 136 | SystemStoreInformation = 0x6d, 137 | SystemRegistryAppendString = 0x6e, 138 | SystemAitSamplingValue = 0x6f, 139 | SystemVhdBootInformation = 0x70, 140 | SystemCpuQuotaInformation = 0x71, 141 | SystemNativeBasicInformation = 0x72, 142 | SystemErrorPortTimeouts = 0x73, 143 | SystemLowPriorityIoInformation = 0x74, 144 | SystemBootEntropyInformation = 0x75, 145 | SystemVerifierCountersInformation = 0x76, 146 | SystemPagedPoolInformationEx = 0x77, 147 | SystemSystemPtesInformationEx = 0x78, 148 | SystemNodeDistanceInformation = 0x79, 149 | SystemAcpiAuditInformation = 0x7a, 150 | SystemBasicPerformanceInformation = 0x7b, 151 | SystemQueryPerformanceCounterInformation = 0x7c, 152 | SystemSessionBigPoolInformation = 0x7d, 153 | SystemBootGraphicsInformation = 0x7e, 154 | SystemScrubPhysicalMemoryInformation = 0x7f, 155 | SystemBadPageInformation = 0x80, 156 | SystemProcessorProfileControlArea = 0x81, 157 | SystemCombinePhysicalMemoryInformation = 0x82, 158 | SystemEntropyInterruptTimingInformation = 0x83, 159 | SystemConsoleInformation = 0x84, 160 | SystemPlatformBinaryInformation = 0x85, 161 | SystemThrottleNotificationInformation = 0x86, 162 | SystemHypervisorProcessorCountInformation = 0x87, 163 | SystemDeviceDataInformation = 0x88, 164 | SystemDeviceDataEnumerationInformation = 0x89, 165 | SystemMemoryTopologyInformation = 0x8a, 166 | SystemMemoryChannelInformation = 0x8b, 167 | SystemBootLogoInformation = 0x8c, 168 | SystemProcessorPerformanceInformationEx = 0x8d, 169 | SystemSpare0 = 0x8e, 170 | SystemSecureBootPolicyInformation = 0x8f, 171 | SystemPageFileInformationEx = 0x90, 172 | SystemSecureBootInformation = 0x91, 173 | SystemEntropyInterruptTimingRawInformation = 0x92, 174 | SystemPortableWorkspaceEfiLauncherInformation = 0x93, 175 | SystemFullProcessInformation = 0x94, 176 | SystemKernelDebuggerInformationEx = 0x95, 177 | SystemBootMetadataInformation = 0x96, 178 | SystemSoftRebootInformation = 0x97, 179 | SystemElamCertificateInformation = 0x98, 180 | SystemOfflineDumpConfigInformation = 0x99, 181 | SystemProcessorFeaturesInformation = 0x9a, 182 | SystemRegistryReconciliationInformation = 0x9b, 183 | MaxSystemInfoClass = 0x9c, 184 | } SYSTEM_INFORMATION_CLASS; 185 | 186 | // 187 | // Section characteristics. 188 | // 189 | // IMAGE_SCN_TYPE_REG 0x00000000 // Reserved. 190 | // IMAGE_SCN_TYPE_DSECT 0x00000001 // Reserved. 191 | // IMAGE_SCN_TYPE_NOLOAD 0x00000002 // Reserved. 192 | // IMAGE_SCN_TYPE_GROUP 0x00000004 // Reserved. 193 | #define IMAGE_SCN_TYPE_NO_PAD 0x00000008 // Reserved. 194 | // IMAGE_SCN_TYPE_COPY 0x00000010 // Reserved. 195 | 196 | #define IMAGE_SCN_CNT_CODE 0x00000020 // Section contains code. 197 | #define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 // Section contains initialized data. 198 | #define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 // Section contains uninitialized data. 199 | 200 | #define IMAGE_SCN_LNK_OTHER 0x00000100 // Reserved. 201 | #define IMAGE_SCN_LNK_INFO 0x00000200 // Section contains comments or some other type of information. 202 | // IMAGE_SCN_TYPE_OVER 0x00000400 // Reserved. 203 | #define IMAGE_SCN_LNK_REMOVE 0x00000800 // Section contents will not become part of image. 204 | #define IMAGE_SCN_LNK_COMDAT 0x00001000 // Section contents comdat. 205 | // 0x00002000 // Reserved. 206 | // IMAGE_SCN_MEM_PROTECTED - Obsolete 0x00004000 207 | #define IMAGE_SCN_NO_DEFER_SPEC_EXC 0x00004000 // Reset speculative exceptions handling bits in the TLB entries for this section. 208 | #define IMAGE_SCN_GPREL 0x00008000 // Section content can be accessed relative to GP 209 | #define IMAGE_SCN_MEM_FARDATA 0x00008000 210 | // IMAGE_SCN_MEM_SYSHEAP - Obsolete 0x00010000 211 | #define IMAGE_SCN_MEM_PURGEABLE 0x00020000 212 | #define IMAGE_SCN_MEM_16BIT 0x00020000 213 | #define IMAGE_SCN_MEM_LOCKED 0x00040000 214 | #define IMAGE_SCN_MEM_PRELOAD 0x00080000 215 | 216 | #define IMAGE_SCN_ALIGN_1BYTES 0x00100000 // 217 | #define IMAGE_SCN_ALIGN_2BYTES 0x00200000 // 218 | #define IMAGE_SCN_ALIGN_4BYTES 0x00300000 // 219 | #define IMAGE_SCN_ALIGN_8BYTES 0x00400000 // 220 | #define IMAGE_SCN_ALIGN_16BYTES 0x00500000 // Default alignment if no others are specified. 221 | #define IMAGE_SCN_ALIGN_32BYTES 0x00600000 // 222 | #define IMAGE_SCN_ALIGN_64BYTES 0x00700000 // 223 | #define IMAGE_SCN_ALIGN_128BYTES 0x00800000 // 224 | #define IMAGE_SCN_ALIGN_256BYTES 0x00900000 // 225 | #define IMAGE_SCN_ALIGN_512BYTES 0x00A00000 // 226 | #define IMAGE_SCN_ALIGN_1024BYTES 0x00B00000 // 227 | #define IMAGE_SCN_ALIGN_2048BYTES 0x00C00000 // 228 | #define IMAGE_SCN_ALIGN_4096BYTES 0x00D00000 // 229 | #define IMAGE_SCN_ALIGN_8192BYTES 0x00E00000 // 230 | // Unused 0x00F00000 231 | #define IMAGE_SCN_ALIGN_MASK 0x00F00000 232 | 233 | #define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 // Section contains extended relocations. 234 | #define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 // Section can be discarded. 235 | #define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 // Section is not cachable. 236 | #define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 // Section is not pageable. 237 | #define IMAGE_SCN_MEM_SHARED 0x10000000 // Section is shareable. 238 | #define IMAGE_SCN_MEM_EXECUTE 0x20000000 // Section is executable. 239 | #define IMAGE_SCN_MEM_READ 0x40000000 // Section is readable. 240 | #define IMAGE_SCN_MEM_WRITE 0x80000000 // Section is writeable. 241 | 242 | typedef struct _IMAGE_FILE_HEADER // Size=20 243 | { 244 | USHORT Machine; 245 | USHORT NumberOfSections; 246 | ULONG TimeDateStamp; 247 | ULONG PointerToSymbolTable; 248 | ULONG NumberOfSymbols; 249 | USHORT SizeOfOptionalHeader; 250 | USHORT Characteristics; 251 | } IMAGE_FILE_HEADER, * PIMAGE_FILE_HEADER; 252 | 253 | typedef struct _IMAGE_DATA_DIRECTORY 254 | { 255 | ULONG VirtualAddress; 256 | ULONG Size; 257 | } IMAGE_DATA_DIRECTORY, * PIMAGE_DATA_DIRECTORY; 258 | 259 | typedef struct _IMAGE_OPTIONAL_HEADER64 260 | { 261 | USHORT Magic; 262 | UCHAR MajorLinkerVersion; 263 | UCHAR MinorLinkerVersion; 264 | ULONG SizeOfCode; 265 | ULONG SizeOfInitializedData; 266 | ULONG SizeOfUninitializedData; 267 | ULONG AddressOfEntryPoint; 268 | ULONG BaseOfCode; 269 | ULONGLONG ImageBase; 270 | ULONG SectionAlignment; 271 | ULONG FileAlignment; 272 | USHORT MajorOperatingSystemVersion; 273 | USHORT MinorOperatingSystemVersion; 274 | USHORT MajorImageVersion; 275 | USHORT MinorImageVersion; 276 | USHORT MajorSubsystemVersion; 277 | USHORT MinorSubsystemVersion; 278 | ULONG Win32VersionValue; 279 | ULONG SizeOfImage; 280 | ULONG SizeOfHeaders; 281 | ULONG CheckSum; 282 | USHORT Subsystem; 283 | USHORT DllCharacteristics; 284 | ULONGLONG SizeOfStackReserve; 285 | ULONGLONG SizeOfStackCommit; 286 | ULONGLONG SizeOfHeapReserve; 287 | ULONGLONG SizeOfHeapCommit; 288 | ULONG LoaderFlags; 289 | ULONG NumberOfRvaAndSizes; 290 | struct _IMAGE_DATA_DIRECTORY DataDirectory[16]; 291 | } IMAGE_OPTIONAL_HEADER64, * PIMAGE_OPTIONAL_HEADER64; 292 | 293 | typedef struct _IMAGE_NT_HEADERS64 294 | { 295 | ULONG Signature; 296 | struct _IMAGE_FILE_HEADER FileHeader; 297 | struct _IMAGE_OPTIONAL_HEADER64 OptionalHeader; 298 | } IMAGE_NT_HEADERS64, * PIMAGE_NT_HEADERS64; 299 | 300 | typedef struct _IMAGE_SECTION_HEADER 301 | { 302 | UCHAR Name[8]; 303 | union 304 | { 305 | ULONG PhysicalAddress; 306 | ULONG VirtualSize; 307 | } Misc; 308 | ULONG VirtualAddress; 309 | ULONG SizeOfRawData; 310 | ULONG PointerToRawData; 311 | ULONG PointerToRelocations; 312 | ULONG PointerToLinenumbers; 313 | USHORT NumberOfRelocations; 314 | USHORT NumberOfLinenumbers; 315 | ULONG Characteristics; 316 | } IMAGE_SECTION_HEADER, * PIMAGE_SECTION_HEADER; 317 | 318 | typedef struct _SYSTEM_SERVICE_DESCRIPTOR_TABLE 319 | { 320 | PULONG_PTR ServiceTableBase; 321 | PULONG ServiceCounterTableBase; 322 | ULONG_PTR NumberOfServices; 323 | PUCHAR ParamTableBase; 324 | } SYSTEM_SERVICE_DESCRIPTOR_TABLE, * PSYSTEM_SERVICE_DESCRIPTOR_TABLE; 325 | 326 | typedef struct _SYSTEM_THREAD_INFORMATION 327 | { 328 | LARGE_INTEGER KernelTime; 329 | LARGE_INTEGER UserTime; 330 | LARGE_INTEGER CreateTime; 331 | ULONG WaitTime; 332 | PVOID StartAddress; 333 | CLIENT_ID ClientId; 334 | KPRIORITY Priority; 335 | LONG BasePriority; 336 | ULONG ContextSwitches; 337 | ULONG ThreadState; 338 | KWAIT_REASON WaitReason; 339 | } SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION; 340 | 341 | typedef struct _TEB* PTEB; 342 | 343 | // private 344 | typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION 345 | { 346 | SYSTEM_THREAD_INFORMATION ThreadInfo; 347 | PVOID StackBase; 348 | PVOID StackLimit; 349 | PVOID Win32StartAddress; 350 | PTEB TebBase; // since VISTA 351 | ULONG_PTR Reserved2; 352 | ULONG_PTR Reserved3; 353 | ULONG_PTR Reserved4; 354 | } SYSTEM_EXTENDED_THREAD_INFORMATION, * PSYSTEM_EXTENDED_THREAD_INFORMATION; 355 | 356 | typedef struct _SYSTEM_PROCESS_INFORMATION 357 | { 358 | ULONG NextEntryOffset; 359 | ULONG NumberOfThreads; 360 | LARGE_INTEGER WorkingSetPrivateSize; // since VISTA 361 | ULONG HardFaultCount; // since WIN7 362 | ULONG NumberOfThreadsHighWatermark; // since WIN7 363 | ULONGLONG CycleTime; // since WIN7 364 | LARGE_INTEGER CreateTime; 365 | LARGE_INTEGER UserTime; 366 | LARGE_INTEGER KernelTime; 367 | UNICODE_STRING ImageName; 368 | KPRIORITY BasePriority; 369 | HANDLE UniqueProcessId; 370 | HANDLE InheritedFromUniqueProcessId; 371 | ULONG HandleCount; 372 | ULONG SessionId; 373 | ULONG_PTR UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation) 374 | SIZE_T PeakVirtualSize; 375 | SIZE_T VirtualSize; 376 | ULONG PageFaultCount; 377 | SIZE_T PeakWorkingSetSize; 378 | SIZE_T WorkingSetSize; 379 | SIZE_T QuotaPeakPagedPoolUsage; 380 | SIZE_T QuotaPagedPoolUsage; 381 | SIZE_T QuotaPeakNonPagedPoolUsage; 382 | SIZE_T QuotaNonPagedPoolUsage; 383 | SIZE_T PagefileUsage; 384 | SIZE_T PeakPagefileUsage; 385 | SIZE_T PrivatePageCount; 386 | LARGE_INTEGER ReadOperationCount; 387 | LARGE_INTEGER WriteOperationCount; 388 | LARGE_INTEGER OtherOperationCount; 389 | LARGE_INTEGER ReadTransferCount; 390 | LARGE_INTEGER WriteTransferCount; 391 | LARGE_INTEGER OtherTransferCount; 392 | SYSTEM_THREAD_INFORMATION Threads[1]; // SystemProcessInformation 393 | // SYSTEM_EXTENDED_THREAD_INFORMATION Threads[1]; // SystemExtendedProcessinformation 394 | // SYSTEM_EXTENDED_THREAD_INFORMATION + SYSTEM_PROCESS_INFORMATION_EXTENSION // SystemFullProcessInformation 395 | } SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION; -------------------------------------------------------------------------------- /driver/pdrv/Utils.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "Structs.h" 3 | #include "Imports.h" 4 | #include "Log.h" 5 | 6 | /// 7 | /// Search for pattern 8 | /// 9 | /// Pattern to search for 10 | /// Used wildcard 11 | /// Pattern length 12 | /// Base address for searching 13 | /// Address range to search in 14 | /// Found location 15 | /// Status code 16 | NTSTATUS SearchPattern(IN PCUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, IN const VOID* base, IN ULONG_PTR size, OUT PVOID* ppFound) 17 | { 18 | ASSERT(ppFound != NULL && pattern != NULL && base != NULL); 19 | if (ppFound == NULL || pattern == NULL || base == NULL) 20 | return STATUS_INVALID_PARAMETER; 21 | 22 | for (ULONG_PTR i = 0; i < size - len; i++) 23 | { 24 | BOOLEAN found = TRUE; 25 | for (ULONG_PTR j = 0; j < len; j++) 26 | { 27 | if (pattern[j] != wildcard && pattern[j] != ((PCUCHAR)base)[i + j]) 28 | { 29 | found = FALSE; 30 | break; 31 | } 32 | } 33 | 34 | if (found != FALSE) 35 | { 36 | *ppFound = (PUCHAR)base + i; 37 | return STATUS_SUCCESS; 38 | } 39 | } 40 | 41 | return STATUS_NOT_FOUND; 42 | } 43 | 44 | /// 45 | /// Gets name of process main module 46 | /// 47 | /// PID of process 48 | /// Pointer to name 49 | char* GetName(IN HANDLE pid) 50 | { 51 | PEPROCESS Process; 52 | if (PsLookupProcessByProcessId(pid, &Process) == STATUS_INVALID_PARAMETER) 53 | { 54 | return "invalid"; 55 | } 56 | return (CHAR*)PsGetProcessImageFileName(Process); 57 | } 58 | 59 | /// 60 | /// Unsecure! Compares two char pointer and if one is part of another it returns true 61 | /// 62 | /// First char pointer 63 | /// Second char pointer 64 | /// Boolean 65 | BOOLEAN IsPartOf(IN char* w1, IN char* w2) 66 | { 67 | int i = 0; 68 | int j = 0; 69 | 70 | while (w1[i] != '\0') { 71 | if (w1[i] == w2[j]) 72 | { 73 | while (w1[i] == w2[j] && w2[j] != '\0') 74 | { 75 | j++; 76 | i++; 77 | } 78 | if (w2[j] == '\0') { 79 | return TRUE; 80 | } 81 | j = 0; 82 | } 83 | i++; 84 | } 85 | return FALSE; 86 | } 87 | 88 | /// 89 | /// Switch current thread mode 90 | /// 91 | /// Usermode if true 92 | /// Boolean 93 | void SwitchMode(IN BOOLEAN Mode) 94 | { 95 | Log("[>] Switching mode..."); 96 | PUCHAR pprevmode = (PUCHAR)PsGetCurrentThread() + 0x232; // PrevMode from blackbone 97 | UCHAR prevmode = *pprevmode; 98 | if (Mode) 99 | { 100 | *pprevmode = UserMode; 101 | } 102 | else 103 | { 104 | *pprevmode = KernelMode; 105 | } 106 | Log("[+] Switched mode (from %u, to %u)", prevmode, *pprevmode); 107 | } -------------------------------------------------------------------------------- /driver/pdrv/Utils.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | NTSTATUS SearchPattern(IN PCUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, IN const VOID* base, IN ULONG_PTR size, OUT PVOID* ppFound); 4 | char* GetName(IN HANDLE pid); 5 | BOOLEAN IsPartOf(IN char* w1, IN char* w2); 6 | void SwitchMode(IN BOOLEAN Restore); -------------------------------------------------------------------------------- /driver/pdrv/pdrv.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | Debug 22 | ARM 23 | 24 | 25 | Release 26 | ARM 27 | 28 | 29 | Debug 30 | ARM64 31 | 32 | 33 | Release 34 | ARM64 35 | 36 | 37 | 38 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC} 39 | {1bc93793-694f-48fe-9372-81e2b05556fd} 40 | v4.5 41 | 12.0 42 | Debug 43 | Win32 44 | pdrv 45 | 10.0 46 | 47 | 48 | 49 | Windows10 50 | true 51 | WindowsKernelModeDriver10.0 52 | Driver 53 | KMDF 54 | Universal 55 | 56 | 57 | Windows10 58 | false 59 | WindowsKernelModeDriver10.0 60 | Driver 61 | KMDF 62 | Universal 63 | 64 | 65 | Windows10 66 | true 67 | WindowsKernelModeDriver10.0 68 | Driver 69 | KMDF 70 | Universal 71 | 72 | 73 | Windows7 74 | false 75 | WindowsKernelModeDriver10.0 76 | Driver 77 | KMDF 78 | Desktop 79 | false 80 | 81 | 82 | Windows10 83 | true 84 | WindowsKernelModeDriver10.0 85 | Driver 86 | KMDF 87 | Universal 88 | 89 | 90 | Windows10 91 | false 92 | WindowsKernelModeDriver10.0 93 | Driver 94 | KMDF 95 | Universal 96 | 97 | 98 | Windows10 99 | true 100 | WindowsKernelModeDriver10.0 101 | Driver 102 | KMDF 103 | Universal 104 | 105 | 106 | Windows10 107 | false 108 | WindowsKernelModeDriver10.0 109 | Driver 110 | KMDF 111 | Universal 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | DbgengKernelDebugger 123 | 124 | 125 | DbgengKernelDebugger 126 | 127 | 128 | DbgengKernelDebugger 129 | 130 | 131 | DbgengKernelDebugger 132 | 133 | 134 | DbgengKernelDebugger 135 | 136 | 137 | DbgengKernelDebugger 138 | 139 | 140 | DbgengKernelDebugger 141 | 142 | 143 | DbgengKernelDebugger 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | -------------------------------------------------------------------------------- /driver/pdrv/pdrv.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | wdsk 21 | 22 | 23 | wdsk 24 | 25 | 26 | wdsk 27 | 28 | 29 | wdsk 30 | 31 | 32 | 33 | 34 | {04920e27-6fcd-4cd7-b2c2-df1faddfe6f7} 35 | 36 | 37 | -------------------------------------------------------------------------------- /driver/pdrv/pdrv.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /driver/pdrv/x64/Debug/pdrv.log: -------------------------------------------------------------------------------- 1 | C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v170\Microsoft.CppBuild.targets(490,5): error MSB8040: Spectre-mitigated libraries are required for this project. Install them from the Visual Studio installer (Individual components tab) for any toolsets and architectures being used. Learn more: https://aka.ms/Ofhn4c 2 | -------------------------------------------------------------------------------- /driver/pdrv/x64/Release/pdrv.log: -------------------------------------------------------------------------------- 1 |  Callbacks.c 2 | C:\Users\kcxac\Documents\Eac inje\pdrv\pdrv\Callbacks.c(1,10): fatal error C1083: Cannot open include file: 'ntifs.h': No such file or directory 3 | Driver.c 4 | C:\Users\kcxac\Documents\Eac inje\pdrv\pdrv\Driver.c(19,10): fatal error C1083: Cannot open include file: 'ntifs.h': No such file or directory 5 | Funcs.c 6 | C:\Users\kcxac\Documents\Eac inje\pdrv\pdrv\Funcs.c(1,10): fatal error C1083: Cannot open include file: 'ntifs.h': No such file or directory 7 | Private.c 8 | C:\Users\kcxac\Documents\Eac inje\pdrv\pdrv\Private.c(1,10): fatal error C1083: Cannot open include file: 'ntifs.h': No such file or directory 9 | Utils.c 10 | C:\Users\kcxac\Documents\Eac inje\pdrv\pdrv\Utils.c(1,10): fatal error C1083: Cannot open include file: 'ntifs.h': No such file or directory 11 | Generating Code... 12 | -------------------------------------------------------------------------------- /driver/pdrv/x64/Release/pdrv.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/4b8d0839a69d004ec78d52b4c45cae849640f533/driver/pdrv/x64/Release/pdrv.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /driver/pdrv/x64/Release/pdrv.tlog/pdrv.lastbuildstate: -------------------------------------------------------------------------------- 1 | PlatformToolSet=WindowsKernelModeDriver10.0:VCToolArchitecture=Native64Bit:VCToolsVersion=14.34.31933:TargetPlatformVersion=10.0.22621.0: 2 | Release|x64|C:\Users\kcxac\Documents\Eac inje\pdrv\| 3 | -------------------------------------------------------------------------------- /driver/pdrv/x64/Release/pdrv.tlog/unsuccessfulbuild: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/4b8d0839a69d004ec78d52b4c45cae849640f533/driver/pdrv/x64/Release/pdrv.tlog/unsuccessfulbuild -------------------------------------------------------------------------------- /driver/pdrv/x64/Release/vc143.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/4b8d0839a69d004ec78d52b4c45cae849640f533/driver/pdrv/x64/Release/vc143.pdb --------------------------------------------------------------------------------