├── driver
├── pdrv
│ ├── x64
│ │ ├── Release
│ │ │ ├── pdrv.tlog
│ │ │ │ ├── unsuccessfulbuild
│ │ │ │ ├── CL.command.1.tlog
│ │ │ │ └── pdrv.lastbuildstate
│ │ │ ├── vc143.pdb
│ │ │ └── pdrv.log
│ │ └── Debug
│ │ │ └── pdrv.log
│ ├── Log.h
│ ├── Private.h
│ ├── Shared.h
│ ├── pdrv.vcxproj.user
│ ├── Utils.h
│ ├── Imports.h
│ ├── Funcs.h
│ ├── Callbacks.h
│ ├── pdrv.vcxproj.filters
│ ├── Utils.c
│ ├── Driver.c
│ ├── Private.c
│ ├── pdrv.vcxproj
│ ├── Funcs.c
│ ├── Callbacks.c
│ └── Structs.h
└── pdrv.sln
├── Client
├── pclient
│ ├── x64
│ │ └── Release
│ │ │ ├── vc143.pdb
│ │ │ ├── pclient.iobj
│ │ │ ├── pclient.ipdb
│ │ │ ├── pclient.obj
│ │ │ ├── pclient.tlog
│ │ │ ├── CL.read.1.tlog
│ │ │ ├── CL.write.1.tlog
│ │ │ ├── link.read.1.tlog
│ │ │ ├── CL.command.1.tlog
│ │ │ ├── link.command.1.tlog
│ │ │ ├── link.write.1.tlog
│ │ │ └── pclient.lastbuildstate
│ │ │ ├── pclient.exe.recipe
│ │ │ └── pclient.log
│ ├── pclient.vcxproj.user
│ ├── pclient.vcxproj.filters
│ ├── skStr.h
│ ├── pclient.vcxproj
│ └── pclient.cpp
└── pclient.sln
└── README.md
/driver/pdrv/x64/Release/pdrv.tlog/unsuccessfulbuild:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/driver/pdrv/Log.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #define Log(x, ...) DbgPrintEx(0, 0, x, __VA_ARGS__)
--------------------------------------------------------------------------------
/driver/pdrv/x64/Release/vc143.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/HEAD/driver/pdrv/x64/Release/vc143.pdb
--------------------------------------------------------------------------------
/Client/pclient/x64/Release/vc143.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/HEAD/Client/pclient/x64/Release/vc143.pdb
--------------------------------------------------------------------------------
/Client/pclient/x64/Release/pclient.iobj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/HEAD/Client/pclient/x64/Release/pclient.iobj
--------------------------------------------------------------------------------
/Client/pclient/x64/Release/pclient.ipdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/HEAD/Client/pclient/x64/Release/pclient.ipdb
--------------------------------------------------------------------------------
/Client/pclient/x64/Release/pclient.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/HEAD/Client/pclient/x64/Release/pclient.obj
--------------------------------------------------------------------------------
/driver/pdrv/x64/Release/pdrv.tlog/CL.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/HEAD/driver/pdrv/x64/Release/pdrv.tlog/CL.command.1.tlog
--------------------------------------------------------------------------------
/Client/pclient/x64/Release/pclient.tlog/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/HEAD/Client/pclient/x64/Release/pclient.tlog/CL.read.1.tlog
--------------------------------------------------------------------------------
/driver/pdrv/Private.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | PVOID GetKernelBase(OUT PULONG pSize);
4 | PSYSTEM_SERVICE_DESCRIPTOR_TABLE GetSSDTBase();
5 | PVOID GetSSDTEntry(IN ULONG index);
--------------------------------------------------------------------------------
/Client/pclient/x64/Release/pclient.tlog/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/HEAD/Client/pclient/x64/Release/pclient.tlog/CL.write.1.tlog
--------------------------------------------------------------------------------
/Client/pclient/x64/Release/pclient.tlog/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/HEAD/Client/pclient/x64/Release/pclient.tlog/link.read.1.tlog
--------------------------------------------------------------------------------
/Client/pclient/x64/Release/pclient.tlog/CL.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/HEAD/Client/pclient/x64/Release/pclient.tlog/CL.command.1.tlog
--------------------------------------------------------------------------------
/Client/pclient/x64/Release/pclient.tlog/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/HEAD/Client/pclient/x64/Release/pclient.tlog/link.command.1.tlog
--------------------------------------------------------------------------------
/Client/pclient/x64/Release/pclient.tlog/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Rogue619Z/Manual-Map-Injector/HEAD/Client/pclient/x64/Release/pclient.tlog/link.write.1.tlog
--------------------------------------------------------------------------------
/driver/pdrv/Shared.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #define CODE_DISABLE 0x1601
4 | #define CODE_RESTORE 0x1602
5 |
6 | #define PROC_NAME "r5apex.exe"
7 | #define DRV_NAME "EasyAntiCheat.sys"
--------------------------------------------------------------------------------
/driver/pdrv/pdrv.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Client/pclient/pclient.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Client/pclient/x64/Release/pclient.tlog/pclient.lastbuildstate:
--------------------------------------------------------------------------------
1 | PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.34.31933:TargetPlatformVersion=10.0.22621.0:
2 | Release|x64|C:\Users\kcxac\Documents\Eac inje\Client\|
3 |
--------------------------------------------------------------------------------
/driver/pdrv/x64/Release/pdrv.tlog/pdrv.lastbuildstate:
--------------------------------------------------------------------------------
1 | PlatformToolSet=WindowsKernelModeDriver10.0:VCToolArchitecture=Native64Bit:VCToolsVersion=14.34.31933:TargetPlatformVersion=10.0.22621.0:
2 | Release|x64|C:\Users\kcxac\Documents\Eac inje\pdrv\|
3 |
--------------------------------------------------------------------------------
/driver/pdrv/Utils.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | NTSTATUS SearchPattern(IN PCUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, IN const VOID* base, IN ULONG_PTR size, OUT PVOID* ppFound);
4 | char* GetName(IN HANDLE pid);
5 | BOOLEAN IsPartOf(IN char* w1, IN char* w2);
6 | void SwitchMode(IN BOOLEAN Restore);
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | Functionality:
2 |
3 | The driver suspends anti-cheat threads.
4 | It disables AC image load callbacks and protection.
5 | The usermode client manually maps the DLL and hijacks the thread.
6 | The driver restores all callbacks.
7 | The driver resumes AC threads.
8 |
9 | Games tested:
10 | Rust (Steam)
11 | Apex Legends
12 |
--------------------------------------------------------------------------------
/driver/pdrv/x64/Debug/pdrv.log:
--------------------------------------------------------------------------------
1 | C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v170\Microsoft.CppBuild.targets(490,5): error MSB8040: Spectre-mitigated libraries are required for this project. Install them from the Visual Studio installer (Individual components tab) for any toolsets and architectures being used. Learn more: https://aka.ms/Ofhn4c
2 |
--------------------------------------------------------------------------------
/Client/pclient/x64/Release/pclient.exe.recipe:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | C:\Users\kcxac\Documents\Eac inje\Client\x64\Release\pclient.exe
6 |
7 |
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/driver/pdrv/Imports.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | NTSYSAPI
4 | NTSTATUS
5 | NTAPI
6 | ZwQuerySystemInformation(
7 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
8 | OUT PVOID SystemInformation,
9 | IN ULONG SystemInformationLength,
10 | OUT PULONG ReturnLength OPTIONAL
11 | );
12 |
13 | NTSYSAPI
14 | PIMAGE_NT_HEADERS
15 | NTAPI
16 | RtlImageNtHeader(PVOID Base);
17 |
18 | NTSTATUS
19 | NTAPI
20 | ZwOpenThread(
21 | _Out_ PHANDLE ThreadHandle,
22 | _In_ ACCESS_MASK DesiredAccess,
23 | _In_ POBJECT_ATTRIBUTES ObjectAttributes,
24 | _In_opt_ PCLIENT_ID ClientId
25 | );
26 |
27 | NTKERNELAPI
28 | PVOID
29 | NTAPI
30 | RtlFindExportedRoutineByName(
31 | _In_ PVOID ImageBase,
32 | _In_ PCCH RoutineNam
33 | );
34 |
35 | CHAR* PsGetProcessImageFileName(
36 | _In_ PEPROCESS Process
37 | );
--------------------------------------------------------------------------------
/Client/pclient/pclient.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | {f3a5e199-8393-4b0b-b176-96ac58a2f05f}
9 |
10 |
11 |
12 |
13 | Auth
14 |
15 |
16 | Auth
17 |
18 |
19 |
20 |
21 |
22 |
23 |
--------------------------------------------------------------------------------
/driver/pdrv/Funcs.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | typedef NTSTATUS(NTAPI* fnNtTerminateThread)(IN HANDLE ThreadHandle, IN NTSTATUS ExitStatus);
4 | typedef NTSTATUS(NTAPI* fnNtSuspendThread)(IN HANDLE ThreadHandle, OUT PULONG PreviousSuspendCount);
5 |
6 | HANDLE OpenThread(DWORD dwDesiredAccess, BOOLEAN bInheritHandle, DWORD dwThreadId);
7 | NTSTATUS SuspendThread(__in HANDLE ThreadHandle);
8 | NTSTATUS TerminateThread(__in HANDLE ThreadHandle);
9 | NTSTATUS ResumeThread(HANDLE hThread);
10 | PVOID GetModuleBase(IN char* ModuleName, OUT ULONG64* BaseAddr, OUT ULONG* DriverSize);
11 | NTSTATUS ApcpQuerySystemProcessInformation(PSYSTEM_PROCESS_INFORMATION* SystemInfo);
12 | NTSTATUS GetProcessThreadInfo(IN ULONG Pid, OUT ULONG* ThreadNuber, OUT PULONG64 Tid, OUT PULONG64 StartAddr);
13 | NTSTATUS GetDriverThreads(char* DriverName, OUT ULONG* ThreadNuber, OUT PULONG64 Tid);
--------------------------------------------------------------------------------
/driver/pdrv/x64/Release/pdrv.log:
--------------------------------------------------------------------------------
1 | Callbacks.c
2 | C:\Users\kcxac\Documents\Eac inje\pdrv\pdrv\Callbacks.c(1,10): fatal error C1083: Cannot open include file: 'ntifs.h': No such file or directory
3 | Driver.c
4 | C:\Users\kcxac\Documents\Eac inje\pdrv\pdrv\Driver.c(19,10): fatal error C1083: Cannot open include file: 'ntifs.h': No such file or directory
5 | Funcs.c
6 | C:\Users\kcxac\Documents\Eac inje\pdrv\pdrv\Funcs.c(1,10): fatal error C1083: Cannot open include file: 'ntifs.h': No such file or directory
7 | Private.c
8 | C:\Users\kcxac\Documents\Eac inje\pdrv\pdrv\Private.c(1,10): fatal error C1083: Cannot open include file: 'ntifs.h': No such file or directory
9 | Utils.c
10 | C:\Users\kcxac\Documents\Eac inje\pdrv\pdrv\Utils.c(1,10): fatal error C1083: Cannot open include file: 'ntifs.h': No such file or directory
11 | Generating Code...
12 |
--------------------------------------------------------------------------------
/driver/pdrv/Callbacks.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #define WORD USHORT
4 | #define QWORD UINT64
5 |
6 | // OLD_CALLBACKS
7 | typedef struct _OLD_CALLBACKS {
8 | QWORD PreOperationProc;
9 | QWORD PostOperationProc;
10 | QWORD PreOperationThread;
11 | QWORD PostOperationThread;
12 | } OLD_CALLBACKS, * POLD_CALLBACKS;
13 |
14 | // CALLBACK_ENTRY
15 | typedef struct _CALLBACK_ENTRY {
16 | WORD Version; // 0x0
17 | WORD OperationRegistrationCount; // 0x2
18 | DWORD unk1; // 0x4
19 | PVOID RegistrationContext; // 0x8
20 | UNICODE_STRING Altitude; // 0x10
21 | } CALLBACK_ENTRY, * PCALLBACK_ENTRY; // header size: 0x20 (0x6C if you count the array afterwards - this is only the header. The array of CALLBACK_ENTRY_ITEMs is useless.)
22 |
23 | // CALLBACK_ENTRY_ITEM
24 | typedef struct _CALLBACK_ENTRY_ITEM {
25 | LIST_ENTRY CallbackList; // 0x0
26 | OB_OPERATION Operations; // 0x10
27 | DWORD Active; // 0x14
28 | CALLBACK_ENTRY* CallbackEntry; // 0x18
29 | PVOID ObjectType; // 0x20
30 | POB_PRE_OPERATION_CALLBACK PreOperation; // 0x28
31 | POB_POST_OPERATION_CALLBACK PostOperation; // 0x30
32 | QWORD unk1; // 0x38
33 | } CALLBACK_ENTRY_ITEM, * PCALLBACK_ENTRY_ITEM; // size: 0x40
34 |
35 | void Disable(POLD_CALLBACKS oldCallbacks);
36 | void Restore(POLD_CALLBACKS oldCallbacks);
--------------------------------------------------------------------------------
/driver/pdrv/pdrv.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 | wdsk
21 |
22 |
23 | wdsk
24 |
25 |
26 | wdsk
27 |
28 |
29 | wdsk
30 |
31 |
32 |
33 |
34 | {04920e27-6fcd-4cd7-b2c2-df1faddfe6f7}
35 |
36 |
37 |
--------------------------------------------------------------------------------
/Client/pclient.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.29519.87
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pclient", "pclient\pclient.vcxproj", "{E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}.Debug|x64.ActiveCfg = Debug|x64
17 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}.Debug|x64.Build.0 = Debug|x64
18 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}.Debug|x86.ActiveCfg = Debug|Win32
19 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}.Debug|x86.Build.0 = Debug|Win32
20 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}.Release|x64.ActiveCfg = Release|x64
21 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}.Release|x64.Build.0 = Release|x64
22 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}.Release|x86.ActiveCfg = Release|Win32
23 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {07334F45-CDDF-40ED-B848-FA69D56B688B}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/Client/pclient/x64/Release/pclient.log:
--------------------------------------------------------------------------------
1 | pclient.cpp
2 | C:\Users\kcxac\Documents\Eac inje\Client\pclient\pclient.cpp(221,9): warning C4129: '[': unrecognized character escape sequence
3 | C:\Users\kcxac\Documents\Eac inje\Client\pclient\pclient.cpp(544,10): warning C4473: 'printf' : not enough arguments passed for format string
4 | C:\Users\kcxac\Documents\Eac inje\Client\pclient\pclient.cpp(544,10): message : placeholders and their parameters expect 1 variadic arguments, but 0 were provided
5 | C:\Users\kcxac\Documents\Eac inje\Client\pclient\pclient.cpp(544,10): message : the missing variadic argument 1 is required by format string '%d'
6 | Generating code
7 | 133 of 251 functions (53.0%) were compiled, the rest were copied from previous compilation.
8 | 96 functions were new in current compilation
9 | 0 functions had inline decision re-evaluated but remain unchanged
10 | Finished generating code
11 | library_x64.lib(auth.obj) : warning LNK4099: PDB '' was not found with 'library_x64.lib(auth.obj)' or at ''; linking object as if no debug info
12 | library_x64.lib(utils.obj) : warning LNK4099: PDB '' was not found with 'library_x64.lib(utils.obj)' or at ''; linking object as if no debug info
13 | library_x64.lib(hmac_sha256.obj) : warning LNK4099: PDB '' was not found with 'library_x64.lib(hmac_sha256.obj)' or at ''; linking object as if no debug info
14 | library_x64.lib(sha256.obj) : warning LNK4099: PDB '' was not found with 'library_x64.lib(sha256.obj)' or at ''; linking object as if no debug info
15 | pclient.vcxproj -> C:\Users\kcxac\Documents\Eac inje\Client\x64\Release\pclient.exe
16 |
--------------------------------------------------------------------------------
/driver/pdrv.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.29519.87
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pdrv", "pdrv\pdrv.vcxproj", "{58BA8DEC-BB05-4607-94DF-242B498AE5BC}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|ARM = Debug|ARM
11 | Debug|ARM64 = Debug|ARM64
12 | Debug|x64 = Debug|x64
13 | Debug|x86 = Debug|x86
14 | Release|ARM = Release|ARM
15 | Release|ARM64 = Release|ARM64
16 | Release|x64 = Release|x64
17 | Release|x86 = Release|x86
18 | EndGlobalSection
19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|ARM.ActiveCfg = Debug|ARM
21 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|ARM.Build.0 = Debug|ARM
22 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|ARM.Deploy.0 = Debug|ARM
23 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|ARM64.ActiveCfg = Debug|ARM64
24 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|ARM64.Build.0 = Debug|ARM64
25 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|ARM64.Deploy.0 = Debug|ARM64
26 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|x64.ActiveCfg = Debug|x64
27 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|x64.Build.0 = Debug|x64
28 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|x64.Deploy.0 = Debug|x64
29 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|x86.ActiveCfg = Debug|Win32
30 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|x86.Build.0 = Debug|Win32
31 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Debug|x86.Deploy.0 = Debug|Win32
32 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|ARM.ActiveCfg = Release|ARM
33 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|ARM.Build.0 = Release|ARM
34 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|ARM.Deploy.0 = Release|ARM
35 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|ARM64.ActiveCfg = Release|ARM64
36 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|ARM64.Build.0 = Release|ARM64
37 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|ARM64.Deploy.0 = Release|ARM64
38 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|x64.ActiveCfg = Release|x64
39 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|x64.Build.0 = Release|x64
40 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|x64.Deploy.0 = Release|x64
41 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|x86.ActiveCfg = Release|Win32
42 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|x86.Build.0 = Release|Win32
43 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}.Release|x86.Deploy.0 = Release|Win32
44 | EndGlobalSection
45 | GlobalSection(SolutionProperties) = preSolution
46 | HideSolutionNode = FALSE
47 | EndGlobalSection
48 | GlobalSection(ExtensibilityGlobals) = postSolution
49 | SolutionGuid = {52D18CE6-C821-41B3-8F39-16BB1017D6F8}
50 | EndGlobalSection
51 | EndGlobal
52 |
--------------------------------------------------------------------------------
/driver/pdrv/Utils.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include "Structs.h"
3 | #include "Imports.h"
4 | #include "Log.h"
5 |
6 | ///
7 | /// Search for pattern
8 | ///
9 | /// Pattern to search for
10 | /// Used wildcard
11 | /// Pattern length
12 | /// Base address for searching
13 | /// Address range to search in
14 | /// Found location
15 | /// Status code
16 | NTSTATUS SearchPattern(IN PCUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, IN const VOID* base, IN ULONG_PTR size, OUT PVOID* ppFound)
17 | {
18 | ASSERT(ppFound != NULL && pattern != NULL && base != NULL);
19 | if (ppFound == NULL || pattern == NULL || base == NULL)
20 | return STATUS_INVALID_PARAMETER;
21 |
22 | for (ULONG_PTR i = 0; i < size - len; i++)
23 | {
24 | BOOLEAN found = TRUE;
25 | for (ULONG_PTR j = 0; j < len; j++)
26 | {
27 | if (pattern[j] != wildcard && pattern[j] != ((PCUCHAR)base)[i + j])
28 | {
29 | found = FALSE;
30 | break;
31 | }
32 | }
33 |
34 | if (found != FALSE)
35 | {
36 | *ppFound = (PUCHAR)base + i;
37 | return STATUS_SUCCESS;
38 | }
39 | }
40 |
41 | return STATUS_NOT_FOUND;
42 | }
43 |
44 | ///
45 | /// Gets name of process main module
46 | ///
47 | /// PID of process
48 | /// Pointer to name
49 | char* GetName(IN HANDLE pid)
50 | {
51 | PEPROCESS Process;
52 | if (PsLookupProcessByProcessId(pid, &Process) == STATUS_INVALID_PARAMETER)
53 | {
54 | return "invalid";
55 | }
56 | return (CHAR*)PsGetProcessImageFileName(Process);
57 | }
58 |
59 | ///
60 | /// Unsecure! Compares two char pointer and if one is part of another it returns true
61 | ///
62 | /// First char pointer
63 | /// Second char pointer
64 | /// Boolean
65 | BOOLEAN IsPartOf(IN char* w1, IN char* w2)
66 | {
67 | int i = 0;
68 | int j = 0;
69 |
70 | while (w1[i] != '\0') {
71 | if (w1[i] == w2[j])
72 | {
73 | while (w1[i] == w2[j] && w2[j] != '\0')
74 | {
75 | j++;
76 | i++;
77 | }
78 | if (w2[j] == '\0') {
79 | return TRUE;
80 | }
81 | j = 0;
82 | }
83 | i++;
84 | }
85 | return FALSE;
86 | }
87 |
88 | ///
89 | /// Switch current thread mode
90 | ///
91 | /// Usermode if true
92 | /// Boolean
93 | void SwitchMode(IN BOOLEAN Mode)
94 | {
95 | Log("[>] Switching mode...");
96 | PUCHAR pprevmode = (PUCHAR)PsGetCurrentThread() + 0x232; // PrevMode from blackbone
97 | UCHAR prevmode = *pprevmode;
98 | if (Mode)
99 | {
100 | *pprevmode = UserMode;
101 | }
102 | else
103 | {
104 | *pprevmode = KernelMode;
105 | }
106 | Log("[+] Switched mode (from %u, to %u)", prevmode, *pprevmode);
107 | }
--------------------------------------------------------------------------------
/driver/pdrv/Driver.c:
--------------------------------------------------------------------------------
1 | /*
2 | _
3 | _ __ __| |_ ___ __
4 | | '_ \/ _` | '_\ V /
5 | | .__/\__,_|_| \_/
6 | |_|
7 |
8 | Copyright (c) 2019 Samuel Tulach - All rights reserved
9 |
10 | Used sources:
11 | - BlackBone Driver
12 | - (c) 2015 DarthTon
13 | - MIT
14 | - https://github.com/DarthTon/Blackbone
15 |
16 | Tested on Windows 10 x64 1909 18363.476
17 | */
18 |
19 | #include "ntifs.h"
20 | #include "ntstrsafe.h"
21 | #include "Log.h"
22 | #include "Structs.h"
23 | #include "Private.h"
24 | #include "Funcs.h"
25 | #include "Imports.h"
26 | #include "Callbacks.h"
27 | #include "Utils.h"
28 | #include "Callbacks.h"
29 | #include "Shared.h"
30 |
31 | #pragma warning( disable : 4152 )
32 |
33 | static ULONG64 ArrTID[0x256] = { 0 };
34 | static ULONG ThreadNumber = 0;
35 | static OLD_CALLBACKS OldCallbacks = { 0 };
36 | static HANDLE Threads[0x256] = { 0 };
37 |
38 | ///
39 | /// Function executed when our hooked func is called
40 | ///
41 | /// Dummy arg
42 | /// Dummy arg
43 | /// Argument used to indentify request
44 | /// Status
45 | NTSTATUS HookHandler(UINT_PTR DontUse1, UINT_PTR DontUse2, PULONG32 Code)
46 | {
47 | UNREFERENCED_PARAMETER(DontUse1);
48 | UNREFERENCED_PARAMETER(DontUse2);
49 |
50 | Log("[+] Hook call with code %x", *Code);
51 |
52 | if (!(*Code == CODE_DISABLE || *Code == CODE_RESTORE))
53 | {
54 | Log("[-] Invalid code");
55 | return STATUS_CANCELLED;
56 | }
57 |
58 | SwitchMode(FALSE);
59 |
60 | if (*Code == CODE_DISABLE)
61 | {
62 | // Get anticheat threads to manupulate them
63 | Log("[>] Gettting anticheat threads...");
64 | NTSTATUS status = GetDriverThreads("EasyAntiCheat.sys", &ThreadNumber, ArrTID);
65 | if (!NT_SUCCESS(status) || ThreadNumber == 0)
66 | {
67 | Log("[-] Failed to get anticheat threads");
68 | }
69 | Log("[+] Found %u threads", ThreadNumber);
70 |
71 | // Suspend threads
72 | Log("[>] Suspending threads...");
73 | for (ULONG i = 0; i < ThreadNumber; i++)
74 | {
75 | Threads[i] = OpenThread(THREAD_ALL_ACCESS, FALSE, (DWORD)ArrTID[i]);
76 | status = SuspendThread(Threads[i]);
77 | Log("[+] Thread with HANDLE %p suspended (%x)", Threads[i], status);
78 | }
79 |
80 | // Unregister callbacks
81 | Log("[>] Disabling anticheat callbacks...");
82 | Disable(&OldCallbacks);
83 | Log("[+] Callbacks disabled");
84 | }
85 |
86 | if (*Code == CODE_RESTORE)
87 | {
88 | // TODO: Check if CODE_DISABLE was called first
89 |
90 | // Resume threads
91 | Log("[>] Resuming threads...");
92 | for (ULONG i = 0; i < ThreadNumber; i++)
93 | {
94 | Threads[i] = OpenThread(THREAD_ALL_ACCESS, FALSE, (DWORD)ArrTID[i]);
95 | ResumeThread(Threads[i]);
96 | Log("[+] Thread with HANDLE %p resumed", Threads[i]);
97 | }
98 |
99 | // Restore old callbacks
100 | Log("[>] Restoring anticheat callbacks...");
101 | Restore(&OldCallbacks);
102 | Log("[+] Callbacks restored");
103 | }
104 |
105 | SwitchMode(TRUE);
106 |
107 | return STATUS_SUCCESS;
108 | }
109 |
110 | ///
111 | /// Driver main entry point
112 | ///
113 | /// DriverObject pointer
114 | /// Status
115 | NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
116 | {
117 | // Both are undefined when we manual map the driver
118 | UNREFERENCED_PARAMETER(DriverObject);
119 | UNREFERENCED_PARAMETER(RegistryPath);
120 |
121 | // Print some copyright because that's what matters the most
122 | Log("\n\npdrv\n");
123 |
124 | // Hook NtQueryIntervalProfile
125 | Log("[>] Hooking functions...");
126 |
127 | PVOID ntosbase = GetKernelBase(NULL);
128 | if (!ntosbase)
129 | {
130 | Log("[-] Failed to get kernel base");
131 | return STATUS_CANCELLED;
132 | }
133 | Log("[+] Kernel base: %p", ntosbase);
134 |
135 | PVOID* dsptbl = (PVOID*)(RtlFindExportedRoutineByName(ntosbase, "HalDispatchTable"));
136 | if (!dsptbl)
137 | {
138 | Log("[-] Failed to get HalDispatchTable");
139 | return STATUS_CANCELLED;
140 | }
141 | Log("[+] HalDispatchTable: %p", dsptbl);
142 |
143 | dsptbl[1] = &HookHandler;
144 |
145 | Log("[+] Functions hoooked");
146 |
147 | // Return dummy status
148 | return STATUS_SUCCESS;
149 | }
150 |
--------------------------------------------------------------------------------
/driver/pdrv/Private.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include "Log.h"
4 | #include "Structs.h"
5 | #include "Imports.h"
6 | #include "Utils.h"
7 |
8 | PVOID g_KernelBase = NULL;
9 | ULONG g_KernelSize = 0;
10 | PSYSTEM_SERVICE_DESCRIPTOR_TABLE g_SSDT = NULL;
11 |
12 | ///
13 | /// Get ntoskrnl base address
14 | ///
15 | /// Size of module
16 | /// Found address, NULL if not found
17 | PVOID GetKernelBase(OUT PULONG pSize)
18 | {
19 | NTSTATUS status = STATUS_SUCCESS;
20 | ULONG bytes = 0;
21 | PRTL_PROCESS_MODULES pMods = NULL;
22 | PVOID checkPtr = NULL;
23 | UNICODE_STRING routineName;
24 |
25 | // Already found
26 | if (g_KernelBase != NULL)
27 | {
28 | if (pSize)
29 | *pSize = g_KernelSize;
30 | return g_KernelBase;
31 | }
32 |
33 | RtlUnicodeStringInit(&routineName, L"NtOpenFile");
34 |
35 | checkPtr = MmGetSystemRoutineAddress(&routineName);
36 | if (checkPtr == NULL)
37 | return NULL;
38 |
39 | // Protect from UserMode AV
40 | status = ZwQuerySystemInformation(SystemModuleInformation, 0, bytes, &bytes);
41 | if (bytes == 0)
42 | {
43 | //DPRINT("BlackBone: %s: Invalid SystemModuleInformation size\n", __FUNCTION__);
44 | Log("[-] Invalid SystemModuleInformation size");
45 | return NULL;
46 | }
47 |
48 | pMods = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, bytes, POOL_TAG);
49 | RtlZeroMemory(pMods, bytes);
50 |
51 | status = ZwQuerySystemInformation(SystemModuleInformation, pMods, bytes, &bytes);
52 |
53 | if (NT_SUCCESS(status))
54 | {
55 | PRTL_PROCESS_MODULE_INFORMATION pMod = pMods->Modules;
56 |
57 | for (ULONG i = 0; i < pMods->NumberOfModules; i++)
58 | {
59 | // System routine is inside module
60 | if (checkPtr >= pMod[i].ImageBase &&
61 | checkPtr < (PVOID)((PUCHAR)pMod[i].ImageBase + pMod[i].ImageSize))
62 | {
63 | g_KernelBase = pMod[i].ImageBase;
64 | g_KernelSize = pMod[i].ImageSize;
65 | if (pSize)
66 | *pSize = g_KernelSize;
67 | break;
68 | }
69 | }
70 | }
71 |
72 | if (pMods)
73 | ExFreePoolWithTag(pMods, POOL_TAG);
74 |
75 | return g_KernelBase;
76 | }
77 |
78 | ///
79 | /// Gets SSDT base - KiServiceTable
80 | ///
81 | /// SSDT base, NULL if not found
82 | PSYSTEM_SERVICE_DESCRIPTOR_TABLE GetSSDTBase()
83 | {
84 | PUCHAR ntosBase = GetKernelBase(NULL);
85 |
86 | // Already found
87 | if (g_SSDT != NULL)
88 | return g_SSDT;
89 |
90 | if (!ntosBase)
91 | return NULL;
92 |
93 | PIMAGE_NT_HEADERS pHdr = RtlImageNtHeader(ntosBase);
94 | PIMAGE_SECTION_HEADER pFirstSec = (PIMAGE_SECTION_HEADER)(pHdr + 1);
95 | for (PIMAGE_SECTION_HEADER pSec = pFirstSec; pSec < pFirstSec + pHdr->FileHeader.NumberOfSections; pSec++)
96 | {
97 | // Non-paged, non-discardable, readable sections
98 | // Probably still not fool-proof enough...
99 | if (pSec->Characteristics & IMAGE_SCN_MEM_NOT_PAGED &&
100 | pSec->Characteristics & IMAGE_SCN_MEM_EXECUTE &&
101 | !(pSec->Characteristics & IMAGE_SCN_MEM_DISCARDABLE) &&
102 | (*(PULONG)pSec->Name != 'TINI') &&
103 | (*(PULONG)pSec->Name != 'EGAP'))
104 | {
105 | PVOID pFound = NULL;
106 |
107 | // KiSystemServiceRepeat pattern
108 | UCHAR pattern[] = "\x4c\x8d\x15\xcc\xcc\xcc\xcc\x4c\x8d\x1d\xcc\xcc\xcc\xcc\xf7";
109 | NTSTATUS status = SearchPattern(pattern, 0xCC, sizeof(pattern) - 1, ntosBase + pSec->VirtualAddress, pSec->Misc.VirtualSize, &pFound);
110 | if (NT_SUCCESS(status))
111 | {
112 | g_SSDT = (PSYSTEM_SERVICE_DESCRIPTOR_TABLE)((PUCHAR)pFound + *(PULONG)((PUCHAR)pFound + 3) + 7);
113 | //DPRINT( "BlackBone: %s: KeSystemServiceDescriptorTable = 0x%p\n", __FUNCTION__, g_SSDT );
114 | return g_SSDT;
115 | }
116 | }
117 | }
118 |
119 | return NULL;
120 | }
121 |
122 | ///
123 | /// Gets the SSDT entry address by index.
124 | ///
125 | /// Service index
126 | /// Found service address, NULL if not found
127 | PVOID GetSSDTEntry(IN ULONG index)
128 | {
129 | ULONG size = 0;
130 | PSYSTEM_SERVICE_DESCRIPTOR_TABLE pSSDT = GetSSDTBase();
131 | PVOID pBase = GetKernelBase(&size);
132 |
133 | if (pSSDT && pBase)
134 | {
135 | // Index range check
136 | if (index > pSSDT->NumberOfServices)
137 | return NULL;
138 |
139 | return (PUCHAR)pSSDT->ServiceTableBase + (((PLONG)pSSDT->ServiceTableBase)[index] >> 4);
140 | }
141 |
142 | return NULL;
143 | }
--------------------------------------------------------------------------------
/Client/pclient/skStr.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | /*____________________________________________________________________________________________________________
4 |
5 | Original Author: skadro
6 | Github: https://github.com/skadro-official
7 | License: See end of file
8 |
9 | skCrypter
10 | Compile-time, Usermode + Kernelmode, safe and lightweight string crypter library for C++11+
11 |
12 | *Not removing this part is appreciated*
13 | ____________________________________________________________________________________________________________*/
14 |
15 | #ifdef _KERNEL_MODE
16 | namespace std
17 | {
18 | // STRUCT TEMPLATE remove_reference
19 | template
20 | struct remove_reference {
21 | using type = _Ty;
22 | };
23 |
24 | template
25 | struct remove_reference<_Ty&> {
26 | using type = _Ty;
27 | };
28 |
29 | template
30 | struct remove_reference<_Ty&&> {
31 | using type = _Ty;
32 | };
33 |
34 | template
35 | using remove_reference_t = typename remove_reference<_Ty>::type;
36 |
37 | // STRUCT TEMPLATE remove_const
38 | template
39 | struct remove_const { // remove top-level const qualifier
40 | using type = _Ty;
41 | };
42 |
43 | template
44 | struct remove_const {
45 | using type = _Ty;
46 | };
47 |
48 | template
49 | using remove_const_t = typename remove_const<_Ty>::type;
50 | }
51 | #else
52 | #include
53 | #endif
54 |
55 | namespace skc
56 | {
57 | template
58 | using clean_type = typename std::remove_const_t>;
59 |
60 | template
61 | class skCrypter
62 | {
63 | public:
64 | __forceinline constexpr skCrypter(T* data)
65 | {
66 | crypt(data);
67 | }
68 |
69 | __forceinline T* get()
70 | {
71 | return _storage;
72 | }
73 |
74 | __forceinline int size() // (w)char count
75 | {
76 | return _size;
77 | }
78 |
79 | __forceinline char key()
80 | {
81 | return _key1;
82 | }
83 |
84 | __forceinline T* encrypt()
85 | {
86 | if (!isEncrypted())
87 | crypt(_storage);
88 |
89 | return _storage;
90 | }
91 |
92 | __forceinline T* decrypt()
93 | {
94 | if (isEncrypted())
95 | crypt(_storage);
96 |
97 | return _storage;
98 | }
99 |
100 | __forceinline bool isEncrypted()
101 | {
102 | return _storage[_size - 1] != 0;
103 | }
104 |
105 | __forceinline void clear() // set full storage to 0
106 | {
107 | for (int i = 0; i < _size; i++)
108 | {
109 | _storage[i] = 0;
110 | }
111 | }
112 |
113 | __forceinline operator T* ()
114 | {
115 | decrypt();
116 |
117 | return _storage;
118 | }
119 |
120 | private:
121 | __forceinline constexpr void crypt(T* data)
122 | {
123 | for (int i = 0; i < _size; i++)
124 | {
125 | _storage[i] = data[i] ^ (_key1 + i % (1 + _key2));
126 | }
127 | }
128 |
129 | T _storage[_size]{};
130 | };
131 | }
132 |
133 | #define skCrypt(str) skCrypt_key(str, __TIME__[4], __TIME__[7])
134 | #define skCrypt_key(str, key1, key2) []() { \
135 | constexpr static auto crypted = skc::skCrypter \
136 | >((skc::clean_type*)str); \
137 | return crypted; }()
138 |
139 | /*________________________________________________________________________________
140 |
141 | MIT License
142 |
143 | Copyright (c) 2020 skadro
144 |
145 | Permission is hereby granted, free of charge, to any person obtaining a copy
146 | of this software and associated documentation files (the "Software"), to deal
147 | in the Software without restriction, including without limitation the rights
148 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
149 | copies of the Software, and to permit persons to whom the Software is
150 | furnished to do so, subject to the following conditions:
151 |
152 | The above copyright notice and this permission notice shall be included in all
153 | copies or substantial portions of the Software.
154 |
155 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
156 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
157 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
158 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
159 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
160 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
161 | SOFTWARE.
162 |
163 | ________________________________________________________________________________*/
--------------------------------------------------------------------------------
/driver/pdrv/pdrv.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 | Debug
22 | ARM
23 |
24 |
25 | Release
26 | ARM
27 |
28 |
29 | Debug
30 | ARM64
31 |
32 |
33 | Release
34 | ARM64
35 |
36 |
37 |
38 | {58BA8DEC-BB05-4607-94DF-242B498AE5BC}
39 | {1bc93793-694f-48fe-9372-81e2b05556fd}
40 | v4.5
41 | 12.0
42 | Debug
43 | Win32
44 | pdrv
45 | 10.0
46 |
47 |
48 |
49 | Windows10
50 | true
51 | WindowsKernelModeDriver10.0
52 | Driver
53 | KMDF
54 | Universal
55 |
56 |
57 | Windows10
58 | false
59 | WindowsKernelModeDriver10.0
60 | Driver
61 | KMDF
62 | Universal
63 |
64 |
65 | Windows10
66 | true
67 | WindowsKernelModeDriver10.0
68 | Driver
69 | KMDF
70 | Universal
71 |
72 |
73 | Windows7
74 | false
75 | WindowsKernelModeDriver10.0
76 | Driver
77 | KMDF
78 | Desktop
79 | false
80 |
81 |
82 | Windows10
83 | true
84 | WindowsKernelModeDriver10.0
85 | Driver
86 | KMDF
87 | Universal
88 |
89 |
90 | Windows10
91 | false
92 | WindowsKernelModeDriver10.0
93 | Driver
94 | KMDF
95 | Universal
96 |
97 |
98 | Windows10
99 | true
100 | WindowsKernelModeDriver10.0
101 | Driver
102 | KMDF
103 | Universal
104 |
105 |
106 | Windows10
107 | false
108 | WindowsKernelModeDriver10.0
109 | Driver
110 | KMDF
111 | Universal
112 |
113 |
114 |
115 |
116 |
117 |
118 |
119 |
120 |
121 |
122 | DbgengKernelDebugger
123 |
124 |
125 | DbgengKernelDebugger
126 |
127 |
128 | DbgengKernelDebugger
129 |
130 |
131 | DbgengKernelDebugger
132 |
133 |
134 | DbgengKernelDebugger
135 |
136 |
137 | DbgengKernelDebugger
138 |
139 |
140 | DbgengKernelDebugger
141 |
142 |
143 | DbgengKernelDebugger
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 |
165 |
166 |
167 |
168 |
169 |
170 |
171 |
172 |
--------------------------------------------------------------------------------
/driver/pdrv/Funcs.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include "Log.h"
4 | #include "Structs.h"
5 | #include "Private.h"
6 | #include "Imports.h"
7 | #include "Utils.h"
8 | #include "Funcs.h"
9 |
10 | #define SSDT_NTSUSPENDTHRED 438
11 | #define SSDT_RESUMETHREAD 82
12 | #define SSDT_TERMINATETHREAD 83
13 |
14 | static NTSTATUS
15 | (__fastcall* NtSuspendThread)(
16 | __in HANDLE ThreadHandle,
17 | __out_opt PULONG PreviousSuspendCount
18 | );
19 |
20 | static NTSTATUS
21 | (__fastcall* NtTerminateThread)(
22 | __in HANDLE ThreadHandle,
23 | DWORD dwExitCode
24 | );
25 |
26 |
27 | static NTSTATUS
28 | (__fastcall* NtResumeThread)(
29 | __in HANDLE ThreadHandle,
30 | __out_opt PULONG PreviousSuspendCount
31 | );
32 |
33 | ///
34 | /// Open HANDLE to the thread
35 | ///
36 | /// Desired access
37 | /// Inherit handle
38 | /// Thread ID
39 | /// HANDLE for thread
40 | HANDLE OpenThread(DWORD dwDesiredAccess, BOOLEAN bInheritHandle, DWORD dwThreadId)
41 | {
42 | OBJECT_ATTRIBUTES ObjectAttributes = { 0, };
43 | CLIENT_ID ClientId = { 0, };
44 | HANDLE hThread = NULL;
45 | NTSTATUS Status;
46 |
47 | InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
48 |
49 | if (bInheritHandle) {
50 | ObjectAttributes.Attributes = OBJ_INHERIT;
51 | }
52 |
53 | ClientId.UniqueProcess = NULL;
54 | ClientId.UniqueThread = (HANDLE)dwThreadId;
55 |
56 | Status = ZwOpenThread(&hThread,
57 | dwDesiredAccess,
58 | &ObjectAttributes,
59 | &ClientId);
60 | return hThread;
61 | }
62 |
63 | ///
64 | /// Suspend (pause) thread
65 | ///
66 | /// HANDLE to desired thread
67 | /// Status
68 | NTSTATUS SuspendThread(__in HANDLE ThreadHandle)
69 | {
70 | NTSTATUS Status;
71 | fnNtSuspendThread suspth = (fnNtSuspendThread)(ULONG_PTR)GetSSDTEntry(SSDT_NTSUSPENDTHRED); // Warning! Latest Windows has changed this!
72 | Status = suspth(ThreadHandle, 0);
73 | return Status;
74 | }
75 |
76 | ///
77 | /// Terminate thread
78 | ///
79 | /// HANDLE to desired thread
80 | /// Status
81 | NTSTATUS TerminateThread(__in HANDLE ThreadHandle)
82 | {
83 | NTSTATUS Status;
84 | fnNtTerminateThread termth = (fnNtTerminateThread)(ULONG_PTR)GetSSDTEntry(SSDT_TERMINATETHREAD);
85 | Status = termth(ThreadHandle, 0);
86 | return Status;
87 | }
88 |
89 | ///
90 | /// Resume (unpause) thread
91 | ///
92 | /// HANDLE to desired thread
93 | /// Status
94 | NTSTATUS ResumeThread(__in HANDLE ThreadHandle)
95 | {
96 | NTSTATUS Status;
97 | NtResumeThread = (NTSTATUS(__cdecl*)(HANDLE, PULONG))GetSSDTEntry(SSDT_RESUMETHREAD);
98 | Status = NtResumeThread(ThreadHandle, NULL);
99 | return Status;
100 | }
101 |
102 | ///
103 | /// Get base address of system module
104 | ///
105 | /// Name of module
106 | /// Found address, 0 if not found
107 | PVOID GetModuleBase(IN char* ModuleName, OUT ULONG64* BaseAddr, OUT ULONG* DriverSize)
108 | {
109 | NTSTATUS status = STATUS_SUCCESS;
110 | ULONG bytes = 0;
111 | PRTL_PROCESS_MODULES pMods = NULL;
112 | UNICODE_STRING routineName;
113 |
114 | RtlUnicodeStringInit(&routineName, L"NtOpenFile");
115 |
116 | // Protect from UserMode AV
117 | status = ZwQuerySystemInformation(SystemModuleInformation, 0, bytes, &bytes);
118 | if (bytes == 0)
119 | {
120 | //DPRINT("BlackBone: %s: Invalid SystemModuleInformation size\n", __FUNCTION__);
121 | Log("[-] Invalid SystemModuleInformation size");
122 | return NULL;
123 | }
124 |
125 | pMods = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, bytes, POOL_TAG);
126 | RtlZeroMemory(pMods, bytes);
127 |
128 | status = ZwQuerySystemInformation(SystemModuleInformation, pMods, bytes, &bytes);
129 |
130 | if (NT_SUCCESS(status))
131 | {
132 | for (ULONG i = 0; i < pMods->NumberOfModules; i++)
133 | {
134 | // System routine is inside module
135 | if ((PVOID)pMods->Modules[i].ImageBase > (PVOID)0x8000000000000000)
136 | {
137 | char* pDrvName = (char*)(pMods->Modules[i].FullPathName) + pMods->Modules[i].OffsetToFileName;
138 | if (_stricmp(pDrvName, ModuleName) == 0) {
139 | *BaseAddr = (ULONG64)(pMods->Modules[i].ImageBase);
140 | *DriverSize = (ULONG64)(pMods->Modules[i].ImageSize);
141 | return (PVOID)(pMods->Modules[i].ImageBase);
142 | }
143 | }
144 | }
145 | }
146 |
147 | if (pMods)
148 | ExFreePoolWithTag(pMods, POOL_TAG);
149 |
150 | return 0;
151 | }
152 |
153 | // TODO: Comment
154 | ///
155 | /// ApcpQuerySystemProcessInformation
156 | ///
157 | /// Status
158 | NTSTATUS ApcpQuerySystemProcessInformation(PSYSTEM_PROCESS_INFORMATION* SystemInfo)
159 | {
160 | PSYSTEM_PROCESS_INFORMATION pBuffer = NULL;
161 | ULONG BufferSize = 0;
162 | ULONG RequiredSize = 0;
163 |
164 | NTSTATUS status = STATUS_SUCCESS;
165 | while ((status = ZwQuerySystemInformation(
166 | SystemProcessInformation,
167 | pBuffer,
168 | BufferSize,
169 | &RequiredSize//retn Length
170 | )) == STATUS_INFO_LENGTH_MISMATCH)
171 | {
172 | BufferSize = RequiredSize;
173 | pBuffer = (PSYSTEM_PROCESS_INFORMATION)ExAllocatePool(PagedPool, BufferSize);
174 | }
175 |
176 | if (!NT_SUCCESS(status))
177 | {
178 | if (pBuffer != NULL)
179 | {
180 | ExFreePool(pBuffer);
181 | }
182 |
183 | return status;
184 | }
185 | *SystemInfo = pBuffer;
186 | return status;
187 | }
188 |
189 | // TODO: Comment
190 | ///
191 | /// Gets information about thread
192 | ///
193 | /// Status
194 | NTSTATUS GetProcessThreadInfo(IN ULONG Pid, OUT ULONG* ThreadNuber, OUT PULONG64 Tid, OUT PULONG64 StartAddr)
195 | {
196 | PEPROCESS pEProcess;
197 | PSYSTEM_PROCESS_INFORMATION OriginalSystemProcessInfo = NULL;
198 | NTSTATUS status = PsLookupProcessByProcessId((HANDLE)Pid, &pEProcess);
199 | if (!NT_SUCCESS(status))
200 | {
201 | return status;
202 | }
203 | if (MmIsAddressValid(ThreadNuber) == 0)
204 | {
205 | status = STATUS_UNSUCCESSFUL;
206 | return status;
207 | }
208 | if (MmIsAddressValid(StartAddr) == 0)
209 | {
210 | status = STATUS_UNSUCCESSFUL;
211 | return status;
212 | }
213 | if (MmIsAddressValid(Tid) == 0)
214 | {
215 | status = STATUS_UNSUCCESSFUL;
216 | return status;
217 | }
218 | status = ApcpQuerySystemProcessInformation(&OriginalSystemProcessInfo);
219 | if (!NT_SUCCESS(status))
220 | {
221 | ObDereferenceObject(pEProcess);
222 | return status;
223 | }
224 | PSYSTEM_PROCESS_INFORMATION SystemProcessInfo = OriginalSystemProcessInfo;
225 | status = STATUS_NOT_FOUND;
226 | do
227 | {
228 | if (SystemProcessInfo->UniqueProcessId == PsGetProcessId(pEProcess))
229 | {
230 | status = STATUS_SUCCESS;
231 | break;
232 | }
233 |
234 | SystemProcessInfo = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)SystemProcessInfo + SystemProcessInfo->NextEntryOffset);
235 | } while (SystemProcessInfo->NextEntryOffset != 0);
236 |
237 | if (!NT_SUCCESS(status))
238 | {
239 | ObDereferenceObject(pEProcess);
240 | ExFreePool(OriginalSystemProcessInfo);
241 | return status;
242 | }
243 | *ThreadNuber = SystemProcessInfo->NumberOfThreads;
244 |
245 | for (ULONG Index = 0; Index < SystemProcessInfo->NumberOfThreads; ++Index)
246 | {
247 | HANDLE UniqueThreadId = SystemProcessInfo->Threads[Index].ClientId.UniqueThread;
248 | Tid[Index] = (ULONG64)UniqueThreadId;
249 | StartAddr[Index] = (ULONG64)SystemProcessInfo->Threads[Index].StartAddress;
250 | }
251 |
252 | ObDereferenceObject(pEProcess);
253 | return status;
254 | }
255 |
256 | ///
257 | /// Gets driver threads
258 | ///
259 | /// Name of module
260 | /// Number of threads
261 | /// Threads IDs (array)
262 | /// Found address, 0 if not found
263 | NTSTATUS GetDriverThreads(char* DriverName, OUT ULONG* ThreadNuber, OUT PULONG64 Tid)
264 | {
265 | ULONG64 DriverBaseAddr = 0;
266 | ULONG DriverSize = 0;
267 | ULONG Number = 0;
268 | ULONG64 __Tid[0x256] = { 0 };
269 | ULONG64 __ThreadStartAddr[0x256] = { 0 };
270 | NTSTATUS Status = STATUS_UNSUCCESSFUL;
271 | ULONG Count = 0;
272 | GetModuleBase(DriverName, &DriverBaseAddr, &DriverSize);
273 |
274 | if (DriverBaseAddr == 0 || DriverSize == 0) {
275 | Log("[-] Driver base is 0");
276 | return Status;
277 | }
278 | Status = GetProcessThreadInfo(4, &Number, __Tid, __ThreadStartAddr);
279 | if (!NT_SUCCESS(Status)) {
280 | Log("[-] Failed to get thread info");
281 | return Status;
282 | }
283 | for (ULONG i = 0; i < Number; i++)
284 | {
285 | if (__ThreadStartAddr[i] >= DriverBaseAddr)
286 | {
287 | if (__ThreadStartAddr[i] <= DriverBaseAddr + DriverSize)
288 | {
289 | Tid[Count] = __Tid[i];
290 | Count++;
291 | }
292 | }
293 | }
294 | *ThreadNuber = Count;
295 | return STATUS_SUCCESS;
296 | }
--------------------------------------------------------------------------------
/Client/pclient/pclient.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | {E70B6BC2-EC48-4BDB-925B-C2D9102FC88D}
24 | Win32Proj
25 | pclient
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 | false
48 | false
49 |
50 |
51 | Application
52 | false
53 | v143
54 | true
55 | Unicode
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 | true
77 |
78 |
79 | false
80 |
81 |
82 | false
83 |
84 |
85 | false
86 |
87 |
88 |
89 |
90 |
91 | Level3
92 | Disabled
93 | true
94 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
95 | true
96 |
97 |
98 | Console
99 | true
100 |
101 |
102 |
103 |
104 |
105 |
106 | Level3
107 | Disabled
108 | false
109 | _DEBUG;_CONSOLE;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)
110 | true
111 | stdcpp17
112 | Default
113 | false
114 | false
115 | false
116 | false
117 | false
118 | false
119 | None
120 | false
121 |
122 |
123 | Console
124 | false
125 | "C:\Users\Samuel Tulach\Desktop\pdrv\pclient\pclient\ntdll.lib";%(AdditionalDependencies)
126 |
127 |
128 | false
129 |
130 |
131 |
132 |
133 |
134 |
135 | Level3
136 | MaxSpeed
137 | true
138 | true
139 | true
140 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
141 | true
142 |
143 |
144 | Console
145 | true
146 | true
147 | true
148 |
149 |
150 |
151 |
152 |
153 |
154 | Level3
155 | MaxSpeed
156 | true
157 | true
158 | true
159 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
160 | true
161 |
162 |
163 | Console
164 | true
165 | true
166 | true
167 | RequireAdministrator
168 |
169 |
170 |
171 |
172 |
173 |
174 |
175 |
176 |
177 |
178 |
179 |
180 |
181 |
182 |
183 |
184 |
--------------------------------------------------------------------------------
/driver/pdrv/Callbacks.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include "Log.h"
4 | #include "Callbacks.h"
5 |
6 | /*
7 | Sorry for inconsistent types and naming. This code was ported from
8 | one driver to another and I have lost a track of it (little bit).
9 | */
10 |
11 | // https://www.unknowncheats.me/forum/arma-2-a/175227-driver-disable-process-thread-object-callbacks.html
12 |
13 | // https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes
14 | #define DRIVER_ALT "327530"
15 |
16 | ///
17 | /// Dummy precallback
18 | ///
19 | /// Dummy status
20 | OB_PREOP_CALLBACK_STATUS DummyObjectPreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
21 | {
22 | UNREFERENCED_PARAMETER(RegistrationContext);
23 | UNREFERENCED_PARAMETER(OperationInformation);
24 | return(OB_PREOP_SUCCESS);
25 | }
26 |
27 | ///
28 | /// Dummy postcallback
29 | ///
30 | /// Dummy status
31 | VOID DummyObjectPostCallback(PVOID RegistrationContext, POB_POST_OPERATION_INFORMATION OperationInformation)
32 | {
33 | UNREFERENCED_PARAMETER(RegistrationContext);
34 | UNREFERENCED_PARAMETER(OperationInformation);
35 | return;
36 | }
37 |
38 | ///
39 | /// Bruteforces offset
40 | ///
41 | /// Callback offset
42 | QWORD GetCallbackListOffset()
43 | {
44 | POBJECT_TYPE procType = *PsProcessType;
45 |
46 | __try {
47 | if (procType && MmIsAddressValid((void*)procType)) {
48 | for (int i = 0xF8; i > 0; i -= 8) {
49 | QWORD first = *(QWORD*)((QWORD)procType + i), second = *(QWORD*)((QWORD)procType + (i + 8));
50 | if (first && MmIsAddressValid((void*)first) && second && MmIsAddressValid((void*)second)) {
51 | QWORD test1First = *(QWORD*)(first + 0x0), test1Second = *(QWORD*)(first + 0x8);
52 | if (test1First && MmIsAddressValid((void*)test1First) && test1Second && MmIsAddressValid((void*)test1Second)) {
53 | QWORD testObjectType = *(QWORD*)(first + 0x20);
54 | if (testObjectType == (QWORD)procType)
55 | return((QWORD)i);
56 | }
57 | }
58 | }
59 | }
60 | }
61 | __except (EXCEPTION_EXECUTE_HANDLER) {
62 | Log("There was fatal error in %s", __FUNCTION__);
63 | return(0);
64 | }
65 |
66 | return 0;
67 | }
68 |
69 | ///
70 | /// Disables all anticheat callsback to allow access from usermode
71 | ///
72 | /// Pointer to callback object to we can restore them later
73 | /// Callback offset
74 | void Disable(POLD_CALLBACKS oldCallbacks) {
75 | POBJECT_TYPE procType = *PsProcessType;
76 | if (procType && MmIsAddressValid((void*)procType)) {
77 | __try {
78 | QWORD callbackListOffset = GetCallbackListOffset();
79 | if (callbackListOffset && MmIsAddressValid((void*)((QWORD)procType + callbackListOffset))) {
80 | LIST_ENTRY* callbackList = (LIST_ENTRY*)((QWORD)procType + callbackListOffset);
81 | if (callbackList->Flink && MmIsAddressValid((void*)callbackList->Flink)) {
82 | CALLBACK_ENTRY_ITEM* firstCallback = (CALLBACK_ENTRY_ITEM*)callbackList->Flink;
83 | CALLBACK_ENTRY_ITEM* curCallback = firstCallback;
84 |
85 | do {
86 | // Make sure the callback is valid.
87 | if (curCallback && MmIsAddressValid((void*)curCallback) && MmIsAddressValid((void*)curCallback->CallbackEntry)) {
88 | ANSI_STRING altitudeAnsi = { 0 };
89 | UNICODE_STRING altitudeUni = curCallback->CallbackEntry->Altitude;
90 | RtlUnicodeStringToAnsiString(&altitudeAnsi, &altitudeUni, 1);
91 |
92 | if (!strcmp(altitudeAnsi.Buffer, DRIVER_ALT)) {
93 | if (curCallback->PreOperation) {
94 | oldCallbacks->PreOperationProc = (QWORD)curCallback->PreOperation;
95 | curCallback->PreOperation = DummyObjectPreCallback;
96 | }
97 | if (curCallback->PostOperation) {
98 | oldCallbacks->PostOperationProc = (QWORD)curCallback->PostOperation;
99 | curCallback->PostOperation = DummyObjectPostCallback;
100 | }
101 | RtlFreeAnsiString(&altitudeAnsi);
102 | break;
103 | }
104 |
105 | RtlFreeAnsiString(&altitudeAnsi);
106 | }
107 |
108 | // Get the next callback.
109 | curCallback = (CALLBACK_ENTRY_ITEM*)(curCallback->CallbackList.Flink);
110 | } while (curCallback != firstCallback);
111 | }
112 | }
113 | }
114 | __except (EXCEPTION_EXECUTE_HANDLER) {
115 | Log("There was fatal error in %s", __FUNCTION__);
116 | return;
117 | }
118 | }
119 |
120 | POBJECT_TYPE threadType = *PsThreadType;
121 | if (threadType && MmIsAddressValid((void*)threadType)) {
122 | __try {
123 | QWORD callbackListOffset = GetCallbackListOffset();
124 | if (callbackListOffset && MmIsAddressValid((void*)((QWORD)threadType + callbackListOffset))) {
125 | LIST_ENTRY* callbackList = (LIST_ENTRY*)((QWORD)threadType + callbackListOffset);
126 | if (callbackList->Flink && MmIsAddressValid((void*)callbackList->Flink)) {
127 | CALLBACK_ENTRY_ITEM* firstCallback = (CALLBACK_ENTRY_ITEM*)callbackList->Flink;
128 | CALLBACK_ENTRY_ITEM* curCallback = firstCallback;
129 |
130 | do {
131 | // Make sure the callback is valid.
132 | if (curCallback && MmIsAddressValid((void*)curCallback) && MmIsAddressValid((void*)curCallback->CallbackEntry)) {
133 | ANSI_STRING altitudeAnsi = { 0 };
134 | UNICODE_STRING altitudeUni = curCallback->CallbackEntry->Altitude;
135 | RtlUnicodeStringToAnsiString(&altitudeAnsi, &altitudeUni, 1);
136 |
137 | if (!strcmp(altitudeAnsi.Buffer, DRIVER_ALT)) {
138 | if (curCallback->PreOperation) {
139 | oldCallbacks->PreOperationThread = (QWORD)curCallback->PreOperation;
140 | curCallback->PreOperation = DummyObjectPreCallback;
141 | }
142 | if (curCallback->PostOperation) {
143 | oldCallbacks->PostOperationThread = (QWORD)curCallback->PostOperation;
144 | curCallback->PostOperation = DummyObjectPostCallback;
145 | }
146 | RtlFreeAnsiString(&altitudeAnsi);
147 | break;
148 | }
149 |
150 | RtlFreeAnsiString(&altitudeAnsi);
151 | }
152 |
153 | // Get the next callback.
154 | curCallback = (CALLBACK_ENTRY_ITEM*)(curCallback->CallbackList.Flink);
155 | } while (curCallback != firstCallback);
156 | }
157 | }
158 | }
159 | __except (EXCEPTION_EXECUTE_HANDLER) {
160 | Log("There was fatal error in %s", __FUNCTION__);
161 | return;
162 | }
163 | }
164 | }
165 |
166 | ///
167 | /// Restores anticheat callbacks
168 | ///
169 | /// Pointer to callback object
170 | /// Callback offset
171 | void Restore(POLD_CALLBACKS oldCallbacks) {
172 | POBJECT_TYPE procType = *PsProcessType;
173 | if (procType && MmIsAddressValid((void*)procType)) {
174 | __try {
175 | QWORD callbackListOffset = GetCallbackListOffset();
176 | if (callbackListOffset && MmIsAddressValid((void*)((QWORD)procType + callbackListOffset))) {
177 | LIST_ENTRY* callbackList = (LIST_ENTRY*)((QWORD)procType + callbackListOffset);
178 | if (callbackList->Flink && MmIsAddressValid((void*)callbackList->Flink)) {
179 | CALLBACK_ENTRY_ITEM* firstCallback = (CALLBACK_ENTRY_ITEM*)callbackList->Flink;
180 | CALLBACK_ENTRY_ITEM* curCallback = firstCallback;
181 |
182 | do {
183 | // Make sure the callback is valid.
184 | if (curCallback && MmIsAddressValid((void*)curCallback) && MmIsAddressValid((void*)curCallback->CallbackEntry)) {
185 | ANSI_STRING altitudeAnsi = { 0 };
186 | UNICODE_STRING altitudeUni = curCallback->CallbackEntry->Altitude;
187 | RtlUnicodeStringToAnsiString(&altitudeAnsi, &altitudeUni, 1);
188 |
189 | if (!strcmp(altitudeAnsi.Buffer, DRIVER_ALT)) {
190 | if (curCallback->PreOperation && oldCallbacks->PreOperationProc)
191 | curCallback->PreOperation = (POB_PRE_OPERATION_CALLBACK)oldCallbacks->PreOperationProc;
192 | if (curCallback->PostOperation && oldCallbacks->PostOperationProc)
193 | curCallback->PostOperation = (POB_POST_OPERATION_CALLBACK)oldCallbacks->PostOperationProc;
194 | RtlFreeAnsiString(&altitudeAnsi);
195 | break;
196 | }
197 |
198 | RtlFreeAnsiString(&altitudeAnsi);
199 | }
200 |
201 | // Get the next callback.
202 | curCallback = (CALLBACK_ENTRY_ITEM*)(curCallback->CallbackList.Flink);
203 | } while (curCallback != firstCallback);
204 | }
205 | }
206 | }
207 | __except (EXCEPTION_EXECUTE_HANDLER) {
208 | Log("There was fatal error in %s", __FUNCTION__);
209 | return;
210 | }
211 | }
212 |
213 | POBJECT_TYPE threadType = *PsThreadType;
214 | if (threadType && MmIsAddressValid((void*)threadType)) {
215 | __try {
216 | QWORD callbackListOffset = GetCallbackListOffset();
217 | if (callbackListOffset && MmIsAddressValid((void*)((QWORD)threadType + callbackListOffset))) {
218 | LIST_ENTRY* callbackList = (LIST_ENTRY*)((QWORD)threadType + callbackListOffset);
219 | if (callbackList->Flink && MmIsAddressValid((void*)callbackList->Flink)) {
220 | CALLBACK_ENTRY_ITEM* firstCallback = (CALLBACK_ENTRY_ITEM*)callbackList->Flink;
221 | CALLBACK_ENTRY_ITEM* curCallback = firstCallback;
222 |
223 | do {
224 | // Make sure the callback is valid.
225 | if (curCallback && MmIsAddressValid((void*)curCallback) && MmIsAddressValid((void*)curCallback->CallbackEntry)) {
226 | ANSI_STRING altitudeAnsi = { 0 };
227 | UNICODE_STRING altitudeUni = curCallback->CallbackEntry->Altitude;
228 | RtlUnicodeStringToAnsiString(&altitudeAnsi, &altitudeUni, 1);
229 |
230 | if (!strcmp(altitudeAnsi.Buffer, DRIVER_ALT)) {
231 | if (curCallback->PreOperation && oldCallbacks->PreOperationThread)
232 | curCallback->PreOperation = (POB_PRE_OPERATION_CALLBACK)oldCallbacks->PreOperationThread;
233 | if (curCallback->PostOperation && oldCallbacks->PostOperationThread)
234 | curCallback->PostOperation = (POB_POST_OPERATION_CALLBACK)oldCallbacks->PostOperationThread;
235 | RtlFreeAnsiString(&altitudeAnsi);
236 | break;
237 | }
238 |
239 | RtlFreeAnsiString(&altitudeAnsi);
240 | }
241 |
242 | // Get the next callback.
243 | curCallback = (CALLBACK_ENTRY_ITEM*)(curCallback->CallbackList.Flink);
244 | } while (curCallback != firstCallback);
245 | }
246 | }
247 | }
248 | __except (EXCEPTION_EXECUTE_HANDLER) {
249 | Log("There was fatal error in %s", __FUNCTION__);
250 | return;
251 | }
252 | }
253 | }
--------------------------------------------------------------------------------
/driver/pdrv/Structs.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #define POOL_TAG 'anoB'
4 |
5 | typedef struct _RTL_PROCESS_MODULE_INFORMATION
6 | {
7 | HANDLE Section; // Not filled in
8 | PVOID MappedBase;
9 | PVOID ImageBase;
10 | ULONG ImageSize;
11 | ULONG Flags;
12 | USHORT LoadOrderIndex;
13 | USHORT InitOrderIndex;
14 | USHORT LoadCount;
15 | USHORT OffsetToFileName;
16 | UCHAR FullPathName[MAXIMUM_FILENAME_LENGTH];
17 | } RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
18 |
19 | typedef struct _RTL_PROCESS_MODULES
20 | {
21 | ULONG NumberOfModules;
22 | RTL_PROCESS_MODULE_INFORMATION Modules[1];
23 | } RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
24 |
25 | typedef enum _SYSTEM_INFORMATION_CLASS
26 | {
27 | SystemBasicInformation = 0x0,
28 | SystemProcessorInformation = 0x1,
29 | SystemPerformanceInformation = 0x2,
30 | SystemTimeOfDayInformation = 0x3,
31 | SystemPathInformation = 0x4,
32 | SystemProcessInformation = 0x5,
33 | SystemCallCountInformation = 0x6,
34 | SystemDeviceInformation = 0x7,
35 | SystemProcessorPerformanceInformation = 0x8,
36 | SystemFlagsInformation = 0x9,
37 | SystemCallTimeInformation = 0xa,
38 | SystemModuleInformation = 0xb,
39 | SystemLocksInformation = 0xc,
40 | SystemStackTraceInformation = 0xd,
41 | SystemPagedPoolInformation = 0xe,
42 | SystemNonPagedPoolInformation = 0xf,
43 | SystemHandleInformation = 0x10,
44 | SystemObjectInformation = 0x11,
45 | SystemPageFileInformation = 0x12,
46 | SystemVdmInstemulInformation = 0x13,
47 | SystemVdmBopInformation = 0x14,
48 | SystemFileCacheInformation = 0x15,
49 | SystemPoolTagInformation = 0x16,
50 | SystemInterruptInformation = 0x17,
51 | SystemDpcBehaviorInformation = 0x18,
52 | SystemFullMemoryInformation = 0x19,
53 | SystemLoadGdiDriverInformation = 0x1a,
54 | SystemUnloadGdiDriverInformation = 0x1b,
55 | SystemTimeAdjustmentInformation = 0x1c,
56 | SystemSummaryMemoryInformation = 0x1d,
57 | SystemMirrorMemoryInformation = 0x1e,
58 | SystemPerformanceTraceInformation = 0x1f,
59 | SystemObsolete0 = 0x20,
60 | SystemExceptionInformation = 0x21,
61 | SystemCrashDumpStateInformation = 0x22,
62 | SystemKernelDebuggerInformation = 0x23,
63 | SystemContextSwitchInformation = 0x24,
64 | SystemRegistryQuotaInformation = 0x25,
65 | SystemExtendServiceTableInformation = 0x26,
66 | SystemPrioritySeperation = 0x27,
67 | SystemVerifierAddDriverInformation = 0x28,
68 | SystemVerifierRemoveDriverInformation = 0x29,
69 | SystemProcessorIdleInformation = 0x2a,
70 | SystemLegacyDriverInformation = 0x2b,
71 | SystemCurrentTimeZoneInformation = 0x2c,
72 | SystemLookasideInformation = 0x2d,
73 | SystemTimeSlipNotification = 0x2e,
74 | SystemSessionCreate = 0x2f,
75 | SystemSessionDetach = 0x30,
76 | SystemSessionInformation = 0x31,
77 | SystemRangeStartInformation = 0x32,
78 | SystemVerifierInformation = 0x33,
79 | SystemVerifierThunkExtend = 0x34,
80 | SystemSessionProcessInformation = 0x35,
81 | SystemLoadGdiDriverInSystemSpace = 0x36,
82 | SystemNumaProcessorMap = 0x37,
83 | SystemPrefetcherInformation = 0x38,
84 | SystemExtendedProcessInformation = 0x39,
85 | SystemRecommendedSharedDataAlignment = 0x3a,
86 | SystemComPlusPackage = 0x3b,
87 | SystemNumaAvailableMemory = 0x3c,
88 | SystemProcessorPowerInformation = 0x3d,
89 | SystemEmulationBasicInformation = 0x3e,
90 | SystemEmulationProcessorInformation = 0x3f,
91 | SystemExtendedHandleInformation = 0x40,
92 | SystemLostDelayedWriteInformation = 0x41,
93 | SystemBigPoolInformation = 0x42,
94 | SystemSessionPoolTagInformation = 0x43,
95 | SystemSessionMappedViewInformation = 0x44,
96 | SystemHotpatchInformation = 0x45,
97 | SystemObjectSecurityMode = 0x46,
98 | SystemWatchdogTimerHandler = 0x47,
99 | SystemWatchdogTimerInformation = 0x48,
100 | SystemLogicalProcessorInformation = 0x49,
101 | SystemWow64SharedInformationObsolete = 0x4a,
102 | SystemRegisterFirmwareTableInformationHandler = 0x4b,
103 | SystemFirmwareTableInformation = 0x4c,
104 | SystemModuleInformationEx = 0x4d,
105 | SystemVerifierTriageInformation = 0x4e,
106 | SystemSuperfetchInformation = 0x4f,
107 | SystemMemoryListInformation = 0x50,
108 | SystemFileCacheInformationEx = 0x51,
109 | SystemThreadPriorityClientIdInformation = 0x52,
110 | SystemProcessorIdleCycleTimeInformation = 0x53,
111 | SystemVerifierCancellationInformation = 0x54,
112 | SystemProcessorPowerInformationEx = 0x55,
113 | SystemRefTraceInformation = 0x56,
114 | SystemSpecialPoolInformation = 0x57,
115 | SystemProcessIdInformation = 0x58,
116 | SystemErrorPortInformation = 0x59,
117 | SystemBootEnvironmentInformation = 0x5a,
118 | SystemHypervisorInformation = 0x5b,
119 | SystemVerifierInformationEx = 0x5c,
120 | SystemTimeZoneInformation = 0x5d,
121 | SystemImageFileExecutionOptionsInformation = 0x5e,
122 | SystemCoverageInformation = 0x5f,
123 | SystemPrefetchPatchInformation = 0x60,
124 | SystemVerifierFaultsInformation = 0x61,
125 | SystemSystemPartitionInformation = 0x62,
126 | SystemSystemDiskInformation = 0x63,
127 | SystemProcessorPerformanceDistribution = 0x64,
128 | SystemNumaProximityNodeInformation = 0x65,
129 | SystemDynamicTimeZoneInformation = 0x66,
130 | SystemCodeIntegrityInformation = 0x67,
131 | SystemProcessorMicrocodeUpdateInformation = 0x68,
132 | SystemProcessorBrandString = 0x69,
133 | SystemVirtualAddressInformation = 0x6a,
134 | SystemLogicalProcessorAndGroupInformation = 0x6b,
135 | SystemProcessorCycleTimeInformation = 0x6c,
136 | SystemStoreInformation = 0x6d,
137 | SystemRegistryAppendString = 0x6e,
138 | SystemAitSamplingValue = 0x6f,
139 | SystemVhdBootInformation = 0x70,
140 | SystemCpuQuotaInformation = 0x71,
141 | SystemNativeBasicInformation = 0x72,
142 | SystemErrorPortTimeouts = 0x73,
143 | SystemLowPriorityIoInformation = 0x74,
144 | SystemBootEntropyInformation = 0x75,
145 | SystemVerifierCountersInformation = 0x76,
146 | SystemPagedPoolInformationEx = 0x77,
147 | SystemSystemPtesInformationEx = 0x78,
148 | SystemNodeDistanceInformation = 0x79,
149 | SystemAcpiAuditInformation = 0x7a,
150 | SystemBasicPerformanceInformation = 0x7b,
151 | SystemQueryPerformanceCounterInformation = 0x7c,
152 | SystemSessionBigPoolInformation = 0x7d,
153 | SystemBootGraphicsInformation = 0x7e,
154 | SystemScrubPhysicalMemoryInformation = 0x7f,
155 | SystemBadPageInformation = 0x80,
156 | SystemProcessorProfileControlArea = 0x81,
157 | SystemCombinePhysicalMemoryInformation = 0x82,
158 | SystemEntropyInterruptTimingInformation = 0x83,
159 | SystemConsoleInformation = 0x84,
160 | SystemPlatformBinaryInformation = 0x85,
161 | SystemThrottleNotificationInformation = 0x86,
162 | SystemHypervisorProcessorCountInformation = 0x87,
163 | SystemDeviceDataInformation = 0x88,
164 | SystemDeviceDataEnumerationInformation = 0x89,
165 | SystemMemoryTopologyInformation = 0x8a,
166 | SystemMemoryChannelInformation = 0x8b,
167 | SystemBootLogoInformation = 0x8c,
168 | SystemProcessorPerformanceInformationEx = 0x8d,
169 | SystemSpare0 = 0x8e,
170 | SystemSecureBootPolicyInformation = 0x8f,
171 | SystemPageFileInformationEx = 0x90,
172 | SystemSecureBootInformation = 0x91,
173 | SystemEntropyInterruptTimingRawInformation = 0x92,
174 | SystemPortableWorkspaceEfiLauncherInformation = 0x93,
175 | SystemFullProcessInformation = 0x94,
176 | SystemKernelDebuggerInformationEx = 0x95,
177 | SystemBootMetadataInformation = 0x96,
178 | SystemSoftRebootInformation = 0x97,
179 | SystemElamCertificateInformation = 0x98,
180 | SystemOfflineDumpConfigInformation = 0x99,
181 | SystemProcessorFeaturesInformation = 0x9a,
182 | SystemRegistryReconciliationInformation = 0x9b,
183 | MaxSystemInfoClass = 0x9c,
184 | } SYSTEM_INFORMATION_CLASS;
185 |
186 | //
187 | // Section characteristics.
188 | //
189 | // IMAGE_SCN_TYPE_REG 0x00000000 // Reserved.
190 | // IMAGE_SCN_TYPE_DSECT 0x00000001 // Reserved.
191 | // IMAGE_SCN_TYPE_NOLOAD 0x00000002 // Reserved.
192 | // IMAGE_SCN_TYPE_GROUP 0x00000004 // Reserved.
193 | #define IMAGE_SCN_TYPE_NO_PAD 0x00000008 // Reserved.
194 | // IMAGE_SCN_TYPE_COPY 0x00000010 // Reserved.
195 |
196 | #define IMAGE_SCN_CNT_CODE 0x00000020 // Section contains code.
197 | #define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 // Section contains initialized data.
198 | #define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 // Section contains uninitialized data.
199 |
200 | #define IMAGE_SCN_LNK_OTHER 0x00000100 // Reserved.
201 | #define IMAGE_SCN_LNK_INFO 0x00000200 // Section contains comments or some other type of information.
202 | // IMAGE_SCN_TYPE_OVER 0x00000400 // Reserved.
203 | #define IMAGE_SCN_LNK_REMOVE 0x00000800 // Section contents will not become part of image.
204 | #define IMAGE_SCN_LNK_COMDAT 0x00001000 // Section contents comdat.
205 | // 0x00002000 // Reserved.
206 | // IMAGE_SCN_MEM_PROTECTED - Obsolete 0x00004000
207 | #define IMAGE_SCN_NO_DEFER_SPEC_EXC 0x00004000 // Reset speculative exceptions handling bits in the TLB entries for this section.
208 | #define IMAGE_SCN_GPREL 0x00008000 // Section content can be accessed relative to GP
209 | #define IMAGE_SCN_MEM_FARDATA 0x00008000
210 | // IMAGE_SCN_MEM_SYSHEAP - Obsolete 0x00010000
211 | #define IMAGE_SCN_MEM_PURGEABLE 0x00020000
212 | #define IMAGE_SCN_MEM_16BIT 0x00020000
213 | #define IMAGE_SCN_MEM_LOCKED 0x00040000
214 | #define IMAGE_SCN_MEM_PRELOAD 0x00080000
215 |
216 | #define IMAGE_SCN_ALIGN_1BYTES 0x00100000 //
217 | #define IMAGE_SCN_ALIGN_2BYTES 0x00200000 //
218 | #define IMAGE_SCN_ALIGN_4BYTES 0x00300000 //
219 | #define IMAGE_SCN_ALIGN_8BYTES 0x00400000 //
220 | #define IMAGE_SCN_ALIGN_16BYTES 0x00500000 // Default alignment if no others are specified.
221 | #define IMAGE_SCN_ALIGN_32BYTES 0x00600000 //
222 | #define IMAGE_SCN_ALIGN_64BYTES 0x00700000 //
223 | #define IMAGE_SCN_ALIGN_128BYTES 0x00800000 //
224 | #define IMAGE_SCN_ALIGN_256BYTES 0x00900000 //
225 | #define IMAGE_SCN_ALIGN_512BYTES 0x00A00000 //
226 | #define IMAGE_SCN_ALIGN_1024BYTES 0x00B00000 //
227 | #define IMAGE_SCN_ALIGN_2048BYTES 0x00C00000 //
228 | #define IMAGE_SCN_ALIGN_4096BYTES 0x00D00000 //
229 | #define IMAGE_SCN_ALIGN_8192BYTES 0x00E00000 //
230 | // Unused 0x00F00000
231 | #define IMAGE_SCN_ALIGN_MASK 0x00F00000
232 |
233 | #define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 // Section contains extended relocations.
234 | #define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 // Section can be discarded.
235 | #define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 // Section is not cachable.
236 | #define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 // Section is not pageable.
237 | #define IMAGE_SCN_MEM_SHARED 0x10000000 // Section is shareable.
238 | #define IMAGE_SCN_MEM_EXECUTE 0x20000000 // Section is executable.
239 | #define IMAGE_SCN_MEM_READ 0x40000000 // Section is readable.
240 | #define IMAGE_SCN_MEM_WRITE 0x80000000 // Section is writeable.
241 |
242 | typedef struct _IMAGE_FILE_HEADER // Size=20
243 | {
244 | USHORT Machine;
245 | USHORT NumberOfSections;
246 | ULONG TimeDateStamp;
247 | ULONG PointerToSymbolTable;
248 | ULONG NumberOfSymbols;
249 | USHORT SizeOfOptionalHeader;
250 | USHORT Characteristics;
251 | } IMAGE_FILE_HEADER, * PIMAGE_FILE_HEADER;
252 |
253 | typedef struct _IMAGE_DATA_DIRECTORY
254 | {
255 | ULONG VirtualAddress;
256 | ULONG Size;
257 | } IMAGE_DATA_DIRECTORY, * PIMAGE_DATA_DIRECTORY;
258 |
259 | typedef struct _IMAGE_OPTIONAL_HEADER64
260 | {
261 | USHORT Magic;
262 | UCHAR MajorLinkerVersion;
263 | UCHAR MinorLinkerVersion;
264 | ULONG SizeOfCode;
265 | ULONG SizeOfInitializedData;
266 | ULONG SizeOfUninitializedData;
267 | ULONG AddressOfEntryPoint;
268 | ULONG BaseOfCode;
269 | ULONGLONG ImageBase;
270 | ULONG SectionAlignment;
271 | ULONG FileAlignment;
272 | USHORT MajorOperatingSystemVersion;
273 | USHORT MinorOperatingSystemVersion;
274 | USHORT MajorImageVersion;
275 | USHORT MinorImageVersion;
276 | USHORT MajorSubsystemVersion;
277 | USHORT MinorSubsystemVersion;
278 | ULONG Win32VersionValue;
279 | ULONG SizeOfImage;
280 | ULONG SizeOfHeaders;
281 | ULONG CheckSum;
282 | USHORT Subsystem;
283 | USHORT DllCharacteristics;
284 | ULONGLONG SizeOfStackReserve;
285 | ULONGLONG SizeOfStackCommit;
286 | ULONGLONG SizeOfHeapReserve;
287 | ULONGLONG SizeOfHeapCommit;
288 | ULONG LoaderFlags;
289 | ULONG NumberOfRvaAndSizes;
290 | struct _IMAGE_DATA_DIRECTORY DataDirectory[16];
291 | } IMAGE_OPTIONAL_HEADER64, * PIMAGE_OPTIONAL_HEADER64;
292 |
293 | typedef struct _IMAGE_NT_HEADERS64
294 | {
295 | ULONG Signature;
296 | struct _IMAGE_FILE_HEADER FileHeader;
297 | struct _IMAGE_OPTIONAL_HEADER64 OptionalHeader;
298 | } IMAGE_NT_HEADERS64, * PIMAGE_NT_HEADERS64;
299 |
300 | typedef struct _IMAGE_SECTION_HEADER
301 | {
302 | UCHAR Name[8];
303 | union
304 | {
305 | ULONG PhysicalAddress;
306 | ULONG VirtualSize;
307 | } Misc;
308 | ULONG VirtualAddress;
309 | ULONG SizeOfRawData;
310 | ULONG PointerToRawData;
311 | ULONG PointerToRelocations;
312 | ULONG PointerToLinenumbers;
313 | USHORT NumberOfRelocations;
314 | USHORT NumberOfLinenumbers;
315 | ULONG Characteristics;
316 | } IMAGE_SECTION_HEADER, * PIMAGE_SECTION_HEADER;
317 |
318 | typedef struct _SYSTEM_SERVICE_DESCRIPTOR_TABLE
319 | {
320 | PULONG_PTR ServiceTableBase;
321 | PULONG ServiceCounterTableBase;
322 | ULONG_PTR NumberOfServices;
323 | PUCHAR ParamTableBase;
324 | } SYSTEM_SERVICE_DESCRIPTOR_TABLE, * PSYSTEM_SERVICE_DESCRIPTOR_TABLE;
325 |
326 | typedef struct _SYSTEM_THREAD_INFORMATION
327 | {
328 | LARGE_INTEGER KernelTime;
329 | LARGE_INTEGER UserTime;
330 | LARGE_INTEGER CreateTime;
331 | ULONG WaitTime;
332 | PVOID StartAddress;
333 | CLIENT_ID ClientId;
334 | KPRIORITY Priority;
335 | LONG BasePriority;
336 | ULONG ContextSwitches;
337 | ULONG ThreadState;
338 | KWAIT_REASON WaitReason;
339 | } SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;
340 |
341 | typedef struct _TEB* PTEB;
342 |
343 | // private
344 | typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION
345 | {
346 | SYSTEM_THREAD_INFORMATION ThreadInfo;
347 | PVOID StackBase;
348 | PVOID StackLimit;
349 | PVOID Win32StartAddress;
350 | PTEB TebBase; // since VISTA
351 | ULONG_PTR Reserved2;
352 | ULONG_PTR Reserved3;
353 | ULONG_PTR Reserved4;
354 | } SYSTEM_EXTENDED_THREAD_INFORMATION, * PSYSTEM_EXTENDED_THREAD_INFORMATION;
355 |
356 | typedef struct _SYSTEM_PROCESS_INFORMATION
357 | {
358 | ULONG NextEntryOffset;
359 | ULONG NumberOfThreads;
360 | LARGE_INTEGER WorkingSetPrivateSize; // since VISTA
361 | ULONG HardFaultCount; // since WIN7
362 | ULONG NumberOfThreadsHighWatermark; // since WIN7
363 | ULONGLONG CycleTime; // since WIN7
364 | LARGE_INTEGER CreateTime;
365 | LARGE_INTEGER UserTime;
366 | LARGE_INTEGER KernelTime;
367 | UNICODE_STRING ImageName;
368 | KPRIORITY BasePriority;
369 | HANDLE UniqueProcessId;
370 | HANDLE InheritedFromUniqueProcessId;
371 | ULONG HandleCount;
372 | ULONG SessionId;
373 | ULONG_PTR UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation)
374 | SIZE_T PeakVirtualSize;
375 | SIZE_T VirtualSize;
376 | ULONG PageFaultCount;
377 | SIZE_T PeakWorkingSetSize;
378 | SIZE_T WorkingSetSize;
379 | SIZE_T QuotaPeakPagedPoolUsage;
380 | SIZE_T QuotaPagedPoolUsage;
381 | SIZE_T QuotaPeakNonPagedPoolUsage;
382 | SIZE_T QuotaNonPagedPoolUsage;
383 | SIZE_T PagefileUsage;
384 | SIZE_T PeakPagefileUsage;
385 | SIZE_T PrivatePageCount;
386 | LARGE_INTEGER ReadOperationCount;
387 | LARGE_INTEGER WriteOperationCount;
388 | LARGE_INTEGER OtherOperationCount;
389 | LARGE_INTEGER ReadTransferCount;
390 | LARGE_INTEGER WriteTransferCount;
391 | LARGE_INTEGER OtherTransferCount;
392 | SYSTEM_THREAD_INFORMATION Threads[1]; // SystemProcessInformation
393 | // SYSTEM_EXTENDED_THREAD_INFORMATION Threads[1]; // SystemExtendedProcessinformation
394 | // SYSTEM_EXTENDED_THREAD_INFORMATION + SYSTEM_PROCESS_INFORMATION_EXTENSION // SystemFullProcessInformation
395 | } SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
--------------------------------------------------------------------------------
/Client/pclient/pclient.cpp:
--------------------------------------------------------------------------------
1 |
2 |
3 | // TODO: Use blank space instead of allocating memory
4 | // TODO: Load driver automatically (add kdmapper)
5 |
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include "skStr.h"
11 |
12 |
13 |
14 | //#define TARGET_DLL_ADDRESS L""
15 | #define TARGET_DLL_ADDRESS L"" //dllpath
16 | //#define TARGET_PROCESS L"RustClient.exe"
17 | #define TARGET_PROCESS L"FortniteClient-Win64-Shipping.exe"
18 | #define TARGET_THREAD 3
19 |
20 | #define CODE_DISABLE 0x1601
21 | #define CODE_RESTORE 0x1602
22 |
23 | typedef HMODULE(WINAPI* pLoadLibraryA)(LPCSTR);
24 | typedef FARPROC(WINAPI* pGetProcAddress)(HMODULE, LPCSTR);
25 |
26 | typedef BOOL(WINAPI* PDLL_MAIN)(HMODULE, DWORD, PVOID);
27 |
28 | typedef struct _MANUAL_INJECT
29 | {
30 | PVOID ImageBase;
31 | PIMAGE_NT_HEADERS NtHeaders;
32 | PIMAGE_BASE_RELOCATION BaseRelocation;
33 | PIMAGE_IMPORT_DESCRIPTOR ImportDirectory;
34 | pLoadLibraryA fnLoadLibraryA;
35 | pGetProcAddress fnGetProcAddress;
36 | }MANUAL_INJECT, * PMANUAL_INJECT;
37 |
38 | DWORD WINAPI LoadDll(PVOID p)
39 | {
40 | PMANUAL_INJECT ManualInject;
41 |
42 | HMODULE hModule;
43 | DWORD64 i, Function, count, delta;
44 |
45 | DWORD64* ptr;
46 | PWORD list;
47 |
48 | PIMAGE_BASE_RELOCATION pIBR;
49 | PIMAGE_IMPORT_DESCRIPTOR pIID;
50 | PIMAGE_IMPORT_BY_NAME pIBN;
51 | PIMAGE_THUNK_DATA FirstThunk, OrigFirstThunk;
52 |
53 | PDLL_MAIN EntryPoint;
54 |
55 | ManualInject = (PMANUAL_INJECT)p;
56 |
57 | pIBR = ManualInject->BaseRelocation;
58 | delta = (DWORD64)((LPBYTE)ManualInject->ImageBase - ManualInject->NtHeaders->OptionalHeader.ImageBase); // Calculate the delta
59 |
60 | while (pIBR->VirtualAddress)
61 | {
62 | if (pIBR->SizeOfBlock >= sizeof(IMAGE_BASE_RELOCATION))
63 | {
64 | count = (pIBR->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
65 | list = (PWORD)(pIBR + 1);
66 |
67 | for (i = 0; i < count; i++)
68 | {
69 | if (list[i])
70 | {
71 | ptr = (DWORD64*)((LPBYTE)ManualInject->ImageBase + (pIBR->VirtualAddress + (list[i] & 0xFFF)));
72 | *ptr += delta;
73 | }
74 | }
75 | }
76 |
77 | pIBR = (PIMAGE_BASE_RELOCATION)((LPBYTE)pIBR + pIBR->SizeOfBlock);
78 | }
79 |
80 | pIID = ManualInject->ImportDirectory;
81 |
82 | // Resolve DLL imports
83 |
84 | while (pIID->Characteristics)
85 | {
86 | OrigFirstThunk = (PIMAGE_THUNK_DATA)((LPBYTE)ManualInject->ImageBase + pIID->OriginalFirstThunk);
87 | FirstThunk = (PIMAGE_THUNK_DATA)((LPBYTE)ManualInject->ImageBase + pIID->FirstThunk);
88 |
89 | hModule = ManualInject->fnLoadLibraryA((LPCSTR)ManualInject->ImageBase + pIID->Name);
90 |
91 | if (!hModule)
92 | {
93 | return FALSE;
94 | }
95 |
96 | while (OrigFirstThunk->u1.AddressOfData)
97 | {
98 | if (OrigFirstThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
99 | {
100 | // Import by ordinal
101 |
102 | Function = (DWORD64)ManualInject->fnGetProcAddress(hModule, (LPCSTR)(OrigFirstThunk->u1.Ordinal & 0xFFFF));
103 |
104 | if (!Function)
105 | {
106 | return FALSE;
107 | }
108 |
109 | FirstThunk->u1.Function = Function;
110 | }
111 |
112 | else
113 | {
114 | // Import by name
115 |
116 | pIBN = (PIMAGE_IMPORT_BY_NAME)((LPBYTE)ManualInject->ImageBase + OrigFirstThunk->u1.AddressOfData);
117 | Function = (DWORD64)ManualInject->fnGetProcAddress(hModule, (LPCSTR)pIBN->Name);
118 |
119 | if (!Function)
120 | {
121 | return FALSE;
122 | }
123 |
124 | FirstThunk->u1.Function = Function;
125 | }
126 |
127 | OrigFirstThunk++;
128 | FirstThunk++;
129 | }
130 |
131 | pIID++;
132 | }
133 |
134 | if (ManualInject->NtHeaders->OptionalHeader.AddressOfEntryPoint)
135 | {
136 | EntryPoint = (PDLL_MAIN)((LPBYTE)ManualInject->ImageBase + ManualInject->NtHeaders->OptionalHeader.AddressOfEntryPoint);
137 | return EntryPoint((HMODULE)ManualInject->ImageBase, DLL_PROCESS_ATTACH, NULL); // Call the entry point
138 | }
139 |
140 | return TRUE;
141 | }
142 |
143 | DWORD WINAPI LoadDllEnd()
144 | {
145 | return 0;
146 | }
147 |
148 | #pragma comment(lib, "ntdll.lib")
149 |
150 | extern "C" NTSTATUS NTAPI RtlAdjustPrivilege(ULONG Privilege, BOOLEAN Enable, BOOLEAN CurrentThread, PBOOLEAN Enabled);
151 |
152 | UCHAR code[] = {
153 | 0x48, 0xB8, 0xF0, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // mov -16 to rax
154 | 0x48, 0x21, 0xC4, // and rsp, rax
155 | 0x48, 0x83, 0xEC, 0x20, // subtract 32 from rsp
156 | 0x48, 0x8b, 0xEC, // mov rbp, rsp
157 | 0x90, 0x90, // nop nop
158 | 0x48, 0xB9, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // mov rcx,CCCCCCCCCCCCCCCC
159 | 0x48, 0xB8, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, // mov rax,AAAAAAAAAAAAAAAA
160 | 0xFF, 0xD0, // call rax
161 | 0x90, // nop
162 | 0x90, // nop
163 | 0xEB, 0xFC // JMP to nop
164 | };
165 |
166 | void CallbackSwitch(bool restore)
167 | {
168 | FARPROC fnNtQueryIntervalProfile = GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtQueryIntervalProfile");
169 | typedef HRESULT(__stdcall* tNtQueryIntervalProfile)(ULONG64 ProfileSource, PULONG Interval);
170 |
171 | tNtQueryIntervalProfile NtQueryIntervalProfile = reinterpret_cast(fnNtQueryIntervalProfile);
172 |
173 | ULONG a2 = 0;
174 | if (restore)
175 | {
176 | NtQueryIntervalProfile(CODE_RESTORE, &a2);
177 | }
178 | else
179 | {
180 | NtQueryIntervalProfile(CODE_DISABLE, &a2);
181 | }
182 |
183 | }
184 |
185 | DWORD GetPID()
186 | {
187 | PROCESSENTRY32 entry;
188 | entry.dwSize = sizeof(PROCESSENTRY32);
189 |
190 | HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
191 |
192 | if (Process32First(snapshot, &entry) == TRUE)
193 | {
194 | while (Process32Next(snapshot, &entry) == TRUE)
195 | {
196 | if (wcscmp(entry.szExeFile, TARGET_PROCESS) == 0)
197 | {
198 | return entry.th32ProcessID;
199 | }
200 | }
201 | }
202 |
203 | CloseHandle(snapshot);
204 | return 0;
205 | }
206 |
207 | void End()
208 | {
209 | Beep(300, 300);
210 | printf(skCrypt("\[+] Successfully injected!\n"));
211 | getchar();
212 | while (true)
213 | {
214 | exit(0);
215 | }
216 | }
217 |
218 | int main()
219 | {
220 |
221 | LPBYTE ptr;
222 | HANDLE hProcess, hThread, hSnap, hFile;
223 | PVOID mem, mem1;
224 | DWORD ProcessId, FileSize, read, i;
225 | PVOID buffer, image;
226 | BOOLEAN bl;
227 | PIMAGE_DOS_HEADER pIDH;
228 | PIMAGE_NT_HEADERS pINH;
229 | PIMAGE_SECTION_HEADER pISH;
230 |
231 | THREADENTRY32 te32;
232 | CONTEXT ctx;
233 |
234 | MANUAL_INJECT ManualInject;
235 |
236 | te32.dwSize = sizeof(te32);
237 | ctx.ContextFlags = CONTEXT_FULL;
238 |
239 | system("cls");
240 | printf(skCrypt("[+] Initialized\n"));
241 |
242 | printf(skCrypt("[>] Disabling anticheat callbacks...\n"));
243 | CallbackSwitch(false);
244 | printf(skCrypt("[+] Callbacks disabled\n"));
245 | Sleep(100);
246 | system("cls");
247 |
248 | printf(skCrypt("[>] Getting game PID...\n"));
249 | DWORD PID = GetPID();
250 | if (PID == 0)
251 | {
252 | system("cls");
253 | printf(skCrypt("[-] Game is not running\n"));
254 | Sleep(1000);
255 | exit(0);
256 | End();
257 | }
258 | system("cls");
259 | printf(skCrypt("[+] Found on PID %u\n"), PID);
260 | system("cls");
261 | printf(skCrypt("[>] Injecting...\n"));
262 | //std::vector bytes = KeyAuthApp.download(" 858860");
263 | //if (!KeyAuthApp.data.success) // check whether file downloaded correctly
264 | //{
265 | // system("cls");
266 | // std::cout << skCrypt("\n\nStatus: ") << KeyAuthApp.data.message;
267 | // Sleep(1500);
268 | // exit(0);
269 | //}
270 | //std::ofstream file("file.dll", std::ios_base::out | std::ios_base::binary);
271 | //file.write((char*)bytes.data(), bytes.size());
272 | //file.close();
273 |
274 | hFile = CreateFile(TARGET_DLL_ADDRESS, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); // Open the DLL
275 |
276 | if (hFile == INVALID_HANDLE_VALUE)
277 | {
278 | system("cls");
279 | printf(skCrypt("[-] Unable to open the DLL (%d)\n"), GetLastError());
280 | Sleep(100);
281 | system("cls");
282 | End();
283 | }
284 |
285 | FileSize = GetFileSize(hFile, NULL);
286 | buffer = VirtualAlloc(NULL, FileSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
287 |
288 | if (!buffer)
289 | {
290 | system("cls");
291 | printf(skCrypt("[-] Unable to allocate memory for DLL data (%d)\n"), GetLastError());
292 |
293 | CloseHandle(hFile);
294 | Sleep(100);
295 | system("cls");
296 | End();
297 | }
298 |
299 | // Read the DLL
300 |
301 | if (!ReadFile(hFile, buffer, FileSize, &read, NULL))
302 | {
303 | system("cls");
304 | printf(skCrypt("[-] Unable to read the DLL (%d)\n"), GetLastError());
305 |
306 | VirtualFree(buffer, 0, MEM_RELEASE);
307 | CloseHandle(hFile);
308 | Sleep(100);
309 | system("cls");
310 | End();
311 | }
312 |
313 | CloseHandle(hFile);
314 |
315 | pIDH = (PIMAGE_DOS_HEADER)buffer;
316 |
317 | if (pIDH->e_magic != IMAGE_DOS_SIGNATURE)
318 | {
319 | system("cls");
320 | printf(skCrypt("[-] Invalid executable image\n"));
321 |
322 | VirtualFree(buffer, 0, MEM_RELEASE);
323 | Sleep(100);
324 | system("cls");
325 | End();
326 | }
327 |
328 | pINH = (PIMAGE_NT_HEADERS)((LPBYTE)buffer + pIDH->e_lfanew);
329 |
330 | if (pINH->Signature != IMAGE_NT_SIGNATURE)
331 | {
332 | system("cls");
333 | printf(skCrypt("[-] Invalid PE header\n"));
334 |
335 | VirtualFree(buffer, 0, MEM_RELEASE);
336 | End();
337 | }
338 |
339 | if (!(pINH->FileHeader.Characteristics & IMAGE_FILE_DLL))
340 | {
341 | system("cls");
342 | printf(skCrypt("[-] The image is not DLL\n"));
343 |
344 | VirtualFree(buffer, 0, MEM_RELEASE);
345 | End();
346 | }
347 |
348 | RtlAdjustPrivilege(20, TRUE, FALSE, &bl);
349 |
350 | ProcessId = PID;
351 | hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
352 |
353 | if (!hProcess)
354 | {
355 | system("cls");
356 | printf(skCrypt("[-] Unable to open target process handle (%d)\n"), GetLastError());
357 | End();
358 | }
359 |
360 | image = VirtualAllocEx(hProcess, NULL, pINH->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); // Allocate memory for the DLL
361 |
362 | if (!image)
363 | {
364 | system("cls");
365 | printf(skCrypt("[-] Unable to allocate memory for the DLL (%d)\n"), GetLastError());
366 |
367 | VirtualFree(buffer, 0, MEM_RELEASE);
368 | CloseHandle(hProcess);
369 |
370 | End();
371 | }
372 |
373 | // Copy the header to target process
374 |
375 | if (!WriteProcessMemory(hProcess, image, buffer, pINH->OptionalHeader.SizeOfHeaders, NULL))
376 | {
377 | system("cls");
378 | printf(skCrypt("[-] Unable to copy headers to target process (%d)\n"), GetLastError());
379 |
380 | VirtualFreeEx(hProcess, image, 0, MEM_RELEASE);
381 | CloseHandle(hProcess);
382 |
383 | VirtualFree(buffer, 0, MEM_RELEASE);
384 | End();
385 | }
386 |
387 | pISH = (PIMAGE_SECTION_HEADER)(pINH + 1);
388 |
389 | // Copy the DLL to target process
390 |
391 | for (i = 0; i < pINH->FileHeader.NumberOfSections; i++)
392 | {
393 | WriteProcessMemory(hProcess, (PVOID)((LPBYTE)image + pISH[i].VirtualAddress), (PVOID)((LPBYTE)buffer + pISH[i].PointerToRawData), pISH[i].SizeOfRawData, NULL);
394 | }
395 |
396 | mem1 = VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); // Allocate memory for the loader code
397 |
398 | if (!mem1)
399 | {
400 | system("cls");
401 | printf(skCrypt("[-] Unable to allocate memory for the loader code (%d)\n"), GetLastError());
402 |
403 | VirtualFreeEx(hProcess, image, 0, MEM_RELEASE);
404 | CloseHandle(hProcess);
405 |
406 | VirtualFree(buffer, 0, MEM_RELEASE);
407 | End();
408 | }
409 |
410 | printf(skCrypt("[+] Loader code allocated at %#x\n"), mem1);
411 | memset(&ManualInject, 0, sizeof(MANUAL_INJECT));
412 |
413 | ManualInject.ImageBase = image;
414 | ManualInject.NtHeaders = (PIMAGE_NT_HEADERS)((LPBYTE)image + pIDH->e_lfanew);
415 | ManualInject.BaseRelocation = (PIMAGE_BASE_RELOCATION)((LPBYTE)image + pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
416 | ManualInject.ImportDirectory = (PIMAGE_IMPORT_DESCRIPTOR)((LPBYTE)image + pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
417 | ManualInject.fnLoadLibraryA = LoadLibraryA;
418 | ManualInject.fnGetProcAddress = GetProcAddress;
419 |
420 |
421 | if (!WriteProcessMemory(hProcess, mem1, &ManualInject, sizeof(MANUAL_INJECT), NULL))
422 | system("cls");
423 | printf(skCrypt("[-] Memory write error (%d)\n"), GetLastError());
424 | //std::cout << "LoadDllSize " << std::dec << (DWORD64)LoadDllEnd - (DWORD64)LoadDll << std::endl;
425 |
426 | // FIXED by removing optimiations : some fat fucking error here.. writing LoadDll directly appears to write a bunch of JMP instructions to undefined memory and the sizes are messed
427 | if (!WriteProcessMemory(hProcess, (PVOID)((PMANUAL_INJECT)mem1 + 1), LoadDll, 4096 - sizeof(MANUAL_INJECT), NULL))
428 | system("cls");
429 | printf(skCrypt("[-] Memory write error (%d)\n"), GetLastError());
430 | //std::cout << "LoadDllAddress " << std::hex << (PVOID)((PMANUAL_INJECT)mem1 + 1) << std::endl;
431 |
432 | hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
433 |
434 | Thread32First(hSnap, &te32);
435 |
436 | int number = 0;
437 | while (Thread32Next(hSnap, &te32))
438 | {
439 | if (te32.th32OwnerProcessID == ProcessId)
440 | {
441 | if (number == TARGET_THREAD)
442 | {
443 | break;
444 | }
445 | number++;
446 | }
447 | }
448 | system("cls");
449 | printf(skCrypt("[+] Thread found on ID: %d\n"), te32.th32ThreadID);
450 |
451 | CloseHandle(hSnap);
452 |
453 | mem = VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
454 |
455 | if (!mem)
456 | {
457 | system("cls");
458 | printf(skCrypt("[-] Unable to allocate memory in target process (%d)\n"), GetLastError());
459 |
460 | CloseHandle(hProcess);
461 | End();
462 | }
463 | system("cls");
464 | printf(skCrypt("[+] Memory allocated at %#x\n"), mem);
465 |
466 | hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, te32.th32ThreadID);
467 |
468 | if (!hThread)
469 | {
470 | system("cls");
471 | printf(skCrypt("[-] Unable to open target thread handle (%d)\n"), GetLastError());
472 |
473 | VirtualFreeEx(hProcess, mem, 0, MEM_RELEASE);
474 | CloseHandle(hProcess);
475 | End();
476 | }
477 |
478 | SuspendThread(hThread);
479 | GetThreadContext(hThread, &ctx);
480 |
481 | buffer = VirtualAlloc(NULL, 65536, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
482 | ptr = (LPBYTE)buffer;
483 | ZeroMemory(buffer, 65536);
484 | memcpy(buffer, code, sizeof(code));
485 |
486 | for (BYTE* ptr = (LPBYTE)buffer; ptr < ((LPBYTE)buffer + 300); ptr++)
487 | {
488 | DWORD64 address = *(DWORD64*)ptr;
489 | if (address == 0xCCCCCCCCCCCCCCCC)
490 | {
491 | system("cls");
492 | printf(skCrypt("[>] Writing param 1 (rcx)...\n"));
493 | *(DWORD64*)ptr = (DWORD64)mem1;
494 | }
495 |
496 | if (address == 0xAAAAAAAAAAAAAAAA)
497 | {
498 | system("cls");
499 | printf(skCrypt("[>] Writing function address (rax)...\n"));
500 | *(DWORD64*)ptr = (DWORD64)((PMANUAL_INJECT)mem1 + 1);
501 | }
502 | }
503 |
504 | if (!WriteProcessMemory(hProcess, mem, buffer, sizeof(code), NULL)) // + 0x4 because a DWORD is 0x4 big
505 | {
506 | system("cls");
507 | printf(skCrypt("[-] Unable to write shellcode into target process (%d)\n"), GetLastError());
508 |
509 | VirtualFreeEx(hProcess, mem, 0, MEM_RELEASE);
510 | ResumeThread(hThread);
511 |
512 | CloseHandle(hThread);
513 | CloseHandle(hProcess);
514 |
515 | VirtualFree(buffer, 0, MEM_RELEASE);
516 | End();
517 | }
518 |
519 | ctx.Rip = (DWORD64)mem;
520 |
521 | if (!SetThreadContext(hThread, &ctx))
522 | {
523 | system("cls");
524 | printf("[-] Unable to hijack target thread (%d)\n"), GetLastError();
525 |
526 | VirtualFreeEx(hProcess, mem, 0, MEM_RELEASE);
527 | ResumeThread(hThread);
528 |
529 | CloseHandle(hThread);
530 | CloseHandle(hProcess);
531 |
532 | VirtualFree(buffer, 0, MEM_RELEASE);
533 | End();
534 | }
535 |
536 | ResumeThread(hThread);
537 |
538 | CloseHandle(hThread);
539 | CloseHandle(hProcess);
540 |
541 | VirtualFree(buffer, 0, MEM_RELEASE);
542 |
543 | system("cls");
544 | printf(skCrypt("[+] Injected successfully\n"));
545 |
546 | /*printf(xorstr_("[>] Waiting... "));
547 | for (int i = 1; i <= 10; i++)
548 | {
549 | printf(xorstr_(" %i "), i);
550 | Sleep(1000);
551 | }
552 | printf(xorstr_("\n[+] Wait complete\n"));*/
553 |
554 | system("cls");
555 | printf(skCrypt("[>] Restoring anticheat callbacks...\n"));
556 | CallbackSwitch(true);
557 | system("cls");
558 | printf(skCrypt("[+] Callbacks restored\n"));
559 |
560 | End();
561 | }
562 |
--------------------------------------------------------------------------------