├── README.md
├── KernelDrawing
├── Cheat Driver.vcxproj.filters
├── Misc.h
├── Main.cpp
├── CheatDriver.inf
├── Cheat Driver.sln
├── Drawing.h
├── Nt.h
└── Cheat Driver.vcxproj
└── .gitignore
/README.md:
--------------------------------------------------------------------------------
1 | # KernelDrawing
2 | Drawing from kernel mode without any hooks
3 |
4 | ## DESCRIPTION
5 | All the examples I have seen so far that call the Windows GDI functions hook a GDI function that is called often, in order to obtain a valid win32 thread value.
6 | In this project I achieve the same by spoofing the win32 thread value (and some other things) to bypass the security checks in the kernel gdi functions.
7 |
8 | This is only a proof of concept, so it includes no drawing function other than a box, but I have provided every function needed (as far as I know) to get everything else working.
9 |
10 | ## NOTES
11 | I have only provided the correct NT offsets for my Windows version (21H1). You can get the correct offsets for your Windows version from the Vergilius Project (https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016).
12 | Every offset that might change across Windows versions is in Nt.h and has a comment on where to find it.
13 |
14 | ## USAGE
15 | Compile this in x64 release and set Sign mode to off. You can load it with a driver manual mapper such as KDmapper (https://github.com/TheCruZ/kdmapper).
16 |
17 | When loading the driver it should look like this:
18 | 
19 |
--------------------------------------------------------------------------------
/KernelDrawing/Cheat Driver.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 | {8E41214B-6785-4CFE-B992-037D68949A14}
18 | inf;inv;inx;mof;mc;
19 |
20 |
21 |
22 |
23 | Driver Files
24 |
25 |
26 |
27 |
28 | Source Files
29 |
30 |
31 |
32 |
33 | Header Files
34 |
35 |
36 | Header Files
37 |
38 |
39 | Header Files
40 |
41 |
42 |
--------------------------------------------------------------------------------
/KernelDrawing/Misc.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "Nt.h"
3 |
// Blocks the calling thread for roughly `ms` milliseconds.
//
// KeDelayExecutionThread treats a negative interval as relative, in
// 100-nanosecond units, so -(ms) * 10 * 1000 converts milliseconds to that
// unit. The multiply is done in `int` before the assignment widens it to
// QuadPart, so a very large `ms` overflows (signed overflow is UB); callers
// must keep `ms` small. The wait is alertable (TRUE), so it may end early.
// Not called by any other file on this page.
void Sleep(int ms)
{
    LARGE_INTEGER time = { 0 };
    time.QuadPart = -(ms) * 10 * 1000;
    KeDelayExecutionThread(KernelMode, TRUE, &time);
}
10 |
// Queries ZwQuerySystemInformation for `SystemInfoClass` into a freshly
// allocated NonPagedPool buffer.
//
// Returns the buffer (the caller owns it; GetKernelModuleBase releases it
// with ExFreePoolWithTag(p, 0)) and stores the allocation size in `*size`.
// Returns 0 after `maxAttempt` failed rounds; `*size` is left untouched on
// that path.
//
// The `QueryTry` label is a goto-based retry loop: every failure (no size
// reported, allocation failure, query failure) jumps back and starts a new
// attempt. The backward jumps pass over the declarations below the label,
// which is legal because they go out of scope first.
PVOID QuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInfoClass, ULONG* size)
{
    int currAttempt = 0;
    int maxAttempt = 20;


QueryTry:
    if (currAttempt >= maxAttempt)
        return 0;

    currAttempt++;
    // Size probe: NULL buffer and length 0. Only the returned length is
    // consulted; the status of this first call is not checked.
    ULONG neededSize = 0;
    ZwQuerySystemInformation(SystemInfoClass, NULL, neededSize, &neededSize);
    if (!neededSize)
        goto QueryTry;

    // Untagged ExAllocatePool; the matching frees pass tag 0.
    ULONG allocationSize = neededSize;
    PVOID informationBuffer = ExAllocatePool(NonPagedPool ,allocationSize);
    if (!informationBuffer)
        goto QueryTry;

    // Second call with the real buffer. If it fails (e.g. the data grew
    // between the two calls) the buffer is released before retrying.
    NTSTATUS status = ZwQuerySystemInformation(SystemInfoClass, informationBuffer, neededSize, &neededSize);
    if (!NT_SUCCESS(status))
    {
        ExFreePoolWithTag(informationBuffer, 0);
        goto QueryTry;
    }

    *size = allocationSize;
    return informationBuffer;
}
42 |
43 |
// Looks up the image base of a loaded kernel module by file name.
//
// `name` is compared case-sensitively (strcmp) against the file-name part of
// each entry's FullPathName (OffsetToFileName skips the directory part).
// Returns the entry's ImageBase on a match, and 0 when the module list could
// not be obtained.
//
// NOTE(review): when no entry matches, the function frees the list and then
// falls off the end without a return statement, so the value the caller
// tests for 0 (DriverEntry) is indeterminate — undefined behavior.
UINT64 GetKernelModuleBase(const char* name)
{
    ULONG size = 0;
    PSYSTEM_MODULE_INFORMATION moduleInformation = (PSYSTEM_MODULE_INFORMATION)QuerySystemInformation(SystemModuleInformation, &size);

    if (!moduleInformation || !size)
        return 0;

    for (size_t i = 0; i < moduleInformation->Count; i++)
    {
        // FullPathName is UCHAR[256]; strcmp assumes the kernel NUL-terminated it.
        char* fileName = (char*)moduleInformation->Module[i].FullPathName + moduleInformation->Module[i].OffsetToFileName;
        if (!strcmp(fileName, name))
        {
            // Copy the value out before releasing the buffer it lives in.
            UINT64 imageBase = (UINT64)moduleInformation->Module[i].ImageBase;
            ExFreePoolWithTag(moduleInformation, 0);
            return imageBase;
        }
    }

    ExFreePoolWithTag(moduleInformation, 0);
}
65 |
66 |
--------------------------------------------------------------------------------
/KernelDrawing/Main.cpp:
--------------------------------------------------------------------------------
1 | #include "Drawing.h"
2 |
3 |
// Body of the system thread started from DriverEntry.
//
// It first records this thread's own identity — owning process, KTHREAD
// pointer and CLIENT_ID (read from the ETHREAD at cidOffset) — into the
// globals in Drawing.h so EndFrame can restore it after every frame. It then
// loops forever: BeginFrame / FrameRect / EndFrame, drawing a 3-pixel box at
// (100,100)-(200,200) with no delay between frames.
//
// NOTE: "¤tCid" is how the page rendered "&currentCid" (the "&curren"
// prefix was decoded as an HTML entity); the token is kept as-is here.
// NOTE(review): BeginFrame's bool result is ignored, so after a failed
// BeginFrame the loop still calls FrameRect and EndFrame with whatever hdc,
// brush and APC state were left from the previous frame.
// The PsTerminateSystemThread call after an unconditional `while (true)` is
// unreachable, and nothing ever asks this thread to stop.
void MainThread()
{
    Print("doin the thing");
    currentProcess = IoGetCurrentProcess();
    currentThread = KeGetCurrentThread();
    memcpy(¤tCid, (PVOID)((char*)currentThread + cidOffset), sizeof(CLIENT_ID));

    while (true)
    {
        BeginFrame();

        FrameRect({ 100, 100, 200, 200 }, 3);

        EndFrame();
    }

    PsTerminateSystemThread(STATUS_SUCCESS);
}
22 |
// Starts a system thread whose start routine is `entry`.
//
// PsCreateSystemThread is called with no desired-access mask, no object
// attributes, no process handle (so the thread belongs to the System
// process), no client-id out-parameter and a NULL start context. The handle
// is closed immediately because nothing waits on the thread; ZwClose's own
// status is not checked.
//
// Returns the PsCreateSystemThread status (logged on failure).
// NOTE(review): `entry` is a PVOID cast to PKSTART_ROUTINE; the only caller
// passes MainThread, whose parameterless signature does not match that
// prototype — the cast hides the mismatch from the compiler.
NTSTATUS CreateThread(PVOID entry)
{
    HANDLE threadHandle = NULL;
    NTSTATUS status = PsCreateSystemThread(&threadHandle, NULL, NULL, NULL, NULL, (PKSTART_ROUTINE)entry, NULL);

    if (!NT_SUCCESS(status))
    {
        Print("failed to create system thread, %x", status);
        return status;
    }

    ZwClose(threadHandle);
    return status;
}
37 |
// Driver entry point.
//
// Takes no DriverObject/RegistryPath, which fits the README's manual-mapping
// use; consequently nothing is registered — no device object and no
// DriverUnload — and the thread started below has no way to be stopped.
//
// Steps: locate win32kbase.sys and win32kfull.sys via GetKernelModuleBase,
// resolve the nine win32k routines by export name into the globals in Nt.h,
// refuse to start if any of them is missing, then spawn MainThread.
//
// Two of the lookups use a name that differs from the wrapper: the
// NtGdiSelectBrush slot is filled from "GreSelectBrush" and the
// NtGdiHfontCreate slot from "hfontCreate".
// `status` on the second line is never used, and CreateThread's result is
// ignored — a failed thread creation still reports STATUS_SUCCESS.
extern "C" NTSTATUS DriverEntry()
{
    Print("welcome");
    NTSTATUS status = STATUS_SUCCESS;


    PVOID win32kBase = (PVOID)GetKernelModuleBase("win32kbase.sys");
    PVOID win32kfullBase = (PVOID)GetKernelModuleBase("win32kfull.sys");

    if (!win32kBase || !win32kfullBase)
    {
        Print("Could not find kernel module bases");
        return STATUS_UNSUCCESSFUL;
    }

    NtUserGetDCPtr = RtlFindExportedRoutineByName(win32kBase, "NtUserGetDC");
    NtGdiPatBltPtr = RtlFindExportedRoutineByName(win32kfullBase, "NtGdiPatBlt");
    NtGdiSelectBrushPtr = RtlFindExportedRoutineByName(win32kBase, "GreSelectBrush");
    NtUserReleaseDCPtr = RtlFindExportedRoutineByName(win32kBase, "NtUserReleaseDC");
    NtGdiCreateSolidBrushPtr = RtlFindExportedRoutineByName(win32kfullBase, "NtGdiCreateSolidBrush");
    NtGdiDeleteObjectAppPtr = RtlFindExportedRoutineByName(win32kBase, "NtGdiDeleteObjectApp");
    NtGdiExtTextOutWPtr = RtlFindExportedRoutineByName(win32kfullBase, "NtGdiExtTextOutW");
    NtGdiHfontCreatePtr = RtlFindExportedRoutineByName(win32kfullBase, "hfontCreate");
    NtGdiSelectFontPtr = RtlFindExportedRoutineByName(win32kfullBase, "NtGdiSelectFont");


    // All nine must resolve; the inline wrappers in Nt.h call them unchecked.
    if (!NtUserGetDCPtr || !NtGdiPatBltPtr || !NtGdiSelectBrushPtr ||
        !NtUserReleaseDCPtr || !NtGdiCreateSolidBrushPtr || !NtGdiDeleteObjectAppPtr
        || !NtGdiExtTextOutWPtr || !NtGdiHfontCreatePtr || !NtGdiSelectFontPtr)
    {
        Print("Could not find kernel functions required for drawing");
        return STATUS_UNSUCCESSFUL;
    }

    Print("found everything");
    CreateThread(MainThread);

    return STATUS_SUCCESS;
}
77 |
--------------------------------------------------------------------------------
/KernelDrawing/CheatDriver.inf:
--------------------------------------------------------------------------------
1 | ;
2 | ; CheatDriver.inf
3 | ;
4 |
5 | [Version]
6 | Signature="$WINDOWS NT$"
7 | Class=Sample ; TODO: edit Class
8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
9 | Provider=%ManufacturerName%
10 | CatalogFile=CheatDriver.cat
11 | DriverVer= ; TODO: set DriverVer in stampinf property pages
12 | PnpLockDown=1
13 |
14 | [DestinationDirs]
15 | DefaultDestDir = 12
16 | CheatDriver_Device_CoInstaller_CopyFiles = 11
17 |
18 | ; ================= Class section =====================
19 |
20 | [ClassInstall32]
21 | Addreg=SampleClassReg
22 |
23 | [SampleClassReg]
24 | HKR,,,0,%ClassName%
25 | HKR,,Icon,,-5
26 |
27 | [SourceDisksNames]
28 | 1 = %DiskName%,,,""
29 |
30 | [SourceDisksFiles]
31 | CheatDriver.sys = 1,,
32 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
33 |
34 | ;*****************************************
35 | ; Install Section
36 | ;*****************************************
37 |
38 | [Manufacturer]
39 | %ManufacturerName%=Standard,NT$ARCH$
40 |
41 | [Standard.NT$ARCH$]
42 | %CheatDriver.DeviceDesc%=CheatDriver_Device, Root\CheatDriver ; TODO: edit hw-id
43 |
44 | [CheatDriver_Device.NT]
45 | CopyFiles=Drivers_Dir
46 |
47 | [Drivers_Dir]
48 | CheatDriver.sys
49 |
50 | ;-------------- Service installation
51 | [CheatDriver_Device.NT.Services]
52 | AddService = CheatDriver,%SPSVCINST_ASSOCSERVICE%, CheatDriver_Service_Inst
53 |
54 | ; -------------- CheatDriver driver install sections
55 | [CheatDriver_Service_Inst]
56 | DisplayName = %CheatDriver.SVCDESC%
57 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER
58 | StartType = 3 ; SERVICE_DEMAND_START
59 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL
60 | ServiceBinary = %12%\CheatDriver.sys
61 |
62 | ;
63 | ;--- CheatDriver_Device Coinstaller installation ------
64 | ;
65 |
66 | [CheatDriver_Device.NT.CoInstallers]
67 | AddReg=CheatDriver_Device_CoInstaller_AddReg
68 | CopyFiles=CheatDriver_Device_CoInstaller_CopyFiles
69 |
70 | [CheatDriver_Device_CoInstaller_AddReg]
71 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
72 |
73 | [CheatDriver_Device_CoInstaller_CopyFiles]
74 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
75 |
76 | [CheatDriver_Device.NT.Wdf]
77 | KmdfService = CheatDriver, CheatDriver_wdfsect
78 | [CheatDriver_wdfsect]
79 | KmdfLibraryVersion = $KMDFVERSION$
80 |
81 | [Strings]
82 | SPSVCINST_ASSOCSERVICE= 0x00000002
83 | ManufacturerName="" ;TODO: Replace with your manufacturer name
84 | ClassName="Samples" ; TODO: edit ClassName
85 | DiskName = "CheatDriver Installation Disk"
86 | CheatDriver.DeviceDesc = "CheatDriver Device"
87 | CheatDriver.SVCDESC = "CheatDriver Service"
88 |
--------------------------------------------------------------------------------
/KernelDrawing/Cheat Driver.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.32228.343
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Cheat Driver", "Cheat Driver.vcxproj", "{A6577777-B76A-4FCD-B672-8BC8DD9D6165}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|ARM = Debug|ARM
11 | Debug|ARM64 = Debug|ARM64
12 | Debug|x64 = Debug|x64
13 | Debug|x86 = Debug|x86
14 | Release|ARM = Release|ARM
15 | Release|ARM64 = Release|ARM64
16 | Release|x64 = Release|x64
17 | Release|x86 = Release|x86
18 | EndGlobalSection
19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Debug|ARM.ActiveCfg = Debug|ARM
21 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Debug|ARM.Build.0 = Debug|ARM
22 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Debug|ARM.Deploy.0 = Debug|ARM
23 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Debug|ARM64.ActiveCfg = Debug|ARM64
24 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Debug|ARM64.Build.0 = Debug|ARM64
25 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Debug|ARM64.Deploy.0 = Debug|ARM64
26 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Debug|x64.ActiveCfg = Debug|x64
27 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Debug|x64.Build.0 = Debug|x64
28 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Debug|x64.Deploy.0 = Debug|x64
29 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Debug|x86.ActiveCfg = Debug|Win32
30 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Debug|x86.Build.0 = Debug|Win32
31 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Debug|x86.Deploy.0 = Debug|Win32
32 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Release|ARM.ActiveCfg = Release|ARM
33 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Release|ARM.Build.0 = Release|ARM
34 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Release|ARM.Deploy.0 = Release|ARM
35 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Release|ARM64.ActiveCfg = Release|ARM64
36 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Release|ARM64.Build.0 = Release|ARM64
37 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Release|ARM64.Deploy.0 = Release|ARM64
38 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Release|x64.ActiveCfg = Release|x64
39 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Release|x64.Build.0 = Release|x64
40 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Release|x64.Deploy.0 = Release|x64
41 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Release|x86.ActiveCfg = Release|Win32
42 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Release|x86.Build.0 = Release|Win32
43 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}.Release|x86.Deploy.0 = Release|Win32
44 | EndGlobalSection
45 | GlobalSection(SolutionProperties) = preSolution
46 | HideSolutionNode = FALSE
47 | EndGlobalSection
48 | GlobalSection(ExtensibilityGlobals) = postSolution
49 | SolutionGuid = {7B1C978A-5DA8-4488-A191-881D7001FAD5}
50 | EndGlobalSection
51 | EndGlobal
52 |
--------------------------------------------------------------------------------
/KernelDrawing/Drawing.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "Misc.h"
3 |
// Scans thread IDs 1..0x2fff for a thread that (a) resolves through
// PsLookupThreadByThreadId, (b) is not terminating, (c) has a non-null
// Win32Thread at win32ThreadOffset in its thread object, and (d) belongs to
// a process whose ImageFileName is "explorer.exe".
//
// On a hit, stores that Win32Thread pointer in `*win32Thread` and returns the
// ETHREAD; returns 0 (leaving `*win32Thread` untouched) when the scan ends.
//
// NOTE(review): PsLookupThreadByThreadId returns a referenced object and no
// path here calls ObDereferenceObject — every successful lookup, whether
// skipped or returned, leaks a reference.
// NOTE(review): procName is a 15-byte copy of a UCHAR[15] field with no
// guaranteed terminator; strcmp reads until it finds one, so an image name
// that fills all 15 bytes makes the compare run past the end of procName.
PETHREAD GetValidWin32Thread(PVOID* win32Thread)
{
    int currentThreadId = 1;
    NTSTATUS status = STATUS_SUCCESS;
    do
    {
        PETHREAD currentEthread = 0;
        // "¤tEthread" is the page's rendering of "&currentEthread".
        status = PsLookupThreadByThreadId((HANDLE)currentThreadId, ¤tEthread);

        // `continue` in a do/while jumps to the loop condition, so each skip
        // path advances the ID itself first.
        if (!NT_SUCCESS(status) || !currentEthread)
        {
            currentThreadId++;
            continue;
        }

        if (PsIsThreadTerminating(currentEthread))
        {
            currentThreadId++;
            continue;
        }

        // Local `Win32Thread` differs from the parameter name only by case.
        PVOID Win32Thread;
        memcpy(&Win32Thread, (PVOID)((UINT64)currentEthread + win32ThreadOffset), sizeof(PVOID));

        if (Win32Thread)
        {
            PEPROCESS threadOwner = PsGetThreadProcess(currentEthread);
            char procName[15];
            memcpy(&procName, (PVOID)((UINT64)threadOwner + imageFileNameOffset), sizeof(procName));
            if (!strcmp(procName, "explorer.exe"))
            {
                *win32Thread = Win32Thread;
                return currentEthread;
            }
        }
        currentThreadId++;
    } while (0x3000 > currentThreadId);

    return 0;
}
44 |
// Overwrites three fields of the *current* thread's kernel object in place:
//   Win32Thread (win32ThreadOffset) <- newWin32Value
//   Process     (processOffset)     <- newProcess
//   Cid         (cidOffset)         <- newClientId
// BeginFrame uses it to take on a target thread's identity; EndFrame calls it
// again with the saved originals to put them back.
//
// These are raw memcpy writes at the hard-coded offsets from Nt.h, with no
// check that they match the running kernel build — on a build with a
// different layout the writes land on unrelated fields of the thread object.
// While the substitute values are in place the thread object disagrees with
// the thread's real owner and ID, an inconsistency that a kernel-object
// integrity check can observe.
inline void SpoofWin32Thread(PVOID newWin32Value, PEPROCESS newProcess, CLIENT_ID newClientId)
{
    PKTHREAD currentThread = KeGetCurrentThread();

    PVOID win32ThreadPtr = (PVOID)((char*)currentThread + win32ThreadOffset);
    memcpy(win32ThreadPtr, &newWin32Value, sizeof(PVOID));

    PVOID processPtr = (PVOID)((char*)currentThread + processOffset);
    memcpy(processPtr, &newProcess, sizeof(PEPROCESS));

    PVOID clientIdPtr = (PVOID)((char*)currentThread + cidOffset);
    memcpy(clientIdPtr, &newClientId, sizeof(CLIENT_ID));
}
58 |
// APC state saved by KeStackAttachProcess in BeginFrame and consumed by
// KeUnstackDetachProcess in EndFrame.
KAPC_STATE apc = { 0 };

// The drawing thread's own identity, captured in MainThread and written back
// by EndFrame after every frame (see SpoofWin32Thread).
// currentWin32Thread is never assigned anywhere on this page, so EndFrame
// restores the Win32Thread field to 0 rather than to a saved value.
PVOID currentWin32Thread = 0;
PEPROCESS currentProcess = 0;
PETHREAD currentThread = 0;
CLIENT_ID currentCid = { 0 };

// Per-frame GDI handles: acquired in BeginFrame, used by FrameRect, released
// in EndFrame. No explicit initializer; zero by static-storage rules.
HDC hdc;
HBRUSH brush;
68 |
// Sets up one frame: finds an explorer.exe thread with a Win32Thread,
// attaches to that thread's process (KeStackAttachProcess), takes on its
// Win32Thread/Process/Cid via SpoofWin32Thread, then obtains a DC with
// NtUserGetDC(0) and creates a solid red brush. hdc and brush are left in
// the globals for FrameRect and EndFrame.
//
// Returns false when no suitable thread, no DC or no brush could be obtained.
// NOTE(review): there is no `return true` at the end — the success path falls
// off the end of a bool function (UB; MainThread ignores the value anyway).
// NOTE(review): the two failure returns after the attach leave the process
// attached and the thread fields spoofed; only EndFrame undoes that, and it
// runs regardless because the caller does not check the result.
bool BeginFrame()
{
    PVOID targetWin32Thread = 0;
    PETHREAD targetThread = GetValidWin32Thread(&targetWin32Thread);
    if (!targetWin32Thread || !targetThread)
    {
        Print("failed to find win32thread");
        return false;
    }
    PEPROCESS targetProcess = PsGetThreadProcess(targetThread);

    // Copy the target's CLIENT_ID out of its ETHREAD.
    CLIENT_ID targetCid = { 0 };
    memcpy(&targetCid, (PVOID)((char*)targetThread + cidOffset), sizeof(CLIENT_ID));

    KeStackAttachProcess(targetProcess, &apc);
    SpoofWin32Thread(targetWin32Thread, targetProcess, targetCid);



    // NtUserGetDC(0): a DC for the whole screen, as with user-mode GetDC(NULL).
    hdc = NtUserGetDC(0);
    if (!hdc)
    {
        Print("failed to get userdc");
        return false;
    }

    brush = NtGdiCreateSolidBrush(RGB(255, 0, 0), NULL);
    if (!brush)
    {
        Print("failed create brush");
        NtUserReleaseDC(hdc);
        return false;
    }
}
103 |
// Tears down the frame set up by BeginFrame, in reverse order: delete the
// brush and release the DC while still carrying the target identity, then
// restore this thread's saved Win32Thread/Process/Cid and detach from the
// target process.
//
// Assumes BeginFrame succeeded: nothing guards against a stale hdc/brush or
// a detach with no matching attach. currentWin32Thread is never set, so the
// Win32Thread field is restored to 0.
void EndFrame()
{
    NtGdiDeleteObjectApp(brush);
    NtUserReleaseDC(hdc);

    SpoofWin32Thread(currentWin32Thread, currentProcess, currentCid);
    KeUnstackDetachProcess(&apc);
}
112 |
113 |
// Draws the outline of `rect` on the global hdc with the global brush.
//
// The outline is four PatBlt fills (PATCOPY = paint with the brush): left
// edge, right edge, top edge, bottom edge, each `thickness` pixels wide or
// tall. The bars overlap at the corners, which is harmless for a solid brush.
// RECT fields are (left, top, right, bottom).
//
// Returns 1 after drawing, 0 if the brush could not be selected. The PatBlt
// results are not checked. The previously selected brush is restored before
// returning.
INT FrameRect(RECT rect, int thickness)
{
    HBRUSH oldBrush = NtGdiSelectBrush(hdc, brush);
    if (!oldBrush)
    {
        Print("failed to get brush");
        return 0;
    }


    NtGdiPatBlt(hdc, rect.left, rect.top, thickness, rect.bottom - rect.top, PATCOPY);                // left edge
    NtGdiPatBlt(hdc, rect.right - thickness, rect.top, thickness, rect.bottom - rect.top, PATCOPY);   // right edge
    NtGdiPatBlt(hdc, rect.left, rect.top, rect.right - rect.left, thickness, PATCOPY);                // top edge
    NtGdiPatBlt(hdc, rect.left, rect.bottom - thickness, rect.right - rect.left, thickness, PATCOPY); // bottom edge

    NtGdiSelectBrush(hdc, oldBrush);
    return 1;
}
--------------------------------------------------------------------------------
/KernelDrawing/Nt.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 | #include
5 |
// Debug-output helper: DbgPrint with a fixed "[s11]: " prefix.
// `fmt` must be a string literal (it is concatenated with the prefix), and
// `##__VA_ARGS__` swallows the comma when no arguments follow — a compiler
// extension rather than standard C++.
#define Print(fmt, ...) DbgPrint("[s11]: " fmt, ##__VA_ARGS__)
7 |
// Structure offsets hard-coded for one Windows build (21H1 per the README).
// They are defined — not just declared — in this header, as mutable globals.
// SpoofWin32Thread writes through the first three; GetValidWin32Thread,
// MainThread and BeginFrame read through them. Nothing checks them against
// the running kernel, so a wrong value means reading and writing whatever
// happens to sit at that offset.

//_KTHREAD stuff for drawing
ULONG processOffset = 0x220; //_KTHREAD->_KPROCESS* Process;
ULONG win32ThreadOffset = 0x1c8; //_KTHREAD->VOID* volatile Win32Thread

//_ETHREAD stuff for drawing
ULONG cidOffset = 0x478; //_ETHREAD->_CLIENT_ID Cid;

//EPROC stuff for find eproc by name
ULONG imageFileNameOffset = 0x5a8; //_PEPROCESS->UCHAR ImageFileName[15];

// Type of NtGdiHfontCreate's `lft` parameter.
typedef DWORD LFTYPE;
19 |
// Prototypes for kernel exports this project needs but which its included
// headers are presumably not providing — hence the manual C-linkage
// declarations.
extern "C"
{
    // Takes the class as ULONG; callers pass the SYSTEM_INFORMATION_CLASS
    // enum below, which converts implicitly.
    NTSTATUS NTAPI ZwQuerySystemInformation(ULONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
    // Export lookup by name; DriverEntry applies it to win32kbase/win32kfull.
    NTKERNELAPI PVOID NTAPI RtlFindExportedRoutineByName(PVOID ImageBase, PCCH RoutineNam);
    // Declared but not called by any file on this page.
    NTKERNELAPI PVOID NTAPI PsGetCurrentThreadWin32Thread(VOID);
}
26 |
27 |
// A prefix of the SYSTEM_INFORMATION_CLASS enumeration, numbered 0..11 in
// declaration order. Only SystemModuleInformation (11) is used here, by
// GetKernelModuleBase.
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemPathInformation,
    SystemProcessInformation,
    SystemCallCountInformation,
    SystemDeviceInformation,
    SystemProcessorPerformanceInformation,
    SystemFlagsInformation,
    SystemCallTimeInformation,
    SystemModuleInformation,
} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;
43 |
44 |
// One loaded-module record as returned for SystemModuleInformation (same
// layout as RTL_PROCESS_MODULE_INFORMATION). FullPathName holds the module
// path and OffsetToFileName is the index of its file-name part.
// GetKernelModuleBase reads ImageBase, OffsetToFileName and FullPathName;
// the other fields are unused on this page.
typedef struct _SYSTEM_MODULE_ENTRY {
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBase;
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR FullPathName[256];
} SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;
57 |
// Header of the SystemModuleInformation buffer: Count entries follow.
// Module[1] is the old-style trailing-array idiom — the buffer actually
// holds Count elements and indexing past [0] is intended (see
// GetKernelModuleBase's loop).
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Count;
    SYSTEM_MODULE_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
62 |
63 |
// Raw addresses of the win32k routines, all 0 until DriverEntry resolves them
// by export name (it refuses to start if any stays 0). The inline wrappers
// below cast and call them without re-checking.
// Two slots are filled from differently named exports: NtGdiSelectBrushPtr
// from "GreSelectBrush" and NtGdiHfontCreatePtr from "hfontCreate".
// The last three are resolved but never called by any file on this page.
PVOID NtUserGetDCPtr = 0;
PVOID NtGdiSelectBrushPtr = 0;
PVOID NtGdiPatBltPtr = 0;
PVOID NtUserReleaseDCPtr = 0;
PVOID NtGdiCreateSolidBrushPtr = 0;
PVOID NtGdiDeleteObjectAppPtr = 0;
PVOID NtGdiExtTextOutWPtr = 0;
PVOID NtGdiHfontCreatePtr = 0;
PVOID NtGdiSelectFontPtr = 0;
73 |
// Forwards to the resolved NtUserGetDC. BeginFrame passes 0 for the
// whole-screen DC.
// NOTE: the reinterpret_cast<...> template argument was lost in page
// extraction; presumably a function-pointer type matching this signature.
inline HDC NtUserGetDC(HWND hwnd)
{
    auto fn = reinterpret_cast(NtUserGetDCPtr);
    return fn(hwnd);
}
79 |
// Forwards to the routine resolved from "GreSelectBrush"; returns the
// previously selected brush (FrameRect uses 0 as the failure value).
// NOTE: the reinterpret_cast<...> template argument was lost in page
// extraction; presumably a function-pointer type matching this signature.
inline HBRUSH NtGdiSelectBrush(HDC hdc, HBRUSH hbrush)
{
    auto fn = reinterpret_cast(NtGdiSelectBrushPtr);
    return fn(hdc, hbrush);
}
85 |
// Forwards to the resolved NtGdiPatBlt: fills the cx-by-cy rectangle at
// (x, y) with the selected brush according to raster op dwRop (FrameRect
// uses PATCOPY). The BOOL result is ignored by the caller on this page.
// NOTE: the reinterpret_cast<...> template argument was lost in page
// extraction; presumably a function-pointer type matching this signature.
inline BOOL NtGdiPatBlt(HDC hdcDest, INT x, INT y, INT cx, INT cy, DWORD dwRop)
{
    auto fn = reinterpret_cast(NtGdiPatBltPtr);
    return fn(hdcDest, x, y, cx, cy, dwRop);
}
91 |
// Forwards to the resolved NtUserReleaseDC; counterpart of NtUserGetDC.
// NOTE: the reinterpret_cast<...> template argument was lost in page
// extraction; presumably a function-pointer type matching this signature.
inline int NtUserReleaseDC(HDC hdc)
{
    auto fn = reinterpret_cast(NtUserReleaseDCPtr);
    return fn(hdc);
}
97 |
// Forwards to the resolved NtGdiCreateSolidBrush; BeginFrame passes a red
// COLORREF and NULL for `hbr`. Returns 0 on failure.
// NOTE: the reinterpret_cast<...> template argument was lost in page
// extraction; presumably a function-pointer type matching this signature.
inline HBRUSH NtGdiCreateSolidBrush(COLORREF cr, HBRUSH hbr)
{
    auto fn = reinterpret_cast(NtGdiCreateSolidBrushPtr);
    return fn(cr, hbr);
}
103 |
// Forwards to the resolved NtGdiDeleteObjectApp; EndFrame uses it to free
// the per-frame brush.
// NOTE: the reinterpret_cast<...> template argument was lost in page
// extraction; presumably a function-pointer type matching this signature.
inline BOOL NtGdiDeleteObjectApp(HANDLE hobj)
{
    auto fn = reinterpret_cast(NtGdiDeleteObjectAppPtr);
    return fn(hobj);
}
109 |
// Forwards to the resolved NtGdiExtTextOutW. Resolved in DriverEntry but
// not called by any file on this page.
// NOTE: the reinterpret_cast<...> template argument was lost in page
// extraction; presumably a function-pointer type matching this signature.
inline BOOL NtGdiExtTextOutW(HDC hDC, INT XStart, INT YStart, UINT fuOptions, LPRECT UnsafeRect, LPWSTR UnsafeString, INT Count, LPINT UnsafeDx, DWORD dwCodePage)
{
    auto fn = reinterpret_cast(NtGdiExtTextOutWPtr);
    return fn(hDC, XStart, YStart, fuOptions, UnsafeRect, UnsafeString, Count, UnsafeDx, dwCodePage);
}
115 |
// Forwards to the routine resolved from "hfontCreate". Resolved in
// DriverEntry but not called by any file on this page. `lft` is the LFTYPE
// alias for DWORD declared above.
// NOTE: the reinterpret_cast<...> template argument was lost in page
// extraction; presumably a function-pointer type matching this signature.
inline HFONT NtGdiHfontCreate(PENUMLOGFONTEXDVW pelfw, ULONG cjElfw, LFTYPE lft, FLONG fl, PVOID pvCliData)
{
    auto fn = reinterpret_cast(NtGdiHfontCreatePtr);
    return fn(pelfw, cjElfw, lft, fl, pvCliData);
}
121 |
// Forwards to the resolved NtGdiSelectFont. Resolved in DriverEntry but not
// called by any file on this page.
// NOTE: the reinterpret_cast<...> template argument was lost in page
// extraction; presumably a function-pointer type matching this signature.
inline HFONT NtGdiSelectFont(HDC hdc, HFONT hfont)
{
    auto fn = reinterpret_cast(NtGdiSelectFontPtr);
    return fn(hdc, hfont);
}
127 |
128 |
129 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Aa][Rr][Mm]/
27 | [Aa][Rr][Mm]64/
28 | bld/
29 | [Bb]in/
30 | [Oo]bj/
31 | [Ll]og/
32 | [Ll]ogs/
33 |
34 | # Visual Studio 2015/2017 cache/options directory
35 | .vs/
36 | # Uncomment if you have tasks that create the project's static files in wwwroot
37 | #wwwroot/
38 |
39 | # Visual Studio 2017 auto generated files
40 | Generated\ Files/
41 |
42 | # MSTest test Results
43 | [Tt]est[Rr]esult*/
44 | [Bb]uild[Ll]og.*
45 |
46 | # NUnit
47 | *.VisualState.xml
48 | TestResult.xml
49 | nunit-*.xml
50 |
51 | # Build Results of an ATL Project
52 | [Dd]ebugPS/
53 | [Rr]eleasePS/
54 | dlldata.c
55 |
56 | # Benchmark Results
57 | BenchmarkDotNet.Artifacts/
58 |
59 | # .NET Core
60 | project.lock.json
61 | project.fragment.lock.json
62 | artifacts/
63 |
64 | # StyleCop
65 | StyleCopReport.xml
66 |
67 | # Files built by Visual Studio
68 | *_i.c
69 | *_p.c
70 | *_h.h
71 | *.ilk
72 | *.meta
73 | *.obj
74 | *.iobj
75 | *.pch
76 | *.pdb
77 | *.ipdb
78 | *.pgc
79 | *.pgd
80 | *.rsp
81 | *.sbr
82 | *.tlb
83 | *.tli
84 | *.tlh
85 | *.tmp
86 | *.tmp_proj
87 | *_wpftmp.csproj
88 | *.log
89 | *.vspscc
90 | *.vssscc
91 | .builds
92 | *.pidb
93 | *.svclog
94 | *.scc
95 |
96 | # Chutzpah Test files
97 | _Chutzpah*
98 |
99 | # Visual C++ cache files
100 | ipch/
101 | *.aps
102 | *.ncb
103 | *.opendb
104 | *.opensdf
105 | *.sdf
106 | *.cachefile
107 | *.VC.db
108 | *.VC.VC.opendb
109 |
110 | # Visual Studio profiler
111 | *.psess
112 | *.vsp
113 | *.vspx
114 | *.sap
115 |
116 | # Visual Studio Trace Files
117 | *.e2e
118 |
119 | # TFS 2012 Local Workspace
120 | $tf/
121 |
122 | # Guidance Automation Toolkit
123 | *.gpState
124 |
125 | # ReSharper is a .NET coding add-in
126 | _ReSharper*/
127 | *.[Rr]e[Ss]harper
128 | *.DotSettings.user
129 |
130 | # TeamCity is a build add-in
131 | _TeamCity*
132 |
133 | # DotCover is a Code Coverage Tool
134 | *.dotCover
135 |
136 | # AxoCover is a Code Coverage Tool
137 | .axoCover/*
138 | !.axoCover/settings.json
139 |
140 | # Visual Studio code coverage results
141 | *.coverage
142 | *.coveragexml
143 |
144 | # NCrunch
145 | _NCrunch_*
146 | .*crunch*.local.xml
147 | nCrunchTemp_*
148 |
149 | # MightyMoose
150 | *.mm.*
151 | AutoTest.Net/
152 |
153 | # Web workbench (sass)
154 | .sass-cache/
155 |
156 | # Installshield output folder
157 | [Ee]xpress/
158 |
159 | # DocProject is a documentation generator add-in
160 | DocProject/buildhelp/
161 | DocProject/Help/*.HxT
162 | DocProject/Help/*.HxC
163 | DocProject/Help/*.hhc
164 | DocProject/Help/*.hhk
165 | DocProject/Help/*.hhp
166 | DocProject/Help/Html2
167 | DocProject/Help/html
168 |
169 | # Click-Once directory
170 | publish/
171 |
172 | # Publish Web Output
173 | *.[Pp]ublish.xml
174 | *.azurePubxml
175 | # Note: Comment the next line if you want to checkin your web deploy settings,
176 | # but database connection strings (with potential passwords) will be unencrypted
177 | *.pubxml
178 | *.publishproj
179 |
180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
181 | # checkin your Azure Web App publish settings, but sensitive information contained
182 | # in these scripts will be unencrypted
183 | PublishScripts/
184 |
185 | # NuGet Packages
186 | *.nupkg
187 | # NuGet Symbol Packages
188 | *.snupkg
189 | # The packages folder can be ignored because of Package Restore
190 | **/[Pp]ackages/*
191 | # except build/, which is used as an MSBuild target.
192 | !**/[Pp]ackages/build/
193 | # Uncomment if necessary however generally it will be regenerated when needed
194 | #!**/[Pp]ackages/repositories.config
195 | # NuGet v3's project.json files produces more ignorable files
196 | *.nuget.props
197 | *.nuget.targets
198 |
199 | # Microsoft Azure Build Output
200 | csx/
201 | *.build.csdef
202 |
203 | # Microsoft Azure Emulator
204 | ecf/
205 | rcf/
206 |
207 | # Windows Store app package directories and files
208 | AppPackages/
209 | BundleArtifacts/
210 | Package.StoreAssociation.xml
211 | _pkginfo.txt
212 | *.appx
213 | *.appxbundle
214 | *.appxupload
215 |
216 | # Visual Studio cache files
217 | # files ending in .cache can be ignored
218 | *.[Cc]ache
219 | # but keep track of directories ending in .cache
220 | !?*.[Cc]ache/
221 |
222 | # Others
223 | ClientBin/
224 | ~$*
225 | *~
226 | *.dbmdl
227 | *.dbproj.schemaview
228 | *.jfm
229 | *.pfx
230 | *.publishsettings
231 | orleans.codegen.cs
232 |
233 | # Including strong name files can present a security risk
234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
235 | #*.snk
236 |
237 | # Since there are multiple workflows, uncomment next line to ignore bower_components
238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
239 | #bower_components/
240 |
241 | # RIA/Silverlight projects
242 | Generated_Code/
243 |
244 | # Backup & report files from converting an old project file
245 | # to a newer Visual Studio version. Backup files are not needed,
246 | # because we have git ;-)
247 | _UpgradeReport_Files/
248 | Backup*/
249 | UpgradeLog*.XML
250 | UpgradeLog*.htm
251 | ServiceFabricBackup/
252 | *.rptproj.bak
253 |
254 | # SQL Server files
255 | *.mdf
256 | *.ldf
257 | *.ndf
258 |
259 | # Business Intelligence projects
260 | *.rdl.data
261 | *.bim.layout
262 | *.bim_*.settings
263 | *.rptproj.rsuser
264 | *- [Bb]ackup.rdl
265 | *- [Bb]ackup ([0-9]).rdl
266 | *- [Bb]ackup ([0-9][0-9]).rdl
267 |
268 | # Microsoft Fakes
269 | FakesAssemblies/
270 |
271 | # GhostDoc plugin setting file
272 | *.GhostDoc.xml
273 |
274 | # Node.js Tools for Visual Studio
275 | .ntvs_analysis.dat
276 | node_modules/
277 |
278 | # Visual Studio 6 build log
279 | *.plg
280 |
281 | # Visual Studio 6 workspace options file
282 | *.opt
283 |
284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
285 | *.vbw
286 |
287 | # Visual Studio LightSwitch build output
288 | **/*.HTMLClient/GeneratedArtifacts
289 | **/*.DesktopClient/GeneratedArtifacts
290 | **/*.DesktopClient/ModelManifest.xml
291 | **/*.Server/GeneratedArtifacts
292 | **/*.Server/ModelManifest.xml
293 | _Pvt_Extensions
294 |
295 | # Paket dependency manager
296 | .paket/paket.exe
297 | paket-files/
298 |
299 | # FAKE - F# Make
300 | .fake/
301 |
302 | # CodeRush personal settings
303 | .cr/personal
304 |
305 | # Python Tools for Visual Studio (PTVS)
306 | __pycache__/
307 | *.pyc
308 |
309 | # Cake - Uncomment if you are using it
310 | # tools/**
311 | # !tools/packages.config
312 |
313 | # Tabs Studio
314 | *.tss
315 |
316 | # Telerik's JustMock configuration file
317 | *.jmconfig
318 |
319 | # BizTalk build output
320 | *.btp.cs
321 | *.btm.cs
322 | *.odx.cs
323 | *.xsd.cs
324 |
325 | # OpenCover UI analysis results
326 | OpenCover/
327 |
328 | # Azure Stream Analytics local run output
329 | ASALocalRun/
330 |
331 | # MSBuild Binary and Structured Log
332 | *.binlog
333 |
334 | # NVidia Nsight GPU debugger configuration file
335 | *.nvuser
336 |
337 | # MFractors (Xamarin productivity tool) working folder
338 | .mfractor/
339 |
340 | # Local History for Visual Studio
341 | .localhistory/
342 |
343 | # BeatPulse healthcheck temp database
344 | healthchecksdb
345 |
346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
347 | MigrationBackup/
348 |
349 | # Ionide (cross platform F# VS Code tools) working folder
350 | .ionide/
351 |
--------------------------------------------------------------------------------
/KernelDrawing/Cheat Driver.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 | Debug
22 | ARM
23 |
24 |
25 | Release
26 | ARM
27 |
28 |
29 | Debug
30 | ARM64
31 |
32 |
33 | Release
34 | ARM64
35 |
36 |
37 |
38 | {A6577777-B76A-4FCD-B672-8BC8DD9D6165}
39 | {1bc93793-694f-48fe-9372-81e2b05556fd}
40 | v4.5
41 | 12.0
42 | Debug
43 | Win32
44 | Cheat_Driver
45 | $(LatestTargetPlatformVersion)
46 |
47 |
48 |
49 | Windows10
50 | true
51 | WindowsKernelModeDriver10.0
52 | Driver
53 | KMDF
54 | Universal
55 |
56 |
57 | Windows10
58 | false
59 | WindowsKernelModeDriver10.0
60 | Driver
61 | KMDF
62 | Universal
63 |
64 |
65 | Windows10
66 | true
67 | WindowsKernelModeDriver10.0
68 | Driver
69 | KMDF
70 | Universal
71 | MultiByte
72 | Spectre
73 | 1
74 |
75 |
76 | Windows10
77 | false
78 | WindowsKernelModeDriver10.0
79 | Driver
80 | KMDF
81 | Universal
82 | MultiByte
83 | Spectre
84 | 1
85 |
86 |
87 | Windows10
88 | true
89 | WindowsKernelModeDriver10.0
90 | Driver
91 | KMDF
92 | Universal
93 |
94 |
95 | Windows10
96 | false
97 | WindowsKernelModeDriver10.0
98 | Driver
99 | KMDF
100 | Universal
101 |
102 |
103 | Windows10
104 | true
105 | WindowsKernelModeDriver10.0
106 | Driver
107 | KMDF
108 | Universal
109 |
110 |
111 | Windows10
112 | false
113 | WindowsKernelModeDriver10.0
114 | Driver
115 | KMDF
116 | Universal
117 |
118 |
119 |
120 |
121 |
122 |
123 |
124 |
125 |
126 |
127 |
128 | DbgengKernelDebugger
129 |
130 |
131 | DbgengKernelDebugger
132 |
133 |
134 | DbgengKernelDebugger
135 | false
136 |
137 |
138 | DbgengKernelDebugger
139 | false
140 |
141 |
142 | DbgengKernelDebugger
143 |
144 |
145 | DbgengKernelDebugger
146 |
147 |
148 | DbgengKernelDebugger
149 |
150 |
151 | DbgengKernelDebugger
152 |
153 |
154 |
155 | stdcpp20
156 | false
157 |
158 |
159 | DriverEntry
160 |
161 |
162 |
163 |
164 | stdcpp20
165 | false
166 |
167 |
168 | DriverEntry
169 |
170 |
171 |
172 |
173 |
174 |
175 |
176 |
177 |
178 |
179 |
180 |
181 |
182 |
183 |
184 |
185 |
186 |
187 |
188 |
189 |
--------------------------------------------------------------------------------