├── .gitignore
├── CECheater.sln
├── CECheater
├── CECheater.vcxproj
├── DBKControl.cpp
├── DBKControl.h
├── IOCtlCode.h
├── MemLoadDriver.cpp
├── MemLoadDriver.h
├── common.cpp
├── common.h
├── dllmain.cpp
└── export.h
├── MyDriver
├── DriverEntry.cpp
└── MyDriver.vcxproj
├── README.md
└── bin64.7z
/.gitignore:
--------------------------------------------------------------------------------
1 | .vs
2 | *.vcxproj.user
3 | *.suo
4 | *.aps
5 | *.sdf
6 | *.dir
7 | *.log
8 | *.ilk
9 | *.exp
10 | *.opensdf
11 | *.tlog
12 | *.pdb
13 |
14 | x64
15 | bin64
--------------------------------------------------------------------------------
/CECheater.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.5.33627.172
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CECheater", "CECheater\CECheater.vcxproj", "{DA32C6D1-795C-43C5-BD42-B0C383ADBEAD}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MyDriver", "MyDriver\MyDriver.vcxproj", "{3D7E3991-FB02-415C-A9FC-52F812901B8B}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|ARM64 = Debug|ARM64
13 | Debug|x64 = Debug|x64
14 | Debug|x86 = Debug|x86
15 | Release|ARM64 = Release|ARM64
16 | Release|x64 = Release|x64
17 | Release|x86 = Release|x86
18 | EndGlobalSection
19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | {DA32C6D1-795C-43C5-BD42-B0C383ADBEAD}.Debug|ARM64.ActiveCfg = Debug|x64
21 | {DA32C6D1-795C-43C5-BD42-B0C383ADBEAD}.Debug|ARM64.Build.0 = Debug|x64
22 | {DA32C6D1-795C-43C5-BD42-B0C383ADBEAD}.Debug|x64.ActiveCfg = Debug|x64
23 | {DA32C6D1-795C-43C5-BD42-B0C383ADBEAD}.Debug|x64.Build.0 = Debug|x64
24 | {DA32C6D1-795C-43C5-BD42-B0C383ADBEAD}.Debug|x86.ActiveCfg = Debug|Win32
25 | {DA32C6D1-795C-43C5-BD42-B0C383ADBEAD}.Debug|x86.Build.0 = Debug|Win32
26 | {DA32C6D1-795C-43C5-BD42-B0C383ADBEAD}.Release|ARM64.ActiveCfg = Release|x64
27 | {DA32C6D1-795C-43C5-BD42-B0C383ADBEAD}.Release|ARM64.Build.0 = Release|x64
28 | {DA32C6D1-795C-43C5-BD42-B0C383ADBEAD}.Release|x64.ActiveCfg = Release|x64
29 | {DA32C6D1-795C-43C5-BD42-B0C383ADBEAD}.Release|x64.Build.0 = Release|x64
30 | {DA32C6D1-795C-43C5-BD42-B0C383ADBEAD}.Release|x86.ActiveCfg = Release|Win32
31 | {DA32C6D1-795C-43C5-BD42-B0C383ADBEAD}.Release|x86.Build.0 = Release|Win32
32 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Debug|ARM64.ActiveCfg = Debug|ARM64
33 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Debug|ARM64.Build.0 = Debug|ARM64
34 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Debug|ARM64.Deploy.0 = Debug|ARM64
35 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Debug|x64.ActiveCfg = Debug|x64
36 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Debug|x64.Build.0 = Debug|x64
37 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Debug|x64.Deploy.0 = Debug|x64
38 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Debug|x86.ActiveCfg = Debug|x64
39 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Debug|x86.Build.0 = Debug|x64
40 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Debug|x86.Deploy.0 = Debug|x64
41 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Release|ARM64.ActiveCfg = Release|ARM64
42 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Release|ARM64.Build.0 = Release|ARM64
43 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Release|ARM64.Deploy.0 = Release|ARM64
44 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Release|x64.ActiveCfg = Release|x64
45 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Release|x64.Build.0 = Release|x64
46 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Release|x64.Deploy.0 = Release|x64
47 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Release|x86.ActiveCfg = Release|x64
48 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Release|x86.Build.0 = Release|x64
49 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}.Release|x86.Deploy.0 = Release|x64
50 | EndGlobalSection
51 | GlobalSection(SolutionProperties) = preSolution
52 | HideSolutionNode = FALSE
53 | EndGlobalSection
54 | GlobalSection(ExtensibilityGlobals) = postSolution
55 | SolutionGuid = {D3138DA5-6957-4616-A6AF-C8EE6BD5390A}
56 | EndGlobalSection
57 | EndGlobal
58 |
--------------------------------------------------------------------------------
/CECheater/CECheater.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {da32c6d1-795c-43c5-bd42-b0c383adbead}
25 | CECheater
26 | 10.0
27 |
28 |
29 |
30 | DynamicLibrary
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | DynamicLibrary
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | DynamicLibrary
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | DynamicLibrary
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | lua53-64
75 |
76 |
77 | lua53-64
78 |
79 |
80 | lua53-32
81 | $(SolutionDir)$(Platform)\$(Configuration)\
82 | $(Platform)\$(Configuration)\
83 |
84 |
85 | lua53-32
86 | $(SolutionDir)$(Platform)\$(Configuration)\
87 | $(Platform)\$(Configuration)\
88 |
89 |
90 |
91 | TurnOffAllWarnings
92 | true
93 | WIN32;_DEBUG;CECHEATER_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
94 | true
95 | NotUsing
96 | pch.h
97 | MultiThreadedDebug
98 | stdcpp17
99 |
100 |
101 | Windows
102 | true
103 | false
104 |
105 |
106 |
107 |
108 | TurnOffAllWarnings
109 | true
110 | true
111 | true
112 | WIN32;NDEBUG;CECHEATER_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
113 | true
114 | NotUsing
115 | pch.h
116 | MultiThreaded
117 | stdcpp17
118 |
119 |
120 | Windows
121 | true
122 | true
123 | true
124 | false
125 |
126 |
127 |
128 |
129 | TurnOffAllWarnings
130 | true
131 | _DEBUG;CECHEATER_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
132 | true
133 | NotUsing
134 | pch.h
135 | MultiThreadedDebug
136 | stdcpp17
137 |
138 |
139 | Windows
140 | true
141 | false
142 |
143 |
144 |
145 |
146 | TurnOffAllWarnings
147 | true
148 | true
149 | true
150 | NDEBUG;CECHEATER_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
151 | true
152 | NotUsing
153 | pch.h
154 | MultiThreaded
155 | stdcpp17
156 |
157 |
158 | Windows
159 | true
160 | true
161 | true
162 | false
163 |
164 |
165 |
166 |
167 |
168 |
169 |
170 |
171 |
172 |
173 |
174 |
175 |
176 |
177 |
178 |
179 |
180 |
181 |
--------------------------------------------------------------------------------
/CECheater/DBKControl.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TechForBad/CECheater/5e12339178792396ed4394a59de1fe9e983ef4d6/CECheater/DBKControl.cpp
--------------------------------------------------------------------------------
/CECheater/DBKControl.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TechForBad/CECheater/5e12339178792396ed4394a59de1fe9e983ef4d6/CECheater/DBKControl.h
--------------------------------------------------------------------------------
/CECheater/IOCtlCode.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
// Local copies of the I/O control code helpers, so that this user-mode DLL can
// build control codes without pulling in the driver-kit headers.
// NOTE(review): the names and values look like the Windows SDK/WDK ones; confirm
// they stay in sync if the real headers are ever included alongside this file.
#define FILE_DEVICE_UNKNOWN 0x00000022

// Packs a control code into one integer: DeviceType shifted left by 16,
// Access by 14, Function by 2, and Method in the low bits. The macro does no
// masking, so out-of-range arguments spill into the neighbouring field.
#define CTL_CODE( DeviceType, Function, Method, Access ) ( \
((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \
)

// Values for the Method field (how buffers are passed to the driver).
#define METHOD_BUFFERED 0
#define METHOD_IN_DIRECT 1
#define METHOD_OUT_DIRECT 2
#define METHOD_NEITHER 3

// Values for the Access field; READ and WRITE are bit flags and may be OR-ed.
#define FILE_ANY_ACCESS 0
#define FILE_SPECIAL_ACCESS (FILE_ANY_ACCESS)
#define FILE_READ_ACCESS ( 0x0001 ) // file & pipe
#define FILE_WRITE_ACCESS ( 0x0002 ) // file & pipe

// Device type used by every IOCTL_CE_* code in this header.
#define IOCTL_UNKNOWN_BASE FILE_DEVICE_UNKNOWN
20 |
// Control codes for the DBK driver interface that this project drives.
// NOTE(review): the IOCTL_CE_ prefix and the layout of the table presumably
// mirror Cheat Engine's own driver header - confirm against upstream.
// Every entry in this header uses FILE_DEVICE_UNKNOWN, METHOD_BUFFERED and
// read+write access, with function numbers counting up from 0x0800, so the
// resulting values start at 0x0022E000 (IOCTL_CE_READMEMORY) and advance in
// steps of 4.
// Defender note: going by the names alone, the table covers virtual and
// physical memory read/write, control-register and MSR access, and kernel
// code execution. A device that accepts such requests from user mode hands
// its caller kernel-level control, which is why driver block lists and
// IOCTL-level telemetry for this kind of driver matter.
#define IOCTL_CE_READMEMORY CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0800, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
#define IOCTL_CE_WRITEMEMORY CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0801, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
#define IOCTL_CE_OPENPROCESS CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0802, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
#define IOCTL_CE_QUERY_VIRTUAL_MEMORY CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0803, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
#define IOCTL_CE_TEST CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0804, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
#define IOCTL_CE_GETPEPROCESS CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0805, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
#define IOCTL_CE_READPHYSICALMEMORY CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0806, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
#define IOCTL_CE_WRITEPHYSICALMEMORY CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0807, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
#define IOCTL_CE_GETPHYSICALADDRESS CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0808, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
30 | //#define IOCTL_CE_PROTECTME CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0809, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
31 | #define IOCTL_CE_GETCR3 CTL_CODE(IOCTL_UNKNOWN_BASE, 0x080a, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
32 | #define IOCTL_CE_SETCR3 CTL_CODE(IOCTL_UNKNOWN_BASE, 0x080b, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
33 | #define IOCTL_CE_GETSDT CTL_CODE(IOCTL_UNKNOWN_BASE, 0x080c, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
34 | #define IOCTL_CE_INITIALIZE CTL_CODE(IOCTL_UNKNOWN_BASE, 0x080d, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
35 | #define IOCTL_CE_DONTPROTECTME CTL_CODE(IOCTL_UNKNOWN_BASE, 0x080e, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
36 | #define IOCTL_CE_GETIDT CTL_CODE(IOCTL_UNKNOWN_BASE, 0x080f, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
37 | #define IOCTL_CE_HOOKINTS CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0810, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
38 | #define IOCTL_CE_DEBUGPROCESS CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0811, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
39 | //#define IOCTL_CE_RETRIEVEDEBUGDATA CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0812, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
40 | #define IOCTL_CE_STARTPROCESSWATCH CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0813, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
41 | #define IOCTL_CE_GETPROCESSEVENTS CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0814, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
42 | #define IOCTL_CE_GETTHREADEVENTS CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0815, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
43 | #define IOCTL_CE_GETVERSION CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0816, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
44 | #define IOCTL_CE_GETCR4 CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0817, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
45 | #define IOCTL_CE_OPENTHREAD CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0818, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
46 | #define IOCTL_CE_MAKEWRITABLE CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0819, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
47 | //obsolete: #define IOCTL_CE_DEBUGPROCESS_CHANGEREG CTL_CODE(IOCTL_UNKNOWN_BASE, 0x081a, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
48 | #define IOCTL_CE_STOPDEBUGGING CTL_CODE(IOCTL_UNKNOWN_BASE, 0x081b, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
49 | //obsolete: #define IOCTL_CE_STOP_DEBUGPROCESS_CHANGEREG CTL_CODE(IOCTL_UNKNOWN_BASE, 0x081c, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
50 | //#define IOCTL_CE_USEALTERNATEMETHOD CTL_CODE(IOCTL_UNKNOWN_BASE, 0x081d, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
51 | //#define IOCTL_CE_ISUSINGALTERNATEMETHOD CTL_CODE(IOCTL_UNKNOWN_BASE, 0x081e, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
52 | #define IOCTL_CE_ALLOCATEMEM CTL_CODE(IOCTL_UNKNOWN_BASE, 0x081f, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
53 | #define IOCTL_CE_CREATEAPC CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0820, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
54 | #define IOCTL_CE_GETPETHREAD CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0821, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
55 |
56 | #define IOCTL_CE_SUSPENDTHREAD CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0822, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
57 | #define IOCTL_CE_RESUMETHREAD CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0823, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
58 | #define IOCTL_CE_SUSPENDPROCESS CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0824, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
59 | #define IOCTL_CE_RESUMEPROCESS CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0825, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
60 |
61 | #define IOCTL_CE_ALLOCATEMEM_NONPAGED CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0826, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
62 | #define IOCTL_CE_GETPROCADDRESS CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0827, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
63 | //#define IOCTL_CE_SETSDTADDRESS CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0828, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
64 | #define IOCTL_CE_GETSDTADDRESS CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0829, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
65 |
66 | #define IOCTL_CE_GETGDT CTL_CODE(IOCTL_UNKNOWN_BASE, 0x082a, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
67 | #define IOCTL_CE_SETCR4 CTL_CODE(IOCTL_UNKNOWN_BASE, 0x082b, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
68 | #define IOCTL_CE_GETTR CTL_CODE(IOCTL_UNKNOWN_BASE, 0x082c, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
69 | #define IOCTL_CE_VMXCONFIG CTL_CODE(IOCTL_UNKNOWN_BASE, 0x082d, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
70 | #define IOCTL_CE_GETCR0 CTL_CODE(IOCTL_UNKNOWN_BASE, 0x082e, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
71 | #define IOCTL_CE_USERDEFINEDINTERRUPTHOOK CTL_CODE(IOCTL_UNKNOWN_BASE, 0x082f, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
72 | #define IOCTL_CE_SETGLOBALDEBUGSTATE CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0830, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
73 |
74 | #define IOCTL_CE_CONTINUEDEBUGEVENT CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0831, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
75 | #define IOCTL_CE_WAITFORDEBUGEVENT CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0832, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
76 | #define IOCTL_CE_GETDEBUGGERSTATE CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0833, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
77 | #define IOCTL_CE_SETDEBUGGERSTATE CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0834, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
78 | #define IOCTL_CE_GD_SETBREAKPOINT CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0835, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
79 | #define IOCTL_CE_TOUCHDEBUGREGISTER CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0836, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
80 |
81 | #define IOCTL_CE_LAUNCHDBVM CTL_CODE(IOCTL_UNKNOWN_BASE, 0x083a, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
82 | #define IOCTL_CE_UNHOOKALLINTERRUPTS CTL_CODE(IOCTL_UNKNOWN_BASE, 0x083b, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
83 | #define IOCTL_CE_EXECUTE_CODE CTL_CODE(IOCTL_UNKNOWN_BASE, 0x083c, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
84 | #define IOCTL_CE_GETPROCESSNAMEADDRESS CTL_CODE(IOCTL_UNKNOWN_BASE, 0x083d, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
85 | #define IOCTL_CE_SETKERNELSTEPABILITY CTL_CODE(IOCTL_UNKNOWN_BASE, 0x083e, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
86 |
87 | #define IOCTL_CE_READMSR CTL_CODE(IOCTL_UNKNOWN_BASE, 0x083f, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
88 | #define IOCTL_CE_WRITEMSR CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0840, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
89 |
90 | #define IOCTL_CE_SETSTORELBR CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0841, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
91 | #define IOCTL_CE_ULTIMAP CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0842, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
92 | #define IOCTL_CE_ULTIMAP_DISABLE CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0843, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
93 | #define IOCTL_CE_ULTIMAP_WAITFORDATA CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0844, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
94 | #define IOCTL_CE_ULTIMAP_CONTINUE CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0845, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
95 | #define IOCTL_CE_ULTIMAP_FLUSH CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0846, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
96 |
97 | #define IOCTL_CE_GETMEMORYRANGES CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0847, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
98 |
99 | #define IOCTL_CE_STARTACCESMONITOR CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0848, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
100 | #define IOCTL_CE_ENUMACCESSEDMEMORY CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0849, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
101 | #define IOCTL_CE_GETACCESSEDMEMORYLIST CTL_CODE(IOCTL_UNKNOWN_BASE, 0x084a, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
102 | #define IOCTL_CE_WRITESIGNOREWP CTL_CODE(IOCTL_UNKNOWN_BASE, 0x084b, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
103 | #define IOCTL_CE_FREE_NONPAGED CTL_CODE(IOCTL_UNKNOWN_BASE, 0x084c, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
104 | #define IOCTL_CE_MAP_MEMORY CTL_CODE(IOCTL_UNKNOWN_BASE, 0x084d, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
105 | #define IOCTL_CE_UNMAP_MEMORY CTL_CODE(IOCTL_UNKNOWN_BASE, 0x084e, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
106 |
107 | #define IOCTL_CE_ULTIMAP2 CTL_CODE(IOCTL_UNKNOWN_BASE, 0x084f, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
108 | #define IOCTL_CE_DISABLEULTIMAP2 CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0850, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
109 | #define IOCTL_CE_ULTIMAP2_WAITFORDATA CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0851, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
110 | #define IOCTL_CE_ULTIMAP2_CONTINUE CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0852, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
111 | #define IOCTL_CE_ULTIMAP2_FLUSH CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0853, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
112 | #define IOCTL_CE_ULTIMAP2_PAUSE CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0854, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
113 | #define IOCTL_CE_ULTIMAP2_RESUME CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0855, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
114 |
115 | #define IOCTL_CE_ULTIMAP2_LOCKFILE CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0856, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
116 | #define IOCTL_CE_ULTIMAP2_RELEASEFILE CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0857, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
117 |
118 | #define IOCTL_CE_ULTIMAP_PAUSE CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0858, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
119 | #define IOCTL_CE_ULTIMAP_RESUME CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0859, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
120 |
121 | #define IOCTL_CE_ULTIMAP2_GETTRACESIZE CTL_CODE(IOCTL_UNKNOWN_BASE, 0x085a, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
122 | #define IOCTL_CE_ULTIMAP2_RESETTRACESIZE CTL_CODE(IOCTL_UNKNOWN_BASE, 0x085b, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
123 |
124 | #define IOCTL_CE_ENABLE_DRM CTL_CODE(IOCTL_UNKNOWN_BASE, 0x085c, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
125 | #define IOCTL_CE_GET_PEB CTL_CODE(IOCTL_UNKNOWN_BASE, 0x085d, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
126 | #define IOCTL_CE_QUERYINFORMATIONPROCESS CTL_CODE(IOCTL_UNKNOWN_BASE, 0x085e, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
127 | #define IOCTL_CE_NTPROTECTVIRTUALMEMORY CTL_CODE(IOCTL_UNKNOWN_BASE, 0x085f, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
128 |
129 | #define IOCTL_CE_LOCK_MEMORY CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0860, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
130 | #define IOCTL_CE_UNLOCK_MEMORY CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0861, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
131 | #define IOCTL_CE_ALLOCATE_MEMORY_FOR_DBVM CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0862, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
132 |
--------------------------------------------------------------------------------
/CECheater/MemLoadDriver.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TechForBad/CECheater/5e12339178792396ed4394a59de1fe9e983ef4d6/CECheater/MemLoadDriver.cpp
--------------------------------------------------------------------------------
/CECheater/MemLoadDriver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TechForBad/CECheater/5e12339178792396ed4394a59de1fe9e983ef4d6/CECheater/MemLoadDriver.h
--------------------------------------------------------------------------------
/CECheater/common.cpp:
--------------------------------------------------------------------------------
1 | #include "common.h"
2 |
3 | #include
4 | #include
5 |
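// Formats printf-style arguments into a freshly malloc'ed, NUL-terminated
// buffer.
//
// Returns NULL when formatting or allocation fails. The caller owns the
// returned buffer and must release it with free().
static char* str_Format(const char* format, ...)
{
    va_list argptr;

    // First pass only measures the output.
    va_start(argptr, format);
    int count = vsnprintf(NULL, 0, format, argptr);
    va_end(argptr);

    // A negative count is a formatting error; using it as a size would turn
    // into a huge unsigned length in the second pass.
    if (count < 0)
    {
        return NULL;
    }

    size_t size = (size_t)count + 1;
    char* buf = (char*)malloc(size);
    if (NULL == buf)
    {
        return NULL;
    }

    // Second pass writes into the buffer; vsnprintf always terminates it.
    // va_start is taken only after the allocation so that every path that
    // starts a va_list also ends it.
    va_start(argptr, format);
    int written = vsnprintf(buf, size, format, argptr);
    va_end(argptr);

    if (written < 0 || (size_t)written >= size)
    {
        free(buf);
        return NULL;
    }

    return buf;
}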
25 |
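// Wide-character counterpart of str_Format(const char*, ...): formats into a
// freshly malloc'ed, NUL-terminated wchar_t buffer.
//
// Returns NULL when formatting or allocation fails. The caller owns the
// returned buffer and must release it with free().
static wchar_t* str_Format(const wchar_t* format, ...)
{
    va_list argptr;

    // First pass only measures the output (in wide characters).
    va_start(argptr, format);
    int count = _vsnwprintf(NULL, 0, format, argptr);
    va_end(argptr);

    // A negative count is a formatting error; do not size a buffer from it.
    if (count < 0)
    {
        return NULL;
    }

    size_t chars = (size_t)count + 1;
    wchar_t* buf = (wchar_t*)malloc(chars * sizeof(wchar_t));
    if (NULL == buf)
    {
        return NULL;
    }

    // va_start is taken only after the allocation so that every path that
    // starts a va_list also ends it.
    va_start(argptr, format);
    int written = _vsnwprintf(buf, (size_t)count, format, argptr);
    va_end(argptr);

    if (written < 0)
    {
        free(buf);
        return NULL;
    }

    // _vsnwprintf does not terminate when the output fills the count exactly.
    buf[count] = L'\0';
    return buf;
}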
45 |
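// Formats printf-style arguments and returns the result as a std::string.
// Returns an empty string when the output is empty, when formatting fails or
// when the temporary buffer cannot be allocated.
std::string Format(const char* format, ...)
{
    va_list argptr;

    // First pass only measures the output.
    va_start(argptr, format);
    int count = vsnprintf(NULL, 0, format, argptr);
    va_end(argptr);

    // Negative means a formatting error; it must not reach malloc or the
    // std::string length below.
    if (count <= 0)
    {
        return "";
    }

    size_t size = (size_t)count + 1;
    char* buf = (char*)malloc(size);
    if (NULL == buf)
    {
        return "";
    }

    // va_start is taken only after the allocation so that every path that
    // starts a va_list also ends it.
    va_start(argptr, format);
    int written = vsnprintf(buf, size, format, argptr);
    va_end(argptr);

    std::string str;
    if (written == count)
    {
        str.assign(buf, (size_t)count);
    }
    free(buf);
    return str;
}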
66 |
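// Wide-character counterpart of Format(const char*, ...): formats
// printf-style arguments and returns the result as a std::wstring.
// Returns an empty string when the output is empty, when formatting fails or
// when the temporary buffer cannot be allocated.
std::wstring Format(const wchar_t* format, ...)
{
    va_list argptr;

    // First pass only measures the output (in wide characters).
    va_start(argptr, format);
    int count = _vsnwprintf(NULL, 0, format, argptr);
    va_end(argptr);

    // Negative means a formatting error; it must not reach malloc or the
    // std::wstring length below.
    if (count <= 0)
    {
        return L"";
    }

    wchar_t* buf = (wchar_t*)malloc((size_t)count * sizeof(wchar_t));
    if (NULL == buf)
    {
        return L"";
    }

    // va_start is taken only after the allocation so that every path that
    // starts a va_list also ends it. The buffer is not NUL-terminated; the
    // explicit length below is what bounds the copy.
    va_start(argptr, format);
    int written = _vsnwprintf(buf, (size_t)count, format, argptr);
    va_end(argptr);

    std::wstring str;
    if (written == count)
    {
        str.assign(buf, (size_t)count);
    }
    free(buf);
    return str;
}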
87 |
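// Converts a NUL-terminated UTF-8 string to a std::wstring.
// Returns an empty string for NULL or empty input, or when the conversion
// fails.
std::wstring ConvertCharToWString(const char* charStr)
{
    std::wstring wstr;
    if (NULL == charStr)
    {
        return wstr;
    }

    size_t rawLen = strlen(charStr);
    // The API takes an int length; reject input that would not fit instead of
    // letting the value wrap.
    if (rawLen == 0 || rawLen > (size_t)0x7fffffff)
    {
        return wstr;
    }
    int len = (int)rawLen;

    // First call only asks for the required number of wide characters.
    int size = MultiByteToWideChar(CP_UTF8, 0, charStr, len, NULL, 0);
    if (size > 0)
    {
        wstr.resize(size);
        if (MultiByteToWideChar(CP_UTF8, 0, charStr, len, &wstr[0], size) <= 0)
        {
            // Do not hand back a buffer of NULs pretending to be a result.
            wstr.clear();
        }
    }
    return wstr;
}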
100 |
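// Converts a NUL-terminated wide string to a std::string in the OEM code page.
// Returns an empty string for NULL or empty input, or when the conversion
// fails.
// NOTE(review): this uses CP_OEMCP while ConvertCharToWString uses CP_UTF8, so
// the two are not inverses of each other for non-ASCII text; characters the
// OEM code page cannot represent are replaced by the system default character.
std::string ConvertWCharToString(const wchar_t* wcharStr)
{
    std::string str;
    if (NULL == wcharStr)
    {
        return str;
    }

    size_t rawLen = wcslen(wcharStr);
    // The API takes an int length; reject input that would not fit instead of
    // letting the value wrap.
    if (rawLen == 0 || rawLen > (size_t)0x7fffffff)
    {
        return str;
    }
    int wlen = (int)rawLen;

    // First call only asks for the required number of bytes.
    int size = WideCharToMultiByte(CP_OEMCP, 0, wcharStr, wlen, NULL, 0, NULL, NULL);
    if (size > 0)
    {
        str.resize(size);
        if (WideCharToMultiByte(CP_OEMCP, 0, wcharStr, wlen, &str[0], size, NULL, NULL) <= 0)
        {
            // Do not hand back a buffer of NULs pretending to be a result.
            str.clear();
        }
    }
    return str;
}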
113 |
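// Enables SE_DEBUG_NAME (SeDebugPrivilege) on the current process token.
//
// Returns TRUE only when the privilege was actually enabled, FALSE otherwise.
// The token handle is closed on every path.
//
// Defender note: the privilege can only be enabled if the token already holds
// it, which by default means an elevated administrator process. Enabling it
// is visible to token-right-adjustment auditing where that is turned on.
BOOL AdjustProcessTokenPrivilege()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        LOG("OpenProcessToken failed");
        return FALSE;
    }

    BOOL enabled = FALSE;
    LUID luidTmp;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidTmp))
    {
        LOG("LookupPrivilegeValue failed");
    }
    else
    {
        TOKEN_PRIVILEGES tkp;
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = luidTmp;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
        {
            LOG("AdjustTokenPrivileges failed");
        }
        else if (ERROR_NOT_ALL_ASSIGNED == GetLastError())
        {
            // AdjustTokenPrivileges reports success even when the token does
            // not hold the requested privilege; the last-error value is the
            // only way to tell the two cases apart.
            LOG("AdjustTokenPrivileges failed: privilege not held by the token");
        }
        else
        {
            enabled = TRUE;
        }
    }

    CloseHandle(hToken);
    return enabled;
}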
146 |
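// Writes the directory of the module that contains this function into
// dirPath, including the trailing backslash.
//
// dirPath must point to a buffer of at least MAX_PATH WCHARs. Returns false
// (and leaves dirPath as an empty string) when the module cannot be resolved
// or its path does not fit in MAX_PATH.
bool GetCurrentModuleDirPath(WCHAR* dirPath)
{
    if (nullptr == dirPath)
    {
        return false;
    }
    dirPath[0] = L'\0';

    // Resolve the module from an address inside it rather than by name.
    HMODULE hModule = NULL;
    if (!GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, (LPCTSTR)GetCurrentModuleDirPath, &hModule))
    {
        LOG("GetModuleHandleEx failed");
        return false;
    }

    // 0 means failure; a length equal to the buffer size means the path was
    // truncated, and a truncated path must not be used to locate files.
    DWORD len = GetModuleFileName(hModule, dirPath, MAX_PATH);
    if (0 == len || len >= MAX_PATH)
    {
        LOG("GetModuleFileName failed");
        dirPath[0] = L'\0';
        return false;
    }

    wchar_t* pos = wcsrchr(dirPath, L'\\');
    if (nullptr == pos)
    {
        LOG("wcsrchr failed");
        return false;
    }

    // Cut the file name off, keeping the separator.
    *(pos + 1) = L'\0';
    return true;
}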
161 |
--------------------------------------------------------------------------------
/CECheater/common.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TechForBad/CECheater/5e12339178792396ed4394a59de1fe9e983ef4d6/CECheater/common.h
--------------------------------------------------------------------------------
/CECheater/dllmain.cpp:
--------------------------------------------------------------------------------
1 | #include "common.h"
2 | #include "export.h"
3 | #include "DBKControl.h"
4 | #include "MemLoadDriver.h"
5 |
// Load method selected on the command line; set by ParseCommandLine.
static LoadType g_LoadType;
// Absolute path of the driver file named on the command line.
static WCHAR g_DriverFilePath[MAX_PATH] = { 0 };
// Driver name: the "\FileSystem\" prefix, to which ParseCommandLine appends
// the stem of the driver file name.
// NOTE(review): the prefix already occupies 12 of the 100 WCHARs, so at most
// 87 more characters fit before the terminator.
static WCHAR g_DriverName[100] = L"\\FileSystem\\";
9 |
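// Parses the host process command line into the module globals.
//
// Expected form: <exe> <load type> <driver file>, where <load type> is
// -load_by_shellcode or -load_by_driver (case-insensitive).
// On success g_DriverFilePath holds the absolute driver path, g_DriverName
// has the file stem appended, g_LoadType is set, and true is returned.
// Returns false, after logging the reason, on any invalid input.
bool ParseCommandLine()
{
    int nArgs = 0;
    LPWSTR* argList = CommandLineToArgvW(GetCommandLineW(), &nArgs);
    if (NULL == argList)
    {
        LOG("CommandLineToArgvW failed");
        return false;
    }
    if (nArgs < 3)
    {
        LOG("Number of command args is too few: %d", nArgs);
        LocalFree(argList);
        return false;
    }

    // Copy what is needed and release the argument block straight away, so no
    // return path below can leak it.
    const std::wstring loadTypeArg = argList[1];
    const std::wstring driverPathArg = argList[2];
    LocalFree(argList);

    // Check that the driver file exists.
    if (!std::filesystem::exists(driverPathArg))
    {
        LOG("Parameter error, path not exist: %ls", driverPathArg.c_str());
        return false;
    }

    // Resolve the absolute path of the driver file. The destination is a
    // fixed MAX_PATH buffer, so the length is checked before the copy.
    std::filesystem::path driverFilePath = std::filesystem::absolute(driverPathArg);
    if (driverFilePath.native().length() >= MAX_PATH)
    {
        LOG("Parameter error, path is too long: %ls", driverFilePath.c_str());
        return false;
    }
    wcscpy(g_DriverFilePath, driverFilePath.c_str());
    LOG("Find driver file path: %ls", g_DriverFilePath);

    // Take the driver file name without extension. The limit is derived from
    // the space actually left in g_DriverName after its existing prefix,
    // rather than a fixed constant that can exceed it.
    std::wstring driverName = driverFilePath.stem();
    const size_t capacity = sizeof(g_DriverName) / sizeof(g_DriverName[0]);
    const size_t used = wcslen(g_DriverName);
    if (used + driverName.length() + 1 > capacity)
    {
        LOG("Parameter error, file name is too long: %ls", driverName.c_str());
        return false;
    }
    wcscat(g_DriverName, driverName.c_str());

    // Select the load type.
    if (0 == _wcsicmp(loadTypeArg.c_str(), L"-load_by_shellcode"))
    {
        g_LoadType = LoadByShellcode;
        LOG("load type: load by shellcode");
    }
    else if (0 == _wcsicmp(loadTypeArg.c_str(), L"-load_by_driver"))
    {
        g_LoadType = LoadByIoCreateDriver;
        LOG("load type: load by driver, driver name: %ls", g_DriverName);
    }
    else
    {
        LOG("Unknown load type: %ls", loadTypeArg.c_str());
        return false;
    }

    return true;
}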
60 |
// Runs the load sequence in order and stops at the first failing step:
// enable the debug privilege, make sure the DBK driver is loaded, initialise
// it, then ask it to load the driver selected by ParseCommandLine.
// Every step logs its outcome; nothing is returned to the caller.
//
// Defender note: each stage leaves something observable - a privilege change
// on the process token, a kernel driver load, then requests to that driver's
// device. NOTE(review): what the helpers do internally is not visible in this
// file; see DBKControl.* and MemLoadDriver.*.
void Worker()
{
    // Enable the privilege needed by the following steps.
    if (!AdjustProcessTokenPrivilege())
    {
        LOG("AdjustProcessTokenPrivilege failed");
        return;
    }

    // Load the DBK driver unless it is already present. A NULL address is
    // treated as "not loaded yet"; the lookup is repeated after loading to
    // confirm that the load really took effect.
    if (NULL == GetDriverAddress(DBK_DRIVER_NAME))
    {
        if (!LoadDBKDriver())
        {
            LOG("load DBKDriver failed");
            return;
        }
        if (NULL == GetDriverAddress(DBK_DRIVER_NAME))
        {
            LOG("GetDriverAddress failed");
            return;
        }
        LOG("load DBKDriver success");
    }
    else
    {
        LOG("DBKDriver Exists");
    }

    // Initialise the DBK driver.
    if (!InitDBKDriver())
    {
        LOG("init DBKDriver failed");
        return;
    }
    LOG("init DBKDriver success");

    // Load the custom driver through the DBK driver, using the load type,
    // file path and driver name filled in by ParseCommandLine.
    if (!DBK_LoadMyDriver(g_LoadType, g_DriverFilePath, g_DriverName))
    {
        LOG("load my driver failed");
        return;
    }
    // Reached only when every step above succeeded.
    LOG("test DBKDriver");
}
106 |
// DLL entry point. On process attach it does all of the project's work
// (console attach, argument parsing, Worker) and then terminates the host
// process; on process detach it does nothing.
//
// NOTE(review): everything runs inside DLL_PROCESS_ATTACH, i.e. while the
// host process is still loading this DLL, and the __finally block ends with
// ExitProcess(0). The host therefore never continues past the load, and the
// `break` / `return TRUE` after the __try are not reached on that path.
// Defender note: a process that exits immediately after loading a library
// and then a kernel driver is an unusual sequence worth alerting on.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // Thread attach/detach notifications are not needed.
        DisableThreadLibraryCalls(hModule);

        __try
        {
            // Redirect output to the parent process's console so the log
            // lines can be watched there.
            AttachConsole(ATTACH_PARENT_PROCESS);
            if (NULL == freopen("CONOUT$", "w+t", stdout))
            {
                LOG("freopen failed");
                __leave;
            }

            // Parse the command-line arguments.
            if (!ParseCommandLine())
            {
                LOG("ParseCommandLine failed");
                __leave;
            }

            // Do the actual work.
            Worker();
        }
        __finally
        {
            // Tear down the DBK driver. This runs on every path, including
            // the early __leave exits taken before the driver was set up.
            UninitDBKDriver();

            // End the process outright.
            ExitProcess(0);
        }

        break;
    }
    case DLL_PROCESS_DETACH:
    {
        break;
    }
    }
    return TRUE;
}
153 |
--------------------------------------------------------------------------------
/CECheater/export.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
// Marks a function as an unmangled (extern "C") DLL export.
#define EXPORT_FUNCTION extern "C" __declspec(dllexport)

// Empty stand-ins that carry Lua C API names (lua_*, luaL_*). Each one takes
// no arguments and does nothing, so they only satisfy an importer's symbol
// lookup; none implements the Lua function it is named after.
// NOTE(review): the project file lists lua53-64 / lua53-32, presumably as the
// output name, which would make this DLL a stand-in for a host application's
// Lua 5.3 library, with the real work done from DllMain at load time - the
// DLL side-loading pattern. For detection, compare a "lua53" module next to
// the host executable against the vendor's signature and hash; a copy whose
// exports are all empty bodies is not the real library.
EXPORT_FUNCTION void lua_close() {}
EXPORT_FUNCTION void lua_newthread() {}
EXPORT_FUNCTION void lua_atpanic() {}
EXPORT_FUNCTION void lua_rotate() {}
EXPORT_FUNCTION void lua_rawlen() {}
EXPORT_FUNCTION void lua_absindex() {}
EXPORT_FUNCTION void lua_gettop() {}
EXPORT_FUNCTION void lua_settop() {}
EXPORT_FUNCTION void lua_pushvalue() {}
EXPORT_FUNCTION void lua_isnumber() {}
EXPORT_FUNCTION void lua_isinteger() {}
EXPORT_FUNCTION void lua_isstring() {}
EXPORT_FUNCTION void lua_iscfunction() {}
EXPORT_FUNCTION void lua_isuserdata() {}
EXPORT_FUNCTION void lua_type() {}
EXPORT_FUNCTION void lua_tonumberx() {}
EXPORT_FUNCTION void lua_tointegerx() {}
EXPORT_FUNCTION void lua_toboolean() {}
EXPORT_FUNCTION void lua_tolstring() {}
EXPORT_FUNCTION void lua_tocfunction() {}
EXPORT_FUNCTION void lua_touserdata() {}
EXPORT_FUNCTION void lua_pushnil() {}
EXPORT_FUNCTION void lua_pushnumber() {}
EXPORT_FUNCTION void lua_pushinteger() {}
EXPORT_FUNCTION void lua_pushlstring() {}
EXPORT_FUNCTION void lua_pushstring() {}
EXPORT_FUNCTION void lua_pushcclosure() {}
EXPORT_FUNCTION void lua_pushboolean() {}
EXPORT_FUNCTION void lua_pushlightuserdata() {}
EXPORT_FUNCTION void lua_gettable() {}
EXPORT_FUNCTION void lua_rawgeti() {}
EXPORT_FUNCTION void lua_createtable() {}
EXPORT_FUNCTION void lua_newuserdata() {}
EXPORT_FUNCTION void lua_getmetatable() {}
EXPORT_FUNCTION void lua_settable() {}
EXPORT_FUNCTION void lua_rawseti() {}
EXPORT_FUNCTION void lua_setmetatable() {}
EXPORT_FUNCTION void lua_callk() {}
EXPORT_FUNCTION void lua_pcallk() {}
EXPORT_FUNCTION void lua_load() {}
EXPORT_FUNCTION void lua_dump() {}
EXPORT_FUNCTION void lua_gc() {}
EXPORT_FUNCTION void lua_error() {}
EXPORT_FUNCTION void lua_next() {}
EXPORT_FUNCTION void lua_setglobal() {}
EXPORT_FUNCTION void lua_getglobal() {}
EXPORT_FUNCTION void lua_getinfo() {}
EXPORT_FUNCTION void lua_getlocal() {}
EXPORT_FUNCTION void lua_sethook() {}
EXPORT_FUNCTION void luaL_argerror() {}
EXPORT_FUNCTION void luaL_ref() {}
EXPORT_FUNCTION void luaL_unref() {}
EXPORT_FUNCTION void luaL_loadfilex() {}
EXPORT_FUNCTION void luaL_loadstring() {}
EXPORT_FUNCTION void luaL_newstate() {}
EXPORT_FUNCTION void luaL_openlibs() {}
61 |
--------------------------------------------------------------------------------
/MyDriver/DriverEntry.cpp:
--------------------------------------------------------------------------------
1 | #include
2 |
3 | // Test-only driver entry point: traces entry and exit with DbgPrint, ignores both arguments and reports success.
4 | // NOTE(review): the README describes this image being mapped and entered by the loader tool, so the arguments may not be the usual ones -- confirm before dereferencing either.
5 | extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path)
6 | {
7 |     UNREFERENCED_PARAMETER(registry_path);
8 |     UNREFERENCED_PARAMETER(driver_object);
9 |     PAGED_CODE();
10 |     // No device object, dispatch table or unload routine is set up here; the two messages are the only observable effect.
11 |     DbgPrint("Enter DriverEntry");
12 |     DbgPrint("Leave DriverEntry");
13 |     return STATUS_SUCCESS;
14 | }
15 |
--------------------------------------------------------------------------------
/MyDriver/MyDriver.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | x64
7 |
8 |
9 | Release
10 | x64
11 |
12 |
13 | Debug
14 | ARM64
15 |
16 |
17 | Release
18 | ARM64
19 |
20 |
21 |
22 | {3D7E3991-FB02-415C-A9FC-52F812901B8B}
23 | {dd38f7fc-d7bd-488b-9242-7d8754cde80d}
24 | v4.5
25 | 12.0
26 | Debug
27 | x64
28 | MyDriver
29 | $(LatestTargetPlatformVersion)
30 |
31 |
32 |
33 | Windows10
34 | true
35 | WindowsKernelModeDriver10.0
36 | Driver
37 | WDM
38 | false
39 | Desktop
40 |
41 |
42 | Windows10
43 | false
44 | WindowsKernelModeDriver10.0
45 | Driver
46 | WDM
47 | false
48 | Desktop
49 |
50 |
51 | Windows10
52 | true
53 | WindowsKernelModeDriver10.0
54 | Driver
55 | WDM
56 | false
57 | Desktop
58 |
59 |
60 | Windows10
61 | false
62 | WindowsKernelModeDriver10.0
63 | Driver
64 | WDM
65 | false
66 | Desktop
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 | DbgengKernelDebugger
78 | $(SolutionDir)$(Platform)\$(Configuration)\
79 | $(Platform)\$(Configuration)\
80 | false
81 | $(VC_IncludePath);$(ProjectDir);$(IncludePath)
82 |
83 |
84 | DbgengKernelDebugger
85 | $(SolutionDir)$(Platform)\$(Configuration)\
86 | $(Platform)\$(Configuration)\
87 | false
88 | $(VC_IncludePath);$(ProjectDir);$(IncludePath)
89 |
90 |
91 | DbgengKernelDebugger
92 | $(SolutionDir)$(Platform)\$(Configuration)\
93 | $(Platform)\$(Configuration)\
94 | false
95 | $(VC_IncludePath);$(ProjectDir);$(IncludePath)
96 |
97 |
98 | DbgengKernelDebugger
99 | $(SolutionDir)$(Platform)\$(Configuration)\
100 | $(Platform)\$(Configuration)\
101 | false
102 | $(VC_IncludePath);$(ProjectDir);$(IncludePath)
103 |
104 |
105 |
106 | sha256
107 |
108 |
109 | TurnOffAllWarnings
110 |
111 |
112 | false
113 | false
114 | Guard
115 | %(AdditionalIncludeDirectories)
116 |
117 |
118 | DriverEntry
119 | $(SolutionDir)$(Platform)\$(Configuration)\;%(AdditionalLibraryDirectories)
120 | %(AdditionalDependencies)
121 |
122 |
123 |
124 |
125 | sha256
126 |
127 |
128 | TurnOffAllWarnings
129 |
130 |
131 | false
132 | false
133 | Guard
134 | %(AdditionalIncludeDirectories)
135 |
136 |
137 | DriverEntry
138 | $(SolutionDir)$(Platform)\$(Configuration)\;%(AdditionalLibraryDirectories)
139 | %(AdditionalDependencies)
140 |
141 |
142 |
143 |
144 | TurnOffAllWarnings
145 |
146 |
147 |
148 |
149 | false
150 | false
151 | Guard
152 | %(AdditionalIncludeDirectories)
153 |
154 |
155 | DriverEntry
156 | $(SolutionDir)$(Platform)\$(Configuration)\;%(AdditionalLibraryDirectories)
157 | %(AdditionalDependencies)
158 |
159 |
160 |
161 |
162 | TurnOffAllWarnings
163 |
164 |
165 |
166 |
167 | false
168 | false
169 | Guard
170 | %(AdditionalIncludeDirectories)
171 |
172 |
173 | DriverEntry
174 | $(SolutionDir)$(Platform)\$(Configuration)\;%(AdditionalLibraryDirectories)
175 | %(AdditionalDependencies)
176 |
177 |
178 |
179 |
180 |
181 |
182 |
183 |
184 |
185 |
186 |
187 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # 介绍
2 | 利用CE的DBK驱动加载未签名驱动
3 |
4 | # 加载未签名驱动的原理
5 | https://bbs.kanxue.com/thread-277919.htm
6 |
7 | # 项目构成
8 | 包含两个项目:
9 | * CECheater项目生成的是lua53-64.dll,用于替换CheatEngine导入的同名dll
10 | * MyDriver项目生成的是MyDriver.sys,仅用于测试,可以替换成您想要加载的未签名驱动
11 |
12 | # 编译
13 | CECheater项目的编译配置为“C++17 + vs2022 + x64 config”,编译完后将生成的lua53-64.dll替换掉bin64里原来的lua53-64.dll就可以了
14 |
15 | # 运行
16 | 压缩包bin64.7z里提供了最终部署结果,需要以管理员权限运行。提供了以下两种不同的方式加载未签名驱动MyDriver.sys:
17 | * 将MyDriver.sys映射到内存中,修复其RVA和导入表,之后由当前进程直接运行驱动的入口点代码
18 | ```
19 | richstuff-x86_64.exe -load_by_shellcode .\\MyDriver.sys
20 | ```
21 | * 将MyDriver.sys映射到内存中,修复其RVA和导入表,之后调用IoCreateDriver来加载驱动,会创建驱动对象“\\FileSystem\\<驱动文件名>”(此处为“\\FileSystem\\MyDriver”),并由系统进程运行驱动的入口点代码
22 | ```
23 | richstuff-x86_64.exe -load_by_driver .\\MyDriver.sys
24 | ```
25 |
26 | # 支持平台
27 | x64 Windows 7, 8.1 and 10
28 |
--------------------------------------------------------------------------------
/bin64.7z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TechForBad/CECheater/5e12339178792396ed4394a59de1fe9e983ef4d6/bin64.7z
--------------------------------------------------------------------------------