├── Kernel-DLL-Injector
├── Communication.cpp
├── Communication.hpp
├── Kernel Dll Injector.filters
├── Kernel Dll Injector.sln
├── Kernel Dll Injector.user
├── Kernel Dll Injector.vcxproj
├── Kernel Dll Injector.vcxproj.user
├── Loader.cpp
├── Loader.hpp
├── Mapper.cpp
├── Mapper.hpp
├── MemoryUtils.cpp
├── MemoryUtils.hpp
├── Operation.hpp
├── ProcessUtils.cpp
├── ProcessUtils.hpp
├── driver.hpp
├── intel_driver.cpp
├── intel_driver.hpp
├── intel_driver_resource.hpp
├── kdmapper.cpp
├── kdmapper.hpp
├── lazy_importer.hpp
├── nt.hpp
├── portable_executable.cpp
├── portable_executable.hpp
├── service.cpp
├── service.hpp
├── utils.cpp
├── utils.hpp
└── xorstr.hpp
├── README.md
├── example.gif
└── test.dll
/Kernel-DLL-Injector/Communication.cpp:
--------------------------------------------------------------------------------
1 | #include "Communication.hpp"
2 |
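/// Loads a module into the current process and resolves one of its exports
/// as the callback used by the other Communication routines.
///
/// @param moduleName  Name or path handed unchanged to LoadLibraryA.
/// @param exportName  Export name handed unchanged to GetProcAddress.
/// @return            The export cast to OperationCallback, or nullptr if the
///                    module could not be loaded or the export is missing.
///
/// NOTE(review): moduleName is not validated here. A bare file name is resolved
/// through the normal DLL search order, so which file is loaded depends on what
/// the caller passes; confirm callers pass a full path or a system module.
OperationCallback Communication::Init(string moduleName, string exportName)
{
    auto hModule = LoadLibraryA(moduleName.c_str());

    if (!hModule)
    {
        printf(xor ("[-] Communication init error: Failed to load library.\n"));
        return nullptr;
    }

    // The cast is unchecked: nothing here verifies that the export really has
    // the OperationCallback signature.
    auto callback = reinterpret_cast<OperationCallback>(GetProcAddress(hModule, exportName.c_str()));

    if (!callback)
    {
        printf(xor ("[-] Communication init error: Export not found.\n"));

        // Release the reference taken by LoadLibraryA so a failed lookup does
        // not leave the module loaded.
        FreeLibrary(hModule);
        return nullptr;
    }

    // The module is left loaded on success; the returned pointer is only valid
    // while it stays loaded.
    return callback;
}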
23 |
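/// Sends a TEST packet through the callback and reports whether the reply was
/// marked valid.
///
/// @param operation  Callback returned by Communication::Init.
/// @return           packet.client.test.valid after the call; false if the
///                   exception handler could not be installed or removed, or
///                   if the callback returned a zero/false result.
bool Communication::TestOperation(OperationCallback operation)
{
    PACKET_BASE packet{};

    packet.op = TEST;
    packet.side = SIDE::SERVER;
    packet.magic = 0xBEED0FEA;

    // Non-zero "First" argument: the handler is placed at the front of the
    // vectored handler list.
    constexpr ULONG firstCall = 1;

    // While installed, this handler sees every exception raised in the process.
    // It advances the saved RIP by 8 bytes and resumes without looking at the
    // exception code or address.
    // NOTE(review): an unrelated fault raised in this window is resumed at a
    // shifted address instead of being reported; consider checking
    // ExceptionRecord before continuing.
    auto veh = AddVectoredExceptionHandler(firstCall, [](PEXCEPTION_POINTERS exceptionInfo) -> LONG
    {
        auto context = exceptionInfo->ContextRecord;
        context->Rip += 8;

        return EXCEPTION_CONTINUE_EXECUTION;
    });

    if (!veh)
        return false;

    // The numeric arguments are fixed; their meaning is defined by whatever
    // receives the call and is not visible in this file.
    const bool callFailed = !operation(0x000004, 0x128, packet, 0xBEED0FEA, 0x1, 0x1);

    // Remove the handler on every path so a failed call does not leave the
    // exception-skipping handler registered for the rest of the process.
    const bool removeFailed = !RemoveVectoredExceptionHandler(veh);

    if (callFailed)
    {
        printf(xor ("[+] Test operation failed.\n"));
        return false;
    }

    if (removeFailed)
        return false;

    return packet.client.test.valid;
}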
56 |
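/// Builds a COPY_VIRTUAL_MEMORY request (source pid/address, target
/// pid/address, byte count) and passes it to the callback.
///
/// @param operation   Callback returned by Communication::Init.
/// @param srcPid      Process id stored as the copy source.
/// @param srcAddr     Address stored as the copy source.
/// @param targetPid   Process id stored as the copy target.
/// @param targetAddr  Address stored as the copy target.
/// @param size        Byte count stored in the request.
/// @return            The reply's size field converted to NTSTATUS, or
///                    STATUS_INVALID_HANDLE on any local failure.
///
/// NOTE(review): the value returned on success is taken from the reply's
/// `size` field, not from a status field; confirm against the receiving side
/// that it really stores a status there.
NTSTATUS Communication::CopyVirtualMemory(OperationCallback operation, ULONGLONG srcPid, uintptr_t srcAddr, ULONGLONG targetPid, uintptr_t targetAddr, SIZE_T size)
{
    PACKET_BASE packet{};

    packet.op = COPY_VIRTUAL_MEMORY;
    packet.side = SIDE::SERVER;
    packet.magic = 0xBEED0FEA;

    auto& serverRequest = packet.server.copy_virtual_memory;

    serverRequest.sourcePid = srcPid;
    serverRequest.sourceAddress = srcAddr;

    serverRequest.targetPid = targetPid;
    serverRequest.targetAddress = targetAddr;

    serverRequest.size = size;

    // Non-zero "First" argument: the handler is placed at the front of the
    // vectored handler list.
    constexpr ULONG firstCall = 1;

    // While installed, this handler sees every exception raised in the process,
    // advances the saved RIP by 8 bytes and resumes, whatever the cause.
    // NOTE(review): unrelated faults in this window are resumed at a shifted
    // address instead of being reported.
    auto veh = AddVectoredExceptionHandler(firstCall, [](PEXCEPTION_POINTERS exceptionInfo) -> LONG
    {
        auto context = exceptionInfo->ContextRecord;
        context->Rip += 8;

        return EXCEPTION_CONTINUE_EXECUTION;
    });

    // `return false` in an NTSTATUS function is 0, i.e. STATUS_SUCCESS, so the
    // local failure paths return an error status instead.
    if (!veh)
        return STATUS_INVALID_HANDLE;

    const bool callFailed = !operation(0x000004, 0x128, packet, 0xBEED0FEA, 0x1, 0x1);

    // Remove the handler on every path, including a failed call.
    const bool removeFailed = !RemoveVectoredExceptionHandler(veh);

    if (callFailed || removeFailed)
        return STATUS_INVALID_HANDLE;

    return NTSTATUS(packet.client.copy_virtual_memory.size);
}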
101 |
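/// Builds a GET_MODULE_BASE_SIZE request for a module name in a given process
/// and returns the base address found in the reply.
///
/// @param operation   Callback returned by Communication::Init.
/// @param processId   Process id stored in the request.
/// @param moduleName  Module name copied into the request's fixed name buffer.
/// @return            The reply's baseAddress; 0 if the name does not fit or
///                    the exception handler could not be installed or removed;
///                    uint64_t(-1) if the callback returned a zero/false result.
uint64_t Communication::GetModuleBaseOperation(OperationCallback operation, ULONGLONG processId, wstring moduleName)
{
    PACKET_BASE packet{};

    packet.op = GET_MODULE_BASE_SIZE;
    packet.side = SIDE::SERVER;
    packet.magic = 0xBEED0FEA;

    auto& serverRequest = packet.server;

    // wstring::copy does no bounds checking, so reject names that would run
    // past the destination. One element is kept free so the zero-initialised
    // packet still ends the name with a terminator.
    // Assumes `name` is a fixed-size array in the packet layout - TODO confirm
    // against Operation.hpp.
    const size_t nameCapacity = sizeof(serverRequest.get_module.name) / sizeof(serverRequest.get_module.name[0]);

    if (moduleName.length() >= nameCapacity)
    {
        printf(xor ("[-] Get module base error: Module name too long.\n"));
        return 0;
    }

    moduleName.copy(serverRequest.get_module.name, moduleName.length());

    serverRequest.get_module.pid = processId;

    // Non-zero "First" argument: the handler is placed at the front of the
    // vectored handler list.
    constexpr ULONG firstCall = 1;

    // While installed, this handler sees every exception raised in the process,
    // advances the saved RIP by 8 bytes and resumes, whatever the cause.
    // NOTE(review): unrelated faults in this window are resumed at a shifted
    // address instead of being reported.
    auto veh = AddVectoredExceptionHandler(firstCall, [](PEXCEPTION_POINTERS exceptionInfo) -> LONG
    {
        auto context = exceptionInfo->ContextRecord;
        context->Rip += 8;

        return EXCEPTION_CONTINUE_EXECUTION;
    });

    if (!veh)
        return 0;

    const bool callFailed = !operation(0x000004, 0x128, packet, 0xBEED0FEA, 0x1, 0x1);

    // Remove the handler on every path, including a failed call.
    const bool removeFailed = !RemoveVectoredExceptionHandler(veh);

    if (callFailed)
    {
        printf(xor ("[+] Get module base operation failed.\n"));
        return -1;
    }

    if (removeFailed)
        return 0;

    return packet.client.get_module.baseAddress;
}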
141 |
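/// Builds an ALLOC_VIRTUAL_MEMORY request and returns the address found in
/// the reply.
///
/// @param operation       Callback returned by Communication::Init.
/// @param targetPid       Process id stored in the request.
/// @param size            Size stored in the request.
/// @param allocationType  Allocation type stored in the request.
/// @param protect         Protection value stored in the request.
/// @param sourceAddress   Address stored in the request's sourceAddress field.
/// @return                The reply's targetAddress; 0 if the exception handler
///                        could not be installed or removed; uint64_t(-1) if
///                        the callback returned a zero/false result.
uint64_t Communication::AllocateVirtualMemory(OperationCallback operation, ULONGLONG targetPid, size_t size, uint32_t allocationType, uint32_t protect, uintptr_t sourceAddress)
{
    PACKET_BASE packet{};

    packet.op = ALLOC_VIRTUAL_MEMORY;
    packet.side = SIDE::SERVER;
    packet.magic = 0xBEED0FEA;

    auto& serverRequest = packet.server.alloc_virtual_memory;

    serverRequest.targetPid = targetPid;
    serverRequest.sourceAddress = sourceAddress;

    serverRequest.allocationType = allocationType;
    serverRequest.protect = protect;

    serverRequest.size = size;
    // The status field is pre-set to STATUS_INTERRUPTED before the call; this
    // function never reads it back.
    serverRequest.code = STATUS_INTERRUPTED;

    // Non-zero "First" argument: the handler is placed at the front of the
    // vectored handler list.
    constexpr ULONG firstCall = 1;

    // While installed, this handler sees every exception raised in the process,
    // advances the saved RIP by 8 bytes and resumes, whatever the cause.
    // NOTE(review): unrelated faults in this window are resumed at a shifted
    // address instead of being reported.
    auto veh = AddVectoredExceptionHandler(firstCall, [](PEXCEPTION_POINTERS exceptionInfo) -> LONG
    {
        auto context = exceptionInfo->ContextRecord;
        context->Rip += 8;

        return EXCEPTION_CONTINUE_EXECUTION;
    });

    if (!veh)
        return 0;

    const bool callFailed = !operation(0x000004, 0x128, packet, 0xBEED0FEA, 0x1, 0x1);

    // Remove the handler on every path, including a failed call.
    const bool removeFailed = !RemoveVectoredExceptionHandler(veh);

    if (callFailed)
    {
        printf(xor ("[+] Allocate virtual memory operation failed.\n"));
        return -1;
    }

    if (removeFailed)
        return 0;

    return packet.client.alloc_virtual_memory.targetAddress;
}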
187 |
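/// Builds a PROTECT_VIRTUAL_MEMORY request and returns the status code found
/// in the reply.
///
/// @param operation      Callback returned by Communication::Init.
/// @param targetPid      Process id stored in the request.
/// @param size           Size stored in the request.
/// @param protect        Protection value stored in the request.
/// @param sourceAddress  Address stored in the request's sourceAddress field.
/// @return               The reply's code field as NTSTATUS, or -1 on any
///                       local failure.
///
/// The protection value in the reply is not handed back: `protect` is a
/// by-value parameter, so assigning the reply to it would have no effect
/// outside this function.
NTSTATUS Communication::ProtectVirtualMemory(OperationCallback operation, ULONGLONG targetPid, size_t size, uint32_t protect, uintptr_t sourceAddress)
{
    PACKET_BASE packet{};

    packet.op = PROTECT_VIRTUAL_MEMORY;
    packet.side = SIDE::SERVER;
    packet.magic = 0xBEED0FEA;

    auto& serverRequest = packet.server.protect_virtual_memory;

    serverRequest.targetPid = targetPid;
    serverRequest.sourceAddress = sourceAddress;

    serverRequest.protect = protect;

    serverRequest.size = size;
    // Pre-set status; the value returned below is read from the reply side of
    // the packet after the call.
    serverRequest.code = STATUS_INTERRUPTED;

    // Non-zero "First" argument: the handler is placed at the front of the
    // vectored handler list.
    constexpr ULONG firstCall = 1;

    // While installed, this handler sees every exception raised in the process,
    // advances the saved RIP by 8 bytes and resumes, whatever the cause.
    // NOTE(review): unrelated faults in this window are resumed at a shifted
    // address instead of being reported.
    auto veh = AddVectoredExceptionHandler(firstCall, [](PEXCEPTION_POINTERS exceptionInfo) -> LONG
    {
        auto context = exceptionInfo->ContextRecord;
        context->Rip += 8;

        return EXCEPTION_CONTINUE_EXECUTION;
    });

    // `return false` in an NTSTATUS function is 0, i.e. STATUS_SUCCESS, so the
    // local failure paths return the same -1 used for a failed call.
    if (!veh)
        return -1;

    const bool callFailed = !operation(0x000004, 0x128, packet, 0xBEED0FEA, 0x1, 0x1);

    // Remove the handler on every path, including a failed call.
    const bool removeFailed = !RemoveVectoredExceptionHandler(veh);

    if (callFailed)
    {
        printf(xor ("[+] Protect virtual memory operation failed.\n"));
        return -1;
    }

    if (removeFailed)
        return -1;

    return NTSTATUS(packet.client.protect_virtual_memory.code);
}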
234 |
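/// Builds a FREE_VIRTUAL_MEMORY request and returns the status code found in
/// the reply.
///
/// @param operation  Callback returned by Communication::Init.
/// @param targetPid  Process id stored in the request.
/// @param address    Address stored in the request.
/// @return           The reply's code field as NTSTATUS, or -1 on any local
///                   failure.
NTSTATUS Communication::FreeVirtualMemory(OperationCallback operation, ULONGLONG targetPid, uintptr_t address)
{
    PACKET_BASE packet{};

    packet.op = FREE_VIRTUAL_MEMORY;
    packet.side = SIDE::SERVER;
    packet.magic = 0xBEED0FEA;

    auto& serverRequest = packet.server.free_memory;

    serverRequest.targetPid = targetPid;
    serverRequest.address = address;

    // Pre-set status; the value returned below is read from the reply side of
    // the packet after the call.
    serverRequest.code = STATUS_INTERRUPTED;

    // Non-zero "First" argument: the handler is placed at the front of the
    // vectored handler list.
    constexpr ULONG firstCall = 1;

    // While installed, this handler sees every exception raised in the process,
    // advances the saved RIP by 8 bytes and resumes, whatever the cause.
    // NOTE(review): unrelated faults in this window are resumed at a shifted
    // address instead of being reported.
    auto veh = AddVectoredExceptionHandler(firstCall, [](PEXCEPTION_POINTERS exceptionInfo) -> LONG
    {
        auto context = exceptionInfo->ContextRecord;
        context->Rip += 8;

        return EXCEPTION_CONTINUE_EXECUTION;
    });

    // `return false` in an NTSTATUS function is 0, i.e. STATUS_SUCCESS, so the
    // local failure paths return the same -1 used for a failed call.
    if (!veh)
        return -1;

    const bool callFailed = !operation(0x000004, 0x128, packet, 0xBEED0FEA, 0x1, 0x1);

    // Remove the handler on every path, including a failed call.
    const bool removeFailed = !RemoveVectoredExceptionHandler(veh);

    if (callFailed)
    {
        printf(xor ("[+] Free virtual memory operation failed.\n"));
        return -1;
    }

    if (removeFailed)
        return -1;

    return NTSTATUS(packet.client.free_memory.code);
}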
--------------------------------------------------------------------------------
/Kernel-DLL-Injector/Communication.hpp:
--------------------------------------------------------------------------------
1 | #include "Operation.hpp"
2 |
/// Static helpers that fill a PACKET_BASE request and pass it to an
/// OperationCallback. All members are static; the class holds no state.
class Communication
{
public:
    /// Loads `moduleName` with LoadLibraryA and resolves `exportName` from it
    /// with GetProcAddress. Returns nullptr if either step fails.
    static OperationCallback Init(
        string moduleName,
        string exportName);

    /// Sends a TEST request and returns the `valid` flag of the reply.
    static bool TestOperation(
        OperationCallback operation);

    /// Sends a COPY_VIRTUAL_MEMORY request describing a copy of `size` bytes
    /// from (srcPid, srcAddr) to (targetPid, targetAddr).
    static NTSTATUS CopyVirtualMemory(
        OperationCallback operation,
        ULONGLONG srcPid,
        uintptr_t srcAddr,
        ULONGLONG targetPid,
        uintptr_t targetAddr,
        SIZE_T size);

    /// Sends a GET_MODULE_BASE_SIZE request for `moduleName` in `processId`
    /// and returns the base address from the reply.
    static uint64_t GetModuleBaseOperation(
        OperationCallback operation,
        ULONGLONG processId,
        wstring moduleName);

    /// Sends an ALLOC_VIRTUAL_MEMORY request and returns the target address
    /// from the reply.
    static uint64_t AllocateVirtualMemory(
        OperationCallback operation,
        ULONGLONG targetPid,
        size_t size,
        uint32_t allocationType,
        uint32_t protect,
        uintptr_t sourceAddress);

    /// Sends a PROTECT_VIRTUAL_MEMORY request and returns the status code
    /// from the reply. `protect` is passed by value, so no previous protection
    /// value is handed back to the caller.
    static NTSTATUS ProtectVirtualMemory(
        OperationCallback operation,
        ULONGLONG targetPid,
        size_t size,
        uint32_t protect,
        uintptr_t sourceAddress);

    /// Sends a FREE_VIRTUAL_MEMORY request and returns the status code from
    /// the reply.
    static NTSTATUS FreeVirtualMemory(
        OperationCallback operation,
        ULONGLONG targetPid,
        uintptr_t address);
};
--------------------------------------------------------------------------------
/Kernel-DLL-Injector/Kernel Dll Injector.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {61bc51c6-141d-4fc0-af67-58e35cc9d7e3}
6 |
7 |
8 | {b2e55e85-97af-4ae2-a2eb-224b0a13721c}
9 |
10 |
11 | {7dc26e77-57f2-4c44-8604-68c0cd31dede}
12 |
13 |
14 | {505f70e7-fa3e-4d5e-be18-5c5eea44110c}
15 |
16 |
17 | {f8f91e30-ead3-4827-97d9-9fbc5d1e6d6d}
18 |
19 |
20 |
21 |
22 | Core
23 |
24 |
25 | Core
26 |
27 |
28 | Utils
29 |
30 |
31 | Utils
32 |
33 |
34 | Vulnerable
35 |
36 |
37 | Vulnerable\kdshitter
38 |
39 |
40 | Vulnerable\kdshitter
41 |
42 |
43 | Vulnerable\kdshitter
44 |
45 |
46 | Vulnerable\kdshitter
47 |
48 |
49 | Vulnerable\kdshitter
50 |
51 |
52 |
53 |
54 | Core
55 |
56 |
57 | Core
58 |
59 |
60 | Core
61 |
62 |
63 | Utils
64 |
65 |
66 | Utils
67 |
68 |
69 | Utils
70 |
71 |
72 | Vulnerable
73 |
74 |
75 | Vulnerable\driver
76 |
77 |
78 | Vulnerable\kdshitter
79 |
80 |
81 | Vulnerable\kdshitter
82 |
83 |
84 | Vulnerable\kdshitter
85 |
86 |
87 | Vulnerable\kdshitter
88 |
89 |
90 | Vulnerable\kdshitter
91 |
92 |
93 | Vulnerable\kdshitter
94 |
95 |
96 | Vulnerable\kdshitter
97 |
98 |
99 |
--------------------------------------------------------------------------------
/Kernel-DLL-Injector/Kernel Dll Injector.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31605.320
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Kernel Dll Injector", "Kernel Dll Injector.vcxproj", "{B8437ACF-518D-4330-A9EB-96F4922CA818}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {B8437ACF-518D-4330-A9EB-96F4922CA818}.Debug|x64.ActiveCfg = Debug|x64
17 | {B8437ACF-518D-4330-A9EB-96F4922CA818}.Debug|x64.Build.0 = Debug|x64
18 | {B8437ACF-518D-4330-A9EB-96F4922CA818}.Debug|x86.ActiveCfg = Debug|Win32
19 | {B8437ACF-518D-4330-A9EB-96F4922CA818}.Debug|x86.Build.0 = Debug|Win32
20 | {B8437ACF-518D-4330-A9EB-96F4922CA818}.Release|x64.ActiveCfg = Release|x64
21 | {B8437ACF-518D-4330-A9EB-96F4922CA818}.Release|x64.Build.0 = Release|x64
22 | {B8437ACF-518D-4330-A9EB-96F4922CA818}.Release|x86.ActiveCfg = Release|Win32
23 | {B8437ACF-518D-4330-A9EB-96F4922CA818}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {72E3EB4D-A69E-45B8-8551-0268B1CCAB4C}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/Kernel-DLL-Injector/Kernel Dll Injector.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Kernel-DLL-Injector/Kernel Dll Injector.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {b8437acf-518d-4330-a9eb-96f4922ca818}
25 | DullTarkov
26 | 10.0
27 | Kernel Dll Injector
28 |
29 |
30 |
31 | Application
32 | true
33 | v142
34 | Unicode
35 |
36 |
37 | Application
38 | false
39 | v142
40 | true
41 | Unicode
42 |
43 |
44 | Application
45 | true
46 | v142
47 | Unicode
48 |
49 |
50 | Application
51 | false
52 | v142
53 | true
54 | MultiByte
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | true
76 |
77 |
78 | false
79 |
80 |
81 | true
82 |
83 |
84 | false
85 | C:\Program Files %28x86%29\Microsoft DirectX SDK (June 2010)\Include;$(IncludePath)
86 | C:\Program Files %28x86%29\Microsoft DirectX SDK (June 2010)\Lib\x64;$(LibraryPath)
87 |
88 |
89 |
90 | Level3
91 | true
92 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
93 | true
94 |
95 |
96 | Console
97 | true
98 |
99 |
100 |
101 |
102 | Level3
103 | true
104 | true
105 | true
106 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
107 | true
108 |
109 |
110 | Console
111 | true
112 | true
113 | true
114 |
115 |
116 |
117 |
118 | Level3
119 | true
120 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
121 | true
122 |
123 |
124 | Console
125 | true
126 |
127 |
128 |
129 |
130 | Level3
131 | true
132 | true
133 | true
134 | _SILENCE_CXX17_CODECVT_HEADER_DEPRECATION_WARNING;_CRT_SECURE_NO_WARNINGS;JM_XORSTR_DISABLE_AVX_INTRINSICS;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
135 | true
136 | MultiThreaded
137 | stdcpp17
138 | stdc17
139 |
140 |
141 | Console
142 | true
143 | true
144 | false
145 | RequireAdministrator
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 |
165 |
166 |
167 |
168 |
169 |
170 |
171 |
172 |
173 |
174 |
175 |
176 |
177 |
178 |
179 |
180 |
--------------------------------------------------------------------------------
/Kernel-DLL-Injector/Kernel Dll Injector.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Kernel-DLL-Injector/Loader.cpp:
--------------------------------------------------------------------------------
1 | #include "MemoryUtils.hpp"
2 |
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include