├── README.md ├── KernelCheatUM ├── KernelCheatUM.vcxproj.user ├── KernelCheatUM.vcxproj.filters ├── main.cpp └── KernelCheatUM.vcxproj ├── KernelCheatYT ├── KernelCheatYT.vcxproj.user ├── main.cpp ├── hook.h ├── memory.h ├── KernelCheatYT.vcxproj.filters ├── KernelCheatYT.inf ├── definitions.h ├── hook.cpp ├── memory.cpp └── KernelCheatYT.vcxproj ├── KernelCheatYT.sln └── .gitignore /README.md: -------------------------------------------------------------------------------- 1 | Work in Progress 2 | -------------------------------------------------------------------------------- /KernelCheatUM/KernelCheatUM.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /KernelCheatYT/KernelCheatYT.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Off 5 | 6 | -------------------------------------------------------------------------------- /KernelCheatYT/main.cpp: -------------------------------------------------------------------------------- 1 | #include "hook.h" 2 | 3 | extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING reg_path) 4 | { 5 | UNREFERENCED_PARAMETER(driver_object); 6 | UNREFERENCED_PARAMETER(reg_path); 7 | 8 | nullhook::call_kernel_function(&nullhook::hook_handler); 9 | 10 | return STATUS_SUCCESS; 11 | } -------------------------------------------------------------------------------- /KernelCheatYT/hook.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "memory.h" 4 | 5 | typedef HBRUSH(*GdiSelectBrush_t)(_In_ HDC hdc, 6 | _In_ HBRUSH hbr 7 | ); 8 | 9 | typedef BOOL(*PatBlt_t)(_In_ HDC, 10 | _In_ int x, 11 | _In_ int y, 12 | _In_ int w, 13 | _In_ int h, 14 | _In_ DWORD 15 | ); 16 | 17 | typedef HDC(*NtUserGetDC_t)(HWND hWnd); 18 | 19 | typedef HBRUSH(*NtGdiCreateSolidBrush_t)(_In_ COLORREF crColor, 20 | _In_opt_ HBRUSH hbr 21 | ); 22 | 23 | typedef int (*ReleaseDC_t)(HDC hdc); 24 | typedef BOOL(*DeleteObjectApp_t)(HANDLE hobj); 25 | 26 | namespace nullhook 27 | { 28 | bool call_kernel_function(void* kernel_function_address); 29 | NTSTATUS hook_handler(PVOID called_param); 30 | INT FrameRect(HDC hDC, CONST RECT* lprc, HBRUSH hbr, int thickness); 31 | } -------------------------------------------------------------------------------- /KernelCheatYT/memory.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "definitions.h" 3 | 4 | PVOID get_system_module_base(const char* module_name); 5 | PVOID get_system_module_export(const char* module_name, LPCSTR routine_name); 6 | bool write_memory(void* address, void* buffer, size_t size); 7 | bool write_to_read_only_memory(void* address, void* buffer, size_t size); 8 | ULONG64 get_module_base_x64(PEPROCESS proc, UNICODE_STRING module_name); 9 | bool read_kernel_memory(HANDLE pid, uintptr_t address, void* buffer, SIZE_T size); 10 | bool write_kernel_memory(HANDLE pid, uintptr_t address, void* buffer, SIZE_T size); 11 | PVOID get_system_module_export(LPCWSTR module_name, LPCSTR routine_name); 12 | 13 | typedef struct _NULL_MEMORY 14 | { 15 | void* buffer_address; 16 | UINT_PTR address; 17 | ULONGLONG size; 18 | ULONG pid; 19 | BOOLEAN write; 20 | BOOLEAN read; 21 | BOOLEAN req_base; 22 | BOOLEAN draw_box; 23 | int r, g, b, x, y, w, h, t; 24 | void* output; 25 | const char* module_name; 26 | ULONG64 base_address; 27 | }NULL_MEMORY; -------------------------------------------------------------------------------- /KernelCheatUM/KernelCheatUM.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /KernelCheatYT/KernelCheatYT.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | 22 | 23 | Driver Files 24 | 25 | 26 | 27 | 28 | Header Files 29 | 30 | 31 | Header Files 32 | 33 | 34 | Header Files 35 | 36 | 37 | 38 | 39 | Source Files 40 | 41 | 42 | Source Files 43 | 44 | 45 | Source Files 46 | 47 | 48 | -------------------------------------------------------------------------------- /KernelCheatYT/KernelCheatYT.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; KernelCheatYT.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=Sample ; TODO: edit Class 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=KernelCheatYT.cat 11 | DriverVer= ; TODO: set DriverVer in stampinf property pages 12 | 13 | [DestinationDirs] 14 | DefaultDestDir = 12 15 | KernelCheatYT_Device_CoInstaller_CopyFiles = 11 16 | 17 | ; ================= Class section ===================== 18 | 19 | [ClassInstall32] 20 | Addreg=SampleClassReg 21 | 22 | [SampleClassReg] 23 | HKR,,,0,%ClassName% 24 | HKR,,Icon,,-5 25 | 26 | [SourceDisksNames] 27 | 1 = %DiskName%,,,"" 28 | 29 | [SourceDisksFiles] 30 | KernelCheatYT.sys = 1,, 31 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames 32 | 33 | ;***************************************** 34 | ; Install Section 35 | ;***************************************** 36 | 37 | [Manufacturer] 38 | %ManufacturerName%=Standard,NT$ARCH$ 39 | 40 | [Standard.NT$ARCH$] 41 | %KernelCheatYT.DeviceDesc%=KernelCheatYT_Device, Root\KernelCheatYT ; TODO: edit hw-id 42 | 43 | [KernelCheatYT_Device.NT] 44 | CopyFiles=Drivers_Dir 45 | 46 | [Drivers_Dir] 47 | KernelCheatYT.sys 48 | 49 | ;-------------- Service installation 50 | [KernelCheatYT_Device.NT.Services] 51 | AddService = KernelCheatYT,%SPSVCINST_ASSOCSERVICE%, KernelCheatYT_Service_Inst 52 | 53 | ; -------------- KernelCheatYT driver install sections 54 | [KernelCheatYT_Service_Inst] 55 | DisplayName = %KernelCheatYT.SVCDESC% 56 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 57 | StartType = 3 ; SERVICE_DEMAND_START 58 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 59 | ServiceBinary = %12%\KernelCheatYT.sys 60 | 61 | ; 62 | ;--- KernelCheatYT_Device Coinstaller installation ------ 63 | ; 64 | 65 | [KernelCheatYT_Device.NT.CoInstallers] 66 | AddReg=KernelCheatYT_Device_CoInstaller_AddReg 67 | CopyFiles=KernelCheatYT_Device_CoInstaller_CopyFiles 68 | 69 | [KernelCheatYT_Device_CoInstaller_AddReg] 70 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller" 71 | 72 | [KernelCheatYT_Device_CoInstaller_CopyFiles] 73 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll 74 | 75 | [KernelCheatYT_Device.NT.Wdf] 76 | KmdfService = KernelCheatYT, KernelCheatYT_wdfsect 77 | [KernelCheatYT_wdfsect] 78 | KmdfLibraryVersion = $KMDFVERSION$ 79 | 80 | [Strings] 81 | SPSVCINST_ASSOCSERVICE= 0x00000002 82 | ManufacturerName="" ;TODO: Replace with your manufacturer name 83 | ClassName="Samples" ; TODO: edit ClassName 84 | DiskName = "KernelCheatYT Installation Disk" 85 | KernelCheatYT.DeviceDesc = "KernelCheatYT Device" 86 | KernelCheatYT.SVCDESC = "KernelCheatYT Service" 87 | -------------------------------------------------------------------------------- /KernelCheatYT.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.29905.134 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KernelCheatYT", "KernelCheatYT\KernelCheatYT.vcxproj", "{59AD331E-D3D4-46C4-8759-4A02AB42353A}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KernelCheatUM", "KernelCheatUM\KernelCheatUM.vcxproj", "{64DE4F42-B12F-431D-89D5-89F8C41249B5}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|ARM = Debug|ARM 13 | Debug|ARM64 = Debug|ARM64 14 | Debug|x64 = Debug|x64 15 | Debug|x86 = Debug|x86 16 | Release|ARM = Release|ARM 17 | Release|ARM64 = Release|ARM64 18 | Release|x64 = Release|x64 19 | Release|x86 = Release|x86 20 | EndGlobalSection 21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 22 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM.ActiveCfg = Debug|ARM 23 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM.Build.0 = Debug|ARM 24 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM.Deploy.0 = Debug|ARM 25 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM64.ActiveCfg = Debug|ARM64 26 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM64.Build.0 = Debug|ARM64 27 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM64.Deploy.0 = Debug|ARM64 28 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x64.ActiveCfg = Debug|x64 29 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x64.Build.0 = Debug|x64 30 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x64.Deploy.0 = Debug|x64 31 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x86.ActiveCfg = Debug|Win32 32 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x86.Build.0 = Debug|Win32 33 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x86.Deploy.0 = Debug|Win32 34 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM.ActiveCfg = Release|ARM 35 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM.Build.0 = Release|ARM 36 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM.Deploy.0 = Release|ARM 37 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM64.ActiveCfg = Release|ARM64 38 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM64.Build.0 = Release|ARM64 39 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM64.Deploy.0 = Release|ARM64 40 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x64.ActiveCfg = Release|x64 41 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x64.Build.0 = Release|x64 42 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x64.Deploy.0 = Release|x64 43 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x86.ActiveCfg = Release|Win32 44 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x86.Build.0 = Release|Win32 45 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x86.Deploy.0 = Release|Win32 46 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|ARM.ActiveCfg = Debug|Win32 47 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|ARM64.ActiveCfg = Debug|Win32 48 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|x64.ActiveCfg = Debug|x64 49 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|x64.Build.0 = Debug|x64 50 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|x86.ActiveCfg = Debug|Win32 51 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|x86.Build.0 = Debug|Win32 52 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|ARM.ActiveCfg = Release|Win32 53 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|ARM64.ActiveCfg = Release|Win32 54 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|x64.ActiveCfg = Release|x64 55 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|x64.Build.0 = Release|x64 56 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|x86.ActiveCfg = Release|Win32 57 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|x86.Build.0 = Release|Win32 58 | EndGlobalSection 59 | GlobalSection(SolutionProperties) = preSolution 60 | HideSolutionNode = FALSE 61 | EndGlobalSection 62 | GlobalSection(ExtensibilityGlobals) = postSolution 63 | SolutionGuid = {689D2A6E-68F2-42AE-8B13-36F3041DB588} 64 | EndGlobalSection 65 | EndGlobal 66 | -------------------------------------------------------------------------------- /KernelCheatUM/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | typedef struct _NULL_MEMORY 10 | { 11 | void* buffer_address; 12 | UINT_PTR address; 13 | ULONGLONG size; 14 | ULONG pid; 15 | BOOLEAN write; 16 | BOOLEAN read; 17 | BOOLEAN req_base; 18 | BOOLEAN draw_box; 19 | int r, g, b, x, y, w, h, t; 20 | void* output; 21 | const char* module_name; 22 | ULONG64 base_address; 23 | }NULL_MEMORY; 24 | 25 | uintptr_t base_address = 0; 26 | std::uint32_t process_id = 0; 27 | HDC hdc; 28 | 29 | template 30 | uint64_t call_hook(const Arg ... args) 31 | { 32 | void* hooked_func = GetProcAddress(LoadLibrary("win32u.dll"), "NtDxgkGetTrackedWorkloadStatistics"); 33 | 34 | auto func = static_cast(hooked_func); 35 | 36 | return func(args ...); 37 | } 38 | 39 | struct HandleDisposer 40 | { 41 | using pointer = HANDLE; 42 | void operator()(HANDLE handle) const 43 | { 44 | if (handle != NULL || handle != INVALID_HANDLE_VALUE) 45 | { 46 | CloseHandle(handle); 47 | } 48 | } 49 | }; 50 | 51 | using unique_handle = std::unique_ptr; 52 | 53 | std::uint32_t get_process_id(std::string_view process_name) 54 | { 55 | PROCESSENTRY32 processentry; 56 | const unique_handle snapshot_handle(CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL)); 57 | 58 | if (snapshot_handle.get() == INVALID_HANDLE_VALUE) 59 | return NULL; 60 | 61 | processentry.dwSize = sizeof(MODULEENTRY32); 62 | 63 | while (Process32Next(snapshot_handle.get(), &processentry) == TRUE) 64 | { 65 | if (process_name.compare(processentry.szExeFile) == NULL) 66 | { 67 | return processentry.th32ProcessID; 68 | } 69 | } 70 | return NULL; 71 | } 72 | 73 | static ULONG64 get_module_base_address(const char* module_name) 74 | { 75 | NULL_MEMORY instructions = { 0 }; 76 | instructions.pid = process_id; 77 | instructions.req_base = TRUE; 78 | instructions.read = FALSE; 79 | instructions.write = FALSE; 80 | instructions.draw_box = FALSE; 81 | instructions.module_name = module_name; 82 | call_hook(&instructions); 83 | 84 | ULONG64 base = NULL; 85 | base = instructions.base_address; 86 | return base; 87 | } 88 | template 89 | T Read(UINT_PTR read_address) 90 | { 91 | T response{}; 92 | NULL_MEMORY instructions; 93 | instructions.pid = process_id; 94 | instructions.size = sizeof(T); 95 | instructions.address = read_address; 96 | instructions.read = TRUE; 97 | instructions.write = FALSE; 98 | instructions.req_base = FALSE; 99 | instructions.draw_box = FALSE; 100 | instructions.output = &response; 101 | call_hook(&instructions); 102 | 103 | return response; 104 | } 105 | 106 | bool write_memory(UINT_PTR write_address, UINT_PTR source_address, SIZE_T write_size) 107 | { 108 | NULL_MEMORY instructions; 109 | instructions.address = write_address; 110 | instructions.pid = process_id; 111 | instructions.write = TRUE; 112 | instructions.read = FALSE; 113 | instructions.req_base = FALSE; 114 | instructions.draw_box = FALSE; 115 | instructions.buffer_address = (void*)source_address; 116 | instructions.size = write_size; 117 | 118 | call_hook(&instructions); 119 | 120 | return true; 121 | } 122 | 123 | bool draw_box(int x, int y, int w, int h, int t, int r, int g, int b) 124 | { 125 | NULL_MEMORY instructions; 126 | instructions.write = FALSE; 127 | instructions.read = FALSE; 128 | instructions.req_base = FALSE; 129 | instructions.draw_box = TRUE; 130 | 131 | instructions.x = x; 132 | instructions.y = y; 133 | instructions.w = w; 134 | instructions.h = h; 135 | instructions.t = t; 136 | 137 | instructions.r = r; 138 | instructions.g = g; 139 | instructions.b = b; 140 | 141 | call_hook(&instructions); 142 | 143 | return true; 144 | } 145 | 146 | template 147 | bool write(UINT_PTR write_address, const S& value) 148 | { 149 | return write_memory(write_address, (UINT_PTR)&value, sizeof(S)); 150 | } 151 | 152 | int main() 153 | { 154 | while (true) 155 | { 156 | draw_box(50, 50, 50, 50, 2, 255, 0, 0); 157 | } 158 | } -------------------------------------------------------------------------------- /KernelCheatYT/definitions.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #pragma comment(lib, "ntoskrnl.lib") 8 | 9 | typedef enum _SYSTEM_INFORMATION_CLASS 10 | { 11 | SystemBasicInformation, 12 | SystemProcessorInformation, 13 | SystemPerformanceInformation, 14 | SystemTimeOfDayInformation, 15 | SystemPathInformation, 16 | SystemProcessInformation, 17 | SystemCallCountInformation, 18 | SystemDeviceInformation, 19 | SystemProcessorPerformanceInformation, 20 | SystemFlagsInformation, 21 | SystemCallTimeInformation, 22 | SystemModuleInformation = 0x0B 23 | } SYSTEM_INFORMATION_CLASS, 24 | * PSYSTEM_INFORMATION_CLASS; 25 | 26 | typedef struct _RTL_PROCESS_MODULE_INFORMATION 27 | { 28 | HANDLE Section; 29 | PVOID MappedBase; 30 | PVOID ImageBase; 31 | ULONG ImageSize; 32 | ULONG Flags; 33 | USHORT LoadOrderIndex; 34 | USHORT InitOrderIndex; 35 | USHORT LoadCount; 36 | USHORT OffsetToFileName; 37 | UCHAR FullPathName[256]; 38 | } RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION; 39 | 40 | typedef struct _RTL_PROCESS_MODULES 41 | { 42 | ULONG NumberOfModules; 43 | RTL_PROCESS_MODULE_INFORMATION Modules[1]; 44 | } RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES; 45 | 46 | typedef struct _PEB_LDR_DATA { 47 | ULONG Length; 48 | BOOLEAN Initialized; 49 | PVOID SsHandle; 50 | LIST_ENTRY ModuleListLoadOrder; 51 | LIST_ENTRY ModuleListMemoryOrder; 52 | LIST_ENTRY ModuleListInitOrder; 53 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 54 | 55 | typedef struct _LDR_DATA_TABLE_ENTRY { 56 | LIST_ENTRY InLoadOrderModuleList; 57 | LIST_ENTRY InMemoryOrderModuleList; 58 | LIST_ENTRY InInitializationOrderModuleList; 59 | PVOID DllBase; 60 | PVOID EntryPoint; 61 | ULONG SizeOfImage; // in bytes 62 | UNICODE_STRING FullDllName; 63 | UNICODE_STRING BaseDllName; 64 | ULONG Flags; // LDR_* 65 | USHORT LoadCount; 66 | USHORT TlsIndex; 67 | LIST_ENTRY HashLinks; 68 | PVOID SectionPointer; 69 | ULONG CheckSum; 70 | ULONG TimeDateStamp; 71 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY; 72 | 73 | typedef struct _RTL_USER_PROCESS_PARAMETERS { 74 | BYTE Reserved1[16]; 75 | PVOID Reserved2[10]; 76 | UNICODE_STRING ImagePathName; 77 | UNICODE_STRING CommandLine; 78 | } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; 79 | 80 | typedef void(__stdcall* PPS_POST_PROCESS_INIT_ROUTINE)(void); // not exported 81 | 82 | typedef struct _PEB { 83 | BYTE Reserved1[2]; 84 | BYTE BeingDebugged; 85 | BYTE Reserved2[1]; 86 | PVOID Reserved3[2]; 87 | PPEB_LDR_DATA Ldr; 88 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 89 | PVOID Reserved4[3]; 90 | PVOID AtlThunkSListPtr; 91 | PVOID Reserved5; 92 | ULONG Reserved6; 93 | PVOID Reserved7; 94 | ULONG Reserved8; 95 | ULONG AtlThunkSListPtr32; 96 | PVOID Reserved9[45]; 97 | BYTE Reserved10[96]; 98 | PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine; 99 | BYTE Reserved11[128]; 100 | PVOID Reserved12[1]; 101 | ULONG SessionId; 102 | } PEB, * PPEB; 103 | 104 | extern "C" __declspec(dllimport) 105 | NTSTATUS NTAPI ZwProtectVirtualMemory( 106 | HANDLE ProcessHandle, 107 | PVOID * BaseAddress, 108 | PULONG ProtectSize, 109 | ULONG NewProtect, 110 | PULONG OldProtect 111 | ); 112 | 113 | extern "C" NTKERNELAPI 114 | PVOID 115 | NTAPI 116 | RtlFindExportedRoutineByName( 117 | _In_ PVOID ImageBase, 118 | _In_ PCCH RoutineNam 119 | ); 120 | 121 | extern "C" NTSTATUS ZwQuerySystemInformation(ULONG InfoClass, PVOID Buffer, ULONG Length, PULONG ReturnLength); 122 | 123 | extern "C" NTKERNELAPI 124 | PPEB 125 | PsGetProcessPeb( 126 | IN PEPROCESS Process 127 | ); 128 | 129 | extern "C" NTSTATUS NTAPI MmCopyVirtualMemory 130 | ( 131 | PEPROCESS SourceProcess, 132 | PVOID SourceAddress, 133 | PEPROCESS TargetProcess, 134 | PVOID TargetAddress, 135 | SIZE_T BufferSize, 136 | KPROCESSOR_MODE PreviousMode, 137 | PSIZE_T ReturnSize 138 | ); 139 | 140 | typedef struct _IMAGE_EXPORT_DIRECTORY { 141 | ULONG Characteristics; 142 | ULONG TimeDateStamp; 143 | USHORT MajorVersion; 144 | USHORT MinorVersion; 145 | ULONG Name; 146 | ULONG Base; 147 | ULONG NumberOfFunctions; 148 | ULONG NumberOfNames; 149 | ULONG AddressOfFunctions; // RVA from base of image 150 | ULONG AddressOfNames; // RVA from base of image 151 | ULONG AddressOfNameOrdinals; // RVA from base of image 152 | } IMAGE_EXPORT_DIRECTORY, * PIMAGE_EXPORT_DIRECTORY; 153 | 154 | extern "C" __declspec(dllimport) 155 | PVOID 156 | NTAPI 157 | RtlImageDirectoryEntryToData( 158 | PVOID ImageBase, 159 | BOOLEAN MappedAsImage, 160 | USHORT DirectoryEntry, 161 | PULONG Size 162 | ); -------------------------------------------------------------------------------- /KernelCheatYT/hook.cpp: -------------------------------------------------------------------------------- 1 | #include "hook.h" 2 | #include 3 | 4 | GdiSelectBrush_t GdiSelectBrush = NULL; 5 | PatBlt_t NtGdiPatBlt = NULL; 6 | NtUserGetDC_t NtUserGetDC = NULL; 7 | NtGdiCreateSolidBrush_t NtGdiCreateSolidBrush = NULL; 8 | ReleaseDC_t NtUserReleaseDC = NULL; 9 | DeleteObjectApp_t NtGdiDeleteObjectApp = NULL; 10 | 11 | bool nullhook::call_kernel_function(void* kernel_function_address) 12 | { 13 | if (!kernel_function_address) 14 | return false; 15 | //NtQueryCompositionSurfaceStatistics 16 | PVOID* function = reinterpret_cast(get_system_module_export("\\SystemRoot\\System32\\drivers\\dxgkrnl.sys", 17 | "NtDxgkGetTrackedWorkloadStatistics")); 18 | 19 | if (!function) 20 | return false; 21 | 22 | BYTE orig[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 23 | 24 | BYTE shell_code[] = { 0x48, 0xB8 }; // mov rax, xxx 25 | BYTE shell_code_end[] = { 0xFF, 0xE0 }; //jmp rax 26 | 27 | RtlSecureZeroMemory(&orig, sizeof(orig)); 28 | memcpy((PVOID)((ULONG_PTR)orig), &shell_code, sizeof(shell_code)); 29 | uintptr_t hook_address = reinterpret_cast(kernel_function_address); 30 | memcpy((PVOID)((ULONG_PTR)orig + sizeof(shell_code)), &hook_address, sizeof(void*)); 31 | memcpy((PVOID)((ULONG_PTR)orig + sizeof(shell_code) + sizeof(void*)), &shell_code_end, sizeof(shell_code_end)); 32 | 33 | write_to_read_only_memory(function, &orig, sizeof(orig)); 34 | 35 | GdiSelectBrush = (GdiSelectBrush_t)get_system_module_export(L"win32kfull.sys", "NtGdiSelectBrush"); 36 | NtGdiCreateSolidBrush = (NtGdiCreateSolidBrush_t)get_system_module_export(L"win32kfull.sys", "NtGdiCreateSolidBrush"); 37 | NtGdiPatBlt = (PatBlt_t)get_system_module_export(L"win32kfull.sys", "NtGdiPatBlt"); 38 | NtUserGetDC = (NtUserGetDC_t)get_system_module_export(L"win32kbase.sys", "NtUserGetDC"); 39 | NtUserReleaseDC = (ReleaseDC_t)get_system_module_export(L"win32kbase.sys", "NtUserReleaseDC"); 40 | NtGdiDeleteObjectApp = (DeleteObjectApp_t)get_system_module_export(L"win32kbase.sys", "NtGdiDeleteObjectApp"); 41 | 42 | return true; 43 | } 44 | 45 | NTSTATUS nullhook::hook_handler(PVOID called_param) 46 | { 47 | NULL_MEMORY* instructions = (NULL_MEMORY*)called_param; 48 | 49 | if (instructions->req_base == TRUE) 50 | { 51 | ANSI_STRING AS; 52 | UNICODE_STRING ModuleName; 53 | 54 | RtlInitAnsiString(&AS, instructions->module_name); 55 | RtlAnsiStringToUnicodeString(&ModuleName, &AS, TRUE); 56 | 57 | PEPROCESS process; 58 | PsLookupProcessByProcessId((HANDLE)instructions->pid, &process); 59 | ULONG64 base_address64 = NULL; 60 | base_address64 = get_module_base_x64(process, ModuleName); 61 | instructions->base_address = base_address64; 62 | RtlFreeUnicodeString(&ModuleName); 63 | } 64 | 65 | else if (instructions->write == TRUE) 66 | { 67 | if (instructions->address < 0x7FFFFFFFFFFF && instructions->address > 0) 68 | { 69 | PVOID kernelBuff = ExAllocatePool(NonPagedPool, instructions->size); 70 | 71 | if (!kernelBuff) 72 | { 73 | return STATUS_UNSUCCESSFUL; 74 | } 75 | 76 | if (!memcpy(kernelBuff, instructions->buffer_address, instructions->size)) 77 | { 78 | return STATUS_UNSUCCESSFUL; 79 | } 80 | 81 | PEPROCESS process; 82 | PsLookupProcessByProcessId((HANDLE)instructions->pid, &process); 83 | write_kernel_memory((HANDLE)instructions->pid, instructions->address, kernelBuff, instructions->size); 84 | ExFreePool(kernelBuff); 85 | } 86 | } 87 | 88 | else if (instructions->read == TRUE) 89 | { 90 | if (instructions->address < 0x7FFFFFFFFFFF && instructions->address > 0) 91 | { 92 | read_kernel_memory((HANDLE)instructions->pid, instructions->address, instructions->output, instructions->size); 93 | } 94 | } 95 | 96 | else if (instructions->draw_box == TRUE) 97 | { 98 | HDC hdc = NtUserGetDC(NULL); 99 | if (!hdc) 100 | return STATUS_UNSUCCESSFUL; 101 | 102 | HBRUSH brush = NtGdiCreateSolidBrush(RGB(instructions->r, instructions->g, instructions->b), NULL); 103 | if (!brush) 104 | return STATUS_UNSUCCESSFUL; 105 | 106 | RECT rect = { instructions->x, instructions->y, instructions->x + instructions->w, instructions->y + instructions->h }; 107 | FrameRect(hdc, &rect, brush, instructions->t); 108 | NtUserReleaseDC(hdc); 109 | NtGdiDeleteObjectApp(brush); 110 | } 111 | 112 | return STATUS_SUCCESS; 113 | } 114 | 115 | INT nullhook::FrameRect(HDC hDC, CONST RECT* lprc, HBRUSH hbr, int thickness) 116 | { 117 | HBRUSH oldbrush; 118 | RECT r = *lprc; 119 | 120 | if (!(oldbrush = GdiSelectBrush(hDC, hbr))) return 0; 121 | 122 | NtGdiPatBlt(hDC, r.left, r.top, thickness, r.bottom - r.top, PATCOPY); 123 | NtGdiPatBlt(hDC, r.right - thickness, r.top, thickness, r.bottom - r.top, PATCOPY); 124 | NtGdiPatBlt(hDC, r.left, r.top, r.right - r.left, thickness, PATCOPY); 125 | NtGdiPatBlt(hDC, r.left, r.bottom - thickness, r.right - r.left, thickness, PATCOPY); 126 | 127 | GdiSelectBrush(hDC, oldbrush); 128 | return TRUE; 129 | } -------------------------------------------------------------------------------- /KernelCheatYT/memory.cpp: -------------------------------------------------------------------------------- 1 | #include "memory.h" 2 | 3 | PVOID get_system_module_base(const char* module_name) 4 | { 5 | ULONG bytes = 0; 6 | NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, NULL, bytes, &bytes); 7 | 8 | if (!bytes) 9 | return NULL; 10 | 11 | PRTL_PROCESS_MODULES modules = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, bytes, 0x4e554c4c); 12 | 13 | status = ZwQuerySystemInformation(SystemModuleInformation, modules, bytes, &bytes); 14 | 15 | if (!NT_SUCCESS(status)) 16 | return NULL; 17 | 18 | PRTL_PROCESS_MODULE_INFORMATION module = modules->Modules; 19 | PVOID module_base = 0, module_size = 0; 20 | 21 | for (ULONG i = 0; i < modules->NumberOfModules; i++) 22 | { 23 | if (strcmp((char*)module[i].FullPathName, module_name) == NULL) 24 | { 25 | module_base = module[i].ImageBase; 26 | module_size = (PVOID)module[i].ImageSize; 27 | break; 28 | } 29 | } 30 | 31 | if (modules) 32 | ExFreePoolWithTag(modules, NULL); 33 | 34 | if (module_base <= NULL) 35 | return NULL; 36 | 37 | return module_base; 38 | } 39 | 40 | PVOID get_system_module_export(const char* module_name, LPCSTR routine_name) 41 | { 42 | PVOID lpModule = get_system_module_base(module_name); 43 | 44 | if (!lpModule) 45 | return NULL; 46 | 47 | return RtlFindExportedRoutineByName(lpModule, routine_name); 48 | } 49 | 50 | PVOID get_system_routine_address(PCWSTR routine_name) 51 | { 52 | UNICODE_STRING name; 53 | RtlInitUnicodeString(&name, routine_name); 54 | return MmGetSystemRoutineAddress(&name); 55 | } 56 | 57 | PVOID get_system_module_export(LPCWSTR module_name, LPCSTR routine_name) 58 | { 59 | PLIST_ENTRY module_list = reinterpret_cast(get_system_routine_address(L"PsLoadedModuleList")); 60 | 61 | if (!module_list) 62 | return NULL; 63 | 64 | for (PLIST_ENTRY link = module_list; link != module_list->Blink; link = link->Flink) 65 | { 66 | LDR_DATA_TABLE_ENTRY* entry = CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList); 67 | 68 | UNICODE_STRING name; 69 | RtlInitUnicodeString(&name, module_name); 70 | 71 | if (RtlEqualUnicodeString(&entry->BaseDllName, &name, TRUE)) 72 | { 73 | return (entry->DllBase) ? RtlFindExportedRoutineByName(entry->DllBase, routine_name) : NULL; 74 | } 75 | } 76 | } 77 | 78 | bool write_memory(void* address, void* buffer, size_t size) 79 | { 80 | if (!RtlCopyMemory(address, buffer, size)) 81 | { 82 | return false; 83 | } 84 | else 85 | { 86 | return true; 87 | } 88 | } 89 | 90 | bool write_to_read_only_memory(void* address, void* buffer, size_t size) 91 | { 92 | PMDL Mdl = IoAllocateMdl(address, size, FALSE, FALSE, NULL); 93 | 94 | if (!Mdl) 95 | return false; 96 | 97 | MmProbeAndLockPages(Mdl, KernelMode, IoReadAccess); 98 | PVOID Mapping = MmMapLockedPagesSpecifyCache(Mdl, KernelMode, MmNonCached, NULL, FALSE, NormalPagePriority); 99 | MmProtectMdlSystemAddress(Mdl, PAGE_READWRITE); 100 | 101 | write_memory(Mapping, buffer, size); 102 | 103 | MmUnmapLockedPages(Mapping, Mdl); 104 | MmUnlockPages(Mdl); 105 | IoFreeMdl(Mdl); 106 | 107 | return true; 108 | } 109 | 110 | ULONG64 get_module_base_x64(PEPROCESS proc, UNICODE_STRING module_name) 111 | { 112 | PPEB pPeb = PsGetProcessPeb(proc); 113 | 114 | if (!pPeb) 115 | { 116 | return NULL; 117 | } 118 | 119 | KAPC_STATE state; 120 | 121 | KeStackAttachProcess(proc, &state); 122 | 123 | PPEB_LDR_DATA pLdr = (PPEB_LDR_DATA)pPeb->Ldr; 124 | 125 | if (!pLdr) 126 | { 127 | KeUnstackDetachProcess(&state); 128 | return NULL; 129 | } 130 | 131 | for (PLIST_ENTRY list = (PLIST_ENTRY)pLdr->ModuleListLoadOrder.Flink; list != &pLdr->ModuleListLoadOrder; list = (PLIST_ENTRY)list->Flink) 132 | { 133 | PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(list, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList); 134 | 135 | if (RtlCompareUnicodeString(&pEntry->BaseDllName, &module_name, TRUE) == NULL) 136 | { 137 | ULONG64 baseAddr = (ULONG64)pEntry->DllBase; 138 | KeUnstackDetachProcess(&state); 139 | return baseAddr; 140 | } 141 | } 142 | 143 | KeUnstackDetachProcess(&state); 144 | return NULL; 145 | } 146 | 147 | bool read_kernel_memory(HANDLE pid, uintptr_t address, void* buffer, SIZE_T size) 148 | { 149 | if (!address || !buffer || !size) 150 | return false; 151 | 152 | SIZE_T bytes = 0; 153 | NTSTATUS status = STATUS_SUCCESS; 154 | PEPROCESS process; 155 | PsLookupProcessByProcessId((HANDLE)pid, &process); 156 | 157 | status = MmCopyVirtualMemory(process, (void*)address, (PEPROCESS)PsGetCurrentProcess(), (void*)buffer, size, KernelMode, &bytes); 158 | 159 | if (!NT_SUCCESS(status)) 160 | { 161 | return false; 162 | } 163 | else 164 | { 165 | return true; 166 | } 167 | } 168 | 169 | bool write_kernel_memory(HANDLE pid, uintptr_t address, void* buffer, SIZE_T size) 170 | { 171 | if (!address || !buffer || !size) 172 | return false; 173 | 174 | NTSTATUS status = STATUS_SUCCESS; 175 | PEPROCESS process; 176 | PsLookupProcessByProcessId((HANDLE)pid, &process); 177 | 178 | KAPC_STATE state; 179 | KeStackAttachProcess((PEPROCESS)process, &state); 180 | 181 | MEMORY_BASIC_INFORMATION info; 182 | 183 | status = ZwQueryVirtualMemory(ZwCurrentProcess(), (PVOID)address, MemoryBasicInformation, &info, sizeof(info), NULL); 184 | if (!NT_SUCCESS(status)) 185 | { 186 | KeUnstackDetachProcess(&state); 187 | return false; 188 | } 189 | 190 | if (((uintptr_t)info.BaseAddress + info.RegionSize) < (address + size)) 191 | { 192 | KeUnstackDetachProcess(&state); 193 | return false; 194 | } 195 | 196 | if (!(info.State & MEM_COMMIT) || (info.Protect & (PAGE_GUARD | PAGE_NOACCESS))) 197 | { 198 | KeUnstackDetachProcess(&state); 199 | return false; 200 | } 201 | 202 | if ((info.Protect & PAGE_EXECUTE_READWRITE) || (info.Protect & PAGE_EXECUTE_WRITECOPY) 203 | || (info.Protect & PAGE_READWRITE) || (info.Protect & PAGE_WRITECOPY)) 204 | { 205 | RtlCopyMemory((void*)address, buffer, size); 206 | } 207 | KeUnstackDetachProcess(&state); 208 | return true; 209 | } -------------------------------------------------------------------------------- /KernelCheatUM/KernelCheatUM.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | {64DE4F42-B12F-431D-89D5-89F8C41249B5} 24 | KernelCheatUM 25 | 10.0 26 | 27 | 28 | 29 | Application 30 | true 31 | v143 32 | Unicode 33 | 34 | 35 | Application 36 | false 37 | v143 38 | true 39 | Unicode 40 | 41 | 42 | Application 43 | true 44 | v143 45 | Unicode 46 | 47 | 48 | Application 49 | false 50 | v143 51 | true 52 | NotSet 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | true 74 | 75 | 76 | true 77 | 78 | 79 | false 80 | 81 | 82 | false 83 | 84 | 85 | 86 | Level3 87 | true 88 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 89 | true 90 | stdcpp17 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 102 | true 103 | stdcpp17 104 | stdc17 105 | 106 | 107 | Console 108 | true 109 | 110 | 111 | 112 | 113 | Level3 114 | true 115 | true 116 | true 117 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | true 124 | true 125 | 126 | 127 | 128 | 129 | Level3 130 | true 131 | true 132 | true 133 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 134 | true 135 | stdcpplatest 136 | 137 | 138 | Console 139 | true 140 | true 141 | true 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Ll]og/ 33 | [Ll]ogs/ 34 | 35 | # Visual Studio 2015/2017 cache/options directory 36 | .vs/ 37 | # Uncomment if you have tasks that create the project's static files in wwwroot 38 | #wwwroot/ 39 | 40 | # Visual Studio 2017 auto generated files 41 | Generated\ Files/ 42 | 43 | # MSTest test Results 44 | [Tt]est[Rr]esult*/ 45 | [Bb]uild[Ll]og.* 46 | 47 | # NUnit 48 | *.VisualState.xml 49 | TestResult.xml 50 | nunit-*.xml 51 | 52 | # Build Results of an ATL Project 53 | [Dd]ebugPS/ 54 | [Rr]eleasePS/ 55 | dlldata.c 56 | 57 | # Benchmark Results 58 | BenchmarkDotNet.Artifacts/ 59 | 60 | # .NET Core 61 | project.lock.json 62 | project.fragment.lock.json 63 | artifacts/ 64 | 65 | # ASP.NET Scaffolding 66 | ScaffoldingReadMe.txt 67 | 68 | # StyleCop 69 | StyleCopReport.xml 70 | 71 | # Files built by Visual Studio 72 | *_i.c 73 | *_p.c 74 | *_h.h 75 | *.ilk 76 | *.meta 77 | *.obj 78 | *.iobj 79 | *.pch 80 | *.pdb 81 | *.ipdb 82 | *.pgc 83 | *.pgd 84 | *.rsp 85 | *.sbr 86 | *.tlb 87 | *.tli 88 | *.tlh 89 | *.tmp 90 | *.tmp_proj 91 | *_wpftmp.csproj 92 | *.log 93 | *.tlog 94 | *.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*.json 147 | coverage*.xml 148 | coverage*.info 149 | 150 | # Visual Studio code coverage results 151 | *.coverage 152 | *.coveragexml 153 | 154 | # NCrunch 155 | _NCrunch_* 156 | .*crunch*.local.xml 157 | nCrunchTemp_* 158 | 159 | # MightyMoose 160 | *.mm.* 161 | AutoTest.Net/ 162 | 163 | # Web workbench (sass) 164 | .sass-cache/ 165 | 166 | # Installshield output folder 167 | [Ee]xpress/ 168 | 169 | # DocProject is a documentation generator add-in 170 | DocProject/buildhelp/ 171 | DocProject/Help/*.HxT 172 | DocProject/Help/*.HxC 173 | DocProject/Help/*.hhc 174 | DocProject/Help/*.hhk 175 | DocProject/Help/*.hhp 176 | DocProject/Help/Html2 177 | DocProject/Help/html 178 | 179 | # Click-Once directory 180 | publish/ 181 | 182 | # Publish Web Output 183 | *.[Pp]ublish.xml 184 | *.azurePubxml 185 | # Note: Comment the next line if you want to checkin your web deploy settings, 186 | # but database connection strings (with potential passwords) will be unencrypted 187 | *.pubxml 188 | *.publishproj 189 | 190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 191 | # checkin your Azure Web App publish settings, but sensitive information contained 192 | # in these scripts will be unencrypted 193 | PublishScripts/ 194 | 195 | # NuGet Packages 196 | *.nupkg 197 | # NuGet Symbol Packages 198 | *.snupkg 199 | # The packages folder can be ignored because of Package Restore 200 | **/[Pp]ackages/* 201 | # except build/, which is used as an MSBuild target. 202 | !**/[Pp]ackages/build/ 203 | # Uncomment if necessary however generally it will be regenerated when needed 204 | #!**/[Pp]ackages/repositories.config 205 | # NuGet v3's project.json files produces more ignorable files 206 | *.nuget.props 207 | *.nuget.targets 208 | 209 | # Microsoft Azure Build Output 210 | csx/ 211 | *.build.csdef 212 | 213 | # Microsoft Azure Emulator 214 | ecf/ 215 | rcf/ 216 | 217 | # Windows Store app package directories and files 218 | AppPackages/ 219 | BundleArtifacts/ 220 | Package.StoreAssociation.xml 221 | _pkginfo.txt 222 | *.appx 223 | *.appxbundle 224 | *.appxupload 225 | 226 | # Visual Studio cache files 227 | # files ending in .cache can be ignored 228 | *.[Cc]ache 229 | # but keep track of directories ending in .cache 230 | !?*.[Cc]ache/ 231 | 232 | # Others 233 | ClientBin/ 234 | ~$* 235 | *~ 236 | *.dbmdl 237 | *.dbproj.schemaview 238 | *.jfm 239 | *.pfx 240 | *.publishsettings 241 | orleans.codegen.cs 242 | 243 | # Including strong name files can present a security risk 244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 245 | #*.snk 246 | 247 | # Since there are multiple workflows, uncomment next line to ignore bower_components 248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 249 | #bower_components/ 250 | 251 | # RIA/Silverlight projects 252 | Generated_Code/ 253 | 254 | # Backup & report files from converting an old project file 255 | # to a newer Visual Studio version. Backup files are not needed, 256 | # because we have git ;-) 257 | _UpgradeReport_Files/ 258 | Backup*/ 259 | UpgradeLog*.XML 260 | UpgradeLog*.htm 261 | ServiceFabricBackup/ 262 | *.rptproj.bak 263 | 264 | # SQL Server files 265 | *.mdf 266 | *.ldf 267 | *.ndf 268 | 269 | # Business Intelligence projects 270 | *.rdl.data 271 | *.bim.layout 272 | *.bim_*.settings 273 | *.rptproj.rsuser 274 | *- [Bb]ackup.rdl 275 | *- [Bb]ackup ([0-9]).rdl 276 | *- [Bb]ackup ([0-9][0-9]).rdl 277 | 278 | # Microsoft Fakes 279 | FakesAssemblies/ 280 | 281 | # GhostDoc plugin setting file 282 | *.GhostDoc.xml 283 | 284 | # Node.js Tools for Visual Studio 285 | .ntvs_analysis.dat 286 | node_modules/ 287 | 288 | # Visual Studio 6 build log 289 | *.plg 290 | 291 | # Visual Studio 6 workspace options file 292 | *.opt 293 | 294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 295 | *.vbw 296 | 297 | # Visual Studio 6 auto-generated project file (contains which files were open etc.) 298 | *.vbp 299 | 300 | # Visual Studio 6 workspace and project file (working project files containing files to include in project) 301 | *.dsw 302 | *.dsp 303 | 304 | # Visual Studio 6 technical files 305 | *.ncb 306 | *.aps 307 | 308 | # Visual Studio LightSwitch build output 309 | **/*.HTMLClient/GeneratedArtifacts 310 | **/*.DesktopClient/GeneratedArtifacts 311 | **/*.DesktopClient/ModelManifest.xml 312 | **/*.Server/GeneratedArtifacts 313 | **/*.Server/ModelManifest.xml 314 | _Pvt_Extensions 315 | 316 | # Paket dependency manager 317 | .paket/paket.exe 318 | paket-files/ 319 | 320 | # FAKE - F# Make 321 | .fake/ 322 | 323 | # CodeRush personal settings 324 | .cr/personal 325 | 326 | # Python Tools for Visual Studio (PTVS) 327 | __pycache__/ 328 | *.pyc 329 | 330 | # Cake - Uncomment if you are using it 331 | # tools/** 332 | # !tools/packages.config 333 | 334 | # Tabs Studio 335 | *.tss 336 | 337 | # Telerik's JustMock configuration file 338 | *.jmconfig 339 | 340 | # BizTalk build output 341 | *.btp.cs 342 | *.btm.cs 343 | *.odx.cs 344 | *.xsd.cs 345 | 346 | # OpenCover UI analysis results 347 | OpenCover/ 348 | 349 | # Azure Stream Analytics local run output 350 | ASALocalRun/ 351 | 352 | # MSBuild Binary and Structured Log 353 | *.binlog 354 | 355 | # NVidia Nsight GPU debugger configuration file 356 | *.nvuser 357 | 358 | # MFractors (Xamarin productivity tool) working folder 359 | .mfractor/ 360 | 361 | # Local History for Visual Studio 362 | .localhistory/ 363 | 364 | # Visual Studio History (VSHistory) files 365 | .vshistory/ 366 | 367 | # BeatPulse healthcheck temp database 368 | healthchecksdb 369 | 370 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 371 | MigrationBackup/ 372 | 373 | # Ionide (cross platform F# VS Code tools) working folder 374 | .ionide/ 375 | 376 | # Fody - auto-generated XML schema 377 | FodyWeavers.xsd 378 | 379 | # VS Code files for those working on multiple tools 380 | .vscode/* 381 | !.vscode/settings.json 382 | !.vscode/tasks.json 383 | !.vscode/launch.json 384 | !.vscode/extensions.json 385 | *.code-workspace 386 | 387 | # Local History for Visual Studio Code 388 | .history/ 389 | 390 | # Windows Installer files from build outputs 391 | *.cab 392 | *.msi 393 | *.msix 394 | *.msm 395 | *.msp 396 | 397 | # JetBrains Rider 398 | *.sln.iml 399 | >>>>>>> b3e84dbb8653c28d127cd6900c51cb2c0ec66fd7 400 | -------------------------------------------------------------------------------- /KernelCheatYT/KernelCheatYT.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | Debug 22 | ARM 23 | 24 | 25 | Release 26 | ARM 27 | 28 | 29 | Debug 30 | ARM64 31 | 32 | 33 | Release 34 | ARM64 35 | 36 | 37 | 38 | {59AD331E-D3D4-46C4-8759-4A02AB42353A} 39 | {1bc93793-694f-48fe-9372-81e2b05556fd} 40 | v4.5 41 | 12.0 42 | Debug 43 | Win32 44 | KernelCheatYT 45 | 10.0 46 | 47 | 48 | 49 | Windows10 50 | true 51 | WindowsKernelModeDriver10.0 52 | Driver 53 | KMDF 54 | Universal 55 | 56 | 57 | Windows10 58 | false 59 | WindowsKernelModeDriver10.0 60 | Driver 61 | KMDF 62 | Universal 63 | 64 | 65 | Windows10 66 | true 67 | WindowsKernelModeDriver10.0 68 | Driver 69 | KMDF 70 | Universal 71 | 72 | 73 | Windows10 74 | false 75 | WindowsKernelModeDriver10.0 76 | Driver 77 | KMDF 78 | Universal 79 | 80 | 81 | Windows10 82 | true 83 | WindowsKernelModeDriver10.0 84 | Driver 85 | KMDF 86 | Universal 87 | 88 | 89 | Windows10 90 | false 91 | WindowsKernelModeDriver10.0 92 | Driver 93 | KMDF 94 | Universal 95 | 96 | 97 | Windows10 98 | true 99 | WindowsKernelModeDriver10.0 100 | Driver 101 | KMDF 102 | Universal 103 | 104 | 105 | Windows10 106 | false 107 | WindowsKernelModeDriver10.0 108 | Driver 109 | KMDF 110 | Universal 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | DbgengKernelDebugger 122 | 123 | 124 | DbgengKernelDebugger 125 | 126 | 127 | DbgengKernelDebugger 128 | 129 | 130 | DbgengKernelDebugger 131 | false 132 | $(IncludePath);$(WindowsSDK_IncludePath);$(KMDF_INC_PATH)$(KMDF_VER_PATH) 133 | 134 | 135 | DbgengKernelDebugger 136 | 137 | 138 | DbgengKernelDebugger 139 | 140 | 141 | DbgengKernelDebugger 142 | 143 | 144 | DbgengKernelDebugger 145 | 146 | 147 | 148 | DriverEntry 149 | 150 | 151 | false 152 | 153 | 154 | 155 | 156 | stdcpp17 157 | 158 | 159 | 160 | 161 | stdc17 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | --------------------------------------------------------------------------------