├── README.md ├── kernel mode ├── driver.cpp ├── driver.vcxproj ├── driver.vcxproj.filters ├── driver.vcxproj.user └── x64 │ └── intermediates │ └── driver │ ├── driver.log │ ├── driver.obj │ ├── driver.sys.recipe │ ├── driver.tlog │ ├── CL.command.1.tlog │ ├── CL.read.1.tlog │ ├── CL.write.1.tlog │ ├── Cl.items.tlog │ ├── driver.lastbuildstate │ ├── link.command.1.tlog │ ├── link.read.1.tlog │ ├── link.secondary.1.tlog │ └── link.write.1.tlog │ └── vc143.pdb ├── payson drv.sln └── usermode ├── driver.h ├── main.cpp ├── usermode.vcxproj ├── usermode.vcxproj.filters ├── usermode.vcxproj.user └── x64 └── intermediates └── usermode ├── main.obj ├── usermode.exe.recipe ├── usermode.iobj ├── usermode.ipdb ├── usermode.log ├── usermode.tlog ├── CL.command.1.tlog ├── CL.read.1.tlog ├── CL.write.1.tlog ├── Cl.items.tlog ├── link.command.1.tlog ├── link.read.1.tlog ├── link.secondary.1.tlog ├── link.write.1.tlog └── usermode.lastbuildstate └── vc143.pdb /README.md: -------------------------------------------------------------------------------- 1 | # Payson Driver 2 | 3 | IOCTL cheat driver base that has cr3 decryption for eac. 4 | 5 | This was made for fn (EAC/BE) but can be used as a base for other games. This utilizes MmCopyMemory for reading and memcpy for writing. This is great for a free cheat or learning kernel. 6 | 7 | ## You need the WDK installed to build and not get errors! 
8 | 9 | # Credits 10 | 11 | Made by [Payson](https://github.com/paysonism) - [Saturn IV](https://discord.gg/saturniv) 12 | -------------------------------------------------------------------------------- /kernel mode/driver.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | UNICODE_STRING name, link; 5 | 6 | typedef struct _SYSTEM_BIGPOOL_ENTRY { 7 | PVOID VirtualAddress; 8 | ULONG_PTR NonPaged : 1; 9 | ULONG_PTR SizeInBytes; 10 | UCHAR Tag[4]; 11 | } SYSTEM_BIGPOOL_ENTRY, * PSYSTEM_BIGPOOL_ENTRY; 12 | 13 | typedef struct _SYSTEM_BIGPOOL_INFORMATION { 14 | ULONG Count; 15 | SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1]; // Flexible array member, adjust as needed 16 | } SYSTEM_BIGPOOL_INFORMATION, * PSYSTEM_BIGPOOL_INFORMATION; 17 | 18 | typedef enum _SYSTEM_INFORMATION_CLASS { 19 | SystemBigPoolInformation = 0x42, 20 | } SYSTEM_INFORMATION_CLASS; 21 | 22 | extern "C" NTSTATUS NTAPI IoCreateDriver(PUNICODE_STRING DriverName, PDRIVER_INITIALIZE InitializationFunction); 23 | extern "C" PVOID NTAPI PsGetProcessSectionBaseAddress(PEPROCESS Process); 24 | extern "C" NTSTATUS NTAPI ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS systemInformationClass, PVOID systemInformation, ULONG systemInformationLength, PULONG returnLength); 25 | 26 | #define code_rw CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1645, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 27 | #define code_ba CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1646, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 28 | #define code_get_guarded_region CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1647, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 29 | #define code_security 0x85b3b69 30 | #define win_1803 17134 31 | #define win_1809 17763 32 | #define win_1903 18362 33 | #define win_1909 18363 34 | #define win_2004 19041 35 | #define win_20H2 19569 36 | #define win_21H1 20180 37 | 38 | #define PAGE_OFFSET_SIZE 12 39 | static const UINT64 PMASK = (~0xfull << 8) & 0xfffffffffull; 40 | 41 | typedef struct _rw { 42 | INT32 
security; 43 | INT32 process_id; 44 | ULONGLONG address; 45 | ULONGLONG buffer; 46 | ULONGLONG size; 47 | BOOLEAN write; 48 | } rw, * prw; 49 | 50 | typedef struct _ba { 51 | INT32 security; 52 | INT32 process_id; 53 | ULONGLONG* address; 54 | } ba, * pba; 55 | 56 | typedef struct _ga { 57 | INT32 security; 58 | ULONGLONG* address; 59 | } ga, * pga; 60 | 61 | 62 | /* read: copies `size` bytes from the physical address held in target_address into `buffer` using MmCopyMemory with MM_COPY_MEMORY_PHYSICAL and returns its NTSTATUS. NOTE(review): target_address, buffer and size are used exactly as passed; nothing is validated in this function, and frw passes values taken from the IOCTL request. */ NTSTATUS read(PVOID target_address, PVOID buffer, SIZE_T size, SIZE_T* bytes_read) { 63 | MM_COPY_ADDRESS to_read = { 0 }; 64 | to_read.PhysicalAddress.QuadPart = (LONGLONG)target_address; 65 | // return MmCopyMemory(buffer, to_read, size, MM_COPY_MEMORY_VIRTUAL, bytes_read); // read virtual (doesnt work) 66 | return MmCopyMemory(buffer, to_read, size, MM_COPY_MEMORY_PHYSICAL, bytes_read); // read physical 67 | } 68 | 69 | /* write: maps `size` bytes of physical memory at target_address with MmMapIoSpaceEx(PAGE_READWRITE), memcpy's `buffer` into the mapping, sets *bytes_read to size and unmaps. Returns STATUS_UNSUCCESSFUL for a zero address or a failed mapping. NOTE(review): `buffer` and `size` are not validated here; in frw both originate from the caller's request, so this is an unchecked physical-memory write reachable from user mode. */ NTSTATUS write(PVOID target_address, PVOID buffer, SIZE_T size, SIZE_T* bytes_read) 70 | { 71 | if (!target_address) 72 | return STATUS_UNSUCCESSFUL; 73 | 74 | PHYSICAL_ADDRESS AddrToWrite = { 0 }; 75 | AddrToWrite.QuadPart = LONGLONG(target_address); 76 | 77 | PVOID pmapped_mem = MmMapIoSpaceEx(AddrToWrite, size, PAGE_READWRITE); 78 | 79 | if (!pmapped_mem) 80 | return STATUS_UNSUCCESSFUL; 81 | 82 | memcpy(pmapped_mem, buffer, size); 83 | 84 | *bytes_read = size; 85 | MmUnmapIoSpace(pmapped_mem, size); 86 | return STATUS_SUCCESS; 87 | } 88 | 89 | /* get_winver: returns a per-build constant selected by RtlGetVersion's dwBuildNumber (0x0278, 0x0280 or 0x0388; 0x0388 for any unlisted build). get_process_cr3 adds the result to the EPROCESS pointer as a byte offset. NOTE(review): the RtlGetVersion status is ignored and ver.dwOSVersionInfoSize is left at 0. */ INT32 get_winver() { 90 | RTL_OSVERSIONINFOW ver = { 0 }; 91 | RtlGetVersion(&ver); 92 | switch (ver.dwBuildNumber) 93 | { 94 | case win_1803: 95 | return 0x0278; 96 | break; 97 | case win_1809: 98 | return 0x0278; 99 | break; 100 | case win_1903: 101 | return 0x0280; 102 | break; 103 | case win_1909: 104 | return 0x0280; 105 | break; 106 | case win_2004: 107 | return 0x0388; 108 | break; 109 | case win_20H2: 110 | return 0x0388; 111 | break; 112 | case win_21H1: 113 | return 0x0388; 114 | break; 115 | default: 116 | return 0x0388; 117 | } 118 | } 119 | 120 | /* get_process_cr3: reads a pointer-sized value at EPROCESS+0x28 and, when that is zero, at EPROCESS+get_winver(); frw uses the result as the table root passed to translate_linear. NOTE(review): both offsets are hard-coded into an opaque kernel structure, so on a build where the layout differs this dereferences unrelated kernel memory. */ UINT64 get_process_cr3(const PEPROCESS pProcess) { 121 | PUCHAR process =
(PUCHAR)pProcess; 122 | ULONG_PTR process_dirbase = *(PULONG_PTR)(process + 0x28); 123 | 124 | if (process_dirbase == 0) { 125 | INT32 UserDirOffset = get_winver(); 126 | 127 | ULONG_PTR process_userdirbase = *(PULONG_PTR)(process + UserDirOffset); 128 | return process_userdirbase; 129 | } 130 | 131 | return process_dirbase; 132 | } 133 | 134 | /* translate_linear: resolves virtualAddress to a physical address by reading one 8-byte table entry per level through read(), starting at directoryTableBase; the indexes are the 9-bit fields at bits 39, 30, 21 and 12 of the address. Returns 0 when an entry has bit 0 clear or the final frame is 0; an entry with bit 0x80 set returns early with a larger in-page offset. NOTE(review): the NTSTATUS of every read() is discarded; a failed read leaves the entry at its zero initialiser, which then takes the bit-0-clear return path. */ UINT64 translate_linear(UINT64 directoryTableBase, UINT64 virtualAddress) { 135 | directoryTableBase &= ~0xf; 136 | 137 | UINT64 pageOffset = virtualAddress & ~(~0ul << PAGE_OFFSET_SIZE); 138 | UINT64 pte = ((virtualAddress >> 12) & (0x1ffll)); 139 | UINT64 pt = ((virtualAddress >> 21) & (0x1ffll)); 140 | UINT64 pd = ((virtualAddress >> 30) & (0x1ffll)); 141 | UINT64 pdp = ((virtualAddress >> 39) & (0x1ffll)); 142 | 143 | SIZE_T readsize = 0; 144 | UINT64 pdpe = 0; 145 | read(PVOID(directoryTableBase + 8 * pdp), &pdpe, sizeof(pdpe), &readsize); 146 | if (~pdpe & 1) 147 | return 0; 148 | 149 | UINT64 pde = 0; 150 | read(PVOID((pdpe & PMASK) + 8 * pd), &pde, sizeof(pde), &readsize); 151 | if (~pde & 1) 152 | return 0; 153 | 154 | if (pde & 0x80) 155 | return (pde & (~0ull << 42 >> 12)) + (virtualAddress & ~(~0ull << 30)); 156 | 157 | UINT64 pteAddr = 0; 158 | read(PVOID((pde & PMASK) + 8 * pt), &pteAddr, sizeof(pteAddr), &readsize); 159 | if (~pteAddr & 1) 160 | return 0; 161 | 162 | if (pteAddr & 0x80) 163 | return (pteAddr & PMASK) + (virtualAddress & ~(~0ull << 21)); 164 | 165 | virtualAddress = 0; 166 | read(PVOID((pteAddr & PMASK) + 8 * pte), &virtualAddress, sizeof(virtualAddress), &readsize); 167 | virtualAddress &= PMASK; 168 | 169 | if (!virtualAddress) 170 | return 0; 171 | 172 | return virtualAddress + pageOffset; 173 | } 174 | 175 | /* find_min: returns the smaller of g and f after narrowing f to INT32. NOTE(review): the (INT32) cast truncates the SIZE_T argument, and the signed minimum is then widened to ULONG64; a size with bit 31 set becomes negative, wins the comparison and converts to a very large unsigned value. frw feeds the request's size field through this function. */ ULONG64 find_min(INT32 g, SIZE_T f) { 176 | INT32 h = (INT32)f; 177 | ULONG64 result = 0; 178 | 179 | result = (((g) < (h)) ?
(g) : (h)); 180 | 181 | return result; 182 | } 183 | 184 | /* frw: handler for code_rw. Rejects the request unless x->security equals the compile-time constant code_security and process_id is non-zero, resolves the process, translates x->address through that process's table root, and performs one read() or write() capped by find_min at the end of the containing page. NOTE(review): the constant is the only gate on this path; x->buffer is an address supplied inside the request and is used directly as the kernel-side copy source or destination with no ProbeForRead/ProbeForWrite; the statuses of PsLookupProcessByProcessId, read() and write() are ignored and STATUS_SUCCESS is returned regardless; the process reference is dropped before the table root is used. */ NTSTATUS frw(prw x) { 185 | if (x->security != code_security) 186 | return STATUS_UNSUCCESSFUL; 187 | 188 | if (!x->process_id) 189 | return STATUS_UNSUCCESSFUL; 190 | 191 | PEPROCESS process = NULL; 192 | PsLookupProcessByProcessId((HANDLE)x->process_id, &process); 193 | if (!process) 194 | return STATUS_UNSUCCESSFUL; 195 | 196 | ULONGLONG process_base = get_process_cr3(process); 197 | ObDereferenceObject(process); 198 | 199 | SIZE_T this_offset = NULL; 200 | SIZE_T total_size = x->size; 201 | 202 | INT64 physical_address = translate_linear(process_base, (ULONG64)x->address + this_offset); 203 | if (!physical_address) 204 | return STATUS_UNSUCCESSFUL; 205 | 206 | ULONG64 final_size = find_min(PAGE_SIZE - (physical_address & 0xFFF), total_size); 207 | SIZE_T bytes_trough = NULL; 208 | 209 | if (x->write) { 210 | write(PVOID(physical_address), (PVOID)((ULONG64)x->buffer + this_offset), final_size, &bytes_trough); 211 | } 212 | else { 213 | read(PVOID(physical_address), (PVOID)((ULONG64)x->buffer + this_offset), final_size, &bytes_trough); 214 | } 215 | 216 | return STATUS_SUCCESS; 217 | } 218 | 219 | /* fba: handler for code_ba. After the same constant and process_id checks as frw, copies the value of PsGetProcessSectionBaseAddress for the process to the location x->address points at. NOTE(review): x->address is a pointer carried inside the request and is written with RtlCopyMemory without being probed, so the driver performs an 8-byte kernel-mode write to an address it never validates; the early return taken when image_base is 0 skips ObDereferenceObject and leaks the process reference. */ NTSTATUS fba(pba x) { 220 | if (x->security != code_security) 221 | return STATUS_UNSUCCESSFUL; 222 | 223 | if (!x->process_id) 224 | return STATUS_UNSUCCESSFUL; 225 | 226 | PEPROCESS process = NULL; 227 | PsLookupProcessByProcessId((HANDLE)x->process_id, &process); 228 | if (!process) 229 | return STATUS_UNSUCCESSFUL; 230 | 231 | ULONGLONG image_base = (ULONGLONG)PsGetProcessSectionBaseAddress(process); 232 | if (!image_base) 233 | return STATUS_UNSUCCESSFUL; 234 | 235 | RtlCopyMemory(x->address, &image_base, sizeof(image_base)); 236 | ObDereferenceObject(process); 237 | 238 | return STATUS_SUCCESS; 239 | } 240 | 241 | /* fget_guarded_region: handler for code_get_guarded_region. Queries SystemBigPoolInformation, growing the buffer while the call reports STATUS_INFO_LENGTH_MISMATCH, then scans for a non-paged entry of 0x200000 bytes whose tag compares equal to "TnoC" and copies that entry's VirtualAddress to x->address. NOTE(review): the match path returns without ExFreePool(pPoolInfo); the allocation is not NULL-checked before being passed to the query; memcmp compares sizeof(expectedTag) (5 bytes, terminator included) against the 4-byte Tag field; x->address is an unprobed pointer from the request; STATUS_SUCCESS is returned whether or not a match was found. */ NTSTATUS fget_guarded_region(pga x) { 242 | if (x->security != code_security) 243 | return STATUS_UNSUCCESSFUL; 244 | 245 | ULONG infoLen = 0; 246 | NTSTATUS status =
ZwQuerySystemInformation(SystemBigPoolInformation, &infoLen, 0, &infoLen); 247 | PSYSTEM_BIGPOOL_INFORMATION pPoolInfo = 0; 248 | 249 | /* Retry loop: each pass frees the previous buffer and allocates one of the length the last query reported. */ while (status == STATUS_INFO_LENGTH_MISMATCH) 250 | { 251 | if (pPoolInfo) 252 | ExFreePool(pPoolInfo); 253 | 254 | /* NOTE(review): the allocation result goes to the next query without a NULL check; the build log on this page reports ExAllocatePool as deprecated (C4996). */ pPoolInfo = (PSYSTEM_BIGPOOL_INFORMATION)ExAllocatePool(NonPagedPool, infoLen); 255 | status = ZwQuerySystemInformation(SystemBigPoolInformation, pPoolInfo, infoLen, &infoLen); 256 | } 257 | 258 | if (pPoolInfo) 259 | { 260 | for (unsigned int i = 0; i < pPoolInfo->Count; i++) 261 | { 262 | SYSTEM_BIGPOOL_ENTRY* Entry = &pPoolInfo->AllocatedInfo[i]; 263 | /* VirtualAddress, SizeInBytes and NonPaged below are computed but never used; the checks read Entry directly. */ PVOID VirtualAddress; 264 | VirtualAddress = (PVOID)((uintptr_t)Entry->VirtualAddress & ~1ull); 265 | SIZE_T SizeInBytes = Entry->SizeInBytes; 266 | BOOLEAN NonPaged = Entry->NonPaged; 267 | 268 | if (Entry->NonPaged && Entry->SizeInBytes == 0x200000) { 269 | UCHAR expectedTag[] = "TnoC"; // Tag should be a string, not a ulong 270 | /* NOTE(review): sizeof(expectedTag) is 5, one byte more than the 4-byte Tag field being compared. */ if (memcmp(Entry->Tag, expectedTag, sizeof(expectedTag)) == 0) { 271 | /* NOTE(review): x->address comes from the request and is written without being probed. */ RtlCopyMemory((void*)x->address, &Entry->VirtualAddress, sizeof(Entry->VirtualAddress)); 272 | /* NOTE(review): this return skips ExFreePool(pPoolInfo), leaking the non-paged allocation on every match. */ return STATUS_SUCCESS; 273 | } 274 | } 275 | 276 | } 277 | 278 | ExFreePool(pPoolInfo); 279 | } 280 | 281 | return STATUS_SUCCESS; 282 | } 283 | 284 | /* io_controller: IRP_MJ_DEVICE_CONTROL dispatch routine. Reads the control code and InputBufferLength from the current stack location, requires the length to equal the matching request struct's size, and hands irp->AssociatedIrp.SystemBuffer to frw, fba or fget_guarded_region; a size mismatch yields STATUS_INFO_LENGTH_MISMATCH. NOTE(review): no check of the caller is made in this routine; for a control code that matches none of the three branches `status` keeps its zero initialiser, so the IRP completes with status 0. */ NTSTATUS io_controller(PDEVICE_OBJECT device_obj, PIRP irp) { 285 | UNREFERENCED_PARAMETER(device_obj); 286 | 287 | NTSTATUS status = { }; 288 | ULONG bytes = { }; 289 | PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(irp); 290 | 291 | ULONG code = stack->Parameters.DeviceIoControl.IoControlCode; 292 | ULONG size = stack->Parameters.DeviceIoControl.InputBufferLength; 293 | 294 | if (code == code_rw) { 295 | if (size == sizeof(_rw)) { 296 | prw req = (prw)(irp->AssociatedIrp.SystemBuffer); 297 | 298 | status = frw(req); 299 | bytes = sizeof(_rw); 300 | } 301 | else 302 | { 303 | status = STATUS_INFO_LENGTH_MISMATCH; 304 | bytes = 0; 305 | } 306 | } 307 | else if (code == code_ba) { 308 | if (size == sizeof(_ba)) { 309 |
pba req = (pba)(irp->AssociatedIrp.SystemBuffer); 310 | 311 | status = fba(req); 312 | bytes = sizeof(_ba); 313 | } 314 | else 315 | { 316 | status = STATUS_INFO_LENGTH_MISMATCH; 317 | bytes = 0; 318 | } 319 | } 320 | else if (code == code_get_guarded_region) { 321 | if (size == sizeof(_ga)) { 322 | pga req = (pga)(irp->AssociatedIrp.SystemBuffer); 323 | 324 | status = fget_guarded_region(req); 325 | bytes = sizeof(_ga); 326 | } 327 | else 328 | { 329 | status = STATUS_INFO_LENGTH_MISMATCH; 330 | bytes = 0; 331 | } 332 | } 333 | 334 | /* There is no final else above: an unrecognised control code reaches this point with status and bytes still zero-initialised. */ irp->IoStatus.Status = status; 335 | irp->IoStatus.Information = bytes; 336 | IoCompleteRequest(irp, IO_NO_INCREMENT); 337 | 338 | return status; 339 | } 340 | 341 | /* unsupported_dispatch: completes the IRP with STATUS_NOT_SUPPORTED. NOTE(review): irp->IoStatus.Status is read after IoCompleteRequest, at which point the driver no longer owns the IRP. */ NTSTATUS unsupported_dispatch(PDEVICE_OBJECT device_obj, PIRP irp) { 342 | UNREFERENCED_PARAMETER(device_obj); 343 | 344 | irp->IoStatus.Status = STATUS_NOT_SUPPORTED; 345 | IoCompleteRequest(irp, IO_NO_INCREMENT); 346 | 347 | return irp->IoStatus.Status; 348 | } 349 | 350 | /* dispatch_handler: completes the IRP; every switch case is an empty break, so create, close and any other major function are treated alike. NOTE(review): IoStatus.Status and IoStatus.Information are never assigned before completion, and the status is read from the IRP after IoCompleteRequest. */ NTSTATUS dispatch_handler(PDEVICE_OBJECT device_obj, PIRP irp) { 351 | UNREFERENCED_PARAMETER(device_obj); 352 | 353 | PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(irp); 354 | 355 | switch (stack->MajorFunction) { 356 | case IRP_MJ_CREATE: 357 | break; 358 | case IRP_MJ_CLOSE: 359 | break; 360 | default: 361 | break; 362 | } 363 | 364 | IoCompleteRequest(irp, IO_NO_INCREMENT); 365 | return irp->IoStatus.Status; 366 | } 367 | 368 | /* unload_drv: deletes the symbolic link and, only if that succeeds, the device object. NOTE(review): `link` here is the file-scope UNICODE_STRING; initialize_driver declares its own local `name, link` (the build log on this page reports C4459 for both), so the global is never initialised, and a failed IoDeleteSymbolicLink returns before IoDeleteDevice is reached. */ void unload_drv(PDRIVER_OBJECT drv_obj) { 369 | NTSTATUS status = { }; 370 | 371 | status = IoDeleteSymbolicLink(&link); 372 | 373 | if (!NT_SUCCESS(status)) 374 | return; 375 | 376 | IoDeleteDevice(drv_obj->DeviceObject); 377 | } 378 | 379 | /* initialize_driver: creates the device and its DosDevices link under the name paysoniscoolio, points every major function at unsupported_dispatch, then installs dispatch_handler for create/close, io_controller for device control and unload_drv as the unload routine. NOTE(review): the device is created with IoCreateDevice and no security descriptor is supplied in that call, so access to the three control codes rests on the object's default security plus the constant checked in each handler; the local `name, link` below shadow the file-scope pair that unload_drv uses. */ NTSTATUS initialize_driver(PDRIVER_OBJECT drv_obj, PUNICODE_STRING path) { 380 | UNREFERENCED_PARAMETER(path); 381 | 382 | NTSTATUS status = STATUS_SUCCESS; 383 | PDEVICE_OBJECT device_obj = NULL; 384 | 385 | UNICODE_STRING name, link; 386 | RtlInitUnicodeString(&name, L"\\Device\\paysoniscoolio"); // driver name 387 |
RtlInitUnicodeString(&link, L"\\DosDevices\\paysoniscoolio"); // driver name 388 | 389 | // Create the device 390 | status = IoCreateDevice(drv_obj, 0, &name, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &device_obj); 391 | if (!NT_SUCCESS(status)) { 392 | return status; 393 | } 394 | 395 | // Create a symbolic link 396 | status = IoCreateSymbolicLink(&link, &name); 397 | if (!NT_SUCCESS(status)) { 398 | IoDeleteDevice(device_obj); 399 | return status; 400 | } 401 | 402 | // Set up IRP dispatch functions 403 | for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) { 404 | drv_obj->MajorFunction[i] = &unsupported_dispatch; 405 | } 406 | 407 | drv_obj->MajorFunction[IRP_MJ_CREATE] = &dispatch_handler; 408 | drv_obj->MajorFunction[IRP_MJ_CLOSE] = &dispatch_handler; 409 | drv_obj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = &io_controller; 410 | drv_obj->DriverUnload = &unload_drv; 411 | 412 | // Configure device flags 413 | device_obj->Flags |= DO_BUFFERED_IO; 414 | device_obj->Flags &= ~DO_DEVICE_INITIALIZING; 415 | 416 | return status; 417 | } 418 | 419 | 420 | NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) { 421 | UNREFERENCED_PARAMETER(DriverObject); 422 | UNREFERENCED_PARAMETER(RegistryPath); 423 | 424 | return IoCreateDriver(NULL, &initialize_driver); 425 | } -------------------------------------------------------------------------------- /kernel mode/driver.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | Debug 22 | ARM 23 | 24 | 25 | Release 26 | ARM 27 | 28 | 29 | Debug 30 | ARM64 31 | 32 | 33 | Release 34 | ARM64 35 | 36 | 37 | 38 | {2BC9C890-EE95-4219-AC58-872DDB9D7F5E} 39 | {1bc93793-694f-48fe-9372-81e2b05556fd} 40 | v4.5 41 | 12.0 42 | Debug 43 | Win32 44 | Driver 45 | driver 46 | $(LatestTargetPlatformVersion) 47 | 48 | 49 | 50 | Windows10 
51 | true 52 | WindowsKernelModeDriver10.0 53 | Driver 54 | KMDF 55 | Universal 56 | 57 | 58 | Windows10 59 | false 60 | WindowsKernelModeDriver10.0 61 | Driver 62 | KMDF 63 | Universal 64 | 65 | 66 | Windows10 67 | true 68 | WindowsKernelModeDriver10.0 69 | Driver 70 | KMDF 71 | Universal 72 | 73 | 74 | Windows10 75 | false 76 | WindowsKernelModeDriver10.0 77 | Driver 78 | KMDF 79 | Universal 80 | false 81 | 82 | 83 | Windows10 84 | true 85 | WindowsKernelModeDriver10.0 86 | Driver 87 | KMDF 88 | Universal 89 | 90 | 91 | Windows10 92 | false 93 | WindowsKernelModeDriver10.0 94 | Driver 95 | KMDF 96 | Universal 97 | 98 | 99 | Windows10 100 | true 101 | WindowsKernelModeDriver10.0 102 | Driver 103 | KMDF 104 | Universal 105 | 106 | 107 | Windows10 108 | false 109 | WindowsKernelModeDriver10.0 110 | Driver 111 | KMDF 112 | Universal 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | DbgengKernelDebugger 124 | 125 | 126 | DbgengKernelDebugger 127 | 128 | 129 | DbgengKernelDebugger 130 | 131 | 132 | DbgengKernelDebugger 133 | $(SolutionDir)\build\driver 134 | $(Platform)\intermediates\driver 135 | 136 | 137 | DbgengKernelDebugger 138 | 139 | 140 | DbgengKernelDebugger 141 | 142 | 143 | DbgengKernelDebugger 144 | 145 | 146 | DbgengKernelDebugger 147 | 148 | 149 | 150 | DriverEntry 151 | 152 | 153 | SHA256 154 | 155 | 156 | false 157 | false 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | -------------------------------------------------------------------------------- /kernel mode/driver.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {c31ca960-3410-427f-a1f6-f18317547086} 6 | 7 | 8 | 9 | 10 | source 11 | 12 | 13 | -------------------------------------------------------------------------------- /kernel mode/driver.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | Off 5 | 6 | 7 | false 8 | 9 | 
-------------------------------------------------------------------------------- /kernel mode/x64/intermediates/driver/driver.log: -------------------------------------------------------------------------------- 1 |  Building 'driver' with toolset 'WindowsKernelModeDriver10.0' and the 'Universal' target platform. 2 | C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v170\Microsoft.CppBuild.targets(516,5): warning MSB8004: Intermediate Directory does not end with a trailing slash. This build instance will add the slash as it is required to allow proper evaluation of the Intermediate Directory. 3 | C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v170\Microsoft.CppBuild.targets(517,5): warning MSB8004: Output Directory does not end with a trailing slash. This build instance will add the slash as it is required to allow proper evaluation of the Output Directory. 4 | driver.cpp 5 | E:\! Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\kernel mode\driver.cpp(285,44): warning C4996: 'ExAllocatePool': ExAllocatePool is deprecated, use ExAllocatePool2. 6 | E:\! Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\kernel mode\driver.cpp(297,12): warning C4189: 'NonPaged': local variable is initialized but not referenced 7 | E:\! Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\kernel mode\driver.cpp(296,11): warning C4189: 'SizeInBytes': local variable is initialized but not referenced 8 | E:\! Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\kernel mode\driver.cpp(416,17): warning C4459: declaration of 'name' hides global declaration 9 | E:\! Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\kernel mode\driver.cpp(416,23): warning C4459: declaration of 'link' hides global declaration 10 | driver.vcxproj -> E:\! Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\build\driver\driver.sys 11 | Driver is 'Universal'. 
12 | Inf2Cat task was skipped as there were no inf files to process 13 | 14 | -------------------------------------------------------------------------------- /kernel mode/x64/intermediates/driver/driver.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/kernel mode/x64/intermediates/driver/driver.obj -------------------------------------------------------------------------------- /kernel mode/x64/intermediates/driver/driver.sys.recipe: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | E:\! Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\build\driver\driver.sys 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /kernel mode/x64/intermediates/driver/driver.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/kernel mode/x64/intermediates/driver/driver.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /kernel mode/x64/intermediates/driver/driver.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/kernel mode/x64/intermediates/driver/driver.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /kernel mode/x64/intermediates/driver/driver.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/kernel 
mode/x64/intermediates/driver/driver.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /kernel mode/x64/intermediates/driver/driver.tlog/Cl.items.tlog: -------------------------------------------------------------------------------- 1 | E:\! Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\kernel mode\driver.cpp;E:\! Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\kernel mode\x64\intermediates\driver\driver.obj 2 | -------------------------------------------------------------------------------- /kernel mode/x64/intermediates/driver/driver.tlog/driver.lastbuildstate: -------------------------------------------------------------------------------- 1 | PlatformToolSet=WindowsKernelModeDriver10.0:VCToolArchitecture=Native64Bit:VCToolsVersion=14.40.33807:TargetPlatformVersion=10.0.22621.0: 2 | Release|x64|E:\! Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\| 3 | -------------------------------------------------------------------------------- /kernel mode/x64/intermediates/driver/driver.tlog/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/kernel mode/x64/intermediates/driver/driver.tlog/link.command.1.tlog -------------------------------------------------------------------------------- /kernel mode/x64/intermediates/driver/driver.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/kernel mode/x64/intermediates/driver/driver.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /kernel mode/x64/intermediates/driver/driver.tlog/link.secondary.1.tlog: -------------------------------------------------------------------------------- 1 | ^E:\! 
SATURN\SATURN FN\SATURN FREE\V2.1\PAYSON_DRV\KERNEL MODE\X64\INTERMEDIATES\DRIVER\DRIVER.OBJ 2 | -------------------------------------------------------------------------------- /kernel mode/x64/intermediates/driver/driver.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/kernel mode/x64/intermediates/driver/driver.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /kernel mode/x64/intermediates/driver/vc143.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/kernel mode/x64/intermediates/driver/vc143.pdb -------------------------------------------------------------------------------- /payson drv.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.7.34202.233 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "usermode", "usermode\usermode.vcxproj", "{5AE5C5EE-3B21-4181-A223-7D4BC972810A}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "driver", "kernel mode\driver.vcxproj", "{2BC9C890-EE95-4219-AC58-872DDB9D7F5E}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Release|x64 = Release|x64 13 | EndGlobalSection 14 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 15 | {5AE5C5EE-3B21-4181-A223-7D4BC972810A}.Release|x64.ActiveCfg = Release|x64 16 | {5AE5C5EE-3B21-4181-A223-7D4BC972810A}.Release|x64.Build.0 = Release|x64 17 | {2BC9C890-EE95-4219-AC58-872DDB9D7F5E}.Release|x64.ActiveCfg = Release|x64 18 | 
{2BC9C890-EE95-4219-AC58-872DDB9D7F5E}.Release|x64.Build.0 = Release|x64 19 | {2BC9C890-EE95-4219-AC58-872DDB9D7F5E}.Release|x64.Deploy.0 = Release|x64 20 | EndGlobalSection 21 | GlobalSection(SolutionProperties) = preSolution 22 | HideSolutionNode = FALSE 23 | EndGlobalSection 24 | GlobalSection(ExtensibilityGlobals) = postSolution 25 | SolutionGuid = {C78FBF5D-D011-4909-88E4-5DDC0066DA2F} 26 | EndGlobalSection 27 | EndGlobal 28 | -------------------------------------------------------------------------------- /usermode/driver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | uintptr_t virtualaddy; 7 | 8 | #define code_rw CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1645, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 9 | #define code_ba CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1646, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 10 | #define code_get_guarded_region CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1647, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 11 | #define code_security 0x85b3b69 12 | 13 | 14 | typedef struct _rw { 15 | INT32 security; 16 | INT32 process_id; 17 | ULONGLONG address; 18 | ULONGLONG buffer; 19 | ULONGLONG size; 20 | BOOLEAN write; 21 | } rw, * prw; 22 | 23 | typedef struct _ba { 24 | INT32 security; 25 | INT32 process_id; 26 | ULONGLONG* address; 27 | } ba, * pba; 28 | 29 | typedef struct _ga { 30 | INT32 security; 31 | ULONGLONG* address; 32 | } ga, * pga; 33 | 34 | namespace mem { 35 | HANDLE driver_handle; 36 | INT32 process_id; 37 | 38 | bool find_driver() { 39 | driver_handle = CreateFileW((L"\\\\.\\\paysoniscoolio"), GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); 40 | 41 | if (!driver_handle || (driver_handle == INVALID_HANDLE_VALUE)) 42 | return false; 43 | 44 | return true; 45 | } 46 | 47 | void read_physical(PVOID address, PVOID buffer, DWORD size) { 48 | _rw arguments = { 0 }; 49 | 50 | arguments.security = code_security; 51 | 
arguments.address = (ULONGLONG)address; 52 | arguments.buffer = (ULONGLONG)buffer; 53 | arguments.size = size; 54 | arguments.process_id = process_id; 55 | arguments.write = FALSE; 56 | 57 | DeviceIoControl(driver_handle, code_rw, &arguments, sizeof(arguments), nullptr, NULL, NULL, NULL); 58 | } 59 | 60 | void write_physical(PVOID address, PVOID buffer, DWORD size) { 61 | _rw arguments = { 0 }; 62 | 63 | arguments.security = code_security; 64 | arguments.address = (ULONGLONG)address; 65 | arguments.buffer = (ULONGLONG)buffer; 66 | arguments.size = size; 67 | arguments.process_id = process_id; 68 | arguments.write = TRUE; 69 | 70 | DeviceIoControl(driver_handle, code_rw, &arguments, sizeof(arguments), nullptr, NULL, NULL, NULL); 71 | } 72 | 73 | uintptr_t find_image() { 74 | uintptr_t image_address = { NULL }; 75 | _ba arguments = { NULL }; 76 | 77 | arguments.security = code_security; 78 | arguments.process_id = process_id; 79 | arguments.address = (ULONGLONG*)&image_address; 80 | 81 | DeviceIoControl(driver_handle, code_ba, &arguments, sizeof(arguments), nullptr, NULL, NULL, NULL); 82 | 83 | return image_address; 84 | } 85 | 86 | uintptr_t get_guarded_region() { 87 | uintptr_t guarded_region_address = { NULL }; 88 | _ga arguments = { NULL }; 89 | 90 | arguments.security = code_security; 91 | arguments.address = (ULONGLONG*)&guarded_region_address; 92 | 93 | DeviceIoControl(driver_handle, code_get_guarded_region, &arguments, sizeof(arguments), nullptr, NULL, NULL, NULL); 94 | 95 | return guarded_region_address; 96 | } 97 | 98 | INT32 find_process(LPCTSTR process_name) { 99 | PROCESSENTRY32 pt; 100 | HANDLE hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 101 | pt.dwSize = sizeof(PROCESSENTRY32); 102 | if (Process32First(hsnap, &pt)) { 103 | do { 104 | if (!lstrcmpi(pt.szExeFile, process_name)) { 105 | CloseHandle(hsnap); 106 | process_id = pt.th32ProcessID; 107 | return pt.th32ProcessID; 108 | } 109 | } while (Process32Next(hsnap, &pt)); 110 | } 111 | 
CloseHandle(hsnap); 112 | 113 | return { NULL }; 114 | } 115 | } 116 | 117 | template 118 | T read(uint64_t address) { 119 | T buffer{ }; 120 | mem::read_physical((PVOID)address, &buffer, sizeof(T)); 121 | return buffer; 122 | } 123 | 124 | template 125 | T write(uint64_t address, T buffer) { 126 | 127 | mem::write_physical((PVOID)address, &buffer, sizeof(T)); 128 | return buffer; 129 | } 130 | -------------------------------------------------------------------------------- /usermode/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "driver.h" 3 | 4 | using namespace std; 5 | 6 | 7 | void main() 8 | { 9 | SetConsoleTitleA("Payson IOCTL - github.com/paysonism - Usermode Example"); 10 | if (!mem::find_driver()) { 11 | system("color 2"); 12 | cout << "\n Driver isn't loaded!\n"; 13 | } 14 | mem::process_id = mem::find_process("explorer.exe"); 15 | 16 | virtualaddy = mem::find_image(); 17 | 18 | cout << "File Explorer Base Address -> " << virtualaddy << "\n"; 19 | 20 | cin.get(); 21 | 22 | //FortniteClient-Win64-Shipping.exe 23 | } -------------------------------------------------------------------------------- /usermode/usermode.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 17.0 23 | Win32Proj 24 | {5ae5c5ee-3b21-4181-a223-7d4bc972810a} 25 | Project1 26 | 10.0 27 | usermode 28 | 29 | 30 | 31 | Application 32 | true 33 | v143 34 | Unicode 35 | 36 | 37 | Application 38 | false 39 | v143 40 | true 41 | Unicode 42 | 43 | 44 | Application 45 | true 46 | v143 47 | Unicode 48 | 49 | 50 | Application 51 | false 52 | v143 53 | true 54 | MultiByte 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | $(SolutionDir)\build\usermode 76 | $(Platform)\intermediates\usermode 77 
| 78 | 79 | 80 | Level3 81 | true 82 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 83 | true 84 | 85 | 86 | Console 87 | true 88 | 89 | 90 | 91 | 92 | Level3 93 | true 94 | true 95 | true 96 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 97 | true 98 | 99 | 100 | Console 101 | true 102 | true 103 | true 104 | 105 | 106 | 107 | 108 | Level3 109 | true 110 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 111 | true 112 | 113 | 114 | Console 115 | true 116 | 117 | 118 | 119 | 120 | Level3 121 | true 122 | true 123 | true 124 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 125 | true 126 | 127 | 128 | Console 129 | true 130 | true 131 | true 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | -------------------------------------------------------------------------------- /usermode/usermode.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | 10 | 11 | source 12 | 13 | 14 | 15 | 16 | source 17 | 18 | 19 | -------------------------------------------------------------------------------- /usermode/usermode.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /usermode/x64/intermediates/usermode/main.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/usermode/x64/intermediates/usermode/main.obj -------------------------------------------------------------------------------- /usermode/x64/intermediates/usermode/usermode.exe.recipe: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | E:\! 
Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\build\usermode\usermode.exe 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /usermode/x64/intermediates/usermode/usermode.iobj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/usermode/x64/intermediates/usermode/usermode.iobj -------------------------------------------------------------------------------- /usermode/x64/intermediates/usermode/usermode.ipdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/usermode/x64/intermediates/usermode/usermode.ipdb -------------------------------------------------------------------------------- /usermode/x64/intermediates/usermode/usermode.log: -------------------------------------------------------------------------------- 1 | C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v170\Microsoft.CppBuild.targets(516,5): warning MSB8004: Intermediate Directory does not end with a trailing slash. This build instance will add the slash as it is required to allow proper evaluation of the Intermediate Directory. 2 | C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v170\Microsoft.CppBuild.targets(517,5): warning MSB8004: Output Directory does not end with a trailing slash. This build instance will add the slash as it is required to allow proper evaluation of the Output Directory. 3 | main.cpp 4 | E:\! Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\usermode\driver.h(39,32): warning C4129: 'p': unrecognized character escape sequence 5 | E:\! 
Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\usermode\main.cpp(7,6): warning C4326: return type of 'main' should be 'int' instead of 'void' 6 | Generating code 7 | Previous IPDB was built with incompatible compiler, fall back to full compilation. 8 | All 13 functions were compiled because no usable IPDB/IOBJ from previous compilation was found. 9 | Finished generating code 10 | usermode.vcxproj -> E:\! Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\build\usermode\usermode.exe 11 | -------------------------------------------------------------------------------- /usermode/x64/intermediates/usermode/usermode.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/usermode/x64/intermediates/usermode/usermode.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /usermode/x64/intermediates/usermode/usermode.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/usermode/x64/intermediates/usermode/usermode.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /usermode/x64/intermediates/usermode/usermode.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/usermode/x64/intermediates/usermode/usermode.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /usermode/x64/intermediates/usermode/usermode.tlog/Cl.items.tlog: -------------------------------------------------------------------------------- 1 | E:\! 
Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\usermode\main.cpp;E:\! Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\usermode\x64\intermediates\usermode\main.obj 2 | -------------------------------------------------------------------------------- /usermode/x64/intermediates/usermode/usermode.tlog/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/usermode/x64/intermediates/usermode/usermode.tlog/link.command.1.tlog -------------------------------------------------------------------------------- /usermode/x64/intermediates/usermode/usermode.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/usermode/x64/intermediates/usermode/usermode.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /usermode/x64/intermediates/usermode/usermode.tlog/link.secondary.1.tlog: -------------------------------------------------------------------------------- 1 | ^E:\! SATURN\SATURN FN\SATURN FREE\V2.1\PAYSON_DRV\USERMODE\X64\INTERMEDIATES\USERMODE\MAIN.OBJ 2 | E:\! Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\usermode\x64\intermediates\usermode\usermode.IPDB 3 | E:\! 
Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\usermode\x64\intermediates\usermode\usermode.iobj 4 | -------------------------------------------------------------------------------- /usermode/x64/intermediates/usermode/usermode.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/usermode/x64/intermediates/usermode/usermode.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /usermode/x64/intermediates/usermode/usermode.tlog/usermode.lastbuildstate: -------------------------------------------------------------------------------- 1 | PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.40.33807:TargetPlatformVersion=10.0.22621.0: 2 | Release|x64|E:\! Saturn\Saturn FN\Saturn Free\v2.1\payson_drv\| 3 | -------------------------------------------------------------------------------- /usermode/x64/intermediates/usermode/vc143.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paysonism/payson-ioctl-cheat-driver/c6a62858a859926e5dab975a3778259dc19f7aa8/usermode/x64/intermediates/usermode/vc143.pdb --------------------------------------------------------------------------------