Video Tutorial Kernel 2 - Usermode Communication - IOCTL Tutorial

Hexui Undetected CSGO Cheats Sinkicheat PUBG Cheat

dretax

CIL Expert
Meme Tier VIP
Fleep Tier Donator
Mar 28, 2020
81
3,273
0
Game Name
Black Mesa
Anticheat
None
How long you been coding/hacking?
7/3
Coding Language
C
Learn how to use PsSetLoadImageNotifyRoutine() to detect when a DLL is loaded, get it's base address from kernel mode, output it with DbgPrintEx() and then how to pass that variable to a usermode process using IOCTL. This is the first step to communicating between your usermode DLL and your kernel driver. This is the preferred way to hack games with kernel anticheat, bypass via kernel but use a regular DLL to do your regular hacking stuff. Of course, later on we are going to review the making of Manual Mapped Drivers, and declare a communication which is hard to detect from a kernel mode anti-cheat.


PsSetLoadImageNotifyRoutine
The PsSetLoadImageNotifyRoutine routine registers a driver-supplied callback that is subsequently notified whenever an image is loaded (or mapped into memory).

C++:
NTSTATUS PsSetLoadImageNotifyRoutine(PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine);
Parameters
NotifyRoutine - A pointer to the caller-implemented PLOAD_IMAGE_NOTIFY_ROUTINE callback routine for load-image notifications.

Return value
PsSetLoadImageNotifyRoutine
either returns STATUS_SUCCESS or it returns STATUS_INSUFFICIENT_RESOURCES if it failed the callback registration.

Remarks
Highest-level system-profiling drivers can call PsSetLoadImageNotifyRoutine to set up their load-image notify routines (see PLOAD_IMAGE_NOTIFY_ROUTINE).

The maximum number of drivers that can be simultaneously registered to receive load-image notifications is eight. If the maximum number of load-image notify routines is already registered when a driver calls PsSetLoadImageNotifyRoutine to try to register an additional notify routine, PsSetLoadImageNotifyRoutine fails and returns STATUS_INSUFFICIENT_RESOURCES. A driver must remove any callbacks it registers before it unloads. You can remove the callback by calling the PsRemoveLoadImageNotifyRoutine routine.

DbgPrintEx
The DbgPrintEx routine sends a string to the kernel debugger if the conditions you specify are met.
C++:
NTSYSAPI ULONG DbgPrintEx(ULONG ComponentId, ULONG Level, PCSTR Format, ...);
IoGetCurrentIrpStackLocation
The IoGetCurrentIrpStackLocation routine returns a pointer to the caller's I/O stack location in the specified IRP.
C++:
PIO_STACK_LOCATION IoGetCurrentIrpStackLocation(PIRP Irp)
We use this to get the IO Stack variable IOStack->Parameters.DeviceIoControl.IoControlCode. If the IoControlCode is the one we specified, being sent by our usermode application, our driver than processes the request.

Project Kernel Code Sample:
C++:
#pragma warning (disable : 4100 4047 4024)

#include <ntifs.h>

#define DebugMessage(x, ...) DbgPrintEx(0, 0, x, __VA_ARGS__)
#define IO_GET_CLIENTADDRESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x666, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;

    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    DebugMessage("CreateCall was called, connection enstablished!\n");

    return STATUS_SUCCESS;
}

NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;

    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    DebugMessage("Connection Terminated!\n");

    return STATUS_SUCCESS;
}

NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    NTSTATUS Status = STATUS_UNSUCCESSFUL;
    ULONG ByteIO = 0;

    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);

    ULONG ControlCode = stack->Parameters.DeviceIoControl.IoControlCode;

    if (ControlCode == IO_GET_CLIENTADDRESS)
    {
        PULONG OutPut = (PULONG)Irp->AssociatedIrp.SystemBuffer;
        *OutPut = BlackMesaClientDLLAddress;

        DebugMessage("ClientAddress requested!\n");

        Status = STATUS_SUCCESS;
        ByteIO = sizeof(*OutPut);
    }
    else
    {
        ByteIO = 0;
    }

    Irp->IoStatus.Status = Status;
    Irp->IoStatus.Information = ByteIO;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return Status;
}

ULONG BlackMesaClientDLLAddress;
PDEVICE_OBJECT pDeviceObject;
UNICODE_STRING dev, dos;

PLOAD_IMAGE_NOTIFY_ROUTINE ImageLoadCallback(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo)
{
    //DebugMessage("ImageLoaded: %ls \n", FullImageName->Buffer);

    if (wcsstr(FullImageName->Buffer, L"\\Black Mesa\\bms\\bin\\client.dll"))
    {
        DebugMessage("Black Mesa Client.DLL found!\n");
        BlackMesaClientDLLAddress = ImageInfo->ImageBase;

        DebugMessage("ProcessID: %d \n", ProcessId);
    }

    return STATUS_SUCCESS;
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    UNREFERENCED_PARAMETER(pRegistryPath);
    pDriverObject->DriverUnload = UnloadDriver;
    DebugMessage("Welcome to the first GuidedHacking Driver!");

    PsSetLoadImageNotifyRoutine(ImageLoadCallback);

    RtlInitUnicodeString(&dev, L"\\Device\\guidedhacking");
    RtlInitUnicodeString(&dos, L"\\DosDevices\\guidedhacking");

    IoCreateDevice(pDriverObject, 0, &dev, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
    IoCreateSymbolicLink(&dos, &dev);

    pDriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCall;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCall;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoControl;

    pDeviceObject->Flags |= DO_DIRECT_IO;
    pDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;

    return STATUS_SUCCESS;
}

NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    DebugMessage("Papa Rake says goodbye!");

    PsRemoveLoadImageNotifyRoutine(ImageLoadCallback);

    IoDeleteSymbolicLink(&dos);
    IoDeleteDevice(pDriverObject->DeviceObject);
 
    return STATUS_SUCCESS;
}

Project Usermode Code Sample:
C++:
#include <iostream>
#include "kernelinterface.hpp"

#define IO_GET_CLIENTADDRESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x666, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

class KernelInterface
{
public:
    HANDLE hDriver;

    KernelInterface(LPCSTR RegistryPath)
    {
        hDriver = CreateFileA(RegistryPath, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
    }

    DWORD GetClientAddress()
    {
        if (hDriver == INVALID_HANDLE_VALUE)
        {
            return 0;
        }

        ULONG Address;
        DWORD Bytes;

        if (DeviceIoControl(hDriver, IO_GET_CLIENTADDRESS, &Address, sizeof(Address), &Address, sizeof(Address), &Bytes, NULL))
        {
            return Address;
        }

        return 0;
    }
};

int main()
{
    KernelInterface Driver = KernelInterface("\\\\.\\guidedhacking");

    ULONG address = Driver.GetClientAddress();

    std::cout << " address " << std::hex << address << std::endl;
 
    std::cout << "Hello World!\n";

    std::getchar();
}
Full project source in attachment

References
 

Attachments

Last edited:

saadoxdev

Newbie
Full Member
Jan 22, 2018
10
168
0
@dretax Can you put a link to the actual Playlist in youtube ?

Also , I'm assuming this will need a windows installed in VM , as far as I know Programming driver's related sh!t can fu*k up your OS if you dont do it the right way , right ?

Also i know that you need to pay some real $$ to actualy signe your driver else it will be flagged ?

Finaly , Thanks for taking this initiative and putting some good tuts for the peeps .
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
11,525
78,998
2,308
@dretax Can you put a link to the actual Playlist in youtube ?

Also , I'm assuming this will need a windows installed in VM , as far as I know Programming driver's related sh!t can fu*k up your OS if you dont do it the right way , right ?

Also i know that you need to pay some real $$ to actualy signe your driver else it will be flagged ?

Finaly , Thanks for taking this initiative and putting some good tuts for the peeps .
Playlist:

All questions answered here:
Video Tutorial - How to Make a Windows Kernel Mode Driver Tutorial
Guide - Kernel Mode Drivers Info for Anticheat Bypass
 

dretax

CIL Expert
Meme Tier VIP
Fleep Tier Donator
Mar 28, 2020
81
3,273
0
@dretax Can you put a link to the actual Playlist in youtube ?

Also , I'm assuming this will need a windows installed in VM , as far as I know Programming driver's related sh!t can fu*k up your OS if you dont do it the right way , right ?

Also i know that you need to pay some real $$ to actualy signe your driver else it will be flagged ?

Finaly , Thanks for taking this initiative and putting some good tuts for the peeps .
I believe you should start at the first episode where I go from the bottom basics. You will find the answer there regarding VM, and OS related stuffs.
If you ever wish to sign your driver, then yes, you would need to play around 500$ to my knowledge to a company that is allowed to create certificates.
 
  • Like
Reactions: saadoxdev

dretax

CIL Expert
Meme Tier VIP
Fleep Tier Donator
Mar 28, 2020
81
3,273
0
@dretax Can you put a link to the actual Playlist in youtube ?

Also , I'm assuming this will need a windows installed in VM , as far as I know Programming driver's related sh!t can fu*k up your OS if you dont do it the right way , right ?

Also i know that you need to pay some real $$ to actualy signe your driver else it will be flagged ?

Finaly , Thanks for taking this initiative and putting some good tuts for the peeps .
+1 note:

The next video will be recorded this week explaining read/write memory. Then I'll want to cover obregistercallbacks, registries, creating C/C++ mixed drivers, and various other useful set before jumping to manual mapped drivers. In that scenario we would use a signed driver to load our very own unsigned one without testmode. =)
 
  • Like
Reactions: saadoxdev

saadoxdev

Newbie
Full Member
Jan 22, 2018
10
168
0
The next video will be recorded this week explaining read/write memory. Then I'll want to cover obregistercallbacks, registries, creating C/C++ mixed drivers, and various other useful set before jumping to manual mapped drivers. In that scenario we would use a signed driver to load our very own unsigned one without testmode. =)
I can not wait man ! Time for me to switch to R0 which is basically the reason why i even started digging into Rake's mellons :fleep:
Is it our signed driver tho ? :p
Or plaining to use other's signed exploitable drivers :trollface: ?
 
Last edited:
  • Like
Reactions: dretax

dretax

CIL Expert
Meme Tier VIP
Fleep Tier Donator
Mar 28, 2020
81
3,273
0
Any exploitable would suffice that would allow us to load. Making a driver doesn't mean you won't get checked when they are issuing certificates. If you make something bad, Microsoft will look badly at you. Your certificate can be even revoked. The easiest to use is kdmapper, which uses a vulnerable intel driver.
All you have to do from that point is clean your traces, which I managed to do recently a couple of weeks ago. Problem is time, I'm learning by myself too by fucking around with FairPlayKD Anti-Cheat Driver.
 
  • Love
Reactions: saadoxdev

saadoxdev

Newbie
Full Member
Jan 22, 2018
10
168
0
Any exploitable would suffice that would allow us to load. Making a driver doesn't mean you won't get checked when they are issuing certificates. If you make something bad, Microsoft will look badly at you. Your certificate can be even revoked. The easiest to use is kdmapper, which uses a vulnerable intel driver.
All you have to do from that point is clean your traces, which I managed to do recently a couple of weeks ago. Problem is time, I'm learning by myself too by fucking around with FairPlayKD Anti-Cheat Driver.
Hell ya that's what i wanted :D
Looking forward this yummi sht man , Once i get my environement ready I will give my all to your videos and topics, Kudos to you for the efforts , Much love .
 
  • Like
Reactions: dretax
Attention! Before you post:

Read the How to Ask Questions Guide
99% of questions are answered in the Beginner's Guide, do it before asking a question.

No Hack Requests. Post in the correct section.  Search the forum first. Read the rules.

How to make a good post:

  • Fill out the form correctly
  • Tell us the game name & coding language
  • Post everything we need to know to help you
  • Ask specific questions, be descriptive
  • Post errors, line numbers & screenshots
  • Post code snippets using code tags
  • If it's a large project, zip it up and attach it

If you do not comply, your post may be deleted.  We want to help, please make a good post and we will do our best to help you.

Community Mods League of Legends Accounts