Source Code Kernel Mode Communication with user mode NO IOCTL


neonplanet

Newbie
Meme Tier VIP
Dank Tier Donator
Sep 7, 2017
248
4,078
13
How long you been coding/hacking?
2 years
Hello all, I've been working on this project for about a week now.

Let me start by saying I DON'T BELIEVE THIS 1000000% bypasses EAC or BE. I only believe it'll be undetected if you tweak the driver and UM application heavily.


I would like to share my method of communicating to kernel without any system threads, and user mode doesn't even touch the driver in any way shape or form.


So this method I'm about to share, to my knowledge, has not been posted on UC or GH. I'm 100% sure someone has thought of this method before so I don't claim any "title" or "I found this!" etc.


This communication method occurs using the windows REGISTRY!

Here is a video on the driver in action:


Sorry for the black screen UAC makes obs bug out.



But as you can see in the video the kernel successfully grabs the health of the player.



Here is a run down of the code if you're too lazy to read the code:

  • Kernel creates 2 registry keys called "Code" and "Address"
  • Usermode program will send an address to the registry key "Address"
  • e.g. LocalPlayer + Client.dll
  • then the user mode program changes the "Code" key to 1, telling the driver "Hey, read the Address key now and plug it into RPM."
  • Kernel takes the Address value and plugs it into the RtlCopyMemory function
  • Kernel then writes the address that it read back to the registry for user mode
  • and usermode reads the address back from the registry and bam, you now have your local player address!




PS. This code is very bad, I suggest you don't use this. I suggest you all read and tweak it to your needs / fix things / improve it, I would love to see how y'all can improve this project.


I won't be updating this project from here. I plan on creating a different version of this for personal use maybe, or using a different comm method.

Happy learning
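The eight steps above describe a request/reply protocol carried over four registry values. As an added example, not code from the thread or from the attached project, here is a portable C model of that protocol with both sides in one process: the registry is stood in for by a small in-memory struct, the target process by a byte array, and the driver's polling thread by an explicit call to driver_service(). Every name, the DONE/ERROR codes and the 0x290 offset are assumptions. It also closes two gaps the posted design leaves open: user mode waits for a completion code instead of sleeping, and the driver bounds the user-supplied Size and Address before it copies anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values carried in "Code". The thread uses 1 = read request and 0 = idle;
 * DONE/ERROR are added here so user mode can wait for the reply. */
enum { CODE_IDLE = 0, CODE_READ = 1, CODE_DONE = 2, CODE_ERROR = 3 };

/* Stand-in for the four registry values the protocol uses (assumed layout). */
struct mailbox {
    uint32_t code;
    uint32_t address;   /* 32-bit target address, as the user-mode side sends a DWORD */
    uint32_t size;
    uint8_t  bytes[64]; /* REG_BINARY reply; capped so a bad Size cannot overrun it */
};

struct angles { float x, y, z; };

/* Stand-in for the target process's address space (constructed data). */
#define TARGET_BASE 0x10000000u
#define ANGLES_OFF  0x290u
static uint8_t target_memory[0x300];

static void target_init(void)
{
    struct angles a = { 1.0f, 2.5f, -3.0f };
    memset(target_memory, 0, sizeof target_memory);
    memcpy(target_memory + ANGLES_OFF, &a, sizeof a);
}

/* Driver side: one pass of the poll loop. Returns 1 if a request was served,
 * -1 if it was rejected, 0 if there was nothing to do. */
static int driver_service(struct mailbox *mb)
{
    if (mb->code != CODE_READ)
        return 0;

    /* Address and Size come from user mode, so both are bounded before any
     * copy. In a real driver this is where ProbeForRead/MmCopyVirtualMemory
     * with a capped length would sit. */
    if (mb->size == 0 || mb->size > sizeof mb->bytes ||
        mb->address < TARGET_BASE ||
        mb->address - TARGET_BASE > sizeof target_memory - mb->size) {
        mb->code = CODE_ERROR;
        return -1;
    }
    memcpy(mb->bytes, target_memory + (mb->address - TARGET_BASE), mb->size);
    mb->code = CODE_DONE;   /* publish only after Bytes is completely written */
    return 1;
}

/* User side: post a request and wait for the driver's completion code. */
static int um_read(struct mailbox *mb, uint32_t addr, void *out, uint32_t size)
{
    mb->size = size;
    mb->address = addr;
    mb->code = CODE_READ;   /* written last: it is the doorbell the driver polls */

    for (int spins = 0; spins < 1000 && mb->code == CODE_READ; spins++)
        driver_service(mb); /* models the driver's polling thread getting scheduled */

    int ok = (mb->code == CODE_DONE);
    if (ok)
        memcpy(out, mb->bytes, size);   /* copy from the buffer, not from the pointer variable */
    mb->code = CODE_IDLE;
    return ok ? 0 : -1;
}

/* Worked run: read the angles at LocalPlayer + 0x290 as the thread does. */
int read_angles_demo(struct angles *out)
{
    struct mailbox mb;
    memset(&mb, 0, sizeof mb);
    target_init();
    return um_read(&mb, TARGET_BASE + ANGLES_OFF, out, sizeof *out);
}

/* Requests the driver must refuse: an oversized Size, and an Address past the target. */
int oversized_request_demo(void)
{
    struct mailbox mb;
    struct angles a;
    memset(&mb, 0, sizeof mb);
    target_init();
    return um_read(&mb, TARGET_BASE + ANGLES_OFF, &a, 4096);
}

int bad_address_demo(void)
{
    struct mailbox mb;
    struct angles a;
    memset(&mb, 0, sizeof mb);
    target_init();
    return um_read(&mb, TARGET_BASE + (uint32_t)sizeof target_memory, &a, sizeof a);
}

int main(void)
{
    struct angles a;
    if (read_angles_demo(&a) == 0)
        printf("x=%g y=%g z=%g\n", a.x, a.y, a.z);
    printf("oversized: %d, bad address: %d\n", oversized_request_demo(), bad_address_demo());
    return 0;
}
```

The ordering matters on both sides: user mode writes Size and Address before Code, and the driver writes Bytes before it flips Code to DONE, so whichever side observes the doorbell always sees a complete message. The posted project has neither ordering guarantee, which is why its user-mode half needs Sleep(1).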
 


dretax

CIL Expert
Dank Tier VIP
Fleep Tier Donator
Mar 28, 2020
96
8,273
0
You would not be the first one to do communications through the registry or by hooking something.
Good job achieving it by yourself though, research is always important (y). The "major" anti-cheats would have a major issue "validating" what is touching the registry (when I last tried to attempt this on FairPlayKD I found no actual way to achieve it, and it kinda makes sense), unlike with IOCTL.

So as of right now I would say there is no way to know what driver is modifying the registry, reading, etc...
@mambda papa might be able to either verify, or wreck me on that line.
 

neonplanet

Newbie
Meme Tier VIP
Dank Tier Donator
Sep 7, 2017
248
4,078
13
> You would not be the first one to do communications through the registry or by hooking something.
> Good job achieving it by yourself though, research is always important (y). The "major" anti-cheats would have a major issue "validating" what is touching the registry (when I last tried to attempt this on FairPlayKD I found no actual way to achieve it, and it kinda makes sense), unlike with IOCTL.
>
> So as of right now I would say there is no way to know what driver is modifying the registry, reading, etc...
> @mambda papa might be able to either verify, or wreck me on that line.
Awesome, I knew I wasn't the only one to come up with this idea, just surprised I haven't seen much info on it.

I thought it would be hard to detect because there are countless programs editing registry keys in usermode and driver mode.

Thanks for the info though, man.
 

moleskn

Dank Tier Donator
Full Member
May 25, 2020
15
318
0
> Hello all, I've been working on this project for about a week now. [...]
>
> Here is the source code on github:
>
> tawnix/SickKernelComm
>
> [...]
Was going to have a look at the code on GitHub but it's been taken down?
 

Kleon742

Feature Enthusiast
Moderator
Dank Tier VIP
Dank Tier Donator
Sep 2, 2018
336
16,058
40
> Was going to have a look at the code on GitHub but it's been taken down?
Looks like it..

@neonplanet Why is the master not attached to the fucking thread. smh
This is exactly why Rake made the rules.
No Spamming Your Repos - Attach your zip to the thread
The thread was made on the same day as the rules recap, so it's okay. Just fix it by attaching the old project / PM me if you've got any problems.
You've got 72h to do so.
 

redark974

Newbie
Meme Tier VIP
Full Member
Feb 21, 2018
211
3,798
8
Yo, I also posted this comm method a few months ago. ACs can rekt that by using a simple CmRegisterCallback, so don't (never) forget to XOR your strings. The registry method has been thought of by a lot of people before us tbh, especially by security researchers. Cf. some rootkits :)
 

redark974

Newbie
Meme Tier VIP
Full Member
Feb 21, 2018
211
3,798
8
Also, never take the argument "a lot of programs access it" as an achievement. Remember, in fact, you are not a real program. You are nothing, except memory; it's kinda weird that "memory" accesses the registry. Yes man, you are manually mapped, never forget it. A simple callback recovers your sus reg keys, traces back to what accesses them and sees that, in fact, nothing really accesses them.
 

neonplanet

Newbie
Meme Tier VIP
Dank Tier Donator
Sep 7, 2017
248
4,078
13
> Looks like it..
>
> @neonplanet Why is the master not attached to the fucking thread. smh
> This is exactly why Rake made the rules.
>
> The thread was made on the same day as the rules recap, so it's okay. Just fix it by attaching the old project / PM me if you've got any problems.
> You've got 72h to do so.
Sorry for the trouble to all of you, I had an issue with my GitHub account.


The master zip file is now attached to this comment, and main thread.


Once again sorry to all.


neonplanet

Newbie
Meme Tier VIP
Dank Tier Donator
Sep 7, 2017
248
4,078
13
> Yo, I also posted this comm method a few months ago. ACs can rekt that by using a simple CmRegisterCallback, so don't (never) forget to XOR your strings. The registry method has been thought of by a lot of people before us tbh, especially by security researchers. Cf. some rootkits :)
holy shit, and here I was thinking I was being sneaky. This pretty much renders this method useless for my scope of knowledge on kernel drivers.

I am really enjoying learning about this shit though its so addicting.

Here is a little copy+paste method to be used for reading structures using the registry key method:


Kernel side, reading the structure:
struct angles {
    float x;
    float y;
    float z;
};


// WriteToKey / ReadKeyValue / CreateRegKey / ReadVirtualMem and the global
// ProcessID are helpers from the attached project; only this function is fixed here.
NTSTATUS ReadStructure()
{
    struct angles MyAngles = { 0 };
    DWORD SetBackCode = 0;
    DWORD ReadAddress = 0;      // 32-bit address sent by user mode (the target is a 32-bit game)
    ULONG size = 0;             // "Size" is a REG_DWORD, so read it into a 32-bit variable
    PEPROCESS Process = NULL;
    NTSTATUS status = STATUS_UNSUCCESSFUL;

    status = WriteToKey(L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", L"Code", REG_DWORD, SetBackCode, sizeof(DWORD));

    if (!NT_SUCCESS(status))
        return STATUS_UNSUCCESSFUL;

    ReadKeyValue(L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", L"Size", REG_DWORD, &size, sizeof(DWORD));
    DbgPrintEx(0, 0, "size variable retrieved: %lu\n", size);

    // "Size" is user controlled: never copy more than MyAngles can hold
    if (size == 0 || size > sizeof(MyAngles))
        return STATUS_INVALID_PARAMETER;

    ReadKeyValue(L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", L"Address", REG_DWORD, &ReadAddress, sizeof(DWORD));
    DbgPrintEx(0, 0, "Read key, data received: ReadAddress [+] 0x%08lX\n", ReadAddress);
    DbgPrintEx(0, 0, "Calling RPM now with address: [+] 0x%08lX\n", ReadAddress);

    if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)ProcessID, &Process)))
        return STATUS_NOT_FOUND;

    ReadVirtualMem(Process, (PVOID)(ULONG_PTR)ReadAddress, &MyAngles, size);
    ObDereferenceObject(Process);   // PsLookupProcessByProcessId returns a referenced EPROCESS

    // Create the "Bytes" value sized to the number of bytes that were read
    status = CreateRegKey(L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", L"Bytes", REG_BINARY, &SetBackCode, size);
    if (!NT_SUCCESS(status))
        return STATUS_UNSUCCESSFUL;

    status = WriteToBytes(L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", L"Bytes", REG_BINARY, MyAngles, size);

    if (!NT_SUCCESS(status))
        return STATUS_UNSUCCESSFUL;

    return STATUS_SUCCESS;
}
Writing bytes:
NTSTATUS WriteToBytes(PWSTR registry_path, PWSTR value_name, ULONG type, struct angles data, ULONG length)
{
    UNICODE_STRING keyname;     // full path of the key
    UNICODE_STRING valname;     // name of the value inside that key
    OBJECT_ATTRIBUTES attribs;
    HANDLE handle = NULL;
    NTSTATUS rc;
    ULONG result;

    RtlInitUnicodeString(&keyname, registry_path);
    RtlInitUnicodeString(&valname, value_name);

    InitializeObjectAttributes(&attribs, &keyname, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    rc = ZwCreateKey(&handle, KEY_ALL_ACCESS, &attribs, 0, NULL, REG_OPTION_VOLATILE, &result);

    if (!NT_SUCCESS(rc))
        return STATUS_UNSUCCESSFUL;

    // the raw struct is written as REG_BINARY; never write past the end of it
    if (length > sizeof(data))
        length = sizeof(data);

    rc = ZwSetValueKey(handle, &valname, 0, type, &data, length);

    ZwClose(handle);    // close the key handle on every path, success or not

    if (!NT_SUCCESS(rc))
        return STATUS_UNSUCCESSFUL;

    return STATUS_SUCCESS;
}
And here is how to use it in user mode:
Usermode reading bytes:
// WriteRegKey / ReadRegKey / READ_CODE are the project's user-mode helpers
void ReadBytes(DWORD LocalPlayer)
{
    DWORD dwSize = sizeof(angles);
    WriteRegKey(dwSize, "Size");
    WriteRegKey(LocalPlayer + 0x290, "Address");
    WriteRegKey(READ_CODE, "Code");   // write "Code" last: it is the signal the driver polls for
    Sleep(1);   // racy: nothing guarantees the driver has finished writing "Bytes" by now

    PVOID Test = ReadRegKey("Bytes", dwSize);
    if (Test == nullptr)
        return;

    angles testAngs;
    memcpy(&testAngs, Test, sizeof(angles));   // copy from the buffer, not from the pointer variable

    std::cout << "TestAngs x: " << testAngs.x << std::endl;
    std::cout << "TestAngs y: " << testAngs.y << std::endl;
    std::cout << "TestAngs z: " << testAngs.z << std::endl;
}





Edit: How do they obtain the information on what accesses the registry keys?

On MSDN there is nothing about "program X accesses this key", it just states that it can block specific operations being done to the registry. If an AC blocked any key from being read then it would possibly break a ton of programs.

Am I missing something?
 

dretax

CIL Expert
Dank Tier VIP
Fleep Tier Donator
Mar 28, 2020
96
8,273
0
> holy shit, and here I was thinking I was being sneaky. [...]
>
> Edit: How do they obtain the information on what accesses the registry keys?
>
> On MSDN there is nothing about "program X accesses this key", it just states that it can block specific operations being done to the registry. If an AC blocked any key from being read then it would possibly break a ton of programs.
>
> Am I missing something?
I have an ongoing fairplay bypass project, but afaik you can't really tell what accesses the registry keys. Papa @mambda was telling a lot to me about it.
You can block operations though, and you can see what is going on the registries.

You can do
C++:
InitializeRegistryCallbackTable(DriverObject);

VOID InitializeRegistryCallbackTable(_In_ struct _DRIVER_OBJECT* DriverObject);

NTSTATUS RfRegistryCallback(__in PVOID CallbackContext, __in PVOID Argument1, __in PVOID Argument2);

NTSTATUS RfPreCreateKeyEx(__in PVOID CallbackContext, __in PVOID Argument1, __in PREG_CREATE_KEY_INFORMATION CallbackData);

NTSTATUS RfPreOpenKeyEx(__in PVOID CallbackContext, __in PVOID Argument1, __in PREG_OPEN_KEY_INFORMATION CallbackData);
I was in a hurry but if you want I can provide some samples.
The fairplay information post is something I also have to make.
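As an added example (not dretax's, neonplanet's or any anti-cheat's code), here is a portable C model of the decision a CmRegisterCallbackEx callback can make about a registry operation. On Windows the callback runs on the thread that issued the operation, so it can read ExGetPreviousMode() and capture that thread's stack with RtlCaptureStackBackTrace; here those inputs arrive in a constructed struct so the logic compiles and runs anywhere. The module list, addresses, value names and the KERNEL_SPACE_START constant are assumptions. It shows why the XOR advice earlier in the thread only beats the weaker of the two checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MODE values as ntddk.h defines them: KernelMode = 0, UserMode = 1. */
enum mode { KERNEL_MODE = 0, USER_MODE = 1 };

/* One entry of a loaded-module list (PsLoadedModuleList stand-in, constructed). */
struct module_range { const char *name; uint64_t base; uint64_t size; };

static const struct module_range loaded_modules[] = {
    { "ntoskrnl.exe",  0xFFFFF80000000000ull, 0x01000000 },
    { "ac_driver.sys", 0xFFFFF80040000000ull, 0x00100000 },
};

/* What a RegNtPre{Set,Query}ValueKey callback can gather about the caller:
 * the operation, key path and value name from REG_*_INFORMATION, the
 * caller's previous mode, and a stack capture. Constructed here. */
struct reg_event {
    const char *op;
    const char *key_path;
    const char *value_name;
    enum mode   previous_mode;
    uint64_t    frames[8];   /* return addresses, innermost first, 0-terminated */
};

#define KERNEL_SPACE_START 0xFFFF800000000000ull  /* x64 canonical high half (assumption) */

static const struct module_range *module_for(uint64_t addr)
{
    for (size_t i = 0; i < sizeof loaded_modules / sizeof loaded_modules[0]; i++)
        if (addr >= loaded_modules[i].base && addr - loaded_modules[i].base < loaded_modules[i].size)
            return &loaded_modules[i];
    return NULL;
}

/* Rule A: a kernel-mode caller with a kernel-space return address that no
 * loaded module backs, i.e. manually mapped code. Name-independent. */
static int has_unbacked_kernel_frame(const struct reg_event *e)
{
    if (e->previous_mode != KERNEL_MODE)
        return 0;
    for (size_t i = 0; i < 8 && e->frames[i]; i++)
        if (e->frames[i] >= KERNEL_SPACE_START && module_for(e->frames[i]) == NULL)
            return 1;
    return 0;
}

/* Rule B: the mailbox's own value names under the Run key. This is the
 * check that XORing the strings defeats. */
static int matches_mailbox_names(const struct reg_event *e)
{
    static const char *names[] = { "Code", "Address", "Size", "Bytes" };
    if (strstr(e->key_path, "\\CurrentVersion\\Run") == NULL)
        return 0;
    for (size_t i = 0; i < 4; i++)
        if (strcmp(e->value_name, names[i]) == 0)
            return 1;
    return 0;
}

/* 0 = nothing to see, 1 = value-name match only, 2 = unbacked kernel caller. */
int classify_event(const struct reg_event *e)
{
    if (has_unbacked_kernel_frame(e)) return 2;
    if (matches_mailbox_names(e))     return 1;
    return 0;
}

/* Constructed events for a worked run. */
#define RUN_KEY "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
static const struct reg_event sample_events[] = {
    /* an installer in user mode adding an autostart entry */
    { "SetValue",   RUN_KEY, "OneDrive", USER_MODE,   { 0xFFFFF80000123456ull, 0xFFFFF800001234AAull, 0 } },
    /* the signed anti-cheat driver itself, every frame backed by a module */
    { "QueryValue", RUN_KEY, "Scanner",  KERNEL_MODE, { 0xFFFFF80000234567ull, 0xFFFFF80040001000ull, 0 } },
    /* the manually mapped driver writing "Bytes" */
    { "SetValue",   RUN_KEY, "Bytes",    KERNEL_MODE, { 0xFFFFF80000234567ull, 0xFFFFF80055001234ull, 0 } },
    /* the same mapped driver after XORing its value names: still caught by rule A */
    { "SetValue",   RUN_KEY, "x7Qk",     KERNEL_MODE, { 0xFFFFF80000234567ull, 0xFFFFF80055001234ull, 0 } },
    /* the user-mode half of the cheat ringing the "Code" doorbell */
    { "SetValue",   RUN_KEY, "Code",     USER_MODE,   { 0xFFFFF80000123456ull, 0 } },
};

int classify_sample(size_t i)
{
    if (i >= sizeof sample_events / sizeof sample_events[0])
        return -1;
    return classify_event(&sample_events[i]);
}

int main(void)
{
    for (size_t i = 0; i < sizeof sample_events / sizeof sample_events[0]; i++)
        printf("%-10s %-8s mode=%d -> %d\n", sample_events[i].op, sample_events[i].value_name,
               sample_events[i].previous_mode, classify_sample(i));
    return 0;
}
```

The user-mode half of the cheat is only ever caught by the name rule here, which is the part the XOR advice addresses; the mapped driver is caught by rule A whatever the values are called, because the callback sees a kernel-mode caller returning into memory that no loaded image owns.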
 

redark974

Newbie
Meme Tier VIP
Full Member
Feb 21, 2018
211
3,798
8
I'm pretty sure there is a way, since the registry, like everything else, is just memory. So I'm sure we can still find a way to access this memory and see what is accessing it, by doing some reversing at some point. And if we can do it then we have to think that BE can do it too. So the safest way would be to XORstring your keys atm so nobody can see what is going on in here.
 

dretax

CIL Expert
Dank Tier VIP
Fleep Tier Donator
Mar 28, 2020
96
8,273
0
I haven't dug further into the registry subject, but this is probably a good start if somebody wishes to research further. I just needed to know which keys to read and delete.
 

rzirvi

Full Member
Nobleman
Sep 7, 2019
54
1,183
1
How are you polling the registry key without a system thread? Nice release BTW, it's a decent communication method.

(This is quite similar to shared memory, using a normal buffer and/or section objects.)
 

redark974

Newbie
Meme Tier VIP
Full Member
Feb 21, 2018
211
3,798
8
> How are you polling the registry key without a system thread? Nice release BTW, it's a decent communication method.
>
> (This is quite similar to shared memory, using a normal buffer and/or section objects.)
It's way slower than shared memory to be honest, and you are using a system thread. Just need to find a bypass of their anti-system-thread system :)
 