Tutorial Make your own undetected fast driver!


rzirvi

Game Name: N/A
Anticheat: N/A
How long you been coding/hacking? 1.5 year hacking
Coding Language: C++
Introduction:

Steps to make an undetectable fast driver for BE/EAC:
1. undetected communication method (IOCTL is detected)
2. clear traces (MmUnloadedDrivers and PiDDBCacheTable)
3. avoid allocating pools

that's it! simple right?


Hello! I found an extremely fast and undetected communication method. You just find a function pointer that is callable from usermode and replace it to point to your own function. Anticheats like BE/EAC won't be able to integrity check a function pointer in .data section that is not part of a dispatch pointer table. Most of these function pointers are syscalls in win32k and ntoskrnl, and some are EFI runtime services.

I finished this undetectable driver in 4 hours. (if you can finish this driver in under 6 hours then you are 1337)

credits to @sinclairq/bright for giving me ideas
😳



STEP 1: Finding the function pointer:

Our criteria for this function pointer:
1. must be callable from usermode
2. must not be protected by PatchGuard
3. must have parameters
4. must have at least 1 parameter that is not sanitized before this function call


To start off, we need to find xrefs to guard_dispatch_icall. guard_dispatch_icall is the function called by drivers with control flow guard to protect ALL function pointers from executing unwanted code. If you xref it, you can find ALL function pointers of a kernel driver. It will call whatever function is stored in RAX after the integrity check.

For some reason, guard_dispatch_icall doesn't prevent me from abusing these function pointers at all! Control flow guard does absolutely nothing!!!

ntoskrnl.exe in IDA Pro





Most syscalls are prefixed by "Nt" so I'll search for an "Nt" function.



And I found a function pointer called from a syscall! I won't tell you what it is; finding your own function is an exercise for the reader.

Now we can just set this function pointer (v8) to our own function and pass our own input through the parameters.

code:
    *(functionPtr*)Globals::funcPtrAddress = (functionLevelPtr)handler;
Fun fact: you only need 1 byte of parameter space! You can allocate a buffer in usermode to communicate with extra input/output, and use MmCopyVirtualMemory/KeStackAttachProcess to communicate through this buffer.


Step 2: Calling from usermode and putting everything together


The way you call your function depends on what kind of function you are abusing. I replaced a function pointer that was called in a standard syscall in ntoskrnl.exe, so I am calling my function using LoadLibrary(ntdll.dll) and GetProcAddress().

C++:
    HMODULE hModule = LoadLibrary(L"ntdll.dll");
    function = (FunctionPtr)GetProcAddress(hModule, "censored_because_i_am_using_for_p2c");
Pass your input through the parameters of this function, clear your kdmapper traces, add read/write functionality, and you are good to go for Apex Legends, Rainbow Six Siege, Fortnite, PUBG, and other games with a decent external bypass!
😳😳
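The post claims that a function pointer living in .data cannot be integrity-checked. A defender-side check that this claim invites, added here as example code that is not part of the post or of any anti-cheat product: snapshot the function-pointer slots of a kernel image's .data section at boot, and later flag any slot whose target moved, especially to memory that no loaded module owns. Module ranges, slot addresses and targets below are constructed sample values.

```python
# Added example (not from the post): an integrity check an anti-cheat or EDR
# component could run over function-pointer slots in a kernel image's .data
# section. All addresses below are constructed sample values, not real ones.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class ModuleRange:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def owner_of(addr: int, modules: List[ModuleRange]) -> Optional[str]:
    """Name of the loaded kernel module that backs addr, or None if unbacked."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None

def check_pointer_slots(baseline: Dict[int, int], current: Dict[int, int],
                        modules: List[ModuleRange]) -> List[dict]:
    """Compare each .data pointer slot with a boot-time baseline snapshot.

    A slot is reported when its target changed. Severity is 'high' when the new
    target lies outside every legitimately loaded module (typical of a hook that
    points into a manually mapped driver, which owns no module entry).
    """
    findings = []
    for slot, expected in baseline.items():
        target = current.get(slot)
        if target is None or target == expected:
            continue
        owner = owner_of(target, modules)
        findings.append({"slot": slot, "baseline_target": expected,
                         "current_target": target, "owner": owner,
                         "severity": "high" if owner is None else "medium"})
    return findings

# Constructed sample: three slots, one redirected to unbacked memory.
MODULES = [ModuleRange("ntoskrnl.exe", 0xFFFFF80000000000, 0x1000000),
           ModuleRange("win32k.sys", 0xFFFFF90000000000, 0x400000)]
BASELINE = {0xFFFFF80000801000: 0xFFFFF80000234000,
            0xFFFFF80000801008: 0xFFFFF80000238000,
            0xFFFFF80000801010: 0xFFFFF90000110000}
CURRENT = {**BASELINE, 0xFFFFF80000801008: 0xFFFFC00012345000}
```

Running `check_pointer_slots(BASELINE, CURRENT, MODULES)` reports only the redirected slot with severity "high"; a real implementation would take the slot list from the image's own CFG metadata and the module list from the loaded-module list rather than from constants.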

neonplanet

This shit is crazy, y'all like never fail to astonish me. I need to go hard and be on your level. lol

Kix

Also wanted to add. If you guys are worried about control flow guard getting to you, I think you can just turn it off.

🤣

Edit: Never mind, it will still BSOD you after a while.