Discuss Ring 0 External


Tarolion

Newbie
Full Member
Nobleman
Mar 12, 2015
Hi Guys,

So I've been trying to do this for some time, and I'm failing simply because I don't understand how this level of programming works.

I was hoping we could start a decent discussion on Ring 0 memory reading and editing, and maybe those of you who understand this area of programming well could shed some light on it for the less enlightened among us.

My research so far has told me what Ring 0 is, and some basics about how to enter that level of programming, but I can't find anything that really helps me learn driver-level programming and reading memory. I'm convinced that if I can read memory, I can edit it fairly easily. But how does it work, programming-wise?

Also, in terms of making hacks for games, how does one use memory addresses? Should we stick to virtual addresses, or must we convert our virtual addresses to physical addresses?

My own personal interest in this topic is to make a hack for Arma 3, which I have so far been totally unable to do due to the introduction of the BattlEye rootkit, which strips the Arma 3 process of all handles and therefore prevents us from accessing the memory data without diving under the BattlEye net and accessing the memory via ring 0.

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
R0 = KeStackAttachProcess(peprocessHere, &apcState);
RtlCopyMemory/RtlMoveMemory/MmCopyVirtualMemory (this can take either a physical or virtual address)

basically, you use memory addresses the same as if you were internal, but first you have to attach to a process via KeStackAttachProcess (and make sure to detach with KeUnstackDetach)

Tarolion

Newbie
Full Member
Nobleman
Mar 12, 2015
R0 = KeStackAttachProcess(peprocessHere, &apcState);
RtlCopyMemory/RtlMoveMemory/MmCopyVirtualMemory (this can take either a physical or virtual address)

basically, you use memory addresses the same as if you were internal, but first you have to attach to a process via KeStackAttachProcess (and make sure to detach with KeUnstackDetach)
Will this bypass BattlEye's rootkit? Because that uses ObRegisterCallbacks to detect when something is trying to access the process, and therefore prevents us injecting into Arma 3.

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
ObRegisterCallbacks, aka object callbacks, fire when a handle is being created via things like OpenProcess, OpenThread, DuplicateHandle, etc.

KeStackAttachProcess doesn't require a handle like that; it just requires the PEPROCESS, which can be obtained via PsLookupProcessByPid or whatever tickles your fancy, like walking the process list.

So yes, it will bypass BE.

Tarolion

Newbie
Full Member
Nobleman
Mar 12, 2015
ObRegisterCallbacks, aka object callbacks, fire when a handle is being created via things like OpenProcess, OpenThread, DuplicateHandle, etc.

KeStackAttachProcess doesn't require a handle like that; it just requires the PEPROCESS, which can be obtained via PsLookupProcessByPid or whatever tickles your fancy, like walking the process list.

So yes, it will bypass BE.
Nice, thanks, I'll give this a try :)

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
Oh, just to tack onto this: if you don't want to keep your cheat 100% r0, you can just get a handle from r0 and pass it to an r3 application. That's what I do for one of my injectors, though ofc you'll probably want to protect your r3 app with your r0 driver.

Tarolion

Newbie
Full Member
Nobleman
Mar 12, 2015
Oh, just to tack onto this: if you don't want to keep your cheat 100% r0, you can just get a handle from r0 and pass it to an r3 application. That's what I do for one of my injectors, though ofc you'll probably want to protect your r3 app with your r0 driver.
That was my original plan, but I'm struggling enough just writing the R0 section.

I'm thinking of creating the R0 injector and simply using that to inject my R3 DLL file. Would that be enough?

The one thing hindering my progress is the lack of R0 tutorials or examples I can use as reference. Do you have any suggestions?

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
Yeah, that's enough. Sadly I've got no references for driver programming; it's pretty much dependent on your understanding of C/C++, the OS and the functions relevant to your purpose, and maybe some luck finding a dank undocumented API.

Feel free to HMU on skype tho: edited out LADZZ

maxownage01

Jr.Coder
Full Member
Nobleman
Apr 23, 2015
To join the discussion, what exactly does Ring 0 protection do? Just extra added protection for internal hacks?

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
It does whatever you want it to do; it's up to you to code it for whatever your needs are.

Rake

Cesspool Admin
Administrator
Jan 21, 2014
To join the discussion, what exactly does Ring 0 protection do? Just extra added protection for internal hacks?
For a usermode anti-cheat to access your module and scan it, it must make calls into Ring0 to do the system calls involved in scanning modules/processes. You hook those functions in your Ring0 driver and protect your module/process by denying access, deflecting, or spoofing return values.

If the anti-cheat is below usermode, you need to load your ring 0 below the anti-cheat or before the anti-cheat.

maxownage01

Jr.Coder
Full Member
Nobleman
Apr 23, 2015
Rake;40460 said:
For a usermode anti-cheat to access your module and scan it, it must make calls into Ring0 to do the system calls involved in scanning modules/processes. You hook those functions in your Ring0 driver and protect your module/process by denying access, deflecting, or spoofing return values.

If the anti-cheat is below usermode, you need to load your ring 0 below the anti-cheat or before the anti-cheat.
Thanks Rake, that helps my understanding a lot. Ring0 can be implemented into external and internal hacks, correct?

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
r0 code isn't implemented into something; it's its own thing. You code a driver, and it can be interfaced from a usermode application if you want (so yes, internally or externally) if you allow for that functionality.

Here's a breakdown:

All the stuff you currently use and care about is in ring 3: applications and shit like that.
They talk to things in ring 0 to get information, normally through WINAPI, but also other things that require a device/filter driver and stuff like that, like looking at your file system and knowing what files are where, and being able to access them.

Rake

Cesspool Admin
Administrator
Jan 21, 2014
Thanks Rake, that helps my understanding a lot. Ring0 can be implemented into external and internal hacks, correct?
"Incorporated", yes, but you would need to learn how to program a system driver, and you would load the system driver when you load your hack; you can have your usermode process communicate with your system driver. But honestly, if you talk to people who code payhacks, kernel mode is generally unnecessary. You should really read up on Windows Architecture and Windows Internals so you understand the concepts better. If you prefer videos, check here:

https://www.youtube.com/watch?v=Nc6KKSv_Ljc&list=PLCwUSyNqAQUgkRAgqy3j4Srb2aAqni1P3&index=2
https://www.youtube.com/watch?v=mM5r9VeczTM

maxownage01

Jr.Coder
Full Member
Nobleman
Apr 23, 2015
Rake;40473 said:
"Incorporated", yes, but you would need to learn how to program a system driver, and you would load the system driver when you load your hack; you can have your usermode process communicate with your system driver. But honestly, if you talk to people who code payhacks, kernel mode is generally unnecessary. You should really read up on Windows Architecture and Windows Internals so you understand the concepts better. If you prefer videos, check here:

https://www.youtube.com/watch?v=Nc6KKSv_Ljc&list=PLCwUSyNqAQUgkRAgqy3j4Srb2aAqni1P3&index=2
https://www.youtube.com/watch?v=mM5r9VeczTM
Much appreciated Rake, I shall give these a watch.

Coco Pommel

Newbie
Dank Tier Donator
Oct 19, 2012

Ring 0 is the lowest protection level.
Basically the most control is here, and most anti-cheats aren't kernel mode, so this will bypass them.
Ring0 can be achieved by writing a driver to do what you need to do.

Edit: Didn't notice people answered on page 2. Anyway, here is my contribution.

d0wen

Jr.Coder
Full Member
Nobleman
Dec 26, 2012

Ring 0 is the lowest protection level.
Basically the most control is here, and most anti-cheats aren't kernel mode, so this will bypass them.
Ring0 can be achieved by writing a driver to do what you need to do.

Edit: Didn't notice people answered on page 2. Anyway, here is my contribution.
Ring -1 should be mentioned as well, even though it's highly impractical.