apex legends external cheat
external cheat utilizing kernel gdi rendering & kernel key input
esp, chams, broken rcs
syscall is hooked then called, once called hook is restored and enters a while loop. Usermode thread is trapped in kernel loop where cheat runs.
thread is attempted to be hidden by removing it from eprocess ThreadListHead, as well as the thread being hijacked from a legit process to have a start address backed by a signed process (probaly doesnt matter but cant hurt). where u get fucked is the anticheats stack walk, travesing the stack for address reissindg outside of a legit module. perhaps this isnt a big deal because the thread was created in usermode land so they may not stackwalk it but I have read they do. The threads irp also is in the kernel with its cpl being 0 as well which is supsiocous (u can check threads privledge level by checking SegCs register, SegCs & 3 i suppose u could maybe spoof this too? idk maybe use PspGetContextThreadInternal).
Anyways ive been using it for a week and a half on apex and havent been banned yet (its orobaly coming soon!!!). There is a lot of things that can be detcteded here and a lot of things u can do to hide the thread better
- load the apex_driver.sys with kdmapper or whatever u want to use
- run apex_loader.exe
- this exeucatble loads the apex_client.dll into the speicified process (default EpicGamesLauncher.exe) change your path and hijackled process here
- Use dbgview to verifiy succsefull loading of driver.
- if driver failed to intitalize itself (couldnt get rendering functions, failed to unlink thread) it should return STATUS_UNSCUCUSEFL and a messagebox will popup from hijacked process indicating somethign failed
- change screen rsolusiton for proper w2s, replace all 1920 x 1080
- END key unloads driver
- F1 toggles esp
- F2 toggles rcs, if i rmeebr coreeclrt this was broken so i wouldnt use it
quick dll thread hijack paste https://github.com/hrt/ThreadJect-x64
unkown apex thread for offsets