This is a simple project of a driver + usermode.

Overview

Kernel-Thread-Driver

This is a simple project of a driver + usermode.

Check out the UC post: https://www.unknowncheats.me/forum/general-programming-and-reversing/487919-kernel-thread-driver.html#post3358074

I decided to release my driver I used for quite a while (for BE and EAC games), especially for Fortnite, and it worked pretty well for me (I didn't share the driver). I know kernel thread drivers are quite popular, but I wanted to contribute this to this awesome community, it wouldn't be possible without hundreds of older threads here that gave me the needed information.

Special Thanks to these people, I used some of their code/information in my project: @zach898 @nbq @Frostiest @Swiftik @ShoaShekelberg

The reason this driver is different from other kernel thread drivers, that it's not a full kernel cheat, it communicates with the usermode program too.

The driverentry takes 4 params: NTSTATUS EntryPoint(ULONG64 mdl, ULONG64 code, ULONG64 output, ULONG64 PID)

mdl is the mdl pointer, because im not allocating a pool for my driver. code saves the address what the current status code is. (0 = connected, 1 = success, 2 = error, 3 = disconnected, 4 = reading, 5 = getting base, 6 = init target process) and output saves the address for the UM struct.

Basically it works like this:

I start the UM program. Give the mapper the mdl pointer, code status address, the struct and usermode pid. My kernel driver gets started and nulls the fps, creates a system thread and sets the status code to 0 (connected). While this happens my UM programs stays in a loop until the status code is 0 and then it knows the kernel driver is running. After that i send the target pid to my driver (set the code to 6, my kernel driver is in a permanent loop and always reads the status code and if it's 6, it saves the target pid.) Then I can use basic stuff like reading memory and getting the base address. For disconnecting the usermode, I send the code 3 to my driver, so it knows it should exit the system thread and won't read any more memory from our UM process.

Sidenote: This kernel driver changes InitialStack VCreateTime StartAddress Win32StartAddress KernelStack CID ExitStatus from its current thread.

It supports 1909-21H1.

Obviously this isn't perfect, but it is good for beginners to learn from it. This project shows that this forum is also great for information what the anticheats detect and how to bypass those checks.

The code might be messy, but oh well.

You might also like...
Simple EFI runtime driver that hooks GetVariable function and returns data expected by Windows to make it think that it's running with secure boot enabled (faking secure boot)
Simple EFI runtime driver that hooks GetVariable function and returns data expected by Windows to make it think that it's running with secure boot enabled (faking secure boot)

SecureFakePkg is a simple EFI runtime driver that hooks GetVariable function and returns data expected by Windows to make it think that it's running with secure boot enabled. In other words, it fakes secure boot status.

dogefetch, a project made in C for doges, very project, much wow
dogefetch, a project made in C for doges, very project, much wow

dogefetch dogefetch, a project made in C for doges, very project, much wow. before installing this project uses nerd fonts, please install it to see t

this project is a function in c to take the next line of a file or a file descriptor. this is a project of 42 school.
this project is a function in c to take the next line of a file or a file descriptor. this is a project of 42 school.

Get Next Line of 42. Make with ❤︎ for Luiz Cezario 📌 Index What's this Repo? List of Archives Technologies How to Run Find a Bug? Or somenthing need

The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project.

ATM - Automated Teller Machine The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project. What is ATM? An automated t

The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project.

ATM - Automated Teller Machine The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project. What is ATM? An automated t

The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project.

ATM - Automated Teller Machine The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project. What is ATM? An automated t

This is a project for Rowans ECE Final Project

ECEExposureProject This is a project for Rowans ECE Final Project There are 3 files that can be found in this repository. DHT PIP-Brick - This program

This project generates a keycodes.h file for my fractol project

keycodes_generator This project generates a keycodes.h file for my fractol project It uses the last version of minilibx The program opens a minilibx w

Small commandlet for generating a complete project using UE4SS header dump, Project File and Plugin Manifest

UE4GameProjectGenerator Small commandlet for generating a complete project using UE4SS header dump, Project File and Plugin Manifest Usage Compile the

Owner
Spuckwaffel
Spuckwaffel#5000
Spuckwaffel
KernelReadWriteMemory - Simple code to manipulate the memory of a usermode process from kernel.

KernelReadWriteMemory Simple proof of concept -code to manipulate the memory of a usermode process from kernelmode of a windows NT operating system. T

Zer0Mem0ry 149 Nov 22, 2022
Loads a signed kernel driver which allows you to map any driver to kernel mode without any traces of the signed / mapped driver.

CosMapper Loads a signed kernel driver (signed with leaked cert) which allows you to map any driver to kernel mode without any traces of the signed /

null 154 Nov 25, 2022
PoC capable of detecting manual syscalls from usermode.

syscall-detect PoC capable of detecting manual syscalls from usermode. More information available at: https://winternl.com/detecting-manual-syscalls-f

null 124 Nov 25, 2022
communicate between usermode and kernelmode through a swapped qword ptr argument

communicate between usermode and kernelmode through a swapped qword ptr argument

null 34 Nov 15, 2022
x64 Windows kernel driver mapper, inject unsigned driver using anycall

anymapper x64 Windows kernel driver mapper, inject unsigned driver using anycall This project is WIP. Todo Fix: Can't make API calls from IAT nor func

Kento Oki 71 Nov 26, 2022
Driver leap - Self-sustainable fork of SteamVR driver for Leap Motion controller with updated vendor libraries

Driver Leap Self-sustainable fork of SteamVR driver for Leap Motion controller with updated vendor libraries Installation (for users) Install Ultralea

null 58 Nov 11, 2022
Hygieia, a vulnerable driver traces scanner written in C++ as an x64 Windows kernel driver.

Hygieia The Greek goddess of health, her name is the source for the word "hygiene". Hygieia is a windows driver that works similarly to how pagewalkr

Deputation 101 Oct 28, 2022
Project Etnaviv is an open source user-space driver for the Vivante GCxxx series of embedded GPUs.

Introduction Project Etnaviv is an open source user-space driver for the Vivante GCxxx series of embedded GPUs. This repository contains reverse-engin

null 205 Oct 29, 2022
Simple Player-Glow & Driver Source Included

External-Apex-Cheat Install WDK Build in Release x64 Map driver using KDMapper Launch Game Run User-mode when in main menu Have Fun driver is indeed p

null 102 Nov 8, 2022
External warzone cheat with manual mapped driver (function hook), overlay (nvidia hijack), simple esp, no recoil

external_warzone_cheat External warzone cheat with manual mapped driver (function hook), overlay (nvidia hijack), simple esp, no recoil Offsests are N

NMan 95 Nov 28, 2022