思绪整理

制作一款Bypass AC的CE

Undetected Cheat Engine + Driver | 2023 | Bypass Anticheats (BE / EAC)

Preface: Every now and then I come across someone asking about how to use Cheat Engine in games with anticheats, such as Easy Anticheat or Battle Eye....

https://www.unknowncheats.me/forum/anti-cheat-bypass/504191-undetected-cheat-engine-driver-2023-bypass-anticheats-eac.html

手动映射驱动

方法1 利用在野驱动的漏洞映射自己的驱动 或 直接利用读写内存

Abusing nvidia driver for physical/virtual memory and control register manipulation

Abusing nvaudio.sys for arbitrary physical memory read/writes, control registers (CR0 - CR4 and more). Added in some code for getting system cr3 and p...

https://www.unknowncheats.me/forum/anti-cheat-bypass/597094-abusing-nvidia-driver-physical-virtual-memory-control-register-manipulation.html

UnKnoWnCheaTs - Multiplayer Game Hacking and Cheats

UnKnoWnCheaTs - Multiplayer Game Hacking and Cheats, leading the scene since 2000. We offer a huge amount of information and content for game hacks and cheats through our game hacking forum, download database, game hacking tutorials, and wiki sections. We supply everything for game hack source codes, anti cheat bypasses, game hack tools, game hack programming or free undetected game hacking files.

https://www.unknowncheats.me/forum/3218276-post1.html

方法2 禁用DSE

disable DSE to load cheat engine driver DBK | Bypass EAC

Nothing new, I just made a simple modification to the GDRVLoader associated with the infected Gigabyte GDRV driver to disable the Driver Signature Enf...

https://www.unknowncheats.me/forum/anti-cheat-bypass/602024-disable-dse-load-cheat-engine-driver-dbk-bypass-eac.html

GitHub - zer0condition/GDRVLoader: Unsigned driver loader using CVE-2018-19320

Unsigned driver loader using CVE-2018-19320. Contribute to zer0condition/GDRVLoader development by creating an account on GitHub.

https://github.com/zer0condition/GDRVLoader

GIGABYTE Drivers Elevation of Privilege Vulnerabilities

1. Advisory Information Title: GIGABYTE Drivers Elevation of Privilege Vulnerabilities Advisory ID: CORE-2018-0007 Advisory URL: https://www.secureauth.com/labs/advisories/gigabyte-drivers-elevation-privilege-vulnerabilities Date published: 2018-12-18 Date of last update: 2020-05-14 Vendors contacted: Gigabyte Release mode: User release 2. Vulnerability Information Class: Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control […]

https://www.secureauth.com/labs/advisories/gigabyte-drivers-elevation-of-privilege-vulnerabilities/

NHA DSE Bypass - Pastebin.com

Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.

https://pastebin.com/Gji126hs

GitHub - TheCruZ/kdmapper: KDMapper is a simple tool that exploits iqvw64e.sys Intel driver to manually map non-signed drivers in memory

KDMapper is a simple tool that exploits iqvw64e.sys Intel driver to manually map non-signed drivers in memory - GitHub - TheCruZ/kdmapper: KDMapper is a simple tool that exploits iqvw64e.sys Intel ...

https://github.com/TheCruZ/kdmapper

The Swan Song for Driver Signature Enforcement Tampering | Fortinet Blog

FortiGuard Labs examines the state of Driver Signature Enforcement (DSE) tampering attacks given the increase in attacks leveraging this tampering method. Read more about how defenders can protect …

https://www.fortinet.com/blog/threat-research/driver-signature-enforcement-tampering

Rootkits

广义而言，Rootkit也可视为一项技术。今天，Rootkit一词更多指伪装成驱动程序加载到操作系统内核中的恶意软件，其代码在特权模式运行，能造成意外危险。

GitHub - XaFF-XaFF/Black-Angel-Rootkit: Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality.

Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality. - GitHub - XaFF-XaFF/Black-Angel-Rootkit: Black Angel is a W...

https://github.com/XaFF-XaFF/Black-Angel-Rootkit/tree/master

GitHub - memN0ps/rootkit-rs: Rusty Rootkit - Windows Kernel Rookit in Rust (Codename: Eagle)

Rusty Rootkit - Windows Kernel Rookit in Rust (Codename: Eagle) - GitHub - memN0ps/rootkit-rs: Rusty Rootkit - Windows Kernel Rookit in Rust (Codename: Eagle)

https://github.com/memN0ps/rootkit-rs/

Rusty Windows Kernel Rootkit

Introduction This post will go through some of the basic rootkit techniques, using one of the first publicly available rootkits made in Rust as a proof of concept https://github.com/memN0ps/rootkit-rs/. Many anti-cheats and EDRs are utilizing Windows kernel drivers using rootkit-like techniques to detect game hackers or adversaries. However, this is a cat and mouse game, and the game hackers and malware authors have been years ahead of the industry. Why was this made?

https://memn0ps.github.io/rusty-windows-kernel-rootkit/

新的方法

滥用 LargePageDrivers 将 shellcode 复制到有效的内核模块中 （Lpmapper）

"有效模块"指的是操作系统内核的合法、经过签名或认证的模块，通常是由操作系统或硬件厂商提供并被认为是可信的。这些模块包括正式的设备驱动、文件系统驱动等，它们通过操作系统的加载机制被载入内核。在这里，"有效模块之外"表示作弊驱动被手动映射到内核，但没有经过正规的、系统认可的加载过程。 手动映射是指通过一些工具（如 kdmapper）将自定义的驱动程序加载到内核空间，而不是通过系统提供的标准加载机制。这可能是为了绕过一些系统的安全机制，例如签名验证或其他安全检查。在这种情况下，作弊驱动可能位于内核地址空间的一部分，但并没有经过系统正常的加载过程。

Abusing LargePageDrivers to copy shellcode into valid kernel modules

Introduction Most people in the game hacking community write their kernel-mode drivers to get around kernel-level anti-cheats such as EasyAntiCheat. However, those anti-cheats have several methods to detect cheat drivers. The most commonly used way to load the cheat driver is manually mapping it with tools like kdmapper. Unfortunately, manually mapping a driver in this way causes the code to be outside of a valid module. Recommended communication methods like IOCTL are rendered unusable because they can be detected with a few lines of code.

https://vollragm.github.io/posts/abusing-large-page-drivers/

lpmapper - Execute shellcode in drivers .data section

Hey, many times I have ranted about how people still claim that .text patching a driver (like in the infamous "Null driver") is undetected. ...

https://www.unknowncheats.me/forum/anti-cheat-bypass/495784-lpmapper-execute-shellcode-drivers.html

GhostMapper 将您的驱动程序映射到签名内存中

GhostMapper - Manual map drivers in signed memory

Since it's recently been Halloween and ghosts have been roaming around the forum I'm going to release my own GhostMapper. Ghost mapper maps your drive...

https://www.unknowncheats.me/forum/anti-cheat-bypass/609378-ghostmapper-manual-map-drivers-signed-memory.html

GitHub - Oliver-1-1/GhostMapper

Contribute to Oliver-1-1/GhostMapper development by creating an account on GitHub.

https://github.com/Oliver-1-1/GhostMapper

其他好玩的

仅当调用线程属于用户模式进程时 从内核模式显示消息框

Showing a MessageBox from kernel-mode

Introduction Message boxes provide a simple way to show feedback to the user. In user-mode, a message box can be shown with the MessageBoxW API function. However, this API does not exist in kernel-mode. One of the common ways to display info from kernel-mode is the DbgPrint API, which can be listened to from DbgView or an attached Kernel debugger. Recently I wanted to display a message box from kernel-mode though, so the user can receive feedback easily. There already are sources on how it’s done out on the web, but I want to take you through the inner workings of the MessageBox function itself and add more information to it.

https://vollragm.github.io/posts/kernel-message-box/#messageboxw

Defcon的媒体服务器

media.defcon.org

All DEF CON video presentations, music, documentaries, pictures, villages, and Capture The Flag data that can be found.

https://media.defcon.org/DEF%20CON%20China%20Party/

C++内核编程以及RUST的书籍（废了好大力气搞来的）

function renameComponents(c)
  local i
  if c.Component then
    for i=0,c.ComponentCount-1 do
      renameComponents(c.Component[i])
    end
  end
 
  if c.Caption then
    c.Caption='WTF'
  end
end
 
 
for i=0,getFormCount()-1 do
    local form = getForm(i)
    for j=0,form.ControlCount-1 do
      renameComponents(form)
    end
 
    form.Caption='Bla'
end
 
registerFormAddNotification(function(f)
  f.registerCreateCallback(function(frm)
    renameComponents(f)
  end)
end)