Making A Kernel Cheat - Part 1/3 - KM/UM Communication Via Function Hooking

Captions
What's up guys, welcome to my new cheat series. The kernel driver is going to be reading and writing memory, and the user mode client is gonna be doing most of the calculations, and I'll probably add an overlay as well so it'll have wallhacks and stuff like that. Basically we're gonna hook a random function here; the one I'm using in this video is called NtQueryCompositionSurfaceStatistics, okay, big word. So what we're gonna do is, I'm gonna show you guys in my virtual machine here, after I explain this, how to find this, reverse this, and we're gonna look at the assembly and stuff like that, and we're gonna make our shellcode. Basically what it's gonna do is it's gonna say: move our hook address, which is going to be the address of our function in our driver (or however you load your driver, it's going to be wherever it is), into rax, which is a register, and then we're gonna jump to rax, which is gonna jump to our function and execute our function. And then our function is basically gonna have access to the parameters of this function here. And what's the parameter gonna be? It's gonna be instructions for our driver. And we're gonna say, this is completely an example, let's say there's a boolean read, and we say is read true? Yes it's true, let's read process memory. Okay, otherwise if write is true we're gonna write process memory. And then after all that we're gonna return STATUS_SUCCESS, which means it's basically just not going to run the rest of this function here. So essentially what's gonna happen is every time we call this function here, or every time this function gets called, it's gonna call that hook and then it's just gonna return.

So okay, we've got our kernel hook in place, now how do we actually call this function from user mode, from our client, right? Well, what we're gonna do is we're gonna load a library and we're gonna export the function, and then we're gonna make our little struct here, copy memory, whatever, and we got this little bool read/write, and we make a pointer, we're going to set what instructions we want. There are going to be many more variables because we're gonna need a buffer address, the address we want to read, the value to write, etc. Then we call the function from user mode, which calls the function in kernel, right? So we call that with the parameters that we want, it calls the kernel version, the kernel function runs, and what does it do? It runs our hook, goes over to our driver, runs our hook function, and we get access to the parameters, and it's our struct. So we say, you know, is read true, whatever, like I explained before. Once we do all the instructions we return, okay? Simple as that. So the user mode calls the kernel function where our hook is, in kernel mode our hook runs, we check the instructions, the parameters, whatever, maybe we didn't even call it, so if none of these are true, whatever, it still returns, okay? And that's pretty much it. So we get to communicate with our driver and run this function with instructions whenever we want.

Oh hey guys, how's it going. So we're gonna disassemble the function here. I'm gonna use WinDbg, so I'm in the debug program, yeah, I'm gonna click kernel debug, and since I'm in a VM here I'm just gonna do local debugging. Alright, so once you've got the command line open you're gonna have to do a few commands. Yeah, so we're gonna have to attach to a session space process, and you can do that with explorer, ta-da, you see, like that. Oh no, like that. This is how we get the code, and then do .process /p and then put the code in. Yeah, and there we go. So now we need to reload the driver we want to disassemble, which in our case is dxgkrnl.sys. I forgot that you oughta put a slash ahead before the name, and then that's it. So we can go into a disassembly view and just type in the function name up here and we'll see the function. So the name of the one we're doing is NtQuery... actually, first I'll show you guys how you can find the functions, so hopefully, let me restore the page, yeah, here we go. So I'll leave a link to this down below. This is just that, from Firefox; it's a table pretty much of a bunch of functions. Some of these aren't gonna work, but most of the composition ones do in my experience, I just look through them. These ones won't work I'm pretty sure, with NtDComposition I'm pretty sure that they won't work. It's better if you go down lower, these ones usually work. So HandleInfo, I think this one is fine. So here's our function here, QueryCompositionSurfaceStatistics, so you can just copy that, chuck it into WinDbg up here, paste it and it will show you the function straight away.

Now I'll show you guys how to find like another function if you guys want to make your own hook. Let's say you guys choose this one, HandleInfo or something. Hmm, this one looks pretty good actually, so I'll try to find one that is like a bad one, probably this one, just so you guys know, from my experience at least. Alright, this one looks good as well. Okay, yikes. Okay, this one surely, unbind surface... here we go. So functions like this, where they have this security cookie instruction, yeah, you don't want to hook that one. Okay, in my experience it just blue screens no matter what you do, so I'm pretty sure it's like some sort of security check, obviously. So if it's got this security cookie thing, don't hook that function, look for ones that don't have this security cookie thing. So make sure your function doesn't have that and you should be good. I just went through like two or three just now in a row and none of them had that, so you should be fine, but just so you know, I try not to hook functions with that. If it's got this critical region thing that's fine, you can hook those, but the other security cookie ones are, you know, a bit of a yikes. So I'm gonna go with the one that I'm using for the example; it doesn't really matter at the end of the day, you can use the same shellcode for like most of these functions.

What we want to do is we want to do a mov and a jmp. Now the mov rax is going to be two bytes, so let's say mov rax, and then it's going to be another eight bytes for our function address, right? So that's ten bytes in total for the first instruction; basically for the first instruction we're going to need ten bytes, then for the jmp rax we're going to need another two bytes, so we only need 12 bytes for this hook, okay? Just so you guys can kind of wrap your head around it a little better, I've got the driver here that I'm going to code in this video, I've got it already compiled, obviously. I'm gonna run it, yeah, this is just kdmapper, you guys, I'm sure you can get kdmapper yourself. So I'm gonna load this driver and I'm gonna show you how it changes the function here, so you guys can see what we're doing exactly. Now I'm just going to run it, there we go, and I'm gonna reload the function basically, so I'm just going to delete the S, put the S back, there we go, it's refreshed. You can see how it looks in place. So what do I mean by that? Well, you can see this first address has a lot of bytes, so if you can see the first address here, mov rax, and then it's got our function address, so this is the address of the hook function right now, and then after that it's just jmp rax. So we're putting our function address into rax and then we're jumping there, okay, simple as that. And then the 57 at the end turns into push... interesting. Yes, that's pretty much it. Every time this function gets called it's gonna run this line, it puts our function address into rax and then it jumps there, that's it, it executes our function. So I think this is our function here, the hook function, and basically all I have it do right now is just return, and yeah, you can see right here, I just wrote it. So yeah, that's basically the hook, that's how you find a function, how you disassemble it, you know, look at the bytes, whatever.

Now I'm going to show you how to actually code the driver. So let's start coding this driver. It is not going to be a USB driver, so you want to do an empty KMDF driver, apparently. I'm just going to call it this. One of the first things I'm going to do is some of the settings, the project settings, to help you guys get a successful build. So, very cool, you want it to be x64 Release of course, whatever you want. Make sure Character Set is Not Set. What else? Inf2Cat, you don't want that to run. Driver signing, you want that off, okay. And what else? Linker, oh yeah, you want to make sure the entry point is actually DriverEntry. And there's one more thing I forgot about; I think that's it, well, if we run into a problem I'll show you guys how to fix it.

So the first thing I'm gonna add here is a bunch of the definitions for like the undocumented functions and stuff that we're going to use. Yeah, so the way you can find this kind of stuff is you can just go on ReactOS, and there you go, you see like the function definition, you see the arguments, what it returns, stuff like that. So ReactOS is really good for finding these kinds of undocumented structures or functions so you can try and implement them into your Windows stuff. Yeah, so if you guys want to just copy it out from the video, here it is, it's not too much, I'll just scroll through. It's got a couple of includes here, and then it's got these structures here, and then a couple of function definitions which we're gonna need, so you guys can pause the video, whatever. Shameless plug: there's a link down below to my Patreon, might be top comment or in the description, and on my Patreon, five bucks a month, you can get access to all my source code from every single one of my videos. So try that, it's basically a one-time payment because I only upload like once a month. See ya, man, just five bucks, you can get access to all this source code. You even get a supporter role in my Discord, you get access to locked channels in my Discord where I actually read them and reply. Of course, if you're asking dumb questions, simple questions that can be answered by Google, I'm not gonna entertain them, I'm probably gonna troll you, or someone else is gonna troll you. Speaking of Discord, there's gonna be a link down below, either pinned comment or description, where you can join my Discord, we got a bunch of people there.

So we've got the definitions here. The next thing we're gonna do is a memory header. I'm just going to define some functions, so we want to include definitions and then define some functions. So the first one we're going to need is getting the module base, and that's going to take a parameter of what module we want. Next is gonna be get module export, and then we're gonna need two more functions, yeah. We're gonna need a little write memory function, it's going to need the address, buffer and the size, and then we're going to need one to write to read-only memory. Cool, so include memory. Alright, so we're gonna code the functions now, gonna have to include that header file there. First function, hopefully zoomed in enough for you guys, I'll do a little bit more because I know some of you guys like to code while watching the video, and so having it zoomed in helps a lot. So we want to query the module information here, so we're going to pass it a little enum value there, and then null, and then we're gonna pass the bytes, and then pass that in. So if the bytes is invalid we want to return nothing, and otherwise keep going, okay. So when you're making a pool here and you make a tag, basically pass this hexadecimal value which is converted from text, so that's gonna be the name of your tag. I'm just gonna make one right now, show you guys how you can make it, so like "text to hex", go, yeah, put in whatever text you want, I'm just going to do "null", and there you go, that's the hex you want to put in for the tag. So here you're gonna do 0x, get rid of the gaps, okay, there you go, and that's it. It can only be four letters, I'm pretty sure. Alright, so that's our tag there. And it says "no", you know, because that's... I'm gonna say if NT_SUCCESS, whoops, success, and then we pass status, return. Now, quickly, I'm talking guys, I woke up like half an hour ago and I'm just, I'm drinking coffee and trying to focus, and I'm just, I really do be vibey you know, I really do be buddy. We've already done a string comparison, oh my god. So I'm gonna just explain some of this code because I like literally disconnected IRL.

So getting a list of the modules, okay, and then we're looping through the modules. This is equivalent, if you're doing like a user mode external, this is pretty much the equivalent of taking a snapshot of the process list or whatever, or what is that, the module list or something. So we're looping through these modules here, we're comparing the name of the module that we're looping through to the one we pass in the argument, and we're seeing if it returns zero; it means it matches. So if it matches then we found our module, so we want to save some of the information from that module. So we obviously want the module base, right, because that's what we use for the address calculations. I'm sure you guys already know this, I mean if you're doing kernel reversing and kernel programming I'm sure you know all this, but I don't know, I just don't know what else to talk about when I'm coding. So save the module base and the module size and then we can break after that. Clean up, y'all, so if modules, we want to free that with the tag, modules. I mean you can pass null for that, doesn't matter, I like to use null instead of zero because my name is null, cool, and if you look at what null means, guess what it means, it literally means zero. So after all that we want to return, obviously, what we got, which is module base. Alrighty, now that was probably the biggest function in this like entire program, so that's why I went into Super Saiyan. Cool, these other functions are pretty simple, so next is gonna be get module export, I believe that's what we called it, yeah, you know, and that's got a... alright, so we're gonna need a module pointer and that's gonna be returned from this bad boy, we can pass module, I think I'm right, now where am I going, yeah yeah. So we've got a void pointer on the module, and then basically we just say, is that valid? If it's not, what do we do? Return null. Alright, so otherwise it works and then we just return RtlFindExportedRoutineByName, and the routine name, which is going to be the function name essentially which we want to hook. Cool, so that's that function.

Then we're gonna need the write memory functions, so I'm gonna make a nice small write memory, a little kind of like a wrapper here, it's gonna need the address, buffer and the size, and all it's going to do is just use this definition here, RtlCopyMemory, and basically all that does is it calls memcpy, okay, so you can use memcpy, all that interchangeably. I believe the parameters are a little different, not too sure. So basically if that failed we're returning false, otherwise we want to return true because it worked. So there you go, if you look at this definition it's just memcpy, so you can put memcpy there, it's only a macro anyway. Cool, so this is what we're gonna use to write to read-only memory. Crazy, right? Like the function name describes what it does, it's crazy. So I misspelled the function name there, obviously. IoAllocateMdl, very cool, return false, cool. And then we're going to set it to read/write, nice. See, what we're doing here is we're basically just mapping memory and we're giving it the read/write access. I think I spelled this wrong, it's meant to be cached. Cool, that looks good, yeah. Cool, so once we've done that we can write the memory, so we just got to write memory wherever it's mapped, and then the buffer, size, cool. And then we're gonna need to clean up everything, so we're gonna need to unmap the locked pages and then unlock them and free the memory descriptor, cool. And then we're going to return true because... wait, it's not. Cool. So that's all the memory functions I think we're gonna need. So I actually forgot a line in the memory file here, I forgot to add another query here, so we need to do ZwQuerySystemInformation again. Am I passing the same flag? Yeah, but this time we're gonna use the modules variable, and I completely misspelt it, there you go. So that's the line I forgot, I add that line and then it should work. That's pretty much like the bulk of the coding, now we can move on to like the hook, which is the fun part.

So I'm gonna do a new header file here, hook.h. So for some reason I made a namespace here, so I'm just gonna do the same thing again I guess, null hook, doesn't that sound cool. I'm gonna make this hook kernel function. What's this gonna do? It's kind of cool, the kernel function, so NTSTATUS hook handler, and this is pretty much gonna be a hook, right, and then this is the parameters that were given to the function. Coolio. So now we can code these out. Basically we're gonna set up the function that makes the hook, or sets the hook, basically, so that's gonna be hook kernel function, and it takes in whatever thing we want to hook, so this is gonna be the address of that hook function. So we want to make sure that address is correct, or at least it's valid, because what's the point of trying to hook something if the hook isn't real? Function address, so we're gonna return false if that's not valid. So we need to get the address of the function we want to hook, I'm just going to call it function, and we're gonna need to do a cast here, so reinterpret_cast to a void pointer, a PVOID pointer. And we've got to use that little function here which is gonna be the get module export, so we need to pass the directory to the driver, which is in SystemRoot, System32, and then drivers, and then the name, which is dxgkrnl.sys, I think that's right, let me see, SystemRoot\System32, yeah, cool. And then the name of the routine that you would hook, so our one was NtQueryCompositionSurfaceStatistics. We want to make sure that's valid as well, so if not function... It's gonna be a byte array and I'm just gonna make this, I'm gonna call it orig; basically you just want it to be 12 bytes long, it doesn't really matter what this is. So basically what you can do here is you can put the original instructions from the function, so when you disassembled it you could see the original instructions, then you could copy paste the bytes into here. Basically what that would mean is, when you do the whole hook, if there's leftover bytes in this array it'll put the right bytes in, if that makes sense. But basically the way I do it is there's not gonna be any leftover bytes, because I only need 12 for the hook and I'm gonna put 12 in this array, so it just doesn't really matter, just as long as this is 12 bytes long, which I don't know what I'm up to, I'm up to one two three four five six seven eight, I think that's 12. You can just hover over here and you can see the size of the array, so it's 12, cool, that's 12 bytes, which is how long the hook is gonna be. Now if it was like a detour hook, where it runs the hook and then it goes back to the original function, that's when it would matter to put the actual original bytes in here, because you don't want to crash, basically, you want to have the right instructions that are meant to be executed. But since we're not returning to the original function, it's just running our hook, it doesn't really matter, as long as there's enough space for our hook, that's all we care about.

So we got our shellcode, yeah, and that's gonna be 0x48, 0xB8, and what that translates to is, this is jmp and this is rax, so it's going to be jmp, oh sorry, mov rax, no, jmp rax is the next one, so this is gonna be mov rax, and then afterwards would be our function address. So it would be something like, you saw the original, I did show you guys the actual assembly in WinDbg if you remember that, but I'll just kind of type it out here. So it would be mov rax, if you remember, and then it was like ffffff whatever our address was, right, so that's what this line is doing, and then the next one's going to be the end, alright, so this is jmp rax, cool, yeah, so this is jmp rax. So it's very simple, it's just jmp rax, and what's in rax now? The function address, so it's gonna jump to our function, the hook function. Now we've got that shellcode set up, we're gonna do the actual writing of memory, yeah. Now I just want to say, this right here is what's detected by BattlEye, Easy Anti-Cheat, okay, they sig scan for this, they sig scan for a mov rax and a jmp rax, okay. So if you change the signature of this shellcode right here it's going to be undetected by BE and EAC, that's all I'm gonna say, okay. This is the method I use for my personal hack and it's been undetected for like a month, okay. I use different shellcode, obviously, I'm not gonna show you the shellcode, but I just want you guys to know you can actually make this undetected very easily, okay, I'm gonna say that, it's very easy. So hopefully that inspires you guys to mess around with this and change the shellcode, it'll be undetected, but if you want to just use the shellcode here it'll still work, but it will only be undetected by VAC, okay, you'll get banned in BattlEye and stuff like that.

So let me get to it, so we're going to do the actual hook, yeah, and we're going to put our orig and the size of the original bytes, memcpy, and what type of cast, to a void pointer, and then a void pointer, I want to put orig and then the shellcode starts, okay. I'm gonna get the hook address, yeah, it's gonna be another reinterpret_cast. This is saying bad, why, huh, so you want to put another bracket after this thing here, I forgot about that. Anyway, we got the hook address, now we're gonna do another memcpy, yeah, PVOID, it's gonna be sizeof a void pointer, because it's just a pointer to a function address, and then we're doing another memcpy, and I'm just gonna copy paste this by now, honestly. Like this is gonna be our orig plus sizeof the shellcode, and we also want to do the size of the function address, which is a void pointer, and then we want to put the end, finally, and that's gonna be the sizeof whatever that is, there we go. Alright, so now we're gonna actually write the shellcode to the function, so this is where we're writing the hook, so this is the function address and then we want to do shellcode, and it's gonna be sizeof the shellcode. So basically what we're doing here is we're getting the instructions ready to be written, so the first thing we're doing is we're copying the mov rax into here, and then after the mov rax we put the hook address, right, which is this, yeah, copy the hook address into that, and then lastly we're copying the jmp rax at the end, which would be the last two bytes, into there. That's pretty much the hook right there, okay. Okay, so after that we want to return true because it actually hooked, and now every time that function runs it's gonna run our hook. So now we want to actually write the hook function, right, we want to write the function that runs, and that's going to be called hook handler, and we want access to the parameters, yeah. So eventually this parameter is gonna be some sort of struct we're gonna make, and that's gonna store the instructions on what we want to do, but for now, just to cut this video short, honestly it's going for way too long already, we're just going to make it return success to see if the hook works and see if it blue screens or not. So I'm gonna compile this, see if I get any errors, hopefully not. Actually I haven't even made the main.

Alrighty, so it's time to do the main function, and this is gonna be easy, we just want to do extern "C" NTSTATUS DriverEntry, or whatever you named it in the linker settings; if you followed what I did at the start it would be DriverEntry, and I'm spelling this completely wrong, driver object. So since I'm using kdmapper I can't actually use the driver object or the registry path, so I'm gonna do UNREFERENCED_PARAMETER for both of them, and then we just need to call the hook, pass the address. Alright, so after that we just need to call the hook, oh well, set the hook, and then pass our hook function, just the hook handler, and that should be it, then we can return success. Cool, so let's see, I do have some errors down here, so I'm going to see what they are. So it just means this is the last setting I forgot to do, it's treating warnings as errors, so I think that's in C++, yep, here we go, Treat Warnings As Errors, you want that as No, and then it should let you compile. Awesome, so I'm gonna hop in my VM and try to load it and see what happens. Alrighty, so I'm in my VM now, I've compiled the driver and I've disassembled the function here, so let's see if it works. I'm gonna load it with kdmapper, there we go, the hook works, so we've got the mov rax and then the address of the hook function and then we jmp rax, simple as that. I'm gonna go to the hook address here and you can see, like before, it's just returning, yeah. So that's basically it. The next part of this is going to be adding the user mode client and communicating with the driver, and adding that memory struct to make the driver read and write and do what we want, so that's going to be the next episode, this one was long enough on its own. I hope you guys learned something from this, comment down below if you've got any other series ideas, any video ideas, leave a like as well, subscribe, and once again Patreon down in the link below, you can get the source code from this video and all my other videos, 5 bucks a month, you
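A defender-side check for the exact pattern the transcript describes, the 12-byte "mov rax, imm64 ; jmp rax" stub that the speaker says BattlEye and EAC signature-scan for, as an added example that is not code from the video or its author. It goes a bit beyond the transcript: it decodes the stub for any of the 16 general-purpose registers (13 bytes when a REX.B prefix is needed for r8..r15) and flags a jump target that lies outside the owning module's base/size range; the prologue bytes and addresses below are constructed samples.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of inspecting the first bytes of a routine. */
typedef struct {
    int hooked;        /* 1 if a "mov r64, imm64 ; jmp r64" stub was found */
    size_t stub_len;   /* 12 for rax..rdi, 13 for r8..r15 (extra REX.B on the jmp) */
    unsigned reg;      /* register index 0..15 used by the stub */
    uint64_t target;   /* absolute address the stub jumps to */
} hook_info;

/* Decode "mov r64, imm64 ; jmp r64" at the start of code.
 * mov r64, imm64 encodes as REX.W [+REX.B] B8+rd imm64 (10 bytes);
 * jmp r64 encodes as FF /4 with ModRM E0+rd, preceded by 41 for r8..r15. */
hook_info detect_abs_jmp_hook(const uint8_t *code, size_t len)
{
    hook_info info;
    memset(&info, 0, sizeof info);
    if (len < 12) return info;

    /* REX prefix: W must be set (0x48); B (0x49) selects r8..r15. */
    if (code[0] != 0x48 && code[0] != 0x49) return info;
    unsigned rexb = (code[0] == 0x49) ? 8 : 0;
    if (code[1] < 0xB8 || code[1] > 0xBF) return info;
    unsigned reg = (code[1] - 0xB8) + rexb;

    /* The 8-byte immediate is little-endian: the jump target. */
    uint64_t imm = 0;
    for (int i = 0; i < 8; i++)
        imm |= (uint64_t)code[2 + i] << (8 * i);

    size_t pos = 10;
    if (rexb) {                      /* jmp r8..r15 needs its own REX.B */
        if (len < 13 || code[pos] != 0x41) return info;
        pos++;
    }
    if (code[pos] != 0xFF || code[pos + 1] != (uint8_t)(0xE0 + (reg & 7)))
        return info;

    info.hooked = 1;
    info.stub_len = pos + 2;
    info.reg = reg;
    info.target = imm;
    return info;
}

/* A stub whose target lies outside the module that owns the routine is the
 * usual sign of code belonging to a foreign (e.g. manually mapped) driver. */
int target_outside_module(uint64_t target, uint64_t base, uint64_t size)
{
    return target < base || target >= base + size;
}

/* Constructed sample: the transcript's 12-byte stub with a made-up target. */
static const uint8_t hooked_prologue[] = {
    0x48, 0xB8, 0x78, 0x56, 0x34, 0x12, 0x00, 0x80, 0xFF, 0xFF, /* mov rax, 0xFFFF800012345678 */
    0xFF, 0xE0                                                  /* jmp rax */
};

/* Constructed sample: same idea via r10 (mov r10, imm64 ; jmp r10), 13 bytes. */
static const uint8_t hooked_r10_prologue[] = {
    0x49, 0xBA, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, /* mov r10, 0x0807060504030201 */
    0x41, 0xFF, 0xE2                                            /* jmp r10 */
};

/* Constructed sample: an ordinary prologue (mov [rsp+8],rbx ; push rdi ; sub rsp,20h). */
static const uint8_t clean_prologue[] = {
    0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x83, 0xEC, 0x20, 0x90, 0x90
};

int main(void)
{
    hook_info h = detect_abs_jmp_hook(hooked_prologue, sizeof hooked_prologue);
    printf("hooked=%d reg=%u target=0x%016llx\n", h.hooked, h.reg,
           (unsigned long long)h.target);
    hook_info c = detect_abs_jmp_hook(clean_prologue, sizeof clean_prologue);
    printf("clean prologue hooked=%d\n", c.hooked);
    return 0;
}
```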
Info
Channel: Null
Views: 144,480
Keywords: c++, tutorial, simple, easy, code, source, programming, copy, paste, beginner, null, terminator, free, new, updated, hack, cheat, csgo, game, hacking, cheating, gamehacking, for, 101, how, to, how to, vmt, virtual, method, table, hooking, hook, internal, external, multihack, series, bhop, bunny hop, hop, quick, fast, counter strike, global offensive, part 1, playlist, episode, kernel, battleye bypass, easy anti cheat bypass, how to bypass battleye, km um communication, undetected 2020
Id: KNGr4m99PTU
Length: 42min 23sec (2543 seconds)
Published: Fri Jul 17 2020