YOUR FIRST KERNEL DRIVER (FULL GUIDE)

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

how's it going ladies and gentlemen my name is Cass and welcome back to the channel I haven't released a pure coding tutorial in way too long according to my channel it's been at least over a year so this is going to be interesting I'm sure you've read the title but today we're going to be coding your very first colel driver alongside that we are going to code a user mode application which will be a CS2 Bunny Hop cheet for educational purposes which will use our driver to read and write process memory that way you don't have to use the windows API and it's literally going to be undetected on vac uh forever as long as vac is user mode the third application that you see here is just a driver mapper called KD mapper it's a very popular application for loading unsigned drivers which we are going to use in this video anyway I'd like to actually show you what we are going to be coding in this video so I'm going to launch CS2 and I'll get back to you all right so I'm in game and I have my epic demo 420 open the process of loading this treat is going to be pretty simple you're going to grab the driver going to drop it onto KD mapper hit yes yes and as you can see the output says success that means it worked the next step is to just run our user mode application if I run that we see attachment succeeded that means it did connect to CS2 and uh basically you can open and close this application a million times now uh the driver is always going to be running until you restart your computer let me hop in game and show you what it does all right so we are over here on Ancient everyone's favorite map and if I go ahead and hold down space bar as you can see we just be hop uh add infinitum forever pretty cool and you can show all your friends now just to save everyone some time the driver that we are going to be coding in this video is going to be an iocl driver obviously I will explain what that is later but for people who know what that is that is the driver we're going to be coding now before we actually get into the tutorial I'd like to say that all of the source code from this video is going to be available to my patrons so if you're interested in that go ahead and sign up down below while you're at it I would really appreciate it if you checked out my Instagram and Twitter profiles in the description and you might as well like And subscribe because uh this is going to be a cool video another thing I'd like to say is that this driver is not going to bypass like other colel anti cheets this driver is literally only going to bypass uh user mode anti cheets anyway without further Ado let's get into installing our prerequisites all right so to begin we are going to install Visual Studio why because Visual Studio is the standard way to code C++ on Windows and of course we're going to be using Windows in this tutorial in order to install Visual Studio you're going to head over to this website link will be down below and you're going to go ahead and download the community version just hit this free download button that's should begin a download as you can see it's number one for me that's cuz I've done this already once that's done you're going to go ahead and run this program and this is going to install the visual studio installer for you now I'm not going to go ahead and do that because I already have that installed so visual studio installer once that's installed it should look like this for you except you're not going to have every anything here where you see Visual Studio community 2022 preview that's because I already have it installed instead you should come over here to this available Tab and you should install Visual Studio Community 20122 now in this video I'm going to be using version 17.90 preview 5 you are probably going to be using uh the normal version the only difference between the preview and the normal version is the UI is a little bit more modern so I'm kind of future proofing the video because in the future this is what Visual Studio is going to look like but anyway go ahead and install Comm because that is the free version of Visual Studio once you click this install button you should see a menu like this pop up right for me I went to modify my current installation but for you this should pop up by default as I said earlier we're going to be using C++ to program uh our driver and our application so first of all you're going to want to select desktop development with C++ just click that that check box the only other thing we need to install is uh coming over here to individual components what you're going to do is type in Spectre latest and you're going to install the latest version of the spectum mitigated libraries for your platform in my case I'm x64 x86 so yeah go ahead and make sure that's installed as well then go ahead and close or hit the install button whatever it is for you and after that's installed you should now see Visual Studio Community sitting over here at this current time we can build basically any C++ program but we still can't build drivers and that's because to code drivers you need something called the Windows driver kit once again link will be down below but you're going to come over here to this website which is the Windows driver kit and they are basically going to explain exactly what I just told you which is install Visual Studio 2022 and be sure to install the Specta mitigations as well after that you're going to come here and you're going to hit download Windows SDK and you're going to install that so once again you're just going to click on that it should download and once that is installed let me just go back here you're then going to install the Windows driver kit now if you are trying to code a colel driver you should be able to install these three things by yourself okay cuz I'm not going to redo this for this tutorial it's it's very simple the only thing to note with install wdk is be sure at the end of the installation to select uh install Visual Studio extension because that is what we want we want the extension for visual studio which will allow us to work with drivers once this has been installed go ahead and open up visual studio for me once again it's called preview but for you it will just be normal and uh create a new project and if you set your filters to C++ windows and you should now have driver you should see all of these templates if you see all of these templates you've done it correctly and it's time to move on if you don't see these templates uh go ahead and restart the video start from scratch do everything again and hopefully it works okay so now that we have Visual Studio installed with the Windows driver kit we can code drivers but there's still one problem when you code a driver if you make a programming error in the driver and your program crashes or your driver crashes what happens is it corrupts your entire system memory memory which results in a nice blue screen of death that makes coding drivers extremely impractical if I was constantly coding a driver on this machine loading it into KD mapper and then uh my computer's constantly blue screening you just you can't realistically code anything like that so the way to get around this is to either have a second computer or to make a virtual machine and that's what we're going to do quickly once again down below you're going to go ahead and click on the VMware link we're going to be using VMware inside of this tutorial but you can use any uh desktop hypervisor thing that you want to use to download VMware Workstation you're literally just going to scroll down and you're going to click here try workstation 17 player for windows download now that's going to download the VMware Player and you're going to go ahead and install it by yourself once again cuz you're trying to code a kernel driver you can install things by yourself once VM player is installed you should be able to launch it and it's going to look something like this obviously I've deleted my virtual machines that is something I will set up with you in this tutorial but uh make sure your VMware looks something like this before we can actually create a virtual machine we do need an operating system to create the virtual machine with so in this video we are going to be using uh Windows 11 but this tutorial should work on any version of Windows by the way now generally speaking when you're coding drivers you want your virtual machine and your host machine to be on the same Windows version right so because that means that it's guaranteed that it's going to work on both machines but the type of driver that we're going to be coding in this video known as as an iocl driver is actually very Universal it's very standard so it actually doesn't really matter what version of Windows uh you're going to be testing on what does matter though is uh mapping your driver but luckily KD mapper does work on Windows 23 H2 so what I'm going to do in this video is my host machine is going to be 23 H2 and my virtual machine is also going to be 23 H2 if you are on the latest version of Windows you can download a dis image directly from Microsoft for free just like this go ahead and click the link in the description for the windows download then you're going to come down here to download Windows 11 disk image because we need an ISO file which is a disk image it's the it's the operating system in a binary uh we're going to select download Windows 11 and you're going to download now then you're going to choose your language which of course is going to be English and going to go ahead and confirm and then this will give you a link to download uh for 24 hours just go ahead and click that it's going to be pretty big uh mine was about 6 gigs I believe but uh yeah once that's downloaded I recommend that you make a folder somewhere called VMS and inside of that uh I went ahead and I put my ISO in there we're going to use this ISO to create a virtual machine very shortly so let's do that okay so once VMware Workstation player is running we're going to go ahead and click create new virtual machine we're going to use install a disk image file so that's once again this is the iso that we just downloaded so you're going to hit browse you're going to go and find your ISO wherever you uh saved it we're going to select that and we're going to go ahead and hit next now you can name it whatever you want and I'm going to save it I'm going to save it specifically into this VMS folder and that's where our VM is going to be saved so we're going to go ahead and click next uh now we're going to select only the files needed and we're going to make a password it's going to be super strong 1 2 3 4 5 6 7 8 the reason it goes up to eight is because they require eight uh characters but you can make this password whatever you want mine's literally just 1 2 3 4 5 6 7 8 and next uh now this is just going to depend on your computer and how good your computer is but for me four works and we're going to split the the dis go ahead and click next uh we're not going to customize any hardware just yet but we will later on uh in in the next section in order to set up kernel debugging but for now you just leave this as default and hit finish this is going to go ahead and create your virtual machine now this is going to take some time and if you see something like this timeout EFI network uh don't worry this is normal going to leave it right here it's going to sort out its thing it's going to do its thing and I'll catch catch you guys when we are at the boot screen all right so after a few minutes you should see a menu like this what we're going to do is click on the virtual machine and if you use your arrow keys you can of course navigate we're just going to click boot normally hit enter and hit enter again and as you can see Windows 11 is now booting up by the way if your mouse gets stuck in the virtual machine just hit control and ALT and you'll get your mouse back okay so we now have our Windows set up let's go ahead and set up our Windows going to hit next install now and that's going to go ahead and install Windows for us obviously I don't have a product key Windows 11 home is fine accept the user license agreement at this point you're going to select custom install not upgrade you're going to install Windows onto this drive next obviously this is going to take some time so I will catch you guys when this is finished installing all right ladies and gentlemen it took forever but we are now setting up Windows so just go ahead and go through the Windows setup process I'll catch you guys when it's done all right that took forever but we are now uh we have our virtual machine up and running the only thing I want you guys to do for now in the virtual machine is come up here to your player click manage and install VMware tools then go ahead and click on this DVD drive VMware tools thing that pops up and run setup 64 the typical version is fine go ahead and install okay cool VM tools has been installed now as you can see you need a restart uh I'm just going to say no for now now I'm just going to go ahead and power off this guest cuz we have successfully set up our virtual machine all right so at this point you should have Visual Studio installed with the Windows driver kit so we can make drivers alongside that you should have uh a virtual machine a working one that is set up the next step is we're going to set up our kernel debugging that is our third requirement if you are not interested in debugging your driver at all then you can skip this entire section but I highly recommend that you do set up kernel debugging because it gets very difficult to figure out problems when you can't even read messages that your driver is sending you anyway to set up kernel debugging this is going to be uh quite a process so stick with me here but to start off we're going to open up VMware Player again we're going to click on our virtual machine that we want to debug and we're going to go ahead and edit virtual machine settings next we're going to go over here and we're going to click add and we're going to add a Serial Port as you can see mine is named serial Port 2 yours might be called serial Port one I'll talk about that in a minute now you're going to want to connect at power on and for connection we're going to change that to used named pipe the name of the pipe that we're going to use is going to be uh double back SL do SL pipe back SLC comore n but n is going to be whatever number serial Port you're using so for us it's going to be two next this end is the server and the other end is an application finally you're going to go ahead and click on this yield CPU on poll that's very important and I don't know if I mentioned it but connect on at power on is also important after you've added all of that you're going to go ahead and click okay and and perfect now you can leave this window open but we're going to need to install a special program called wind debug you can type wind debug into your search bar you might have it already I've got a few versions installed but we're going to install this latest version in case you don't have it you're going to head down to this link in the description down below and you're just going to click download when debug this is from Microsoft obviously and it's the newest version you're just going to run the installer and go ahead and click uh for you it'll be installed but for me it's reinstall or launch okay so now that you have one debug installed we're going to go ahead head and we're going to launch our virtual machine again so go ahead and click play Virtual Machine all right cool once your virtual machine has uh booted up if you hover over this icon over here you should see serial port to using name pipe and the name of our pipe uh make sure that that is happening right now we aren't debugging anything we're still setting up the debugging so next what we're going to do is we're going to come to the search bar and we're going to search system configuration my virtual machine is just a little bit slow so we need to wait a few seconds here there we go system configuration ation and go ahead and run that now we're going to go to the boot Tab and we're going to select our current OS and we're going to go to Advanced options what we're going to do here is we're going to turn on debug and the debug Port is going to become whatever Port you chose in your virtual machine earlier so for us remember we use serial Port 2 our name is Comm 2 if your serial Port was one you'd use Comm 1 but for us it's Comm 2 we're going to enable B AUD board rate and that's going to be 115200 and uh that's about it go ahead and click okay apply and this is going to require us to restart our system again but uh for now I'm just going to exit without restart and I'm going to come here and I'm going to direct you to uh your security tab so I want you to type in security window security so before we restart our virtual machine we're going to come here to security and we're going to disable basically every single thing we can so go tab by Tab and go ahead and disable everything so let's go this is where it gets quite important because now we get into uh an interesting part here which is I believe this is called device security you should have a tab over here called core isolation make sure memory Integrity is off and you might have an extra uh box over here which I'll show you on my host PC quickly coming over here to our core isolation in the security tab as you can see on my main PC I also have Microsoft vulnerable driver blocklist if this is there turn that off make sure that that is off let me just turn it off quickly that turned it on but yeah we keep that off so obviously in the VM it's not here uh but uh you will actually need to repeat all of these steps if you want to run the cheat on your main computer you'll have to turn off all of your antivirus protections including that potential block list cuz that is going to block KD mappa but I'll talk about that a little bit later anyway we're going to continue down here turning off everything that we can now you can go ahead and power off your virtual machine again we're going to go shut shut this down close it it's good all right so at this point you should have a virtual machine which has VMware tools installed we've also set up the debugging in uh the system configuration as well as disabled every antivirus uh option we could find what we need to do now is we actually need to set up our host computer for kernel debugging before we can actually do that we need to check something so what you're going to do is you're going to search for Powershell Windows Powershell you're going to right click and run as administrator we need an elevated Powershell for this and we're going to check if your computer currently has secure boot on you can check if secure boot is on by running confirm - secure boot UEFI in an administrative Windows Powershell as you can see when I run it it says false because that means my secure boot is off if this says true for you I need you to go and Google how to turn off secure boot for your computer because secure boot will not let us turn on kernel debugging but anyway while you're here we can now turn on kernel debugging so we're going to do that with a simple command BCD edit SL debug on hit enter and you should see this operation complet successfully if you have a secure boot if secure boot says true this debug on is going to fail and once again just to confirm this is happening on your host PC it's the one that runs the virtual machine you don't do this in the virtual machine we've already set that up okay we are going to need to do one more command over here it's going to be BCD edit SL dbg settings serial debug port and you're going to set this number to uh once again whatever number uh Port you were using whatever serial port for us it's being two this whole time the name is com 2 and everything like that for you it might be one it might be three it doesn't matter and we're also going to add the board rate over here and we're going to set that to the same number which is 115200 and we're just going to hit enter okay so at this point you are going to need to restart your computer so go ahead and do that and I'll catch you guys back here when that's done at this point you should have one debug you should have a virtual machine that is set up to debug and you should have set your host machine up to debug the only thing that's left now is to actually set up the debugging in Wind debug so let's go ahead and run wind debug but we're going to run it as an administrator click yes we're now going to go to file and we're going to go to uh attach the kernel you're going to select Comm and you see whatever settings I have here we're going to copy these settings it's going to be pipe select that reconnect select that zero resets the same board rate we've been using this whole time and the port is now going to be the name the full name of the pipe uh that we created in VMware let me just pull up VMware to show you as a reference reference once again if we come to our virtual machine we edit virtual machine settings we go over here to our serial Port you'll see that this name needs to be the same as this name same board rate and uh yeah that should be it at this point to test that kernel debugging Works we're going to go ahead and click okay you should now see in uh when debug waiting for pipe comp 2 if you go ahead and play your virtual machine we should see a connection here very soon and there we go as you can see uh we have found a connection right over here we are connecting to the virtual machine kernel through our host PC through a named pipe and a Serial Port all right at this point we know that our kernel debugging is working at least as far as we can tell because we can see the connection over here so at this point you can just go ahead and turn off your virtual machine and you can close when debug okay so we have currently installed three of four requirements we have Visual Studio we have a virtual environment we know how to debug that virtual environment the only thing left as a requirement is uh KD mapper getting the mappa that we're going to use to actually load our driver after that we're going to get into coding so in order to get KD mapper you're going to go to the description down below you're going to click on the KD mappa link which will take you to this GitHub repository what you're going to do is you're going to go ahead and click download with zip on the code button once again KD mappa Master one cuz I already have it after that we're just going to click on it and we can go ahead and extract it to our desktop for now of course you put it wherever you need it to go we're going to double click on the project and we're going to open up KD mappa do solution once again you should already have Visual Studio installed so this should not be a problem for you now what you can do is you can just set this to release and go ahead and build but I like to make a simple change to KD mappa over here in main uh I would highly recommend you go through here and you just add a few standard C CN dogs you just add a few lines like this uh everywhere where the where KD MPP is going to return the reason you want to do that is because otherwise KD mappa it literally just uh closes instantly you can't read any output so by adding this uh cin.get it's going to pause the closing of the application until you hit a button and this is also the beauty of uh open source programs we can just modify them to however we like Anyway once you've added all your sin dogs we're going to go ahead and build the solution you should be able to find a KD mappa binary by going to x64 in the KD mappa folder release and right there cool that wraps up all of our requirements for coding this driver once again we have Visual Studio we have the Windows driver kit we have a virtual machine to test our driver on uh we also have kernel debugging setup on the host and on the virtual machine plus we have a way to map our driver with KD mapper all that's left to do now is to actually jump into coding our driver and our application so let's do that in this High paste everchanging modern world it can be difficult to stay up to date with new technology finding accurate high quality information for a reasonable price is is almost impossible and that's precisely why this video is sponsored by brilliant.org brilliant is the best way to interactively learn maths science and computer science the platform is designed to be fun and interactive with thousands of bite-sized lessons taking you from Basics all the way to Advanced topics if you're interested in leveling up your programming game I'd highly recommend their introduction to algorithms course the lessons follow a natural linear path which takes you from fiddling with pseudo code to understanding necessary algorithms like binary search or bubble source and much much more so whether you're a student looking to AC your exams or a professional looking to upskill you can try everything brilliant has to offer free for a full 30 Days by visiting brilliant.org or by clicking on the link in the description down below the first 200 of you will get 20% of brilliant's annual premium subscription thanks for listening and let's get back to the video all right uh how's it going ladies and gentlemen this is Cass from the next day I tried to record the segment yesterday and it utterly failed so you know it's a new day it's a new dawn it's time to retry anyway in this segment we're going to be coding our driver along with our user mode cheat for CS2 for educational purposes right uh so let's go ahead and get started we're going to begin by opening up visual studio of course and we're going to create a new project now when I create these user mode colel mode projects I like to use a blank solution as you can see over here it's it's in my recent projects it probably won't be in your recent project so you're going to have to change your filters just type in blank solution you should be able to find it we're going to create one of those this allows us to put many projects in a single solution it'll make more sense now we're going to call it something I'm going to call it sexy driver because it's going to be very sexy and continue once you've created the project you should see Visual Studio open up uh what we're going to do now is we're going to right click on the solution we're going to go add a new project and we're going to start off by adding our user mode project so that's going to be a C++ project and I like to use the empty project uh configuration because I don't like all of these other templates with all this boilerplate uh nonsense so we're going to use an empty project next and I'm just going to name it um for user mode but you can name this whatever you want you can name it cheat you can name it app you can name it client whatever you want to call it so create now I don't like using uh visual Studios filter system if if I right click on here on my project and I say add as you see it says new filter a filter only exists in Visual Studio it adds no files on your disk so what I like to do is click on my project and then click this button here show all files and that makes it so that uh what you see in visual studio is actually a reflection of your disk once we've done that we're going to go over here we're going to add a new folder and we're going to call that Source right SRC and after that we're going to add our main.cpp file into our SRC folder so main.cpp and uh we can just code a simple hello world application over here cool okay so we we have our simple hello world application here because we've added a CPP file to the project Visual Studio can Now understand understand that we do want to make a C++ project now before we go on and add our kernel mode project we do have some properties to change in this user mode project so we're going to right click on the project and you're going to scroll down to properties make sure you have configurations set to all configurations make sure your platform is set to x64 we're going to change the output directory to just build like this solution D build and then we're going to change the intermediate directory to the same so we're going to copy the buold thing and we're going to change it to _ intermediate otes what we're doing here is we're making it so that this user mode project uh will be built into a folder called build in our solution directory so in the same directory as the SN file there will soon be a buold file uh that will hold our buold make sure to keep the configuration type as application. exe because we do want to make an exe and we're going to change our language standard to C++ 20 now the only other thing we need to change for this tutorial is we're going to come down here to Linker we're going to go to all options and we're going to type in you UAC and this is going to be able to let us set an execution level for our program because we're going to be using iocl communication and everything like that we are going to need to create a file which is going to need it's going to require admin privileges so by changing UAC execution level to require administrator uh what this is going to do is it's going to make it so that you have to run our program in administrator even when you build it it's going to be admin the last thing that we need to change here is we're going to come over here to C++ we're going to come over here to code generation and where you see runtime Library we're going to change this to be MTD multi-threaded debug the reason we do this is because if you want to share your exe with many systems uh they all need to have the same dependencies installed uh that our program depends on by changing runtime library to multi-threaded debug what the compiler is going to do is it's going to embed all the dependencies into our binary so the size of the binary is going to be a lot bigger but uh it's going to be able to run on your virtual machine if you don't have this on if you try and run your program on the virtual machine it's going to give you a dependency error it's going to say that the runtime the the visual C runtime is not available anyway after that's done uh you can click okay and we have successfully set up our user mode application for now if you click this button you should be able to run it as you can see it's asking me to restart Visual Studio because it needs us to run the program in uh administrator so let's go ahead and do that okay now that Visual Studio has been opened as administrator we should be able to run it now and as you see sub to C for real which you should do and you should also subscribe to my patreon and you should check out my Instagram and Twitter down below but that is besides the point now that user mode application is done we're going to go ahead and right click on our solution again and we're going to add our kernel mode application going to be a new project once again C++ platform Windows project type driver and what we're going to look for is this uh kernel mode driver empty obviously I have it under my recent projects but you will have to go and find it kernel mode driver kmdf but this is not empty we don't want this one we want this one kernel mode driver empty next once again I'm just going to name this km but you can name it driver you can name it uh whatever you know whatever your heart desires it doesn't matter for us it's going to be km for kernel mode create once again visual studi uh filter thing is happening over here which I hate so we're going to click on the project and we're going to click the show all files button we're going to do a very similar thing here we're going to go new folder source and we're going to add our main. cppp file after that we can write out our simple hello world uh from the kernel so that's going to be hash include NFS and then we can just create our driver entry and in order to print from the console uh we're going to use debug messages so we're actually going to make a little helper quickly to debug print so and in order to print we're going to use KD print ex we're going to use KD print ex uh the component is going to be a driver the level is going to be info and we're just going to pass in the text that we took as a parameter one thing you do need to remember with KD print is that you have to call this with two parentheses anyway we're going to go ahead and debug print uh all that we need to do now is just quickly set up our kernal mode properties so right click on your project and go to properties once again make sure you have all configurations and platform x64 and we're going to do something very similar where we're going to change the output to solution d/b we're going to change uh the intermediate directory to kmore intermediates we're going to change our C++ language standard to C++ 20 we're then going to go over here to the C C++ tab code generation and security check on all configurations we're going to set that off right this is so that uh we can use KD mapper to launch to load our driver and uh after that the only thing we need to change is in the Linker we're going to come over here to Advanced and where it says entry point we're going to rename this to just driver entry and apply okay at this point you should be able to go ahead and click build build solution and if we navigate to our solution directory you should now see a build folder if you click on that you should find your km.is and your .exe and make sure that your .exe does have this little administrator sign next to it that means that you did set it up correctly all right so within our kernel driver project we're going to begin by importing some functions that we need uh that are undocumented in n kernel the functions that we need are IO create driver and mm copy virtual memory we're going to use IO create driver to make our iocl driver compatible with KD mapper and that'll make some more sense in a little bit and we are going to use mm copy virtual memory to uh Implement read and write process memory inside of our driver Now by declaring these functions by forward declaring these functions inside of this xtone C block this is actually going to allow us to call these undocumented Windows API functions when I say undocumented what do I mean well there might be documentation for them out there uh undocumented just means that basically you can't call them by including things uh what you have to do is you have to forward declare them and then we can call them uh this will make some more sense a bit later but basically when you are coding drivers you're going to come across this a lot you're going to be importing a lot of functions that Windows doesn't necessarily want you to use um but yeah the internet's your friend with this one after that we're going to go under our debug print function and we're going to create a namespace called called driver within that namespace we're going to create another namespace called codes and this is going to hold our iocl codes so let's get started by creating our iocl codes all right so here you are looking at an example iocl code and I realized that I haven't even really explained what iocl is iocl stands for input output control and it's a very common way for drivers to communicate with user mode applications and vice versa according to msdn over here user mode applications send ocls to drivers by calling device IO control so in our user mode application we will be calling device IO control to send a structure to our driver then inside of our driver we can access the structure that we sent from user mode which is going to hold addresses uh and then we can uh perform whatever operations we need to now how do we determine what operation we're going to perform well that's with the code uh we create codes that represent different operations and then inside of our iio device control uh inside of our device control um Handler we are then going to operate on the different codes I don't know if that makes sense uh but hopefully it will make some sense once we see the code I'll explain it again so yeah in order to create a code uh we use this macro over here CTL code and that basically just creates if I hover over attach over here it creates a constant right and that's why we're making it Con exper constant expression uh and the name of this code is attach and the code of this code is 0 69 uh 6 very nice number over there all that really is important here is that we're using method buffered right because our iotl method is going to be buffer IO which is going to allow us to send little bits of data between both our applications um at a very fast rate which is what we want but anyway what you're going to do now is you're just going to copy this uh code that you made and we're going to paste it two more times and we're going to rename these to read and then write and remember to increment The Code by one every time we kind of the same code representing two things so we have ZX 696 697 698 we have the code for attach read and right we're going to call attach uh we haven't made the logic for attach yet but you can kind of Imagine attach as uh something that we're going to implement later uh this is going to basically set up our driver before we call uh read and write which are of course read process memory and WR process memory we're going to have to call attach to our to attach our driver to the process that we do want to read and write process memory from but anyway that's it for our codes our codes are done we're making them at compile time there's a write code a read code and an attached code and later on we're also going to need to copy this and put it into our user mode application but anyway moving on from this under that codes namespace still inside of the driver namespace we are going to create our struct that we're going to share between uh user mode and kernel mode we're going to name it request and basically this is going to hold the data that we're going to send from user mode to Kernel mode and and uh vice versa that it's going to send back to us so let's do it the first field is going to be of type handle and that's going to be process ID then we're going to have two P voids then we're going to have two size undor T arguments so not arguments Fields uh the first one's going to be size and the second one is going to be uh return length or return size intuitively process ID is going to be the process ID of whatever the process we're trying to hack Target and buffer this has to do with um mm copy virtual machine uh sorry not virtual machine mm copy virtual memory we're going to set our Target and our buffer you know for read and write process memory and then this will also have to do with read and write process memory uh as I as I said a few times this will make more sense when you actually see it being used so for now we have our codes we have our request what we're going to do now is we're going to start setting up our driver in driver entry all right so in driver entry what I've done here is I've created a Unicode string called driver name and I've called RTL init Unicode string so one thing you need to understand about the kernel is that when uh functions want strings they typically don't want a const CH pointer you know a const character pointer what they want is a p unic code string uh or a unic code string pointer uh and in order to create a unic code string what we do is we just declare it and then we call RTL a net Unicode string and it's going to place this string into the structure and then we get can go ahead and use it now one thing I need to explain is that since we are mapping this driver with KD mapper uh this introduces a few problems usually driver entry has parameters over here on msdn as you can see this is what driver entry usually looks like it usually takes a p driver object driver object and a p Unicode string registry path as you can see in our driver entry I have left out these parameters the reason I've left them out is because they are going to be equal to null anyway they're not supposed to be null but because we're using KD mapper which manually Maps the driver that means that the operating system doesn't even already know that the driver is running so the operating system can't give the driver uh what it usually expects which would be these two parameters over here driver object and registry path usually you don't even need driver object and registry path so it's not a problem but we want to make an iocl driver and in order to create the iotl communication we need this uh driver object but as I just said we don't have it uh I mean we can declare it over here I can write it out but it's going to be equal to nil so there's no point in order to get around this problem we actually have to kind of springboard from this entry point into a new entry point that kind of simulates the actual entry point okay I just said entry point like five times this will make some more sense right now when I type it out for you we're going to create a new function called NTI status uh and sorry it's not called enti status of type enti status that's what it's going to return and it's going to be called driver main uh or you could call it driver entry or whatever you want to call it and this function is now going to take the expected parameters so it's going to be a p driver object we're to call the driver object and it's going to be a p unic code string of course named Regis y if I could spell registry path and by default we can just return uh stateus success like we did uh in our original entry point when we load our driver with KD mapper KD mapper is going to call driver entry uh and that's obviously going to print whatever message you put here that's going to create our driver name and then we just need to add one more line of code here which is going to be return turn IO create driver which is if you scroll up to the top of your project it's this function over here it's this undocumented uh ncos kernel function that we have imported into our project we're going to call that function and we're going to pass in the address of our driver name and then we are going to pass in the address of our driver main our new main function and we need to pass the address of that like so this now becomes our real entry point driver main because what's going to happen is we calling create driver which is going to populate uh these two parameters correctly for us we're going to have a valid driver object we're going to have a valid registry path but one thing we can instantly do is we can use unreferenced parameter on registry path because we are not going to be using that and uh when you are coding Colonel drivers uh by default warnings are treated as errors of course you can turn it off but it's not a good idea to turn it off obviously we're not using Drive object but we we are going to use it we never use registry path so it wouldn't let us compile uh if we haven't used something and we don't explicitly say it's unreferenced anyway we can now go ahead and get started coding our driver main one thing I did not mention that I just realized is uh our driver name over here it has to be back SLB SL driver backback slash uh and then the name of your driver but this name can be whatever you want it to be right so in this video we're going to be using sexy driver and uh just you know make sure you spell the name correctly and everything because we are going to be typing it out about two or three more times so anyway let's go what we need to do now is uh we actually need to create the driver's device so let's do that we're going to start by creating another Unicode string called device name and we're going to put backback device and then your driver's name into that string we're now going to use the string to actually create our device object like so all right so what I've done here is uh obviously I created the device name then I created an empty device object or not empty but is set to null and then we call IO create device earlier we called IO create driver now we call IO create device passing in our driver object which we needed this is the whole reason we called IO create driver because we needed our driver object over here passing in our device name and our device object which is populates then what we do is we just check the status to make sure that it is successful so if status is not equal to status success we print and then uh we return the status whatever the problem was and uh if all goes well we can go ahead and debug print that it it was successful like so driver device successfully created by the way uh I forgot my new line over here you just need a new line in your driver entry under your debug print back over here to our driver main our real entry point quote unquote what we need to do next is we need to create a symbolic link so that's going to be very similar go ahead and follow along once again we are going to create a string for the third time and uh we're going to populate that with DOs devices and then your driver name so once again dust devices driver name the previous one was device driver name and the very first one was driver and then driver name anyway once that's done we can now create the symbolic link like so we can create our symbolic link by calling IO create symbolic link passing in the name of the symbolic link along with the device name and then we of course just make sure that it is uh state of success if it's not equal to status success we print the error message and then we return the status once again at this point we just want to quickly log that it did succeed so I'm going to copy this one above and I'm going to say driver device I'm going to change this to driver Sy iic link successfully and I'm going to change Creator to established cool at this point we are actually almost done uh we still have a little bit to go but what we need start doing now is actually setting up the ioc tail communication so let's go ahead and do that we're going to begin by setting a flag that's going to allow us to do buffed IO next what we need to do is set up the handlers for our driver object so so the drive object has a bunch of major functions that are going to get called by the operating system and we need to set up functions that are going to handle those calls uh so think of it kind of like an event handler thing going on here now in order to do this we actually do need to create the functions so what we're going to do quickly is you're going to put a pin in whatever we're doing here just keep in mind that we still need to come and do stuff down here but we're going to come up to the top to our driver namespace under your request uh structure and we're going to create three functions like this first one's going to be called NTI status create and it's going to take two parameters all of these functions are going to take the exact same parameters because uh yeah they they all have the same what's it called Signature each one of these functions is going to return NTI status it's going to take a p device object and a pirp uh IRP stands for I request packet that is uh what carries the data uh between our iocl Communications this function uh we can actually fully coded is going to be very simple we're just going to call unreferenced parameter uh device object because we never use that in this function uh what we then do is every time you do complete a IO an IRP every time you do complete an incoming request packets request you have to call IO complete request like so and we are just going to pass in our IRP and then we're going to pass in IO no increment just just like that and then what we can do is just return IRP Dash sorry not Dash IO status and then dot status and uh this is basically the it's a structure that holds the status of the um function that just happened so that uh the operating system and the user can actually tell what happens when uh these handlers are called anyway so that's our create one now you can go ahead and copy this one by the way copying and pasting code is really bad uh because you make a lot of stupid mistakes but uh this one we're going to rename this to close and it's literally going to be the exact same thing that's why we copy and pasted it but now we are going to copy this one more time or you didn't even need to copy it you can just paste again and we're going to rename this to device control and this one is going to get a little bit more complex uh but we are not uh going to implement that just yet so let's just leave a note here note to do because uh yeah we need to come back and this will be the last thing that we need to code uh before driver is done so we're just going to finish the the few lines that we need to do down here in driver Main and then we just need to come and code our device control and everything will be good so coming back down over here now that we've established our Handler functions we're going to come down to our driver Main and we're going to set them so that is done like so going to access the major function array and we're going to index it with IRP MJ create and we're going to set that equal to driver create okay so what's happening here is within our driver object there is this um as you can see it's the size 28 this this array called major function and what's going to happen is when things happen and when events happen on our driver it's going to go through and it's going to call the functions that are saved inside of this array so in order to make our driver do what we want it to do we actually have to set our own functions inside of this major function array so we're going to go ahead and copy this uh two more times we're only going to set three functions that's going to be be create it's going to be close and it's going to be driver control the three functions that we just made uh but oh what's the problem here driver oh sorry device control not driver control device control and we just need to change the things over here to correspond so this is going to become close rpmj close and then this is going to become device control and just like that we have now set up the handlers for our driver all that is left to do inside of this function is to go ahead and uh clear the flag clear a special flag which I will talk about in a moment we're going to go ahead and clear the do device initializing flag because we have completed initializing our device it is done it is initialized and after that I'm going to go ahead and just debug print one more time and what we should do is we should return status not status success we should return status okay so as I said earlier uh this is all done the only thing we have left to do is to fill in our logic in device control so what's going to happen is remember earlier when I was talking about our iotl stuff uh you have to call device IO control in order to send a message from user mode to Kernel mode uh when you do call device IO control what's going to happen is it's whatever you put into it is going to come through on this function it's going to come through this function the IRP is going to hold our data uh that we send through device IO control in the user mode we need to come and implement our logic in here so for example our read and WR press memory and our attach we need to implement these these Logics uh these Logics lots of Logics attach read and write so let's go ahead and get started with that what I'm going to do very first first of all is I'm going to debug print and I'm just going to say in here we're going to make a plus sign CU it's not an error and we're going to say so if you ever see this message you know that at least your IO is working uh at least your device control is working but yeah uh we will go ahead and and debug this uh in a little bit when we are done coding uh our driver and we've made a simple application we will go ahead and debug this in our virtual machine to make sure everything is working nicely but yeah anyway device control we're going to start off by creating NT status call it status like usual and we're going to set it to actually status unsuccessful uh to begin with right so by default it's going to be unsuccessful now what we need to do is we need to get the stack location of the IRP so why we need this is because this is going to hold which code we are passing and we can get it like so by calling I get current IRP stack location we can get our current IRP stack location and as I said earlier we need this to determine which code was passed through so this is going to hold uh which control code so either attach read or write whichever one here uh we are going to yeah it's going to hold that but you'll see it'll make more sense now the other thing we need is the actual request struct that we sent from the user mode so we can do that like so so we can get the request object by accessing I Associated i. system buffer if we actually go to the definition and look at this we can see that Associated I is a union and system buffer is obviously the third thing in this Union so what it says here is this operation is being buffered and the field is the address of the system space buffer which is exactly what we want what does this operation is being buffered mean well earlier inside of our real main is it real Main yes it is real main we set the flag do Buffet IO which is what we want and then also when we create our codes as you can see we create our codes with method buffer right to say that we do want to buffer these codes so that is just how we access the buffer because we're using Buffet IO it is in system buffer in that Union which is called Associated IRP anyway what we're going to do now is we're just going to make sure that none of these are null because if they null our our computer is going to blue screen and we hate those things so now every time you want to return out of one of these ioc handlers you do have to call IO complete request on the IOP which we did do in these other two which we we don't we just need these to be defined we don't have to do anything in them but like here we're going to call I complete request and then we're just going to return the status right because we haven't even changed status yet it's still unsuccessful so it's going to return unsuccessful which is what we want okay now what we're going to do is we're going to create a static pointer to an eess and we're going to call that Target process equals null pointer now obviously this is a static variable which means that uh basically it's not going to be remade every time the function runs this is going to exist uh it's going to have a value that exists beyond the lifetime of this function naturally this is going to be the target process that we want to read and write memory to and from uh we're just storing it in here for now but it will make some sense some more sense in just a moment what we need to do now is we need to create const you long and we're going to call that control code so this is going to be the code that we passed in from uh user mode and as I said we access that from the stack IRP we stack IRP parameters. device IO control do IO control code just like that and now using this control code we can create a switch statement and we're going to switch on that control code the cases are now going to be uh the codes that we defined over here inside of this uh code name Space codes name space so the first case is going to be codes attach and we can just break for now the second one is going to be case codes read break and then the third one is going to be codes write and then break and then I just need the case statement over here now we can actually implement the read and the right process memory and the attach so what attach is going to do is it's just going to set this value to a valid uh program right because obviously it's not pointer by default so that's going to be pretty simple it's going to be status equals PS look up process by ID and the process ID that we're going to use is going to be within that request struct that we're passing in from user mode so it's going to be request process ID and the target process that we want is going to be the address of Target process if I could spell it correctly Target process like that cool and then obviously it's going to break out once it does that it's going to complete the request and it's going to return p uh status like this uh we actually we'll okay I'll come back we'll change that in a moment let's just uh continue here that is that's literally it for attach all all that's going to do is it's going to populate this target process with an actual process theoretically that's going to be CS2 in this video and our driver is going to hold a handle to the eess of CS2 and then we're going to use that with mm copy virtual memory because if we come up here and we take a look it needs a source and it needs a Target uh pointed to an eprocess so yeah let's go ahead and Implement our read process memory the first thing we need to do obviously is we need to check if Target process is not equal to n pointer because if Target process is a null pointer we're going to blue screen and then what we do is we just say status equals mm copy virtual memory not copy memory copy virtual memory and uh yeah have fun typing this out okay so our read process memory logic is a as follows we're going to make sure that Target is not a n pointer and then we're going to call MM copy virtual memory with our Source process being the Target right that's where we want to get our data from The Source address is going to be the target address the the address that we put into Target which this will make sense when we code the user mode uh side of things because we're going to put the address that we want to find into Target and then once again it wants a Target process which is going to be the current process it's going to be our driver because we're going to be reading from the driver and then uh of course we're going to going to store the value in buffer and then it just needs a size conal mode and blah blah blah blah blah so what we can do is we can actually just copy this function uh and once again be careful with copy pasting functions make sure you know what you're doing now what we need to do is we basically just need to switch around the processes and then we need to switch around the Target and the buffer so what I mean is literally we're going to take PSG current process we're going to replace it with Target process and then we're going to place Target process where get current process was and then we're just going to replace Target with buffer and then and replace Target with buffer like that so as you can see Target buffer buffer Target Target process PS get current process PSG current process Target process they like reversed because we're using the same function to read and write uh we just have to reverse these things Okay cool so after that what we do now is before we IO complete request we just have to set some information in the IRP and after that we'll be completely done with our drivers so we're going to go IRP IO request packet uh we're going to use the arrow to D reference the object or whatever it does our status. status equals the current status just like that and then we're going to say IRP I status once again do information equals size of request and then at the very end we're just going to return status like that and that should theoretically be our driver done so what we're going to do now is we're just going to code a simple uh user mode application that attaches to notepad and then we're going to launch our virtual machine and we're going to debug our driver to make sure that everything is going correctly after that we will code our CS2 cheat and then uh you'll be on your way all right so let's get started with coding a basic uh user mode implementation of using this driver obviously you're going to come to your user mode application and then we're going to need kind of two like boilerplate functions and uh I'm I'm really not going to code these because I I did these in my very first video on this channel which is how to code external CSO Bunny Hop the functions that I'm talking about is uh or are get process ID and get module base uh address so these are just not working right now CU I need to include windows. H and then after that we need to include uh TL 32 and after that they work but I'm going to show you what this code is and I'll explain what it does uh let me zoom out here so that you can go ahead and copy it that's that's the whole function over there hopefully you can see it but what this function does is it's going to create a snapshot with th h32 CS snap process uh null being the thread process ID over here and uh that's basically going to create a snapshot of all the processes on the system we're then going to create an entry we're then going to Loop through all of the entries uh inside of the snapshot and we're going to WID string uh compare to see if it's equal to process name if it is equal to process name we're going to return the process ID of said process uh the next function is going to be get module base which is literally the exact same thing except instead of using uh snap process let me zoom out so you can see the whole function once again and you can go ahead and copy that oh I just hit my mic probably pause the video and go ahead and copy it down but what this function is going to do is it's going to do the exact same thing uh it's going to create a snapshot but this time of the modules inside of the process by process ID so we're first going to get the process ID then we're going to call this function passing in the process ID which is going to create a snapshot of all the modules in the process by process ID we're then going to Loop through them and then we're going to call WID string uh substring to see if uh it's in the module and if it is we're going to return the module base very very straightforward stuff over here and once again I explain this in a lot more depth we actually code this together in my very first video on this channel anyone who's been in the hacking Community knows these two functions like the back of their hand everything else I will be coding with you so once you do have those two functions down once you've got them we can move on we can move on to uh a little bit more copy pasting because we're going to come back to our actual driver and let me zoom out little bit what we're going to copy is we're going to copy everything from the bottom of this request struct to the top of namespace driver so we're just going to copy driver codes and then requests like this uh just to zoom out again to show you exactly what we're copying it's just uh namespace driver namespace codes and request we're going to come back into our user mode application we're going to paste that and we are just missing a bracket at the bottom here like that there we go okay so as I explained earlier with the control codes we are going to need the exact same control codes inside of our user mode application that's why we copy pasted them and then we are also going to need uh the very the very same struct called request now you can change the names of these variables but you have to make sure that the size and the order is exactly the same because it is expecting a 40 by structure to be shared between both uh the user mode and the kernel now in our driver in this driver namespace we implemented our handlers for the logic of the driver but in the user mode application what we're going to do here is we're going to implement our attached to process our read process memory and our right process memory as Standalone functions inside of this namespace we're going to set up our whole driver framework by the way obviously in this video I'm putting everything inside of the same everything is going in main.cpp in both projects you probably don't want to do it this way because if you're making a serious project it's going to get really cluttered and crazy uh it would be a good idea to go ahead and take probably this driver namespace and throw it into its own um you know source and header files cons anti paste that's your job okay so we're going to begin by coding our attached to process function or our attach function uh that's going to look something like this we're going to make a bull attach to process and it's going to expect a const dword of process ID let me zoom in here it's also going to expect a handle and we're going to call that driver handle now every one of these functions that we're going to code or the other two functions the read and the right process memory are also going to expect a driver handle so it might actually be a good good idea to put this into a class and then that way you don't always have to pass the driver handle but in this video we're coding this functional Style with dependency injection so let's go anyway attach the process we're going to create the request struct just R and we we're very specifically not going to initialize it so usually when you when you make variables you you want to give them an initial value but request we're not going to initialize it because uh the thing is if you do initialize it that's going to take a few extra CPU cycles and we are hackers and we are lazy and we want performance and therefore uh we are just not going to initialize it but what we are going to initialize is the process ID field of this request structure so we're going to reinterpret Coss this to a handle remember the reason we have to do this is because we declared it as a handle well C why the hell did we declare it as a handle when it's a dword you know the reason we did that is because over here no not that one where is it because PS look up process by ID once the process ID as a handle so I mean either we could make the process ID a dword inside of uh this request struct could be a dword but then we'd have to cast inside the driver or we can just cost here it doesn't really matter that's actually up to you so we're going to cost that dword into a handle and we're going to install that in process ID uh and then to actually send that through to the driver we're going to say return and we just call device IO control like like I told you earlier over here we call device IO control this function over here to actually to send a control code directly to a specified driver causing the corresponding device to perform the corresponding operation that is exactly what we want to do so we're going to call device IO control and this takes quite a few parameters the first one is going to be our driver handle the next one is going to be the control code that corresponds to this uh function so this is going to of course be our attach code so codes attach after that we're going to pass the address of our request we're then going to pass the size of our request we're then going to pass the address of our request again and we're going to pass the size of our request again uh and then after that we're just going to pass n pointer and then n pointer like so yeah so to send the message through to our driver we're just going to return device IO control passing in the driver handle the code is attach we're going to pass the address of R the size of R the address of R the size of R and then nil pointer nil pointer size of R is of course 40 UL which is correct because our request is 40 bytes cool that actually is it for our attached to process but while we're here we might as well Implement our read and write process memory so that's going to be a little bit more complex but it's still going to be pretty easy we're going to create a template over here class T and it's going to return T of course because we are read processing we are read process memory we're just going to call it read memory and then this is going to take of course handle driver handle first and then it's going to take a const standard uint pointer T of address just like that then what we are going to do is we are going to create T temp equals uh nothing so we're going to initialize temp to zero we're then going to create our request and we are not going to ini initialize our request we're then going to go r. Target equals reinterpret cost to a pvoid address just like that uh but we didn't call it address we called it Adder so we're going to set the target to our address and as I said earlier in the video cuz uh over here inside of our driver if we come over here to the read process memory it takes a Source process a source address going to be the Target and then it takes uh the target address is going to be the buffer so our Target address is going to be the address we want to find and then the driver is going to put the result into the buffer right so the buffer is going to be equal to the address of our temp variable so that means that the driver is directly going to put a result of that mm copy virtual memory call into this variable right here into temp because we are passing in the address of Temp and then r. size is going to be equal to size of uh the template parameter and after that we just need a call I device control exactly how we did the last time so I'm just going to copy and paste it but we're not returning this time because instead of returning a Boolean we are going to be returning the temp value uh which as I said the driver we are passing the address of this temp value through the buffer to the driver and what the driver is going to do is it's going to it's going to populate this cuz right now we're sitting it to nothing it's going to populate this variable with a value we're going to then return that value and that is read process memory done now it's time for write process memory it's going to be very similar template class T at this time it's going to return void so it's not going to return anything we're going to call it right memory and this time it's going to take three parameters instead of two so it's going to be driver handle it's going to be the same const standard un pointer address but this time it's also going to take a const t reference value uh which of course is going to be the value that we're going to be writing now instead of creating a TTM like we did in the last one uh we're just going to go directly into filling in our request struct r. Target is going to be exactly the same it's going to be the address but we do need to reinterpret cost the address uh because it expects a p void but we take an a un pointer r. buffer is going to be equal to the value this time uh but we can't just set it to Value that's not going to work so we actually have to set it to at Value and then we have to use a c c style cost over here which I hate you know cuz I like using C++ cost but we have to do c style because this is undefined Behavior according to C++ it'll give us an error if we try reinterpret cross that but what's Happening Here is we're passing this as a reference right and what happens when you pass a reference is you use the address of operator on a reference it literally just Returns the address of the very thing itself actually now that I think about it we might actually just be able to do it like this I'll test that later but for now we're going to leave P void uh and then we're going to cost the address of value to a p void and then of course don't forget to set your size to the very same thing size of not size T size of T and then we just need to go ahead and return device call device IO control and we don't return anything now one thing that I did up here which is absolutely horrible is this is why you don't want to copypaste code because I haven't updated the code that we use as you can see all of these are using the exact same code which is wrong uh just remember to come to your read memory and change the code to read and then come to your right memory and change the code to right and basically we have fully completed our driver framework inside of uh our user mode application all we have to do now is implement it but before we code the Cs two cheat what we're going to do is we're going to code a simple application that just connects to notepad we're going to run that in our virtual machine we're going to debug it and we're going to make sure that everything is working so let's go ahead and do that we're going to start by trying to get the process ID of notepad like so okay so we're going to start by getting the process ID of notepad uh and obviously if it's equal to zero that means it failed we're going to say failed to find Notepad and then we're just going to leave now here is where it gets important we're going to create uh the handle that we need to call our driver functions right cuz all we're missing is this parameter over here so in order to populate driver handle uh we need to create a handle to our driver and we're going to use our driver's name for this but it's going to it's going to be like this so const handle and I'm just going to call it driver but obviously it's the driver handle is equal to create file uh like so over here you're going to give four backs slashes with a DOT two backslashes and then the name of your driver that you've been setting inside of your driver uh inside of the actual driver project whatever you named it uh in all these places uh you're going to use that exact same name inside of this user mode application that is the name of your driver going to open it with generic read There we go so we're going to create our driver handle uh using Create file the name of our driver generic read and all this other and that is going to return us a handle to our driver what we just need to do now is we need to make sure that this handle is valid and we can do that like so so we're going to check if driver is equal to invalid handle value if it is we're going to see out an error and then we're just going to see in to pause execution at this point uh we can call close handle uh just preemptively to driver because we don't really want to leak the handle to our driver but above that is now where it gets a little bit more fun so now what we're going to do is we're going to try and attach to notepad using our driver so that's going to be like so we're going to go driver attach to process and we're going to pass in notepads process ID sorry we're going to pass in our driver handle first and then we're going to pass in notepads process ID and we're going to check if this is equal to true if it is equal to true we're going to see out attachment successful and that's all we are going to do for now although what we should do is add a standard in get to the bottom here so theoretically this application is going to open it should search for notepad if it finds notepad it should create a handle to our driver if that succeeds it's going to try and attach to our driver which means that it's going to set this internal static Target process um value over here inside of our driver it's going to set that to a value instead of null pointer and that should be notepad and eventually it's going to be CS2 at the end of this video but for now you should be able to go ahead and build solution uh as you can see for me two succeeded uh it's now time to launch our virtual machine and start uh and check out if it's working so let's go ahead and do that all right ladies and gentlemen here on my desktop I have uh VMware open and I also have my buold folder open inside of my sexy driver along with KD MPP over here you might want to grab that out of your KD mappa folder out of your build all we need to do right now is launch when debug so we're going to go ahead and right click run as administrator remember you have to run it in an elevated mode to connect to the kernel we're going to go file and we're going to go attach the kernel once again these are going to be your settings they shouldn't really change very often and you're going to go ahead and click okay and it's going to wait for Al connection now all that's left to do is to go ahead and launch our virtual machine go ahead and hit play and uh I'll catch you guys when my VM is up and running once again just make sure that you are of course getting a connection over here as you can see colel debugger connection established and yeah once again I'll see you guys now all right ladies and gentlemen my virtual machine has successfully uh started now I'm going to go to the search Tab and I'm going to go to the security tab because unfortunately windows will every time you restart your virtual machine it will reenable real time protection so damn this virtual machine is slow but basically we just need to disable that quickly in your security tab you're going to go to virus and threat protection manage settings and turn off o you should have turned off every other setting when I asked you to if you haven't then go ahead and do that now because that will mess with loading your driver the next thing that we need to do is we need to get our driver KD mapper and our user mode application on this virtual machine so how do we do that well earlier in the beginning of the video I asked you to install VMware tools and what that allows us to do is literally just drag and drop things into our virtual machine so there we go we've got KD mapper you need km.is or whatever you named to your driver and then you also need a.exe now if you are struggling to if you aren't able to drag and drop things into your virtual machine then uh you either didn't install VM tools or it is struggling it's just not working so you're going to come up here to player you're going to go manage and you're going to reinstall VMware tools okay now that we have all our stuff on here there is one last thing that we have to do in order to see konel debug messages that are printed from KD print oh yeah by the way make sure that you did build in debug mode because uh KD print is only going to print uh when you compile in debug okay but besides that every time you want to use wind debug to see debug messages you're going to have to break click the break button which is going to pause execution on the virtual machine you'll see here it just freezes you can't really access anything on there uh and what we're going to do is we're going to type in a command as you can see it says KD that means kernel debugger it's waiting for for a command the command we're going to type is Ed for edit NT exclamation mark KD ihv driver mask and we're going to set that to8 now why are we doing that well if you remember inside of our driver we have debug print and we're calling KD printex which once again only works if you build in debug so you're not going to see any messages if you don't build in debug but anyway uh that's also why I called it debug print but KD print ex as you can see the first argument that it takes is actually a component ID and we have we are using ihv driver and we are using info level which is level three so what we are doing here is we are typing in this command we are editing the IH driver mask to 8 okay because right now it's zero and I don't actually know what number this should be for info level I'll be honest but eight works so we're going to make it eight now this is extremely annoying because you have to do this every single time basically KD mapper not KD Mapp every single time when debug restarts or even every time colel debugging restarts you have to do this you have to break you have to type this in the alternative to this is uh inside of your virtual machine you're going to go into original registry editor and then you're going to add a key uh I'll leave a link to in in the description Down Below on how to do that uh you should go ahead and do that it's just but for this video for the sake of Simplicity we're just going to use this command to edit KD I HV driver mask so if you hit enter there we go it has uh if it pops up that means it's been done and now remember you still can't use uh the virtual machine cuz it's still paused you either have to click this button to go or you can just type G in the command hit G and now we are back in Action so at this point theoretically speaking if we if we run our driver if we drop it into KD mappa we should go ahead and see its output so let's do that we're going to load our driver yes and there we go so our KD mappa output ended with success that's always good and if we check out the kernel debugger we see sub to C from the kernel driver device successfully created driver symbolic link successfully established and Driver initialized successfully that's what we like to see but there is one more thing thing that we do want to see if we come back to our driver uh inside of device control we did add a debug print message here device control called we do want to make sure that this is being called and the only way to see this message is to call device control and how do we do that well we need to use a command from our user mode application and in this case it's going to be attached process right by calling attached process we are calling device IO control which is going into the kernel it's going into our driver device control but this user mode application that we have set up is looking for notepad just for an example because we don't have CS2 installed on our virtual machine we're looking for notepad so let's go ahead and launch Notepad and if we run our user mode application what we should expect to see is a few messages from the user mode application but we should also expect to see a very nice message from here we should expect to see device control called uh inside of our kernel debugger so let's go ahead and see if uh all goes well so once again notepad is running we're going to go ahead and run user mode yes attachments successful device control called that is a very good sign that means that at the very very least our device control is working we are able to communicate with our driver now we still haven't tested if read and write process memory work uh we're going to find out if those work in the next segment of this video when we actually code our CS2 cheat but for now that is just an example of how you would debug something uh on the Kernel uh in in the kernel on your virtual machine but anyway you can go ahead and close out of your virtual machine and everything like that now it is time to code uh our CS2 Bunny Hop all right ladies and gentlemen before we can code our CS2 cheat we actually need to get offsets for the cheat right we all know what offsets are we'll hate them equally so in order to get that we're going to go to the internet and you're going to click on the link to a2x CS2 dumper which should take you to this gsub repository and I don't know why what just happened to my GitHub Let me refresh over here uh so what we're going to do here is we just need two files we're going to come over here to generated and we're going to find client. d. HPP uh going to open that in a new new tab and then I'm going to look for offsets HPP just like that we're going to go ahead and we're going to download both of these files so you can click download raw file like that and then download raw file like that cool once that's done uh they should be in your downloads folder you're going to want to navigate to your uh driver folder and then we're going to go into the user mode project of our driver folder then we're going to go into the source directory uh of our user mode project and then we're going to go ahead and we're going to drag and drop these into our source directory next to main just like that now if we return back to visual studio go ahead and click on user mode on your profile on your project and click this refresh button and you should now see client. dl. HPP as well as offsets HPP what we're going to do is we're going to right click and we are going to include in project and do the same for offsets HPP include in Project now we can go back to main we can scroll right to the top and we can go ahead and we can include both of those files so first we're going to include client. d. HPP then we are going to include offsets HP PP now we can come back to our main file and we are going to be working inside of this if statement if driver attached the process but before we do that we need to go to the top here and we need to change our get process ID from notepad.exe to CS 2.exe uh and then we're going to update our error code over here from saying failed to find Notepad it's going to say failed to find CS2 still going to create our driver in the exact same way and we still going to try and attach so we're going to say going to keep this attachment successful message but we're just going to add a body to our if statement over here and inside here is where we are going to code our Bunny Hop cheet to begin with uh we do need to get the address of client. dll which is a module that is why we have this function over here get module base which I did show you how to code earlier and in other videos so that is going to look something like this we're going to say if const standard uint pointer we're going to call it client is equal to get module base and we are going to pass in process ID of course and we're going to pass in client dll going to add a semicolon uh this is some new C++ syntax well it's not new it's not exactly new but we're going to say client not equal to zero so what we've done here is we've actually declared the client uh variable inside of this if statement this is the actual if check this is just like a normal statement as if it was outside of the if statement but anyway that is for a C++ tutorial later on inside of this if statement we will have a valid client which is always a good sign so I mean we can go ahead and print that out we can say uh ient found like that something like that just to let us know what's happening afterwards we are going to enter an infinite while loop so while true and then we can just add a break condition to this so something like if get async key State VK underscore end if you press end we're just going to break out of this but otherwise we're going to be inside of this uh infinite wall Loop going on and on and on so the first thing we need to do as per usual is we need to get our local player now uh CS2 has changed a little bit we no longer get our local play player we now get our local player porn so that's going to be something like this const Auto local player porn is going to be equal to driver and then we're going to call read memory from our driver and what we're reading is going to be a standard EU in pointer T because we do want it will be a pointer so we do want to use an 8 by type and what we're going to pass in is driver because we need to pass in our driver handle first it's going to be client plus client dll uh the names space client uncore D and what we're going to get is DW local player Pawn so the final uh thing should look something like this what we're then going to do is we're just going to check if local player Pawn equals zero we're going to continue right so that means that if for some reason we failed to get our local player uh we're just going to continue and do it again and again and again we're going to skip uh after we have successfully got our local player what we need now is to get our local players Flags right cuz the flags will tell us if we're on ground or in air and whatnot so pretty simple once again const Auto uh we're just going to call it Flags is going to be equal to driver read memory this time we're going to be reading a standard uint 32 we're not going to be reading a u pointer cuz this time we want a 4 by unsigned int we're going to pass in driver and we're going to add instead of client plus an offset this time it's going to be local player Pawn Plus ccore base entity so we just got to find base entity over there and the offset from base entity is going to be M if Flags so that this will be your final um line over here Flags is equal to read memory we're reading a un32 passing and Driver local play Pawn Plus the flags offset now we can create a few Bulls so we can say const in air is equal to flags and then we use this uh we use a bit mask thingy going on one smaller than smaller than zero or whatever and sorry this needs to be a Boolean const Boolean in air so is your player in air that's what this is and then we're also going to create a const Bull space press equals uh get async key State vkor space the last variable that we need over here is going to be a const auto and it's just going to be the current value of force jump so we're going to say Force jump is going to be equal to just going to copy this read memory over here because it's going to be reading a un 32 as well so we're going to be reading a a dword over here from Force jump uh so let's actually just name a dword it doesn't really matter and yeah so we're just going to store the value of force jump okay now we can actually start our Bunny Hop logic so if space pressed and in air so if you're in the air and spacebar is pressed what we're going to do is we're going to call driver WR memory and this time you don't actually have to give a type in to the template because it'll automatically deduce what type we are passing in so driver and then the address is going to be of course uh client plus client dll DW Force jump oh and I just realized that I just made a a horrific error uh we're reading Force jump up here I don't know why I used yeah you see this is why you mustn't copy paste this code uh we need client plus Force jump up here my bad sorry about that uh so driver client plus Force jump and then we're going to write this to a very interesting value of 65537 okay now if you want to know how this works go ahead and watch someone else's video I'm not explaining how this works uh we are just using this to implement our driver to make sure that the driver does work so else if space pressed once again and exclamation in s so the opposite so if we are on the ground and space is pressed we are going to copy this line once again don't copy line it's very bad but do copy this line we're going to change this to 256 and then the last else if is going to be if space isn't pressed and force jump is equal to 65337 we just need the double equal sign there what we're going to do is we're going to copy this line we're going to write 255 or sorry 256 and the only thing I'm missing here is we just want to sleep uh this for about 5 Seconds 5 milliseconds before we do decide to write to our Force jump uh and yeah after that theoretically speaking we should be good we should now have a fully working CS2 bunny up so let's go ahead and test it out we're going to build in debug I'm going to launch the game and I will catch you guys uh there all right ladies and gentlemen I am in the menu of CS2 uh we're going to go ahead and we're going to manual map my driver on my host PC and we have success and then we're just going to go ahead and run our user mode application where we found client attachment seems successful so let's hop into a practice game I hate ancients so let's go with like over pass that's fine I'm going to select CT and if I hold on space bar we be hop and this is obviously konel beop we are not reading and writing process memory through RPM and all that crap this is through the konel boom boom boom look I can even do it backwards anyway ladies and gentlemen I really do hope that you enjoyed the video it's been a very long video and it's taken me a long time to make I hope that you did manage to get a working driver out of it and uh I hope that this doesn't completely and utterly ruin CS2 but uh anyway this was just meant to be an introduction to Kel development um if you want to get better now and you want to go and bypass other colal anti sheets I'd recommend you study KD mapper and see how uh KD mapper Maps the driver I'd also recommend that you go and study different communication methods learn about their pros and their cons and then also you're just going to need to go and reverse engineer those anti cheets that you want to get around to discover how they detect you and how you can get around them but anyway ladies and gentlemen I hope you did enjoy the video and as always shout out to the following sexy patrons you guys are awesome and check out my Instagram and Twitter down below and uh leave any comments or suggestions or whatever in in the description down below I'm tired I'm over this video it's time to go edit uh hope you guys have a good one cheers and peace out

Info

Channel: cazz

Views: 86,818

Rating: undefined out of 5

Keywords: csgo, bunnyhop, bhop, bhopping, external, csgo hack, tutorial, csgo hack tutorial, free csgo hack, csgo cheat, csgo tutorial, how to code, hacks csgo, wall hacks, hack, aimbot, csgo aimbot, skin changer, 2022, imgui, esp, legitbot, overlay, external overlay, hacking, cheat, learn, hacker, game hacker, game, cheats, cazz, cpp, hacks, pro, reclass, ghidra, engine, games, c++, C++, menu, dear, 2023, kernel, windows, driver, bypass, anti, anticheat, pattern, sig, scan, aiming, cs, hook, hooking, x86, first, be, km, kdmapper

Id: n463QJ4cjsU

Channel Id: undefined

Length: 84min 44sec (5084 seconds)

Published: Thu Feb 22 2024