二 R0与R3通信
R0 driver pragram
1回调函数获取进程id
给项目添加class起名为events,
events.h
1
2
3
4
5
6
| #pragma once
#include <ntifs.h>
PLOAD_IMAGE_NOTIFY_ROUTINE ImageLoadCallback(PUNICODE_STRING FullImageName, HANDLE Processld, PIMAGE_INFO ImageInfo);
|
events.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| #pragma warning (disable : 4047)
#include "events.h"
#include "messages.h"
#include "data.h"
PLOAD_IMAGE_NOTIFY_ROUTINE ImageLoadCallback(PUNICODE_STRING FullImageName, HANDLE Processld, PIMAGE_INFO ImageInfo)
{
if (wcsstr(FullImageName->Buffer, L"\\black\\client.dll"))
{
DebugMessage("client.dll found!\n");
BlackMesaClientDLLAddress = ImageInfo->ImageBase;
DebugMessage("ProcessID: %d \n", Processld);
}
return STATUS_SUCCESS;
}
|
添加头文件data.h
data.h
1
2
3
4
5
| #pragma once
#include <ntdef.h>
ULONG BlackMesaClientDLLAddress;
|
GuideHacking.h
1
2
3
4
5
6
7
8
| #pragma once
#include <ntifs.h>
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath);
NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject);
|
GuideHacking.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| #pragma warning (disable : 4100 4047 4024)
#include "GuideHacking.h"
#include "events.h"
#include "messages.h"
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
UNREFERENCED_PARAMETER(pRegistryPath);
pDriverObject->DriverUnload = UnloadDriver;
DbgPrintEx(0, 0, "Message!");
DebugMessage("Welcome to the first GuideHacking Driver!");
PsSetLoadImageNotifyRoutine(ImageLoadCallback);
return STATUS_SUCCESS;
}
NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
UNREFERENCED_PARAMETER(pDriverObject);
DebugMessage("papa rake syas goodbye!");
PsRemoveLoadImageNotifyRoutine(ImageLoadCallback);
return STATUS_SUCCESS;
}
|
messages.h
1
2
3
| #pragma once
#define DebugMessage(x, ...) DbgPrintEx(0, 0, x, __VA_ARGS__);
|
编译成功
cmd load driver
运行程序dll后得到processID
cmd停止驱动
2 R0添加通信功能
add a class named “communication’,include” communication.h’ and “communication.cpp”
communication.h
1
2
3
4
5
6
7
8
9
10
11
| #pragma once
#include <ntifs.h>
#define IO_GET_CLIENTADDRESS CTL_CODE(FILE_DEVICE_UNKNOWN,0x666,METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp);
NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP Irp);
NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP Irp);
|
communication.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
| #include "communication.h"
#include "data.h"
#include "messages.h"
NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
UNREFERENCED_PARAMETER(DeviceObject);
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
DebugMessage("CreateCall was called,connection enstablished\n");
return STATUS_SUCCESS;
}
NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
UNREFERENCED_PARAMETER(DeviceObject);
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
DebugMessage("Connection Terminated\n");
return STATUS_SUCCESS;
}
NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
UNREFERENCED_PARAMETER(DeviceObject);
NTSTATUS Status = STATUS_UNSUCCESSFUL;
ULONG ByteIO = 0;
PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
ULONG ControlCode = stack->Parameters.DeviceIoControl.IoControlCode;
if (ControlCode == IO_GET_CLIENTADDRESS)
{
PULONG OutPut = (PULONG)Irp->AssociatedIrp.SystemBuffer;
*OutPut = BlackMesaClientDLLAddress;
DebugMessage("clientAddress requesteed!\n");
Status = STATUS_SUCCESS;
ByteIO = sizeof(*OutPut);
}
else
{
ByteIO = 0;
}
Irp->IoStatus.Status = Status;
Irp->IoStatus.Information = ByteIO;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Status;
}
|
data.h
1
2
3
4
5
6
| #pragma once
#include <ntdef.h>
ULONG BlackMesaClientDLLAddress;
PDEVICE_OBJECT pDeviceObject;
UNICODE_STRING dev, dos;
|
events.h
1
2
3
4
5
6
| #pragma once
#include <ntifs.h>
PLOAD_IMAGE_NOTIFY_ROUTINE ImageLoadCallback(PUNICODE_STRING FullImageName, HANDLE Processld, PIMAGE_INFO ImageInfo);
|
events.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| #pragma warning (disable : 4047)
#include "events.h"
#include "messages.h"
#include "data.h"
PLOAD_IMAGE_NOTIFY_ROUTINE ImageLoadCallback(PUNICODE_STRING FullImageName, HANDLE Processld, PIMAGE_INFO ImageInfo)
{
if (wcsstr(FullImageName->Buffer, L"\\black\\client.dll"))
{
DebugMessage("client.dll found!\n");
BlackMesaClientDLLAddress = ImageInfo->ImageBase;
DebugMessage("ProcessID: %d \n", Processld);
}
return STATUS_SUCCESS;
}
|
messages.h
1
2
3
| #pragma once
#define DebugMessage(x, ...) DbgPrintEx(0, 0, x, __VA_ARGS__);
|
GuideHacking.h
1
2
3
4
5
6
7
8
| #pragma once
#include <ntifs.h>
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath);
NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject);
|
GuideHacking.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
| #pragma warning (disable : 4100 4047 4024)
#include "GuideHacking.h"
#include "communication.h"
#include "data.h"
#include "events.h"
#include "messages.h"
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
UNREFERENCED_PARAMETER(pRegistryPath);
pDriverObject->DriverUnload = UnloadDriver;
DbgPrintEx(0, 0, "Message!");
DebugMessage("Welcome to the first GuideHacking Driver!");
PsSetLoadImageNotifyRoutine(ImageLoadCallback);
RtlInitUnicodeString(&dev, L"\\Device\\guidehacking");
RtlInitUnicodeString(&dos, L"\\DosDevices\\guidehacking");
IoCreateDevice(pDriverObject, 0, &dev, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
IoCreateSymbolicLink(&dos, &dev);
pDriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCall;
pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCall;
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoControl;
pDeviceObject->Flags |= DO_DIRECT_IO;
pDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
return STATUS_SUCCESS;
}
NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
UNREFERENCED_PARAMETER(pDriverObject);
DebugMessage("papa rake syas goodbye!");
PsRemoveLoadImageNotifyRoutine(ImageLoadCallback);
IoDeleteSymbolicLink(&dos);
IoDeleteDevice(pDriverObject->DeviceObject);
return STATUS_SUCCESS;
}
|
build succeeded
R3 application pragram
add a new ConsoleApplication project named “GuideHackingController”
add a header file named “communication.hpp”
add a header file name it “Kernelinterface.hpp”
communication.hpp
1
2
3
4
5
| #pragma once
#include <Windows.h>
#define IO_GET_CLIENTADDRESS CTL_CODE(FILE_DEVICE_UNKNOWN,0x666,METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
Kernelinterface.hpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
| #pragma once
#include "communication.hpp"
class KernelInterface
{
public:
HANDLE hDriver;
KernelInterface(LPCSTR RegistryPath)
{
hDriver = CreateFileA(RegistryPath, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
}
DWORD GetClientAddress()
{
if (hDriver == INVALID_HANDLE_VALUE)
{
return 0;
}
ULONG Address;
DWORD Bytes;
if (DeviceIoControl(hDriver, IO_GET_CLIENTADDRESS, &Address, sizeof(Address), &Address, sizeof(Address), &Bytes, NULL))
{
return Address;
}
return 0;
}
};
|
GuideHackingController.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
#include <iostream>
#include "kernelinterface.hpp"
int main()
{
KernelInterface Driver = KernelInterface("\\\\.\\guidehacking");
ULONG address = Driver.GetClientAddress();
std::cout << "Hello World!\n" << address << std::endl;
while (true)
{
}
}
|
build successded
**testing **
run DebugView
load driver GuideHacking use command
launch game
run GuideHackingController.exe
三 Write Process Memory
R3
create a header file name it offsets.hpp
offsets.hpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
| #pragma once
#include <cstddef>
#include <cstdint>
namespace hazedumper {
constexpr ::std::int64_t timestamp = 1686124261;
namespace netvars {
constexpr ::std::ptrdiff_t cs_gamerules_data = 0x0;
constexpr ::std::ptrdiff_t m_ArmorValue = 0x117CC;
constexpr ::std::ptrdiff_t m_Collision = 0x320;
constexpr ::std::ptrdiff_t m_CollisionGroup = 0x474;
constexpr ::std::ptrdiff_t m_Local = 0x2FCC;
constexpr ::std::ptrdiff_t m_MoveType = 0x25C;
constexpr ::std::ptrdiff_t m_OriginalOwnerXuidHigh = 0x31D4;
constexpr ::std::ptrdiff_t m_OriginalOwnerXuidLow = 0x31D0;
constexpr ::std::ptrdiff_t m_SurvivalGameRuleDecisionTypes = 0x1328;
constexpr ::std::ptrdiff_t m_SurvivalRules = 0xD00;
constexpr ::std::ptrdiff_t m_aimPunchAngle = 0x303C;
constexpr ::std::ptrdiff_t m_aimPunchAngleVel = 0x3048;
constexpr ::std::ptrdiff_t m_angEyeAnglesX = 0x117D0;
constexpr ::std::ptrdiff_t m_angEyeAnglesY = 0x117D4;
constexpr ::std::ptrdiff_t m_bBombDefused = 0x29C0;
constexpr ::std::ptrdiff_t m_bBombPlanted = 0x9A5;
constexpr ::std::ptrdiff_t m_bBombTicking = 0x2990;
constexpr ::std::ptrdiff_t m_bFreezePeriod = 0x20;
constexpr ::std::ptrdiff_t m_bGunGameImmunity = 0x9990;
constexpr ::std::ptrdiff_t m_bHasDefuser = 0x117DC;
constexpr ::std::ptrdiff_t m_bHasHelmet = 0x117C0;
constexpr ::std::ptrdiff_t m_bInReload = 0x32B5;
constexpr ::std::ptrdiff_t m_bIsDefusing = 0x997C;
constexpr ::std::ptrdiff_t m_bIsQueuedMatchmaking = 0x74;
constexpr ::std::ptrdiff_t m_bIsScoped = 0x9974;
constexpr ::std::ptrdiff_t m_bIsValveDS = 0x7C;
constexpr ::std::ptrdiff_t m_bSpotted = 0x93D;
constexpr ::std::ptrdiff_t m_bSpottedByMask = 0x980;
constexpr ::std::ptrdiff_t m_bStartedArming = 0x3400;
constexpr ::std::ptrdiff_t m_bUseCustomAutoExposureMax = 0x9D9;
constexpr ::std::ptrdiff_t m_bUseCustomAutoExposureMin = 0x9D8;
constexpr ::std::ptrdiff_t m_bUseCustomBloomScale = 0x9DA;
constexpr ::std::ptrdiff_t m_clrRender = 0x70;
constexpr ::std::ptrdiff_t m_dwBoneMatrix = 0x26A8;
constexpr ::std::ptrdiff_t m_fAccuracyPenalty = 0x3340;
constexpr ::std::ptrdiff_t m_fFlags = 0x104;
constexpr ::std::ptrdiff_t m_flC4Blow = 0x29A0;
constexpr ::std::ptrdiff_t m_flCustomAutoExposureMax = 0x9E0;
constexpr ::std::ptrdiff_t m_flCustomAutoExposureMin = 0x9DC;
constexpr ::std::ptrdiff_t m_flCustomBloomScale = 0x9E4;
constexpr ::std::ptrdiff_t m_flDefuseCountDown = 0x29BC;
constexpr ::std::ptrdiff_t m_flDefuseLength = 0x29B8;
constexpr ::std::ptrdiff_t m_flFallbackWear = 0x31E0;
constexpr ::std::ptrdiff_t m_flFlashDuration = 0x10470;
constexpr ::std::ptrdiff_t m_flFlashMaxAlpha = 0x1046C;
constexpr ::std::ptrdiff_t m_flLastBoneSetupTime = 0x2928;
constexpr ::std::ptrdiff_t m_flLowerBodyYawTarget = 0x9ADC;
constexpr ::std::ptrdiff_t m_flNextAttack = 0x2D80;
constexpr ::std::ptrdiff_t m_flNextPrimaryAttack = 0x3248;
constexpr ::std::ptrdiff_t m_flSimulationTime = 0x268;
constexpr ::std::ptrdiff_t m_flTimerLength = 0x29A4;
constexpr ::std::ptrdiff_t m_hActiveWeapon = 0x2F08;
constexpr ::std::ptrdiff_t m_hBombDefuser = 0x29C4;
constexpr ::std::ptrdiff_t m_hMyWeapons = 0x2E08;
constexpr ::std::ptrdiff_t m_hObserverTarget = 0x339C;
constexpr ::std::ptrdiff_t m_hOwner = 0x29DC;
constexpr ::std::ptrdiff_t m_hOwnerEntity = 0x14C;
constexpr ::std::ptrdiff_t m_hViewModel = 0x3308;
constexpr ::std::ptrdiff_t m_iAccountID = 0x2FD8;
constexpr ::std::ptrdiff_t m_iClip1 = 0x3274;
constexpr ::std::ptrdiff_t m_iCompetitiveRanking = 0x1A84;
constexpr ::std::ptrdiff_t m_iCompetitiveWins = 0x1B88;
constexpr ::std::ptrdiff_t m_iCrosshairId = 0x11838;
constexpr ::std::ptrdiff_t m_iDefaultFOV = 0x333C;
constexpr ::std::ptrdiff_t m_iEntityQuality = 0x2FBC;
constexpr ::std::ptrdiff_t m_iFOV = 0x31F4;
constexpr ::std::ptrdiff_t m_iFOVStart = 0x31F8;
constexpr ::std::ptrdiff_t m_iGlowIndex = 0x10488;
constexpr ::std::ptrdiff_t m_iHealth = 0x100;
constexpr ::std::ptrdiff_t m_iItemDefinitionIndex = 0x2FBA;
constexpr ::std::ptrdiff_t m_iItemIDHigh = 0x2FD0;
constexpr ::std::ptrdiff_t m_iMostRecentModelBoneCounter = 0x2690;
constexpr ::std::ptrdiff_t m_iObserverMode = 0x3388;
constexpr ::std::ptrdiff_t m_iShotsFired = 0x103E0;
constexpr ::std::ptrdiff_t m_iState = 0x3268;
constexpr ::std::ptrdiff_t m_iTeamNum = 0xF4;
constexpr ::std::ptrdiff_t m_lifeState = 0x25F;
constexpr ::std::ptrdiff_t m_nBombSite = 0x2994;
constexpr ::std::ptrdiff_t m_nFallbackPaintKit = 0x31D8;
constexpr ::std::ptrdiff_t m_nFallbackSeed = 0x31DC;
constexpr ::std::ptrdiff_t m_nFallbackStatTrak = 0x31E4;
constexpr ::std::ptrdiff_t m_nForceBone = 0x268C;
constexpr ::std::ptrdiff_t m_nModelIndex = 0x258;
constexpr ::std::ptrdiff_t m_nTickBase = 0x3440;
constexpr ::std::ptrdiff_t m_nViewModelIndex = 0x29D0;
constexpr ::std::ptrdiff_t m_rgflCoordinateFrame = 0x444;
constexpr ::std::ptrdiff_t m_szCustomName = 0x304C;
constexpr ::std::ptrdiff_t m_szLastPlaceName = 0x35C4;
constexpr ::std::ptrdiff_t m_thirdPersonViewAngles = 0x31E8;
constexpr ::std::ptrdiff_t m_vecOrigin = 0x138;
constexpr ::std::ptrdiff_t m_vecVelocity = 0x114;
constexpr ::std::ptrdiff_t m_vecViewOffset = 0x108;
constexpr ::std::ptrdiff_t m_viewPunchAngle = 0x3030;
constexpr ::std::ptrdiff_t m_zoomLevel = 0x33E0;
}
namespace signatures {
constexpr ::std::ptrdiff_t anim_overlays = 0x2990;
constexpr ::std::ptrdiff_t clientstate_choked_commands = 0x4D30;
constexpr ::std::ptrdiff_t clientstate_delta_ticks = 0x174;
constexpr ::std::ptrdiff_t clientstate_last_outgoing_command = 0x4D2C;
constexpr ::std::ptrdiff_t clientstate_net_channel = 0x9C;
constexpr ::std::ptrdiff_t convar_name_hash_table = 0x301A0;
constexpr ::std::ptrdiff_t dwClientState = 0x59F19C;
constexpr ::std::ptrdiff_t dwClientState_GetLocalPlayer = 0x180;
constexpr ::std::ptrdiff_t dwClientState_IsHLTV = 0x4D48;
constexpr ::std::ptrdiff_t dwClientState_Map = 0x28C;
constexpr ::std::ptrdiff_t dwClientState_MapDirectory = 0x188;
constexpr ::std::ptrdiff_t dwClientState_MaxPlayer = 0x388;
constexpr ::std::ptrdiff_t dwClientState_PlayerInfo = 0x52C0;
constexpr ::std::ptrdiff_t dwClientState_State = 0x108;
constexpr ::std::ptrdiff_t dwClientState_ViewAngles = 0x4D90;
constexpr ::std::ptrdiff_t dwEntityList = 0x4DFFF7C;
constexpr ::std::ptrdiff_t dwForceAttack = 0x322DDE8;
constexpr ::std::ptrdiff_t dwForceAttack2 = 0x322DDF4;
constexpr ::std::ptrdiff_t dwForceBackward = 0x322DE30;
constexpr ::std::ptrdiff_t dwForceForward = 0x322DE24;
constexpr ::std::ptrdiff_t dwForceJump = 0x52BBCD8;
constexpr ::std::ptrdiff_t dwForceLeft = 0x322DDA0;
constexpr ::std::ptrdiff_t dwForceRight = 0x322DDAC;
constexpr ::std::ptrdiff_t dwGameDir = 0x63AD80;
constexpr ::std::ptrdiff_t dwGameRulesProxy = 0x532F4E4;
constexpr ::std::ptrdiff_t dwGetAllClasses = 0xE0BF94;
constexpr ::std::ptrdiff_t dwGlobalVars = 0x59EE60;
constexpr ::std::ptrdiff_t dwGlowObjectManager = 0x535AA08;
constexpr ::std::ptrdiff_t dwInput = 0x525D550;
constexpr ::std::ptrdiff_t dwInterfaceLinkList = 0x99B4A4;
constexpr ::std::ptrdiff_t dwLocalPlayer = 0xDEA98C;
constexpr ::std::ptrdiff_t dwMouseEnable = 0x52391B0;
constexpr ::std::ptrdiff_t dwMouseEnablePtr = 0x5239180;
constexpr ::std::ptrdiff_t dwPlayerResource = 0x322C120;
constexpr ::std::ptrdiff_t dwRadarBase = 0x5236A54;
constexpr ::std::ptrdiff_t dwSensitivity = 0xDEEBA8;
constexpr ::std::ptrdiff_t dwSensitivityPtr = 0xDEEBA8;
constexpr ::std::ptrdiff_t dwSetClanTag = 0x8DA80;
constexpr ::std::ptrdiff_t dwViewMatrix = 0x4DF0DC4;
constexpr ::std::ptrdiff_t dwWeaponTable = 0x525E62C;
constexpr ::std::ptrdiff_t dwWeaponTableIndex = 0x326C;
constexpr ::std::ptrdiff_t dwYawPtr = 0xDEE938;
constexpr ::std::ptrdiff_t dwZoomSensitivityRatioPtr = 0xDF43A8;
constexpr ::std::ptrdiff_t dwbSendPackets = 0xDD2B2;
constexpr ::std::ptrdiff_t dwppDirect3DDevice9 = 0xA62C0;
constexpr ::std::ptrdiff_t find_hud_element = 0x58B402D0;
constexpr ::std::ptrdiff_t force_update_spectator_glow = 0x3D997A;
constexpr ::std::ptrdiff_t interface_engine_cvar = 0x3FA9C;
constexpr ::std::ptrdiff_t is_c4_owner = 0x3E71A0;
constexpr ::std::ptrdiff_t m_bDormant = 0xED;
constexpr ::std::ptrdiff_t m_bIsLocalPlayer = 0x3628;
constexpr ::std::ptrdiff_t m_flSpawnTime = 0x103C0;
constexpr ::std::ptrdiff_t m_pStudioHdr = 0x2950;
constexpr ::std::ptrdiff_t m_pitchClassPtr = 0x52390A8;
constexpr ::std::ptrdiff_t m_yawClassPtr = 0xDEE938;
constexpr ::std::ptrdiff_t model_ambient_min = 0x5A1194;
constexpr ::std::ptrdiff_t set_abs_angles = 0x1E7A10;
constexpr ::std::ptrdiff_t set_abs_origin = 0x1E7850;
}
}
|
communication.hpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
| #pragma once
#include <Windows.h>
#define IO_GET_CLIENTADDRESS CTL_CODE(FILE_DEVICE_UNKNOWN,0x666,METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IO_READ_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN,0x667,METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IO_WRITE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN,0x668, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IO_REQUEST_PROCESSID CTL_CODE(FILE_DEVICE_UNKNOWN,0x669, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
typedef struct _KERNEL_READ_REQUEST
{
ULONG ProcessId;
ULONG Address;
PVOID pBuff;
ULONG Szie;
} KERNEL_READ_REQUEST, * PKERNEL_READ_REQUEST;
typedef struct _KKERNEL_WRITE_REQUEST
{
ULONG ProcessId;
ULONG Address;
PVOID pBuff;
ULONG Size;
} KERNEL_WRITE_REQUEST, * PKERNEL_WRITE_REQUEST;
|
Kernelinterface.hpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
| #pragma once
#include "communication.hpp"
class KernelInterface
{
public:
HANDLE hDriver;
KernelInterface(LPCSTR RegistryPath)
{
hDriver = CreateFileA(RegistryPath, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
}
DWORD GetClientAddress()
{
if (hDriver == INVALID_HANDLE_VALUE)
{
return 0;
}
ULONG Address;
DWORD Bytes;
if (DeviceIoControl(hDriver, IO_GET_CLIENTADDRESS, &Address, sizeof(Address), &Address, sizeof(Address), &Bytes, NULL))
{
return Address;
}
return 0;
}
DWORD GetProcessId()
{
if (hDriver == INVALID_HANDLE_VALUE)
{
return 0;
}
ULONG ProccessID;
DWORD Bytes;
if (DeviceIoControl(hDriver, IO_REQUEST_PROCESSID, &ProccessID, sizeof(ProccessID), &ProccessID, sizeof(ProccessID), &Bytes, NULL))
{
return ProccessID;
}
return 0;
}
template <typename type>
type ReadVirtualMemory(ULONG ProcessId, ULONG ReadAddress, SIZE_T Size)
{
type Buffer;
KERNEL_READ_REQUEST ReadRequest;
ReadRequest.ProcessId = ProcessId;
ReadRequest.Address = ReadAddress;
ReadRequest.pBuff = &Buffer;
ReadRequest.Szie = Size;
if (DeviceIoControl(hDriver, IO_READ_REQUEST, &ReadRequest, sizeof(ReadRequest), &ReadRequest, sizeof(ReadRequest),0,0))
{
return Buffer;
}
return Buffer;
}
template <typename type>
bool WriteVirtualMemory(ULONG ProcessId,ULONG WriteAddress, type WriteValue, SIZE_T Size)
{
if (hDriver == INVALID_HANDLE_VALUE)
{
return false;
}
DWORD Bytes;
KERNEL_WRITE_REQUEST WriteRequest;
WriteRequest.ProcessId = ProcessId;
WriteRequest.Address = WriteAddress;
WriteRequest.pBuff = &WriteValue;
WriteRequest.Size = Size;
if(DeviceIoControl(hDriver,IO_WRITE_REQUEST,&WriteRequest,sizeof(WriteRequest),0,0,&Bytes,NULL))
{
return true;
}
return false;
}
};
|
GuideHackingController.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
#include <iostream>
#include "kernelinterface.hpp"
#include "offsets.hpp"
int main()
{
KernelInterface Driver = KernelInterface("\\\\.\\guidehacking");
ULONG address = Driver.GetClientAddress();
ULONG processid = Driver.GetProcessId();
std::cout << "ClientAddress" << std::hex << address<< std::endl;
std::cout << "ProcessID" << processid << std::endl;
std::cout << "Hello World!\n";
while (true)
{
uint32_t LocalPlayerAddress = Driver.ReadVirtualMemory<uint32_t>(processid, address + hazedumper::signatures::dwLocalPlayer, sizeof(uint32_t));
Driver.WriteVirtualMemory(processid, LocalPlayerAddress + hazedumper::netvars::m_flFlashMaxAlpha, 0.f, sizeof(0.f));
}
}
|
R0
add a class name it memory include memory.h and memory.c
communication.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
| #pragma once
#include <ntifs.h>
#define IO_GET_CLIENTADDRESS CTL_CODE(FILE_DEVICE_UNKNOWN,0x666,METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IO_READ_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN,0x667,METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IO_WRITE_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN,0x668, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IO_REQUEST_PROCESSID CTL_CODE(FILE_DEVICE_UNKNOWN,0x669, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp);
NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP Irp);
NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP Irp);
typedef struct _KERNEL_READ_REQUEST
{
ULONG ProcessId;
ULONG Address;
PVOID pBuff;
ULONG Size;
} KERNEL_READ_REQUEST, * PKERNEL_READ_REQUEST;
typedef struct _KKERNEL_WRITE_REQUEST
{
ULONG ProcessId;
ULONG Address;
PVOID pBuff;
ULONG Size;
} KERNEL_WRITE_REQUEST, * PKERNEL_WRITE_REQUEST;
|
data.h
1
2
3
4
5
6
| #pragma once
#include <ntdef.h>
ULONG CSGOClientDLLAddress,ProcessID;
PDEVICE_OBJECT pDeviceObject;
UNICODE_STRING dev, dos;
|
events.h
1
2
3
4
5
6
| #pragma once
#include <ntifs.h>
PLOAD_IMAGE_NOTIFY_ROUTINE ImageLoadCallback(PUNICODE_STRING FullImageName, HANDLE Processld, PIMAGE_INFO ImageInfo);
|
GuideHacking.h
1
2
3
4
5
6
7
8
| #pragma once
#include <ntifs.h>
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath);
NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject);
|
memory.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| #pragma once
#pragma warning (disable : 4047 4024)
#include "ntifs.h"
NTSTATUS NTAPI MmCopyVirtualMemory
(
PEPROCESS SourceProcess,
PVOID SourceAddress,
PEPROCESS TargetProcess,
PVOID TargetAddress,
SIZE_T BufferSize,
KPROCESSOR_MODE PreviousMode,
PSIZE_T ReturnSize
);
NTSTATUS KernelReadVirtualMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size);
NTSTATUS KernelWriteVirtualMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size);
|
messages.h
1
2
3
| #pragma once
#define DebugMessage(x, ...) DbgPrintEx(0, 0, x, __VA_ARGS__);
|
communication.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
| #pragma warning (disable :4022)
#include "communication.h"
#include "data.h"
#include "memory.h"
#include "messages.h"
NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
UNREFERENCED_PARAMETER(DeviceObject);
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
DebugMessage("CreateCall was called,connection enstablished\n");
return STATUS_SUCCESS;
}
NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
UNREFERENCED_PARAMETER(DeviceObject);
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
DebugMessage("Connection Terminated\n");
return STATUS_SUCCESS;
}
NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
UNREFERENCED_PARAMETER(DeviceObject);
NTSTATUS Status = STATUS_UNSUCCESSFUL;
ULONG ByteIO = 0;
PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
ULONG ControlCode = stack->Parameters.DeviceIoControl.IoControlCode;
if (ControlCode == IO_GET_CLIENTADDRESS)
{
PULONG OutPut = (PULONG)Irp->AssociatedIrp.SystemBuffer;
*OutPut = CSGOClientDLLAddress;
DebugMessage("clientAddress requesteed!\n");
Status = STATUS_SUCCESS;
ByteIO = sizeof(*OutPut);
}
else if (ControlCode == IO_REQUEST_PROCESSID)
{
PULONG OutPut = (PULONG)Irp->AssociatedIrp.SystemBuffer;
*OutPut = ProcessID;
DebugMessage("ProcessID requesteed!\n");
Status = STATUS_SUCCESS;
ByteIO = sizeof(*OutPut);
}
else if (ControlCode == IO_READ_REQUEST)
{
PKERNEL_READ_REQUEST ReadInput = (PKERNEL_READ_REQUEST)Irp->AssociatedIrp.SystemBuffer;
PEPROCESS Process;
if (NT_SUCCESS(PsLookupProcessByProcessId(ReadInput->ProcessId, &Process)))
{
KernelReadVirtualMemory(Process, ReadInput->Address, ReadInput->pBuff, ReadInput->Size);
Status = STATUS_SUCCESS;
ByteIO = sizeof(KERNEL_READ_REQUEST);
}
}
else if (ControlCode == IO_WRITE_REQUEST)
{
PKERNEL_WRITE_REQUEST WriteInput = (PKERNEL_WRITE_REQUEST)Irp->AssociatedIrp.SystemBuffer;
PEPROCESS Process;
if (NT_SUCCESS(PsLookupProcessByProcessId(WriteInput->ProcessId, &Process)))
{
KernelWriteVirtualMemory(Process, WriteInput->pBuff, WriteInput->Address, WriteInput->Size);
Status = STATUS_SUCCESS;
ByteIO = sizeof(KERNEL_READ_REQUEST);
}
}
else
{
ByteIO = 0;
}
Irp->IoStatus.Status = Status;
Irp->IoStatus.Information = ByteIO;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Status;
}
|
events.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
| #pragma warning (disable : 4047 )
#include "events.h"
#include "messages.h"
#include "data.h"
PLOAD_IMAGE_NOTIFY_ROUTINE ImageLoadCallback(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo)
{
if (wcsstr(FullImageName->Buffer, L"\\couter-Strike\\csgo\\bin\\client.dll"))
{
DebugMessage("client.dll found!\n");
CSGOClientDLLAddress = ImageInfo->ImageBase;
DebugMessage("ProcessID: %d \n", ProcessId);
}
return STATUS_SUCCESS;
}
|
GuideHacking.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
| #pragma warning (disable : 4100 4047 4024)
#include "GuideHacking.h"
#include "communication.h"
#include "data.h"
#include "events.h"
#include "messages.h"
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
UNREFERENCED_PARAMETER(pRegistryPath);
pDriverObject->DriverUnload = UnloadDriver;
DbgPrintEx(0, 0, "Message!");
DebugMessage("Welcome to the first GuideHacking Driver!");
PsSetLoadImageNotifyRoutine(ImageLoadCallback);
RtlInitUnicodeString(&dev, L"\\Device\\guidehacking");
RtlInitUnicodeString(&dos, L"\\DosDevices\\guidehacking");
IoCreateDevice(pDriverObject, 0, &dev, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
IoCreateSymbolicLink(&dos, &dev);
pDriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCall;
pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCall;
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoControl;
pDeviceObject->Flags |= DO_DIRECT_IO;
pDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
return STATUS_SUCCESS;
}
NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
UNREFERENCED_PARAMETER(pDriverObject);
DebugMessage("papa rake syas goodbye!");
PsRemoveLoadImageNotifyRoutine(ImageLoadCallback);
IoDeleteSymbolicLink(&dos);
IoDeleteDevice(pDriverObject->DeviceObject);
return STATUS_SUCCESS;
}
|
memory.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| #include "memory.h"
NTSTATUS KernelReadVirtualMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
{
PSIZE_T Bytes;
return MmCopyVirtualMemory(Process, SourceAddress, PsGetCurrentProcess(), TargetAddress, Size, KernelMode, &Bytes);
}
NTSTATUS KernelWriteVirtualMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
{
PSIZE_T Bytes;
return MmCopyVirtualMemory(PsGetCurrentProcess(), SourceAddress, Process, TargetAddress, Size, KernelMode, &Bytes);
}
|
and dbgView
use cmd load driver GuideHacking
run GuideHackingController.exe
