#include "Include.hpp"
// Driver-global state.
// NOTE(review): the first three globals are not referenced anywhere in this
// translation unit; whether Include.hpp / Render use them cannot be seen here.
std::uintptr_t originalSimpleCallFunction{};
std::uint32_t rectangleCount{};
RectangleRequest drawRectRequest[1000];

// Signatures of the win32k GDI routines that DriverEntry resolves by export name.
using CreateCompatibleBitmap_t = HBITMAP (*)(_In_ HDC hdc, _In_ int cx, _In_ int cy);
using CreateCompatibleDC_t     = HDC (*)(_In_ HDC hdc);
using SelectBitmap_t           = HBITMAP (*)(_In_ HDC hdc, _In_ HBITMAP hbm);
using BitBit_t                 = BOOL (*)(_In_ HDC hdcDst, _In_ INT x, _In_ INT y, _In_ INT cx, _In_ INT cy, _In_opt_ HDC hdcSrc, _In_ INT xSrc, _In_ INT ySrc, _In_ DWORD rop4, _In_ DWORD crBackColor, _In_ FLONG fl);
using DeleteObject_t           = BOOL (NTAPI *)(HGDIOBJ hobj);
using DeleteObjectApp_t        = BOOL (APIENTRY *)(_In_ HANDLE hobj);

// Function pointers filled in by DriverEntry; null until resolution succeeds,
// and SubmitCommandHook calls them without re-checking.
CreateCompatibleBitmap_t NtGdiCreateCompatibleBitmap = nullptr;
CreateCompatibleDC_t     GreCreateCompatibleDC       = nullptr;
SelectBitmap_t           GreSelectBitmap             = nullptr;
DeleteObject_t           GreDeleteObject             = nullptr;
BitBit_t                 NtGdiBitBlt                 = nullptr;
DeleteObjectApp_t        NtGdiDeleteObjectApp        = nullptr;
/// Replacement routine installed by Render::HookSubmitCommand (see DriverEntry).
/// On every call it looks up the process owning the foreground window and, when
/// the image name check passes, draws a fixed text/rectangle overlay on the
/// screen DC.
/// @param parameter1 The hooked routine's original argument; not used here.
/// @return Always PsGetCurrentProcess(), on every path.
PEPROCESS NTAPI SubmitCommandHook(const std::uint64_t parameter1/*VOID*/) {
    const auto window = win32::ntUserGetForegroundWindow();
    const auto processId = win32::ntUserQueryWindow(window, 0);
    if(!window || !processId)
    return PsGetCurrentProcess();
    PEPROCESS process{};
    // NOTE(review): PsLookupProcessByProcessId returns a referenced object and
    // nothing in this function releases it (no ObDereferenceObject on any path).
    if (!NT_SUCCESS(PsLookupProcessByProcessId(reinterpret_cast<HANDLE>(processId), &process)))
    return PsGetCurrentProcess();
    // NOTE(review): reads the image name at a hard-coded EPROCESS offset, which
    // is OS-build-specific. Also note the strstr argument order: the literal is
    // the haystack, so any process name that is a substring of it passes.
    if (!strstr("csgo.exe", reinterpret_cast<char*>(process) + 0x450))
    return PsGetCurrentProcess();
    // 0x0 for getting the virtual screen (other hwnd somehow flicker)
    const auto windowDC = win32::ntUserGetDCEx(0x0, 0, 1);
    if (!windowDC)
    return PsGetCurrentProcess();
    // Set up a 500x300 back buffer: a compatible bitmap selected into a memory DC.
    // NOTE(review): none of these three handles is null-checked before use.
    HBITMAP bitmap = NtGdiCreateCompatibleBitmap((HDC)windowDC, 500, 300);
    HDC windowDCMem = GreCreateCompatibleDC((HDC)windowDC);
    HBITMAP oldBitmap = GreSelectBitmap(windowDCMem, bitmap);
    // Rendering. NOTE(review): all three calls target windowDC, not windowDCMem,
    // so nothing in this function ever draws into the back buffer set up above.
    Render::InitializeBrush(windowDC, 2, 0);
    Render::RenderText(windowDC, L"LMFAO", 50, 100, 0);
    Render::RenderRectangle(windowDC, 50, 50, 150, 150);
    // Copy the memory DC onto the screen DC; 0xCC0020 is the SRCCOPY raster op.
    NtGdiBitBlt((HDC)windowDC, 0, 0, 500, 300, windowDCMem, 0, 0, 0xCC0020, 0, 0);
    GreSelectBitmap(windowDCMem, oldBitmap);
    // NOTE(review): the same bitmap handle is deleted twice below, and the
    // memory DC is passed to ntUserReleaseDC, which appears to be the release
    // path for a window/screen DC rather than a delete for a DC created by
    // GreCreateCompatibleDC — confirm against the win32k contract.
    NtGdiDeleteObjectApp(bitmap);
    GreDeleteObject(bitmap);
    win32::ntUserReleaseDC(windowDC);
    win32::ntUserReleaseDC((std::uint64_t)windowDCMem);
    return PsGetCurrentProcess();
}
/// Driver unload callback registered in DriverEntry. There is no teardown
/// here; the hook installed by Render::HookSubmitCommand is not removed.
/// @param DriverObject The driver being unloaded; unused.
VOID Unload(IN PDRIVER_OBJECT DriverObject) {
    static_cast<void>(DriverObject);
}
/// Driver entry point: attaches to explorer.exe's context (presumably so the
/// win32k modules are mapped — TODO confirm), resolves the GDI routines this
/// driver calls by export name, then installs the submit-command hook.
/// @param driverObject Driver object; only DriverUnload is set on it.
/// @param registryPath Unused here.
/// @return STATUS_NOT_FOUND if explorer.exe or the Render win32 functions
///         cannot be resolved; STATUS_UNSUCCESSFUL if any GDI export is
///         missing; otherwise whatever Render::HookSubmitCommand returns.
NTSTATUS DriverEntry(const PDRIVER_OBJECT driverObject, const PUNICODE_STRING registryPath) {
    driverObject->DriverUnload = Unload;
    PEPROCESS explorerProcess{};
    // NOTE(review): a non-zero return is treated as failure here — confirm that
    // matches findProcessByName's convention. If the helper returns a referenced
    // PEPROCESS, it is never dereferenced in this function.
    if (Nt::findProcessByName("explorer.exe", &explorerProcess)) {
    return STATUS_NOT_FOUND;
    }
    KAPC_STATE apcState{};
    // Every early return after this point must detach first.
    KeStackAttachProcess(explorerProcess, &apcState);
    //------------------------------>
    std::uintptr_t win32kfull{};
    std::size_t win32kfullSize{};
    win32kfull = Nt::get_krnl_module_base("win32kfull.sys", win32kfullSize);
    if (!win32kfull) {
    DbgPrintEx(0, 0, "[DRIVER] Failed to get win32kfull base!");
    KeUnstackDetachProcess(&apcState);
    return STATUS_UNSUCCESSFUL;
    }
    //get backbuffer dependencies
    // NOTE(review): both values are printed with %p although neither is a
    // pointer type; %p with a std::size_t is a format/argument mismatch.
    DbgPrintEx(0, 0, "[DRIVER] win32kfull: 0x%p win32kfullsize: 0x%p \n", win32kfull, win32kfullSize);
    NtGdiCreateCompatibleBitmap = (CreateCompatibleBitmap_t)Nt::get_krnl_module_export("win32kfull.sys", "NtGdiCreateCompatibleBitmap");
    if (!NtGdiCreateCompatibleBitmap) {
    DbgPrintEx(0, 0, "[DRIVER] Failed to get win32kfull:NtGdiCreateCompatibleBitmap!");
    KeUnstackDetachProcess(&apcState);
    return STATUS_UNSUCCESSFUL;
    }
    // NOTE(review): this and the GreSelectBitmap / NtGdiDeleteObjectApp exports
    // below are resolved from win32kbase.sys, but their failure messages say
    // "win32kfull:" — misleading when debugging a resolution failure.
    GreCreateCompatibleDC = (CreateCompatibleDC_t)Nt::get_krnl_module_export("win32kbase.sys", "GreCreateCompatibleDC");
    if (!GreCreateCompatibleDC) {
    DbgPrintEx(0, 0, "[DRIVER] Failed to get win32kfull:GreCreateCompatibleDC!");
    KeUnstackDetachProcess(&apcState);
    return STATUS_UNSUCCESSFUL;
    }
    GreSelectBitmap = (SelectBitmap_t)Nt::get_krnl_module_export("win32kbase.sys", "GreSelectBitmap");
    if (!GreSelectBitmap) {
    DbgPrintEx(0, 0, "[DRIVER] Failed to get win32kfull:GreSelectBitmap!");
    KeUnstackDetachProcess(&apcState);
    return STATUS_UNSUCCESSFUL;
    }
    GreDeleteObject = (DeleteObject_t)Nt::get_krnl_module_export("win32kbase.sys", "GreDeleteObject");
    if (!GreDeleteObject) {
    DbgPrintEx(0, 0, "[DRIVER] Failed to get win32kbase:GreDeleteObject!");
    KeUnstackDetachProcess(&apcState);
    return STATUS_UNSUCCESSFUL;
    }
    NtGdiBitBlt = (BitBit_t)Nt::get_krnl_module_export("win32kfull.sys", "NtGdiBitBlt");
    if (!NtGdiBitBlt) {
    DbgPrintEx(0, 0, "[DRIVER] Failed to get win32kfull:NtGdiBitBlt!");
    KeUnstackDetachProcess(&apcState);
    return STATUS_UNSUCCESSFUL;
    }
    NtGdiDeleteObjectApp = (DeleteObjectApp_t)Nt::get_krnl_module_export("win32kbase.sys", "NtGdiDeleteObjectApp");
    if (!NtGdiDeleteObjectApp) {
    DbgPrintEx(0, 0, "[DRIVER] Failed to get win32kfull:NtGdiDeleteObjectApp!");
    KeUnstackDetachProcess(&apcState);
    return STATUS_UNSUCCESSFUL;
    }
    DbgPrintEx(0, 0, "[DRIVER] NtGdiCreateCompatibleBitmap: 0x%p\n", NtGdiCreateCompatibleBitmap);
    DbgPrintEx(0, 0, "[DRIVER] NtGdiCreateCompatibleDC: 0x%p\n", GreCreateCompatibleDC);
    DbgPrintEx(0, 0, "[DRIVER] GreSelectBitmap: 0x%p\n", GreSelectBitmap);
    DbgPrintEx(0, 0, "[DRIVER] GreDeleteObject: 0x%p\n", GreDeleteObject);
    DbgPrintEx(0, 0, "[DRIVER] NtGdiBitBlt: 0x%p\n", NtGdiBitBlt);
    DbgPrintEx(0, 0, "[DRIVER] NtGdiDeleteObjectApp: 0x%p\n", NtGdiDeleteObjectApp);
    //KeUnstackDetachProcess(&apcState);
    //return STATUS_SUCCESS;
    //------------------------------>
    // NOTE(review): this early return is the one path that leaves the thread
    // attached to explorerProcess — it has no KeUnstackDetachProcess, unlike
    // every other failure branch above.
    if (!Render::ResolveWin32Functions())
    return STATUS_NOT_FOUND;
    auto status = Render::HookSubmitCommand();
    KeUnstackDetachProcess(&apcState);
    return status;
}