133 lines
3.3 KiB
C++
133 lines
3.3 KiB
C++
#include "Bypass.h"
|
|
|
|
namespace Bypass
|
|
{
|
|
bool Init()
|
|
{
|
|
SeValidateImageDataOffset = KernelUtils::GetSeValidateImageDataOffset();
|
|
SeValidateImageHeaderOffset = KernelUtils::GetSeValidateImageHeaderOffset();
|
|
RetOffset = KernelUtils::GetReturnOffset();
|
|
NtoskrnlBaseAddress = KernelUtils::GetNtoskrnlBase();
|
|
PatchgaurdValueOffset = KernelUtils::GetPatchGaurdValueOffset();
|
|
PatchgaurdOffset = KernelUtils::GetPatchGaurdOffset();
|
|
|
|
if (SeValidateImageDataOffset == 0 || SeValidateImageHeaderOffset == 0 || RetOffset == 0 || NtoskrnlBaseAddress == 0)
|
|
return false;
|
|
|
|
return true;
|
|
}
|
|
|
|
bool DisableDSE()
|
|
{
|
|
ULONG64 ReturnAddressOffset = NtoskrnlBaseAddress + RetOffset;
|
|
|
|
BOOL Status = Vuln::WriteVirtualMemory(VulnurableDriverHandle, NtoskrnlBaseAddress + SeValidateImageHeaderOffset, &ReturnAddressOffset, sizeof(ReturnAddressOffset));
|
|
if (!Status)
|
|
return false;
|
|
|
|
Status = Vuln::WriteVirtualMemory(VulnurableDriverHandle, NtoskrnlBaseAddress + SeValidateImageDataOffset, &ReturnAddressOffset, sizeof(ReturnAddressOffset));
|
|
if (!Status)
|
|
return false;
|
|
|
|
return Status;
|
|
}
|
|
|
|
bool DisablePG()
|
|
{
|
|
ULONG64 ReturnAddressOffset = NtoskrnlBaseAddress + RetOffset;
|
|
ULONG64 PatchGaurdValueAddress = NtoskrnlBaseAddress + PatchgaurdValueOffset;
|
|
|
|
BOOL Status = Vuln::WriteVirtualMemory(VulnurableDriverHandle, NtoskrnlBaseAddress + PatchgaurdOffset, &PatchGaurdValueAddress, 8);
|
|
return Status;
|
|
}
|
|
|
|
bool LoadVulnurableDriver(std::string PdFwKrnlPath, std::string PdFwKrnlServiceName)
|
|
{
|
|
std::string DrvPath = PdFwKrnlPath;
|
|
bool Status = driver::load(DrvPath, PdFwKrnlServiceName);
|
|
if (!Status)
|
|
return Status;
|
|
|
|
std::string PdFw = "\\\\.\\" + PdFwKrnlServiceName;
|
|
VulnurableDriverHandle = CreateFileA((LPCSTR)PdFw.c_str(), GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
|
|
if (VulnurableDriverHandle == INVALID_HANDLE_VALUE || !VulnurableDriverHandle)
|
|
return false;
|
|
|
|
return true;
|
|
}
|
|
|
|
BypassStatus LoadCheatDriver(std::string DriverPath, std::string DriverServiceName, std::string PdFwKrnlPath, std::string PdFwKrnlServiceName)
|
|
{
|
|
bool Status = LoadVulnurableDriver(PdFwKrnlPath, PdFwKrnlServiceName);
|
|
if (!Status)
|
|
return FAILED_LOADINGVULN;
|
|
|
|
Status = DisablePG();
|
|
if (!Status)
|
|
return FAILED_DISABLEPG;
|
|
|
|
Status = DisableDSE();
|
|
if (!Status)
|
|
return FAILED_DISABLEDSE;
|
|
|
|
std::string DrvPath = DriverPath;
|
|
Status = driver::load(DrvPath, DriverServiceName);
|
|
if (Status == 0xC000010E)
|
|
driver::unload(DriverServiceName);
|
|
|
|
Status = driver::load(DrvPath, DriverServiceName);
|
|
if (!Status)
|
|
return FAILED_LOADINGCHEATDRV;
|
|
|
|
driver::unload(PdFwKrnlServiceName);
|
|
return SUCCESS;
|
|
}
|
|
|
|
std::string BypassStatusToString(BypassStatus Status)
|
|
{
|
|
std::string StatusString;
|
|
|
|
switch (Status)
|
|
{
|
|
case FAILED_LOADINGVULN:
|
|
{
|
|
StatusString = "Failed loading Vulnurable Driver";
|
|
break;
|
|
}
|
|
|
|
case FAILED_DISABLEPG:
|
|
{
|
|
StatusString = "Failed Disabling Patchgaurd";
|
|
break;
|
|
}
|
|
|
|
case FAILED_DISABLEDSE:
|
|
{
|
|
StatusString = "Failed Disabling DSE";
|
|
break;
|
|
}
|
|
|
|
case FAILED_LOADINGCHEATDRV:
|
|
{
|
|
StatusString = "Failed Loading Main Driver";
|
|
break;
|
|
}
|
|
|
|
case SUCCESS:
|
|
{
|
|
StatusString = "Success";
|
|
break;
|
|
}
|
|
|
|
defualt:
|
|
{
|
|
StatusString = "Unkown Status, assuming success";
|
|
break;
|
|
}
|
|
}
|
|
|
|
return StatusString;
|
|
}
|
|
}
|
|
|