Skip to content

Stealthy UM <-> KM communication system without creating any system threads, permanent hooks, driver objects, section objects or device objects

Notifications You must be signed in to change notification settings

sondernextdoor/Poseidon

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

46 Commits
 
 
 
 
 
 
 
 

Repository files navigation

KM-UM-Communication

Stealthy UM <-> KM communication system without creating any system threads, permanent hooks, driver objects, section objects or device objects.

Process:

  • In our driver, we hook a function in ntoskrnl (.data pointer swap)
  • In usermode, we manually allocate memory and index it via custom data structures
  • We then create a thread in usermode and call the hooked function's corresponding usermode-accessible function
  • When the correct magic number is passed to the function, the driver will know it's us, and will then unhook and enter a shared memory loop, trapping our usermode thread in the kernel until we choose to break out of the loop

As long as this is set up prior to any anti-cheat being active on your system, you can communicate with the driver without being detected by most of the various security measures employed by invasive anti-cheat technologies such as BattlEye and EasyAntiCheat.

2023 Update: There are quite a few detection vectors that can be identified by BE and EAC, some of which are discussed in (now closed) issues. Most are easy to bypass, but others are a bit more tricky. Having said that, I still have never had any action taken against me for using this for relatively licit purposes (i.e. no aimbot, ESP, or any other blatant violative use), nor has anyone I know who's used it. Regardless, steps should be taken to mitigate any potential detection vectors. I will not be providing any updates or revisions, as this is nearly four years old and there are far superior options to accomplish stealthy communication. This is mainly meant to serve as an interesting, novel communication method that demostrates the potential creativity that can be employed to get around invasive security software, mainly anti-cheat software.

Limitations:

  • Dodgy synchronization
  • Not many kernel features, just basic remote-process operability
  • Not designed with safety as a priority (i.e. you may well BSOD)
  • Only tested on Windows 10 20H2
  • The client can only be used once. If you terminate it or call Client::Disconnect(), you'll need to remap the driver

The driver is intended to be manually mapped by exploiting Intel's vulnerable network adapter diagnostic driver, iqvw64e.sys (or any other suitable vulnerable driver).

This was created for fun, I do not condone the use of this code in any program that violates the integrity of any online game, nor do I condone the use of this in any malicious software. This should only be used for learning purposes or to prevent custom software from being falsely detected as an illicit program.

Usage:

  • Map the driver
  • Start the client
  • Start the target process
  • Do stuff

You have to modify the client to sleep until your target process is running (since it must be set up prior to any anti-cheat being active). Basic example of how main.cpp in the client should typically look:

int main() {
	Client::Connect();

	for (;;) {
		Sleep(100);

		if (YourTargetProcessIsRunning) {
			break;
		}
	}

	// Do stuff
  
        Client::Disconnect();
  }

You can either call the functions in memory.h and process.h manually, or you can just create a KProcess object for easier use. KProcess features are as follows:


	// Make a process object for your target process
	
	KProcess Notepad(L"notepad.exe");
	
	
        // Read Memory

	int Value = Notepad.Read<int>((PVOID)0xDEADBEEF);
	Notepad.Read((PVOID)0xDEADBEEF, &Value, sizeof(int)); // Overload


	// Write Memory

	Notepad.Write<int>((PVOID)0xDEADBEEF, 2);
	Notepad.Write((PVOID)0xDEADBEEF, &Value, sizeof(int)); // Overload


	// Allocate Virtual Memory

	Notepad.AllocateVirtualMemory(PVOID Base, SIZE_T Size, DWORD AllocType, DWORD Protect);


	// Free Virtual Memory

	Notepad.FreeVirtualMemory(PVOID Base, SIZE_T Size, DWORD FreeType);


	// Change Virtual Memory Protection

	Notepad.ProtectVirtualMemory(PVOID Base, SIZE_T Size, DWORD Protect, DWORD* OldProtect);


	// Query Virtual Memory. MEMORY_BASIC_INFORMATION only.

	MEMORY_BASIC_INFORMATION MBI{ 0 };

	bool bResult = Notepad.QueryVirtualMemory(PVOID Address, MEMORY_BASIC_INFORMATION& MemoryBasicInfo, SIZE_T Size);
	MBI = Notepad.QueryVirtualMemory(PVOID Address, SIZE_T Size); // Overload


	// Query Process Information

	Notepad.QueryInformationProcess();


	// Get module info by name

	Notepad.GetModuleInfo(const char* ModuleName, DWORD& ModuleSize);


	// Pattern finder

	Notepad.PatternFinder(BYTE* Start, DWORD Size, const char* Signature, const char* Mask);


	// Get absolute address within specified asm instruction

	Notepad.AbsoluteAddress(BYTE* Rip, DWORD InstructionLength);


	// Get relative address within specified asm instruction

	Notepad.RelativeAddress(BYTE* DestinationAddress, BYTE* SourceAddress, DWORD InstructionLength);


	Notepad.BaseAddress;     // Base Address
	Notepad.ImageName;	 // Name
	Notepad.ModuleCount;     // Number of modules
	Notepad.ModuleList;      // std::vector containing all modules' base address and size
	Notepad.Peb;		 // Process Environment Block
	Notepad.ProcessId;	 // Process Id
	Notepad.Size;		 // Main module size

About

Stealthy UM <-> KM communication system without creating any system threads, permanent hooks, driver objects, section objects or device objects

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published