Changes to Readme

DriverDisabler/README.md

@@ -7,11 +7,15 @@
 
 This Module will inject a "return" on the methods StartServiceA and OpenServiceW in order to prevent to the anti-cheat to load the driver.
 
+Some Anti-Cheat (AC) load their service/driver from within the game. By injecting a return the method will get executed but no service will be started.
+
+This module can be easily adapted to disable AC services that are started by using different methods.
+
 ## Configuration
 
 This module does not requires much configuration, compile for the required architecture (x86/x64) and inject it.
 
-It is possible to add new methods to test by adding them at  **handleAction**.
+**targetProc** need to be provided by usign config.ini file.
 
 ## Combination with other techniques
 

DriverHelper/Readme.md

@@ -0,0 +1,76 @@
+# DriverHelper
+
+## Introduction
+
+
+## Usage
+
+This module provides all key features required to exploit and communicate with a Driver.
+
+## Key Features
+
+Class DriverHelper will provide the following method:
+
+- static int memmem(PBYTE haystack, DWORD haystack_size, PBYTE needle, DWORD needle_size);
+- static int getDeviceHandle(LPTSTR name);
+- static unsigned __int64 __fastcall ExpLookupHandleTableEntryW7(__int64 HandleTable, unsigned __int64 handle);
+- static unsigned __int64 __fastcall ExpLookupHandleTableEntryW10(__int64 HandleTable, __int64 handle);
+- static ULONG64 findPhisical_ObjectTable(DWORDLONG startAddress, DWORDLONG stopAddress, DWORD searchSpace, PBYTE  searchBuffer, DWORD bufferSize);
+- static DWORDLONG findPhisical(DWORDLONG startAddress, DWORDLONG stopAddress, DWORD searchSpace, PBYTE  searchBuffer, DWORD bufferSize);
+
+
+## Usefull Structures:
+
+EPROCESS pattern:
+```
+typedef struct {
+	CHAR  ImageFileName[15];
+	DWORD PriorityClass;
+} _EPROCESS_PATTERN;
+```
+
+Read physicalAddress:
+```
+typedef struct _READ_REQUEST {
+	DWORD InterfaceType;
+	DWORD Bus;
+	ULONG64 PhysicalAddress;
+	DWORD IOSpace;
+	DWORD size;
+} READ_REQUEST;
+```
+
+Write physicalAddress:
+```
+typedef struct _WRITE_REQUEST {
+	DWORDLONG address;
+	DWORD length;
+	DWORDLONG buffer;
+} WRITE_REQUEST;
+```
+
+Structure for memcpy using VA:
+```
+typedef struct _MEMCPY_REQUEST {
+	ULONG64 dest;
+	ULONG64 src;
+	DWORD size;
+} MEMCPY_REQUEST;
+```
+
+HANDLE_TABLE_ENTRY:
+```
+typedef struct _HANDLE_TABLE_ENTRY
+{
+	ULONGLONG Value;
+	ULONGLONG GrantedAccess : 25;
+} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
+```
+
+HANDLE_TABLE:_
+```
+typedef struct _HANDLE_TABLE
+{
+	CHAR fill[100];
+} HANDLE_TABLE, *PHANDLE_TABLE;
+```

DriverTester/Readme.md

@@ -0,0 +1,80 @@
+# DriverTester
+
+## Introduction
+
+
+## Usage
+
+This module exploits **Razer Synapse rzpnk.sys (2.20.15.1104) - CVE-2017-9769** to open a new HANDLE to the game from kernel mode. Then it attempts to access to the memory of the game by using this handle.
+
+> A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse 2.20.15.1104 that is forwarded to ZwOpenProcess allowing a handle to be opened to an arbitrary process.
+References
+
+__Actions that this module attemps:__
+
+-  ReadProcessMemory
+-  WriteProcessMemory
+-  ntReadVirtualMemory
+-  ntWriteVirtualMemory
+-  ZwReadVirtualMemory
+-  ZwWriteVirtualMemory
+
+## Configuration
+
+This module requires configuration:
+
+- The following variables in config.ini need to the provided:
+
+[Addresses]
+```
+RPMAddressHigh=0x1
+RPMAddressLow=0x58A60000
+RPMAddress=0x0
+WPMAddressHigh=0x00000000
+WPMAddressLow=0x58A60000
+WPMAddress=0x0
+ntRVMAddressHigh=0x00000000
+ntRVMAddressLow=0x58A60000
+ntRVMAddress=0x0
+ntWVMAddressHigh=0x00000000
+ntWVMAddressLow=0x58A60000
+ntWVMAddress=0x0
+ZwRVMAddressHigh=0x00000000
+ZwRVMAddressLow=0x58A60000
+ZwRVMAddress=0x0
+ZwWVMAddressHigh=0x00000000
+ZwWVMAddressLow=0x58A60000
+ZwWVMAddress=0x0
+```
+
+
+[Buffers]
+```
+#SIZE MUST BE SIZE+1
+RPMBuffer=TTTT1
+RPMBufferSize=0x6
+WPMBuffer=TTTT2
+WPMBufferSize=0x6
+ntRVMBuffer=TTTT4
+ntRVMBufferSize=0x6
+ntWVMBuffer=TTTT5
+ntWVMBufferSize=0x6
+ZwRVMBuffer=TTTT6
+ZwRVMBufferSize=0x6
+ZwWVMBuffer=TTTT7
+ZwWVMBufferSize=0x6
+``` 
+
+[Strings]
+```
+targetProc=r5apex.exe
+```
+
+## Combination with other techniques
+
+- **RUNASKINVOKER**: By executing the game using this options we will prevent the Anti-cheat to fully protect the game end load the driver.
+
+
+## Links
+
+https://warroom.rsmus.com/cve-2017-9769/

HandleElevationDriver/Readme.md

@@ -13,7 +13,30 @@ HandleHijakingMaster will create a NamedPipe that the DLL will use to receive in
 
 ## Configuration
 
-This module requries configuration:
+This module requires configuration:
+
+- The following variables in config.ini need to the provided:
+
+[Addresses]
+```
+startAddressPhyHigh=0x00000000
+startAddressPhyLow=0x58A60000
+startAddressPhy=0x0
+```
+
+[Handles]
+```
+requestHandleDrv=0x15FC
+```
+
+[Strings]
+```
+privotProc=lsass.exe
+driverName=\\.\GIO
+```
+
+
+## Notes
 
 - startPhysicalAddress: Physical memory to start looking for EPROCESS structures.
 - driverName: Name of the driver device to exploit

HandleHijackingDLL/README.md

@@ -9,6 +9,7 @@ This module is used combinaded with **HandleHijackingMaster**. This is the DLL i
 
 HandleHijakingMaster will create a NamedPipe that this module uses to receive instructions and then return information to the master (where all the bot logic should be located).
 
+
 ## Combination with other techniques
 
 - **RUNASKINVOKER**: By executing the game using this options we will prevent the Anti-cheat to fully protect the game end load the driver.

HandleHijackingMaster/README.md

@@ -11,14 +11,66 @@ HandleHijakingMaster will create a NamedPipe that the DLL will use to receive in
 
 ## Configuration
 
-This module requries configuration:
-
-- Address to Read/Write (TODO: implement to use multiple addresses, not just one)
-- Sequence of actions to perform (TODO: now it tries everything from 0 to 5, implement a list)
-- HANDLE to use as pivot (TODO: It is hardocded now so it need to be recompiled, it would be better to enumerate handles and identify the correct one).
-- Buffer with the CONTENT we will write.
-- CHANGE VALUE OF namedPipeName
-
+This module requires configuration:
+
+- ~~Address to Read/Write (TODO: implement to use multiple addresses, not just one)~~
+- ~~Sequence of actions to perform (TODO: now it tries everything from 0 to 5, implement a list)~~
+- ~~HANDLE to use as pivot (TODO: It is hardocded now so it need to be recompiled, it would be better to enumerate handles and identify the correct one).~~
+- The following variables in config.ini need to the provided:
+
+[Addresses]
+```
+RPMAddressHigh=0x1
+RPMAddressLow=0x58A60000
+RPMAddress=0x0
+WPMAddressHigh=0x00000000
+WPMAddressLow=0x58A60000
+WPMAddress=0x0
+ntRVMAddressHigh=0x00000000
+ntRVMAddressLow=0x58A60000
+ntRVMAddress=0x0
+ntWVMAddressHigh=0x00000000
+ntWVMAddressLow=0x58A60000
+ntWVMAddress=0x0
+ZwRVMAddressHigh=0x00000000
+ZwRVMAddressLow=0x58A60000
+ZwRVMAddress=0x0
+ZwWVMAddressHigh=0x00000000
+ZwWVMAddressLow=0x58A60000
+ZwWVMAddress=0x0
+```
+
+[Handles]
+
+```
+requestHandleNP=0x15FC
+```
+
+[Buffers]
+```
+#SIZE MUST BE SIZE+1
+RPMBuffer=TTTT1
+RPMBufferSize=0x6
+WPMBuffer=TTTT2
+WPMBufferSize=0x6
+ntRVMBuffer=TTTT4
+ntRVMBufferSize=0x6
+ntWVMBuffer=TTTT5
+ntWVMBufferSize=0x6
+ZwRVMBuffer=TTTT6
+ZwRVMBufferSize=0x6
+ZwWVMBuffer=TTTT7
+ZwWVMBufferSize=0x6
+``` 
+
+[Strings]
+```
+targetProc=BlackDesert64.exe
+privotProc=lsass.exe
+#Edit in DLL if you changed it here
+namedPipeName=\\.\\pipe\\driverbypass
+```
+
 ## Combination with other techniques
 
 - **RUNASKINVOKER**: By executing the game using this options we will prevent the Anti-cheat to fully protect the game end load the driver.

StealthHijackingNormalMaster/Readme.md

@@ -0,0 +1,75 @@
+# StealthHandleHijackingMaster
+
+## Introduction
+
+
+## Usage
+
+This module is used combinaded with **StealthHandleHijackingDLL**. This is the "command and control" implementation. Has to be executed before injecting the DLL. 
+
+HandleHijakingMaster will create a FileMapping (Share Memory) that this module uses to receive instructions and then return information to the master (where all the bot logic should be located).
+
+## Configuration
+
+This module requires configuration:
+
+- The following variables in config.ini need to the provided:
+
+[Addresses]
+```
+RPMAddressHigh=0x1
+RPMAddressLow=0x58A60000
+RPMAddress=0x0
+WPMAddressHigh=0x00000000
+WPMAddressLow=0x58A60000
+WPMAddress=0x0
+ntRVMAddressHigh=0x00000000
+ntRVMAddressLow=0x58A60000
+ntRVMAddress=0x0
+ntWVMAddressHigh=0x00000000
+ntWVMAddressLow=0x58A60000
+ntWVMAddress=0x0
+ZwRVMAddressHigh=0x00000000
+ZwRVMAddressLow=0x58A60000
+ZwRVMAddress=0x0
+ZwWVMAddressHigh=0x00000000
+ZwWVMAddressLow=0x58A60000
+ZwWVMAddress=0x0
+```
+
+[Handles]
+
+```
+requestHandleFM=0x15FC
+```
+
+[Buffers]
+```
+#SIZE MUST BE SIZE+1
+RPMBuffer=TTTT1
+RPMBufferSize=0x6
+WPMBuffer=TTTT2
+WPMBufferSize=0x6
+ntRVMBuffer=TTTT4
+ntRVMBufferSize=0x6
+ntWVMBuffer=TTTT5
+ntWVMBufferSize=0x6
+ZwRVMBuffer=TTTT6
+ZwRVMBufferSize=0x6
+ZwWVMBuffer=TTTT7
+ZwWVMBufferSize=0x6
+``` 
+
+[Strings]
+```
+targetProc=BlackDesert64.exe
+privotProc=lsass.exe
+#Edit in DLL if you changed it here
+fileMapName=Global\StealthHijacking
+```
+
+## Combination with other techniques
+
+- **RUNASKINVOKER**: By executing the game using this options we will prevent the Anti-cheat to fully protect the game end load the driver.
+
+