This module exploits Razer Synapse rzpnk.sys (220.127.116.114) - CVE-2017-9769 to open a new HANDLE to the game from kernel mode. Then it attempts to access to the memory of the game by using this handle.
A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse 18.104.22.1684 that is forwarded to ZwOpenProcess allowing a handle to be opened to an arbitrary process. References
Actions that this module attemps:
This module requires configuration:
- The following variables in config.ini need to the provided:
RPMAddressHigh=0x1 RPMAddressLow=0x58A60000 RPMAddress=0x0 WPMAddressHigh=0x00000000 WPMAddressLow=0x58A60000 WPMAddress=0x0 ntRVMAddressHigh=0x00000000 ntRVMAddressLow=0x58A60000 ntRVMAddress=0x0 ntWVMAddressHigh=0x00000000 ntWVMAddressLow=0x58A60000 ntWVMAddress=0x0 ZwRVMAddressHigh=0x00000000 ZwRVMAddressLow=0x58A60000 ZwRVMAddress=0x0 ZwWVMAddressHigh=0x00000000 ZwWVMAddressLow=0x58A60000 ZwWVMAddress=0x0
#SIZE MUST BE SIZE+1 RPMBuffer=TTTT1 RPMBufferSize=0x6 WPMBuffer=TTTT2 WPMBufferSize=0x6 ntRVMBuffer=TTTT4 ntRVMBufferSize=0x6 ntWVMBuffer=TTTT5 ntWVMBufferSize=0x6 ZwRVMBuffer=TTTT6 ZwRVMBufferSize=0x6 ZwWVMBuffer=TTTT7 ZwWVMBufferSize=0x6
Combination with other techniques
- RUNASKINVOKER: By executing the game using this options we will prevent the Anti-cheat to fully protect the game end load the driver.