-
Notifications
You must be signed in to change notification settings - Fork 140
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Admin
authored and
Admin
committed
Oct 19, 2019
1 parent
cdcd8b7
commit 066f4b6
Showing
12 changed files
with
725 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
|
|
||
| Microsoft Visual Studio Solution File, Format Version 12.00 | ||
| # Visual Studio 15 | ||
| VisualStudioVersion = 15.0.28010.2016 | ||
| MinimumVisualStudioVersion = 10.0.40219.1 | ||
| Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dxgkrnl_hook", "dxgkrnl_hook\dxgkrnl_hook.vcxproj", "{11ADF42E-392F-4AA8-86B6-484120E7A540}" | ||
| EndProject | ||
| Global | ||
| GlobalSection(SolutionConfigurationPlatforms) = preSolution | ||
| Debug|ARM = Debug|ARM | ||
| Debug|ARM64 = Debug|ARM64 | ||
| Debug|x64 = Debug|x64 | ||
| Debug|x86 = Debug|x86 | ||
| Release|ARM = Release|ARM | ||
| Release|ARM64 = Release|ARM64 | ||
| Release|x64 = Release|x64 | ||
| Release|x86 = Release|x86 | ||
| EndGlobalSection | ||
| GlobalSection(ProjectConfigurationPlatforms) = postSolution | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Debug|ARM.ActiveCfg = Debug|ARM | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Debug|ARM.Build.0 = Debug|ARM | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Debug|ARM.Deploy.0 = Debug|ARM | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Debug|ARM64.ActiveCfg = Debug|ARM64 | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Debug|ARM64.Build.0 = Debug|ARM64 | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Debug|ARM64.Deploy.0 = Debug|ARM64 | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Debug|x64.ActiveCfg = Debug|x64 | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Debug|x64.Build.0 = Debug|x64 | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Debug|x64.Deploy.0 = Debug|x64 | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Debug|x86.ActiveCfg = Debug|Win32 | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Debug|x86.Build.0 = Debug|Win32 | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Debug|x86.Deploy.0 = Debug|Win32 | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Release|ARM.ActiveCfg = Release|ARM | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Release|ARM.Build.0 = Release|ARM | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Release|ARM.Deploy.0 = Release|ARM | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Release|ARM64.ActiveCfg = Release|ARM64 | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Release|ARM64.Build.0 = Release|ARM64 | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Release|ARM64.Deploy.0 = Release|ARM64 | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Release|x64.ActiveCfg = Release|x64 | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Release|x64.Build.0 = Release|x64 | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Release|x64.Deploy.0 = Release|x64 | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Release|x86.ActiveCfg = Release|Win32 | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Release|x86.Build.0 = Release|Win32 | ||
| {11ADF42E-392F-4AA8-86B6-484120E7A540}.Release|x86.Deploy.0 = Release|Win32 | ||
| EndGlobalSection | ||
| GlobalSection(SolutionProperties) = preSolution | ||
| HideSolutionNode = FALSE | ||
| EndGlobalSection | ||
| GlobalSection(ExtensibilityGlobals) = postSolution | ||
| SolutionGuid = {F1E0558A-0FD8-4345-AB49-0A7D8364779D} | ||
| EndGlobalSection | ||
| EndGlobal |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| /*++ | ||
| Module Name: | ||
| device.h | ||
| Abstract: | ||
| This file contains the device definitions. | ||
| Environment: | ||
| Kernel-mode Driver Framework | ||
| --*/ | ||
|
|
||
| #include "public.h" | ||
|
|
||
| EXTERN_C_START | ||
|
|
||
| // | ||
| // The device context performs the same job as | ||
| // a WDM device extension in the driver frameworks | ||
| // | ||
| typedef struct _DEVICE_CONTEXT | ||
| { | ||
| ULONG PrivateDeviceData; // just a placeholder | ||
|
|
||
| } DEVICE_CONTEXT, *PDEVICE_CONTEXT; | ||
|
|
||
| // | ||
| // This macro will generate an inline function called DeviceGetContext | ||
| // which will be used to get a pointer to the device context memory | ||
| // in a type safe manner. | ||
| // | ||
| WDF_DECLARE_CONTEXT_TYPE_WITH_NAME(DEVICE_CONTEXT, DeviceGetContext) | ||
|
|
||
| // | ||
| // Function to initialize the device and its callbacks | ||
| // | ||
| NTSTATUS | ||
| dxgkrnlhookCreateDevice( | ||
| _Inout_ PWDFDEVICE_INIT DeviceInit | ||
| ); | ||
|
|
||
| EXTERN_C_END |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| /*++ | ||
| Module Name: | ||
| driver.h | ||
| Abstract: | ||
| This file contains the driver definitions. | ||
| Environment: | ||
| Kernel-mode Driver Framework | ||
| --*/ | ||
|
|
||
| #include <ntddk.h> | ||
| #include <wdf.h> | ||
| #include <initguid.h> | ||
|
|
||
| #include "device.h" | ||
| #include "queue.h" | ||
| #include "trace.h" | ||
|
|
||
| EXTERN_C_START | ||
|
|
||
| // | ||
| // WDFDRIVER Events | ||
| // | ||
|
|
||
| DRIVER_INITIALIZE DriverEntry; | ||
| EVT_WDF_DRIVER_DEVICE_ADD dxgkrnlhookEvtDeviceAdd; | ||
| EVT_WDF_OBJECT_CONTEXT_CLEANUP dxgkrnlhookEvtDriverContextCleanup; | ||
|
|
||
| EXTERN_C_END |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| /*++ | ||
| Module Name: | ||
| public.h | ||
| Abstract: | ||
| This module contains the common declarations shared by driver | ||
| and user applications. | ||
| Environment: | ||
| user and kernel | ||
| --*/ | ||
|
|
||
| // | ||
| // Define an Interface Guid so that apps can find the device and talk to it. | ||
| // | ||
|
|
||
| DEFINE_GUID (GUID_DEVINTERFACE_dxgkrnlhook, | ||
| 0x517caa08,0xa850,0x475a,0x9f,0xa6,0x69,0xf5,0x03,0x20,0x72,0x27); | ||
| // {517caa08-a850-475a-9fa6-69f503207227} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| /*++ | ||
| Module Name: | ||
| queue.h | ||
| Abstract: | ||
| This file contains the queue definitions. | ||
| Environment: | ||
| Kernel-mode Driver Framework | ||
| --*/ | ||
|
|
||
| EXTERN_C_START | ||
|
|
||
| // | ||
| // This is the context that can be placed per queue | ||
| // and would contain per queue information. | ||
| // | ||
| typedef struct _QUEUE_CONTEXT { | ||
|
|
||
| ULONG PrivateDeviceData; // just a placeholder | ||
|
|
||
| } QUEUE_CONTEXT, *PQUEUE_CONTEXT; | ||
|
|
||
| WDF_DECLARE_CONTEXT_TYPE_WITH_NAME(QUEUE_CONTEXT, QueueGetContext) | ||
|
|
||
| NTSTATUS | ||
| dxgkrnlhookQueueInitialize( | ||
| _In_ WDFDEVICE Device | ||
| ); | ||
|
|
||
| // | ||
| // Events from the IoQueue object | ||
| // | ||
| EVT_WDF_IO_QUEUE_IO_DEVICE_CONTROL dxgkrnlhookEvtIoDeviceControl; | ||
| EVT_WDF_IO_QUEUE_IO_STOP dxgkrnlhookEvtIoStop; | ||
|
|
||
| EXTERN_C_END |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| /*++ | ||
| Module Name: | ||
| Trace.h | ||
| Abstract: | ||
| Header file for the debug tracing related function defintions and macros. | ||
| Environment: | ||
| Kernel mode | ||
| --*/ | ||
|
|
||
| // | ||
| // Define the tracing flags. | ||
| // | ||
| // Tracing GUID - b7f375fa-435f-4345-82c9-6945e2268c1c | ||
| // | ||
|
|
||
| #define WPP_CONTROL_GUIDS \ | ||
| WPP_DEFINE_CONTROL_GUID( \ | ||
| dxgkrnlhookTraceGuid, (b7f375fa,435f,4345,82c9,6945e2268c1c), \ | ||
| \ | ||
| WPP_DEFINE_BIT(MYDRIVER_ALL_INFO) \ | ||
| WPP_DEFINE_BIT(TRACE_DRIVER) \ | ||
| WPP_DEFINE_BIT(TRACE_DEVICE) \ | ||
| WPP_DEFINE_BIT(TRACE_QUEUE) \ | ||
| ) | ||
|
|
||
| #define WPP_FLAG_LEVEL_LOGGER(flag, level) \ | ||
| WPP_LEVEL_LOGGER(flag) | ||
|
|
||
| #define WPP_FLAG_LEVEL_ENABLED(flag, level) \ | ||
| (WPP_LEVEL_ENABLED(flag) && \ | ||
| WPP_CONTROL(WPP_BIT_ ## flag).Level >= level) | ||
|
|
||
| #define WPP_LEVEL_FLAGS_LOGGER(lvl,flags) \ | ||
| WPP_LEVEL_LOGGER(flags) | ||
|
|
||
| #define WPP_LEVEL_FLAGS_ENABLED(lvl, flags) \ | ||
| (WPP_LEVEL_ENABLED(flags) && WPP_CONTROL(WPP_BIT_ ## flags).Level >= lvl) | ||
|
|
||
| // | ||
| // WPP orders static parameters before dynamic parameters. To support the Trace function | ||
| // defined below which sets FLAGS=MYDRIVER_ALL_INFO, a custom macro must be defined to | ||
| // reorder the arguments to what the .tpl configuration file expects. | ||
| // | ||
| #define WPP_RECORDER_FLAGS_LEVEL_ARGS(flags, lvl) WPP_RECORDER_LEVEL_FLAGS_ARGS(lvl, flags) | ||
| #define WPP_RECORDER_FLAGS_LEVEL_FILTER(flags, lvl) WPP_RECORDER_LEVEL_FLAGS_FILTER(lvl, flags) | ||
|
|
||
| // | ||
| // This comment block is scanned by the trace preprocessor to define our | ||
| // Trace function. | ||
| // | ||
| // begin_wpp config | ||
| // FUNC Trace{FLAGS=MYDRIVER_ALL_INFO}(LEVEL, MSG, ...); | ||
| // FUNC TraceEvents(LEVEL, FLAGS, MSG, ...); | ||
| // end_wpp | ||
| // |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| #include "dxgkrnl_hook.hpp" | ||
|
|
||
| bool dxgkrnl_hook::is_hooked = false; | ||
|
|
||
| dxgkrnl_hook::dxgk_submit_command_t dxgkrnl_hook::original_submit_command = nullptr; | ||
| dxgkrnl_hook::dxgk_submit_command_t* dxgkrnl_hook::original_entry = nullptr; | ||
|
|
||
| bool dxgkrnl_hook::hook_submit_command() | ||
| { | ||
| // SAVE ORIGINAL ENTRY | ||
| dxgkrnl_hook::original_entry = dxgkrnl_hook::find_submit_command_entry(); | ||
|
|
||
| if (dxgkrnl_hook::original_entry == nullptr) | ||
| { | ||
| DbgPrint("Failed to find NtGdiDdDDISubmitCommand\n"); | ||
| return false; | ||
| } | ||
|
|
||
| // SAVE ORIGINAL FUNCTION POINTER | ||
| dxgkrnl_hook::original_submit_command = *dxgkrnl_hook::original_entry; | ||
|
|
||
| if (dxgkrnl_hook::original_submit_command == nullptr) | ||
| { | ||
| DbgPrint("Failed to find DxgkSubmitCommand\n"); | ||
| return false; | ||
| } | ||
|
|
||
| // HOOK | ||
| *dxgkrnl_hook::original_entry = dxgkrnl_hook::submit_command_hook; | ||
|
|
||
| // SAVE STATE | ||
| dxgkrnl_hook::is_hooked = true; | ||
|
|
||
| DbgPrint("Hooked DxgkSubmitCommand!\n"); | ||
|
|
||
| return true; | ||
| } | ||
|
|
||
| bool dxgkrnl_hook::unhook_submit_command() | ||
| { | ||
| if (!dxgkrnl_hook::is_hooked) | ||
| return false; | ||
|
|
||
| // UNHOOK | ||
| *dxgkrnl_hook::original_entry = dxgkrnl_hook::original_submit_command; | ||
|
|
||
| DbgPrint("Unhooked DxgkSubmitCommand!\n"); | ||
|
|
||
| return true; | ||
| } | ||
|
|
||
| dxgkrnl_hook::dxgk_submit_command_t* dxgkrnl_hook::find_submit_command_entry() | ||
| { | ||
| uint8_t* submit_command_address = reinterpret_cast<uint8_t*>(NtGdiDdDDISubmitCommand); | ||
|
|
||
| // FIND MOV INSTRUCTION | ||
| auto instruction = submit_command_address; | ||
| for (; | ||
| instruction[0] != 0x48 || | ||
| instruction[1] != 0x8B || | ||
| instruction[2] != 0x05; | ||
| instruction++) | ||
| { | ||
| //:) | ||
| } | ||
|
|
||
| // mov rax,QWORD PTR [rip+0x????????] | ||
| // 48 8B 05 ?? ?? ?? ?? | ||
| auto delta = *reinterpret_cast<int32_t*>(instruction + 3); | ||
| auto result = reinterpret_cast<dxgkrnl_hook::dxgk_submit_command_t*>(instruction + delta + 7); | ||
|
|
||
| DbgPrint("DxgkSubmitCommand: %p\n", result); | ||
|
|
||
| return result; | ||
| } | ||
|
|
||
| int64_t __fastcall dxgkrnl_hook::submit_command_hook(D3DKMT_SUBMITCOMMAND * data) | ||
| { | ||
| const auto current_process = IoGetCurrentProcess(); | ||
| const auto process_name = PsGetProcessImageFileName(current_process); | ||
|
|
||
| if (memeq(process_name, dxgkrnl_hook::target_name)) | ||
| { | ||
| // GET CONTEXT | ||
| const auto ctx = NtUserGetDc(0x00); | ||
|
|
||
| // DRAW TO GAME WINDOW BUFFER | ||
| NtGdiPatBlt(ctx, 15, 15, 5, 5, PATCOPY); | ||
| } | ||
|
|
||
| return dxgkrnl_hook::original_submit_command(data); | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| #pragma once | ||
|
|
||
| namespace dxgkrnl_hook | ||
| { | ||
| extern bool is_hooked; | ||
|
|
||
| constexpr auto target_name = "RainbowSix.exe"; | ||
|
|
||
| // HOOKERS | ||
| bool hook_submit_command(); | ||
| bool unhook_submit_command(); | ||
|
|
||
| // HOOK INFO | ||
| using dxgk_submit_command_t = int64_t(__fastcall*)(D3DKMT_SUBMITCOMMAND* data); | ||
| extern dxgk_submit_command_t original_submit_command; | ||
| extern dxgk_submit_command_t* original_entry; | ||
|
|
||
| // NATIVE HELPERS | ||
| dxgkrnl_hook::dxgk_submit_command_t* find_submit_command_entry(); | ||
|
|
||
| // HOOK HANDLER | ||
| int64_t __fastcall submit_command_hook(D3DKMT_SUBMITCOMMAND* data); | ||
| } |
Oops, something went wrong.