jussihi / PUBG-map-hack

Map hack solution for PUBG
Apache License 2.0

can I write to the pubg process through the driver? #97

Closed Allen399499 closed 6 years ago

Allen399499 commented 6 years ago

hi @jussihi, is that doable? and thank you !

jussihi commented 6 years ago

In theory it is (and it will actually work too). You just need to reverse the reading process in the driver, so it will read from the usermode app and write to game (In this solution it obviously reads from game and writes to usermode app).

Allen399499 commented 6 years ago

I got it. Will try as I can. Thank you again!

huddhudd commented 6 years ago

new uWorld and Name address ???

Allen399499 commented 6 years ago

without my computer now, will find and post you later.

huddhudd commented 6 years ago

Thank you again!

Allen399499 commented 6 years ago

2.6.44.5 UWorld: 0x3A4C128 GNames: 0x394EF10 @huddhudd

gggith5b commented 6 years ago

@Allen399499 I need a little bit of help, Add me on discord, Emil#7248

Allen399499 commented 6 years ago

I got a problem. I can read an offset from PUBG and get the correct value, but when I write a different value to the SAME address and then read it out to check, the VALUE did not change. Should I put some logging in the DRIVER? Do I need two PCs and a cable to debug the KERNEL? Here is the code, thank you very much @jussihi

```cpp
else if (w_poReadStruct->ProtocolMsg == PROTO_NORMAL_WRITE) {

    // transfer the data from usermode app  to kernel
    __try
    {
        KeStackAttachProcess(hClient, &apc_state);
        ProbeForRead((CONST PVOID)w_poReadStruct->UserBufferAdress, w_poReadStruct->ReadSize, sizeof(CHAR));
        RtlCopyMemory(w_poReadStruct->UserBufferAdress, DriverBuffer, w_poReadStruct->ReadSize);
        KeUnstackDetachProcess(&apc_state);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        KeUnstackDetachProcess(&apc_state);
        NtStatus = STATUS_ABANDONED;
    }
    // transfer the data from kernel to the game

    __try
    {
        KeStackAttachProcess(hGame, &apc_state);
        ProbeForWrite((CONST PVOID)w_poReadStruct->GameAddressOffset, w_poReadStruct->ReadSize, sizeof(CHAR));

        RtlCopyMemory(w_poReadStruct->GameAddressOffset, DriverBuffer, w_poReadStruct->ReadSize);

        KeUnstackDetachProcess(&apc_state);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        KeUnstackDetachProcess(&apc_state);
        NtStatus = STATUS_ABANDONED;
    }

}

template <typename TW>
void writeType(const int64_t& w_read, TW _writeMe, const PROTO_MESSAGE& w_protoMsg) const {

    if (w_protoMsg == PROTO_NORMAL_WRITE)
    {
        readStruct rStruct{ (uint64_t)&_writeMe, 0, (uint64_t)w_read, 0, sizeof(TW), 0, (uint32_t)GetCurrentProcessId(), 0, TRUE, PROTO_NORMAL_WRITE };
        // send the struct to IOCTL
        WriteFile(m_hDriver, (LPCVOID)&rStruct, sizeof(ReadStruct), NULL, NULL);

    }

}
```

Allen399499 commented 6 years ago

I got it...

myloft commented 6 years ago

@Allen399499 Can you give me more information about using the driver to edit memory, or show me some code? I want to learn more about it. Thanks. You can add me on tg @iloft

ghost commented 5 years ago

@Allen399499 how did you fix it? I can't seem to find what's wrong. I also tried your function; any help would be appreciated.

jussihi commented 5 years ago

I personally didn't use the kernel's template-way to get around it. I used template in the userspace program, and transferred the write size of that type in the IOCTL struct.

I can try to find the kernel writing code from my old hard drive. I'll ping you guys if I find it.

ghost commented 5 years ago

I already fixed it, was some weird issue with the driver buffer. I have another question, is it possible to get PID and BASE without PsSetLoadImageNotify? Like pass it from UM to KM

jussihi commented 5 years ago

@radoradovan great!

Yes I think you can get it by using https://docs.microsoft.com/en-us/windows/desktop/ToolHelp/process-walking this, but then again I'm not sure if the process IDs in UM and KM match or not. You can try to find it out. But I think that googling this might help.

ghost commented 5 years ago

Well let’s hope they are the same, I will try it right now. thanks again for your contribution!

ghost commented 5 years ago

Sadly I can't get it to work. I always BSOD with SYSTEM_SERVICE_EXCEPTION. Could you maybe do me a sample on how to pass PID and base from UM to KM and use it in your KM driver source? I tried it for the last 2 days without success. Also, do you have somewhere I could donate, since this is a very nice contribution? Thank you.

jussihi commented 5 years ago

@radoradovan

Did you first try with some other process, for example notepad.exe, to see if the ID in kernel & userland match each other? Just print out the IDs in both UM and KM and see if they match. If they do, you should be good to go. Just remove the PE header length (IIRC), so you get the true entrypoint of the process.

Is there a specific reason why you cannot use PsGetProcessSectionBaseAddress and PsSetLoadImageNotifyRoutine in kernel?

I don't need donations, I have a job and I study at the uni so I already have money :) But thanks

jussihi commented 5 years ago

@radoradovan and if you make the writing complete, please fork the repo and create a pull request and I will merge your work to the repo. I haven't used Windows for a long time and that's why I'm not updating this anymore (another reason was that in new releases of PUBG the offsets are encrypted)

ghost commented 5 years ago

I want to avoid using callbacks since it creates another detection vector; also it's not PatchGuard safe if you manually map the driver. Process ID/base seems correct now, but somehow I get a BSOD when I try to read or write, "System_Memory_Exception" or something similar. I can upload the crash dump later, but I didn't find anything in it that leads me anywhere, sadly.

HMU if you need offsets / encryption for new PUBG

jussihi commented 5 years ago

@radoradovan does the original code work for you? If you use the original KM-way to get the baseaddress etc...? I don't know what's wrong with this, it might be also the way you are loading the driver. I remember some unofficial ways to load the driver did not support SEH (try-except...), but I think that was a problem with Turla. I used a DMA device to load the driver myself (pcileech).

So, does the writing work if you use the original way to acquire base address?

iloft commented 5 years ago

Dear all, can you please remove me from this conversation? I really don’t know why I receive these mails and don’t know what you all talking about :-)

Thank you iloft

jussihi commented 5 years ago

@iloft sorry, I think that someone has the same telegram nickname as your GitHub username, and they posted that nick here, I'm sorry about that. Please click the "mute the thread"-link in your email to stop receiving this "spam" 👍 Sorry for this.

jussihi commented 5 years ago

@radoradovan

If you have a telegram account, you can find me from there with the same username. We can continue the chat there (if you want to) and then possibly commit the final changes to the repo if needed.

ghost commented 5 years ago

Sure thing thank you, I’ve added you.
