Hook graphics kernel subsystem
2022-06-24 16:39:00 【franket】
Today's cheats mostly use internal DirectX hooks or window overlays to visualize hidden game information. Both methods are widely documented, but a less obvious alternative is hooking the Windows graphics routines in the kernel, as we will demonstrate in this article. No public release uses a similar approach, which is a pity, because compared with an ordinary DirectX hook it is actually very easy to use and almost traceless.
dxgkrnl
The Microsoft DirectX graphics kernel subsystem, implemented in dxgkrnl.sys, is part of the DirectX Graphics Infrastructure (DXGI) device driver interface. The driver acts as an abstraction layer for each display driver, exposes various interfaces, and mediates between the user-mode implementation and the graphics card. It is a very extensive subsystem with many interesting functions; we decided to focus on D3DKMTSubmitCommand.
gdi32!D3DKMTSubmitCommand is used to submit command buffers to graphics drivers that support virtual addressing. These commands are generated entirely in user mode and are passed to the graphics driver only through the graphics kernel subsystem. Its predecessor DxgkDdiRenderKm is only used for "legacy" graphics drivers, but it also looks interesting, since it is likely to produce the same result. D3DKMTSubmitCommand takes a single argument: a pointer to a D3DKMT_SUBMITCOMMAND structure. The structure contains the GPU commands, submission flags and context data, which are of no use to us unless we want to modify the actual GPU commands.
When GDI32!D3DKMTSubmitCommand is called, it routes the call through the system call NtGdiDdDDISubmitCommand, which every Win32 driver implements (some Windows versions implement it in win32kbase, some in win32kfull) as:
Figure 1 - win32kbase!NtGdiDdDDISubmitCommand
This unusual call through a data member is actually part of a larger function table covering the whole dxgkrnl abstraction layer. The table is neither recorded in symbols nor exported from the binary, which may explain why this kind of graphics hook is so rarely used in cheats. This particular data member points to dxgkrnl!DxgkSubmitCommand, as the rest of the table illustrates (see also the x-refs):
Figure 2 - win32kbase function pointer table
This means we can simply change this data member, which is RW(!), to control the whole execution flow, which makes automatic integrity checking more difficult. After overwriting the pointer, you can draw to the screen buffer.
Why? ?
By intercepting this particular GPU call, we are fully synchronized with the actual screen update, which allows us to use GDI functions to manipulate the intermediate screen buffer. The only trace we leave when drawing to the game buffer is the obscure pointer swap, which in practice no anti-cheat checks. Note that this is CPU based, which means there is a large performance overhead, but the same hook can be used to draw with the GPU.
For the actual drawing, we can use any GDI function directly from the kernel without any problems. Here is an example that draws a simple box using the bit-pattern copy operation NtGdiPatBlt:
```cpp
// Replacement for the dxgkrnl!DxgkSubmitCommand entry in the win32kbase function table.
int64_t __fastcall dxgkrnl_hook::submit_command_hook(D3DKMT_SUBMITCOMMAND* data)
{
    // Only act on submissions coming from the target process.
    const auto current_process = IoGetCurrentProcess();
    const auto process_name = PsGetProcessImageFileName(current_process);
    if (std::memeq(process_name, dxgkrnl_hook::target_name))
    {
        // GET CONTEXT
        const auto ctx = NtUserGetDc(0x00);
        // DRAW TO GAME WINDOW BUFFER
        NtGdiPatBlt(ctx, 15, 15, 5, 5, PATCOPY);
    }
    // Forward to the original dxgkrnl!DxgkSubmitCommand.
    return dxgkrnl_hook::original_submit_command(data);
}
```
Demonstration
I have assembled a proof of concept in a GitHub repository. The repository is extracted from a larger project, which is why some of the referenced symbols are undefined; finding them is trivial, so it is left to the reader.
If you don't want to try this method yourself, this video uses exactly the same method for player boxes, demonstrating the perfect synchronization of the kernel hook we mentioned earlier.