
Hook graphics kernel subsystem

2022-06-24 16:39:00 franket

Today's cheats mainly use internal DirectX hooks or window overlays to visualize hidden game information. Both methods have been widely documented, but a less obvious alternative is to hook Windows graphics routines in the kernel, as we demonstrate in this article. No public release uses a similar approach, which is a pity, because compared with an ordinary DirectX hook it is very easy to use and leaves almost no trace.

dxgkrnl

The Microsoft DirectX graphics kernel subsystem, implemented in dxgkrnl.sys, is part of the DirectX Graphics Infrastructure (DXGI) device driver interface. The driver acts as an abstraction layer over each display driver, exposes various interfaces, and mediates between the user-mode implementation and the graphics card. It is a very extensive subsystem with many interesting functions. We decided to focus on D3DKMTSubmitCommand.

gdi32!D3DKMTSubmitCommand is used to submit command buffers to graphics drivers that support virtual addressing. These commands are generated entirely in user mode and reach the graphics driver only through the graphics kernel subsystem. Its predecessor, DxgkDdiRenderKm, is only used for "legacy" graphics drivers, but it also looks interesting, because it is likely to produce the same result. D3DKMTSubmitCommand takes a single argument: a D3DKMT_SUBMITCOMMAND structure. That structure contains the GPU commands, submission flags and context data, which are of no use to us unless we want to modify the actual GPU commands.

When gdi32!D3DKMTSubmitCommand is called, it routes the call through the system call NtGdiDdDDISubmitCommand, which is implemented in the Win32 driver (in some Windows versions in win32kbase, in others in win32kfull) as:

[Figure 1 - win32kbase!NtGdiDdDDISubmitCommand]

This unusual call through a data member is actually part of a larger function table for the whole dxgkrnl abstraction layer. The table is neither recorded in the symbols nor exported from the binary, which may explain the unusual absence of this kind of graphics use in cheats. This particular data member points to dxgkrnl!DxgkSubmitCommand, as the rest of the table illustrates (see also the x-refs):

[Figure 2 - win32kbase function pointer table]

This means we can simply overwrite this data member (the table is RW!) to take control of the whole execution flow, which makes automatic integrity checking more difficult. After overwriting the pointer, we can draw to the screen buffer.
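As an added illustration of the integrity check that the text says is hard to automate here (this is not code from the original post), the following C program models the check a defender would run over such a dispatch table: every entry must resolve into the dxgkrnl.sys image range, and an entry that does not is attributed to whichever loaded image contains it, or to none at all. The table contents, image names, bases and sizes are constructed placeholders; locating the real table and the loaded image ranges is assumed to be done elsewhere.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Address range of a loaded kernel image (values below are constructed). */
typedef struct { const char *name; uint64_t base, size; } image_range;

static bool in_image(uint64_t p, const image_range *img)
{
    return p >= img->base && p < img->base + img->size;
}

/* Name the loaded image that contains p, or report that it lies outside all
 * of them, which is what a pointer redirected into pool memory looks like. */
const char *classify_pointer(uint64_t p, const image_range *imgs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (in_image(p, &imgs[i]))
            return imgs[i].name;
    return "outside all loaded images";
}

/* Every entry of the table must resolve into `expected`. Returns how many do
 * not (a null entry counts as bad) and stores up to bad_cap offending indices. */
size_t check_dispatch_table(const uint64_t *table, size_t count,
                            const image_range *expected,
                            size_t *bad, size_t bad_cap)
{
    size_t n = 0;
    for (size_t i = 0; i < count; i++) {
        if (table[i] != 0 && in_image(table[i], expected))
            continue;
        if (n < bad_cap)
            bad[n] = i;
        n++;
    }
    return n;
}

/* Constructed sample: a four-entry table that should point into dxgkrnl.sys;
 * entry 2 has been swapped for an address outside every loaded image. */
static const image_range images[] = {
    { "dxgkrnl.sys",    0xFFFFF80600000000ULL, 0x400000 },
    { "win32kbase.sys", 0xFFFFF80700000000ULL, 0x200000 },
};
static const uint64_t sample_table[] = {
    0xFFFFF80600012340ULL, 0xFFFFF806000A5000ULL,
    0xFFFFF80600A00010ULL, 0xFFFFF80600200010ULL,
};
```

For the constructed table, check_dispatch_table reports one bad entry (index 2) and classify_pointer places it outside every loaded image.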

Why?

By intercepting this particular GPU call we are fully synchronized with the actual screen update, which lets us use GDI functions to manipulate the intermediate screen buffer. The only trace our drawing leaves in the game buffer is the obscure pointer swap, which in practice no anti-cheat checks. Note that this is CPU based, which means a large performance overhead, but you can draw with the GPU from the same hook.

To actually draw, we can use any GDI function directly from the kernel without any problem! This is an example that draws a simple box using the bit-block copy NtGdiPatBlt:

// Replacement for the dxgkrnl!DxgkSubmitCommand entry in the win32k table.
// The saved original entry is dxgkrnl_hook::original_submit_command;
// std::memeq and target_name are helpers from the author's larger project.
int64_t __fastcall dxgkrnl_hook::submit_command_hook(D3DKMT_SUBMITCOMMAND* data)
{
	// Only act when the submitting process is the target game
	const auto current_process = IoGetCurrentProcess();
	const auto process_name = PsGetProcessImageFileName(current_process);

	if (std::memeq(process_name, dxgkrnl_hook::target_name))
	{
		// GET CONTEXT: a screen DC (NULL window) for the current session
		const auto ctx = NtUserGetDc(0x00);

		// DRAW TO GAME WINDOW BUFFER: a 5x5 box at (15, 15) with PATCOPY
		NtGdiPatBlt(ctx, 15, 15, 5, 5, PATCOPY);
	}

	// Forward to the original routine so the command buffer is still submitted
	return dxgkrnl_hook::original_submit_command(data);
}

Demonstration

I have assembled a proof of concept in a GitHub repository. The repository is extracted from a larger project, which is why some of the referenced symbols are undefined; finding them is trivial and left to the reader.

If you don't want to try this method yourself, this video uses exactly the same method for player boxes, demonstrating the perfect synchronization of the kernel hook mentioned earlier.


Copyright notice
This article was written by [franket]; please include the original link when reposting. Thank you.
https://yzsam.com/2021/04/20210413153912856a.html