A driver to implement IOCTL hooking
Warning: work in progress
<\ _
\\ _/{
_ \\ _- -_
/{ / `\ _- - -_
_~ = ( @ \ - - -_
_- - ~-_ \( =\ \ - -_
_~ - ~_ | 1 :\ \ _-~-_ - -_
_- - ~ |V: \ \ _-~ ~-_- -_
_-~ - / | : \ \ ~-_- -_
_-~ - _.._ { | : _-`` ~- _-_
_-~ -__..--~ ~-_ { : \:}
=~__.--~~ ~-_\ : /
\ : /__
//`Y'--\\ = IOCTL
<+ \\
\\ WWW
MMM
CheatController.exe -load
>>>> Cheat Console:
1 List Modules
2 Select Module
3 List Hooks
4 Place Hook (inserts into the list; TODO: actually set the hook)
5 Kernel Memory Read (TODO)
6 Kernel Memory Write (TODO)
0 Exit
- Search for existing modules
- Select module by ID
- List Hooks
- Add a new hook to the selected module (TODO: implement control for the hook)
- TODO: read memory
- TODO: write memory
Tested on Windows 10 build 17763.rs5 with test signing enabled, which lets the test-signed driver load:
bcdedit /set testsigning on
Command to add the driver's certificate to the local machine root store:
certmgr.exe /add CheatDriver.cer /s /r localMachine root
The driver uses a generic hook structure to describe the jmp it instruments:
/*
 * Hook descriptor for one instrumented function.
 *
 * Field notes come from this README's own comments and the example usage
 * below; where neither documents a field, the meaning is marked as an
 * assumption to confirm against the driver sources.
 *
 * NOTE(review): if this structure is filled in by CheatController.exe and
 * handed to the driver over IOCTL, every field must be treated as untrusted
 * input: CustomHookLen must not exceed sizeof(CustomHookBuffer), and
 * CustomHookAddrOffset (plus the width of whatever is patched in at that
 * offset) must lie within CustomHookLen, before any bytes are copied or written.
 */
typedef struct _CD_HOOK_OFFSET_STRUCT {
    DWORD64 EntryAddr;              // start of func (address of the hooked function)
    DWORD64 ReturnAddr;             // return address
    DWORD64 JumpAddr;               // NOTE(review): not documented here; presumably the jmp destination — confirm
    CdHookStatus HookStatus;        // if established (CdHookStatus is defined elsewhere, not on this page)
    BOOLEAN IsCustomHook;           // NOTE(review): the example sets TRUE when it fills CustomHookBuffer — confirm semantics
    UCHAR CustomHookBuffer[256];    // Assembly data to write; fixed 256-byte capacity
    DWORD32 CustomHookLen;          // bytes of CustomHookBuffer in use; must never exceed 256
    DWORD32 CustomHookAddrOffset;   // Offset of custom hookbuffer (NOTE(review): presumably where the driver patches an address into the buffer; the example uses 2 — confirm)
} CD_HOOK_OFFSET_STRUCT, * PCD_HOOK_OFFSET_STRUCT;
Example Usage:
// Example: populate a hook descriptor by hand. All addresses are dummy values.
// NOTE(review): the example accesses newHook.Hook.*, so CD_HOOK_STRUCT
// presumably embeds a CD_HOOK_OFFSET_STRUCT as its Hook member; that outer
// type is not shown on this page — confirm against the driver headers.
CD_HOOK_STRUCT newHook = { };
// Byte pattern the hook writes. Because it is a string literal, sizeof(JUMP_RAX)
// is 13: the 12 escaped bytes plus the implicit terminating '\0'.
UCHAR JUMP_RAX[] = "\x48\xB8\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xE0";
// This is a test; the addresses are dummy values.
// NOTE(review): the comments below say "physical address". Since the hook
// instruments a jmp, these are presumably absolute virtual addresses in the
// target's address space rather than physical ones — confirm the intended meaning.
newHook.Hook.EntryAddr = 0x1234; // This should be physical address not an offset
newHook.Hook.JumpAddr = 0x4567; // This should be physical address not an offset
newHook.Hook.ReturnAddr = 0x9123; // This should be physical address not an offset
newHook.Hook.IsCustomHook = TRUE;
// Copies all 13 bytes, including the terminator, into the 256-byte buffer.
memcpy(newHook.Hook.CustomHookBuffer, JUMP_RAX, sizeof(JUMP_RAX));
// NOTE(review): this records 13, one more than the 12 instruction bytes. If the
// driver treats CustomHookLen as the exact patch length this is off by one
// (sizeof(JUMP_RAX) - 1 would be exact) — confirm how the driver consumes it.
newHook.Hook.CustomHookLen = sizeof(JUMP_RAX);
// Offset within CustomHookBuffer. The example uses 2, the start of the eight
// zero bytes in JUMP_RAX; presumably the driver patches an address there — confirm.
newHook.Hook.CustomHookAddrOffset = 2;