kuh4it / PoC_Stripped.cpp
Last active February 4, 2024 15:32
PatchNotGuard
// you can hook syscalls without triggering KPP or PG, that's just a project for fun
PVOID DisgustingPatchGuard = Utils::FindPatternImage( KBase, "\x40\x53\x48\x83\xEC\x30\x8B\x41\x18" );
if ( !DisgustingPatchGuard )
{
Utils::ThrowException( _( "C4GE: FAILED TO FIND PATCHGUARD INITIALIZATION CONTEXT" ) );
return STATUS_INVALID_ADDRESS;
}
DisgustingPatchGuard = RVA( DisgustingPatchGuard, 7 );
if ( !DisgustingPatchGuard )
kuh4it / vgm_ctx_stripped.hpp
Last active January 26, 2024 22:05
my CPU's temperature is too high
//
// <function>
// VgmCtx::BlockSwapContextHooks()
// </function>
// <purpose>
// Prevent all vanguard TLB flushing and PML4 page remapping/copying routines in 9 lines
// by setting a thermal sensor interrupt, not registered within the IDT directly
// </purpose>
//
VOID BlockSwapContextHooks()
// DoggoHook <CDumper.hpp>
namespace Dumper {
class Instruction {
ZydisDecodedInstruction instr;
uintptr_t address;
public:
Instruction(const ZydisDecodedInstruction& instr, uintptr_t address) : instr(instr), address(address) {}
kuh4it / DriverMain.c
Created December 23, 2023 20:51
Usermode->Kernel communication using Events
#include <ntifs.h>
// Object name of the event used for the user-mode <-> kernel-mode signalling this file implements.
// NOTE(review): a "Global\" name is visible to every session; confirm the event's ACL limits who may open and signal it.
wchar_t const* EVENT_NAME = L"Global\\EventMeme";
extern "C"
NTSTATUS
DriverEntry(
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
kuh4it / Thread.c
Last active December 17, 2023 17:08
Create legit kernel system thread
//
// InterDKOM - Making magic happen
// -> Thread.c
//
NTSTATUS
InterDkom::Core::PsCreateLegitSystemThread
(OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
kuh4it / register_shot.cc
Created December 16, 2023 22:36
fortnite health/shield esp estimator (90% accurate)
//
// stripped off projectnino
// register_shot.cc: 14
//
const auto memes::etw_get_registered_shot_event[&] = ( {
this->registered_bullet.weapon_capacitor = reinterpret_cast< pawn* >( this->registered_bullet.sender )->current_weapon;
this->registered_damage = static_cast< float >( this->cached_estimated_health_and_shield - GET_DAMAGE_MULTIPLIER( ##this->registered_bullet.weapon_capacitor ) );
if ( this->cached_estimated_health_and_shield >= 205 )
this->event_register_count -= 5.0f;
return true;
kuh4it / inject.c
Created November 25, 2023 15:44
Threaded kernel-mode DLL manual mapper exploiting a vulnerable RWX section within signed memory.
//Replace Zw... functions with your own memory managing implementation
//And hide your thread (it is not needed here but makes code execution easier)
//Solution tested and working on Rust(EAC) and EFT(BE) on Windows 11 Pro 22h2
#include "util.h"
ULONG_PTR FindRwxSection(PCHAR moduleName)
{
ULONG_PTR moduleBase = GetModuleBaseAddress(moduleName);
if (moduleBase == 0)
return 0;
kuh4it / DriverImpersonator.c
Created August 27, 2023 21:31
Impersonate kernelmode drivers
#include <ntifs.h>
#include <ntddk.h>
// Local BYTE alias — presumably because the kernel headers included above do not provide it (TODO confirm against the SDK in use).
typedef unsigned char BYTE;
// C4152: "nonstandard extension, function/data pointer conversion in expression".
// NOTE(review): disabling this warning file-wide hides every function<->data pointer cast; consider scoping it with #pragma warning(push/pop) around the offending lines only.
#pragma warning(disable : 4152)
extern NTKERNELAPI NTSTATUS ObCreateObject(
IN KPROCESSOR_MODE ObjectAttributesAccessMode OPTIONAL,
IN POBJECT_TYPE ObjectType,