Making A Kernel Cheat - Part 3/3 - Drawing ESP
FULL TRANSCRIPT
Thank you guys so much for 10,000 subscribers. I genuinely didn't even think I would actually hit that number. When I was around seven to eight thousand, on Discord I made my name "next video at 10k" because I thought I'm never gonna hit that, so I'm just gonna like quit YouTube and that's it. Here we are: you guys actually kept subscribing even though I haven't uploaded a proper video for like almost a year. We still hit 10,000 subscribers, and thank you so much, um, it really means a lot. It shows me that you guys actually enjoy my videos. If you have any video ideas, leave a comment down below. Once again, thank you so much for 10,000 subscribers. I'm really grateful for it, it means a lot. Enjoy this video.
What's going on guys, this is going to be the last episode of the kernel series. We're basically just going to draw ESP from our kernel driver; we're just going to implement, uh, the WinGDI functions in our driver. So, basically a quick rundown on WinGDI: it stands for Windows Graphics Driver Interface, so it's just a programming interface, core operating system component, and it lets you just output to your screen. So what can we use that for? We can draw lines, curves, boxes and text. In this video we're focusing on the boxes, but you can follow the same steps in this video to implement DrawText or lines or whatever you want.

Drawing a box: so in user mode you can just use the function FrameRect, and that's going to basically just draw a box on your screen. Now we can't exactly call this function from our kernel driver, so how are we going to do it? Well, we're going to look at what this function actually does, and this is from ReactOS. As you can see, all this function does is it selects the brush that you want to use to draw, and then it calls this function PatBlt to draw the rectangle. The first thing it does is it saves the current brush before drawing, and then once it's done drawing with the brush you want, it sets it back to the old brush. So the next thing we need to do is just look at these functions here, SelectObject and PatBlt, and see if we can call them from the kernel.

A way we can do this is, shout out to this guy, no idea how to say his name but I'm just going to say "guru", we're going to look at the Windows syscalls. Now I usually use his website but it's down at the moment, so I'm going to use this GitHub. Now this might look a little familiar: we did use this in part one when we were looking for a function to hook, but now we're just looking at functions to export and call. So what this is is it's just a bunch of syscalls from the win32k driver, and the reason we're interested in this one is because it stores a bunch of the graphics syscalls for the GDI. So what we can do is we can just Ctrl+F and look for the functions that we're interested in. I was looking at GetDC before, don't worry about that.

Before we get into this I just want to say head over to my Patreon, it'll be linked below, patreon.com/nullterminator. Five dollars a month, you get access to the source code from this video and all the other videos on my channel, and recently I've been uploading the compiled files as well, so for the kernel cheat tutorial, for part one and two, you can just have access to the files straight away. You can check out the code as well; you'll have all the source code.

So this is all you've got to do: just search the function you want to look at and then just "reactos" and it'll pop up here. So here's the code for FrameRect. The first function I want to look at is SelectObject. Now I don't really care about this line because I'm just going to delete this line, but we do need this one because we need to set it to the brush that we want. So it takes in the HDC, which is a handle to the device context, and it takes in the object that you want to select. Okay, now what this function does is it just has a switch case and it just looks for which type of object you're trying to select, but in this case, since we're just implementing FrameRect, we're trying to select a brush. So let's see what would happen: so it checks what handle type it is, it's not a region type, not a bitmap, it's a brush type, and of course this function SelectBrush. So let's just do this function. So this one is a bit more specific, nice, takes in HDC and a brush, which is exactly what we want, so we'd probably just want to call this function anyway. But let's look at the syscalls and check if SelectObject is in there, and, uh, it's not in here, so let's look at SelectBrush. Okay, so SelectBrush is in here, so that means we can export it and call it from our kernel driver.

The next function we're going to need is this thing, PatBlt. Same as SelectObject, we're just going to check if it's in here, and if it is then we can just call it directly, otherwise... oh, it is in here. So we can export, um, select, not SelectObject, we can export SelectBrush and replace SelectObject with SelectBrush because it's doing the same thing, and then we can just export PatBlt as well to do this part.

So let's, um, implement this in the code. I'm using the same project from part one and two; I just downloaded this from my Patreon because I'm pretty sure I've lost the original project, but anyway. I'm just having a quick look through here and there's a couple of things I want to change. Um, I don't know why I did this "not equal default", it should be something like this. I'm not even doing else ifs, I'm just doing if statements; it could do three operations in one call, which is not how it's designed, it's meant to be one operation per call. So I'm just going to add the else ifs here to make it safer, because you don't really want to just request the base but then it ends up writing some random bit of memory or whatnot. Anyway, all right, great.
So how do we actually implement this into our code and export these functions? So all you want to do is, let's start with SelectBrush. So you just copy this part here, paste it into the code, and you want to just add a bit: so you want to say typedef, I don't think that matters, do this, this, and then you want to add a semicolon right there, man, and that's it. So now we have a typedef for the function. We had another function, PatBlt, so copy this. I'm pretty sure this is x, y, width, height, yeah, so I'm pretty sure that's right, and then the last one, the DWORD. Cool. No, okay. So we're just going to do the same thing, typedef, and get rid of this. Okay, great.

So we need to export another function to actually get the device context, and the way you do it in user mode is with GetDC. So the first thing we want to check is if there's just a kernel function we can export that does it for us, but if there isn't, then that's when you want to go in ReactOS, look at the user mode function and see what kernel functions it calls, and you're going to have to basically just replicate the user mode function in kernel, right, and call the functions it's calling by exporting those specific functions. Luckily there's a syscall that we can just export and call, so it's going to be NtUserGetDC. So this is it in ReactOS; I clicked on it just to get this side here that we can just copy and paste, and we're just gonna have to do this typedef thing again, just like that. So we have SelectBrush, uh, PatBlt and GetDC.

Let's see if we need any more. Okay, yeah, so we're going to need to create the brush as well, which doesn't show up here, but it requires a brush as a parameter. So the way you do it in WinGDI is you just CreateBrush, so I'm just going to search "create", first I'm going to search "brush", so I don't know what it's called exactly, so I'm just going to go through all of these, and there we go. So we see CreateSolidBrush, which is just the kernel, uh, syscall that we can export. So since we can export it, I'm going to search it in ReactOS, um, this one, and then we just copy this. I'm sorry if this is a little all over the place; I usually have like a second monitor to keep me on track with like notes and stuff. I don't have that anymore and I'm kind of just doing this on the fly.

So we've got SelectBrush, PatBlt, GetDC, CreateBrush. Let's just triple check, make sure we're not missing any other function. So we can get the DC, the rectangle is just, uh, we create our own rectangle, we can create the brush, we can select the brush, and we can draw the actual rectangle. Okay, I think that's it. So it returns an int and it takes this, so I'm just honestly just gonna, oh my god, now I'm just gonna add the function in this namespace here. So I'm gonna copy that, uh, do the, um, get rid of this, there you go dude, copy that again, go down here, paste it, add this, all right, cool. Now we can just paste this code into here. We're going to add our own parameter here for the thickness, delete this line, replace SelectObject with SelectBrush, replace PatBlt with NtPatBlt, and lastly replace the one with the thickness parameter, and there we go: our own FrameRect function.
The video you've just been watching was recorded a week ago. After that point I kind of ran into some problems when I was trying to get this to work, but I've solved those issues. It's a week later and I'm going to finish off the video.

The function hooking: for some reason, when you hook that function and then you open like Google Chrome, it blue screens your computer. But the way I fixed it is just by hooking a different function. Everything else is the same, you just change the function name here; you can copy the one I'm using here, it'll work perfectly fine. It also comes up in the syscall table that we've been using here. I'm pretty sure these other functions around it will work as well, they're very similar. So that fixes the blue screen.

Next problem: for some reason win32k doesn't come up in this module list, so we're gonna have to make another module export function that can actually find the base address of the win32k modules. So we need to make a function that's going to get a routine address, and it takes in the routine name. That's going to be a really short function. We need a Unicode string, and we're basically just going to convert the parameter into a Unicode string, and we're converting it to Unicode so that we can pass that into this function here, and that'll work. So that's the function there.

Next we're going to pretty much make a new version of this function here, so I'm going to copy this, paste it, and this needs to be a WSTR again. Well, we can delete all this. If you want more information on what I'm about to do here, you can check out this great write-up here. There's two different write-ups. This first one has a bunch of information on a lot of Windows internals and other things like that; I'll link it in the description. We're looking at how to get kernel module addresses. So the method we've been using is similar to this method that he puts here, the query system information method, but this wasn't working for me because win32k wasn't coming up for me. It says it works for him, but it wasn't working. I just switched over to another method down here, which is the PsLoadedModuleList method. Uh, we're going to be doing it a similar way to this, but I just wanted to give credit to this guy because this is where I learned about this. This second write-up here goes into a lot more detail if you really want to understand what's happening. So this gives a nice visualization of the module list, and it also goes into depth with the kernel debugging.

Okay, great, so let's start putting it into code. The first thing we're going to need is the module list, and we're going to get it using a little function that we coded up here, and we want to say PsLoadedModuleList. Awesome, so that's how you get the module list. I'm going to quickly check if that pointer is valid. Now that we have the list, how do we actually traverse it? So basically the way we're going to loop this is going to look a little different if you haven't worked with doubly linked lists before. We're basically just going to say: while we're not at the end of the list, just go to the next link in the list. So we're going to create a new variable here, it's going to be a PLIST_ENTRY, and that's going to be the link, and we're going to start at the top of the list, and we want to say while it's not the bottom of the list, it's going to be Flink, equal the next element in the list, right, but while we're not at the bottom, keep going through the list. So now that we're in the list, okay, that's going to be the entry, and we want to use CONTAINING_RECORD at link, it's going to be a data table entry, and we want to do the first field, so this one right here, just like that. Now that we have the entry we can check if it's the right module. We're going to need another Unicode string here, and it's going to be the module name, and we're going to be comparing the entry's BaseDllName, so that's going to be the module name, right, with the one we're looking for, and we want it to be case sensitive. So if they match, we're returning the base address. Oh, so if the base is valid we're going to export the routine, pass the base and then the routine name we're looking for, otherwise, if the DllBase is null.
Now that we have these export functions that we can use, head over to our hook.cpp. I've already got the, I just recorded this by the way, my computer crashed and I lost the recording, so I'm doing it again. So some of the code is still here, but we're going to have to create the function variables, right, using the typedefs that we created earlier, and you just want to set it to null initially here. I guess just pause the video and copy this out. But what we're going to do is we're going to actually use the export functions in our call kernel function here, so this is where we set the hook, and because this only runs once, I'm gonna put this code in here as well, because we only want it to run once so we can set our function addresses. Now the way we're going to do this is by setting the function address: we want to typecast the return of our function that we just created, so it gets the module export, and you want to make sure you're passing a WSTR so it uses the right function, because if you don't use this L here, it's going to go to the other version here. So you see we have two versions with the same name, so make sure that's a WSTR. For SelectBrush, it's in win32kfull. If you want to know which module it's in, you can just use WinDbg: you can load win32kfull and win32kbase and then search for whatever function you're looking for. So if you're looking for SelectBrush, you just search SelectBrush in WinDbg and it'll tell you which module it's in. It'll be something like this, exclamation mark and then like SelectBrush or whatever the function name is. That's going to be the module, and then we want to put the routine name, which is going to be like this, with Nt at the start, I think. So now we need to do this exact same thing with all the other functions. I'm just going to edit that for you. This is CreateSolidBrush, PatBlt, GetDC, ReleaseDC and DeleteObjectApp. So I just realized I've added these two functions here, um, when I was fixing the code, so I think you guys won't have these typedefs here, so I'll show you guys the typedefs. You can go on ReactOS, search these functions here if you want to get the function definitions like that, or just pause the video and copy these two typedefs here. These are the typedefs for the two functions, so we're gonna need these two functions, um, to release the HDC, our device context handle, and this is going to be to delete the handle to the brush that we create.

Now we can use them in our hook. We just scroll down here and we're going to add another if statement, and we're going to say if we want to draw a box, we're going to use these functions here. So we're going to need a new boolean and some ints in our struct here, so you want to add a boolean drawBox, and you want to add rgb, x, y, width, height and thickness as ints, and we're going to need these to draw the actual box. The first thing we're going to have to do is get the HDC using our exported function, and we pass null in there so that we get the device context for the whole screen, the entire monitor, so we can draw anywhere we want. I'm going to quickly check if this handle is valid, and if it's not, unsuccessful. Next we need, uh, the brush. We're going to use CreateSolidBrush; you want to pass RGB, which is a macro, this is defined in wingdi.h, so make sure you include that. It's got r, g, b and it's from 0 to 255, okay, so we wanna pass our instructions for r, g and b, and then you wanna pass null. Once again I'm going to check if the brush is a valid handle, just like that. Now we can actually draw the rectangle. Oh, well, we actually need to create the rectangle first, and that's going to be the x, y, the x plus the width, and then it's the y plus the height. Now we can call FrameRect with HDC plus the rectangle, the brush and the thickness. But now we've drawn the rectangle, we just need to release the HDC and the brush, and we do this using the new exports that we've added, and you want to pass brush for the DeleteObjectApp, and that's it.
That should be it for the driver. Now we want to head over to the user mode program and we need to create a function to draw the box. So it's going to be the same as these other functions that we have here; it's going to be called drawBox and it's going to take, uh, quite a few parameters: it's going to take the x, y, width, height, thickness, r, g and b. We don't need these two, don't need these two either. Also I forgot to mention, um, since we changed the struct, we need to copy it and paste it into the user mode one. You want to make sure that the struct is the exact same in the user mode program and the driver. You also want to make sure in the user mode program that you change the function name as well, otherwise it's not going to work. You're going to make sure this function name matches the one in the driver, and up here. Okay, great, so the struct matches, the function matches. Now we need to change these other function calls here. Any time you add a new boolean, you need to make sure that you're setting that boolean to false in all the other function calls. So we've created the drawBox boolean and you want to make sure you're setting it to false, so I'm going to copy this and you want to paste it in all of the functions. I've already done it because, like I said before, I just recorded this but the MP4 got corrupted, so I have to record it again. But you just want to make sure you're pasting it in all the other functions, and of course in the drawBox function you want to set it to true and set all the other ones to false. We'll have to set some more instructions here, so we have the x, y, width, height, etc., the x, y, width, height, r, g, b. So we're setting the x, y, I forgot the thickness, good thing I'm double checking, and you want to make sure you do the thickness.

Now down in main I'm just doing a while loop and I'm calling drawBox at 50, 50, size of 50, 50, thickness of 2, and it's red. I'm going to build this and let's hope it works. Now to map the driver I'm using kdmapper. Google "kdmapper", it's the first link. Credits to TheCruZ for maintaining this and updating it, adding a bunch of features. Apparently this works on from 1607 to Windows 11; there shouldn't be any problems, you guys should be able to run this. Download the code and compile it and copy the exe over to the directory. Okay, great, so I'm going to map the driver just by dragging and dropping it onto kdmapper. So we've mapped the driver, now I'm going to run the user mode exe, and hopefully it'll draw a box in the top left corner, and there we go, you can see it's drawing a box. It's on top of everything; it'll be on top of games as well.

I know this is probably a little underwhelming, just drawing a box in the corner of my screen, but like I said earlier, this isn't just boxes. You can follow the same steps in this video by going to ReactOS and looking up the function definition and the code for the functions and implementing them in your driver. Specifically, you can do this with DrawText, and you can also do it with a function called FillRect to draw filled rectangles for like health bars and stuff. Anyways, here's a clip of my Tarkov cheat that uses this exact same drawing method; um, in that one I have implemented DrawText and FillRect. Hopefully you guys can do that yourselves. Thank you so much for watching. Once again, thank you so much for 10,000 subscribers. Leave a like, subscribe. Okay, great, goodbye.
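The part of the transcript that is easiest to get wrong is the doubly-linked-list walk over the loaded module list (start at the head, follow the forward link until you are back at the head, recover the entry with CONTAINING_RECORD, compare the name case-sensitively, and check the result before using it). The same walk is what driver-enumeration and rootkit-detection tooling does, so it is worth seeing in isolation. Below is an added example, not code from the video or its author: a user-mode C mock that builds a constructed three-entry list and runs that walk over it. The LIST_ENTRY, UNICODE_STRING and MODULE_ENTRY structs are simplified stand-ins for the kernel types (only the fields the walk needs), and the module names and base addresses are made up so the program runs offline.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Minimal stand-ins for the kernel's LIST_ENTRY and UNICODE_STRING (assumption:
 * only the fields the walk needs are modelled). */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;   /* forward link: the next entry */
    struct _LIST_ENTRY *Blink;   /* backward link: the previous entry */
} LIST_ENTRY;

typedef struct {
    unsigned short Length;        /* in bytes, not characters */
    unsigned short MaximumLength;
    wchar_t *Buffer;              /* not guaranteed to be NUL-terminated */
} UNICODE_STRING;

/* Constructed stand-in for a loader data table entry. The link is deliberately
 * not the first field, so a link pointer on its own is useless: CONTAINING_RECORD
 * subtracts the field's offset to recover the enclosing entry. */
typedef struct {
    void *Reserved;
    LIST_ENTRY InLoadOrderLinks;
    void *DllBase;
    UNICODE_STRING BaseDllName;
} MODULE_ENTRY;

#define CONTAINING_RECORD(address, type, field) \
    ((type *)((char *)(address) - offsetof(type, field)))

/* Case-sensitive comparison that honours Length instead of trusting a terminator. */
static int unicode_equals(const UNICODE_STRING *s, const wchar_t *name)
{
    size_t chars = s->Length / sizeof(wchar_t);
    return wcslen(name) == chars && wmemcmp(s->Buffer, name, chars) == 0;
}

/* The walk from the transcript: begin at the head's first link, follow Flink
 * until we are back at the head, and compare each entry's BaseDllName. */
void *find_module_base(LIST_ENTRY *head, const wchar_t *name)
{
    for (LIST_ENTRY *link = head->Flink; link != head; link = link->Flink) {
        MODULE_ENTRY *entry = CONTAINING_RECORD(link, MODULE_ENTRY, InLoadOrderLinks);
        if (unicode_equals(&entry->BaseDllName, name))
            return entry->DllBase;
    }
    return NULL;   /* not found: the caller must check this before using the base */
}

/* Circular list helpers: an empty list's head points at itself. */
static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void list_append(LIST_ENTRY *head, LIST_ENTRY *node)
{
    node->Flink = head;
    node->Blink = head->Blink;
    head->Blink->Flink = node;
    head->Blink = node;
}

static UNICODE_STRING make_name(wchar_t *buf)
{
    UNICODE_STRING s;
    s.Length = (unsigned short)(wcslen(buf) * sizeof(wchar_t));
    s.MaximumLength = s.Length;
    s.Buffer = buf;
    return s;
}

/* Builds a constructed three-module list (made-up base addresses, built once)
 * and looks a module name up in it. */
void *demo_lookup(const wchar_t *name)
{
    static LIST_ENTRY head;
    static MODULE_ENTRY mods[3];
    static wchar_t n0[] = L"ntoskrnl.exe";
    static wchar_t n1[] = L"win32kbase.sys";
    static wchar_t n2[] = L"win32kfull.sys";
    static int built = 0;

    if (!built) {
        list_init(&head);
        mods[0].DllBase = (void *)0x1000; mods[0].BaseDllName = make_name(n0);
        mods[1].DllBase = (void *)0x2000; mods[1].BaseDllName = make_name(n1);
        mods[2].DllBase = (void *)0x3000; mods[2].BaseDllName = make_name(n2);
        for (int i = 0; i < 3; i++)
            list_append(&head, &mods[i].InLoadOrderLinks);
        built = 1;
    }
    return find_module_base(&head, name);
}

int main(void)
{
    const wchar_t *queries[] = { L"win32kfull.sys", L"Win32kfull.sys", L"win32k.sys" };
    for (int i = 0; i < 3; i++)
        printf("%ls -> %p\n", queries[i], demo_lookup(queries[i]));
    return 0;
}
```

Two details carry over directly to the real thing: the loop terminates on pointer equality with the head, not on a NULL, because the list is circular; and the name comparison uses the UNICODE_STRING length rather than assuming a terminator, which is why a case-different or partial name (the second and third queries) correctly comes back NULL and must be checked before the base is used.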