
Allows you to communicate with the kernel mode to manipulate memory in a stealthy way to avoid kernel anticheats.


PhamtomK12/DoubleDataPointer

 
 


DoubleDataPointer

Double data pointer communication into kernel mode. The driver should be manually mapped into the kernel. Useful for bypassing anti-cheat solutions.

This project points a data pointer at another data pointer, which in turn points to memory inside the driver. This allows a user to send commands through an uncommonly used Windows API and execute them at kernel permission level.

Features

  • Read Memory
  • Write Memory
  • Nulls Page Frame numbers of the driver (so it is harder to find the pages with the driver stub)
  • Clears big pools (usually ExAllocatePool is used to allocate the driver when manually mapping; this takes the driver out of the big pool table)
  • Physical Memory Read/Write (KeStackAttachProcess, which is used inside MmCopyVirtualMemory, can be detected)
  • Uses 2 data pointers so that a surface-level check on the first pointer finds it inside a valid module

Limitations/Detections

  • RIP will be outside of a valid memory region whenever a stack frame is captured from NMI callbacks. This way anticheats can flag you.
  • This project creates alertable threads that can be indexed and captured, then later analyzed or checked for abnormalities.
  • The data pointer itself can be directly verified to point to a specific region.
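
The last detection listed above, carried one hop further, as an added example (not code from this repository): a checker that follows a pointer slot through two hops and reports the first hop that lands outside every loaded image. The image ranges, addresses and in-memory model are constructed for illustration; a real checker would read kernel memory and the loaded-module list instead.

```c
#include <stddef.h>
#include <stdint.h>

typedef struct { uint64_t base, size; } module_range;   /* one loaded image */
typedef struct { uint64_t addr, value; } mem_cell;      /* qword stored at addr */

/* Constructed sample data: two image ranges and four pointer slots. */
static const module_range MODULES[] = {
    { 0xFFFFF80000100000ULL, 0x80000 },
    { 0xFFFFF80000400000ULL, 0x50000 },
};
static const mem_cell MEMORY[] = {
    { 0xFFFFF80000150000ULL, 0xFFFFF80000420000ULL }, /* redirected slot: hop 1 stays in an image */
    { 0xFFFFF80000420000ULL, 0xFFFFA00012340000ULL }, /* hop 2 leaves every image */
    { 0xFFFFF80000150008ULL, 0xFFFFF80000420008ULL }, /* clean slot */
    { 0xFFFFF80000420008ULL, 0xFFFFF80000110000ULL }, /* clean final target */
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* True when p falls inside one of the known image ranges. */
static int in_module(uint64_t p) {
    for (size_t i = 0; i < COUNT(MODULES); i++)
        if (p >= MODULES[i].base && p - MODULES[i].base < MODULES[i].size)
            return 1;
    return 0;
}

/* Stand-in for a safe kernel memory read; fails on unmodelled addresses. */
static int read_qword(uint64_t addr, uint64_t *out) {
    for (size_t i = 0; i < COUNT(MEMORY); i++)
        if (MEMORY[i].addr == addr) { *out = MEMORY[i].value; return 1; }
    return 0;
}

/* Follow `depth` pointer hops starting at `slot`.
 * Returns 0 if every hop lands inside a known image, the 1-based index of
 * the first hop that does not, or -1 if a slot cannot be read. */
int first_bad_hop(uint64_t slot, int depth) {
    uint64_t cur = slot, next;
    for (int hop = 1; hop <= depth; hop++) {
        if (!read_qword(cur, &next)) return -1;
        if (!in_module(next)) return hop;
        cur = next;
    }
    return 0;
}
```

With a depth of 1 the redirected slot passes, which is the surface-level check the feature list refers to; with a depth of 2 the same slot is flagged at the second hop.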

This project was created ages ago; it is most definitely detected.
