
[ARCHIVE/2014] Kernel driver for CS:GO cheater

  • ARCHIVAL code written in 2014,
  • shows an example of how to READ/WRITE PROCESS MEMORY (user-mode, ring 3) from a KERNEL DRIVER (kernel-mode, ring 0),
  • NOT tested on later CS:GO versions (and almost certainly does not work anymore).

What does the kernel driver do?

  • creates the device \Device\csgo-trigger (reachable through the symbolic name csgo-trigger),
  • registers driver handlers:
    • IRP_MJ_READ: finds the csgo.exe process, then READS FROM ITS MEMORY,
    • IRP_MJ_WRITE: finds the csgo.exe process, then WRITES TO ITS MEMORY.

What does the user-mode app do?

  • opens the kernel driver via the symbolic name \\.\csgo-trigger (registered during the driver entry routine),
  • reads from CS:GO memory by asking the driver,
  • emits a fake mouse click (fires the weapon) depending on the game state.

How does the user app communicate with the kernel driver?

  • A kernel driver can register its SYMBOLIC NAME (csgo-trigger),
  • then a user-mode app can communicate with the driver LIKE WITH A FILE:
    • call CreateFile to OPEN the driver; the driver receives an IRP_MJ_CREATE request,
    • call ReadFile to READ data delivered by the driver; the driver receives an IRP_MJ_READ request and can pass arbitrary data in the response,
    • call WriteFile to WRITE your own data to the driver; the driver receives an IRP_MJ_WRITE request and can process the received data in an arbitrary way,
    • call CloseHandle to CLOSE the driver handle when it is no longer needed; the driver receives an IRP_MJ_CLOSE request.