vmcall / dxgkrnl_hook Goto Github PK

First of all, I appreciate this release, I was thinking about doing something like this for a while now.

// GET CONTEXT
const auto ctx = NtUserGetDc(0x00);

// DRAW TO GAME WINDOW BUFFER
NtGdiPatBlt(ctx, 15, 15, 5, 5, PATCOPY);

Are these left out of the project for any specific reason, or am I missing something?

in usermode every time i call the kernel hooked function the usermode program crashes triying to read 2A0 address, the kenel function is hooked and when i call the function the function does not receive the call, sometimes work and other times dont, idk what is happening

This is my source: https://github.com/BadPlayer555/DxgkrnlHook
I have tried to start the driver with kdmapper in both my Vmware vm and my host PC and same result. This only happens when I am trying to replace the pointer.

Window version 1903
This is my output of my Driver from my VM:
[+] Hello from kernel mode!
[+] Found w module_base FFFFF33E17000000.
[+] NtGdiDdDDISubmitCommand: FFFFF33E17260B92
[+] submit_command_address: FFFFF33E17260B92
[+] instruction: FFFFF33E17267044
[+] delta: 00000000FFFA8DB5
[+] DxgkSubmitCommand: FFFFF33E1720FE00
[+] original_entry: FFFFF33E1720FE00
[+] original_submit_command: 00007102DBA82318
[+] hooked original_entry: FFFFF33E1720FE00
[+] Hooked DxgkSubmitCommand!

I have resolved the NtGdiDdDDISubmitCommand symbol in windbg and it is the same as the Driver.
fffff33e`17260b92 win32kbase!NtGdiDdDDISubmitCommand =

And I have checked the instruction Address in Windbg:

I have also checked the DxgkSubmitCommand Address in Windbg:

This is the dump of the VM.
Dump.zip

I just can't figure out what I was wrong about.

stupid issue but i dont know what to do:

// HOOK INFO
	using dxgk_submit_command_t = int64_t(__fastcall*)(D3DKMT_SUBMITCOMMAND * data);

https://i.imgur.com/uftOQKz.png
and
uint8_t* submit_command_address = reinterpret_cast<uint8_t*>(NtGdiDdDDISubmitCommand);
https://i.imgur.com/gSpkHJY.png
please help me with it

Yo,

i just was wondering, on how i should obtain the address of win32kbase!NtGdiDdDDISubmitCommand. I tried with RtlFindExportedRoutineByName(), but that didnt work^^ So do i have to reverse it myself? (find the entry from some exported table in win32kbase). sry if im stupid, but im really no specialist at this.

greeds!

I have implemented a new working version of the NtGdiDdDDISubmitCommand hook in my driver, and am submitting GDI Commands in it like in this example. However I was disappointed to find out that the rendering only works when I am in borderless windowed mode and not in true full screen.

I am wondering, was it like this for you in your original version? I'm not sure if it is something I did, or something with my specific testing game (csgo) or if this hook was only ever for desktop environment rendering. To that end I'm wondering if there is any documentation on this internal side of things or where any of you even learned it.

Additional questions for anyone kind enough to help a noob out:

• If anyone knows of any documentation or reading materials on the internals of the Gdi system I'm sure many people including me would find that very useful
• Anyone know of any other functions to hook that might be more suited to full screen?

PS. Thanks for your awesome write ups vmcall, you do some cool shit bro 👍

Premising that I'm not a newbie, I tried to run the project but I'm experiencing a lot of issues and errors.

Could someone post (or share in private, if you want) a working example?

I've wasted already some hours but fixing one thing, two more breaks up