Since we know the parameters and return type of getdriver, we can actually call this function with our own code. For clarity, the function prototype looks like this: std::uintptr_t GetDriver(unsigned* size);
//--- amlegit dll functions. namespace amlegit { //--- function is only for extracting the driver static std::tuple<std::uintptr_t, std::size_t> get_driver() { auto get_driver_temp = reinterpret_cast<__int64(*)(unsigned*)>( GetProcAddress(LoadLibrary(L"buffer.dll"), "GetDriver")); unsigned driver_size; if (get_driver_temp) return { get_driver_temp(&driver_size), driver_size }; return { {}, {} }; } } //--- calling example. auto [driver_ptr, driver_size] = amlegit::get_driver();
driver
Now that we have the driver, let's see how it communicates with the cheating user mode counterpart. This spoofing IOCTL hook points to their IOCTL functions by changing the main function pointers of legitimate Windows drivers. They also change the uninstall function to point to them, so if / when the driver is uninstalled, they can remove the IOCTL hook.
INIT:000000014000C268 ; --------------------------------------------------------------------------- INIT:000000014000C268 INIT:000000014000C268 loc_14000C268: ; CODE XREF: ioctl_hook_setup+FFA INIT:000000014000C268 lea rax, IRP_MJ_CREATE INIT:000000014000C26F mov [rbx+70h], rax INIT:000000014000C273 lea rax, IRP_MJ_CLOSE INIT:000000014000C27A mov [rbx+80h], rax INIT:000000014000C281 lea rax, IOCTL_HOOK_FUNCTION INIT:000000014000C288 mov [rbx+0E0h], rax INIT:000000014000C28F mov rcx, cs:hooked_driver_object_ptr INIT:000000014000C296 mov cs:pdriver_obj, rbx INIT:000000014000C29D call create_symbolic_link INIT:000000014000C2A2 or eax, eax INIT:000000014000C2A4 jns short loc_14000C2B2 INIT:000000014000C2A6 lea rcx, aFailedToCreate_0 ; "Failed to create symlink\n" INIT:000000014000C2AD call debug_with_prefix
Considering that we know how drivers communicate with user mode processes, let's look at the IOCTL hook function itself. IOCTL supports reading from the process of a given PID, writing to the process according to its PID, allocating memory in the process of a given PID, and spoofing hwid. The two most prominent options for me are hwid spoofing and memory allocation, because remember, this cheating is internal, so they have to hide their own memory, right? Errors, as you will see, call ZwAllocateVirtualMemory only after calling ZwOpenProcess. They don't hide their memories at all.
if (IOCTL_CODE == 0x224986) { v18 = * (unsigned int ** )(PIRP_1 + 24); PsLookupProcessByProcessId( * v18, & v25); debug_with_prefix((__int64) "Allocating with size %llu...\n", v18[4]); v19 = * (_QWORD * )(PIRP_1 + 8); if ( * (_BYTE * )(v19 + 10) & 5) v20 = * (_QWORD ** )(v19 + 24); else v20 = MmMapLockedPagesSpecifyCache((PMDL) v19, 0, MmCached, 0 i64, 0, (MM_PAGE_PRIORITY) 0x40000010); v26 = * v18; v27 = 0 i64; v28 = 48; v29 = 0 i64; v31 = 0; v30 = 0 i64; _mm_storeu_si128((__m128i * ) & v32, (__m128i) 0 i64); v4 = (unsigned int) ZwOpenProcess( & v34, 0x1FFFFF i64, & v28, & v26); debug_with_prefix((__int64) "Got process handle %x with status %x\n", v34, v4); v21 = 0 i64; v33 = 0 i64; v35 = v18[4]; if ((int) v4 >= 0) { v4 = (unsigned int) ZwAllocateVirtualMemory(v34, & v33, 0 i64, & v35, 4096, 64); debug_with_prefix((__int64) "Allocated at %llx with status %x\n", v33, v4); v21 = v33; }* v20 = v21; v20[2] = 0 i64; v20[1] = 0 i64; }
Before I delve into fraudsters, I just want to say that the developers of amlegit have not found a new way to cheat hwid. In other words, they just paste the public code together and start selling. If you don't want to read about the github repository, you can skip this section and move on to the next section.
The cheater in this driver is public code that can be found here. It is by no means undiscovered, and its use will lead to a ban. Let's first look at the IOCTL option to deceive hwid. The debug print statement tells us what each subsequent function is related to. This makes it easy to cross reference the public github repository to ensure that what we're looking for is really someone else's work.
if (IOCTL_CODE == 0x235C42) { debug_with_prefix((__int64) "Initializing...\n"); init_spoof(); debug_with_prefix((__int64) "Disks...\n"); spoof_disk(); debug_with_prefix((__int64) "Volumes...\n"); spoof_volumes(); debug_with_prefix((__int64) "NIC...\n"); spoof_nic(0 i64); debug_with_prefix((__int64) "SMBIOS...\n"); spoof_smbios(); debug_with_prefix((__int64) "GPU...\n"); spoof_gpu(); v22 = "Done\n"; }
Let's take a look at spoof first_ disk. As you can see, this function is 1:1 with the common source. Since this function is very large, I'll put it on another page so that you can cross reference it with the github repository.
media
This is a youtube video copy of the demo launcher in case it becomes private or deleted. As you will see in the video, the open console contains the same information as the cheater you ran btbd and printed when you openly pasted it. (1:50)
This is a video of cheating. Due to the detection of cheating, the account proving this cheating has been banned. As you can see, it's nothing special.