- system threads
- IRP, IOCTL
- sockets
Try to hide our communication from anti-cheats/anti-viruses.
The communication must not use a driver device and must use asm shellcode. It is based on shared memory!
My solution:
- Create a user-mode app with two threads: the first is the main thread, the second is a sleeping thread
- Create a FileMapping and fill it with the sleeping thread's data
- Load the driver with test signing, or buy a cert, or sign your driver with a leaked cert
- The driver allocates memory and fills it with the asm shellcode
- The kernel driver reads the data from the FileMapping, finds the sleeping user-mode thread and hijacks the return address in that thread's stack
- Now the user-mode thread is hijacked to our asm shellcode
- Unload your driver and clear all traces
Works on: Win7+ x64
PatchGuard compatible on all Windows 10 versions!
Scan all user-mode threads and walk through their stacks. If a return address on a stack is located in unknown memory, that may be PatchGuard or this method being used.
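The detection heuristic above, as an added example (not code from the original post): a C check that flags stack return addresses not backed by any loaded image. The image list, frame values and function names are constructed for illustration; the Windows-only self-scan uses only CaptureStackBackTrace and VirtualQuery.

```c
#include <stddef.h>
#include <stdint.h>
/* A loaded image (module) as base/size. On Windows this comes from the
 * module list; the demo below uses constructed sample values. */
typedef struct { uintptr_t base; size_t size; const char *name; } image_range;

/* Returns the image containing addr, or NULL for "unknown memory". */
static const image_range *find_image(uintptr_t a, const image_range *im, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a >= im[i].base && a - im[i].base < im[i].size) return &im[i];
    return NULL;
}

/* Counts return addresses that point outside every known image; a non-zero
 * result is the signal the note above describes. */
size_t count_unknown_frames(const uintptr_t *rets, size_t nrets,
                            const image_range *im, size_t nim) {
    size_t unknown = 0;
    for (size_t i = 0; i < nrets; i++)
        if (!find_image(rets[i], im, nim)) unknown++;
    return unknown;
}

#ifdef _WIN32
#include <windows.h>
/* Same check on the calling thread's live stack: a return address that
 * VirtualQuery does not report as MEM_IMAGE has no module behind it. JIT code
 * (e.g. .NET) also lives in MEM_PRIVATE, so treat hits as leads to triage.
 * Other threads need thread enumeration plus StackWalk64 (not shown). */
size_t scan_current_thread(void) {
    void *frames[62];
    USHORT n = CaptureStackBackTrace(0, 62, frames, NULL);
    size_t unknown = 0;
    for (USHORT i = 0; i < n; i++) {
        MEMORY_BASIC_INFORMATION mbi;
        if (!VirtualQuery(frames[i], &mbi, sizeof mbi) || mbi.Type != MEM_IMAGE)
            unknown++;
    }
    return unknown;
}
#endif

/* Constructed sample: two images and a stack whose third frame returns into
 * anonymous memory, the shape a hijacked sleeping thread would show. */
size_t demo_unknown_count(void) {
    static const image_range im[] = { { 0x7ff6a0000000u, 0x20000u, "app.exe" },
                                      { 0x7ffc10000000u, 0x1f0000u, "ntdll.dll" } };
    static const uintptr_t stack[] = { 0x7ffc10012345u, 0x7ff6a0001234u,
                                       0x1a2b0000100u, 0x7ffc10009abcu };
    return count_unknown_frames(stack, 4, im, 2);  /* -> 1 */
}
```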