dretax/GarHal_CSGO

KDMAPPER cause ObRegisterCallbacks error: STATUS_ACCESS_DENIED

leidadpig opened this issue · 6 comments

Hi, when I try to load the driver in test mode using the "sc" command, the driver works perfectly and user mode also works.
However, when I try using the latest kdmapper, ObRegisterCallbacks fails, and it cannot get the base address.

My setup checklist:

  1. Rename the function inside garhal.c from DriverEntry to DriverInitialize
  2. Uncomment the commented block to get the new "DriverEntry"
  3. Comment out the line pDriverObject->DriverUnload = UnloadDriver;
  4. Comment out the block NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject) {...}
  5. Add the line #define _NO_CRT_STDIO_INLINE inside hide.h (don't know why, but I did as the previously closed issue #99 said)
  6. C++ -> Code Generation -> Security Check -> set to /GS-
  7. Linker -> Command Line -> add /INTEGRITYCHECK
  8. Inf2Cat -> Use Local Time -> set /uselocaltime
  9. Successfully compiled the driver & copied the outputs to VMware

After all this setup, I run a command like: kdmapper.exe Garhal.sys

DebugView shows:

======================================
Garhal is swimming as a manual mapped driver, system range start is FFFF800000000000, code mapped at FFFF908297EF0690
Garhal CSGO External hack By DreTaX
Starting...
Try ObRegisterCallbacks .
ObRegisterCallbacks error: STATUS_ACCESS_DENIED.
ObRegisterCallbacks Failed!

Process hiding feature is disabled.
Driver hiding feature is disabled.
Successfully started!
Created driver.

Clearly, ObRegisterCallbacks failed, and when I try to use user mode, it cannot get the base addresses of client and engine.

OS: win10 21h1 (VMware) and 1909 (real PC)
If anyone has any ideas, much appreciated!

ObRegisterCallbacks won't work in a manually mapped module unless you research and write code to make it so. However, the issue with getting base address shouldn't be related to that since ObRegisterCallbacks is just an additional protection layer. First of all ensure that you start the controller as administrator.

Thanks, I tried what you suggested and found a new problem.

After successfully kdmapping Garhal.sys:

  1. I compile the controller with the updated offset.h and run GarhalController.exe as administrator; the console window just blinks once and then closes, and nothing happens, no console window is left.
  2. I run GarhalController.exe by double-clicking it (not as administrator); the window stays and says "Addresses are 0x0. Waiting for CSGO... "
  3. I run the GarhalController project in VS2019 debug mode and find that "hDriver == INVALID_HANDLE_VALUE"
  4. I run GarhalRankDisplayer.exe as administrator; the console window stays and prints "Starting.....", which I guess means it received the driver handle correctly.
  5. I run GarhalRankDisplayer.exe by double-clicking it (not as administrator); the window shows and says "Addresses are 0x0. Waiting for CSGO... "

Based on these, I guess my problem is that I cannot run GarhalController.exe as administrator successfully. If I can run it as administrator, then everything should be fine.

I will try googling this problem, and any help would be much appreciated. Thanks in advance.
7. I run GarhalController in VS2019 debug mode

PS. If I just load the driver using the "sc" command in Win10 test mode, I can even run everything in VS2019 debug mode successfully, which means the code should be alright.

I found out that it is Windows Defender stopping me from running GarhalController.exe as admin...

Try shutting it down once and for all.

Something is crashing for you when you are launching the app as admin. Obviously, doing so without admin rights will get you nowhere, as it is needed for the IOCTL communication. Did you debug where the application crashes for you?
It's weird if you didn't get a notification from Windows Defender until now.

If you really wish to make ObRegisterCallbacks work, the best bet would be hooking a legitimate driver's callback and utilizing it.

I figured out this morning that Windows Defender stops me from running it as admin, and the solution is to turn off Windows Driver Signature Enforcement. Now I can run it as admin on my work PC; I will try later on my home PC. That should fix this problem.

Thanks again for your work and reply.

@leidadpig Glad to know it got resolved. I answered your question on #99 as well.