WELCOME TO INFOCHEATS.NET

INFOCHEATS is a community-driven platform focused on free game cheats, cheat development, and verified commercial software for a wide range of popular games. We provide a large collection of free cheats shared by the community. All public releases are checked for malicious code to reduce the risk of viruses, malware, or unwanted software before users interact with them.

Alongside free content, INFOCHEATS hosts an active marketplace with many independent sellers offering commercial cheats. Each product is discussed openly, with user feedback, reviews, and real usage experience available to help you make informed decisions before purchasing.

Whether you are looking for free cheats, exploring paid solutions, comparing sellers, or studying how cheats are developed and tested, INFOCHEATS brings everything together in one place — transparently and community-driven.

Click to expand...
Register Log in

Guide Anti-Cheat Bypass — Leveraging Steam Overlay Driver for Arbitrary Kernel Read & Write

byte_corvus

Newbie
Newbie
byte_corvus

byte_corvus

Newbie
Newbie
Status
Offline
Joined
Mar 3, 2026
Messages
104
Reaction score
7
Boys, stumbled upon something interesting while looking into the Steam Overlay Performance Monitor. Turns out the driver associated with it is vulnerable and allows for direct read/write access to physical memory via MmMapIoSpace. This is a solid primitive if you are building your own external tools or looking to bypass standard memory read restrictions without dealing with a full custom Kernel driver from scratch.

1774356635556.png


To get this rolling, you just need to head into your Steam settings and toggle the In-Game Overlay Performance Monitor to on. It is currently working across most titles, though obviously, watch your main account if you are going to mess with process memory while an anticheat is active.

Technical Breakdown:
  1. Prerequisites: Enable Steam Performance Monitor in overlay settings.
  2. Mechanism: Uses the underlying driver to leverage DeviceIoControl with the specific IOCTL (0x9C402540) to hit physical memory addresses.
  3. Capabilities: Provides a wrapper for reading physical memory and a helper to write to virtual memory by mapping physical pages.

Code: 
#include <windows.h>
#include <stdio.h>

#define SeLockMemoryPrivilege     04ull
#define SeLoadDriverPrivilege    10ull
#define AdjustCurrentProcess    0ull
#define SwapAddress(x)            ((((ULONG_PTR)(x)) >> 32) | (((ULONG_PTR)(x)) << 32))

BOOL AcquirePrivilege(DWORD Privilege, BOOLEAN Proc)
{
    NTSTATUS(NTAPI *RtlAdjustPrivilege)(ULONG, BOOLEAN, BOOLEAN, PBOOLEAN);
    RtlAdjustPrivilege = reinterpret_cast<decltype(RtlAdjustPrivilege)>(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "RtlAdjustPrivilege"));

    BOOLEAN Enabled = 0;
    return !RtlAdjustPrivilege(Privilege, static_cast<BOOLEAN>(1), Proc, &Enabled) || Enabled;
}

HANDLE OpenDriverHandle()
{
    return CreateFileW(
        L"\\\\?\\GLOBALROOT\\Device\\cpuz160",
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        0ul,
        NULL
    );
}

BOOLEAN ReadPhysicalMemory(HANDLE hDriver, ULONG_PTR PhysicalAddress, PVOID Buffer, SIZE_T Size)
{
    #pragma pack(push,1)
    struct IOCTL_CONTEXT {
        union {
            struct {
                ULONG AddressHigh;
                ULONG AddressLow;
            };
            ULONG64 Address;
        };
        ULONG Length;
        union {
            struct {
                ULONG BufferHigh;
                ULONG BufferLow;
            };
            ULONG64 Buffer;
        };
    } Context;
    #pragma pack(pop)

    Context.Address = SwapAddress(PhysicalAddress);
    Context.Length = Size;
    Context.Buffer = SwapAddress(Buffer);

    DWORD BytesReturned;
    return DeviceIoControl(hDriver, 0x9C402540, reinterpret_cast<LPVOID>(&Context), static_cast<DWORD>(sizeof(Context)), reinterpret_cast<LPVOID>(&Context), static_cast<DWORD>(sizeof(Context)), &BytesReturned, NULL);
}

BOOLEAN WriteVirtualMemory(HANDLE hDriver, PVOID VirtualAddress, PVOID Buffer, SIZE_T Size)
{
    const SIZE_T PageSize = 0x1000;
    SIZE_T PagesCount = (Size / PageSize) + 1;
    PULONG_PTR PagesArray = reinterpret_cast<PULONG_PTR>(VirtualAlloc(NULL, sizeof(ULONG_PTR) * PagesCount, MEM_COMMIT, PAGE_READWRITE));
    if (!PagesArray)
        return FALSE;

    if (!AllocateUserPhysicalPages(GetCurrentProcess(), &PagesCount, PagesArray)) {
        VirtualFree(PagesArray, 0, MEM_RELEASE);
        return FALSE;
    }

    PVOID Mapped = VirtualAlloc(NULL, Size, MEM_RESERVE | MEM_PHYSICAL, PAGE_READWRITE);
    if (!Mapped) {
        FreeUserPhysicalPages(GetCurrentProcess(), &PagesCount, PagesArray);
        VirtualFree(PagesArray, 0, MEM_RELEASE);
        return FALSE;
    }

    if (!MapUserPhysicalPages(Mapped, PagesCount, PagesArray)) {
        VirtualFree(Mapped, 0, MEM_RELEASE);
        FreeUserPhysicalPages(GetCurrentProcess(), &PagesCount, PagesArray);
        VirtualFree(PagesArray, 0, MEM_RELEASE);
        return FALSE;
    }

    // Copy virtual memory
    RtlCopyMemory(Mapped, Buffer, Size);

    // Write virtual memory per page
    BOOLEAN Result = TRUE;
    for (SIZE_T Offset = 0, Page = 0; Page < PagesCount; Page++) {
        SIZE_T WriteSize = min(PageSize, Size - Offset);
        Result &= ReadPhysicalMemory(hDriver, PagesArray[Page] << 12, reinterpret_cast<PVOID>(reinterpret_cast<ULONG_PTR>(VirtualAddress) + Offset), WriteSize);
        Offset += WriteSize;
    }

    // Release physical memory
    VirtualFree(Mapped, 0, MEM_RELEASE);
    FreeUserPhysicalPages(GetCurrentProcess(), &PagesCount, PagesArray);
    VirtualFree(PagesArray, 0, MEM_RELEASE);

    return Result;
}

ULONG_PTR GetSystemPML4(HANDLE hDriver)
{
    // Exist only on CPU with more then 1 logical processor
    __try {
        for (ULONG Address = 0x0; Address < 0x100000; Address += 0x1000) {
            UCHAR Buffer[0x1000];
            if (!ReadPhysicalMemory(hDriver, Address, Buffer, 0x1000))
                continue;

            if (0x00000001000600E9 != (0xffffffffffff00ff & *reinterpret_cast<ULONG_PTR*>(Buffer))) //PROCESSOR_START_BLOCK->Jmp
                continue;

            if (0xfffff80000000000 != (0xfffff80000000003 & *reinterpret_cast<ULONG_PTR*>(Buffer + 0x70))) // PROCESSOR_START_BLOCK->LmTarget
                continue;

            if (0xffffff0000000fff & *reinterpret_cast<ULONG_PTR*>(Buffer + 0xA0)) // PROCESSOR_START_BLOCK->CR3
                continue;

            return *reinterpret_cast<ULONG_PTR*>(Buffer + 0xA0); // PROCESSOR_START_BLOCK->CR3
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        return 0x0ull;
    }

    return 0x0ull;
}

int main()
{
    if (!AcquirePrivilege(SeLockMemoryPrivilege, AdjustCurrentProcess)) {
        printf("failed to acquire required privileges");
        return 1;
    }

    if (!AcquirePrivilege(SeLoadDriverPrivilege, AdjustCurrentProcess)) {
        printf("failed to acquire required privileges");
        return 2;
    }

    HANDLE hDriver = OpenDriverHandle();
    if (!hDriver) {
        printf("failed to open handle to the vulnerable driver");
        return 3;
    }

    ULONG uValue = 0ul;
    printf("ReadStatus = 0x%0X\n", ReadPhysicalMemory(hDriver, 0x100400000, &uValue, sizeof(uValue)));
    printf("Value = 0x%0X\n", uValue);

    ULONG_PTR SystemDirectoryTableBase = GetSystemPML4(hDriver);
    printf("SystemDirectoryTableBase = 0x%p\n", SystemDirectoryTableBase);

    ULONG uValue1 = 0ul;
    printf("WriteStatus = 0x%0X\n", WriteVirtualMemory(hDriver, &uValue1, &uValue, sizeof(uValue)));
    printf("Value1 = 0x%0X\n", uValue1);

    system("pause");

    return 0;
}

You cant view this link please login.


Has anyone tried mapping the CR3 with this to walk the process list for deeper memory access? Curious if the driver handles the page translation correctly on newer OS builds or if we need to manually adjust the PML4 walking. Drop your findings below if you test this on a specific AC.
 
Last edited by a moderator:
You must log in or register to reply here.
Top