WELCOME TO INFOCHEATS.NET

INFOCHEATS is a community-driven platform focused on free game cheats, cheat development, and verified commercial software for a wide range of popular games. We provide a large collection of free cheats shared by the community. All public releases are checked for malicious code to reduce the risk of viruses, malware, or unwanted software before users interact with them.

Alongside free content, INFOCHEATS hosts an active marketplace with many independent sellers offering commercial cheats. Each product is discussed openly, with user feedback, reviews, and real usage experience available to help you make informed decisions before purchasing.

Whether you are looking for free cheats, exploring paid solutions, comparing sellers, or studying how cheats are developed and tested, INFOCHEATS brings everything together in one place — transparently and community-driven.

Click to expand...
Register Log in

Source Twizzy Bootkit Base — UEFI Syscall Hook for Kernel R/W

byte_corvus

Expert
Expert
byte_corvus
byte_corvus
Expert
Expert
Status
Offline
Joined
Mar 3, 2026
Messages
720
Reaction score
457
Found this bootkit base dubbed Twizzy — it handles the usermode to bootkit communication by hooking a specific syscall in ntoskrnl. If you are looking for a starting point for physical memory operations that dodge standard driver detection vectors, this is a solid look.

Technical Capabilities
This isn't a full-blown private build yet, but the core features are functional for anyone who knows how to handle a compiler:
  1. Physical Memory Read/Write — bypassing virtual memory protections entirely.
  2. Process CR3 Fetching — specifically noted to work against EAC's cr3 protection logic.
  3. Kernel Memory Access — full R/W capabilities within the kernel space.
  4. Base Address Resolution — automated retrieval of module bases through the bootkit.
  5. Usermode Communication — achieved through a hook on NtAcquireProcessActivityReference in ntoskrnl.
You cant view this link please login.


Setup & Deployment
Since this is a bootkit, you aren't just double-clicking an exe. You need to prep your environment:
  1. Grab a USB drive and format it to FAT32.
  2. Rename your compiled bootkit.efi to bootx64.efi.
  3. Construct the directory path: EFI/BOOT/bootx64.efi.
  4. Adjust your BIOS boot sequence to prioritize the USB.
  5. On reboot, the kit hooks the kernel during the transition from the firmware environment to Windows.

Architectural Notes
All offsets in this release are hardcoded for Windows 10. Consider this a built-in "antipaste" mechanism. If you want this running on Windows 11 or specific builds, you will need to dump the target kernel and update the structures yourself. Currently, it functions as a runtime driver; a smart logical progression would be converting this into a standard EFI application so Windows reclaims the memory, leaving less of a footprint.

Code: 
#pragma once
#include <Windows.h>
#include <TlHelp32.h>
#include <cstdint>
#include <Psapi.h>
//twizzy 
constexpr uint64_t luh_magic = 0x12E7A12D; //thx sleepy
constexpr uint64_t luh_kernel_cr3_w10 = 0x1ad000;
constexpr uint64_t luh_kernel_cr3_w11 = 0x1ae000;
typedef struct cmd_t
{
    enum operations : int
    {
        write_physical = 0x0,
        read_physical = 0x1,
        get_cr3 = 0x2,
        get_base = 0x3
    };
 
    int operation;
    uint64_t address;
    uint64_t value;
    uint64_t pid;
    uint64_t magic;
    uint64_t buffer;
    uint64_t size;
 
    uint64_t base;
    uint64_t cr3;
};
 
typedef long( *nt_acquire_process_activity_reference_t )( int64_t, void*, int );
 
class c_bootkit
{
public:
    nt_acquire_process_activity_reference_t hooked_function = 0;
    uint64_t luh_pid = 0;
    uint64_t luh_cr3 = 0;
    bool init( )
    {
        auto ntdll = LoadLibrary( L"ntdll.dll" );
        if ( !ntdll )
            return false;
 
        hooked_function = ( nt_acquire_process_activity_reference_t ) GetProcAddress( ntdll, "NtAcquireProcessActivityReference" );
 
        if ( !hooked_function )
            return false;
 
        return true;
    }
 
    void create_request( cmd_t* cmd )
    {
        cmd->magic = luh_magic;
        hooked_function( ( int64_t ) cmd, 0, 0 );
    }
 
 
    uint64_t get_process_id( const wchar_t* name )
    {
        uint64_t pid = 0;
        auto snapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
 
        PROCESSENTRY32W entry = {};
        entry.dwSize = sizeof( PROCESSENTRY32W );
 
        if ( Process32FirstW( snapshot, &entry ) )
        {
            do
            {
                if ( wcscmp( entry.szExeFile, name ) == 0 )
                {
                    pid = entry.th32ProcessID;
                    break;
                }
            } while ( Process32NextW( snapshot, &entry ) );
        }
 
        luh_pid = pid;
        return pid;
    }
 
    uint64_t get_image_base( )
    {
        cmd_t cmd = { 0 };
        cmd.operation = cmd_t::operations::get_base;
        cmd.pid = luh_pid;
 
        this->create_request( &cmd );
 
        return cmd.base;
    }
 
    uint64_t get_cr3( ) //works on eac
    {
        if ( luh_cr3 )
            return luh_cr3;
 
        cmd_t cmd = { 0 };
        cmd.operation = cmd_t::operations::get_cr3;
        cmd.pid = luh_pid;
 
        create_request( &cmd );
 
        luh_cr3 = cmd.cr3;
        return cmd.cr3;
    }
    
    template <typename t>
    t read_physical( uint64_t address )
    {
        cmd_t cmd = { 0 };
        cmd.address = address;
        t buffer{ };
        cmd.buffer = ( uint64_t ) &buffer;
        cmd.size = sizeof( t );
        cmd.operation = cmd_t::operations::read_physical;
        create_request( &cmd );
 
        return buffer;
    }
 
    template <typename t>
    void write_physical( uint64_t address, t value )
    {
        cmd_t cmd = { 0 };
        cmd.address = address;
        t buffer = value;
        cmd.value = ( uint64_t ) &buffer;
        cmd.size = sizeof( t );
        cmd.operation = cmd_t::operations::write_physical;
        create_request( &cmd );
    }
 
    uint64_t translate_virtual( uint64_t virtual_address, uint64_t cr3 )
    {
        if ( !virtual_address || !cr3 )
            return 0;
        uint64_t pml4_idx = ( virtual_address >> 39 ) & 0x1FF;
        uint64_t pdpt_idx = ( virtual_address >> 30 ) & 0x1FF;
        uint64_t pd_idx = ( virtual_address >> 21 ) & 0x1FF;
        uint64_t pt_idx = ( virtual_address >> 12 ) & 0x1FF;
        uint64_t page = virtual_address & 0xFFF;
        uint64_t pml4_base = cr3 & 0x000FFFFFFFFFF000ULL;
        uint64_t pml4e_raw = pml4_base + ( pml4_idx * 8 );
        uint64_t pml4e = this->read_physical<uint64_t>( pml4e_raw );
 
        if ( !( pml4e & 1 ) )
            return 0;
 
        uint64_t pdpt_base = pml4e & 0x000FFFFFFFFFF000ULL;
        uint64_t pdpte_raw = pdpt_base + ( pdpt_idx * 8 );
        uint64_t pdpte = this->read_physical<uint64_t>( pdpte_raw );
 
        if ( !( pdpte & 1 ) )
            return 0;
 
        if ( pdpte & ( 1ULL << 7 ) )
        {
            uint64_t physical = ( pdpte & 0x000FFFFFC0000000ULL ) | ( virtual_address & 0x000000003FFFFFFFULL );
            return physical;
        }
 
 
        uint64_t pd_base = pdpte & 0x000FFFFFFFFFF000ULL;
        uint64_t pde_raw = pd_base + ( pd_idx * 8 );
        uint64_t pde = this->read_physical<uint64_t>( pde_raw );
 
        if ( !( pde & 1 ) )
            return 0;
 
        if ( pde & ( 1ULL << 7 ) )
        {
            uint64_t physical = ( pde & 0x000FFFFFFFE00000ULL ) | ( virtual_address & 0x00000000001FFFFFULL );
            return physical;
        }
 
        uint64_t pt_base = pde & 0x000FFFFFFFFFF000ULL;
        uint64_t pte_raw = pt_base + ( pt_idx * 8 );
        uint64_t pte = this->read_physical<uint64_t>( pte_raw );
 
        if ( !( pte & 1 ) )
            return 0;
 
        uint64_t physical = ( pte & 0x000FFFFFFFFFF000ULL ) | ( virtual_address & 0x0000000000000FFFULL );
        return physical;
    }
 
    template <typename t>
    t read_kernel( uint64_t address )
    {
        uint64_t physical = this->translate_virtual( address, luh_kernel_cr3_w10 );
        
        if ( !physical )
            return t{ };
 
        return this->read_physical<t>( physical );
    }
 
    template <typename t>
    void write_kernel( uint64_t address, t value )
    {
        uint64_t physical = this->translate_virtual( address, luh_kernel_cr3_w10 );
 
        if ( !physical )
            return;
 
        this->write_physical<t>( physical, value );
    }
 
    template <typename t>
    t read_virtual( uint64_t address )
    {
        uint64_t physical = this->translate_virtual( address, luh_cr3 );
 
        if ( !physical )
            return t{ };
 
        return this->read_physical<t>( physical );
    }
 
    template <typename t>
    void write_virtual( uint64_t address, t value )
    {
        uint64_t physical = this->translate_virtual( address, luh_cr3 );
 
        if ( !physical )
            return;
 
        this->write_physical<t>( physical, value );
    }
 
    uint64_t get_ntoskrnl_base( )
    {
        uint64_t base = 0;
        uint32_t yea = 0;
 
        EnumDeviceDrivers( nullptr, 0, reinterpret_cast< unsigned long* >( &yea ) );
 
        uint32_t count = yea / sizeof( void* );
        void** drivers = new void* [ count ];
 
        if ( EnumDeviceDrivers( drivers, yea, reinterpret_cast< unsigned long* >( &yea ) ) )
            base = reinterpret_cast< uint64_t >( drivers[ 0 ] );
 
        delete[] drivers;
        return base;
    }
};

The source can be compiled with EDK2. It’s a clean base for those tired of dealing with leaked certificates and vulnerable drivers that get blacklisted every other week.

Drop your crash logs below if you're trying to port the offsets to newer Win 10 builds.
 
You must log in or register to reply here.
Top