flarn2006 (Advanced Cheater, Reputation: 1, Joined: 27 Nov 2012, Posts: 73)
Posted: Mon Jun 08, 2015 2:49 am
Post subject: How to run a snippet of assembly code at the kernel level
The ability to run arbitrary code at the kernel level, for obvious reasons, would be very useful for anyone who wants to experiment with privileged assembly instructions. While Cheat Engine provides this functionality, it's not particularly obvious how to actually use it. So here's how. (Familiarity with Cheat Engine as well as assembly programming is expected here.)
Warning: while the example I give should be safe, when experimenting here, there is a definite risk of causing a blue screen of death. So make sure you don't have anything in the background that you didn't save! I am not responsible if anything bad happens to your computer as a result of this.
First, you're going to need to go into Cheat Engine's settings, and select the "Extra" section on the left. Make sure all these options are checked:
Now, exit and restart Cheat Engine. You should see a large flashing message in the upper-left corner of the screen saying "DBK64 LOADED".
Click the button to select a process, and select "System". It should be the second item in the list, right under "[Physical memory]". Click the "Memory view" button. In the window that appears, go to the "Kernel tools" menu, and select "Allocate nonpaged memory". Click OK (accepting the default of 4096, which is fine) and then Yes.
This allocates a block of nonpaged memory that can hold the code to be run. Your code can also write to this block, as a way of providing feedback to the user. You should now see something like this in the assembler window:
Notice the address right above the mouse cursor in the screenshot. This address will be referred to as the "base address" from here on out. It will almost definitely not be the same address as in the screenshot, but if it is that's fine.
Now press Ctrl+A to open the auto assembler. Enter the following code:
Code:
label(outputLocation)
BaseAddress:
inc [outputLocation]   // bump the counter stored after the ret
ret
outputLocation:
dq 0                   // 8-byte counter that the code above modifies
Replace "BaseAddress" in the code with the actual base address. It should look something like this:
Click Execute, and then Yes. The code should appear in the disassembly. Now to actually run it. Press Ctrl+L to open the Lua window. Don't worry, if you don't know Lua that's fine. All you have to do is enter the following line of code:
Code:
dbk_executeKernelMemory(0xBaseAddress)
Again, replace "BaseAddress" with the address. It should look like this:
Finally, click Execute. You can click it repeatedly if you want. If you see the instruction under "ret" change, that means it worked!
Of course, this code doesn't really need to run at the kernel level, other than the fact that only the kernel has access to the memory that was allocated. Let's try something more dramatic. Enter the following in the code assembler, replacing "BaseAddress" as usual:
Code:
label(loopLabel)
BaseAddress:
mov rcx,80000000   // loop count; the auto assembler reads numeric literals as hex
cli                // privileged: disable interrupts
loopLabel:
loop loopLabel     // spin until rcx reaches 0
sti                // privileged: re-enable interrupts
ret
What this does is disable interrupts, wait a couple of seconds in a busy loop (if your processor is on the slower side you might want to lower the value after "mov rcx,") and then re-enable interrupts. The "cli" and "sti" instructions are privileged instructions; they only work in kernel-level code.
Run it via the same method as before. (Execute in assembler, Yes, OK, Execute in Lua window.) Put something on in the background that makes sound for full effect. Your computer will freeze completely for a few seconds (the mouse cursor won't even move) and then go back to normal. Its effects on audio vary: sometimes it continues playing as normal, sometimes it mutes while it's frozen, and sometimes the sound gets all slow and messed up while it's frozen. Keep in mind that this might make some programs crash or stop working properly, so don't do it with anything important running!
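From the defender's side, the interesting point in the steps above is that a legitimately signed driver (the "DBK64" driver Cheat Engine loads) is what makes the kernel-level execution possible, so signature checks alone will not flag it. The following is an added example, not code from the post or from Cheat Engine: a small Python scanner over Sysmon Event ID 6 (DriverLoad) records that flags both unsigned drivers and known signed drivers that hand kernel execution to their caller. The event lines are constructed for the example, the hashes are placeholders, and the on-disk file name dbk64.sys is an assumption about how the DBK64 driver appears in a driver-load event.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed Sysmon Event ID 6 (DriverLoad) records, flattened to one
# "Key=Value" line each. Sample data written for this example, not real
# telemetry; hashes are placeholders. The file name dbk64.sys is an
# assumption about how the DBK64 driver from the post shows up on disk.
SAMPLE_EVENTS = [
    r"EventID=6 UtcTime=2015-06-08 02:49:00.000 ImageLoaded=C:\Windows\System32\drivers\tcpip.sys "
    r"Hashes=SHA256=PLACEHOLDER_HASH_1 Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    r"EventID=6 UtcTime=2015-06-08 02:50:12.000 ImageLoaded=C:\Program Files\Cheat Engine\dbk64.sys "
    r"Hashes=SHA256=PLACEHOLDER_HASH_2 Signed=true Signature=ExampleSigner SignatureStatus=Valid",
    r"EventID=6 UtcTime=2015-06-08 02:51:40.000 ImageLoaded=C:\Users\Public\driver.sys "
    r"Hashes=SHA256=PLACEHOLDER_HASH_3 Signed=false Signature=- SignatureStatus=Unavailable",
]

# Signed drivers that expose "run caller-supplied code in ring 0" to user mode.
# A valid signature is exactly why they need an inventory rule, not a signature rule.
# File name below is assumed (see lead-in); extend with your own inventory.
WATCHED_DRIVERS = {"dbk64.sys"}


@dataclass
class Finding:
    time: str
    image: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened 'Key=Value Key=Value' record into a dict.

    Values may contain spaces (e.g. 'Microsoft Windows'), so a value runs
    until the next ' Key=' token or the end of the line.
    """
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", line)}


def evaluate(event: Dict[str, str]) -> List[Finding]:
    """Return findings for one parsed event; non-DriverLoad events yield none."""
    if event.get("EventID") != "6":
        return []
    image = event.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in WATCHED_DRIVERS:
        reasons.append("known kernel-code-execution driver loaded (inventory match)")
    signed_ok = (event.get("Signed", "").lower() == "true"
                 and event.get("SignatureStatus") == "Valid")
    if not signed_ok:
        reasons.append("driver is unsigned or its signature is not valid")
    return [Finding(event.get("UtcTime", ""), image, r) for r in reasons]


def scan(lines: List[str]) -> List[Finding]:
    """Run every record through evaluate() and collect the findings in order."""
    findings: List[Finding] = []
    for line in lines:
        findings.extend(evaluate(parse_event(line)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.time}  {f.image}\n    {f.reason}")
```

Running it on the constructed input reports two loads: the assumed dbk64.sys path via the inventory rule (it passes the signature check, as the post's "DBK64 LOADED" banner implies it should) and the unsigned driver via the signature rule. The inventory set is the part worth maintaining; on the prevention side, the same list feeds a driver block policy (for example a WDAC deny rule by file hash or signer) on machines where no one is expected to load a driver that runs user-supplied kernel code.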
Let me know if you have any questions!