ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Fri Dec 02, 2016 10:36 am
I think the nativeldr error is okay; you should step into the code and see for yourself why the driver fails to load. Make sure you can load unsigned drivers first. There is no reason why you couldn't load the drivers: use admin rights and Windows test mode (or the special startup DB mentioned).
Cotino Newbie cheater Reputation: 0
Joined: 30 Oct 2013 Posts: 14 Location: Le France
Posted: Wed Dec 14, 2016 3:27 am
Update, as I solved most of the issues.
You have to copy Blackbone-master\src\BlacklBoneDrv\bin\x64\Win7Release\BlackBoneDrv7.sys into Blackbone-master\build\x64\Debug\ .
Make sure the file isn't 1 KB; for some reason I had to download BlackBoneDrv7.sys separately.
Enable Test Mode on Windows, and there you go.
BlackBone loads successfully.
However, that didn't help my problem, as BattlEye still doesn't launch under test mode, even after launching BlackBone.
Perhaps I missed something. From what I understand, TestDriver() does its thing on the currently selected process. However, BattlEye won't even launch under Test Mode, so I can't really select the BattlEye process.
Or maybe what it does is give the selected process full access through BattlEye, but that doesn't solve BattlEye not launching.
Wow, my bad, I didn't even see there was a second page; I just saw your post, ulysse31.
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Cotino Newbie cheater Reputation: 0
Joined: 30 Oct 2013 Posts: 14 Location: Le France
Posted: Thu Dec 15, 2016 8:56 am
Looks promising, thanks!
I'm assuming it's talking about Oracle VirtualBox?
Some guy says it doesn't work on W7 x64; I will try as soon as I can and give feedback.
Cotino Newbie cheater Reputation: 0
Joined: 30 Oct 2013 Posts: 14 Location: Le France
Posted: Fri Dec 16, 2016 6:03 am
DSEFix works perfectly; I am able to load unsigned drivers without activating test mode.
My problem is now using BlackBone.
I haven't touched the code. TestDriver() seems to grant privilege to explorer.exe, so all I did was change explorer.exe to memscan.exe (my program) on line 8:
Code:
    Process::EnumByName( L"memscan32.exe", procIDs );
But I still get access denied from VirtualQueryEx.
Tried adding a sleep before TestDriver and switching to the memscan32 window in case it grants privilege to the active window, but nope, still access denied.
I'm probably just using BlackBone wrong, but I am not familiar enough with driver programming to step into the code.
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Fri Dec 16, 2016 3:32 pm
Cotino wrote:
    I haven't touched the code. TestDriver() seems to grant privilege to explorer.exe, so all I did was change explorer.exe to memscan.exe (my program) on line 8
    I'm probably just using BlackBone wrong, but I am not familiar enough with driver programming to step into the code.
1/ This has nothing to do with driver programming; when using the BlackBone library you don't have to worry about or know anything about how the driver itself is implemented. It is the same as using some public C++ library such as Boost or whatever.
The reason you get lost is that your C++ knowledge is poor.
2/ No, TestDriver doesn't grant privilege to explorer.exe, which reading the C++ code would tell you.
Changing explorer.exe to memscan.exe makes 0 sense, since explorer.exe is the target process (which makes sense when you think about it: the presentation app will target a process which is always open on every Windows so that the test doesn't fail because no process is found).
Therefore you don't replace explorer.exe with memscan.exe; you replace it with your target process, which is BattlEye protected.
Fetch the function inside TestDriver() which upgrades the handle of your target, get a normal handle to your target program (the game), then use the driver's upgrade-handle function to promote it (then again, this function is exported through BlackBone's interface library; you do not need to know anything about the driver implementation), and then you'll get access to the game's memory.
If you get lost in the code, I'd recommend you spend a few weeks on a decent C++ book; it might delay your progress now but will for sure make you gain time in the long term.
Cotino Newbie cheater Reputation: 0
Joined: 30 Oct 2013 Posts: 14 Location: Le France
Posted: Sun Dec 18, 2016 11:00 am
Thanks for the clarifications.
I actually took 2 years of C++ classes, 16 hours a week; I have all the basics, from dynamic arrays to polymorphism or GUI making.
However, I never touched a single library; all the code we made was from scratch or using stdafx.
Now, before my next point: I have 2 processes, game.exe and gameBattleEye.exe.
If I load the driver on gameBattleEye.exe, the driver loads normally but memscan still gets access denied on game.exe, and cannot find any relatable value in gameBattleEye.exe.
As for loading the driver on game.exe, I get a breakpoint during Driver().EnsureLoaded()
at auto address = proc.modules().GetMainModule()->baseAddress;
GetMainModule() returns a null pointer.
BattlEye is a *32 process, but I don't think that is the source of the problem, since it works fine on other *32 processes.
Stepping into GetMainModule, it doesn't return nullptr right away; instead it's GetModule( peb.ImageBaseAddress ) that returns nullptr.
Tried stepping into GetModule() but couldn't understand much in there.
BattlEye really went all the way to protect their game, I'll give them that.
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Sun Dec 18, 2016 11:30 am
Cotino wrote:
    BattlEye really went all the way to protect their game, I'll give them that.
I tend to disagree here; what they do is very user intrusive and annoying, and it is also getting easier to overcome day by day.
Cotino wrote:
    Now, before my next point: I have 2 processes, game.exe and gameBattleEye.exe.
    If I load the driver on gameBattleEye.exe, the driver loads normally but memscan still gets access denied on game.exe, and cannot find any relatable value in gameBattleEye.exe.
    As for loading the driver on game.exe, I get a breakpoint during Driver().EnsureLoaded()
    at auto address = proc.modules().GetMainModule()->baseAddress;
    GetMainModule() returns a null pointer.
    BattlEye is a *32 process, but I don't think that is the source of the problem, since it works fine on other *32 processes.
    Stepping into GetMainModule, it doesn't return nullptr right away; instead it's GetModule( peb.ImageBaseAddress ) that returns nullptr.
    Tried stepping into GetModule() but couldn't understand much in there.
Stop using your memscan for now; just use the TestApp provided with BlackBone.
Inside TestDriver(), move the Driver().PromoteHandle() call so that it is the very first function being called.
My code looks like this:
Code:
    Process proc, thisProc; // Global definitions so that the handle remains valid outside Read's scope
    void Read()
    {
        // proc, thisProc;
        {
            std::vector<DWORD> procIDs;
            Process::EnumByName(DebuggedProc.wsChosenProc, procIDs);
            proc.Attach(procIDs.front());
            thisProc.Attach(GetCurrentProcessId());
            if (NT_SUCCESS(Driver().EnsureLoaded()))
            {
                DRIVOUT << " ####################### DRIVER LOADED ##############" << endl;
                NTSTATUS status = STATUS_SUCCESS;
                DWORD depFlags = 0;
                BOOL perm = FALSE;
                uint8_t buf[0x1000] = { 0 };
                MEMORY_BASIC_INFORMATION64 memInfo = { 0 };
                Driver().PromoteHandle(GetCurrentProcessId(), proc.core().handle(), PROCESS_ALL_ACCESS);
Cotino wrote:
    GetMainModule() returns a null pointer.
    BattlEye is a *32 process, but I don't think that is the source of the problem, since it works fine on other *32 processes.
    Stepping into GetMainModule, it doesn't return nullptr right away; instead it's GetModule( peb.ImageBaseAddress ) that returns nullptr.
    Tried stepping into GetModule() but couldn't understand much in there.
Yes, that is all normal (except the fact that you didn't understand much in the function; that might be because at some point the library uses virtualisation, and if you press F12 (see function definition in MSVC) the compiler won't know which function definition to send you to. However, considering there are fewer definitions than your hand has fingers, you can find out which function is called in a few minutes).
The thing with this TestApp is that it isn't meant to do anything useful (pretty much quoting its author), and therefore the order in which all the calls are made is pretty much senseless (not to say stupid).
The reason your GetModule call fails is that the app, as you see if you step through the code, will try to retrieve module info by the usual API ways (including ReadProcessMemory and other NtQueryInformation calls), which are doomed to fail; otherwise we wouldn't be using BlackBone's driver in the first place.
However, if you promote the handle right at the beginning of the tests, all those API calls will (well, should) magically succeed.
Get it working from the TestApp.exe before you attempt to use it from your memscan.exe.
Cotino Newbie cheater Reputation: 0
Joined: 30 Oct 2013 Posts: 14 Location: Le France
Posted: Mon Dec 19, 2016 9:36 am
Indeed, the driver loaded successfully.
However, first issue: I still got access denied from VirtualQueryEx; second: I got a VAC global ban 5 seconds after loading the driver.
I tried on another account, first loading the driver on gameBattleEye.exe and then on game.exe, and still got a global ban.
I don't think there's much more to do about that; still, it was worth a try.
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Mon Dec 19, 2016 10:55 am
Well, if you are serious about game hacking driver-protected apps, there is much more to do, since PromoteHandle is about the least powerful function this driver library (BlackBone) has to offer.
Cotino Newbie cheater Reputation: 0
Joined: 30 Oct 2013 Posts: 14 Location: Le France
Posted: Mon Dec 19, 2016 3:35 pm
Quite interesting; the problem is that I can only afford to buy so many games until I have to sleep in the street.
I am curious, however, as to how it would work.
helenedwards Newbie cheater Reputation: 0
Joined: 11 Oct 2016 Posts: 11
Posted: Wed Dec 28, 2016 10:43 pm
Well, I'm getting lots of errors for no reason while running the BlackBone sln under Visual Studio Enterprise 2016.
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Thu Dec 29, 2016 8:20 am
helenedwards wrote:
    Well, I'm getting lots of errors for no reason while running the BlackBone sln under Visual Studio Enterprise 2016.
Must be BlackBone's code.
WndDrgn Cheater Reputation: 0
Joined: 24 May 2015 Posts: 49
Posted: Sat Dec 31, 2016 5:44 pm
This topic is very interesting for me.
I hope many more people get involved in the discussion.