[C] VirtualQueryEx and Battleye
Cheat Engine Forum Index -> General programming

ulysse31 (Master Cheater)
Posted: Fri Dec 02, 2016 10:36 am

I think the nativeldr error is okay; you should step into the code and see for yourself why the driver fails to load. Make sure you can load unsigned drivers first. There is no reason why you couldn't load the drivers: use admin rights and Windows test mode (or the special startup DB mentioned).
Cotino (Newbie cheater)
Posted: Wed Dec 14, 2016 3:27 am

Update, as I solved most of the issues.
You have to copy Blackbone-master\src\BlackBoneDrv\bin\x64\Win7Release\BlackBoneDrv7.sys into Blackbone-master\build\x64\Debug\ .
Make sure the file isn't 1 KB; for some reason I had to download BlackBoneDrv7.sys separately.
Enable Test Mode on Windows, and there you go.
BlackBone loads successfully.

However, that didn't help my problem, as BattlEye still doesn't launch under test mode, even after launching BlackBone.
Perhaps I missed something; from what I understand, TestDriver() does its thing on the currently selected process. However, BattlEye won't even launch under Test Mode, so I can't really select the BattlEye process.
Or maybe what it does is give the selected process full access through BattlEye, but that doesn't solve BattlEye not launching.

Wow, my bad, I didn't even see there was a second page; I just saw your post, ulysse31.
ulysse31 (Master Cheater)
Posted: Thu Dec 15, 2016 5:23 am

You can try this:
https://www.unknowncheats.me/forum/dayz-sa/140652-dsefix-disable-dse-without-test-mode.html

Note that I haven't tried it myself (I didn't have your test mode problem); however, a friend linked it to me just in case, and AFAIK it might suit your need (load an unsigned driver on normal-mode Windows; watch out for BSODs, and it must be done right after a restart).
Cotino (Newbie cheater)
Posted: Thu Dec 15, 2016 8:56 am

Looks promising, thanks!

I'm assuming it's talking about Oracle VirtualBox?

Some guy says it doesn't work on W7 x64; I will try as soon as I can and give feedback.
Cotino (Newbie cheater)
Posted: Fri Dec 16, 2016 6:03 am

DSEFix works perfectly; I am able to load an unsigned driver without activating test mode.

My problem is now using BlackBone.
I haven't touched the code; TestDriver() seems to grant privilege to explorer.exe, so all I did was change explorer.exe to memscan.exe (my program) on line 8:
Code:
Process::EnumByName( L"memscan32.exe", procIDs );

But I still get access denied from VirtualQueryEx.
I tried adding a sleep before TestDriver and switching to the memscan32 window in case it grants privilege to the active window, but nope, still access denied.

I'm probably just using BlackBone wrong, but I am not familiar enough with driver programming to step into the code.
ulysse31 (Master Cheater)
Posted: Fri Dec 16, 2016 3:32 pm

Cotino wrote:

I haven't touched the code; TestDriver() seems to grant privilege to explorer.exe, so all I did was change explorer.exe to memscan.exe (my program) on line 8

I'm probably just using BlackBone wrong, but I am not familiar enough with driver programming to step into the code.

1/ This has nothing to do with driver programming; when using the BlackBone library you don't have to worry about or know anything about how the driver itself is implemented. It is the same as using some public C++ library such as Boost or whatever.
The reason you get lost is that your C++ knowledge is poor.

2/ No, TestDriver doesn't grant privilege to explorer.exe, which reading the C++ code would tell you.
Changing explorer.exe to memscan.exe makes 0 sense, since explorer.exe is the target process (which makes sense when you think about it: the presentation app will target a process which is always open on every Windows install, so that the test doesn't fail because no process is found).
Therefore you don't replace explorer.exe with memscan.exe; you replace it with your target process, which is BattlEye protected.

Fetch the function inside TestDriver() which upgrades the handle of your target, get a normal handle to your target program (the game), then use the driver's upgrade-handle function to promote it (then again, this function is exported through BlackBone's interface library; you do not need to know anything about the driver implementation), and then you'll get access to the game's memory.
If you get lost in the code, I'd recommend you spend a few weeks on a decent C++ book; it might delay your progress now but will for sure save you time in the long term.
Cotino (Newbie cheater)
Posted: Sun Dec 18, 2016 11:00 am

Thanks for your clarifications.

I actually took 2 years of C++ classes, 16 hours a week; I have all the basics, from dynamic arrays to polymorphism or GUI making.
However, I never touched a single library; all the code we made was from scratch or using stdafx.

Now, before my next point: I have 2 processes, game.exe and gameBattleEye.exe.
If I load the driver to gameBattleEye.exe the driver loads normally, but memscan still gets access denied on game.exe, and cannot find any relatable value in gameBattleEye.exe.

As for loading the driver to game.exe, I get a breakpoint during Driver().EnsureLoaded()
at auto address = proc.modules().GetMainModule()->baseAddress;
GetMainModule() returns a null pointer.
BattlEye is a *32 process, but I don't think that is the source of the problem, since it works fine on other *32 processes.
Stepping into GetMainModule, it doesn't return nullptr right away; instead it's GetModule( peb.ImageBaseAddress ) that returns nullptr.
I tried stepping into GetModule() but couldn't understand much in there.

BattlEye really went all the way to protect their game, I'll give them that.
ulysse31 (Master Cheater)
Posted: Sun Dec 18, 2016 11:30 am

Cotino wrote:
BattlEye really went all the way to protect their game, I'll give them that.

I tend to disagree here; what they do is very user intrusive and annoying, and it is also getting easier to overcome day by day.
Cotino wrote:

Now, before my next point: I have 2 processes, game.exe and gameBattleEye.exe.
If I load the driver to gameBattleEye.exe the driver loads normally, but memscan still gets access denied on game.exe, and cannot find any relatable value in gameBattleEye.exe.

As for loading the driver to game.exe, I get a breakpoint during Driver().EnsureLoaded()
at auto address = proc.modules().GetMainModule()->baseAddress;
GetMainModule() returns a null pointer.
BattlEye is a *32 process, but I don't think that is the source of the problem, since it works fine on other *32 processes.
Stepping into GetMainModule, it doesn't return nullptr right away; instead it's GetModule( peb.ImageBaseAddress ) that returns nullptr.
I tried stepping into GetModule() but couldn't understand much in there.

Stop using your memscan for now; just use the TestApp provided with BlackBone.
Inside TestDriver(), move the Driver().PromoteHandle() function to be the very first function called.
My code looks like this:
Code:
Process proc, thisProc; // Global definitions so that the handle remains valid outside Read's scope
void Read()
{
    // proc, thisProc;
    {
        std::vector<DWORD> procIDs;
        Process::EnumByName(DebuggedProc.wsChosenProc, procIDs);
        proc.Attach(procIDs.front());
        thisProc.Attach(GetCurrentProcessId());
        if (NT_SUCCESS(Driver().EnsureLoaded()))
        {
            DRIVOUT << "                  #######################   DRIVER LOADED   ##############" << endl;
            NTSTATUS status = STATUS_SUCCESS;
            DWORD depFlags = 0;
            BOOL perm = FALSE;
            uint8_t buf[0x1000] = { 0 };
            MEMORY_BASIC_INFORMATION64 memInfo = { 0 };
            Driver().PromoteHandle(GetCurrentProcessId(), proc.core().handle(), PROCESS_ALL_ACCESS);


Cotino wrote:

GetMainModule() returns a null pointer.
BattlEye is a *32 process, but I don't think that is the source of the problem, since it works fine on other *32 processes.
Stepping into GetMainModule, it doesn't return nullptr right away; instead it's GetModule( peb.ImageBaseAddress ) that returns nullptr.
I tried stepping into GetModule() but couldn't understand much in there.

Yes, that is all normal (except the fact that you didn't understand much in the function; that might be because at some point the library will use virtualisation, and if you press F12 (see function definition in MSVC) the compiler won't know which function definition to send you to; however, considering there are fewer definitions than your hand has fingers, you can find out which function is called in a few minutes).
The thing with this testapp is that it isn't meant to do anything useful (pretty much quoting its author), and therefore the order in which all the calls are made is pretty much senseless (not to say stupid).
The reason your GetModule call fails is because the app, as you see if you step through the code, will try to retrieve module info by the usual API ways (including readprocmem and other ntqueryinfo calls), which are doomed to fail; otherwise we wouldn't be using BlackBone's driver in the first place.
However, if you promote the handle right at the beginning of the tests, all those API calls will (well, should) magically succeed.
Get it working from the TestApp.exe before you attempt to use it from your memscan.exe.
Cotino (Newbie cheater)
Posted: Mon Dec 19, 2016 9:36 am

Indeed, the driver loaded successfully.

However, first issue: I still got access denied from VirtualQueryEx; second, I got a VAC global ban 5 seconds after loading the driver.

I tried on another account, first loading the driver on gameBattleEye.exe and then on game.exe; I still got a global ban.

I don't think there's much more to do about that; still, it was worth a try.
ulysse31 (Master Cheater)
Posted: Mon Dec 19, 2016 10:55 am

Well, if you are serious about game hacking driver-protected apps there is much more to do, since promote handle is about the least powerful function this driver library (BlackBone) has to offer.
Cotino (Newbie cheater)
Posted: Mon Dec 19, 2016 3:35 pm

Quite interesting; the problem is that I can only afford to buy so many games until I have to sleep in the street.
I am curious, however, as to how it would work.
helenedwards (Newbie cheater)
Posted: Wed Dec 28, 2016 10:43 pm

Well, I'm getting lots of errors for no reason while running the BlackBone sln under Visual Studio Enterprise 2016.
ulysse31 (Master Cheater)
Posted: Thu Dec 29, 2016 8:20 am

helenedwards wrote:
Well, I'm getting lots of errors for no reason while running the BlackBone sln under Visual Studio Enterprise 2016.

Must be BlackBone's code.
WndDrgn (Cheater)
Posted: Sat Dec 31, 2016 5:44 pm

This topic is very interesting for me.

I hope many more people get involved in the discussion.
Page 2 of 2