Posted: Mon Jan 26, 2009 9:27 pm Post subject: ThreadContextTracker Plugin |
This is what I'm working with so far.
Any further suggestions or optimized implementations will be fully taken into account.
//
#define _CRT_SECURE_NO_WARNINGS
#define _WIN32_WINNT 0x501
//#define WIN32_LEAN_AND_MEAN
// Windows Header Files:
#include <windows.h>
#include <tlhelp32.h>
#include "example-c.h"
// Plugin id handed to InitializePlugin; passed back to UnregisterFunction in DisablePlugin.
int selfid;
// Id returned by Exported.RegisterFunction for the pointer-change callback; -1 = not registered.
int pluginid=-1;
// Handle and pid of the process most recently opened through the OpenProcess hook.
HANDLE hTarget = 0;
ULONG hTargetId = 0;
// Parallel fixed-size tables: ThreadIdList[i] is the thread id whose opened
// handle is ThreadHandleList[i]; a thread id of 0 marks a free slot.
HANDLE ThreadHandleList[20] = {0};
ULONG ThreadIdList[20] = {0};
// Declared but not referenced anywhere in this file.
BOOL IsInitialized = FALSE;
CRITICAL_SECTION cSection;
DWORD orig_OpenThread;
// Function pointer Monitor_KernelOpenProcess forwards to (set by Hook_API from
// CECT.KernelOpenProcess). Stored in a DWORD, so this only works in a 32-bit build.
DWORD orig_KernelOpenProcess;
// Replacement installed into CE's OpenProcess function-pointer slots by Hook_API.
HANDLE Monitor_KernelOpenProcess(DWORD dwAccess,BOOL Inherit,DWORD Pid);
void Hook_API();
// CE calls this when it reassigns its function pointers; it re-installs the hook.
void FnPointerChange(int Reserved);
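// Return an open handle for ThreadId, reusing the one cached in
// ThreadHandleList/ThreadIdList when present, otherwise opening the thread and
// caching it in the first free slot (ThreadIdList[i] == 0).
//
// Returns INVALID_HANDLE_VALUE when the thread cannot be opened, the table is
// full, or ThreadId is 0; PoolForTargetThreads tests for exactly that value.
//
// Defects fixed against the first version: both loops ran to index 20 on
// 20-element arrays (out-of-bounds read and write), a stray ';' after the
// free-slot test made every call claim slot 0, a failed open stored and
// returned NULL (OpenThread's failure value, which the caller does not treat
// as failure), and the "table full" path fell off the end without a return.
HANDLE CheckThreadHandleInList(DWORD ThreadId)
{
    const size_t slots = sizeof(ThreadIdList) / sizeof(ThreadIdList[0]);
    size_t i;
    HANDLE hThread;

    // 0 is the free-slot marker, so it can never be tracked.
    if (ThreadId == 0)
        return INVALID_HANDLE_VALUE;

    // Already cached?
    for (i = 0; i < slots; i++)
    {
        if (ThreadIdList[i] == ThreadId)
            return ThreadHandleList[i];
    }

    // Claim the first free slot.
    for (i = 0; i < slots; i++)
    {
        if (ThreadIdList[i] != 0)
            continue;

        // THREAD_ALL_ACCESS is broader than StartThreadContextSnap needs
        // (suspend/resume + get context). Kept as in the first version; narrow
        // it if nothing outside this file uses these handles.
        hThread = CECT.OpenThread(THREAD_ALL_ACCESS, FALSE, ThreadId);
        if (hThread == NULL || hThread == INVALID_HANDLE_VALUE)
            return INVALID_HANDLE_VALUE;   // slot stays free for a later retry

        ThreadIdList[i] = ThreadId;
        ThreadHandleList[i] = hThread;
        return hThread;
    }

    // Table full: the caller skips this thread.
    return INVALID_HANDLE_VALUE;
}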
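// Suspend hThread, read its full context, show EIP in hex through the CE
// message box, and resume it.
//
// The thread is resumed on every path after a successful SuspendThread,
// including GetThreadContext failure; the first version left the target
// thread suspended in that case. SuspendThread signals failure with
// (DWORD)-1, which is what the comparison below tests. Context.Eip exists
// only in the x86 CONTEXT, so this file is 32-bit only (as is the DWORD
// storage of function pointers above).
void StartThreadContextSnap(HANDLE hThread)
{
    CONTEXT Context;
    char Buffer[255];
    BOOL gotContext = FALSE;

    memset(&Context, 0, sizeof(Context));
    Context.ContextFlags = CONTEXT_FULL;

    if (hThread == NULL || hThread == INVALID_HANDLE_VALUE)
    {
        Exported.ShowMessage("Failed Getting Context");
        return;
    }

    if (CECT.SuspendThread(hThread) != (DWORD)-1)
    {
        gotContext = CECT.GetThreadContext(hThread, &Context) != 0;
        // Always undo the suspend: a suspend count that is never decremented
        // leaves the target thread frozen.
        CECT.ResumeThread(hThread);
    }

    if (!gotContext)
    {
        Exported.ShowMessage("Failed Getting Context");
        return;
    }

    // Lower-case hex without padding, matching the earlier _itoa(..., 16) output.
    sprintf(Buffer, "%lx", (unsigned long)Context.Eip);
    Exported.ShowMessage(Buffer);
}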
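// Enumerate the threads of ProcessId from a toolhelp snapshot and call
// StartThreadContextSnap for each one that can be opened.
//
// Returns TRUE when the snapshot was taken and walked, FALSE when the
// snapshot or Thread32First failed. The snapshot handle is closed on every
// path; the first version leaked it on each call. A snapshot is a
// point-in-time copy, so threads created afterwards are not seen.
BOOL PoolForTargetThreads(ULONG ProcessId)
{
    THREADENTRY32 te32;
    HANDLE hSnap;
    HANDLE hThread;
    BOOL walked = FALSE;

    // Owner id 0 is never a real target.
    if (ProcessId == 0)
        return FALSE;

    memset(&te32, 0, sizeof(te32));
    te32.dwSize = sizeof(THREADENTRY32);

    // TH32CS_SNAPTHREAD snapshots every thread on the system regardless of the
    // pid argument, which is why the owner id is filtered below.
    hSnap = CECT.CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, ProcessId);
    if (hSnap == INVALID_HANDLE_VALUE || hSnap == NULL)
        return FALSE;

    if (CECT.Thread32First(hSnap, &te32) != FALSE)
    {
        walked = TRUE;
        do
        {
            if (te32.th32OwnerProcessID != ProcessId)
                continue;
            hThread = CheckThreadHandleInList(te32.th32ThreadID);
            if (hThread != INVALID_HANDLE_VALUE)
                StartThreadContextSnap(hThread);
        } while (CECT.Thread32Next(hSnap, &te32) != FALSE);
    }

    // Direct Win32 call, like GetProcessId/GetModuleHandle elsewhere in this file.
    CloseHandle(hSnap);
    return walked;
}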
// DLL entry point. The plugin does no per-process or per-thread setup here,
// so every reason code is accepted and TRUE is returned.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;
    return TRUE;
}
// Plugin SDK version callback: reports SDK version 1 and the plugin's display name.
BOOL __stdcall GetVersion(PluginVersion *pv, int sizeofpluginversion)
{
    (void)sizeofpluginversion;   // structure size is not validated, as before
    pv->pluginname = "BaNiMiZeR";
    pv->version = 1;
    return TRUE;
}
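// Fill CECT with the dbk32 / kernel32 entry points. Returns TRUE only when
// every entry point the code in this file actually calls resolved; the other
// entries are filled in but not checked, so an unrelated missing export does
// not block the plugin.
static BOOL ResolveImports(HMODULE dbk32, HMODULE k32)
{
    CECT.ChangeRegOnBP = (ChangeReg)GetProcAddress(dbk32,"ChangeRegOnBP");
    CECT.ContinueDebugEvent = (ContinueDbg)GetProcAddress(k32,"ContinueDebugEvent");
    CECT.CreateToolhelp32Snapshot = (CreateSnapshot)GetProcAddress(k32,"CreateToolhelp32Snapshot");
    CECT.CreateRemoteThread = (CreateRemote)GetProcAddress(k32,"CreateRemoteThread");
    CECT.DBKResumeProcess = (DBKResProcess)GetProcAddress(dbk32,"DBKResumeProcess");
    CECT.DBKResumeThread = (DBKRes)GetProcAddress(dbk32,"DBKResumeThread");
    CECT.DBKSuspendProcess = (DBKSusProcess)GetProcAddress(dbk32,"DBKSuspendProcess");
    CECT.DBKSuspendThread = (DBKSus)GetProcAddress(dbk32,"DBKSuspendThread");
    CECT.DebugActiveProcess = (DbgActive)GetProcAddress(k32,"DebugActiveProcess");
    CECT.DebugProcess = (DbgProcess)GetProcAddress(dbk32,"DebugProcess");
    CECT.getAlternateDebugMethod = (GetDbgMethod)GetProcAddress(dbk32,"getAlternateDebugMethod");
    CECT.GetCR3 = (GCR3)GetProcAddress(dbk32,"GetCR3");
    CECT.GetCR4 = (GCR4)GetProcAddress(dbk32,"GetCR4");
    CECT.GetDebugportOffset = (GetDbgOffset)GetProcAddress(dbk32,"GetDebugportOffset");
    CECT.GetIDTCurrentThread = (GetIDTThread)GetProcAddress(dbk32,"GetIDTCurrentThread");
    CECT.GetIDTs = (GIDTs)GetProcAddress(dbk32,"GetIDTs");
    CECT.GetKProcAddress = (GetKAddress)GetProcAddress(dbk32,"GetKProcAddress");
    CECT.GetLoadedState = (GetState)GetProcAddress(dbk32,"GetLoadedState");
    CECT.GetPEProcess = (GetProc)GetProcAddress(dbk32,"GetPEProcess");
    CECT.GetPEThread = (GetThread)GetProcAddress(dbk32,"GetPEThread");
    CECT.GetPhysicalAddress = (GetAddress)GetProcAddress(dbk32,"GetPhysicalAddress");
    CECT.GetProcessNameFromID = (GetNameFromID)GetProcAddress(dbk32,"GetProcessNameFromID");
    CECT.GetProcessNameFromPEProcess = (GetNameFromPEProcess)GetProcAddress(dbk32,"GetProcessNameFromPEProcess");
    CECT.GetProcessnameOffset = (GetNameOffset)GetProcAddress(dbk32,"GetProcessnameOffset");
    CECT.GetSDT = (GSDT)GetProcAddress(dbk32,"GetSDT");
    CECT.GetSDTShadow = (GSDTShadow)GetProcAddress(dbk32,"GetSDTShadow");
    CECT.GetThreadContext = (GetContext)GetProcAddress(k32,"GetThreadContext");
    CECT.GetThreadListEntryOffset = (GetThreadListOffset)GetProcAddress(dbk32,"GetThreadListEntryOffset");
    CECT.GetThreadsProcessOffset = (GetThreadsOffset)GetProcAddress(dbk32,"GetThreadsProcessOffset");
    CECT.Heap32ListFirst = (HeapFirst)GetProcAddress(k32,"Heap32ListFirst");
    CECT.Heap32ListNext = (HeapNext)GetProcAddress(k32,"Heap32ListNext");
    CECT.IsValidHandle = (IsValid)GetProcAddress(dbk32,"IsValidHandle");
    CECT.KernelAlloc = (KAlloc)GetProcAddress(dbk32,"KernelAlloc");
    CECT.KernelOpenProcess = (ProcessOpen)GetProcAddress(dbk32,"OP");
    CECT.KernelOpenThread = (ThreadOpen)GetProcAddress(dbk32,"OT");
    CECT.KernelReadProcessMemory = (ReadProc)GetProcAddress(dbk32,"RPM");
    CECT.KernelVirtualAllocEx = (VirtAllocEx)GetProcAddress(dbk32,"VAE");
    CECT.KernelWriteProcessMemory = (WriteProc)GetProcAddress(dbk32,"WPM");
    CECT.MakeWritable = (MkWritable)GetProcAddress(dbk32,"MakeWritable");
    CECT.Module32First = (ModuleFirst)GetProcAddress(k32,"Module32First");
    CECT.Module32Next = (ModuleNext)GetProcAddress(k32,"Module32Next");
    CECT.OpenProcess = (ProcessOpen)GetProcAddress(k32,"OpenProcess");
    CECT.OpenThread = (ThreadOpen)GetProcAddress(k32,"OpenThread");
    CECT.Process32First = (ProcFirst)GetProcAddress(k32,"Process32First");
    CECT.Process32Next = (ProcNext)GetProcAddress(k32,"Process32Next");
    CECT.ProtectMe = (Protect)GetProcAddress(dbk32,"ProtectMe");
    CECT.ReadProcessMemory = (ReadProc)GetProcAddress(k32,"ReadProcessMemory");
    CECT.ResumeThread = (ThreadResume)GetProcAddress(k32,"ResumeThread");
    CECT.RetrieveDebugData = (RetrieveDbgData)GetProcAddress(dbk32,"RetrieveDebugData");
    CECT.setAlternateDebugMethod = (SetDbgMethod)GetProcAddress(dbk32,"setAlternateDebugMethod");
    CECT.SetCR3 = (SCR3)GetProcAddress(dbk32,"SetCR3");
    CECT.SetThreadContext = (SetContext)GetProcAddress(k32,"SetThreadContext");
    CECT.StartProcessWatch = (StartWatch)GetProcAddress(dbk32,"StartProcessWatch");
    CECT.StopDebugging = (PVOID)GetProcAddress(dbk32,"StopDebugging");
    CECT.StopRegisterChange = (PVOID)GetProcAddress(dbk32,"StopRegisterChange");
    CECT.SuspendThread = (ThreadSuspend)GetProcAddress(k32,"SuspendThread");
    CECT.Thread32First = (ThreadFirst)GetProcAddress(k32,"Thread32First");
    CECT.Thread32Next = (ThreadNext)GetProcAddress(k32,"Thread32Next");
    CECT.VirtualAllocEx = (VirtAllocEx)GetProcAddress(dbk32,"VAE");
    CECT.VirtualProtect = (VirtProtect)GetProcAddress(k32,"VirtualProtect");
    CECT.VirtualProtectEx = (VirtProtectEx)GetProcAddress(k32,"VirtualProtectEx");
    CECT.VirtualQueryEx = (VirtQueryEx)GetProcAddress(dbk32,"VQE");
    CECT.WaitForDebugEvent = (WaitDbg)GetProcAddress(k32,"WaitForDebugEvent");
    CECT.WaitForProcessListData = (WaitListData)GetProcAddress(dbk32,"WaitForProcessListData");
    CECT.WriteProcessMemory = (WriteProc)GetProcAddress(k32,"WriteProcessMemory");

    // Entry points called by CheckThreadHandleInList, StartThreadContextSnap,
    // PoolForTargetThreads and Monitor_KernelOpenProcess.
    return CECT.OpenThread != NULL
        && CECT.SuspendThread != NULL
        && CECT.GetThreadContext != NULL
        && CECT.ResumeThread != NULL
        && CECT.CreateToolhelp32Snapshot != NULL
        && CECT.Thread32First != NULL
        && CECT.Thread32Next != NULL
        && CECT.KernelOpenProcess != NULL;
}

// Plugin SDK init callback: copy the exported-function table, resolve the
// dbk32 / kernel32 imports, register the pointer-reassignment callback and
// install the OpenProcess hook.
//
// The second parameter was renamed from `pluginid` to `plugin_id` (no ABI
// change for a C function): it shadowed the global `pluginid`, so the
// RegisterFunction result landed in the parameter and the global stayed -1,
// which made DisablePlugin skip the unregister forever. Returns FALSE, without
// hooking, when dbk32.dll / kernel32.dll is not loaded or a required export is
// missing; the first version hooked anyway and would later have called NULL
// function pointers through CECT.
BOOL __stdcall InitializePlugin(struct ExportedFunctions *ef, int plugin_id)
{
    POINTERREASSIGNMENTPLUGIN_INIT init;
    HMODULE dbk32;
    HMODULE k32;

    memset(&init, 0, sizeof(init));
    selfid = plugin_id;
    Exported = *ef;
    // Exported is a by-value copy of CE's table: these two fields are local
    // bookkeeping and are not visible to CE itself.
    Exported.OpenedProcessHandle = 0;
    Exported.OpenedProcessID = 0;

    dbk32 = GetModuleHandle("dbk32.dll");
    k32 = GetModuleHandle("kernel32.dll");
    if (dbk32 == NULL || k32 == NULL)
    {
        Exported.ShowMessage("dbk32.dll / kernel32.dll not loaded, plugin not initialized");
        return FALSE;
    }
    if (!ResolveImports(dbk32, k32))
    {
        Exported.ShowMessage("Required dbk32/kernel32 export missing, plugin not initialized");
        return FALSE;
    }

    init.callbackroutine = (CEP_PLUGINTYPE4)FnPointerChange;
    pluginid = Exported.RegisterFunction(plugin_id, ptFunctionPointerchange, &init);
    Hook_API();
    return TRUE;
}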
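// Pid of the most recently opened target; a repeat open of the same process
// does not re-walk its threads.
DWORD PrevPid = 0;

// Values found in CE's two OpenProcess function-pointer slots before Hook_API
// replaced them, and whether each slot currently holds our hook. DisablePlugin
// puts them back so neither slot points into this module once it is disabled.
static PVOID SavedKernelOpenProcessSlot = NULL;
static PVOID SavedOpenProcessSlot = NULL;
static BOOL KernelSlotHooked = FALSE;
static BOOL UserSlotHooked = FALSE;

// Close every cached thread handle and mark all slots free. The OS recycles
// thread ids, so entries cached for a previous target must never be matched
// against a new one.
static void CloseTrackedThreads(void)
{
    const size_t slots = sizeof(ThreadIdList) / sizeof(ThreadIdList[0]);
    size_t i;

    for (i = 0; i < slots; i++)
    {
        if (ThreadHandleList[i] != NULL && ThreadHandleList[i] != INVALID_HANDLE_VALUE)
            CloseHandle(ThreadHandleList[i]);
        ThreadHandleList[i] = NULL;
        ThreadIdList[i] = 0;
    }
}

// Put the saved value back into a slot that still holds our hook. A slot that
// CE or another plugin has reassigned since is left alone: the saved value
// would be stale.
static void RestoreSlot(PVOID *slot, PVOID saved, BOOL *hooked)
{
    if (*hooked && slot != NULL && *slot == (PVOID)Monitor_KernelOpenProcess)
        *slot = saved;
    *hooked = FALSE;
}

static void Unhook_API(void)
{
    RestoreSlot((PVOID*)Exported.KernelOpenProcess, SavedKernelOpenProcessSlot, &KernelSlotHooked);
    RestoreSlot((PVOID*)Exported.OpenProcess, SavedOpenProcessSlot, &UserSlotHooked);
}

// Plugin SDK disable callback: remove the OpenProcess hooks, release the
// cached thread handles and unregister the pointer-change callback.
//
// The first version only unregistered the callback: the hook stayed in CE's
// slots (a call into this module after it is disabled, and into freed memory
// if CE unloads it) and the up to 20 thread handles were never closed. Always
// returns TRUE, as before.
BOOL __stdcall DisablePlugin(void)
{
    Unhook_API();
    CloseTrackedThreads();
    PrevPid = 0;

    if (pluginid != -1)
    {
        if (Exported.UnregisterFunction(selfid, pluginid) == FALSE)
        {
            Exported.ShowMessage("Failure to unregister a plugin function"); //nothing to be done about this. the plugin is being set on stand by...
        }
        else
        {
            pluginid = -1;   // a second Disable must not unregister the same id again
        }
    }
    return TRUE;
}

// Replacement for CE's OpenProcess: forward to the saved dbk32 entry, record
// the resulting handle/pid, and walk the process's threads the first time a
// given pid is opened.
//
// Both NULL and INVALID_HANDLE_VALUE are treated as failure (kernel32's
// OpenProcess returns NULL; the first version only tested for the latter and
// would have called GetProcessId(NULL)). On failure the value returned by the
// forwarded call is passed through unchanged.
HANDLE Monitor_KernelOpenProcess(DWORD Access, BOOL Inherit, DWORD Pid)
{
    ProcessOpen oOpenProcess = (ProcessOpen)orig_KernelOpenProcess;
    DWORD newPid;

    if (oOpenProcess == NULL)
    {
        // Hook_API has not run, or dbk32's OP did not resolve: nothing to forward to.
        Exported.ShowMessage("Fail");
        return INVALID_HANDLE_VALUE;
    }

    hTarget = oOpenProcess(Access, Inherit, Pid);
    if (hTarget == NULL || hTarget == INVALID_HANDLE_VALUE)
    {
        Exported.ShowMessage("Fail");
        return hTarget;
    }

    // Exported is this plugin's private copy of CE's table; these fields are
    // local bookkeeping only.
    Exported.OpenedProcessHandle = hTarget;
    // GetProcessId needs query access on the handle; fall back to the
    // requested pid when the handle was opened with less than that.
    newPid = GetProcessId(hTarget);
    if (newPid == 0)
        newPid = Pid;
    hTargetId = newPid;
    Exported.OpenedProcessID = hTargetId;

    if (PrevPid != hTargetId)
    {
        // Drop handles cached for the previous target before tracking the new one.
        CloseTrackedThreads();
        PoolForTargetThreads(hTargetId);
        PrevPid = hTargetId;
    }
    return hTarget;
}

// Called by CE whenever it reassigns its function pointers: re-install the hook.
void FnPointerChange(int Reserved)
{
    (void)Reserved;
    Hook_API();
}

// Install Monitor_KernelOpenProcess into both of CE's OpenProcess slots.
// Exported.KernelOpenProcess / Exported.OpenProcess appear to hold the
// addresses of the variables in which CE keeps those function pointers (hence
// the double indirection in the first version); writing our function there
// routes the opens CE performs through the monitor. A slot that already holds
// the monitor is skipped, so repeated calls from FnPointerChange are harmless.
// The previous slot contents are saved for DisablePlugin.
void Hook_API()
{
    PVOID *kernelSlot = (PVOID*)Exported.KernelOpenProcess;
    PVOID *userSlot = (PVOID*)Exported.OpenProcess;

    if (kernelSlot != NULL && *kernelSlot != (PVOID)Monitor_KernelOpenProcess)
    {
        SavedKernelOpenProcessSlot = *kernelSlot;
        KernelSlotHooked = TRUE;
        // The monitor forwards to dbk32's OP, as in the first version. The
        // pointer is stored in a DWORD, so this is 32-bit only.
        orig_KernelOpenProcess = (DWORD)CECT.KernelOpenProcess;
        *kernelSlot = (PVOID)Monitor_KernelOpenProcess;
    }
    if (userSlot != NULL && *userSlot != (PVOID)Monitor_KernelOpenProcess)
    {
        SavedOpenProcessSlot = *userSlot;
        UserSlotHooked = TRUE;
        *userSlot = (PVOID)Monitor_KernelOpenProcess;
    }
}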
Still working out the bugs, but no BSOD.
Regards, BanMe
That's very useful; maybe I'll be able to tweak some bugs out as well.