Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


How to hook function in user mode with DBVM?
Goto page 1, 2  Next
 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Source -> DBVM
View previous topic :: View next topic  
Author Message
denyMe
How do I cheat?
Reputation: 0

Joined: 08 Jul 2013
Posts: 6

PostPosted: Mon Jul 08, 2013 11:24 am    Post subject: How to hook function in user mode with DBVM? Reply with quote

DB, is it possible to redirect eip when it rich some address in the process? (without code modification)
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 332

Joined: 09 May 2003
Posts: 19646
Location: The netherlands

PostPosted: Mon Jul 08, 2013 12:16 pm    Post subject: Reply with quote

you could try a breakpoint that when hit changes EIP (there's a specific "Change reg on breakpoint" breakpoint type for that)
Or you could apply the same method of stealthedit in kernelmode , mark the page entry as non executable(pagefaults are hookable with dbvm) That requires the ability to write drivers yourself though

Or you could get the dbvm source and implement PET, so you can mark physical memory as non executable and capture it inside dbvm completly outside of the os
Actually, you can configure it to break on read and write the page, but NOT on execute, so you can modify the code as much as you want, and when the integrity check reads it, it breaks, and you modify it to read a copy, at the exact same spot


(there are other methods though, like a modified ultimap where the buffersize is only big enough for 1 branch, so each branch taken causes an interrupt, so you can catch it that way, but not very accurate, unless the instruction is directly jumped to)

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Back to top
View user's profile Send private message MSN Messenger
denyMe
How do I cheat?
Reputation: 0

Joined: 08 Jul 2013
Posts: 6

PostPosted: Tue Jul 09, 2013 12:57 pm    Post subject: Reply with quote

Quote:
Or you could apply the same method of stealthedit in kernelmode , mark the page entry as non executable(pagefaults are hookable with dbvm) That requires the ability to write drivers yourself though

Driver for what? Could i use your driver for interacting with dbvm and mark page from ring3 by VirtualProtect?

Great job btw
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 332

Joined: 09 May 2003
Posts: 19646
Location: The netherlands

PostPosted: Tue Jul 09, 2013 2:01 pm    Post subject: Reply with quote

Interracting with dbvm can even be done from usermode, but the problem with interrupts is that they execute in the context of another process, so your code must be present in kernelmode, which is where a driver comes in to play (you could use dbvm to raise prilvilege to ring0 so you can allocate kernel memory and copy your own interrupt handler to there, but that's just ugly)

You can use ce's driver, but you must compile it yourself and then either boot with unsigned driver support, or sign the driver yourself. The one that comes with CE(64-bit) does not allow it to be controlled by any other program besides cheatengine itself

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Back to top
View user's profile Send private message MSN Messenger
denyMe
How do I cheat?
Reputation: 0

Joined: 08 Jul 2013
Posts: 6

PostPosted: Tue Jul 09, 2013 3:40 pm    Post subject: Reply with quote

OK. I had some experience of compiling and debbuging drivers. What i should pass in parametrs to IOCTL_CE_USERDEFINEDINTERRUPTHOOK
interruptnumber - 14 (page fault)
What next?

I would call ring3 code by APC. Is APC fast enough to call it every single frame to draw some stuff? (I really don't want debug entire cheat code in kernel)


Last edited by denyMe on Tue Jul 09, 2013 5:38 pm; edited 1 time in total
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 332

Joined: 09 May 2003
Posts: 19646
Location: The netherlands

PostPosted: Tue Jul 09, 2013 3:57 pm    Post subject: Reply with quote

I don't recommend using the userdefined interrupthook unless you actually inject your own code into the kernel.

I suggest writing the int14 handler inside the driver itself
Then use inthook_HookInterrupt(14, kernelmodecs (0x8 for 32-bit, 0x10 for 64-bit), addressofyourint14hook, &addressofjumpbackobject)

Look at the int1 interrupt stuff for some ideas on the interrupt entrypoint, but in your case it shouldn't be that complex

When setup, make a copy of the module (or a few pages and manually modify all the relative eip addressing instruction...)
And mark the page that has the code you wish to hook as non executable. (either the normal VirtualProtectEx api call, or modify the pagetable entry directly)

Then when a pagefault occurs, your interrupt handler will get called (remember, it will get called for EVERY pagefault in the system, including those you don't want and those of other processes)

To filter that check if the value of CR2 is inside your non-executable page, and the errorcode signals that it's a fault due to an execution protection violation, then adjust the EIP/RIP in the stackframe to your copy that is executable, and return. (iretq)

If not, call the "jumpback" so windows will handle the pagefault normally

And in your copy, (which runs in usermode) you can do your normal hooks and draw operations

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Back to top
View user's profile Send private message MSN Messenger
denyMe
How do I cheat?
Reputation: 0

Joined: 08 Jul 2013
Posts: 6

PostPosted: Tue Jul 09, 2013 5:07 pm    Post subject: Reply with quote

I understood that thing what i said about APC is a little dummy =)

Summary:
All i need is create a driver which filtering faults and adjusting EIP(32-bits in my case) to VA of my version of copied-hooked function then do iretq.

Copying might be a problem because function is much complex as a module.

Why i can't just change rights back to executable, call it and again change rights to non executable?

If i do this i'll send it to you because would be much easier to hook something with dbvm if DBK would be handle hooking exeptions itself without any additional drivers.
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 332

Joined: 09 May 2003
Posts: 19646
Location: The netherlands

PostPosted: Tue Jul 09, 2013 5:44 pm    Post subject: Reply with quote

Thats why i recommend a full module copy so relative jumps will work without a problem and direct memory references still point to the old data(which is what you want), so no need to do slow switching back and forth
But yes, you could do it all step by step.
Pf->setto executable+set tf(single step). Wait for int1, change protectionhe whole page (4096 bytes) is non executable, you will immediately get a new PF and do the same. (Slow) if you can just execute the code without singe stepping it's a lot faster



Dbk does already support doing stuff without the driver loadedr, but it wasn't made as an interrupt handler
When you boot up the system with dbvm and launch ce, it will give you the option to force the driver to load in memory(if it's unsigned and you forgot to press fCool. You could use a similar approach to load your int14 handler in kernelmode

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Back to top
View user's profile Send private message MSN Messenger
denyMe
How do I cheat?
Reputation: 0

Joined: 08 Jul 2013
Posts: 6

PostPosted: Tue Jul 09, 2013 6:59 pm    Post subject: Reply with quote

Disasm engine could help. I should copy all 4096 bytes(with whole last function) since hooked function entry point. Change relative jumps and calls. Redirect page faults to them(with shifting if its not hooked function). Tomorrow i will try to implement knowledge that you given me.

Many thanks
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 332

Joined: 09 May 2003
Posts: 19646
Location: The netherlands

PostPosted: Tue Jul 09, 2013 7:31 pm    Post subject: Reply with quote

4096 works, but I still recommend the whole module copy (just one page non executable, but have the whole module as fallback)

for example, 00450009 might contain a short jump to 0044fff0
that can be encoded using 2 bytes, but if it's relocated to a different page, and you reassemble it, it needs 5 bytes

you could make it jump to the page before, and there have a big version jump to the relative location, but you may still come into problem if two jump destinations come close

For a 1 page copy I recommend a more complex method. First follow every possible entry point into that page and reassemble every path separately..
Then in the redirector check what EIP is and which path should be jumped to

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Back to top
View user's profile Send private message MSN Messenger
denyMe
How do I cheat?
Reputation: 0

Joined: 08 Jul 2013
Posts: 6

PostPosted: Wed Jul 10, 2013 6:38 pm    Post subject: Reply with quote

What do you think about bypassing PG by handling VMX_VMEXIT_RDMSR and hooking MSR(176h)?
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 332

Joined: 09 May 2003
Posts: 19646
Location: The netherlands

PostPosted: Wed Jul 10, 2013 6:44 pm    Post subject: Reply with quote

Not sure how patchguard can be can be bypassed with editing the value of an msr. (Memory integrity checks still happen)

If you mean adjusting the syscall msr so it points to your function then that's already implemented in dbvm. Check vmcall.h for the command number to set that up. (I don't think i implemented that for the amd version though,so intel only for now)

Edit: ah yes, 176 is syscall. Yeah, that's already available
It's not implemented in the driver, but it shouldn't be too difficult to add, or just do it from usermode (again, same as interrupts, the code it jumps to must be available, so has to be in kernel memory)

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Back to top
View user's profile Send private message MSN Messenger
John111
How do I cheat?
Reputation: 0

Joined: 05 May 2015
Posts: 2
Location: Netherlands

PostPosted: Tue May 05, 2015 2:30 pm    Post subject: Reply with quote

Dark Byte wrote:

Actually, you can configure it to break on read and write the page, but NOT on execute, so you can modify the code as much as you want, and when the integrity check reads it, it breaks, and you modify it to read a copy, at the exact same spot

That seems to be a very very nice solution.
Can you elaborate how that is possible with the current dbvm sourcecode
Back to top
View user's profile Send private message
kabachi
How do I cheat?
Reputation: 0

Joined: 08 May 2015
Posts: 7

PostPosted: Fri May 08, 2015 4:23 pm    Post subject: Reply with quote

Dark Byte wrote:

Actually, you can configure it to break on read and write the page, but NOT on execute, so you can modify the code as much as you want, and when the integrity check reads it, it breaks, and you modify it to read a copy, at the exact same spot

Hi Dark Byte, is this even feasible? In WIN32 vmprotect execute flag implies read access and I thought it is just the way x86 CPU works?
EDIT: two people joined in 3 days to ask basically the same question Smile Looks like hypervisor-based stealth breakpoints is something we need Smile
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 332

Joined: 09 May 2003
Posts: 19646
Location: The netherlands

PostPosted: Fri May 08, 2015 6:20 pm    Post subject: Reply with quote

According to http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-system-programming-manual-325384.pdf#page=1107&zoom=auto,-265,517 a few cpu's do support the 100 setup for EPT (execute only)

This code will show (or bsod you) if your system supports it (if i where to implement it)
Code:

dbk_initialize()
print(string.format("dbk_readMSR(0x48C)=%x", dbk_readMSR(0x48C)))
return bAnd(dbk_readMSR(0x48C),1)==1

i can confirm that an Intel Haswell-E Core i7 5960X does support it

Quote:
EDIT: two people joined in 3 days to ask basically the same question Smile Looks like hypervisor-based stealth breakpoints is something we need Smile

or it's just that one single game has recently added integrity checks

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Back to top
View user's profile Send private message MSN Messenger
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Source -> DBVM All times are GMT - 6 Hours
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites