sysenter hook via dbvm

Cheat Engine Forum Index -> Cheat Engine Source -> DBVM
buraktamturk
Newbie cheater
Reputation: 0

Joined: 29 Jun 2014
Posts: 18

Posted: Fri Mar 04, 2016 8:09 am    Post subject: sysenter hook via dbvm

Hello,

I want to hook sysenter. I just saw that a sysenter hook is supported by DBVM; what should the prolog/epilog be for a sysenter hook (I'm looking for something like interrupt1_asmentry)?

I am writing a cheat for a game that is protected by a hackish anti-cheat (they have drivers too). Thanks to DBVM, the anti-cheat doesn't know anything about my cheat. But the anti-cheat itself prevents the creation of a second game instance. Maybe their drivers are written in a way that does not support two processes at a time, or maybe they support this and prevent it by checking their internal structures, or, the case I hope to find, they check it by using functions that are in the SSDT, which would be a bingo case for me.

I thought I could hook sysenter and trace the functions they use, and the EIP from which they call ZwTerminateProcess, so I could break it using hw breakpoints/page faults etc.

And I wonder whether the 32-bit pointer parameters and the pointers in the structs are normalized by Windows before calling sysenter? What I mean is: can I get the arguments by reading the stack in my hook?

Thanks,
Dark Byte
Site Admin
Reputation: 340

Joined: 09 May 2003
Posts: 19902
Location: The netherlands

Posted: Fri Mar 04, 2016 8:27 am

I'm not sure it's active right now (not implemented; hidden_sysenter_modification is 0 if I'm not mistaken, which disables that feature).
It's also only for 32-bit (64-bit uses syscall).

Of course, DBVM can be adjusted to hook those MSRs' read and write, but it's not currently in.

As for multiple instances, it might be as simple as a named object that is being checked for its existence (e.g. a named event or a named pipe, or one of many other options).

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
buraktamturk
Newbie cheater
Reputation: 0

Joined: 29 Jun 2014
Posts: 18

Posted: Fri Mar 04, 2016 1:53 pm

Dark Byte wrote:
I'm not sure it's active right now (not implemented; hidden_sysenter_modification is 0 if I'm not mistaken, which disables that feature).
It's also only for 32-bit (64-bit uses syscall).

Of course, DBVM can be adjusted to hook those MSRs' read and write, but it's not currently in.

As for multiple instances, it might be as simple as a named object that is being checked for its existence (e.g. a named event or a named pipe, or one of many other options).

There is a global mutex object for sure. When I bypass the routine via an int1 hook and hw breakpoints, the first instance gets closed after a few seconds along with the second instance, which I think means the anti-cheat itself does the second check.

Thanks for the explanation; I would have wasted my time trying to implement it.

Thanks,