Cotino Newbie cheater Reputation: 0
Joined: 30 Oct 2013 Posts: 14 Location: Le France
Posted: Sat Nov 19, 2016 9:18 pm Post subject: [C] VirtualQueryEx and Battleye
Hi, I'm trying to code a memory scanner, and so far it works on every process I tried except one.
However, when I try to run it against Arma 3, VirtualQueryEx gives me error 5: Access denied.
Arma 3 is 32-bit, however this shouldn't be a problem as it works perfectly on other 32-bit processes.
I tried to change MEMORY_BASIC_INFORMATION to MEMORY_BASIC_INFORMATION32 just in case, but I still get the same error.
I'm thinking Battleye is somehow blocking VirtualQueryEx, but how?
OpenProcess doesn't return any error, and PROCESS_QUERY_INFORMATION is included in PROCESS_ALL_ACCESS.
Maybe Battleye overrides the privileges after it's been opened?
At this point I'm not sure what to do, I tried everything I knew.
Google doesn't help much, as the people who get this error aren't blocked by one specific process.
I'm hoping someone could help me here.
This is the part with the error.
Code: | #include <windows.h>
#include <iostream>

// MEMBLOCK (with its `next` pointer) and create_memblock() are defined elsewhere in the scanner.

// Page protections that count as writable for the scan.
#define WRITABLE (PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

MEMBLOCK* create_scan(unsigned int pid, int data_size)
{
    MEMBLOCK *mb_list = NULL;
    MEMORY_BASIC_INFORMATION meminfo;
    unsigned char *addr = 0;

    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (!hProc)
    {
        // GetLastError must be called with (): streaming the bare name prints the function's address.
        std::cout << "OpenProcess failed: " << GetLastError() << std::endl;
        return NULL;
    }

    while (1)
    {
        // Walk the address space one region at a time. VirtualQueryEx returns 0 both at the
        // end of the address space and on failure, so read the error code at the break.
        if (VirtualQueryEx(hProc, addr, &meminfo, sizeof(meminfo)) == 0)
        {
            std::cout << "VirtualQueryEx stopped at " << (void*)addr
                      << ", error " << GetLastError() << std::endl;  // 5 = ERROR_ACCESS_DENIED
            break;
        }

        if ((meminfo.State & MEM_COMMIT) && (meminfo.Protect & WRITABLE))
        {
            MEMBLOCK *mb = create_memblock(hProc, &meminfo, data_size);
            if (mb)
            {
                mb->next = mb_list;
                mb_list = mb;
            }
        }
        // Advance to the first byte after the region just queried.
        addr = (unsigned char*)meminfo.BaseAddress + meminfo.RegionSize;
    }

    CloseHandle(hProc);
    return mb_list;
} |
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Sun Nov 20, 2016 8:28 am Post subject:
That's frequent in modern anti-cheats; it is likely BattleEye is using a driver, and a simple Google search may tell you a lot about it. You can also use driverview.exe to show you any driver loaded by BattleEye.
You'll want to use something like this:
https://github.com/DarthTon/Blackbone
I am using it myself in my memory viewer to defeat xhunter.sys memory protections.
However, to prevent such tools BattleEye doesn't allow Windows test modes, so if you're using Windows 10 you might have problems (heard you can load unsigned drivers in Win 7 without necessarily using Windows test mode, but haven't checked myself).
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25281 Location: The netherlands
Posted: Sun Nov 20, 2016 9:49 am Post subject:
In Windows 7 just hold F8 during boot and you'll get a menu to allow unsigned drivers (not test mode).
In Windows 10 go to advanced startup, restart now, troubleshoot, advanced options, startup settings, restart. Disable driver enforcing (7).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Cotino Newbie cheater Reputation: 0
Joined: 30 Oct 2013 Posts: 14 Location: Le France
Posted: Sun Nov 20, 2016 2:52 pm Post subject:
Wow, nice, I've never heard of such a thing.
Thanks for Blackbone, I'd prefer to make my own but I'm still gonna give it a look.
I'm gonna try the W7 unsigned driver right away and give you feedback.
Edit: Battleye won't launch with unsigned drivers allowed :/
I'm unsure on how to use Blackbone. Do you have any documentation? The readme only lists the specifications.
Also I couldn't find xhunter.sys. However, I found BEDaisy.sys, which is situated in the Battleye directory.
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Mon Nov 21, 2016 1:05 am Post subject:
xhunter.sys is XIGNCODE3's tool, so you're not supposed to find it.
You need to download Blackbone's solution; it contains three projects: the driver, the driver's library and a TestApp.exe.
Take a look at the TestDriver() function from the TestApp.exe, it shows how to call the driver from your app.
Cotino Newbie cheater Reputation: 0
Joined: 30 Oct 2013 Posts: 14 Location: Le France
Posted: Mon Nov 21, 2016 1:53 am Post subject:
Well, I'm getting lots of errors for no reason while running the Blackbone sln under Visual Studio Enterprise 2015.
Errors like "can't open <windows.h>" or "DWORD undefined", which is weird.
Screenshot: imgur. com/a/pSEfD
Edit: My bad, I'm just stupid, I didn't see the TestApp src.
So if I understand correctly, Blackbone is a library that loads a driver to bypass memory protections? And I'm supposed to load it before running my app.
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Mon Nov 21, 2016 4:19 am Post subject:
To be precise, it's not just the library, it's also the driver itself.
Also, your app is supposed to load it itself (i.e. you load it *after* running your app).
Code: | Driver().EnsureLoaded() |
Code: | NTSTATUS DriverControl::EnsureLoaded( const std::wstring& path /*= L"" */ )
{
    // Already open
    if (_hDriver != INVALID_HANDLE_VALUE)
        return STATUS_SUCCESS;

    // Try to open handle to existing driver
    _hDriver = CreateFileW(
        BLACKBONE_DEVICE_FILE,
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL, OPEN_EXISTING, 0, NULL
    );

    if (_hDriver != INVALID_HANDLE_VALUE)
        return _loadStatus = STATUS_SUCCESS;

    // Start new instance
    return Reload( path );
} |
Cotino Newbie cheater Reputation: 0
Joined: 30 Oct 2013 Posts: 14 Location: Le France
Posted: Mon Nov 21, 2016 11:37 am Post subject:
I'm having some issues running the project.
It requires the Windows 10 SDK, however I'm under Windows 7, which doesn't support that.
I'm trying to make a new project using all the files from BlackBone, but I keep getting unresolved externals everywhere.
I guess I should try to run it on a W10 VM, but I'm still gonna have trouble exporting it to W7, I believe.
Also, as a side thought, could it be possible to run Battleye on a VM and then scan the memory of the VM?
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Mon Nov 21, 2016 5:37 pm Post subject:
BlackBone works for all versions from Windows 7 onward, including Windows 7. I am using it on two computers, one of which has Win 7, and it all works fine.
As for the VM scanning, I don't know (I reckon I've read somewhere that kind of stuff wouldn't work, but never tried).
Cotino Newbie cheater Reputation: 0
Joined: 30 Oct 2013 Posts: 14 Location: Le France
Posted: Mon Nov 21, 2016 10:58 pm Post subject:
Apparently I'm missing SDK 10.0.10586.0, which is the Windows 10 SDK, which is not W7-compatible.
Gonna try to re-update Windows 7, perhaps I missed a patch.
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Tue Nov 22, 2016 2:04 am Post subject:
Apparently it is not Windows 7 which you need to re-update; simply download all the driver packages inside MSVC (I am using MSVC 2015).
Cotino Newbie cheater Reputation: 0
Joined: 30 Oct 2013 Posts: 14 Location: Le France
Posted: Tue Nov 22, 2016 6:00 pm Post subject:
Updated Windows 7, didn't work.
Installed the SDK for Windows 7 and 8.1, didn't work either.
I suppose you mean the Driver Kit Version 7.1?
Downloaded and installed it, doesn't work either.
I am using Visual Studio Enterprise 2015.
Reinstalling Visual Studio didn't work either.
It asks for the SDK from Windows 10; I don't see how it could work under Windows 7.
Edit: Managed to fix it. Right click on each project, Property, Configuration Property, General, Target Platform Version -> 8.1
Now it builds, but won't debug because BlackBone.lib is not a valid Win32 application.
If I run TestApp alone without Blackbone, I get a breakpoint then an exception, not sure if that's the normal behaviour.
I added a pause at the end of the test but the program closes by itself, I'm assuming because of the exception.
Cotino Newbie cheater Reputation: 0
Joined: 30 Oct 2013 Posts: 14 Location: Le France
Posted: Sun Nov 27, 2016 3:00 pm Post subject:
Bump, still looking for a solution.
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Tue Nov 29, 2016 3:05 pm Post subject:
Only you can help yourself; you need to step through the code, and if you can't do it through a debugger you can still do it by limiting execution through user input.
The TestApp provides several functions, the most interesting of which is TestDriver(). If you don't know when your program exits you should use system("pause") and try those functions one by one. You can also test return values or local variables by outputting them to a file, which is how I proceeded.
Cotino Newbie cheater Reputation: 0
Joined: 30 Oct 2013 Posts: 14 Location: Le France
Posted: Thu Dec 01, 2016 5:23 pm Post subject:
Alright, I managed to narrow it down.
Whatever the breakpoint was, it doesn't happen if I only launch TestDriver().
However, I now have an error: NativeLdr: LdrKernel32PatchAddress not found.
The error happens in NtLoader.cpp line 970:
Code: | PatternSearch ps2( "\x48\x8D\x8C\x24\x98\x00\x00\x00\x41\xb0\x01", 11 );
ps2.Search( pStart, scanSize, foundData ); |
For some reason no data is found, and I'm stuck at this point. I have an error later on, "failed to load driver", which I can only assume is caused by this previous error.