Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
[C] VirtualQueryEx and Battleye
Cotino (Newbie cheater; Reputation: 0; Joined: 30 Oct 2013; Posts: 14; Location: Le France)
Posted: Sat Nov 19, 2016 9:18 pm    Post subject: [C] VirtualQueryEx and Battleye

Hi, I'm trying to code a memory scanner, and so far it works on every process I tried except one.

However, when I try to run it against Arma 3, VirtualQueryEx gives me error 5: Access denied.

Arma 3 is 32-bit; however, this shouldn't be a problem, as it works perfectly on other 32-bit processes.
I tried to change MEMORY_BASIC_INFORMATION to MEMORY_BASIC_INFORMATION32 just in case, but I still get the same error.

I'm thinking Battleye is somehow blocking VirtualQueryEx, but how?
OpenProcess doesn't return any error, and PROCESS_QUERY_INFORMATION is included in PROCESS_ALL_ACCESS.
Maybe Battleye overrides the privileges after it's been opened?

At this point I'm not sure what to do; I tried everything I knew.
Google doesn't help much, as people who get this error aren't blocked by one specific process.

I'm hoping someone could help me here.

This is the part with the error.

Code:
#include <windows.h>
#include <iostream>

// MEMBLOCK (a linked-list node with a 'next' pointer) and create_memblock()
// are defined elsewhere in the scanner and are not shown here.

// Page protections that allow writes, i.e. the regions worth scanning for data.
#define WRITABLE (PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

MEMBLOCK* create_scan(unsigned int pid, int data_size)
{
   MEMBLOCK *mb_list = NULL;
   MEMORY_BASIC_INFORMATION meminfo;
   unsigned char *addr = 0;

   HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
   // GetLastError must be called with (); without the parentheses the
   // function's address is printed instead of the error code.
   std::cout << "OpenProcess: " << GetLastError() << std::endl;

   if (hProc)
   {
      while (1)
      {
         // Walk the target's address space one region at a time.
         if (VirtualQueryEx(hProc, addr, &meminfo, sizeof(meminfo)) == 0)
         {
            // This is the call that fails with error 5 (ERROR_ACCESS_DENIED) against Arma 3.
            std::cout << "VirtualQueryEx: " << GetLastError() << std::endl;
            break;
         }
         if ((meminfo.State & MEM_COMMIT) && (meminfo.Protect & WRITABLE))
         {
            MEMBLOCK *mb = create_memblock(hProc, &meminfo, data_size);
            if (mb)
            {
               mb->next = mb_list;
               mb_list = mb;
            }
         }
         addr = (unsigned char*)meminfo.BaseAddress + meminfo.RegionSize;
      }
      CloseHandle(hProc);
   }

   return mb_list;
}
ulysse31 (Master Cheater; Reputation: 2; Joined: 19 Mar 2015; Posts: 324; Location: Paris)
Posted: Sun Nov 20, 2016 8:28 am

That's frequent in modern anti-cheats; it is likely BattleEye is using a driver. A simple Google search may tell you a lot about it. You can also use driverview.exe to show you any loaded driver by BattleEye.
You'll want to use something like this:
https://github.com/DarthTon/Blackbone
I am using it myself in my memory viewer to defeat xhunter.sys memory protections.
However, to prevent such tools, BattleEye doesn't allow Windows test mode, so if you're using Windows 10 you might have problems (heard you can load unsigned drivers in Win 7 without necessarily using Windows test mode, but haven't checked myself).
Dark Byte (Site Admin; Reputation: 457; Joined: 09 May 2003; Posts: 25262; Location: The Netherlands)
Posted: Sun Nov 20, 2016 9:49 am

In Windows 7, just hold F8 during boot and you'll get a menu to allow unsigned drivers (not test mode).

In Windows 10, go to Advanced startup, Restart now, Troubleshoot, Advanced options, Startup settings, Restart. Disable driver enforcing (7).

Cotino
Posted: Sun Nov 20, 2016 2:52 pm

Wow, nice, I've never heard of such a thing.

Thanks for Blackbone. I'd prefer to make my own, but I'm still gonna give it a look.

I'm gonna try the W7 unsigned driver right away and give you feedback.

Edit: Battleye won't launch with unsigned drivers allowed :/

I'm unsure on how to use Blackbone. Do you have any documentation? The readme only lists the specifications.

Also, I couldn't find xhunter.sys. However, I found BEDaisy.sys, which is situated in the Battleye directory.
ulysse31
Posted: Mon Nov 21, 2016 1:05 am

xhunter.sys is XIGNCODE3's tool, so you're not supposed to find it.
You need to download BlackBone's solution; it contains 3 projects: the driver, the driver's library and a TestApp.exe.
Take a look at the TestDriver() function from the TestApp.exe; it shows how to call the driver from your app.
Cotino
Posted: Mon Nov 21, 2016 1:53 am

Well, I'm getting lots of errors for no reason while running the Blackbone sln under Visual Studio Enterprise 2015.
Errors like "can't open <windows.h>" or "DWORD undefined", which is weird.
Screenshot: imgur.com/a/pSEfD

Edit: My bad, I'm just stupid, I didn't see the TestApp src.

So if I understand correctly, Blackbone is a library that loads a driver to bypass memory protections? And I'm supposed to load it before running my app.
ulysse31
Posted: Mon Nov 21, 2016 4:19 am

To be precise, it's not just the library, it's also the driver itself.
Also, your app is supposed to load it itself (i.e. you load it *after* running your app).
Code:
Driver().EnsureLoaded()


Code:
NTSTATUS DriverControl::EnsureLoaded( const std::wstring& path /*= L"" */ )
{
    // Already open
    if (_hDriver != INVALID_HANDLE_VALUE)
        return STATUS_SUCCESS;

    // Try to open handle to existing driver
    _hDriver = CreateFileW(
        BLACKBONE_DEVICE_FILE,
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL, OPEN_EXISTING, 0, NULL
        );

    if (_hDriver != INVALID_HANDLE_VALUE)
        return _loadStatus = STATUS_SUCCESS;

    // Start new instance
    return Reload( path );
}
Cotino
Posted: Mon Nov 21, 2016 11:37 am

I'm having some issues running the project.
It requires the Windows 10 SDK; however, I'm under Windows 7, which doesn't support that.
I'm trying to make a new project using all the files from BlackBone, but I keep getting unresolved externals everywhere.
I guess I should try to run it on a W10 VM, but I'm still gonna have trouble exporting it to W7, I believe.

Also, as a side thought, could it be possible to run Battleye on a VM and then scan the memory of the VM?
ulysse31
Posted: Mon Nov 21, 2016 5:37 pm

BlackBone works for all versions post Windows 7, including Windows 7. I am using it on 2 computers, one of which has Win 7, and it all works well.

As for the VM scanning, I don't know (I reckon I've read somewhere that kind of stuff wouldn't work, but never tried).
Cotino
Posted: Mon Nov 21, 2016 10:58 pm

Apparently I'm missing SDK 10.0.10586.0, which is the Windows 10 SDK, which is not W7-compatible.
Gonna try to re-update Windows 7; perhaps I missed a patch.
ulysse31
Posted: Tue Nov 22, 2016 2:04 am

Apparently it is not Windows 7 which you need to update; simply download all the driver packages inside MSVC (I am using MSVC 2015).
Cotino
Posted: Tue Nov 22, 2016 6:00 pm

Updated Windows 7, didn't work.

Installed the SDK for Windows 7 and 8.1, didn't work either.

I suppose you mean the Driver Kit Version 7.1?
Downloaded and installed it, doesn't work either.
I am using Visual Studio Enterprise 2015.
Reinstalling Visual Studio didn't work either.

It asks for the SDK from Windows 10; I don't see how it could work under Windows 7.

Edit: Managed to fix it. Right click on each project, Properties, Configuration Properties, General, Target Platform Version -> 8.1

Now it builds, but won't debug because BlackBone.lib is not a valid Win32 application.
If I run TestApp alone without Blackbone, I get a breakpoint then an exception; not sure if that's the normal behaviour.
I added a pause at the end of the test, but the program closes by itself, I'm assuming because of the exception.
Cotino
Posted: Sun Nov 27, 2016 3:00 pm

Bump, still looking for a solution.
ulysse31
Posted: Tue Nov 29, 2016 3:05 pm

Only you can help yourself; you need to step through the code, and if you can't do it through a debugger you can still do it by limiting execution through user input.
The TestApp provides several functions, the most interesting of which is TestDriver(). If you don't know when your program exits, you should use system("pause") and try those functions 1 by 1. You can also test return values or local variables by outputting them to a file, which is how I proceeded.
Cotino
Posted: Thu Dec 01, 2016 5:23 pm

Alright, I managed to narrow it down.
Whatever the breakpoint was, it doesn't happen if I only launch TestDriver().
However, I now have an error: NativeLdr: LdrKernel32PatchAddress not found.
The error happens in NtLoader.cpp line 970:

PatternSearch ps2( "\x48\x8D\x8C\x24\x98\x00\x00\x00\x41\xb0\x01", 11 );
ps2.Search( pStart, scanSize, foundData );

For some reason no data is found, and I'm stuck at this point. I get an error later on, "failed to load driver", which I can only assume is caused by this previous error.
Page 1 of 2