Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


[C] Relinking a Hidden Process

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming
View previous topic :: View next topic  
Author Message
rapion124
Grandmaster Cheater Supreme
Reputation: 0

Joined: 25 Mar 2007
Posts: 1095
PostPosted: Thu Apr 24, 2008 5:25 pm    Post subject: [C] Relinking a Hidden Process Reply with quote
I know how to hide a process using DKOM, but how do you "find" the process to relink after it is hidden? Btw, I'm trying to do this for the processes GG hides.
Back to top
View user's profile Send private message
lurc
Grandmaster Cheater Supreme
Reputation: 2

Joined: 13 Nov 2006
Posts: 1900
PostPosted: Thu Apr 24, 2008 6:12 pm    Post subject: Reply with quote
Easiest way is Bruteforce method, which is to loop the pID from 0 to 0x41DC and call OpenProcess on each of them, if its valid then store the info.

then use CreateToolhelp32Snapshot and compare the list, any differences are hidden.
_________________
Back to top
View user's profile Send private message
rapion124
Grandmaster Cheater Supreme
Reputation: 0

Joined: 25 Mar 2007
Posts: 1095
PostPosted: Fri Apr 25, 2008 3:52 pm    Post subject: Reply with quote
How do I find the address of its EPROCESS block after you find the process ID?
Back to top
View user's profile Send private message
lurc
Grandmaster Cheater Supreme
Reputation: 2

Joined: 13 Nov 2006
Posts: 1900
PostPosted: Fri Apr 25, 2008 4:21 pm    Post subject: Reply with quote
I think You could use the kernel routine PsLookupProcessByProcessId to get it
Code:
NTSTATUS  PsLookupProcessByProcessId(   
     IN HANDLE ProcessId,   
     OUT PEPROCESS *Process   
     );


http://msdn2.microsoft.com/en-ca/library/aa489311.aspx
_________________
Back to top
View user's profile Send private message
the_undead
Expert Cheater
Reputation: 1

Joined: 12 Nov 2006
Posts: 235
Location: Johannesburg, South Africa
PostPosted: Sun Apr 27, 2008 5:09 am    Post subject: Reply with quote
x0r wrote:
Walk the PspCidTable.

+1
_________________
Back to top
View user's profile Send private message Visit poster's website MSN Messenger
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites