Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
GameGuard Hooking Question
dnsi0
I post too much
Reputation: 0

Joined: 04 Jan 2007
Posts: 2674

Posted: Thu Aug 07, 2008 8:17 pm    Post subject: GameGuard Hooking Question

How exactly does GameGuard hook to the libraries, and how does the game create and use the clones? So far all I know is how to bypass it and that the original won't work.
lurc
Grandmaster Cheater Supreme
Reputation: 2

Joined: 13 Nov 2006
Posts: 1900

Posted: Thu Aug 07, 2008 8:39 pm

If by "hook to the libraries" you mean hook user-mode functions, it injects npggNT.des into every process, which does all the user-level hooks.

GameGuard, I'm guessing, would create the clones via CopyFile, CreateFile, and WriteFile (guessing). I would guess it stores all the names and then loads them.

dnsi0
I post too much
Reputation: 0

Joined: 04 Jan 2007
Posts: 2674

Posted: Thu Aug 07, 2008 8:47 pm

So I can FreeLibraryAndExitThread that piece of crap?
lurc
Grandmaster Cheater Supreme
Reputation: 2

Joined: 13 Nov 2006
Posts: 1900

Posted: Thu Aug 07, 2008 9:02 pm

dnsi0 wrote:
So I can FreeLibraryAndExitThread that piece of crap?


Somehow I don't think it will be that easy...

&Vage
Grandmaster Cheater Supreme
Reputation: 0

Joined: 25 Jul 2008
Posts: 1053

Posted: Fri Aug 08, 2008 2:05 pm

It loads its driver too, so you can't call anything via r0 without it getting hooked... well, almost everything, without GameGuard's hook on your arse.
lurc
Grandmaster Cheater Supreme
Reputation: 2

Joined: 13 Nov 2006
Posts: 1900

Posted: Fri Aug 08, 2008 3:22 pm

_void_ wrote:
It loads its driver too, so you can't call anything via r0 without it getting hooked... well, almost everything, without GameGuard's hook on your arse.


Trampolining over kernel functions is just as easy as user-mode ;)

Overload
Master Cheater
Reputation: 0

Joined: 08 Feb 2008
Posts: 293

Posted: Fri Aug 08, 2008 4:16 pm

Instead of trampolining over functions, what about just hiding the process? Like hiding using DKOM or something?
&Vage
Grandmaster Cheater Supreme
Reputation: 0

Joined: 25 Jul 2008
Posts: 1053

Posted: Fri Aug 08, 2008 4:38 pm

lurc wrote:
_void_ wrote:
It loads its driver too, so you can't call anything via r0 without it getting hooked... well, almost everything, without GameGuard's hook on your arse.


Trampolining over kernel functions is just as easy as user-mode ;)


I never said it wasn't easy...

Overload wrote:
Instead of trampolining over functions, what about just hiding the process? Like hiding using DKOM or something?


Because the process will still call the hooked API?
samuri25404
Grandmaster Cheater
Reputation: 7

Joined: 04 May 2007
Posts: 955
Location: Why do you care?

Posted: Fri Aug 08, 2008 7:25 pm

Overload wrote:
Instead of trampolining over functions, what about just hiding the process? Like hiding using DKOM or something?


When you create your process, GG injects itself into your process.

That means that when you get created, GG has your PID, and whether or not you hide yourself using DKOM, you're still fucked if they've got your PID.

Just mess with their CreateProcess hook, or whatever. :P

rapion124
Grandmaster Cheater Supreme
Reputation: 0

Joined: 25 Mar 2007
Posts: 1095

Posted: Fri Aug 08, 2008 9:26 pm

Kernel memory is "global." All your API calls will be subject to GG's ring0 hooks. The only way you can avoid them is by patching them, or loading another copy of ntoskrnl. GG also has a usermode hooking component called npggNT.des. It gets injected into every process except GG itself.

@samuri25404:
GG doesn't use a CreateProcess hook... It uses PsSetProcessNotifyRoutine.
dnsi0
I post too much
Reputation: 0

Joined: 04 Jan 2007
Posts: 2674

Posted: Sat Aug 09, 2008 8:13 am

How's this: get an autoinjector and inject npggNT.des into GG when it loads @.@
Zand
Master Cheater
Reputation: 0

Joined: 21 Jul 2006
Posts: 424

Posted: Sat Aug 09, 2008 8:27 am

That will either 1. Do nothing. 2. Screw up GG, which will bitch about it and exit. 3. Cause errors.
lurc
Grandmaster Cheater Supreme
Reputation: 2

Joined: 13 Nov 2006
Posts: 1900

Posted: Sat Aug 09, 2008 1:14 pm

dnsi0 wrote:
How's this: get an autoinjector and inject npggNT.des into GG when it loads @.@


Won't really matter; GameGuard dispatches a lot of the important user-mode functions to the kernel instead of using the user-mode functions directly.

rapion124
Grandmaster Cheater Supreme
Reputation: 0

Joined: 25 Mar 2007
Posts: 1095

Posted: Sat Aug 09, 2008 6:22 pm

lurc wrote:
dnsi0 wrote:
How's this: get an autoinjector and inject npggNT.des into GG when it loads @.@


Won't really matter; GameGuard dispatches a lot of the important user-mode functions to the kernel instead of using the user-mode functions directly.


Correct, which is how one version of GGCRC works. Hook NtDeviceIoControlFile, make GG call NtDeviceIoControlFile instead of using sysenter directly, and modify the parameters of GG's IOCTL to read memory. Although x0r only used it for GGCRC, it had a lot more potential, such as crippling GG's driver, if only people had decided to take a look at the source and not spend the few days it was released hacking MS. You can even stop GG's driver from loading, and all you need to do is bypass the usermode hooks via a trampoline.
FullyAwesome
I post too much
Reputation: 0

Joined: 05 Apr 2007
Posts: 4438
Location: Land Down Under

Posted: Sat Aug 09, 2008 8:16 pm

Where do you learn all of this stuff? Like about hooks and stuff?
All times are GMT - 6 Hours
Page 1 of 2

 