Cheat Engine

oib111 · Posted: Sun Sep 07, 2008 11:52 pm Post subject: Kernelmode Hooks

What's the difference between creating a kernelmode hooks and usermode hooks? And why is it that kernelmode hooks seem so much more difficult to bypass?

HalfPrime · Posted: Mon Sep 08, 2008 12:15 am Post subject:

elpacco, knock this crap off. You're spouting shit in computer talk and now here. Just leave.

on topic:
From what I undersatnd, a usermode hook happens in ring3 while a kernel mod hook happens in ring0. A usermmode hook is generally just that redirect from the first 5 bytes, but there's several other kernel mode hooks. For instance SSDT hooks where you change the SSD table to jump to your code instead of call X function. Also, I think I've read GG gets a little more creative with kernel mode hooks and place them in weird places (ie, not the first 5 bytes).

BanMe · Posted: Mon Sep 08, 2008 12:51 am Post subject:

the reason Kernel mode funtions are so much harder to bypass is
that the kernel mode function site below UserMode API there they tke precedence over them...

Ie almost all API call into KernelMode so by hooking the KernelMode API that is called by the Usermode API you have succefully modified the Code path to execute our code and if conditions are met then parameter tampering and code behavior changes can then apply.. if not the the Hook Forwards to the Origanil call..

Slugsnack · Posted: Mon Sep 08, 2008 2:17 am Post subject:

Also ring3 applications will not have access to kernel memory which adds that extra level of difficulty to code a driver or something to play with kernel space.

oib111 · Posted: Mon Sep 08, 2008 8:37 am Post subject:

What exactly is "Kernel memory"? Is it just physical memory and not virtual memory?

sphere90 · Posted: Mon Sep 08, 2008 9:58 am Post subject:

Kernel memory is the region of memory located from 0x80000000 to 0xFFFFFFFF. There's a subtle difference between virtual memory and physical memory. 0x80000000 and 0xFFFFFFFF are virtual memory address of kernel space but the actual physical address of the kernel space maybe different because virtual memory will get mapped into the physical memory eventually. Read Intel's System Programming Guide and you will learn more. It's hard for me to explain it here because memory management is a very broad topic.

Flyte · Posted: Mon Sep 08, 2008 11:48 am Post subject:

rapion124 · Posted: Mon Sep 08, 2008 2:43 pm Post subject:

@Flyte:

You can't write to kernelmode from usermode unless you have a driver that modifies the GDT.

HomerSexual · Posted: Mon Sep 08, 2008 2:54 pm Post subject:

Writing directly to the ram is basically the same thing as kmode

dnsi0 · Posted: Mon Sep 08, 2008 4:55 pm Post subject:

What??? you can use other methods into ring0? How do u do it? I gave up on driver programing after it crashed my comp 5 times.

HomerSexual · Posted: Mon Sep 08, 2008 5:26 pm Post subject:

Something tells me that driver programming will be the easiest way. Writing directly to RAM could damage and idk about call gates. Sounds tricky

oib111 · Posted: Mon Sep 08, 2008 5:57 pm Post subject:

I would agree with blank. And dnsi0 make sure you test your drivers on a Virtual Machine so that you it doesn't crash YOUR machine.

dnsi0 · Posted: Mon Sep 08, 2008 5:59 pm Post subject:

Um... Talking about vms I am testing my drivers on my own machine and it is my own computer Im crashing over and over again...

jackyyll · Posted: Mon Sep 08, 2008 6:41 pm Post subject:

lurc · Posted: Mon Sep 08, 2008 6:59 pm Post subject:

Or learn to code driver's better? Catch exceptions using __try/__except and you won't have that problem.