Deine Mutter Expert Cheater
Reputation: 1
Joined: 05 Apr 2006 Posts: 181
Posted: Tue Jun 23, 2009 12:58 pm Post subject: Copying/Calling functions in ring0
Hello,
A little noobie question to bother you with:
When I thought about bypassing hooks of game protections I had an idea. Instead of changing the function pointer in the SSDT table we could just copy all the bytes of a function into an empty one before it is hooked and then use it via IOCTLs. For example NtUserSendInput:
Code:
UINT __declspec(naked) __stdcall MyNtUserSendInput(UINT nInputs, LPINPUT pInput, INT cbSize)
{
    __asm {
        nop
        nop
        nop
        // and so on...
    }
}
And then replacing the nops with the original bytes. I don't know if it is possible, it is just theory.
When thinking about that I was not sure if it is that easy to call NtUserSendInput in ring 0, so I just tried a call with the original function for testing purposes.
Code:
typedef UINT (NTAPI *NTUSERSENDINPUT)(ULONG, LPINPUT, int);
NTUSERSENDINPUT OriginalNtUserSendInput;
Code:
KeServiceDescriptorTableShadow = GetKeServiceDescriptorTableShadow();
OriginalNtUserSendInput = (NTUSERSENDINPUT)SYSTEMSERVICE(0x1F6); // Don't worry about that, addresses are right, I checked it
Code:
INPUT Input;
RtlZeroMemory(&Input, sizeof(INPUT));
Input.type = INPUT_KEYBOARD;
Input.ki.wVk = 65;
Input.ki.dwFlags = KEYEVENTF_EXTENDEDKEY;
OriginalNtUserSendInput(1, &Input, sizeof(INPUT));
Input.type = INPUT_KEYBOARD;
Input.ki.wVk = 65;
Input.ki.dwFlags = KEYEVENTF_KEYUP;
OriginalNtUserSendInput(1, &Input, sizeof(INPUT));
Which resulted in an assumed BSOD. What did I do wrong? How can I call NtUserSendInput in ring0? This might sound a little bit stupid, but I searched on Google and I did not get an answer.
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25820 Location: The netherlands
Posted: Tue Jun 23, 2009 2:48 pm Post subject:
Well, just copying the bytes alone won't work. For example, relative jumps and relative calls that jump outside of the region you copied will land in random memory and crash.
So either copy everything of the kernel so when a relative call or jump does happen it at least lands on code that does what it is intended to do, or just reassemble the relative jumps to the new offsets.
Of course, keep in mind that a short jump may turn into a long jump, so the code shifts a bit up as well, and again change all relative jumps accordingly.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
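Dark Byte's point about relative branches, shown as an added example that is not code from this thread: a minimal Python decoder for a constructed x86 byte sequence (one rel32 call that leaves the region, one short jump that stays inside it) that computes where each branch lands at its original address and where the same unchanged bytes land after a naive copy to another address. The addresses, the byte sequence and the opcode length table are constructed for the demo, not taken from any real module.

```python
# Added example, not code from the thread: decode the relative branches in a
# constructed x86 byte sequence and show where they land after a naive copy.
import struct

# Lengths of the few non-branch opcodes in the sample (8B EC = mov ebp, esp).
# A real decoder must handle every instruction; this is only enough for the demo.
FIXED_LEN = {0x55: 1, 0x5D: 1, 0x90: 1, 0xC3: 1, 0x8B: 2}

def decode_branches(code, base):
    """[(offset, mnemonic, absolute target)] for each relative branch when
    `code` is mapped at `base`."""
    branches, i = [], 0
    while i < len(code):
        op = code[i]
        if op in (0xE8, 0xE9):                    # call rel32 / jmp rel32
            disp = struct.unpack_from("<i", code, i + 1)[0]
            length = 5
            branches.append((i, "call" if op == 0xE8 else "jmp", base + i + length + disp))
        elif op == 0xEB:                           # jmp short rel8
            disp = struct.unpack_from("<b", code, i + 1)[0]
            length = 2
            branches.append((i, "jmp short", base + i + length + disp))
        elif op in FIXED_LEN:
            length = FIXED_LEN[op]
        else:
            raise ValueError(f"unhandled opcode {op:#04x} at offset {i:#x}")
        i += length
    return branches

def naive_copy_report(code, base, new_base):
    """(offset, mnemonic, intended target, target after copying the unchanged
    bytes to new_base, inside_region). The displacement survives the copy, so
    every target shifts by new_base - base; harmless only inside the region."""
    after = [t for _, _, t in decode_branches(code, new_base)]
    report = []
    for (off, mnem, target), landed in zip(decode_branches(code, base), after):
        inside = base <= target < base + len(code)
        report.append((off, mnem, target, landed, inside))
    return report

# Constructed sample at BASE: push ebp; mov ebp,esp; call 0x80400000 (outside);
# jmp short +2 (inside); nop; nop; pop ebp; ret.  Addresses are made up.
BASE, NEW_BASE = 0x80501000, 0x81000000
SAMPLE = (bytes([0x55, 0x8B, 0xEC, 0xE8]) + struct.pack("<i", 0x80400000 - (BASE + 8))
          + bytes([0xEB, 0x02, 0x90, 0x90, 0x5D, 0xC3]))

if __name__ == "__main__":
    for off, mnem, target, landed, inside in naive_copy_report(SAMPLE, BASE, NEW_BASE):
        state = "ok, inside copied region" if inside else "BROKEN, outside copied region"
        print(f"+{off:#04x} {mnem:9} {target:#010x} -> {landed:#010x}  {state}")
```

The short jump keeps working because both it and its target moved together; the call's target did not move, so after the copy it points 0xAFF000 bytes past the function it was meant to reach, which is the crash described above.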
Deine Mutter Expert Cheater
Reputation: 1
Joined: 05 Apr 2006 Posts: 181
Posted: Tue Jun 23, 2009 3:00 pm Post subject:
Thanks for that. Can you also tell me why my call to the original NtUserSendInput in my example BSOD'ed me, or can you tell me a way to directly call NtUserSendInput (or unexported NT APIs in general) in ring0?
dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Tue Jun 23, 2009 5:59 pm Post subject:
How I bypass NtUserSendInput is I basically copy Win32k.sys into a new place with ExAllocatePool (non-paged pool). Then I scan the pool for the starting bytes of NtUserSendInput (like AOB scanning; I do this since my SSDT is messed up by Kaspersky Internet Security). Then I make a type to point to that, then call. Works perfect. Bypasses GameGuard before ms got hs.
Guy Expert Cheater
Reputation: 0
Joined: 30 May 2009 Posts: 187
Posted: Tue Jun 23, 2009 10:33 pm Post subject:
dnsi0 wrote:
    How I bypass NtUserSendInput is I basically copy Win32k.sys into a new place with ExAllocatePool (non-paged pool). Then I scan the pool for the starting bytes of NtUserSendInput (like AOB scanning; I do this since my SSDT is messed up by Kaspersky Internet Security). Then I make a type to point to that, then call. Works perfect. Bypasses GameGuard before ms got hs.
Replacing the hook a la inline ASM or shellcode is a commonly used method - OP, I'd have you do that rather than rewrite the entire routine.
Deine Mutter Expert Cheater
Reputation: 1
Joined: 05 Apr 2006 Posts: 181
Posted: Thu Jun 25, 2009 3:06 pm Post subject:
I know about those methods. My problem is not bypassing NtUserSendInput, since I already did that. I am doing this just for fun and to extend my knowledge. The thing which is more important to me is why the OriginalNtUserSendInput call in my example BSOD'ed me.
ktn122 How do I cheat?
Reputation: 0
Joined: 27 Sep 2010 Posts: 1
Posted: Mon Sep 27, 2010 11:36 pm Post subject:
I've the same problem too. Anyone knows?
I try to call the original NtUserSendInput but get a BSOD.
tombana Master Cheater
Reputation: 2
Joined: 14 Jun 2007 Posts: 456 Location: The Netherlands
Posted: Tue Sep 28, 2010 12:59 pm Post subject:
Guy wrote:
    Replacing the hook a la inline ASM or shellcode is a commonly used method - OP, I'd have you do that rather than rewrite the entire routine.
That will not always work. Some functions are hooked several levels deep. (For example KeAttachProcess is hooked 3 levels deep or so)
Deine Mutter wrote:
    I know about those methods. My problem is not bypassing NtUserSendInput, since I already did that. I am doing this just for fun and to extend my knowledge. The thing which is more important to me is why the OriginalNtUserSendInput call in my example BSOD'ed me.
Read this: http://www.osronline.com/article.cfm?id=257
It will tell you to use ZwXxx functions instead of NtXxx. I don't know if that's the problem you're having but you could try.