Cheat Engine

iPromise · Posted: Fri Aug 10, 2012 2:24 am Post subject: Driver Help

I understand that when I load my driver, I have access to all the memory as if I was a DLL injected into a process.

But the memory is different, how do I determine which region belows to which process?

I am trying to write my dll path in a target process so I can call CreateRemoteThread from my usermode application. How can I communicate between my driver and my software?

Thanks

Dark Byte · Posted: Fri Aug 10, 2012 4:37 am Post subject:

You have access to all the memory of the current process. You can use KeStackAttachProcess to specify in which process context you wish to be (can be hooked in 32-bit so doesn't always work there)

And are you sure CreateRemoteThread isn't hooked? (If so, in kernelmode you can make use of the undocumented and well hidden APC method, or try contextsurfing by hooking the context switch function in windows, or use dbvm and do a cr3 hook)

iPromise · Posted: Fri Aug 10, 2012 4:41 am Post subject:

So I have access to the memory of the process i've loaded the driver with until I use KeStackAttachProcess?

Dark Byte · Posted: Fri Aug 10, 2012 5:50 pm Post subject:

Well, you could load the driver in one process and issue commands from the other, but yes, you usually have to switch the current process to the target

iPromise · Posted: Fri Aug 10, 2012 11:03 pm Post subject:

So its impossible to have access to all running memory?

What if KeStackAttachProcess is hooked?

Dark Byte · Posted: Sat Aug 11, 2012 4:17 am Post subject:

Well, you could edit the pagetable to point to every physical memory region you wish, but the order is then completely random

Alternatively, just change the CR3 register to the pagetable of the target process. (you can find the cr3 in the EProcess structure of the target process, or when you hook the timer interrupt and watch when it is signaled when the processid is that of the target)
Note though that only changing cr3 will break window's ability to load in unloaded pages, so if a page has been paged out, it will raise a page fault that if not handled, will crash the system. Luckely, modules of running applications tend to stay paged in, and data pages that are often used tend to be in ram as well.

To deal with this situation I recommend you always first check the page table if the page is loaded, or better, disable all interrupts, hook the int14 interrupt of the current cpu core to only set a flag if a pagefault has occured and nothing else, and then read/write.
Then after each read/write check if the flag has been set or not (and reset it yourself)
And finally restore the int14 handler and the interrupts themself

And another method is just get the cr3 value of the target process, and then use that page table information to map the physical memory pages manually. Check out the virtualpagedir plugin I posted a long time ago. It uses this method

iPromise · Posted: Mon Aug 13, 2012 6:03 am Post subject:

thanks man ill post on my progress