ntint (Newbie cheater, Reputation: 0, Joined: 29 May 2017, Posts: 11)
Posted: Mon May 29, 2017 4:14 am
Post subject: loading dbk64.sys via dbvm: will it be harder to detect?
Hi.
Since I can't get dbvm to load dbk64.sys (yet), I just wanna know if it would be worth trying to get it to work.
Whichever technique dbvm uses to load dbk64.sys, will dbk64.sys be visible in
1) PsLoadedModuleList
2) Service Manager
3) Registry ?
In the official release, it will be visible in all three when loading it "normally". So I wanted to know if dbvm would simply fix all 3?
Thanks in advance.
Dark Byte (Site Admin, Reputation: 458, Joined: 09 May 2003, Posts: 25291, Location: The Netherlands)
Posted: Mon May 29, 2017 4:19 am
If you let DBVM load the driver, then it will not be visible there.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
ntint (Newbie cheater, Reputation: 0, Joined: 29 May 2017, Posts: 11)
Posted: Mon May 29, 2017 4:36 am
Thanks for that quick answer! But this raises quite some more questions:
1) Does it manually map the driver?
2) Does it work with a self-compiled unsigned ce driver with dse enabled and testsigning off?
3) Could you load other drivers the same way? And if so, do these drivers have to be "specially crafted" to follow certain rules?
Dark Byte (Site Admin, Reputation: 458, Joined: 09 May 2003, Posts: 25291, Location: The Netherlands)
Posted: Mon May 29, 2017 6:07 pm
1: Yes.
2: It just maps the driver; as long as it's not encrypted or relies too much on Windows behaviour, it'll be fine.
3: No, the dbk driver is specifically designed to be operable in case it's loaded by DBVM and used by CE.
e.g. exception handling will not properly work, so special paths will then be taken,
and no DeviceIoControl will work; only specially fabricated DBVM privilege packets will end up with the handler.
ntint (Newbie cheater, Reputation: 0, Joined: 29 May 2017, Posts: 11)
Posted: Tue May 30, 2017 3:32 am
Alright, thanks. Sounds all good.
Hopefully you can give me some hints on how to get my setup to work.
What I'm trying to do is the following:
1) Use official ce to load dbvm
2) Use dbvm to load my self-compiled unsigned ce driver while dse is enabled and testsigning is disabled
The setup is the following:
I use Win7 x64 on an i7, all 4 cores enabled. dbvm is supported and working in official ce (just some occasional clock timeouts here and there on breakpoints, but never on loading dbvm). I downloaded the latest ce source, successfully built the release version of ce with lazarus 1.6 and the driver using ce.bat inside the win7 x64 checked build environment of wdk 7.1. Just to make sure, I copied vmdisk.img and vmdisk.img.sig from original ce to the bin directory. I'm not renaming any files and not using driver64.dat. I can't run buildsigs.bat since the siggen directory is missing.
Now I do the following:
1) Run official ce and load dbvm -> success
2) Close official ce
3) Run kernelmoduleunloader -> success (I also tried without running the unloader)
4) Run self-compiled ce in bin directory -> loading driver fails because of dse -> try to load via dbvm -> bugcheck 0x1e (KMODE_EXCEPTION_NOT_HANDLED)
Just to see if everything works when loading the driver normally, I did the following:
1) Run official ce and load dbvm
2) Manually set ntoskrnl!g_CiEnabled to 0 to temporarily disable dse
3) Close official ce and run kernelmoduleunloader
4) Run self-compiled ce and load driver "normally" with dse disabled -> success
Am I missing something in this setup, or is dbvm just not working like that?
Dark Byte (Site Admin, Reputation: 458, Joined: 09 May 2003, Posts: 25291, Location: The Netherlands)
Posted: Tue May 30, 2017 3:51 am
Could be there is an exception being handled somewhere. DBVM does not allow drivers to handle exceptions.
Find all try/except blocks and rewrite them with only the code in the try, and make sure it never raises an exception.
Then try loading it the normal way and fix/adjust it till it's not crashing you anymore. (Some features may have to go.)
ntint (Newbie cheater, Reputation: 0, Joined: 29 May 2017, Posts: 11)
Posted: Wed May 31, 2017 1:20 am
Dark Byte wrote: "could be there is an exception being handled somewhere. DBVM does not allow drivers to handle exceptions"
Just making sure... doesn't it allow any driver in the system to handle exceptions, or just dbk64?
Dark Byte (Site Admin, Reputation: 458, Joined: 09 May 2003, Posts: 25291, Location: The Netherlands)
Posted: Wed May 31, 2017 1:45 am
Just the one it loads.
ntint (Newbie cheater, Reputation: 0, Joined: 29 May 2017, Posts: 11)
Posted: Thu Jun 01, 2017 5:53 am
Appreciate the help!