POC: Stealthed Kernelmode API hooking
Dark Byte (Site Admin)
Posted: Tue Mar 12, 2019 9:27 am    Post subject: POC: Stealthed Kernelmode API hooking

Here's an extension/example that will hook NtQuerySystemInformation and ZwQuerySystemInformation and keep a log of all the calls.

It will use DBVM (latest version) to hide the changes in kernelmode memory from PatchGuard. There is an option to run without DBVM, but you will BSOD within a few hours (but it might be enough to get the data you need anyhow).

This extension adds a new generateAPIHookScriptK function to deal with the >2GB detour, but I guess you can also apply it to your own situation in case the preferred base fails (change kalloc to alloc then).

The kinfo.sys driver (source included) gets manually mapped by CE using the loadModule function (it can map .sys files, as long as it only imports ntoskrnl.exe and hal.dll exports, so the project has some modified parameters here and there)

The internal log can be 64 MB, so if you close CE and then unload the driver it will keep logging for a while (do write down the export addresses of kinfo.sys and register them back, and do a resume on the GUI, so don't erase the old log, which is its default behaviour).

Download: https://cheatengine.org/download/poc/kinfo.zip
extract to the base of your CE folder, overwriting the old vmdisk files

once loaded you'll have a "proof-of-concept" menu item left of the help menu item



[Attachment: kinfo.png, screenshot of it working]



_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
nb81 (Cheater)
Posted: Wed Jul 03, 2019 8:06 am

This is pretty neat! Does loadModule use DBVM to map the new driver?
Dark Byte (Site Admin)
Posted: Wed Jul 03, 2019 9:03 am

If DBK is loaded it uses that, but it can fall back on using DBVM to map the new driver if dbk64 isn't loaded/responding (though that requires Windows 7 and older. It's not updated for Win10).
nb81 (Cheater)
Posted: Thu Jul 04, 2019 12:07 am

Did a quick test, it doesn't seem to be working. The DBVM image provided in this thread BSODs every single time; your latest one (version 13 in vmdisk07032019.zip) doesn't BSOD, but the extension doesn't log calls either. The Lua code runs without problems, and the last log message is cloaking (tried it with and without cloaking, same thing happens).
Dark Byte (Site Admin)
Posted: Thu Jul 04, 2019 12:47 am

I figured. I haven't tested the new cloaking implementation yet.

Not sure about the BSOD in the older version (are you running it on actual hardware or in a VM? And what is the BSOD message?)

nb81 (Cheater)
Posted: Thu Jul 04, 2019 1:25 am

Actually there was no BSOD screen just a system hang (looping sound, typically happens before BSOD but it didn't come) and I had to restart the machine (which is a physical machine btw).

Also, I don't think it's the cloaking, as I tried commenting out the calls to cloak() in the Lua file but it still didn't work.

Checked kernel memory at NtQuerySystemInformation; it seems like the jmp is written (it jumps to r8 before a few nops, and r8 is loaded from some address that references CE's address space (there's a reference to the process exe)). Idk if this is how it should look after your byte-patch.

I'm suspecting an issue with kinfo.sys of some sort as I wasn't able to catch DbgPrints from it (but again, I'm not even sure if these 'hacked' driverless drivers support DbgPrint, also I just reinstalled my PC so I might have to configure DbgView properly to catch kernel-mode messages).

Messages I see in the Lua engine are:
Code:

Rewriting [address of NtQSI]
Rewriting [address of ZwQSI]

and that's it.
Dark Byte (Site Admin)
Posted: Thu Jul 04, 2019 1:54 am

DbgPrint works on them, but DbgView can be tricky. It will work one time after a reboot (not shutdown and back on, as the old driver will be in memory then).
After that you may have to rename the dbgv.sys file in system32 so it can extract the new file (and don't forget to run as admin).

The jmp will show if the memory is shown by CE's disassembler (green bytes).
But if you use a second CE that hasn't been told about it, it should show as no jmp.

The freeze with no BSOD means DBVM encountered a situation it doesn't know how to handle (right now mainly other VMs running, or if the system was supposed to spontaneously reboot).

I can reproduce with the latest DBVM, so I'll go check what happens (exception in vmcall handler).

nb81 (Cheater)
Posted: Thu Jul 04, 2019 2:41 am

What do you mean by 'reboot'? How can I perform a clean reboot so memory gets properly cleared (of DBVM, the DbgView driver and also dbk64, as I've seen sometimes it doesn't get unloaded)? And is there a less messy way of catching DbgPrint?

What did you manage to reproduce? The 'random' BSOD or the failure of this extension? Please note that I don't use cloaking at all (for some reason a security driver on my home PC catches it; idk if paging in cr0 is disabled while cloaking is on, if so that's the reason), so I don't see those green bytes, but that shouldn't be a problem as the few-hours PatchGuard window would be enough for me to check some calls.

btw, thanks a lot for your continuous support (y)
Dark Byte (Site Admin)
Posted: Thu Jul 04, 2019 3:14 am

Windows 10 by default has fastboot on, which means when you shut down it saves the kernel to disk, so when you turn it back on it loads that, including all the drivers.

DbgView has a bug where once it has extracted its driver to system32 it can't overwrite it anymore the second time because Windows uses it, which is why you either have to rename it, or unload the old driver (reboot is easiest at times).

As for reproducing, I meant the DBVM part (ept_reset was working with a nil pointer).
I haven't looked at the no-DBVM run yet (but when I did try it a few months ago it did work).

Edit: I just tested it without DBVM and it works for me (Without editing the script)
First question to load DBVM: No
Second question to ask if you're sure: Yes

I do notice that the second time the "Stop logging" button is gone.
Dark Byte (Site Admin)
Posted: Thu Jul 04, 2019 3:28 am

https://cheatengine.org/download/vmdisk07042019.zip for a version that works on my test systems (of course, no security programs running on there and obviously not a single thing that uses Hyper-V).
nb81 (Cheater)
Posted: Thu Jul 04, 2019 5:27 am

Thank you.

I've tried running it, but this security driver keeps nagging me about it. I tried to debug it, but apparently HideThreadFromDebugger counters DBVM-powered kernelmode debugging too? Is there any way around that?

Anyways, I'll put up a new system this evening and try it there.
Dark Byte (Site Admin)
Posted: Thu Jul 04, 2019 5:45 am

No, HideFromDebugger doesn't block it; once globaldebug has started it won't stop. It will be in every thread running on the CPU core that gets the GD flag set.
But if you have Spectre protection, the CR3 value in usermode non-admin targets will be different than in kernelmode, and CE gets the kernelmode CR3. You can disable Spectre protection by clicking "Make possible" in the kernelmode debug settings and doing a reboot (though I think you already did that, else you'd have BSOD'd when the interrupt handler gets called from the cut-down usermode pagetable).


But perhaps you are inside a virtual machine already and the thread you're interested in is in another system (I've seen some people with systems where the virtualization protection scheme in Windows 10 was enabled, which makes processes not even see each other).
nb81 (Cheater)
Posted: Thu Jul 04, 2019 1:34 pm

Got rid of that security driver; now I was able to get a DbgPrint out of kinfo.sys (Entrypoint was called) but nothing else, hooks don't seem to work.

This is how NtQuerySystemInformation looks (cloaking is enabled now).

After pressing 'Stop logging' the original bytes don't get restored either.
edit: Actually these are the original bytes lol (idk why there's a reference to CE), perhaps the hook doesn't get written? Screenshot is from the main CE instance, so I should be able to see the real memory there.
update: it's actually autoAssemble that seems to be failing
Dark Byte (Site Admin)
Posted: Thu Jul 04, 2019 2:28 pm

Hmm, I have been testing on my test system with an older ce.exe build and the new driver (no sigcheck). Perhaps something broke in the assembler in a newer build, or I updated the driver to support something that broke in a new Windows build (e.g. ExAllocatePoolEx was failing in the latest Win10 build but I fixed it here).

I'll have to test if it's the assembler.

Try this script:
Code:

kalloc(xxx,4096)
registersymbol(xxx)

and see if it actually allocated that memory.

Last edited by Dark Byte on Thu Jul 04, 2019 2:33 pm; edited 1 time in total
nb81 (Cheater)
Posted: Thu Jul 04, 2019 2:33 pm

Downloaded the released 6.8.2, works well there, however not with a self-built master HEAD. Also, on the self-compiled version (I haven't touched any Lua functionality) it seems like this extension's script runs into recodeIfNeeded and rewriting happens; this is not the case with the released version (relevant code:
Code:

  local rrs=createRipRelativeScanner(d.address, d.address+#d.bytes, true)
  local hasrra=rrs.Count>0
  rrs.destroy()

  if (not hasrra) and (d.isConditionalJump==false) then return d.opcode.." "..d.parameters end

The released version returns here and works; the self-compiled master doesn't and proceeds to rewrite.

update: your script works fine, allocates memory and lets me inspect it in kernel address space
All times are GMT - 6 Hours
Page 1 of 2