Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
RPM Hook Crashing CE

 
Cheat Engine Source -> Plugin development
DP_4819566
Posted: Sun Jul 26, 2020 12:04 pm    Post subject: RPM Hook Crashing CE

I have made a plugin to hook OpenProcess and ReadProcessMemory to use my own driver. When I use the hook in my own program using RPM, it works fine. However, when I use it as a CE plugin, CE crashes on RPM.

I have narrowed the problem down to know that CE will only crash when my driver's rpm is called (Driver::read_memory()).

Code:

static BOOL(WINAPI* TrueReadProcessMemory)
    (HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesRead) = ReadProcessMemory;

BOOL WINAPI InterceptReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID &lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesRead)
{
    uint64_t buffer;
    Driver::read_memory(curr_pid, (uint64_t)lpBaseAddress, (uint64_t)&buffer, nSize); // breaks the dll
    lpBuffer = (LPVOID)buffer;
    *lpNumberOfBytesRead = nSize;
    return 1;
}


Any ideas?
Dark Byte (Site Admin)
Posted: Sun Jul 26, 2020 1:17 pm

lpNumberOfBytesRead can be null

and nSize can be bigger than 8

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
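The contract Dark Byte is pointing at, written out as an added example (this is not code from the thread or from Cheat Engine). The Win32 typedefs are replaced by plain C stand-ins so it builds and runs outside Windows; driver_read(), curr_pid and the 64-byte fake target are constructed stand-ins for the poster's Driver::read_memory() and target process. The hook reads straight into the caller's buffer, which is already nSize bytes long, so there is no 8-byte temporary and no second copy to get wrong, and it tolerates a NULL lpNumberOfBytesRead.

```c
/* Added example, not from the thread: a ReadProcessMemory hook that honours
 * the API contract. Windows types are replaced by C stand-ins (assumption) and
 * driver_read() is a constructed stand-in for the poster's Driver::read_memory(). */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

typedef int32_t NTSTATUS;                        /* stand-in for the Windows typedef */
#define NT_SUCCESS(s) ((s) >= 0)
#define STATUS_SUCCESS          ((NTSTATUS)0)
#define STATUS_ACCESS_VIOLATION ((NTSTATUS)0xC0000005)  /* real NTSTATUS value */

/* Constructed "target process": 64 bytes mapped at a fake base address. */
#define TARGET_BASE 0x10000000ULL
static uint8_t g_target[64];
static void target_init(void) {
    for (size_t i = 0; i < sizeof g_target; i++) g_target[i] = (uint8_t)(i * 3);
}

static uint32_t curr_pid = 1234;                 /* constructed PID, as in the poster's code */

/* Stand-in for the driver read: copies from the fake target or fails. */
static NTSTATUS driver_read(uint32_t pid, uint64_t addr, void *out, size_t n) {
    (void)pid;
    if (addr < TARGET_BASE || addr + n > TARGET_BASE + sizeof g_target)
        return STATUS_ACCESS_VIOLATION;
    memcpy(out, g_target + (addr - TARGET_BASE), n);
    return STATUS_SUCCESS;
}

/* Same shape as ReadProcessMemory; the handle is unused because the driver works by PID. */
bool HookedReadProcessMemory(void *hProcess, const void *lpBaseAddress,
                             void *lpBuffer, size_t nSize, size_t *lpNumberOfBytesRead)
{
    (void)hProcess;
    if (lpNumberOfBytesRead) *lpNumberOfBytesRead = 0;   /* the caller may pass NULL */
    if (lpBuffer == NULL && nSize != 0) return false;

    /* lpBuffer is nSize bytes long: read the whole request directly into it. */
    NTSTATUS st = driver_read(curr_pid, (uint64_t)(uintptr_t)lpBaseAddress, lpBuffer, nSize);
    if (!NT_SUCCESS(st)) return false;               /* nothing reported as read on failure */

    if (lpNumberOfBytesRead) *lpNumberOfBytesRead = nSize;
    return true;
}

/* Reads 32 bytes and returns how many match the target: 32 when the hook is right,
   a copy of sizeof(LPVOID) bytes would only get the first 8 right. */
int demo_full_read(void) {
    uint8_t buf[32]; size_t got = 0;
    memset(buf, 0xEE, sizeof buf);
    if (!HookedReadProcessMemory(NULL, (const void *)(uintptr_t)(TARGET_BASE + 8),
                                 buf, sizeof buf, &got) || got != sizeof buf)
        return -1;
    int matched = 0;
    for (size_t i = 0; i < sizeof buf; i++) matched += (buf[i] == g_target[8 + i]);
    return matched;
}

/* CE (and other callers) may pass NULL for the byte count; this must not crash. */
bool demo_null_count_ptr(void) {
    uint8_t buf[4];
    return HookedReadProcessMemory(NULL, (const void *)(uintptr_t)TARGET_BASE, buf, sizeof buf, NULL);
}

/* A read running past the mapped range must fail cleanly with 0 bytes reported. */
bool demo_out_of_range_rejected(void) {
    uint8_t buf[16]; size_t got = 99;
    bool r = HookedReadProcessMemory(NULL, (const void *)(uintptr_t)(TARGET_BASE + 56),
                                     buf, sizeof buf, &got);
    return r == false && got == 0;
}

int main(void) {
    target_init();
    printf("full read matched %d/32 bytes\n", demo_full_read());
    printf("NULL count pointer tolerated: %s\n", demo_null_count_ptr() ? "yes" : "no");
    printf("out-of-range read rejected: %s\n", demo_out_of_range_rejected() ? "yes" : "no");
    return 0;
}
```

Reading into lpBuffer directly also removes the heap allocation per call that a temporary buffer would need, which matters when the scanner issues millions of reads.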
DP_4819566
Posted: Sun Jul 26, 2020 6:16 pm

Dark Byte wrote:
lpNumberOfBytesRead can be null

and nSize can be bigger than 8


Seems like fixing the nSize issue fixed my problem. My Cheat Engine no longer crashes and I can read memory correctly. Thanks!

I'm having another issue that I can't figure out. When I have my plugin loaded, nothing comes up in the scans. Even when I know that a certain value exists and my RPM works correctly when entering an address manually.

Here is my updated code.

Code:

BOOL WINAPI InterceptReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesRead)
{
    // Temporary buffer of nSize bytes for the driver to fill.
    BYTE* buffer = new BYTE[nSize];
    memset(buffer, 0, nSize);
    NTSTATUS status = Driver::read_memory(curr_pid, (uint64_t)lpBaseAddress, (uint64_t)&buffer[0], nSize);
    BOOL ok = FALSE;
    if (NT_SUCCESS(status)) {
        // Copies sizeof(LPVOID) bytes into the caller's buffer, not nSize (see the replies below).
        memcpy(lpBuffer, buffer, sizeof(LPVOID));
        if (lpNumberOfBytesRead != NULL) {
            *lpNumberOfBytesRead = nSize;
        }
        ok = TRUE;
    }
    delete[] buffer; // release the temporary buffer on every path
    return ok;
}
Dark Byte (Site Admin)
Posted: Mon Jul 27, 2020 1:06 am

that is because
Code:

memcpy(lpBuffer, buffer, sizeof(LPVOID));

only copies 8 bytes, as an LPVOID is 8 bytes long

DP_4819566
Posted: Mon Jul 27, 2020 11:10 am

Dark Byte wrote:
that is because
Code:

memcpy(lpBuffer, buffer, sizeof(LPVOID));

only copies 8 bytes, as an LPVOID is 8 bytes long


This should be correct though right? I am just swapping the address of the passed variable with the address of the buffer. Which would both be only 8 bytes long.
Dark Byte (Site Admin)
Posted: Mon Jul 27, 2020 12:37 pm

no, lpBuffer points to a block of memory that is nSize bytes long
buffer is also a block of memory that is nSize bytes long (the new BYTE[nSize]; does that )

Driver::read_memory reads nsize bytes into buffer


yet, you just do a memcpy(lpBuffer, buffer, 8); which means you only copy 8 bytes from the block that buffer points to into the memory block that lpBuffer points to

DP_4819566
Posted: Mon Jul 27, 2020 1:55 pm

Dark Byte wrote:
no, lpBuffer points to a block of memory that is nSize bytes long
buffer is also a block of memory that is nSize bytes long (the new BYTE[nSize]; does that )

Driver::read_memory reads nsize bytes into buffer


yet, you just do a memcpy(lpBuffer, buffer, 8); which means you only copy 8 bytes from the block that buffer points to into the memory block that lpBuffer points to


Still isn't working unless OpenProcess returns a valid handle to the target process. Are you aware of any other function I should be hooking within CE in order for search to work other than RPM and OpenProcess?
Dark Byte (Site Admin)
Posted: Mon Jul 27, 2020 2:08 pm

VirtualQueryEx
DP_4819566
Posted: Mon Aug 03, 2020 7:32 pm

Dark Byte wrote:
VirtualQueryEx


What would be a kernel-mode replacement for this function? I have seen suggestions for ZwQueryVirtualMemory, but this function requires a handle to the process, which is what I am trying to avoid.
Dark Byte (Site Admin)
Posted: Mon Aug 03, 2020 11:42 pm

look at the pagetable

See CE's driver sourcecode on how it's done (it works without handles)
