Cheat Engine The Official Site of Cheat Engine
fjfc (Advanced Cheater)
Reputation: 0
Joined: 21 Sep 2006, Posts: 91
Posted: Wed Feb 17, 2010 2:23 pm
Post subject: [Help DB] SDT Hook on W-Seven x64
DB, can you please give me an example on how to do it?
I used to do it easily on x32-based systems... but I have no idea how to do it on x64 ones...
I used to do it like this on XP x32.
To unlock the protection:

    cli                          ; disable interrupts while WP is off
    mov eax, cr0
    mov _cr0, eax                ; keep the original CR0 so it can be restored afterwards
    and eax, 0fffeffffh          ; clear bit 16 (WP): read-only kernel pages become writable
    mov cr0, eax

And to put my hooks in I used to declare:

    PSERVICE_DESCRIPTOR_TABLE pSDT;

then:

    ; replace API with NewAPI
    mov ecx, DWORD PTR [API]     ; ecx = address of the Zw* stub for API
    mov edx, [ecx+1]             ; service index sits at stub+1 (right after the "mov eax, imm32" opcode)
    mov eax, DWORD PTR [pSDT]    ; eax = KeServiceDescriptorTable
    mov esi, [eax]               ; esi = ServiceTableBase (array of absolute handler addresses on x86)
    mov edx, [esi+edx*4]         ; edx = current handler for that index
    mov DWORD PTR [OldAPI], edx  ; save it so NewAPI can call the original
    mov ecx, [ecx+1]             ; reload the service index
    mov eax, [eax]               ; eax = ServiceTableBase
    mov dword ptr [eax+ecx*4], offset NewAPI   ; overwrite the table entry

Can you shed some light on my way and tell me if I can do that on x64-based systems? (Using an example if yes, please.) Thanks.
fjfc (Advanced Cheater)
Reputation: 0
Joined: 21 Sep 2006, Posts: 91
Posted: Thu Feb 18, 2010 10:32 pm
up
rapion124 (Grandmaster Cheater Supreme)
Reputation: 0
Joined: 25 Mar 2007, Posts: 1095
Posted: Sun Feb 28, 2010 1:47 pm
You can't do SDT hooks on Windows Vista or 7 because of PatchGuard. Even if you manage to load your unsigned driver, PatchGuard will cause a hard reboot if you mess with the IDT, SDT, etc.
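The check PatchGuard (and any anti-rootkit tool) performs on the service table is the defender-side counterpart of what the thread is about: every entry must resolve to a routine inside the ntoskrnl image. The Python below is an added example and not code from this thread, from Cheat Engine or from DBVM. It runs the check over a constructed snapshot: the kernel base, image size, table address and entry values are all made up for the example; only the entry encodings are real (x86 tables hold absolute pointers; x64 tables hold 32-bit signed offsets from the table base shifted left by 4, with the low nibble holding the stack-argument count, which is why the x64 dispatcher does `movsxd`, `sar 4`, `add base`).

```python
# Added example: an SSDT integrity check run over a constructed snapshot.
# Not code from the thread, Cheat Engine or DBVM. Addresses and table
# contents are made up; only the entry encodings are real:
#   x86: each entry is the absolute address of the service routine
#   x64: each entry is a 32-bit signed offset from the table base, shifted
#        left by 4, low 4 bits = stack-argument count
#        (ntoskrnl decodes it as: base + (movsxd(entry) >> 4)).

# Constructed kernel-image layout and table location (assumed values).
NTOSKRNL_BASE = 0xFFFFF80002A00000
NTOSKRNL_SIZE = 0x00600000
KISERVICETABLE = NTOSKRNL_BASE + 0x1A0000   # assumed address of KiServiceTable


def encode_x64_entry(table_base, target, arg_count):
    """Build a raw x64 table entry for `target` (used only to construct the
    sample snapshot; the offset must fit the 28-bit signed field)."""
    offset = target - table_base
    if not -(1 << 27) <= offset < (1 << 27):
        raise ValueError("target out of range for a 32-bit shifted offset")
    return ((offset << 4) | (arg_count & 0xF)) & 0xFFFFFFFF


def decode_x64_entry(table_base, raw):
    """Return (routine address, stack-argument count) for a raw x64 entry."""
    signed = raw - (1 << 32) if raw & 0x80000000 else raw
    return table_base + (signed >> 4), raw & 0xF


def decode_x86_entry(table_base, raw):
    """x86 entries are plain absolute pointers; no argument count is stored."""
    return raw, None


def check_table(entries, table_base, image_base, image_size, decoder=decode_x64_entry):
    """Return [(index, resolved address)] for every entry whose routine does
    not lie inside the kernel image [image_base, image_base + image_size).
    A clean table yields an empty list; a hooked entry points elsewhere."""
    suspicious = []
    for index, raw in enumerate(entries):
        address, _ = decoder(table_base, raw)
        if not image_base <= address < image_base + image_size:
            suspicious.append((index, address))
    return suspicious


# Constructed x64 snapshot: two entries inside ntoskrnl, one redirected to an
# address just past the image (where a third-party driver might be mapped).
HOOK_TARGET_X64 = NTOSKRNL_BASE + NTOSKRNL_SIZE + 0x10000
SAMPLE_X64 = [
    encode_x64_entry(KISERVICETABLE, NTOSKRNL_BASE + 0x1000, 2),
    encode_x64_entry(KISERVICETABLE, NTOSKRNL_BASE + 0x2340, 0),
    encode_x64_entry(KISERVICETABLE, HOOK_TARGET_X64, 4),
]

# Constructed x86 snapshot (absolute pointers), same idea.
NTOSKRNL_BASE_X86 = 0x80400000
NTOSKRNL_SIZE_X86 = 0x00200000
SAMPLE_X86 = [0x80450000, 0x8046ABC0, 0xF7A01000]

if __name__ == "__main__":
    x64_hits = check_table(SAMPLE_X64, KISERVICETABLE, NTOSKRNL_BASE, NTOSKRNL_SIZE)
    x86_hits = check_table(SAMPLE_X86, 0, NTOSKRNL_BASE_X86, NTOSKRNL_SIZE_X86,
                           decode_x86_entry)
    print("x64 entries outside ntoskrnl:", [(i, hex(a)) for i, a in x64_hits])
    print("x86 entries outside ntoskrnl:", [(i, hex(a)) for i, a in x86_hits])
```

On a live system the snapshot would come from a kernel debugger or a driver reading KiServiceTable, and the image range from the loaded-module list; the decode logic and the range test stay the same. The x64 encoding also explains why the x86 routine in the first post cannot be ported by changing register widths: the table no longer contains pointers at all.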
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003, Posts: 25859, Location: The Netherlands
Posted: Sun Feb 28, 2010 8:09 pm
Yes, you can't edit the kernel unless you disable PatchGuard first.
At most I can tell you to launch DBVM and then ask that to hook the interrupts for you.
As for hooking the SDT, that's a bit more tricky. Perhaps the DBVM option to invisibly change the sysenter MSR can be of help here, but you will have to write your own low-level sysenter routine to dispatch all unused entries yourself, and it won't catch calls from ring0 unless they explicitly call sysenter themselves, which is a stupid thing to do from ring0 if they could just jump to it.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping