Cheat Engine The Official Site of Cheat Engine
cziter15 (Newbie cheater, Reputation: 0, Joined: 24 May 2009, Posts: 10)
Posted: Mon Mar 22, 2010 1:45 pm    Post subject: Hooking under 64-bit
Hello,
I have a small problem with hooking KeAttachProcess under the 64-bit version of Windows. I have disabled PatchGuard successfully but...
Probably there's a problem with my opcodes. I think they are wrong, but I don't have any kernel memory editor (CE doesn't work well on x64: it can't handle 64-bit asm and 64-bit addresses).
My hook function:
Code:
//NewKeAttachProcess: replacement that simply forwards to the saved original
NTSTATUS NewKeAttachProcess(PEPROCESS proc)
{
    return OldKeAttachProcess(proc);
}
My DetourFunc:
Code:
void *DetourProc(char *src, const char *dst, const int len, char* space)
{
    char *jmp = (char*)space;
    RtlCopyMemory(jmp, src, len); jmp += len;   // save the first len bytes of src into space
    jmp = space;                                // ...then start writing at the beginning of space again
    // push rax ; mov rax, dst ; jmp rax  (13 bytes), written over the bytes just copied
    jmp[0] = 0x50;
    jmp[1] = 0x48;
    jmp[2] = 0xb8;
    *((ULONGLONG*)(jmp + 3)) = (ULONGLONG)dst;
    jmp[11] = 0xff;
    jmp[12] = 0xe0;
    // same 13-byte stub, written into src at offset 15 and pointing at src+len
    jmp = src+15;
    jmp[0] = 0x50;
    jmp[1] = 0x48;
    jmp[2] = 0xb8;
    *((ULONGLONG*)(jmp + 3)) = (ULONGLONG)src+len;
    jmp[11] = 0xff;
    jmp[12] = 0xe0;
    return (jmp-len);                           // src+15-len, i.e. src when len == 15
}
DetourFunc call:
Code:
DbgPrint("Hooking KeAttachProcess...");
DbgPrint("Addr %x, Bytes %x", KeAttachProcess, (int*)KeAttachProcess);
_disable();                                     // disable interrupts
__writecr0(__readcr0() & (~(0x10000)));         // clear CR0.WP so read-only kernel code pages can be written
//Hook keattach
OldKeAttachProcess =
    (KEATTACHPROCESS)DetourKeAttacchProc(
        (char*)KeAttachProcess,(char*)NewKeAttachProcess,15,(char*)KeAttachProcess_detour_tmp);
__writecr0(__readcr0() ^ 0x10000);              // restore CR0.WP
_enable();                                      // re-enable interrupts
KeAttachProcess_detour_tmp is a char[100] where I'm storing the original bytes.
When I'm hooking, everything is OK. But when I try to call KeAttachProcess for testing purposes, the BSOD appears.
Please help me.
Thanks,
cziter15
Dark Byte (Site Admin, Reputation: 471, Joined: 09 May 2003, Posts: 25814, Location: The netherlands)
Posted: Mon Mar 22, 2010 6:01 pm    Post subject:
What is the BSOD you get? And try loading your crash dump into WinDbg to see what went wrong.
Anyhow,
your hook code:
Code:
push rax
mov rax,dst
jmp rax
So, the obvious first question is: does the function dst (or src+len) start with a pop rax (0x58) to restore the stack?
Also, are you sure you aren't causing incomplete instructions (e.g. overwriting an instruction that starts before the end of the jmp and ends a few bytes after it)?
I'm still working on my understanding of x64 assembler, so this might be wrong, but I believe the 48 ff 25 00 00 00 00 <address> sequence might work here:
jmp [eip+0] with the address directly after it. But I'm not 100% clear on the eip-based addressing in 64-bit yet (does it start from the beginning of the current instruction or the beginning of the next instruction?).
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so I can keep helping
cziter15 (Newbie cheater, Reputation: 0, Joined: 24 May 2009, Posts: 10)
Posted: Tue Mar 23, 2010 6:28 am    Post subject:
I just found another way. I don't need to patch the kernel.
Anyway, thank you for your reply, DB.
- Chris