Cheat Engine

cziter15 · Newbie cheater Reputation: 0 Joined: 24 May 2009 Posts: 10

Hi,

I'm wondering how to safely patch kernel routines like ZwOpenProcess, ZwQuerySystemInformation. I know, first 5 bytes can be changed by writing to them directly:

atom0s · Posted: Fri May 06, 2011 3:14 pm Post subject:

You are altering something that isn't supposed to be tampered with. There is no 'correct' way to do it. The most you can do is extensive error checking to prevent invalid data from being written to help prevent crashing. But ultimately there is no correct way to do it as its not meant to be done.

Innovation · Posted: Fri May 06, 2011 3:32 pm Post subject:

To add onto Wiccan's post, Microsoft imposed Kernel Patch Protection for a reason. It simply becomes too difficult to manage when companies such as Symantec rely on internals that may change in future versions. "[The kernel's] stability is critical to the stability of your system." Nothing about patching the kernel is "safe." While it is still possible to bypass such restrictions, it is recommended that you don't.

Kernel Patch Protection: Frequently Asked Questions

Dark Byte · Posted: Fri May 06, 2011 4:06 pm Post subject:

The only "correct" method of hooking certain stuff is getting yourself a class 3 business certificate ,sign your driver and use the ObRegisterCallbacks api

That way you can decide if a handle to your process is allowed to be created or not

cziter15 · Newbie cheater Reputation: 0 Joined: 24 May 2009 Posts: 10

ObCallbacks are not sufficient for me. I want to provide my solution for older operating systems, like Windows 2000, XP. ObCallbacks are not implemented there.

Dark Byte · Posted: Sat May 07, 2011 8:37 am Post subject:

Then just patch the kernel using the official method that was designed back then(as official as possible that is)

Most hookable functions start with at least 5 unused bytes in front and starts with a mov edi,edi

write a "jmp specific address" in the 5 unused bytes before the function and then change the mov edi,edi into jmp eip-7 (eb f9)

this is the safest method of hooking such a function with the least chance of replacing the first instruction with a half working instruction (And if you write those two bytes in a word format at once 0% chance)

cziter15 · Newbie cheater Reputation: 0 Joined: 24 May 2009 Posts: 10

Good idea, thanks. But, I heard, sometimes kernel pages are not mapped and writing to nonpaged memory can result BSOD. Is it true ? What to do with this ?

Dark Byte · Posted: Tue May 10, 2011 4:13 am Post subject:

Then just crash.

Really, if non-paged code has been paged out then there is some serious problem with windows or the hardware you're on. Non-paged memory is specifically there so it never gets paged out, not even when low on memory.

The kernel resides in non-paged memory which means that the functions you may want to hook are present 100% of the time, and if for some reason the code does not reside in non-paged memory and has been paged out then there still will be no bsod because the access will cause windows to page that code back into memory.

In short, don't worry