NoMercy (Master Cheater)
Reputation: 1
Joined: 09 Feb 2009, Posts: 289
Posted: Mon Jun 13, 2011 2:38 am, Post subject: Memory regions in kernel
Hello,
What I'm trying to do is read the memory of a certain game. The anti-hack system hooks all RPM/WPM and things in the kernel. So what I basically want to do is read physical memory. I knew it was in the CE source, so I took a look there.
What I don't understand is the GetMemoryRegion() function. In user mode it's VirtualQuery, but there? It's numbers, variables. I can't make my way through it. Is this the only way, or are there easier ways?
I would need to do this, right? I can't read a non-existing virtual address in physical memory, right? Or is that not even needed?
I've got a smaller question, nothing to do with the above, but the anti-hack system starts a driver etc. I thought: what if I make all handles 0 for the driver, so it has no scanning anymore? Would this be possible? Or is it easier if you just completely destroy the driver? Side note: the driver does not get called when in 64-bit; make the program think it's in 64-bit?
Thanks for reading,
NM
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003, Posts: 25788, Location: The Netherlands
Posted: Mon Jun 13, 2011 6:50 am
http://www.intel.com/Assets/PDF/manual/325384.pdf
chapter 4
It describes the paging system (Windows has the pages linearly mapped starting at 0xc0000000).
(And you should see the virtual pagedir plugin for CE, which does something similar.)
There are of course easier ways, but they are also easier to block.
As for making all handles 0 (or -1): it works sometimes (especially combined with faking that it's running on 64-bit), but it might just as well cause the usermode program to self-destruct because it can't launch the driver.
Hooking the control commands sent to the driver sometimes works, but that can also be blocked if a sequential encryption is used.
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping
Last edited by Dark Byte on Mon Jun 13, 2011 8:55 am; edited 1 time in total
NoMercy (Master Cheater)
Reputation: 1
Joined: 09 Feb 2009, Posts: 289
Posted: Mon Jun 13, 2011 8:11 am
Figure 3.1.
The far pointer is my address. Let's take, for example, 0x00400000. The pages start at 0xc0000000, so the offset is 0xc0000000 - 0x00400000?
EDIT: I've read this
Quote:
Memory with "small" physical addresses (first 1G minus some reserved space) is mapped directly to kernel virtual addresses, and thus is directly accessible by kernel code without additional mappings.
Memory above that has to be manually mapped.
Memory above 4G (on a 32-bit system) can't be directly accessed with 32-bit addresses, and thus has to be mapped using PAE (http://en.wikipedia.org/wiki/Physical_Address_Extension).
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003, Posts: 25788, Location: The Netherlands
Posted: Mon Jun 13, 2011 8:45 am
Oops, I meant chapter 4 in that PDF.
(Assuming your system uses PAE paging: systems with no-execute support or more than 4GB RAM.)
The pagetable entry describing 0x00400000 is at:
0xc0000000 + (0x00400 * 8 = 0x2000) = 0xc0002000
The pagedir entry describing the pagetable:
0xc0000000 + (0xc0002 * 8 = 0x600010) = 0xc0600010
The pagedirptr entry describing the pagedir:
0xc0000000 + (0xc0600 * 8 = 0x603000) = 0xc0603000
First check the pagedirptr entry to see if the pagedir is present, then check the pagedir entry to see if the pagetable is present, and then check the page table entry to see if the page is present.
If non-PAE mode is used, then multiply by 4 instead, and there is no pagedir ptr table to check.
More info:
http://wiki.cheatengine.org/index.php?title=Windows_internals
Often used code and data will usually not be paged out, but if you do need some code or data that is never accessed it will be a bit more tricky (but reserved bits can help, and obviously it's not likely they contain anything you need).
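The self-map arithmetic from the post above, worked through in code. This is an added example, not Cheat Engine's code nor Dark Byte's: it computes the PTE, PDE and PDPTE addresses for a virtual address with either entry size (8 for PAE, 4 without), then walks them top-down, stopping at the first level that is absent or not present. PAGE_BASE is the 0xc0000000 from the thread; the in-memory table and its entry values are constructed for the demonstration.

```c
#include <stdint.h>
/* 32-bit Windows self-maps its paging structures at 0xC0000000 (per the
   thread); bit 0 of every PDPTE/PDE/PTE is the present bit. */
#define PAGE_BASE     0xC0000000u
#define ENTRY_PRESENT 0x1u

/* Address of the self-mapped entry describing the 4K page containing
   `addr`. entry_size is 8 with PAE, 4 without. Feeding the result back in
   climbs one level: PTE -> PDE -> PDPTE. */
static uint32_t self_map_entry(uint32_t addr, uint32_t entry_size)
{
    return PAGE_BASE + (addr >> 12) * entry_size;
}

/* Reads one entry; returns 0 when that address is itself unmapped. */
typedef int (*read_entry_fn)(uint32_t entry_addr, uint64_t *out);

/* Top-down walk as the thread describes: PDPTE (PAE only), then PDE, then
   PTE, stopping at the first level that is unmapped or not present.
   Returns how many levels were present; the page is mapped when that is
   3 (PAE) or 2 (non-PAE). */
static int levels_present(uint32_t va, int pae, read_entry_fn rd)
{
    uint32_t sz = pae ? 8u : 4u, chain[3], pte, pde;
    int n = 0, i;
    pte = self_map_entry(va, sz);
    pde = self_map_entry(pte, sz);
    if (pae) chain[n++] = self_map_entry(pde, sz);
    chain[n++] = pde;
    chain[n++] = pte;
    for (i = 0; i < n; i++) {
        uint64_t e;
        if (!rd(chain[i], &e) || !(e & ENTRY_PRESENT)) return i;
    }
    return n;
}

/* Constructed sample "memory": only the three PAE entries for 0x00400000
   exist (values made up, present bit set); every other entry address, e.g.
   the PDE for 0x00800000 or any non-PAE entry, reads as unmapped. */
struct fake_entry { uint32_t addr; uint64_t val; };
static const struct fake_entry fake_mem[] = {
    { 0xC0603000u, 0x0000000001A00001ULL }, /* PDPTE = 0xC0000000 + 0xC0600*8 */
    { 0xC0600010u, 0x0000000001A01063ULL }, /* PDE   = 0xC0000000 + 0xC0002*8 */
    { 0xC0002000u, 0x0000000001A02063ULL }, /* PTE   = 0xC0000000 + 0x400*8   */
};
static int fake_read(uint32_t addr, uint64_t *out)
{
    unsigned i;
    for (i = 0; i < sizeof fake_mem / sizeof fake_mem[0]; i++)
        if (fake_mem[i].addr == addr) { *out = fake_mem[i].val; return 1; }
    return 0;
}
```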
NoMercy (Master Cheater)
Reputation: 1
Joined: 09 Feb 2009, Posts: 289
Posted: Mon Jun 13, 2011 9:37 am
Ok, thanks a lot. After I'd read lots of things, I came up with the start of my own function, with some things from the CE source.
Code:
#include <ntddk.h>   // kernel-mode types and APIs (DWORD/UINT_PTR come from the CE driver headers)

struct PTEStruct;    // page table entry layout, taken from the CE source

NTSTATUS GetMemRegion(DWORD PID, DWORD Address, ULONG *RegionType, UINT_PTR *RegionSize, UINT_PTR *BaseAddress)
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    /* declare some variables */
    DWORD PageBase = 0xc0000000;          // self-mapped page tables on 32-bit Windows
    DWORD PTESize = 8;                    // 8 with PAE paging, 4 without (see the previous post)
    UINT_PTR MAX_PTE_POS = PageBase + 0x100000 * PTESize; // one past the entry of the last of the 2^20 pages (assumed)
    PEPROCESS selectedprocess = 0;
    struct PTEStruct *PPTE, *PPDE, *PPDPE, *PPML4E;
    // found these, looks logical compared to what I've read about physical memory.
    if (!NT_SUCCESS(PsLookupProcessByProcessId((PVOID)(UINT_PTR)PID, &selectedprocess)))
        return STATUS_INVALID_PARAMETER;  // was "return FALSE", which equals STATUS_SUCCESS
    *BaseAddress = Address & (UINT_PTR)(~0xfff); // this is the line you have, but I don't understand how you can know the base address like this?
    *RegionSize = 0;
    *RegionType = 0;
    // well here starts hell
    __try
    {
        KeAttachProcess((PEPROCESS)selectedprocess); // I understand
        __try
        {
            PPTE = (struct PTEStruct *)(((*BaseAddress & 0xFFFFFFFFFFFFULL) >> 12) * PTESize + PageBase); // this is what your previous post was about, but why the 0xfff? that's 64-bit, right? ULL?
            while ((UINT_PTR)PPTE < MAX_PTE_POS) // max_PTE_POS
            {
                PPDE = (struct PTEStruct *)(((((UINT_PTR)PPTE) & 0xFFFFFFFFFFFFULL) >> 12) * PTESize + PageBase); // same as above and as next
                if (PTESize == 8)
                    PPDPE = (struct PTEStruct *)(((((UINT_PTR)PPDE) & 0xFFFFFFFFFFFFULL) >> 12) * PTESize + PageBase); // pagedir pointer entry
                break; // the post stops here; the rest of the walk is not written yet
            }
        }
        __except(1)
        {
            ntStatus = STATUS_UNSUCCESSFUL; // a paging entry was not readable
        }
    }
    __finally
    {
        KeDetachProcess();                    // undo KeAttachProcess
        ObDereferenceObject(selectedprocess); // PsLookupProcessByProcessId took a reference
    }
    return ntStatus;
}
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003, Posts: 25788, Location: The Netherlands
Posted: Mon Jun 13, 2011 9:46 am
Code:
*BaseAddress = Address & (UINT_PTR)(~0xfff); // this is the line you have, but I don't understand how you can know the base address like this?

This just sets the first 12 bits to 0 so it becomes aligned on a page boundary (the base address contains the first byte of the page). It's mainly for VirtualQueryEx emulation, so it can fill in the base address, which is on a page boundary.
Code:
PPTE = (struct PTEStruct *)(((*BaseAddress & 0xFFFFFFFFFFFFULL) >> 12) * PTESize + PageBase); // this is what your previous post was about, but why the 0xfff? that's 64-bit, right? ULL?

The & 0xFFFFFFFFFFFFULL strips the sign-extended bits from the address (a 64-bit-only requirement, since the max is 52-bit).
ULL is to tell the compiler that it's really 0xFFFFFFFFFFFF and not 0xFFFFFFFF with a typo, so it won't 'fix' it, causing completely wrong results.
NoMercy (Master Cheater)
Reputation: 1
Joined: 09 Feb 2009, Posts: 289
Posted: Mon Jun 13, 2011 10:33 am
Omg, thanks so much. I finally understand it. Reading for 3/4 hours and I 100% understand it, thanks. Needed to relearn some bitwise things etc. But basically it starts at the beginning and it goes on and on till the end has been reached: MAX_PTE_POS. I've no idea what that value is. Something I have to accept instead of asking why? Page dir formulas etc.
Anyways, lovely. Now let's read some physical memory :)
Btw, why do you also write down the values? If you scan for a value, you already know it, right (except for AOB)? And how do you write addresses to a file? Sometimes it's 400 and sometimes 4000; I'll have to make it 8 bits long, so x << 8. Something like that?
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003, Posts: 25788, Location: The Netherlands
Posted: Mon Jun 13, 2011 10:41 am
For unknown initial values, range values, and floating point values (1 is the same as 1.000000000000001 and 0.99999999999999999999).
And for saved scans (e.g. same as scan 3, or same as scan 4).
And I write down addresses using the pointer size (4 bytes/8 bytes depending on the version).
That way it's predictable where to seek the file pointer to when displaying the addresses at specific positions when scrolling (it's of course insane to actually write all addresses to a listbox).
NoMercy (Master Cheater)
Reputation: 1
Joined: 09 Feb 2009, Posts: 289
Posted: Mon Jun 13, 2011 10:53 am
Code:
VOID UnknownInitialValueScan(IN PVOID StartContext)
{

    __try
    {
        __try
        {
            //this is an unknown initial value scan.



        }
        __finally
        {
            CurrentScan.scanning=FALSE;
            CurrentScan.ThreadActive=FALSE;
            PsTerminateSystemThread(STATUS_SUCCESS);
        }
    }
    __except(1)
    {
        //nothing, just go on...

    }
}
Something is missing there?
Pointer size, you mean like base.exe + address = ... and write the address down?
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003, Posts: 25788, Location: The Netherlands
Posted: Mon Jun 13, 2011 11:56 am
No, just the address (base.exe will not change between scans).
With pointer size I mean that I write addresses to the file in either 4 or 8 bytes (obviously not as a string).
As for the routine, I suggest adding some events to signal another thread that the scan is finished.