Cheat Engine Forum (The Official Site of Cheat Engine)
reading kernel memory - a safe way?

Cheat Engine Forum Index -> General programming
whitepanda (Joined: 29 Nov 2011, Posts: 3)
Posted: Tue Nov 29, 2011 6:15 pm    Post subject: reading kernel memory - a safe way?

I'm using the code below to read through kernel memory in a safe manner (at least I thought).

On most drivers it works without problems; on some it bugchecks with PFN list corrupt as soon as I call MmUnlockPages(Model);

This issue was already referenced in this thread ->

hxxp://forum.cheatengine.org/viewtopic.php?t=351853&sid=bc8ae15a17963042e99e49ac944c8871

but there's no reasonable solution... just NOT calling MmUnlockPages, or accessing memory without locking it down and causing a page fault on paged memory, isn't an option in my opinion.

Maybe some of you guys are more familiar with device driver development and can take a look at my snippet.

thx

Code:

    // Reads Size bytes of kernel memory at address into lpOutBuffer by
    // locking the pages through an MDL. Returns STATUS_SUCCESS only when
    // the whole range was copied; *lpBytesWritten is 0 on every failure path.
    // (The user-mode LPVOID/DWORD typedefs are replaced by the kernel ones.)

    // MmIsAddressValid tests a single page, and only at the instant it is
    // called, so every page the range spans is checked here. It remains a
    // hint, not a guarantee: a page can still be paged out before
    // MmProbeAndLockPages runs.
    static BOOLEAN AllPagesValid(PVOID Va, ULONG Size)
    {
       ULONG Pages = ADDRESS_AND_SIZE_TO_SPAN_PAGES(Va, Size);
       ULONG i;
       for(i = 0; i < Pages; i++)
       {
          if(!MmIsAddressValid((PUCHAR)PAGE_ALIGN(Va) + i * PAGE_SIZE))
             return FALSE;
       }
       return TRUE;
    }

    NTSTATUS ReadKernelMemory(PVOID address, ULONG Size, PVOID lpOutBuffer, ULONG* lpBytesWritten)
    {
       NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;
       PMDL Model;
       PVOID Mapped;

       if(!address || !lpOutBuffer || !lpBytesWritten || Size == 0)
          return STATUS_INVALID_PARAMETER;
       *lpBytesWritten = 0;

       if(AllPagesValid(address, Size) && AllPagesValid(lpOutBuffer, Size))
       {
          Model = IoAllocateMdl(address, Size, FALSE, FALSE, NULL);
          if(Model)
          {
             __try
             {
                // Pins the pages so they cannot be paged out during the copy.
                MmProbeAndLockPages(Model, KernelMode, IoReadAccess);
             }
             __except(EXCEPTION_EXECUTE_HANDLER)
             {
                // The pages were never locked, so only the MDL is freed.
                IoFreeMdl(Model);
                return NtStatus;
             }

             // Map the locked pages into system space; for a source in
             // nonpaged pool this simply hands back the original address.
             Mapped = MmGetSystemAddressForMdlSafe(Model, NormalPagePriority);
             if(Mapped)
             {
                RtlCopyMemory(lpOutBuffer, Mapped, Size);
                *lpBytesWritten = Size;
                NtStatus = STATUS_SUCCESS;
             }

             // Unlock before freeing; this is the call that bugchecks on some targets.
             MmUnlockPages(Model);
             IoFreeMdl(Model);
          }
       }

       return NtStatus;
    }

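A host-side model of the validity check in the posted function, added here as an example (not code from the thread or from Cheat Engine): it reproduces the WDK's ADDRESS_AND_SIZE_TO_SPAN_PAGES arithmetic and contrasts testing only the page holding the first byte, as the snippet does, with testing every page the range spans. The page map is constructed (three present pages at 0x10000) so it runs without a kernel.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  ((uintptr_t)1 << PAGE_SHIFT)

/* Constructed stand-in for MmIsAddressValid: a 16-page window at 0x10000
 * whose first three pages are "present"; every other address is not. */
#define WINDOW_BASE  ((uintptr_t)0x10000)
#define WINDOW_PAGES 16
static const uint16_t present_mask = 0x0007;

int page_is_present(uintptr_t va)
{
    uintptr_t idx = (va - WINDOW_BASE) >> PAGE_SHIFT;
    if (va < WINDOW_BASE || idx >= WINDOW_PAGES) return 0;
    return (present_mask >> idx) & 1;
}

/* Same arithmetic as ADDRESS_AND_SIZE_TO_SPAN_PAGES; returns 0 when the
 * size is 0 or the range would wrap around the end of the address space. */
size_t span_pages(uintptr_t va, size_t size)
{
    if (size == 0 || va > UINTPTR_MAX - (uintptr_t)(size - 1)) return 0;
    return (size_t)(((va & (PAGE_SIZE - 1)) + size + PAGE_SIZE - 1) >> PAGE_SHIFT);
}

/* What the posted driver does: only the page of the first byte is tested. */
int first_page_only_valid(uintptr_t va, size_t size)
{
    return span_pages(va, size) > 0 && page_is_present(va);
}

/* The complete check: every page the range touches must be present. */
int range_all_valid(uintptr_t va, size_t size)
{
    size_t n = span_pages(va, size), i;
    uintptr_t page = va & ~(PAGE_SIZE - 1);
    if (n == 0) return 0;
    for (i = 0; i < n; i++)
        if (!page_is_present(page + i * PAGE_SIZE)) return 0;
    return 1;
}

int main(void)
{
    uintptr_t va = WINDOW_BASE + 3 * PAGE_SIZE - 0x10; /* 16 bytes before the absent page */
    printf("first-page check: %d, full-range check: %d\n",
           first_page_only_valid(va, 0x20), range_all_valid(va, 0x20));
    return 0;
}
```

A 32-byte read starting 16 bytes before the first absent page passes the first-page check but fails the full-range one, which is exactly the gap between the two.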
Dark Byte, Site Admin (Joined: 09 May 2003, Posts: 25788, Location: The netherlands)
Posted: Tue Nov 29, 2011 7:36 pm

Tried raising IRQL to dispatch level? (Prevents task switching on the current CPU core, but not sure how it goes with other CPUs that decide to free memory)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
whitepanda (Joined: 29 Nov 2011, Posts: 3)
Posted: Wed Nov 30, 2011 5:14 am

Atm I'm calling the function above from IRP_MJ_DEVICE_CONTROL, where the default IRQL is PASSIVE_LEVEL as far as I know.

I will give it a try as soon as I'm back at home, thx.

Is there any other way to safely access kernel memory? ntoskrnl.exe seems to be paged in on every process; others however are not (win32k.sys e.g. only on GUI thread processes).
Dark Byte, Site Admin (Joined: 09 May 2003, Posts: 25788, Location: The netherlands)
Posted: Wed Nov 30, 2011 7:57 am

Well, the 'safest' method would be to hook the page fault interrupt for the current CPU only, and then when a page fault happens it sets a global var you can check to see if the last memory access resulted in a page fault. Just make sure that interrupts are disabled (task switches and timers could cause a problem then)
whitepanda (Joined: 29 Nov 2011, Posts: 3)
Posted: Wed Nov 30, 2011 8:24 am

You're probably right, but I'm looking for a non-intrusive way which works on x64 too, without the need to mess with PatchGuard :/
Dark Byte, Site Admin (Joined: 09 May 2003, Posts: 25788, Location: The netherlands)
Posted: Wed Nov 30, 2011 8:40 am

Actually, this method should work on 64-bit too if done properly:

cli : disable interrupt
stidt : Store the current cpu thread's idt address
ldidt : Set the current cpu thread's idt address to your own

do memory stuff

ldidt : Restore the cpu thread's idt address
sti: Resume

PatchGuard has no way to see that the IDT has been changed, as there is no task switch.

But yeah, it might be a bit too intrusive, or overkill. (Of course, overkill is something I never walk away from, see dbvm...)
