Cheat Engine The Official Site of Cheat Engine
iPromise (Grandmaster Cheater; Reputation: -1; Joined: 27 Jun 2009; Posts: 529; Location: Canada)
Posted: Fri Aug 31, 2012 5:56 pm    Post subject: Driver Help..
Well, I got my driver to load fine. However, I was conducting a test to see if I was able to edit the memory of the process I attached my driver to.
Here is the code of my driver:
Code:
#include <ntddk.h>

NTSTATUS DriverEntry ( PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath )
{
    KAPC_STATE apcState;
    ULONG      value = 1000;    // 0x3E8 as a DWORD: lands in memory as E8 03 00 00 (little-endian),
                                // unlike the byte string "\x00\x00\x03\xE8", which would store 0xE8030000

    UNREFERENCED_PARAMETER ( pDriverObject );
    UNREFERENCED_PARAMETER ( pRegistryPath );
    UNREFERENCED_PARAMETER ( value );

    DbgPrint ( "Driver has been loaded.\n" );

    // Attach to the process. IoGetCurrentProcess () is the process in whose context
    // DriverEntry itself runs, which need not be the loader process.
    KeStackAttachProcess ( IoGetCurrentProcess (), &apcState );

    // Write our memory (commented out: the copy faulted every time it was enabled)
    //RtlCopyMemory ( (void*) 0x10000, &value, sizeof ( value ) );
    DbgPrint ( "Memory has been edited\n" );

    // Detach from the process
    KeUnstackDetachProcess ( &apcState );
    return STATUS_SUCCESS;
}
As you can see, I commented out RtlCopyMemory on purpose, because each time I did edit memory it gave me an error. That is probably due to the fact that either
a) I'm not initializing RtlCopyMemory right, or
b) my driver wasn't loaded right.
So my objective is to edit address 0x10000 of the process I'm attached to through my driver; however, each time I attempt to edit it, it won't work.
My driver is a SERVICE_KERNEL_DRIVER. I thought that this should be the mistake: that when I load my driver and edit that address, it wasn't actually writing to the usermode address.
I'm lost and I need help.
PS. 000003E8 = 1000
Thanks.
Dark Byte (Site Admin; Reputation: 471; Joined: 09 May 2003; Posts: 25813; Location: The Netherlands)
Posted: Fri Aug 31, 2012 6:01 pm
Use WinDbg to read the memory.dmp file to see why it failed.
Also, if you put it between a try/except you may prevent the BSOD. (It will fail, but you can then use DbgPrint to see what went wrong.)
And are you sure the DriverEntry is called by the process that started it?
Print out the current process ID to make sure.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
iPromise (Grandmaster Cheater; Reputation: -1; Joined: 27 Jun 2009; Posts: 529; Location: Canada)
Posted: Sat Sep 01, 2012 9:54 pm
Dark Byte wrote:
    Use WinDbg to read the memory.dmp file to see why it failed.
    Also, if you put it between a try/except you may prevent the BSOD. (It will fail, but you can then use DbgPrint to see what went wrong.)
    And are you sure the DriverEntry is called by the process that started it?
    Print out the current process ID to make sure.
I put a try/except around the code.
The DriverEntry is being called, because I receive my output from DbgPrint.
I also don't think my driver is attached to my process, and that's why it failed to edit address 0x10000. Also, the memory edit works and doesn't crash, and I receive "Memory has been edited."
When I tried displaying the current process I was in, I didn't know how to convert from (DWORD) HANDLE to char without the Windows library (I can only use DDK libraries).
My loader also gives me mistakes. It seems that after I close the driver and try to reopen it again, it fails. The error codes I get are below my loader's code.
Code:
// Print the PID as a number: DbgPrint takes a format string first, so the HANDLE must not be
// passed as the format itself. HandleToULong comes from basetsd.h, which ntddk.h pulls in.
DbgPrint ( "Current PID: %u\n", HandleToULong ( PsGetProcessId ( IoGetCurrentProcess () ) ) );
The code for my driver looks like this:
Code:
#include <ntddk.h>

NTSTATUS DriverEntry ( PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath )
{
    KAPC_STATE apcState;
    ULONG      value = 1000;    // 0x3E8 as a DWORD: lands in memory as E8 03 00 00 (little-endian),
                                // unlike the byte string "\x00\x00\x03\xE8", which would store 0xE8030000

    UNREFERENCED_PARAMETER ( pDriverObject );
    UNREFERENCED_PARAMETER ( pRegistryPath );

    DbgPrint ( "Driver has been loaded.\n" );

    // Attach to the process. IoGetCurrentProcess () is the process in whose context
    // DriverEntry itself runs, which need not be the loader process.
    KeStackAttachProcess ( IoGetCurrentProcess (), &apcState );

    // Write our memory; a fault on the user-mode address 0x10000 is caught here
    // instead of bug-checking the machine
    __try
    {
        RtlCopyMemory ( (void*) 0x10000, &value, sizeof ( value ) );
        DbgPrint ( "Memory has been edited\n" );
    }
    __except ( EXCEPTION_EXECUTE_HANDLER )   // the named constant for __except ( 1 )
    {
        DbgPrint ( "Memory has failed to edit (exception code 0x%08X)\n", GetExceptionCode () );
    }

    // Detach from the process
    KeUnstackDetachProcess ( &apcState );
    return STATUS_SUCCESS;
}
And the code for my loader looks like this:
Code:
#include <windows.h>
#include <iostream>

using namespace std;

int main ( void )
{
    cout << "Current pID: " << GetCurrentProcessId () << endl;
    // Setup console
    system ( "TITLE Loader" );
    system ( "COLOR 3" );
    system ( "PAUSE" );
    // Declare
    SERVICE_STATUS ss;
    // Open the manager (needs an elevated/administrator token)
    SC_HANDLE hscManager = OpenSCManagerA ( NULL, NULL, SC_MANAGER_ALL_ACCESS );
    if ( hscManager )
    {
        // Obtain a handle to the service
        SC_HANDLE hscService = OpenServiceA ( hscManager, "Driver", SERVICE_START | DELETE | SERVICE_STOP );
        // Create the service if it does not exist yet
        if ( !hscService )
        {
            cout << "OpenService failed with error " << GetLastError () << ", creating the service.. " << endl;
            hscService = CreateServiceA ( hscManager, "Driver", "Driver Test", SERVICE_START | DELETE | SERVICE_STOP,
                                          SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, "C:\\driver.sys",
                                          NULL, NULL, NULL, NULL, NULL );
        }
        // Start the driver
        if ( hscService )
        {
            if ( StartService ( hscService, 0, NULL ) )
                cout << "Driver started.. " << endl;
            else
                cout << "StartService failed with error " << GetLastError () << endl;
            cin.get ();
            // Stop the driver, reporting the Win32 error if the SCM refuses
            if ( !ControlService ( hscService, SERVICE_CONTROL_STOP, &ss ) )
                cout << "ControlService (STOP) failed with error " << GetLastError () << endl;
            if ( !DeleteService ( hscService ) )
                cout << "DeleteService failed with error " << GetLastError () << endl;
            CloseServiceHandle ( hscService );
        }
        else
        {
            cout << "The driver was not loaded. Something went wrong.. error " << GetLastError () << endl;
        }
        // Close the manager (only if it was opened)
        CloseServiceHandle ( hscManager );
    }
    else
    {
        cout << "OpenSCManager failed with error " << GetLastError () << endl;
    }
    system ( "PAUSE" );
    return 0;
}
I did do checks on the loader before, and here were the results:
When I tried to call OpenService the second time I closed my driver and reopened the loader, I got 0x422 (Service has been disabled or elements can't be used).
And when I tried using ControlService to STOP my driver, I would get error 0x41C (The requested control is not valid for this service.).
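Two things in the posted driver are worth checking on the desk before loading anything into the kernel: what the target actually reads when the four-byte string "\x00\x00\x03\xE8" is copied into it, and whether the destination span lies inside memory the driver is allowed to touch. The block below is an added example, not code from the thread and not kernel code; it is portable user-mode C, and the 4 KiB buffer is a constructed stand-in for the page at 0x10000 (offset 0 of the buffer plays the role of address 0x10000). The bounds check in patch_dword is the user-mode analogue of validating the range before the copy; in a real driver that job falls to ProbeForWrite inside __try/__except, because an unmapped target address faults at kernel level.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Windows on x86/x64 stores a DWORD little-endian: 1000 (0x3E8) sits in memory as E8 03 00 00. */
void encode_dword_le(uint32_t value, unsigned char out[4])
{
    out[0] = (unsigned char)(value);
    out[1] = (unsigned char)(value >> 8);
    out[2] = (unsigned char)(value >> 16);
    out[3] = (unsigned char)(value >> 24);
}

/* What x86 code reading a DWORD at an address will see for the four bytes found there. */
uint32_t decode_dword_le(const unsigned char bytes[4])
{
    return (uint32_t)bytes[0] | ((uint32_t)bytes[1] << 8) |
           ((uint32_t)bytes[2] << 16) | ((uint32_t)bytes[3] << 24);
}

/* The literal from the post, "\x00\x00\x03\xE8", interpreted as the target's CPU would:
 * the bytes are in big-endian order, so the DWORD read back is 0xE8030000, not 1000. */
uint32_t value_target_reads_from_literal(void)
{
    static const unsigned char literal[4] = { 0x00, 0x00, 0x03, 0xE8 };
    return decode_dword_le(literal);
}

/* Stand-in for the copy a driver does after attaching to the target process.
 * Refuses the write unless the whole 4-byte span lies inside the region we own;
 * returns 0 on success, -1 when the write would land out of range. */
int patch_dword(unsigned char *region, size_t region_size, size_t offset, uint32_t value)
{
    if (region == NULL || offset > region_size || region_size - offset < sizeof(uint32_t))
        return -1;                          /* would fault: destination not inside the region */
    unsigned char le[4];
    encode_dword_le(value, le);
    memcpy(region + offset, le, sizeof le); /* the RtlCopyMemory step, with the value encoded as a DWORD */
    return 0;
}

int main(void)
{
    /* Constructed stand-in for the 4 KiB page at 0x10000; offset 0 == address 0x10000. */
    unsigned char page[0x1000] = { 0 };

    printf("literal \"\\x00\\x00\\x03\\xE8\" read as DWORD: %u (0x%08X)\n",
           value_target_reads_from_literal(), value_target_reads_from_literal());

    if (patch_dword(page, sizeof page, 0, 1000) == 0)
        printf("patched offset 0 with 1000; bytes now %02X %02X %02X %02X, read back %u\n",
               page[0], page[1], page[2], page[3], decode_dword_le(page));

    /* A 4-byte write starting 2 bytes before the end of the page crosses the boundary. */
    if (patch_dword(page, sizeof page, 0xFFE, 1000) != 0)
        printf("refused write at offset 0xFFE: would run past the end of the page\n");

    return 0;
}
```

The first printf shows the poster's byte literal reading back as 0xE8030000 on the target; the second shows that copying the integer 1000 itself produces E8 03 00 00 and reads back as 1000, which is the form RtlCopyMemory needs to be handed.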