TsTg Master Cheater
Reputation: 5
Joined: 12 Dec 2012 Posts: 340 Location: Somewhere....
Posted: Sun Dec 16, 2012 6:22 am Post subject: Using Vectored Exception handler routine
I'm writing a DLL that does the same job as the stealthedit plugin, but this is for use outside Cheat Engine. Anyway, I'm using the method of VEH as the error handler; what I want to do here is that the target address (with its memory page) will be copied somewhere else (VirtualAlloc then memcpy), then to start the redirection, the original code page access is changed to PAGE_READWRITE (so I have removed the EXECUTE access).
Once the program steps on somewhere inside the same page, Windows raises an access violation exception, which is then sent to my VEH to deal with it, or else the handler returns 0 and exits.
I know that I can read the exception info (in my VEH routine); it's found in [ESP+4], and the EIP to be modified is located at offset 0x108 from what is inside [ESP+4].
Once I read the EIP, I change it to its equivalent address in the 'copied' page, write it back, then exit my VEH routine with the -1 value (CONTINUE_EXECUTION).
My problem here is that I can't get it to work.
Am I missing something? Do I need to copy all pages of the module? Should I add the vectored handler as the first? And finally, do I need to suspend the process before injecting the DLL and setting up the VEH?
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25860 Location: The netherlands
Posted: Sun Dec 16, 2012 7:39 am
You will need to force DEP on for the process, else Windows will make the page executable when it triggers such a page fault.
And yes, you need to copy all pages of the module, or else rewrite all relative address specifiers in the code, which will cause a change in offset, which you will need to take care of as well... (just copy it all)
And it's best to set your handler as first, and pass the exception on to the next one if it's not an exception you handle.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
TsTg Master Cheater
Posted: Sun Dec 16, 2012 8:04 am
Yes, sure, data execution prevention is enabled. But what about suspending the process: is it required before adding the VEH? (ZwSuspendProcess and not SuspendThread.)
Also, is there a difference between just setting DEP generally on from Windows and having to use SetProcessDEPPolicy to change DEP specifically for the process?
Last edited by TsTg on Sun Dec 16, 2012 8:11 am; edited 2 times in total

Dark Byte Site Admin
Posted: Sun Dec 16, 2012 8:09 am
No, there is no need to freeze anything, just call AddVectoredExceptionHandler.
TsTg Master Cheater
Posted: Sun Dec 16, 2012 8:14 am
And about the DEP?
Dark Byte Site Admin
Posted: Sun Dec 16, 2012 8:29 am
If you're on XP SP3 or Vista SP1, you can use SetProcessDEPPolicy to enable DEP.
If you're on an older version, you need to turn on DEP for ALL applications using the control panel in Windows.
Also, if your program was started with DEP disabled and you turn it on, you may need to make pages executable when they cause an execute page fault and continue without raising an exception.
TsTg Master Cheater
Posted: Sun Dec 16, 2012 8:36 am
I'm on Windows 7 x64 with DEP enabled by default; my question is whether I still need to use the SetProcessDEPPolicy function for my target process?
Dark Byte Site Admin
Posted: Sun Dec 16, 2012 8:47 am
Just enabled isn't enough; it must be forced to enabled for all processes and not just 64-bit apps. So yes, you need to call SetProcessDEPPolicy.
The Task Manager has a column to show whether DEP is enabled on the process.
TsTg Master Cheater
Posted: Sun Dec 16, 2012 6:29 pm
Yeah, I know that, thanks man. I'll post the DLL here once I finish it, in case someone needs it.
TsTg Master Cheater
Posted: Tue Dec 18, 2012 11:44 am
Hi again...
I'm almost finished with the DLL, but I have a problem with the VE handler now. I'm not sure how its code should be, but here's what I wrote:
Beginning:
mov eax,[esp+4]            ; eax = pointer to EXCEPTION_POINTERS (the only argument)
push ebx
push ecx
mov ebx,[eax]              ; ebx = ExceptionRecord
cmp dword [ebx],0xC0000005 ; ExceptionCode: is it an access violation?
jne BadBoy                 ; jump to bad boy
mov ecx,[ebx+0xC]          ; ExceptionAddress: I get the EIP of the faulting instruction
cmp ecx,[MainBase]         ; MainBase is the start of the original memory I copied (say it's 0x400000)
jb BadBoy                  ; jump to bad boy
mov eax,[MainBase]
add eax,[Size]
cmp ecx,eax                ; I compare the EIP with the end of the memory I copied
jae BadBoy                 ; the end is exclusive, so jae (not ja); jump to bad boy
mov eax,[esp+0xC]          ; here is good boy start: EXCEPTION_POINTERS again, 0xC because I pushed ebx and ecx earlier
mov eax,[eax+4]            ; eax = ContextRecord (the documented pointer, rather than ExceptionRecord+0x108)
sub ecx,[MainBase]         ; subtract from the EIP to get the offset
add ecx,[Alloc]            ; add the offset to my allocated area (to get the equivalent redirected address)
mov dword [eax+0xB8],ecx   ; CONTEXT.Eip sits at 0xB8 in the 32-bit CONTEXT
pop ecx                    ; pop my previous PUSHes
pop ebx
or eax,0xFFFFFFFF          ; -1 = EXCEPTION_CONTINUE_EXECUTION
ret 4                      ; stdcall: drop the one argument
BadBoy:                    ; bad boy start
pop ecx
pop ebx
xor eax,eax                ; 0 = EXCEPTION_CONTINUE_SEARCH
ret 4
_________________________________________________________
Hey Dark Byte, what do you think of this routine anyway? Is there anything missing, or should I add more conditions to compare for?
This is for redirecting the code to my copied address of the new memory page, but I can't get this VEH to work (it crashes the game).
Dark Byte Site Admin
Posted: Tue Dec 18, 2012 12:32 pm
I don't recommend doing no-execute on all of the module memory, but only on a few 4k pages.
Also, you need to do a few extra checks to see if the exception you're getting is actually caused by your change and not a random exception by the game.
For example, the game might do:
This will raise a page fault exception on the address of that instruction. Those should be sent to the original exception handler.
And instead of checking EIP I recommend checking the page that caused it. For the page fault exception this is stored in the "ExceptionInformation" array:
Element 0 indicates the type: 0 (no access/read), 1: write, 8: execute.
Element 1 has the address that caused it.
TsTg Master Cheater
Posted: Tue Dec 18, 2012 1:06 pm
So you mean here that I also should check if the value of element zero in the exception info equals 0? I use PAGE_READWRITE as the new page protection.
And another question: should I get the EIP from element 1, and not by the [esp+4] method? And if so, what is the offset added to ESP to get those values?
Dark Byte Site Admin
Posted: Tue Dec 18, 2012 5:06 pm
Actually, look for 8, since you're looking for an execute exception.
And you'll need to use both.
For example, you have set page 004c4000 to non-executable, and 004c3fff contains a 2+ byte instruction.
You then get an EIP that isn't in your protected page, but element 1 of the ExceptionInformation array will contain 004c4000, which is
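A worked version of the handler this thread converges on, written in C as an added example: it is not TsTg's DLL, not Cheat Engine's stealthedit plugin, and not code from any post above. It applies the checks from Dark Byte's last two replies: only STATUS_ACCESS_VIOLATION, only ExceptionInformation[0] == 8 (execute), only when ExceptionInformation[1] falls inside the pages set to PAGE_READWRITE, and the resume address is EIP's offset within a copy of the whole module, which is what makes the straddling case (fault address 004c4000, EIP 004c3fff) resolve to the right place in the copy. The names redir_t, redir_target, redir_example_target, redir_install and g_redir, the constructed addresses in redir_example_target, and the choice to look up SetProcessDEPPolicy via GetProcAddress are this example's own assumptions; the Windows setup and handler are compiled only under _WIN32, so the decision logic can be exercised on any platform.

```c
/* Added example: a VEH that redirects execution out of pages made
 * non-executable into a private copy of the module. Not TsTg's DLL and
 * not Cheat Engine's stealthedit plugin; all names here are the example's
 * own. Decision logic is portable; Windows-only parts are under _WIN32. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AV_CODE          0xC0000005u  /* STATUS_ACCESS_VIOLATION */
#define AV_INFO_READ     0            /* ExceptionInformation[0] values */
#define AV_INFO_WRITE    1
#define AV_INFO_EXECUTE  8            /* DEP/NX fault: the only one we redirect */

typedef struct {
    uintptr_t module_base;  /* original image; all of it is copied */
    size_t    module_size;
    uintptr_t copy_base;    /* executable private copy of the whole image */
    uintptr_t nx_lo, nx_hi; /* [nx_lo, nx_hi): pages set to PAGE_READWRITE */
} redir_t;

/* Decide whether an exception is ours. Returns the address to resume at
 * inside the copy, or 0 when it must be passed to the next handler.
 * access = ExceptionInformation[0], fault_addr = ExceptionInformation[1],
 * eip = ContextRecord->Eip (Rip on x64). */
uintptr_t redir_target(const redir_t *r, uint32_t code, uintptr_t access,
                       uintptr_t fault_addr, uintptr_t eip)
{
    if (code != AV_CODE)           return 0;  /* breakpoint, illegal insn, ... */
    if (access != AV_INFO_EXECUTE) return 0;  /* the game's own read/write AVs */
    if (fault_addr < r->nx_lo || fault_addr >= r->nx_hi)
        return 0;                             /* execute fault on some other page */
    /* Judge by the fetched address, not EIP: a 2+ byte instruction at
     * nx_lo-1 faults with fault_addr == nx_lo while EIP is still outside
     * the page. EIP only has to lie somewhere inside the copied module. */
    if (eip < r->module_base || eip - r->module_base >= r->module_size)
        return 0;
    return r->copy_base + (eip - r->module_base);
}

/* Constructed layout (assumed addresses) for the stand-alone run and tests:
 * a 1 MiB module at 0x400000 copied to 0x10000000, one 4k page made NX. */
uintptr_t redir_example_target(uint32_t code, uintptr_t access,
                               uintptr_t fault_addr, uintptr_t eip)
{
    redir_t r = { 0x400000, 0x100000, 0x10000000, 0x4C4000, 0x4C5000 };
    return redir_target(&r, code, access, fault_addr, eip);
}

#ifdef _WIN32
#include <windows.h>
#ifndef PROCESS_DEP_ENABLE
#define PROCESS_DEP_ENABLE 0x1
#endif
static redir_t g_redir;

static LONG CALLBACK redir_veh(EXCEPTION_POINTERS *ep)
{
    const EXCEPTION_RECORD *er = ep->ExceptionRecord;
#ifdef _WIN64
    uintptr_t *pc = (uintptr_t *)&ep->ContextRecord->Rip;
#else
    uintptr_t *pc = (uintptr_t *)&ep->ContextRecord->Eip;
#endif
    uintptr_t target = redir_target(&g_redir, (uint32_t)er->ExceptionCode,
                                    (uintptr_t)er->ExceptionInformation[0],
                                    (uintptr_t)er->ExceptionInformation[1], *pc);
    if (target == 0) return EXCEPTION_CONTINUE_SEARCH;  /* not ours: pass it on */
    *pc = target;
    return EXCEPTION_CONTINUE_EXECUTION;                /* -1: resume in the copy */
}

/* Force DEP on, copy the whole image, register the handler first in the
 * chain, then strip execute from [nx_lo, nx_lo+nx_len). No suspension needed. */
int redir_install(HMODULE mod, uintptr_t nx_lo, size_t nx_len)
{
    typedef BOOL (WINAPI *SetDepFn)(DWORD);
    SetDepFn set_dep = (SetDepFn)GetProcAddress(GetModuleHandleA("kernel32.dll"),
                                                "SetProcessDEPPolicy");
    if (set_dep) set_dep(PROCESS_DEP_ENABLE);  /* XP SP3 / Vista SP1+, 32-bit processes */

    IMAGE_DOS_HEADER *dos = (IMAGE_DOS_HEADER *)mod;
    IMAGE_NT_HEADERS *nt  = (IMAGE_NT_HEADERS *)((BYTE *)mod + dos->e_lfanew);
    size_t size = nt->OptionalHeader.SizeOfImage;
    void *copy = VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!copy) return 0;
    memcpy(copy, (void *)mod, size);

    g_redir.module_base = (uintptr_t)mod;  g_redir.module_size = size;
    g_redir.copy_base   = (uintptr_t)copy;
    g_redir.nx_lo = nx_lo;                 g_redir.nx_hi = nx_lo + nx_len;
    if (!AddVectoredExceptionHandler(1, redir_veh)) return 0;  /* 1 = call first */
    DWORD old;
    return VirtualProtect((void *)nx_lo, nx_len, PAGE_READWRITE, &old) ? 1 : 0;
}
#endif

int main(void)
{
    /* Constructed faults: an in-page fetch, a straddling instruction, the game's own write AV. */
    printf("in-page  -> %#lx\n", (unsigned long)redir_example_target(AV_CODE, AV_INFO_EXECUTE, 0x4C4010, 0x4C4010));
    printf("straddle -> %#lx\n", (unsigned long)redir_example_target(AV_CODE, AV_INFO_EXECUTE, 0x4C4000, 0x4C3FFF));
    printf("write AV -> %#lx\n", (unsigned long)redir_example_target(AV_CODE, AV_INFO_WRITE, 0x4C4000, 0x401000));
    return 0;
}
```

On Windows, the injected DLL would call redir_install(GetModuleHandleA(NULL), page, 0x1000) for each 4k page it wants to watch; the redirected code keeps running in the copy until a call or jump lands back in the original page, which faults again and is redirected again. The DEP caveat from earlier in the thread is deliberately not handled here: an execute fault outside the protected range is returned to the game's handlers with EXCEPTION_CONTINUE_SEARCH, whereas a process that was started with DEP off would need that branch to re-protect the page executable and resume instead.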