Cheat Engine Forum (The Official Site of Cheat Engine)

POC: Stealthed Kernelmode API hooking
Dark Byte (Site Admin)
Posted: Thu Jul 04, 2019 3:12 pm

I'm not sure what goes wrong. I have tested the latest build and it works (tested it without DBVM at the moment to prevent getting confused by DBVM's cloak).

Try: https://cheatengine.org/download/cekinfobuild-07042019.zip
Just extract it to an empty folder.
Make sure DBVM isn't loaded, run the kernelmoduleunloader exe (to get rid of older conflicting drivers)
and then run CE.
Click Proof of concept -> Kernelmode hook, No, Yes, and see what happens then.

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
nb81
Posted: Thu Jul 04, 2019 4:38 pm

Your build works fine.
Anyway, after some real struggle I managed to debug and find the cause: I'm building with the privatebuild flag set and I'm guessing that the NtReadVirtualMemory hook messes autoassemble up. Do you know why / how this could happen?
Dark Byte (Site Admin)
Posted: Thu Jul 04, 2019 4:52 pm

Ah, that.
I'm not sure it's the NtReadVirtualMemory hook, as the command dbk_useKernelmodeProcessMemoryAccess will swap the internal rpm and wpm API pointers to the DBK implementation anyhow.

You'll have to do some more debugging to figure out where it goes wrong.

(Or hook the APIs used to detect handles. And in case of an Ob callback, hook the functions pointed to and filter out CE process events.)

nb81
Posted: Thu Jul 04, 2019 6:36 pm

After some more debugging I've found out that it's something with OpenProcess. When autoAssemble (or readByte?) is called from the Lua script, somewhere in the code it enumerates and opens handles for every process even though only the CE process is needed (it seems like it has to get a valid handle through OpenProcess even though the handle it uses in the autoassembler is acquired with GetCurrentProcess? I'm really not sure at this point, but I let it get a handle from DBK anyway).

Adding a check for GetCurrentProcessId in the hooked OpenProcess solved my problem (I can now use the call logger and r/w without handles); however, I'd consider it a messy and not proper solution. Maybe after I get more familiar with the source code I'll come up with something better :/

Also, there are no Ob callbacks. The game I'm trying to get into has some basic anti-debug techniques in place and from what I've seen they open handles to CE to scan its memory for keyword strings.
nb81
Posted: Fri Jul 05, 2019 9:30 am
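The filtering decision that both Dark Byte's suggestion (hook the handle-detection APIs or the Ob callback targets and filter out CE process events) and nb81's fix (exempt the hook's own process via the current process ID) revolve around, as an added example that is not code from this thread, from Cheat Engine or from the DBK driver. It is a user-mode C model of what a hooked NtOpenProcess or an Ob pre-operation callback has to decide, so the self-open edge case can be exercised without loading a driver. All identifiers (hook_state, decide_open, the two hook modes) and the sample PIDs are this example's own assumptions; only the PROCESS_* and STATUS_* constants are the real Windows values.

```c
/*
 * Added example, not from the thread or from Cheat Engine: a user-mode
 * model of the decision a hooked NtOpenProcess (or an Ob pre-op callback)
 * makes when something tries to open the hidden CE process.
 *
 * hook_state, open_decision, decide_open and the PIDs used in main() are
 * hypothetical names/values chosen for this example.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Subset of the real PROCESS_* access masks (winnt.h values). */
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u

/* NTSTATUS values the real hook would hand back. */
#define STATUS_SUCCESS       0x00000000u
#define STATUS_ACCESS_DENIED 0xC0000022u

typedef enum {
    HOOK_MODE_DENY,  /* inline/SSDT-style hook: may fail the open outright */
    HOOK_MODE_STRIP  /* Ob pre-op callback: may only remove access rights */
} hook_mode;

typedef struct {
    uint32_t  protected_pid;  /* the CE process the hook hides */
    hook_mode mode;
} hook_state;

typedef struct {
    uint32_t status;          /* what the caller of NtOpenProcess sees */
    uint32_t granted_access;  /* DesiredAccess after filtering */
    bool     forwarded;       /* true if the original NtOpenProcess runs */
} open_decision;

/*
 * caller_pid stands in for PsGetCurrentProcessId() inside the kernel hook
 * (the "GetCurrentProcessId" check from the post above).
 */
open_decision decide_open(const hook_state *st, uint32_t caller_pid,
                          uint32_t target_pid, uint32_t desired_access)
{
    open_decision d = { STATUS_SUCCESS, desired_access, true };

    /* Opens of any other process are passed through untouched. */
    if (target_pid != st->protected_pid)
        return d;

    /* The edge case from the post: CE enumerates every process and opens
     * its own PID on the way. Without this exemption the hook blocks CE
     * itself and autoAssemble/readByte stop working. */
    if (caller_pid == st->protected_pid)
        return d;

    if (st->mode == HOOK_MODE_DENY) {
        d.status         = STATUS_ACCESS_DENIED;
        d.granted_access = 0;
        d.forwarded      = false;
        return d;
    }

    /* Ob-callback style: the open still succeeds, but the memory access
     * rights a scanner needs are removed from DesiredAccess. */
    d.granted_access &= ~(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION);
    return d;
}

int main(void)
{
    /* Constructed sample PIDs, not taken from the thread. */
    hook_state deny  = { 4242, HOOK_MODE_DENY };
    hook_state strip = { 4242, HOOK_MODE_STRIP };
    uint32_t scan = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION;

    open_decision a = decide_open(&deny,  1337, 4242, scan); /* game -> CE */
    open_decision b = decide_open(&deny,  4242, 4242, scan); /* CE -> CE (self-open) */
    open_decision c = decide_open(&strip, 1337, 4242, scan); /* game -> CE, strip mode */

    printf("game->CE deny : status 0x%08" PRIx32 " forwarded=%d\n", a.status, (int)a.forwarded);
    printf("CE->CE   deny : status 0x%08" PRIx32 " forwarded=%d\n", b.status, (int)b.forwarded);
    printf("game->CE strip: access 0x%04" PRIx32 " forwarded=%d\n", c.granted_access, (int)c.forwarded);
    return 0;
}
```

Two caveats a practitioner would keep in mind. An Ob pre-operation callback can only adjust DesiredAccess, not fail the open, which is why the strip mode exists separately from the deny mode. And identifying the caller by process ID is a weak identity check: a thread running inside the hidden process for any reason passes it, and a scanner that gets STATUS_ACCESS_DENIED for exactly one PID while every other open succeeds has itself been handed a signal.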

Is it possible to hook non-exported functions with this lua script (addresses, ntoskrnl offsets or functions which appear in pdb as symbols)?
Dark Byte (Site Admin)
Posted: Fri Jul 05, 2019 9:42 am

Yes, but you must make sure that in the memory view "kernel symbols" is selected (I need to add a Lua function to automate that, or use the form access Lua commands).

Then you can use File -> Use/download Windows symbol files, or the Lua command enableWindowsSymbols().
Once the symbols are downloaded and loaded by CE, those functions will be available as well.

nb81
Posted: Fri Jul 05, 2019 10:05 am

Thank you. getAddress couldn't find some ntoskrnl symbols; calling enableWindowsSymbols() fixed that.
Page 2 of 2. All times are GMT - 6 Hours.