MantisBT - Cheat Engine
View Issue Details
ID: 0000374 | Project: Cheat Engine | Category: (No Category) | View Status: public | Date Submitted: 2015-02-21 13:46 | Last Update: 2015-02-23 23:22
Reporter: pausebreak7
Assigned To: Dark Byte
Priority: none | Severity: minor | Reproducibility: N/A
Status: resolved | Resolution: fixed
Platform: - | OS: - | OS Version: -
Summary: 0000374: Dark Byte Cheat engine X64 kernel Memory Edit Impossible?
Description:
Process-protect kernel driver memory fix -> BSOD

ObRegisterCallbacks

Cheat Engine kernel edit impossible?

Kernel memory edit -> JMP or NOP -> BSOD

But with Win64AST Kernel Explorer & PCHunter (XueTr) an ObRegisterCallbacks edit is possible

Is Cheat Engine not able to modify kernel memory?

Tags: No tags attached.
Attached Files:
hmm.png (71,876 bytes) 2015-02-21 13:46
http://cheatengine.org/mantis/file_download.php?file_id=133&type=bug

win64ast.png (68,792 bytes) 2015-02-21 13:59
http://cheatengine.org/mantis/file_download.php?file_id=134&type=bug

testS.png (128,274 bytes) 2015-02-21 20:29
http://cheatengine.org/mantis/file_download.php?file_id=135&type=bug

Thanks.png (108,798 bytes) 2015-02-21 23:44
http://cheatengine.org/mantis/file_download.php?file_id=137&type=bug

bluescreen.png (1,085,156 bytes) 2015-02-22 12:39
http://cheatengine.org/mantis/file_download.php?file_id=138&type=bug

Notes
(0000759) pausebreak7 2015-02-21 13:59
Win64AST technology

Is this possible in Cheat Engine?
(0000760) Dark Byte 2015-02-21 18:51
You need to disable PatchGuard first, which will BSOD you when kernel-mode memory gets changed.
Try out KPP Destroyer: http://forum.cheatengine.org/viewtopic.php?t=573311
(0000761) pausebreak7 2015-02-21 20:32 (Last edited: 2015-02-21 20:45)
PatchGuard-on system test
(PatchGuard not disabled, no setup)

Standard Windows 7 64-bit OS

Win64AST modify -> no BSOD

Cheat Engine kernel edit -> BSOD

ObRegisterCallbacks Cheat Engine kernel memory edit fails

Test info:

PatchGuard ON system

Original Windows 7 64-bit

------------------------------
Win64AST modify:

xor eax,eax
ret

No blue screen
------------------------------

Test Win64AST file:

win64ast -> http://pan.baidu.com/s/1o6MDJmE

.NET Framework 4.0 -> http://pan.baidu.com/s/1bnnitIJ

http://m5home.blog.163.com/blog/static/2091221812012760245552

(0000762) pausebreak7 2015-02-21 20:39
Is it impossible with Cheat Engine's technology?

Please answer, Dark Byte.
(0000764) Dark Byte 2015-02-21 22:28
What is the BSOD you get? (details)
Try editing the physical memory of that page instead.
(0000766) pausebreak7 2015-02-21 23:44 (Last edited: 2015-02-21 23:56)
Dark Byte, genius, thanks.

-My test: success, or a small bug-

1. Load dbk.sys, open my Cheat Engine target and go to the driver memory address (screenshot).
   Driver address: 0xfffff8800cf50880
   Physical address: 41DA7A880

2. Go to the physical address 41DA7A880 -> Memory View: ?? ?? ?? ??

3. Click the Physical Memory process -> 41DA7A880 -> Memory View: 48 89 54 10

4. Physical memory edit to NOP -> no BSOD, kernel memory change success

-Small bug?-
5. Change process: reopen my Cheat Engine process
   -> kernel memory 0xfffff8800cf50880 Memory View -> ?? ?? ?? ??
   (after changing process again, the kernel driver address is not visible)

*Does this fix require selecting the Physical Memory process?

(0000767) Dark Byte 2015-02-22 00:23 (Last edited: 2015-02-22 01:06)
Sometimes you need to change to a process multiple times for it to fix.
Physical memory is mainly used in a second instance of CE next to another one (so usually doesn't require this).

And this is why BSOD information helps instead of saying it just BSODs. My guess is that you get a "page fault in nonpaged area" exception, instead of an integrity violation error.
You can bypass that without physical memory by editing the page table entry and marking it writable before writing.

In your example:
0xfffff8800cf50880 has its page table entry at (in Win7):

0xfffff68000000000+(((0xfffff8800cf50880 & 0x0000ffffffffffff) >> 0xc)*8)=FFFFF6FC40067A80

There, change bit 1 (the second bit) to 1.

(0000768) pausebreak7 2015-02-22 00:46
Where do I modify the code?

Edit MemoryBrowserFormUnit.pas in the Cheat Engine source?
(0000769) Dark Byte 2015-02-22 01:10 (Last edited: 2015-02-22 02:29)
Best in the driver, but you can do it in the memory browser as well, or write a hook on writeProcessMemory (you can even fix it with Lua using a WPM hook).

Before you write to an address, do the calculation: PTE=$fffff68000000000+(((address and $0000ffffffffffff) shr 12)*8)
Then read the byte from that address and set bit 1 to true: bytevalue:=bytevalue or 2; and write that to the page table entry.
Then you can write the page.

In the driver you might also be able to just unset the WP bit (bit 16) in CR0, so it won't generate write-protect page faults in kernel mode, but you must disable interrupts before doing that (cli) and when done restore them (sti).
And make sure you restore the WP bit in CR0 back to the original state.

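The PTE calculation from the two notes above, written out as an added example in C (this is not Cheat Engine or Dark Byte's code). The page-table contents are a constructed in-memory table standing in for kernel reads; LARGE_VA and UNMAPPED_VA are invented for the demonstration, and only DRIVER_VA and its PTE address come from the thread. It goes beyond the thread's single formula in two ways: feeding a PTE address back into the same formula yields the PDE (the self-map recursion, checked against the well-known Win7 PDE/PPE/PXE bases), and when the PDE carries the PS bit there is no PTE at all, so the R/W bit has to be set on the PDE itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Windows 7 x64 self-map base. Windows 10 1607 and later randomize it, so
 * this constant (and the formula's fixed base) is only good for Win7/8-era
 * kernels. */
#define PTE_BASE_WIN7  0xFFFFF68000000000ULL
#define VA_MASK        0x0000FFFFFFFFFFFFULL   /* drop the 16 sign-extension bits */
#define PTE_PRESENT    (1ULL << 0)
#define PTE_RW         (1ULL << 1)             /* bit 1, the one the thread says to set */
#define PDE_LARGE      (1ULL << 7)             /* PS: 2 MiB page, the PDE is the leaf */

/* The formula from the thread: base + ((va & mask) >> 12) * 8 */
static uint64_t pte_va(uint64_t va)
{
    return PTE_BASE_WIN7 + ((va & VA_MASK) >> 12) * 8;
}

/* The PTE region is mapped through the same self-map, so feeding a PTE
 * address back in yields the PDE address, and so on up to the PML4E. */
static uint64_t pde_va(uint64_t va)   { return pte_va(pte_va(va)); }
static uint64_t pdpte_va(uint64_t va) { return pte_va(pde_va(va)); }
static uint64_t pml4e_va(uint64_t va) { return pte_va(pdpte_va(va)); }

/* ---- constructed stand-in for kernel memory (not real page tables) ---- */
#define FAKE_SLOTS 8
static struct { uint64_t va; uint64_t val; bool used; } fake[FAKE_SLOTS];

static uint64_t fake_read(uint64_t va)
{
    for (int i = 0; i < FAKE_SLOTS; i++)
        if (fake[i].used && fake[i].va == va) return fake[i].val;
    return 0;                                  /* never written: not-present entry */
}

static void fake_write(uint64_t va, uint64_t val)
{
    for (int i = 0; i < FAKE_SLOTS; i++) {
        if (!fake[i].used || fake[i].va == va) {
            fake[i].va = va; fake[i].val = val; fake[i].used = true;
            return;
        }
    }
}

#define DRIVER_VA   0xFFFFF8800CF50880ULL   /* the address from the thread, 4 KiB page */
#define LARGE_VA    0xFFFFF80002A10000ULL   /* constructed: inside a 2 MiB large page */
#define UNMAPPED_VA 0xFFFFF88010000000ULL   /* constructed: no PDE present */

static void fake_init(void)
{
    for (int i = 0; i < FAKE_SLOTS; i++) fake[i].used = false;
    /* DRIVER_VA: PDE present+writable (page-table page), PTE present but R/W=0.
     * Frame 0x41DA7A000 is the one behind the reporter's physical address
     * 41DA7A880 (frame + page offset 0x880); the flag bits are constructed. */
    fake_write(pde_va(DRIVER_VA), 0x0000000041D9F063ULL);
    fake_write(pte_va(DRIVER_VA), 0x0000000041DA7A000ULL | PTE_PRESENT);
    /* LARGE_VA: a PDE with PS set is itself the leaf; there is no PTE to patch. */
    fake_write(pde_va(LARGE_VA), 0x0000000002A00000ULL | PTE_PRESENT | PDE_LARGE);
}

/* Set R/W on the entry that actually maps `va`: the PTE for a 4 KiB page
 * (the thread's case) or the PDE for a large page. Returns the address of the
 * entry touched, or 0 when `va` is not mapped, which matters because then the
 * PTE slot itself is backed by nothing and writing it would fault. */
static uint64_t make_writable(uint64_t va)
{
    uint64_t pde_addr = pde_va(va);
    uint64_t pde = fake_read(pde_addr);
    if (!(pde & PTE_PRESENT)) return 0;
    uint64_t leaf_addr = (pde & PDE_LARGE) ? pde_addr : pte_va(va);
    uint64_t leaf = fake_read(leaf_addr);
    if (!(leaf & PTE_PRESENT)) return 0;
    if (!(leaf & PTE_RW)) fake_write(leaf_addr, leaf | PTE_RW);
    return leaf_addr;
}

int main(void)
{
    fake_init();
    printf("VA     %#llx\n", (unsigned long long)DRIVER_VA);
    printf("PTE    %#llx\n", (unsigned long long)pte_va(DRIVER_VA));
    printf("PDE    %#llx\n", (unsigned long long)pde_va(DRIVER_VA));
    printf("PDPTE  %#llx\n", (unsigned long long)pdpte_va(DRIVER_VA));
    printf("PML4E  %#llx\n", (unsigned long long)pml4e_va(DRIVER_VA));
    printf("patched entry at %#llx, now %#llx\n",
           (unsigned long long)make_writable(DRIVER_VA),
           (unsigned long long)fake_read(pte_va(DRIVER_VA)));
    return 0;
}
```

In a real driver, fake_read/fake_write become plain dereferences of the self-map addresses, and the PTE change should be followed by an invalidation of the target page (the MSVC intrinsic is __invlpg) so a stale TLB entry cannot keep treating the page as read-only. The thread's "read the byte and OR 2" works because bit 1 sits in the entry's lowest byte; this version operates on the whole 8-byte entry.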
(0000770) pausebreak7 2015-02-22 09:35 (Last edited: 2015-02-22 09:54)
I temporarily resolved it.

PTE is okay, but the driver source code I'll never understand.

Where do I modify the code? (DBKDrvr.c? memscan.c? IOPLDispatcher.c?)

Generate write-protect page faults in kernel mode: create the source code?

Dark Byte, thanks.

(0000771) Dark Byte 2015-02-22 10:49
memscan.c has a writeProcessMemory function. You can do that there.
(0000772) pausebreak7 2015-02-22 11:45
Blue screen bug check 0xBE: ATTEMPTED_WRITE_TO_READONLY_MEMORY

Where does the code need to be modified?

disableInterrupts() -> enable?

vmx_disable_dataPageFaults -> enable?


---------------------
    if (loadedbydbvm) //add an extra security around it
    {
        disableInterrupts();
        vmx_disable_dataPageFaults();
    }
    RtlCopyMemory(target, source, Size);
    ntStatus = STATUS_SUCCESS;
    if (loadedbydbvm)
    {
        UINT_PTR lastError;
        lastError = vmx_getLastSkippedPageFault();
        vmx_enable_dataPageFaults();
        enableInterrupts();
        DbgPrint("lastError=%p\n", lastError);
        if (lastError)
            ntStatus = STATUS_UNSUCCESSFUL;
    }
(0000773) Dark Byte 2015-02-22 11:52 (Last edited: 2015-02-22 11:54)
Outside of the vmx-related parts:

disableInterrupts()
setCR0(getCR0() & (~(1<<16)))

write to the memory (RtlCopyMemory might not function)

setCR0(getCR0() | (1<<16))
enableInterrupts()

(0000774) pausebreak7 2015-02-22 12:17 (Last edited: 2015-02-22 12:40)
Blue screen screenshot uploaded.

Should I compile this code?

    if (loadedbydbvm) //add an extra security around it as the PF will not be handled
    {
        disableInterrupts();
        setCR0(getCR0() & (~(1<<16)));
        vmx_disable_dataPageFaults();
    }
    for (i = 0; i < Size; i++)
    {
        target[i] = source[i];
    }
    ntStatus = STATUS_SUCCESS;
    if (loadedbydbvm)
    {
        UINT_PTR lastError;
        lastError = vmx_getLastSkippedPageFault();
        vmx_enable_dataPageFaults();
        setCR0(getCR0() | (1<<16));
        enableInterrupts();
        DbgPrint("lastError=%p\n", lastError);
        if (lastError)
            ntStatus = STATUS_UNSUCCESSFUL;
    }

(0000775) Dark Byte 2015-02-22 13:35 (Last edited: 2015-02-22 13:36)
I said to put it outside of the vmx-related parts, yet you put it in the vmx-only part.
Move it out of there, as the vmx hasn't force-loaded the driver (loadedbydbvm is false).

(0000776) pausebreak7 2015-02-22 15:20 (Last edited: 2015-02-22 15:24)
Dark Byte, sorry.

I don't know how to solve it.

Do you know for certain where in the source to modify?

Sorry, I don't know for sure.

Can you upload the modified memscan.c file?

------------------- Write Process Memory -----------
BOOLEAN WriteProcessMemory(DWORD PID, PEPROCESS PEProcess, PVOID Address, DWORD Size, PVOID Buffer)
{
    PEPROCESS selectedprocess = PEProcess;
    KAPC_STATE apc_state;
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;

    if (selectedprocess == NULL)
    {
        //DbgPrint("WriteProcessMemory:Getting PEPROCESS\n");
        if (!NT_SUCCESS(PsLookupProcessByProcessId((PVOID)(UINT_PTR)PID, &selectedprocess)))
            return FALSE; //couldn't get the PID
        //DbgPrint("Retrieved peprocess");
    }
    //selectedprocess now holds a valid peprocess value

    __try
    {
        UINT_PTR temp = (UINT_PTR)Address;
        RtlZeroMemory(&apc_state, sizeof(apc_state));
        KeAttachProcess((PEPROCESS)selectedprocess);
        __try
        {
            char* target;
            char* source;
            unsigned int i;
            //DbgPrint("Checking safety of memory\n");
            if ((IsAddressSafe((UINT_PTR)Address)) && (IsAddressSafe((UINT_PTR)Address + Size - 1)))
            {
                //still here, then I guess it's safe to read. (But I can't be 100% sure though, it's still the user's problem if he accesses memory that doesn't exist)
                target = Address;
                source = Buffer;
                if (loadedbydbvm) //add an extra security around it as the PF will not be handled
                {
                    disableInterrupts();
                    vmx_disable_dataPageFaults();
                }
                for (i = 0; i < Size; i++)
                {
                    target[i] = source[i];
                }
                ntStatus = STATUS_SUCCESS;
                if (loadedbydbvm)
                {
                    UINT_PTR lastError;
                    lastError = vmx_getLastSkippedPageFault();
                    vmx_enable_dataPageFaults();
                    enableInterrupts();
                    DbgPrint("lastError=%p\n", lastError);
                    if (lastError)
                        ntStatus = STATUS_UNSUCCESSFUL;
                }
            }
        }
        __finally
        {
            KeDetachProcess();
        }
    }
    __except(1)
    {
        //DbgPrint("Error while writing\n");
        ntStatus = STATUS_UNSUCCESSFUL;
    }

    if (PEProcess == NULL) //no valid peprocess was given so I made a reference, so let's also dereference
        ObDereferenceObject(selectedprocess);

    return NT_SUCCESS(ntStatus);
}

(0000777) Dark Byte 2015-02-23 01:10
Change CR0 and disable interrupts before the for loop, and change CR0 back and re-enable interrupts after the for loop.
Stay out of loadedbydbvm.
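
The CR0.WP sequence from notes 0000773 and 0000777, written out as an added example (not code from the Cheat Engine driver) in the shape that would replace the bare byte loop in memscan.c's WriteProcessMemory. When built as a WDK kernel driver with MSVC (assumed here to define _KERNEL_MODE) the cpu_* helpers are the real intrinsics __readcr0, __writecr0, __readeflags, _disable and _enable; in any other build they drive a constructed CPU model so the ordering can be exercised offline, with page_bytes standing in for the four bytes the reporter found at 0xfffff8800cf50880. Note what the trick does and does not cover: clearing WP only removes the write-protect fault behind bug check 0xBE, which is what the reporter hit; it does nothing about PatchGuard, which checks the regions it guards at random intervals, so a patch to one of those regions can still end in bug check 0x109 later.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define CR0_WP    (1ULL << 16)   /* CR0.WP: while set, ring 0 honours R/W=0 pages */
#define RFLAGS_IF (1ULL << 9)    /* interrupt enable flag */

#if defined(_KERNEL_MODE) && defined(_MSC_VER)
/* Real driver build (WDK, MSVC): the intrinsics behind getCR0/setCR0/cli/sti. */
#include <intrin.h>
static uint64_t cpu_read_cr0(void)        { return __readcr0(); }
static void     cpu_write_cr0(uint64_t v) { __writecr0(v); }
static uint64_t cpu_read_flags(void)      { return __readeflags(); }
static void     cpu_cli(void)             { _disable(); }
static void     cpu_sti(void)             { _enable(); }
static void     cpu_store(volatile uint8_t *p, uint8_t v) { *p = v; }
#else
/* Offline build: a constructed CPU model. Every target counts as a read-only
 * page, so a store made while WP is set is recorded as the fault that the
 * real kernel reports as bug check 0xBE. */
static uint64_t sim_cr0    = 0x80050033ULL;  /* PG|WP|NE|ET|MP|PE, typical x64 value */
static uint64_t sim_flags  = RFLAGS_IF;
static int      sim_faults = 0;
static uint64_t cpu_read_cr0(void)        { return sim_cr0; }
static void     cpu_write_cr0(uint64_t v) { sim_cr0 = v; }
static uint64_t cpu_read_flags(void)      { return sim_flags; }
static void     cpu_cli(void)             { sim_flags &= ~RFLAGS_IF; }
static void     cpu_sti(void)             { sim_flags |= RFLAGS_IF; }
static void     cpu_store(volatile uint8_t *p, uint8_t v)
{
    if (cpu_read_cr0() & CR0_WP) { sim_faults++; return; }   /* #PF -> 0xBE */
    *p = v;
}
#endif

/* The reporter's first attempt: the byte loop with WP still set. */
static void write_naive(void *target, const void *source, size_t size)
{
    volatile uint8_t *dst = (volatile uint8_t *)target;
    const uint8_t *src = (const uint8_t *)source;
    for (size_t i = 0; i < size; i++) cpu_store(&dst[i], src[i]);
}

/* The fix from the thread, around the byte loop only (no loadedbydbvm test),
 * with two details made explicit: CR0 goes back to the value read beforehand
 * rather than having WP forced on, and IF goes back to its previous state
 * rather than being unconditionally re-enabled. CR0 is per-processor, which
 * is why interrupts stay off for the whole copy: the thread must not migrate
 * between the two CR0 writes. Keep `size` small; nothing else runs on this
 * CPU meanwhile. */
static bool write_with_wp_cleared(void *target, const void *source, size_t size)
{
    volatile uint8_t *dst = (volatile uint8_t *)target;
    const uint8_t *src = (const uint8_t *)source;
    if (target == NULL || source == NULL || size == 0) return false;

    uint64_t flags = cpu_read_flags();
    cpu_cli();
    uint64_t cr0 = cpu_read_cr0();
    cpu_write_cr0(cr0 & ~CR0_WP);            /* supervisor writes now bypass R/W=0 */
    for (size_t i = 0; i < size; i++)
        cpu_store(&dst[i], src[i]);          /* byte loop, RtlCopyMemory avoided on purpose */
    cpu_write_cr0(cr0);                      /* original CR0 back, whatever WP was */
    if (flags & RFLAGS_IF) cpu_sti();
    return true;
}

/* Constructed stand-in for the four bytes the reporter saw at
 * 0xfffff8800cf50880 (48 89 54 10) and the NOPs written over them. */
static uint8_t       page_bytes[4] = { 0x48, 0x89, 0x54, 0x10 };
static const uint8_t nops[4]       = { 0x90, 0x90, 0x90, 0x90 };

#if !defined(_KERNEL_MODE)
#include <stdio.h>
int main(void)
{
    write_naive(page_bytes, nops, sizeof nops);
    printf("after naive write:    %02x %02x %02x %02x (faults: %d)\n",
           page_bytes[0], page_bytes[1], page_bytes[2], page_bytes[3], sim_faults);
    write_with_wp_cleared(page_bytes, nops, sizeof nops);
    printf("after WP-clear write: %02x %02x %02x %02x (faults: %d)\n",
           page_bytes[0], page_bytes[1], page_bytes[2], page_bytes[3], sim_faults);
    return 0;
}
#endif
```

Dropped into WriteProcessMemory, the three lines before the loop and the two after it are the whole change; the vmx block that tests loadedbydbvm stays as it is. Saving RFLAGS instead of calling sti unconditionally costs nothing and keeps the function safe if it is ever reached with interrupts already off.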
(0000778) pausebreak7 2015-02-23 08:37
Dark Byte, thank you!

I solved the problem 100%.

I am honored to know a great person like you.

Thank you for answering over such a long time ^^

Issue History
2015-02-21 13:46 pausebreak7 New Issue
2015-02-21 13:46 pausebreak7 File Added: hmm.png
2015-02-21 13:59 pausebreak7 Note Added: 0000759
2015-02-21 13:59 pausebreak7 File Added: win64ast.png
2015-02-21 18:51 Dark Byte Note Added: 0000760
2015-02-21 20:29 pausebreak7 File Added: testS.png
2015-02-21 20:32 pausebreak7 Note Added: 0000761
2015-02-21 20:34 pausebreak7 Note Edited: 0000761
2015-02-21 20:36 pausebreak7 Note Edited: 0000761
2015-02-21 20:39 pausebreak7 Note Added: 0000762
2015-02-21 20:43 pausebreak7 Note Edited: 0000761
2015-02-21 20:45 pausebreak7 Note Edited: 0000761
2015-02-21 22:28 Dark Byte Note Added: 0000764
2015-02-21 23:44 pausebreak7 Note Added: 0000766
2015-02-21 23:44 pausebreak7 File Added: Thanks.png
2015-02-21 23:56 pausebreak7 Note Edited: 0000766
2015-02-22 00:23 Dark Byte Note Added: 0000767
2015-02-22 00:23 Dark Byte Note Edited: 0000767
2015-02-22 00:46 pausebreak7 Note Added: 0000768
2015-02-22 01:06 Dark Byte Note Edited: 0000767
2015-02-22 01:10 Dark Byte Note Added: 0000769
2015-02-22 01:11 Dark Byte Note Edited: 0000769
2015-02-22 01:12 Dark Byte Note Edited: 0000769
2015-02-22 01:13 Dark Byte Note Edited: 0000769
2015-02-22 01:13 Dark Byte Note Edited: 0000769
2015-02-22 01:18 Dark Byte Note Edited: 0000769
2015-02-22 02:15 Dark Byte Note Edited: 0000769
2015-02-22 02:29 Dark Byte Note Edited: 0000769
2015-02-22 09:35 pausebreak7 Note Added: 0000770
2015-02-22 09:36 pausebreak7 Note Edited: 0000770
2015-02-22 09:54 pausebreak7 Note Edited: 0000770
2015-02-22 10:49 Dark Byte Note Added: 0000771
2015-02-22 11:45 pausebreak7 Note Added: 0000772
2015-02-22 11:52 Dark Byte Note Added: 0000773
2015-02-22 11:52 Dark Byte Note Edited: 0000773
2015-02-22 11:54 Dark Byte Note Edited: 0000773
2015-02-22 12:17 pausebreak7 Note Added: 0000774
2015-02-22 12:39 pausebreak7 File Added: bluescreen.png
2015-02-22 12:40 pausebreak7 Note Edited: 0000774
2015-02-22 13:35 Dark Byte Note Added: 0000775
2015-02-22 13:36 Dark Byte Note Edited: 0000775
2015-02-22 15:20 pausebreak7 Note Added: 0000776
2015-02-22 15:24 pausebreak7 Note Edited: 0000776
2015-02-23 01:10 Dark Byte Note Added: 0000777
2015-02-23 08:37 pausebreak7 Note Added: 0000778
2015-02-23 23:22 Dark Byte Status: new => resolved
2015-02-23 23:22 Dark Byte Resolution: open => fixed
2015-02-23 23:22 Dark Byte Assigned To: => Dark Byte