MantisBT - Cheat Engine
View Issue Details
ID: 0000387
Project: Cheat Engine
Category: (No Category)
View Status: public
Date Submitted: 2015-03-25 23:12
Last Update: 2015-04-07 20:52
Reporter: pausebreak7
Assigned To:
Priority: high
Severity: block
Reproducibility: always
Status: new
Resolution: open
Platform:
OS:
OS Version:
Summary: 0000387: Dark Byte OP (OpenProcess Detection Bypass? IDEA?)
Description
-Dbk32functions.pas-
function {OpenProcess}OP(dwDesiredAccess:DWORD;bInheritHandle:BOOL;dwProcessId:DWORD):THANDLE; stdcall;
var valid:boolean;
    //Processhandle: uint64;
    Processhandle: Thandle;
    i:integer;
    cc,x: dword;

begin

  valid:=true;
  if dwProcessId=0 then
  begin
    result:=0;
    exit;
  end;

  if hdevice<>INVALID_HANDLE_VALUE then
  begin
    cc:=IOCTL_CE_OPENPROCESS; //if this line is commented out, or hdevice,cc is changed to hdevice,0, OP does not work
    if deviceiocontrol(hdevice,cc,@dwProcessId,4,@processhandle,8,x,nil) then
    begin
      result:=processhandle;
    end
    else
      result:=0;
  end
  else
    result:=0; //no driver handle: return 0 rather than leaving result unassigned
end;

-IOPLDispatcher.c-
case IOCTL_CE_OPENPROCESS:
{
  PEPROCESS selectedprocess;
  ULONG processid=*(PULONG)Irp->AssociatedIrp.SystemBuffer;
  HANDLE ProcessHandle;
  ntStatus=STATUS_SUCCESS;
  __try
  {
    ProcessHandle=0;
    if (PsLookupProcessByProcessId((PVOID)(UINT_PTR)(processid),&selectedprocess)==STATUS_SUCCESS)
    {
      //DbgPrint("Calling ObOpenObjectByPointer\n");
      ntStatus=ObOpenObjectByPointer (
        selectedprocess,
        0,
        NULL,
        PROCESS_ALL_ACCESS,
        *PsProcessType,
        KernelMode, //UserMode,
        &ProcessHandle);
      //DbgPrint("ntStatus=%x",ntStatus);
    }
  }
  __except(1)
  {
    ntStatus=STATUS_UNSUCCESSFUL;
  }
  *(PUINT64)Irp->AssociatedIrp.SystemBuffer=(UINT64)ProcessHandle;
  break;
}
Additional Information
My Test Source Code Fix

dbk32functions.pas
original -> result:=processhandle;
     fix -> result:=processhandle xor $1234;

IOPLDispatcher.c
Original-> *(PUINT64)Irp->AssociatedIrp.SystemBuffer=(UINT64)ProcessHandle;
     Fix-> *(PUINT64)Irp->AssociatedIrp.SystemBuffer=(UINT64)ProcessHandle ^0x1234;

OpenProcess detection bypass: fail

Maybe... the OpenProcess process handle or ProcessID check detects it...

Do you have a good idea?
Tags: No tags attached.
Attached Files

Notes
(0000795) pausebreak7 2015-03-25 23:24
Sys Code IOPLDispatcher.h
// Test Compile
#define IOCTL_CE_OPENPROCESS CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0802, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) <-- Detect
//#define IOCTL_CE_OPENPROCESS <--Not Detect

//#define IOCTL_CE_READMEMORY CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0800, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
//#define IOCTL_CE_WRITEMEMORY CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0801, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
(0000796) pausebreak7 2015-03-26 01:05
Is the bypass associated with the following code?

//newkernelhandler.pas
//procedure UseDBKOpenProcess;

nthookscript:=tstringlist.create;
nthookscript.add('NtOpenProcess:');
nthookscript.add('jmp '+IntToHex(ptruint(@NOP),8));
autoassemble(nthookscript, false, true, false, true);
(0000797) pausebreak7 2015-03-30 00:54 (Last edited: 2015-03-30 00:57)
hmm, OpenProcess flag VM write delete: bypass success

original: PROCESS_ALL_ACCESS (0x1fffff)
(Query information, Set information, Set quotas, Set session ID, Create threads, Create processes, VM operation, VM read, VM write, Duplicate handles, Suspend/resume, Terminate, Synchronize, Delete, Read control, Write DAC, Write owner)
edit: 0x1FFFDF (0x1fffdf)
(Query information, Set information, Set quotas, Set session ID, Create threads, Create processes, VM operation, VM read, Duplicate handles, Suspend/resume, Terminate, Synchronize, Delete, Read control, Write DAC, Write owner)

ACCESS_MASK DesiredAccess <- Detect

Remove the vm_write function -> bypass success

But can it not be bypassed while using the functions, without removing vm_write?

You know vm_write is to be replaced with writeprocess, but while bypassing, can I apply it without having to remove the flag?
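Added example, not Cheat Engine code: it decodes the two access masks quoted in this note (0x1fffff and 0x1fffdf), names the right that differs between them, and runs the kind of check a detector applies, flagging handles to a target process whose granted access carries PROCESS_VM_WRITE. The handle list is constructed inline; the PROCESS_* bit values are the documented Windows constants.

```python
# Added example (not Cheat Engine code): decode the two access masks from the
# note above and flag handles to a target process that carry PROCESS_VM_WRITE.
# The handle list is constructed; a real check would read it from a handle
# enumerator such as NtQuerySystemInformation(SystemHandleInformation).
PROCESS_RIGHTS = {            # process-specific rights (low 16 bits)
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",     # standard rights
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_VM_WRITE = 0x0020
KNOWN_BITS = sum(PROCESS_RIGHTS)

def decode_access(mask):
    """Return (names of set rights, leftover bits with no name in the table)."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    return names, mask & ~KNOWN_BITS

def rights_dropped(original, edited):
    """Rights present in `original` but cleared in `edited`."""
    return decode_access(original & ~edited)[0]

# Constructed sample: (owner_pid, target_pid, granted_access) per handle.
SAMPLE_HANDLES = [
    (4321, 1000, 0x1FFFFF),  # PROCESS_ALL_ACCESS as quoted, includes VM write
    (4321, 1000, 0x1FFFDF),  # the edited mask from the note, VM write cleared
    (5555, 1000, 0x1410),    # query information + VM read only
    (4321, 2000, 0x0020),    # VM write, but to a different target process
]

def vm_write_handles(handles, target_pid):
    """Handles to `target_pid` whose granted access includes PROCESS_VM_WRITE."""
    return [(owner, acc) for owner, tgt, acc in handles
            if tgt == target_pid and acc & PROCESS_VM_WRITE]
```

Bits 0x4000 and 0x8000 of 0x1fffff have no PROCESS_* name, which is why decode_access reports them separately as leftover bits.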

(0000798) pausebreak7 2015-03-30 01:15 (Last edited: 2015-03-30 01:17)
Without removing the process flag

bypass idea... please

(0000799) Dark Byte 2015-04-01 14:02
try this:
change
  ntStatus=ObOpenObjectByPointer (
    selectedprocess,
    0,
    NULL,
    PROCESS_ALL_ACCESS,
    *PsProcessType,
    KernelMode, //UserMode,
    &ProcessHandle);
to
  ntStatus=STATUS_UNSUCCESSFUL;

CE will then fall back on pure kernel mode (CR3 access). (symbol lookup will fail)

(0000800) pausebreak7 2015-04-02 03:40 (Last edited: 2015-04-02 03:44)
bypass success

  ntStatus=ObOpenObjectByPointer (
    selectedprocess,
    0,
    NULL,
    0X1FFFDF,
    *PsProcessType,
    KernelMode, //UserMode,
    &ProcessHandle);

Can it not be bypassed while using the functions, without removing vm_write?

fake pid & fake handle & fake process flag idea?...

(0000801) Dark Byte 2015-04-02 15:24
remove the vm_write and see if you can still write or not (kernel-mode read/write does not look at the rights of the handle)
(0000802) pausebreak7 2015-04-03 12:20
vm_write substitute -> read/write kernelmode & usermode
but...
I would like to bypass the function without erasing vm_write
(0000803) pausebreak7 2015-04-07 20:52
I have an idea

1. OpenProcess handle DKOM (Direct Kernel Object Manipulation)

   Process target handle link hide (x64 system, not PatchGuard, possibility?)

2. Handle granted access
   Original 0x1FFFFF -> fake granted access code 0x??????

3. Target ProcessID fake change?

   Original 0x1234 -> fake PID -> 0x1234+3

Is it possible in three ways?

Issue History
2015-03-25 23:12 pausebreak7 New Issue
2015-03-25 23:24 pausebreak7 Note Added: 0000795
2015-03-26 01:05 pausebreak7 Note Added: 0000796
2015-03-30 00:54 pausebreak7 Note Added: 0000797
2015-03-30 00:55 pausebreak7 Note Edited: 0000797
2015-03-30 00:56 pausebreak7 Note Edited: 0000797
2015-03-30 00:57 pausebreak7 Note Edited: 0000797
2015-03-30 01:15 pausebreak7 Note Added: 0000798
2015-03-30 01:17 pausebreak7 Note Edited: 0000798
2015-04-01 14:02 Dark Byte Note Added: 0000799
2015-04-01 14:02 Dark Byte Note Edited: 0000799
2015-04-02 03:40 pausebreak7 Note Added: 0000800
2015-04-02 03:44 pausebreak7 Note Edited: 0000800
2015-04-02 15:24 Dark Byte Note Added: 0000801
2015-04-03 12:20 pausebreak7 Note Added: 0000802
2015-04-07 20:52 pausebreak7 Note Added: 0000803
2016-02-29 11:30 Carter Greatshow Issue cloned: 0000453