MantisBT - Cheat Engine
View Issue Details
ID: 0000413
Project: Cheat Engine
Category: (No Category)
View Status: public
Date Submitted: 2015-10-14 15:07
Last Update: 2015-11-19 22:07
Reporter: pausebreak7
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform: windows7
OS: x64
OS Version:
Summary: 0000413: dark byte OpenProcess Fake Code impossible?
Description:
video link openprocess detect idea:
https://www.dropbox.com/s/wm30g3hors0rdeu/bandicam%202015-10-14%2021-32-58-820.avi?dl=0
Steps To Reproduce:
process handle information fake information change possible?
0x1f1fff
1.Query information
2.Set information
3.Set quotas
4.Set session ID
5.Create threads
6.Create processes
7.VM operation
8.VM read
9.VM write
10.Duplicate handles
11.Suspend/resume
12.Terminate
13.Synchronize
14.Delete
15.Read control
16.Write DAC
17.Write owner
Additional Information:
two Patch Guard Disable Mode ProcessHandle information dkom but Detect

hidecon process handle pht option handle list hide
link:
http://fyyre.ivory-tower.de/projects/hidecon.rar

processhacker link:
http://processhacker.sourceforge.net/downloads.php

============================================================

three

DBVM Machine VM_OPENPROCESS READ Write virtual openprocess possible?

============================================================
obregistercallback hiding Process

Openprocess access denied

ctrl+alt+s Enumerate dll information not view

Do you get the information without the openprocess?

thank you dark byte

Tags: No tags attached.
Attached Files:
test.png (123,740) 2015-10-16 05:59
http://cheatengine.org/mantis/file_download.php?file_id=159&type=bug
test2.png (57,796) 2015-10-16 17:35
http://cheatengine.org/mantis/file_download.php?file_id=160&type=bug
test3.png (55,567) 2015-10-20 09:56
http://cheatengine.org/mantis/file_download.php?file_id=161&type=bug


Notes

(0000881) pausebreak7 2015-10-16 05:58
0x1010 (Query limited information, VM read)

OpenProcess Minimal options
Enumerate information View Success
User, Kernel both impossible without an openprocess?

========================================================

0x1a (Create threads, VM operation, VM read)
OpenProcess Minimal options
dbvm load breakpoint access success
Is debugging impossible without the use of OP options?
========================================================

With OpenProcess properties detection, can it be bypassed without using the above options?
(0000882) pausebreak7 2015-10-16 06:51
VOID ChangeProcAccess (
    ACCESS_MASK *pDesiredAccess
    )
{
    ACCESS_MASK DesiredAcces = *pDesiredAccess;
/*
    DesiredAcces &= ~PROCESS_CREATE_THREAD;
    DesiredAcces &= ~PROCESS_CREATE_PROCESS;
    DesiredAcces &= ~PROCESS_TERMINATE;
    DesiredAcces &= ~PROCESS_VM_WRITE;
    DesiredAcces &= ~PROCESS_VM_READ;
    DesiredAcces &= ~PROCESS_VM_OPERATION;
    DesiredAcces &= ~PROCESS_SUSPEND_RESUME;
    DesiredAcces &= ~PROCESS_DUP_HANDLE;
    *pDesiredAccess = DesiredAcces;
*/
    /* clear every bit of the full process mask 0x1F0FFF in one step */
    *pDesiredAccess = ~0x1F0FFF;
}

*pDesiredAccess = ~0x1F0FFF //obregistercallback Process handle protect flag on
*pDesiredAccess = 0x1F0FFF //obregistercallback Process handle protect flag off

my driver create *pDesiredAccess = 0x1F0FFF Driver Run Protect Flag OFF

But Security Process -> Engine Openprocess option information
vmread,vmwrite,createthread,VM_OPERATION,TERMINATE etc

Release the protection force to detect if you have information to confirm the OpenProcess options

=====================================================================
0x101a implementing the minimum required information on the engine without using the Openprocess?

======================================================================
user, kernel openprocess disabled
DBVM VirtualMachine VMOPENPROCESS POSSIBLE?
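
Added example, not code from this report or from Cheat Engine: a portable C program that decodes a process ACCESS_MASK into the right names the list in the description uses, applies the kind of right stripping the ChangeProcAccess callback above performs, and audits a constructed handle-table snapshot the way a handle-monitoring anti-tamper check would, flagging handles held by other processes on a protected pid that carry tampering rights. The PROCESS_* and standard-right values are the documented winnt.h constants; HandleEntry, the sample rows, pids and handle values are made up for the demo, and a real snapshot would come from a system handle enumeration rather than the embedded table.

```c
/* Added example, not code from this report or from Cheat Engine: decode a
 * process ACCESS_MASK, apply callback-style right stripping, and audit a
 * constructed handle-table snapshot for tampering-capable handles. PROCESS_*
 * and standard rights are the documented winnt.h values; HandleEntry, the
 * sample rows, pids and handle values are constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ACCESS_MASK;

enum { PROCESS_TERMINATE = 0x0001, PROCESS_CREATE_THREAD = 0x0002, PROCESS_SET_SESSIONID = 0x0004,
       PROCESS_VM_OPERATION = 0x0008, PROCESS_VM_READ = 0x0010, PROCESS_VM_WRITE = 0x0020,
       PROCESS_DUP_HANDLE = 0x0040, PROCESS_CREATE_PROCESS = 0x0080, PROCESS_SET_QUOTA = 0x0100,
       PROCESS_SET_INFORMATION = 0x0200, PROCESS_QUERY_INFORMATION = 0x0400,
       PROCESS_SUSPEND_RESUME = 0x0800, PROCESS_QUERY_LIMITED_INFORMATION = 0x1000,
       DELETE = 0x10000, READ_CONTROL = 0x20000, WRITE_DAC = 0x40000, WRITE_OWNER = 0x80000,
       SYNCHRONIZE = 0x100000 };

/* Right names in the order the report's list gives them, plus the Vista+
 * "Query limited information" bit (0x1000) that 0x1F0FFF does not cover. */
static const struct { ACCESS_MASK bit; const char *name; } k_rights[] = {
    { PROCESS_QUERY_INFORMATION, "Query information" }, { PROCESS_SET_INFORMATION, "Set information" },
    { PROCESS_SET_QUOTA, "Set quotas" }, { PROCESS_SET_SESSIONID, "Set session ID" },
    { PROCESS_CREATE_THREAD, "Create threads" }, { PROCESS_CREATE_PROCESS, "Create processes" },
    { PROCESS_VM_OPERATION, "VM operation" }, { PROCESS_VM_READ, "VM read" },
    { PROCESS_VM_WRITE, "VM write" }, { PROCESS_DUP_HANDLE, "Duplicate handles" },
    { PROCESS_SUSPEND_RESUME, "Suspend/resume" }, { PROCESS_TERMINATE, "Terminate" },
    { PROCESS_QUERY_LIMITED_INFORMATION, "Query limited information" }, { SYNCHRONIZE, "Synchronize" },
    { DELETE, "Delete" }, { READ_CONTROL, "Read control" }, { WRITE_DAC, "Write DAC" },
    { WRITE_OWNER, "Write owner" },
};

/* Rights that change the target rather than observe it: the set ChangeProcAccess's commented block strips. */
#define TAMPER_RIGHTS (PROCESS_CREATE_THREAD | PROCESS_CREATE_PROCESS | PROCESS_TERMINATE | \
                       PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION | \
                       PROCESS_SUSPEND_RESUME | PROCESS_DUP_HANDLE)

/* Write the names of the rights set in mask to out (if non-NULL, truncating at cap); return the count. */
size_t decode_access(ACCESS_MASK mask, char *out, size_t cap)
{
    size_t n = 0, used = 0;
    if (out && cap) out[0] = '\0';
    for (size_t i = 0; i < sizeof k_rights / sizeof k_rights[0]; i++) {
        if (!(mask & k_rights[i].bit)) continue;
        if (out && cap) {
            int w = snprintf(out + used, cap - used, "%s%s", n ? ", " : "", k_rights[i].name);
            if (w > 0) used = (used + (size_t)w < cap) ? used + (size_t)w : cap - 1;
        }
        n++;
    }
    return n;
}

/* What a right-stripping pre-operation callback leaves of a requested mask. */
ACCESS_MASK strip_tamper_rights(ACCESS_MASK requested)
{
    return requested & ~(ACCESS_MASK)TAMPER_RIGHTS;
}

/* One row of a system handle-table snapshot (constructed layout). */
typedef struct { uint32_t owner_pid, target_pid, handle_value; ACCESS_MASK granted_access; } HandleEntry;

/* Count handles held by other processes on protected_pid with any tamper right; copy up to cap to out. */
size_t audit_handles(const HandleEntry *table, size_t n, uint32_t protected_pid,
                     HandleEntry *out, size_t cap)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        const HandleEntry *h = &table[i];
        if (h->target_pid != protected_pid || h->owner_pid == protected_pid) continue;
        if (!(h->granted_access & TAMPER_RIGHTS)) continue;   /* query-only handle: passes */
        if (out && hits < cap) out[hits] = *h;
        hits++;
    }
    return hits;
}

/* Constructed snapshot; pid 1234 plays the protected process. */
static const HandleEntry k_sample[] = {
    { 1234, 1234, 0x004, 0x1FFFFF }, /* the process's own handle: ignored */
    { 2048, 1234, 0x278, 0x001010 }, /* query limited + VM read: flagged */
    { 2048, 1234, 0x27C, 0x001000 }, /* query limited only: passes */
    { 3000, 5555, 0x100, 0x1F0FFF }, /* different target: ignored */
    { 4100, 1234, 0x1A0, 0x00001A }, /* create thread + VM op + VM read: flagged */
};
#define SAMPLE_LEN (sizeof k_sample / sizeof k_sample[0])

int main(void)
{
    char names[512];
    HandleEntry flagged[SAMPLE_LEN];
    size_t hits = audit_handles(k_sample, SAMPLE_LEN, 1234, flagged, SAMPLE_LEN);
    for (size_t i = 0; i < hits; i++) {
        decode_access(flagged[i].granted_access, names, sizeof names);
        printf("pid %u holds 0x%X on pid %u: %s\n", (unsigned)flagged[i].owner_pid,
               (unsigned)flagged[i].granted_access, (unsigned)flagged[i].target_pid, names);
    }
    decode_access(strip_tamper_rights(0x1F0FFF), names, sizeof names);
    printf("0x1F0FFF after stripping: %s\n", names);
    return 0;
}
```

Note that the 0x1010 row is flagged even though it is the "minimal" mask from note 0000881: PROCESS_VM_READ on its own is enough to read another process's memory, so a monitor that trusts only query-class rights still reports it, while 0x1000 (Query limited information alone) passes.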
(0000883) pausebreak7 2015-10-16 17:35
Duplicate Handle from CSRSS.exe

Process Handle Csrss.exe

Csrss Process handle information copy -> Engine Target Process Access possible?

===============================================================================
process target open->handle 0x278 create
but 0x278 created information ->detected!
0x278 no created ->not detect
csrss.exe handle link access fake possible?
(0000884) pausebreak7 2015-10-19 17:47
Process list reload click ->openprocess detect!

windows list reload click ->not detect!

Processlist reload handle detect

windows list reload handle not detect -> But Process Open -> Detect!

ObOpenObjectByPointer ->ZwOpenProcess
Api Change And Handle Access information hide & Fake information Possible?
(0000885) pausebreak7 2015-10-20 04:41
original:
ntStatus = ObOpenObjectByPointer(
    selectedprocess,
    0,
    NULL,
    PROCESS_ALL_ACCESS,
    *PsProcessType,
    KernelMode, //UserMode,
    &ProcessHandle);
edit:
ntStatus = ObOpenObjectByPointer(
    selectedprocess,
    0,
    NULL,
    //PROCESS_ALL_ACCESS,
    *PsProcessType,
    KernelMode, //UserMode,
    &ProcessHandle);

PROCESS_ALL_ACCESS DELETE ->NOT DETECT

BUT
1.DBVM LOAD DBVM DEBUG CRASH
2.ENUMERATE DLL'S AND SYMBOL INFORMATION NOT VIEW

Do you write two functions without using the OP(OPENPROCESS)?
(0000886) pausebreak7 2015-10-20 05:39 (Last edited: 2015-10-20 06:21)
maybe..

ZwQuerySystemInformation system handle list structure

pid& openprocess access information detect?

====================================================
driver hiding detect bypass possible?

http://www.rohitab.com/discuss/topic/41522-hiding-loaded-driver-with-dkom/

dbkdrvc.c

line 80 fix?

(0000887) pausebreak7 2015-10-20 09:56
bypass idea

External handle 0x0

Cheat Engine Fake or inside handle 0x1F0FFF Possible?
(0000889) pausebreak7 2015-10-29 12:47
GetModuleFileNameEx -> NtReadVirtualMemory -> PEB -> LDR -> NtQueryVirtualMemory PROCESS_QUERY_INFORMATION?
NtReadVirtualMemory -> PROCESS_VM_READ?

Can I use the openprocess created an API of his own?

handle open address & object bypass impossible?
(0000893) pausebreak7 2015-11-14 11:20
openprocess obregistercallback guard Ignore

force openprocess ctrl+alt+s enumerate dll & process handle open possible?

-;;
(0000897) Dark Byte 2015-11-19 22:07
You have access to the memory, but just lack some of the query tools.

If you have no valid process handle, but wish a dll list, then you will have to get that data manually.
e.g. scan through the memory looking for the MZ/PE header of a module, and then enumerate the symbols when found. Or use the Windows internal structures on where it stores that information.
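
Added example to go with the reply above; it is not Dark Byte's or Cheat Engine's code. It shows the "scan memory for the MZ/PE header" idea as a carving pass over a memory-dump buffer, the way a forensic module finder locates images without any process handle: walk page boundaries, validate the DOS and PE signatures, machine type and optional-header magic with bounds checks, and report each image's offset, section count and SizeOfImage. The field offsets follow the PE/COFF format; the three-page dump (filler, one x64 header, one decoy "MZ" whose e_lfanew points outside the buffer), PAGE_SIZE and the helper names are constructed for the demo.

```c
/* Added example, not Dark Byte's or Cheat Engine's code: the "scan memory for
 * the MZ/PE header" idea as a carving pass over a memory-dump buffer, the way a
 * forensic module finder locates images without a process handle. Field
 * offsets follow the PE/COFF format; the dump contents, PAGE_SIZE and the
 * helper names are constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096u

typedef struct {
    size_t   offset;        /* where in the dump the image starts */
    uint16_t machine;       /* IMAGE_FILE_MACHINE_* */
    uint16_t sections;      /* NumberOfSections */
    uint32_t size_of_image; /* OptionalHeader.SizeOfImage */
    int      pe32plus;      /* 1 for the 64-bit optional header */
} PeHit;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Validate a candidate image at off; every read is bounds-checked against len.
 * Returns 1 and fills hit when the DOS/PE signatures, machine type and
 * optional-header magic all check out, 0 otherwise. */
int parse_pe_at(const uint8_t *buf, size_t len, size_t off, PeHit *hit)
{
    if (off + 0x40 > len || buf[off] != 'M' || buf[off + 1] != 'Z') return 0;
    uint32_t e_lfanew = rd32(buf + off + 0x3C);
    /* need signature (4) + IMAGE_FILE_HEADER (20) + optional header through SizeOfImage (60) */
    if (e_lfanew > len || off + e_lfanew + 4 + 20 + 60 > len) return 0;
    const uint8_t *nt = buf + off + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return 0;
    uint16_t machine = rd16(nt + 4);
    if (machine != 0x014C && machine != 0x8664) return 0;   /* I386 or AMD64 */
    uint16_t magic = rd16(nt + 24);                         /* optional header starts at +24 */
    if (magic != 0x10B && magic != 0x20B) return 0;         /* PE32 or PE32+ */
    hit->offset = off;
    hit->machine = machine;
    hit->sections = rd16(nt + 6);
    hit->size_of_image = rd32(nt + 24 + 56);                /* same offset in both formats */
    hit->pe32plus = (magic == 0x20B);
    return 1;
}

/* Walk every page boundary of the dump; mapped images are page-aligned. */
size_t scan_for_images(const uint8_t *buf, size_t len, PeHit *out, size_t cap)
{
    size_t hits = 0;
    for (size_t off = 0; off + 0x40 <= len; off += PAGE_SIZE) {
        PeHit h;
        if (!parse_pe_at(buf, len, off, &h)) continue;
        if (out && hits < cap) out[hits] = h;
        hits++;
    }
    return hits;
}

static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Constructed three-page dump: filler, one valid x64 image header, and a decoy
 * page that starts with "MZ" but whose e_lfanew points outside the buffer. */
#define SAMPLE_LEN (3 * PAGE_SIZE)
void build_sample_dump(uint8_t *buf)
{
    memset(buf, 0xCC, SAMPLE_LEN);
    uint8_t *img = buf + PAGE_SIZE;
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x80);                 /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);
    wr16(img + 0x84, 0x8664);               /* Machine = AMD64 */
    wr16(img + 0x86, 5);                    /* NumberOfSections */
    wr16(img + 0x94, 0xF0);                 /* SizeOfOptionalHeader for PE32+ */
    wr16(img + 0x98, 0x20B);                /* OptionalHeader.Magic = PE32+ */
    wr32(img + 0x98 + 56, 0x23000);         /* OptionalHeader.SizeOfImage */
    uint8_t *decoy = buf + 2 * PAGE_SIZE;
    decoy[0] = 'M'; decoy[1] = 'Z';
    wr32(decoy + 0x3C, 0xFFFFF000u);        /* e_lfanew far outside the dump */
}

int main(void)
{
    uint8_t dump[SAMPLE_LEN];
    PeHit hits[4];
    build_sample_dump(dump);
    size_t n = scan_for_images(dump, SAMPLE_LEN, hits, 4);
    for (size_t i = 0; i < n; i++)
        printf("image at +0x%zX: machine 0x%X, %u sections, SizeOfImage 0x%X (%s)\n",
               hits[i].offset, (unsigned)hits[i].machine, (unsigned)hits[i].sections,
               (unsigned)hits[i].size_of_image, hits[i].pe32plus ? "PE32+" : "PE32");
    return 0;
}
```

Once an image is located this way, the export table and the loader's own module list live inside the same dump and can be parsed from the found header with the same bounds-checked reads; the decoy page shows why every pointer read from the dump has to be validated before it is followed.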

Issue History
2015-10-14 15:07  pausebreak7       New Issue
2015-10-16 05:58  pausebreak7       Note Added: 0000881
2015-10-16 05:59  pausebreak7       File Added: test.png
2015-10-16 06:51  pausebreak7       Note Added: 0000882
2015-10-16 17:35  pausebreak7       Note Added: 0000883
2015-10-16 17:35  pausebreak7       File Added: test2.png
2015-10-19 17:47  pausebreak7       Note Added: 0000884
2015-10-20 04:41  pausebreak7       Note Added: 0000885
2015-10-20 05:39  pausebreak7       Note Added: 0000886
2015-10-20 06:21  pausebreak7       Note Edited: 0000886 (bug_revision_view_page.php?bugnote_id=886#r115)
2015-10-20 09:56  pausebreak7       Note Added: 0000887
2015-10-20 09:56  pausebreak7       File Added: test3.png
2015-10-29 12:47  pausebreak7       Note Added: 0000889
2015-11-14 11:20  pausebreak7       Note Added: 0000893
2015-11-19 22:07  Dark Byte         Note Added: 0000897
2016-02-29 11:30  Carter Greatshow  Issue cloned: 0000441