2017-03-27 08:42 CEST

Issue 0000386 - Project: Cheat Engine - Category: (No Category) - View Status: public - Last Update: 2015-03-23 22:05
Reporter: pausebreak7
Assigned To: (none)
Priority: normal   Severity: crash   Reproducibility: always
Status: new   Resolution: open
Summary: 0000386: Dark Byte Cheat engine X64 kernel Memory Edit Kernel32.dll API ALL PROCESS FIX
Description: write process memory source edit
------------------------------
    setCR0(getCR0() & (~(1<<16)));
    disableInterrupts();
    for (i=0; i<Size; i++)
    {
        target[i]=source[i];
    }
    setCR0(getCR0() | (1<<16));
    enableInterrupts();
    ntStatus = STATUS_SUCCESS;

Kernel Memory Edit Fix Source Compile

Kernel32.dll API Code Fix -> ALL PROCESS Kernel32.dll CODE FIX

I do not understand

Video link:
https://www.dropbox.com/s/1g8yqer5mc4jbba/bandicam%202015-03-24%2000-26-44-944.avi?dl=0

Tags: No tags attached.
Notes

~0000792

Dark Byte (developer)

Last edited: 2015-03-23 20:51


If you disable the write exception, you also skip the "copy-on-write" mechanism in Windows, which will copy the page and assign it to that specific process specifically.
So instead of editing it for one process, you're editing it for all processes that share that specific page.

The easiest solution is to only apply the setCR0 code when the address is bigger than 0xf000000000000000ULL

~0000793

pausebreak7 (reporter)

//simple Code PLZ
//Sorry Darkbyte
//I do not know how to write code
//Can you help me out?


    setCR0(getCR0() & (~(1<<16)));
    disableInterrupts();
    for (i=0; i<Size; i++)
    {
        target[i]=source[i];
    }
    setCR0(getCR0() | (1<<16));
    enableInterrupts();


--WriteProcessMemory Source CODE--

BOOLEAN WriteProcessMemory(DWORD PID,PEPROCESS PEProcess,PVOID Address,DWORD Size, PVOID Buffer)
{
    PEPROCESS selectedprocess=PEProcess;
    KAPC_STATE apc_state;
    NTSTATUS ntStatus=STATUS_UNSUCCESSFUL;

    if (selectedprocess==NULL)
    {
        //DbgPrint("WriteProcessMemory:Getting PEPROCESS\n");
        if (!NT_SUCCESS(PsLookupProcessByProcessId((PVOID)(UINT_PTR)PID,&selectedprocess)))
            return FALSE; //couldn't get the PID
        //DbgPrint("Retrieved peprocess");
    }

    //selectedprocess now holds a valid peprocess value
    __try
    {
        UINT_PTR temp=(UINT_PTR)Address;
        RtlZeroMemory(&apc_state,sizeof(apc_state));
        KeAttachProcess((PEPROCESS)selectedprocess);
        __try
        {
            char* target;
            char* source;
            unsigned int i;
            //DbgPrint("Checking safety of memory\n");
            if ((IsAddressSafe((UINT_PTR)Address)) && (IsAddressSafe((UINT_PTR)Address+Size-1)))
            {
                //still here, then I guess it's safe to read. (But I can't be 100% sure though, it's still the user's problem if he accesses memory that doesn't exist)
                target=Address;
                source=Buffer;
                if (loadedbydbvm) //add an extra security around it as the PF will not be handled
                {
                    disableInterrupts();
                    vmx_disable_dataPageFaults();
                }
                setCR0(getCR0() & (~(1<<16)));   //clear CR0.WP so supervisor writes ignore read-only page mappings
                disableInterrupts();
                for (i=0; i<Size; i++)
                {
                    target[i]=source[i];
                }
                setCR0(getCR0() | (1<<16));      //restore CR0.WP
                enableInterrupts();
                ntStatus = STATUS_SUCCESS;
                if (loadedbydbvm)
                {
                    UINT_PTR lastError;
                    lastError=vmx_getLastSkippedPageFault();
                    vmx_enable_dataPageFaults();
                    enableInterrupts();
                    DbgPrint("lastError=%p\n", lastError);
                    if (lastError)
                        ntStatus=STATUS_UNSUCCESSFUL;
                }
            }
        }
        __finally
        {
            KeDetachProcess();
        }
    }
    __except(1)
    {
        //DbgPrint("Error while writing\n");
        ntStatus = STATUS_UNSUCCESSFUL;
    }

    if (PEProcess==NULL) //no valid peprocess was given so I made a reference, so let's also dereference
        ObDereferenceObject(selectedprocess);

    return NT_SUCCESS(ntStatus);
}

~0000794

pausebreak7 (reporter)

Last edited: 2015-03-23 22:05


I solved the problem

Thank you dark byte

have a nice day

////////my fix code////////

    BOOLEAN wpCleared = FALSE;
    if ((UINT_PTR)target > 0xf000000000000000ULL) //kernel32.dll fix compare: only bypass write protection for kernel-range targets
    {
        setCR0(getCR0() & (~(1<<16)));   //clear CR0.WP
        disableInterrupts();
        wpCleared = TRUE;
    }
    for (i=0; i<Size; i++)
    {
        target[i]=source[i];             //user-range targets go through the normal copy-on-write path
    }
    if (wpCleared)
    {
        setCR0(getCR0() | (1<<16));      //restore CR0.WP only if we cleared it
        enableInterrupts();
    }
    ntStatus = STATUS_SUCCESS;

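Added example (not Cheat Engine's driver code, and not code from either participant): a user-mode C model of what note 0000792 describes and what the fix in note 0000794 gates on. Two simulated processes map one physical page copy-on-write; a write that honours the page-table W bit faults and gets a private copy, while a write made with CR0.WP cleared skips the fault and modifies the shared physical page, so the other process sees it. The page-table structures, the process names, the sample addresses and the page contents are all constructed for the model; the 0xf000000000000000ULL threshold is the one quoted in the notes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (example code added here, not Cheat Engine source).
 * Two processes share one physical page copy-on-write. A write that respects
 * the W bit gets a private copy; a write made with CR0.WP cleared ignores the
 * W bit and lands on the shared physical page, so every mapper sees it. */

#define PAGE_SIZE   64
#define NUM_PHYS    4
#define KERNEL_BASE 0xf000000000000000ULL  /* threshold quoted in note 0000792 */

typedef struct {
    int phys;      /* index into phys_pages */
    int writable;  /* page-table W bit; 0 = read-only copy-on-write mapping */
} pte_t;

typedef struct {
    const char *name;
    pte_t pte;     /* a one-page address space is enough for the model */
} process_t;

static unsigned char phys_pages[NUM_PHYS][PAGE_SIZE];
static int next_free_phys;

/* Write that honours the W bit: a read-only COW page is copied first and
 * only this process's page table is pointed at the copy. */
static void write_byte_normal(process_t *p, unsigned off, unsigned char val)
{
    if (!p->pte.writable) {
        int copy = next_free_phys++;               /* simulated COW fault handler */
        memcpy(phys_pages[copy], phys_pages[p->pte.phys], PAGE_SIZE);
        p->pte.phys = copy;
        p->pte.writable = 1;
    }
    phys_pages[p->pte.phys][off] = val;
}

/* Write with CR0.WP cleared: supervisor code ignores the W bit, so there is
 * no fault, no copy, and the shared physical page itself is modified. */
static void write_byte_wp_cleared(process_t *p, unsigned off, unsigned char val)
{
    phys_pages[p->pte.phys][off] = val;
}

/* Gate from note 0000792: bypass write protection only for kernel-range
 * targets, whose pages are shared by every process by design. */
static int should_clear_wp(uint64_t address)
{
    return address > KERNEL_BASE;
}

static void write_byte_gated(process_t *p, uint64_t address, unsigned off, unsigned char val)
{
    if (should_clear_wp(address))
        write_byte_wp_cleared(p, off, val);
    else
        write_byte_normal(p, off, val);
}

/* Scenario: processes A and B share physical page 0 read-only (COW); byte 3
 * holds 0x41. A writes 0x42 to byte 3 of the page mapped at `address`, either
 * with WP cleared unconditionally (the reporter's original code) or through
 * the gated path. Returns the byte B observes afterwards. */
static unsigned char observed_by_other(uint64_t address, int clear_wp_unconditionally)
{
    process_t a = { "A", { 0, 0 } };
    process_t b = { "B", { 0, 0 } };

    memset(phys_pages, 0, sizeof phys_pages);
    next_free_phys = 1;
    phys_pages[0][3] = 0x41;

    if (clear_wp_unconditionally)
        write_byte_wp_cleared(&a, 3, 0x42);
    else
        write_byte_gated(&a, address, 3, 0x42);

    return phys_pages[b.pte.phys][3];
}

int main(void)
{
    uint64_t user_addr   = 0x00007ff601001003ULL;  /* constructed user-mode address */
    uint64_t kernel_addr = 0xfffff80012345003ULL;  /* constructed kernel-mode address */

    printf("user target, WP cleared unconditionally: B sees 0x%02x (shared page modified)\n",
           observed_by_other(user_addr, 1));
    printf("user target, gated:                      B sees 0x%02x (A got a private copy)\n",
           observed_by_other(user_addr, 0));
    printf("kernel target, gated:                    B sees 0x%02x (kernel pages are shared)\n",
           observed_by_other(kernel_addr, 0));
    return 0;
}
```

The first line of output is the reported symptom: with WP cleared for a user-range target, the byte changes in every process mapping that page. The gated path leaves user-range writes to the normal fault path, so only the writing process gets the modified copy, while kernel-range writes still bypass protection as intended.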

Issue History
Date Modified      Username           Field          Change
2015-03-23 18:52   pausebreak7        New Issue
2015-03-23 20:51   Dark Byte          Note Added     0000792
2015-03-23 20:51   Dark Byte          Note Edited    0000792
2015-03-23 21:42   pausebreak7        Note Added     0000793
2015-03-23 22:04   pausebreak7        Note Added     0000794
2015-03-23 22:05   pausebreak7        Note Edited    0000794
2016-02-29 11:30   Carter Greatshow   Issue cloned   0000455