2017-12-15 22:40 CET

Issue Details

ID: 0000387
Project: Cheat Engine
Category: (No Category)
View Status: public
Last Update: 2015-04-07 20:52
Reporter: pausebreak7
Assigned To:
Priority: high
Severity: block
Reproducibility: always
Status: new
Resolution: open
Summary: 0000387: Dark Byte OP (OpenProcess detection bypass? Idea?)
Description: -Dbk32functions.pas-

function {OpenProcess}OP(dwDesiredAccess:DWORD;bInheritHandle:BOOL;dwProcessId:DWORD):THANDLE; stdcall;
var valid:boolean;
    //Processhandle: uint64;
    Processhandle: Thandle;
    i:integer;
    cc,x: dword;

begin

  valid:=true;
  if dwProcessId=0 then
  begin
    result:=0;
    exit;
  end;

  if hdevice<>INVALID_HANDLE_VALUE then
  begin
    cc:=IOCTL_CE_OPENPROCESS; //if this line is commented out, or hdevice,cc is changed to hdevice,0, OP does not work
    if deviceiocontrol(hdevice,cc,@dwProcessId,4,@processhandle,8,x,nil) then
    begin
      result:=processhandle;
    end
    else
      result:=0;
  end
  else
    result:=0; //driver handle not open: assumed fallback, added here so the fragment is complete
end;

-IOPLDispatcher.c-

case IOCTL_CE_OPENPROCESS:
{
    PEPROCESS selectedprocess;
    ULONG processid=*(PULONG)Irp->AssociatedIrp.SystemBuffer;
    HANDLE ProcessHandle;
    ntStatus=STATUS_SUCCESS;
    __try
    {
        ProcessHandle=0;
        if (PsLookupProcessByProcessId((PVOID)(UINT_PTR)(processid),&selectedprocess)==STATUS_SUCCESS)
        {
            //DbgPrint("Calling ObOpenObjectByPointer\n");
            ntStatus=ObOpenObjectByPointer (
                selectedprocess,
                0,
                NULL,
                PROCESS_ALL_ACCESS,
                *PsProcessType,
                KernelMode, //UserMode,
                &ProcessHandle);
            //DbgPrint("ntStatus=%x",ntStatus);
        }
    }
    __except(1)
    {
        ntStatus=STATUS_UNSUCCESSFUL;
    }
    *(PUINT64)Irp->AssociatedIrp.SystemBuffer=(UINT64)ProcessHandle;
    break;
}
Additional Information: My test source code fix

dbk32functions.pas
original -> result:=processhandle;
     fix -> result:=processhandle xor $1234;

IOPLDispatcher.c
Original-> *(PUINT64)Irp->AssociatedIrp.SystemBuffer=(UINT64)ProcessHandle;
     Fix-> *(PUINT64)Irp->AssociatedIrp.SystemBuffer=(UINT64)ProcessHandle ^0x1234;

OpenProcess detection bypass: fail.

Maybe...

OpenProcess process handle or process ID check detected...

Do you have a good idea?
Tags: No tags attached.

Notes

~0000795

pausebreak7 (reporter)

Sys code, IOPLDispatcher.h:
// Test Compile
#define IOCTL_CE_OPENPROCESS CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0802, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) <-- Detect
//#define IOCTL_CE_OPENPROCESS <--Not Detect

//#define IOCTL_CE_READMEMORY CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0800, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
//#define IOCTL_CE_WRITEMEMORY CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0801, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)

~0000796

pausebreak7 (reporter)

Is the bypass associated with the following code?

//newkernelhandler.pas
//procedure UseDBKOpenProcess;

nthookscript:=tstringlist.create;
nthookscript.add('NtOpenProcess:');
nthookscript.add('jmp '+IntToHex(ptruint(@NOP),8));
autoassemble(nthookscript, false, true, false, true);

~0000797

pausebreak7 (reporter)

Last edited: 2015-03-30 00:57

Hmm, deleting the VM write flag from OpenProcess: bypass success.

original: PROCESS_ALL_ACCESS (0x1fffff)
(Query information, Set information, Set quotas, Set session ID, Create threads, Create processes, VM operation, VM read, VM write, Duplicate handles, Suspend/resume, Terminate, Synchronize, Delete, Read control, Write DAC, Write owner)
edit: 0x1FFFDF (0x1fffdf)
(Query information, Set information, Set quotas, Set session ID, Create threads, Create processes, VM operation, VM read, Duplicate handles, Suspend/resume, Terminate, Synchronize, Delete, Read control, Write DAC, Write owner)

ACCESS_MASK DesiredAccess <- Detect

Remove the vm_write function -> bypass success

But can it not be bypassed while using the functions, without removing vm_write?

You know you're vm_write to be replaced with the writeprocess, but not while bypassing; do I apply it without having to remove the flag?

~0000798

pausebreak7 (reporter)

Last edited: 2015-03-30 01:17

Without removing the process flag: bypass idea... please

~0000799

Dark Byte (developer)

Last edited: 2015-04-01 14:02

Try this:
change
    ntStatus=ObOpenObjectByPointer (
        selectedprocess,
        0,
        NULL,
        PROCESS_ALL_ACCESS,
        *PsProcessType,
        KernelMode, //UserMode,
        &ProcessHandle);
to
    ntStatus=STATUS_UNSUCCESSFUL;

CE will then fall back on pure kernel mode (CR3 access). (Symbol lookup will fail.)

~0000800

pausebreak7 (reporter)

Last edited: 2015-04-02 03:44

Bypass success:

    ntStatus=ObOpenObjectByPointer (
        selectedprocess,
        0,
        NULL,
        0X1FFFDF,
        *PsProcessType,
        KernelMode, //UserMode,
        &ProcessHandle);

Can it not be bypassed while using the functions, without removing vm_write?

Fake PID & fake handle & fake process flag idea?...
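To make the access-mask values traded in notes 0000797 and 0000800 readable on the detection side, here is an added example (not Cheat Engine code, and not from either participant) that decodes a Windows process ACCESS_MASK into named rights, reports what a trimmed mask gave up, and applies a simple "can this handle still inject" heuristic. The bit constants are the documented Win32 values; the helper names and the heuristic are this example's own.

```c
/* Added example (not Cheat Engine code): decode a Windows process ACCESS_MASK,
 * e.g. from handle enumeration, into named rights. Constants are the documented
 * Win32 values, so no Windows headers are needed; helper names are our own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef uint32_t access_mask_t;
static const struct { access_mask_t bit; const char *name; } RIGHTS[] = {
    {0x0001,"PROCESS_TERMINATE"}, {0x0002,"PROCESS_CREATE_THREAD"}, {0x0004,"PROCESS_SET_SESSIONID"},
    {0x0008,"PROCESS_VM_OPERATION"}, {0x0010,"PROCESS_VM_READ"}, {0x0020,"PROCESS_VM_WRITE"},
    {0x0040,"PROCESS_DUP_HANDLE"}, {0x0080,"PROCESS_CREATE_PROCESS"}, {0x0100,"PROCESS_SET_QUOTA"},
    {0x0200,"PROCESS_SET_INFORMATION"}, {0x0400,"PROCESS_QUERY_INFORMATION"},
    {0x0800,"PROCESS_SUSPEND_RESUME"}, {0x1000,"PROCESS_QUERY_LIMITED_INFORMATION"},
    {0x2000,"PROCESS_SET_LIMITED_INFORMATION"}, {0x10000,"DELETE"}, {0x20000,"READ_CONTROL"},
    {0x40000,"WRITE_DAC"}, {0x80000,"WRITE_OWNER"}, {0x100000,"SYNCHRONIZE"},
};
#define PROCESS_ALL_ACCESS_MASK 0x1FFFFFu /* STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF */
/* Write the names of all rights set in mask into buf ('|'-separated); return the count. */
int decode_access_mask(access_mask_t mask, char *buf, size_t buflen) {
    int n = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof RIGHTS / sizeof RIGHTS[0]; i++) {
        if (!(mask & RIGHTS[i].bit)) continue;
        if (n) strncat(buf, "|", buflen - strlen(buf) - 1);
        strncat(buf, RIGHTS[i].name, buflen - strlen(buf) - 1);
        n++;
    }
    return n;
}

/* Rights present in from_mask but cleared in to_mask: what a trimmed open gave up. */
access_mask_t removed_rights(access_mask_t from_mask, access_mask_t to_mask) {
    return from_mask & ~to_mask;
}

/* Detection heuristic (our own): a handle that can write the target's memory or
 * start a thread in it can still inject code, so checking VM_WRITE alone is weak. */
int can_inject(access_mask_t mask) { return (mask & (0x0020u | 0x0002u)) != 0; }

int main(void) {
    char names[512];
    access_mask_t masks[] = { PROCESS_ALL_ACCESS_MASK, 0x1FFFDFu }; /* values from the notes */
    for (size_t i = 0; i < 2; i++) {
        decode_access_mask(masks[i], names, sizeof names);
        printf("0x%06X: %s\n  can_inject=%d\n", (unsigned)masks[i], names, can_inject(masks[i]));
    }
    printf("removed: 0x%X\n", (unsigned)removed_rights(masks[0], masks[1])); /* 0x20 = PROCESS_VM_WRITE */
    return 0;
}
```

Decoding 0x1FFFDF shows that only PROCESS_VM_WRITE was dropped from PROCESS_ALL_ACCESS, and the thread-creation right is still there; as Dark Byte notes, kernel-mode read/write via CR3 ignores handle rights entirely, so a check on the mask alone does not cover that path.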

~0000801

Dark Byte (developer)

Remove the vm_write and see whether you can still write or not (kernel-mode read/write does not look at the rights of the handle).

~0000802

pausebreak7 (reporter)

vm_write substitute -> read/write in kernel mode & user mode
but...
I would like to bypass the function without erasing vm_write.

~0000803

pausebreak7 (reporter)

I have an idea:

1. OpenProcess handle DKOM (Direct Kernel Object Manipulation)

   Process target handle link hide (x64 system, not PatchGuard, possibility?)

2. Handle granted access
   Original 0x1FFFFF -> fake granted access code 0x??????

3. Target process ID fake change?

   Original 0x1234 -> fake PID -> 0x1234+3

Is it possible in these three ways?

Issue History
Date Modified     Username        Field
2015-03-25 23:12  pausebreak7     New Issue
2015-03-25 23:24  pausebreak7     Note Added: 0000795
2015-03-26 01:05  pausebreak7     Note Added: 0000796
2015-03-30 00:54  pausebreak7     Note Added: 0000797
2015-03-30 00:55  pausebreak7     Note Edited: 0000797
2015-03-30 00:56  pausebreak7     Note Edited: 0000797
2015-03-30 00:57  pausebreak7     Note Edited: 0000797
2015-03-30 01:15  pausebreak7     Note Added: 0000798
2015-03-30 01:17  pausebreak7     Note Edited: 0000798
2015-04-01 14:02  Dark Byte       Note Added: 0000799
2015-04-01 14:02  Dark Byte       Note Edited: 0000799
2015-04-02 03:40  pausebreak7     Note Added: 0000800
2015-04-02 03:44  pausebreak7     Note Edited: 0000800
2015-04-02 15:24  Dark Byte       Note Added: 0000801
2015-04-03 12:20  pausebreak7     Note Added: 0000802
2015-04-07 20:52  pausebreak7     Note Added: 0000803
2016-02-29 11:30  Carter Greatshow  Issue cloned: 0000453