2017-05-26 13:23 CEST

ID: 0000408
Project: Cheat Engine
Category: (No Category)
View Status: public
Last Update: 2015-09-22 11:47
Reporter: pausebreak7
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Summary: 0000408: dark byte x64 patchguard disable mode IDT debug hook possible?
Description:
Cheat Engine source debugger.c
_declspec( naked ) void interrupt1_asmentry( void )
Windows x32 IDT hook code

Windows x64 IDT hooking code possible? (PatchGuard disable mode)

And debug option

Use Windows debugger, VEH, kernel mode

Possible only with kernel-mode options?

Is it possible to bypass the debug detection by IDT hooking without DBVM?

Tags: No tags attached.

Attached Files:
  • qq.png (105,356 bytes) 2015-09-21 16:16
  • bsod.png (181,501 bytes) 2015-09-22 11:44

Notes

~0000868

pausebreak7 (reporter)

x64 computer

debug kernel-mode option -> DBVM not loaded -> debug start -> system BSOD?

Safe option suggested

safe option -> DBVM not loaded -> debug not started -> safe message box

~0000869

pausebreak7 (reporter)

Lua command dbk_writesIgnoreWriteProtection(true)

Can Lua functions be added to the command as shown above?

Not possible, I will not ask anymore.

~0000870

Dark Byte (developer)

Last edited: 2015-09-21 17:22

The interrupt hooker in the driver has a check for DBVM. Just ignore that and it'll fall back on IDT hooking.

But keep in mind that anti-reverse-engineering tools and anti-cheats check the IDT for tampering first (you may be able to hook the address the original IDT points to, but you'll have to adjust the code to deal with that yourself).

~0000871

pausebreak7 (reporter)

TitanHide
https://bitbucket.org/mrexodia/titanhide

Engine

Debug option

Windows debugger, try to prevent check

TBreakOption = (bo_Break = 0, bo_ChangeRegister = 1, bo_FindCode = 2, bo_FindWhatCodeAccesses = 3, bo_BreakAndTrace=4, bo_OnBreakpoint=5);

Find out what addresses this instruction accesses (3)

TitanHide driver load, PID fake option check:
processDebugFlags
processDebugPort
ProcessDebugobjectHandle
debugobject

Find out what addresses this instruction accesses (3) <- Not detected
bo_ChangeRegister <- Detected
bo_FindCode <- Detected
bo_BreakAndTrace <- Detected
bo_OnBreakpoint <- Detected

If the other options are all hidden in TitanHide, detected

Driver source Debugger.c: fake Dr7? Dr0~3?

How does it not also detect the other accessibility features?

~0000872

pausebreak7 (reporter)

Windows debug is going to be detected, should not be the case where ring0 SSDT hooking?

TitanHide option all check debug test [Windows Debugger]:
ProcessDebugFlags (NtQueryInformationProcess)
ProcessDebugPort (NtQueryInformationProcess)
ProcessDebugObjectHandle (NtQueryInformationProcess)
DebugObject (NtQueryObject)
SystemKernelDebuggerInformation (NtQuerySystemInformation)
NtClose (STATUS_INVALID_HANDLE exception)
ThreadHideFromDebugger (NtSetInformationThread)
Protect DRx (HW BPs) (NtSetContextThread)

Find out what addresses this instruction accesses <- Not detected

Other: Change Register, Debugger Find, break, findcode, trace, Onbreak <- Detected

Is it possible to modify the Cheat Engine source?

Or does it need to hook the SSDT apart from TitanHide?

~0000873

pausebreak7 (reporter)

DBVM not loaded -> F5 attack debug
-> system freeze -> BSOD
DBVM loaded -> F5 attack debug
-> process success, not BSOD

DBVM not loaded, global debug routines
Check IDT hooking error?
Driver.sys memory code information
mov eax,Dr7 BSOD

BSOD.PNG update

~0000874

pausebreak7 (reporter)

Global debug (DBVM not loaded) BSOD safe option

Can you add options?

Do IDT x64 hooking example?

Issue History
Date Modified Username Field Change
2015-09-21 16:16 pausebreak7 New Issue
2015-09-21 16:16 pausebreak7 File Added: qq.png
2015-09-21 16:21 pausebreak7 Note Added: 0000868
2015-09-21 16:29 pausebreak7 Note Added: 0000869
2015-09-21 17:17 Dark Byte Note Added: 0000870
2015-09-21 17:22 Dark Byte Note Edited: 0000870 View Revisions
2015-09-21 19:10 pausebreak7 Note Added: 0000871
2015-09-21 19:17 pausebreak7 Note Added: 0000872
2015-09-22 11:44 pausebreak7 Note Added: 0000873
2015-09-22 11:44 pausebreak7 File Added: bsod.png
2015-09-22 11:47 pausebreak7 Note Added: 0000874
2016-02-29 11:30 Carter Greatshow Issue cloned: 0000445