2017-05-30 05:02 CEST

ID: 0000413
Project: Cheat Engine
Category: (No Category)
View Status: public
Last Update: 2015-11-19 22:07
Reporter: pausebreak7
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform: windows7
OS: x64
OS Version:
Summary: 0000413: dark byte OpenProcess Fake Code impossible?
Description: video link, openprocess detect idea:
https://www.dropbox.com/s/wm30g3hors0rdeu/bandicam%202015-10-14%2021-32-58-820.avi?dl=0
Steps To Reproduce: process handle information fake information change possible?
0x1f1fff
1.Query information
2.Set information
3.Set quotas
4.Set session ID
5.Create threads
6.Create processes
7.VM operation
8.VM read
9.VM write
10.Duplicate handles
11.Suspend/resume
12.Terminate
13.Synchronize
14.Delete
15.Read control
16.Write DAC
17.Write owner
Additional Information: two Patch Guard Disable Mode ProcessHandle information dkom but Detect

hidecon process handle pht option handle list hide
link:
http://fyyre.ivory-tower.de/projects/hidecon.rar

processhacker link:
http://processhacker.sourceforge.net/downloads.php

============================================================

three

DBVM Machine VM_OPENPROCESS READ Write virtual openprocess possible?

============================================================
obregistercallback hiding Process

Openprocess access denied

ctrl+alt+s Enumerate dll information not view

Do you get the information without the openprocess?

thank you Dark Byte




Tags: No tags attached.

Notes
~0000881

pausebreak7 (reporter)

0x1010 (Query limited information, VM read)

OpenProcess Minimal options
Enumerate information View Success
User, Kernel both impossible without an openprocess?

========================================================

0x1a (Create threads, VM operation, VM read)
OpenProcess Minimal options
dbvm load breakpoint access success
Is debugging impossible without the use of OP options?
========================================================

With OpenProcess Properties detect, it can be bypassed without using the above options?

~0000882

pausebreak7 (reporter)

#include <ntddk.h>   // ACCESS_MASK and the PROCESS_* rights

// Rewrites the DesiredAccess requested in the handle-open callback.
// The commented-out block strips the rights one by one; the live line
// replaces the whole mask instead.
void ChangeProcAccess(ACCESS_MASK *pDesiredAccess)
{
    ACCESS_MASK DesiredAccess = *pDesiredAccess;
/*
    DesiredAccess &= ~PROCESS_CREATE_THREAD;
    DesiredAccess &= ~PROCESS_CREATE_PROCESS;
    DesiredAccess &= ~PROCESS_TERMINATE;
    DesiredAccess &= ~PROCESS_VM_WRITE;
    DesiredAccess &= ~PROCESS_VM_READ;
    DesiredAccess &= ~PROCESS_VM_OPERATION;
    DesiredAccess &= ~PROCESS_SUSPEND_RESUME;
    DesiredAccess &= ~PROCESS_DUP_HANDLE;
    *pDesiredAccess = DesiredAccess;
*/
    *pDesiredAccess = ~0x1F0FFF;
}

*pDesiredAccess = ~0x1F0FFF //obregistercallback Process handle protect flag on
*pDesiredAccess = 0x1F0FFF //obregistercallback Process handle protect flag off

my driver creates *pDesiredAccess = 0x1F0FFF, Driver Run Protect Flag OFF

But Security Process -> Engine Openprocess option information
vmread,vmwrite,createthread,VM_OPERATION,TERMINATE etc

Release the protection force to detect if you have information to confirm the Oprocess options

=====================================================================
0x101a implementing the minimum required information on the engine without using the Openprocess?

======================================================================
user, kernel openprocess disabled
DBVM VirtualMachine VMOPENPROCESS POSSIBLE?

~0000883

pausebreak7 (reporter)

Duplicate Handle from CSRSS.exe

Process Handle Csrss.exe

Csrss Process handle information copy -> Engine Target Process Access possible?

===============================================================================
process target open->handle 0x278 create
but 0x278 created information ->detected!
0x278 no created ->not detect
csrss.exe handle link access fake possible?

~0000884

pausebreak7 (reporter)

Process list reload click ->openprocess detect!

windows list reload click ->not detect!

Processlist reload handle detect

windows list reload handle not detect -> But Process Open -> Detect!

ObOpenObjectByPointer ->ZwOpenProcess
Api Change And Handle Access information hide & Fake information Possible?

~0000885

pausebreak7 (reporter)

original:
ntStatus = ObOpenObjectByPointer(
    selectedprocess,
    0,
    NULL,
    PROCESS_ALL_ACCESS,
    *PsProcessType,
    KernelMode, //UserMode,
    &ProcessHandle);

edit:
ntStatus = ObOpenObjectByPointer(
    selectedprocess,
    0,
    NULL,
    //PROCESS_ALL_ACCESS,
    *PsProcessType,
    KernelMode, //UserMode,
    &ProcessHandle);

PROCESS_ALL_ACCESS DELETE ->NOT DETECT

BUT
1.DBVM LOAD DBVM DEBUG CRASH
2.ENUMERATE DLL'S AND SYMBOL INFORMATION NOT VIEW

Do you write two functions without using the OP(OPENPROCESS)?

~0000886

pausebreak7 (reporter)

Last edited: 2015-10-20 06:21


maybe..

ZwQuerySystemInformation system handle list structure

pid& openprocess access information detect?

====================================================
driver hiding detect bypass possible?

http://www.rohitab.com/discuss/topic/41522-hiding-loaded-driver-with-dkom/

dbkdrvc.c

line 80 fix?
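As an added example (not code from this report or from Cheat Engine), this is the handle-table audit that an anti-cheat, or a tool like Process Hacker, performs over the ZwQuerySystemInformation system handle list the note above asks about: it decodes each GrantedAccess with the 17-right list from the description (0x1F0FFF, 0x1010, 0x1a) and flags foreign handles to a protected process that carry the rights the reporter's driver strips. The x64 entry layout, the object-type index 7 for Process and the sample table are assumptions constructed here, not values taken from a real system.

```python
import struct
# PROCESS_* access rights from winnt.h; 0x1F0FFF is the 17-right mask in the report.
PROCESS_RIGHTS = {
    0x000001: "Terminate",          0x000002: "Create threads",
    0x000004: "Set session ID",     0x000008: "VM operation",
    0x000010: "VM read",            0x000020: "VM write",
    0x000040: "Duplicate handles",  0x000080: "Create processes",
    0x000100: "Set quotas",         0x000200: "Set information",
    0x000400: "Query information",  0x000800: "Suspend/resume",
    0x001000: "Query limited information",
    0x010000: "Delete",             0x020000: "Read control",
    0x040000: "Write DAC",          0x080000: "Write owner",
    0x100000: "Synchronize",
}
# The rights the reporter's driver strips: enough to read, write or control a process.
SENSITIVE = 0x1 | 0x2 | 0x8 | 0x10 | 0x20 | 0x40 | 0x80 | 0x800

def decode_access(mask):
    """Names of the rights set in an ACCESS_MASK, e.g. 0x1010 -> VM read, QLI."""
    return [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]

# Assumed x64 layout of SYSTEM_HANDLE_INFORMATION: ULONG NumberOfHandles + 4 bytes
# padding, then 24-byte SYSTEM_HANDLE_TABLE_ENTRY_INFO records with these fields.
HDR = struct.Struct("<I4x")
ENTRY = struct.Struct("<HHBBHQI4x")
FIELDS = ("pid", "backtrace", "type", "attrs", "handle", "object", "access")

def parse_handle_table(blob):
    """Split a raw SystemHandleInformation buffer into one dict per handle."""
    count, = HDR.unpack_from(blob, 0)
    return [dict(zip(FIELDS, ENTRY.unpack_from(blob, HDR.size + i * ENTRY.size)))
            for i in range(count)]

def audit_handles(entries, target_object, target_pid):
    """Other processes holding a handle to target_object with any sensitive right."""
    return [(e["pid"], e["handle"], decode_access(e["access"] & SENSITIVE))
            for e in entries
            if e["object"] == target_object and e["pid"] != target_pid and e["access"] & SENSITIVE]

def build_sample():
    """Constructed handle table (not a real dump); the EPROCESS address is arbitrary."""
    target = 0xFFFFFA8001234560
    rows = [  # (pid, type index, handle, object, granted access)
        (1234, 7, 0x278, target, 0x1F0FFF),  # full access, like the report's 0x278 handle
        (5678, 7, 0x40, target, 0x1010),     # QLI + VM read, the report's minimal mask
        (5678, 12, 0x44, 0xFFFFFA8000ABCDEF, 0x120089),  # a file object, unrelated
        (4321, 7, 0x1C8, target, 0x0400),    # query information only, not flagged
    ]
    blob = HDR.pack(len(rows)) + b"".join(ENTRY.pack(p, 0, t, 0, h, o, a) for p, t, h, o, a in rows)
    return blob, target
```

On a live system the same audit would read the buffer from NtQuerySystemInformation and resolve the Process type index from the object type information instead of assuming 7.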

~0000887

pausebreak7 (reporter)

bypass idea

External handle 0x0

Cheat Engine Fake or inside handle 0X1F0FFF Possible?

~0000889

pausebreak7 (reporter)

GetModuleFileNameEx -> NtReadVirtualMemory -> PEB -> LDR -> NtQueryVirtualMemory PROCESS_QUERY_INFORMATION?
NtReadVirtualMemory -> PROCESS_VM_READ?

Can I use the openprocess created an API of his own?

handle open address & object bypass impossible?

~0000893

pausebreak7 (reporter)

openprocess obregistercallback guard Ignore

force openprocess ctrl+alt+s enumerate dll & process handle open possible?

-;;

~0000897

Dark Byte (developer)

You have access to the memory, but just lack some of the query tools.

If you have no valid process handle but wish a DLL list, then you will have to manually get that data,
e.g. scan through the memory looking for the MZ/PE header of a module, and then enumerate the symbols when found. Or use the Windows internal structures on where it stores that information.

Issue History
Date Modified Username Field Change
2015-10-14 15:07 pausebreak7 New Issue
2015-10-16 05:58 pausebreak7 Note Added: 0000881
2015-10-16 05:59 pausebreak7 File Added: test.png
2015-10-16 06:51 pausebreak7 Note Added: 0000882
2015-10-16 17:35 pausebreak7 Note Added: 0000883
2015-10-16 17:35 pausebreak7 File Added: test2.png
2015-10-19 17:47 pausebreak7 Note Added: 0000884
2015-10-20 04:41 pausebreak7 Note Added: 0000885
2015-10-20 05:39 pausebreak7 Note Added: 0000886
2015-10-20 06:21 pausebreak7 Note Edited: 0000886 View Revisions
2015-10-20 09:56 pausebreak7 Note Added: 0000887
2015-10-20 09:56 pausebreak7 File Added: test3.png
2015-10-29 12:47 pausebreak7 Note Added: 0000889
2015-11-14 11:20 pausebreak7 Note Added: 0000893
2015-11-19 22:07 Dark Byte Note Added: 0000897
2016-02-29 11:30 Carter Greatshow Issue cloned: 0000441