kittonkicker (I post too much)
Reputation: 1
Joined: 19 Apr 2006  Posts: 2171
Posted: Mon Sep 17, 2007 10:48 am  Post subject: [HELP] Trampolining in r0
Thanks to an idea from x0r I've written a driver with trampolined functions, which I was hoping would get round GameGuard.
I'm trampolining or "jumping over" GameGuard's hooks to bypass NtRead/WriteVirtualMemory and NtOpenProcess.
The redefined functions in my driver:
Code:
#include <ntddk.h>

/* Resume points inside the original routines: original entry address plus
   the length of the prologue instructions replayed below (7 bytes for the
   two push/push prologues, 5 bytes for the single push). Filled in by
   DriverEntry for the kernel build that is running; the immediates below
   (frame size and SEH scope-table pointer) come from one specific ntoskrnl
   build and are not portable. */
PVOID AddressOfReadVirtualMemory;
PVOID AddressOfWriteVirtualMemory;
PVOID AddressOfOpenProcess;

/* Each trampoline re-executes the instructions that GameGuard's inline
   hook overwrote and then jumps past the hook, so the hook handler never
   runs. The functions are naked: no compiler prologue/epilogue, the
   original routine sets up its own frame once we jump into it. */
__declspec(naked) NTSTATUS ReadVirtualMemory(IN HANDLE ProcessHandle, IN PVOID BaseAddress, OUT PVOID Buffer, IN ULONG NumberOfBytesToRead, OUT PULONG NumberOfBytesReaded OPTIONAL)
{
    __asm
    {
        push 0x1c                          /* original 1st insn: push 1Ch (6A 1C, 2 bytes) */
        push 0x804d94c0                    /* original 2nd insn: push imm32 (68 xx xx xx xx, 5 bytes) */
        jmp  [AddressOfReadVirtualMemory]  /* continue at original entry + 7 */
    }
}

__declspec(naked) NTSTATUS WriteVirtualMemory(IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN PVOID Buffer, IN ULONG NumberOfBytesToWrite, OUT PULONG NumberOfBytesWritten OPTIONAL)
{
    __asm
    {
        push 0x1c                          /* original 1st insn: push 1Ch */
        push 0x804d94d8                    /* original 2nd insn: push imm32 */
        jmp  [AddressOfWriteVirtualMemory] /* continue at original entry + 7 */
    }
}

__declspec(naked) NTSTATUS OpenProcess(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL)
{
    __asm
    {
        push 0x00c4                        /* original 1st insn: push 0C4h (68 C4 00 00 00, 5 bytes) */
        jmp  [AddressOfOpenProcess]        /* continue at original entry + 5 */
    }
}
From there I've added these new functions as entries to the SSDT, which I call in my redefined AltZwR/WVM and AltZwOP, which get called by my redefined AltR/WPM and AltOP functions.
I believe the process goes like this:
User calls redefined API AltReadProcessMemory -> AltReadProcessMemory calls AltZwReadVirtualMemory -> new service ID gets pushed and enters r0 using SYSENTER -> service ID is looked up in the SSDT and my unhooked function is called.
I can read any process's memory, so I know it definitely works AND I know it's not getting unhooked because it still works while GameGuard is running... just not on GameGuard's protected process or GameMon.des, etc.
Does this have something to do with KeAttachProcess, etc or am I missing something crucial?
Thanks.
PS: Not sure if this should be here or in the Anti Cheat Bypassing section... o_O
_________________
All gone
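A small added example (my own code, not from the thread, Cheat Engine or GameGuard) showing the two decisions behind the trampolines in the post above: whether a routine's entry has been inline-hooked, and how many whole instructions of the clean prologue a trampoline must replay before it can jump back past the hook. The prologue bytes, the 0x80500000 entry address and the hook displacement are constructed for illustration; the instruction decoder only knows the handful of opcodes that appear in NT kernel prologues and refuses anything else rather than guess.

```c
/* Added example (not code from the thread): locating an inline hook on a
 * kernel routine's entry and computing how much of the clean prologue a
 * trampoline has to replay before it can jump back past the hook.
 * All byte strings and addresses are constructed for illustration; they
 * mimic the "push 1Ch / push imm32 / call" shape the post above replays
 * but are not taken from any particular ntoskrnl build. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOOK_LEN 5  /* an E9 rel32 jmp: the patch size of a typical inline hook */

/* Length of one x86-32 instruction from the small set seen in NT kernel
 * prologues. Returns 0 for anything else so callers stop rather than guess.
 * *is_rel is set for call/jmp rel32, which cannot be copied verbatim into a
 * trampoline at a different address without fixing up the displacement. */
static size_t insn_len(const uint8_t *p, size_t avail, int *is_rel)
{
    *is_rel = 0;
    if (avail == 0) return 0;
    switch (p[0]) {
    case 0x6A: return avail >= 2 ? 2 : 0;            /* push imm8  */
    case 0x68: return avail >= 5 ? 5 : 0;            /* push imm32 */
    case 0x55: return 1;                              /* push ebp   */
    case 0x50: case 0x51: case 0x52: case 0x53:
    case 0x56: case 0x57: return 1;                   /* push reg   */
    case 0x8B:                                        /* mov r32, r32 (mod == 11 only) */
        return (avail >= 2 && (p[1] & 0xC0) == 0xC0) ? 2 : 0;
    case 0xE8: case 0xE9:                             /* call / jmp rel32 */
        *is_rel = 1;
        return avail >= 5 ? 5 : 0;
    default:
        return 0;
    }
}

/* 1 if the live entry bytes have been redirected: the first instruction is
 * a jmp/call rel32, an indirect jmp, or the bytes differ from the clean
 * reference copy (e.g. the same routine read from the kernel file on disk). */
int entry_is_hooked(const uint8_t *live, const uint8_t *clean, size_t n)
{
    if (n == 0) return 0;
    if (live[0] == 0xE9 || live[0] == 0xE8) return 1;
    if (n >= 2 && live[0] == 0xFF && (live[1] & 0x38) == 0x20) return 1; /* FF /4: jmp r/m32 */
    return memcmp(live, clean, n) != 0;
}

/* Number of bytes of the clean prologue a trampoline must replay so that
 * it resumes on an instruction boundary at or past the hook. Returns 0 if
 * an unknown or position-dependent instruction is reached first; then the
 * prologue has to be disassembled by hand instead of trusting this decoder. */
size_t trampoline_len(const uint8_t *clean, size_t n)
{
    size_t off = 0;
    while (off < HOOK_LEN) {
        int rel;
        size_t len = insn_len(clean + off, n - off, &rel);
        if (len == 0 || rel) return 0;
        off += len;
    }
    return off;
}

/* Target for the trampoline's final jmp: original entry plus the replayed
 * bytes. Returns 0 when trampoline_len() could not decide. */
uintptr_t resume_address(uintptr_t original, const uint8_t *clean, size_t n)
{
    size_t len = trampoline_len(clean, n);
    return len ? original + len : 0;
}

int main(void)
{
    /* Constructed prologues (not real kernel bytes). The hooked variant has
     * its first 5 bytes replaced by an E9 rel32 jmp; bytes 5 and 6 are the
     * surviving tail of the overwritten push imm32. */
    static const uint8_t clean_rvm[]  = { 0x6A, 0x1C, 0x68, 0xC0, 0x94, 0x4D, 0x80, 0xE8, 0x11, 0x22, 0x33, 0x44 };
    static const uint8_t hooked_rvm[] = { 0xE9, 0x00, 0x10, 0x00, 0x00, 0x4D, 0x80, 0xE8, 0x11, 0x22, 0x33, 0x44 };
    printf("hooked: %d, trampoline replays %zu bytes, resumes at 0x%lx\n",
           entry_is_hooked(hooked_rvm, clean_rvm, sizeof clean_rvm),
           trampoline_len(clean_rvm, sizeof clean_rvm),
           (unsigned long)resume_address(0x80500000u, clean_rvm, sizeof clean_rvm));
    return 0;
}
```

The replay length is what the post derives by hand: two pushes (2 + 5 bytes) give 7 for the NtRead/WriteVirtualMemory-style prologue, one `push imm32` gives 5 for the NtOpenProcess-style one. A prologue that begins with a `call` (or any opcode the decoder does not know) yields 0, which is the case where copying bytes blindly would break the trampoline.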
Uligor (Grandmaster Cheater)
Reputation: 0
Joined: 21 Jan 2006  Posts: 956
Posted: Mon Sep 17, 2007 3:47 pm
I don't know if ObOpenObjectByPointer is hooked, try unhooking that.
kittonkicker (I post too much)
Reputation: 1
Joined: 19 Apr 2006  Posts: 2171
Posted: Mon Sep 17, 2007 4:22 pm
Thanks, I'll take a look!
EDIT: It's not...
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003  Posts: 25821  Location: The netherlands
Posted: Mon Sep 17, 2007 4:37 pm
Yes, it has to do with KeAttachProcess, KiAttachProcess and KiMoveApcState; those 3 APIs are hooked and used by ReadVirtualMemory.
You have to trampoline a bit further into the code.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Last edited by Dark Byte on Mon Sep 17, 2007 4:47 pm; edited 1 time in total
kittonkicker (I post too much)
Reputation: 1
Joined: 19 Apr 2006  Posts: 2171
Posted: Mon Sep 17, 2007 4:45 pm
Awesome, I'll begin delving into the code.
Just out of curiosity DB, rather than using IOCTLs, is it possible to add the functions you made to the SSDT and then code the appropriate Zw API to communicate with it?
I'm thinking about the best way to get around GameGuard, and it seems a little silly not to take advantage of an already awesome API you coded!
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003  Posts: 25821  Location: The netherlands
Posted: Mon Sep 17, 2007 4:48 pm
Yes, you can expand the SDT; you can even add a 3rd or even 4th entry to it. I think a beta driver has that as a test.
You could even replace it with a read/write method, where you write to the driver and then read the result back out.
Also, how about making a complete copy of the kernel file and changing all base relocations to point to the original base? (So process lists and static addresses stay the same, but relative stuff like calls and jmps get the unedited copy. Of course, to get into the unedited copy you'd have to place a jmp in the original code...)
linden (Master Cheater)
Reputation: 0
Joined: 10 Mar 2006  Posts: 319
Posted: Tue Sep 18, 2007 5:12 am
Dark Byte wrote:
    yes, you can expand the sdt, you can even add a 3th or even 4th entry to it. I think a beta driver has that as a test.
    You could even replace it with a read/write method, where you write to the driver and then read the result back out

Preparing another copy of the kernel with faked base relocations would be better. Messing with the SDT won't do much good... expanding the SDT needs a relocation, GG will just detect it with a range check; and adding a 3rd or 4th entry won't work on Vista because it only recognizes 2 entries...
But another method is to do the same thing as GG does. Has anyone noticed that GG makes an unhooked copy of the SDT for itself, and then, for some of the critical threads (must be GUI threads though), it modifies the ServiceTable member inside the ETHREAD object to point to its own copy of the SDT instead of the original ShadowServiceTable, in order to evade any SDT hooks? We can do the same thing
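An added example (my own code, not linden's, GameGuard's or Cheat Engine's) modelling, in user-mode C, the two points made in the post above: the range check that catches a relocated/expanded service table and hooked dispatch entries, and the construction of a private unhooked copy of the table that a thread could be switched to. The kernel image range, the table address and all dispatch addresses are constructed; the clean reference entries are assumed to have been derived from the kernel file on disk. Nothing here touches ETHREAD or a real SSDT.

```c
/* Added example (not code from the thread): a user-mode model of the range
 * check anti-cheat code applies to a service descriptor table, and of the
 * "private clean copy" trick. Every dispatch entry of the SSDT should point
 * into the kernel image, and the dispatch array itself should live inside
 * that image; anything else is a hooked entry or a table that was moved out
 * of the kernel's own data (the usual way to grow it). The clean entries are
 * assumed to come from the kernel file on disk; all addresses are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t kaddr_t;               /* 32-bit kernel virtual address */

struct image_range { kaddr_t base; uint32_t size; };

/* Minimal view of one service descriptor: where the dispatch array lives,
 * its contents as read from memory, and how many services it holds. */
struct service_table {
    kaddr_t        table_addr;
    const kaddr_t *entries;
    uint32_t       limit;
};

static int in_image(kaddr_t a, const struct image_range *img)
{
    return a >= img->base && a - img->base < img->size;
}

/* Range check on the table location: a dispatch array that no longer sits
 * inside the kernel image has been relocated (e.g. to make room for extra
 * entries) and is immediately visible to this check. */
int table_is_relocated(const struct service_table *t, const struct image_range *krnl)
{
    return !in_image(t->table_addr, krnl);
}

/* Range check on the entries: returns how many services dispatch outside
 * the kernel image and records their indices in hooked[] (at most max). */
size_t find_hooked_services(const struct service_table *t, const struct image_range *krnl,
                            uint32_t *hooked, size_t max)
{
    size_t n = 0;
    for (uint32_t i = 0; i < t->limit; i++) {
        if (!in_image(t->entries[i], krnl)) {
            if (n < max) hooked[n] = i;
            n++;
        }
    }
    return n;
}

/* Build the private copy a thread could be pointed at instead of the live
 * table: live entries that pass the range check are kept, the rest are
 * taken from the clean reference. Returns the number of entries replaced.
 * Note the limitation: a hook that redirects to another address inside the
 * kernel image passes the range check and is not replaced here. */
size_t make_clean_copy(const struct service_table *t, const kaddr_t *clean,
                       const struct image_range *krnl, kaddr_t *out)
{
    size_t replaced = 0;
    for (uint32_t i = 0; i < t->limit; i++) {
        if (in_image(t->entries[i], krnl)) {
            out[i] = t->entries[i];
        } else {
            out[i] = clean[i];
            replaced++;
        }
    }
    return replaced;
}

int main(void)
{
    /* Constructed layout: kernel image at 0x80400000 (2 MiB), one service
     * redirected into a driver mapped at 0xF8A00000. */
    const struct image_range krnl = { 0x80400000u, 0x00200000u };
    const kaddr_t live[]  = { 0x80521000u, 0x80532000u, 0xF8A01230u, 0x80543000u };
    const kaddr_t clean[] = { 0x80521000u, 0x80532000u, 0x80537000u, 0x80543000u };
    const struct service_table ssdt = { 0x80501000u, live, 4 };
    uint32_t hooked[4];
    kaddr_t copy[4];
    size_t n = find_hooked_services(&ssdt, &krnl, hooked, 4);
    printf("table relocated: %d, %zu hooked service(s), first index %u\n",
           table_is_relocated(&ssdt, &krnl), n, n ? hooked[0] : 0u);
    printf("%zu entries replaced in private copy\n", make_clean_copy(&ssdt, clean, &krnl, copy));
    return 0;
}
```

The same range check cuts both ways: it is what lets GameGuard notice an expanded table, and it is what a driver can use to find which entries GameGuard itself has pointed elsewhere before building its own copy.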
Seyren (Master Cheater)
Reputation: 0
Joined: 17 Aug 2007  Posts: 456  Location: Yeah i have one,why?
Posted: Tue Sep 18, 2007 6:18 pm
R0?
kittonkicker (I post too much)
Reputation: 1
Joined: 19 Apr 2006  Posts: 2171
Posted: Tue Sep 18, 2007 6:59 pm
If you have to ask, this topic isn't for you.
Thanks for all the ideas guys, I'm working on something now ^^.
the_undead (Expert Cheater)
Reputation: 1
Joined: 12 Nov 2006  Posts: 235  Location: Johannesburg, South Africa
Posted: Wed Sep 19, 2007 3:19 am
Crimsonzero747 wrote:
    R0?

Ring 0.
appalsap (Moderator)
Reputation: 0
Joined: 27 Apr 2006  Posts: 6753  Location: Pakistan
Posted: Wed Sep 19, 2007 8:09 am
the_undead wrote:
    Crimsonzero747 wrote:
        R0?
    Ring 0.

Rules 3 and 0