Cheat Engine The Official Site of Cheat Engine

scorj
Posted: Sun Aug 21, 2011 8:08 pm
Post subject: ZwReadVirtualMemory Hook...

Hi, I'm trying to hook ZwReadVirtualMemory with a driver, but I couldn't do it. When I try to hook or use ZwReadVirtualMemory, the driver can't load.
But the same way and the same functions, with just the APIs changed to ZwCreateFile, work anyway and load successfully. When I try to use the ZwReadVirtualMemory, ZwWriteVirtualMemory, NtReadVirtualMemory or NtWriteVirtualMemory APIs, it fails. Here's my code.
Code:
#include <ntddk.h>

/* Index the SSDT with the service number read from offset 1 of the Zw* stub (x86 "mov eax, imm32"). */
#define SYSTEMSERVICE(_name) KeServiceDescriptorTable.ServiceTable[*(DWORD *) ((unsigned char *)_name + 1)]

typedef unsigned long DWORD, *PDWORD;
typedef unsigned char BYTE, *PBYTE;

typedef struct ServiceDescriptorEntry {
    PDWORD ServiceTable;
    PDWORD CounterTableBase;
    DWORD ServiceLimit;
    PBYTE ArgumentTable;
} SDT;

typedef NTSTATUS (*ZWREADVIRTUALMEMORY)(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    OUT PVOID Buffer,
    IN ULONG NumberOfBytesToRead,
    OUT PULONG NumberOfBytesReaded OPTIONAL
);

__declspec(dllimport) SDT KeServiceDescriptorTable;

VOID HookAPI(PDWORD API, PDWORD NewAPI);
VOID UnHookAPI(PDWORD OriginalAPI, PDWORD API);
VOID OnUnload(PDRIVER_OBJECT pDriverObj);

NTSYSAPI NTSTATUS ZwReadVirtualMemory(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    OUT PVOID Buffer,
    IN ULONG NumberOfBytesToRead,
    OUT PULONG NumberOfBytesReaded OPTIONAL
);

NTSTATUS ZwReadVirtualMemoryOwned(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    OUT PVOID Buffer,
    IN ULONG NumberOfBytesToRead,
    OUT PULONG NumberOfBytesReaded OPTIONAL
);

PDWORD OriginalAPI;
//extern PDWORD OriginalAPI;

/* Replacement handler: logs the arguments, then forwards to the saved original. */
NTSTATUS ZwReadVirtualMemoryOwned(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    OUT PVOID Buffer,
    IN ULONG NumberOfBytesToRead,
    OUT PULONG NumberOfBytesReaded OPTIONAL
)
{
    NTSTATUS ret;
    ZWREADVIRTUALMEMORY OriginalFunc = (ZWREADVIRTUALMEMORY)OriginalAPI;
    DbgPrint("\nProcessHandle:0x%X\nBaseAddress:0x%X\nBufferAddress:0x%X\nNumberOfBytesToRead:%d\nNumberOfBytesReaded:%d\n",
        (ULONG) ProcessHandle,(ULONG)BaseAddress,(ULONG)Buffer,(ULONG)NumberOfBytesToRead,(ULONG) NumberOfBytesReaded);
    ret = OriginalFunc(ProcessHandle,BaseAddress,Buffer,NumberOfBytesToRead,NumberOfBytesReaded);
    return ret;
}

/* Saves the current SSDT entry for API in OriginalAPI and replaces it with NewAPI. */
VOID HookAPI(PDWORD API, PDWORD NewAPI)
{
    //DWORD nOldProtect;
    OriginalAPI = (PDWORD) (SYSTEMSERVICE(API));
    DbgPrint("\nAPI Address : 0x%x", SYSTEMSERVICE(API));
    DbgPrint("\nHooking API...");
    __asm
    {
        cli //; clear interrupt bit, stop
    }
    (PDWORD) (SYSTEMSERVICE(API)) = NewAPI;
    __asm
    {
        sti
    }
}

/* Writes the saved original pointer back into the SSDT entry for API. */
VOID UnHookAPI(PDWORD OriginalAPI, PDWORD API)
{
    //DWORD nOldProtect;
    DbgPrint("\nUnhooking API...\n");
    __asm
    {
        cli //; clear interrupt bit, stop
    }
    (PDWORD)(SYSTEMSERVICE(API)) = OriginalAPI;
    __asm
    {
        sti
    }
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegisteryPath)
{
    // DbgPrint("SSDT Address: 0x%x\nZwReadVirtualMemory Address: 0x%x\n", KeServiceDescriptorTable.ServiceTable,(ULONG)ZwReadVirtualMemory); // if I enable this one, the driver cannot be loaded.
    // DbgPrint("SSDT Address: 0x%x\nZwReadVirtualMemory Address: 0x%x\n", KeServiceDescriptorTable.ServiceTable,(ULONG)ZwCreateFile); // only this one loads successfully
    // DbgPrint("or something without these apis\n"); // loads successfully, omg I'm failing!
    // HookAPI((PDWORD)ZwReadVirtualMemory, (PDWORD)ZwReadVirtualMemoryOwned); // or this one... but anyway, if I enable them without ZwReadVirtualMemory, it loads successfully.
    pDriverObj->DriverUnload = OnUnload;
    return STATUS_SUCCESS;
}

VOID OnUnload(PDRIVER_OBJECT pDriverObj)
{
    UnHookAPI(OriginalAPI, (PDWORD)ZwCreateFile);
    DbgPrint("\nDriver Unload\n");
}

Help me, mates. Ty for all...
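
Added example, not part of the original post or of any Cheat Engine code: the HookAPI routine above overwrites one KeServiceDescriptorTable.ServiceTable entry with a pointer into the loading driver, which is the change a defender audits for. This user-mode sketch checks a copy of the table against the kernel image range and a known-good snapshot; the names (image_range, classify_entry, audit_table) and all addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Kernel image as [base, base + size); the values below are constructed. */
typedef struct { uint32_t base, size; } image_range;

enum { ENTRY_OK = 0, ENTRY_CHANGED = 1, ENTRY_OUTSIDE_KERNEL = 2 };

/* Overflow-safe range test: 1 when addr lies inside the image. */
static int in_image(const image_range *img, uint32_t addr)
{
    return addr >= img->base && (addr - img->base) < img->size;
}

/* Classify one entry against the kernel range and a known-good snapshot. */
int classify_entry(const image_range *kernel, uint32_t baseline, uint32_t current)
{
    if (!in_image(kernel, current))
        return ENTRY_OUTSIDE_KERNEL;   /* handler lives in another module */
    return current == baseline ? ENTRY_OK : ENTRY_CHANGED;
}

/* Fill verdicts[i] for each entry; return how many are not ENTRY_OK. */
size_t audit_table(const image_range *kernel, const uint32_t *baseline,
                   const uint32_t *current, size_t limit, int *verdicts)
{
    size_t bad = 0;
    for (size_t i = 0; i < limit; i++) {
        verdicts[i] = classify_entry(kernel, baseline[i], current[i]);
        bad += verdicts[i] != ENTRY_OK;
    }
    return bad;
}

/* Constructed sample: entry 2 points into a driver, entry 3 was swapped. */
const image_range SAMPLE_KERNEL = { 0x80400000u, 0x00200000u };
const uint32_t SAMPLE_BASELINE[4] = { 0x80501234u, 0x8050A010u, 0x8051B000u, 0x805FFFF0u };
const uint32_t SAMPLE_CURRENT[4]  = { 0x80501234u, 0x8050A010u, 0xF8A31480u, 0x80501234u };

int main(void)
{
    int verdicts[4];
    size_t bad = audit_table(&SAMPLE_KERNEL, SAMPLE_BASELINE, SAMPLE_CURRENT, 4, verdicts);
    for (size_t i = 0; i < 4; i++)
        printf("entry %zu: 0x%08X verdict %d\n", i, (unsigned)SAMPLE_CURRENT[i], verdicts[i]);
    printf("%zu suspicious entries\n", bad);
    return 0;
}
```

The range test alone misses an entry redirected to another address inside the kernel image, which is why the snapshot comparison is kept as a second verdict.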

NoMercy
Posted: Tue Aug 23, 2011 1:38 am

Are you on a 64-bit system?

scorj
Posted: Tue Aug 23, 2011 6:10 pm

No. It won't work on 64-bit systems.
It's for x86, but it's not working on x86 either. It's successful for ZwCreateFile with this method. But when I change it, or I should say it like this: when I try ZwReadVM, or WriteVM, or NtReadVM, or NtWriteVM, it can't be loaded...
Omg, I'll go crazy....

scorj
Posted: Thu Aug 25, 2011 3:34 am

I need help, please help me fast....

atom0s

scorj
Posted: Thu Aug 25, 2011 12:22 pm

I'll check, ty.

scorj
Posted: Fri Aug 26, 2011 3:46 pm

It works for ZwOpenProcess but doesn't work for ZwRead or ZwWrite... I think it's a problem with the library? Because I need to add ntdll.lib, and I'm adding it, but it's not loading.

the_undead