iPromise (Grandmaster Cheater)
Reputation: -1
Joined: 27 Jun 2009, Posts: 529, Location: Canada
Posted: Sat Jun 01, 2013 8:49 am, Post subject: Inject DLL
How does Cheat Engine's kernel driver inject DLLs? I was monitoring DbgView and I noticed that you called ZwAllocateVirtualMemory. Do you write all the bytes of the library into the user-mode app once you have allocated memory with ZwAllocateVirtualMemory?
If you do so, how do you eventually "start up the DLL" once it has been written into memory?
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003, Posts: 25819, Location: The Netherlands
Posted: Sat Jun 01, 2013 10:48 am
Normally, CE just injects a DLL loader into the target memory and calls CreateRemoteThread to execute the loader (LoadLibrary and some exit-result handling, like proccall).
But if you use the forcedinjection plugin, it will manually set up the DLL's memory and adjust the pages where needed, and then call CreateRemoteThread on the entry point of the DLL, emulating a process attach.
There is a currently disabled alternate method to CreateRemoteThread by use of APCs, but that's disabled for now until it becomes necessary.
Tip: yet another method would be to hook an often-called routine (like sysenter) or set an often-called page to non-executable, and on hook/exception change EIP to the DLL injection routine (or directly to the DLL entry point if you used the forced injection method).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
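The two mechanisms Dark Byte describes (a loader written into the target and started with CreateRemoteThread on LoadLibrary, or a manually mapped DLL whose entry point is started directly) are also what a defender can key on. The following is an added example, not code from this thread or from Cheat Engine: it scans constructed Sysmon-style CreateRemoteThread (Event ID 8) records for a remote thread that starts on a LoadLibrary export or at an address backed by no loaded module. The flattened record format, the sample image paths and the "-" empty-field marker are assumptions for the example.

```python
# Constructed Sysmon-style Event ID 8 (CreateRemoteThread) records, one per line,
# flattened to "Key: Value|Key: Value". Made-up samples, not real captures.
SAMPLE_EVENTS = r"""
SourceImage: C:\Tools\cheatengine-x86_64.exe|TargetImage: C:\Games\game.exe|StartModule: C:\Windows\System32\KERNEL32.DLL|StartFunction: LoadLibraryW
SourceImage: C:\Windows\System32\csrss.exe|TargetImage: C:\Games\game.exe|StartModule: C:\Windows\System32\ntdll.dll|StartFunction: RtlUserThreadStart
SourceImage: C:\Tools\injector.exe|TargetImage: C:\Games\game.exe|StartModule: -|StartFunction: -
"""

# Thread start routines a LoadLibrary-style loader thread is pointed at.
LOADER_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def parse_event(line):
    """Split one flattened record into a dict of field -> value."""
    fields = {}
    for part in line.split("|"):
        # Partition on the first colon only, so "C:\..." paths survive intact.
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def classify(event):
    """Label one remote-thread record, or return None when it looks benign."""
    function = event.get("StartFunction", "-")
    module = event.get("StartModule", "-")
    if function in LOADER_EXPORTS:
        # Remote thread started on LoadLibrary: the classic loader-in-target pattern.
        return "loadlibrary-remote-thread"
    if module in ("-", ""):
        # Start address backed by no loaded module: an injected loader stub, or a
        # manually mapped image entered directly at its entry point.
        return "unbacked-start-address"
    return None


def scan(text):
    """Return (source, target, label) for every record that matches a pattern."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        label = classify(event)
        if label:
            findings.append((event["SourceImage"], event["TargetImage"], label))
    return findings


if __name__ == "__main__":
    for source, target, label in scan(SAMPLE_EVENTS):
        print(f"{label}: {source} -> {target}")
```

Both patterns also fire for debuggers and some security products, so in practice the SourceImage is compared against an allow-list rather than alerted on by itself.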
iPromise (Grandmaster Cheater)
Reputation: -1
Joined: 27 Jun 2009, Posts: 529, Location: Canada
Posted: Sun Jun 02, 2013 9:09 am
To change the EIP we would need to set a breakpoint. Is it possible to set hardware breakpoints in drivers?
Also, is sysenter a function or an opcode? I'm pretty sure I saw sysenters in ntdll to call the kernel.
atom0s (Moderator)
Reputation: 205
Joined: 25 Jan 2006, Posts: 8587, Location: 127.0.0.1
Posted: Sun Jun 02, 2013 4:49 pm
It's an instruction to make a fast call to ring 0.
_________________
- Retired.