iPromise
Grandmaster Cheater
![]() Reputation: -1
Joined: 27 Jun 2009
Posts: 529
Location: Canada
|
 Posted: Sat Jul 20, 2013 6:52 pm Post subject: Wierd problem |
 |
|
I'm trying to add a certification process to my driver where it checks the dll's memory after I load it up to see if it contains my signature but I have a problem.
When I decrypt the DLL, load it into memory, and read it then my memory scanning check works.
When I encrypt the DLL with Themida or VMProtect, load it into memory, and read it then my memory scanning check doesn't work.
At first I thought the signature was screwed up after encrypting the DLL, but after testing I realized that when the DLL loads into memory after being called by LoadLibrary, the encryptor decrypts itself. So it shouldn't be a problem with the signatures. I also confirmed it with Cheat Engine and I saw the signature in memory.
After that I assumed it was a protection problem, so I called NtProtectVirtualMemory but even after that I still couldn't read it.
I can perfectly read the memory in usermode, but when I try to read the memory in kernel mode it won't succeed.
I simply call memcpy for each address while going through the dll's regions including that which contains the signature. When its decrypted it works, but when its encrypted it doesn't. The protection constant in both cases is readable.
does anybody have any idea why?
edit
my memory comparison function which is just memcmp enclosed with try and except receives an exception when I attempt to read although the memory protection constant of that region is readable. if only there was a driver version of getlasterror.
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
Reputation: 471
