

Driver Based Plugin

 
letmeknowit
How do I cheat?
Reputation: 0

Joined: 07 Jul 2018
Posts: 3

PostPosted: Sat Jul 07, 2018 12:22 pm    Post subject: Driver Based Plugin Reply with quote

Good Day!

I've been trying to implement my own read and write to bypass some anti-cheats, and I almost succeeded, except that I get a BSOD when searching/scanning for values. I coded a basic plugin to hook ReadProcessMemory, and it works in the memory viewer etc., except when scanning for a value.

Here's the exact code; I hope someone can help me.

Code:


// Signature of the OpenProcess export that gets detoured below. The
// trampoline returned by DetourFunction is stored in pOpenProcess.
typedef HANDLE (WINAPI *oOpenProcess)(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);
oOpenProcess pOpenProcess = NULL;
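// Detour target for OpenProcess. Access rights and inheritance are ignored;
// the only thing recorded is the PID, which the driver resolves itself.
// Returns (HANDLE)-1, the current-process pseudo-handle, not a handle to the
// target: any handle-based API CE later calls with it (VirtualQueryEx during
// a scan, as the thread suspects) therefore operates on the CE process rather
// than the target.
// WINAPI is added so the definition matches the oOpenProcess typedef and the
// export it replaces; on x86 a cdecl/stdcall mismatch corrupts the stack.
HANDLE WINAPI MyOpenProcess(
   DWORD fdwAccess,
   BOOL fInherit,
   DWORD IDProcess
)
{
   (void)fdwAccess;
   (void)fInherit;

   Driver.Attach(IDProcess);

   return (HANDLE)(-1);
}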

// Signature of the ReadProcessMemory export that gets detoured below. The
// trampoline returned by DetourFunction is stored in pReadProcessMemory.
typedef BOOL (WINAPI *oReadProcessMemory)(HANDLE hProcess,
                                          LPCVOID lpBaseAddress,
                                          LPVOID lpBuffer,
                                          SIZE_T nSize,
                                          SIZE_T *lpNumberOfBytesRead);
oReadProcessMemory pReadProcessMemory = NULL;
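// Detour target for ReadProcessMemory: forwards the read to the driver.
// hProcess is not consulted; the driver addresses the target by the PID
// recorded in Attach(), not by the handle CE passes in.
// Returns TRUE on a successful driver read, FALSE otherwise. The byte count
// is optional (as in the real API) and is set to 0 on every failure path so
// a caller that checks only the count never sees a stale value.
BOOL WINAPI MyReadProcessMemory(
   _In_      HANDLE  hProcess,
   _In_      LPCVOID lpBaseAddress,
   _Out_     LPVOID  lpBuffer,
   _In_      SIZE_T  nSize,
   _Out_opt_ SIZE_T  *lpNumberOfBytesRead
)
{
   (void)hProcess;

   if (lpNumberOfBytesRead != NULL)
      *lpNumberOfBytesRead = 0;

   NTSTATUS status = Driver.DriverRead((ptr_t)lpBaseAddress, nSize, lpBuffer);
   if (!NT_SUCCESS(status))
      return FALSE;

   // DriverRead reports only a status, never a byte count, so a full copy is
   // assumed on success. NOTE(review): a short copy in the driver would be
   // reported here as a complete one.
   if (lpNumberOfBytesRead != NULL)
      *lpNumberOfBytesRead = nSize;

   return TRUE;
}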


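// Plugin entry point called by Cheat Engine. Loads the driver and detours
// CE's OpenProcess / ReadProcessMemory slots to the replacements above.
// Returns TRUE when both hooks are installed, FALSE otherwise.
BOOL __stdcall CEPlugin_InitializePlugin(PExportedFunctions ef, int pluginid)
{
   (void)pluginid;

   if (ef == NULL)
      return FALSE;

   // Copy the export table before anything that reports through it: the
   // original called Exported.ShowMessage on the driver-load failure path
   // while Exported was still uninitialized.
   Exported = *ef;

   if (!Driver.Init())
   {
      Exported.ShowMessage("Failed to load Driver!");
      return FALSE;
   }

   // Exported.OpenProcess / Exported.ReadProcessMemory are dereferenced once,
   // i.e. they are treated as pointing at the slot that holds CE's function
   // pointer rather than at the function itself.
   pOpenProcess = (oOpenProcess)DetourFunction(*(PBYTE*)Exported.OpenProcess, (PBYTE)MyOpenProcess);
   if (pOpenProcess == NULL)
   {
      // NOTE(review): assumes DetourFunction returns NULL on failure; confirm
      // for the Detours version in use.
      Exported.ShowMessage("Failed to hook OpenProcess!");
      return FALSE;
   }

   pReadProcessMemory = (oReadProcessMemory)DetourFunction(*(PBYTE*)Exported.ReadProcessMemory, (PBYTE)MyReadProcessMemory);
   if (pReadProcessMemory == NULL)
   {
      // The OpenProcess hook remains installed at this point; nothing on the
      // page shows an unhook API, so the failure is only reported.
      Exported.ShowMessage("Failed to hook ReadProcessMemory!");
      return FALSE;
   }

   return TRUE;
}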





Here is how I use the driver:

Code:

// Request block sent to the driver with the copy-memory IOCTL. The driver
// declares the same struct; members, order and types must stay identical on
// both sides (the handler checks the input length against its own sizeof).
// Note that pid is a ULONG while the user side stores the target PID in a
// ptr_t, so the assignment in DriverRead narrows.
typedef struct _COPY_MEMORY
{
   ULONGLONG localbuf;         // Buffer address in the calling process
   ULONGLONG targetPtr;        // Address in the target process
   ULONGLONG size;             // Bytes to copy
   ULONG     pid;              // Target process id
   BOOLEAN   write;            // TRUE: localbuf -> targetPtr; FALSE: targetPtr -> localbuf
} COPY_MEMORY, *PCOPY_MEMORY;


// Records the PID that later DriverRead calls will address. Nothing is
// validated here; a PID of 0 simply makes DriverRead refuse the request.
VOID Attach(ptr_t PID)
{
   TargetPID = PID;
}

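// Asks the driver to copy `size` bytes from `base` in the attached process
// into `buffer` in this process.
// Returns STATUS_SUCCESS, or an NTSTATUS describing why the request was not
// sent (no target, driver not loaded, bad arguments) or why the IOCTL failed.
NTSTATUS DriverRead(ptr_t base, size_t size, PVOID buffer)
{
   // No target selected yet (see Attach).
   if (TargetPID == 0)
      return STATUS_ACCESS_DENIED;

   // Not loaded
   if (_hDriver == INVALID_HANDLE_VALUE)
      return STATUS_DEVICE_DOES_NOT_EXIST;

   // A zero-length read is a no-op, as with ReadProcessMemory itself; a null
   // buffer is refused here instead of being handed to the kernel.
   if (size == 0)
      return STATUS_SUCCESS;
   if (buffer == nullptr)
      return STATUS_INVALID_PARAMETER;

   // COPY_MEMORY.pid is a ULONG; refuse to truncate a wider TargetPID silently.
   if (TargetPID != (ptr_t)(ULONG)TargetPID)
      return STATUS_INVALID_PARAMETER;

   COPY_MEMORY copyMem = { 0 };
   copyMem.pid = (ULONG)TargetPID;
   copyMem.targetPtr = base;
   copyMem.localbuf = (ULONGLONG)(ULONG_PTR)buffer;
   copyMem.size = size;
   copyMem.write = FALSE;

   // The IOCTL carries no output buffer; the copy lands directly in `buffer`.
   DWORD bytes = 0;
   if (!DeviceIoControl(_hDriver, IOCTL_RPMWPM_MEMORY, &copyMem, sizeof(copyMem), nullptr, 0, &bytes, NULL))
      return LastNtStatus();

   return STATUS_SUCCESS;
}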






This is my first time creating a plugin and a driver.
The driver's code is just for reading and writing.

thanks in advance.
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Tue Jul 10, 2018 5:17 am    Post subject: Reply with quote

the bsod happens in the driver. check the driver source
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
letmeknowit
How do I cheat?
Reputation: 0

Joined: 07 Jul 2018
Posts: 3

PostPosted: Thu Jul 12, 2018 10:47 am    Post subject: Reply with quote

This is what I did in the driver.
This is my first try at writing a driver, and most of the code is copy-and-pasted.

Code:

// Request block for the copy-memory IOCTL. Must stay byte-for-byte identical
// to the user-mode definition (same members, order and types): the user side
// sends sizeof(COPY_MEMORY) and IoControl compares against this struct's size.
// Every field arrives from user mode and is untrusted.
typedef struct _COPY_MEMORY
{
   ULONGLONG localbuf;   // caller's buffer (address in the calling process)
   ULONGLONG targetPtr;  // address in the process identified by pid
   ULONGLONG size;       // bytes to copy
   ULONG     pid;        // target process id
   BOOLEAN   write;      // nonzero: localbuf -> targetPtr; zero: targetPtr -> localbuf
} COPY_MEMORY, *PCOPY_MEMORY;

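// TRUE when [base, base+size) has nonzero length, does not wrap, and lies
// entirely below the highest user-mode address, so the range cannot name
// kernel memory in either process.
static BOOLEAN IsUserRange(ULONGLONG base, ULONGLONG size)
{
   ULONGLONG end = base + size;

   if (size == 0 || end < base)
      return FALSE;

   return (end - 1) <= (ULONGLONG)(ULONG_PTR)MmHighestUserAddress;
}

// Copies pCopy->size bytes between the caller's buffer and the process
// identified by pCopy->pid, in the direction given by pCopy->write.
// Returns an NTSTATUS: STATUS_INVALID_PARAMETER / STATUS_ACCESS_VIOLATION for
// a rejected request, the lookup or copy status otherwise, and
// STATUS_PARTIAL_COPY when fewer bytes than requested were moved.
//
// Every field of *pCopy comes from user mode through the IOCTL and must be
// treated as hostile. Without the range checks below, any local caller that
// can open the device could name kernel addresses on either side of the copy,
// and a bad pointer reaches the memory manager unvalidated, which is the
// likely source of the reported bug check.
NTSTATUS DriverCopyMemory(IN PCOPY_MEMORY pCopy)
{
   NTSTATUS status = STATUS_SUCCESS;
   PEPROCESS pProcess = NULL;
   PEPROCESS pSourceProc = NULL, pTargetProc = NULL;
   PVOID pSource = NULL, pTarget = NULL;
   SIZE_T bytes = 0;

   if (pCopy->size == 0)
      return STATUS_INVALID_PARAMETER;

   if (!IsUserRange(pCopy->localbuf, pCopy->size) || !IsUserRange(pCopy->targetPtr, pCopy->size))
      return STATUS_ACCESS_VIOLATION;

   // On success pProcess holds a reference that must be released below.
   status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)pCopy->pid, &pProcess);
   if (!NT_SUCCESS(status))
      return status;

   if (pCopy->write != FALSE)
   {
      // caller's buffer -> target process
      pSourceProc = PsGetCurrentProcess();
      pTargetProc = pProcess;
      pSource = (PVOID)(ULONG_PTR)pCopy->localbuf;
      pTarget = (PVOID)(ULONG_PTR)pCopy->targetPtr;
   }
   else
   {
      // target process -> caller's buffer
      pSourceProc = pProcess;
      pTargetProc = PsGetCurrentProcess();
      pSource = (PVOID)(ULONG_PTR)pCopy->targetPtr;
      pTarget = (PVOID)(ULONG_PTR)pCopy->localbuf;
   }

   // UserMode rather than KernelMode so the copy runs with user-mode access
   // checks for these user-supplied addresses. NOTE(review): confirm on the
   // target kernel build that a faulting address then yields a failed copy
   // rather than a bug check.
   status = MmCopyVirtualMemory(pSourceProc, pSource, pTargetProc, pTarget, pCopy->size, UserMode, &bytes);

   // The IOCTL returns only a status, so a short copy must be reported as a
   // failure; the user side has no other way to learn the byte count.
   if (NT_SUCCESS(status) && bytes != pCopy->size)
      status = STATUS_PARTIAL_COPY;

   ObDereferenceObject(pProcess);

   return status;
}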


// IRP_MJ_DEVICE_CONTROL dispatch routine. The "........" lines stand for
// code elided in the original post (where ioControlCode, ioBuffer and
// inputBufferLength come from, and how the IRP is completed, is not shown).
// NOTE(review): the IOCTL is named IOCTL_BLG_COPY_MEMORY here but
// IOCTL_RPMWPM_MEMORY in the user-mode DriverRead; presumably the same value.
// A mismatch would land in the STATUS_INVALID_PARAMETER branch, not a bug check.
NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
   ........
   ........
   ........
   ........
   ........

   // Only the struct length is checked. The addresses and size inside
   // COPY_MEMORY are user-controlled and are not validated before
   // DriverCopyMemory uses them. NOTE(review): whether ioBuffer is the I/O
   // manager's system buffer (METHOD_BUFFERED) or a raw user pointer depends
   // on the IOCTL's transfer type, which is not visible here; in the latter
   // case the pointer itself also needs probing before it is read.
   if (ioControlCode == IOCTL_BLG_COPY_MEMORY)
   {
      if (inputBufferLength >= sizeof(COPY_MEMORY) && ioBuffer)
         Irp->IoStatus.Status = DriverCopyMemory((PCOPY_MEMORY)ioBuffer);
      else
         Irp->IoStatus.Status = STATUS_INFO_LENGTH_MISMATCH;
   }
   else
      Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;

   ........
   ........
   ........
   ........
}




thanks DarkByte
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Thu Jul 12, 2018 10:56 am    Post subject: Reply with quote

you need to make sure that the output buffer and source are readable

also, when the BSOD happens, copy c:\windows\memory.dmp to a writable location and open it as a crash dump in WinDbg.
if the source code is correct it will show the source line where it failed

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
letmeknowit
How do I cheat?
Reputation: 0

Joined: 07 Jul 2018
Posts: 3

PostPosted: Fri Jul 13, 2018 8:56 am    Post subject: Reply with quote

Thanks DarkByte. Maybe it crashes because I return (HANDLE)(-1) in OpenProcess, and VirtualQueryEx returns an unwanted result because the handle is not for the target PID.

i will take a look thanks again Smile