Cheat Engine

[bahblahblahbah]

How does CE or any other debugger find out what's in the (main) registers like EAX, ECX, etc?

What functions does CE hook to get User Mode Stealth?
And for Kernel Mode Stealth?

[Dark Byte]

to show the registers can be done in 2 ways.
1: Look at the stackframe when interrupt 1 or 3 fires
2: Use getthreadcontext to get the registers

and the apis I hook are mainly some windows and process functions where just filter out cheat engine's window and proces

same for kernel, some ntUserxxx functions

[bahblahblahbah]

Thx, but I forgot to ask...how does a read/write trace work (or in your program "Find out what accesses this address", and the others)?

Thx again DarkByte for the help

[Dark Byte]

there are also 2 methods (or more...)

These are the 2 methods ce uses
1: (exceptions)
Make the memory inaccessible. When the program tries to read or write to it it raises an exception that the debugger receives. If it isn't a exception caused by cheat engine just continue with unhandled exception code. But if it is, make the memory accessible, do a single step in the code (using the single stef eflag bit) then make the memory inaccessible again. (and of course record the registers like eip, and the other regs

2: Debug registers
With debug registers you can set up to 4 breakpoints of dfferent types. (access, write and execute)
You just set the debug registers in every thread of the process to the address(es) you want to watch and then wait for debug events.
One problem with debug registers is that the state of the registers is always AFTER the instruction has been executed (except for the execute debugreg type) So you'll have to do some disassembling to find the real address that caused the break. But the good part is that it's incredibly fast and you're not changing any memory.

(check out the debugregister part in this file: http://podgoretsky.com/ftp/Docs/Hardware/Processors/Intel/24547211.pdf )