Dll Callgate causing BSOD

Cheat Engine Forum Index -> General programming
BanMe
Posted: Wed Dec 24, 2008 1:02 pm    Post subject: Dll Callgate causing BSOD

NtSystemDebugControl() callgate: there is much info on the net about it, so I won't go over that piece of code, but I wish to read the current EThread ServiceTableBase from the callgate using some code I found posted by OpCode.
Code:

mov eax, 0xffdff124   // KPCR+0x124 = KPRCB.CurrentThread: the slot that holds the KTHREAD pointer
mov eax, [eax]        // eax = current KTHREAD
add eax, 0xe0         // KTHREAD.ServiceTable
mov eax, [eax]        // eax = the service descriptor table this thread uses
mov eax, [eax - 0x30] // read the dword at ServiceTable - 0x30


OK, so I've BSOD'd using this specific piece of code, but I now have a crash dump to look over. Is there anyone out there willing to give an old coder a hand at analyzing it?
Dark Byte
Posted: Wed Dec 24, 2008 1:39 pm

WinDbg can open those crash dumps and then inspect them, showing information like EIP, assembler code, etc...

Also, it could be those specific offsets are only for Windows 2000, or XP SP0, or XP SP1, or XP SP2.

(On my system, XP SP2, the path does lead to the descriptor.)

edit: Actually, I just noticed something.
If you add this pointer to CE:
[[ffdff124]+e0]-30

you'll notice it sometimes switches to a wrong address.
In my case it goes between 80884670 and 808846B0.

80884670 points to a zeroed region of memory, but 808846B0 is valid. So it's based on luck whether you crash or not...

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping.
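Dark Byte's observation above, modelled offline as an added example (not code from this thread or from Cheat Engine): the chain [[ffdff124]+e0]-30 is resolved against a constructed snapshot of kernel words, and every intermediate pointer is checked for being non-null and in the kernel half of the address space, so a read that lands in a zeroed KTHREAD field is reported instead of dereferenced. The 0x80000000 kernel boundary, all snapshot addresses except 0xffdff124, and the helper names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed snapshot of 32-bit kernel words standing in for real memory; nothing is read
   from a live system, and every address except 0xffdff124 is made up for the example. */
typedef struct { uint32_t addr; uint32_t value; } Word;
static Word snapshot[] = {
    { 0xffdff124u, 0x81234000u },          /* KPRCB.CurrentThread -> constructed KTHREAD A */
    { 0x81234000u + 0xe0u, 0x805624e0u },  /* KTHREAD A .ServiceTable -> constructed table */
    { 0x805624e0u - 0x30u, 0x80884670u },  /* dword the chain finally lands on */
    { 0x81235000u + 0xe0u, 0x00000000u },  /* KTHREAD B: its ServiceTable slot reads as zero */
};

/* Look up one dword in the snapshot. Returns 1 on hit, 0 when the address is unmapped. */
static int read32(uint32_t addr, uint32_t *out) {
    for (size_t i = 0; i < sizeof snapshot / sizeof snapshot[0]; i++)
        if (snapshot[i].addr == addr) { *out = snapshot[i].value; return 1; }
    return 0;
}

/* Assumed sanity check: a pointer read out of a kernel structure should itself lie in the
   kernel half of a 2 GB / 2 GB x86 split; a zeroed field fails this. */
static int looks_like_kernel_ptr(uint32_t p) { return p >= 0x80000000u; }

/* Resolve a Cheat Engine style chain such as [[ffdff124]+e0]-30: from base, for each offset
   dereference, validate, add the offset; a final dereference yields the value. Returns 0 on
   success, the 1-based hop that produced a bad pointer, or -1 for an unmapped address. */
static int resolve_chain(uint32_t base, const int32_t *offs, size_t n, uint32_t *out) {
    uint32_t addr = base, v;
    for (size_t i = 0; i < n; i++) {
        if (!read32(addr, &v)) return -1;
        if (!looks_like_kernel_ptr(v)) return (int)i + 1;
        addr = v + (uint32_t)offs[i];   /* negative offsets wrap correctly in 32 bits */
    }
    return read32(addr, out) ? 0 : -1;
}

/* Model of the flip Dark Byte saw: CPU 0's CurrentThread slot holds whichever thread runs
   there at the moment of the read, so the same chain resolves differently per read. */
static const int32_t chain[] = { 0xe0, -0x30 };
static int resolve_for_thread(uint32_t kthread, uint32_t *out) {
    snapshot[0].value = kthread;
    return resolve_chain(0xffdff124u, chain, 2, out);
}

int main(void) {
    uint32_t v = 0;
    int rc = resolve_for_thread(0x81234000u, &v);
    printf("thread A: rc=%d value=%08x\n", rc, v);
    rc = resolve_for_thread(0x81235000u, &v);
    printf("thread B: rc=%d (hop 2 read a zeroed ServiceTable slot)\n", rc);
    return 0;
}
```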
BanMe
Posted: Wed Dec 24, 2008 2:11 pm

OK, I think I have a workable version; here is the code. o0 It isn't exactly a call gate, but I think I can still use the callgate material to access kernel-mode hooked APIs... I also narrowed the BSOD down to KiServiceExit2's first instruction, 'cli'... Also, I'm using ntkrnlmpa, so results vary from kernel to kernel. I got 0x805624e0... which is the KeServiceDescriptorTableShadow, and after doing a little digging on my XP SP2 multi-processor system I found that if you add 0x40 to that value it should lead you to the real SSDT... I would appreciate verification xD

p.s. If these functions are run from a GUI thread (like when loaded through Olly)
it returns the shadow; if run from a non-GUI thread it returns KeServiceDescriptorTable.

Some code from VirToPhy.c by kissingger:
Code:

#include <windows.h>
#include <winternl.h>   // NTSTATUS

#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

// SYSDBG_VIRTUAL and SysDbgReadVirtual are not in the public SDK headers; these
// definitions match the undocumented ones NtSystemDebugControl expects.
typedef struct _SYSDBG_VIRTUAL {
    PVOID Address;
    PVOID Buffer;
    ULONG Request;
} SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL;
#define SysDbgReadVirtual 8

typedef NTSTATUS (NTAPI *NtSystemDebugControl_t)(int, PVOID, ULONG, PVOID, ULONG, PULONG);

// ntdll is always mapped, so GetModuleHandle is enough; resolve the export once.
static NtSystemDebugControl_t GetNtSystemDebugControl(void)
{
    static NtSystemDebugControl_t fn;
    if (!fn)
        fn = (NtSystemDebugControl_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtSystemDebugControl");
    return fn;
}

// This will enable NtSystemDebugControl usage: SeDebugPrivilege has to be held by the
// token and enabled. AdjustTokenPrivileges returns TRUE even when the privilege was not
// assigned, so ERROR_NOT_ALL_ASSIGNED has to be checked separately.
static BOOL EnableDebugPrivilege(void)
{
    TOKEN_PRIVILEGES pv = { 1 }, po;
    DWORD no = 0;
    HANDLE t;
    BOOL ok;

    pv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValue(0, SE_DEBUG_NAME, &pv.Privileges[0].Luid))
        return FALSE;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &t))
        return FALSE;
    ok = AdjustTokenPrivileges(t, 0, &pv, sizeof(po), &po, &no);
    if (ok && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        ok = FALSE;
    CloseHandle(t);
    return ok;
}

// Read one 32-bit word of kernel memory through SysDbgReadVirtual. Returns 0 on any
// failure (missing export, privilege not enabled, or NtSystemDebugControl failing).
static ULONG ReadKernelUlong(ULONG Address)
{
    NtSystemDebugControl_t NtSystemDebugControl = GetNtSystemDebugControl();
    SYSDBG_VIRTUAL ThreadData;
    ULONG          Buffer = 0;
    ULONG          ReturnLength = 0;
    NTSTATUS       Status;

    if (!NtSystemDebugControl)
        return 0;
    ZeroMemory(&ThreadData, sizeof(SYSDBG_VIRTUAL));
    ThreadData.Address = (PVOID)Address;
    ThreadData.Buffer  = &Buffer;
    ThreadData.Request = sizeof(ULONG);
    Status = NtSystemDebugControl(SysDbgReadVirtual, &ThreadData, sizeof(SYSDBG_VIRTUAL),
                                  NULL, 0, &ReturnLength);
    return NT_SUCCESS(Status) ? Buffer : 0;
}

// 32-bit XP layout: KPCR is at 0xffdff000, KPRCB at KPCR+0x120, CurrentThread at KPRCB+0x4.
ULONG GetCurrentEThread(void)
{
    if (!EnableDebugPrivilege())
        return 0;
    return ReadKernelUlong(0xffdff000 + 0x124);   // Read CurrentThread from KPRCB+0x4
}

ULONG GetServiceTableShadow(void)
{
    ULONG EThread = GetCurrentEThread();
    if (!EThread)
        return 0;
    return ReadKernelUlong(EThread + 0xe0);       // KTHREAD.ServiceTable
}