Cheat Engine Forum (The Official Site of Cheat Engine)

Protecting usermode memory in a driver

Cheat Engine Forum Index -> General programming

iPromise
Posted: Tue Nov 06, 2012 3:03 pm    Post subject: Protecting usermode memory in a driver

What are some methods to protect usermode memory in a driver without utilizing Nt/ZwProtectVirtualMemory?
Dark Byte
Posted: Tue Nov 06, 2012 4:20 pm

Another thing you could try is to get the call number of NtProtectVirtualMemory from a usermode app (the mov eax,xxxx part).
Then get the disassembly of a function you have access to (e.g. ZwCreateFile) and rebuild that function somewhere else to make use of the call number of NtProtectVirtualMemory.

e.g. XP kernelmode ZwCreateFile =
Code:

804FF558 - B8 25000000           - mov eax,00000025  (callnumber for ZwCreateFile)
804FF55D - 8D 54 24 04           - lea edx,[esp+04]
804FF561 - 9C                    - pushfd
804FF562 - 6A 08                 - push 08
804FF564 - E8 68110400           - call 805406D1
804FF569 - C2 2C00               - ret 002C

In XP the call number for NtProtectVirtualMemory is 0x89, so replace that mov with 89.
Also, the ret 0x2c is because ZwCreateFile takes 11 parameters (11*4=44=0x2c).
NtProtectVirtualMemory only has 5, so 5*4=20=0x14, so "ret 0014".

For example:
Code:

804FFD28 - B8 89000000           - mov eax,00000089
804FFD2D - 8D 54 24 04           - lea edx,[esp+04]
804FFD31 - 9C                    - pushfd
804FFD32 - 6A 08                 - push 08
804FFD34 - E8 98090400           - call 805406D1
804FFD39 - C2 1400               - ret 0014

Which seems to be already defined in the kernel of Windows.



Anyhow, what is your intention?
Do you wish to make a page writable?
If so, you can do that using the pagetable. (or disable the write protect flag in one of the control registers while editing)

If using the pagetable then you need to access (in 32-bit) 0xc0000000 + pageyouwishtoedit/0x1000 * pagetableentrysize.

If your system uses PAE then the pagetable entry is 8 bytes, else 4.

Then change the writable bit in the pagetable entry to 1 and it can be written.

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping.
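A decoder for the stub layout in the listings above, added here as an example (it is not code from the thread or from Cheat Engine): it recovers the service number from the mov, the parameter count from the ret immediate and the dispatcher address from the relative call, which is what an analyst needs when checking a driver or memory image for hand-rebuilt service stubs. The embedded bytes are transcribed from the two listings in the reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fields recovered from a 32-bit XP-style Zw/Nt service stub (20 bytes). */
typedef struct {
    uint32_t call_number;   /* imm32 of "mov eax, imm32"  */
    unsigned param_count;   /* imm16 of "ret imm16" / 4    */
    uint32_t call_target;   /* absolute dispatcher address */
} zw_stub_t;

/*
 * Decode the layout shown in the listings, given the stub's load address:
 *   +0  B8 imm32       mov eax, imm32   (service number)
 *   +5  8D 54 24 04    lea edx,[esp+4]  (argument pointer)
 *   +9  9C             pushfd
 *   +10 6A 08          push 8
 *   +12 E8 rel32       call dispatcher  (target = address of next insn + rel32)
 *   +17 C2 imm16       ret imm16        (stdcall cleanup = 4 * parameter count)
 * Returns 1 and fills *out if every fixed opcode byte matches, else 0.
 */
int decode_zw_stub(uint32_t addr, const uint8_t *p, size_t len, zw_stub_t *out)
{
    static const uint8_t fixed[] = { 0x8D,0x54,0x24,0x04, 0x9C, 0x6A,0x08, 0xE8 };
    if (len < 20 || p[0] != 0xB8 || p[17] != 0xC2)
        return 0;
    for (size_t i = 0; i < sizeof fixed; i++)
        if (p[5 + i] != fixed[i])
            return 0;
    out->call_number = p[1] | (uint32_t)p[2] << 8 | (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
    out->param_count = (p[18] | (unsigned)p[19] << 8) / 4;
    uint32_t rel32 = p[13] | (uint32_t)p[14] << 8 | (uint32_t)p[15] << 16 | (uint32_t)p[16] << 24;
    out->call_target = addr + 17 + rel32;   /* unsigned wrap gives two's-complement add */
    return 1;
}

/* Byte sequences transcribed from the two listings (ZwCreateFile, then the 0x89 variant). */
const uint8_t xp_zwcreatefile[20] = {
    0xB8,0x25,0x00,0x00,0x00, 0x8D,0x54,0x24,0x04, 0x9C, 0x6A,0x08,
    0xE8,0x68,0x11,0x04,0x00, 0xC2,0x2C,0x00 };
const uint8_t xp_protect_stub[20] = {
    0xB8,0x89,0x00,0x00,0x00, 0x8D,0x54,0x24,0x04, 0x9C, 0x6A,0x08,
    0xE8,0x98,0x09,0x04,0x00, 0xC2,0x14,0x00 };

zw_stub_t decoded;   /* result slot used by main() */

int main(void)
{
    if (decode_zw_stub(0x804FF558u, xp_zwcreatefile, 20, &decoded))
        printf("call 0x%02X, %u args, dispatcher %08X\n",
               decoded.call_number, decoded.param_count, decoded.call_target);
    return 0;
}
```

Both listings resolve to the same dispatcher address, 805406D1, which is the check that the rebuilt stub really targets the kernel's service entry rather than some other call.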
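The page-table arithmetic from the reply above, as an added example that is not the poster's code: it computes the 32-bit self-map address of the PTE and, going beyond the reply, of the PDE (whose large-page bit means there is no PTE to look at), decodes the present/writable/user bits, and reports the 4 KB page that any protection change would cover. The PDE base addresses are assumed from the standard XP 32-bit layout; the sample PTE value is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Self-mapped paging structures on 32-bit Windows XP. The PTE base is the
 * 0xC0000000 from the reply; the PDE bases are assumed from the standard
 * XP layout and are added so large pages can be recognised. */
#define PTE_BASE      0xC0000000u
#define PDE_BASE      0xC0300000u   /* non-PAE */
#define PDE_BASE_PAE  0xC0600000u   /* PAE */

/* Flag bits common to PDEs and PTEs on x86. */
enum { PG_PRESENT = 1u << 0, PG_WRITE = 1u << 1, PG_USER = 1u << 2, PG_LARGE = 1u << 7 };

/* Address of the PTE mapping 'va': base + page index * entry size (8 bytes with PAE, else 4). */
uint32_t pte_va(uint32_t va, int pae)
{
    return PTE_BASE + (va >> 12) * (pae ? 8u : 4u);
}

/* Address of the PDE covering 'va'. If that entry has PG_LARGE set, the
 * region is a 4 MB (2 MB under PAE) page and there is no PTE to edit. */
uint32_t pde_va(uint32_t va, int pae)
{
    return pae ? PDE_BASE_PAE + (va >> 21) * 8u : PDE_BASE + (va >> 22) * 4u;
}

/* 1 if a raw entry describes a present page that user mode may write. */
int entry_user_writable(uint64_t entry)
{
    const uint64_t need = PG_PRESENT | PG_WRITE | PG_USER;
    return (entry & need) == need;
}

/* Flipping R/W in a PTE affects the whole 4 KB page (the warning in the
 * second reply); these return the bounds of the page containing 'va'. */
uint32_t page_start(uint32_t va) { return va & ~0xFFFu; }
uint32_t page_end(uint32_t va)   { return page_start(va) + 0x1000u; }

int main(void)
{
    /* Constructed sample: user-mode code page, read-only PTE (P=1, R/W=0, U/S=1). */
    uint32_t va  = 0x00401234u;
    uint64_t pte = 0x0000000001234005ull;
    printf("PTE at %08X (non-PAE) / %08X (PAE)\n", pte_va(va, 0), pte_va(va, 1));
    printf("user-writable: %d, page %08X-%08X\n", entry_user_writable(pte),
           page_start(va), page_end(va));
    return 0;
}
```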
iPromise
Posted: Tue Nov 06, 2012 9:55 pm

My intention is to set a hook on a usermode address.

So you mean something like this within my driver, assuming the call number is 0x89:

Code:

// Rebuilt 32-bit XP stub. __declspec(naked) so the compiler emits no
// prologue/epilogue: [esp+4] must still be the first argument, and the inline
// ret must not be followed by a second epilogue. (NTSYSAPI would mark the
// function dllimport, which cannot be defined locally.)
__declspec(naked)
NTSTATUS
NTAPI
NtProtectVirtualMemoryX (
  IN HANDLE               ProcessHandle,
  IN OUT PVOID            *BaseAddress,
  IN OUT PULONG           NumberOfBytesToProtect,
  IN ULONG                NewAccessProtection,
  OUT PULONG              OldAccessProtection )
{
  __asm
  {
    mov eax, 89h            // call number (a bare 89 would be decimal in MASM)
    lea edx, [esp+4]        // edx = pointer to the 5 arguments
    pushfd
    push 8
    mov ecx, 805406D1h      // dispatcher address from the listing; replace on the target system
    call ecx
    ret 14h                 // 5 parameters * 4 bytes
  }
}
Dark Byte
Posted: Wed Nov 07, 2012 4:00 am

Yes, and of course, replace the call with the correct address. (Alternatively, do an AOB scan from your driver looking for the function that is the one you need)

Also, be aware that this will change the WHOLE page (4096 bytes, and not just the one address you wish to watch)

iPromise
Posted: Wed Nov 07, 2012 7:40 am

Alright, final question.

I get the call number with my usermode application, then I send it to my driver.

As for my driver, after it receives the call number a byte signature scan is done for the bytes above, but what region do I scan? The driver's range is nearly endless, am I not correct?

In regular scanning we use VirtualQuery with MBI_BASIC_INFORMATION and read the following regions, but in driver scanning do we still apply the same concept?

If so, what do we use for VirtualQuery?