Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
Bypassing Read/WriteProcessMemory

 
Cheat Engine Forum Index -> General programming
iPromise
Grandmaster Cheater
Reputation: -1

Joined: 27 Jun 2009
Posts: 529
Location: Canada

PostPosted: Fri Jan 11, 2013 9:06 pm    Post subject: Bypassing Read/WriteProcessMemory Reply with quote

Well, since both functions have calls to functions in kernel mode (NtWriteProcessMemory/NtReadProcessMemory), it makes sense for an anti-hacking system to set a hook on the entry point of those kernel mode functions via their driver.

If that's the case, then can't we just restore the original bytes? What I mean is that:

Code:

MOV EDI, EDI
PUSH EBP
MOV EBP, ESP


is being replaced with

Code:

JMP xxxxxxxx


So if we just replace the original 5 bytes we can, in a sense, remove their global hook on Read/WriteProcessMemory. Correct me if I'm wrong?
Dark Byte
Site Admin
Reputation: 471

Joined: 09 May 2003
Posts: 25827
Location: The netherlands

PostPosted: Fri Jan 11, 2013 9:29 pm    Post subject: Reply with quote

It's possible, but to do that you must have kernel access yourself, and if you have kernel access you can use other functions as well.
Also, they can check if it has been unhooked and act accordingly, like turning off your PSU.

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
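Dark Byte's remark that the protector can check whether its hook is still in place is easy to make concrete. The following is an added example, not code from the thread or from Cheat Engine: it inspects the 5 bytes at a function's entry point and reports whether the hot-patchable prologue quoted in the first post is intact, whether a 5-byte E9 JMP has been written over it (decoding where the jump goes), or whether something else is there. The entry address and byte samples are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* What the integrity check found at the function's entry point. */
enum prologue_state {
    PROLOGUE_ORIGINAL, /* 8B FF 55 8B EC: mov edi,edi / push ebp / mov ebp,esp */
    PROLOGUE_JMP_HOOK, /* E9 rel32: a 5-byte relative JMP was written over it */
    PROLOGUE_UNKNOWN   /* anything else: partial patch or unexpected code */
};

/* The hot-patchable prologue quoted in the first post (32-bit x86). */
static const uint8_t ORIGINAL_PROLOGUE[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

/* Classify the 5 bytes read from `entry`. The address is only needed to resolve
 * a JMP: for E9 the destination is the next instruction (entry + 5) plus rel32.
 * The sum is taken in uint32_t so a negative rel32 wraps correctly. */
enum prologue_state classify_prologue(uint32_t entry, const uint8_t bytes[5],
                                      uint32_t *jmp_target)
{
    size_t i;
    for (i = 0; i < 5 && bytes[i] == ORIGINAL_PROLOGUE[i]; i++)
        ;
    if (i == 5)
        return PROLOGUE_ORIGINAL;

    if (bytes[0] == 0xE9) {
        /* rel32 is stored little-endian; assemble it byte by byte. */
        uint32_t rel = (uint32_t)bytes[1] | ((uint32_t)bytes[2] << 8)
                     | ((uint32_t)bytes[3] << 16) | ((uint32_t)bytes[4] << 24);
        if (jmp_target)
            *jmp_target = entry + 5u + rel;
        return PROLOGUE_JMP_HOOK;
    }
    return PROLOGUE_UNKNOWN;
}

int main(void)
{
    /* Constructed sample: a function at 0x7C801000 whose first 5 bytes were
       replaced with a JMP to 0x7C800800 (rel32 = 0x7C800800 - 0x7C801005). */
    const uint8_t hooked[5] = { 0xE9, 0xFB, 0xF7, 0xFF, 0xFF };
    uint32_t target = 0;
    if (classify_prologue(0x7C801000u, hooked, &target) == PROLOGUE_JMP_HOOK)
        printf("entry point patched: JMP to 0x%08X\n", (unsigned)target);
    else
        printf("entry point intact or unrecognised\n");
    return 0;
}
```

A protector would run this periodically against a snapshot of its own hook and treat PROLOGUE_ORIGINAL or PROLOGUE_UNKNOWN as evidence of tampering.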
iPromise
Grandmaster Cheater
Reputation: -1

Joined: 27 Jun 2009
Posts: 529
Location: Canada

PostPosted: Fri Jan 11, 2013 9:33 pm    Post subject: Reply with quote

Then can't we just emulate another Read/WriteProcessMemory function and, before it calls sysenter, make it jump to our code, which does a hookhop and jumps back to the original kernel function?

Is that what you did for Cheat Engine, or did you create your own read/writeprocessmemory function which made use of your driver?
Dark Byte
Site Admin
Reputation: 471

Joined: 09 May 2003
Posts: 25827
Location: The netherlands

PostPosted: Fri Jan 11, 2013 9:38 pm    Post subject: Reply with quote

I created my own read and write functions.
But yes, it's possible. Every thread has a KThread object which controls the function table to use. If you change your own threads to a table that points to unhooked copies it might work.
Problem is that KThread is service pack dependent and not well documented.

All times are GMT - 6 Hours

Powered by phpBB © 2001, 2005 phpBB Group