iPromise (Grandmaster Cheater)
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Thu Jan 10, 2013 9:03 pm Post subject: Hooking kernel functions
I have a few questions in regards to drivers as well as hooking kernel functions. I've personally created my own driver, so I know that KeStackAttachProcess is a crucial function to any driver that accesses memory, be it for anti-hacking purposes or for hacking purposes.
What I've noticed however is that these functions don't have their own libraries (understandable), but then if they don't have their own libraries, where does the call to the function end up at? What application handles the call to the function?
I'm attempting to set a hook on the function in order to prevent specific drivers from attaching to specific processes. I figured that if 64-bit machines reject unsigned drivers from loading, and if they are loaded, from running correctly, then I must be able to set a hook on KeStackAttachProcess without receiving much of an error from the game such as "Can't communicate with the driver".
But there's a big difference between setting a hook in usermode and kernelmode.
I don't know where to set the hook, and I also don't have the ability to read the inline assembly of the kernel function like I can read it in usermode in order for me to create an appropriate hook. I have a variety of tools for usermode functions such as Cheat Engine and OllyDbg, but I don't have those luxuries when I want to view kernelmode memory, so I was wondering if there is any software similar to OllyDbg which allows one to view kernel memory.
If anybody can clear up my questions that would be awesome.
Zerith (Master Cheater)
Reputation: 1
Joined: 07 Oct 2007 Posts: 468
Posted: Fri Jan 11, 2013 3:28 am
This is something you could have easily found by searching.
Many kernel debuggers exist, such as WinDbg, which is a very powerful tool, and Syser.
Moreover, I did not understand your original question: "What application handles the call to the function?". I suggest you read a good book, like Windows Internals.
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003 Posts: 25827 Location: The Netherlands
Posted: Fri Jan 11, 2013 4:07 am
Cheat Engine can view kernel memory as well, just enable kernelmode readprocessmemory in settings. And for debugging use DBVM when in 64-bit.
Anyhow, you can't hook KeAttachProcess in 64-bit as Windows does an integrity check now and then.
Also, mov cr3 is a very useful instruction that works without that API.
You can call ObRegisterCallbacks to register a signed function to block everything from getting a handle to your process and threads (not Windows, I think), but KeAttachProcess will keep working.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
iPromise (Grandmaster Cheater)
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Fri Jan 11, 2013 5:22 pm
Thanks for your detailed response.
My goal is to hook KeStackAttachProcess on 32-bit computers, so I shouldn't have to worry about an integrity check, should I?
Anyhow, I dived right into the subject and currently I'm attempting to hook KeStackAttachProcess after using MmGetSystemRoutineAddress to locate its address.
This is my hooking code, short but brief:
Code:
// Globals used below (assumed declarations; the original post omits them)
BYTE JmpToHook [5];                 // E9 <rel32>
NTSTATUS ntStatus;
SIZE_T szToProtect = 5;
ULONG oldProtection;
typedef NTSTATUS ( NTAPI *ZWPROTECTMEM ) ( HANDLE, PVOID *, PSIZE_T, ULONG, PULONG );
ZWPROTECTMEM ZwProtectVirtualMemory;
DWORD dwKeStackAttachProcess;       // original function + 5, set in DriverEntry

// Setup Hook
VOID Hook ()
{
    __asm
    {
        pushfd
        pushad
    }
    DbgPrint ( "I'm inside KeStackAttachProcess" );
    __asm
    {
        popad                       // restore in the reverse order of the pushes
        popfd
        // Replay the 5 prologue bytes the jmp overwrote ...
        mov edi, edi
        push ebp
        mov ebp, esp
        // ... and continue in the original function just past them
        jmp dword ptr [dwKeStackAttachProcess]
    }
}

VOID Setup ( PVOID From, PVOID To )
{
    // ZwProtectVirtualMemory rounds the base down to a page boundary and
    // writes it back, so hand it a copy and keep 'From' for the memcpy
    PVOID base = From;

    // Setup bytes: E9 rel32, relative to the end of the 5-byte jmp
    JmpToHook [0] = 0xE9;
    *(DWORD*) &JmpToHook [1] = (DWORD) To - ( (DWORD) From + 0x05 );

    // Set protection
    __try
    {
        ntStatus = ZwProtectVirtualMemory ( NtCurrentProcess (), &base, &szToProtect, PAGE_EXECUTE_READWRITE, &oldProtection );
        // Set memory
        memcpy ( From, JmpToHook, 5 );
    }
    __except ( 1 )
    {
        DbgPrint ( "Failed to protect/set hook" );
    }
}
I keep getting a BSOD that says "An attempt was made to execute non-executable memory". I tried doing research on it, but there wasn't much info, and the error message seems to be self-explanatory. I'm curious, however, as to why I'm receiving that message, as I don't see any potential logic errors in my code.
Also, a quick question. KeStackAttachProcess is a function in Ntoskrnl.exe. I do understand that it's a stub to the real KeStackAttachProcess. So my question is: if I set a hook on this function, would it take effect globally? If I set the hook in kernel mode, then opened CE, attached it to a random process and browsed to the memory address of KeStackAttachProcess, I should see my hook in place, correct?
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003 Posts: 25827 Location: The Netherlands
Posted: Fri Jan 11, 2013 7:36 pm
Your hook function is not declared as naked, so it places a push ebp/mov ebp,esp at the start, causing your own push ebp/mov ebp,esp to be duplicated and thus mess up the return address, causing it to jump to a random location (stack).
And yes, most kernelmode memory is shared by all processes, so if you change it in one process, you're changing it in all. (You can bypass that by setting up your own pagetable entries for the .code section of ntoskrnl.exe so that your own process never sees the hooked code, but that's very ugly.)
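Turning Dark Byte's remark about Windows' integrity check around, here is an added example (not code from the thread) that checks rather than installs: given the first five bytes of a 32-bit ntoskrnl function, it reports whether the hot-patch prologue iPromise replays (mov edi,edi / push ebp / mov ebp,esp) is still intact or has been replaced by the E9 jump his Setup() writes, and recovers where that jump lands. The addresses are constructed; encode_jmp exists only so the detector can be exercised against exactly what the installer produces.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hot-patchable prologue of a 32-bit ntoskrnl export such as
   KeStackAttachProcess (mov edi,edi / push ebp / mov ebp,esp):
   the five bytes an E9 jmp overwrites. */
static const uint8_t kPrologue[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

/* 1 if the first five bytes are still the expected prologue. */
int is_intact_prologue(const uint8_t bytes[5])
{
    return memcmp(bytes, kPrologue, sizeof kPrologue) == 0;
}

/* If the code at virtual address `base` starts with an E9 rel32 jump, return
   where it lands (base + 5 + rel32 mod 2^32); otherwise 0. Unsigned
   wraparound makes backward (negative) displacements come out right. */
uint32_t decode_jmp_target(const uint8_t bytes[5], uint32_t base)
{
    uint32_t rel32;
    if (bytes[0] != 0xE9)
        return 0;
    memcpy(&rel32, bytes + 1, sizeof rel32);   /* little-endian, as on x86 */
    return base + 5 + rel32;
}

/* The same 5-byte jump the thread's Setup() builds: E9, then to - (from + 5). */
void encode_jmp(uint32_t from, uint32_t to, uint8_t out[5])
{
    uint32_t rel32 = to - (from + 5);
    out[0] = 0xE9;
    memcpy(out + 1, &rel32, sizeof rel32);
}

/* Patch-then-detect round trip: the patch must be flagged and the hook address recovered. */
int roundtrip_ok(uint32_t from, uint32_t to)
{
    uint8_t patched[5];
    encode_jmp(from, to, patched);
    return !is_intact_prologue(patched) && decode_jmp_target(patched, from) == to;
}

int main(void)
{
    uint32_t func = 0x8264A3C0u;   /* constructed sample address */
    printf("intact=%d above=%d below=%d\n", is_intact_prologue(kPrologue),
           roundtrip_ok(func, 0x9A1F1000u), roundtrip_ok(func, 0x80012340u));
    return 0;
}
```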
iPromise (Grandmaster Cheater)
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Fri Jan 11, 2013 9:27 pm
Thanks for your help.
I got everything working, however there is one final problem. Every time I load up my driver, it halts any driver, including Cheat Engine's, from loading if it hasn't already loaded, until my driver has finished and unloaded. StartService () doesn't return until my driver has been unloaded.
I have no clue how to solve this as I am new to driver coding, and the documentation on the DriverEntry function in MSDN doesn't, to my knowledge, cover where you should initialize your main code. Can you guide me to any links that cover this issue?
If you need to look at my DriverEntry code, here it is:
Code:
// Globals referenced below (assumed declarations; dwKeStackAttachProcess,
// ZWPROTECTMEM and ZwProtectVirtualMemory are the ones shared with the hook code)
UNICODE_STRING uKeStackAttachProcess;
const WCHAR *cKeStackAttachProcess = L"KeStackAttachProcess";
PVOID pKeStackAttachProcess;
VOID DriverUnload ( PDRIVER_OBJECT DriverObject );   // defined elsewhere in the driver
PVOID findUnresolved ( PVOID Near );                 // author's helper for the unexported ZwProtectVirtualMemory

NTSTATUS DriverEntry ( struct _DRIVER_OBJECT *DriverObject, PUNICODE_STRING RegistryPath )
{
    // Specify the 'Unload' function
    DriverObject->DriverUnload = DriverUnload;

    // Notify that you've loaded
    DbgPrint ( "EazyDriver: Loaded!" );

    // Initialize 'uKeStackAttachProcess'
    RtlInitUnicodeString ( &uKeStackAttachProcess, cKeStackAttachProcess );

    // Obtain the address
    pKeStackAttachProcess = MmGetSystemRoutineAddress ( &uKeStackAttachProcess );
    if ( !pKeStackAttachProcess )
    {
        DbgPrint ( "EazyDriver: Failed to locate." );
    }
    else
    {
        // Resume point for the hook: just past the 5 prologue bytes the jmp replaces
        dwKeStackAttachProcess = (DWORD) pKeStackAttachProcess + 0x5;

        // Display the address
        DbgPrint ( "%p", pKeStackAttachProcess );
        ZwProtectVirtualMemory = (ZWPROTECTMEM) findUnresolved ( ZwPulseEvent );

        // Failed to locate 'ZwProtectVirtualMemory'
        if ( !ZwProtectVirtualMemory )
            DbgPrint ( "EazyDriver: Failed to locate (2)." );
        else
        {
            // Good grounds to setup the hook
            Setup ( pKeStackAttachProcess, &Hook );
        }
    }
    return STATUS_SUCCESS;
}
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003 Posts: 25827 Location: The Netherlands
Posted: Fri Jan 11, 2013 9:34 pm
Try commenting out Setup ( pKeStackAttachProcess, &Hook ); and see if it still freezes.
iPromise (Grandmaster Cheater)
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Fri Jan 11, 2013 9:43 pm
It's not a problem of freezing.
The problem is that each time I start up my driver, it works wonders. However, for some reason it doesn't allow any other driver to load up until it has unloaded.
I assumed that was because I had something screwed up in DriverEntry.