iPromise Grandmaster Cheater
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Sat Jul 20, 2013 6:52 pm Post subject: Weird problem
I'm trying to add a certification process to my driver where it checks the DLL's memory after I load it up to see if it contains my signature, but I have a problem.
When I decrypt the DLL, load it into memory, and read it, then my memory scanning check works.
When I encrypt the DLL with Themida or VMProtect, load it into memory, and read it, then my memory scanning check doesn't work.
At first I thought the signature was screwed up after encrypting the DLL, but after testing I realized that when the DLL loads into memory after being called by LoadLibrary, the encryptor decrypts itself. So it shouldn't be a problem with the signatures. I also confirmed it with Cheat Engine and I saw the signature in memory.
After that I assumed it was a protection problem, so I called NtProtectVirtualMemory but even after that I still couldn't read it.
I can perfectly read the memory in user mode, but when I try to read the memory in kernel mode it won't succeed.
I simply call memcpy for each address while going through the DLL's regions, including the one which contains the signature. When it's decrypted it works, but when it's encrypted it doesn't. The protection constant in both cases is readable.
Does anybody have any idea why?
Edit:
My memory comparison function, which is just memcmp enclosed with try and except, receives an exception when I attempt to read, although the memory protection constant of that region is readable. If only there was a driver version of GetLastError.