DP_4819566 (How do I cheat?), Reputation: 0, Joined: 26 Jul 2020, Posts: 5
Posted: Sun Jul 26, 2020 12:04 pm    Post subject: RPM Hook Crashing CE
I have made a plugin to hook OpenProcess and ReadProcessMemory to use my own driver. When I use the hook in my own program using RPM, it works fine. However, when I use it as a CE plugin, CE crashes on RPM.
I have narrowed the problem down to know that CE will only crash when my driver's rpm is called (Driver::read_memory()).
Code:
```cpp
#include <windows.h>
#include <cstdint>

// Driver::read_memory and curr_pid are defined elsewhere in the plugin.

// Original ReadProcessMemory, saved before detouring so it can still be called through.
static BOOL(WINAPI* TrueReadProcessMemory)
    (HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesRead) = ReadProcessMemory;

// Detour: routes the read through the custom driver instead of the normal RPM path.
BOOL WINAPI InterceptReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID &lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesRead)
{
    uint64_t buffer;                            // 8-byte local, but nSize bytes are written into it
    Driver::read_memory(curr_pid, (uint64_t)lpBaseAddress, (uint64_t)&buffer, nSize); // breaks the dll
    lpBuffer = (LPVOID)buffer;
    *lpNumberOfBytesRead = nSize;               // dereferenced unconditionally; callers may pass NULL
    return 1;
}
```
Any ideas?
Dark Byte (Site Admin), Reputation: 465, Joined: 09 May 2003, Posts: 25570, Location: The Netherlands
Posted: Sun Jul 26, 2020 1:17 pm
lpNumberOfBytesRead can be null
and nSize can be bigger than 8
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
DP_4819566 (How do I cheat?), Reputation: 0, Joined: 26 Jul 2020, Posts: 5
Posted: Sun Jul 26, 2020 6:16 pm
Dark Byte wrote:
> lpNumberOfBytesRead can be null
> and nSize can be bigger than 8
Seems like fixing the nSize issue fixed my problem. My Cheat Engine no longer crashes and I can read memory correctly. Thanks!
I'm having another issue that I can't figure out. When I have my plugin loaded, nothing comes up in the scans. Even when I know that a certain value exists and my RPM works correctly when entering an address manually.
Here is my updated code.
Code:
```cpp
#include <windows.h>
#include <winternl.h>   // NTSTATUS
#include <cstdint>

#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

// Driver::read_memory and curr_pid are defined elsewhere in the plugin.
BOOL WINAPI InterceptReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesRead)
{
    BYTE* buffer = new BYTE[nSize];             // nSize-byte staging buffer filled by the driver
    memset(buffer, 0, nSize);
    NTSTATUS status = Driver::read_memory(curr_pid, (uint64_t)lpBaseAddress, (uint64_t)&buffer[0], nSize);
    if (NT_SUCCESS(status)) {
        memcpy(lpBuffer, buffer, sizeof(LPVOID)); // copies sizeof(LPVOID) bytes, not nSize
        if (lpNumberOfBytesRead != NULL) {
            *lpNumberOfBytesRead = nSize;
        }
        delete[] buffer;                        // release the staging buffer on both paths
        return TRUE;
    }
    delete[] buffer;
    return FALSE;
}
```
Dark Byte (Site Admin), Reputation: 465, Joined: 09 May 2003, Posts: 25570, Location: The Netherlands
Posted: Mon Jul 27, 2020 1:06 am
that is because
Code:
```cpp
memcpy(lpBuffer, buffer, sizeof(LPVOID));
```
only copies 8 bytes, as an LPVOID is 8 bytes long
DP_4819566 (How do I cheat?), Reputation: 0, Joined: 26 Jul 2020, Posts: 5
Posted: Mon Jul 27, 2020 11:10 am
Dark Byte wrote:
> that is because
>     memcpy(lpBuffer, buffer, sizeof(LPVOID));
> only copies 8 bytes, as an LPVOID is 8 bytes long
This should be correct though right? I am just swapping the address of the passed variable with the address of the buffer. Which would both be only 8 bytes long.
Dark Byte (Site Admin), Reputation: 465, Joined: 09 May 2003, Posts: 25570, Location: The Netherlands
Posted: Mon Jul 27, 2020 12:37 pm
no, lpBuffer points to a block of memory that is nSize bytes long
buffer is also a block of memory that is nSize bytes long (the new BYTE[nSize] does that)
Driver::read_memory reads nSize bytes into buffer
yet, you just do a memcpy(lpBuffer, buffer, 8); which means you only copy 8 bytes from the block that buffer points to into the memory block that lpBuffer points to
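As an added example (not code from this thread or from Cheat Engine), the points Dark Byte raises in his two replies above, an nSize that can exceed 8, a copy that forwards only sizeof(LPVOID) bytes, and an lpNumberOfBytesRead that may be NULL, are shown in portable C. A constructed 64-byte target image and a stand-in for Driver::read_memory (hypothetical; the real driver is not on the page) back two hooks, the posted one that forwards 8 bytes and a corrected one, and a small chunked scanner counts how many planted values each lets through. The Win32 types are typedef'd locally so it builds without windows.h.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-ins for the Win32 types the hook uses, so this runs without windows.h. */
typedef void *HANDLE;
typedef int BOOL;
typedef size_t SIZE_T;
typedef BOOL (*rpm_fn)(HANDLE, const void *, void *, SIZE_T, SIZE_T *);

/* Constructed target process image: 64 bytes that "live" at a fake base address. */
#define TARGET_BASE 0x10000ULL
#define TARGET_SIZE 64
static uint8_t target[TARGET_SIZE];

/* Hypothetical stand-in for Driver::read_memory: copies n bytes from the fake target into out,
 * failing when the range is not inside the image. */
static bool driver_read(uint64_t addr, void *out, size_t n) {
    if (addr < TARGET_BASE || n > TARGET_SIZE || addr - TARGET_BASE > TARGET_SIZE - n) return false;
    memcpy(out, target + (addr - TARGET_BASE), n);
    return true;
}

/* Hook as posted: stages nSize bytes, then forwards only sizeof(void*) of them. */
static BOOL rpm_copies_8(HANDLE h, const void *base, void *buf, SIZE_T n, SIZE_T *bytes_read) {
    (void)h;
    uint8_t staging[TARGET_SIZE] = {0};             /* stands in for the post's new BYTE[nSize] */
    if (n > sizeof staging || !driver_read((uint64_t)(uintptr_t)base, staging, n)) return 0;
    memcpy(buf, staging, sizeof(void *));           /* bug: bytes 8..n-1 never reach the caller */
    if (bytes_read) *bytes_read = n;                /* yet the caller is told all n arrived */
    return 1;
}

/* Corrected hook: reads the full nSize bytes straight into the caller's buffer (no staging
 * buffer whose size has to track nSize) and treats lpNumberOfBytesRead as optional. */
static BOOL rpm_fixed(HANDLE h, const void *base, void *buf, SIZE_T n, SIZE_T *bytes_read) {
    (void)h;
    if (bytes_read) *bytes_read = 0;
    if (n == 0) return 1;
    if (!buf || !driver_read((uint64_t)(uintptr_t)base, buf, n)) return 0;
    if (bytes_read) *bytes_read = n;
    return 1;
}

/* Minimal scanner: reads the target in 16-byte chunks through the supplied RPM and counts
 * 4-byte-aligned occurrences of value, the way a scan reads regions in blocks. */
static int scan_u32(rpm_fn rpm, uint32_t value) {
    int hits = 0;
    for (uint64_t off = 0; off < TARGET_SIZE; off += 16) {
        uint8_t chunk[16] = {0};
        SIZE_T got = 0;
        if (!rpm(NULL, (const void *)(uintptr_t)(TARGET_BASE + off), chunk, sizeof chunk, &got)) continue;
        if (got != sizeof chunk) continue;
        for (size_t i = 0; i + 4 <= sizeof chunk; i += 4) {
            uint32_t v;
            memcpy(&v, chunk + i, sizeof v);
            if (v == value) hits++;
        }
    }
    return hits;
}

/* Plants the value at offsets 0, 12 and 40 and reports how many the scanner finds via rpm. */
static int demo(rpm_fn rpm) {
    const uint32_t value = 0xDEADBEEF;
    memset(target, 0, sizeof target);
    memcpy(target + 0, &value, sizeof value);
    memcpy(target + 12, &value, sizeof value);
    memcpy(target + 40, &value, sizeof value);
    return scan_u32(rpm, value);
}

/* The corrected hook must accept a NULL lpNumberOfBytesRead without dereferencing it. */
static int fixed_accepts_null_bytes_read(void) {
    uint8_t buf[16];
    return rpm_fixed(NULL, (const void *)(uintptr_t)TARGET_BASE, buf, sizeof buf, NULL);
}

int main(void) {
    printf("8-byte memcpy hook: %d of 3 hits\n", demo(rpm_copies_8));
    printf("corrected hook:     %d of 3 hits\n", demo(rpm_fixed));
    return 0;
}
```

Run stand-alone it reports 1 of 3 hits for the posted hook and 3 of 3 for the corrected one: any value that does not sit in the first eight bytes of a scan chunk is invisible, which is exactly a scan that finds nothing while a manual read of a small value at a known address still works.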
DP_4819566 (How do I cheat?), Reputation: 0, Joined: 26 Jul 2020, Posts: 5
Posted: Mon Jul 27, 2020 1:55 pm
Dark Byte wrote:
> no, lpBuffer points to a block of memory that is nSize bytes long
> buffer is also a block of memory that is nSize bytes long (the new BYTE[nSize] does that)
> Driver::read_memory reads nSize bytes into buffer
> yet, you just do a memcpy(lpBuffer, buffer, 8); which means you only copy 8 bytes from the block that buffer points to into the memory block that lpBuffer points to
Still isn't working unless OpenProcess returns a valid handle to the target process. Are you aware of any other function I should be hooking within CE in order for search to work other than RPM and OpenProcess?
Dark Byte (Site Admin), Reputation: 465, Joined: 09 May 2003, Posts: 25570, Location: The Netherlands
Posted: Mon Jul 27, 2020 2:08 pm
VirtualQueryEx
DP_4819566 (How do I cheat?), Reputation: 0, Joined: 26 Jul 2020, Posts: 5
Posted: Mon Aug 03, 2020 7:32 pm
Dark Byte wrote:
> VirtualQueryEx
What would be a kernel-mode replacement for this function? I have seen suggestions for ZwQueryVirtualMemory, but this function requires a handle to the process, which is what I am trying to avoid.
Dark Byte (Site Admin), Reputation: 465, Joined: 09 May 2003, Posts: 25570, Location: The Netherlands
Posted: Mon Aug 03, 2020 11:42 pm
look at the page table
See CE's driver source code on how it's done (it works without handles)
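Dark Byte's two short answers above (hook VirtualQueryEx as well, since the scanner uses it to decide which ranges to read, and replace it in the kernel by walking the page tables instead of needing a handle) are illustrated by this added example, which is not CE's driver code. It simulates the architectural x86-64 4-level walk over a constructed set of tables held in a small array that stands in for physical memory, and uses the walk to enumerate runs of present pages in the role VirtualQueryEx plays for a scan. Every frame number, mapping and the CR3 value are constructed for the example; a real driver would take the target's CR3 from its process object and map physical frames itself. One caveat a practitioner should keep in mind: the Present bit is not the same as "committed". Pages that are committed but paged out, and regions that are only reserved, have no present PTE, so a walk like this under-reports them compared with VirtualQueryEx.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86-64 4-level paging constants (architectural). */
#define PAGE_SHIFT   12
#define PAGE_SIZE    (1ULL << PAGE_SHIFT)
#define PTE_PRESENT  (1ULL << 0)
#define PTE_PS       (1ULL << 7)        /* large page when set in a PDPTE (1 GiB) or PDE (2 MiB) */
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL

/* Constructed stand-in for physical memory: 8 frames of 4 KiB, addressed by frame << 12. */
#define NFRAMES 8
static uint64_t phys[NFRAMES][PAGE_SIZE / sizeof(uint64_t)];

static uint64_t *frame(uint64_t pa) { return phys[(pa & PTE_PFN_MASK) >> PAGE_SHIFT]; }

/* 9-bit index into the table at a level: 3 = PML4, 2 = PDPT, 1 = PD, 0 = PT. */
static unsigned idx(uint64_t va, int level) { return (unsigned)((va >> (PAGE_SHIFT + 9 * level)) & 0x1FF); }

/* Walks the tables under cr3 for va. On a hit returns true with *pa set and *granule the mapping size
 * (4 KiB, 2 MiB or 1 GiB). On a miss returns false with *granule the size of the hole covered by the
 * absent entry, so a caller can skip the whole hole in one step instead of probing page by page. */
static bool translate(uint64_t cr3, uint64_t va, uint64_t *pa, uint64_t *granule) {
    uint64_t table = cr3 & PTE_PFN_MASK;
    for (int level = 3; level >= 0; level--) {
        uint64_t e = frame(table)[idx(va, level)];
        uint64_t span = 1ULL << (PAGE_SHIFT + 9 * level);
        if (!(e & PTE_PRESENT)) { *granule = span; return false; }
        if (level == 0 || (level < 3 && (e & PTE_PS))) {   /* leaf: 4 KiB PTE, or large PDPTE/PDE */
            *pa = (e & PTE_PFN_MASK & ~(span - 1)) | (va & (span - 1));
            *granule = span;
            return true;
        }
        table = e & PTE_PFN_MASK;
    }
    return false;
}

struct region { uint64_t base, size; };

/* VirtualQueryEx-like enumeration driven only by the page tables: returns the runs of present
 * pages in [start, end), coalescing adjacent mappings whatever their granule. No handle involved. */
static size_t enumerate_present(uint64_t cr3, uint64_t start, uint64_t end, struct region *out, size_t max) {
    size_t n = 0;
    uint64_t va = start;
    while (va < end) {
        uint64_t pa, granule;
        if (!translate(cr3, va, &pa, &granule)) {
            va = (va & ~(granule - 1)) + granule;          /* hole: jump past the absent entry's range */
            continue;
        }
        uint64_t step = granule - (va & (granule - 1));    /* up to the end of this mapping */
        if (step > end - va) step = end - va;
        if (n > 0 && out[n - 1].base + out[n - 1].size == va) out[n - 1].size += step;
        else if (n < max) out[n++] = (struct region){ va, step };
        else break;
        va += step;
    }
    return n;
}

/* Builds the constructed address space: 4 KiB pages at 0x1000, 0x2000 and 0x5000 (hole at
 * 0x3000-0x4FFF) and one 2 MiB large page at 0x200000. Returns the CR3 value (PML4 in frame 0). */
static uint64_t build_tables(void) {
    const uint64_t pml4 = 0ULL << PAGE_SHIFT, pdpt = 1ULL << PAGE_SHIFT,
                   pd = 2ULL << PAGE_SHIFT, pt = 3ULL << PAGE_SHIFT;
    memset(phys, 0, sizeof phys);
    frame(pml4)[0] = pdpt | PTE_PRESENT;
    frame(pdpt)[0] = pd | PTE_PRESENT;
    frame(pd)[0]   = pt | PTE_PRESENT;                         /* 0x000000-0x1FFFFF via 4 KiB PTEs */
    frame(pd)[1]   = 0x40000000ULL | PTE_PS | PTE_PRESENT;    /* 0x200000-0x3FFFFF: one 2 MiB page */
    frame(pt)[1]   = (4ULL << PAGE_SHIFT) | PTE_PRESENT;       /* VA 0x1000 -> frame 4 */
    frame(pt)[2]   = (5ULL << PAGE_SHIFT) | PTE_PRESENT;       /* VA 0x2000 -> frame 5 */
    frame(pt)[5]   = (6ULL << PAGE_SHIFT) | PTE_PRESENT;       /* VA 0x5000 -> frame 6 */
    return pml4;
}

static struct region regions[8];

/* Builds the sample tables, enumerates the first 4 MiB and returns the region count (details in regions[]). */
static size_t demo_regions(void) {
    return enumerate_present(build_tables(), 0, 0x400000, regions, 8);
}

/* Physical address for va in the sample space, or 0 on a miss (no sample mapping uses PA 0). */
static uint64_t va_to_pa(uint64_t va) {
    uint64_t pa, granule;
    return translate(build_tables(), va, &pa, &granule) ? pa : 0;
}

int main(void) {
    size_t n = demo_regions();
    for (size_t i = 0; i < n; i++)
        printf("present: 0x%06llx + 0x%06llx\n", (unsigned long long)regions[i].base, (unsigned long long)regions[i].size);
    return 0;
}
```

Run stand-alone it lists three runs: 0x1000 for 0x2000 bytes, 0x5000 for 0x1000 bytes, and the 2 MiB page at 0x200000. The hole-skipping in translate() is what keeps a walk over a 48-bit address space tractable: an absent PML4 entry rules out 512 GiB in a single read.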