MantisBT - Cheat Engine
View Issue Details
0000408Cheat Engine(No Category)public2015-09-21 16:162015-09-22 11:47
Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
PlatformOSOS Version
Summary0000408: dark byte x64 patchguard disable mode IDT debug hook possible?
Descriptioncheat engine source debugger.c
_declspec( naked ) void interrupt1_asmentry( void )
windows x32 IDT HOOK CODE

windows x64 IDT HOOKING CODE POSSIBLE?(PatchGuard Disable Mode)

And Debug Option

Use windows debugger,veh,kernelmode

possible only kernel-mode options?

Is it possible to bypass the debug detected by IDT hooking without the dbvm

TagsNo tags attached.
Attached Filespng qq.png (105,356) 2015-09-21 16:16

png bsod.png (181,501) 2015-09-22 11:44

2015-09-21 16:21   
x64 computer

debug kernelmode option -> DBVM NOT LOAD ->DEBUG START -> SYSTEM BSOD?

safe options Suggested

safe option -> DBVM NOT LOAD ->DEBUG NOT START -> Safe Messagebox
2015-09-21 16:29   
lua command dbk_writesIgnoreWriteProtection(true)

Lua functions can be added to the command as shown above?

Not possible, I will not question anymore
Dark Byte   
2015-09-21 17:17   
(Last edited: 2015-09-21 17:22)
the interrupt hooker in the driver has a check for dbvm. Just ignore that and it'll fall back on IDT hooking

but keep in mind that anti reverse engineering tools and anti cheats check the idt for tampering first (you may be able to hook the address the original idt points to, but you'll have to adjust the code to deal with that yourself)

2015-09-21 19:10   


debug option

windows debugger,try to prevent check

TBreakOption = (bo_Break = 0, bo_ChangeRegister = 1, bo_FindCode = 2, bo_FindWhatCodeAccesses = 3, bo_BreakAndTrace=4, bo_OnBreakpoint=5);

Find out what addresses this instruction accesses(3)

TitanHide Driver Load Pid Fake Option Check

Find out what addresses this instruction accesses(3) <-Not Detect
bo_ChangeRegister <-Detect
bo_FindCode <-Detect
bo_BreakAndTrace <Detect
bo_OnBreakpoint <-Detect

If the other options are all hidden in TitanHide detected

Driver Source Debugger.c Fake Dr7? Dr0~3?

How Does it not also detect other accessibility features?
2015-09-21 19:17   
windows Debug is going to be detected should not be the case where ring0 ssdt hooking?

TitanHide Option All Check Debug Test[Windows Debugger]
ProcessDebugFlags (NtQueryInformationProcess)
ProcessDebugPort (NtQueryInformationProcess)
ProcessDebugObjectHandle (NtQueryInformationProcess)
DebugObject (NtQueryObject)
SystemKernelDebuggerInformation (NtQuerySystemInformation)
ThreadHideFromDebugger (NtSetInformationThread)
Protect DRx (HW BPs) (NtSetContextThread)

Find out what addresses this instruction accesses <-Not Detect

Other Change Register,Debugger Find,break,findcode,trace,Onbreak <-Detect

Is it possible to modify the source Cheat Engine?

Or it does need to hook the ssdt apart from titanhide?
2015-09-22 11:44   
DBVM Not Load ->F5 Attack Debug
->System Freeze -> BSOD
DBVM LOAD -> F5 Attack Debug
->Process Success NOT BSOD

DBVM Not Load Global Debug Routines
Check IDT HOOKing Error?
Driver.sys Memory Code Information
mov eax,Dr7 BSOD

2015-09-22 11:47   
Global Debug(DBVM NoT load) BSOD Safe Option

can you add options?

Do IDT x64 HOOKING example?

Issue History
2015-09-21 16:16pausebreak7New Issue
2015-09-21 16:16pausebreak7File Added: qq.png
2015-09-21 16:21pausebreak7Note Added: 0000868
2015-09-21 16:29pausebreak7Note Added: 0000869
2015-09-21 17:17Dark ByteNote Added: 0000870
2015-09-21 17:22Dark ByteNote Edited: 0000870bug_revision_view_page.php?bugnote_id=870#r113
2015-09-21 19:10pausebreak7Note Added: 0000871
2015-09-21 19:17pausebreak7Note Added: 0000872
2015-09-22 11:44pausebreak7Note Added: 0000873
2015-09-22 11:44pausebreak7File Added: bsod.png
2015-09-22 11:47pausebreak7Note Added: 0000874
2016-02-29 11:30Carter GreatshowIssue cloned: 0000445