2018-07-23 13:24 CEST

ID: 0000408
Project: Cheat Engine
Category: (No Category)
View Status: public
Last Update: 2015-09-22 11:47
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Summary: 0000408: dark byte x64 patchguard disable mode IDT debug hook possible?
Description: cheat engine source debugger.c
_declspec( naked ) void interrupt1_asmentry( void )
windows x32 IDT HOOK CODE

windows x64 IDT HOOKING CODE POSSIBLE?(PatchGuard Disable Mode)

And Debug Option

Use windows debugger,veh,kernelmode

possible only kernel-mode options?

Is it possible to bypass the debug detected by IDT hooking without the dbvm

Tags: No tags attached.
Attached Files
  • qq.png (105,356 bytes) 2015-09-21 16:16
  • bsod.png (181,501 bytes) 2015-09-22 11:44




pausebreak7 (reporter)

x64 computer

debug kernelmode option -> DBVM NOT LOAD ->DEBUG START -> SYSTEM BSOD?

safe options Suggested

safe option -> DBVM NOT LOAD ->DEBUG NOT START -> Safe Messagebox


pausebreak7 (reporter)

lua command dbk_writesIgnoreWriteProtection(true)

Lua functions can be added to the command as shown above?

Not possible, I will not question anymore


Dark Byte (developer)

Last edited: 2015-09-21 17:22


the interrupt hooker in the driver has a check for dbvm. Just ignore that and it'll fall back on IDT hooking

but keep in mind that anti reverse engineering tools and anti cheats check the idt for tampering first (you may be able to hook the address the original idt points to, but you'll have to adjust the code to deal with that yourself)
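
The IDT tampering check mentioned in the note above, sketched as an added example that is not part of the original thread or of Cheat Engine's source: it decodes a 16-byte x64 gate descriptor and flags a handler that points outside the kernel image. The function names, the image base and size, and both sample gates are assumptions constructed for illustration.

```c
#include <stdint.h>

/* Hypothetical names; layout is the 16-byte x64 interrupt/trap gate. */
typedef struct {
    uint64_t handler;              /* offset 15:0 | 31:16 | 63:32 */
    uint16_t selector;
    uint8_t  ist, type, dpl, present;
} idt_gate;

enum { IDT_OUT_OF_IMAGE = 1, IDT_BAD_TYPE = 2, IDT_NOT_PRESENT = 4 };

static uint64_t rd_le(const uint8_t *p, int n) {   /* little-endian read */
    uint64_t v = 0;
    for (int i = n - 1; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

idt_gate idt_decode(const uint8_t raw[16]) {
    idt_gate g;
    g.handler  = rd_le(raw, 2) | (rd_le(raw + 6, 2) << 16) | (rd_le(raw + 8, 4) << 32);
    g.selector = (uint16_t)rd_le(raw + 2, 2);
    g.ist      = raw[4] & 0x7;
    g.type     = raw[5] & 0xF;     /* 0xE interrupt gate, 0xF trap gate */
    g.dpl      = (raw[5] >> 5) & 0x3;
    g.present  = raw[5] >> 7;
    return g;
}

/* 0 = gate looks untouched; otherwise a bitmask of findings. */
int idt_check(const uint8_t raw[16], uint64_t img_base, uint64_t img_size) {
    idt_gate g = idt_decode(raw);
    int f = 0;
    if (g.handler < img_base || g.handler - img_base >= img_size) f |= IDT_OUT_OF_IMAGE;
    if (g.type != 0xE && g.type != 0xF) f |= IDT_BAD_TYPE;
    if (!g.present) f |= IDT_NOT_PRESENT;
    return f;
}

/* Constructed sample data: made-up kernel image range and vector 1 gates. */
#define KBASE 0xFFFFF80002A00000ULL
#define KSIZE 0x5E0000ULL
static const uint8_t SAMPLE_CLEAN[16] = {0x40,0x53,0x10,0x00,0x00,0x8E,0xA7,0x02,0x00,0xF8,0xFF,0xFF,0,0,0,0};
static const uint8_t SAMPLE_MOVED[16] = {0x00,0x10,0x10,0x00,0x00,0x8E,0xC4,0x03,0x80,0xF8,0xFF,0xFF,0,0,0,0};

int main(void) {
    /* exit status 0 when the clean gate passes and the moved one is flagged */
    return !(idt_check(SAMPLE_CLEAN, KBASE, KSIZE) == 0 &&
             idt_check(SAMPLE_MOVED, KBASE, KSIZE) == IDT_OUT_OF_IMAGE);
}
```

A gate that passes this range check says nothing about the code at the handler address itself; a checker would compare those bytes against the on-disk kernel image to cover that case.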


pausebreak7 (reporter)



debug option

windows debugger,try to prevent check

TBreakOption = (bo_Break = 0, bo_ChangeRegister = 1, bo_FindCode = 2, bo_FindWhatCodeAccesses = 3, bo_BreakAndTrace=4, bo_OnBreakpoint=5);

Find out what addresses this instruction accesses(3)

TitanHide Driver Load Pid Fake Option Check

Find out what addresses this instruction accesses(3) <-Not Detect
bo_ChangeRegister <-Detect
bo_FindCode <-Detect
bo_BreakAndTrace <-Detect
bo_OnBreakpoint <-Detect

If the other options are all hidden in TitanHide detected

Driver Source Debugger.c Fake Dr7? Dr0~3?

How Does it not also detect other accessibility features?


pausebreak7 (reporter)

windows Debug is going to be detected should not be the case where ring0 ssdt hooking?

TitanHide Option All Check Debug Test[Windows Debugger]
ProcessDebugFlags (NtQueryInformationProcess)
ProcessDebugPort (NtQueryInformationProcess)
ProcessDebugObjectHandle (NtQueryInformationProcess)
DebugObject (NtQueryObject)
SystemKernelDebuggerInformation (NtQuerySystemInformation)
ThreadHideFromDebugger (NtSetInformationThread)
Protect DRx (HW BPs) (NtSetContextThread)

Find out what addresses this instruction accesses <-Not Detect

Other Change Register,Debugger Find,break,findcode,trace,Onbreak <-Detect

Is it possible to modify the source Cheat Engine?

Or it does need to hook the ssdt apart from titanhide?


pausebreak7 (reporter)

DBVM Not Load ->F5 Attack Debug
->System Freeze -> BSOD
DBVM LOAD -> F5 Attack Debug
->Process Success NOT BSOD

DBVM Not Load Global Debug Routines
Check IDT HOOKing Error?
Driver.sys Memory Code Information
mov eax,Dr7 BSOD



pausebreak7 (reporter)

Global Debug(DBVM NoT load) BSOD Safe Option

can you add options?

Do IDT x64 HOOKING example?

Issue History
Date Modified Username Field Change
2015-09-21 16:16 pausebreak7 New Issue
2015-09-21 16:16 pausebreak7 File Added: qq.png
2015-09-21 16:21 pausebreak7 Note Added: 0000868
2015-09-21 16:29 pausebreak7 Note Added: 0000869
2015-09-21 17:17 Dark Byte Note Added: 0000870
2015-09-21 17:22 Dark Byte Note Edited: 0000870
2015-09-21 19:10 pausebreak7 Note Added: 0000871
2015-09-21 19:17 pausebreak7 Note Added: 0000872
2015-09-22 11:44 pausebreak7 Note Added: 0000873
2015-09-22 11:44 pausebreak7 File Added: bsod.png
2015-09-22 11:47 pausebreak7 Note Added: 0000874
2016-02-29 11:30 Carter Greatshow Issue cloned: 0000445