2017-12-13 21:43 CET

ID: 0000374
Project: Cheat Engine
Category: (No Category)
View Status: public
Last Update: 2015-02-23 23:22
Reporter: pausebreak7
Assigned To: Dark Byte
Priority: none
Severity: minor
Reproducibility: N/A
Status: resolved
Resolution: fixed
Summary: 0000374: Dark Byte Cheat engine X64 kernel Memory Edit Impossible?

Description:
Process Protect Kernel Driver Memory Fix -> BSOD

ObRegisterCallbacks

Is a Cheat Engine kernel edit impossible?

Kernel memory edit -> JMP or NOP -> BSOD

But with Win64AST, Kernel Explorer and PCHunter (XueTr), editing the ObRegisterCallbacks is possible.

Is Cheat Engine not able to modify kernel memory?

Tags: No tags attached.
Attached Files:

Notes

~0000759

pausebreak7 (reporter)

Win64AST technology

Is this possible in Cheat Engine?

~0000760

Dark Byte (developer)

You need to disable PatchGuard first; it will BSOD you when kernel-mode memory gets changed.
Try out KPP Destroyer: http://forum.cheatengine.org/viewtopic.php?t=573311

~0000761

pausebreak7 (reporter)

Last edited: 2015-02-21 20:45

PatchGuard-on system test
(no PatchGuard-disabling setup)

Standard Windows 7 64-bit OS

Win64AST modify -> no BSOD

Cheat Engine kernel edit -> BSOD

ObRegisterCallbacks Cheat Engine kernel memory edit fails

Test info:

PatchGuard ON system

Original Windows 7 64-bit

------------------------------
Win64AST modify:

xor eax,eax
ret

No blue screen
------------------------------

Test Win64AST file

Win64AST -> http://pan.baidu.com/s/1o6MDJmE

.NET Framework 4.0 -> http://pan.baidu.com/s/1bnnitIJ

http://m5home.blog.163.com/blog/static/2091221812012760245552

~0000762

pausebreak7 (reporter)

Is the Cheat Engine technique impossible?

Please answer, Dark Byte.

~0000764

Dark Byte (developer)

What is the BSOD you get? (details)
Try editing the physical memory of that page instead.

~0000766

pausebreak7 (reporter)

Last edited: 2015-02-21 23:56

Dark Byte, genius, thanks

-My test: success, or a small bug-

1. Load dbk.sys, open my Cheat Engine target and go to the driver memory address (screenshot)
   Driver address: 0xfffff8800cf50880
   Physical address: 41DA7A880

2. Go to the physical address 41DA7A880 -> memory view: ?? ?? ?? ??

3. Click "Open physical memory" in the process list -> 41DA7A880 -> memory view: 48 89 54 10

4. Edit the physical memory with NOP -> no BSOD, kernel memory change successful

-small bug?-
5. Change the process, reopen my Cheat Engine process
   -> kernel memory 0xfffff8800cf50880 memory view -> ?? ?? ?? ??
(After selecting the process again, the kernel driver address memory is not visible)

*Does this fix require selecting "Open physical memory"?

~0000767

Dark Byte (developer)

Last edited: 2015-02-22 01:06

Sometimes you need to change to a process multiple times for it to fix itself.
Physical memory is mainly used in a second instance of CE next to another one (so usually this isn't required).

And this is why BSOD information helps instead of saying it just BSODs. My guess is that you get a "page fault in nonpaged area" exception instead of an integrity violation error.
You can bypass that without physical memory by editing the page table entry and marking it writable before writing.

In your example:
0xfffff8800cf50880 has its page table entry at (in Win7):

0xfffff68000000000 + (((0xfffff8800cf50880 & 0x0000ffffffffffff) >> 0xc) * 8) = 0xFFFFF6FC40067A80

There, change bit 1 (the second bit) to 1.

~0000768

pausebreak7 (reporter)

Where do I modify the code?

Edit the Cheat Engine source MemoryBrowserFormUnit.pas?

~0000769

Dark Byte (developer)

Last edited: 2015-02-22 02:29

Best in the driver, but you can do it in the memory browser as well, or write a hook on writeProcessMemory (you can even fix it with Lua using a WPM hook).

Before you write to an address do the calculation: PTE = $fffff68000000000 + (((address and $0000ffffffffffff) shr 12) * 8)
Then read the byte from that address and set bit 1 to true: bytevalue := bytevalue or 2; and write that to the page table entry.
Then you can write the page.

In the driver you might also be able to just unset the WP bit (bit 16) in CR0, so it won't generate write-protect page faults in kernel mode, but you must disable interrupts before doing that (cli) and when done restore them (sti).
And make sure you restore the WP bit in CR0 back to the original state.

~0000770

pausebreak7 (reporter)

Last edited: 2015-02-22 09:54

I temporarily resolved it.

The PTE is okay, but the driver source code I'll never understand.

Where do I modify the code? (DBKDrvr.c? memscan.c? IOPLDispatcher.c?)

"Generate write-protect page faults in kernel mode" -> how do I create that source code?

Dark Byte, thanks

~0000771

Dark Byte (developer)

memscan.c has a writeProcessMemory function. you can do that there

~0000772

pausebreak7 (reporter)

Blue screen bug check 0xBE: ATTEMPTED_WRITE_TO_READONLY_MEMORY

Where does the code need to be modified?

disableInterrupts() -> enable?

vmx_disable_dataPageFaults -> enable?


---------------------
if (loadedbydbvm) //add an extra safety wrapper around it
{
    disableInterrupts();
    vmx_disable_dataPageFaults();
}
RtlCopyMemory(target, source, Size);
ntStatus = STATUS_SUCCESS;
if (loadedbydbvm)
{
    UINT_PTR lastError;
    lastError = vmx_getLastSkippedPageFault();
    vmx_enable_dataPageFaults();
    enableInterrupts();
    DbgPrint("lastError=%p\n", lastError);
    if (lastError)
        ntStatus = STATUS_UNSUCCESSFUL;
}

~0000773

Dark Byte (developer)

Last edited: 2015-02-22 11:54

Outside of the vmx related parts:

disableInterrupts()
setCR0(getCR0() & (~(1<<16)))

writetothememory (rtlcopymemory might not function)

setCR0(getCR0() | (1<<16))
enableInterrupts()

~0000774

pausebreak7 (reporter)

Last edited: 2015-02-22 12:40

Blue screen screenshot image uploaded.

Do I compile this code?

if (loadedbydbvm) //add an extra safety wrapper around it as the PF will not be handled
{
    disableInterrupts();
    setCR0(getCR0() & (~(1<<16)));
    vmx_disable_dataPageFaults();
}
for (i = 0; i < Size; i++)
{
    target[i] = source[i];
}
ntStatus = STATUS_SUCCESS;
if (loadedbydbvm)
{
    UINT_PTR lastError;
    lastError = vmx_getLastSkippedPageFault();
    vmx_enable_dataPageFaults();
    setCR0(getCR0() | (1<<16));
    enableInterrupts();
    DbgPrint("lastError=%p\n", lastError);
    if (lastError)
        ntStatus = STATUS_UNSUCCESSFUL;
}

~0000775

Dark Byte (developer)

Last edited: 2015-02-22 13:36

I said to put it outside of the VMX-related parts, yet you put it in the VMX-only part.
Move it out of there, as the VMX hasn't force-loaded the driver (loadedbydbvm is false).

~0000776

pausebreak7 (reporter)

Last edited: 2015-02-22 15:24

Dark Byte, sorry.

I don't know how to solve it.

Do you know for certain where to modify the source?

Sorry, I don't know for sure.

Can you upload the modified memscan.c file?

------------------- Write Process Memory -----------
BOOLEAN WriteProcessMemory(DWORD PID, PEPROCESS PEProcess, PVOID Address, DWORD Size, PVOID Buffer)
{
    PEPROCESS selectedprocess = PEProcess;
    KAPC_STATE apc_state;
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;

    if (selectedprocess == NULL)
    {
        //DbgPrint("WriteProcessMemory:Getting PEPROCESS\n");
        if (!NT_SUCCESS(PsLookupProcessByProcessId((PVOID)(UINT_PTR)PID, &selectedprocess)))
            return FALSE; //couldn't get the PID
        //DbgPrint("Retrieved peprocess");
    }
    //selectedprocess now holds a valid peprocess value

    __try
    {
        UINT_PTR temp = (UINT_PTR)Address;
        RtlZeroMemory(&apc_state, sizeof(apc_state));
        KeAttachProcess((PEPROCESS)selectedprocess);
        __try
        {
            char* target;
            char* source;
            unsigned int i;
            //DbgPrint("Checking safety of memory\n");
            if ((IsAddressSafe((UINT_PTR)Address)) && (IsAddressSafe((UINT_PTR)Address + Size - 1)))
            {
                //still here, then I guess it's safe to write. (But I can't be 100% sure though, it's still the user's problem if he accesses memory that doesn't exist)
                target = Address;
                source = Buffer;
                if (loadedbydbvm) //add an extra safety wrapper around it as the PF will not be handled
                {
                    disableInterrupts();
                    vmx_disable_dataPageFaults();
                }
                for (i = 0; i < Size; i++)
                {
                    target[i] = source[i];
                }
                ntStatus = STATUS_SUCCESS;
                if (loadedbydbvm)
                {
                    UINT_PTR lastError;
                    lastError = vmx_getLastSkippedPageFault();
                    vmx_enable_dataPageFaults();
                    enableInterrupts();
                    DbgPrint("lastError=%p\n", lastError);
                    if (lastError)
                        ntStatus = STATUS_UNSUCCESSFUL;
                }
            }
        }
        __finally
        {
            KeDetachProcess();
        }
    }
    __except(1)
    {
        //DbgPrint("Error while writing\n");
        ntStatus = STATUS_UNSUCCESSFUL;
    }

    if (PEProcess == NULL) //no valid peprocess was given so I made a reference, so let's also dereference
        ObDereferenceObject(selectedprocess);

    return NT_SUCCESS(ntStatus);
}

~0000777

Dark Byte (developer)

Change CR0 and disable interrupts before the for loop, and change CR0 back and re-enable interrupts after the for loop.
Stay out of loadedbydbvm.

~0000778

pausebreak7 (reporter)

Dark Byte Thank you!

I solved the problem 100%

I am honored to know a great person like you.

Thank you for your answer for a long time ^^

Issue History
Date Modified Username Field Change
2015-02-21 13:46 pausebreak7 New Issue
2015-02-21 13:46 pausebreak7 File Added: hmm.png
2015-02-21 13:59 pausebreak7 Note Added: 0000759
2015-02-21 13:59 pausebreak7 File Added: win64ast.png
2015-02-21 18:51 Dark Byte Note Added: 0000760
2015-02-21 20:29 pausebreak7 File Added: testS.png
2015-02-21 20:32 pausebreak7 Note Added: 0000761
2015-02-21 20:34 pausebreak7 Note Edited: 0000761 View Revisions
2015-02-21 20:36 pausebreak7 Note Edited: 0000761 View Revisions
2015-02-21 20:39 pausebreak7 Note Added: 0000762
2015-02-21 20:43 pausebreak7 Note Edited: 0000761 View Revisions
2015-02-21 20:45 pausebreak7 Note Edited: 0000761 View Revisions
2015-02-21 22:28 Dark Byte Note Added: 0000764
2015-02-21 23:44 pausebreak7 Note Added: 0000766
2015-02-21 23:44 pausebreak7 File Added: Thanks.png
2015-02-21 23:56 pausebreak7 Note Edited: 0000766 View Revisions
2015-02-22 00:23 Dark Byte Note Added: 0000767
2015-02-22 00:23 Dark Byte Note Edited: 0000767 View Revisions
2015-02-22 00:46 pausebreak7 Note Added: 0000768
2015-02-22 01:06 Dark Byte Note Edited: 0000767 View Revisions
2015-02-22 01:10 Dark Byte Note Added: 0000769
2015-02-22 01:11 Dark Byte Note Edited: 0000769 View Revisions
2015-02-22 01:12 Dark Byte Note Edited: 0000769 View Revisions
2015-02-22 01:13 Dark Byte Note Edited: 0000769 View Revisions
2015-02-22 01:13 Dark Byte Note Edited: 0000769 View Revisions
2015-02-22 01:18 Dark Byte Note Edited: 0000769 View Revisions
2015-02-22 02:15 Dark Byte Note Edited: 0000769 View Revisions
2015-02-22 02:29 Dark Byte Note Edited: 0000769 View Revisions
2015-02-22 09:35 pausebreak7 Note Added: 0000770
2015-02-22 09:36 pausebreak7 Note Edited: 0000770 View Revisions
2015-02-22 09:54 pausebreak7 Note Edited: 0000770 View Revisions
2015-02-22 10:49 Dark Byte Note Added: 0000771
2015-02-22 11:45 pausebreak7 Note Added: 0000772
2015-02-22 11:52 Dark Byte Note Added: 0000773
2015-02-22 11:52 Dark Byte Note Edited: 0000773 View Revisions
2015-02-22 11:54 Dark Byte Note Edited: 0000773 View Revisions
2015-02-22 12:17 pausebreak7 Note Added: 0000774
2015-02-22 12:39 pausebreak7 File Added: bluescreen.png
2015-02-22 12:40 pausebreak7 Note Edited: 0000774 View Revisions
2015-02-22 13:35 Dark Byte Note Added: 0000775
2015-02-22 13:36 Dark Byte Note Edited: 0000775 View Revisions
2015-02-22 15:20 pausebreak7 Note Added: 0000776
2015-02-22 15:24 pausebreak7 Note Edited: 0000776 View Revisions
2015-02-23 01:10 Dark Byte Note Added: 0000777
2015-02-23 08:37 pausebreak7 Note Added: 0000778
2015-02-23 23:22 Dark Byte Status new => resolved
2015-02-23 23:22 Dark Byte Resolution open => fixed
2015-02-23 23:22 Dark Byte Assigned To => Dark Byte