Cheat Engine

[Deltron Z]

I'm creating a process using CreateProcess with DEBUG_PROCESS parameter to debug it. I'm not sure what I'm doing wrong, but I have a few problems.
One of them is that I can't set INT 3 at an address, let's say CreateEventA, however I can write memory to an address within the module address range. why when I'm trying to Virtual Protect a Win32 API from Kernel32 it fails with error INVALID_ADDRESS? (487)
And the other problem is when I use ImageLoad - I can get the informatin but the image isn't really loaded to the memory, because the addresses doesn't exist. if I load notepad.exe then when I'm trying to access the IAT for instance, I get an error since the memory is empty there. (something like 0x0100XXXX) And when I'm trying to load anything else with image base 0x00400000 then obviously something is wrong since the addresses cross, and if I use LoadLibrary I get 0x00520000 or so.

I guess I'm using ImageLoad wrong, but the debugging problem is more important because ImageLoad is useless without it.

Thanks.

[Dark Byte]

You have to wait till you get the loadlibrary event of the executable (or dll that you want to place the bp at)

[Deltron Z]

So when I create a process with DEBUG_PROCESS it doesn't break at the entry point? so that brings me back to the ImageLoad question - there won't be any problems getting the RVA of the entry point using ImageLoad, right? but I'm still not sure I'm getting it right - what does ImageLoad do exacly if it doesn't load the library into the memory? I mean, how can I access the IAT then? reading with ReadProcessMemory and the RVA's the VA's and then reading from these VA's once again?

And I have another question now - when I resume the thread I get an error since I overwritten the instruction with 0xCC - INT 3. what should I do to "step" in code? EIP - 1 + re-write original code, would that work?

Thanks a lot for the very quick answer!

[Dark Byte]

Yes, it'll break somewhere at the image loader of windows.

I recommend getting the base address from the load library debug event and from there get the entry point and exports

[Deltron Z]

I tried something out - but I get an error when breaking at the entry point for a second and then resuming the process.
I've set a breakpoint, 0xCC at the entry point, restored it once breakpoint occurred and after resuming the thread I've got the same error that I'm getting when I set EIP to EIP - 1.
What am I doing wrong?

Oh and, about the load library - how am I supposed to break there if kernel32.dll isn't loaded? and how would I get the entry point from that? I've already gotten it by using ImageLoad.

[Dark Byte]

to continue from an int3 breakpoints:
eip-1
restore the original byte
set the trap flag in the eflags register
resume, and wait till it breaks again (next instruction)
set 0xcc back


Also, keep in mind that some breaks are not caused by your debugger, but they are there by default in windows. You need to let them continue normally (handled or not)


as for kernel32.dll, it will eventually be loaded, and when that event happens, you can set a breakpoint in there. (and thats the time you call ImageLoad as well, NOT before)

Actually, I don't think ImageLoad is useful for a debugger, I suggest SymLoadModule

[Deltron Z]

That's what I did before, but the problem was becuase I resumed the thread before calling ContinueDebugEvent.
I called it before resuming and it works perfectly fine now.

It sounds pretty complicated, maybe a little too complicated for what I want... I guess if I'd use DLL Injection method instead it'd be a lot easier and much shorter codes.
However, a debugger is interesting, I might event try and do some stuff to experience it. SymLoadModule seems even more complicated than ImageLoad which seems pretty simple and very useful.

Anyway - thanks a lot for your help.