Driver BSOD on DBKSuspendProcess
pkedpker
Master Cheater
Reputation: 1

Joined: 11 Oct 2006
Posts: 412

Posted: Wed Feb 10, 2010 2:44 am    Post subject: Driver BSOD on DBKSuspendProcess

Hey, sorry for asking so many questions, probably stupid ones too.

I'd like to say I downloaded Cheat Engine 5.3, I believe, which had those labels that let you suspend a process / threads using the driver.

Which works very nicely; just tested on calc.exe.


Now I decided to remove nearly everything, only leave dbk32.dll + driver, and start my GUI from scratch; figured it would be easier. All going good and so far undetected OP/RPM/WPM.

When I ported over the DBKSuspendThread / DBKResumeThread / DBKSuspendProcess / DBKResumeProcess,

as soon as I suspend a process the computer freezes and 2-3 seconds later the BSOD happens.

driver_irql_not_less_or_equal

I don't know why it works on one and not on the other.

The driver, which was compiled on the working version of CE, was copy-pasted into this new project.

I added the exports like this to dbk32.dpr using Notepad:
Code:
exports xxxxxxx18;//DBKSuspendThread
exports xxxxxxx19;//DBKResumeThread
exports xxxxxxx20;//DBKSuspendProcess
exports xxxxxxx21;//DBKResumeProcess


The functions look like this:

Code:
// Suspends one thread: sends the thread ID to the driver as IOCTL function $0822.
// The same dword x is used as the input buffer and as the bytes-returned out parameter.
function {DBKSuspendThread}xxxxxxx18(ThreadID:dword):boolean; stdcall;
var cc,x: dword;
begin
  result:=false;
  x:=ThreadId;
  if (hdevice<>INVALID_HANDLE_VALUE) then
  begin
    cc:=CTL_CODE(IOCTL_UNKNOWN_BASE, $0822, METHOD_BUFFERED, FILE_READ_ACCESS or FILE_WRITE_ACCESS);
    result:=deviceiocontrol(hdevice,cc,@x,sizeof(x),nil,0,x,nil);
  end;
end;

// Resumes one thread: IOCTL function $0823.
function {DBKResumeThread}xxxxxxx19(ThreadID:dword):boolean; stdcall;
var cc,x: dword;
begin
  result:=false;
  x:=threadid;
  if (hdevice<>INVALID_HANDLE_VALUE) then
  begin
    cc:=CTL_CODE(IOCTL_UNKNOWN_BASE, $0823, METHOD_BUFFERED, FILE_READ_ACCESS or FILE_WRITE_ACCESS);
    result:=deviceiocontrol(hdevice,cc,@x,sizeof(x),nil,0,x,nil);
  end;
end;

// Suspends every thread of a process: sends the process ID as IOCTL function $0824.
function {DBKSuspendProcess}xxxxxxx20(ProcessID:dword):boolean; stdcall;
var cc,x: dword;
begin
  result:=false;
  x:=ProcessID;
  if (hdevice<>INVALID_HANDLE_VALUE) then
  begin
    cc:=CTL_CODE(IOCTL_UNKNOWN_BASE, $0824, METHOD_BUFFERED, FILE_READ_ACCESS or FILE_WRITE_ACCESS);
    result:=deviceiocontrol(hdevice,cc,@x,sizeof(x),nil,0,x,nil);
  end;
end;

// Resumes every thread of a process: IOCTL function $0825.
function {DBKResumeProcess}xxxxxxx21(ProcessID:dword):boolean; stdcall;
var cc,x: dword;
begin
  result:=false;
  x:=ProcessID;
  if (hdevice<>INVALID_HANDLE_VALUE) then
  begin
    cc:=CTL_CODE(IOCTL_UNKNOWN_BASE, $0825, METHOD_BUFFERED, FILE_READ_ACCESS or FILE_WRITE_ACCESS);
    result:=deviceiocontrol(hdevice,cc,@x,sizeof(x),nil,0,x,nil);
  end;
end;


To the main CE project's NewKernelHandler I added:
Code:
type TDBKSuspendThread=function(ThreadID:dword):boolean; stdcall;
type TDBKResumeThread=function(ThreadID:dword):boolean; stdcall;
type TDBKSuspendProcess=function(ProcessID:dword):boolean; stdcall;
type TDBKResumeProcess=function(ProcessID:dword):boolean; stdcall;

Under var I added the instances:
Code:
  DBKSuspendThread        :TDBKSuspendThread;
  DBKResumeThread         :TDBKResumeThread;
  DBKSuspendProcess       :TDBKSuspendProcess;
  DBKResumeProcess        :TDBKResumeProcess;

Under the loader for dbk32.dll (the module handle variable is kern in all four lookups; the original had a kernl typo in the second one):
Code:
  DBKSuspendThread:=GetProcAddress(kern,'xxxxxxx18');
  DBKResumeThread:=GetProcAddress(kern,'xxxxxxx19');

  DBKSuspendProcess:=GetProcAddress(kern,'xxxxxxx20');
  DBKResumeProcess:=GetProcAddress(kern,'xxxxxxx21');


Then in the project I did the exact same test with labels:

Code:
procedure TForm1.Label15Click(Sender: TObject);
begin
  dbksuspendprocess(xx81);//processId
end;


xx81 I debugged to be sure it's the processId with
ShowMessage('xx81='+IntToStr(xx81));
I got 1165, which in Calculator after going to hex mode matched the processId I checked with Task Manager, so it all matches.

Even DBKDrvr.c matches:

Code:
#define IOCTL_CE_SUSPENDPROCESS               CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0824, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)

with

Code:
cc:=CTL_CODE(IOCTL_UNKNOWN_BASE, $0824, METHOD_BUFFERED, FILE_READ_ACCESS or FILE_WRITE_ACCESS);



Sorry, but I really don't understand why this happens to me. Yeah, I haven't ever dealt with anything like this before, but I just can't seem to find anything wrong.

I downloaded WinDbg but have no idea how to use it. I tried to attach it to the UCE process and ran suspendprocess on calc; this time no BSOD, just the computer making beeping sounds non-stop lol.

_________________
Hacks I made for kongregate.
Kongregate Universal Badge Hack: http://forum.cheatengine.org/viewtopic.php?p=4129411
Kongregate Auto Rating/Voter hack: http://forum.cheatengine.org/viewtopic.php?t=263576
Took a test lol
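As an added example (not code from this thread or from Cheat Engine itself), the C program below reproduces the CTL_CODE arithmetic that the Delphi `$0824` line and the DBKDrvr.c `0x0824` define share, and decodes a packed code back into its fields, so an IOCTL value seen in a crash dump or a DeviceIoControl trace can be mapped back to the function number in DBKDrvr.c. It assumes IOCTL_UNKNOWN_BASE expands to FILE_DEVICE_UNKNOWN (0x22) and uses the WDK field layout.

```c
#include <stdint.h>
#include <stdio.h>

/* Field layout of the WDK CTL_CODE macro: device type (bits 31..16), required
 * access (15..14), function number (13..2) and buffering method (1..0). */
#define FILE_DEVICE_UNKNOWN 0x22u
#define METHOD_BUFFERED     0u
#define FILE_READ_ACCESS    0x1u
#define FILE_WRITE_ACCESS   0x2u
/* Assumption: IOCTL_UNKNOWN_BASE in DBKDrvr.c expands to FILE_DEVICE_UNKNOWN. */
#define IOCTL_UNKNOWN_BASE  FILE_DEVICE_UNKNOWN

struct ioctl_fields { uint32_t device, access, function, method; };
/* Same arithmetic as CTL_CODE(DeviceType, Function, Method, Access). */
uint32_t ctl_code(uint32_t device, uint32_t function, uint32_t method, uint32_t access)
{
    return (device << 16) | (access << 14) | (function << 2) | method;
}
/* Inverse of ctl_code: split a packed code seen in a dump or trace into fields. */
struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device   = (code >> 16) & 0xFFFFu;
    f.access   = (code >> 14) & 0x3u;
    f.function = (code >> 2)  & 0xFFFu;
    f.method   =  code        & 0x3u;
    return f;
}
/* Delphi passes $0822..$0825 and DBKDrvr.c 0x0822..0x0825 with the same base,
 * method and access, so both sides must produce identical packed codes. */
uint32_t dbk_code(uint32_t function)
{
    return ctl_code(IOCTL_UNKNOWN_BASE, function, METHOD_BUFFERED,
                    FILE_READ_ACCESS | FILE_WRITE_ACCESS);
}
int main(void)
{
    static const struct { const char *name; uint32_t fn; } table[] = {
        { "DBKSuspendThread",  0x0822 }, { "DBKResumeThread",  0x0823 },
        { "DBKSuspendProcess", 0x0824 }, { "DBKResumeProcess", 0x0825 },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        uint32_t code = dbk_code(table[i].fn);
        struct ioctl_fields f = decode_ioctl(code);
        printf("%-18s 0x%06X -> device=0x%02X access=%u function=0x%03X method=%u\n",
               table[i].name, code, f.device, f.access, f.function, f.method);
    }
    return 0;
}
```

The DBKSuspendProcess code comes out as 0x22E090 on both sides; if a dump shows a different value, decode_ioctl tells you which field (device, access, function or method) disagrees.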
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25788
Location: The netherlands

Posted: Wed Feb 10, 2010 9:10 am

dbksuspendprocess is an untested routine which makes use of the APC routine, which can be quite unpredictable.

Have you made sure that ProcesslistSL is being initialized?

Anyhow, you can edit threads.c and comment out specific blocks to find out where exactly it goes wrong.

Also, configure Windows to make full kernel dumps (at least), and then when it BSODs you can open the crash dump (memory.dmp) with WinDbg and see where the crash happened. (It helps if you compile as a checked driver.)

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping.
pkedpker
Master Cheater
Reputation: 1

Joined: 11 Oct 2006
Posts: 412

Posted: Fri Feb 19, 2010 12:57 am

Dark Byte wrote:
dbksuspendprocess is an untested routine which makes use of the APC routine, which can be quite unpredictable.

Have you made sure that ProcesslistSL is being initialized?

Anyhow, you can edit threads.c and comment out specific blocks to find out where exactly it goes wrong.

Also, configure Windows to make full kernel dumps (at least), and then when it BSODs you can open the crash dump (memory.dmp) with WinDbg and see where the crash happened. (It helps if you compile as a checked driver.)


Hey, I can't seem to figure out how to make sure ProcesslistSL is being initialized.

Does Cheat Engine have to send its process/thread list to the driver by running WaitForProcessListData, or is that when the driver is sending its list to Cheat Engine? And do I have to call StartProcessWatch for DBK32ProcessSuspend to work?

Either way, I tried both, and both give BSOD. I removed all the features I won't be using, so I might have removed something useful.

In the InitializeDriver function for the driver in the Cheat Engine DLL, the

Code:
  processevent:=OpenEvent(SYNCHRONIZE,false,pchar('PROCXXXXList')); //processlist init name
  threadevent:=OpenEvent(SYNCHRONIZE,false,pchar('THXXXXXLIST')); //threadlist init name


The end of InitializeDriver is:

Code:
  cc:=CTL_CODE(IOCTL_UNKNOWN_BASE, $080d, METHOD_BUFFERED, FILE_READ_ACCESS or FILE_WRITE_ACCESS);
  if deviceiocontrol(hdevice,cc,@buf,sizeof(tinput),@buf,sizeof(tinput),x,nil) then
  begin
    result:=true;
    SDTShadow:=res;
  end;
  ownprocess:={OpenProcess}XXXXXXXX2(PROCESS_ALL_ACCESS,false,GetCurrentProcessId);


is there, and I haven't had that before, and it seems to still not work.

I made the kernel dumps, umm, but I don't have internet on this computer to upload them, umm... All I remember is that the ARG4 address, after looking it up in the memory viewer, was ab ab ab ab; it had something to do with STOS 4 times. The crash was in win32k, I don't know for sure. I may post later when I get some CDs to burn data on.

Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25788
Location: The netherlands

Posted: Fri Feb 19, 2010 9:02 am

Yeah, you first need to start the process watcher for the thread functions to work (StartProcessWatch).

I would not bother with WaitForProcessListData because that's tricky to get to work properly since you renamed the event names, but just a working process watcher in the driver should be enough.

Anyhow, you will have to compile the driver yourself.

Also, please be aware that drivers and dbk32.dlls written for different versions will BSOD you (e.g. 5.5 or 5.6 source code will not work on a 5.3 driver).

pkedpker
Master Cheater
Reputation: 1

Joined: 11 Oct 2006
Posts: 412

Posted: Mon Feb 22, 2010 2:47 am

Okay, thanks. Last question, about the unrandomizer: it seems to work on games like Solitaire, but on another game, let's just say it worked before HackShield was added to that game; I doubt they patched it completely.

Anyway, it seems to be blocked. I think it has something to do with the rewritecodedata:

Code:
procedure rewritedata(processhandle: thandle; address:dword; buffer: pointer; size:dword);
var written: dword;
    original,a: dword;
begin
  //make writable, write, restore, flush
  VirtualProtectEx(processhandle,pointer(address),size,PAGE_EXECUTE_READWRITE,original);
  writeprocessmemory(processhandle,pointer(address),buffer,size,written);
  VirtualProtectEx(processhandle,pointer(address),size,original,a);
end;


Could it be that just the WPM it uses is the Windows kernel one that's being blocked? Or maybe even the unrandomizer.pas RPM cannot find anything because of HackShield blocking.

So should I just replace both WPM/RPMs with

NewKernelHandler.wpm
NewKernelHandler.rpm

or some kind of toggle that's linked to the settings window?

Or is it not important, and all WPMs are replaced with the settings one I pick?

But yeah, also...

Should I just remove the VirtualProtectEx and maybe also make a toggle for the MakeWritable() driver version, if it does the same thing?

Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25788
Location: The netherlands

Posted: Mon Feb 22, 2010 6:40 am

Just add NewKernelHandler to the uses list (after Windows) and it'll use the NKH version of the APIs.

The problem is more likely with the memory being read-only, so yes, just call MakeWritable.
