morteeeeh How do I cheat? Reputation: 0
Joined: 12 Jan 2022 Posts: 1
Posted: Fri Jan 14, 2022 5:42 am Post subject: Error 31 running dbk64.sys
Hi, I am currently studying Yosifovich's Windows Kernel Programming. Yes, I want to better understand kernel programming and other intricacies.
Long story short, after searching for various things I came across Cheat Engine. I downloaded it and tried to run its driver, just like I would run any other driver.
So I go with
Code:
sc create dbk64 type= kernel binPath=dbk64.sys-full-path
sc start dbk64
Should work, right? No!
Code:
StartService FAILED 31:
a device attached to the system is not functioning.
Uh, why? I tried running other drivers with this method and it works. Trying to find a solution on Google, I get to the paper
"GhostEmperor: From ProxyLogon to kernel mode"
Holy, hacker stuff!! They will eat me alive.
But I see that
"It is worth mentioning that the malware’s service makes use of a Cheat Engine utility called kernelmoduleuloader.exe (MD5: 96F5312281777E9CC912D5B2D09E6132) during the loading of the dbk64.sys driver. The driver is dropped along with the utility and a .sig file, with the latter being used as a means of authenticating the component calling dbk64.sys by conveying a digital signature that is associated with its binary."
Yeah, OK, it seems there is a logical reason behind the error 31. They talk about using an exe from Cheat Engine as a means to authenticate the accesses to the driver.
But I am a newbie to driver development and it sounds strange to me that there is a sort of authentication involved in user mode code calling a driver.
So, I am at a loss. I have the error 31, but I don't know where it comes from. Is there something in the dbk64 source code that implements such an authentication mechanism??
I have run many drivers using sc and I have never encountered such a thing. So I don't know.
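
As an added example (not part of the original post and not Cheat Engine's or the paper's code): a triage check that walks a directory tree and flags folders where dbk64.sys sits next to the loader utility and a .sig file, the set described in the quoted GhostEmperor passage, and compares the utility against the MD5 quoted there. The names `triage` and `demo`, the second loader spelling and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# MD5 quoted on this page for the loader utility in the GhostEmperor case.
PAGE_MD5 = {"96f5312281777e9cc912d5b2d09e6132"}
DRIVER = "dbk64.sys"
# First spelling is the one quoted on the page; the second is an assumed variant.
LOADERS = {"kernelmoduleuloader.exe", "kernelmoduleunloader.exe"}

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(root, known_md5=PAGE_MD5):
    """Return one finding per directory under root that contains dbk64.sys."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {name.lower(): name for name in files}
        if DRIVER not in lower:
            continue
        loaders = [lower[n] for n in sorted(LOADERS.intersection(lower))]
        sigs = sorted(n for n in files if n.lower().endswith(".sig"))
        hits = [n for n in loaders
                if md5_of(os.path.join(dirpath, n)) in known_md5]
        findings.append({
            "dir": dirpath,
            "loaders": loaders,
            "sig_files": sigs,
            "full_set": bool(loaders and sigs),  # driver + utility + .sig together
            "md5_match": hits,
        })
    return findings

def demo():
    """Constructed sample tree: folder a holds the full set, folder b a lone driver."""
    root = tempfile.mkdtemp()
    for rel, data in [("a/dbk64.sys", b"drv"), ("a/kernelmoduleuloader.exe", b"ldr"),
                      ("a/sample.sig", b"sig"), ("b/DBK64.SYS", b"drv")]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    # The constructed loader's own MD5 stands in for a known-bad hash here.
    return root, triage(root, known_md5={hashlib.md5(b"ldr").hexdigest()})

if __name__ == "__main__":
    print(demo()[1])
```

A `full_set` finding inside a real Cheat Engine install directory is expected; the same set in a service or temp directory is the case worth a closer look.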