loading dbk64.sys via dbvm: will it be harder to detect?
ntint
Posted: Mon May 29, 2017 4:14 am    Post subject: loading dbk64.sys via dbvm: will it be harder to detect?

Hi.

Since I can't get dbvm to load dbk64.sys (yet), I just wanna know if it would be worth trying to get it to work.

Whichever technique dbvm uses to load dbk64.sys, will dbk64.sys be visible in

1) PsLoadedModuleList
2) Service Manager
3) Registry ?

In the official release, it will be visible in all three when loading it "normally". So I wanted to know if dbvm would simply fix all 3?


Thanks in advance.
Dark Byte (Site Admin)
Posted: Mon May 29, 2017 4:19 am

If you let DBVM load the driver, then it will not be visible there.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
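A defender-side way to check the three inventories ntint lists, as an added example that is not part of the thread and not Cheat Engine or DBVM code: it collects the kernel module list (which Windows builds from PsLoadedModuleList), the Service Control Manager's driver services and the registry Services key, and reports where the three disagree. The Windows collectors assume the standard `winreg` module, `sc.exe` on PATH and the documented layout of SystemModuleInformation; the data in the test is constructed. The caveat is the thread's own point: a driver that is mapped without being registered shows up in none of the three, so an inventory that agrees with itself only tells you what went through the normal loading path.

```python
"""Driver inventory cross-check for the three places named in the thread.

Added example (not Cheat Engine or DBVM code). On Windows it collects
  1) the kernel module list (NtQuerySystemInformation / SystemModuleInformation,
     which the kernel builds from PsLoadedModuleList),
  2) the Service Control Manager's driver services ("sc query type= driver"),
  3) the registry Services key,
and reports where they disagree. On other platforms only the comparison
logic (cross_reference) is usable, fed with constructed data.
"""
import ctypes
import os
import re
import subprocess
import sys

SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"
SYSTEM_MODULE_INFORMATION = 11          # SYSTEM_INFORMATION_CLASS value
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
DRIVER_SERVICE_TYPES = (1, 2)           # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER


class RTL_PROCESS_MODULE_INFORMATION(ctypes.Structure):
    _fields_ = [("Section", ctypes.c_void_p), ("MappedBase", ctypes.c_void_p),
                ("ImageBase", ctypes.c_void_p), ("ImageSize", ctypes.c_ulong),
                ("Flags", ctypes.c_ulong), ("LoadOrderIndex", ctypes.c_ushort),
                ("InitOrderIndex", ctypes.c_ushort), ("LoadCount", ctypes.c_ushort),
                ("OffsetToFileName", ctypes.c_ushort), ("FullPathName", ctypes.c_char * 256)]


class RTL_PROCESS_MODULES(ctypes.Structure):
    _fields_ = [("NumberOfModules", ctypes.c_ulong),
                ("Modules", RTL_PROCESS_MODULE_INFORMATION * 1)]


def base_name(path):
    """Normalise an image path to a comparable key: '\\SystemRoot\\system32\\drivers\\X.sys' -> 'x'."""
    leaf = path.replace("\\", "/").rsplit("/", 1)[-1]
    return os.path.splitext(leaf)[0].lower()


def loaded_kernel_modules():
    """Image base names of every module on PsLoadedModuleList (Windows only)."""
    ntdll = ctypes.WinDLL("ntdll")
    ntdll.NtQuerySystemInformation.restype = ctypes.c_ulong
    size = ctypes.c_ulong(0x10000)
    while True:
        buf = ctypes.create_string_buffer(size.value)
        status = ntdll.NtQuerySystemInformation(SYSTEM_MODULE_INFORMATION, buf, size, ctypes.byref(size))
        if status != STATUS_INFO_LENGTH_MISMATCH:
            break
        size.value *= 2                 # buffer too small: grow and retry
    if status != 0:
        raise OSError("NtQuerySystemInformation failed: 0x%08X" % status)
    count = RTL_PROCESS_MODULES.from_buffer(buf).NumberOfModules
    modules = (RTL_PROCESS_MODULE_INFORMATION * count).from_buffer(buf, RTL_PROCESS_MODULES.Modules.offset)
    return {base_name(m.FullPathName.decode("latin-1")) for m in modules}


def scm_driver_services():
    """Driver service names as the Service Control Manager reports them (Windows only)."""
    out = subprocess.run(["sc", "query", "type=", "driver", "state=", "all"],
                         capture_output=True, text=True, check=True).stdout
    return {m.group(1).lower() for m in re.finditer(r"SERVICE_NAME:\s*(\S+)", out)}


def registry_driver_services():
    """{service name: image base name or None} for driver-type subkeys of the Services key (Windows only)."""
    import winreg
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as key:
                    if winreg.QueryValueEx(key, "Type")[0] not in DRIVER_SERVICE_TYPES:
                        continue
                    try:
                        image = base_name(winreg.QueryValueEx(key, "ImagePath")[0])
                    except FileNotFoundError:
                        image = None    # no ImagePath: the SCM defaults to <name>.sys under drivers
            except OSError:
                continue                # subkey without a Type value, or access denied
            found[name.lower()] = image
    return found


def cross_reference(loaded, scm_names, registry):
    """Compare the three inventories; every bucket is a sorted list of normalised names."""
    reg_names = set(registry)
    reg_images = {img for img in registry.values() if img}
    known = scm_names | reg_names | reg_images
    return {
        "loaded_unregistered": sorted(loaded - known),          # in memory, no service record anywhere
        "scm_without_registry": sorted(scm_names - reg_names),  # SCM reports it, registry has no subkey
        "registry_without_scm": sorted(reg_names - scm_names),  # registry subkey the SCM does not report
    }


if __name__ == "__main__":
    if sys.platform != "win32":
        print("collectors need Windows; cross_reference() can be used with data from elsewhere")
    else:
        report = cross_reference(loaded_kernel_modules(), scm_driver_services(), registry_driver_services())
        for bucket, names in report.items():
            print("%s (%d): %s" % (bucket, len(names), ", ".join(names)))
```

Run it elevated on the Windows host. Entries such as ntoskrnl and hal under loaded_unregistered are expected, since they are not services; what deserves a look is anything else there, plus registry subkeys the SCM does not report.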
ntint
Posted: Mon May 29, 2017 4:36 am

Thanks for that quick answer! But this raises quite some more questions:

1) Does it manually map the driver?
2) Does it work with a self-compiled unsigned ce driver with dse enabled and testsigning off?
3) Could you load other drivers the same way? And if so, do these drivers have to be "specially crafted" to follow certain rules?
Dark Byte (Site Admin)
Posted: Mon May 29, 2017 6:07 pm

1: Yes
2: It just maps the driver; as long as it's not encrypted, or relies too much on Windows behaviour, it'll be fine.
3: No, the dbk driver is specifically designed to be operable in case it's loaded by DBVM, and used by CE.
e.g. exception handling will not properly work, so special paths will then be taken,
and no DeviceIoControl will work; only specially fabricated DBVM privilege packets will end up with the handler.

ntint
Posted: Tue May 30, 2017 3:32 am

Alright, thanks. Sounds all good.
Hopefully you can give me some hints on how to get my setup to work.

What I'm trying to do is the following:

1) Use official ce to load dbvm
2) Use dbvm to load my self-compiled unsigned ce driver while dse is enabled and testsigning is disabled


The setup is the following:

I use Win7 x64 on an i7, all 4 cores enabled. dbvm is supported and working in official ce (just some occasional clock timeouts here and there on breakpoints, but never on loading dbvm). I downloaded the latest ce source, successfully built the release version of ce with lazarus 1.6 and the driver using ce.bat inside the win7 x64 checked build environment of wdk 7.1. Just to make sure, I copied vmdisk.img and vmdisk.img.sig from original ce to the bin directory. I'm not renaming any files and not using driver64.dat. I can't run buildsigs.bat since the siggen directory is missing.

Now I do the following:

1) Run official ce and load dbvm -> success
2) Close official ce
3) Run kernelmoduleunloader -> success (I also tried without running the unloader)
4) Run self-compiled ce in bin directory -> loading driver fails because of dse -> try to load via dbvm -> bugcheck 0x1e (KMODE_EXCEPTION_NOT_HANDLED)


Just to see if everything works when loading the driver normally, I did the following:

1) Run official ce and load dbvm
2) Manually set ntoskrnl!g_CiEnabled to 0 to temporarily disable dse
3) Close official ce and run kernelmoduleunloader
4) Run self-compiled ce and load driver "normally" with dse disabled -> success


Am I missing something in this setup, or is dbvm just not working like that?
Dark Byte (Site Admin)
Posted: Tue May 30, 2017 3:51 am

Could be there is an exception being handled somewhere. DBVM does not allow drivers to handle exceptions.

Find all try/except blocks and rewrite them with only the code in the try, and make sure it never raises an exception.
Then try loading it the normal way and fix/adjust it till it's not crashing you anymore. (Some features may have to go.)

ntint
Posted: Wed May 31, 2017 1:20 am

Dark Byte wrote:
> Could be there is an exception being handled somewhere. DBVM does not allow drivers to handle exceptions.

Just making sure... doesn't it allow any driver in the system to handle exceptions, or just dbk64?
Dark Byte (Site Admin)
Posted: Wed May 31, 2017 1:45 am

Just the one it loads.
ntint
Posted: Thu Jun 01, 2017 5:53 am

Appreciate the help!