Solved How to make Kernel Mode Read/Write Process Memory?


skythen (Newbie, Full Member, Nov 8, 2014):
As topic says.

So far a simple Read/WriteProcessMemory function was working just fine for my needs, but since the game is blocking RPM and WPM I was told to make my own kernel driver and so on.
I've no idea where to start since it's not an easy task.
My hack was external and it was for DayZ; now all I can do is draw shit on screen since I can't read memory anymore.

Any thoughts on this subject? Where to start? Should I switch to internal, or will it change nothing? Or is making a kernel driver the only way to make RPM and WPM work again?
 

Rake (Cesspool Admin, Administrator, Jan 21, 2014):
If you change to an internal DLL you can use memcpy/memset, which may solve your problem. I would search around for what hack methods the anti-cheat blocks and plan your attack based on that.
 

squeenie (Hacker, Meme Tier VIP, Dank Tier Donator, Mar 6, 2013):
Have a look in Olly and see what's different about RPM/WPM. It might just write a jmp, which you could replace with the original bytes.
 

skythen (Newbie, Full Member, Nov 8, 2014):
JMP? I've no idea what you are talking about.
AFAIK BattlEye is just closing all handles and OpenProcess to Dayz.exe.
I've been thinking, if I moved my external hack to be internal, would that change anything ex
Is there any other substitute for RPM/WPM? AFAIK NtReadProcessMemory is exactly the same as ReadProcessMemory, so there is no point using it unless I am missing something?
Also memory classes/wrappers... I've seen some and every single one has something to do with RPM/WPM, so it is pointless to use them, right?

There is still another way, like Xenos Injector, which uses kernel-mode manual-mapping injection; then RPM works just fine, as I heard from others. But yeah, it is a public release so it will get detected sooner or later, I guess. Still, there is a good point in that: the source code is available for free, so what if I stripped out only the code that I need, like the internal DLL injection and the memory class that it uses?
 

Rake (Cesspool Admin, Administrator, Jan 21, 2014):
So if it just blocks WPM and RPM then you can inject a DLL and use memcpy/memset.

Other thoughts, you might want to try:
-NtWriteVirtualMemory
-VirtualProtect

You can also use SendInput/MouseEvent to send mouse x and y values, I think.

 

skythen (Newbie, Full Member, Nov 8, 2014):
AFAIK NtWriteVirtualMemory is just the other side of WriteProcessMemory, am I right?
Or are there more differences?
 

NTvalk (Hacker, Meme Tier VIP, Jul 6, 2013):
skythen said:
AFAIK NtWriteVirtualMemory is just the other side of WriteProcessMemory, am I right?
Or are there more differences?

WPM is a wrapper around NtWriteVirtualMemory, so yeah, not much difference.
 

skythen (Newbie, Full Member, Nov 8, 2014):
So as I thought, that wouldn't work.
What about ZwReadVirtualMemory? I think it's kernel, but I can't just use it in a user-mode application like mine?
 

AxDSan (Newbie, Full Member, Nobleman, May 24, 2012):
Detection of hidden processes is equally challenging, as a rootkit can employ one or more methods to cover its presence. Here are some very effective methods to detect such userland rootkit processes.
All these detection methods work on a common approach. First they get the list of all running processes using standard API functions such as EnumProcesses or Process32First. Then one or more of the special methods mentioned below are used to enumerate the processes. Finally this new process list is compared with the previously obtained list, and any new process found in this new list is detected as a hidden rootkit process.
This is a very effective method to detect any hidden userland rootkit processes. One of the lesser-known methods of enumerating processes is to use the NtQuerySystemInformation function, passing SystemProcessesAndThreadsInformation as the first parameter. The drawback of this method is that it can be easily circumvented by hooking the NtQuerySystemInformation function and then tampering with the results.

The user-mode NtQuerySystemInformation is basically a stub with a few lines of code to transition from user to kernel land. It finally calls the NtQuerySystemInformation function within the kernel. So the trick here is to implement NtQuerySystemInformation without directly calling the function.

Here is the sample code that shows how one can directly implement NtQuerySystemInformation on various platforms. On Windows 2000, INT 2E is used, and from XP onwards the 'sysenter' instruction is used to transition from user to kernel.
Source: https://securityxploded.com/hidden-process-detection.php

Hope it helped; doing some research online never hurts anyone.
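One way to carry out the cross-view comparison the quoted article describes, as an added example that is not the thread's or the article's code: it walks a NextEntryOffset-chained buffer over a constructed record layout (assumed for the example, not the real SYSTEM_PROCESS_INFORMATION) and reports PIDs the standard API view never returned, so it runs without Windows.

```cpp
// Added example (not the thread's or the article's code): the cross-view
// check the excerpt describes, with both process views constructed inline.
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed stand-in for one record of the NextEntryOffset-chained buffer
// NtQuerySystemInformation fills; not the real Windows struct layout.
struct ProcEntry {
    uint32_t nextEntryOffset;  // bytes to the next record, 0 on the last one
    uint32_t pid;
};

// Walk the chained buffer and collect every PID (the "low-level view").
std::vector<uint32_t> walkEntries(const std::vector<uint8_t>& buf) {
    std::vector<uint32_t> pids;
    for (size_t off = 0; off + sizeof(ProcEntry) <= buf.size();) {
        ProcEntry e;
        std::memcpy(&e, buf.data() + off, sizeof e);
        pids.push_back(e.pid);
        if (e.nextEntryOffset == 0) break;
        off += e.nextEntryOffset;
    }
    return pids;
}

// PIDs in the low-level view that the standard API view (on Windows this
// would come from EnumProcesses) never reported are flagged as hidden.
std::vector<uint32_t> hiddenPids(std::vector<uint32_t> apiView,
                                 const std::vector<uint32_t>& lowView) {
    std::sort(apiView.begin(), apiView.end());
    std::vector<uint32_t> hidden;
    for (uint32_t pid : lowView)
        if (!std::binary_search(apiView.begin(), apiView.end(), pid))
            hidden.push_back(pid);
    return hidden;
}

// Constructed sample: records of differing size (the real buffer carries a
// variable per-process trailer). PID 4321 is absent from the API view below.
std::vector<uint8_t> sampleLowLevelBuffer() {
    std::vector<uint8_t> buf;
    auto add = [&](uint32_t next, uint32_t pid, size_t trailer) {
        ProcEntry e{next, pid};
        const uint8_t* p = reinterpret_cast<const uint8_t*>(&e);
        buf.insert(buf.end(), p, p + sizeof e);
        buf.insert(buf.end(), trailer, uint8_t{0});
    };
    add(sizeof(ProcEntry) + 16, 4, 16);
    add(sizeof(ProcEntry) + 4, 1234, 4);
    add(0, 4321, 0);
    return buf;
}
std::vector<uint32_t> sampleApiView() { return {4, 1234}; }
```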
 

skythen (Newbie, Full Member, Nov 8, 2014):
skythen BattlEye is not blocking RPM/WPM, but it is hiding the process handle so you can not alter the process from an outside process unless you have a driver to.

Then why is my external overlay working and RPM/WPM isn't?

Today I tried to inject my DLL into the DayZ exe; well, it says it did so successfully, but nothing happens then. Weird that it is working fine if I try to inject it into Fraps or Skyrim, but it won't work on Paint, Notepad and DayZ, lel
 

skythen (Newbie, Full Member, Nov 8, 2014):
Maybe because BEDaisy.sys (BattlEye) is blocking DayZ.exe from ring3 applications and you can't inject a DLL into DayZ unless you use a ring0 injector..
 

skythen (Newbie, Full Member, Nov 8, 2014):
Most of the time it's possible to inject the hack DLL while the game is starting.
Furthermore, there are other methods to force your target process to load your DLL.

First, when you turn on DayZ, it starts a process named DayZ_BE, then BEDaisy.sys goes on, and after that the DayZ exe starts, so there is no way to inject anything AFAIK?
 