Page 2 of 2 FirstFirst 12
Results 16 to 30 of 30
  1. #16
    NOOB's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Posts
    3,863
    Reputation
    425
    Thanks
    8,598
    Quote Originally Posted by freedompeace View Post


    Woah, do you have like a CVS for CA addresses? :L
    i do.

  2. #17
    Departure's Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    818
    Reputation
    125
    Thanks
    1,785
    My Mood
    Doh
    keeping old addresses is very useful, you can then determine the offset difference and trend. Or when searching with a debugger you know the rough code area it should be located..

    NOOB send me your cvs

    P.s your sig scan is weird, why would you have wild cards as the first 3 bytes? Also your range is not good at all, you need to change your range to only scan the code section CShell, otherwise you will end up scanning from Cshell all the way into other running processes, Also your start address should be base + 1000, Otherwise once again you are scanning the headers of module instead of starting at the code section.

    DWORD GameStatus = Pattern((DWORD)GetModuleHandleA("CShell.dll"),(DWO RD)0xFFFFFFFF,(PBYTE)"\x00\x00\x00\x37\xFF\x00\xFF ","???xxxx");

    should be just $37,$FF,$00,$FF and then + $B9
    Last edited by Departure; 05-26-2011 at 02:20 PM.

  3. #18
    open|Fire's Avatar
    Join Date
    Jan 2011
    Gender
    male
    Location
    fs:[0]
    Posts
    62
    Reputation
    18
    Thanks
    35
    Quote Originally Posted by Departure View Post
    you need to change your range to only scan the code section CShell, otherwise you will end up scanning from Cshell all the way into other running processes.
    Win9x? you can't scan other processes without inject your code.

  4. #19
    Departure's Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    818
    Reputation
    125
    Thanks
    1,785
    My Mood
    Doh
    ofcause you can scann bytes in other processes your not apart of...

    Actually you don't even need to inject a dll for a logger, you could write an external app that scanns the addresses without injecting..

    A good example is game trainers, they don't inject anything, they simply get the base address of the game they want to modify and search for the address they need to modify...
    Last edited by Departure; 05-26-2011 at 04:40 PM.

  5. #20
    open|Fire's Avatar
    Join Date
    Jan 2011
    Gender
    male
    Location
    fs:[0]
    Posts
    62
    Reputation
    18
    Thanks
    35
    I know it, but in this game you can't do that without repair the SSDT or bypass hackshield, since HS do alot of hooks one of them is on NtOpenProcess so you can't use RPM then you can't read the memory remote.

    but is possible make a sig scan without inject or RPM, I will make an app for it only thing you need to do is convert offset to VA and use hex editor.

    sorry my bad english.

  6. #21
    Departure's Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    818
    Reputation
    125
    Thanks
    1,785
    My Mood
    Doh
    I was reffering to direct move memory and Copymem or even just plain pointer to address... All which can be used instead of RPM and WPM.. also faster than those 2 API's

  7. #22
    open|Fire's Avatar
    Join Date
    Jan 2011
    Gender
    male
    Location
    fs:[0]
    Posts
    62
    Reputation
    18
    Thanks
    35
    I don't get you, first you said we don't need to inject our code to scan.

    Quote Originally Posted by Departure View Post
    ofcause you can scann bytes in other processes your not apart of...

    Actually you don't even need to inject a dll for a logger, you could write an external app that scanns the addresses without injecting..
    RPM

    Quote Originally Posted by Departure View Post
    I was reffering to direct move memory and Copymem or even just plain pointer to address... All which can be used instead of RPM and WPM.. also faster than those 2 API's
    now you saying we need to inject our code because to use these api's like memcpy or RtlMoveMemory, you need to be in the same space of the module you will scan.

    Quote Originally Posted by Departure View Post
    A good example is game trainers, they don't inject anything, they simply get the base address of the game they want to modify and search for the address they need to modify...
    RPM, WPM dll + Named pipes?

  8. #23
    Departure's Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    818
    Reputation
    125
    Thanks
    1,785
    My Mood
    Doh
    Yes you are correct, but you asked 2 questions, the first was about injecting dll, you don't need to inject a dll to read the bytes(Virtual allocate Memory) this was the original discussion right? using this will allow for memcpy, movmem, ect... because its alot faster than RPM and WPM

    Second is reading bytes without being part of its process and without using RPM, you can also do this(2 ways of which I have seen) 1st is an undocumented API, and second is using pointers. I can try and find the examples I seen..

    http://undocumented.ntinternals.net/...ualMemory.html
    Last edited by Departure; 05-27-2011 at 12:38 PM. Reason: Added Link

  9. #24
    open|Fire's Avatar
    Join Date
    Jan 2011
    Gender
    male
    Location
    fs:[0]
    Posts
    62
    Reputation
    18
    Thanks
    35
    ok go stop here.

    but one more thing RPM and NtReadVirtualMemory use the same function which is ZwReadVirtualMemory, so doesn't matter if you use RPM or NtRVM the result is the same.

  10. #25
    Departure's Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    818
    Reputation
    125
    Thanks
    1,785
    My Mood
    Doh
    agreed it does use the same, as RPM is only a wrapper, So the question is... does hackshield hook ReadVirtualMemory? or it does it hook the the wrapper? I guess we could hook this our selfs to find out. I would assume it would hook functions from Ntdll but you never know....

    //Edit

    Just thinking.. If we got the proc address to ReadVirtualMemory and checked it entry point for any hooks and determine the size of the hook if it is hooked by Hackshield could we not jmp over the hook and replace the first bytes with orignal, then we can call ReadVirtualMemory as per normal ... just an idea
    Last edited by Departure; 05-27-2011 at 01:57 PM.

  11. #26
    HellSpider's Avatar
    Join Date
    Jun 2010
    Gender
    male
    Posts
    103
    Reputation
    30
    Thanks
    125
    My Mood
    Asleep
    Quote Originally Posted by Departure View Post
    Yes you are correct, but you asked 2 questions, the first was about injecting dll, you don't need to inject a dll to read the bytes(Virtual allocate Memory) this was the original discussion right? using this will allow for memcpy, movmem, ect... because its alot faster than RPM and WPM
    But nevertheless, you need to have some kind of access to the process space to use functions that access direct memory. It can be a DLL or then a stub allocated to the target process. All those APIs that access direct memory are of course faster because they do not need to interact in Ring0 and gain access to remote processes.

    Quote Originally Posted by Departure View Post
    Second is reading bytes without being part of its process and without using RPM, you can also do this(2 ways of which I have seen) 1st is an undocumented API, and second is using pointers. I can try and find the examples I seen..

    NtReadVirtualMemory
    Could you give some example of the pointers method? Because if you are able to use pointers to memory it means that you are a part of the process memory. RPM and WPM are only made to be used when you operate from another process and are not a part of the target process memory.

    The are a lot of undocumented APIs, but in any case, most of the functions still go through the same steps in Ring0 (kernelmode), which means if the HackShield driver has a well placed hook, it will monitor all access tokens, process handles etc, disabling access from other processes.

    I'm not saying that it would be impossible to get around that stuff, but in my opinion the easiest method by far is being a part of the process memory (DLL or code stub).
    Last edited by HellSpider; 05-27-2011 at 02:08 PM.

  12. #27
    wilsin's Avatar
    Join Date
    May 2010
    Gender
    male
    Location
    sdfsdfsdfsd
    Posts
    1
    Reputation
    10
    Thanks
    0
    My Mood
    Angry
    repliasda dzasafsd

  13. #28
    HellSpider's Avatar
    Join Date
    Jun 2010
    Gender
    male
    Posts
    103
    Reputation
    30
    Thanks
    125
    My Mood
    Asleep
    Quote Originally Posted by wilsin View Post
    repliasda dzasafsd
    What's your problem? Trying to get your post count up? Wrong medication?

  14. #29
    mamago45's Avatar
    Join Date
    Mar 2007
    Gender
    male
    Posts
    11
    Reputation
    10
    Thanks
    2
    Quote Originally Posted by HellSpider View Post
    What's your problem? Trying to get your post count up? Wrong medication?
    It was his first post

  15. #30
    hack4me's Avatar
    Join Date
    Feb 2011
    Gender
    male
    Location
    Colorado
    Posts
    34
    Reputation
    9
    Thanks
    37
    My Mood
    Cool
    Hackshield does hook ReadVirtualMemory on a Kernel level. You would need to have a kernel driver that can detour the HackShield hooks. Can be done without too much
    difficulty. Depends on what you are trying to accomplish. Easier for most people to just use the injected dll to do what they need in memory....

Page 2 of 2 FirstFirst 12