Closed Allen399499 closed 6 years ago
In theory it is (and it will actually work too). You just need to reverse the reading process in the driver, so it reads from the usermode app and writes to the game (in this solution it obviously reads from the game and writes to the usermode app).
I got it. Will try as soon as I can. Thank you again!
New UWorld and GNames address???
Without my computer now, will find and post them later.
Thank you again!
2.6.44.5 UWorld: 0x3A4C128 GNames: 0x394EF10 @huddhudd
@Allen399499 I need a little bit of help. Add me on Discord, Emil#7248
I got a problem. I can read an offset from PUBG and get the correct value, but when I write a different value to the SAME address and then read it out to check, the VALUE did not change. Should I put some logging in the DRIVER? Do I need two PCs and a cable to debug the KERNEL? Here is the code, thank you very much @jussihi

else if (w_poReadStruct->ProtocolMsg == PROTO_NORMAL_WRITE)
{
    // transfer the data from the usermode app into the kernel staging buffer
    __try
    {
        KeStackAttachProcess(hClient, &apc_state);
        ProbeForRead((CONST PVOID)w_poReadStruct->UserBufferAdress, w_poReadStruct->ReadSize, sizeof(CHAR));
        // destination is DriverBuffer, source is the client's buffer; the version as posted
        // had these two operands swapped, so DriverBuffer (and therefore the game) never changed
        RtlCopyMemory(DriverBuffer, (PVOID)w_poReadStruct->UserBufferAdress, w_poReadStruct->ReadSize);
        KeUnstackDetachProcess(&apc_state);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        KeUnstackDetachProcess(&apc_state);
        NtStatus = STATUS_ABANDONED;
    }

    // transfer the data from the kernel staging buffer to the game,
    // but only if the first copy succeeded (otherwise stale data would be written)
    if (NT_SUCCESS(NtStatus))
    {
        __try
        {
            KeStackAttachProcess(hGame, &apc_state);
            ProbeForWrite((PVOID)w_poReadStruct->GameAddressOffset, w_poReadStruct->ReadSize, sizeof(CHAR));
            RtlCopyMemory((PVOID)w_poReadStruct->GameAddressOffset, DriverBuffer, w_poReadStruct->ReadSize);
            KeUnstackDetachProcess(&apc_state);
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            KeUnstackDetachProcess(&apc_state);
            NtStatus = STATUS_ABANDONED;
        }
    }
}

template <typename TW>
    if (w_protoMsg == PROTO_NORMAL_WRITE)
    {
        readStruct rStruct{ (uint64_t)&_writeMe, 0, (uint64_t)w_read, 0, sizeof(TW), 0, (uint32_t)GetCurrentProcessId(), 0, TRUE, PROTO_NORMAL_WRITE };
        // send the struct to the driver (the IOCTL path is a WriteFile on the device handle)
        WriteFile(m_hDriver, (LPCVOID)&rStruct, sizeof(rStruct), NULL, NULL);
    }
}
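A user-mode model of the two-stage read/write protocol discussed above, added here as an example; it is not code from the PUBG-map-hack repository or from any poster in this thread. The game process is a local byte array and the "driver" is a plain function, so the copy direction of the PROTO_NORMAL_WRITE path and the validation of the request can be exercised without loading a driver. The struct layout, the buffer sizes, the PID and every function name are assumptions.

```c
/* Added example (not code from the PUBG-map-hack repo or from this thread):
 * a user-mode model of the driver's two-stage read/write protocol. The game
 * process is a local byte array, the "kernel" is a plain function, so the
 * copy direction and the request validation can be checked without a driver.
 * Struct layout, constants, sizes and function names are hypothetical. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PROTO_NORMAL_READ  1
#define PROTO_NORMAL_WRITE 2

#define GAME_MEM_SIZE   256   /* constructed stand-in for the game's address space */
#define DRIVER_BUF_SIZE 64    /* kernel staging buffer, as in the posted driver */

/* Hypothetical layout; the thread only shows an initializer list for it. */
typedef struct {
    uint64_t UserBufferAdress;  /* pointer into the client's own memory */
    uint64_t GameAddressOffset; /* offset into the game region */
    uint32_t ReadSize;          /* bytes to move, in either direction */
    uint32_t ProcessId;         /* client PID; unused in the model */
    uint32_t ProtocolMsg;       /* PROTO_NORMAL_READ or PROTO_NORMAL_WRITE */
} readStruct;

typedef enum { ST_SUCCESS = 0, ST_INVALID = 1 } status_t;

static uint8_t game_mem[GAME_MEM_SIZE];       /* the "attached" game process */
static uint8_t DriverBuffer[DRIVER_BUF_SIZE]; /* persists between requests, like the real one */

/* ProbeForRead/ProbeForWrite only prove a pointer is a user-mode address; a driver
 * that takes addresses and sizes from user mode also has to bound them itself.
 * The model checks the size against the staging buffer and the game range. */
static int request_ok(const readStruct *req) {
    if (req->ReadSize == 0 || req->ReadSize > DRIVER_BUF_SIZE) return 0;
    if (req->UserBufferAdress == 0) return 0;
    if (req->GameAddressOffset > GAME_MEM_SIZE) return 0;
    if (req->ReadSize > GAME_MEM_SIZE - req->GameAddressOffset) return 0;
    return 1;
}

/* Kernel side. WRITE: client -> DriverBuffer -> game. READ: game -> DriverBuffer -> client.
 * reproduce_bug=1 uses the operand order posted in the thread for stage 1 of a write. */
static status_t driver_dispatch(const readStruct *req, int reproduce_bug) {
    if (!request_ok(req)) return ST_INVALID;
    uint8_t *client = (uint8_t *)(uintptr_t)req->UserBufferAdress;
    uint8_t *game   = game_mem + req->GameAddressOffset;

    if (req->ProtocolMsg == PROTO_NORMAL_WRITE) {
        if (reproduce_bug)
            memcpy(client, DriverBuffer, req->ReadSize); /* stale staging data clobbers the client's value */
        else
            memcpy(DriverBuffer, client, req->ReadSize); /* usermode app -> kernel */
        memcpy(game, DriverBuffer, req->ReadSize);       /* kernel -> game */
        return ST_SUCCESS;
    }
    if (req->ProtocolMsg == PROTO_NORMAL_READ) {
        memcpy(DriverBuffer, game, req->ReadSize);       /* game -> kernel */
        memcpy(client, DriverBuffer, req->ReadSize);     /* kernel -> usermode app */
        return ST_SUCCESS;
    }
    return ST_INVALID;
}

/* User side: what the template wrapper in the thread builds, without templates. */
static status_t um_request(uint32_t msg, uint64_t game_off, void *buf, uint32_t size, int reproduce_bug) {
    readStruct r = { (uint64_t)(uintptr_t)buf, game_off, size, 1234u /* constructed PID */, msg };
    return driver_dispatch(&r, reproduce_bug); /* stands in for WriteFile(m_hDriver, &r, ...) */
}

/* The check described in the thread: write a value, read the same address back, compare.
 * Returns 1 when the readback equals the value that was meant to be written. */
int write_readback_ok(uint64_t game_off, uint32_t value, int reproduce_bug) {
    uint32_t want = value, got = 0;
    if (um_request(PROTO_NORMAL_WRITE, game_off, &value, sizeof value, reproduce_bug) != ST_SUCCESS) return 0;
    if (um_request(PROTO_NORMAL_READ, game_off, &got, sizeof got, 0) != ST_SUCCESS) return 0;
    return got == want;
}

/* A request that would run past the end of the game region must be refused. */
int oversized_request_rejected(void) {
    uint32_t v = 0;
    return um_request(PROTO_NORMAL_READ, GAME_MEM_SIZE - 2, &v, sizeof v, 0) == ST_INVALID;
}

int main(void) {
    printf("fixed copy order, readback matches:  %d\n", write_readback_ok(0x40, 0x11223344u, 0));
    printf("posted copy order, readback matches: %d\n", write_readback_ok(0x40, 0x55667788u, 1));
    printf("out-of-range request rejected:       %d\n", oversized_request_rejected());
    return 0;
}
```

With the posted operand order, stage 1 overwrites the caller's variable with whatever was left in DriverBuffer and stage 2 then writes that stale content into the game, which is exactly the "value did not change" symptom; comparing the readback against a saved copy of the intended value is what exposes it. On a real driver, ProbeForRead and ProbeForWrite raise only when a pointer is not a user-mode address; they do not bound ReadSize against anything, so a request larger than DriverBuffer overruns the kernel buffer unless the driver checks the size itself, which is what request_ok stands in for.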
I got it...
@Allen399499 Can you give me more information about using a driver to edit memory, or show me some code? I want to learn more about it. Thanks. You can add me on tg @iloft
@Allen399499 How did you fix it? I can't seem to find what's wrong. I also tried your function; any help would be appreciated.
I personally didn't use the kernel's template way to get around it. I used a template in the userspace program, and transferred the write size of that type in the IOCTL struct.
I can try to find the kernel writing code from my old hard drive. I'll ping you guys if I find it.
I already fixed it; it was some weird issue with the driver buffer. I have another question: is it possible to get the PID and BASE without PsSetLoadImageNotify? Like passing them from UM to KM.
@radoradovan great!
Yes, I think you can get it by using https://docs.microsoft.com/en-us/windows/desktop/ToolHelp/process-walking, but then again I'm not sure if the process IDs in UM and KM match or not. You can try to find it out. But I think that googling this might help.
Well, let's hope they are the same. I will try it right now. Thanks again for your contribution!
Sadly I can't get it to work. I always BSOD with SYSTEM_SERVICE_EXCEPTION. Could you maybe do me a sample on how to pass PID and base from UM to KM and use it in your KM driver source? I tried it for the last 2 days without success. Also, do you have something where I could donate, since this is a very nice contribution? Thank you.
@radoradovan
Did you first try with some other process, for example notepad.exe, to see if the ID in kernel & userland match each other? Just print out the IDs in both UM and KM and see if they match. If they do, you should be good to go. Just remove the PE header length (IIRC), so you get the true entry point of the process.
Is there a specific reason why you cannot use PsGetProcessSectionBaseAddress and PsSetLoadImageNotifyRoutine in kernel?
I don't need donations, I have a job and I study at uni, so I already have money :) But thanks.
@radoradovan and if you make the writing complete, please fork the repo and create a pull request and I will merge your work to the repo. I haven't used Windows for a long time and that's why I'm not updating this anymore (another reason was that in new releases of PUBG the offsets are encrypted)
I want to avoid using callbacks since it creates another detection vector; also, it's not PatchGuard-safe if you manually map the driver. Process ID/base seem correct now, but somehow I get a BSOD when I try to read or write, "System_Memory_Exception" or something similar. I can upload the crash dump later, but I didn't find anything that leads me anywhere, sadly.
HMU if you need offsets / encryption for new PUBG.
@radoradovan Does the original code work for you, if you use the original KM way to get the base address etc.? I don't know what's wrong with this; it might also be the way you are loading the driver. I remember some unofficial ways to load the driver did not support SEH (try-except...), but I think that was a problem with Turla. I used a DMA device to load the driver myself (pcileech).
So, does the writing work if you use the original way to acquire base address?
Dear all, can you please remove me from this conversation? I really don't know why I receive these mails and don't know what you are all talking about :-)
Thank you iloft
@iloft Sorry, I think that someone has the same Telegram nickname as your GitHub username, and they posted that nick here. I'm sorry about that. Please click the "mute the thread" link in your email to stop receiving this "spam" 👍 Sorry for this.
@radoradovan
If you have a telegram account, you can find me from there with the same username. We can continue the chat there (if you want to) and then possibly commit the final changes to the repo if needed.
Sure thing thank you, I’ve added you.
Hi @jussihi, is that doable? And thank you!