ufrisk / MemProcFS

GNU Affero General Public License v3.0

The PID can be found, but its base address cannot be found. #297

Closed subeoy1 closed 3 weeks ago

subeoy1 commented 3 weeks ago

#define VMMDLL_ProcessGetModuleBase VMMDLL_ProcessGetModuleBaseW

uintptr_t c_process::get_module_base(const std::wstring& module_name)
{
    return VMMDLL_ProcessGetModuleBase(m_vmh, (DWORD)m_pid, (LPWSTR)module_name.c_str());
}

// caller
m_base = get_module_base(utils->string_to_wstring(process_name));
if (!m_base) {
    std::cout << "Failed getting base address for process.\n";
    return false;
}

If it fails, m_base is 0.

S1ckZer commented 3 weeks ago

The 5E Protect the Game

no support for cheats :D

subeoy1 commented 3 weeks ago

The 5E Protect the Game

no support for cheats :D

Why can other people's software support it? Is there any other way?

ufrisk commented 3 weeks ago

No discussions about Anti-Cheat bypasses on this Github. There are far better forums for that. Thank You.

DefaultO commented 1 week ago

I have switched to Rust now and am slowly getting used to your memprocfs crate. Thank you for releasing it.

@ufrisk sorry for bumping this (if I can even comment on this after pressing "comment"), but it looks like anti-cheats do mess with the module list, as has already been established. But precisely only your method seems to be affected.


What I found out is that like @subeoy1, I wasn't able to get the process base address of a game protected by EAC the ordinary way.

// notepad++.exe
vmmprocess.get_module_base():
notepad++.exe -> 7ff698160000
...
// r5apex.exe
vmmprocess.get_module_base():
-/-

But I was able to parse the list returned by memprocfs::VmmProcess::map_vad for the name of the process in the info: String field of memprocfs::VmmProcessMapVadEntry. Do you think this is something we could get implemented and use as a backup in the future? Seems to be a solution or rather workaround to that "problem" as I am getting consistent results across different processes.

Thought I'd let you know about this. Since what anti-cheats can do, malware and all the other programs your DMA toolkit could be used on can do too. Could have genuine use besides, you know what.

This might be of use for CS too @S1ckZer. But you don't seem to have any issues in regards to your AL solution. I assume you actually restore some tables EAC gets rid of. Which would be the proper solution. But I am too lazy now that I found a quickfix.

Code:

fn main() {
    // MemProcFS start-up arguments: verbose printing, FPGA DMA device.
    let args = ["-printf", "-device", "fpga"].to_vec();
    let vmm_path = "./target/debug/vmm.dll";
    let current_dir = std::env::current_dir().unwrap_or_else(|e| {
        println!("Failed to get current directory: {}", e);
        return std::path::Path::new("").to_path_buf(); // Return an empty PathBuf as a fallback
    });

    // Load vmm.dll and initialize the memory acquisition backend.
    let vmm = match memprocfs::Vmm::new(vmm_path, &args) {
        Ok(vmm) => vmm,
        Err(e) => {
            println!(
                "Failed to create Vmm object. Error: '{}'\nLibrary path '{}'\nCurrent directory '{}'",
                e,
                vmm_path,
                current_dir.display()
            );
            return;
        }
    };

    // Resolve the target process by image name.
    let vmmprocess = match vmm.process_from_name("r5apex.exe") {
        Ok(vmmprocess) => {
            println!("Process found! PID: {}", vmmprocess.pid);
            vmmprocess
        },
        Err(e) => {
            println!(
                "Failed to find r5apex.exe. Error: '{}'",
                e
            );
            return;
        }
    };

    // Walk the VAD map (extended text enabled so `info` carries the mapped file path)
    // and take the first entry whose backing file path ends with the image name.
    if let Ok(vad_all) = vmmprocess.map_vad(true) {
        println!("Number of VAD entries: {}.", vad_all.len());
        if let Some(vad_entry) = vad_all.iter().find(|vad| vad.info.ends_with("r5apex.exe")) {
            println!("Found VAD entry: {:#X}", vad_entry.va_start);
        } else {
            println!("No VAD entry contains 'r5apex.exe' at the end.");
        }
    } else {
        println!("Failed to retrieve VAD entries.");
    }
}

Output:

PS C:\Users\micro\Downloads\rust-dma-al> cargo build
   Compiling rust-dma-al v0.1.0 (C:\Users\micro\Downloads\rust-dma-al)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.54s
PS C:\Users\micro\Downloads\rust-dma-al> cargo run  
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.02s
     Running `target\debug\rust-dma-al.exe`
[SYMBOL]   Functionality may be limited. Extended debug information disabled.
[SYMBOL]   Offline symbols unavailable - file 'info.db' not found.
[SYMBOL]   Reason: Could not load PDB required file - symsrv.dll/dbghelp.dll.
[SYMBOL]   Reason: Could not load PDB required file - libpdbcrust.dll/so.

Initialized 64-bit Windows 10.0.22621
[PLUGIN]   Python initialization failed. Python 3.6 or later not found.
Process found! PID: 6700
Number of VAD entries: 820.
Found VAD entry: 0x7FF7C1890000
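The observation in the comment above, that the main image can be absent from the loader module list while the VAD map still shows the file-backed mapping, is also the classic signature of a module that has been unlinked from the PEB loader lists, which the comment itself notes malware can do as well. The following is an added example, not code from this issue or from the memprocfs crate: it takes the module-list answer (if any) and a VAD list and cross-checks them, so a triage script can report "consistent", "hidden from module list" or "module list points somewhere else" instead of silently falling back. `VadEntry` is a constructed stand-in carrying only the two fields the comment relies on (`va_start`, `info`); in a real run it would be filled from the entries `map_vad(true)` returns, and the sample entries and base addresses below are constructed.

```rust
// Added example (not from the issue or the memprocfs crate): cross-check a process's
// loader module list against its VAD map to flag a main image that the module list
// does not report. `VadEntry` is a constructed stand-in for the VAD entry type, keeping
// only the fields used here.

#[derive(Debug, Clone, PartialEq)]
pub struct VadEntry {
    pub va_start: u64,
    pub va_end: u64,
    /// Backing file path for file-backed mappings, empty for private memory.
    pub info: String,
}

#[derive(Debug, PartialEq)]
pub enum BaseLookup {
    /// Module list and VAD map agree on the image base.
    Consistent(u64),
    /// No module-list entry, but a VAD maps the image file: the loader list has
    /// been tampered with or the module was unlinked. Worth alerting on in triage.
    HiddenFromModuleList(u64),
    /// Module list reports a base that no image VAD of that file starts at.
    ModuleListMismatch { module_base: u64, vad_base: Option<u64> },
    /// Neither source knows the image.
    NotFound,
}

/// Case-insensitive test that `info` is `image_name` or ends with `\<image_name>`.
/// The path-separator check avoids matching "notepad.exe" against "xnotepad.exe".
fn vad_backs_image(info: &str, image_name: &str) -> bool {
    let info = info.to_ascii_lowercase();
    let name = image_name.to_ascii_lowercase();
    let suffix = format!("\\{}", name);
    info == name || info.ends_with(suffix.as_str())
}

/// Reconcile the module-list base (None if the list had no entry) with the VAD map.
pub fn locate_image(module_base: Option<u64>, vads: &[VadEntry], image_name: &str) -> BaseLookup {
    let vad_hit = vads.iter().find(|v| vad_backs_image(&v.info, image_name));
    match (module_base, vad_hit) {
        (Some(base), Some(v)) if v.va_start == base => BaseLookup::Consistent(base),
        (Some(base), v) => BaseLookup::ModuleListMismatch {
            module_base: base,
            vad_base: v.map(|e| e.va_start),
        },
        (None, Some(v)) => BaseLookup::HiddenFromModuleList(v.va_start),
        (None, None) => BaseLookup::NotFound,
    }
}

/// Constructed VAD list standing in for `map_vad(true)` output. The notepad++ base is
/// the value shown earlier in this issue; the other addresses are made up.
pub fn sample_vads() -> Vec<VadEntry> {
    vec![
        VadEntry {
            va_start: 0x7ff6_9816_0000,
            va_end: 0x7ff6_9850_0000,
            info: r"\Device\HarddiskVolume3\Program Files\Notepad++\notepad++.exe".into(),
        },
        VadEntry {
            va_start: 0x7ff7_1234_0000,
            va_end: 0x7ff7_1500_0000,
            info: r"\Device\HarddiskVolume3\Apps\sample_service.exe".into(),
        },
        VadEntry {
            va_start: 0x7ffd_0000_0000,
            va_end: 0x7ffd_0020_0000,
            info: r"\Windows\System32\ntdll.dll".into(),
        },
        VadEntry { va_start: 0x1_0000_0000, va_end: 0x1_0010_0000, info: String::new() },
    ]
}

fn main() {
    let vads = sample_vads();
    // Constructed scenario: the module list knows notepad++ but has no entry for
    // sample_service.exe, which the VAD map still shows as a file-backed image.
    let cases = [("notepad++.exe", Some(0x7ff6_9816_0000u64)), ("sample_service.exe", None)];
    for (name, module_base) in cases {
        println!("{}: {:?}", name, locate_image(module_base, &vads, name));
    }
}
```

A `HiddenFromModuleList` result is the case the comment hit; treating it as a finding rather than a quiet fallback is what makes the same lookup useful on a memory image of a suspect host.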

S1ckZer commented 1 week ago

@DefaultO I know how to do it, of course, but I just want to respect ufrisk's rules. He doesn't want to support cheaters in his repo or discord.