TKC-Community

Hacking and Art => General Modding & Programming / Other Games => Topic started by: Mercenary_Frank on September 23, 2017, 04:58:11 pm

Title: How to get the directory table base on windows
Post by: Mercenary_Frank on September 23, 2017, 04:58:11 pm
This question is mostly aimed at mrmedic since I doubt anybody else has any knowledge of Windows internals.

I am trying to get the directory table base so I can translate a physical address to a linear one. How can one get the dirbase of the current process from userland? It is possible to read CR3 for the table offset, but I need a vulnerable driver that allows reading of the register. Does anybody know of any driver that allows you to do that? The KPROCESS struct has an offset to the dirBase and EPROCESS has an offset to KPROCESS. How can one get the EPROCESS struct of the current process that is executing the code?

Solving any of these questions would help me a great deal and solve the problem.
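For readers who are unsure what the directory table base actually does once you have it: it is the physical address of the PML4 table (the value held in CR3 / KPROCESS.DirectoryTableBase), and every linear-to-physical translation for that process starts from it. The Python below is an added example, not code from this thread; it performs the x86-64 four-level walk over a constructed physical-memory image, the same walk a memory-forensics tool performs on a RAM dump. It goes slightly beyond the thread by also handling 2 MiB and 1 GiB large pages. All addresses, table locations and entry values are constructed.

```python
"""x86-64 four-level page-table walk over a constructed physical-memory image.

Added example, not code from this thread. All addresses, table locations
and entries are constructed so the walk can run offline.
"""
import struct

PAGE_SIZE = 0x1000
PRESENT = 1 << 0
RW = 1 << 1
PS = 1 << 7                          # "page size": entry maps a 1 GiB (PDPT) or 2 MiB (PD) page
ADDR_MASK = 0x000F_FFFF_FFFF_F000    # bits 12..51 of an entry hold the next table / frame address


class PhysMem:
    """Sparse physical memory: page-aligned frame address -> 4 KiB of bytes."""

    def __init__(self):
        self.frames = {}

    def write_qword(self, paddr, value):
        base, off = paddr & ~(PAGE_SIZE - 1), paddr & (PAGE_SIZE - 1)
        frame = bytearray(self.frames.get(base, bytes(PAGE_SIZE)))
        frame[off:off + 8] = struct.pack("<Q", value)
        self.frames[base] = bytes(frame)

    def read_qword(self, paddr):
        base, off = paddr & ~(PAGE_SIZE - 1), paddr & (PAGE_SIZE - 1)
        return struct.unpack_from("<Q", self.frames.get(base, bytes(PAGE_SIZE)), off)[0]


def translate(mem, dirbase, vaddr):
    """Translate linear address vaddr to a physical address, starting from dirbase
    (the CR3 / DirectoryTableBase value). Returns None when a level is not present.
    Handles 4 KiB, 2 MiB and 1 GiB pages; the canonical-address check is omitted."""
    shifts = (39, 30, 21, 12)             # index bit positions: PML4, PDPT, PD, PT
    table = dirbase & ADDR_MASK           # low CR3 bits carry PCD/PWT/PCID, not an address
    for level, shift in enumerate(shifts):
        idx = (vaddr >> shift) & 0x1FF    # each table has 512 eight-byte entries
        entry = mem.read_qword(table + idx * 8)
        if not entry & PRESENT:
            return None
        if level in (1, 2) and entry & PS:   # large page: remaining vaddr bits are the offset
            page_mask = (1 << shift) - 1
            return (entry & ADDR_MASK & ~page_mask) | (vaddr & page_mask)
        table = entry & ADDR_MASK
    return table | (vaddr & (PAGE_SIZE - 1))


def build_sample():
    """Constructed tables: PML4[1] -> PDPT[2] -> PD[3] -> PT[4] maps a 4 KiB page,
    and PD[5] maps a 2 MiB large page. PD[6] is deliberately left absent."""
    mem = PhysMem()
    dirbase, pdpt, pd, pt = 0x001AD000, 0x00200000, 0x00201000, 0x00202000   # constructed
    mem.write_qword(dirbase + 1 * 8, pdpt | PRESENT | RW)
    mem.write_qword(pdpt + 2 * 8, pd | PRESENT | RW)
    mem.write_qword(pd + 3 * 8, pt | PRESENT | RW)
    mem.write_qword(pt + 4 * 8, 0x00503000 | PRESENT | RW)            # 4 KiB frame
    mem.write_qword(pd + 5 * 8, 0x40000000 | PS | PRESENT | RW)       # 2 MiB frame
    return mem, dirbase


def linear(pml4, pdpt, pd, pt=0, off=0):
    """Assemble a linear address from its table indices (user half, no sign extension)."""
    return (pml4 << 39) | (pdpt << 30) | (pd << 21) | (pt << 12) | off


if __name__ == "__main__":
    mem, dirbase = build_sample()
    for va in (linear(1, 2, 3, 4, 0x678), linear(1, 2, 5, off=0x10ABC), linear(1, 2, 6)):
        pa = translate(mem, dirbase, va)
        result = "not present" if pa is None else hex(pa)
        print(f"{va:#018x} -> {result}")
```

Running it prints the 4 KiB mapping (0x503678), the 2 MiB mapping (0x40010abc) and a "not present" miss, which is the behaviour a real translation must cope with: a kernel pointer read from a structure is only usable after this walk succeeds for the dirbase you picked.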
Title: Re: How to get the directory table base on windows
Post by: MrMedic on September 23, 2017, 11:12:14 pm
you need to hang the process with a stop 0x101 mate, that will lead you to it, and watchdog will help, but to write your own will take a while depending on what you're trying to do exactly. PS it's at 0x18 in the table.
Title: Re: How to get the directory table base on windows
Post by: Mercenary_Frank on September 23, 2017, 11:40:58 pm
Found another way mate but what you said works as well.
Title: Re: How to get the directory table base on windows
Post by: MrMedic on September 24, 2017, 12:22:29 am
ok mate, good luck with what you're trying to do, I'm guessing battleye

you can tell that anti cheat $able in his wisdom made ... to go fuck itself quite easily you know, same method works on vac and punkbuster.
Title: Re: How to get the directory table base on windows
Post by: Mercenary_Frank on September 24, 2017, 12:27:33 am
ok mate, good luck with what you're trying to do, I'm guessing battleye

you can tell that anti cheat $able in his wisdom made ... to go fuck itself quite easily you know, same method works on vac and punkbuster.

BE has got a kernel driver that has PsCreateRemoteThreadNotifyRoutine, so you can launch your shellcode... it isn't so simple on BE lol. How would you proceed with bypassing it?
Title: Re: How to get the directory table base on windows
Post by: ZOldDude on September 24, 2017, 06:14:35 am
All that needs to be done with any anti-cheat is let it think all is fine.
It's the only thing that matters.
That is the basic idea that matters which has never changed from back when it all started.
I myself stopped programming in the 1980's but the basics still hold true to this day.

If you spend all your waking hours wondering how to defeat every way it works... you're thinking too hard.
Title: Re: How to get the directory table base on windows
Post by: MrMedic on September 29, 2017, 10:56:26 pm
defeat every way it works... you're thinking too hard.

:icon_thumbsup
Title: Re: How to get the directory table base on windows
Post by: Mercenary_Frank on October 01, 2017, 05:24:13 am
Strange, I tried walking the active process links in the EProcess struct but I am unable to find the next EProcess. Flink is in kernel space, so I have no clue what is going wrong.

code
(http://i64.tinypic.com/2e5v9ro.png)

Code:
// EPROCESS of the current process, located by the earlier scan (addr, x and
// PoolHeaderDelta come from that scan, which is not shown here).
uint8_t* virtCurrentEProcess = (addr + x + PoolHeaderDelta - 4);
DWORD64 dirbase = *(DWORD64*)(virtCurrentEProcess + DIRBASEOFFSET);
_LIST_ENTRY activeProcessList = *(_LIST_ENTRY*)(virtCurrentEProcess + PROCESSLINKSOFFSET);

// ImageFileName is a 15-byte array that is not guaranteed to be NUL-terminated,
// so bound the print with %.15s rather than a plain %s.
printf("EPROCESS FOUND: %.15s \n", virtCurrentEProcess + EprocessImageFileName);
printf("Flink address %p\n", activeProcessList.Flink);

// Flink is a kernel virtual address; translate it through this process's page tables.
auto cr = memory.TranslateLinearAddress(dirbase, activeProcessList.Flink);

// ActiveProcessLinks lives inside EPROCESS, so subtract its offset to reach the next EPROCESS base.
auto newProcessName = memory.GetMemory(cr - PROCESSLINKSOFFSET + EprocessImageFileName, 15);
printf("new EProcess name %.15s \n", newProcessName);
Title: Re: How to get the directory table base on windows
Post by: MrMedic on October 05, 2017, 10:21:43 pm
i think you're out of your depth mate.
Title: Re: How to get the directory table base on windows
Post by: Mercenary_Frank on October 06, 2017, 12:46:59 am
nah mate, already solved it a long time ago: the driver gets me a pointer to the value instead of the value itself, hence why derefing it gave me the correct value.
Title: Re: How to get the directory table base on windows
Post by: MrMedic on October 06, 2017, 01:35:16 am
ok mate but there's a much easier way to beat be

if I told you you wouldn't believe it but it's dead easy. google my old posts on other forums from 1992 about an anti cheat named game cat, same thing works for any be game.

i was called t-crew back then, i was hacking xbox hardware and software as a sideline.

i was the first one to do a wallhack for xbox :smile ( t-crew jelly gulch )