Author Topic: How to get the directory table base on windows  (Read 471 times)

0 Members and 1 Guest are viewing this topic.

Mercenary_Frank

  • Online Villain
  • ***
  • Posts: 177
    • View Profile
How to get the directory table base on windows
« on: September 23, 2017, 04:58:11 pm »
This question is mostly aimed at mrmedic since I doubt anybody else has any knowledge on windows internals.

I am trying to get the directory table base so I can translate a physical address to a linear one. How can one achieve getting the dirbase of the current process in userland? It is possible to read the CR3 for the table offset but I need a vulnerable driver that allows reading of the register. Does anybody know of any driver that allows you to do that? KPROCESS struct has an offset to the dirBase and EPROCESS has an offset to KPROCESS. How can one get the EPROCESS struct of the current process who is executing the code?

Solving any of the questions would help me a great deal and solve the problem.

MrMedic

  • MasstKer
  • ********
  • Posts: 8900
  • programmer/dev/software engineer
    • View Profile
Re: How to get the directory table base on windows
« Reply #1 on: September 23, 2017, 11:12:14 pm »
you need to hang the process with a stop 0x101 mate that will lead you to it and watchdog will help but to write your own will take a while depending on what your trying to do exactly ps its at 0x18 in the table.
EnCoded Message: i3iy9yl8kr2xf3g2Txs3pr6ye3ya7jg5ty2z

you need a paypal account for the private versions.

Website:
http://bit.ly/medic101

Teamspeak 3: 85.236.101.5:10157

Mercenary_Frank

  • Online Villain
  • ***
  • Posts: 177
    • View Profile
Re: How to get the directory table base on windows
« Reply #2 on: September 23, 2017, 11:40:58 pm »
Found another way mate but what you said works as well.
« Last Edit: September 23, 2017, 11:50:26 pm by Mercenary_Frank »

MrMedic

  • MasstKer
  • ********
  • Posts: 8900
  • programmer/dev/software engineer
    • View Profile
Re: How to get the directory table base on windows
« Reply #3 on: September 24, 2017, 12:22:29 am »
ok mate , good luck with what your trying to do , im guessing battleye

you can tell that anti cheat $able in his wisdom made ... to go fuck its self quite easily you know , same method works on vac and punkbuster.
EnCoded Message: i3iy9yl8kr2xf3g2Txs3pr6ye3ya7jg5ty2z

you need a paypal account for the private versions.

Website:
http://bit.ly/medic101

Teamspeak 3: 85.236.101.5:10157

Mercenary_Frank

  • Online Villain
  • ***
  • Posts: 177
    • View Profile
Re: How to get the directory table base on windows
« Reply #4 on: September 24, 2017, 12:27:33 am »
ok mate , good luck with what your trying to do , im guessing battleye

you can tell that anti cheat $able in his wisdom made ... to go fuck its self quite easily you know , same method works on vac and punkbuster.

BE got a kernel driver that has PsCreateRemoteThreadNotifyRoutine so you can launch your shellcode it isn't so simple on BE lol How would you proceed with bypassing it?
« Last Edit: September 24, 2017, 02:43:49 pm by Mercenary_Frank »

ZOldDude

  • The Unknown Rank!
  • Administrator
  • MasstKer
  • *
  • *
  • Posts: 20810
  • Old School TKC
    • View Profile
    • Admin
Re: How to get the directory table base on windows
« Reply #5 on: September 24, 2017, 06:14:35 am »
All that needs to be done with any anti-cheat is let it think all is fine.
It's the only thing that matters.
That is the basic idea that matters which has never changed from back when it all started.
I myself stopped programming in the 1980's but the basics still hold true to this day.

If you spend all your waking hours wondering how to defeat every way it works...your thinking to hard.
« Last Edit: September 24, 2017, 06:23:06 am by ZOldDude »

*While we crash and burn, small, low tech, agrarian societies such as the Hmong in the mountains of Laos will continue on without so much as blinking an eye.*

MrMedic

  • MasstKer
  • ********
  • Posts: 8900
  • programmer/dev/software engineer
    • View Profile
Re: How to get the directory table base on windows
« Reply #6 on: September 29, 2017, 10:56:26 pm »
defeat every way it works...your thinking to hard.


 :icon_thumbsup
EnCoded Message: i3iy9yl8kr2xf3g2Txs3pr6ye3ya7jg5ty2z

you need a paypal account for the private versions.

Website:
http://bit.ly/medic101

Teamspeak 3: 85.236.101.5:10157

Mercenary_Frank

  • Online Villain
  • ***
  • Posts: 177
    • View Profile
Re: How to get the directory table base on windows
« Reply #7 on: October 01, 2017, 05:24:13 am »
Strange, I tried walking the active process links in the EProcess struct but I am unable to find the next EProcess. Flink is in kernelspace so I have no clue what is going wrong

code


Code: [Select]
uint8_t* virtCurrentEProcess = (addr + x + PoolHeaderDelta - 4);
DWORD64 dirbase = *(DWORD64*)(virtCurrentEProcess + DIRBASEOFFSET);
_LIST_ENTRY activeProcessList = *(_LIST_ENTRY*)(virtCurrentEProcess + PROCESSLINKSOFFSET);

printf("EPROCESS FOUND: %s \n", virtCurrentEProcess + EprocessImageFileName);
printf("Flink address %p\n", activeProcessList.Flink);

auto cr = memory.TranslateLinearAddress(dirbase, activeProcessList.Flink);

auto newProcessName = memory.GetMemory(cr - PROCESSLINKSOFFSET + EprocessImageFileName, 15);
printf("new EProcess name %s \n", newProcessName);

MrMedic

  • MasstKer
  • ********
  • Posts: 8900
  • programmer/dev/software engineer
    • View Profile
Re: How to get the directory table base on windows
« Reply #8 on: October 05, 2017, 10:21:43 pm »
i think your out of your depth mate.
EnCoded Message: i3iy9yl8kr2xf3g2Txs3pr6ye3ya7jg5ty2z

you need a paypal account for the private versions.

Website:
http://bit.ly/medic101

Teamspeak 3: 85.236.101.5:10157

Mercenary_Frank

  • Online Villain
  • ***
  • Posts: 177
    • View Profile
Re: How to get the directory table base on windows
« Reply #9 on: October 06, 2017, 12:46:59 am »
nah mate already solved it long time ago driver gets me a pointer to the value instead of the value itself hence why derefing it gave me the correct value.

MrMedic

  • MasstKer
  • ********
  • Posts: 8900
  • programmer/dev/software engineer
    • View Profile
Re: How to get the directory table base on windows
« Reply #10 on: October 06, 2017, 01:35:16 am »
ok mate but theres a much easier way to beat be

if i told you you wouldnt believe it but its dead easy. google my old posts on other forums from 1992 about an anti cheat named game cat , same thing works for any be game.

i was called t-crew back then i was hacking xbox hardware and software as a sideline.

i was the first one to do a wallhack for xbox  :smile ( t-crew jelly gulch )
EnCoded Message: i3iy9yl8kr2xf3g2Txs3pr6ye3ya7jg5ty2z

you need a paypal account for the private versions.

Website:
http://bit.ly/medic101

Teamspeak 3: 85.236.101.5:10157