- compile driver
- load driver or map it with kdmapper
- open CE or software(name contain HyperCE)
https://blog.hhhhhi.com/archives/10/
- bypass protection
- hide process
image image our HyperCE 无标题 无标题1
0981e988ecba705e40e30f96305b9b03
the kernel function MiReadWriteVirtualMemory call ObReferenceObjectByHandleWithTag to check the privilege. so hooking ObReferenceObjectByHandleWithTag can let Cheat Engine acess any process despite proctection.
__int64 __fastcall MiReadWriteVirtualMemory(
HANDLE Handle,
char *a2,
char *a3,
size_t a4,
unsigned __int64 a5,
ACCESS_MASK DesiredAccess)
{
__int64 v9; // rsi
struct _KTHREAD *CurrentThread; // r14
KPROCESSOR_MODE PreviousMode; // al
_QWORD *v12; // rbx
__int64 v13; // rcx
NTSTATUS v14; // edi
_KPROCESS *Process; // r10
PVOID v16; // r14
char *v17; // r9
_KPROCESS *v18; // r8
char *v19; // rdx
_KPROCESS *v20; // rcx
NTSTATUS v21; // eax
int v22; // r10d
KPROCESSOR_MODE v24; // [rsp+40h] [rbp-48h]
__int64 v25; // [rsp+48h] [rbp-40h] BYREF
PVOID Object[2]; // [rsp+50h] [rbp-38h] BYREF
v9 = 0LL;
Object[0] = 0LL;
CurrentThread = KeGetCurrentThread();
PreviousMode = CurrentThread->PreviousMode;
v24 = PreviousMode;
if ( PreviousMode )
{
if ( &a2[a4] < a2
|| (unsigned __int64)&a2[a4] > 0x7FFFFFFF0000LL
|| &a3[a4] < a3
|| (unsigned __int64)&a3[a4] > 0x7FFFFFFF0000LL )
{
return 3221225477LL;
}
v12 = (_QWORD *)a5;
if ( a5 )
{
v13 = a5;
if ( a5 >= 0x7FFFFFFF0000LL )
v13 = 0x7FFFFFFF0000LL;
*(_QWORD *)v13 = *(_QWORD *)v13;
}
}
else
{
v12 = (_QWORD *)a5;
}
v25 = 0LL;
v14 = 0;
if ( a4 )
{
v14 = ObReferenceObjectByHandleWithTag(
Handle,
DesiredAccess,
(POBJECT_TYPE)PsProcessType,
PreviousMode,
0x6D566D4Du,
Object,
0LL);
code:
Line 15 in 5c682a4
NTSTATUS ObReferenceObjectByHandleWithTagHook(HANDLE Handle, ACCESS_MASK DesiredAccess, POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode,
first, openprocess without read privilege.
Line 89 in cc6b51a
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPID);
