Loading dbk64.sys and grabbing a handle to it

ceload

A tool that allows you to manually load up CheatEngine's signed driver and get a handle to it for various kernel hacking operations.
The code is thoroughly commented, and a short outline of what happens is given below, so the project doubles as a learning resource.
The project has been tested with CheatEngine 7.3.

What is this?

CheatEngine is a well-known tool for game hacking. It features a wide variety of functionality; however, (ab)using that functionality within your own project may not be as easy. There are plenty of scenarios where one would want to use a signed driver to execute code in kernel space, but getting your hands on a certificate may not be as easy. dbk64.sys - CheatEngine's kernel driver - features a ton of functionality such as kernel read/write, process interactions, and more. However, the author of CheatEngine went out of their way to lock down the signed driver so that one cannot easily load it up or get a handle to it.
The project allows you to do exactly that: Load up CheatEngine's signed driver and grab a handle to it.

How does it work?

To get past CheatEngine's checks, the loader tries to make the calling process look as legitimate as possible. CheatEngine employs a couple of checks on the integrity of the calling process:

  1. Check whether the calling process matches a signature generated by the owner [Reference: CheckSignature]
    • We bypass this by starting the original executable as it's an on-disk check
  2. Check whether the process has been tampered with [Reference: TestProcess]
    • We bypass this by restoring the bytes from the on-disk file
  3. Check whether the calling thread comes from within the .text section [Reference: TestProcess]
    • We bypass this by making sure we spawn the threads from the .text section

This task is split into a few steps:

  1. Start the original CheatEngine process in a suspended state
  2. We patch our shellcode into CheatEngine's entrypoint
    • This is facilitated by the fact that CheatEngine is loaded without ASLR
  3. We then resume all threads
  4. The shellcode will load our DLL
  5. Now the loader performs a few more tasks:
    1. Prepare the registry, namely the A, B, C and D values
    2. Start the driver service
    3. Copy the original bytes from the .text section into our process
    4. Grab a handle to the driver
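Each of the steps above leaves a host-observable artifact. The following PowerShell audit is an added example, not part of ceload, written from the defender's side: it looks for the driver being registered or loaded as a kernel service, for the service-install event that records it, and for a CheatEngine process that is still suspended (step 1). The driver image name dbk64.sys and the process-name prefix cheatengine are assumptions; run it as administrator.

```powershell
# Added example (not part of ceload): audit a Windows host for the artifacts the
# loader leaves behind. Assumptions: driver image name and process-name prefix.
$driverName = 'dbk64.sys'      # assumed image name of CheatEngine's driver
$procPrefix = 'cheatengine*'   # assumed process name pattern of CheatEngine

# 1. Kernel drivers currently registered with the Service Control Manager
#    whose on-disk image is the CheatEngine driver.
$registered = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -match [regex]::Escape($driverName) } |
    Select-Object Name, State, StartMode, PathName

# 2. Service-install records: System log event 7045 ("A service was installed
#    in the system") carries ServiceName, ImagePath and ServiceType in its text.
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($driverName) } |
    Select-Object TimeCreated,
        @{ n = 'Detail'; e = { (($_.Message -split "`n") | Select-Object -First 4) -join ' | ' } }

# 3. A CheatEngine process parked in a suspended state: every thread is in the
#    Wait state with wait reason 'Suspended'. ThreadState is checked first because
#    WaitReason is only valid for waiting threads (-and short-circuits).
$suspended = Get-Process -Name $procPrefix -ErrorAction SilentlyContinue |
    Where-Object {
        $threads = @($_.Threads)
        $threads.Count -gt 0 -and -not ($threads | Where-Object {
            -not ($_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended') })
    } |
    Select-Object Id, ProcessName, StartTime

# Findings; an empty property means nothing was observed for that check.
[pscustomobject]@{
    RegisteredDrivers = $registered
    InstallEvents     = $installs
    SuspendedProcess  = $suspended
}
```

A registered dbk64.sys service on a machine where CheatEngine is not expected, or a suspended CheatEngine process with no interactive window, is worth a closer look; a legitimate CheatEngine session with kernel settings enabled will also show the first two findings.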

What can I do with this?

I'll give you two ideas:

  1. Write code that can interact with the kernel. After all, you don't have to worry about writing your own kernel routines as CheatEngine covers most of the basics.
  2. Write a driver manual mapper to load up your own unsigned driver without having to disable Driver Signature Enforcement.

Usage

  1. Make sure CheatEngine 7.3 is installed. You may have to run it at least once (with kernel settings enabled)
  2. Execute cemap.exe as administrator. Make sure loader.dll is in the same directory as cemap.exe
  3. If you want to use the handle, have a look at the loader project.
Owner
Layle | Luca