Friday, 17 October 2008

Bypassing GameGuard SSDT hooks.

Well, when trying to bypass NtUserSendInput I found something way better than that...

If this is right, we should be able to bypass all of GG's SSDT hooks in kernel mode.

the_undead wrote:
Well I'm assuming you're another uneducated user of mzbot?
Okay. Well the reason mzbot uses a driver is not to replace the keyboard/mouse
driver to create input but to bypass GameGuard's SSDT/SDST hooks. Bypassing the
SSDT hook on NtSendUserInput is done by allocating a section of memory of the
size of KeServiceDescriptorTable->TableSize*4. TableSize returns the number
of entries and you multiply that by four because each entry is 4 bytes long. So
anyway, once you've got your memory allocated you copy the original table into
the new table and then change the table's base address to that of the new
address. And you do the same for the shadow table.


If GameGuard trusts the ServiceTable base address that blindly, we can change
it without them noticing. So this is what I will do:

1. Allocate KeServiceDescriptorTable->TableSize*sizeof( PVOID ) bytes of
memory

2. Copy KeServiceDescriptorTable->ServiceTable into the memory

3. Set KeServiceDescriptorTable->ServiceTable to point to the memory.

4. Wait for GameGuard to load; it will hook the allocated memory instead of
the real SSDT.

5. Restore KeServiceDescriptorTable->ServiceTable with the original address.

6. Do the same to KeServiceDescriptorTableShadow.

OK, that's what I've got so far.

ULONG size;
unsigned realTable;

// Assumes KeServiceDescriptorTable is declared elsewhere with the ServiceTable
// and TableSize members used below (the DDK headers do not declare it).
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    PVOID *faekTable;

    DbgPrint("Driver Loaded!");

    // one 4-byte entry per service (32-bit kernel)
    size = KeServiceDescriptorTable->TableSize * 4;
    realTable = (unsigned)KeServiceDescriptorTable->ServiceTable;

    // pool type 0 = NonPagedPool; copy the real table into the new block
    faekTable = (PVOID *)ExAllocatePoolWithTag(0, size, 0x31323334);
    if (faekTable == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;
    memcpy(faekTable, KeServiceDescriptorTable->ServiceTable, size);

    // point the descriptor at the copy itself (faekTable, not &faekTable)
    KeServiceDescriptorTable->ServiceTable = faekTable;
    //Found GG
    //Sleep(20000);
    KeServiceDescriptorTable->ServiceTable = (PVOID *)realTable;

    return STATUS_SUCCESS;
}
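Added here as an illustration, not part of the original post and not the author's driver: a small user-mode C model of steps 2 and 3 above together with the check an integrity monitor would run against the descriptor. The struct, its member names (which follow the post's ServiceTable/TableSize), the "kernel image" buffer and the heap copy are all constructed stand-ins; nothing here touches a real kernel. The point it makes is the one the whole trick rests on: a hooking engine that resolves the table only through the descriptor's base pointer at load time will hook whatever that pointer currently addresses, whereas a checker that records the base at boot and verifies that both the base and every entry fall inside the kernel image notices the swap, and any entry pointing elsewhere, as soon as it looks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-mode stand-in for the descriptor the post manipulates.
 * Member names follow the post (ServiceTable, TableSize); this is not the
 * real ntoskrnl layout and nothing here touches a kernel. */
typedef struct {
    void   **ServiceTable;  /* base of the dispatch table */
    uint32_t TableSize;     /* number of entries */
} SERVICE_DESCRIPTOR;

/* Findings an integrity check can report, OR-ed into a bitmask. */
enum {
    SSDT_OK                = 0,
    SSDT_BASE_MOVED        = 1 << 0, /* base differs from the boot-time snapshot */
    SSDT_BASE_OUTSIDE_IMG  = 1 << 1, /* base is not inside the kernel image */
    SSDT_ENTRY_OUTSIDE_IMG = 1 << 2  /* an entry points outside the kernel image */
};

static int in_range(const void *p, const void *base, size_t size)
{
    uintptr_t a = (uintptr_t)p, b = (uintptr_t)base;
    return a >= b && a < b + size;
}

/* Defender-side check: compare the live descriptor against a base recorded
 * at boot and the bounds of the kernel image, and report what differs. */
unsigned ssdt_check(const SERVICE_DESCRIPTOR *d, void **snapshot_base,
                    const void *img_base, size_t img_size)
{
    unsigned findings = SSDT_OK;

    if (d->ServiceTable != snapshot_base)
        findings |= SSDT_BASE_MOVED;
    if (!in_range(d->ServiceTable, img_base, img_size))
        findings |= SSDT_BASE_OUTSIDE_IMG;
    for (uint32_t i = 0; i < d->TableSize; i++) {
        if (!in_range(d->ServiceTable[i], img_base, img_size)) {
            findings |= SSDT_ENTRY_OUTSIDE_IMG;
            break;
        }
    }
    return findings;
}

/* Constructed scenario: a buffer plays the kernel image and holds both the
 * real table and its handlers; a heap block plays the post's copy. */
#define N_ENTRIES 4
static union { void *align; unsigned char bytes[4096]; } img;
static unsigned char outside_stub[16];   /* a "handler" living outside the image */

unsigned scenario(int use_decoy, int hook_first_entry)
{
    void **real = (void **)(img.bytes + 256);
    for (int i = 0; i < N_ENTRIES; i++)
        real[i] = img.bytes + 1024 + 64 * i;   /* handlers inside the image */

    SERVICE_DESCRIPTOR desc = { real, N_ENTRIES };

    void **decoy = malloc(N_ENTRIES * sizeof *decoy);
    if (!decoy)
        return ~0u;
    memcpy(decoy, real, N_ENTRIES * sizeof *decoy);  /* step 2 of the post */
    if (use_decoy)
        desc.ServiceTable = decoy;                    /* step 3 of the post */
    if (hook_first_entry)
        desc.ServiceTable[0] = outside_stub;          /* what a hooking engine does */

    unsigned findings = ssdt_check(&desc, real, img.bytes, sizeof img.bytes);
    free(decoy);
    return findings;
}
```

Run scenario(0, 0) for the untouched table, scenario(1, 0) for the swapped base, and scenario(0, 1) or scenario(1, 1) for a table with a hooked entry; the bitmask tells you which of the three conditions the checker saw. Because the post restores the real base in step 5, a monitor that only checks entries after that point sees a clean table, which is why a snapshot of the base taken at boot and compared periodically, not only on demand, is the check that catches this.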
