Pancake, posted May 30, 2014 (edited May 31, 2014 by Pancake): Hello. I've got a few small technical problems. I'm developing my kernel-mode driver; everything runs fine on an x32 system but it doesn't work on x64. How can I make my driver compatible with x64 systems? Second question: I'm looking for the flink offset in the process list structure for Windows 8 (I mean the list you use to hide a process by modifying flink and blink in this system list). I dug around the internet and found all working offsets for XP and higher up to Win 7, but can't get Win 8. Thanks in advance.
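Added example, not from the thread or any of its posters: a cross-view check a defender can run to spot a process hidden the way the post above describes. Unlinking a process from the kernel's process list removes it from list-based enumeration (EnumProcesses / NtQuerySystemInformation), but OpenProcess still resolves the PID through the kernel's PID table, so a PID that opens yet is absent from the list is suspect. The constants are documented Win32 values and the scanned PID ceiling is an assumption.

```python
import ctypes
import sys

# Documented Win32 values (assumed here, not quoted from the thread).
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
ERROR_INVALID_PARAMETER = 87  # OpenProcess: no process with that PID

def _kernel32():
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p  # HANDLE is pointer-sized on x64
    k32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    return k32

def list_view_pids():
    """PIDs from EnumProcesses, which walks the kernel's linked process list."""
    k32 = _kernel32()
    arr = (ctypes.c_ulong * 8192)()
    needed = ctypes.c_ulong()
    if not k32.K32EnumProcesses(arr, ctypes.sizeof(arr), ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    return set(arr[: needed.value // ctypes.sizeof(ctypes.c_ulong)])

def handle_view_pids(max_pid=0x10000):  # assumed ceiling; raise on busy hosts
    """PIDs that OpenProcess resolves via the PID table, not the linked list."""
    k32 = _kernel32()
    found = set()
    for pid in range(4, max_pid, 4):  # Windows PIDs are multiples of 4
        h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid)
        if h:
            k32.CloseHandle(h)
            found.add(pid)
        elif ctypes.get_last_error() != ERROR_INVALID_PARAMETER:
            found.add(pid)  # PID exists, but access was denied (e.g. protected)
    return found

def hidden_pids(list_pids, handle_pids):
    """PIDs that can be opened but are missing from the list view."""
    return sorted(handle_pids - list_pids)

def scan():
    """Live cross-view scan (Windows only). Two passes are intersected because a
    process created or exiting between the views shows up once as a false hit."""
    if sys.platform != "win32":
        raise RuntimeError("live scan requires Windows")
    first = hidden_pids(list_view_pids(), handle_view_pids())
    second = hidden_pids(list_view_pids(), handle_view_pids())
    return sorted(set(first) & set(second))
```

Run `scan()` from an elevated prompt for the most complete handle view; a non-empty result is a lead to confirm with a kernel-level tool, not proof on its own.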
user1, posted May 31, 2014: "How can I make my driver compatible with x64 systems?" Did you enable driver "test mode" for x64 systems in Windows 7 and 8? http://msdn.microsoft.com/en-us/library/windows/hardware/ff553484%28v=vs.85%29.aspx
mrexodia, posted May 31, 2014: @Pancake: you will have to do a complete rewrite of your kernel driver, and you will need to buy a certificate from Microsoft to install the driver on a normal system. If you plan to hook some functions, you will have to bypass PatchGuard. What kind of driver are you working on? Mr. eXoDia
Pancake (author), posted May 31, 2014: A driver which hides the process by PID. Works on x32.
mrexodia, posted May 31, 2014: @Pancake: then forget it, there is no way of making it work without disabling PatchGuard and removing driver signature verification. Take a look at TitanHide for SSDT hooking on x64: https://bitbucket.org/mrexodia/titanhide If you just want to use this on your own PC it is possible, otherwise just forget about it. Greetings
Pancake (author), posted June 1, 2014 (edited June 1, 2014 by Pancake): I don't have illegal plans, don't worry. I'm writing an anti-cheat system for a game, and I know that 99% of newbie cheaters give up when you 1) can't attach to the running process, 2) can't load it in Olly, 3) don't see it in the process list. Only number 3 is missing.
Pancake (author), posted June 1, 2014 (edited June 1, 2014 by Pancake): By the way, I'm basing this on the anti-attach from Themida; I was trying to bypass it but damn, I had no luck finding out how it works. Do you know how it finds the debugger? Sorry for the double post, but I don't see a delete button.
mrexodia, posted June 2, 2014: @Pancake: what you're trying to make is a rootkit, no matter the intention. You will never get users to install this on their systems; just write better anti-cheat. When you have money to purchase a certificate to sign your driver you have a chance, but otherwise, just forget about drivers on x64. Greetings
Pancake (author), posted June 2, 2014 (edited June 2, 2014 by Pancake): Wait, I am loading the driver from a resource inside a file and loading it. Is there any problem with this? It's not malicious; the user just loads the .exe launcher and all the magic is done behind the scenes.
relentless1, posted July 30, 2014: Then that is illegal. You must create a user agreement (ToS/EULA) where they accept or decline: decline would mean the launcher exits, meaning they cannot play; accepting would mean you're giving them access to load the driver. On x64 you will need people to be in test mode, which is crazy for an anti-cheat. You will need to purchase a certificate and do this the legal way to avoid major issues. Once you have your cert, the world is your oyster to disable/detect cheats.