Hello. I got few small technical problems - im developing my kernel mode driver, everything runs fine on x32 system but it doesnt work on x64. How can i make my driver compatible with x64 systems?

Second question, is im lookin for flink offset in process list structure for windows 8 (i mean the list you use to hide process by modifying flink and blink in this system list). I digged the internet and found all working offsets for xp and higher up to win 7 but cant get win 8.

 

 

Thanx in advance

Edited May 31, 201411 yr by Pancake

How can i make my driver compatible with x64 systems?

 

Did u enabled in windows 7, 8 drivers "test mode" for x64 systems?

 

http://msdn.microsoft.com/en-us/library/windows/hardware/ff553484%28v=vs.85%29.aspx

@Pancake: you will have to do a complete rewrite of your kernel driver and you will need to buy a certificate from microsoft to install the driver on a normal system. If you plan to hook some functions, you will have to bypass PatchGuard.

What kind of driver are you working on?

Mr. eXoDia

driver which hides the process by PID. Works on x32

@Pancake: then forget it, there is no way of making it work without disabling PatchGuard and removing driver signature verification. Take a look at TitanHide for SSDT hooking on x64 https://bitbucket.org/mrexodia/titanhide If you just want to use this on your own PC it is possible, otherwise just forget about it.

Greetings

I dont have illegal plans dont worry - i'm writing anticheat system for game, and i know that 99% newbie cheaters give up when you 1) cant attach to running process 2) cant load it in olly 3) you dont see it in processlist

 

only number 3 is missing

Edited June 1, 201411 yr by Pancake

By the way, im basing on anti-attach from themida, i was trying to bypass it but damn, i hadnt luck to find out how does it work. Do you know how it finds the debugger?

 

Sorry for doublepost but i dont see delete button

Edited June 1, 201411 yr by Pancake

@Pancake: what you're trying to make is a rootkit, no matter the intention. You will never get users to install this on their systems, just write better anti-cheat. When you have money to purchase a certificate to sign your driver you have a chance, but otherwise, just forget about drivers on x64.

greetings

Wait, i am loading the driver from resource inside a file and load it. Is there any problem with this thing? Its not malicious, user is just loading the .exe launcher and all the magic is made behind

Edited June 2, 201411 yr by Pancake

then that is illegal, you must create a user agreement (ToS/EULA) where they accept and decline, decline would mean the launcher would exit meaning they cannot play, accepting would mean your giving them access to load the driver.

 

on x64 you will need people to be in test mode, this is crazy for an anticheat.  you will need to purchase a certificate and do this the legal way to avoid major issues.   once you have your cert the world is your oyster to disable/detect cheats.