HackShield memory protection bypass

Publicado por luchin On domingo, 12 de septiembre de 2010 0 comentarios

Driver to bypass Hackshield memory protection
with source code


HackShield memory protection works by hooking some functions in kernel space. EagleNT.sys is checking all parameters passed to hooked functions and then it blocks or allows operation. When HS memory unprotector driver is loaded, you can use OpenProcess, WriteProcessMemory and ReadProcessMemory like normal.

How memory protection works?
HackShield is replacing three functions (NtReadVirtualMemory, NtWriteVirtualMemory and NtOpenProcess) to protect game memory.

Hackshield01.PNG

How to bypass memory protection?
It's easy. We should take a look on NtWriteVirtualMemory function.

Hackshield02.PNG

As we can see, they are placing 'call' to EagleNT.sys function (call 0xA4A5C800).
Just go to this function (0xA4A5C800).

Hackshield03.PNG

As we can see, they are using ZwQueryInformationProcess function to translate HANDLE to process id (bad idea btw.). We can hook ZwQueryInformationProcess and if EgaleNt.sys is calling this, we can return 0 (or fake number) as process id. Thats all !

Next we should hook NtOpenProcess with small re-implementation of this function.

This material is for EDUCATIONAL PURPOSES only!
Author: Chris (aka kill1212)

Publicado por luchin en 15:15

0 comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)
Twitter Delicious Facebook Digg Stumbleupon Favorites More