exploring sxe memory


codeofshadows
April 19th, 2009, 01:38
Hi, I was trying to explore the memory of an anticheat called sXe Injected for Counter-Strike non-Steam (the FPS game). This anticheat injects itself into the game and uses a driver, so it has part of its checks on the user-mode side and the other part on the kernel-mode side. OK, I tried to attach OllyDbg to the game but it crashes; I didn't try other programs. Do you know what program I can use? I know about TSearch, WinDbg and Cheat Engine. I know Olly is not for kernel use; I am not sure about the others.

Anticheat download:
www.sxe-anticheat.com

disavowed
April 19th, 2009, 22:19
Though not very intuitive, I'd stick with WinDbg. The only other kernel debugger for current versions of Windows is Syser, which is unstable as hell.

codeofshadows
April 19th, 2009, 23:15
I'm using WinXP and I now got the SoftICE kernel debugger, for XP supposedly. Also I will take a look at Syser, but for now I completed the installation of WinDbg. Thank you.

Edit: why do you say Syser is unstable, and what about SoftICE?

Elenil
April 20th, 2009, 15:46
I probably don't have the game + sXe, but maybe this helps:
Olly can't view kernel memory or debug kernel memory -> change debugger to SoftICE, Syser or WinDbg (SoftICE doesn't run on Windows Vista/Windows 7).
The other thing you should check is whether this sXe blocks kernel functions like NtWriteVirtualMemory, NtOpenProcess, NtCreateThread and such things; this is often done by "anti virus software" or by anticheats like "HackShield".
You also should debug DeviceIoControl, which is what will communicate with the driver.
Also, an idea would be to debug the entry point of the driver and the kernel functions it uses.

codeofshadows
April 21st, 2009, 19:24
Yes, sXe hooks in the SSDT the native APIs needed to do DLL injection; that is the driver part, I think. Then it uses a DLL called sxe.dll that is injected into the game. That DLL executes some checks on the game memory, hooks and unknown modules by name, correct DLL sizes on disk by MD5, etc.
I open sXe, then the game and then Olly, and now it doesn't crash, but I cannot see the hl.exe process (the game) in the list. I need another way to explore the sXe memory or the game memory, since sxe.dll is injected into the game. And about the driver, maybe it is possible to trace the driver; I heard it is possible to do with Olly, but I'm not sure.

PS: sxe-injected.exe is protected with Themida and sxe.dll with ExeCryptor, so I think that is a problem for debuggers. What do you think?

Elenil
April 24th, 2009, 22:21
The process is probably hidden via NtQuerySystemInformation; if not, that's not a problem for SoftICE.
SoftICE runs globally, it can show every memory; SoftICE also doesn't need to attach to a process.
I don't think Olly can show kernel memory, because Olly uses ring-3 debugging functions, probably ReadProcessMemory, which doesn't work on a driver.
But the thing you can do is use IDA to look at your driver statically instead of runtime-debugging it / showing it in memory.
Well, as to the last problem: SoftICE is detected if you don't use some tools to hide it from Themida/ExeCryptor.
http://www.woodmann.com/collaborative/tools/Category:SoftICE_Extensions
Download IceStealth 1.5 and Themida doesn't detect SoftICE anymore.

codeofshadows
April 30th, 2009, 20:51
Thanks, I was looking at the sXe log file inside the sXe folder:
http://img12.imageshack.us/img12/182/adasdasdz.png
It seems that the process is hidden, and the module sxe.dll is hidden too. It seems it injects into explorer.exe, but is hidden by the driver. Thank you for the tips about SoftICE.
I think it is possible to debug or trace the driver with SoftICE or WinDbg, but sxe.dll is hidden and you can't access it; maybe from inside it is possible, right?

Elenil
May 1st, 2009, 03:42
If the DLL is not in the list with its base in a process, this is not a problem on SoftICE.
You can do these things:
1: you find a function that your target DLL uses (SoftICE can set global breakpoints)
2: you break on DllMain of your target DLL (there are a few ways of solving that)
3: since it injects the DLL, it maybe uses CreateRemoteThread, WriteProcessMemory or SetWindowsHookEx; you also can set global breakpoints on these functions and look at their parameters
For CreateRemoteThread see that:
HANDLE WINAPI CreateRemoteThread(
__in HANDLE hProcess,
__in LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in SIZE_T dwStackSize,
__in LPTHREAD_START_ROUTINE lpStartAddress,
__in LPVOID lpParameter,
__in DWORD dwCreationFlags,
__out LPDWORD lpThreadId
);

When this happens you look at the lpStartAddress parameter; this is where the thread will start in your target exe.
You then switch target to your exe via "ADDR exename" and set a breakpoint on the address you found.
Then you see where LoadLibrary happens, which will return the base address where the DLL is loaded.
Now you have a few options:
1: you can freeze and dump the DLL with the information you got (useful info for you: SoftICE also shows all DLLs loaded with base + size, just look at the SoftICE window (NTICE: Load32 START=7C000000 SIZE=14000 KPEB=849DBA20 MOD=notepad))
As you see, it comes with all the information you need.
You also should note that probably only the DLL info is hidden; the memory still exists.
But as I said, that's really not a problem on SoftICE.
2: you can scroll through the DLL manually or set some breakpoints

OK, well, that's what came to my mind atm.
BTW, I didn't exactly understand what you want to do. Do you want to unpack the DLL? Do you want to gain information about the DLL? Do you want to runtime-debug it?
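The attribution step described above (take the lpStartAddress seen at the CreateRemoteThread breakpoint and check it against the base + size from SoftICE's Load32 lines) is the same triage a defender does on a suspicious thread start address. The code below is an added example, not from this thread or from any of the tools named; the log lines and addresses are constructed, and the "unlisted" result is the case the post warns about, where a module's bookkeeping is hidden but its memory still exists.

```python
import re
from typing import List, NamedTuple, Optional

# Format of SoftICE's module-load notification as quoted in the thread:
#   NTICE: Load32 START=7C000000 SIZE=14000 KPEB=849DBA20 MOD=notepad
LOAD32_RE = re.compile(
    r"NTICE:\s+Load32\s+START=([0-9A-Fa-f]+)\s+SIZE=([0-9A-Fa-f]+)"
    r"\s+KPEB=([0-9A-Fa-f]+)\s+MOD=(\S+)"
)


class Module(NamedTuple):
    name: str
    start: int
    size: int
    kpeb: int  # process (KPEB) the load was observed in

    @property
    def end(self) -> int:
        return self.start + self.size


def parse_load32(log_text: str) -> List[Module]:
    """Collect every Load32 notification from a SoftICE log."""
    return [
        Module(name, int(start, 16), int(size, 16), int(kpeb, 16))
        for start, size, kpeb, name in LOAD32_RE.findall(log_text)
    ]


def attribute_address(addr: int, mods: List[Module],
                      kpeb: Optional[int] = None) -> Optional[Module]:
    """Return the module whose [start, start+size) covers addr, or None."""
    for mod in mods:
        if kpeb is not None and mod.kpeb != kpeb:
            continue
        if mod.start <= addr < mod.end:
            return mod
    return None


# Constructed sample log (hypothetical addresses, not taken from the thread).
SAMPLE_LOG = """\
NTICE: Load32 START=00400000 SIZE=2A000 KPEB=849DBA20 MOD=hl
NTICE: Load32 START=7C800000 SIZE=F6000 KPEB=849DBA20 MOD=kernel32
"""


def triage_thread_start(addr: int, log_text: str = SAMPLE_LOG) -> str:
    """Describe a thread start address as module+offset, or flag it as unlisted."""
    mod = attribute_address(addr, parse_load32(log_text))
    if mod is None:
        # No Load32 entry covers it: a hidden/unlisted module or dynamically allocated code.
        return "unlisted: no Load32 entry covers 0x%08X" % addr
    return "%s+0x%X" % (mod.name, addr - mod.start)
```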

codeofshadows
May 1st, 2009, 15:16
Quote:
[Originally Posted by Elenil;80347]
...........................
BTW, I didn't exactly understand what you want to do. Do you want to unpack the DLL? Do you want to gain information about the DLL? Do you want to runtime-debug it?


Thank you very much, let me restore my PC and then I'll try that.
Yes, I want the 3 things, hehe: to have access to the unpacked DLL, because inside sxe.dll lie most of the protections on the game, blocks, security. I think it's possible to hook or patch something in there. What do you think?