Mark the ProcessWatcher handles as 'Special' so the NtOpenProcess sub…

…stitute routines do not NtClose them
cheat-engine · Jan 13, 2017 · 2299f5c · 2299f5c
1 parent 662cc7b
commit 2299f5c
Show file tree

Hide file tree

Showing 9 changed files with 398 additions and 235 deletions.
diff --git a/Cheat Engine/NewKernelHandler.pas b/Cheat Engine/NewKernelHandler.pas
@@ -8,7 +8,7 @@ interface
 uses classes, sysutils, unixporthelper;
 {$else}
 uses jwawindows, windows,LCLIntf,sysutils, dialogs, classes, controls,
-     dbk32functions, vmxfunctions,debug, multicpuexecution, contnrs;
+     dbk32functions, vmxfunctions,debug, multicpuexecution, contnrs, Clipbrd;
 {$endif}
 
 const dbkdll='DBK32.dll';
@@ -772,7 +772,7 @@ implementation
      dbvmPhysicalMemoryHandler, //'' for physical mem
      {$endif}
      filehandler,  //so I can let readprocessmemory point to ReadProcessMemoryFile in filehandler
-     autoassembler, frmEditHistoryUnit;
+     autoassembler, frmEditHistoryUnit, frmautoinjectunit;
 {$endif}
 
 
@@ -1416,6 +1416,10 @@ procedure DontUseDBKOpenProcess;
 procedure UseDBKOpenProcess;
 var
   nthookscript: Tstringlist;
+  zwc: pointer;
+  ntdll: HModule;
+  old: pointer;
+  olds: string;
 begin
 {$ifdef windows}
   LoadDBK32;
@@ -1426,9 +1430,24 @@ procedure UseDBKOpenProcess;
   nthookscript:=tstringlist.create;
   nthookscript.add('NtOpenProcess:');
   nthookscript.add('jmp '+IntToHex(ptruint(@NOP),8));
+  autoassemble(nthookscript, false, true, false, true);
+
+
+  nthookscript.clear;
+
+  ntdll:=loadlibrary('ntdll.dll');
+  zwc:=GetProcAddress(ntdll,'NtClose');
+
+  old:=@oldZwClose;
+  olds:=inttohex(ptruint(old),8);
+  generateAPIHookScript(nthookscript,IntToHex(ptruint(zwc),8),IntToHex(ptruint(@ZC),8),IntToHex(ptruint(@oldZwClose),8),'0',true);
+ // clipboard.AsText:=nthookscript.Text;
 
   autoassemble(nthookscript, false, true, false, true);
 
+
+
+
   nthookscript.free;
 
   {$ifdef cemain}

diff --git a/Cheat Engine/ProcessHandlerUnit.pas b/Cheat Engine/ProcessHandlerUnit.pas
@@ -115,6 +115,8 @@ procedure TProcessHandler.setProcessHandle(processhandle: THandle);
   begin
     fSystemArchitecture:=archX86;
     setIs64Bit(newkernelhandler.Is64BitProcess(fProcessHandle));
+
+
   end;
 
   {$ifdef ARMTEST}

diff --git a/Cheat Engine/dbk32/DBK32functions.pas b/Cheat Engine/dbk32/DBK32functions.pas
@@ -5,7 +5,7 @@
 interface
 
 uses jwawindows, windows, sysutils, classes, types, registry, multicpuexecution,
-  forms,dialogs, controls;
+  forms,dialogs, controls, maps;
 
 //xp sp2
 //ThreadsProcess=220
@@ -229,6 +229,7 @@   TPRange=record
 
 var hdevice: thandle=INVALID_HANDLE_VALUE; //handle to my the device driver
     handlelist: array of thandlelist;
+    handlemap: TMap;
     driverloc: string;
     iamprotected:boolean;
     SDTShadow: DWORD;
@@ -247,6 +248,8 @@   TPRange=record
 
     saferQueryPhysicalMemory: boolean=true;
 
+    oldZwClose: pointer;
+
 function CTL_CODE(DeviceType, Func, Method, Access : integer) : integer;
 function IsValidHandle(hProcess:THandle):BOOL; stdcall;
 Function {OpenProcess}OP(dwDesiredAccess:DWORD;bInheritHandle:BOOL;dwProcessId:DWORD):THANDLE; stdcall;
@@ -259,6 +262,8 @@ function {WriteProcessMemory}WriteProcessMemory64(hProcess:THANDLE;BaseAddress:q
 
 function {VirtualQueryEx}VQE(hProcess: THandle; address: pointer; var mbi: _MEMORY_BASIC_INFORMATION; bufsize: DWORD):dword; stdcall;
 Function {NtOpenProcess}NOP(var Handle: THandle; AccessMask: dword; objectattributes: pointer; clientid: PClient_ID):DWORD; stdcall;
+Function {ZwClose}ZC(Handle: THandle): NTSTATUS; stdcall;
+
 Function {NtOpenThread}NtOT(var Handle: THandle; AccessMask: dword; objectattributes: pointer; clientid: PClient_ID):DWORD; stdcall;
 Function {VirtualAllocEx}VAE(hProcess: THandle; lpAddress: Pointer; dwSize, flAllocationType: DWORD; flProtect: DWORD): Pointer; stdcall;
 Function CreateRemoteAPC(threadid: dword; lpStartAddress: TFNAPCProc): THandle; stdcall;
@@ -1506,9 +1511,15 @@ function {OpenThread}OT(dwDesiredAccess:DWORD;bInheritHandle:BOOL;dwThreadId:DWO
 
 function {OpenProcess}OP(dwDesiredAccess:DWORD;bInheritHandle:BOOL;dwProcessId:DWORD):THANDLE; stdcall;
 var valid:boolean;
-    Processhandle: uint64;
+    output: record
+      Processhandle: uint64;
+      Special: byte;
+    end;
+
     i:integer;
     cc,x: dword;
+    pbi: _OBJECT_BASIC_INFORMATION;
+    z: NTSTATUS;
 begin
   valid:=true;
   if dwProcessId=0 then
@@ -1521,12 +1532,41 @@ function {OpenProcess}OP(dwDesiredAccess:DWORD;bInheritHandle:BOOL;dwProcessId:D
   begin
     cc:=IOCTL_CE_OPENPROCESS;
 
-    if deviceiocontrol(hdevice,cc,@dwProcessId,4,@processhandle,8,x,nil) then
+    OutputDebugString(inttostr(dwProcessid)+' OpenProcess kernelmode');
+    if deviceiocontrol(hdevice,cc,@dwProcessId,4,@output,sizeof(output),x,nil) then
     begin
-      result:=processhandle
+      result:=output.Processhandle;
+
+      if output.Special<>0 then  //do not call close on these
+      begin
+        if handlemap=nil then
+          handlemap:=tmap.Create(ituPtrSize,4);
+
+        if handlemap.HasId(result) then
+          handlemap.Delete(result);
+
+        handlemap.Add(result,dwProcessId);
+      end;
+      {
+      z:=NtQueryObject(processhandle, ObjectBasicInformation, @pbi, sizeof(pbi),@x);
+      OutputDebugString(inttostr(dwProcessid)+' NtQueryObject='+inttohex(z,8));
+
+      if z<>0 then
+        result:=0
+      else
+      if pbi.GrantedAccess and (PROCESS_VM_READ or PROCESS_VM_WRITE) <>(PROCESS_VM_READ or PROCESS_VM_WRITE) then
+      begin
+        result:=0;
+        OutputDebugString(inttostr(dwProcessid)+' failed access');
+      end;
+
+      OutputDebugString(inttostr(dwProcessid)+' OpenProcess GrantedAccess='+inttohex(pbi.GrantedAccess,8));   }
     end
     else
+    begin
+      OutputDebugString(inttostr(dwProcessid)+' deviceiocontrol returned false');
       result:=0;
+    end;
   end else result:=windows.OpenProcess(dwDesiredAccess,bInheritHandle,dwProcessID);
 
 {$ifdef badopen}
@@ -1562,7 +1602,7 @@ function {OpenProcess}OP(dwDesiredAccess:DWORD;bInheritHandle:BOOL;dwProcessId:D
 
 Function {NtOpenThread}NtOT(var Handle: THandle; AccessMask: dword; objectattributes: pointer; clientid: PClient_ID):DWORD; stdcall;
 begin
-  handle:=OP(STANDARD_RIGHTS_REQUIRED or windows.synchronize or $3ff,true,clientid.processid);
+  handle:=OT(STANDARD_RIGHTS_REQUIRED or windows.synchronize or $3ff,true,clientid.processid);
   if handle<>0 then result:=0 else result:=$c000000e;
 end;
 
@@ -1572,6 +1612,16 @@ function {OpenProcess}OP(dwDesiredAccess:DWORD;bInheritHandle:BOOL;dwProcessId:D
   if handle<>0 then result:=0 else result:=$C000000E;
 end;
 
+Function {ZwClose}ZC(Handle: THandle): NTSTATUS; stdcall;
+type z=function (Handle: THandle): NTSTATUS; stdcall;
+begin
+  //check if the handle is a kernelmode opened one, and if so, don't
+  if (handlemap<>nil) and (handlemap.HasId(handle)) then exit;
+
+  //still here
+  result:=z(oldZwClose)(Handle);
+end;
+
 function MarkAllPagesAsNonAccessed(hProcess: THandle):boolean;
 var
   i: integer;