I am writing a game hack and want to run Cheat Engine while the game is running; the anti-cheat currently detects both the user-mode and kernel-mode components and terminates the game. I wrote a device driver to hook ZwQuerySystemInformation to hide the process. I would also like to hide the device driver, since it is currently still detected. I know I could do this with DKOM, but I'd prefer to use an SSDT hook. Does anyone know what API I should hook to filter the list of services/drivers?
-
I think you're on the wrong forum. There are places where they specialize in such questions. – Carey Gregory Aug 01 '13 at 01:15
-
Couldn't the device driver launch a kernel thread in the context of a suitably chosen process and then exit? Or even uninstall itself, if necessary? – Harry Johnston Aug 08 '13 at 03:06
1 Answer
You can follow this article from the beginning to the start and use its supplied code and customize it to fit your own needs: http://www.codeproject.com/Articles/46670/Service-Hiding
Word of advice: if you don't know what you are doing, it's best not to play with such stuff.
On a side note, they tend to over-complicate their architecture and compilation process, so expect some hiccups, as it's not going to be a straightforward solution. But this should address and solve your question and needs.
EDIT:
You would need to hook the services API that is responsible for showing you what services are currently running on your computer. An example for this is "services.exe"; this is where all the data structure(s) you would need to modify/alter to properly hide your driver live. Specifically, the SERVICE_RECORD structure and the following members need to be modified as well: Prev, Next and ServiceName. Once you have found such a structure inside services.exe, it's back to basic algorithm 101, which is to drop the required driver that you want to hide from that doubly-linked list. The following image is courtesy of the article mentioned before.
This is the basic or general rule behind hiding the service.
-
My bad, I am still new and picking up all the rules slowly; however, the link actually includes a full solution to his requirements. I gave him what to expect and what to watch for. Would this be sufficient, yes? Or should I iterate more on what the article says? – halsten Aug 30 '15 at 08:31
-
Okay, I see your point. However, I am an expert in that domain. But I felt no need to iterate over a subject that is clearly well explained somewhere else. Check my other answers and you will see that I do know what I talk about and to what length I will go to answer a question. :) In any case, let me edit it a little bit to include an explanation and a short answer. :) – halsten Aug 30 '15 at 08:44
-
Noted and thanks for bringing it up. Any constructive criticism is always and highly welcomed! Hopefully I have edited correctly. :) – halsten Aug 30 '15 at 09:00
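The SCM-side unlinking described in the answer is exactly the kind of inconsistency a defender can catch with a cross-view check. The following is an added example, not code from the question, the answer or the linked article: it compares the services the Service Control Manager enumerates (through the WMI Win32_Service and Win32_SystemDriver classes, which go through the SCM's service record list) against the service keys present in the registry, and reports registry entries the SCM does not list. Function names are mine; the Type bitmask assumes the documented service types 0x1 (kernel driver), 0x2 (file system driver), 0x10 and 0x20 (Win32 services).

```powershell
# Added example: cross-view check for service records the SCM no longer reports.
# View 1: what the Service Control Manager enumerates (via WMI).
# View 2: what the registry says should exist under CurrentControlSet\Services.
# A name present in view 2 but absent from view 1 is a candidate hidden record.

function Get-ScmServiceNames {
    # Both classes are backed by EnumServicesStatusEx, i.e. the SCM's linked list.
    $svc = Get-CimInstance -ClassName Win32_Service | Select-Object -ExpandProperty Name
    $drv = Get-CimInstance -ClassName Win32_SystemDriver | Select-Object -ExpandProperty Name
    @($svc) + @($drv) | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
}

function Get-RegistryServiceNames {
    # Keep only keys with a real service/driver Type; parameter-only keys are skipped.
    # 0x33 = 0x1 (kernel) | 0x2 (file system) | 0x10 (own process) | 0x20 (shared process).
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        ForEach-Object {
            $type = (Get-ItemProperty -Path $_.PSPath -Name Type -ErrorAction SilentlyContinue).Type
            if ($null -ne $type -and ($type -band 0x33) -ne 0) { $_.PSChildName.ToLowerInvariant() }
        } | Sort-Object -Unique
}

function Find-UnlistedServices {
    $scm = Get-ScmServiceNames
    $reg = Get-RegistryServiceNames
    # '<=' marks names that exist only in the registry view.
    Compare-Object -ReferenceObject $reg -DifferenceObject $scm |
        Where-Object { $_.SideIndicator -eq '<=' } |
        Select-Object -ExpandProperty InputObject
}

# Report each candidate with the image it points at, so the file can be inspected.
Find-UnlistedServices | ForEach-Object {
    $props = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$_"
    [PSCustomObject]@{ Name = $_; Type = $props.Type; ImagePath = $props.ImagePath }
} | Format-Table -AutoSize
```

A key written directly to the registry after boot (without CreateService) is also absent from the SCM's list until the next reboot, so treat a hit as a lead to inspect rather than proof of tampering.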