Bypassing kernel Fac Anti Cheat
Old 11th March 202603:34 PM   #1
Bypassing kernel Fac Anti Cheat

Hello, I am reversing FacDrv.sys and found out some good stuff: Physical Pages Scan Until PDE
Code:
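 /*
  * Decompiler output (names are the poster's) for a page-table consistency
  * check. The argument-separating commas that the page scrape dropped are
  * restored; the logic is otherwise exactly as posted.
  *
  * What the listing shows:
  *   1. \Device\PhysicalMemory is opened and mapped into the current process,
  *      sized to the highest (base + length) reported by
  *      MmGetPhysicalMemoryRanges().
  *   2. The target process is attached to only long enough to read CR3.
  *   3. Starting at the top-level index derived from MmSystemRangeStart, each
  *      top-level entry and then each next-level entry is read through the
  *      physical view; any entry whose low byte has bits 0 and 2 both set
  *      (Present and User/Supervisor on x86-64) is reported.
  *
  * Returns 1 if at least one such entry was reported, otherwise 0 (also 0 when
  * the section cannot be opened or mapped).
  */
char __fastcall PTEPAGETABLESPHYSICALSCAN_14000370C(HANDLE ProcessId)
{
  unsigned __int64 v1; // r13
  char v2; // r15
  PPHYSICAL_MEMORY_RANGE PhysicalMemoryRanges; // rax
  LARGE_INTEGER *p_NumberOfBytes; // r8
  LARGE_INTEGER NumberOfBytes; // rcx
  ULONG_PTR v7; // rdx
  ULONG_PTR v8; // rcx
  unsigned __int64 v9; // rdi
  unsigned __int64 v10; // r14
  _BYTE *v11; // rdx
  ULONG_PTR v12; // r8
  unsigned __int64 v13; // rcx
  _QWORD *v14; // r12
  unsigned __int64 i; // rsi
  unsigned __int64 v16; // rcx
  ULONG_PTR ViewSize; // [rsp+58h] [rbp-F0h] BYREF
  PVOID BaseAddress; // [rsp+60h] [rbp-E8h] BYREF
  PEPROCESS Process; // [rsp+68h] [rbp-E0h] BYREF
  void *SectionHandle[3]; // [rsp+70h] [rbp-D8h] BYREF
  struct _UNICODE_STRING DestinationString; // [rsp+88h] [rbp-C0h] BYREF
  struct _OBJECT_ATTRIBUTES ObjectAttributes; // [rsp+98h] [rbp-B0h] BYREF
  _DWORD Src[4]; // [rsp+C8h] [rbp-80h] BYREF
  __int64 v24; // [rsp+D8h] [rbp-70h]
  _KAPC_STATE ApcState; // [rsp+E0h] [rbp-68h] BYREF

  // The process id is truncated to 32 bits before any use.
  v1 = (unsigned int)ProcessId;
  v2 = 0;
  RtlInitUnicodeString(&DestinationString, L"\\Device\\PhysicalMemory");
  ObjectAttributes.Length = 48;          // sizeof(OBJECT_ATTRIBUTES) on x64
  ObjectAttributes.RootDirectory = 0LL;
  ObjectAttributes.Attributes = 576;     // 0x240 = OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE
  ObjectAttributes.ObjectName = &DestinationString;
  *(_OWORD *)&ObjectAttributes.SecurityDescriptor = 0LL;
  // 0xF001F is SECTION_ALL_ACCESS. NOTE(review): the routine only reads through
  // the view, so a read-only open/map would be the least-privilege choice.
  if ( ZwOpenSection(SectionHandle, 0xF001Fu, &ObjectAttributes) < 0 )
    return 0;
  BaseAddress = 0LL;
  ViewSize = 0LL;
  PhysicalMemoryRanges = MmGetPhysicalMemoryRanges();
  // NOTE(review): the array returned above is never released in this listing;
  // confirm whether the decompiler elided the free or the driver leaks it.
  if ( PhysicalMemoryRanges )
  {
    p_NumberOfBytes = &PhysicalMemoryRanges->NumberOfBytes;
    NumberOfBytes = PhysicalMemoryRanges->NumberOfBytes;
    if ( NumberOfBytes.QuadPart )
    {
      v7 = ViewSize;
      do
      {
        // p_NumberOfBytes[-1] is the BaseAddress member of the same range, so
        // v8 is the end of the range; ViewSize becomes the maximum end seen.
        v8 = p_NumberOfBytes[-1].QuadPart + NumberOfBytes.QuadPart;
        if ( v7 <= v8 )
          v7 = v8;
        ViewSize = v7;
        p_NumberOfBytes += 2;            // advance one {BaseAddress, NumberOfBytes} pair
        NumberOfBytes = *p_NumberOfBytes;
      }
      while ( p_NumberOfBytes->QuadPart ); // a zero-length range terminates the array
    }
  }
  // Map into the current process ((HANDLE)-1); protection 4 is PAGE_READWRITE.
  if ( ZwMapViewOfSection(
         SectionHandle[0],
         (HANDLE)0xFFFFFFFFFFFFFFFFLL,
         &BaseAddress,
         0LL,
         0LL,
         0LL,
         &ViewSize,
         ViewUnmap,
         0,
         4u) < 0 )
  {
    ZwClose(SectionHandle[0]);
    return 0;
  }
  Process = 0LL;
  if ( PsLookupProcessByProcessId((HANDLE)v1, &Process) >= 0 )
  {
    // Attach only to sample the target's CR3 (page-table root), then detach.
    KeStackAttachProcess(Process, &ApcState);
    v9 = __readcr3();
    KeUnstackDetachProcess(&ApcState);
    // Bits 39..47 of MmSystemRangeStart: first top-level index of the system range.
    v10 = ((unsigned __int64)MmSystemRangeStart >> 39) & 0x1FF;
    v11 = BaseAddress;
    v12 = ViewSize;
    while ( 1 )
    {
      SectionHandle[2] = (void *)v10;    // appears to be a compiler spill of the counter, not a handle
      if ( v10 >= 0x200 )
        break;
      // Physical address of top-level entry v10: table base from CR3 + 8 * index.
      v13 = (v9 & 0xFFFFFFFFFF000LL) + 8 * v10;
      // NOTE(review): "<=" admits v13 == ViewSize, yet a byte (and later a QWORD
      // via v14) is read at that offset; "v13 + 8 <= v12" looks like the intended
      // bound — confirm against the disassembly.
      if ( v13 <= v12 )
      {
        v14 = &v11[v13];
        // Only the low byte is tested: bit 0 (Present) and bit 2 (User) both set.
        if ( (v11[v13] & 5) == 5 )
        {
          // Next level down, starting at bits 30..38 of MmSystemRangeStart.
          for ( i = ((unsigned __int64)MmSystemRangeStart >> 30) & 0x1FF; ; ++i )
          {
            SectionHandle[1] = (void *)i; // same spill pattern as above
            if ( i >= 0x200 )
              break;
            v16 = (*v14 & 0xFFFFFFFFFF000LL) + 8 * i;
            if ( v16 <= v12 && (v11[v16] & 5) == 5 )
            {
              v2 = 1;
              // 0x18-byte record: Src[0] = event code, Src[2] = process id,
              // v24 = 0. Src[1] and Src[3] are not written in this listing, so
              // the record may carry stale stack bytes — TODO confirm.
              Src[0] = 732997;
              Src[2] = v1;
              v24 = 0LL;
              LogAnomalyMaybe_113C(Src, 0x18uLL); // reporting helper (poster's name; body not shown)
              v11 = BaseAddress;
              v12 = ViewSize;
            }
          }
        }
      }
      ++v10;
    }
    ObfDereferenceObject(Process);
  }
  ZwUnmapViewOfSection((HANDLE)0xFFFFFFFFFFFFFFFFLL, BaseAddress);
  ZwClose(SectionHandle[0]);
  return v2;
}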
Cache Table Scan:
Code:
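/*
 * Decompiler output (names are the poster's) for an AVL-table enumeration.
 * The argument-separating commas that the page scrape dropped are restored;
 * the logic is otherwise exactly as posted.
 *
 * sub_3C74 (not shown) supplies a lock and a table pointer. With the lock held
 * exclusively, every table entry is walked and one 0x110-byte record is
 * reported per entry. Which kernel table this is cannot be told from the
 * listing alone; the poster labels it a "cache table".
 *
 * Returns sub_3C74's (false) result when the lookup fails; otherwise 1 if the
 * table held at least one entry, else 0.
 */
char PICACHETABLE_3B78()
{
  char v0; // di
  char result; // al
  BOOLEAN i; // dl
  _OWORD *v3; // rax
  _OWORD *v4; // rbx
  PRTL_AVL_TABLE Table; // [rsp+28h] [rbp-E0h] BYREF
  PERESOURCE Resource[3]; // [rsp+30h] [rbp-D8h] BYREF
  int Src; // [rsp+48h] [rbp-C0h] BYREF
  char Dest[256]; // [rsp+50h] [rbp-B8h] BYREF
  int v9; // [rsp+150h] [rbp+48h]
  int v10; // [rsp+154h] [rbp+4Ch]

  v0 = 0;
  result = sub_3C74(Resource, &Table);
  if ( result )
  {
    // Wait = 1: block until the resource is available.
    // NOTE(review): no KeEnterCriticalRegion is visible around the acquire;
    // presumably done by the caller or elided by the decompiler — confirm.
    ExAcquireResourceExclusiveLite(Resource[0], 1u);
    // i is the Restart flag: TRUE for the first call only, FALSE afterwards.
    for ( i = 1; ; i = 0 )
    {
      v3 = RtlEnumerateGenericTableAvl(Table, i);
      v4 = v3;
      if ( !v3 )
        break;
      v0 = 1;
      Src = 160802;                      // event code placed at the head of the record
      Dest[0] = 0;
      // The WORD at entry offset 16 gates the formatting; the 16 bytes at that
      // offset are copied and handed to the formatter — looks like a
      // UNICODE_STRING embedded in the entry (Length first) — TODO confirm.
      if ( *((_WORD *)v3 + 8) )
      {
        *(_OWORD *)&Resource[1] = v3[1]; // Resource[1..2] reused as scratch for the copy
        sub_1830(Dest, 255LL, (const char *)qword_51F0, &Resource[1]);
      }
      // Two DWORDs at entry offsets 36 and 32 follow the text in the record.
      v10 = *((_DWORD *)v4 + 9);
      v9 = *((_DWORD *)v4 + 8);
      LogAnomalyMaybe_113C(&Src, 0x110uLL); // Src, Dest, v9, v10 are contiguous on the stack
    }
    ExReleaseResourceLite(Resource[0]);
    return v0;
  }
  return result;
}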
Code:
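/*
 * Handle Scan:
 *
 * Decompiler output (names are the poster's). The argument-separating commas
 * and the line breaks that the page scrape dropped are restored; the logic is
 * otherwise exactly as posted.
 *
 * HandleEnumerator_140002808 (not shown) returns a pool buffer: a DWORD count
 * followed by five-DWORD records. The routine resolves the kernel object
 * behind \Device\PhysicalMemory and reports every record that refers to that
 * same object, is not attributed to id 4, and whose handle value is not a
 * kernel handle. Field meanings are inferred from use — TODO confirm.
 *
 * Always returns 0; findings are delivered only through the report helper.
 */
char HandleScanner_1400039DC()
{
  _DWORD *v0; // rbx
  __int64 i; // rdi
  void *SectionHandle; // [rsp+38h] [rbp-80h] BYREF
  PVOID Object[2]; // [rsp+40h] [rbp-78h] BYREF
  struct _UNICODE_STRING DestinationString; // [rsp+50h] [rbp-68h] BYREF
  struct _OBJECT_ATTRIBUTES ObjectAttributes; // [rsp+60h] [rbp-58h] BYREF
  _DWORD Src[4]; // [rsp+90h] [rbp-28h] BYREF

  v0 = HandleEnumerator_140002808();
  Object[1] = v0;
  if ( v0 )
  {
    RtlInitUnicodeString(&DestinationString, L"\\Device\\PhysicalMemory");
    ObjectAttributes.Length = 48;        // sizeof(OBJECT_ATTRIBUTES) on x64
    ObjectAttributes.RootDirectory = 0LL;
    ObjectAttributes.Attributes = 576;   // 0x240 = OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE
    ObjectAttributes.ObjectName = &DestinationString;
    *(_OWORD *)&ObjectAttributes.SecurityDescriptor = 0LL;
    // NOTE(review): when this open fails, v0 is not freed on that path in the
    // listing (both inner branches free it) — looks like a pool leak; confirm.
    if ( ZwOpenSection(&SectionHandle, 0xF001Fu, &ObjectAttributes) >= 0 )
    {
      // Turn the handle into an object pointer so it can be compared with the
      // object pointers stored in the enumerated records.
      if ( ObReferenceObjectByHandle(SectionHandle, 1u, 0LL, 0, Object, 0LL) >= 0 )
      {
        ZwClose(SectionHandle);
        for ( i = 0LL; (unsigned int)i < *v0; i = (unsigned int)(i + 1) )
        {
          // Record i occupies DWORDs 5*i+1 .. 5*i+5:
          //   +1 owner id (4 is skipped, presumably the System process),
          //   +2 high word used as the handle value,
          //   +3 object pointer (8 bytes),
          //   +5 copied into the report unchanged.
          if ( v0[5 * i + 1] != 4
            && *(PVOID *)&v0[5 * i + 3] == Object[0]
            && !ObIsKernelHandle((HANDLE)HIWORD(v0[5 * i + 2])) )
          {
            // 0x10-byte record; Src[1] is not written in this listing.
            Src[0] = 666454;
            Src[2] = v0[5 * i + 1];
            Src[3] = v0[5 * i + 5];
            LogAnomalyMaybe_113C(Src, 0x10uLL);
          }
        }
        ObfDereferenceObject(Object[0]);
        ExFreePoolWithTag(v0, 0x74434146u);
      }
      else
      {
        ExFreePoolWithTag(v0, 0x74434146u);
        ZwClose(SectionHandle);
      }
    }
  }
  return 0;
}

/*
 * Thread Start And Module Check:
 *
 * For a thread id a1 that resolves to a system thread with a non-zero start
 * address (obtained via OutThreadStartAddress_46F0, not shown), fetches the
 * module information and returns the verdict of
 * ThreadKernelScannerModule_32C4 (not shown). Returns 0 whenever any
 * precondition fails, including a2 == NULL.
 *
 * NOTE(review): the reference taken by PsLookupThreadByThreadId is never
 * dropped in this listing, and the buffer from ModuleInfomration_14000325C is
 * not freed here (DriverEnum_1494 frees the same helper's result with tag
 * 0x74434146). Either the callee releases them or both leak — confirm.
 */
char __fastcall ThreadModuleScanner_33A0(void *a1, _OWORD *a2)
{
  unsigned int *ModuleInfomation; // rax
  PETHREAD Thread; // [rsp+38h] [rbp+10h] BYREF
  unsigned __int64 ThreadInformation; // [rsp+40h] [rbp+18h] BYREF

  if ( a2
    && PsLookupThreadByThreadId(a1, &Thread) >= 0
    && PsIsSystemThread(Thread)
    // Comma expression: fill ThreadInformation, then test it for non-zero.
    && (OutThreadStartAddress_46F0(Thread, &ThreadInformation), ThreadInformation)
    && (ModuleInfomation = (unsigned int *)ModuleInfomration_14000325C()) != 0LL )
  {
    return ThreadKernelScannerModule_32C4(ModuleInfomation, ThreadInformation, a2);
  }
  else
  {
    return 0;
  }
}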
GUID identifier:
Code:
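/*
 * Decompiler output (names are the poster's). The argument-separating commas
 * that the page scrape dropped are restored; the logic is otherwise exactly
 * as posted.
 *
 * Queries SystemBootEnvironmentInformation and formats the first 16 bytes of
 * the reply as a GUID-like string into the caller's structure:
 *   a1 + 8   32-bit status, preset to 0xC0000022 (STATUS_ACCESS_DENIED) and
 *            cleared to 0 only when the query succeeds;
 *   a1 + 12  output text, at most 256 bytes as passed to sub_1830.
 * On allocation or query failure the status keeps its preset value and the
 * text is left untouched.
 */
void __fastcall GuidIdentifier_4784(__int64 a1)
{
  unsigned __int16 *PoolWithTag; // rax
  unsigned __int16 *v3; // r14

  *(_DWORD *)(a1 + 8) = 0xC0000022;
  // 'enoN' is the same value as 0x656E6F4E used for the free below ("None" in memory).
  PoolWithTag = (unsigned __int16 *)ExAllocatePoolWithTag(NonPagedPool, 0x1000uLL, 'enoN');
  v3 = PoolWithTag;
  if ( PoolWithTag )
  {
    if ( ZwQuerySystemInformation(SystemBootEnvironmentInformation, PoolWithTag, 0x1000u, 0LL) >= 0 )
    {
      *(_DWORD *)(a1 + 8) = 0;
      // The reply is read as DWORD, WORD, WORD, then eight single bytes — the
      // GUID field layout; presumably the boot identifier — TODO confirm.
      // The format has no dash inside the trailing eight bytes, so the result
      // is not the canonical 8-4-4-4-12 GUID text.
      sub_1830(
        (char *)(a1 + 12),
        256LL,
        "%08X-%04X-%04X-%02X%02X%02X%02X%02X%02X%02X%02X",
        *(_DWORD *)v3,
        v3[2],
        v3[3],
        *((unsigned __int8 *)v3 + 8),
        *((unsigned __int8 *)v3 + 9),
        *((unsigned __int8 *)v3 + 10),
        *((unsigned __int8 *)v3 + 11),
        *((unsigned __int8 *)v3 + 12),
        *((unsigned __int8 *)v3 + 13),
        *((unsigned __int8 *)v3 + 14),
        *((unsigned __int8 *)v3 + 15));
    }
    ExFreePoolWithTag(v3, 0x656E6F4Eu);
  }
}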
Edit: adding driver enumeration:
Code:
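/*
 * Decompiler output (names are the poster's). The argument-separating commas
 * that the page scrape dropped are restored; the logic is otherwise exactly
 * as posted.
 *
 * Walks the \Driver object directory one entry at a time, builds the full
 * object name, references each driver object, and passes three pointer-sized
 * fields of it (QWORD indexes 28, 3 and 10) to sub_3408 together with the
 * module information from ModuleInfomration_14000325C. Each field for which
 * sub_3408 returns 1 produces a 0x108-byte report carrying an event code and
 * the "%wZ"-formatted string stored at object offset 56. sub_3408 is not
 * shown; presumably it tests the address against the known module ranges —
 * TODO confirm.
 *
 * Always returns 0; findings are delivered only through the report helper.
 */
char DriverEnum_1494()
{
  __int64 ObjectType; // rbx
  _QWORD *PoolWithTag; // rdi
  unsigned int *v2; // rbx
  __int16 *v3; // rcx
  __int64 v4; // r8
  __int64 v5; // rdx
  __int16 v6; // ax
  __int64 v7; // rax
  int HandleInformation; // [rsp+30h] [rbp-D8h]
  PVOID v10; // [rsp+48h] [rbp-C0h] BYREF
  ULONG Context[2]; // [rsp+50h] [rbp-B8h] BYREF
  HANDLE Handle; // [rsp+58h] [rbp-B0h] BYREF
  void *DirectoryHandle; // [rsp+60h] [rbp-A8h] BYREF
  PVOID Object; // [rsp+68h] [rbp-A0h] BYREF
  _WORD v15[4]; // [rsp+70h] [rbp-98h] BYREF
  __int128 *v16; // [rsp+78h] [rbp-90h]
  _OBJECT_ATTRIBUTES ObjectAttributes; // [rsp+80h] [rbp-88h] BYREF
  _UNICODE_STRING DestinationString; // [rsp+B0h] [rbp-58h] BYREF
  __int128 v19; // [rsp+C8h] [rbp-40h] BYREF
  __int128 v20; // [rsp+D8h] [rbp-30h] BYREF
  __int128 v21; // [rsp+E8h] [rbp-20h] BYREF
  int Src; // [rsp+F8h] [rbp-10h] BYREF
  char Dest[262]; // [rsp+100h] [rbp-8h] BYREF
  __int16 v24; // [rsp+206h] [rbp+FEh] BYREF
  __int128 v25; // [rsp+208h] [rbp+100h] BYREF
  __int16 v26; // [rsp+218h] [rbp+110h]
  _BYTE Dst[182]; // [rsp+21Ah] [rbp+112h] BYREF

  if ( IoDriverObjectType )
  {
    RtlInitUnicodeString(&DestinationString, L"\\Driver");
    ObjectAttributes.Length = 48;        // sizeof(OBJECT_ATTRIBUTES) on x64
    ObjectAttributes.ObjectName = &DestinationString;
    ObjectAttributes.RootDirectory = 0LL;
    ObjectAttributes.Attributes = 576;   // 0x240 = OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE
    *(_OWORD *)&ObjectAttributes.SecurityDescriptor = 0LL;
    // First open exists only to learn the directory's object type.
    // NOTE(review): if the open succeeds but the reference fails,
    // DirectoryHandle is not closed in this listing — confirm.
    if ( ZwOpenDirectoryObject(&DirectoryHandle, 1u, &ObjectAttributes) >= 0
      && ObReferenceObjectByHandle(DirectoryHandle, 1u, 0LL, 0, &Object, 0LL) >= 0 )
    {
      NtClose(DirectoryHandle);
      ObjectType = ObGetObjectType(Object);
      ObfDereferenceObject(Object);
      // Argument split reconstructed from the seven-parameter call shape
      // (the scrape left "0LL0LL10LL"); verify against the disassembly.
      if ( (int)ObOpenObjectByName(&ObjectAttributes, ObjectType, 0LL, 0LL, 1, 0LL, &Handle) >= 0 )
      {
        // NOTE(review): the cleanup at the bottom runs only when both the pool
        // allocation and the module-info lookup succeed; on either failure the
        // listing leaves Handle open (and PoolWithTag allocated if v2 is NULL).
        PoolWithTag = ExAllocatePoolWithTag(NonPagedPool, 0x1000uLL, 0x74434146u);
        if ( PoolWithTag )
        {
          v2 = (unsigned int *)ModuleInfomration_14000325C();
          if ( v2 )
          {
            Context[0] = 0;
            // ReturnSingleEntry = 1, RestartScan = 0: one directory entry per
            // call, position carried in Context[0].
            while ( ZwQueryDirectoryObject(Handle, PoolWithTag, 0x1000u, 1u, 0, Context, &Context[1]) >= 0 )
            {
              // v25 is preloaded with a 16-byte constant (presumably the
              // L"\\Driver\\" prefix) and v26 terminates it; Dst follows on the
              // stack, so v25/v26/Dst act as one wide-character buffer.
              v26 = 0;
              v25 = xmmword_51D0;
              memset(Dst, 0, sizeof(Dst));
              // Find the terminator of the prefix (scan starts at &v25).
              v3 = &v24;
              do
                ++v3;
              while ( *v3 );
              // PoolWithTag[1] is the second QWORD of the entry, used as the
              // pointer to the entry's name characters.
              v4 = PoolWithTag[1];
              v5 = 0LL;
              // NOTE(review): this append stops only at the source terminator;
              // nothing bounds it by the space left after the prefix (v26 plus
              // Dst, 184 bytes in this listing). A check against the entry's
              // name length would be expected here.
              do
              {
                v6 = *(_WORD *)(v4 + 2 * v5);
                v3[v5++] = v6;
              }
              while ( v6 );
              // Length of the assembled name in wide characters.
              v7 = -1LL;
              do
                ++v7;
              while ( *((_WORD *)&v25 + v7) );
              // v15/v16 together form a UNICODE_STRING {Length, MaximumLength, Buffer}.
              v15[1] = 2 * v7;
              v15[0] = 2 * v7;
              v16 = &v25;
              LOBYTE(HandleInformation) = 0; // passed in the access-mode slot: 0 = KernelMode
              if ( (int)ObReferenceObjectByName(v15, 576LL, 0LL, 0LL, IoDriverObjectType, HandleInformation, 0LL, &v10) >= 0 )
              {
                // In the x64 DRIVER_OBJECT layout, QWORD index 28 (offset 0xE0)
                // falls in the MajorFunction table, index 3 (0x18) is
                // DriverStart, index 10 (0x50) is FastIoDispatch and offset 56
                // is DriverName — confirm against the target build.
                if ( sub_3408(v2, *((_QWORD *)v10 + 28)) == 1 )
                {
                  Src = 0x62514;
                  v19 = *(_OWORD *)((char *)v10 + 56);
                  sub_1830(Dest, 255LL, "%wZ", &v19);
                  LogAnomalyMaybe_113C(&Src, 0x108uLL);
                }
                if ( sub_3408(v2, *((_QWORD *)v10 + 3)) == 1 )
                {
                  Src = 542066;
                  v20 = *(_OWORD *)((char *)v10 + 56);
                  sub_1830(Dest, 255LL, "%wZ", &v20);
                  LogAnomalyMaybe_113C(&Src, 0x108uLL);
                }
                if ( sub_3408(v2, *((_QWORD *)v10 + 10)) == 1 )
                {
                  Src = 75317;
                  v21 = *(_OWORD *)((char *)v10 + 56);
                  sub_1830(Dest, 255LL, "%wZ", &v21);
                  LogAnomalyMaybe_113C(&Src, 0x108uLL);
                }
                ObfDereferenceObject(v10);
              }
            }
            ExFreePoolWithTag(v2, 0x74434146u);
            ExFreePoolWithTag(PoolWithTag, 0x74434146u);
            ZwClose(Handle);
          }
        }
      }
    }
  }
  return 0;
}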
So I would like to ask: how do I bypass this, how do I hide from the PD scan, handle and thread scan... I can easily understand what they are doing, but from the kernel it's not really clear how to bypass it, in the sense that in usermode you can just hook etc.... but here DKOM is detected by PG. Can someone experienced suggest me some things to learn etc... thanks a lot. Edit: the function where I wrote "Report maybe", now I am sure, but it's protected by vmp obviously...

Last edited by bigslim04; 11th March 2026 at 04:57 PM.
bigslim04 is offline
Old 11th March 202604:41 PM   #2
can you share the .sys file to take a look?
BelleLovesU is online now
Old 11th March 202606:39 PM   #3
No way

No way... after starting the game i was able to just suspend the service a d the driver also gets automatically stopped and it doesnt kick lolll... it had even some nice ideas but they really fell hard not even an heartbeat?? still i would be interested in some informationand also they che k for test significa modehow would i kill that detection and be able to load the game even with it? Cause even withouth the anti cheat i need to load a driver to remove the callbacks

Last edited by bigslim04; 11th March 2026 at 06:42 PM.
bigslim04 is offline
Old 12th March 202604:33 PM   #4
Someone?
bigslim04 is offline
Old 12th March 202606:55 PM   #5
Quote:
Originally Posted by bigslim04 View Post
Someone?
You can hook their driver if they have no check for integrityPG does not protect their executable sections
Hec4te is offline
Old 12th March 202608:03 PM   #6
(i dont know if the offsets will be the same in your case since you didnt share the .sys file)
obcallback for handles is at 0x1d80 (or look for byte pattern 488b0d2d530000 ; or just use windbg)
at the start of that function you can see a few check of the global protected process structure they use . Setting the u64 value at offset 0x70d0 is enough to fail the check and avoid the handle stripping.
assembly code:

Code:
00001d80  48895c2408         mov     qword [rsp+0x8 {__saved_rbx}]rbx
00001d85  55                 push    rbp {__saved_rbp}
00001d86  56                 push    rsi {__saved_rsi}
00001d87  57                 push    rdi {__saved_rdi}
00001d88  4883ec40           sub     rsp0x40
00001d8c  488b0d2d530000     mov     rcxqword [rel data_70c0]
00001d93  488bda             mov     rbxrdx
00001d96  4885c9             test    rcxrcx
00001d99  750d               jne     0x1da8

00001d9b  48390d26530000     cmp     qword [rel data_70c8]rcx
00001da2  0f84fb000000       je      0x1ea3  {data_70c8}

00001da8  48833d2053000000   cmp     qword [rel data_70d0]0x0 ; here one cmp
00001db0  0f84ed000000       je      0x1ea3  {data_70d0}

00001db6  833d2f53000000     cmp     dword [rel data_70ec]0x0
00001dbd  0f85e0000000       jne     0x1ea3  {data_70ec}
why 0x70d0 and not the other values? because it is just one 8 bytes patch which is easier than multiplebut you can set to 0 the u64 values at 0x70c0 and 0x70c8

that's up to you. With that single dkom you disable the handle protection
enjoy

Last edited by BelleLovesU; 12th March 2026 at 08:04 PM.
BelleLovesU is online now
Old 12th March 202608:15 PM   #7
Thanksbut I already disabled the callbacks through putting pre operation to a dummyi used a leaked certificate for the driver and signed with it. But am I wrong or those type of detections basically target and detect mostly mapped driversor obviously injected dlls? Lets say i wanted to bypass thosehow would you act if you were to map the driver instead? How would you hide allocations etc? I didnt share the sys because i see no reasonits literally the same on every Fac protected gameso if you have that its the samethanks all of you for the help!�� edit: lol yeah I found exactly the part you postedwhere if i recall 70C0 is the qword that holds the protected pidaltitude of the callbacks=1000 i filtered through thatnow i already found view matrixcoords etc.. but pointer scan doesnt seem to workdo you have the same problem? It just returns zero results

Quote:
Originally Posted by Hec4te View Post
You can hook their driver if they have no check for integrityPG does not protect their executable sections
Really? I didnt know it,lol really you can hook parts inside the driver and Force ifs etc.. if they have no check? Thanks bro

Last edited by bigslim04; 12th March 2026 at 08:22 PM.
bigslim04 is offline
Old 12th March 202608:28 PM   #8
i dont know what are you talking aboutI just installed one game got the .sys and dropped it on my debugging vmi havent even open the gameso i dont know anything about the view matrix problemsetc you mention.

i wouldn't map any driver or hide allocationsi would just use a vulnerable driver with kernel memory rw and i would just patch the needed memory vars/structures

(avoid code patching)

Last edited by BelleLovesU; 12th March 2026 at 08:29 PM.
BelleLovesU is online now
Old 12th March 202608:32 PM   #9
Quote:
Originally Posted by BelleLovesU View Post
i dont know what are you talking aboutI just installed one game got the .sys and dropped it on my debugging vmi havent even open the gameso i dont know anything about the view matrix problemsetc you mention.

i wouldn't map any driver or hide allocationsi would just use a vulnerable driver with kernel memory rw and i would just patch the needed memory vars/structures

(avoid code patching)
oh ok didnt know you hadnt playedyeah the anti cheat is not that hard but its not even super badanyway yeah thats what I would do toowas just curiousityand the pointer thing is the only thing thats breaking it a bit for mebecause I cannot get any chains at allanyway if you have cert i dont think this requires vulnerable driver at all

Last edited by bigslim04; 12th March 2026 at 08:37 PM.
bigslim04 is offline