commit all changed files (signed) commit the kernel changes as well

Cheat Engine/release/readme.txt

@@ -12,7 +12,7 @@ Fixed show as signed not working for custom types
 Fixed several issues with the structure spider
 Fixed 64-bit registers in the tracer getting truncated on doubleclick, and fix r8 to r15
 Fixed copy/paste in the scanvalue
-Fixed kernelmode QueryMemoryRegions for windows build 1707
+Fixed kernelmode QueryMemoryRegions for windows build 1607
 Fixed some disassembler errors
 Fixed lua command fullAccess
 Fixed text to speech if launched from a different thread

DBKKernel/DBKDrvr.c

@@ -152,7 +152,6 @@ VOID TestThread(__in PVOID StartContext)
 	
 }
 
-#pragma optimize( "", off )  
 NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,
                      IN PUNICODE_STRING RegistryPath)
 /*++
@@ -564,7 +563,6 @@ Return Value:
     return STATUS_SUCCESS;
 }
 
-#pragma optimize( "", on )  
 
 
 NTSTATUS DispatchCreate(IN PDEVICE_OBJECT DeviceObject,
@@ -581,14 +579,18 @@ NTSTATUS DispatchCreate(IN PDEVICE_OBJECT DeviceObject,
 
 
 	if (SeSinglePrivilegeCheck(sedebugprivUID, UserMode))
-	{
-#ifdef TOBESIGNED
-		NTSTATUS s=SecurityCheck();	
-		Irp->IoStatus.Status = s; 		
-	//	DbgPrint("Returning %x (and %x)\n", Irp->IoStatus.Status, s);
-#else
+	{		
 		Irp->IoStatus.Status = STATUS_SUCCESS;
+#ifdef AMD64
+#ifdef TOBESIGNED
+		{
+			NTSTATUS s=SecurityCheck();	
+			Irp->IoStatus.Status = s; 		
+		}
+	//	DbgPrint("Returning %x (and %x)\n", Irp->IoStatus.Status, s);
 #endif
+#endif
+
 
 	}
 	else
@@ -718,10 +720,12 @@ void UnloadDriver(PDRIVER_OBJECT DriverObject)
 
 	RtlZeroMemory(&ProcesslistR, sizeof(ProcesslistR));
 
+#if (NTDDI_VERSION >= NTDDI_VISTA)
 	if (DRMHandle)
 	{
 		DbgPrint("Unregistering DRM handle");
 		ObUnRegisterCallbacks(DRMHandle);
 		DRMHandle = NULL;
 	}
+#endif
 }

DBKKernel/IOPLDispatcher.c

@@ -24,8 +24,10 @@
 UINT64 PhysicalMemoryRanges=0; //initialized once, and used thereafter. If the user adds/removes ram at runtime, screw him and make him the reload the driver
 UINT64 PhysicalMemoryRangesListSize=0;
 
+#if (NTDDI_VERSION >= NTDDI_VISTA)
 PVOID DRMHandle = NULL;
 PEPROCESS DRMProcess = NULL;
+#endif
 
 PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTableShadow=NULL;
 PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable=NULL;
@@ -63,11 +65,13 @@ void mykapc2(PKAPC Apc, PKNORMAL_ROUTINE NormalRoutine, PVOID NormalContext, PVO
 
 	if (ZwQueryInformationProcess(ZwCurrentProcess(), ProcessWow64Information, &iswow64, sizeof(iswow64), NULL) == STATUS_SUCCESS)
 	{
+#if (NTDDI_VERSION >= NTDDI_VISTA)	
 		if (iswow64)
 		{
 			DbgPrint("WOW64 apc");
 			PsWrapApcWow64Thread(NormalContext, (PVOID*)NormalRoutine);
 		}
+#endif
 	}
 
 }
@@ -110,7 +114,7 @@ void mykapc(PKAPC Apc, PKNORMAL_ROUTINE NormalRoutine, PVOID NormalContext, PVOI
 	KeInsertQueueApc (kApc, (PVOID)*(PUINT_PTR)SystemArgument1, (PVOID)*(PUINT_PTR)SystemArgument2, 0);
 
 
-	//wait in usermode (to interruptable by a usermode apc)
+	//wait in usermode (so interruptable by a usermode apc)
 	Timeout.QuadPart = 0;
 	KeDelayExecutionThread(UserMode, TRUE, &Timeout);
 
@@ -164,7 +168,7 @@ void CreateRemoteAPC(ULONG threadid,PVOID addresstoexecute)
 #define PROCESS_QUERY_LIMITED_INFORMATION  (0x1000)  
 
 
-
+#if (NTDDI_VERSION >= NTDDI_VISTA)
 OB_PREOP_CALLBACK_STATUS ThreadPreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
 {		
 	if (DRMProcess == NULL)
@@ -190,7 +194,7 @@ OB_PREOP_CALLBACK_STATUS ThreadPreCallback(PVOID RegistrationContext, POB_PRE_OP
 
 				da = da & (THREAD_SET_LIMITED_INFORMATION | THREAD_QUERY_LIMITED_INFORMATION);
 
-				OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = da;
+				OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0;// da;
 			}
 			else if (OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE)
 			{
@@ -200,7 +204,7 @@ OB_PREOP_CALLBACK_STATUS ThreadPreCallback(PVOID RegistrationContext, POB_PRE_OP
 				DbgPrint("PID %d duplicated a handle to a CE thread with access mask %x", PsGetCurrentProcessId(), da);
 
 				da = da & (THREAD_SET_LIMITED_INFORMATION | THREAD_QUERY_LIMITED_INFORMATION);
-				OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = da;
+				OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = 0;// da;
 			}
 		}
 	}
@@ -219,8 +223,8 @@ OB_PREOP_CALLBACK_STATUS ProcessPreCallback(PVOID RegistrationContext, POB_PRE_O
 	if (DRMProcess == NULL)
 		return OB_PREOP_SUCCESS;
 
-	if (PsGetCurrentProcess() == DRMProcess)
-		return OB_PREOP_SUCCESS;
+	//if (PsGetCurrentProcess() == DRMProcess)
+	//	return OB_PREOP_SUCCESS;
 
 	if (OperationInformation->ObjectType == *PsProcessType)
 	{
@@ -238,7 +242,9 @@ OB_PREOP_CALLBACK_STATUS ProcessPreCallback(PVOID RegistrationContext, POB_PRE_O
 
 				da = da & (PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SUSPEND_RESUME);
 
-				OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = da;
+				//da = da & PROCESS_SUSPEND_RESUME;
+
+				OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0;// da;
 			}
 			else if (OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE)
 			{
@@ -249,7 +255,10 @@ OB_PREOP_CALLBACK_STATUS ProcessPreCallback(PVOID RegistrationContext, POB_PRE_O
 
 
 				da = da & (PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SUSPEND_RESUME);
-				OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = da;
+
+				//da = da & PROCESS_SUSPEND_RESUME;
+
+				OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = 0;// da;
 			}
 		}
 	}
@@ -261,6 +270,7 @@ VOID ProcessPostCallback(PVOID RegistrationContext, POB_POST_OPERATION_INFORMATI
 {
 	//DbgPrint("ProcessPostCallback");
 }
+#endif
 
 
 BOOL DispatchIoctlDBVM(IN PDEVICE_OBJECT DeviceObject, ULONG IoControlCode, PVOID lpInBuffer, DWORD nInBufferSize, PVOID lpOutBuffer, DWORD nOutBufferSize, PDWORD lpBytesReturned)
@@ -535,7 +545,17 @@ NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 
 		case IOCTL_CE_TEST: //just a test to see it's working
 			{
-				DbgPrint("yes");
+				UNICODE_STRING test;
+				PVOID x;
+				RtlInitUnicodeString(&test, L"NtProtectVirtualMemory");
+				x = MmGetSystemRoutineAddress(&test);
+				if (x)
+				{
+					DbgPrint("yes %p", x);
+				}
+					DbgPrint("no");
+
+
 
 				
 				break;
@@ -1155,7 +1175,7 @@ NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 				} *inp;
 				inp=Irp->AssociatedIrp.SystemBuffer;
 
-				CreateRemoteAPC(inp->threadid,(PVOID)(UINT_PTR)inp->addresstoexecute);
+				CreateRemoteAPC((ULONG)inp->threadid,(PVOID)(UINT_PTR)inp->addresstoexecute);
 				ntStatus=STATUS_SUCCESS;
 				break;
 			}
@@ -2227,6 +2247,7 @@ NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 
 		case IOCTL_CE_ENABLE_DRM:
 			{
+#if (NTDDI_VERSION >= NTDDI_VISTA)				
 				struct
 				{
 					QWORD PreferedAltitude;
@@ -2303,8 +2324,9 @@ NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 				}
 				else
 					ntStatus = STATUS_SUCCESS;
-
-				
+#else
+				ntStatus = STATUS_NOT_IMPLEMENTED;
+#endif				
 				break;
 			}
 
@@ -2315,7 +2337,7 @@ NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 
 
 			//DbgPrint("IOCTL_CE_GET_PEB");
-			KeStackAttachProcess(ep, &oldstate);
+			KeStackAttachProcess((PKPROCESS)ep, &oldstate);
 			__try
 			{
 				ULONG r;
@@ -2371,8 +2393,8 @@ NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 				
 				if (PsLookupProcessByProcessId((PVOID)inp->processid, &selectedprocess) == STATUS_SUCCESS)
 				{
-					PKAPC_STATE oldstate;
-					KeStackAttachProcess(selectedprocess, &oldstate);
+					KAPC_STATE oldstate;
+					KeStackAttachProcess((PKPROCESS)selectedprocess, &oldstate);
 					__try
 					{
 						ULONG returnLength;
@@ -2380,10 +2402,10 @@ NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 						if (inp->ProcessInformationAddress == 0)
 						{
 							DbgPrint("NULL ProcessInformationAddress");
-							outp->result = ZwQueryInformationProcess(NtCurrentProcess(), inp->ProcessInformationClass, NULL, inp->ProcessInformationLength, &returnLength);
+							outp->result = ZwQueryInformationProcess(NtCurrentProcess(), inp->ProcessInformationClass, NULL, (ULONG)inp->ProcessInformationLength, &returnLength);
 						}
 						else
-							outp->result = ZwQueryInformationProcess(NtCurrentProcess(), inp->ProcessInformationClass, &(outp->data), inp->ProcessInformationLength, &returnLength);
+							outp->result = ZwQueryInformationProcess(NtCurrentProcess(), inp->ProcessInformationClass, &(outp->data), (ULONG)inp->ProcessInformationLength, &returnLength);
 
 						DbgPrint("outp->result=%x", outp->result);
 
@@ -2413,6 +2435,13 @@ NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 			break;
 		}
 
+		case IOCTL_CE_NTPROTECTVIRTUALMEMORY:
+		{
+
+			
+			break;
+		}
+
         default:
 			DbgPrint("Unhandled IO request: %x\n", IoControlCode);			
             break;

DBKKernel/IOPLDispatcher.h

@@ -111,6 +111,7 @@
 #define IOCTL_CE_ENABLE_DRM						CTL_CODE(IOCTL_UNKNOWN_BASE, 0x085c, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
 #define IOCTL_CE_GET_PEB						CTL_CODE(IOCTL_UNKNOWN_BASE, 0x085d, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
 #define IOCTL_CE_QUERYINFORMATIONPROCESS		CTL_CODE(IOCTL_UNKNOWN_BASE, 0x085e, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
+#define IOCTL_CE_NTPROTECTVIRTUALMEMORY 		CTL_CODE(IOCTL_UNKNOWN_BASE, 0x085f, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
 
 extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTableShadow;
 extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

DBKKernel/SOURCES

@@ -2,6 +2,7 @@ TARGETNAME=dbk
 TARGETPATH=obj
 TARGETTYPE=DRIVER
 TARGETLIBS=$(DDK_LIB_PATH)\Ntstrsafe.lib
+
 AMD64_SOURCES=dbkfunca.asm vmxhelpera.asm debuggera.asm vmxoffloada.asm ultimapa.asm noexceptionsa.asm
 I386_SOURCES=noexceptionsa.asm
 SOURCES=DBKDrvr.c DBKFunc.c IOPLDispatcher.c memscan.c threads.c processlist.c vmxhelper.c interrupthook.c debugger.c vmxoffload.c deepkernel.c ultimap.c ultimap2.c noexceptions.c

DBKKernel/ces.bat

@@ -23,8 +23,8 @@ goto error
 
 :x86success:
 	copy .\obj%BUILD_ALT_DIR%\amd64\dbk.sys "..\Cheat Engine\bin\dbk64.sys"
-        "c:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /a /sha1 B43612984DA774647384FC539EF17C41305F92E2 /ac "..\cheat engine\release\sig\GlobalSign Root CA.crt" /t http://timestamp.globalsign.com/scripts/timstamp.dll "..\Cheat Engine\bin\dbk64.sys"
-	"c:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /a /sha1 A9F93214813B99645897CA59E4E83EBA4F65818B /ac "..\cheat engine\release\sig\GlobalSign Root CA.crt" /tr http://timestamp.globalsign.com/?signature=sha2 /td SHA256 /fd SHA256 /as "..\Cheat Engine\bin\dbk64.sys
+        "c:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /a  /ac "..\cheat engine\release\sig\GlobalSign Root CA.crt" /t http://timestamp.globalsign.com/scripts/timstamp.dll "..\Cheat Engine\bin\dbk64.sys"
+	"c:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /a /ac "..\cheat engine\release\sig\GlobalSign Root CA.crt" /tr http://timestamp.globalsign.com/?signature=sha2 /td SHA256 /fd SHA256 /as "..\Cheat Engine\bin\dbk64.sys
 
 
 	siggen\siggen.exe "..\Cheat Engine\bin\cheatengine-i386.exe"

DBKKernel/memscan.c

@@ -450,6 +450,7 @@ UINT_PTR SignExtend(UINT_PTR a)
 UINT_PTR KnownPageTableBase = 0;
 UINT_PTR getPageTableBase()
 {
+#if (NTDDI_VERSION >= NTDDI_VISTA)
 	if (KnownPageTableBase==0)
 	{
 		RTL_OSVERSIONINFOW v;
@@ -540,6 +541,10 @@ UINT_PTR getPageTableBase()
 	}	
 
 	return KnownPageTableBase;
+#else
+	return PAGETABLEBASE;
+#endif
+
 }
 
 typedef void PRESENTPAGECALLBACK(UINT_PTR StartAddress, UINT_PTR EndAddress, struct PTEStruct *pageEntry);

DBKKernel/noexceptions.c

@@ -13,6 +13,22 @@ extern void __cdecl NoException14(void); //declared in debuggera.asm
 extern int __cdecl ExceptionlessCopy_Internal(PVOID destination, PVOID source, int size);
 #endif
 
+#if (NTDDI_VERSION < NTDDI_VISTA)
+int KeQueryActiveProcessorCount(PVOID x)
+{
+	int cpucount=0;
+	KAFFINITY cpus = KeQueryActiveProcessors();
+	while (cpus)
+	{
+		if (cpus % 2)
+			cpucount++;
+
+		cpus = cpus / 2;
+	}
+
+	return cpucount;
+}
+#endif
 
 
 BOOL NoExceptions_Enter()
@@ -28,7 +44,7 @@ BOOL NoExceptions_Enter()
 		if (cpustate == NULL)
 		{
 			//initialize the list
-			MaxCPUCount = KeQueryActiveProcessorCount(NULL);
+			MaxCPUCount = (int)KeQueryActiveProcessorCount(NULL);
 			cpustate = ExAllocatePoolWithTag(NonPagedPool, MaxCPUCount*sizeof(CPUSTATE), 'cece');
 
 			if (cpustate)

DBKKernel/processlist.c

@@ -5,6 +5,8 @@
 #include "threads.h"
 #include "memscan.h"
 
+#include "ultimap2.h"
+
 PRTL_GENERIC_TABLE InternalProcessList = NULL;
 
 PEPROCESS WatcherProcess = NULL;
@@ -125,11 +127,19 @@ VOID CreateThreadNotifyRoutine(IN HANDLE  ProcessId,IN HANDLE  ThreadId,IN BOOLE
 	}
 }
 
-VOID CreateProcessNotifyRoutine( IN HANDLE  ParentId, IN HANDLE  ProcessId, IN BOOLEAN  Create)
-{	
+VOID CreateProcessNotifyRoutine(IN HANDLE  ParentId, IN HANDLE  ProcessId, IN BOOLEAN  Create)
+{
 	PEPROCESS CurrentProcess = NULL;
 	HANDLE ProcessHandle = 0;
-
+	/*
+	if (PsSuspendProcess)
+	{
+		DbgPrint("Suspending process %d", PsGetCurrentThreadId());
+		PsSuspendProcess(PsGetCurrentProcess());
+		DbgPrint("After PsGetCurrentProcess()");
+	}
+*/
+	
 	
 	if (KeGetCurrentIrql()==PASSIVE_LEVEL)
 	{
@@ -161,7 +171,7 @@ VOID CreateProcessNotifyRoutine( IN HANDLE  ParentId, IN HANDLE  ProcessId, IN B
 						ObReferenceObject(CurrentProcess);
 
 						
-						KeStackAttachProcess(WatcherProcess, &oldstate);						
+						KeStackAttachProcess((PKPROCESS)WatcherProcess, &oldstate);						
 						__try
 						{
 							__try
@@ -373,13 +383,11 @@ HANDLE GetHandleForProcessID(IN HANDLE ProcessID)
 		if (r)
 		{
 			DbgPrint("Found a handle for PID %d (%x)", (int)ProcessID, (int)r->ProcessHandle);
-			return (int)r->ProcessHandle; // r->ProcessHandle;
-		}
-		
-			
-	}
-	else
-		return 0;
+			return r->ProcessHandle; // r->ProcessHandle;
+		}	
+	}	
+
+	return 0;
 }
 
 VOID CleanProcessList()
@@ -395,7 +403,7 @@ VOID CleanProcessList()
 
 			if ((WatcherProcess) && (WatcherProcess != PsGetCurrentProcess()))
 			{				
-				KeStackAttachProcess(WatcherProcess, &oldstate);
+				KeStackAttachProcess((PKPROCESS)WatcherProcess, &oldstate);
 				ChangedContext = TRUE;
 			}