ceload

A tool that allows you to manually load up CheatEngine’s signed driver and get a handle to it for various kernel hacking operations.
The code is well documented using comments and a short outline of what’s happening is described below and as such this project is a learning resource.
The project has been tested with CheatEngine 7.3.

What is this?

CheatEngine is a well known tool for game hacking. It features a wide variety of functionality, however, (ab)using that functionality within your own project may not be as easy. There’s plenty of scenarios where one would want to use a signed driver to execute code in kernel space but getting your hands on a certificate may not be as easy. dbk64.sys – CheatEngine’s kernel driver – features a ton of functionality such as kernel read/write, process interactions, and more. However, the author of CheatEngine went out of their way to lock down the signed driver so that one can not easily load it up or get a handle to it.
The project allows you to do exactly that: Load up CheatEngine’s signed driver and grab a handle to it.

How does it work?

To bypass CheatEngine’s checks we try to make us as legit as possible. CheatEngine employs a couple checks to check for the integrity of the calling process.

  1. Check whether the calling process matches a signature generated by the owner [Reference: CheckSignature]
    • We bypass this by starting the original executable as it’s an on-disk check
  2. Check whether the process has been tampered with [Reference: TestProcess]
    • We bypass this by restoring the bytes from the on-disk file
  3. Check whether the calling thread comes from within the .text section [Reference: TestProcess]
    • We bypass this by making sure we spawn the threads from the .text section

This task is split into a few steps:

  1. Start the original CheatEngine process in a suspended state
  2. We patch our shellcode into CheatEngine’s entrypoint
    • This is faciliated by the fact that CheatEngine is loaded without ASLR
  3. We then resume all threads
  4. The shellcode will load our DLL
  5. Now the loader performs a few more tasks:
    1. Prepare the registry, namely the A, B, C and D values
    2. Start the driver service
    3. Copy the original bytes from the .text section into our process
    4. Grab a handle to the driver

What can I do with this?

I’ll give you two ideas:

  1. Write code that can interact with the kernel. Afterall, you don’t have to worry about writing your own kernel routines as CheatEngine covers most of the basics.
  2. Write a driver manualmapper to load up your own unsigned driver without having to disable Driver Signature Enforcement.

Usage

  1. Make sure CheatEngine 7.3 is installed. You may have to run it at least once (with kernel settings enabled)
  2. Execute ceload.exe as administrator. Make sure loader.dll is in the same directory as ceload.exe
  3. If you want to use the handle, have a look at the loader project

GitHub

View Github