The PID can be found, but its base address cannot be found.
subeoy1 opened this issue · 5 comments
```cpp
#define VMMDLL_ProcessGetModuleBase VMMDLL_ProcessGetModuleBaseW

uintptr_t c_process::get_module_base(const std::wstring& module_name) {
    return VMMDLL_ProcessGetModuleBase(m_vmh, (DWORD)m_pid, (LPWSTR)module_name.c_str());
}

// Call site: resolve the base address of the process's main module.
m_base = get_module_base(utils->string_to_wstring(process_name));
if (!m_base)
{
    std::cout << "Failed getting base address for process.\n";
    return false;
}
```
If it fails, m_base is 0.
The 5E Protect the Game
no support for cheats :D
Why can other people's software support it? Is there any other way?
No discussions about Anti-Cheat bypasses on this Github. There are far better forums for that. Thank You.
I have switched to Rust now. And slowly get used to your memprocfs crate. Thank you for releasing it.
@ufrisk Sorry for bumping this (if I can even comment on this after pressing on "comment"), but it looks like anti-cheats do mess with the module list, as this information has been established already. But precisely only your method seems to be affected.
What I found out is that like @subeoy1, I wasn't able to get the process base address of a game protected by EAC the ordinary way.
```
// notepad++.exe
vmmprocess.get_module_base():
notepad++.exe -> 7ff698160000
...
// r5apex.exe
vmmprocess.get_module_base():
-/-
```

But I was able to parse the list returned by `memprocfs::VmmProcess | pub fn map_vad` for the name of the process in the `memprocfs::VmmProcessMapVadEntry | pub info: String` field. Do you think this is something we could get implemented and use as a backup in the future? Seems to be a solution or rather workaround to that "problem" as I am getting consistent results across different processes.
Thought I'd let you know about this. Since what anti-cheats can do, malware and all the other programs your DMA toolkit could be used on can do too. Could have genuine use besides, you know what.
This might be of use for CS too @S1ckZer. But you don't seem to have any issues in regards to your AL solution. I assume you actually restore some tables EAC gets rid of. Which would be the proper solution. But I am too lazy now that I found a quickfix.
Code:

```rust
let args = ["-printf", "-device", "fpga"].to_vec();
let vmm_path = "./target/debug/vmm.dll";
let current_dir = std::env::current_dir().unwrap_or_else(|e| {
    println!("Failed to get current directory: {}", e);
    return std::path::Path::new("").to_path_buf(); // Return an empty PathBuf as a fallback
});
let vmm = match memprocfs::Vmm::new(vmm_path, &args) {
    Ok(vmm) => vmm,
    Err(e) => {
        println!(
            "Failed to create Vmm object. Error: '{}'\nLibrary path '{}'\nCurrent directory '{}'",
            e,
            vmm_path,
            current_dir.display()
        );
        return;
    }
};
let vmmprocess = match vmm.process_from_name("r5apex.exe") {
    Ok(vmmprocess) => {
        println!("Process found! PID: {}", vmmprocess.pid);
        vmmprocess
    },
    Err(e) => {
        println!(
            "Failed to find r5apex.exe. Error: '{}'",
            e
        );
        return;
    }
};
if let Ok(vad_all) = vmmprocess.map_vad(true) {
    println!("Number of VAD entries: {}.", vad_all.len());
    if let Some(vad_entry) = vad_all.iter().find(|vad| vad.info.ends_with("r5apex.exe")) {
        println!("Found VAD entry: {:#X}", vad_entry.va_start);
    } else {
        println!("No VAD entry contains 'r5apex.exe' at the end.");
    }
} else {
    println!("Failed to retrieve VAD entries.");
}
```
Output:

```
PS C:\Users\micro\Downloads\rust-dma-al> cargo build
   Compiling rust-dma-al v0.1.0 (C:\Users\micro\Downloads\rust-dma-al)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.54s
PS C:\Users\micro\Downloads\rust-dma-al> cargo run
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.02s
     Running `target\debug\rust-dma-al.exe`
[SYMBOL] Functionality may be limited. Extended debug information disabled.
[SYMBOL] Offline symbols unavailable - file 'info.db' not found.
[SYMBOL] Reason: Could not load PDB required file - symsrv.dll/dbghelp.dll.
[SYMBOL] Reason: Could not load PDB required file - libpdbcrust.dll/so.
Initialized 64-bit Windows 10.0.22621
[PLUGIN] Python initialization failed. Python 3.6 or later not found.
Process found! PID: 6700
Number of VAD entries: 820.
Found VAD entry: 0x7FF7C1890000
```