Driver to bypass Hackshield memory protection
with source code
HackShield memory protection works by hooking some functions in kernel space. EagleNT.sys is checking all parameters passed to hooked functions and then it blocks or allows operation. When HS memory unprotector driver is loaded, you can use OpenProcess, WriteProcessMemory and ReadProcessMemory like normal.
How memory protection works?
HackShield is replacing three functions (NtReadVirtualMemory, NtWriteVirtualMemory and NtOpenProcess) to protect game memory.
Hackshield01.PNG
How to bypass memory protection?
It's easy. We should take a look on NtWriteVirtualMemory function.
Hackshield02.PNG
As we can see, they are placing 'call' to EagleNT.sys function (call 0xA4A5C800).
Just go to this function (0xA4A5C800).
Hackshield03.PNG
As we can see, they are using ZwQueryInformationProcess function to translate HANDLE to process id (bad idea btw.). We can hook ZwQueryInformationProcess and if EgaleNt.sys is calling this, we can return 0 (or fake number) as process id. Thats all !
Next we should hook NtOpenProcess with small re-implementation of this function.
This material is for EDUCATIONAL PURPOSES only!
Author: Chris (aka kill1212)
Please register or login to download attachments.