all repos — gemini-redirect @ a426696024418031df1f0b35f4a364f9fe47881a

content/blog/woce-1.md (view raw)

  1+++
  2title = "Writing our own Cheat Engine: Introduction"
  3date = 2021-02-07
  4updated = 2021-02-16
  5[taxonomies]
  6category = ["sw"]
  7tags = ["windows", "rust", "hacking"]
  8+++
  9
 10This is part 1 on the *Writing our own Cheat Engine* series:
 11
 12* Part 1: Introduction
 13* [Part 2: Exact Value scanning](/blog/woce-2)
 14
 15[Cheat Engine][ce] is a tool designed to modify single player games and contains other useful tools within itself that enable its users to debug games or other applications. It comes with a memory scanner, (dis)assembler, inspection tools and a handful other things. In this series, we will be writing our own tiny Cheat Engine capable of solving all steps of the tutorial, and diving into how it all works underneath.
 16
 17Needless to say, we're doing this for private and educational purposes only. One has to make sure to not violate the EULA or ToS of the specific application we're attaching to. This series, much like cheatengine.org, does not condone the illegal use of the code shared.
 18
 19Cheat Engine is a tool for Windows, so we will be developing for Windows as well. However, you can also [read memory from Linux-like systems][linux-readmem]. [GameConqueror][game-conqueror] is a popular alternative to Cheat Engine on Linux systems, so if you feel adventurous, you could definitely follow along too! The techniques shown in this series apply regardless of how we read memory from a process. You will learn a fair bit about doing FFI in Rust too.
 20
 21We will be developing the application in Rust, because it enables us to interface with the Windows API easily, is memory safe (as long as we're careful with `unsafe`!), and is speedy (we will need this for later steps in the Cheat Engine tutorial). You could use any language of your choice though. For example, [Python also makes it relatively easy to use the Windows API][python-ctypes]. You don't need to be a Rust expert to follow along, but this series assumes some familiarity with C-family languages. Slightly advanced concepts like the use of `unsafe` or the `MaybeUninit` type will be briefly explained. What a `fn` is or what `let` does will not be explained.
 22
 23[Cheat Engine's source code][ce-code] is mostly written in Pascal and C. And it's *a lot* of code, with a very flat project structure, and files ranging in the thousand lines of code each. It's daunting[^1]. It's a mature project, with a lot of knowledge encoded in the code base, and a lot of features like distributed scanning or an entire disassembler. Unfortunately, there's not a lot of comments. For these reasons, I'll do some guesswork when possible as to how it's working underneath, rather than actually digging into what Cheat Engine is actually doing.
 24
 25With that out of the way, let's get started!
 26
 27## Welcome to the Cheat Engine Tutorial
 28
 29<details open><summary>Cheat Engine Tutorial: Step 1</summary>
 30
 31> This tutorial will teach you the basics of cheating in video games. It will also show you foundational aspects of using Cheat Engine (or CE for short). Follow the steps below to get started.
 32>
 33> 1. Open Cheat Engine if it currently isn't running.
 34> 2. Click on the "Open Process" icon (it's the top-left icon with the computer on it, below "File".).
 35> 3. With the Process List window now open, look for this tutorial's process in the list. It will look something like > "00001F98-Tutorial-x86_64.exe" or "0000047C-Tutorial-i386.exe". (The first 8 numbers/letters will probably be different.)
 36> 4. Once you've found the process, click on it to select it, then click the "Open" button. (Don't worry about all the > other buttons right now. You can learn about them later if you're interested.)
 37>
 38> Congratulations! If you did everything correctly, the process window should be gone with Cheat Engine now attached to the > tutorial (you will see the process name towards the top-center of CE).
 39>
 40> Click the "Next" button below to continue, or fill in the password and click the "OK" button to proceed to that step.)
 41>
 42> If you're having problems, simply head over to forum.cheatengine.org, then click on "Tutorials" to view beginner-friendly > guides!
 43
 44</details>
 45
 46## Enumerating processes
 47
 48Our first step is attaching to the process we want to work with. But we need a way to find that process in the first place! Having to open the task manager, look for the process we care about, noting down the process ID (PID), and slapping it in the source code is not satisfying at all. Instead, let's enumerate all the processes from within the program, and let the user select one by typing its name.
 49
 50From a quick [DuckDuckGo search][ddg-enumproc], we find an official tutorial for [Enumerating All Processes][tut-enumproc], which leads to the [`EnumProcesses`][api-enumproc] call. Cool! Let's slap in the [`winapi`][winapi-crate] crate on `Cargo.toml`, because I don't want to write all the definitions by myself:
 51
 52```toml
 53[dependencies]
 54winapi = { version = "0.3.9", features = ["psapi"] }
 55```
 56
 57Because [`EnumProcesses`][api-enumproc] is in `Psapi.h` (you can see this in the online page of its documentation), we know we'll need the `psapi` crate feature. Another option is to search for it in the [`winapi` documentation][winapi-doc] and noting down the parent module where its stored.
 58
 59The documentation for the method has the following remark:
 60
 61> It is a good idea to use a large array, because it is hard to predict how many processes there will be at the time you call **EnumProcesses**.
 62
 63*Sidenote: reading the documentation for the methods we'll use from the Windows API is extremely important. There's a lot of gotchas involved, so we need to make sure we're extra careful.*
 64
 651024 is a pretty big number, so let's go with that:
 66
 67```rust
 68use std::io;
 69use std::mem;
 70use winapi::shared::minwindef::{DWORD, FALSE};
 71
 72pub fn enum_proc() -> io::Result<Vec<u32>> {
 73    let mut pids = Vec::<DWORD>::with_capacity(1024);
 74    let mut size = 0;
 75    // SAFETY: the pointer is valid and the size matches the capacity.
 76    if unsafe {
 77        winapi::um::psapi::EnumProcesses(
 78            pids.as_mut_ptr(),
 79            (pids.capacity() * mem::size_of::<DWORD>()) as u32,
 80            &mut size,
 81        )
 82    } == FALSE
 83    {
 84        return Err(io::Error::last_os_error());
 85    }
 86
 87    todo!()
 88}
 89```
 90
 91We allocate enough space[^2] for 1024 `pids` in a vector[^3], and pass a mutable pointer to the contents to `EnumProcesses`. Note that the size of the array is in *bytes*, not items, so we need to multiply the capacity by the size of `DWORD`. The API likes to use `u32` for sizes, unlike Rust which uses `usize`, so we need a cast.
 92
 93Last, we need another mutable variable where the amount of bytes written is stored, `size`.
 94
 95> If the function fails, the return value is zero. To get extended error information, call [`GetLastError`][getlasterr].
 96
 97That's precisely what we do. If it returns false (zero), we return the last OS error. Rust provides us with [`std::io::Error::last_os_error`][lasterr], which essentially makes that same call but returns a proper `io::Error` instance. Cool!
 98
 99> To determine how many processes were enumerated, divide the *lpcbNeeded* value by `sizeof(DWORD)`.
100
101Easy enough:
102
103```rust
104let count = size as usize / mem::size_of::<DWORD>();
105// SAFETY: the call succeeded and count equals the right amount of items.
106unsafe { pids.set_len(count) };
107Ok(pids)
108```
109
110Rust doesn't know that the memory for `count` items were initialized by the call, but we do, so we make use of the [`Vec::set_len`][vecsetlen] call to indicate this. The Rust documentation even includes a FFI similar to our code!
111
112Let's give it a ride:
113
114```rust
115fn main() {
116    dbg!(enum_proc().unwrap().len());
117}
118```
119
120```
121>cargo run
122   Compiling memo v0.1.0
123    Finished dev [unoptimized + debuginfo] target(s) in 0.20s
124     Running `target\debug\memo.exe`
125[src\main.rs:27] enum_proc().unwrap().len() = 178
126```
127
128It works! But currently we only have a bunch of process identifiers, with no way of knowing which process they refer to.
129
130> To obtain process handles for the processes whose identifiers you have just obtained, call the [`OpenProcess`][openproc] function.
131
132Oh!
133
134## Opening a process
135
136The documentation for `OpenProcess` also contains the following:
137
138> When you are finished with the handle, be sure to close it using the [`CloseHandle`](closehandle) function.
139
140This sounds to me like the perfect time to introduce a custom `struct Process` with an `impl Drop`! We're using `Drop` to cleanup resources, not behaviour, so it's fine. [Using `Drop` to cleanup behaviour is a bad idea][drop-behaviour]. But anyway, let's get back to the code:
141
142```rust
143use std::ptr::NonNull;
144use winapi::ctypes::c_void;
145
146pub struct Process {
147    pid: u32,
148    handle: NonNull<c_void>,
149}
150
151impl Process {
152    pub fn open(pid: u32) -> io::Result<Self> {
153        todo!()
154    }
155}
156
157impl Drop for Process {
158    fn drop(&mut self) {
159        todo!()
160    }
161}
162```
163
164For `open`, we'll want to use `OpenProcess` (and we also need to add the `processthreadsapi` feature to the `winapi` dependency in `Cargo.toml`). It returns a `HANDLE`, which is a nullable mutable pointer to `c_void`. If it's null, the call failed, and if it's non-null, it succeeded and we have a valid handle. This is why we use Rust's [`NonNull`][nonnull]:
165
166```rust
167// SAFETY: the call doesn't have dangerous side-effects.
168NonNull::new(unsafe { winapi::um::processthreadsapi::OpenProcess(0, FALSE, pid) })
169    .map(|handle| Self { pid, handle })
170    .ok_or_else(io::Error::last_os_error)
171```
172
173`NonNull` will return `Some` if the pointer is non-null. We map the non-null pointer to a `Process` instance with `Self { .. }`. `ok_or_else` converts the `Option` to a `Result` with the error builder function we provide if it was `None`.
174
175The first parameter is a bitflag of permissions we want to have. For now, we can leave it as zero (all bits unset, no specific permissions granted). The second one is whether we want to inherit the handle, which we don't, and the third one is the process identifier. Let's close the resource handle on `Drop` (after adding `handleapi` to the crate features):
176
177```rust
178// SAFETY: the handle is valid and non-null.
179unsafe { winapi::um::handleapi::CloseHandle(self.handle.as_mut()) };
180```
181
182`CloseHandle` can actually fail (for example, on double-close), but given our invariants, it won't. You could add an `assert!` to panic if this is not the case.
183
184We can now open processes, and they will be automatically closed on `Drop`. Does any of this work though?
185
186```rust
187fn main() {
188    let mut success = 0;
189    let mut failed = 0;
190    enum_proc().unwrap().into_iter().for_each(|pid| match Process::open(pid) {
191        Ok(_) => success += 1,
192        Err(_) => failed += 1,
193    });
194
195    eprintln!("Successfully opened {}/{} processes", success, success + failed);
196}
197```
198
199```
200>cargo run
201   Compiling memo v0.1.0
202    Finished dev [unoptimized + debuginfo] target(s) in 0.36s
203     Running `target\debug\memo.exe`
204Successfully opened 0/191 processes
205```
206
207…nope. Maybe the documentation for `OpenProcess` says something?
208
209> `dwDesiredAccess`
210>
211> The access to the process object. This access right is checked against the security descriptor for the process. This parameter can be **one or more** of the process access rights.
212
213One or more, but we're setting zero permissions. I told you, reading the documentation is important[^4]! The [Process Security and Access Rights][proc-rights] page lists all possible values we could use. `PROCESS_QUERY_INFORMATION` seems to be appropriated:
214
215> Required to retrieve certain information about a process, such as its token, exit code, and priority class
216
217```rust
218OpenProcess(winapi::um::winnt::PROCESS_QUERY_INFORMATION, ...)
219```
220
221Does this fix it?
222
223```rust
224>cargo run
225   Compiling memo v0.1.0
226    Finished dev [unoptimized + debuginfo] target(s) in 0.36s
227     Running `target\debug\memo.exe`
228Successfully opened 69/188 processes
229```
230
231*Nice*. It does solve it. But why did we only open 69 processes out of 188? Does it help if we run our code as administrator? Let's search for `cmd` in the Windows menu and right click to Run as administrator, then `cd` into our project and try again:
232
233```
234>cargo run
235    Finished dev [unoptimized + debuginfo] target(s) in 0.01s
236     Running `target\debug\memo.exe`
237Successfully opened 77/190 processes
238```
239
240We're able to open a few more, so it does help. In general, we'll want to run as administrator, so normal programs can't sniff on what we're doing, and so that we have permission to do more things.
241
242## Getting the name of a process
243
244We're not done enumerating things just yet. To get the "name" of a process, we need to enumerate the modules that it has loaded, and only then can we get the module base name. The first module is the program itself, so we don't need to enumerate *all* modules, just the one is enough.
245
246For this we want [`EnumProcessModules`][mod-enumproc] and [`GetModuleBaseNameA`][mod-name]. I'm using the ASCII variant of `GetModuleBaseName` because I'm too lazy to deal with UTF-16 of the `W` (wide, unicode) variants.
247
248```rust
249use std::mem::MaybeUninit;
250use winapi::shared::minwindef::HMODULE;
251
252pub fn name(&self) -> io::Result<String> {
253    let mut module = MaybeUninit::<HMODULE>::uninit();
254    let mut size = 0;
255    // SAFETY: the pointer is valid and the size is correct.
256    if unsafe {
257        winapi::um::psapi::EnumProcessModules(
258            self.handle.as_ptr(),
259            module.as_mut_ptr(),
260            mem::size_of::<HMODULE>() as u32,
261            &mut size,
262        )
263    } == FALSE
264    {
265        return Err(io::Error::last_os_error());
266    }
267
268    // SAFETY: the call succeeded, so module is initialized.
269    let module = unsafe { module.assume_init() };
270    todo!()
271}
272```
273
274`EnumProcessModules` takes a pointer to an array of `HMODULE`. We could use a `Vec` of capacity one to hold the single module, but in memory, a pointer a single item can be seen as a pointer to an array of items. `MaybeUninit` helps us reserve enough memory for the one item we need.
275
276With the module handle, we can retrieve its base name:
277
278```rust
279let mut buffer = Vec::<u8>::with_capacity(64);
280// SAFETY: the handle, module and buffer are all valid.
281let length = unsafe {
282    winapi::um::psapi::GetModuleBaseNameA(
283        self.handle.as_ptr(),
284        module,
285        buffer.as_mut_ptr().cast(),
286        buffer.capacity() as u32,
287    )
288};
289if length == 0 {
290    return Err(io::Error::last_os_error());
291}
292
293// SAFETY: the call succeeded and length represents bytes.
294unsafe { buffer.set_len(length as usize) };
295Ok(String::from_utf8(buffer).unwrap())
296```
297
298Similar to how we did with `EnumProcesses`, we create a buffer that will hold the ASCII string of the module's base name[^5]. The call wants us to pass a pointer to a mutable buffer of `i8`, but Rust's `String::from_utf8` wants a `Vec<u8>`, so instead we declare a buffer of `u8` and `.cast()` the pointer in the call. You could also do this with `as _`, and Rust would infer the right type, but `cast` is neat.
299
300We `unwrap` the creation of the UTF-8 string because the buffer should contain only ASCII characters (which are also valid UTF-8). We could use the `unsafe` variant to create the string, but what if somehow it contains non-ASCII characters? The less `unsafe`, the better.
301
302Let's see it in action:
303
304```rust
305fn main() {
306    enum_proc()
307        .unwrap()
308        .into_iter()
309        .for_each(|pid| match Process::open(pid) {
310            Ok(proc) => match proc.name() {
311                Ok(name) => println!("{}: {}", pid, name),
312                Err(e) => println!("{}: (failed to get name: {})", pid, e),
313            },
314            Err(e) => eprintln!("failed to open {}: {}", pid, e),
315        });
316}
317```
318
319```
320>cargo run
321   Compiling memo v0.1.0
322    Finished dev [unoptimized + debuginfo] target(s) in 0.32s
323     Running `target\debug\memo.exe`
324failed to open 0: The parameter is incorrect. (os error 87)
325failed to open 4: Access is denied. (os error 5)
326...
327failed to open 5940: Access is denied. (os error 5)
3285608: (failed to get name: Access is denied. (os error 5))
329...
3301704: (failed to get name: Access is denied. (os error 5))
331failed to open 868: Access is denied. (os error 5)
332...
333```
334
335That's not good. What's up with that? Maybe…
336
337> The handle must have the `PROCESS_QUERY_INFORMATION` and `PROCESS_VM_READ` access rights.
338
339…I should've read the documentation. Okay, fine:
340
341```rust
342use winapi::um::winnt;
343OpenProcess(winnt::PROCESS_QUERY_INFORMATION | winnt::PROCESS_VM_READ, ...)
344```
345
346```
347>cargo run
348   Compiling memo v0.1.0 (C:\Users\L\Desktop\memo)
349    Finished dev [unoptimized + debuginfo] target(s) in 0.35s
350     Running `target\debug\memo.exe`
351failed to open 0: The parameter is incorrect. (os error 87)
352failed to open 4: Access is denied. (os error 5)
353...
3549348: cheatengine-x86_64.exe
3553288: Tutorial-x86_64.exe
3568396: cmd.exe
3574620: firefox.exe
3587964: cargo.exe
35910052: cargo.exe
3605756: memo.exe
361```
362
363Hooray 🎉! There's some processes we can't open, but that's because they're system processes. Security works!
364
365## Finale
366
367That was a fairly long post when all we did was print a bunch of pids and their corresponding name. But in all fairness, we also laid out a good foundation for what's coming next.
368
369You can [obtain the code for this post][code] over at my GitHub. At the end of every post, the last commit will be tagged, so you can `git checkout step1` to see the final code for any blog post.
370
371In the [next post](/blog/woce-2), we'll tackle the second step of the tutorial: Exact Value scanning.
372
373### Footnotes
374
375[^1]: You could say I simply love reinventing the wheel, which I do, but in this case, the codebase contains *far* more features than we're interested in. The (apparent) lack of structure and documentation regarding the code, along with the unfortunate [lack of license][lack-license] for the source code, make it a no-go. There's a license, but I think that's for the distributed program itself.
376
377[^2]: If it turns out that there are more than 1024 processes, our code will be unaware of those extra processes. The documentation suggests to perform the call again with a larger buffer if `count == provided capacity`, but given I have under 200 processes on my system, it seems unlikely we'll reach this limit. If you're worried about hitting this limit, simply use a larger limit or retry with a larger vector.
378
379[^3]: C code would likely use [`GlobalAlloc`][global-alloc] here, but Rust's `Vec` handles the allocation for us, making the code both simpler and more idiomatic. In general, if you see calls to `GlobalAlloc` when porting some code to Rust, you can probably replace it with a `Vec`.
380
381[^4]: This will be a recurring theme.
382
383[^5]: …and similar to `EnumProcesses`, if the name doesn't fit in our buffer, the result will be truncated.
384
385[ce]: https://cheatengine.org/
386[python-ctypes]: https://lonami.dev/blog/ctypes-and-windows/
387[ce-code]: https://github.com/cheat-engine/cheat-engine/
388[linux-readmem]: https://stackoverflow.com/q/12977179/4759433
389[game-conqueror]: https://github.com/scanmem/scanmem
390[ddg-enumproc]: https://ddg.gg/winapi%20enumerate%20all%20processes
391[tut-enumproc]: https://docs.microsoft.com/en-us/windows/win32/psapi/enumerating-all-processes
392[api-enumproc]: https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumprocesses
393[winapi-crate]: https://crates.io/crates/winapi
394[winapi-doc]: https://docs.rs/winapi/
395[getlasterr]: https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-getlasterror
396[lasterr]: https://doc.rust-lang.org/stable/std/io/struct.Error.html#method.last_os_error
397[vecsetlen]: https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.set_len
398[openproc]: https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
399[closehandle]: https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-closehandle
400[drop-behaviour]: https://internals.rust-lang.org/t/pre-rfc-leave-auto-trait-for-reliable-destruction/13825
401[nonnull]: https://doc.rust-lang.org/stable/std/ptr/struct.NonNull.html
402[proc-rights]: https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
403[mod-enumproc]: https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumprocessmodules
404[mod-name]: https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-getmodulebasenamea
405[code]: https://github.com/lonami/memo
406[lack-license]: https://github.com/cheat-engine/cheat-engine/issues/60
407[global-alloc]: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-globalalloc