
【Android】CheatEngine With Kernel Module


Sometimes we need to read or write another process's memory while keeping that process completely unaware of it. Normally this is done with the process_vm_readv and process_vm_writev syscalls provided by the Android kernel. However, there are several ways to detect such accesses. Some anti-cheat systems insert special memory pages into the game's memory and use mincore to detect when those pages have been read or written. The detection mechanism relies primarily on the page-fault path. The details of this detection principle are beyond the scope of this article; if you are interested, you can refer to these resources:

  1. https://blog.csdn.net/qq_30275375/article/details/123611213
  2. https://bbs.kanxue.com/thread-277144.htm
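The canary-page check described above, written out as an added example in C (it is not code from the original post or from the rwMem project): the protected process allocates a page it never touches, so the page stays non-resident until some reader, whether a plain load or process_vm_readv from a scanner, faults it in and mincore starts reporting it resident. The function names and the one-page layout are my own assumptions.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/uio.h>
#include <unistd.h>

/* Map one anonymous page that this process never touches itself. Anonymous
 * memory is populated lazily: no PTE exists until something reads or writes
 * the page, and until then mincore reports it as not resident. */
static void *canary_alloc(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* 1 if the canary page is resident, 0 if still untouched, -1 on error.
 * A length of 1 is rounded up to one page by mincore. */
static int canary_touched(void *p)
{
    unsigned char vec = 0;
    if (mincore(p, 1, &vec) != 0) return -1;
    return vec & 1;
}

/* Stand-in for a scanner: process_vm_readv on our own pid takes the same
 * page-fault path a reader in another process would. If the sandbox denies
 * the syscall, a plain load from this process faults the page in just the same. */
static void scanner_read(void *p)
{
    unsigned char buf[16];
    struct iovec local = { buf, sizeof buf }, remote = { p, sizeof buf };
    if (process_vm_readv(getpid(), &local, 1, &remote, 1, 0) != (ssize_t)sizeof buf)
        buf[0] = *(volatile unsigned char *)p;
}

/* Whole check: returns 1 when the canary was non-resident before the read and
 * resident after it (scanner detected), 0 otherwise, -1 on error. */
static int canary_demo(void)
{
    void *p = canary_alloc();
    if (!p) return -1;
    int before = canary_touched(p);
    scanner_read(p);
    int after = canary_touched(p);
    munmap(p, (size_t)sysconf(_SC_PAGESIZE));
    return before == 0 && after == 1;
}
```

The check only sees accesses that go through the target's own page tables; a reader that touches the physical page from kernel space installs no PTE in the target, which is the gap the rest of this post exploits.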

To access a process's memory without being detected, we need an approach that is as simple as possible. One option is a kernel module that reads and writes physical memory. Thankfully, there are numerous open-source projects that can be compiled and used directly. In this article, I will introduce a straightforward way to compile and use a kernel module to access a process's memory.

Build Android Kernel

Before compiling the Android kernel module, we must first compile an Android kernel matching the one on our phone in order to obtain its header files. For example, the kernel in my phone is version 5.15.41, so I set the branch to common-android13-5.15.

mkdir android-kernel
cd android-kernel

repo init -u https://android.googlesource.com/kernel/manifest -b common-android13-5.15
repo sync

Build Kernel

LTO=thin BUILD_CONFIG=common/build.config.gki.aarch64 build/build.sh

# If you want a kernel image with KernelSU, run the following commands instead
curl -LSs "https://raw.githubusercontent.com/tiann/KernelSU/main/kernel/setup.sh" | bash -
LTO=thin BUILD_CONFIG=common/build.config.gki.aarch64 build/build.sh

Build rwMem Kernel Module

Once the kernel is built, we can select an open-source project and compile it against it. I opted for the rwMem project, which offers a straightforward implementation for accessing physical memory. @richar added a hardware-breakpoint feature to this project and made it support CheatEngine 7.5.

sudo apt install pahole
git clone https://github.com/ri-char/rwMem.git
export PATH=/home/qfrost/android-kernel/prebuilts/clang/host/linux-x86/clang-r450784e/bin:$PATH

# build rwMem.ko
cd rwMem/rwMem
make CC=clang LLVM=1 KDIR=/home/qfrost/android-kernel/out/android13-5.15/common

# build hwBreakpointProc1.ko (hwBreakpoint is a sibling directory of rwMem/rwMem)
cd ../hwBreakpoint
make CC=clang LLVM=1 KDIR=/home/qfrost/android-kernel/out/android13-5.15/common

If rwMem compiles successfully, you will find rwMem.ko under the project root folder.

We can use the following commands to load the kernel module and confirm it is present.

OP591BL1:/data/data/com.termux/files/home # insmod rwMem.ko
OP591BL1:/data/data/com.termux/files/home # lsmod | grep "rw"
rwMem                  28672  0

Build CEServer

By default, CheatEngine uses process_vm_readv and process_vm_writev to access process memory. Now I want CheatEngine to read and write process memory through the rwProcMem kernel module instead, which requires modifying the source of CE-Server. Luckily, rwMem has already done this work. Building CE-Server on a computer is troublesome because it requires a cross-compilation environment for Android programs, so I chose to compile CE-Server on my Android device.

First, install Termux and copy the rwMem/CEServer folder to your Android device.

pkg install clang

mv CEServer /data/data/com.termux/files/home/
cd /data/data/com.termux/files/home/
chmod -R 777 CEServer
cd CEServer
g++ *.cpp -lz

The result is a file named a.out in the current working directory. Running it starts CE-Server, which prints the port it is listening on.

[Screenshot: CE-Server output]

Once we know this port, we can connect to CE-Server from the CheatEngine program.

adb forward tcp:3168 tcp:3168

[Screenshot: CheatEngine network connection dialog]

After a few seconds, CheatEngine shows the phone's process list.
[Screenshot: CheatEngine process list]

Now you can attach to any process and search for whatever you want in CheatEngine, with memory access going through the rwProcMem kernel module.
[Screenshot: CheatEngine in use]


Written by Qfrost (CTFer, Anti-Cheater, LLVM Committer)