《由于我的C用的比较少所以大部分都用的汇编部分地方用》由会员分享,可在线阅读,更多相关《由于我的C用的比较少所以大部分都用的汇编部分地方用(18页珍藏版)》请在金锄头文库上搜索。
1、由于我的C用的比较少,所以大部分都用的汇编,部分地方用汇编写不是很方便,所以我用的C,由于只是学习,所以内核地址我没有计算都是硬编码的。过DNF主要分为三步,也许我的思路不太正确,反正可以OD调试,下断。程序没怎么修边幅,因为只是测试,所以一般都没有写更改内核后的恢复,不过不妨碍使用。第一步,这也是最起码的,你必须要能够打开游戏进程和线程,能够开打进程和线程后不被检测到第二步,能够读写进村内存第三步,能够用OD附加游戏进程第四步,能够下硬件断点而不被检测跳过NtReadVirtualMemory,NtWriteVirtualMemory函数头的钩子代码:#includetypedef stru
2、ct _SERVICE_DESCRIPTOR_TABLE PVOID ServiceTableBase; PULONG ServiceCounterTableBase; ULONG NumberOfService; ULONG ParamTableBase;SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE; /由于KeServiceDescriptorTable只有一项,这里就简单点了extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;/KeServiceDescriptorT
3、able为导出函数/VOID Hook();VOID Unhook();VOID OnUnload(IN PDRIVER_OBJECT DriverObject);/ULONG JmpAddress;/跳转到NtOpenProcess里的地址ULONG JmpAddress1;/跳转到NtOpenProcess里的地址ULONG OldServiceAddress;/原来NtOpenProcess的服务地址ULONG OldServiceAddress1;/原来NtOpenProcess的服务地址/_declspec(naked) NTSTATUS _stdcall MyNtReadVirtu
4、alMemory(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded) /跳过去 _asm push 0x1c push 804eb560h /共十个字节 jmp JmpAddress _declspec(naked) NTSTATUS _stdcall MyNtWriteVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG Numbe
5、rOfBytesToWrite, PULONG NumberOfBytesReaded) /跳过去 _asm push 0x1c push 804eb560h /共十个字节 jmp JmpAddress1 /NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath) DriverObject-DriverUnload = OnUnload; DbgPrint(Unhooker load); Hook(); return STATUS_SUCCESS;/VOID OnUnload(IN PDR
6、IVER_OBJECT DriverObject) DbgPrint(Unhooker unload!); Unhook();/VOID Hook() ULONG Address, Address1; Address = (ULONG)KeServiceDescriptorTable-ServiceTableBase + 0xBA * 4;/0x7A为NtOpenProcess服务ID Address1 = (ULONG)KeServiceDescriptorTable-ServiceTableBase + 0x115 * 4;/0x7A为NtOpenProcess服务ID DbgPrint(
7、Address:0x%08X,Address); OldServiceAddress = *(ULONG*)Address;/保存原来NtOpenProcess的地址 OldServiceAddress1 = *(ULONG*)Address1;/保存原来NtOpenProcess的地址 DbgPrint(OldServiceAddress:0x%08X,OldServiceAddress); DbgPrint(OldServiceAddress1:0x%08X,OldServiceAddress1); DbgPrint(MyNtOpenProcess:0x%08X,MyNtReadVirtu
8、alMemory); DbgPrint(MyNtOpenProcess:0x%08X,MyNtWriteVirtualMemory); JmpAddress = (ULONG)0x805b528a + 7; /跳转到NtOpenProcess函数头10的地方,这样在其前面写的JMP都失效了 JmpAddress1 = (ULONG)0x805b5394 + 7; DbgPrint(JmpAddress:0x%08X,JmpAddress); DbgPrint(JmpAddress1:0x%08X,JmpAddress1); _asm /去掉内存保护 cli mov eax,cr0 and ea
9、x,not 10000h mov cr0,eax *(ULONG*)Address) = (ULONG)MyNtReadVirtualMemory;/HOOK SSDT *(ULONG*)Address1) = (ULONG)MyNtWriteVirtualMemory; _asm /恢复内存保护 mov eax,cr0 or eax,10000h mov cr0,eax sti /VOID Unhook() ULONG Address, Address1; Address = (ULONG)KeServiceDescriptorTable-ServiceTableBase + 0xBA *
10、4;/查找SSDT Address1 = (ULONG)KeServiceDescriptorTable-ServiceTableBase + 0x115 * 4; _asm cli mov eax,cr0 and eax,not 10000h mov cr0,eax *(ULONG*)Address) = (ULONG)OldServiceAddress;/还原SSDT *(ULONG*)Address1) = (ULONG)OldServiceAddress1;/还原SSDT _asm mov eax,cr0 or eax,10000h mov cr0,eax sti DbgPrint(U
11、nhook);由于它不断对DebugPort清零,所以要修改调试相关函数,使得所有的访问DebugPort的地方全部访问EPROCESS中的ExitTime字节,这样它怎么清零都无效了,也检测不到代码:.386.model flat, stdcalloption casemap:noneinclude dnf_hook.inc.constDspdo_1 equ 80643db6hDmpp_1 equ 80642d5ehDmpp_2 equ 80642d64hDct_1 equ 806445d3hDqm_1 equ 80643089hKde_1 equ 804ff5fdhDfe_1 equ 80
12、644340hPcp_1 equ 805d1a0dhMcp_1 equ 805b0c06hMcp_2 equ 805b0d7fhDmvos_1 equ 8064497fhDumvos_1 equ 80644a45hPet_1 equ 805d32f8hDet_1 equ 8064486chDep_1 equ 806448e6h.code;还原自己的HookDriverUnload proc pDriverObject:PDRIVER_OBJECT ret DriverUnload endpModifyFuncAboutDbg proc addrOdFunc, cmd_1, cmd_2 pushad mov ebx, addrOdFunc mov eax, cmd_1 mov DWORD ptr ebx, eax mov eax, cmd_2 mov DWORD ptr ebx + 4, eax popad ret ModifyFuncAboutDbg endpDriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING cli mov eax, cr0 and eax, not 10000h mov cr0, eax
