能力值:
( LV11,RANK:190 )
|
-
-
2 楼
NtOpenProcess+0x224处 被hook了,比较深
|
能力值:
( LV2,RANK:10 )
|
-
-
3 楼
那要怎么弄才能看到在哪HOOK了`
|
能力值:
( LV2,RANK:10 )
|
-
-
4 楼
最近TX查外挂似乎很严啊,和谐了很多呢。
|
能力值:
( LV11,RANK:190 )
|
-
-
5 楼
+0x224是ObOpenObjectByPointer,用windbg看
805cc5fb ff75d4 push dword ptr [ebp-2Ch]
805cc5fe e8db7a0000 call nt!PsLookupProcessByProcessId (805d40de)
805cc603 ebde jmp nt!NtOpenProcess+0x1e7 (805cc5e3)
805cc605 8d45e0 lea eax,[ebp-20h]
805cc608 50 push eax
805cc609 ff75cc push dword ptr [ebp-34h]
805cc60c ff35b8495680 push dword ptr [nt!PsProcessType (805649b8)]
805cc612 56 push esi
805cc613 8d8548ffffff lea eax,[ebp-0B8h]
805cc619 50 push eax
805cc61a ff75c8 push dword ptr [ebp-38h]
805cc61d ff75dc push dword ptr [ebp-24h]
805cc620 e8bb42ab2d call ae0808e0 //HOOK位置
805cc625 8bf8 mov edi,eax
干净的:
805cc5fe e8db7a0000 call nt!PsLookupProcessByProcessId (805d40de)
805cc603 ebde jmp nt!NtOpenProcess+0x1e7 (805cc5e3)
805cc605 8d45e0 lea eax,[ebp-20h]
805cc608 50 push eax
805cc609 ff75cc push dword ptr [ebp-34h]
805cc60c ff35b8495680 push dword ptr [nt!PsProcessType (805649b8)]
805cc612 56 push esi
805cc613 8d8548ffffff lea eax,[ebp-0B8h]
805cc619 50 push eax
805cc61a ff75c8 push dword ptr [ebp-38h]
805cc61d ff75dc push dword ptr [ebp-24h]
805cc620 e84706ffff call nt!ObOpenObjectByPointer (805bcc6c) //原始
805cc625 8bf8 mov edi,eax
|
能力值:
( LV2,RANK:10 )
|
-
-
6 楼
谢谢5楼的大虾``
|
能力值:
( LV2,RANK:10 )
|
-
-
7 楼
`弱弱的问下``是看DNF.EXE 还是什么``
|
能力值:
( LV11,RANK:190 )
|
-
-
8 楼
....... 看内核
|
|
|
|
