这是个老版本的NP，求教怎么过？
开雪兔儿老是被它干掉。
// Returns TRUE when `object` is a process object, judged by comparing the
// type pointer stored in its object header with *PsProcessType; FALSE for
// NULL, non-resident or non-process objects. EnumHandleTableRoutine uses it
// to separate process entries from thread entries while walking PspCidTable.
//
// Review notes:
//  * MmIsAddressValid only reports that a page is currently resident. It does
//    not prove the pointer refers to a real object, so these checks are crash
//    guards, not validation.
//  * The type pointer is read at header + 8, a hard-coded offset into the
//    undocumented OBJECT_HEADER — presumably the XP-era x86 layout; TODO
//    confirm for the target build.
//  * Pointers are truncated through ULONG, so this is 32-bit-only code.
BOOLEAN IsObjectProcess(PVOID object)
{
if (object == NULL)
return FALSE;
if (!MmIsAddressValid(object))
return FALSE;
// Step back from the object body to its header.
ULONG uObjectHeader = (ULONG)OBJECT_TO_OBJECT_HEADER(object);
if (uObjectHeader == 0
|| !MmIsAddressValid((PVOID)uObjectHeader))
return FALSE;
// Value at header + 8 is treated as the OBJECT_TYPE pointer (see notes above).
ULONG uObjectType = *(PLONG)(uObjectHeader + 8);
if (!MmIsAddressValid((PVOID)uObjectType))
return FALSE;
// Only the kernel's exported process type counts as a match.
if (uObjectType != (ULONG)*PsProcessType)
{
return FALSE;
}
return TRUE;
}
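// ExEnumHandleTable callback: examines one PspCidTable entry and records in
// pParame->eprocess the process object whose image name matches
// pParame->pszImageName (case-insensitive).
//
// Return convention, as established by the found/not-found paths: TRUE ends
// the enumeration, FALSE continues with the next entry. The original guard
// clauses returned TRUE, which would have aborted the whole walk at the first
// NULL entry or NULL object rather than skipping it; they now return FALSE.
// Whether ExEnumHandleTable ever hands such entries to the callback is not
// visible here.
//
// Hard-coded offsets, valid for one EPROCESS layout only (presumably XP x86,
// TODO confirm):
//   +0x174  16 bytes read as the image file name (15 chars + NUL)
//   +0x4    read as a LONG; 0 is required for a match — this looks like the
//           dispatcher header's SignalState (non-zero once the process has
//           terminated) — confirm against the target build.
// HandleTableEntry->Object is used without masking; if the entry keeps
// attribute bits in the low bits of that pointer on the target build, they
// must be cleared before the pointer is dereferenced — verify.
BOOLEAN EnumHandleTableRoutine(IN PHANDLE_TABLE_ENTRY HandleTableEntry,
IN HANDLE Handle,
IN PVOID EnumParameter)
{
// Entries we cannot examine are skipped, not treated as the end of the walk.
if (HandleTableEntry == NULL
|| EnumParameter == NULL)
return FALSE;
PVOID object = HandleTableEntry->Object;
if (object == NULL)
return FALSE;
PRetInfo pParame = (PRetInfo)EnumParameter;
// PspCidTable holds thread objects as well; only processes are of interest.
if (!IsObjectProcess(object))
return FALSE;
// Copy the fixed-size name into a buffer that is always NUL-terminated
// (szBuf[16] stays 0 even when all 16 source bytes are non-zero).
UCHAR szBuf[17] = {0};
RtlCopyMemory(szBuf, (PUCHAR)object + 0x174, 16);
if (_stricmp((const char*)szBuf, (const char*)pParame->pszImageName) != 0)
return FALSE;
// Skip objects whose +0x4 field is non-zero (see offset notes above).
if (*(PULONG)((ULONG)object + 4) != 0)
return FALSE;
pParame->eprocess = (PEPROCESS)object;
// Match found: stop the enumeration.
return TRUE;
}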
// 传入隐藏的进程名得到 进程的EPROCESS
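// Finds a process by image name by walking PspCidTable (the kernel's
// process/thread ID table) instead of ActiveProcessLinks, so the lookup does
// not depend on the process still being linked into the active-process list.
// (Despite its name, this maps a name to an EPROCESS, not the reverse.)
//
// pszName: NUL-terminated image name. EnumHandleTableRoutine compares it
//          case-insensitively against the 16 name bytes it reads from the
//          process object, so names longer than 15 characters can only match
//          on that truncated prefix.
// Returns: the matching EPROCESS, or NULL when pszName is NULL, when
//          GetPspCidTableAddr() returns 0, or when nothing matched.
//
// Change from the original: a 0 table address used to be passed straight to
// ExEnumHandleTable, which dereferences it; it is now rejected up front.
PEPROCESS GetProcessNameByEprocess(PUCHAR pszName)
{
if (pszName == NULL)
return NULL;
ULONG uPspCidTable = GetPspCidTableAddr();
if (uPspCidTable == 0)
return NULL;
HANDLE hand = NULL;
RetInfo info = {0};
info.pszImageName = pszName;
ExEnumHandleTable((PVOID)uPspCidTable, EnumHandleTableRoutine, &info, &hand);
// info.eprocess is left NULL by the callback when no entry matched.
return info.eprocess;
}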
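// Locate the two target processes through PspCidTable and insert their list
// entries at EPROCESS + 0x88 (a hard-coded offset, presumably
// ActiveProcessLinks on the XP x86 layout — TODO confirm) into the
// active-process list immediately before the System process's predecessor.
// The comment on GetProcessNameByEprocess calls these "hidden" processes, so
// this is presumably re-linking processes that were unlinked from the list.
//
// Review notes:
//  * Bug fix: the original condition tested g_eMon twice and never g_eMain,
//    so a NULL g_eMain reached InsertTailList as the bogus pointer 0x88.
//  * InsertTailList assumes each entry is currently unlinked; inserting an
//    entry that is still in the list corrupts it. FuckBreakLinkList(TRUE) is
//    presumably what guarantees that — its contract is not visible here.
//  * No lock is taken around the list manipulation, so it races process
//    creation and exit on other CPUs.
//  * Unlinking from this list never removed the objects from PspCidTable —
//    that is exactly how the lookup above finds them.
//  * KdPrint writes kernel pointers to the debugger output.
g_eMain = GetProcessNameByEprocess((PUCHAR)"CabalMain.exe");
g_eMon = GetProcessNameByEprocess((PUCHAR)"GameMon.des");
if (g_eMain != NULL && g_eMon != NULL)
{
KdPrint(("eMain = %08x, eMon = %08x\r\n", g_eMain, g_eMon));
FuckBreakLinkList(TRUE);
// Blink of System's entry = the entry before System; InsertTailList places
// each new entry just before that head.
g_ProcessHead = ((PLIST_ENTRY)((ULONG)PsInitialSystemProcess + 0x88))->Blink;
InsertTailList(g_ProcessHead, (PLIST_ENTRY)((ULONG)g_eMain + 0x88));
InsertTailList(g_ProcessHead, (PLIST_ENTRY)((ULONG)g_eMon + 0x88));
}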
这种代码怎么用?