超级模块中有个双开功能,能够双开腾讯的大部分游戏,例如DNF。于是就下载模块下来分析了一下。
随便在网上找一个用超级模块写的双开工具。然后OD载入,下bp DeleteFileA断点。
为什么要下deleteFile断点,而不是CreateFile,是因为该模块注册驱动文件后就会将驱动文件删除。
下了断点之后点击启动双开的时候,OD断下。查看堆栈,可以看到写出的驱动路径。
将驱动文件拷贝出来,文件大小只有3kb,用IDA打开。
INIT:00010985 ; NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
INIT:00010985 public DriverEntry
INIT:00010985 DriverEntry proc near
INIT:00010985
INIT:00010985 DriverObject = dword ptr 8
INIT:00010985 RegistryPath = dword ptr 0Ch
INIT:00010985
INIT:00010985 mov edi, edi
INIT:00010987 push ebp
INIT:00010988 mov ebp, esp
INIT:0001098A mov eax, dword_10904
INIT:0001098F test eax, eax
INIT:00010991 mov ecx, 0BB40h
INIT:00010996 jz short loc_1099C
INIT:00010998 cmp eax, ecx
INIT:0001099A jnz short loc_109BF
INIT:0001099C
INIT:0001099C loc_1099C: ; CODE XREF: DriverEntry+11j
INIT:0001099C mov edx, ds:KeTickCount
INIT:000109A2 mov eax, offset dword_10904
INIT:000109A7 shr eax, 8
INIT:000109AA xor eax, [edx]
INIT:000109AC and eax, 0FFFFh
INIT:000109B1 mov dword_10904, eax
INIT:000109B6 jnz short loc_109BF
INIT:000109B8 mov eax, ecx
INIT:000109BA mov dword_10904, eax
INIT:000109BF
INIT:000109BF loc_109BF: ; CODE XREF: DriverEntry+15j
INIT:000109BF ; DriverEntry+31j
INIT:000109BF not eax
INIT:000109C1 mov dword_10900, eax
INIT:000109C6 pop ebp
INIT:000109C7 jmp sub_106F8
INIT:000109C7 DriverEntry endp
.text:000106F8 ; int __stdcall sub_106F8(PDRIVER_OBJECT DeviceObject, int)
.text:000106F8 sub_106F8 proc near ; CODE XREF: DriverEntry+42j
.text:000106F8
.text:000106F8 SymbolicLinkName= UNICODE_STRING ptr -10h
.text:000106F8 DestinationString= UNICODE_STRING ptr -8
.text:000106F8 DeviceObject = dword ptr 8
.text:000106F8
.text:000106F8 mov edi, edi
.text:000106FA push ebp
.text:000106FB mov ebp, esp
.text:000106FD sub esp, 10h
.text:00010700 push esi
.text:00010701 mov esi, [ebp+DeviceObject]
.text:00010704 push edi
.text:00010705 mov edi, ds:RtlInitUnicodeString
.text:0001070B push offset word_106A6 ; SourceString
.text:00010710 lea eax, [ebp+DestinationString]
.text:00010713 push eax ; DestinationString
.text:00010714 mov dword ptr [esi+38h], offset sub_10486 //设置IRP处理函数
.text:0001071B mov dword ptr [esi+40h], offset sub_10486
.text:00010722 mov dword ptr [esi+70h], offset sub_104AA
.text:00010729 mov dword ptr [esi+34h], offset sub_10670
.text:00010730 call edi ; RtlInitUnicodeString //初始化设备名称
.text:00010732 lea eax, [ebp+DeviceObject]
.text:00010735 push eax ; DeviceObject
.text:00010736 push 0 ; Exclusive
.text:00010738 push 0 ; DeviceCharacteristics
.text:0001073A push 22h ; DeviceType
.text:0001073C lea eax, [ebp+DestinationString]
.text:0001073F push eax ; DeviceName
.text:00010740 push 0 ; DeviceExtensionSize
.text:00010742 push esi ; DriverObject
.text:00010743 call ds:IoCreateDevice //创建设备
.text:00010749 test eax, eax
.text:0001074B jl short loc_10780
.text:0001074D push offset word_106CA ; SourceString
.text:00010752 lea eax, [ebp+SymbolicLinkName]
.text:00010755 push eax ; DestinationString
.text:00010756 call edi ; RtlInitUnicodeString //初始化符号链接名称
.text:00010758 lea eax, [ebp+DestinationString]
.text:0001075B push eax ; DeviceName
.text:0001075C lea eax, [ebp+SymbolicLinkName]
.text:0001075F push eax ; SymbolicLinkName
.text:00010760 call ds:IoCreateSymbolicLink //创建符号链接
.text:00010766 mov esi, eax
.text:00010768 test esi, esi
.text:0001076A jge short loc_10779 //创建成功就跳过去
.text:0001076C push [ebp+DeviceObject] ; DeviceObject
.text:0001076F call ds:IoDeleteDevice //创建失败则删除设备
.text:00010775 mov eax, esi
.text:00010777 jmp short loc_10780
.text:00010779 ; ---------------------------------------------------------------------------
.text:00010779
.text:00010779 loc_10779: ; CODE XREF: sub_106F8+72j
.text:00010779 call sub_105C8
.text:0001077E xor eax, eax
.text:00010780
.text:00010780 loc_10780: ; CODE XREF: sub_106F8+53j
.text:00010780 ; sub_106F8+7Fj
.text:00010780 pop edi
.text:00010781 pop esi
.text:00010782 leave
.text:00010783 retn 8
.text:00010783 sub_106F8 endp
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!