在Win7下很多XP的驱动都不适用了!前几个月研究了一下盛*大游戏的泡泡*堂的Hack*Shield驱动保护发现Hook了十多个内核函数,Ring 3和 Ring 0的双重保护
现在暂时发现钩住了一下函数
hook NtOpenProcess
hook NtReadVirtualMemory
hook NtWriteVirtualMemory
Hook NtClose
Hook NtProtectVirtualMemory
Hook NtGetContextThread
其中HOOK NtGetContextThread中用了两个钩子,恢复起来有些麻烦,但还是给恢复了
Ring 3层的程序通过DeviceIoControl传递游戏进程ID给驱动,然后驱动就执行相关的动作!现在给出部分关键的代码!
Ring 3层:
// 安装驱动的线程函数
UINT __cdecl CDriverProtectDlg::InstallDriverThread(LPVOID pParam)
{
CDriverProtectDlg* pDlg = NULL;
pDlg = (CDriverProtectDlg*)pParam;
pDlg->UpdateData(TRUE);
if (pDlg->strPath.IsEmpty())
{
AfxMessageBox(L"请选择驱动路径!");
return 0;
}
if (pDlg->strrGamePath.IsEmpty())
{
AfxMessageBox(L"请选择游戏路径!");
return 0;
}
if (!pDlg->LoadNTDriver(L"HelloDDK",pDlg->strPath.GetBuffer()))
{
pDlg->UnloadNTDriver(L"HelloDDK");
pDlg->LoadNTDriver(L"HelloDDK",pDlg->strPath.GetBuffer());
}
HANDLE hDevice =
::CreateFileW(L"\\\\.\\HelloDDK",
GENERIC_READ | GENERIC_WRITE,
0, // share mode none
NULL, // no security
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL ); // no template
if (hDevice == INVALID_HANDLE_VALUE)
{
pDlg->m_DriverINFORMATION.SetWindowTextW(L"打开驱动错误!");
return 1;
}
DWORD Pid = pDlg->TransferProcessID(pDlg->strrGamePath.GetBuffer());
int a = (int)Pid;
UCHAR* InputBuffer = new UCHAR[a];
UCHAR* OutputBuffer= new UCHAR[a];
BOOL bRet;
DWORD dwOutput;
//输入缓冲区作为输入,输出缓冲区作为输出
bRet = DeviceIoControl(hDevice, IOCTL_TEST1, InputBuffer, a, OutputBuffer, a, &dwOutput, NULL);
if (bRet)
{
pDlg->m_DriverINFORMATION.SetWindowTextW(L"开启保护成功!");
}
CloseHandle(hDevice);
delete []InputBuffer;
delete []OutputBuffer;
//AfxEndThread(0);
ResumeThread(pDlg->ProcessMainThread);
pDlg = NULL;
return 0;
}
UINT __cdecl CDriverProtectDlg::UnInstallDriverThread(LPVOID pParam)
{
CDriverProtectDlg* pDlg = NULL;
pDlg = (CDriverProtectDlg*)pParam;
pDlg->UpdateData(TRUE);
if (pDlg->strPath.IsEmpty())
{
AfxMessageBox(L"请选择驱动路径!");
return 0;
}
if (pDlg->strrGamePath.IsEmpty())
{
AfxMessageBox(L"请选择游戏路径!");
return 0;
}
pDlg->UnloadNTDriver(L"HelloDDK");
//AfxEndThread(0);
pDlg = NULL;
return 0;
}
Ring 0层的:
#include "HookNtOpenProcess.h"
#include "Function.h"
int nNtOpenProcessAddr;
int nHookNtOpenProcessAddr;
int nHookNtOpenPrpcessJmp;
int nHookNtOpenPrpcessOldJmp;
int nObOpenObjectByPointerAddr;
extern int GameProcessID;
static __declspec(naked) void MyNtOpenProcess()
{
__asm
{
push dword ptr [ebp-4]
push dword ptr [ebp-4]
push dword ptr [ebp+0x0C]
push dword ptr [ebp+8]
}
if (PanDuanProcessID()==GameProcessID)
{
__asm
{
jmp nHookNtOpenPrpcessOldJmp
call nObOpenObjectByPointerAddr
jmp nHookNtOpenPrpcessJmp
}
}
else
{
__asm
{
call nObOpenObjectByPointerAddr
jmp nHookNtOpenPrpcessJmp
}
}
}
void HookNtOpenProcess()
{
//DbgPrint("要HOOK的进程ID为:%d",GameProcessID);
nNtOpenProcessAddr=GetFunCtionAddr(L"NtOpenProcess");
char code[13] = {(char)0xFF,(char)0x75,(char)0xFC,(char)0xFF,(char)0x75,(char)0xFC,(char)0xFF,(char)0x75,(char)0x0C,(char)0xFF,(char)0x75,(char)0x08,(char)0xE8};
nHookNtOpenProcessAddr=SearchFeature(nNtOpenProcessAddr,code,13)-13;
//DbgPrint("nHookNtOpenProcessAddr=%x\n",nHookNtOpenProcessAddr);
nHookNtOpenPrpcessJmp=nHookNtOpenProcessAddr+17;
nHookNtOpenPrpcessOldJmp=nHookNtOpenProcessAddr+12;
//DbgPrint("nHookNtOpenPrpcessJmp=%x\n",nHookNtOpenPrpcessJmp);
//DbgPrint("nHookNtOpenPrpcessOldJmp=%x\n",nHookNtOpenPrpcessOldJmp);
nObOpenObjectByPointerAddr = GetCallAddr(nHookNtOpenPrpcessOldJmp+1);
//DbgPrint("nObOpenObjectByPointerAddr=%x\n",nObOpenObjectByPointerAddr);
InLineHookEngine(nHookNtOpenProcessAddr,(int)MyNtOpenProcess);
}
void UnHookNtOpenProcess()
{
char code[13] = {(char)0xFF,(char)0x75,(char)0xFC,(char)0xFF,(char)0x75,(char)0xFC,(char)0xFF,(char)0x75,(char)0x0C,(char)0xFF,(char)0x75,(char)0x08,(char)0xE8};
UnInLineHookEngine(nHookNtOpenProcessAddr,code,5);
}
DriverProtect.rar 为Ring 3层的源码
driver.rar 为Ring 0层的驱动文件及调试用的PDB文件
然后这些代码就可以让CE正常打开进程扫描,修改游戏内存数据了!OD附加功能还在开放中。
如果有志同道合的朋友可以加我这个群一起交流:C/C++,汇编语言,驱动交流群:177822398、 177822108
DriverProtect.rar
driver.rar
[课程]Linux pwn 探索篇!
