发表于:
2014-3-24 11:29
[旧帖] [求助]过T*驱动中遇到的问题
#ifndef HOOKREAD
#define HOOKREAD
/*
 * State shared between HookReadVirtualMemory and the naked handler.
 * All three hold kernel addresses (or a value read from kernel code) in a
 * plain int, so the listing only makes sense on a 32-bit kernel.
 */
/* Value returned by GetSSDTFunctionAddr(186); also handed to SSDTUnHookEngine on unhook. */
int nNtReadVirtualMemoryAddr;
/* 32-bit value read from nNtReadVirtualMemoryAddr + 3; pushed by the handler. */
int nNtReadVirtualMemoryAddr_3;
/* nNtReadVirtualMemoryAddr + 7; the handler's second path jumps here. */
int nNtReadVirtualMemoryAddrJmp;
/*
 * Replacement handler that HookReadVirtualMemory installs for service
 * index 186 (NtReadVirtualMemory, going by the names in this file).
 *
 * The function is naked, so the compiler emits no prologue or epilogue and
 * the caller's stack arguments are left exactly as they arrived; both paths
 * leave via jmp, never via ret.
 *
 * Path 1: the PanDuanProcessName check matches one of the listed image names
 *         -> jump to the address saved in nNtReadVirtualMemoryAddr, i.e. the
 *         unmodified entry point of the service routine.
 * Path 2: any other caller -> push 0x1c and the value saved from entry+3,
 *         then continue at entry+7. This re-creates two push instructions
 *         and skips the first 7 bytes of the routine; presumably those bytes
 *         are where another driver has placed an inline patch -- the source
 *         does not show this.
 *
 * NOTE(review): PanDuanProcessName is defined elsewhere; it presumably
 * compares the current process's image name -- confirm. Image-name matching
 * is trivially affected by renaming an executable.
 * NOTE(review): C code inside a naked function runs without a
 * compiler-built frame, which MSVC documents as restricted; this is a
 * system-stability risk in kernel mode.
 *
 * Defender's view: an SSDT slot that points outside the kernel image, and a
 * handler that enters a service routine past its first bytes, are the
 * artifacts kernel integrity checks compare against the on-disk image.
 */
__declspec(naked) void MyNtReadVirtualMemory()
{
if(PanDuanProcessName("xyclient.exe")||PanDuanProcessName("DNF.exe")||PanDuanProcessName("TenSafe_1.exe")||PanDuanProcessName("TenSafe.exe")||PanDuanProcessName("QQLogin.exe")||PanDuanProcessName("CrossProxy.exe"))
{
__asm
{
// Caller is DNF (or another listed process): go to the saved entry address.
jmp nNtReadVirtualMemoryAddr
}
}
__asm
{
// Values captured by HookReadVirtualMemory: literal 0x1c, the dword read
// from entry+3, and the continuation address entry+7.
push 0x1c
push nNtReadVirtualMemoryAddr_3
jmp nNtReadVirtualMemoryAddrJmp
}
}
VOID HookReadVirtualMemory()
{
    /*
     * Capture everything the naked handler needs, then install it.
     *
     * The three globals are filled in before SSDTHookEngine is called so
     * that the handler never runs with unset jump targets.
     *
     * The service index (186) and the byte offsets (+3, +7) are hard-coded
     * and nothing here checks that the bytes at the entry point have the
     * expected layout; on a kernel build where they differ, the value read
     * from entry+3 and the continuation address are meaningless.
     */
    int entry = GetSSDTFunctionAddr(186);
    int *operand = (int *)(entry + 3);

    nNtReadVirtualMemoryAddr = entry;
    nNtReadVirtualMemoryAddr_3 = *operand;   /* dword stored at entry+3 */
    nNtReadVirtualMemoryAddrJmp = entry + 7; /* handler resumes here */

    SSDTHookEngine(186, (int)MyNtReadVirtualMemory);
}
VOID UnHookReadVirtualMemory()
{
    /*
     * Hand the address saved by HookReadVirtualMemory back to
     * SSDTUnHookEngine for service index 186. If the hook was never
     * installed the saved value is still the global's initial zero; what
     * SSDTUnHookEngine does with that is not visible in this listing.
     */
    int saved_entry = nNtReadVirtualMemoryAddr;

    SSDTUnHookEngine(186, saved_entry);
}
#endif
这是和尚老师 hook NtReadVirtualMemory 的源码。但是现在多了一处，
在 VOID HookReadVirtualMemory() 函数中：
/*
 * Fragment quoted from the poster's modified HookReadVirtualMemory. It
 * repeats the +3/+7 capture pattern with offsets 276 and 111: read the
 * dword stored at entry+276 and record entry+111 as an address. Neither
 * variable is declared in the listing above and nothing shown consumes
 * them. The offsets are fixed numbers, presumably tied to one specific
 * kernel build -- confirm before relying on them.
 */
nNtReadVirtualMemoryAddr_276 = nNtReadVirtualMemoryAddr + 276;
nNtReadVirtualMemoryAddr_276 = *((int*)nNtReadVirtualMemoryAddr_276);
nNtReadVirtualMemoryAddrJmp_111 = nNtReadVirtualMemoryAddr + 111;
要加上这么一处绕过。
请大神们教教怎么写，谢谢了。（新人）