Ps:本文仅为学习研究结果(通用xp和win7),私自用于任何商业活动造成的后果请自行承担
此文重点:
1、劫持rasadhlp.dll实现对TSALogin.exe的完美注入.(不少朋友对怎么注入这个exe一直不懂)
4、安装消息钩子,判断当前输入焦点
3、自己构造ZwSetContextThread,和ZwGetContextThread
4、设置硬件断点,监视键盘输入,保存未加密虚键码和加密虚键码
5、实现解密
// Worker thread body, started from DllMain via _beginthreadex.
// Resolves the host executable's path into the global g_tcExeDir, truncates it
// after the last backslash (leaving the directory), appends "tencent_Login.dll"
// and loads that DLL; the handle is kept in the global hTestModule.
// @param lpPram  unused.
// @return always 0.
// NOTE(review): GetModuleFileName(nullptr, ...) yields the host EXE's path, so the
// DLL is looked up next to the executable, not next to this module.
// NOTE(review): _tcsrchr() returns NULL when the path contains no backslash; the
// "+1" write below would then dereference NULL — no check is made here.
// NOTE(review): g_tcExeDir is a global written from this thread without any
// synchronization; other readers are not visible in this file.
unsigned int WINAPI _WorkThread(void * lpPram)
{
TCHAR tcWorkDll[MAX_PATH];
GetModuleFileName(nullptr,g_tcExeDir,MAX_PATH);
// Cut the path right after the final '\\' so only the directory remains.
*( _tcsrchr(g_tcExeDir,'\\') +1 )=0;
_stprintf_s(tcWorkDll,_T("%s%s"),g_tcExeDir,_T("tencent_Login.dll"));
hTestModule=LoadLibrary(tcWorkDll);
return 0;
}
// Entry point of the proxy DLL (the write-up above describes it standing in for
// rasadhlp.dll so that it is picked up by the target's DLL search order).
// DLL_PROCESS_ATTACH: when the host process name is "tgp_daemon.exe", a worker
//   thread (_WorkThread) is started to load tencent_Login.dll; in every case
//   AheadLib::Load() is then called and its result returned.
// DLL_PROCESS_DETACH: AheadLib::Free() is called.
// All other reasons fall through and return TRUE.
// @param hModule            this module's handle (unused here).
// @param ul_reason_for_call loader notification reason.
// @param lpReserved         unused.
// @return result of AheadLib::Load() on attach, otherwise TRUE.
// Defender note: the observable behaviour is a rasadhlp.dll resolving from an
// application directory rather than the system directory, and tgp_daemon.exe
// starting a thread that LoadLibrary()s a DLL from the executable's directory.
// NOTE(review): the thread is created while DllMain runs under the loader lock;
// presumably its LoadLibrary() cannot complete until this DllMain returns.
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
if (ul_reason_for_call == DLL_PROCESS_ATTACH)
{// Author's note (translated): last tested with tgp; tgp turned out not to encrypt, while games (e.g. jfzr, fifa3) do.
if(IsSpecifyProcessName(_T("tgp_daemon.exe")))
{
// Handle is stored in the global hWorkThread; it is never joined or closed in this file.
hWorkThread=(HANDLE)_beginthreadex(NULL,NULL,_WorkThread,NULL,NULL,NULL);
}
using namespace AheadLib;
return Load();
}
else if (ul_reason_for_call == DLL_PROCESS_DETACH)
{
using namespace AheadLib;
Free();
}
return TRUE;
}
// Replacement for CreateProcessW, installed by StartWork() through DetourAttach
// inside tgp_daemon.exe. Parameters mirror CreateProcessW one for one.
// If the command line contains "TASLogin.exe", the child is created with
// DetourCreateProcessWithDll so that this module (path obtained from g_hMod) is
// loaded into the new process; any other creation is forwarded unchanged to
// RealCreateProcess (presumably initialised to CreateProcessW and redirected by
// Detours to its trampoline — not visible in this file).
// @return the BOOL result of whichever creation call was made.
// NOTE(review): lpCommandLine may legitimately be NULL for CreateProcessW;
// _tcsstr() is called on it here without a check.
// NOTE(review): bRet is assigned but never used.
// Defender note: a child of tgp_daemon.exe started through
// DetourCreateProcessWithDll with this module's path is the injection step; the
// resulting extra DLL load in the child is the observable.
BOOL WINAPI myCreateProcess(LPCWSTR lpApplicationName,LPWSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCWSTR lpCurrentDirectory,LPSTARTUPINFOW lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation
)
{
BOOL bRet =FALSE;
// ANSI buffer: DetourCreateProcessWithDll takes the DLL path as a narrow string.
CHAR tcText[MAX_PATH];
if( _tcsstr(lpCommandLine,_T("TASLogin.exe")) )
{
GetModuleFileNameA(g_hMod,tcText,MAX_PATH);
return DetourCreateProcessWithDll(lpApplicationName,lpCommandLine,lpProcessAttributes,lpThreadAttributes,
bInheritHandles,dwCreationFlags,lpEnvironment,lpCurrentDirectory,lpStartupInfo,lpProcessInformation,tcText,RealCreateProcess);
}
return RealCreateProcess(lpApplicationName,lpCommandLine,lpProcessAttributes,lpThreadAttributes,
bInheritHandles,dwCreationFlags,lpEnvironment,lpCurrentDirectory,lpStartupInfo,lpProcessInformation);
}
// Process-specific setup, called from the second DllMain on DLL_PROCESS_ATTACH.
// Everything runs inside one Detours transaction:
//  * in tgp_daemon.exe: detours CreateProcess (RealCreateProcess) to
//    myCreateProcess, which is what gets this DLL into TASLogin.exe;
//  * in TASLogin.exe: resolves ZwSetContextThread/ZwGetContextThread from
//    ntdll, copies each function's first 5 bytes into the globals
//    g_ZwSetContextThreadZone/g_ZwGetContextThreadZone, makes those buffers
//    PAGE_EXECUTE_READWRITE and appends a relative JMP (0xE9) back to the
//    original function at offset +5 — i.e. private copies of the prologues that
//    still work if the exported entry points are later inline-hooked; then
//    calls ProcessDispatchException() and installs a WH_GETMESSAGE hook
//    (GetMsgProc) on the current thread, keeping the hook id in g_hHookId.
// Defender note: the sequence ReadProcessMemory on own ntdll exports →
// VirtualProtect(RWX) on module-global buffers → SetWindowsHookEx(WH_GETMESSAGE)
// is the behavioural signature of this stage.
// NOTE(review): the rel32 arithmetic casts pointers to DWORD, so this only
// works for a 32-bit module; the buffers must hold at least 10 bytes (not
// visible here), and copying exactly 5 bytes assumes the first instructions of
// both ntdll stubs end on a 5-byte boundary — TODO confirm per OS build.
// NOTE(review): tcText is only referenced from the commented-out debug code
// below and is otherwise unused.
// NOTE(review): in the TASLogin.exe branch nothing is DetourAttach()ed, so the
// transaction commit presumably has no effect there.
void StartWork()
{
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
TCHAR tcText[100];
TCHAR lpProcessName[50]={0} ;
_tcscpy_s(lpProcessName, GetCurProcessName().c_str());
if( !_tcsicmp ( lpProcessName,_T("tgp_daemon.exe")) )
{
DetourAttach((PVOID*)&RealCreateProcess,myCreateProcess); // Author's note (translated): hook CreateProcess to inject into TSALogin.exe
}
if( !_tcsicmp ( lpProcessName,_T("TASLogin.exe")) )
{
DWORD dwOldProtect;
// Author's note (translated): build our own ZwSetContextThread/ZwGetContextThread, because these two will be hooked by TX later, so a private copy is prepared first.
ZwSetContextThread=(fnZwSetContextThread)GetProcAddress(GetModuleHandle(_T("ntdll")),"ZwSetContextThread");
ZwGetContextThread=(fnZwGetContextThread)GetProcAddress(GetModuleHandle(_T("ntdll")),"ZwGetContextThread");
// (HANDLE)-1 is the current-process pseudo handle; copies the first 5 bytes of each export.
ReadProcessMemory((HANDLE)-1,(VOID*)ZwSetContextThread,g_ZwSetContextThreadZone,5,nullptr);
ReadProcessMemory((HANDLE)-1,(VOID*)ZwGetContextThread,g_ZwGetContextThreadZone,5,nullptr);
// dwOldProtect is overwritten by the second call; neither protection is restored.
VirtualProtect(g_ZwSetContextThreadZone,10,PAGE_EXECUTE_READWRITE,&dwOldProtect);
VirtualProtect(g_ZwGetContextThreadZone,10,PAGE_EXECUTE_READWRITE,&dwOldProtect);
// 0xE9 = JMP rel32; target = original function + 5, relative to the end of the 5-byte JMP at buffer + 5.
*(BYTE*)(g_ZwGetContextThreadZone+5)=0xE9;
*(BYTE*)(g_ZwSetContextThreadZone+5)=0xE9;
*(DWORD*)( g_ZwGetContextThreadZone+6)= (DWORD)ZwGetContextThread - (DWORD)g_ZwGetContextThreadZone -5;
*(DWORD*)( g_ZwSetContextThreadZone+6 )=(DWORD)ZwSetContextThread -(DWORD)g_ZwSetContextThreadZone -5;
/*_stprintf_s(tcText,_T("g_ZwGetContextThreadZone = 0x%x,g_ZwSetContextThreadZone =0x%x"),g_ZwGetContextThreadZone,g_ZwSetContextThreadZone);
OutputDebugString(tcText);*/
//Hook RtlDispatchException
ProcessDispatchException(); // Author's note (translated): sets hardware breakpoints to watch keyboard input (body not in this file).
// Thread-scoped hook: dwThreadId = current thread, hMod = this module.
g_hHookId=SetWindowsHookEx(WH_GETMESSAGE,GetMsgProc,g_hMod,GetCurrentThreadId());
OutputDebugString(_T("TSALogin.exe注入成功"));
}
DetourTransactionCommit();
}
extern void StartWork();
// Entry point of the injected module (second DllMain on this page; the page
// shows two DLLs' worth of code).
// DLL_PROCESS_ATTACH: saves this module's handle in the global g_hMod (used by
// myCreateProcess and the SetWindowsHookEx call) and runs StartWork(), which
// performs all Detours/hook installation. Thread attach/detach and process
// detach do nothing; nothing installed by StartWork() is undone on detach.
// @param hModule            this module's handle, stored in g_hMod.
// @param ul_reason_for_call loader notification reason.
// @param lpReserved         unused.
// @return always TRUE.
// NOTE(review): StartWork() runs under the loader lock here; it calls into
// Detours and SetWindowsHookEx from within DllMain.
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
g_hMod=hModule;
StartWork();
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}