-
-
另一种DWMHOOK
-
发表于: 2023-3-5 08:35
-
void SyscallCallBack(ULONG64 R10, ULONG64 RAX)
{
if (R10 != (ULONG64)((ULONG64)ZwWaitForSingleObject + 0x14)) { return; }
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | if (!LoopLock){ LoopLock = true; if (ThreadInit == false) { DWORD CurrentThreadId = GetCurrentThreadId(); ULONG64 ThreadStartAddress = GetThreadStartAddressByThreadId(CurrentThreadId); if (ThreadStartAddress > DwmCoreModle && ThreadStartAddress < DwmCoreModle + DwmCoreModleSize) { TarGetThreadId = CurrentThreadId; ThreadInit = true; } } if (pDxgiSwapChain != NULL && ThreadInit == true && GetCurrentThreadId() == TarGetThreadId) { PresentCallBack(pDxgiSwapChain); } LoopLock = false;} |
}
第二种:
int64 fastcall DxgkRender()
{
1 2 3 4 5 6 7 8 9 10 11 | if (PsGetThreadProcess(KeGetCurrentThread()) == DWMEprocess){ PKTRAP_FRAME ContextRecord = (PKTRAP_FRAME)(*(ULONG64 *)((ULONG64)KeGetCurrentThread() + 0x090)); ContextRecord->Rip = 0x00007DF420BB7790;}return g_DxgkRender(DeviceState);//g_DxgkRender(a1, a2, a3); |
}
hook win32k修改KTRAP_FRAME->RIP来进行HOOK
通过ProcessInstrumentationCallback来实现hook dwm 老技术了这都是没啥好说的 丢出来了
老群G了。群号:322595404
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2023-3-5 08:47
被BDBig编辑
,原因:
|
|
|---|---|
|
|
|
|
|
|
|
|
|
