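/// Reports whether @p lpszApi names one of the exports that this hook DLL
/// treats as hooked. The match is an exact, case-sensitive strcmp against the
/// fixed table below (grouped as in the original: kernel, user, ntdll).
///
/// @param lpszApi  NUL-terminated API name; may be NULL.
/// @return true when the name is in the table; false for NULL, empty, or
///         unknown names.
bool CHookDllApi::SUB_IsHook(char *lpszApi)
{
    // A NULL or empty name can never match; this also keeps strcmp away
    // from a null pointer. Compare the character against '\0', not NULL.
    if (lpszApi == NULL || lpszApi[0] == '\0') return false;

    // One table instead of ~30 repeated if/strcmp lines: adding or removing
    // an entry is a single line and the comparison is written once.
    static const char *const kHookedApis[] = {
        // kernel
        "VirtualProtect",
        "ReadProcessMemory",
        "WriteProcessMemory",
        "MoveFileW",
        "OpenProcess",
        "MapViewOfFile",
        "MapViewOfFileEx",
        "VirtualProtectEx",
        "LoadLibraryExW",
        "CreateProcessInternalW",
        // user
        "PostMessageA",
        "PostMessageW",
        "SendMessageW",
        "GetWindowThreadProcessId",
        "SendMessageA",
        "SetWindowsHookExA",
        "SetWindowsHookExW",
        // ntdll
        "ZwProtectVirtualMemory",
        "ZwQuerySystemInformation",
        "ZwReadVirtualMemory",
        "ZwSuspendProcess",
        "ZwSuspendThread",
        "ZwTerminateProcess",
        "ZwTerminateThread",
        "ZwWriteVirtualMemory",
    };
    const size_t count = sizeof(kHookedApis) / sizeof(kHookedApis[0]);

    for (size_t i = 0; i < count; ++i)
    {
        // strcmp returns an int: 0 means equal. The original compared the
        // result against NULL (a pointer constant), which only works by
        // accident of NULL being 0.
        if (strcmp(lpszApi, kHookedApis[i]) == 0) return true;
    }
    return false;
}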
我只发现了这几个API，但有关进程隐藏的那几个API没有发现被HOOK。
NP是通过什么来隐藏自身和子game进程的呢?
我对Ring0级调试不太熟悉，追踪NP执行流程到启动驱动那一块时就没有继续追踪下去了，很遗憾。