首页
社区
课程
招聘
[注意]最新版本的NP有了一点改动
发表于: 2008-5-10 21:26 16736

[注意]最新版本的NP有了一点改动

zhuwg 活跃值
11
2008-5-10 21:26
16736

最近又无聊了
听某兄弟说np又不能xx了

下载回来1份看看

测试版本
nProtect GameGuard Module
npggNT.des
87.0 KB (89,179 )
版本 2007, 8, 7, 1

nProtect Game Monitor
GameMon.des
2.46 MB (2,582,042 ֽ)

发现hook已经有了变化
SSDT hook 无
shadow 1个sendinput
inline +了KeSetProfileIrql

ntoskrnl.exe-->KeAttachProcess, Type: Inline - RelativeJump at address 0x804EC938 hook handler located in [dump_wmimmc.sys]
ntoskrnl.exe-->KeStackAttachProcess, Type: Inline - RelativeJump at address 0x804F2743 hook handler located in [dump_wmimmc.sys]
ntoskrnl.exe-->NtOpenProcess, Type: Inline - RelativeJump at address 0x80574C96 hook handler located in [dump_wmimmc.sys]
ntoskrnl.exe-->NtProtectVirtualMemory, Type: Inline - RelativeJump at address 0x80575045 hook handler located in [dump_wmimmc.sys]
ntoskrnl.exe-->NtDeviceIoControlFile, Type: Inline - RelativeJump at address 0x8057CF7B hook handler located in [dump_wmimmc.sys]
ntoskrnl.exe-->NtReadVirtualMemory, Type: Inline - RelativeJump at address 0x8057F48E hook handler located in [dump_wmimmc.sys]
ntoskrnl.exe-->NtWriteVirtualMemory, Type: Inline - RelativeJump at address 0x8057F5E0 hook handler located in [dump_wmimmc.sys]
ntoskrnl.exe-->KeSetProfileIrql, Type: Inline - RelativeCall at address 0x806A4116 hook handler located in [ntoskrnl.exe]

hook指向ntoskrnl.exe内部  不过偶只能比较肯定是np
测试机器是新ghost的系统 没有安装任何东西

r3的选择一个
[956]EXPLORER.EXE-->ntdll.dll-->NtDeviceIoControlFile, Type: Inline - RelativeJump at address 0x7C92D8E3 hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->ntdll.dll-->NtLoadDriver, Type: Inline - RelativeJump at address 0x7C92DB6E hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->ntdll.dll-->NtOpenProcess, Type: Inline - RelativeJump at address 0x7C92DD7B hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump at address 0x7C92DEB6 hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->ntdll.dll-->NtQuerySystemInformation, Type: Inline - RelativeJump at address 0x7C92E1AA hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->ntdll.dll-->NtReadVirtualMemory, Type: Inline - RelativeJump at address 0x7C92E2BB hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->ntdll.dll-->NtSuspendProcess, Type: Inline - RelativeJump at address 0x7C92E83A hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->ntdll.dll-->NtSuspendThread, Type: Inline - RelativeJump at address 0x7C92E84F hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->ntdll.dll-->NtTerminateProcess, Type: Inline - RelativeJump at address 0x7C92E88E hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->ntdll.dll-->NtTerminateThread, Type: Inline - RelativeJump at address 0x7C92E8A3 hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump at address 0x7C92EA32 hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump at address 0x7C801A5D hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump at address 0x7C801AD0 hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump at address 0x7C801AF1 hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->kernel32.dll-->ReadProcessMemory, Type: Inline - RelativeJump at address 0x7C8021CC hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->kernel32.dll-->WriteProcessMemory, Type: Inline - RelativeJump at address 0x7C80220F hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump at address 0x7C80AC28 hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->kernel32.dll-->MapViewOfFileEx, Type: Inline - RelativeJump at address 0x7C80B71E hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->kernel32.dll-->MapViewOfFile, Type: Inline - RelativeJump at address 0x7C80B78D hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump at address 0x7C8191EB hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C81E079 hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->kernel32.dll-->MoveFileW, Type: Inline - RelativeJump at address 0x7C839659 hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C859F0B hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->advapi32.dll-->CreateProcessWithLogonW, Type: Inline - RelativeJump at address 0x77DE5C9D hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->user32.dll-->GetWindowThreadProcessId, Type: Inline - RelativeJump at address 0x77D18A80 hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->user32.dll+0x00008B80, Type: Inline - RelativeJump at address 0x77D18B80 hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->user32.dll-->PostMessageW, Type: Inline - RelativeJump at address 0x77D18CCB hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->user32.dll-->SendMessageW, Type: Inline - RelativeJump at address 0x77D1B8BA hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->user32.dll-->PostMessageA, Type: Inline - RelativeJump at address 0x77D1CB85 hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump at address 0x77D2E4AF hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->user32.dll-->SendInput, Type: Inline - RelativeJump at address 0x77D2F118 hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->user32.dll-->SendInput, Type: Inline - RelativeJump at address 0x77D2F122 hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->user32.dll-->SendMessageA, Type: Inline - RelativeJump at address 0x77D2F39A hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump at address 0x77D311E9 hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->user32.dll-->SetCursorPos, Type: Inline - RelativeJump at address 0x77D55E4B hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->user32.dll-->mouse_event, Type: Inline - RelativeJump at address 0x77D662FD hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->user32.dll-->keybd_event, Type: Inline - RelativeJump at address 0x77D66341 hook handler located in [npggNT.des]
[956]EXPLORER.EXE-->gdi32.dll-->GetPixel, Type: Inline - RelativeJump at address 0x77EFB471 hook handler located in [npggNT.des]

基本上没有多少变化

notify已经只有1个process了


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 7
支持
分享
最新回复 (21)
雪    币: 1946
活跃值: (248)
能力值: (RANK:330 )
在线值:
发帖
回帖
粉丝
2
zhuwg很强大
2008-5-10 21:33
0
雪    币: 62
活跃值: (12)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
想请教下楼主,这些都是怎末分析得到的?
2008-5-10 22:23
0
雪    币: 150
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
请问楼主用的是什么工具?
2008-5-10 23:38
0
雪    币: 207
活跃值: (10)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
5
LZ本身就是一把倚天剑
2008-5-10 23:45
0
雪    币: 2067
活跃值: (82)
能力值: ( LV9,RANK:180 )
在线值:
发帖
回帖
粉丝
6
高高手
太強了.
2008-5-11 04:13
0
雪    币: 287
活跃值: (102)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
7
霸王卸甲之击破NP保护
2008-5-11 10:20
0
雪    币: 287
活跃值: (102)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
8
现在用SSDT hook还可以过NP吗
2008-5-11 10:22
0
雪    币: 272
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
9
嘿嘿,我有100%包过NP ,HS的方法,只要不公开了,它再升10次级都能过,
不过现在只能在单核机器上跑。。。。。。。。。
2008-5-12 12:59
0
雪    币: 427
活跃值: (412)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
10
RKU可以看到这些的。
2008-5-12 18:33
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
11
膜拜,崇拜,不知道庸俗很么来表达~
2008-5-12 19:52
0
雪    币: 1481
活跃值: (874)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
12
进来膜拜下~
2008-5-13 13:06
0
雪    币: 150
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
13
哈哈 谦虚的楼主也已经成了膜拜的对象了 ... 楼主能不能教我实现一下 KiAttachProcess ? 你那个帖子里是伪代码 WRK里的代码我又编译不了 ... 楼主是怎么做的 ?
2008-5-13 18:05
0
雪    币: 201
活跃值: (15)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
14
游戏或游戏防护程序已被非法修改

这个问题还在求解中
2008-5-14 21:14
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
15
第2次进来膜拜~~~~~~学习学习
2008-5-29 18:18
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
16
楼主有没有开学习班啊,教学费学习逆向啊~
2008-5-29 18:33
0
雪    币: 0
能力值: (RANK:10 )
在线值:
发帖
回帖
粉丝
17
嘿嘿,我知道你是什么方法,在双核机器上蓝屏,这个问题其实已经解决了!!!
2008-5-31 00:53
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
18
能不能告訴我,如何過NP 嗎?
2008-6-3 08:48
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
19
大侠.能偷偷滴告诉小弟吗!感激不尽呀。就算那么一点点TS..........

我EMAIL:tmgame001@163.com
2008-6-11 21:54
0
雪    币: 272
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
20
shadow 中才封了一个??

起码也得封了安装钩子和发送消息以及窗体查询吧
2008-7-5 12:11
0
雪    币: 141
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
21
好不幸 我的是双核
2008-7-6 10:07
0
雪    币: 111
活跃值: (20)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
jjh
22
%100包过NP,HS。。。高手啊,可否透露下?
2008-7-7 10:47
0
游客
登录 | 注册 方可回帖
返回
//