对付DNF硬件断点的NtGetContextThread的写法

VOID AddLinkTable(DWORD ThreadHandle, PCONTEXT pThreadContext) { PTHREADCONTEXTLINK pData = NULL; // 节点数据 KIRQL irql; // 中断级别
if (IsListEmpty(&linkListHead))
// Name suggests it prints the Dr* fields of a CONTEXT; body not in this excerpt.
VOID ShowDrRegInfo(PCONTEXT pThreadContext);
// Name suggests it zeroes the Dr* fields of a CONTEXT; body not in this excerpt.
VOID ClearDrReg(PCONTEXT pThreadContext);
// Records ThreadHandle together with the CONTEXT's Dr values in linkListHead
// (inserts a new node, or updates an existing one after ExsitsLinkTable()).
VOID AddLinkTable(DWORD ThreadHandle, PCONTEXT pThreadContext);
// Copies the CONTEXT's Dr values into the list node whose ThreadHandle matches.
VOID RecoveryDrReg(DWORD ThreadHandle,PCONTEXT pThreadContext);
// Looks ThreadHandle up in linkListHead; the caller in AddLinkTable treats a
// result > 1 as "already present". Body not in this excerpt.
DWORD ExsitsLinkTable(DWORD ThreadHandle);
((PTHREADCONTEXTLINK)Value)->Dr0Seg = pThreadContext->Dr0;
恢复部分 //NtGetContextThreadStop();
//*****************H


*******************************************************************************
***********
#pragma once
名称 __declspec(naked) VOID __stdcall HookFunc_NtGetContextThread() { __asm { pushad mov edx,DWORD ptr[ebp+0x8] //线程句柄 mov ThreadHandle,edx mov ebx,DWORD ptr[ebp+0xC] //CONTEXT 指针 mov pThreadContext,ebx popad }
InsertHeadList(&linkListHead,&pData->ListEntry); // 解锁,注意这里的 irql 不是指针
KeReleaseSpinLock(&spin_lock, irql);
return;
}else
{ //如果不为空,先判断是不是存在了
DWORD Value = ExsitsLinkTable(ThreadHandle);
//RecoveryDrReg(ThreadHandle,pThreadContext);
}
//执行被覆盖的代码
__asm
{
mov eax, esi
pop esi
leave
retn 8
\n",(char
}
}
// Writes the caller-supplied CONTEXT's Dr0-Dr3/Dr6/Dr7 into the list node whose
// ThreadHandle matches. NOTE(review): despite the original heading ("restore the
// hidden Dr registers"), the assignments below copy from pThreadContext into the
// stored node, not from the node back into the CONTEXT.
//   ThreadHandle   - handle value looked up in linkListHead
//   pThreadContext - source of the debug-register values; dereferenced unchecked
// Returns nothing. The walk takes no lock on linkListHead.
VOID RecoveryDrReg(DWORD ThreadHandle,PCONTEXT pThreadContext)
{
    if (IsListEmpty(&linkListHead))
    {
        // Nothing to update when the list is empty.
        dprintf("[ByPassTp] 链表为空!\n");
        return;
    }
    PTHREADCONTEXTLINK pTarget = NULL; // node currently under inspection
    PLIST_ENTRY pListWalker = &linkListHead; // walk cursor, starts at the list head
    // NOTE(review): linkListHead is a bare LIST_ENTRY, not a THREADCONTEXTLINK, so
    // this pointer only serves the diagnostic print below and must not be dereferenced.
    pTarget = CONTAINING_RECORD(&linkListHead,
        THREADCONTEXTLINK, ListEntry);
    // NOTE(review): %08X with a pointer argument; only lines up on 32-bit builds.
    dprintf("链表头 = %08X\n",pTarget);
    dprintf("线程句柄 = %08X\n",ThreadHandle);
    // NOTE(review): CONTAINING_RECORD never yields NULL, so this condition is always
    // true and the loop ends only via the break on a match. For a handle that is not
    // in the list the walk wraps around through the list head (whose "ThreadHandle"
    // field is whatever memory follows the LIST_ENTRY) and does not terminate.
    while(pTarget !=NULL)
    {
        pListWalker = pListWalker->Blink; // walk backwards (Blink) from the head
        pTarget = CONTAINING_RECORD(pListWalker,THREADCONTEXTLINK,ListEntry); // recover the enclosing node
        if (pTarget->ThreadHandle == ThreadHandle)
        {
            // Matching node: overwrite its saved debug-register values.
            pTarget->Dr0Seg = pThreadContext->Dr0;
            pTarget->Dr1Seg = pThreadContext->Dr1;
            pTarget->Dr2Seg = pThreadContext->Dr2;
            pTarget->Dr3Seg = pThreadContext->Dr3;
            pTarget->Dr6Seg = pThreadContext->Dr6;
            pTarget->Dr7Seg = pThreadContext->Dr7;
            break;
        }
    }
    return;
}
RtlInitAnsiString(&CurrentProcessNameForGetContextThread,(char
*)((DWORD)ProcessEPROCESSForGetContextThread+0x174));
//将我们要比对的进程名放入 GameProcessName
RtlInitAnsiString(&GameProcessNameForGetContextThread,"DNF.exe");
if (NULL == pData) return;
//拷贝第一个元素
pData->ThreadHandle = ThreadHandle; //拷贝 Dr 寄存器的值
pData->Dr0Seg = pThreadContext->Dr0;
pData->Dr1Seg = pThreadContext->Dr1;
pData->Dr2Seg = pThreadContext->Dr2;
pData->Dr3Seg = pThreadContext->Dr3;
pData->Dr6Seg = pThreadContext->Dr6;
pData->Dr7Seg = pThreadContext->Dr7;
//如果为空就插到头
if
(RtlCompareString(&CurrentProcessNameForGetContextThread,
&GameProcessNameForGetContextThread,TRUE) == 0)
{
dprintf("[ByPassTp] DnfThreadHandle = %08X\n",ThreadHandle);
{
//如果链表为空
KeInitializeSpinLock(&spin_lock);
// 锁定,注意这里的 irql 是个指针
KeAcquireSpinLock(&spin_lock, &irql);
pData
=
(PTHREADCONTEXTLINK)ExAllocatePool(PagedPool,sizeof(THREADCONTEXTLINK));
对付 DNF 硬件断点的 NtGetContextThread 的写法
初始化部分
//NtGetContextThread(对付硬件断点)
// HookAddr_NtGetContextThread = FindHookNtGetContextThread();
// Hook address for NtGetContextThread; the definition (initialised to 0) lives in
// the .cpp part of this file. Presumably filled in by FindHookNtGetContextThread()
// — the call to it is commented out in this excerpt, so confirm where it is set.
extern DWORD HookAddr_NtGetContextThread;
// Locates the hook address; body not in this excerpt.
DWORD FindHookNtGetContextThread();
// Naked (__declspec(naked)) __stdcall hook function; it reads the hooked call's
// arguments from [ebp+0x8] / [ebp+0xC] into the ThreadHandle / pThreadContext globals.
VOID __stdcall HookFunc_NtGetContextThread();
//******************CPP


*******************************************************************************
// Globals written by HookFunc_NtGetContextThread from the hooked call's stack frame.
// NOTE(review): file-scope and shared across all callers of the hook; nothing in this
// excerpt serialises concurrent writes to them.
DWORD ThreadHandle=0;        // thread handle argument of the hooked call
PCONTEXT pThreadContext =0;  // CONTEXT pointer argument of the hooked call
LIST_ENTRY linkListHead;     // head of the THREADCONTEXTLINK list
KSPIN_LOCK spin_lock;        // spin lock taken around list insert/update
// Layout sketch of a list node, kept from the original source:
//   ---------------- Flink (successor)
//   ---------------- Blink (predecessor)
//   ---------------- data: ThreadHandle, Dr0, Dr1, ..., Dr7
//   ----------------
DWORD HookAddr_NtGetContextThread = 0; // NtGetContextThread(Thread+0x8,ThreadContext+0xC)
// EPROCESS of the calling process, set via IoGetCurrentProcess() in the hook.
PEPROCESS ProcessEPROCESSForGetContextThread = NULL;
// Caller's process name and the configured game name, compared with RtlCompareString in the hook.
ANSI_STRING CurrentProcessNameForGetContextThread,GameProcessNameForGetContextThread;
dprintf("\n==============================================\n");
}else
{
dprintf("[ByPassTp]
%s
访

NtGetContextThread
*)((DWORD)ProcessEPROCESSForGetContextThread+0x174));
#include "struct.h" #include "Common.h"
// One saved-context record per thread handle, chained through linkListHead.
typedef struct _THREADCONTEXTLINK
{
    LIST_ENTRY ListEntry; // links the records together (used with InsertHeadList/CONTAINING_RECORD)
    DWORD ThreadHandle;   // key the list is searched by
    DWORD Dr0Seg;         // copies of CONTEXT.Dr0..Dr3, Dr6, Dr7 taken when the record was added/updated
    DWORD Dr1Seg;
    DWORD Dr2Seg;
    DWORD Dr3Seg;
    DWORD Dr6Seg;
    DWORD Dr7Seg;
}THREADCONTEXTLINK,*PTHREADCONTEXTLINK;
if (Value > 1)
{
dprintf("存在了,不用插入了!");
KeInitializeSpinLock(&spin_lock);
// 锁定,注意这里的 irql 是个指针
KeAcquireSpinLock(&spin_lock, &irql);
//拷贝 Dr 寄存器的值到链表元素里(更新 Dr 数据)
********
#ifdef __cplusplus
extern "C" {
#endif
#include <ntddk.h>
#include <string.h>
#ifdef __cplusplus
}; // extern "C"
#endif
#include "_NtGetContextThread.h"
//
dprintf("[ByPassTp]
HookAddr_NtGetContextThread
=
%08X\r\n",HookAddr_NtGetContextThread);
// JmpHookInitialFun(NtGetContextThread); [font=宋体][/font]
挂钩部分 //NtGetContextThreadStart();
dprintf("[ByPassTp] DnfpThreadContext = %08X\n",pThreadContext);
ShowDrRegInfo(pThreadContext);
AddLinkTable(ThreadHandle,pThreadContext);
ClearDrReg(pThreadContext);
ProcessEPROCESSForGetContextThread = IoGetCurrentProcess(); //-->EPROCESS
//将调用者的进程名保存到 CurrentProcessName 中
//dprintf("[By源自文库assTp]




:%s\r\n",(char
*)((DWORD)ProcessEPROCESSForOpenProcess+0x174));