dnf驱动保护原理及过保护代码书写

合集下载

相关主题

dnf代码大全

1、下载文档前请自行甄别文档内容的完整性，平台不提供额外的编辑、内容补充、找答案等附加服务。
2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
3、如文档侵犯您的权益，请联系客服反馈,我们会尽快为您处理(人工客服工作时间：9:00-18:30)。

} void Unload(PDRIVER_OBJECT pDriverObject) { UnHook();//恢复所有修改过的代码 KdPrint(("驱动成功被卸载\n")); } //恢复 NtReadVittualMemory 的 hook void UnNtReadVittualMemory() { UNICODE_STRING FsRtlLegalAnsiCharacterArray_String; int FsRtlLegalAnsiCharacterArray_Addr; RtlInitUnicodeString(&FsRtlLegalAnsiCharacterArray_String,L"FsRtlLegalAnsiCharacterArray") ; FsRtlLegalAnsiCharacterArray_Addr=(int)MmGetSystemRoutineAddress(&FsRtlLegalAnsiChar acterArray_String); KdPrint(("FsRtlLegalAnsiCharacterArray=%x\n",FsRtlLegalAnsiCharacterArray_Addr)); __asm { c li mov eax,cr0 and eax,not 10000h mov cr0,eax mov eax,KeServiceDescriptorTable mov eax,[eax] add eax,0x2e8 mov eax,[eax] mov byte ptr ds:[eax],0x6a mov byte ptr ds:[eax+1],0x1c mov byte ptr ds:[eax+2],0x68 mov ebx,FsRtlLegalAnsiCharacterArray_Addr add ebx,0x1a18 mov dword ptr ds:[eax+3],ebx mov eax,cr0 or eax,10000h mov cr0,eax sti } } //恢复 NtWriteVitualMemory 的 hook void UnNtWriteVitualMemory() { UNICODE_STRING FsRtlLegalAnsiCharacterArray_String; int FsRtlLegalAnsiCharacterArray_Addr; RtlInitUnicodeString(&FsRtlLegalAnsiCharacterArray_String,L"FsRtlLegalAnsiCharacterArray")
dnf 驱动保护原理及过保护代码点击第一个站进入、快速成为做挂达人。
在偶看来 dnf 游戏一点也不好玩但是人家还这么火，所以外挂系统。经过分析 dnf 一共对 5 个函数做了手脚 NtWriteVitualMemory， //用户层写内存 NtReadVittualMemory，//用户层读内存 NtpenProcess， // 用户层得到进程句柄 NtOpenThread， //用户层创建线程 KiAttachProcess //用户层调试附加函数
{ push dword ptr [ebp-34h] push dword ptr [ebp-20h] // call ObOpenObjectByPointer_Addr mov ebx,KeServiceDescriptorTable mov ebx,[ebx] add ebx,0x200 mov ebx,[ebx] add ebx,0x21f push ebx jmp ObOpenObjectByPointer_Addr } } void UnNtOpenThread() { __asm { c li mov eax,cr0 and eax,not 10000h mov cr0,eax } __asm { //0x214 0x21f mov eax,KeServiceDescriptorTable mov eax,[eax] add eax,0x200 mov eax,[eax] add eax,0x214 mov ebx,MyNtOpenThread sub ebx,eax sub ebx,5 mov byte ptr ds:[eax],0xe9 mov dword ptr ds:[eax+1],ebx mov byte ptr ds:[eax+5],0x90 } __asm { mov eax,cr0 or eax,10000h mov cr0,eax sti }
; FsRtlLegalAnsiCharacterArray_Addr=(int)MmGetSystemRoutineAddress(&FsRtlLegalAnsiChar acterArray_String); KdPrint(("FsRtlLegalAnsiCharacterArray=%x\n",FsRtlLegalAnsiCharacterArray_Addr)); __asm { c li mov eax,cr0 and eax,not 10000h mov cr0,eax mov eax,KeServiceDescriptorTable mov eax,[eax] add eax,0x454 mov eax,[eax] mov byte ptr ds:[eax],0x6a mov byte ptr ds:[eax+1],0x1c mov byte ptr ds:[eax+2],0x68 mov ebx,FsRtlLegalAnsiCharacterArray_Addr add ebx,0x1a30 mov dword ptr ds:[eax+3],ebx mov eax,cr0 or eax,10000h mov cr0,eax sti } } int GetObOpenObjectByPointer() { UNICODE_STRING ObOpenObjectByPointer_Str; int ObOpenObjectByPointer_Addr; RtlInitUnicodeString(&ObOpenObjectByPointer_Str,L"ObOpenObjectByPointer"); return (int)MmGetSystemRoutineAddress(&ObOpenObjectByPointer_Str); } void __declspec(naked) MyNtOpenProcess() { int GetObOpenObjectByPointer_Addr; GetObOpenObjectByPointer_Addr=GetObOpenObjectByPointer(); // KdPrint(("ObOpenObjectByPointer=%x\n",ObOpenObjectByPointer_Addr)); __asm { push dword ptr [ebp-38h]//执行写入 jmp 的代码 push dword ptr [ebp-24h] mov eax,KeServiceDescriptorTable mov eax,[eax]
add eax,0x1e8 mov eax,[eax] add eax,0x229 push eax jmp GetObOpenObjectByPointer_Addr } } void UnNpenProcess() { _asm //去掉页面保护 { c li mov eax,cr0 and eax,not 10000h mov cr0,eax } _asm { mov eax,KeServiceDescriptorTable mov eax,[eax] add eax,0x1e8 mov eax,[eax] add eax,0x21e mov byte ptr ds:[eax],0xe9 mov ebx,MyNtOpenProcess sub ebx,eax sub ebx,5 mov DWORD ptr ds:[eax+1],ebx mov byte ptr ds:[eax+5],0x90 } _asm //恢复页面保护 { mov eax,cr0 or eax,10000h mov cr0,eax sti } } __declspec(naked) void MyNtOpenThread() { int ObOpenObjectByPointer_Addr; ObOpenObjectByPointer_Addr=GetObOpenObjectByPointer(); KdPrint(("ObOpenObjectByPointer=%x\n",ObOpenObjectByPointer_Addr)); __asm
} void UnHook() { _asm //去掉页面保护 { c li mov eax,cr0 and eax,not 10000h mov cr0,eax } _asm { mov eax,KeServiceDescriptorTable mov eax,[eax] add eax,0x1e8 mov eax,[eax] add eax,0x21e mov byte ptr ds:[eax],0xff mov byte ptr ds:[eax+1],0x75 mov byte ptr ds:[eax+2],0xc8 mov byte ptr ds:[eax+3],0xff mov byte ptr ds:[eax+4],0x75 mov byte ptr ds:[eax+5],0xdc } __asm { //0x214 0x21f mov eax,KeServiceDescriptorTable mov eax,[eax] add eax,0x200 mov eax,[eax] add eax,0x214 mov byte ptr ds:[eax],0xff mov byte ptr ds:[eax+1],0x75 mov byte ptr ds:[eax+2],0xcc mov byte ptr ds:[eax+3],0xff mov byte ptr ds:[eax+4],0x75 mov byte ptr ds:[eax+5],0xe0 } __asm { mov eax,KiAttachProcess_Addr sub eax,KeAttachProcess_e8 sub eax,4
#include "main.h" int KiAttachProcess_Addr; int KeAttachProcess_e8; void UnKiAttachProcess(); NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistrPath) { UnNtWriteVitualMemory();//绕过 NtWriteVitualMemory hook UnNtReadVittualMemory();//绕过 NtReadVittualMemory hook UnNpenProcess(); //绕过 NtNpenProcess hook UnNtOpenThread(); //绕过 NtOpenProcess hook UnKiAttachProcess(); //绕过 KiAttachProcess hook pDriverObject->DriverUnload=Unload; KdPrint(("驱动加载成功\n")); return 0; } NTSTATUS CreateMyDevice(PDRIVER_OBJECT pDriverObject) { NTSTATUS status; PDRIVER_OBJECT pDevObj; UNICODE_STRING devName; UNICODE_STRING symlinkName; return STATUS_SUCCESS;/////