蹂躏D&F彻底之二让ce正常附加扫描

OD附加CE，Ctrl+G,ReadProcessMemory。

retn 14

**********************************************************************************************************************************

添加头文件

新建头文件rlNtReadProcessMemory.h

//他是XP
int nNtReadVirtualMemoryAddr;
int nNtReadVirtualMemoryAddr_3;
int nNtReadVirtualMemoryAddrJmp;

__declspec(naked) void MyNtReadVirtualMemory()
{
	if (PanDuanProcessName("DNF.exe") || PanDuanProcessName("TenSafe.exe") || PanDuanProcessName("QQLogin.exe"))
	{
		__asm
		{
			//如果是DNF调用的
			jmp nNtReadVirtualMemoryAddr
		}
	}

	__asm
	{
		push 0x1c
			push nNtReadVirtualMemoryAddr_3
			jmp nNtReadVirtualMemoryAddrJmp
	}


}

VOID HookReadVirtualMemory()
{
	nNtReadVirtualMemoryAddr = GetSSDTFunctionAddr(0x115);
	nNtReadVirtualMemoryAddr_3 = nNtReadVirtualMemoryAddr + 3;
	nNtReadVirtualMemoryAddr_3 = *((int*)nNtReadVirtualMemoryAddr_3);
	nNtReadVirtualMemoryAddrJmp = nNtReadVirtualMemoryAddr + 7;

	SSDTHookEngine(0x115, (int)MyNtReadVirtualMemory);
	//DbgPrint("nNtReadVirtualMemoryAddr_3=%x\n",nNtReadVirtualMemoryAddr_3);
}

VOID UnHookReadVirtualMemory()
{
	SSDTUnHookEngine(0x115, nNtReadVirtualMemoryAddr);
}

==========================================================OK版==================================================

rlTenD.cpp

#include <ntddk.h>
#include "rlTenD.h"

#include "rlNtOpenProcess.h"
#include "rlNtReadProcessMemory.h"


NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING str)
{

	//驱动 ->驱动卸载=卸载驱动
	pDriver->DriverUnload = UnloadDriver;

	HookNtOpenProcess();
	//调试输出
	DbgPrint("Loading MyDriver...\r");
	return 1;
}

void UnloadDriver(PDRIVER_OBJECT pDriver)
{
	UnHookNtOpenProcess();
	//调试输出
	DbgPrint("UnLoading MyDriver...\r");

}

rlTenD.h

	void UnloadDriver(PDRIVER_OBJECT pDriver);

rlNtOpenProcess.h

#include "函数.h"

//#ifndef HOOKNTOPENPROCESS
//#define HOOKNTOPENPROCESS

int nNtOpenProcessAddr;
int nHookNtOpenProcessAddr;
int nHookNtOpenProcessJmp;//我们要跳的地址
int nHookNtOpenProcessOldJmp;
int nObOpenObjectByPointerAddr;

__declspec(naked) void MyNtOpenProcess()
{
	__asm//恢复前面俩行
	{
		push    dword ptr[ebp - 38h]
		push    dword ptr[ebp - 24h]
	}
	if (PanDuanProcessName("DNF.exe") || PanDuanProcessName("TenSafe.exe") || PanDuanProcessName("QQLogin.exe"))//还有很多进程
	{
		__asm
		{
		//如果是DNF调用的
		jmp nHookNtOpenProcessOldJmp//HOOK
		}
	}

	__asm
	{
		call nObOpenObjectByPointerAddr
		jmp nHookNtOpenProcessJmp
	}
}

void HookNtOpenProcess()
{

	nNtOpenProcessAddr = GetFunCtionAddr(L"NtOpenProcess");
	char code[7] = { (char)0xff, (char)0x75, (char)0xc8, (char)0xff, (char)0x75, (char)0xdc, (char)0xe8 };//定义好特征码，方便找到HOOK地方

	nHookNtOpenProcessAddr=SearchFeature(nNtOpenProcessAddr, code, 7)-7;
	DbgPrint("nHookNtOpenProcessAddr=%x\r",nHookNtOpenProcessAddr);

	nHookNtOpenProcessJmp = nHookNtOpenProcessAddr + 11;
	nHookNtOpenProcessOldJmp = nHookNtOpenProcessAddr + 6;
	DbgPrint("nHookNtOpenProcessJmp=%x\n", nHookNtOpenProcessJmp);
	DbgPrint("nHookNtOpenProcessOldJmp=%x\n", nHookNtOpenProcessOldJmp);

	nObOpenObjectByPointerAddr=GetFunCtionAddr(L"ObOpenObjectByPointer");
	DbgPrint("nObOpenObjectByPointerAddr=%x\r", nObOpenObjectByPointerAddr);

	InLineHookEngine(nHookNtOpenProcessAddr, (int)MyNtOpenProcess);
}

void UnHookNtOpenProcess()
{
	char code[7] = { (char)0xff, (char)0x75, (char)0xc8, (char)0xff, (char)0x75, (char)0xdc, (char)0xe8 };//定义好特征码，方便找到HOOK地方
	UnInLineHookEngine(nHookNtOpenProcessAddr, code, 5);

}

//#endif

函数.h

#ifndef HANSHU
#define HANSHU


ULONG KeServiceDescriptorTable;

int  GetSSDTFunctionAddr(int nSSDTIndex);
int PanDuanProcessName(char *szName);
void MemoryWritable();
void MemoryNotWritable();
int SSDTHookEngine(int nSSDTIndex, int nFunctionAddr);
void SSDTUnHookEngine(int nSSDTIndex, int nFunctionAddr);
int GetCallAddr(int nCallAddr);

void CallHook(int nCallAddr, int nFunctionAddr)
{
	int nRCallAddr = (nFunctionAddr - nCallAddr - 4);
	MemoryWritable();
	__asm
	{
		mov eax, nCallAddr
			mov ebx, nRCallAddr
			mov dword ptr ds : [eax], ebx
	}
	MemoryNotWritable();
}

int GetCallAddr(int nCallAddr)
{
	return (*((int*)nCallAddr) + nCallAddr + 4);
}

int PanDuanProcessName(char *szName)
{
	int nEProcess;

	nEProcess = (int)PsGetCurrentProcess();

	char szProessaName[16];

	strcpy(szProessaName, (char*)(nEProcess + 0x174));

	//DbgPrint("------%s------\n",szProessaName);

	if (strcmp(szProessaName, szName) == 0)
	{
		//DbgPrint("冒险岛调用了此函数\n");
		return 1;
	}

	return 0;
}

int SearchFeature(int nAddr, char* pFeature, int nLeng)
{
	char szStatus[256] = "";
	int i = 5000;

	while (i--)
	{
		RtlMoveMemory(szStatus, (char*)nAddr, nLeng);

		if (RtlCompareMemory(pFeature, szStatus, nLeng) == nLeng)
		{
			return nAddr + nLeng;
		}
		nAddr++;
	}

	return 0;
}

int GetSSDTFunctionAddr(int nSSDTIndex)
{
	int Addr;

	__asm
	{
		mov ebx, nSSDTIndex
			shl ebx, 2
			mov eax, KeServiceDescriptorTable
			mov eax, [eax]
			add eax, ebx
			mov ecx, [eax]
			mov Addr, ecx
	}

	return Addr;
}


int SSDTHookEngine(int nSSDTIndex, int nFunctionAddr)
{
	MemoryWritable();

	int nOldAddr;

	__asm
	{
		mov ebx, nSSDTIndex
			shl ebx, 2
			mov eax, KeServiceDescriptorTable
			mov eax, [eax]
			add eax, ebx
			mov ecx, [eax]
			mov nOldAddr, ecx
			mov ecx, nFunctionAddr
			mov[eax], ecx
	}

	MemoryNotWritable();

	return nOldAddr;
}

void InLineHookEngine(int nRHookAddr, int nMyFunctionAddr)
{
	MemoryWritable();

	int nJmpAddr = nMyFunctionAddr - nRHookAddr - 5;

	__asm
	{
		mov eax, nRHookAddr
			mov byte ptr ds : [eax], 0xe9
			mov ebx, nJmpAddr
			mov dword ptr ds : [eax + 1], ebx
	}

	MemoryNotWritable();
}

void UnInLineHookEngine(int nRHookAddr, char *szMacCode, int nLeng)
{
	MemoryWritable();

	RtlMoveMemory((char*)nRHookAddr, szMacCode, nLeng);

	MemoryNotWritable();
}

void SSDTUnHookEngine(int nSSDTIndex, int nOldFunctionAddr)
{
	MemoryWritable();

	__asm
	{
		mov ebx, nSSDTIndex
			shl ebx, 2
			mov eax, KeServiceDescriptorTable
			mov eax, [eax]
			add eax, ebx
			mov ecx, nOldFunctionAddr
			mov[eax], ecx
	}

	MemoryNotWritable();
}

void MemoryWritable()
{
	__asm
	{
		cli
			mov eax, cr0
			and eax, not 10000h
			mov cr0, eax
	}
}

void MemoryNotWritable()
{
	__asm
	{
		mov     eax, cr0
			or     eax, 10000h
			mov     cr0, eax
			sti
	}
}

int GetFunCtionAddr(WCHAR* szFunCtionAName)
{
	UNICODE_STRING FsRtlLegalAnsiCharacterArray_String;
	RtlInitUnicodeString(&FsRtlLegalAnsiCharacterArray_String, szFunCtionAName);
	return (int)MmGetSystemRoutineAddress(&FsRtlLegalAnsiCharacterArray_String);
}

int GetKiAttachProcessAddr()
{
	char s = (char)0xe8;
	int	nCallAddr = SearchFeature(GetFunCtionAddr(L"KeAttachProcess"), &s, 1);

	if (nCallAddr == 0)
	{
		return 0;
	}
	int nKiAttachProcessAddr = *((int*)nCallAddr) + nCallAddr + 4;

	return nKiAttachProcessAddr;
}

#endif

rlNtReadProcessMemory.h

//他是XP
int nNtReadVirtualMemoryAddr;
int nNtReadVirtualMemoryAddr_3;
int nNtReadVirtualMemoryAddrJmp;

__declspec(naked) void MyNtReadVirtualMemory()
{
	if (PanDuanProcessName("DNF.exe") || PanDuanProcessName("TenSafe.exe") || PanDuanProcessName("QQLogin.exe"))
	{
		__asm
		{
			//如果是DNF调用的
			jmp nNtReadVirtualMemoryAddr
		}
	}

	__asm
	{
		push 0x1c
			push nNtReadVirtualMemoryAddr_3
			jmp nNtReadVirtualMemoryAddrJmp
	}


}

VOID HookReadVirtualMemory()
{
	nNtReadVirtualMemoryAddr = GetSSDTFunctionAddr(0x115);
	nNtReadVirtualMemoryAddr_3 = nNtReadVirtualMemoryAddr + 3;
	nNtReadVirtualMemoryAddr_3 = *((int*)nNtReadVirtualMemoryAddr_3);
	nNtReadVirtualMemoryAddrJmp = nNtReadVirtualMemoryAddr + 7;

	SSDTHookEngine(0x115, (int)MyNtReadVirtualMemory);
	//DbgPrint("nNtReadVirtualMemoryAddr_3=%x\n",nNtReadVirtualMemoryAddr_3);
}

VOID UnHookReadVirtualMemory()
{
	SSDTUnHookEngine(0x115, nNtReadVirtualMemoryAddr);
}

以上皆以这个为准。