OD附加CE,Ctrl+G,ReadProcessMemory。
retn 14
**********************************************************************************************************************************
添加头文件
新建头文件rlNtReadProcessMemory.h
// XP-specific: the SSDT index (0x115) and the 7-byte prologue layout assumed by
// MyNtReadVirtualMemory are taken from one Windows XP kernel build and will not
// match other builds (wrong values here mean a kernel crash, not a failed hook).
int nNtReadVirtualMemoryAddr;    // original SSDT entry for index 0x115, saved by HookReadVirtualMemory
int nNtReadVirtualMemoryAddr_3;  // dword read from original+3 at hook time (presumably the imm32 of the prologue's second push)
int nNtReadVirtualMemoryAddrJmp; // original+7: where the trampoline resumes after replaying the prologue
// SSDT-level replacement for service index 0x115, installed by HookReadVirtualMemory.
// Naked: no prologue/epilogue is emitted, so the stack is exactly as the
// system-service dispatcher left it when this code runs.
// Both paths below end in the original routine; as written the process-name
// test appears to change only which of two equivalent routes is taken.
__declspec(naked) void MyNtReadVirtualMemory()
{
    // NOTE(review): a C call from inside a naked function; this relies on the
    // compiler's generated call sequence being stack-neutral and on no locals
    // being spilled -- confirm with a disassembly of the built driver.
    if (PanDuanProcessName("DNF.exe") || PanDuanProcessName("TenSafe.exe") || PanDuanProcessName("QQLogin.exe"))
    {
        __asm
        {
            // Caller is one of the listed processes: jump to the saved
            // original entry point untouched.
            jmp nNtReadVirtualMemoryAddr
        }
    }
    // Everyone else: re-execute the first 7 bytes of the original routine
    // (push 1Ch; push imm32 -- presumably the XP prologue; the imm32 was read
    // from original+3 at hook time) and continue at original+7.
    __asm
    {
        push 0x1c
        push nNtReadVirtualMemoryAddr_3
        jmp nNtReadVirtualMemoryAddrJmp
    }
}
// Installs MyNtReadVirtualMemory in SSDT slot 0x115 and records what the
// trampoline needs in order to re-enter the original routine.
// Side effects: writes the three nNtReadVirtualMemory* globals and patches
// the service table.  The +3/+7 offsets are a hard-coded XP prologue layout.
VOID HookReadVirtualMemory()
{
    // Resolve the current (still original) entry before it is replaced.
    int nOrig = GetSSDTFunctionAddr(0x115);
    nNtReadVirtualMemoryAddr = nOrig;
    // Dword at original+3 and the address original+7: the trampoline replays
    // the first 7 prologue bytes and resumes there.
    nNtReadVirtualMemoryAddr_3 = *((int*)(nOrig + 3));
    nNtReadVirtualMemoryAddrJmp = nOrig + 7;
    SSDTHookEngine(0x115, (int)MyNtReadVirtualMemory);
}
// Puts the saved original entry back into SSDT slot 0x115.
// Only meaningful after HookReadVirtualMemory has filled nNtReadVirtualMemoryAddr.
VOID UnHookReadVirtualMemory()
{
    int nOrig = nNtReadVirtualMemoryAddr;
    SSDTUnHookEngine(0x115, nOrig);
}
==========================================================OK版==================================================
rlTenD.cpp
#include <ntddk.h>
#include "rlTenD.h"
#include "rlNtOpenProcess.h"
#include "rlNtReadProcessMemory.h"
// Driver entry point: registers the unload routine and installs only the
// NtOpenProcess inline hook (HookReadVirtualMemory is never called here).
// NOTE(review): returns the literal 1 rather than STATUS_SUCCESS; NT_SUCCESS(1)
// holds, so the driver still loads, but 1 is not a defined status value.
// The registry-path parameter `str` is unused.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING str)
{
    // Register the unload callback so the hook can be removed on unload.
    pDriver->DriverUnload = UnloadDriver;
    HookNtOpenProcess();
    // Debug output
    DbgPrint("Loading MyDriver...\r");
    return 1;
}
// Unload callback registered by DriverEntry.  Removes the one hook that
// DriverEntry installed before the driver image is released.
void UnloadDriver(PDRIVER_OBJECT pDriver)
{
    UnHookNtOpenProcess();
    // Debug output
    DbgPrint("UnLoading MyDriver...\r");
}
rlTenD.h
void UnloadDriver(PDRIVER_OBJECT pDriver);
rlNtOpenProcess.h
#include "函数.h"
//#ifndef HOOKNTOPENPROCESS
//#define HOOKNTOPENPROCESS
// Hook state for NtOpenProcess, filled in by HookNtOpenProcess.
// NOTE(review): the include guard above is commented out, so including this
// header twice in one translation unit would redefine these variables.
int nNtOpenProcessAddr;         // address of NtOpenProcess (via MmGetSystemRoutineAddress)
int nHookNtOpenProcessAddr;     // start of the 7-byte pattern inside it: where the 5-byte jmp is written
int nHookNtOpenProcessJmp;      // site+11: the instruction after the original call (where we resume)
int nHookNtOpenProcessOldJmp;   // site+6: the original call instruction itself
int nObOpenObjectByPointerAddr; // address of ObOpenObjectByPointer, called from the hook body
// Inline-hook body for the site inside NtOpenProcess that InLineHookEngine
// overwrote with a 5-byte jmp (HookNtOpenProcess locates the site by the
// byte pattern ff 75 c8 / ff 75 dc / e8).  Naked: no frame is set up, so
// ebp is still NtOpenProcess's frame and [ebp-38h]/[ebp-24h] refer to its
// locals.  Both paths end up calling ObOpenObjectByPointer and resuming in
// NtOpenProcess; the process-name test has no visible effect as written.
__declspec(naked) void MyNtOpenProcess()
{
    // Replay the two pushes (ff 75 c8 / ff 75 dc) that the jmp overwrote.
    __asm
    {
        push dword ptr[ebp - 38h]
        push dword ptr[ebp - 24h]
    }
    // NOTE(review): a C call with the two pushed arguments already on the
    // stack; relies on the generated call sequence being stack-neutral --
    // confirm with a disassembly of the built driver.
    if (PanDuanProcessName("DNF.exe") || PanDuanProcessName("TenSafe.exe") || PanDuanProcessName("QQLogin.exe"))// more process names could be listed here
    {
        __asm
        {
            // Caller is one of the listed processes: resume at site+6, i.e.
            // the original call instruction that follows the two pushes.
            jmp nHookNtOpenProcessOldJmp
        }
    }
    // Everyone else: make the same call here, then resume at site+11,
    // just past the original 5-byte call instruction.
    __asm
    {
        call nObOpenObjectByPointerAddr
        jmp nHookNtOpenProcessJmp
    }
}
// Locates the call to ObOpenObjectByPointer inside NtOpenProcess by byte
// pattern and redirects that site to MyNtOpenProcess with a 5-byte inline jmp.
// Side effects: fills the nHookNtOpenProcess* globals and patches kernel code.
// NOTE(review): SearchFeature returns 0 when the pattern is not found; that
// case is not checked, so the patch would then be written at address -7.
void HookNtOpenProcess()
{
    // push dword ptr [ebp-38h]; push dword ptr [ebp-24h]; call ... (E8)
    char code[7] = { (char)0xff, (char)0x75, (char)0xc8, (char)0xff, (char)0x75, (char)0xdc, (char)0xe8 };

    nNtOpenProcessAddr = GetFunCtionAddr(L"NtOpenProcess");
    // SearchFeature returns the address just past the match; step back to its start.
    int nSite = SearchFeature(nNtOpenProcessAddr, code, 7) - 7;
    nHookNtOpenProcessAddr = nSite;
    DbgPrint("nHookNtOpenProcessAddr=%x\r", nSite);
    // +6 is the original call instruction, +11 the instruction after it.
    nHookNtOpenProcessOldJmp = nSite + 6;
    nHookNtOpenProcessJmp = nSite + 11;
    DbgPrint("nHookNtOpenProcessJmp=%x\n", nHookNtOpenProcessJmp);
    DbgPrint("nHookNtOpenProcessOldJmp=%x\n", nHookNtOpenProcessOldJmp);
    nObOpenObjectByPointerAddr = GetFunCtionAddr(L"ObOpenObjectByPointer");
    DbgPrint("nObOpenObjectByPointerAddr=%x\r", nObOpenObjectByPointerAddr);
    InLineHookEngine(nSite, (int)MyNtOpenProcess);
}
// Restores the bytes InLineHookEngine overwrote at the NtOpenProcess hook site.
// The jmp replaced only the first 5 of the 7 pattern bytes, so only 5 are
// written back.
void UnHookNtOpenProcess()
{
    // The original bytes at the site, same pattern HookNtOpenProcess searched for.
    char szOriginal[7] = { (char)0xff, (char)0x75, (char)0xc8, (char)0xff, (char)0x75, (char)0xdc, (char)0xe8 };
    UnInLineHookEngine(nHookNtOpenProcessAddr, szOriginal, 5);
}
//#endif
函数.h
#ifndef HANSHU
#define HANSHU
// Shared hook primitives for the driver (pulled in by rlNtOpenProcess.h).
// Addresses are carried around as int throughout: this code is 32-bit (XP x86) only.
// NOTE(review): these are definitions in a header; the HANSHU guard prevents a
// double include within one translation unit, not duplicate definitions across units.
ULONG KeServiceDescriptorTable;   // NOTE(review): a plain definition, not extern/__declspec(dllimport).
                                  // GetSSDTFunctionAddr dereferences its value as a pointer to the
                                  // descriptor; confirm this actually binds to the kernel export.
int GetSSDTFunctionAddr(int nSSDTIndex);
int PanDuanProcessName(char *szName);   // 1 if the current process image name equals szName, else 0
void MemoryWritable();                  // clear CR0.WP (and cli) before writing to code/table pages
void MemoryNotWritable();               // restore CR0.WP (and sti)
int SSDTHookEngine(int nSSDTIndex, int nFunctionAddr);    // returns the entry it replaced
void SSDTUnHookEngine(int nSSDTIndex, int nFunctionAddr);
int GetCallAddr(int nCallAddr);         // absolute target of a call, given the address of its rel32 operand
// Rewrites the rel32 operand of an existing E8 call so that it targets
// nFunctionAddr.  nCallAddr is the address of the 4-byte operand itself
// (not of the opcode), hence the "- 4": rel32 is relative to the end of the
// operand.  GetCallAddr is the inverse computation.
// NOTE(review): the store lands in live code while other CPUs may be
// executing it; nothing here serialises that.
void CallHook(int nCallAddr, int nFunctionAddr)
{
    int nRCallAddr = (nFunctionAddr - nCallAddr - 4);
    MemoryWritable();   // presumably the target page is read-only without this
    __asm
    {
        mov eax, nCallAddr
        mov ebx, nRCallAddr
        mov dword ptr ds : [eax], ebx   // overwrite the operand in place
    }
    MemoryNotWritable();
}
// Inverse of CallHook: given the address of a call's rel32 operand, returns
// the absolute target (operand value + address of the following instruction).
// Dereferences nCallAddr unconditionally; the caller must pass a mapped address.
int GetCallAddr(int nCallAddr)
{
    int nRel32 = *((int*)nCallAddr);
    int nNextInstr = nCallAddr + 4;   // rel32 is relative to the end of the operand
    return nNextInstr + nRel32;
}
// Returns 1 if the current process's image name equals szName, else 0.
// The name is read straight out of the EPROCESS at a hard-coded offset
// (0x174 -- presumably the XP image-name field; wrong on any other build).
// NOTE(review): strcpy into a 16-byte buffer with no bound; if the field is
// not NUL-terminated within 16 bytes this overruns the stack.
int PanDuanProcessName(char *szName)
{
    char szCurrent[16];
    const char *pImageName = (char*)((int)PsGetCurrentProcess() + 0x174);
    strcpy(szCurrent, pImageName);
    //DbgPrint("------%s------\n", szCurrent);
    return strcmp(szCurrent, szName) == 0 ? 1 : 0;
}
// Linear byte-pattern scan starting at nAddr.  Returns the address just past
// the first match (i.e. match start + nLeng), or 0 if no match within the
// first 5000 start positions.  Callers subtract nLeng to get the match start.
// NOTE(review): up to 5000+nLeng bytes past nAddr are read with no check that
// they are mapped, nLeng is not bounded against the 256-byte window, and the
// 0 return is indistinguishable from an address by callers that do not test it.
int SearchFeature(int nAddr, char* pFeature, int nLeng)
{
    char szWindow[256] = "";
    for (int nRemaining = 5000; nRemaining > 0; nRemaining--, nAddr++)
    {
        RtlMoveMemory(szWindow, (char*)nAddr, nLeng);
        if (RtlCompareMemory(pFeature, szWindow, nLeng) == nLeng)
        {
            return nAddr + nLeng;
        }
    }
    return 0;
}
// Returns the routine address stored at slot nSSDTIndex of the service table
// reached through KeServiceDescriptorTable (the table base is taken from the
// first dword of the descriptor; each slot is 4 bytes).  No bounds check
// against the table's length.
int GetSSDTFunctionAddr(int nSSDTIndex)
{
    int Addr;
    __asm
    {
        mov ebx, nSSDTIndex
        shl ebx, 2                         // index * 4
        mov eax, KeServiceDescriptorTable  // value of the global declared in this header
        mov eax, [eax]                     // first field of the descriptor: the service table base (presumably)
        add eax, ebx
        mov ecx, [eax]
        mov Addr, ecx
    }
    return Addr;
}
// Replaces service-table slot nSSDTIndex with nFunctionAddr and returns the
// previous entry (what the caller later hands to SSDTUnHookEngine).  Same
// table walk as GetSSDTFunctionAddr, with a store instead of the final load.
// NOTE(review): the slot is swapped while other CPUs may be dispatching
// through it; nothing here serialises that.
int SSDTHookEngine(int nSSDTIndex, int nFunctionAddr)
{
    MemoryWritable();   // presumably the table page is read-only without this
    int nOldAddr;
    __asm
    {
        mov ebx, nSSDTIndex
        shl ebx, 2                         // index * 4
        mov eax, KeServiceDescriptorTable
        mov eax, [eax]                     // service table base (first field of the descriptor, presumably)
        add eax, ebx
        mov ecx, [eax]
        mov nOldAddr, ecx                  // remember what was there
        mov ecx, nFunctionAddr
        mov[eax], ecx                      // install the replacement
    }
    MemoryNotWritable();
    return nOldAddr;
}
// Overwrites 5 bytes at nRHookAddr with a relative jmp (E9 rel32) to
// nMyFunctionAddr; rel32 is measured from the end of the 5-byte instruction,
// hence "- 5".  Whatever instructions those 5 bytes belonged to are not
// preserved here -- the hook routine must replay them itself (see
// MyNtOpenProcess).  The opcode and the operand are written as two separate
// stores, so the site is briefly inconsistent.
void InLineHookEngine(int nRHookAddr, int nMyFunctionAddr)
{
    MemoryWritable();   // presumably the code page is read-only without this
    int nJmpAddr = nMyFunctionAddr - nRHookAddr - 5;
    __asm
    {
        mov eax, nRHookAddr
        mov byte ptr ds : [eax], 0xe9          // jmp rel32 opcode
        mov ebx, nJmpAddr
        mov dword ptr ds : [eax + 1], ebx      // rel32 operand
    }
    MemoryNotWritable();
}
// Copies nLeng original bytes from szMacCode back over the hook site at
// nRHookAddr, undoing InLineHookEngine.  nLeng must be the number of bytes
// that were actually overwritten (5 for the jmp written by InLineHookEngine).
void UnInLineHookEngine(int nRHookAddr, char *szMacCode, int nLeng)
{
    char *pSite = (char*)nRHookAddr;
    MemoryWritable();
    RtlMoveMemory(pSite, szMacCode, nLeng);
    MemoryNotWritable();
}
// Writes nOldFunctionAddr back into service-table slot nSSDTIndex (the value
// SSDTHookEngine returned).  Same table walk as GetSSDTFunctionAddr.
// NOTE(review): no check that the slot currently holds our hook; a second
// hook installed later would be silently overwritten.
void SSDTUnHookEngine(int nSSDTIndex, int nOldFunctionAddr)
{
    MemoryWritable();   // presumably the table page is read-only without this
    __asm
    {
        mov ebx, nSSDTIndex
        shl ebx, 2                         // index * 4
        mov eax, KeServiceDescriptorTable
        mov eax, [eax]                     // service table base (first field of the descriptor, presumably)
        add eax, ebx
        mov ecx, nOldFunctionAddr
        mov[eax], ecx                      // restore the saved entry
    }
    MemoryNotWritable();
}
// Disables interrupts and clears CR0.WP (bit 16) so that ring-0 writes to
// read-only pages succeed until MemoryNotWritable() is called.
// NOTE(review): cli and CR0 are per-CPU, so this gives no guarantee on a
// multiprocessor system, and any fault between the two calls leaves this CPU
// with interrupts off and WP cleared.
void MemoryWritable()
{
    __asm
    {
        cli
        mov eax, cr0
        and eax, not 10000h   // clear WP
        mov cr0, eax
    }
}
// Counterpart of MemoryWritable(): sets CR0.WP (bit 16) again and re-enables
// interrupts.  Must be called on the same CPU that called MemoryWritable().
void MemoryNotWritable()
{
    __asm
    {
        mov eax, cr0
        or eax, 10000h        // set WP
        mov cr0, eax
        sti
    }
}
// Resolves an exported kernel routine by name through MmGetSystemRoutineAddress
// and returns its address as an int (0 if the name is not found, since the
// lookup returns NULL in that case).
int GetFunCtionAddr(WCHAR* szFunCtionAName)
{
    UNICODE_STRING usName;
    RtlInitUnicodeString(&usName, szFunCtionAName);
    void *pRoutine = MmGetSystemRoutineAddress(&usName);
    return (int)pRoutine;
}
// Finds the target of the first E8 (call rel32) encountered after the start of
// KeAttachProcess and returns it, or 0 if SearchFeature finds no E8 byte.
// NOTE(review): the first 0xE8 byte is assumed to be a call opcode rather than
// part of an operand; this is a heuristic tied to one kernel build.
int GetKiAttachProcessAddr()
{
    char chCallOpcode = (char)0xe8;
    int nStart = GetFunCtionAddr(L"KeAttachProcess");
    // SearchFeature returns the address just past the E8, i.e. the rel32 operand.
    int nOperand = SearchFeature(nStart, &chCallOpcode, 1);
    if (!nOperand)
    {
        return 0;
    }
    return GetCallAddr(nOperand);
}
#endif
rlNtReadProcessMemory.h
// XP-specific: the SSDT index (0x115) and the 7-byte prologue layout assumed by
// MyNtReadVirtualMemory are taken from one Windows XP kernel build and will not
// match other builds (wrong values here mean a kernel crash, not a failed hook).
int nNtReadVirtualMemoryAddr;    // original SSDT entry for index 0x115, saved by HookReadVirtualMemory
int nNtReadVirtualMemoryAddr_3;  // dword read from original+3 at hook time (presumably the imm32 of the prologue's second push)
int nNtReadVirtualMemoryAddrJmp; // original+7: where the trampoline resumes after replaying the prologue
// SSDT-level replacement for service index 0x115, installed by HookReadVirtualMemory.
// Naked: no prologue/epilogue is emitted, so the stack is exactly as the
// system-service dispatcher left it when this code runs.
// Both paths below end in the original routine; as written the process-name
// test appears to change only which of two equivalent routes is taken.
__declspec(naked) void MyNtReadVirtualMemory()
{
    // NOTE(review): a C call from inside a naked function; this relies on the
    // compiler's generated call sequence being stack-neutral and on no locals
    // being spilled -- confirm with a disassembly of the built driver.
    if (PanDuanProcessName("DNF.exe") || PanDuanProcessName("TenSafe.exe") || PanDuanProcessName("QQLogin.exe"))
    {
        __asm
        {
            // Caller is one of the listed processes: jump to the saved
            // original entry point untouched.
            jmp nNtReadVirtualMemoryAddr
        }
    }
    // Everyone else: re-execute the first 7 bytes of the original routine
    // (push 1Ch; push imm32 -- presumably the XP prologue; the imm32 was read
    // from original+3 at hook time) and continue at original+7.
    __asm
    {
        push 0x1c
        push nNtReadVirtualMemoryAddr_3
        jmp nNtReadVirtualMemoryAddrJmp
    }
}
// Installs MyNtReadVirtualMemory in SSDT slot 0x115 and records what the
// trampoline needs in order to re-enter the original routine.
// Side effects: writes the three nNtReadVirtualMemory* globals and patches
// the service table.  The +3/+7 offsets are a hard-coded XP prologue layout.
VOID HookReadVirtualMemory()
{
    // Resolve the current (still original) entry before it is replaced.
    int nOrig = GetSSDTFunctionAddr(0x115);
    nNtReadVirtualMemoryAddr = nOrig;
    // Dword at original+3 and the address original+7: the trampoline replays
    // the first 7 prologue bytes and resumes there.
    nNtReadVirtualMemoryAddr_3 = *((int*)(nOrig + 3));
    nNtReadVirtualMemoryAddrJmp = nOrig + 7;
    SSDTHookEngine(0x115, (int)MyNtReadVirtualMemory);
}
// Puts the saved original entry back into SSDT slot 0x115.
// Only meaningful after HookReadVirtualMemory has filled nNtReadVirtualMemoryAddr.
VOID UnHookReadVirtualMemory()
{
    int nOrig = nNtReadVirtualMemoryAddr;
    SSDTUnHookEngine(0x115, nOrig);
}
以上皆以这个为准。