原理：其实就是把原先 DLL 内部的 API 代码复制到另一块内存中执行，类似于内存加载的 DLL。方法很简单也很有效，某些游戏（dxf、xf、*p 保护下的游戏）基本都在用；但对 R0 hook 毫无作用。
用途：规避 R3 下的 hook。
#include <Windows.h>
#define FunNumber 20
// One cache entry: an exported ntdll function name and the address of the
// private copy of its code that ExtNtDllFunciton() made for it.
struct NtFunction
{
    LPCSTR name;  // heap-allocated copy of the export name (never freed)
    PVOID Fun;    // address of the copied code inside the FunMem region
};
// Cache of copied functions; unused entries stay zero-initialised (name == NULL).
NtFunction list[FunNumber];
// Base of the single RWX region holding all copies; 0 until the first lookup.
// NOTE(review): addresses are kept in DWORD, so this only works in a 32-bit process.
DWORD FunMem = 0;
// Number of bytes copied per function, computed once by GetFunSpace().
DWORD Size = 0;
// Estimates the size of one ntdll export by taking the distance between the
// addresses of two exports (NtOpenProcessTokenEx and NtOpenThreadTokenEx).
// NOTE(review): this assumes the two exports are laid out back to back and
// that every export copied later has the same size — neither is checked here,
// and the result is used as the copy length for every function.
// NOTE(review): GetProcAddress failures (NULL) are not checked; the pointer
// arithmetic is done on DWORD, so it truncates on 64-bit.
DWORD GetFunSpace()
{
    return (DWORD)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtOpenProcessTokenEx")- (DWORD)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtOpenThreadTokenEx");
}
// XORs every byte of the FunMem region in place; calling it twice restores the
// original bytes, so the same routine serves as "encrypt" and "decrypt".
// NOTE(review): the constant 0x521314 is wider than a BYTE, so each byte is
// effectively XORed with 0x14 only. The loop index is a signed int compared
// against the unsigned product Size * FunNumber.
// Defender note: the region stays PAGE_EXECUTE_READWRITE and is rewritten at
// runtime — private RWX memory that is modified and then executed is a common
// memory-scanning heuristic regardless of the XOR.
VOID EnDeFun()
{
    if (!FunMem)
    {
        return;  // nothing copied yet
    }
    for (int i=0;i< Size * FunNumber;i++)
    {
        *(BYTE*)(FunMem + i) = *(BYTE*)(FunMem + i) ^ 0x521314;
    }
}
// Returns the address of a private copy of the ntdll export `funname`.
// On first use it allocates one RWX region sized for FunNumber copies; each
// new name is resolved with GetProcAddress, its first `Size` bytes are copied
// into the next slot and the (name, address) pair is cached in list[].
// Returns 0 when GetProcAddress fails.
// NOTE(review): the VirtualAlloc result is never checked; if it returns NULL
// the memcpy below writes through a near-null pointer.
// NOTE(review): `Times` is never compared against FunNumber, so the 21st
// distinct name writes past both list[] and the allocated region.
// NOTE(review): the lookup loop compares against list[i].name, which is NULL
// for unused entries — this relies on lstrcmpA tolerating NULL; confirm.
// Defender note: the copied bytes are executed from private (non-image)
// memory, so a system call that originates outside the ntdll image range is
// the observable signature of this technique.
PVOID ExtNtDllFunciton(LPCSTR funname)
{
    if (!FunMem)
    {
        Size = GetFunSpace();
        FunMem = (DWORD)VirtualAlloc(NULL, Size * FunNumber, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    }
    static DWORD Times = 0;  // number of slots already filled
    for (int i=0;i<20;i++)  // 20 is FunNumber written as a literal
    {
        if (lstrcmpA(list[i].name,funname)==0)
        {
            return list[i].Fun;  // cache hit
        }
    }
    PVOID Address=GetProcAddress(GetModuleHandle(L"ntdll.dll"), funname);
    if (Address)
    {
        memcpy((PVOID)(FunMem + Times * Size), Address, Size);
        // Private copy of the name; the cache keeps it for the process lifetime.
        char* name = (char*)malloc(strlen(funname) + 1);
        memcpy(name, funname, strlen(funname) + 1);
        // NOTE(review): this inner `Address` shadows the one declared above.
        PVOID Address= (PVOID)(FunMem + Times * Size);
        list[Times].name = name;
        list[Times].Fun = Address;
        Times++;
        return Address;
    }
    return 0;
}
// Function-pointer type matching the NtReadVirtualMemory export, used to call
// the copied stub returned by ExtNtDllFunciton().
typedef NTSTATUS(NTAPI* PNtReadVirtualMemory)(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    OUT PVOID Buffer,
    IN ULONG NumberOfBytesToRead,
    OUT PULONG NumberOfBytesReaded OPTIONAL);
// Demo: resolves two copies, shows that a repeated name returns the cached
// address, calls the copied NtReadVirtualMemory on the current process, then
// toggles the XOR routine twice.
// NOTE(review): the three addresses are printed with %x, which does not match
// a PVOID argument; no <stdio.h>/<stdlib.h> include is visible in this chunk.
// NOTE(review): the NTSTATUS returned by myReadMemory is not checked.
int main()
{
    printf("NtReadVirtualMemory %x NtWriteVirtualMemory %x NtReadVirtualMemory %x \n", ExtNtDllFunciton("NtReadVirtualMemory"), ExtNtDllFunciton("NtWriteVirtualMemory"), ExtNtDllFunciton("NtReadVirtualMemory"));
    PNtReadVirtualMemory myReadMemory = (PNtReadVirtualMemory)ExtNtDllFunciton("NtReadVirtualMemory");
    DWORD a = 123456;
    DWORD b = 0;
    myReadMemory(GetCurrentProcess(),&a,&b,4,NULL);  // expected to copy a into b
    printf("Shadow NtReadVirtualMemory 结果 %d \n",b);
    EnDeFun();  // XOR the copied code once ("encrypt")
    printf("Shadow Native API已经加密\n");
    EnDeFun();  // XOR again to restore it ("decrypt")
    printf("Shadow Native API已经解密\n");
    system("pause");
}
shadow API生成情况:
shadow API调用情况:
对shadow API简单的加密: