- 注册时间
- 2011-3-6
- 最后登录
- 1970-1-1
该用户从未签到
|
反游戏内存扫描源码 Hook NtQueryVirtualMemory
- //反扫描模块
- NTSTATUS __stdcall NewZwQueryVirtualMemory(
- IN HANDLE ProcessHandle,
- IN PVOID BaseAddress,
- IN ULONG MemoryInformationClass,
- OUT PVOID MemoryInformation,
- IN ULONG MemoryInformationLength,
- OUT PULONG ReturnLength
- )
- {
- ZWQUERYVIRTUALMEMORY OldZwQueryVirtualMemory;
- NTSTATUS status;
- PUNICODE_STRING SectionName;
- WCHAR lpwzDllName[260] = {0};
- WCHAR lpAttackDll[5][260] = {L"1",L"2",L"3",L"4",L"5"};//保护模块的名称 防止被dump内存上传
- OldZwQueryVirtualMemory = (ZWQUERYVIRTUALMEMORY)ZwQueryVirtualMemoryHookZone;
- status = OldZwQueryVirtualMemory(
- ProcessHandle,
- BaseAddress,
- MemoryInformationClass,
- MemoryInformation,
- MemoryInformationLength,
- ReturnLength
- );
- if (status == STATUS_SUCCESS && MemoryInformationClass == MemorySectionName)
- {
- __try{
- SectionName =(PUNICODE_STRING)MemoryInformation;
- if (ValidateUnicodeString(SectionName))
- {
- if (SectionName->Buffer != NULL &&
- SectionName->Length)
- {
- memcpy(lpwzDllName,SectionName->Buffer,SectionName->Length);
- if (wcsstr(lpwzDllName,lpAttackDll[0]) != 0 ||
- wcsstr(lpwzDllName,lpAttackDll[1]) != 0 ||
- wcsstr(lpwzDllName,lpAttackDll[2]) != 0 ||
- wcsstr(lpwzDllName,lpAttackDll[3]) != 0 ||
- wcsstr(lpwzDllName,lpAttackDll[4]) != 0)
- {
- //清零内存
- memset(SectionName->Buffer,0,SectionName->MaximumLength);
- }
- }
- }
- }__except(1){
-
- }
- }
- return status;
|
|
发表于 2018-3-8 11:08:09
