- 注册时间
- 2011-8-8
- 最后登录
- 1970-1-1
该用户从未签到
|
游戏inlinehook了三个地方 可以用Xuetr 查看到
DbgUiRemoteBreakin
LoadLibraryExW
VirtualProtectEx
第二个直接恢复
第一个恢复后游戏退出,跟踪发现检游戏跳到自身模块后没检测可在游戏jmp直接hook到注入dll模块重写前5字节后再跳回原模块
static My_RecoveryHook_NtOpenProcess()
{ BYTE JmpAddress[5] = {0xE9,0,0,0,0};
p_TpHookAddress = (ULONG)0x7c97211c+5+*(ULONG*)0x7c97211d;
ULONG p_MyHookAddress=p_TpHookAddress+0x5;
//?得?用者的EPROCESS
//将?用者的?程名保存到str1中
DWORD dwOldProtect,nSize;
HANDLE hObjProcess=0 ;
*(ULONG *)(JmpAddress+1)=(ULONG)Nakd_NtOpenProcess - p_MyHookAddress;
hObjProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
VirtualProtect ((void *)(p_TpHookAddress) , 5, 64, &dwOldProtect);
WriteProcessMemory(hObjProcess, (void *)(p_TpHookAddress) , JmpAddress, 5, &nSize);
}
static Nakd_NtOpenProcess()
{
__asm
{
push 0x8//恢复原来的5个字
push 0x7C972168
mov eax,0x7c972123//跳转地址
jmp eax
}
} |
|
发表于 2013-7-10 14:26:04
