過驅(qū)動保護(hù)之TesSafe（讀寫內(nèi)存 OD能附加下硬件斷點）

本文格式為Word版，下載可任意編輯——過驅(qū)動保護(hù)之TesSafe（讀寫內(nèi)存OD能附加下硬件斷點）

過驅(qū)動保護(hù)之TesSafe.sys對抗（過了后能讀寫內(nèi)存OD能附加下硬件斷點)

學(xué)習(xí)各種外掛制作技術(shù)，馬上去百度探尋\魔鬼作坊\點擊第一個站進(jìn)入、快速成為做掛達(dá)人。

由于我的C用的比較少，所以大部分都用的匯編，部分地方用匯編寫不是很便利，所以我用的C，由于只是學(xué)習(xí)，所以內(nèi)核地址我沒有計算都是硬編碼的。過DNF主要分為三步，可能我的思路不太正確，反正可以O(shè)D調(diào)試，下斷。

程序沒怎么修邊幅，由于只是測試，所以一般都沒有寫更改內(nèi)核后的恢復(fù)，不過不阻礙使用。

附加不了就是KiAttachProcess沒恢復(fù)。附加之后什么都沒有就是debugport被清零。

第一步，這也是最起碼的，你必需要能夠開啟游戲進(jìn)程和線程，能夠開打進(jìn)程和線程后不被檢測到

其次步，能夠讀寫進(jìn)村內(nèi)存

第三步，能夠用OD附加游戲進(jìn)程第四步，能夠下硬件斷點而不被檢測

在NtReadVirtualMemory，NtWriteVirtualMemory函數(shù)頭處有如下HOOK

moveax,TesSafeproc_Addrjmpeax

上述2條指令占8字節(jié)

跳過NtReadVirtualMemory，NtWriteVirtualMemory函數(shù)頭的鉤子

代碼:

#include

typedefstruct_SERVICE_DESCRIPTOR_TABLE{

PVOIDServiceTableBase;

PULONGServiceCounterTableBase;ULONGNumberOfService;ULONGParamTableBase;

}SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE;//由于KeServiceDescriptorTable只有一項,這里就簡單點了ExternPSERVICE_DESCRIPTOR_TABLEKeServiceDescriptorTable;//KeServiceDescriptorTable為導(dǎo)出函數(shù)/////////////////////////////////////VOIDHook();VOIDUnhook();

VOIDOnUnload(INPDRIVER_OBJECTDriverObject);//////////////////////////////////////

ULONGJmpAddress;//跳轉(zhuǎn)到NtOpenProcess里的地址ULONGJmpAddress1;//跳轉(zhuǎn)到NtOpenProcess里的地址

ULONGOldServiceAddress;//原來NtOpenProcess的服務(wù)地址ULONGOldServiceAddress1;//原來NtOpenProcess的服務(wù)地址//////////////////////////////////////

__declspec(naked)NTSTATUS__stdcallMyNtReadVirtualMemory(HANDLEProcessHandle,PVOIDBaseAddress,PVOIDBuffer,

ULONGNumberOfBytesToRead,PULONGNumberOfBytesReaded){

//跳過去__asm{

push0x1c

push804eb560h//共十個字節(jié)jmp[JmpAddress]}}

__declspec(naked)NTSTATUS__stdcallMyNtWriteVirtualMemory(HANDLEProcessHandle,PVOIDBaseAddress,PVOIDBuffer,

ULONGNumberOfBytesToWrite,PULONGNumberOfBytesReaded){

//跳過去__asm{

push0x1c

push804eb560h//共十個字節(jié)jmp[JmpAddress1]}}

///////////////////////////////////////////////////NTSTATUSDriverEntry(INPDRIVER_OBJECTDriverObject,PUNICODE_STRINGRegistryPath){

DriverObject->DriverUnload=OnUnload;DbgPrint(\Hook();

returnSTATUS_SUCCESS;}

/////////////////////////////////////////////////////

VOIDOnUnload(INPDRIVER_OBJECTDriverObject)

{

DbgPrint(\Unhook();}

/////////////////////////////////////////////////////VOIDHook(){

ULONGAddress,Address1;

Address=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0xBA*4;//0x7A為NtOpenProcess服務(wù)ID

Address1=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0x115*4;//0x7A為NtOpenProcess服務(wù)ID

DbgPrint(\

OldServiceAddress=*(ULONG*)Address;//保存原來NtOpenProcess的地址OldServiceAddress1=*(ULONG*)Address1;//保存原來NtOpenProcess的地址DbgPrint(\DbgPrint(\DbgPrint(\DbgPrint(\

JmpAddress=(ULONG)0x805b528a+7;//跳轉(zhuǎn)到NtOpenProcess函數(shù)頭＋10的地方，這樣在其前面寫的JMP都失效了

JmpAddress1=(ULONG)0x805b5394+7;DbgPrint(\DbgPrint(\__asm

{//去掉內(nèi)存保護(hù)cli

moveax,cr0andeax,not10000hmovcr0,eax}

*((ULONG*)Address)=(ULONG)MyNtReadVirtualMemory;//HOOKSSDT*((ULONG*)Address1)=(ULONG)MyNtWriteVirtualMemory;__asm

{//恢復(fù)內(nèi)存保護(hù)moveax,cr0oreax,10000hmovcr0,eaxsti}}

//////////////////////////////////////////////////////VOIDUnhook()

{

ULONGAddress,Address1;

Address=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0xBA*4;//查找SSDTAddress1=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0x115*4;__asm{cli

moveax,cr0andeax,not10000hmovcr0,eax}

*((ULONG*)Address)=(ULONG)OldServiceAddress;//還原SSDT*((ULONG*)Address1)=(ULONG)OldServiceAddress1;//還原SSDT__asm{

moveax,cr0oreax,10000hmovcr0,eaxsti}

DbgPrint(\}

由于它不斷對DebugPort清零，所以要修改調(diào)試相關(guān)函數(shù)，使得所有的訪問DebugPort的地方全部訪問EPROCESS中的

ExitTime字節(jié)，這樣它怎么清零都無效了，也檢測不到代碼:.386

.modelflat,stdcalloptioncasemap:noneincludednf_hook.inc.c*****t

Dspdo_1equ80643db6hDmpp_1equ80642d5ehDmpp_2equ80642d64hDct_1equ806445d3hDqm_1equ80643089hKde_1equ804ff5fdhDfe_1equ80644340hPcp_1equ805d1a0dhMcp_1equ805b0c06hMcp_2equ805b0d7fhDmvos_1equ8064497fhDumvos_1equ80644a45hPet_1equ805d32f8hDet_1equ8064486ch

Dep_1equ806448e6h.code

;還原自己的Hook

DriverUnloadprocpDriverObject:PDRIVER_OBJECTret

DriverUnloadendp

ModifyFuncAboutDbgprocaddrOdFunc,cmd_1,cmd_2pushad

movebx,addrOdFuncmoveax,cmd_1

movDWORDptr[ebx],eaxmoveax,cmd_2

movDWORDptr[ebx+4],eaxpopadret

ModifyFuncAboutDbgendp

DriverEntryprocpDriverObject:PDRIVER_OBJECT,pusRegistryPath:PUNICODE_STRINGcli

moveax,cr0

andeax,not10000hmovcr0,eax

invokeModifyFuncAboutDbg,Dspdo_1,90784789h,0fde89090hinvokeModifyFuncAboutDbg,Dmpp_1,90787e39h,950f9090hinvokeModifyFuncAboutDbg,Dct_1,90785e39h,840f9090hinvokeModifyFuncAboutDbg,Dqm_1,9078408bh,45899090hinvokeModifyFuncAboutDbg,Kde_1,90787839h,13749090hinvokeModifyFuncAboutDbg,Dfe_1,9078418bh,0d2329090hinvokeModifyFuncAboutDbg,Pcp_1,90784389h,45f69090hinvokeModifyFuncAboutDbg,Mcp_1,90785e39h,950f9090hinvokeModifyFuncAboutDbg,Mcp_2,90784a89h,5e399090hinvokeModifyFuncAboutDbg,Dmvos_1,9078498bh,0cb3b9090hinvokeModifyFuncAboutDbg,Dumvos_1,00787983h,74909090hinvokeModifyFuncAboutDbg,Pet_1,00787f83h,74909090hinvokeModifyFuncAboutDbg,Det_1,9078498bh,0c9859090hinvokeModifyFuncAboutDbg,Dep_1,9078498bh,0c9859090h;invokeModifyFuncAboutDbg,Dmpp_2,8bc0950fh,8b90c032h

moveax,pDriverObject

assumeeax:ptrDRIVER_OBJECT

mov[eax].DriverUnload,offsetDriverUnloadassumeeax:nothing

moveax,cr0

oreax,10000hmovcr0,eaxsti

moveax,STATUS_SUCCESSret

DriverEntryendpendDriverEntry

繞過NtOpenProcess，NtOpenThread，KiAttachProcess

以及最重要的，不能讓它檢測到有硬件斷點，所以要對CONTEXT做一些偽裝，把真實的DR0～DR7的數(shù)據(jù)存放到別的地方，

OD訪問的時候返回正確的數(shù)據(jù)，假使是DNF要獲取上下文，就稍微做下手腳代碼:.386

.modelflat,stdcalloptioncasemap:noneincludednf_hook.inc.c*****t

NtOpenProcessHookAddrequ805cc626hNtOpenProcessRetAddrequ805cc631hNtOpenProcessNoChangeequ805cc62chNtOpenThreadHookAddrequ805cc8a8hNtOpenThreadRetAddrequ805cc8b3hNtOpenThreadNoChangeequ805cc8aehKiAttachProcessAddrequ804f9a08hKiAttachProcessRetAddrequ804f9a0fh

ObOpenObjectByPointerAddrequ805bcc78h

NtGetContextThreadAddrequ805d2551h;805c76a3hNtGetContextThreadRetAddrequ805c76a7h;805d2555h.data

nameOffsetdd?threadCxtLinkdd0tmpLinkdd?.code

GetProcessNameproc

invokePsGetCurrentProcessmovebx,eax

addebx,nameOffset

invokeDbgPrint,$CTA0(\pushebx

invokeDbgPrint,ebxpopebx

invokestrncmp,$CTA0(\

pusheax

invokeDbgPrint,$CTA0(\popeaxret

GetProcessNameendpHookCodeproc;執(zhí)行被覆蓋的代碼

pushdwordptr[ebp-38h]pushdwordptr[ebp-24h];判斷是否dnf的進(jìn)程invokeGetProcessName

.if!eax;假使是DNF自己的進(jìn)程，那么跳轉(zhuǎn)回去執(zhí)行它的Hook代碼pushad

invokeDbgPrint,$CTA0(\popad

moveax,NtOpenProcessNoChange;805c13e6hjmpeax

.else;假使不是DNF自己的進(jìn)程，那么直接調(diào)用ObOpenObjectByPointer，再返回到后面pushad

invokeDbgPrint,$CTA0(\popad

moveax,ObOpenObjectByPointerAddr;805b13f0hcalleax

movebx,NtOpenProcessRetAddr;805c13ebhjmpebx.endif

HookCodeendp;獲取系統(tǒng)名稱偏移GetNameOffsetprocepelocaltmpOffsetpushad

movebx,epe

invokestrlen,$CTA0(\xorecx,ecx@@:pusheaxpushecx

invokestrncmp,$CTA0(\popecx.if!eax

popeax

movtmpOffset,ecxpopad

moveax,tmpOffset

ret.elseif

popeaxincebxincecx

cmpecx,4096je@Fjmp@B.endif@@:popad

moveax,-1ret

GetNameOffsetendpHookprocpushad

;頭5字節(jié)跳轉(zhuǎn)

moveax,offsetHookCode

subeax,NtOpenProcessHookAddr;805c13e0h;805c13edhsubeax,5

movebx,NtOpenProcessHookAddr;805c13e0h;805c13edhmovcl,0E9h

movBYTEPTR[ebx],cl

movDWORDPTR[ebx+1],eaxpopadret

Hookendp

HookThreadCodeproc;執(zhí)行被覆蓋的代碼

pushdwordptr[ebp-34h]pushdwordptr[ebp-20h];判斷是否dnf的進(jìn)程invokeGetProcessName

.if!eax;假使是DNF自己的進(jìn)程，那么跳轉(zhuǎn)回去執(zhí)行它的Hook代碼pushad

invokeDbgPrint,$CTA0(\popad

moveax,NtOpenThreadNoChange;805c13e6hjmpeax

.else;假使不是DNF自己的進(jìn)程，那么直接調(diào)用ObOpenObjectByPointer，再返回到后面pushad

invokeDbgPrint,$CTA0(\popad

moveax,ObOpenObjectByPointerAddr;805b13f0h

calleax

movebx,NtOpenThreadRetAddr;805c13ebhjmpebx.endif

HookThreadCodeendpHookThreadprocpushad

;頭5字節(jié)跳轉(zhuǎn)

moveax,offsetHookThreadCode

subeax,NtOpenThreadHookAddr;805c13e0h;805c13edhsubeax,5

movebx,NtOpenThreadHookAddr;805c13e0h;805c13edhmovcl,0E9h

movBYTEPTR[ebx],cl

movDWORDPTR[ebx+1],eaxpopadret

HookThreadendpHookDbgprocmovedi,edipushebp

movebp,esppushebxpushesi

movesi,KiAttachProcessRetAddrjmpesi

HookDbgendpDbgprocpushad

;頭5字節(jié)跳轉(zhuǎn)

moveax,offsetHookDbg

subeax,KiAttachProcessAddr;805c13e0h;805c13edhsubeax,5

movebx,KiAttachProcessAddr;805c13e0h;805c13edhmovcl,0E9h

movBYTEPTR[ebx],cl

movDWORDPTR[ebx+1],eaxpopadret

Dbgendp

;還原自己的Hook

DriverUnloadprocpDriverObject:PDRIVER_OBJECTcli

moveax,cr0

andeax,not10000hmovcr0,eax;還原進(jìn)程處理moveax,0ffc875ffhmovebx,805cc656h

movDWORDptr[ebx],eaxmoveax,43e8dc75h

movDWORDptr[ebx+4],eax;還原線程處理moveax,0ffcc75ffhmovebx,805cc8d8h

movDWORDptr[ebx],eaxmoveax,0c1e8e075h

movDWORDptr[ebx+4],eax;還原調(diào)試處理

moveax,08b55ff8bhmovebx,804f9a08h

movDWORDptr[ebx],eaxmoveax,08b5653ech

movDWORDptr[ebx+4],eaxmoveax,cr0

oreax,10000hmovcr0,eaxstiret

DriverUnloadendp

;顯示LinkTable的信息

ShowLinkTableInfoprocptrLTpushad

invokeDbgPrint,$CTA0(\

movebx,ptrLT

moveax,(LinkTableptr[ebx]).ThreadHandle

invokeDbgPrint,$CTA0(\

movebx,ptrLT

moveax,(LinkTableptr[ebx]).Dr0Seg

invokeDbgPrint,$CTA0(\

movebx,ptrLT

moveax,(LinkTableptr[ebx]).Dr1Seg

invokeDbgPrint,$CTA0(\

popad

invokeShowDrRegInfo,ptrContextpopadret

ClearDrRegendp

;NtGetContextThread鉤子代碼NtGetContextThreadHookCodeproc;ebx存放CONTEXT指針

movebx,DWORDptr[ebp+10h];線程句柄

movedx,DWORDptr[ebp+0ch]pushad

invokeShowDrRegInfo,ebxinvokeIsFilterProcess.ifeax;假使是DNF.exe

invokeAddLinkTable,edx,ebxinvokeClearDrReg,ebx.else;假使不是DNF.exe

invokeRecoveryDrReg,ebx,