


《dnf》外挂源码

更新时间:2020-05-11 12:51:21   |   编辑:气泡游戏网

《dnf》外挂源码攻略

__asm { push push jmp } }
0x1c 804eb560h //共十个字节 [JmpAddress]
__declspec(naked) NTSTATUS __stdcall MyNtWriteVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesReaded) { //跳过去 __asm { push 0x1c push 804eb560h //共十个字节 jmp [JmpAddress1] } } /////////////////////////////////////////////////// NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath) { DriverObject->DriverUnload = OnUnload; DbgPrint("Unhooker load"); Hook(); return STATUS_SUCCESS; } ///////////////////////////////////////////////////// VOID OnUnload(IN PDRIVER_OBJECT DriverObject) { DbgPrint("Unhooker unload!"); Unhook(); } ///////////////////////////////////////////////////// VOID Hook() { ULONG Address, Address1; Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0xBA * 4;//0x7A 为 NtOpenProcess 服务 ID Address1 = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x115 * 4;//0x7A 为


NtOpenProcess 服务 ID DbgPrint("Address:0x%08X",Address); OldServiceAddress = *(ULONG*)Address;//保存原来 NtOpenProcess 的地址 OldServiceAddress1 = *(ULONG*)Address1;//保存原来 NtOpenProcess 的地址 DbgPrint("OldServiceAddress:0x%08X",OldServiceAddress); DbgPrint("OldServiceAddress1:0x%08X",OldServiceAddress1); DbgPrint("MyNtOpenProcess:0x%08X",MyNtReadVirtualMemory); DbgPrint("MyNtOpenProcess:0x%08X",MyNtWriteVirtualMemory); JmpAddress = (ULONG)0x805b528a + 7; //跳转到 NtOpenProcess 函数头+10 的地方,这样 在其前面写的 JMP 都失效了 JmpAddress1 = (ULONG)0x805b5394 + 7; DbgPrint("JmpAddress:0x%08X",JmpAddress); DbgPrint("JmpAddress1:0x%08X",JmpAddress1); __asm { //去掉内存保护 cli mov eax,cr0 and eax,not 10000h mov cr0,eax } *((ULONG*)Address) = (ULONG)MyNtReadVirtualMemory;//HOOK SSDT *((ULONG*)Address1) = (ULONG)MyNtWriteVirtualMemory; __asm { //恢复内存保护 mov eax,cr0 or eax,10000h mov cr0,eax sti } } ////////////////////////////////////////////////////// VOID Unhook() { ULONG Address, Address1; Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0xBA * 4;//查找 SSDT Address1 = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x115 * 4;
__asm{ cli mov eax,cr0 and eax,not 10000h mov cr0,eax } *((ULONG*)Address) = (ULONG)OldServiceAddress;//还原 SSDT *((ULONG*)Address1) = (ULONG)OldServiceAddress1;//还原 SSDT __asm{ mov eax,cr0 or eax,10000h mov cr0,eax sti } DbgPrint("Unhook"); } 由于它不断对 DebugPort 清零,所以要修改调试相关函数,使得所有的访问 DebugPort 的地 方全部访问 EPROCESS 中的 ExitTime 字节,这样它怎么清零都无效了,也检测不到 代码: .386 .model flat, stdcall option casemap:none include dnf_hook.inc .const Dspdo_1 equ 80643db6h Dmpp_1 equ 80642d5eh Dmpp_2 equ 80642d64h Dct_1 equ 806445d3h Dqm_1 equ 80643089h Kde_1 equ 804ff5fdh Dfe_1 equ 80644340h Pcp_1 equ 805d1a0dh Mcp_1 equ 805b0c06h Mcp_2 equ 805b0d7fh Dmvos_1 equ 8064497fh Dumvos_1 equ 80644a45h Pet_1 equ 805d32f8h
Det_1 equ 8064486ch Dep_1 equ 806448e6h .code ;还原自己的 Hook DriverUnload proc pDriverObject:PDRIVER_OBJECT ret DriverUnload endp ModifyFuncAboutDbg proc addrOdFunc, cmd_1, cmd_2 pushad mov ebx, addrOdFunc mov eax, cmd_1 mov DWORD ptr [ebx], eax mov eax, cmd_2 mov DWORD ptr [ebx + 4], eax popad ret ModifyFuncAboutDbg endp DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING cli mov eax, cr0 and eax, not 10000h mov cr0, eax invoke ModifyFuncAboutDbg, Dspdo_1, 90784789h, 0fde89090h invoke ModifyFuncAboutDbg, Dmpp_1, 90787e39h, 950f9090h invoke ModifyFuncAboutDbg, Dct_1, 90785e39h, 840f9090h invoke ModifyFuncAboutDbg, Dqm_1, 9078408bh, 45899090h invoke ModifyFuncAboutDbg, Kde_1, 90787839h, 13749090h invoke ModifyFuncAboutDbg, Dfe_1, 9078418bh, 0d2329090h invoke ModifyFuncAboutDbg, Pcp_1, 90784389h, 45f69090h invoke ModifyFuncAboutDbg, Mcp_1, 90785e39h, 950f9090h invoke ModifyFuncAboutDbg, Mcp_2, 90784a89h, 5e399090h invoke ModifyFuncAboutDbg, Dmvos_1, 9078498bh, 0cb3b9090h invoke ModifyFuncAboutDbg, Dumvos_1, 00787983h, 74909090h invoke ModifyFuncAboutDbg, Pet_1, 00787f83h, 74909090h invoke ModifyFuncAboutDbg, Det_1, 9078498bh, 0c9859090h invoke ModifyFuncAboutDbg, Dep_1, 9078498bh, 0c9859090h ;invoke ModifyFuncAboutDbg, Dmpp_2, 8bc0950fh, 8b90c032h mov eax, pDriverObject assume eax : ptr DRIVER_OBJECT


mov [eax].DriverUnload, offset DriverUnload assume eax : nothing mov eax, cr0 or eax, 10000h mov cr0, eax sti mov eax, STATUS_SUCCESS ret DriverEntry endp end DriverEntry 绕过 NtOpenProcess,NtOpenThread,KiAttachProcess 以及最重要的,不能让它检测到有硬件断点,所以要对 CONTEXT 做一些伪装,把真实的 DR0~DR7 的数据存放到别的地方,OD 访问的时候返回正确的数据,如果是 DNF 要获取 上下文,就稍微做下手脚 代码: .386 .model flat, stdcall option casemap:none include dnf_hook.inc .const NtOpenProcessHookAddr equ 805cc626h NtOpenProcessRetAddr equ 805cc631h NtOpenProcessNoChange equ 805cc62ch NtOpenThreadHookAddr equ 805cc8a8h NtOpenThreadRetAddr equ 805cc8b3h NtOpenThreadNoChange equ 805cc8aeh KiAttachProcessAddr equ 804f9a08h KiAttachProcessRetAddr equ 804f9a0fh ObOpenObjectByPointerAddr equ 805bcc78h NtGetContextThreadAddr equ 805d2551h;805c76a3h NtGetContextThreadRetAddr equ 805c76a7h;805d2555h .data nameOffset dd ?
threadCxtLink dd 0 tmpLink dd ? .code GetProcessName proc invoke PsGetCurrentProcess mov ebx, eax add ebx, nameOffset invoke DbgPrint, ("n") push ebx invoke DbgPrint, ebx pop ebx invoke strncmp, ("DNF.exe"), ebx, 6 push eax invoke DbgPrint, ("n") pop eax ret GetProcessName endp HookCode proc ;执行被覆盖的代码 push dword ptr [ebp-38h] push dword ptr [ebp-24h] ;判断是否 dnf 的进程 invoke GetProcessName .if !eax ;如果是 DNF 自己的进程,那么跳转回去执行它的 Hook 代码 pushad invoke DbgPrint, ("nNotUnHookn") popad mov eax, NtOpenProcessNoChange;805c13e6h jmp eax .else ;如果不是 DNF 自己的进程, 那么直接调用 ObOpenObjectByPointer,再返回到后 面 pushad invoke DbgPrint, ("nUnHookn") popad mov eax, ObOpenObjectByPointerAddr;805b13f0h call eax mov ebx, NtOpenProcessRetAddr;805c13ebh jmp ebx .endif HookCode endp ;获取系统名称偏移
GetNameOffset proc epe local tmpOffset pushad mov ebx, epe invoke strlen, ("System") xor ecx, ecx @@: push eax push ecx invoke strncmp, ("System"), ebx, eax pop ecx .if !eax pop eax mov tmpOffset, ecx popad mov eax, tmpOffset ret .elseif pop eax inc ebx inc ecx cmp ecx, 4096 je @F jmp @B .endif @@: popad mov eax, -1 ret GetNameOffset endp Hook proc pushad ;头 5 字节跳转 mov eax, offset HookCode sub eax, NtOpenProcessHookAddr;805c13e0h;805c13edh sub eax, 5 mov ebx, NtOpenProcessHookAddr;805c13e0h;805c13edh mov cl, 0E9h mov BYTE PTR [ebx], cl mov DWORD PTR [ebx + 1], eax popad ret Hook endp
HookThreadCode proc ;执行被覆盖的代码 push dword ptr [ebp-34h] push dword ptr [ebp-20h] ;判断是否 dnf 的进程 invoke GetProcessName .if !eax ;如果是 DNF 自己的进程,那么跳转回去执行它的 Hook 代码 pushad invoke DbgPrint, ("nNotUnHookn") popad mov eax, NtOpenThreadNoChange;805c13e6h jmp eax .else ;如果不是 DNF 自己的进程, 那么直接调用 ObOpenObjectByPointer,再返回到后 面 pushad invoke DbgPrint, ("nUnHookn") popad mov eax, ObOpenObjectByPointerAddr;805b13f0h call eax mov ebx, NtOpenThreadRetAddr;805c13ebh jmp ebx .endif HookThreadCode endp HookThread proc pushad ;头 5 字节跳转 mov eax, offset HookThreadCode sub eax, NtOpenThreadHookAddr;805c13e0h;805c13edh sub eax, 5 mov ebx, NtOpenThreadHookAddr;805c13e0h;805c13edh mov cl, 0E9h mov BYTE PTR [ebx], cl mov DWORD PTR [ebx + 1], eax popad ret HookThread endp HookDbg proc mov edi, edi push ebp mov ebp, esp


push ebx push esi mov esi, KiAttachProcessRetAddr jmp esi HookDbg endp Dbg proc pushad ;头 5 字节跳转 mov eax, offset HookDbg sub eax, KiAttachProcessAddr;805c13e0h;805c13edh sub eax, 5 mov ebx, KiAttachProcessAddr;805c13e0h;805c13edh mov cl, 0E9h mov BYTE PTR [ebx], cl mov DWORD PTR [ebx + 1], eax popad ret Dbg endp ;还原自己的 Hook DriverUnload proc pDriverObject:PDRIVER_OBJECT cli mov eax, cr0 and eax, not 10000h mov cr0, eax ;还原进程处理 mov eax, 0ffc875ffh mov ebx, 805cc656h mov DWORD ptr [ebx], eax mov eax, 43e8dc75h mov DWORD ptr [ebx + 4], eax ;还原线程处理 mov eax, 0ffcc75ffh mov ebx, 805cc8d8h mov DWORD ptr [ebx], eax mov eax, 0c1e8e075h mov DWORD ptr [ebx + 4], eax ;还原调试处理 mov eax, 08b55ff8bh mov ebx, 804f9a08h mov DWORD ptr [ebx], eax mov eax, 08b5653ech
mov DWORD ptr [ebx + 4], eax mov eax, cr0 or eax, 10000h mov cr0, eax sti ret DriverUnload endp ;显示 LinkTable 的信息 ShowLinkTableInfo proc ptrLT pushad invoke DbgPrint, ("nThe LinkTable Info:n") mov ebx, ptrLT mov eax, (LinkTable ptr [ebx]).ThreadHandle invoke DbgPrint, ("ThreadHandle:%0Xn"), eax mov ebx, ptrLT mov eax, (LinkTable ptr [ebx]).Dr0Seg invoke DbgPrint, ("Dr0Seg:%0Xn"), eax mov ebx, ptrLT mov eax, (LinkTable ptr [ebx]).Dr1Seg invoke DbgPrint, ("Dr1Seg:%0Xn"), eax mov ebx, ptrLT mov eax, (LinkTable ptr [ebx]).Dr2Seg invoke DbgPrint, ("Dr2Seg:%0Xn"), eax mov ebx, ptrLT mov eax, (LinkTable ptr [ebx]).Dr3Seg invoke DbgPrint, ("Dr3Seg:%0Xn"), eax mov ebx, ptrLT mov eax, (LinkTable ptr [ebx]).Dr6Seg invoke DbgPrint, ("Dr6Seg:%0Xn"), eax mov ebx, ptrLT mov eax, (LinkTable ptr [ebx]).Dr7Seg invoke DbgPrint, ("Dr7Seg:%0Xn"), eax mov ebx, ptrLT
mov eax, (LinkTable ptr [ebx]).LinkPtr invoke DbgPrint, ("LinkPtr:%0Xn"), eax mov ebx, ptrLT mov eax, (LinkTable ptr [ebx]).NextLinkPtr invoke DbgPrint, ("NextLinkPtr:%0Xn"), eax popad ret ShowLinkTableInfo endp ;判断该线程是否存在 ;如果不存在则返回 0,存在则返回指向该链表的指针,1 代表链表为空 ExsitsLinkTable proc pHandle pushad mov eax, threadCxtLink .if !eax ;链表为空 pushad invoke DbgPrint, ("nLinkTable Is Null.n") popad popad mov eax, 1 ret .endif @@: mov ebx, (LinkTable ptr [eax]).ThreadHandle cmp ebx, pHandle ;如果匹配已经存在 je @F mov eax, (LinkTable ptr [eax]).NextLinkPtr .if !eax ;已经到达末尾,没有找到匹配 pushad invoke DbgPrint, ("pHandle Is Not Found.n") popad popad xor eax, eax ret .endif jmp @B @@: pushad invoke DbgPrint, ("npHandle Is Exsits.n") popad invoke ShowLinkTableInfo, eax


;返回链表指针 mov tmpLink, eax popad mov eax, tmpLink ret ExsitsLinkTable endp ;拷贝 Context 到 LinkTable 中 CopyContextToLinkTable proc ptrContext, ptrLT pushad mov ebx, ptrContext mov edx, ptrLT mov ecx, 4 @@: mov eax, DWORD ptr [ebx + ecx] mov DWORD ptr [edx + ecx], eax add ecx, 4 cmp ecx, 18h jbe @B popad ret CopyContextToLinkTable endp ;添加 LinkTable 表 AddLinkTable proc pHandle, ptrContext pushad invoke ExsitsLinkTable, pHandle .if eax > 1 ;已经存在只需要更新 dr 寄存器即可 invoke CopyContextToLinkTable, eax, ptrContext .else push eax invoke ExAllocatePool, 1, size LinkTable .if eax ;申请内存成功 mov ebx, eax pop eax ;置地一个元素 mov ecx, pHandle mov (LinkTable ptr [ebx]).ThreadHandle, ecx ;拷贝 dr 寄存器的值 invoke CopyContextToLinkTable, ptrContext, ebx ;置另外两个元素 mov (LinkTable ptr [ebx]).LinkPtr, ebx
mov (LinkTable ptr [ebx]).NextLinkPtr, 0 invoke ShowLinkTableInfo, ebx ;把新的链表项添加到链表中 .if eax == 1 ;如果链表为空,直接加在表头 mov threadCxtLink, ebx .else ;如果链表不为空则加到末尾 mov eax, threadCxtLink @@: ;指向下一个元素 mov ecx, (LinkTable ptr [eax]).NextLinkPtr test ecx, ecx je @F mov eax, ecx jmp @B @@: mov (LinkTable ptr [eax]).NextLinkPtr, ebx .endif .else ;申请内存失败 pop eax pushad invoke DbgPrint, ("nAlloc Memory Faild.n") popad jmp @F .endif .endif @@: popad ret AddLinkTable endp ;判断进程是否过虑进程 ;如果是需要过虑的进程返回值为 1,否则返回 0 IsFilterProcess proc pushad ;获取当前进程名 invoke PsGetCurrentProcess mov ebx, eax add ebx, nameOffset invoke DbgPrint, ("n%s: Call NtGetContextThread n"), ebx invoke strncmp, ("DNF.exe"), ebx, 7
test eax, eax jne @F popad mov eax, 1 ret @@: popad xor eax, eax ret IsFilterProcess endp ;显示 Context 的调试寄存器 ShowDrRegInfo proc ptrContext pushad invoke DbgPrint, ("nThe Context Info:n") mov ebx, ptrContext mov eax, DWORD ptr [ebx + 4] invoke DbgPrint, ("Dr0:%0Xn"), eax mov ebx, ptrContext mov eax, DWORD ptr [ebx + 8] invoke DbgPrint, ("Dr1:%0Xn"), eax mov ebx, ptrContext mov eax, DWORD ptr [ebx + 0ch] invoke DbgPrint, ("Dr2:%0Xn"), eax mov ebx, ptrContext mov eax, DWORD ptr [ebx + 10h] invoke DbgPrint, ("Dr3:%0Xn"), eax mov ebx, ptrContext mov eax, DWORD ptr [ebx + 14h] invoke DbgPrint, ("Dr6:%0Xn"), eax mov ebx, ptrContext mov eax, DWORD ptr [ebx + 18h] invoke DbgPrint, ("Dr7:%0Xn"), eax popad ret ShowDrRegInfo endp ;恢复被隐藏的 dr 寄存器
RecoveryDrReg proc ptrContext, pHandle pushad ;定位到 LinkTable mov ebx, threadCxtLink NEXT: test ebx, ebx jne @F ;如果没有遍历完 popad ret @@: mov eax, (LinkTable ptr [ebx]).ThreadHandle cmp eax, pHandle je @F ;如果找到匹配项 mov ebx, (LinkTable ptr [ebx]).NextLinkPtr jmp NEXT @@: ;拷贝完毕后立即结束 invoke CopyContextToLinkTable, ebx, ptrContext xor ebx, ebx jmp NEXT RecoveryDrReg endp ;清空 Context 的 dr 寄存器 ClearDrReg proc ptrContext pushad mov ebx, ptrContext mov ecx, 4 @@: mov DWORD ptr [ebx + ecx], 0 add ecx, 4 cmp ecx, 18h jbe @B pushad invoke DbgPrint, ("n-------------ClearDrReg-------------n") popad invoke ShowDrRegInfo, ptrContext popad ret ClearDrReg endp ;NtGetContextThread 钩子代码 NtGetContextThreadHookCode proc ;ebx 存放 CONTEXT 指针 mov ebx, DWORD ptr [ebp + 10h]


;线程句柄 mov edx, DWORD ptr [ebp + 0ch] pushad invoke ShowDrRegInfo, ebx invoke IsFilterProcess .if eax ;如果是 DNF.exe invoke AddLinkTable, edx, ebx invoke ClearDrReg, ebx .else ;如果不是 DNF.exe invoke RecoveryDrReg, ebx, edx .endif invoke ShowDrRegInfo, ebx ;执行被覆盖的代码 popad mov eax, esi pop esi leave ret NtGetContextThreadHookCode endp ;NtGetContextThread 加跳转 HookNtGetContextThread proc pushad ;头 5 字节跳转 mov eax, offset NtGetContextThreadHookCode sub eax, NtGetContextThreadAddr;805c13e0h;805c13edh sub eax, 5 mov ebx, NtGetContextThreadAddr;805c13e0h;805c13edh mov cl, 0E9h mov BYTE PTR [ebx], cl mov DWORD PTR [ebx + 1], eax popad ret HookNtGetContextThread endp DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING invoke DbgPrint, ("Begin") invoke PsGetCurrentProcess invoke GetNameOffset, eax mov nameOffset, eax cmp eax, -1 je @F mov nameOffset, eax
cli mov eax, cr0 and eax, not 10000h mov cr0, eax call call call call Hook HookThread Dbg HookNtGetContextThread
mov eax, pDriverObject assume eax : ptr DRIVER_OBJECT mov [eax].DriverUnload, offset DriverUnload assume eax : nothing mov eax, cr0 or eax, 10000h mov cr0, eax sti invoke DbgPrint, ("End") @@: mov eax, STATUS_SUCCESS ret DriverEntry endp end DriverEntry 本人初学驱动,历经一月完成..已经很累了,心力交瘁唉,不舍得丢了,毕竟是自己的汗水,特此发出来大家相互学习交流.仅供参考,学习,谢谢.

