说说过游戏保护二
这仅仅是 Ring 3 的普通应用而已，千万不要认为做外挂的人不会写驱动。相反，与游戏开发公司那点可怜的薪水比起来，外挂的利润只会让更多的驱动开发者
加入这一行列。即使你用 HOOK 接管了这一切函数，不管是 inline 还是普通的 SSDT，下面的驱动也很轻易地就能突破任意的 HOOK。
代码:
.....................
/*
 * GetRealAddress - fill in dwAddress (and, for service lookups, dwId) of each
 * IMPORT_ENTRY by resolving it against copies of the kernel image and
 * ntdll.dll that MapKernelImage()/MapPeImage() map here.
 *
 * Import: pointer to the entry list; walked until an entry whose szName is
 *         NULL. How szName is interpreted depends on dwType (see the switch).
 *
 * Returns STATUS_SUCCESS; STATUS_PASSIVE_LEVEL_REQUIRED when called above
 * PASSIVE_LEVEL; the status of a failed Map* call; STATUS_ADD_FUNCTION_FAILED
 * if an SEH exception is raised while resolving; STATUS_CODE_REBUILDING_FAILED
 * if one is raised while unmapping.
 *
 * NOTE(review): this is the listing as reproduced on the page. `Import` is
 * declared as a pointer (PIMPORT_ENTRY) but is accessed with `.`, and the
 * loop counter `i` is never used as a subscript -- the `[i]` indexing was
 * presumably lost in formatting. The helpers (MapKernelImage, MapPeImage,
 * GetProcRva, FindKiServiceTable, GetIdForName, UnmapPeImage) and the
 * KiServiceTable_RVA global are defined elsewhere and not shown.
 * NOTE(review): `try`/`except` here is MSVC structured exception handling
 * (__try/__except); this does not build with a standard C compiler.
 * NOTE(review): the mapped images leak on two paths: when MapPeImage() fails
 * after MapKernelImage() succeeded, and when the first except handler fires.
 * Neither path calls UnmapPeImage().
 */
NTSTATUS NTAPI GetRealAddress(PIMPORT_ENTRY Import)
{
MODULE_INFORMATION mi,idmi;
DWORD i,j;
DWORD dwKernelBase;
NTSTATUS status;
PDWORD KiServiceTable;
UNICODE_STRING NtdllName;
/* Refuse to run above PASSIVE_LEVEL. */
if (KeGetCurrentIrql()!=PASSIVE_LEVEL) return STATUS_PASSIVE_LEVEL_REQUIRED;
RtlZeroMemory(&mi,sizeof(mi));
/* dwKernelBase receives the base that every resolved RVA is rebased onto at
 * the end of each loop iteration. */
if (!NT_SUCCESS(status=MapKernelImage(&mi,&dwKernelBase))) return status;
RtlZeroMemory(&idmi,sizeof(idmi));
/* ntdll.dll is mapped only for the IMPORT_BY_SERVICE_NAME lookup below. */
RtlInitUnicodeString(&NtdllName, L"\\SystemRoot\\System32\\ntdll.dll");
if (!NT_SUCCESS(status=MapPeImage(&idmi,&NtdllName))) return status;
try {
/* Walk entries until szName is NULL. Within an iteration dwAddress holds an
 * RVA relative to the kernel image; it becomes absolute at the bottom. */
for (i=0;Import.szName;i++){
Import.dwAddress=0;
switch (Import.dwType) {
case IMPORT_BY_NAME:
/* Export lookup by name in the mapped kernel image; on failure dwAddress
 * stays 0 and the entry is still rebased below. */
if (!(Import.dwAddress=GetProcRva(mi.hModule,Import.szName))) {
#ifdef DEBUG
DbgPrint("GetRealAddress(): Failed to get %s rva!\n",Import.szName);
#endif
}
break;
case IMPORT_BY_RVA:
/* szName carries the RVA itself. */
Import.dwAddress=(DWORD)Import.szName;
break;
case IMPORT_BY_ADDRESS:
/* szName carries an absolute address; turn it into an RVA. */
Import.dwAddress=(DWORD)Import.szName-dwKernelBase;
break;
case IMPORT_BY_SERVICE_ID:
// do not search this rva if it has been already found
if (!KiServiceTable_RVA) {
if (!(KiServiceTable_RVA=FindKiServiceTable(mi.hModule))) {
#ifdef DEBUG
DbgPrint("GetRealAddress(): Failed to get KiServiceTable RVA!\n");
#endif
break;
}
}
/* szName carries a table index; the entry is rebased by subtracting
 * mi.dwImageBase. No bounds check is applied to the index. */
KiServiceTable=(PDWORD)(KiServiceTable_RVA+mi.hModule);
Import.dwAddress=KiServiceTable[(DWORD)Import.szName]-mi.dwImageBase;
break;
case IMPORT_BY_SERVICE_NAME:
if (!KiServiceTable_RVA){
if (!(KiServiceTable_RVA=FindKiServiceTable(mi.hModule))) break;
}
/* Service id comes from the mapped ntdll; the result of GetIdForName is
 * used as a table index without being checked. */
Import.dwId=GetIdForName(idmi.hModule,Import.szName);
KiServiceTable=(PDWORD)(KiServiceTable_RVA+mi.hModule);
Import.dwAddress=KiServiceTable[Import.dwId]-mi.dwImageBase;
break;
default:
break;
} //Case End
/* No service id known yet: scan the table for an entry whose rebased value
 * equals the resolved RVA and record its index.
 * NOTE(review): FindKiServiceTable() is not checked here; if it returns 0,
 * KiServiceTable points at mi.hModule itself and the scan reads from there. */
if (Import.dwId==0){
if (!KiServiceTable_RVA)
KiServiceTable_RVA=FindKiServiceTable(mi.hModule);
KiServiceTable=(PDWORD)(KiServiceTable_RVA+mi.hModule);
for (j=0;KiServiceTable[j];j++){if (Import.dwAddress==KiServiceTable[j]-mi.dwImageBase){Import.dwId=j;break;}}
}
/* RVA -> absolute address in the running kernel. */
Import.dwAddress=dwKernelBase+Import.dwAddress;
}
}except(EXCEPTION_EXECUTE_HANDLER){
/* NOTE(review): returns with mi and idmi still mapped. */
return STATUS_ADD_FUNCTION_FAILED;
}
try {
UnmapPeImage(&mi);
UnmapPeImage(&idmi);
}except(EXCEPTION_EXECUTE_HANDLER){
return STATUS_CODE_REBUILDING_FAILED;
}
return STATUS_SUCCESS;
}
...........
嗯……这不是完整的代码，这理所当然，不是么？
面对任何 HOOK，只需要从 NT 的内核文件中取出其真实的地址，很轻易地就可以绕过 SSDT 的 HOOK；INLINE HOOK 则只需要恢复代码即可。
更何况你的驱动肯定会比外挂的驱动还晚加载.
即使抛开上面这些不谈，你依然要面对你的驱动被 PATCH，又或者被一个假冒的驱动所替代，更别说 lpk.dll、usp10.dll 了。
这时候你应该会想反驳我：看看 nPROTECT、安博士吧。好的，那么我们来看看下面这段函数