教你QQ华夏inlinehook保护恢复
游戏 inline hook 了三个地方，可以用 Xuetr 查看到
DbgUiRemoteBreakin
LoadLibraryExW
VirtualProtectEx
第二个直接恢复
第一个恢复后游戏退出，跟踪发现检游戏跳到自身模块后没检测，可在游戏 jmp 直接 hook 到注入 dll 模块，重写前 5 字节后再跳回原模块
/*
 * Overwrites the first 5 bytes of the protection's hook trampoline
 * (p_TpHookAddress) with a relative jmp to Nakd_NtOpenProcess, so the
 * jmp the protection placed at 0x7c97211c lands in this module instead of
 * in the protection's handler.  Runs inside the target process itself
 * (it opens GetCurrentProcessId()).
 *
 * The addresses 0x7c97211c / 0x7c97211d are hard-coded for one specific
 * module build; on any other build they address unrelated bytes.
 * No return type is declared (implicit int) and nothing is returned.
 * p_TpHookAddress is assigned here but declared elsewhere in the file.
 *
 * Defensive view: what this leaves behind is a page in the hooked module
 * whose protection was changed to PAGE_EXECUTE_READWRITE and never
 * restored, plus a jmp whose target lies outside the protection's module —
 * both are the kind of artifact a code-integrity / hook-integrity check
 * is designed to notice.
 */
static My_RecoveryHook_NtOpenProcess() {
// 0xE9 = rel32 jmp opcode; the 4 displacement bytes are filled in below.
BYTE JmpAddress = {0xE9,0,0,0,0};
// Resolve the target of the E9 jmp at 0x7c97211c: address of the next
// instruction (+5) plus the rel32 stored at 0x7c97211d.  That target is
// the protection's trampoline, which is what gets patched.
p_TpHookAddress = (ULONG)0x7c97211c+5+*(ULONG*)0x7c97211d;
// End of the 5-byte jmp that will be written at p_TpHookAddress; rel32
// displacements are relative to this address.
ULONG p_MyHookAddress=p_TpHookAddress+0x5;
// Stale comments carried over from another routine: "get the caller's
// EPROCESS" and "save the caller's process name into str1" — nothing in
// this function does either.
DWORD dwOldProtect,nSize;
HANDLE hObjProcess=0 ;
// rel32 = target - (address following the jmp instruction)
*(ULONG *)(JmpAddress+1)=(ULONG)Nakd_NtOpenProcess - p_MyHookAddress;
// Full-access handle to the current process; it is never closed
// (no CloseHandle), and the OpenProcess result is not checked.
hObjProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
// 64 == PAGE_EXECUTE_READWRITE.  The previous protection is saved in
// dwOldProtect but never restored; the return value is not checked.
VirtualProtect ((void *)(p_TpHookAddress) , 5, 64, &dwOldProtect);
// Patch the first 5 bytes of the trampoline.  Neither the return value
// nor nSize (bytes actually written) is checked.
WriteProcessMemory(hObjProcess, (void *)(p_TpHookAddress) , JmpAddress, 5, &nSize);
}
/*
 * Landing code for the jmp that My_RecoveryHook_NtOpenProcess writes into
 * the protection's trampoline.  It re-executes the instructions that the
 * protection's 5-byte jmp at 0x7c97211c displaced, then continues at
 * 0x7c972123, the first instruction after the displaced ones.
 *
 * Not a normal function: it is only ever reached by jmp, never returns
 * (the body ends in `jmp eax`), and declares no return type (implicit int).
 * MSVC 32-bit x86 inline assembly; like the caller, the constants are
 * bound to one specific module build.
 *
 * Note on the original "restore the original 5 bytes" comment: `push 0x8`
 * encodes to 2 bytes and `push imm32` to 5, so 7 bytes are re-executed
 * here, which matches 0x7c97211c + 7 == 0x7c972123 — the "5" in the
 * comment appears to refer to the jmp size, not the displaced length.
 */
static Nakd_NtOpenProcess()
{
__asm
{
push 0x8// re-execute the displaced instructions ("restore the original 5 bytes")
push 0x7C972168
mov eax,0x7c972123// resume address: first instruction after the displaced bytes
jmp eax
}
}