反游戏内存扫描源码 Hook NtQueryVirtualMemory
反游戏内存扫描源码 Hook NtQueryVirtualMemory
//反扫描模块
/*
 * NewZwQueryVirtualMemory - hook replacement for ZwQueryVirtualMemory.
 *
 * Every call is forwarded to the original routine. Only when that call
 * succeeds and the class is MemorySectionName (the name of the section
 * backing the queried region) is the result post-processed: if the returned
 * name contains one of the protected names in lpAttackDll, the caller's name
 * buffer is zeroed, so the region appears to have an empty section name.
 * All other information classes, the NTSTATUS and ReturnLength pass through
 * untouched.
 *
 * Parameters mirror ZwQueryVirtualMemory:
 *   ProcessHandle, BaseAddress, MemoryInformationClass - forwarded as-is.
 *   MemoryInformation / MemoryInformationLength - caller's output buffer;
 *     may be modified in place (see memset below) for MemorySectionName.
 *   ReturnLength - forwarded, never touched here.
 * Returns the NTSTATUS produced by the original routine.
 *
 * NOTE(review): as listed this does not compile cleanly. lpwzDllName and
 * lpAttackDll are declared as single WCHARs (not arrays) yet are used as a
 * buffer and as strings, and the five wcsstr tests all examine the same
 * object. The listing is evidently garbled or incomplete; the function's
 * closing brace is also missing from it.
 *
 * Detection note: a MemorySectionName query that returns STATUS_SUCCESS with
 * a non-zero Length but an all-zero Buffer is an observable artifact of this
 * hook, since the untouched path never produces that combination.
 */
NTSTATUS __stdcall NewZwQueryVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN ULONG MemoryInformationClass,
OUT PVOID MemoryInformation,
IN ULONG MemoryInformationLength,
OUT PULONG ReturnLength
)
{
ZWQUERYVIRTUALMEMORY OldZwQueryVirtualMemory; // function-pointer typedef for the original routine (declared elsewhere)
NTSTATUS status;
PUNICODE_STRING SectionName;
// Scratch copy of the returned section name. The zero initializer is what
// gives wcsstr a terminator, because the memcpy below appends none.
// NOTE(review): declared as a single WCHAR, not an array.
WCHAR lpwzDllName = {0};
// Names of the modules to protect, so they are not dumped from memory and uploaded.
// NOTE(review): declared as a scalar WCHAR but initialized with five strings.
WCHAR lpAttackDll = {L"1",L"2",L"3",L"4",L"5"};
// ZwQueryVirtualMemoryHookZone is defined elsewhere; presumably the
// trampoline/original entry saved when the hook was installed -- confirm.
OldZwQueryVirtualMemory = (ZWQUERYVIRTUALMEMORY)ZwQueryVirtualMemoryHookZone;
status = OldZwQueryVirtualMemory(
ProcessHandle,
BaseAddress,
MemoryInformationClass,
MemoryInformation,
MemoryInformationLength,
ReturnLength
);
// Only successful MemorySectionName queries are filtered; everything else
// is returned exactly as the original routine produced it.
if (status == STATUS_SUCCESS && MemoryInformationClass == MemorySectionName)
{
// __except(1) is EXCEPTION_EXECUTE_HANDLER: any fault while touching the
// caller-supplied buffer is swallowed and the original status is still
// returned, so the caller cannot tell that post-processing was attempted.
__try{
SectionName =(PUNICODE_STRING)MemoryInformation;
if (ValidateUnicodeString(SectionName)) // helper defined elsewhere
{
if (SectionName->Buffer != NULL &&
SectionName->Length)
{
// Copies Length bytes of the name; no terminator is appended.
memcpy(lpwzDllName,SectionName->Buffer,SectionName->Length);
// NOTE(review): all five tests compare against the same lpAttackDll object.
if (wcsstr(lpwzDllName,lpAttackDll) != 0 ||
wcsstr(lpwzDllName,lpAttackDll) != 0 ||
wcsstr(lpwzDllName,lpAttackDll) != 0 ||
wcsstr(lpwzDllName,lpAttackDll) != 0 ||
wcsstr(lpwzDllName,lpAttackDll) != 0)
{
// Zero the caller's name buffer (MaximumLength bytes) in place, so the
// section name the caller reads back is empty. Length is left as-is.
memset(SectionName->Buffer,0,SectionName->MaximumLength);
}
}
}
}__except(1){
}
}
return status;
/* NOTE(review): the function's closing brace is missing from this listing. */