Detection by a certain driver protection, asking the experts for advice
The driver protection has already been bypassed; I can attach and debug, but it detects debugging tools.
It detects them very quickly, about one minute after the tool is opened.
So I started writing my own driver protection.
I. Window detection: ShadowSSDT hook
NtUserFindWindowEx
NtUserQueryWindow
NtUserBuildHwndList
NtUserGetForegroundWindow
NtUserWindowFromPoint
II. Process detection
1. SSDT hook:
NtOpenProcess
NtReadVirtualMemory
NtQuerySystemInformation
2. Inline hook
ObReferenceObjectByHandle
KeStackAttachProcess
KeAttachProcess
MiDoPoolCopy
3. EPROCESS unlinking
4. Start a kernel thread that enumerates all handles in the system every 2 seconds;
whenever it finds a handle to my process or threads, it calls ZwClose on it.
At this point I thought it was already very safe, since even my own child dialog could no longer be displayed.
A few seconds after launching the game I was crushed: it still popped up "illegal module".
I have no way to deal with it anymore; experts, please give me some pointers.

NTSTATUS MyQuerySystemHandle(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL )
{
    NTSTATUS status;
    ULONG index;
    PSYSTEM_HANDLE_INFORMATION_EX HandleTable;

    status = RealNtQuerySystemInformation(SystemHandleInformation, SystemInformation, SystemInformationLength, ReturnLength);
    if (!NT_SUCCESS(status))
        return status;

    HandleTable = (PSYSTEM_HANDLE_INFORMATION)((PULONG)SystemInformation);
    for (index = 0; index != *(PULONG)SystemInformation; index++)
    {
        if (HandleTable->Information.ProcessId == ProcessIdToProtect)
        {
            HandleTable->Information.ProcessId = NULL;
            HandleTable->Information.ObjectTypeNumber = NULL;
            HandleTable->Information.Object = NULL;
            HandleTable->Information.Handle = NULL;
            HandleTable->Information.GrantedAccess = NULL;
            HandleTable->Information.Flags = NULL;
        }
    }
    return status;
}

NTSTATUS MyNtQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL )
{
    if (SystemInformationClass == SystemHandleInformation)
    {
        return MyQuerySystemHandle(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
    }
    return RealNtQuerySystemInformation(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
}
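As an added example (not code from the original post), here is the kind of integrity check an anti-tamper component can run over the buffer that NtQuerySystemInformation(SystemHandleInformation) returns: it parses the buffer assuming the 32-bit SYSTEM_HANDLE_TABLE_ENTRY_INFO layout (an assumption; the 64-bit layout differs) and flags entries scrubbed to all zeros, which a genuine handle table never contains. The sample buffer is constructed inline.

```python
import struct

# 32-bit SYSTEM_HANDLE_TABLE_ENTRY_INFO (assumed layout):
#   USHORT UniqueProcessId, USHORT CreatorBackTraceIndex, UCHAR ObjectTypeIndex,
#   UCHAR HandleAttributes, USHORT HandleValue, PVOID Object, ULONG GrantedAccess
ENTRY_FMT = "<HHBBHII"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 16 bytes


def parse_handle_info(buf):
    """Parse a SYSTEM_HANDLE_INFORMATION buffer: ULONG count, then count entries."""
    if len(buf) < 4:
        raise ValueError("buffer too short for handle count")
    count = struct.unpack_from("<I", buf, 0)[0]
    if 4 + count * ENTRY_SIZE > len(buf):
        raise ValueError("declared handle count exceeds buffer length")
    entries = []
    for i in range(count):
        pid, _bt, otype, attrs, handle, obj, access = struct.unpack_from(
            ENTRY_FMT, buf, 4 + i * ENTRY_SIZE)
        entries.append({"pid": pid, "type": otype, "attrs": attrs,
                        "handle": handle, "object": obj, "access": access})
    return entries


def find_tampered_entries(entries):
    """Indices of entries that cannot be real: handle value 0 with a NULL object
    pointer is never produced by the kernel, so such a slot was zeroed in place."""
    return [i for i, e in enumerate(entries)
            if e["handle"] == 0 and e["object"] == 0]


def build_sample():
    """Constructed sample: three entries, the middle one scrubbed to zeros."""
    entries = [
        (4, 0, 7, 0, 0x0004, 0x8A000000, 0x001F0FFF),   # System process handle
        (0, 0, 0, 0, 0x0000, 0x00000000, 0x00000000),   # zeroed slot
        (1234, 0, 5, 0, 0x0040, 0x8A001000, 0x00100000),  # ordinary process handle
    ]
    buf = struct.pack("<I", len(entries))
    for e in entries:
        buf += struct.pack(ENTRY_FMT, *e)
    return buf


if __name__ == "__main__":
    parsed = parse_handle_info(build_sample())
    print("tampered entry indices:", find_tampered_entries(parsed))
```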