The driver protection has already been bypassed; I can attach and debug.
But it detects debugging tools.
It detects them very quickly; about 1 minute after opening it has already found them.
So I started writing my own protection driver.
1. Window detection: ShadowSSDT hook
NtUserFindWindowEx
NtUserQueryWindow
NtUserBuildHwndList
NtUserGetForegroundWindow
NtUserWindowFromPoint
2. Process detection
(1) SSDT hook:
NtOpenProcess
NtReadVirtualMemory
NtQuerySystemInformation
(2) Inline hook
ObReferenceObjectByHandle
KeStackAttachProcess
KeAttachProcess
MiDoPoolCopy
(3) EPROCESS unlinking
(4) Start a kernel thread that enumerates all system handles every 2 seconds;
whenever it finds handles to my process or my threads, it ZwCloses them.
At this point I thought it was already very safe, because even my own child dialog could no longer be shown.
A few seconds after launching the game, I was crushed: it still popped up "illegal module".
I'm out of ideas with it; could an expert please offer some pointers?

```c
#include <ntddk.h>

/* SystemHandleInformation layout; not in the WDK headers, this is the commonly
 * published unofficial definition matching the fields used below. */
typedef struct _SYSTEM_HANDLE_ENTRY {
    ULONG       ProcessId;
    UCHAR       ObjectTypeNumber;
    UCHAR       Flags;
    USHORT      Handle;
    PVOID       Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_ENTRY;

typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG               NumberOfHandles;  /* first ULONG of the buffer */
    SYSTEM_HANDLE_ENTRY Information[1];   /* NumberOfHandles entries follow */
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef NTSTATUS (*NTQUERYSYSTEMINFORMATION)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);

/* Original SSDT entry saved when the hook was installed, and the PID to hide. */
extern NTQUERYSYSTEMINFORMATION RealNtQuerySystemInformation;
extern ULONG ProcessIdToProtect;

NTSTATUS MyQuerySystemHandle(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL)
{
    NTSTATUS status;
    ULONG index;
    PSYSTEM_HANDLE_INFORMATION HandleTable;

    /* Let the real service fill the caller's buffer first. */
    status = RealNtQuerySystemInformation(SystemInformationClass, SystemInformation,
                                          SystemInformationLength, ReturnLength);
    if (!NT_SUCCESS(status))
        return status;

    HandleTable = (PSYSTEM_HANDLE_INFORMATION)SystemInformation;
    for (index = 0; index < HandleTable->NumberOfHandles; index++)
    {
        if (HandleTable->Information[index].ProcessId == ProcessIdToProtect)
        {
            /* Zero every field of entries that belong to the protected process. */
            HandleTable->Information[index].ProcessId        = 0;
            HandleTable->Information[index].ObjectTypeNumber = 0;
            HandleTable->Information[index].Object           = NULL;
            HandleTable->Information[index].Handle           = 0;
            HandleTable->Information[index].GrantedAccess    = 0;
            HandleTable->Information[index].Flags            = 0;
        }
    }
    return status;
}

NTSTATUS MyNtQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL)
{
    /* Only the handle-table query is filtered; every other class passes through. */
    if (SystemInformationClass == SystemHandleInformation)
    {
        return MyQuerySystemHandle(SystemInformationClass, SystemInformation,
                                   SystemInformationLength, ReturnLength);
    }
    return RealNtQuerySystemInformation(SystemInformationClass, SystemInformation,
                                        SystemInformationLength, ReturnLength);
}
```
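The hook in the post leaves a detectable artifact: NumberOfHandles is untouched while the hidden entries become all-zero, something the kernel never reports. As an added example that is not part of the post, here is the consistency check a protection module can run over a returned SystemHandleInformation buffer; the entry layout is the commonly published unofficial one and is assumed, and the sample table is constructed so the code runs without Windows headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed unofficial SystemHandleInformation entry layout (32-bit Windows). */
typedef struct {
    uint32_t ProcessId;
    uint8_t  ObjectTypeNumber;
    uint8_t  Flags;
    uint16_t Handle;
    void    *Object;
    uint32_t GrantedAccess;
} HandleEntry;

#define MAX_ENTRIES 8

typedef struct {
    uint32_t    NumberOfHandles;          /* first ULONG of the buffer */
    HandleEntry Information[MAX_ENTRIES]; /* fixed size for the constructed sample */
} HandleTable;

/* A genuine entry always has a nonzero handle value, a nonzero type index and a
 * kernel object pointer; an entry with all of them cleared, yet still counted,
 * means the buffer was rewritten after the system call returned. */
static int entry_is_wiped(const HandleEntry *e)
{
    return e->ProcessId == 0 && e->ObjectTypeNumber == 0 &&
           e->Handle == 0 && e->Object == NULL;
}

/* Number of wiped entries in a table; any nonzero result indicates tampering. */
size_t count_wiped_entries(const HandleTable *t)
{
    size_t wiped = 0;
    uint32_t n = t->NumberOfHandles > MAX_ENTRIES ? MAX_ENTRIES : t->NumberOfHandles;
    for (uint32_t i = 0; i < n; i++)
        if (entry_is_wiped(&t->Information[i]))
            wiped++;
    return wiped;
}

/* Constructed sample: five counted entries, two of them zeroed the way the
 * post's MyQuerySystemHandle does it (PIDs and pointers are made-up values). */
HandleTable make_sample_table(void)
{
    HandleTable t;
    static const uint32_t pids[5] = {4, 1234, 1234, 0, 0};
    memset(&t, 0, sizeof t);
    t.NumberOfHandles = 5;
    for (uint32_t i = 0; i < 5; i++) {
        if (pids[i] == 0) continue;          /* wiped entries stay all-zero */
        t.Information[i].ProcessId = pids[i];
        t.Information[i].ObjectTypeNumber = 7;
        t.Information[i].Handle = (uint16_t)(4 * (i + 1));
        t.Information[i].Object = (void *)(uintptr_t)(0x82000000u + 0x100u * i);
        t.Information[i].GrantedAccess = 0x1F0FFF;
    }
    return t;
}

size_t sample_wiped_count(void)
{
    HandleTable t = make_sample_table();
    return count_wiped_entries(&t);   /* 2 for the constructed sample */
}
```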