【ACCESS精品源码栏目提醒】:网学会员在ACCESS精品源码频道为大家收集整理了“(精品)这个是过TX游戏自我保护驱动的源代码【整理】 - 培训教程“提供大家参考,希望对大家有所帮助!
????????????????TX??????·×??????±????¤??????????????????ú????????????????????qq????????DNF??????°????????QQ??????·???? include include include include Common.h typedef struct _KAPC_STATE LIST_ENTRY ApcListHead2 PVOID Process BOOLEAN KernelApcInProgress BOOLEAN KernelApcPending BOOLEAN UserApcPending KAPC_STATE PKAPC_STATE ULONG g_nOpenIndex 0 ULONG g_nThreadIndex 0 ULONG g_nReadIndex 0 ULONG g_nWriteIndex 0 ULONG g_NtOpenProcess 0 ULONG g_NtOpenThread 0 ULONG g_NtReadVirtualMemory 0 ULONG g_NtWriteVirtualMemory 0 ULONG g_KiAttachProcess 0 ULONG g_PsCreateSystemThread 0 ULONG g_PsCreateSystemThreadAddr 0 BYTE g_NtOpenProcessSave0x300 BYTE g_NtOpenThreadSave0x300 BYTE g_NtReadVirtualMemorySave0x10 BYTE g_NtWriteVirtualMemorySave0x10 BYTE g_KiAttachProcessSave0x10 INLINEHOOK g_hPsCreateSystemThread VOID NTAPI MyThreadPVOID pContext __asm push eax cli mov eax cr0 and eax not 0x10000 mov cr0 eax pop eax if g_NtOpenProcess memcpyPVOIDg_NtOpenProcess PVOIDg_NtOpenProcessSave sizeofg_NtOpenProcessSave // DbgPrint????????NtOpenProcess???????? if g_NtOpenThread memcpyPVOIDg_NtOpenThread PVOIDg_NtOpenThreadSave sizeofg_NtOpenThreadSave // DbgPrint????????NtOpenThread???????? if g_NtReadVirtualMemory memcpyPVOIDg_NtReadVirtualMemory PVOIDg_NtReadVirtualMemorySave sizeofg_NtReadVirtualMemorySave // DbgPrint????????NtReadVirtualMemory???????? if g_NtWriteVirtualMemory memcpyPVOIDg_NtWriteVirtualMemory PVOIDg_NtWriteVirtualMemorySave sizeofg_NtWriteVirtualMemorySave // DbgPrint????????NtWriteVirtualMemory???????? if g_KiAttachProcess memcpyPVOIDg_KiAttachProcess PVOIDg_KiAttachProcessSave sizeofg_KiAttachProcessSave // DbgPrint????????KiAttachProcess???????? __asm push eax mov eax cr0 or eax 0x10000 sti pop eax DbgPrint???????????????? PsTerminateSystemThreadSTATUS_SUCCESS __declspecnaked NTSTATUS MyPsCreateSystemThread_PHANDLE ThreadHandleULONG DesiredAccessPOBJECT_ATTRIBUTES ObjectAttributesHANDLE ProcessHandlePCLIENT_ID ClientIdPKSTART_ROUTINE StartRoutinePVOID StartContext __asm jmp dword ptr g_PsCreateSystemThreadAddr NTSTATUS MyPsCreateSystemThreadPHANDLE ThreadHandleULONG DesiredAccessPOBJECT_ATTRIBUTES ObjectAttributesHANDLE ProcessHandlePCLIENT_ID ClientIdPKSTART_ROUTINE StartRoutinePVOID StartContext PDWORD Addr PDWORDStartRoutine HANDLE hThread NULL if Addr 0x81EC8B55 Addr 1 0x94EC Addr 0x0149F6E9 Addr 1 0xB2120100 Addr 0x01F1DFE9 Addr 1 0x13A5F300 Addr 0x02120FE9 Addr 1 0x6E800 DbgPrint??????¨????????????????:XnStartRoutine // MyPsCreateSystemThread_hThread ACCESS_MASK0 NULLHANDLE0 NULL MyThread NULL // ZwClosehThread StartRoutine MyThread return MyPsCreateSystemThread_ThreadHandle DesiredAccess ObjectAttributes ProcessHandle ClientId StartRoutine StartContext ULONG GetKiAttachProcessAddr ULONG DisassemblerLen 0 Size 0 PBYTE FunctionAddr PBYTEGetFunctionAddrLKeStackAttachProcess do DisassemblerLen GetOpCodeSizeFunctionAddr FunctionAddr FunctionAddr DisassemblerLen Size Size DisassemblerLen if Size 0x100 PWORDFunctionAddr 0x8C2 return 0 while FunctionAddr 0xE8 return LONGFunctionAddr PLONGFunctionAddr 1 5 VOID Hook g_nOpenIndex GetFunctionIndexNtOpenProcess g_nThreadIndex GetFunctionIndexNtOpenThread g_nReadIndex GetFunctionIndexNtReadVirtualMemory g_nWriteIndex GetFunctionIndexNtWriteVirtualMemory g_NtOpenProcess KeServiceDescriptorTable-ServiceTableBaseg_nOpenIndex g_NtOpenThread KeServiceDescriptorTable-ServiceTableBaseg_nThreadIndex g_NtReadVirtualMemory KeServiceDescriptorTable-ServiceTableBaseg_nReadIndex g_NtWriteVirtualMemory KeServiceDescriptorTable-ServiceTableBaseg_nWriteIndex g g_PsCreateSystemThread GetFunctionAddrLPsCreateSystemThread if g_NtOpenProcess memcpyPVOIDg_NtOpenProcessSave PVOIDg_NtOpenProcess sizeofg_NtOpenProcessSave DbgPrintNtOpenProcess ??????·:08X g_NtOpenProcess else DbgPrint????????NtOpenProcess??????·??§°?? if g_NtOpenThread memcpyPVOIDg_NtOpenThreadSave PVOIDg_NtOpenThread sizeofg_NtOpenThreadSave DbgPrintNtOpenThread ??????·:08X g_NtOpenThread else DbgPrint????????NtOpenThread??????·??§°?? if g_NtReadVirtualMemory memcpyPVOIDg_NtReadVirtualMemorySave PVOIDg_NtReadVirtualMemory sizeofg_NtReadVirtualMemorySave DbgPrintNtReadVirtualMemory ??????·:08X g_NtReadVirtualMemory else DbgPrint????????NtReadVirtualMemory??????·??§°?? if g_NtWriteVirtualMemory memcpyPVOIDg_NtWriteVirtualMemorySave PVOIDg_NtWriteVirtualMemory sizeofg_NtWriteVirtualMemorySave DbgPrintNtWriteVirtualMemory ??????·:08X g_NtWriteVirtualMemory else DbgPrint????????NtWriteVirtualMemory??????·??§°?? if g_KiAttachProcess memcpyPVOIDg_KiAttachProcessSave PVOIDg_KiAttachProcess sizeofg_KiAttachProcessSave DbgPrintKiAttachProcess ??????·:08X g_KiAttachProcess else DbgPrint????????KiAttachProcess??????·??§°?? HookFunctiong_PsCreateSystemThread ULONGMyPsCreateSystemThread g_hPsCreateSystemThread g_PsCreateSystemThreadAddr VOID UnHook UnHookFunctiong_hPsCreateSystemThread void OnUnloadPDRIVER_OBJECT pDriverObj UnHook DbgPrint???????????????? // ??????????????ò??????????±??÷????DriverEntry???????? NTSTATUS DriverEntryPDRIVER_OBJECT pDriverObj PUNICODE_STRING pRegistryString pDriverObj-DriverUnload OnUnload DbgPrint???????????????? Hook return STATUS_SUCCESS X