ofLONG //DbgPrintCALL: 0x08X - 0x08X cAbs ULONGpCode i i sizeofLONG break case 0x80: //CMP BYTE PTR X if PUCHARcAbs 1 0x7D memcpypCode i 1 PVOIDcAbs 1 3 i 3 continue break case 0xC2: //RET X if PUSHORTcAbs 1 0x10 memcpypCode i 1 PVOIDcAbs 1 sizeofUSHORT i sizeofUSHORT break /case 0xE9: //JMP oRel PLONGcAbs 1 if oRel cAbs TrgAddr BufferLength cRel GetRelAddroRel cAbs ULONGpCode i memcpypCode i 1 cRel sizeofLONG i 4 / if PUCHARcAbs 0x39PUCHARcAbs 0x89PUCHARcAbs 0x8D memcpypCode i 1 PVOIDcAbs 1 sizeofUSHORT i sizeofUSHORT continue /if PUCHARcAbs 0x70PUCHARcAbs ServiceTableBase 0xBA 4AddrWrite ULONGKeServiceDescriptorTable-ServiceTableBase 0x115 4AddrThread ULONGKeServiceDescriptorTable-ServiceTableBase 0x80 4AddrProcess ULONGKeServiceDescriptorTable-ServiceTableBase 0x7A 4 OldThread NTOPENTHREADPULONGAddrThread OldProcess NTOPENPROCESSPULONGAddrProcess DbgPrintMyThread:0x08X OldThread:0x08X MyThread OldThread DbgPrintMyProcess:0x08X OldProcess:0x08X MyProcess OldProcess__asm c li mov eaxcr0 and eaxnot 10000h mov cr0eax//记录 NtReadVirtualMemory/NtWriteVirtualMemory 前 16 字节OrgRead0 PULONGPULONGAddrReadOrgRead1 PULONGPULONGAddrRead 4OrgWrite0 PULONGPULONGAddrWriteOrgWrite1 PULONGPULONGAddrWrite 4//保存原代码BufferCodeMyThread ULONGOldThread ThreadLengthBufferCodeMyProcess ULONGOldProcess ProcessLength //SSDT HookPULONGAddrThread ULONGMyNtOpenThreadPULONGAddrProcess ULONGMyNtOpenProcess__asm mov eaxcr0 or eax10000h mov cr0eax stiDbgPrintHookedVOID Unhook ULONG AddrProcess AddrThread AddrThread ULONGKeServiceDescriptorTable-ServiceTableBase 0x80 4AddrProcess ULONGKeServiceDescriptorTable-ServiceTableBase 0x7A 4 __asm c li mov eaxcr0 and eaxnot 10000h mov cr0eax //恢复 SSDTPULONGAddrThread ULONGOldThread PULONGAddrProcess ULONGOldProcess __asm mov eaxcr0 or eax10000h mov cr0eax sti DbgPrintUnhooked学习各种外挂制作技术,马上去百度搜索 魔鬼作坊 点击第 一个站进入、快速成为做挂达人。
上一篇:
【精品】使用VC++6.0系统
下一篇:
让我掉下眼泪的