dnf辅助外挂C源代码(仅供学习参考)

1、独钓寒江雪由于我的C用的比较少，所以大部分都用的汇编，部分地方用汇编写不是很方便，所以我用的C，由于只是学习，所以内核地址我没有计算都是硬编码的。过DNF主要分为三步，也许我的思路不太正确，反正可以OD调试，下断。程序没怎么修边幅，因为只是测试，所以一般都没有写更改内核后的恢复，不过不妨碍使用。第一步，这也是最起码的，你必须要能够打开游戏进程和线程，能够开打进程和线程后不被检测到第二步，能够读写进村内存第三步，能够用OD附加游戏进程第四步，能够下硬件断点而不被检测跳过NtReadVirtualMemory，NtWriteVirtualMemory函数头的钩子代码:#include typede

2、f struct _SERVICE_DESCRIPTOR_TABLEPVOID ServiceTableBase;PULONG ServiceCounterTableBase;ULONG NumberOfService;ULONG ParamTableBase;SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE; /由于KeServiceDescriptorTable只有一项,这里就简单点了extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;/KeServiceDescripto

3、rTable为导出函数/VOID Hook(;VOID Unhook(;VOID OnUnload(IN PDRIVER_OBJECT DriverObject;/ULONG JmpAddress;/跳转到NtOpenProcess里的地址ULONG JmpAddress1;/跳转到NtOpenProcess里的地址ULONG OldServiceAddress;/原来NtOpenProcess的服务地址ULONG OldServiceAddress1;/原来NtOpenProcess的服务地址/_declspec(naked NTSTATUS _stdcall MyNtReadVirtual

4、Memory(HANDLE ProcessHandle,PVOID BaseAddress,PVOID Buffer,ULONG NumberOfBytesToRead,PULONG NumberOfBytesReaded /跳过去_asmpush 0x1cpush 804eb560h /共十个字节jmp JmpAddress _declspec(naked NTSTATUS _stdcall MyNtWriteVirtualMemory(HANDLE ProcessHandle,PVOID BaseAddress,PVOID Buffer,ULONG NumberOfBytesToWrite

5、,PULONG NumberOfBytesReaded /跳过去_asmpush 0x1cpush 804eb560h /共十个字节jmp JmpAddress1 /NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPathDriverObject->DriverUnload = OnUnload;DbgPrint("Unhooker load"Hook(;return STATUS_SUCCESS;/VOID OnUnload(IN PDRIVER_OBJECT D

6、riverObjectDbgPrint("Unhooker unload!"Unhook(;/VOID Hook(ULONG Address, Address1;Address = (ULONGKeServiceDescriptorTable->ServiceTableBase + 0xBA * 4;/0x7A为NtOpenProcess服务IDAddress1 = (ULONGKeServiceDescriptorTable->ServiceTableBase + 0x115 * 4;/0x7A为NtOpenProcess服务IDDbgPrint("

7、Address:0x%08X",Address;OldServiceAddress = *(ULONG*Address;/保存原来NtOpenProcess的地址OldServiceAddress1 = *(ULONG*Address1;/保存原来NtOpenProcess的地址DbgPrint("OldServiceAddress:0x%08X",OldServiceAddress;DbgPrint("OldServiceAddress1:0x%08X",OldServiceAddress1;DbgPrint("MyNtOpenPr

8、ocess:0x%08X",MyNtReadVirtualMemory;DbgPrint("MyNtOpenProcess:0x%08X",MyNtWriteVirtualMemory;JmpAddress = (ULONG0x805b528a + 7; /跳转到NtOpenProcess函数头10的地方，这样在其前面写的JMP都失效了JmpAddress1 = (ULONG0x805b5394 + 7;DbgPrint("JmpAddress:0x%08X",JmpAddress;DbgPrint("JmpAddress1:0x%0

9、8X",JmpAddress1;_asm /去掉内存保护climov eax,cr0and eax,not 10000hmov cr0,eax*(ULONG*Address = (ULONGMyNtReadVirtualMemory;/HOOK SSDT*(ULONG*Address1 = (ULONGMyNtWriteVirtualMemory;_asm /恢复内存保护 mov eax,cr0or eax,10000hmov cr0,eaxsti/VOID Unhook(ULONG Address, Address1;Address = (ULONGKeServiceDescrip

10、torTable->ServiceTableBase + 0xBA * 4;/查找SSDTAddress1 = (ULONGKeServiceDescriptorTable->ServiceTableBase + 0x115 * 4;_asmclimov eax,cr0and eax,not 10000hmov cr0,eax*(ULONG*Address = (ULONGOldServiceAddress;/还原SSDT*(ULONG*Address1 = (ULONGOldServiceAddress1;/还原SSDT_asm mov eax,cr0or eax,10000hm

11、ov cr0,eaxstiDbgPrint("Unhook"由于它不断对DebugPort清零，所以要修改调试相关函数，使得所有的访问DebugPort的地方全部访问EPROCESS中的ExitTime字节，这样它怎么清零都无效了，也检测不到代码:.386.model flat, stdcalloption casemap:noneinclude dnf_hook.inc.constDspdo_1 equ 80643db6hDmpp_1 equ 80642d5ehDmpp_2 equ 80642d64hDct_1 equ 806445d3hDqm_1 equ 8064308

12、9hKde_1 equ 804ff5fdhDfe_1 equ 80644340hPcp_1 equ 805d1a0dhMcp_1 equ 805b0c06hMcp_2 equ 805b0d7fhDmvos_1 equ 8064497fhDumvos_1 equ 80644a45hPet_1 equ 805d32f8hDet_1 equ 8064486chDep_1 equ 806448e6h.code;还原自己的HookDriverUnload proc pDriverObject:PDRIVER_OBJECTret DriverUnload endpModifyFuncAboutDbg pr

13、oc addrOdFunc, cmd_1, cmd_2pushadmov ebx, addrOdFuncmov eax, cmd_1mov DWORD ptr ebx, eaxmov eax, cmd_2mov DWORD ptr ebx + 4, eaxpopadret ModifyFuncAboutDbg endpDriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRINGclimov eax, cr0and eax, not 10000hmov cr0, eaxinvoke ModifyFun

14、cAboutDbg, Dspdo_1, 90784789h, 0fde89090hinvoke ModifyFuncAboutDbg, Dmpp_1, 90787e39h, 950f9090hinvoke ModifyFuncAboutDbg, Dct_1, 90785e39h, 840f9090hinvoke ModifyFuncAboutDbg, Dqm_1, 9078408bh, 45899090hinvoke ModifyFuncAboutDbg, Kde_1, 90787839h, 13749090hinvoke ModifyFuncAboutDbg, Dfe_1, 9078418b

15、h, 0d2329090hinvoke ModifyFuncAboutDbg, Pcp_1, 90784389h, 45f69090hinvoke ModifyFuncAboutDbg, Mcp_1, 90785e39h, 950f9090hinvoke ModifyFuncAboutDbg, Mcp_2, 90784a89h, 5e399090hinvoke ModifyFuncAboutDbg, Dmvos_1, 9078498bh, 0cb3b9090hinvoke ModifyFuncAboutDbg, Dumvos_1, 00787983h, 74909090hinvoke Modi

16、fyFuncAboutDbg, Pet_1, 00787f83h, 74909090hinvoke ModifyFuncAboutDbg, Det_1, 9078498bh, 0c9859090hinvoke ModifyFuncAboutDbg, Dep_1, 9078498bh, 0c9859090h;invoke ModifyFuncAboutDbg, Dmpp_2, 8bc0950fh, 8b90c032hmov eax, pDriverObjectassume eax : ptr DRIVER_OBJECTmov eax.DriverUnload, offset DriverUnlo

17、adassume eax : nothingmov eax, cr0or eax, 10000hmov cr0, eaxstimov eax, STATUS_SUCCESSretDriverEntry endpend DriverEntry绕过NtOpenProcess，NtOpenThread，KiAttachProcess以及最重要的，不能让它检测到有硬件断点，所以要对CONTEXT做一些伪装，把真实的DR0DR7的数据存放到别的地方，OD访问的时候返回正确的数据，如果是DNF要获取上下文，就稍微做下手脚代码:.386.model flat, stdcalloption casemap:n

18、oneinclude dnf_hook.inc.constNtOpenProcessHookAddr equ 805cc626hNtOpenProcessRetAddr equ 805cc631hNtOpenProcessNoChange equ 805cc62chNtOpenThreadHookAddr equ 805cc8a8hNtOpenThreadRetAddr equ 805cc8b3hNtOpenThreadNoChange equ 805cc8aehKiAttachProcessAddr equ 804f9a08hKiAttachProcessRetAddr equ 804f9a

19、0fhObOpenObjectByPointerAddr equ 805bcc78hNtGetContextThreadAddr equ 805d2551h;805c76a3hNtGetContextThreadRetAddr equ 805c76a7h;805d2555h.datanameOffset dd ?threadCxtLink dd 0tmpLink dd ?.codeGetProcessName procinvoke PsGetCurrentProcessmov ebx, eaxadd ebx, nameOffsetinvoke DbgPrint, $CTA0("n&q

20、uot;push ebxinvoke DbgPrint, ebxpop ebxinvoke strncmp, $CTA0("DNF.exe", ebx, 6push eaxinvoke DbgPrint, $CTA0("n"pop eaxretGetProcessName endpHookCode proc;执行被覆盖的代码push dword ptr ebp-38hpush dword ptr ebp-24h;判断是否dnf的进程invoke GetProcessName.if !eax ;如果是DNF自己的进程，那么跳转回去执行它的Hook代码pus

21、hadinvoke DbgPrint, $CTA0("nNotUnHookn"popadmov eax, NtOpenProcessNoChange;805c13e6hjmp eax.else ;如果不是DNF自己的进程，那么直接调用ObOpenObjectByPointer，再返回到后面pushadinvoke DbgPrint, $CTA0("nUnHookn"popadmov eax, ObOpenObjectByPointerAddr;805b13f0hcall eaxmov ebx, NtOpenProcessRetAddr;805c13ebh

22、jmp ebx.endifHookCode endp;获取系统名称偏移GetNameOffset proc epelocal tmpOffsetpushadmov ebx, epeinvoke strlen, $CTA0("System"xor ecx, ecx:push eaxpush ecxinvoke strncmp, $CTA0("System", ebx, eaxpop ecx.if !eaxpop eaxmov tmpOffset, ecxpopadmov eax, tmpOffsetret.elseifpop eaxinc ebxinc e

23、cxcmp ecx, 4096je Fjmp B.endif:popadmov eax, -1retGetNameOffset endpHook procpushad;头5字节跳转mov eax, offset HookCodesub eax, NtOpenProcessHookAddr;805c13e0h;805c13edhsub eax, 5mov ebx, NtOpenProcessHookAddr;805c13e0h;805c13edhmov cl, 0E9hmov BYTE PTR ebx, clmov DWORD PTR ebx + 1, eaxpopadretHook endpH

24、ookThreadCode proc;执行被覆盖的代码push dword ptr ebp-34hpush dword ptr ebp-20h;判断是否dnf的进程invoke GetProcessName.if !eax ;如果是DNF自己的进程，那么跳转回去执行它的Hook代码pushadinvoke DbgPrint, $CTA0("nNotUnHookn"popadmov eax, NtOpenThreadNoChange;805c13e6hjmp eax.else ;如果不是DNF自己的进程，那么直接调用ObOpenObjectByPointer，再返回到后面pu

25、shadinvoke DbgPrint, $CTA0("nUnHookn"popadmov eax, ObOpenObjectByPointerAddr;805b13f0hcall eaxmov ebx, NtOpenThreadRetAddr;805c13ebhjmp ebx.endifHookThreadCode endpHookThread procpushad;头5字节跳转mov eax, offset HookThreadCodesub eax, NtOpenThreadHookAddr;805c13e0h;805c13edhsub eax, 5mov ebx,

26、NtOpenThreadHookAddr;805c13e0h;805c13edhmov cl, 0E9hmov BYTE PTR ebx, clmov DWORD PTR ebx + 1, eaxpopadretHookThread endpHookDbg procmov edi, edipush ebpmov ebp, esppush ebxpush esimov esi, KiAttachProcessRetAddrjmp esiHookDbg endpDbg procpushad;头5字节跳转mov eax, offset HookDbgsub eax, KiAttachProcessA

27、ddr;805c13e0h;805c13edhsub eax, 5mov ebx, KiAttachProcessAddr;805c13e0h;805c13edhmov cl, 0E9hmov BYTE PTR ebx, clmov DWORD PTR ebx + 1, eaxpopadretDbg endp;还原自己的HookDriverUnload proc pDriverObject:PDRIVER_OBJECTclimov eax, cr0and eax, not 10000hmov cr0, eax;还原进程处理mov eax, 0ffc875ffhmov ebx, 805cc656

28、hmov DWORD ptr ebx, eaxmov eax, 43e8dc75hmov DWORD ptr ebx + 4, eax;还原线程处理mov eax, 0ffcc75ffhmov ebx, 805cc8d8hmov DWORD ptr ebx, eaxmov eax, 0c1e8e075hmov DWORD ptr ebx + 4, eax;还原调试处理mov eax, 08b55ff8bhmov ebx, 804f9a08hmov DWORD ptr ebx, eaxmov eax, 08b5653echmov DWORD ptr ebx + 4, eaxmov eax, cr

29、0or eax, 10000hmov cr0, eaxstiret DriverUnload endp;显示LinkTable的信息ShowLinkTableInfo proc ptrLTpushadinvoke DbgPrint, $CTA0("nThe LinkTable Info:n"mov ebx, ptrLTmov eax, (LinkTable ptr ebx.ThreadHandleinvoke DbgPrint, $CTA0("ThreadHandle:%0Xn", eaxmov ebx, ptrLTmov eax, (LinkTable

30、 ptr ebx.Dr0Seginvoke DbgPrint, $CTA0("Dr0Seg:%0Xn", eaxmov ebx, ptrLTmov eax, (LinkTable ptr ebx.Dr1Seginvoke DbgPrint, $CTA0("Dr1Seg:%0Xn", eaxmov ebx, ptrLTmov eax, (LinkTable ptr ebx.Dr2Seginvoke DbgPrint, $CTA0("Dr2Seg:%0Xn", eaxmov ebx, ptrLTmov eax, (LinkTable pt

31、r ebx.Dr3Seginvoke DbgPrint, $CTA0("Dr3Seg:%0Xn", eaxmov ebx, ptrLTmov eax, (LinkTable ptr ebx.Dr6Seginvoke DbgPrint, $CTA0("Dr6Seg:%0Xn", eaxmov ebx, ptrLTmov eax, (LinkTable ptr ebx.Dr7Seginvoke DbgPrint, $CTA0("Dr7Seg:%0Xn", eaxmov ebx, ptrLTmov eax, (LinkTable ptr e

32、bx.LinkPtrinvoke DbgPrint, $CTA0("LinkPtr:%0Xn", eaxmov ebx, ptrLTmov eax, (LinkTable ptr ebx.NextLinkPtrinvoke DbgPrint, $CTA0("NextLinkPtr:%0Xn", eaxpopadretShowLinkTableInfo endp ;判断该线程是否存在;如果不存在则返回0，存在则返回指向该链表的指针，1代表链表为空ExsitsLinkTable proc pHandlepushadmov eax, threadCxtLink

33、.if !eax ;链表为空pushadinvoke DbgPrint, $CTA0("nLinkTable Is Null.n"popad popadmov eax, 1ret.endif:mov ebx, (LinkTable ptr eax.ThreadHandlecmp ebx, pHandle ;如果匹配已经存在je Fmov eax, (LinkTable ptr eax.NextLinkPtr.if !eax ;已经到达末尾，没有找到匹配pushadinvoke DbgPrint, $CTA0("pHandle Is Not Found.n"

34、;popadpopadxor eax, eaxret.endifjmp B:pushadinvoke DbgPrint, $CTA0("npHandle Is Exsits.n"popadinvoke ShowLinkTableInfo, eax;返回链表指针mov tmpLink, eaxpopadmov eax, tmpLinkretExsitsLinkTable endp;拷贝Context到LinkTable中CopyContextToLinkTable proc ptrContext, ptrLTpushadmov ebx, ptrContextmov edx,

35、ptrLTmov ecx, 4:mov eax, DWORD ptr ebx + ecxmov DWORD ptr edx + ecx, eaxadd ecx, 4cmp ecx, 18hjbe BpopadretCopyContextToLinkTable endp;添加LinkTable表AddLinkTable proc pHandle, ptrContextpushadinvoke ExsitsLinkTable, pHandle.if eax > 1;已经存在只需要更新dr寄存器即可invoke CopyContextToLinkTable, eax, ptrContext.e

36、lsepush eaxinvoke ExAllocatePool, 1, size LinkTable.if eax;申请内存成功mov ebx, eaxpop eax;置地一个元素mov ecx, pHandlemov (LinkTable ptr ebx.ThreadHandle, ecx;拷贝dr寄存器的值invoke CopyContextToLinkTable, ptrContext, ebx;置另外两个元素mov (LinkTable ptr ebx.LinkPtr, ebxmov (LinkTable ptr ebx.NextLinkPtr, 0invoke ShowLinkTa

37、bleInfo, ebx;把新的链表项添加到链表中.if eax = 1;如果链表为空，直接加在表头mov threadCxtLink, ebx.else;如果链表不为空则加到末尾mov eax, threadCxtLink:;指向下一个元素mov ecx, (LinkTable ptr eax.NextLinkPtrtest ecx, ecxje Fmov eax, ecxjmp B:mov (LinkTable ptr eax.NextLinkPtr, ebx.endif.else;申请内存失败pop eaxpushadinvoke DbgPrint, $CTA0("nAlloc

38、 Memory Faild.n"popadjmp F.endif.endif:popadretAddLinkTable endp;判断进程是否过虑进程;如果是需要过虑的进程返回值为1，否则返回0IsFilterProcess procpushad;获取当前进程名invoke PsGetCurrentProcessmov ebx, eaxadd ebx, nameOffsetinvoke DbgPrint, $CTA0("n%s: Call NtGetContextThread n", ebxinvoke strncmp, $CTA0("DNF.exe&q

39、uot;, ebx, 7test eax, eaxjne Fpopadmov eax, 1ret:popadxor eax, eaxretIsFilterProcess endp;显示Context的调试寄存器ShowDrRegInfo proc ptrContextpushadinvoke DbgPrint, $CTA0("nThe Context Info:n"mov ebx, ptrContextmov eax, DWORD ptr ebx + 4invoke DbgPrint, $CTA0("Dr0:%0Xn", eaxmov ebx, ptrC

40、ontextmov eax, DWORD ptr ebx + 8invoke DbgPrint, $CTA0("Dr1:%0Xn", eaxmov ebx, ptrContextmov eax, DWORD ptr ebx + 0chinvoke DbgPrint, $CTA0("Dr2:%0Xn", eaxmov ebx, ptrContextmov eax, DWORD ptr ebx + 10hinvoke DbgPrint, $CTA0("Dr3:%0Xn", eaxmov ebx, ptrContextmov eax, DW

41、ORD ptr ebx + 14hinvoke DbgPrint, $CTA0("Dr6:%0Xn", eaxmov ebx, ptrContextmov eax, DWORD ptr ebx + 18hinvoke DbgPrint, $CTA0("Dr7:%0Xn", eaxpopadretShowDrRegInfo endp;恢复被隐藏的dr寄存器RecoveryDrReg proc ptrContext, pHandlepushad;定位到LinkTablemov ebx, threadCxtLinkNEXT:test ebx, ebxjne F

42、 ;如果没有遍历完popadret:mov eax, (LinkTable ptr ebx.ThreadHandlecmp eax, pHandleje F ;如果找到匹配项mov ebx, (LinkTable ptr ebx.NextLinkPtrjmp NEXT:;拷贝完毕后立即结束invoke CopyContextToLinkTable, ebx, ptrContextxor ebx, ebxjmp NEXTRecoveryDrReg endp;清空Context的dr寄存器ClearDrReg proc ptrContextpushadmov ebx, ptrContextmov ecx, 4:mov DWORD ptr ebx + ecx, 0add ecx, 4cmp ecx, 18hjbe B