Resource preview (free preview of an 18-page document; the listing below stops where the preview ends)

Resource description
Since I don't use C much, most of this is written in assembly; in a few places assembly was inconvenient, so there I used C. Since this is only for learning, I did not compute the kernel addresses; they are all hardcoded. Getting past DNF's protection comes down to three main steps. Maybe my approach isn't quite right, but in any case OD can attach, debug and set breakpoints. The program isn't polished; since it is only a test, I generally didn't write the code to restore the kernel after modifying it, but that doesn't stop it from working.

Step 1 (the bare minimum): you must be able to open the game's process and threads, and not be detected after having opened them.
Step 2: be able to read and write the process's memory.
Step 3: be able to attach OD to the game process.
Step 4: be able to set hardware breakpoints without being detected.

Code that skips over the hooks on the heads of NtReadVirtualMemory and NtWriteVirtualMemory:

#include <ntddk.h>

typedef struct _SERVICE_DESCRIPTOR_TABLE {
    PVOID  ServiceTableBase;
    PULONG ServiceCounterTableBase;
    ULONG  NumberOfService;
    ULONG  ParamTableBase;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
// only the first table of KeServiceDescriptorTable is used here, so keep it simple
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;  // exported by ntoskrnl

VOID Hook();
VOID Unhook();
VOID OnUnload(IN PDRIVER_OBJECT DriverObject);

ULONG JmpAddress;           // address inside NtReadVirtualMemory to jump to
ULONG JmpAddress1;          // address inside NtWriteVirtualMemory to jump to
ULONG OldServiceAddress;    // original NtReadVirtualMemory service address
ULONG OldServiceAddress1;   // original NtWriteVirtualMemory service address

__declspec(naked) NTSTATUS __stdcall MyNtReadVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesRead)
{
    // re-execute the first two instructions of NtReadVirtualMemory ourselves,
    // then jump past them
    __asm
    {
        push 0x1c
        push 804eb560h   // these two pushes are 7 bytes in total (6A 1C / 68 imm32)
        jmp JmpAddress
    }
}

__declspec(naked) NTSTATUS __stdcall MyNtWriteVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten)
{
    // same trick for NtWriteVirtualMemory
    __asm
    {
        push 0x1c
        push 804eb560h   // 7 bytes in total
        jmp JmpAddress1
    }
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    DriverObject->DriverUnload = OnUnload;
    DbgPrint("Unhooker load\n");
    Hook();
    return STATUS_SUCCESS;
}

VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    DbgPrint("Unhooker unload!\n");
    Unhook();
}

VOID Hook()
{
    ULONG Address, Address1;
    Address  = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0xBA * 4;   // 0xBA  = NtReadVirtualMemory service index (XP)
    Address1 = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x115 * 4;  // 0x115 = NtWriteVirtualMemory service index (XP)
    DbgPrint("Address:0x%08X\n", Address);
    OldServiceAddress  = *(ULONG*)Address;    // save the original NtReadVirtualMemory entry
    OldServiceAddress1 = *(ULONG*)Address1;   // save the original NtWriteVirtualMemory entry
    DbgPrint("OldServiceAddress:0x%08X\n", OldServiceAddress);
    DbgPrint("OldServiceAddress1:0x%08X\n", OldServiceAddress1);
    DbgPrint("MyNtReadVirtualMemory:0x%08X\n", MyNtReadVirtualMemory);
    DbgPrint("MyNtWriteVirtualMemory:0x%08X\n", MyNtWriteVirtualMemory);
    // jump 7 bytes into the function head, just past the two pushes we
    // re-execute ourselves; any JMP written over those bytes never runs.
    // Both function addresses are hardcoded (see the note above).
    JmpAddress  = (ULONG)0x805b528a + 7;   // 0x805b528a = NtReadVirtualMemory
    JmpAddress1 = (ULONG)0x805b5394 + 7;   // 0x805b5394 = NtWriteVirtualMemory
    DbgPrint("JmpAddress:0x%08X\n", JmpAddress);
    DbgPrint("JmpAddress1:0x%08X\n", JmpAddress1);
    __asm   // clear CR0.WP so the SSDT page can be written
    {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }
    *(ULONG*)Address  = (ULONG)MyNtReadVirtualMemory;    // hook the SSDT
    *(ULONG*)Address1 = (ULONG)MyNtWriteVirtualMemory;
    __asm   // restore write protection
    {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }
}

VOID Unhook()
{
    ULONG Address, Address1;
    Address  = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0xBA * 4;   // locate the SSDT entries again
    Address1 = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x115 * 4;
    __asm
    {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }
    *(ULONG*)Address  = (ULONG)OldServiceAddress;    // restore the SSDT
    *(ULONG*)Address1 = (ULONG)OldServiceAddress1;
    __asm
    {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }
    DbgPrint("Unhook\n");
}

Because the protection keeps zeroing DebugPort, the debug-related kernel functions have to be modified so that every place that accesses DebugPort accesses the ExitTime bytes of EPROCESS instead. That way, however it zeroes DebugPort, it has no effect, and the debugger can't be detected either. Code:

.386
.model flat, stdcall
option casemap:none
include dnf_hook.inc

.const
; hardcoded addresses (this kernel build) of the instructions in the
; debug-related routines that touch DebugPort; each site is overwritten
; with 8 bytes by ModifyFuncAboutDbg
Dspdo_1  equ 80643db6h
Dmpp_1   equ 80642d5eh
Dmpp_2   equ 80642d64h
Dct_1    equ 806445d3h
Dqm_1    equ 80643089h
Kde_1    equ 804ff5fdh
Dfe_1    equ 80644340h
Pcp_1    equ 805d1a0dh
Mcp_1    equ 805b0c06h
Mcp_2    equ 805b0d7fh
Dmvos_1  equ 8064497fh
Dumvos_1 equ 80644a45h
Pet_1    equ 805d32f8h
Det_1    equ 8064486ch
Dep_1    equ 806448e6h

.code
; restore our own hooks (left empty; this was only a test)
DriverUnload proc pDriverObject:PDRIVER_OBJECT
    ret
DriverUnload endp

; write two DWORDs (8 bytes) over the instruction at addrOdFunc
ModifyFuncAboutDbg proc addrOdFunc, cmd_1, cmd_2
    pushad
    mov ebx, addrOdFunc
    mov eax, cmd_1
    mov DWORD ptr [ebx], eax
    mov eax, cmd_2
    mov DWORD ptr [ebx + 4], eax
    popad
    ret
ModifyFuncAboutDbg endp

DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    ; clear CR0.WP before patching kernel code
    cli
    mov eax, cr0
    and eax, not 10000h
    mov cr0, eax

(The listing is cut off here; the rest of the document lies outside the free preview.)
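The driver's trampoline hardcodes both the instructions it re-executes and the resume offset (+7). As an added example, not code from the original post, here is a small user-mode C program that does the same job by decoding the prologue bytes: it computes the skip length on instruction boundaries (so the resume point never lands mid-instruction), builds the equivalent trampoline stub with a relative jump back into the function, and detects a jmp rel32 inline hook written over the head. The sample bytes are constructed from the push 1Ch / push 804EB560h the driver re-executes and the address 0x805B528A it hardcodes; the call rel32 that follows the pushes, the hook's target and the stub address 0xF8A00000 are made up.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Length of the instruction at p for the small x86 subset found in the NT
   prologues discussed above; *ip_relative is set for call/jmp rel32, which
   cannot be copied into a trampoline unchanged. Returns 0 if unknown. */
static size_t insn_len(const uint8_t *p, int *ip_relative)
{
    *ip_relative = 0;
    switch (p[0]) {
    case 0x6A: return 2;                                      /* push imm8  */
    case 0x68: return 5;                                      /* push imm32 */
    case 0x55: return 1;                                      /* push ebp   */
    case 0x8B: return (p[1] == 0xFF || p[1] == 0xEC) ? 2 : 0; /* mov edi,edi / mov ebp,esp */
    case 0xE8: case 0xE9: *ip_relative = 1; return 5;         /* call/jmp rel32 */
    default:   return 0;
    }
}

/* Number of prologue bytes a trampoline must re-execute so that it resumes
   past the hook_len bytes an inline hook overwrites (5 for jmp rel32).
   Returns 0 if the head is not decodable or contains an IP-relative insn. */
size_t trampoline_skip(const uint8_t *head, size_t hook_len)
{
    size_t off = 0;
    while (off < hook_len) {
        int rel;
        size_t n = insn_len(head + off, &rel);
        if (n == 0 || rel) return 0;
        off += n;
    }
    return off;
}

/* Absolute target of the jmp/call rel32 at p, given p's own address. */
uint32_t rel32_target(const uint8_t *p, uint32_t p_va)
{
    int32_t rel;
    memcpy(&rel, p + 1, 4);
    return p_va + 5 + (uint32_t)rel;
}

/* Build a trampoline stub: the copied prologue followed by jmp rel32 back to
   func_va + skip (what the driver's push/push/jmp does by hand). stub_va is
   where the stub will live; the jump is relative to it. Returns the stub
   length, 0 on failure. */
size_t build_trampoline(const uint8_t *clean_head, uint32_t func_va,
                        uint32_t stub_va, uint8_t *out, size_t out_cap)
{
    size_t skip = trampoline_skip(clean_head, 5);
    int32_t rel;
    if (skip == 0 || skip + 5 > out_cap) return 0;
    memcpy(out, clean_head, skip);
    out[skip] = 0xE9;
    rel = (int32_t)((func_va + skip) - (stub_va + skip + 5));
    memcpy(out + skip + 1, &rel, 4);
    return skip + 5;
}

/* Does the live function head start with jmp rel32, i.e. has the protection
   inline-hooked it? If so, report where the hook diverts to. */
int inline_hook_target(const uint8_t *live_head, uint32_t func_va, uint32_t *target)
{
    if (live_head[0] != 0xE9) return 0;
    *target = rel32_target(live_head, func_va);
    return 1;
}

/* Constructed sample bytes: the driver re-executes "push 1Ch ; push 804EB560h",
   i.e. it assumes NtReadVirtualMemory begins 6A 1C 68 60 B5 4E 80 and then
   calls _SEH_prolog (E8 rel32; the rel32 bytes here are made up). */
#define NT_READ_VM_VA 0x805B528Au   /* the address the driver hardcodes */
static const uint8_t clean_head[12] = {
    0x6A, 0x1C, 0x68, 0x60, 0xB5, 0x4E, 0x80, 0xE8, 0x11, 0x22, 0x33, 0x44 };
/* The same head after a 5-byte jmp rel32 was written over it (target made up). */
static const uint8_t hooked_head[12] = {
    0xE9, 0x71, 0x01, 0x00, 0x00, 0x4E, 0x80, 0xE8, 0x11, 0x22, 0x33, 0x44 };

int main(void)
{
    uint8_t stub[32];
    uint32_t target;
    size_t n = build_trampoline(clean_head, NT_READ_VM_VA, 0xF8A00000u, stub, sizeof stub);
    printf("skip %zu bytes, stub is %zu bytes, resumes at 0x%08X\n",
           trampoline_skip(clean_head, 5), n, rel32_target(stub + 7, 0xF8A00000u + 7));
    if (inline_hook_target(hooked_head, NT_READ_VM_VA, &target))
        printf("head is inline-hooked, diverts to 0x%08X\n", target);
    return 0;
}
```

The skip comes out at 7 for this prologue, matching the driver's +7; the clean bytes have to come from somewhere the protection has not touched (the on-disk ntoskrnl or a copy saved before the game starts), because decoding the live, already-hooked head yields the jmp itself and trampoline_skip refuses it.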
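For the DebugPort redirection described above, the preview shows ModifyFuncAboutDbg writing two DWORDs per site but not how cmd_1 and cmd_2 are obtained. An added example of my own, not the post's code: one way to derive them is to rewrite the disp32 of each [reg+disp32] access from the DebugPort offset to the ExitTime offset, which keeps the instruction the same length so nothing after it moves. The EPROCESS offsets 0xBC (DebugPort) and 0x78 (ExitTime) are my assumption for 32-bit Windows XP, the opcode set is a heuristic for the forms such accesses usually take, and the sample instruction bytes are hand-assembled rather than taken from any kernel.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ASSUMED 32-bit Windows XP EPROCESS offsets (not given in the post). */
#define EPROCESS_DEBUGPORT 0xBCu
#define EPROCESS_EXITTIME  0x78u

/* One-byte opcodes followed by a ModR/M byte that commonly carry an EPROCESS
   field access in the debug-related routines:
   8B mov r32,r/m32   89 mov r/m32,r32   39 cmp r/m32,r32   3B cmp r32,r/m32
   83 grp1 r/m32,imm8 (cmp/add/...)      FF grp5 r/m32 (push/call/jmp)
   C7 mov r/m32,imm32 */
static int is_modrm_opcode(uint8_t op)
{
    return op == 0x8B || op == 0x89 || op == 0x39 || op == 0x3B ||
           op == 0x83 || op == 0xFF || op == 0xC7;
}

/* Scan an 8-byte window (the two DWORDs ModifyFuncAboutDbg writes) for
   <opcode> <ModR/M: mod=10, rm!=100> <disp32>, i.e. [reg+disp32] with no SIB,
   whose disp32 is DebugPort, and rewrite the displacement to ExitTime in place.
   Returns the offset of the rewritten disp32, or -1 if there is none. */
int redirect_debugport(uint8_t win[8])
{
    size_t i;
    for (i = 0; i + 6 <= 8; i++) {   /* opcode at i, ModR/M at i+1, disp32 at i+2..i+5 */
        uint8_t modrm = win[i + 1];
        uint32_t disp;
        if (!is_modrm_opcode(win[i])) continue;
        if ((modrm & 0xC0) != 0x80 || (modrm & 0x07) == 0x04) continue;
        memcpy(&disp, win + i + 2, 4);
        if (disp != EPROCESS_DEBUGPORT) continue;
        disp = EPROCESS_EXITTIME;
        memcpy(win + i + 2, &disp, 4);
        return (int)(i + 2);
    }
    return -1;
}

/* Derive the cmd_1/cmd_2 pair for one patch site from its original bytes.
   Returns 0 (and writes nothing) if the window holds no DebugPort access. */
int make_patch(const uint8_t orig[8], uint32_t *cmd_1, uint32_t *cmd_2)
{
    uint8_t win[8];
    memcpy(win, orig, 8);
    if (redirect_debugport(win) < 0) return 0;
    memcpy(cmd_1, win, 4);        /* little-endian, as "mov dword ptr [ebx],eax" stores it */
    memcpy(cmd_2, win + 4, 4);
    return 1;
}

/* Constructed samples (hand-assembled, not bytes from a real kernel):
   cmp dword ptr [ebx+0BCh],0 ; nop        DebugPort test, patchable
   push esi ; mov ecx,[eax+0BCh] ; nop     access not at the window start
   mov eax,[esi+0C0h] ; test eax,eax       ExceptionPort, must be left alone */
static const uint8_t site_cmp[8]  = { 0x83, 0xBB, 0xBC, 0x00, 0x00, 0x00, 0x00, 0x90 };
static const uint8_t site_mov[8]  = { 0x56, 0x8B, 0x88, 0xBC, 0x00, 0x00, 0x00, 0x90 };
static const uint8_t site_excp[8] = { 0x8B, 0x86, 0xC0, 0x00, 0x00, 0x00, 0x85, 0xC0 };

int main(void)
{
    uint32_t c1, c2;
    if (make_patch(site_cmp, &c1, &c2))
        printf("cmp site: cmd_1=%08X cmd_2=%08X\n", c1, c2);
    if (make_patch(site_mov, &c1, &c2))
        printf("mov site: cmd_1=%08X cmd_2=%08X\n", c1, c2);
    printf("ExceptionPort site patched: %s\n", make_patch(site_excp, &c1, &c2) ? "yes" : "no");
    return 0;
}
```

Confirm every site in a disassembler before writing it: the scan only recognises the listed opcode forms, so an access that uses a SIB byte, a disp8, or a two-byte opcode is silently skipped, and a displacement that merely happens to equal 0xBC inside some other instruction would be corrupted.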