Anti-cheat protection systems of three Korean online games
The three Korean online-game anti-cheat protection systems nProtect GameGuard (NP), HackShield (HS) and X-Trap use the drivers dump_wmimmc.sys (NP), EagleNT.sys (HS) and XDva219.sys (X-Trap) respectively.
What they do at ring 0:
1. X-Trap, version 2571 (other versions differ slightly):

9 SSDT hooks (all installed by C:\WINDOWS\system32\XDva219.sys):
Index  Function                Args  Original addr  Current addr  Hooked
0x42   NtDeviceIoControlFile   10    0x8057a24a     0xb6488bec    Yes
0x7a   NtOpenProcess           4     0x805cc408     0xb648fd78    Yes
0x7d   NtOpenSection           3     0x805ab3d2     0xb6488486    Yes
0x89   NtProtectVirtualMemory  5     0x805b93e6     0xb648fc40    Yes
0xba   NtReadVirtualMemory     5     0x805b528a     0xb648fa5a    Yes
0xfe   NtSuspendThread         2     0x805d58bc     0xb648f858    Yes
0x101  NtTerminateProcess      2     0x805d39aa     0xb648fab4    Yes
0x112  NtWriteFile             9     0x8057def2     0xb648f9e0    Yes
0x115  NtWriteVirtualMemory    5     0x805b5394     0xb648a248    Yes

5 Shadow SSDT hooks (all installed by C:\WINDOWS\system32\XDva219.sys):
Index  Function                Args  Original addr  Current addr  Hooked
0xbf   NtGdiGetPixel           3     0xbf8633a7     0xb648f7cc    Yes
0x1db  NtUserPostMessage       4     0xbf808934     0xb648f4da    Yes
0x1f6  NtUserSendInput         3     0xbf8c3127     0xb648f638    Yes
0x225  NtUserSetWindowsHookEx  6     0xbf852727     0xb648a0f8    Yes
0x239  NtUserTranslateMessage  2     0xbf848947     0xb648f304    Yes

1 IDT hook (some versions hook int 1 and int 3):
Vector  Handler (selector:offset)  Module                           CPU  Type
0x1     0008:b648e672              C:\WINDOWS\system32\XDva219.sys  P0   i486 interrupt gate
2. HackShield (the version used by 仙剑OL / Chinese Paladin Online):

1 Shadow SSDT hook:
Index  Function         Args  Original addr  Current addr  Module                                   Hooked
0x1f6  NtUserSendInput  3     0xbf8c3127     0xb230de60    C:\WINDOWS\system32\drivers\EagleNT.sys  Yes

6 inline hooks (all patched by C:\WINDOWS\system32\drivers\EagleNT.sys):
Address     Symbol                            Len  Original instruction  Current instruction
0x804f9a21  nt!KeUnstackDetachProcess + 0x33d  5    call 804f9580         call b230b650
0x8057a26f  nt!NtDeviceIoControlFile + 0x25    5    call 80581232         call b230b8e0
0x805b5291  nt!NtReadVirtualMemory + 0x7       5    call 8053cb90         call b230be10
0x805b539b  nt!NtWriteVirtualMemory + 0x7      5    call 8053cb90         call b230bf60
0x805bd510  nt!NtClose + 0x18                  5    call 805bd356         call b230ba00
0x805cc412  nt!NtOpenProcess + 0xa             5    call 8053cb90         call b230bbb0

Some versions also have an IDT hook.
3. nProtect GameGuard, latest version 1254:

1 Shadow SSDT hook:
Index  Function           Args  Original addr  Current addr  Module                                                                  Hooked
0x1db  NtUserPostMessage  4     0xbf808934     0xb532fba0    I:\Program Files\盛大网络\永恒之塔\AION\bin32\GameGuard\dump_wmimmc.sys  Yes

12 inline hooks (all patched by I:\Program Files\盛大网络\永恒之塔\AION\bin32\GameGuard\dump_wmimmc.sys):
Address     Symbol                                Len  Original instruction  Current instruction
0x804f9580  nt!KeReleaseInterruptSpinLock + 0x3e  5    mov edi, edi ...      jmp b5331ad0
0x804f9a08  nt!KeUnstackDetachProcess + 0x324     5    mov edi, edi ...      jmp b53319c0
0x804f9b32  nt!KeAttachProcess                    5    mov edi, edi ...      jmp b53317a0
0x804f9c32  nt!KeStackAttachProcess               5    mov edi, edi ...      jmp b5331640
0x8057a24a  nt!NtDeviceIoControlFile              5    mov edi, edi ...      jmp b532f180
0x8057def2  nt!NtWriteFile                        5    push 64 ...           jmp b532f540
0x805ab3d2  nt!NtOpenSection                      5    push 18 ...           jmp b532f241
0x805b528a  nt!NtReadVirtualMemory                5    push 1c ...           jmp b532e9e3
0x805b5394  nt!NtWriteVirtualMemory               5    push 1c ...           jmp b532ebb4
0x805b93e6  nt!NtProtectVirtualMemory             5    push 44 ...           jmp b532ed76
0x805cc408  nt!NtOpenProcess                      5    push 000000c4         jmp b532e7e2
0xbf8c3127  win32k!NtUserSendInput                5    push 18 ...           jmp b532f5b4
nProtect GameGuard uses DKOM to hide its process; relinking the unlinked entries is entirely possible. My goal is to break HS.
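As an added example (not code from the original post or from any of the three vendors), here is the range check a hook scanner applies to rows like the ones above: decode the 5-byte jmp/call written at a patch site and test whether its target, or an SSDT slot, still lies inside the image that owns it. The ntoskrnl/win32k image ranges and the sample bytes are constructed assumptions for a 32-bit Windows XP kernel, not values taken from the post.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the original post: the range checks a hook scanner
 * applies to rows like the ones above. Image ranges are ASSUMED placeholders for a
 * 32-bit Windows XP kernel, not values taken from the post. */
typedef struct { const char *name; uint32_t base, end; } module_range_t;
static const module_range_t NTOSKRNL = { "ntoskrnl.exe", 0x804d7000u, 0x806cf000u }; /* assumed */
static const module_range_t WIN32K   = { "win32k.sys",   0xbf800000u, 0xbf9c0000u }; /* assumed */

enum hook_state { HOOK_CLEAN = 0, HOOK_FOREIGN_TARGET = 1 };
static int in_module(uint32_t a, const module_range_t *m) { return a >= m->base && a < m->end; }

/* SSDT / Shadow SSDT check: a slot pointing outside the owning image is hooked. */
enum hook_state check_table_entry(uint32_t current, const module_range_t *owner)
{
    return in_module(current, owner) ? HOOK_CLEAN : HOOK_FOREIGN_TARGET;
}

/* Decode an E8 (call rel32) or E9 (jmp rel32) at insn_addr; 0 if neither opcode. */
uint32_t decode_rel32_target(uint32_t insn_addr, const uint8_t bytes[5])
{
    if (bytes[0] != 0xE8 && bytes[0] != 0xE9) return 0;
    uint32_t rel = (uint32_t)bytes[1] | ((uint32_t)bytes[2] << 8) |
                   ((uint32_t)bytes[3] << 16) | ((uint32_t)bytes[4] << 24);
    return insn_addr + 5u + rel;   /* unsigned wrap reproduces the CPU's mod 2^32 add */
}

/* Inline-hook check for a 5-byte patch site: a jmp/call whose target leaves the owning
 * image is flagged; "mov edi,edi", "push imm32" or an in-image call stays clean. */
enum hook_state check_patch_site(uint32_t insn_addr, const uint8_t bytes[5],
                                 const module_range_t *owner)
{
    uint32_t target = decode_rel32_target(insn_addr, bytes);
    if (target == 0) return HOOK_CLEAN;
    return in_module(target, owner) ? HOOK_CLEAN : HOOK_FOREIGN_TARGET;
}

int main(void)
{
    /* Constructed bytes for the nt!NtOpenProcess row (0x805cc408): the original
     * "push 000000c4" prologue and the patched "jmp b532e7e2" (E9 + rel32). */
    const uint8_t orig[5]   = { 0x68, 0xC4, 0x00, 0x00, 0x00 };
    const uint8_t hooked[5] = { 0xE9, 0xD5, 0x23, 0xD6, 0x34 };
    printf("original: %s\n", check_patch_site(0x805cc408u, orig, &NTOSKRNL) ? "hooked" : "clean");
    printf("patched:  %s, target %08x\n",
           check_patch_site(0x805cc408u, hooked, &NTOSKRNL) ? "hooked" : "clean",
           decode_rel32_target(0x805cc408u, hooked));
    return 0;
}
```

The same decoder covers the HackShield rows, where an existing `call rel32` keeps its opcode and only the displacement is rewritten, so the target rather than the opcode is what gives the patch away.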
··· 劲舞团 (Audition) seems to use HS as well.