Game / WeChat account-protection-mode disabling software

Account security comes first: how to protect your game account
  It is mid-autumn, a season that should be one of celebrating the harvest, yet the world of Moonlight Blade (天刀) is far from calm. Beyond the storm brewing ahead of the upcoming 剑荡八荒 season, with heroes from every quarter warming up in hopes of making a name for themselves, some lawless scoundrels are also using this pre-battle gathering, when the crowds are thickest, to launch another round of scams and theft tricks, causing losses to young heroes who are new to the game and “inexperienced in the ways of the world”. The most malicious of these methods is account theft: hard-earned savings and equipment vanish overnight, and only those it happens to know what that feels like. So in this guide the editor walks you through the despicable methods account thieves use. As the saying goes, know yourself and know your enemy and you will never be defeated; we have not yet finished rooting out the remnants of the Azure Dragon Society, so how could we let ourselves be beaten first by this kind of riffraff who shun the light?
  1: Unsafe network environments
  Many players like to game in internet cafés; the lively atmosphere adds to the excitement, especially when you sit side by side with a few friends, chatting while you charge across the battlefield or clear story dungeons. It really is a pleasure. But many account thieves have also spotted this habit and load viruses and trojans onto the machines in internet cafés and other public venues. These viruses and trojans can collect every keystroke entered and every image stored while the computer is running, a serious threat to players' online security. Moreover, for reasons of performance and software conflicts, internet cafés often install no antivirus program at all and rely only on simple reboot-to-restore software to fend off any viruses or trojans that may be present; worse still, there have been repeated cases of trojans spread at the instruction of the café operator. So how should we as players respond? Admittedly, the one permanent fix is to avoid internet cafés and similar public venues as far as possible, but that is rather passive. Before answering this question, let us first look at what other account-theft methods exist.
  2: The urge to grab a bargain
  Beyond the basic security of the environment the game runs in, we must also stay alert in-game to the endless stream of scams, which frequently lead to account details being leaked and accounts being stolen. Generally speaking, most scams share one core method: exploiting the victim's urge to grab a bargain. The most typical example is an alt account shouting in world chat that it will pay so-and-so many 点券 (premium currency) just to be carried through a low-level dungeon, even paying up front. If the editor were a “naive” player with a bit of strength, how could such a price not be tempting? It is ten-odd times the going rate for carrying a dungeon, and with payment first; the shouting alt looks like a rich player full of sincerity. In reality, any slightly experienced player who sees a shout like this can only smirk: who do they take for a fool? The usual trick is for the scammer to claim the 点券 top-up will be sent straight to your e-mail, ask for the victim's e-mail address, and then send that mailbox a message disguised as a top-up site that in fact harvests credentials or carries a virus. If greed or curiosity drives the victim to open it and log in to that site, the login details are fed back to the thief in various ways, and he has effortlessly obtained this critical information; downloading the attachment in the e-mail likewise releases the virus or trojan hidden inside and threatens the safety of the computer. Countering this kind of scam is very simple: ignore those “tempting” shouted lures, and above all never accept suspicious e-mails or files sent by strangers.
  3: “Gift” packs of every description
  As everyone knows, many games hand out all kinds of gift packs as event rewards and to cater to players' tastes. Although the contents are often of little value, players collect them tirelessly on the principle that something is better than nothing. In Moonlight Blade, scammers make full use of this widespread “gift-collecting” instinct: they invent a very appealing name for a gift pack and advertise it loudly in chat channels, while every one of the sites these “gift packs” point to is a phishing site. A phishing site, as the name suggests, is usually one that impersonates the official website in order to steal the account name, password and other private information the user submits. Its address is typically very similar to the official one, sometimes differing by a single letter, so it is very easy to fall into the trap without looking closely. These sites ask users to enter their account and password and even highly sensitive security details such as security question answers and one-time codes, while at the other end the thief is very likely already prepared to log in to the game: as soon as the user logs in, all of the data is relayed to the thief in real time. Besides memorising the official site and carefully distinguishing fake addresses, what we can do is simply not trust any so-called “gift pack” from an unofficial channel, however generous the advertised rewards.
  4: Made-up stories and gang operations
  There is also a “classic” scam that has circulated for a long time. The flow resembles the ones above, but the method is more covert and it is usually run by a gang, with several scammers taking turns to set the trap, making it very hard to guard against. Typically it offers to sell some scarce resource, such as inner skills or outfits, at a price slightly below market, or “in bulk, plenty for everyone”. If you show interest in trading, they find all sorts of excuses to avoid trading in-game: “my master/friend/partner/guildmate etc. is offline, add his/her/its YY or QQ number”, and so on, shifting the battlefield to chat tools outside the game. If you do as they say and add those YY or QQ numbers, a possibly very “grand” “performance” begins: first perhaps all kinds of chat to win your favour and trust, or several people in lively discussion to lower your guard. Only when you try to steer the conversation back to the main purpose, the trade, do they suddenly “remember” and send you a file, claiming they cannot take a screenshot and asking you to download the file to confirm the item is correct. Have no doubt about these files: every single one is a virus or trojan. The way to counter this scam is to stick to the principle of “game matters get settled in the game” and avoid falling into the trap.
  Those are the three direct causes that most readily lead to account theft. It is easy to see that these scoundrels have all sorts of “high-tech” methods, and players who do not know computers well may feel that dealing with viruses and trojans is a struggle. Don't panic! The editor here introduces two “anti-theft tools” that can crush all three of the above risk factors!
  The first “tool” is Tencent PC Manager, a compact security program packed with practical functions. Not only does it have a constantly updated virus database to block all kinds of computer viruses and clear hidden trojans, its built-in junk cleanup, PC acceleration and system repair features also keep your machine free of malware interference while making it run more smoothly, and it even accelerates QQ's various games!
  The other “tool” making its grand entrance is the QQ Security Center app, a handheld “tool” with all kinds of magical functions. Scanning a QR code lets you log in to the game directly without typing your account name and password, leaving keylogging trojans nothing to capture, while dynamic-password login uses a constantly changing one-time code as the verification factor; unlike the traditional matrix-card security verification, it keeps account thieves a thousand miles away far more effectively! The Security Center also records every account login trace and alerts you promptly to suspicious logins, and from your phone you can block logins with one tap and forcibly kick the online game character offline, minimising the loss from a theft. The Security Center also supports the third generation of account security verification, “face scanning”, so even if your phone is lost the Security Center remains an iron wall and will not leak your account information!
  That concludes this issue's account-security knowledge. If you have other questions about game security, you are welcome to join the inn's QQ group and discuss them with us. Protecting your own account security not only safeguards your own interests, it also strikes at the ever more brazen scoundrels, and above all it is for the friends you have come to know in the game; after all, the world of the game exists because of you! Protecting accounts is everyone's responsibility.
Zhuanzhuan Game Secure Login Tool (转转游戏安全上号器) download | Zhuanzhuan Game Login Tool official edition download v1.11.1 _ 乐游网 software download
Zhuanzhuan Game Login Tool (转转游戏上号器) official edition v1.11.1 (game account trading platform)
Zhuanzhuan Game Secure Login Tool download: a secure intermediary site for game account trading and the only free game trading platform on the whole web. Here you can say goodbye to middlemen and to unsafe account trading; there are no paid items and no deductions, so your interests are protected. As a login tool, it lets the other party log in to your account without needing your password.
Software size: 4.8M
Software introduction: The Zhuanzhuan Game Secure Login Tool is an account-rental tool developed by Zhuanzhuan Game. It is safe and reliable: users can only log in to a rented account through the login tool. It is secure and efficient, blocks cheats, and professional customer service is on hand to solve your problems. If you need it, download it and give it a try!
Q&A: How to join the automatic-delivery zone
1. List an account-rental item
2. Enter the correct account name and password
3. Turn off the token; the login tool protects the account, safe and worry-free
4. Listing successful, enjoy automatic account delivery
FAQ
1. What if nothing happens for a long time after clicking Start Game? For PUBG (绝地求生), open Steam manually; for other games, open Wegame manually.
2. What if the login tool does not work properly? Promptly send a screenshot of the problem to Zhuanzhuan Game's official customer service; if customer service cannot help you log in to the game, you may request a refund.
3. How do I contact Zhuanzhuan customer service? The only current customer-service entry is the “Contact customer service” button at the lower right of the login tool.
4. Why does it stop when it reaches the password input box? Do not move the mouse or use the keyboard while the login tool is logging in, otherwise the process is aborted.
How to use
1. After paying successfully on the Zhuanzhuan rental platform, you receive a message
2. View the unlock code
3. Enter the unlock code in the login tool and you can log in and play
Editor's comment: Secure account trading that protects your interests and also protects your account security; avoid clicking unsafe links during trades.
Bulk game-account registration software (essential tool for running helpers) 1.0 free edition
Notes on the bulk game alt-account registration software: it registers 20 alts in 1 hour and roughly 70 alts after 5 hours. This helper must not be run at the same time as CF.
Many players today need alt accounts to help them in games, but registering them purely by hand is very time-consuming. Better to choose the bulk game-account registration software, which lets you register game accounts quickly and even lets the newly registered alts log straight into the game!
How to use the bulk game-account registration software:
1. Obtain the address
2. Click register account
3. Then log in to the game immediately
Four features of the bulk game-account registration software:
1. Some people find registering accounts a real hassle; with this tool it is done in 2 to 3 steps!
2. Anti-addiction is enabled automatically
3. Phone numbers are ignored
4. Unlimited registrations
1 Netizen “Guest” posted on:
Fake
[Original] Game protection giveaway: HS
I make no guarantee that this method still works! Blue screens and crashes have nothing to do with me.
AhnLab hooks roughly the same key sensitive functions as TP. As for which ones are hooked, use a tool and check for yourself.
Straight to the code!
#include "struct.h"
#include "4BOD.h"
//////////////////////////////////////////////////////////////////////////
ULONG Pass_NtProcess();
VOID UnDetour_NtProcess();
ULONG Pass_NtWriteVirtualMemory();
VOID UnDetour_NtWriteVirtualMemory();
ULONG Pass_NtReadVirtualMemory();
VOID UnDetour_NtReadVirtualMemory();
ULONG Pass_KiAttachProcess();
VOID UnDetour_KiAttachProcess();
ULONG Pass_NtQueryInformationProcess();
VOID UnDetour_NtQueryInformationProcess();
ULONG Pass_PsSuspendThread();
VOID UnDetour_PsSuspendThread();
ULONG Pass_NtSetContextThread();
VOID UnDetour_NtSetContextThread();
ULONG Pass_NtGetContextThread();
VOID UnDetour_NtGetContextThread();
void Init_fun();
ULONG SearchMutex();
ULONG Pass_debugport();
ULONG FindProcess();
//////////////////////////////////////////////////////////////////////////
ULONG KeStackAttachProcess_A
ULONG __stdcall IsNPCalled(HANDLE ProcessHandle);
char g_pFindOrigCode[8];
ULONG KiSystemService_hack_
PULONG pSSDTK
PSERVICE_DESCRIPTOR_TABLE_SHADOW _KeServiceDescriptorT
PSERVICE_DESCRIPTOR_TABLE_SHADOW ShadowT
unsigned long SSDT_reentry_address,SSDTDW_reentry_
void __declspec(naked) my_function_detour_KiFastCallEntry()
edi,KeServiceDescriptorTable
[SSDTDW_reentry_address]
edi,KeServiceDescriptorTable
[SSDT_reentry_address]
UCHAR findcode[]={0x83,0xf9,0x10,0x75};
VOID FindHackAddr()
ULONG i=0;
PUCHAR strS
mov ecx,0x176
mov uSysenter,eax
// get the KiFastCallEntry address
strSysenter=(PUCHAR)uS
for (i=0;i&0x100;i++)
findcode[0]==strSysenter[i] &&
findcode[1]==strSysenter[i+1] &&
findcode[2]==strSysenter[i+2] &&
findcode[3]==strSysenter[i+3] )
KiSystemService_hack_address=uSysenter+i;
ULONG HookSysCall()
unsigned char newcode[] = { 0xE9, 0x44, 0x33, 0x22, 0x11};
char *actual_
int i = 0;
FindHackAddr();
if (KiSystemService_hack_address==0)
dprintf("find hack address error!\n");
mov ecx,0x176
mov uSysenter,eax
// get the KiFastCallEntry address
KiSystemService_hack_address=uSysenter+0
actual_function =(char*) KiSystemService_hack_
SSDT_reentry_address = KiSystemService_hack_address+0x20;
SSDTDW_reentry_address = KiSystemService_hack_address+0x5;
*( (unsigned long *)(&newcode[1]) ) = (ULONG)my_function_detour_KiFastCallEntry-KiSystemService_hack_address-5;
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i & 5;i++)
g_pFindOrigCode[i] = actual_function[i];
actual_function[i] = newcode[i];
KeLowerIrql(oldIrql);
void RestoreSSDT()
char *actual_function = (char *)(KiSystemService_hack_address);
KeRaiseIrql( DISPATCH_LEVEL,&oldIrql );
for(i=0;i & 5;i++)
actual_function[i] = g_pFindOrigCode[i];
KeLowerIrql( oldIrql );
ExFreePool(pSSDTKernel);
unsigned long AddMyServiceTable()
ULONG nSDTKerCallL
eax,KeServiceDescriptorTable
_KeServiceDescriptorTable,eax
ShadowTable,eax
nSDTKerCallLen = _KeServiceDescriptorTable-&ntoskrnl.NumberOfS
pSSDTKernel = (PULONG)ExAllocatePool( NonPagedPool, nSDTKerCallLen*sizeof(ULONG) );
if(!pSSDTKernel)
DbgPrint("AddMyServiceTable alloc fail\n");
memset( (PVOID)pSSDTKernel, 0, nSDTKerCallLen*sizeof(ULONG));
// fill in the new SSDT
RtlCopyMemory( (PVOID)pSSDTKernel,(PVOID)_KeServiceDescriptorTable-&ntoskrnl.ServiceTableBase,nSDTKerCallLen*sizeof(ULONG) );
RtlCopyMemory( (PVOID)&_KeServiceDescriptorTable-&NotUse1,
(PVOID)&_KeServiceDescriptorTable-&ntoskrnl,sizeof(SERVICE_DESCRIPTOR_TABLE) );
RtlCopyMemory( (PVOID)&ShadowTable-&NotUse1,(PVOID)&ShadowTable-&ntoskrnl,sizeof(SERVICE_DESCRIPTOR_TABLE)*2);
RtlCopyMemory((PVOID)&_KeServiceDescriptorTable-&NotUse1.ServiceTableBase, &pSSDTKernel, sizeof(ULONG));
RtlCopyMemory((PVOID)&ShadowTable-&NotUse1.ServiceTableBase, &pSSDTKernel, sizeof(ULONG));
void RePlaceSSDT()
if (AddMyServiceTable())
HookSysCall();
//////////////////////////////////////////////////////////////////////////
DriverEntry(
PDRIVER_OBJECT pDriverObj,
PUNICODE_STRING pRegistryString
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING ustrLinkN
UNICODE_STRING ustrDevN
PDEVICE_OBJECT pDevO
dprintf("[4BOD] DriverEntry\n");
pDriverObj-&MajorFunction[IRP_MJ_CREATE] = DispatchC
pDriverObj-&MajorFunction[IRP_MJ_CLOSE] = DispatchC
pDriverObj-&MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchI
pDriverObj-&DriverUnload = DriverU
RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
status = IoCreateDevice(pDriverObj,
&ustrDevName,
FILE_DEVICE_UNKNOWN,
&pDevObj);
if(!NT_SUCCESS(status)) {
dprintf("[4BOD] IoCreateDevice = 0x%x\n", status);
RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
if(!NT_SUCCESS(status)) {
dprintf("[4BOD] IoCreateSymbolicLink = 0x%x\n", status);
IoDeleteDevice(pDevObj);
Init_fun();
RePlaceSSDT();
// FindProcess();
// SearchMutex();
// Pass_debugport();
Pass_NtProcess();
Pass_KiAttachProcess();
Pass_NtReadVirtualMemory();
Pass_NtWriteVirtualMemory();
Pass_NtQueryInformationProcess();
Pass_PsSuspendThread();
Pass_NtSetContextThread();
Pass_NtGetContextThread();
return STATUS_SUCCESS;
DriverUnload(
PDRIVER_OBJECT pDriverObj
UNICODE_STRING strL
LARGE_INTEGER D
RtlInitUnicodeString(&strLink, LINK_NAME);
UnDetour_NtGetContextThread();
UnDetour_NtSetContextThread();
UnDetour_PsSuspendThread();
UnDetour_NtQueryInformationProcess();
UnDetour_NtWriteVirtualMemory();
UnDetour_NtReadVirtualMemory();
UnDetour_KiAttachProcess();
UnDetour_NtProcess();
RestoreSSDT();
Delay.QuadPart = -5000000;
KeDelayExecutionThread(KernelMode, TRUE, &Delay);
IoDeleteSymbolicLink(&strLink);
IoDeleteDevice(pDriverObj-&DeviceObject);
dprintf("[4BOD] Unloaded\n");
DispatchCreate(
PDEVICE_OBJECT pDevObj,
pIrp-&IoStatus.Status = STATUS_SUCCESS;
pIrp-&IoStatus.Information = 0;
dprintf("[4BOD] IRP_MJ_CREATE\n");
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
DispatchClose(
PDEVICE_OBJECT pDevObj,
pIrp-&IoStatus.Status = STATUS_SUCCESS;
pIrp-&IoStatus.Information = 0;
dprintf("[4BOD] IRP_MJ_CLOSE\n");
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
DispatchIoctl(
PDEVICE_OBJECT pDevObj,
NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
PIO_STACK_LOCATION pIrpS
ULONG uIoControlC
PVOID pIoB
ULONG uInS
ULONG uOutS
pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
uIoControlCode = pIrpStack-&Parameters.DeviceIoControl.IoControlC
pIoBuffer = pIrp-&AssociatedIrp.SystemB
uInSize = pIrpStack-&Parameters.DeviceIoControl.InputBufferL
uOutSize = pIrpStack-&Parameters.DeviceIoControl.OutputBufferL
switch(uIoControlCode) {
case IOCTL_HELLO: {
dprintf("[4BOD] Hello\n");
status = STATUS_SUCCESS;
// add execution code here
if(status == STATUS_SUCCESS)
pIrp-&IoStatus.Information = uOutS
pIrp-&IoStatus.Information = 0;
/////////////////////////////////////
pIrp-&IoStatus.Status =
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
//////////////////////////////////////////////////////////////////////////
// returns -1: access denied
// returns 0 : go through the NP hook
// returns 1 : bypass the NP hook
////////////////////////////////////////////////////////////////////////////
ULONG __stdcall IsNPCalled(HANDLE ProcessHandle)
pEProcess=0;
proname=0;
if (!_stricmp("DNF.exe",GetProcessNameFromEProc(0)))
if (!ProcessHandle)
status = ObReferenceObjectByHandle(ProcessHandle,PROCESS_ALL_ACCESS,NULL,0,&pEProcess,NULL);
if(!NT_SUCCESS(status))
DbgPrint("ObReferenceObjectByHandle fail! %08x \n",status);
ObDereferenceObject(pEProcess);
proname=GetProcessNameFromEProc(pEProcess);
if (!_stricmp("OllyDBG.EXE",proname))
DbgPrint("ollydbg!!!!!!!!! \n");
return -1;
if (!_stricmp("Shadow.exe",proname))
return -1;
if (!_stricmp("taskmgr.exe",proname))
return -1;
else if (!_stricmp("OllyDBG.EXE",GetProcessNameFromEProc(0)))
else if (!_stricmp("Shadow.exe",GetProcessNameFromEProc(0)))
else if (!_stricmp("taskmgr.exe",GetProcessNameFromEProc(0)))
//////////////////////////////////////////////////////////////////////////
ULONG __stdcall IsNPCalled_EP(PEPROCESS EProcess)
pEProcess=0;
proname=0;
if (!_stricmp("DNF.exe",GetProcessNameFromEProc(0)))
if (!EProcess)
proname=GetProcessNameFromEProc(EProcess);
if (!_stricmp("OllyDBG.EXE",proname))
DbgPrint("ollydbg!!!!!!!!! epepepepep\n");
return -1;
if (!_stricmp("Shadow.exe",proname))
return -1;
if (!_stricmp("taskmgr.exe",proname))
return -1;
else if (!_stricmp("OllyDBG.EXE",GetProcessNameFromEProc(0)))
else if (!_stricmp("Shadow.exe",GetProcessNameFromEProc(0)))
else if (!_stricmp("taskmgr.exe",GetProcessNameFromEProc(0)))
//////////////////////////////////////////////////////////////////////////
ULONG old_KiMoveApcS
ULONG Init_KiMoveApcState()
old_KiMoveApcState=KeStackAttachProcess_Addr-0x6b2;
VOID __declspec(naked) _KiMoveApcState (
__in PKAPC_STATE Source,
__out PKAPC_STATE Destination
[old_KiMoveApcState]
//////////////////////////////////////////////////////////////////////////
ULONG __stdcall fack(PEPROCESS Pep)
if (!_stricmp("DNF.exe",GetProcessNameFromEProc(0)))
if (!_stricmp("ollydbg.exe",GetProcessNameFromEProc(Pep)))
DbgPrint("dnf kiattachprocess ollydbg!!!\n");
__except(1)
DbgPrint("fack error!!\n");
unsigned long KiAttachProcess_reentry_
void __declspec(naked) my_function_detour_KiAttachProcess()
word ptr [edi+0x60]
ebx,[esi+0x34]
_KiMoveApcState
[KiAttachProcess_reentry_address]
//////////////////////////////////////////////////////////////////////////
char KiAttachProcess_g_oricode[8];
ULONG Pass_KiAttachProcess()
char *actual_
KIRQL oldI
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
actual_function = (char *)(KeStackAttachProcess_Addr-0x219);
KiAttachProcess_reentry_address = (KeStackAttachProcess_Addr-0x20c);
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_KiAttachP
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i & 7;i++)
KiAttachProcess_g_oricode[i] = actual_function[i];
actual_function[i] = newcode[i];
KeLowerIrql(oldIrql);
VOID UnDetour_KiAttachProcess()
char *actual_function = (char *)(KeStackAttachProcess_Addr-0x219);
KIRQL oldI
int i = 0;
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i & 7;i++)
actual_function[i] = KiAttachProcess_g_oricode[i];
KeLowerIrql(oldIrql);
//////////////////////////////////////////////////////////////////////////
ULONG OldNtReadVirtualMemoryA
ULONG reentryadd_NtReadVirtualM
__declspec(naked) NTSTATUS NewNtReadVirtualMemory()
push [esp+4]
call IsNPCalled
NtReadVirtualMemory_ENT1
push 0x804daef0
eax, 0x8053cbe0
[reentryadd_NtReadVirtualMemory]
NtReadVirtualMemory_ENT1:
NtReadVirtualMemory_ENT2
[OldNtReadVirtualMemoryAdd]
NtReadVirtualMemory_ENT2:
//////////////////////////////////////////////////////////////////////////NtReadVirtualMemory
ULONG Pass_NtReadVirtualMemory()
KIRQL oldI
Address=0;
Address = (ULONG)_KeServiceDescriptorTable-&NotUse1.ServiceTableBase + 0xBA * 4;
// get the service address of NtReadVirtualMemory
(ULONG)OldNtReadVirtualMemoryAdd = *(ULONG*)A
// save this address
reentryadd_NtReadVirtualMemory=OldNtReadVirtualMemoryAdd+0
oldIrql = KeRaiseIrqlToDpcLevel();
*((ULONG*)Address) = (ULONG)NewNtReadVirtualM //HOOK SSDT
KeLowerIrql(oldIrql);
// anti-patch, used to restore at the end
VOID UnDetour_NtReadVirtualMemory()
KIRQL oldI
Address=0;
Address = (ULONG)_KeServiceDescriptorTable-&NotUse1.ServiceTableBase + 0xBA * 4;
oldIrql = KeRaiseIrqlToDpcLevel();
*((ULONG*)Address) = (ULONG)OldNtReadVirtualMemoryA //HOOK SSDT
KeLowerIrql(oldIrql);
ULONG reentryadd_NtWriteVirtualM
ULONG OldNtWriteVirtualMemoryA
__declspec(naked) NTSTATUS NewNtWriteVirtualMemory()
push [esp+4]
call IsNPCalled
NtWriteVirtualMemory_ENT1
push 0x804daf08
eax, 0x8053cbe0
[reentryadd_NtWriteVirtualMemory]
NtWriteVirtualMemory_ENT1:
NtWriteVirtualMemory_ENT2
[OldNtWriteVirtualMemoryAdd]
NtWriteVirtualMemory_ENT2:
//////////////////////////////////////////////////////////////////////////
ULONG Pass_NtWriteVirtualMemory()
KIRQL oldI
Address=0;
Address = (ULONG)_KeServiceDescriptorTable-&NotUse1.ServiceTableBase + 0x115 * 4;
(ULONG)OldNtWriteVirtualMemoryAdd = *(ULONG*)A
reentryadd_NtWriteVirtualMemory=OldNtWriteVirtualMemoryAdd+0
oldIrql = KeRaiseIrqlToDpcLevel();
*((ULONG*)Address) = (ULONG)NewNtWriteVirtualM //HOOK SSDT
KeLowerIrql(oldIrql);
VOID UnDetour_NtWriteVirtualMemory()
KIRQL oldI
Address=0;
Address = (ULONG)_KeServiceDescriptorTable-&NotUse1.ServiceTableBase + 0x115 * 4;
oldIrql = KeRaiseIrqlToDpcLevel();
*((ULONG*)Address) = (ULONG)OldNtWriteVirtualMemoryA //HOOK SSDT
KeLowerIrql(oldIrql);
//////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////NtOpenProcess
ULONG OldNtProcessA
ULONG reentryadd_NtWriteVirtualM
_NtOpenProcess (
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
KPROCESSOR_MODE PreviousM
NTSTATUS S
PEPROCESS P
PETHREAD T
CLIENT_ID CapturedCid={0};
BOOLEAN ObjectNameP
BOOLEAN ClientIdP
ACCESS_STATE AccessS
AUX_ACCESS_DATA AuxD
LUID SeDebugPrivilege = {0};
POBJECT_TYPE _PsProcessT
PsLookupProcessByProcessId(ClientId-&UniqueProcess,&tempeprocess);
if (!_stricmp("DNF.exe",GetProcessNameFromEProc(0)))
// ERROR_INVALID_PARAMETER
DbgPrint("dnf threadid %d KTHREAD %08x want openprocess %s\n",
PsGetCurrentThreadId(),PsGetCurrentThread(),GetProcessNameFromEProc(tempeprocess));
if (!_stricmp("OllyDBG.EXE",GetProcessNameFromEProc(tempeprocess)) )
return STATUS_INVALID_PARAMETER;
if (!_stricmp("DNF.exe",GetProcessNameFromEProc(tempeprocess)) )
// return STATUS_INVALID_PARAMETER;
if (!_stricmp("taskmgr.exe",GetProcessNameFromEProc(tempeprocess)) )
return STATUS_INVALID_PARAMETER;
__except (EXCEPTION_EXECUTE_HANDLER)
DbgPrint("GetExceptionCode %08x",GetExceptionCode());
// return GetExceptionCode();
return NtOpenProcess(ProcessHandle,DesiredAccess,ObjectAttributes, ClientId);
// DbgPrint("%s want openprocess %s\n",GetProcessNameFromEProc(0),GetProcessNameFromEProc(tempeprocess));
(ULONG)_PsProcessType=*(ULONG*)PsProcessT
PreviousMode = KeGetPreviousMode();
SeDebugPrivilege =RtlConvertLongToLuid(SE_DEBUG_PRIVILEGE);
if (PreviousMode != KernelMode) {
ProbeForWriteHandle (ProcessHandle);
ProbeForReadSmallStructure (ObjectAttributes,
sizeof(OBJECT_ATTRIBUTES),
sizeof(ULONG));
ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT (ObjectAttributes-&ObjectName);
Attributes = ObSanitizeHandleAttributes (ObjectAttributes-&Attributes, UserMode);
if (ARGUMENT_PRESENT (ClientId)) {
ProbeForReadSmallStructure (ClientId, sizeof (CLIENT_ID), sizeof (ULONG));
CapturedCid = *ClientId;
ClientIdPresent = TRUE;
ClientIdPresent = FALSE;
__except (EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode();
ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT (ObjectAttributes-&ObjectName);
Attributes = ObSanitizeHandleAttributes (ObjectAttributes-&Attributes, KernelMode);
if (ARGUMENT_PRESENT (ClientId)) {
CapturedCid = *ClientId;
ClientIdPresent = TRUE;
ClientIdPresent = FALSE;
if (ObjectNamePresent && ClientIdPresent) {
return STATUS_INVALID_PARAMETER_MIX;
Status = SeCreateAccessState(
&AccessState,
DesiredAccess,
&_PsProcessType-&TypeInfo.GenericMapping
if ( !NT_SUCCESS(Status) ) {
if (SeSinglePrivilegeCheck( SeDebugPrivilege, PreviousMode )) {
if ( AccessState.RemainingDesiredAccess & MAXIMUM_ALLOWED ) {
AccessState.PreviouslyGrantedAccess |= PROCESS_ALL_ACCESS;
AccessState.PreviouslyGrantedAccess |= ( AccessState.RemainingDesiredAccess );
AccessState.RemainingDesiredAccess = 0;
if (ObjectNamePresent) {
Status = ObOpenObjectByName(
ObjectAttributes,
_PsProcessType,
PreviousMode,
&AccessState,
SeDeleteAccessState( &AccessState );
if ( NT_SUCCESS(Status) ) {
*ProcessHandle = H
__except (EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode ();
if ( ClientIdPresent ) {
Thread = NULL;
if (CapturedCid.UniqueThread) {
Status = PsLookupProcessThreadByCid(
&CapturedCid,
if (!NT_SUCCESS(Status)) {
SeDeleteAccessState( &AccessState );
Status = PsLookupProcessByProcessId(
CapturedCid.UniqueProcess,
if ( !NT_SUCCESS(Status) ) {
SeDeleteAccessState( &AccessState );
// OpenObjectByAddress
Status = ObOpenObjectByPointer(
Attributes,
&AccessState,
_PsProcessType,
PreviousMode,
SeDeleteAccessState( &AccessState );
if (Thread) {
ObDereferenceObject(Thread);
ObDereferenceObject(Process);
if (NT_SUCCESS (Status)) {
*ProcessHandle = H
__except (EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode ();
return STATUS_INVALID_PARAMETER_MIX;
ULONG Pass_NtProcess()
KIRQL oldI
Address=0;
Address = (ULONG)_KeServiceDescriptorTable-&NotUse1.ServiceTableBase +
OldNtProcessAdd = *(ULONG*)A
oldIrql = KeRaiseIrqlToDpcLevel();
*((ULONG*)Address) = (ULONG)_NtOpenP //HOOK SSDT
KeLowerIrql(oldIrql);
VOID UnDetour_NtProcess()
KIRQL oldI
Address=0;
Address = (ULONG)_KeServiceDescriptorTable-&NotUse1.ServiceTableBase +
oldIrql = KeRaiseIrqlToDpcLevel();
*((ULONG*)Address) = OldNtProcessA //HOOK SSDT
KeLowerIrql(oldIrql);
//////////////////////////////////////////////////////////////////////////
void Init_fun()
KeStackAttachProcess_Addr=GetFunctionAddr(L"KeStackAttachProcess");
Init_KiMoveApcState();
//////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////
#define SYSTEMSERVICE(Index)
*(PULONG)((ULONG)_KeServiceDescriptorTable-&NotUse1.ServiceTableBase+ Index*4);
ULONG DbgkForwardExceptionAddr
ULONG KiDispatchExceptionAddr
ULONG DbgkpQueueMessageAddr
ULONG SearchMutex()
ULONG NtResumeThreadAddr
ULONG NtRaiseExceptionAddr
ULONG KiRaiseExceptionAddr
ULONG DbgkpSendApiMessageAddr
ULONG DbgkpProcessDebugPortMutex
ULONG PsResumeThreadAddr
NtResumeThreadAddr = SYSTEMSERVICE(206);
DbgPrint("NtResumeThreadAddr : %X\n", NtResumeThreadAddr);
for(i = NtResumeThreadA i & NtResumeThreadAddr + 0x7C; i++)
dwKey = *(PDWORD)i;
if (MmIsAddressValid(&dwKey))
if (dwKey == 0xE8E475FF)
dwKey = i + 4;
PsResumeThreadAddr = i + *(ULONG*)dwKey + 8;
DbgPrint("PsResumeThreadAddr : %X\n", PsResumeThreadAddr);
NtRaiseExceptionAddr = SYSTEMSERVICE(181);
DbgPrint("NtRaiseExceptionAddr : %X\n", NtRaiseExceptionAddr);
for(i = NtRaiseExceptionA i & NtRaiseExceptionAddr + 0x30; i++)
dwKey = *(PDWORD)i;
if (MmIsAddressValid(&dwKey))
if (dwKey == 0xE8505100)
dwKey = i + 4;
KiRaiseExceptionAddr = i + *(ULONG*)dwKey + 8;
DbgPrint("KiRaiseExceptionAddr : %X\n", KiRaiseExceptionAddr);
if (KiRaiseExceptionAddr & 0x)
for(i = KiRaiseExceptionA i & KiRaiseExceptionAddr + 0x197; i++)
dwKey = *(PDWORD)i;
if (MmIsAddressValid(&dwKey))
if (dwKey == 0xE853FFFF)
dwKey = i + 4;
KiDispatchExceptionAddr = i + *(ULONG*)dwKey + 8;
DbgPrint("KiDispatchExceptionAddr : %X\n", KiDispatchExceptionAddr);
if (KiDispatchExceptionAddr & 0x)
for(i = KiDispatchExceptionA i & KiDispatchExceptionAddr + 0x397; i++)
dwKey = *(PDWORD)i;
if (MmIsAddressValid(&dwKey))
if (dwKey == 0xE8565701)
dwKey = i + 4;
DbgkForwardExceptionAddr = i + *(ULONG*)dwKey + 8;
DbgPrint("DbgkForwardExceptionAddr : %X\n", DbgkForwardExceptionAddr);
if (DbgkForwardExceptionAddr & 0x)
for(i = DbgkForwardExceptionA i & DbgkForwardExceptionAddr + 0x8A; i++)
dwKey = *(PDWORD)i;
if (MmIsAddressValid(&dwKey))
if (dwKey == 0xE8508845)
dwKey = i + 4;
DbgkpSendApiMessageAddr = i + *(ULONG*)dwKey + 8;
DbgPrint("DbgkpSendApiMessageAddr : %X\n", DbgkpSendApiMessageAddr);
if (DbgkpSendApiMessageAddr & 0x)
for(i = DbgkpSendApiMessageA i & DbgkpSendApiMessageAddr + 0x55; i++)
dwKey = *(PDWORD)i;
if (MmIsAddressValid(&dwKey))
if (dwKey == 0xE8515052)
dwKey = i + 4;
DbgkpQueueMessageAddr = i + *(ULONG*)dwKey + 8;
DbgPrint("DbgkpQueueMessageAddr : %X\n", DbgkpQueueMessageAddr);
if (DbgkpQueueMessageAddr & 0x)
for(i = DbgkpQueueMessageA i & DbgkpQueueMessageAddr + 0x16F; i++)
dwKey = *(PDWORD)i;
if (MmIsAddressValid(&dwKey))
if (dwKey == 0xB93075FC)
dwKey = i + 4;
DbgkpProcessDebugPortMutex = *(ULONG*)dwK
DbgPrint("DbgkpProcessDebugPortMutex : %X\n", DbgkpProcessDebugPortMutex);
return DbgkpProcessDebugPortM
//////////////////////////////////////////////////////////////////////////
ULONG Pass_debugport()
KIRQL oldI
timestr[]={0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90};
char* g_KiDispatchException=(char*)(KiDispatchExceptionAddr+0x187);
char* g_PspCreateProcess=(char*)(KiDispatchExceptionAddr+0xD2599);
char* g_DbgkForwardException=(char*)(DbgkForwardExceptionAddr+0x3e);
char* g_DbgkpQueueMessage=(char*)(DbgkpQueueMessageAddr+0x7B);
char* g_DbgkCreateThread=(char*)(KiDispatchExceptionAddr+0x14515F);
char* g_DbgkExitThread=(char*)(KiDispatchExceptionAddr+0x1453F8);
char* g_DbgkMapViewOfSection=(char*)(KiDispatchExceptionAddr+0x14550B);
char* g_DbgkExitProcess=(char*)(KiDispatchExceptionAddr+0x145472);
char* g_DbgkUnMapViewOfSection=(char*)(KiDispatchExceptionAddr+0x1455D1);
char* g_PspExitThread=(char*)(KiDispatchExceptionAddr+0xD3E84);
char* g_DbgkpMarkProcessPeb=(char*)(KiDispatchExceptionAddr+0x1438EA);
char* g_MmCreatePeb=(char*)(KiDispatchExceptionAddr+0xB1907);
char* g_DbgkpSetProcessDebugObject=(char*)(KiDispatchExceptionAddr+0x144934);
char* g_DbgkpSetProcessDebugObject1=(char*)(KiDispatchExceptionAddr+0x144942);
char* g_DbgkpSetProcessDebugObject2=(char*)(KiDispatchExceptionAddr+0x14495C);
char* g_DbgkpSetProcessDebugObject3=(char*)(KiDispatchExceptionAddr+0x1449A6);
char* g_DbgkpSetProcessDebugObject4=(char*)(KiDispatchExceptionAddr+0x1449E8);
char* anti_DbgkExitThread=(char*)(KiDispatchExceptionAddr+0x1453F6);
char* anti_DbgkExitProcess=(char*)(KiDispatchExceptionAddr+0x145470);
char* anti_DbgkUnMapViewOfSection=(char*)(KiDispatchExceptionAddr+0x1455CF);
char* anti_DbgkMapViewOfSection=(char*)(KiDispatchExceptionAddr+0x145505);
char* anti_DbgkForwardException=(char*)(DbgkForwardExceptionAddr+0x38);
//nop create time
char* g_PspCreateProcess_time=(char*)(KiDispatchExceptionAddr+0xD2B15);
oldIrql = KeRaiseIrqlToDpcLevel();
memcpy(g_PspCreateProcess_time,timestr,9);
*(ULONG*)(&g_KiDispatchException[2])=0x70;
*(ULONG*)(&g_PspCreateProcess[2])=0x70;
*(ULONG*)(&g_DbgkForwardException[2])=0x70;
*(ULONG*)(&g_DbgkpQueueMessage[2])=0x70;
*(ULONG*)(&g_DbgkCreateThread[2])=0x70;
*(ULONG*)(&g_DbgkExitThread[2])=0x70;
*(ULONG*)(&g_DbgkMapViewOfSection[2])=0x70;
*(ULONG*)(&g_DbgkExitProcess[2])=0x70;
*(ULONG*)(&g_DbgkUnMapViewOfSection[2])=0x70;
*(ULONG*)(&g_PspExitThread[2])=0x70;
*(ULONG*)(&g_DbgkpMarkProcessPeb[2])=0x70;
*(ULONG*)(&g_MmCreatePeb[2])=0x70;
*(ULONG*)(&g_DbgkpSetProcessDebugObject[2])=0x70;
*(ULONG*)(&g_DbgkpSetProcessDebugObject1[2])=0x70;
*(ULONG*)(&g_DbgkpSetProcessDebugObject2[2])=0x70;
*(ULONG*)(&g_DbgkpSetProcessDebugObject3[2])=0x70;
*(ULONG*)(&g_DbgkpSetProcessDebugObject4[2])=0x70;
anti_DbgkExitThread[0]=0x90;
anti_DbgkExitThread[1]=0x90;
anti_DbgkExitProcess[0]=0x90;
anti_DbgkExitProcess[1]=0x90;
anti_DbgkUnMapViewOfSection[0]=0x90;
anti_DbgkUnMapViewOfSection[1]=0x90;
anti_DbgkMapViewOfSection[0]=0
anti_DbgkForwardException[0]=0
KeLowerIrql(oldIrql);
return STATUS_SUCCESS;
const int process_list_offset=0x88;
const int createtime_list_offset=0x70;
ULONG FindProcess()
ULONG cproc=0x;
ULONG TPID;
PLIST_ENTRY plist_active_
LARGE_INTEGER
temptime.QuadPart=0;
PsLookupProcessByProcessId((HANDLE)4,&tmpeprocess);
cproc=(ULONG)
if ((i&=1) && ((ULONG)tmpeprocess==cproc))
return 0x;
plist_active_procs=(LIST_ENTRY*)(cproc+process_list_offset);
cproc=(ULONG)plist_active_procs-&F
cproc=cproc-process_list_
*(LARGE_INTEGER*)(cproc+createtime_list_offset)=
//////////////////////////////////////////////////////////////////////////
typedef NTSTATUS (*NTQUERYINFORMATIONPROCESS)(
HANDLE ProcessHandle,
PROCESSINFOCLASS ProcessInformationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
NTQUERYINFORMATIONPROCESS OldNQueryInformationProcessA
typedef struct _PROCESS_DEBUG_PORT_INFO
HANDLE DebugP
} PROCESS_DEBUG_PORT_INFO;
//enum SYSTEM_INFORMATION_CLASS { SystemKernelDebuggerInformation = 35 };
//enum THREAD_INFO_CLASS { ThreadHideFromDebugger = 17 };
//enum PROCESS_INFO_CLASS { ProcessDebugPort = 7 };
NewNtQueryInformationProcess(
HANDLE ProcessHandle,
PROCESSINFOCLASS ProcessInformationClass,
PROCESS_DEBUG_PORT_INFO* ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
// PROCESS_DEBUG_PORT_INFO* tempPi;
if (!_stricmp("DNF.exe",GetProcessNameFromEProc(0)) ||
!_stricmp("AION.bin",GetProcessNameFromEProc(0)) ||
!_stricmp("GameMon.des",GetProcessNameFromEProc(0)))
if (ProcessInformationClass==7)
DbgPrint("%s NtQueryInformationProcess debugport!\n",GetProcessNameFromEProc(0));
ProcessInformation-&DebugPort=0;
// DbgPrint("%s NtQueryInformationProcess !\n",GetProcessNameFromEProc(0));
return OldNQueryInformationProcessAddr(ProcessHandle,ProcessInformationClass,ProcessInformation,ProcessInformationLength,ReturnLength);
ULONG Pass_NtQueryInformationProcess()
KIRQL oldI
Address=0;
Address = (ULONG)_KeServiceDescriptorTable-&NotUse1.ServiceTableBase + 154 * 4;
(ULONG)OldNQueryInformationProcessAddr = *(ULONG*)A
oldIrql = KeRaiseIrqlToDpcLevel();
*((ULONG*)Address) = (ULONG)NewNtQueryInformationP //HOOK SSDT
KeLowerIrql(oldIrql);
VOID UnDetour_NtQueryInformationProcess()
KIRQL oldI
Address=0;
Address = (ULONG)_KeServiceDescriptorTable-&NotUse1.ServiceTableBase + 154 * 4;
oldIrql = KeRaiseIrqlToDpcLevel();
*((ULONG*)Address) = (ULONG)OldNQueryInformationProcessA //HOOK SSDT
KeLowerIrql(oldIrql);
//////////////////////////////////////////////////////////////////////////
// NTSTATUS __declspec(naked) _PsSuspendThread(PETHREAD Thread, PULONG PreviousSuspendCount)
//////////////////////////////////////////////////////////////////////////
//unsigned long PsSuspendThread_reentry_
NTSTATUS __declspec(naked) _PsSuspendThread(PETHREAD Thread, PULONG PreviousSuspendCount)
    push 0x804db9e8
    esi,0x8053cbe0
    esi,pssuspendthreadaddr
//////////////////////////////////////////////////////////////////////////
NTSTATUS _NtSuspendThread(
    __in HANDLE ThreadHandle,
    __out_opt PULONG PreviousSuspendCount
    )
{
    PETHREAD Thread;
    ULONG LocalPreviousSuspendCount;
    KPROCESSOR_MODE Mode;
    POBJECT_TYPE TempType;
    NTSTATUS st;

    PAGED_CODE();

    Mode = KeGetPreviousMode ();
    if (Mode != KernelMode) {
        __try {
            if (ARGUMENT_PRESENT (PreviousSuspendCount)) {
                ProbeForWriteUlong (PreviousSuspendCount);
            }
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            return GetExceptionCode();
        }
    }

    // Read the thread object type through PsThreadType
    (ULONG)TempType=*(ULONG*)PsThreadType;
    st = ObReferenceObjectByHandle (ThreadHandle,
                                    THREAD_SUSPEND_RESUME,
                                    TempType,
                                    Mode,
                                    &Thread,
                                    NULL);
    if (!NT_SUCCESS (st)) {
        return st;
    }

    st = _PsSuspendThread (Thread, &LocalPreviousSuspendCount);
    ObDereferenceObject (Thread);

    if (ARGUMENT_PRESENT (PreviousSuspendCount)) {
        __try {
            *PreviousSuspendCount = LocalPreviousSuspendCount;
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            st = GetExceptionCode ();
        }
    }
    return st;
}
//////////////////////////////////////////////////////////////////////////
typedef NTSTATUS(*NTSUSPENDTHREAD)(
    __in HANDLE ThreadHandle,
    __out_opt PULONG PreviousSuspendCount
    );
NTSUSPENDTHREAD OldSuspendThreadAddr;

NTSTATUS MyNtSuspendThread(
    __in HANDLE ThreadHandle,
    __out_opt PULONG PreviousSuspendCount
    )
{
    // The game process itself keeps going through the original service;
    // every other caller is routed through the reimplementation above.
    if (!_stricmp("DNF.exe",GetProcessNameFromEProc(0)))
        return OldSuspendThreadAddr(ThreadHandle,PreviousSuspendCount);
    return _NtSuspendThread(ThreadHandle,PreviousSuspendCount);
}

ULONG Pass_PsSuspendThread()
{
    KIRQL oldIrql;
    ULONG Address=0;
    LONG temp=0;

    // SSDT index 254 = NtSuspendThread on the kernel build this was written for
    Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 254 * 4;
    (ULONG)OldSuspendThreadAddr = *(ULONG*)Address;
    // Resolve the PsSuspendThread target from the rel32 of the call at
    // NtSuspendThread+0x64 (hard-coded offset)
    temp=*(LONG*)((LONG)OldSuspendThreadAddr+0x65);
    pssuspendthreadaddr=(LONG)OldSuspendThreadAddr+0x64+temp+5;
    DbgPrint("pssuspendthreadaddr %08x\n",pssuspendthreadaddr);
    oldIrql = KeRaiseIrqlToDpcLevel();
    *((ULONG*)Address) = (ULONG)MyNtSuspendThread; //HOOK SSDT
    KeLowerIrql(oldIrql);
    return 0;
}

VOID UnDetour_PsSuspendThread()
{
    KIRQL oldIrql;
    ULONG Address=0;

    Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 254 * 4;
    oldIrql = KeRaiseIrqlToDpcLevel();
    *((ULONG*)Address) = (ULONG)OldSuspendThreadAddr; //restore SSDT entry
    KeLowerIrql(oldIrql);
}
//////////////////////////////////////////////////////////////////////////
NTSTATUS MyNtGetContextThread(
    __in HANDLE ThreadHandle,
    __inout PCONTEXT ThreadContext
    )
{
    KPROCESSOR_MODE Mode;
    NTSTATUS Status;
    PETHREAD Thread;
    PKTHREAD CurrentThread;
    POBJECT_TYPE TempType;

    PAGED_CODE();

    // Get previous mode and reference specified thread.
    CurrentThread = KeGetCurrentThread();
    Mode = *(CCHAR*)((ULONG)CurrentThread+0x140); // KTHREAD.PreviousMode, hard-coded offset
    (ULONG)TempType=*(ULONG*)PsThreadType;
    Status = ObReferenceObjectByHandle (ThreadHandle,
                                        THREAD_GET_CONTEXT,
                                        TempType,
                                        Mode,
                                        &Thread,
                                        NULL);

    // If the reference was successful, then check if the specified thread
    // is a system thread.
    if (NT_SUCCESS (Status)) {
        // If the thread is not a system thread, then attempt to get the
        // context of the thread.
        if (IS_SYSTEM_THREAD (Thread) == FALSE) {
            Status = PsGetContextThread (Thread, ThreadContext, Mode);
        } else {
            Status = STATUS_INVALID_HANDLE;
        }
        ObDereferenceObject (Thread);
    } else {
        DbgPrint("%s MyNtGetContextThread ObReferenceObjectByHandle error! ThreadHandle %08x\n",GetProcessNameFromEProc(0),ThreadHandle);
    }
    return Status;
}
//////////////////////////////////////////////////////////////////////////
NTSTATUS MyNtSetContextThread(
    __in HANDLE ThreadHandle,
    __in PCONTEXT ThreadContext
    )
{
    KPROCESSOR_MODE Mode;
    NTSTATUS Status;
    PETHREAD Thread;
    PKTHREAD CurrentThread;
    POBJECT_TYPE TempType;

    PAGED_CODE();

    // Get previous mode and reference specified thread.
    CurrentThread = KeGetCurrentThread ();
    Mode = *(CCHAR*)((ULONG)CurrentThread+0x140); // KTHREAD.PreviousMode, hard-coded offset
    (ULONG)TempType=*(ULONG*)PsThreadType;
    Status = ObReferenceObjectByHandle (ThreadHandle,
                                        THREAD_SET_CONTEXT,
                                        TempType,
                                        Mode,
                                        &Thread,
                                        NULL);

    // If the reference was successful, then check if the specified thread
    // is a system thread.
    if (NT_SUCCESS (Status)) {
        // If the thread is not a system thread, then attempt to set the
        // context of the thread.
        if (IS_SYSTEM_THREAD (Thread) == FALSE) {
            Status = PsSetContextThread (Thread, ThreadContext, Mode);
        } else {
            Status = STATUS_INVALID_HANDLE;
        }
        ObDereferenceObject (Thread);
    } else {
        DbgPrint("MyNtSetContextThread ObReferenceObjectByHandle error\n");
    }
    return Status;
}
//////////////////////////////////////////////////////////////////////////
typedef NTSTATUS (*NTSETCONTEXTTHREAD)(
    __in HANDLE ThreadHandle,
    __in PCONTEXT ThreadContext
    );
NTSETCONTEXTTHREAD OldNtSetContextThreadAddr;

NTSTATUS NewNtSetContextThread(
    __in HANDLE ThreadHandle,
    __in PCONTEXT ThreadContext
    )
{
    if (!_stricmp("DNF.exe",GetProcessNameFromEProc(0)))
        return OldNtSetContextThreadAddr(ThreadHandle,ThreadContext);
    // DbgPrint("dnf ThreadHandle: %d NtSetContextThread\n",ThreadHandle);
    // return 0;
    // return OldNtSetContextThreadAddr(ThreadHandle,ThreadContext);
    return MyNtSetContextThread(ThreadHandle,ThreadContext);
}

ULONG Pass_NtSetContextThread()
{
    KIRQL oldIrql;
    ULONG Address=0;

    // SSDT index 213 = NtSetContextThread on the kernel build this was written for
    Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 213 * 4;
    (ULONG)OldNtSetContextThreadAddr = *(ULONG*)Address;
    oldIrql = KeRaiseIrqlToDpcLevel();
    *((ULONG*)Address) = (ULONG)NewNtSetContextThread; //HOOK SSDT
    KeLowerIrql(oldIrql);
    return 0;
}

VOID UnDetour_NtSetContextThread()
{
    KIRQL oldIrql;
    ULONG Address=0;

    Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 213 * 4;
    oldIrql = KeRaiseIrqlToDpcLevel();
    *((ULONG*)Address) = (ULONG)OldNtSetContextThreadAddr; //restore SSDT entry
    KeLowerIrql(oldIrql);
}
//////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////
typedef NTSTATUS (*NTGETCONTEXTTHREAD)(
    __in HANDLE ThreadHandle,
    __inout PCONTEXT ThreadContext
    );
NTGETCONTEXTTHREAD OldNtGetContextThreadAddr;

NTSTATUS NewNtGetContextThread(
    __in HANDLE ThreadHandle,
    __inout PCONTEXT ThreadContext
    )
{
    NTSTATUS nTstatus=0;

    if (!_stricmp("DNF.exe",GetProcessNameFromEProc(0)) ||
        !_stricmp("AION.bin",GetProcessNameFromEProc(0)) ||
        !_stricmp("GameMon.des",GetProcessNameFromEProc(0)))
    {
        // -2 is the current-thread pseudo-handle: pass it straight through
        if (-2==(LONG)ThreadHandle)
            return OldNtGetContextThreadAddr(ThreadHandle,ThreadContext);
        DbgPrint("dnf ThreadHandle: %d NtGetContextThread\n",ThreadHandle);
        nTstatus=OldNtGetContextThreadAddr(ThreadHandle,ThreadContext);
        // Clear the hardware breakpoint address registers in the context
        // handed back to the game; Dr6/Dr7 are left as they are.
        ThreadContext->Dr0=0;
        ThreadContext->Dr1=0;
        ThreadContext->Dr2=0;
        ThreadContext->Dr3=0;
        // ThreadContext->Dr6=0;
        // ThreadContext->Dr7=0;
        DbgPrint("ThreadHandle:%d\nDr0=%08x\nDr1=%08x\nDr2=%08x\nDr3=%08x\n",ThreadHandle,
            ThreadContext->Dr0,ThreadContext->Dr1,ThreadContext->Dr2,ThreadContext->Dr3);
        // return OldNtGetContextThreadAddr(ThreadHandle,ThreadContext);
        return nTstatus;
    }
    return MyNtGetContextThread(ThreadHandle,ThreadContext);
}

ULONG Pass_NtGetContextThread()
{
    KIRQL oldIrql;
    ULONG Address=0;

    // SSDT index 85 = NtGetContextThread on the kernel build this was written for
    Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 85 * 4;
    (ULONG)OldNtGetContextThreadAddr = *(ULONG*)Address;
    oldIrql = KeRaiseIrqlToDpcLevel();
    *((ULONG*)Address) = (ULONG)NewNtGetContextThread; //HOOK SSDT
    KeLowerIrql(oldIrql);
    return 0;
}

VOID UnDetour_NtGetContextThread()
{
    KIRQL oldIrql;
    ULONG Address=0;

    Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 85 * 4;
    oldIrql = KeRaiseIrqlToDpcLevel();
    *((ULONG*)Address) = (ULONG)OldNtGetContextThreadAddr; //restore SSDT entry
    KeLowerIrql(oldIrql);
}
//////////////////////////////////////////////////////////////////////////
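An added consistency check from the defender's side (not part of the original post or its driver): the NtGetContextThread hook above zeroes Dr0-Dr3 in the context it hands back but leaves Dr6/Dr7 untouched, so an enable bit in Dr7 whose address register reads as zero is a detectable inconsistency. The DebugRegs struct is a constructed stand-in for the debug-register fields of the x86 CONTEXT so the check builds and runs outside Windows.

```c
/* Added example, not code from the original post. Checks a thread context
 * for hardware-breakpoint slots that are enabled in Dr7 yet carry a zero
 * address, which is what a consumer sees after the hook above has cleared
 * Dr0-Dr3 and left Dr7 alone. */
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the Dr0..Dr7 fields of the x86 CONTEXT struct. */
typedef struct {
    uint32_t Dr0, Dr1, Dr2, Dr3, Dr6, Dr7;
} DebugRegs;

/* Dr7 layout: bit 2*i is the local enable L(i) and bit 2*i+1 the global
 * enable G(i) for breakpoint slot i (0..3). Returns a bitmask of slots
 * that are enabled but whose address register is zero. */
unsigned suspicious_dr_slots(const DebugRegs *c) {
    const uint32_t addr[4] = { c->Dr0, c->Dr1, c->Dr2, c->Dr3 };
    unsigned flagged = 0;
    for (unsigned i = 0; i < 4; i++) {
        uint32_t enabled = (c->Dr7 >> (2 * i)) & 3u;  /* L(i) | G(i) */
        if (enabled && addr[i] == 0)
            flagged |= 1u << i;
    }
    return flagged;
}

/* Constructed sample: one execute breakpoint in slot 0 (L0 set; the R/W and
 * LEN fields for slot 0 are zero, i.e. execute, 1 byte). */
int main(void) {
    DebugRegs honest   = { 0x00401000u, 0, 0, 0, 0, 0x00000001u };
    DebugRegs tampered = honest;
    tampered.Dr0 = 0;  /* what the hook above returns for Dr0 */
    printf("honest slots=%x tampered slots=%x\n",
           suspicious_dr_slots(&honest), suspicious_dr_slots(&tampered));
    return 0;
}
```

On a real system the same function would be fed the Dr fields of the CONTEXT returned by GetThreadContext; it only catches the inconsistency this particular hook leaves behind, so it belongs beside other integrity checks rather than replacing them.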
Latest replies (23)
First post, heh,
Actually you could copy what 360 Safeguard does: patch the code inside nt!KiFastCallEntry and jump into your own driver,
Barging in, 123456
Grabbing a bench.... With a post like this it would be embarrassing not to leave a comment
Don't understand it, but still have to show support
Showing support....
The moderator is too modest.
Don't understand it; support.
Looks like the game protection will need an update. Hope it gets even more brutal and harder
Saving a front-row seat, getting my face known...
Learning... back row, near the front
Taking a spot, leaving my name, learning, thanks!
Not much gold in this code; the hard-coding is a real weakness~
From the SSDT handling to the DEBUGPORT handling I see nothing that stands out, very plain~
Besides, what's the point of releasing this kind of thing? It only draws more attention from the game companies.
It would be more meaningful to walk through the key points: explain what the protection does and how we defeat it. A single piece of low-quality code alone doesn't seem much use; it doesn't even have the currently popular reload kernel technique.
By the way, trying to find a job on the strength of this bit of code, I doubt you'd find a good one. Just my personal view~
Give us the analysis approach
The approach matters more; there are already plenty of long code-dump posts on the forum.
Can't see anything... just a screen full of code... no original analysis or explanation anywhere....
Not much to it...
Leaving my name for now, will look later
How come there's nothing about NtProtectVirtualMemory
Stuff that's already common on the market, not much use.
Buddy, newer isn't necessarily better; black cat or white cat, the one that catches mice is a good cat. As for explaining how to defeat it, that's your job; my code just gives you some ideas. There are too many freeloaders these days! Brains shrunk to smaller than a fingernail.
Even though OP switched to an alt account, the skills still outshine everyone!
This one I support,
If you had explained it, he'd say you had no screenshots and that it needs text and pictures together
If you add screenshots, then someone says there should be a video
A godlike man, I bow down