过 NGS 校验代码
Ps:代码写的丑,求不吐槽=====================================以下是代码
#include "stdafx.h"
#include "BlackCipherPass.h"
#include "PSAPI.h"
// Hook plumbing shared by the detours below.  Everything here is 32-bit x86 only:
// pointers are truncated to DWORD and the trampolines use MSVC __declspec(naked)/_asm,
// which MSVC supports on x86 alone.  These file-scope objects are dynamically
// initialised while the DLL is being loaded, so the GetProcAddress lookups run before
// InitBcHook is ever called; a failed lookup leaves the value 0 (InitBcHook does not check).
DWORD CreateProcessWAddr = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateProcessW");
HMODULE MyModuleBase;        // this DLL's own handle, stored by InitBcHook; 注入DLL injects this module
DWORD g_pi;                  // lpProcessInformation of the intercepted CreateProcessW call (set by 处理CreateProcessW)
DWORD CreateProcessWRET;     // genuine return address displaced by HOOKCreateProcessWBack
DWORD ZwReadID = Get_ZwID("ZwReadVirtualMemory");   // presumably the service number of the stub; Get_ZwID is a project helper not shown here
DWORD ReadProcessMemoryAddr = (DWORD)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwReadVirtualMemory");
DWORD ReadProcessMemoryRET = (DWORD)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwReadVirtualMemory") + 5;   // resume point = stub + 5, consistent with the hook replaying a 5-byte `mov eax, imm32`
DWORD AdumpAddr;             // in-process copy of the target image that intercepted reads are redirected into
DWORD ALen;                  // length in bytes of that copy
CHAR* BCCRCNAME;             // image name of the process whose reads are redirected (compared case-insensitively)
CRITICAL_SECTION g_cs;       // serialises BCGetRunFileName
BOOL g_bool;                 // TRUE while BCGetRunFileName is inside GetModuleBaseNameA so the read hook ignores that nested read; process-wide, not per-thread
//初始化BChook 参数1填入自DLL 句柄 通过Dllmain 可以获得 参数2 是BC效验的目标进程 参数3 是导出的目标进程Dump
void ReadProcessMemoryHook();
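// Installs the two detours this module relies on.
//   hModule  - this DLL's module handle (saved so 注入DLL can locate the file to inject)
//   Name     - image name of the process whose memory the anti-cheat reads; compared case-insensitively
//   dumpAddr - address of an in-process copy of that image that intercepted reads are redirected to
//   Len      - size in bytes of that copy
// With dumpAddr == 0, Len == 0 or Name == NULL only the CreateProcessW hook is installed.
void InitBcHook(HMODULE hModule, CHAR* Name, DWORD dumpAddr, DWORD Len)
{
    InitializeCriticalSection(&g_cs);
    MyModuleBase = hModule;

    // The address was resolved by the global initialiser; a failed lookup left 0,
    // and patching address 0 would fault rather than hook anything.
    if (CreateProcessWAddr != 0)
    {
        Hook_JmpADDR(CreateProcessWAddr, (DWORD)HOOKCreateProcessW);
    }

    // Without a complete dump description the read redirect cannot work: the
    // handler dereferences BCCRCNAME and indexes AdumpAddr within [0, Len).
    // (The original only bailed when BOTH dumpAddr and Len were zero.)
    if (dumpAddr == 0 || Len == 0 || Name == NULL || ReadProcessMemoryAddr == 0)
    {
        return;
    }

    // Publish the parameters BEFORE the detour goes live: once the stub is patched,
    // any thread calling ZwReadVirtualMemory runs ReadProcessMemory处理, which would
    // otherwise observe a NULL BCCRCNAME / zero ALen.
    AdumpAddr = dumpAddr;
    ALen = Len;
    BCCRCNAME = Name;
    Hook_JmpADDR(ReadProcessMemoryAddr, (DWORD)ReadProcessMemoryHook);
}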
// Called from HOOKCreateProcessW with three values lifted from CreateProcessW's frame:
//   路径 - a path argument of the call (may be NULL); which one is decided by the
//          hook's operands, presumably lpApplicationName or lpCommandLine
//   _RET - address of the stack slot holding CreateProcessW's return address
//   PI   - the caller's lpProcessInformation pointer
// When the launched image is BlackCipher.aes the return address is swapped for
// HOOKCreateProcessWBack, so the child can be injected once CreateProcessW has really
// created it; the genuine return address is parked in CreateProcessWRET.
// NOTE(review): g_pi / CreateProcessWRET are single globals, so two concurrent
// matching CreateProcessW calls would clobber each other.
void 处理CreateProcessW(wchar_t *路径, DWORD _RET, DWORD PI)
{
    if (路径 == NULL)
    {
        return;
    }
    // Substring match: any path that contains the anti-cheat's image name qualifies.
    if (wcsstr(路径, L"BlackCipher.aes") == NULL)
    {
        return;
    }
    DebugMsg("My 启动BlackCipher.aes");
    g_pi = PI;
    // Keep the real return address, then detour the return through our trampoline.
    CreateProcessWRET = RM_4(_RET);
    RM_4(_RET) = (DWORD)&HOOKCreateProcessWBack;
}
// Naked trampoline that 处理CreateProcessW plants as CreateProcessW's return address.
// Runs in the launching process right after the real CreateProcessW returns, i.e. once
// PROCESS_INFORMATION has been filled in.  Calls 注入DLL (cdecl, four args = 0x10 bytes
// of stack) and then continues at the genuine return address saved in CreateProcessWRET.
// pushad/popad keep eax, which carries CreateProcessW's BOOL result back to the caller.
// NOTE(review): the operands of the four `push` lines did not survive extraction; they
// were presumably [eax+0xC], [eax+8], [eax+4], [eax] - dwThreadId, dwProcessId, hThread,
// hProcess pushed right-to-left to match 注入DLL's signature.  Confirm against a working
// copy; as printed this block does not assemble.
__declspec(naked) void HOOKCreateProcessWBack()
{
_asm{
pushad;                 // preserve all general registers
mov eax, g_pi;          // eax -> the caller's PROCESS_INFORMATION
push;
push;
push;
push;
call 注入DLL;
add esp, 0x10;          // pop the four cdecl arguments
popad;
jmp CreateProcessWRET;  // resume at the real return address
}
}
// Detour planted over the first 5 bytes of kernel32!CreateProcessW by InitBcHook.
// Replays the standard hot-patch prologue it overwrote (mov edi,edi / push ebp /
// mov ebp,esp = 5 bytes), hands three values to 处理CreateProcessW, restores the
// registers and resumes the original function 5 bytes in.
// NOTE(review): the `push` / `lea` operands were lost in extraction; they were
// presumably [ebp+...] references to lpProcessInformation, the return-address slot
// (lea eax,[ebp+4]) and a path argument, matching the (路径, _RET, PI) parameters
// pushed right-to-left.  As printed this block does not assemble.
__declspec(naked) void HOOKCreateProcessW()
{
_asm{
mov edi, edi;           // the 5 bytes the jmp patch replaced, replayed here
push ebp;
mov ebp, esp;           // ebp now frames CreateProcessW's arguments
pushad;
push;
lea eax, ;
push eax;
push;
Call 处理CreateProcessW;
add esp, 0xc;           // three cdecl arguments
popad;
mov eax, CreateProcessWAddr;
add eax, 5;             // skip the prologue bytes replayed above
jmp eax;
}
}
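// Injects this DLL (MyModuleBase) into the process CreateProcessW just created: writes
// the DLL's path into the target and runs LoadLibraryW on a remote thread.
//   hProcess, hThread, dwProcessId, dwThreadId - the PROCESS_INFORMATION fields; only
//   hProcess is used, the rest are kept for the trampoline's calling convention.
// Blocks until the remote thread finishes so the DLL is in place before CreateProcessW
// returns to its caller.  Every step is checked; on failure the injection is abandoned
// rather than passing a NULL/garbage address to the next call.
void 注入DLL(HANDLE hProcess, HANDLE hThread, DWORD dwProcessId, DWORD dwThreadId)
{
    (void)hThread;
    (void)dwProcessId;
    (void)dwThreadId;

    DebugMsg("My 开始注入到BlackCipher.aes");

    // Relies on kernel32 sharing its load address with the target process, so the
    // local address of LoadLibraryW is valid there too.
    LPVOID LoadLibraryWAddr = GetProcAddress(GetModuleHandleA("kernel32"), "LoadLibraryW");
    if (LoadLibraryWAddr == NULL)
    {
        DebugMsg("My inject failed: LoadLibraryW not found");
        return;
    }

    // Path buffer: the original declared a single WCHAR here (array brackets lost),
    // which GetModuleFileNameW would overrun.  4096 is in WCHARs for that API.
    WCHAR wcName[4096] = { 0 };
    DWORD nChars = GetModuleFileNameW(MyModuleBase, wcName, 4096);
    if (nChars == 0 || nChars >= 4096)      // 0 = failure, == size = truncated path
    {
        DebugMsg("My inject failed: GetModuleFileNameW");
        return;
    }

    // Bytes to copy, terminator included; the remote page below is 4096 bytes, so the
    // original's blind 4096-byte copy covered at most 2047 characters anyway.
    SIZE_T cb = ((SIZE_T)nChars + 1) * sizeof(WCHAR);
    if (cb > 4096)
    {
        DebugMsg("My inject failed: path too long");
        return;
    }

    DWORD dwAddr = AllocMem(hProcess, 4096);
    if (dwAddr == 0)
    {
        DebugMsg("My inject failed: AllocMem");
        return;
    }
    if (!WriteProcessMemory(hProcess, (LPVOID)dwAddr, (LPCVOID)wcName, cb, NULL))
    {
        DebugMsg("My inject failed: WriteProcessMemory");
        return;
    }

    HANDLE hObject = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryWAddr, (LPVOID)dwAddr, 0, 0);
    if (hObject == NULL)
    {
        DebugMsg("My inject failed: CreateRemoteThread");
        return;
    }
    WaitForSingleObject(hObject, INFINITE);
    CloseHandle(hObject);   // the original leaked this thread handle

    // NOTE(review): the remote page from AllocMem is never released; whether
    // VirtualFreeEx is the right counterpart depends on AllocMem (not visible here).
    DebugMsg("My 结束注入");
}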
void ReadProcessMemory处理(HANDLE hProcess, DWORD Addrthsi);
// Detour planted over the first 5 bytes of ntdll!ZwReadVirtualMemory by InitBcHook.
// Replays the overwritten first instruction (presumably `mov eax, <service id>`, using
// the id captured in ZwReadID), lets ReadProcessMemory处理 rewrite the BaseAddress
// argument in place, then resumes at ReadProcessMemoryRET (= stub + 5).  pushad/popad
// restore eax so the replayed service id survives into the rest of the stub.
// NOTE(review): the `lea` / `push` operands were lost in extraction; presumably
// lea eax,[esp+...] took the address of the BaseAddress argument slot and push [esp+...]
// passed ProcessHandle, matching ReadProcessMemory处理(hProcess, Addrthsi).
// As printed this block does not assemble.
__declspec(naked) void ReadProcessMemoryHook()
{
__asm{
mov eax, ZwReadID;      // replay the stub's overwritten first instruction
pushad;
lea eax, ;
push eax;
push;
Call ReadProcessMemory处理;
add esp, 0x8;           // two cdecl arguments
popad;
jmp ReadProcessMemoryRET
}
}
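// Returns the base name of hProcess's main module, or "" if it cannot be read.
// The result lives in a static buffer that the next call overwrites, so callers must
// consume it immediately (ReadProcessMemory处理 does).  g_cs serialises the lookup but
// NOT the returned pointer.  g_bool is raised around GetModuleBaseNameA, presumably
// because that API reads the target through the hooked ZwReadVirtualMemory and the
// handler must not recurse into another lookup; it is process-wide, so a genuine read on
// another thread during this window is simply skipped.
CHAR* BCGetRunFileName(HANDLE hProcess)
{
    // Original declared a single CHAR here (array brackets lost in extraction),
    // which GetModuleBaseNameA would overrun.
    static CHAR Name[256] = { 0 };

    EnterCriticalSection(&g_cs);
    g_bool = TRUE;
    // On failure GetModuleBaseNameA returns 0; the original kept whatever the previous
    // call left in the buffer, so an unrelated handle could match the target name.
    if (GetModuleBaseNameA(hProcess, 0, Name, sizeof Name - 1) == 0)
    {
        Name[0] = '\0';
    }
    g_bool = FALSE;
    LeaveCriticalSection(&g_cs);
    return Name;
}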
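// Handler behind ReadProcessMemoryHook.
//   hProcess - ProcessHandle argument of the intercepted ZwReadVirtualMemory
//   Addrthsi - address of that call's BaseAddress argument slot (rewritten in place)
// If the read targets the process named BCCRCNAME and its address falls within the first
// ALen bytes of an image assumed to be based at 0x400000, BaseAddress is redirected to
// the same offset inside the local copy at AdumpAddr, so the reader sees the dump rather
// than the live image.
// NOTE(review): the fixed 0x400000 base means a relocated/ASLR'd target image is never
// matched.  The handler does not see the read length, so a read that starts inside
// [0, ALen) but extends past it still runs off the end of the dump buffer.
void ReadProcessMemory处理(HANDLE hProcess, DWORD Addrthsi)
{
    // Re-entrancy guard: BCGetRunFileName's own reads come through this hook too.
    if (g_bool)
    {
        return;
    }
    // Nothing to redirect to (InitBcHook leaves these unset when no dump is given).
    if (BCCRCNAME == NULL || ALen == 0)
    {
        return;
    }
    if (stricmp(BCGetRunFileName(hProcess), BCCRCNAME) != 0)
    {
        return;
    }

    // Unsigned arithmetic: the original did `*(int*)Addrthsi - 0x400000`, which
    // overflows (UB) for addresses near INT_MIN; addresses below the base are
    // excluded explicitly instead of relying on a signed result.
    DWORD addr = *(DWORD*)(Addrthsi);
    if (addr < 0x400000)
    {
        return;
    }
    DWORD py = addr - 0x400000;
    // Valid offsets are 0 <= py < ALen; the original accepted py == ALen, one past the end.
    if (py >= ALen)
    {
        return;
    }

    DebugMsg("My 确认NG正在访问主进程内存, 地址0x%08X", RM_4(Addrthsi));
    RM_4(Addrthsi) = (AdumpAddr + py);
} 说一句,这个是我和PASS HS一起用的, 所以有什么看不懂的地方,可以跟帖 謝謝大大分享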
先推再研究
本來已打算放棄了XD 思路不錯,處理得很好
真是一股清流
:D
學習了 不過我喜歡在HOOKCreateProcessW那裏先掛起進程,
待注入DLL後再恢復 :lol 有神快拜:o:o:o 猛 先推~
學習了<(_ _)> 先推了~
慢慢來研究XD
m(_ _)m 我想問現在楓之谷引進了BlackCipher2 這套防掛軟體
還是有破解機會麻 QQDOG0908 發表於 2015-5-20 00:53
我想問現在楓之谷引進了BlackCipher2 這套防掛軟體
還是有破解機會麻
= =好像没用这个把? syoath 發表於 2015-5-20 01:26
= =好像没用这个把?
大大 請到消息那邊 我有事情要妳幫忙 QQDOG0908 發表於 2015-5-20 02:12
大大 請到消息那邊 我有事情要妳幫忙
NGS的在枫古 用的不是2 可怜的程序猿,今天约了吗 syoath 發表於 2015-5-20 13:17
NGS的在枫古 用的不是2
正確 是這樣沒錯 但是大大 妳是否可以看一下消息 我有事情需要跟妳做連繫 QQDOG0908 發表於 2015-5-20 23:19
正確 是這樣沒錯 但是大大 妳是否可以看一下消息 我有事情需要跟妳做連繫 ...
看了,找不到那个qq