[原创]腾讯游戏安全大赛题解 | 宜武汇-ag真人国际厅网站

#include

#include

#include

#include

#include

// Process image-name prefixes used by findprocess(). The l"..." prefix is
// presumably the wide-string L"..." prefix lowercased by the page extraction
// (the whole listing is lowercased: dword, handle, createtoolhelp32snapshot) — TODO confirm.
#define exp l"explorer"

// exp is not referenced anywhere in this listing; only processname is used.
#define processname l"workingservice"

// Previous page protection returned by virtualprotectex() in unhook().
dword old;

// Byte count reported by readprocessmemory()/writeprocessmemory() in unhook().
size_t written;

 

// Walks every process on the machine, looks up the "zwprotectvirtualmemory"
// export in each process's module list and, where its first byte is 0xE9,
// overwrites the first five bytes with the fixed stub in ins[].
// NOTE(review): the listing was lowercased by the page extraction (DWORD, BYTE,
// HANDLE, CreateToolhelp32Snapshot, ...) and the function's closing brace is
// missing, so it does not compile as shown.
// Defender view: a cross-process VirtualProtectEx + WriteProcessMemory pair
// aimed at an ntdll export, repeated over every pid, is a high-signal event for
// endpoint telemetry; it also needs enough privilege to open each process with
// process_all_access, otherwise that process is simply skipped (see below).
void unhook() {

    dword processid=0;

    // ins[] replaces the five patched bytes. Its last byte is a system-service
    // number, which is Windows-build-specific, so the patch is only correct on
    // the build it was taken from. buf is uninitialised and the
    // readprocessmemory() result below is never checked, so the 0xe9 test can
    // run on a stale value when the read fails.
    byte ins[] = { 0x4c,0x8b,0xd1,0xb8,0x50 },buf;

    // Snapshot of all processes. No closehandle(hsnap) is visible in this listing.
    handle hsnap = createtoolhelp32snapshot(th32cs_snapprocess, 0);

    processentry32 pe32;

    pe32 = { sizeof(pe32) };

    bool ret = process32first(hsnap, &pe32);

    while (ret)

    {

        // Always true, so every process is processed; the unused exp macro
        // suggests an szexefile comparison was intended here — TODO confirm.
        if (true) {

            processid=pe32.th32processid;

            // Module snapshot of the target process; failure skips the process.
            handle ths = createtoolhelp32snapshot(th32cs_snapmodule, processid);

            if (!ths) {

                ret = process32next(hsnap, &pe32);

                continue;

            }

            moduleentry32 me;

            me.dwsize = sizeof(me);

            uint64 addr = 0;

            if (module32first(ths, &me))

            {

                do

                {

                    // Assignment inside the condition: stops at the first module
                    // that exports the name. getprocaddress() is called with the
                    // module handle from another process's snapshot — verify this
                    // resolves the intended address in the target, not just here.
                    if (addr = (uint64)getprocaddress(me.hmodule, "zwprotectvirtualmemory"))

                    {

                        break;

                    }

                } while (module32next(ths, &me));

            }



            closehandle(ths);

            // Skip processes that cannot be opened or where the export was not found.
            handle hprocess = openprocess(process_all_access, false, processid);

            if (!hprocess||addr==0) {

                ret = process32next(hsnap, &pe32);

                continue;

            }

            // Reads one byte at the export; return value unchecked (see note on buf).
            readprocessmemory(hprocess, (void *)addr, &buf, 1, &written);

            if (buf == 0xe9) {// 0xE9 (JMP rel32) as the first byte is taken as the inline-hook marker

                // Make the page writable, write the five stub bytes, then restore
                // the previous protection. None of the three calls is checked.
                virtualprotectex(hprocess, (void*)addr, 0x5, page_execute_readwrite, &old);

                writeprocessmemory(hprocess, (void*)addr, ins, 0x5, &written);

                // %p with a uint64 argument, and %d with size_t below, are
                // format/argument mismatches (undefined behaviour); %llx / %zu would match.
                printf("process %d,hook addr:%p\n",processid, addr);

                printf("written:%d\n", written);

                virtualprotectex(hprocess, (void*)addr, 0x5, old, &old);

            }

            closehandle(hprocess);

        }

        ret = process32next(hsnap, &pe32);

    }

 

// Returns the pid of the first process whose image name starts with
// processname, or 0 when no such process exists.
// NOTE(review): the closing brace is missing from this listing, and the process
// snapshot handle is never closed on either return path.
dword findprocess() {

    handle hsnap = createtoolhelp32snapshot(th32cs_snapprocess, 0);

    processentry32 pe32;

    pe32 = { sizeof(pe32) };

    bool ret = process32first(hsnap, &pe32);

    while (ret)

    {

        // Prefix match only: wcsncmp is bounded by the length of processname, so
        // "workingservice.exe" matches, and so would any other name with that prefix.
        if (!wcsncmp(pe32.szexefile, processname, lstrlenw(processname))) {

            printf("find workingservice.exe process %d\n", pe32.th32processid);

            // hsnap leaks here (no closehandle before return).
            return pe32.th32processid;

        }

        ret = process32next(hsnap, &pe32);

    }

    // hsnap leaks here as well.
    return 0;

// Entry point: runs unhook(), then repeatedly looks up the target process by
// name and terminates it until it can no longer be found or opened.
// NOTE(review): the closing brace and the return statement are missing from
// this listing; as shown the function does not compile.
int main() {

    dword processid = 0;

    unhook();

    do {

        processid = findprocess();

        // %p with a dword argument is a format/argument mismatch; %lu would match.
        printf("pid:%p\n", processid);

        // findprocess() returning 0 (no match) ends the loop.
        if (!processid) {

            break;

        }

        // Requires privilege to open the target with process_all_access;
        // an open failure also ends the loop.
        handle hprocess = openprocess(process_all_access, false, processid);

        printf("hprocess:%p\n", hprocess);

        if (!hprocess) {

            break;

        }

        // Return value unchecked and hprocess is never closed (one leaked handle
        // per iteration). If termination keeps failing while the process stays
        // visible to findprocess(), this loop never ends.
        terminateprocess(hprocess, 0);

    } while (1);

    printf("terminate ok\n");

    // Windows-only: spawns a shell just to wait for a keypress.
    system("pause");

原文链接:https://bbs.kanxue.com/thread-276894.htm

网络摘文,本文作者:15h,如若转载,请注明出处:https://www.15cov.cn/2023/08/27/原创腾讯游戏安全大赛题解/
