【游戏漏洞】绕过PG 实现进程保护


致力于分享游戏安全技术,提供专业的游戏安全资讯   

环境:win7 64  win8 win 10

 

SSDT HOOK NtOpenProcess //在这条调用路径上的代码点做 inline hook

ObRegisterCallbacks     //注册回调函数进行过滤

 

NTSTATUS  

ObRegisterCallbacks (  

    _In_ POB_CALLBACK_REGISTRATION CallbackRegistration,  

    _Outptr_ PVOID *RegistrationHandle  

    );

 

上边是该函数的原型声明

第一个参数是注册回调的一些信息。

第二个参数用于返回与此次注册对应的句柄,卸载时把它传给 ObUnRegisterCallbacks:

创建一个进程会返回一个进程句柄,类似的创建一个回调会返回一个跟此回调相关的指针。

 

核心代码:

 

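/*
 * Pre-operation callback installed through ObRegisterCallbacks for the
 * process object type.  Runs before a handle to a process is created or
 * duplicated.  When the target process image name contains "yjx150.exe",
 * the terminate and virtual-memory access rights are removed from the
 * access mask that will actually be granted, so the protected process can
 * neither be killed nor have its memory read or written through that handle.
 *
 * RegistrationContext   unused; the registration passes NULL.
 * pOperationInformation describes the pending handle operation.  Only its
 *                       DesiredAccess field is modified here.
 * Returns OB_PREOP_SUCCESS unconditionally (the only value the object
 * manager accepts from a pre-operation callback).
 */
OB_PREOP_CALLBACK_STATUS RegProtectProcess_Callback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
    /* Rights withheld from any handle to the protected process. */
    const ACCESS_MASK denied = PROCESS_TERMINATE | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
    HANDLE pid = PsGetProcessId((PEPROCESS)pOperationInformation->Object);
    char szProcName[128] = { 0 };
    const char *imageName;

    UNREFERENCED_PARAMETER(RegistrationContext);

    /* The lookup result is copied with a bound: the original strcpy could
       overrun szProcName on a long image path and dereferenced NULL when
       the lookup failed.  A failed lookup simply leaves the access mask alone. */
    imageName = GetProcessImageNameByProcessID((ULONG)pid);
    if (imageName == NULL)
    {
        return OB_PREOP_SUCCESS;
    }
    strncpy(szProcName, imageName, sizeof(szProcName) - 1);
    szProcName[sizeof(szProcName) - 1] = '\0';

    /* Substring match, as in the original; any other process is left untouched. */
    if (strstr(szProcName, "yjx150.exe") == NULL)
    {
        return OB_PREOP_SUCCESS;
    }

    DbgPrint("yjx:进入RegProtectProcess_Callback--------------1111111111111111111111111111--------szProcName=%s -", szProcName);

    /* DesiredAccess starts equal to OriginalDesiredAccess and earlier callbacks
       can only clear bits, so masking unconditionally equals the original
       per-right "test OriginalDesiredAccess, then clear" sequence. */
    switch (pOperationInformation->Operation)
    {
    case OB_OPERATION_HANDLE_CREATE:
        /* e.g. a user-mode OpenProcess() on the protected process. */
        pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~denied;
        break;
    case OB_OPERATION_HANDLE_DUPLICATE:
        /* The registration asks for duplicate operations as well, but the
           original code never filtered them, so a duplicated handle kept the
           full rights.  Apply the same mask here. */
        pOperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess &= ~denied;
        break;
    default:
        break;
    }

    return OB_PREOP_SUCCESS;
}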

 

/* Registration handles returned by ObRegisterCallbacks; each one is what
   ObUnRegisterCallbacks needs on driver unload.  NULL means "not registered". */
HANDLE g_obHandle_callback = NULL;
HANDLE g_obHandle_callback2 = NULL;

//注册保护回调

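/*
 * Installs RegProtectProcess_Callback as a pre-operation filter for process
 * handle create/duplicate operations and stores the registration handle in
 * g_obHandle_callback (pass it to ObUnRegisterCallbacks when unloading).
 *
 * Returns the NTSTATUS from ObRegisterCallbacks.  On failure the value left
 * in g_obHandle_callback is not a valid registration and must not be
 * unregistered.
 */
NTSTATUS RegProtectProcess_callback(void)
{
    NTSTATUS ret = 0; /* STATUS_SUCCESS */
    OB_CALLBACK_REGISTRATION obregCallBack;
    OB_OPERATION_REGISTRATION opReg;

    /* opReg is filled in first: OperationRegistration points at it and
       ObRegisterCallbacks reads it during the call, so both locals must stay
       alive until the call returns. */
    memset(&opReg, 0, sizeof(opReg));
    opReg.ObjectType = PsProcessType;  /* process objects; PsThreadType would filter thread handles instead */
    opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;  /* both ways a handle can come into existence */
    opReg.PreOperation = RegProtectProcess_Callback;  /* POB_PRE_OPERATION_CALLBACK */

    memset(&obregCallBack, 0, sizeof(obregCallBack));
    /* NOTE(review): the altitude is documented as a numeric string assigned by
       Microsoft ("321000" is the value commonly seen online); confirm that this
       non-numeric value is accepted on the target systems. */
    RtlInitUnicodeString(&obregCallBack.Altitude, L"QQ150330575");
    obregCallBack.Version = ObGetFilterVersion();  /* expected to match OB_FLT_REGISTRATION_VERSION */
    obregCallBack.OperationRegistrationCount = 1;  /* exactly one entry in opReg */
    obregCallBack.RegistrationContext = NULL;      /* the callback ignores its context */
    obregCallBack.OperationRegistration = &opReg;

    /* From here on NtOpenProcess (and handle duplication targeting a process)
       passes through RegProtectProcess_Callback.  Undo with
       ObUnRegisterCallbacks(g_obHandle_callback). */
    ret = ObRegisterCallbacks(&obregCallBack, &g_obHandle_callback);

    /* %p and %08X match the argument widths; the original printed the 32-bit
       NTSTATUS with %llx, which reads past the argument on x64. */
    DbgPrint("yjx:---1111-----obHandle=%p ret=0x%08X ------RegProtectProcess_callback\n", g_obHandle_callback, (unsigned int)ret);

    return ret;
}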

 

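/*
 * Second registration of RegProtectProcess_Callback, identical to
 * RegProtectProcess_callback except for the altitude string and the global
 * that receives the registration handle (g_obHandle_callback2).
 *
 * NOTE(review): both routines install the same callback; if both are called
 * the callback runs twice per handle operation.  Presumably only one of them
 * is meant to be used - confirm against the driver entry point.
 *
 * Returns the NTSTATUS from ObRegisterCallbacks.  On failure
 * g_obHandle_callback2 is not a valid registration.
 */
NTSTATUS RegProtectProcess2(void)
{
    NTSTATUS ret = 0; /* STATUS_SUCCESS */
    OB_CALLBACK_REGISTRATION obregCallBack;
    OB_OPERATION_REGISTRATION opReg;

    /* The operation descriptor; obregCallBack only points at it, so it must
       be fully initialised before ObRegisterCallbacks is called. */
    memset(&opReg, 0, sizeof(opReg));
    opReg.ObjectType = PsProcessType;
    opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg.PreOperation = RegProtectProcess_Callback;  /* callback routine pointer */

    memset(&obregCallBack, 0, sizeof(obregCallBack));
    /* NOTE(review): the altitude is documented as a numeric string assigned by
       Microsoft; confirm this non-numeric value is accepted. */
    RtlInitUnicodeString(&obregCallBack.Altitude, L"Q150330575");
    obregCallBack.Version = ObGetFilterVersion();
    obregCallBack.OperationRegistrationCount = 1;
    obregCallBack.RegistrationContext = NULL;
    obregCallBack.OperationRegistration = &opReg;  /* must point at a fully set-up opReg */

    ret = ObRegisterCallbacks(&obregCallBack, &g_obHandle_callback2);

    /* %p and %08X match the argument widths; the original %llx on a 32-bit
       NTSTATUS reads beyond the argument on x64. */
    DbgPrint("yjx:---L156-----obHandle=%p ret=0x%08X ------RegProtectProcess2\n", g_obHandle_callback2, (unsigned int)ret);

    return ret;
}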




来源:通化程序员-公众号投稿

*转载请注明来自游戏安全实验室(GSLAB.QQ.COM)


【游戏漏洞】绕过PG 实现进程保护

原文始发于微信公众号(游戏安全实验室):【游戏漏洞】绕过PG 实现进程保护
