
Driver to bypass Hackshield memory protection


From: http://www.gamedeception.net/threads/20450-Driver-to-bypass-Hackshield-memory-protection?s=dcbea4ca9540d0e50ddd2fba5dce425f


ONLY FOR EDUCATIONAL PURPOSES!
This driver is an exploit of a design mistake: EagleNT.sys should not call ZwQueryInformationProcess to learn which process a handle refers to, because that call goes through the same system-service dispatch that any driver can hook. It should use ObReferenceObjectByHandle instead, which resolves the handle to the process object directly without passing through the service table.

INTRODUCTION
HackShield's memory protection works by hooking several system services in kernel space. EagleNT.sys inspects the parameters passed to each hooked function and then either blocks or allows the operation. Once the HS memory unprotector driver is loaded, OpenProcess, WriteProcessMemory and ReadProcessMemory can be used against the game as normal.

HOW MEMORY PROTECTION WORKS?
HackShield replaces three system services (NtReadVirtualMemory, NtWriteVirtualMemory and NtOpenProcess) to protect the game's memory.

 


HOW TO BYPASS MEMORY PROTECTION?
It's easy. Start by looking at the hooked NtWriteVirtualMemory function.

 

As the disassembly shows, the hook inserts a 'call' into an EagleNT.sys function (call 0xA4A5C800; the address is the one from this screenshot and depends on where the driver was loaded).
Follow that call to the function at 0xA4A5C800.

 

There, EagleNT.sys uses ZwQueryInformationProcess to translate the HANDLE into a process id (a bad idea, as noted above). So we hook ZwQueryInformationProcess ourselves, and whenever EagleNT.sys is the caller we return 0 (or any fake number) as the process id; the check then never matches the protected game process and the operation is allowed through. That's all!


Next, hook NtOpenProcess with a small re-implementation of that function.
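The flow described in the two sections above, as an added example in portable C that is not the original HS_UNP driver code: a user-mode model of EagleNT's handle-to-PID check, the ZwQueryInformationProcess hook that lies to it, and, for contrast, the ObReferenceObjectByHandle-style lookup the post recommends instead. The SSDT slot, the handle table, the process ids and the "is the caller EagleNT.sys?" test are assumptions constructed so the model runs without the WDK; a real driver would overwrite the SSDT entry and compare _ReturnAddress() against the EagleNT.sys image range (that return-address check is my assumption about how "if EagleNT.sys is calling this" would be implemented, not something the post states).

```c
/* Added example, not code from the original post or the HS_UNP archive: a
 * user-mode C model of the check EagleNT.sys performs and of the
 * ZwQueryInformationProcess hook described above. The SSDT slot, the handle
 * table, ObReferenceObjectByHandle and the caller test are all simulated;
 * every name starting with Sim or g_ is an assumption of the model. */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define STATUS_SUCCESS        0
#define STATUS_ACCESS_DENIED  (-1)

#define GAME_PID   1234u   /* constructed: the process EagleNT protects */
#define CHEAT_PID  4321u   /* constructed: some other, unprotected process */

/* Simulated object-manager handle table: handle value -> owning process id.
 * Stand-in for ObReferenceObjectByHandle() + PsGetProcessId() on the EPROCESS. */
typedef struct { uint32_t handle; uint32_t pid; } SimHandleEntry;
static const SimHandleEntry g_handleTable[] = {
    { 0x10, GAME_PID }, { 0x14, CHEAT_PID },
};

static uint32_t SimPidFromObject(uint32_t handle)
{
    for (size_t i = 0; i < sizeof g_handleTable / sizeof g_handleTable[0]; i++)
        if (g_handleTable[i].handle == handle) return g_handleTable[i].pid;
    return 0;   /* invalid handle */
}

/* Which driver is calling the service. A real hook would derive this from
 * _ReturnAddress() compared with EagleNT.sys's image base and size
 * (assumption); the model passes it explicitly. */
typedef enum { CALLER_OTHER = 0, CALLER_EAGLENT = 1 } SimCaller;

typedef uint32_t (*QueryInfoFn)(uint32_t handle, SimCaller caller);

/* Original service: ProcessBasicInformation.UniqueProcessId for the handle */
static uint32_t OrigZwQueryInformationProcess(uint32_t handle, SimCaller caller)
{
    (void)caller;
    return SimPidFromObject(handle);
}

/* The bypass hook from the post: if EagleNT.sys is the caller, report PID 0
 * (any value other than GAME_PID works); everyone else gets the truth. */
static uint32_t HookedZwQueryInformationProcess(uint32_t handle, SimCaller caller)
{
    if (caller == CALLER_EAGLENT) return 0;
    return OrigZwQueryInformationProcess(handle, caller);
}

/* Simulated SSDT entry that the unprotector driver overwrites */
static QueryInfoFn g_ssdtQueryInfo = OrigZwQueryInformationProcess;

void InstallQueryInfoHook(void) { g_ssdtQueryInfo = HookedZwQueryInformationProcess; }
void RemoveQueryInfoHook(void)  { g_ssdtQueryInfo = OrigZwQueryInformationProcess; }

/* EagleNT's check as the post describes it: handle -> PID via the Zw call,
 * i.e. through the (hookable) service table. */
static int EagleNtCheck_ViaZwQuery(uint32_t handle)
{
    uint32_t pid = g_ssdtQueryInfo(handle, CALLER_EAGLENT);
    return pid == GAME_PID ? STATUS_ACCESS_DENIED : STATUS_SUCCESS;
}

/* The fix the post suggests: resolve the object directly, never through the
 * service table, so a hooked ZwQueryInformationProcess cannot lie to it. */
static int EagleNtCheck_ViaObReference(uint32_t handle)
{
    uint32_t pid = SimPidFromObject(handle);
    return pid == GAME_PID ? STATUS_ACCESS_DENIED : STATUS_SUCCESS;
}

/* HackShield's replacement NtWriteVirtualMemory: run the check, then the
 * original service (modelled as plain success). hardened selects the check. */
int NtWriteVirtualMemory_HsHooked(uint32_t handle, bool hardened)
{
    int st = hardened ? EagleNtCheck_ViaObReference(handle)
                      : EagleNtCheck_ViaZwQuery(handle);
    if (st != STATUS_SUCCESS) return st;
    return STATUS_SUCCESS;   /* the original NtWriteVirtualMemory would run here */
}

int main(void)
{
    printf("before hook: write to game -> %d\n", NtWriteVirtualMemory_HsHooked(0x10, false));
    InstallQueryInfoHook();
    printf("after hook:  write to game -> %d\n", NtWriteVirtualMemory_HsHooked(0x10, false));
    printf("hardened:    write to game -> %d\n", NtWriteVirtualMemory_HsHooked(0x10, true));
    RemoveQueryInfoHook();
    return 0;
}
```

Run as-is it prints -1, 0, -1 for the three cases: with the hook installed the Zw-based check lets the write to the game process through, while the object-based check still denies it, which is exactly why the post calls the ZwQueryInformationProcess call the mistake being exploited.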

DOWNLOAD
This source code is not perfect, but you can improve it.
Attached Files
2012/12/01 file re-uploaded
HS_UNP.rar (22.9 KB)

Comments

  1. Don't know how to use it.
    The download link won't open either!!!
  2. A good reference; these three hooks can be dealt with directly using SSDT hooks!
  3. The original link above and the file download link below are both dead.
    Could the blog owner please update them?
  4. Hello 洋蔥大,

    Sorry to bother you; if you have time, could I ask you a few questions?

    I previously tried calling OpenProcess directly to force open Maple's memory,

    and got Access Denied straight away. After reading quite a few posts I learned that these key kernel functions are hooked by HS.

    I originally used Inndy's clshack to change the ImagePath, but that seems to have stopped working @@" It still got caught after changing it XD

    As this post describes, is it about hooking ZwQueryInformationProcess and making it return 0 when OpenProcess is hooked,

    so that HS doesn't know it is our program doing the bad thing XD?

    I still have a few questions, and I sincerely hope 洋蔥大 can spare some time to clear them up for me ><

    Because searching online is really painful when your English is poor...

    To simplify my questions:

    1. Is this method basically: look at how they hook, then hook something else ourselves to counter it?

    2. How do I open the projects inside HS_UNP.rar... do I need Visual C?

    3. How did the original author see what is in memory and even turn it into assembly @@? Which tool did he use to open it?

    Also, which file did he look into to get this result (kernel32.dll?)

    4. Is there any recommended tutorial for learning assembly... the push, mov instructions and so on; are eax and esp registers?

    Is there a tutorial that explains what they mean?

    Sorry, I'm just a newbie; could 洋蔥大 spare a moment to point me in the right direction...

    Either way, thank you very much for taking the time to read this far ><

    Replies
    1. A1: This is the source code of a driver that bypasses HS protection
      A2: VC + WDK
      A3: Many tools will do, for example PC Hunter
      A4: Google
    2. Thanks, I'll study it during the holiday. Thank you! ^^
