吃鸡这么火。。。。不如来一发穿墙~~斜眼笑

发表于 2017-11-04  910 次阅读


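/* Upper bound, in bytes, on how far CalcShellcodeSize scans for the 0xC3
 * terminator. Matches the 0x1000-byte page that InstallAimBot allocates for
 * the stub; the original scan had no bound at all. */
#define SHELLCODE_SCAN_LIMIT 0x1000

/*
 * Measure a stub by scanning from adr for the first 0xC3 byte (x64 `ret`).
 *
 * adr: first byte of the stub (InstallAimBot passes &AimBot).
 * Returns the number of bytes up to and including the first 0xC3, or 0 when
 * adr is NULL or no 0xC3 occurs within SHELLCODE_SCAN_LIMIT bytes.  The
 * original loop had no bound, so a stub without a `ret` made it read past the
 * end of the procedure and report whatever distance the next 0xC3 happened
 * to be at.
 *
 * Caveats: the first 0xC3 can also be an operand byte inside an instruction
 * rather than a `ret`, in which case the result is short; and the AimBot
 * stub as listed on this page ends in `jmp rax` / `int 3` with no `ret`, so
 * it needs a trailing 0xC3 sentinel for this measurement to be meaningful.
 */
INT CalcShellcodeSize(UCHAR* adr) {
    INT i;

    if (!adr) {
        return 0;
    }
    for (i = 0; i < SHELLCODE_SCAN_LIMIT; i++) {
        if (adr[i] == 0xC3) {
            return i + 1; /* count includes the terminator itself */
        }
    }
    return 0;
}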
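/* Bytes of the 64-bit placeholder that are compared: only the low five, as
 * in the original, which is enough to tell the three AimBot placeholders
 * apart while ignoring the upper bytes of a user-mode address. */
#define REPLACE_MATCH_BYTES 5
/* Last start offset the unbounded original scanned (0x1001 positions). */
#define REPLACE_SCAN_WINDOW 0x1000

/*
 * Bounded worker: patch the first occurrence of Orig's low REPLACE_MATCH_BYTES
 * bytes within buf[0..len) with the full 8 bytes of Now.
 *
 * buf/len: buffer holding the stub and its size in bytes.
 * Returns TRUE when a match was found and patched, FALSE otherwise. Only
 * offsets at which the 8-byte write still fits inside the buffer are tried.
 */
static BOOLEAN replacedata_n(UCHAR *buf, SIZE_T len, ULONG64 Orig, ULONG64 Now) {
    UCHAR pattern[sizeof(ULONG64)];
    SIZE_T pos;

    if (!buf || len < sizeof(Now)) {
        return FALSE;
    }
    memcpy(pattern, &Orig, sizeof pattern); /* little-endian byte image of Orig */

    for (pos = 0; pos + sizeof(Now) <= len; pos++) {
        if (memcmp(buf + pos, pattern, REPLACE_MATCH_BYTES) == 0) {
            /* memcpy instead of a *(ULONG64*) store: the match can sit at any
             * byte offset, so this avoids a misaligned, aliasing write. */
            memcpy(buf + pos, &Now, sizeof Now);
            return TRUE;
        }
    }
    return FALSE;
}

/*
 * Patch the first occurrence of the 64-bit immediate Orig inside the stub at
 * Original with Now.
 *
 * Original: writable buffer holding the stub (TempCode in InstallAimBot).
 * Orig:     placeholder to look for; only its low REPLACE_MATCH_BYTES bytes
 *           are compared, little-endian.
 * Now:      replacement; all 8 bytes are written at the match.
 * Returns TRUE when a match was patched, FALSE when none was found.
 *
 * This interface carries no length, so the scan covers the same 0x1001 start
 * offsets as the original (the caller's buffer must be at least
 * REPLACE_SCAN_WINDOW + 8 bytes, or the placeholder must be present before
 * the scan leaves it). The original tested the cursor pointer after the
 * loop, which is never NULL, so a miss wrote 8 bytes past the scan window
 * and still returned TRUE; this version writes only on a real match.
 */
BOOLEAN replacedata(UCHAR *Original, ULONG64 Orig, ULONG64 Now) {
    return replacedata_n(Original, REPLACE_SCAN_WINDOW + sizeof(Now), Orig, Now);
}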
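/*
 * Install the detour into the target process.
 *
 * Everything that touches the target goes through the driver wrappers
 * (IOCTL_AllocateUserVirtualMemory, IOCTL_VirtualProtectEx, X64_Write_) and
 * the globals GameHanle, m_ProcessId, GameBase, HookAim and AimBot, all
 * declared elsewhere in the project.
 *
 * Steps:
 *  1. Allocate a 0x1000-byte page (HookAim) holding the enable flag that the
 *     stub reads at HookAim+0x5E and the coordinate data at HookAim+0x60.
 *  2. Measure the AimBot stub, copy it into a local buffer, patch its three
 *     placeholder immediates, and write it to a second page (CodePage).
 *  3. Make the page at GameBase+0x4235F0 RWX and overwrite its first 14
 *     bytes with `jmp qword ptr [rip+0]` followed by CodePage.  The stub
 *     replays the 26 prologue bytes (0x4235F0..0x42360A) it displaced and
 *     jumps back to GameBase+0x42360A (`sub rsp, 0C0h`).
 *
 * Returns nothing. On a local failure (stub too large for the buffer, no
 * CodePage, or a placeholder not found) it returns without writing to the
 * target, where the original would have overflowed TempCode or patched a
 * wrong address. The IOCTL / X64_Write_ results are still not checked
 * because their return types are not visible in this listing -- review.
 *
 * Note the page protection is changed to PAGE_EXECUTE_READWRITE and never
 * restored; an image page that has lost its copy-on-write protection is
 * exactly what the page-attribute check described below detects.
 */
VOID InstallAimBot(){
    /* FF 25 00000000 = jmp qword ptr [rip+0]; bytes 6..13 hold the target. */
    UCHAR jmp_code[] = "\xFF\x25\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF";
    UCHAR TempCode[MAX_PATH * 2] = { 0 };
    ULONG64 CodePage = 0; /* stays 0 if the allocation IOCTL does not fill it in */
    SIZE_T CodeSize;

    /* Data page for the stub: flag byte at +0x5E, coordinates at +0x60. */
    IOCTL_AllocateUserVirtualMemory(GameHanle, m_ProcessId, 0X1000, (ULONG64)&HookAim);

    /* Guard against an empty or oversized stub before copying it; the
     * original copied CodeSize bytes into the 520-byte TempCode unchecked. */
    CodeSize = CalcShellcodeSize((UCHAR*)&AimBot);
    if (CodeSize == 0 || CodeSize > sizeof(TempCode)) {
        return;
    }

    IOCTL_AllocateUserVirtualMemory(GameHanle, m_ProcessId, 0X1000, (ULONG64)&CodePage);
    if (CodePage == 0) {
        return;
    }
    memcpy(TempCode, &AimBot, CodeSize);

    /* Patch the stub's three placeholder immediates. replacedata has no length
     * parameter and stops at the first hit, which for an intact stub lies well
     * inside TempCode; a stub without the placeholder would make it scan past
     * the buffer, so each result is checked and a miss aborts the install. */
    /* Resume address: TslGame.exe+42360A - 48 81 EC C0000000 - sub rsp,000000C0 */
    if (!replacedata(TempCode, 0X7FF686641B7E, GameBase + 0X42360A)) {
        return;
    }
    /* Enable-flag byte read by the stub. */
    if (!replacedata(TempCode, 0x7FF686641BEC, HookAim + 0x5E)) {
        return;
    }
    /* Coordinate data copied by the stub. */
    if (!replacedata(TempCode, 0x7FF686641B21, HookAim + 0x60)) {
        return;
    }
    X64_Write_(GameHanle, CodePage, TempCode, CodeSize);

    /* Make the prologue page writable; the protection is not restored. */
    IOCTL_VirtualProtectEx(GameHanle, m_ProcessId, GameBase + 0X4235F0, 0x1000, PAGE_EXECUTE_READWRITE);
    memcpy(jmp_code + 6, &CodePage, sizeof(CodePage));
    /* TslGame.exe+4235F0 - 48 89 5C 24 08 - mov [rsp+08],rbx */
    X64_Write_(GameHanle, GameBase + 0X4235F0, jmp_code, 14);
}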

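.code

; AimBot: detour stub that InstallAimBot writes to CodePage and reaches via
; the 14-byte `jmp [rip+0]` placed at TslGame.exe+4235F0.
; The three 64-bit immediates below are placeholders; replacedata() rewrites
; them in the copied bytes before the stub is written to the target:
;   7FF686641BECh -> HookAim+5Eh      (enable-flag byte)
;   7FF686641B21h -> HookAim+60h      (8-byte value followed by a 4-byte value)
;   7FF686641B7Eh -> GameBase+42360Ah (resume point after the replayed prologue)
AimBot Proc
    ; Replay of the 26 prologue bytes (TslGame.exe+4235F0 .. +42360A) that
    ; the 14-byte jmp overwrote.
    mov [rsp+8], rbx
    mov [rsp+10h], rsi
    mov [rsp+18h], rdi
    mov [rsp+20h], r14
    push rbp
    lea rbp, [rsp-57h]
    ; Skip the override when the flag byte is non-zero.
    MOV RAX, 7FF686641BECh
    cmp byte ptr [rax], 0
    jne VC
    ; Copy 12 bytes from the data page over the structure RDX points to.
    ; RDI is safe to clobber: the replayed prologue just saved it. RDX is
    ; whatever the hooked function received as its second argument; that it
    ; addresses a coordinate structure is an assumption of this listing, not
    ; something visible here -- review.
    MOV RDI, 7FF686641B21h
    mov eax, dword ptr [rdi+8]
    movsd xmm0, qword ptr [rdi]
    mov dword ptr [rdx+8], eax
    movsd qword ptr [rdx], xmm0
VC:
    ; Resume the original function just past the replayed prologue.
    MOV RAX, 7FF686641B7Eh
    JMP RAX
    int 3
    ; Never executed. CalcShellcodeSize() measures the stub by scanning for
    ; the first 0xC3 byte, and none of the instructions above should encode
    ; one, so without this `ret` the scan runs past the end of the procedure.
    ret
AimBot Endp
end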
防御方只需检测内存页面属性就能发现这类普通的 inline hook:正常由 IMAGE 映射的代码页带有写时复制属性(PAGE_EXECUTE_WRITECOPY),一旦被写入,或像上面 IOCTL_VirtualProtectEx 那样改成 PAGE_EXECUTE_READWRITE,该属性就会丢失。上面的代码改完属性后并未恢复,枚举代码页属性或把页面内容与磁盘映像比对即可发现。
