过QQ游戏大厅的SX保护
来源:互联网 发布:手机网络制式wcdma 编辑:程序博客网 时间:2024/05/01 15:46
早些时间看郁金香的教程,写过qq游戏练练看的挂,那时候CE附加QQ游戏大厅的时候貌似是没有任何保护的,昨天舍友让做个斗地主的记牌器,但是,我用CE附加的时候,被检测到了,其实不附加也会被检测,所以猜测可能只是检测窗口进程或是模块名称啥的吧,被检测到的时候主程序会退出,但是那个对话框还在,就是那个SX什么什么的,所以如果是QQgame启动了某个线程来检测非法的话,在主程序退出其他线程对象都释放掉的时候,那个检测的线程对象还是存在的(提示SX非法的对话框别关掉!)。借助pt很容易就找到了这个线程。
未开CE前线程状态:
开了CE被检测到后的线程状态:
然后该怎么办就不用说了吧,干掉这个线程就OK了。
若是嫌麻烦每次都要开pt找线程的话,可以写个结束这个模块内线程的程序
- #include "stdafx.h"
- #include "windows.h"
- #include "TlHelp32.h"
- const TCHAR QQ_GAME[] = _T("QQGame.exe");
- const TCHAR QQ_THREAD_DLL[] = _T("TenSLX.dll");
- typedef enum _THREADINFOCLASS {
- ThreadBasicInformation,
- ThreadTimes,
- ThreadPriority,
- ThreadBasePriority,
- ThreadAffinityMask,
- ThreadImpersonationToken,
- ThreadDescriptorTableEntry,
- ThreadEnableAlignmentFaultFixup,
- ThreadEventPair_Reusable,
- ThreadQuerySetWin32StartAddress,
- ThreadZeroTlsCell,
- ThreadPerformanceCount,
- ThreadAmILastThread,
- ThreadIdealProcessor,
- ThreadPriorityBoost,
- ThreadSetTlsArrayAddress,
- ThreadIsIoPending,
- ThreadHideFromDebugger,
- ThreadBreakOnTermination,
- MaxThreadInfoClass
- } THREADINFOCLASS;
- typedef LONG (__stdcall *_pfnZwQueryInformationThread) (
- IN HANDLE ThreadHandle,
- IN THREADINFOCLASS ThreadInformationClass,
- OUT PVOID ThreadInformation,
- IN ULONG ThreadInformationLength,
- OUT PULONG ReturnLength OPTIONAL
- );
- HANDLE m_GameProcessHandle;
- //记录QQ_THREAD_DLL信息
- BYTE * m_pmodBaseAddr;
- DWORD m_dwmodBaseSize;
- _pfnZwQueryInformationThread m_pfnZwQueryInformationThread;
- BOOL StartPatch();//PATCHQQ主函数
- DWORD EnablePrivilege (LPCTSTR name);//提权函数
- BOOL ListProcessModules(DWORD dwPID);//枚举指定进程的模块
- BOOL ListProcessThreads( DWORD dwOwnerPID);//枚举指定进程创建的线程,并结束掉QQ保护线程
- PVOID ShowThreadInfo(DWORD tid);//获取线程的起始地址
- int _tmain(int argc, _TCHAR* argv[])
- {
- m_pfnZwQueryInformationThread =(_pfnZwQueryInformationThread)\
- GetProcAddress (LoadLibrary(_T("ntdll.dll")),"ZwQueryInformationThread");
- if (StartPatch())
- {
- printf("可以CE附加QQ游戏大厅了\n");
- }
- else
- printf("失败!\n");
- return 0;
- }
- BOOL StartPatch()
- {
- if(0!=EnablePrivilege (SE_DEBUG_NAME))
- {
- return FALSE;
- }
- HANDLE hProcessSnap;
- PROCESSENTRY32 pe32;
- hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
- if( hProcessSnap == INVALID_HANDLE_VALUE )
- {
- return FALSE;
- }
- pe32.dwSize = sizeof( PROCESSENTRY32 );
- if( !Process32First( hProcessSnap, &pe32 ) )
- {
- CloseHandle( hProcessSnap );
- return FALSE;
- }
- BOOL bStartGame = FALSE;
- do
- {
- if (_tcscmp(pe32.szExeFile, QQ_GAME) == 0)
- {
- bStartGame = TRUE;
- m_GameProcessHandle = OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION,\
- FALSE, pe32.th32ProcessID);
- if (m_GameProcessHandle == NULL)
- {
- return FALSE;
- }
- for (int i=0; i<5;i++)
- {
- if (!ListProcessModules(pe32.th32ProcessID))
- {
- return FALSE;
- }
- }
- if (!ListProcessThreads(pe32.th32ProcessID))
- {
- return FALSE;
- }
- }
- } while( Process32Next( hProcessSnap, &pe32 ) );
- if (!bStartGame)
- {
- MessageBox(NULL,_T("运行QQ大厅后才能使用"),_T("提示"),MB_OK);
- return FALSE;
- }
- CloseHandle( hProcessSnap );
- return TRUE;
- }
- DWORD EnablePrivilege (LPCTSTR name)
- {
- HANDLE hToken;
- BOOL rv;
- //设置结构
- TOKEN_PRIVILEGES priv = { 1, {0, 0, SE_PRIVILEGE_ENABLED} };
- // 查找权限值
- LookupPrivilegeValue (
- 0,
- name,
- &priv.Privileges[0].Luid
- );
- // 打开本进程Token
- OpenProcessToken(
- GetCurrentProcess (),
- TOKEN_ADJUST_PRIVILEGES,
- &hToken
- );
- // 提权
- AdjustTokenPrivileges (
- hToken,
- FALSE,
- &priv,
- sizeof priv,
- 0,
- 0
- );
- // 返回值,错误信息,如果操作成功,则应为ERROR_SUCCESS,为O
- rv = GetLastError();
- // 关闭Token
- CloseHandle (hToken);
- return rv;
- }
- BOOL ListProcessModules(DWORD dwPID)
- {
- HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
- MODULEENTRY32 me32;
- hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwPID );
- if( hModuleSnap == INVALID_HANDLE_VALUE )
- {
- return( FALSE );
- }
- me32.dwSize = sizeof( MODULEENTRY32 );
- if( !Module32First( hModuleSnap, &me32 ) )
- {
- CloseHandle( hModuleSnap );
- return( FALSE );
- }
- do
- {
- if (_tcscmp(me32.szModule, QQ_THREAD_DLL) == 0)
- {
- m_pmodBaseAddr = me32.modBaseAddr;
- m_dwmodBaseSize = me32.modBaseSize;
- }
- }while( Module32Next( hModuleSnap, &me32 ));
- CloseHandle( hModuleSnap );
- return( TRUE );
- }
- BOOL ListProcessThreads( DWORD dwOwnerPID)
- {
- HANDLE hThreadSnap = INVALID_HANDLE_VALUE;
- THREADENTRY32 te32;
- PVOID addr;
- hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
- if( hThreadSnap == INVALID_HANDLE_VALUE )
- return( FALSE );
- te32.dwSize = sizeof(THREADENTRY32 );
- if( !Thread32First( hThreadSnap, &te32 ) )
- {
- CloseHandle( hThreadSnap );
- return( FALSE );
- }
- do
- {
- if( te32.th32OwnerProcessID == dwOwnerPID )
- {
- addr = ShowThreadInfo(te32.th32ThreadID);
- if(((DWORD)addr>(DWORD)m_pmodBaseAddr)&&((DWORD)addr<\
- ((DWORD)m_pmodBaseAddr+(DWORD)m_dwmodBaseSize)))
- {
- HANDLE oth=OpenThread(THREAD_ALL_ACCESS,FALSE,te32.th32ThreadID);
- //关闭这个线程
- TerminateThread(oth, 0);
- }
- }
- } while( Thread32Next(hThreadSnap, &te32 ) );
- CloseHandle( hThreadSnap );
- return( TRUE );
- }
- PVOID ShowThreadInfo(DWORD tid)
- {
- PVOID startaddr;
- HANDLE thread;
- //thread = m_pfnOpenThread_ex(THREAD_ALL_ACCESS,FALSE,tid);
- thread=OpenThread(THREAD_ALL_ACCESS,FALSE,tid);
- if (thread == NULL)
- return FALSE;
- m_pfnZwQueryInformationThread(thread,
- ThreadQuerySetWin32StartAddress,
- &startaddr,
- sizeof(startaddr),
- NULL);
- CloseHandle (thread);
- return startaddr;
- }
#include "stdafx.h"#include "windows.h"#include "TlHelp32.h"const TCHAR QQ_GAME[] = _T("QQGame.exe");const TCHAR QQ_THREAD_DLL[] = _T("TenSLX.dll");typedef enum _THREADINFOCLASS { ThreadBasicInformation, ThreadTimes, ThreadPriority, ThreadBasePriority, ThreadAffinityMask, ThreadImpersonationToken, ThreadDescriptorTableEntry, ThreadEnableAlignmentFaultFixup, ThreadEventPair_Reusable, ThreadQuerySetWin32StartAddress, ThreadZeroTlsCell, ThreadPerformanceCount, ThreadAmILastThread, ThreadIdealProcessor, ThreadPriorityBoost, ThreadSetTlsArrayAddress, ThreadIsIoPending, ThreadHideFromDebugger, ThreadBreakOnTermination, MaxThreadInfoClass } THREADINFOCLASS;typedef LONG (__stdcall *_pfnZwQueryInformationThread) (IN HANDLE ThreadHandle, IN THREADINFOCLASS ThreadInformationClass, OUT PVOID ThreadInformation, IN ULONG ThreadInformationLength, OUT PULONG ReturnLength OPTIONAL );HANDLE m_GameProcessHandle;//记录QQ_THREAD_DLL信息BYTE * m_pmodBaseAddr; DWORD m_dwmodBaseSize;_pfnZwQueryInformationThread m_pfnZwQueryInformationThread;BOOL StartPatch();//PATCHQQ主函数DWORD EnablePrivilege (LPCTSTR name);//提权函数BOOL ListProcessModules(DWORD dwPID);//枚举指定进程的模块BOOL ListProcessThreads( DWORD dwOwnerPID);//枚举指定进程创建的线程,并结束掉QQ保护线程PVOID ShowThreadInfo(DWORD tid);//获取线程的起始地址int _tmain(int argc, _TCHAR* argv[]){m_pfnZwQueryInformationThread =(_pfnZwQueryInformationThread)\GetProcAddress (LoadLibrary(_T("ntdll.dll")),"ZwQueryInformationThread");if (StartPatch()){printf("可以CE附加QQ游戏大厅了\n");}elseprintf("失败!\n");return 0;}BOOL StartPatch(){if(0!=EnablePrivilege (SE_DEBUG_NAME)) {return FALSE; }HANDLE hProcessSnap;PROCESSENTRY32 pe32;hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );if( hProcessSnap == INVALID_HANDLE_VALUE ){return FALSE;}pe32.dwSize = sizeof( PROCESSENTRY32 );if( !Process32First( hProcessSnap, &pe32 ) ){CloseHandle( hProcessSnap );return FALSE;}BOOL bStartGame = FALSE;do{if (_tcscmp(pe32.szExeFile, QQ_GAME) == 0){bStartGame = TRUE;m_GameProcessHandle = OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION,\FALSE, pe32.th32ProcessID);if (m_GameProcessHandle == NULL){return FALSE;}for (int i=0; i<5;i++){if (!ListProcessModules(pe32.th32ProcessID)){return FALSE;}}if (!ListProcessThreads(pe32.th32ProcessID)){return FALSE;}}} while( Process32Next( hProcessSnap, &pe32 ) );if (!bStartGame){MessageBox(NULL,_T("运行QQ大厅后才能使用"),_T("提示"),MB_OK);return FALSE;}CloseHandle( hProcessSnap );return TRUE;}DWORD EnablePrivilege (LPCTSTR name) { HANDLE hToken; BOOL rv; //设置结构 TOKEN_PRIVILEGES priv = { 1, {0, 0, SE_PRIVILEGE_ENABLED} }; // 查找权限值 LookupPrivilegeValue ( 0, name, &priv.Privileges[0].Luid ); // 打开本进程Token OpenProcessToken( GetCurrentProcess (), TOKEN_ADJUST_PRIVILEGES, &hToken ); // 提权 AdjustTokenPrivileges ( hToken, FALSE, &priv, sizeof priv, 0, 0 ); // 返回值,错误信息,如果操作成功,则应为ERROR_SUCCESS,为O rv = GetLastError(); // 关闭Token CloseHandle (hToken); return rv; } BOOL ListProcessModules(DWORD dwPID){HANDLE hModuleSnap = INVALID_HANDLE_VALUE;MODULEENTRY32 me32;hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwPID );if( hModuleSnap == INVALID_HANDLE_VALUE ){return( FALSE );}me32.dwSize = sizeof( MODULEENTRY32 );if( !Module32First( hModuleSnap, &me32 ) ){CloseHandle( hModuleSnap );return( FALSE );}do{if (_tcscmp(me32.szModule, QQ_THREAD_DLL) == 0){m_pmodBaseAddr = me32.modBaseAddr;m_dwmodBaseSize = me32.modBaseSize;}}while( Module32Next( hModuleSnap, &me32 ));CloseHandle( hModuleSnap );return( TRUE );}BOOL ListProcessThreads( DWORD dwOwnerPID) { HANDLE hThreadSnap = INVALID_HANDLE_VALUE; THREADENTRY32 te32; PVOID addr;hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 ); if( hThreadSnap == INVALID_HANDLE_VALUE ) return( FALSE ); te32.dwSize = sizeof(THREADENTRY32 ); if( !Thread32First( hThreadSnap, &te32 ) ) {CloseHandle( hThreadSnap ); return( FALSE );}do { if( te32.th32OwnerProcessID == dwOwnerPID ){addr = ShowThreadInfo(te32.th32ThreadID);if(((DWORD)addr>(DWORD)m_pmodBaseAddr)&&((DWORD)addr<\((DWORD)m_pmodBaseAddr+(DWORD)m_dwmodBaseSize))){HANDLE oth=OpenThread(THREAD_ALL_ACCESS,FALSE,te32.th32ThreadID);//关闭这个线程TerminateThread(oth, 0);}}} while( Thread32Next(hThreadSnap, &te32 ) ); CloseHandle( hThreadSnap );return( TRUE );}PVOID ShowThreadInfo(DWORD tid) { PVOID startaddr; HANDLE thread; //thread = m_pfnOpenThread_ex(THREAD_ALL_ACCESS,FALSE,tid);thread=OpenThread(THREAD_ALL_ACCESS,FALSE,tid);if (thread == NULL) return FALSE;m_pfnZwQueryInformationThread(thread,ThreadQuerySetWin32StartAddress, &startaddr, sizeof(startaddr), NULL); CloseHandle (thread); return startaddr; }
0 0
- 过QQ游戏大厅的SX保护
- 过QQ游戏大厅的SX保护
- 过QQ游戏大厅的SX保护
- 过QQ游戏大厅SX非法
- 类似QQ游戏大厅导航的树型控件
- 关于QQ游戏大厅的架构我也想说几句
- qq游戏大厅中解析不安装apk的研究
- qq游戏大厅中解析不安装apk的研究
- QQ游戏大厅产品体验报告
- QQ大厅游戏 大家来找茬辅助
- 分析Android版QQ游戏大厅中游戏的启动机制
- QQ游戏大厅的你画我猜游戏白屏问题解决
- 游戏大厅的部分代码
- 过游戏保护驱动
- CTreeCtrl——类似QQ游戏大厅导航的树型控件
- android实现QQ游戏大厅一样的启动第三方APP
- 简单过QQ的nProtect键盘加密保护
- Visual C++开发类似QQ游戏大厅全过程
- 联想收购摩托罗拉的两大历史意义解读
- 辞旧迎新——2013年度总结
- oracle定期生成和删除表分区
- 随机读取N条记录(MySQL、SQL Server、Access、Oracle、postgreSQL)
- 字符串小写转换
- 过QQ游戏大厅的SX保护
- 数理篇
- Linux 静态库与动态库搜索路径设置
- BZOJ 1208: [HNOI2004]宠物收养所
- 1.9 UIApplication生命周期
- POJ 1151 线段树 矩形面积并
- 单片机位数
- Introducing the Selenium-WebDriver API by Example
- QQ2011多开的实现