Reverse developers in the development process, there are a lot of people may encounter such a problem:
Without opening the game, some of the function calls and normal use.
But after running in the game. This class direct function failure.
The most typical example is the FPS and DNF.
The vast majority detection platformer game will shield execute mouse and keyboard class functions taken over by the security system, the most typical function mouse_event ()
So is there any way to relieve this function or thinking shield it? The answer is yes.
Analysis:
First, the function fails, only for the game itself, when the game is minimized, normal function call, indicating that the protection is not directly HOOK R0 global, but after the game to run, go call HOOK function. The open Microsoft kernel function interface more and more strict, new out of the win10 and new versions of win7 system, want HOOK difficulty slowly increases in R0 layer, which is the drive to protect certain games because of a system failure in 10 .
确定了屏蔽函数是在游戏程序中调用而不是全局执行,还需确定以下几点:
1, when the mask function is performed (eg: start the game after the game starts or is completed)
2, the mask function is located (eg: a game after a module is loaded, it functions failure can be determined)
3, find HOOK mouse_event () place, to restore it (not necessarily directly HOOK mouse_event, more likely to be more of an inner call to the function HOOK)
First determine the first point: when to perform the shielding function is very simple, write a call mouse_event program, kept calling back and forth, and when failure to observe the function, tested, some FPS after the second process communication (a first appearance process, load modules and drivers, and then restart the loaded and driven by the protection process), i.e., the mask function is loaded.
The second point is followed by: the mask function on a basis of location on the function at the moment of failure, and other third-party tools PCHunter observed what modules are loaded.
Only 3 modules are loaded, and we did call the function fails, then the shield function given in three modules. And wherein the main module (exe module) can be ignored, the detection means do not generally present among the main thread. So only xxxbase.dll and bugxxx.dll. Want to test is very simple, you can not let it load dll. Of course, the game does not load the dll is not go up, but not the shadow mouse_event failure.
There is the game process, but mouse_event did not fail, indicating shielding function located xxxbase.dll somewhere.
Then, after loading xxxbase.dll, the mouse hook kernel, the kernel function is observed shielded.
Here, there are several ways to recover / prevent its next HOOK.
1, to the original function address, write code directly to restore the original appearance of the R0 layer
2, find the function BASE under HOOK directly or NOP JMP to prevent its execution (the current mainstream)
3, with the right tools to recover directly HOOK .
