Software cracking has just been exposed to drive writing, and many things are not familiar with it. After a long time, we have recorded the process that may be valuable to everyone.
The problem we encountered at the beginning was that we could not debug the kernel because we needed to write the driver. Generally, kernel debugging is disabled by calling kddisabledebugger in the driver. A function is used to trace back to the driver to check whether the kernel is disabled successfully. Code Otherwise, the kddisabledebugger function is called cyclically.
My practice is to modify the kddisabledebugger code so that kernel debugging cannot be disabled no matter when it is called. It is nothing more than driving the endless loop that will cause the machine to become stuck, set a breakpoint on the kddisabledebugger. After the breakpoint is interrupted, change the kddisabledebugger and driver code, disable the breakpoint, and continue the kernel execution. I am using the following command to do this:
Then, the hook function in the driver is restored. In order to find the hook function in the kernel ssdt table and read the information on the Internet, some tools can do this, first, I have never used any tools, but I will not use them. Second, I want to find the specific inline hook address in the kernel, so I used the following windbg script to do this. Before running the script, I need to write down the values of eax, EBX, and ECx. After the script is run, it will be restored. Of course, you can also use pseudo registers in windbg, but the syntax is somewhat unfamiliar, so you can directly use the ready-made register. Before starting the game, dump it:
. Logopen c: \ logs \ beforehook.txt # Put it in a log because dump has many items.
R EBX = 0 # counter
# Traverse the ssdt table and dump the assembly code of each function. Because the size of each function is unknown, every function dumps 1000 rows.
R ECx = poi (NT! Keservicedescriptortable)
. For (r eax = ECx; @ eax <ECx + 0x474; reax = eax + 4; rebx = EBX + 1) {r EBX; U poi (@ eax) L1000}
# Save log
. Logclose
Next, after the game is started, dump it again and compare it with kdiff3 to find out which functions have been modified.
After you see the function to be hooked and add online information, refer to this article in the snow:
Http://bbs.pediy.com/showthread.php? T = 126802
However, the tragedy is that sometimes the Tx code is modified and the machine is restarted directly. See another article in the snow. Article , Solved the problem of restarting:
Http://bbs.pediy.com/showthread.php? T = 129810 & Highlight = DNF
A lot of things have been thoroughly studied by the heroes, but I am stupid and spend a lot of time figuring out the entire process. The complete-driven code can be found in my help post:
Http://www.ghoffice.com/bbs/read-htm-tid-91059.html
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
