如何解决C ++中的内存更改检测功能无法正确检测到某些恶意软件
我为基于 Windows 的私人在线游戏安装了防作弊系统。 我拥有的最受欢迎的功能之一是内存更改检测。 用于内存更改检测的源代码:
bool MEMORY_PROTECTION_INIT() // OK
{
bool ClearFileMapping = 0;
if((FileMappingHandle=CreateFileMapping(INVALID_HANDLE_VALUE,PAGE_READWRITE,sizeof(HACK_VERIFY_FILE_MAPPING),"Local\\HACK_VERIFY_FILE_MAPPING")) == 0)
{
return 0;
}
if(GetLastError() == ERROR_ALREADY_EXISTS)
{
ClearFileMapping = 0;
}
else
{
ClearFileMapping = 1;
}
if((lpHackVerifyFileMapping=(HACK_VERIFY_FILE_MAPPING*)MapViewOfFile(FileMappingHandle,FILE_MAP_ALL_ACCESS,sizeof(HACK_VERIFY_FILE_MAPPING))) == 0)
{
return 0;
}
if(ClearFileMapping != 0)
{
lpHackVerifyFileMapping->Clear();
}
MemoryProtectionTime = GetTickCount();
return 1;
}
bool MEMORY_PROTECTION_SCAN() // OK
{
if(gMemoryguardSwitch == 0 || (gMemoryguardNumber & MEMORY_GUARD_NUMBER_INJECT) == 0)
{
return 1;
}
for(DWORD n=0;n < lpHackVerifyFileMapping->WriteVirtualMemoryCount;n++)
{
HACK_VERIFY_FILE* lpHackVerifyFile = &lpHackVerifyFileMapping->WriteVirtualMemoryTable[n];
if(lpHackVerifyFile->time >= MemoryProtectionTime)
{
if(lpHackVerifyFile->spid != GetCurrentProcessId())
{
if(lpHackVerifyFile->tpid == GetCurrentProcessId())
{
CHClientdisconnectSend(CLIENT_disCONNECT_MEMORY_DETECTION,lpHackVerifyFile->spid);
return 1;
}
}
}
}
return 1;
}
bool HANDLE_PROTECTION_INIT() // OK
{
CProcessQuery ProcessQuery;
HANDLE HandleValue = OpenProcess(PROCESS_VM_READ,GetCurrentProcessId());
if(ProcessQuery.Fetch(SystemExtendedHandleinformation,sizeof(SYstem_HANDLE_INFO_EX)) != 0)
{
SYstem_HANDLE_INFO_EX* lpSystemHandleInfo = ProcessQuery.GetExtendedHandleInfo();
if(lpSystemHandleInfo != 0)
{
SYstem_HANDLE_ENTRY_INFO_EX* lpSystemHandleEntryInfo = lpSystemHandleInfo->Handles;
if(lpSystemHandleEntryInfo != 0)
{
for(DWORD n=0;n < lpSystemHandleInfo->NumberOfHandles;n++,lpSystemHandleEntryInfo++)
{
if(lpSystemHandleEntryInfo->UniqueProcessId == GetCurrentProcessId() && lpSystemHandleEntryInfo->HandleValue == ((DWORD)HandleValue))
{
HandleProtectionNumber = (DWORD)lpSystemHandleEntryInfo->ObjectTypeIndex;
HandleProtectionObject = (DWORD)lpSystemHandleEntryInfo->Object;
ProcessQuery.Close();
return 1;
}
}
}
}
}
ProcessQuery.Close();
return 0;
}
bool HANDLE_PROTECTION_SCAN() // OK
{
if(gMemoryguardSwitch == 0 || (gMemoryguardNumber & MEMORY_GUARD_NUMBER_HANDLE) == 0)
{
return 1;
}
static CProcessQuery ProcessQuery;
std::map<DWORD,std::vector<DWORD>> HandleProtectionTable;
if(ProcessQuery.Fetch(SystemExtendedHandleinformation,lpSystemHandleEntryInfo++)
{
if(lpSystemHandleEntryInfo->UniqueProcessId != GetCurrentProcessId() && lpSystemHandleEntryInfo->ObjectTypeIndex == HandleProtectionNumber && lpSystemHandleEntryInfo->Object == ((LPVOID)HandleProtectionObject) && (lpSystemHandleEntryInfo->GrantedAccess & PROCESS_VM_WRITE) != 0)
{
std::map<DWORD,std::vector<DWORD>>::iterator it = HandleProtectionTable.find(lpSystemHandleEntryInfo->UniqueProcessId);
if(it == HandleProtectionTable.end())
{
HandleProtectionTable.insert(std::pair<DWORD,std::vector<DWORD>>(lpSystemHandleEntryInfo->UniqueProcessId,std::vector<DWORD>(1,lpSystemHandleEntryInfo->HandleValue)));
continue;
}
else
{
if(it->second.size() >= 10)
{
CHClientdisconnectSend(CLIENT_disCONNECT_MEMORY_DETECTION,lpSystemHandleEntryInfo->UniqueProcessId);
return 0;
}
else
{
it->second.push_back(lpSystemHandleEntryInfo->HandleValue);
continue;
}
}
}
}
}
}
}
return 1;
}
bool MEMORY_CHECK_ATTACH() // OK
{
CCRC32 CRC32;
MODULEINFO ModuleInfo;
memset(&ModuleInfo,sizeof(ModuleInfo));
if(GetModuleinformation(GetCurrentProcess(),GetModuleHandle(0),&ModuleInfo,sizeof(ModuleInfo)) == 0)
{
return 0;
}
IMAGE_NT_HEADERS32* lpNtHeader = (IMAGE_NT_HEADERS32*)((DWORD)ModuleInfo.lpBaSEOfDll+((IMAGE_DOS_HEADER*)ModuleInfo.lpBaSEOfDll)->e_lfanew);
IMAGE_SECTION_HEADER* lpSectionHeader = (IMAGE_SECTION_HEADER*)((DWORD)lpNtHeader+sizeof(IMAGE_NT_HEADERS32));
for(int n=0;n < lpNtHeader->FileHeader.NumberOfSections;n++)
{
MEMORY_CHECK_SOURCE data;
data.VirtualAddress = (DWORD)ModuleInfo.lpBaSEOfDll+lpSectionHeader[n].VirtualAddress;
data.VirtualSize = lpSectionHeader[n].Misc.VirtualSize;
data.VirtualChecksum = CRC32.FullCRC((BYTE*)data.VirtualAddress,data.VirtualSize);
MemoryCheckSource.insert(std::pair<DWORD,MEMORY_CHECK_SOURCE>(data.VirtualAddress,data));
break;
}
return 1;
}
bool MEMORY_CHECK_DETACH() // OK
{
CCRC32 CRC32;
for(std::map<DWORD,MEMORY_CHECK_SOURCE>::iterator it=MemoryCheckSource.begin();it != MemoryCheckSource.end();it++)
{
if(it->second.VirtualChecksum != CRC32.FullCRC((BYTE*)it->second.VirtualAddress,it->second.VirtualSize))
{
return 0;
}
}
return 1;
}
由于某些原因,它在某些恶意软件上可以正常工作,但是该功能未检测到某些软件(也在进行内存更改)。 经过几次检查,我意识到两种作弊方式之间的区别是内存基址。 对于该功能检测到的地址,正在调用Heap(id2)的基地址为 0x30000 。尽管该功能未检测到的软件-调用heap(id2)的基地址(-相同用法)为 0x10000 (第一个)。
有什么想法我应该做些什么改变以确保阻止这些作弊?
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
