本帖最后由 最后的戴托纳 于 2023-3-31 04:24 编辑 [Ruby] 纯文本查看 复制代码
早在大概20年左右 我就注意到了github dma的项目
也就是这个 https://github.com/slack2450/csgo-dma-overlay
该项目使用了DMA来绕过反作弊实际原理比这个更加复杂一些
不过这篇帖子只讨论关于DMA部分的内容
其实DMA全称Direct Memory Access,即直接存储器访问
也就是利用PCIE设备来直接读写物理内存这种方式绕过了操作系统
做到了可以在目标机上没有任何代码运行的情况下做到读写内存的操作
这个项目是DMA的发源地 https://github.com/ufrisk/pcileech
具体关于DMA物理读写设备的原理都可以参考这个项目包括上面那个CSGO的读写绘制也是依赖了pcileech
大概年前 通过一位朋友拿到了一块DMA读写设备
拿回来了以后一直压箱底 没有去玩 不得不说万能的朋友圈真是啥都有
今天有空于是拿出来试了试首先是下载DMA依赖
或者我喜欢称之为基础库
因为DMA只能读物理内存
但当前的操作系统都有虚拟内存到物理内存的转换一个物理内存可以对应多个虚拟内存等等知识不再具体聊下去了
所以pcileech这个装备库就帮你完成了绝大多数的工作你可以直接输入虚拟内存 然后他会自动帮你转换再通过DMA设备进行读取内容总之这个库的功能十分强大
[C++] 纯文本查看 复制代码
char* temp_str[] = { "","-device","FPGA" }; VMM_HANDLE handle = VMMDLL_Initialize(3, temp_str); SIZE_T pcPIDs; VMMDLL_PidList(handle, nullptr, &pcPIDs); DWORD* pPIDs = (DWORD*)new char[pcPIDs * 4]; VMMDLL_PidList(handle, pPIDs, &pcPIDs); for (int i = 0; i < pcPIDs; i++) { VMMDLL_PROCESS_INFORMATION ProcessInformation = { 0 }; ProcessInformation.magic = VMMDLL_PROCESS_INFORMATION_MAGIC; ProcessInformation.wVersion = VMMDLL_PROCESS_INFORMATION_VERSION; SIZE_T pcbProcessInformation = sizeof(VMMDLL_PROCESS_INFORMATION); VMMDLL_ProcessGetInformation(handle, pPIDs[i], &ProcessInformation, &pcbProcessInformation); std::cout << pPIDs[i] << "---" << ProcessInformation.szName; VMMDLL_MAP_MODULEENTRY* ppModuleMapEntry = nullptr; VMMDLL_Map_GetModuleFromNameU(handle, pPIDs[i], ProcessInformation.szName, &ppModuleMapEntry,VMMDLL_MODULE_FLAG_NORMAL); if (ppModuleMapEntry) { std::cout << "---" << ppModuleMapEntry->uszFullName << std::endl; if (ProcessInformation.szName == std::string("dwm.exe")) { std::cout << "IMAGE:"<<std::hex << ppModuleMapEntry->vaBase << std::endl; ULONG temp = 0; VMMDLL_MemRead(handle, pPIDs[i], ppModuleMapEntry->vaBase, (PBYTE)&temp, 4); std::cout << "temp:" << temp << std::endl; temp = 0; VMMDLL_MemWrite(handle, pPIDs[i], ppModuleMapEntry->vaBase, (PBYTE)&temp, 4); VMMDLL_MemRead(handle, pPIDs[i], ppModuleMapEntry->vaBase, (PBYTE)&temp, 4); std::cout << "temp:" << temp << std::endl; } } else { std::cout << std::endl; } }[C++] 纯文本查看 复制代码
typedef struct tdVMMDLL_PROCESS_INFORMATION { ULONG64 magic; WORD wVersion; WORD wSize; VMMDLL_MEMORYMODEL_TP tpMemoryModel; // as given by VMMDLL_MEMORYMODEL_* enum VMMDLL_SYSTEM_TP tpSystem; // as given by VMMDLL_SYSTEM_* enum BOOL fUserOnly; // only user mode pages listed DWORD dwPID; DWORD dwPPID; DWORD dwState; CHAR szName[16]; CHAR szNameLong[64]; ULONG64 paDTB; ULONG64 paDTB_UserOpt; // may not exist struct { ULONG64 vaEPROCESS; ULONG64 vaPEB; ULONG64 _Reserved1; BOOL fWow64; DWORD vaPEB32; // WoW64 only DWORD dwSessionId; ULONG64 qwLUID; CHAR szSID[MAX_PATH]; VMMDLL_PROCESS_INTEGRITY_LEVEL IntegrityLevel; } win; } VMMDLL_PROCESS_INFORMATION, *PVMMDLL_PROCESS_INFORMATION;同时VMMDLL_Map_GetModuleFromName这个函数还能获取模块地址以及模块大小等等信息[C++] 纯文本查看 复制代码
typedef struct tdVMMDLL_MAP_MODULEENTRY { QWORD vaBase; QWORD vaEntry; DWORD cbImageSize; BOOL fWoW64; union { LPSTR uszText; LPWSTR wszText; }; // U/W dependant DWORD _Reserved3; DWORD _Reserved4; union { LPSTR uszFullName; LPWSTR wszFullName; }; // U/W dependant VMMDLL_MODULE_TP tp; DWORD cbFileSizeRaw; DWORD cSection; DWORD cEAT; DWORD cIAT; DWORD _Reserved2; QWORD _Reserved1[3]; PVMMDLL_MAP_MODULEENTRY_DEBUGINFO pExDebugInfo; // not included by default - use VMMDLL_MODULE_FLAG_DEBUGINFO to include. PVMMDLL_MAP_MODULEENTRY_VERSIONINFO pExVersionInfo; // not included by default - use VMMDLL_MODULE_FLAG_VERSIONINFO to include. } VMMDLL_MAP_MODULEENTRY, *PVMMDLL_MAP_MODULEENTRY;拿到MZ 完全没问题查看全部评分
