How do I access a protected process's .exe address?

I am writing anti-cheat software for a video game. Using CreateToolhelp32Snapshot I can get a list of open processes. From there I would like to find the address of each process and read through its .exe file. While this works for most processes, protected processes deny access to methods such as OpenProcess or GetModuleFileNameEx. Assuming my application is being run as administrator, is there a workaround to finding protected processes' addresses?

Cheat Engine is not a Protected Process and neither are 99.9% of cheats. You can check the certificate for the exe in Process Hacker and you will see it only has Code Signing and no Protected Process designation.

If you cannot access a cheat's memory it's because they're protecting it with a kernel driver. You must also be running in kernel if you want to touch the process. If they have somehow created a PP then you need to be in kernel.

There are many usermode methods they can use to protect themselves as well; they can simply hook OpenProcess() in every running process including yours and return 0 when you're trying to open their process.

You would need to get a copy of the cheat and reverse engineer it to figure out how it's protecting itself, then you can start removing or bypassing these protections.
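
An added example, not part of the original question or answer: for the image path alone (not memory access), a handle opened with PROCESS_QUERY_LIMITED_INFORMATION plus QueryFullProcessImageNameW is enough, and Windows grants that right even on protected processes. It is written in Python via ctypes (the same Win32 calls apply from C/C++); `load_kernel32`, `image_path` and `audit` are names chosen here, and a process shielded by a kernel driver or a hooked OpenProcess still lands in the denied list, which is worth logging in its own right.

```python
import ctypes
import os
import sys

# Real Win32 access right. Windows still grants it on protected processes,
# unlike PROCESS_QUERY_INFORMATION or PROCESS_VM_READ.
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

def load_kernel32():
    """Windows only: bind the Win32 calls with 64-bit-safe handle types."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.QueryFullProcessImageNameW.argtypes = [
        ctypes.c_void_p, ctypes.c_uint32, ctypes.c_wchar_p,
        ctypes.POINTER(ctypes.c_uint32)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    return k32

def image_path(pid, k32):
    """Return the Win32 image path of pid, or None if limited query is refused."""
    handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if not handle:
        return None
    try:
        buf = ctypes.create_unicode_buffer(32768)  # longest extended-length path
        size = ctypes.c_uint32(len(buf))           # in: capacity, out: chars written
        ok = k32.QueryFullProcessImageNameW(handle, 0, buf, ctypes.pointer(size))
        return buf.value if ok else None
    finally:
        k32.CloseHandle(handle)

def audit(pids, k32):
    """Split PIDs into {pid: path} and a list of PIDs that could not be queried."""
    paths, denied = {}, []
    for pid in pids:
        path = image_path(pid, k32)
        if path is None:
            denied.append(pid)
        else:
            paths[pid] = path
    return paths, denied

if __name__ == "__main__":  # run on Windows, ideally from an elevated prompt
    pids = [int(arg) for arg in sys.argv[1:]] or [os.getpid()]
    paths, denied = audit(pids, load_kernel32())
    for pid, path in paths.items():
        print(pid, path)
    print("could not query:", denied)
```

The returned path can then be opened as an ordinary file to hash or inspect the .exe on disk, using the PIDs already collected from CreateToolhelp32Snapshot.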
