
EasyAntiCheat KernelMode Driver Some Information

dumped time: 2020/6/2
game:apex legends

eac runtime import:[Eac Runtime__2020_6_2_Import]
hwid ioctl 转储（按公开的 CTL_CODE 定义解码：0x7C088 = SMART_RCV_DRIVE_DATA，0x2D1400 = IOCTL_STORAGE_QUERY_PROPERTY，0x170002 = IOCTL_NDIS_QUERY_GLOBAL_STATS，对应磁盘序列号与网卡 MAC 等硬件指纹的采集；前两者由 IoBuildDeviceIoControlRequest 在内核里直接构造 IRP 下发，用户态的 DeviceIoControl 钩子拦截不到）

EAC->IoBuildDeviceIoControlRequest ret:FFFFF80CE7C816B7 Code:7c088 InternalDeviceIoControl:0
EAC->IoBuildDeviceIoControlRequest ret:FFFFF80CE7C816B7 Code:2d1400 InternalDeviceIoControl:0
EAC->IoBuildDeviceIoControlRequest ret:FFFFF80CE7C816B7 Code:2d1400 InternalDeviceIoControl:0
EAC->IoBuildDeviceIoControlRequest ret:FFFFF80CE7C816B7 Code:7c088 InternalDeviceIoControl:0
EAC->IoBuildDeviceIoControlRequest ret:FFFFF80CE7C816B7 Code:2d1400 InternalDeviceIoControl:0
EAC->IoBuildDeviceIoControlRequest ret:FFFFF80CE7C816B7 Code:2d1400 InternalDeviceIoControl:0
EAC->IoBuildDeviceIoControlRequest ret:FFFFF80CE7C816B7 Code:2d1400 InternalDeviceIoControl:0
EAC->IoBuildDeviceIoControlRequest ret:FFFFF80CE7C816B7 Code:2d1400 InternalDeviceIoControl:0
EAC->NtDeviceIoControlFile ret:FFFFF80CE7CBAB68 Code:170002

读取所有驱动程序的可执行段，疑似对其计算校验和（下面的记录里地址每次前进一页、NumberOfBytes 每次减少 0x1000，看起来是逐页遍历并把剩余长度作为请求大小传入）

eAc_MmCopyMemory: addressFFFFF80AECD5D000 NumberOfBytes:3000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD5E000 NumberOfBytes:2000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD5F000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC496000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD7B000 NumberOfBytes:a5000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC497000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD7C000 NumberOfBytes:a4000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD7D000 NumberOfBytes:a3000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD7E000 NumberOfBytes:a2000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC498000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD7F000 NumberOfBytes:a1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD80000 NumberOfBytes:a0000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC499000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD81000 NumberOfBytes:9f000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD82000 NumberOfBytes:9e000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD83000 NumberOfBytes:9d000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC49A000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD84000 NumberOfBytes:9c000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD85000 NumberOfBytes:9b000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD86000 NumberOfBytes:9a000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC49B000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD87000 NumberOfBytes:99000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD88000 NumberOfBytes:98000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD89000 NumberOfBytes:97000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC49C000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD8A000 NumberOfBytes:96000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD8B000 NumberOfBytes:95000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC49D000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD8C000 NumberOfBytes:94000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD8D000 NumberOfBytes:93000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD8E000 NumberOfBytes:92000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC49E000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD8F000 NumberOfBytes:91000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD90000 NumberOfBytes:90000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC49F000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD91000 NumberOfBytes:8f000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD92000 NumberOfBytes:8e000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD93000 NumberOfBytes:8d000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD94000 NumberOfBytes:8c000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC4A0000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD95000 NumberOfBytes:8b000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD96000 NumberOfBytes:8a000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC4A1000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC4A2000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD97000 NumberOfBytes:89000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD98000 NumberOfBytes:88000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC4A3000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD99000 NumberOfBytes:87000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD9A000 NumberOfBytes:86000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC4A4000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC4A5000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
  ((void (__fastcall *)(signed __int64, _QWORD, signed __int64))loc_FFFFF801657D54F0)(
                      v30,
                      v10->crc_Table,
                      4i64 * v10->unsignedC);
                    v31 = *(_DWORD *)(v27 + 8 * v28 + 12);
                    if ( v31 )
                    {
                      v32 = 0;
                      if ( v31 )
                      {
                        v33 = 0i64;
                        do
                        {
                          ++v32;
                          *(_DWORD *)(v33 + *(_QWORD *)(v27 + 8 * v28 + 16)) ^= *(_DWORD *)(v27 + 8 * v28);
                          v33 += 4i64;
                        }
                        while ( v32 < *(_DWORD *)(v27 + 8 * v28 + 12) );
                      }
                    }
                    dword_FFFFF801657F3AB8 = 1702630466;
                  }
                  v8 = v37;
                }
                MEMORY[0](-8790095216480i64);
              }
              v34 = get_driver_Crc(v10, v8, v7, *(_QWORD *)(v6 + 0x10), v5, a5);
              v35 = v10->crc_Table;
              v9 = v34 == 0 ? 0xC0000005 : 0;
              if ( v35 )
                free(v35);
              free((__int64)v10);
LABEL_48:
              if ( (v9 & 0x80000000) == 0 && *a5 )
                return v9;
              goto LABEL_50;
            }
          }
        }
      }

/*
 * get_driver_Crc — re-reads a memory range through Eac_MemCopy and compares it,
 * chunk by chunk, against a precomputed 32-bit checksum table.
 *
 * IDA decompiler output; the symbol names are the analyst's.  What the visible
 * code establishes:
 *   a1  context: crc_Table (array of 32-bit values), unsigned8 (chunk size, used
 *       both as alignment and as stride) and unsignedC (number of table entries)
 *   a2  start of the range to verify; rounded DOWN to a1->unsigned8
 *   a3  length of the range; rounded UP to a multiple of a1->unsigned8
 *   a4  base address the table is relative to: table index = (addr - a4) / unsigned8
 *   a5  out: pointer to an array of 64-bit slots that receives the original address
 *       of every mismatching chunk.  No capacity check is visible — the caller
 *       must size *a5 for the worst case (one entry per chunk).
 *   a6  in/out: number of entries already in *a5, bumped once per mismatch
 * Returns 1 when the range could be read in full (mismatches are reported only
 * through a5/a6), 0 when the allocation or the copy failed.
 */
char __fastcall get_driver_Crc(struct_v8 *a1, __int64 a2, unsigned __int64 a3, __int64 a4, _QWORD *a5, _DWORD *a6)
{
  unsigned __int64 v6; // rdi
  char v7; // si
  struct_v8 *v8; // r13
  __int64 address; // r15
  unsigned __int64 v10; // rdi
  unsigned __int64 v11; // rbp
  char *buffer; // rax
  __int64 buffer_2; // r12
  unsigned __int64 v14; // rbx
  unsigned __int64 max_ptr; // rdi
  unsigned __int64 local_ptr; // rsi
  __int64 v17; // rdx
  unsigned __int64 v19; // [rsp+60h] [rbp+8h]
  char *buffer_1; // [rsp+68h] [rbp+10h]
  __int64 v21; // [rsp+78h] [rbp+20h]

  v21 = a4;
  v6 = a1->unsigned8;
  v7 = 0;
  v8 = a1;
  /* Align the start down to the chunk size.  The ~(n-1) mask only aligns
   * correctly when unsigned8 is a power of two — nothing here checks that. */
  address = a2 & ~(v6 - 1);
  /* Round the length up to a whole number of chunks. */
  v10 = a3 / v6 * v6;
  if ( a3 % a1->unsigned8 )
    v10 += a1->unsigned8;
  /* Page-aligned base of the copy; everything below is addressed relative to it. */
  v11 = address & 0xFFFFFFFFFFFFF000ui64;
  /* allocate() takes no size — presumably a fixed-size scratch buffer.  Its
   * capacity is not visible here, so nothing below can be checked against it. */
  buffer = (char *)allocate();
  buffer_2 = (__int64)buffer;
  buffer_1 = buffer;
  if ( buffer )
  {
    /* Copy whole pages starting at the page base and accept only a full-length
     * result; a short read (unmapped page) aborts verification without reporting.
     * NOTE(review): the length is rounded from v10 alone, not from
     * (address - v11) + v10.  If a2 is ever not page-aligned, the last up-to-0xFFF
     * bytes of the range lie beyond what was copied and the loop below still
     * checksums them from the buffer — confirm callers always pass page-aligned a2. */
    if ( Eac_MemCopy(address & 0xFFFFFFFFFFFFF000ui64, (v10 + 0xFFF) & 0xFFFFFFFFFFFFF000ui64, buffer) == ((v10 + 0xFFF) & 0xFFFFFFFFFFFFF000ui64) )
    {
      /* (buffer_2 - v11) is the delta between the copy and the original addresses;
       * v14 is the position in the copy that corresponds to `address`. */
      v14 = address + buffer_2 - v11;
      max_ptr = v14 + v10;
      local_ptr = address + buffer_2 - v11;
      if ( v14 < max_ptr )
      {
        do
        {
          /* Table index of this chunk, measured from a4 (the table's base). */
          v19 = (local_ptr - (buffer_2 - v11) - v21) / v8->unsigned8;
          /* Bounds check against the table, then compare the stored value with a
           * fresh computation over the copied chunk.  sub_FFFFF801657C5C80 is
           * presumably the checksum routine (called with (ptr, len, 0)); its
           * identity is not established on this page. */
          if ( v19 < v8->unsignedC
            && *(_DWORD *)(v8->crc_Table + 4 * v19) != (unsigned int)sub_FFFFF801657C5C80(
                                                                       local_ptr,
                                                                       v8->unsigned8,
                                                                       0i64) )
          {
            /* Record the ORIGINAL address of the mismatching chunk (delta removed).
             * No bound on *a5 is checked here. */
            v17 = (unsigned int)*a6;
            *(_QWORD *)(*a5 + 8 * v17) = local_ptr - (buffer_2 - v11);
            *a6 = v17 + 1;
          }
          local_ptr += v8->unsigned8;
        }
        while ( local_ptr < max_ptr );
        /* Register spill: buffer_1 holds the same pointer as buffer_2. */
        buffer_2 = (__int64)buffer_1;
      }
      /* Success means "memory was readable", not "no mismatch". */
      v7 = 1;
    }
    /* Freed on both the verified and the short-copy path. */
    free(buffer_2);
  }
  return v7;
}

申请大量用户模式内存，我只是截取了一小段。Protect:4 即 PAGE_READWRITE；Protect:64 若为十进制则是 0x40 = PAGE_EXECUTE_READWRITE，也就是说那几块 0x1000 字节的区域是可读写可执行的（RWX）。ps: 内部反作弊模块的内存应该是在这里申请的

eAc alloc retaddress:FFFFF80AEFF8FCDF: alloc_ptr:0000000002EF0000 alloc_size:18000 Protect:4
eAc alloc retaddress:FFFFF80AEFF8FCDF: alloc_ptr:000001F14E0B0000 alloc_size:10000 Protect:4
eAc alloc retaddress:FFFFF80AEFF8FCDF: alloc_ptr:000001F14E0C0000 alloc_size:1000 Protect:4
eAc alloc retaddress:FFFFF80AEFF8FCDF: alloc_ptr:000001F14E0D0000 alloc_size:1000 Protect:64
eAc alloc retaddress:FFFFF80AEFF8FCDF: alloc_ptr:000001F14E0E0000 alloc_size:1000 Protect:64
eAc alloc retaddress:FFFFF80AEFF8FCDF: alloc_ptr:000001F14E0F0000 alloc_size:1000 Protect:64
eAc alloc retaddress:FFFFF80AEFF8FCDF: alloc_ptr:000001F14E100000 alloc_size:1000 Protect:4
eAc alloc retaddress:FFFFF80AEFF8FCDF: alloc_ptr:000001F14E110000 alloc_size:1000 Protect:4

在我的分析中，他们的驱动程序启动时会读取 PiDDBCacheTable 里已加载驱动的记录，其结构包含驱动镜像名和驱动时间戳；
之后游戏运行时会稳定地读取 0x18（24）字节（日志里的 NumberOfBytes 是十六进制），大小上与一个 UNICODE_STRING 加一个 32 位时间戳字段相符（未逐字段验证）；这段内存可能是映射过来的。

eAc_MmCopyMemory: addressFFFFE60401CCE600 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE604009141F0 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60401FDD160 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60400CE71F0 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60400CDE060 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60402042070 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60401BDDB70 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE604020FA2C0 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE604067D9B00 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE6041118C260 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60401DFB2D0 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60400CDD740 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE6040215FBF0 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE604055BFAD0 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60411280A70 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60400DF9250 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60401EED570 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60400CDD710 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE6040208B090 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60400D0D210 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE6041104C940 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL

关于读取内存

/*
 * Eac_MemCopy — copies `size` bytes from `address` into `buffer` and returns the
 * number of bytes actually copied (0 when any precondition fails).
 *
 * IDA decompiler output; the symbol names are the analyst's.  Two strategies,
 * selected by OS version:
 *   - NT >= 6.3: the whole range goes through Call_MmCopyMemory (the
 *     MM_COPY_MEMORY_VIRTUAL traces elsewhere on this page come from that path);
 *   - older kernels: the range is walked one page at a time.  Each page's address
 *     is translated through the pointer at unk_FFFFF801657F3B20, mapped through
 *     qword_..3B38 (preferred, third arg 4) or qword_..3B30 (third arg 1), copied
 *     with the routine at loc_FFFFF801657D54F0 (called as (dst, src, len), i.e.
 *     memcpy-shaped), then released through unk_..3B40 — presumably
 *     MmGetPhysicalAddress / MmMapIoSpaceEx / MmMapIoSpace / MmUnmapIoSpace,
 *     which is the usual "read through a physical mapping" pattern, but none of
 *     those identities is established on this page.
 * A page whose translation or mapping fails is skipped WITHOUT advancing the
 * output offset, so later pages land at a lower offset than their source and the
 * return value comes up short; callers must compare the return value with the
 * requested length (get_driver_Crc does) and discard anything shorter.
 */
__int64 __fastcall Eac_MemCopy(unsigned __int64 address, unsigned __int64 size, char *buffer)
{
  __int64 v3; // rbx
  char *v4; // rbp
  unsigned __int64 v5; // rsi
  __int64 v6; // r13
  unsigned __int64 v7; // rcx
  unsigned __int64 v8; // rdi
  unsigned __int64 v9; // r8
  unsigned __int64 v10; // rsi
  unsigned int v11; // er12
  int v12; // eax
  unsigned __int64 v13; // r15
  signed __int64 v14; // r14
  __int64 v15; // rax
  __int64 (__fastcall *v16)(__int64, signed __int64, signed __int64); // rdi
  signed __int64 v17; // r8
  __int64 v18; // rax
  __int64 v19; // rdi
  signed __int64 v20; // r14
  int v22; // [rsp+20h] [rbp-48h]
  unsigned __int64 v23; // [rsp+28h] [rbp-40h]
  int v24; // [rsp+70h] [rbp+8h]
  unsigned __int64 v25; // [rsp+88h] [rbp+20h]

  v3 = 0i64;
  v4 = buffer;
  v5 = address;
  /* MEMORY[0] is a global the decompiler resolved to address 0 — presumably a
   * lowest-allowed-address bound (e.g. the start of the system range); TODO confirm.
   * The range end is never checked, only the start. */
  if ( address && size > 0 && address > MEMORY[0] && buffer )
  {
    /* Zero the whole destination up front, so anything not copied reads as zeros. */
    memset(buffer, 0, size);
    /* OS version check.  0xFFFFF78000000000 is KUSER_SHARED_DATA; offsets 0x26C
     * and 0x270 match NtMajorVersion / NtMinorVersion.  Condition is major > 6, or
     * exactly 6.3 (Windows 8.1 / Server 2012 R2) — Windows 8 (6.2) takes the
     * legacy path below. */
    if ( MEMORY[0xFFFFF7800000026C] > 6u || MEMORY[0xFFFFF7800000026C] == 6 && MEMORY[0xFFFFF78000000270] == 3 )// version check: use MmCopyMemory on 6.3+ (Windows 8.1 and later), page-by-page mapping otherwise
    {
      v3 = Call_MmCopyMemory(address, size, buffer);
    }
    else
    {
      v6 = 0i64;
      /* Redundant — already guaranteed by the outer condition. */
      if ( address > MEMORY[0] )
      {
        v7 = address & 0xFFFFFFFFFFFFF000ui64;                 /* current page base      */
        v8 = v5 - (v5 & 0xFFFFFFFFFFFFF000ui64);               /* offset into first page */
        v25 = v5 & 0xFFFFFFFFFFFFF000ui64;
        /* Number of pages touched by [address, address + size), rounded up. */
        v9 = (((v5 + size + 4095) & 0xFFFFFFFFFFFFF000ui64) - (v5 & 0xFFFFFFFFFFFFF000ui64)) >> 12;
        /* Bytes used in the last page; 0 means the range ends on a page boundary. */
        v10 = size + v5 - ((v5 + size) & 0xFFFFFFFFFFFFF000ui64);
        v23 = v8;
        v22 = v9;
        v11 = 0;
        if ( (unsigned int)v9 > 0 )
        {
          v12 = v9 - 1;
          v24 = v9 - 1;
          while ( 1 )
          {
            /* Start offset within this page: only the first page is partial. */
            v13 = 0i64;
            if ( !v11 )
              v13 = v8;
            /* End offset within this page: the tail for the last page (4096 when
             * the range ends page-aligned), 4096 for every other page. */
            if ( v11 != v12 || (v14 = v10) == 0 )
              v14 = 4096i64;
            /* Translate the page base through the pointer at unk_..3B20.  If that
             * pointer is NULL a fixed value from unk_..3B18 is used for every page,
             * which looks like a decompilation artifact of a pointer table. */
            if ( unk_FFFFF801657F3B20 )
            {
              v15 = unk_FFFFF801657F3B20(v7);
              v7 = v25;
              LODWORD(v9) = v22;
            }
            else
            {
              v15 = unk_FFFFF801657F3B18;
            }
            /* Translation failed: skip this page.  v6 is NOT advanced, see header. */
            if ( !v15 )
              goto LABEL_29;
            /* Pick the mapping routine: qword_..3B38 with third argument 4 (via the
             * break / LABEL_24 detour below), else qword_..3B30 with third argument 1. */
            v16 = qword_FFFFF801657F3B38;
            if ( qword_FFFFF801657F3B38 )
              break;
            v16 = (__int64 (__fastcall *)(__int64, signed __int64, signed __int64))qword_FFFFF801657F3B30;
            if ( qword_FFFFF801657F3B30 )
            {
              v17 = 1i64;
LABEL_24:
              /* Map exactly one page of the translated address. */
              v18 = v16(v15, 4096i64, v17);
              v19 = v18;
              if ( v18 )
              {
                /* Copy [v13, v14) of the mapped page to the next free output slot. */
                v20 = v14 - v13;
                ((void (__fastcall *)(char *, unsigned __int64, signed __int64))loc_FFFFF801657D54F0)(
                  &v4[v6],
                  v18 + v13,
                  v20);
                v6 += v20;
                /* Release the mapping; skipped if the release pointer is NULL. */
                if ( unk_FFFFF801657F3B40 )
                  unk_FFFFF801657F3B40(v19, 4096i64);
              }
              LODWORD(v9) = v22;
              v7 = v25;
            }
            v8 = v23;
LABEL_29:
            /* Advance to the next page. */
            v12 = v24;
            v7 += 4096i64;
            ++v11;
            v25 = v7;
            if ( v11 >= (unsigned int)v9 )
              goto LABEL_30;
          }
          /* Reached via `break` above when qword_..3B38 is available. */
          v17 = 4i64;
          goto LABEL_24;
        }
      }
LABEL_30:
      /* Bytes actually written, which is less than `size` if any page was skipped. */
      v3 = v6;
    }
  }
  return v3;
}

由FAKE

Через тернии к звездам,
через радость и слезы
Мы проложим дорогу
