编程技术-过EAC HV检测

检测代码：

EasyAntiCheat.sys+7DBE6 - 0F78 0A               - vmread [rdx],ecx
EasyAntiCheat.sys+7DBE9 - 0F94 C0               - sete al
EasyAntiCheat.sys+7DBEC - 0F92 C1               - setb cl
EasyAntiCheat.sys+7DBEF - 12 C1                 - adc al,cl
EasyAntiCheat.sys+7DBF1 - C3                    - ret

EasyAntiCheat.sys+7DBFE - 53                    - push rbx
EasyAntiCheat.sys+7DBFF - 57                    - push rdi
EasyAntiCheat.sys+7DC00 - 48 8B F9              - mov rdi,rcx
EasyAntiCheat.sys+7DC03 - 48 33 C0              - xor rax,rax
EasyAntiCheat.sys+7DC06 - F0 FE 07              - lock inc byte ptr [rdi]
EasyAntiCheat.sys+7DC09 - 0FA2                  - cpuid 
EasyAntiCheat.sys+7DC0B - F0 FE 0F              - lock dec [rdi]
EasyAntiCheat.sys+7DC0E - 5F                    - pop rdi
EasyAntiCheat.sys+7DC0F - 5B                    - pop rbx
EasyAntiCheat.sys+7DC10 - C3                    - ret 

EasyAntiCheat.sys+7DC29 - 0F01 3A               - invplg [rdx]
EasyAntiCheat.sys+7DC2C - F0 FE 01              - lock inc byte ptr [rcx]
EasyAntiCheat.sys+7DC2F - 8A 02                 - mov al,[rdx]
EasyAntiCheat.sys+7DC31 - FF D2                 - call rdx
EasyAntiCheat.sys+7DC33 - F0 FE 09              - lock dec [rcx]
EasyAntiCheat.sys+7DC36 - C3                    - ret

之前通过拦截vmread 向客户及注入异常发现无济于事（vmread后还有代码在检测HV），由于本人能力有限，跟不到后面的检测代码，于是就想出了一个办法过掉检测，这里给大家分享一下：

host拦截到vmread指令后，直接修改guest 的rip到自己的驱动代码里面让他一直循环，这样检测HV的这条线程就到vmread不会继续往下执行了。

vmwrite(guest_rip,&EAC_FUCK);

QWORD EAC_FUCK() {

	while (true)
	{
		Kernel_Sleep(10u);
	}
   //可以添加一个全局变量控制循环，跳出循环后要结束线程，不然会炸。
   PsTerminateSystemThread(STATUS_SUCCESS);
   return 0;
}

各位老哥，多发点文章给我学习学习.