How does GameGuard work
1. Execution sequence
This is what GameGuard does first.
00000011 오전 10:10:03 Type : Create
00000012 오전 10:10:03 Parent ID : 0xA78
00000013 오전 10:10:03 Process ID : 0x848
00000014 오전 10:10:03 EPROCESS : 0x82E45DA0
00000015 오전 10:10:03 Process Name : Loader.exe
Usually GameGuard is loaded before the game.
00000016 오전 10:10:04 Type : Create
00000017 오전 10:10:04 Parent ID : 0x848 – Loader.exe
00000018 오전 10:10:04 Process ID : 0x6B8
00000019 오전 10:10:04 EPROCESS : 0x83FC4DA0
00000020 오전 10:10:04 Process Name : game.exe
Loader is running game.exe.
00000021 오전 10:10:04 Type : Destroy
00000022 오전 10:10:04 Parent ID : 0xA78
00000023 오전 10:10:04 Process ID : 0x848
00000024 오전 10:10:04 EPROCESS : 0x82E45DA0
00000025 오전 10:10:04 Process Name : Loader.exe
After game.exe is run, Loader is destroyed.
00000034 오전 10:10:05 Type : Create
00000035 오전 10:10:05 Parent ID : 0x6B8 – game.exe
00000036 오전 10:10:05 Process ID : 0x1C4
00000037 오전 10:10:05 EPROCESS : 0x819BBB28
00000038 오전 10:10:05 Process Name : GameGuard.des
I think GameGuard.des is resetting something. It is run by game.exe.
00000039 오전 10:10:08 Type : Create
00000040 오전 10:10:08 Parent ID : 0x6B8 – game.exe
00000041 오전 10:10:08 Process ID : 0x4A4
00000042 오전 10:10:08 EPROCESS : 0x829D0DA0
00000043 오전 10:10:08 Process Name : GameMon.des
GameMon.des is some kind of observer process. When this thing loads into memory, they start SDT Restore.
00000044 오전 10:10:16 Type : Destroy
00000045 오전 10:10:16 Parent ID : 0x6B8 – game.exe
00000046 오전 10:10:16 Process ID : 0x1C4
00000047 오전 10:10:16 EPROCESS : 0x819BBB28
00000048 오전 10:10:16 Process Name : GameGuard.des
After that, GameMon.des is run and GameGuard.des is destroyed.
00000292 오전 10:11:02 Type : Destroy
00000293 오전 10:11:02 Parent ID : 0x848
00000294 오전 10:11:02 Process ID : 0x6B8
00000295 오전 10:11:02 EPROCESS : 0x83FC4DA0
00000296 오전 10:11:02 Process Name : game.exe
The game is destroyed first, at the user's request.
00000297 오전 10:11:09 Type : Destroy
00000298 오전 10:11:09 Parent ID : 0x6B8 – game.exe
00000299 오전 10:11:09 Process ID : 0x4A4
00000300 오전 10:11:09 EPROCESS : 0x829D0DA0
00000301 오전 10:11:09 Process Name : GameMon.des
They do injection and they load npggNT.des, and that uses the device. They unload that and destroy GameMon.des.
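The Create/Destroy records above can be turned back into a process tree with lifetimes, which is the quickest way to see that Loader.exe starts game.exe and game.exe then spawns the GameGuard processes. This is an added example, not code from the original post or from the monitoring tool that produced the log; the sample log is constructed in the same five-line layout as the quoted output.

```python
import re

# Constructed sample in the same layout as the process-monitor log quoted above.
SAMPLE_LOG = """\
00000016 오전 10:10:04 Type : Create
00000017 오전 10:10:04 Parent ID : 0x848 – Loader.exe
00000018 오전 10:10:04 Process ID : 0x6B8
00000019 오전 10:10:04 EPROCESS : 0x83FC4DA0
00000020 오전 10:10:04 Process Name : game.exe
00000039 오전 10:10:08 Type : Create
00000040 오전 10:10:08 Parent ID : 0x6B8 – game.exe
00000041 오전 10:10:08 Process ID : 0x4A4
00000042 오전 10:10:08 EPROCESS : 0x829D0DA0
00000043 오전 10:10:08 Process Name : GameMon.des
00000297 오전 10:11:09 Type : Destroy
00000298 오전 10:11:09 Parent ID : 0x6B8 – game.exe
00000299 오전 10:11:09 Process ID : 0x4A4
00000300 오전 10:11:09 EPROCESS : 0x829D0DA0
00000301 오전 10:11:09 Process Name : GameMon.des
"""

# sequence number, AM/PM marker, hh:mm:ss, then "Field : value"
LINE = re.compile(r"^\d+\s+\S+\s+(\d\d):(\d\d):(\d\d)\s+(.+?)\s*:\s*(.*)$")
FIELDS = {"Type": "type", "Parent ID": "parent", "Process ID": "pid", "EPROCESS": "eprocess"}

def parse_events(text):
    """Group the five-line records into dicts (type, parent, pid, eprocess, name, t)."""
    events, cur = [], {}
    for m in filter(None, map(LINE.match, text.splitlines())):
        h, mi, s, key, val = m.groups()
        cur["t"] = int(h) * 3600 + int(mi) * 60 + int(s)   # seconds since midnight
        if key == "Process Name":            # last field of a record
            cur["name"] = val
            events.append(cur)
            cur = {}
        elif key in FIELDS:                  # "Parent ID : 0x6B8 – game.exe": keep the hex only
            cur[FIELDS[key]] = val if key == "Type" else int(val.split()[0], 16)
    return events

def summarize(events):
    """pid -> {name, parent, born, died}; parent becomes a name when it is in the log."""
    procs = {}
    for e in events:
        if e["type"] == "Create":
            procs[e["pid"]] = {"name": e["name"], "parent": e["parent"], "born": e["t"], "died": None}
        elif e["pid"] in procs:
            procs[e["pid"]]["died"] = e["t"]
    for p in procs.values():   # 0x848 is Loader.exe, but it is not in this sample, so it stays hex
        p["parent"] = procs[p["parent"]]["name"] if p["parent"] in procs else hex(p["parent"])
    return procs
```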
2. Hook Chain
GameGuard is trying to hook.
2.1 User Level
GameGuard is trying to inject into all processes, and npggNT.des helps them.
+ [0x7C930000] ntdll.dll
- target : 0x458AA5D0 ( npggNT.des), func : NtLoadDriver
- target : 0x458AA720 ( npggNT.des), func : NtOpenProcess
- target : 0x458AA020 ( npggNT.des), func : NtProtectVirtualMemory
- target : 0x458AD6A0 ( npggNT.des), func : NtQuerySystemInformatio
- target : 0x458AA270 ( npggNT.des), func : NtReadVirtualMemory
- target : 0x458AB9D0 ( npggNT.des), func : NtSuspendProcess
- target : 0x458AB5A0 ( npggNT.des), func : NtSuspendThread
- target : 0x458AB860 ( npggNT.des), func : NtTerminateProcess
- target : 0x458AB6F0 ( npggNT.des), func : NtTerminateThread
- target : 0x458AA430 ( npggNT.des), func : NtWriteVirtualMemory
- target : 0x458AD6A0 ( npggNT.des), func : RtlGetNativeSystemInfor
- target : 0x458AA5D0 ( npggNT.des), func : ZwLoadDriver
- target : 0x458AA720 ( npggNT.des), func : ZwOpenProcess
- target : 0x458AA020 ( npggNT.des), func : ZwProtectVirtualMemory
- target : 0x458AD6A0 ( npggNT.des), func : ZwQuerySystemInformatio
- target : 0x458AA270 ( npggNT.des), func : ZwReadVirtualMemory
- target : 0x458AB9D0 ( npggNT.des), func : ZwSuspendProcess
- target : 0x458AB5A0 ( npggNT.des), func : ZwSuspendThread
- target : 0x458AB860 ( npggNT.des), func : ZwTerminateProcess
- target : 0x458AB6F0 ( npggNT.des), func : ZwTerminateThread
- target : 0x458AA430 ( npggNT.des), func : ZwWriteVirtualMemory
+ [0x7C800000] kernel32.dll
- target : 0x458A70E0 ( npggNT.des), func : CreateProcessInternalW
- target : 0x458AAB80 ( npggNT.des), func : DebugActiveProcess
- target : 0x458AACA0 ( npggNT.des), func : DeviceIoControl
- target : 0x458ABB10 ( npggNT.des), func : GetProcAddress
- target : 0x458AAFA0 ( npggNT.des), func : LoadLibraryExW
- target : 0x458AD0B0 ( npggNT.des), func : MapViewOfFile
- target : 0x458AD310 ( npggNT.des), func : MapViewOfFileEx
- target : 0x458ABC50 ( npggNT.des), func : MoveFileW
- target : 0x458AA970 ( npggNT.des), func : OpenProcess
- target : 0x458A8F80 ( npggNT.des), func : ReadProcessMemory
- target : 0x458A96D0 ( npggNT.des), func : VirtualProtect
- target : 0x458A9DB0 ( npggNT.des), func : VirtualProtectEx
- target : 0x458A9240 ( npggNT.des), func : WriteProcessMemory
+ [0x77F50000] ADVAPI32.dll
- target : 0x458AB4D0 ( npggNT.des), func : CreateProcessWithLogonW
+ [0x77E20000] GDI32.dll
- target : 0x458ABE40 ( npggNT.des), func : GetPixel
+ [0x77CF0000] USER32.dll
- target : 0x458AC080 ( npggNT.des), func : GetWindowThreadProcessI
- target : 0x458A7FE0 ( npggNT.des), func : PostMessageA
- target : 0x458A8350 ( npggNT.des), func : PostMessageW
- target : 0x458A7410 ( npggNT.des), func : SendInput
- target : 0x458A87F0 ( npggNT.des), func : SendMessageA
- target : 0x458A8A10 ( npggNT.des), func : SendMessageW
- target : 0x458A8A40 ( npggNT.des), func : SetCursorPos
- target : 0x458A8BA0 ( npggNT.des), func : SetWindowsHookExA
- target : 0x458A8DF0 ( npggNT.des), func : SetWindowsHookExW
- target : 0x458A78B0 ( npggNT.des), func : keybd_event
- target : 0x458A7D70 ( npggNT.des), func : mouse_event
+ [0x762B0000] WINSTA.dll
- target : 0x458AD570 ( npggNT.des), func : WinStationTerminateProc
* Usually they use these to detect macros and hacks.
2.2 Kernel Level
GameGuard uses this sys file, "dump_wmimmc.sys"; they are trying to do SSDT hooking.
service number______________ : 31
+ related nt function list_
- NtConnectPort
- ZwConnectPort
- hook_type________________ : entry hooking
- redirected address_______ : 0x848B2560
* hook module information__
- not found. maybe it is on the nonpaged pool area.
service number______________ : 122
+ related nt function list_
- NtOpenProcess
- ZwOpenProcess
- hook_type________________ : entry hooking
- redirected address_______ : 0xF7A6C682
* hook module information__
- not found. maybe it is on the nonpaged pool area.
service number______________ : 128
service number______________ : 137
+ related nt function list_
- NtProtectVirtualMemory
- ZwProtectVirtualMemory
- hook_type________________ : entry hooking
- redirected address_______ : 0xF7A6C7FA
* hook module information__
- not found. maybe it is on the nonpaged pool area.
service number______________ : 186
+ related nt function list_
- NtReadVirtualMemory
- ZwReadVirtualMemory
- hook_type________________ : entry hooking
- redirected address_______ : 0xF7A6C702
* hook module information__
- not found. maybe it is on the nonpaged pool area.
service number______________ : 277
+ related nt function list_
- NtWriteVirtualMemory
- ZwWriteVirtualMemory
- hook_type________________ : entry hooking
- redirected address_______ : 0xF7A6C77E
* hook module information__
- not found. maybe it is on the nonpaged pool area.
service number______________ : 502
+ related function list____
- SendInput
- hook_type________________ : entry hooking
- redirected address_______ : 0xF7A6C962
* hook module information__
- not found. maybe it is on the nonpaged pool area.
module name______________________ : ntoskrnl.exe
- base address__________________ : 0x804D9000
- entry point address___________ : 0x806AE2BE
- module full path______________ : \WINDOWS\system32\ntoskrnl.exe
+ hooked function list__________
+ hooked function name_______ : KeAttachProcess
- hook type_______________ : opcode patching
- redirected address______ : 0xF79A513E
- hook module information_ : not found.
+ hooked function name_______ : KeStackAttachProcess
- hook type_______________ : opcode patching
- redirected address______ : 0xF79A5038
- hook module information_ : not found.
* It looks like a hook installed to fundamentally block switching memory space into the protected process.
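Both hook lists in 2.1 and 2.2 come down to one question: does a function entry (or an SSDT slot) still lead into the module that owns it, or has it been redirected somewhere else, such as npggNT.des or an address the tool could not attribute to any module? The check below is an added example, not code from the original post or from the tool that produced the lists. Assumptions: the npggNT.des base, all three module sizes, the NtOpenProcess address inside ntdll and the in-image SSDT address are made up for the sample; the npggNT.des target 0x458AA720 and the SSDT redirect 0xF7A6C682 are the values reported above.

```python
import struct

# Constructed module map (base, size). ntdll and ntoskrnl bases are the ones listed
# in section 2; the npggNT.des base and all three sizes are assumed.
MODULES = {"ntdll.dll": (0x7C930000, 0xB0000), "npggNT.des": (0x458A0000, 0x20000), "ntoskrnl.exe": (0x804D9000, 0x200000)}

def module_of(addr):
    """Name of the module whose image range contains addr, else None."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None

def jump_target(func_addr, prologue):
    """Decode the two common x86 entry trampolines: jmp rel32 (E9) and push imm32 / ret (68 .. C3)."""
    if prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (func_addr + 5 + rel) & 0xFFFFFFFF
    if prologue[0] == 0x68 and len(prologue) > 5 and prologue[5] == 0xC3:
        return struct.unpack_from("<I", prologue, 1)[0]
    return None          # no trampoline at the entry

def classify_entry(module, func_addr, prologue):
    """User-level check (2.1): 'clean', 'intra-module', or ('hooked', owner_or_None)."""
    target = jump_target(func_addr, prologue)
    if target is None:
        return "clean"
    owner = module_of(target)
    return "intra-module" if owner == module else ("hooked", owner)

def classify_ssdt(entry_addr):
    """Kernel check (2.2): a slot should point into ntoskrnl; owner None is the tool's "not found"."""
    owner = module_of(entry_addr)
    return "clean" if owner == "ntoskrnl.exe" else ("hooked", owner)

# Constructed samples. HOOKED jumps to the npggNT.des address reported for NtOpenProcess;
# CLEAN is a normal XP-style syscall stub, mov eax, 0x7A (service 122, as in section 2.2).
NTOPENPROCESS = 0x7C93D5D0   # assumed address inside ntdll
HOOKED = b"\xE9" + struct.pack("<i", 0x458AA720 - (NTOPENPROCESS + 5)) + b"\x90" * 5
CLEAN = b"\xB8\x7A\x00\x00\x00\xBA\x00\x03\xFE\x7F\xFF\x12"

def scan():
    return {
        "ntdll!NtOpenProcess hooked": classify_entry("ntdll.dll", NTOPENPROCESS, HOOKED),
        "ntdll!NtOpenProcess clean": classify_entry("ntdll.dll", NTOPENPROCESS, CLEAN),
        "SSDT[122] redirected": classify_ssdt(0xF7A6C682),      # value from section 2.2
        "SSDT[122] in ntoskrnl": classify_ssdt(0x805CB3F0),     # constructed in-image address
    }
```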
3. Miscellaneous
GameMon.des makes these files in C:\MyDocuments\Local Settings\Temp:
np5A.tmp np5B.tmp np5C.tmp np5D.tmp np5E.tmp np5F.tmp np60.tmp np61.tmp
They are all different files, and they are in PE format.
ggscan.des << this file is only loaded by GameMon.des
omg that was hard ;;
Uhh, I can't speak English that well, so sorry for that ;
That's all I can explain to you.