过HS保护(OD,CE)
来源:互联网 发布:javascript var prime 编辑:程序博客网 时间:2024/04/29 12:23
//---------------------------------------.
只贴部分代码,大多都是小技巧没什么特别的地方。
//------------------xxxx.h
#define PAGEDCODE code_seg("PAGED")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGED")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")
typedef struct _DEVICE_CONTEXTSION
{
UNICODE_STRING driver_name;
UNICODE_STRING symbol_name;
PDEVICE_OBJECT device_object;
};
VOID DriverUnLoad(PDRIVER_OBJECT driver);
NTSTATUS DispatchIrp(PDEVICE_OBJECT driver,PIRP irp);
//----------------------------------------------
VOID LoadDriver_GetVersion(PDRIVER_OBJECT driver);
VOID Get_NtResumeThread();
VOID Hook_PsSuspendThread();
VOID My_PsSuspendThread();
VOID Un_PsSuspendThread();
VOID Enum_Thread(BOOL b_thread=FALSE); //TRUE表示暂停线程,FALSE表示结束线程
BOOL Enum_Module(ULONG Thread_StartAddr);
//--守护OD和CE--------------------------
VOID Hook_ObOpenObjectByPointer();
VOID Un_ObOpenObjectByPointer();
VOID SSDT_NtQuerySystemInformation();
VOID Un_NtQuerySystemInformation();
//------------------------------------
VOID Hook_NtOpenProcess();
VOID My_NtOpenProecss();
VOID Un_NtOpenProecss();
VOID Hook_NtReadVirtualMemory();
VOID My_NtReadVirtualMemory();
VOID Un_NtReadVirtualMemory();
VOID Hook_NtWriteVirtualMemory();
VOID My_NtWriteVirtualMemory();
VOID Un_NtWriteVirtualMemory();
VOID Hook_NtClose();
VOID My_NtClose();
VOID Un_NtClocse();
VOID Hook_NtDeviceIoControlFile();
VOID My_NtDeviceIoControlFile();
VOID Unnt_NtDeviceIoControlFile();
VOID Hook_KiAttachProcess();
VOID My_KiAttachProcess();
VOID Unnt_KiAttachProecss();
VOID Hook_IopXxxControlFile();
VOID My_IopXxxControlFile();
VOID Un_IopXxxControlFile();
VOID Hook_NtGetContextThread();
VOID My_NtGetContextThread();
VOID Un_NtGetContextThread();
VOID Hook_NtSetContextThread();
VOID My_NtSetContextThread();
VOID Un_NtSetContextThread();
VOID Hook_NtGetContextThread1();
VOID My_NtGetContextThread1();
VOID Un_NtGetContextThread1();
VOID Hook_NtQueryPerformanceCounter();
VOID My_NtQueryPerformanceCounter_1();
VOID My_NtQueryPerformanceCounter_2();
VOID Un_NtQueryPerformanceCounter();
VOID Hook_DebugPort();
VOID Un_DebugPort();
VOID Hook_NtSetInformationThread();
extern "C"
NTSTATUS __stdcall My_NtSetInformationThread ( __in HANDLE ThreadHandle,
__in THREADINFOCLASS ThreadInformationClass,
__in_bcount(ThreadInformationLength) PVOID ThreadInformation,
__in ULONG ThreadInformationLength
) ;
VOID Un_NtSetInnformationThread();
#endif
//--------------------------------xxx.cpp
#pragma INITCODE
extern "C"
NTSTATUS DriverEntry(PDRIVER_OBJECT driver,PUNICODE_STRING driver_object_name)
{
/*
1.绕过PsSuspendThread
2.枚举HS线程暂停
3.SSDT HOOK守护进程
1.NtOpenProcess
2.NtReadVirtualMemory
4.绕SSDT函数HOOK
1.NtOpenProcess
2.NtReadVirtualMemory
3.NtWriteVirtualMemory
4.NtClose
5.NtDeviceIoControlFile
6.KiAttachProcess
7.IopXxxControlFile
8.NtGetContextThread
9.NtSetContextThread
10.NtGetContextThread第二处
11.NtQueryPerformanceCounter
5.绕Shadow SSDT函数HOOK
1.HOOK KiFastCallEntry绕SSDT HOOK
2.绕NtGdiGetPixel
3.Hook Shadow SSDT守护窗口
6.(_EPROECSS+bc)DebugPort的处理
7.HOOK NtSetInformationThread (HideFromDebugPort) 0x11号功能
8.SSDT HOOK隐藏进程和模块
*/
//------------------------------------------------------------
LoadDriver_GetVersion(driver);
Get_NtResumeThread();
Hook_PsSuspendThread();
Enum_Thread(TRUE);
Hook_NtOpenProcess();
Hook_NtReadVirtualMemory();
Hook_NtWriteVirtualMemory();
Hook_NtClose();
Hook_NtDeviceIoControlFile();
Hook_KiAttachProcess();
Hook_IopXxxControlFile();
Hook_NtGetContextThread();
Hook_NtSetContextThread();
Hook_NtGetContextThread1();
Hook_NtQueryPerformanceCounter();
Hook_DebugPort();
Hook_NtSetInformationThread();
// Hook_ObOpenObjectByPointer();
SSDT_NtQuerySystemInformation();
//-------------------------------------------------------------
NTSTATUS status=STATUS_SUCCESS;
driver->MajorFunction[IRP_MJ_CREATE]=DispatchIrp;
driver->MajorFunction[IRP_MJ_READ]=DispatchIrp;
driver->MajorFunction[IRP_MJ_WRITE]=DispatchIrp;
driver->MajorFunction[IRP_MJ_CLOSE]=DispatchIrp;
driver->MajorFunction[IRP_MJ_DEVICE_CONTROL]=DispatchIrp;
driver->DriverUnload=DriverUnLoad;
UNICODE_STRING driver_name;
RtlInitUnicodeString(&driver_name,_Driver_name);
PDEVICE_OBJECT device_object;
status=IoCreateDevice(driver,NULL,&driver_name,FILE_DEVICE_UNKNOWN,NULL,FALSE,&device_object);
if(!NT_SUCCESS(status))
{
KdPrint(("创建设备失败!\n"));
return status;
}
KdPrint(("创建设备成功!\n"));
device_object->Flags |= DO_BUFFERED_IO;
UNICODE_STRING symbolic_name;
RtlInitUnicodeString(&symbolic_name,_Symbolic_name);
status=IoCreateSymbolicLink(&symbolic_name,&driver_name);
if(!NT_SUCCESS(status))
{
IoDeleteDevice(device_object);
KdPrint(("创建符号链接失败!\n"));
return status;
}
KdPrint(("创建符号链接成功!\n"));
return STATUS_SUCCESS;
}
#pragma PAGEDCODE
VOID DriverUnLoad(PDRIVER_OBJECT driver)
{
UNICODE_STRING symbol_name;
RtlInitUnicodeString(&symbol_name,_Symbolic_name);
IoDeleteSymbolicLink(&symbol_name);
IoDeleteDevice(driver->DeviceObject);
KdPrint(("删除设备成功!\n"));
//---------------------------------
Un_PsSuspendThread();
Un_NtOpenProecss();
Un_NtReadVirtualMemory();
Un_NtWriteVirtualMemory();
Un_NtClocse();
Unnt_NtDeviceIoControlFile();
Unnt_KiAttachProecss();
Un_IopXxxControlFile();
Un_NtGetContextThread();
Un_NtSetContextThread();
Un_NtGetContextThread1();
Un_NtQueryPerformanceCounter();
Un_DebugPort();
Un_NtSetInnformationThread();
// Un_ObOpenObjectByPointer();
Un_NtQuerySystemInformation();
Enum_Thread(FALSE);
}
#pragma PAGEDCODE
NTSTATUS DispatchIrp(PDEVICE_OBJECT driver,PIRP irp)
{
irp->IoStatus.Status=STATUS_SUCCESS;
irp->IoStatus.Information=0;
IoCompleteRequest(irp,IO_NO_INCREMENT);
KdPrint(("进入IRP例程!\n"));
return STATUS_SUCCESS;
}
//--------------------------------xxxx_struct.h
struct _SYSTEM_PROCESSOR_TIMES//处理器时间结构
{
LARGE_INTEGER IdleTime;
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;;
LARGE_INTEGER DpcTime;
LARGE_INTEGER InterruptTime;
ULONG InterruptCount;
};
typedef struct _SYSTEM_THREADS{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
LONG BasePriority;
ULONG ContextSwitches;
ULONG ThreadState;
ULONG WaitReason;
ULONG Reversed;//add by achillis
} SYSTEM_THREAD_INFORMATION,*PSYSTEM_THREADS;
typedef struct _SYSTEM_PROCESSES{
ULONG NextEntryDelta;
ULONG ThreadCount;
LARGE_INTEGER Reserved1[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG SessionId;
ULONG_PTR PageDirectoryBase;
VM_COUNTERS VmCounters;
ULONG PrivatePageCount;// add by achillis
IO_COUNTERS IoCounters;
_SYSTEM_THREADS Threads[1];
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
{
ULONG Unknow1;
ULONG Unknow2;
#ifdef _WIN64
ULONG Unknow3;
ULONG Unknow4:
#endif
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT ModuleNameOffset;
char ImageName[256];
}SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Count;//内核中以加载的模块的个数
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
}SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation, // 0 Y N
SystemProcessorInformation, // 1 Y N
SystemPerformanceInformation, // 2 Y N
SystemTimeOfDayInformation, // 3 Y N
SystemNotImplemented1, // 4 Y N
SystemProcessesAndThreadsInformation, // 5 Y N
SystemCallCounts, // 6 Y N
SystemConfigurationInformation, // 7 Y N
SystemProcessorTimes, // 8 Y N
SystemGlobalFlag, // 9 Y Y
SystemNotImplemented2, // 10 Y N
SystemModuleInformation, // 11 Y N
SystemLockInformation, // 12 Y N
SystemNotImplemented3, // 13 Y N
SystemNotImplemented4, // 14 Y N
SystemNotImplemented5, // 15 Y N
SystemHandleInformation, // 16 Y N
SystemObjectInformation, // 17 Y N
SystemPagefileInformation, // 18 Y N
SystemInstructionEmulationCounts, // 19 Y N
SystemInvalidInfoClass1, // 20
SystemCacheInformation, // 21 Y Y
SystemPoolTagInformation, // 22 Y N
SystemProcessorStatistics, // 23 Y N
SystemDpcInformation, // 24 Y Y
SystemNotImplemented6, // 25 Y N
SystemLoadImage, // 26 N Y
SystemUnloadImage, // 27 N Y
SystemTimeAdjustment, // 28 Y Y
SystemNotImplemented7, // 29 Y N
SystemNotImplemented8, // 30 Y N
SystemNotImplemented9, // 31 Y N
SystemCrashDumpInformation, // 32 Y N
SystemExceptionInformation, // 33 Y N
SystemCrashDumpStateInformation, // 34 Y Y/N
SystemKernelDebuggerInformation, // 35 Y N
SystemContextSwitchInformation, // 36 Y N
SystemRegistryQuotaInformation, // 37 Y Y
SystemLoadAndCallImage, // 38 N Y
SystemPrioritySeparation, // 39 N Y
SystemNotImplemented10, // 40 Y N
SystemNotImplemented11, // 41 Y N
SystemInvalidInfoClass2, // 42
SystemInvalidInfoClass3, // 43
SystemTimeZoneInformation, // 44 Y N
SystemLookasideInformation, // 45 Y N
SystemSetTimeSlipEvent, // 46 N Y
SystemCreateSession, // 47 N Y
SystemDeleteSession, // 48 N Y
SystemInvalidInfoClass4, // 49
SystemRangeStartInformation, // 50 Y N
SystemVerifierInformation, // 51 Y Y
SystemAddVerifier, // 52 N Y
SystemSessionProcessesInformation // 53 Y N
}SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
extern "C"
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation (__in SYSTEM_INFORMATION_CLASS SystemInformationClass,
__out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
__in ULONG SystemInformationLength,
__out_opt PULONG ReturnLength
);
extern "C"
NTKERNELAPI NTSTATUS PsLookupThreadByThreadId (__in HANDLE ThreadId,
__deref_out PETHREAD * Thread
);
extern "C"
typedef
NTSTATUS __stdcall PsSuspendThread ( IN PETHREAD Thread,
OUT PULONG PreviousSuspendCount OPTIONAL
) ;
extern "C"
typedef
NTSTATUS __stdcall PsResumeThread ( IN PETHREAD Thread,
OUT PULONG PreviousSuspendCount OPTIONAL
) ;
extern "C"
typedef
NTSYSCALLAPI NTSTATUS (__stdcall* NtSetInformationThread) ( __in HANDLE ThreadHandle,
__in THREADINFOCLASS ThreadInformationClass,
__in_bcount(ThreadInformationLength) PVOID ThreadInformation,
__in ULONG ThreadInformationLength
) ;
extern "C"
typedef
NTKERNELAPI NTSTATUS __stdcall ObOpenObjectByPointer ( __in PVOID Object,
__in ULONG HandleAttributes,
__in_opt PACCESS_STATE PassedAccessState,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_TYPE ObjectType,
__in KPROCESSOR_MODE AccessMode,
__out PHANDLE Handle
) ;
extern "C"
typedef
NTSYSCALLAPI NTSTATUS NTAPI NtQuerySystemInformation ( __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
__out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
__in ULONG SystemInformationLength,
__out_opt PULONG ReturnLength
);
#endif
//------------------------------------------xxxx_ssdt.h
#define _windows_xp 51
#define _Game_Name "OD.exe"
#define _Game_Name1 "OllyDBG.EXE"
#define _Game_Name2 "OllyICE.exe"
#define _Game_Name3 "Cheat Engine.exe"
#define _Game_Name4 "Cheat Engine.ex"
#define _Game_Name5 "Cheat Engine"
#define _UGame_Name L"OD.exe"
#define _UGame_Name1 L"OllyDBG.EXE"
#define _UGame_Name2 L"OllyICE.exe"
#define _UGame_Name3 L"Cheat Engine.exe"
#define _UGame_Name4 L"Cheat Engine.ex"
#define _UGame_Name5 L"Cheat Engine"
PsSuspendThread* _PsSuspendThread;
PsResumeThread* _PsResumeThread;
NtSetInformationThread* _NtSetInformationThread;
//-------------------------------------------------
int in_NtResumeThread=0; //保存NtResumeThread的序号
int in_NtPsSuspendThread=0; //保存NtSuspendThread的序号
int in_NtOpenProcess=0; //保存NtOpenProcess的序号
int in_NtReadVirtualMemory=0; //保存NtReadVirtualMemory的序号
int in_NtWriteVirtualMemory=0;//保存NtWriteVirtualMemory的序号
int in_NtClose=0; //保存NtClose的序号
int in_NtDeviceIoControlFile=0;//保存NtDeviceIoControlFile的序号
int in_NtFsControlFile=0; //保存NtFsControlFile的序号
int in_NtGetContextThread=0; //保存NtGetContextThread的序号
int in_NtTerminateThread=0; //保存NtTerminateThread的序号
int in_NtSetContextThread=0; //保存NtSetContextThread的序号
int in_NtQueryPerformanceCounter=0; //保存NtQueryPerformanceCounter的序号
int in_NtSetInformationThread=0; //保存NtSetInformationThread的序号
int in_NtQuerySystemInformation=0; //保存NtQuerySystemInformation的序号
//-------------------------------------------------
ULONG addr_ObWatchHandles; //保存ObWatchHandles的地址
ULONG addr_SEH_prolog; //保存_SEH_prolog的地址
//-------------------------------------------------
ULONG addr_NtOpenThread; //保存NtOpenThread的地址
ULONG u_PsSuspendThread; //保存PsSuspendTHread的地址
ULONG push_addr_PsSuspendThread;
ULONG call_addr_PsSuspendThread;
ULONG addr_NtOpenProcess; //保存NtOpenProcess的地址
ULONG push_addr_NtOpenProcess;
ULONG call_addr_NtOpenProecss;
ULONG addr_NtReadVirtualMemory; //保存NtReadVirtualMemory的地址
ULONG push_addr_NtReadVirtualMemory;
ULONG call_addr_NtReadVirtualMemory;
ULONG addr_NtWriteVirtualMemory; //保存NtWriteVirtualMemory的地址
ULONG push_addr_NtWriteVirtualMemory;
ULONG call_addr_NtWriteVirtualMemory;
ULONG addr_NtClose; //保存NtClose的地址
ULONG call_addr_NtClose;
ULONG addr_NtDeviceIoControlFile;//保存NtDeviceIoControlFile的地址
ULONG call_addr_NtDeviceIoControlFile;
ULONG addr_KiAttachProcess; //保存KiAttachProecss的地址
ULONG call_addr_KiAttachProcess;
ULONG addr_IopXxxControlFile; //保存IopXxxControlFile的地址
ULONG call_addr_IopXxxControlFile;
ULONG addr_NtGetContextThread; //保存NtGetContextThread的地址
ULONG call_addr_NtGetContextThread;
ULONG addr_NtSetContextThread; //保存NtSetContextThread的地址
ULONG call_addr_NtSetContextThread;
ULONG addr_NtGetContextThread1; //保存NtGetContextThread的第二处HOOK
ULONG call_addr_NtGetContextThread1;
ULONG Game_call_addr_1; //获取NtGetContextThread的第一个call地址
ULONG Game_call_addr_2; //获取NtGetContextThread的第二个call地址
ULONG addr_NtQueryPerformanceCounter; //保存NtQueryPerformanceCounter的第一个跳转地址
ULONG addr1_NtQueryPerformanceCounter;//保存NtQueryPerformanceCounter的第二个跳转地址
ULONG call_addr_NtQueryPerformanceCounter;
ULONG addr_NtSetInformationThread; //保存NtSetInformationThread的地址
ULONG addr1_NtSetInformationThread;
//-------------------------------------------------
typedef struct _ServiceDescriptorTable {
PVOID ServiceTableBase; //System Service Dispatch Table 的基地址
PVOID ServiceCounterTable;
//包含着 SSDT 中每个服务被调用次数的计数器。这个计数器一般由sysenter 更新。
unsigned int NumberOfServices;//由 ServiceTableBase 描述的服务的数目。
PVOID ParamTableBase; //包含每个系统服务参数字节数表的基地址-系统服务参数表
}*PServiceDescriptorTable;
extern "C" PServiceDescriptorTable KeServiceDescriptorTable;
#pragma pack(1)
typedef struct _JMPCODE
{
BYTE E9;
ULONG Fun_addr;
BYTE nop[2];
}jmp_code,*pjmp_code;
#pragma pack()
//-----------获取ssdt地址
#pragma PAGEDCODE
ULONG Getssdt_addr(int index)
{
ULONG* xfun_addr,x_serviceDescriptor,x_addr;
x_serviceDescriptor=(ULONG)KeServiceDescriptorTable->ServiceTableBase;
KdPrint(("当前ServiceDescriptorTable的地址为:%x\n",x_serviceDescriptor));
xfun_addr=(PULONG)(x_serviceDescriptor+index*4);
x_addr=*xfun_addr;
KdPrint(("当前Index=%d 函数地址为:%x\n",index,x_addr));
return x_addr;
}
//-----------------获取ssdt函数列表
#pragma PAGEDCODE
ULONG* Getsset_this(int index)
{
ULONG* xfun_addr,x_servicedescriptor;
x_servicedescriptor=(ULONG )KeServiceDescriptorTable->ServiceTableBase;
KdPrint(("当前ServiceDescriptorTable的地址为:%x\n",x_servicedescriptor));
xfun_addr=(PULONG)(x_servicedescriptor+index*4);
return xfun_addr;
}
KIRQL kirql;
#pragma PAGEDCODE
VOID PAGED_Open()
{
__asm
{
cli
push eax
mov eax,cr0
and eax,not 10000h
mov cr0,eax
pop eax
}
kirql=KeRaiseIrqlToDpcLevel();
}
#pragma PAGEDCODE
VOID PAGED_Exit()
{
KeLowerIrql(kirql);
__asm
{
push eax
mov eax,cr0
or eax,10000h
mov cr0,eax
pop eax
sti
}
}
#pragma PAGEDCODE
VOID LoadDriver_GetVersion(PDRIVER_OBJECT driver)
{
ULONG Majorversion,Minorversion,buildVersion;
PsGetVersion(&Majorversion,&Minorversion,&buildVersion,NULL);
DWORD dw_version=Majorversion*10+Minorversion;
switch(dw_version)
{
case _windows_xp:
KdPrint(("当前操作系统windows xp sp3!\n"));
in_NtPsSuspendThread=0xFE; //函数序号
in_NtResumeThread=0xCE;
in_NtOpenProcess=0x7A;
in_NtReadVirtualMemory=0xBA;
in_NtWriteVirtualMemory=0x115;
in_NtClose=0x19;
in_NtDeviceIoControlFile=0x42;
in_NtFsControlFile=0x54;
in_NtGetContextThread=0x55;
in_NtTerminateThread=0x102;
in_NtSetContextThread=0xD5;
in_NtQueryPerformanceCounter=0xA5;
in_NtSetInformationThread=0xE5;
in_NtQuerySystemInformation=0xAD;
break;
default:
driver->DriverUnload=DriverUnLoad;
break;
}
}
#pragma PAGEDCODE
VOID Get_NtResumeThread()
{
ULONG addr_NtResumeThread;
BYTE* _bp;
_bp=(BYTE*)Getssdt_addr(in_NtResumeThread);
do
{
if((*(_bp-4)==0x50)&&(*(_bp-3)==0xFF)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x8B)&&(*(_bp+8)==0xE8))
{
break;
}
_bp++;
} while (1);
addr_NtResumeThread=(ULONG)_bp;
__asm
{
push eax
push ebx
mov eax,addr_NtResumeThread
add eax,1
mov ebx,[eax]
add eax,ebx
add eax,5
sub eax,1
mov addr_NtResumeThread,eax
pop ebx
pop eax
}
_PsResumeThread=(PsResumeThread*)addr_NtResumeThread;
KdPrint(("PsResumeThread的地址为:%x\n",addr_NtResumeThread));
}
jmp_code _jmp_code_PsSuspendThread;
pjmp_code _pjmp_code_PsSuspendThread;
#pragma INITCODE
VOID Hook_PsSuspendThread()
{
ULONG u_NtSuspendThread;
BYTE* _bp; //特征码搜索
_bp=(BYTE*)Getssdt_addr(in_NtPsSuspendThread);
do
{
if((*(_bp-9)==0x7c)&&(*(_bp-4)==0x50)&&(*(_bp-3)==0xFF)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x8B)&&(*(_bp+7)==0x8B))
{
break;
}
_bp++;
}while(1);
u_NtSuspendThread=(ULONG)_bp;
__asm
{
push eax
mov eax,u_NtSuspendThread
add eax,1
mov ebx,[eax]
add eax,ebx
add eax,5
sub eax,1
mov u_NtSuspendThread,eax
pop eax
}
_PsSuspendThread=(PsSuspendThread*)u_NtSuspendThread;
KdPrint(("PsSuspendThread的地址为:%x\n",u_NtSuspendThread));
u_PsSuspendThread=u_NtSuspendThread+2;
KdPrint(("向PsSuspendThread写跳转的地址为:%x\n",u_PsSuspendThread));
ULONG u_addr_PsSuspendThread;
UNICODE_STRING push_addr;
RtlInitUnicodeString(&push_addr,L"NtOpenProcess");
push_addr_PsSuspendThread=(ULONG)MmGetSystemRoutineAddress(&push_addr);
__asm
{
push eax
mov eax,push_addr_PsSuspendThread
add eax,6
mov eax,[eax]
add eax,0x28
sub eax,0x284
mov u_addr_PsSuspendThread,eax
pop eax
}
addr_ObWatchHandles=u_addr_PsSuspendThread;
KdPrint(("ObWatchHandles的地址为:%x\n",u_addr_PsSuspendThread));
push_addr_PsSuspendThread=u_addr_PsSuspendThread+0x784;
KdPrint(("PsSuspendThread的push地址为:%x\n",push_addr_PsSuspendThread));
ULONG u_call_PsSuspendThread;
UNICODE_STRING call_addr;
RtlInitUnicodeString(&call_addr,L"NtOpenThread");
call_addr_PsSuspendThread=(ULONG)MmGetSystemRoutineAddress(&call_addr);
addr_NtOpenThread=call_addr_PsSuspendThread;
__asm
{
push eax
push ebx
mov eax,call_addr_PsSuspendThread
add eax,0xA
add eax,1
mov ebx,[eax]
add eax,ebx
add eax,5
sub eax,1
mov u_call_PsSuspendThread,eax
pop ebx
pop eax
}
addr_SEH_prolog=u_call_PsSuspendThread;
call_addr_PsSuspendThread=u_call_PsSuspendThread;
KdPrint(("PsSuspendThread的call地址为:%x\n",call_addr_PsSuspendThread));
_pjmp_code_PsSuspendThread=(pjmp_code)u_PsSuspendThread;
_jmp_code_PsSuspendThread.E9=_pjmp_code_PsSuspendThread->E9;
_jmp_code_PsSuspendThread.Fun_addr=_pjmp_code_PsSuspendThread->Fun_addr;
PAGED_Open();
_pjmp_code_PsSuspendThread->E9=0xE9;
_pjmp_code_PsSuspendThread->Fun_addr=(ULONG)((ULONG)My_PsSuspendThread-u_PsSuspendThread-5);
PAGED_Exit();
}
#pragma PAGEDCODE
VOID __declspec(naked) My_PsSuspendThread()
{
__asm
{
push push_addr_PsSuspendThread
mov eax,u_PsSuspendThread
add eax,0xA
push eax
mov eax,call_addr_PsSuspendThread
jmp eax
}
}
#pragma PAGEDCODE
VOID Un_PsSuspendThread()
{
PAGED_Open();
_pjmp_code_PsSuspendThread->E9=_jmp_code_PsSuspendThread.E9;
_pjmp_code_PsSuspendThread->Fun_addr=_jmp_code_PsSuspendThread.Fun_addr;
PAGED_Exit();
}
#pragma PAGEDCODE
BOOL Enum_Module(ULONG Thread_StartAddr)
{
NTSTATUS status;
PCHAR ModuleNames;
ULONG len;
PVOID pbuffer=NULL;
PSYSTEM_MODULE_INFORMATION Module_Enum;
status=ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)11,NULL,0,&len);
pbuffer=ExAllocatePool(NonPagedPool,len);
if(pbuffer==NULL)
{
KdPrint(("分配内存失败!\r\n"));
return FALSE;
}
status=ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)11,pbuffer,len,NULL);
Module_Enum=(PSYSTEM_MODULE_INFORMATION)pbuffer;
for(unsigned int i=0;i<Module_Enum->Count;i++)
{
if(ModuleNames=strstr(Module_Enum->Module.ImageName,"EagleXNt.sys"))
{
ULONG Module_Min=(ULONG)Module_Enum->Module.Base;
ULONG Module_Max=Module_Min+Module_Enum->Module.Size;
if((Module_Min<=Thread_StartAddr)&&(Thread_StartAddr<=Module_Max))
{
return TRUE;
}
}
}
ExFreePool(pbuffer);
return FALSE;
}
#pragma PAGEDCODE
VOID Enum_Thread(BOOL b_thread)
{
NTSTATUS status;
PVOID pbuffer=NULL;
ULONG len;
PSYSTEM_PROCESSES Process_Enum;
PSYSTEM_THREADS Thread_Enum;
status=ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)5,NULL,0,&len);
KdPrint(("枚举进程时分配的内存大小:%d\n",len));
pbuffer=ExAllocatePool(NonPagedPool,len);
if(pbuffer==NULL)
{
KdPrint(("分配内存失败!\r\n"));
return ;
}
status=ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)5,pbuffer,len,NULL);
Process_Enum=(PSYSTEM_PROCESSES)pbuffer;
do
{
if(Process_Enum->ThreadCount&&Process_Enum->ProcessId)
{
Thread_Enum=(PSYSTEM_THREADS)Process_Enum->Threads;
for(unsigned int i=0;i<Process_Enum->ThreadCount;i++)
{
BOOL bl_modlule=FALSE;
bl_modlule=Enum_Module((ULONG)Thread_Enum->StartAddress);
if(bl_modlule==TRUE)
{
PETHREAD thread_temp;
PsLookupThreadByThreadId(Thread_Enum->ClientId.UniqueThread,&thread_temp);
if(b_thread==TRUE)
{
_PsSuspendThread(thread_temp,NULL);
KdPrint(("暂停<->线程信息:Thread[%d] StartAddr=%08x TID:%d \r\n",i+1,Thread_Enum->StartAddress,Thread_Enum->ClientId.UniqueThread));
}
if(b_thread==FALSE)
{
_PsResumeThread(thread_temp,NULL);
KdPrint(("删除<->线程信息:Thread[%d] StartAddr=%08x TID:%d \r\n",i+1,Thread_Enum->StartAddress,Thread_Enum->ClientId.UniqueThread));
}
}
Thread_Enum++;
}
}
if(Process_Enum->NextEntryDelta==NULL)
{
break;
}
Process_Enum=(PSYSTEM_PROCESSES)(((PUCHAR)Process_Enum)+Process_Enum->NextEntryDelta);
}while(1);
ExFreePool(pbuffer);
}
jmp_code _jmp_code_NtOpenProecss;
pjmp_code _pjmp_code_NtOpenProecss;
#pragma INITCODE
VOID Hook_NtOpenProcess()
{
ULONG my_function_addr;
addr_NtOpenProcess=Getssdt_addr(in_NtOpenProcess);
addr_NtOpenProcess+=5;
KdPrint(("向NtOpenProcess写跳转地址为:%x\n",addr_NtOpenProcess));
__asm
{
push eax
mov eax,My_NtOpenProecss
mov my_function_addr,eax
pop eax
}
KdPrint(("自定义NtOpenProcess的地址为:%x\n",my_function_addr));
push_addr_NtOpenProcess=addr_ObWatchHandles+0x25c;
KdPrint(("NtOpenProcess的push地址为:%x\n",push_addr_NtOpenProcess));
call_addr_NtOpenProecss=addr_SEH_prolog;
KdPrint(("NtOpenProcess的call地址为:%x\n",call_addr_NtOpenProecss));
_pjmp_code_NtOpenProecss=(pjmp_code)addr_NtOpenProcess;
_jmp_code_NtOpenProecss.E9=_pjmp_code_NtOpenProecss->E9;
_jmp_code_NtOpenProecss.Fun_addr=_pjmp_code_NtOpenProecss->Fun_addr;
PAGED_Open();
_pjmp_code_NtOpenProecss->E9=0xE9;
_pjmp_code_NtOpenProecss->Fun_addr=(ULONG)(my_function_addr-addr_NtOpenProcess-5);
PAGED_Exit();
}
#pragma PAGEDCODE
VOID __declspec(naked) My_NtOpenProecss()
{
__asm
{
push push_addr_NtOpenProcess
mov eax,addr_NtOpenProcess
add eax,0xA
push eax
mov eax,call_addr_NtOpenProecss
jmp eax
}
}
#pragma PAGEDCODE
VOID Un_NtOpenProecss()
{
PAGED_Open();
_pjmp_code_NtOpenProecss->E9=_jmp_code_NtOpenProecss.E9;
_pjmp_code_NtOpenProecss->Fun_addr=_jmp_code_NtOpenProecss.Fun_addr;
PAGED_Exit();
}
jmp_code _jmp_code_NtReadVirtualMemory;
pjmp_code _pjmp_code_NtReadVirtualMemory;
#pragma INITCODE
VOID Hook_NtReadVirtualMemory()
{
ULONG My_Function_Addr;
addr_NtReadVirtualMemory=(ULONG)Getssdt_addr(in_NtReadVirtualMemory);
addr_NtReadVirtualMemory+=2;
KdPrint(("向NtReadVirtualMemory写跳转地址为:%x\n",addr_NtReadVirtualMemory));
__asm
{
push eax
mov eax,My_NtReadVirtualMemory
mov My_Function_Addr,eax
pop eax
}
KdPrint(("自定义NtReadVirtualMemory的地址为:%x\n",My_Function_Addr));
__asm
{
push eax
mov eax,addr_NtReadVirtualMemory
add eax,1
mov eax,[eax]
mov push_addr_NtReadVirtualMemory,eax
pop eax
}
KdPrint(("NtReadVirtualMemory的push地址为:%x\n",push_addr_NtReadVirtualMemory));
call_addr_NtReadVirtualMemory=addr_SEH_prolog;
KdPrint(("NtReadVirtualMemory的call地址为:%x\n",call_addr_NtReadVirtualMemory));
_pjmp_code_NtReadVirtualMemory=(pjmp_code)addr_NtReadVirtualMemory;
_jmp_code_NtReadVirtualMemory.E9=_pjmp_code_NtReadVirtualMemory->E9;
_jmp_code_NtReadVirtualMemory.Fun_addr=_pjmp_code_NtReadVirtualMemory->Fun_addr;
PAGED_Open();
_pjmp_code_NtReadVirtualMemory->E9=0xE9;
_pjmp_code_NtReadVirtualMemory->Fun_addr=(ULONG)(My_Function_Addr-addr_NtReadVirtualMemory-5);
PAGED_Exit();
}
#pragma PAGEDCODE
VOID __declspec(naked) My_NtReadVirtualMemory()
{
__asm
{
push push_addr_NtReadVirtualMemory
mov eax,addr_NtReadVirtualMemory
add eax,0xA
push eax
mov eax,call_addr_NtReadVirtualMemory
jmp eax
}
}
#pragma PAGEDCODE
VOID Un_NtReadVirtualMemory()
{
PAGED_Open();
_pjmp_code_NtReadVirtualMemory->E9=_jmp_code_NtReadVirtualMemory.E9;
_pjmp_code_NtReadVirtualMemory->Fun_addr=_jmp_code_NtReadVirtualMemory.Fun_addr;
PAGED_Exit();
}
jmp_code _jmp_code_NtWriteVirtrualMemory;
pjmp_code _pjmp_code_NtWriteVirtualMemory;
#pragma INITCODE
VOID Hook_NtWriteVirtualMemory()
{
ULONG My_Function_Addr;
addr_NtWriteVirtualMemory=(ULONG)Getssdt_addr(in_NtWriteVirtualMemory);
addr_NtWriteVirtualMemory+=2;
KdPrint(("向NtWriteVirtualMemory写跳转地址为:%x\n",addr_NtWriteVirtualMemory));
__asm
{
push eax
mov eax,My_NtWriteVirtualMemory
mov My_Function_Addr,eax
pop eax
}
KdPrint(("自定义NtWriteVirtualMemory的地址为:%x\n",My_Function_Addr));
__asm
{
push eax
mov eax,addr_NtWriteVirtualMemory
add eax,1
mov eax,[eax]
mov push_addr_NtWriteVirtualMemory,eax
pop eax
}
KdPrint(("NtWriteVirtualMemory的push地址为:%x\n",push_addr_NtWriteVirtualMemory));
call_addr_NtWriteVirtualMemory=addr_SEH_prolog;
KdPrint(("NtWriteVirtualMemory的call地址为:%x\n",call_addr_NtWriteVirtualMemory));
_pjmp_code_NtWriteVirtualMemory=(pjmp_code)addr_NtWriteVirtualMemory;
_jmp_code_NtWriteVirtrualMemory.E9=_pjmp_code_NtWriteVirtualMemory->E9;
_jmp_code_NtWriteVirtrualMemory.Fun_addr=_pjmp_code_NtWriteVirtualMemory->Fun_addr;
PAGED_Open();
_pjmp_code_NtWriteVirtualMemory->E9=0xE9;
_pjmp_code_NtWriteVirtualMemory->Fun_addr=(ULONG)(My_Function_Addr-addr_NtWriteVirtualMemory-5);
PAGED_Exit();
}
#pragma PAGEDCODE
VOID __declspec(naked) My_NtWriteVirtualMemory()
{
__asm
{
push push_addr_NtWriteVirtualMemory
mov eax,addr_NtWriteVirtualMemory
add eax,0xA
push eax
mov eax,call_addr_NtWriteVirtualMemory
jmp eax
}
}
#pragma PAGEDCODE
VOID Un_NtWriteVirtualMemory()
{
PAGED_Open();
_pjmp_code_NtWriteVirtualMemory->E9=_jmp_code_NtWriteVirtrualMemory.E9;
_pjmp_code_NtWriteVirtualMemory->Fun_addr=_jmp_code_NtWriteVirtrualMemory.Fun_addr;
PAGED_Exit();
}
jmp_code _jmp_code_NtClose;
pjmp_code _pjmp_code_NtClose;
#pragma INITCODE
VOID Hook_NtClose()
{
ULONG My_Function_Addr;
addr_NtClose=(ULONG)Getssdt_addr(in_NtClose);
call_addr_NtClose=addr_NtClose-0x1A2;
KdPrint(("NtClose的call地址为:%x\n",call_addr_NtClose));
addr_NtClose+=0x12;
KdPrint(("向NtClose写跳转的地址为:%x\n",addr_NtClose));
__asm
{
push eax
mov eax,My_NtClose
mov My_Function_Addr,eax
pop eax
}
KdPrint(("自定义NtClose的地址为:%x\n",My_Function_Addr));
_pjmp_code_NtClose=(pjmp_code)addr_NtClose;
_jmp_code_NtClose.E9=_pjmp_code_NtClose->E9;
_jmp_code_NtClose.Fun_addr=_pjmp_code_NtClose->Fun_addr;
_jmp_code_NtClose.nop[0]=_pjmp_code_NtClose->nop[0];
PAGED_Open();
_pjmp_code_NtClose->E9=0xE9;
_pjmp_code_NtClose->Fun_addr=(ULONG)(My_Function_Addr-addr_NtClose-5);
_pjmp_code_NtClose->nop[0]=0x90;
PAGED_Exit();
}
#pragma PAGEDCODE
VOID __declspec(naked) My_NtClose()
{
__asm
{
push 0
push eax
push dword ptr [ebp+8]
mov eax,addr_NtClose
add eax,0xB
push eax
mov eax,call_addr_NtClose
jmp eax
}
}
#pragma PAGEDCODE
VOID Un_NtClocse()
{
PAGED_Open();
_pjmp_code_NtClose->E9=_jmp_code_NtClose.E9;
_pjmp_code_NtClose->Fun_addr=_jmp_code_NtClose.Fun_addr;
_pjmp_code_NtClose->nop[0]=_jmp_code_NtClose.nop[0];
PAGED_Exit();
}
jmp_code _jmp_code_NtDeviceIoControlFile;
pjmp_code _pjmp_code_NtDeviceIoControlFile;
#pragma INITCODE
VOID Hook_NtDeviceIoControlFile()
{
ULONG My_Function_Addr;
ULONG u_NtFsControlFile;
addr_NtDeviceIoControlFile=(ULONG)Getssdt_addr(in_NtDeviceIoControlFile);
addr_NtDeviceIoControlFile+=0x1F;
KdPrint(("向NtDeviceIoControlFile写跳转的地址为:%x\n",addr_NtDeviceIoControlFile));
u_NtFsControlFile=(ULONG)Getssdt_addr(in_NtFsControlFile);
call_addr_IopXxxControlFile=u_NtFsControlFile;
u_NtFsControlFile=u_NtFsControlFile+0x25;
__asm
{
push eax
push ebx
mov eax,u_NtFsControlFile
add eax,1
mov ebx,[eax]
add eax,ebx
add eax,5
sub eax,1
mov call_addr_NtDeviceIoControlFile,eax
pop ebx
pop eax
}
addr_IopXxxControlFile=call_addr_NtDeviceIoControlFile;
KdPrint(("NtDeviceIoControlFile的call地址为:%x\n",call_addr_NtDeviceIoControlFile));
__asm
{
push eax
mov eax,My_NtDeviceIoControlFile
mov My_Function_Addr,eax
pop eax
}
KdPrint(("自定义NtDeviceIoControlFile的地址为:%x\n",My_Function_Addr));
_pjmp_code_NtDeviceIoControlFile=(pjmp_code)addr_NtDeviceIoControlFile;
_jmp_code_NtDeviceIoControlFile.E9=_pjmp_code_NtDeviceIoControlFile->E9;
_jmp_code_NtDeviceIoControlFile.Fun_addr=_pjmp_code_NtDeviceIoControlFile->Fun_addr;
PAGED_Open();
_pjmp_code_NtDeviceIoControlFile->E9=0xE9;
_pjmp_code_NtDeviceIoControlFile->Fun_addr=(ULONG)(My_Function_Addr-addr_NtDeviceIoControlFile-5);
PAGED_Exit();
}
#pragma PAGEDCODE
VOID __declspec(naked) My_NtDeviceIoControlFile()
{
__asm
{
push dword ptr [ebp+0Ch]
push dword ptr [ebp+8]
mov eax,addr_NtDeviceIoControlFile
add eax,0xB
push eax
mov eax,call_addr_NtDeviceIoControlFile
jmp eax
}
}
#pragma PAGEDCODE
VOID Unnt_NtDeviceIoControlFile()
{
PAGED_Open();
_pjmp_code_NtDeviceIoControlFile->E9=_jmp_code_NtDeviceIoControlFile.E9;
_pjmp_code_NtDeviceIoControlFile->Fun_addr=_jmp_code_NtDeviceIoControlFile.Fun_addr;
PAGED_Exit();
}
jmp_code _jmp_code_KiAttachProcess;
pjmp_code _pjmp_code_KiAttachProcess;
#pragma INITCODE
VOID Hook_KiAttachProcess()
{
ULONG My_Function_Addr;
ULONG u_KeAttachProcess;
UNICODE_STRING KeAttachProcess_name;
RtlInitUnicodeString(&KeAttachProcess_name,L"KeAttachProcess");
u_KeAttachProcess=(ULONG)MmGetSystemRoutineAddress(&KeAttachProcess_name);
KdPrint(("套出KeAttachProcess的地址为:%x\n",u_KeAttachProcess));
BYTE* _bp;
_bp=(BYTE*)u_KeAttachProcess;
do
{
if((*(_bp-2)==0x57)&&(*(_bp-1)==0x56)&&(*(_bp)==0xE8))
{
break;
}
_bp++;
}while(1);
addr_KiAttachProcess=(ULONG)_bp;
__asm
{
push eax
push ebx
mov eax,addr_KiAttachProcess
add eax,1
mov ebx,[eax]
add eax,ebx
add eax,5
sub eax,1
mov addr_KiAttachProcess,eax
pop ebx
pop eax
}
KdPrint(("KiAttachProcess的地址为%x\n",addr_KiAttachProcess));
call_addr_KiAttachProcess=addr_KiAttachProcess-0x488;
KdPrint(("KiAttachProcess的call地址为:%x\n",call_addr_KiAttachProcess));
addr_KiAttachProcess+=0x11;
KdPrint(("向KiAttachProcess写跳转地址:%x\n",addr_KiAttachProcess));
__asm
{
push eax
mov eax,My_KiAttachProcess
mov My_Function_Addr,eax
pop eax
}
KdPrint(("自定义KiAttachProcess的地址为:%x\n",My_Function_Addr));
_pjmp_code_KiAttachProcess=(pjmp_code)addr_KiAttachProcess;
_jmp_code_KiAttachProcess.E9=_pjmp_code_KiAttachProcess->E9;
_jmp_code_KiAttachProcess.Fun_addr=_pjmp_code_KiAttachProcess->Fun_addr;
_jmp_code_KiAttachProcess.nop[0]=_pjmp_code_KiAttachProcess->nop[0];
_jmp_code_KiAttachProcess.nop[1]=_pjmp_code_KiAttachProcess->nop[1];
PAGED_Open();
_pjmp_code_KiAttachProcess->E9=0xE9;
_pjmp_code_KiAttachProcess->Fun_addr=(ULONG)(My_Function_Addr-addr_KiAttachProcess-5);
_pjmp_code_KiAttachProcess->nop[0]=0x90;
_pjmp_code_KiAttachProcess->nop[1]=0x90;
PAGED_Exit();
}
#pragma PAGEDCODE
VOID __declspec(naked) My_KiAttachProcess()
{
__asm
{
inc word ptr [edi+60h]
lea ebx,[esi+34h]
push ebx
mov eax,addr_KiAttachProcess
add eax,0xD
push eax
mov eax,call_addr_KiAttachProcess
jmp eax
}
}
#pragma PAGEDCODE
VOID Unnt_KiAttachProecss()
{
PAGED_Open();
_pjmp_code_KiAttachProcess->E9=_jmp_code_KiAttachProcess.E9;
_pjmp_code_KiAttachProcess->Fun_addr=_jmp_code_KiAttachProcess.Fun_addr;
_pjmp_code_KiAttachProcess->nop[0]=_jmp_code_KiAttachProcess.nop[0];
_pjmp_code_KiAttachProcess->nop[1]=_jmp_code_KiAttachProcess.nop[1];
PAGED_Exit();
}
jmp_code _jmp_code_IopXxxControlFile;
pjmp_code _pjmp_code_IopXxxControlFile;
#pragma INITCODE
VOID Hook_IopXxxControlFile()
{
ULONG My_Function_Addr;
BYTE* _bp;
_bp=(BYTE*)addr_IopXxxControlFile;
do
{
if((*(_bp-11)==0x6A)&&(*(_bp-6)==0xFF)&&(*(_bp-3)==0xFF)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x83)&&(*(_bp+9)==0x8B))
{
break;
}
_bp++;
}while(1);
addr_IopXxxControlFile=(ULONG)_bp-6;
KdPrint(("向IopXxxControlFile写跳转地址为:%x\n",addr_IopXxxControlFile));
_bp=(BYTE*)call_addr_IopXxxControlFile;
do
{
if((*(_bp-11)==0x6A)&&(*(_bp-6)==0xFF)&&(*(_bp-3)==0xFF)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x83)&&(*(_bp+9)==0x8B))
{
break;
}
_bp++;
}while(1);
call_addr_IopXxxControlFile=(ULONG)_bp;
__asm
{
push eax
push ebx
mov eax,call_addr_IopXxxControlFile
add eax,1
mov ebx,[eax]
add eax,ebx
add eax,5
sub eax,1
mov call_addr_IopXxxControlFile,eax
pop ebx
pop eax
}
KdPrint(("IopXxxControlFile的call地址为:%x\n",call_addr_IopXxxControlFile));
__asm
{
push eax
mov eax,My_IopXxxControlFile
mov My_Function_Addr,eax
pop eax
}
KdPrint(("自定义IopXxxControlFile的地址为:%x\n",My_Function_Addr));
_pjmp_code_IopXxxControlFile=(pjmp_code)addr_IopXxxControlFile;
_jmp_code_IopXxxControlFile.E9=_pjmp_code_IopXxxControlFile->E9;
_jmp_code_IopXxxControlFile.Fun_addr=_pjmp_code_IopXxxControlFile->Fun_addr;
_jmp_code_IopXxxControlFile.nop[0]=_pjmp_code_IopXxxControlFile->nop[0];
PAGED_Open();
_pjmp_code_IopXxxControlFile->E9=0xE9;
_pjmp_code_IopXxxControlFile->Fun_addr=(ULONG)(My_Function_Addr-addr_IopXxxControlFile-5);
_pjmp_code_IopXxxControlFile->nop[0]=0x90;
PAGED_Exit();
}
只贴部分代码,大多都是小技巧没什么特别的地方。
//------------------xxxx.h
#define PAGEDCODE code_seg("PAGED")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGED")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")
typedef struct _DEVICE_CONTEXTSION
{
UNICODE_STRING driver_name;
UNICODE_STRING symbol_name;
PDEVICE_OBJECT device_object;
};
VOID DriverUnLoad(PDRIVER_OBJECT driver);
NTSTATUS DispatchIrp(PDEVICE_OBJECT driver,PIRP irp);
//----------------------------------------------
VOID LoadDriver_GetVersion(PDRIVER_OBJECT driver);
VOID Get_NtResumeThread();
VOID Hook_PsSuspendThread();
VOID My_PsSuspendThread();
VOID Un_PsSuspendThread();
VOID Enum_Thread(BOOL b_thread=FALSE); //TRUE表示暂停线程,FALSE表示结束线程
BOOL Enum_Module(ULONG Thread_StartAddr);
//--守护OD和CE--------------------------
VOID Hook_ObOpenObjectByPointer();
VOID Un_ObOpenObjectByPointer();
VOID SSDT_NtQuerySystemInformation();
VOID Un_NtQuerySystemInformation();
//------------------------------------
VOID Hook_NtOpenProcess();
VOID My_NtOpenProecss();
VOID Un_NtOpenProecss();
VOID Hook_NtReadVirtualMemory();
VOID My_NtReadVirtualMemory();
VOID Un_NtReadVirtualMemory();
VOID Hook_NtWriteVirtualMemory();
VOID My_NtWriteVirtualMemory();
VOID Un_NtWriteVirtualMemory();
VOID Hook_NtClose();
VOID My_NtClose();
VOID Un_NtClocse();
VOID Hook_NtDeviceIoControlFile();
VOID My_NtDeviceIoControlFile();
VOID Unnt_NtDeviceIoControlFile();
VOID Hook_KiAttachProcess();
VOID My_KiAttachProcess();
VOID Unnt_KiAttachProecss();
VOID Hook_IopXxxControlFile();
VOID My_IopXxxControlFile();
VOID Un_IopXxxControlFile();
VOID Hook_NtGetContextThread();
VOID My_NtGetContextThread();
VOID Un_NtGetContextThread();
VOID Hook_NtSetContextThread();
VOID My_NtSetContextThread();
VOID Un_NtSetContextThread();
VOID Hook_NtGetContextThread1();
VOID My_NtGetContextThread1();
VOID Un_NtGetContextThread1();
VOID Hook_NtQueryPerformanceCounter();
VOID My_NtQueryPerformanceCounter_1();
VOID My_NtQueryPerformanceCounter_2();
VOID Un_NtQueryPerformanceCounter();
VOID Hook_DebugPort();
VOID Un_DebugPort();
VOID Hook_NtSetInformationThread();
extern "C"
NTSTATUS __stdcall My_NtSetInformationThread ( __in HANDLE ThreadHandle,
__in THREADINFOCLASS ThreadInformationClass,
__in_bcount(ThreadInformationLength) PVOID ThreadInformation,
__in ULONG ThreadInformationLength
) ;
VOID Un_NtSetInnformationThread();
#endif
//--------------------------------xxx.cpp
#pragma INITCODE
extern "C"
NTSTATUS DriverEntry(PDRIVER_OBJECT driver,PUNICODE_STRING driver_object_name)
{
/*
1.绕过PsSuspendThread
2.枚举HS线程暂停
3.SSDT HOOK守护进程
1.NtOpenProcess
2.NtReadVirtualMemory
4.绕SSDT函数HOOK
1.NtOpenProcess
2.NtReadVirtualMemory
3.NtWriteVirtualMemory
4.NtClose
5.NtDeviceIoControlFile
6.KiAttachProcess
7.IopXxxControlFile
8.NtGetContextThread
9.NtSetContextThread
10.NtGetContextThread第二处
11.NtQueryPerformanceCounter
5.绕Shadow SSDT函数HOOK
1.HOOK KiFastCallEntry绕SSDT HOOK
2.绕NtGdiGetPixel
3.Hook Shadow SSDT守护窗口
6.(_EPROECSS+bc)DebugPort的处理
7.HOOK NtSetInformationThread (HideFromDebugPort) 0x11号功能
8.SSDT HOOK隐藏进程和模块
*/
//------------------------------------------------------------
LoadDriver_GetVersion(driver);
Get_NtResumeThread();
Hook_PsSuspendThread();
Enum_Thread(TRUE);
Hook_NtOpenProcess();
Hook_NtReadVirtualMemory();
Hook_NtWriteVirtualMemory();
Hook_NtClose();
Hook_NtDeviceIoControlFile();
Hook_KiAttachProcess();
Hook_IopXxxControlFile();
Hook_NtGetContextThread();
Hook_NtSetContextThread();
Hook_NtGetContextThread1();
Hook_NtQueryPerformanceCounter();
Hook_DebugPort();
Hook_NtSetInformationThread();
// Hook_ObOpenObjectByPointer();
SSDT_NtQuerySystemInformation();
//-------------------------------------------------------------
NTSTATUS status=STATUS_SUCCESS;
driver->MajorFunction[IRP_MJ_CREATE]=DispatchIrp;
driver->MajorFunction[IRP_MJ_READ]=DispatchIrp;
driver->MajorFunction[IRP_MJ_WRITE]=DispatchIrp;
driver->MajorFunction[IRP_MJ_CLOSE]=DispatchIrp;
driver->MajorFunction[IRP_MJ_DEVICE_CONTROL]=DispatchIrp;
driver->DriverUnload=DriverUnLoad;
UNICODE_STRING driver_name;
RtlInitUnicodeString(&driver_name,_Driver_name);
PDEVICE_OBJECT device_object;
status=IoCreateDevice(driver,NULL,&driver_name,FILE_DEVICE_UNKNOWN,NULL,FALSE,&device_object);
if(!NT_SUCCESS(status))
{
KdPrint(("创建设备失败!\n"));
return status;
}
KdPrint(("创建设备成功!\n"));
device_object->Flags |= DO_BUFFERED_IO;
UNICODE_STRING symbolic_name;
RtlInitUnicodeString(&symbolic_name,_Symbolic_name);
status=IoCreateSymbolicLink(&symbolic_name,&driver_name);
if(!NT_SUCCESS(status))
{
IoDeleteDevice(device_object);
KdPrint(("创建符号链接失败!\n"));
return status;
}
KdPrint(("创建符号链接成功!\n"));
return STATUS_SUCCESS;
}
#pragma PAGEDCODE
VOID DriverUnLoad(PDRIVER_OBJECT driver)
{
UNICODE_STRING symbol_name;
RtlInitUnicodeString(&symbol_name,_Symbolic_name);
IoDeleteSymbolicLink(&symbol_name);
IoDeleteDevice(driver->DeviceObject);
KdPrint(("删除设备成功!\n"));
//---------------------------------
Un_PsSuspendThread();
Un_NtOpenProecss();
Un_NtReadVirtualMemory();
Un_NtWriteVirtualMemory();
Un_NtClocse();
Unnt_NtDeviceIoControlFile();
Unnt_KiAttachProecss();
Un_IopXxxControlFile();
Un_NtGetContextThread();
Un_NtSetContextThread();
Un_NtGetContextThread1();
Un_NtQueryPerformanceCounter();
Un_DebugPort();
Un_NtSetInnformationThread();
// Un_ObOpenObjectByPointer();
Un_NtQuerySystemInformation();
Enum_Thread(FALSE);
}
#pragma PAGEDCODE
NTSTATUS DispatchIrp(PDEVICE_OBJECT driver,PIRP irp)
{
irp->IoStatus.Status=STATUS_SUCCESS;
irp->IoStatus.Information=0;
IoCompleteRequest(irp,IO_NO_INCREMENT);
KdPrint(("进入IRP例程!\n"));
return STATUS_SUCCESS;
}
//--------------------------------xxxx_struct.h
struct _SYSTEM_PROCESSOR_TIMES//处理器时间结构
{
LARGE_INTEGER IdleTime;
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;;
LARGE_INTEGER DpcTime;
LARGE_INTEGER InterruptTime;
ULONG InterruptCount;
};
typedef struct _SYSTEM_THREADS{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
LONG BasePriority;
ULONG ContextSwitches;
ULONG ThreadState;
ULONG WaitReason;
ULONG Reversed;//add by achillis
} SYSTEM_THREAD_INFORMATION,*PSYSTEM_THREADS;
typedef struct _SYSTEM_PROCESSES{
ULONG NextEntryDelta;
ULONG ThreadCount;
LARGE_INTEGER Reserved1[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG SessionId;
ULONG_PTR PageDirectoryBase;
VM_COUNTERS VmCounters;
ULONG PrivatePageCount;// add by achillis
IO_COUNTERS IoCounters;
_SYSTEM_THREADS Threads[1];
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
{
ULONG Unknow1;
ULONG Unknow2;
#ifdef _WIN64
ULONG Unknow3;
ULONG Unknow4:
#endif
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT ModuleNameOffset;
char ImageName[256];
}SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Count;//内核中以加载的模块的个数
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
}SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation, // 0 Y N
SystemProcessorInformation, // 1 Y N
SystemPerformanceInformation, // 2 Y N
SystemTimeOfDayInformation, // 3 Y N
SystemNotImplemented1, // 4 Y N
SystemProcessesAndThreadsInformation, // 5 Y N
SystemCallCounts, // 6 Y N
SystemConfigurationInformation, // 7 Y N
SystemProcessorTimes, // 8 Y N
SystemGlobalFlag, // 9 Y Y
SystemNotImplemented2, // 10 Y N
SystemModuleInformation, // 11 Y N
SystemLockInformation, // 12 Y N
SystemNotImplemented3, // 13 Y N
SystemNotImplemented4, // 14 Y N
SystemNotImplemented5, // 15 Y N
SystemHandleInformation, // 16 Y N
SystemObjectInformation, // 17 Y N
SystemPagefileInformation, // 18 Y N
SystemInstructionEmulationCounts, // 19 Y N
SystemInvalidInfoClass1, // 20
SystemCacheInformation, // 21 Y Y
SystemPoolTagInformation, // 22 Y N
SystemProcessorStatistics, // 23 Y N
SystemDpcInformation, // 24 Y Y
SystemNotImplemented6, // 25 Y N
SystemLoadImage, // 26 N Y
SystemUnloadImage, // 27 N Y
SystemTimeAdjustment, // 28 Y Y
SystemNotImplemented7, // 29 Y N
SystemNotImplemented8, // 30 Y N
SystemNotImplemented9, // 31 Y N
SystemCrashDumpInformation, // 32 Y N
SystemExceptionInformation, // 33 Y N
SystemCrashDumpStateInformation, // 34 Y Y/N
SystemKernelDebuggerInformation, // 35 Y N
SystemContextSwitchInformation, // 36 Y N
SystemRegistryQuotaInformation, // 37 Y Y
SystemLoadAndCallImage, // 38 N Y
SystemPrioritySeparation, // 39 N Y
SystemNotImplemented10, // 40 Y N
SystemNotImplemented11, // 41 Y N
SystemInvalidInfoClass2, // 42
SystemInvalidInfoClass3, // 43
SystemTimeZoneInformation, // 44 Y N
SystemLookasideInformation, // 45 Y N
SystemSetTimeSlipEvent, // 46 N Y
SystemCreateSession, // 47 N Y
SystemDeleteSession, // 48 N Y
SystemInvalidInfoClass4, // 49
SystemRangeStartInformation, // 50 Y N
SystemVerifierInformation, // 51 Y Y
SystemAddVerifier, // 52 N Y
SystemSessionProcessesInformation // 53 Y N
}SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
extern "C"
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation (__in SYSTEM_INFORMATION_CLASS SystemInformationClass,
__out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
__in ULONG SystemInformationLength,
__out_opt PULONG ReturnLength
);
extern "C"
NTKERNELAPI NTSTATUS PsLookupThreadByThreadId (__in HANDLE ThreadId,
__deref_out PETHREAD * Thread
);
extern "C"
typedef
NTSTATUS __stdcall PsSuspendThread ( IN PETHREAD Thread,
OUT PULONG PreviousSuspendCount OPTIONAL
) ;
extern "C"
typedef
NTSTATUS __stdcall PsResumeThread ( IN PETHREAD Thread,
OUT PULONG PreviousSuspendCount OPTIONAL
) ;
extern "C"
typedef
NTSYSCALLAPI NTSTATUS (__stdcall* NtSetInformationThread) ( __in HANDLE ThreadHandle,
__in THREADINFOCLASS ThreadInformationClass,
__in_bcount(ThreadInformationLength) PVOID ThreadInformation,
__in ULONG ThreadInformationLength
) ;
extern "C"
typedef
NTKERNELAPI NTSTATUS __stdcall ObOpenObjectByPointer ( __in PVOID Object,
__in ULONG HandleAttributes,
__in_opt PACCESS_STATE PassedAccessState,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_TYPE ObjectType,
__in KPROCESSOR_MODE AccessMode,
__out PHANDLE Handle
) ;
extern "C"
typedef
NTSYSCALLAPI NTSTATUS NTAPI NtQuerySystemInformation ( __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
__out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
__in ULONG SystemInformationLength,
__out_opt PULONG ReturnLength
);
#endif
//------------------------------------------xxxx_ssdt.h
#define _windows_xp 51
#define _Game_Name "OD.exe"
#define _Game_Name1 "OllyDBG.EXE"
#define _Game_Name2 "OllyICE.exe"
#define _Game_Name3 "Cheat Engine.exe"
#define _Game_Name4 "Cheat Engine.ex"
#define _Game_Name5 "Cheat Engine"
#define _UGame_Name L"OD.exe"
#define _UGame_Name1 L"OllyDBG.EXE"
#define _UGame_Name2 L"OllyICE.exe"
#define _UGame_Name3 L"Cheat Engine.exe"
#define _UGame_Name4 L"Cheat Engine.ex"
#define _UGame_Name5 L"Cheat Engine"
PsSuspendThread* _PsSuspendThread;
PsResumeThread* _PsResumeThread;
NtSetInformationThread* _NtSetInformationThread;
//-------------------------------------------------
int in_NtResumeThread=0; //保存NtResumeThread的序号
int in_NtPsSuspendThread=0; //保存NtSuspendThread的序号
int in_NtOpenProcess=0; //保存NtOpenProcess的序号
int in_NtReadVirtualMemory=0; //保存NtReadVirtualMemory的序号
int in_NtWriteVirtualMemory=0;//保存NtWriteVirtualMemory的序号
int in_NtClose=0; //保存NtClose的序号
int in_NtDeviceIoControlFile=0;//保存NtDeviceIoControlFile的序号
int in_NtFsControlFile=0; //保存NtFsControlFile的序号
int in_NtGetContextThread=0; //保存NtGetContextThread的序号
int in_NtTerminateThread=0; //保存NtTerminateThread的序号
int in_NtSetContextThread=0; //保存NtSetContextThread的序号
int in_NtQueryPerformanceCounter=0; //保存NtQueryPerformanceCounter的序号
int in_NtSetInformationThread=0; //保存NtSetInformationThread的序号
int in_NtQuerySystemInformation=0; //保存NtQuerySystemInformation的序号
//-------------------------------------------------
ULONG addr_ObWatchHandles; //保存ObWatchHandles的地址
ULONG addr_SEH_prolog; //保存_SEH_prolog的地址
//-------------------------------------------------
ULONG addr_NtOpenThread; //保存NtOpenThread的地址
ULONG u_PsSuspendThread; //保存PsSuspendTHread的地址
ULONG push_addr_PsSuspendThread;
ULONG call_addr_PsSuspendThread;
ULONG addr_NtOpenProcess; //保存NtOpenProcess的地址
ULONG push_addr_NtOpenProcess;
ULONG call_addr_NtOpenProecss;
ULONG addr_NtReadVirtualMemory; //保存NtReadVirtualMemory的地址
ULONG push_addr_NtReadVirtualMemory;
ULONG call_addr_NtReadVirtualMemory;
ULONG addr_NtWriteVirtualMemory; //保存NtWriteVirtualMemory的地址
ULONG push_addr_NtWriteVirtualMemory;
ULONG call_addr_NtWriteVirtualMemory;
ULONG addr_NtClose; //保存NtClose的地址
ULONG call_addr_NtClose;
ULONG addr_NtDeviceIoControlFile;//保存NtDeviceIoControlFile的地址
ULONG call_addr_NtDeviceIoControlFile;
ULONG addr_KiAttachProcess; //保存KiAttachProecss的地址
ULONG call_addr_KiAttachProcess;
ULONG addr_IopXxxControlFile; //保存IopXxxControlFile的地址
ULONG call_addr_IopXxxControlFile;
ULONG addr_NtGetContextThread; //保存NtGetContextThread的地址
ULONG call_addr_NtGetContextThread;
ULONG addr_NtSetContextThread; //保存NtSetContextThread的地址
ULONG call_addr_NtSetContextThread;
ULONG addr_NtGetContextThread1; //保存NtGetContextThread的第二处HOOK
ULONG call_addr_NtGetContextThread1;
ULONG Game_call_addr_1; //获取NtGetContextThread的第一个call地址
ULONG Game_call_addr_2; //获取NtGetContextThread的第二个call地址
ULONG addr_NtQueryPerformanceCounter; //保存NtQueryPerformanceCounter的第一个跳转地址
ULONG addr1_NtQueryPerformanceCounter;//保存NtQueryPerformanceCounter的第二个跳转地址
ULONG call_addr_NtQueryPerformanceCounter;
ULONG addr_NtSetInformationThread; //保存NtSetInformationThread的地址
ULONG addr1_NtSetInformationThread;
//-------------------------------------------------
typedef struct _ServiceDescriptorTable {
PVOID ServiceTableBase; //System Service Dispatch Table 的基地址
PVOID ServiceCounterTable;
//包含着 SSDT 中每个服务被调用次数的计数器。这个计数器一般由sysenter 更新。
unsigned int NumberOfServices;//由 ServiceTableBase 描述的服务的数目。
PVOID ParamTableBase; //包含每个系统服务参数字节数表的基地址-系统服务参数表
}*PServiceDescriptorTable;
extern "C" PServiceDescriptorTable KeServiceDescriptorTable;
#pragma pack(1)
typedef struct _JMPCODE
{
BYTE E9;
ULONG Fun_addr;
BYTE nop[2];
}jmp_code,*pjmp_code;
#pragma pack()
//-----------获取ssdt地址
#pragma PAGEDCODE
ULONG Getssdt_addr(int index)
{
ULONG* xfun_addr,x_serviceDescriptor,x_addr;
x_serviceDescriptor=(ULONG)KeServiceDescriptorTable->ServiceTableBase;
KdPrint(("当前ServiceDescriptorTable的地址为:%x\n",x_serviceDescriptor));
xfun_addr=(PULONG)(x_serviceDescriptor+index*4);
x_addr=*xfun_addr;
KdPrint(("当前Index=%d 函数地址为:%x\n",index,x_addr));
return x_addr;
}
//-----------------获取ssdt函数列表
#pragma PAGEDCODE
ULONG* Getsset_this(int index)
{
ULONG* xfun_addr,x_servicedescriptor;
x_servicedescriptor=(ULONG )KeServiceDescriptorTable->ServiceTableBase;
KdPrint(("当前ServiceDescriptorTable的地址为:%x\n",x_servicedescriptor));
xfun_addr=(PULONG)(x_servicedescriptor+index*4);
return xfun_addr;
}
KIRQL kirql;
#pragma PAGEDCODE
VOID PAGED_Open()
{
__asm
{
cli
push eax
mov eax,cr0
and eax,not 10000h
mov cr0,eax
pop eax
}
kirql=KeRaiseIrqlToDpcLevel();
}
#pragma PAGEDCODE
VOID PAGED_Exit()
{
KeLowerIrql(kirql);
__asm
{
push eax
mov eax,cr0
or eax,10000h
mov cr0,eax
pop eax
sti
}
}
#pragma PAGEDCODE
VOID LoadDriver_GetVersion(PDRIVER_OBJECT driver)
{
ULONG Majorversion,Minorversion,buildVersion;
PsGetVersion(&Majorversion,&Minorversion,&buildVersion,NULL);
DWORD dw_version=Majorversion*10+Minorversion;
switch(dw_version)
{
case _windows_xp:
KdPrint(("当前操作系统windows xp sp3!\n"));
in_NtPsSuspendThread=0xFE; //函数序号
in_NtResumeThread=0xCE;
in_NtOpenProcess=0x7A;
in_NtReadVirtualMemory=0xBA;
in_NtWriteVirtualMemory=0x115;
in_NtClose=0x19;
in_NtDeviceIoControlFile=0x42;
in_NtFsControlFile=0x54;
in_NtGetContextThread=0x55;
in_NtTerminateThread=0x102;
in_NtSetContextThread=0xD5;
in_NtQueryPerformanceCounter=0xA5;
in_NtSetInformationThread=0xE5;
in_NtQuerySystemInformation=0xAD;
break;
default:
driver->DriverUnload=DriverUnLoad;
break;
}
}
#pragma PAGEDCODE
VOID Get_NtResumeThread()
{
ULONG addr_NtResumeThread;
BYTE* _bp;
_bp=(BYTE*)Getssdt_addr(in_NtResumeThread);
do
{
if((*(_bp-4)==0x50)&&(*(_bp-3)==0xFF)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x8B)&&(*(_bp+8)==0xE8))
{
break;
}
_bp++;
} while (1);
addr_NtResumeThread=(ULONG)_bp;
__asm
{
push eax
push ebx
mov eax,addr_NtResumeThread
add eax,1
mov ebx,[eax]
add eax,ebx
add eax,5
sub eax,1
mov addr_NtResumeThread,eax
pop ebx
pop eax
}
_PsResumeThread=(PsResumeThread*)addr_NtResumeThread;
KdPrint(("PsResumeThread的地址为:%x\n",addr_NtResumeThread));
}
jmp_code _jmp_code_PsSuspendThread;
pjmp_code _pjmp_code_PsSuspendThread;
#pragma INITCODE
VOID Hook_PsSuspendThread()
{
ULONG u_NtSuspendThread;
BYTE* _bp; //特征码搜索
_bp=(BYTE*)Getssdt_addr(in_NtPsSuspendThread);
do
{
if((*(_bp-9)==0x7c)&&(*(_bp-4)==0x50)&&(*(_bp-3)==0xFF)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x8B)&&(*(_bp+7)==0x8B))
{
break;
}
_bp++;
}while(1);
u_NtSuspendThread=(ULONG)_bp;
__asm
{
push eax
mov eax,u_NtSuspendThread
add eax,1
mov ebx,[eax]
add eax,ebx
add eax,5
sub eax,1
mov u_NtSuspendThread,eax
pop eax
}
_PsSuspendThread=(PsSuspendThread*)u_NtSuspendThread;
KdPrint(("PsSuspendThread的地址为:%x\n",u_NtSuspendThread));
u_PsSuspendThread=u_NtSuspendThread+2;
KdPrint(("向PsSuspendThread写跳转的地址为:%x\n",u_PsSuspendThread));
ULONG u_addr_PsSuspendThread;
UNICODE_STRING push_addr;
RtlInitUnicodeString(&push_addr,L"NtOpenProcess");
push_addr_PsSuspendThread=(ULONG)MmGetSystemRoutineAddress(&push_addr);
__asm
{
push eax
mov eax,push_addr_PsSuspendThread
add eax,6
mov eax,[eax]
add eax,0x28
sub eax,0x284
mov u_addr_PsSuspendThread,eax
pop eax
}
addr_ObWatchHandles=u_addr_PsSuspendThread;
KdPrint(("ObWatchHandles的地址为:%x\n",u_addr_PsSuspendThread));
push_addr_PsSuspendThread=u_addr_PsSuspendThread+0x784;
KdPrint(("PsSuspendThread的push地址为:%x\n",push_addr_PsSuspendThread));
ULONG u_call_PsSuspendThread;
UNICODE_STRING call_addr;
RtlInitUnicodeString(&call_addr,L"NtOpenThread");
call_addr_PsSuspendThread=(ULONG)MmGetSystemRoutineAddress(&call_addr);
addr_NtOpenThread=call_addr_PsSuspendThread;
__asm
{
push eax
push ebx
mov eax,call_addr_PsSuspendThread
add eax,0xA
add eax,1
mov ebx,[eax]
add eax,ebx
add eax,5
sub eax,1
mov u_call_PsSuspendThread,eax
pop ebx
pop eax
}
addr_SEH_prolog=u_call_PsSuspendThread;
call_addr_PsSuspendThread=u_call_PsSuspendThread;
KdPrint(("PsSuspendThread的call地址为:%x\n",call_addr_PsSuspendThread));
_pjmp_code_PsSuspendThread=(pjmp_code)u_PsSuspendThread;
_jmp_code_PsSuspendThread.E9=_pjmp_code_PsSuspendThread->E9;
_jmp_code_PsSuspendThread.Fun_addr=_pjmp_code_PsSuspendThread->Fun_addr;
PAGED_Open();
_pjmp_code_PsSuspendThread->E9=0xE9;
_pjmp_code_PsSuspendThread->Fun_addr=(ULONG)((ULONG)My_PsSuspendThread-u_PsSuspendThread-5);
PAGED_Exit();
}
#pragma PAGEDCODE
VOID __declspec(naked) My_PsSuspendThread()
{
__asm
{
push push_addr_PsSuspendThread
mov eax,u_PsSuspendThread
add eax,0xA
push eax
mov eax,call_addr_PsSuspendThread
jmp eax
}
}
#pragma PAGEDCODE
VOID Un_PsSuspendThread()
{
PAGED_Open();
_pjmp_code_PsSuspendThread->E9=_jmp_code_PsSuspendThread.E9;
_pjmp_code_PsSuspendThread->Fun_addr=_jmp_code_PsSuspendThread.Fun_addr;
PAGED_Exit();
}
#pragma PAGEDCODE
BOOL Enum_Module(ULONG Thread_StartAddr)
{
NTSTATUS status;
PCHAR ModuleNames;
ULONG len;
PVOID pbuffer=NULL;
PSYSTEM_MODULE_INFORMATION Module_Enum;
status=ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)11,NULL,0,&len);
pbuffer=ExAllocatePool(NonPagedPool,len);
if(pbuffer==NULL)
{
KdPrint(("分配内存失败!\r\n"));
return FALSE;
}
status=ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)11,pbuffer,len,NULL);
Module_Enum=(PSYSTEM_MODULE_INFORMATION)pbuffer;
for(unsigned int i=0;i<Module_Enum->Count;i++)
{
if(ModuleNames=strstr(Module_Enum->Module.ImageName,"EagleXNt.sys"))
{
ULONG Module_Min=(ULONG)Module_Enum->Module.Base;
ULONG Module_Max=Module_Min+Module_Enum->Module.Size;
if((Module_Min<=Thread_StartAddr)&&(Thread_StartAddr<=Module_Max))
{
return TRUE;
}
}
}
ExFreePool(pbuffer);
return FALSE;
}
#pragma PAGEDCODE
VOID Enum_Thread(BOOL b_thread)
{
NTSTATUS status;
PVOID pbuffer=NULL;
ULONG len;
PSYSTEM_PROCESSES Process_Enum;
PSYSTEM_THREADS Thread_Enum;
status=ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)5,NULL,0,&len);
KdPrint(("枚举进程时分配的内存大小:%d\n",len));
pbuffer=ExAllocatePool(NonPagedPool,len);
if(pbuffer==NULL)
{
KdPrint(("分配内存失败!\r\n"));
return ;
}
status=ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)5,pbuffer,len,NULL);
Process_Enum=(PSYSTEM_PROCESSES)pbuffer;
do
{
if(Process_Enum->ThreadCount&&Process_Enum->ProcessId)
{
Thread_Enum=(PSYSTEM_THREADS)Process_Enum->Threads;
for(unsigned int i=0;i<Process_Enum->ThreadCount;i++)
{
BOOL bl_modlule=FALSE;
bl_modlule=Enum_Module((ULONG)Thread_Enum->StartAddress);
if(bl_modlule==TRUE)
{
PETHREAD thread_temp;
PsLookupThreadByThreadId(Thread_Enum->ClientId.UniqueThread,&thread_temp);
if(b_thread==TRUE)
{
_PsSuspendThread(thread_temp,NULL);
KdPrint(("暂停<->线程信息:Thread[%d] StartAddr=%08x TID:%d \r\n",i+1,Thread_Enum->StartAddress,Thread_Enum->ClientId.UniqueThread));
}
if(b_thread==FALSE)
{
_PsResumeThread(thread_temp,NULL);
KdPrint(("删除<->线程信息:Thread[%d] StartAddr=%08x TID:%d \r\n",i+1,Thread_Enum->StartAddress,Thread_Enum->ClientId.UniqueThread));
}
}
Thread_Enum++;
}
}
if(Process_Enum->NextEntryDelta==NULL)
{
break;
}
Process_Enum=(PSYSTEM_PROCESSES)(((PUCHAR)Process_Enum)+Process_Enum->NextEntryDelta);
}while(1);
ExFreePool(pbuffer);
}
jmp_code _jmp_code_NtOpenProecss;
pjmp_code _pjmp_code_NtOpenProecss;
#pragma INITCODE
VOID Hook_NtOpenProcess()
{
ULONG my_function_addr;
addr_NtOpenProcess=Getssdt_addr(in_NtOpenProcess);
addr_NtOpenProcess+=5;
KdPrint(("向NtOpenProcess写跳转地址为:%x\n",addr_NtOpenProcess));
__asm
{
push eax
mov eax,My_NtOpenProecss
mov my_function_addr,eax
pop eax
}
KdPrint(("自定义NtOpenProcess的地址为:%x\n",my_function_addr));
push_addr_NtOpenProcess=addr_ObWatchHandles+0x25c;
KdPrint(("NtOpenProcess的push地址为:%x\n",push_addr_NtOpenProcess));
call_addr_NtOpenProecss=addr_SEH_prolog;
KdPrint(("NtOpenProcess的call地址为:%x\n",call_addr_NtOpenProecss));
_pjmp_code_NtOpenProecss=(pjmp_code)addr_NtOpenProcess;
_jmp_code_NtOpenProecss.E9=_pjmp_code_NtOpenProecss->E9;
_jmp_code_NtOpenProecss.Fun_addr=_pjmp_code_NtOpenProecss->Fun_addr;
PAGED_Open();
_pjmp_code_NtOpenProecss->E9=0xE9;
_pjmp_code_NtOpenProecss->Fun_addr=(ULONG)(my_function_addr-addr_NtOpenProcess-5);
PAGED_Exit();
}
#pragma PAGEDCODE
VOID __declspec(naked) My_NtOpenProecss()
{
__asm
{
push push_addr_NtOpenProcess
mov eax,addr_NtOpenProcess
add eax,0xA
push eax
mov eax,call_addr_NtOpenProecss
jmp eax
}
}
#pragma PAGEDCODE
VOID Un_NtOpenProecss()
{
PAGED_Open();
_pjmp_code_NtOpenProecss->E9=_jmp_code_NtOpenProecss.E9;
_pjmp_code_NtOpenProecss->Fun_addr=_jmp_code_NtOpenProecss.Fun_addr;
PAGED_Exit();
}
jmp_code _jmp_code_NtReadVirtualMemory;
pjmp_code _pjmp_code_NtReadVirtualMemory;
#pragma INITCODE
VOID Hook_NtReadVirtualMemory()
{
ULONG My_Function_Addr;
addr_NtReadVirtualMemory=(ULONG)Getssdt_addr(in_NtReadVirtualMemory);
addr_NtReadVirtualMemory+=2;
KdPrint(("向NtReadVirtualMemory写跳转地址为:%x\n",addr_NtReadVirtualMemory));
__asm
{
push eax
mov eax,My_NtReadVirtualMemory
mov My_Function_Addr,eax
pop eax
}
KdPrint(("自定义NtReadVirtualMemory的地址为:%x\n",My_Function_Addr));
__asm
{
push eax
mov eax,addr_NtReadVirtualMemory
add eax,1
mov eax,[eax]
mov push_addr_NtReadVirtualMemory,eax
pop eax
}
KdPrint(("NtReadVirtualMemory的push地址为:%x\n",push_addr_NtReadVirtualMemory));
call_addr_NtReadVirtualMemory=addr_SEH_prolog;
KdPrint(("NtReadVirtualMemory的call地址为:%x\n",call_addr_NtReadVirtualMemory));
_pjmp_code_NtReadVirtualMemory=(pjmp_code)addr_NtReadVirtualMemory;
_jmp_code_NtReadVirtualMemory.E9=_pjmp_code_NtReadVirtualMemory->E9;
_jmp_code_NtReadVirtualMemory.Fun_addr=_pjmp_code_NtReadVirtualMemory->Fun_addr;
PAGED_Open();
_pjmp_code_NtReadVirtualMemory->E9=0xE9;
_pjmp_code_NtReadVirtualMemory->Fun_addr=(ULONG)(My_Function_Addr-addr_NtReadVirtualMemory-5);
PAGED_Exit();
}
#pragma PAGEDCODE
VOID __declspec(naked) My_NtReadVirtualMemory()
{
__asm
{
push push_addr_NtReadVirtualMemory
mov eax,addr_NtReadVirtualMemory
add eax,0xA
push eax
mov eax,call_addr_NtReadVirtualMemory
jmp eax
}
}
#pragma PAGEDCODE
VOID Un_NtReadVirtualMemory()
{
PAGED_Open();
_pjmp_code_NtReadVirtualMemory->E9=_jmp_code_NtReadVirtualMemory.E9;
_pjmp_code_NtReadVirtualMemory->Fun_addr=_jmp_code_NtReadVirtualMemory.Fun_addr;
PAGED_Exit();
}
jmp_code _jmp_code_NtWriteVirtrualMemory;
pjmp_code _pjmp_code_NtWriteVirtualMemory;
#pragma INITCODE
VOID Hook_NtWriteVirtualMemory()
{
ULONG My_Function_Addr;
addr_NtWriteVirtualMemory=(ULONG)Getssdt_addr(in_NtWriteVirtualMemory);
addr_NtWriteVirtualMemory+=2;
KdPrint(("向NtWriteVirtualMemory写跳转地址为:%x\n",addr_NtWriteVirtualMemory));
__asm
{
push eax
mov eax,My_NtWriteVirtualMemory
mov My_Function_Addr,eax
pop eax
}
KdPrint(("自定义NtWriteVirtualMemory的地址为:%x\n",My_Function_Addr));
__asm
{
push eax
mov eax,addr_NtWriteVirtualMemory
add eax,1
mov eax,[eax]
mov push_addr_NtWriteVirtualMemory,eax
pop eax
}
KdPrint(("NtWriteVirtualMemory的push地址为:%x\n",push_addr_NtWriteVirtualMemory));
call_addr_NtWriteVirtualMemory=addr_SEH_prolog;
KdPrint(("NtWriteVirtualMemory的call地址为:%x\n",call_addr_NtWriteVirtualMemory));
_pjmp_code_NtWriteVirtualMemory=(pjmp_code)addr_NtWriteVirtualMemory;
_jmp_code_NtWriteVirtrualMemory.E9=_pjmp_code_NtWriteVirtualMemory->E9;
_jmp_code_NtWriteVirtrualMemory.Fun_addr=_pjmp_code_NtWriteVirtualMemory->Fun_addr;
PAGED_Open();
_pjmp_code_NtWriteVirtualMemory->E9=0xE9;
_pjmp_code_NtWriteVirtualMemory->Fun_addr=(ULONG)(My_Function_Addr-addr_NtWriteVirtualMemory-5);
PAGED_Exit();
}
#pragma PAGEDCODE
VOID __declspec(naked) My_NtWriteVirtualMemory()
{
__asm
{
push push_addr_NtWriteVirtualMemory
mov eax,addr_NtWriteVirtualMemory
add eax,0xA
push eax
mov eax,call_addr_NtWriteVirtualMemory
jmp eax
}
}
#pragma PAGEDCODE
VOID Un_NtWriteVirtualMemory()
{
PAGED_Open();
_pjmp_code_NtWriteVirtualMemory->E9=_jmp_code_NtWriteVirtrualMemory.E9;
_pjmp_code_NtWriteVirtualMemory->Fun_addr=_jmp_code_NtWriteVirtrualMemory.Fun_addr;
PAGED_Exit();
}
jmp_code _jmp_code_NtClose;
pjmp_code _pjmp_code_NtClose;
#pragma INITCODE
VOID Hook_NtClose()
{
ULONG My_Function_Addr;
addr_NtClose=(ULONG)Getssdt_addr(in_NtClose);
call_addr_NtClose=addr_NtClose-0x1A2;
KdPrint(("NtClose的call地址为:%x\n",call_addr_NtClose));
addr_NtClose+=0x12;
KdPrint(("向NtClose写跳转的地址为:%x\n",addr_NtClose));
__asm
{
push eax
mov eax,My_NtClose
mov My_Function_Addr,eax
pop eax
}
KdPrint(("自定义NtClose的地址为:%x\n",My_Function_Addr));
_pjmp_code_NtClose=(pjmp_code)addr_NtClose;
_jmp_code_NtClose.E9=_pjmp_code_NtClose->E9;
_jmp_code_NtClose.Fun_addr=_pjmp_code_NtClose->Fun_addr;
_jmp_code_NtClose.nop[0]=_pjmp_code_NtClose->nop[0];
PAGED_Open();
_pjmp_code_NtClose->E9=0xE9;
_pjmp_code_NtClose->Fun_addr=(ULONG)(My_Function_Addr-addr_NtClose-5);
_pjmp_code_NtClose->nop[0]=0x90;
PAGED_Exit();
}
#pragma PAGEDCODE
VOID __declspec(naked) My_NtClose()
{
__asm
{
push 0
push eax
push dword ptr [ebp+8]
mov eax,addr_NtClose
add eax,0xB
push eax
mov eax,call_addr_NtClose
jmp eax
}
}
#pragma PAGEDCODE
VOID Un_NtClocse()
{
PAGED_Open();
_pjmp_code_NtClose->E9=_jmp_code_NtClose.E9;
_pjmp_code_NtClose->Fun_addr=_jmp_code_NtClose.Fun_addr;
_pjmp_code_NtClose->nop[0]=_jmp_code_NtClose.nop[0];
PAGED_Exit();
}
jmp_code _jmp_code_NtDeviceIoControlFile;
pjmp_code _pjmp_code_NtDeviceIoControlFile;
#pragma INITCODE
VOID Hook_NtDeviceIoControlFile()
{
ULONG My_Function_Addr;
ULONG u_NtFsControlFile;
addr_NtDeviceIoControlFile=(ULONG)Getssdt_addr(in_NtDeviceIoControlFile);
addr_NtDeviceIoControlFile+=0x1F;
KdPrint(("向NtDeviceIoControlFile写跳转的地址为:%x\n",addr_NtDeviceIoControlFile));
u_NtFsControlFile=(ULONG)Getssdt_addr(in_NtFsControlFile);
call_addr_IopXxxControlFile=u_NtFsControlFile;
u_NtFsControlFile=u_NtFsControlFile+0x25;
__asm
{
push eax
push ebx
mov eax,u_NtFsControlFile
add eax,1
mov ebx,[eax]
add eax,ebx
add eax,5
sub eax,1
mov call_addr_NtDeviceIoControlFile,eax
pop ebx
pop eax
}
addr_IopXxxControlFile=call_addr_NtDeviceIoControlFile;
KdPrint(("NtDeviceIoControlFile的call地址为:%x\n",call_addr_NtDeviceIoControlFile));
__asm
{
push eax
mov eax,My_NtDeviceIoControlFile
mov My_Function_Addr,eax
pop eax
}
KdPrint(("自定义NtDeviceIoControlFile的地址为:%x\n",My_Function_Addr));
_pjmp_code_NtDeviceIoControlFile=(pjmp_code)addr_NtDeviceIoControlFile;
_jmp_code_NtDeviceIoControlFile.E9=_pjmp_code_NtDeviceIoControlFile->E9;
_jmp_code_NtDeviceIoControlFile.Fun_addr=_pjmp_code_NtDeviceIoControlFile->Fun_addr;
PAGED_Open();
_pjmp_code_NtDeviceIoControlFile->E9=0xE9;
_pjmp_code_NtDeviceIoControlFile->Fun_addr=(ULONG)(My_Function_Addr-addr_NtDeviceIoControlFile-5);
PAGED_Exit();
}
#pragma PAGEDCODE
VOID __declspec(naked) My_NtDeviceIoControlFile()
{
__asm
{
push dword ptr [ebp+0Ch]
push dword ptr [ebp+8]
mov eax,addr_NtDeviceIoControlFile
add eax,0xB
push eax
mov eax,call_addr_NtDeviceIoControlFile
jmp eax
}
}
#pragma PAGEDCODE
VOID Unnt_NtDeviceIoControlFile()
{
PAGED_Open();
_pjmp_code_NtDeviceIoControlFile->E9=_jmp_code_NtDeviceIoControlFile.E9;
_pjmp_code_NtDeviceIoControlFile->Fun_addr=_jmp_code_NtDeviceIoControlFile.Fun_addr;
PAGED_Exit();
}
jmp_code _jmp_code_KiAttachProcess;
pjmp_code _pjmp_code_KiAttachProcess;
#pragma INITCODE
VOID Hook_KiAttachProcess()
{
ULONG My_Function_Addr;
ULONG u_KeAttachProcess;
UNICODE_STRING KeAttachProcess_name;
RtlInitUnicodeString(&KeAttachProcess_name,L"KeAttachProcess");
u_KeAttachProcess=(ULONG)MmGetSystemRoutineAddress(&KeAttachProcess_name);
KdPrint(("套出KeAttachProcess的地址为:%x\n",u_KeAttachProcess));
BYTE* _bp;
_bp=(BYTE*)u_KeAttachProcess;
do
{
if((*(_bp-2)==0x57)&&(*(_bp-1)==0x56)&&(*(_bp)==0xE8))
{
break;
}
_bp++;
}while(1);
addr_KiAttachProcess=(ULONG)_bp;
__asm
{
push eax
push ebx
mov eax,addr_KiAttachProcess
add eax,1
mov ebx,[eax]
add eax,ebx
add eax,5
sub eax,1
mov addr_KiAttachProcess,eax
pop ebx
pop eax
}
KdPrint(("KiAttachProcess的地址为%x\n",addr_KiAttachProcess));
call_addr_KiAttachProcess=addr_KiAttachProcess-0x488;
KdPrint(("KiAttachProcess的call地址为:%x\n",call_addr_KiAttachProcess));
addr_KiAttachProcess+=0x11;
KdPrint(("向KiAttachProcess写跳转地址:%x\n",addr_KiAttachProcess));
__asm
{
push eax
mov eax,My_KiAttachProcess
mov My_Function_Addr,eax
pop eax
}
KdPrint(("自定义KiAttachProcess的地址为:%x\n",My_Function_Addr));
_pjmp_code_KiAttachProcess=(pjmp_code)addr_KiAttachProcess;
_jmp_code_KiAttachProcess.E9=_pjmp_code_KiAttachProcess->E9;
_jmp_code_KiAttachProcess.Fun_addr=_pjmp_code_KiAttachProcess->Fun_addr;
_jmp_code_KiAttachProcess.nop[0]=_pjmp_code_KiAttachProcess->nop[0];
_jmp_code_KiAttachProcess.nop[1]=_pjmp_code_KiAttachProcess->nop[1];
PAGED_Open();
_pjmp_code_KiAttachProcess->E9=0xE9;
_pjmp_code_KiAttachProcess->Fun_addr=(ULONG)(My_Function_Addr-addr_KiAttachProcess-5);
_pjmp_code_KiAttachProcess->nop[0]=0x90;
_pjmp_code_KiAttachProcess->nop[1]=0x90;
PAGED_Exit();
}
#pragma PAGEDCODE
VOID __declspec(naked) My_KiAttachProcess()
{
__asm
{
inc word ptr [edi+60h]
lea ebx,[esi+34h]
push ebx
mov eax,addr_KiAttachProcess
add eax,0xD
push eax
mov eax,call_addr_KiAttachProcess
jmp eax
}
}
#pragma PAGEDCODE
VOID Unnt_KiAttachProecss()
{
PAGED_Open();
_pjmp_code_KiAttachProcess->E9=_jmp_code_KiAttachProcess.E9;
_pjmp_code_KiAttachProcess->Fun_addr=_jmp_code_KiAttachProcess.Fun_addr;
_pjmp_code_KiAttachProcess->nop[0]=_jmp_code_KiAttachProcess.nop[0];
_pjmp_code_KiAttachProcess->nop[1]=_jmp_code_KiAttachProcess.nop[1];
PAGED_Exit();
}
jmp_code _jmp_code_IopXxxControlFile;
pjmp_code _pjmp_code_IopXxxControlFile;
#pragma INITCODE
VOID Hook_IopXxxControlFile()
{
ULONG My_Function_Addr;
BYTE* _bp;
_bp=(BYTE*)addr_IopXxxControlFile;
do
{
if((*(_bp-11)==0x6A)&&(*(_bp-6)==0xFF)&&(*(_bp-3)==0xFF)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x83)&&(*(_bp+9)==0x8B))
{
break;
}
_bp++;
}while(1);
addr_IopXxxControlFile=(ULONG)_bp-6;
KdPrint(("向IopXxxControlFile写跳转地址为:%x\n",addr_IopXxxControlFile));
_bp=(BYTE*)call_addr_IopXxxControlFile;
do
{
if((*(_bp-11)==0x6A)&&(*(_bp-6)==0xFF)&&(*(_bp-3)==0xFF)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x83)&&(*(_bp+9)==0x8B))
{
break;
}
_bp++;
}while(1);
call_addr_IopXxxControlFile=(ULONG)_bp;
__asm
{
push eax
push ebx
mov eax,call_addr_IopXxxControlFile
add eax,1
mov ebx,[eax]
add eax,ebx
add eax,5
sub eax,1
mov call_addr_IopXxxControlFile,eax
pop ebx
pop eax
}
KdPrint(("IopXxxControlFile的call地址为:%x\n",call_addr_IopXxxControlFile));
__asm
{
push eax
mov eax,My_IopXxxControlFile
mov My_Function_Addr,eax
pop eax
}
KdPrint(("自定义IopXxxControlFile的地址为:%x\n",My_Function_Addr));
_pjmp_code_IopXxxControlFile=(pjmp_code)addr_IopXxxControlFile;
_jmp_code_IopXxxControlFile.E9=_pjmp_code_IopXxxControlFile->E9;
_jmp_code_IopXxxControlFile.Fun_addr=_pjmp_code_IopXxxControlFile->Fun_addr;
_jmp_code_IopXxxControlFile.nop[0]=_pjmp_code_IopXxxControlFile->nop[0];
PAGED_Open();
_pjmp_code_IopXxxControlFile->E9=0xE9;
_pjmp_code_IopXxxControlFile->Fun_addr=(ULONG)(My_Function_Addr-addr_IopXxxControlFile-5);
_pjmp_code_IopXxxControlFile->nop[0]=0x90;
PAGED_Exit();
}
共条评分
回复
举报
在线那个谁
UID:23
- 注册时间2013-05-25
- 最后登录2013-10-26
- 在线时间182小时
- 发帖417
- 搜Ta的帖子
- 精华0
- 访问TA的空间加好友用道具
总版主
- 加关注
- 发消息
只看该作者沙发 发表于: 10-10
#pragma PAGEDCODE
VOID __declspec(naked) My_IopXxxControlFile()
{
__asm
{
push dword ptr [ebp-40h]
push dword ptr [ebp-24h]
mov eax,addr_IopXxxControlFile
add eax,0xB
push eax
mov eax,call_addr_IopXxxControlFile
jmp eax
}
}
#pragma PAGEDCODE
VOID Un_IopXxxControlFile()
{
PAGED_Open();
_pjmp_code_IopXxxControlFile->E9=_jmp_code_IopXxxControlFile.E9;
_pjmp_code_IopXxxControlFile->Fun_addr=_jmp_code_IopXxxControlFile.Fun_addr;
_pjmp_code_IopXxxControlFile->nop[0]=_jmp_code_IopXxxControlFile.nop[0];
PAGED_Exit();
}
jmp_code _jmp_code_NtGetContextThread;
pjmp_code _pjmp_code_NtGetContextThread;
#pragma INITCODE
VOID Hook_NtGetContextThread()
{
ULONG My_Function_Addr;
BYTE* _bp;
_bp=(BYTE*)Getssdt_addr(in_NtGetContextThread);
do
{
if((*(_bp-15)==0x50)&&(*(_bp-5)==0x6A)&&(*(_bp-3)==0xFF)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x8B)&&(*(_bp+7)==0x85))
{
break;
}
_bp++;
} while (1);
addr_NtGetContextThread=(ULONG)_bp-5;
KdPrint(("向NtGetContextThread写跳转的地址为:%x\n",addr_NtGetContextThread));
_bp=(BYTE*)Getssdt_addr(in_NtTerminateThread);
do
{
if((*(_bp-15)==0x50)&&(*(_bp-5)==0x6A)&&(*(_bp-3)==0xFF)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x8B)&&(*(_bp+7)==0x85))
{
break;
}
_bp++;
} while (1);
call_addr_NtGetContextThread=(ULONG)_bp;
KdPrint(("NtGetContextThread的call来自于:%x\n",call_addr_NtGetContextThread));
__asm
{
push eax
push ebx
mov eax,call_addr_NtGetContextThread
add eax,1
mov ebx,[eax]
add eax,ebx
add eax,5
sub eax,1
mov call_addr_NtGetContextThread,eax
pop ebx
pop eax
}
call_addr_NtSetContextThread=call_addr_NtGetContextThread;
KdPrint(("从NtTerminateThread获取的NtGetContextThread的call ObReferenceObjectByHandle的地址为:%x\n",call_addr_NtGetContextThread));
__asm
{
push eax
mov eax,My_NtGetContextThread
mov My_Function_Addr,eax
pop eax
}
KdPrint(("自定义NtGetContextThread的地址为:%x\n",My_Function_Addr));
Game_call_addr_1=addr_NtGetContextThread+5;
__asm
{
push eax
push ebx
mov eax,Game_call_addr_1
add eax,1
mov ebx,[eax]
add eax,ebx
add eax,5
sub eax,1
mov Game_call_addr_1,eax
pop ebx
pop eax
}
KdPrint(("获取NtGetContextThread的call获取的第一个call地址为:%x\n",Game_call_addr_1));
_pjmp_code_NtGetContextThread=(pjmp_code)addr_NtGetContextThread;
_jmp_code_NtGetContextThread.E9=_pjmp_code_NtGetContextThread->E9;
_jmp_code_NtGetContextThread.Fun_addr=_pjmp_code_NtGetContextThread->Fun_addr;
PAGED_Open();
_pjmp_code_NtGetContextThread->E9=0xE9;
_pjmp_code_NtGetContextThread->Fun_addr=(ULONG)(My_Function_Addr-addr_NtGetContextThread-5);
PAGED_Exit();
}
PEPROCESS eprocess;
ANSI_STRING GetProcess_1;
ANSI_STRING OD_Name_1;
ANSI_STRING OD_Name_2;
ANSI_STRING OD_Name_3;
#pragma PAGEDCODE
VOID __declspec(naked) My_NtGetContextThread()
{
__asm
{
pushad
pushf
}
eprocess=PsGetCurrentProcess();
RtlInitAnsiString(&GetProcess_1,(PCSZ)((ULONG)eprocess+0x174));
RtlInitAnsiString(&OD_Name_1,_Game_Name);
RtlInitAnsiString(&OD_Name_2,_Game_Name1);
RtlInitAnsiString(&OD_Name_3,_Game_Name2);
if(RtlCompareString(&GetProcess_1,&OD_Name_1,TRUE)==0)
{
__asm
{
popf
popad
push 8
push dword ptr [ebp+8]
mov eax,addr_NtGetContextThread
add eax,0xA
push eax
jmp call_addr_NtGetContextThread
}
}
else
{
if(RtlCompareString(&GetProcess_1,&OD_Name_2,TRUE)==0)
{
__asm
{
popf
popad
push 8
push dword ptr [ebp+8]
mov eax,addr_NtGetContextThread
add eax,0xA
push eax
jmp call_addr_NtGetContextThread
}
}
else
{
if(RtlCompareString(&GetProcess_1,&OD_Name_3,TRUE)!=0)
{
__asm
{
popf
popad
push 8
push dword ptr [ebp+8]
mov eax,addr_NtGetContextThread
add eax,0xA
push eax
jmp call_addr_NtGetContextThread
}
}
else
{
__asm
{
popf
popad
push 8
push dword ptr [ebp+8]
mov eax,addr_NtGetContextThread
add eax,0xA
push eax
jmp Game_call_addr_1
}
}
}
}
}
#pragma PAGEDCODE
VOID Un_NtGetContextThread()
{
PAGED_Open();
_pjmp_code_NtGetContextThread->E9=_jmp_code_NtGetContextThread.E9;
_pjmp_code_NtGetContextThread->Fun_addr=_jmp_code_NtGetContextThread.Fun_addr;
PAGED_Exit();
}
jmp_code _jmp_code_NtSetContextThread;
pjmp_code _pjmp_code_NtSetContextThread;
#pragma INITCODE
VOID Hook_NtSetContextThread()
{
ULONG My_Function_Addr;
BYTE* _bp;
_bp=(BYTE*)Getssdt_addr(in_NtSetContextThread);
do
{
if((*(_bp-15)==0x50)&&(*(_bp-5)==0x6A)&&(*(_bp-3)==0xFF)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x8B)&&(*(_bp+7)==0x85))
{
break;
}
_bp++;
} while (1);
addr_NtSetContextThread=(ULONG)_bp-5;
KdPrint(("向NtSetContextThread写跳转地址的:%x\n",addr_NtSetContextThread));
__asm
{
push eax
mov eax,My_NtSetContextThread
mov My_Function_Addr,eax
pop eax
}
KdPrint(("自定义NtSetContextThread的地址为:%x\n",My_Function_Addr));
_pjmp_code_NtSetContextThread=(pjmp_code)addr_NtSetContextThread;
_jmp_code_NtSetContextThread.E9=_pjmp_code_NtSetContextThread->E9;
_jmp_code_NtSetContextThread.Fun_addr=_pjmp_code_NtSetContextThread->Fun_addr;
PAGED_Open();
_pjmp_code_NtSetContextThread->E9=0xE9;
_pjmp_code_NtSetContextThread->Fun_addr=(ULONG)(My_Function_Addr-addr_NtSetContextThread-5);
PAGED_Exit();
}
#pragma PAGEDCODE
VOID __declspec(naked) My_NtSetContextThread()
{
__asm
{
push 1
push dword ptr [ebp+8]
mov eax,addr_NtSetContextThread
add eax,0xA
push eax
mov eax,call_addr_NtSetContextThread
jmp eax
}
}
#pragma PAGEDCODE
VOID Un_NtSetContextThread()
{
PAGED_Open();
_pjmp_code_NtSetContextThread->E9=_jmp_code_NtSetContextThread.E9;
_pjmp_code_NtSetContextThread->Fun_addr=_jmp_code_NtSetContextThread.Fun_addr;
PAGED_Exit();
}
jmp_code _jmp_code_NtGetContextThread1;
pjmp_code _pjmp_code_NtGetContextThread1;
#pragma INITCODE
VOID Hook_NtGetContextThread1()
{
ULONG My_Function_Addr;
BYTE* _bp;
_bp=(BYTE*)Getssdt_addr(in_NtGetContextThread);
do
{
if((*(_bp-7)==0xBE)&&(*(_bp-2)==0x8B)&&(*(_bp-1)==0xCF)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x5F)&&(*(_bp+6)==0x8B))
{
break;
}
_bp++;
} while (1);
addr_NtGetContextThread1=(ULONG)_bp-9;
KdPrint(("向NtGetContextThread写跳转地址为:%x\n",addr_NtGetContextThread1));
_bp=(BYTE*)Getssdt_addr(in_NtTerminateThread);
do
{
if((*(_bp-9)==0xE8)&&(*(_bp-4)==0x8B)&&(*(_bp-2)==0x8B)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x8B)&&(*(_bp+6)==0xC7))
{
break;
}
_bp++;
} while (1);
call_addr_NtGetContextThread1=(ULONG)_bp;
__asm
{
push eax
push ebx
mov eax,call_addr_NtGetContextThread1
add eax,1
mov ebx,[eax]
add eax,ebx
add eax,5
sub eax,1
mov call_addr_NtGetContextThread1,eax
pop ebx
pop eax
}
KdPrint(("从NtTerminateThread获取的NtGetContextThread的第二个call地址为:%x\n",call_addr_NtGetContextThread1));
__asm
{
push eax
mov eax,My_NtGetContextThread1
mov My_Function_Addr,eax
pop eax
}
KdPrint(("NtGetContextThread的第二个自写函数地址为:%x\n",My_Function_Addr));
Game_call_addr_2=addr_NtGetContextThread1+9;
__asm
{
push eax
push ebx
mov eax,Game_call_addr_2
add eax,1
mov ebx,[eax]
add eax,ebx
add eax,5
sub eax,1
mov Game_call_addr_2,eax
pop ebx
pop eax
}
KdPrint(("获取NtGetContextThread的call获取的第二个call地址为:%x\n",Game_call_addr_2));
_pjmp_code_NtGetContextThread1=(pjmp_code)addr_NtGetContextThread1;
_jmp_code_NtGetContextThread1.E9=_pjmp_code_NtGetContextThread1->E9;
_jmp_code_NtGetContextThread1.Fun_addr=_pjmp_code_NtGetContextThread1->Fun_addr;
_jmp_code_NtGetContextThread1.nop[0]=_pjmp_code_NtGetContextThread1->nop[0];
_jmp_code_NtGetContextThread1.nop[1]=_pjmp_code_NtGetContextThread1->nop[1];
PAGED_Open();
_pjmp_code_NtGetContextThread1->E9=0xE9;
_pjmp_code_NtGetContextThread1->Fun_addr=(ULONG)(My_Function_Addr-addr_NtGetContextThread1-5);
_pjmp_code_NtGetContextThread1->nop[0]=0x90;
_pjmp_code_NtGetContextThread1->nop[1]=0x90;
PAGED_Exit();
}
PEPROCESS eprocess_temp;
ANSI_STRING GetProcess_temp1;
ANSI_STRING OD_Name_temp1;
ANSI_STRING OD_Name_temp2;
ANSI_STRING OD_Name_temp3;
#pragma PAGEDCODE
VOID __declspec(naked) My_NtGetContextThread1()
{
__asm
{
pushad
pushf
}
eprocess_temp=PsGetCurrentProcess();
RtlInitAnsiString(&GetProcess_temp1,(PCSZ)((ULONG)eprocess_temp+0x174));
RtlInitAnsiString(&OD_Name_temp1,_Game_Name);
RtlInitAnsiString(&OD_Name_temp2,_Game_Name1);
RtlInitAnsiString(&OD_Name_temp3,_Game_Name2);
if(RtlCompareString(&GetProcess_temp1,&OD_Name_temp1,TRUE)==0)
{
__asm
{
popf
popad
jmp __tiao2
mov esi,0C0000008h
__tiao2:
mov ecx,edi
mov eax,addr_NtGetContextThread1
add eax,0xE
push eax
jmp call_addr_NtGetContextThread1
}
}
else
{
if(RtlCompareString(&GetProcess_temp1,&OD_Name_temp2,TRUE)==0)
{
__asm
{
popf
popad
jmp __tiaotemp1
mov esi,0C0000008h
__tiaotemp1:
mov ecx,edi
mov eax,addr_NtGetContextThread1
add eax,0xE
push eax
jmp call_addr_NtGetContextThread1
}
}
else
{
if(RtlCompareString(&GetProcess_temp1,&OD_Name_temp3,TRUE)==0)
{
__asm
{
popf
popad
jmp __tiaotemp2
mov esi,0C0000008h
__tiaotemp2:
mov ecx,edi
mov eax,addr_NtGetContextThread1
add eax,0xE
push eax
jmp call_addr_NtGetContextThread1
}
}
else
{
__asm
{
popf
popad
jmp __tiaotemp3
mov esi,0C0000008h
__tiaotemp3:
mov ecx,edi
mov eax,addr_NtGetContextThread1
add eax,0xE
push eax
jmp Game_call_addr_2
}
}
}
}
}
#pragma PAGEDCODE
VOID Un_NtGetContextThread1()
{
PAGED_Open();
_pjmp_code_NtGetContextThread1->E9=_jmp_code_NtGetContextThread1.E9;
_pjmp_code_NtGetContextThread1->Fun_addr=_jmp_code_NtGetContextThread1.Fun_addr;
_pjmp_code_NtGetContextThread1->nop[0]=_jmp_code_NtGetContextThread1.nop[0];
_pjmp_code_NtGetContextThread1->nop[1]=_pjmp_code_NtGetContextThread1->nop[1];
PAGED_Exit();
}
jmp_code _jmp_code_NtQueryPerformanceCounter;
pjmp_code _pjmp_code_NtQueryPerformanceCounter;
jmp_code _jmp_code_NtQueryPerformanceCounter_1;
pjmp_code _pjmp_code_NtQueryPerformanceCounter_1;
#pragma INITCODE
VOID Hook_NtQueryPerformanceCounter()
{
ULONG My_temp;
BYTE* _bp;
_bp=(BYTE*)addr_NtOpenThread;
do
{
if((*(_bp-18)==0xC3)&&(*(_bp-14)==0x8B)&&(*(_bp-7)==0xEB)&&(*(_bp)==0xE8)&&(*(_bp+5)==0xC2)&&(*(_bp+6)==0x10))
{
break;
}
_bp++;
} while (1);
call_addr_NtQueryPerformanceCounter=(ULONG)_bp;
__asm
{
push eax
push ebx
mov eax,call_addr_NtQueryPerformanceCounter
add eax,1
mov ebx,[eax]
add eax,ebx
add eax,5
sub eax,1
mov call_addr_NtQueryPerformanceCounter,eax
pop ebx
pop eax
}
call_addr_NtQueryPerformanceCounter=call_addr_NtQueryPerformanceCounter-addr_NtQueryPerformanceCounter;
KdPrint(("NtQueryPerformanceCounter的call地址为:%x\n",call_addr_NtQueryPerformanceCounter));
_bp=(BYTE*)Getssdt_addr(in_NtQueryPerformanceCounter);
do
{
if((*(_bp-10)==0x8B)&&(*(_bp-7)==0x89)&&(*(_bp-4)==0x83)&&(*(_bp)==0xEB)&&(*(_bp+2)==0x8B)&&(*(_bp+5)==0x8B))
{
break;
}
_bp++;
} while (1);
addr_NtQueryPerformanceCounter=(ULONG)_bp;
KdPrint(("第一个NtQueryPerformanceCounter的JMP地址为:%x\n",addr_NtQueryPerformanceCounter));
_bp=(BYTE*)addr_NtQueryPerformanceCounter;
do
{
if((*(_bp-11)==0xC3)&&(*(_bp-10)==0x8B)&&(*(_bp-7)==0x83)&&(*(_bp-3)==0x8B)&&(*(_bp)==0xEB)&&(*(_bp+5)==0x50)&&(*(_bp+6)==0xFF))
{
break;
}
_bp++;
} while (1);
addr1_NtQueryPerformanceCounter=(ULONG)_bp;
KdPrint(("第二个NtQueryPerformanceCounter的JMP地址为:%x\n",addr1_NtQueryPerformanceCounter));
__asm
{
push eax
mov eax,My_NtQueryPerformanceCounter_1
mov My_temp,eax
pop eax
}
KdPrint(("NtQueryPerformanceCounter第一个自定义函数地址为:%x\n",My_temp));
_pjmp_code_NtQueryPerformanceCounter=(pjmp_code)addr_NtQueryPerformanceCounter;
_jmp_code_NtQueryPerformanceCounter.E9=_pjmp_code_NtQueryPerformanceCounter->E9;
_jmp_code_NtQueryPerformanceCounter.Fun_addr=_pjmp_code_NtQueryPerformanceCounter->Fun_addr;
PAGED_Open();
_pjmp_code_NtQueryPerformanceCounter->E9=0xE9;
_pjmp_code_NtQueryPerformanceCounter->Fun_addr=(ULONG)(My_temp-addr_NtQueryPerformanceCounter-5);
PAGED_Exit();
__asm
{
push eax
mov eax,My_NtQueryPerformanceCounter_2
mov My_temp,eax
pop eax
}
KdPrint(("NtQueryPerformanceCounter第二个自定义函数地址为:%x\n",My_temp));
_pjmp_code_NtQueryPerformanceCounter_1=(pjmp_code)addr1_NtQueryPerformanceCounter;
_jmp_code_NtQueryPerformanceCounter_1.E9=_pjmp_code_NtQueryPerformanceCounter_1->E9;
_jmp_code_NtQueryPerformanceCounter_1.Fun_addr=_pjmp_code_NtQueryPerformanceCounter_1->Fun_addr;
PAGED_Open();
_pjmp_code_NtQueryPerformanceCounter_1->E9=0xE9;
_pjmp_code_NtQueryPerformanceCounter_1->Fun_addr=(ULONG)(My_temp-addr1_NtQueryPerformanceCounter-5);
PAGED_Exit();
}
#pragma PAGEDCODE
VOID __declspec(naked)My_NtQueryPerformanceCounter_1()
{
__asm
{
mov eax,addr_NtQueryPerformanceCounter
add eax,0x47
push eax
xor eax,eax
jmp call_addr_NtQueryPerformanceCounter
}
}
#pragma PAGEDCODE
VOID __declspec(naked)My_NtQueryPerformanceCounter_2()
{
__asm
{
pushad
mov eax,addr1_NtQueryPerformanceCounter
add eax,0x2D
push eax
popad
jmp call_addr_NtQueryPerformanceCounter
}
}
#pragma PAGEDCODE
VOID Un_NtQueryPerformanceCounter()
{
PAGED_Open();
_pjmp_code_NtQueryPerformanceCounter->E9=_jmp_code_NtQueryPerformanceCounter.E9;
_pjmp_code_NtQueryPerformanceCounter->Fun_addr=_jmp_code_NtQueryPerformanceCounter.Fun_addr;
_pjmp_code_NtQueryPerformanceCounter_1->E9=_jmp_code_NtQueryPerformanceCounter_1.E9;
_pjmp_code_NtQueryPerformanceCounter_1->Fun_addr=_jmp_code_NtQueryPerformanceCounter_1.Fun_addr;
PAGED_Exit();
}
struct _str_index
{
ULONG KiDispatchException; //1处
ULONG NtQueryInformationProcess; //1处
ULONG PspCreateProcess; //1处
ULONG PsGetProcessDebugPort; //1处
ULONG PsIsProcessBeingDebugged; //1处
ULONG NtTerminateProcess; //1处
ULONG PspTerminateProcess; //1处
ULONG PspExitThread; //1处
ULONG PspProcessDelete[2]; //3处
ULONG ObpCloseHandleTableEntry; //1处
ULONG ObpCloseHandle; //1处
ULONG MmCreatePeb; //1处
ULONG DbgkCreateThread; //1处
ULONG DbgkExitThread; //1处
ULONG DbgkExitProcess; //1处
ULONG DbgkMapViewOfSection; //1处
ULONG DbgkUnMapViewOfSection; //1处
ULONG DbgkpMarkProcessPeb; //1处
ULONG DbgkpCloseObject[2]; //3处
ULONG DbgkCopyProcessDebugPort[3]; //4处
ULONG DbgkOpenProcessDebugPort[1]; //2处
ULONG DbgkpQueueMessage; //1处
ULONG DbgkClearProcessDebugObject[1]; //2处
ULONG DbgkpSetProcessDebugObject[4]; //5处
ULONG DbgkForwardException; //1处
}str_index,*pstr_index;
BYTE debugport_in[2]={0xBC,0x00}; //还原修改的函数
BYTE debugPort_out[2]={0x5C,0x02}; //将DebugPort+bc移至DebugPort+25C
#pragma PAGEDCODE
VOID Hook_DebugPort()
{
/*
1.枚举模块获取首地址
2.定位函数地址
3.修改函数
*/
NTSTATUS status;
ULONG len;
PVOID Buffer=NULL;
PCHAR GamePath;
ULONG addr_start;
ULONG addr_size;
PSYSTEM_MODULE_INFORMATION enum_module;
ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)11,NULL,0,&len);
Buffer=ExAllocatePool(NonPagedPool,len);
if(Buffer==NULL)
{
KdPrint(("分配内存失败!\r\n"));
return ;
}
status=ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)11,Buffer,len,NULL);
enum_module=(PSYSTEM_MODULE_INFORMATION)Buffer;
addr_start=(ULONG)enum_module->Module[0].Base;
addr_size=addr_start+(ULONG)enum_module->Module[0].Size;
ExFreePool(Buffer);
KdPrint(("模块名:%s 入口地址为:%x 模块结束地址:%x\r\n",enum_module->Module[0].ImageName,addr_start,addr_size));
BYTE* _bp;
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-9)==0x64)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x39)&&(*(_bp+6)==0x74)&&(*(_bp+8)==0x6A)&&(*(_bp+10)==0x8D))
{
str_index.KiDispatchException=(ULONG)_bp+2;
KdPrint(("KiDispatchException访问DebugPort的地址为:%x\n",str_index.KiDispatchException));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-19)==0xE8)&&(*(_bp-14)==0x85)&&(*(_bp-12)==0x0F)&&(*(_bp-6)==0x8B)&&(*(_bp)==0x8B)&&(*(_bp+6)==0xF7))
{
str_index.NtQueryInformationProcess=(ULONG)_bp+2;
KdPrint(("NtQueryInformationProecss访问DebugPort的地址为:%x\n",str_index.NtQueryInformationProcess));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-13)==0x8B)&&(*(_bp-11)==0x3B)&&(*(_bp-9)==0x0F)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x89)&&(*(_bp+6)==0xF6)&&(*(_bp+10)==0x74))
{
str_index.PspCreateProcess=(ULONG)_bp+2;
KdPrint(("PspCreateProess访问DebugPort的地址为:%x\n",str_index.PspCreateProcess));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-5)==0x8B)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x8B)&&(*(_bp+1)==0x80)&&(*(_bp+2)==0xBC)&&(*(_bp+6)==0x5D)&&(*(_bp+7)==0xC2)&&(*(_bp+8)==0x04))
{
str_index.PsGetProcessDebugPort=(ULONG)_bp+2;
KdPrint(("PsGetProcessDeubugPort访问DebugPort的地址为:%x\n",str_index.PsGetProcessDebugPort));
break;
}
_bp++;
}while(1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-5)==0x8B)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x83)&&(*(_bp+1)==0xB8)&&(*(_bp+7)==0x0F)&&(*(_bp+10)==0x5D)&&(*(_bp+11)==0xC2))
{
str_index.PsIsProcessBeingDebugged=(ULONG)_bp+2;
KdPrint(("PsIsProcessBeingDebugged访问DebugPort的地址为:%x\n",str_index.PsIsProcessBeingDebugged));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-9)==0x81)&&(*(_bp-2)==0x74)&&(*(_bp)==0x83)&&(*(_bp+1)==0xBB)&&(*(_bp+2)==0xBC)&&(*(_bp+7)==0x74)&&(*(_bp+9)==0x80))
{
str_index.NtTerminateProcess=(ULONG)_bp+2;
KdPrint(("NtTerminateProecss访问DebugPort的地址为:%x\n",str_index.NtTerminateProcess));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-6)==0x8B)&&(*(_bp-4)==0x85)&&(*(_bp-2)==0x75)&&(*(_bp)==0x39)&&(*(_bp+1)==0x86)&&(*(_bp+2)==0xBC)&&(*(_bp+6)==0x74)&&(*(_bp+8)==0x56))
{
str_index.PspTerminateProcess=(ULONG)_bp+2;
KdPrint(("PspTerminateProecss访问DebugPort的地址为:%x\n",str_index.PspTerminateProcess));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-5)==0xE8)&&(*(_bp)==0x83)&&(*(_bp+1)==0xBF)&&(*(_bp+2)==0xBC)&&(*(_bp+7)==0x74)&&(*(_bp+9)==0xF6))
{
str_index.PspExitThread=(ULONG)_bp+2;
KdPrint(("PspExitThread访问DebugPort的地址为:%x\n",str_index.PspExitThread));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-8)==0x8B)&&(*(_bp-5)==0xE8)&&(*(_bp)==0x83)&&(*(_bp+1)==0xBF)&&(*(_bp+2)==0xBC)&&(*(_bp+7)==0x74)&&(*(_bp+9)==0xF6))
{
str_index.PspProcessDelete[0]=(ULONG)_bp+2;
KdPrint(("第一处PspProcessDelete访问DebugPotr的地址为:%x\n",str_index.PspProcessDelete[0]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-11)==0xE8)&&(*(_bp-6)==0x89)&&(*(_bp-4)==0x66)&&(*(_bp)==0x8D)&&(*(_bp+1)==0xBE)&&(*(_bp+2)==0xBC)&&(*(_bp+6)==0x8B))
{
str_index.PspProcessDelete[1]=(ULONG)_bp+2;
KdPrint(("第二处PspProcessDelete访问DebugPotr的地址为:%x\n",str_index.PspProcessDelete[1]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-9)==0x81)&&(*(_bp-2)==0x74)&&(*(_bp)==0x83)&&(*(_bp+1)==0xBB)&&(*(_bp+2)==0xBC)&&(*(_bp+7)==0x74))
{
str_index.PspProcessDelete[2]=(ULONG)_bp+2;
KdPrint(("第三处PspProcessDelete访问DebugPotr的地址为:%x\n",str_index.PspProcessDelete[2]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-9)==0x64)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x83)&&(*(_bp+1)==0xB8)&&(*(_bp+2)==0xBC)&&(*(_bp+7)==0x74))
{
str_index.ObpCloseHandleTableEntry=(ULONG)_bp+2;
KdPrint(("ObpCloseHandleTableEntry访问DebugPort的地址为:%x\n",str_index.ObpCloseHandleTableEntry));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-9)==0xF6)&&(*(_bp-2)==0x75)&&(*(_bp)==0x39)&&(*(_bp+1)==0x8B)&&(*(_bp+2)==0xBC)&&(*(_bp+6)==0x74))
{
str_index.ObpCloseHandle=(ULONG)_bp+2;
KdPrint(("ObpCloseHandle访问DebugPort的地址为:%x\n",str_index.ObpCloseHandle));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-8)==0x8B)&&(*(_bp-5)==0x89)&&(*(_bp-2)==0x33)&&(*(_bp)==0x39)&&(*(_bp+1)==0x9E)&&(*(_bp+6)==0x0F))
{
str_index.MmCreatePeb=(ULONG)_bp+2;
KdPrint(("MmCreatePeb访问DebugPort的地址为:%x\n",str_index.MmCreatePeb));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-6)==0x50)&&(*(_bp-5)==0xE8)&&(*(_bp)==0x39)&&(*(_bp+1)==0x9E)&&(*(_bp+2)==0xBC)&&(*(_bp+6)==0x0F)&&(*(_bp+12)==0x39))
{
str_index.DbgkCreateThread=(ULONG)_bp+2;
KdPrint(("DbgkCreateThread访问DebugPort的地址为:%x\n",str_index.DbgkCreateThread));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-9)==0xF6)&&(*(_bp-2)==0x75)&&(*(_bp)==0x8B)&&(*(_bp+1)==0x89)&&(*(_bp+2)==0xBC)&&(*(_bp+6)==0x85))
{
str_index.DbgkExitThread=(ULONG)_bp+2;
KdPrint(("DbgkExitThread访问DebugPort的地址为:%x\n",str_index.DbgkExitThread));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)str_index.DbgkExitThread+10;
do
{
if((*(_bp-9)==0xF6)&&(*(_bp-2)==0x75)&&(*(_bp)==0x8B)&&(*(_bp+1)==0x89)&&(*(_bp+2)==0xBC)&&(*(_bp+6)==0x85))
{
str_index.DbgkExitProcess=(ULONG)_bp+2;
KdPrint(("DbgkExitProcess访问DebugProt的地址为:%x\n",str_index.DbgkExitProcess));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-6)==0x74)&&(*(_bp-4)==0x33)&&(*(_bp-2)==0xEB)&&(*(_bp)==0x8B)&&(*(_bp+1)==0x89)&&(*(_bp+6)==0x3B))
{
str_index.DbgkMapViewOfSection=(ULONG)_bp+2;
KdPrint(("DbgkMapViewOfSection访问DebugPort的地址为:%x\n",str_index.DbgkMapViewOfSection));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-9)==0xF6)&&(*(_bp-2)==0x75)&&(*(_bp)==0x83)&&(*(_bp+1)==0xB9)&&(*(_bp+2)==0xBC)&&(*(_bp+7)==0x74))
{
str_index.DbgkUnMapViewOfSection=(ULONG)_bp+2;
KdPrint(("DbgkUnMapViewOfSection访问DebugPort的地址为:%x\n",str_index.DbgkUnMapViewOfSection));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-11)==0xFF)&&(*(_bp-5)==0x89)&&(*(_bp-2)==0x33)&&(*(_bp)==0x39)&&(*(_bp+1)==0xBE)&&(*(_bp+6)==0x0F)&&(*(_bp+9)==0x8B))
{
str_index.DbgkpMarkProcessPeb=(ULONG)_bp+2;
KdPrint(("DbgkpMarkProcessPeb访问DebugPort的地址为:%x\n",str_index.DbgkpMarkProcessPeb));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-5)==0xEB)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x81)&&(*(_bp+1)==0xC3)&&(*(_bp+2)==0xBC)&&(*(_bp+6)==0x39)&&(*(_bp+8)==0x75))
{
str_index.DbgkpCloseObject[0]=(ULONG)_bp+2;
KdPrint(("第一个DbgkpCloseObject访问DeBugPort的地址为:%x\n",str_index.DbgkpCloseObject[0]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-5)==0xFF)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x05)&&(*(_bp+1)==0xBC)&&(*(_bp+5)==0x8B)&&(*(_bp+7)==0x33))
{
str_index.DbgkpCloseObject[1]=(ULONG)_bp+1;
KdPrint(("第二个DbgkpCloseObject访问DebugPort的地址为:%x\n",str_index.DbgkpCloseObject[1]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-6)==0xC6)&&(*(_bp-2)==0xFF)&&(*(_bp)==0x39)&&(*(_bp+1)==0x9F)&&(*(_bp+6)==0x75)&&(*(_bp+8)==0x8B))
{
str_index.DbgkpCloseObject[2]=(ULONG)_bp+2;
KdPrint(("第三个DbgkpCloseObject访问DebugPort的地址为:%x\n",str_index.DbgkpCloseObject[2]));
break;
}
_bp++;
}while(1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-6)==0x55)&&(*(_bp-5)==0x8B)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x83)&&(*(_bp+1)==0xA0)&&(*(_bp+2)==0xBC)&&(*(_bp+7)==0x56))
{
str_index.DbgkCopyProcessDebugPort[0]=(ULONG)_bp+2;
KdPrint(("第一个DbgkCopyProcessDebugPort访问DebugPort的地址为:%x\n",str_index.DbgkCopyProcessDebugPort[0]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-4)==0x56)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x81)&&(*(_bp+1)==0xC6)&&(*(_bp+2)=0xBC)&&(*(_bp+6)==0x83)&&(*(_bp+9)==0x74))
{
str_index.DbgkCopyProcessDebugPort[1]=(ULONG)_bp+2;
KdPrint(("第二个DbgkCopyProcessDebugPort访问DebugPort的地址为:%x\n",str_index.DbgkCopyProcessDebugPort[1]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-8)==0xE8)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x89)&&(*(_bp+1)==0xB0)&&(*(_bp+2)==0xBC)&&(*(_bp+6)==0x8B))
{
str_index.DbgkCopyProcessDebugPort[2]=(ULONG)_bp+2;
KdPrint(("第三个DbgkCopyProcessDebugPort访问DebugPort的地址为:%x\n",str_index.DbgkCopyProcessDebugPort[2]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-5)==0x51)&&(*(_bp-4)==0x56)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x81)&&(*(_bp+1)==0xC6)&&(*(_bp+6)==0x83)&&(*(_bp+9)==0xC7))
{
str_index.DbgkCopyProcessDebugPort[3]=(ULONG)_bp+2;
KdPrint(("第四个DbgkCopyProcessDebugPort访问DebugPort的地址为:%x\n",str_index.DbgkCopyProcessDebugPort[3]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-5)==0x51)&&(*(_bp-4)==0x56)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x81)&&(*(_bp+1)==0xC6)&&(*(_bp+6)==0x83)&&(*(_bp+9)==0xC7))
{
str_index.DbgkOpenProcessDebugPort[0]=(ULONG)_bp+2;
KdPrint(("第一个DbgkOpenProcessDebugPort的访问地址为:%x\n",str_index.DbgkOpenProcessDebugPort[0]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-9)==0xFF)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x8B)&&(*(_bp+1)==0x80)&&(*(_bp+6)==0x89)&&(*(_bp+9)==0x8B))
{
str_index.DbgkOpenProcessDebugPort[1]=(ULONG)_bp+2;
KdPrint(("第二个DbgkOpenProcessDebugPort访问DebugPort的地址为:%x\n",str_index.DbgkOpenProcessDebugPort[1]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-9)==0xFF)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x8B)&&(*(_bp+1)==0x80)&&(*(_bp+6)==0x89)&&(*(_bp+9)==0x8B))
{
str_index.DbgkpQueueMessage=(ULONG)_bp+2;
KdPrint(("DbgkpQueueMessage访问DebugPort的地址为:%x\n",str_index.DbgkpQueueMessage));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-5)==0xFF)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x05)&&(*(_bp+1)==0xBC)&&(*(_bp+5)==0x8B)&&(*(_bp+7)==0x33))
{
str_index.DbgkClearProcessDebugObject[0]=(ULONG)_bp+1;
KdPrint(("DbgkClearProcessDebugObject访问DebugPort的地址为:%x\n",str_index.DbgkClearProcessDebugObject[0]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-6)==0xC6)&&(*(_bp-2)==0xFF)&&(*(_bp)==0x39)&&(*(_bp+1)==0x9F)&&(*(_bp+6)==0x75)&&(*(_bp+8)==0x8B))
{
str_index.DbgkClearProcessDebugObject[1]=(ULONG)_bp+2;
KdPrint(("DbgkClearProcessDebugObject访问DebugPort的地址为:%x\n",str_index.DbgkClearProcessDebugObject[1]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-6)==0xC6)&&(*(_bp-2)==0xFF)&&(*(_bp)==0x39)&&(*(_bp+1)==0x9F)&&(*(_bp+6)==0x75)&&(*(_bp+8)==0x8B))
{
str_index.DbgkpSetProcessDebugObject[0]=(ULONG)_bp+2;
KdPrint(("第一个DbgkpSetProcessDebugObject访问DebugPort的地址为:%x\n",str_index.DbgkpSetProcessDebugObject[0]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-6)==0x8B)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x89)&&(*(_bp+1)==0x87)&&(*(_bp+6)==0xE8)&&(*(_bp+11)==0xFF))
{
str_index.DbgkpSetProcessDebugObject[1]=(ULONG)_bp+2;
KdPrint(("第二个DbgkpSetProcessDebugObject访问DebugPort的地址为:%x\n",str_index.DbgkpSetProcessDebugObject[1]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-6)==0x8B)&&(*(_bp-4)==0x85)&&(*(_bp-2)==0x74)&&(*(_bp)==0x83)&&(*(_bp+1)==0xA7)&&(*(_bp+7)==0xB9))
{
str_index.DbgkpSetProcessDebugObject[2]=(ULONG)_bp+2;
KdPrint(("第三个DbgkpSetProcessDebugObject访问DebugPort的地址为:%x\n",str_index.DbgkpSetProcessDebugObject[2]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-6)==0xC6)&&(*(_bp-2)==0xFF)&&(*(_bp)==0x83)&&(*(_bp+1)==0xBF)&&(*(_bp+7)==0x74)&&(*(_bp+9)==0xC7))
{
str_index.DbgkpSetProcessDebugObject[3]=(ULONG)_bp+2;
KdPrint(("第四个DbgkpSetProcessDebugObject访问DebugPort的地址为:%x\n",str_index.DbgkpSetProcessDebugObject[3]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-7)==0xE8)&&(*(_bp-2)==0xEB)&&(*(_bp)==0x83)&&(*(_bp+1)==0xA7)&&(*(_bp+7)==0xC7))
{
str_index.DbgkpSetProcessDebugObject[4]=(ULONG)_bp+2;
KdPrint(("第五个DbgkpSetProcessDebugObject访问DebugPort的地址为:%x\n",str_index.DbgkpSetProcessDebugObject[4]));
break;
}
_bp++;
} while (1);
_bp=(BYTE*)addr_start;
do
{
if((*(_bp-6)==0x74)&&(*(_bp-4)==0x33)&&(*(_bp-2)==0xEB)&&(*(_bp)==0x8B)&&(*(_bp+1)==0x81)&&(*(_bp+6)==0x32)&&(*(_bp+8)==0xEB))
{
str_index.DbgkForwardException=(ULONG)_bp+2;
KdPrint(("DbgkForwardException访问DeubugPort的地址为:%x\n",str_index.DbgkForwardException));
break;
}
_bp++;
} while (1);
PAGED_Open();
RtlCopyMemory((PVOID)str_index.KiDispatchException,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.NtQueryInformationProcess,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.PspCreateProcess,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.PsGetProcessDebugPort,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.PsIsProcessBeingDebugged,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.NtTerminateProcess,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.PspTerminateProcess,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.PspExitThread,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.PspProcessDelete[0],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.PspProcessDelete[1],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.PspProcessDelete[2],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.ObpCloseHandleTableEntry,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.ObpCloseHandle,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.MmCreatePeb,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkCreateThread,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkExitThread,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkExitProcess,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkMapViewOfSection,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkUnMapViewOfSection,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkpMarkProcessPeb,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkpCloseObject[0],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkpCloseObject[1],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkpCloseObject[2],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkCopyProcessDebugPort[0],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkCopyProcessDebugPort[1],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkCopyProcessDebugPort[2],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkCopyProcessDebugPort[3],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkOpenProcessDebugPort[0],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkOpenProcessDebugPort[1],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkpQueueMessage,debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkClearProcessDebugObject[0],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkClearProcessDebugObject[1],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkpSetProcessDebugObject[0],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkpSetProcessDebugObject[1],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkpSetProcessDebugObject[2],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkpSetProcessDebugObject[3],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkpSetProcessDebugObject[4],debugPort_out,2);
RtlCopyMemory((PVOID)str_index.DbgkForwardException,debugPort_out,2);
PAGED_Exit();
}
#pragma PAGEDCODE
VOID Un_DebugPort()
{
PAGED_Open();
RtlCopyMemory((PVOID)str_index.KiDispatchException,debugport_in,2);
RtlCopyMemory((PVOID)str_index.NtQueryInformationProcess,debugport_in,2);
RtlCopyMemory((PVOID)str_index.PspCreateProcess,debugport_in,2);
RtlCopyMemory((PVOID)str_index.PsGetProcessDebugPort,debugport_in,2);
RtlCopyMemory((PVOID)str_index.PsIsProcessBeingDebugged,debugport_in,2);
RtlCopyMemory((PVOID)str_index.NtTerminateProcess,debugport_in,2);
RtlCopyMemory((PVOID)str_index.PspTerminateProcess,debugport_in,2);
RtlCopyMemory((PVOID)str_index.PspExitThread,debugport_in,2);
RtlCopyMemory((PVOID)str_index.PspProcessDelete[0],debugport_in,2);
RtlCopyMemory((PVOID)str_index.PspProcessDelete[1],debugport_in,2);
RtlCopyMemory((PVOID)str_index.PspProcessDelete[2],debugport_in,2);
RtlCopyMemory((PVOID)str_index.ObpCloseHandleTableEntry,debugport_in,2);
RtlCopyMemory((PVOID)str_index.ObpCloseHandle,debugport_in,2);
RtlCopyMemory((PVOID)str_index.MmCreatePeb,debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkCreateThread,debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkExitThread,debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkExitProcess,debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkMapViewOfSection,debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkUnMapViewOfSection,debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkpMarkProcessPeb,debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkpCloseObject[0],debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkpCloseObject[1],debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkpCloseObject[2],debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkCopyProcessDebugPort[0],debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkCopyProcessDebugPort[1],debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkCopyProcessDebugPort[2],debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkCopyProcessDebugPort[3],debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkOpenProcessDebugPort[0],debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkOpenProcessDebugPort[1],debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkpQueueMessage,debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkClearProcessDebugObject[0],debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkClearProcessDebugObject[1],debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkpSetProcessDebugObject[0],debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkpSetProcessDebugObject[1],debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkpSetProcessDebugObject[2],debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkpSetProcessDebugObject[3],debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkpSetProcessDebugObject[4],debugport_in,2);
RtlCopyMemory((PVOID)str_index.DbgkForwardException,debugport_in,2);
PAGED_Exit();
}
#pragma INITCODE
VOID Hook_NtSetInformationThread()
{
addr_NtSetInformationThread=(ULONG)Getsset_this(in_NtSetInformationThread);
addr1_NtSetInformationThread=(ULONG)Getssdt_addr(in_NtSetInformationThread);
_NtSetInformationThread=(NtSetInformationThread*)addr1_NtSetInformationThread;
PAGED_Open();
*((ULONG*)addr_NtSetInformationThread)=(ULONG)My_NtSetInformationThread;
PAGED_Exit();
}
#pragma PAGEDCODE
extern "C"
NTSTATUS __stdcall My_NtSetInformationThread ( __in HANDLE ThreadHandle,
__in THREADINFOCLASS ThreadInformationClass,
__in_bcount(ThreadInformationLength) PVOID ThreadInformation,
__in ULONG ThreadInformationLength
)
{
if(ThreadInformationClass==0x11)
{
KdPrint(("发现ANTI行为!\r\n"));
KdPrint(("NtSetInformationThread的参数:%8x %8x %8x %8x",ThreadHandle,ThreadInformationClass,ThreadInformation,ThreadInformationLength));
ThreadInformationClass=(THREADINFOCLASS)0xFF;
KdPrint(("NtSetInformationThread的修改后的参数:%8x %8x %8x %8x",ThreadHandle,ThreadInformationClass,ThreadInformation,ThreadInformationLength));
return STATUS_SUCCESS;
}
return ((NtSetInformationThread)_NtSetInformationThread)(ThreadHandle,ThreadInformationClass,ThreadInformation,ThreadInformationLength);
}
#pragma PAGEDCODE
VOID Un_NtSetInnformationThread()
{
PAGED_Open();
*((ULONG*)addr_NtSetInformationThread)=addr1_NtSetInformationThread;
PAGED_Exit();
}
#endif
- 过HS保护(OD,CE)
- OD/CE 过掉TMD壳附加检查
- 过HS多开源码
- [持续更新]过SOD检测OD方法
- 过压保护器
- 过TP驱动保护
- 电源过流保护
- 过游戏保护驱动
- 三段式过流保护
- CE+OD实例——查找人物包裹信息
- OD+CE查找“植物大战僵尸”太阳数目地址
- ce+od无法同时附加进程的问题
- CE 调试遇到保护的一种解决办法
- 过温和欠温保护
- 过充保护,过充恢复,过放保护,过放恢复
- [Debuggers] OD加强版 自动过anti,不飞不飞
- CE+OD无法附加游戏进程的破解方法-不再为不能附加而烦恼了
- 过TP保护与解除游戏驱动保护(可以借鉴)
- linux常见问题解决方法之一
- 完全过TP源码(转)
- xcode中混用arc和非arc模式
- unrecognized/unsupported machine ID
- Android 4.1项目:使用新浪微博分享时报:
- 过HS保护(OD,CE)
- GridView 合并单元格(多列)及特定条件的数据高亮显示实现
- XSS之xssprotect
- 程序猿的九&九
- Linux 防火墙与NAT服务
- excel vba 连接 postgreSQL
- java实现两个整数的互换
- ShadowWalker1.0学习笔记4 ——Hook IDT
- C# 图片识别(支持21种语言)