年末系列(2)-加速器


转:http://bbs.pediy.com/showthread.php?t=214926


重要的事情说三遍,
加速器,加速器,加速器

大部分代码因为硬盘没了而丢失,只剩下核心功能的代码,仅供参考。

无需任何hook,不卡HAL时钟,不会导致硬盘io锁死问题。
不需要DX初始化来让系统时钟重置。
支持x64(代码只支持win7 x64,且驱动需要签名!!
要支持更多系统,需要把PFN的数据结构改成对应系统的定义)

加速原理:
篡改PTE中的PFN,并在MmPfn数据库中锁定(Lock)该PFN,然后在系统线程里自己同步刷新进程看到的时钟...
除了可以加速之外还可以锁时间(年月日)
老司机开车 代码讨论与各种扯淡的QQ群:48715131 


// Kernel-mode driver listing (the page states it targets Windows 7 x64 only and
// that the driver must be signed). What the visible code does:
//   * registers a process-creation callback that matches one image name;
//   * for a matching process, rewrites the PTE that backs the user-mode
//     KUSER_SHARED_DATA address so it points at a driver-owned copy of the page;
//   * runs a system thread that keeps refreshing that copy from the real shared
//     page and rewrites the tick count inside it.
// Integrity indicators that follow directly from this code: a process whose
// mapping of 0x7FFE0000 is backed by a different physical frame than the
// kernel mapping at 0xFFFFF78000000000, and a driver that registers a
// process-notify routine while leaving DriverUnload set to NULL.
// Helpers such as MiGetPteAddress, PFN_DATA_BASE, PMMPFN, Sleep, CreateThread
// and InitExtendApi are not defined in this listing; presumably they come from
// PageHack.h -- confirm against that header.
#include "stdafx.h"
#include "PageHack.h"
//////////////////////////////////////////////////////////////////////////
#include <list>
#include <algorithm>
// Processes the notify routine has matched; guarded by g_Process_Lock.
std::list <PEPROCESS> m_Process_Speed;
//////////////////////////////////////////////////////////////////////////
// Incremented/decremented around each TimeUpdate iteration; the commented-out
// unload path would spin on it reaching zero.
LONG g_ThreadLock = 0;
// Loop-exit flag for TimeUpdate; nothing in the live code ever sets it.
BOOL b_Stop = FALSE;
// Raw 0x4000-byte non-paged allocation made in MainDriverEntry.
PVOID pBuffer = NULL;
// Page-aligned address inside pBuffer used as the substitute shared page.
// A single global page is shared by every matching process.
PVOID pKiUserSharedData = NULL;
FAST_MUTEX g_Process_Lock;
//////////////////////////////////////////////////////////////////////////
// Fixed kernel-mode and user-mode addresses of KUSER_SHARED_DATA on x64 Windows.
#define KUSER_SHARED_DATA_RING0 0xFFFFF78000000000UI64
#define KUSER_SHARED_DATA_RING3 0x7FFE0000
// Byte offsets into the shared page. The names are the author's; the layout is
// build-specific (the page says Win7 x64) -- verify against the target build's
// KUSER_SHARED_DATA definition. Only the 0x04, 0x320, 0x3B8 and 0x2ED offsets
// are used by the code below.
ULONG   TickCountMultiplierOffset = 0x04;
ULONG   TickCountLowOffset = 0x00;
ULONG   TickCountLow320Offset = 0x320;
ULONG   TickCountHigh1TimeOffset = 0x324;
ULONG   TickCountHigh2TimeOffset = 0x328;
ULONG   PerformanceCounterOffset = 0x3B8;
ULONG   PerformanceCounterFlagOffset = 0x2ED;
//////////////////////////////////////////////////////////////////////////
// System-thread body: once per iteration, copies the real shared page into the
// substitute page and overwrites the 64-bit tick count in the copy.
// StartContext is unused; the global pKiUserSharedData is read instead.
EXTERN_C VOID  TimeUpdate(__in PVOID  StartContext)
{
  ULONGLONG OldTickCount = 0;
  ULONGLONG OldPerformanceCounter = 0;
  //PVOID pKiUserSharedData = NULL;
  // Hard-coded scale factor applied to elapsed ticks.
  auto speed = 5;
  //pKiUserSharedData = StartContext;
  KeLowerIrql(PASSIVE_LEVEL);
  while (!b_Stop)
  {
    ULONGLONG NowTickCount = 0;
    InterlockedIncrement(&g_ThreadLock);
    Sleep(1);
    if (!MmIsAddressValid(pKiUserSharedData))
    {
      // NOTE(review): this return skips the InterlockedDecrement below, so
      // g_ThreadLock stays non-zero after the thread exits.
      return;
    }
    __try
    {
      // Refresh the whole copy from the kernel mapping of the real page. A
      // reader of the substitute page can observe the unmodified tick value
      // between this copy and the write further down.
      memcpy(pKiUserSharedData, (PVOID)KUSER_SHARED_DATA_RING0, sizeof(KUSER_SHARED_DATA));
      auto pTickCountMultiplier = (PULONG)((ULONG_PTR)pKiUserSharedData + TickCountMultiplierOffset);
      //auto pTickCountLow = (PULONG)((ULONG_PTR)pKiUserSharedData + TickCountLowOffset);
      auto pTickCountLow320 = (PULONGLONG)((ULONG_PTR)pKiUserSharedData + TickCountLow320Offset);
      auto pFlags = (PBYTE)((ULONG_PTR)pKiUserSharedData + PerformanceCounterFlagOffset);
      auto pPerformanceCounter = (PULONGLONG)((ULONG_PTR)pKiUserSharedData + PerformanceCounterOffset);
      auto Mutil = (ULONGLONG)(*pTickCountMultiplier);
      auto NowPerformanceCounter = *pPerformanceCounter;
      // Author's note: the flag cannot be set from here, so a hook on
      // NtQueryPerformanceCounter would also be needed.
      // Author's note: forcing flag |= 1 crashes the system.
      // (*pFlags)
      if (*pFlags & 1)
      {
        if (OldPerformanceCounter == 0)
        {
          OldPerformanceCounter = NowPerformanceCounter;
        }
        auto pfix = NowPerformanceCounter - OldPerformanceCounter;
        if (NowPerformanceCounter < OldPerformanceCounter)
        {
          pfix = 0;
          OldPerformanceCounter = NowPerformanceCounter;
        }
        if (pfix != 0)
        {
          // The scaling term is commented out, so this stores back the value
          // that was just read: the performance-counter field is left as-is.
          *pPerformanceCounter = NowPerformanceCounter;// +pfix * speed;// author: 2x speed-up of PerformanceCount
        }
      }
      NowTickCount = (*pTickCountLow320) * Mutil;
      if (OldTickCount == 0)
      {
        // First sample becomes the baseline; it is only reset if the count
        // is ever seen to go backwards.
        OldTickCount = NowTickCount;
      }
      auto delta = NowTickCount - OldTickCount;
      if (OldTickCount > NowTickCount)
      {
        OldTickCount = NowTickCount;
        delta = 0;
      }
      if (delta != 0)
      {
        // Stored tick count = baseline + (elapsed * speed), plus one
        // multiplier unit, converted back by dividing by the multiplier.
        *pTickCountLow320 = ((OldTickCount + delta*speed + Mutil) / Mutil);
      }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
      // Any fault in the block above is silently discarded.
    }
    InterlockedDecrement(&g_ThreadLock);
  }
}
//////////////////////////////////////////////////////////////////////////
// Reads from the user-mode shared-page address in the current address space
// (the caller is attached to the target process) and prints the value.
// NOTE(review): Load has type PULONG (pointer-sized) but is printed with %d.
VOID LoadTLB()
{
  __try
  {
    auto Load = *(PULONG *)KUSER_SHARED_DATA_RING3;
    DbgPrint("TLB CMD %d\r\n", Load);
  }
  __except (EXCEPTION_EXECUTE_HANDLER)
  {
    return;
  }
}
// Overwrites the page-frame number in the PTE for the user-mode shared-page
// address with the frame of `phys`, then invalidates that address's TLB entry.
// __invlpg acts on the executing processor only; no cross-processor flush is
// visible here. The PTE is written directly, without any memory-manager lock
// taken in this listing, and faults are swallowed by the empty handler.
VOID ModifyTLB(PHYSICAL_ADDRESS phys)
{
  __try
  {
    auto Pte = MiGetPteAddress((PVOID)KUSER_SHARED_DATA_RING3);
    Pte->PageFrameNumber = phys.QuadPart >> 12;
    _ReadWriteBarrier();
    __invlpg((PVOID)KUSER_SHARED_DATA_RING3);
  }
  __except (EXCEPTION_EXECUTE_HANDLER)
  {
  }
}
//////////////////////////////////////////////////////////////////////////
// Process create/exit callback. For a process whose (lower-cased, up to 16
// byte) image file name contains "fifa16.exe":
//   create: copy the real shared page into the substitute page and point the
//           process's user-mode shared-page PTE at the substitute frame, then
//           patch that frame's PFN database entry;
//   exit:   point the PTE back at the frame behind the kernel mapping.
// ParentId is unused.
_Use_decl_annotations_
EXTERN_C
VOID CreateProcessNotifyRoutine(__in HANDLE ParentId, __in HANDLE ProcessId, __in BOOLEAN Create)
{
  PEPROCESS Process = NULL;
  auto ns = PsLookupProcessByProcessId(ProcessId, &Process);
  if (NT_SUCCESS(ns))
  {
    // Drops the reference taken by PsLookupProcessByProcessId on every exit path.
    auto scop = std::experimental::make_scope_exit([&]() {ObDereferenceObject(Process); });
    CHAR szName[17];
    RtlZeroMemory(szName, 17);
    // Copies 16 bytes; the 17th stays zero so the buffer is always terminated.
    RtlCopyMemory(szName, PsGetProcessImageFileName(Process), 16);
    _strlwr(szName);
    if (strstr(szName, "fifa16.exe") == NULL)
    {
      return;
    }
    if (Create)
    {
      // NOTE(review): no matching ObDereferenceObject for this extra
      // reference is visible in the listing.
      ObReferenceObject(Process);
      ExAcquireFastMutex(&g_Process_Lock);
      m_Process_Speed.push_back(Process);
      ExReleaseFastMutex(&g_Process_Lock);
    }
    else
    {
      ExAcquireFastMutex(&g_Process_Lock);
      // NOTE(review): the iterator returned by std::remove_if is discarded
      // and erase() is never called, so the list does not shrink.
      std::remove_if(m_Process_Speed.begin(), m_Process_Speed.end(), [&](PEPROCESS Cur) {return Process == Cur; });
      ExReleaseFastMutex(&g_Process_Lock);
    }
    PHYSICAL_ADDRESS phys;
    KAPC_STATE ApcState;
    // Switch into the target's address space so the PTE lookup and the
    // user-mode address refer to that process; detached by scop2 on exit.
    KeStackAttachProcess(Process, &ApcState);
    auto scop2 = std::experimental::make_scope_exit([&]() {KeUnstackDetachProcess(&ApcState); });
    if (Create)
    {
      // NOTE(review): pKiUserSharedData is not checked here; MainDriverEntry
      // registers this callback even when the pool allocation failed.
      memcpy(pKiUserSharedData, (PVOID)KUSER_SHARED_DATA_RING0, 0x1000);
      phys = MmGetPhysicalAddress(pKiUserSharedData);
    }
    else
    {
      phys = MmGetPhysicalAddress((PVOID)KUSER_SHARED_DATA_RING0);
    }
    LoadTLB();
    ModifyTLB(phys);
    if (Create)
    {
      // Author: modify the PFN entry.
      // Author: works around a working-set bugcheck (blue screen).
      // Indexes the PFN database with the frame number just written to the
      // PTE and overwrites its reference/share counts and PrototypePte bit.
      // The PMMPFN field layout is OS-build specific (the page says it must be
      // changed per system); these are unsynchronized writes to memory-manager
      // bookkeeping as far as this listing shows.
      auto MmPfnDataBase = reinterpret_cast<PMMPFN>(PVOID(PFN_DATA_BASE));
      auto Pte = MiGetPteAddress((PVOID)KUSER_SHARED_DATA_RING3);
      auto PageFrameIndex = Pte->PageFrameNumber;
      auto Pfn1 = &MmPfnDataBase[PageFrameIndex];
      Pfn1->u3.e2.ReferenceCount = 2;
      Pfn1->u2.ShareCount = 2;
      Pfn1->u4.PrototypePte = 0;
    }
    return;
  }
  return;
}
//////////////////////////////////////////////////////////////////////////
// Driver initialization: allocates the substitute page, registers the
// process-notify routine and starts the TimeUpdate thread.
// Returns the status of PsSetCreateProcessNotifyRoutine.
_Use_decl_annotations_
EXTERN_C
NTSTATUS
MainDriverEntry(
  IN PDRIVER_OBJECT DriverObject,
  IN PUNICODE_STRING RegistryPath
)
{
  UNREFERENCED_PARAMETER(RegistryPath);
  InitExtendApi();
  ExInitializeFastMutex(&g_Process_Lock);
  {
    // Builds a date-stamped path string; nothing in the visible code uses
    // u_fname afterwards, and `offset` is never used.
    wchar_t fname[MAX_PATH];
    UNICODE_STRING u_fname;
    TIME_FIELDS tf;
    LARGE_INTEGER time;
    LARGE_INTEGER offset;
    KeQuerySystemTime(&time);
    RtlTimeToTimeFields(&time, &tf);
    RtlStringCchPrintfW(fname, MAX_PATH, L"\\??\\Global\\C:\\$%d-%.2d-%.2d", tf.Year, tf.Month, tf.Day);
    RtlInitUnicodeString(&u_fname, fname);
  }
  //auto ns = InitMapPage(&MapForTime);
  // 0x4000 bytes so a 4 KiB-aligned page fits inside; the pool tag is 0.
  // NOTE(review): the result is not checked before the callback is registered.
  pBuffer = ExAllocatePoolWithTag(NonPagedPool, 0x4000, 0);
  // Round up to the next 4 KiB boundary (yields NULL when pBuffer is NULL).
  pKiUserSharedData = (PVOID)(((ULONG_PTR)pBuffer + 0xFFF) & ~0xFFF);
  //if (NT_SUCCESS(ns))
  {
    // Author: "let's get started".
  //  auto scop = std::experimental::make_scope_exit([&]() { FiniMapPage(&MapForTime); });
    auto ns = PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine, FALSE);
    if (!NT_SUCCESS(ns))
    {
      // NOTE(review): pBuffer is not freed on this path.
      return ns;
    }
    // The result of CreateThread is ignored.
    if (pKiUserSharedData)
      CreateThread(TimeUpdate, pKiUserSharedData);
    /*  auto scop2 = std::experimental::make_scope_exit([&]() { PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine, TRUE); });
      if (!CreateThread(TimeUpdate, NULL))
      {
        return STATUS_UNSUCCESSFUL;
      }
      scop2.release();*/
      //  scop.release();
    // No unload routine is installed, so the callback, thread and allocation
    // stay in place for as long as the driver image is loaded.
    DriverObject->DriverUnload = NULL;
    return ns;
  }
  // Unreachable: the block above returns on every path.
  return STATUS_UNSUCCESSFUL;
}
// Unload routine. Only prints a debug message; all cleanup is commented out,
// and MainDriverEntry does not install this routine (DriverUnload is NULL).
_Use_decl_annotations_
EXTERN_C
void
UnLoad(
  __in PDRIVER_OBJECT driverObject
  )
{
  UNREFERENCED_PARAMETER(driverObject);
  DbgPrint("DrvUnLoad");
  //b_Stop = TRUE;
  //while (g_ThreadLock != 0) _mm_pause();
  //PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine, TRUE);
  //ExAcquireFastMutex(&g_Process_Lock);
  //for (auto x:m_Process_Speed)
  //{
  //  KAPC_STATE Apc;
  //  KeStackAttachProcess(x,&Apc);
  //  ZwTerminateProcess()
  //  KeUnstackDetachProcess(&Apc);
  //}
  //ExReleaseFastMutex(&g_Process_Lock);
  //FiniMapPage(&MapForTime);
  //ExFreePool(pBuffer);
  //UnloadInlineHookEngine();
  //LogTermination();
  return;
}

