
调戏PassTp

发表于 2013-10-11 16:25:58 | 显示全部楼层 |阅读模式

#include "assTp.h"
#include "xp_function.h"

#pragma INITCODE
// Driver entry point. Installs every kernel patch defined in this file first
// (inline JMP patches, SSDT slot replacements and byte rewrites of kernel
// routines), then registers one catch-all IRP handler, creates the device
// object and publishes its symbolic link.
//
//   driver      - driver object passed in by the I/O manager.
//   str_unicode - registry path; unused in this routine.
//
// Returns STATUS_SUCCESS, or the failure status of IoCreateDevice /
// IoCreateSymbolicLink.
//
// NOTE(review): the patch routines return VOID and the result of
// Driver_GetWindowVersion is discarded, so nothing here can stop the load when
// a patch step goes wrong. The two error returns below also leave every patch
// installed while reporting failure; a failed DriverEntry normally gets the
// image unloaded, which would leave kernel code jumping into freed memory.
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT driver,PUNICODE_STRING str_unicode)
{
  // ---- kernel patching: runs before any device object exists ----
  Driver_GetWindowVersion(driver);
  Hook_NtOpenProcess();
  Hook_NtOpenThread();
  Reg_NtReadVirtualMemory();
  Reg_NtWriteVirtualMemory();
  Reg_KiAttachProcess();
  Reg_DbgkpQueueMessage();
  Reg_DbgkpSetProcessDebugObject();
  Hook_NtGetContextThread();
  Hook_NtSetContextThread();
  Hook_DebugPort();
  // ---- ordinary driver setup ----
  NTSTATUS status=STATUS_SUCCESS;
  // Every handled major function goes to the same complete-with-success stub.
  driver->MajorFunction[IRP_MJ_CREATE]=Dispathch;
  driver->MajorFunction[IRP_MJ_CLOSE]=Dispathch;
  driver->MajorFunction[IRP_MJ_READ]=Dispathch;
  driver->MajorFunction[IRP_MJ_WRITE]=Dispathch;
  driver->MajorFunction[IRP_MJ_DEVICE_CONTROL]=Dispathch;
  driver->DriverUnload=DriverUnload;

  // _device_name is not defined in the code shown here.
  UNICODE_STRING device_name;
  RtlInitUnicodeString(&device_name,_device_name);

  PDEVICE_OBJECT device_object;
  status=IoCreateDevice(driver,0,&device_name,FILE_DEVICE_UNKNOWN,0,FALSE,&device_object);
  if(!NT_SUCCESS(status))
  {
    KdPrint(("创建设备失败......\n"));
    return status;
  }
  KdPrint(("创建设备成功......\n"));

  // _symbolc_name is likewise defined outside the code shown here.
  UNICODE_STRING symbolic_name;
  RtlInitUnicodeString(&symbolic_name,_symbolc_name);
  status=IoCreateSymbolicLink(&symbolic_name,&device_name);
  if(!NT_SUCCESS(status))
  {
    KdPrint(("创建符号链接失败......\n"));
    // The device is released on this path; the kernel patches are not.
    IoDeleteDevice(device_object);
    return status;
  }
  KdPrint(("创建符号链接成功......\n"));
  return STATUS_SUCCESS;
}

#pragma PAGEDCODE
// Unload routine: removes the symbolic link and the device object, then, if
// Hook_NtOpenProcess ran (bc_open is TRUE), reverts five of the patch groups.
//
// NOTE(review): only the Hook_* patches are reverted. The byte rewrites made
// by Reg_NtReadVirtualMemory, Reg_NtWriteVirtualMemory, Reg_KiAttachProcess,
// Reg_DbgkpQueueMessage and Reg_DbgkpSetProcessDebugObject have no undo
// routine in this file, so those kernel bytes stay modified after unload.
VOID DriverUnload(PDRIVER_OBJECT driver)
{
  UNICODE_STRING symbolic_name;
  RtlInitUnicodeString(&symbolic_name,_symbolc_name);
  IoDeleteSymbolicLink(&symbolic_name);
  IoDeleteDevice(driver->DeviceObject);
  KdPrint(("卸载设备成功......\n"));
  // ---- revert the kernel patches that have an undo routine ----
  if(bc_open==TRUE)
  {
    UnHook_NtOpenProcess();
    UnHook_ntOpenThread();
    UnHook_NtGetContextThread();
    UnHook_NtSetContextThread();
    UnHook_DebugPort();
  }
  // ---------------------------------
}

#pragma PAGEDCODE
// Catch-all IRP handler registered for create, close, read, write and device
// control. It completes every request with STATUS_SUCCESS and zero bytes
// transferred, without looking at the request contents.
NTSTATUS Dispathch(PDEVICE_OBJECT driver,PIRP irp)
{
  const NTSTATUS result=STATUS_SUCCESS;

  // Fill in the status block first; the IRP is not touched after completion.
  irp->IoStatus.Information=0;
  irp->IoStatus.Status=result;
  IoCompleteRequest(irp,IO_NO_INCREMENT);

  KdPrint(("进入Irp例程......\n"));
  return result;
}
//----------------------------------------------------------------------------------
#pragma once
#ifndef XP_FUNCTION_H
#define XP_FUNCTION_H

#include "assTp.h"

// Version key computed as major*10+minor in Driver_GetWindowVersion (5.1).
#define _windows_xp 51
// Image names compared against the current process inside the hook stubs.
#define _Game_Name "DNF.exe"
#define _Game_Name1 "QQLogin.exe"
// Set to TRUE by Hook_NtOpenProcess; DriverUnload only unhooks when it is set.
BOOL bc_open=FALSE;
// ---- ANSI_STRING wrappers for the two image names ----
ANSI_STRING Game_String;
ANSI_STRING Game_String1;
// ---- SSDT service indexes; filled in by Driver_GetWindowVersion, 0 until then ----
int in_NtOpenProcess=0;
int in_NtOpenThread=0;
int in_NtQueryVirtualMemory=0;
int in_NtReadVirtualMemory=0;
int in_NtWriteVirtualMemory=0;
int in_NtGetContextThread=0;
int in_NtSetContextThread=0;
// ---- resolved kernel addresses: patch sites, call targets and saved SSDT values ----
// All are stored as 32-bit ULONGs, so this code only fits a 32-bit kernel.
ULONG call_NtOpenprocess;
ULONG addr_NtOpenProcess;
ULONG call_NtOpenThread;
ULONG addr_NtOpenThread;
ULONG addr_NtQueryVirtualMemory;
ULONG push_NtReadVirtualMemory;
ULONG addr_NtReadVirtualMemory;
ULONG push_NtWriteVirtualMemory;
ULONG addr_NtWriteVirtualMemory;
ULONG addr_KiAttachProcess;
ULONG addr_DbgkpQueueMessage;
ULONG addr_DbgkpSetProcessDebugObject;
ULONG addr_NtGetContextThread;
ULONG addr_NtSetContextThread;
// ---- shared helpers ----
// IRQL saved by PAGED_Open and restored by PAGED_Exit (one global slot).
KIRQL kirql;
#pragma PAGEDCODE
// Opens a window in which read-only kernel pages can be written: disables
// maskable interrupts, clears bit 16 of CR0 (the WP write-protect bit) and
// raises the IRQL to DISPATCH_LEVEL, saving the previous IRQL in the global
// `kirql`. Must be paired with PAGED_Exit.
//
// NOTE(review): CR0 and the interrupt flag are per-processor state, and no
// cross-processor synchronisation is visible here, so on a multiprocessor
// system other CPUs can execute the bytes while they are being rewritten.
// Code and data touched between PAGED_Open and PAGED_Exit must be resident,
// because a page fault at DISPATCH_LEVEL bugchecks the machine.
VOID PAGED_Open()
{
  __asm
  {
    cli
    push eax
    mov eax,cr0
    and eax,not 10000h
    mov cr0,eax
    pop eax
  }
  kirql=KeRaiseIrqlToDpcLevel();
}

#pragma PAGEDCODE
// Closes the window opened by PAGED_Open: restores the IRQL saved in `kirql`,
// sets bit 16 of CR0 (WP) again and re-enables maskable interrupts.
// Assumes PAGED_Open ran immediately before on the same processor; `kirql` is
// a single global, so nested or concurrent use would overwrite the saved value.
VOID PAGED_Exit()
{
  KeLowerIrql(kirql);
  __asm
  {
    push eax
    mov eax,cr0
    or eax,10000h
    mov cr0,eax
    pop eax
    sti
  }
}

// Byte-packed so the struct maps exactly onto six consecutive code bytes.
#pragma pack(1)
// Overlay for a patched instruction sequence: one opcode byte, a 32-bit
// operand and one padding byte. The hook routines use it both to save the
// original bytes and to write the replacement (opcode 0xE9 with a relative
// displacement, or opcode 0x68 with an immediate in the Reg_* routines).
typedef struct Hook_Code
{
  BYTE E9;    // opcode byte
  DWORD addr; // 32-bit operand that follows the opcode
  BYTE NOP;   // sixth byte, written as 0x90 by the JMP patches
}jmp_code,*pjmp_code;
#pragma pack()

#pragma PAGEDCODE
// Reads the OS version and, for Windows XP (5.1), fills in the hard-coded SSDT
// service indexes used by the rest of the file.
//
//   driver - driver object, passed on to DriverUnload for other versions.
//
// Always returns TRUE.
//
// NOTE(review): the indexes are fixed numbers for one kernel family and are
// not validated against the running build. On any other version this calls
// DriverUnload (before a device or symbolic link exists) and still returns
// TRUE; DriverEntry ignores the result and goes on patching with every index
// left at 0.
BOOL Driver_GetWindowVersion(PDRIVER_OBJECT driver)
{
  ULONG uMajorfunction,uMinorfunction,uBulidfunction;
  PsGetVersion(&uMajorfunction,&uMinorfunction,&uBulidfunction,NULL);
  // Fold major/minor into one key, e.g. 5.1 -> 51.
  DWORD dw_verstion=uMajorfunction*10+uMinorfunction;
  switch(dw_verstion)
  {
  case _windows_xp:
    KdPrint(("当前系统是windows xp......\n"));
    in_NtOpenProcess=0x7A;
    in_NtOpenThread=0x80;
    in_NtQueryVirtualMemory=0x0B2;
    in_NtReadVirtualMemory=0x0BA;
    in_NtWriteVirtualMemory=0x115;
    in_NtGetContextThread=0x55;
    in_NtSetContextThread=0xD5;
    break;
  default:
    DriverUnload(driver);
    break;
  }
  return TRUE;
}

// Layout of the kernel's service descriptor table as used by this file.
typedef struct _ServiceDescriptorTable {
  PVOID ServiceTableBase; // base address of the System Service Dispatch Table (SSDT)
  PVOID ServiceCounterTable;
  // per-service call counters for the SSDT; normally updated by sysenter
  unsigned int NumberOfServices; // number of services described by ServiceTableBase
  PVOID ParamTableBase; // base address of the table holding each service's argument byte count
}*PServiceDescriptorTable;
// Kernel data export; the declaration is resolved against the kernel at link/load time.
extern "C" PServiceDescriptorTable KeServiceDescriptorTable;

#pragma PAGEDCODE
// Returns the routine address currently stored in SSDT slot `index`.
// The slot is the 32-bit entry at ServiceTableBase + index*4; `index` is not
// checked against NumberOfServices.
ULONG Getssdt_addr(int index)
{
  ULONG table_base=(ULONG)KeServiceDescriptorTable->ServiceTableBase;
  PULONG slot=(PULONG)(table_base+index*4);
  return *slot;
}

#pragma PAGEDCODE
// Returns a pointer to SSDT slot `index` itself (ServiceTableBase + index*4),
// so the caller can overwrite the entry. `index` is not range-checked.
ULONG* Getssdt_this(int index)
{
  ULONG table_base=(ULONG)KeServiceDescriptorTable->ServiceTableBase;
  return (PULONG)(table_base+index*4);
}
//---------------------------------------

// Saved copy of the six original bytes, and a pointer to the patch site.
jmp_code jmp_code_NtOpenProcess;
pjmp_code pjmp_code_NtOpenProcess;
#pragma INITCODE
// Installs an inline JMP inside NtOpenProcess that diverts to My_NtOpenProcess.
//
// Steps, all driven by byte signatures rather than symbols:
//   1. scan forward from the NtOpenProcess SSDT entry for a CALL (0xE8) that
//      matches the first signature and resolve its rel32 target;
//   2. scan forward from that target for a second signature; the match is kept
//      in call_NtOpenprocess and also copied to call_NtOpenThread;
//   3. scan NtOpenProcess again for the patch site: the six bytes directly in
//      front of a CALL (0xE8), stored in addr_NtOpenProcess;
//   4. save those six bytes and overwrite them with JMP rel32 + NOP.
//
// NOTE(review): every scan is an unbounded while(1). If a signature is absent
// on the running build, the loop keeps reading kernel memory until it faults
// or matches unrelated bytes, and step 4 then patches whatever was found.
// Overwriting kernel code this way is the kind of change that comparing the
// in-memory kernel image with the on-disk file reveals.
VOID Hook_NtOpenProcess()
{
  // Tells DriverUnload that patches were installed.
  bc_open=TRUE;
  BYTE *_bp;
  _bp=(BYTE*)Getssdt_addr(in_NtOpenProcess);
  // Step 1: locate the CALL instruction by its surrounding bytes.
  while(1)
  {
    if((*(_bp-7)==0x8B)&&(*(_bp-4)==0x3b)&&(*(_bp-2)==0x74)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x8B)&&(*(_bp+8)==0xE8))
    {
      call_NtOpenprocess=(ULONG)_bp;
      break;
    }
    _bp++;
  }
  // Resolve the CALL: target = address of E8 + rel32 operand + 5.
  __asm
  {
    push eax
    push ebx
    mov eax,call_NtOpenprocess
    mov ebx,[eax+1]
    add eax,ebx
    add eax,5
    mov call_NtOpenprocess,eax
    pop ebx
    pop eax
  }
  // Step 2: from the call target, scan for the second signature.
  _bp=(BYTE*)call_NtOpenprocess;
  while(1)
  {
    if((*(_bp)==0x8B)&&(*(_bp+2)==0x55)&&(*(_bp+3)==0x8B)&&(*(_bp+5)==0x81)&&(*(_bp+11)==0x53)&&(*(_bp+12)==0x8B))
    {
      call_NtOpenprocess=(ULONG)_bp;
      break;
    }
    _bp++;
  }
  // The thread hook reuses the same resolved routine.
  call_NtOpenThread=call_NtOpenprocess;
  KdPrint(("NtOpenProcess的call地址为:%x\n",call_NtOpenprocess));
  KdPrint(("NtOpenThread的call地址为:%x\n",call_NtOpenThread));
  // Step 3: find the patch site inside NtOpenProcess (six bytes before a CALL).
  _bp=(BYTE*)Getssdt_addr(in_NtOpenProcess);
  while(1)
  {
    if((*(_bp-7)==0x50)&&(*(_bp-6)==0xff)&&(*(_bp-3)==0xff)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x8B)&&(*(_bp+7)==0x8D)&&(*(_bp+13)==0x50))
    {
      addr_NtOpenProcess=(ULONG)_bp-6;
      break;
    }
    _bp++;
  }
  // Take the address of the naked stub through inline assembly.
  ULONG addr_myfunction;
  __asm
  {
    push eax
    mov eax,My_NtOpenProcess
    mov  addr_myfunction,eax
    pop eax
  }
  // Step 4: save the original six bytes, then write JMP rel32 + NOP.
  pjmp_code_NtOpenProcess=(pjmp_code)addr_NtOpenProcess;
  jmp_code_NtOpenProcess.E9=pjmp_code_NtOpenProcess->E9;
  jmp_code_NtOpenProcess.addr=pjmp_code_NtOpenProcess->addr;
  jmp_code_NtOpenProcess.NOP=pjmp_code_NtOpenProcess->NOP;
  PAGED_Open();
  pjmp_code_NtOpenProcess->E9=0xE9;
  // rel32 is measured from the end of the 5-byte JMP.
  pjmp_code_NtOpenProcess->addr=(ULONG)(addr_myfunction-addr_NtOpenProcess-5);
  pjmp_code_NtOpenProcess->NOP=0x90;
  PAGED_Exit();
}

// Scratch globals used by the stub below; shared by every caller.
ANSI_STRING Eprocess_String;
PEPROCESS Eproecss_NtOpenProcess;
#pragma PAGEDCODE
// Naked stub reached through the JMP written by Hook_NtOpenProcess. It runs
// inside NtOpenProcess's own stack frame (no prologue is generated), which is
// why the arguments are re-pushed from [ebp-38h] and [ebp-24h].
//
// Behaviour, keyed on the current process image name (case-insensitive):
//   - "DNF.exe" or "QQLogin.exe": re-push the two arguments and continue at
//     addr_NtOpenProcess+6, i.e. at the CALL that follows the patch site;
//   - any other process: re-push the arguments, push addr_NtOpenProcess+0xB
//     (the instruction after that CALL) as the return address and jump
//     straight to the routine resolved in call_NtOpenprocess.
//
// NOTE(review): 0x174 is a hard-coded EPROCESS offset (presumably
// ImageFileName on the targeted XP build - confirm per build). The stub calls
// C routines from a naked function without saving registers, and writes
// file-scope globals from a path that can run on several processors at once.
VOID __declspec(naked) My_NtOpenProcess()
{
  Eproecss_NtOpenProcess=IoGetCurrentProcess();
  RtlInitString(&Game_String,_Game_Name);
  RtlInitString(&Game_String1,_Game_Name1);
  RtlInitString(&Eprocess_String,(PCSZ)((ULONG)Eproecss_NtOpenProcess+0x174));
  if(RtlCompareString(&Eprocess_String,&Game_String,TRUE)==0)
  {
    KdPrint(("Game Process.......\n"));
    // Replay the displaced pushes and resume at the original CALL.
    __asm
    {
      push dword ptr [ebp-38h]
      push dword ptr [ebp-24h]
      mov eax,addr_NtOpenProcess
      add eax,6
      jmp eax
    }
  }
  else
  {
    if((RtlCompareString(&Eprocess_String,&Game_String1,TRUE)==0))
    {
      KdPrint(("Game Process.......\n"));
      // Same path as above for the second image name.
      __asm
      {
        push dword ptr [ebp-38h]
        push dword ptr [ebp-24h]
        mov eax,addr_NtOpenProcess
        add eax,6
        jmp eax
      }
    }
    else
    {
      // Other processes: skip the original CALL and enter the resolved
      // routine directly, returning to the instruction after that CALL.
      __asm
      {
        push dword ptr [ebp-38h]
        push dword ptr [ebp-24h]
        mov eax,addr_NtOpenProcess
        add eax,0xB
        push eax
        jmp call_NtOpenprocess
      }
    }
  }
}

#pragma PAGEDCODE
// Restores the six bytes that Hook_NtOpenProcess saved before patching.
// NOTE(review): the restore is three separate stores with no synchronisation
// against other processors executing the patch site; pjmp_code_NtOpenProcess
// is used without checking that the hook was actually installed.
VOID UnHook_NtOpenProcess()
{
  PAGED_Open();
  pjmp_code_NtOpenProcess->E9=jmp_code_NtOpenProcess.E9;
  pjmp_code_NtOpenProcess->addr=jmp_code_NtOpenProcess.addr;
  pjmp_code_NtOpenProcess->NOP=jmp_code_NtOpenProcess.NOP;
  PAGED_Exit();
}

// Saved copy of the six original bytes, and a pointer to the patch site.
jmp_code jmp_code_NtOpenThread;
pjmp_code pjmp_code_NtOpenThread;
#pragma INITCODE
// Installs an inline JMP inside NtOpenThread that diverts to My_NtOpenThread.
// The patch site is found with the same signature Hook_NtOpenProcess uses in
// its third scan: the six bytes directly in front of a CALL (0xE8).
// Relies on call_NtOpenThread having been set by Hook_NtOpenProcess.
//
// NOTE(review): the scan is unbounded; a missing signature means the loop runs
// until it faults or matches unrelated bytes, which are then overwritten.
VOID Hook_NtOpenThread()
{
  BYTE* _bp=(BYTE*)Getssdt_addr(in_NtOpenThread);
  while(1)
  {
    if((*(_bp-7)==0x50)&&(*(_bp-6)==0xff)&&(*(_bp-3)==0xff)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x8B)&&(*(_bp+7)==0x8D)&&(*(_bp+13)==0x50))
    {
      addr_NtOpenThread=(ULONG)_bp-6;
      break;
    }
    _bp++;
  }
  // Take the address of the naked stub through inline assembly.
  ULONG addr_myfuntion;
  __asm
  {
    push eax
    mov eax,My_NtOpenThread
    mov addr_myfuntion,eax
    pop eax
  }
  // Save the original six bytes, then write JMP rel32 + NOP.
  pjmp_code_NtOpenThread=(pjmp_code)addr_NtOpenThread;
  jmp_code_NtOpenThread.E9=pjmp_code_NtOpenThread->E9;
  jmp_code_NtOpenThread.addr=pjmp_code_NtOpenThread->addr;
  jmp_code_NtOpenThread.NOP=pjmp_code_NtOpenThread->NOP;
  PAGED_Open();
  pjmp_code_NtOpenThread->E9=0xE9;
  // rel32 is measured from the end of the 5-byte JMP.
  pjmp_code_NtOpenThread->addr=(ULONG)(addr_myfuntion-addr_NtOpenThread-5);
  pjmp_code_NtOpenThread->NOP=0x90;
  PAGED_Exit();
}

#pragma PAGEDCODE
// Naked stub reached through the JMP written by Hook_NtOpenThread. Unlike the
// process stub it makes no per-process distinction: it re-pushes the two
// displaced arguments from NtOpenThread's frame, pushes addr_NtOpenThread+0xB
// (the instruction after the original CALL) as the return address and jumps to
// the routine held in call_NtOpenThread.
VOID __declspec(naked) My_NtOpenThread()
{
  __asm
  {
    push dword ptr [ebp-34h]
    push dword ptr [ebp-20h]
    mov eax,addr_NtOpenThread
    add eax,0xB
    push eax
    jmp call_NtOpenThread
  }
}

#pragma PAGEDCODE
// Restores the six bytes that Hook_NtOpenThread saved before patching.
// NOTE(review): same caveats as UnHook_NtOpenProcess - no check that the hook
// was installed and no synchronisation with other processors.
VOID UnHook_ntOpenThread()
{
  PAGED_Open();
  pjmp_code_NtOpenThread->E9=jmp_code_NtOpenThread.E9;
  pjmp_code_NtOpenThread->addr=jmp_code_NtOpenThread.addr;
  pjmp_code_NtOpenThread->NOP=jmp_code_NtOpenThread.NOP;
  PAGED_Exit();
}

// Copy of bytes 2..6 of NtReadVirtualMemory taken below, and the patch pointer.
jmp_code jmp_code_NtReadVirtualMemory;
pjmp_code pjmp_code_NtReadVirtualMemory;
#pragma INITCODE
// Rewrites the first seven bytes of NtReadVirtualMemory as
//   6A 1C          push 1Ch
//   68 <imm32>     push <push_NtReadVirtualMemory>
// where the immediate is derived from NtQueryVirtualMemory: the dword at
// offset 6 of that routine minus 0x1E8.
//
// NOTE(review): presumably this re-creates the stock prologue in case another
// driver replaced it - that intent is inferred, not shown by the code. The
// immediate depends on a fixed distance between two kernel data items, so it
// is only right for the build it was measured on. The first two bytes are
// overwritten before anything is saved, the copy in
// jmp_code_NtReadVirtualMemory is taken after that write, and no routine in
// this file restores it.
VOID Reg_NtReadVirtualMemory()
{
  addr_NtQueryVirtualMemory=Getssdt_addr(in_NtQueryVirtualMemory);
  // Read the dword at NtQueryVirtualMemory+6 and rebase it by -0x1E8.
  __asm
  {
    push eax
    mov eax,addr_NtQueryVirtualMemory
    mov eax,[eax+6]
    sub eax,0x1E8
    mov push_NtReadVirtualMemory,eax
    pop eax
  }
  addr_NtReadVirtualMemory=Getssdt_addr(in_NtReadVirtualMemory);
  // 6A 1C = push 1Ch
  BYTE  b_push_1[]={0x6a,0x1c};
  PAGED_Open();
  RtlCopyBytes((void*)addr_NtReadVirtualMemory,b_push_1,2);
  PAGED_Exit();
  pjmp_code_NtReadVirtualMemory=(pjmp_code)(addr_NtReadVirtualMemory+2);
  jmp_code_NtReadVirtualMemory.E9=pjmp_code_NtReadVirtualMemory->E9;
  jmp_code_NtReadVirtualMemory.addr=pjmp_code_NtReadVirtualMemory->addr;
  PAGED_Open();
  // 0x68 = push imm32; only five bytes are written, the NOP field is untouched.
  pjmp_code_NtReadVirtualMemory->E9=0x68;
  pjmp_code_NtReadVirtualMemory->addr=push_NtReadVirtualMemory;
  PAGED_Exit();
}


// Copy of bytes 2..6 of NtWriteVirtualMemory taken below, and the patch pointer.
jmp_code jmp_code_NtWriteVirtualMemory;
pjmp_code pjmp_code_NtWriteVirtualMemory;
#pragma INITCODE
// Rewrites the first seven bytes of NtWriteVirtualMemory as
//   6A 1C          push 1Ch
//   68 <imm32>     push <push_NtWriteVirtualMemory>
// with the immediate taken from the dword at NtQueryVirtualMemory+6 minus
// 0x1D0. Mirrors Reg_NtReadVirtualMemory apart from that constant.
//
// NOTE(review): same caveats as Reg_NtReadVirtualMemory - the purpose
// (re-creating a stock prologue) is inferred, the constant is build-specific,
// and nothing in this file undoes the write.
VOID Reg_NtWriteVirtualMemory()
{
  addr_NtQueryVirtualMemory=Getssdt_addr(in_NtQueryVirtualMemory);
  // Read the dword at NtQueryVirtualMemory+6 and rebase it by -0x1D0.
  __asm
  {
    push eax
    mov eax,addr_NtQueryVirtualMemory
    mov eax,[eax+6]
    sub eax,0x1D0
    mov push_NtWriteVirtualMemory,eax
    pop eax
  }
  addr_NtWriteVirtualMemory=Getssdt_addr(in_NtWriteVirtualMemory);
  // 6A 1C = push 1Ch
  BYTE  b_push_1[]={0x6a,0x1c};
  PAGED_Open();
  RtlCopyBytes((void*)addr_NtWriteVirtualMemory,b_push_1,2);
  PAGED_Exit();
  pjmp_code_NtWriteVirtualMemory=(pjmp_code)(addr_NtWriteVirtualMemory+2);
  jmp_code_NtWriteVirtualMemory.E9=pjmp_code_NtWriteVirtualMemory->E9;
  jmp_code_NtWriteVirtualMemory.addr=pjmp_code_NtWriteVirtualMemory->addr;
  PAGED_Open();
  // 0x68 = push imm32; only five bytes are written, the NOP field is untouched.
  pjmp_code_NtWriteVirtualMemory->E9=0x68;
  pjmp_code_NtWriteVirtualMemory->addr=push_NtWriteVirtualMemory;
  PAGED_Exit();
}

#pragma INITCODE
// Locates a non-exported routine (named KiAttachProcess by this file) by
// following a CALL found inside the exported KeAttachProcess, then overwrites
// its first seven bytes with
//   8B FF  mov edi,edi / 55  push ebp / 8B EC  mov ebp,esp / 53  push ebx / 56  push esi
//
// NOTE(review): the result of MmGetSystemRoutineAddress is not checked for
// NULL, the scan is unbounded, and the seven bytes are written without reading
// or saving what was there, so the write is only harmless if the routine
// really starts with that exact prologue on the running build. There is no
// undo routine for this patch in the file.
VOID Reg_KiAttachProcess()
{
  UNICODE_STRING u_KeAttachProcess;
  RtlInitUnicodeString(&u_KeAttachProcess,L"KeAttachProcess");
  BYTE* _bp=(BYTE*)MmGetSystemRoutineAddress(&u_KeAttachProcess);
  while(1)
  {
    if((*(_bp-6)==0x50)&&(*(_bp-5)==0xFF)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x5F)&&(*(_bp+8)==0xC2))
    {
      addr_KiAttachProcess=(ULONG)_bp;
      // Resolve the CALL: target = address of E8 + rel32 operand + 5.
      __asm
      {
        push eax
        push ebx
        mov eax,addr_KiAttachProcess
        mov ebx,[eax+1]
        add eax,ebx
        add eax,5
        mov addr_KiAttachProcess,eax
        pop ebx
        pop eax
      }
      break;
    }
    _bp++;
  }
  BYTE _bp1[]={0x8B,0xFF,0x55,0x8B,0xEC,0x53,0x56};
  PAGED_Open();
  RtlCopyBytes((void*)addr_KiAttachProcess,_bp1,7);
  PAGED_Exit();
}

#pragma INITCODE
// Finds a routine (named DbgkpQueueMessage by this file) by scanning forward
// from the NtOpenProcess SSDT entry for a byte signature, takes the address
// 0xD bytes before the match as the routine start, and overwrites its first
// seven bytes with
//   8B FF  mov edi,edi / 55  push ebp / 8B EC  mov ebp,esp / 81 EC  (start of sub esp,imm32)
//
// NOTE(review): the scan starts in an unrelated routine and has no upper
// bound, so the result depends entirely on the code layout of one kernel
// build. The original bytes are not saved and nothing in this file restores
// them.
VOID Reg_DbgkpQueueMessage()
{
  BYTE* _bp=(BYTE*)Getssdt_addr(in_NtOpenProcess);
  while(1)
  {
    if((*(_bp)==0x8B)&&(*(_bp+3)==0x89)&&(*(_bp+10)==0x74)&&(*(_bp+11)==0x48)&&(*(_bp+12)==0x68))
    {
      addr_DbgkpQueueMessage=(ULONG)_bp-0xD;
      break;
    }
    _bp++;
  }
  KdPrint(("DbgQueueMessage的地址为:%x\n",addr_DbgkpQueueMessage));
  BYTE b_byte[]={0x8B,0xFF,0x55,0x8B,0xEC,0x81,0xEC};
  PAGED_Open();
  RtlCopyBytes((void*)addr_DbgkpQueueMessage,b_byte,7);
  PAGED_Exit();
}

#pragma PAGEDCODE
// Finds a routine (named DbgkpSetProcessDebugObject by this file) by scanning
// forward from addr_DbgkpQueueMessage, takes the address 0xB bytes before the
// match as the routine start, and overwrites its first seven bytes with
//   8B FF  mov edi,edi / 55  push ebp / 8B EC  mov ebp,esp / 83 EC  (start of sub esp,imm8)
// Depends on Reg_DbgkpQueueMessage having run first.
//
// NOTE(review): unbounded scan, original bytes not saved, no undo routine in
// this file.
VOID Reg_DbgkpSetProcessDebugObject()
{
  BYTE* _bp=(BYTE*)addr_DbgkpQueueMessage;
  while(1)
  {
    if((*(_bp)==0x64)&&(*(_bp+6)==0x89)&&(*(_bp+9)==0x8D)&&(*(_bp+15)==0x89)&&(*(_bp+21)==0x33))
    {
      addr_DbgkpSetProcessDebugObject=(ULONG)_bp-0xB;
      break;
    }
    _bp++;
  }
  KdPrint(("DbgkpSetProcessDebugObject的地址为:%x\n",addr_DbgkpSetProcessDebugObject));
  BYTE b_byte[]={0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC};
  PAGED_Open();
  RtlCopyBytes((void*)addr_DbgkpSetProcessDebugObject,b_byte,7);
  PAGED_Exit();
}

// Function-pointer type for the original service routine.
extern "C"
typedef
NTSYSCALLAPI NTSTATUS (__stdcall* Nt_NtGetContextThread)(__in HANDLE  ThreadHandle,__inout PCONTEXT  ThreadContext);
// Holds the original routine address. Declared as a pointer to the
// function-pointer type, so every call site casts it back before calling.
Nt_NtGetContextThread* nt_ntgetcontextthread;

// Scratch globals used by the replacement routine; shared by every caller.
PEPROCESS eprocess_NtGetContextThread;
ANSI_STRING ntgetcontextthread_eproecss;
ANSI_STRING ntgetcontextthread_Game_string;
#pragma PAGEDCODE
// Replacement installed in the NtGetContextThread SSDT slot.
//
// When the calling process image name equals "DNF.exe" (case-insensitive) it
// returns STATUS_SUCCESS without calling the original routine, so the caller's
// CONTEXT buffer is left unmodified. Every other caller is forwarded to the
// saved original.
//
// NOTE(review): 0x174 is a hard-coded EPROCESS offset (presumably
// ImageFileName on the targeted XP build - confirm per build). The scratch
// globals are written on every call with no locking, although this routine
// can run on several processors at once.
extern "C"
NTSTATUS __stdcall My_NtGetContextThread(__in HANDLE  ThreadHandle,__inout PCONTEXT  ThreadContext)
{
  eprocess_NtGetContextThread=IoGetCurrentProcess();
  RtlInitString(&ntgetcontextthread_eproecss,(PCSZ)((ULONG)eprocess_NtGetContextThread+0x174));
  RtlInitString(&ntgetcontextthread_Game_string,_Game_Name);
  if(RtlCompareString(&ntgetcontextthread_eproecss,&ntgetcontextthread_Game_string,TRUE)==0)
  {
    // Report success but hand back no thread context.
    return STATUS_SUCCESS;
  }
  return ((NTSTATUS(NTAPI*)(HANDLE,PCONTEXT))nt_ntgetcontextthread)(ThreadHandle,ThreadContext);
}

#pragma INITCODE
// Replaces the NtGetContextThread SSDT slot with My_NtGetContextThread after
// saving the original routine address in addr_NtGetContextThread and
// nt_ntgetcontextthread.
//
// NOTE(review): whatever the slot holds at this moment is treated as "the
// original"; if another driver already replaced the entry, that driver's
// routine is what gets saved and later restored. An SSDT slot that points
// outside the kernel image is a well-known signal for SSDT integrity checks.
VOID Hook_NtGetContextThread()
{
  ULONG* u_NtGetContextThread;
  u_NtGetContextThread=Getssdt_this(in_NtGetContextThread);
  addr_NtGetContextThread=Getssdt_addr(in_NtGetContextThread);
  KdPrint(("当前NtGetContextThread的地址为:%x\n",addr_NtGetContextThread));
  nt_ntgetcontextthread=(Nt_NtGetContextThread*)addr_NtGetContextThread;
  PAGED_Open();
  *u_NtGetContextThread=(ULONG)My_NtGetContextThread;
  PAGED_Exit();
}

#pragma PAGEDCODE
// Writes the saved routine address back into the NtGetContextThread SSDT slot.
// The slot address is recomputed inline (ServiceTableBase + index*4) instead
// of calling Getssdt_this.
// NOTE(review): addr_NtGetContextThread is written back unconditionally; if
// the hook was never installed it is still 0.
VOID UnHook_NtGetContextThread()
{
  ULONG u_NtGetContextThread;
  u_NtGetContextThread=(ULONG)KeServiceDescriptorTable->ServiceTableBase+in_NtGetContextThread*4;
  PAGED_Open();
  *((ULONG*)u_NtGetContextThread)=addr_NtGetContextThread;
  PAGED_Exit();
}

// Function-pointer type for the original service routine.
extern "C"
typedef
NTSYSCALLAPI NTSTATUS (__stdcall* Nt_NtSetContextThread)(__in HANDLE  ThreadHandle,__in PCONTEXT  ThreadContext);
// Holds the original routine address. Declared as a pointer to the
// function-pointer type, so every call site casts it back before calling.
Nt_NtSetContextThread* nt_ntsetcontextthread;

// Scratch globals used by the replacement routine; shared by every caller.
PEPROCESS eprocess_NtSetContextThread;
ANSI_STRING ntsetcontextthread_eprocess;
ANSI_STRING ntsetcontextthread_Game_String;
#pragma PAGEDCODE
// Replacement installed in the NtSetContextThread SSDT slot.
//
// When the calling process image name equals "DNF.exe" (case-insensitive) it
// returns STATUS_SUCCESS without calling the original routine, so the
// requested context change is silently dropped. Every other caller is
// forwarded to the saved original.
//
// NOTE(review): ThreadContext is a caller-supplied pointer and is dereferenced
// for Dr7 without ProbeForRead or a __try block, so an invalid pointer from
// user mode faults in kernel context. The Dr7==0x101 branch performs exactly
// the same call as the fall-through path, so the test has no effect. 0x174 is
// a hard-coded EPROCESS offset (presumably ImageFileName on the targeted XP
// build - confirm per build).
extern "C"
NTSTATUS __stdcall My_NtSetContextThread(__in HANDLE  ThreadHandle,__in PCONTEXT  ThreadContext)
{
  eprocess_NtSetContextThread=IoGetCurrentProcess();
  RtlInitString(&ntsetcontextthread_eprocess,(PCSZ)((ULONG)eprocess_NtSetContextThread+0x174));
  RtlInitString(&ntsetcontextthread_Game_String,_Game_Name);
  if(RtlCompareString(&ntsetcontextthread_eprocess,&ntsetcontextthread_Game_String,TRUE)==0)
  {
    // Report success but apply nothing.
    return STATUS_SUCCESS;
  }
  if(ThreadContext->Dr7==0x101)
  {
    return ((NTSTATUS(NTAPI*)(HANDLE,PCONTEXT))nt_ntsetcontextthread)(ThreadHandle,ThreadContext);
  }
  return ((NTSTATUS(NTAPI*)(HANDLE,PCONTEXT))nt_ntsetcontextthread)(ThreadHandle,ThreadContext);  
}

#pragma INITCODE
// Replaces the NtSetContextThread SSDT slot with My_NtSetContextThread after
// saving the original routine address in addr_NtSetContextThread and
// nt_ntsetcontextthread.
//
// NOTE(review): as with the Get variant, the value found in the slot is
// assumed to be the genuine kernel routine; no check confirms that it lies
// inside the kernel image.
VOID Hook_NtSetContextThread()
{
  ULONG* u_NtSetContextThread;
  u_NtSetContextThread=Getssdt_this(in_NtSetContextThread);
  addr_NtSetContextThread=Getssdt_addr(in_NtSetContextThread);
  KdPrint(("当前NtSetContextThread的地址为:%x\n",addr_NtSetContextThread));
  nt_ntsetcontextthread=(Nt_NtSetContextThread*)addr_NtSetContextThread;
  PAGED_Open();
  *u_NtSetContextThread=(ULONG)My_NtSetContextThread;
  PAGED_Exit();
}

#pragma PAGEDCODE
// Writes the saved routine address back into the NtSetContextThread SSDT slot.
// The slot address is recomputed inline (ServiceTableBase + index*4).
// NOTE(review): addr_NtSetContextThread is written back unconditionally; if
// the hook was never installed it is still 0.
VOID UnHook_NtSetContextThread()
{
  ULONG u_NtSetContextThread;
  u_NtSetContextThread=(ULONG)KeServiceDescriptorTable->ServiceTableBase+in_NtSetContextThread*4;
  PAGED_Open();
  (*(ULONG*)u_NtSetContextThread)=addr_NtSetContextThread;
  PAGED_Exit();
}

// Addresses of the two-byte patch sites located by Hook_DebugPort, one field
// per kernel routine. The trailing comments are the author's count of sites in
// each routine.
// NOTE(review): several counts are larger than the storage provided (a scalar
// for "3 sites", a 3-element array for "4 sites"), so not every site the
// author counted can be recorded here.
struct _str_debugport
{
  ULONG KiDispatchException;        // 1 site
  ULONG NtQueryInformationProcess;      // 1 site
  ULONG PspCreateProcess;        // 1 site
  ULONG PsGetProcessDebugPort;      // 1 site
  ULONG PsIsProcessBeingDebugged;      // 1 site
  ULONG NtTerminateProcess;        // 1 site
  ULONG PspTerminateProcess;      // 1 site
  ULONG PspExitThread;        // 1 site
  ULONG PspProcessDelete;        // 3 sites
  ULONG ObpCloseHandleTableEntry;      // 1 site
  ULONG ObpCloseHandle;        // 1 site
  ULONG MmCreatePeb;        // 1 site
  ULONG DbgkCreateThread;        // 1 site
  ULONG DbgkExitThread;        // 1 site
  ULONG DbgkExitProcess;        // 1 site
  ULONG DbgkMapViewOfSection;      // 1 site
  ULONG DbgkUnMapViewOfSection;      // 1 site
  ULONG DbgkpMarkProcessPeb;      // 1 site
  ULONG DbgkpCloseObject;        // 3 sites
  ULONG DbgkCopyProcessDebugPort[3];      // 4 sites
  ULONG DbgkOpenProcessDebugPort;      // 2 sites
  ULONG DbgkpQueueMessage;        // 1 site
  ULONG DbgkClearProcessDebugObject;      // 2 sites
  ULONG DbgkpSetProcessDebugObject[5];      // 5 sites
  ULONG DbgkForwardException;      // 1 site
}str_debugport;
// Little-endian 0x00BC: the value UnHook_DebugPort writes back. Presumably the
// EPROCESS DebugPort offset on the targeted XP build - confirm per build.
BYTE b_byte1[]={0xBC,0x00};
// Little-endian 0x025C: the replacement value written by Hook_DebugPort.
BYTE b_byte2[]={0x5C,0x02};
#pragma PAGEDCODE
// Locates instruction sites throughout the first loaded system module and
// rewrites two bytes at each one from BC 00 to 5C 02.
//
// How it works:
//   1. ZwQuerySystemInformation with class 11 returns the loaded-module list;
//      the base of Module[0] is used as the scan start.
//   2. For each named routine, memory is scanned byte by byte from that base
//      for a short signature; the address two bytes past the match (one byte
//      for DbgkClearProcessDebugObject) is recorded in str_debugport.
//   3. Inside one PAGED_Open/PAGED_Exit window, b_byte2 (5C 02) is copied over
//      the two bytes at every recorded address.
// The overwritten bytes are presumably the low half of a 32-bit displacement,
// so the patched instructions would address offset 0x25C instead of 0xBC of
// the same structure - inferred from the constants, not shown by the code.
//
// NOTE(review):
//   - Neither ZwQuerySystemInformation status is checked, and Module[0] is
//     assumed to be the kernel image.
//   - Every scan is an unbounded while(1) that takes the first match from the
//     image base; a signature missing on the running build ends in a fault or
//     in a patch to unrelated code.
//   - Most signatures do not test the bytes that are about to be replaced.
//   - DbgkOpenProcessDebugPort uses exactly the same signature as
//     DbgkCopyProcessDebugPort[1], so both resolve to the same address.
//   - DbgkpSetProcessDebugObject has five elements but index [5] is used in
//     the write-back; that reads the next struct field, DbgkForwardException.
//   - Wide-ranging edits to kernel code pages such as these show up when the
//     in-memory kernel image is compared with the file on disk.
VOID Hook_DebugPort()
{
  NTSTATUS status;
  ULONG len;
  PVOID p_Buffer;
  PSYSTEM_MODULE_INFORMATION Mode_data;
  // First call only asks for the required buffer length.
  status=ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)11,NULL,0,&len);
  p_Buffer=ExAllocatePool(NonPagedPool,len);
  if(p_Buffer==NULL)
  {
    KdPrint(("分配内存出错!\r\n"));
    return ;
  }
  status=ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)11,p_Buffer,len,0);
  Mode_data=(PSYSTEM_MODULE_INFORMATION)p_Buffer;
  // Base address of the first module in the list; every scan starts here.
  ULONG u_addr=(ULONG)Mode_data->Module[0].Base;
  ExFreePool(p_Buffer);
  BYTE* _bp;
  // Each loop below has the same shape: scan from the image base, record
  // match+2 as the patch site, log it, and restart from the base.
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-9)==0x64)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x39)&&(*(_bp+1)==0xB8)&&(*(_bp+6)==0x74))
    {
      str_debugport.KiDispatchException=(ULONG)_bp+2;
      KdPrint(("KiDispatchException的地址为:%x\r\n",str_debugport.KiDispatchException));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-6)==0x8B)&&(*(_bp)==0x8B)&&(*(_bp+1)==0x81)&&(*(_bp+6)==0xF7)&&(*(_bp+8)==0x1B))
    {
      str_debugport.NtQueryInformationProcess=(ULONG)_bp+2;
      KdPrint(("NtQueryInformationProcess的地址为:%x\r\n",str_debugport.NtQueryInformationProcess));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-9)==0x0F)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x89)&&(*(_bp+1)==0x83)&&(*(_bp+6)==0xF6))
    {
      str_debugport.PspCreateProcess=(ULONG)_bp+2;
      KdPrint(("spCreateProcess的地址为:%x\r\n",str_debugport.PspCreateProcess));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-5)==0x8B)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x8B)&&(*(_bp+1)==0x80)&&(*(_bp+2)==0xBC)&&(*(_bp+6)==0x5D))
    {
      str_debugport.PsGetProcessDebugPort=(ULONG)_bp+2;
      KdPrint(("sGetProcessDeubgPort的地址为:%x\r\n",str_debugport.PsGetProcessDebugPort));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-5)==0x8B)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x83)&&(*(_bp+1)==0xB8)&&(*(_bp+7)==0x0F))
    {
      str_debugport.PsIsProcessBeingDebugged=(ULONG)_bp+2;
      KdPrint(("sIsProcessBeingDebugged的地址为:%x\r\n",str_debugport.PsIsProcessBeingDebugged));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-9)==0x81)&&(*(_bp-2)==0x74)&&(*(_bp)==0x83)&&(*(_bp+1)==0xBB)&&(*(_bp+7)==0x74))
    {
      str_debugport.NtTerminateProcess=(ULONG)_bp+2;
      KdPrint(("NtTerminateProcess的地址为:%x\r\n",str_debugport.NtTerminateProcess));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-4)==0x85)&&(*(_bp-2)==0x75)&&(*(_bp)==0x39)&&(*(_bp+1)==0x86)&&(*(_bp+8)==0x56))
    {
      str_debugport.PspTerminateProcess=(ULONG)_bp+2;
      KdPrint(("spTerminateProcess的地址为:%x\r\n",str_debugport.PspTerminateProcess));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-5)==0xE8)&&(*(_bp)==0x83)&&(*(_bp+1)==0xBF)&&(*(_bp+7)==0x74)&&(*(_bp+9)==0xF6))
    {
      str_debugport.PspExitThread=(ULONG)_bp+2;
      KdPrint(("spExitThread的地址为:%x\r\n",str_debugport.PspExitThread));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-6)==0x89)&&(*(_bp-4)==0x66)&&(*(_bp)==0x8D)&&(*(_bp+1)==0xBE)&&(*(_bp+6)==0x8B))
    {
      str_debugport.PspProcessDelete=(ULONG)_bp+2;
      KdPrint(("spProcessDelte的地址为:%x\r\n",str_debugport.PspProcessDelete));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-9)==0x64)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x83)&&(*(_bp+1)==0xB8)&&(*(_bp+2)==0xBC)&&(*(_bp+7)==0x74))
    {
      str_debugport.ObpCloseHandleTableEntry=(ULONG)_bp+2;
      KdPrint(("ObpCloseHandleTableEntry的地址为:%x\r\n",str_debugport.ObpCloseHandleTableEntry));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-9)==0xF6)&&(*(_bp-2)==0x75)&&(*(_bp)==0x39)&&(*(_bp+1)==0x8B)&&(*(_bp+6)==0x74))
    {
      str_debugport.ObpCloseHandle=(ULONG)_bp+2;
      KdPrint(("ObpCloseHandle的地址为:%x\r\n",str_debugport.ObpCloseHandle));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-5)==0x89)&&(*(_bp-2)==0x33)&&(*(_bp)==0x39)&&(*(_bp+1)==0x9E)&&(*(_bp+6)==0x0F))
    {
      str_debugport.MmCreatePeb=(ULONG)_bp+2;
      KdPrint(("MmCreatePeb的地址为:%x\r\n",str_debugport.MmCreatePeb));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-6)==0x50)&&(*(_bp-5)==0xE8)&&(*(_bp)==0x39)&&(*(_bp+1)==0x9E)&&(*(_bp+6)==0x0F))
    {
      str_debugport.DbgkCreateThread=(ULONG)_bp+2;
      KdPrint(("DbgkCreateThread的地址为:%x\r\n",str_debugport.DbgkCreateThread));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-2)==0x75)&&(*(_bp)==0x8B)&&(*(_bp+1)==0x89)&&(*(_bp+6)==0x85)&&(*(_bp+8)==0x74))
    {
      str_debugport.DbgkExitThread=(ULONG)_bp+2;
      KdPrint(("DgbkExitThread的地址为:%x\r\n",str_debugport.DbgkExitThread));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-9)==0xF6)&&(*(_bp-2)==0x75)&&(*(_bp)==0x8B)&&(*(_bp+1)==0x89)&&(*(_bp+6)==0x85)&&(*(_bp+8)==0x74))
    {
      str_debugport.DbgkExitProcess=(ULONG)_bp+2;
      KdPrint(("DbgkExitProcess的地址为:%x\r\n",str_debugport.DbgkExitProcess));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-2)==0xEB)&&(*(_bp)==0x8B)&&(*(_bp+1)==0x89)&&(*(_bp+6)==0x3B)&&(*(_bp+8)==0x74))
    {
      str_debugport.DbgkMapViewOfSection=(ULONG)_bp+2;
      KdPrint(("DbgkMapViewOfSection的地址为:%x\r\n",str_debugport.DbgkMapViewOfSection));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-2)==0x75)&&(*(_bp)==0x83)&&(*(_bp+1)==0xB9)&&(*(_bp+7)==0x74)&&(*(_bp+9)==0x8B))
    {
      str_debugport.DbgkUnMapViewOfSection=(ULONG)_bp+2;
      KdPrint(("DbgkUnmapViewOfsection的地址为:%x\r\n",str_debugport.DbgkUnMapViewOfSection));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-5)==0x89)&&(*(_bp-2)==0x33)&&(*(_bp)==0x39)&&(*(_bp+1)==0xBE)&&(*(_bp+6)==0x0F))
    {
      str_debugport.DbgkpMarkProcessPeb=(ULONG)_bp+2;
      KdPrint(("DbgkMarkProcessPeb的地址为:%x\r\n",str_debugport.DbgkpMarkProcessPeb));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-5)==0xEB)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x81)&&(*(_bp+1)==0xC3)&&(*(_bp+6)==0x39))
    {
      str_debugport.DbgkpCloseObject=(ULONG)_bp+2;
      KdPrint(("DbgkCloseObject的地址为:%x\r\n",str_debugport.DbgkpCloseObject));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-3)==0x8B)&&(*(_bp)==0x83)&&(*(_bp+1)==0xA0)&&(*(_bp+7)==0x56)&&(*(_bp+8)==0x8B))
    {
      str_debugport.DbgkCopyProcessDebugPort[0]=(ULONG)_bp+2;
      KdPrint(("DbgkCopyProcessDebugPort的第一处地址为:%x\r\n",str_debugport.DbgkCopyProcessDebugPort[0]));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-4)==0x56)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x81)&&(*(_bp+1)==0xC6)&&(*(_bp+6)==0x83))
    {
      str_debugport.DbgkCopyProcessDebugPort[1]=(ULONG)_bp+2;
      KdPrint(("DbgkCopyProcessDebugPort的第二处地址为:%x\r\n",str_debugport.DbgkCopyProcessDebugPort[1]));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-8)==0xE8)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x89)&&(*(_bp+1)==0xB0)&&(*(_bp+6)==0x8B))
    {
      str_debugport.DbgkCopyProcessDebugPort[2]=(ULONG)_bp+2;
      KdPrint(("DbgkCopyProcessDebugPort的第三处地址为:%x\r\n",str_debugport.DbgkCopyProcessDebugPort[2]));
      break;
    }
    _bp++;
  }
  // Same signature as DbgkCopyProcessDebugPort[1] above, so the same address
  // is found again.
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-4)==0x56)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x81)&&(*(_bp+1)==0xC6)&&(*(_bp+6)==0x83))
    {
      str_debugport.DbgkOpenProcessDebugPort=(ULONG)_bp+2;
      KdPrint(("DbgkOpenProcessDebugPort的地址为:%x\r\n",str_debugport.DbgkOpenProcessDebugPort));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-9)==0xFF)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x8B)&&(*(_bp+1)==0x80)&&(*(_bp+2)==0xBC)&&(*(_bp+6)==0x89)&&(*(_bp+9)==0x8B))
    {
      str_debugport.DbgkpQueueMessage=(ULONG)_bp+2;
      KdPrint(("DbgkpQueueMessage的地址为:%x\r\n",str_debugport.DbgkpQueueMessage));
      break;
    }
    _bp++;
  }
  // The only site recorded at match+1 instead of match+2.
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-5)==0xFF)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x05)&&(*(_bp+1)==0xBC)&&(*(_bp+5)==0x8B))
    {
      str_debugport.DbgkClearProcessDebugObject=(ULONG)_bp+1;
      KdPrint(("DbgkClearProcessDebugObject的地址为:%x\r\n",str_debugport.DbgkClearProcessDebugObject));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-6)==0xC6)&&(*(_bp-2)==0xFF)&&(*(_bp)==0x39)&&(*(_bp+1)==0x9F)&&(*(_bp+6)==0x75))
    {
      str_debugport.DbgkpSetProcessDebugObject[0]=(ULONG)_bp+2;
      KdPrint(("DbgkpSetProcessDebugObject的第一处地址为:%x\r\n",str_debugport.DbgkpSetProcessDebugObject[0]));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-6)==0x8B)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x89)&&(*(_bp+1)==0x87)&&(*(_bp+6)==0xE8))
    {
      str_debugport.DbgkpSetProcessDebugObject[1]=(ULONG)_bp+2;
      KdPrint(("DbgkpSetProcessDebugObject的第二处地址为:%x\r\n",str_debugport.DbgkpSetProcessDebugObject[1]));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-4)==0x85)&&(*(_bp-2)==0x74)&&(*(_bp)==0x83)&&(*(_bp+1)==0xA7)&&(*(_bp+7)==0xB9))
    {
      str_debugport.DbgkpSetProcessDebugObject[2]=(ULONG)_bp+2;
      KdPrint(("DbgkpSetProcessDebugObject的第三处地址为:%x\r\n",str_debugport.DbgkpSetProcessDebugObject[2]));
      break;
    }
    _bp++;
  }

  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-6)==0xC6)&&(*(_bp-2)==0xFF)&&(*(_bp)==0x83)&&(*(_bp+1)==0xBF)&&(*(_bp+7)==0x74))
    {
      str_debugport.DbgkpSetProcessDebugObject[3]=(ULONG)_bp+2;
      KdPrint(("DbgkpSetProcessDebugObject的第四处地址为:%x\r\n",str_debugport.DbgkpSetProcessDebugObject[3]));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-7)==0xE8)&&(*(_bp-2)==0xEB)&&(*(_bp)==0x83)&&(*(_bp+1)==0xA7)&&(*(_bp+7)==0xC7))
    {
      str_debugport.DbgkpSetProcessDebugObject[4]=(ULONG)_bp+2;
      KdPrint(("DbgkpSetProcessDebugObject的第五处地址为:%x\r\n",str_debugport.DbgkpSetProcessDebugObject[4]));
      break;
    }
    _bp++;
  }
  _bp=(BYTE*)u_addr;
  while(1)
  {
    if((*(_bp-4)==0x33)&&(*(_bp-2)==0xEB)&&(*(_bp)==0x8B)&&(*(_bp+1)==0x81)&&(*(_bp+6)==0x32))
    {
      str_debugport.DbgkForwardException=(ULONG)_bp+2;
      KdPrint(("DbgkForwardException的地址为:%x\r\n",str_debugport.DbgkForwardException));
      break;
    }
    _bp++;
  }
  // All writes happen in one window; b_byte2 (5C 02) replaces two bytes at
  // every recorded site.
  PAGED_Open();
  RtlCopyMemory((VOID*)str_debugport.KiDispatchException,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.NtQueryInformationProcess,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.PspCreateProcess,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.PsGetProcessDebugPort,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.PsIsProcessBeingDebugged,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.NtTerminateProcess,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.PspTerminateProcess,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.PspExitThread,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.PspProcessDelete,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.ObpCloseHandleTableEntry,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.ObpCloseHandle,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.MmCreatePeb,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkCreateThread,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkExitThread,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkExitProcess,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkMapViewOfSection,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkUnMapViewOfSection,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkpMarkProcessPeb,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkpCloseObject,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkCopyProcessDebugPort[0],b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkCopyProcessDebugPort[1],b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkCopyProcessDebugPort[2],b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkOpenProcessDebugPort,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkpQueueMessage,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkClearProcessDebugObject,b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkpSetProcessDebugObject[0],b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkpSetProcessDebugObject[1],b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkpSetProcessDebugObject[2],b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkpSetProcessDebugObject[3],b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkpSetProcessDebugObject[4],b_byte2,2);
  // NOTE(review): index 5 is one past the end of the 5-element array.
  RtlCopyMemory((VOID*)str_debugport.DbgkpSetProcessDebugObject[5],b_byte2,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkForwardException,b_byte2,2);
  PAGED_Exit();     
}

#pragma PAGEDCODE
// Writes b_byte1 (BC 00) back over the two bytes at every site recorded in
// str_debugport, inside one PAGED_Open/PAGED_Exit window.
//
// NOTE(review): the original bytes were never saved, so this assumes every
// site held BC 00 before patching. If Hook_DebugPort returned early on its
// allocation failure, the recorded addresses are still zero and these copies
// write to address 0 and nearby. Index [5] of the 5-element
// DbgkpSetProcessDebugObject array is out of bounds here as well.
VOID UnHook_DebugPort()
{
  PAGED_Open();
  RtlCopyMemory((VOID*)str_debugport.KiDispatchException,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.NtQueryInformationProcess,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.PspCreateProcess,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.PsGetProcessDebugPort,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.PsIsProcessBeingDebugged,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.NtTerminateProcess,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.PspTerminateProcess,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.PspExitThread,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.PspProcessDelete,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.ObpCloseHandleTableEntry,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.ObpCloseHandle,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.MmCreatePeb,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkCreateThread,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkExitThread,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkExitProcess,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkMapViewOfSection,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkUnMapViewOfSection,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkpMarkProcessPeb,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkpCloseObject,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkCopyProcessDebugPort[0],b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkCopyProcessDebugPort[1],b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkCopyProcessDebugPort[2],b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkOpenProcessDebugPort,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkpQueueMessage,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkClearProcessDebugObject,b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkpSetProcessDebugObject[0],b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkpSetProcessDebugObject[1],b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkpSetProcessDebugObject[2],b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkpSetProcessDebugObject[3],b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkpSetProcessDebugObject[4],b_byte1,2);
  // NOTE(review): index 5 is one past the end of the 5-element array.
  RtlCopyMemory((VOID*)str_debugport.DbgkpSetProcessDebugObject[5],b_byte1,2);
  RtlCopyMemory((VOID*)str_debugport.DbgkForwardException,b_byte1,2);
  PAGED_Exit();   
}

#endif