游戏保护大放送之NP
程序员文章站
2022-04-22 10:45:12
本人寻求游戏安全方面的工作,请Email:wtxpwh@163.com联系
做挂者请绕道!
本人不保证此办法现在还生效!蓝屏死机于本人无关!
NP这个东西...
本人寻求游戏安全方面的工作,请Email:wtxpwh@163.com联系
做挂者请绕道!
本人不保证此办法现在还生效!蓝屏死机于本人无关!
NP这个东西会注入一个dll,直接在ring0下hook NtCreateSection拦截!
直接上代码!
代码:
#include "struct.h"
#include "4BOD.h"
//////////////////////////////////////////////////////////////////////////
ULONG Pass_NtProcess();
VOID UnDetour_NtProcess();
ULONG Pass_NtWriteVirtualMemory();
VOID UnDetour_NtWriteVirtualMemory();
ULONG Pass_NtReadVirtualMemory();
VOID UnDetour_NtReadVirtualMemory();
ULONG Pass_KiAttachProcess();
VOID UnDetour_KiAttachProcess();
ULONG Pass_KeStackAttachProcess();
VOID UnDetour_KeStackAttachProcess();
ULONG Pass_KeStackAttachProcess1();
VOID UnDetour_KeStackAttachProcess1();
ULONG Pass_MiDoMappedCopy1();
VOID UnDetour_MiDoMappedCopy1();
ULONG Pass_MiDoMappedCopy2();
VOID UnDetour_MiDoMappedCopy2();
ULONG Pass_MiDoPoolCopy1();
VOID UnDetour_MiDoPoolCopy1();
ULONG Pass_MiDoPoolCopy2();
VOID UnDetour_MiDoPoolCopy2();
ULONG Pass_NtOpenSection();
VOID UnDetour_NtOpenSection();
ULONG Pass_NtProtectVirtualMemory();
VOID UnDetour_NtProtectVirtualMemory();
ULONG Pass_NtProtectVirtualMemory2();
VOID UnDetour_NtProtectVirtualMemory2();
ULONG Pass_NtWriteFile();
VOID UnDetour_NtWriteFile();
ULONG Pass_NtDeviceIoControlFile();
VOID UnDetour_NtDeviceIoControlFile();
ULONG Pass_ObpCreateHandle();
VOID UnDetour_ObpCreateHandle();
ULONG Pass_NtCreateSection();
VOID UnDetour_NtCreateSection();
ULONG Pass_KeUnstackDetachProcess();
VOID UnDetour_KeUnstackDetachProcess();
ULONG Pass_NtQueryInformationProcess();
VOID UnDetour_NtQueryInformationProcess();
void Init_fun();
//////////////////////////////////////////////////////////////////////////
ULONG KeStackAttachProcess_Addr;
ULONG __stdcall IsNPCalled(HANDLE ProcessHandle);
char g_pFindOrigCode[8];
ULONG KiSystemService_hack_address;
PULONG pSSDTKernel;
PSERVICE_DESCRIPTOR_TABLE_SHADOW _KeServiceDescriptorTable;
PSERVICE_DESCRIPTOR_TABLE_SHADOW ShadowTable;
unsigned long SSDT_reentry_address,SSDTDW_reentry_address;
void __declspec(naked) my_function_detour_KiFastCallEntry()
{
__asm
{
cmp ecx,10h
jne SSDT
mov edi,KeServiceDescriptorTable
sub edi,0x10
jmp [SSDTDW_reentry_address]
SSDT:
mov edi,KeServiceDescriptorTable
add edi,0x20
jmp [SSDT_reentry_address]
}
}
UCHAR findcode[]={0x83,0xf9,0x10,0x75};
VOID FindHackAddr()
{
ULONG uSysenter;
ULONG i=0;
PUCHAR strSysenter;
__asm{
mov ecx,0x176
rdmsr
mov uSysenter,eax //得到KiFastCallEntry地址
}
strSysenter=(PUCHAR)uSysenter;
for (i=0;i<0x100;i++)
{
if (
findcode[0]==strSysenter[i] &&
findcode[1]==strSysenter[i+1] &&
findcode[2]==strSysenter[i+2] &&
findcode[3]==strSysenter[i+3] )
{
break;
}
}
KiSystemService_hack_address=uSysenter+i;
}
ULONG HookSysCall()
{
KIRQL oldIrql;
ULONG uSysenter;
unsigned char newcode[] = { 0xE9, 0x44, 0x33, 0x22, 0x11};
char *actual_function;
int i = 0;
// __asm{
// mov ecx,0x176
// rdmsr
// mov uSysenter,eax //得到KiFastCallEntry地址
// }
// KiSystemService_hack_address=uSysenter+0xB3;
FindHackAddr();
if (KiSystemService_hack_address==0)
{
dprintf("find hack address error!\n");
return 0;
}
actual_function =(char*) KiSystemService_hack_address;
SSDT_reentry_address = KiSystemService_hack_address+0x20;
SSDTDW_reentry_address = KiSystemService_hack_address+0x5;
*( (unsigned long *)(&newcode[1]) ) = (ULONG)my_function_detour_KiFastCallEntry-KiSystemService_hack_address-5;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 5;i++)
{
g_pFindOrigCode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
void RestoreSSDT()
{
int i;
char *actual_function = (char *)(KiSystemService_hack_address);
KIRQL oldIrql;
WPOFF();
KeRaiseIrql( DISPATCH_LEVEL,&oldIrql );
for(i=0;i < 5;i++)
{
actual_function[i] = g_pFindOrigCode[i];
}
KeLowerIrql( oldIrql );
ExFreePool(pSSDTKernel);
WPON();
}
unsigned long AddMyServiceTable()
{
ULONG nSDTKerCallLen;
__asm
{
pushad
mov eax,KeServiceDescriptorTable
mov _KeServiceDescriptorTable,eax
sub eax,0x40
mov ShadowTable,eax
popad
}
nSDTKerCallLen = _KeServiceDescriptorTable->ntoskrnl.NumberOfServices;
pSSDTKernel = (PULONG)ExAllocatePool( NonPagedPool, nSDTKerCallLen*sizeof(ULONG)/*, 'uvbs'*/ );
if(!pSSDTKernel)
{
DbgPrint("AddMyServiceTable alloc fail\n");
return 0;
}
memset( (PVOID)pSSDTKernel, 0, nSDTKerCallLen*sizeof(ULONG));
//填充新的SSDT表
//
RtlCopyMemory( (PVOID)pSSDTKernel,(PVOID)_KeServiceDescriptorTable->ntoskrnl.ServiceTableBase,nSDTKerCallLen*sizeof(ULONG) );
RtlCopyMemory( (PVOID)&_KeServiceDescriptorTable->NotUse1,
(PVOID)&_KeServiceDescriptorTable->ntoskrnl,sizeof(SERVICE_DESCRIPTOR_TABLE) );
RtlCopyMemory( (PVOID)&ShadowTable->NotUse1,(PVOID)&ShadowTable->ntoskrnl,sizeof(SERVICE_DESCRIPTOR_TABLE)*2);
WPOFF();
RtlCopyMemory((PVOID)&_KeServiceDescriptorTable->NotUse1.ServiceTableBase, &pSSDTKernel, sizeof(ULONG));
RtlCopyMemory((PVOID)&ShadowTable->NotUse1.ServiceTableBase, &pSSDTKernel, sizeof(ULONG));
WPON();
return 1;
}
void RePlaceSSDT()
{
if (AddMyServiceTable())
{
HookSysCall();
}
}
//////////////////////////////////////////////////////////////////////////
NTSTATUS
DriverEntry(
PDRIVER_OBJECT pDriverObj,
PUNICODE_STRING pRegistryString
)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING ustrLinkName;
UNICODE_STRING ustrDevName;
PDEVICE_OBJECT pDevObj;
dprintf("[4BOD] DriverEntry\n");
pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
pDriverObj->DriverUnload = DriverUnload;
RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
status = IoCreateDevice(pDriverObj,
0,
&ustrDevName,
FILE_DEVICE_UNKNOWN,
0,
FALSE,
&pDevObj);
if(!NT_SUCCESS(status)) {
dprintf("[4BOD] IoCreateDevice = 0x%x\n", status);
return status;
}
RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
if(!NT_SUCCESS(status)) {
dprintf("[4BOD] IoCreateSymbolicLink = 0x%x\n", status);
IoDeleteDevice(pDevObj);
return status;
}
Init_fun();
RePlaceSSDT();
Pass_MiDoMappedCopy1();
Pass_MiDoMappedCopy2();
Pass_MiDoPoolCopy1();
Pass_MiDoPoolCopy2();
Pass_ObpCreateHandle();
Pass_NtProcess();
Pass_KiAttachProcess();
Pass_KeStackAttachProcess();
Pass_KeStackAttachProcess1();
Pass_NtReadVirtualMemory();
Pass_NtWriteVirtualMemory();
Pass_NtOpenSection();
Pass_NtCreateSection();
Pass_KeUnstackDetachProcess();
Pass_NtProtectVirtualMemory2();
Pass_NtProtectVirtualMemory();
Pass_NtWriteFile();
Pass_NtDeviceIoControlFile();
Pass_NtQueryInformationProcess();
return STATUS_SUCCESS;
}
VOID
DriverUnload(
PDRIVER_OBJECT pDriverObj
)
{
UNICODE_STRING strLink;
LARGE_INTEGER Delay;
RtlInitUnicodeString(&strLink, LINK_NAME);
UnDetour_MiDoPoolCopy2();
UnDetour_MiDoPoolCopy1();
UnDetour_MiDoMappedCopy2();
UnDetour_MiDoMappedCopy1();
UnDetour_NtWriteVirtualMemory();
UnDetour_NtReadVirtualMemory();
UnDetour_KeStackAttachProcess1();
UnDetour_KeStackAttachProcess();
UnDetour_KiAttachProcess();
UnDetour_NtOpenSection();
UnDetour_NtCreateSection();
UnDetour_KeUnstackDetachProcess();
UnDetour_NtProcess();
UnDetour_ObpCreateHandle();
UnDetour_NtProtectVirtualMemory2();
UnDetour_NtProtectVirtualMemory();
UnDetour_NtWriteFile();
UnDetour_NtDeviceIoControlFile();
UnDetour_NtQueryInformationProcess();
RestoreSSDT();
Delay.QuadPart = -5000000;
KeDelayExecutionThread(KernelMode, TRUE, &Delay);
IoDeleteSymbolicLink(&strLink);
IoDeleteDevice(pDriverObj->DeviceObject);
dprintf("[4BOD] Unloaded\n");
}
NTSTATUS
DispatchCreate(
PDEVICE_OBJECT pDevObj,
PIRP pIrp
)
{
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = 0;
dprintf("[4BOD] IRP_MJ_CREATE\n");
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
NTSTATUS
DispatchClose(
PDEVICE_OBJECT pDevObj,
PIRP pIrp
)
{
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = 0;
dprintf("[4BOD] IRP_MJ_CLOSE\n");
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
NTSTATUS
DispatchIoctl(
PDEVICE_OBJECT pDevObj,
PIRP pIrp
)
{
NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
PIO_STACK_LOCATION pIrpStack;
ULONG uIoControlCode;
PVOID pIoBuffer;
ULONG uInSize;
ULONG uOutSize;
pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
switch(uIoControlCode) {
case IOCTL_HELLO: {
dprintf("[4BOD] Hello\n");
status = STATUS_SUCCESS;
}
break;
//
// 添加执行代码
//
}
if(status == STATUS_SUCCESS)
pIrp->IoStatus.Information = uOutSize;
else
pIrp->IoStatus.Information = 0;
/////////////////////////////////////
pIrp->IoStatus.Status = status;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return status;
}
//////////////////////////////////////////////////////////////////////////
ULONG reentryadd_KiMoveApcState;
ULONG old_KiMoveApcState;
ULONG Init_KiMoveApcState()
{
reentryadd_KiMoveApcState=KeStackAttachProcess_Addr-0x6AD;
old_KiMoveApcState=KeStackAttachProcess_Addr-0x6b2;
return 1;
}
VOID __declspec(naked) _KiMoveApcState (
__in PKAPC_STATE Source,
__out PKAPC_STATE Destination
)
{
__asm
{
push 0
call IsNPCalled
cmp eax,1
jnz KiMoveApcState_ENT1
push ebp
mov ebp,esp
jmp [reentryadd_KiMoveApcState]
KiMoveApcState_ENT1:
cmp eax,0
jnz KiMoveApcState_ENT2
jmp [old_KiMoveApcState]
KiMoveApcState_ENT2:
mov eax,0
ret 8
}
}
//////////////////////////////////////////////////////////////////////////
void __declspec(naked) my_function_detour_KiAttachProcess()
{
__asm
{
inc word ptr [edi+0x60]
lea ebx,[esi+0x34]
push ebx
call _KiMoveApcState
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
//////////////////////////////////////////////////////////////////////////
char KiAttachProcess_g_oricode[8];
ULONG Pass_KiAttachProcess()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
actual_function = (char *)(KeStackAttachProcess_Addr-0x219);
reentry_address = ((unsigned long)KeStackAttachProcess_Addr) - 0x20c;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_KiAttachProcess;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)my_function_detour_KiAttachProcess)[i]) &&
(0xAA == ((unsigned char *)my_function_detour_KiAttachProcess)[i+1]) &&
(0xAA == ((unsigned char *)my_function_detour_KiAttachProcess)[i+2]) &&
(0xAA == ((unsigned char *)my_function_detour_KiAttachProcess)[i+3]))
{
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*( (unsigned long *)((ULONG)my_function_detour_KiAttachProcess+i) ) = reentry_address;
KeLowerIrql(oldIrql);
WPON();
break;
}
}
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
KiAttachProcess_g_oricode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_KiAttachProcess()
{
char *actual_function = (char *)(KeStackAttachProcess_Addr-0x219);
KIRQL oldIrql;
int i = 0;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
actual_function[i] = KiAttachProcess_g_oricode[i];
}
KeLowerIrql(oldIrql);
WPON();
}
//返回-1:拒绝访问
//返回0 :走NP HOOK
//返回1 :绕过NP HOOK
//
////////////////////////////////////////////////////////////////////////////
ULONG __stdcall IsNPCalled(HANDLE ProcessHandle)
{
NTSTATUS status;
PEPROCESS pEProcess=0;
char* proname=0;
if (!_stricmp("GameMon.des",GetProcessNameFromEProc(0)))
{
if (!ProcessHandle)
{
return 0;
}
status = ObReferenceObjectByHandle(ProcessHandle,PROCESS_ALL_ACCESS,NULL,0,&pEProcess,NULL);
if(!NT_SUCCESS(status))
{
DbgPrint("ObReferenceObjectByHandle fail! %08x \n",status);
return 0;
}
ObDereferenceObject(pEProcess);
proname=GetProcessNameFromEProc(pEProcess);
if (!_stricmp("OllyDBG.EXE",proname))
{
return -1;
}
else if (!_stricmp("ImmunityDebugger.exe",proname))
{
return -1;
}
else if (!_stricmp("DeRoX.exe",proname))
{
return -1;
}
else
{
return 0;
}
return 0;
}
else if (!_stricmp("AION.bin",GetProcessNameFromEProc(0)))
{
if (!ProcessHandle)
{
return 0;
}
status = ObReferenceObjectByHandle(ProcessHandle,PROCESS_ALL_ACCESS,NULL,0,&pEProcess,NULL);
if(!NT_SUCCESS(status))
{
DbgPrint("ObReferenceObjectByHandle fail! %08x \n",status);
return 0;
}
ObDereferenceObject(pEProcess);
proname=GetProcessNameFromEProc(pEProcess);
if (!_stricmp("OllyDBG.EXE",proname))
{
return -1;
}
else if (!_stricmp("ImmunityDebugger.exe",proname))
{
return -1;
}
else if (!_stricmp("DeRoX.exe",proname))
{
return -1;
}
else
{
return 0;
}
return 0;
}
else if (!_stricmp("OllyDBG.EXE",GetProcessNameFromEProc(0)))
{
return 1;
}
else if (!_stricmp("ImmunityDebugger.exe",GetProcessNameFromEProc(0)))
{
return 1;
}
else if (!_stricmp("DeRoX.exe",GetProcessNameFromEProc(0)))
{
return 1;
}
else
{
return 0;
}
}
//////////////////////////////////////////////////////////////////////////
ULONG __stdcall IsNPCalled_EP(PEPROCESS EProcess)
{
NTSTATUS status;
PEPROCESS pEProcess=0;
char* proname=0;
if (!_stricmp("GameMon.des",GetProcessNameFromEProc(0)))
{
if (!EProcess)
{
return 0;
}
proname=GetProcessNameFromEProc(EProcess);
if (!_stricmp("OllyDBG.EXE",proname))
{
return -1;
}
else if (!_stricmp("ImmunityDebugger.exe",proname))
{
return -1;
}
else if (!_stricmp("DeRoX.exe",proname))
{
return -1;
}
else
{
return 0;
}
return 0;
}
else if (!_stricmp("AION.bin",GetProcessNameFromEProc(0)))
{
if (!EProcess)
{
return 0;
}
proname=GetProcessNameFromEProc(EProcess);
if (!_stricmp("OllyDBG.EXE",proname))
{
return -1;
}
else if (!_stricmp("ImmunityDebugger.exe",proname))
{
return -1;
}
else if (!_stricmp("DeRoX.exe",proname))
{
return -1;
}
else
{
return 0;
}
return 0;
}
else if (!_stricmp("OllyDBG.EXE",GetProcessNameFromEProc(0)))
{
return 1;
}
else if (!_stricmp("ImmunityDebugger.exe",GetProcessNameFromEProc(0)))
{
return 1;
}
else if (!_stricmp("DeRoX.exe",GetProcessNameFromEProc(0)))
{
return 1;
}
else
{
return 0;
}
}
//////////////////////////////////////////////////////////////////////////
ULONG reentryadd_KiAttachProcess;
ULONG old_KiAttachProcess;
ULONG Init_KiAttachProcess()
{
reentryadd_KiAttachProcess=KeStackAttachProcess_Addr-0x225;
old_KiAttachProcess=KeStackAttachProcess_Addr-0x22a;
return 1;
}
VOID __declspec(naked) _KiAttachProcess (
__inout PRKTHREAD Thread,
__in PRKPROCESS Process,
__in PKLOCK_QUEUE_HANDLE LockHandle,
__out PRKAPC_STATE SavedApcState
)
{
__asm
{
//push [esp+8]
push 0
call IsNPCalled_EP
cmp eax,1
jnz KiAttachProcess_ENT1
push ebp
mov ebp,esp
jmp [reentryadd_KiAttachProcess]
KiAttachProcess_ENT1:
cmp eax,0
jnz KiAttachProcess_ENT2
jmp [old_KiAttachProcess]
KiAttachProcess_ENT2:
mov eax,0
ret 0x10
}
}
//////////////////////////////////////////////////////////////////////////
void __declspec(naked) my_function_detour_KeStackAttachProcess()
{
__asm
{
push edi
push esi
call _KiAttachProcess
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
//////////////////////////////////////////////////////////////////////////
char KeStackAttachProcess_g_oricode[8];
ULONG Pass_KeStackAttachProcess()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
actual_function = (char *)(KeStackAttachProcess_Addr+0x63);
reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0x6a;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_KeStackAttachProcess;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)my_function_detour_KeStackAttachProcess)[i]) &&
(0xAA == ((unsigned char *)my_function_detour_KeStackAttachProcess)[i+1]) &&
(0xAA == ((unsigned char *)my_function_detour_KeStackAttachProcess)[i+2]) &&
(0xAA == ((unsigned char *)my_function_detour_KeStackAttachProcess)[i+3]))
{
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*( (unsigned long *)((ULONG)my_function_detour_KeStackAttachProcess+i) ) = reentry_address;
KeLowerIrql(oldIrql);
WPON();
break;
}
}
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
KeStackAttachProcess_g_oricode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_KeStackAttachProcess()
{
char *actual_function = (char *)(KeStackAttachProcess_Addr+0x63);
KIRQL oldIrql;
int i = 0;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
actual_function[i] = KeStackAttachProcess_g_oricode[i];
}
KeLowerIrql(oldIrql);
WPON();
}
//////////////////////////////////////////////////////////////////////////
void __declspec(naked) _detour_KeStackAttachProcess1()
{
__asm
{
push edi
push esi
mov esi,esi
call _KiAttachProcess
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
//////////////////////////////////////////////////////////////////////////
char KeStackAttachProcess1_g_oricode[8];
ULONG Pass_KeStackAttachProcess1()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
actual_function = (char *)(KeStackAttachProcess_Addr+0x76);
reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0x7d;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)_detour_KeStackAttachProcess1;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)_detour_KeStackAttachProcess1)[i]) &&
(0xAA == ((unsigned char *)_detour_KeStackAttachProcess1)[i+1]) &&
(0xAA == ((unsigned char *)_detour_KeStackAttachProcess1)[i+2]) &&
(0xAA == ((unsigned char *)_detour_KeStackAttachProcess1)[i+3]))
{
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*( (unsigned long *)((ULONG)_detour_KeStackAttachProcess1+i) ) = reentry_address;
KeLowerIrql(oldIrql);
WPON();
break;
}
}
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
KeStackAttachProcess1_g_oricode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_KeStackAttachProcess1()
{
char *actual_function = (char *)(KeStackAttachProcess_Addr+0x76);
KIRQL oldIrql;
int i = 0;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
actual_function[i] = KeStackAttachProcess1_g_oricode[i];
}
KeLowerIrql(oldIrql);
WPON();
}
//////////////////////////////////////////////////////////////////////////
void __declspec(naked) my_function_detour_KeUnstackDetachProcess()
{
__asm
{
lea ebx,[esi+0x14C]
push ebx
call _KiMoveApcState
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
//NtAllocateVirtualMemory
//////////////////////////////////////////////////////////////////////////
char KeUnstackDetachProcess_g_oricode[8];
ULONG KeUnstackDetachProcess_g_KiInsertQueueApc;
ULONG Pass_KeUnstackDetachProcess()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
KeUnstackDetachProcess_g_KiInsertQueueApc=GetFunctionAddr(L"KeUnstackDetachProcess");
actual_function = (char *)(KeUnstackDetachProcess_g_KiInsertQueueApc+0xbe);
reentry_address = ((unsigned long)KeUnstackDetachProcess_g_KiInsertQueueApc) + 0xca;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_KeUnstackDetachProcess;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)my_function_detour_KeUnstackDetachProcess)[i]) &&
(0xAA == ((unsigned char *)my_function_detour_KeUnstackDetachProcess)[i+1]) &&
(0xAA == ((unsigned char *)my_function_detour_KeUnstackDetachProcess)[i+2]) &&
(0xAA == ((unsigned char *)my_function_detour_KeUnstackDetachProcess)[i+3]))
{
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*( (unsigned long *)((ULONG)my_function_detour_KeUnstackDetachProcess+i) ) = reentry_address;
KeLowerIrql(oldIrql);
WPON();
break;
}
}
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
KeUnstackDetachProcess_g_oricode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_KeUnstackDetachProcess()
{
char *actual_function = (char *)(KeUnstackDetachProcess_g_KiInsertQueueApc+0xbe);
KIRQL oldIrql;
int i = 0;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
actual_function[i] = KeUnstackDetachProcess_g_oricode[i];
}
KeLowerIrql(oldIrql);
WPON();
}
//////////////////////////////////////////////////////////////////////////
ULONG reentryadd_KeStackAttachProcess;
ULONG old_KeStackAttachProcess;
ULONG Init_KeStackAttachProcess()
{
reentryadd_KeStackAttachProcess=KeStackAttachProcess_Addr+5;
old_KeStackAttachProcess=KeStackAttachProcess_Addr;
return 1;
}
__declspec(naked) VOID _KeStackAttachProcess (
__inout PRKPROCESS Process,
__out PRKAPC_STATE ApcState
)
{
__asm
{
push [esp+4]
call IsNPCalled_EP
cmp eax,1
jnz KeStackAttachProcess_ENT1
push ebp
mov ebp,esp
jmp [reentryadd_KeStackAttachProcess]
KeStackAttachProcess_ENT1:
cmp eax,0
jnz KeStackAttachProcess_ENT2
jmp [old_KeStackAttachProcess]
KeStackAttachProcess_ENT2:
mov eax,0
ret 0x8
}
}
//////////////////////////////////////////////////////////////////////////
/*
805be616 8d45d0 lea eax,[ebp-30h]
805be619 50 push eax
805be61a 51 push ecx
805be61b e812b6f3ff call nt!KeStackAttachProcess (804f9c32)
805be620 c645ff01 mov byte ptr [ebp-1],1
*/
void __declspec(naked) _detour_ObpCreateHandle()
{
__asm
{
lea eax,[ebp-0x30]
push eax
push ecx
call _KeStackAttachProcess
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
//////////////////////////////////////////////////////////////////////////
char ObpCreateHandle_g_oricode[12];
ULONG Pass_ObpCreateHandle()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00,0x90,0x90,0x90};
actual_function = (char *)(KeStackAttachProcess_Addr+0xC49ae);
reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xC49b8;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)_detour_ObpCreateHandle;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)_detour_ObpCreateHandle)[i]) &&
(0xAA == ((unsigned char *)_detour_ObpCreateHandle)[i+1]) &&
(0xAA == ((unsigned char *)_detour_ObpCreateHandle)[i+2]) &&
(0xAA == ((unsigned char *)_detour_ObpCreateHandle)[i+3]))
{
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*( (unsigned long *)((ULONG)_detour_ObpCreateHandle+i) ) = reentry_address;
KeLowerIrql(oldIrql);
WPON();
break;
}
}
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 10;i++)
{
ObpCreateHandle_g_oricode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_ObpCreateHandle()
{
char *actual_function = (char *)(KeStackAttachProcess_Addr+0xC49ae);
KIRQL oldIrql;
int i = 0;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 10;i++)
{
actual_function[i] = ObpCreateHandle_g_oricode[i];
}
KeLowerIrql(oldIrql);
WPON();
}
//////////////////////////////////////////////////////////////////////////
ULONG OldNtReadVirtualMemoryAdd;
ULONG reentryadd_NtReadVirtualMemory;
__declspec(naked) NTSTATUS NewNtReadVirtualMemory()
{
__asm
{
push [esp+4]
call IsNPCalled
cmp eax,1
jnz NtReadVirtualMemory_ENT1
push 0x1c
push 0x804daef0
jmp [reentryadd_NtReadVirtualMemory]
NtReadVirtualMemory_ENT1:
cmp eax,0
jnz NtReadVirtualMemory_ENT2
jmp [OldNtReadVirtualMemoryAdd]
NtReadVirtualMemory_ENT2:
mov eax,0
ret 0x14
}
}
//////////////////////////////////////////////////////////////////////////NtReadVirtualMemory
ULONG Pass_NtReadVirtualMemory()
{
KIRQL oldIrql;
ULONG Address=0;
Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0xBA * 4; //得到NtReadVirtualMemory的服务地址 www.2cto.com
(ULONG)OldNtReadVirtualMemoryAdd = *(ULONG*)Address; //保存此地址
reentryadd_NtReadVirtualMemory=OldNtReadVirtualMemoryAdd+7;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*((ULONG*)Address) = (ULONG)NewNtReadVirtualMemory; //HOOK SSDT
KeLowerIrql(oldIrql);
WPON();
return 1;
}
//反补丁,用于最后恢复用
VOID UnDetour_NtReadVirtualMemory()
{
KIRQL oldIrql;
ULONG Address=0;
Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0xBA * 4;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*((ULONG*)Address) = (ULONG)OldNtReadVirtualMemoryAdd; //HOOK SSDT
KeLowerIrql(oldIrql);
WPON();
}
ULONG reentryadd_NtWriteVirtualMemory;
ULONG OldNtWriteVirtualMemoryAdd;
__declspec(naked) NTSTATUS NewNtWriteVirtualMemory()
{
__asm
{
push [esp+4]
call IsNPCalled
cmp eax,1
jnz NtWriteVirtualMemory_ENT1
push 0x1c
push 0x804daf08
jmp [reentryadd_NtWriteVirtualMemory]
NtWriteVirtualMemory_ENT1:
cmp eax,0
jnz NtWriteVirtualMemory_ENT2
jmp [OldNtWriteVirtualMemoryAdd]
NtWriteVirtualMemory_ENT2:
mov eax,0
ret 0x14
}
}
//////////////////////////////////////////////////////////////////////////
ULONG Pass_NtWriteVirtualMemory()
{
KIRQL oldIrql;
ULONG Address=0;
Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x115 * 4;
(ULONG)OldNtWriteVirtualMemoryAdd = *(ULONG*)Address;
reentryadd_NtWriteVirtualMemory=OldNtWriteVirtualMemoryAdd+7;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*((ULONG*)Address) = (ULONG)NewNtWriteVirtualMemory; //HOOK SSDT
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_NtWriteVirtualMemory()
{
KIRQL oldIrql;
ULONG Address=0;
Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x115 * 4;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*((ULONG*)Address) = (ULONG)OldNtWriteVirtualMemoryAdd; //HOOK SSDT
KeLowerIrql(oldIrql);
WPON();
}
//////////////////////////////////////////////////////////////////////////
void __declspec(naked) my_function_detour_MiDoMappedCopy1()
{
__asm
{
lea eax,[ebp-0x64]
push eax
push dword ptr [ebp+8]
call _KeStackAttachProcess
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
//////////////////////////////////////////////////////////////////////////
/*
804f9c32
805b4e5f 8d459c lea eax,[ebp-64h]
805b4e62 50 push eax
805b4e63 ff7508 push dword ptr [ebp+8]
805b4e66 e8c74df4ff call nt!KeStackAttachProcess (804f9c32)
805b4e6b 897de0 mov dword ptr [ebp-20h],edi
*/
char MiDoMappedCopy1_g_oricode[8];
ULONG Pass_MiDoMappedCopy1()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
actual_function = (char *)(KeStackAttachProcess_Addr+0xBB1f7);
reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xBB203;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_MiDoMappedCopy1;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy1)[i]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy1)[i+1]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy1)[i+2]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy1)[i+3]))
{
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*( (unsigned long *)((ULONG)my_function_detour_MiDoMappedCopy1+i) ) = reentry_address;
KeLowerIrql(oldIrql);
WPON();
break;
}
}
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
MiDoMappedCopy1_g_oricode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_MiDoMappedCopy1()
{
char *actual_function = (char *)(KeStackAttachProcess_Addr+0xBB1f7);
KIRQL oldIrql;
int i = 0;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
actual_function[i] = MiDoMappedCopy1_g_oricode[i];
}
KeLowerIrql(oldIrql);
WPON();
}
//////////////////////////////////////////////////////////////////////////
void __declspec(naked) my_function_detour_MiDoMappedCopy2()
{
__asm
{
lea eax,[ebp-0x64]
push eax
push dword ptr [ebp+0x10]
call _KeStackAttachProcess
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
/*
804f9c32
805b4f19 8d459c lea eax,[ebp-64h]
805b4f1c 50 push eax
805b4f1d ff7510 push dword ptr [ebp+10h]
805b4f20 e80d4df4ff call nt!KeStackAttachProcess (804f9c32)
805b4f25 8b450c mov eax,dword ptr [ebp+0Ch]
*/
//////////////////////////////////////////////////////////////////////////
char MiDoMappedCopy2_g_oricode[8];
ULONG Pass_MiDoMappedCopy2()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
actual_function = (char *)(KeStackAttachProcess_Addr+0xBB2b1);
reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xBB2bd;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_MiDoMappedCopy2;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy2)[i]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy2)[i+1]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy2)[i+2]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy2)[i+3]))
{
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*( (unsigned long *)((ULONG)my_function_detour_MiDoMappedCopy2+i) ) = reentry_address;
KeLowerIrql(oldIrql);
WPON();
break;
}
}
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
MiDoMappedCopy2_g_oricode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_MiDoMappedCopy2()
{
char *actual_function = (char *)(KeStackAttachProcess_Addr+0xBB2b1);
KIRQL oldIrql;
int i = 0;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
actual_function[i] = MiDoMappedCopy2_g_oricode[i];
}
KeLowerIrql(oldIrql);
WPON();
}
//////////////////////////////////////////////////////////////////////////
void __declspec(naked) my_function_detour_MiDoPoolCopy1()
{
__asm
{
lea eax,[ebp-0x58]
push eax
push dword ptr [ebp+8]
call _KeStackAttachProcess
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
/*
804f9c32
805b50b7 8d45a8 lea eax,[ebp-58h]
805b50ba 50 push eax
805b50bb ff7508 push dword ptr [ebp+8]
805b50be e86f4bf4ff call nt!KeStackAttachProcess (804f9c32)
805b50c3 33f6 xor esi,esi
*/
//////////////////////////////////////////////////////////////////////////
char MiDoPoolCopy1_g_oricode[8];
ULONG Pass_MiDoPoolCopy1()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
actual_function = (char *)(KeStackAttachProcess_Addr+0xBB44f);
reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xBB45b;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_MiDoPoolCopy1;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy1)[i]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy1)[i+1]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy1)[i+2]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy1)[i+3]))
{
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*( (unsigned long *)((ULONG)my_function_detour_MiDoPoolCopy1+i) ) = reentry_address;
KeLowerIrql(oldIrql);
WPON();
break;
}
}
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
MiDoPoolCopy1_g_oricode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_MiDoPoolCopy1()
{
char *actual_function = (char *)(KeStackAttachProcess_Addr+0xBB44f);
KIRQL oldIrql;
int i = 0;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
actual_function[i] = MiDoPoolCopy1_g_oricode[i];
}
KeLowerIrql(oldIrql);
WPON();
}
//////////////////////////////////////////////////////////////////////////
void __declspec(naked) my_function_detour_MiDoPoolCopy2()
{
__asm
{
lea eax,[ebp-0x58]
push eax
push dword ptr [ebp+0x10]
call _KeStackAttachProcess
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
/*
804f9c32
805b511c 8d45a8 lea eax,[ebp-58h]
805b511f 50 push eax
805b5120 ff7510 push dword ptr [ebp+10h]
805b5123 e80a4bf4ff call nt!KeStackAttachProcess (804f9c32)
805b5128 8b450c mov eax,dword ptr [ebp+0Ch]
*/
//////////////////////////////////////////////////////////////////////////
char MiDoPoolCopy2_g_oricode[8];
ULONG Pass_MiDoPoolCopy2()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
actual_function = (char *)(KeStackAttachProcess_Addr+0xBB4b4);
reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xBB4c0;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_MiDoPoolCopy2;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy2)[i]) &&
做挂者请绕道!
本人不保证此办法现在还生效!蓝屏死机于本人无关!
NP这个东西会注入一个dll,直接在ring0下hook NtCreateSection拦截!
直接上代码!
代码:
#include "struct.h"
#include "4BOD.h"
//////////////////////////////////////////////////////////////////////////
ULONG Pass_NtProcess();
VOID UnDetour_NtProcess();
ULONG Pass_NtWriteVirtualMemory();
VOID UnDetour_NtWriteVirtualMemory();
ULONG Pass_NtReadVirtualMemory();
VOID UnDetour_NtReadVirtualMemory();
ULONG Pass_KiAttachProcess();
VOID UnDetour_KiAttachProcess();
ULONG Pass_KeStackAttachProcess();
VOID UnDetour_KeStackAttachProcess();
ULONG Pass_KeStackAttachProcess1();
VOID UnDetour_KeStackAttachProcess1();
ULONG Pass_MiDoMappedCopy1();
VOID UnDetour_MiDoMappedCopy1();
ULONG Pass_MiDoMappedCopy2();
VOID UnDetour_MiDoMappedCopy2();
ULONG Pass_MiDoPoolCopy1();
VOID UnDetour_MiDoPoolCopy1();
ULONG Pass_MiDoPoolCopy2();
VOID UnDetour_MiDoPoolCopy2();
ULONG Pass_NtOpenSection();
VOID UnDetour_NtOpenSection();
ULONG Pass_NtProtectVirtualMemory();
VOID UnDetour_NtProtectVirtualMemory();
ULONG Pass_NtProtectVirtualMemory2();
VOID UnDetour_NtProtectVirtualMemory2();
ULONG Pass_NtWriteFile();
VOID UnDetour_NtWriteFile();
ULONG Pass_NtDeviceIoControlFile();
VOID UnDetour_NtDeviceIoControlFile();
ULONG Pass_ObpCreateHandle();
VOID UnDetour_ObpCreateHandle();
ULONG Pass_NtCreateSection();
VOID UnDetour_NtCreateSection();
ULONG Pass_KeUnstackDetachProcess();
VOID UnDetour_KeUnstackDetachProcess();
ULONG Pass_NtQueryInformationProcess();
VOID UnDetour_NtQueryInformationProcess();
void Init_fun();
//////////////////////////////////////////////////////////////////////////
ULONG KeStackAttachProcess_Addr;
ULONG __stdcall IsNPCalled(HANDLE ProcessHandle);
char g_pFindOrigCode[8];
ULONG KiSystemService_hack_address;
PULONG pSSDTKernel;
PSERVICE_DESCRIPTOR_TABLE_SHADOW _KeServiceDescriptorTable;
PSERVICE_DESCRIPTOR_TABLE_SHADOW ShadowTable;
unsigned long SSDT_reentry_address,SSDTDW_reentry_address;
void __declspec(naked) my_function_detour_KiFastCallEntry()
{
__asm
{
cmp ecx,10h
jne SSDT
mov edi,KeServiceDescriptorTable
sub edi,0x10
jmp [SSDTDW_reentry_address]
SSDT:
mov edi,KeServiceDescriptorTable
add edi,0x20
jmp [SSDT_reentry_address]
}
}
UCHAR findcode[]={0x83,0xf9,0x10,0x75};
VOID FindHackAddr()
{
ULONG uSysenter;
ULONG i=0;
PUCHAR strSysenter;
__asm{
mov ecx,0x176
rdmsr
mov uSysenter,eax //得到KiFastCallEntry地址
}
strSysenter=(PUCHAR)uSysenter;
for (i=0;i<0x100;i++)
{
if (
findcode[0]==strSysenter[i] &&
findcode[1]==strSysenter[i+1] &&
findcode[2]==strSysenter[i+2] &&
findcode[3]==strSysenter[i+3] )
{
break;
}
}
KiSystemService_hack_address=uSysenter+i;
}
ULONG HookSysCall()
{
KIRQL oldIrql;
ULONG uSysenter;
unsigned char newcode[] = { 0xE9, 0x44, 0x33, 0x22, 0x11};
char *actual_function;
int i = 0;
// __asm{
// mov ecx,0x176
// rdmsr
// mov uSysenter,eax //得到KiFastCallEntry地址
// }
// KiSystemService_hack_address=uSysenter+0xB3;
FindHackAddr();
if (KiSystemService_hack_address==0)
{
dprintf("find hack address error!\n");
return 0;
}
actual_function =(char*) KiSystemService_hack_address;
SSDT_reentry_address = KiSystemService_hack_address+0x20;
SSDTDW_reentry_address = KiSystemService_hack_address+0x5;
*( (unsigned long *)(&newcode[1]) ) = (ULONG)my_function_detour_KiFastCallEntry-KiSystemService_hack_address-5;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 5;i++)
{
g_pFindOrigCode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
void RestoreSSDT()
{
int i;
char *actual_function = (char *)(KiSystemService_hack_address);
KIRQL oldIrql;
WPOFF();
KeRaiseIrql( DISPATCH_LEVEL,&oldIrql );
for(i=0;i < 5;i++)
{
actual_function[i] = g_pFindOrigCode[i];
}
KeLowerIrql( oldIrql );
ExFreePool(pSSDTKernel);
WPON();
}
unsigned long AddMyServiceTable()
{
ULONG nSDTKerCallLen;
__asm
{
pushad
mov eax,KeServiceDescriptorTable
mov _KeServiceDescriptorTable,eax
sub eax,0x40
mov ShadowTable,eax
popad
}
nSDTKerCallLen = _KeServiceDescriptorTable->ntoskrnl.NumberOfServices;
pSSDTKernel = (PULONG)ExAllocatePool( NonPagedPool, nSDTKerCallLen*sizeof(ULONG)/*, 'uvbs'*/ );
if(!pSSDTKernel)
{
DbgPrint("AddMyServiceTable alloc fail\n");
return 0;
}
memset( (PVOID)pSSDTKernel, 0, nSDTKerCallLen*sizeof(ULONG));
//填充新的SSDT表
//
RtlCopyMemory( (PVOID)pSSDTKernel,(PVOID)_KeServiceDescriptorTable->ntoskrnl.ServiceTableBase,nSDTKerCallLen*sizeof(ULONG) );
RtlCopyMemory( (PVOID)&_KeServiceDescriptorTable->NotUse1,
(PVOID)&_KeServiceDescriptorTable->ntoskrnl,sizeof(SERVICE_DESCRIPTOR_TABLE) );
RtlCopyMemory( (PVOID)&ShadowTable->NotUse1,(PVOID)&ShadowTable->ntoskrnl,sizeof(SERVICE_DESCRIPTOR_TABLE)*2);
WPOFF();
RtlCopyMemory((PVOID)&_KeServiceDescriptorTable->NotUse1.ServiceTableBase, &pSSDTKernel, sizeof(ULONG));
RtlCopyMemory((PVOID)&ShadowTable->NotUse1.ServiceTableBase, &pSSDTKernel, sizeof(ULONG));
WPON();
return 1;
}
void RePlaceSSDT()
{
if (AddMyServiceTable())
{
HookSysCall();
}
}
//////////////////////////////////////////////////////////////////////////
NTSTATUS
DriverEntry(
PDRIVER_OBJECT pDriverObj,
PUNICODE_STRING pRegistryString
)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING ustrLinkName;
UNICODE_STRING ustrDevName;
PDEVICE_OBJECT pDevObj;
dprintf("[4BOD] DriverEntry\n");
pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
pDriverObj->DriverUnload = DriverUnload;
RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
status = IoCreateDevice(pDriverObj,
0,
&ustrDevName,
FILE_DEVICE_UNKNOWN,
0,
FALSE,
&pDevObj);
if(!NT_SUCCESS(status)) {
dprintf("[4BOD] IoCreateDevice = 0x%x\n", status);
return status;
}
RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
if(!NT_SUCCESS(status)) {
dprintf("[4BOD] IoCreateSymbolicLink = 0x%x\n", status);
IoDeleteDevice(pDevObj);
return status;
}
Init_fun();
RePlaceSSDT();
Pass_MiDoMappedCopy1();
Pass_MiDoMappedCopy2();
Pass_MiDoPoolCopy1();
Pass_MiDoPoolCopy2();
Pass_ObpCreateHandle();
Pass_NtProcess();
Pass_KiAttachProcess();
Pass_KeStackAttachProcess();
Pass_KeStackAttachProcess1();
Pass_NtReadVirtualMemory();
Pass_NtWriteVirtualMemory();
Pass_NtOpenSection();
Pass_NtCreateSection();
Pass_KeUnstackDetachProcess();
Pass_NtProtectVirtualMemory2();
Pass_NtProtectVirtualMemory();
Pass_NtWriteFile();
Pass_NtDeviceIoControlFile();
Pass_NtQueryInformationProcess();
return STATUS_SUCCESS;
}
VOID
DriverUnload(
PDRIVER_OBJECT pDriverObj
)
{
UNICODE_STRING strLink;
LARGE_INTEGER Delay;
RtlInitUnicodeString(&strLink, LINK_NAME);
UnDetour_MiDoPoolCopy2();
UnDetour_MiDoPoolCopy1();
UnDetour_MiDoMappedCopy2();
UnDetour_MiDoMappedCopy1();
UnDetour_NtWriteVirtualMemory();
UnDetour_NtReadVirtualMemory();
UnDetour_KeStackAttachProcess1();
UnDetour_KeStackAttachProcess();
UnDetour_KiAttachProcess();
UnDetour_NtOpenSection();
UnDetour_NtCreateSection();
UnDetour_KeUnstackDetachProcess();
UnDetour_NtProcess();
UnDetour_ObpCreateHandle();
UnDetour_NtProtectVirtualMemory2();
UnDetour_NtProtectVirtualMemory();
UnDetour_NtWriteFile();
UnDetour_NtDeviceIoControlFile();
UnDetour_NtQueryInformationProcess();
RestoreSSDT();
Delay.QuadPart = -5000000;
KeDelayExecutionThread(KernelMode, TRUE, &Delay);
IoDeleteSymbolicLink(&strLink);
IoDeleteDevice(pDriverObj->DeviceObject);
dprintf("[4BOD] Unloaded\n");
}
NTSTATUS
DispatchCreate(
PDEVICE_OBJECT pDevObj,
PIRP pIrp
)
{
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = 0;
dprintf("[4BOD] IRP_MJ_CREATE\n");
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
NTSTATUS
DispatchClose(
PDEVICE_OBJECT pDevObj,
PIRP pIrp
)
{
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = 0;
dprintf("[4BOD] IRP_MJ_CLOSE\n");
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
NTSTATUS
DispatchIoctl(
PDEVICE_OBJECT pDevObj,
PIRP pIrp
)
{
NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
PIO_STACK_LOCATION pIrpStack;
ULONG uIoControlCode;
PVOID pIoBuffer;
ULONG uInSize;
ULONG uOutSize;
pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
switch(uIoControlCode) {
case IOCTL_HELLO: {
dprintf("[4BOD] Hello\n");
status = STATUS_SUCCESS;
}
break;
//
// 添加执行代码
//
}
if(status == STATUS_SUCCESS)
pIrp->IoStatus.Information = uOutSize;
else
pIrp->IoStatus.Information = 0;
/////////////////////////////////////
pIrp->IoStatus.Status = status;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return status;
}
//////////////////////////////////////////////////////////////////////////
ULONG reentryadd_KiMoveApcState;
ULONG old_KiMoveApcState;
ULONG Init_KiMoveApcState()
{
reentryadd_KiMoveApcState=KeStackAttachProcess_Addr-0x6AD;
old_KiMoveApcState=KeStackAttachProcess_Addr-0x6b2;
return 1;
}
VOID __declspec(naked) _KiMoveApcState (
__in PKAPC_STATE Source,
__out PKAPC_STATE Destination
)
{
__asm
{
push 0
call IsNPCalled
cmp eax,1
jnz KiMoveApcState_ENT1
push ebp
mov ebp,esp
jmp [reentryadd_KiMoveApcState]
KiMoveApcState_ENT1:
cmp eax,0
jnz KiMoveApcState_ENT2
jmp [old_KiMoveApcState]
KiMoveApcState_ENT2:
mov eax,0
ret 8
}
}
//////////////////////////////////////////////////////////////////////////
void __declspec(naked) my_function_detour_KiAttachProcess()
{
__asm
{
inc word ptr [edi+0x60]
lea ebx,[esi+0x34]
push ebx
call _KiMoveApcState
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
//////////////////////////////////////////////////////////////////////////
char KiAttachProcess_g_oricode[8];
ULONG Pass_KiAttachProcess()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
actual_function = (char *)(KeStackAttachProcess_Addr-0x219);
reentry_address = ((unsigned long)KeStackAttachProcess_Addr) - 0x20c;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_KiAttachProcess;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)my_function_detour_KiAttachProcess)[i]) &&
(0xAA == ((unsigned char *)my_function_detour_KiAttachProcess)[i+1]) &&
(0xAA == ((unsigned char *)my_function_detour_KiAttachProcess)[i+2]) &&
(0xAA == ((unsigned char *)my_function_detour_KiAttachProcess)[i+3]))
{
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*( (unsigned long *)((ULONG)my_function_detour_KiAttachProcess+i) ) = reentry_address;
KeLowerIrql(oldIrql);
WPON();
break;
}
}
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
KiAttachProcess_g_oricode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_KiAttachProcess()
{
char *actual_function = (char *)(KeStackAttachProcess_Addr-0x219);
KIRQL oldIrql;
int i = 0;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
actual_function[i] = KiAttachProcess_g_oricode[i];
}
KeLowerIrql(oldIrql);
WPON();
}
//返回-1:拒绝访问
//返回0 :走NP HOOK
//返回1 :绕过NP HOOK
//
////////////////////////////////////////////////////////////////////////////
ULONG __stdcall IsNPCalled(HANDLE ProcessHandle)
{
NTSTATUS status;
PEPROCESS pEProcess=0;
char* proname=0;
if (!_stricmp("GameMon.des",GetProcessNameFromEProc(0)))
{
if (!ProcessHandle)
{
return 0;
}
status = ObReferenceObjectByHandle(ProcessHandle,PROCESS_ALL_ACCESS,NULL,0,&pEProcess,NULL);
if(!NT_SUCCESS(status))
{
DbgPrint("ObReferenceObjectByHandle fail! %08x \n",status);
return 0;
}
ObDereferenceObject(pEProcess);
proname=GetProcessNameFromEProc(pEProcess);
if (!_stricmp("OllyDBG.EXE",proname))
{
return -1;
}
else if (!_stricmp("ImmunityDebugger.exe",proname))
{
return -1;
}
else if (!_stricmp("DeRoX.exe",proname))
{
return -1;
}
else
{
return 0;
}
return 0;
}
else if (!_stricmp("AION.bin",GetProcessNameFromEProc(0)))
{
if (!ProcessHandle)
{
return 0;
}
status = ObReferenceObjectByHandle(ProcessHandle,PROCESS_ALL_ACCESS,NULL,0,&pEProcess,NULL);
if(!NT_SUCCESS(status))
{
DbgPrint("ObReferenceObjectByHandle fail! %08x \n",status);
return 0;
}
ObDereferenceObject(pEProcess);
proname=GetProcessNameFromEProc(pEProcess);
if (!_stricmp("OllyDBG.EXE",proname))
{
return -1;
}
else if (!_stricmp("ImmunityDebugger.exe",proname))
{
return -1;
}
else if (!_stricmp("DeRoX.exe",proname))
{
return -1;
}
else
{
return 0;
}
return 0;
}
else if (!_stricmp("OllyDBG.EXE",GetProcessNameFromEProc(0)))
{
return 1;
}
else if (!_stricmp("ImmunityDebugger.exe",GetProcessNameFromEProc(0)))
{
return 1;
}
else if (!_stricmp("DeRoX.exe",GetProcessNameFromEProc(0)))
{
return 1;
}
else
{
return 0;
}
}
//////////////////////////////////////////////////////////////////////////
ULONG __stdcall IsNPCalled_EP(PEPROCESS EProcess)
{
NTSTATUS status;
PEPROCESS pEProcess=0;
char* proname=0;
if (!_stricmp("GameMon.des",GetProcessNameFromEProc(0)))
{
if (!EProcess)
{
return 0;
}
proname=GetProcessNameFromEProc(EProcess);
if (!_stricmp("OllyDBG.EXE",proname))
{
return -1;
}
else if (!_stricmp("ImmunityDebugger.exe",proname))
{
return -1;
}
else if (!_stricmp("DeRoX.exe",proname))
{
return -1;
}
else
{
return 0;
}
return 0;
}
else if (!_stricmp("AION.bin",GetProcessNameFromEProc(0)))
{
if (!EProcess)
{
return 0;
}
proname=GetProcessNameFromEProc(EProcess);
if (!_stricmp("OllyDBG.EXE",proname))
{
return -1;
}
else if (!_stricmp("ImmunityDebugger.exe",proname))
{
return -1;
}
else if (!_stricmp("DeRoX.exe",proname))
{
return -1;
}
else
{
return 0;
}
return 0;
}
else if (!_stricmp("OllyDBG.EXE",GetProcessNameFromEProc(0)))
{
return 1;
}
else if (!_stricmp("ImmunityDebugger.exe",GetProcessNameFromEProc(0)))
{
return 1;
}
else if (!_stricmp("DeRoX.exe",GetProcessNameFromEProc(0)))
{
return 1;
}
else
{
return 0;
}
}
//////////////////////////////////////////////////////////////////////////
ULONG reentryadd_KiAttachProcess;
ULONG old_KiAttachProcess;
ULONG Init_KiAttachProcess()
{
reentryadd_KiAttachProcess=KeStackAttachProcess_Addr-0x225;
old_KiAttachProcess=KeStackAttachProcess_Addr-0x22a;
return 1;
}
VOID __declspec(naked) _KiAttachProcess (
__inout PRKTHREAD Thread,
__in PRKPROCESS Process,
__in PKLOCK_QUEUE_HANDLE LockHandle,
__out PRKAPC_STATE SavedApcState
)
{
__asm
{
//push [esp+8]
push 0
call IsNPCalled_EP
cmp eax,1
jnz KiAttachProcess_ENT1
push ebp
mov ebp,esp
jmp [reentryadd_KiAttachProcess]
KiAttachProcess_ENT1:
cmp eax,0
jnz KiAttachProcess_ENT2
jmp [old_KiAttachProcess]
KiAttachProcess_ENT2:
mov eax,0
ret 0x10
}
}
//////////////////////////////////////////////////////////////////////////
void __declspec(naked) my_function_detour_KeStackAttachProcess()
{
__asm
{
push edi
push esi
call _KiAttachProcess
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
//////////////////////////////////////////////////////////////////////////
char KeStackAttachProcess_g_oricode[8];
ULONG Pass_KeStackAttachProcess()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
actual_function = (char *)(KeStackAttachProcess_Addr+0x63);
reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0x6a;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_KeStackAttachProcess;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)my_function_detour_KeStackAttachProcess)[i]) &&
(0xAA == ((unsigned char *)my_function_detour_KeStackAttachProcess)[i+1]) &&
(0xAA == ((unsigned char *)my_function_detour_KeStackAttachProcess)[i+2]) &&
(0xAA == ((unsigned char *)my_function_detour_KeStackAttachProcess)[i+3]))
{
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*( (unsigned long *)((ULONG)my_function_detour_KeStackAttachProcess+i) ) = reentry_address;
KeLowerIrql(oldIrql);
WPON();
break;
}
}
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
KeStackAttachProcess_g_oricode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_KeStackAttachProcess()
{
char *actual_function = (char *)(KeStackAttachProcess_Addr+0x63);
KIRQL oldIrql;
int i = 0;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
actual_function[i] = KeStackAttachProcess_g_oricode[i];
}
KeLowerIrql(oldIrql);
WPON();
}
//////////////////////////////////////////////////////////////////////////
void __declspec(naked) _detour_KeStackAttachProcess1()
{
__asm
{
push edi
push esi
mov esi,esi
call _KiAttachProcess
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
//////////////////////////////////////////////////////////////////////////
char KeStackAttachProcess1_g_oricode[8];
ULONG Pass_KeStackAttachProcess1()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
actual_function = (char *)(KeStackAttachProcess_Addr+0x76);
reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0x7d;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)_detour_KeStackAttachProcess1;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)_detour_KeStackAttachProcess1)[i]) &&
(0xAA == ((unsigned char *)_detour_KeStackAttachProcess1)[i+1]) &&
(0xAA == ((unsigned char *)_detour_KeStackAttachProcess1)[i+2]) &&
(0xAA == ((unsigned char *)_detour_KeStackAttachProcess1)[i+3]))
{
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*( (unsigned long *)((ULONG)_detour_KeStackAttachProcess1+i) ) = reentry_address;
KeLowerIrql(oldIrql);
WPON();
break;
}
}
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
KeStackAttachProcess1_g_oricode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_KeStackAttachProcess1()
{
char *actual_function = (char *)(KeStackAttachProcess_Addr+0x76);
KIRQL oldIrql;
int i = 0;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
actual_function[i] = KeStackAttachProcess1_g_oricode[i];
}
KeLowerIrql(oldIrql);
WPON();
}
//////////////////////////////////////////////////////////////////////////
void __declspec(naked) my_function_detour_KeUnstackDetachProcess()
{
__asm
{
lea ebx,[esi+0x14C]
push ebx
call _KiMoveApcState
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
//NtAllocateVirtualMemory
//////////////////////////////////////////////////////////////////////////
char KeUnstackDetachProcess_g_oricode[8];
ULONG KeUnstackDetachProcess_g_KiInsertQueueApc;
ULONG Pass_KeUnstackDetachProcess()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
KeUnstackDetachProcess_g_KiInsertQueueApc=GetFunctionAddr(L"KeUnstackDetachProcess");
actual_function = (char *)(KeUnstackDetachProcess_g_KiInsertQueueApc+0xbe);
reentry_address = ((unsigned long)KeUnstackDetachProcess_g_KiInsertQueueApc) + 0xca;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_KeUnstackDetachProcess;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)my_function_detour_KeUnstackDetachProcess)[i]) &&
(0xAA == ((unsigned char *)my_function_detour_KeUnstackDetachProcess)[i+1]) &&
(0xAA == ((unsigned char *)my_function_detour_KeUnstackDetachProcess)[i+2]) &&
(0xAA == ((unsigned char *)my_function_detour_KeUnstackDetachProcess)[i+3]))
{
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*( (unsigned long *)((ULONG)my_function_detour_KeUnstackDetachProcess+i) ) = reentry_address;
KeLowerIrql(oldIrql);
WPON();
break;
}
}
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
KeUnstackDetachProcess_g_oricode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_KeUnstackDetachProcess()
{
char *actual_function = (char *)(KeUnstackDetachProcess_g_KiInsertQueueApc+0xbe);
KIRQL oldIrql;
int i = 0;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
actual_function[i] = KeUnstackDetachProcess_g_oricode[i];
}
KeLowerIrql(oldIrql);
WPON();
}
//////////////////////////////////////////////////////////////////////////
ULONG reentryadd_KeStackAttachProcess;
ULONG old_KeStackAttachProcess;
ULONG Init_KeStackAttachProcess()
{
reentryadd_KeStackAttachProcess=KeStackAttachProcess_Addr+5;
old_KeStackAttachProcess=KeStackAttachProcess_Addr;
return 1;
}
__declspec(naked) VOID _KeStackAttachProcess (
__inout PRKPROCESS Process,
__out PRKAPC_STATE ApcState
)
{
__asm
{
push [esp+4]
call IsNPCalled_EP
cmp eax,1
jnz KeStackAttachProcess_ENT1
push ebp
mov ebp,esp
jmp [reentryadd_KeStackAttachProcess]
KeStackAttachProcess_ENT1:
cmp eax,0
jnz KeStackAttachProcess_ENT2
jmp [old_KeStackAttachProcess]
KeStackAttachProcess_ENT2:
mov eax,0
ret 0x8
}
}
//////////////////////////////////////////////////////////////////////////
/*
805be616 8d45d0 lea eax,[ebp-30h]
805be619 50 push eax
805be61a 51 push ecx
805be61b e812b6f3ff call nt!KeStackAttachProcess (804f9c32)
805be620 c645ff01 mov byte ptr [ebp-1],1
*/
void __declspec(naked) _detour_ObpCreateHandle()
{
__asm
{
lea eax,[ebp-0x30]
push eax
push ecx
call _KeStackAttachProcess
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
//////////////////////////////////////////////////////////////////////////
char ObpCreateHandle_g_oricode[12];
ULONG Pass_ObpCreateHandle()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00,0x90,0x90,0x90};
actual_function = (char *)(KeStackAttachProcess_Addr+0xC49ae);
reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xC49b8;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)_detour_ObpCreateHandle;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)_detour_ObpCreateHandle)[i]) &&
(0xAA == ((unsigned char *)_detour_ObpCreateHandle)[i+1]) &&
(0xAA == ((unsigned char *)_detour_ObpCreateHandle)[i+2]) &&
(0xAA == ((unsigned char *)_detour_ObpCreateHandle)[i+3]))
{
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*( (unsigned long *)((ULONG)_detour_ObpCreateHandle+i) ) = reentry_address;
KeLowerIrql(oldIrql);
WPON();
break;
}
}
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 10;i++)
{
ObpCreateHandle_g_oricode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_ObpCreateHandle()
{
char *actual_function = (char *)(KeStackAttachProcess_Addr+0xC49ae);
KIRQL oldIrql;
int i = 0;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 10;i++)
{
actual_function[i] = ObpCreateHandle_g_oricode[i];
}
KeLowerIrql(oldIrql);
WPON();
}
//////////////////////////////////////////////////////////////////////////
ULONG OldNtReadVirtualMemoryAdd;
ULONG reentryadd_NtReadVirtualMemory;
__declspec(naked) NTSTATUS NewNtReadVirtualMemory()
{
__asm
{
push [esp+4]
call IsNPCalled
cmp eax,1
jnz NtReadVirtualMemory_ENT1
push 0x1c
push 0x804daef0
jmp [reentryadd_NtReadVirtualMemory]
NtReadVirtualMemory_ENT1:
cmp eax,0
jnz NtReadVirtualMemory_ENT2
jmp [OldNtReadVirtualMemoryAdd]
NtReadVirtualMemory_ENT2:
mov eax,0
ret 0x14
}
}
//////////////////////////////////////////////////////////////////////////NtReadVirtualMemory
ULONG Pass_NtReadVirtualMemory()
{
KIRQL oldIrql;
ULONG Address=0;
Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0xBA * 4; //得到NtReadVirtualMemory的服务地址 www.2cto.com
(ULONG)OldNtReadVirtualMemoryAdd = *(ULONG*)Address; //保存此地址
reentryadd_NtReadVirtualMemory=OldNtReadVirtualMemoryAdd+7;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*((ULONG*)Address) = (ULONG)NewNtReadVirtualMemory; //HOOK SSDT
KeLowerIrql(oldIrql);
WPON();
return 1;
}
//反补丁,用于最后恢复用
VOID UnDetour_NtReadVirtualMemory()
{
KIRQL oldIrql;
ULONG Address=0;
Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0xBA * 4;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*((ULONG*)Address) = (ULONG)OldNtReadVirtualMemoryAdd; //HOOK SSDT
KeLowerIrql(oldIrql);
WPON();
}
ULONG reentryadd_NtWriteVirtualMemory;
ULONG OldNtWriteVirtualMemoryAdd;
__declspec(naked) NTSTATUS NewNtWriteVirtualMemory()
{
__asm
{
push [esp+4]
call IsNPCalled
cmp eax,1
jnz NtWriteVirtualMemory_ENT1
push 0x1c
push 0x804daf08
jmp [reentryadd_NtWriteVirtualMemory]
NtWriteVirtualMemory_ENT1:
cmp eax,0
jnz NtWriteVirtualMemory_ENT2
jmp [OldNtWriteVirtualMemoryAdd]
NtWriteVirtualMemory_ENT2:
mov eax,0
ret 0x14
}
}
//////////////////////////////////////////////////////////////////////////
ULONG Pass_NtWriteVirtualMemory()
{
KIRQL oldIrql;
ULONG Address=0;
Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x115 * 4;
(ULONG)OldNtWriteVirtualMemoryAdd = *(ULONG*)Address;
reentryadd_NtWriteVirtualMemory=OldNtWriteVirtualMemoryAdd+7;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*((ULONG*)Address) = (ULONG)NewNtWriteVirtualMemory; //HOOK SSDT
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_NtWriteVirtualMemory()
{
KIRQL oldIrql;
ULONG Address=0;
Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x115 * 4;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*((ULONG*)Address) = (ULONG)OldNtWriteVirtualMemoryAdd; //HOOK SSDT
KeLowerIrql(oldIrql);
WPON();
}
//////////////////////////////////////////////////////////////////////////
void __declspec(naked) my_function_detour_MiDoMappedCopy1()
{
__asm
{
lea eax,[ebp-0x64]
push eax
push dword ptr [ebp+8]
call _KeStackAttachProcess
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
//////////////////////////////////////////////////////////////////////////
/*
804f9c32
805b4e5f 8d459c lea eax,[ebp-64h]
805b4e62 50 push eax
805b4e63 ff7508 push dword ptr [ebp+8]
805b4e66 e8c74df4ff call nt!KeStackAttachProcess (804f9c32)
805b4e6b 897de0 mov dword ptr [ebp-20h],edi
*/
char MiDoMappedCopy1_g_oricode[8];
ULONG Pass_MiDoMappedCopy1()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
actual_function = (char *)(KeStackAttachProcess_Addr+0xBB1f7);
reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xBB203;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_MiDoMappedCopy1;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy1)[i]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy1)[i+1]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy1)[i+2]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy1)[i+3]))
{
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*( (unsigned long *)((ULONG)my_function_detour_MiDoMappedCopy1+i) ) = reentry_address;
KeLowerIrql(oldIrql);
WPON();
break;
}
}
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
MiDoMappedCopy1_g_oricode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_MiDoMappedCopy1()
{
char *actual_function = (char *)(KeStackAttachProcess_Addr+0xBB1f7);
KIRQL oldIrql;
int i = 0;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
actual_function[i] = MiDoMappedCopy1_g_oricode[i];
}
KeLowerIrql(oldIrql);
WPON();
}
//////////////////////////////////////////////////////////////////////////
void __declspec(naked) my_function_detour_MiDoMappedCopy2()
{
__asm
{
lea eax,[ebp-0x64]
push eax
push dword ptr [ebp+0x10]
call _KeStackAttachProcess
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
/*
804f9c32
805b4f19 8d459c lea eax,[ebp-64h]
805b4f1c 50 push eax
805b4f1d ff7510 push dword ptr [ebp+10h]
805b4f20 e80d4df4ff call nt!KeStackAttachProcess (804f9c32)
805b4f25 8b450c mov eax,dword ptr [ebp+0Ch]
*/
//////////////////////////////////////////////////////////////////////////
char MiDoMappedCopy2_g_oricode[8];
ULONG Pass_MiDoMappedCopy2()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
actual_function = (char *)(KeStackAttachProcess_Addr+0xBB2b1);
reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xBB2bd;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_MiDoMappedCopy2;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy2)[i]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy2)[i+1]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy2)[i+2]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy2)[i+3]))
{
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*( (unsigned long *)((ULONG)my_function_detour_MiDoMappedCopy2+i) ) = reentry_address;
KeLowerIrql(oldIrql);
WPON();
break;
}
}
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
MiDoMappedCopy2_g_oricode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_MiDoMappedCopy2()
{
char *actual_function = (char *)(KeStackAttachProcess_Addr+0xBB2b1);
KIRQL oldIrql;
int i = 0;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
actual_function[i] = MiDoMappedCopy2_g_oricode[i];
}
KeLowerIrql(oldIrql);
WPON();
}
//////////////////////////////////////////////////////////////////////////
void __declspec(naked) my_function_detour_MiDoPoolCopy1()
{
__asm
{
lea eax,[ebp-0x58]
push eax
push dword ptr [ebp+8]
call _KeStackAttachProcess
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
/*
804f9c32
805b50b7 8d45a8 lea eax,[ebp-58h]
805b50ba 50 push eax
805b50bb ff7508 push dword ptr [ebp+8]
805b50be e86f4bf4ff call nt!KeStackAttachProcess (804f9c32)
805b50c3 33f6 xor esi,esi
*/
//////////////////////////////////////////////////////////////////////////
char MiDoPoolCopy1_g_oricode[8];
ULONG Pass_MiDoPoolCopy1()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
actual_function = (char *)(KeStackAttachProcess_Addr+0xBB44f);
reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xBB45b;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_MiDoPoolCopy1;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy1)[i]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy1)[i+1]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy1)[i+2]) &&
(0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy1)[i+3]))
{
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
*( (unsigned long *)((ULONG)my_function_detour_MiDoPoolCopy1+i) ) = reentry_address;
KeLowerIrql(oldIrql);
WPON();
break;
}
}
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
MiDoPoolCopy1_g_oricode[i] = actual_function[i];
actual_function[i] = newcode[i];
}
KeLowerIrql(oldIrql);
WPON();
return 1;
}
VOID UnDetour_MiDoPoolCopy1()
{
char *actual_function = (char *)(KeStackAttachProcess_Addr+0xBB44f);
KIRQL oldIrql;
int i = 0;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
for(i=0;i < 7;i++)
{
actual_function[i] = MiDoPoolCopy1_g_oricode[i];
}
KeLowerIrql(oldIrql);
WPON();
}
//////////////////////////////////////////////////////////////////////////
void __declspec(naked) my_function_detour_MiDoPoolCopy2()
{
__asm
{
lea eax,[ebp-0x58]
push eax
push dword ptr [ebp+0x10]
call _KeStackAttachProcess
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}
/*
804f9c32
805b511c 8d45a8 lea eax,[ebp-58h]
805b511f 50 push eax
805b5120 ff7510 push dword ptr [ebp+10h]
805b5123 e80a4bf4ff call nt!KeStackAttachProcess (804f9c32)
805b5128 8b450c mov eax,dword ptr [ebp+0Ch]
*/
//////////////////////////////////////////////////////////////////////////
char MiDoPoolCopy2_g_oricode[8];
ULONG Pass_MiDoPoolCopy2()
{
char *actual_function;
unsigned long reentry_address;
KIRQL oldIrql;
int i = 0;
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
actual_function = (char *)(KeStackAttachProcess_Addr+0xBB4b4);
reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xBB4c0;
*( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_MiDoPoolCopy2;
for(i=0;i<200;i++)
{
if( (0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy2)[i]) &&
上一篇: 扫描危险网址和文件的七种在线工具
下一篇: Nessus5.X部署手记