欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  网络运营

游戏保护大放送之NP

程序员文章站 2022-04-22 10:45:12
本人寻求游戏安全方面的工作,请Email:wtxpwh@163.com联系 做挂者请绕道!   本人不保证此办法现在还生效!蓝屏死机于本人无关!   NP这个东西...
本人寻求游戏安全方面的工作,请Email:wtxpwh@163.com联系
做挂者请绕道!
 
本人不保证此办法现在还生效!蓝屏死机于本人无关!
 
NP这个东西会注入一个dll,直接在ring0下hook NtCreateSection拦截!
 
直接上代码!
 
代码:
 
#include "struct.h"
#include "4BOD.h"
 
//////////////////////////////////////////////////////////////////////////
ULONG Pass_NtProcess();
VOID UnDetour_NtProcess();
 
ULONG Pass_NtWriteVirtualMemory();
VOID UnDetour_NtWriteVirtualMemory();
 
ULONG Pass_NtReadVirtualMemory();
VOID UnDetour_NtReadVirtualMemory();
 
ULONG Pass_KiAttachProcess();
VOID UnDetour_KiAttachProcess();
 
ULONG Pass_KeStackAttachProcess();
VOID UnDetour_KeStackAttachProcess();
 
ULONG Pass_KeStackAttachProcess1();
VOID UnDetour_KeStackAttachProcess1();
 
ULONG Pass_MiDoMappedCopy1();
VOID UnDetour_MiDoMappedCopy1();
 
ULONG Pass_MiDoMappedCopy2();
VOID UnDetour_MiDoMappedCopy2();
 
ULONG Pass_MiDoPoolCopy1();
VOID UnDetour_MiDoPoolCopy1();
 
ULONG Pass_MiDoPoolCopy2();
VOID UnDetour_MiDoPoolCopy2();
 
ULONG Pass_NtOpenSection();
VOID UnDetour_NtOpenSection();
 
ULONG Pass_NtProtectVirtualMemory();
VOID UnDetour_NtProtectVirtualMemory();
 
ULONG Pass_NtProtectVirtualMemory2();
VOID UnDetour_NtProtectVirtualMemory2();
 
ULONG Pass_NtWriteFile();
VOID UnDetour_NtWriteFile();
 
 
ULONG Pass_NtDeviceIoControlFile();
VOID UnDetour_NtDeviceIoControlFile();
 
 
ULONG Pass_ObpCreateHandle();
VOID UnDetour_ObpCreateHandle();
 
ULONG Pass_NtCreateSection();
VOID UnDetour_NtCreateSection();
 
ULONG Pass_KeUnstackDetachProcess();
VOID UnDetour_KeUnstackDetachProcess();
 
ULONG Pass_NtQueryInformationProcess();
VOID UnDetour_NtQueryInformationProcess();
 
void Init_fun();
//////////////////////////////////////////////////////////////////////////
 
ULONG KeStackAttachProcess_Addr;
 
 
ULONG __stdcall IsNPCalled(HANDLE ProcessHandle);
 
 
char g_pFindOrigCode[8];
ULONG KiSystemService_hack_address;
PULONG  pSSDTKernel;
PSERVICE_DESCRIPTOR_TABLE_SHADOW _KeServiceDescriptorTable;
PSERVICE_DESCRIPTOR_TABLE_SHADOW  ShadowTable;
unsigned long SSDT_reentry_address,SSDTDW_reentry_address;
 
 
void __declspec(naked) my_function_detour_KiFastCallEntry()
{
  __asm
  {
    cmp     ecx,10h
    jne     SSDT
    mov    edi,KeServiceDescriptorTable
    sub    edi,0x10
    jmp    [SSDTDW_reentry_address]
     
SSDT:
    mov    edi,KeServiceDescriptorTable
    add    edi,0x20
    jmp    [SSDT_reentry_address]
     
 
  }
 
}
 
UCHAR findcode[]={0x83,0xf9,0x10,0x75};
 
VOID FindHackAddr()
{
  ULONG  uSysenter;
  ULONG i=0;
  PUCHAR strSysenter;
 
  __asm{
    mov ecx,0x176
      rdmsr
      mov uSysenter,eax  //得到KiFastCallEntry地址
  }
  strSysenter=(PUCHAR)uSysenter;
  for (i=0;i<0x100;i++)
  {
    if (
      findcode[0]==strSysenter[i] &&
      findcode[1]==strSysenter[i+1] &&
      findcode[2]==strSysenter[i+2] &&
      findcode[3]==strSysenter[i+3] )
    {
      break;
    }
   
  }
 
  KiSystemService_hack_address=uSysenter+i;
 
}
 
ULONG HookSysCall()
{
  KIRQL  oldIrql;
  ULONG  uSysenter;
 
  unsigned char newcode[] = { 0xE9, 0x44, 0x33, 0x22, 0x11};
 
  char *actual_function;
 
  int i = 0;
 
//   __asm{
//       mov ecx,0x176
//       rdmsr
//       mov uSysenter,eax  //得到KiFastCallEntry地址
//      }
 
//  KiSystemService_hack_address=uSysenter+0xB3;
 
  FindHackAddr();
 
  if (KiSystemService_hack_address==0)
  {
    dprintf("find hack address error!\n");
    return 0;
  }
 
 
 
  actual_function =(char*) KiSystemService_hack_address;
 
 
 
  SSDT_reentry_address = KiSystemService_hack_address+0x20;
  SSDTDW_reentry_address = KiSystemService_hack_address+0x5;
 
  *( (unsigned long *)(&newcode[1]) ) = (ULONG)my_function_detour_KiFastCallEntry-KiSystemService_hack_address-5;
 
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
  for(i=0;i < 5;i++)
  {
    g_pFindOrigCode[i] = actual_function[i];
    actual_function[i] = newcode[i];
  }
  KeLowerIrql(oldIrql);
  WPON();
 
  return 1;
}
void RestoreSSDT()
{
  int i;
  char *actual_function = (char *)(KiSystemService_hack_address);
  KIRQL  oldIrql;
  WPOFF();
 
  KeRaiseIrql( DISPATCH_LEVEL,&oldIrql );
 
  for(i=0;i < 5;i++)
  {
    actual_function[i] = g_pFindOrigCode[i];
  }
 
  KeLowerIrql( oldIrql );
  ExFreePool(pSSDTKernel);
 
  WPON();
 
}
 
 
unsigned long AddMyServiceTable()
{
 
 
  ULONG  nSDTKerCallLen;
 
 
 
  __asm
  {
    pushad
    mov   eax,KeServiceDescriptorTable
    mov   _KeServiceDescriptorTable,eax
    sub   eax,0x40
    mov   ShadowTable,eax
    popad
  }
  nSDTKerCallLen  =  _KeServiceDescriptorTable->ntoskrnl.NumberOfServices;
 
 
  pSSDTKernel =  (PULONG)ExAllocatePool( NonPagedPool, nSDTKerCallLen*sizeof(ULONG)/*,  'uvbs'*/ );
  if(!pSSDTKernel)
  {
    DbgPrint("AddMyServiceTable  alloc fail\n");
    return 0;
  }
  memset( (PVOID)pSSDTKernel, 0, nSDTKerCallLen*sizeof(ULONG));
 
 
  //填充新的SSDT表
  //
  RtlCopyMemory( (PVOID)pSSDTKernel,(PVOID)_KeServiceDescriptorTable->ntoskrnl.ServiceTableBase,nSDTKerCallLen*sizeof(ULONG) );
 
 
  RtlCopyMemory( (PVOID)&_KeServiceDescriptorTable->NotUse1,
    (PVOID)&_KeServiceDescriptorTable->ntoskrnl,sizeof(SERVICE_DESCRIPTOR_TABLE) );
 
 
 
  RtlCopyMemory( (PVOID)&ShadowTable->NotUse1,(PVOID)&ShadowTable->ntoskrnl,sizeof(SERVICE_DESCRIPTOR_TABLE)*2);
 
  WPOFF();
  RtlCopyMemory((PVOID)&_KeServiceDescriptorTable->NotUse1.ServiceTableBase, &pSSDTKernel, sizeof(ULONG));
 
  RtlCopyMemory((PVOID)&ShadowTable->NotUse1.ServiceTableBase, &pSSDTKernel, sizeof(ULONG));
 
  WPON();
 
  return 1;
}
 
void RePlaceSSDT()
{
  if (AddMyServiceTable())
  {
    HookSysCall();
  }
 
}
 
//////////////////////////////////////////////////////////////////////////
 
NTSTATUS
DriverEntry(
  PDRIVER_OBJECT pDriverObj,
  PUNICODE_STRING pRegistryString
  )
{
  NTSTATUS status = STATUS_SUCCESS;
  UNICODE_STRING ustrLinkName;
  UNICODE_STRING ustrDevName;   
  PDEVICE_OBJECT pDevObj;
 
  dprintf("[4BOD] DriverEntry\n");
 
  pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
  pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
  pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
  pDriverObj->DriverUnload = DriverUnload;
 
 
  RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
  status = IoCreateDevice(pDriverObj,
        0,
        &ustrDevName,
        FILE_DEVICE_UNKNOWN,
        0,
        FALSE,
        &pDevObj);
 
  if(!NT_SUCCESS(status))  {
    dprintf("[4BOD] IoCreateDevice = 0x%x\n", status);
    return status;
  }
 
  RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
  status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName); 
  if(!NT_SUCCESS(status)) {
    dprintf("[4BOD] IoCreateSymbolicLink = 0x%x\n", status);
    IoDeleteDevice(pDevObj); 
    return status;
  }
 
 
   Init_fun();
   RePlaceSSDT();
 
  Pass_MiDoMappedCopy1();
  Pass_MiDoMappedCopy2();
  Pass_MiDoPoolCopy1();
  Pass_MiDoPoolCopy2();
 
 
  Pass_ObpCreateHandle();
  Pass_NtProcess();
 
  Pass_KiAttachProcess();
  Pass_KeStackAttachProcess();
     Pass_KeStackAttachProcess1();
    Pass_NtReadVirtualMemory();
     Pass_NtWriteVirtualMemory();
 
   Pass_NtOpenSection();
   Pass_NtCreateSection();
  Pass_KeUnstackDetachProcess();
 
  Pass_NtProtectVirtualMemory2();
  Pass_NtProtectVirtualMemory();
  
  Pass_NtWriteFile();
  Pass_NtDeviceIoControlFile();
 
  Pass_NtQueryInformationProcess();
 
  return STATUS_SUCCESS;
}
 
 
VOID
DriverUnload(
  PDRIVER_OBJECT pDriverObj
  )

  UNICODE_STRING strLink;
  LARGE_INTEGER Delay;
  RtlInitUnicodeString(&strLink, LINK_NAME);
 
  UnDetour_MiDoPoolCopy2();
  UnDetour_MiDoPoolCopy1();
  UnDetour_MiDoMappedCopy2();
  UnDetour_MiDoMappedCopy1(); 
 
  UnDetour_NtWriteVirtualMemory();
  UnDetour_NtReadVirtualMemory();
  UnDetour_KeStackAttachProcess1();
  UnDetour_KeStackAttachProcess();
  UnDetour_KiAttachProcess();
  UnDetour_NtOpenSection();
  UnDetour_NtCreateSection();
  UnDetour_KeUnstackDetachProcess();
 
  UnDetour_NtProcess();
  UnDetour_ObpCreateHandle();
 
  UnDetour_NtProtectVirtualMemory2();
  UnDetour_NtProtectVirtualMemory();
  
  UnDetour_NtWriteFile();
  UnDetour_NtDeviceIoControlFile();
 
  UnDetour_NtQueryInformationProcess();
 
  
 
  RestoreSSDT();
 
  Delay.QuadPart = -5000000;
 
  KeDelayExecutionThread(KernelMode, TRUE, &Delay);
 
 
  IoDeleteSymbolicLink(&strLink);
  IoDeleteDevice(pDriverObj->DeviceObject);
  dprintf("[4BOD] Unloaded\n");
}
 
 
NTSTATUS
DispatchCreate(
  PDEVICE_OBJECT pDevObj,
  PIRP pIrp
  )
{
  pIrp->IoStatus.Status = STATUS_SUCCESS;
  pIrp->IoStatus.Information = 0;
 
  dprintf("[4BOD] IRP_MJ_CREATE\n");
 
  IoCompleteRequest(pIrp, IO_NO_INCREMENT);
  return STATUS_SUCCESS;
}
 
 
NTSTATUS
DispatchClose(
  PDEVICE_OBJECT pDevObj,
  PIRP pIrp
  )
{
  pIrp->IoStatus.Status = STATUS_SUCCESS;
  pIrp->IoStatus.Information = 0;
 
  dprintf("[4BOD] IRP_MJ_CLOSE\n");
 
  IoCompleteRequest(pIrp, IO_NO_INCREMENT);
  return STATUS_SUCCESS;
}
 
 
NTSTATUS
DispatchIoctl(
  PDEVICE_OBJECT pDevObj,
  PIRP pIrp
  )
{
  NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
  PIO_STACK_LOCATION pIrpStack;
  ULONG uIoControlCode;
  PVOID pIoBuffer;
  ULONG uInSize;
  ULONG uOutSize;
 
  pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
  uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
  pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
  uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
  uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
 
  switch(uIoControlCode) {
 
    case IOCTL_HELLO: {
     
      dprintf("[4BOD] Hello\n");
      status = STATUS_SUCCESS;
    }
    break;
   
    //
    // 添加执行代码
    //
 
  }
 
  if(status == STATUS_SUCCESS)
    pIrp->IoStatus.Information = uOutSize;
  else
    pIrp->IoStatus.Information = 0;
 
  /////////////////////////////////////
  pIrp->IoStatus.Status = status;
  IoCompleteRequest(pIrp, IO_NO_INCREMENT);
 
  return status;
}
 
 
//////////////////////////////////////////////////////////////////////////
ULONG reentryadd_KiMoveApcState;
ULONG old_KiMoveApcState;
 
ULONG Init_KiMoveApcState()
{
  reentryadd_KiMoveApcState=KeStackAttachProcess_Addr-0x6AD;
  old_KiMoveApcState=KeStackAttachProcess_Addr-0x6b2;
  return 1;
 
}
 
 
VOID __declspec(naked) _KiMoveApcState (
                    __in PKAPC_STATE Source,
                    __out PKAPC_STATE Destination
                    )
{
  __asm
  {
    push 0
    call IsNPCalled
    cmp  eax,1
    jnz  KiMoveApcState_ENT1
    push ebp
    mov  ebp,esp
    jmp  [reentryadd_KiMoveApcState]
   
 
KiMoveApcState_ENT1:
    cmp  eax,0
    jnz  KiMoveApcState_ENT2
    jmp  [old_KiMoveApcState]
KiMoveApcState_ENT2:
    mov  eax,0
    ret  8
  }
 
 
}
 
 
 
//////////////////////////////////////////////////////////////////////////
 
void __declspec(naked) my_function_detour_KiAttachProcess()
{
  __asm
  {   
    inc     word ptr [edi+0x60]
    lea     ebx,[esi+0x34]
    push    ebx
    call    _KiMoveApcState
    _emit 0xEA
    _emit 0xAA
    _emit 0xAA
    _emit 0xAA
    _emit 0xAA
    _emit 0x08
    _emit 0x00
  }
}
 
//////////////////////////////////////////////////////////////////////////
 
char KiAttachProcess_g_oricode[8];
 
ULONG Pass_KiAttachProcess()

  char *actual_function;
  unsigned long reentry_address;
  KIRQL oldIrql;
  int i = 0;
  unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
 
 
  actual_function = (char *)(KeStackAttachProcess_Addr-0x219);
 
  reentry_address = ((unsigned long)KeStackAttachProcess_Addr) - 0x20c;
 
  *( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_KiAttachProcess;
 
  for(i=0;i<200;i++)
  {
    if( (0xAA == ((unsigned char *)my_function_detour_KiAttachProcess)[i]) &&
      (0xAA == ((unsigned char *)my_function_detour_KiAttachProcess)[i+1]) &&
      (0xAA == ((unsigned char *)my_function_detour_KiAttachProcess)[i+2]) &&
      (0xAA == ((unsigned char *)my_function_detour_KiAttachProcess)[i+3]))
    {
      WPOFF();
      oldIrql = KeRaiseIrqlToDpcLevel();
      *( (unsigned long *)((ULONG)my_function_detour_KiAttachProcess+i) ) = reentry_address;
      KeLowerIrql(oldIrql);
      WPON();
      break;
    }
  }
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
  for(i=0;i < 7;i++)
  {
    KiAttachProcess_g_oricode[i] = actual_function[i];
    actual_function[i] = newcode[i];
  }
  KeLowerIrql(oldIrql);
  WPON();
 
  return 1;
 
}
 
VOID UnDetour_KiAttachProcess()
{
  char *actual_function = (char *)(KeStackAttachProcess_Addr-0x219);
  KIRQL oldIrql;
  int i = 0;
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
 
  for(i=0;i < 7;i++)
  {
    actual_function[i] = KiAttachProcess_g_oricode[i];
  }
  KeLowerIrql(oldIrql);
  WPON();
 
 
 
}
 
//返回-1:拒绝访问
//返回0 :走NP HOOK
//返回1 :绕过NP HOOK
//
////////////////////////////////////////////////////////////////////////////
ULONG __stdcall IsNPCalled(HANDLE ProcessHandle)
{
 
  NTSTATUS    status;
  PEPROCESS   pEProcess=0;
  char*       proname=0;
 
 
 
  if (!_stricmp("GameMon.des",GetProcessNameFromEProc(0)))
  {
    if (!ProcessHandle)
    {
      return 0;
 
    }
   
    status = ObReferenceObjectByHandle(ProcessHandle,PROCESS_ALL_ACCESS,NULL,0,&pEProcess,NULL);
   
    if(!NT_SUCCESS(status))
    {
      DbgPrint("ObReferenceObjectByHandle fail! %08x \n",status);
      return 0;
     
    }
    ObDereferenceObject(pEProcess);
    proname=GetProcessNameFromEProc(pEProcess);
   
    if (!_stricmp("OllyDBG.EXE",proname))
    {
     
      return -1;
    }
    else if (!_stricmp("ImmunityDebugger.exe",proname))
    {
      return -1;
    }
    else if (!_stricmp("DeRoX.exe",proname))
    {
      return -1;
    }
    else
    {
     
      return 0;
     
    }
   
    return 0;
  }
  else if (!_stricmp("AION.bin",GetProcessNameFromEProc(0)))
  {
   
    if (!ProcessHandle)
    {
      return 0;
     
    }
   
    status = ObReferenceObjectByHandle(ProcessHandle,PROCESS_ALL_ACCESS,NULL,0,&pEProcess,NULL);
   
    if(!NT_SUCCESS(status))
    {
      DbgPrint("ObReferenceObjectByHandle fail! %08x \n",status);
      return 0;
     
    }
    ObDereferenceObject(pEProcess);
    proname=GetProcessNameFromEProc(pEProcess);
   
    if (!_stricmp("OllyDBG.EXE",proname))
    {
     
      return -1;
    }
    else if (!_stricmp("ImmunityDebugger.exe",proname))
    {
      return -1;
    }
    else if (!_stricmp("DeRoX.exe",proname))
    {
      return -1;
    }
    else
    {
     
      return 0;
     
    }
    return 0;
   
  }
  else if (!_stricmp("OllyDBG.EXE",GetProcessNameFromEProc(0)))
  {
   
    return 1;
  }
  else if (!_stricmp("ImmunityDebugger.exe",GetProcessNameFromEProc(0)))
  {
   
    return 1;
  }
  else if (!_stricmp("DeRoX.exe",GetProcessNameFromEProc(0)))
  {
   
    return 1;
  }
  else
  { 
    return 0;
  }
 
 
}
 
 
 
//////////////////////////////////////////////////////////////////////////
 
 
 
ULONG __stdcall IsNPCalled_EP(PEPROCESS EProcess)
{
 
 
  NTSTATUS    status;
  PEPROCESS   pEProcess=0;
  char*       proname=0;
 
 
  if (!_stricmp("GameMon.des",GetProcessNameFromEProc(0)))
  {
    if (!EProcess)
    {
      return 0;
 
    }
   
 
    proname=GetProcessNameFromEProc(EProcess);
   
    if (!_stricmp("OllyDBG.EXE",proname))
    {
     
      return -1;
    }
    else if (!_stricmp("ImmunityDebugger.exe",proname))
    {
      return -1;
    }
    else if (!_stricmp("DeRoX.exe",proname))
    {
      return -1;
    }
    else
    {
     
      return 0;
     
    }
   
    return 0;
  }
  else if (!_stricmp("AION.bin",GetProcessNameFromEProc(0)))
  {
   
    if (!EProcess)
    {
      return 0;
     
    }
   
    proname=GetProcessNameFromEProc(EProcess);
   
    if (!_stricmp("OllyDBG.EXE",proname))
    {
     
      return -1;
    }
    else if (!_stricmp("ImmunityDebugger.exe",proname))
    {
      return -1;
    }
    else if (!_stricmp("DeRoX.exe",proname))
    {
      return -1;
    }
    else
    {
     
      return 0;
     
    }
    return 0;
   
  }
  else if (!_stricmp("OllyDBG.EXE",GetProcessNameFromEProc(0)))
  {
   
    return 1;
  }
  else if (!_stricmp("ImmunityDebugger.exe",GetProcessNameFromEProc(0)))
  {
   
    return 1;
  }
  else if (!_stricmp("DeRoX.exe",GetProcessNameFromEProc(0)))
  {
   
    return 1;
  }
  else
  { 
    return 0;
  }
 
 
}
 
//////////////////////////////////////////////////////////////////////////
ULONG reentryadd_KiAttachProcess;
ULONG old_KiAttachProcess;
 
ULONG Init_KiAttachProcess()
{
  reentryadd_KiAttachProcess=KeStackAttachProcess_Addr-0x225; 
  old_KiAttachProcess=KeStackAttachProcess_Addr-0x22a;
  return 1;
 
}
 
 
VOID __declspec(naked) _KiAttachProcess (
         __inout PRKTHREAD Thread,
         __in PRKPROCESS Process,
         __in PKLOCK_QUEUE_HANDLE LockHandle,
         __out PRKAPC_STATE SavedApcState
    )
{
 
  __asm
  {
    //push [esp+8]
    push 0
    call IsNPCalled_EP
    cmp  eax,1
    jnz  KiAttachProcess_ENT1
    push ebp
    mov  ebp,esp
    jmp  [reentryadd_KiAttachProcess]
     
     
KiAttachProcess_ENT1:
    cmp  eax,0
    jnz  KiAttachProcess_ENT2
    jmp  [old_KiAttachProcess]
KiAttachProcess_ENT2:
    mov  eax,0
    ret  0x10
  }
 
 
}
 
 
 
 
//////////////////////////////////////////////////////////////////////////
 
void __declspec(naked) my_function_detour_KeStackAttachProcess()
{
  __asm
  { 
   
    push edi
    push esi
    call  _KiAttachProcess
     
    _emit 0xEA
    _emit 0xAA
    _emit 0xAA
    _emit 0xAA
    _emit 0xAA
    _emit 0x08
    _emit 0x00
  }
}
 
//////////////////////////////////////////////////////////////////////////
 
char KeStackAttachProcess_g_oricode[8];
 
 
ULONG Pass_KeStackAttachProcess()

  char *actual_function;
  unsigned long reentry_address;
  KIRQL oldIrql;
  int i = 0;
  unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
 
 
  actual_function = (char *)(KeStackAttachProcess_Addr+0x63);
 
  reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0x6a;
 
  *( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_KeStackAttachProcess;
 
  for(i=0;i<200;i++)
  {
    if( (0xAA == ((unsigned char *)my_function_detour_KeStackAttachProcess)[i]) &&
      (0xAA == ((unsigned char *)my_function_detour_KeStackAttachProcess)[i+1]) &&
      (0xAA == ((unsigned char *)my_function_detour_KeStackAttachProcess)[i+2]) &&
      (0xAA == ((unsigned char *)my_function_detour_KeStackAttachProcess)[i+3]))
    {
      WPOFF();
      oldIrql = KeRaiseIrqlToDpcLevel();
      *( (unsigned long *)((ULONG)my_function_detour_KeStackAttachProcess+i) ) = reentry_address;
      KeLowerIrql(oldIrql);
      WPON();
      break;
    }
  }
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
  for(i=0;i < 7;i++)
  {
    KeStackAttachProcess_g_oricode[i] = actual_function[i];
    actual_function[i] = newcode[i];
  }
  KeLowerIrql(oldIrql);
  WPON();
 
  return 1;
 
}
 
VOID UnDetour_KeStackAttachProcess()
{
  char *actual_function = (char *)(KeStackAttachProcess_Addr+0x63);
  KIRQL oldIrql;
  int i = 0;
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
 
  for(i=0;i < 7;i++)
  {
    actual_function[i] = KeStackAttachProcess_g_oricode[i];
  }
  KeLowerIrql(oldIrql);
  WPON();
 
 
 
}
 
//////////////////////////////////////////////////////////////////////////
 
void __declspec(naked) _detour_KeStackAttachProcess1()
{
  __asm
  {   
    push edi
    push esi
    mov   esi,esi
    call  _KiAttachProcess
     
    _emit 0xEA
    _emit 0xAA
    _emit 0xAA
    _emit 0xAA
    _emit 0xAA
    _emit 0x08
    _emit 0x00
  }
}
 
//////////////////////////////////////////////////////////////////////////
 
char KeStackAttachProcess1_g_oricode[8];
 
 
ULONG Pass_KeStackAttachProcess1()

  char *actual_function;
  unsigned long reentry_address;
  KIRQL oldIrql;
  int i = 0;
  unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
 
 
  actual_function = (char *)(KeStackAttachProcess_Addr+0x76);
 
  reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0x7d;
 
  *( (unsigned long *)(&newcode[1]) ) = (unsigned long)_detour_KeStackAttachProcess1;
 
  for(i=0;i<200;i++)
  {
    if( (0xAA == ((unsigned char *)_detour_KeStackAttachProcess1)[i]) &&
      (0xAA == ((unsigned char *)_detour_KeStackAttachProcess1)[i+1]) &&
      (0xAA == ((unsigned char *)_detour_KeStackAttachProcess1)[i+2]) &&
      (0xAA == ((unsigned char *)_detour_KeStackAttachProcess1)[i+3]))
    {
      WPOFF();
      oldIrql = KeRaiseIrqlToDpcLevel();
      *( (unsigned long *)((ULONG)_detour_KeStackAttachProcess1+i) ) = reentry_address;
      KeLowerIrql(oldIrql);
      WPON();
      break;
    }
  }
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
  for(i=0;i < 7;i++)
  {
    KeStackAttachProcess1_g_oricode[i] = actual_function[i];
    actual_function[i] = newcode[i];
  }
  KeLowerIrql(oldIrql);
  WPON();
 
  return 1;
 
}
 
VOID UnDetour_KeStackAttachProcess1()
{
  char *actual_function = (char *)(KeStackAttachProcess_Addr+0x76);
  KIRQL oldIrql;
  int i = 0;
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
 
  for(i=0;i < 7;i++)
  {
    actual_function[i] = KeStackAttachProcess1_g_oricode[i];
  }
  KeLowerIrql(oldIrql);
  WPON();
 
 
 
}
//////////////////////////////////////////////////////////////////////////
 
 
void __declspec(naked) my_function_detour_KeUnstackDetachProcess()
{
  __asm
  { 
 
    lea     ebx,[esi+0x14C]
    push    ebx
    call  _KiMoveApcState
 
      _emit 0xEA
      _emit 0xAA
      _emit 0xAA
      _emit 0xAA
      _emit 0xAA
      _emit 0x08
      _emit 0x00
  }
}
//NtAllocateVirtualMemory
//////////////////////////////////////////////////////////////////////////
 
char KeUnstackDetachProcess_g_oricode[8];
 
ULONG KeUnstackDetachProcess_g_KiInsertQueueApc;
 
 
ULONG Pass_KeUnstackDetachProcess()

  char *actual_function;
 
  unsigned long reentry_address;
  KIRQL oldIrql;
  int i = 0;
  unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
 
  KeUnstackDetachProcess_g_KiInsertQueueApc=GetFunctionAddr(L"KeUnstackDetachProcess");
 
  actual_function = (char *)(KeUnstackDetachProcess_g_KiInsertQueueApc+0xbe);
 
  reentry_address = ((unsigned long)KeUnstackDetachProcess_g_KiInsertQueueApc) + 0xca;
 
  *( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_KeUnstackDetachProcess;
 
  for(i=0;i<200;i++)
  {
    if( (0xAA == ((unsigned char *)my_function_detour_KeUnstackDetachProcess)[i]) &&
      (0xAA == ((unsigned char *)my_function_detour_KeUnstackDetachProcess)[i+1]) &&
      (0xAA == ((unsigned char *)my_function_detour_KeUnstackDetachProcess)[i+2]) &&
      (0xAA == ((unsigned char *)my_function_detour_KeUnstackDetachProcess)[i+3]))
    {
      WPOFF();
      oldIrql = KeRaiseIrqlToDpcLevel();
      *( (unsigned long *)((ULONG)my_function_detour_KeUnstackDetachProcess+i) ) = reentry_address;
      KeLowerIrql(oldIrql);
      WPON();
      break;
    }
  }
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
  for(i=0;i < 7;i++)
  {
    KeUnstackDetachProcess_g_oricode[i] = actual_function[i];
    actual_function[i] = newcode[i];
  }
  KeLowerIrql(oldIrql);
  WPON();
 
  return 1;
 
}
 
VOID UnDetour_KeUnstackDetachProcess()
{
  char *actual_function = (char *)(KeUnstackDetachProcess_g_KiInsertQueueApc+0xbe);
  KIRQL oldIrql;
  int i = 0;
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
 
  for(i=0;i < 7;i++)
  {
    actual_function[i] = KeUnstackDetachProcess_g_oricode[i];
  }
  KeLowerIrql(oldIrql);
  WPON();
 
 
 
}
 
//////////////////////////////////////////////////////////////////////////
 
 
 
ULONG reentryadd_KeStackAttachProcess;
ULONG old_KeStackAttachProcess;
 
ULONG Init_KeStackAttachProcess()
{
 
  reentryadd_KeStackAttachProcess=KeStackAttachProcess_Addr+5;
  old_KeStackAttachProcess=KeStackAttachProcess_Addr;
  return 1;
 
}
 
__declspec(naked) VOID _KeStackAttachProcess (
    __inout PRKPROCESS Process,
    __out PRKAPC_STATE ApcState
    )
                        
{
  __asm
  {
    push [esp+4]
    call IsNPCalled_EP
    cmp  eax,1
    jnz  KeStackAttachProcess_ENT1
    push ebp
    mov  ebp,esp
    jmp  [reentryadd_KeStackAttachProcess]
     
     
KeStackAttachProcess_ENT1:
    cmp  eax,0
    jnz  KeStackAttachProcess_ENT2
    jmp  [old_KeStackAttachProcess]
KeStackAttachProcess_ENT2:
    mov  eax,0
    ret  0x8
  }
 
   
}
//////////////////////////////////////////////////////////////////////////
/*
805be616 8d45d0          lea     eax,[ebp-30h]
805be619 50              push    eax
805be61a 51              push    ecx
805be61b e812b6f3ff      call    nt!KeStackAttachProcess (804f9c32)
805be620 c645ff01        mov     byte ptr [ebp-1],1
 
*/
 
void __declspec(naked) _detour_ObpCreateHandle()
{
  __asm
  {   
    lea     eax,[ebp-0x30]
    push    eax
    push    ecx
    call    _KeStackAttachProcess
     
    _emit 0xEA
    _emit 0xAA
    _emit 0xAA
    _emit 0xAA
    _emit 0xAA
    _emit 0x08
    _emit 0x00
  }
}
 
//////////////////////////////////////////////////////////////////////////
 
char ObpCreateHandle_g_oricode[12];
 
 
ULONG Pass_ObpCreateHandle()

  char *actual_function;
  unsigned long reentry_address;
  KIRQL oldIrql;
  int i = 0;
  unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00,0x90,0x90,0x90};
 
 
  actual_function = (char *)(KeStackAttachProcess_Addr+0xC49ae);
 
  reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xC49b8;
 
  *( (unsigned long *)(&newcode[1]) ) = (unsigned long)_detour_ObpCreateHandle;
 
  for(i=0;i<200;i++)
  {
    if( (0xAA == ((unsigned char *)_detour_ObpCreateHandle)[i]) &&
      (0xAA == ((unsigned char *)_detour_ObpCreateHandle)[i+1]) &&
      (0xAA == ((unsigned char *)_detour_ObpCreateHandle)[i+2]) &&
      (0xAA == ((unsigned char *)_detour_ObpCreateHandle)[i+3]))
    {
      WPOFF();
      oldIrql = KeRaiseIrqlToDpcLevel();
      *( (unsigned long *)((ULONG)_detour_ObpCreateHandle+i) ) = reentry_address;
      KeLowerIrql(oldIrql);
      WPON();
      break;
    }
  }
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
  for(i=0;i < 10;i++)
  {
    ObpCreateHandle_g_oricode[i] = actual_function[i];
    actual_function[i] = newcode[i];
  }
  KeLowerIrql(oldIrql);
  WPON();
 
  return 1;
 
}
 
VOID UnDetour_ObpCreateHandle()
{
  char *actual_function = (char *)(KeStackAttachProcess_Addr+0xC49ae);
  KIRQL oldIrql;
  int i = 0;
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
 
  for(i=0;i < 10;i++)
  {
    actual_function[i] = ObpCreateHandle_g_oricode[i];
  }
  KeLowerIrql(oldIrql);
  WPON();
 
 
 
}
 
 
//////////////////////////////////////////////////////////////////////////
 
ULONG OldNtReadVirtualMemoryAdd;
ULONG reentryadd_NtReadVirtualMemory;
__declspec(naked) NTSTATUS NewNtReadVirtualMemory()
{
  __asm
  {
    push [esp+4]
    call IsNPCalled
    cmp  eax,1
    jnz  NtReadVirtualMemory_ENT1
    push 0x1c
    push 0x804daef0
    jmp  [reentryadd_NtReadVirtualMemory]
 
 
NtReadVirtualMemory_ENT1:
 
    cmp  eax,0
    jnz  NtReadVirtualMemory_ENT2
    jmp  [OldNtReadVirtualMemoryAdd]
 
NtReadVirtualMemory_ENT2:
    mov  eax,0
    ret  0x14
  }
 
}
 
 
 
//////////////////////////////////////////////////////////////////////////NtReadVirtualMemory
 
 
 
ULONG Pass_NtReadVirtualMemory()
{
  KIRQL oldIrql;
  ULONG  Address=0;
 
  Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0xBA * 4;    //得到NtReadVirtualMemory的服务地址 www.2cto.com
 
  (ULONG)OldNtReadVirtualMemoryAdd = *(ULONG*)Address;    //保存此地址
  reentryadd_NtReadVirtualMemory=OldNtReadVirtualMemoryAdd+7;
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
  *((ULONG*)Address) = (ULONG)NewNtReadVirtualMemory;  //HOOK SSDT
 
  KeLowerIrql(oldIrql);
  WPON();
  return 1;
}
 
//反补丁,用于最后恢复用
VOID UnDetour_NtReadVirtualMemory()
{
  KIRQL oldIrql;
  ULONG  Address=0;
 
  Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0xBA * 4;
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
 
  *((ULONG*)Address) = (ULONG)OldNtReadVirtualMemoryAdd;  //HOOK SSDT
  KeLowerIrql(oldIrql);
  WPON();
}
 
ULONG reentryadd_NtWriteVirtualMemory;
ULONG OldNtWriteVirtualMemoryAdd;
__declspec(naked) NTSTATUS NewNtWriteVirtualMemory()
{
 
  __asm
  {
    push [esp+4]
    call IsNPCalled
    cmp  eax,1
    jnz  NtWriteVirtualMemory_ENT1
    push 0x1c
    push 0x804daf08
    jmp  [reentryadd_NtWriteVirtualMemory]
     
     
NtWriteVirtualMemory_ENT1:
   
    cmp  eax,0
    jnz  NtWriteVirtualMemory_ENT2
    jmp  [OldNtWriteVirtualMemoryAdd]
     
NtWriteVirtualMemory_ENT2:
    mov  eax,0
    ret  0x14
  }
}
//////////////////////////////////////////////////////////////////////////
 
 
 
ULONG Pass_NtWriteVirtualMemory()
{
  KIRQL oldIrql;
  ULONG  Address=0;
 
  Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x115 * 4;
 
  (ULONG)OldNtWriteVirtualMemoryAdd = *(ULONG*)Address;
  reentryadd_NtWriteVirtualMemory=OldNtWriteVirtualMemoryAdd+7;
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
 
  *((ULONG*)Address) = (ULONG)NewNtWriteVirtualMemory;  //HOOK SSDT
  KeLowerIrql(oldIrql);
  WPON();
 
  return 1;
}
 
VOID UnDetour_NtWriteVirtualMemory()
{
  KIRQL oldIrql;
  ULONG  Address=0;
 
  Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x115 * 4;
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
 
  *((ULONG*)Address) = (ULONG)OldNtWriteVirtualMemoryAdd;  //HOOK SSDT
  KeLowerIrql(oldIrql);
  WPON();
}
//////////////////////////////////////////////////////////////////////////
 
void __declspec(naked) my_function_detour_MiDoMappedCopy1()
{
  __asm
  {   
    lea     eax,[ebp-0x64]
    push    eax
    push    dword ptr [ebp+8]
    call     _KeStackAttachProcess
 
     
    _emit 0xEA
    _emit 0xAA
    _emit 0xAA
    _emit 0xAA
    _emit 0xAA
    _emit 0x08
    _emit 0x00
  }
}
 
//////////////////////////////////////////////////////////////////////////
 
/*
804f9c32
 
  805b4e5f 8d459c          lea     eax,[ebp-64h]
  805b4e62 50              push    eax
  805b4e63 ff7508          push    dword ptr [ebp+8]
  805b4e66 e8c74df4ff      call    nt!KeStackAttachProcess (804f9c32)
  805b4e6b 897de0          mov     dword ptr [ebp-20h],edi
*/
 
char MiDoMappedCopy1_g_oricode[8];
 
ULONG Pass_MiDoMappedCopy1()

  char *actual_function;
  unsigned long reentry_address;
  KIRQL oldIrql;
  int i = 0;
  unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
 
  actual_function = (char *)(KeStackAttachProcess_Addr+0xBB1f7);
 
  reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xBB203;
 
  *( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_MiDoMappedCopy1;
 
  for(i=0;i<200;i++)
  {
    if( (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy1)[i]) &&
      (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy1)[i+1]) &&
      (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy1)[i+2]) &&
      (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy1)[i+3]))
    {
      WPOFF();
      oldIrql = KeRaiseIrqlToDpcLevel();
      *( (unsigned long *)((ULONG)my_function_detour_MiDoMappedCopy1+i) ) = reentry_address;
      KeLowerIrql(oldIrql);
      WPON();
      break;
    }
  }
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
  for(i=0;i < 7;i++)
  {
    MiDoMappedCopy1_g_oricode[i] = actual_function[i];
    actual_function[i] = newcode[i];
  }
  KeLowerIrql(oldIrql);
  WPON();
 
  return 1;
 
}
 
VOID UnDetour_MiDoMappedCopy1()
{
  char *actual_function = (char *)(KeStackAttachProcess_Addr+0xBB1f7);
  KIRQL oldIrql;
  int i = 0;
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
 
  for(i=0;i < 7;i++)
  {
    actual_function[i] = MiDoMappedCopy1_g_oricode[i];
  }
  KeLowerIrql(oldIrql);
  WPON();
 
 
 
}
//////////////////////////////////////////////////////////////////////////
 
void __declspec(naked) my_function_detour_MiDoMappedCopy2()
{
  __asm
  {   
    lea     eax,[ebp-0x64]
      push    eax
      push    dword ptr [ebp+0x10]
      call     _KeStackAttachProcess
     
      _emit 0xEA
      _emit 0xAA
      _emit 0xAA
      _emit 0xAA
      _emit 0xAA
      _emit 0x08
      _emit 0x00
  }
}
 
/*
804f9c32
 
805b4f19 8d459c          lea     eax,[ebp-64h]
805b4f1c 50              push    eax
805b4f1d ff7510          push    dword ptr [ebp+10h]
805b4f20 e80d4df4ff      call    nt!KeStackAttachProcess (804f9c32)
805b4f25 8b450c          mov     eax,dword ptr [ebp+0Ch]
 
*/
//////////////////////////////////////////////////////////////////////////
 
char MiDoMappedCopy2_g_oricode[8];
 
ULONG Pass_MiDoMappedCopy2()

  char *actual_function;
  unsigned long reentry_address;
  KIRQL oldIrql;
  int i = 0;
  unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
 
  actual_function = (char *)(KeStackAttachProcess_Addr+0xBB2b1);
 
  reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xBB2bd;
 
  *( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_MiDoMappedCopy2;
 
  for(i=0;i<200;i++)
  {
    if( (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy2)[i]) &&
      (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy2)[i+1]) &&
      (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy2)[i+2]) &&
      (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy2)[i+3]))
    {
      WPOFF();
      oldIrql = KeRaiseIrqlToDpcLevel();
      *( (unsigned long *)((ULONG)my_function_detour_MiDoMappedCopy2+i) ) = reentry_address;
      KeLowerIrql(oldIrql);
      WPON();
      break;
    }
  }
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
  for(i=0;i < 7;i++)
  {
    MiDoMappedCopy2_g_oricode[i] = actual_function[i];
    actual_function[i] = newcode[i];
  }
  KeLowerIrql(oldIrql);
  WPON();
 
  return 1;
 
}
 
VOID UnDetour_MiDoMappedCopy2()
{
  char *actual_function = (char *)(KeStackAttachProcess_Addr+0xBB2b1);
  KIRQL oldIrql;
  int i = 0;
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
 
  for(i=0;i < 7;i++)
  {
    actual_function[i] = MiDoMappedCopy2_g_oricode[i];
  }
  KeLowerIrql(oldIrql);
  WPON();
 
 
 
}
 
 
 
//////////////////////////////////////////////////////////////////////////
 
 
 
 
void __declspec(naked) my_function_detour_MiDoPoolCopy1()
{
  __asm
  {   
    lea     eax,[ebp-0x58]
    push    eax
    push    dword ptr [ebp+8]
    call     _KeStackAttachProcess
     
    _emit 0xEA
    _emit 0xAA
    _emit 0xAA
    _emit 0xAA
    _emit 0xAA
    _emit 0x08
    _emit 0x00
  }
}
 
/*
804f9c32
 
805b50b7 8d45a8          lea     eax,[ebp-58h]
805b50ba 50              push    eax
805b50bb ff7508          push    dword ptr [ebp+8]
805b50be e86f4bf4ff      call    nt!KeStackAttachProcess (804f9c32)
805b50c3 33f6            xor     esi,esi
 
*/
 
//////////////////////////////////////////////////////////////////////////
 
char MiDoPoolCopy1_g_oricode[8];
 
 
 
 
ULONG Pass_MiDoPoolCopy1()

  char *actual_function;
  unsigned long reentry_address;
  KIRQL oldIrql;
  int i = 0;
  unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
 
  actual_function = (char *)(KeStackAttachProcess_Addr+0xBB44f);
 
  reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xBB45b;
 
  *( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_MiDoPoolCopy1;
 
  for(i=0;i<200;i++)
  {
    if( (0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy1)[i]) &&
      (0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy1)[i+1]) &&
      (0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy1)[i+2]) &&
      (0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy1)[i+3]))
    {
      WPOFF();
      oldIrql = KeRaiseIrqlToDpcLevel();
      *( (unsigned long *)((ULONG)my_function_detour_MiDoPoolCopy1+i) ) = reentry_address;
      KeLowerIrql(oldIrql);
      WPON();
      break;
    }
  }
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
  for(i=0;i < 7;i++)
  {
    MiDoPoolCopy1_g_oricode[i] = actual_function[i];
    actual_function[i] = newcode[i];
  }
  KeLowerIrql(oldIrql);
  WPON();
 
  return 1;
 
}
 
VOID UnDetour_MiDoPoolCopy1()
{
  char *actual_function = (char *)(KeStackAttachProcess_Addr+0xBB44f);
  KIRQL oldIrql;
  int i = 0;
 
  WPOFF();
  oldIrql = KeRaiseIrqlToDpcLevel();
 
  for(i=0;i < 7;i++)
  {
    actual_function[i] = MiDoPoolCopy1_g_oricode[i];
  }
  KeLowerIrql(oldIrql);
  WPON();
 
 
 
}
//////////////////////////////////////////////////////////////////////////
 
void __declspec(naked) my_function_detour_MiDoPoolCopy2()
{
  __asm
  {   
    lea     eax,[ebp-0x58]
      push    eax
      push    dword ptr [ebp+0x10]
      call     _KeStackAttachProcess
     
      _emit 0xEA
      _emit 0xAA
      _emit 0xAA
      _emit 0xAA
      _emit 0xAA
      _emit 0x08
      _emit 0x00
  }
}
/*
804f9c32
 
  805b511c 8d45a8          lea     eax,[ebp-58h]
  805b511f 50              push    eax
  805b5120 ff7510          push    dword ptr [ebp+10h]
  805b5123 e80a4bf4ff      call    nt!KeStackAttachProcess (804f9c32)
  805b5128 8b450c          mov     eax,dword ptr [ebp+0Ch]
 
*/
//////////////////////////////////////////////////////////////////////////
 
char MiDoPoolCopy2_g_oricode[8];
 
 
ULONG Pass_MiDoPoolCopy2()

  char *actual_function;
  unsigned long reentry_address;
  KIRQL oldIrql;
  int i = 0;
  unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};
 
  actual_function = (char *)(KeStackAttachProcess_Addr+0xBB4b4);
 
  reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xBB4c0;
 
  *( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_MiDoPoolCopy2;
 
  for(i=0;i<200;i++)
  {
    if( (0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy2)[i]) &&