当前位置:免费黑客网-黑客技术,黑客工具,黑客联盟,黑客基地,黑客网站,黑客论坛DDOS黑客技术加密解密
日期:2016-04-26 22:13:48  来源:网络

游戏保护大放送之NP

本人寻求游戏安全方面的工作,请Email:wtxpwh@163.com联系做挂者请绕道!本人不保证此办法现在还生效!蓝屏死机于本人无关!NP这个东西会注入一个dll,,直接在ring0下hook NtCreateSection拦截!直接上代码!代码:#include "struct.h"#include "4BOD.h"//////////////////////////////////////////////////////////////////////////ULONG Pass_NtProcess();VOID UnDetour_NtProcess();ULONG Pass_NtWriteVirtualMemory();VOID UnDetour_NtWriteVirtualMemory();ULONG Pass_NtReadVirtualMemory();VOID UnDetour_NtReadVirtualMemory();ULONG Pass_KiAttachProcess();VOID UnDetour_KiAttachProcess();ULONG Pass_KeStackAttachProcess();VOID UnDetour_KeStackAttachProcess();ULONG Pass_KeStackAttachProcess1();VOID UnDetour_KeStackAttachProcess1();ULONG Pass_MiDoMappedCopy1();VOID UnDetour_MiDoMappedCopy1();ULONG Pass_MiDoMappedCopy2();VOID UnDetour_MiDoMappedCopy2();ULONG Pass_MiDoPoolCopy1();VOID UnDetour_MiDoPoolCopy1();ULONG Pass_MiDoPoolCopy2();VOID UnDetour_MiDoPoolCopy2();ULONG Pass_NtOpenSection();VOID UnDetour_NtOpenSection();ULONG Pass_NtProtectVirtualMemory();VOID UnDetour_NtProtectVirtualMemory();ULONG Pass_NtProtectVirtualMemory2();VOID UnDetour_NtProtectVirtualMemory2();ULONG Pass_NtWriteFile();VOID UnDetour_NtWriteFile();ULONG Pass_NtDeviceIoControlFile();VOID UnDetour_NtDeviceIoControlFile();ULONG Pass_ObpCreateHandle();VOID UnDetour_ObpCreateHandle();ULONG Pass_NtCreateSection();VOID UnDetour_NtCreateSection();ULONG Pass_KeUnstackDetachProcess();VOID UnDetour_KeUnstackDetachProcess();ULONG Pass_NtQueryInformationProcess();VOID UnDetour_NtQueryInformationProcess();void Init_fun();//////////////////////////////////////////////////////////////////////////ULONG KeStackAttachProcess_Addr;ULONG __stdcall IsNPCalled(HANDLE ProcessHandle);char g_pFindOrigCode[8];ULONG KiSystemService_hack_address;PULONG pSSDTKernel;PSERVICE_DESCRIPTOR_TABLE_SHADOW _KeServiceDescriptorTable;PSERVICE_DESCRIPTOR_TABLE_SHADOW ShadowTable;unsigned long SSDT_reentry_address,SSDTDW_reentry_address;void __declspec(naked) my_function_detour_KiFastCallEntry(){ __asm { cmp ecx,10h jne SSDT mov edi,KeServiceDescriptorTable sub edi,0x10 jmp [SSDTDW_reentry_address]SSDT: mov edi,KeServiceDescriptorTable add edi,0x20 jmp [SSDT_reentry_address] }}UCHAR findcode[]={0x83,0xf9,0x10,0x75};VOID FindHackAddr(){ ULONG uSysenter; ULONG i=0; PUCHAR strSysenter; __asm{ mov ecx,0x176 rdmsr mov uSysenter,eax //得到KiFastCallEntry地址 } strSysenter=(PUCHAR)uSysenter; for (i=0;i<0x100;i++) { if ( findcode[0]==strSysenter[i] && findcode[1]==strSysenter[i+1] && findcode[2]==strSysenter[i+2] && findcode[3]==strSysenter[i+3] ) { break; } } KiSystemService_hack_address=uSysenter+i;}ULONG HookSysCall(){ KIRQL oldIrql; ULONG uSysenter; unsigned char newcode[] = { 0xE9, 0x44, 0x33, 0x22, 0x11}; char *actual_function; int i = 0;// __asm{// mov ecx,0x176// rdmsr// mov uSysenter,eax //得到KiFastCallEntry地址// }// KiSystemService_hack_address=uSysenter+0xB3; FindHackAddr(); if (KiSystemService_hack_address==0) { dprintf("find hack address error!\n"); return 0; } actual_function =(char*) KiSystemService_hack_address; SSDT_reentry_address = KiSystemService_hack_address+0x20; SSDTDW_reentry_address = KiSystemService_hack_address+0x5; *( (unsigned long *)(&newcode[1]) ) = (ULONG)my_function_detour_KiFastCallEntry-KiSystemService_hack_address-5; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 5;i++) { g_pFindOrigCode[i] = actual_function[i]; actual_function[i] = newcode[i]; } KeLowerIrql(oldIrql); WPON(); return 1;}void RestoreSSDT(){ int i; char *actual_function = (char *)(KiSystemService_hack_address); KIRQL oldIrql; WPOFF(); KeRaiseIrql( DISPATCH_LEVEL,&oldIrql ); for(i=0;i < 5;i++) { actual_function[i] = g_pFindOrigCode[i]; } KeLowerIrql( oldIrql ); ExFreePool(pSSDTKernel); WPON();}unsigned long AddMyServiceTable(){ ULONG nSDTKerCallLen; __asm { pushad mov eax,KeServiceDescriptorTable mov _KeServiceDescriptorTable,eax sub eax,0x40 mov ShadowTable,eax popad } nSDTKerCallLen = _KeServiceDescriptorTable->ntoskrnl.NumberOfServices; pSSDTKernel = (PULONG)ExAllocatePool( NonPagedPool, nSDTKerCallLen*sizeof(ULONG)/*, 'uvbs'*/ ); if(!pSSDTKernel) { DbgPrint("AddMyServiceTable alloc fail\n"); return 0; } memset( (PVOID)pSSDTKernel, 0, nSDTKerCallLen*sizeof(ULONG)); //填充新的SSDT表 // RtlCopyMemory( (PVOID)pSSDTKernel,(PVOID)_KeServiceDescriptorTable->ntoskrnl.ServiceTableBase,nSDTKerCallLen*sizeof(ULONG) ); RtlCopyMemory( (PVOID)&_KeServiceDescriptorTable->NotUse1, (PVOID)&_KeServiceDescriptorTable->ntoskrnl,sizeof(SERVICE_DESCRIPTOR_TABLE) ); RtlCopyMemory( (PVOID)&ShadowTable->NotUse1,(PVOID)&ShadowTable->ntoskrnl,sizeof(SERVICE_DESCRIPTOR_TABLE)*2); WPOFF(); RtlCopyMemory((PVOID)&_KeServiceDescriptorTable->NotUse1.ServiceTableBase, &pSSDTKernel, sizeof(ULONG)); RtlCopyMemory((PVOID)&ShadowTable->NotUse1.ServiceTableBase, &pSSDTKernel, sizeof(ULONG)); WPON(); return 1;}void RePlaceSSDT(){ if (AddMyServiceTable()) { HookSysCall(); }}//////////////////////////////////////////////////////////////////////////NTSTATUSDriverEntry( PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString ){ NTSTATUS status = STATUS_SUCCESS; UNICODE_STRING ustrLinkName; UNICODE_STRING ustrDevName; PDEVICE_OBJECT pDevObj; dprintf("[4BOD] DriverEntry\n"); pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate; pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose; pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl; pDriverObj->DriverUnload = DriverUnload; RtlInitUnicodeString(&ustrDevName, DEVICE_NAME); status = IoCreateDevice(pDriverObj, 0, &ustrDevName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDevObj); if(!NT_SUCCESS(status)) { dprintf("[4BOD] IoCreateDevice = 0x%x\n", status); return status; } RtlInitUnicodeString(&ustrLinkName, LINK_NAME); status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName); if(!NT_SUCCESS(status)) { dprintf("[4BOD] IoCreateSymbolicLink = 0x%x\n", status); IoDeleteDevice(pDevObj); return status; } Init_fun(); RePlaceSSDT(); Pass_MiDoMappedCopy1(); Pass_MiDoMappedCopy2(); Pass_MiDoPoolCopy1(); Pass_MiDoPoolCopy2(); Pass_ObpCreateHandle(); Pass_NtProcess(); Pass_KiAttachProcess(); Pass_KeStackAttachProcess(); Pass_KeStackAttachProcess1(); Pass_NtReadVirtualMemory(); Pass_NtWriteVirtualMemory(); Pass_NtOpenSection(); Pass_NtCreateSection(); Pass_KeUnstackDetachProcess(); Pass_NtProtectVirtualMemory2(); Pass_NtProtectVirtualMemory(); Pass_NtWriteFile(); Pass_NtDeviceIoControlFile(); Pass_NtQueryInformationProcess(); return STATUS_SUCCESS;}VOIDDriverUnload( PDRIVER_OBJECT pDriverObj ){ UNICODE_STRING strLink; LARGE_INTEGER Delay; RtlInitUnicodeString(&strLink, LINK_NAME); UnDetour_MiDoPoolCopy2(); UnDetour_MiDoPoolCopy1(); UnDetour_MiDoMappedCopy2(); UnDetour_MiDoMappedCopy1(); UnDetour_NtWriteVirtualMemory(); UnDetour_NtReadVirtualMemory(); UnDetour_KeStackAttachProcess1(); UnDetour_KeStackAttachProcess(); UnDetour_KiAttachProcess(); UnDetour_NtOpenSection(); UnDetour_NtCreateSection(); UnDetour_KeUnstackDetachProcess(); UnDetour_NtProcess(); UnDetour_ObpCreateHandle(); UnDetour_NtProtectVirtualMemory2(); UnDetour_NtProtectVirtualMemory(); UnDetour_NtWriteFile(); UnDetour_NtDeviceIoControlFile(); UnDetour_NtQueryInformationProcess(); RestoreSSDT(); Delay.QuadPart = -5000000; KeDelayExecutionThread(KernelMode, TRUE, &Delay); IoDeleteSymbolicLink(&strLink); IoDeleteDevice(pDriverObj->DeviceObject); dprintf("[4BOD] Unloaded\n");}NTSTATUSDispatchCreate( PDEVICE_OBJECT pDevObj, PIRP pIrp ){ pIrp->IoStatus.Status = STATUS_SUCCESS; pIrp->IoStatus.Information = 0; dprintf("[4BOD] IRP_MJ_CREATE\n"); IoCompleteRequest(pIrp, IO_NO_INCREMENT); return STATUS_SUCCESS;}NTSTATUSDispatchClose( PDEVICE_OBJECT pDevObj, PIRP pIrp ){ pIrp->IoStatus.Status = STATUS_SUCCESS; pIrp->IoStatus.Information = 0; dprintf("[4BOD] IRP_MJ_CLOSE\n"); IoCompleteRequest(pIrp, IO_NO_INCREMENT); return STATUS_SUCCESS;}NTSTATUSDispatchIoctl( PDEVICE_OBJECT pDevObj, PIRP pIrp ){ NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST; PIO_STACK_LOCATION pIrpStack; ULONG uIoControlCode; PVOID pIoBuffer; ULONG uInSize; ULONG uOutSize; pIrpStack = IoGetCurrentIrpStackLocation(pIrp); uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode; pIoBuffer = pIrp->AssociatedIrp.SystemBuffer; uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength; uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength; switch(uIoControlCode) { case IOCTL_HELLO: { dprintf("[4BOD] Hello\n"); status = STATUS_SUCCESS; } break; // // 添加执行代码 // } if(status == STATUS_SUCCESS) pIrp->IoStatus.Information = uOutSize; else pIrp->IoStatus.Information = 0; ///////////////////////////////////// pIrp->IoStatus.Status = status; IoCompleteRequest(pIrp, IO_NO_INCREMENT); return status;}//////////////////////////////////////////////////////////////////////////ULONG reentryadd_KiMoveApcState;ULONG old_KiMoveApcState;ULONG Init_KiMoveApcState(){ reentryadd_KiMoveApcState=KeStackAttachProcess_Addr-0x6AD; old_KiMoveApcState=KeStackAttachProcess_Addr-0x6b2; return 1;}VOID __declspec(naked) _KiMoveApcState ( __in PKAPC_STATE Source, __out PKAPC_STATE Destination ){ __asm { push 0 call IsNPCalled cmp eax,1 jnz KiMoveApcState_ENT1 push ebp mov ebp,esp jmp [reentryadd_KiMoveApcState]KiMoveApcState_ENT1: cmp eax,0 jnz KiMoveApcState_ENT2 jmp [old_KiMoveApcState]KiMoveApcState_ENT2: mov eax,0 ret 8 }}//////////////////////////////////////////////////////////////////////////void __declspec(naked) my_function_detour_KiAttachProcess(){ __asm { inc word ptr [edi+0x60] lea ebx,[esi+0x34] push ebx call _KiMoveApcState _emit 0xEA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0x08 _emit 0x00 }}//////////////////////////////////////////////////////////////////////////char KiAttachProcess_g_oricode[8];ULONG Pass_KiAttachProcess(){ char *actual_function; unsigned long reentry_address; KIRQL oldIrql; int i = 0; unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00}; actual_function = (char *)(KeStackAttachProcess_Addr-0x219); reentry_address = ((unsigned long)KeStackAttachProcess_Addr) - 0x20c; *( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_KiAttachProcess; for(i=0;i<200;i++) { if( (0xAA == ((unsigned char *)my_function_detour_KiAttachProcess)[i]) && (0xAA == ((unsigned char *)my_function_detour_KiAttachProcess)[i+1]) && (0xAA == ((unsigned char *)my_function_detour_KiAttachProcess)[i+2]) && (0xAA == ((unsigned char *)my_function_detour_KiAttachProcess)[i+3])) { WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *( (unsigned long *)((ULONG)my_function_detour_KiAttachProcess+i) ) = reentry_address; KeLowerIrql(oldIrql); WPON(); break; } } WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { KiAttachProcess_g_oricode[i] = actual_function[i]; actual_function[i] = newcode[i]; } KeLowerIrql(oldIrql); WPON(); return 1;}VOID UnDetour_KiAttachProcess(){ char *actual_function = (char *)(KeStackAttachProcess_Addr-0x219); KIRQL oldIrql; int i = 0; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { actual_function[i] = KiAttachProcess_g_oricode[i]; } KeLowerIrql(oldIrql); WPON();}//返回-1:拒绝访问//返回0 :走NP HOOK//返回1 :绕过NP HOOK//////////////////////////////////////////////////////////////////////////////ULONG __stdcall IsNPCalled(HANDLE ProcessHandle){ NTSTATUS status; PEPROCESS pEProcess=0; char* proname=0; if (!_stricmp("GameMon.des",GetProcessNameFromEProc(0))) { if (!ProcessHandle) { return 0; } status = ObReferenceObjectByHandle(ProcessHandle,PROCESS_ALL_ACCESS,NULL,0,&pEProcess,NULL); if(!NT_SUCCESS(status)) { DbgPrint("ObReferenceObjectByHandle fail! %08x \n",status); return 0; } ObDereferenceObject(pEProcess); proname=GetProcessNameFromEProc(pEProcess); if (!_stricmp("OllyDBG.EXE",proname)) { return -1; } else if (!_stricmp("ImmunityDebugger.exe",proname)) { return -1; } else if (!_stricmp("DeRoX.exe",proname)) { return -1; } else { return 0; } return 0; } else if (!_stricmp("AION.bin",GetProcessNameFromEProc(0))) { if (!ProcessHandle) { return 0; } status = ObReferenceObjectByHandle(ProcessHandle,PROCESS_ALL_ACCESS,NULL,0,&pEProcess,NULL); if(!NT_SUCCESS(status)) { DbgPrint("ObReferenceObjectByHandle fail! %08x \n",status); return 0; } ObDereferenceObject(pEProcess); proname=GetProcessNameFromEProc(pEProcess); if (!_stricmp("OllyDBG.EXE",proname)) { return -1; } else if (!_stricmp("ImmunityDebugger.exe",proname)) { return -1; } else if (!_stricmp("DeRoX.exe",proname)) { return -1; } else { return 0; } return 0; } else if (!_stricmp("OllyDBG.EXE",GetProcessNameFromEProc(0))) { return 1; } else if (!_stricmp("ImmunityDebugger.exe",GetProcessNameFromEProc(0))) { return 1; } else if (!_stricmp("DeRoX.exe",GetProcessNameFromEProc(0))) { return 1; } else { return 0; }}//////////////////////////////////////////////////////////////////////////ULONG __stdcall IsNPCalled_EP(PEPROCESS EProcess){ NTSTATUS status; PEPROCESS pEProcess=0; char* proname=0; if (!_stricmp("GameMon.des",GetProcessNameFromEProc(0))) { if (!EProcess) { return 0; } proname=GetProcessNameFromEProc(EProcess); if (!_stricmp("OllyDBG.EXE",proname)) { return -1; } else if (!_stricmp("ImmunityDebugger.exe",proname)) { return -1; } else if (!_stricmp("DeRoX.exe",proname)) { return -1; } else { return 0; } return 0; } else if (!_stricmp("AION.bin",GetProcessNameFromEProc(0))) { if (!EProcess) { return 0; } proname=GetProcessNameFromEProc(EProcess); if (!_stricmp("OllyDBG.EXE",proname)) { return -1; } else if (!_stricmp("ImmunityDebugger.exe",proname)) { return -1; } else if (!_stricmp("DeRoX.exe",proname)) { return -1; } else { return 0; } return 0; } else if (!_stricmp("OllyDBG.EXE",GetProcessNameFromEProc(0))) { return 1; } else if (!_stricmp("ImmunityDebugger.exe",GetProcessNameFromEProc(0))) { return 1; } else if (!_stricmp("DeRoX.exe",GetProcessNameFromEProc(0))) { return 1; } else { return 0; }}//////////////////////////////////////////////////////////////////////////ULONG reentryadd_KiAttachProcess;ULONG old_KiAttachProcess;ULONG Init_KiAttachProcess(){ reentryadd_KiAttachProcess=KeStackAttachProcess_Addr-0x225; old_KiAttachProcess=KeStackAttachProcess_Addr-0x22a; return 1;}VOID __declspec(naked) _KiAttachProcess ( __inout PRKTHREAD Thread, __in PRKPROCESS Process, __in PKLOCK_QUEUE_HANDLE LockHandle, __out PRKAPC_STATE SavedApcState ){ __asm { //push [esp+8] push 0 call IsNPCalled_EP cmp eax,1 jnz KiAttachProcess_ENT1 push ebp mov ebp,esp jmp [reentryadd_KiAttachProcess]KiAttachProcess_ENT1: cmp eax,0 jnz KiAttachProcess_ENT2 jmp [old_KiAttachProcess]KiAttachProcess_ENT2: mov eax,0 ret 0x10 }}//////////////////////////////////////////////////////////////////////////void __declspec(naked) my_function_detour_KeStackAttachProcess(){ __asm { push edi push esi call _KiAttachProcess _emit 0xEA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0x08 _emit 0x00 }}//////////////////////////////////////////////////////////////////////////char KeStackAttachProcess_g_oricode[8];ULONG Pass_KeStackAttachProcess(){ char *actual_function; unsigned long reentry_address; KIRQL oldIrql; int i = 0; unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00}; actual_function = (char *)(KeStackAttachProcess_Addr+0x63); reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0x6a; *( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_KeStackAttachProcess; for(i=0;i<200;i++) { if( (0xAA == ((unsigned char *)my_function_detour_KeStackAttachProcess)[i]) && (0xAA == ((unsigned char *)my_function_detour_KeStackAttachProcess)[i+1]) && (0xAA == ((unsigned char *)my_function_detour_KeStackAttachProcess)[i+2]) && (0xAA == ((unsigned char *)my_function_detour_KeStackAttachProcess)[i+3])) { WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *( (unsigned long *)((ULONG)my_function_detour_KeStackAttachProcess+i) ) = reentry_address; KeLowerIrql(oldIrql); WPON(); break; } } WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { KeStackAttachProcess_g_oricode[i] = actual_function[i]; actual_function[i] = newcode[i]; } KeLowerIrql(oldIrql); WPON(); return 1;}VOID UnDetour_KeStackAttachProcess(){ char *actual_function = (char *)(KeStackAttachProcess_Addr+0x63); KIRQL oldIrql; int i = 0; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { actual_function[i] = KeStackAttachProcess_g_oricode[i]; } KeLowerIrql(oldIrql); WPON();}//////////////////////////////////////////////////////////////////////////void __declspec(naked) _detour_KeStackAttachProcess1(){ __asm { push edi push esi mov esi,esi call _KiAttachProcess _emit 0xEA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0x08 _emit 0x00 }}//////////////////////////////////////////////////////////////////////////char KeStackAttachProcess1_g_oricode[8];ULONG Pass_KeStackAttachProcess1(){ char *actual_function; unsigned long reentry_address; KIRQL oldIrql; int i = 0; unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00}; actual_function = (char *)(KeStackAttachProcess_Addr+0x76); reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0x7d; *( (unsigned long *)(&newcode[1]) ) = (unsigned long)_detour_KeStackAttachProcess1; for(i=0;i<200;i++) { if( (0xAA == ((unsigned char *)_detour_KeStackAttachProcess1)[i]) && (0xAA == ((unsigned char *)_detour_KeStackAttachProcess1)[i+1]) && (0xAA == ((unsigned char *)_detour_KeStackAttachProcess1)[i+2]) && (0xAA == ((unsigned char *)_detour_KeStackAttachProcess1)[i+3])) { WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *( (unsigned long *)((ULONG)_detour_KeStackAttachProcess1+i) ) = reentry_address; KeLowerIrql(oldIrql); WPON(); break; } } WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { KeStackAttachProcess1_g_oricode[i] = actual_function[i]; actual_function[i] = newcode[i]; } KeLowerIrql(oldIrql); WPON(); return 1;}VOID UnDetour_KeStackAttachProcess1(){ char *actual_function = (char *)(KeStackAttachProcess_Addr+0x76); KIRQL oldIrql; int i = 0; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { actual_function[i] = KeStackAttachProcess1_g_oricode[i]; } KeLowerIrql(oldIrql); WPON();}//////////////////////////////////////////////////////////////////////////void __declspec(naked) my_function_detour_KeUnstackDetachProcess(){ __asm { lea ebx,[esi+0x14C] push ebx call _KiMoveApcState _emit 0xEA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0x08 _emit 0x00 }}//NtAllocateVirtualMemory//////////////////////////////////////////////////////////////////////////char KeUnstackDetachProcess_g_oricode[8];ULONG KeUnstackDetachProcess_g_KiInsertQueueApc;ULONG Pass_KeUnstackDetachProcess(){ char *actual_function; unsigned long reentry_address; KIRQL oldIrql; int i = 0; unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};KeUnstackDetachProcess_g_KiInsertQueueApc=GetFunctionAddr(L"KeUnstackDetachProcess"); actual_function = (char *)(KeUnstackDetachProcess_g_KiInsertQueueApc+0xbe); reentry_address = ((unsigned long)KeUnstackDetachProcess_g_KiInsertQueueApc) + 0xca; *( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_KeUnstackDetachProcess; for(i=0;i<200;i++) { if( (0xAA == ((unsigned char *)my_function_detour_KeUnstackDetachProcess)[i]) && (0xAA == ((unsigned char *)my_function_detour_KeUnstackDetachProcess)[i+1]) && (0xAA == ((unsigned char *)my_function_detour_KeUnstackDetachProcess)[i+2]) && (0xAA == ((unsigned char *)my_function_detour_KeUnstackDetachProcess)[i+3])) { WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *( (unsigned long *)((ULONG)my_function_detour_KeUnstackDetachProcess+i) ) = reentry_address; KeLowerIrql(oldIrql); WPON(); break; } } WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { KeUnstackDetachProcess_g_oricode[i] = actual_function[i]; actual_function[i] = newcode[i]; } KeLowerIrql(oldIrql); WPON(); return 1;}VOID UnDetour_KeUnstackDetachProcess(){ char *actual_function = (char *)(KeUnstackDetachProcess_g_KiInsertQueueApc+0xbe); KIRQL oldIrql; int i = 0; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { actual_function[i] = KeUnstackDetachProcess_g_oricode[i]; }KeLowerIrql(oldIrql); WPON();}//////////////////////////////////////////////////////////////////////////ULONG reentryadd_KeStackAttachProcess;ULONG old_KeStackAttachProcess;ULONG Init_KeStackAttachProcess(){ reentryadd_KeStackAttachProcess=KeStackAttachProcess_Addr+5; old_KeStackAttachProcess=KeStackAttachProcess_Addr; return 1;}__declspec(naked) VOID _KeStackAttachProcess ( __inout PRKPROCESS Process, __out PRKAPC_STATE ApcState ) { __asm { push [esp+4] call IsNPCalled_EP cmp eax,1 jnz KeStackAttachProcess_ENT1 push ebp mov ebp,esp jmp [reentryadd_KeStackAttachProcess]KeStackAttachProcess_ENT1: cmp eax,0 jnz KeStackAttachProcess_ENT2 jmp [old_KeStackAttachProcess]KeStackAttachProcess_ENT2: mov eax,0 ret 0x8 }}///////////////////////////////////////////////////////////////////////////*805be616 8d45d0 lea eax,[ebp-30h]805be619 50 push eax805be61a 51 push ecx805be61b e812b6f3ff call nt!KeStackAttachProcess (804f9c32)805be620 c645ff01 mov byte ptr [ebp-1],1*/void __declspec(naked) _detour_ObpCreateHandle(){ __asm { lea eax,[ebp-0x30] push eax push ecx call _KeStackAttachProcess _emit 0xEA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0x08 _emit 0x00 }}//////////////////////////////////////////////////////////////////////////char ObpCreateHandle_g_oricode[12];ULONG Pass_ObpCreateHandle(){ char *actual_function; unsigned long reentry_address; KIRQL oldIrql; int i = 0; unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00,0x90,0x90,0x90}; actual_function = (char *)(KeStackAttachProcess_Addr+0xC49ae); reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xC49b8; *( (unsigned long *)(&newcode[1]) ) = (unsigned long)_detour_ObpCreateHandle; for(i=0;i<200;i++) { if( (0xAA == ((unsigned char *)_detour_ObpCreateHandle)[i]) && (0xAA == ((unsigned char *)_detour_ObpCreateHandle)[i+1]) && (0xAA == ((unsigned char *)_detour_ObpCreateHandle)[i+2]) && (0xAA == ((unsigned char *)_detour_ObpCreateHandle)[i+3])) { WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *( (unsigned long *)((ULONG)_detour_ObpCreateHandle+i) ) = reentry_address; KeLowerIrql(oldIrql); WPON(); break; } } WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 10;i++) { ObpCreateHandle_g_oricode[i] = actual_function[i]; actual_function[i] = newcode[i]; } KeLowerIrql(oldIrql); WPON(); return 1;}VOID UnDetour_ObpCreateHandle(){ char *actual_function = (char *)(KeStackAttachProcess_Addr+0xC49ae); KIRQL oldIrql; int i = 0; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 10;i++) { actual_function[i] = ObpCreateHandle_g_oricode[i]; } KeLowerIrql(oldIrql); WPON();}//////////////////////////////////////////////////////////////////////////ULONG OldNtReadVirtualMemoryAdd;ULONG reentryadd_NtReadVirtualMemory;__declspec(naked) NTSTATUS NewNtReadVirtualMemory(){ __asm { push [esp+4] call IsNPCalled cmp eax,1 jnz NtReadVirtualMemory_ENT1 push 0x1c push 0x804daef0 jmp [reentryadd_NtReadVirtualMemory]NtReadVirtualMemory_ENT1: cmp eax,0 jnz NtReadVirtualMemory_ENT2 jmp [OldNtReadVirtualMemoryAdd]NtReadVirtualMemory_ENT2: mov eax,0 ret 0x14 }}//////////////////////////////////////////////////////////////////////////NtReadVirtualMemoryULONG Pass_NtReadVirtualMemory(){ KIRQL oldIrql; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0xBA * 4; //得到NtReadVirtualMemory的服务地址 www.2cto.com (ULONG)OldNtReadVirtualMemoryAdd = *(ULONG*)Address; //保存此地址 reentryadd_NtReadVirtualMemory=OldNtReadVirtualMemoryAdd+7; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *((ULONG*)Address) = (ULONG)NewNtReadVirtualMemory; //HOOK SSDT KeLowerIrql(oldIrql); WPON(); return 1;}//反补丁,用于最后恢复用VOID UnDetour_NtReadVirtualMemory(){ KIRQL oldIrql; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0xBA * 4; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *((ULONG*)Address) = (ULONG)OldNtReadVirtualMemoryAdd; //HOOK SSDT KeLowerIrql(oldIrql); WPON();}ULONG reentryadd_NtWriteVirtualMemory;ULONG OldNtWriteVirtualMemoryAdd;__declspec(naked) NTSTATUS NewNtWriteVirtualMemory(){ __asm { push [esp+4] call IsNPCalled cmp eax,1 jnz NtWriteVirtualMemory_ENT1 push 0x1c push 0x804daf08 jmp [reentryadd_NtWriteVirtualMemory]NtWriteVirtualMemory_ENT1: cmp eax,0 jnz NtWriteVirtualMemory_ENT2 jmp [OldNtWriteVirtualMemoryAdd]NtWriteVirtualMemory_ENT2: mov eax,0 ret 0x14 }}//////////////////////////////////////////////////////////////////////////ULONG Pass_NtWriteVirtualMemory(){ KIRQL oldIrql; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x115 * 4; (ULONG)OldNtWriteVirtualMemoryAdd = *(ULONG*)Address; reentryadd_NtWriteVirtualMemory=OldNtWriteVirtualMemoryAdd+7; WPOFF();oldIrql = KeRaiseIrqlToDpcLevel(); *((ULONG*)Address) = (ULONG)NewNtWriteVirtualMemory; //HOOK SSDT KeLowerIrql(oldIrql); WPON(); return 1;}VOID UnDetour_NtWriteVirtualMemory(){ KIRQL oldIrql; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x115 * 4; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *((ULONG*)Address) = (ULONG)OldNtWriteVirtualMemoryAdd; //HOOK SSDT KeLowerIrql(oldIrql); WPON();}//////////////////////////////////////////////////////////////////////////void __declspec(naked) my_function_detour_MiDoMappedCopy1(){ __asm { lea eax,[ebp-0x64] push eax push dword ptr [ebp+8] call _KeStackAttachProcess _emit 0xEA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0x08 _emit 0x00 }}///////////////////////////////////////////////////////////////////////////*804f9c32 805b4e5f 8d459c lea eax,[ebp-64h] 805b4e62 50 push eax 805b4e63 ff7508 push dword ptr [ebp+8] 805b4e66 e8c74df4ff call nt!KeStackAttachProcess (804f9c32) 805b4e6b 897de0 mov dword ptr [ebp-20h],edi*/char MiDoMappedCopy1_g_oricode[8];ULONG Pass_MiDoMappedCopy1(){ char *actual_function; unsigned long reentry_address; KIRQL oldIrql; int i = 0; unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00}; actual_function = (char *)(KeStackAttachProcess_Addr+0xBB1f7); reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xBB203; *( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_MiDoMappedCopy1; for(i=0;i<200;i++) { if( (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy1)[i]) && (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy1)[i+1]) && (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy1)[i+2]) && (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy1)[i+3])) { WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *( (unsigned long *)((ULONG)my_function_detour_MiDoMappedCopy1+i) ) = reentry_address; KeLowerIrql(oldIrql); WPON(); break; } } WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { MiDoMappedCopy1_g_oricode[i] = actual_function[i]; actual_function[i] = newcode[i]; } KeLowerIrql(oldIrql); WPON(); return 1;}VOID UnDetour_MiDoMappedCopy1(){ char *actual_function = (char *)(KeStackAttachProcess_Addr+0xBB1f7); KIRQL oldIrql; int i = 0; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { actual_function[i] = MiDoMappedCopy1_g_oricode[i]; } KeLowerIrql(oldIrql); WPON();}//////////////////////////////////////////////////////////////////////////void __declspec(naked) my_function_detour_MiDoMappedCopy2(){ __asm { lea eax,[ebp-0x64] push eax push dword ptr [ebp+0x10] call _KeStackAttachProcess _emit 0xEA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0x08 _emit 0x00 }}/*804f9c32805b4f19 8d459c lea eax,[ebp-64h]805b4f1c 50 push eax805b4f1d ff7510 push dword ptr [ebp+10h]805b4f20 e80d4df4ff call nt!KeStackAttachProcess (804f9c32)805b4f25 8b450c mov eax,dword ptr [ebp+0Ch]*///////////////////////////////////////////////////////////////////////////char MiDoMappedCopy2_g_oricode[8];ULONG Pass_MiDoMappedCopy2(){ char *actual_function; unsigned long reentry_address; KIRQL oldIrql; int i = 0; unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00}; actual_function = (char *)(KeStackAttachProcess_Addr+0xBB2b1); reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xBB2bd; *( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_MiDoMappedCopy2; for(i=0;i<200;i++) { if( (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy2)[i]) && (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy2)[i+1]) && (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy2)[i+2]) && (0xAA == ((unsigned char *)my_function_detour_MiDoMappedCopy2)[i+3])) { WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *( (unsigned long *)((ULONG)my_function_detour_MiDoMappedCopy2+i) ) = reentry_address; KeLowerIrql(oldIrql); WPON(); break; } } WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { MiDoMappedCopy2_g_oricode[i] = actual_function[i]; actual_function[i] = newcode[i]; } KeLowerIrql(oldIrql); WPON(); return 1;}VOID UnDetour_MiDoMappedCopy2(){ char *actual_function = (char *)(KeStackAttachProcess_Addr+0xBB2b1); KIRQL oldIrql; int i = 0; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { actual_function[i] = MiDoMappedCopy2_g_oricode[i]; } KeLowerIrql(oldIrql); WPON();}//////////////////////////////////////////////////////////////////////////void __declspec(naked) my_function_detour_MiDoPoolCopy1(){ __asm { lea eax,[ebp-0x58] push eax push dword ptr [ebp+8] call _KeStackAttachProcess _emit 0xEA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0x08 _emit 0x00 }}/*804f9c32805b50b7 8d45a8 lea eax,[ebp-58h]805b50ba 50 push eax805b50bb ff7508 push dword ptr [ebp+8]805b50be e86f4bf4ff call nt!KeStackAttachProcess (804f9c32)805b50c3 33f6 xor esi,esi*///////////////////////////////////////////////////////////////////////////char MiDoPoolCopy1_g_oricode[8];ULONG Pass_MiDoPoolCopy1(){ char *actual_function; unsigned long reentry_address; KIRQL oldIrql; int i = 0; unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00}; actual_function = (char *)(KeStackAttachProcess_Addr+0xBB44f); reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xBB45b; *( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_MiDoPoolCopy1; for(i=0;i<200;i++) { if( (0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy1)[i]) && (0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy1)[i+1]) && (0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy1)[i+2]) && (0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy1)[i+3])) { WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *( (unsigned long *)((ULONG)my_function_detour_MiDoPoolCopy1+i) ) = reentry_address; KeLowerIrql(oldIrql); WPON(); break; } } WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { MiDoPoolCopy1_g_oricode[i] = actual_function[i]; actual_function[i] = newcode[i]; } KeLowerIrql(oldIrql); WPON(); return 1;}VOID UnDetour_MiDoPoolCopy1(){ char *actual_function = (char *)(KeStackAttachProcess_Addr+0xBB44f); KIRQL oldIrql; int i = 0; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { actual_function[i] = MiDoPoolCopy1_g_oricode[i]; } KeLowerIrql(oldIrql); WPON();}//////////////////////////////////////////////////////////////////////////void __declspec(naked) my_function_detour_MiDoPoolCopy2(){ __asm { lea eax,[ebp-0x58] push eax push dword ptr [ebp+0x10] call _KeStackAttachProcess _emit 0xEA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0x08 _emit 0x00 }}/*804f9c32 805b511c 8d45a8 lea eax,[ebp-58h] 805b511f 50 push eax 805b5120 ff7510 push dword ptr [ebp+10h] 805b5123 e80a4bf4ff call nt!KeStackAttachProcess (804f9c32) 805b5128 8b450c mov eax,dword ptr [ebp+0Ch]*///////////////////////////////////////////////////////////////////////////char MiDoPoolCopy2_g_oricode[8];ULONG Pass_MiDoPoolCopy2(){ char *actual_function; unsigned long reentry_address; KIRQL oldIrql; int i = 0; unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00}; actual_function = (char *)(KeStackAttachProcess_Addr+0xBB4b4); reentry_address = ((unsigned long)KeStackAttachProcess_Addr) + 0xBB4c0; *( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_MiDoPoolCopy2; for(i=0;i<200;i++) { if( (0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy2)[i]) && (0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy2)[i+1]) && (0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy2)[i+2]) && (0xAA == ((unsigned char *)my_function_detour_MiDoPoolCopy2)[i+3])) { WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *( (unsigned long *)((ULONG)my_function_detour_MiDoPoolCopy2+i) ) = reentry_address; KeLowerIrql(oldIrql); WPON(); break; } } WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { MiDoPoolCopy2_g_oricode[i] = actual_function[i]; actual_function[i] = newcode[i]; } KeLowerIrql(oldIrql); WPON(); return 1;}VOID UnDetour_MiDoPoolCopy2(){ char *actual_function = (char *)(KeStackAttachProcess_Addr+0xBB4b4); KIRQL oldIrql; int i = 0; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { actual_function[i] = MiDoPoolCopy2_g_oricode[i]; } KeLowerIrql(oldIrql); WPON();}//////////////////////////////////////////////////////////////////////////NtOpenProcessULONG OldNtProcessAdd;ULONG reentryadd_NtWriteVirtualMemory;NTSTATUS_NtOpenProcess ( __out PHANDLE ProcessHandle, __in ACCESS_MASK DesiredAccess, __in POBJECT_ATTRIBUTES ObjectAttributes, __in_opt PCLIENT_ID ClientId ){ HANDLE Handle; KPROCESSOR_MODE PreviousMode; NTSTATUS Status; PEPROCESS Process; PETHREAD Thread; CLIENT_ID CapturedCid={0}; BOOLEAN ObjectNamePresent; BOOLEAN ClientIdPresent; ACCESS_STATE AccessState; AUX_ACCESS_DATA AuxData; ULONG Attributes; LUID SeDebugPrivilege = {0}; POBJECT_TYPE _PsProcessType; PEPROCESS tempeprocess; if (!_stricmp("GameMon.des",GetProcessNameFromEProc(0))) { PsLookupProcessByProcessId(ClientId->UniqueProcess,&tempeprocess); __try { if (!_stricmp("OllyDBG.EXE",GetProcessNameFromEProc(tempeprocess)) || !_stricmp("ImmunityDebugger.exe",GetProcessNameFromEProc(tempeprocess)) || !_stricmp("DeRoX.exe",GetProcessNameFromEProc(tempeprocess))) { return STATUS_ACCESS_DENIED; } } __except (EXCEPTION_EXECUTE_HANDLER) { DbgPrint("GetExceptionCode %08x",GetExceptionCode()); // return GetExceptionCode(); } return NtOpenProcess(ProcessHandle,DesiredAccess,ObjectAttributes, ClientId); } (ULONG)_PsProcessType=*(ULONG*)PsProcessType; PreviousMode = KeGetPreviousMode(); SeDebugPrivilege =RtlConvertLongToLuid(SE_DEBUG_PRIVILEGE); if (PreviousMode != KernelMode) { __try { ProbeForWriteHandle (ProcessHandle); ProbeForReadSmallStructure (ObjectAttributes, sizeof(OBJECT_ATTRIBUTES), sizeof(ULONG)); ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT (ObjectAttributes->ObjectName); Attributes = ObSanitizeHandleAttributes (ObjectAttributes->Attributes, UserMode); if (ARGUMENT_PRESENT (ClientId)) { ProbeForReadSmallStructure (ClientId, sizeof (CLIENT_ID), sizeof (ULONG)); CapturedCid = *ClientId; ClientIdPresent = TRUE; } else { ClientIdPresent = FALSE; } } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } else { ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT (ObjectAttributes->ObjectName); Attributes = ObSanitizeHandleAttributes (ObjectAttributes->Attributes, KernelMode); if (ARGUMENT_PRESENT (ClientId)) { CapturedCid = *ClientId; ClientIdPresent = TRUE; } else { ClientIdPresent = FALSE; } } if (ObjectNamePresent && ClientIdPresent) { return STATUS_INVALID_PARAMETER_MIX; } Status = SeCreateAccessState( &AccessState, &AuxData, DesiredAccess, &_PsProcessType->TypeInfo.GenericMapping ); if ( !NT_SUCCESS(Status) ) { return Status; } if (SeSinglePrivilegeCheck( SeDebugPrivilege, PreviousMode )) { if ( AccessState.RemainingDesiredAccess & MAXIMUM_ALLOWED ) { AccessState.PreviouslyGrantedAccess |= PROCESS_ALL_ACCESS; } else { AccessState.PreviouslyGrantedAccess |= ( AccessState.RemainingDesiredAccess ); } AccessState.RemainingDesiredAccess = 0; } if (ObjectNamePresent) { Status = ObOpenObjectByName( ObjectAttributes, _PsProcessType, PreviousMode, &AccessState, 0, NULL, &Handle ); SeDeleteAccessState( &AccessState ); if ( NT_SUCCESS(Status) ) { __try { *ProcessHandle = Handle; } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode (); } } return Status; } if ( ClientIdPresent ) { Thread = NULL; if (CapturedCid.UniqueThread) { Status = PsLookupProcessThreadByCid( &CapturedCid, &Process, &Thread ); if (!NT_SUCCESS(Status)) { SeDeleteAccessState( &AccessState ); return Status; } } else { Status = PsLookupProcessByProcessId( CapturedCid.UniqueProcess, &Process ); if ( !NT_SUCCESS(Status) ) { SeDeleteAccessState( &AccessState ); return Status; } } // // OpenObjectByAddress // Status = ObOpenObjectByPointer( Process, Attributes, &AccessState, 0, _PsProcessType, PreviousMode, &Handle ); SeDeleteAccessState( &AccessState ); if (Thread) { ObDereferenceObject(Thread); } ObDereferenceObject(Process); if (NT_SUCCESS (Status)) { __try { *ProcessHandle = Handle; } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode (); } } return Status; } return STATUS_INVALID_PARAMETER_MIX;}ULONG Pass_NtProcess(){ KIRQL oldIrql; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x7A * 4; OldNtProcessAdd = *(ULONG*)Address; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *((ULONG*)Address) = (ULONG)_NtOpenProcess; //HOOK SSDT KeLowerIrql(oldIrql); WPON(); return 1;}VOID UnDetour_NtProcess(){ KIRQL oldIrql; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x7A * 4; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *((ULONG*)Address) = OldNtProcessAdd; //HOOK SSDT KeLowerIrql(oldIrql); WPON();}//////////////////////////////////////////////////////////////////////////NTKERNELAPIPEPROCESSPsGetThreadProcess( IN PETHREAD Thread );typedef NTSTATUS (*NTCREATESECTION)( OUT PHANDLE SectionHandle, IN ULONG DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG PageAttributess, IN ULONG SectionAttributes, IN HANDLE FileHandle OPTIONAL );//////////////////////////////////////////////////////////////////////////NTCREATESECTION OldZwCreateSection;NTSTATUSNTAPINewNtCreateSection( OUT PHANDLE SectionHandle, IN ULONG DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG PageAttributess, IN ULONG SectionAttributes, IN HANDLE FileHandle OPTIONAL ){ PFILE_OBJECT pFileObject; OBJECT_HANDLE_INFORMATION HandleInformationObject; ANSI_STRING ansi_FileName; UNICODE_STRING uni_DosName, uni_FullName; char * ParentImage; NTSTATUS nStatus=0; ParentImage=GetProcessNameFromEProc( PsGetThreadProcess(PsGetCurrentThread()));// DbgPrint("调用者%s",GetProcessNameFromEProc( PsGetThreadProcess(PsGetCurrentThread()) )); if (!_stricmp(ParentImage,"ImmunityDebugger.exe") || !_stricmp(ParentImage,"DeRoX.exe") || !_stricmp(ParentImage,"OllyDBG.EXE")) { nStatus=ObReferenceObjectByHandle(FileHandle,0,0,KernelMode,&pFileObject,&HandleInformationObject); if(pFileObject != NULL && nStatus==0) { uni_DosName.Buffer = (PWSTR)ExAllocatePool(PagedPool,16); uni_DosName.MaximumLength = 8; uni_FullName.Buffer = (PWSTR)ExAllocatePool(PagedPool,0x200); uni_FullName.MaximumLength = 0x200; RtlVolumeDeviceToDosName(pFileObject->DeviceObject, &uni_DosName); RtlCopyUnicodeString(&uni_FullName, &uni_DosName); RtlAppendUnicodeStringToString(&uni_FullName,&((PFILE_OBJECT)pFileObject)->FileName); RtlUnicodeStringToAnsiString(&ansi_FileName,&uni_FullName,TRUE); // DbgPrint("被调者%s",ansi_FileName.Buffer); ansi_FileName.Buffer = _strupr(ansi_FileName.Buffer); if(strstr(ansi_FileName.Buffer,"\\BIN32\\GAMEGUARD\\NPGGNT.DES")) { *SectionHandle = NULL; //返回SectionHandle无效 ObDereferenceObject(pFileObject); DbgPrint("DENIED NPGGNT.DES OK!"); RtlFreeAnsiString(&ansi_FileName); ExFreePool(uni_DosName.Buffer); ExFreePool(uni_FullName.Buffer); return STATUS_ACCESS_DENIED; } ObDereferenceObject(pFileObject); RtlFreeAnsiString(&ansi_FileName); ExFreePool(uni_DosName.Buffer); ExFreePool(uni_FullName.Buffer); return OldZwCreateSection(SectionHandle,DesiredAccess,ObjectAttributes, MaximumSize,PageAttributess,SectionAttributes,FileHandle); } } return OldZwCreateSection(SectionHandle,DesiredAccess,ObjectAttributes, MaximumSize,PageAttributess,SectionAttributes,FileHandle);}//////////////////////////////////////////////////////////////////////////ULONG Pass_NtCreateSection(){ char *actual_function; KIRQL oldIrql; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x32 * 4; (unsigned long)OldZwCreateSection=*(unsigned long*)Address; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *(unsigned long*)Address=(unsigned long)NewNtCreateSection; KeLowerIrql(oldIrql); WPON(); return 1;}VOID UnDetour_NtCreateSection(){ ULONG Address=0; KIRQL oldIrql; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x32 * 4; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *(unsigned long*)Address=(unsigned long)OldZwCreateSection; KeLowerIrql(oldIrql); WPON();}//////////////////////////////////////////////////////////////////////////ULONG OldNtOpenSectionAdd; //原来NtReadVirtualMemory的服务地址ULONG reentryadd_NtOpenSection;__declspec(naked) NTSTATUS NewNtOpenSection(){ __asm { push 0 call IsNPCalled cmp eax,0 jnz NtOpenSection_ENT1 jmp [OldNtOpenSectionAdd]NtOpenSection_ENT1: push 0x18 push 0x804dad00 jmp [reentryadd_NtOpenSection] }}ULONG Pass_NtOpenSection(){ KIRQL oldIrql; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x7d * 4; OldNtOpenSectionAdd = *(ULONG*)Address; //保存此地址 reentryadd_NtOpenSection=OldNtOpenSectionAdd+7; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *((ULONG*)Address) = (ULONG)NewNtOpenSection; //HOOK SSDT KeLowerIrql(oldIrql); WPON(); return 1;}//反补丁,用于最后恢复用VOID UnDetour_NtOpenSection(){ KIRQL oldIrql; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x7d * 4; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *((ULONG*)Address) = OldNtOpenSectionAdd; //HOOK SSDT KeLowerIrql(oldIrql); WPON();}//////////////////////////////////////////////////////////////////////////ULONG OldNtProtectVirtualMemoryAdd; //原来NtReadVirtualMemory的服务地址ULONG reentryadd_NtProtectVirtualMemory;__declspec(naked) NTSTATUS NewNtProtectVirtualMemory(){ __asm { push 0 call IsNPCalled cmp eax,0 jnz NtProtectVirtualMemory_ENT1 jmp [OldNtProtectVirtualMemoryAdd]NtProtectVirtualMemory_ENT1: push 0x44 push 0x804db098 jmp [reentryadd_NtProtectVirtualMemory] }}ULONG Pass_NtProtectVirtualMemory(){ KIRQL oldIrql; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x89 * 4; OldNtProtectVirtualMemoryAdd = *(ULONG*)Address; //保存此地址 reentryadd_NtProtectVirtualMemory=OldNtProtectVirtualMemoryAdd+7; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *((ULONG*)Address) = (ULONG)NewNtProtectVirtualMemory; //HOOK SSDT KeLowerIrql(oldIrql); WPON(); return 1;}//反补丁,用于最后恢复用VOID UnDetour_NtProtectVirtualMemory(){ KIRQL oldIrql; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x89 * 4; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *((ULONG*)Address) = OldNtProtectVirtualMemoryAdd; //HOOK SSDT KeLowerIrql(oldIrql); WPON();}//////////////////////////////////////////////////////////////////////////void __declspec(naked) my_function_detour_NtProtectVirtualMemory2(){ __asm { lea ecx,[ebp-0x54] push ecx push eax call _KeStackAttachProcess _emit 0xEA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0x08 _emit 0x00 }}/*805b941e805b952c 8d4dac lea ecx,[ebp-54h]805b952f 51 push ecx805b9530 50 push eax805b9531 e8fc06f4ff call nt!KeStackAttachProcess (804f9c32)805b9536 c745d801000000 mov dword ptr [ebp-28h],1*///////////////////////////////////////////////////////////////////////////char NtProtectVirtualMemory2_g_oricode[8];ULONG NtProtectVirtualMemory2_g_KiInsertQueueApc;ULONG Pass_NtProtectVirtualMemory2(){ char *_actual_function; unsigned long _reentry_address; KIRQL oldIrql; int i = 0; unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00}; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x89 * 4; NtProtectVirtualMemory2_g_KiInsertQueueApc = *(ULONG*)Address; //保存此地址 _actual_function = (char *)(NtProtectVirtualMemory2_g_KiInsertQueueApc+0x10E); _reentry_address = ((unsigned long)NtProtectVirtualMemory2_g_KiInsertQueueApc) + 0x118; *( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_NtProtectVirtualMemory2; for(i=0;i<200;i++) { if( (0xAA == ((unsigned char *)my_function_detour_NtProtectVirtualMemory2)[i]) && (0xAA == ((unsigned char *)my_function_detour_NtProtectVirtualMemory2)[i+1]) && (0xAA == ((unsigned char *)my_function_detour_NtProtectVirtualMemory2)[i+2]) && (0xAA == ((unsigned char *)my_function_detour_NtProtectVirtualMemory2)[i+3])) { WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *( (unsigned long *)((ULONG)my_function_detour_NtProtectVirtualMemory2+i) ) = _reentry_address; KeLowerIrql(oldIrql); WPON(); break; } } WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { NtProtectVirtualMemory2_g_oricode[i]=_actual_function[i]; _actual_function[i] = newcode[i]; } KeLowerIrql(oldIrql); WPON(); return 1;}VOID UnDetour_NtProtectVirtualMemory2(){ char *actual_function = (char *)(NtProtectVirtualMemory2_g_KiInsertQueueApc+0x10E); KIRQL oldIrql; int i = 0; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); for(i=0;i < 7;i++) { actual_function[i] = NtProtectVirtualMemory2_g_oricode[i]; } KeLowerIrql(oldIrql); WPON();}//////////////////////////////////////////////////////////////////////////ULONG OldNtWriteFileAdd; //原来NtReadVirtualMemory的服务地址ULONG reentryadd_NtWriteFile;__declspec(naked) NTSTATUS NewNtWriteFile(){ __asm { push 0 call IsNPCalled cmp eax,0 jnz NtWriteFile_ENT1 jmp [OldNtWriteFileAdd]NtWriteFile_ENT1: push 0x64 push 0x804da508 jmp [reentryadd_NtWriteFile] }}ULONG Pass_NtWriteFile(){ KIRQL oldIrql; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x112 * 4; OldNtWriteFileAdd = *(ULONG*)Address; //保存此地址 reentryadd_NtWriteFile=OldNtWriteFileAdd+7; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *((ULONG*)Address) = (ULONG)NewNtWriteFile; //HOOK SSDT KeLowerIrql(oldIrql); WPON(); return 1;}//反补丁,用于最后恢复用VOID UnDetour_NtWriteFile(){ KIRQL oldIrql; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x112 * 4; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *((ULONG*)Address) = OldNtWriteFileAdd; //HOOK SSDT KeLowerIrql(oldIrql); WPON();}//////////////////////////////////////////////////////////////////////////ULONG OldNtDeviceIoControlFileAdd; //原来NtReadVirtualMemory的服务地址ULONG reentryadd_NtDeviceIoControlFile;__declspec(naked) NTSTATUS NewNtDeviceIoControlFile(){ __asm { push 0 call IsNPCalled cmp eax,0 jnz NtDeviceIoControlFile_ENT1 jmp [OldNtDeviceIoControlFileAdd]NtDeviceIoControlFile_ENT1: push ebp mov ebp,esp jmp [reentryadd_NtDeviceIoControlFile] }}ULONG Pass_NtDeviceIoControlFile(){ KIRQL oldIrql; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x42 * 4; OldNtDeviceIoControlFileAdd = *(ULONG*)Address; //保存此地址 reentryadd_NtDeviceIoControlFile=OldNtDeviceIoControlFileAdd+5; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *((ULONG*)Address) = (ULONG)NewNtDeviceIoControlFile; //HOOK SSDT KeLowerIrql(oldIrql); WPON(); return 1;}//反补丁,用于最后恢复用VOID UnDetour_NtDeviceIoControlFile(){ KIRQL oldIrql; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x42 * 4; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *((ULONG*)Address) = OldNtDeviceIoControlFileAdd; //HOOK SSDT KeLowerIrql(oldIrql); WPON();}//////////////////////////////////////////////////////////////////////////void Init_fun(){ KeStackAttachProcess_Addr=GetFunctionAddr(L"KeStackAttachProcess"); Init_KeStackAttachProcess(); Init_KiAttachProcess(); Init_KiMoveApcState();}////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////typedef NTSTATUS (*NTQUERYINFORMATIONPROCESS)( __in HANDLE ProcessHandle, __in PROCESSINFOCLASS ProcessInformationClass, __out PVOID ProcessInformation, __in ULONG ProcessInformationLength, __out_opt PULONG ReturnLength );NTQUERYINFORMATIONPROCESS OldNQueryInformationProcessAddr;typedef struct _PROCESS_DEBUG_PORT_INFO{ HANDLE DebugPort;} PROCESS_DEBUG_PORT_INFO;//enum SYSTEM_INFORMATION_CLASS { SystemKernelDebuggerInformation = 35 };//enum THREAD_INFO_CLASS { ThreadHideFromDebugger = 17 };//enum PROCESS_INFO_CLASS { ProcessDebugPort = 7 };NTSTATUS NewNtQueryInformationProcess( __in HANDLE ProcessHandle, __in PROCESSINFOCLASS ProcessInformationClass, __out PROCESS_DEBUG_PORT_INFO* ProcessInformation, __in ULONG ProcessInformationLength, __out_opt PULONG ReturnLength ){ // PROCESS_DEBUG_PORT_INFO* tempPi; if (!_stricmp("AION.bin",GetProcessNameFromEProc(0)) || !_stricmp("GameMon.des",GetProcessNameFromEProc(0))) { if (ProcessInformationClass==7) { DbgPrint("%s NtQueryInformationProcess debugport!\n",GetProcessNameFromEProc(0)); ProcessInformation->DebugPort=0; return 0; } DbgPrint("%s NtQueryInformationProcess ProcessInformationClass=%d\n",GetProcessNameFromEProc(0),ProcessInformationClass); } // DbgPrint("%s NtQueryInformationProcess !\n",GetProcessNameFromEProc(0)); return OldNQueryInformationProcessAddr(ProcessHandle,ProcessInformationClass,ProcessInformation,ProcessInformationLength,ReturnLength);}ULONG Pass_NtQueryInformationProcess(){ KIRQL oldIrql; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 154 * 4; (ULONG)OldNQueryInformationProcessAddr = *(ULONG*)Address; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *((ULONG*)Address) = (ULONG)NewNtQueryInformationProcess; //HOOK SSDT KeLowerIrql(oldIrql); WPON(); return 1;}VOID UnDetour_NtQueryInformationProcess(){ KIRQL oldIrql; ULONG Address=0; Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 154 * 4; WPOFF(); oldIrql = KeRaiseIrqlToDpcLevel(); *((ULONG*)Address) = (ULONG)OldNQueryInformationProcessAddr; //HOOK SSDT KeLowerIrql(oldIrql); WPON();} 本文章原创来源:http://www.hackwd.com/

Tags:[db:关键词]

作者:Hacker

文章评论评论内容只代表网友观点,与本站立场无关!

   评论摘要(共 0 条,得分 0 分,平均 0 分) 查看完整评论
关于本站 - 网站帮助 - 广告合作 - 下载声明 - 友情连接- 网站地图
Copyright © 2015-2016 Hackwd.Com. All Rights Reserved .
本站内容来源网络收集,仅供用于黑客技术安全学习参考,请遵守相关法律法规
打造国内最大的黑客技术资源免费发布站
提供最权威的黑客攻防教程,黑客安全工具
免费黑客网-黑客技术,黑客工具,黑客联盟,黑客基地,黑客网站,黑客论坛