看流星社区

 找回密码
 注册账号
查看: 2544|回复: 0

游戏保护大放送之HS

[复制链接]

该用户从未签到

发表于 2013-4-26 08:49:57 | 显示全部楼层 |阅读模式
本人不保证此办法现在还生效!蓝屏死机于本人无关

安博士hook和tp差不多都是那些关键敏感的函数。至于是哪些被hook请自己动手用工具查看一下。

直接上代码!

代码:
  1. #include "struct.h"
  2. #include "4BOD.h"

  3. //////////////////////////////////////////////////////////////////////////
  4. ULONG Pass_NtProcess();
  5. VOID UnDetour_NtProcess();

  6. ULONG Pass_NtWriteVirtualMemory();
  7. VOID UnDetour_NtWriteVirtualMemory();

  8. ULONG Pass_NtReadVirtualMemory();
  9. VOID UnDetour_NtReadVirtualMemory();

  10. ULONG Pass_KiAttachProcess();
  11. VOID UnDetour_KiAttachProcess();

  12. ULONG Pass_NtQueryInformationProcess();
  13. VOID UnDetour_NtQueryInformationProcess();

  14. ULONG Pass_PsSuspendThread();
  15. VOID UnDetour_PsSuspendThread();

  16. ULONG Pass_NtSetContextThread();
  17. VOID UnDetour_NtSetContextThread();

  18. ULONG Pass_NtGetContextThread();
  19. VOID UnDetour_NtGetContextThread();

  20. void Init_fun();


  21. ULONG SearchMutex();
  22. ULONG Pass_debugport();
  23. ULONG FindProcess();

  24. //////////////////////////////////////////////////////////////////////////

  25. ULONG KeStackAttachProcess_Addr;


  26. ULONG __stdcall IsNPCalled(HANDLE ProcessHandle);


  27. char g_pFindOrigCode[8];
  28. ULONG KiSystemService_hack_address;
  29. PULONG  pSSDTKernel;
  30. PSERVICE_DESCRIPTOR_TABLE_SHADOW _KeServiceDescriptorTable;
  31. PSERVICE_DESCRIPTOR_TABLE_SHADOW  ShadowTable;
  32. unsigned long SSDT_reentry_address,SSDTDW_reentry_address;


  33. void __declspec(naked) my_function_detour_KiFastCallEntry()
  34. {
  35.   __asm
  36.   {
  37.     cmp     ecx,10h
  38.     jne     SSDT
  39.     mov    edi,KeServiceDescriptorTable
  40.     sub    edi,0x10
  41.     jmp    [SSDTDW_reentry_address]
  42.       
  43. SSDT:
  44.     mov    edi,KeServiceDescriptorTable
  45.     add    edi,0x20
  46.     jmp    [SSDT_reentry_address]
  47.       

  48.   }

  49. }

  50. UCHAR findcode[]={0x83,0xf9,0x10,0x75};

  51. VOID FindHackAddr()
  52. {
  53.   ULONG  uSysenter;
  54.   ULONG i=0;
  55.   PUCHAR strSysenter;

  56.   __asm{
  57.       mov ecx,0x176
  58.       rdmsr
  59.       mov uSysenter,eax  //得到KiFastCallEntry地址
  60.     }
  61.   strSysenter=(PUCHAR)uSysenter;
  62.   for (i=0;i<0x100;i++)
  63.   {
  64.     if (
  65.       findcode[0]==strSysenter[i] &&
  66.       findcode[1]==strSysenter[i+1] &&
  67.       findcode[2]==strSysenter[i+2] &&
  68.       findcode[3]==strSysenter[i+3] )
  69.     {
  70.       break;
  71.     }

  72.   }

  73.   KiSystemService_hack_address=uSysenter+i;

  74. }

  75. ULONG HookSysCall()
  76. {
  77.   KIRQL  oldIrql;
  78.   ULONG  uSysenter;

  79.   unsigned char newcode[] = { 0xE9, 0x44, 0x33, 0x22, 0x11};

  80.   char *actual_function;

  81.   int i = 0;

  82.   FindHackAddr();

  83.   if (KiSystemService_hack_address==0)
  84.   {
  85.     dprintf("find hack address error!\n");
  86.     return 0;
  87.   }
  88. /*
  89.   __asm{
  90.       mov ecx,0x176
  91.       rdmsr
  92.       mov uSysenter,eax  //得到KiFastCallEntry地址
  93.      }

  94.   KiSystemService_hack_address=uSysenter+0xaf;

  95. */
  96.   

  97.   actual_function =(char*) KiSystemService_hack_address;



  98.   SSDT_reentry_address = KiSystemService_hack_address+0x20;
  99.   SSDTDW_reentry_address = KiSystemService_hack_address+0x5;

  100.   *( (unsigned long *)(&newcode[1]) ) = (ULONG)my_function_detour_KiFastCallEntry-KiSystemService_hack_address-5;


  101.   WPOFF();
  102.   oldIrql = KeRaiseIrqlToDpcLevel();
  103.   for(i=0;i < 5;i++)
  104.   {
  105.     g_pFindOrigCode[i] = actual_function[i];
  106.     actual_function[i] = newcode[i];
  107.   }
  108.   KeLowerIrql(oldIrql);
  109.   WPON();

  110.   return 1;
  111. }
  112. void RestoreSSDT()
  113. {
  114.   int i;
  115.   char *actual_function = (char *)(KiSystemService_hack_address);
  116.   KIRQL  oldIrql;
  117.   WPOFF();

  118.   KeRaiseIrql( DISPATCH_LEVEL,&oldIrql );

  119.   for(i=0;i < 5;i++)
  120.   {
  121.     actual_function[i] = g_pFindOrigCode[i];
  122.   }

  123.   KeLowerIrql( oldIrql );
  124.   ExFreePool(pSSDTKernel);

  125.   WPON();

  126. }


  127. unsigned long AddMyServiceTable()
  128. {
  129.   
  130.   
  131.   ULONG  nSDTKerCallLen;

  132.   
  133.   
  134.   __asm
  135.   {
  136.     pushad
  137.     mov   eax,KeServiceDescriptorTable
  138.     mov   _KeServiceDescriptorTable,eax
  139.     sub   eax,0x40
  140.     mov   ShadowTable,eax
  141.     popad
  142.   }
  143.   nSDTKerCallLen  =  _KeServiceDescriptorTable->ntoskrnl.NumberOfServices;
  144.   
  145.   
  146.   pSSDTKernel =  (PULONG)ExAllocatePool( NonPagedPool, nSDTKerCallLen*sizeof(ULONG) );
  147.   if(!pSSDTKernel)
  148.   {
  149.     DbgPrint("AddMyServiceTable  alloc fail\n");
  150.     return 0;
  151.   }
  152.   memset( (PVOID)pSSDTKernel, 0, nSDTKerCallLen*sizeof(ULONG));
  153.   
  154.   
  155.   //填充新的SSDT表
  156.   //
  157.   RtlCopyMemory( (PVOID)pSSDTKernel,(PVOID)_KeServiceDescriptorTable->ntoskrnl.ServiceTableBase,nSDTKerCallLen*sizeof(ULONG) );
  158.   
  159.   
  160.   RtlCopyMemory( (PVOID)&_KeServiceDescriptorTable->NotUse1,
  161.     (PVOID)&_KeServiceDescriptorTable->ntoskrnl,sizeof(SERVICE_DESCRIPTOR_TABLE) );
  162.   
  163.   
  164.   
  165.   RtlCopyMemory( (PVOID)&ShadowTable->NotUse1,(PVOID)&ShadowTable->ntoskrnl,sizeof(SERVICE_DESCRIPTOR_TABLE)*2);
  166.   
  167.   WPOFF();
  168.   RtlCopyMemory((PVOID)&_KeServiceDescriptorTable->NotUse1.ServiceTableBase, &pSSDTKernel, sizeof(ULONG));
  169.   
  170.   RtlCopyMemory((PVOID)&ShadowTable->NotUse1.ServiceTableBase, &pSSDTKernel, sizeof(ULONG));
  171.   
  172.   WPON();
  173.   
  174.   return 1;
  175. }

  176. void RePlaceSSDT()
  177. {
  178.   if (AddMyServiceTable())
  179.   {
  180.     HookSysCall();
  181.   }

  182. }

  183. //////////////////////////////////////////////////////////////////////////

  184. NTSTATUS
  185. DriverEntry(
  186.   PDRIVER_OBJECT pDriverObj,
  187.   PUNICODE_STRING pRegistryString
  188.   )
  189. {
  190.   NTSTATUS status = STATUS_SUCCESS;
  191.   UNICODE_STRING ustrLinkName;
  192.   UNICODE_STRING ustrDevName;   
  193.   PDEVICE_OBJECT pDevObj;

  194.   dprintf("[4BOD] DriverEntry\n");
  195.   
  196.   pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
  197.   pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
  198.   pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
  199.   pDriverObj->DriverUnload = DriverUnload;


  200.   RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
  201.   status = IoCreateDevice(pDriverObj,
  202.         0,
  203.         &ustrDevName,
  204.         FILE_DEVICE_UNKNOWN,
  205.         0,
  206.         FALSE,
  207.         &pDevObj);

  208.   if(!NT_SUCCESS(status))  {
  209.     dprintf("[4BOD] IoCreateDevice = 0x%x\n", status);
  210.     return status;
  211.   }

  212.   RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
  213.   status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);  
  214.   if(!NT_SUCCESS(status)) {
  215.     dprintf("[4BOD] IoCreateSymbolicLink = 0x%x\n", status);
  216.     IoDeleteDevice(pDevObj);  
  217.     return status;
  218.   }

  219.   Init_fun();

  220.   RePlaceSSDT();

  221. //  FindProcess();

  222. //  SearchMutex();
  223. //  Pass_debugport();

  224.    Pass_NtProcess();
  225.   
  226.   Pass_KiAttachProcess();
  227.    
  228.    Pass_NtReadVirtualMemory();
  229.      Pass_NtWriteVirtualMemory();

  230.   Pass_NtQueryInformationProcess();

  231.    Pass_PsSuspendThread();
  232.    Pass_NtSetContextThread();

  233.    Pass_NtGetContextThread();
  234.    

  235.   return STATUS_SUCCESS;
  236. }


  237. VOID
  238. DriverUnload(
  239.   PDRIVER_OBJECT pDriverObj
  240.   )
  241. {  
  242.   UNICODE_STRING strLink;
  243.   LARGE_INTEGER Delay;
  244.   RtlInitUnicodeString(&strLink, LINK_NAME);

  245.   UnDetour_NtGetContextThread();

  246.   UnDetour_NtSetContextThread();

  247.   UnDetour_PsSuspendThread();

  248.   UnDetour_NtQueryInformationProcess();

  249.    UnDetour_NtWriteVirtualMemory();
  250.    UnDetour_NtReadVirtualMemory();   
  251.   UnDetour_KiAttachProcess();   

  252.    UnDetour_NtProcess();
  253.   



  254.   RestoreSSDT();

  255.   Delay.QuadPart = -5000000;

  256.   KeDelayExecutionThread(KernelMode, TRUE, &Delay);


  257.   IoDeleteSymbolicLink(&strLink);
  258.   IoDeleteDevice(pDriverObj->DeviceObject);
  259.   dprintf("[4BOD] Unloaded\n");
  260. }


  261. NTSTATUS
  262. DispatchCreate(
  263.   PDEVICE_OBJECT pDevObj,
  264.   PIRP pIrp
  265.   )
  266. {
  267.   pIrp->IoStatus.Status = STATUS_SUCCESS;
  268.   pIrp->IoStatus.Information = 0;

  269.   dprintf("[4BOD] IRP_MJ_CREATE\n");

  270.   IoCompleteRequest(pIrp, IO_NO_INCREMENT);
  271.   return STATUS_SUCCESS;
  272. }


  273. NTSTATUS
  274. DispatchClose(
  275.   PDEVICE_OBJECT pDevObj,
  276.   PIRP pIrp
  277.   )
  278. {
  279.   pIrp->IoStatus.Status = STATUS_SUCCESS;
  280.   pIrp->IoStatus.Information = 0;

  281.   dprintf("[4BOD] IRP_MJ_CLOSE\n");

  282.   IoCompleteRequest(pIrp, IO_NO_INCREMENT);
  283.   return STATUS_SUCCESS;
  284. }


  285. NTSTATUS
  286. DispatchIoctl(
  287.   PDEVICE_OBJECT pDevObj,
  288.   PIRP pIrp
  289.   )
  290. {
  291.   NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
  292.   PIO_STACK_LOCATION pIrpStack;
  293.   ULONG uIoControlCode;
  294.   PVOID pIoBuffer;
  295.   ULONG uInSize;
  296.   ULONG uOutSize;

  297.   pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
  298.   uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
  299.   pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
  300.   uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
  301.   uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;

  302.   switch(uIoControlCode) {

  303.     case IOCTL_HELLO: {
  304.       
  305.       dprintf("[4BOD] Hello\n");
  306.       status = STATUS_SUCCESS;
  307.     }
  308.     break;
  309.    
  310.     //
  311.     // 添加执行代码
  312.     //

  313.   }

  314.   if(status == STATUS_SUCCESS)
  315.     pIrp->IoStatus.Information = uOutSize;
  316.   else
  317.     pIrp->IoStatus.Information = 0;
  318.   
  319.   /////////////////////////////////////
  320.   pIrp->IoStatus.Status = status;
  321.   IoCompleteRequest(pIrp, IO_NO_INCREMENT);

  322.   return status;
  323. }


  324. //////////////////////////////////////////////////////////////////////////



  325. //返回-1:拒绝访问
  326. //返回0 :走NP HOOK
  327. //返回1 :绕过NP HOOK
  328. //
  329. ////////////////////////////////////////////////////////////////////////////
  330. ULONG __stdcall IsNPCalled(HANDLE ProcessHandle)
  331. {
  332.   
  333.   NTSTATUS    status;
  334.   PEPROCESS   pEProcess=0;
  335.   char*       proname=0;


  336.   
  337.   
  338.   
  339.   if (!_stricmp("DNF.exe",GetProcessNameFromEProc(0)))
  340.   {
  341.     if (!ProcessHandle)
  342.     {
  343.       return 0;

  344.     }
  345.    
  346.     status = ObReferenceObjectByHandle(ProcessHandle,PROCESS_ALL_ACCESS,NULL,0,&pEProcess,NULL);
  347.    
  348.     if(!NT_SUCCESS(status))
  349.     {
  350.       DbgPrint("ObReferenceObjectByHandle fail! %08x \n",status);
  351.       return 0;
  352.       
  353.     }
  354.     ObDereferenceObject(pEProcess);
  355.     proname=GetProcessNameFromEProc(pEProcess);
  356.    
  357.     if (!_stricmp("OllyDBG.EXE",proname))
  358.     {
  359.       DbgPrint("ollydbg!!!!!!!!! \n");
  360.       return -1;
  361.     }

  362.     if (!_stricmp("Shadow.exe",proname))
  363.     {

  364.       return -1;
  365.     }
  366.     if (!_stricmp("taskmgr.exe",proname))
  367.     {

  368.       return -1;
  369.     }
  370.    
  371.    
  372.     return 0;
  373.   }
  374.   else if (!_stricmp("OllyDBG.EXE",GetProcessNameFromEProc(0)))
  375.   {
  376.    
  377.     return 1;
  378.   }
  379.   else if (!_stricmp("Shadow.exe",GetProcessNameFromEProc(0)))
  380.   {
  381.     return 1;
  382.   }
  383.   else if (!_stricmp("taskmgr.exe",GetProcessNameFromEProc(0)))
  384.   {
  385.     return 1;
  386.   }
  387.   else
  388.   {  
  389.     return 0;
  390.   }
  391.   
  392.   
  393. }



  394. //////////////////////////////////////////////////////////////////////////


  395. ULONG __stdcall IsNPCalled_EP(PEPROCESS EProcess)
  396. {
  397.   
  398.   
  399.   NTSTATUS    status;
  400.   PEPROCESS   pEProcess=0;
  401.   char*       proname=0;
  402.   
  403.   
  404.   if (!_stricmp("DNF.exe",GetProcessNameFromEProc(0)))
  405.   {
  406.     if (!EProcess)
  407.     {
  408.       return 0;

  409.     }
  410.    
  411.   
  412.     proname=GetProcessNameFromEProc(EProcess);
  413.    
  414.     if (!_stricmp("OllyDBG.EXE",proname))
  415.     {
  416.       DbgPrint("ollydbg!!!!!!!!! epepepepep\n");
  417.       return -1;
  418.     }
  419.     if (!_stricmp("Shadow.exe",proname))
  420.     {

  421.       return -1;
  422.     }
  423.     if (!_stricmp("taskmgr.exe",proname))
  424.     {

  425.       return -1;
  426.     }
  427.    
  428.     return 0;
  429.   }
  430.   else if (!_stricmp("OllyDBG.EXE",GetProcessNameFromEProc(0)))
  431.   {
  432.    
  433.     return 1;
  434.   }
  435.   else if (!_stricmp("Shadow.exe",GetProcessNameFromEProc(0)))
  436.   {

  437.     return 1;
  438.   }
  439.   else if (!_stricmp("taskmgr.exe",GetProcessNameFromEProc(0)))
  440.   {
  441.     return 1;
  442.   }
  443.   else
  444.   {  
  445.     return 0;
  446.   }
  447.   
  448.   
  449. }

  450. //////////////////////////////////////////////////////////////////////////
  451. ULONG old_KiMoveApcState;

  452. ULONG Init_KiMoveApcState()
  453. {

  454.   old_KiMoveApcState=KeStackAttachProcess_Addr-0x6b2;
  455.   return 1;

  456. }


  457. VOID __declspec(naked) _KiMoveApcState (
  458.                     __in PKAPC_STATE Source,
  459.                     __out PKAPC_STATE Destination
  460.                     )
  461. {
  462.   __asm
  463.   {
  464.     jmp  [old_KiMoveApcState]

  465.   }


  466. }



  467. //////////////////////////////////////////////////////////////////////////
  468. ULONG __stdcall fack(PEPROCESS Pep)
  469. {
  470.   __try
  471.   {
  472.     if (!_stricmp("DNF.exe",GetProcessNameFromEProc(0)))
  473.     {
  474.       if (!_stricmp("ollydbg.exe",GetProcessNameFromEProc(Pep)))
  475.       {
  476.         DbgPrint("dnf kiattachprocess ollydbg!!!\n");
  477.         return 1;
  478.       }
  479.     }
  480.   }
  481.   __except(1)
  482.   {
  483.     DbgPrint("fack error!!\n");
  484.   }
  485.   return 0;
  486. }

  487. unsigned long KiAttachProcess_reentry_address;

  488. void __declspec(naked) my_function_detour_KiAttachProcess()
  489. {
  490.   __asm
  491.   {   
  492.     inc     word ptr [edi+0x60]
  493.     lea     ebx,[esi+0x34]
  494.     push    ebx
  495.     call    _KiMoveApcState
  496.     jmp     [KiAttachProcess_reentry_address]

  497.   }
  498. }

  499. //////////////////////////////////////////////////////////////////////////

  500. char KiAttachProcess_g_oricode[8];

  501. ULONG Pass_KiAttachProcess()
  502. {  
  503.   char *actual_function;
  504.   
  505.   KIRQL oldIrql;
  506.   int i = 0;
  507.   unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08,0x00};


  508.   actual_function = (char *)(KeStackAttachProcess_Addr-0x219);

  509.   KiAttachProcess_reentry_address = (KeStackAttachProcess_Addr-0x20c);

  510.   *( (unsigned long *)(&newcode[1]) ) = (unsigned long)my_function_detour_KiAttachProcess;


  511.   WPOFF();
  512.   oldIrql = KeRaiseIrqlToDpcLevel();
  513.   for(i=0;i < 7;i++)
  514.   {
  515.     KiAttachProcess_g_oricode[i] = actual_function[i];
  516.     actual_function[i] = newcode[i];
  517.   }
  518.   KeLowerIrql(oldIrql);
  519.   WPON();

  520.   return 1;

  521. }

  522. VOID UnDetour_KiAttachProcess()
  523. {
  524.   char *actual_function = (char *)(KeStackAttachProcess_Addr-0x219);
  525.   KIRQL oldIrql;
  526.   int i = 0;

  527.   WPOFF();
  528.   oldIrql = KeRaiseIrqlToDpcLevel();

  529.   for(i=0;i < 7;i++)
  530.   {
  531.     actual_function[i] = KiAttachProcess_g_oricode[i];
  532.   }
  533.   KeLowerIrql(oldIrql);
  534.   WPON();



  535. }



  536. //////////////////////////////////////////////////////////////////////////

  537. ULONG OldNtReadVirtualMemoryAdd;
  538. ULONG reentryadd_NtReadVirtualMemory;
  539. __declspec(naked) NTSTATUS NewNtReadVirtualMemory()
  540. {

  541.   __asm
  542.   {
  543.     push [esp+4]
  544.     call IsNPCalled
  545.     cmp  eax,1
  546.     jnz  NtReadVirtualMemory_ENT1
  547.     push 0x1c
  548.     push 0x804daef0
  549.     mov  eax, 0x8053cbe0
  550.     call eax
  551.     jmp  [reentryadd_NtReadVirtualMemory]


  552. NtReadVirtualMemory_ENT1:

  553.     cmp  eax,0
  554.     jnz  NtReadVirtualMemory_ENT2
  555.     jmp  [OldNtReadVirtualMemoryAdd]

  556. NtReadVirtualMemory_ENT2:
  557.     mov  eax,0
  558.     ret  0x14
  559.   }

  560. }



  561. //////////////////////////////////////////////////////////////////////////NtReadVirtualMemory



  562. ULONG Pass_NtReadVirtualMemory()
  563. {
  564.   KIRQL oldIrql;
  565.   ULONG  Address=0;

  566.   Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0xBA * 4;    //得到NtReadVirtualMemory的服务地址

  567.   (ULONG)OldNtReadVirtualMemoryAdd = *(ULONG*)Address;    //保存此地址
  568.   reentryadd_NtReadVirtualMemory=OldNtReadVirtualMemoryAdd+0xc;

  569.   WPOFF();
  570.   oldIrql = KeRaiseIrqlToDpcLevel();
  571.   *((ULONG*)Address) = (ULONG)NewNtReadVirtualMemory;  //HOOK SSDT
  572.   
  573.   KeLowerIrql(oldIrql);
  574.   WPON();
  575.   return 1;
  576. }

  577. //反补丁,用于最后恢复用
  578. VOID UnDetour_NtReadVirtualMemory()
  579. {
  580.   KIRQL oldIrql;
  581.   ULONG  Address=0;

  582.   Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0xBA * 4;

  583.   WPOFF();
  584.   oldIrql = KeRaiseIrqlToDpcLevel();

  585.   *((ULONG*)Address) = (ULONG)OldNtReadVirtualMemoryAdd;  //HOOK SSDT
  586.   KeLowerIrql(oldIrql);
  587.   WPON();
  588. }

  589. ULONG reentryadd_NtWriteVirtualMemory;
  590. ULONG OldNtWriteVirtualMemoryAdd;
  591. __declspec(naked) NTSTATUS NewNtWriteVirtualMemory()
  592. {

  593.   __asm
  594.   {
  595.     push [esp+4]
  596.     call IsNPCalled
  597.     cmp  eax,1
  598.     jnz  NtWriteVirtualMemory_ENT1
  599.     push 0x1c
  600.     push 0x804daf08
  601.     mov  eax, 0x8053cbe0
  602.     call eax
  603.     jmp  [reentryadd_NtWriteVirtualMemory]


  604. NtWriteVirtualMemory_ENT1:

  605.     cmp  eax,0
  606.     jnz  NtWriteVirtualMemory_ENT2
  607.     jmp  [OldNtWriteVirtualMemoryAdd]

  608. NtWriteVirtualMemory_ENT2:
  609.     mov  eax,0
  610.     ret  0x14
  611.   }



  612. }
  613. //////////////////////////////////////////////////////////////////////////



  614. ULONG Pass_NtWriteVirtualMemory()
  615. {
  616.   KIRQL oldIrql;
  617.   ULONG  Address=0;

  618.   Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x115 * 4;

  619.   (ULONG)OldNtWriteVirtualMemoryAdd = *(ULONG*)Address;
  620.   reentryadd_NtWriteVirtualMemory=OldNtWriteVirtualMemoryAdd+0xc;

  621.   WPOFF();
  622.   oldIrql = KeRaiseIrqlToDpcLevel();

  623.   *((ULONG*)Address) = (ULONG)NewNtWriteVirtualMemory;  //HOOK SSDT
  624.   KeLowerIrql(oldIrql);
  625.   WPON();

  626.   return 1;
  627. }

  628. VOID UnDetour_NtWriteVirtualMemory()
  629. {
  630.   KIRQL oldIrql;
  631.   ULONG  Address=0;

  632.   Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x115 * 4;

  633.   WPOFF();
  634.   oldIrql = KeRaiseIrqlToDpcLevel();

  635.   *((ULONG*)Address) = (ULONG)OldNtWriteVirtualMemoryAdd;  //HOOK SSDT
  636.   KeLowerIrql(oldIrql);
  637.   WPON();
  638. }
  639. //////////////////////////////////////////////////////////////////////////



  640. //////////////////////////////////////////////////////////////////////////NtOpenProcess


  641. ULONG OldNtProcessAdd;

  642. ULONG reentryadd_NtWriteVirtualMemory;


  643. NTSTATUS
  644. _NtOpenProcess (
  645.          __out PHANDLE ProcessHandle,
  646.          __in ACCESS_MASK DesiredAccess,
  647.          __in POBJECT_ATTRIBUTES ObjectAttributes,
  648.          __in_opt PCLIENT_ID ClientId
  649.          )
  650. {

  651.   HANDLE Handle;
  652.   KPROCESSOR_MODE PreviousMode;
  653.   NTSTATUS Status;
  654.   PEPROCESS Process;
  655.   PETHREAD Thread;
  656.   CLIENT_ID CapturedCid={0};
  657.   BOOLEAN ObjectNamePresent;
  658.   BOOLEAN ClientIdPresent;
  659.   ACCESS_STATE AccessState;
  660.   AUX_ACCESS_DATA AuxData;
  661.   ULONG Attributes;
  662.   LUID SeDebugPrivilege = {0};
  663.   POBJECT_TYPE _PsProcessType;
  664.   PEPROCESS tempeprocess;

  665.   PsLookupProcessByProcessId(ClientId->UniqueProcess,&tempeprocess);

  666.   if (!_stricmp("DNF.exe",GetProcessNameFromEProc(0)))
  667.   {
  668.    
  669.   //  ERROR_INVALID_PARAMETER

  670.     __try
  671.     {
  672.   //    DbgPrint("dnf threadid %d KTHREAD %08x want openprocess %s\n",
  673.   //    PsGetCurrentThreadId(),PsGetCurrentThread(),GetProcessNameFromEProc(tempeprocess));

  674.       if (!_stricmp("OllyDBG.EXE",GetProcessNameFromEProc(tempeprocess)) )
  675.       {
  676.         return STATUS_INVALID_PARAMETER;
  677.       }
  678.       if (!_stricmp("DNF.exe",GetProcessNameFromEProc(tempeprocess)) )
  679.       {
  680.       //  return STATUS_INVALID_PARAMETER;
  681.       }
  682.       if (!_stricmp("taskmgr.exe",GetProcessNameFromEProc(tempeprocess)) )
  683.       {
  684.         return STATUS_INVALID_PARAMETER;
  685.       }
  686.       

  687.     }
  688.     __except (EXCEPTION_EXECUTE_HANDLER)
  689.     {
  690.       DbgPrint("GetExceptionCode %08x",GetExceptionCode());
  691.     //  return GetExceptionCode();
  692.     }
  693.    

  694.     return NtOpenProcess(ProcessHandle,DesiredAccess,ObjectAttributes, ClientId);
  695.   }

  696. //  DbgPrint("%s want openprocess %s\n",GetProcessNameFromEProc(0),GetProcessNameFromEProc(tempeprocess));

  697.   (ULONG)_PsProcessType=*(ULONG*)PsProcessType;
  698.   PreviousMode = KeGetPreviousMode();
  699.   SeDebugPrivilege =RtlConvertLongToLuid(SE_DEBUG_PRIVILEGE);
  700.   if (PreviousMode != KernelMode) {
  701.     __try {
  702.       ProbeForWriteHandle (ProcessHandle);

  703.       ProbeForReadSmallStructure (ObjectAttributes,
  704.         sizeof(OBJECT_ATTRIBUTES),
  705.         sizeof(ULONG));
  706.       ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT (ObjectAttributes->ObjectName);
  707.       Attributes = ObSanitizeHandleAttributes (ObjectAttributes->Attributes, UserMode);

  708.       if (ARGUMENT_PRESENT (ClientId)) {
  709.         ProbeForReadSmallStructure (ClientId, sizeof (CLIENT_ID), sizeof (ULONG));
  710.         CapturedCid = *ClientId;
  711.         ClientIdPresent = TRUE;
  712.       } else {
  713.         ClientIdPresent = FALSE;
  714.       }
  715.     }
  716.     __except (EXCEPTION_EXECUTE_HANDLER) {
  717.       return GetExceptionCode();
  718.     }
  719.   } else {
  720.     ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT (ObjectAttributes->ObjectName);
  721.     Attributes = ObSanitizeHandleAttributes (ObjectAttributes->Attributes, KernelMode);
  722.     if (ARGUMENT_PRESENT (ClientId)) {
  723.       CapturedCid = *ClientId;
  724.       ClientIdPresent = TRUE;
  725.     } else {
  726.       ClientIdPresent = FALSE;
  727.     }
  728.   }

  729.   if (ObjectNamePresent && ClientIdPresent) {
  730.     return STATUS_INVALID_PARAMETER_MIX;
  731.   }

  732.   Status = SeCreateAccessState(
  733.     &AccessState,
  734.     &AuxData,
  735.     DesiredAccess,
  736.     &_PsProcessType->TypeInfo.GenericMapping
  737.     );

  738.   if ( !NT_SUCCESS(Status) ) {

  739.     return Status;
  740.   }
  741.   
  742.   if (SeSinglePrivilegeCheck( SeDebugPrivilege, PreviousMode )) {

  743.     if ( AccessState.RemainingDesiredAccess & MAXIMUM_ALLOWED ) {
  744.       AccessState.PreviouslyGrantedAccess |= PROCESS_ALL_ACCESS;

  745.     } else {

  746.       AccessState.PreviouslyGrantedAccess |= ( AccessState.RemainingDesiredAccess );
  747.     }

  748.     AccessState.RemainingDesiredAccess = 0;

  749.   }
  750.   if (ObjectNamePresent) {


  751.     Status = ObOpenObjectByName(
  752.       ObjectAttributes,
  753.       _PsProcessType,
  754.       PreviousMode,
  755.       &AccessState,
  756.       0,
  757.       NULL,
  758.       &Handle
  759.       );

  760.     SeDeleteAccessState( &AccessState );

  761.     if ( NT_SUCCESS(Status) ) {
  762.       __try {
  763.         *ProcessHandle = Handle;
  764.       }
  765.       __except (EXCEPTION_EXECUTE_HANDLER) {
  766.         return GetExceptionCode ();
  767.       }
  768.     }
  769.     return Status;
  770.   }

  771.   if ( ClientIdPresent ) {

  772.     Thread = NULL;
  773.     if (CapturedCid.UniqueThread) {
  774.       Status = PsLookupProcessThreadByCid(
  775.         &CapturedCid,
  776.         &Process,
  777.         &Thread
  778.         );

  779.       if (!NT_SUCCESS(Status)) {
  780.         SeDeleteAccessState( &AccessState );
  781.         return Status;
  782.       }
  783.     } else {
  784.       Status = PsLookupProcessByProcessId(
  785.         CapturedCid.UniqueProcess,
  786.         &Process
  787.         );

  788.       if ( !NT_SUCCESS(Status) ) {
  789.         SeDeleteAccessState( &AccessState );
  790.         return Status;
  791.       }
  792.     }

  793.     //
  794.     // OpenObjectByAddress
  795.     //
  796.     Status = ObOpenObjectByPointer(
  797.       Process,
  798.       Attributes,
  799.       &AccessState,
  800.       0,
  801.       _PsProcessType,
  802.       PreviousMode,
  803.       &Handle
  804.       );

  805.     SeDeleteAccessState( &AccessState );

  806.     if (Thread) {
  807.       ObDereferenceObject(Thread);
  808.     }

  809.     ObDereferenceObject(Process);

  810.     if (NT_SUCCESS (Status)) {

  811.       __try {
  812.         *ProcessHandle = Handle;
  813.       }
  814.       __except (EXCEPTION_EXECUTE_HANDLER) {
  815.         return GetExceptionCode ();
  816.       }
  817.     }
  818.     return Status;
  819.   }
  820.   return STATUS_INVALID_PARAMETER_MIX;
  821. }


  822. ULONG Pass_NtProcess()
  823. {

  824.   KIRQL oldIrql;
  825.   ULONG  Address=0;

  826.   Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase +  0x7A * 4;

  827.   OldNtProcessAdd = *(ULONG*)Address;

  828.   WPOFF();
  829.   oldIrql = KeRaiseIrqlToDpcLevel();

  830.   *((ULONG*)Address) = (ULONG)_NtOpenProcess;  //HOOK SSDT
  831.   KeLowerIrql(oldIrql);
  832.   WPON();

  833.   return 1;
  834. }

  835. VOID UnDetour_NtProcess()
  836. {
  837.   KIRQL oldIrql;
  838.   ULONG  Address=0;

  839.   Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase +  0x7A * 4;

  840.   WPOFF();
  841.   oldIrql = KeRaiseIrqlToDpcLevel();

  842.   *((ULONG*)Address) = OldNtProcessAdd;  //HOOK SSDT
  843.   KeLowerIrql(oldIrql);
  844.   WPON();

  845. }

  846. //////////////////////////////////////////////////////////////////////////


  847. void Init_fun()
  848. {
  849.   KeStackAttachProcess_Addr=GetFunctionAddr(L"KeStackAttachProcess");
  850.   Init_KiMoveApcState();
  851. }
  852. //////////////////////////////////////////////////////////////////////////


  853. //////////////////////////////////////////////////////////////////////////



  854. #define SYSTEMSERVICE(Index)    *(PULONG)((ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase+ Index*4);   

  855. ULONG DbgkForwardExceptionAddr    =    0;
  856. ULONG KiDispatchExceptionAddr    =    0;
  857. ULONG DbgkpQueueMessageAddr        =    0;

  858. ULONG SearchMutex()
  859. {
  860.   ULONG NtResumeThreadAddr        =    0;
  861.   ULONG NtRaiseExceptionAddr        =    0;
  862.   ULONG KiRaiseExceptionAddr        =    0;


  863.   ULONG DbgkpSendApiMessageAddr    =    0;

  864.   ULONG DbgkpProcessDebugPortMutex    =0;   
  865.   ULONG PsResumeThreadAddr          =0;        
  866.   DWORD dwKey;
  867.   ULONG i;


  868.   NtResumeThreadAddr = SYSTEMSERVICE(206);
  869.   DbgPrint("NtResumeThreadAddr : %X\n", NtResumeThreadAddr);

  870.   for(i = NtResumeThreadAddr; i < NtResumeThreadAddr + 0x7C; i++)
  871.   {
  872.     dwKey = *(PDWORD)i;
  873.     if (MmIsAddressValid(&dwKey))
  874.     {
  875.       if (dwKey == 0xE8E475FF)
  876.       {
  877.         dwKey = i + 4;
  878.         PsResumeThreadAddr = i + *(ULONG*)dwKey + 8;
  879.       }
  880.     }
  881.   }
  882.   DbgPrint("PsResumeThreadAddr : %X\n", PsResumeThreadAddr);

  883.   NtRaiseExceptionAddr = SYSTEMSERVICE(181);
  884.   DbgPrint("NtRaiseExceptionAddr : %X\n", NtRaiseExceptionAddr);

  885.   for(i = NtRaiseExceptionAddr; i < NtRaiseExceptionAddr + 0x30; i++)
  886.   {
  887.     dwKey = *(PDWORD)i;
  888.     if (MmIsAddressValid(&dwKey))
  889.     {
  890.       if (dwKey == 0xE8505100)
  891.       {
  892.         dwKey = i + 4;
  893.         KiRaiseExceptionAddr = i + *(ULONG*)dwKey + 8;
  894.       }
  895.     }
  896.   }
  897.   DbgPrint("KiRaiseExceptionAddr : %X\n", KiRaiseExceptionAddr);

  898.   if (KiRaiseExceptionAddr > 0x80000000)
  899.   {
  900.     for(i = KiRaiseExceptionAddr; i < KiRaiseExceptionAddr + 0x197; i++)
  901.     {
  902.       dwKey = *(PDWORD)i;
  903.       if (MmIsAddressValid(&dwKey))
  904.       {
  905.         if (dwKey == 0xE853FFFF)
  906.         {
  907.           dwKey = i + 4;
  908.           KiDispatchExceptionAddr = i + *(ULONG*)dwKey + 8;
  909.         }
  910.       }
  911.     }
  912.     DbgPrint("KiDispatchExceptionAddr : %X\n", KiDispatchExceptionAddr);
  913.   }

  914.   if (KiDispatchExceptionAddr > 0x80000000)
  915.   {
  916.     for(i = KiDispatchExceptionAddr; i < KiDispatchExceptionAddr + 0x397; i++)
  917.     {
  918.       dwKey = *(PDWORD)i;
  919.       if (MmIsAddressValid(&dwKey))
  920.       {
  921.         if (dwKey == 0xE8565701)
  922.         {
  923.           dwKey = i + 4;
  924.           DbgkForwardExceptionAddr = i + *(ULONG*)dwKey + 8;
  925.         }
  926.       }
  927.     }
  928.     DbgPrint("DbgkForwardExceptionAddr : %X\n", DbgkForwardExceptionAddr);
  929.   }


  930.   if (DbgkForwardExceptionAddr > 0x80000000)
  931.   {
  932.     for(i = DbgkForwardExceptionAddr; i < DbgkForwardExceptionAddr + 0x8A; i++)
  933.     {
  934.       dwKey = *(PDWORD)i;
  935.       if (MmIsAddressValid(&dwKey))
  936.       {
  937.         if (dwKey == 0xE8508845)
  938.         {
  939.           dwKey = i + 4;
  940.           DbgkpSendApiMessageAddr = i + *(ULONG*)dwKey + 8;
  941.         }
  942.       }
  943.     }
  944.     DbgPrint("DbgkpSendApiMessageAddr : %X\n", DbgkpSendApiMessageAddr);
  945.   }

  946.   if (DbgkpSendApiMessageAddr > 0x80000000)
  947.   {
  948.     for(i = DbgkpSendApiMessageAddr; i < DbgkpSendApiMessageAddr + 0x55; i++)
  949.     {
  950.       dwKey = *(PDWORD)i;
  951.       if (MmIsAddressValid(&dwKey))
  952.       {
  953.         if (dwKey == 0xE8515052)
  954.         {
  955.           dwKey = i + 4;
  956.           DbgkpQueueMessageAddr = i + *(ULONG*)dwKey + 8;
  957.         }
  958.       }
  959.     }
  960.     DbgPrint("DbgkpQueueMessageAddr : %X\n", DbgkpQueueMessageAddr);
  961.   }

  962.   if (DbgkpQueueMessageAddr > 0x80000000)
  963.   {
  964.     for(i = DbgkpQueueMessageAddr; i < DbgkpQueueMessageAddr + 0x16F; i++)
  965.     {
  966.       dwKey = *(PDWORD)i;
  967.       if (MmIsAddressValid(&dwKey))
  968.       {
  969.         if (dwKey == 0xB93075FC)
  970.         {
  971.           dwKey = i + 4;
  972.           DbgkpProcessDebugPortMutex = *(ULONG*)dwKey;
  973.         }
  974.       }
  975.     }
  976.     DbgPrint("DbgkpProcessDebugPortMutex : %X\n", DbgkpProcessDebugPortMutex);
  977.   }

  978.   return DbgkpProcessDebugPortMutex;

  979. }

  980. //////////////////////////////////////////////////////////////////////////
  981. ULONG Pass_debugport()
  982. {
  983.   KIRQL oldIrql;

  984.   char  timestr[]={0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90};

  985.   char* g_KiDispatchException=(char*)(KiDispatchExceptionAddr+0x187);
  986.   char* g_PspCreateProcess=(char*)(KiDispatchExceptionAddr+0xD2599);
  987.   char* g_DbgkForwardException=(char*)(DbgkForwardExceptionAddr+0x3e);
  988.   char* g_DbgkpQueueMessage=(char*)(DbgkpQueueMessageAddr+0x7B);
  989.   char* g_DbgkCreateThread=(char*)(KiDispatchExceptionAddr+0x14515F);
  990.   char* g_DbgkExitThread=(char*)(KiDispatchExceptionAddr+0x1453F8);
  991.   char* g_DbgkMapViewOfSection=(char*)(KiDispatchExceptionAddr+0x14550B);
  992.   char* g_DbgkExitProcess=(char*)(KiDispatchExceptionAddr+0x145472);
  993.   char* g_DbgkUnMapViewOfSection=(char*)(KiDispatchExceptionAddr+0x1455D1);
  994.   char* g_PspExitThread=(char*)(KiDispatchExceptionAddr+0xD3E84);
  995.   char* g_DbgkpMarkProcessPeb=(char*)(KiDispatchExceptionAddr+0x1438EA);
  996.   char* g_MmCreatePeb=(char*)(KiDispatchExceptionAddr+0xB1907);
  997.   char* g_DbgkpSetProcessDebugObject=(char*)(KiDispatchExceptionAddr+0x144934);
  998.   char* g_DbgkpSetProcessDebugObject1=(char*)(KiDispatchExceptionAddr+0x144942);
  999.   char* g_DbgkpSetProcessDebugObject2=(char*)(KiDispatchExceptionAddr+0x14495C);
  1000.   char* g_DbgkpSetProcessDebugObject3=(char*)(KiDispatchExceptionAddr+0x1449A6);
  1001.   char* g_DbgkpSetProcessDebugObject4=(char*)(KiDispatchExceptionAddr+0x1449E8);

  1002.   

  1003. //nop

  1004.   char* anti_DbgkExitThread=(char*)(KiDispatchExceptionAddr+0x1453F6);
  1005.   char* anti_DbgkExitProcess=(char*)(KiDispatchExceptionAddr+0x145470);
  1006.   char* anti_DbgkUnMapViewOfSection=(char*)(KiDispatchExceptionAddr+0x1455CF);

  1007. //jmp

  1008.   char* anti_DbgkMapViewOfSection=(char*)(KiDispatchExceptionAddr+0x145505);
  1009.   char* anti_DbgkForwardException=(char*)(DbgkForwardExceptionAddr+0x38);

  1010. //nop create time

  1011.   char* g_PspCreateProcess_time=(char*)(KiDispatchExceptionAddr+0xD2B15);



  1012.   WPOFF();
  1013.   oldIrql = KeRaiseIrqlToDpcLevel();

  1014.   memcpy(g_PspCreateProcess_time,timestr,9);

  1015.   *(ULONG*)(&g_KiDispatchException[2])=0x70;
  1016.   *(ULONG*)(&g_PspCreateProcess[2])=0x70;
  1017.   *(ULONG*)(&g_DbgkForwardException[2])=0x70;
  1018.   *(ULONG*)(&g_DbgkpQueueMessage[2])=0x70;
  1019.   *(ULONG*)(&g_DbgkCreateThread[2])=0x70;
  1020.   *(ULONG*)(&g_DbgkExitThread[2])=0x70;
  1021.   *(ULONG*)(&g_DbgkMapViewOfSection[2])=0x70;
  1022.   *(ULONG*)(&g_DbgkExitProcess[2])=0x70;
  1023.   *(ULONG*)(&g_DbgkUnMapViewOfSection[2])=0x70;
  1024.   *(ULONG*)(&g_PspExitThread[2])=0x70;
  1025.   *(ULONG*)(&g_DbgkpMarkProcessPeb[2])=0x70;
  1026.   *(ULONG*)(&g_MmCreatePeb[2])=0x70;
  1027.   *(ULONG*)(&g_DbgkpSetProcessDebugObject[2])=0x70;
  1028.   *(ULONG*)(&g_DbgkpSetProcessDebugObject1[2])=0x70;
  1029.   *(ULONG*)(&g_DbgkpSetProcessDebugObject2[2])=0x70;
  1030.   *(ULONG*)(&g_DbgkpSetProcessDebugObject3[2])=0x70;
  1031.   *(ULONG*)(&g_DbgkpSetProcessDebugObject4[2])=0x70;

  1032. //
  1033. //   anti_DbgkExitThread[0]=0x90;
  1034. //   anti_DbgkExitThread[1]=0x90;
  1035. //   anti_DbgkExitProcess[0]=0x90;
  1036. //   anti_DbgkExitProcess[1]=0x90;
  1037. //   anti_DbgkUnMapViewOfSection[0]=0x90;
  1038. //   anti_DbgkUnMapViewOfSection[1]=0x90;
  1039. //
  1040. //   anti_DbgkMapViewOfSection[0]=0xeb;
  1041. //   anti_DbgkForwardException[0]=0xeb;


  1042.   KeLowerIrql(oldIrql);
  1043.   WPON();

  1044.   

  1045.   return STATUS_SUCCESS;

  1046. }
  1047. const int process_list_offset=0x88;
  1048. const int createtime_list_offset=0x70;

  1049. ULONG FindProcess()
  1050. {
  1051.   ULONG cproc=0x00000000;
  1052.   ULONG  i=0;
  1053.   ULONG TPID;
  1054.   PEPROCESS tmpeprocess;
  1055.   PLIST_ENTRY plist_active_procs;
  1056.   LARGE_INTEGER temptime;
  1057.   temptime.QuadPart=0;


  1058.   PsLookupProcessByProcessId((HANDLE)4,&tmpeprocess);
  1059.   cproc=(ULONG)tmpeprocess;


  1060.   while (1)
  1061.   {
  1062.    
  1063.     if ((i>=1) && ((ULONG)tmpeprocess==cproc))
  1064.     {
  1065.       break;
  1066.       return 0x00000000;
  1067.     }
  1068.     else
  1069.     {
  1070.       plist_active_procs=(LIST_ENTRY*)(cproc+process_list_offset);
  1071.       cproc=(ULONG)plist_active_procs->Flink;
  1072.       cproc=cproc-process_list_offset;

  1073.       *(LARGE_INTEGER*)(cproc+createtime_list_offset)=temptime;

  1074.       i++;

  1075.     }

  1076.   }


  1077.   return 1;
  1078. }

  1079. //////////////////////////////////////////////////////////////////////////


  1080. typedef NTSTATUS (*NTQUERYINFORMATIONPROCESS)(
  1081.   __in       HANDLE ProcessHandle,
  1082.   __in       PROCESSINFOCLASS ProcessInformationClass,
  1083.   __out      PVOID ProcessInformation,
  1084.   __in       ULONG ProcessInformationLength,
  1085.   __out_opt  PULONG ReturnLength
  1086.   );

  1087. NTQUERYINFORMATIONPROCESS OldNQueryInformationProcessAddr;

  1088. typedef struct _PROCESS_DEBUG_PORT_INFO     
  1089. {   
  1090.       
  1091.    HANDLE DebugPort;   
  1092.       
  1093. } PROCESS_DEBUG_PORT_INFO;   
  1094.       
  1095.         
  1096.         
  1097. //enum SYSTEM_INFORMATION_CLASS { SystemKernelDebuggerInformation = 35 };   
  1098.       
  1099. //enum THREAD_INFO_CLASS { ThreadHideFromDebugger = 17 };   
  1100.       
  1101. //enum PROCESS_INFO_CLASS { ProcessDebugPort = 7 };



  1102. NTSTATUS  NewNtQueryInformationProcess(
  1103.   __in       HANDLE ProcessHandle,
  1104.   __in       PROCESSINFOCLASS ProcessInformationClass,
  1105.   __out      PROCESS_DEBUG_PORT_INFO* ProcessInformation,
  1106.   __in       ULONG ProcessInformationLength,
  1107.   __out_opt  PULONG ReturnLength
  1108.   )
  1109. {
  1110. //  PROCESS_DEBUG_PORT_INFO* tempPi;
  1111.   if (!_stricmp("DNF.exe",GetProcessNameFromEProc(0)) ||
  1112.     !_stricmp("AION.bin",GetProcessNameFromEProc(0)) ||
  1113.     !_stricmp("GameMon.des",GetProcessNameFromEProc(0)))
  1114.   {
  1115.     if (ProcessInformationClass==7)
  1116.     {
  1117.       DbgPrint("%s NtQueryInformationProcess debugport!\n",GetProcessNameFromEProc(0));
  1118.       ProcessInformation->DebugPort=0;
  1119.       return 0;
  1120.     }

  1121.   }

  1122. //  DbgPrint("%s NtQueryInformationProcess !\n",GetProcessNameFromEProc(0));

  1123.   return OldNQueryInformationProcessAddr(ProcessHandle,ProcessInformationClass,ProcessInformation,ProcessInformationLength,ReturnLength);

  1124. }



  1125. ULONG Pass_NtQueryInformationProcess()
  1126. {
  1127.   KIRQL oldIrql;
  1128.   ULONG  Address=0;

  1129.   Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 154 * 4;

  1130.   (ULONG)OldNQueryInformationProcessAddr = *(ULONG*)Address;


  1131.   WPOFF();
  1132.   oldIrql = KeRaiseIrqlToDpcLevel();

  1133.   *((ULONG*)Address) = (ULONG)NewNtQueryInformationProcess;  //HOOK SSDT
  1134.   KeLowerIrql(oldIrql);
  1135.   WPON();

  1136.   return 1;
  1137. }

  1138. VOID UnDetour_NtQueryInformationProcess()
  1139. {
  1140.   KIRQL oldIrql;
  1141.   ULONG  Address=0;

  1142.   Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 154 * 4;

  1143.   WPOFF();
  1144.   oldIrql = KeRaiseIrqlToDpcLevel();

  1145.   *((ULONG*)Address) = (ULONG)OldNQueryInformationProcessAddr;  //HOOK SSDT
  1146.   KeLowerIrql(oldIrql);
  1147.   WPON();
  1148. }
  1149. //////////////////////////////////////////////////////////////////////////

  1150. // NTSTATUS __declspec(naked) _PsSuspendThread(PETHREAD Thread, PULONG PreviousSuspendCount)
  1151. // {
  1152. //
  1153. // }



  1154. //////////////////////////////////////////////////////////////////////////

  1155. //unsigned long PsSuspendThread_reentry_address;
  1156. ULONG pssuspendthreadaddr;

  1157. NTSTATUS __declspec(naked) _PsSuspendThread(PETHREAD Thread, PULONG PreviousSuspendCount)
  1158. {
  1159.   __asm
  1160.   {   
  1161.     push 0x18
  1162.     push 0x804db9e8
  1163.     mov   esi,0x8053cbe0
  1164.     call esi
  1165.     mov  esi,pssuspendthreadaddr
  1166.     add  esi,0xc
  1167.     jmp  esi

  1168.   }
  1169. }
  1170. //////////////////////////////////////////////////////////////////////////



  1171. NTSTATUS
  1172. _NtSuspendThread(
  1173.     __in HANDLE ThreadHandle,
  1174.     __out_opt PULONG PreviousSuspendCount
  1175.     )

  1176. {
  1177.     PETHREAD Thread;
  1178.     NTSTATUS st;
  1179.     ULONG LocalPreviousSuspendCount;
  1180.     KPROCESSOR_MODE Mode;
  1181.   POBJECT_TYPE TempType;

  1182. //   PAGED_CODE();

  1183.     Mode = KeGetPreviousMode ();

  1184.     try {

  1185.         if (Mode != KernelMode) {
  1186.             if (ARGUMENT_PRESENT (PreviousSuspendCount)) {
  1187.                 ProbeForWriteUlong (PreviousSuspendCount);
  1188.             }
  1189.         }
  1190.     } except (EXCEPTION_EXECUTE_HANDLER) {

  1191.         return GetExceptionCode();
  1192.     }

  1193.   (ULONG)TempType=*(ULONG*)PsThreadType;
  1194.     st = ObReferenceObjectByHandle (ThreadHandle,
  1195.                                     THREAD_SUSPEND_RESUME,
  1196.                                     TempType,
  1197.                                     Mode,
  1198.                                     &Thread,
  1199.                                     NULL);

  1200.     if (!NT_SUCCESS (st)) {
  1201.         return st;
  1202.     }

  1203.     st = _PsSuspendThread (Thread, &LocalPreviousSuspendCount);

  1204.     ObDereferenceObject (Thread);

  1205.     try {

  1206.         if (ARGUMENT_PRESENT (PreviousSuspendCount)) {
  1207.             *PreviousSuspendCount = LocalPreviousSuspendCount;
  1208.         }

  1209.     } except (EXCEPTION_EXECUTE_HANDLER) {

  1210.         st = GetExceptionCode ();

  1211.     }

  1212.     return st;

  1213. }

  1214. //////////////////////////////////////////////////////////////////////////
  1215. typedef NTSTATUS(*NTSUSPENDTHREAD)(
  1216.   __in HANDLE ThreadHandle,
  1217.   __out_opt PULONG PreviousSuspendCount
  1218.   );

  1219. NTSUSPENDTHREAD OldSuspendThreadAddr;

  1220. NTSTATUS MyNtSuspendThread(
  1221.   __in HANDLE ThreadHandle,
  1222.   __out_opt PULONG PreviousSuspendCount
  1223.   )
  1224. {
  1225.   if (!_stricmp("DNF.exe",GetProcessNameFromEProc(0)))
  1226.   {
  1227.     return OldSuspendThreadAddr(ThreadHandle,PreviousSuspendCount);
  1228.   }
  1229.   return _NtSuspendThread(ThreadHandle,PreviousSuspendCount);

  1230. }

  1231. ULONG Pass_PsSuspendThread()
  1232. {  
  1233.   KIRQL oldIrql;
  1234.   ULONG  Address=0;
  1235.   LONG temp=0;

  1236.   Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 254 * 4;

  1237.   (ULONG)OldSuspendThreadAddr = *(ULONG*)Address;
  1238.   temp=*(LONG*)((LONG)OldSuspendThreadAddr+0x65);
  1239.   pssuspendthreadaddr=(LONG)OldSuspendThreadAddr+0x64+temp+5;

  1240.   DbgPrint("pssuspendthreadaddr %08x\n",pssuspendthreadaddr);


  1241.   WPOFF();
  1242.   oldIrql = KeRaiseIrqlToDpcLevel();

  1243.   *((ULONG*)Address) = (ULONG)MyNtSuspendThread;  //HOOK SSDT
  1244.   KeLowerIrql(oldIrql);
  1245.   WPON();

  1246.   return 1;

  1247. }

  1248. VOID UnDetour_PsSuspendThread()
  1249. {
  1250.   KIRQL oldIrql;
  1251.   ULONG  Address=0;

  1252.   Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 254 * 4;

  1253.   WPOFF();
  1254.   oldIrql = KeRaiseIrqlToDpcLevel();

  1255.   *((ULONG*)Address) = (ULONG)OldSuspendThreadAddr;  //HOOK SSDT
  1256.   KeLowerIrql(oldIrql);
  1257.   WPON();
  1258. }



  1259. //////////////////////////////////////////////////////////////////////////


  1260. NTSTATUS
  1261. MyNtGetContextThread(
  1262.     __in HANDLE ThreadHandle,
  1263.     __inout PCONTEXT ThreadContext
  1264.     )

  1265. {

  1266.     KPROCESSOR_MODE Mode;
  1267.     NTSTATUS Status;
  1268.     PETHREAD Thread;
  1269.     PKTHREAD CurrentThread;
  1270.   POBJECT_TYPE TempType;


  1271.   //  PAGED_CODE();

  1272.     //
  1273.     // Get previous mode and reference specified thread.
  1274.     //

  1275.     CurrentThread = KeGetCurrentThread();
  1276.     Mode = *(CCHAR*)((ULONG)CurrentThread+0x140);

  1277.   (ULONG)TempType=*(ULONG*)PsThreadType;

  1278.     Status = ObReferenceObjectByHandle (ThreadHandle,
  1279.                                         THREAD_GET_CONTEXT,
  1280.                                         TempType,
  1281.                                         Mode,
  1282.                                         &Thread,
  1283.                                         NULL);

  1284.     //
  1285.     // If the reference was successful, the check if the specified thread
  1286.     // is a system thread.
  1287.     //

  1288.     if (NT_SUCCESS (Status)) {

  1289.         //
  1290.         // If the thread is not a system thread, then attempt to get the
  1291.         // context of the thread.
  1292.         //

  1293.         if (IS_SYSTEM_THREAD (Thread) == FALSE) {

  1294.             Status = PsGetContextThread (Thread, ThreadContext, Mode);

  1295.         } else {
  1296.             Status = STATUS_INVALID_HANDLE;
  1297.         }

  1298.         ObDereferenceObject (Thread);
  1299.     }
  1300.   else
  1301.   {
  1302.     DbgPrint("%s MyNtGetContextThread ObReferenceObjectByHandle error! ThreadHandle %08x\n",GetProcessNameFromEProc(0),ThreadHandle);
  1303.   }

  1304.     return Status;
  1305. }


  1306. //////////////////////////////////////////////////////////////////////////



  1307. NTSTATUS
  1308. MyNtSetContextThread(
  1309.     __in HANDLE ThreadHandle,
  1310.     __in PCONTEXT ThreadContext
  1311.     )

  1312. {
  1313.     KPROCESSOR_MODE Mode;
  1314.     NTSTATUS Status;
  1315.     PETHREAD Thread;
  1316.     PKTHREAD CurrentThread;
  1317.   POBJECT_TYPE TempType;

  1318. //    PAGED_CODE();

  1319.     //
  1320.     // Get previous mode and reference specified thread.
  1321.     //

  1322.     CurrentThread = KeGetCurrentThread ();
  1323.      Mode = *(CCHAR*)((ULONG)CurrentThread+0x140);

  1324.    (ULONG)TempType=*(ULONG*)PsThreadType;

  1325.     Status = ObReferenceObjectByHandle (ThreadHandle,
  1326.                                         THREAD_SET_CONTEXT,
  1327.                                         TempType,
  1328.                                         Mode,
  1329.                                         &Thread,
  1330.                                         NULL);

  1331.     //
  1332.     // If the reference was successful, the check if the specified thread
  1333.     // is a system thread.
  1334.     //

  1335.     if (NT_SUCCESS (Status)) {

  1336.         //
  1337.         // If the thread is not a system thread, then attempt to get the
  1338.         // context of the thread.
  1339.         //

  1340.         if (IS_SYSTEM_THREAD (Thread) == FALSE) {

  1341.             Status = PsSetContextThread (Thread, ThreadContext, Mode);

  1342.         } else {
  1343.             Status = STATUS_INVALID_HANDLE;
  1344.         }

  1345.         ObDereferenceObject (Thread);
  1346.     }
  1347.   else
  1348.   {
  1349.     DbgPrint("MyNtSetContextThread ObReferenceObjectByHandle error\n");
  1350.   }

  1351.     return Status;
  1352. }
  1353. //////////////////////////////////////////////////////////////////////////
  1354. typedef NTSTATUS (*NTSETCONTEXTTHREAD)
  1355.   (
  1356.   __in HANDLE ThreadHandle,
  1357.   __in PCONTEXT ThreadContext
  1358.   );

  1359. NTSETCONTEXTTHREAD OldNtSetContextThreadAddr;


  1360. NTSTATUS NewNtSetContextThread
  1361.   (
  1362.   __in HANDLE ThreadHandle,
  1363.   __in PCONTEXT ThreadContext
  1364.   )
  1365. {
  1366.   if (!_stricmp("DNF.exe",GetProcessNameFromEProc(0)))
  1367.   {
  1368.     return OldNtSetContextThreadAddr(ThreadHandle,ThreadContext);
  1369.   //  DbgPrint("dnf ThreadHandle: %d NtSetContextThread\n",ThreadHandle);
  1370.   //  return 0;
  1371.   }
  1372. //  return OldNtSetContextThreadAddr(ThreadHandle,ThreadContext);

  1373.   return MyNtSetContextThread(ThreadHandle,ThreadContext);

  1374. }

  1375. ULONG Pass_NtSetContextThread()
  1376. {
  1377.   KIRQL oldIrql;
  1378.   ULONG  Address=0;

  1379.   Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 213 * 4;

  1380.   (ULONG)OldNtSetContextThreadAddr = *(ULONG*)Address;


  1381.   WPOFF();
  1382.   oldIrql = KeRaiseIrqlToDpcLevel();

  1383.   *((ULONG*)Address) = (ULONG)NewNtSetContextThread;  //HOOK SSDT
  1384.   KeLowerIrql(oldIrql);
  1385.   WPON();

  1386.   return 1;
  1387. }

  1388. VOID UnDetour_NtSetContextThread()
  1389. {
  1390.   KIRQL oldIrql;
  1391.   ULONG  Address=0;

  1392.   Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 213 * 4;

  1393.   WPOFF();
  1394.   oldIrql = KeRaiseIrqlToDpcLevel();

  1395.   *((ULONG*)Address) = (ULONG)OldNtSetContextThreadAddr;  //HOOK SSDT
  1396.   KeLowerIrql(oldIrql);
  1397.   WPON();
  1398. }
  1399. //////////////////////////////////////////////////////////////////////////


  1400. //////////////////////////////////////////////////////////////////////////
  1401. typedef NTSTATUS (*NTGETCONTEXTTHREAD)
  1402.   (
  1403.   __in HANDLE ThreadHandle,
  1404.   __inout PCONTEXT ThreadContext
  1405.   );

  1406. NTGETCONTEXTTHREAD OldNtGetContextThreadAddr;


  1407. NTSTATUS NewNtGetContextThread
  1408.   (
  1409.   __in HANDLE ThreadHandle,
  1410.   __inout PCONTEXT ThreadContext
  1411.   )
  1412. {
  1413.   NTSTATUS nTstatus=0;
  1414.   if (!_stricmp("DNF.exe",GetProcessNameFromEProc(0)) ||
  1415.     !_stricmp("AION.bin",GetProcessNameFromEProc(0)) ||
  1416.     !_stricmp("GameMon.des",GetProcessNameFromEProc(0)))
  1417.   {
  1418.    
  1419. //     if (-2==(LONG)ThreadHandle)
  1420. //     {
  1421. //       return OldNtGetContextThreadAddr(ThreadHandle,ThreadContext);
  1422. //     }

  1423.     DbgPrint("dnf ThreadHandle: %d NtGetContextThread\n",ThreadHandle);

  1424.     nTstatus=OldNtGetContextThreadAddr(ThreadHandle,ThreadContext);

  1425.    
  1426.     ThreadContext->Dr0=0;
  1427.     ThreadContext->Dr1=0;
  1428.     ThreadContext->Dr2=0;
  1429.     ThreadContext->Dr3=0;

  1430.   //  ThreadContext->Dr6=0;
  1431.   //  ThreadContext->Dr7=0;

  1432. //     DbgPrint("ThreadHandle:%d\nDr0=%08x\nDr1=%08x\nDr2=%08x\nDr3=%08x\n",ThreadHandle,
  1433. //         ThreadContext->Dr0,ThreadContext->Dr1,ThreadContext->Dr2,ThreadContext->Dr3);

  1434.     return nTstatus;
  1435.    
  1436.   }
  1437. //
  1438. //  return OldNtGetContextThreadAddr(ThreadHandle,ThreadContext);
  1439.   return MyNtGetContextThread(ThreadHandle,ThreadContext);
  1440. }

  1441. ULONG Pass_NtGetContextThread()
  1442. {
  1443.   KIRQL oldIrql;
  1444.   ULONG  Address=0;

  1445.   Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 85 * 4;

  1446.   (ULONG)OldNtGetContextThreadAddr = *(ULONG*)Address;


  1447.   WPOFF();
  1448.   oldIrql = KeRaiseIrqlToDpcLevel();

  1449.   *((ULONG*)Address) = (ULONG)NewNtGetContextThread;  //HOOK SSDT
  1450.   KeLowerIrql(oldIrql);
  1451.   WPON();

  1452.   return 1;
  1453. }

  1454. VOID UnDetour_NtGetContextThread()
  1455. {
  1456.   KIRQL oldIrql;
  1457.   ULONG  Address=0;

  1458.   Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 85 * 4;

  1459.   WPOFF();
  1460.   oldIrql = KeRaiseIrqlToDpcLevel();

  1461.   *((ULONG*)Address) = (ULONG)OldNtGetContextThreadAddr;  //HOOK SSDT
  1462.   KeLowerIrql(oldIrql);
  1463.   WPON();
  1464. }
  1465. //////////////////////////////////////////////////////////////////////////
复制代码
点击按钮快速添加回复内容: 支持 高兴 激动 给力 加油 苦寻 生气 回帖 路过 感恩
您需要登录后才可以回帖 登录 | 注册账号

本版积分规则

小黑屋|手机版|Archiver|看流星社区 |网站地图

GMT+8, 2024-3-29 19:38

Powered by Kanliuxing X3.4

© 2010-2019 kanliuxing.com

快速回复 返回顶部 返回列表