过龙腾世界的驱动保护
//////////////////////////////////////////////////////////////////////////
// Defines
// Number of SSDT entries snapshotted into oldssdt. This is a compile-time
// constant, not read from KeServiceDescriptorTable at runtime, so it must
// match the service-table size of the target OS build (TODO confirm for each
// build this driver is loaded on). Indices returned by GetFunctionId() are
// used directly as oldssdt subscripts, so any index >= SsdtTbaleSize reads
// past the array. (The name keeps the original's spelling; other files may
// reference it.)
#define SsdtTbaleSize 0x11C // entries, not bytes
// Globals
// What the live SSDT points at for each call when InitSystemCallIndex()
// runs -- once a protection driver has hooked the table, this is the hook's
// address (inlineHook() compares it against oldssdt).
ULONG ZwHookOpenProcess = 0;
ULONG ZwHookWriteVirtualMemory = 0;
ULONG ZwHookQuerySystemInformation = 0;
// Copy of the SSDT taken by SaveOldSSdt() before any hook is installed: the
// per-index original service addresses that inlineHook() jumps back to.
DWORD oldssdt[SsdtTbaleSize] = {0};
VOID SaveOldSSdt()
{
    // Snapshot the first SsdtTbaleSize entries of the system service table
    // into oldssdt. Intended to run before a protection driver installs its
    // hooks, so the copy holds the genuine service addresses that
    // inlineHook() later redirects the hooks back to.
    //
    // NOTE(review): the copy length is the compile-time constant
    // SsdtTbaleSize rather than the table's own service count, so it must
    // match the SSDT size of every build this is used on -- confirm.
    PVOID serviceTable = (PVOID)KeServiceDescriptorTable->ServiceTableBase;

    // sizeof(oldssdt) == SsdtTbaleSize * sizeof(DWORD)
    RtlCopyMemory( oldssdt , serviceTable , sizeof(oldssdt) );
    KdPrint( ("SaveOldSSdt OK") );
}
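ULONG GetFunctionId( char* FunctionName )
{
    // Resolve the system-service index of an ntdll export such as
    // "ZwOpenProcess": map \SystemRoot\system32\ntdll.dll from disk as an
    // image section, find the export by name, and read the imm32 of the
    // stub's first instruction. Reading at +1 only makes sense for the
    // 32-bit "mov eax, imm32" (opcode 0xB8) stub layout, which this version
    // checks explicitly instead of assuming.
    //
    // FunctionName: NUL-terminated ANSI export name. NULL is rejected.
    // Returns the service index, or 0 on any failure. Caveat kept from the
    // original for compatibility: 0 is also a legitimate service index, so
    // callers cannot tell "failed" from "index 0" by the return value alone.
    //
    // 32-bit x86 only (pointers are carried in ULONG). Does file I/O through
    // Zw* APIs, so it is expected to run at PASSIVE_LEVEL.
    //
    // Fixes vs. the original: every exit path now unmaps the view and closes
    // both handles (the original leaked hFile/hSection on later failures);
    // pFunctionAddress is initialised, so a name that is not exported no
    // longer dereferences an uninitialised value; DOS/NT signatures and the
    // export directory are validated before being walked; name ordinals are
    // read as unsigned 16-bit values; the service number is read as the full
    // imm32 instead of a sign-extended 16-bit slice.
    NTSTATUS ntstatus;
    HANDLE hFile = NULL;
    HANDLE hSection = NULL;
    OBJECT_ATTRIBUTES object_attributes;
    IO_STATUS_BLOCK io_status = {0};
    PVOID baseaddress = NULL;
    SIZE_T size = 0;
    PIMAGE_DOS_HEADER dos = NULL;
    PIMAGE_NT_HEADERS nt = NULL;
    PIMAGE_DATA_DIRECTORY expdir = NULL;
    PIMAGE_EXPORT_DIRECTORY exports = NULL;
    ULONG addr;                 // RVA of the export directory
    ULONG Size;                 // size of the export directory (forwarder test)
    PULONG functions;
    PUSHORT ordinals;           // unsigned: an ordinal >= 0x8000 must not sign-extend
    PULONG names;
    ULONG max_name;
    ULONG max_func;
    ULONG i;
    ULONG pFunctionAddress = 0; // 0 = export not found
    ULONG ServiceId = 0;        // 0 = failure (see caveat above)
    UNICODE_STRING DllName;

    if( FunctionName == NULL )
    {
        return 0;
    }

    RtlInitUnicodeString( &DllName, L"\\SystemRoot\\system32\\ntdll.dll");
    InitializeObjectAttributes(
        &object_attributes,
        &DllName,
        OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
        NULL,
        NULL);
    // Open the on-disk ntdll rather than a copy already mapped in a process.
    ntstatus = ZwCreateFile(
        &hFile,
        FILE_EXECUTE | SYNCHRONIZE,
        &object_attributes,
        &io_status,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ,
        FILE_OPEN,
        FILE_NON_DIRECTORY_FILE |
        FILE_RANDOM_ACCESS |
        FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,
        0);
    if( !NT_SUCCESS( ntstatus ))
    {
        KdPrint(("[GetFunctionAddress] error0\n"));
        KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
        return 0;               // nothing acquired yet
    }

    // SEC_IMAGE: the file is laid out as the loader would map it, so RVAs
    // from the headers can be added to baseaddress directly.
    InitializeObjectAttributes(
        &object_attributes,
        NULL,
        OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,
        NULL,
        NULL);
    ntstatus = ZwCreateSection(
        &hSection,
        SECTION_ALL_ACCESS,
        &object_attributes,
        0,
        PAGE_EXECUTE,
        SEC_IMAGE,
        hFile);
    if( !NT_SUCCESS( ntstatus ))
    {
        KdPrint(("[GetFunctionAddress] error1\n"));
        KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
        hSection = NULL;
        goto cleanup;
    }

    // Map the whole image (ViewSize 0) into the current process. The
    // remaining arguments (commit size 1000, inherit value 1 = ViewShare,
    // PAGE_READWRITE) are kept as in the original.
    ntstatus = ZwMapViewOfSection(
        hSection,
        NtCurrentProcess(),
        &baseaddress,
        0,
        1000,
        0,
        &size,
        (SECTION_INHERIT)1,
        MEM_TOP_DOWN,
        PAGE_READWRITE);
    if( !NT_SUCCESS( ntstatus ))
    {
        KdPrint(("[GetFunctionAddress] error2\n"));
        KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
        baseaddress = NULL;
        goto cleanup;
    }

    // Header validation: a malformed image would otherwise be walked blindly
    // in kernel mode.
    dos = (PIMAGE_DOS_HEADER) baseaddress;
    if( dos->e_magic != IMAGE_DOS_SIGNATURE )
    {
        KdPrint(("[GetFunctionAddress] bad DOS signature\n"));
        goto cleanup;
    }
    nt = (PIMAGE_NT_HEADERS)((ULONG) baseaddress + dos->e_lfanew);
    if( nt->Signature != IMAGE_NT_SIGNATURE )
    {
        KdPrint(("[GetFunctionAddress] bad NT signature\n"));
        goto cleanup;
    }
    expdir = &nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    addr = expdir->VirtualAddress;
    Size = expdir->Size;
    if( addr == 0 || Size == 0 )
    {
        KdPrint(("[GetFunctionAddress] no export directory\n"));
        goto cleanup;
    }
    exports   = (PIMAGE_EXPORT_DIRECTORY)((ULONG) baseaddress + addr);
    functions = (PULONG)((ULONG) baseaddress + exports->AddressOfFunctions);
    ordinals  = (PUSHORT)((ULONG) baseaddress + exports->AddressOfNameOrdinals);
    names     = (PULONG)((ULONG) baseaddress + exports->AddressOfNames);
    max_name  = exports->NumberOfNames;
    max_func  = exports->NumberOfFunctions;

    for( i = 0; i < max_name; i++ )
    {
        ULONG ord = ordinals[i];
        if( ord >= max_func )
        {
            // Inconsistent export table; the original also gave up here.
            goto cleanup;
        }
        // An RVA inside the export directory is a forwarder string, not code.
        if( functions[ord] >= addr && functions[ord] < addr + Size )
        {
            continue;
        }
        if( strcmp((PCHAR) baseaddress + names[i], FunctionName) == 0 )
        {
            pFunctionAddress = (ULONG) baseaddress + functions[ord];
            break;
        }
    }
    if( pFunctionAddress == 0 )
    {
        KdPrint(("[GetFunctionAddress] %s not found in export table\n", FunctionName));
        goto cleanup;
    }

    // Expected stub: B8 imm32 (mov eax, ServiceId). Refuse anything else
    // rather than returning the operand bytes of some unrelated instruction.
    if( *(PUCHAR)pFunctionAddress != 0xB8 )
    {
        KdPrint(("[GetFunctionAddress] %s: unexpected stub opcode 0x%x\n", FunctionName, *(PUCHAR)pFunctionAddress));
        goto cleanup;
    }
    ServiceId = *(PULONG)(pFunctionAddress + 1);

cleanup:
    // Release in reverse order of acquisition; each step is skipped for
    // resources that were never obtained.
    if( baseaddress != NULL )
    {
        ZwUnmapViewOfSection( NtCurrentProcess(), baseaddress );
    }
    if( hSection != NULL )
    {
        ZwClose( hSection );
    }
    if( hFile != NULL )
    {
        ZwClose( hFile );
    }
    return ServiceId;
}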
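// Fetch the address the live SSDT currently holds at index, after checking
// that index fits the oldssdt snapshot. Returns 0 (never a code address)
// when it does not, so inlineHook() has nothing to patch for that entry.
static ULONG CaptureLiveSsdtEntry( const char* name , ULONG index )
{
    ULONG live;
    if( index >= SsdtTbaleSize )
    {
        KdPrint(("[InitSystemCallIndex]%s index 0x%x >= SsdtTbaleSize, not captured\n", name, index));
        return 0;
    }
    live = (KeServiceDescriptorTable->ServiceTableBase)[index];
    KdPrint(("[InitSystemCallIndex]%s index:0x%x,original addr:0x%x,current:0x%x\n", name, index, oldssdt[index], live));
    return live;
}
VOID InitSystemCallIndex()
{
    // Resolve the service index of each call this driver cares about and
    // record what the live SSDT points at for that index. Once a protection
    // driver has hooked the table, the recorded address is its hook, which
    // inlineHook() later compares against the pre-hook snapshot in oldssdt.
    //
    // Preconditions: SaveOldSSdt() has filled oldssdt. The *Index globals
    // assigned here are defined outside this listing. GetFunctionId()
    // returns 0 on failure, which this function cannot distinguish from
    // service index 0 (see its comment).
    //
    // Fix vs. the original: each resolved index is bounds-checked against
    // SsdtTbaleSize before oldssdt is read, so an index outside the snapshot
    // cannot read past the array; such an entry is recorded as 0 and skipped.
    ZwOpenProcessIndex = GetFunctionId( "ZwOpenProcess" );
    ZwHookOpenProcess = CaptureLiveSsdtEntry( "ZwOpenProcess" , ZwOpenProcessIndex );

    ZwWriteVirtualMemoryIndex = GetFunctionId( "ZwWriteVirtualMemory" );
    ZwHookWriteVirtualMemory = CaptureLiveSsdtEntry( "ZwWriteVirtualMemory" , ZwWriteVirtualMemoryIndex );

    ZwQuerySystemInformationIndex = GetFunctionId( "ZwQuerySystemInformation" );
    ZwHookQuerySystemInformation = CaptureLiveSsdtEntry( "ZwQuerySystemInformation" , ZwQuerySystemInformationIndex );
}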
ULONG CalcJmpCode(ULONG des , ULONG org )
{
    // Displacement for a 5-byte "jmp rel32" placed at org that lands on des.
    // rel32 is relative to the address of the following instruction
    // (org + 5); unsigned wrap-around yields the correct two's-complement
    // value for a backward jump.
    ULONG next_instruction = org + 5;
    return des - next_instruction;
}
VOID ModifyJmpCode2( ULONG myZwFuction , ULONG zwHookFuction)
{
    // Overwrite the first five bytes at zwHookFuction with "jmp rel32"
    // targeting myZwFuction. As used by inlineHook(), zwHookFuction is the
    // address the live SSDT currently points at (the protection driver's
    // hook) and myZwFuction is the pre-hook entry from oldssdt, so the hook
    // becomes an unconditional jump to the original system service.
    //
    // Preconditions (not checked here): the caller has made the target page
    // writable (inlineHook brackets the call with WPOFF()/WPON()), and the
    // first five bytes at zwHookFuction may be replaced wholesale -- no
    // instruction-boundary check is made and the 5-byte write is not
    // atomic. Both addresses are only validated with MmIsAddressValid.
    BYTE patch[5] = { 0xE9 , 0 , 0 , 0 , 0 };   // E9 = jmp rel32; displacement filled below
    DWORD target = (DWORD)myZwFuction;
    DWORD rel;

    if( !MmIsAddressValid((PVOID)target) )
    {
        KdPrint( ("MmIsAddressValid 0x%x Error\n" , target ) );
        return ;
    }
    KdPrint( ("inline hook addr:0x%x\n" ,target ) );

    // rel32 is relative to the end of the jmp that will sit at zwHookFuction
    rel = CalcJmpCode( target , zwHookFuction );
    RtlCopyMemory( &patch[1] , &rel , sizeof(rel) );

    if( !MmIsAddressValid((PVOID)zwHookFuction) )
    {
        KdPrint( ("MmIsAddressValid 0x%x Error\n" , zwHookFuction ) );
        return ;
    }
    RtlCopyMemory( (PVOID)zwHookFuction , patch , sizeof(patch) );
}
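// Patch one service: redirect the live hook at liveEntry back to the
// pre-hook address oldssdt[index]. No-op when the index does not fit the
// snapshot, when no live entry was captured, or when the entry is unhooked.
static VOID RedirectHookToOriginal( ULONG index , ULONG liveEntry , const char* name )
{
    if( index >= SsdtTbaleSize )
    {
        KdPrint( ("[inlineHook] %s index 0x%x out of range, skipped\n" , name , index ) );
        return;
    }
    if( liveEntry == 0 || liveEntry == oldssdt[index] )
    {
        return;   // nothing captured, or the SSDT entry is still the original
    }
    ModifyJmpCode2( (ULONG)oldssdt[index] , liveEntry );
}
VOID inlineHook()
{
    // Neutralise the protection driver's SSDT hooks for the three services
    // resolved by InitSystemCallIndex(). For each one whose live entry
    // (ZwHook*) differs from the pre-hook snapshot in oldssdt, the hook's
    // first five bytes are replaced with a jmp back to the original service
    // (ModifyJmpCode2), so the hook body never runs.
    //
    // Preconditions: SaveOldSSdt() ran before the protection driver hooked
    // the table and InitSystemCallIndex() ran after it; otherwise the
    // comparison is meaningless. WPOFF()/WPON() are defined outside this
    // listing; by name and placement they lift and restore write protection
    // around the patches, and no IRQL raise or multi-processor
    // synchronisation is visible here (TODO confirm how WPOFF handles SMP).
    //
    // Fix vs. the original: each index is bounds-checked against
    // SsdtTbaleSize before oldssdt is indexed (the original read
    // oldssdt[index] unguarded), and an entry whose live address was never
    // captured (0) is skipped instead of being handed to ModifyJmpCode2.
    WPOFF();
    RedirectHookToOriginal( ZwQuerySystemInformationIndex , ZwHookQuerySystemInformation , "ZwQuerySystemInformation" );
    RedirectHookToOriginal( ZwOpenProcessIndex , ZwHookOpenProcess , "ZwOpenProcess" );
    RedirectHookToOriginal( ZwWriteVirtualMemoryIndex , ZwHookWriteVirtualMemory , "ZwWriteVirtualMemory" );
    WPON();
}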
VOID Kill()
{
    // Entry point for defeating the protection: refresh the service indices
    // and the live SSDT entries, then patch every hooked entry so it jumps
    // straight back to the original service. Relies on oldssdt having been
    // filled by SaveOldSSdt() before the protection driver hooked the table.
    InitSystemCallIndex();   // resolve indices, capture current (hooked) entries
    inlineHook();            // jmp hook -> original for each entry that changed
}
// Defines
// Number of SSDT entries snapshotted into oldssdt. This is a compile-time
// constant, not read from KeServiceDescriptorTable at runtime, so it must
// match the service-table size of the target OS build (TODO confirm for each
// build this driver is loaded on). Indices returned by GetFunctionId() are
// used directly as oldssdt subscripts, so any index >= SsdtTbaleSize reads
// past the array. (The name keeps the original's spelling; other files may
// reference it.)
#define SsdtTbaleSize 0x11C // entries, not bytes
// Globals
// What the live SSDT points at for each call when InitSystemCallIndex()
// runs -- once a protection driver has hooked the table, this is the hook's
// address (inlineHook() compares it against oldssdt).
ULONG ZwHookOpenProcess = 0;
ULONG ZwHookWriteVirtualMemory = 0;
ULONG ZwHookQuerySystemInformation = 0;
// Copy of the SSDT taken by SaveOldSSdt() before any hook is installed: the
// per-index original service addresses that inlineHook() jumps back to.
DWORD oldssdt[SsdtTbaleSize] = {0};
VOID SaveOldSSdt()
{
    // Snapshot the first SsdtTbaleSize entries of the system service table
    // into oldssdt. Intended to run before a protection driver installs its
    // hooks, so the copy holds the genuine service addresses that
    // inlineHook() later redirects the hooks back to.
    //
    // NOTE(review): the copy length is the compile-time constant
    // SsdtTbaleSize rather than the table's own service count, so it must
    // match the SSDT size of every build this is used on -- confirm.
    PVOID serviceTable = (PVOID)KeServiceDescriptorTable->ServiceTableBase;

    // sizeof(oldssdt) == SsdtTbaleSize * sizeof(DWORD)
    RtlCopyMemory( oldssdt , serviceTable , sizeof(oldssdt) );
    KdPrint( ("SaveOldSSdt OK") );
}
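ULONG GetFunctionId( char* FunctionName )
{
    // Resolve the system-service index of an ntdll export such as
    // "ZwOpenProcess": map \SystemRoot\system32\ntdll.dll from disk as an
    // image section, find the export by name, and read the imm32 of the
    // stub's first instruction. Reading at +1 only makes sense for the
    // 32-bit "mov eax, imm32" (opcode 0xB8) stub layout, which this version
    // checks explicitly instead of assuming.
    //
    // FunctionName: NUL-terminated ANSI export name. NULL is rejected.
    // Returns the service index, or 0 on any failure. Caveat kept from the
    // original for compatibility: 0 is also a legitimate service index, so
    // callers cannot tell "failed" from "index 0" by the return value alone.
    //
    // 32-bit x86 only (pointers are carried in ULONG). Does file I/O through
    // Zw* APIs, so it is expected to run at PASSIVE_LEVEL.
    //
    // Fixes vs. the original: every exit path now unmaps the view and closes
    // both handles (the original leaked hFile/hSection on later failures);
    // pFunctionAddress is initialised, so a name that is not exported no
    // longer dereferences an uninitialised value; DOS/NT signatures and the
    // export directory are validated before being walked; name ordinals are
    // read as unsigned 16-bit values; the service number is read as the full
    // imm32 instead of a sign-extended 16-bit slice.
    NTSTATUS ntstatus;
    HANDLE hFile = NULL;
    HANDLE hSection = NULL;
    OBJECT_ATTRIBUTES object_attributes;
    IO_STATUS_BLOCK io_status = {0};
    PVOID baseaddress = NULL;
    SIZE_T size = 0;
    PIMAGE_DOS_HEADER dos = NULL;
    PIMAGE_NT_HEADERS nt = NULL;
    PIMAGE_DATA_DIRECTORY expdir = NULL;
    PIMAGE_EXPORT_DIRECTORY exports = NULL;
    ULONG addr;                 // RVA of the export directory
    ULONG Size;                 // size of the export directory (forwarder test)
    PULONG functions;
    PUSHORT ordinals;           // unsigned: an ordinal >= 0x8000 must not sign-extend
    PULONG names;
    ULONG max_name;
    ULONG max_func;
    ULONG i;
    ULONG pFunctionAddress = 0; // 0 = export not found
    ULONG ServiceId = 0;        // 0 = failure (see caveat above)
    UNICODE_STRING DllName;

    if( FunctionName == NULL )
    {
        return 0;
    }

    RtlInitUnicodeString( &DllName, L"\\SystemRoot\\system32\\ntdll.dll");
    InitializeObjectAttributes(
        &object_attributes,
        &DllName,
        OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
        NULL,
        NULL);
    // Open the on-disk ntdll rather than a copy already mapped in a process.
    ntstatus = ZwCreateFile(
        &hFile,
        FILE_EXECUTE | SYNCHRONIZE,
        &object_attributes,
        &io_status,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ,
        FILE_OPEN,
        FILE_NON_DIRECTORY_FILE |
        FILE_RANDOM_ACCESS |
        FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,
        0);
    if( !NT_SUCCESS( ntstatus ))
    {
        KdPrint(("[GetFunctionAddress] error0\n"));
        KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
        return 0;               // nothing acquired yet
    }

    // SEC_IMAGE: the file is laid out as the loader would map it, so RVAs
    // from the headers can be added to baseaddress directly.
    InitializeObjectAttributes(
        &object_attributes,
        NULL,
        OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,
        NULL,
        NULL);
    ntstatus = ZwCreateSection(
        &hSection,
        SECTION_ALL_ACCESS,
        &object_attributes,
        0,
        PAGE_EXECUTE,
        SEC_IMAGE,
        hFile);
    if( !NT_SUCCESS( ntstatus ))
    {
        KdPrint(("[GetFunctionAddress] error1\n"));
        KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
        hSection = NULL;
        goto cleanup;
    }

    // Map the whole image (ViewSize 0) into the current process. The
    // remaining arguments (commit size 1000, inherit value 1 = ViewShare,
    // PAGE_READWRITE) are kept as in the original.
    ntstatus = ZwMapViewOfSection(
        hSection,
        NtCurrentProcess(),
        &baseaddress,
        0,
        1000,
        0,
        &size,
        (SECTION_INHERIT)1,
        MEM_TOP_DOWN,
        PAGE_READWRITE);
    if( !NT_SUCCESS( ntstatus ))
    {
        KdPrint(("[GetFunctionAddress] error2\n"));
        KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
        baseaddress = NULL;
        goto cleanup;
    }

    // Header validation: a malformed image would otherwise be walked blindly
    // in kernel mode.
    dos = (PIMAGE_DOS_HEADER) baseaddress;
    if( dos->e_magic != IMAGE_DOS_SIGNATURE )
    {
        KdPrint(("[GetFunctionAddress] bad DOS signature\n"));
        goto cleanup;
    }
    nt = (PIMAGE_NT_HEADERS)((ULONG) baseaddress + dos->e_lfanew);
    if( nt->Signature != IMAGE_NT_SIGNATURE )
    {
        KdPrint(("[GetFunctionAddress] bad NT signature\n"));
        goto cleanup;
    }
    expdir = &nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    addr = expdir->VirtualAddress;
    Size = expdir->Size;
    if( addr == 0 || Size == 0 )
    {
        KdPrint(("[GetFunctionAddress] no export directory\n"));
        goto cleanup;
    }
    exports   = (PIMAGE_EXPORT_DIRECTORY)((ULONG) baseaddress + addr);
    functions = (PULONG)((ULONG) baseaddress + exports->AddressOfFunctions);
    ordinals  = (PUSHORT)((ULONG) baseaddress + exports->AddressOfNameOrdinals);
    names     = (PULONG)((ULONG) baseaddress + exports->AddressOfNames);
    max_name  = exports->NumberOfNames;
    max_func  = exports->NumberOfFunctions;

    for( i = 0; i < max_name; i++ )
    {
        ULONG ord = ordinals[i];
        if( ord >= max_func )
        {
            // Inconsistent export table; the original also gave up here.
            goto cleanup;
        }
        // An RVA inside the export directory is a forwarder string, not code.
        if( functions[ord] >= addr && functions[ord] < addr + Size )
        {
            continue;
        }
        if( strcmp((PCHAR) baseaddress + names[i], FunctionName) == 0 )
        {
            pFunctionAddress = (ULONG) baseaddress + functions[ord];
            break;
        }
    }
    if( pFunctionAddress == 0 )
    {
        KdPrint(("[GetFunctionAddress] %s not found in export table\n", FunctionName));
        goto cleanup;
    }

    // Expected stub: B8 imm32 (mov eax, ServiceId). Refuse anything else
    // rather than returning the operand bytes of some unrelated instruction.
    if( *(PUCHAR)pFunctionAddress != 0xB8 )
    {
        KdPrint(("[GetFunctionAddress] %s: unexpected stub opcode 0x%x\n", FunctionName, *(PUCHAR)pFunctionAddress));
        goto cleanup;
    }
    ServiceId = *(PULONG)(pFunctionAddress + 1);

cleanup:
    // Release in reverse order of acquisition; each step is skipped for
    // resources that were never obtained.
    if( baseaddress != NULL )
    {
        ZwUnmapViewOfSection( NtCurrentProcess(), baseaddress );
    }
    if( hSection != NULL )
    {
        ZwClose( hSection );
    }
    if( hFile != NULL )
    {
        ZwClose( hFile );
    }
    return ServiceId;
}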
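// Fetch the address the live SSDT currently holds at index, after checking
// that index fits the oldssdt snapshot. Returns 0 (never a code address)
// when it does not, so inlineHook() has nothing to patch for that entry.
static ULONG CaptureLiveSsdtEntry( const char* name , ULONG index )
{
    ULONG live;
    if( index >= SsdtTbaleSize )
    {
        KdPrint(("[InitSystemCallIndex]%s index 0x%x >= SsdtTbaleSize, not captured\n", name, index));
        return 0;
    }
    live = (KeServiceDescriptorTable->ServiceTableBase)[index];
    KdPrint(("[InitSystemCallIndex]%s index:0x%x,original addr:0x%x,current:0x%x\n", name, index, oldssdt[index], live));
    return live;
}
VOID InitSystemCallIndex()
{
    // Resolve the service index of each call this driver cares about and
    // record what the live SSDT points at for that index. Once a protection
    // driver has hooked the table, the recorded address is its hook, which
    // inlineHook() later compares against the pre-hook snapshot in oldssdt.
    //
    // Preconditions: SaveOldSSdt() has filled oldssdt. The *Index globals
    // assigned here are defined outside this listing. GetFunctionId()
    // returns 0 on failure, which this function cannot distinguish from
    // service index 0 (see its comment).
    //
    // Fix vs. the original: each resolved index is bounds-checked against
    // SsdtTbaleSize before oldssdt is read, so an index outside the snapshot
    // cannot read past the array; such an entry is recorded as 0 and skipped.
    ZwOpenProcessIndex = GetFunctionId( "ZwOpenProcess" );
    ZwHookOpenProcess = CaptureLiveSsdtEntry( "ZwOpenProcess" , ZwOpenProcessIndex );

    ZwWriteVirtualMemoryIndex = GetFunctionId( "ZwWriteVirtualMemory" );
    ZwHookWriteVirtualMemory = CaptureLiveSsdtEntry( "ZwWriteVirtualMemory" , ZwWriteVirtualMemoryIndex );

    ZwQuerySystemInformationIndex = GetFunctionId( "ZwQuerySystemInformation" );
    ZwHookQuerySystemInformation = CaptureLiveSsdtEntry( "ZwQuerySystemInformation" , ZwQuerySystemInformationIndex );
}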
ULONG CalcJmpCode(ULONG des , ULONG org )
{
    // Displacement for a 5-byte "jmp rel32" placed at org that lands on des.
    // rel32 is relative to the address of the following instruction
    // (org + 5); unsigned wrap-around yields the correct two's-complement
    // value for a backward jump.
    ULONG next_instruction = org + 5;
    return des - next_instruction;
}
VOID ModifyJmpCode2( ULONG myZwFuction , ULONG zwHookFuction)
{
    // Overwrite the first five bytes at zwHookFuction with "jmp rel32"
    // targeting myZwFuction. As used by inlineHook(), zwHookFuction is the
    // address the live SSDT currently points at (the protection driver's
    // hook) and myZwFuction is the pre-hook entry from oldssdt, so the hook
    // becomes an unconditional jump to the original system service.
    //
    // Preconditions (not checked here): the caller has made the target page
    // writable (inlineHook brackets the call with WPOFF()/WPON()), and the
    // first five bytes at zwHookFuction may be replaced wholesale -- no
    // instruction-boundary check is made and the 5-byte write is not
    // atomic. Both addresses are only validated with MmIsAddressValid.
    BYTE patch[5] = { 0xE9 , 0 , 0 , 0 , 0 };   // E9 = jmp rel32; displacement filled below
    DWORD target = (DWORD)myZwFuction;
    DWORD rel;

    if( !MmIsAddressValid((PVOID)target) )
    {
        KdPrint( ("MmIsAddressValid 0x%x Error\n" , target ) );
        return ;
    }
    KdPrint( ("inline hook addr:0x%x\n" ,target ) );

    // rel32 is relative to the end of the jmp that will sit at zwHookFuction
    rel = CalcJmpCode( target , zwHookFuction );
    RtlCopyMemory( &patch[1] , &rel , sizeof(rel) );

    if( !MmIsAddressValid((PVOID)zwHookFuction) )
    {
        KdPrint( ("MmIsAddressValid 0x%x Error\n" , zwHookFuction ) );
        return ;
    }
    RtlCopyMemory( (PVOID)zwHookFuction , patch , sizeof(patch) );
}
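// Patch one service: redirect the live hook at liveEntry back to the
// pre-hook address oldssdt[index]. No-op when the index does not fit the
// snapshot, when no live entry was captured, or when the entry is unhooked.
static VOID RedirectHookToOriginal( ULONG index , ULONG liveEntry , const char* name )
{
    if( index >= SsdtTbaleSize )
    {
        KdPrint( ("[inlineHook] %s index 0x%x out of range, skipped\n" , name , index ) );
        return;
    }
    if( liveEntry == 0 || liveEntry == oldssdt[index] )
    {
        return;   // nothing captured, or the SSDT entry is still the original
    }
    ModifyJmpCode2( (ULONG)oldssdt[index] , liveEntry );
}
VOID inlineHook()
{
    // Neutralise the protection driver's SSDT hooks for the three services
    // resolved by InitSystemCallIndex(). For each one whose live entry
    // (ZwHook*) differs from the pre-hook snapshot in oldssdt, the hook's
    // first five bytes are replaced with a jmp back to the original service
    // (ModifyJmpCode2), so the hook body never runs.
    //
    // Preconditions: SaveOldSSdt() ran before the protection driver hooked
    // the table and InitSystemCallIndex() ran after it; otherwise the
    // comparison is meaningless. WPOFF()/WPON() are defined outside this
    // listing; by name and placement they lift and restore write protection
    // around the patches, and no IRQL raise or multi-processor
    // synchronisation is visible here (TODO confirm how WPOFF handles SMP).
    //
    // Fix vs. the original: each index is bounds-checked against
    // SsdtTbaleSize before oldssdt is indexed (the original read
    // oldssdt[index] unguarded), and an entry whose live address was never
    // captured (0) is skipped instead of being handed to ModifyJmpCode2.
    WPOFF();
    RedirectHookToOriginal( ZwQuerySystemInformationIndex , ZwHookQuerySystemInformation , "ZwQuerySystemInformation" );
    RedirectHookToOriginal( ZwOpenProcessIndex , ZwHookOpenProcess , "ZwOpenProcess" );
    RedirectHookToOriginal( ZwWriteVirtualMemoryIndex , ZwHookWriteVirtualMemory , "ZwWriteVirtualMemory" );
    WPON();
}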
VOID Kill()
{
    // Entry point for defeating the protection: refresh the service indices
    // and the live SSDT entries, then patch every hooked entry so it jumps
    // straight back to the original service. Relies on oldssdt having been
    // filled by SaveOldSSdt() before the protection driver hooked the table.
    InitSystemCallIndex();   // resolve indices, capture current (hooked) entries
    inlineHook();            // jmp hook -> original for each entry that changed
}