unit NewKernelHandler;
interface
uses windows,sysutils;
// Procedural types for the functions this unit routes through its own
// variables instead of calling kernel32 directly. Every type is stdcall so a
// variable of that type can be assigned straight from a GetProcAddress
// result (see LoadDBK32 in the implementation).
//
// First group: signatures shaped like the Win32 APIs of the same name, so the
// variables declared later in this unit can stand in for the real calls (or
// for a file-backed implementation; see the 'uses filehandler' comment).
type TReadProcessMemory=function(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesRead: DWORD): BOOL; stdcall;
type TWriteProcessMemory=function(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesWritten: DWORD): BOOL; stdcall;
type TGetThreadContext=function(hThread: THandle; var lpContext: TContext): BOOL; stdcall;
type TSetThreadContext=function(hThread: THandle; const lpContext: TContext): BOOL; stdcall;
type TSuspendThread=function(hThread: THandle): DWORD; stdcall;
type TResumeThread=function(hThread: THandle): DWORD; stdcall;
type TOpenProcess=function(dwDesiredAccess: DWORD; bInheritHandle: BOOL; dwProcessId: DWORD): THandle; stdcall;
type TWaitForDebugEvent=function(var lpDebugEvent: TDebugEvent; dwMilliseconds: DWORD): BOOL; stdcall;
type TContinueDebugEvent=function(dwProcessId, dwThreadId, dwContinueStatus: DWORD): BOOL; stdcall;
type TDebugActiveProcess=function(dwProcessId: DWORD): BOOL; stdcall;
// Not Win32: resolved from DBK32.dll as 'StopDebugging' / 'StopRegisterChange'.
type TStopDebugging=function: BOOL; stdcall;
type TStopRegisterChange=function(regnr:integer):BOOL; stdcall;
type TVirtualProtect=function(lpAddress: Pointer; dwSize, flNewProtect: DWORD; var OldProtect: DWORD): BOOL; stdcall;
type TVirtualProtectEx=function(hProcess: THandle; lpAddress: Pointer; dwSize, flNewProtect: DWORD; var OldProtect: DWORD): BOOL; stdcall;
type TVirtualQueryEx=function(hProcess: THandle; lpAddress: Pointer; var lpBuffer: TMemoryBasicInformation; dwLength: DWORD): DWORD; stdcall;
type TVirtualAllocEx=function(hProcess: THandle; lpAddress: Pointer; dwSize, flAllocationType: DWORD; flProtect: DWORD): Pointer; stdcall;
type TCreateRemoteThread=function(hProcess: THandle; lpThreadAttributes: Pointer; dwStackSize: DWORD; lpStartAddress: TFNThreadStartRoutine; lpParameter: Pointer; dwCreationFlags: DWORD; var lpThreadId: DWORD): THandle; stdcall;
type TOpenThread=function(dwDesiredAccess:DWORD;bInheritHandle:BOOL;dwThreadId:DWORD):THANDLE; stdcall;
//
// Second group: DBK32-only exports. Each name below is looked up verbatim with
// GetProcAddress in LoadDBK32; the driver side is not part of this unit.
//
// Map a process / thread id to a DWORD (presumably a kernel object pointer --
// confirm against the driver; the unit itself only passes the value around).
type TGetPEProcess=function(ProcessID:DWORD):DWORD; stdcall;
type TGetPEThread=function(Threadid: dword):dword; stdcall;
// Offset getters: each returns a single DWORD and takes no arguments.
type TGetDebugportOffset=function:DWORD; stdcall;
type TGetProcessnameOffset=function:DWORD; stdcall;
type TGetThreadsProcessOffset=function: dword; stdcall;
type TGetThreadListEntryOffset=function: dword; stdcall;
// Resolves a virtual address in hProcess to a 64-bit Address out-parameter.
type TGetPhysicalAddress=function(hProcess:THandle;lpBaseAddress:pointer;var Address:int64): BOOL; stdcall;
// Takes a process id, two list-mode flags and a caller-owned list buffer with
// its size in bytes (listsize). The buffer layout is defined by the driver,
// not here -- keep list/listsize consistent with whatever fills ModuleList.
type TProtectMe=function(ProtectedProcessID: dword; denylist,globaldenylist:BOOL;list:pchar; listsize:dword):BOOL; stdcall;
// Control-register and service-table accessors. These are privileged
// operations; nothing in this unit validates hProcess or the CR3 value
// before handing it to the driver, so callers must be trusted code.
type TGetCR4=function:DWORD; stdcall;
type TGetCR3=function(hProcess:THANDLE;var CR3: DWORD):BOOL; stdcall;
type TSetCR3=function(hProcess:THANDLE;CR3: DWORD):BOOL; stdcall;
type TGetSDT=function:DWORD; stdcall;
// Same signature as TGetSDT; the GetSDTShadow variable is in fact declared
// with TGetSDT rather than this type (harmless, but inconsistent).
type TGetSDTShadow=function:DWORD; stdcall;
// Queues an APC routine on the thread identified by threadid.
type TCreateRemoteAPC=function(threadid: dword; lpStartAddress: TFNAPCProc): THandle; stdcall;
// Both out-parameters are DWORDs filled in by the driver; the unit does not
// interpret them.
type TsetAlternateDebugMethod=function(var int1apihook:dword; var OriginalInt1handler:dword):BOOL; stdcall;
type TgetAlternateDebugMethod=function:BOOL; stdcall;
// One 'change*' flag plus one 'new*' value per general register and per
// arithmetic flag; a register is only replaced when its change flag is True.
type TChangeRegOnBP=function(Processid:dword; address: dword; debugreg: integer; changeEAX,changeEBX,changeECX,changeEDX,changeESI,changeEDI,changeEBP,changeESP,changeEIP,changeCF,changePF,changeAF,changeZF,changeSF,changeOF:BOOLEAN; newEAX,newEBX,newECX,newEDX,newESI,newEDI,newEBP,newESP,newEIP:DWORD; newCF,newPF,newAF,newZF,newSF,newOF:BOOLEAN):BOOLEAN; stdcall;
// Hardware-breakpoint style debugging: address plus a size and type byte.
// Valid values of size/debugtype are defined by the driver, not checked here.
type TDebugProcess=function(processid:dword;address:DWORD;size: byte;debugtype:byte):BOOL; stdcall;
// Buffer is caller-owned; the required size is not expressed in this
// signature, so the caller must know the driver's record layout.
type TRetrieveDebugData=function(Buffer: pointer):integer; stdcall;
// Name lookups write into a caller buffer of buffersize bytes and return an
// integer (meaning defined by the driver).
type TGetProcessNameFromID=function(processid:dword; buffer:pchar;buffersize:dword):integer; stdcall;
type TGetProcessNameFromPEProcess=function(peprocess:dword; buffer:pchar;buffersize:dword):integer; stdcall;
type TStartProcessWatch=function:BOOL;stdcall;
// Blocks for at most timeout milliseconds (by name; the unit of timeout is
// not stated here) while the driver fills the two caller-owned buffers.
type TWaitForProcessListData=function(processpointer:pointer;threadpointer:pointer;timeout:dword):dword; stdcall;
type TIsValidHandle=function(hProcess:THandle):BOOL; stdcall;
// IDT queries: idtstore is caller-owned, maxidts bounds how many are written.
type TGetIDTCurrentThread=function:dword; stdcall;
type TGetIDTs=function(idtstore: pointer; maxidts: integer):integer; stdcall;
// Remaining helpers: their GetProcAddress assignments are not in the part of
// LoadDBK32 shown above the IDT lookups, so check the rest of the unit before
// relying on any of them being non-nil.
type TMakeWritable=function(Address,Size:dword;copyonwrite:boolean): boolean; stdcall;
type TGetLoadedState=function : BOOLEAN; stdcall;
type TDBKTest=function:boolean; stdcall;
type TDBKSuspendThread=function(ThreadID:dword):boolean; stdcall;
type TDBKResumeThread=function(ThreadID:dword):boolean; stdcall;
type TDBKSuspendProcess=function(ProcessID:dword):boolean; stdcall;
type TDBKResumeProcess=function(ProcessID:dword):boolean; stdcall;
// Allocation in kernel space; the returned pointer is not usable from user
// mode, only as an argument to other DBK calls.
type TKernelAlloc=function(size: dword):pointer; stdcall;
// Note the wide-char argument: pass a PWideChar, not a PChar, or the name is
// mis-read by the driver.
type TGetKProcAddress=function(s: pwidechar):pointer; stdcall;
// All three parameters are DWORD out-values written by the driver.
type TProtect2=function(var testprotect:dword; var NewObOpenObjectByPointer: dword; var OriginalObOpenObjectByPointer: dword):boolean; stdcall;
// Switches the DLL's transport to IOCTL when use is True (by name; the
// alternative transport is not described in this unit).
type TuseIOCTL=procedure(use: boolean); stdcall;
// Selectors for which implementation the procedural variables below point at.
// Bodies live in the implementation section. By name, each DONTUse* routine
// puts the plain Windows version back and each Use* routine installs the
// DBK32 version for the named operation -- verify against the bodies, which
// are not in this part of the file.
procedure DONTUseDBKQueryMemoryRegion;
procedure DONTUseDBKReadWriteMemory;
procedure DONTUseDBKOpenProcess;
procedure UseDBKQueryMemoryRegion;
procedure UseDBKReadWriteMemory;
procedure UseDBKOpenProcess;
// Redirect the memory variables at a file (see 'uses filehandler' in the
// implementation), at physical memory, or back at process memory. The
// parameterless DBKFileAsMemory overload presumably reuses a stored filename;
// check the body before relying on that.
procedure DBKFileAsMemory(filename:string); overload;
procedure DBKFileAsMemory; overload;
procedure DBKPhysicalMemory;
procedure DBKProcessMemory;
// Loads DBK32.dll (by unqualified name) and resolves every DBK export into the
// variables below. Raises an Exception when the DLL cannot be loaded; the
// individual GetProcAddress results are stored without a nil check.
procedure LoadDBK32;
// Ask the driver to shield a process; ProtectCE is the same for the current
// process (by name -- the bodies are in the implementation section).
Procedure ProtectProcess(processid: dword);
Procedure ProtectCE;
//I could of course have made it a parameter thing, but I'm lazy
// Procedural variables that every unit using NewKernelHandler calls instead
// of the kernel32 routines of the same name (the names deliberately shadow
// the Windows API). They are nil until LoadDBK32 or one of the Use*/DONTUse*
// procedures assigns them; calling one earlier dereferences a nil pointer.
// LoadDBK32 stores GetProcAddress results unchecked, so an export missing
// from the DBK32.dll that was found also leaves its variable nil.
var
ReadProcessMemory :TReadProcessMemory;
WriteProcessMemory :TWriteProcessMemory;
GetThreadContext :TGetThreadContext;
SetThreadContext :TSetThreadContext;
SuspendThread :TSuspendThread;
ResumeThread :TResumeThread;
OpenProcess :TOpenProcess;
WaitForDebugEvent :TWaitForDebugEvent;
ContinueDebugEvent :TContinueDebugEvent;
DebugActiveProcess :TDebugActiveProcess;
StopDebugging :TStopDebugging;
StopRegisterChange :TStopRegisterChange;
VirtualProtect :TVirtualProtect;
VirtualProtectEx :TVirtualProtectEx;
VirtualQueryEx :TVirtualQueryEx;
VirtualAllocEx :TVirtualAllocEx;
CreateRemoteThread :TCreateRemoteThread;
OpenThread :TOpenThread;
GetPEProcess :TGetPEProcess;
GetPEThread :TGetPEThread;
GetThreadsProcessOffset:TGetThreadsProcessOffset;
GetThreadListEntryOffset:TGetThreadListEntryOffset;
GetProcessnameOffset :TGetProcessnameOffset;
GetDebugportOffset :TGetDebugportOffset;
GetPhysicalAddress :TGetPhysicalAddress;
ProtectMe :TProtectMe;
GetCR4 :TGetCR4;
GetCR3 :TGetCR3;
SetCR3 :TSetCR3;
GetSDT :TGetSDT;
// Declared as TGetSDT rather than TGetSDTShadow; the two types have the same
// signature, so this only matters for readability.
GetSDTShadow :TGetSDT;
setAlternateDebugMethod: TsetAlternateDebugMethod;
getAlternateDebugMethod: TgetAlternateDebugMethod;
DebugProcess :TDebugProcess;
ChangeRegOnBP :TChangeRegOnBP;
RetrieveDebugData :TRetrieveDebugData;
StartProcessWatch :TStartProcessWatch;
WaitForProcessListData:TWaitForProcessListData;
GetProcessNameFromID :TGetProcessNameFromID;
GetProcessNameFromPEProcess:TGetProcessNameFromPEProcess;
// The Kernel* variables always hold the DBK32 versions ('OP', 'RPM', 'WPM',
// 'VAE' exports); the unprefixed variables above are the ones that get
// switched between Windows, DBK32 and file-backed implementations.
KernelOpenProcess :TOpenProcess;
KernelReadProcessMemory :TReadProcessMemory;
KernelWriteProcessMemory:TWriteProcessMemory;
KernelVirtualAllocEx :TVirtualAllocEx;
IsValidHandle :TIsValidHandle;
GetIDTCurrentThread :TGetIDTCurrentThread;
GetIDTs :TGetIDTs;
// From here on the assignments are not in the portion of LoadDBK32 that
// precedes the IDT lookups; confirm they are resolved before use.
MakeWritable :TMakeWritable;
GetLoadedState :TGetLoadedState;
dbktest :TDBKTest;
DBKSuspendThread :TDBKSuspendThread;
DBKResumeThread :TDBKResumeThread;
DBKSuspendProcess :TDBKSuspendProcess;
DBKResumeProcess :TDBKResumeProcess;
KernelAlloc :TKernelAlloc;
GetKProcAddress :TGetKProcAddress;
Protect2 :TProtect2;
CreateRemoteAPC :TCreateRemoteAPC;
useIOCTL :TuseIOCTL;
// Module handles and mode flags shared by the selector procedures above.
// DarkByteKernel is the LoadLibrary('DBK32.dll') result, looked up by bare
// name, so the normal DLL search order decides which file is loaded; a full
// path would make that choice explicit. It doubles as the "already loaded"
// marker (LoadDBK32 returns early when it is non-zero).
var WindowsKernel: Thandle;
DarkByteKernel: Thandle;
Usephysical: boolean;
UseFileAsMemory: boolean;
usedbkquery:boolean;
DBKReadWrite: boolean;
// Inputs for ProtectMe: the two list-mode flags and the caller-owned list
// buffer with its byte size. Keep ModuleListSize in step with the buffer.
DenyList:boolean;
DenyListGlobal: boolean;
ModuleListSize: integer;
ModuleList: pointer;
implementation
uses filehandler; //so I can let readprocessmemory point to ReadProcessMemoryFile in filehandler
procedure LoadDBK32;
begin
if DarkByteKernel=0 then
begin
DarkByteKernel:= LoadLibrary('DBK32.dll');
if DarkByteKernel=0 then raise exception.Create('Failed to open DBK32.dll');
//the driver is loaded (I hope)
KernelVirtualAllocEx:=GetProcAddress(darkbytekernel,'VAE');
KernelOpenProcess:=GetProcAddress(darkbytekernel,'OP');
KernelReadProcessMemory:=GetProcAddresS(darkbytekernel,'RPM');
KernelWriteProcessMemory:=GetProcAddress(darkbytekernel,'WPM');
GetPEProcess:=GetProcAddress(DarkByteKernel,'GetPEProcess');
GetPEThread:=GetProcAddress(DarkByteKernel,'GetPEThread');
GetProcessnameOffset:=GetProcAddress(DarkByteKernel,'GetProcessnameOffset');
GetThreadsProcessOffset:=GetProcAddress(DarkByteKernel,'GetThreadsProcessOffset');
GetThreadListEntryOffset:=GetProcAddress(DarkByteKernel,'GetThreadListEntryOffset');
GetDebugportOffset:=GetProcAddresS(DarkByteKernel,'GetDebugportOffset');
GetPhysicalAddress:=GetProcAddresS(DarkByteKernel,'GetPhysicalAddress');
GetCR4:=GetProcAddress(DarkByteKernel,'GetCR4');
GetCR3:=GetProcAddress(DarkByteKernel,'GetCR3');
SetCR3:=GetProcAddress(DarkByteKernel,'SetCR3');
GetSDT:=GetProcAddress(DarkByteKernel,'GetSDT');
GetSDTShadow:=GetProcAddress(DarkByteKernel,'GetSDTShadow');
setAlternateDebugMethod:=GetProcAddress(DarkByteKernel,'setAlternateDebugMethod');
getAlternateDebugMethod:=GetProcAddress(DarkByteKernel,'getAlternateDebugMethod');
DebugProcess:=GetProcAddress(DarkByteKernel,'DebugProcess');
StopDebugging:=GetProcAddress(DarkByteKernel,'StopDebugging');
StopRegisterChange:=GetProcAddress(DarkByteKernel,'StopRegisterChange');
RetrieveDebugData:=GetProcAddress(DarkByteKernel,'RetrieveDebugData');
ChangeRegOnBP:=GetProcAddress(DarkByteKernel,'ChangeRegOnBP');
StartProcessWatch:=GetProcAddress(DarkByteKernel,'StartProcessWatch');
WaitForProcessListData:=GetProcAddress(DarkByteKernel,'WaitForProcessListData');
GetProcessNameFromID:=GetProcAddress(DarkByteKernel,'GetProcessNameFromID');
GetProcessNameFromPEProcess:=GetProcAddress(DarkByteKernel,'GetProcessNameFromPEProcess');
IsValidHandle:=GetProcAddress(DarkByteKernel,'IsValidHandle');
GetIDTs:=GetProcAddress(DarkByteKernel,'GetIDTs');