ntStatus = IoCreateSymbolicLink(&uszDeviceString, &uszDriverString);
if(ntStatus != STATUS_SUCCESS)
{
// Delete device object if not successful
IoDeleteDevice(pDeviceObject);
ExFreePool(BufDriverString);
ExFreePool(BufDeviceString);
ExFreePool(BufProcessEventString);
ExFreePool(BufThreadEventString);
ZwClose(reg);
return ntStatus;
}
#endif
// Load structure to point to IRP handlers...
DriverObject->DriverUnload = MSJUnloadDriver;
DriverObject->MajorFunction[IRP_MJ_CREATE] = MSJDispatchCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = MSJDispatchClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MSJDispatchIoctl;
DebuggedProcessID=0;
ProtectOn=FALSE;
ImageNotifyRoutineLoaded=FALSE;
LastForegroundWindow=0;
ProtectedProcessID=0;
ModuleList=NULL;
ModuleListSize=0;
newthreaddatafiller=IoAllocateWorkItem(pDeviceObject);
//
//Processlist init
#ifndef CETC
ProcessEvent=IoCreateNotificationEvent(&uszProcessEventString, &ProcessEventHandle);
KeClearEvent(ProcessEvent);
ProcessEventCount=0;
KeInitializeSpinLock(&ProcesslistSL);
#endif
CreateProcessNotifyRoutineEnabled=FALSE;
//threadlist init
#ifndef CETC
ThreadEvent=IoCreateNotificationEvent(&uszThreadEventString, &ThreadEventHandle);
KeClearEvent(ThreadEvent);
#endif
ThreadEventCount=0;
for (i=0; i<32;i++)
IDTAddresses[i]=0; //init. I dont know for sure if it gets set to NULL by default so let's be sure
RtlZeroMemory(&DebugEvents[0],50*sizeof(DebugEvent));
BufferSize=0;
processlist=NULL;
OriginalInt1.wHighOffset=0;
OriginalInt3.wHighOffset=0;
ChangeRegistersOnBP=FALSE;
for (i=0;i<4;i++)
ChangeRegs[i].Active=FALSE;
//determine if PAE is used
cr4reg=getCR4();
if ((cr4reg & 0x20)==0x20)
{
PTESize=8; //pae
PAGE_SIZE_LARGE=0x200000;
MAX_PDE_POS=0xC0604000;
}
else
{
PTESize=4;
PAGE_SIZE_LARGE=0x400000;
MAX_PDE_POS=0xC0301000;
}
#ifdef CETC
DbgPrint("Going to initialice CETC\n");
InitializeCETC();
#endif
UsesAlternateMethod=FALSE;
//hideme(DriverObject); //ok, for those that see this, enabling this WILL fuck up try except routines, even in usermode you'll get a blue sreen
//thisDriverObject=DriverObject;
// Return success (don't do the devicestring, I need it for unload)
ExFreePool(BufDriverString);
ExFreePool(BufProcessEventString);
ExFreePool(BufThreadEventString);
ZwClose(reg);
return ntStatus;
}
/*
 * IRP_MJ_CREATE handler: every open of the device succeeds and transfers no
 * data.  DeviceObject is unused.
 *
 * NOTE(review): no caller check is performed here, so whoever can open the
 * device name gets a handle to the IOCTL interface; any access control has to
 * come from how the device object was created (outside this function).
 */
NTSTATUS MSJDispatchCreate(IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp)
{
    (void)DeviceObject;

    /* Nothing to validate on open: report success with zero bytes returned. */
    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = STATUS_SUCCESS;

    /* Complete the request with no priority boost and echo the status. */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
/*
 * IRP_MJ_CLOSE handler: the last handle to a file object on the device is
 * going away.  No per-handle state is kept by this driver, so there is nothing
 * to release; the request is simply completed successfully.  DeviceObject is
 * unused.
 */
NTSTATUS MSJDispatchClose(IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp)
{
    (void)DeviceObject;

    /* No cleanup needed: report success with zero bytes returned. */
    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = STATUS_SUCCESS;

    /* Complete the request with no priority boost and echo the status. */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
NTSTATUS MSJDispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
NTSTATUS ntStatus;
PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
switch(irpStack->Parameters.DeviceIoControl.IoControlCode)
{
case IOCTL_CE_READMEMORY:
__try
{
struct input
{
UINT_PTR processid;
char *startaddress;
unsigned short int bytestoread;
} *pinp,inp;
PEPROCESS selectedprocess;
pinp=Irp->AssociatedIrp.SystemBuffer;
ntStatus=ReadProcessMemory(pinp->processid,NULL,pinp->startaddress,pinp->bytestoread,pinp) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
}
__except(1)
{
ntStatus = STATUS_UNSUCCESSFUL;
};
break;
case IOCTL_CE_WRITEMEMORY:
__try
{
struct input
{
UINT_PTR processid;
void *startaddress;
unsigned short int bytestowrite;
} *pinp,inp;
PEPROCESS selectedprocess;
pinp=Irp->AssociatedIrp.SystemBuffer;
ntStatus=WriteProcessMemory(pinp->processid,NULL,pinp->startaddress,pinp->bytestowrite,(PVOID)((UINT_PTR)pinp+sizeof(inp))) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
}
__except(1)
{
//something went wrong and I don't know what
ntStatus = STATUS_UNSUCCESSFUL;
};
break;
case IOCTL_CE_OPENPROCESS:
{
HANDLE ProcessHandle;
CLIENT_ID ClientID;
OBJECT_ATTRIBUTES ObjectAttributes;
PHANDLE pid;
PEPROCESS selectedprocess;
UNICODE_STRING y;
PVOID *PsProcessType;
RtlZeroMemory(&ObjectAttributes,sizeof(OBJECT_ATTRIBUTES));
ntStatus=STATUS_SUCCESS;
pid=Irp->AssociatedIrp.SystemBuffer;
ClientID.UniqueProcess=*pid;
ClientID.UniqueThread=0;
ProcessHandle=0;
__try
{
ProcessHandle=0;
//ntStatus=ZwOpenProcess(&ProcessHandle,PROCESS_ALL_ACCESS,&ObjectAttributes,&ClientID);
if (PsLookupProcessByProcessId((PVOID)(*pid),&selectedprocess)==STATUS_SUCCESS)
{
RtlInitUnicodeString(&y, L"PsProcessType");
PsProcessType=MmGetSystemRoutineAddress(&y);
if (PsProcessType)
{
ACCESS_STATE AccessState;
DbgPrint("Calling ObOpenObjectByPointer\n");
ntStatus=ObOpenObjectByPointer (
selectedprocess,
0,
NULL,
PROCESS_ALL_ACCESS,
(PVOID)*PsProcessType,
UserMode,
&ProcessHandle);
DbgPrint("ntStatus=%x",ntStatus);
}
else DbgPrint("PsProcessType not found\n");
}
}
__except(1)
{
ntStatus=STATUS_UNSUCCESSFUL;
}
*pid=ProcessHandle;
break;
}
case IOCTL_CE_OPENTHREAD:
{
HANDLE ThreadHandle;
CLIENT_ID ClientID;
OBJECT_ATTRIBUTES ObjectAttributes;
PHANDLE tid;
RtlZeroMemory(&ObjectAttributes,sizeof(OBJECT_ATTRIBUTES));
ntStatus=STATUS_SUCCESS;
tid=Irp->AssociatedIrp.SystemBuffer;
ClientID.UniqueProcess=0;
ClientID.UniqueThread=*tid;
ThreadHandle=0;
__try
{
ThreadHandle=0;
ntStatus=ZwOpenThread(&ThreadHandle,PROCESS_ALL_ACCESS,&ObjectAttributes,&ClientID);
}
__except(1)
{
ntStatus=STATUS_UNSUCCESSFUL;
}
*tid=ThreadHandle;
break;
}
case IOCTL_CE_MAKEWRITABLE:
{
struct InputBuf
{
PVOID StartAddress;
ULONG Size;
BYTE CopyOnWrite;
} *PInputBuf;
PInputBuf=Irp->AssociatedIrp.SystemBuffer;
ntStatus=MakeWritable(PInputBuf->StartAddress,PInputBuf->Size,(PInputBuf->CopyOnWrite==1)) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
break;
}
case IOCTL_CE_QUERY_VIRTUAL_MEMORY:
{
struct InputBuf
{
UINT_PTR ProcessID;
UINT_PTR StartAddress;
} *PInputBuf;
struct OutputBuf
{
UINT_PTR length;
UINT_PTR protection;
} *POutputBuf;
UINT_PTR BaseAddress;
PEPROCESS selectedprocess;
ntStatus=STATUS_SUCCESS;
PInputBuf=Irp->AssociatedIrp.SystemBuffer;
POutputBuf=Irp->AssociatedIrp.SystemBuffer;
ntStatus=GetMemoryRegionData(PInputBuf->ProcessID,NULL,(PVOID)(PInputBuf->StartAddress),&(POutputBuf->protection),&(POutputBuf->length),&BaseAddress) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
break;
}
case IOCTL_CE_TEST: //just a test to see it's working
{
ULONG ThreadID;
ThreadID=*(ULONG*)Irp->AssociatedIrp.SystemBuffer;
ntStatus=STATUS_SUCCESS;
break;
}
case IOCTL_CE_GETPETHREAD:
{
*(PULONG)Irp->AssociatedIrp.SystemBuffer=getPEThread(*(PULONG)Irp->AssociatedIrp.SystemBuffer);
ntStatus= STATUS_SUCCESS;
break;
}
case IOCTL_CE_GETPEPROCESS:
{
UINT_PTR *processid;
PEPROCESS selectedprocess;
processid=Irp->AssociatedIrp.SystemBuffer;
if (PsLookupProcessByProcessId((PVOID)(*processid),&selectedprocess)==STATUS_SUCCESS)
*(PULONG)Irp->AssociatedIrp.SystemBuffer=(ULONG)selectedprocess;
else
*(PULONG)Irp->AssociatedIrp.SystemBuffer=0;
ObDereferenceObject(selectedprocess);
ntStatus= STATUS_SUCCESS;
break;
}
case IOCTL_CE_READPHYSICALMEMORY:
{
HANDLE physmem;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
WCHAR physmemName[] = L"\\device\\physicalmemory";
UCHAR* memoryview;
__try
{
RtlInitUnicodeString( &physmemString, physmemName );
InitializeObjectAttributes( &attributes, &physmemString, OBJ_CASE_INSENSITIVE, NULL, NULL );
ntStatus=ZwOpenSection( &physmem, SECTION_MAP_READ, &attributes );
if (ntStatus==STATUS_SUCCESS)
{
//hey look, it didn't kill it
struct input
{
char *startaddress;
UINT_PTR bytestoread;
} *pinp;
UINT_PTR length;
PHYSICAL_ADDRESS viewBase;
UINT_PTR offset;
UINT_PTR toread;
pinp=Irp->AssociatedIrp.SystemBuffer;
viewBase.QuadPart = (ULONGLONG)(pinp->startaddress);
length=0x2000;//pinp->bytestoread; //in case of a overlapping region
toread=pinp->bytestoread;
memoryview=NULL;
ntStatus=ZwMapViewOfSection(
physmem, //sectionhandle
NtCurrentProcess(), //processhandle
&memoryview, //BaseAddress
0L, //ZeroBits
length, //CommitSize
&viewBase, //SectionOffset
&length, //ViewSize
ViewShare,
0,
PAGE_READWRITE);
if (ntStatus==STATUS_SUCCESS)
{
offset=(UINT_PTR)(pinp->startaddress)-(UINT_PTR)viewBase.QuadPart;
RtlCopyMemory(pinp,&memoryview[offset],toread);
ZwUnmapViewOfSection(
NtCurrentProcess(), //processhandle
memoryview);
};
ZwClose(physmem);
};
}
__except(1)
{
DbgPrint("Error while reading physical memory\n");
}
break;
}
case IOCTL_CE_WRITEPHYSICALMEMORY:
{
HANDLE physmem;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
WCHAR physmemName[] = L"\\device\\physicalmemory";
UCHAR* memoryview;
RtlInitUnicodeString( &physmemString, physmemName );
InitializeObjectAttributes( &attributes, &physmemString, OBJ_CASE_INSENSITIVE, NULL, NULL );
ntStatus=ZwOpenSection( &physmem, SECTION_MAP_READ, &attributes );
if (ntStatus==STATUS_SUCCESS)
{
//hey look, it didn't kill it
struct input
{
char *startaddress;
UINT_PTR bytestoread;
} *pinp;
UCHAR* pinp2;
UINT_PTR length;
PHYSICAL_ADDRESS viewBase;
UINT_PTR offset;
UINT_PTR toread;
pinp=Irp->AssociatedIrp.SystemBuffer;
pinp2=(UCHAR *)pinp;
viewBase.QuadPart = (ULONGLONG)(pinp->startaddress);
length=0x2000;//pinp->bytestoread;
toread=pinp->bytestoread;
memoryview=NULL;
ntStatus=ZwMapViewOfSection(
physmem, //sectionhandle
NtCurrentProcess(), //processhandle
&memoryview, //BaseAddress
0L, //ZeroBits
length, //CommitSize
&viewBase, //SectionOffset
&length, //ViewSize
ViewShare,
0,
PAGE_READWRITE);
if (ntStatus==STATUS_SUCCESS)
{
offset=(UINT_PTR)(pinp->startaddress)-(UINT_PTR)viewBase.QuadPart;
RtlCopyMemory(&memoryview[offset],&pinp2[8],toread);
ZwUnmapViewOfSection(
NtCurrentProcess(), //processhandle
memoryview);