}
ZwClose(physmem);
}
break;
}
case IOCTL_CE_GETPHYSICALADDRESS:
{
struct input
{
UINT_PTR ProcessID;
PVOID BaseAddress;
} *pinp;
PEPROCESS selectedprocess;
PHYSICAL_ADDRESS physical;
ntStatus=STATUS_SUCCESS;
pinp=Irp->AssociatedIrp.SystemBuffer;
__try
{
//switch to the selected process
if (PsLookupProcessByProcessId((PVOID)(pinp->ProcessID),&selectedprocess)==STATUS_SUCCESS)
{
KAPC_STATE apc_state;
RtlZeroMemory(&apc_state,sizeof(apc_state));
KeStackAttachProcess((PVOID)selectedprocess,&apc_state);
__try
{
physical=MmGetPhysicalAddress(pinp->BaseAddress);
}
__finally
{
KeUnstackDetachProcess(&apc_state);
}
ObDereferenceObject(selectedprocess);
}
}
__except(1)
{
ntStatus=STATUS_UNSUCCESSFUL;
}
if (ntStatus==STATUS_SUCCESS)
RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer,&physical.QuadPart,8);
break;
}
case IOCTL_CE_PROTECTME:
{
#ifdef AMD64
ntStatus=STATUS_UNSUCCESSFUL;
#else
struct input
{
HANDLE ProcessID;
ULONG DenyList;
ULONG GlobalDenyList; //ignored if it is a includelist
ULONG ListSize;
} *pinp;
UINT_PTR NextProcess;
UINT_PTR PreviousProcess;
pinp=Irp->AssociatedIrp.SystemBuffer;
if (ModuleList!=NULL)
MmFreeNonCachedMemory(ModuleList,ModuleListSize);
ModuleList=NULL;
ModuleListSize=0;
if (pinp->ListSize>0)
{
ModuleList=MmAllocateNonCachedMemory(pinp->ListSize);
if (ModuleList!=NULL)
{
__try
{
RtlCopyMemory(ModuleList,(PVOID)((UINT_PTR)(&(pinp->ListSize))+sizeof(pinp->ListSize)),pinp->ListSize);
ModuleListSize=pinp->ListSize;
}
__except(1)
{
}
}
}
DenyList=pinp->DenyList==1;
GlobalDenyList=pinp->GlobalDenyList==1;
ProtectedProcessID=pinp->ProcessID;
PsLookupProcessByProcessId((PVOID)(pinp->ProcessID),&ProtectedPEProcess);
if (ActiveLinkOffset!=0)
{
NextProcess=*(PUINT_PTR)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset)-ActiveLinkOffset;
PreviousProcess=*(PUINT_PTR)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset+4)-ActiveLinkOffset;
*(PUINT_PTR)(PreviousProcess+ActiveLinkOffset)=*(PULONG)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset); //the previous process points to me next process
*(PUINT_PTR)(NextProcess+ActiveLinkOffset+4)=*(PULONG)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset+4); //the next process points to the previous process
*(PUINT_PTR)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset)=(UINT_PTR)ProtectedPEProcess+ActiveLinkOffset;
*(PUINT_PTR)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset+4)=(UINT_PTR)ProtectedPEProcess+ActiveLinkOffset;
}
if (!ProtectOn)
{
//unlink this process from the activeprocess list
if (!ImageNotifyRoutineLoaded)
ImageNotifyRoutineLoaded=(PsSetLoadImageNotifyRoutine(LoadImageNotifyRoutine)==STATUS_SUCCESS);
//Hook
OldZwOpenProcess=(ZWOPENPROCESS)SYSTEMSERVICE(ZwOpenProcess);
OldZwQuerySystemInformation=(ZWQUERYSYSTEMINFORMATION)SYSTEMSERVICE(ZwQuerySystemInformation);
if ((KeServiceDescriptorTableShadow!=NULL) && (NtUserBuildHwndList_callnumber!=0) && (NtUserBuildHwndList_callnumber!=0) && (NtUserFindWindowEx_callnumber!=0) && (NtUserGetForegroundWindow_callnumber!=0))
{
OldNtUserQueryWindow=(NTUSERQUERYWINDOW)KeServiceDescriptorTableShadow->ServiceTable[NtUserQueryWindow_callnumber];
OldNtUserBuildHwndList=(NTUSERBUILDHWNDLIST)KeServiceDescriptorTableShadow->ServiceTable[NtUserBuildHwndList_callnumber];
OldNtUserFindWindowEx=(NTUSERFINDWINDOWEX)KeServiceDescriptorTableShadow->ServiceTable[NtUserFindWindowEx_callnumber];
OldNtUserGetForegroundWindow=(NTUSERGETFOREGROUNDWINDOW)KeServiceDescriptorTableShadow->ServiceTable[NtUserGetForegroundWindow_callnumber];
//now a extra check before I screw up the system
if (((UCHAR)KeServiceDescriptorTableShadow->ServiceTable[NtUserBuildHwndList_callnumber]!=0x1c) ||
((UCHAR)KeServiceDescriptorTableShadow->ServiceTable[NtUserQueryWindow_callnumber]!=0x08) ||
((UCHAR)KeServiceDescriptorTableShadow->ServiceTable[NtUserFindWindowEx_callnumber]!=0x14) ||
((UCHAR)KeServiceDescriptorTableShadow->ServiceTable[NtUserGetForegroundWindow_callnumber]!=0x0)
)
{
//NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO!
KeServiceDescriptorTableShadow=NULL; //disable it
NtUserBuildHwndList_callnumber=0;
NtUserQueryWindow_callnumber=0;
NtUserFindWindowEx_callnumber=0;
NtUserGetForegroundWindow_callnumber=0;
}
} else KeServiceDescriptorTableShadow=NULL; //do not enable hooking. All have to work, else none
ProtectOn=TRUE;
}
__asm
{
cli
mov eax,CR0
and eax,not 0x10000
mov CR0,eax
}
(ZWOPENPROCESS)(SYSTEMSERVICE(ZwOpenProcess))=NewZwOpenProcess;
(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation))=NewZwQuerySystemInformation;
if ((NtUserQueryWindow_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
(NTUSERQUERYWINDOW)(KeServiceDescriptorTableShadow->ServiceTable[NtUserQueryWindow_callnumber])=NewNtUserQueryWindow;
if ((NtUserFindWindowEx_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
(NTUSERFINDWINDOWEX)(KeServiceDescriptorTableShadow->ServiceTable[NtUserFindWindowEx_callnumber])=NewNtUserFindWindowEx;
if ((NtUserGetForegroundWindow_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
(NTUSERGETFOREGROUNDWINDOW)(KeServiceDescriptorTableShadow->ServiceTable[NtUserGetForegroundWindow_callnumber])=NewNtUserGetForegroundWindow;
if ((NtUserBuildHwndList_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
(NTUSERBUILDHWNDLIST)(KeServiceDescriptorTableShadow->ServiceTable[NtUserBuildHwndList_callnumber])=NewNtUserBuildHwndList;
__asm
{
mov eax,CR0
or eax,0x10000
mov CR0,eax
sti
}
ntStatus=STATUS_SUCCESS;
#endif //not amd64
break;
}
case IOCTL_CE_DONTPROTECTME:
{
//Unhook();
if (ProtectOn)
ntStatus=STATUS_UNSUCCESSFUL;
else
ntStatus=STATUS_SUCCESS;
//ProtectOn=FALSE;
break;
}
case IOCTL_CE_GETCR4:
{
//seems CR4 isn't seen as a register...
ULONG cr4reg=0;
cr4reg=getCR4();
*(ULONG*)Irp->AssociatedIrp.SystemBuffer=cr4reg;
ntStatus=STATUS_SUCCESS;
break;
}
case IOCTL_CE_GETCR3:
{
#ifndef AMD64
ULONG cr3reg=0;
PEPROCESS selectedprocess;
ntStatus=STATUS_SUCCESS;
//switch context to the selected process. (processid is stored in the systembuffer)
if (PsLookupProcessByProcessId((PVOID)(*(ULONG*)Irp->AssociatedIrp.SystemBuffer),&selectedprocess)==STATUS_SUCCESS)
{
__try
{
KAPC_STATE apc_state;
RtlZeroMemory(&apc_state,sizeof(apc_state));
KeStackAttachProcess((PVOID)selectedprocess,&apc_state);
__try
{
__asm
{
mov eax,CR3
mov cr3reg,eax
}
}
__finally
{
KeUnstackDetachProcess(&apc_state);
}
}
__except(1)
{
ntStatus=STATUS_UNSUCCESSFUL;
break;
}
}
*(ULONG*)Irp->AssociatedIrp.SystemBuffer=cr3reg;
#else
ntStatus=STATUS_UNSUCCESSFUL; //not supported yet
#endif
break;
}
case IOCTL_CE_SETCR3:
{
#ifndef AMD64
struct input
{
ULONG ProcessID;
ULONG NewCR3;
} *pinp;
ULONG cr3reg;
PEPROCESS selectedprocess;
ntStatus=STATUS_SUCCESS;
pinp=Irp->AssociatedIrp.SystemBuffer;
cr3reg=pinp->NewCR3;
//switch context to the selected process. (processid is stored in the systembuffer)
if (PsLookupProcessByProcessId((PVOID)(pinp->ProcessID),&selectedprocess)==STATUS_SUCCESS)
{
__try
{
KAPC_STATE apc_state;
RtlZeroMemory(&apc_state,sizeof(apc_state));
KeStackAttachProcess((PKPROCESS)selectedprocess,&apc_state);
__try
{
__asm
{
mov eax,cr3reg
mov CR3,eax
}
}
__finally
{
KeUnstackDetachProcess(&apc_state);
}
}
__except(1)
{
ntStatus=STATUS_UNSUCCESSFUL;
break;
}
}
#else
ntStatus=STATUS_UNSUCCESSFUL; //not supported yet
#endif
break;
}
case IOCTL_CE_GETSDT:
{
//returns the address of KeServiceDescriptorTable
ntStatus=STATUS_SUCCESS;
*(UINT_PTR*)Irp->AssociatedIrp.SystemBuffer=(UINT_PTR)KeServiceDescriptorTable;
break;
}
case IOCTL_CE_GETIDT:
{
//returns the address of the IDT of the current CPU
IDT idt;
RtlZeroMemory(&idt,sizeof(IDT));
GetIDT(&idt);
RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer,&idt,sizeof(IDT)); //copy idt
ntStatus=STATUS_SUCCESS;
break;
}
case IOCTL_CE_HOOKINTS:
{
IDT idt;
BYTE Processor;
GetIDT(&idt);
//DbgPrint("IOCTL_CE_HOOKINTS\n");
Processor=*(PCHAR)Irp->AssociatedIrp.SystemBuffer;
ntStatus=STATUS_SUCCESS;
if (IDTAddresses[Processor]==0)
{
//DbgPrint("Stored the IDT of this cpu\n");
IDTAddresses[Processor]=(UINT_PTR)idt.vector;
}
//DbgPrint("Calling HookInt1()\n");
if (HookInt1() /*&& HookInt3()*/)
ntStatus=STATUS_SUCCESS;
else
ntStatus=STATUS_UNSUCCESSFUL;
break;
}
case IOCTL_CE_ISUSINGALTERNATEMETHOD:
{
*(PBOOLEAN)(Irp->AssociatedIrp.SystemBuffer)=UsesAlternateMethod;
break;
}
case IOCTL_CE_USEALTERNATEMETHOD:
{
struct output
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutp;
DbgPrint("IOCTL_CE_USEALTERNATEMETHOD: (ULONG)int1apihook=%x (ULONG)OriginalInt1handler=%x",(ULONG)int1apihook,(ULONG)OriginalInt1handler);
poutp=Irp->AssociatedIrp.SystemBuffer;
poutp->int1apihook=(ULONG)int1apihook;
poutp->OriginalInt1handler=(ULONG)OriginalInt1handler;
UsesAlternateMethod=TRUE;
ntStatus=STATUS_SUCCESS;
break;
}
case IOCTL_CE_STOPDEBUGGING:
{
StopDebugging();
ntStatus=STATUS_SUCCESS;
break;
}
case IOCTL_CE_STOP_DEBUGPROCESS_CHANGEREG:
{
struct input
{
int debugreg;
} *pinp;
pinp=Irp->AssociatedIrp.SystemBuffer;
StopChangeRegOnBP(pinp->debugreg);
break;
}
case IOCTL_CE_DEBUGPROCESS_CHANGEREG:
{
struct input
{
DWORD ProcessID;
int debugreg;
ChangeReg CR;
} *pinp;
pinp=Irp->AssociatedIrp.SystemBuffer;
ChangeRegOnBP(pinp->ProcessID, pinp->debugreg, &(pinp->CR));
ntStatus=STATUS_SUCCESS; //always succeeds, else the memory was unwritable and thus a blue screen of death
break;
}
case IOCTL_CE_DEBUGPROCESS:
{
struct input
{
DWORD ProcessID;
DWORD Address;
BYTE Length;
BYTE RWE;
} *pinp;
pinp=Irp->AssociatedIrp.SystemBuffer;
if (DebugProcess(pinp->ProcessID, pinp->Address, pinp->Length,pinp->RWE))
{
ntStatus=STATUS_SUCCESS;
}
else
{
ntStatus=STATUS_UNSUCCESSFUL;
}
break;
}
case IOCTL_CE_RETRIEVEDEBUGDATA:
{
*(PUCHAR)Irp->AssociatedIrp.SystemBuffer=BufferSize;
RtlCopyMemory((PVOID)((UINT_PTR)Irp->AssociatedIrp.SystemBuffer+1),&DebugEvents[0],BufferSize*sizeof(DebugEvent));
BufferSize=0; //there's room for new events
ntStatus=STATUS_SUCCESS;
break;
}
case IOCTL_CE_STARTPROCESSWATCH:
{
KIRQL OldIrql;
KeAcquireSpinLock(&ProcesslistSL,&OldIrql);
ProcessEventCount=0;
KeReleaseSpinLock(&ProcesslistSL,OldIrql);
if (!CreateProcessNotifyRoutineEnabled)
{
CreateProcessNotifyRoutineEnabled=(PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine,FALSE)==STATUS_SUCCESS);
CreateThreadNotifyRoutineEnabled=(PsSetCreateThreadNotifyRoutine(CreateThreadNotifyRoutine)==STATUS_SUCCESS);
}
ntStatus=(CreateProcessNotifyRoutineEnabled) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
break;
}
case IOCTL_CE_GETPROCESSEVENTS: