			{
				KIRQL OldIrql;
				
				KeAcquireSpinLock(&ProcesslistSL,&OldIrql);

				*(PUCHAR)Irp->AssociatedIrp.SystemBuffer=ProcessEventCount;	
				RtlCopyMemory((PVOID)((UINT_PTR)Irp->AssociatedIrp.SystemBuffer+1),&ProcessEventdata[0],ProcessEventCount*sizeof(ProcessEventdta));
				ProcessEventCount=0; //there's room for new events

				KeReleaseSpinLock(&ProcesslistSL,OldIrql);

				ntStatus=STATUS_SUCCESS;
				break;
			}

		case IOCTL_CE_GETTHREADEVENTS:
			{
				KIRQL OldIrql;
				
				KeAcquireSpinLock(&ProcesslistSL,&OldIrql);

				*(PUCHAR)Irp->AssociatedIrp.SystemBuffer=ThreadEventCount;	
				RtlCopyMemory((PVOID)((UINT_PTR)Irp->AssociatedIrp.SystemBuffer+1),&ThreadEventData[0],ThreadEventCount*sizeof(ThreadEventDta));
				ThreadEventCount=0; //there's room for new events

				KeReleaseSpinLock(&ProcesslistSL,OldIrql);

				ntStatus=STATUS_SUCCESS;
				break;
			}

		case IOCTL_CE_CREATEAPC:
			{
				struct input
				{
					ULONG threadid;
					PVOID addresstoexecute;										
				} *inp;
				inp=Irp->AssociatedIrp.SystemBuffer;

				CreateRemoteAPC(inp->threadid,inp->addresstoexecute);
				ntStatus=STATUS_SUCCESS;
				break;
			}

		case IOCTL_CE_SUSPENDTHREAD:
			{
				struct input
				{
					ULONG threadid;							
				} *inp;
				inp=Irp->AssociatedIrp.SystemBuffer;

				DbgPrint("CE_SUSPENDTHREAD\n");

				DBKSuspendThread(inp->threadid);
				ntStatus=STATUS_SUCCESS;
				break;
			}

		case IOCTL_CE_RESUMETHREAD:            
			{
				struct input
				{
					ULONG threadid;							
				} *inp;
				inp=Irp->AssociatedIrp.SystemBuffer;

				DbgPrint("CE_RESUMETHREAD\n");

				DBKResumeThread(inp->threadid);
				ntStatus=STATUS_SUCCESS;
				break;
            }

		case IOCTL_CE_SUSPENDPROCESS:
			{
				struct input
				{
					ULONG processid;							
				} *inp;
				inp=Irp->AssociatedIrp.SystemBuffer;

				DbgPrint("IOCTL_CE_SUSPENDPROCESS\n");
				DBKSuspendProcess(inp->processid);
				ntStatus=STATUS_SUCCESS;
				break;
			}

		case IOCTL_CE_RESUMEPROCESS:            
			{
				struct input
				{
					ULONG processid;							
				} *inp;
				inp=Irp->AssociatedIrp.SystemBuffer;

                DbgPrint("IOCTL_CE_RESUMEPROCESS\n");

				DBKResumeProcess(inp->processid);
				ntStatus=STATUS_SUCCESS;
				break;
            }

		case IOCTL_CE_ALLOCATEMEM:
			{
				struct input
				{
					ULONG ProcessID;
					PVOID BaseAddress;
					ULONG Size;
					ULONG AllocationType;
					ULONG Protect;
				} *inp;
				PEPROCESS selectedprocess;

				PVOID BaseAddress;
				SIZE_T RegionSize;

				inp=Irp->AssociatedIrp.SystemBuffer;
				BaseAddress=inp->BaseAddress;
				RegionSize=inp->Size;




				if (PsLookupProcessByProcessId((PVOID)(inp->ProcessID),&selectedprocess)==STATUS_SUCCESS)	
				{
					__try
					{
						KAPC_STATE apc_state;
						RtlZeroMemory(&apc_state,sizeof(apc_state));					
    					KeStackAttachProcess((PVOID)selectedprocess,&apc_state); //local process is much more fun!!!!

						DbgPrint("Switched Process\n");
						__try
						{
							DbgPrint("Calling ZwAllocateVirtualMemory\n");
							ntStatus=ZwAllocateVirtualMemory((HANDLE)-1,&BaseAddress,0,  &RegionSize,      inp->AllocationType,    inp->Protect);

							if (ntStatus==STATUS_SUCCESS)
							{
								int i;
								char *x;
								x=BaseAddress;
								for (i=0; i < (int)RegionSize;i++)
									x[i]=0x90;
							}
							
							DbgPrint("ntStatus=%x\n");
							DbgPrint("BaseAddress=%p\n",BaseAddress);
							DbgPrint("RegionSize=%x\n",RegionSize);
							*(PULONG)Irp->AssociatedIrp.SystemBuffer=(ULONG)BaseAddress;

						}
						__finally
						{
							KeUnstackDetachProcess(&apc_state);
						}

					}
					__except(1)
					{
						ntStatus=STATUS_UNSUCCESSFUL;
						break;
					}


					ObDereferenceObject(selectedprocess);
				}

				break;
			}

		case IOCTL_CE_ALLOCATEMEM_NONPAGED:
			{
				struct input
				{
					ULONG Size;
				} *inp;
				PVOID address;

				inp=Irp->AssociatedIrp.SystemBuffer;

				address=ExAllocatePoolWithTag(NonPagedPool,inp->Size,0);
				*(PULONG)Irp->AssociatedIrp.SystemBuffer=(ULONG)address;

				if (address==0)
					ntStatus=STATUS_UNSUCCESSFUL;
				else
					ntStatus=STATUS_SUCCESS;

				break;
			}

		case IOCTL_CE_GETPROCADDRESS:
			{
				struct input
				{
					PCWSTR s;
				} *inp;
				UNICODE_STRING y;
				PVOID x;

				inp=Irp->AssociatedIrp.SystemBuffer;

				RtlInitUnicodeString(&y, inp->s);
				x=MmGetSystemRoutineAddress(&y);			

				RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer,&x,4);
				ntStatus=STATUS_SUCCESS;

				break;
			}

		case IOCTL_CE_PROTECT2:
			{
				struct output
				{
					PVOID testprotect;
					PVOID NewObOpenObjectByPointer;
					PVOID OriginalObOpenObjectByPointer;
				} *outp;

				outp=Irp->AssociatedIrp.SystemBuffer;
				outp->testprotect=&testprotect;
				outp->NewObOpenObjectByPointer=NewObOpenObjectByPointer;
				outp->OriginalObOpenObjectByPointer=OriginalObOpenObjectByPointer;
				ntStatus=STATUS_SUCCESS;
				break;
			}

		case IOCTL_CE_GETDC:
			{
				HWND handle;

				if (RealNtUserGetDC==NULL)
				{
					ntStatus=STATUS_UNSUCCESSFUL;
					break;
				}

				handle=(HWND)*(PULONG)Irp->AssociatedIrp.SystemBuffer;
			
				*(HDC *)Irp->AssociatedIrp.SystemBuffer=RealNtUserGetDC(handle);

				ntStatus=STATUS_SUCCESS;
				break;
			}

		case IOCTL_CE_GETVERSION:
			{
				*(PULONG)Irp->AssociatedIrp.SystemBuffer=dbkversion;	
				ntStatus=STATUS_SUCCESS;
				break;
			}

		case IOCTL_CE_INITIALIZE:
			{
				//find the KeServiceDescriptorTableShadow 
				struct input
				{
					ULONG AddressOfWin32K;
					ULONG SizeOfWin32K;
					ULONG NtUserBuildHwndList_callnumber;
					ULONG NtUserQueryWindow_callnumber;
					ULONG NtUserFindWindowEx_callnumber;
					ULONG NtUserGetForegroundWindow_callnumber;
					ULONG ActiveLinkOffset;
					ULONG ProcessNameOffset;
					ULONG DebugportOffset;
  				} *pinp;

			
				int i;

				PSERVICE_DESCRIPTOR_TABLE PossibleKeServiceDescriptorTableShow; //long name's are FUN!!!!
				PossibleKeServiceDescriptorTableShow=KeServiceDescriptorTable;

				ntStatus=STATUS_UNSUCCESSFUL;                
				pinp=Irp->AssociatedIrp.SystemBuffer;
				NtUserBuildHwndList_callnumber=pinp->NtUserBuildHwndList_callnumber;
				NtUserQueryWindow_callnumber=pinp->NtUserQueryWindow_callnumber;
				NtUserFindWindowEx_callnumber=pinp->NtUserFindWindowEx_callnumber;
				NtUserGetForegroundWindow_callnumber=pinp->NtUserGetForegroundWindow_callnumber;

				ActiveLinkOffset=pinp->ActiveLinkOffset;
				ProcessNameOffset=pinp->ProcessNameOffset;
				DebugportOffset=pinp->DebugportOffset;
				

				//in win2k sp4 the distance is even bigger than -6, at least 21 entries down to find it

				i=-25;//takes some longer to load now....
				while (i<25)
				{
					if (IsAddressSafe((UINT_PTR)&PossibleKeServiceDescriptorTableShow[i])) //dont want to crash for a page pault now do we?
 					{
						/*
						look for a entry that looks like:
						unsigned int *ServiceTable=Region of Win32K.sys
						unsigned int *ServiceCounterTableBase=00000000 but lets be safe and dont check it in case of a checked build
						unsigned int NumberOfServices=smaller than 0xffff;
						unsigned char *ParamTableBase=Region of Win32K.sys;
						*/
						if (((UINT_PTR)PossibleKeServiceDescriptorTableShow[i].ServiceTable>=pinp->AddressOfWin32K) &&
							((UINT_PTR)PossibleKeServiceDescriptorTableShow[i].ServiceTable<(pinp->AddressOfWin32K+pinp->SizeOfWin32K)) &&
							
							((UINT_PTR)PossibleKeServiceDescriptorTableShow[i].ArgumentTable>=pinp->AddressOfWin32K) &&
							((UINT_PTR)PossibleKeServiceDescriptorTableShow[i].ArgumentTable<(pinp->AddressOfWin32K+pinp->SizeOfWin32K)) &&

							(PossibleKeServiceDescriptorTableShow[i].TableSize<0xffff)


							)
						{
							//found it!!!!!!
							KeServiceDescriptorTableShadow=&PossibleKeServiceDescriptorTableShow[i];
							ntStatus=STATUS_SUCCESS;							
                            *(UINT_PTR*)Irp->AssociatedIrp.SystemBuffer=(UINT_PTR)KeServiceDescriptorTableShadow;

							DbgPrint("KeServiceDescriptorTableShadow[0]=%p",&KeServiceDescriptorTableShadow[0]);
							DbgPrint("KeServiceDescriptorTableShadow[1]=%p",&KeServiceDescriptorTableShadow[1]);
							DbgPrint("KeServiceDescriptorTableShadow[2]=%p",&KeServiceDescriptorTableShadow[2]);
							DbgPrint("KeServiceDescriptorTableShadow[3]=%p",&KeServiceDescriptorTableShadow[3]);

							AddSystemServices();
							break;
						}


					}
					i++;
				}				                

				break;
			}


        default:
            break;
    }

    Irp->IoStatus.Status = ntStatus;
    
    // Set # of bytes to copy back to user-mode...
    if(ntStatus == STATUS_SUCCESS)
        Irp->IoStatus.Information = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
    else
        Irp->IoStatus.Information = 0;

    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ntStatus;
}


/*
 * Removal routines for the notify callbacks this driver registers.  They are
 * not linked directly: MSJUnloadDriver resolves them by name through
 * MmGetSystemRoutineAddress at unload time and checks the result for NULL
 * (presumably so the driver still loads on kernels that lack them — TODO
 * confirm).  Each pointer must resolve the routine that matches the callback
 * it is later called with (thread-notify vs. load-image-notify).
 */
typedef NTSTATUS (*PSRCTNR)(__in PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine);
PSRCTNR PsRemoveCreateThreadNotifyRoutine2;	/* PsRemoveCreateThreadNotifyRoutine, or NULL if not found */

typedef NTSTATUS (*PSRLINR)(__in PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine);
PSRLINR PsRemoveLoadImageNotifyRoutine2;	/* PsRemoveLoadImageNotifyRoutine, or NULL if not found */



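/*
 * MSJUnloadDriver - DriverUnload callback.
 *
 * Undoes the driver state visible in this file: the service-table slot that
 * was claimed (guarded by `registered`, presumably set by AddSystemServices —
 * not visible here), any IDT int-1 vectors that were replaced, the
 * process/thread/image notify callbacks, the device object and, in
 * non-release builds, the symbolic link.
 *
 * Does nothing while ProtectOn is set, i.e. while the system-service hooks
 * that Unhook() restores are still installed.  NOTE(review): returning early
 * does not keep the image in memory; confirm Unhook() is guaranteed to run
 * before the driver is unloaded, otherwise the hooks point into freed code.
 *
 * Fixes relative to the previous revision:
 *  - the second MmGetSystemRoutineAddress lookup asked for
 *    PsRemoveCreateThreadNotifyRoutine again, so LoadImageNotifyRoutine was
 *    "removed" through the wrong routine (the load-image callback stayed
 *    registered and pointed at unloaded code);
 *  - the lookups reused uszDeviceString, which is the name later passed to
 *    IoDeleteSymbolicLink, so that call tried to delete a link named
 *    "ObOpenObjectByName" and the real link was leaked.
 *
 * @param DriverObject  driver whose device object is deleted.
 */
void MSJUnloadDriver(PDRIVER_OBJECT DriverObject)
{
	if (ProtectOn)
		return;

	/* Can't unregister the system service without the shadow table.
	 * Index 1 in the shadow table / 2 in the main table: per the original
	 * author's note, the lookup routine yields the address of the 2nd element. */
	if (KeServiceDescriptorTableShadow && registered)
	{
		KeServiceDescriptorTableShadow[1].ArgumentTable=NULL;
		KeServiceDescriptorTableShadow[1].CounterTable=NULL;
		KeServiceDescriptorTableShadow[1].ServiceTable=NULL;
		KeServiceDescriptorTableShadow[1].TableSize=0;

		KeServiceDescriptorTable[2].ArgumentTable=NULL;
		KeServiceDescriptorTable[2].CounterTable=NULL;
		KeServiceDescriptorTable[2].ServiceTable=NULL;
		KeServiceDescriptorTable[2].TableSize=0;
	}

	/* Put the saved int-1 descriptor back into every IDT that was patched.
	 * A non-zero OriginalInt1.wHighOffset is the "a hook was installed" marker;
	 * restoring on unload also lets the hook be installed again afterwards
	 * (e.g. after something overwrote it).
	 * NOTE(review): 32 is assumed to be the capacity of IDTAddresses — confirm
	 * against its declaration. */
	if (OriginalInt1.wHighOffset!=0)
	{
		int i;
		for (i=0;i<32;i++)
		{
			if (IDTAddresses[i]!=0)
				((PINT_VECTOR)(IDTAddresses[i]))[1]=OriginalInt1;
		}
	}

	if ((CreateProcessNotifyRoutineEnabled) || (ImageNotifyRoutineLoaded))
	{
		/* Local string for the routine lookups: uszDeviceString must keep the
		 * symbolic-link name it is used with at the end of this function. */
		UNICODE_STRING routineName;
		PVOID x;

		RtlInitUnicodeString(&routineName, L"PsRemoveCreateThreadNotifyRoutine");
		PsRemoveCreateThreadNotifyRoutine2=MmGetSystemRoutineAddress(&routineName);

		/* Must be the load-image removal routine: it is called below with
		 * LoadImageNotifyRoutine, never with a thread-notify callback. */
		RtlInitUnicodeString(&routineName, L"PsRemoveLoadImageNotifyRoutine");
		PsRemoveLoadImageNotifyRoutine2=MmGetSystemRoutineAddress(&routineName);

		/* Diagnostic only; x is not used for anything else. */
		RtlInitUnicodeString(&routineName, L"ObOpenObjectByName");
		x=MmGetSystemRoutineAddress(&routineName);
		DbgPrint("ObOpenObjectByName=%p\n",x);

		if ((PsRemoveCreateThreadNotifyRoutine2) && (PsRemoveLoadImageNotifyRoutine2))
		{
			DbgPrint("Stopping processwatch\n");

			if (CreateProcessNotifyRoutineEnabled)
			{
				PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine,TRUE); /* TRUE = remove */
				PsRemoveCreateThreadNotifyRoutine2(CreateThreadNotifyRoutine);
			}

			if (ImageNotifyRoutineLoaded)
				PsRemoveLoadImageNotifyRoutine2(LoadImageNotifyRoutine);
		}
		else
		{
			/* The callbacks cannot be unregistered on this kernel: leave the
			 * device and handles in place rather than tear them down under
			 * still-registered callbacks.
			 * NOTE(review): the image is still unloaded once this returns —
			 * confirm this path is acceptable. */
			return;
		}
	}

	IoDeleteDevice(DriverObject->DeviceObject);
	ZwClose(ProcessEventHandle);

#ifdef CETC
#ifndef CETC_RELEASE
	UnloadCETC(); //not possible in the final build
#endif
#endif

#ifndef CETC_RELEASE
	IoDeleteSymbolicLink(&uszDeviceString);
	ExFreePool(BufDeviceString);
#endif
}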

/*
 * Unhook - restore the original system service entries that were replaced
 * while ProtectOn was set, then clear ProtectOn.
 *
 * Restores ZwOpenProcess and ZwQuerySystemInformation in the main service
 * table and, for each NtUser* call whose call number is non-zero and only if
 * the shadow table has been located, the corresponding entry in
 * KeServiceDescriptorTableShadow.  The writes are bracketed by clearing and
 * re-setting bit 16 of CR0 (the x86 write-protect flag) so the read-only
 * table pages accept the stores.
 *
 * The whole body is compiled out on AMD64 (presumably because it relies on
 * 32-bit inline __asm), so on that build the function is a no-op and
 * ProtectOn is never cleared.
 *
 * NOTE(review): cli/sti only masks interrupts on the current processor;
 * nothing here holds other processors off the tables while they are being
 * rewritten — confirm the caller serializes this or that it only runs on a
 * single-processor configuration.
 */
void Unhook(void)
{
#ifndef AMD64
    if (ProtectOn)
	{
		/* Mask interrupts on this CPU and clear CR0.WP so the service tables
		 * can be written. */
        __asm
		{
			cli 
			mov eax,CR0
			and eax,not 0x10000 //disable bit
			mov CR0,eax
		}
		/* Main service table: put the saved originals back. */
		(ZWOPENPROCESS)(SYSTEMSERVICE(ZwOpenProcess))=OldZwOpenProcess;
		(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation))=OldZwQuerySystemInformation;

		/* Shadow (win32k) table: a call number of 0 is treated as "not set"
		 * (presumably never supplied through IOCTL_CE_INITIALIZE — confirm),
		 * and nothing is touched until the shadow table has been found. */
        if ((NtUserBuildHwndList_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
          (NTUSERBUILDHWNDLIST)(KeServiceDescriptorTableShadow->ServiceTable[NtUserBuildHwndList_callnumber])=OldNtUserBuildHwndList;

        if ((NtUserQueryWindow_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
          (NTUSERQUERYWINDOW)(KeServiceDescriptorTableShadow->ServiceTable[NtUserQueryWindow_callnumber])=OldNtUserQueryWindow;

        if ((NtUserFindWindowEx_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
          (NTUSERFINDWINDOWEX)(KeServiceDescriptorTableShadow->ServiceTable[NtUserFindWindowEx_callnumber])=OldNtUserFindWindowEx;

        if ((NtUserGetForegroundWindow_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
		  (NTUSERGETFOREGROUNDWINDOW)(KeServiceDescriptorTableShadow->ServiceTable[NtUserGetForegroundWindow_callnumber])=OldNtUserGetForegroundWindow;

		/* Re-enable CR0.WP and interrupts in the reverse order of above. */
		__asm
		{
			mov eax,CR0
			or  eax,0x10000 //re-enable this bit
			mov CR0,eax
			sti
		}
		/* Cleared only after every entry is restored; MSJUnloadDriver refuses
		 * to run while this flag is still set. */
		ProtectOn=FALSE;
	}
#endif
}
