{
WideCharToMultiByte(CP_OEMCP, 0, (LPCWSTR)lpProcInfo->ProcessName.Buffer, -1,
szProcName, sizeof(szProcName), NULL, NULL);
if (stricmp(szProcName, pszProcessFileName) == 0)
{
//PTHREAD_INFO pThreadInfo = GetThreadInfoPtr(lpProcInfo);
//for (i=0; i<lpProcInfo->dwThreadCount; i++)
//{
// pNtDriverControl->UnLockSaveObjects(dwProcessAccessType, pThreadInfo[i].dwThreadID);
//}
pNtDriverControl->UnLockSaveObjects(dwProcessAccessType | HE4_UNLOCK_FOR_PROCESS, lpProcInfo->dwProcessID);
}
}
if (lpProcInfo->dwOffset == 0)
break;
lpProcInfo = (PPROCESS_INFO)((CHAR*)lpProcInfo + lpProcInfo->dwOffset);
}
}
}
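void DeleteProcessFromUnLockList(char* pszProcessFileName, He4HookDriverHide* pNtDriverControl)
{
    // Walks the process list returned by NtGetProcessList() and, for every
    // process whose image name matches pszProcessFileName (case-insensitive,
    // after conversion to the OEM code page), calls
    // pNtDriverControl->LockSaveObjects(pid, TRUE).  Despite the name, the
    // driver call made here is the *lock* variant; presumably "deleting from
    // the unlock list" means the process' saved objects are locked again.
    //
    // pszProcessFileName: OEM/ANSI image name to match (NULL => no-op).
    //                     TODO confirm whether the driver reports a bare file
    //                     name or a full path in ProcessName.
    // pNtDriverControl:   driver control object (NULL => no-op).
    //
    // Best effort: a failed NtGetProcessList() or name conversion is skipped
    // silently, exactly as before.  No return value.
    if (pszProcessFileName == NULL || pNtDriverControl == NULL)
        return;

    PROCESS_INFO ProcInfo[1024];
    ULONG LengthReturned = 0;
    NTSTATUS NtStatus = NtGetProcessList(ProcInfo, sizeof(ProcInfo), &LengthReturned);
    if (NtStatus != STATUS_SUCCESS)
        return;

    // Enabled before touching other processes; EnableDebugPriv() reports its
    // own failure on the console and the result is deliberately not checked
    // here (unchanged from the original).
    EnableDebugPriv();

    // NOTE(review): the walk below trusts dwOffset to stay inside ProcInfo;
    // LengthReturned is not used to bound it.  Kept as-is because the exact
    // meaning of LengthReturned (bytes vs. entries) is not visible here.
    char szProcName[1024];
    PPROCESS_INFO lpProcInfo = ProcInfo;
    while (1)
    {
        if (lpProcInfo->ProcessName.Buffer != NULL)
        {
            // WideCharToMultiByte() returns 0 on failure and leaves the
            // destination unwritten; the original then ran stricmp() over an
            // uninitialised buffer.  A failed conversion is treated as "no
            // match" instead.
            int cch = WideCharToMultiByte(CP_OEMCP, 0, (LPCWSTR)lpProcInfo->ProcessName.Buffer, -1,
                                          szProcName, sizeof(szProcName), NULL, NULL);
            if (cch > 0 && stricmp(szProcName, pszProcessFileName) == 0)
            {
                // Per-process lock; the earlier per-thread loop over
                // GetThreadInfoPtr() was already disabled in the original.
                pNtDriverControl->LockSaveObjects(lpProcInfo->dwProcessID, TRUE);
            }
        }
        // dwOffset is the byte distance to the next entry; 0 terminates the list.
        if (lpProcInfo->dwOffset == 0)
            break;
        lpProcInfo = (PPROCESS_INFO)((CHAR*)lpProcInfo + lpProcInfo->dwOffset);
    }
}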
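BOOL EnableDebugPriv(VOID)
{
    // Enables SE_DEBUG_NAME (SeDebugPrivilege) on the current process token.
    //
    // Returns TRUE when AdjustTokenPrivileges() leaves ERROR_SUCCESS in the
    // last-error slot, FALSE otherwise; the failing step is printed to the
    // console.  Enabling only works for an account that already holds the
    // privilege (normally administrators) -- nothing is granted here.
    //
    // Fix over the original: the token handle was never closed on any path.
    HANDLE hToken = NULL;
    LUID DebugValue;
    TOKEN_PRIVILEGES tkp;
    BOOL bResult = FALSE;

    //
    // Retrieve a handle of the access token
    //
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        printf(" OpenProcessToken failed");
        return FALSE;
    }

    //
    // Enable the SE_DEBUG_NAME privilege
    //
    if (!LookupPrivilegeValue((LPSTR) NULL, SE_DEBUG_NAME, &DebugValue))
    {
        printf(" LookupPrivilegeValue failed");
        goto cleanup;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = DebugValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES) NULL, (PDWORD) NULL);

    //
    // AdjustTokenPrivileges() may return TRUE even when the privilege was not
    // enabled (ERROR_NOT_ALL_ASSIGNED), so the outcome is taken from
    // GetLastError().  ConsoleErrorMessage() reads that value itself, hence
    // it must run before CloseHandle() below can overwrite it.
    //
    if (GetLastError() != ERROR_SUCCESS)
    {
        ConsoleErrorMessage();
        goto cleanup;
    }
    bResult = TRUE;

cleanup:
    CloseHandle(hToken);
    return bResult;
}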
void ShowProtectedFiles(He4HookDriverHide* pNtDriverControl)
{
    // Lists the driver's "save list" on stdout, one entry per line as
    // "<ansi name> (<flags>)", or "<ansi name> (<flags>) => <replacement>"
    // for entries carrying FILE_ACC_TYPE_EXCHANGE.  The flag string is built
    // from R/W/D/V/E in that fixed order, or "0" when no flag is set.
    //
    // The list buffer is obtained from the driver and is trusted: name
    // offsets and area sizes are used as reported, without re-validation.
    if (pNtDriverControl == NULL)
        return;

    DWORD cbList = pNtDriverControl->GetSaveListSizeByBytes();
    if (cbList == 0)
        return;

    const DWORD cbSet = cbList + sizeof(DWORD);
    FILEINFOSET *set = (FILEINFOSET*) new char[cbSet];
    if (set == NULL)
        return;   // kept from the original; a throwing operator new never gets here

    set->dwSize = cbSet;
    if (pNtDriverControl->GetSaveList(set))
    {
        static const struct { DWORD flag; char ch; } kAccessChars[] = {
            { ACC_TYPE_READ,          'R' },
            { ACC_TYPE_WRITE,         'W' },
            { ACC_TYPE_DELETE,        'D' },
            { ACC_TYPE_VISIBLE,       'V' },
            { FILE_ACC_TYPE_EXCHANGE, 'E' },
        };
        const size_t kAccessCharCount = sizeof(kAccessChars) / sizeof(kAccessChars[0]);

        FILEINFO *entry = set->FileInfo;
        // set->dwSize is reused as "bytes still unread" and shrinks per entry.
        while (set->dwSize >= SIZEOF_FILEINFOSET)
        {
            if (entry->dwSizeAnsiName > 1)
            {
                char szAccessType[10];
                size_t n = 0;
                for (size_t k = 0; k < kAccessCharCount; ++k)
                {
                    if (entry->dwAccessType & kAccessChars[k].flag)
                        szAccessType[n++] = kAccessChars[k].ch;
                }
                if (n == 0)
                    szAccessType[n++] = '0';
                szAccessType[n] = 0;

                const char *ansiName = entry->szNames + entry->dwOffsetToAnsiName;
                if (entry->dwAccessType & FILE_ACC_TYPE_EXCHANGE)
                {
                    printf("%s (%s) => ", ansiName, szAccessType);
                    wprintf(L"%s \n", entry->szNames + entry->dwOffsetToUniChangedName);
                }
                else
                {
                    printf("%s (%s)\n", ansiName, szAccessType);
                }
            }

            // Advance by the fixed header plus the variable name area; the
            // remaining-size counter saturates at zero rather than wrapping.
            const DWORD cbEntry = SIZEOF_FILEINFO_REAL + entry->dwSizeAllNamesArea;
            set->dwSize = (set->dwSize >= cbEntry) ? (set->dwSize - cbEntry) : 0;
            entry = (FILEINFO*)((char*)entry + cbEntry);
        }
    }
    delete[] (char*)set;
}
void ShowUnlockThreads(He4HookDriverHide* pNtDriverControl)
{
    // Prints the driver's unlock list: one line per client with its id, whether
    // the id is a process (HE4_UNLOCK_FOR_PROCESS set) or a thread, and the
    // R/W/D/V flag string ("0" when none of those bits is set).
    if (pNtDriverControl == NULL)
        return;

    DWORD cbList = pNtDriverControl->GetUnlockListSizeByBytes();
    if (cbList == 0)
        return;

    const DWORD cbSet = cbList + sizeof(DWORD);
    PUNLOCK_CLIENT_INFO_SET set = (PUNLOCK_CLIENT_INFO_SET) new char[cbSet];
    if (set == NULL)
        return;   // kept from the original; a throwing operator new never gets here

    set->m_dwSize = cbSet;
    if (pNtDriverControl->GetUnlockList(set))
    {
        static const struct { DWORD flag; char ch; } kAccessChars[] = {
            { ACC_TYPE_READ,    'R' },
            { ACC_TYPE_WRITE,   'W' },
            { ACC_TYPE_DELETE,  'D' },
            { ACC_TYPE_VISIBLE, 'V' },
        };
        const size_t kAccessCharCount = sizeof(kAccessChars) / sizeof(kAccessChars[0]);

        UNLOCK_CLIENT_INFO *client = set->m_CI;
        // m_dwSize is reused as "bytes still unread"; entries are fixed-size.
        while (set->m_dwSize >= SIZEOF_UNLOCK_CLIENT_INFO_SET)
        {
            char szAccessType[10];
            size_t n = 0;
            for (size_t k = 0; k < kAccessCharCount; ++k)
            {
                if (client->m_dwUnlockFlags & kAccessChars[k].flag)
                    szAccessType[n++] = kAccessChars[k].ch;
            }
            if (n == 0)
                szAccessType[n++] = '0';
            szAccessType[n] = 0;

            const char *kind = (client->m_dwUnlockFlags & HE4_UNLOCK_FOR_PROCESS) ? "Process" : "Thread";
            printf("Client Id = %0x (%s) (%s)\n", client->m_dwClientId, kind, szAccessType);

            set->m_dwSize = (set->m_dwSize >= sizeof(UNLOCK_CLIENT_INFO))
                                ? (set->m_dwSize - sizeof(UNLOCK_CLIENT_INFO))
                                : 0;
            ++client;
        }
    }
    delete[] (char*)set;
}
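void ConsoleErrorMessage(void)
{
    // Prints the system message text for the calling thread's last-error code
    // to stdout.  Call it before any other Win32 call that could reset
    // GetLastError().
    //
    // Fix over the original: FormatMessage()'s result was never checked, so a
    // failure printed and LocalFree()'d an uninitialised pointer.
    DWORD dwErr = GetLastError();
    LPTSTR MsgBuf = NULL;
    DWORD cch = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
                              NULL,
                              dwErr,
                              MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
                              (LPTSTR) &MsgBuf,
                              0,
                              NULL);
    if (cch == 0 || MsgBuf == NULL)
    {
        // No message text (unknown code, missing message table, ...): still
        // report the numeric code so the failure is not silently lost.
        printf("Error %lu (no message text available)\n", (unsigned long)dwErr);
        return;
    }

    // NOTE(review): the (char*) cast assumes an ANSI (non-UNICODE) build; in a
    // UNICODE build MsgBuf is wide and "%s" would stop at the first NUL byte.
    printf("%s\n", (char*)MsgBuf);
    LocalFree(MsgBuf);
}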
// Asks the He4Hook driver for its version through the driver's own system
// service entry: service number (KE_SERVICE_TABLE_INDEX<<12) +
// HE4_SERVICE_INDEX_GET_VERSION, dispatched via the legacy int 2Eh gate with
// the service id in EAX and the address of the argument list in EDX.
//
// pdwVer: out-parameter the service is expected to fill with the version
//         (presumably 0 when the device is absent -- ShowDeviceCurrentVersion()
//         tests for 0; confirm against the driver).
// Returns whatever the service leaves in EAX (the initial -1 is always
// overwritten).  32-bit x86 / MSVC __asm only.
// NOTE(review): the name coincides with the Win32 API GetVersion(void); in
// C++ this is a distinct overload, but it is easy to confuse when reading.
DWORD GetVersion(DWORD *pdwVer)
{
    // The argument "stack" is the address of this function's first parameter.
    void** pParameterStack = (void **) &pdwVer;
    DWORD dwRet = -1;   // -1 converts to 0xFFFFFFFF; replaced by EAX below
    DWORD dwSericeId = (KE_SERVICE_TABLE_INDEX<<12) + HE4_SERVICE_INDEX_GET_VERSION; //00002000h
    __asm
    {
        mov eax, [dwSericeId]
        mov edx, pParameterStack
        int 2eh
        mov [dwRet], eax
    }
    return dwRet;
}
// Asks the He4Hook driver for its local base address, using the same
// int 2Eh service-call convention as GetVersion() with service number
// (KE_SERVICE_TABLE_INDEX<<12) + HE4_SERVICE_INDEX_GET_LOCAL_BASE.
//
// pdwBase: out-parameter the service is expected to fill with the base
//          (presumably 0 when the device is absent -- confirm against the driver).
// Returns whatever the service leaves in EAX.  32-bit x86 / MSVC __asm only.
DWORD GetLocalBase(DWORD *pdwBase)
{
    // The argument "stack" is the address of this function's first parameter.
    void** pParameterStack = (void **) &pdwBase;
    DWORD dwRet = -1;   // -1 converts to 0xFFFFFFFF; replaced by EAX below
    DWORD dwSericeId = (KE_SERVICE_TABLE_INDEX<<12) + HE4_SERVICE_INDEX_GET_LOCAL_BASE; //00002001h
    __asm
    {
        mov eax, [dwSericeId]
        mov edx, pParameterStack
        int 2eh
        mov [dwRet], eax
    }
    return dwRet;
}
void ShowDeviceCurrentVersion(void)
{
    // Reports whether the He4Hook device answers the version and base-address
    // services; both values must be non-zero for the device to count as
    // installed, and both are printed in that case.
    DWORD dwVersion = 0;
    DWORD dwBase = 0;
    GetVersion(&dwVersion);
    GetLocalBase(&dwBase);

    const bool installed = (dwVersion != 0) && (dwBase != 0);
    if (!installed)
    {
        printf("He4HooInv device not installed\n");
        return;
    }
    printf("He4HooInv device installed - \n Version: %08X\n Base: %08X\n", dwVersion, dwBase);
}
BOOL InstallNewDriver(He4HookDriverHide* pNtDriverControl)
{
    // Loads a new driver image via LoadAndCallImage() and, when the version
    // or base address actually changed, re-applies the previously captured
    // save list to the new instance.
    //
    // Returns FALSE when pNtDriverControl is NULL, when LoadAndCallImage()
    // fails, or when version and base are both unchanged afterwards;
    // TRUE otherwise.  All paths release the save-list snapshot.
    if (pNtDriverControl == NULL)
        return FALSE;

    DWORD dwVersionOld = 0;
    DWORD dwBaseOld = 0;
    GetVersion(&dwVersionOld);
    GetLocalBase(&dwBaseOld);

    // Snapshot the current save list so it can be handed to the new image.
    FILEINFOSET* savedList = NULL;
    BOOL bHaveSavedList = FALSE;
    DWORD cbList = pNtDriverControl->GetSaveListSizeByBytes();
    if (cbList)
    {
        const DWORD cbSet = cbList + sizeof(DWORD);
        savedList = (FILEINFOSET*) new char[cbSet];
        if (savedList)
        {
            savedList->dwSize = cbSet;
            bHaveSavedList = pNtDriverControl->GetSaveList(savedList);
        }
    }

    BOOL bResult = FALSE;
    //if (pNtDriverControl->Install() == FALSE)
    if (pNtDriverControl->LoadAndCallImage() != FALSE)
    {
        DWORD dwVersionNew = 0;
        DWORD dwBaseNew = 0;
        GetVersion(&dwVersionNew);
        GetLocalBase(&dwBaseNew);

        // Identical version AND base means the old image is still the one answering.
        const bool unchanged = (dwVersionNew == dwVersionOld) && (dwBaseNew == dwBaseOld);
        if (!unchanged)
        {
            if (bHaveSavedList == TRUE)
                pNtDriverControl->AddToSaveList(savedList);
            bResult = TRUE;
        }
    }

    // Single exit: delete[] on a NULL pointer is a no-op.
    delete[] (char*)savedList;
    return bResult;
}
void ShowStatistic(He4HookDriverHide* pNtDriverControl)
{
    // Dumps the driver's per-heap memory counters (system vs. heap usage) for
    // each heap reported in HE4_STATISTIC_INFO::m_HeapInfoSet.  Prints nothing
    // when QueryStatistic() does not return TRUE.
    if (pNtDriverControl == NULL)
        return;

    HE4_STATISTIC_INFO StatInfo;
    if (pNtDriverControl->QueryStatistic(&StatInfo) != TRUE)
        return;

    PHEAP_INFO_SET heaps = &(StatInfo.m_HeapInfoSet);

    printf("\n m_DefaultHeapInfo:\n SystemMemoryUsage = %u\n HeapMemoryUsage = %u",
           heaps->m_DefaultHeapInfo.m_dwSystemMemoryUsage,
           heaps->m_DefaultHeapInfo.m_dwHeapMemoryUsage);

    printf("\n UnlockListHeapInfo:\n SystemMemoryUsage = %u\n HeapMemoryUsage = %u",
           heaps->m_UnlockListHeapInfo.m_dwSystemMemoryUsage,
           heaps->m_UnlockListHeapInfo.m_dwHeapMemoryUsage);

    printf("\n FSDefaultHeapInfo:\n SystemMemoryUsage = %u\n HeapMemoryUsage = %u",
           heaps->m_FSDefaultHeapInfo.m_dwSystemMemoryUsage,
           heaps->m_FSDefaultHeapInfo.m_dwHeapMemoryUsage);

    printf("\n SOFileListHeapInfo:\n SystemMemoryUsage = %u\n HeapMemoryUsage = %u",
           heaps->m_SOFileListHeapInfo.m_dwSystemMemoryUsage,
           heaps->m_SOFileListHeapInfo.m_dwHeapMemoryUsage);

    printf("\n LLDefaultHeapInfo:\n SystemMemoryUsage = %u\n HeapMemoryUsage = %u",
           heaps->m_LLDefaultHeapInfo.m_dwSystemMemoryUsage,
           heaps->m_LLDefaultHeapInfo.m_dwHeapMemoryUsage);

    printf("\n MiscDefaultHeapInfo:\n SystemMemoryUsage = %u\n HeapMemoryUsage = %u",
           heaps->m_MiscDefaultHeapInfo.m_dwSystemMemoryUsage,
           heaps->m_MiscDefaultHeapInfo.m_dwHeapMemoryUsage);

    printf("\n DHDefaultHeapInfo:\n SystemMemoryUsage = %u\n HeapMemoryUsage = %u",
           heaps->m_DHDefaultHeapInfo.m_dwSystemMemoryUsage,
           heaps->m_DHDefaultHeapInfo.m_dwHeapMemoryUsage);

    // The BTree heap counters were already disabled in the original listing.
}