//
// Credits goes to Shub-Nigurrath [ARTeam]
// February 2005
#include "NTInternals.h"
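// Resolves ntdll!ZwSuspendThread at run time and forwards the call.
//
// hThread       - handle to the thread to suspend (THREAD_SUSPEND_RESUME access).
// pSuspendCount - receives the previous suspend count; may be NULL.
//
// Returns the NTSTATUS produced by ntdll. If the export cannot be resolved the
// wrapper returns STATUS_PROCEDURE_NOT_FOUND (0xC000007A) rather than 0
// (STATUS_SUCCESS), so a caller can never mistake "nothing was done" for success.
NTSTATUS NTAPI NTInternals::ZwSuspendThread(HANDLE hThread, PULONG pSuspendCount)
{
    // ntdll is mapped into every Win32 process, but never hand a NULL module
    // handle to GetProcAddress; fail closed instead.
    HINSTANCE hNtdll = GetModuleHandle("NTDLL");
    if (hNtdll == NULL)
        return static_cast<NTSTATUS>(0xC000007AL); // STATUS_PROCEDURE_NOT_FOUND

    FARPROC exportAddr = GetProcAddress(hNtdll, "ZwSuspendThread");
    if (exportAddr == NULL)
        return static_cast<NTSTATUS>(0xC000007AL); // STATUS_PROCEDURE_NOT_FOUND

    fcnZwSuspendThread suspendThread = reinterpret_cast<fcnZwSuspendThread>(exportAddr);
    return suspendThread(hThread, pSuspendCount);
}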
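// Resolves ntdll!ZwSuspendProcess at run time and forwards the call.
// The export is looked up dynamically because it is not exported by every
// ntdll build, and it is undocumented (no import library).
//
// Process - handle to the process whose threads are to be suspended
//           (PROCESS_SUSPEND_RESUME access).
//
// Returns the NTSTATUS produced by ntdll. If the export cannot be resolved the
// wrapper returns STATUS_PROCEDURE_NOT_FOUND (0xC000007A) rather than 0
// (STATUS_SUCCESS), so the caller is not told the target was suspended when it was not.
NTSTATUS STDCALL NTInternals::ZwSuspendProcess(HANDLE Process)
{
    // Guard the module handle: never pass NULL on to GetProcAddress.
    HINSTANCE hNtdll = GetModuleHandle("NTDLL");
    if (hNtdll == NULL)
        return static_cast<NTSTATUS>(0xC000007AL); // STATUS_PROCEDURE_NOT_FOUND

    FARPROC exportAddr = GetProcAddress(hNtdll, "ZwSuspendProcess");
    if (exportAddr == NULL)
        return static_cast<NTSTATUS>(0xC000007AL); // STATUS_PROCEDURE_NOT_FOUND

    fcnZwSuspendProcess suspendProcess = reinterpret_cast<fcnZwSuspendProcess>(exportAddr);
    return suspendProcess(Process);
}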
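// Resolves ntdll!ZwResumeProcess at run time and forwards the call.
// Counterpart of ZwSuspendProcess above; looked up dynamically for the same reason.
//
// Process - handle to the process whose threads are to be resumed
//           (PROCESS_SUSPEND_RESUME access).
//
// Returns the NTSTATUS produced by ntdll. If the export cannot be resolved the
// wrapper returns STATUS_PROCEDURE_NOT_FOUND (0xC000007A) rather than 0
// (STATUS_SUCCESS), so a failed lookup is visible to the caller.
//
// Fix: the local function-pointer variable was declared with the ZwSuspendProcess
// typedef while being cast to fcnZwResumeProcess; it now uses the matching typedef.
NTSTATUS STDCALL NTInternals::ZwResumeProcess(HANDLE Process)
{
    // Guard the module handle: never pass NULL on to GetProcAddress.
    HINSTANCE hNtdll = GetModuleHandle("NTDLL");
    if (hNtdll == NULL)
        return static_cast<NTSTATUS>(0xC000007AL); // STATUS_PROCEDURE_NOT_FOUND

    FARPROC exportAddr = GetProcAddress(hNtdll, "ZwResumeProcess");
    if (exportAddr == NULL)
        return static_cast<NTSTATUS>(0xC000007AL); // STATUS_PROCEDURE_NOT_FOUND

    fcnZwResumeProcess resumeProcess = reinterpret_cast<fcnZwResumeProcess>(exportAddr);
    return resumeProcess(Process);
}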
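// Resolves kernel32!DebugActiveProcessStop at run time and forwards the call,
// detaching the calling debugger from the given process. Resolved dynamically so
// the binary still loads on systems whose kernel32 lacks the export.
//
// dwProcessId - id of the process to detach from.
//
// Returns the API's result, or 0 (FALSE) when the export cannot be resolved; in
// that case GetLastError() reflects the loader's lookup failure.
WINBOOL STDCALL NTInternals::DebugActiveProcessStop(DWORD dwProcessId)
{
    // Guard the module handle: never pass NULL on to GetProcAddress.
    HINSTANCE hKernel32 = GetModuleHandle("Kernel32");
    if (hKernel32 == NULL)
        return 0;

    FARPROC exportAddr = GetProcAddress(hKernel32, "DebugActiveProcessStop");
    if (exportAddr == NULL)
        return 0;

    fcnDebugActiveProcessStop detach = reinterpret_cast<fcnDebugActiveProcessStop>(exportAddr);
    return detach(dwProcessId);
}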
// ---------------------------------------------------------------------------------------------------
// IsDebuggerPresent patching routine
// ---------------------------------------------------------------------------------------------------
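// Clears PEB.BeingDebugged in the target process so that kernel32!IsDebuggerPresent
// (and any inline re-implementation of it, e.g. inside a protector such as ASProtect)
// reports "no debugger".
//
// thread - handle to a thread of the target (THREAD_GET_CONTEXT and
//          THREAD_QUERY_INFORMATION access); used only to locate that thread's TEB.
// hproc  - handle to the target process (PROCESS_VM_READ, PROCESS_VM_WRITE and
//          PROCESS_VM_OPERATION access).
//
// Returns TRUE when the flag byte was written, FALSE on any failure. Every read is
// validated before the write, so on failure the target is left untouched.
//
// How it works (32-bit x86 only). kernel32!IsDebuggerPresent is literally:
//   77E5276B > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]     ; TEB.Self -> linear address of the TEB
//   77E52771 8B40 30          MOV EAX,DWORD PTR DS:[EAX+30] ; TEB.ProcessEnvironmentBlock
//   77E52774 0FB640 02        MOVZX EAX,BYTE PTR DS:[EAX+2] ; PEB.BeingDebugged (ONE byte)
//   77E52778 C3               RETN
// so we recover the target's FS base from the descriptor its FS selector refers to,
// read the PEB pointer at TEB+0x30 and zero the single byte at PEB+2.
//
// Notes for maintainers:
//  - BeingDebugged is a one-byte field. The byte right after it (PEB+3) holds other
//    process flags, so exactly one byte is written. (An earlier revision wrote a WORD,
//    which also zeroed PEB+3.)
//  - GetThreadSelectorEntry only works on x86, and the 4-byte pointer reads below
//    assume a 32-bit TEB/PEB. A 64-bit target or a 64-bit build has a different
//    layout; this routine is not meant for them.
//  - Only this one flag is cleared; other debugger artefacts in the target
//    (NtGlobalFlag, heap flags, ...) are left as they are.
//  - NOTE(review): GetThreadContext is documented as reliable only for a suspended
//    thread. The caller is expected to have suspended the target first (the
//    Zw*Suspend* wrappers in this file exist for that) -- confirm at the call site.
BOOL NTInternals::HideDebugger(HANDLE thread, HANDLE hproc)
{
    // Only the segment registers are needed: FS selects the thread's TEB.
    CONTEXT ctx;
    ctx.ContextFlags = CONTEXT_SEGMENTS;
    if (!GetThreadContext(thread, &ctx))
        return FALSE;

    // Translate the FS selector into the linear base address of the TEB. The base
    // is split across three descriptor fields: BaseLow (bits 0-15),
    // BaseMid (bits 16-23) and BaseHi (bits 24-31).
    LDT_ENTRY fsDescriptor;
    if (!GetThreadSelectorEntry(thread, ctx.SegFs, &fsDescriptor))
        return FALSE;
    const DWORD tebBase =
        (static_cast<DWORD>(fsDescriptor.HighWord.Bytes.BaseHi) << 24) |
        (static_cast<DWORD>(fsDescriptor.HighWord.Bytes.BaseMid) << 16) |
        static_cast<DWORD>(fsDescriptor.BaseLow);

    // TEB+0x30 holds the PEB pointer (32-bit layout, hence a 4-byte read).
    DWORD pebAddress = 0;
    SIZE_T transferred = 0;
    if (!ReadProcessMemory(hproc, reinterpret_cast<LPCVOID>(tebBase + 0x30),
                           &pebAddress, sizeof(pebAddress), &transferred)
        || transferred != sizeof(pebAddress)
        || pebAddress == 0)
        return FALSE;

    // Probe PEB+2 first so an unreadable PEB fails before anything is written.
    unsigned char beingDebugged = 0;
    if (!ReadProcessMemory(hproc, reinterpret_cast<LPCVOID>(pebAddress + 2),
                           &beingDebugged, sizeof(beingDebugged), &transferred)
        || transferred != sizeof(beingDebugged))
        return FALSE;

    // Clear the flag: exactly one byte, leaving PEB+3 intact.
    beingDebugged = 0;
    if (!WriteProcessMemory(hproc, reinterpret_cast<LPVOID>(pebAddress + 2),
                            &beingDebugged, sizeof(beingDebugged), &transferred)
        || transferred != sizeof(beingDebugged))
        return FALSE;

    return TRUE;
}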
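// Resolves kernel32!GetProcessId at run time and forwards the call. Looked up
// dynamically so the binary still loads on systems whose kernel32 lacks the export.
//
// Process - process handle (PROCESS_QUERY_INFORMATION access).
//
// Returns the process id, or 0 when the export cannot be resolved -- the same
// value the real API uses to signal failure; GetLastError() then reflects the
// loader's lookup failure.
DWORD STDCALL NTInternals::GetProcessId(HANDLE Process) {
    // Guard the module handle: never pass NULL on to GetProcAddress.
    HINSTANCE hKernel32 = GetModuleHandle("Kernel32");
    if (hKernel32 == NULL)
        return 0;

    FARPROC exportAddr = GetProcAddress(hKernel32, "GetProcessId");
    if (exportAddr == NULL)
        return 0;

    fcnGetProcessId getProcessId = reinterpret_cast<fcnGetProcessId>(exportAddr);
    return getProcessId(Process);
}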