📄 dbkdrvr.c
字号:
if (KeAddSystemServiceTable((PULONG_PTR)functionlist, 0, 1, (PUCHAR)paramsizes, 2))
{
registered=1;
//DbgPrint("Register successfull\n");
DbgPrint("[0002]");
}
else
{
//DbgPrint("Register failed.\n");
DbgPrint("[0003]");
}
//DbgPrint("KeServiceDescriptorTable[0]=%p",&KeServiceDescriptorTable[0]);
//DbgPrint("KeServiceDescriptorTable[1]=%p",&KeServiceDescriptorTable[1]);
//DbgPrint("KeServiceDescriptorTable[2]=%p",&KeServiceDescriptorTable[2]);
//DbgPrint("KeServiceDescriptorTable[3]=%p",&KeServiceDescriptorTable[3]);
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath)
/*++
Routine Description:
This routine is called when the driver is loaded by NT.
Arguments:
DriverObject - Pointer to driver object created by system.
RegistryPath - Pointer to the name of the services node for this driver.
Return Value:
The function value is the final status from the initialization operation.
--*/
{
NTSTATUS ntStatus;
PVOID BufDriverString=NULL,BufProcessEventString=NULL,BufThreadEventString=NULL;
UNICODE_STRING uszDriverString;
UNICODE_STRING uszProcessEventString;
UNICODE_STRING uszThreadEventString;
PDEVICE_OBJECT pDeviceObject;
int i;
ULONG cr4reg;
HANDLE reg;
OBJECT_ATTRIBUTES oa;
pagedirstart = 0xc0000000;
__asm { nop };
if (pagedirstart != 0xc0000000)
return FALSE;
DbgPrint("[0004]");
//DbgPrint("maxDBK Loading driver.\n");
//DbgPrint("maxDBK Registry path = %S\n", RegistryPath->Buffer);
InitializeObjectAttributes(&oa,RegistryPath,OBJ_KERNEL_HANDLE ,NULL,NULL);
ntStatus=ZwOpenKey(®,KEY_QUERY_VALUE,&oa);
if (ntStatus == STATUS_SUCCESS)
{
UNICODE_STRING A,B,C,D;
PVOID buf;
PKEY_VALUE_PARTIAL_INFORMATION bufA,bufB,bufC,bufD;
ULONG ActualSize;
//DbgPrint("maxDBK DriverEntry Opened the key.\n");
DbgPrint("[0005]");
BufDriverString=ExAllocatePool(PagedPool,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100);
BufDeviceString=ExAllocatePool(PagedPool,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100);
BufProcessEventString=ExAllocatePool(PagedPool,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100);
BufThreadEventString=ExAllocatePool(PagedPool,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100);
bufA=BufDriverString;
bufB=BufDeviceString;
bufC=BufProcessEventString;
bufD=BufThreadEventString;
RtlInitUnicodeString(&A, L"A");
RtlInitUnicodeString(&B, L"B");
RtlInitUnicodeString(&C, L"C");
RtlInitUnicodeString(&D, L"D");
if (ntStatus == STATUS_SUCCESS)
ntStatus=ZwQueryValueKey(reg,&A,KeyValuePartialInformation ,bufA,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100,&ActualSize);
if (ntStatus == STATUS_SUCCESS)
ntStatus=ZwQueryValueKey(reg,&B,KeyValuePartialInformation ,bufB,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100,&ActualSize);
if (ntStatus == STATUS_SUCCESS)
ntStatus=ZwQueryValueKey(reg,&C,KeyValuePartialInformation ,bufC,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100,&ActualSize);
if (ntStatus == STATUS_SUCCESS)
ntStatus=ZwQueryValueKey(reg,&D,KeyValuePartialInformation ,bufD,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100,&ActualSize);
if (ntStatus == STATUS_SUCCESS)
{
//DbgPrint("maxDBK DriverEntry Read ok\n");
DbgPrint("[0006]");
RtlInitUnicodeString(&uszDriverString,(PCWSTR) bufA->Data);
RtlInitUnicodeString(&uszDeviceString,(PCWSTR) bufB->Data);
RtlInitUnicodeString(&uszProcessEventString,(PCWSTR) bufC->Data);
RtlInitUnicodeString(&uszThreadEventString,(PCWSTR) bufD->Data);
}
else
{
ExFreePool(bufA);
ExFreePool(bufB);
ExFreePool(bufC);
ExFreePool(bufD);
//DbgPrint("maxDBK DriverEntry Failed reading the value\n");
DbgPrint("[0007]");
ZwClose(reg);
return STATUS_UNSUCCESSFUL;;
}
}
else
{
DbgPrint("[0008]");
//DbgPrint("maxDBK DriverEntry Failed opening the key\n");
return STATUS_UNSUCCESSFUL;;
}
ntStatus = STATUS_SUCCESS;
// Point uszDriverString at the driver name
#ifndef CETC
// Create and initialize device object
ntStatus = IoCreateDevice(DriverObject,
0,
&uszDriverString,
FILE_DEVICE_UNKNOWN,
0,
FALSE,
&pDeviceObject);
if(ntStatus != STATUS_SUCCESS)
{
ExFreePool(BufDriverString);
ExFreePool(BufDeviceString);
ExFreePool(BufProcessEventString);
ExFreePool(BufThreadEventString);
ZwClose(reg);
return ntStatus;
}
// Point uszDeviceString at the device name
// Create symbolic link to the user-visible name
ntStatus = IoCreateSymbolicLink(&uszDeviceString, &uszDriverString);
if(ntStatus != STATUS_SUCCESS)
{
// Delete device object if not successful
IoDeleteDevice(pDeviceObject);
ExFreePool(BufDriverString);
ExFreePool(BufDeviceString);
ExFreePool(BufProcessEventString);
ExFreePool(BufThreadEventString);
ZwClose(reg);
return ntStatus;
}
#endif
// Load structure to point to IRP handlers...
DriverObject->DriverUnload = MSJUnloadDriver;
DriverObject->MajorFunction[IRP_MJ_CREATE] = MSJDispatchCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = MSJDispatchClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MSJDispatchIoctl;
DebuggedProcessID=0;
ProtectOn=FALSE;
ImageNotifyRoutineLoaded=FALSE;
LastForegroundWindow=0;
ProtectedProcessID=0;
ModuleList=NULL;
ModuleListSize=0;
newthreaddatafiller=IoAllocateWorkItem(pDeviceObject);
//
//Processlist init
#ifndef CETC
ProcessEvent=IoCreateNotificationEvent(&uszProcessEventString, &ProcessEventHandle);
KeClearEvent(ProcessEvent);
ProcessEventCount=0;
KeInitializeSpinLock(&ProcesslistSL);
#endif
CreateProcessNotifyRoutineEnabled=FALSE;
//threadlist init
#ifndef CETC
ThreadEvent=IoCreateNotificationEvent(&uszThreadEventString, &ThreadEventHandle);
KeClearEvent(ThreadEvent);
#endif
ThreadEventCount=0;
for (i=0; i<32;i++)
IDTAddresses[i]=0; //init. I dont know for sure if it gets set to NULL by default so let's be sure
RtlZeroMemory(&DebugEvents[0],50*sizeof(DebugEvent));
BufferSize=0;
processlist=NULL;
OriginalInt1.wHighOffset=0;
OriginalInt3.wHighOffset=0;
ChangeRegistersOnBP=FALSE;
for (i=0;i<4;i++)
ChangeRegs[i].Active=FALSE;
//determine if PAE is used
cr4reg=getCR4();
if ((cr4reg & 0x20)==0x20)
{
PTESize=8; //pae
PAGE_SIZE_LARGE=0x200000;
MAX_PDE_POS=0xC0604000;
}
else
{
PTESize=4;
PAGE_SIZE_LARGE=0x400000;
MAX_PDE_POS=0xC0301000;
}
#ifdef CETC
DbgPrint("[0009]");
//DbgPrint("Going to initialice CETC\n");
InitializeCETC();
#endif
UsesAlternateMethod=FALSE;
// hideme(DriverObject); //ok, for those that see this, enabling this WILL fuck up try except routines, even in usermode you'll get a blue sreen
// Return success (don't do the devicestring, I need it for unload)
ExFreePool(BufDriverString);
ExFreePool(BufProcessEventString);
ExFreePool(BufThreadEventString);
ZwClose(reg);
{
UNICODE_STRING y;
RtlInitUnicodeString(&y, L"KeAttachProcess");
AddressOfKeAttachProcess=MmGetSystemRoutineAddress(&y);
}
AddressOfInterrupt1Handler=interrupt1;
return ntStatus;
}
NTSTATUS MSJDispatchCreate(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information=0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return(STATUS_SUCCESS);
}
NTSTATUS MSJDispatchClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information=0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return(STATUS_SUCCESS);
}
NTSTATUS MSJDispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
switch(irpStack->Parameters.DeviceIoControl.IoControlCode)
{
case IOCTL_CE_READMEMORY:
{
// for undetected ... start.
struct output
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutp;
// for undetected ... end.
struct input
{
UINT_PTR processid;
char *startaddress;
unsigned short int bytestoread;
//} *pinp,inp;
} *pinp;
pinp=NULL;
//PEPROCESS selectedprocess;
pinp=Irp->AssociatedIrp.SystemBuffer;
DbgPrint("[0110]%x",pinp->processid);
DbgPrint("[0111]%x",pinp->processid ^ 0xce);
__try
{
BOOL bRead = FALSE;
ntStatus= STATUS_UNSUCCESSFUL;
//DbgPrint("[0120]%x",pinp->processid ^ 0xce);
//DbgPrint("maxDBK READMEMORY processid before pid=%p\n", pinp->processid);
//DbgPrint("maxDBK READMEMORY processid after pid=%p\n", pinp->processid ^ 0xce);
bRead = ReadProcessMemory(pinp->processid ^ 0xce,NULL,pinp->startaddress ,pinp->bytestoread & 0xFFFFFFFF,pinp);
if (bRead)
{
DbgPrint("[0121]");
//DbgPrint("maxDBK READMEMORY success.\n");
ntStatus= STATUS_SUCCESS;
}
}
__except(1)
{
DbgPrint("[0130]");
ntStatus = STATUS_UNSUCCESSFUL;
};
break;
}
case IOCTL_CE_WRITEMEMORY:
{
// for undetected ... start.
struct output
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -