} *poutp;
// for undetected ... end.
struct input
{
UINT_PTR processid;
void *startaddress;
unsigned short int bytestowrite;
} *pinp,inp;
PEPROCESS selectedprocess;
pinp=Irp->AssociatedIrp.SystemBuffer;
__try
{
BOOL bRead = FALSE;
ntStatus= STATUS_UNSUCCESSFUL;
bRead = WriteProcessMemory(pinp->processid ^ 0xce,NULL,pinp->startaddress,pinp->bytestowrite,(PVOID)((UINT_PTR)pinp+sizeof(inp)));
if (bRead)
{
ntStatus= STATUS_SUCCESS;
}
}
__except(1)
{
//something went wrong and I don't know what
ntStatus = STATUS_UNSUCCESSFUL;
};
break;
}
case IOCTL_CE_OPENPROCESS:
{
// for undetected ... start.
struct output
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutp;
// for undetected ... end.
HANDLE ProcessHandle;
CLIENT_ID ClientID;
OBJECT_ATTRIBUTES ObjectAttributes;
UINT_PTR *temppid;
PHANDLE pid;
PEPROCESS selectedprocess;
UNICODE_STRING y;
PVOID *PsProcessType;
RtlZeroMemory(&ObjectAttributes,sizeof(OBJECT_ATTRIBUTES));
ntStatus=STATUS_SUCCESS;
temppid = Irp->AssociatedIrp.SystemBuffer;
pid = Irp->AssociatedIrp.SystemBuffer;
DbgPrint("[0210] %x",*temppid);
//DbgPrint("[0210b] %x",*pid);
*temppid = *temppid ^ 0x18;
*temppid = *temppid ^ 0xce;
*temppid = *temppid ^ 0x18;
//DbgPrint("[0211] %x",(*temppid ^ 0xce));
//DbgPrint("[0212] %x",Irp->AssociatedIrp.SystemBuffer);
//DbgPrint("[0216] %x",pid);
//DbgPrint("[0216b] %x",temppid);
DbgPrint("[0217] %x",*pid);
DbgPrint("[0217b] %x",*temppid);
ClientID.UniqueProcess=*pid;
ClientID.UniqueThread=0;
ProcessHandle=0;
__try
{
ProcessHandle=0;
//ntStatus=ZwOpenProcess(&ProcessHandle,PROCESS_ALL_ACCESS,&ObjectAttributes,&ClientID);
if (PsLookupProcessByProcessId((PVOID)(*pid),&selectedprocess)==STATUS_SUCCESS)
{
//DbgPrint("maxDBK OPENPROCESS Enter PsLookup.\n");
//DbgPrint("[0220] %x",*pid);
RtlInitUnicodeString(&y, L"PsProcessType");
PsProcessType=MmGetSystemRoutineAddress(&y);
if (PsProcessType)
{
ACCESS_STATE AccessState;
//DbgPrint("Calling ObOpenObjectByPointer\n");
ntStatus=ObOpenObjectByPointer (
selectedprocess,
0,
NULL,
PROCESS_ALL_ACCESS,
(PVOID)*PsProcessType,
UserMode,
&ProcessHandle);
//DbgPrint("maxDBK OPENPROCESS Open Pointer ntStatus=%x",ntStatus);
//DbgPrint("[0221] %x",ntStatus);
}
else
{
//DbgPrint("[0230] %x",*pid);
//DbgPrint("maxDBK OPENPROCESS Process Type not found.\n");
}
}
else
{
//DbgPrint("[0240] %x",*pid);
//DbgPrint("maxDBK OPENPROCESS don't enter psLookUp.\n");
}
}
__except(1)
{
ntStatus=STATUS_UNSUCCESSFUL;
}
DbgPrint("[0250] %x",ProcessHandle);
*pid=ProcessHandle;
DbgPrint("[0251] %x",*pid);
break;
}
case IOCTL_CE_OPENTHREAD:
{
// for undetected ... start.
struct output
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutp;
// for undetected ... end.
HANDLE ThreadHandle;
CLIENT_ID ClientID;
OBJECT_ATTRIBUTES ObjectAttributes;
PHANDLE tid;
RtlZeroMemory(&ObjectAttributes,sizeof(OBJECT_ATTRIBUTES));
ntStatus=STATUS_SUCCESS;
tid=Irp->AssociatedIrp.SystemBuffer;
ClientID.UniqueProcess=0;
ClientID.UniqueThread=*tid;
ThreadHandle=0;
__try
{
ThreadHandle=0;
ntStatus=ZwOpenThread(&ThreadHandle,PROCESS_ALL_ACCESS,&ObjectAttributes,&ClientID);
}
__except(1)
{
ntStatus=STATUS_UNSUCCESSFUL;
}
*tid=ThreadHandle;
break;
}
case IOCTL_CE_MAKEWRITABLE:
{
// for undetected ... start.
struct output
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutp;
// for undetected ... end.
struct InputBuf
{
PVOID StartAddress;
ULONG Size;
BYTE CopyOnWrite;
} *PInputBuf;
PInputBuf=Irp->AssociatedIrp.SystemBuffer;
ntStatus=MakeWritable(PInputBuf->StartAddress,PInputBuf->Size,(PInputBuf->CopyOnWrite==1)) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
break;
}
case IOCTL_CE_QUERY_VIRTUAL_MEMORY:
{
// for undetected ... start.
struct outputTest
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutpTest;
// for undetected ... end.
struct InputBuf
{
UINT_PTR ProcessID;
UINT_PTR StartAddress;
} *PInputBuf;
struct OutputBuf
{
UINT_PTR length;
UINT_PTR protection;
} *POutputBuf;
UINT_PTR BaseAddress;
PEPROCESS selectedprocess;
PInputBuf =Irp->AssociatedIrp.SystemBuffer;
POutputBuf=Irp->AssociatedIrp.SystemBuffer;
__try
{
BOOL bRead = FALSE;
ntStatus= STATUS_UNSUCCESSFUL;
bRead = GetMemoryRegionData(PInputBuf->ProcessID ^ 0xce,NULL,(PVOID)(PInputBuf->StartAddress),&(POutputBuf->protection),&(POutputBuf->length),&BaseAddress);
if (bRead)
{
ntStatus= STATUS_SUCCESS;
}
}
__except(1)
{
ntStatus=STATUS_UNSUCCESSFUL;
}
break;
}
case IOCTL_CE_TEST: //just a test to see it's working
{
ULONG ThreadID;
ThreadID=*(ULONG*)Irp->AssociatedIrp.SystemBuffer;
ntStatus=STATUS_SUCCESS;
break;
}
case IOCTL_CE_GETPETHREAD:
{
// for undetected ... start.
struct output
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutp;
// for undetected ... end.
*(PULONG)Irp->AssociatedIrp.SystemBuffer=getPEThread(*(PULONG)Irp->AssociatedIrp.SystemBuffer);
ntStatus= STATUS_SUCCESS;
break;
}
case IOCTL_CE_GETPEPROCESS:
{
// for undetected ... start.
struct output
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutp;
// for undetected ... end.
UINT_PTR *processid;
PEPROCESS selectedprocess;
processid=Irp->AssociatedIrp.SystemBuffer;
*processid=*processid ^ 0xce;
DbgPrint("[0300] %x",*processid);
if (*processid==0x0badffdd)
{
*(PULONG)Irp->AssociatedIrp.SystemBuffer=(ULONG)&AddressOfInterrupt1Handler;
ntStatus=STATUS_SUCCESS;
break;
}
DbgPrint("[0300] %x",*processid);
if (*processid==0xdeadabcd)
{
*(PULONG)Irp->AssociatedIrp.SystemBuffer=(ULONG)&AddressOfKeAttachProcess;
ntStatus=STATUS_SUCCESS;
break;
}
DbgPrint("[0300] %x",*processid);
if (*processid==0xcdcdcdcd)
{
*(PULONG)Irp->AssociatedIrp.SystemBuffer=(ULONG)NewPsGetContextThread;
ntStatus=STATUS_SUCCESS;
break;
}
DbgPrint("[0300] %x",*processid);
if (*processid==0xcececece)
{
*(PULONG)Irp->AssociatedIrp.SystemBuffer=(ULONG)&OldPsGetContextThread;
ntStatus=STATUS_SUCCESS;
break;
}
DbgPrint("[0300] %x",*processid);
if (PsLookupProcessByProcessId((PVOID)(*processid) ,&selectedprocess)==STATUS_SUCCESS)
*(PULONG)Irp->AssociatedIrp.SystemBuffer=(ULONG)selectedprocess;
else
*(PULONG)Irp->AssociatedIrp.SystemBuffer=0;
ObDereferenceObject(selectedprocess);
ntStatus= STATUS_SUCCESS;
break;
}
case IOCTL_CE_READPHYSICALMEMORY:
{
// for undetected ... start.
struct output
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutp;
// for undetected ... end.
HANDLE physmem;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
WCHAR physmemName[] = L"\\device\\physicalmemory";
UCHAR* memoryview;
DbgPrint("[0400]");
__try
{
RtlInitUnicodeString( &physmemString, physmemName );
InitializeObjectAttributes( &attributes, &physmemString, OBJ_CASE_INSENSITIVE, NULL, NULL );
ntStatus=ZwOpenSection( &physmem, SECTION_MAP_READ, &attributes );
if (ntStatus==STATUS_SUCCESS)
{
//hey look, it didn't kill it
struct input
{
char *startaddress;
UINT_PTR bytestoread;
} *pinp;
UINT_PTR length;
PHYSICAL_ADDRESS viewBase;
UINT_PTR offset;
UINT_PTR toread;
pinp=Irp->AssociatedIrp.SystemBuffer;
viewBase.QuadPart = (ULONGLONG)(pinp->startaddress);
length=0x1000;