length+=0x1000; //pinp->bytestoread; //in case of a overlapping region
toread=pinp->bytestoread;
memoryview=NULL;
DbgPrint("[0401]");
ntStatus=ZwMapViewOfSection(
physmem, //sectionhandle
NtCurrentProcess(), //processhandle
&memoryview, //BaseAddress
0L, //ZeroBits
length, //CommitSize
&viewBase, //SectionOffset
&length, //ViewSize
ViewShare,
0,
PAGE_READWRITE);
if (ntStatus==STATUS_SUCCESS)
{
offset=(UINT_PTR)(pinp->startaddress)-(UINT_PTR)viewBase.QuadPart;
RtlCopyMemory(pinp,&memoryview[offset],toread);
ZwUnmapViewOfSection(
NtCurrentProcess(), //processhandle
memoryview);
};
ZwClose(physmem);
};
}
__except(1)
{
//DbgPrint("Error while reading physical memory\n");
DbgPrint("Error while reading");
// for undetect... could be deleted.
}
break;
}
case IOCTL_CE_WRITEPHYSICALMEMORY:
{
// for undetected ... start.
struct outputTest
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutpTest;
// for undetected ... end.
HANDLE physmem;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
WCHAR physmemName[] = L"\\device\\physicalmemory";
UCHAR* memoryview;
RtlInitUnicodeString( &physmemString, physmemName );
InitializeObjectAttributes( &attributes, &physmemString, OBJ_CASE_INSENSITIVE, NULL, NULL );
ntStatus=ZwOpenSection( &physmem, SECTION_MAP_READ, &attributes );
if (ntStatus==STATUS_SUCCESS)
{
//hey look, it didn't kill it
struct input
{
char *startaddress;
UINT_PTR bytestoread;
} *pinp;
UCHAR* pinp2;
UINT_PTR length;
PHYSICAL_ADDRESS viewBase;
UINT_PTR offset;
UINT_PTR toread;
pinp=Irp->AssociatedIrp.SystemBuffer;
pinp2=(UCHAR *)pinp;
viewBase.QuadPart = (ULONGLONG)(pinp->startaddress);
length=0x0500;
length+=0x1500; //pinp->bytestoread;
toread=pinp->bytestoread;
memoryview=NULL;
ntStatus=ZwMapViewOfSection(
physmem, //sectionhandle
NtCurrentProcess(), //processhandle
&memoryview, //BaseAddress
0L, //ZeroBits
length, //CommitSize
&viewBase, //SectionOffset
&length, //ViewSize
ViewShare,
0,
PAGE_READWRITE);
if (ntStatus==STATUS_SUCCESS)
{
offset=(UINT_PTR)(pinp->startaddress)-(UINT_PTR)viewBase.QuadPart;
RtlCopyMemory(&memoryview[offset],&pinp2[8],toread);
ZwUnmapViewOfSection(
NtCurrentProcess(), //processhandle
memoryview);
}
ZwClose(physmem);
}
break;
}
case IOCTL_CE_GETPHYSICALADDRESS:
{
// for undetected ... start.
struct outputTest
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutpTest;
// for undetected ... end.
struct input
{
UINT_PTR ProcessID;
PVOID BaseAddress;
} *pinp;
PEPROCESS selectedprocess;
PHYSICAL_ADDRESS physical;
ntStatus=STATUS_SUCCESS;
pinp=Irp->AssociatedIrp.SystemBuffer;
DbgPrint("[0500] %x",(PVOID)(pinp->ProcessID ^ 0xce));
__try
{
//switch to the selected process
if (PsLookupProcessByProcessId((PVOID)(pinp->ProcessID ^ 0xce),&selectedprocess)==STATUS_SUCCESS)
{
KAPC_STATE apc_state;
RtlZeroMemory(&apc_state,sizeof(apc_state));
//KeStackAttachProcess((PVOID)selectedprocess,&apc_state);
KeAttachProcess((PEPROCESS)selectedprocess);
__try
{
physical=MmGetPhysicalAddress(pinp->BaseAddress);
}
__finally
{
//KeUnstackDetachProcess(&apc_state);
KeDetachProcess();
}
ObDereferenceObject(selectedprocess);
}
}
__except(1)
{
ntStatus=STATUS_UNSUCCESSFUL;
}
if (ntStatus==STATUS_SUCCESS)
{
RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer,&physical.QuadPart,8);
DbgPrint("[0510] %x",physical);
DbgPrint("[0511] %x",&physical.QuadPart);
}
break;
}
case IOCTL_CE_PROTECTME:
{
// for undetected ... start.
struct outputTest
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutpTest;
// for undetected ... end.
#ifdef AMD64
ntStatus=STATUS_UNSUCCESSFUL;
#else
struct input
{
HANDLE ProcessID;
ULONG DenyList;
ULONG GlobalDenyList; //ignored if it is a includelist
ULONG ListSize;
} *pinp;
UINT_PTR NextProcess;
UINT_PTR PreviousProcess;
UINT_PTR TestProcess; // for undetect. could be deleted.
pinp=Irp->AssociatedIrp.SystemBuffer;
if (ModuleList!=NULL)
{
MmFreeNonCachedMemory(ModuleList,ModuleListSize);
}
ModuleList=NULL;
ModuleListSize=0;
if (pinp->ListSize>0)
{
ModuleList=MmAllocateNonCachedMemory(pinp->ListSize);
if (ModuleList!=NULL)
{
__try
{
RtlCopyMemory(ModuleList,(PVOID)((UINT_PTR)(&(pinp->ListSize))+sizeof(pinp->ListSize)),pinp->ListSize);
ModuleListSize=pinp->ListSize;
}
__except(1)
{
DbgPrint("Error Listing");
// for undetect... could be deleted.
}
}
}
DenyList=(pinp->DenyList==1);
GlobalDenyList=(pinp->GlobalDenyList==1);
ProtectedProcessID=pinp->ProcessID;
PsLookupProcessByProcessId((PVOID)(pinp->ProcessID),&ProtectedPEProcess);
if (ActiveLinkOffset!=0)
{
NextProcess=*(PUINT_PTR)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset)-ActiveLinkOffset;
PreviousProcess=*(PUINT_PTR)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset+4)-ActiveLinkOffset;
*(PUINT_PTR)(PreviousProcess+ActiveLinkOffset)=*(PULONG)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset); //the previous process points to me next process
*(PUINT_PTR)(NextProcess+ActiveLinkOffset+4)=*(PULONG)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset+4); //the next process points to the previous process
*(PUINT_PTR)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset)=(UINT_PTR)ProtectedPEProcess+ActiveLinkOffset;
*(PUINT_PTR)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset+4)=(UINT_PTR)ProtectedPEProcess+ActiveLinkOffset;
}
if (!ProtectOn)
{
//unlink this process from the activeprocess list
if (!ImageNotifyRoutineLoaded)
{
ImageNotifyRoutineLoaded=(PsSetLoadImageNotifyRoutine(LoadImageNotifyRoutine)==STATUS_SUCCESS);
}
//Hook
OldZwOpenProcess=(ZWOPENPROCESS)SYSTEMSERVICE(ZwOpenProcess);
ProtectOn=FALSE; // for undetected... could be deleted.
OldZwQuerySystemInformation=(ZWQUERYSYSTEMINFORMATION)SYSTEMSERVICE(ZwQuerySystemInformation);
if ((KeServiceDescriptorTableShadow!=NULL) && (NtUserBuildHwndList_callnumber!=0) && (NtUserBuildHwndList_callnumber!=0) && (NtUserFindWindowEx_callnumber!=0) && (NtUserGetForegroundWindow_callnumber!=0))
{
OldNtUserQueryWindow=(NTUSERQUERYWINDOW)KeServiceDescriptorTableShadow->ServiceTable[NtUserQueryWindow_callnumber];
OldNtUserBuildHwndList=(NTUSERBUILDHWNDLIST)KeServiceDescriptorTableShadow->ServiceTable[NtUserBuildHwndList_callnumber];
OldNtUserFindWindowEx=(NTUSERFINDWINDOWEX)KeServiceDescriptorTableShadow->ServiceTable[NtUserFindWindowEx_callnumber];
OldNtUserGetForegroundWindow=(NTUSERGETFOREGROUNDWINDOW)KeServiceDescriptorTableShadow->ServiceTable[NtUserGetForegroundWindow_callnumber];
//now a extra check before I screw up the system
if (((UCHAR)KeServiceDescriptorTableShadow->ServiceTable[NtUserBuildHwndList_callnumber]!=0x1c) ||
((UCHAR)KeServiceDescriptorTableShadow->ServiceTable[NtUserQueryWindow_callnumber]!=0x08) ||
((UCHAR)KeServiceDescriptorTableShadow->ServiceTable[NtUserFindWindowEx_callnumber]!=0x14) ||
((UCHAR)KeServiceDescriptorTableShadow->ServiceTable[NtUserGetForegroundWindow_callnumber]!=0x0)
)
{
//NO!
KeServiceDescriptorTableShadow=NULL; //disable it
NtUserBuildHwndList_callnumber=0;
NtUserQueryWindow_callnumber=0;
NtUserFindWindowEx_callnumber=0;
NtUserGetForegroundWindow_callnumber=0;
}
}
else
{
KeServiceDescriptorTableShadow=NULL; //do not enable hooking. All have to work, else none
}
ProtectOn=TRUE;
}
__asm
{
cli
mov eax,CR0
and eax,not 0x10000
mov CR0,eax
}
(ZWOPENPROCESS)(SYSTEMSERVICE(ZwOpenProcess))=NewZwOpenProcess;
(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation))=NewZwQuerySystemInformation;
if ((NtUserQueryWindow_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
(NTUSERQUERYWINDOW)(KeServiceDescriptorTableShadow->ServiceTable[NtUserQueryWindow_callnumber])=NewNtUserQueryWindow;
if ((NtUserFindWindowEx_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
(NTUSERFINDWINDOWEX)(KeServiceDescriptorTableShadow->ServiceTable[NtUserFindWindowEx_callnumber])=NewNtUserFindWindowEx;
if ((NtUserGetForegroundWindow_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
(NTUSERGETFOREGROUNDWINDOW)(KeServiceDescriptorTableShadow->ServiceTable[NtUserGetForegroundWindow_callnumber])=NewNtUserGetForegroundWindow;
if ((NtUserBuildHwndList_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
(NTUSERBUILDHWNDLIST)(KeServiceDescriptorTableShadow->ServiceTable[NtUserBuildHwndList_callnumber])=NewNtUserBuildHwndList;
__asm
{
mov eax,CR0
xor eax,0x10000
mov CR0,eax
sti
}
ntStatus=STATUS_SUCCESS;
#endif //not amd64
break;
}
case IOCTL_CE_DONTPROTECTME:
{
// for undetected ... start.
struct outputTest
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutpTest;
// for undetected ... end.
//Unhook();
if (ProtectOn)
ntStatus=STATUS_UNSUCCESSFUL;
else
ntStatus=STATUS_SUCCESS;
//ProtectOn=FALSE;
break;
}
case IOCTL_CE_SETSDTADDRESS:
{
// for undetected ... start.
struct outputTest
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutpTest;
// for undetected ... end.