struct input
{
int table; //0=SDT, 1=SSDT
int nr;
ULONG address;
UCHAR paramcount;
} *pinp;
pinp=Irp->AssociatedIrp.SystemBuffer;
__asm
{
cli
mov eax,CR0
and eax,not 0x10000
mov CR0,eax
}
if (pinp->table==0)
{
(ULONG)(KeServiceDescriptorTable->ServiceTable[pinp->nr])=pinp->address;
(UCHAR)(KeServiceDescriptorTable->ArgumentTable[pinp->nr])=pinp->paramcount;
}
else if (pinp->table==1)
{
(ULONG)(KeServiceDescriptorTableShadow->ServiceTable[pinp->nr])=pinp->address;
(UCHAR)(KeServiceDescriptorTableShadow->ArgumentTable[pinp->nr])=pinp->paramcount;
}
__asm
{
mov eax,CR0
xor eax,0x10000
mov CR0,eax
sti
}
ntStatus=STATUS_SUCCESS;
break;
}
case IOCTL_CE_GETSDTADDRESS:
{
// for undetected ... start.
struct outputTest
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutpTest;
// for undetected ... end.
struct input
{
int table; //0=SDT, 1=SSDT
int nr;
} *pinp;
struct output
{
ULONG address;
UCHAR paramcount;
} *poutp;
int table;
int nr;
pinp=Irp->AssociatedIrp.SystemBuffer;
table=pinp->table;
nr=pinp->nr;
poutp=Irp->AssociatedIrp.SystemBuffer;
if (table==0)
{
poutp->address=(ULONG)(KeServiceDescriptorTable->ServiceTable[nr]);
poutp->paramcount=(UCHAR)(KeServiceDescriptorTable->ArgumentTable[nr]);
}
else if (table==1)
{
poutp->address=(ULONG)(KeServiceDescriptorTableShadow->ServiceTable[nr]);
poutp->paramcount=(UCHAR)(KeServiceDescriptorTableShadow->ArgumentTable[nr]);
}
ntStatus=STATUS_SUCCESS;
break;
}
case IOCTL_CE_GETCR4:
{
// for undetected ... start.
struct outputTest
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutpTest;
// for undetected ... end.
//seems CR4 isn't seen as a register...
ULONG cr4reg=0;
cr4reg=getCR4();
*(ULONG*)Irp->AssociatedIrp.SystemBuffer=cr4reg;
ntStatus=STATUS_SUCCESS;
break;
}
case IOCTL_CE_GETCR3:
{
// for undetected ... start.
struct outputTest
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutpTest;
// for undetected ... end.
#ifndef AMD64
ULONG cr3reg=0;
PEPROCESS selectedprocess;
ntStatus=STATUS_SUCCESS;
//switch context to the selected process. (processid is stored in the systembuffer)
if (PsLookupProcessByProcessId((PVOID)(*(ULONG*)Irp->AssociatedIrp.SystemBuffer),&selectedprocess)==STATUS_SUCCESS)
{
__try
{
KAPC_STATE apc_state;
RtlZeroMemory(&apc_state,sizeof(apc_state));
//KeStackAttachProcess((PVOID)selectedprocess,&apc_state);
KeAttachProcess((PEPROCESS)selectedprocess);
__try
{
__asm
{
mov eax,CR3
mov cr3reg,eax
}
}
__finally
{
//KeUnstackDetachProcess(&apc_state);
KeDetachProcess();
}
}
__except(1)
{
ntStatus=STATUS_UNSUCCESSFUL;
break;
}
}
*(ULONG*)Irp->AssociatedIrp.SystemBuffer=cr3reg;
#else
ntStatus=STATUS_UNSUCCESSFUL; //not supported yet
#endif
break;
}
case IOCTL_CE_SETCR3:
{
// for undetected ... start.
struct outputTest
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutpTest;
// for undetected ... end.
#ifndef AMD64
struct input
{
ULONG ProcessID;
ULONG NewCR3;
} *pinp;
ULONG cr3reg;
PEPROCESS selectedprocess;
ntStatus=STATUS_SUCCESS;
pinp=Irp->AssociatedIrp.SystemBuffer;
cr3reg=pinp->NewCR3;
//switch context to the selected process. (processid is stored in the systembuffer)
if (PsLookupProcessByProcessId((PVOID)(pinp->ProcessID ^ 0xce),&selectedprocess)==STATUS_SUCCESS)
{
__try
{
KAPC_STATE apc_state;
RtlZeroMemory(&apc_state,sizeof(apc_state));
//KeStackAttachProcess((PKPROCESS)selectedprocess,&apc_state);
KeAttachProcess((PEPROCESS)selectedprocess);
__try
{
__asm
{
mov eax,cr3reg
mov CR3,eax
}
}
__finally
{
//KeUnstackDetachProcess(&apc_state);
KeDetachProcess();
}
}
__except(1)
{
ntStatus=STATUS_UNSUCCESSFUL;
break;
}
}
#else
ntStatus=STATUS_UNSUCCESSFUL; //not supported yet
#endif
break;
}
case IOCTL_CE_GETSDT:
{
// for undetected ... start.
struct output
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutp;
// for undetected ... end.
*(UINT_PTR*)Irp->AssociatedIrp.SystemBuffer=(UINT_PTR)KeServiceDescriptorTable;
//returns the address of KeServiceDescriptorTable
ntStatus=STATUS_SUCCESS;
break;
}
case IOCTL_CE_GETIDT:
{
// for undetected ... start.
struct output
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutp;
// for undetected ... end.
//returns the address of the IDT of the current CPU
IDT idt;
RtlZeroMemory(&idt,sizeof(IDT));
GetIDT(&idt);
RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer,&idt,sizeof(IDT)); //copy idt
ntStatus=STATUS_SUCCESS;
break;
}
case IOCTL_CE_GETGDT:
{
/*
//returns the address of the IDT of the current CPU
GDT gdt;
RtlZeroMemory(&gdt,sizeof(GDT));
GetGDT(&gdt);
RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer,&gdt,sizeof(GDT)); //copy gdt
*/
ntStatus=STATUS_SUCCESS;
break;
}
////max
case IOCTL_CE_HOOKINTS:
{
// for undetected ... start.
struct outputTest
{
ULONG int1apihookTest; //address of the in1apihook function
ULONG OriginalInt1handlerTest; //space to write the int1 handler
} *poutpTest;
// for undetected ... end.
IDT idt;
BYTE Processor;
GetIDT(&idt);
//DbgPrint("IOCTL_CE_HOOKINTS\n");
Processor=*(PCHAR)Irp->AssociatedIrp.SystemBuffer;
ntStatus=STATUS_SUCCESS;
if (IDTAddresses[Processor]==0)
{
//DbgPrint("Stored the IDT of this cpu\n");
IDTAddresses[Processor]=(UINT_PTR)idt.vector;
}
//DbgPrint("Calling HookInt1()\n");
if (HookInt1() )
{
DbgPrint("maxDBK Int1\n");
ntStatus=STATUS_SUCCESS;
}
else
{
DbgPrint("maxDBK Fail Int1\n");
ntStatus=STATUS_UNSUCCESSFUL;
}
break;
}
case IOCTL_CE_ISUSINGALTERNATEMETHOD:
{
// for undetected ... start.
struct output
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutp;
// for undetected ... end.
*(PBOOLEAN)(Irp->AssociatedIrp.SystemBuffer)=UsesAlternateMethod;
break;
}
case IOCTL_CE_USEALTERNATEMETHOD:
{
// for undetected ... start.
struct outputTest
{
ULONG int1apihookTest; //address of the in1apihook function
ULONG OriginalInt1handlerTest; //space to write the int1 handler
} *poutpTest;
// for undetected ... end.
struct output
{
ULONG int1apihook; //address of the in1apihook function
ULONG OriginalInt1handler; //space to write the int1 handler
} *poutp;
//DbgPrint("IOCTL_CE_USEALTERNATEMETHOD: (ULONG)int1apihook=%x (ULONG)OriginalInt1handler=%x",(ULONG)int1apihook,(ULONG)OriginalInt1handler);
poutp=Irp->AssociatedIrp.SystemBuff