unit wii128unctions;
interface
uses Windows, SysUtils, winsvc, psapi, Classes, types, registry;
//xp sp2
//ThreadsProcess=220
//ThreadListEntry=22c
// Constants for talking to the companion kernel driver through DeviceIoControl.
//
// A Windows I/O control code packs four fields into 32 bits:
//   (DeviceType shl 16) or (Access shl 14) or (Function shl 2) or Method
// Every IOCTL_CE_* code below uses the same DeviceType (FILE_DEVICE_UNKNOWN),
// the same Access (FILE_RW_ACCESS) and the same Method (METHOD_BUFFERED); only
// the function number differs, counting up from $7a + $0800.
//
// NOTE(review): FILE_RW_ACCESS means the I/O manager only checks that the
// caller opened the device for read+write. The request names include raw
// physical-memory access, CR3/CR4 writes, service-table writes and port I/O,
// so the real gate is the ACL on the device object plus whatever validation
// the driver performs. Neither is visible in this unit; confirm both on the
// driver side.
const
  // Interface version of this unit (presumably compared with the driver's
  // answer to IOCTL_CE_GETVERSION; the comparison is not in view).
  currentversion = 2000007;

  // Access field values (bits 14..15 of a control code).
  FILE_ANY_ACCESS     = 0;
  FILE_SPECIAL_ACCESS = FILE_ANY_ACCESS;
  FILE_READ_ACCESS    = $0001;
  FILE_WRITE_ACCESS   = $0002;
  FILE_RW_ACCESS      = FILE_READ_ACCESS or FILE_WRITE_ACCESS;

  // Transfer method field values (bits 0..1 of a control code).
  METHOD_BUFFERED   = 0;
  METHOD_IN_DIRECT  = 1;
  METHOD_OUT_DIRECT = 2;
  METHOD_NEITHER    = 3;

  // Device type field (bits 16..31 of a control code).
  FILE_DEVICE_UNKNOWN = $00000022;
  IOCTL_UNKNOWN_BASE  = FILE_DEVICE_UNKNOWN;

  // --- process memory and handles ---
  IOCTL_CE_READMEMORY =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0800) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_WRITEMEMORY =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0801) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_OPENPROCESS =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0802) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_QUERY_VIRTUAL_MEMORY =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0803) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_TEST =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0804) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_GETPEPROCESS =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0805) shl 2) or (METHOD_BUFFERED);

  // --- physical memory ---
  IOCTL_CE_READPHYSICALMEMORY =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0806) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_WRITEPHYSICALMEMORY =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0807) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_GETPHYSICALADDRESS =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0808) shl 2) or (METHOD_BUFFERED);

  // --- self protection, control registers, system tables ---
  IOCTL_CE_PROTECTME =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0809) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_GETCR3 =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $080a) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_SETCR3 =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $080b) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_GETSDT =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $080c) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_INITIALIZE =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $080d) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_DONTPROTECTME =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $080e) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_GETIDT =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $080f) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_HOOKINTS =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0810) shl 2) or (METHOD_BUFFERED);

  // --- debugging and process/thread event watching ---
  IOCTL_CE_DEBUGPROCESS =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0811) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_RETRIEVEDEBUGDATA =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0812) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_STARTPROCESSWATCH =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0813) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_GETPROCESSEVENTS =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0814) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_GETTHREADEVENTS =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0815) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_GETVERSION =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0816) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_GETCR4 =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0817) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_OPENTHREAD =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0818) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_MAKEWRITABLE =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0819) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_DEBUGPROCESS_CHANGEREG =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $081a) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_STOPDEBUGGING =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $081b) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_STOP_DEBUGPROCESS_CHANGEREG =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $081c) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_USEALTERNATEMETHOD =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $081d) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_ISUSINGALTERNATEMETHOD =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $081e) shl 2) or (METHOD_BUFFERED);

  // --- allocation, APCs, thread/process suspension ---
  IOCTL_CE_ALLOCATEMEM =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $081f) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_CREATEAPC =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0820) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_GETPETHREAD =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0821) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_SUSPENDTHREAD =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0822) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_RESUMETHREAD =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0823) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_SUSPENDPROCESS =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0824) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_RESUMEPROCESS =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0825) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_ALLOCATEMEM_NONPAGED =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0826) shl 2) or (METHOD_BUFFERED);

  // --- kernel symbol lookup, service tables, GDT, VMX, port I/O ---
  IOCTL_CE_GETPROCADDRESS =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0827) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_SETSDTADDRESS =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0828) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_GETSDTADDRESS =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $0829) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_GETGDT =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $082a) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_SETCR4 =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $082b) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_VMXCONFIG =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $082c) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_READ_PORT_UCHAR =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $082d) shl 2) or (METHOD_BUFFERED);
  IOCTL_CE_WRITE_PORT_UCHAR =
    (IOCTL_UNKNOWN_BASE shl 16) or (FILE_RW_ACCESS shl 14) or
    (($7a + $082e) shl 2) or (METHOD_BUFFERED);
// Function-pointer type with the same parameter list and stdcall convention
// as the Win32 DeviceIoControl API: device handle, control code, input buffer
// and size, output buffer and size, bytes-returned out parameter, overlapped.
// NOTE(review): where a variable of this type gets its address is not visible
// in this view.
type
TDeviceIoControl = function(hDevice: THandle; dwIoControlCode: DWORD;
lpInBuffer: Pointer; nInBufferSize: DWORD; lpOutBuffer: Pointer;
nOutBufferSize: DWORD; var lpBytesReturned: DWORD;
lpOverlapped: POverlapped): BOOL; stdcall;
// One entry of the global handlelist array: a process handle paired with the
// process id it belongs to and a flag saying whether the entry is valid.
// NOTE(review): who sets and clears validhandle is not visible here —
// presumably the open-process replacement and IsValidHandle; confirm.
type
thandlelist = record
processhandle: thandle;
processid: dword;
validhandle: boolean;
end;
// Process-id / thread-id pair handed by pointer to the NtOpenProcess and
// NtOpenThread stand-ins declared in this unit (their clientid parameter).
// Both fields are THandle-sized, so the record layout depends on the target
// pointer size.
// NOTE(review): the layout presumably has to match the native CLIENT_ID
// structure — confirm against the implementation.
type
TClient_ID = record
processid: thandle;
threadid: thandle;
end;
type
PClient_ID = ^TClient_ID;
// Worker thread that carries a CPU number and two completion flags.
// The Execute body is in the implementation section and is not in view.
// NOTE(review): by its name and the cpunr field this presumably runs once per
// processor to hook that processor's IDT — confirm in Execute.
type
THookIDTThread = class(tthread)
public
cpunr: byte;        // processor this thread is meant for (presumed)
done: boolean;      // completion flag; set by Execute (presumed)
succeeded: boolean; // outcome flag; set by Execute (presumed)
procedure Execute; override;
end;
// Thread class with no fields of its own; only Execute is overridden.
// The global variable hooker is declared with this type.
// NOTE(review): the name suggests it keeps re-applying the IDT hook in a
// loop; the Execute body is not in view — confirm.
type
THookIDTConstantly = class(tthread)
public
procedure Execute; override;
end;
// Dynamic array of DWORDs.
// NOTE(review): presumably one IDT base address per processor, filled by the
// IDT-reading threads — confirm where it is sized and written.
var
cpuidt: array of dword;
// Worker thread that carries a CPU number and a completion flag.
// The Execute body is in the implementation section and is not in view.
// NOTE(review): presumably reads the IDT base of processor cpunr — confirm.
type
TGetIDTThread = class(tthread)
public
cpunr: byte;   // processor this thread is meant for (presumed)
done: boolean; // completion flag; set by Execute (presumed)
procedure Execute; override;
end;
// Unit-wide state shared by every exported routine. All of it is plain global
// data with no locking visible in this view.
var
hdevice: thandle; // handle to the device driver; GetLoadedState compares it with INVALID_HANDLE_VALUE
handlelist: array of thandlelist; // process handles tracked by this unit
driverloc: string; // presumably the driver file location — confirm
iamprotected: boolean; // presumably tracks ProtectMe/UnprotectMe — confirm
SDTShadow: DWORD; // presumably the shadow service table address — confirm
debugport, processname: dword; // presumably kernel structure offsets (see GetDebugportOffset/GetProcessnameOffset) — confirm
ThreadsProcess, ThreadListEntry: dword; // names match the XP SP2 values in the comment at the top of the unit
processeventname, threadeventname: string;
processevent, threadevent: thandle;
ownprocess: thandle; // needed for simple kernel memory access
Successfullyloaded: boolean; // GetLoadedState requires this in addition to a valid hdevice
usealternatedebugmethod: boolean;
// Exported routines of the unit. Only the declarations are shown here; the
// bodies live in the implementation section, so everything said below about
// behaviour is inferred from names and signatures and should be confirmed.
//
// NOTE(review): taken together these declarations give the calling process
// memory access across processes, physical-memory access, control-register
// and service-table writes, and port I/O. Anything linking this unit should
// be reviewed as fully privileged code, and the driver behind hdevice should
// restrict who may open it.

// Builds a device I/O control code from its four fields.
function CTL_CODE(DeviceType, Func, Method, Access: integer): integer;
function IsValidHandle(hProcess: THandle): BOOL; stdcall;

// Stand-ins for Win32/NT process, thread and memory APIs. The brace comment
// before each short name gives the API whose signature is mirrored.
function {OpenProcess}OP(dwDesiredAccess: DWORD; bInheritHandle: BOOL;
dwProcessId: DWORD): THANDLE; stdcall;
function {OpenThread}OT(dwDesiredAccess: DWORD; bInheritHandle: BOOL;
dwThreadId: DWORD): THANDLE; stdcall;
function {ReadProcessMemory}RPM(hProcess: THANDLE; lpBaseAddress: pointer;
lpBuffer: pointer; nSize: DWORD; var NumberOfBytesRead: DWORD): BOOL; stdcall;
function {WriteProcessMemory}WPM(hProcess: THANDLE; lpBaseAddress: pointer;
lpBuffer: pointer; nSize: DWORD; var NumberOfBytesWritten: DWORD): BOOL; stdcall;
function {VirtualQueryEx}VQE(hProcess: THandle; address: pointer;
var mbi: _MEMORY_BASIC_INFORMATION; bufsize: DWORD): dword; stdcall;
function {NtOpenProcess}NOP(var Handle: THandle; AccessMask: dword;
objectattributes: pointer; clientid: PClient_ID): DWORD; stdcall;
function {NtOpenThread}NtOT(var Handle: THandle; AccessMask: dword;
objectattributes: pointer; clientid: PClient_ID): DWORD; stdcall;
function {VirtualAllocEx}VAE(hProcess: THandle; lpAddress: Pointer;
dwSize, flAllocationType: DWORD; flProtect: DWORD): Pointer; stdcall;
function CreateRemoteAPC(threadid: dword; lpStartAddress: TFNAPCProc): THandle; stdcall;

// Kernel object lookups and structure offsets (values returned as DWORDs).
function GetMaxPEProc(ProcessID: dword): dword; stdcall;
function GetPEThread(Threadid: dword): dword; stdcall;
function GetDebugportOffset: DWORD; stdcall;
function GetProcessnameOffset: dword; stdcall;
function GetThreadsProcessOffset: dword; stdcall;
function GetThreadListEntryOffset: dword; stdcall;

// Port write / port read, presumably backed by IOCTL_CE_WRITE_PORT_UCHAR and
// IOCTL_CE_READ_PORT_UCHAR — confirm.
function imax_wpp(PortNum: dword; writeByte: byte ): dword; stdcall;
function imax_rpp(PortNum: dword): dword; stdcall;

// Physical memory access; signatures mirror the virtual-memory stand-ins above.
function ReadPhysicalMemory(hProcess: THANDLE; lpBaseAddress: pointer;
lpBuffer: pointer; nSize: DWORD; var NumberOfBytesRead: DWORD): BOOL; stdcall;
function WritePhysicalMemory(hProcess: THANDLE; lpBaseAddress: pointer;
lpBuffer: pointer; nSize: DWORD; var NumberOfBytesWritten: DWORD): BOOL; stdcall;
function GetPhysicalAddress(hProcess: THandle; lpBaseAddress: pointer;
var Address: int64): BOOL; stdcall;

// Self-protection toggle. list/listsize carry a caller-supplied buffer.
// NOTE(review): confirm the implementation and the driver bound-check listsize.
function ProtectMe(ProtectedProcessID: dword; denylist, globaldenylist: BOOL; list: PChar;
listsize: dword): BOOL; stdcall; //or should I give it a array of processid's?
function UnprotectMe: bool; stdcall;

// Control registers and service descriptor tables.
function GetCR4: DWORD; stdcall;
function GetCR3(hProcess: THANDLE; var CR3: DWORD): BOOL; stdcall;
function SetCR3(hProcess: THANDLE; CR3: DWORD): BOOL; stdcall;
function GetSDT: DWORD; stdcall;
function GetSDTShadow: DWORD; stdcall;

// Driver-assisted debugging.
function setAlternateDebugMethod(var int1apihook: dword;
var OriginalInt1handler: dword): BOOL; stdcall;
function getAlternateDebugMethod: BOOL; stdcall;
function DebugProcess(processid: dword; address: DWORD; size: byte; debugtype: byte): BOOL;
stdcall;
function StopDebugging: BOOL; stdcall;
function StopRegisterChange(regnr: integer): BOOL; stdcall;
// NOTE(review): Buffer has no size parameter, so the caller must know how much
// the driver writes — confirm the required size in the implementation.
function RetrieveDebugData(Buffer: pointer): integer; stdcall;
// One change flag plus one new value per register and per status flag.
function ChangeRegOnBP(Processid: dword; address: dword; debugreg: integer;
changeEAX, changeEBX, changeECX, changeEDX, changeESI, changeEDI, changeEBP,
changeESP, changeEIP, changeCF, changePF, changeAF, changeZF, changeSF, changeOF: boolean;
newEAX, newEBX, newECX, newEDX, newESI, newEDI, newEBP, newESP, newEIP: DWORD;
newCF, newPF, newAF, newZF, newSF, newOF: boolean): boolean; stdcall;

// Process/thread creation watching and name lookup.
function StartProcessWatch: BOOL; stdcall;
function WaitForProcessListData(processpointer: pointer; threadpointer: pointer;
timeout: dword): dword; stdcall;
function GetMaxPPNameFromPid(peprocess: dword; buffer: PChar; buffersize: dword): integer;
stdcall;
function GetProcessNameFromID(processid: dword; buffer: pointer; buffersize: dword): integer;
stdcall;

// Page protection changes and kernel32 patching.
function MakeWritable(Address, Size: dword; copyonwrite: boolean): boolean; stdcall;
function RewriteKernel32: boolean; stdcall;
function RestoreKernel32: boolean; stdcall;

// Driver setup, version and state.
function InitializeDriver(Address, size: dword): BOOL; stdcall;
function GetWin32KAddress(var address: DWORD; var size: dworD): boolean;
function GetDriverVersion: dword;
function GetIDTCurrentThread: dword; stdcall;
function GetIDTs(idtstore: pointer; maxidts: integer): integer; stdcall;
// True only when hdevice is a valid handle and Successfullyloaded is set.
function GetLoadedState: boolean; stdcall;
function test: boolean; stdcall;
procedure useIOCTL(use: boolean); stdcall;

// Thread and process suspension through the driver (the DBK prefix and the
// IOCTL_CE_SUSPEND*/RESUME* codes suggest this; bodies not in view).
function DBKSuspendThread(ThreadID: dword): boolean; stdcall;
function DBKResumeThread(ThreadID: dword): boolean; stdcall;
function DBKSuspendProcess(ProcessID: dword): boolean; stdcall;
function DBKResumeProcess(ProcessID: dword): boolean; stdcall;

// Kernel allocation, kernel export lookup, service-table entries and GDT.
function KernelAlloc(size: dword): pointer; stdcall;
function GetKProcAddress(s: pwidechar): pointer; stdcall;
function GetSDTEntry(nr: integer; address: PDWORD; paramcount: PBYTE): boolean; stdcall;
function SetSDTEntry(nr: integer; address: DWORD; paramcount: byte): boolean; stdcall;
function GetSSDTEntry(nr: integer; address: PDWORD; paramcount: PBYTE): boolean; stdcall;
function SetSSDTEntry(nr: integer; address: DWORD; paramcount: byte): boolean; stdcall;
function GetGDT(limit: pword): dword; stdcall;
// Further unit-wide globals, declared after the routine list.
var
hooker: THookIDTConstantly; // single instance of the THookIDTConstantly thread class
kernel32dll: thandle; // presumably the module handle of kernel32.dll — confirm
ioctl: boolean; // presumably the switch set by useIOCTL — its body is not fully in view
implementation
// Raw fast-system-call stub: copies ESP into EDX and executes SYSENTER.
// These are the same two instructions the 32-bit ntdll system-call stub uses,
// so a caller that jumps here enters the kernel without going through ntdll.
// NOTE(review): nothing here loads EAX, so the system service number must
// already be in EAX on entry, and the stack must be laid out the way the
// kernel's SYSENTER handler expects; the callers are not in this view —
// confirm. This is 32-bit x86 only.
// NOTE(review): system calls issued this way are not seen by user-mode hooks
// placed on ntdll exports; monitoring that must cover this code needs
// kernel-side telemetry.
procedure FSC;
asm
MOV EDX,ESP
SYSENTER
end;
// Reports whether the driver interface is usable: the device handle must be
// valid and the Successfullyloaded flag must be set.
function GetLoadedState: boolean; stdcall;
begin
  if hdevice = INVALID_HANDLE_VALUE then
    Result := False // no device handle, so the driver was never opened
  else
    Result := Successfullyloaded;
end;
procedure useIOCTL(use: boolean); stdcall;
begin