📄 newkernelhandler.pas.svn-base
字号:
unit NewKernelHandler;
interface
uses windows,sysutils,tlhelp32;
const dbkdll='DBK32.dll';
type TReadProcessMemory=function(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesRead: DWORD): BOOL; stdcall;
type TWriteProcessMemory=function(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesWritten: DWORD): BOOL; stdcall;
type TGetThreadContext=function(hThread: THandle; var lpContext: TContext): BOOL; stdcall;
type TSetThreadContext=function(hThread: THandle; const lpContext: TContext): BOOL; stdcall;
type TSuspendThread=function(hThread: THandle): DWORD; stdcall;
type TResumeThread=function(hThread: THandle): DWORD; stdcall;
type TOpenProcess=function(dwDesiredAccess: DWORD; bInheritHandle: BOOL; dwProcessId: DWORD): THandle; stdcall;
type TCreateToolhelp32Snapshot=function(dwFlags, th32ProcessID: DWORD): THandle; stdcall;
type TProcess32First=function(hSnapshot: THandle; var lppe: TProcessEntry32): BOOL; stdcall;
type TProcess32Next=function(hSnapshot: THandle; var lppe: TProcessEntry32): BOOL; stdcall;
type TThread32First=function (hSnapshot: THandle; var lpte: TThreadEntry32): BOOL; stdcall;
type TThread32Next=function (hSnapshot: THandle; var lpte: TThreadENtry32): BOOL; stdcall;
type TModule32First=function (hSnapshot: THandle; var lpme: TModuleEntry32): BOOL; stdcall;
type TModule32Next=function (hSnapshot: THandle; var lpme: TModuleEntry32): BOOL; stdcall;
type THeap32ListFirst=function (hSnapshot: THandle; var lphl: THeapList32): BOOL; stdcall;
type THeap32ListNext=function (hSnapshot: THandle; var lphl: THeapList32): BOOL; stdcall;
type TIsWow64Process=function (processhandle: THandle; var isWow: BOOL): BOOL; stdcall;
type TWaitForDebugEvent=function(var lpDebugEvent: TDebugEvent; dwMilliseconds: DWORD): BOOL; stdcall;
type TContinueDebugEvent=function(dwProcessId, dwThreadId, dwContinueStatus: DWORD): BOOL; stdcall;
type TDebugActiveProcess=function(dwProcessId: DWORD): BOOL; stdcall;
type TStopDebugging=function: BOOL; stdcall;
type TStopRegisterChange=function(regnr:integer):BOOL; stdcall;
type TVirtualProtect=function(lpAddress: Pointer; dwSize, flNewProtect: DWORD; var OldProtect: DWORD): BOOL; stdcall;
type TVirtualProtectEx=function(hProcess: THandle; lpAddress: Pointer; dwSize, flNewProtect: DWORD; var OldProtect: DWORD): BOOL; stdcall;
type TVirtualQueryEx=function(hProcess: THandle; lpAddress: Pointer; var lpBuffer: TMemoryBasicInformation; dwLength: DWORD): DWORD; stdcall;
type TVirtualAllocEx=function(hProcess: THandle; lpAddress: Pointer; dwSize, flAllocationType: DWORD; flProtect: DWORD): Pointer; stdcall;
type TCreateRemoteThread=function(hProcess: THandle; lpThreadAttributes: Pointer; dwStackSize: DWORD; lpStartAddress: TFNThreadStartRoutine; lpParameter: Pointer; dwCreationFlags: DWORD; var lpThreadId: DWORD): THandle; stdcall;
type TOpenThread=function(dwDesiredAccess:DWORD;bInheritHandle:BOOL;dwThreadId:DWORD):THANDLE; stdcall;
type TGetPEProcess=function(ProcessID:DWORD):DWORD; stdcall;
type TGetPEThread=function(Threadid: dword):dword; stdcall;
type TGetDebugportOffset=function:DWORD; stdcall;
type TGetProcessnameOffset=function:DWORD; stdcall;
type TGetThreadsProcessOffset=function: dword; stdcall;
type TGetThreadListEntryOffset=function: dword; stdcall;
type TSetGlobalDebugState=function(state: boolean): BOOL; stdcall;
type TGetPhysicalAddress=function(hProcess:THandle;lpBaseAddress:pointer;var Address:int64): BOOL; stdcall;
type TProtectMe=function(ProtectedProcessID: dword; denylist,globaldenylist:BOOL;list:pchar; listsize:dword):BOOL; stdcall;
type TGetCR4=function:DWORD; stdcall;
type TGetCR3=function(hProcess:THANDLE;var CR3: DWORD):BOOL; stdcall;
type TSetCR3=function(hProcess:THANDLE;CR3: DWORD):BOOL; stdcall;
type TGetCR0=function:DWORD; stdcall;
type TGetSDT=function:DWORD; stdcall;
type TGetSDTShadow=function:DWORD; stdcall;
type TCreateRemoteAPC=function(threadid: dword; lpStartAddress: TFNAPCProc): THandle; stdcall;
type TsetAlternateDebugMethod=function(var int1apihook:dword; var OriginalInt1handler:dword):BOOL; stdcall;
type TgetAlternateDebugMethod=function:BOOL; stdcall;
type TChangeRegOnBP=function(Processid:dword; address: dword; debugreg: integer; changeEAX,changeEBX,changeECX,changeEDX,changeESI,changeEDI,changeEBP,changeESP,changeEIP,changeCF,changePF,changeAF,changeZF,changeSF,changeOF:BOOLEAN; newEAX,newEBX,newECX,newEDX,newESI,newEDI,newEBP,newESP,newEIP:DWORD; newCF,newPF,newAF,newZF,newSF,newOF:BOOLEAN):BOOLEAN; stdcall;
type TDebugProcess=function(processid:dword;address:DWORD;size: byte;debugtype:byte):BOOL; stdcall;
type TRetrieveDebugData=function(Buffer: pointer):integer; stdcall;
type TGetProcessNameFromID=function(processid:dword; buffer:pchar;buffersize:dword):integer; stdcall;
type TGetProcessNameFromPEProcess=function(peprocess:dword; buffer:pchar;buffersize:dword):integer; stdcall;
type TStartProcessWatch=function:BOOL;stdcall;
type TWaitForProcessListData=function(processpointer:pointer;threadpointer:pointer;timeout:dword):dword; stdcall;
type TIsValidHandle=function(hProcess:THandle):BOOL; stdcall;
type TGetIDTCurrentThread=function:dword; stdcall;
type TGetIDTs=function(idtstore: pointer; maxidts: integer):integer; stdcall;
type TMakeWritable=function(Address,Size:dword;copyonwrite:boolean): boolean; stdcall;
type TGetLoadedState=function : BOOLEAN; stdcall;
type TDBKTest=function:boolean; stdcall;
type TDBKSuspendThread=function(ThreadID:dword):boolean; stdcall;
type TDBKResumeThread=function(ThreadID:dword):boolean; stdcall;
type TDBKSuspendProcess=function(ProcessID:dword):boolean; stdcall;
type TDBKResumeProcess=function(ProcessID:dword):boolean; stdcall;
type TKernelAlloc=function(size: dword):pointer; stdcall;
type TGetKProcAddress=function(s: pwidechar):pointer; stdcall;
type TGetSDTEntry=function (nr: integer; address: PDWORD; paramcount: PBYTE):boolean; stdcall;
type TSetSDTEntry=function (nr: integer; address: DWORD; paramcount: BYTE):boolean; stdcall;
type TGetSSDTEntry=function (nr: integer; address: PDWORD; paramcount: PBYTE):boolean; stdcall;
type TSetSSDTEntry=function (nr: integer; address: DWORD; paramcount: BYTE):boolean; stdcall;
type TGetGDT=function(var limit: word):dword; stdcall;
type TuseIOCTL=procedure(use: boolean); stdcall;
type TMakeKernelCopy=function(Base: dword; size: dword): bool; stdcall;
//-----------------------------------DBVM-------------------------------------//
type Tdbvm_version=function: dword; stdcall;
type Tdbvm_changeselectors=function(cs,ss,ds,es,fs,gs: dword): DWORD; stdcall;
type Tdbvm_restore_interrupts=function: DWORD; stdcall;
type Tdbvm_block_interrupts=function: DWORD; stdcall;
procedure DONTUseDBKQueryMemoryRegion;
procedure DONTUseDBKReadWriteMemory;
procedure DONTUseDBKOpenProcess;
procedure UseDBKQueryMemoryRegion;
procedure UseDBKReadWriteMemory;
procedure UseDBKOpenProcess;
procedure DBKFileAsMemory(filename:string); overload;
procedure DBKFileAsMemory; overload;
procedure DBKPhysicalMemory;
procedure DBKProcessMemory;
procedure LoadDBK32;
Procedure ProtectProcess(processid: dword);
Procedure ProtectCE;
//I could of course have made it a parameter thing, but I'm lazy
var
ReadProcessMemory :TReadProcessMemory;
WriteProcessMemory :TWriteProcessMemory;
GetThreadContext :TGetThreadContext;
SetThreadContext :TSetThreadContext;
SuspendThread :TSuspendThread;
ResumeThread :TResumeThread;
OpenProcess :TOpenProcess;
CreateToolhelp32Snapshot: TCreateToolhelp32Snapshot;
Process32First :TProcess32First;
Process32Next :TProcess32Next;
Thread32First :TThread32First;
Thread32Next :TThread32Next;
Module32First :TModule32First;
Module32Next :TModule32Next;
Heap32ListFirst :THeap32ListFirst;
Heap32ListNext :THeap32ListNext;
IsWow64Process :TIsWow64Process;
WaitForDebugEvent :TWaitForDebugEvent;
ContinueDebugEvent :TContinueDebugEvent;
DebugActiveProcess :TDebugActiveProcess;
StopDebugging :TStopDebugging;
StopRegisterChange :TStopRegisterChange;
VirtualProtect :TVirtualProtect;
VirtualProtectEx :TVirtualProtectEx;
VirtualQueryEx :TVirtualQueryEx;
VirtualAllocEx :TVirtualAllocEx;
CreateRemoteThread :TCreateRemoteThread;
OpenThread :TOpenThread;
GetPEProcess :TGetPEProcess;
GetPEThread :TGetPEThread;
GetThreadsProcessOffset:TGetThreadsProcessOffset;
GetThreadListEntryOffset:TGetThreadListEntryOffset;
GetProcessnameOffset :TGetProcessnameOffset;
GetDebugportOffset :TGetDebugportOffset;
GetPhysicalAddress :TGetPhysicalAddress;
ProtectMe :TProtectMe;
GetCR4 :TGetCR4;
GetCR3 :TGetCR3;
SetCR3 :TSetCR3;
GetCR0 :TGetCR0;
GetSDT :TGetSDT;
GetSDTShadow :TGetSDTShadow;
setAlternateDebugMethod: TsetAlternateDebugMethod;
getAlternateDebugMethod: TgetAlternateDebugMethod;
SetGlobalDebugState :TSetGlobalDebugState;
DebugProcess :TDebugProcess;
ChangeRegOnBP :TChangeRegOnBP;
RetrieveDebugData :TRetrieveDebugData;
StartProcessWatch :TStartProcessWatch;
WaitForProcessListData:TWaitForProcessListData;
GetProcessNameFromID :TGetProcessNameFromID;
GetProcessNameFromPEProcess:TGetProcessNameFromPEProcess;
KernelOpenProcess :TOpenProcess;
KernelReadProcessMemory :TReadProcessMemory;
KernelWriteProcessMemory:TWriteProcessMemory;
KernelVirtualAllocEx :TVirtualAllocEx;
IsValidHandle :TIsValidHandle;
GetIDTCurrentThread :TGetIDTCurrentThread;
GetIDTs :TGetIDTs;
MakeWritable :TMakeWritable;
GetLoadedState :TGetLoadedState;
dbktest :TDBKTest;
DBKSuspendThread :TDBKSuspendThread;
DBKResumeThread :TDBKResumeThread;
DBKSuspendProcess :TDBKSuspendProcess;
DBKResumeProcess :TDBKResumeProcess;
KernelAlloc :TKernelAlloc;
GetKProcAddress :TGetKProcAddress;
GetSDTEntry :TGetSDTEntry;
SetSDTEntry :TSetSDTEntry;
GetSSDTEntry :TGetSSDTEntry;
SetSSDTEntry :TSetSSDTEntry;
ReadPhysicalMemory :TReadProcessMemory;
WritePhysicalMemory :TWriteProcessMemory;
CreateRemoteAPC :TCreateRemoteAPC;
GetGDT :TGetGDT;
useIOCTL :TuseIOCTL;
MakeKernelCopy :TMakeKernelCopy;
//dbvm
dbvm_version :Tdbvm_version;
dbvm_changeselectors :Tdbvm_changeselectors;
dbvm_block_interrupts :Tdbvm_block_interrupts;
dbvm_restore_interrupts :Tdbvm_restore_interrupts;
var WindowsKernel: Thandle;
DarkByteKernel: Thandle;
Usephysical: boolean;
UseFileAsMemory: boolean;
usedbkquery:boolean;
DBKReadWrite: boolean;
DenyList:boolean;
DenyListGlobal: boolean;
ModuleListSize: integer;
ModuleList: pointer;
implementation
uses
{$ifdef cemain}
plugin,
{$endif}
filehandler; //so I can let readprocessmemory point to ReadProcessMemoryFile in filehandler
procedure LoadDBK32;
begin
if DarkByteKernel=0 then
begin
DarkByteKernel:= LoadLibrary(dbkdll);
if DarkByteKernel=0 then exit; //raise exception.Create('Failed to open DBK32.dll');
//the driver is loaded (I hope)
KernelVirtualAllocEx:=GetProcAddress(darkbytekernel,'VAE');
KernelOpenProcess:=GetProcAddress(darkbytekernel,'OP');
KernelReadProcessMemory:=GetProcAddresS(darkbytekernel,'RPM');
KernelWriteProcessMemory:=GetProcAddress(darkbytekernel,'WPM');
GetPEProcess:=GetProcAddress(DarkByteKernel,'GetPEProcess');
GetPEThread:=GetProcAddress(DarkByteKernel,'GetPEThread');
GetProcessnameOffset:=GetProcAddress(DarkByteKernel,'GetProcessnameOffset');
GetThreadsProcessOffset:=GetProcAddress(DarkByteKernel,'GetThreadsProcessOffset');
GetThreadListEntryOffset:=GetProcAddress(DarkByteKernel,'GetThreadListEntryOffset');
GetDebugportOffset:=GetProcAddresS(DarkByteKernel,'GetDebugportOffset');
GetPhysicalAddress:=GetProcAddresS(DarkByteKernel,'GetPhysicalAddress');
GetCR4:=GetProcAddress(DarkByteKernel,'GetCR4');
GetCR3:=GetProcAddress(DarkByteKernel,'GetCR3');
SetCR3:=GetProcAddress(DarkByteKernel,'SetCR3');
GetCR0:=GetProcAddress(DarkByteKernel,'GetCR0');
GetSDT:=GetProcAddress(DarkByteKernel,'GetSDT');
GetSDTShadow:=GetProcAddress(DarkByteKernel,'GetSDTShadow');
setAlternateDebugMethod:=GetProcAddress(DarkByteKernel,'setAlternateDebugMethod');
getAlternateDebugMethod:=GetProcAddress(DarkByteKernel,'getAlternateDebugMethod');
DebugProcess:=GetProcAddress(DarkByteKernel,'DebugProcess');
StopDebugging:=GetProcAddress(DarkByteKernel,'StopDebugging');
StopRegisterChange:=GetProcAddress(DarkByteKernel,'StopRegisterChange');
RetrieveDebugData:=GetProcAddress(DarkByteKernel,'RetrieveDebugData');
ChangeRegOnBP:=GetProcAddress(DarkByteKernel,'ChangeRegOnBP');
StartProcessWatch:=GetProcAddress(DarkByteKernel,'StartProcessWatch');
WaitForProcessListData:=GetProcAddress(DarkByteKernel,'WaitForProcessListData');
GetProcessNameFromID:=GetProcAddress(DarkByteKernel,'GetProcessNameFromID');
GetProcessNameFromPEProcess:=GetProcAddress(DarkByteKernel,'GetProcessNameFromPEProcess');
IsValidHandle:=GetProcAddress(DarkByteKernel,'IsValidHandle');
GetIDTs:=GetProcAddress(DarkByteKernel,'GetIDTs');
GetIDTCurrentThread:=GetProcAddress(DarkByteKernel,'GetIDTCurrentThread');
GetGDT:=GetProcAddress(DarkByteKernel,'GetGDT');
MakeWritable:=GetProcAddress(DarkByteKernel,'MakeWritable');
GetLoadedState:=GetProcAddress(darkbytekernel,'GetLoadedState');
DBKTest:=GetProcAddress(darkbytekernel,'test');
useIOCTL:=GetProcAddress(darkbytekernel,'useIOCTL');
DBKResumeThread:=GetProcAddress(darkByteKernel,'DBKResumeThread');
DBKSuspendThread:=GetProcAddress(darkByteKernel,'DBKSuspendThread');
DBKResumeProcess:=GetProcAddress(darkByteKernel,'DBKResumeProcess');
DBKSuspendProcess:=GetProcAddress(darkByteKernel,'DBKSuspendProcess');
KernelAlloc:=GetProcAddress(darkbyteKernel,'KernelAlloc');
GetKProcAddress:=GetProcAddress(darkbytekernel,'GetKProcAddress');
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -