
📄 dbkdrvr.c.svn-base

📁 这是一段游戏修改工具的源代码：Ring3 部分由 Delphi 开发，驱动部分（Windows 内核驱动）由 C 开发。希望对大家有帮助。
				}
				__except(1)
				{
					DbgPrint("Damn\n");

				}
			
				/*//allocate memory for stack
				unsigned char *x;				
				ULONG cr3callbackstack;
				ULONG cr3;
				int i;

				unsigned long long *PDPTable;
				unsigned long long *PDTable;
				PHYSICAL_ADDRESS physical;


				//allocate memory for the pagetables of the process
				//scan through the pagetables 
				//Get the CR3
				//check if PAE is enabled or not (if 64-bit, yes+pml4)
				//traverse the page tables to find out how many there are
				
				
				cr3=getCR3();
				cr3=cr3 & 0xfffffff0; //cr3 now contains the physical base address

				//from 00000000 to 7fffffff is fake
				//from 80000000 to ffffffff is real
				if (FakeCR3==0)
				{				
					//allocate a pagedirptr table
					PDPTable=ExAllocatePoolWithTag(NonPagedPool,4096,0); //first 2 entries are fake, other 2 copies
					RtlZeroMemory(PDPTable,4096);
					ReadPhysicalMemory((char *)cr3,32,PDPTable);

					//allocate 2 pagedir tables
					PDTable=ExAllocatePoolWithTag(NonPagedPool,4096*2,0);
					RtlZeroMemory(PDTable,4096*2);

					for (i=0; i<((4096*2)/8); i++)
						PDTable[i]=0x83;


					physical=MmGetPhysicalAddress(&PDTable[0]);
					PDPTable[0]=physical.QuadPart;
					PDPTable[1]=physical.QuadPart;

					PDPTable[0]++;
					PDPTable[1]++;

					physical=MmGetPhysicalAddress(&PDPTable[0]);
					FakeCR3=(ULONG)(physical.QuadPart);
					DbgPrint("FakeCR3=%x\n\r",FakeCR3);
				}


				ProtectedProcessID=PsGetCurrentProcessId();
				ProtectedPEProcess=PsGetCurrentProcess();
				ProtectedCR3=getCR3();

				
				x=ExAllocatePoolWithTag(NonPagedPool,4096*4,0);
				RtlZeroMemory(x,4096*4);
				
				cr3callbackstack=(ULONG)x;

				__try
				{
					vmx_register_cr3_callback(8,(ULONG)cr3_change_callback,0x10,cr3callbackstack+(4096*4)-4);
					DbgPrint("cr3 callback registered. cr3callbackstack=%x\n",cr3callbackstack);
				}
				__except(1)
				{
					DbgPrint("Failed registering a cr3 callback\n");
				}
*/


				break;
			}

		case IOCTL_CE_GETPETHREAD:
			{
				
				*(PULONG)Irp->AssociatedIrp.SystemBuffer=getPEThread(*(PULONG)Irp->AssociatedIrp.SystemBuffer);
				ntStatus= STATUS_SUCCESS;
				break;
			}

		case IOCTL_CE_GETPEPROCESS:
			{
				UINT_PTR *processid;
				PEPROCESS selectedprocess;
				processid=Irp->AssociatedIrp.SystemBuffer;

				if (processid==0)
				{
					ntStatus=STATUS_UNSUCCESSFUL;
				}
				else
				{
					if (PsLookupProcessByProcessId((PVOID)(*processid),&selectedprocess)==STATUS_SUCCESS)
						*(PULONG)Irp->AssociatedIrp.SystemBuffer=(ULONG)selectedprocess;
					else
						*(PULONG)Irp->AssociatedIrp.SystemBuffer=0;
				}

				ObDereferenceObject(selectedprocess);

				ntStatus= STATUS_SUCCESS;				
				break;
			}

		case IOCTL_CE_READPHYSICALMEMORY:
			{
				struct input
				{
					char *startaddress;
					UINT_PTR bytestoread;
				} *pinp;
				pinp=Irp->AssociatedIrp.SystemBuffer;

				ntStatus = ReadPhysicalMemory(pinp->startaddress, pinp->bytestoread, pinp);
				break;



			}

		case IOCTL_CE_WRITEPHYSICALMEMORY:
			{
				HANDLE			physmem;
				UNICODE_STRING	physmemString;
				OBJECT_ATTRIBUTES attributes;
				WCHAR			physmemName[] = L"\\device\\physicalmemory";
				UCHAR*			memoryview;

				RtlInitUnicodeString( &physmemString, physmemName );	

            	InitializeObjectAttributes( &attributes, &physmemString, OBJ_CASE_INSENSITIVE, NULL, NULL );	
			    ntStatus=ZwOpenSection( &physmem, SECTION_MAP_READ, &attributes );
				if (ntStatus==STATUS_SUCCESS)
				{
					//hey look, it didn't kill it
					struct input
					{
						char *startaddress;
						UINT_PTR bytestoread;
					} *pinp;

					UCHAR* pinp2;

					UINT_PTR length;
					PHYSICAL_ADDRESS	viewBase;
					UINT_PTR offset;
					UINT_PTR toread;

					
					pinp=Irp->AssociatedIrp.SystemBuffer;
					pinp2=(UCHAR *)pinp;
					viewBase.QuadPart = (ULONGLONG)(pinp->startaddress);					
					
					length=0x2000;//pinp->bytestoread;
					toread=pinp->bytestoread;

					memoryview=NULL;
					ntStatus=ZwMapViewOfSection(
						physmem,  //sectionhandle
						NtCurrentProcess(), //processhandle
						&memoryview, //BaseAddress
						0L, //ZeroBits
						length, //CommitSize
						&viewBase, //SectionOffset
						&length, //ViewSize
						ViewShare,
						0,
						PAGE_READWRITE);

					if (ntStatus==STATUS_SUCCESS)
					{
                        offset=(UINT_PTR)(pinp->startaddress)-(UINT_PTR)viewBase.QuadPart;
						RtlCopyMemory(&memoryview[offset],&pinp2[8],toread);

						ZwUnmapViewOfSection(
							NtCurrentProcess(), //processhandle
							memoryview);
					}

					ZwClose(physmem);
				}

				break;
			}

		case IOCTL_CE_GETPHYSICALADDRESS:
			{
				struct input
				{
					UINT_PTR ProcessID;
					PVOID BaseAddress; 
				} *pinp;
				PEPROCESS selectedprocess;
				PHYSICAL_ADDRESS physical;

				
				ntStatus=STATUS_SUCCESS;
				pinp=Irp->AssociatedIrp.SystemBuffer;

				__try
				{
					//switch to the selected process
					if (PsLookupProcessByProcessId((PVOID)(pinp->ProcessID),&selectedprocess)==STATUS_SUCCESS)	
					{
						KAPC_STATE apc_state;
						RtlZeroMemory(&apc_state,sizeof(apc_state));					
    					KeStackAttachProcess((PVOID)selectedprocess,&apc_state);
                 
						__try
						{
							physical=MmGetPhysicalAddress(pinp->BaseAddress);
						}
						__finally
						{
							KeUnstackDetachProcess(&apc_state);
						}
	

						ObDereferenceObject(selectedprocess);

					}
				}
				__except(1)
				{
						ntStatus=STATUS_UNSUCCESSFUL;
				}

				if (ntStatus==STATUS_SUCCESS)
                    RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer,&physical.QuadPart,8);
				
				
				break;
			}

		case IOCTL_CE_PROTECTME:
			{
#ifdef AMD64
				ntStatus=STATUS_UNSUCCESSFUL;
#else
				struct input
				{
					HANDLE ProcessID; 
					ULONG DenyList;
					ULONG GlobalDenyList; //ignored if it is a includelist
					ULONG ListSize;
				} *pinp;

				UINT_PTR NextProcess;
				UINT_PTR PreviousProcess;


				pinp=Irp->AssociatedIrp.SystemBuffer;

				
				if (ModuleList!=NULL)
					MmFreeNonCachedMemory(ModuleList,ModuleListSize);

				ModuleList=NULL;
				ModuleListSize=0;

				if (pinp->ListSize>0)
				{
					ModuleList=MmAllocateNonCachedMemory(pinp->ListSize);
					if (ModuleList!=NULL)
					{
						__try
						{
							
                            RtlCopyMemory(ModuleList,(PVOID)((UINT_PTR)(&(pinp->ListSize))+sizeof(pinp->ListSize)),pinp->ListSize);
							ModuleListSize=pinp->ListSize;
						}
						__except(1)
						{
						}
					}
					
				}

				DenyList=pinp->DenyList==1;
				GlobalDenyList=pinp->GlobalDenyList==1;

				ProtectedProcessID=pinp->ProcessID;
				PsLookupProcessByProcessId((PVOID)(pinp->ProcessID),&ProtectedPEProcess);			

				if (ActiveLinkOffset!=0)
				{
					NextProcess=*(PUINT_PTR)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset)-ActiveLinkOffset;
					PreviousProcess=*(PUINT_PTR)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset+4)-ActiveLinkOffset;
	
					*(PUINT_PTR)(PreviousProcess+ActiveLinkOffset)=*(PULONG)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset); //the previous process points to me next process
					*(PUINT_PTR)(NextProcess+ActiveLinkOffset+4)=*(PULONG)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset+4); //the next process points to the previous process

					*(PUINT_PTR)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset)=(UINT_PTR)ProtectedPEProcess+ActiveLinkOffset;
					*(PUINT_PTR)((UINT_PTR)ProtectedPEProcess+ActiveLinkOffset+4)=(UINT_PTR)ProtectedPEProcess+ActiveLinkOffset;			
				}


				if (!ProtectOn)
				{
					//unlink this process from the activeprocess list

					if (!ImageNotifyRoutineLoaded)
						ImageNotifyRoutineLoaded=(PsSetLoadImageNotifyRoutine(LoadImageNotifyRoutine)==STATUS_SUCCESS);


					//Hook
					OldZwOpenProcess=(ZWOPENPROCESS)SYSTEMSERVICE(ZwOpenProcess);
					OldZwQuerySystemInformation=(ZWQUERYSYSTEMINFORMATION)SYSTEMSERVICE(ZwQuerySystemInformation);


					if ((KeServiceDescriptorTableShadow!=NULL) && (NtUserBuildHwndList_callnumber!=0) && (NtUserBuildHwndList_callnumber!=0) && (NtUserFindWindowEx_callnumber!=0) && (NtUserGetForegroundWindow_callnumber!=0))
					{
						OldNtUserQueryWindow=(NTUSERQUERYWINDOW)KeServiceDescriptorTableShadow->ServiceTable[NtUserQueryWindow_callnumber];						
						OldNtUserBuildHwndList=(NTUSERBUILDHWNDLIST)KeServiceDescriptorTableShadow->ServiceTable[NtUserBuildHwndList_callnumber];
						OldNtUserFindWindowEx=(NTUSERFINDWINDOWEX)KeServiceDescriptorTableShadow->ServiceTable[NtUserFindWindowEx_callnumber];
                        OldNtUserGetForegroundWindow=(NTUSERGETFOREGROUNDWINDOW)KeServiceDescriptorTableShadow->ServiceTable[NtUserGetForegroundWindow_callnumber];

						//now a extra check before I screw up the system
						if (((UCHAR)KeServiceDescriptorTableShadow->ServiceTable[NtUserBuildHwndList_callnumber]!=0x1c) || 
						    ((UCHAR)KeServiceDescriptorTableShadow->ServiceTable[NtUserQueryWindow_callnumber]!=0x08)  ||
							((UCHAR)KeServiceDescriptorTableShadow->ServiceTable[NtUserFindWindowEx_callnumber]!=0x14) ||
							((UCHAR)KeServiceDescriptorTableShadow->ServiceTable[NtUserGetForegroundWindow_callnumber]!=0x0)
							)
							
						{
							//NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO!
							KeServiceDescriptorTableShadow=NULL; //disable it
							NtUserBuildHwndList_callnumber=0;
							NtUserQueryWindow_callnumber=0;
							NtUserFindWindowEx_callnumber=0;
							NtUserGetForegroundWindow_callnumber=0;							
						}	
					} else KeServiceDescriptorTableShadow=NULL; //do not enable hooking. All have to work, else none
					ProtectOn=TRUE;
				}

				
				__asm
				{
					cli 
					mov eax,CR0
					and eax,not 0x10000
					mov CR0,eax
				}
				(ZWOPENPROCESS)(SYSTEMSERVICE(ZwOpenProcess))=NewZwOpenProcess;
				(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation))=NewZwQuerySystemInformation;


		        if ((NtUserQueryWindow_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
				  (NTUSERQUERYWINDOW)(KeServiceDescriptorTableShadow->ServiceTable[NtUserQueryWindow_callnumber])=NewNtUserQueryWindow;

		        if ((NtUserFindWindowEx_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
				  (NTUSERFINDWINDOWEX)(KeServiceDescriptorTableShadow->ServiceTable[NtUserFindWindowEx_callnumber])=NewNtUserFindWindowEx;

		        if ((NtUserGetForegroundWindow_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
				  (NTUSERGETFOREGROUNDWINDOW)(KeServiceDescriptorTableShadow->ServiceTable[NtUserGetForegroundWindow_callnumber])=NewNtUserGetForegroundWindow;

				if ((NtUserBuildHwndList_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
                  (NTUSERBUILDHWNDLIST)(KeServiceDescriptorTableShadow->ServiceTable[NtUserBuildHwndList_callnumber])=NewNtUserBuildHwndList;


				__asm
				{
					mov eax,CR0
					xor eax,0x10000
					mov CR0,eax
					sti
				}						

				ntStatus=STATUS_SUCCESS;
#endif //not amd64
				break;
			}	

		case IOCTL_CE_DONTPROTECTME:
			{
				//Unhook();
				if (ProtectOn)
					ntStatus=STATUS_UNSUCCESSFUL;
				else
					ntStatus=STATUS_SUCCESS;

				//ProtectOn=FALSE;

				break;
			}

		case IOCTL_CE_SETSDTADDRESS:
			{
				struct input
				{
					int table; //0=SDT, 1=SSDT
				  	int nr;	
					ULONG address;
					UCHAR paramcount;
				} *pinp;
				pinp=Irp->AssociatedIrp.SystemBuffer;
			

				__asm
				{
					cli 
					mov eax,CR0
					and eax,not 0x10000
					mov CR0,eax
				}
				if (pinp->table==0)
				{
					(ULONG)(KeServiceDescriptorTable->ServiceTable[pinp->nr])=pinp->address;
					(UCHAR)(KeServiceDescriptorTable->ArgumentTable[pinp->nr])=pinp->paramcount;
				}
				else if (pinp->table==1)
				{
					(ULONG)(KeServiceDescriptorTableShadow->ServiceTable[pinp->nr])=pinp->address;
					(UCHAR)(KeServiceDescriptorTableShadow->ArgumentTable[pinp->nr])=pinp->paramcount;
				}

				__asm
				{
					mov eax,CR0
					xor eax,0x10000
					mov CR0,eax
					sti
				}
				ntStatus=STATUS_SUCCESS;
				break;
			}


		case IOCTL_CE_GETSDTADDRESS:
			{
				struct input
				{
					int table; //0=SDT, 1=SSDT
				  	int nr;	
				} *pinp;
				struct output
				{
