mov dl, cl
jnz oplab_6
mov cl, [eax]
movzx ecx, cl
push eax //
lea eax,OpCode2//
or edi, dword ptr [ecx*4+eax]
pop eax//
inc eax
cmp edi, 0xFFFFFFFF
jnz oplab_8
oplab_5:
xor eax, eax
jmp oplab_22
oplab_6:
cmp cl, 0xF7
jnz oplab_7
test byte ptr [eax], 0x38
jnz oplab_8
or edi, 0x2000
jmp oplab_8
oplab_7:
cmp cl, 0xF6
jnz oplab_8
test byte ptr [eax], 0x38
jnz oplab_8
or edi, 0x100
oplab_8:
test edi, 0x4000
jz oplab_17
mov cl, [eax]
push ebx
mov bl, cl
and bl, 0x38
inc eax
cmp bl, 0x20
pop ebx
jnz oplab_9
cmp dl, 0xFF
jnz oplab_9
or edi, 0x40000
oplab_9:
mov dl, cl
and dl, 0xC0
and cl, 0x7
cmp dl, 0xC0
jz oplab_17
cmp byte ptr [ebp-0x2C], 4
jnz oplab_15
cmp cl, 0x4
jnz oplab_10
mov cl, [eax]
or edi, 0x800
inc eax
and cl, 0x7
oplab_10:
cmp dl, 0x40
jnz oplab_12
oplab_11:
or edi, 0x1
jmp oplab_17
oplab_12:
cmp dl, 0x80
jnz oplab_14
oplab_13:
or edi,0x4
jmp oplab_17
oplab_14:
cmp cl, 0x5
jnz oplab_17
jmp oplab_13
oplab_15:
cmp dl, 0x40
jz oplab_11
cmp dl, 0x80
jz oplab_16
cmp cl, 0x6
jnz oplab_17
oplab_16:
or edi, 0x2
oplab_17:
push esi
mov ecx, edi
shr ecx, 0x8
mov esi, edi
and esi, 0x7
and ecx, 0x7
test edi, 0x1000
jz oplab_18
movzx edx, byte ptr [ebp-0x2C]
add esi, edx
oplab_18:
test edi, 0x2000
jz oplab_19
movzx edx, byte ptr [ebp-0x2B]
add ecx, edx
oplab_19:
test esi, esi
jbe oplab_20
add eax, esi
oplab_20:
test ecx, ecx
pop esi
jbe oplab_21
add eax, ecx
oplab_21:
sub eax, [ebp+8]
oplab_22:
pop edi
_emit 0xC9 //leave
retn 4
}
}
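BOOL GetZwTerminateThreadAddr(void)
{
    /*
     * Locate ZwTerminateThread by walking the instructions that follow
     * ZwTerminateProcess.
     *
     * Starting at ZwTerminateProcess, the code is stepped one instruction at a
     * time using GetOpLen().  The first 5-byte instruction whose opcode is 0xB8
     * (mov eax, imm32) and that is not the very first instruction is taken to be
     * the start of the neighbouring stub and is stored in myZwTerminateThread.
     * The scan never looks further than 32 bytes past ZwTerminateProcess.
     *
     * Annotator's note (translated): "Why search for ZwTerminateThread by hand?
     * Are MmGetSystemRoutineAddress, the EAT and the IAT all unreliable?"
     * NOTE(review): this relies on the Zw* stubs being laid out back to back and
     * on the stub shape of the target kernel build -- confirm per build.
     *
     * Fix: a GetOpLen() result of 0 on the first instruction previously caused
     * an endless loop (pfn never advanced); it now ends the search.
     *
     * Returns TRUE and sets myZwTerminateThread on success, FALSE otherwise.
     */
    const char *start = (const char *)ZwTerminateProcess;
    const char *limit = start + 32;
    char *pfn = (char *)ZwTerminateProcess;

    while (pfn < limit) {
        int opLen = GetOpLen(pfn);

        /* Zero means the decoder could not size the instruction; stop rather
         * than spin in place. */
        if (!opLen)
            return FALSE;

        if (pfn != start && opLen == 5 && *(BYTE *)pfn == 0xB8) {
            myZwTerminateThread = (pfnZwTerminateThread)pfn;
            return TRUE;
        }
        pfn += opLen;
    }
    return FALSE;
}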
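ULONG SearchShadowSSDT()
{
    /*
     * Locate KeServiceDescriptorTableShadow by scanning the code bytes of
     * KeAddSystemServiceTable.
     *
     * Every 32-bit value found at each byte offset within the first 0x1000 bytes
     * of the routine is treated as a candidate pointer.  A candidate is accepted
     * when it is readable, its first ULONG equals
     * KeServiceDescriptorTable->ServiceTable and it is not KeServiceDescriptorTable
     * itself (the shadow table's first descriptor is expected to reference the
     * same ntoskrnl service table as the main one -- that is the property the
     * comparison depends on).
     *
     * Annotator's note (translated): "searching KeAddSystemServiceTable for the
     * Shadow SSDT -- a good method".
     * NOTE(review): the outcome depends on the code layout of the running kernel
     * build; callers must treat 0 as "not found".
     *
     * Fix: the 4-byte read at the candidate is now probed at both ends, since
     * MmIsAddressValid only vouches for the page that contains the address it
     * is given and the candidate may sit in the last three bytes of a page.
     *
     * Returns the address of the shadow table, or 0 if none was found.
     */
    const char *pfn = (const char *)KeAddSystemServiceTable;
    int len;

    for (len = 0; len < 0x1000; len++, pfn++) {
        ULONG addr = *(const ULONG *)pfn;

        if (!MmIsAddressValid((PVOID)addr) || !MmIsAddressValid((PVOID)(addr + 3)))
            continue;

        if (*(const ULONG *)addr == (ULONG)(KeServiceDescriptorTable->ServiceTable)
            && addr != (ULONG)KeServiceDescriptorTable)
            return addr;
    }
    return 0;
}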
BOOL GetShdowSSDTAddr()
{
    /*
     * Resolve the shadow service descriptor table and cache it in
     * pKeServiceDescriptorTableShadow.
     *
     * Returns TRUE when SearchShadowSSDT() found a table; on failure the cached
     * pointer is left NULL and FALSE is returned.
     */
    pKeServiceDescriptorTableShadow = (PSERVICE_DESCRIPTOR_TABLE_SHADOW)SearchShadowSSDT();
    return pKeServiceDescriptorTableShadow != 0;
}
ULONG SetShdowSSDTFunID()
{
    /*
     * Select the Shadow SSDT service indices of the win32k routines hooked by
     * this driver, according to the running NT build number.
     *
     * The Id* globals are written only when dwNtBuildNumber matches one of the
     * known builds; for any other build they are left untouched.
     *
     * Returns dwNtBuildNumber so the caller can see which build was consulted.
     */
    struct shadow_ids {
        ULONG build;
        ULONG findWindowEx;
        ULONG getForegroundWindow;
        ULONG buildHwndList;
        ULONG queryWindow;
        ULONG windowFromPoint;
        ULONG postThreadMessage;
        ULONG postMessage;
        ULONG setParent;
    };
    static const struct shadow_ids known[] = {
        /* Windows Server 2003 */
        { 3790, 0x179u, 0x193u, 0x137u, 0x1E1u, 0x24Cu, 0x1DBu, 0x1DAu, 0x20Eu },
        /* Windows XP */
        { 2600, 0x17Au, 0x194u, 0x138u, 0x1E3u, 0x250u, 0x1DCu, 0x1DBu, 0x211u },
        /* Windows Vista */
        { 6000, 0x187u, 0x1A2u, 0x142u, 0x1F8u, 0x269u, 0x1F2u, 0x1F1u, 0x226u },
    };
    ULONG build = dwNtBuildNumber;
    ULONG i;

    for (i = 0; i < (ULONG)(sizeof known / sizeof known[0]); i++) {
        if (known[i].build != build)
            continue;
        IdNtUserFindWindowEx = known[i].findWindowEx;
        IdNtUserGetForcegroundWindow = known[i].getForegroundWindow;
        IdNtUserBuildHwndList = known[i].buildHwndList;
        IdNtUserQueryWindow = known[i].queryWindow;
        IdNtUserWindowFromPoint = known[i].windowFromPoint;
        IdNtUserPostThreadMessage = known[i].postThreadMessage;
        IdNtUserPostMessage = known[i].postMessage;
        IdNtUserSetParent = known[i].setParent;
        break;
    }
    return build;
}
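char* GetSystemHandleInfo(SYSTEM_INFORMATION_CLASS SystemInformationClass)
{
    /*
     * Query a variable-length system information class into a freshly
     * allocated paged-pool buffer.
     *
     * Starts with a 0x4000-byte buffer and doubles it for as long as
     * ZwQuerySystemInformation answers STATUS_INFO_LENGTH_MISMATCH.
     *
     * SystemInformationClass: the class to query.  The previous body ignored
     *   this parameter and always queried SystemHandleInformation; it is now
     *   honoured.  The only caller in this file passes SystemHandleInformation,
     *   so its behaviour is unchanged.
     *
     * Returns the filled buffer on success -- ownership passes to the caller,
     * who releases it with ExFreePoolWithTag(buf, 0) -- or NULL when the
     * allocation fails, the query fails with any other status, or the
     * requested size would wrap around.
     */
    ULONG buflen = 0x4000;

    for (;;) {
        char *buf;
        NTSTATUS status;
        ULONG next;

        buf = ExAllocatePool(PagedPool, buflen);
        /* Annotator's note (translated): slightly changed here -- test the
         * allocation before zeroing it. */
        if (!buf)
            return 0;
        memset(buf, 0, buflen);

        status = ZwQuerySystemInformation(SystemInformationClass, buf, buflen, 0);
        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            if (!status)
                return buf;
            ExFreePoolWithTag(buf, 0);
            return 0;
        }
        ExFreePoolWithTag(buf, 0);

        /* Give up instead of letting the size wrap to zero after repeated doubling. */
        next = buflen * 2;
        if (next <= buflen)
            return 0;
        buflen = next;
    }
}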
HANDLE GetCsrssPid(void)
{
    /*
     * Find the process id of csrss.exe.
     *
     * Annotator's note (translated): identify csrss.exe by locating the owner
     * of the \Windows\ApiPort object.
     *
     * Walks the system handle list returned by GetSystemHandleInfo.  For each
     * entry whose ObjectTypeNumber is 21, the owning process is opened, the
     * handle is duplicated into the current process and the object's name is
     * queried; the owner of the first object named "\Windows\ApiPort" is the
     * result.
     *
     * Returns the owning process id as a HANDLE, or 0 when the handle list
     * could not be obtained or no matching handle exists.
     */
    char* pBuf;
    HANDLE result;
    PSYSTEM_HANDLE_INFORMATION pSysHandleInfo;      // cursor over the handle entries
    DWORD HandleCount;
    HANDLE dwCsrssPid;
    DWORD cnt;
    OBJECT_ATTRIBUTES ObjectAttributes;
    CLIENT_ID ClientId;
    HANDLE hSourceProcess;                          // handle to the process that owns the entry
    HANDLE Handle;                                  // our duplicate of the entry's handle
    char ObjectInformation[0x400];                  // receives the object name information
    PUNICODE_STRING namebuffer;
    BOOL bFound=FALSE;  // early-exit flag added by the annotator (not in the original code)
    dwCsrssPid = 0;
    pBuf = GetSystemHandleInfo(SystemHandleInformation);
    if ( pBuf )
    {
        // The buffer begins with the entry count; the entries follow at offset 4.
        HandleCount = *(DWORD*)pBuf;
        cnt = 0;
        if ( HandleCount )
        {
            pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION)((char *)pBuf + 4);
            do
            {
                // 21 = OB_TYPE_PORT (annotator's note).
                // NOTE(review): object type indices differ between Windows builds;
                // confirm this value for every build the driver targets.
                if ( pSysHandleInfo->ObjectTypeNumber == 21 )
                {
                    // 24 is sizeof(OBJECT_ATTRIBUTES) on 32-bit; 0x200 is OBJ_KERNEL_HANDLE.
                    ObjectAttributes.Length = 24;
                    ObjectAttributes.RootDirectory = 0;
                    ObjectAttributes.Attributes = 0x200u;
                    ObjectAttributes.ObjectName = 0;
                    ObjectAttributes.SecurityDescriptor = 0;
                    ObjectAttributes.SecurityQualityOfService = 0;
                    ClientId.UniqueProcess = (HANDLE)pSysHandleInfo->ProcessId;
                    ClientId.UniqueThread = 0;
                    // 0x40 = PROCESS_DUP_HANDLE, the only right needed to duplicate from the owner.
                    if ( NtOpenProcess(&hSourceProcess, 0x40u, &ObjectAttributes, &ClientId) >= 0 )
                    {
                        // (HANDLE)0xFFFFFFFF is the current-process pseudo-handle (NtCurrentProcess()).
                        if ( NT_SUCCESS(ZwDuplicateObject(
                                            hSourceProcess,
                                            (HANDLE)pSysHandleInfo->Handle,
                                            (HANDLE)0xFFFFFFFF,
                                            &Handle,
                                            0,
                                            0,
                                            DUPLICATE_SAME_ACCESS)))
                        {
                            // Only 0x100 of the 0x400-byte buffer is offered to the query;
                            // an object with a longer name fails here and is skipped.
                            if ( ZwQueryObject(Handle, ObjectNameInfo, &ObjectInformation, 0x100u, 0) >= 0 )
                            {
                                // The returned name information starts with a UNICODE_STRING
                                // (this line was changed by the annotator).
                                namebuffer=(PUNICODE_STRING)ObjectInformation;
                                if ( namebuffer->Buffer)
                                {
                                    // 16 = number of wide characters in the literal.
                                    // NOTE(review): namebuffer->Length is not consulted, so this relies
                                    // on the returned buffer holding at least 16 characters or being
                                    // NUL-terminated -- confirm.
                                    if ( !wcsncmp(L"\\Windows\\ApiPort", namebuffer->Buffer, 16) )
                                    {
                                        dwCsrssPid =(HANDLE)(pSysHandleInfo->ProcessId); // the field at offset 0 is the PID
                                        bFound=TRUE; // added by the annotator; the original only stopped after walking every handle
                                    }
                                }
                            }
                            ZwClose(Handle);
                        }
                        ZwClose(hSourceProcess);
                    }
                }
                if (bFound) break; // also added by the annotator
                ++cnt;
                pSysHandleInfo ++;
            }
            while ( cnt < HandleCount);
        }
        ExFreePoolWithTag(pBuf, 0);
        result = dwCsrssPid;
    }
    else
    {
        result = 0;
    }
    return result;
}
HWND
newNtUserFindWindowEx(
    HWND hwndParent,
    HWND hwndChildAfter,
    PUNICODE_STRING ucClassName,
    PUNICODE_STRING ucWindowName,
    DWORD dwUnknown
    )
{
    /*
     * Hook for NtUserFindWindowEx: forwards to the original and hides any
     * window owned by the protected process (g_IcePid) from other processes.
     *
     * The protected process itself always receives the real result; any other
     * caller receives 0 when the window found belongs to g_IcePid.  Ownership
     * is resolved with oldNtUserQueryWindow(hWnd, 0)
     * (QUERY_WINDOW_UNIQUE_PROCESS_ID), and only when the caller is not the
     * protected process.
     */
    HWND found = oldNtUserFindWindowEx(hwndParent, hwndChildAfter, ucClassName, ucWindowName, dwUnknown);

    if (PsGetCurrentProcessId() == (HANDLE)g_IcePid)
        return found;
    if ((HANDLE)oldNtUserQueryWindow(found, 0) == g_IcePid)
        return 0;
    return found;
}
BOOL
newNtUserPostMessage(
    HWND hWnd,
    UINT Msg,
    WPARAM wParam,
    LPARAM lParam)
{
    /*
     * Hook for NtUserPostMessage: drops messages that another process posts to
     * a window owned by the protected process (g_IcePid).  Messages from the
     * protected process itself, and messages to windows of any other process,
     * are forwarded unchanged.  The owner lookup runs unconditionally, before
     * the caller check.
     *
     * Returns the original's result, or 0 when the message is dropped.
     */
    HANDLE ownerPid = (HANDLE)oldNtUserQueryWindow(hWnd, 0);
    BOOL blocked = (PsGetCurrentProcessId() != (HANDLE)g_IcePid) && (ownerPid == g_IcePid);

    if (blocked)
        return 0;
    return oldNtUserPostMessage(hWnd, Msg, wParam, lParam);
}
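NTSTATUS
newNtUserBuildHwndList(
    HDESK hDesktop,
    HWND hwndParent,
    BOOLEAN bChildren,
    ULONG dwThreadId,
    ULONG lParam,
    HWND* pWnd,
    PULONG pBufSize)
{
    /*
     * Hook for NtUserBuildHwndList: removes windows owned by the protected
     * process (g_IcePid) from the list handed back to other processes.
     *
     * - The protected process itself gets the unfiltered result.
     * - A request for the children of a window that belongs to g_IcePid
     *   (bChildren == TRUE) is refused with STATUS_UNSUCCESSFUL.
     * - Otherwise the original is called and, when it succeeds, every entry
     *   whose owner is g_IcePid is dropped: survivors are compacted to the
     *   front of pWnd in their original order, the vacated tail is zeroed and
     *   *pBufSize is reduced to the number kept.
     *
     * Fix: the previous compaction advanced its cursor after deleting an entry,
     * so the element shifted into the deleted slot was never examined and two
     * adjacent g_IcePid windows left the second one visible.  The read/write
     * compaction below inspects every entry exactly once.
     *
     * NOTE(review): pWnd and pBufSize are caller-supplied pointers that this
     * hook dereferences directly after the original returns, with no probing or
     * exception handling of its own -- confirm that is acceptable for every
     * caller that can reach the hook.
     */
    NTSTATUS status;
    ULONG total;
    ULONG kept;
    ULONG i;

    if (PsGetCurrentProcessId() == g_IcePid)
        return oldNtUserBuildHwndList(hDesktop, hwndParent, bChildren, dwThreadId, lParam, pWnd, pBufSize);

    /* The owner lookup is only made when a child enumeration is requested. */
    if (bChildren == TRUE && oldNtUserQueryWindow(hwndParent, 0) == (DWORD)g_IcePid)
        return STATUS_UNSUCCESSFUL;

    status = oldNtUserBuildHwndList(hDesktop, hwndParent, bChildren, dwThreadId, lParam, pWnd, pBufSize);
    if (status)
        return status;

    total = *pBufSize;
    kept = 0;
    for (i = 0; i < total; i++) {
        if (oldNtUserQueryWindow(pWnd[i], 0) == (DWORD)g_IcePid)
            continue;                   /* owned by the protected process: drop */
        pWnd[kept++] = pWnd[i];
    }
    /* Clear the vacated tail so no stale handles remain in the caller's buffer. */
    for (i = kept; i < total; i++)
        pWnd[i] = 0;
    *pBufSize = kept;

    return status;
}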
HWND
newNtUserGetForegroundWindow(VOID)
{
    /*
     * Hook for NtUserGetForegroundWindow: when the foreground window belongs to
     * the protected process (g_IcePid), other processes are shown the most
     * recent foreground window that did not, remembered in LastTopWindowHandle.
     * The protected process itself always sees the real foreground window.
     */
    HWND top = oldNtUserGetForcegroundWindow();

    if (PsGetCurrentProcessId() == g_IcePid)
        return top;

    /* index 0 = QUERY_WINDOW_UNIQUE_PROCESS_ID */
    if ((HANDLE)oldNtUserQueryWindow(top, 0) != g_IcePid) {
        LastTopWindowHandle = top;      /* remember the latest non-protected window */
        return top;
    }
    return LastTopWindowHandle;
}
DWORD
newNtUserQueryWindow(
    HWND hWnd,
    DWORD Index)
{
    /*
     * Hook for NtUserQueryWindow: answers 0 for any query about a window owned
     * by the protected process (g_IcePid) unless the caller is that process;
     * every other query is forwarded to the original.  The ownership lookup is
     * skipped when the caller is the protected process.
     */
    if (PsGetCurrentProcessId() != g_IcePid) {
        /* index 0 = QUERY_WINDOW_UNIQUE_PROCESS_ID */
        if ((HANDLE)oldNtUserQueryWindow(hWnd, 0) == g_IcePid)
            return 0;
    }
    return oldNtUserQueryWindow(hWnd, Index);
}
HWND
newNtUserWindowFromPoint(
    LONG X,
    LONG Y)
{
    /*
     * Hook for NtUserWindowFromPoint: the window under (X, Y) is returned as-is
     * unless it belongs to the protected process (g_IcePid) and the caller does
     * not; in that case 0 is returned instead.  The owner lookup happens
     * unconditionally, before the caller check.
     */
    HWND hit = oldNtUserWindowFromPoint(X, Y);
    HANDLE owner = (HANDLE)oldNtUserQueryWindow(hit, 0);    /* process that owns the hit window */
    BOOL hide = (PsGetCurrentProcessId() != (HANDLE)g_IcePid) && (owner == g_IcePid);

    return hide ? 0 : hit;
}
BOOL
newNtUserPostThreadMessage(
    DWORD idThread,
    UINT Msg,
    WPARAM wParam,
    LPARAM lParam)
{
    /*
     * Hook for NtUserPostThreadMessage: messages addressed to the protected
     * thread (g_IceTid) are discarded with a result of 0; everything else goes
     * to the original.  Unlike the window hooks, this one does not exempt the
     * protected process itself.
     */
    if ((HANDLE)idThread != g_IceTid)
        return oldNtUserPostThreadMessage(idThread, Msg, wParam, lParam);
    return 0;
}
HWND
newNtUserSetParent(
    HWND hWndChild,
    HWND hWndNewParent)
{
    /*
     * Hook for NtUserSetParent: refuses (returns 0) to re-parent a window owned
     * by the protected process (g_IcePid) when the caller is another process;
     * otherwise forwards to the original.  The owner lookup runs before the
     * caller check.
     */
    HANDLE owner = (HANDLE)oldNtUserQueryWindow(hWndChild, 0);  /* process that owns hWndChild */

    if (PsGetCurrentProcessId() != (HANDLE)g_IcePid && owner == g_IcePid)
        return 0;
    return oldNtUserSetParent(hWndChild, hWndNewParent);
}
NTSTATUS
myNtOpenProcess(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId)
{
NTSTATUS status = 0x8000000E;
if (ClientId)
{
ULONG tmp=(ULONG)ClientId->UniqueProcess;
if ( (tmp & 0xFFFFFFFC )== (ULONG)g_IcePid ) // pid过滤后两位了
{
//这一句相当阴险,以其人之道还制其人之身
ClientId->UniqueProcess = PsGetCurrentProcessId();
}