status = trueNtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}
return status;
}
/*
 * SSDT replacement for NtOpenThread.
 *
 * If the caller asks for the protected ("Ice") thread — compared with the low
 * two bits of the TID masked off, mirroring the original's filter — the
 * request is silently redirected to the caller's own thread by rewriting
 * ClientId->UniqueThread before the real service runs.  A NULL ClientId is
 * answered with the status the original code used (0x8000000E; not a
 * documented NTSTATUS for this situation, presumably a placeholder).
 *
 * NOTE(review): ClientId is the caller's buffer.  When the previous mode is
 * user, this writes into user memory without probing/try-except; whether the
 * surrounding dispatcher guarantees the pointer is safe cannot be seen here.
 */
NTSTATUS
myNtOpenThread(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId)
{
    ULONG requestedTid;

    if (ClientId == NULL)
        return 0x8000000Eu;

    requestedTid = (ULONG)ClientId->UniqueThread;
    if ((requestedTid & 0xFFFFFFFC) == (ULONG)g_IceTid)
    {
        /* Redirect: the protected thread is never handed out; the caller
           gets a handle to itself instead. */
        ClientId->UniqueThread = PsGetCurrentThreadId();
    }
    return trueNtOpenThread(ThreadHandle, DesiredAccess, ObjectAttributes, ClientId);
}
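/*
 * Installs myNtOpenProcess / myNtOpenThread into the SSDT and saves the
 * original service pointers in g_OriginalNtOpenProcess / g_OriginalNtOpenThread
 * (also exposed as trueNtOpenProcess / trueNtOpenThread for the hooks).
 *
 * Returns TRUE on success, FALSE for an unsupported build number.
 *
 * Fix: the original saved g_OriginalNtOpenProcess from, and wrote
 * myNtOpenProcess into, the 0x80/0xC9 slot while UnHookSSDT (and its comments)
 * treat 0x7A/0xC2 as NtOpenProcess and 0x80/0xC9 as NtOpenThread.  Hook and
 * unhook therefore did not round-trip: after UnHookSSDT each slot held the
 * other service's original pointer.  The slot roles below now match
 * UnHookSSDT.  The indices are the ones this file documents for build 2600
 * (XP) and 6000-6001 (Vista); verify them against the target kernel.
 *
 * NOTE(review): WPOFF/WPON are not shown in this file; whether they also keep
 * the thread from being preempted/migrated while CR0.WP is clear cannot be
 * confirmed here.
 */
BOOL HookNtOpenProcessAndThread(void)
{
    PVOID *openProcessSlot;   /* SSDT entry of NtOpenProcess */
    PVOID *openThreadSlot;    /* SSDT entry of NtOpenThread  */

    if (dwNtBuildNumber == 2600)
    {
        openProcessSlot = &(KeServiceDescriptorTable->ServiceTable[0x7A]);
        openThreadSlot  = &(KeServiceDescriptorTable->ServiceTable[0x80]);
    }
    else if (dwNtBuildNumber >= 6000 && dwNtBuildNumber <= 6001)
    {
        openProcessSlot = &(KeServiceDescriptorTable->ServiceTable[0xC2]);
        openThreadSlot  = &(KeServiceDescriptorTable->ServiceTable[0xC9]);
    }
    else
    {
        return FALSE;   /* unknown SSDT layout: refuse rather than patch blindly */
    }

    g_OriginalNtOpenProcess = *(DWORD *)openProcessSlot;
    g_OriginalNtOpenThread  = *(DWORD *)openThreadSlot;
    trueNtOpenProcess = (pfnNtOpenProcess)g_OriginalNtOpenProcess;
    trueNtOpenThread  = (pfnNtOpenThread)g_OriginalNtOpenThread;

    WPOFF();
    *(DWORD *)openProcessSlot = (DWORD)myNtOpenProcess;
    *(DWORD *)openThreadSlot  = (DWORD)myNtOpenThread;
    WPON();
    return TRUE;
}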
/*
 * Restores the NtOpenProcess / NtOpenThread SSDT entries from
 * g_OriginalNtOpenProcess / g_OriginalNtOpenThread.
 *
 * Slot roles: 0x7A (XP) / 0xC2 (Vista) is NtOpenProcess, 0x80 / 0xC9 is
 * NtOpenThread.  Returns TRUE on success, FALSE for an unsupported build.
 * This function does not check that a hook was actually installed; the
 * caller is responsible for pairing it with HookNtOpenProcessAndThread.
 */
BOOL UnHookSSDT(void)
{
    PVOID *openProcessSlot;
    PVOID *openThreadSlot;

    if (dwNtBuildNumber == 2600)
    {
        openProcessSlot = &(KeServiceDescriptorTable->ServiceTable[0x7A]);
        openThreadSlot  = &(KeServiceDescriptorTable->ServiceTable[0x80]);
    }
    else if (dwNtBuildNumber >= 6000 && dwNtBuildNumber <= 6001)
    {
        openProcessSlot = &(KeServiceDescriptorTable->ServiceTable[0xC2]);
        openThreadSlot  = &(KeServiceDescriptorTable->ServiceTable[0xC9]);
    }
    else
    {
        return FALSE;
    }

    WPOFF();
    *(DWORD *)openProcessSlot = g_OriginalNtOpenProcess;
    *(DWORD *)openThreadSlot  = g_OriginalNtOpenThread;
    WPON();
    return TRUE;
}
/*
 * Records eProcess in EPROCESSArray (the set of "own" processes that the
 * termination hook protects).  A zero entry terminates the used prefix of
 * the array, which is assumed to hold 100 entries (the bound used throughout
 * this file).
 *
 * Returns TRUE if the value was already present or has been stored, FALSE
 * if all 100 slots are occupied.  A zero eProcess is ignored and reported
 * as success, matching the original behaviour.
 */
BOOL StoreEPROCESS(ULONG eProcess)
{
    int slot;

    if (eProcess == 0)
        return TRUE;

    /* Empty array: the first slot is free. */
    if (EPROCESSArray[0] == 0)
    {
        EPROCESSArray[0] = eProcess;
        return TRUE;
    }
    if (EPROCESSArray[0] == eProcess)
        return TRUE;

    /* Walk the used prefix; store at the first free slot, stop on a duplicate. */
    for (slot = 1; slot < 100; slot++)
    {
        if (EPROCESSArray[slot] == 0)
        {
            EPROCESSArray[slot] = eProcess;
            return TRUE;
        }
        if (EPROCESSArray[slot] == eProcess)
            return TRUE;
    }
    return FALSE;
}
/*
 * Removes eProess from EPROCESSArray.
 *
 * Scans the array, remembering in `target` the index of the (last) entry equal
 * to eProess.  At the first zero entry met afterwards it copies the DWORD at
 * byte_12C84 + 4*Index into the matched slot, zeroes that DWORD and returns 1.
 *
 * NOTE(review): byte_12C84 is an unlabelled address left over from the
 * decompilation.  If it is EPROCESSArray minus 4 bytes, this is a
 * swap-with-last removal (the last used entry is moved into the hole);
 * if it is EPROCESSArray itself, the matched slot is simply overwritten
 * with the zero entry.  Confirm before relying on the array staying compact.
 *
 * Returns 0 when eProess is not found, and also when the array has no zero
 * entry before index 100 — in that (full-array) case a found entry is left
 * in place.  Returns 1 without touching the array when eProess is 0.
 */
BOOL SomeThingAboutEprocess(ULONG eProess)
{
int Index;
int target;
BOOL result;
char *v4;
Index = 0;
target = -1;
if ( eProess )
{
if ( (DWORD)EPROCESSArray ) // always true: this tests the array's address, not its first entry
{
while ( 1 )
{
if ( EPROCESSArray[Index] == eProess )
target = Index; // look for the requested eProcess (no break: keeps the last match)
Index++;
if ( Index >= 100 )
break; // no free slot found within the 100-entry bound: give up without removing
if ( !EPROCESSArray[Index] )
{
if ( target == -1 )
break; // reached the end of the used prefix without a match
v4 = &byte_12C84[4 * Index]; // see header note: meaning depends on what byte_12C84 is
EPROCESSArray[target] = *(DWORD *)v4;
*(DWORD *)v4 = 0;
goto LABEL_9;
}
}
}
result = 0;
}
else
{
LABEL_9:
result = 1;
}
return result;
}
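/*
 * Returns TRUE if eProess is one of the processes recorded in EPROCESSArray.
 * The used part of the array is the prefix up to the first zero entry; the
 * array is assumed to hold 100 entries (the bound used throughout this file).
 *
 * Fix: the original evaluated `EPROCESSArray[Index] != eProess` with
 * Index == 100 before its `Index >= 100` guard, reading one element past the
 * end when the array was full and eProess was absent.  The bound is now
 * checked before every read.
 *
 * Fix: a NULL eProess is never reported as "mine" — zero is the
 * end-of-prefix sentinel in this array, not a value, so matching it would
 * have made the termination hook deny requests for threads whose owning
 * process could not be resolved.
 */
BOOL IsMyEprocess(PVOID eProess)
{
    int Index;

    if (eProess == NULL)
        return FALSE;
    if (EPROCESSArray[0] == 0)
        return FALSE;   /* nothing recorded */

    for (Index = 0; Index < 100; Index++)
    {
        if (EPROCESSArray[Index] == (ULONG)eProess)
            return TRUE;
        if (EPROCESSArray[Index] == 0)
            return FALSE;   /* end of the used prefix */
    }
    return FALSE;
}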
/*
 * Resolves a process id to its EPROCESS pointer, or NULL if the lookup fails.
 *
 * The reference taken by PsLookupProcessByProcessId is dropped before
 * returning, so the pointer handed back is *unreferenced*.  It is only safe
 * to use as an opaque key (e.g. for EPROCESSArray); dereferencing it later
 * races with process teardown.  Callers that need the object must take their
 * own reference.
 */
PEPROCESS IceGetEprocessByPid(ULONG pid)
{
    PEPROCESS process = NULL;

    if (!NT_SUCCESS(PsLookupProcessByProcessId((PVOID)pid, &process)))
        return NULL;

    ObfDereferenceObject((PVOID)process);
    return process;
}
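/*
 * Copies len bytes from SourceAddr to TargetAddr with write protection
 * (CR0.WP) temporarily cleared, under g_SpinLock.
 *
 * Returns TRUE if the copy was performed, FALSE if either address fails
 * MmIsAddressValid or len is negative.
 *
 * Fix: the original returned from the invalid-address path without
 * KeReleaseSpinLock, leaving the lock held and the IRQL raised for good.
 * The lock is now released on every path.
 *
 * NOTE(review): KeInitializeSpinLock on every call defeats the lock — a
 * second caller re-initialises it while the first holds it.  It is kept
 * here because callers rely on this function working without any prior
 * setup; the proper fix is a single initialisation at driver load.
 *
 * NOTE(review): MmIsAddressValid only vouches for the page containing the
 * given address; a copy that crosses a page boundary is not covered.
 */
BOOL IceSafeMemcpy(PVOID TargetAddr, PVOID SourceAddr, int len)
{
    BOOL copied = FALSE;
    KIRQL oldIrql;

    KeInitializeSpinLock(&g_SpinLock);
    KeAcquireSpinLock(&g_SpinLock, &oldIrql);

    if (len >= 0 && MmIsAddressValid(TargetAddr) && MmIsAddressValid(SourceAddr))
    {
        WPOFF();
        memcpy(TargetAddr, SourceAddr, (size_t)len);
        WPON();
        copied = TRUE;
    }

    KeReleaseSpinLock(&g_SpinLock, oldIrql);
    return copied;
}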
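/*
 * Installs a hot-patch style detour on FunAddr:
 *   - the 5 padding bytes before the function (expected to be NOPs) become
 *     `jmp rel32 HookProc`;
 *   - the 2-byte prologue at FunAddr (expected 8B FF, `mov edi, edi`) becomes
 *     `jmp short -7` onto that jump.
 * The original function can then be called at FunAddr + 2.
 *
 * Returns TRUE if both patches were written, FALSE if the addresses are not
 * valid, the expected bytes are not present, or a write failed.
 *
 * Fix: `result` was uninitialised when the signature check failed, so the
 * caller received garbage and could record a hook that was never applied.
 *
 * Fix: RtlCompareMemory returns the number of *matching* bytes, so the
 * original `== 0` test passed only when the first padding byte already
 * differed from NOP — i.e. the patch was applied exactly when the bytes
 * were not the expected padding, and skipped when they were.  If this was
 * transcribed from a memcmp()-style check the intent was clearly "all five
 * bytes match", which is what is tested now.
 *
 * Fix: FunAddr itself is validated before being read; the original only
 * validated FunAddr - 5, which can be on a different page.
 */
BOOL InlineHookPspTerminateThreadByPointer(PVOID FunAddr, PVOID HookProc)
{
    BYTE expectedPad[5] = {0x90, 0x90, 0x90, 0x90, 0x90};
    BYTE jmpNear[5];
    WORD expectedHead = 0xFF8B;   /* 8B FF little-endian: mov edi, edi */
    WORD jmpShort = 0xF9EB;       /* EB F9: jmp short -7 (back to the padding) */
    DWORD rel;
    char *padAddr = (char *)FunAddr - 5;

    if (!MmIsAddressValid((PVOID)padAddr) || !MmIsAddressValid(FunAddr))
        return FALSE;
    if (RtlCompareMemory(expectedPad, padAddr, 5) != 5)
        return FALSE;
    if (*(WORD *)FunAddr != expectedHead)
        return FALSE;

    /* E9 rel32 at FunAddr-5: the displacement is taken from the end of the
       instruction, (FunAddr-5)+5 == FunAddr, hence HookProc - FunAddr. */
    rel = (DWORD)HookProc - (DWORD)FunAddr;
    jmpNear[0] = 0xE9;
    memcpy(jmpNear + 1, &rel, sizeof rel);

    /* Write the dead padding first; if the prologue write then fails the
       function is still intact, since nothing reaches the padding. */
    if (!IceSafeMemcpy(padAddr, jmpNear, 5))
        return FALSE;
    return IceSafeMemcpy(FunAddr, &jmpShort, 2);
}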
/*
 * Detour for PspTerminateThreadByPointer.
 *
 * Refuses (STATUS_ACCESS_DENIED) to terminate any thread whose owning
 * process is recorded in EPROCESSArray; everything else is forwarded to the
 * original function via the newPspTerminateThreadByPointer trampoline.
 */
NTSTATUS
myPspTerminateThreadByPointer(
PETHREAD Thread,
NTSTATUS ExitStatus
)
{
    PEPROCESS owner = IoThreadToProcess(Thread);

    if (IsMyEprocess(owner))
        return STATUS_ACCESS_DENIED;

    return newPspTerminateThreadByPointer(Thread, ExitStatus);
}
/*
 * Locates PspTerminateThreadByPointer by disassembling PsTerminateSystemThread.
 *
 * Walks at most 0x1000 bytes from PsTerminateSystemThread one instruction at a
 * time using SizeOfCode (not shown here; assumed to return the instruction
 * length and, through nextOp, a pointer to its opcode byte).  At the first
 * 0xE8 (call rel32) the target is computed as rel32 + pfn + 5 and stored in
 * the global PspTerminateThreadByPointer.
 *
 * NOTE(review): this is a version-specific heuristic.  It assumes the first
 * call in PsTerminateSystemThread is the one wanted and that the call has no
 * prefix bytes (pfn + 5 is only the end of the instruction when nextOp == pfn).
 * The caller gates its use on build 2600.
 *
 * Returns TRUE if a call was found, FALSE if the scan ran past 0x1000 bytes
 * or SizeOfCode reported a zero length.
 */
BOOL SearchPspTermiThreadAddress(void)
{
char *pfn;
int temlen;
char *nextOp;
for ( pfn = (char*)PsTerminateSystemThread; pfn < (char *)PsTerminateSystemThread + 0x1000; pfn += temlen )
{
temlen = SizeOfCode(pfn, &nextOp);
if ( !temlen )
break; // undecodable byte: stop rather than walk garbage
if ( *(BYTE*)nextOp == 0xE8 )
{
PspTerminateThreadByPointer = *(DWORD *)(nextOp + 1) + (DWORD)pfn + 5; // rel32 is relative to the end of the 5-byte call
return TRUE;
}
}
return FALSE;
}
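/*
 * Finds PspTerminateThreadByPointer and, on build 2600 only, installs the
 * inline detour to myPspTerminateThreadByPointer.  On success the trampoline
 * newPspTerminateThreadByPointer is pointed at FunAddr + 2, skipping the
 * two-byte `mov edi, edi` prologue that the patch overwrote.
 *
 * Records the outcome in bHookPspTerminateThreadByPointerSuccess and returns
 * it.  Returns FALSE (leaving the flag untouched) on other builds.
 *
 * Fix: the return value of SearchPspTermiThreadAddress was ignored, so a
 * failed scan could still hook whatever stale value the global held.
 * Fix: the trampoline is only set when the patch was actually written.
 */
BOOL SetOneByteHookOnPspTerminateThreadByPointer(void)
{
    BOOL hooked = FALSE;
    BOOL found = SearchPspTermiThreadAddress();

    if (found && PspTerminateThreadByPointer && dwNtBuildNumber == 2600)
    {
        hooked = InlineHookPspTerminateThreadByPointer(
            (PVOID)PspTerminateThreadByPointer,
            (PVOID)myPspTerminateThreadByPointer);
        bHookPspTerminateThreadByPointerSuccess = hooked;
        if (hooked)
        {
            newPspTerminateThreadByPointer =
                (pfnPspTerminateThreadByPointer)((char *)PspTerminateThreadByPointer + 2);
        }
    }
    return hooked;
}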
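/*
 * Blocks the current thread for `time` milliseconds (relative, non-alertable,
 * kernel-mode wait).  Returns TRUE if KeDelayExecutionThread succeeded.
 *
 * Fix: `-10000 * time` was evaluated in int and overflowed for time above
 * ~214 s, turning the delay into a bogus absolute time; the multiply is now
 * done in 64 bits.  A negative `time` yields a positive (absolute, past)
 * value and returns immediately, as before.
 */
BOOL IceSleep(int time)
{
    LARGE_INTEGER interval;

    /* Negative = relative; units of 100 ns, so 10000 per millisecond. */
    interval.QuadPart = (LONGLONG)time * -10000;
    return NT_SUCCESS(KeDelayExecutionThread(KernelMode, FALSE, &interval));
}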
/*
 * Reverses InlineHookPspTerminateThreadByPointer: restores the five NOP
 * padding bytes before PspTerminateThreadByPointer and the `mov edi, edi`
 * (8B FF) prologue, then sleeps 50 ms — presumably to let any caller already
 * inside the detour finish before the driver goes away.
 *
 * Does nothing unless bHookPspTerminateThreadByPointerSuccess is set; the
 * flag is deliberately left set, as in the original, so a second call simply
 * rewrites the same bytes.
 */
void UnHookPspTerminateThread(void)
{
    BYTE nopPad[5] = {0x90, 0x90, 0x90, 0x90, 0x90};
    WORD movEdiEdi = 0xFF8Bu;
    char *padAddr;

    if (!bHookPspTerminateThreadByPointerSuccess)
        return;

    padAddr = (char *)PspTerminateThreadByPointer - 5;
    if (!MmIsAddressValid(padAddr))
        return;

    IceSafeMemcpy(padAddr, nopPad, 5);
    IceSafeMemcpy((PVOID)PspTerminateThreadByPointer, &movEdiEdi, 2);
    IceSleep(50);
}
/*
 * Opens an existing file (FILE_OPEN, never creates) by NT path and returns a
 * kernel handle (OBJ_KERNEL_HANDLE, case-insensitive), or 0 on failure or
 * when called above PASSIVE_LEVEL.
 *
 * The open is issued with IO_NO_PARAMETER_CHECKING, so nothing here validates
 * the path or the access/share masks.  NOTE(review): if SourceString
 * originates from user mode (e.g. an IOCTL), it must be captured and
 * validated before reaching this function.
 */
HANDLE IceCreateFile(PCWSTR SourceString, ACCESS_MASK DesiredAccess, ULONG ShareAccess)
{
    UNICODE_STRING path;
    OBJECT_ATTRIBUTES attributes;
    IO_STATUS_BLOCK iosb;
    HANDLE handle;
    NTSTATUS status;

    if (KeGetCurrentIrql() > PASSIVE_LEVEL)
        return 0;

    RtlInitUnicodeString(&path, SourceString);
    InitializeObjectAttributes(&attributes, &path,
                               OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);

    status = IoCreateFile(&handle,
                          DesiredAccess,
                          &attributes,
                          &iosb,
                          0,                      /* AllocationSize */
                          FILE_ATTRIBUTE_NORMAL,
                          ShareAccess,
                          FILE_OPEN,
                          0,                      /* CreateOptions */
                          NULL,                   /* EaBuffer */
                          0,                      /* EaLength */
                          0,                      /* CreateFileType */
                          NULL,                   /* ExtraCreateParameters */
                          IO_NO_PARAMETER_CHECKING);

    return NT_SUCCESS(status) ? handle : 0;
}
/*
 * Completion routine for the IRPs built by IceForceDeleteFileByHandle /
 * IceForceDeleteFile.
 *
 * Copies the final status into the caller's IO_STATUS_BLOCK (Irp->UserIosb),
 * wakes the waiter through Irp->UserEvent, frees the IRP this driver
 * allocated and returns STATUS_MORE_PROCESSING_REQUIRED so the I/O manager
 * does not touch the (now freed) IRP again.  Context is not used; the event
 * is taken from the IRP itself.
 */
NTSTATUS CompleteRoutine(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context)
{
    PIO_STATUS_BLOCK callerIosb = Irp->UserIosb;
    PKEVENT callerEvent = Irp->UserEvent;

    (void)DeviceObject;
    (void)Context;

    callerIosb->Status = Irp->IoStatus.Status;
    callerIosb->Information = Irp->IoStatus.Information;
    KeSetEvent(callerEvent, IO_NO_INCREMENT, FALSE);
    IoFreeIrp(Irp);
    return STATUS_MORE_PROCESSING_REQUIRED;
}
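/*
 * Sends a synchronous IRP_MJ_SET_INFORMATION / FileBasicInformation request
 * to the file behind FileHandle, resetting its attributes to
 * FILE_ATTRIBUTE_NORMAL (clearing read-only/hidden/system) so a following
 * delete is not refused on attribute grounds.
 *
 * Returns TRUE if the request completed successfully, FALSE if the handle
 * could not be referenced, the IRP could not be allocated, or the file
 * system failed the request.
 *
 * Fix: the original set an unused local to 0x80 (FILE_ATTRIBUTE_NORMAL) next
 * to an all-zero 40-byte buffer, so the request it sent changed nothing.
 * That value is now placed in FileAttributes, which is presumably what was
 * intended — confirm against the original design.
 *
 * Fix: Tail.Overlay.OriginalFileObject was assigned the HANDLE instead of the
 * PFILE_OBJECT (the sibling IceForceDeleteFile does it correctly).
 *
 * Fix: the wait was alertable; an alert/user APC would have returned while
 * the IRP was still in flight, leaving the completion routine writing into a
 * dead stack frame.  The wait is now non-alertable.
 */
BOOL IceForceDeleteFileByHandle(HANDLE FileHandle)
{
    PFILE_OBJECT fileObject;
    PDEVICE_OBJECT deviceObject;
    PIRP irp;
    PIO_STACK_LOCATION stack;
    KEVENT done;
    IO_STATUS_BLOCK iosb;
    FILE_BASIC_INFORMATION basic;
    NTSTATUS status;

    status = ObReferenceObjectByHandle(FileHandle, DELETE, *IoFileObjectType,
                                       KernelMode, (PVOID *)&fileObject, NULL);
    if (!NT_SUCCESS(status))
        return FALSE;

    deviceObject = IoGetRelatedDeviceObject(fileObject);
    irp = IoAllocateIrp(deviceObject->StackSize, TRUE);
    if (irp == NULL)
    {
        ObfDereferenceObject(fileObject);
        return FALSE;
    }

    KeInitializeEvent(&done, SynchronizationEvent, FALSE);
    iosb.Status = STATUS_UNSUCCESSFUL;
    iosb.Information = 0;

    /* Zero timestamps mean "leave unchanged"; only the attributes are set. */
    memset(&basic, 0, sizeof basic);
    basic.FileAttributes = FILE_ATTRIBUTE_NORMAL;

    irp->AssociatedIrp.SystemBuffer = &basic;
    irp->UserEvent = &done;
    irp->UserIosb = &iosb;
    irp->Tail.Overlay.OriginalFileObject = fileObject;
    irp->Tail.Overlay.Thread = (PETHREAD)KeGetCurrentThread();
    irp->RequestorMode = KernelMode;

    stack = IoGetNextIrpStackLocation(irp);
    stack->MajorFunction = IRP_MJ_SET_INFORMATION;
    stack->DeviceObject = deviceObject;
    stack->FileObject = fileObject;
    stack->Parameters.SetFile.Length = sizeof basic;
    stack->Parameters.SetFile.FileInformationClass = FileBasicInformation;
    stack->Parameters.SetFile.FileObject = fileObject;
    stack->Context = (PVOID)&done;
    stack->CompletionRoutine = CompleteRoutine;
    stack->Control = 0xE0;   /* invoke on success, error and cancel */

    IofCallDriver(deviceObject, irp);
    /* CompleteRoutine always fires (Control above), copies iosb, signals
       `done` and frees the IRP; nothing here touches irp afterwards. */
    KeWaitForSingleObject(&done, Executive, KernelMode, FALSE, NULL);

    ObfDereferenceObject(fileObject);
    return NT_SUCCESS(iosb.Status);
}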
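/*
 * Force-deletes the file behind hFileHandle:
 *   1. resets its attributes through IceForceDeleteFileByHandle (result ignored,
 *      as in the original — a failure there need not block the delete);
 *   2. clears the file object's DataSectionObject / ImageSectionObject;
 *   3. sends a synchronous IRP_MJ_SET_INFORMATION / FileDispositionInformation
 *      request with DeleteFile = TRUE.
 *
 * Step 2 is the deliberate "force" part: with the section pointers gone the
 * file system presumably no longer sees the file as mapped or executing and
 * will not refuse the delete.  This bypasses the memory manager's protection
 * of in-use files and can leave section/cache state inconsistent; it is a
 * system-stability risk the caller accepts by using this function.
 *
 * Returns TRUE if the disposition request completed successfully, FALSE if
 * the handle could not be referenced, the IRP could not be allocated, or the
 * file system failed the request.
 *
 * Fix: SectionObjectPointer is checked for NULL before its fields are
 * cleared.
 * Fix: the wait was alertable; an alert/user APC would have returned with the
 * IRP still in flight and the completion routine writing into a dead stack
 * frame.  The wait is now non-alertable.
 */
BOOL IceForceDeleteFile(HANDLE hFileHandle)
{
    PFILE_OBJECT fileObject;
    PDEVICE_OBJECT deviceObject;
    PIRP irp;
    PIO_STACK_LOCATION stack;
    KEVENT done;
    IO_STATUS_BLOCK iosb;
    FILE_DISPOSITION_INFORMATION disposition;
    NTSTATUS status;

    IceForceDeleteFileByHandle(hFileHandle);

    status = ObReferenceObjectByHandle(hFileHandle, DELETE, *IoFileObjectType,
                                       KernelMode, (PVOID *)&fileObject, NULL);
    if (!NT_SUCCESS(status))
        return FALSE;

    deviceObject = IoGetRelatedDeviceObject(fileObject);
    irp = IoAllocateIrp(deviceObject->StackSize, TRUE);
    if (irp == NULL)
    {
        ObfDereferenceObject(fileObject);
        return FALSE;
    }

    KeInitializeEvent(&done, SynchronizationEvent, FALSE);
    iosb.Status = STATUS_UNSUCCESSFUL;
    iosb.Information = 0;
    disposition.DeleteFile = TRUE;

    irp->AssociatedIrp.SystemBuffer = &disposition;
    irp->UserEvent = &done;
    irp->UserIosb = &iosb;
    irp->Tail.Overlay.OriginalFileObject = fileObject;
    irp->Tail.Overlay.Thread = (PETHREAD)KeGetCurrentThread();
    irp->RequestorMode = KernelMode;

    stack = IoGetNextIrpStackLocation(irp);
    stack->MajorFunction = IRP_MJ_SET_INFORMATION;
    stack->DeviceObject = deviceObject;
    stack->FileObject = fileObject;
    stack->Parameters.SetFile.Length = sizeof disposition;
    stack->Parameters.SetFile.FileInformationClass = FileDispositionInformation;
    stack->Parameters.SetFile.FileObject = fileObject;
    stack->Context = (PVOID)&done;
    stack->CompletionRoutine = CompleteRoutine;
    stack->Control = 0xE0;   /* invoke on success, error and cancel */

    /* Strip the section pointers so the "in use" check does not block the delete. */
    if (fileObject->SectionObjectPointer != NULL)
    {
        fileObject->SectionObjectPointer->DataSectionObject = NULL;
        fileObject->SectionObjectPointer->ImageSectionObject = NULL;
    }

    IofCallDriver(deviceObject, irp);
    /* CompleteRoutine always fires, copies iosb, signals `done` and frees the IRP. */
    KeWaitForSingleObject(&done, Executive, KernelMode, FALSE, NULL);

    ObfDereferenceObject(fileObject);
    return NT_SUCCESS(iosb.Status);
}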
/*
 * Kernel APC routine that makes the thread it runs in terminate itself.
 *
 * The APC object is freed first (it was allocated by the queuing side, which
 * is not shown here; the tag 0 must match that allocation).  Then, if
 * GetThreadFlagOffset reports a non-zero offset, bit 0x10 at that offset in
 * the current KTHREAD is set — the original comment calls this the
 * SYSTEM_THREAD flag, presumably so that PsTerminateSystemThread, which
 * refuses ordinary threads, accepts the call — and the thread exits with
 * status 0.  With an unknown offset the APC is consumed and nothing else
 * happens.
 *
 * NOTE(review): the offset and bit are kernel-version specific and come from
 * GetThreadFlagOffset; nothing here validates them.
 */
void TerminateThreadApcRoutine(
KAPC *Apc,
PKNORMAL_ROUTINE *NormalRoutine,
PVOID *NormalContext,
PVOID *SystemArgument1,
PVOID *SystemArgument2)
{
    WORD flagOffset = GetThreadFlagOffset();
    PKTHREAD self;

    ExFreePoolWithTag(Apc, 0);
    if (flagOffset == 0)
        return;

    self = KeGetCurrentThread();
    *(DWORD *)((char *)self + flagOffset) |= 0x10;
    PsTerminateSystemThread(0);
}
ULONG SetThreadListOffset(void)
{
ULONG result;
result = dwNtBuildNumber;
if ( dwNtBuildNumber == 2600 )
{ // WinXP
ThreadListEntryOffsetInEThread = 0x22C;
ThreadListHeadOffstInEprocess = 0x190;