// MyDriver.cpp : Defines the entry point for the application.
//
/*
#include "stdafx.h"
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.
return 0;
}
*/
//-------------------------------------------------------------------------------------------------------------
//包含必要头文件:
//我的头文件:
#include "MyDriver.h"
//-------------------------------------------------------------------------------------------------------------
//全局变量在这里定义:
// Globals. The trailing "dword_xxxxx" notes are the addresses these
// variables occupy in the disassembly this file was reconstructed from
// (the commented-out IDA output below uses those names).
ULONG g_dwTickCountLow = 0xBB40; //dword_109D4 - re-seeded by _DriverEntry when it is 0 or still 0xBB40
ULONG g_dwTickCount = 0xFFFF44BF; //dword_109D0 - _DriverEntry stores ~g_dwTickCountLow here (0xFFFF44BF == ~0xBB40)
CCHAR g_byNumberProcess= 0x01; //dword_10980 - processor count, capped at 0x20 by _mgMain; loop bound in mgZwSetInformationThread
DWORD g_pstrRegPath = 0x01; //dword_10984 - despite the name, mgZwSetInformationThread tests it bit by bit and passes it as a ThreadAffinityMask; _mgMain stores a truncated RegistryPath pointer here (see the note there)
BYTE g_byUnkBuffer[0x80] = {0}; //dword_10A00 - 0x20 slots of 4 bytes, one per processor; mgZwSetInformationThread hands the current slot to mgModfiy, which stores the previous IDT 0x0D handler address in it
// Raw bytes handed to mgModfiy as the new IDT entry 0x0D address on the
// 'hook' path. NOTE(review): presumably x86 machine code - the byte runs
// E0 09 01 00 / E4 09 01 00 / E8 09 01 00 / 00 0A 01 00 match the
// dword_109E0/109E4/109E8/10A00 addresses annotated on the globals in this
// file, and 0F 31 (rdtsc) appears twice. Confirm against the disassembly.
BYTE g_byUnkData[0xB0] = { 0x8B, 0xFF, 0x1E, 0x06, 0x0F, 0xA0, 0x60, 0x66, 0xB8, 0x23,
0x00, 0x66, 0x8E, 0xD8, 0x66, 0x8E, 0xC0, 0x66, 0xB8, 0x30,
0x00, 0x66, 0x8E, 0xE0, 0xF7, 0x44, 0x24, 0x34, 0x03, 0x00,
0x00, 0x00, 0x74, 0x75, 0x8B, 0x44, 0x24, 0x30, 0x50, 0xE8,
0x84, 0xFF, 0xFF, 0xFF, 0x03, 0x44, 0x24, 0x30, 0x66, 0x81,
0x38, 0x0F, 0x31, 0x75, 0x60, 0x83, 0xC0, 0x02, 0x89, 0x44,
0x24, 0x30, 0x0F, 0x31, 0x25, 0xFF, 0x00, 0x00, 0x00, 0x03,
0x05, 0xE8, 0x09, 0x01, 0x00, 0x01, 0x05, 0xE0, 0x09, 0x01,
0x00, 0x73, 0x06, 0xFF, 0x05, 0xE4, 0x09, 0x01, 0x00, 0x57,
0x0F, 0x01, 0x4C, 0x24, 0xFE, 0x5F, 0x8D, 0x7F, 0x08, 0x66,
0x8B, 0x47, 0x06, 0xC1, 0xE0, 0x10, 0x66, 0x8B, 0x07, 0xA3,
0xEC, 0x09, 0x01, 0x00, 0x61, 0xA1, 0xE0, 0x09, 0x01, 0x00,
0x8B, 0x15, 0xE4, 0x09, 0x01, 0x00, 0x0F, 0xA1, 0x07, 0x1F,
0x83, 0xC4, 0x04, 0xF7, 0x44, 0x24, 0x08, 0x00, 0x01, 0x00,
0x00, 0x75, 0x01, 0xCF, 0x2E, 0xFF, 0x25, 0xEC, 0x09, 0x01,
0x00, 0x61, 0x0F, 0xA1, 0x07, 0x1F, 0x2E, 0xFF, 0x25, 0x00,
0x0A, 0x01, 0x00
};
// Written by DispatchIoctl from the request it accepts. Their addresses
// (dword_109E0/E4/E8) are the immediates referenced inside g_byUnkData above,
// so whatever runs from that blob presumably reads them - TODO confirm.
ULONG g_dwMasterIrpType= 0x00; //dword_109E0 - also the value passed to mgZwSetInformationThread as the hook/unhook selector
ULONG g_dwMasterIrpFlag= 0x00; //dword_109E4 - always 0x20 when written (the only accepted Flags value)
PMDL g_mdlMasterIrpMdlAddress = NULL; //dword_109E8
//-------------------------------------------------------------------------------------------------------------
//这里开始声明函数:
#ifdef __NMAKE_BUILD__
extern "C"
{
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
}
#endif //__NMAKE_BUILD__ end.
//----------------------------------------------------------------------------------------------------------
//如果不用NMAKE编译的话,可以在头文件里取掉这个标志:
#ifndef __NMAKE_BUILD__
//----------------------------------------------------------------------------------------------------------
//
//Routine Description:
//
// Installable driver initialization entry point.
// This entry point is called directly by the I/O system.
//
//Arguments:
//
// DriverObject - pointer to the driver object
//
// RegistryPath - pointer to a unicode string representing the path
// to driver-specific key in the registry
//
//Return Value:
//
// STATUS_SUCCESS if successful,
// STATUS_UNSUCCESSFUL otherwise
NTSTATUS _stdcall _DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    /*
     * Non-NMAKE entry point. Re-seeds g_dwTickCountLow when it is still 0 or
     * the initial 0xBB40, stores the complement in g_dwTickCount, then hands
     * the driver object to _mgMain, whose status is returned. The
     * value/complement pair looks like a stack-cookie initialiser, but no
     * code on this page reads either global afterwards.
     *
     * NOTE(review): a non-zero re-seeded value is replaced by 0xBB40 again,
     * so the tick-count mixing survives only when it produced 0 - presumably
     * the condition is inverted relative to the original; verify against
     * the disassembly before relying on it.
     */
    const ULONG initial = 0xBB40;
    ULONG seed = g_dwTickCountLow;

    if (seed == 0 || seed == initial) {
        seed = ((seed >> 8) ^ KeTickCount.LowPart) & 0xFFFF;
        if (seed != 0) {
            seed = initial;
        }
        g_dwTickCountLow = seed;
    }
    g_dwTickCount = ~seed;

    return _mgMain(DriverObject, RegistryPath);
}
#else //__NMAKE_BUILD__ else.
//---------------------------------------------------------------------------------------------------------
//nmake 编译驱动的时候默认的入口必须是这个:
//不然会提示找不到入口:
//CPP文件必须用extern "C",不然找不到函数:
//
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    /*
     * NMAKE-build entry point (the name the build expects). It is a stub:
     * it reports success without touching DriverObject, so on this build
     * no device, symbolic link or dispatch routine is registered - the
     * real initialisation lives only on the _DriverEntry/_mgMain path.
     */
    return STATUS_SUCCESS;
}
#endif //__NMAKE_BUILD__ end.
//----------------------------------------------------------------------------------------------------------
//
/*
 * Driver initialisation proper (called from _DriverEntry): creates the
 * control device \Device\FRDTSC0 with the user-visible link
 * \DosDevices\FRDTSC0 and installs the create/close/ioctl handlers. No
 * hooking happens here; that is triggered later through DispatchIoctl.
 * Returns STATUS_SUCCESS unconditionally, even when device creation fails.
 *
 * Arguments:
 *   pDriverObj   - driver object whose MajorFunction table is filled in
 *   RegistryPath - driver's registry key; only its pointer value is kept,
 *                  truncated to DWORD, in g_pstrRegPath (see note below)
 */
NTSTATUS _mgMain(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING RegistryPath)
{
UNICODE_STRING DestinationString;
PDEVICE_OBJECT DeviceObject; // left uninitialised if IoCreateDevice fails
UNICODE_STRING SymbolicLinkName;
BYTE qipBuffer[0x18]; // 0x18 == sizeof(PROCESS_BASIC_INFORMATION) on x86
memset( g_byUnkBuffer ,0x00 , 0x80); // clear the per-processor save slots used by mgZwSetInformationThread
// Cap at 0x20 processors: exactly g_byUnkBuffer's 0x80 bytes / 4 bytes per slot.
if( *KeNumberProcessors >= 0x20 ){ g_byNumberProcess = 0x20; }
else{ g_byNumberProcess = *KeNumberProcessors; }
memset( qipBuffer , 0x00 , 0x18 );
// (HANDLE)-1 is the current-process pseudo-handle, class 0 is
// ProcessBasicInformation. NOTE(review): the status is ignored and
// qipBuffer is never read afterwards.
ZwQueryInformationProcess( (HANDLE)0xFFFFFFFF, 0x00 ,qipBuffer ,0x18 , 0x00 );
// NOTE(review): this stores a truncated pointer in a variable that
// mgZwSetInformationThread treats as an affinity bit mask. The commented
// decompilation above stores a field read out of the queried buffer (v5)
// into the same slot instead; the two disagree - confirm which is intended.
g_pstrRegPath = (DWORD)RegistryPath;
RtlInitUnicodeString(&DestinationString, L"\\Device\\FRDTSC0");
// NOTE(review): plain IoCreateDevice (no IoCreateDeviceSecure, so default
// device security) and the return status is not checked; on failure
// DeviceObject is garbage and the symbolic link is created regardless.
IoCreateDevice(pDriverObj, 0, &DestinationString, FILE_DEVICE_UNKNOWN, 0, FALSE, &DeviceObject);
RtlInitUnicodeString(&SymbolicLinkName, L"\\DosDevices\\FRDTSC0");
IoCreateSymbolicLink(&SymbolicLinkName, &DestinationString); // status unchecked
// Create/close succeed unconditionally; device control is the only request
// path that reaches mgZwSetInformationThread.
pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
pDriverObj->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}
/*
int __stdcall sub_1075E(PDRIVER_OBJECT DriverObject, int a2)
{
PDRIVER_OBJECT v3; // esi@4
char ProcessInformation; // [sp+8h] [bp-2Ch]@4
int v5; // [sp+10h] [bp-24h]@4
UNICODE_STRING DestinationString; // [sp+28h] [bp-Ch]@4
PDEVICE_OBJECT DeviceObject; // [sp+30h] [bp-4h]@4
UNICODE_STRING SymbolicLinkName; // [sp+20h] [bp-14h]@4
memset(&dword_10A00, 0, 0x80u);
if ( KeNumberProcessors >= 32 )
dword_10980 = 32;
else
dword_10980 = KeNumberProcessors;
memset(&ProcessInformation, 0, 0x18u);
ZwQueryInformationProcess((HANDLE)0xFFFFFFFF, 0, &ProcessInformation, 0x18u, 0);
dword_10984 = v5;
RtlInitUnicodeString(&DestinationString, L"\\Device\\FRDTSC0");
v3 = DriverObject;
IoCreateDevice(DriverObject, 0, &DestinationString, 0x22u, 0, 0, &DeviceObject);
RtlInitUnicodeString(&SymbolicLinkName, L"\\DosDevices\\FRDTSC0");
IoCreateSymbolicLink(&SymbolicLinkName, &DestinationString);
v3->MajorFunction[2] = (PDRIVER_DISPATCH)sub_10486;
v3->MajorFunction[0] = (PDRIVER_DISPATCH)sub_10486;
v3->MajorFunction[14] = (PDRIVER_DISPATCH)sub_106A4;
v3->DriverUnload = (PDRIVER_UNLOAD)sub_1071C;
return 0;
}
*/
/*
 * Unload routine: runs the 'unho' (0x756E686F) path of
 * mgZwSetInformationThread so the IDT entry and CR4 changes made on 'hook'
 * are undone before the symbolic link and device go away. Nothing here
 * checks whether a hook is actually installed; the unhook runs every time.
 *
 * NOTE(review): pDriverObj->DeviceObject is passed to IoDeleteDevice
 * without a NULL check. _mgMain ignores IoCreateDevice's status, so this
 * may be NULL if that call failed.
 */
VOID DriverUnload( PDRIVER_OBJECT pDriverObj )
{
UNICODE_STRING strLink;
mgZwSetInformationThread( 0x756E686F ); // 'unho' as a multi-character constant
RtlInitUnicodeString(&strLink, L"\\DosDevices\\FRDTSC0" );
IoDeleteSymbolicLink(&strLink);
IoDeleteDevice(pDriverObj->DeviceObject);
}
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    /*
     * IRP_MJ_CREATE handler: every open of the device succeeds with no
     * data transferred. Nothing here inspects the caller, so whoever can
     * open \DosDevices\FRDTSC0 can go on to issue device-control requests.
     */
    NTSTATUS status = STATUS_SUCCESS;
    (void)pDevObj;

    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = status;
    IofCompleteRequest(pIrp, 0);
    return status;
}
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    /*
     * IRP_MJ_CLOSE handler: completes the request with STATUS_SUCCESS and
     * zero bytes transferred. Closing a handle does not undo any hook the
     * driver has installed; only DriverUnload or an explicit 'unho' does.
     */
    NTSTATUS status = STATUS_SUCCESS;
    (void)pDevObj;

    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = status;
    IofCompleteRequest(pIrp, 0);
    return status;
}
/*
 * IRP_MJ_DEVICE_CONTROL handler and the driver's only control surface.
 * It never looks at the I/O control code: a request is accepted when the
 * current stack location's MinorFunction is below 8 and its Flags equal
 * 0x20, in which case MdlAddress/Type are copied out of
 * pIrp->AssociatedIrp.MasterIrp into globals and Type is passed to
 * mgZwSetInformationThread as the hook/unhook selector
 * ('hook' = 0x686F6F6B, 'unho' = 0x756E686F). Anything else fails with
 * STATUS_INVALID_PARAMETER.
 *
 * NOTE(review): AssociatedIrp is a union; for a buffered device-control
 * request this member aliases SystemBuffer, i.e. the caller-supplied input
 * buffer, so the "master IRP" fields read here are presumably caller data -
 * confirm against the original. Either way pMIrp is dereferenced without a
 * NULL check and no length or access check is made, so any caller able to
 * open the device can drive the IDT/CR4 code in mgZwSetInformationThread.
 */
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
NTSTATUS status = STATUS_INVALID_PARAMETER;
PIO_STACK_LOCATION pIrpStack;
PIRP pMIrp = NULL;
UCHAR ucMF = 0;
ULONG ulFlags = 0;
pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
ucMF = pIrpStack->MinorFunction >= 0x08; // 1 when the minor function is out of the accepted range
ulFlags = pIrpStack->Flags;
pMIrp = pIrp->AssociatedIrp.MasterIrp; // see union note above; may be NULL
//
if ( ucMF )
{
ulFlags = 0; // forces the reject branch below
}
//
if ( ulFlags != 0x20)
{
status = STATUS_INVALID_PARAMETER;
}else{
g_mdlMasterIrpMdlAddress = pMIrp->MdlAddress; // NULL dereference if pMIrp is NULL
g_dwMasterIrpType = pMIrp->Type;
g_dwMasterIrpFlag = ulFlags; // always 0x20 here
//
mgZwSetInformationThread( pMIrp->Type ); // return value ignored
status = 0; // STATUS_SUCCESS
}
//
pIrp->IoStatus.Information = 0;
pIrp->IoStatus.Status = status;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return status;
}
/*
NTSTATUS __stdcall mgZwSetInformationThread( ULONG dwType )
{
__asm{
xor ecx,ecx
cmp dword ptr[g_byNumberProcess] , ecx
mov dword ptr[ ebp - 8 ], ecx
jle _1069B
push ebx
push esi
mov esi , ZwSetInformationThread
mov ebx , dword ptr[g_byUnkBuffer]
_1060E:
xor eax ,eax
inc eax
shl eax, cl
mov ecx, g_pstrRegPath
and ecx, eax
cmp ecx, eax
mov dword ptr[ebp - 4] , eax
jnz _10683
push 0x04
lea eax, dword ptr[ebp - 4]
push eax
push 4
push -2
call esi
sidt fword ptr [ ebp - 0x0E ]
cmp dwType , 0x686F6F6B
jnz _10656
push ebx
push g_byUnkData
push 0x0D
push dword ptr[ ebp -0x0C ]
call mgModfiy
mov eax ,cr4
or eax , 0x04
mov cr4 , eax
jmp _10676
_10656:
cmp dwType , 0x756E686F
jnz _10676
mov eax, cr4
and eax, 0xFFFFFFFB
mov cr4, eax
push 0
push dword ptr[ebx]
push 0x0D
push dword ptr[ ebp - 0x0C ]
call mgModfiy
_10676:
push 4
push g_pstrRegPath
push 4
push -2
call esi
_10683:
mov ecx, dword ptr[ ebp - 8 ]
inc ecx
add ebx,4
cmp ecx , dword ptr[g_byNumberProcess];
mov dword ptr [ebp-8], ecx
jl _1060E
_1069B:
}
return STATUS_SUCCESS;
}
*/
/*
 * Per-processor hook/unhook loop. dwType is a multi-character constant:
 * 0x686F6F6B is 'hook', 0x756E686F is 'unho'. For each processor slot the
 * current thread (pseudo-handle (HANDLE)-2) is pinned to one CPU with
 * ThreadAffinityMask; on 'hook' mgModfiy points IDT entry 0x0D (#GP) at
 * g_byUnkData, saving the old handler in the slot, and CR4 bit 2 (TSD) is
 * set - with TSD set a user-mode RDTSC raises #GP, so presumably the
 * replacement handler intercepts it. On 'unho' the bit is cleared and the
 * saved entry is restored. After each iteration the affinity is set to
 * g_pstrRegPath. The return value is whatever the last
 * ZwSetInformationThread call returned.
 *
 * IDT and CR4 modifications of this kind are exactly what kernel integrity
 * monitoring (IDT hook scanners, PatchGuard on x64) is designed to catch.
 *
 * NOTE(review): this reconstruction differs from the commented disassembly
 * above in several places, flagged on the lines concerned.
 */
NTSTATUS mgZwSetInformationThread( ULONG dwType )
{
ULONG ulNumProcess = 0;
PBYTE pbuf = NULL;
UCHAR bybuf= 0; // never modified below, so every mask computed from it is 1
NTSTATUS nResult = 0;
ULONG ThreadInfo = 0;
BYTE buffer[6] = {0}; // 6 bytes = sidt layout (limit:2, base:4), but no sidt is executed here
// NOTE(review): '>' binds tighter than '=', so ulNumProcess becomes 0 or 1,
// not the processor count; the loop counter therefore starts at 1 (the
// disassembly starts its counter at 0).
if ( ulNumProcess = g_byNumberProcess > 0 )
{
pbuf = g_byUnkBuffer;
do
{
nResult = 1 << bybuf; // per-CPU bit; the disassembly shifts by the loop counter instead
ThreadInfo = 1<< bybuf;
// NOTE(review): the disassembly acts when the bit is SET in the mask;
// this tests the opposite. Note also that the 'unho' branch below is the
// else of this test, not of the dwType test.
if ( (g_pstrRegPath & nResult ) == 0 )
{
ZwSetInformationThread( (HANDLE)0xFFFFFFFE,ThreadAffinityMask , &ThreadInfo, 0x04 ); // pin to this CPU; status ignored
if( dwType == 0x686F6F6B ) // 'hook'
{
// NOTE(review): &buffer[2] is the address of zeroed stack storage, not an
// IDT base read by sidt as in the disassembly (push dword ptr [ebp-0x0C]).
mgModfiy( &buffer[2], 0x0D , g_byUnkData ,pbuf );
__asm //mov eax, cr4
{
_emit 0x0F
_emit 0x20
_emit 0xE0
}
__asm //or eax, 4  (CR4.TSD)
{
or eax, 0x04
}
__asm //mov cr4, eax
{
_emit 0x0F
_emit 0x22
_emit 0xE0
}
}
} else if( dwType == 0x756E686F ){ // 'unho'
__asm //mov eax, cr4
{
_emit 0x0F
_emit 0x20
_emit 0xE0
}
__asm // and eax, ~4  (clear CR4.TSD)
{
and eax, 0xFFFFFFFB
}
_asm //mov cr4, eax
{
_emit 0x0F
_emit 0x22
_emit 0xE0
}
// NOTE(review): passes the slot's address as the handler to restore; the
// disassembly pushes the value stored in the slot (dword ptr [ebx]).
mgModfiy( &buffer[2] , 0x0D , pbuf , 0x00 );
}
//
// Restore affinity from g_pstrRegPath; only this last status is returned.
nResult = ZwSetInformationThread ( (HANDLE)0xFFFFFFFE ,ThreadAffinityMask , (PVOID)g_pstrRegPath , 0x04 );
//
ulNumProcess ++ ;
pbuf += 0x04 ; // next 4-byte save slot in g_byUnkBuffer
} while ( (int)ulNumProcess < g_byNumberProcess );
}
return nResult ;
}
/*
 * Rewrites one 8-byte descriptor in a table. unk1 is the table base, dwunk
 * the descriptor index (callers pass 0x0D), unkbuf1 the new 32-bit offset,
 * unkbuf2 an optional out-pointer that receives the previous offset. The
 * current offset is reassembled from the descriptor's low word (offset 0)
 * and high word (offset 6) - the i386 gate-descriptor layout - and replaced
 * only if it differs, with interrupts disabled on this CPU for the write
 * (pushf/cli ... popf). Returns STATUS_SUCCESS unconditionally, so callers
 * cannot tell whether anything was written. unk1 is not validated and
 * pointers are truncated through int, so this is 32-bit-only code.
 */
NTSTATUS mgModfiy( PVOID unk1 , ULONG dwunk, PVOID unkbuf1, PVOID unkbuf2)
{
int a = 0;
int b = 0;
int c = 0;
if( unkbuf1 ) // a NULL new value is a no-op
{
a = dwunk;
b = (int)unk1;
b = b + ( a * 8 ); // address of descriptor dwunk
a = *(PWORD)(b + 6); // offset bits 31..16
c = *(PWORD)b; // offset bits 15..0
a = a << 0x10;
a = a + c; // current 32-bit offset
if( (int)unkbuf1 != a )
{
if( unkbuf2 ){ *(PDWORD)unkbuf2 = a; } // hand the previous offset back to the caller
__asm
{
pushf
cli
}
*(PWORD)b = (WORD)unkbuf1;
// NOTE(review): the cast to WORD happens before the shift, so this
// expression is always 0 and only the low 16 bits of the new offset
// survive (the read-back above uses the real high word).
*(PWORD)(b+6) = (WORD)unkbuf1 >> 0x10;
__asm
{
popf // restores the EFLAGS (incl. IF) saved by pushf
}
}
}
return STATUS_SUCCESS;
}