蹂躏D&F彻底之一

最新推荐文章于 2021-09-10 21:58:49 发布

EXPENF

最新推荐文章于 2021-09-10 21:58:49 发布

阅读量898

点赞数

本文链接：https://blog.csdn.net/EXPENF/article/details/42764143

版权

*********************************************************标准************************************************************

//rlTenD.cpp<pre name="code" class="cpp"><span style="font-family: Arial, Helvetica, sans-serif;">#include <ntddk.h></span>

#include "rlTenD.h"NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING str){//驱动 ->驱动卸载=卸载驱动pDriver->DriverUnload = UnloadDriver;//调试输出DbgPrint("Loading MyDriver...\r");return 1;}void UnloadDriver(PDRIVER_OBJECT pDriver){//调试输出DbgPrint("UnLoading MyDriver...\r");}

//rlTenD.h
void UnloadDriver(PDRIVER_OBJECT pDriver);

******************************************************开始蹂躏*************************************************************
1.新建头文件rlNtOpenProcess.h，添加（预编译指令）代码：

#ifndef HOOKNTOPENPROCESS
#define HOOKNTOPENPROCESS

#endif

并添加头文件。

2.新建头文件函数.h，添加代码：

#ifndef HANSHU
#define HANSHU


extern "C" long KeServiceDescriptorTable;

int  GetSSDTFunctionAddr(int nSSDTIndex);
bool PanDuanProcessName(char *szName);
void MemoryWritable();
void MemoryNotWritable();
int SSDTHookEngine(int nSSDTIndex,int nFunctionAddr);
void SSDTUnHookEngine(int nSSDTIndex,int nFunctionAddr);
int GetCallAddr(int nCallAddr);

void CallHook(int nCallAddr,int nFunctionAddr)
{
	int nRCallAddr=(nFunctionAddr-nCallAddr-4);
	MemoryWritable();
	__asm
	{
		mov eax,nCallAddr
			mov ebx,nRCallAddr
			mov dword ptr ds:[eax],ebx
	}
	MemoryNotWritable();
}

int GetCallAddr(int nCallAddr)
{
	return (*((int*)nCallAddr)+nCallAddr+4);
}

bool PanDuanProcessName(char *szName)
{
	int nEProcess;
	
	nEProcess=(int)PsGetCurrentProcess();
	
	char szProessaName[16];
		
	strcpy(szProessaName,(char*)(nEProcess+0x174));

	//DbgPrint("------%s------\n",szProessaName);
	
	if(strcmp(szProessaName,szName)==0)
	{
		//DbgPrint("冒险岛调用了此函数\n");
		return true;
	}
	
	return false;
}

int SearchFeature(int nAddr,char* pFeature,int nLeng)
{
	char szStatus[256]="";
	int i=5000;
	
	while(i--)
	{
		RtlMoveMemory(szStatus,(char*)nAddr,nLeng);
		
		if (RtlCompareMemory(pFeature,szStatus,nLeng)==nLeng)
		{
			return nAddr+nLeng;
		}
		nAddr++;
	}
	
	return 0;
}

int GetSSDTFunctionAddr(int nSSDTIndex)
{
	int Addr;
	
	__asm
	{
		mov ebx,nSSDTIndex
		shl ebx,2
		mov eax,KeServiceDescriptorTable
		mov eax,[eax]
		add eax,ebx
		mov ecx,[eax]
		mov Addr,ecx
	}
	
	return Addr;
}


int SSDTHookEngine(int nSSDTIndex,int nFunctionAddr)
{
	MemoryWritable();
	
	int nOldAddr;
	
	__asm
	{
		mov ebx,nSSDTIndex
		shl ebx,2
		mov eax,KeServiceDescriptorTable
		mov eax,[eax]
		add eax,ebx
		mov ecx,[eax]
		mov nOldAddr,ecx
		mov ecx,nFunctionAddr
		mov [eax],ecx
	}
	
	MemoryNotWritable();
	
	return nOldAddr;
}

void InLineHookEngine(int nRHookAddr,int nMyFunctionAddr)
{
	MemoryWritable();
	
	int nJmpAddr=nMyFunctionAddr-nRHookAddr-5;
	
	__asm
	{
		mov eax,nRHookAddr
		mov byte ptr ds:[eax],0xe9
		mov ebx,nJmpAddr
		mov dword ptr ds:[eax+1],ebx
	}
	
	MemoryNotWritable();
}

void UnInLineHookEngine(int nRHookAddr,char *szMacCode,int nLeng)
{
	MemoryWritable();
	
	RtlMoveMemory((char*)nRHookAddr,szMacCode,nLeng);
	
	MemoryNotWritable();
}

void SSDTUnHookEngine(int nSSDTIndex,int nOldFunctionAddr)
{
	MemoryWritable();
	
	__asm
	{
		mov ebx,nSSDTIndex
		shl ebx,2
		mov eax,KeServiceDescriptorTable
		mov eax,[eax]
		add eax,ebx
		mov ecx,nOldFunctionAddr
		mov [eax],ecx
	}
	
	MemoryNotWritable();
}

void MemoryWritable()
{
	__asm 
	{
		cli
		mov eax,cr0
		and eax,not 10000h 
		mov cr0,eax	
	}
}

void MemoryNotWritable()
{
	__asm 
	{  
		mov     eax, cr0 
		or     eax, 10000h 
		mov     cr0, eax 
		sti 
	} 
}

int GetFunCtionAddr(WCHAR* szFunCtionAName)
{
	UNICODE_STRING FsRtlLegalAnsiCharacterArray_String;
	RtlInitUnicodeString(&FsRtlLegalAnsiCharacterArray_String,szFunCtionAName);
	return (int)MmGetSystemRoutineAddress(&FsRtlLegalAnsiCharacterArray_String);
}

int GetKiAttachProcessAddr()
{
	char s=(char)0xe8;
	int	nCallAddr=SearchFeature(GetFunCtionAddr(L"KeAttachProcess"),&s,1);
	
	if (nCallAddr==0)
	{
		return 0;
	}
	int nKiAttachProcessAddr=*((int*)nCallAddr)+nCallAddr+4;
	
	return nKiAttachProcessAddr;
}

#endif

并添加头文件。

======================================================OK版===============================================

rlTenD.cpp

#include <ntddk.h>
#include "rlTenD.h"

#include "rlNtOpenProcess.h"


NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING str)
{

	//驱动 ->驱动卸载=卸载驱动
	pDriver->DriverUnload = UnloadDriver;

	HookNtOpenProcess();
	//调试输出
	DbgPrint("Loading MyDriver...\r");
	return 1;
}

void UnloadDriver(PDRIVER_OBJECT pDriver)
{
	UnHookNtOpenProcess();
	//调试输出
	DbgPrint("UnLoading MyDriver...\r");

}

rlTenD.h

void UnloadDriver(PDRIVER_OBJECT pDriver);

rlNtOpenProcess.h

#include "函数.h"

#ifndef HOOKNTOPENPROCESS
#define HOOKNTOPENPROCESS

int nNtOpenProcessAddr;
int nHookNtOpenProcessAddr;
int nHookNtOpenProcessJmp;//我们要跳的地址
int nHookNtOpenProcessOldJmp;
int nObOpenObjectByPointerAddr;

__declspec(naked) void MyNtOpenProcess()
{
	__asm//恢复前面俩行
	{
<span style="color:#ff0000;">		push    dword ptr[ebp - 38h]
		push    dword ptr[ebp - 24h]</span>
	}
	if <span style="color:#ff0000;">(PanDuanProcessName("DNF.exe") || PanDuanProcessName("TenSafe.exe") || PanDuanProcessName("QQLogin.exe"))</span>//还有很多进程
	{
		__asm
		{
		//如果是DNF调用的
		jmp nHookNtOpenProcessOldJmp//HOOK
		}
	}

	__asm
	{
		call nObOpenObjectByPointerAddr
		jmp nHookNtOpenProcessJmp
	}
}

void HookNtOpenProcess()
{

	nNtOpenProcessAddr = GetFunCtionAddr(L"NtOpenProcess");
	char code[7] = { (char)0xff, (char)0x75, (char)0xc8, (char)0xff, (char)0x75, (char)0xdc, (char)0xe8 };//定义好特征码，方便找到HOOK地方

	nHookNtOpenProcessAddr=SearchFeature(nNtOpenProcessAddr, code, 7)-7;
	DbgPrint("nHookNtOpenProcessAddr=%x\r",nHookNtOpenProcessAddr);

	nHookNtOpenProcessJmp = nHookNtOpenProcessAddr + 11;
	nHookNtOpenProcessOldJmp = nHookNtOpenProcessAddr + 6;
	DbgPrint("nHookNtOpenProcessJmp=%x\n", nHookNtOpenProcessJmp);
	DbgPrint("nHookNtOpenProcessOldJmp=%x\n", nHookNtOpenProcessOldJmp);

	nObOpenObjectByPointerAddr=GetFunCtionAddr(L"ObOpenObjectByPointer");
	DbgPrint("nObOpenObjectByPointerAddr=%x\r", nObOpenObjectByPointerAddr);

	InLineHookEngine(nHookNtOpenProcessAddr, (int)MyNtOpenProcess);
}

void UnHookNtOpenProcess()
{
	<span style="color:#ff0000;">char code[7] = { (char)0xff, (char)0x75, (char)0xc8, (char)0xff, (char)0x75, (char)0xdc, (char)0xe8 };</span>//定义好特征码，方便找到HOOK地方
	UnInLineHookEngine(nHookNtOpenProcessAddr, code, 5);

}

#endif

函数.h

#ifndef HANSHU
#define HANSHU


ULONG KeServiceDescriptorTable;

int  GetSSDTFunctionAddr(int nSSDTIndex);
int PanDuanProcessName(char *szName);
void MemoryWritable();
void MemoryNotWritable();
int SSDTHookEngine(int nSSDTIndex, int nFunctionAddr);
void SSDTUnHookEngine(int nSSDTIndex, int nFunctionAddr);
int GetCallAddr(int nCallAddr);

void CallHook(int nCallAddr, int nFunctionAddr)
{
	int nRCallAddr = (nFunctionAddr - nCallAddr - 4);
	MemoryWritable();
	__asm
	{
		mov eax, nCallAddr
			mov ebx, nRCallAddr
			mov dword ptr ds : [eax], ebx
	}
	MemoryNotWritable();
}

int GetCallAddr(int nCallAddr)
{
	return (*((int*)nCallAddr) + nCallAddr + 4);
}

int PanDuanProcessName(char *szName)
{
	int nEProcess;

	nEProcess = (int)PsGetCurrentProcess();

	char szProessaName[16];

	strcpy(szProessaName, (char*)(nEProcess + 0x174));

	//DbgPrint("------%s------\n",szProessaName);

	if (strcmp(szProessaName, szName) == 0)
	{
		//DbgPrint("冒险岛调用了此函数\n");
		return 1;
	}

	return 0;
}

int SearchFeature(int nAddr, char* pFeature, int nLeng)
{
	char szStatus[256] = "";
	int i = 5000;

	while (i--)
	{
		RtlMoveMemory(szStatus, (char*)nAddr, nLeng);

		if (RtlCompareMemory(pFeature, szStatus, nLeng) == nLeng)
		{
			return nAddr + nLeng;
		}
		nAddr++;
	}

	return 0;
}

int GetSSDTFunctionAddr(int nSSDTIndex)
{
	int Addr;

	__asm
	{
		mov ebx, nSSDTIndex
			shl ebx, 2
			mov eax, KeServiceDescriptorTable
			mov eax, [eax]
			add eax, ebx
			mov ecx, [eax]
			mov Addr, ecx
	}

	return Addr;
}


int SSDTHookEngine(int nSSDTIndex, int nFunctionAddr)
{
	MemoryWritable();

	int nOldAddr;

	__asm
	{
		mov ebx, nSSDTIndex
			shl ebx, 2
			mov eax, KeServiceDescriptorTable
			mov eax, [eax]
			add eax, ebx
			mov ecx, [eax]
			mov nOldAddr, ecx
			mov ecx, nFunctionAddr
			mov[eax], ecx
	}

	MemoryNotWritable();

	return nOldAddr;
}

void InLineHookEngine(int nRHookAddr, int nMyFunctionAddr)
{
	MemoryWritable();

	int nJmpAddr = nMyFunctionAddr - nRHookAddr - 5;

	__asm
	{
		mov eax, nRHookAddr
			mov byte ptr ds : [eax], 0xe9
			mov ebx, nJmpAddr
			mov dword ptr ds : [eax + 1], ebx
	}

	MemoryNotWritable();
}

void UnInLineHookEngine(int nRHookAddr, char *szMacCode, int nLeng)
{
	MemoryWritable();

	RtlMoveMemory((char*)nRHookAddr, szMacCode, nLeng);

	MemoryNotWritable();
}

void SSDTUnHookEngine(int nSSDTIndex, int nOldFunctionAddr)
{
	MemoryWritable();

	__asm
	{
		mov ebx, nSSDTIndex
			shl ebx, 2
			mov eax, KeServiceDescriptorTable
			mov eax, [eax]
			add eax, ebx
			mov ecx, nOldFunctionAddr
			mov[eax], ecx
	}

	MemoryNotWritable();
}

void MemoryWritable()
{
	__asm
	{
		cli
			mov eax, cr0
			and eax, not 10000h
			mov cr0, eax
	}
}

void MemoryNotWritable()
{
	__asm
	{
		mov     eax, cr0
			or     eax, 10000h
			mov     cr0, eax
			sti
	}
}

int GetFunCtionAddr(WCHAR* szFunCtionAName)
{
	UNICODE_STRING FsRtlLegalAnsiCharacterArray_String;
	RtlInitUnicodeString(&FsRtlLegalAnsiCharacterArray_String, szFunCtionAName);
	return (int)MmGetSystemRoutineAddress(&FsRtlLegalAnsiCharacterArray_String);
}

int GetKiAttachProcessAddr()
{
	char s = (char)0xe8;
	int	nCallAddr = SearchFeature(GetFunCtionAddr(L"KeAttachProcess"), &s, 1);

	if (nCallAddr == 0)
	{
		return 0;
	}
	int nKiAttachProcessAddr = *((int*)nCallAddr) + nCallAddr + 4;

	return nKiAttachProcessAddr;
}

#endif

EXPENF

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
蹂躏D&F彻底之一

*********************************************************标准************************************************************//rlTenD.cpp#include #include "rlTenD.h"NTSTATUS DriverEntry(PDRIVER_OBJECT pDr
复制链接

扫一扫