#include "stdafx.h"
#include "SysBase.h"
#define AVA_EXE "DNF.exe"
//#define AVA_EXE "QQ賣.exe"
//#define AVA_EXE "XClient.exe"
//////////////////////////////////////////////////////////////////////////////
#ifdef __cplusplus
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#endif
void OnUnload(IN PDRIVER_OBJECT DriverObject);
void WaitTesSafeThread(IN PVOID pContext);
NTSTATUS GetTesSafeInfo();
NTSTATUS GetSysBaseInfo();
NTSTATUS ExitHook();
NTSTATUS StartHook();
NTSTATUS IoGetCurrentProcessHok();
NTSTATUS IoGetCurrentProcessHok();//开始挂勾
VOID Un_IoGetCurrentProcessHok();//卸载代码
DWORD GetTesSafeIoGetCurrentProcess_Prt();//得到TesSafe 调用 IoGetCurrentProcess 指针
NTSTATUS TesSafe_IoGetCurrentProcessHok();//开始挂勾TesSafe
NTSTATUS TesSafe_MmIsAddressValidHok();//开始挂勾
VOID Fcuk_DebugPortZero();
void PassKiAttachProcess();
DWORD GetTesSafeResert();
VOID SetnGetContextHook();
VOID UnSetnGetContextHook();
/////////////////////////////////////////////////////////////////////////////////////////////////////
// Driver-wide state. Everything below is a plain global written from several
// hooks and from the polling thread without any locking; the comments describe
// what the visible code stores in each, not what the names suggest.
HANDLE hThreadWait = NULL; // handle of the polling thread created in DriverEntry (never closed in this file)
ULONG TesSafe_Base = NULL; // load address of TesSafe.sys (the driver being patched); 0 until found, forced to 1 by OnUnload to break the poll loop
ULONG ntoskrnl_Base = NULL; // kernel image bases/sizes filled in by GetSysBaseInfo (diagnostics only, except the GctID/SctID selection)
ULONG ntkrnlpa_Base = NULL;
ULONG NTKL64G_Base = NULL;
ULONG KDCOM_Base = NULL; // kdcom.dll base/size: traced in GetSysBaseInfo, not used by any hook here
ULONG ntoskrnl_Size = 0;
ULONG ntkrnlpa_Size = 0;
ULONG NTKL64G_Size = 0;
ULONG TesSafe_Size = 0; // image size of TesSafe.sys; every pattern scanner below walks [TesSafe_Base, TesSafe_Base+TesSafe_Size)
ULONG KDCOM_Size = 0;
BOOLEAN IoGetCurrentProcess_Mark = FALSE; // TRUE while the 5-byte jmp at IoGetCurrentProcess is in place
DWORD IoGetCurrentProcess_Addr = 0; // address of ntoskrnl's IoGetCurrentProcess, resolved by GetSysBaseInfo
DWORD IoGetCurrentProcess_Addr_Ret; // where the detour resumes the original routine (entry + 9, set in IoGetCurrentProcessHok)
unsigned char IoGetCurrentProcess_Code[] = {0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0};// backup of the first 10 bytes of IoGetCurrentProcess, restored by Un_IoGetCurrentProcessHok
PEPROCESS AVA_EPROCESS = NULL; // EPROCESS of the AVA_EXE process once Get_AVA_PEPROCESS has seen it; NULL before that
PEPROCESS CurrentProcessEPROCESS=NULL; // scratch slot: My_IoGetCurrentProcess stores eax here before calling Get_AVA_PEPROCESS
DWORD TesSafeIoGetCurrentProcess_Prt = 0; // address inside TesSafe.sys of the DWORD that held IoGetCurrentProcess_Addr (its import slot, presumably)
BOOLEAN TesSafe_IoGetCurrentProcess_Mark = FALSE; // TRUE while that slot points at TesSafe_IoGetCurrentProcess
DWORD MmIsAddressValid_Addr = 0; // address of ntoskrnl's MmIsAddressValid, resolved by GetSysBaseInfo
DWORD TesSafe_MmIsAddressValid_Addr = 0; // address inside TesSafe.sys of the DWORD that held MmIsAddressValid_Addr
DWORD TesSafe_MmIsAddressValid_Mark = FALSE; // declared DWORD but used as a BOOLEAN flag
DWORD OldNGCTServerID;// original SSDT entry (a function pointer, despite the name) for NtGetContextThread; target of Nakd_NtGetThreadContext
DWORD OldNSCTServerID;// original SSDT entry for NtSetContextThread; target of Nakd_NtSetThreadContext
DWORD GctID=0; // SSDT index of NtGetContextThread; 0 means "unknown kernel", which disables SetnGetContextHook
DWORD SctID=0; // SSDT index of NtSetContextThread
/////////////////////////////////////////勾子得到DNF.exe PE结构指针函数//////////////////////////////////////////////////
// Hook body reached from My_IoGetCurrentProcess on every IoGetCurrentProcess call
// until the AVA_EXE process has been seen. Reads CurrentProcessEPROCESS (filled in
// by the caller's inline asm), compares the process image name with AVA_EXE
// case-insensitively and, on the first match, records the EPROCESS in AVA_EPROCESS,
// removes the IoGetCurrentProcess entry patch and installs the remaining patches.
// Runs in the context and at the IRQL of whatever kernel code called
// IoGetCurrentProcess; the DbgPrint on every call and the patch installers below
// are not obviously safe above PASSIVE_LEVEL — TODO confirm.
// NOTE(review): "c**t char*" on the lines below is a garbled "const char*" cast
// (page artifact); the code is reproduced as found.
VOID Get_AVA_PEPROCESS()
{
ANSI_STRING Str_A,Str_B;
if (AVA_EPROCESS==NULL)
{
RtlInitAnsiString(&Str_A,AVA_EXE);// wrap the target image name
RtlInitAnsiString(&Str_B,(c**t char*)PsGetProcessImageFileName(CurrentProcessEPROCESS));// wrap the caller's image name
DbgPrint("PEPROCESS 结构指针: 0x%08X 进程: %s \n", CurrentProcessEPROCESS,(c**t char*)PsGetProcessImageFileName(CurrentProcessEPROCESS));// traced on every call: very noisy on this hot path
if (RtlCompareString(&Str_A,&Str_B,TRUE)==0)// TRUE = case-insensitive compare
{
DbgPrint("PEPROCESS 结构指针: 0x%08X 进程: %s \n", CurrentProcessEPROCESS,(c**t char*)PsGetProcessImageFileName(CurrentProcessEPROCESS));
AVA_EPROCESS=CurrentProcessEPROCESS;
Un_IoGetCurrentProcessHok();// restore IoGetCurrentProcess first: this function is itself running through that patch
TesSafe_IoGetCurrentProcessHok();// point TesSafe's IoGetCurrentProcess slot at a stub returning AVA_EPROCESS
GetTesSafeResert();// pattern-patch one TesSafe routine into an immediate `ret 4`
TesSafe_MmIsAddressValidHok();// point TesSafe's MmIsAddressValid slot at a stub returning FALSE
Fcuk_DebugPortZero();// rewrite a TesSafe global to 0x70 (see that function)
PassKiAttachProcess();// rewrite the first 7 bytes of KiAttachProcess with a standard prologue
SetnGetContextHook();// SSDT hooks for NtGet/SetContextThread
}
}
}
///////////////////////////////去除硬件断点////////////////////////////////////////
// Naked pass-through to the original NtGetContextThread. Tail-jumps through the
// pointer saved in OldNGCTServerID, so the caller's frame (hThread, pContext,
// return address) reaches the original routine untouched and its return goes
// straight back to the caller. Only valid after SetnGetContextHook has filled
// OldNGCTServerID; before that the jmp goes through an uninitialised global.
NTSTATUS _declspec(naked) Nakd_NtGetThreadContext(HANDLE hThread, PCONTEXT pContext)
{
__asm
{
jmp DWORD ptr[OldNGCTServerID]// indirect jmp, no frame of its own
}
}
// Naked pass-through to the original NtSetContextThread via OldNSCTServerID;
// same contract as Nakd_NtGetThreadContext (no frame, caller's arguments and
// return address are forwarded as-is). Requires SetnGetContextHook to have run.
NTSTATUS _declspec(naked) Nakd_NtSetThreadContext(HANDLE hThread, PCONTEXT pContext)
{
__asm
{
jmp DWORD ptr[OldNSCTServerID]// indirect jmp through the saved SSDT entry
}
}
// SSDT replacement for NtGetContextThread. If the *calling* process is not
// AVA_EXE (_stricmp != 0) the call is forwarded to the original; if it is,
// STATUS_SUCCESS is returned without writing *pContext, so per the section
// header the caller never observes the debug registers / hardware breakpoints.
// Note the decision is made on the caller's image name, not on the thread that
// hThread refers to, and the untouched *pContext is returned as "success".
// NOTE(review): "c**t char*" is a garbled "const char*" (page artifact).
NTSTATUS MyNtGetThreadContext(HANDLE hThread, PCONTEXT pContext)
{
if (_stricmp((c**t char*)PsGetProcessImageFileName(PsGetCurrentProcess()),AVA_EXE))// non-zero: a different process
{
return Nakd_NtGetThreadContext(hThread, pContext);// forward to the real service
}
return STATUS_SUCCESS;// AVA_EXE: pretend success, leave pContext unchanged
}
// SSDT replacement for NtSetContextThread, mirror of MyNtGetThreadContext:
// forwarded for every caller except AVA_EXE, for which the context write is
// silently dropped and STATUS_SUCCESS returned.
// NOTE(review): "c**t char*" is a garbled "const char*" (page artifact).
NTSTATUS MyNtSetThreadContext(HANDLE hThread, PCONTEXT pContext)
{
if (_stricmp((c**t char*)PsGetProcessImageFileName(PsGetCurrentProcess()),AVA_EXE))// caller is not AVA_EXE
{
return Nakd_NtSetThreadContext(hThread, pContext);
}
return STATUS_SUCCESS;// AVA_EXE: context write is discarded
}
// Installs the SSDT hooks for NtGetContextThread (index GctID) and
// NtSetContextThread (index SctID). Both indices are chosen in GetSysBaseInfo;
// GctID == 0 means the kernel flavour was not recognised and nothing is patched
// (SctID is not checked on its own). The original entries are saved in
// OldNGCTServerID/OldNSCTServerID for the naked trampolines and for
// UnSetnGetContextHook. KeServiceDescriptorTable, WPOFF and WPON come from
// SysBase.h and are not visible here (WPOFF/WPON presumably toggle CR0.WP —
// confirm). Raising to DPC level only keeps this CPU from being preempted while
// WP is off; nothing is done about other CPUs. Not idempotent: a second call
// would save the hook addresses as the "old" entries.
// Detection note: an SSDT entry pointing outside the kernel image is the
// standard indicator for exactly this patch.
VOID SetnGetContextHook()
{
if (!GctID)
{
return;
}
DWORD Addr_NGCT;
DWORD Addr_NSCT;
Addr_NGCT = (ULONG)KeServiceDescriptorTable->ServiceTableBase + GctID * 4; // address of the NtGetContextThread slot (4-byte entries on x86)
Addr_NSCT = (ULONG)KeServiceDescriptorTable->ServiceTableBase + SctID * 4; // address of the NtSetContextThread slot
OldNGCTServerID=*((DWORD*)Addr_NGCT);// save the original service pointer
OldNSCTServerID=*((DWORD*)Addr_NSCT);// save the original service pointer
KIRQL oldIrql;
oldIrql = KeRaiseIrqlToDpcLevel();
WPOFF();
*((ULONG*)Addr_NGCT) = (ULONG)MyNtGetThreadContext; // redirect the SSDT entry
*((ULONG*)Addr_NSCT) = (ULONG)MyNtSetThreadContext; // redirect the SSDT entry
WPON();
KeLowerIrql(oldIrql);
}
// Restores the two SSDT entries written by SetnGetContextHook from
// OldNGCTServerID/OldNSCTServerID. Same GctID guard, same IRQL/WP handling.
// There is no flag recording whether SetnGetContextHook actually ran: if it did
// not (or GetSysBaseInfo ran but the hook did not), this writes the
// uninitialised Old* globals into the table.
VOID UnSetnGetContextHook()
{
if (!GctID)
{
return;
}
DWORD Addr_NGCT;
DWORD Addr_NSCT;
Addr_NGCT = (ULONG)KeServiceDescriptorTable->ServiceTableBase + GctID * 4; // NtGetContextThread slot
Addr_NSCT = (ULONG)KeServiceDescriptorTable->ServiceTableBase + SctID * 4; // NtSetContextThread slot
KIRQL oldIrql;
oldIrql = KeRaiseIrqlToDpcLevel();
WPOFF();
*((ULONG*)Addr_NGCT) = OldNGCTServerID; // put the original pointer back
*((ULONG*)Addr_NSCT) = OldNSCTServerID; // put the original pointer back
WPON();
KeLowerIrql(oldIrql);
}
//这个是为了得到白名单的PEPROCESS用的//当得到AVA的EPROCESS后这个勾子卸载掉
// Detour target for the entry patch made by IoGetCurrentProcessHok. Replays the
// two instructions that the 5-byte jmp overwrote (6 + 3 = 9 bytes, which is why
// IoGetCurrentProcess_Addr_Ret is entry + 9), saves all general registers,
// passes eax to Get_AVA_PEPROCESS through the CurrentProcessEPROCESS global and
// resumes the original routine. pushad/popad do not preserve EFLAGS; the
// original routine's only result is eax, so that is consistent with its contract.
// The two replayed instructions are the 32-bit XP-era body of IoGetCurrentProcess
// (fs:[0x124] = KPCR.PrcbData.CurrentThread; [+0x44] presumably
// KTHREAD.ApcState.Process) — build-specific, confirm for the target kernel.
// Every IoGetCurrentProcess caller in the system goes through this until the
// hook is removed, at whatever IRQL that caller holds.
void __declspec(naked) My_IoGetCurrentProcess() // replacement entry
{
__asm
{
mov eax, dword ptr fs:[0x124]// replay: current KTHREAD
mov eax, dword ptr [eax+0x44]// replay: its process (EPROCESS)
pushad// save all GPRs around the C call
mov CurrentProcessEPROCESS,eax// hand the value over via the global
call Get_AVA_PEPROCESS
popad
jmp IoGetCurrentProcess_Addr_Ret// continue the original at entry + 9
}
}
// Installs a 5-byte `jmp rel32` (E9) at IoGetCurrentProcess_Addr that lands in
// My_IoGetCurrentProcess. Saves the first 10 bytes for Un_IoGetCurrentProcessHok
// and sets the resume address to entry + 9 (the length of the two instructions
// the detour replays). Bytes 5..8 of the original are left in place but are no
// longer reached directly. Assumes IoGetCurrentProcess_Addr was resolved by
// GetSysBaseInfo (no zero check) and that the routine really starts with those
// 9 bytes; on a kernel with a different prologue the resume lands mid-instruction.
// The write is not atomic and raising to DPC level protects only this CPU.
// Always returns STATUS_SUCCESS.
// Detection note: an E9 at an exported ntoskrnl entry whose target is outside
// the kernel image is what prologue/code-integrity checks compare against the
// on-disk image.
NTSTATUS IoGetCurrentProcessHok()// install the entry patch
{
// remember that the patch is in place
IoGetCurrentProcess_Mark = TRUE;
// resume point for the detour: entry + 9
IoGetCurrentProcess_Addr_Ret = IoGetCurrentProcess_Addr + 0x9;
// back up the original bytes (10, one more than the 9 replayed)
RtlCopyMemory(IoGetCurrentProcess_Code,(PVOID)IoGetCurrentProcess_Addr,0xA);
KIRQL oldIrql;
ULONG JmpCode = (ULONG)My_IoGetCurrentProcess - IoGetCurrentProcess_Addr - 0x5;// rel32 = target - (entry + 5)
oldIrql = KeRaiseIrqlToDpcLevel();
WPOFF();
__asm
{
MOV EBX,IoGetCurrentProcess_Addr// EBX = patch address
MOV DL,0xE9// opcode: jmp rel32
MOV BYTE PTR [EBX],DL// write the opcode byte
ADD EBX,0x1
MOV EDX,JmpCode
MOV DWORD PTR [EBX],EDX// write the 4-byte displacement
}
WPON();
KeLowerIrql(oldIrql);
return STATUS_SUCCESS;
}
// Removes the IoGetCurrentProcess entry patch by copying the 10 saved bytes back,
// guarded by IoGetCurrentProcess_Mark so it is safe to call more than once (it is
// called both from Get_AVA_PEPROCESS and from ExitHook). The restore is a plain
// memcpy under DPC level; another CPU may still be executing the detour at that
// moment — no code-patch synchronisation is done.
VOID Un_IoGetCurrentProcessHok()// remove the entry patch
{
KIRQL oldIrql;
oldIrql = KeRaiseIrqlToDpcLevel();
if (IoGetCurrentProcess_Mark)
{
WPOFF();
memcpy((PVOID)IoGetCurrentProcess_Addr,IoGetCurrentProcess_Code,0xA);// restore original bytes
WPON();
}
IoGetCurrentProcess_Mark = FALSE;
KeLowerIrql(oldIrql);
}
/////////////////////////////////////////得到DNF.exe 调用函数IoGetCurrentProcess指针//////////////////////////////////////////////////
//得到系TesSafe调用的IoGetCurrentProcess内核函数地址
// Scans the TesSafe.sys image for a 4-byte-aligned DWORD equal to
// IoGetCurrentProcess_Addr and returns its address, or 0 if none is found.
// The hit is used as a pointer slot to overwrite, so it is presumably the
// driver's import entry for IoGetCurrentProcess (inferred from the caller).
// Walk: 1024-byte windows compared with `!=` against TesSafe_Base+TesSafe_Size.
// If TesSafe_Size is not a multiple of 1024 the outer condition is never met and
// the scan continues past the image; the inner loop likewise never stops early.
// No address-validity checks are made before dereferencing.
DWORD GetTesSafeIoGetCurrentProcess_Prt()
{
DWORD pMemoryStart = TesSafe_Base;
DWORD pMemoryEnd = (TesSafe_Base + TesSafe_Size);
DWORD Begin;
DWORD End;
for(pMemoryStart; pMemoryStart != pMemoryEnd; pMemoryStart += 1024)// 1 KiB windows
{
Begin = pMemoryStart;
End = pMemoryStart + 1024;
for(Begin; Begin != End; Begin += 4)// DWORD-aligned compare
{
if (*(DWORD*)Begin==IoGetCurrentProcess_Addr)
{
return Begin;// first matching slot
}
}
}
return 0;
}
// Byte-scans TesSafe.sys for the sequence 8B ?? 53 56 57 EB ?? FF (a mov, then
// push ebx / push esi / push edi, a short jmp and an FF-prefixed instruction) and
// overwrites the first four bytes of the first match with 0x900004C2, which in
// memory is C2 04 00 90: `ret 4` followed by a nop. The matched routine therefore
// returns immediately (stdcall, one DWORD argument). Returns the patched address
// or 0. What the routine does in TesSafe ("Resert", presumably "Reset") is not
// visible here. Unlike SetnGetContextHook there is no IRQL raise around
// WPOFF/WPON. Same scan hazards as GetTesSafeIoGetCurrentProcess_Prt, plus the
// compare reads up to Begin+7, i.e. past the end of the last window.
DWORD GetTesSafeResert()
{
DWORD pMemoryStart = TesSafe_Base;
DWORD pMemoryEnd = (TesSafe_Base + TesSafe_Size);
DWORD Begin;
DWORD End;
for(pMemoryStart; pMemoryStart != pMemoryEnd; pMemoryStart += 1024)
{
Begin = pMemoryStart;
End = pMemoryStart + 1024;
for(Begin; Begin != End; Begin += 1)// byte stride: the pattern is not aligned
{
if (*(BYTE*)Begin==0x8B&&// mov r32, r/m32
*(BYTE*)(Begin + 2)==0x53&&// push ebx
*(BYTE*)(Begin + 3)==0x56&&// push esi
*(BYTE*)(Begin + 4)==0x57&&// push edi
*(BYTE*)(Begin + 5)==0xEB&&// jmp short
*(BYTE*)(Begin + 7)==0xFF)
{
DbgPrint("TesSafeResert 指针: 0x%08X \n", Begin);
WPOFF();
*(DWORD*)(Begin) = 0x900004C2;// C2 04 00 90 = ret 4 ; nop
WPON();
return Begin;
}
}
}
return 0;
}
//这个是给TesSaft.sys专用的
// Replacement that TesSafe.sys reaches instead of IoGetCurrentProcess once its
// pointer slot has been rewritten by TesSafe_IoGetCurrentProcessHok. Ignores the
// real current process and always returns AVA_EPROCESS in eax. Plain `retn`
// (no argument cleanup) matches the zero-argument IoGetCurrentProcess.
void __declspec(naked) TesSafe_IoGetCurrentProcess()
{
__asm
{
mov eax,AVA_EPROCESS// constant answer: the recorded target process
retn
}
}
// Locates the DWORD in TesSafe.sys that holds IoGetCurrentProcess_Addr and, if
// found, replaces it with the address of TesSafe_IoGetCurrentProcess, setting
// TesSafe_IoGetCurrentProcess_Mark for the unhook. Returns STATUS_SUCCESS in
// both cases (a miss is only traced). No IRQL raise around the write.
NTSTATUS TesSafe_IoGetCurrentProcessHok()// install
{
TesSafeIoGetCurrentProcess_Prt = GetTesSafeIoGetCurrentProcess_Prt();
DbgPrint("TesSafeIoGetCurrentProcess_Prt 指针: 0x%08X \n", TesSafeIoGetCurrentProcess_Prt);
if (TesSafeIoGetCurrentProcess_Prt)// 0 = slot not found, leave TesSafe alone
{
WPOFF();
*(DWORD*)TesSafeIoGetCurrentProcess_Prt = (DWORD)TesSafe_IoGetCurrentProcess;// retarget the slot
WPON();
TesSafe_IoGetCurrentProcess_Mark = TRUE;
}
return STATUS_SUCCESS;
}
// Restores TesSafe's IoGetCurrentProcess slot to IoGetCurrentProcess_Addr, but
// only if the hook was installed and TesSafe.sys is still loaded (GetModBase),
// so the write does not land in unmapped memory after that driver is gone.
// If TesSafe.sys was unloaded and reloaded at another base in between, the saved
// slot address is stale and the guard does not catch that.
VOID Un_TesSafe_IoGetCurrentProcessHok()// remove
{
if (TesSafe_IoGetCurrentProcess_Mark && GetModBase("TesSafe.sys"))
{
WPOFF();
*(DWORD*)TesSafeIoGetCurrentProcess_Prt = (DWORD)IoGetCurrentProcess_Addr;// original pointer back
WPON();
TesSafe_IoGetCurrentProcess_Mark = FALSE;
}
}
/////////////////////////////////////////得到DNF.exe 调用函数MmIsAddressValid指针//////////////////////////////////////////////////
//得到系TesSafe调用的 MmIsAddressValid 内核函数地址
// Same scan as GetTesSafeIoGetCurrentProcess_Prt, but looks for a DWORD equal to
// MmIsAddressValid_Addr (presumably TesSafe's import slot for that routine).
// Returns the slot address or 0. The "IoGet" in the name is a copy-paste leftover.
// Same termination hazard: the `!=` bound is only reached when TesSafe_Size is a
// multiple of 1024.
DWORD GetTesSafeIoGetMmIsAddressValid_Prt()
{
DWORD pMemoryStart = TesSafe_Base;
DWORD pMemoryEnd = (TesSafe_Base + TesSafe_Size);
DWORD Begin;
DWORD End;
for(pMemoryStart; pMemoryStart != pMemoryEnd; pMemoryStart += 1024)// 1 KiB windows
{
Begin = pMemoryStart;
End = pMemoryStart + 1024;
for(Begin; Begin != End; Begin += 4)// DWORD-aligned compare
{
if (*(DWORD*)Begin==MmIsAddressValid_Addr)
{
return Begin;
}
}
}
return 0;
}
//这个是给TesSaft.sys专用的//不同系统有所区别在retn
// Replacement reached by TesSafe.sys instead of MmIsAddressValid once its slot is
// rewritten: `xor al,al` returns FALSE (BOOLEAN in al) for every address, and
// `retn 4` pops the single stdcall argument. The file's own note says the retn
// form differs between systems; the 4 here matches a one-DWORD-argument stdcall.
void __declspec(naked) TesSafe_MmIsAddressValid()
{
__asm
{
xor al, al// always "not valid"
retn 4// stdcall: discard the VirtualAddress argument
}
}
// Rewrites TesSafe's MmIsAddressValid slot to point at TesSafe_MmIsAddressValid.
// Unlike TesSafe_IoGetCurrentProcessHok there is no check that the scan found a
// slot: when GetTesSafeIoGetMmIsAddressValid_Prt returns 0 the write below goes
// to address 0 (bugcheck). The Mark is set before the write rather than after a
// successful one. Always returns STATUS_SUCCESS; no IRQL raise around the write.
NTSTATUS TesSafe_MmIsAddressValidHok()// install
{
TesSafe_MmIsAddressValid_Mark = TRUE;
TesSafe_MmIsAddressValid_Addr = GetTesSafeIoGetMmIsAddressValid_Prt();
DbgPrint("TesSafe_MmIsAddressValid_Addr 指针: 0x%08X to 0x%08X\n", TesSafe_MmIsAddressValid_Addr,(DWORD)TesSafe_MmIsAddressValid);
WPOFF();
*(DWORD*)TesSafe_MmIsAddressValid_Addr = (DWORD)TesSafe_MmIsAddressValid;// unguarded when the scan returned 0
WPON();
return STATUS_SUCCESS;
}
// Restores TesSafe's MmIsAddressValid slot to MmIsAddressValid_Addr when the hook
// is marked installed and TesSafe.sys is still loaded. Because the install path
// sets the Mark even when no slot was found, this can write to address 0 too.
VOID Un_TesSafe_MmIsAddressValidHok()// remove
{
if (TesSafe_MmIsAddressValid_Mark && GetModBase("TesSafe.sys"))
{
WPOFF();
*(DWORD*)TesSafe_MmIsAddressValid_Addr = (DWORD)MmIsAddressValid_Addr;// original pointer back
WPON();
TesSafe_MmIsAddressValid_Mark = FALSE;
}
}
////////////////////////////////干掉DebugPort清零//////////////////////////////////
// Byte-scans TesSafe.sys for 8B ?? ?? 8B ?? A1 <imm32> ?? ?? 8B ?? ?? 8B, i.e. a
// `mov eax,[imm32]` (A1) between register moves. The imm32 at Begin+6 is taken as
// the address of a TesSafe global; the code reads that global, adds 4 and writes
// 0x70 to the resulting address. Per the section header this is meant to defeat
// TesSafe's "DebugPort zeroing"; the rewritten value is presumably the EPROCESS
// field offset TesSafe uses for that write (inferred from the header only — confirm
// against a disassembly of the matched routine). Returns at the first match.
// Review notes: DebugPortOffset is assigned three times; the first value is only
// traced and the second and third are the same expression, so one is redundant.
// None of the dereferenced pointers (imm32, *imm32+4) is validated; no IRQL raise
// around the write; the 1024-step walk has the same termination hazard as the
// other scanners and the compare reads up to Begin+13 past a window's end.
VOID Fcuk_DebugPortZero()
{
ULONG DebugPortOffset=0;
DWORD pMemoryStart = TesSafe_Base;
DWORD pMemoryEnd = (TesSafe_Base + TesSafe_Size);
DWORD Begin;
DWORD End;
for(pMemoryStart; pMemoryStart != pMemoryEnd; pMemoryStart += 1024)
{
Begin = pMemoryStart;
End = pMemoryStart + 1024;
for(Begin; Begin != End; Begin += 1)// byte stride
{
if (*(BYTE*)Begin==0x8B&&
*(BYTE*)(Begin + 3)==0x8B&&
*(BYTE*)(Begin + 5)==0xA1&&// mov eax, [imm32]; imm32 at +6..+9
*(BYTE*)(Begin + 10)==0x8B&&
*(BYTE*)(Begin + 13)==0x8B)
{
DebugPortOffset=*(ULONG*)(Begin+0x6);// imm32: address of the global
DbgPrint("DebugPortOffset 指针: 0x%08X \n", DebugPortOffset);
DebugPortOffset=*(ULONG*)DebugPortOffset+4;// value of that global + 4
DbgPrint("DebugPortOffset 指针: 0x%08X \n", DebugPortOffset);
DebugPortOffset=*(ULONG*)(*(ULONG*)(Begin+0x6))+4;// same computation again
DbgPrint("DebugPortOffset 指针: 0x%08X \n", DebugPortOffset);
WPOFF();
*(ULONG*)DebugPortOffset=0x70;// overwrite the located value with 0x70
WPON();
return;
}
}
}
return;
}
// Writes a standard 7-byte x86 prologue (8B FF 55 8B EC 53 56 = mov edi,edi;
// push ebp; mov ebp,esp; push ebx; push esi) over the first bytes of
// KiAttachProcess. KiAttachProcess is not exported, so it is found by walking
// forward from KeAttachProcess byte by byte until a `call rel32` (E8) preceded by
// 50 FF (push eax; FF-prefixed op) and followed by 5F ... C2 (pop edi; ret imm16)
// is seen; the inline asm then resolves the call target as addr + rel32 + 5.
// The bytes written are a prologue as found on the kernel build the author used;
// the section header suggests this is meant to undo a patch TesSafe placed there
// (inference — not visible in this file). Build-specific in both pattern and bytes.
// Review notes: the MmGetSystemRoutineAddress result is not checked for NULL
// before *(_bp-6) is read; the while(1) walk has no upper bound and faults if
// the pattern never appears; the write happens without an IRQL raise. The
// push/pop of eax/ebx inside the __asm block is unnecessary (MSVC does not
// require preserving eax/ebx in inline asm) — style only.
void PassKiAttachProcess()
{
ULONG addr_KiAttachProcess=0;
UNICODE_STRING u_KeAttachProcess;
BYTE _bp1[]={0x8B,0xFF,0x55,0x8B,0xEC,0x53,0x56};// mov edi,edi / push ebp / mov ebp,esp / push ebx / push esi
BYTE* _bp=NULL;
RtlInitUnicodeString(&u_KeAttachProcess,L"KeAttachProcess");
_bp=(BYTE*)MmGetSystemRoutineAddress(&u_KeAttachProcess);// exported anchor; may be NULL (unchecked)
while(1)
{
if((*(_bp-6)==0x50)&&(*(_bp-5)==0xFF)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x5F)&&(*(_bp+8)==0xC2))// push eax ; FF.. ; call rel32 ; pop edi ; ... ; ret imm16
{
addr_KiAttachProcess=(ULONG)_bp;
__asm
{
push eax
push ebx
mov eax,addr_KiAttachProcess// eax = address of the E8
mov ebx,[eax+1]// ebx = rel32
add eax,ebx
add eax,5// target = addr + rel32 + 5
mov addr_KiAttachProcess,eax
pop ebx
pop eax
}
break;
}
_bp++;
}
WPOFF();
RtlCopyBytes((void*)addr_KiAttachProcess,_bp1,7);// overwrite the first 7 bytes of KiAttachProcess
WPON();
}
///////////////////////////////////////////////////////////////////////////////////////////////////
//驱动入口
// Driver entry: registers OnUnload and starts WaitTesSafeThread as a system
// thread, then returns STATUS_SUCCESS regardless of PsCreateSystemThread's
// result (ntStatus is only passed to KdPrint, whose format string has no
// conversion for it). On failure hThreadWait stays NULL and OnUnload skips the
// wait. RegistryPath is unused.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
DbgPrint("驱动加载...\n");
DriverObject->DriverUnload = OnUnload;
NTSTATUS ntStatus = PsCreateSystemThread(&hThreadWait,0,NULL,(HANDLE)0,NULL,WaitTesSafeThread,NULL);// status not acted on
KdPrint(("创建线程...\n", ntStatus));// no %x in the format: ntStatus is never printed
return STATUS_SUCCESS;
}
// System thread body: polls once per second (relative interval, -10,000,000 x
// 100 ns = 1 s, alertable) until GetModBase("TesSafe.sys") returns non-zero,
// then resolves kernel/TesSafe addresses and installs the first hook.
// OnUnload forces the loop to end by setting TesSafe_Base = 1; in that case
// GetSysBaseInfo/GetTesSafeInfo/StartHook still run on the unload path
// (GetTesSafeInfo re-reads the real base, possibly 0, and StartHook patches
// IoGetCurrentProcess anyway before ExitHook undoes it). The routine returns
// instead of calling PsTerminateSystemThread — WDK guidance asks for the explicit
// call; confirm for the target kernel. pContext is unused.
void WaitTesSafeThread(IN PVOID pContext)
{
LARGE_INTEGER liInterval;
liInterval.QuadPart = - 10 * 1000 * 1000;// negative = relative; 1 second
do
{
DbgPrint("等待 TesSafe.sys ...\n");
TesSafe_Base = GetModBase("TesSafe.sys");
KeDelayExecutionThread(KernelMode,TRUE,&liInterval);
}while(!TesSafe_Base);// also exits when OnUnload writes 1
DbgPrint("定位 TesSafe.sys ...\n");
GetSysBaseInfo();
GetTesSafeInfo();
StartHook();
}
//驱动卸载
// Unload routine: breaks the poll loop (TesSafe_Base = 1), waits for the worker
// thread to finish so no hook is installed concurrently, then removes every
// patch via ExitHook.
// Review notes: ObDereferenceObject(&objtowait) passes the address of the local
// variable, not the object pointer stored in it — the thread object reference
// taken by ObReferenceObjectByHandle is leaked and a stack address is
// dereferenced instead. That call's status is unchecked; if it fails objtowait
// is NULL and KeWaitForSingleObject faults. hThreadWait is never closed with
// ZwClose.
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
PVOID objtowait = 0;
if (hThreadWait)
{
TesSafe_Base=1;// make WaitTesSafeThread's loop exit
ObReferenceObjectByHandle(hThreadWait,THREAD_ALL_ACCESS,NULL,KernelMode,&objtowait,NULL);// status ignored
KeWaitForSingleObject(objtowait,Executive,KernelMode,FALSE,NULL);// wait for the thread to end
ObDereferenceObject(&objtowait);// BUG: should be objtowait, not its address
}
ExitHook();
DbgPrint("卸载驱动...\n");
}
// Records the base and size of TesSafe.sys (GetModBase/GetModSize from SysBase.h)
// into the globals every scanner uses, and traces them. Always STATUS_SUCCESS,
// even when both come back 0 (the scanners then read from address 0).
NTSTATUS GetTesSafeInfo()
{
TesSafe_Base = GetModBase("TesSafe.sys");
TesSafe_Size = GetModSize("TesSafe.sys");
DbgPrint("地址: 0x%08X 大小: 0x%08X --- TesSafe.sys\n", TesSafe_Base,TesSafe_Size);
return STATUS_SUCCESS;
}
// Resolves the kernel image bases/sizes and the two routine addresses the hooks
// need (IoGetCurrentProcess, MmIsAddressValid via GetFunAddress from SysBase.h),
// and picks the SSDT indices GctID/SctID for NtGet/SetContextThread.
// Review notes: the indices 85/213 (0x55/0xD5) are hard-coded and the same for
// the ntoskrnl and "NTKL64G" flavours; they match the Windows XP service table —
// confirm for any other build. Nothing sets them for the ntkrnlpa flavour, so on
// that kernel GctID stays 0 and SetnGetContextHook is a no-op. NTKL64G_Size is
// assigned from GetModBase where GetModSize was evidently intended (copy-paste).
// "NTKL64G.exe" is not a standard kernel image name — possibly a typo. The
// GetFunAddress results are not checked for 0 before the hooks use them.
// Always returns STATUS_SUCCESS.
NTSTATUS GetSysBaseInfo()
{
ntoskrnl_Base = GetModBase("ntoskrnl.exe");
if (ntoskrnl_Base)
{
GctID=85;// 0x55: NtGetContextThread index (build-specific)
SctID=213;// 0xD5: NtSetContextThread index (build-specific)
}
ntoskrnl_Size = GetModSize("ntoskrnl.exe");
ntkrnlpa_Base = GetModBase("ntkrnlpa.exe");// PAE kernel: no GctID/SctID assigned for it
ntkrnlpa_Size = GetModSize("ntkrnlpa.exe");
NTKL64G_Base = GetModBase("NTKL64G.exe");
NTKL64G_Size = GetModBase("NTKL64G.exe");// NOTE(review): GetModBase, not GetModSize — size holds the base
if (NTKL64G_Base)
{
GctID=85;
SctID=213;
}
DbgPrint("地址: 0x%08X 大小: 0x%08X --- ntoskrnl.exe\n", ntoskrnl_Base,ntoskrnl_Size);
DbgPrint("地址: 0x%08X 大小: 0x%08X --- ntkrnlpa.exe\n", ntkrnlpa_Base,ntkrnlpa_Size);
DbgPrint("地址: 0x%08X 大小: 0x%08X --- NTKL64G.exe\n", NTKL64G_Base,NTKL64G_Size);
// kdcom.dll image base/size: traced only, not used by any hook in this file
KDCOM_Base = GetModBase("kdcom.DLL");
KDCOM_Size = GetModSize("kdcom.DLL");
DbgPrint("地址: 0x%08X 大小: 0x%08X --- kdcom.DLL\n", KDCOM_Base,KDCOM_Size);
// kernel address of IoGetCurrentProcess (patched by IoGetCurrentProcessHok)
IoGetCurrentProcess_Addr = GetFunAddress(L"IoGetCurrentProcess");
DbgPrint("地址: 0x%08X --- IoGetCurrentProcess_Addr \n", IoGetCurrentProcess_Addr);
// kernel address of MmIsAddressValid (looked for inside TesSafe.sys)
MmIsAddressValid_Addr = GetFunAddress(L"MmIsAddressValid");
DbgPrint("地址: 0x%08X --- MmIsaddressValid \n", MmIsAddressValid_Addr);
return STATUS_SUCCESS;
}
// Installs the first (and only direct) hook: the IoGetCurrentProcess entry patch.
// Every other patch is installed later from Get_AVA_PEPROCESS once the target
// process has been observed. Always STATUS_SUCCESS.
NTSTATUS StartHook()
{
IoGetCurrentProcessHok();// entry patch on IoGetCurrentProcess
DbgPrint("加载勾子...\n");
return STATUS_SUCCESS;
}
// Removes every patch that has an unhook routine: the IoGetCurrentProcess entry
// patch, the two TesSafe pointer slots and the SSDT entries. The patches made by
// GetTesSafeResert, Fcuk_DebugPortZero and PassKiAttachProcess have no undo and
// stay in place after unload. Always STATUS_SUCCESS.
NTSTATUS ExitHook()
{
DbgPrint("卸载勾子...\n");
Un_IoGetCurrentProcessHok();
Un_TesSafe_IoGetCurrentProcessHok();
Un_TesSafe_MmIsAddressValidHok();
UnSetnGetContextHook();
return STATUS_SUCCESS;
}