|
[原创]shoooo第二轮第二题
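/* Method 21 (第二十一种) — kernel side: shoooo25.c */
#include <ntddk.h>
#pragma warning(disable:4047)

/*
 * Declarations copied from the original post.  None of them is used by this
 * driver (it never attaches to a process); they are kept so the listing stays
 * a drop-in replacement.  NOTE(review): newer DDKs already declare KAPC_STATE
 * and KeStackAttachProcess in ntddk.h/ntifs.h — drop these if they collide.
 */
typedef struct _KAPC_STATE {
    LIST_ENTRY ApcListHead[2];
    PEPROCESS  Process;
    BOOLEAN    KernelApcInProgress;
    BOOLEAN    KernelApcPending;
    BOOLEAN    UserApcPending;
} KAPC_STATE, *PKAPC_STATE;

NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(ULONG ulProcId, PEPROCESS *pEProcess);
NTKERNELAPI void     KeStackAttachProcess(PVOID Process, PKAPC_STATE ApcState);
NTKERNELAPI void     KeUnstackDetachProcess(PKAPC_STATE ApcState);

/* Raw IOCTL value shared with the user-mode helper.  Its low two bits are 0,
 * i.e. METHOD_BUFFERED, so the request data lives in AssociatedIrp.SystemBuffer. */
#define IOCTL_SHOOOO25_UNHOOK 0x10C

/* Offset of the routine we call inside the target image; specific to the
 * CrackMe.sys build this post was written against. */
#define UNHOOK_ROUTINE_RVA 0x1810

/*
 * Call the routine at Base + UNHOOK_ROUTINE_RVA with no arguments.
 *
 * Base is the image base of CrackMe.sys found by the user-mode helper
 * (GetSysBase below).  What the callee does is not visible from here; the
 * name from the original post suggests it undoes the CrackMe's SSDT hooks,
 * but that is an inference.
 *
 * SECURITY: this is an arbitrary-kernel-call primitive reachable from user
 * mode through IOCTL 0x10C by anyone who can open the device.  The guards
 * added here reject user-mode and unmapped targets so a wrong or malicious
 * Base fails the request instead of faulting in ring 0; they do not make the
 * primitive safe, they only remove the trivial misuse.
 *
 * Returns STATUS_INVALID_PARAMETER for a rejected target, STATUS_SUCCESS
 * once the callee has returned.
 */
NTSTATUS UnhookSSDT(ULONG Base)
{
    ULONG Address = Base + UNHOOK_ROUTINE_RVA;

    if (Address <= (ULONG)(ULONG_PTR)MM_HIGHEST_USER_ADDRESS ||
        !MmIsAddressValid((PVOID)Address)) {
        return STATUS_INVALID_PARAMETER;
    }

    /* Indirect call through the local, exactly as the original did; the
     * callee's calling convention and argument list are assumed to be
     * "none" — TODO confirm against the CrackMe.sys disassembly. */
    __asm {
        call Address
    }

    return STATUS_SUCCESS;
}

/* Unload: remove the symbolic link, then the single device object. */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING symbolicName;
    PDEVICE_OBJECT pDeviceObject = pDriverObject->DeviceObject;

    RtlInitUnicodeString(&symbolicName, L"\\??\\shoooo25");
    IoDeleteSymbolicLink(&symbolicName);
    if (pDeviceObject != NULL) {
        IoDeleteDevice(pDeviceObject);
    }
}

/* IRP_MJ_CREATE: every open succeeds; there is no per-handle state. */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/* IRP_MJ_CLOSE: nothing to release. */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/*
 * IRP_MJ_DEVICE_CONTROL.  Single request: IOCTL_SHOOOO25_UNHOOK with a
 * 4-byte input holding the CrackMe.sys image base.  The per-request result
 * is reported in IoStatus.Status while the dispatch routine itself returns
 * STATUS_SUCCESS, as in the original.
 *
 * Fix: the original's default branch set the return value to
 * STATUS_INVALID_DEVICE_REQUEST but never stored it in IoStatus.Status, so
 * the completed IRP and the dispatch return value disagreed; both are set now.
 */
NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    NTSTATUS status;
    PIO_STACK_LOCATION pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
    PVOID buffer = pIrp->AssociatedIrp.SystemBuffer;
    ULONG inLen = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
    ULONG code = pIrpSp->Parameters.DeviceIoControl.IoControlCode;

    UNREFERENCED_PARAMETER(pDeviceObject);

    switch (code) {
    case IOCTL_SHOOOO25_UNHOOK:
        if (inLen != sizeof(ULONG) || buffer == NULL) {
            pIrp->IoStatus.Status = STATUS_INVALID_PARAMETER;
        } else {
            pIrp->IoStatus.Status = UnhookSSDT(*(PULONG)buffer);
        }
        status = STATUS_SUCCESS;
        break;
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        pIrp->IoStatus.Status = status;
        break;
    }

    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}

/*
 * DriverEntry: create \Device\shoooo25, link it as \??\shoooo25 and install
 * the dispatch routines.
 *
 * SECURITY: no security descriptor and no FILE_DEVICE_SECURE_OPEN are
 * applied, so whoever can open \\.\shoooo25 under the default device DACL
 * (presumably any local user — confirm) can reach the kernel-call primitive
 * above.  NOTE(review): 0x220000 is passed as the DeviceType; it looks like a
 * CTL_CODE-style (FILE_DEVICE_UNKNOWN << 16) value rather than
 * FILE_DEVICE_UNKNOWN itself.  Kept verbatim because the IOCTL codes are
 * compared as raw numbers and the value is accepted by IoCreateDevice.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    NTSTATUS status;
    UNICODE_STRING deviceName;
    UNICODE_STRING symbolicName;
    PDEVICE_OBJECT pDeviceObject = NULL;

    UNREFERENCED_PARAMETER(pRegPath);

    RtlInitUnicodeString(&deviceName, L"\\Device\\shoooo25");
    status = IoCreateDevice(pDriverObject, 0, &deviceName, 0x220000, 0, FALSE, &pDeviceObject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    RtlInitUnicodeString(&symbolicName, L"\\??\\shoooo25");
    status = IoCreateSymbolicLink(&symbolicName, &deviceName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(pDeviceObject);
        return status;
    }

    pDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
    pDriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}

/* Method 21 — user side: exe */
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")

/* Raw x86 layout of the SystemModuleInformation (class 0x0B) buffer as the
 * original parsed it: a ULONG count, then entries of 0x11C bytes with the
 * image base at +0x08 and the NUL-terminated path at +0x1C. */
enum {
    SYSTEM_MODULE_INFORMATION_CLASS = 0x0B,
    MODULE_ENTRY_SIZE  = 0x11C,
    MODULE_BASE_OFFSET = 0x08,
    MODULE_PATH_OFFSET = 0x1C
};

/* NTSTATUS returned while the buffer is too small. */
#define NT_STATUS_INFO_LENGTH_MISMATCH 0xC0000004L

typedef LONG (WINAPI *PFN_ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);

/*
 * Return the image base of CrackMe.sys, or 0 if it cannot be determined.
 *
 * Queries ntdll!ZwQuerySystemInformation(SystemModuleInformation), growing
 * the buffer while the call reports a length mismatch, then scans the module
 * list for a file name equal (case-insensitively) to "CrackMe.sys".
 *
 * Changes vs. the original: the call goes through a typed function pointer
 * instead of inline asm; a missing export or a failed VirtualAlloc is
 * reported as 0 instead of dereferencing NULL; a query that fails for any
 * reason other than "buffer too small" no longer has its garbage parsed as a
 * module list; and the buffer is released before returning.
 */
DWORD GetSysBase()
{
    PFN_ZWQUERYSYSTEMINFORMATION pfnQuery;
    char *pool;
    ULONG poolSize = 0x1000;
    LONG status;
    ULONG count;
    ULONG i;
    DWORD base = 0;

    pfnQuery = (PFN_ZWQUERYSYSTEMINFORMATION)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");
    if (pfnQuery == NULL)
        return 0;

    for (;;) {
        pool = (char *)VirtualAlloc(NULL, poolSize, MEM_COMMIT, PAGE_READWRITE);
        if (pool == NULL)
            return 0;
        status = pfnQuery(SYSTEM_MODULE_INFORMATION_CLASS, pool, poolSize, NULL);
        if (status != (LONG)NT_STATUS_INFO_LENGTH_MISMATCH)
            break;
        VirtualFree(pool, 0, MEM_RELEASE);
        poolSize *= 2;
    }

    if (status == 0) {
        count = *(LPDWORD)pool;
        for (i = 0; i < count && base == 0; i++) {
            const char *entry = pool + sizeof(DWORD) + i * MODULE_ENTRY_SIZE;
            const char *path = entry + MODULE_PATH_OFFSET;
            const char *name = strrchr(path, '\\');
            name = (name != NULL) ? name + 1 : path;
            if (stricmp(name, "CrackMe.sys") == 0)
                base = *(LPDWORD)(entry + MODULE_BASE_OFFSET);
        }
    }

    VirtualFree(pool, 0, MEM_RELEASE);
    return base;
}

/*
 * Entry point.  Find the CrackMeApp process, ask the shoooo25 driver to call
 * into CrackMe.sys (IOCTL 0x10C with the image base), then terminate the
 * process with a plain TerminateProcess — which only works once the driver
 * has removed the protection.
 *
 * Changes vs. the original: the OpenProcess result is checked before
 * TerminateProcess and both handles are closed.
 */
void start()
{
    HWND hWnd;
    DWORD pid = 0;
    DWORD base;
    DWORD bytesReturned = 0;
    HANDLE hDevice;
    HANDLE hProcess;

    hWnd = FindWindow("#32770", "CrackMeApp");
    if (hWnd == NULL)
        return;
    GetWindowThreadProcessId(hWnd, &pid);
    if (pid == 0)
        return;

    base = GetSysBase();
    if (base == 0)
        return;

    hDevice = CreateFile("\\\\.\\shoooo25", GENERIC_READ | GENERIC_WRITE, 0, NULL,
                         OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
        return;
    DeviceIoControl(hDevice, 0x10C, &base, sizeof(base), NULL, 0, &bytesReturned, NULL);
    CloseHandle(hDevice);

    hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, pid);
    if (hProcess != NULL) {
        TerminateProcess(hProcess, 0);
        CloseHandle(hProcess);
    }
}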
|
[原创]shoooo第二轮第二题
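/* Method 20 (第二十种) — driver is the same as method 19 (shoooo24.sys);
 * only the user-mode exe differs. */
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")

/* Raw x86 layout of the SystemModuleInformation (class 0x0B) buffer as the
 * original parsed it: a ULONG count, then entries of 0x11C bytes with the
 * image base at +0x08 and the NUL-terminated path at +0x1C. */
enum {
    SYSTEM_MODULE_INFORMATION_CLASS = 0x0B,
    MODULE_ENTRY_SIZE  = 0x11C,
    MODULE_BASE_OFFSET = 0x08,
    MODULE_PATH_OFFSET = 0x1C
};

/* NTSTATUS returned while the buffer is too small. */
#define NT_STATUS_INFO_LENGTH_MISMATCH 0xC0000004L

typedef LONG (WINAPI *PFN_ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);

/*
 * Return the image base of CrackMe.sys, or 0 if it cannot be determined.
 *
 * Queries ntdll!ZwQuerySystemInformation(SystemModuleInformation), growing
 * the buffer while the call reports a length mismatch, then scans the module
 * list for a file name equal (case-insensitively) to "CrackMe.sys".
 *
 * Changes vs. the original: typed function pointer instead of inline asm;
 * a missing export or failed VirtualAlloc returns 0 instead of touching NULL;
 * a query that fails for a reason other than "buffer too small" is not parsed;
 * the buffer is released before returning.
 */
DWORD GetSysBase()
{
    PFN_ZWQUERYSYSTEMINFORMATION pfnQuery;
    char *pool;
    ULONG poolSize = 0x1000;
    LONG status;
    ULONG count;
    ULONG i;
    DWORD base = 0;

    pfnQuery = (PFN_ZWQUERYSYSTEMINFORMATION)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");
    if (pfnQuery == NULL)
        return 0;

    for (;;) {
        pool = (char *)VirtualAlloc(NULL, poolSize, MEM_COMMIT, PAGE_READWRITE);
        if (pool == NULL)
            return 0;
        status = pfnQuery(SYSTEM_MODULE_INFORMATION_CLASS, pool, poolSize, NULL);
        if (status != (LONG)NT_STATUS_INFO_LENGTH_MISMATCH)
            break;
        VirtualFree(pool, 0, MEM_RELEASE);
        poolSize *= 2;
    }

    if (status == 0) {
        count = *(LPDWORD)pool;
        for (i = 0; i < count && base == 0; i++) {
            const char *entry = pool + sizeof(DWORD) + i * MODULE_ENTRY_SIZE;
            const char *path = entry + MODULE_PATH_OFFSET;
            const char *name = strrchr(path, '\\');
            name = (name != NULL) ? name + 1 : path;
            if (stricmp(name, "CrackMe.sys") == 0)
                base = *(LPDWORD)(entry + MODULE_BASE_OFFSET);
        }
    }

    VirtualFree(pool, 0, MEM_RELEASE);
    return base;
}

/*
 * Entry point.  Find the CrackMeApp process, send the CrackMe.sys image base
 * to the shoooo24 driver (IOCTL 0x108, which in the method-19 listing zeroes
 * a DWORD at image base + 0x3074 — presumably the PID the CrackMe protects),
 * then attach to the target as a debugger and exit.  A debuggee is killed
 * when its debugger exits unless DebugSetProcessKillOnExit was cleared, so
 * ExitProcess(0) here takes CrackMeApp down without a TerminateProcess call.
 *
 * Kept as in the original: the IOCTL and DebugActiveProcess results are not
 * checked — there is nothing useful to do on failure since the process exits
 * right after.
 */
void start()
{
    HWND hWnd;
    DWORD pid = 0;
    DWORD base;
    DWORD bytesReturned = 0;
    HANDLE hDevice;

    hWnd = FindWindow("#32770", "CrackMeApp");
    if (hWnd == NULL)
        return;
    GetWindowThreadProcessId(hWnd, &pid);
    if (pid == 0)
        return;

    base = GetSysBase();
    if (base == 0)
        return;

    hDevice = CreateFile("\\\\.\\shoooo24", GENERIC_READ | GENERIC_WRITE, 0, NULL,
                         OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
        return;
    DeviceIoControl(hDevice, 0x108, &base, sizeof(base), NULL, 0, &bytesReturned, NULL);
    CloseHandle(hDevice);

    DebugActiveProcess(pid);
    ExitProcess(0);
}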
|
[原创]shoooo第二轮第二题
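/* Method 19 (第十九种) — kernel side: shoooo24.c */
#include <ntddk.h>
#pragma warning(disable:4047)

/*
 * Declarations copied from the original post.  None of them is used by this
 * driver; they are kept so the listing stays a drop-in replacement.
 * NOTE(review): newer DDKs already declare KAPC_STATE and
 * KeStackAttachProcess — drop these if they collide.
 */
typedef struct _KAPC_STATE {
    LIST_ENTRY ApcListHead[2];
    PEPROCESS  Process;
    BOOLEAN    KernelApcInProgress;
    BOOLEAN    KernelApcPending;
    BOOLEAN    UserApcPending;
} KAPC_STATE, *PKAPC_STATE;

NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(ULONG ulProcId, PEPROCESS *pEProcess);
NTKERNELAPI void     KeStackAttachProcess(PVOID Process, PKAPC_STATE ApcState);
NTKERNELAPI void     KeUnstackDetachProcess(PKAPC_STATE ApcState);

/* Raw IOCTL value shared with the user-mode helper; low two bits 0 means
 * METHOD_BUFFERED, so the request data is in AssociatedIrp.SystemBuffer. */
#define IOCTL_SHOOOO24_CLEAR_PID 0x108

/* Offset, inside the CrackMe.sys image, of the DWORD that gets zeroed.
 * Specific to the build this post targets. */
#define PROTECTED_PID_RVA 0x3074

/*
 * Write 0 to the DWORD at Base + PROTECTED_PID_RVA.
 *
 * Name kept from the original; it suggests the DWORD is the PID the CrackMe
 * driver protects, but what the target actually keeps there is not visible
 * from this listing.  The page is assumed to be writable (a .data location);
 * if it sits in a read-only section the store will bugcheck — TODO confirm.
 *
 * SECURITY: this is an arbitrary-kernel-write-zero primitive reachable from
 * user mode through IOCTL 0x108.  The added guards reject user-mode and
 * unmapped targets so a bad Base fails the request rather than the machine;
 * they do not make the primitive safe.
 */
NTSTATUS FuckPID(ULONG Base)
{
    ULONG Address = Base + PROTECTED_PID_RVA;

    if (Address <= (ULONG)(ULONG_PTR)MM_HIGHEST_USER_ADDRESS ||
        !MmIsAddressValid((PVOID)Address)) {
        return STATUS_INVALID_PARAMETER;
    }

    *(PULONG)Address = 0;
    return STATUS_SUCCESS;
}

/* Unload: remove the symbolic link, then the single device object. */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING symbolicName;
    PDEVICE_OBJECT pDeviceObject = pDriverObject->DeviceObject;

    RtlInitUnicodeString(&symbolicName, L"\\??\\shoooo24");
    IoDeleteSymbolicLink(&symbolicName);
    if (pDeviceObject != NULL) {
        IoDeleteDevice(pDeviceObject);
    }
}

/* IRP_MJ_CREATE: every open succeeds; there is no per-handle state. */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/* IRP_MJ_CLOSE: nothing to release. */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/*
 * IRP_MJ_DEVICE_CONTROL.  Single request: IOCTL_SHOOOO24_CLEAR_PID with a
 * 4-byte input holding the CrackMe.sys image base.  The per-request result
 * goes into IoStatus.Status; the dispatch itself returns STATUS_SUCCESS, as
 * in the original.
 *
 * Fix: the original's default branch returned STATUS_INVALID_DEVICE_REQUEST
 * without storing it in IoStatus.Status, so the completed IRP and the return
 * value disagreed; both are set now.
 */
NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    NTSTATUS status;
    PIO_STACK_LOCATION pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
    PVOID buffer = pIrp->AssociatedIrp.SystemBuffer;
    ULONG inLen = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
    ULONG code = pIrpSp->Parameters.DeviceIoControl.IoControlCode;

    UNREFERENCED_PARAMETER(pDeviceObject);

    switch (code) {
    case IOCTL_SHOOOO24_CLEAR_PID:
        if (inLen != sizeof(ULONG) || buffer == NULL) {
            pIrp->IoStatus.Status = STATUS_INVALID_PARAMETER;
        } else {
            pIrp->IoStatus.Status = FuckPID(*(PULONG)buffer);
        }
        status = STATUS_SUCCESS;
        break;
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        pIrp->IoStatus.Status = status;
        break;
    }

    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}

/*
 * DriverEntry: create \Device\shoooo24, link it as \??\shoooo24 and install
 * the dispatch routines.
 *
 * SECURITY: no security descriptor and no FILE_DEVICE_SECURE_OPEN, so anyone
 * who can open \\.\shoooo24 under the default device DACL (presumably any
 * local user — confirm) reaches the kernel-write primitive above.
 * NOTE(review): 0x220000 as DeviceType looks like FILE_DEVICE_UNKNOWN << 16
 * rather than FILE_DEVICE_UNKNOWN; kept verbatim since IoCreateDevice
 * accepts it and the IOCTL codes are compared as raw numbers.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    NTSTATUS status;
    UNICODE_STRING deviceName;
    UNICODE_STRING symbolicName;
    PDEVICE_OBJECT pDeviceObject = NULL;

    UNREFERENCED_PARAMETER(pRegPath);

    RtlInitUnicodeString(&deviceName, L"\\Device\\shoooo24");
    status = IoCreateDevice(pDriverObject, 0, &deviceName, 0x220000, 0, FALSE, &pDeviceObject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    RtlInitUnicodeString(&symbolicName, L"\\??\\shoooo24");
    status = IoCreateSymbolicLink(&symbolicName, &deviceName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(pDeviceObject);
        return status;
    }

    pDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
    pDriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}

/* Method 19 — user side: exe */
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")

/* Raw x86 layout of the SystemModuleInformation (class 0x0B) buffer as the
 * original parsed it: a ULONG count, then entries of 0x11C bytes with the
 * image base at +0x08 and the NUL-terminated path at +0x1C. */
enum {
    SYSTEM_MODULE_INFORMATION_CLASS = 0x0B,
    MODULE_ENTRY_SIZE  = 0x11C,
    MODULE_BASE_OFFSET = 0x08,
    MODULE_PATH_OFFSET = 0x1C
};

/* NTSTATUS returned while the buffer is too small. */
#define NT_STATUS_INFO_LENGTH_MISMATCH 0xC0000004L

typedef LONG (WINAPI *PFN_ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);

/*
 * Return the image base of CrackMe.sys, or 0 if it cannot be determined.
 *
 * Queries ntdll!ZwQuerySystemInformation(SystemModuleInformation), growing
 * the buffer while the call reports a length mismatch, then scans the module
 * list for a file name equal (case-insensitively) to "CrackMe.sys".
 *
 * Changes vs. the original: typed function pointer instead of inline asm;
 * a missing export or failed VirtualAlloc returns 0 instead of touching NULL;
 * a query that fails for a reason other than "buffer too small" is not parsed;
 * the buffer is released before returning.
 */
DWORD GetSysBase()
{
    PFN_ZWQUERYSYSTEMINFORMATION pfnQuery;
    char *pool;
    ULONG poolSize = 0x1000;
    LONG status;
    ULONG count;
    ULONG i;
    DWORD base = 0;

    pfnQuery = (PFN_ZWQUERYSYSTEMINFORMATION)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");
    if (pfnQuery == NULL)
        return 0;

    for (;;) {
        pool = (char *)VirtualAlloc(NULL, poolSize, MEM_COMMIT, PAGE_READWRITE);
        if (pool == NULL)
            return 0;
        status = pfnQuery(SYSTEM_MODULE_INFORMATION_CLASS, pool, poolSize, NULL);
        if (status != (LONG)NT_STATUS_INFO_LENGTH_MISMATCH)
            break;
        VirtualFree(pool, 0, MEM_RELEASE);
        poolSize *= 2;
    }

    if (status == 0) {
        count = *(LPDWORD)pool;
        for (i = 0; i < count && base == 0; i++) {
            const char *entry = pool + sizeof(DWORD) + i * MODULE_ENTRY_SIZE;
            const char *path = entry + MODULE_PATH_OFFSET;
            const char *name = strrchr(path, '\\');
            name = (name != NULL) ? name + 1 : path;
            if (stricmp(name, "CrackMe.sys") == 0)
                base = *(LPDWORD)(entry + MODULE_BASE_OFFSET);
        }
    }

    VirtualFree(pool, 0, MEM_RELEASE);
    return base;
}

/*
 * Entry point.  Find the CrackMeApp process, send the CrackMe.sys image base
 * to the shoooo24 driver (IOCTL 0x108, which zeroes the DWORD at
 * base + 0x3074), then terminate the process with a plain TerminateProcess.
 *
 * Changes vs. the original: the OpenProcess result is checked before
 * TerminateProcess and both handles are closed.
 */
void start()
{
    HWND hWnd;
    DWORD pid = 0;
    DWORD base;
    DWORD bytesReturned = 0;
    HANDLE hDevice;
    HANDLE hProcess;

    hWnd = FindWindow("#32770", "CrackMeApp");
    if (hWnd == NULL)
        return;
    GetWindowThreadProcessId(hWnd, &pid);
    if (pid == 0)
        return;

    base = GetSysBase();
    if (base == 0)
        return;

    hDevice = CreateFile("\\\\.\\shoooo24", GENERIC_READ | GENERIC_WRITE, 0, NULL,
                         OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
        return;
    DeviceIoControl(hDevice, 0x108, &base, sizeof(base), NULL, 0, &bytesReturned, NULL);
    CloseHandle(hDevice);

    hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, pid);
    if (hProcess != NULL) {
        TerminateProcess(hProcess, 0);
        CloseHandle(hProcess);
    }
}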
|
[原创]shoooo第二轮第二题
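/* Method 18 (第十八种) — uses the shoooo22 driver from post #17; exe only. */
#define _WIN32_WINNT 0x500
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

/* IOCTL of the shoooo22 driver: input = PID (4 bytes), output = handle (4 bytes). */
#define IOCTL_SHOOOO22_OPEN_PROCESS 0x100

/*
 * Entry point.  Obtain a full-access handle to the CrackMeApp process from
 * the shoooo22 driver (which opens it from kernel mode, sidestepping whatever
 * the CrackMe hooks on the normal OpenProcess path), put the process into a
 * fresh job object and terminate the job.  The kill therefore happens via
 * the job rather than via TerminateProcess.
 *
 * Changes vs. the original: the window/PID, the IOCTL result, the returned
 * handle and the job handle are all checked before use (a NULL hProcess used
 * to reach AssignProcessToJobObject), and every handle is closed.
 */
void start()
{
    HWND hWnd;
    DWORD pid = 0;
    DWORD bytesReturned = 0;
    HANDLE hDevice;
    HANDLE hProcess = NULL;
    HANDLE hJob;
    BOOL ok;

    hWnd = FindWindow("#32770", "CrackMeApp");
    if (hWnd == NULL)
        return;
    GetWindowThreadProcessId(hWnd, &pid);
    if (pid == 0)
        return;

    hDevice = CreateFile("\\\\.\\shoooo22", GENERIC_READ | GENERIC_WRITE, 0, NULL,
                         OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
        return;
    ok = DeviceIoControl(hDevice, IOCTL_SHOOOO22_OPEN_PROCESS, &pid, sizeof(pid),
                         &hProcess, sizeof(hProcess), &bytesReturned, NULL);
    CloseHandle(hDevice);
    if (!ok || bytesReturned != sizeof(hProcess) || hProcess == NULL)
        return;

    hJob = CreateJobObject(NULL, NULL);
    if (hJob != NULL) {
        if (AssignProcessToJobObject(hJob, hProcess))
            TerminateJobObject(hJob, 0);
        CloseHandle(hJob);
    }
    CloseHandle(hProcess);
}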
|
[原创]shoooo第二轮第二题
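/* Method 17 (第十七种) — kernel side: shoooo23.c */
#include <ntddk.h>
#pragma warning(disable:4047)

/*
 * Declarations copied from the original post.  NOTE(review): newer DDKs
 * already declare KAPC_STATE and KeStackAttachProcess in ntddk.h/ntifs.h —
 * drop these if they collide.
 */
typedef struct _KAPC_STATE {
    LIST_ENTRY ApcListHead[2];
    PEPROCESS  Process;
    BOOLEAN    KernelApcInProgress;
    BOOLEAN    KernelApcPending;
    BOOLEAN    UserApcPending;
} KAPC_STATE, *PKAPC_STATE;

NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(ULONG ulProcId, PEPROCESS *pEProcess);
NTKERNELAPI void     KeStackAttachProcess(PVOID Process, PKAPC_STATE ApcState);
NTKERNELAPI void     KeUnstackDetachProcess(PKAPC_STATE ApcState);

/* Raw IOCTL value shared with the user-mode helper; low two bits 0 means
 * METHOD_BUFFERED, so the request data is in AssociatedIrp.SystemBuffer. */
#define IOCTL_SHOOOO23_PATCH 0x104

/* Hard-coded user-mode address and value from the original ("//404198 4031BC"):
 * both are specific to the CrackMeApp build the post was written against.
 * What lives at 0x404198 (presumably a pointer the dialog later calls or
 * dispatches through) is not visible from this listing. */
#define PATCH_ADDRESS 0x404198
#define PATCH_VALUE   0x4031BC

/*
 * Attach to the process identified by PID and store PATCH_VALUE at
 * PATCH_ADDRESS in its address space.
 *
 * Fix: the original swallowed any fault in the __except block and still
 * returned the success status from the lookup, so the IOCTL reported success
 * for a write that never happened.  The exception code is now propagated,
 * and ProbeForWrite raises up front if the address is not a writable
 * user-mode location.
 *
 * SECURITY: this is a write-to-any-process primitive reachable from user
 * mode (the address and value are fixed here, but the target PID is not).
 *
 * Returns the PsLookupProcessByProcessId status on lookup failure, the
 * exception code if the store faulted, STATUS_SUCCESS otherwise.
 */
NTSTATUS MyWriteProcessMemory(ULONG PID)
{
    NTSTATUS status;
    PEPROCESS process = NULL;
    KAPC_STATE apcState;

    status = PsLookupProcessByProcessId(PID, &process);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    RtlZeroMemory(&apcState, sizeof(apcState));
    KeStackAttachProcess(process, &apcState);
    __try {
        ProbeForWrite((PVOID)PATCH_ADDRESS, sizeof(ULONG), sizeof(ULONG));
        *(PULONG)PATCH_ADDRESS = PATCH_VALUE;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
    }
    KeUnstackDetachProcess(&apcState);
    ObDereferenceObject(process);

    return status;
}

/* Unload: remove the symbolic link, then the single device object. */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING symbolicName;
    PDEVICE_OBJECT pDeviceObject = pDriverObject->DeviceObject;

    RtlInitUnicodeString(&symbolicName, L"\\??\\shoooo23");
    IoDeleteSymbolicLink(&symbolicName);
    if (pDeviceObject != NULL) {
        IoDeleteDevice(pDeviceObject);
    }
}

/* IRP_MJ_CREATE: every open succeeds; there is no per-handle state. */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/* IRP_MJ_CLOSE: nothing to release. */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/*
 * IRP_MJ_DEVICE_CONTROL.  Single request: IOCTL_SHOOOO23_PATCH with a 4-byte
 * input holding the target PID.  The per-request result goes into
 * IoStatus.Status; the dispatch itself returns STATUS_SUCCESS, as in the
 * original.
 *
 * Fix: the original's default branch returned STATUS_INVALID_DEVICE_REQUEST
 * without storing it in IoStatus.Status, so the completed IRP and the return
 * value disagreed; both are set now.
 */
NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    NTSTATUS status;
    PIO_STACK_LOCATION pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
    PVOID buffer = pIrp->AssociatedIrp.SystemBuffer;
    ULONG inLen = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
    ULONG code = pIrpSp->Parameters.DeviceIoControl.IoControlCode;

    UNREFERENCED_PARAMETER(pDeviceObject);

    switch (code) {
    case IOCTL_SHOOOO23_PATCH:
        if (inLen != sizeof(ULONG) || buffer == NULL) {
            pIrp->IoStatus.Status = STATUS_INVALID_PARAMETER;
        } else {
            pIrp->IoStatus.Status = MyWriteProcessMemory(*(PULONG)buffer);
        }
        status = STATUS_SUCCESS;
        break;
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        pIrp->IoStatus.Status = status;
        break;
    }

    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}

/*
 * DriverEntry: create \Device\shoooo23, link it as \??\shoooo23 and install
 * the dispatch routines.
 *
 * SECURITY: no security descriptor and no FILE_DEVICE_SECURE_OPEN, so anyone
 * who can open \\.\shoooo23 under the default device DACL (presumably any
 * local user — confirm) reaches the cross-process write above.
 * NOTE(review): 0x220000 as DeviceType looks like FILE_DEVICE_UNKNOWN << 16
 * rather than FILE_DEVICE_UNKNOWN; kept verbatim since IoCreateDevice
 * accepts it and the IOCTL codes are compared as raw numbers.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    NTSTATUS status;
    UNICODE_STRING deviceName;
    UNICODE_STRING symbolicName;
    PDEVICE_OBJECT pDeviceObject = NULL;

    UNREFERENCED_PARAMETER(pRegPath);

    RtlInitUnicodeString(&deviceName, L"\\Device\\shoooo23");
    status = IoCreateDevice(pDriverObject, 0, &deviceName, 0x220000, 0, FALSE, &pDeviceObject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    RtlInitUnicodeString(&symbolicName, L"\\??\\shoooo23");
    status = IoCreateSymbolicLink(&symbolicName, &deviceName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(pDeviceObject);
        return status;
    }

    pDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
    pDriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}

/* Method 17 — user side: exe */
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

/*
 * Entry point.  Find the CrackMeApp process, ask the shoooo23 driver to patch
 * it (IOCTL 0x104 with the PID), then bring its window to the foreground —
 * presumably the activation path is what runs through the patched location;
 * the exe itself does nothing further.
 *
 * Changes vs. the original: the device handle is closed before the window
 * is activated rather than after (no ordering dependency is visible), and
 * a missing window returns before the device is opened.
 */
void start()
{
    HWND hWnd;
    DWORD pid = 0;
    DWORD bytesReturned = 0;
    HANDLE hDevice;

    hWnd = FindWindow("#32770", "CrackMeApp");
    if (hWnd == NULL)
        return;
    GetWindowThreadProcessId(hWnd, &pid);
    if (pid == 0)
        return;

    hDevice = CreateFile("\\\\.\\shoooo23", GENERIC_READ | GENERIC_WRITE, 0, NULL,
                         OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
        return;
    DeviceIoControl(hDevice, 0x104, &pid, sizeof(pid), NULL, 0, &bytesReturned, NULL);
    CloseHandle(hDevice);

    SetForegroundWindow(hWnd);
}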
|
[原创]shoooo第二轮第二题
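/* Method 16 (第十六种) — kernel side: shoooo22.c */
#include <ntddk.h>
#pragma warning(disable:4047)

/* Prototypes copied from the original post (not in every DDK's ntddk.h). */
NTKERNELAPI NTSTATUS ObOpenObjectByPointer(
    IN PVOID Object,
    IN ULONG HandleAttributes,
    IN PACCESS_STATE PassedAccessState OPTIONAL,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN POBJECT_TYPE ObjectType OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,
    OUT PHANDLE Handle);

NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(
    IN ULONG ulProcId,
    OUT PEPROCESS *pEProcess);

/* Raw IOCTL value shared with the user-mode helpers (posts #17 and #18);
 * low two bits 0 means METHOD_BUFFERED: input and output share SystemBuffer. */
#define IOCTL_SHOOOO22_OPEN_PROCESS 0x100

/*
 * Open a PROCESS_ALL_ACCESS handle to the process identified by PID, in the
 * caller's handle table, and return it through *pHandle.
 *
 * The open goes through ObOpenObjectByPointer, i.e. it never passes the
 * NtOpenProcess path that the CrackMe driver presumably hooks.  AccessMode is
 * UserMode, so the object-manager access check against the target's DACL is
 * still expected to apply — TODO confirm; the handle is only as privileged
 * as the caller would otherwise be.
 *
 * Fix: if MmGetSystemRoutineAddress cannot resolve PsProcessType, the original
 * fell through with status still STATUS_SUCCESS and *pHandle untouched, so
 * the IOCTL reported a successful open with no handle.  That case now fails
 * with STATUS_PROCEDURE_NOT_FOUND.
 *
 * SECURITY: an open-any-process-with-full-access primitive reachable from
 * user mode with no check on who is asking.
 */
NTSTATUS MyOpenProcess(ULONG PID, PHANDLE pHandle)
{
    NTSTATUS status;
    PEPROCESS process = NULL;
    HANDLE handle = NULL;
    UNICODE_STRING name;
    POBJECT_TYPE *typeVar;

    status = PsLookupProcessByProcessId(PID, &process);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    /* PsProcessType is an exported variable holding the POBJECT_TYPE;
     * MmGetSystemRoutineAddress yields its address, hence the extra deref. */
    RtlInitUnicodeString(&name, L"PsProcessType");
    typeVar = (POBJECT_TYPE *)MmGetSystemRoutineAddress(&name);
    if (typeVar == NULL) {
        status = STATUS_PROCEDURE_NOT_FOUND;
    } else {
        status = ObOpenObjectByPointer(process, 0, NULL, PROCESS_ALL_ACCESS,
                                       *typeVar, UserMode, &handle);
        if (NT_SUCCESS(status)) {
            *pHandle = handle;
        }
    }

    ObfDereferenceObject(process);
    return status;
}

/* Unload: remove the symbolic link, then the single device object. */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING symbolicName;
    PDEVICE_OBJECT pDeviceObject = pDriverObject->DeviceObject;

    RtlInitUnicodeString(&symbolicName, L"\\??\\shoooo22");
    IoDeleteSymbolicLink(&symbolicName);
    if (pDeviceObject != NULL) {
        IoDeleteDevice(pDeviceObject);
    }
}

/* IRP_MJ_CREATE: every open succeeds; there is no per-handle state. */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/* IRP_MJ_CLOSE: nothing to release. */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/*
 * IRP_MJ_DEVICE_CONTROL.  Single request: IOCTL_SHOOOO22_OPEN_PROCESS with a
 * 4-byte PID in and a 4-byte handle out (x86: sizeof(HANDLE) == 4, matching
 * the user-mode side).  Input and output share SystemBuffer; the PID is read
 * as an argument before the handle is written over it.  The per-request
 * result goes into IoStatus.Status; the dispatch itself returns
 * STATUS_SUCCESS, as in the original.
 *
 * Fix: the original's default branch returned STATUS_INVALID_DEVICE_REQUEST
 * without storing it in IoStatus.Status, so the completed IRP and the return
 * value disagreed; both are set now.
 */
NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    NTSTATUS status;
    PIO_STACK_LOCATION pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
    PVOID buffer = pIrp->AssociatedIrp.SystemBuffer;
    ULONG inLen = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
    ULONG outLen = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength;
    ULONG code = pIrpSp->Parameters.DeviceIoControl.IoControlCode;

    UNREFERENCED_PARAMETER(pDeviceObject);

    switch (code) {
    case IOCTL_SHOOOO22_OPEN_PROCESS:
        if (inLen != sizeof(ULONG) || outLen != sizeof(HANDLE) || buffer == NULL) {
            pIrp->IoStatus.Status = STATUS_INVALID_PARAMETER;
            pIrp->IoStatus.Information = 0;
        } else {
            pIrp->IoStatus.Status = MyOpenProcess(*(PULONG)buffer, (PHANDLE)buffer);
            pIrp->IoStatus.Information =
                NT_SUCCESS(pIrp->IoStatus.Status) ? sizeof(HANDLE) : 0;
        }
        status = STATUS_SUCCESS;
        break;
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        pIrp->IoStatus.Status = status;
        pIrp->IoStatus.Information = 0;
        break;
    }

    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}

/*
 * DriverEntry: create \Device\shoooo22, link it as \??\shoooo22 and install
 * the dispatch routines.
 *
 * SECURITY: no security descriptor and no FILE_DEVICE_SECURE_OPEN, so anyone
 * who can open \\.\shoooo22 under the default device DACL (presumably any
 * local user — confirm) can request a full-access handle to any PID.
 * NOTE(review): 0x220000 as DeviceType looks like FILE_DEVICE_UNKNOWN << 16
 * rather than FILE_DEVICE_UNKNOWN; kept verbatim since IoCreateDevice
 * accepts it and the IOCTL codes are compared as raw numbers.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    NTSTATUS status;
    UNICODE_STRING deviceName;
    UNICODE_STRING symbolicName;
    PDEVICE_OBJECT pDeviceObject = NULL;

    UNREFERENCED_PARAMETER(pRegPath);

    RtlInitUnicodeString(&deviceName, L"\\Device\\shoooo22");
    status = IoCreateDevice(pDriverObject, 0, &deviceName, 0x220000, 0, FALSE, &pDeviceObject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    RtlInitUnicodeString(&symbolicName, L"\\??\\shoooo22");
    status = IoCreateSymbolicLink(&symbolicName, &deviceName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(pDeviceObject);
        return status;
    }

    pDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
    pDriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}

/* Method 16 — user side: EXE */
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

/*
 * Entry point.  Get a PROCESS_ALL_ACCESS handle to CrackMeApp from the
 * shoooo22 driver (IOCTL 0x100: PID in, handle out) and terminate the
 * process with it.
 *
 * Changes vs. the original: the IOCTL result and the returned handle are
 * checked before TerminateProcess (a NULL handle used to be passed through),
 * and the process handle is closed.
 */
void start()
{
    HWND hWnd;
    DWORD pid = 0;
    DWORD bytesReturned = 0;
    HANDLE hDevice;
    HANDLE hProcess = NULL;
    BOOL ok;

    hWnd = FindWindow("#32770", "CrackMeApp");
    if (hWnd == NULL)
        return;
    GetWindowThreadProcessId(hWnd, &pid);
    if (pid == 0)
        return;

    hDevice = CreateFile("\\\\.\\shoooo22", GENERIC_READ | GENERIC_WRITE, 0, NULL,
                         OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
        return;
    ok = DeviceIoControl(hDevice, 0x100, &pid, sizeof(pid),
                         &hProcess, sizeof(hProcess), &bytesReturned, NULL);
    CloseHandle(hDevice);
    if (!ok || bytesReturned != sizeof(hProcess) || hProcess == NULL)
        return;

    TerminateProcess(hProcess, 0);
    CloseHandle(hProcess);
}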
|
[原创]shoooo第二轮第二题
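/* Method 15 (第十五种) — message-hook injection; close the dialog with EndDialog. */

// ---- cpp: the injector exe ----
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")

typedef void (*HookFn)();

/*
 * Entry point.  Load dll.dll, install its global WH_GETMESSAGE hook, poke the
 * CrackMeApp window so it processes a message (which makes the hook DLL run
 * inside that process), then remove the hook.  The two Sleep(100) pauses from
 * the original are kept; they give the target's message loop time to pick the
 * hook up before it is removed.
 *
 * Changes vs. the original: the DLL is loaded once instead of twice, and a
 * missing DLL or export no longer ends in an inline-asm call through NULL.
 * NOTE(review): "dll.dll" is a relative name, so it is resolved through the
 * normal DLL search order — presumably it sits next to the exe.
 */
void start()
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    HMODULE hDll = LoadLibrary("dll.dll");
    HookFn hook;
    HookFn unhook;

    if (hDll == NULL)
        return;
    hook = (HookFn)GetProcAddress(hDll, "hook");
    unhook = (HookFn)GetProcAddress(hDll, "unhook");
    if (hook == NULL || unhook == NULL)
        return;

    hook();
    Sleep(100);
    SetForegroundWindow(hWnd);
    Sleep(100);
    unhook();
}

// ---- dll: dll.dll ----
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:dllmain")
#pragma comment (linker, "/filealign:0x200")

// Each process the hook injects this DLL into gets its own copy of these:
// g_hook is only meaningful in the injector; g_self is set at attach time
// in every process.
static HHOOK g_hook = NULL;
static HMODULE g_self = NULL;

/*
 * Runs inside whichever process the hook fired in.  If that process owns the
 * CrackMeApp dialog, close it from the inside with EndDialog — no
 * cross-process OpenProcess is involved, which is the point of this variant.
 */
static void CloseCrackMeIfOurs()
{
    DWORD pid = 0;
    HWND hWnd = FindWindow("#32770", "CrackMeApp");

    if (hWnd == NULL)
        return;
    GetWindowThreadProcessId(hWnd, &pid);
    if (pid == GetCurrentProcessId())
        EndDialog(hWnd, 0);
}

/*
 * WH_GETMESSAGE hook procedure.
 *
 * Changes vs. the original: the action is skipped for code < 0 and the call
 * is forwarded with CallNextHookEx as the hook contract requires, instead of
 * returning 0 and dropping any other hooks in the chain.
 */
LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam)
{
    if (code >= 0)
        CloseCrackMeIfOurs();
    return CallNextHookEx(g_hook, code, wParam, lParam);
}

/*
 * Install a global (all threads on this desktop) WH_GETMESSAGE hook backed by
 * this DLL.  SECURITY: the system loads this DLL into every GUI process that
 * receives a message while the hook is set; the PID check above limits the
 * effect to the target, but the injection itself is desktop-wide.
 */
extern "C" void __declspec(dllexport) hook()
{
    g_hook = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, g_self, 0);
}

// Remove the hook installed by hook(); safe to call if none is installed.
extern "C" void __declspec(dllexport) unhook()
{
    if (g_hook != NULL) {
        UnhookWindowsHookEx(g_hook);
        g_hook = NULL;
    }
}

// Entry point: remember our own module handle for SetWindowsHookEx.
BOOL __stdcall dllmain(HMODULE hModule, DWORD reason, LPVOID reserved)
{
    if (reason == DLL_PROCESS_ATTACH)
        g_self = hModule;
    return TRUE;
}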
|
[原创]shoooo第二轮第二题
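/* Method 14 (第十四种) — message-hook injection; end the target's message loop
 * with PostQuitMessage. */

// ---- cpp: the injector exe ----
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")

typedef void (*HookFn)();

/*
 * Entry point.  Load dll.dll, install its global WH_GETMESSAGE hook, poke the
 * CrackMeApp window so it processes a message (which makes the hook DLL run
 * inside that process), then remove the hook.  The two Sleep(100) pauses from
 * the original are kept; they give the target's message loop time to pick the
 * hook up before it is removed.
 *
 * Changes vs. the original: the DLL is loaded once instead of twice, and a
 * missing DLL or export no longer ends in an inline-asm call through NULL.
 * NOTE(review): "dll.dll" is a relative name, so it is resolved through the
 * normal DLL search order — presumably it sits next to the exe.
 */
void start()
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    HMODULE hDll = LoadLibrary("dll.dll");
    HookFn hook;
    HookFn unhook;

    if (hDll == NULL)
        return;
    hook = (HookFn)GetProcAddress(hDll, "hook");
    unhook = (HookFn)GetProcAddress(hDll, "unhook");
    if (hook == NULL || unhook == NULL)
        return;

    hook();
    Sleep(100);
    SetForegroundWindow(hWnd);
    Sleep(100);
    unhook();
}

// ---- dll: dll.dll ----
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:dllmain")
#pragma comment (linker, "/filealign:0x200")

// Each process the hook injects this DLL into gets its own copy of these:
// g_hook is only meaningful in the injector; g_self is set at attach time
// in every process.
static HHOOK g_hook = NULL;
static HMODULE g_self = NULL;

/*
 * Runs inside whichever process the hook fired in.  If that process owns the
 * CrackMeApp dialog, post WM_QUIT to the current thread's queue so its
 * message loop ends — the dialog's own code does the rest.
 */
static void QuitCrackMeIfOurs()
{
    DWORD pid = 0;
    HWND hWnd = FindWindow("#32770", "CrackMeApp");

    if (hWnd == NULL)
        return;
    GetWindowThreadProcessId(hWnd, &pid);
    if (pid == GetCurrentProcessId())
        PostQuitMessage(0);
}

/*
 * WH_GETMESSAGE hook procedure.
 *
 * Changes vs. the original: the action is skipped for code < 0 and the call
 * is forwarded with CallNextHookEx as the hook contract requires, instead of
 * returning 0 and dropping any other hooks in the chain.
 */
LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam)
{
    if (code >= 0)
        QuitCrackMeIfOurs();
    return CallNextHookEx(g_hook, code, wParam, lParam);
}

/*
 * Install a global (all threads on this desktop) WH_GETMESSAGE hook backed by
 * this DLL.  SECURITY: the system loads this DLL into every GUI process that
 * receives a message while the hook is set; the PID check above limits the
 * effect to the target, but the injection itself is desktop-wide.
 */
extern "C" void __declspec(dllexport) hook()
{
    g_hook = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, g_self, 0);
}

// Remove the hook installed by hook(); safe to call if none is installed.
extern "C" void __declspec(dllexport) unhook()
{
    if (g_hook != NULL) {
        UnhookWindowsHookEx(g_hook);
        g_hook = NULL;
    }
}

// Entry point: remember our own module handle for SetWindowsHookEx.
BOOL __stdcall dllmain(HMODULE hModule, DWORD reason, LPVOID reserved)
{
    if (reason == DLL_PROCESS_ATTACH)
        g_self = hModule;
    return TRUE;
}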
|
[原创]shoooo第二轮第二题
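/* Method 13 (第十三种) — message-hook injection; call ExitProcess from inside
 * the target. */

// ---- cpp: the injector exe ----
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")

typedef void (*HookFn)();

/*
 * Entry point.  Load dll.dll, install its global WH_GETMESSAGE hook, poke the
 * CrackMeApp window so it processes a message (which makes the hook DLL run
 * inside that process), then remove the hook.  The two Sleep(100) pauses from
 * the original are kept; they give the target's message loop time to pick the
 * hook up before it is removed.
 *
 * Changes vs. the original: the DLL is loaded once instead of twice, and a
 * missing DLL or export no longer ends in an inline-asm call through NULL.
 * NOTE(review): "dll.dll" is a relative name, so it is resolved through the
 * normal DLL search order — presumably it sits next to the exe.
 */
void start()
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    HMODULE hDll = LoadLibrary("dll.dll");
    HookFn hook;
    HookFn unhook;

    if (hDll == NULL)
        return;
    hook = (HookFn)GetProcAddress(hDll, "hook");
    unhook = (HookFn)GetProcAddress(hDll, "unhook");
    if (hook == NULL || unhook == NULL)
        return;

    hook();
    Sleep(100);
    SetForegroundWindow(hWnd);
    Sleep(100);
    unhook();
}

// ---- dll: dll.dll ----
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:dllmain")
#pragma comment (linker, "/filealign:0x200")

// Each process the hook injects this DLL into gets its own copy of these:
// g_hook is only meaningful in the injector; g_self is set at attach time
// in every process.
static HHOOK g_hook = NULL;
static HMODULE g_self = NULL;

/*
 * Runs inside whichever process the hook fired in.  If that process owns the
 * CrackMeApp dialog, terminate it from the inside with ExitProcess — the
 * protection presumably only guards cross-process termination.
 */
static void ExitCrackMeIfOurs()
{
    DWORD pid = 0;
    HWND hWnd = FindWindow("#32770", "CrackMeApp");

    if (hWnd == NULL)
        return;
    GetWindowThreadProcessId(hWnd, &pid);
    if (pid == GetCurrentProcessId())
        ExitProcess(0);
}

/*
 * WH_GETMESSAGE hook procedure.
 *
 * Changes vs. the original: the action is skipped for code < 0 and the call
 * is forwarded with CallNextHookEx as the hook contract requires, instead of
 * returning 0 and dropping any other hooks in the chain.
 */
LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam)
{
    if (code >= 0)
        ExitCrackMeIfOurs();
    return CallNextHookEx(g_hook, code, wParam, lParam);
}

/*
 * Install a global (all threads on this desktop) WH_GETMESSAGE hook backed by
 * this DLL.  SECURITY: the system loads this DLL into every GUI process that
 * receives a message while the hook is set; the PID check above limits the
 * effect to the target, but the injection itself is desktop-wide.
 */
extern "C" void __declspec(dllexport) hook()
{
    g_hook = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, g_self, 0);
}

// Remove the hook installed by hook(); safe to call if none is installed.
extern "C" void __declspec(dllexport) unhook()
{
    if (g_hook != NULL) {
        UnhookWindowsHookEx(g_hook);
        g_hook = NULL;
    }
}

// Entry point: remember our own module handle for SetWindowsHookEx.
BOOL __stdcall dllmain(HMODULE hModule, DWORD reason, LPVOID reserved)
{
    if (reason == DLL_PROCESS_ATTACH)
        g_self = hModule;
    return TRUE;
}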
|
[原创]shoooo第二轮第二题
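/* Method 12 (第十二种方法) — CreateRemoteThread with ExitProcess as the start
 * address. */
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

/*
 * Entry point.  Locate the CrackMeApp process and start a thread inside it
 * whose start routine is kernel32!ExitProcess, so the target exits "by
 * itself".  The thread parameter is NULL, which ExitProcess receives as exit
 * code 0.
 *
 * This relies on ExitProcess being at the same address in both processes,
 * i.e. on kernel32.dll being mapped at the same base everywhere (the
 * pre-ASLR systems this writeup targets); with ASLR the address would have
 * to be resolved inside the target instead.
 *
 * Changes vs. the original: bail out when the window is not found instead of
 * calling OpenProcess with PID 0, and close the thread and process handles.
 * The access mask is left as written; it evidently sufficed on the author's
 * system, although MSDN lists a larger set for CreateRemoteThread.
 */
void start()
{
    HWND hWnd;
    DWORD pid = 0;
    HANDLE hProcess;
    HANDLE hThread;

    hWnd = FindWindow("#32770", "CrackMeApp");
    if (hWnd == NULL)
        return;
    GetWindowThreadProcessId(hWnd, &pid);
    if (pid == 0)
        return;

    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION, FALSE, pid);
    if (hProcess == NULL)
        return;

    hThread = CreateRemoteThread(hProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE)&ExitProcess, NULL, 0, NULL);
    if (hThread != NULL)
        CloseHandle(hThread);
    CloseHandle(hProcess);
}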