求哪位大牛将DELPHI代码翻译成C++代码下
Delphi(Pascal) code
;显示LinkTable的信息
ShowLinkTableInfo proc ptrLT
pushad
invoke DbgPrint, $CTA0("\nThe LinkTable Info:\n")
mov ebx, ptrLT
mov eax, (LinkTable ptr [ebx]).ThreadHandle
invoke DbgPrint, $CTA0("ThreadHandle:%0X\n"), eax
mov ebx, ptrLT
mov eax, (LinkTable ptr [ebx]).Dr0Seg
invoke DbgPrint, $CTA0("Dr0Seg:%0X\n"), eax
mov ebx, ptrLT
mov eax, (LinkTable ptr [ebx]).Dr1Seg
invoke DbgPrint, $CTA0("Dr1Seg:%0X\n"), eax
mov ebx, ptrLT
mov eax, (LinkTable ptr [ebx]).Dr2Seg
invoke DbgPrint, $CTA0("Dr2Seg:%0X\n"), eax
mov ebx, ptrLT
mov eax, (LinkTable ptr [ebx]).Dr3Seg
invoke DbgPrint, $CTA0("Dr3Seg:%0X\n"), eax
mov ebx, ptrLT
mov eax, (LinkTable ptr [ebx]).Dr6Seg
invoke DbgPrint, $CTA0("Dr6Seg:%0X\n"), eax
mov ebx, ptrLT
mov eax, (LinkTable ptr [ebx]).Dr7Seg
invoke DbgPrint, $CTA0("Dr7Seg:%0X\n"), eax
mov ebx, ptrLT
mov eax, (LinkTable ptr [ebx]).LinkPtr
invoke DbgPrint, $CTA0("LinkPtr:%0X\n"), eax
mov ebx, ptrLT
mov eax, (LinkTable ptr [ebx]).NextLinkPtr
invoke DbgPrint, $CTA0("NextLinkPtr:%0X\n"), eax
popad
ret
ShowLinkTableInfo endp
;判断该线程是否存在
;如果不存在则返回0,存在则返回指向该链表的指针,1代表链表为空
ExsitsLinkTable proc pHandle
pushad
mov eax, threadCxtLink
.if !eax ;链表为空
pushad
invoke DbgPrint, $CTA0("\nLinkTable Is Null.\n")
popad
popad
mov eax, 1
ret
.endif
@@:
mov ebx, (LinkTable ptr [eax]).ThreadHandle
cmp ebx, pHandle ;如果匹配已经存在
je @F
mov eax, (LinkTable ptr [eax]).NextLinkPtr
.if !eax ;已经到达末尾,没有找到匹配
pushad
invoke DbgPrint, $CTA0("\pHandle Is Not Found.\n")
popad
popad
xor eax, eax
ret
.endif
jmp @B
@@:
pushad
invoke DbgPrint, $CTA0("\npHandle Is Exsits.\n")
popad
invoke ShowLinkTableInfo, eax
;返回链表指针
mov tmpLink, eax
popad
mov eax, tmpLink
ret
ExsitsLinkTable endp
;拷贝Context到LinkTable中
CopyContextToLinkTable proc ptrContext, ptrLT
pushad
mov ebx, ptrContext
mov edx, ptrLT
mov ecx, 4
@@:
mov eax, DWORD ptr [ebx + ecx]
mov DWORD ptr [edx + ecx], eax
add ecx, 4
cmp ecx, 18h
jbe @B
popad
ret
CopyContextToLinkTable endp
;添加LinkTable表
AddLinkTable proc pHandle, ptrContext
pushad
invoke ExsitsLinkTable, pHandle
.if eax > 1
;已经存在只需要更新dr寄存器即可
invoke CopyContextToLinkTable, eax, ptrContext
.else
push eax
invoke ExAllocatePool, 1, size LinkTable
.if eax
;申请内存成功
mov ebx, eax
pop eax
;置地一个元素
mov ecx, pHandle
mov (LinkTable ptr [ebx]).ThreadHandle, ecx
;拷贝dr寄存器的值
invoke CopyContextToLinkTable, ptrContext, ebx
;置另外两个元素
mov (LinkTable ptr [ebx]).LinkPtr, ebx
mov (LinkTable ptr [ebx]).NextLinkPtr, 0
invoke ShowLinkTableInfo, ebx
;把新的链表项添加到链表中
.if eax == 1
;如果链表为空,直接加在表头
mov threadCxtLink, ebx
.else
;如果链表不为空则加到末尾
mov eax, threadCxtLink
@@:
;指向下一个元素
mov ecx, (LinkTable ptr [eax]).NextLinkPtr
test ecx, ecx
je @F
mov eax, ecx
jmp @B
@@:
mov (LinkTable ptr [eax]).NextLinkPtr, ebx
.endif
.else
;申请内存失败
pop eax
pushad
invoke DbgPrint, $CTA0("\nAlloc Memory Faild.\n")
popad
jmp @F
.endif
.endif
@@:
popad
ret
AddLinkTable endp
;判断进程是否过虑进程
;如果是需要过虑的进程返回值为1,否则返回0
IsFilterProcess proc
pushad
;获取当前进程名
invoke PsGetCurrentProcess
mov ebx, eax
add ebx, nameOffset
invoke DbgPrint, $CTA0("\n%s: Call NtGetContextThread \n"), ebx
invoke strncmp, $CTA0("DNF.exe"), ebx, 7
test eax, eax
jne @F
popad
mov eax, 1
ret
@@:
popad
xor eax, eax
ret
IsFilterProcess endp
;显示Context的调试寄存器
ShowDrRegInfo proc ptrContext
pushad
invoke DbgPrint, $CTA0("\nThe Context Info:\n")
mov ebx, ptrContext
mov eax, DWORD ptr [ebx + 4]
invoke DbgPrint, $CTA0("Dr0:%0X\n"), eax
mov ebx, ptrContext
mov eax, DWORD ptr [ebx + 8]
invoke DbgPrint, $CTA0("Dr1:%0X\n"), eax
mov ebx, ptrContext
mov eax, DWORD ptr [ebx + 0ch]
invoke DbgPrint, $CTA0("Dr2:%0X\n"), eax
mov ebx, ptrContext
mov eax, DWORD ptr [ebx + 10h]
invoke DbgPrint, $CTA0("Dr3:%0X\n"), eax
mov ebx, ptrContext
mov eax, DWORD ptr [ebx + 14h]
invoke DbgPrint, $CTA0("Dr6:%0X\n"), eax
mov ebx, ptrContext
mov eax, DWORD ptr [ebx + 18h]
invoke DbgPrint, $CTA0("Dr7:%0X\n"), eax
popad
ret
ShowDrRegInfo endp
;恢复被隐藏的dr寄存器
RecoveryDrReg proc ptrContext, pHandle
pushad
;定位到LinkTable
mov ebx, threadCxtLink
NEXT:
test ebx, ebx
jne @F ;如果没有遍历完
popad
ret
@@:
mov eax, (LinkTable ptr [ebx]).ThreadHandle
cmp eax, pHandle
je @F ;如果找到匹配项
mov ebx, (LinkTable ptr [ebx]).NextLinkPtr
jmp NEXT
@@:
;拷贝完毕后立即结束
invoke CopyContextToLinkTable, ebx, ptrContext
xor ebx, ebx
jmp NEXT
RecoveryDrReg endp
;清空Context的dr寄存器
ClearDrReg proc ptrContext
pushad
mov ebx, ptrContext
mov ecx, 4
@@:
mov DWORD ptr [ebx + ecx], 0
add ecx, 4
cmp ecx, 18h
jbe @B
pushad
invoke DbgPrint, $CTA0("\n-------------ClearDrReg-------------\n")
popad
invoke ShowDrRegInfo, ptrContext
popad
ret
ClearDrReg endp
;NtGetContextThread钩子代码
NtGetContextThreadHookCode proc
;ebx存放CONTEXT指针
mov ebx, DWORD ptr [ebp + 10h]
;线程句柄
mov edx, DWORD ptr [ebp + 0ch]
pushad
invoke ShowDrRegInfo, ebx
invoke IsFilterProcess
.if eax ;如果是DNF.exe
invoke AddLinkTable, edx, ebx
invoke ClearDrReg, ebx
.else ;如果不是DNF.exe
invoke RecoveryDrReg, ebx, edx
.endif
invoke ShowDrRegInfo, ebx
;执行被覆盖的代码
popad
mov eax, esi
pop esi
leave
ret
NtGetContextThreadHookCode endp
;NtGetContextThread加跳转
HookNtGetContextThread proc
pushad
;头5字节跳转
mov eax, offset NtGetContextThreadHookCode
sub eax, NtGetContextThreadAddr;805c13e0h;805c13edh
sub eax, 5
mov ebx, NtGetContextThreadAddr;805c13e0h;805c13edh
mov cl, 0E9h
mov BYTE PTR [ebx], cl
mov DWORD PTR [ebx + 1], eax
popad
ret
HookNtGetContextThread endp
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
invoke DbgPrint, $CTA0("Begin")
invoke PsGetCurrentProcess
invoke GetNameOffset, eax
mov nameOffset, eax
cmp eax, -1
je @F
mov nameOffset, eax
cli
mov eax, cr0
and eax, not 10000h
mov cr0, eax
call Hook
call HookThread
call Dbg
call HookNtGetContextThread
mov eax, pDriverObject
assume eax : ptr DRIVER_OBJECT
mov [eax].DriverUnload, offset DriverUnload
assume eax : nothing
mov eax, cr0
or eax, 10000h
mov cr0, eax
sti
invoke DbgPrint, $CTA0("End")
@@:
mov eax, STATUS_SUCCESS
ret
DriverEntry endp
end DriverEntry
[课程]Linux pwn 探索篇!
