能力值:
( LV10,RANK:163 )
|
-
-
2 楼
#pragma PAGEDCODE
ULONG Get_KiFastCall_Addr()
{
__asm
{
pushad
mov ecx,0x176
rdmsr
mov addr_KiFastCall,eax
popad
}
return addr_KiFastCall;
}
#pragma PAGEDCODE
VOID Get_NtOpenProcess()
{
addr_NtOpenProcess=GetSSDT_Addr(in_NtOpenProcess);
KdPrint(("NtOpenProcess的地址为:%x\r\n",addr_NtOpenProcess));
Nt_OpenProcess=(_NtOpenProcess*)addr_NtOpenProcess;
jmp_NtOpenProcess=addr_NtOpenProcess+5;
KdPrint(("NtOpenProcess的跳转地址为:%x\r\n",jmp_NtOpenProcess));
}
#pragma PAGEDCODE
VOID Get_NtOpenSection()
{
addr_NtOpenSection=GetSSDT_Addr(in_NtOpenSection);
KdPrint(("NtOpenSection的地址为:%x\r\n",addr_NtOpenSection));
Nt_OpenSection=(_NtOpenSection*)addr_NtOpenSection;
jmp_NtOpenSection=addr_NtOpenSection+7;
push_NtOpenSection=GetSSDT_Addr(in_NtCreateSection);
__asm
{
push eax
mov eax,push_NtOpenSection
mov eax,[eax+3]
sub eax,0x2C
add eax,0x14
mov push_NtOpenSection,eax
pop eax
}
KdPrint(("NtOpenSection的push地址为:%x\r\n",push_NtOpenSection));
KdPrint(("NtOpensection的跳转地址为:%x\r\n",jmp_NtOpenSection));
}
#pragma PAGEDCODE
VOID Get_NtProtectVirtualMemroy()
{
addr_NtProtectVirtualMemory=GetSSDT_Addr(in_NtProtectVirtualMemory);
KdPrint(("NtProtectVirtualMemory的地址为:%x\r\n",addr_NtProtectVirtualMemory));
Nt_ProtectVirtualMemory=(_NtProtectVirtualMemory*)addr_NtProtectVirtualMemory;
jmp_NtProtectVirtualMemory=addr_NtProtectVirtualMemory+7;
push_NtProtectVirtualMemory=GetSSDT_Addr(in_NtQuerySection);
__asm
{
push eax
mov eax,push_NtProtectVirtualMemory
mov eax,[eax+3]
sub eax,0x148
add eax,0x130
mov push_NtProtectVirtualMemory,eax
pop eax
}
KdPrint(("NtProtectVirtualMemory的push地址为:%x\r\n",push_NtProtectVirtualMemory));
KdPrint(("NtProtectVirttualMemory的跳转地址为:%x\r\n",jmp_NtProtectVirtualMemory));
}
#pragma PAGEDCODE
VOID Get_NtReadVirtualMemory()
{
addr_NtReadVirtualMemory=GetSSDT_Addr(in_NtReadVirtualMemory);
KdPrint(("NtReadVirtualMemory的地址为:%x\r\n",addr_NtReadVirtualMemory));
Nt_ReadVirtualMemory=(_NtReadVirtualMemory*)addr_NtReadVirtualMemory;
jmp_NtReadVirtualMemory=addr_NtReadVirtualMemory+7;
push_NtReadVirtualMemory=GetSSDT_Addr(in_NtQueryVirtualMemory);
__asm
{
push eax
mov eax,push_NtReadVirtualMemory
mov eax,[eax+6]
sub eax,0x1E8
mov push_NtReadVirtualMemory,eax
pop eax
}
KdPrint(("NtReadVirtualMemory的push地址为:%x\r\n",push_NtReadVirtualMemory));
KdPrint(("NtReadVirtualMemory的跳转地址为:%x\r\n",jmp_NtReadVirtualMemory));
}
#pragma PAGEDCODE
VOID Get_NtWriteVirtualMemory()
{
addr_NtWriteVirtualMemory=GetSSDT_Addr(in_NtWriteVirtualMemroy);
KdPrint(("NtWriteVirtualMemory的地址为:%x\r\n",addr_NtWriteVirtualMemory));
Nt_WriteVirtualMemory=(_NtWriteVirtualMemory*)addr_NtWriteVirtualMemory;
jmp_NtWriteVirtualMemory=addr_NtWriteVirtualMemory+7;
push_NtWriteVirtualMemory=GetSSDT_Addr(in_NtQueryVirtualMemory);
__asm
{
push eax
mov eax,push_NtWriteVirtualMemory
mov eax,[eax+6]
sub eax,0x1D0
mov push_NtWriteVirtualMemory,eax
pop eax
}
KdPrint(("NtWriteVirtualMemory的push地址为:%x\r\n",push_NtWriteVirtualMemory));
KdPrint(("NtWriteVirtualMemory的跳转地址为:%x\r\n",jmp_NtWriteVirtualMemory));
}
#pragma PAGEDCODE
VOID Get_MmMapViewOfSection()
{
addr_NtMapViewOfSection=GetSSDT_Addr(in_NtMapViewOfSection);
BYTE* _bp=(BYTE*)addr_NtMapViewOfSection;
do
{
if((*(_bp-5)==0x8B)&&(*(_bp-1)==0x53)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x8B)&&(*(_bp+7)==0x89))
{
addr_MmMapViewOfSection=(ULONG)_bp;
break;
}
_bp++;
}while(1);
__asm
{
push eax
push ebx
mov eax,addr_MmMapViewOfSection
mov ebx,[eax+1]
add eax,ebx
add eax,5
mov addr_MmMapViewOfSection,eax
pop ebx
pop eax
}
KdPrint(("MmMapViewOfSection的地址为:%x\r\n",addr_MmMapViewOfSection));
jmp_MmMapViewOfSection=addr_MmMapViewOfSection+5;
KdPrint(("MmMapViewOfSection的跳转地址为:%x\r\n",jmp_MmMapViewOfSection));
ObQueryNameString=GetSSDT_Addr(in_NtQueryVirtualMemory);
BYTE* _bp1=(BYTE*)ObQueryNameString;
do
{
if((*(_bp1-10)==0x68)&&(*(_bp1-5)==0x68)&&(*(_bp1)==0xE8)&&(*(_bp1+5)==0xC7)&&(*(_bp1+12)==0x83))
{
ObQueryNameString=(ULONG)_bp1-10;
break;
}
_bp1++;
}while(1);
Ob_QueryNameString=(_ObQueryNameString*)ObQueryNameString;
KdPrint(("ObQueryNameString的地址为:%x\r\n",ObQueryNameString));
}
#pragma PAGEDCODE
VOID Get_KeAttachProcess()
{
UNICODE_STRING u_KeAttachProcess;
RtlInitUnicodeString(&u_KeAttachProcess,L"KeAttachProcess");
addr_KeAttachProcess=(ULONG)MmGetSystemRoutineAddress(&u_KeAttachProcess);
KdPrint(("KeAttachProcess的地址为:%x\r\n",addr_KeAttachProcess));
Ke_AttachProcess=(_KeAttachProcess*)addr_KeAttachProcess;
jmp_KeAttachProcess=addr_KeAttachProcess+5;
KdPrint(("KeAttachProcess的跳转地址为:%x\r\n",jmp_KeAttachProcess));
}
#pragma PAGEDCODE
VOID Get_KeStackAttachProcess()
{
UNICODE_STRING u_KeStackAttachProcess;
RtlInitUnicodeString(&u_KeStackAttachProcess,L"KeStackAttachProcess");
addr_KeStackAttachProcess=(ULONG)MmGetSystemRoutineAddress(&u_KeStackAttachProcess);
KdPrint(("KeStackAttachProcess的地址为:%x\r\n",addr_KeStackAttachProcess));
Ke_StackAttachProcess=(_KeStackAttachProcess*)addr_KeStackAttachProcess;
jmp_KeStackAttachProess=addr_KeStackAttachProcess+5;
KdPrint(("KiStackAttachProecss的跳转地址为:%x\r\n",jmp_KeStackAttachProess));
}
#pragma PAGEDCODE
VOID Get_NtDeviceIoControlFile()
{
addr_NtDeviceIoControlFile=GetSSDT_Addr(in_NtDeviceIoControlFile);
Nt_DeviceIoControlFile=(_NtDeviceIoControlFile*)addr_NtDeviceIoControlFile;
KdPrint(("NtDeviceIoControlFile的地址为:%x\r\n",addr_NtDeviceIoControlFile));
jmp_NtDeviceIoControlFile=addr_NtDeviceIoControlFile+5;
KdPrint(("NtDeviceIoControlFile的跳转地址为:%x\r\n",jmp_NtDeviceIoControlFile));
}
#pragma PAGEDCODE
VOID Get_NtWriteFile()
{
addr_NtWriteFile=GetSSDT_Addr(in_NtWriteFile);
Nt_WriteFile=(_NtWriteFile*)addr_NtWriteFile;
KdPrint(("NtWriteFile的地址为:%x\r\n",addr_NtWriteFile));
push_NtWriteFile=GetSSDT_Addr(in_NtUnlockFile);
__asm
{
push eax
mov eax,push_NtWriteFile
add eax,2
mov eax,[eax+1]
sub eax,0x1ac
add eax,0x3bc
mov push_NtWriteFile,eax
pop eax
}
jmp_NtWriteFile=addr_NtWriteFile+7;
KdPrint(("NtWriteFile的push地址为:%x\r\n",push_NtWriteFile));
KdPrint(("NtWriteFile的跳转地址为:%x\r\n",jmp_NtWriteFile));
}
#pragma PAGEDCODE
VOID Get_IofCallDriver()
{
__asm
{
push dword ptr[IofCallDriver]
pop addr_IofCallDriver
}
KdPrint(("IofCallDriver的地址为:%x\r\n",addr_IofCallDriver));
Iof_CallDriver=(_IofCallDriver*)addr_IofCallDriver;
__asm
{
push eax
mov eax,addr_IofCallDriver
mov eax,[eax+2]
add eax,4
mov jmp_IofCallDriver,eax
pop eax
}
KdPrint(("IofCallDriver的跳转地址为:%x\r\n",jmp_IofCallDriver));
}
#pragma PAGEDCODE
VOID Get_KiAttachProcess()
{
BYTE* _bp=(BYTE*)addr_KeAttachProcess;
while(1)
{
if((*(_bp-5)==0xFF)&&(*(_bp-1)==0x56)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x5F)&&(*(_bp+7)==0x5D))
{
addr_KiAttachProcess=(ULONG)_bp;
break;
}
_bp++;
}
__asm
{
push eax
push ebx
mov eax,addr_KiAttachProcess
mov ebx,[eax+1]
add eax,ebx
add eax,5
mov addr_KiAttachProcess,eax
pop ebx
pop eax
}
KdPrint(("KiAttachProcess的地址为:%x\r\n",addr_KiAttachProcess));
Ki_AttachProcess=(_KiAttachProcess*)addr_KiAttachProcess;
jmp_KiAttachProcess=(ULONG)(addr_KiAttachProcess+5);
KdPrint(("KiAttachProcess的跳转地址为:%x\r\n",jmp_KiAttachProcess));
}
#pragma PAGEDCODE
VOID Get_KiMoveApcState()
{
BYTE* _bp=(BYTE*)addr_KiAttachProcess;
while(1)
{
if((*(_bp-4)==0x8D)&&(*(_bp-1)==0x53)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x89)&&(*(_bp+8)==0x89))
{
addr_KiMoveApcState=(ULONG)_bp;
break;
}
_bp++;
}
__asm
{
push eax
push ebx
mov eax,addr_KiMoveApcState
mov ebx,[eax+1]
add eax,ebx
add eax,5
mov addr_KiMoveApcState,eax
pop ebx
pop eax
}
KdPrint(("KiMoveApcState的地址为:%x\r\n",addr_KiMoveApcState));
Ki_MoveApcState=(_KiMoveApcState*)addr_KiMoveApcState;
jmp_KiMoveApcState=(ULONG)(addr_KiMoveApcState+5);
KdPrint(("KiMoveApcState的跳转地址为:%x\r\n",jmp_KiMoveApcState));
}
#pragma PAGEDCODE
VOID Get_NtSetInformationThread()
{
addr_NtSetInformationThread=GetSSDT_Addr(in_NtSetInformationThread);
Nt_SetInformationThread=(_NtSetInformationThread*)addr_NtSetInformationThread;
KdPrint(("NtSetInformationThread的地址为:%x\r\n",addr_NtSetInformationThread));
}
jmp_code jmp_code_MmMapViewOfSection;
pjmp_code pjmp_code_MmMapViewOfSection;
#pragma PAGEDCODE
VOID Hook_MmMapViewOfSection()
{
pjmp_code_MmMapViewOfSection=(pjmp_code)addr_MmMapViewOfSection;
jmp_code_MmMapViewOfSection.E9=pjmp_code_MmMapViewOfSection->E9;
jmp_code_MmMapViewOfSection.Addr=pjmp_code_MmMapViewOfSection->Addr;
ULONG u_addr;
__asm
{
push eax
mov eax,My_MmMapViewOfSection
mov u_addr,eax
pop eax
}
PAGED_Open();
pjmp_code_MmMapViewOfSection->E9=0xE9;
pjmp_code_MmMapViewOfSection->Addr=(ULONG)(u_addr-addr_MmMapViewOfSection-5);
PAGED_Exit();
}
jmp_code jmp_code_KiFastCallEntry;
pjmp_code pjmp_code_KiFastCallEntry;
#pragma INITCODE
VOID Hook_KiFastCall()
{
BYTE* _bp=(BYTE*)Get_KiFastCall_Addr();
while(1)
{
if((*(_bp-8)==0x8B)&&(*(_bp-5)==0x33)&&(*(_bp-3)==0x8A)&&(*(_bp)==0x8B)&&(*(_bp+2)==0x8B))
{
hook_KiFastCall=(ULONG)_bp;
KdPrint(("HOOK KiFastCallEntry的地址为:%x\n",hook_KiFastCall));
break;
}
_bp++;
}
ULONG u_function_addr;
__asm
{
push eax
mov eax,My_KiFastCall
mov u_function_addr,eax
pop eax
}
jmp_KiFastCall=hook_KiFastCall+5;
pjmp_code_KiFastCallEntry=(pjmp_code)hook_KiFastCall;
jmp_code_KiFastCallEntry.E9=pjmp_code_KiFastCallEntry->E9;
jmp_code_KiFastCallEntry.Addr=pjmp_code_KiFastCallEntry->Addr;
PAGED_Open();
pjmp_code_KiFastCallEntry->E9=0xE9;
pjmp_code_KiFastCallEntry->Addr=(ULONG)(u_function_addr-hook_KiFastCall-5);
PAGED_Exit();
}
//------------------------------------------------------------------------------------
#pragma PAGEDCODE
extern "C"
NTSTATUS __declspec(naked) My_NtOpenProcess(__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
)
{
__asm
{
push 0C4h
push dword ptr jmp_NtOpenProcess
ret
}
}
#pragma PAGEDCODE
extern "C"
NTSTATUS __declspec(naked) My_NtOpenSection(__out PHANDLE SectionHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes
)
{
_asm
{
push 18h
push push_NtOpenSection
push dword ptr jmp_NtOpenSection
ret
}
}
#pragma PAGEDCODE
extern "C"
NTSTATUS __declspec(naked) My_NtProtectVirtualMemory( __in HANDLE ProcessHandle,
__inout PVOID * BaseAddress,
__inout PSIZE_T RegionSize,
__in ULONG NewProtect,
__out PULONG OldProtect
)
{
__asm
{
push 44h
push push_NtProtectVirtualMemory
push dword ptr jmp_NtProtectVirtualMemory
ret
}
}
#pragma PAGEDCODE
extern "C"
NTSTATUS __declspec(naked) My_NtReadVirtualMemory ( __in HANDLE ProcessHandle,
__in_opt PVOID BaseAddress,
__out_bcount(BufferSize) PVOID Buffer,
__in SIZE_T BufferSize,
__out_opt PSIZE_T NumberOfBytesRead
)
{
__asm
{
push 1Ch
push push_NtReadVirtualMemory
push dword ptr jmp_NtReadVirtualMemory
ret
}
}
#pragma PAGEDCODE
extern "C"
NTSTATUS __declspec(naked) My_NtWriteVirtualMemory ( __in HANDLE ProcessHandle,
__in_opt PVOID BaseAddress,
__in_bcount(BufferSize) CONST VOID * Buffer,
__in SIZE_T BufferSize,
__out_opt PSIZE_T NumberOfBytesWritten
)
{
__asm
{
push 1Ch
push push_NtWriteVirtualMemory
push dword ptr jmp_NtWriteVirtualMemory
ret
}
}
#pragma PAGEDCODE
extern "C"
VOID __declspec(naked) My_KeAttachProcess(__inout PRKPROCESS Process)
{
__asm
{
mov edi,edi
push ebp
mov ebp,esp
push dword ptr jmp_KeAttachProcess
ret
}
}
#pragma PAGEDCODE
extern "C"
VOID __declspec(naked) My_KeStackAttachProcess ( __inout PRKPROCESS PROCESS,
__out PRKAPC_STATE ApcState
)
{
__asm
{
mov edi,edi
push ebp
mov ebp,esp
push dword ptr jmp_KeStackAttachProess
ret
}
}
#pragma PAGEDCODE
extern "C"
NTSTATUS __declspec(naked) My_NtDeviceIoControlFile ( __in HANDLE FileHandle,
__in_opt HANDLE Event,
__in_opt PIO_APC_ROUTINE ApcRoutine,
__in_opt PVOID ApcContext,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in ULONG IoControlCode,
__in_bcount_opt(InputBufferLength) PVOID InputBuffer,
__in ULONG InputBufferLength,
__out_bcount_opt(OutputBufferLength) PVOID OutputBuffer,
__in ULONG OutputBufferLength
)
{
__asm
{
mov edi,edi
push ebp
mov ebp,esp
push dword ptr jmp_NtDeviceIoControlFile
ret
}
}
#pragma PAGEDCODE
extern "C"
NTSTATUS __declspec(naked) My_NtWriteFile ( __in HANDLE FileHandle,
__in_opt HANDLE Event,
__in_opt PIO_APC_ROUTINE ApcRoutine,
__in_opt PVOID ApcContext,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in_bcount(Length) PVOID Buffer,
__in ULONG Length,
__in_opt PLARGE_INTEGER ByteOffset,
__in_opt PULONG Key
)
{
__asm
{
push 64h
push dword ptr push_NtWriteFile
push dword ptr jmp_NtWriteFile
ret
}
}
extern "C"
NTSTATUS __declspec(naked) My_IofCallDriver ( IN PDEVICE_OBJECT DeviceObject,
IN OUT PIRP Irp
)
{
__asm
{
outs dx,byte ptr [esi]
add dword ptr[edi-80h],ecx
push dword ptr jmp_IofCallDriver
ret
}
}
extern "C"
NTSTATUS __stdcall My_NtSetInformationThread ( __in HANDLE ThreadHandle,
__in THREADINFOCLASS ThreadInformationClass,
__in_bcount(ThreadInformationLength) PVOID ThreadInformation,
__in ULONG ThreadInformationLength
)
{
if(ThreadInformationClass==0x11)
{
KdPrint(("发现Anti行为!\n"));
ThreadInformationClass=(THREADINFOCLASS)0xFF;
return STATUS_SUCCESS;
}
return Nt_SetInformationThread(ThreadHandle,ThreadInformationClass,ThreadInformation,ThreadInformationLength);
}
extern "C"
VOID __declspec(naked) My_KiAttachProcess ( __inout PRKTHREAD Thread,
__in PRKPROCESS Process,
__in PKLOCK_QUEUE_HANDLE LockHandle,
__out PRKAPC_STATE SavedApcState
)
{
__asm
{
mov edi,edi
push ebp
mov ebp,esp
push dword ptr jmp_KiAttachProcess
ret
}
}
extern "C"
VOID __declspec(naked) My_KiMoveApcState ( __in PKAPC_STATE Source,
__out PKAPC_STATE Destination
)
{
__asm
{
mov edi,edi
push ebp
mov ebp,esp
push dword ptr jmp_KiMoveApcState
ret
}
}
//-------------------------------------------------------------------
ANSI_STRING str_b0;
ANSI_STRING str_b1;
ANSI_STRING str_b2;
ANSI_STRING str_b3;
ANSI_STRING str_b4;
ANSI_STRING str_b5;
ANSI_STRING str_b6;
PEPROCESS eprocess_KiFastCallEntry;
#pragma PAGEDCODE
VOID __declspec(naked) My_KiFastCall()
{
__asm
{
pushad
pushfd
}
eprocess_KiFastCallEntry=IoGetCurrentProcess();
RtlInitString(&str_b0,(PCSZ)((ULONG)eprocess_KiFastCallEntry+0x174));
RtlInitString(&str_b1,_process_name7);
RtlInitString(&str_b2,_process_name8);
RtlInitString(&str_b3,_process_name9);
RtlInitString(&str_b4,_process_name10);
RtlInitString(&str_b5,_process_name11);
RtlInitString(&str_b6,_process_name12);
//-------------------------------------------------------
if( (RtlCompareString(&str_b1,&str_b0,TRUE)==0)||
(RtlCompareString(&str_b2,&str_b0,TRUE)==0)||
(RtlCompareString(&str_b3,&str_b0,TRUE)==0)||
(RtlCompareString(&str_b4,&str_b0,TRUE)==0)||
(RtlCompareString(&str_b5,&str_b0,TRUE)==0)||
(RtlCompareString(&str_b6,&str_b0,TRUE)==0) )
{
__asm
{
popfd
popad
pushad
pushfd
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
cmp eax,in_NtOpenProcess
jz __NtOpenProcess_OD
mov eax,in_NtOpenSection
jz __NtOpenSecion_OD
cmp eax,in_NtProtectVirtualMemory
jz __NtProtectVirtualMemory_OD
cmp eax,in_NtReadVirtualMemory
jz __NtReadVirtualMemory_OD
cmp eax,in_NtWriteVirtualMemroy
jz __NtWriteVirtualMemory_OD
cmp ebx,addr_KeAttachProcess
jz __KeAttachProcess_OD
cmp ebx,addr_KeStackAttachProcess
jz __KeStackAttachProcess_OD
cmp eax,in_NtDeviceIoControlFile
jz __NtDeviceIoControlFile_OD
cmp eax,in_NtWriteFile
jz __NtWriteFile_OD
cmp ebx,addr_IofCallDriver
jz __IofCallDriver_OD
cmp eax,in_NtSetInformationThread
jz __NtSetInformationThread_OD
cmp ebx,addr_KiAttachProcess
jz __KiAttachProcess_OD
cmp ebx,addr_KiMoveApcState
jz __KiMoveApcState_OD
popfd
popad
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
jmp dword ptr jmp_KiFastCall
__NtOpenProcess_OD:
popfd
popad
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
mov ebx,My_NtOpenProcess
jmp dword ptr jmp_KiFastCall
__NtOpenSecion_OD:
popfd
popad
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
mov ebx,My_NtOpenSection
jmp dword ptr jmp_KiFastCall
__NtProtectVirtualMemory_OD:
popfd
popad
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
mov ebx,My_NtProtectVirtualMemory
jmp dword ptr jmp_KiFastCall
__NtReadVirtualMemory_OD:
popfd
popad
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
mov ebx,My_NtReadVirtualMemory
jmp dword ptr jmp_KiFastCall
__NtWriteVirtualMemory_OD:
popfd
popad
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
mov ebx,My_NtWriteVirtualMemory
jmp dword ptr jmp_KiFastCall
__KeAttachProcess_OD:
popfd
popad
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
mov ebx,My_KeAttachProcess
jmp dword ptr jmp_KiFastCall
__KeStackAttachProcess_OD:
popfd
popad
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
mov ebx,My_KeStackAttachProcess
jmp dword ptr jmp_KiFastCall
__NtDeviceIoControlFile_OD:
popfd
popad
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
mov ebx,My_NtDeviceIoControlFile
jmp dword ptr jmp_KiFastCall
__NtWriteFile_OD:
popfd
popad
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
mov ebx,My_NtWriteFile
jmp dword ptr jmp_KiFastCall
__IofCallDriver_OD:
popfd
popad
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
mov ebx,My_IofCallDriver
jmp dword ptr jmp_KiFastCall
__NtSetInformationThread_OD:
popfd
popad
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
mov ebx,My_NtSetInformationThread
jmp dword ptr jmp_KiFastCall
__KiAttachProcess_OD:
popfd
popad
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
mov ebx,My_KiAttachProcess
jmp dword ptr jmp_KiFastCall
__KiMoveApcState_OD:
popfd
popad
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
mov ebx,My_KiMoveApcState
jmp dword ptr jmp_KiFastCall
}
}
__asm
{
popfd
popad
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
jmp dword ptr jmp_KiFastCall
}
}
#pragma PAGEDCODE
VOID UnHook_KiFastCall()
{
PAGED_Open();
pjmp_code_KiFastCallEntry->E9=jmp_code_KiFastCallEntry.E9;
pjmp_code_KiFastCallEntry->Addr=jmp_code_KiFastCallEntry.Addr;
PAGED_Exit();
}
|
恭喜你答对了。
这。。还真不是一般的难懂..
