[旧帖] [原创]过GPK驱动源码,学习之用 0.00雪花
发表于: 2012-7-4 22:00 1680
#include "ntddk.h"
#include "windef.h"
// Layout of one system service descriptor table entry (the first entry of
// nt!KeServiceDescriptorTable). Only the first field is consumed in this
// file: SSDTIndextoFunAddr and the inline asm in DriverEntry load it and index
// it as an array of ULONG routine addresses. NumberOfServices is never used,
// so no service index in this file is bounds-checked.
// Note that the typedef names a POINTER to the struct ('*ssdt' below); the
// extern declaration that follows depends on that.
typedef struct _ServiceDescriptorTable {
PVOID ServiceTableBase;        // ULONG[NumberOfServices]: service routine addresses
PVOID ServiceCounterTable;     // unused here
unsigned int NumberOfServices; // unused here (no bounds check anywhere)
PVOID ParamTableBase;          // unused here
}*ssdt;
// nt!KeServiceDescriptorTable, imported from the kernel and declared here as
// a pointer type. The inline asm that reads it (SSDTIndextoFunAddr, the slot
// lookup in DriverEntry) dereferences the symbol's value once more before
// indexing. NOTE(review): that only yields ServiceTableBase when the symbol
// resolves to the import slot (no __declspec(dllimport) is used); with a
// different link model the same asm would index the wrong memory. Confirm
// against a disassembly of the built driver before reusing this on another
// toolchain.
extern "C" ssdt KeServiceDescriptorTable;
// Unused: the only references to jmpcode are in commented-out code. 0xe9 also
// does not fit MSVC's default signed char (truncation warning).
char jmpcode=0xe9;
// Hook bookkeeping shared by DriverEntry (writer), the pass* detours (readers)
// and unload. Names ending in _N hold "routine address + N bytes": the
// instruction boundary at which a detour resumes after replaying the first N
// bytes by hand. "pianyi" (偏移) is used for the address of the 5-byte
// jmp/call whose rel32 operand gets patched.
ULONG Objectaddr;               // ObCheckObjectAccess
ULONG ntwriteaddr_7;            // NtWriteaddr + 7 (resume point for passNtwrite)
ULONG *realapc;                 // pool copy of KeInitializeApc's body from +6 on, with byte 0 forced to 0x8b
LONG Objectaddr_13;             // ObCheckObjectAccess + 13 (declared LONG, unlike its siblings)
ULONG Ntcreateaddr_7;           // (pre-patch SSDT[53] target) + 7 (resume point for passCreateThread)
ULONG realNtCreateThread;       // dword found at offset 1 of the pre-patch SSDT[53] target
ULONG realGameAttachaddr;       // dword saved from the KeAttachProcess stub before it was overwritten
ULONG SysAttachaddr_6;          // KeAttachProcess + 6 (resume point for passAttachprocess)
ULONG realObcall;               // absolute original target of the call DriverEntry redirects to passObject
ULONG realObcallpianyi;         // that call's original raw rel32 (the value a restore must write back)
ULONG jmpObcall;                // rel32 that makes the same call reach passObject
ULONG *PrealObcall;             // address of that call's opcode byte
ULONG KeInitializeApcpushaddr;  // KeInitializeApc at first; after DriverEntry, the final jmp target decoded from its stub
ULONG KeInitializeApcaddr_6;    // KeInitializeApc + 6
ULONG KeInitializeApcpushpianyi;// stub address = dword at KeInitializeApc+1; its rel32 at +1 is patched
ULONG NtWriteaddr;              // pre-patch SSDT[277] target
ULONG realNtWriteaddr;          // dword saved from *(NtWriteaddr+1)+1 before a rel32 was written there
// Returns the routine address stored in entry `index` of the first system
// service table (ServiceTableBase[index]).
// `index` is never validated against NumberOfServices; a bad index reads past
// the table. The values DriverEntry passes (53 and 277) are literal service
// numbers that are specific to one OS build.
// The asm clobbers ebx without saving it; that relies on MSVC's inline-asm
// rule that EAX/EBX/ECX/EDX/ESI/EDI need not be preserved by the programmer.
// NOTE(review): the value of the symbol is dereferenced once more before the
// first field is read; see the comment on the extern declaration.
ULONG SSDTIndextoFunAddr( int index)// returns the start address of the routine at this (decimal) index
{ LONG retaddr;
_asm
{
mov eax,KeServiceDescriptorTable   // eax = value stored at the symbol
mov eax,[eax]                      // eax = first field of the table it points to (ServiceTableBase)
mov ebx,index
shl ebx,2                          // index * sizeof(ULONG)
add eax,ebx                        // eax = &ServiceTableBase[index]
mov eax,[eax]                      // eax = ServiceTableBase[index]
mov retaddr,eax
}
return retaddr;                    // LONG -> ULONG conversion, no value change
}
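// DriverUnload: undo every code patch DriverEntry made, using the values it
// recorded, then release the pool copy of KeInitializeApc's body.
// As originally posted this routine restored nothing (all restore code was
// commented out), so unloading left the patched jmp/call operands and the
// SSDT entry pointing into freed driver memory; the next call through any of
// them crashed the machine.
//
// Remaining caveats that cannot be solved from inside this design:
//  * Nothing counts callers that are still inside a pass* routine or inside
//    realapc. If one is mid-flight when the image is unmapped it faults, so
//    unloading on a busy system is still unsafe, merely less so.
//  * cli and clearing CR0.WP act on the current CPU only. Each restore below
//    is a single aligned 4-byte store, which is the best this layout allows.
//  * The restore values are the ones DriverEntry recorded. DriverUnload is
//    registered only after all patches are in place, so along the normal path
//    they are always populated.
void unload(PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING attachName;
    ULONG attachFn;     // KeAttachProcess
    ULONG attachStub;   // dword operand at KeAttachProcess+1, derived exactly as DriverEntry derives it
    ULONG ssdtSlot;     // address of service table entry 0x35 (== 53)
    KIRQL irql;

    UNREFERENCED_PARAMETER(DriverObject);

    // Resolve before raising IRQL: MmGetSystemRoutineAddress requires PASSIVE_LEVEL.
    RtlInitUnicodeString(&attachName, L"KeAttachProcess");
    attachFn = (ULONG)MmGetSystemRoutineAddress(&attachName);
    attachStub = attachFn ? *(ULONG *)(attachFn + 1) : 0;

    // Same double-indirect lookup DriverEntry used to find the slot it overwrote.
    _asm
    {
        mov eax, KeServiceDescriptorTable
        mov eax, [eax]
        mov ebx, 0x35
        shl ebx, 2
        add eax, ebx
        mov ssdtSlot, eax
    }

    irql = KeRaiseIrqlToDpcLevel();
    __asm   // allow writes to read-only kernel text (this CPU)
    {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }

    // ObCheckObjectAccess: the call whose opcode sits at PrealObcall gets its
    // original rel32 back (realObcallpianyi is the raw value saved before patching).
    *(ULONG *)((ULONG)PrealObcall + 1) = realObcallpianyi;

    // SSDT[53]: DriverEntry recorded the previous target as Ntcreateaddr_7 - 7
    // before pointing the slot at passCreateThread.
    *(ULONG *)ssdtSlot = Ntcreateaddr_7 - 7;

    // NtWrite stub: put back the dword DriverEntry saved from (stub + 1).
    *(ULONG *)(*(ULONG *)(NtWriteaddr + 1) + 1) = realNtWriteaddr;

    // KeInitializeApc stub: DriverEntry decoded target = rel32 + stub + 5 into
    // KeInitializeApcpushaddr, so the original rel32 is target - stub - 5.
    *(ULONG *)(KeInitializeApcpushpianyi + 1) =
        KeInitializeApcpushaddr - KeInitializeApcpushpianyi - 5;

    // KeAttachProcess stub: restore the dword saved in realGameAttachaddr.
    if (attachStub != 0)
        *(ULONG *)(attachStub + 1) = realGameAttachaddr;

    __asm   // re-protect kernel text and re-enable interrupts
    {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }
    KeLowerIrql(irql);

    // Nothing jumps into the relocated copy any more; release it
    // (tag matches the 0x123 DriverEntry allocated with).
    if (realapc != NULL)
    {
        ExFreePoolWithTag(realapc, 0x123);
        realapc = NULL;
    }
    KdPrint(("123"));
}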
// Detour reached through the rel32 that DriverEntry rewrites inside the stub
// found at KeInitializeApc+1 ("pass apc" section). Naked: the compiler emits
// no prologue, so a frame is built by hand around the two C calls below.
//  - current process named "mir3.dat": continue to KeInitializeApcpushaddr,
//    the target the stub originally jumped to (decoded by DriverEntry).
//  - any other process: replay KeInitializeApc's first 5 bytes
//    (mov edi,edi / push ebp / mov ebp,esp) and jump to realapc, the pool copy
//    DriverEntry built of the body (byte 0 forced to 0x8b, then the bytes from
//    KeInitializeApc+6 on), so the stub is skipped entirely.
// Caveats: the 0x174 process-name offset is hard-coded (GetProcessNameOffset
// below is never called); strcmp assumes the name field is NUL-terminated;
// eax/ecx/edx are clobbered by the C calls, which is tolerable only because
// control lands at a function entry point either way.
_declspec (naked) void passKeApcIni()
{
char * curproc;
_asm {
push ebp
mov ebp, esp
sub esp, __LOCAL_SIZE          // space for curproc (MSVC provides __LOCAL_SIZE in naked functions)
}
curproc= (char *)PsGetCurrentProcess()+0x174;   // EPROCESS image-name field at a hard-coded offset
if (strcmp(curproc,"mir3.dat")==0)
{
_asm
{
mov esp, ebp
pop ebp
push KeInitializeApcpushaddr   // push target + retn == indirect jmp
retn
}
}
else
{_asm
{
mov esp, ebp
pop ebp
mov edi,edi                    // replay of the 5 prologue bytes the stub overwrote
push ebp
mov ebp,esp
push realapc                   // continue in the relocated copy of the body
retn
}
}
}
// Installed by DriverEntry directly into SSDT entry 53 (0x35), so it is
// entered exactly as the previous target was; neither path adjusts the
// caller's stack. Naked, hand-built frame.
//  - "mir3.dat": jump to realNtCreateThread, the dword DriverEntry read at
//    offset 1 of the previous SSDT target (whatever that target's first
//    instruction referenced -- presumably the third-party handler).
//  - everyone else: push 28 and 0, then resume 7 bytes into the previous
//    target. The two pushes stand in for the first 7 bytes of that routine
//    as they were before being overwritten; the author marks the second
//    operand "may change", so this is tied to one exact build.
// The 0x174 process-name offset is hard-coded; see GetProcessNameOffset.
_declspec (naked) void passCreateThread()
{
char * curproc;
_asm {
push ebp
mov ebp, esp
sub esp, __LOCAL_SIZE
}
curproc= (char *)PsGetCurrentProcess()+0x174;
if (strcmp(curproc,"mir3.dat")==0)
{
_asm
{
mov esp, ebp
pop ebp
push realNtCreateThread        // indirect jmp to the saved dword
retn
}
}
else
{_asm
{
mov esp, ebp
pop ebp
push 28                        // replayed prologue: first push
push 0// may change            // replayed prologue: second push, operand is build-specific
push Ntcreateaddr_7            // resume at previous target + 7
retn
}
}
}
// Detour reached through the rel32 DriverEntry rewrites in the stub whose
// address is the dword at KeAttachProcess+1. Unlike its siblings it performs
// NO process-name check (that code is commented out below): every caller
// replays KeAttachProcess's first 6 bytes (mov edi,edi / push ebp /
// mov ebp,esp / push esi) and resumes at KeAttachProcess+6, i.e. the stub is
// bypassed for all processes. Naked; since nothing is called, no frame is
// built and no register is disturbed beyond what the replayed prologue does.
_declspec (naked) void passAttachprocess()
{
/* char * curproc;
_asm {
push ebp
mov ebp, esp
sub esp, __LOCAL_SIZE
}
curproc=(char *)PsGetCurrentProcess()+0x174;
{KdPrint(("1111%s ",curproc));//*/
_asm
{
//mov esp, ebp
// pop ebp
mov edi,edi                    // replay of the 6 overwritten prologue bytes
push ebp
mov ebp,esp
push esi
push SysAttachaddr_6// KeAttachProcess + 6: resume in the original body
retn
}
}
// Detour for the SSDT entry 277 hook ("NtWrite" in the author's naming).
// DriverEntry writes a rel32 to this routine at (*(NtWriteaddr+1))+1, i.e.
// one byte into the stub whose address is stored at NtWriteaddr+1.
//  - "mir3.dat": `jmp realNtWriteaddr` is an indirect jump through the
//    global, so it treats the saved dword as an ABSOLUTE address.
//    NOTE(review): DriverEntry replaced that same dword with a rel32
//    (passNtwrite - stub - 5). Both readings cannot be right for one
//    opcode: if the saved value is a displacement this path jumps to garbage;
//    if it is an absolute address the rel32 DriverEntry wrote is wrong.
//    Check the stub's first instruction before trusting the mir3 path.
//  - everyone else: push 0x1c and 0 (second operand marked "may change"),
//    then resume at NtWriteaddr+7, replaying the prologue bytes the stub
//    overwrote and bypassing it. This assumes the stub reached us with a
//    jmp, not a call (no return address is discarded here).
// The if has no else; the second asm block is the fall-through path.
// 0x174 process-name offset hard-coded, as in the other pass* routines.
_declspec (naked) void passNtwrite()
{
char * curproc;
_asm {
// add esp,4
push ebp
mov ebp, esp
sub esp, __LOCAL_SIZE
}
curproc= (char *)PsGetCurrentProcess()+0x174;
if (strcmp(curproc,"mir3.dat")==0)
{
_asm
{
mov esp, ebp
pop ebp
jmp realNtWriteaddr;           // jmp dword ptr [realNtWriteaddr]: absolute, see note above
}
}
//
_asm{
mov esp, ebp
pop ebp
push 0x1c                      // replayed prologue
push 0// may change            // replayed prologue: operand is build-specific
push ntwriteaddr_7             // resume at NtWriteaddr + 7
retn
}
}
// Detour for the ObCheckObjectAccess-side hook. DriverEntry rewrites the
// rel32 of a CALL (opcode at PrealObcall) so that it calls this routine; the
// author's comment "needs to be reached by call" records that a return
// address is on the stack on entry.
//  - "mir3.dat": tail-jump to realObcall, the call's original absolute
//    target, leaving the return address in place so it returns normally.
//  - everyone else: `add esp,4` discards that return address, then the first
//    13 bytes of ObCheckObjectAccess (mov edi,edi / push ebp / mov ebp,esp /
//    sub esp,10h / mov eax,[ebp+8] / push esi / push edi) are replayed and
//    control resumes at ObCheckObjectAccess+13. This only works if the stack
//    at the call site is still the function's original entry frame (nothing
//    pushed between entry and that call), which is assumed, not checked.
// 0x174 process-name offset hard-coded, as in the other pass* routines.
_declspec (naked) void passObject()// must be reached by call (a return address is expected on the stack)
{
char * curproc;
_asm {
// add esp,4
push ebp
mov ebp, esp
sub esp, __LOCAL_SIZE
}
curproc= (char *)PsGetCurrentProcess()+0x174;
if (strcmp(curproc,"mir3.dat")==0)
{
_asm
{
mov esp, ebp
pop ebp
//add esp,4
//push PrealObcall+5
push realObcall                // indirect jmp to the original call target; return address kept
retn
}
}
//
_asm{
mov esp, ebp
pop ebp
add esp,4                      // drop the return address pushed by the patched call
mov edi,edi                    // replay of ObCheckObjectAccess's first 13 bytes
push ebp
mov ebp,esp
sub esp,10h
mov eax,[ebp+8]
push esi
push edi
jmp Objectaddr_13              // jmp dword ptr [Objectaddr_13]: resume at ObCheckObjectAccess + 13
}
}
// Locate the image-name field inside EPROCESS by scanning the current process
// object for the string "System". Only meaningful while the current process
// is the System process (e.g. during DriverEntry). Returns the byte offset at
// which "System" starts, or 0 when it is not found within the first 4096
// bytes (0 is also a legal offset, so callers cannot tell the two apart).
// Not called anywhere in this listing: the pass* routines hard-code 0x174.
DWORD GetProcessNameOffset()
{
    const char *needle = "System";
    const size_t needleLen = strlen(needle);
    PCHAR base = (PCHAR)PsGetCurrentProcess();
    DWORD offset = 0;

    while (offset < 4096)
    {
        if (strncmp(needle, base + offset, needleLen) == 0)
            return offset;
        offset++;
    }
    return 0;
}
// Installs five code patches that route processes other than "mir3.dat"
// around a third-party (GPK) kernel hook set, by redirecting that hook set's
// own stubs and one SSDT entry to the pass* routines above. Addresses are
// resolved at run time, but every offset (+6/+7/+13, the service numbers 53
// and 277, the 0x174 process-name offset used by the pass* routines, the
// "push 0" operands) is a constant for one specific OS build; on any other
// build these writes corrupt unrelated code. Whatever routine is registered
// as DriverUnload must undo every write made here and free realapc, or
// unloading leaves kernel code pointing into freed driver memory.
//
// Review notes (documented, not changed here):
//  * No return value is checked. MmGetSystemRoutineAddress or
//    ExAllocatePoolWithTag returning NULL leads straight to a NULL/garbage
//    dereference or write below.
//  * The 0xcc scan that sizes realapc has no upper bound and stops at the
//    first 0xcc byte, which may be an operand byte rather than the padding
//    after the function; the copy also carries unrelocated relative branches.
//  * cli and CR0.WP only affect the current CPU; other CPUs may execute the
//    bytes while they are rewritten. Each patch is one 4-byte store.
//  * addrNtCreateThread is reused with two meanings: first the SSDT[53]
//    target, later (after the second asm block) the ADDRESS of that slot.
//  * 53 and 0x35 are the same service number written two ways.
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)
{
KIRQL Irql;
UNICODE_STRING proname,proname1,proname2;
RtlInitUnicodeString(&proname,L"ObCheckObjectAccess");
RtlInitUnicodeString(&proname1,L"KeAttachProcess");
RtlInitUnicodeString(&proname2,L"KeInitializeApc");
ULONG addrNtCreateThread;
addrNtCreateThread=SSDTIndextoFunAddr(53);                      // current SSDT[53] target (the foreign stub, if installed)
Ntcreateaddr_7=addrNtCreateThread+7;                             // resume point for passCreateThread
Objectaddr=(ULONG)MmGetSystemRoutineAddress(&proname);           // not NULL-checked
SysAttachaddr_6=(ULONG)MmGetSystemRoutineAddress(&proname1)+6;  // resume point for passAttachprocess
Objectaddr_13=(ULONG)MmGetSystemRoutineAddress(&proname)+13;    // resume point for passObject
KeInitializeApcpushaddr=(ULONG)MmGetSystemRoutineAddress(&proname2);
NtWriteaddr=SSDTIndextoFunAddr(277);                             // current SSDT[277] target
ntwriteaddr_7=NtWriteaddr+7;                                     // resume point for passNtwrite
BYTE *p;
p=(BYTE *)(KeInitializeApcpushaddr+6);
int i=0;
while(*p!=0xcc)     // i = number of bytes from KeInitializeApc+6 to the first 0xcc (assumed INT3 padding); unbounded
{
i++;
p++;
}
ULONG mem=0x123;    // pool tag
realapc= (ULONG *)ExAllocatePoolWithTag(NonPagedPool,i+1,mem);  // not NULL-checked; executable copy of kernel code in pool
KeInitializeApcaddr_6=KeInitializeApcpushaddr+6;
KeInitializeApcpushpianyi=*(ULONG *)(KeInitializeApcpushaddr+1);  // dword operand at KeInitializeApc+0: the stub's address
KeInitializeApcpushaddr=*(ULONG *)(KeInitializeApcpushpianyi+1)+5+KeInitializeApcpushpianyi;  // decode the stub's rel32: target = stub + 5 + rel32 (mir3 path of passKeApcIni goes here)
RtlCopyMemory((LONG *)((ULONG)realapc+1),(ULONG *)KeInitializeApcaddr_6,i);  // realapc[1..i] = KeInitializeApc[6..6+i)
p=(BYTE *)realapc;
*(BYTE *)(p)=0x8b;  // realapc[0]: assumed original byte at KeInitializeApc+5, which the stub overwrote
Irql=KeRaiseIrqlToDpcLevel();
__asm // clear CR0.WP so read-only kernel text can be written (this CPU only)
{
cli
mov eax,cr0
and eax,not 10000h //and eax,0FFFEFFFFh
mov cr0,eax
}
_asm   // addrNtCreateThread := ADDRESS of SSDT entry 0x35 (== 53); same lookup as SSDTIndextoFunAddr minus the final load
{
mov eax,KeServiceDescriptorTable
mov eax,[eax]
mov ebx,0x35
shl ebx,2
add eax,ebx
mov addrNtCreateThread,eax
}
//////// ObCheckObjectAccess bypass
// The repeated expression is A = (*(*(Objectaddr+1)+1) + *(Objectaddr+1) + 5) + 4:
// take the dword at ObCheckObjectAccess+1 as the stub address S, decode the
// rel32 at S+1 into H = S + 5 + rel32, and A = H + 4 is the rel32 operand of
// the call at H+3 (per the author's note below, the instruction at A-1 is a call).
PrealObcall=(ULONG *)(((*(ULONG *)(*(ULONG *)(Objectaddr+1)+1)+*(ULONG *)(Objectaddr+1)+5+4))-1);  // A-1: the call's opcode
realObcall=*(ULONG *)((*(ULONG *)(*(ULONG *)(Objectaddr+1)+1)+*(ULONG *)(Objectaddr+1)+5+4));        // its original rel32
realObcallpianyi=realObcall;                                                                          // keep the raw rel32 for restoration
jmpObcall=(ULONG )passObject-((*(ULONG *)(*(ULONG *)(Objectaddr+1)+1)+*(ULONG *)(Objectaddr+1)+5+4))-4;  // rel32 from A+4 to passObject
*(ULONG *)((*(ULONG *)(*(ULONG *)(Objectaddr+1)+1)+*(ULONG *)(Objectaddr+1)+5+4))=jmpObcall;          // patch: the call now reaches passObject
realObcall=realObcall+(ULONG)PrealObcall+5;// absolute address the call originally targeted
//// end
///// NtCreateThread (SSDT entry 53)
realNtCreateThread=*(ULONG *)(*(ULONG *)addrNtCreateThread+1);  // dword at offset 1 of the current SSDT[53] target
*(ULONG *)addrNtCreateThread=(ULONG )passCreateThread;          // SSDT[53] := passCreateThread (previous value recoverable as Ntcreateaddr_7 - 7)
////// NtWrite bypass (SSDT entry 277)*/
realNtWriteaddr=*(ULONG *)(*(ULONG *)(NtWriteaddr+1)+1);        // save the dword at stub+1, stub = dword at NtWriteaddr+1
*(ULONG *)(*(ULONG *)(NtWriteaddr+1)+1)=(ULONG )passNtwrite-*(ULONG *)(NtWriteaddr+1)-5;  // overwrite it with a rel32 to passNtwrite (see passNtwrite's note on the mir3 path)
///
//RtlCopyMemory((LONG *)addr,(LONG *)&jmpcode,1);
//hookaddr=hookaddr-addr-5;
//////// end
//// APC bypass
*(ULONG *)(*(ULONG *)(KeInitializeApcaddr_6-5)+1)=(ULONG )passKeApcIni-(*(ULONG *)(KeInitializeApcaddr_6-5))-5;  // KeInitializeApcaddr_6-5 == KeInitializeApc+1; rewrite the stub's rel32 to reach passKeApcIni
///// APC end
///////// KeAttachProcess
ULONG attachgameaddr;
attachgameaddr=(ULONG)MmGetSystemRoutineAddress(&proname1);// KeAttachProcess (not NULL-checked)
attachgameaddr=*(ULONG *)(attachgameaddr+1);// dword operand at KeAttachProcess+1: the stub's address
realGameAttachaddr=*(ULONG *)(attachgameaddr+1);// save the stub's dword at +1 for restoration
//KdPrint(("restore address is %x",realGameAttachaddr));
*(ULONG *)(attachgameaddr+1)=(ULONG )passAttachprocess-attachgameaddr-5;  // rel32 to passAttachprocess
////
//////// end
// RtlCopyMemory((LONG *)(addr+1),&hookaddr,4);
__asm   // re-enable CR0.WP and interrupts
{
mov eax, cr0
or eax, 10000h
mov cr0, eax
sti
}
KeLowerIrql(Irql);
///*/
DriverObject->DriverUnload=unload;   // registered only after all patches are in place
return STATUS_SUCCESS;
}
#include "windef.h"
// Layout of one system service descriptor table entry (the first entry of
// nt!KeServiceDescriptorTable). Only the first field is consumed in this
// file: SSDTIndextoFunAddr and the inline asm in DriverEntry load it and index
// it as an array of ULONG routine addresses. NumberOfServices is never used,
// so no service index in this file is bounds-checked.
// Note that the typedef names a POINTER to the struct ('*ssdt' below); the
// extern declaration that follows depends on that.
typedef struct _ServiceDescriptorTable {
PVOID ServiceTableBase;        // ULONG[NumberOfServices]: service routine addresses
PVOID ServiceCounterTable;     // unused here
unsigned int NumberOfServices; // unused here (no bounds check anywhere)
PVOID ParamTableBase;          // unused here
}*ssdt;
// nt!KeServiceDescriptorTable, imported from the kernel and declared here as
// a pointer type. The inline asm that reads it (SSDTIndextoFunAddr, the slot
// lookup in DriverEntry) dereferences the symbol's value once more before
// indexing. NOTE(review): that only yields ServiceTableBase when the symbol
// resolves to the import slot (no __declspec(dllimport) is used); with a
// different link model the same asm would index the wrong memory. Confirm
// against a disassembly of the built driver before reusing this on another
// toolchain.
extern "C" ssdt KeServiceDescriptorTable;
// Unused: the only references to jmpcode are in commented-out code. 0xe9 also
// does not fit MSVC's default signed char (truncation warning).
char jmpcode=0xe9;
// Hook bookkeeping shared by DriverEntry (writer), the pass* detours (readers)
// and unload. Names ending in _N hold "routine address + N bytes": the
// instruction boundary at which a detour resumes after replaying the first N
// bytes by hand. "pianyi" (偏移) is used for the address of the 5-byte
// jmp/call whose rel32 operand gets patched.
ULONG Objectaddr;               // ObCheckObjectAccess
ULONG ntwriteaddr_7;            // NtWriteaddr + 7 (resume point for passNtwrite)
ULONG *realapc;                 // pool copy of KeInitializeApc's body from +6 on, with byte 0 forced to 0x8b
LONG Objectaddr_13;             // ObCheckObjectAccess + 13 (declared LONG, unlike its siblings)
ULONG Ntcreateaddr_7;           // (pre-patch SSDT[53] target) + 7 (resume point for passCreateThread)
ULONG realNtCreateThread;       // dword found at offset 1 of the pre-patch SSDT[53] target
ULONG realGameAttachaddr;       // dword saved from the KeAttachProcess stub before it was overwritten
ULONG SysAttachaddr_6;          // KeAttachProcess + 6 (resume point for passAttachprocess)
ULONG realObcall;               // absolute original target of the call DriverEntry redirects to passObject
ULONG realObcallpianyi;         // that call's original raw rel32 (the value a restore must write back)
ULONG jmpObcall;                // rel32 that makes the same call reach passObject
ULONG *PrealObcall;             // address of that call's opcode byte
ULONG KeInitializeApcpushaddr;  // KeInitializeApc at first; after DriverEntry, the final jmp target decoded from its stub
ULONG KeInitializeApcaddr_6;    // KeInitializeApc + 6
ULONG KeInitializeApcpushpianyi;// stub address = dword at KeInitializeApc+1; its rel32 at +1 is patched
ULONG NtWriteaddr;              // pre-patch SSDT[277] target
ULONG realNtWriteaddr;          // dword saved from *(NtWriteaddr+1)+1 before a rel32 was written there
// Returns the routine address stored in entry `index` of the first system
// service table (ServiceTableBase[index]).
// `index` is never validated against NumberOfServices; a bad index reads past
// the table. The values DriverEntry passes (53 and 277) are literal service
// numbers that are specific to one OS build.
// The asm clobbers ebx without saving it; that relies on MSVC's inline-asm
// rule that EAX/EBX/ECX/EDX/ESI/EDI need not be preserved by the programmer.
// NOTE(review): the value of the symbol is dereferenced once more before the
// first field is read; see the comment on the extern declaration.
ULONG SSDTIndextoFunAddr( int index)// returns the start address of the routine at this (decimal) index
{ LONG retaddr;
_asm
{
mov eax,KeServiceDescriptorTable   // eax = value stored at the symbol
mov eax,[eax]                      // eax = first field of the table it points to (ServiceTableBase)
mov ebx,index
shl ebx,2                          // index * sizeof(ULONG)
add eax,ebx                        // eax = &ServiceTableBase[index]
mov eax,[eax]                      // eax = ServiceTableBase[index]
mov retaddr,eax
}
return retaddr;                    // LONG -> ULONG conversion, no value change
}
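// DriverUnload: undo every code patch DriverEntry made, using the values it
// recorded, then release the pool copy of KeInitializeApc's body.
// As originally posted this routine restored nothing (all restore code was
// commented out), so unloading left the patched jmp/call operands and the
// SSDT entry pointing into freed driver memory; the next call through any of
// them crashed the machine.
//
// Remaining caveats that cannot be solved from inside this design:
//  * Nothing counts callers that are still inside a pass* routine or inside
//    realapc. If one is mid-flight when the image is unmapped it faults, so
//    unloading on a busy system is still unsafe, merely less so.
//  * cli and clearing CR0.WP act on the current CPU only. Each restore below
//    is a single aligned 4-byte store, which is the best this layout allows.
//  * The restore values are the ones DriverEntry recorded. DriverUnload is
//    registered only after all patches are in place, so along the normal path
//    they are always populated.
void unload(PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING attachName;
    ULONG attachFn;     // KeAttachProcess
    ULONG attachStub;   // dword operand at KeAttachProcess+1, derived exactly as DriverEntry derives it
    ULONG ssdtSlot;     // address of service table entry 0x35 (== 53)
    KIRQL irql;

    UNREFERENCED_PARAMETER(DriverObject);

    // Resolve before raising IRQL: MmGetSystemRoutineAddress requires PASSIVE_LEVEL.
    RtlInitUnicodeString(&attachName, L"KeAttachProcess");
    attachFn = (ULONG)MmGetSystemRoutineAddress(&attachName);
    attachStub = attachFn ? *(ULONG *)(attachFn + 1) : 0;

    // Same double-indirect lookup DriverEntry used to find the slot it overwrote.
    _asm
    {
        mov eax, KeServiceDescriptorTable
        mov eax, [eax]
        mov ebx, 0x35
        shl ebx, 2
        add eax, ebx
        mov ssdtSlot, eax
    }

    irql = KeRaiseIrqlToDpcLevel();
    __asm   // allow writes to read-only kernel text (this CPU)
    {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }

    // ObCheckObjectAccess: the call whose opcode sits at PrealObcall gets its
    // original rel32 back (realObcallpianyi is the raw value saved before patching).
    *(ULONG *)((ULONG)PrealObcall + 1) = realObcallpianyi;

    // SSDT[53]: DriverEntry recorded the previous target as Ntcreateaddr_7 - 7
    // before pointing the slot at passCreateThread.
    *(ULONG *)ssdtSlot = Ntcreateaddr_7 - 7;

    // NtWrite stub: put back the dword DriverEntry saved from (stub + 1).
    *(ULONG *)(*(ULONG *)(NtWriteaddr + 1) + 1) = realNtWriteaddr;

    // KeInitializeApc stub: DriverEntry decoded target = rel32 + stub + 5 into
    // KeInitializeApcpushaddr, so the original rel32 is target - stub - 5.
    *(ULONG *)(KeInitializeApcpushpianyi + 1) =
        KeInitializeApcpushaddr - KeInitializeApcpushpianyi - 5;

    // KeAttachProcess stub: restore the dword saved in realGameAttachaddr.
    if (attachStub != 0)
        *(ULONG *)(attachStub + 1) = realGameAttachaddr;

    __asm   // re-protect kernel text and re-enable interrupts
    {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }
    KeLowerIrql(irql);

    // Nothing jumps into the relocated copy any more; release it
    // (tag matches the 0x123 DriverEntry allocated with).
    if (realapc != NULL)
    {
        ExFreePoolWithTag(realapc, 0x123);
        realapc = NULL;
    }
    KdPrint(("123"));
}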
// Detour reached through the rel32 that DriverEntry rewrites inside the stub
// found at KeInitializeApc+1 ("pass apc" section). Naked: the compiler emits
// no prologue, so a frame is built by hand around the two C calls below.
//  - current process named "mir3.dat": continue to KeInitializeApcpushaddr,
//    the target the stub originally jumped to (decoded by DriverEntry).
//  - any other process: replay KeInitializeApc's first 5 bytes
//    (mov edi,edi / push ebp / mov ebp,esp) and jump to realapc, the pool copy
//    DriverEntry built of the body (byte 0 forced to 0x8b, then the bytes from
//    KeInitializeApc+6 on), so the stub is skipped entirely.
// Caveats: the 0x174 process-name offset is hard-coded (GetProcessNameOffset
// below is never called); strcmp assumes the name field is NUL-terminated;
// eax/ecx/edx are clobbered by the C calls, which is tolerable only because
// control lands at a function entry point either way.
_declspec (naked) void passKeApcIni()
{
char * curproc;
_asm {
push ebp
mov ebp, esp
sub esp, __LOCAL_SIZE          // space for curproc (MSVC provides __LOCAL_SIZE in naked functions)
}
curproc= (char *)PsGetCurrentProcess()+0x174;   // EPROCESS image-name field at a hard-coded offset
if (strcmp(curproc,"mir3.dat")==0)
{
_asm
{
mov esp, ebp
pop ebp
push KeInitializeApcpushaddr   // push target + retn == indirect jmp
retn
}
}
else
{_asm
{
mov esp, ebp
pop ebp
mov edi,edi                    // replay of the 5 prologue bytes the stub overwrote
push ebp
mov ebp,esp
push realapc                   // continue in the relocated copy of the body
retn
}
}
}
// Installed by DriverEntry directly into SSDT entry 53 (0x35), so it is
// entered exactly as the previous target was; neither path adjusts the
// caller's stack. Naked, hand-built frame.
//  - "mir3.dat": jump to realNtCreateThread, the dword DriverEntry read at
//    offset 1 of the previous SSDT target (whatever that target's first
//    instruction referenced -- presumably the third-party handler).
//  - everyone else: push 28 and 0, then resume 7 bytes into the previous
//    target. The two pushes stand in for the first 7 bytes of that routine
//    as they were before being overwritten; the author marks the second
//    operand "may change", so this is tied to one exact build.
// The 0x174 process-name offset is hard-coded; see GetProcessNameOffset.
_declspec (naked) void passCreateThread()
{
char * curproc;
_asm {
push ebp
mov ebp, esp
sub esp, __LOCAL_SIZE
}
curproc= (char *)PsGetCurrentProcess()+0x174;
if (strcmp(curproc,"mir3.dat")==0)
{
_asm
{
mov esp, ebp
pop ebp
push realNtCreateThread        // indirect jmp to the saved dword
retn
}
}
else
{_asm
{
mov esp, ebp
pop ebp
push 28                        // replayed prologue: first push
push 0// may change            // replayed prologue: second push, operand is build-specific
push Ntcreateaddr_7            // resume at previous target + 7
retn
}
}
}
// Detour reached through the rel32 DriverEntry rewrites in the stub whose
// address is the dword at KeAttachProcess+1. Unlike its siblings it performs
// NO process-name check (that code is commented out below): every caller
// replays KeAttachProcess's first 6 bytes (mov edi,edi / push ebp /
// mov ebp,esp / push esi) and resumes at KeAttachProcess+6, i.e. the stub is
// bypassed for all processes. Naked; since nothing is called, no frame is
// built and no register is disturbed beyond what the replayed prologue does.
_declspec (naked) void passAttachprocess()
{
/* char * curproc;
_asm {
push ebp
mov ebp, esp
sub esp, __LOCAL_SIZE
}
curproc=(char *)PsGetCurrentProcess()+0x174;
{KdPrint(("1111%s ",curproc));//*/
_asm
{
//mov esp, ebp
// pop ebp
mov edi,edi                    // replay of the 6 overwritten prologue bytes
push ebp
mov ebp,esp
push esi
push SysAttachaddr_6// KeAttachProcess + 6: resume in the original body
retn
}
}
// Detour for the SSDT entry 277 hook ("NtWrite" in the author's naming).
// DriverEntry writes a rel32 to this routine at (*(NtWriteaddr+1))+1, i.e.
// one byte into the stub whose address is stored at NtWriteaddr+1.
//  - "mir3.dat": `jmp realNtWriteaddr` is an indirect jump through the
//    global, so it treats the saved dword as an ABSOLUTE address.
//    NOTE(review): DriverEntry replaced that same dword with a rel32
//    (passNtwrite - stub - 5). Both readings cannot be right for one
//    opcode: if the saved value is a displacement this path jumps to garbage;
//    if it is an absolute address the rel32 DriverEntry wrote is wrong.
//    Check the stub's first instruction before trusting the mir3 path.
//  - everyone else: push 0x1c and 0 (second operand marked "may change"),
//    then resume at NtWriteaddr+7, replaying the prologue bytes the stub
//    overwrote and bypassing it. This assumes the stub reached us with a
//    jmp, not a call (no return address is discarded here).
// The if has no else; the second asm block is the fall-through path.
// 0x174 process-name offset hard-coded, as in the other pass* routines.
_declspec (naked) void passNtwrite()
{
char * curproc;
_asm {
// add esp,4
push ebp
mov ebp, esp
sub esp, __LOCAL_SIZE
}
curproc= (char *)PsGetCurrentProcess()+0x174;
if (strcmp(curproc,"mir3.dat")==0)
{
_asm
{
mov esp, ebp
pop ebp
jmp realNtWriteaddr;           // jmp dword ptr [realNtWriteaddr]: absolute, see note above
}
}
//
_asm{
mov esp, ebp
pop ebp
push 0x1c                      // replayed prologue
push 0// may change            // replayed prologue: operand is build-specific
push ntwriteaddr_7             // resume at NtWriteaddr + 7
retn
}
}
// Detour for the ObCheckObjectAccess-side hook. DriverEntry rewrites the
// rel32 of a CALL (opcode at PrealObcall) so that it calls this routine; the
// author's comment "needs to be reached by call" records that a return
// address is on the stack on entry.
//  - "mir3.dat": tail-jump to realObcall, the call's original absolute
//    target, leaving the return address in place so it returns normally.
//  - everyone else: `add esp,4` discards that return address, then the first
//    13 bytes of ObCheckObjectAccess (mov edi,edi / push ebp / mov ebp,esp /
//    sub esp,10h / mov eax,[ebp+8] / push esi / push edi) are replayed and
//    control resumes at ObCheckObjectAccess+13. This only works if the stack
//    at the call site is still the function's original entry frame (nothing
//    pushed between entry and that call), which is assumed, not checked.
// 0x174 process-name offset hard-coded, as in the other pass* routines.
_declspec (naked) void passObject()// must be reached by call (a return address is expected on the stack)
{
char * curproc;
_asm {
// add esp,4
push ebp
mov ebp, esp
sub esp, __LOCAL_SIZE
}
curproc= (char *)PsGetCurrentProcess()+0x174;
if (strcmp(curproc,"mir3.dat")==0)
{
_asm
{
mov esp, ebp
pop ebp
//add esp,4
//push PrealObcall+5
push realObcall                // indirect jmp to the original call target; return address kept
retn
}
}
//
_asm{
mov esp, ebp
pop ebp
add esp,4                      // drop the return address pushed by the patched call
mov edi,edi                    // replay of ObCheckObjectAccess's first 13 bytes
push ebp
mov ebp,esp
sub esp,10h
mov eax,[ebp+8]
push esi
push edi
jmp Objectaddr_13              // jmp dword ptr [Objectaddr_13]: resume at ObCheckObjectAccess + 13
}
}
// Locate the image-name field inside EPROCESS by scanning the current process
// object for the string "System". Only meaningful while the current process
// is the System process (e.g. during DriverEntry). Returns the byte offset at
// which "System" starts, or 0 when it is not found within the first 4096
// bytes (0 is also a legal offset, so callers cannot tell the two apart).
// Not called anywhere in this listing: the pass* routines hard-code 0x174.
DWORD GetProcessNameOffset()
{
    const char *needle = "System";
    const size_t needleLen = strlen(needle);
    PCHAR base = (PCHAR)PsGetCurrentProcess();
    DWORD offset = 0;

    while (offset < 4096)
    {
        if (strncmp(needle, base + offset, needleLen) == 0)
            return offset;
        offset++;
    }
    return 0;
}
// Installs five code patches that route processes other than "mir3.dat"
// around a third-party (GPK) kernel hook set, by redirecting that hook set's
// own stubs and one SSDT entry to the pass* routines above. Addresses are
// resolved at run time, but every offset (+6/+7/+13, the service numbers 53
// and 277, the 0x174 process-name offset used by the pass* routines, the
// "push 0" operands) is a constant for one specific OS build; on any other
// build these writes corrupt unrelated code. Whatever routine is registered
// as DriverUnload must undo every write made here and free realapc, or
// unloading leaves kernel code pointing into freed driver memory.
//
// Review notes (documented, not changed here):
//  * No return value is checked. MmGetSystemRoutineAddress or
//    ExAllocatePoolWithTag returning NULL leads straight to a NULL/garbage
//    dereference or write below.
//  * The 0xcc scan that sizes realapc has no upper bound and stops at the
//    first 0xcc byte, which may be an operand byte rather than the padding
//    after the function; the copy also carries unrelocated relative branches.
//  * cli and CR0.WP only affect the current CPU; other CPUs may execute the
//    bytes while they are rewritten. Each patch is one 4-byte store.
//  * addrNtCreateThread is reused with two meanings: first the SSDT[53]
//    target, later (after the second asm block) the ADDRESS of that slot.
//  * 53 and 0x35 are the same service number written two ways.
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)
{
KIRQL Irql;
UNICODE_STRING proname,proname1,proname2;
RtlInitUnicodeString(&proname,L"ObCheckObjectAccess");
RtlInitUnicodeString(&proname1,L"KeAttachProcess");
RtlInitUnicodeString(&proname2,L"KeInitializeApc");
ULONG addrNtCreateThread;
addrNtCreateThread=SSDTIndextoFunAddr(53);                      // current SSDT[53] target (the foreign stub, if installed)
Ntcreateaddr_7=addrNtCreateThread+7;                             // resume point for passCreateThread
Objectaddr=(ULONG)MmGetSystemRoutineAddress(&proname);           // not NULL-checked
SysAttachaddr_6=(ULONG)MmGetSystemRoutineAddress(&proname1)+6;  // resume point for passAttachprocess
Objectaddr_13=(ULONG)MmGetSystemRoutineAddress(&proname)+13;    // resume point for passObject
KeInitializeApcpushaddr=(ULONG)MmGetSystemRoutineAddress(&proname2);
NtWriteaddr=SSDTIndextoFunAddr(277);                             // current SSDT[277] target
ntwriteaddr_7=NtWriteaddr+7;                                     // resume point for passNtwrite
BYTE *p;
p=(BYTE *)(KeInitializeApcpushaddr+6);
int i=0;
while(*p!=0xcc)     // i = number of bytes from KeInitializeApc+6 to the first 0xcc (assumed INT3 padding); unbounded
{
i++;
p++;
}
ULONG mem=0x123;    // pool tag
realapc= (ULONG *)ExAllocatePoolWithTag(NonPagedPool,i+1,mem);  // not NULL-checked; executable copy of kernel code in pool
KeInitializeApcaddr_6=KeInitializeApcpushaddr+6;
KeInitializeApcpushpianyi=*(ULONG *)(KeInitializeApcpushaddr+1);  // dword operand at KeInitializeApc+0: the stub's address
KeInitializeApcpushaddr=*(ULONG *)(KeInitializeApcpushpianyi+1)+5+KeInitializeApcpushpianyi;  // decode the stub's rel32: target = stub + 5 + rel32 (mir3 path of passKeApcIni goes here)
RtlCopyMemory((LONG *)((ULONG)realapc+1),(ULONG *)KeInitializeApcaddr_6,i);  // realapc[1..i] = KeInitializeApc[6..6+i)
p=(BYTE *)realapc;
*(BYTE *)(p)=0x8b;  // realapc[0]: assumed original byte at KeInitializeApc+5, which the stub overwrote
Irql=KeRaiseIrqlToDpcLevel();
__asm // clear CR0.WP so read-only kernel text can be written (this CPU only)
{
cli
mov eax,cr0
and eax,not 10000h //and eax,0FFFEFFFFh
mov cr0,eax
}
_asm   // addrNtCreateThread := ADDRESS of SSDT entry 0x35 (== 53); same lookup as SSDTIndextoFunAddr minus the final load
{
mov eax,KeServiceDescriptorTable
mov eax,[eax]
mov ebx,0x35
shl ebx,2
add eax,ebx
mov addrNtCreateThread,eax
}
//////// ObCheckObjectAccess bypass
// The repeated expression is A = (*(*(Objectaddr+1)+1) + *(Objectaddr+1) + 5) + 4:
// take the dword at ObCheckObjectAccess+1 as the stub address S, decode the
// rel32 at S+1 into H = S + 5 + rel32, and A = H + 4 is the rel32 operand of
// the call at H+3 (per the author's note below, the instruction at A-1 is a call).
PrealObcall=(ULONG *)(((*(ULONG *)(*(ULONG *)(Objectaddr+1)+1)+*(ULONG *)(Objectaddr+1)+5+4))-1);  // A-1: the call's opcode
realObcall=*(ULONG *)((*(ULONG *)(*(ULONG *)(Objectaddr+1)+1)+*(ULONG *)(Objectaddr+1)+5+4));        // its original rel32
realObcallpianyi=realObcall;                                                                          // keep the raw rel32 for restoration
jmpObcall=(ULONG )passObject-((*(ULONG *)(*(ULONG *)(Objectaddr+1)+1)+*(ULONG *)(Objectaddr+1)+5+4))-4;  // rel32 from A+4 to passObject
*(ULONG *)((*(ULONG *)(*(ULONG *)(Objectaddr+1)+1)+*(ULONG *)(Objectaddr+1)+5+4))=jmpObcall;          // patch: the call now reaches passObject
realObcall=realObcall+(ULONG)PrealObcall+5;// absolute address the call originally targeted
//// end
///// NtCreateThread (SSDT entry 53)
realNtCreateThread=*(ULONG *)(*(ULONG *)addrNtCreateThread+1);  // dword at offset 1 of the current SSDT[53] target
*(ULONG *)addrNtCreateThread=(ULONG )passCreateThread;          // SSDT[53] := passCreateThread (previous value recoverable as Ntcreateaddr_7 - 7)
////// NtWrite bypass (SSDT entry 277)*/
realNtWriteaddr=*(ULONG *)(*(ULONG *)(NtWriteaddr+1)+1);        // save the dword at stub+1, stub = dword at NtWriteaddr+1
*(ULONG *)(*(ULONG *)(NtWriteaddr+1)+1)=(ULONG )passNtwrite-*(ULONG *)(NtWriteaddr+1)-5;  // overwrite it with a rel32 to passNtwrite (see passNtwrite's note on the mir3 path)
///
//RtlCopyMemory((LONG *)addr,(LONG *)&jmpcode,1);
//hookaddr=hookaddr-addr-5;
//////// end
//// APC bypass
*(ULONG *)(*(ULONG *)(KeInitializeApcaddr_6-5)+1)=(ULONG )passKeApcIni-(*(ULONG *)(KeInitializeApcaddr_6-5))-5;  // KeInitializeApcaddr_6-5 == KeInitializeApc+1; rewrite the stub's rel32 to reach passKeApcIni
///// APC end
///////// KeAttachProcess
ULONG attachgameaddr;
attachgameaddr=(ULONG)MmGetSystemRoutineAddress(&proname1);// KeAttachProcess (not NULL-checked)
attachgameaddr=*(ULONG *)(attachgameaddr+1);// dword operand at KeAttachProcess+1: the stub's address
realGameAttachaddr=*(ULONG *)(attachgameaddr+1);// save the stub's dword at +1 for restoration
//KdPrint(("restore address is %x",realGameAttachaddr));
*(ULONG *)(attachgameaddr+1)=(ULONG )passAttachprocess-attachgameaddr-5;  // rel32 to passAttachprocess
////
//////// end
// RtlCopyMemory((LONG *)(addr+1),&hookaddr,4);
__asm   // re-enable CR0.WP and interrupts
{
mov eax, cr0
or eax, 10000h
mov cr0, eax
sti
}
KeLowerIrql(Irql);
///*/
DriverObject->DriverUnload=unload;   // registered only after all patches are in place
return STATUS_SUCCESS;
}