-
-
腾讯游戏安全大赛2024决赛题解
-
发表于: 2024-4-22 00:57
-
决赛打五天,是真的顶级,但是五天比一年学的东西都多...
本题解题附件自取
<!--more-->
Key 和 User 默认读 C:\card.txt,如果找不到或者是错误,那么加载会失败,于是想到 hook NtCreateFile 获取到文件句柄,再 hook NtReadFile 找到文件内容写入的地址。
跟到后面可以找到文件内容(ReadFile第六个参数),在文件内容处下硬件读取断点,可以找到这里文件内容被被写入两个寄存器,随后又写入另外的内存(RCX所指向的内存)。
然后就直接 ret 了,这里将内存窗口转到 RCX 指向的地址,然后程序跳出来。
紧接着给末尾添 0 字节,然后将 r14 与 0x10 比较,小于跳出
这一次输出失败了,于是考虑换长度但是改一个字符,发现在另外的位置写了零字节
在跟的过程中,发现后面的一个内存就是长度
然后接着跟,会跟到一个找 - 的代码
很容易理解,因为 - 就是分隔 user 和 key 的,必然有一个遍历在找 - 的位置,那就直接跳到它找到了 - 的位置,发现有一个大跳转
随后会把 - 所处的地址存入栈中
紧接着跟,发现把User拷贝到下面的内存了
随后将key也写入下方的内存
然后开始循环 key,判断如果 -0x30 是否 >10,应该 key 只能是数字的判断。
于是我在循环这里下了一个软件断点,发现 RDI 会存储当前已遍历的十进制。
例如现在已经遍历到了 405,那么 rdi=0x195=405。
经过数次的循环,
可以发现 RDI=0xF17E203C,就是 4051574844,那么接下来就往下面跟看看跟 User 有什么样的关系。
取出ACE之后算出一个值 0x0000000020450083,最后很 0x1003F 相乘,得到 00000000F17E203D,刚好是题目所给 key 的十六进制表示。
后面通过一定的调试分析,发现一个规律
似乎它会把每一个字符加起来然后 *0x1003F,并且一定是 int。
先验证一遍ACE是否正确
发现果然如此,那么照样子算出 key 为 4007951923。
根据上面的分析,不难写出 keygen 程序
运行即可获得 key 的输出。
有这么几种方法:监控内核线程,在 shellcode 执行的时候拦截,把比较是否相等的代码patch掉。监控文件读写,在读文件的时候,判断如果是目标文件,让它返回正确的结果。
最后还是选择在文件处拦截,然后趁它读文件的时候遍历驱动模块改它代码,上面分析的 imul 关键指令在 Loader.sys+0xafc1c4 的位置
再调试一遍,决出关键一步,找到了 cmp 指令
如图所示的内存分别为实际输入的数值和通过 user 计算得到的key的数值,随后取出相比较,不相等显然跳转到 Fail 分支,因此这里改成 NOP 让它不跳转任意情况下跳转成功。
此时的 sys 基地址为 0xFFFFF806F82D0000,与该指令相减得到 0xa27e 的偏移,只需把这两个字节改成 0x90 即可达到任意的 user key 可以成功加载驱动。
我先使用了hook的方式去劫持,确保劫持的函数没错,再通过修改劫持时机和方式让方法满足要求
可以看到,先加载我写的驱动,后加载题目驱动,无论 user-key 正确与否,都加载成功
于是这里把修改的函数套到文件读取里面去拦截,达到读该文件时遍历模块,找到指定模块则写入指令。
下面是真正的代码(编译文件为XSafe2.sys)
该程序(附件中的XSafe2.sys)先加载,再加载Loader.sys同样可以任意user key加载成功并且不hook任何系统API和文件。
shellcode加载之后,会检测双机调试
但是有一定的延迟,说明是主动检测的不是被动触发的,刚好遇上这个题,猜测是检测了一个调试器标志位。
不过这里感觉是得先确定一下 shellcode 的位置的,因为它带反调,不知道它怎么反调的,突然想到之前一位神仙把蓝屏代码删了导致电脑爆炸,于是我也想效仿一下看看可不可彳亍。
这里去hook KeBugCheckEx,然后直接让它 sleep 一小时,防止它蓝我,我有更多时间可以去分析。
直接拿捏住了蓝屏。
在后面的分析中发现了 GameSec.exe 的内存一直在被读,估计是在搜索进程,然后读取进程的内存,这一部分后面没有分析太出来。
并且在运行的时候发现会读一些 exe 文件的字符串,在 shellcode 开头 + 80 的位置,这里后续没继续分析了。
随后想到去dump shellcode,这里注册回调的方式并不能成功拦截住,因此想到直接去 hook,判断线程起始位置是否在模块范围内,或者说在 Loader.sys 范围内,如果有都输出然后调试器看看内存像不像shellcode,无果,于是选择去跟一下,结果跟到一个类似shellcode的地方(很多浮点指令,看起来像垃圾指令的混淆),dump下来用 010 分析。
通过内存地址的特征可以发现,前八位可以通过 VAD 的方式去获取,后四个位每次加载似乎都是固定的,因此只需要爆破两个字节用一个特征去匹配就行了,这里。
vad.h
先加载 loader 再加载 search,成功输出 shellcode 的地址,特征码匹配前八个字节,在自己的环境只输出了一个地址,如果输出多个地址可以考虑加长特征码。
通过获取到线程结构得到它的线程上下文,输出 RIP 的值应该也行,通过PCHUNTER看到shellcode运行的线程
通过分析可知 shellcode 执行的线程具有如下特点:
与 TID=12 的线程入口相同
保持运行状态
据此可以筛选得到这个线程,通过线程结构体可以找到它的栈
多次运行发现栈中存在 GameSec.exe 这个字符串。并且在它 - 0x28 的位置有一个地址,那个地址前八位和shellcode一致,所以同样可以爆破+特征码匹配。
先运行 Loader.sys,再运行EmurateThread.sys,可以成功输出shellcode的地址。
随后我发现线程结构体中的 TrapFrame 有点东西,通过一段时间的运行之后,发现它的一些寄存器中会带上点东西
这里我选 Rdx,取前8位,暴力搜索4位(65536,可接受范围内)匹配。
先运行 Loader.sys 再运行 Search3.sys,可以直接得到 shellcode 的地址。
观察到 ETHTREAD 结构体中有个指针指向了距离shellcode比较近的位置
获取这个指针的前八位,然后爆破,匹配特征码。
先运行Loader.sys,再运行 Search4.sys,即可获得shellcode的地址。
挂起线程,此时会将线程上下文保存在栈顶中,再去遍历一遍栈,获得RIP指针,这里判断只需要拿 RSP 即可,当 [addr+0x180]-0x400==addr(+0x180是RSP相对于上下文结构体的偏移,0x400是context上下文大小)时,取出 RIP 即可。
先运行 Loader.sys,在运行search5.sys,即可输出shellcode。
#include <ntifs.h>#include <ntdef.h>#include <ntstatus.h>#include <ntddk.h>#define MAX_BACKTRACE_DEPTH 20#define SYMBOL L"\\??\\xia0ji2333"#define kprintf(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, ##__VA_ARGS__)UINT64 BaseAddr=NULL, DLLSize=0;
void DeleteDevice(PDRIVER_OBJECT pDriver) {
kprintf(("Line %d:xia0ji233: start delete device\n"), __LINE__);
if (pDriver->DeviceObject) {
UNICODE_STRING Sym;
RtlInitUnicodeString(&Sym, SYMBOL);//CreateFile
kprintf(("Line %d:xia0ji233: Delete Symbol\n"), __LINE__);
IoDeleteSymbolicLink(&Sym);
kprintf(("Line %d:xia0ji233: Delete Device\n"), __LINE__);
IoDeleteDevice(pDriver->DeviceObject);
}
kprintf(("Line %d:xia0ji233: end delete device\n"), __LINE__);
}HANDLE FileHandler = NULL;
char newcode[] = {
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,//mov rax,xxx
0xFF,0xE0//jmp rax
};char oldcode[] = {
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
};char newcode2[] = {
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,//mov rax,xxx
0xFF,0xE0//jmp rax
};char oldcode2[] = {
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
};char* target;
char* target2;
KIRQL WPOFFx64(){ KIRQL irql = KeRaiseIrqlToDpcLevel();
UINT64 cr0 = __readcr0();
cr0 &= 0xfffffffffffeffff;
__writecr0(cr0);
_disable();
return irql;
}void WPONx64(KIRQL irql)
{ UINT64 cr0 = __readcr0();
cr0 |= 0x10000;
_enable();
__writecr0(cr0);
KeLowerIrql(irql);
}NTSTATUS Unhook() { KIRQL irql = WPOFFx64();
for (int i = 0; i < sizeof(newcode); i++) {
target[i] = oldcode[i];
}
WPONx64(irql);
return STATUS_SUCCESS;
}NTSTATUS Unhook2() { KIRQL irql = WPOFFx64();
for (int i = 0; i < sizeof(newcode2); i++) {
target2[i] = oldcode2[i];
}
WPONx64(irql);
return STATUS_SUCCESS;
}NTSTATUS Hook() { KIRQL irql = WPOFFx64();
for (int i = 0; i < sizeof(newcode); i++) {
target[i] = newcode[i];
}
WPONx64(irql);
return STATUS_SUCCESS;
}NTSTATUS Hook2() { KIRQL irql = WPOFFx64();
for (int i = 0; i < sizeof(newcode2); i++) {
target2[i] = newcode2[i];
}
WPONx64(irql);
return STATUS_SUCCESS;
}PDRIVER_OBJECT g_Object = NULL;typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;//驱动的进入点 DriverEntry
ULONG SizeOfImage;
UNICODE_STRING FullDllName;//驱动的满路径
UNICODE_STRING BaseDllName;//不带路径的驱动名字
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union {
LIST_ENTRY HashLinks;
struct {
PVOID SectionPointer;
ULONG CheckSum;
};
};
union {
struct {
ULONG TimeDateStamp;
};
struct {
PVOID LoadedImports;
};
};
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;typedef NTSTATUS (* FuncPtr) (
_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_ ULONG FileAttributes,
_In_ ULONG ShareAccess,
_In_ ULONG CreateDisposition,
_In_ ULONG CreateOptions,
_In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
_In_ ULONG EaLength
);
typedef NTSTATUS (* FuncPtr2 )(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length) PVOID Buffer,
_In_ ULONG Length,
_In_opt_ PLARGE_INTEGER ByteOffset,
_In_opt_ PULONG Key
);
ULONG myCreateFile(_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_ ULONG FileAttributes,
_In_ ULONG ShareAccess,
_In_ ULONG CreateDisposition,
_In_ ULONG CreateOptions,
_In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
_In_ ULONG EaLength) {
Unhook();
FuncPtr func = (FuncPtr)target;
NTSTATUS s = func(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
if (!wcscmp(ObjectAttributes->ObjectName->Buffer, L"\\??\\C:\\card.txt")) {
kprintf(("call NtCreateFile(%p,%p,%S,%p,%p,%p,%p,%p,%p,%p,%p)\n"), FileHandle,DesiredAccess,ObjectAttributes->ObjectName->Buffer,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
DbgBreakPoint();
FileHandler = *FileHandle;
}
//DbgBreakPoint();
Hook();
return s;
}ULONG myReadFile(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length) PVOID Buffer,
_In_ ULONG Length,
_In_opt_ PLARGE_INTEGER ByteOffset,
_In_opt_ PULONG Key) {
Unhook2();
FuncPtr2 func = (FuncPtr2)target2;
if (FileHandler && FileHandler == FileHandle) {
kprintf(("call NtReadFile(%p,%p,%p,%p,%p,%p,%p,%p,%p)\n"), FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key);
DbgBreakPoint();
FileHandler = 0;
}
//DbgBreakPoint();
NTSTATUS s = func(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key);
Hook2();
return s;
}void DriverUnload(PDRIVER_OBJECT pDriver) {
kprintf(("Line %d:xia0ji233: start unload\n"), __LINE__);
Unhook();
Unhook2();
DeleteDevice(pDriver);
}NTSTATUS DriverEntry( _In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath
) { DriverObject->DriverUnload = DriverUnload;
kprintf(("Line %d:xia0ji233: RegistryPath = %S\n"), __LINE__, RegistryPath->Buffer);
target = NtCreateFile;
target2 = NtReadFile;
kprintf(("Line %d:xia0ji233: NtCreateFile=%p NtReadFile=%p\n"), __LINE__, target,target2);
g_Object = DriverObject;
if (target&&target2) {
for (int i = 0; i < sizeof(oldcode); i++) {
oldcode[i] = target[i];
oldcode2[i] = target2[i];
}
*(UINT64*)(newcode + 2) = myCreateFile;
*(UINT64*)(newcode2 + 2) = myReadFile;
Hook();
Hook2();
}
else {
kprintf(("xia0ji233:hahaha"));
}
return 0;
}#include <ntifs.h>#include <ntdef.h>#include <ntstatus.h>#include <ntddk.h>#define MAX_BACKTRACE_DEPTH 20#define SYMBOL L"\\??\\xia0ji2333"#define kprintf(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, ##__VA_ARGS__)UINT64 BaseAddr=NULL, DLLSize=0;
void DeleteDevice(PDRIVER_OBJECT pDriver) {
kprintf(("Line %d:xia0ji233: start delete device\n"), __LINE__);
if (pDriver->DeviceObject) {
UNICODE_STRING Sym;
RtlInitUnicodeString(&Sym, SYMBOL);//CreateFile
kprintf(("Line %d:xia0ji233: Delete Symbol\n"), __LINE__);
IoDeleteSymbolicLink(&Sym);
kprintf(("Line %d:xia0ji233: Delete Device\n"), __LINE__);
IoDeleteDevice(pDriver->DeviceObject);
}
kprintf(("Line %d:xia0ji233: end delete device\n"), __LINE__);
}HANDLE FileHandler = NULL;
char newcode[] = {
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,//mov rax,xxx
0xFF,0xE0//jmp rax
};char oldcode[] = {
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
};char newcode2[] = {
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,//mov rax,xxx
0xFF,0xE0//jmp rax
};char oldcode2[] = {
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
};char* target;
char* target2;
KIRQL WPOFFx64(){ KIRQL irql = KeRaiseIrqlToDpcLevel();
UINT64 cr0 = __readcr0();
cr0 &= 0xfffffffffffeffff;
__writecr0(cr0);
_disable();
return irql;
}void WPONx64(KIRQL irql)
{ UINT64 cr0 = __readcr0();
cr0 |= 0x10000;
_enable();
__writecr0(cr0);
KeLowerIrql(irql);
}NTSTATUS Unhook() { KIRQL irql = WPOFFx64();
for (int i = 0; i < sizeof(newcode); i++) {
target[i] = oldcode[i];
}
WPONx64(irql);
return STATUS_SUCCESS;
}NTSTATUS Unhook2() { KIRQL irql = WPOFFx64();
for (int i = 0; i < sizeof(newcode2); i++) {
target2[i] = oldcode2[i];
}
WPONx64(irql);
return STATUS_SUCCESS;
}NTSTATUS Hook() { KIRQL irql = WPOFFx64();
for (int i = 0; i < sizeof(newcode); i++) {
target[i] = newcode[i];
}
WPONx64(irql);
return STATUS_SUCCESS;
}NTSTATUS Hook2() { KIRQL irql = WPOFFx64();
for (int i = 0; i < sizeof(newcode2); i++) {
target2[i] = newcode2[i];
}
WPONx64(irql);
return STATUS_SUCCESS;
}PDRIVER_OBJECT g_Object = NULL;typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;//驱动的进入点 DriverEntry
ULONG SizeOfImage;
UNICODE_STRING FullDllName;//驱动的满路径
UNICODE_STRING BaseDllName;//不带路径的驱动名字
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union {
LIST_ENTRY HashLinks;
struct {
PVOID SectionPointer;
ULONG CheckSum;
};
};
union {
struct {
ULONG TimeDateStamp;
};
struct {
PVOID LoadedImports;
};
};
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;typedef NTSTATUS (* FuncPtr) (
_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_ ULONG FileAttributes,
_In_ ULONG ShareAccess,
_In_ ULONG CreateDisposition,
_In_ ULONG CreateOptions,
_In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
_In_ ULONG EaLength
);
typedef NTSTATUS (* FuncPtr2 )(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length) PVOID Buffer,
_In_ ULONG Length,
_In_opt_ PLARGE_INTEGER ByteOffset,
_In_opt_ PULONG Key
);
ULONG myCreateFile(_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_ ULONG FileAttributes,
_In_ ULONG ShareAccess,
_In_ ULONG CreateDisposition,
_In_ ULONG CreateOptions,
_In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
_In_ ULONG EaLength) {
Unhook();
FuncPtr func = (FuncPtr)target;
NTSTATUS s = func(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
if (!wcscmp(ObjectAttributes->ObjectName->Buffer, L"\\??\\C:\\card.txt")) {
kprintf(("call NtCreateFile(%p,%p,%S,%p,%p,%p,%p,%p,%p,%p,%p)\n"), FileHandle,DesiredAccess,ObjectAttributes->ObjectName->Buffer,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
DbgBreakPoint();
FileHandler = *FileHandle;
}
//DbgBreakPoint();
Hook();
return s;
}ULONG myReadFile(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length) PVOID Buffer,
_In_ ULONG Length,
_In_opt_ PLARGE_INTEGER ByteOffset,
_In_opt_ PULONG Key) {
Unhook2();
FuncPtr2 func = (FuncPtr2)target2;
if (FileHandler && FileHandler == FileHandle) {
kprintf(("call NtReadFile(%p,%p,%p,%p,%p,%p,%p,%p,%p)\n"), FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key);
DbgBreakPoint();
FileHandler = 0;
}
//DbgBreakPoint();
NTSTATUS s = func(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key);
Hook2();
return s;
}void DriverUnload(PDRIVER_OBJECT pDriver) {
kprintf(("Line %d:xia0ji233: start unload\n"), __LINE__);
Unhook();
Unhook2();
DeleteDevice(pDriver);
}NTSTATUS DriverEntry( _In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath
) { DriverObject->DriverUnload = DriverUnload;
kprintf(("Line %d:xia0ji233: RegistryPath = %S\n"), __LINE__, RegistryPath->Buffer);
target = NtCreateFile;
target2 = NtReadFile;
kprintf(("Line %d:xia0ji233: NtCreateFile=%p NtReadFile=%p\n"), __LINE__, target,target2);
g_Object = DriverObject;
if (target&&target2) {
for (int i = 0; i < sizeof(oldcode); i++) {
oldcode[i] = target[i];
oldcode2[i] = target2[i];
}
*(UINT64*)(newcode + 2) = myCreateFile;
*(UINT64*)(newcode2 + 2) = myReadFile;
Hook();
Hook2();
}
else {
kprintf(("xia0ji233:hahaha"));
}
return 0;
}#include<stdio.h>#include<string.h>int main(){
char user[]="xia0ji233";
int n=strlen(user);
unsigned key=0;
for(int i=0;i<n;i++){
key=(key+user[i])*0x1003F;
}
printf("%u\n",key);
}#include<stdio.h>#include<string.h>int main(){
char user[]="xia0ji233";
int n=strlen(user);
unsigned key=0;
for(int i=0;i<n;i++){
key=(key+user[i])*0x1003F;
}
printf("%u\n",key);
}#include <ntifs.h>#include <ntdef.h>#include <ntstatus.h>#include <ntddk.h>#define MAX_BACKTRACE_DEPTH 20#define SYMBOL L"\\??\\xia0ji2333"#define kprintf(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, ##__VA_ARGS__)UINT64 BaseAddr=NULL, DLLSize=0;
void DeleteDevice(PDRIVER_OBJECT pDriver) {
kprintf(("Line %d:xia0ji233: start delete device\n"), __LINE__);
if (pDriver->DeviceObject) {
UNICODE_STRING Sym;
RtlInitUnicodeString(&Sym, SYMBOL);//CreateFile
kprintf(("Line %d:xia0ji233: Delete Symbol\n"), __LINE__);
IoDeleteSymbolicLink(&Sym);
kprintf(("Line %d:xia0ji233: Delete Device\n"), __LINE__);
IoDeleteDevice(pDriver->DeviceObject);
}
kprintf(("Line %d:xia0ji233: end delete device\n"), __LINE__);
}HANDLE FileHandler = NULL;
char newcode[] = {
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,//mov rax,xxx
0xFF,0xE0//jmp rax
};char oldcode[] = {
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
};char newcode2[] = {
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,//mov rax,xxx
0xFF,0xE0//jmp rax
};char oldcode2[] = {
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
};char* target;
char* target2;
KIRQL WPOFFx64(){ KIRQL irql = KeRaiseIrqlToDpcLevel();
UINT64 cr0 = __readcr0();
cr0 &= 0xfffffffffffeffff;
__writecr0(cr0);
_disable();
return irql;
}void WPONx64(KIRQL irql)
{ UINT64 cr0 = __readcr0();
cr0 |= 0x10000;
_enable();
__writecr0(cr0);
KeLowerIrql(irql);
}NTSTATUS Unhook() { KIRQL irql = WPOFFx64();
for (int i = 0; i < sizeof(newcode); i++) {
target[i] = oldcode[i];
}
WPONx64(irql);
return STATUS_SUCCESS;
}NTSTATUS Unhook2() { KIRQL irql = WPOFFx64();
for (int i = 0; i < sizeof(newcode2); i++) {
target2[i] = oldcode2[i];
}
WPONx64(irql);
return STATUS_SUCCESS;
}NTSTATUS Hook() { KIRQL irql = WPOFFx64();
for (int i = 0; i < sizeof(newcode); i++) {
target[i] = newcode[i];
}
WPONx64(irql);
return STATUS_SUCCESS;
}NTSTATUS Hook2() { KIRQL irql = WPOFFx64();
for (int i = 0; i < sizeof(newcode2); i++) {
target2[i] = newcode2[i];
}
WPONx64(irql);
return STATUS_SUCCESS;
}PDRIVER_OBJECT g_Object = NULL;typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;//驱动的进入点 DriverEntry
ULONG SizeOfImage;
UNICODE_STRING FullDllName;//驱动的满路径
UNICODE_STRING BaseDllName;//不带路径的驱动名字
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union {
LIST_ENTRY HashLinks;
struct {
PVOID SectionPointer;
ULONG CheckSum;
};
};
union {
struct {
ULONG TimeDateStamp;
};
struct {
PVOID LoadedImports;
};
};
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;typedef NTSTATUS (* FuncPtr) (
_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_ ULONG FileAttributes,
_In_ ULONG ShareAccess,
_In_ ULONG CreateDisposition,
_In_ ULONG CreateOptions,
_In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
_In_ ULONG EaLength
);
typedef NTSTATUS (* FuncPtr2 )(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length) PVOID Buffer,
_In_ ULONG Length,
_In_opt_ PLARGE_INTEGER ByteOffset,
_In_opt_ PULONG Key
);
NTSTATUS EnumerateKernelThreads();typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
ULONG BasePriority;
HANDLE ProcessId;
HANDLE InheritedFromProcessId;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;typedef struct _SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
ULONG Priority;
LONG BasePriority;
ULONG ContextSwitchCount;
LONG State;
LONG WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;typedef enum _SYSTEM_INFORMATION_CLASS {
SystemProcessInformation = 5
} SYSTEM_INFORMATION_CLASS;#define SystemModuleInformation 11ULONG myCreateFile(_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_ ULONG FileAttributes,
_In_ ULONG ShareAccess,
_In_ ULONG CreateDisposition,
_In_ ULONG CreateOptions,
_In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
_In_ ULONG EaLength) {
Unhook();
FuncPtr func = (FuncPtr)target;
NTSTATUS s = func(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
if (!wcscmp(ObjectAttributes->ObjectName->Buffer, L"\\??\\C:\\card.txt")) {
kprintf(("call NtCreateFile(%p,%p,%S,%p,%p,%p,%p,%p,%p,%p,%p)\n"), FileHandle,DesiredAccess,ObjectAttributes->ObjectName->Buffer,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
//DbgBreakPoint();
FileHandler = *FileHandle;
}
//DbgBreakPoint();
Hook();
return s;
}MDLWriteMemory(PVOID pBaseAddress, PVOID pWriteData, SIZE_T writeDataSize)
{ PMDL pMdl = NULL;
PVOID pNewAddress = NULL;
pMdl = MmCreateMdl(NULL, pBaseAddress, writeDataSize);
if (NULL == pMdl)
{
return FALSE;
}
MmBuildMdlForNonPagedPool(pMdl);
pNewAddress = MmMapLockedPages(pMdl, KernelMode);
if (NULL == pNewAddress)
{
IoFreeMdl(pMdl);
}
RtlCopyMemory(pNewAddress, pWriteData, writeDataSize);
MmUnmapLockedPages(pNewAddress, pMdl);
IoFreeMdl(pMdl);
return TRUE;
}VOID PatchInstr()
{ LDR_DATA_TABLE_ENTRY *TE, *Tmp;
TE = (LDR_DATA_TABLE_ENTRY*)g_Object->DriverSection;
PLIST_ENTRY LinkList;
;
int i = 0;
LinkList = TE->InLoadOrderLinks.Flink;
UNICODE_STRING name;
RtlInitUnicodeString(&name,L"Loader.sys");
;
while (LinkList != &TE->InLoadOrderLinks)
{
Tmp = (LDR_DATA_TABLE_ENTRY*)LinkList;
if (RtlEqualUnicodeString(&Tmp->BaseDllName, &name,FALSE)) {
kprintf(("DLLname:%S DLLBase=%p nowcode=%p\n"), Tmp->BaseDllName.Buffer,Tmp->DllBase,(ULONG64)(Tmp->DllBase) + 0xa27e);
char buffer[] = { 0x90,0x90 };
MDLWriteMemory((ULONG64)(Tmp->DllBase) + 0xa27e, buffer, 2);
return;
}
LinkList = LinkList->Flink;
i++;
}
}ULONG myReadFile(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length) PVOID Buffer,
_In_ ULONG Length,
_In_opt_ PLARGE_INTEGER ByteOffset,
_In_opt_ PULONG Key) {
Unhook2();
FuncPtr2 func = (FuncPtr2)target2;
if (FileHandler && FileHandler == FileHandle) {
kprintf(("call NtReadFile(%p,%p,%p,%p,%p,%p,%p,%p,%p)\n"), FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key);
kprintf(("buffer in %p\n"), Buffer);
PatchInstr();
FileHandler = 0;
}
//DbgBreakPoint();
NTSTATUS s = func(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key);
Hook2();
return s;
}void DriverUnload(PDRIVER_OBJECT pDriver) {
kprintf(("Line %d:xia0ji233: start unload\n"), __LINE__);
Unhook();
Unhook2();
DeleteDevice(pDriver);
}NTSTATUS DriverEntry( _In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath
) { DriverObject->DriverUnload = DriverUnload;
kprintf(("Line %d:xia0ji233: RegistryPath = %S\n"), __LINE__, RegistryPath->Buffer);
target = NtCreateFile;
target2 = NtReadFile;
kprintf(("Line %d:xia0ji233: NtCreateFile=%p NtReadFile=%p\n"), __LINE__, target,target2);
g_Object = DriverObject;
if (target&&target2) {
for (int i = 0; i < sizeof(oldcode); i++) {
oldcode[i] = target[i];
oldcode2[i] = target2[i];
}
*(UINT64*)(newcode + 2) = myCreateFile;
*(UINT64*)(newcode2 + 2) = myReadFile;
Hook();
Hook2();
}
else {
kprintf(("xia0ji233:hahaha"));
}
return 0;
}int Filter(ULONG Start)
{ LDR_DATA_TABLE_ENTRY *TE, *Tmp;
TE = (LDR_DATA_TABLE_ENTRY*)g_Object->DriverSection;
PLIST_ENTRY LinkList;
;
int i = 0;
LinkList = TE->InLoadOrderLinks.Flink;
while (LinkList != &TE->InLoadOrderLinks)
{
Tmp = (LDR_DATA_TABLE_ENTRY*)LinkList;
ULONG BASE = Tmp->DllBase;
ULONG Size = Tmp->SizeOfImage;
if (Start >= BASE && Start < BASE + Size) {
return 0;
}
LinkList = LinkList->Flink;
i++;
}
return 1;
}#include <ntifs.h>#include <ntdef.h>#include <ntstatus.h>#include <ntddk.h>#define MAX_BACKTRACE_DEPTH 20#define SYMBOL L"\\??\\xia0ji2333"#define kprintf(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, ##__VA_ARGS__)UINT64 BaseAddr=NULL, DLLSize=0;
void DeleteDevice(PDRIVER_OBJECT pDriver) {
kprintf(("Line %d:xia0ji233: start delete device\n"), __LINE__);
if (pDriver->DeviceObject) {
UNICODE_STRING Sym;
RtlInitUnicodeString(&Sym, SYMBOL);//CreateFile
kprintf(("Line %d:xia0ji233: Delete Symbol\n"), __LINE__);
IoDeleteSymbolicLink(&Sym);
kprintf(("Line %d:xia0ji233: Delete Device\n"), __LINE__);
IoDeleteDevice(pDriver->DeviceObject);
}
kprintf(("Line %d:xia0ji233: end delete device\n"), __LINE__);
}HANDLE FileHandler = NULL;
char newcode[] = {
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,//mov rax,xxx
0xFF,0xE0//jmp rax
};char oldcode[] = {
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
};char newcode2[] = {
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,//mov rax,xxx
0xFF,0xE0//jmp rax
};char oldcode2[] = {
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
};char* target;
char* target2;
KIRQL WPOFFx64(){ KIRQL irql = KeRaiseIrqlToDpcLevel();
UINT64 cr0 = __readcr0();
cr0 &= 0xfffffffffffeffff;
__writecr0(cr0);
_disable();
return irql;
}void WPONx64(KIRQL irql)
{ UINT64 cr0 = __readcr0();
cr0 |= 0x10000;
_enable();
__writecr0(cr0);
KeLowerIrql(irql);
}NTSTATUS Unhook() { KIRQL irql = WPOFFx64();
for (int i = 0; i < sizeof(newcode); i++) {
target[i] = oldcode[i];
}
WPONx64(irql);
return STATUS_SUCCESS;
}NTSTATUS Unhook2() { KIRQL irql = WPOFFx64();
for (int i = 0; i < sizeof(newcode2); i++) {
target2[i] = oldcode2[i];
}
WPONx64(irql);
return STATUS_SUCCESS;
}NTSTATUS Hook() { KIRQL irql = WPOFFx64();
for (int i = 0; i < sizeof(newcode); i++) {
target[i] = newcode[i];
}
WPONx64(irql);
return STATUS_SUCCESS;
}NTSTATUS Hook2() { KIRQL irql = WPOFFx64();
for (int i = 0; i < sizeof(newcode2); i++) {
target2[i] = newcode2[i];
}
WPONx64(irql);
return STATUS_SUCCESS;
}PDRIVER_OBJECT g_Object = NULL;typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;//驱动的进入点 DriverEntry
ULONG SizeOfImage;
UNICODE_STRING FullDllName;//驱动的满路径
UNICODE_STRING BaseDllName;//不带路径的驱动名字
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union {
LIST_ENTRY HashLinks;
struct {
PVOID SectionPointer;
ULONG CheckSum;
};
};
union {
struct {
ULONG TimeDateStamp;
};
struct {
PVOID LoadedImports;
};
};
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;typedef NTSTATUS (* FuncPtr) (
_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_ ULONG FileAttributes,
_In_ ULONG ShareAccess,
_In_ ULONG CreateDisposition,
_In_ ULONG CreateOptions,
_In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
_In_ ULONG EaLength
);
typedef NTSTATUS (* FuncPtr2 )(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length) PVOID Buffer,
_In_ ULONG Length,
_In_opt_ PLARGE_INTEGER ByteOffset,
_In_opt_ PULONG Key
);
NTSTATUS EnumerateKernelThreads();typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
ULONG BasePriority;
HANDLE ProcessId;
HANDLE InheritedFromProcessId;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;typedef struct _SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
ULONG Priority;
LONG BasePriority;
ULONG ContextSwitchCount;
LONG State;
LONG WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;typedef enum _SYSTEM_INFORMATION_CLASS {
SystemProcessInformation = 5
} SYSTEM_INFORMATION_CLASS;#define SystemModuleInformation 11ULONG myCreateFile(_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_ ULONG FileAttributes,
_In_ ULONG ShareAccess,
_In_ ULONG CreateDisposition,
_In_ ULONG CreateOptions,
_In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
_In_ ULONG EaLength) {
Unhook();
FuncPtr func = (FuncPtr)target;
NTSTATUS s = func(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
if (!wcscmp(ObjectAttributes->ObjectName->Buffer, L"\\??\\C:\\card.txt")) {
kprintf(("call NtCreateFile(%p,%p,%S,%p,%p,%p,%p,%p,%p,%p,%p)\n"), FileHandle,DesiredAccess,ObjectAttributes->ObjectName->Buffer,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
//DbgBreakPoint();
FileHandler = *FileHandle;
}
//DbgBreakPoint();
Hook();
return s;
}MDLWriteMemory(PVOID pBaseAddress, PVOID pWriteData, SIZE_T writeDataSize)
{ PMDL pMdl = NULL;
PVOID pNewAddress = NULL;
pMdl = MmCreateMdl(NULL, pBaseAddress, writeDataSize);
if (NULL == pMdl)
{
return FALSE;
}
MmBuildMdlForNonPagedPool(pMdl);
pNewAddress = MmMapLockedPages(pMdl, KernelMode);
if (NULL == pNewAddress)
{
IoFreeMdl(pMdl);
}
RtlCopyMemory(pNewAddress, pWriteData, writeDataSize);
MmUnmapLockedPages(pNewAddress, pMdl);
IoFreeMdl(pMdl);
return TRUE;
}VOID PatchInstr()
{ LDR_DATA_TABLE_ENTRY *TE, *Tmp;
TE = (LDR_DATA_TABLE_ENTRY*)g_Object->DriverSection;
PLIST_ENTRY LinkList;
;
int i = 0;
LinkList = TE->InLoadOrderLinks.Flink;
UNICODE_STRING name;
RtlInitUnicodeString(&name,L"Loader.sys");
;
while (LinkList != &TE->InLoadOrderLinks)
{
Tmp = (LDR_DATA_TABLE_ENTRY*)LinkList;
if (RtlEqualUnicodeString(&Tmp->BaseDllName, &name,FALSE)) {
kprintf(("DLLname:%S DLLBase=%p nowcode=%p\n"), Tmp->BaseDllName.Buffer,Tmp->DllBase,(ULONG64)(Tmp->DllBase) + 0xa27e);
char buffer[] = { 0x90,0x90 };
MDLWriteMemory((ULONG64)(Tmp->DllBase) + 0xa27e, buffer, 2);
return;
}
LinkList = LinkList->Flink;
i++;
}
}ULONG myReadFile(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length) PVOID Buffer,
_In_ ULONG Length,
_In_opt_ PLARGE_INTEGER ByteOffset,
_In_opt_ PULONG Key) {
Unhook2();
FuncPtr2 func = (FuncPtr2)target2;
if (FileHandler && FileHandler == FileHandle) {
kprintf(("call NtReadFile(%p,%p,%p,%p,%p,%p,%p,%p,%p)\n"), FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key);
kprintf(("buffer in %p\n"), Buffer);
PatchInstr();
FileHandler = 0;
}
//DbgBreakPoint();
NTSTATUS s = func(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key);
Hook2();
return s;
}void DriverUnload(PDRIVER_OBJECT pDriver) {
kprintf(("Line %d:xia0ji233: start unload\n"), __LINE__);
Unhook();
Unhook2();
DeleteDevice(pDriver);
}NTSTATUS DriverEntry( _In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath
) { DriverObject->DriverUnload = DriverUnload;
kprintf(("Line %d:xia0ji233: RegistryPath = %S\n"), __LINE__, RegistryPath->Buffer);
target = NtCreateFile;
target2 = NtReadFile;
kprintf(("Line %d:xia0ji233: NtCreateFile=%p NtReadFile=%p\n"), __LINE__, target,target2);
g_Object = DriverObject;
if (target&&target2) {
for (int i = 0; i < sizeof(oldcode); i++) {
oldcode[i] = target[i];
oldcode2[i] = target2[i];
}
*(UINT64*)(newcode + 2) = myCreateFile;
*(UINT64*)(newcode2 + 2) = myReadFile;
Hook();
Hook2();
}
else {
kprintf(("xia0ji233:hahaha"));
}
return 0;
}int Filter(ULONG Start)
{ LDR_DATA_TABLE_ENTRY *TE, *Tmp;
TE = (LDR_DATA_TABLE_ENTRY*)g_Object->DriverSection;
PLIST_ENTRY LinkList;
;
int i = 0;
LinkList = TE->InLoadOrderLinks.Flink;
while (LinkList != &TE->InLoadOrderLinks)
{
Tmp = (LDR_DATA_TABLE_ENTRY*)LinkList;
ULONG BASE = Tmp->DllBase;
ULONG Size = Tmp->SizeOfImage;
if (Start >= BASE && Start < BASE + Size) {
return 0;
}
LinkList = LinkList->Flink;
i++;
}
return 1;
}#include <ntifs.h>#include <ntdef.h>#include <ntstatus.h>#include <ntddk.h>#define kprintf(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, ##__VA_ARGS__)typedef struct _CALLBACK_ENTRY
{ LIST_ENTRY CallbackList;
OB_OPERATION Operations;
ULONG Active;
PVOID Handle;
POBJECT_TYPE ObjectType;
POB_PRE_OPERATION_CALLBACK PreOperation;
POB_POST_OPERATION_CALLBACK PostOperation;
ULONG unknown;
} CALLBACK_ENTRY, *PCALLBACK_ENTRY;typedef struct _LDR_DATA // 24 elements, 0xE0 bytes (sizeof)
{ /*0x000*/ struct _LIST_ENTRY InLoadOrderLinks; // 2 elements, 0x10 bytes (sizeof)
/*0x010*/ struct _LIST_ENTRY InMemoryOrderLinks; // 2 elements, 0x10 bytes (sizeof)
/*0x020*/ struct _LIST_ENTRY InInitializationOrderLinks; // 2 elements, 0x10 bytes (sizeof)
/*0x030*/ VOID* DllBase;
/*0x038*/ VOID* EntryPoint;
/*0x040*/ ULONG32 SizeOfImage;
/*0x044*/ UINT8 _PADDING0_[0x4];
/*0x048*/ struct _UNICODE_STRING FullDllName; // 3 elements, 0x10 bytes (sizeof)
/*0x058*/ struct _UNICODE_STRING BaseDllName; // 3 elements, 0x10 bytes (sizeof)
/*0x068*/ ULONG32 Flags;
/*0x06C*/ UINT16 LoadCount;
/*0x06E*/ UINT16 TlsIndex;
union // 2 elements, 0x10 bytes (sizeof)
{
/*0x070*/ struct _LIST_ENTRY HashLinks; // 2 elements, 0x10 bytes (sizeof)
struct // 2 elements, 0x10 bytes (sizeof)
{
/*0x070*/ VOID* SectionPointer;
/*0x078*/ ULONG32 CheckSum;
/*0x07C*/ UINT8 _PADDING1_[0x4];
};
};
union // 2 elements, 0x8 bytes (sizeof)
{
/*0x080*/ ULONG32 TimeDateStamp;
/*0x080*/ VOID* LoadedImports;
};
/*0x088*/ struct _ACTIVATION_CONTEXT* EntryPointActivationContext;
/*0x090*/ VOID* PatchInformation;
/*0x098*/ struct _LIST_ENTRY ForwarderLinks; // 2 elements, 0x10 bytes (sizeof)
/*0x0A8*/ struct _LIST_ENTRY ServiceTagLinks; // 2 elements, 0x10 bytes (sizeof)
/*0x0B8*/ struct _LIST_ENTRY StaticLinks; // 2 elements, 0x10 bytes (sizeof)
/*0x0C8*/ VOID* ContextInformation;
/*0x0D0*/ UINT64 OriginalBase;
/*0x0D8*/ union _LARGE_INTEGER LoadTime; // 4 elements, 0x8 bytes (sizeof)
}LDR_DATA, *PLDR_DATA;typedef struct _OBJECT_TYPE_INITIALIZER // 25 elements, 0x70 bytes (sizeof)
{ /*0x000*/ UINT16 Length;
union // 2 elements, 0x1 bytes (sizeof)
{
/*0x002*/ UINT8 ObjectTypeFlags;
struct // 7 elements, 0x1 bytes (sizeof)
{
/*0x002*/ UINT8 CaseInsensitive : 1; // 0 BitPosition
/*0x002*/ UINT8 UnnamedObjectsOnly : 1; // 1 BitPosition
/*0x002*/ UINT8 UseDefaultObject : 1; // 2 BitPosition
/*0x002*/ UINT8 SecurityRequired : 1; // 3 BitPosition
/*0x002*/ UINT8 MaintainHandleCount : 1; // 4 BitPosition
/*0x002*/ UINT8 MaintainTypeList : 1; // 5 BitPosition
/*0x002*/ UINT8 SupportsObjectCallbacks : 1; // 6 BitPosition
};
};
/*0x004*/ ULONG32 ObjectTypeCode;
/*0x008*/ ULONG32 InvalidAttributes;
/*0x00C*/ struct _GENERIC_MAPPING GenericMapping; // 4 elements, 0x10 bytes (sizeof)
/*0x01C*/ ULONG32 ValidAccessMask;
/*0x020*/ ULONG32 RetainAccess;
/*0x024*/ enum _POOL_TYPE PoolType;
/*0x028*/ ULONG32 DefaultPagedPoolCharge;
/*0x02C*/ ULONG32 DefaultNonPagedPoolCharge;
/*0x030*/ PVOID DumpProcedure;
/*0x038*/ PVOID OpenProcedure;
/*0x040*/ PVOID CloseProcedure;
/*0x048*/ PVOID DeleteProcedure;
/*0x050*/ PVOID ParseProcedure;
/*0x058*/ PVOID SecurityProcedure;
/*0x060*/ PVOID QueryNameProcedure;
/*0x068*/ PVOID OkayToCloseProcedure;
}OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;typedef struct _EX_PUSH_LOCK // 7 elements, 0x8 bytes (sizeof)
{ union // 3 elements, 0x8 bytes (sizeof)
{
struct // 5 elements, 0x8 bytes (sizeof)
{
/*0x000*/ UINT64 Locked : 1; // 0 BitPosition
/*0x000*/ UINT64 Waiting : 1; // 1 BitPosition
/*0x000*/ UINT64 Waking : 1; // 2 BitPosition
/*0x000*/ UINT64 MultipleShared : 1; // 3 BitPosition
/*0x000*/ UINT64 Shared : 60; // 4 BitPosition
};
/*0x000*/ UINT64 Value;
/*0x000*/ VOID* Ptr;
};
};typedef struct _MY_OBJECT_TYPE // 12 elements, 0xD0 bytes (sizeof)
{ /*0x000*/ struct _LIST_ENTRY TypeList; // 2 elements, 0x10 bytes (sizeof)
/*0x010*/ struct _UNICODE_STRING Name; // 3 elements, 0x10 bytes (sizeof)
/*0x020*/ VOID* DefaultObject;
/*0x028*/ UINT8 Index;
/*0x029*/ UINT8 _PADDING0_[0x3];
/*0x02C*/ ULONG32 TotalNumberOfObjects;
/*0x030*/ ULONG32 TotalNumberOfHandles;
/*0x034*/ ULONG32 HighWaterNumberOfObjects;
/*0x038*/ ULONG32 HighWaterNumberOfHandles;
/*0x03C*/ UINT8 _PADDING1_[0x4];
/*0x040*/ struct _OBJECT_TYPE_INITIALIZER TypeInfo; // 25 elements, 0x70 bytes (sizeof)
/*0x0B0*/ struct _EX_PUSH_LOCK TypeLock; // 7 elements, 0x8 bytes (sizeof)
/*0x0B8*/ ULONG32 Key;
/*0x0BC*/ UINT8 _PADDING2_[0x4];
/*0x0C0*/ struct _LIST_ENTRY CallbackList; // 2 elements, 0x10 bytes (sizeof)
}MY_OBJECT_TYPE, *PMY_OBJECT_TYPE;NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath);VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
NTSTATUS EnumerateKernelThreads();typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
ULONG BasePriority;
HANDLE ProcessId;
HANDLE InheritedFromProcessId;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;typedef struct _SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
ULONG Priority;
LONG BasePriority;
ULONG ContextSwitchCount;
LONG State;
LONG WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;typedef enum _SYSTEM_INFORMATION_CLASS {
SystemProcessInformation = 5
} SYSTEM_INFORMATION_CLASS;#define SystemModuleInformation 11PVOID obHandle;
DRIVER_INITIALIZE DriverEntry;PDRIVER_OBJECT g_Object = NULL;typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;//驱动的进入点 DriverEntry
ULONG SizeOfImage;
UNICODE_STRING FullDllName;//驱动的满路径
UNICODE_STRING BaseDllName;//不带路径的驱动名字
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union {
LIST_ENTRY HashLinks;
struct {
PVOID SectionPointer;
ULONG CheckSum;
};
};
union {
struct {
ULONG TimeDateStamp;
};
struct {
PVOID LoadedImports;
};
};
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;MDLWriteMemory(PVOID pBaseAddress, PVOID pWriteData, SIZE_T writeDataSize)
{ PMDL pMdl = NULL;
PVOID pNewAddress = NULL;
pMdl = MmCreateMdl(NULL, pBaseAddress, writeDataSize);
if (NULL == pMdl)
{
return FALSE;
}
MmBuildMdlForNonPagedPool(pMdl);
pNewAddress = MmMapLockedPages(pMdl, KernelMode);
if (NULL == pNewAddress)
{
IoFreeMdl(pMdl);
}
RtlCopyMemory(pNewAddress, pWriteData, writeDataSize);
MmUnmapLockedPages(pNewAddress, pMdl);
IoFreeMdl(pMdl);
return TRUE;
}VOID PatchInstr()
{ LDR_DATA_TABLE_ENTRY *TE, *Tmp;
TE = (LDR_DATA_TABLE_ENTRY*)g_Object->DriverSection;
PLIST_ENTRY LinkList;
;
int i = 0;
LinkList = TE->InLoadOrderLinks.Flink;
UNICODE_STRING name;
RtlInitUnicodeString(&name,L"Loader.sys");
;
while (LinkList != &TE->InLoadOrderLinks)
{
Tmp = (LDR_DATA_TABLE_ENTRY*)LinkList;
if (RtlEqualUnicodeString(&Tmp->BaseDllName, &name,FALSE)) {
kprintf(("DLLname:%S DLLBase=%p nowcode=%p\n"), Tmp->BaseDllName.Buffer,Tmp->DllBase,(ULONG64)(Tmp->DllBase) + 0xa27e);
char buffer[] = { 0x90,0x90 };
MDLWriteMemory((ULONG64)(Tmp->DllBase) + 0xa27e, buffer, 2);
return;
}
LinkList = LinkList->Flink;
i++;
}
}// 文件回调OB_PREOP_CALLBACK_STATUS FileObjectpreCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
{ UNICODE_STRING DosName;
PFILE_OBJECT fileo = OperationInformation->Object;
HANDLE CurrentProcessId = PsGetCurrentProcessId();
UNREFERENCED_PARAMETER(RegistrationContext);
if (OperationInformation->ObjectType != *IoFileObjectType)
{
return OB_PREOP_SUCCESS;
}
// 过滤无效指针
if (fileo->FileName.Buffer == NULL ||
!MmIsAddressValid(fileo->FileName.Buffer) ||
fileo->DeviceObject == NULL ||
!MmIsAddressValid(fileo->DeviceObject))
{
return OB_PREOP_SUCCESS;
}
// 过滤无效路径
if (!_wcsicmp(fileo->FileName.Buffer, L"\\Endpoint") ||
!_wcsicmp(fileo->FileName.Buffer, L"?") ||
!_wcsicmp(fileo->FileName.Buffer, L"\\.\\.") ||
!_wcsicmp(fileo->FileName.Buffer, L"\\"))
{
return OB_PREOP_SUCCESS;
}
// 将对象转为DOS路径
RtlVolumeDeviceToDosName(fileo->DeviceObject, &DosName);
if (!wcscmp(fileo->FileName.Buffer, L"\\card.txt")) {
PETHREAD pct=PsGetCurrentThread();
PVOID addr=*(ULONG64*)((char*)pct + 0x450);
PatchInstr();
//EnumerateKernelThreads();
DbgBreakPoint();
}
return OB_PREOP_SUCCESS;
}VOID EnableObType(POBJECT_TYPE ObjectType)
{ PMY_OBJECT_TYPE myobtype = (PMY_OBJECT_TYPE)ObjectType;
myobtype->TypeInfo.SupportsObjectCallbacks = 1;
}VOID UnDriver(PDRIVER_OBJECT driver)
{ UNREFERENCED_PARAMETER(driver);
ObUnRegisterCallbacks(obHandle);
}NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath){ NTSTATUS status = STATUS_SUCCESS;
PLDR_DATA ldr;
kprintf(("hello xia0ji233\n"));
g_Object = Driver;
OB_CALLBACK_REGISTRATION obRegFileCallBack;
OB_OPERATION_REGISTRATION opRegFileCallBack;
// enable IoFileObjectType
EnableObType(*IoFileObjectType);
// bypass MmVerifyCallbackFunction
ldr = (PLDR_DATA)Driver->DriverSection;
ldr->Flags |= 0x20;
// 初始化回调
memset(&obRegFileCallBack, 0, sizeof(obRegFileCallBack));
obRegFileCallBack.Version = ObGetFilterVersion();
obRegFileCallBack.OperationRegistrationCount = 1;
obRegFileCallBack.RegistrationContext = NULL;
RtlInitUnicodeString(&obRegFileCallBack.Altitude, L"321000");
obRegFileCallBack.OperationRegistration = &opRegFileCallBack;
memset(&opRegFileCallBack, 0, sizeof(opRegFileCallBack));
opRegFileCallBack.ObjectType = IoFileObjectType;
opRegFileCallBack.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
opRegFileCallBack.PreOperation = (POB_PRE_OPERATION_CALLBACK)&FileObjectpreCall;
status = ObRegisterCallbacks(&obRegFileCallBack, &obHandle);
if (!NT_SUCCESS(status))
{
kprintf(("注册回调错误 \n"));
status = STATUS_UNSUCCESSFUL;
}
UNREFERENCED_PARAMETER(RegistryPath);
Driver->DriverUnload = &UnDriver;
return status;
}#include <ntifs.h>#include <ntdef.h>#include <ntstatus.h>#include <ntddk.h>#define kprintf(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, ##__VA_ARGS__)typedef struct _CALLBACK_ENTRY
{ LIST_ENTRY CallbackList;
OB_OPERATION Operations;
ULONG Active;
PVOID Handle;
POBJECT_TYPE ObjectType;
POB_PRE_OPERATION_CALLBACK PreOperation;
POB_POST_OPERATION_CALLBACK PostOperation;
ULONG unknown;
} CALLBACK_ENTRY, *PCALLBACK_ENTRY;typedef struct _LDR_DATA // 24 elements, 0xE0 bytes (sizeof)
{ /*0x000*/ struct _LIST_ENTRY InLoadOrderLinks; // 2 elements, 0x10 bytes (sizeof)
/*0x010*/ struct _LIST_ENTRY InMemoryOrderLinks; // 2 elements, 0x10 bytes (sizeof)
/*0x020*/ struct _LIST_ENTRY InInitializationOrderLinks; // 2 elements, 0x10 bytes (sizeof)
/*0x030*/ VOID* DllBase;
/*0x038*/ VOID* EntryPoint;
/*0x040*/ ULONG32 SizeOfImage;
/*0x044*/ UINT8 _PADDING0_[0x4];
/*0x048*/ struct _UNICODE_STRING FullDllName; // 3 elements, 0x10 bytes (sizeof)
/*0x058*/ struct _UNICODE_STRING BaseDllName; // 3 elements, 0x10 bytes (sizeof)
/*0x068*/ ULONG32 Flags;
/*0x06C*/ UINT16 LoadCount;
/*0x06E*/ UINT16 TlsIndex;
union // 2 elements, 0x10 bytes (sizeof)
{
/*0x070*/ struct _LIST_ENTRY HashLinks; // 2 elements, 0x10 bytes (sizeof)
struct // 2 elements, 0x10 bytes (sizeof)
{
/*0x070*/ VOID* SectionPointer;
/*0x078*/ ULONG32 CheckSum;
/*0x07C*/ UINT8 _PADDING1_[0x4];
};
};
union // 2 elements, 0x8 bytes (sizeof)
{
/*0x080*/ ULONG32 TimeDateStamp;
/*0x080*/ VOID* LoadedImports;
};
/*0x088*/ struct _ACTIVATION_CONTEXT* EntryPointActivationContext;
/*0x090*/ VOID* PatchInformation;
/*0x098*/ struct _LIST_ENTRY ForwarderLinks; // 2 elements, 0x10 bytes (sizeof)
/*0x0A8*/ struct _LIST_ENTRY ServiceTagLinks; // 2 elements, 0x10 bytes (sizeof)
/*0x0B8*/ struct _LIST_ENTRY StaticLinks; // 2 elements, 0x10 bytes (sizeof)
/*0x0C8*/ VOID* ContextInformation;
/*0x0D0*/ UINT64 OriginalBase;
/*0x0D8*/ union _LARGE_INTEGER LoadTime; // 4 elements, 0x8 bytes (sizeof)
}LDR_DATA, *PLDR_DATA;typedef struct _OBJECT_TYPE_INITIALIZER // 25 elements, 0x70 bytes (sizeof)
{ /*0x000*/ UINT16 Length;
union // 2 elements, 0x1 bytes (sizeof)
{
/*0x002*/ UINT8 ObjectTypeFlags;
struct // 7 elements, 0x1 bytes (sizeof)
{
/*0x002*/ UINT8 CaseInsensitive : 1; // 0 BitPosition
/*0x002*/ UINT8 UnnamedObjectsOnly : 1; // 1 BitPosition
/*0x002*/ UINT8 UseDefaultObject : 1; // 2 BitPosition
/*0x002*/ UINT8 SecurityRequired : 1; // 3 BitPosition
/*0x002*/ UINT8 MaintainHandleCount : 1; // 4 BitPosition
/*0x002*/ UINT8 MaintainTypeList : 1; // 5 BitPosition
/*0x002*/ UINT8 SupportsObjectCallbacks : 1; // 6 BitPosition
};
};
/*0x004*/ ULONG32 ObjectTypeCode;
/*0x008*/ ULONG32 InvalidAttributes;
/*0x00C*/ struct _GENERIC_MAPPING GenericMapping; // 4 elements, 0x10 bytes (sizeof)
/*0x01C*/ ULONG32 ValidAccessMask;
/*0x020*/ ULONG32 RetainAccess;
/*0x024*/ enum _POOL_TYPE PoolType;
/*0x028*/ ULONG32 DefaultPagedPoolCharge;
/*0x02C*/ ULONG32 DefaultNonPagedPoolCharge;
/*0x030*/ PVOID DumpProcedure;
/*0x038*/ PVOID OpenProcedure;
/*0x040*/ PVOID CloseProcedure;
/*0x048*/ PVOID DeleteProcedure;
/*0x050*/ PVOID ParseProcedure;
/*0x058*/ PVOID SecurityProcedure;
/*0x060*/ PVOID QueryNameProcedure;
/*0x068*/ PVOID OkayToCloseProcedure;
}OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;typedef struct _EX_PUSH_LOCK // 7 elements, 0x8 bytes (sizeof)
{ union // 3 elements, 0x8 bytes (sizeof)
{
struct // 5 elements, 0x8 bytes (sizeof)
{
/*0x000*/ UINT64 Locked : 1; // 0 BitPosition
/*0x000*/ UINT64 Waiting : 1; // 1 BitPosition
/*0x000*/ UINT64 Waking : 1; // 2 BitPosition
/*0x000*/ UINT64 MultipleShared : 1; // 3 BitPosition
/*0x000*/ UINT64 Shared : 60; // 4 BitPosition
};
/*0x000*/ UINT64 Value;
/*0x000*/ VOID* Ptr;
};
};typedef struct _MY_OBJECT_TYPE // 12 elements, 0xD0 bytes (sizeof)
{ /*0x000*/ struct _LIST_ENTRY TypeList; // 2 elements, 0x10 bytes (sizeof)
/*0x010*/ struct _UNICODE_STRING Name; // 3 elements, 0x10 bytes (sizeof)
/*0x020*/ VOID* DefaultObject;
/*0x028*/ UINT8 Index;
/*0x029*/ UINT8 _PADDING0_[0x3];
/*0x02C*/ ULONG32 TotalNumberOfObjects;
/*0x030*/ ULONG32 TotalNumberOfHandles;
/*0x034*/ ULONG32 HighWaterNumberOfObjects;
/*0x038*/ ULONG32 HighWaterNumberOfHandles;
/*0x03C*/ UINT8 _PADDING1_[0x4];
/*0x040*/ struct _OBJECT_TYPE_INITIALIZER TypeInfo; // 25 elements, 0x70 bytes (sizeof)
/*0x0B0*/ struct _EX_PUSH_LOCK TypeLock; // 7 elements, 0x8 bytes (sizeof)
/*0x0B8*/ ULONG32 Key;
/*0x0BC*/ UINT8 _PADDING2_[0x4];
/*0x0C0*/ struct _LIST_ENTRY CallbackList; // 2 elements, 0x10 bytes (sizeof)
}MY_OBJECT_TYPE, *PMY_OBJECT_TYPE;NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath);VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
NTSTATUS EnumerateKernelThreads();typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
ULONG BasePriority;
HANDLE ProcessId;
HANDLE InheritedFromProcessId;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;typedef struct _SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
ULONG Priority;
LONG BasePriority;
ULONG ContextSwitchCount;
LONG State;
LONG WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;typedef enum _SYSTEM_INFORMATION_CLASS {
SystemProcessInformation = 5
} SYSTEM_INFORMATION_CLASS;#define SystemModuleInformation 11PVOID obHandle;
DRIVER_INITIALIZE DriverEntry;PDRIVER_OBJECT g_Object = NULL;typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;//驱动的进入点 DriverEntry
ULONG SizeOfImage;
UNICODE_STRING FullDllName;//驱动的满路径
UNICODE_STRING BaseDllName;//不带路径的驱动名字
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union {
LIST_ENTRY HashLinks;
struct {
PVOID SectionPointer;
ULONG CheckSum;
};
};
union {
struct {
ULONG TimeDateStamp;
};
struct {
PVOID LoadedImports;
};
};
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;MDLWriteMemory(PVOID pBaseAddress, PVOID pWriteData, SIZE_T writeDataSize)
{[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
太强了
|
|
|
|
|
|
|
|
|
是的,一般虚拟机是没有这个,真机测试的时候是不能这么操作的,所以得用MDL,但是因为之前用的很多的hook都这么写的,虚拟机也没啥问题就一直懒得改了 |
