2 楼
第二种
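/*
 * Method 2: ask the CrackMeApp dialog to close by posting WM_CLOSE.
 *
 * FindWindow() looks the dialog up by class ("#32770" is the standard
 * dialog class) and caption. PostMessage() only queues the message, so
 * nothing here waits for the dialog to act on it.
 *
 * Fix over the original: the lookup result is checked. With a NULL hWnd
 * PostMessage() behaves like PostThreadMessage() on the caller's own
 * thread, so the old code silently queued WM_CLOSE to itself.
 */
void start(void)
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    if (hWnd == NULL)
        return;
    PostMessage(hWnd, WM_CLOSE, 0, 0);
}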
3 楼
第三种
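/*
 * Method 3: close the dialog through its system menu, synchronously.
 *
 * WM_SYSCOMMAND/SC_CLOSE is what the title-bar close box produces.
 * SendMessage() blocks until the dialog's window procedure has handled
 * it, so a hung target hangs this thread as well (method 5 bounds the
 * wait with SendMessageTimeout()).
 *
 * Fix over the original: the FindWindow() result is checked instead of
 * handing NULL to SendMessage().
 */
void start(void)
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    if (hWnd == NULL)
        return;
    SendMessage(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0);
}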
4 楼
第四种
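/*
 * Method 4: the asynchronous twin of method 3 — queue WM_SYSCOMMAND/SC_CLOSE
 * with PostMessage() and return without waiting for the dialog.
 *
 * Fix over the original: the FindWindow() result is checked; with a NULL
 * hWnd PostMessage() posts to this thread's own queue instead.
 */
void start(void)
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    if (hWnd == NULL)
        return;
    PostMessage(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0);
}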
5 楼
第五种
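/*
 * Method 5: send WM_CLOSE synchronously but with a bounded wait.
 *
 * SendMessageTimeout() with fuFlags 0 (SMTO_NORMAL) and a 1000 ms limit
 * gives up on a non-responsive target instead of hanging this thread the
 * way method 3 would; the result pointer is NULL because the reply value
 * is not needed.
 *
 * Fix over the original: the FindWindow() result is checked.
 */
void start(void)
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    if (hWnd == NULL)
        return;
    SendMessageTimeout(hWnd, WM_CLOSE, 0, 0, 0, 1000, NULL);
}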
6 楼
第六种
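/*
 * Method 6: WM_SYSCOMMAND/SC_CLOSE via SendMessageTimeout() (fuFlags 0 =
 * SMTO_NORMAL, 1000 ms). Same idea as method 5, different message.
 *
 * Fix over the original: the FindWindow() result is checked.
 */
void start(void)
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    if (hWnd == NULL)
        return;
    SendMessageTimeout(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0, 0, 1000, NULL);
}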
7 楼
第七种
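/*
 * Method 7: terminate the thread that owns the dialog.
 *
 * The thread id comes from GetWindowThreadProcessId(). OpenThread() is
 * resolved from kernel32 at run time (the original did this, through inline
 * asm, presumably to build with an SDK whose headers lacked the prototype);
 * a typed function pointer expresses the same call. TerminateThread() runs
 * no cleanup in the target, so the process is left in whatever state that
 * thread had it in.
 *
 * Fixes over the original: every lookup is checked before use, and the
 * thread handle is closed (it used to leak).
 */
void start(void)
{
    typedef HANDLE (WINAPI *OpenThreadFn)(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId);
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    DWORD Pid = 0;
    DWORD Tid;
    OpenThreadFn pOpenThread;
    HANDLE hThread;

    if (hWnd == NULL)
        return;
    Tid = GetWindowThreadProcessId(hWnd, &Pid);
    if (Tid == 0)
        return;
    pOpenThread = (OpenThreadFn)GetProcAddress(GetModuleHandle("kernel32.dll"), "OpenThread");
    if (pOpenThread == NULL)
        return; /* kernel32 without OpenThread (older releases) */
    /* Same arguments the original pushed: access, inherit flag, thread id. */
    hThread = pOpenThread(THREAD_TERMINATE, FALSE, Tid);
    if (hThread == NULL)
        return;
    TerminateThread(hThread, 0);
    CloseHandle(hThread);
}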
8 楼
第八种
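/*
 * Method 8: synthesise Alt+F4 with keybd_event() after bringing the dialog
 * to the foreground.
 *
 * Synthetic keystrokes go to whichever window is in the foreground when
 * they arrive. The original fired them unconditionally; if
 * SetForegroundWindow() was refused (foreground lock), Alt+F4 went to some
 * unrelated window. This version returns unless the switch succeeded, and
 * checks the FindWindow() result.
 */
void start(void)
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    if (hWnd == NULL)
        return;
    SetActiveWindow(hWnd);
    if (!SetForegroundWindow(hWnd))
        return;
    /* Alt down, F4 down, Alt up, F4 up — same order the original used. */
    keybd_event(VK_MENU, 0, 0, 0);
    keybd_event(VK_F4, 0, 0, 0);
    keybd_event(VK_MENU, 0, KEYEVENTF_KEYUP, 0);
    keybd_event(VK_F4, 0, KEYEVENTF_KEYUP, 0);
}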
9 楼
第九种
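/*
 * Method 9: click the dialog's close box with a synthetic mouse event.
 *
 * The cursor is placed 10 px inside the top-right corner of the window
 * rectangle (presumably where the close box of this dialog is), the
 * dialog is brought to the foreground, and a left click is injected.
 *
 * Fixes over the original: FindWindow() and GetWindowRect() results are
 * checked, and the click is skipped when SetForegroundWindow() is refused
 * — otherwise the click lands on whatever else is under the cursor.
 */
void start(void)
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    RECT rc;

    if (hWnd == NULL || !GetWindowRect(hWnd, &rc))
        return;
    SetCursorPos(rc.right - 10, rc.top + 10);
    SetActiveWindow(hWnd);
    if (!SetForegroundWindow(hWnd))
        return;
    Sleep(500); /* give the window switch time to settle before clicking */
    mouse_event(MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0);
    Sleep(10);
    mouse_event(MOUSEEVENTF_LEFTUP, 0, 0, 0, 0);
    Sleep(10);
}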
10 楼
第十种
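/*
 * Method 10: press Escape in the dialog (the default IDCANCEL shortcut).
 *
 * As with method 8 the keystroke goes to the foreground window, so this
 * returns unless SetForegroundWindow() succeeded, and it checks the
 * FindWindow() result; the original did neither.
 */
void start(void)
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    if (hWnd == NULL)
        return;
    SetActiveWindow(hWnd);
    if (!SetForegroundWindow(hWnd))
        return;
    Sleep(200);
    keybd_event(VK_ESCAPE, 0, 0, 0);
    keybd_event(VK_ESCAPE, 0, KEYEVENTF_KEYUP, 0);
}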
11 楼
第十一种方法
#include <windows.h> #pragma comment (linker, "/subsystem:windows") #pragma comment (linker, "/entry:start")
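/*
 * Method 11: suspend the dialog's thread and redirect its instruction
 * pointer to ExitProcess, so the target exits itself when resumed.
 *
 * The original read the address from its own ExitProcess import slot in
 * inline asm; GetProcAddress() yields the same value. Either way the trick
 * relies on kernel32 being mapped at the same base in both processes
 * (true on the pre-ASLR systems this targets). OpenThread() is resolved at
 * run time for the same reason as in method 7.
 *
 * Fixes over the original: every lookup and the suspend/get-context steps
 * are checked, the thread handle is closed, and the redundant second
 * ContextFlags assignment is gone.
 */
void start(void)
{
    typedef HANDLE (WINAPI *OpenThreadFn)(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId);
    HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    DWORD Pid = 0;
    DWORD Tid;
    FARPROC exitProcess;
    OpenThreadFn pOpenThread;
    HANDLE hThread;
    CONTEXT context;

    if (hWnd == NULL)
        return;
    Tid = GetWindowThreadProcessId(hWnd, &Pid);
    if (Tid == 0)
        return;
    exitProcess = GetProcAddress(hKernel32, "ExitProcess");
    pOpenThread = (OpenThreadFn)GetProcAddress(hKernel32, "OpenThread");
    if (exitProcess == NULL || pOpenThread == NULL)
        return;
    hThread = pOpenThread(THREAD_SUSPEND_RESUME | THREAD_GET_CONTEXT | THREAD_SET_CONTEXT, FALSE, Tid);
    if (hThread == NULL)
        return;
    if (SuspendThread(hThread) != (DWORD)-1)
    {
        /* CONTEXT_CONTROL covers Eip; the other register groups are untouched. */
        context.ContextFlags = CONTEXT_CONTROL;
        if (GetThreadContext(hThread, &context))
        {
            context.Eip = (DWORD)exitProcess;
            SetThreadContext(hThread, &context);
        }
        ResumeThread(hThread);
    }
    CloseHandle(hThread);
    /* Wake the dialog so the redirected thread gets scheduled promptly. */
    SetActiveWindow(hWnd);
    SetForegroundWindow(hWnd);
}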
12 楼
裁判检查完上面的我再继续
13 楼
第十二种方法
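/*
 * Method 12: run ExitProcess inside the target via CreateRemoteThread().
 *
 * &ExitProcess is this process's address; it is valid in the target only
 * while kernel32 shares one base across processes (no ASLR). The thread
 * parameter (NULL) becomes ExitProcess's exit code. The access mask is the
 * original's; MSDN lists additional rights for CreateRemoteThread
 * (PROCESS_QUERY_INFORMATION, PROCESS_VM_WRITE, PROCESS_VM_READ) — confirm
 * on the target OS if the call starts failing.
 *
 * Fixes over the original: FindWindow()/pid are checked, and both the
 * process handle and the returned thread handle are closed (both leaked).
 */
void start(void)
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    DWORD Pid = 0;
    HANDLE hProcess;
    HANDLE hThread;

    if (hWnd == NULL)
        return;
    GetWindowThreadProcessId(hWnd, &Pid);
    if (Pid == 0)
        return;
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION, FALSE, Pid);
    if (hProcess == NULL)
        return;
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)&ExitProcess, NULL, 0, NULL);
    if (hThread != NULL)
        CloseHandle(hThread);
    CloseHandle(hProcess);
}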
14 楼
第十三种 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | //cpp
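/*
 * Method 13, injector side: load dll.dll, install its WH_GETMESSAGE hook,
 * give the dialog a moment to pull a message (which runs the hook — and so
 * fk() — inside CrackMeApp's own process), then remove the hook.
 *
 * "dll.dll" is a relative name and is resolved through the normal DLL
 * search order of this process.
 *
 * Fixes over the original: the library was loaded twice and never freed,
 * and both exports were called through raw addresses without checking that
 * the lookups succeeded.
 */
void start(void)
{
    typedef void (*HookFn)(void);
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    HMODULE hDll;
    HookFn doHook;
    HookFn doUnhook;

    if (hWnd == NULL)
        return;
    hDll = LoadLibrary("dll.dll");
    if (hDll == NULL)
        return;
    doHook = (HookFn)GetProcAddress(hDll, "hook");
    doUnhook = (HookFn)GetProcAddress(hDll, "unhook");
    if (doHook != NULL && doUnhook != NULL)
    {
        doHook();
        Sleep(100);
        SetForegroundWindow(hWnd); /* make the dialog's thread process a message */
        Sleep(100);
        doUnhook();
    }
    FreeLibrary(hDll);
}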
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 | //dll
/* Hook handle set by hook() and cleared by unhook(). Only the installing
 * process calls hook(), so in every process this DLL gets injected into
 * the value stays NULL. */
HHOOK h = NULL;
/* This DLL's own module handle, captured in dllmain(); SetWindowsHookEx()
 * needs it to load the DLL into the hooked processes. */
HMODULE b = NULL;
/*
 * Hook-side check, executed inside every process the WH_GETMESSAGE hook
 * reaches: if this process owns the CrackMeApp dialog, exit it from the
 * inside with ExitProcess(0); otherwise do nothing. Note it runs a
 * FindWindow() per hooked message in every GUI process on the desktop.
 */
void fk()
{
    DWORD Pid = 0;
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    GetWindowThreadProcessId(hWnd, &Pid);
    if (Pid != GetCurrentProcessId())
        return;
    ExitProcess(0);
}
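/*
 * WH_GETMESSAGE hook procedure: runs fk() on every message the hooked
 * thread retrieves, then passes the event on.
 *
 * Fixes over the original: a hook procedure has to forward with
 * CallNextHookEx() (the old `return NULL` cut every other WH_GETMESSAGE
 * hook on the desktop off), and for code < 0 it must forward without
 * processing. The hhk argument is ignored by the system, so the NULL `h`
 * in injected processes is fine.
 */
LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam)
{
    if (code >= 0)
        fk();
    return CallNextHookEx(h, code, wParam, lParam);
}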
/*
 * Exported installer: registers GetMsgProc as a system-wide WH_GETMESSAGE
 * hook (dwThreadId 0 = all threads on this desktop), which makes the
 * system map this DLL into every GUI process that next retrieves a
 * message. Stores the hook handle in `h` for unhook(). Requires `b` to
 * have been set by dllmain(), since a global hook needs a module handle.
 */
extern "C" void __declspec(dllexport) hook()
{
    const HHOOK installed = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, b, 0);
    h = installed;
}
/*
 * Exported remover: takes the hook down and forgets the handle. Calling
 * it without a prior hook() just hands NULL to UnhookWindowsHookEx().
 */
extern "C" void _declspec(dllexport) unhook()
{
    const HHOOK current = h;
    h = NULL;
    UnhookWindowsHookEx(current);
}
/*
 * DLL entry: remembers the module handle on process attach for hook().
 *
 * NOTE(review): the system entry point is DllMain (names are
 * case-sensitive); a lowercase `dllmain` only runs if the linker was told
 * /entry:dllmain, as the exe in this thread does for start(). If it never
 * runs, `b` stays NULL and the global hook cannot be installed — confirm
 * the build settings.
 */
BOOL __stdcall dllmain(HMODULE hModule, DWORD ud, LPVOID a)
{
    switch (ud)
    {
    case DLL_PROCESS_ATTACH:
        b = hModule;
        break;
    default:
        break;
    }
    return TRUE;
}
15 楼
第十四种
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | //cpp
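/*
 * Method 14, injector side: same hook installer as method 13 — load
 * dll.dll, install its WH_GETMESSAGE hook, let the dialog process a
 * message so the hook runs inside CrackMeApp, then remove the hook.
 *
 * "dll.dll" is a relative name resolved through this process's DLL
 * search order.
 *
 * Fixes over the original: single LoadLibrary()/FreeLibrary() pair instead
 * of two unbalanced loads, and the exports are checked before being called.
 */
void start(void)
{
    typedef void (*HookFn)(void);
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    HMODULE hDll;
    HookFn doHook;
    HookFn doUnhook;

    if (hWnd == NULL)
        return;
    hDll = LoadLibrary("dll.dll");
    if (hDll == NULL)
        return;
    doHook = (HookFn)GetProcAddress(hDll, "hook");
    doUnhook = (HookFn)GetProcAddress(hDll, "unhook");
    if (doHook != NULL && doUnhook != NULL)
    {
        doHook();
        Sleep(100);
        SetForegroundWindow(hWnd); /* make the dialog's thread process a message */
        Sleep(100);
        doUnhook();
    }
    FreeLibrary(hDll);
}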
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 | //dll
/* Hook handle set by hook() and cleared by unhook(); NULL in every process
 * this DLL is injected into, since only the installer calls hook(). */
HHOOK h = NULL;
/* This DLL's own module handle, captured in dllmain() for SetWindowsHookEx(). */
HMODULE b = NULL;
/*
 * Hook-side check for method 14: inside the process that owns the
 * CrackMeApp dialog, post WM_QUIT to the calling thread's queue with
 * PostQuitMessage(0) — the hook runs on the dialog's own thread, so that
 * ends its message loop. Everywhere else it does nothing.
 */
void fk()
{
    DWORD Pid = 0;
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    GetWindowThreadProcessId(hWnd, &Pid);
    if (Pid != GetCurrentProcessId())
        return;
    PostQuitMessage(0);
}
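/*
 * WH_GETMESSAGE hook procedure: runs fk() for each retrieved message and
 * forwards the event.
 *
 * Fixes over the original: CallNextHookEx() is called (the old `return
 * NULL` silenced every other WH_GETMESSAGE hook), and code < 0 is
 * forwarded without processing as the hook contract requires.
 */
LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam)
{
    if (code >= 0)
        fk();
    return CallNextHookEx(h, code, wParam, lParam);
}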
/*
 * Exported installer: system-wide WH_GETMESSAGE hook (dwThreadId 0 = every
 * thread on this desktop), which maps this DLL into each GUI process.
 * Needs `b` from dllmain(); the handle goes to `h` for unhook().
 */
extern "C" void __declspec(dllexport) hook()
{
    const HHOOK installed = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, b, 0);
    h = installed;
}
/* Exported remover: unhooks and clears `h`. */
extern "C" void _declspec(dllexport) unhook()
{
    const HHOOK current = h;
    h = NULL;
    UnhookWindowsHookEx(current);
}
/*
 * DLL entry: records the module handle on process attach.
 * NOTE(review): the default entry point is DllMain (case-sensitive); this
 * lowercase `dllmain` only runs under /entry:dllmain — otherwise `b` stays
 * NULL and hook() cannot install a global hook. Confirm the build settings.
 */
BOOL __stdcall dllmain(HMODULE hModule, DWORD ud, LPVOID a)
{
    switch (ud)
    {
    case DLL_PROCESS_ATTACH:
        b = hModule;
        break;
    default:
        break;
    }
    return TRUE;
}
16 楼
第十五种
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | //cpp
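/*
 * Method 15, injector side: identical installer to methods 13/14 — load
 * dll.dll, install the WH_GETMESSAGE hook, let the dialog process a
 * message, remove the hook.
 *
 * "dll.dll" is a relative name resolved through this process's DLL
 * search order.
 *
 * Fixes over the original: one LoadLibrary()/FreeLibrary() pair, and the
 * exports are checked before being called.
 */
void start(void)
{
    typedef void (*HookFn)(void);
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    HMODULE hDll;
    HookFn doHook;
    HookFn doUnhook;

    if (hWnd == NULL)
        return;
    hDll = LoadLibrary("dll.dll");
    if (hDll == NULL)
        return;
    doHook = (HookFn)GetProcAddress(hDll, "hook");
    doUnhook = (HookFn)GetProcAddress(hDll, "unhook");
    if (doHook != NULL && doUnhook != NULL)
    {
        doHook();
        Sleep(100);
        SetForegroundWindow(hWnd); /* make the dialog's thread process a message */
        Sleep(100);
        doUnhook();
    }
    FreeLibrary(hDll);
}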
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 | //dll
/* Hook handle set by hook() and cleared by unhook(); NULL in every process
 * this DLL is injected into, since only the installer calls hook(). */
HHOOK h = NULL;
/* This DLL's own module handle, captured in dllmain() for SetWindowsHookEx(). */
HMODULE b = NULL;
/*
 * Hook-side check for method 15: inside the process that owns the
 * CrackMeApp dialog, dismiss it with EndDialog(hWnd, 0). EndDialog has to
 * be called from the dialog's own thread, which is why this runs from a
 * hook rather than from the injector. Elsewhere it does nothing.
 */
void fk()
{
    DWORD Pid = 0;
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    GetWindowThreadProcessId(hWnd, &Pid);
    if (Pid != GetCurrentProcessId())
        return;
    EndDialog(hWnd, 0);
}
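/*
 * WH_GETMESSAGE hook procedure: runs fk() for each retrieved message and
 * forwards the event.
 *
 * Fixes over the original: CallNextHookEx() is called (the old `return
 * NULL` silenced every other WH_GETMESSAGE hook), and code < 0 is
 * forwarded without processing as the hook contract requires.
 */
LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam)
{
    if (code >= 0)
        fk();
    return CallNextHookEx(h, code, wParam, lParam);
}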
/*
 * Exported installer: system-wide WH_GETMESSAGE hook (dwThreadId 0 = every
 * thread on this desktop), which maps this DLL into each GUI process.
 * Needs `b` from dllmain(); the handle goes to `h` for unhook().
 */
extern "C" void __declspec(dllexport) hook()
{
    const HHOOK installed = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, b, 0);
    h = installed;
}
/* Exported remover: unhooks and clears `h`. */
extern "C" void _declspec(dllexport) unhook()
{
    const HHOOK current = h;
    h = NULL;
    UnhookWindowsHookEx(current);
}
/*
 * DLL entry: records the module handle on process attach.
 * NOTE(review): the default entry point is DllMain (case-sensitive); this
 * lowercase `dllmain` only runs under /entry:dllmain — otherwise `b` stays
 * NULL and hook() cannot install a global hook. Confirm the build settings.
 */
BOOL __stdcall dllmain(HMODULE hModule, DWORD ud, LPVOID a)
{
    switch (ud)
    {
    case DLL_PROCESS_ATTACH:
        b = hModule;
        break;
    default:
        break;
    }
    return TRUE;
}
17 楼
第十六种
sys
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 | //shoooo22 .c
/* Hand-written prototypes for two ntoskrnl exports, presumably because the
 * DDK headers this was built against did not declare them.
 * ObOpenObjectByPointer() creates a handle for an already-referenced
 * object; PsLookupProcessByProcessId() returns a referenced EPROCESS that
 * the caller must release with ObDereferenceObject() (MyOpenProcess does). */
NTKERNELAPI
NTSTATUS
ObOpenObjectByPointer(
IN PVOID Object,
IN ULONG HandleAttributes,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PHANDLE Handle
);
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
IN ULONG ulProcId,
OUT PEPROCESS * pEProcess
);
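/*
 * Opens a PROCESS_ALL_ACCESS handle to the process with id PID without
 * going through NtOpenProcess (presumably what CrackMe.sys intercepts).
 *
 * PsLookupProcessByProcessId() yields the EPROCESS; ObOpenObjectByPointer()
 * then creates the handle in the current process — the user-mode caller of
 * the IOCTL. PsProcessType is resolved with MmGetSystemRoutineAddress()
 * rather than linked directly.
 *
 * Risk: PID comes straight from the IOCTL buffer and the device has the
 * default DACL (see DriverEntry), so any local user can obtain a
 * full-access handle to any process through this routine.
 *
 * @param PID      process id to open (unvalidated)
 * @param pHandle  receives the handle on success; untouched otherwise
 * @return the lookup/open status, or STATUS_NOT_FOUND when PsProcessType
 *         cannot be resolved — the original returned success in that case
 *         while leaving *pHandle unwritten.
 */
NTSTATUS MyOpenProcess(ULONG PID, PHANDLE pHandle)
{
    NTSTATUS status;
    PEPROCESS EProcess = NULL;
    HANDLE handle = NULL;
    UNICODE_STRING routineName;
    POBJECT_TYPE *pPsProcessType;

    status = PsLookupProcessByProcessId(PID, &EProcess);
    if (!NT_SUCCESS(status))
        return status;

    RtlInitUnicodeString(&routineName, L"PsProcessType");
    pPsProcessType = (POBJECT_TYPE *)MmGetSystemRoutineAddress(&routineName);
    if (pPsProcessType == NULL)
    {
        status = STATUS_NOT_FOUND;
    }
    else
    {
        status = ObOpenObjectByPointer(EProcess, 0, NULL, PROCESS_ALL_ACCESS, *pPsProcessType, UserMode, &handle);
        if (NT_SUCCESS(status))
            *pHandle = handle;
    }
    /* Balance the reference taken by PsLookupProcessByProcessId(). */
    ObDereferenceObject(EProcess);
    return status;
}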
/*
 * Unload routine: removes the \??\shoooo22 symbolic link, then the device
 * object created in DriverEntry (link first, so no new opens can race the
 * device deletion).
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING symbolicName;

    RtlInitUnicodeString(&symbolicName, L"\\??\\shoooo22");
    IoDeleteSymbolicLink(&symbolicName);
    IoDeleteDevice(pDriverObject->DeviceObject);
}
/* IRP_MJ_CREATE: accept every open unconditionally and complete the IRP. */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);

    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
/* IRP_MJ_CLOSE: nothing to tear down; complete with success. */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);

    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
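/*
 * IRP_MJ_DEVICE_CONTROL handler. One METHOD_BUFFERED IOCTL is served:
 *
 *   0x100   in: ULONG pid   out: HANDLE
 *           MyOpenProcess(pid) -> PROCESS_ALL_ACCESS handle for the caller.
 *
 * Risk: the device object is created without a security descriptor (see
 * DriverEntry), so this path hands a full-access handle to any pid to any
 * local caller — the driver is a local privilege-escalation primitive in
 * its own right. Restricting the device DACL is the mitigation.
 *
 * Fixes over the original: pIrp->IoStatus.Status is written on every path
 * (it was left untouched for unknown control codes), the value returned is
 * the one stored in the IRP as the dispatch contract requires (the original
 * returned STATUS_SUCCESS even for rejected requests), and the buffer
 * length checks use sizeof instead of the literal 4.
 */
NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    PIO_STACK_LOCATION pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
    /* METHOD_BUFFERED: input and output share one system buffer. */
    PVOID SystemBuffer = pIrp->AssociatedIrp.SystemBuffer;
    ULONG InBufferLength = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
    ULONG OutBufferLength = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength;
    NTSTATUS status;
    ULONG_PTR information = 0;

    UNREFERENCED_PARAMETER(pDeviceObject);

    switch (pIrpSp->Parameters.DeviceIoControl.IoControlCode)
    {
    case 0x100:
        if (InBufferLength != sizeof(ULONG) || OutBufferLength != sizeof(HANDLE))
        {
            status = STATUS_INVALID_PARAMETER;
        }
        else
        {
            /* The pid is read before the handle overwrites the same buffer. */
            status = MyOpenProcess(*(PULONG)SystemBuffer, (PHANDLE)SystemBuffer);
            if (NT_SUCCESS(status))
                information = sizeof(HANDLE);
        }
        break;
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = information;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}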
/*
 * Driver entry: creates \Device\shoooo22, links it as \??\shoooo22 and
 * wires up the three dispatch routines plus the unload handler.
 *
 * Hardening note: IoCreateDevice() leaves the device with the default
 * DACL, so every local user can open the device and reach the IOCTLs;
 * IoCreateDeviceSecure() with an SDDL such as SDDL_DEVOBJ_SYS_ALL_ADM_ALL
 * would limit opens to SYSTEM and Administrators.
 * NOTE(review): the DeviceType argument 0x220000 looks like
 * FILE_DEVICE_UNKNOWN (0x22) shifted into CTL_CODE position; IoCreateDevice
 * accepts it, but FILE_DEVICE_UNKNOWN was probably intended.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    UNICODE_STRING deviceName;
    UNICODE_STRING symbolicName;
    PDEVICE_OBJECT pDeviceObject = NULL;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pRegPath);

    RtlInitUnicodeString(&deviceName, L"\\Device\\shoooo22");
    RtlInitUnicodeString(&symbolicName, L"\\??\\shoooo22");

    status = IoCreateDevice(pDriverObject, 0, &deviceName, 0x220000, 0, 0, &pDeviceObject);
    if (!NT_SUCCESS(status))
        return status;

    status = IoCreateSymbolicLink(&symbolicName, &deviceName);
    if (!NT_SUCCESS(status))
    {
        IoDeleteDevice(pDeviceObject);
        return status;
    }

    pDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
    pDriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}
EXE
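/*
 * Method 16, user-mode half: ask the shoooo22 driver (IOCTL 0x100) for a
 * full-access handle to CrackMeApp's process and terminate it with it.
 *
 * Fixes over the original: the window check precedes its use, the
 * DeviceIoControl() result and returned length are checked before the
 * handle is trusted, and the process handle is closed (it leaked).
 */
void start(void)
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    DWORD Pid = 0;
    DWORD bytesReturned = 0;
    HANDLE hFile;
    HANDLE hProcess = NULL;

    if (hWnd == NULL)
        return;
    GetWindowThreadProcessId(hWnd, &Pid);
    hFile = CreateFile("\\\\.\\shoooo22", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return;
    if (DeviceIoControl(hFile, 0x100, &Pid, sizeof(Pid), &hProcess, sizeof(hProcess), &bytesReturned, NULL)
        && bytesReturned == sizeof(hProcess) && hProcess != NULL)
    {
        TerminateProcess(hProcess, 0);
        CloseHandle(hProcess);
    }
    CloseHandle(hFile);
}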
18 楼
第十七种
sys
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 | //shoooo23 .c
/* Hand-declared kernel internals, presumably because the DDK headers in use
 * did not expose them. KAPC_STATE is filled in by KeStackAttachProcess(),
 * so this layout must match the running (32-bit) kernel's — a mismatch
 * corrupts the stack around the apc_state local in MyWriteProcessMemory. */
typedef struct _KAPC_STATE {
LIST_ENTRY ApcListHead[2];
PEPROCESS Process;
BOOLEAN KernelApcInProgress;
BOOLEAN KernelApcPending;
BOOLEAN UserApcPending;
} KAPC_STATE, *PKAPC_STATE;
/* PsLookupProcessByProcessId() returns a referenced EPROCESS; release it
 * with ObDereferenceObject() once detached again. */
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(ULONG ulProcId, PEPROCESS * pEProcess);
NTKERNELAPI void KeStackAttachProcess(PVOID Process, PKAPC_STATE ApcState);
NTKERNELAPI void KeUnstackDetachProcess(PKAPC_STATE ApcState);
//404198 4031BC
/*
 * Attaches to the address space of process PID and stores 0x4031BC at
 * user-mode address 0x404198 there — a fixed one-DWORD patch of CrackMeApp
 * (the two constants are the author's, see the comment above; what they
 * refer to inside the target is not visible here). PID arrives from user
 * mode via IOCTL 0x104 without validation.
 *
 * Returns the PsLookupProcessByProcessId() status. A fault during the
 * write is swallowed by the __except(1) handler, so the caller still sees
 * success in that case. The ULONG-as-pointer cast is 32-bit only.
 */
NTSTATUS MyWriteProcessMemory(ULONG PID)
{
NTSTATUS status;
PEPROCESS EProcess = NULL;
KAPC_STATE apc_state;
ULONG i;
ULONG Address = 0x404198;
status = PsLookupProcessByProcessId(PID, &EProcess);
if (NT_SUCCESS(status))
{
RtlZeroMemory(&apc_state,sizeof(apc_state));
/* From here to the detach, user-mode addresses resolve in PID's space. */
KeStackAttachProcess(EProcess, &apc_state);
__try
{
*(PULONG)Address = 0x4031BC;
}
/* 1 == EXCEPTION_EXECUTE_HANDLER: an unmapped or read-only page is ignored. */
__except(1)
{
}
KeUnstackDetachProcess(&apc_state);
/* Drop the reference PsLookupProcessByProcessId() took. */
ObDereferenceObject(EProcess);
}
return status;
}
/*
 * Unload routine: removes the \??\shoooo23 symbolic link, then the device
 * object created in DriverEntry.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING symbolicName;

    RtlInitUnicodeString(&symbolicName, L"\\??\\shoooo23");
    IoDeleteSymbolicLink(&symbolicName);
    IoDeleteDevice(pDriverObject->DeviceObject);
}
/* IRP_MJ_CREATE: accept every open unconditionally and complete the IRP. */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);

    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
/* IRP_MJ_CLOSE: nothing to tear down; complete with success. */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);

    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
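/*
 * IRP_MJ_DEVICE_CONTROL handler. One METHOD_BUFFERED IOCTL is served:
 *
 *   0x104   in: ULONG pid   out: nothing
 *           MyWriteProcessMemory(pid) — patches a fixed address in that
 *           process.
 *
 * Risk: reachable by every local user (default device DACL, see
 * DriverEntry) and the pid is passed through unvalidated.
 *
 * Fixes over the original: pIrp->IoStatus.Status is written on every path
 * (it was left untouched for unknown control codes), the returned value is
 * the one stored in the IRP as the dispatch contract requires, and the
 * length check uses sizeof instead of the literal 4.
 */
NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    PIO_STACK_LOCATION pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
    PVOID SystemBuffer = pIrp->AssociatedIrp.SystemBuffer; /* METHOD_BUFFERED */
    ULONG InBufferLength = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pDeviceObject);

    switch (pIrpSp->Parameters.DeviceIoControl.IoControlCode)
    {
    case 0x104:
        if (InBufferLength != sizeof(ULONG))
            status = STATUS_INVALID_PARAMETER;
        else
            status = MyWriteProcessMemory(*(PULONG)SystemBuffer);
        break;
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}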
/*
 * Driver entry: creates \Device\shoooo23, links it as \??\shoooo23 and
 * wires up the dispatch routines and unload handler.
 *
 * Hardening note: IoCreateDevice() leaves the device with the default
 * DACL, so every local user can reach the IOCTLs; IoCreateDeviceSecure()
 * with an SDDL such as SDDL_DEVOBJ_SYS_ALL_ADM_ALL would limit opens to
 * SYSTEM and Administrators.
 * NOTE(review): DeviceType 0x220000 looks like FILE_DEVICE_UNKNOWN (0x22)
 * shifted into CTL_CODE position; probably FILE_DEVICE_UNKNOWN was meant.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    UNICODE_STRING deviceName;
    UNICODE_STRING symbolicName;
    PDEVICE_OBJECT pDeviceObject = NULL;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pRegPath);

    RtlInitUnicodeString(&deviceName, L"\\Device\\shoooo23");
    RtlInitUnicodeString(&symbolicName, L"\\??\\shoooo23");

    status = IoCreateDevice(pDriverObject, 0, &deviceName, 0x220000, 0, 0, &pDeviceObject);
    if (!NT_SUCCESS(status))
        return status;

    status = IoCreateSymbolicLink(&symbolicName, &deviceName);
    if (!NT_SUCCESS(status))
    {
        IoDeleteDevice(pDeviceObject);
        return status;
    }

    pDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
    pDriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}
exe
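/*
 * Method 17, user-mode half: hand CrackMeApp's pid to the shoooo23 driver
 * (IOCTL 0x104), which patches a fixed address inside the target, then
 * bring the dialog to the foreground so it runs the patched code.
 *
 * Fixes over the original: the window check precedes its use, and the
 * foreground nudge only happens if DeviceIoControl() reports success.
 */
void start(void)
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    DWORD Pid = 0;
    DWORD bytesReturned = 0;
    HANDLE hFile;

    if (hWnd == NULL)
        return;
    GetWindowThreadProcessId(hWnd, &Pid);
    hFile = CreateFile("\\\\.\\shoooo23", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return;
    if (DeviceIoControl(hFile, 0x104, &Pid, sizeof(Pid), NULL, 0, &bytesReturned, NULL))
        SetForegroundWindow(hWnd);
    CloseHandle(hFile);
}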
19 楼
第十八种
驱动同17楼的 exe
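/*
 * Method 18: obtain a full-access handle from the shoooo22 driver (IOCTL
 * 0x100, as in method 16) and kill the process through a job object —
 * TerminateJobObject() ends every process assigned to the job.
 *
 * Fixes over the original: DeviceIoControl(), CreateJobObject() and
 * AssignProcessToJobObject() results are checked, and the job, process and
 * device handles are all closed (the first two leaked).
 */
void start(void)
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    DWORD Pid = 0;
    DWORD bytesReturned = 0;
    HANDLE hFile;
    HANDLE hProcess = NULL;
    HANDLE hJob;

    if (hWnd == NULL)
        return;
    GetWindowThreadProcessId(hWnd, &Pid);
    hFile = CreateFile("\\\\.\\shoooo22", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return;
    if (DeviceIoControl(hFile, 0x100, &Pid, sizeof(Pid), &hProcess, sizeof(hProcess), &bytesReturned, NULL)
        && bytesReturned == sizeof(hProcess) && hProcess != NULL)
    {
        hJob = CreateJobObject(NULL, NULL);
        if (hJob != NULL)
        {
            if (AssignProcessToJobObject(hJob, hProcess))
                TerminateJobObject(hJob, 0);
            CloseHandle(hJob);
        }
        CloseHandle(hProcess);
    }
    CloseHandle(hFile);
}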
20 楼
第十九种
sys
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 | //shoooo24 .c
/* Hand-declared kernel internals, presumably because the DDK headers in use
 * did not expose them. Nothing in this driver calls the attach/detach
 * routines (FuckPID writes kernel memory directly); the declarations are
 * carried over from shoooo23. If they are used, the KAPC_STATE layout must
 * match the running (32-bit) kernel's. */
typedef struct _KAPC_STATE {
LIST_ENTRY ApcListHead[2];
PEPROCESS Process;
BOOLEAN KernelApcInProgress;
BOOLEAN KernelApcPending;
BOOLEAN UserApcPending;
} KAPC_STATE, *PKAPC_STATE;
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(ULONG ulProcId, PEPROCESS * pEProcess);
NTKERNELAPI void KeStackAttachProcess(PVOID Process, PKAPC_STATE ApcState);
NTKERNELAPI void KeUnstackDetachProcess(PKAPC_STATE ApcState);
/*
 * Zeroes the ULONG at Base + 0x3074. Base is caller-supplied (user mode,
 * via IOCTL 0x108) and is meant to be the load address of CrackMe.sys, so
 * the offset selects a field inside that driver; what the field is cannot
 * be told from here — confirm against the target binary.
 *
 * Risk: the address is not validated in any way (not even
 * MmIsAddressValid()), so a wrong Base bugchecks the machine, and with the
 * device's default DACL any local user can supply one. Always returns
 * STATUS_SUCCESS.
 */
NTSTATUS FuckPID(ULONG Base)
{
    PULONG target = (PULONG)(Base + 0x3074);
    *target = 0;
    return STATUS_SUCCESS;
}
/*
 * Unload routine: removes the \??\shoooo24 symbolic link, then the device
 * object created in DriverEntry.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING symbolicName;

    RtlInitUnicodeString(&symbolicName, L"\\??\\shoooo24");
    IoDeleteSymbolicLink(&symbolicName);
    IoDeleteDevice(pDriverObject->DeviceObject);
}
/* IRP_MJ_CREATE: accept every open unconditionally and complete the IRP. */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);

    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
/* IRP_MJ_CLOSE: nothing to tear down; complete with success. */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);

    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
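/*
 * IRP_MJ_DEVICE_CONTROL handler. One METHOD_BUFFERED IOCTL is served:
 *
 *   0x108   in: ULONG base   out: nothing
 *           FuckPID(base) — zeroes a ULONG at base + 0x3074 in kernel
 *           memory.
 *
 * Risk: this is an unvalidated kernel write keyed by a caller-supplied
 * address, reachable by every local user through the device's default DACL
 * (see DriverEntry).
 *
 * Fixes over the original: pIrp->IoStatus.Status is written on every path
 * (it was left untouched for unknown control codes), the returned value is
 * the one stored in the IRP as the dispatch contract requires, and the
 * length check uses sizeof instead of the literal 4.
 */
NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    PIO_STACK_LOCATION pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
    PVOID SystemBuffer = pIrp->AssociatedIrp.SystemBuffer; /* METHOD_BUFFERED */
    ULONG InBufferLength = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pDeviceObject);

    switch (pIrpSp->Parameters.DeviceIoControl.IoControlCode)
    {
    case 0x108:
        if (InBufferLength != sizeof(ULONG))
            status = STATUS_INVALID_PARAMETER;
        else
            status = FuckPID(*(PULONG)SystemBuffer);
        break;
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}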
/*
 * Driver entry: creates \Device\shoooo24, links it as \??\shoooo24 and
 * wires up the dispatch routines and unload handler.
 *
 * Hardening note: IoCreateDevice() leaves the device with the default
 * DACL, so every local user can reach the IOCTLs; IoCreateDeviceSecure()
 * with an SDDL such as SDDL_DEVOBJ_SYS_ALL_ADM_ALL would limit opens to
 * SYSTEM and Administrators.
 * NOTE(review): DeviceType 0x220000 looks like FILE_DEVICE_UNKNOWN (0x22)
 * shifted into CTL_CODE position; probably FILE_DEVICE_UNKNOWN was meant.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    UNICODE_STRING deviceName;
    UNICODE_STRING symbolicName;
    PDEVICE_OBJECT pDeviceObject = NULL;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pRegPath);

    RtlInitUnicodeString(&deviceName, L"\\Device\\shoooo24");
    RtlInitUnicodeString(&symbolicName, L"\\??\\shoooo24");

    status = IoCreateDevice(pDriverObject, 0, &deviceName, 0x220000, 0, 0, &pDeviceObject);
    if (!NT_SUCCESS(status))
        return status;

    status = IoCreateSymbolicLink(&symbolicName, &deviceName);
    if (!NT_SUCCESS(status))
    {
        IoDeleteDevice(pDeviceObject);
        return status;
    }

    pDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
    pDriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}
exe
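/*
 * Returns the kernel load address of CrackMe.sys, or 0 if it is not loaded
 * or the query fails.
 *
 * Uses ZwQuerySystemInformation(SystemModuleInformation = 0x0B), doubling
 * the buffer while the call returns STATUS_INFO_LENGTH_MISMATCH
 * (0xC0000004). The result is a ULONG record count followed by fixed-size
 * records; the offsets used (0x11C per record, ImageBase at +0x08,
 * FullPathName at +0x1C) are the 32-bit RTL_PROCESS_MODULE_INFORMATION
 * layout, so this only works in a 32-bit process on a 32-bit kernel.
 *
 * Fixes over the original: the buffer is released on every path (it
 * leaked), a failed VirtualAlloc() is handled, a query failure other than
 * length-mismatch no longer leads to parsing an unfilled buffer, the dead
 * second NULL test is gone, and the call goes through a typed function
 * pointer instead of inline asm.
 */
DWORD GetSysBase(void)
{
    typedef LONG (WINAPI *ZwQsiFn)(ULONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
    const ULONG systemModuleInformation = 0x0B;
    const LONG statusInfoLengthMismatch = (LONG)0xC0000004;
    const size_t recordSize = 0x11C;
    const size_t imageBaseOffset = 0x08;
    const size_t fullPathOffset = 0x1C;
    ZwQsiFn query = (ZwQsiFn)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");
    ULONG poolSize = 0x1000;
    char *pool;
    LONG status;
    DWORD base = 0;
    ULONG count;
    ULONG i;

    if (query == NULL)
        return 0;
    for (;;)
    {
        pool = (char *)VirtualAlloc(NULL, poolSize, MEM_COMMIT, PAGE_READWRITE);
        if (pool == NULL)
            return 0;
        status = query(systemModuleInformation, pool, poolSize, NULL);
        if (status != statusInfoLengthMismatch)
            break;
        VirtualFree(pool, 0, MEM_RELEASE);
        poolSize *= 2;
    }
    if (status == 0) /* STATUS_SUCCESS */
    {
        count = *(PULONG)pool;
        for (i = 0; i < count; i++)
        {
            const char *record = pool + sizeof(ULONG) + i * recordSize;
            const char *fullPath = record + fullPathOffset;
            const char *name = strrchr(fullPath, '\\');
            name = (name != NULL) ? name + 1 : fullPath; /* basename of the image path */
            if (_stricmp(name, "CrackMe.sys") == 0)
            {
                base = *(const DWORD *)(record + imageBaseOffset);
                break;
            }
        }
    }
    VirtualFree(pool, 0, MEM_RELEASE);
    return base;
}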
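/*
 * Method 19, user-mode half: locate CrackMe.sys, have the shoooo24 driver
 * zero a field inside it (IOCTL 0x108), then terminate CrackMeApp with an
 * ordinary OpenProcess()/TerminateProcess() pair.
 *
 * Fixes over the original: the kill is only attempted when
 * DeviceIoControl() reports success, OpenProcess() is checked, and the
 * process handle is closed (it leaked).
 */
void start(void)
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    DWORD Pid = 0;
    DWORD base;
    DWORD bytesReturned = 0;
    HANDLE hFile;
    HANDLE hProcess;
    BOOL patched;

    GetWindowThreadProcessId(hWnd, &Pid);
    if (Pid == 0)
        return;
    base = GetSysBase();
    if (base == 0)
        return;
    hFile = CreateFile("\\\\.\\shoooo24", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return;
    patched = DeviceIoControl(hFile, 0x108, &base, sizeof(base), NULL, 0, &bytesReturned, NULL);
    CloseHandle(hFile);
    if (!patched)
        return;
    hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, Pid);
    if (hProcess != NULL)
    {
        TerminateProcess(hProcess, 0);
        CloseHandle(hProcess);
    }
}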
21 楼
第二十种
驱动和第十九种shoooo24.sys一样
exe
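/*
 * Returns the kernel load address of CrackMe.sys, or 0 if it is not loaded
 * or the query fails. Same routine as in method 19.
 *
 * Uses ZwQuerySystemInformation(SystemModuleInformation = 0x0B), doubling
 * the buffer while the call returns STATUS_INFO_LENGTH_MISMATCH
 * (0xC0000004). The offsets used (0x11C per record, ImageBase at +0x08,
 * FullPathName at +0x1C) are the 32-bit RTL_PROCESS_MODULE_INFORMATION
 * layout, so this only works in a 32-bit process on a 32-bit kernel.
 *
 * Fixes over the original: the buffer is released on every path, a failed
 * VirtualAlloc() is handled, a query failure other than length-mismatch no
 * longer leads to parsing an unfilled buffer, the dead second NULL test is
 * gone, and the call goes through a typed function pointer instead of
 * inline asm.
 */
DWORD GetSysBase(void)
{
    typedef LONG (WINAPI *ZwQsiFn)(ULONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
    const ULONG systemModuleInformation = 0x0B;
    const LONG statusInfoLengthMismatch = (LONG)0xC0000004;
    const size_t recordSize = 0x11C;
    const size_t imageBaseOffset = 0x08;
    const size_t fullPathOffset = 0x1C;
    ZwQsiFn query = (ZwQsiFn)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");
    ULONG poolSize = 0x1000;
    char *pool;
    LONG status;
    DWORD base = 0;
    ULONG count;
    ULONG i;

    if (query == NULL)
        return 0;
    for (;;)
    {
        pool = (char *)VirtualAlloc(NULL, poolSize, MEM_COMMIT, PAGE_READWRITE);
        if (pool == NULL)
            return 0;
        status = query(systemModuleInformation, pool, poolSize, NULL);
        if (status != statusInfoLengthMismatch)
            break;
        VirtualFree(pool, 0, MEM_RELEASE);
        poolSize *= 2;
    }
    if (status == 0) /* STATUS_SUCCESS */
    {
        count = *(PULONG)pool;
        for (i = 0; i < count; i++)
        {
            const char *record = pool + sizeof(ULONG) + i * recordSize;
            const char *fullPath = record + fullPathOffset;
            const char *name = strrchr(fullPath, '\\');
            name = (name != NULL) ? name + 1 : fullPath; /* basename of the image path */
            if (_stricmp(name, "CrackMe.sys") == 0)
            {
                base = *(const DWORD *)(record + imageBaseOffset);
                break;
            }
        }
    }
    VirtualFree(pool, 0, MEM_RELEASE);
    return base;
}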
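/*
 * Method 20, user-mode half: after the shoooo24 patch (IOCTL 0x108, as in
 * method 19), attach to CrackMeApp as a debugger and exit. With the
 * default kill-on-exit debugger setting, the debuggee is terminated when
 * its debugger goes away, so ExitProcess(0) does the kill.
 *
 * Fixes over the original: the unused hProcess local is gone and the
 * debugger step is skipped when DeviceIoControl() reports failure
 * (ExitProcess() is still reached either way, as before).
 */
void start(void)
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    DWORD Pid = 0;
    DWORD base;
    DWORD bytesReturned = 0;
    HANDLE hFile;
    BOOL patched;

    GetWindowThreadProcessId(hWnd, &Pid);
    if (Pid == 0)
        return;
    base = GetSysBase();
    if (base == 0)
        return;
    hFile = CreateFile("\\\\.\\shoooo24", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return;
    patched = DeviceIoControl(hFile, 0x108, &base, sizeof(base), NULL, 0, &bytesReturned, NULL);
    CloseHandle(hFile);
    if (patched)
        DebugActiveProcess(Pid);
    ExitProcess(0);
}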
22 楼
第二十一种
sys
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 | //shoooo25 .c
/* Hand-declared kernel internals, presumably because the DDK headers in use
 * did not expose them. Nothing in this driver calls the attach/detach
 * routines (UnhookSSDT only makes a call into CrackMe.sys); the
 * declarations are carried over from shoooo23. If they are used, the
 * KAPC_STATE layout must match the running (32-bit) kernel's. */
typedef struct _KAPC_STATE {
LIST_ENTRY ApcListHead[2];
PEPROCESS Process;
BOOLEAN KernelApcInProgress;
BOOLEAN KernelApcPending;
BOOLEAN UserApcPending;
} KAPC_STATE, *PKAPC_STATE;
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(ULONG ulProcId, PEPROCESS * pEProcess);
NTKERNELAPI void KeStackAttachProcess(PVOID Process, PKAPC_STATE ApcState);
NTKERNELAPI void KeUnstackDetachProcess(PKAPC_STATE ApcState);
/*
 * Calls the routine at Base + 0x1810 with no arguments. Base arrives from
 * user mode (IOCTL 0x10C) and is meant to be the load address of
 * CrackMe.sys, so the offset selects a routine inside that driver —
 * judging by the name, its own SSDT-restore code, though that cannot be
 * confirmed from here.
 *
 * Risk: neither Base nor the offset is validated, so a wrong value
 * transfers kernel control to an arbitrary address, and with the device's
 * default DACL any local user can supply one. Always returns
 * STATUS_SUCCESS.
 */
NTSTATUS UnhookSSDT(ULONG Base)
{
ULONG Address;
Address = Base + 0x1810;
/* Bare call: nothing is pushed and nothing cleaned up afterwards, so the
 * callee must take no arguments (cdecl with none, or stdcall with none). */
__asm call Address
return STATUS_SUCCESS;
}
/*
 * Unload routine: removes the \??\shoooo25 symbolic link, then the device
 * object created in DriverEntry.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING symbolicName;

    RtlInitUnicodeString(&symbolicName, L"\\??\\shoooo25");
    IoDeleteSymbolicLink(&symbolicName);
    IoDeleteDevice(pDriverObject->DeviceObject);
}
/* IRP_MJ_CREATE: accept every open unconditionally and complete the IRP. */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);

    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
/* IRP_MJ_CLOSE: nothing to tear down; complete with success. */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);

    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
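/*
 * IRP_MJ_DEVICE_CONTROL handler. One METHOD_BUFFERED IOCTL is served:
 *
 *   0x10C   in: ULONG base   out: nothing
 *           UnhookSSDT(base) — calls into base + 0x1810 in kernel mode.
 *
 * Risk: this is a kernel call to a caller-chosen address, reachable by
 * every local user through the device's default DACL (see DriverEntry).
 *
 * Fixes over the original: pIrp->IoStatus.Status is written on every path
 * (it was left untouched for unknown control codes), the returned value is
 * the one stored in the IRP as the dispatch contract requires, and the
 * length check uses sizeof instead of the literal 4.
 */
NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    PIO_STACK_LOCATION pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
    PVOID SystemBuffer = pIrp->AssociatedIrp.SystemBuffer; /* METHOD_BUFFERED */
    ULONG InBufferLength = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pDeviceObject);

    switch (pIrpSp->Parameters.DeviceIoControl.IoControlCode)
    {
    case 0x10C:
        if (InBufferLength != sizeof(ULONG))
            status = STATUS_INVALID_PARAMETER;
        else
            status = UnhookSSDT(*(PULONG)SystemBuffer);
        break;
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}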
/*
 * Driver entry: creates \Device\shoooo25, links it as \??\shoooo25 and
 * wires up the dispatch routines and unload handler.
 *
 * Hardening note: IoCreateDevice() leaves the device with the default
 * DACL, so every local user can reach the IOCTLs; IoCreateDeviceSecure()
 * with an SDDL such as SDDL_DEVOBJ_SYS_ALL_ADM_ALL would limit opens to
 * SYSTEM and Administrators.
 * NOTE(review): DeviceType 0x220000 looks like FILE_DEVICE_UNKNOWN (0x22)
 * shifted into CTL_CODE position; probably FILE_DEVICE_UNKNOWN was meant.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    UNICODE_STRING deviceName;
    UNICODE_STRING symbolicName;
    PDEVICE_OBJECT pDeviceObject = NULL;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pRegPath);

    RtlInitUnicodeString(&deviceName, L"\\Device\\shoooo25");
    RtlInitUnicodeString(&symbolicName, L"\\??\\shoooo25");

    status = IoCreateDevice(pDriverObject, 0, &deviceName, 0x220000, 0, 0, &pDeviceObject);
    if (!NT_SUCCESS(status))
        return status;

    status = IoCreateSymbolicLink(&symbolicName, &deviceName);
    if (!NT_SUCCESS(status))
    {
        IoDeleteDevice(pDeviceObject);
        return status;
    }

    pDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
    pDriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}
exe
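/*
 * Returns the kernel load address of CrackMe.sys, or 0 if it is not loaded
 * or the query fails. Same routine as in methods 19 and 20.
 *
 * Uses ZwQuerySystemInformation(SystemModuleInformation = 0x0B), doubling
 * the buffer while the call returns STATUS_INFO_LENGTH_MISMATCH
 * (0xC0000004). The offsets used (0x11C per record, ImageBase at +0x08,
 * FullPathName at +0x1C) are the 32-bit RTL_PROCESS_MODULE_INFORMATION
 * layout, so this only works in a 32-bit process on a 32-bit kernel.
 *
 * Fixes over the original: the buffer is released on every path, a failed
 * VirtualAlloc() is handled, a query failure other than length-mismatch no
 * longer leads to parsing an unfilled buffer, the dead second NULL test is
 * gone, and the call goes through a typed function pointer instead of
 * inline asm.
 */
DWORD GetSysBase(void)
{
    typedef LONG (WINAPI *ZwQsiFn)(ULONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
    const ULONG systemModuleInformation = 0x0B;
    const LONG statusInfoLengthMismatch = (LONG)0xC0000004;
    const size_t recordSize = 0x11C;
    const size_t imageBaseOffset = 0x08;
    const size_t fullPathOffset = 0x1C;
    ZwQsiFn query = (ZwQsiFn)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");
    ULONG poolSize = 0x1000;
    char *pool;
    LONG status;
    DWORD base = 0;
    ULONG count;
    ULONG i;

    if (query == NULL)
        return 0;
    for (;;)
    {
        pool = (char *)VirtualAlloc(NULL, poolSize, MEM_COMMIT, PAGE_READWRITE);
        if (pool == NULL)
            return 0;
        status = query(systemModuleInformation, pool, poolSize, NULL);
        if (status != statusInfoLengthMismatch)
            break;
        VirtualFree(pool, 0, MEM_RELEASE);
        poolSize *= 2;
    }
    if (status == 0) /* STATUS_SUCCESS */
    {
        count = *(PULONG)pool;
        for (i = 0; i < count; i++)
        {
            const char *record = pool + sizeof(ULONG) + i * recordSize;
            const char *fullPath = record + fullPathOffset;
            const char *name = strrchr(fullPath, '\\');
            name = (name != NULL) ? name + 1 : fullPath; /* basename of the image path */
            if (_stricmp(name, "CrackMe.sys") == 0)
            {
                base = *(const DWORD *)(record + imageBaseOffset);
                break;
            }
        }
    }
    VirtualFree(pool, 0, MEM_RELEASE);
    return base;
}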
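/*
 * Method 21, user-mode half: locate CrackMe.sys, have the shoooo25 driver
 * call into it (IOCTL 0x10C), then terminate CrackMeApp with an ordinary
 * OpenProcess()/TerminateProcess() pair.
 *
 * Fixes over the original: the kill is only attempted when
 * DeviceIoControl() reports success, OpenProcess() is checked, and the
 * process handle is closed (it leaked).
 */
void start(void)
{
    HWND hWnd = FindWindow("#32770", "CrackMeApp");
    DWORD Pid = 0;
    DWORD base;
    DWORD bytesReturned = 0;
    HANDLE hFile;
    HANDLE hProcess;
    BOOL patched;

    GetWindowThreadProcessId(hWnd, &Pid);
    if (Pid == 0)
        return;
    base = GetSysBase();
    if (base == 0)
        return;
    hFile = CreateFile("\\\\.\\shoooo25", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return;
    patched = DeviceIoControl(hFile, 0x10C, &base, sizeof(base), NULL, 0, &bytesReturned, NULL);
    CloseHandle(hFile);
    if (!patched)
        return;
    hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, Pid);
    if (hProcess != NULL)
    {
        TerminateProcess(hProcess, 0);
        CloseHandle(hProcess);
    }
}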
23 楼
膜拜LZ
顶礼膜拜发帖时间。
24 楼
KeAttachProcess
25 楼
只能膜拜,无法学习。