LycorisGuard
parent
8080e9d7d3
commit
94f523ced9
|
|
@ -3,15 +3,11 @@
|
||||||
# include "FileProtectX86.h"
|
# include "FileProtectX86.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
ULONG gC2pKeyCount = 0;
|
ULONG gC2pKeyCount = 0;
|
||||||
PDRIVER_OBJECT gDriverObject = NULL;
|
PDRIVER_OBJECT gDriverObject = NULL;
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
BOOLEAN bOk = FALSE;
|
BOOLEAN bOk = FALSE;
|
||||||
|
|
||||||
|
|
||||||
ULONG_PTR IndexOffsetOfFunction = 0;
|
ULONG_PTR IndexOffsetOfFunction = 0;
|
||||||
ULONG_PTR SSDTDescriptor = 0;
|
ULONG_PTR SSDTDescriptor = 0;
|
||||||
KIRQL Irql;
|
KIRQL Irql;
|
||||||
|
|
@ -22,15 +18,11 @@ pfnNtSetInformationFile Old_NtSetInformationFileWinXP = NULL;
|
||||||
pfnNtDeleteFile Old_NtDeleteFileWinXP = NULL;
|
pfnNtDeleteFile Old_NtDeleteFileWinXP = NULL;
|
||||||
//pfnNtCreateFile Old_NtCreateFileWinXP = NULL;
|
//pfnNtCreateFile Old_NtCreateFileWinXP = NULL;
|
||||||
pfnNtWriteFile Old_NtWriteFileWinXP = NULL;
|
pfnNtWriteFile Old_NtWriteFileWinXP = NULL;
|
||||||
NTSTATUS
|
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
|
||||||
DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
|
|
||||||
{
|
{
|
||||||
|
|
||||||
|
|
||||||
ULONG i;
|
ULONG i;
|
||||||
NTSTATUS status;
|
NTSTATUS status;
|
||||||
|
|
||||||
|
|
||||||
// 填写所有的分发函数的指针
|
// 填写所有的分发函数的指针
|
||||||
for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
|
for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
|
||||||
{
|
{
|
||||||
|
|
@ -55,14 +47,8 @@ NTSTATUS
|
||||||
// 绑定所有键盘设备
|
// 绑定所有键盘设备
|
||||||
status =c2pAttachDevices(DriverObject, RegisterPath);
|
status =c2pAttachDevices(DriverObject, RegisterPath);
|
||||||
|
|
||||||
#ifdef _WIN64
|
|
||||||
// SSDTDescriptor = GetKeServiceDescriptorTable64(); //获取SSDT表
|
|
||||||
// IndexOffsetOfFunction = 4;
|
|
||||||
|
|
||||||
#else
|
|
||||||
SSDTDescriptor = (ULONG_PTR)GetFunctionAddressByNameFromNtosExport(L"KeServiceDescriptorTable");
|
SSDTDescriptor = (ULONG_PTR)GetFunctionAddressByNameFromNtosExport(L"KeServiceDescriptorTable");
|
||||||
IndexOffsetOfFunction = 1;
|
IndexOffsetOfFunction = 1;
|
||||||
#endif
|
|
||||||
|
|
||||||
ulIndex = GetSSDTApiFunctionIndexFromNtdll("NtSetInformationFile");
|
ulIndex = GetSSDTApiFunctionIndexFromNtdll("NtSetInformationFile");
|
||||||
ulIndex1 = GetSSDTApiFunctionIndexFromNtdll("NtWriteFile");
|
ulIndex1 = GetSSDTApiFunctionIndexFromNtdll("NtWriteFile");
|
||||||
|
|
@ -72,9 +58,7 @@ NTSTATUS
|
||||||
HookWrite(ulIndex1);
|
HookWrite(ulIndex1);
|
||||||
HookDelete(ulIndex2);
|
HookDelete(ulIndex2);
|
||||||
|
|
||||||
|
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -357,14 +341,11 @@ NTSTATUS c2pReadComplete(
|
||||||
// 获得这个缓冲区的长度。一般的说返回值有多长都保存在
|
// 获得这个缓冲区的长度。一般的说返回值有多长都保存在
|
||||||
// Information中。
|
// Information中。
|
||||||
|
|
||||||
|
|
||||||
buf_len = Irp->IoStatus.Information;
|
buf_len = Irp->IoStatus.Information;
|
||||||
numKeys = Irp->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA);
|
numKeys = Irp->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA);
|
||||||
|
|
||||||
__try
|
__try
|
||||||
{
|
{
|
||||||
|
|
||||||
|
|
||||||
if (NT_SUCCESS(IoQueryFileDosDeviceName((PFILE_OBJECT)IrpSp->FileObject, &ObjetNameInfor)))
|
if (NT_SUCCESS(IoQueryFileDosDeviceName((PFILE_OBJECT)IrpSp->FileObject, &ObjetNameInfor)))
|
||||||
{
|
{
|
||||||
if(wcsstr(ObjetNameInfor->Name.Buffer,L"Shine.txt")!=0)
|
if(wcsstr(ObjetNameInfor->Name.Buffer,L"Shine.txt")!=0)
|
||||||
|
|
@ -379,34 +360,27 @@ NTSTATUS c2pReadComplete(
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
//通过EProcess获得进程名称
|
//ͨ¹ýProcess»ñµÃ½ø³ÌÃû³Æ
|
||||||
|
|
||||||
|
|
||||||
for(i = 0; i < numKeys; i++)
|
for(i = 0; i < numKeys; i++)
|
||||||
{
|
{
|
||||||
// DbgPrint("%02X %d\n",pKeyData[i].MakeCode,pKeyData[i].Flags);
|
// DbgPrint("%02X %d\n",pKeyData[i].MakeCode,pKeyData[i].Flags);
|
||||||
|
|
||||||
if(pKeyData[i].MakeCode == 0x1d&&pKeyData[i].Flags ==KEY_MAKE)
|
if(pKeyData[i].MakeCode == 0x1d && pKeyData[i].Flags == KEY_MAKE)
|
||||||
{
|
{
|
||||||
//左Ctrl
|
//左Ctrl
|
||||||
bOk = TRUE;
|
bOk = TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(pKeyData[i].MakeCode == 0x2e&&pKeyData[i].Flags==KEY_MAKE&&bOk==TRUE) //按下
|
if(pKeyData[i].MakeCode == 0x2e && pKeyData[i].Flags == KEY_MAKE && bOk == TRUE ) //°´ÏÂ
|
||||||
{
|
{
|
||||||
pKeyData[i].MakeCode = 0x20;
|
pKeyData[i].MakeCode = 0x20;
|
||||||
bOk = FALSE;
|
bOk = FALSE;
|
||||||
DbgPrint("aaaaaaaaaaaaaa");
|
DbgPrint("aaaaaaaaaaaaaa");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
//… 这里可以做进一步的处理。我这里很简单的打印出所有的扫
|
//… 这里可以做进一步的处理。我这里很简单的打印出所有的扫
|
||||||
// 描码。
|
// 描码。
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
// for(i=0;i<buf_len;++i)
|
// for(i=0;i<buf_len;++i)
|
||||||
// {
|
// {
|
||||||
//DbgPrint("ctrl2cap: %2x\r\n", buf[i]);
|
//DbgPrint("ctrl2cap: %2x\r\n", buf[i]);
|
||||||
|
|
@ -463,74 +437,51 @@ NTSTATUS c2pDispatchRead(
|
||||||
return IoCallDriver( devExt->LowerDeviceObject, Irp );
|
return IoCallDriver( devExt->LowerDeviceObject, Irp );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
VOID HookSSDT(ULONG_PTR ulIndex)
|
VOID HookSSDT(ULONG_PTR ulIndex)
|
||||||
{
|
{
|
||||||
|
|
||||||
PULONG32 ServiceTableBase = NULL;
|
PULONG32 ServiceTableBase = NULL;
|
||||||
|
|
||||||
ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址
|
ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址
|
||||||
|
|
||||||
Old_NtSetInformationFileWinXP = (pfnNtSetInformationFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址
|
Old_NtSetInformationFileWinXP = (pfnNtSetInformationFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址
|
||||||
|
|
||||||
|
|
||||||
WPOFF();
|
WPOFF();
|
||||||
ServiceTableBase[ulIndex] = (ULONG32)Fake_NtSetInformationFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中
|
ServiceTableBase[ulIndex] = (ULONG32)Fake_NtSetInformationFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中
|
||||||
WPON();
|
WPON();
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
VOID HookWrite(ULONG_PTR ulIndex)
|
VOID HookWrite(ULONG_PTR ulIndex)
|
||||||
{
|
{
|
||||||
PULONG32 ServiceTableBase = NULL;
|
PULONG32 ServiceTableBase = NULL;
|
||||||
|
|
||||||
ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址
|
ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址
|
||||||
|
|
||||||
Old_NtWriteFileWinXP = (pfnNtWriteFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址
|
Old_NtWriteFileWinXP = (pfnNtWriteFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址
|
||||||
|
|
||||||
|
|
||||||
WPOFF();
|
WPOFF();
|
||||||
ServiceTableBase[ulIndex] = (ULONG32)Fake_NtWriteFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中
|
ServiceTableBase[ulIndex] = (ULONG32)Fake_NtWriteFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中
|
||||||
WPON();
|
WPON();
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
VOID HookDelete(ULONG_PTR ulIndex)
|
VOID HookDelete(ULONG_PTR ulIndex)
|
||||||
{
|
{
|
||||||
PULONG32 ServiceTableBase = NULL;
|
PULONG32 ServiceTableBase = NULL;
|
||||||
|
|
||||||
ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址
|
ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址
|
||||||
|
|
||||||
Old_NtDeleteFileWinXP = (pfnNtDeleteFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址
|
Old_NtDeleteFileWinXP = (pfnNtDeleteFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址
|
||||||
|
|
||||||
|
|
||||||
WPOFF();
|
WPOFF();
|
||||||
ServiceTableBase[ulIndex] = (ULONG32)Fake_NtDeleteFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中
|
ServiceTableBase[ulIndex] = (ULONG32)Fake_NtDeleteFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中
|
||||||
WPON();
|
WPON();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
VOID
|
VOID
|
||||||
UnHookSSDT(ULONG_PTR ulIndex)
|
UnHookSSDT(ULONG_PTR ulIndex)
|
||||||
{
|
{
|
||||||
|
|
||||||
PULONG32 ServiceTableBase = NULL;
|
PULONG32 ServiceTableBase = NULL;
|
||||||
ServiceTableBase=(PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase;
|
ServiceTableBase=(PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase;
|
||||||
|
|
||||||
WPOFF();
|
WPOFF();
|
||||||
ServiceTableBase[ulIndex] = (ULONG32)Old_NtSetInformationFileWinXP;
|
ServiceTableBase[ulIndex] = (ULONG32)Old_NtSetInformationFileWinXP;
|
||||||
WPON();
|
WPON();
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
VOID
|
VOID
|
||||||
UnHookSSDTWrite(ULONG_PTR ulIndex)
|
UnHookSSDTWrite(ULONG_PTR ulIndex)
|
||||||
{
|
{
|
||||||
|
|
@ -544,25 +495,18 @@ VOID
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
VOID
|
VOID
|
||||||
UnHookSSDTDelete(ULONG_PTR ulIndex)
|
UnHookSSDTDelete(ULONG_PTR ulIndex)
|
||||||
{
|
{
|
||||||
|
|
||||||
PULONG32 ServiceTableBase = NULL;
|
PULONG32 ServiceTableBase = NULL;
|
||||||
ServiceTableBase=(PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase;
|
ServiceTableBase=(PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase;
|
||||||
|
|
||||||
WPOFF();
|
WPOFF();
|
||||||
ServiceTableBase[ulIndex] = (ULONG32)Old_NtDeleteFileWinXP;
|
ServiceTableBase[ulIndex] = (ULONG32)Old_NtDeleteFileWinXP;
|
||||||
WPON();
|
WPON();
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
NTSTATUS Fake_NtSetInformationFileWinXP(
|
NTSTATUS Fake_NtSetInformationFileWinXP(
|
||||||
__in HANDLE FileHandle,
|
__in HANDLE FileHandle,
|
||||||
__out PIO_STATUS_BLOCK IoStatusBlock,
|
__out PIO_STATUS_BLOCK IoStatusBlock,
|
||||||
|
|
@ -582,14 +526,14 @@ NTSTATUS Fake_NtSetInformationFileWinXP(
|
||||||
{
|
{
|
||||||
if(wcsstr((ObjetNameInfor->Name).Buffer,L"D:\\Shine.txt"))
|
if(wcsstr((ObjetNameInfor->Name).Buffer,L"D:\\Shine.txt"))
|
||||||
{
|
{
|
||||||
if(FileInformationClass==FileRenameInformation)
|
if(FileInformationClass == FileRenameInformation)
|
||||||
{
|
{
|
||||||
return;
|
return STATUS_ACCESS_DENIED;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
Old_NtSetInformationFileWinXP(FileHandle,IoStatusBlock,FileInformation,Length,FileInformationClass);
|
return Old_NtSetInformationFileWinXP(FileHandle,IoStatusBlock,FileInformation,Length,FileInformationClass);
|
||||||
}
|
}
|
||||||
|
|
||||||
NTSTATUS
|
NTSTATUS
|
||||||
|
|
@ -605,8 +549,6 @@ NTSTATUS
|
||||||
__in_opt PULONG Key
|
__in_opt PULONG Key
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
|
|
||||||
|
|
||||||
NTSTATUS Status;
|
NTSTATUS Status;
|
||||||
PFILE_OBJECT hObject;
|
PFILE_OBJECT hObject;
|
||||||
POBJECT_NAME_INFORMATION ObjetNameInfor;
|
POBJECT_NAME_INFORMATION ObjetNameInfor;
|
||||||
|
|
@ -618,11 +560,11 @@ NTSTATUS
|
||||||
{
|
{
|
||||||
if(wcsstr((ObjetNameInfor->Name).Buffer,L"D:\\Shine.txt"))
|
if(wcsstr((ObjetNameInfor->Name).Buffer,L"D:\\Shine.txt"))
|
||||||
{
|
{
|
||||||
return;
|
return STATUS_ACCESS_DENIED;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
Old_NtWriteFileWinXP(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key);
|
return Old_NtWriteFileWinXP(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -632,10 +574,9 @@ NTSTATUS Fake_NtDeleteFileWinXP(
|
||||||
{
|
{
|
||||||
if(wcsstr((ObjectAttributes->ObjectName)->Buffer,L"D:\\Shine.txt"))
|
if(wcsstr((ObjectAttributes->ObjectName)->Buffer,L"D:\\Shine.txt"))
|
||||||
{
|
{
|
||||||
return;
|
return STATUS_ACCESS_DENIED;
|
||||||
}
|
}
|
||||||
Old_NtDeleteFileWinXP(ObjectAttributes);
|
return Old_NtDeleteFileWinXP(ObjectAttributes);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -655,36 +596,6 @@ PVOID
|
||||||
return FunctionAddress;
|
return FunctionAddress;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
PVOID GetKeServiceDescriptorTable64()
|
|
||||||
{
|
|
||||||
PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082);
|
|
||||||
PUCHAR EndSearchAddress = StartSearchAddress + 0x500;
|
|
||||||
PUCHAR i = NULL;
|
|
||||||
UCHAR b1=0,b2=0,b3=0;
|
|
||||||
ULONG_PTR ulv1 = 0;
|
|
||||||
PVOID FunctionAddress = 0;
|
|
||||||
for(i=StartSearchAddress;i<EndSearchAddress;i++)
|
|
||||||
{
|
|
||||||
if( MmIsAddressValid(i) && MmIsAddressValid(i+1) && MmIsAddressValid(i+2) )
|
|
||||||
{
|
|
||||||
b1=*i;
|
|
||||||
b2=*(i+1);
|
|
||||||
b3=*(i+2);
|
|
||||||
if( b1==0x4c && b2==0x8d && b3==0x15 )
|
|
||||||
{
|
|
||||||
memcpy(&ulv1,i+3,4);
|
|
||||||
FunctionAddress = (ULONG_PTR)ulv1 + (ULONG_PTR)i + 7;
|
|
||||||
return FunctionAddress;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
LONG GetSSDTApiFunctionIndexFromNtdll(char* szFindFunctionName)
|
LONG GetSSDTApiFunctionIndexFromNtdll(char* szFindFunctionName)
|
||||||
{
|
{
|
||||||
|
|
||||||
|
|
@ -705,9 +616,7 @@ LONG GetSSDTApiFunctionIndexFromNtdll(char* szFindFunctionName)
|
||||||
Status = MapFileInUserSpace(wzNtdll, NtCurrentProcess(), &MapBase, &ViewSize);
|
Status = MapFileInUserSpace(wzNtdll, NtCurrentProcess(), &MapBase, &ViewSize);
|
||||||
if (!NT_SUCCESS(Status))
|
if (!NT_SUCCESS(Status))
|
||||||
{
|
{
|
||||||
|
|
||||||
return STATUS_UNSUCCESSFUL;
|
return STATUS_UNSUCCESSFUL;
|
||||||
|
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
|
@ -745,10 +654,6 @@ LONG GetSSDTApiFunctionIndexFromNtdll(char* szFindFunctionName)
|
||||||
return ulIndex;
|
return ulIndex;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
NTSTATUS
|
NTSTATUS
|
||||||
MapFileInUserSpace(WCHAR* wzFilePath,IN HANDLE hProcess OPTIONAL,
|
MapFileInUserSpace(WCHAR* wzFilePath,IN HANDLE hProcess OPTIONAL,
|
||||||
OUT PVOID *BaseAddress,
|
OUT PVOID *BaseAddress,
|
||||||
|
|
@ -808,7 +713,6 @@ NTSTATUS
|
||||||
if (!NT_SUCCESS(Status))
|
if (!NT_SUCCESS(Status))
|
||||||
{
|
{
|
||||||
return Status;
|
return Status;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!hProcess){
|
if (!hProcess){
|
||||||
|
|
@ -835,10 +739,6 @@ NTSTATUS
|
||||||
return Status;
|
return Status;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
ULONG_PTR GetFunctionAddressByIndexFromSSDT32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
|
ULONG_PTR GetFunctionAddressByIndexFromSSDT32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
|
||||||
{
|
{
|
||||||
ULONG_PTR ServiceTableBase= 0 ;
|
ULONG_PTR ServiceTableBase= 0 ;
|
||||||
|
|
@ -849,23 +749,6 @@ ULONG_PTR GetFunctionAddressByIndexFromSSDT32(ULONG_PTR ulIndex,ULONG_PTR SSDTDe
|
||||||
return (*(PULONG_PTR)(ServiceTableBase + 4 * ulIndex));
|
return (*(PULONG_PTR)(ServiceTableBase + 4 * ulIndex));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
ULONG_PTR GetFunctionAddressByIndexFromSSDT64(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
|
|
||||||
{
|
|
||||||
LONG ulv1 = 0;
|
|
||||||
ULONG_PTR ulv2 = 0;
|
|
||||||
ULONG_PTR ServiceTableBase= 0 ;
|
|
||||||
PSYSTEM_SERVICE_TABLE64 SSDT = (PSYSTEM_SERVICE_TABLE64)SSDTDescriptor;
|
|
||||||
ServiceTableBase=(ULONG_PTR)(SSDT ->ServiceTableBase);
|
|
||||||
ulv2 = ServiceTableBase + 4 * ulIndex;
|
|
||||||
ulv1 = *(PLONG)ulv2;
|
|
||||||
ulv1 = ulv1>>4;
|
|
||||||
return ServiceTableBase + (ULONG_PTR)ulv1;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
VOID WPOFF()
|
VOID WPOFF()
|
||||||
{
|
{
|
||||||
ULONG_PTR cr0 = 0;
|
ULONG_PTR cr0 = 0;
|
||||||
|
|
@ -873,16 +756,14 @@ VOID WPOFF()
|
||||||
cr0 =__readcr0();
|
cr0 =__readcr0();
|
||||||
cr0 &= 0xfffffffffffeffff;
|
cr0 &= 0xfffffffffffeffff;
|
||||||
__writecr0(cr0);
|
__writecr0(cr0);
|
||||||
// _disable(); //这句话 屏蔽也没有啥
|
//_disable();
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
VOID WPON()
|
VOID WPON()
|
||||||
{
|
{
|
||||||
|
|
||||||
ULONG_PTR cr0=__readcr0();
|
ULONG_PTR cr0=__readcr0();
|
||||||
cr0 |= 0x10000;
|
cr0 |= 0x10000;
|
||||||
// _enable(); //这句话 屏蔽也没有啥
|
//_enable();
|
||||||
__writecr0(cr0);
|
__writecr0(cr0);
|
||||||
KeLowerIrql(Irql);
|
KeLowerIrql(Irql);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -15,14 +15,6 @@ NTSTATUS
|
||||||
|
|
||||||
#define SEC_IMAGE 0x01000000
|
#define SEC_IMAGE 0x01000000
|
||||||
|
|
||||||
|
|
||||||
typedef struct _SYSTEM_SERVICE_TABLE64{
|
|
||||||
PVOID ServiceTableBase;
|
|
||||||
PVOID ServiceCounterTableBase;
|
|
||||||
ULONG64 NumberOfServices;
|
|
||||||
PVOID ParamTableBase;
|
|
||||||
} SYSTEM_SERVICE_TABLE64, *PSYSTEM_SERVICE_TABLE64;
|
|
||||||
|
|
||||||
typedef struct _SYSTEM_SERVICE_TABLE32 {
|
typedef struct _SYSTEM_SERVICE_TABLE32 {
|
||||||
PVOID ServiceTableBase;
|
PVOID ServiceTableBase;
|
||||||
PVOID ServiceCounterTableBase;
|
PVOID ServiceCounterTableBase;
|
||||||
|
|
@ -147,9 +139,6 @@ NTSYSAPI
|
||||||
RtlImageNtHeader(PVOID Base);
|
RtlImageNtHeader(PVOID Base);
|
||||||
|
|
||||||
PVOID GetFunctionAddressByNameFromSSDT(CHAR* szFunctionName,ULONG_PTR SSDTDescriptor);
|
PVOID GetFunctionAddressByNameFromSSDT(CHAR* szFunctionName,ULONG_PTR SSDTDescriptor);
|
||||||
ULONG_PTR GetFunctionAddressByIndexFromSSDT64(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);
|
|
||||||
PVOID GetKeServiceDescriptorTable64();
|
|
||||||
|
|
||||||
ULONG_PTR GetFunctionAddressByIndexFromSSDT32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);
|
ULONG_PTR GetFunctionAddressByIndexFromSSDT32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);
|
||||||
PVOID
|
PVOID
|
||||||
GetFunctionAddressByNameFromNtosExport(WCHAR *wzFunctionName);
|
GetFunctionAddressByNameFromNtosExport(WCHAR *wzFunctionName);
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue