ce吧 关注:196,170贴子:3,799,494
  • 13回复贴,共1

度娘秒删帖啊!我的天啊。

只看楼主收藏回复

好久都没来了,发现老朋友都不在了,先默哀三分钟。
我是一个无聊的人,无聊到爆,尤其喜欢看人装逼,特别喜欢那种不懂装懂的装逼,特来劲。
现在发现还是做个伸手党比较舒心,太舒服啦!!!


1楼2016-09-25 00:19回复
    NTSTATUS DispatchRoutine( PDEVICE_OBJECT pdo, PIRP Irp){ NTSTATUS status; PIO_STACK_LOCATION pisl; ULONG cbin; ULONG cbout; ULONG code; ULONG info = 0; CHAR InputData[40] = {0}; PVOID OutBuffer ; PCHAR buffer; LONG len = 0, pid = 0, add = 0; status = STATUS_SUCCESS; pisl = IoGetCurrentIrpStackLocation(Irp);// pisl->DeviceObject->CurrentIrp->RequestorMode = 0; //得到输入缓冲区大小 cbin = pisl->Parameters.DeviceIoControl.InputBufferLength; //得到输出缓冲区大小 cbout = pisl->Parameters.DeviceIoControl.OutputBufferLength; //得到IOCTL码 code = pisl->Parameters.DeviceIoControl.IoControlCode; // DbgPrint("%d-%d-%d", IOCTL_SET_ADAPTOR_MAC, IOCTL_SET_DISK_SERIAL, code); switch (code) { // process request case IOCTL_READ: //只是测试,所以只弄了读内存的部分,写内存的看看教程自己加也不会难 { if (cbin == 12) { //PKTHREAD XXX = KeGetCurrentThread(); //*((char*)XXX + 0x140) = KernelMode; 这里修改PreviousMode,但是测试没有用 //KeSetPriorityThread(XXX, LOW_REALTIME_PRIORITY); //KeSetBasePriorityThread(XXX, LOW_REALTIME_PRIORITY); //DbgPrint("Mode = %d - %X", ExGetPreviousMode(), *((char*)XXX + 0x140)); RtlCopyMemory(&pid, (char*)pisl->Parameters.DeviceIoControl.Type3InputBuffer + 0, 4); RtlCopyMemory(&add, (char*)pisl->Parameters.DeviceIoControl.Type3InputBuffer + 4, 4); RtlCopyMemory(&len, (char*)pisl->Parameters.DeviceIoControl.Type3InputBuffer + 8, 4); DbgPrint("IOCTL_READ : %d - %08X -%d", pid, add, len); OutBuffer = Irp->UserBuffer; if (len<12) { buffer = (PVOID)ExAllocatePool(PagedPool, 12); } else { buffer = (PVOID)ExAllocatePool(PagedPool, len); } RtlCopyMemory(buffer, pisl->Parameters.DeviceIoControl.Type3InputBuffer,12); CreateThreadTest(buffer); //创建内核线程来读取内存 RtlCopyMemory(OutBuffer, buffer, len); ExFreePool(buffer); // test(pid); // *((char*)XXX + 0x140) = UserMode; //还原 PreviousMode } info = cbout; break; } } Irp->IoStatus.Status = status; Irp->IoStatus.Information = info; IoCompleteRequest(Irp, IO_NO_INCREMENT); return STATUS_SUCCESS;}


    2楼2016-09-25 00:20
    回复
      超爱这个表情


      3楼2016-09-25 00:21
      回复
        大神写个一键挑战来看看啊


        IP属地:江西来自Android客户端4楼2016-09-25 09:22
        回复
          ((char*)XXX + 0x140) = KernelMode;
          这句是什么意思?KernelMode是函数还是什么?xxx+0x140是线程的什么?


          IP属地:云南5楼2016-09-25 09:41
          回复
            case DbgKdReadVirtualMemoryApi:
            KdpReadVirtualMemory(&ManipulateState,&MessageData,ContextRecord);
            break;
            case DbgKdReadVirtualMemory64Api:
            KdpReadVirtualMemory64(&ManipulateState,&MessageData,ContextRecord);
            break;
            case DbgKdWriteVirtualMemoryApi:
            KdpWriteVirtualMemory(&ManipulateState,&MessageData,ContextRecord);
            break;
            case DbgKdWriteVirtualMemory64Api:
            KdpWriteVirtualMemory64(&ManipulateState,&MessageData,ContextRecord);
            break;
            case DbgKdReadPhysicalMemoryApi:
            KdpReadPhysicalMemory(&ManipulateState,&MessageData,ContextRecord);
            break;
            case DbgKdWritePhysicalMemoryApi:
            KdpWritePhysicalMemory(&ManipulateState,&MessageData,ContextRecord);
            break;
            case DbgKdGetContextApi:
            KdpGetContext(&ManipulateState,&MessageData,ContextRecord);
            break;
            case DbgKdSetContextApi:
            KdpSetContext(&ManipulateState,&MessageData,ContextRecord);
            break;
            case DbgKdWriteBreakPointApi:
            KdpWriteBreakpoint(&ManipulateState,&MessageData,ContextRecord);
            break;
            case DbgKdRestoreBreakPointApi:
            KdpRestoreBreakpoin(&ManipulateState,&MessageData,ContextRecord);
            break;
            case DbgKdReadControlSpaceApi:
            KdpReadControlSpace(&ManipulateState,&MessageData,ContextRecord);
            break;
            case DbgKdWriteControlSpaceApi:
            KdpWriteControlSpace(&ManipulateState,&MessageData,ContextRecord);
            break;
            case DbgKdReadIoSpaceApi:
            KdpReadIoSpace(&ManipulateState,&MessageData,ContextRecord);
            break;
            case DbgKdWriteIoSpaceApi:
            KdpWriteIoSpace(&ManipulateState,&MessageData,ContextRecord);
            break;
            case DbgKdContinueApi:
            if (NT_SUCCESS(ManipulateState.u.Continue.ContinueStatus) != FALSE) {
            return ContinueSuccess;
            } else {
            return ContinueError;
            }
            break;
            case DbgKdContinueApi2:
            if (NT_SUCCESS(ManipulateState.u.Continue2.ContinueStatus) != FALSE) {
            KdpGetStateChange(&ManipulateState,ContextRecord);
            return ContinueSuccess;
            } else {
            return ContinueError;
            }
            break;
            case DbgKdRebootApi:
            KdpReboot();
            break;
            case DbgKdReadMachineSpecificRegister:
            KdpReadMachineSpecificRegister(&ManipulateState,&MessageData,ContextRecord);
            break;
            case DbgKdWriteMachineSpecificRegister:
            KdpWriteMachineSpecificRegister(&ManipulateState,&MessageData,ContextRecord);
            break;
            case DbgKdSetSpecialCallApi:
            KdSetSpecialCall(&ManipulateState,ContextRecord);
            break;
            case DbgKdClearSpecialCallsApi:
            KdClearSpecialCalls();
            break;
            case DbgKdSetInternalBreakPointApi:
            KdSetInternalBreakpoint(&ManipulateState);
            break;
            case DbgKdGetInternalBreakPointApi:
            KdGetInternalBreakpoint(&ManipulateState);
            break;
            case DbgKdGetVersionApi:
            KdpGetVersion(&ManipulateState);
            break;
            case DbgKdCauseBugCheckApi:
            KdpCauseBugCheck(&ManipulateState);
            break;
            case DbgKdPageInApi:
            KdpNotSupported(&ManipulateState);
            break;
            case DbgKdWriteBreakPointExApi:
            Status = KdpWriteBreakPointEx(&ManipulateState,
            &MessageData,
            ContextRecord);
            if (Status) {
            ManipulateState.ApiNumber = DbgKdContinueApi;
            ManipulateState.u.Continue.ContinueStatus = Status;
            return ContinueError;
            }
            break;
            case DbgKdRestoreBreakPointExApi:
            KdpRestoreBreakPointEx(&ManipulateState,&MessageData,ContextRecord);
            break;
            case DbgKdSwitchProcessor:
            KdPortRestore ();
            ContinueStatus = KeSwitchFrozenProcessor(ManipulateState.Processor);
            KdPortSave ();
            return ContinueStatus;
            case DbgKdSearchMemoryApi:
            KdpSearchMemory(&ManipulateState, &MessageData, ContextRecord);
            break;


            6楼2016-09-25 21:45
            回复
              每天做个笔记也是一个好习惯


              9楼2016-09-26 22:56
              回复
                #include "ntddk.h"#include <WinDef.h>#include "ntimage.h"int NtosVersion; //判断操作系统内核标志wchar_t NtosVersionName[4][128]={L"\\??\\C:\\WINDOWS\\system32\\ntoskrnl.exe",L"\\??\\C:\\WINDOWS\\system32\\ntkrnlpa.exe",L"\\??\\C:\\WINDOWS\\system32\\ntkrnlmp.exe",L"\\??\\C:\\WINDOWS\\system32\\ntkrpamp.exe"};char NtosVersionNameA[4][128]={"C:\\WINDOWS\\system32\\ntoskrnl.exe","C:\\WINDOWS\\system32\\ntkrnlpa.exe","C:\\WINDOWS\\system32\\ntkrnlmp.exe","C:\\WINDOWS\\system32\\ntkrpamp.exe"};ULONG SSDTNumber=0;KIRQL Irql;BOOLEAN IsGetSSDT=false;typedef struct _SSDTInformation{ ULONG index; ULONG CurrentAddress; ULONG OriginalAddress; char FunctionName[16]; //函数名 char KernelMouduleName[64]; //内核模块名 ULONG KernelMouduleBase; //内核模块基址}SSDTInformation,*PSSDTInformation;PSSDTInformation SSDT;//SSDT= (PSSDTInformation)ExAllocatePool(NonPagedPool,sizeof(SSDTInformation)*512);#pragma pack(1)typedef struct ServiceDescriptorEntry { unsigned int *ServiceTableBase; unsigned int *ServiceCounterTableBase; unsigned int NumberOfServices; unsigned char *ParamTableBase;} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;#pragma pack()extern"C" __declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;ServiceDescriptorTableEntry_t *pNewSSDT;ULONG OldImageBase=0; //当前内核在内存中的地址ULONG ImageBase=0; //文件中的基址//恢复内存保护 void PageProtectOn(){ __asm{ mov eax,cr0 or eax,10000h mov cr0,eax sti }}//去掉内存保护void PageProtectOff(){ __asm{ cli mov eax,cr0 and eax,not 10000h mov cr0,eax }}typedef enum _SYSTEM_INFORMATION_CLASS{ SystemModuleInformation = 11,} SYSTEM_INFORMATION_CLASS;typedef struct _SYSTEM_MODULE_INFORMATION{ ULONG Reserved[2]; PBYTE Base; ULONG Size; ULONG Flags; USHORT Index; USHORT Unknown; USHORT LoadCount; USHORT ModuleNameOffset; CHAR ImageName[256];} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;typedef struct _SYSTEM_MODULE_INFO_LIST{ ULONG ulCount; SYSTEM_MODULE_INFORMATION smi[1];} SYSTEM_MODULE_INFO_LIST, *PSYSTEM_MODULE_INFO_LIST;typedef struct _MY_IMAGE_BASE_RELOCATION { ULONG VirtualAddress; ULONG SizeOfBlock; USHORT TypeOffset[1];} MY_IMAGE_BASE_RELOCATION;extern"C" NTSTATUS __stdcall ZwQuerySystemInformation( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength );VOID SetNewSSDT(PVOID pNewImage){ ULONG uIndex; ULONG uNewKernelInc,uOffset; //新内核地址-老内核地址,得到相对偏移 uNewKernelInc = (ULONG)pNewImage -OldImageBase; //老内核的ssdt指针加上相对偏移,得到新内核的ssdt指针 pNewSSDT = (ServiceDescriptorTableEntry_t *)((ULONG)&KeServiceDescriptorTable + uNewKernelInc); if (!MmIsAddressValid(pNewSSDT)) { KdPrint(("pNewSSDT is unaviable!")); return; } //由于数量是一个数值,因此不必作相对偏移 pNewSSDT->NumberOfServices = KeServiceDescriptorTable.NumberOfServices; //计算相对函数地址 uOffset = (ULONG)KeServiceDescriptorTable.ServiceTableBase -OldImageBase; //得到新的ssdt函数表地址 pNewSSDT->ServiceTableBase = (unsigned int*)((ULONG)pNewImage + uOffset); if (!MmIsAddressValid(pNewSSDT->ServiceTableBase)) { KdPrint(("pNewSSDT->ServiceTableBase: %X",pNewSSDT->ServiceTableBase)); return; } //依次遍历 for (uIndex = 0;uIndex<pNewSSDT->NumberOfServices;uIndex++) { //新的函数地址再加上相对加载地址,得到现在的ssdt函数地址 pNewSSDT->ServiceTableBase[uIndex] = pNewSSDT->ServiceTableBase[uIndex]-ImageBase+OldImageBase; //DbgPrint("%d->%08x\n",uIndex,pNewSSDT->ServiceTableBase[uIndex]); //打印SSDT索引号和地址 } // //保存SSDT信息 // SSDT= (PSSDTInformation)ExAllocatePool(NonPagedPool,sizeof(SSDTInformation)*pNewSSDT->NumberOfServices); if(SSDT==NULL) { DbgPrint("申请内存失败\n"); return;


                10楼2016-09-26 23:02
                回复
                  } else { IsGetSSDT=true; } for (uIndex = 0;uIndex<pNewSSDT->NumberOfServices;uIndex++) { SSDT[uIndex].index = uIndex; //序号 SSDT[uIndex].OriginalAddress=pNewSSDT->ServiceTableBase[uIndex]; //原始地址 SSDT[uIndex].CurrentAddress=KeServiceDescriptorTable.ServiceTableBase[uIndex]; } SSDTNumber=pNewSSDT->NumberOfServices; //有多少项}BOOLEAN LoadKernel(){ NTSTATUS status; UNICODE_STRING uFileName; HANDLE hFile; OBJECT_ATTRIBUTES ObjAttr; IO_STATUS_BLOCK IoStatusBlock; LARGE_INTEGER FileOffset; ULONG retsize; PVOID lpVirtualPointer; ULONG uLoop; ULONG SectionVirtualAddress,SectionSize; PIMAGE_DOS_HEADER ImageDosHeader; PIMAGE_NT_HEADERS ImageNtHeader; PIMAGE_SECTION_HEADER lpImageSectionHeader; InitializeObjectAttributes(&ObjAttr,\ &uFileName,\ OBJ_CASE_INSENSITIVE,\ NULL,\ NULL); RtlInitUnicodeString(&uFileName,NtosVersionName[NtosVersion]); //打开文件 status = ZwCreateFile(\ &hFile,\ FILE_ALL_ACCESS,\ &ObjAttr,\ &IoStatusBlock,\ 0,\ FILE_ATTRIBUTE_NORMAL,\ FILE_SHARE_READ,\ FILE_OPEN,\ FILE_NON_DIRECTORY_FILE,\ NULL,\ 0); if(!NT_SUCCESS(status)) { KdPrint(("CreateFile Failed!\n")); return false; } //读取DOS头 FileOffset.QuadPart = 0; ImageDosHeader=(PIMAGE_DOS_HEADER)ExAllocatePool(NonPagedPool, sizeof(IMAGE_DOS_HEADER)); //记得释放 status = ZwReadFile(hFile,\ NULL,\ NULL,\ NULL,\ &IoStatusBlock,\ ImageDosHeader,\ sizeof(IMAGE_DOS_HEADER),\ &FileOffset,\ 0); if(!NT_SUCCESS(status)) { KdPrint(("Read ImageDosHeader Failed!")); ZwClose(hFile); return false; } //读取NT头 ImageNtHeader=(PIMAGE_NT_HEADERS)ExAllocatePool(NonPagedPool, sizeof(IMAGE_NT_HEADERS)); //记得释放 FileOffset.QuadPart = ImageDosHeader->e_lfanew; status = ZwReadFile(hFile,\ NULL,\ NULL,\ NULL,\ &IoStatusBlock,\ ImageNtHeader,\ sizeof(IMAGE_NT_HEADERS),\ &FileOffset,\ 0); if(!NT_SUCCESS(status)) { KdPrint(("Read ImageNtHeaders Failed!")); ZwClose(hFile); return false; } ImageBase=ImageNtHeader->OptionalHeader.ImageBase; //读取区表 lpImageSectionHeader = (PIMAGE_SECTION_HEADER)ExAllocatePool(NonPagedPool,sizeof(IMAGE_SECTION_HEADER)*ImageNtHeader->FileHeader.NumberOfSections); FileOffset.QuadPart += sizeof(IMAGE_NT_HEADERS); status = ZwReadFile(hFile,\ NULL,\ NULL,\ NULL,\ &IoStatusBlock,\ lpImageSectionHeader,\ sizeof(IMAGE_SECTION_HEADER)*ImageNtHeader->FileHeader.NumberOfSections,\ &FileOffset,\ 0); if(!NT_SUCCESS(status)) { KdPrint(("Read ImageSectionHeader Failed!")); ExFreePool(lpImageSectionHeader); ZwClose(hFile); return false; } //COPY数据到内存 lpVirtualPointer = ExAllocatePool(NonPagedPool,\ ImageNtHeader->OptionalHeader.SizeOfImage); if(lpVirtualPointer == 0) { KdPrint(("lpVirtualPointer Alloc space Failed!")); ZwClose(hFile); return false; } memset(lpVirtualPointer,0,ImageNtHeader->OptionalHeader.SizeOfImage); //COPY DOS头 RtlCopyMemory(lpVirtualPointer,\ ImageDosHeader,\ sizeof(IMAGE_DOS_HEADER)); //COPY NT头 RtlCopyMemory((PVOID)((ULONG)lpVirtualPointer+ImageDosHeader->e_lfanew),\ ImageNtHeader,\ sizeof(IMAGE_NT_HEADERS)); //COPY 区表 RtlCopyMemory((PVOID)((ULONG)lpVirtualPointer+ImageDosHeader->e_lfanew+sizeof(IMAGE_NT_HEADERS)),\ lpImageSectionHeader,\ sizeof(IMAGE_SECTION_HEADER)*ImageNtHeader->FileHeader.NumberOfSections); //依次COPY 各区段数据 for(uLoop = 0;uLoop < ImageNtHeader->FileHeader.NumberOfSections;uLoop++) { SectionVirtualAddress = lpImageSectionHeader[uLoop].VirtualAddress;//对应区段相对偏移 if(lpImageSectionHeader[uLoop].Misc.VirtualSize > lpImageSectionHeader[uLoop].SizeOfRawData) SectionSize = lpImageSectionHeader[uLoop].Misc.VirtualSize;//取最大的占用空间 else SectionSize = lpImageSectionHeader[uLoop].SizeOfRawData; FileOffset.QuadPart = lpImageSectionHeader[uLoop].PointerToRawData;//对应区段的超始地址 status = ZwReadFile(hFile,\ NULL,\ NULL,\ NULL,\ &IoStatusBlock,\ (PVOID)((ULONG)lpVirtualPointer+SectionVirtualAddress),\ SectionSize,\ &FileOffset,\ 0); if(!NT_SUCCESS(status)) { KdPrint(("SectionData Read Failed!")); ExFreePool(lpImageSectionHeader); ExFreePool(lpVirtualPointer); ZwClose(hFile); return false; } } SetNewSSDT(lpVirtualPointer); ExFreePool(lpImageSectionHeader);//释放区段内存空间 ExFreePool(ImageNtHeader); ZwClose(hFile);//关闭句柄 return true;}// 获取kernel模块的信息NTSTATUS GetKernelModuleInfo(){ NTSTATUS status = STATUS_UNSUCCESSFUL; PSYSTEM_MODULE_INFO_LIST pSysModInfoList = NULL; ULONG ulLength = 0; status = ZwQuerySystemInformation(SystemModuleInformation, pSysModInfoList, ulLength, &ulLength); if(status != STATUS_INFO_LENGTH_MISMATCH) { return STATUS_UNSUCCESSFUL; } pSysModInfoList = (PSYSTEM_MODULE_INFO_LIST)ExAllocatePool(NonPagedPool, ulLength); if(NULL == pSysModInfoList) { return STATUS_UNSUCCESSFUL; } status = ZwQuerySystemInformation(SystemModuleInformation, pSysModInfoList, ulLength, &ulLength); if(!NT_SUCCESS(status)) { ExFreePool(pSysModInfoList); return STATUS_UNSUCCESSFUL; } OldImageBase=(ULONG)pSysModInfoList->smi[0].Base; //得到当前内核的基址 if(strstr(pSysModInfoList->smi[0].ImageName,"ntoskrnl.exe")) { NtosVersion=0; } if(strstr(pSysModInfoList->smi[0].ImageName,"ntkrnlpa.exe")) { NtosVersion=1; } if(strstr(pSysModInfoList->smi[0].ImageName,"ntkrnlmp.exe")) { NtosVersion=2; } if(strstr(pSysModInfoList->smi[0].ImageName,"ntkrpamp.exe")) { NtosVersion=3; } ExFreePool(pSysModInfoList); return STATUS_SUCCESS;}NTSTATUS Status;HANDLE FileHandle;IO_STATUS_BLOCK ioStatus;FILE_STANDARD_INFORMATION FileInformation;BOOLEAN GetSSDTName(){ if (KeGetCurrentIrql() > PASSIVE_LEVEL) { return STATUS_UNSUCCESSFUL; } //设置NTDLL路径 UNICODE_STRING uniFileName; RtlInitUnicodeString(&uniFileName, L"\\SystemRoot\\system32\\ntdll.dll"); //初始化打开文件的属性 OBJECT_ATTRIBUTES objectAttributes; InitializeObjectAttributes(&objectAttributes, &uniFileName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL); ////创建文件 Status = IoCreateFile(&FileHandle, FILE_READ_ATTRIBUTES | SYNCHRONIZE, &objectAttributes, &ioStatus, 0, FILE_READ_ATTRIBUTES, FILE_SHARE_READ, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0, CreateFileTypeNone, NULL, IO_NO_PARAMETER_CHECKING); if (!NT_SUCCESS(Status)) { DbgPrint("IoCreateFile failed!status:0x%08x\n", Status); return false; }


                  11楼2016-09-26 23:03
                  回复
                    //获取文件信息 Status = ZwQueryInformationFile(FileHandle, &ioStatus, &FileInformation, sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation); if (!NT_SUCCESS(Status)) { DbgPrint("ZwQueryInformationFile failed!status:0x%08x\n", Status); ZwClose( FileHandle ); return false; } //判断文件大小是否过大 if (FileInformation.EndOfFile.HighPart != 0) { DbgPrint("File Size Too High"); ZwClose(FileHandle); return false; } //取文件大小 ULONG uFileSize = FileInformation.EndOfFile.LowPart; //分配内存 PVOID pBuffer = ExAllocatePoolWithTag(PagedPool, uFileSize, (ULONG)"NTDLL"); if (pBuffer == NULL) { DbgPrint("ExAllocatePoolWithTag() == NULL"); ZwClose(FileHandle); return false; } //从头开始读取文件 LARGE_INTEGER byteOffset; byteOffset.LowPart = 0; byteOffset.HighPart = 0; Status = ZwReadFile(FileHandle, NULL, NULL, NULL, &ioStatus, pBuffer, uFileSize, &byteOffset, NULL); if (!NT_SUCCESS(Status)) { DbgPrint("ZwReadFile failed!status:0x%08x\n", Status); ZwClose(FileHandle); return false; } //取出导出表 PIMAGE_DOS_HEADER pDosHeader; PIMAGE_NT_HEADERS pNtHeaders; PIMAGE_SECTION_HEADER pSectionHeader; ULONG FileOffset; PIMAGE_EXPORT_DIRECTORY pExportDirectory; //DLL内存数据转成DOS头结构 pDosHeader = (PIMAGE_DOS_HEADER)pBuffer; //取出PE头结构 pNtHeaders = (PIMAGE_NT_HEADERS)((ULONG)pBuffer + pDosHeader->e_lfanew); //判断PE头导出表表是否为空 if (pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress == 0) { DbgPrint("VirtualAddress == 0"); return false; } //取出导出表偏移 FileOffset = pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; //取出节头结构 pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pNtHeaders + sizeof(IMAGE_NT_HEADERS)); PIMAGE_SECTION_HEADER pOldSectionHeader = pSectionHeader; //遍历节结构进行地址运算 for (WORD Index = 0; Index < pNtHeaders->FileHeader.NumberOfSections; Index++, pSectionHeader++) { if (pSectionHeader->VirtualAddress <= FileOffset && FileOffset <= pSectionHeader->VirtualAddress + pSectionHeader->SizeOfRawData) { FileOffset = FileOffset - pSectionHeader->VirtualAddress + pSectionHeader->PointerToRawData; } } //导出表地址 pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((ULONG)pBuffer + FileOffset); //取出导出表函数地址 PULONG AddressOfFunctions; FileOffset = pExportDirectory->AddressOfFunctions; //遍历节结构进行地址运算 pSectionHeader = pOldSectionHeader; for (WORD Index = 0; Index < pNtHeaders->FileHeader.NumberOfSections; Index++, pSectionHeader++) { if (pSectionHeader->VirtualAddress <= FileOffset && FileOffset <= pSectionHeader->VirtualAddress + pSectionHeader->SizeOfRawData) { FileOffset = FileOffset - pSectionHeader->VirtualAddress + pSectionHeader->PointerToRawData; } } AddressOfFunctions = (PULONG)((ULONG)pBuffer + FileOffset); //取出导出表函数名字 PUSHORT AddressOfNameOrdinals; FileOffset = pExportDirectory->AddressOfNameOrdinals; //遍历节结构进行地址运算 pSectionHeader = pOldSectionHeader; for (WORD Index = 0; Index < pNtHeaders->FileHeader.NumberOfSections; Index++, pSectionHeader++) { if (pSectionHeader->VirtualAddress <= FileOffset && FileOffset <= pSectionHeader->VirtualAddress + pSectionHeader->SizeOfRawData) { FileOffset = FileOffset - pSectionHeader->VirtualAddress + pSectionHeader->PointerToRawData; } } AddressOfNameOrdinals = (PUSHORT)((ULONG)pBuffer + FileOffset); //取出导出表函数序号 PULONG AddressOfNames; FileOffset = pExportDirectory->AddressOfNames; //遍历节结构进行地址运算 pSectionHeader = pOldSectionHeader; for (WORD Index = 0; Index < pNtHeaders->FileHeader.NumberOfSections; Index++, pSectionHeader++) { if (pSectionHeader->VirtualAddress <= FileOffset && FileOffset <= pSectionHeader->VirtualAddress + pSectionHeader->SizeOfRawData) { FileOffset = FileOffset - pSectionHeader->VirtualAddress + pSectionHeader->PointerToRawData; } } AddressOfNames = (PULONG)((ULONG)pBuffer + FileOffset); //分析导出表 ULONG uNameOffset; ULONG uOffset; LPSTR FunName; PVOID pFuncAddr; ULONG uServerIndex; ULONG uAddressOfNames; for (ULONG uIndex = 0; uIndex < pExportDirectory->NumberOfNames; uIndex++, AddressOfNames++, AddressOfNameOrdinals++) { uAddressOfNames = *AddressOfNames; pSectionHeader = pOldSectionHeader; for (WORD Index = 0; Index < pNtHeaders->FileHeader.NumberOfSections; Index++, pSectionHeader++) { if (pSectionHeader->VirtualAddress <= uAddressOfNames && uAddressOfNames <= pSectionHeader->VirtualAddress + pSectionHeader->SizeOfRawData) { uOffset = uAddressOfNames - pSectionHeader->VirtualAddress + pSectionHeader->PointerToRawData; } } FunName = (LPSTR)((ULONG)pBuffer + uOffset); if (FunName[0] == 'Z' && FunName[1] == 'w') { pSectionHeader = pOldSectionHeader; uOffset = (ULONG)AddressOfFunctions[*AddressOfNameOrdinals]; for (WORD Index = 0; Index < pNtHeaders->FileHeader.NumberOfSections; Index++, pSectionHeader++) { if (pSectionHeader->VirtualAddress <= uOffset&& uOffset <= pSectionHeader->VirtualAddress + pSectionHeader->SizeOfRawData) { uNameOffset = uOffset - pSectionHeader->VirtualAddress + pSectionHeader->PointerToRawData; } } pFuncAddr = (PVOID)((ULONG)pBuffer + uNameOffset); uServerIndex = *(PULONG)((ULONG)pFuncAddr + 1); FunName[0] = 'N'; FunName[1] = 't'; //KdPrint(("序列号为:%d,函数名为: %s\n", uServerIndex, FunName)); RtlCopyMemory(SSDT[uServerIndex].FunctionName,FunName,sizeof(char)*15); //保存函数名 SSDT[uServerIndex].KernelMouduleBase=OldImageBase; //保存内核模块基址 RtlCopyMemory(SSDT[uServerIndex].KernelMouduleName,NtosVersionNameA[NtosVersion],sizeof(char)*63); //保存内核模块名 } } ExFreePoolWithTag(pBuffer , (ULONG)"NTDLL"); ZwClose(FileHandle); return true;}void DriverUnload(PDRIVER_OBJECT pDriverObject){ if(IsGetSSDT) { ExFreePool(SSDT); } DbgPrint("Driver Unload...\n");}NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegsiterPath){ int i=0; pDriverObject->DriverUnload = DriverUnload; if(NT_SUCCESS(GetKernelModuleInfo())) //获取当前内核信息 { if(LoadKernel()) //加载内核 { if(GetSSDTName()) { for(int i=0;i<SSDTNumber;i++) { DbgPrint("序号:%d 当前地址:%08x 原始地址:%08x 函数名:%s 内核模块:%s 模块基址:%08x\n",SSDT[i].index,SSDT[i].CurrentAddress,SSDT[i].OriginalAddress,SSDT[i].FunctionName,SSDT[i].KernelMouduleName,SSDT[i].KernelMouduleBase); } } else { DbgPrint("GetSSDTName failed!\n"); } } else { DbgPrint("LoadKernel failed!\n"); } } else { DbgPrint("GetKernelModuleInfo failed!\n"); } DbgPrint("Driver Onload...\n"); return STATUS_SUCCESS;}


                    12楼2016-09-26 23:09
                    回复
                      必须要过掉 ZwOpenProcess ,NtReadProcessMemory,NtWriteProcessMemory这三个函数HOOK才能读写


                      13楼2016-09-26 23:16
                      回复
                        NTSTATUS DispatchRoutine( PDEVICE_OBJECT pdo, PIRP Irp){ NTSTATUS status; PIO_STACK_LOCATION pisl; ULONG cbin; ULONG cbout; ULONG code; ULONG info = 0; CHAR InputData[40] = {0}; PVOID OutBuffer ; PCHAR buffer; LONG len = 0, pid = 0, add = 0; status = STATUS_SUCCESS; pisl = IoGetCurrentIrpStackLocation(Irp);// pisl->DeviceObject->CurrentIrp->RequestorMode = 0; //得到输入缓冲区大小 cbin = pisl->Parameters.DeviceIoControl.InputBufferLength; //得到输出缓冲区大小 cbout = pisl->Parameters.DeviceIoControl.OutputBufferLength; //得到IOCTL码 code = pisl->Parameters.DeviceIoControl.IoControlCode; // DbgPrint("%d-%d-%d", IOCTL_SET_ADAPTOR_MAC, IOCTL_SET_DISK_SERIAL, code); switch (code) { // process request case IOCTL_READ: //只是测试,所以只弄了读内存的部分,写内存的看看教程自己加也不会难 { if (cbin == 12) { //PKTHREAD XXX = KeGetCurrentThread(); //*((char*)XXX + 0x140) = KernelMode; 这里修改PreviousMode,但是测试没有用 //KeSetPriorityThread(XXX, LOW_REALTIME_PRIORITY); //KeSetBasePriorityThread(XXX, LOW_REALTIME_PRIORITY); //DbgPrint("Mode = %d - %X", ExGetPreviousMode(), *((char*)XXX + 0x140)); RtlCopyMemory(&pid, (char*)pisl->Parameters.DeviceIoControl.Type3InputBuffer + 0, 4); RtlCopyMemory(&add, (char*)pisl->Parameters.DeviceIoControl.Type3InputBuffer + 4, 4); RtlCopyMemory(&len, (char*)pisl->Parameters.DeviceIoControl.Type3InputBuffer + 8, 4); DbgPrint("IOCTL_READ : %d - %08X -%d", pid, add, len); OutBuffer = Irp->UserBuffer; if (len<12) { buffer = (PVOID)ExAllocatePool(PagedPool, 12); } else { buffer = (PVOID)ExAllocatePool(PagedPool, len); } RtlCopyMemory(buffer, pisl->Parameters.DeviceIoControl.Type3InputBuffer,12); CreateThreadTest(buffer); //创建内核线程来读取内存 RtlCopyMemory(OutBuffer, buffer, len); ExFreePool(buffer); // test(pid); // *((char*)XXX + 0x140) = UserMode; //还原 PreviousMode } info = cbout; break; } } Irp->IoStatus.Status = status; Irp->IoStatus.Information = info; IoCompleteRequest(Irp, IO_NO_INCREMENT); return STATUS_SUCCESS;}


                        14楼2016-09-26 23:25
                        回复
                          #include "stdafx.h"
                          #include "Core.h"
                          #include "GameFun.h"
                          #include "Map.h"
                          #include "MemPatch.h"
                          #include <shlwapi.h>
                          #include <TLHELP32.H>
                          #include "publib.h"
                          #include "publib_m.h"
                          #ifdef _DEBUG
                          #define new DEBUG_NEW
                          #endif
                          //
                          //TODO: If this DLL is dynamically linked against the MFC DLLs,
                          // any functions exported from this DLL which call into
                          // MFC must have the AFX_MANAGE_STATE macro added at the
                          // very beginning of the function.
                          //
                          // For example:
                          //
                          // extern "C" BOOL PASCAL EXPORT ExportedFunction()
                          // {
                          // AFX_MANAGE_STATE(AfxGetStaticModuleState());
                          // // normal function body here
                          // }
                          //
                          // It is very important that this macro appear in each
                          // function, prior to any calls into MFC. This means that
                          // it must appear as the first statement within the
                          // function, even before any object variable declarations
                          // as their constructors may generate calls into the MFC
                          // DLL.
                          //
                          // Please see MFC Technical Notes 33 and 58 for additional
                          // details.
                          //
                          // CCoreApp
                          BEGIN_MESSAGE_MAP(CCoreApp, CWinApp)
                          END_MESSAGE_MAP()
                          int ConfusionPeHeader(LPCSTR lpszMoudleName);
                          BOOL HideMyMoudle(LPCSTR lpszMoudleName);
                          DWORD WINAPI HelpSelfProcess(LPVOID lpParameter);
                          int WINAPI HelpSelfProcess_g();
                          // CCoreApp construction
                          CCoreApp::CCoreApp()
                          {
                          // TODO: add construction code here,
                          // Place all significant initialization in InitInstance
                          }
                          extern DWORD GAME_ADDR_ROLE_BASE;
                          // The one and only CCoreApp object
                          CCoreApp theApp;
                          int roomst=0;
                          int attackspeed=0;
                          int pickspeed=0;
                          int attack=0;
                          //int isstop=0;
                          int bloodexit=0;//为1锁血。为0不锁
                          int bossAdd=0;//为1boss房加攻击。为0不加
                          int monstAdd=0;//为1普通怪房加攻击。为0不加
                          int isdisconnect=0; //是否断线
                          int isMail;//为1开启邮寄 为0不开启
                          int mailMoney;//保留身上有多少钱
                          char mailName[80];//收件人名字
                          char mailNr[80];//邮寄内容
                          int isWzjb;//是否只进王者级别地图 1是 0不是
                          DWORD WINAPI LockBloodProc(
                          LPVOID lpParameter
                          )
                          {
                          CGameFun g;
                          while (1)
                          {
                          if (bloodexit)
                          {
                          //OutputDebugString("锁血");
                          g.LockBlood();
                          }
                          else
                          {
                          //OutputDebugString("停止锁血");
                          }
                          Sleep(50);
                          }
                          return 1;
                          }
                          DWORD WINAPI SellGoodsProc(
                          LPVOID lpParameter
                          )
                          {
                          CGameFun g;
                          g.SellAllGoods();
                          return 1;
                          }
                          DWORD WINAPI EditAttackProc1(
                          LPVOID lpParameter
                          )
                          {
                          int i=0;
                          CGameFun g;


                          15楼2016-09-27 21:11
                          回复
                            表示看不懂


                            IP属地:陕西来自Android客户端16楼2016-09-27 21:11
                            回复