#include "ntddk.h"
ULONG64 fc_DbgkGetAdrress(PUNICODE_STRING64 funcstr){
UNICODE_STRING64 usFuncName;
RtlInitUnicodeString(&usFuncName, funcstr);
return MmGetSystemRoutineAddress(&usFuncName);
}
/**
#include "KernelStruct.h"
#include "ntimage.h"
void ZwFlushInstructionCache();
VOID NTAPI DbgkpWakeTarget(IN PDEBUG_EVENT DebugEvent);
NTKERNELAPI
VOID
KeStackAttachProcess(
__inout PEPROCESS PROCESS,
__out PKAPC_STATE ApcState
);
NTKERNELAPI
VOID
KeUnstackDetachProcess(
__in PKAPC_STATE ApcState
);
typedef VOID (__fastcall* KiCheckForKernelApcDelivery1)();
#define ProbeForWriteGenericType(Ptr, Type) \
do { \
if ((ULONG_PTR)(Ptr) + sizeof(Type) - 1 < (ULONG_PTR)(Ptr) || \
(ULONG_PTR)(Ptr) + sizeof(Type) - 1 >= (ULONG_PTR)MmUserProbeAddress) { \
ExRaiseAccessViolation(); \
} \
*(volatile Type *)(Ptr) = *(volatile Type *)(Ptr); \
} while (0)
#define ProbeForWriteHandle(Ptr) ProbeForWriteGenericType(Ptr, HANDLE)
#define PspSetProcessFlag(Flags, Flag) \
RtlInterlockedSetBitsDiscardReturn (Flags, Flag)
extern ProbeWrite(ULONG64 PTR);
typedef LONG(*EXSYSTEMEXCEPTIONFILTER)(VOID);
VOID ExfReleasePushLockShared(PEX_PUSH_LOCK PushLock);
VOID ExfAcquirePushLockShared(PEX_PUSH_LOCK PushLock);
NTSTATUS
NTAPI
DbgkpSendApiMessage(IN OUT PDBGKM_MSG ApiMsg,
IN ULONG SuspendProcess);
typedef NTSTATUS
(__fastcall*
proxyDbgkpSendApiMessage)(IN OUT PDBGKM_MSG ApiMsg,
IN ULONG SuspendProcess);
NTSTATUS
SeLocateProcessImageName(
_Inout_ PEPROCESS Process,
_Outptr_ PUNICODE_STRING *pImageFileName
);
#define EX_PUSH_LOCK_SHARE_INC ((ULONG_PTR)0x10)
#define EX_PUSH_LOCK_PTR_BITS ((ULONG_PTR)0xf)
#define EX_PUSH_LOCK_LOCK ((ULONG_PTR)0x1)
#define DBGKP_FIELD_FROM_IMAGE_OPTIONAL_HEADER(hdrs,field) \
((hdrs)->OptionalHeader.##field)
PVOID
ObFastReferenceObjectLocked(
IN PEX_FAST_REF FastRef
);
VOID
ObFastDereferenceObject(
IN PEX_FAST_REF FastRef,
IN PVOID Object
);
NTSTATUS
PsReferenceProcessFilePointer(
IN PEPROCESS Process,
OUT PVOID *OutFileObject
);
VOID
ExAcquirePushLockShared(
IN PEX_PUSH_LOCK PushLock
)
{
if (InterlockedCompareExchangePointer(&PushLock->Ptr,
(PVOID)(EX_PUSH_LOCK_SHARE_INC | EX_PUSH_LOCK_LOCK),
NULL) != NULL) {
ExfAcquirePushLockShared(PushLock);
}
}
VOID
ExReleasePushLockShared(
IN PEX_PUSH_LOCK PushLock
)
{
EX_PUSH_LOCK OldValue, NewValue;
OldValue.Value = EX_PUSH_LOCK_SHARE_INC | EX_PUSH_LOCK_LOCK;
NewValue.Value = 0;
if (InterlockedCompareExchangePointer(&PushLock->Ptr,
NewValue.Ptr,
OldValue.Ptr) != OldValue.Ptr) {
ExfReleasePushLockShared(PushLock);
}
}
VOID
KeEnterCriticalRegionThread(
PKTHREAD Thread
)
{
Thread->KernelApcDisable -= 1;
return;
}
typedef NTSTATUS
(*OBINSERTOBJECT)(
__in PVOID Object,
__inout_opt PACCESS_STATE PassedAccessState,
__in_opt ACCESS_MASK DesiredAccess,
__in ULONG ObjectPointerBias,
__out_opt PVOID *NewObject,
__out_opt PHANDLE Handle
);
typedef NTSTATUS(__stdcall *OBCREATEOBJECT)(
__in KPROCESSOR_MODE ProbeMode,
__in POBJECT_TYPE ObjectType,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in KPROCESSOR_MODE OwnershipMode,
__inout_opt PVOID ParseContext,
__in ULONG ObjectBodySize,
__in ULONG PagedPoolCharge,
__in ULONG NonPagedPoolCharge,
__out PVOID *Object
);
typedef NTSTATUS
(*OBOPENOBJECTBYPOINTER)(
__in PVOID Object,
__in ULONG HandleAttributes,
__in_opt PACCESS_STATE PassedAccessState,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_TYPE ObjectType,
__in KPROCESSOR_MODE AccessMode,
__out PHANDLE Handle
);
typedef NTSTATUS
(*ObDuplicateObject1)(
IN PEPROCESS_S SourceProcess,
IN HANDLE SourceHandle,
IN PEPROCESS_S TargetProcess OPTIONAL,
OUT PHANDLE TargetHandle OPTIONAL,
IN ACCESS_MASK DesiredAccess,
IN ULONG HandleAttributes,
IN ULONG Options,
IN KPROCESSOR_MODE PreviousMode
);
typedef NTSTATUS(__fastcall *PsGetNextProcessThreadx)(PEPROCESS_S process,PKTHREAD THREAD);
typedef NTSTATUS(__fastcall *DbgkpPostModuleMessagesx)(PEPROCESS_S process, PKTHREAD THREAD,PDEBUG_OBJECT debug);
typedef NTSTATUS(__fastcall *KeThawAllThreadsx)();
typedef NTSTATUS(__fastcall *PsResumeThreadx)(IN PETHREAD Thread, OUT PULONG PreviousSuspendCount OPTIONAL);
typedef NTSTATUS(__fastcall *PsSuspendThreadx)(IN PETHREAD Thread, OUT PULONG PreviousSuspendCount OPTIONAL);
typedef NTSTATUS(__fastcall *MmGetFileNameForSectionx)(IN PVOID Thread, OUT POBJECT_NAME_INFORMATION FileName OPTIONAL);
typedef NTSTATUS(__fastcall *PsTerminateProcessx)(IN PEPROCESS_S Process, NTSTATUS STATUS);
//proxyDbgkpSendApiMessage DbgkpSendApiMessage;
typedef NTSTATUS(__fastcall *PsGetNextProcessx)(POBJECT_TYPE object);
typedef NTSTATUS(__fastcall *LpcRequestWaitReplyPortExx)(PVOID64 port, PPORT_MESSAGE Message, PPORT_MESSAGE Buffer);
typedef
NTSTATUS
(__fastcall* DbgkpPostFakeThreadMessagesx)(IN PEPROCESS_S Process,
IN ULONG64 DebugObject,
IN PETHREAD StartThread,
OUT PETHREAD *FirstThread,
OUT PETHREAD *LastThread);
typedef NTSTATUS(__fastcall *KeFreezeAllThreadsx)();
ULONG64 __fastcall RtlImageNtHeader(PVOID64 ad);
LpcRequestWaitReplyPortExx LpcRequestWaitReplyPortEx;
PsGetNextProcessx PsGetNextProcess;
PsTerminateProcessx PsTerminateProcess;
MmGetFileNameForSectionx MmGetFileNameForSection;
KeThawAllThreadsx KeThawAllThreads;
PsGetNextProcessThreadx PsGetNextProcessThread;
DbgkpPostModuleMessagesx DbgkpPostModuleMessages;
EXSYSTEMEXCEPTIONFILTER ExSystemExceptionFilter;
OBINSERTOBJECT ObInsertObject;
OBCREATEOBJECT ObCreateObject;
OBOPENOBJECTBYPOINTER ObOpenObjectByPointer;
PsResumeThreadx PsResumeThread;
PsSuspendThreadx PsSuspendThread;
FAST_MUTEX DbgkFastMutex;
ULONG64 DbgkpProcessDebugPortMutex;
ObDuplicateObject1 ObDuplicateObject;
KiCheckForKernelApcDelivery1 KiCheckForKernelApcDelivery12;
POBJECT_TYPE_S DbgkDebugObjectType;
POBJECT_TYPE_S NewDbgObject;
POBJECT_TYPE_S *ObTypeIndexTable = 0;
ULONG64 *PspSystemDlls;
ULONG64 PspNotifyEnableMask;
DbgkpPostFakeThreadMessagesx DbgkpPostFakeThreadMessages;
KeFreezeAllThreadsx KeFreezeAllThreads;
VOID
NTAPI
DbgkpDeleteObject(IN PVOID DebugObject)
{
PAGED_CODE();
ASSERT(IsListEmpty(&((PDEBUG_OBJECT)DebugObject)->EventList));
}
VOID
__fastcall
DbgkpCloseObject(IN PEPROCESS OwnerProcess OPTIONAL,
IN PVOID ObjectBody,
IN ACCESS_MASK GrantedAccess,
IN ULONG HandleCount,
IN ULONG SystemHandleCount)
{
PDEBUG_OBJECT DebugObject = ObjectBody;
PEPROCESS_S Process = NULL;
BOOLEAN DebugPortCleared = FALSE;
PLIST_ENTRY DebugEventList;
PDEBUG_EVENT DebugEvent;
PAGED_CODE();
if (SystemHandleCount > 1) return;
ExAcquireFastMutex(&DebugObject->Mutex);
DebugObject->DebuggerInactive = TRUE;
DebugEventList = DebugObject->EventList.Flink;
InitializeListHead(&DebugObject->EventList);
ExReleaseFastMutex(&DebugObject->Mutex);
KeSetEvent(&DebugObject->EventsPresent, IO_NO_INCREMENT, FALSE);
while ((Process = PsGetNextProcess(Process)))
{
if (Process->Pcb.newdbgport == DebugObject)
{
ExAcquireFastMutex(&DbgkFastMutex);
if (Process->Pcb.newdbgport == DebugObject)
{
Process->Pcb.newdbgport = NULL;
DebugPortCleared = TRUE;
}
ExReleaseFastMutex(&DbgkFastMutex);
if (DebugPortCleared)
{
//DbgkpMarkProcessPeb(Process);
if (DebugObject->KillProcessOnExit)
{
PsTerminateProcess(Process, STATUS_DEBUGGER_INACTIVE);
}
ObDereferenceObject(DebugObject);
}
}
}
while (DebugEventList != &DebugObject->EventList)
{
DebugEvent = CONTAINING_RECORD(DebugEventList, DEBUG_EVENT, EventList);
DebugEventList
VT过游戏保护,调试有保护的游戏
4星 · 超过85%的资源 需积分: 42 38 浏览量
2017-01-25
12:45:50
上传
评论 6
收藏 902KB ZIP 举报 
VT过游戏保护,调试有保护的游戏 (208个子文件) 
dpg.asm 5KB Syscall.asm 4KB common-asm.asm 3KB VMXa.asm 2KB vmx-asm.asm 2KB SwapContext.asm 2KB regs.asm 1KB dbgfunc.asm 1KB WindowKrnlHwbreak.asm 1KB dbgkm.asm 14B dbgk.c 75KB dbgk1to2.c 73KB AntiAntiDebugALL.c 54KB Driver.c 30KB VMX.c 27KB VmxExitHandlers.c 24KB ProtectWindow.c 22KB LDasm.c 21KB snprintf.c 15KB EPT.c 14KB vmxdebug.c 13KB PageHook.c 12KB Utils.c 10KB R3EptHieMemPage.c 10KB HOOKfunctions.c 10KB initMiniHook.c 7KB DisablePG.c 6KB syscalhook.c 5KB hvm.c 5KB mem.c 4KB DRRWE.c 4KB SyscallHook.c 4KB initSsdtInlineHook.c 4KB common.c 4KB common.c 4KB HVM.c 3KB ActiveProcessDbgList.c 3KB Tests.c 3KB DbgIsMyProcess.c 2KB DBGTOOL.c 2KB AntiHookSwapContext.c 2KB newbp.c 931B EptHideDebugPort.c 18B VT_demo Package.vcxprojResolveAssemblyReference.cache 655B VT_demo.vcxproj.filters 7KB VT_demo Package.vcxproj.filters 361B KernelStruct.h 124KB LDE64x6412.h 77KB dbgk.h 18KB VMX.h 15KB amd64.h 14KB Native.h 13KB PE.h 11KB CPU.h 10KB gobalConter.h 10KB vmx.h 7KB VMCS.h 7KB eptcomm.h 6KB EPT.h 6KB vmcs.h 5KB Common.h 5KB ept.h 5KB EptHeader.h 4KB common.h 4KB VMProtectDDK.h 3KB Txoo.h 3KB VmxEvent.h 2KB Utils.h 2KB PageHook.h 2KB mem.h 1KB DRRWE.h 1KB hvm.h 1KB LDasm.h 795B SyscallHook.h 765B ActiveProcessDbgList.h 583B regs.h 571B dbgtool.h 504B HVM.h 478B driver.h 275B snprintf.h 252B R3EptHideMem.h 186B vstruct.h 174B Tests.h 163B VMMprocessList.h 150B VT_demo.inf 410B VT_demo.inf 410B VT_demo.inf 408B VT_demo.inf 406B VT_demo.inf 406B VT_demo.inf 389B VT_demo.lastbuildstate 222B VT_demo.lastbuildstate 188B VT_demo.lastbuildstate 186B VT_demo.lastbuildstate 186B VT_demo.lastbuildstate 184B VMProtectDDK32.lib 8KB VMProtectDDK64.lib 7KB VT_demo.log 135KB VT_demo.log 79KB VT_demo.log 7KB共 208 条
- 1
- 2
- 3
资源评论
shonker2018-10-07用不来 太强大 不懂- jxd78452962018-08-31除了源码啥说明都没有 差评
- viaboot2018-08-12用不来 太强大 不懂
jiandong34712017-10-11我去,这玩意就是看雪上发过的啊,我特么以为是新搞的什么东西
Sniper_quay2017-01-25太强了 很好用 膜拜下
