KingDriver.rar

#include "func.h" #include <ntimage.h> #define PROCESS_ALL_ACCESS_THREAD (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | THREAD_ALL_ACCESS|0xFFFF) //全局进程对象 PEPROCESS global_peprocess = NULL; PEPROCESS global_peprocess2 = NULL; // char GAME_NAME[128] = "DNF.exe"; char DEBUG_NAME[128] = "TestMain.exe"; /* 防止TP使用NtRemoveProcessDebug函数清空调试端口 */ NTSTATUS My_NtRemoveProcessDebug(IN HANDLE ProcessHandle, IN HANDLE DebugHandle) { return STATUS_SUCCESS; } /************************************************************************ 函数名称：PassValidAccessMask 函数功能：修改ValidAccessMask值为0x1F000F 思路：解决调试权限清零 dt _OBJECT_TYPE_INITIALIZER fffffa80`03cdd380+40 eq fffffa8003cdd380+40+0x1c 00000000 为0后无法附加 ************************************************************************/ PVOID pNtCreateDebugObject; PVOID pDbgkDebugObject; PVOID pDebugObject; PVOID pValidMask; PVOID pTargetAddr; VOID PassValidAccessMask() { ////win7下恢复调试权限，win10会蓝屏所以注释掉了 //PUCHAR StartSearchAddress = (PUCHAR)GetSSDTFunctionAddress(144); //pNtCreateDebugObject = (PVOID)GetSSDTFunctionAddress(144); ////DbgPrint("pNtCreateDebugObject:%p\n", pNtCreateDebugObject); //pTargetAddr = (PVOID)(((ULONG64)pNtCreateDebugObject) + 0x7c); ////DbgPrint("pTargetAddr:%p\n", pTargetAddr); //PUCHAR EndSearchAddress = StartSearchAddress + 0x100; //PUCHAR i = 0; //UCHAR b1 = 0, b2 = 0, b3 = 0; //LONG temp = 0; //LONGLONG addr = 0; //for (i = StartSearchAddress; i < EndSearchAddress; i++) //{ // if (MmIsAddressValid(i) && MmIsAddressValid(i + 1) && MmIsAddressValid(i + 2)) // { // b1 = *i; // b2 = *(i + 1); // b3 = *(i + 2); // if (b1 == 0x48 && b2 == 0x8b && b3 == 0x15) // { // memcpy_s(&temp, 4, i + 3, 4); // addr = (LONGLONG)temp + (LONGLONG)i + 7; // //DbgPrint("ValidAccessMask未修改:%llx\n", *(ULONG *)((*(ULONGLONG *)addr) + 0x40 + 0x1C)); // *(ULONG *)((*(ULONGLONG *)addr) + 0x40 + 0x1C) = 0x1f000f; // //DbgPrint("ValidAccessMask修改后:%llx\n", *(ULONG *)((*(ULONGLONG *)addr) + 0x40 + 0x1C)); // } // } //} _disable(); //如果存在我的调试器 __try { if (MmIsAddressValid(global_peprocess)) { if (global_peprocess != NULL) { //恢复进程打开的句柄权限 RestoreObjectAccess(global_peprocess); } } else { global_peprocess = NULL; } } __except (EXCEPTION_EXECUTE_HANDLER){} //这个是恢复游戏进程句柄权限 //if (MmIsAddressValid(global_peprocess2)) //{ // if (global_peprocess2 != NULL) // { // //恢复进程打开的句柄权限 // RestoreObjectAccess2(global_peprocess2); // } //} //else //{ // global_peprocess2 = NULL; //} _enable(); } /************************************************************************ 函数名称：TimerRoutine 函数功能：全局调试对象权限的计时器 500ms一次 ************************************************************************/ KTIMER Timer = { 0 }; // 用于全局调试对象权限的计时器 KDPC myDpc = { 0 }; // 用于全局调试对象权限的计时器 VOID TimerRoutine( _In_ struct _KDPC *Dpc, _In_opt_ PVOID DeferredContext, _In_opt_ PVOID SystemArgument1, _In_opt_ PVOID SystemArgument2 ) { LARGE_INTEGER lTime = { 0 }; ULONG ulMicroSecond = 0; //将定时器的时间设置为500ms ulMicroSecond = 5000; //将32位整数转化成64位整数 lTime = RtlConvertLongToLargeInteger(-10 * ulMicroSecond); PassValidAccessMask(); //ViewHandle(); KeSetTimer(&Timer, lTime, &myDpc); } /************************************************************************ 函数名称：SetDPCTimerForDbgAccess 函数功能：设置定时器 ************************************************************************/ VOID SetDPCTimerForDbgAccess() { BOOLEAN bTimerStart = FALSE; // DPC定时器是否开启标志 LARGE_INTEGER lTime = { 0 }; ULONG ulMicroSecond = 0; // 初始化定时器 KeInitializeTimer(&Timer); // 初始化DPC KeInitializeDpc(&myDpc, TimerRoutine, NULL); // 开始定时器 //将定时器的时间设置为500ms ulMicroSecond = 5000; //将32位整数转化成64位整数 lTime = RtlConvertLongToLargeInteger(-10 * ulMicroSecond); bTimerStart = KeSetTimer(&Timer, lTime, &myDpc); if (bTimerStart) { DbgPrint("定时器开启成功...\n"); } } VOID CancelTimer() { global_peprocess = NULL; global_peprocess2 = NULL; //取消DPC定时器 KeCancelTimer(&Timer);//取消定时器 } PVOID GetDriverEntryByImageBase(PVOID ImageBase) { PIMAGE_DOS_HEADER pDOSHeader; PIMAGE_NT_HEADERS64 pNTHeader; PVOID pEntryPoint; pDOSHeader = (PIMAGE_DOS_HEADER)ImageBase; pNTHeader = (PIMAGE_NT_HEADERS64)((ULONG64)ImageBase + pDOSHeader->e_lfanew); pEntryPoint = (PVOID)((ULONG64)ImageBase + pNTHeader->OptionalHeader.AddressOfEntryPoint); return pEntryPoint; } VOID UnicodeToChar(PUNICODE_STRING dst, char *src) { ANSI_STRING string; RtlUnicodeStringToAnsiString(&string, dst, TRUE); strcpy(src, string.Buffer); RtlFreeAnsiString(&string); } BOOLEAN VxkCopyMemory(PVOID pDestination, PVOID pSourceAddress, SIZE_T SizeOfCopy) { PMDL pMdl = NULL; PVOID pSafeAddress = NULL; pMdl = IoAllocateMdl(pSourceAddress, (ULONG)SizeOfCopy, FALSE, FALSE, NULL); if (!pMdl) return FALSE; __try { MmProbeAndLockPages(pMdl, KernelMode, IoReadAccess); } __except (EXCEPTION_EXECUTE_HANDLER) { IoFreeMdl(pMdl); return FALSE; } pSafeAddress = MmGetSystemAddressForMdlSafe(pMdl, NormalPagePriority); if (!pSafeAddress) return FALSE; KIRQL irql = WPOFFx64(); RtlCopyMemory(pDestination, pSafeAddress, SizeOfCopy); WPONx64(irql); MmUnlockPages(pMdl); IoFreeMdl(pMdl); return TRUE; } void DenyLoadDriver(PVOID DriverEntry) { UCHAR fuck[] = "\xB8\x22\x00\x00\xC0\xC3"; VxkCopyMemory(DriverEntry, fuck, sizeof(fuck)); } /************************************************************************ 函数名称：LoadImageNotifyRoutine 函数功能：模块加载回调通知 ************************************************************************/ VOID LoadImageNotifyRoutine ( __in_opt PUNICODE_STRING FullImageName, __in HANDLE ProcessId, __in PIMAGE_INFO ImageInfo ) { PVOID pDrvEntry; char szFullImageName[260] = { 0 }; if (FullImageName != NULL && MmIsAddressValid(FullImageName)) { if (ProcessId == 0) { DbgPrint("[LoadImageNotifyX64]%wZ\n", FullImageName); pDrvEntry = GetDriverEntryByImageBase(ImageInfo->ImageBase); DbgPrint("[LoadImageNotifyX64]DriverEntry: %p\n", pDrvEntry); UnicodeToChar(FullImageName, szFullImageName); if (strstr(_strlwr(szFullImageName), "tesxnginx.sys")) { DbgPrint("Deny load [tesxnginx.SYS]"); //禁止加载tesxnginx.sys DenyLoadDriver(pDrvEntry); } } } } BOOLEAN IsProtectedProcessName(PEPROCESS eprocess) { char *Name = PsGetProcessImageFileName(eprocess); if (!_stricmp(GAME_NAME, Name)) return TRUE; else return FALSE; } BOOLEAN IsDebugProcessName(PEPROCESS eprocess) { char *Name = PsGetProcessImageFileName(eprocess); if (!_stricmp(DEBUG_NAME, Name)) return TRUE; else return FALSE; } PSPTERMINATETHREADBYPOINTER PspTerminateThreadByPointer = NULL; VOID CreateThreadNotify( IN HANDLE ProcessId, IN HANDLE ThreadId, IN BOOLEAN Create) { PEPROCESS Process = NULL; PETHREAD Thread = NULL; UCHAR *pszImageName = NULL; NTSTATUS status; UCHAR *pWin32Address = NULL; //KdBreakPoint(); status = PsLookupProcessByProcessId(ProcessId, &Process);//1.通过进程ID,获取EPROCESS if (!NT_SUCCESS(status)) return; status = PsLookupThreadByThreadId(ThreadId, &Thread);//2.通过线程ID,获取ETHREAD pszImageName = PsGetProcessImageFileName(Process);//3.通过EPROCESS获取进程名 ULONG32 callcode = 0; ULONG64 AddressOfPspTTBP = 0, AddressOfPsTST = 0, i = 0; if (PspTerminateThreadByPointer == NULL) { AddressOfPsTST = (ULONG64)GetFunctionAddr(L"PsTerminateSystemThread"); if (AddressOfPsTST == 0) return STATUS_UNSUCCESSFUL; for (i