- /***************************************************************************************
- * AUTHOR : pudge
- * DATE : 2012-9-8
- * MODULE : PassKddisabledebugger.C
- *
- * Command:
- * Source of IOCTRL Sample Driver
- *
- * Description:
- * Demonstrates communications between USER and KERNEL.
- *
- ****************************************************************************************
- * Copyright (C) 2010 pudge.
- ****************************************************************************************/
- //#######################################################################################
- //# I N C L U D E S
- //#######################################################################################
- #ifndef CXX_PASSKDDISABLEDEBUGGER_H
- #include "PassKddisabledebugger.h"
- #endif
- #include <ntddk.h>
- #include "function.h"
- #include "myfunc.h"
/* Image-load callback: registered in DriverEntry with
 * PsSetLoadImageNotifyRoutine, removed again in DriverUnload, defined at
 * the bottom of this file. */
VOID LoadImageRoutine(
    __in_opt PUNICODE_STRING FullImageName,
    __in HANDLE ProcessId,
    __in PIMAGE_INFO ImageInfo
    );
/* Declared but never referenced in this file; presumably implemented in
 * function.h / myfunc.h — verify before removing. */
void SearchFeatureEx(int nAddr,char* pFeature,int ModuleSize,int nLeng);
void PassGlobalStaticCrcEx();
DWORD NTAPI MyVectoredExceptionHead(EXCEPTION_POINTERS * ExceptionInfo);
/* Not used anywhere in this file. */
ULONG fuckaddr1;
/* Not used anywhere in this file. */
DWORD pShutdown[10000]={0};
/* 1282048 == 0x139000 bytes, the fixed size LoadImageRoutine passes to
 * IoAllocateMdl and UnInLineHookEngine: backing store for the copy it makes
 * of the loaded TesSafe.sys image. Static storage inside the driver image. */
BYTE _pMirror[1282048]={0};
/* Integer alias of _pMirror's address, used by the naked stub and for the
 * offset arithmetic in LoadImageRoutine. NOTE(review): DWORD truncates a
 * pointer on 64-bit builds; this only works for an x86 build (the __asm stub
 * below is x86-only anyway). */
DWORD pMirror=(DWORD)_pMirror;
/* Base address of TesSafe.sys, taken from ImageInfo->ImageBase in
 * LoadImageRoutine; stays 0 until that image has been seen. */
DWORD TesSafeBase=0;
/* Original first 5 bytes of KdDisableDebugger, captured in LoadImageRoutine
 * before the inline hook is written and written back by DriverUnload.
 * All zero until the hook has been installed. */
BYTE mKdDisableDebugger[5]={0};
/* Resume address the stub jumps to (KdDisableDebugger + 7, set in
 * LoadImageRoutine); 0 until the hook has been installed. */
DWORD kdRet=0;
/* Not used anywhere in this file. */
int n=0;
/* Driver object saved by DriverEntry; not read elsewhere in this file. */
PDRIVER_OBJECT g_pObj=NULL;
- //////////////////////////////////////////////////////////////////////////
- //#######################################################################################
- //@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
- //@@@@@@@@ D R I V E R E N T R Y P O I N T @@@@@@@@
- //@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
- //#######################################################################################
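/*
 * DriverEntry - create the control device and its symbolic link, fill in the
 * dispatch table and register the image-load callback.
 *
 * pDriverObj      : driver object supplied by the I/O manager.
 * pRegistryString : registry path of the service key (only logged).
 *
 * Returns STATUS_SUCCESS, or the failing NTSTATUS from IoCreateDevice,
 * IoCreateSymbolicLink or PsSetLoadImageNotifyRoutine. On any failure every
 * object created so far is deleted again, because DriverUnload is not invoked
 * for a driver whose DriverEntry failed.
 */
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString)
{
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING ustrLinkName;
    UNICODE_STRING ustrDevName;
    PDEVICE_OBJECT pDevObj = NULL;

    g_pObj = pDriverObj;
    dprintf("EasySys Sample Driver\r\n"
            "Compiled %s %s\r\nIn DriverEntry : %wZ\r\n",
            __DATE__, __TIME__, pRegistryString);

    /* Dispatch routines. Major functions not set here keep the I/O
     * manager's default handler. */
    pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;
    pDriverObj->DriverUnload = DriverUnload;

    RtlInitUnicodeString(&ustrDevName, NT_DEVICE_NAME);
    status = IoCreateDevice(pDriverObj,
                            0,
                            &ustrDevName,
                            FILE_DEVICE_UNKNOWN,
                            0,
                            FALSE,
                            &pDevObj);
    if (!NT_SUCCESS(status))
    {
        dprintf("Error, IoCreateDevice = 0x%x\r\n", status);
        return status;
    }

    /* Symbolic link so user-mode code can open the device. On systems that
     * support per-user (session-relative) symbolic links the global form is
     * used; otherwise the plain name. NOTE(review): DriverUnload must delete
     * the link under the same name — keep the two selections in sync. */
    if (IoIsWdmVersionAvailable(1, 0x10))
    {
        RtlInitUnicodeString(&ustrLinkName, SYMBOLIC_LINK_GLOBAL_NAME);
    }
    else
    {
        RtlInitUnicodeString(&ustrLinkName, SYMBOLIC_LINK_NAME);
    }
    status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
    if (!NT_SUCCESS(status))
    {
        dprintf("Error, IoCreateSymbolicLink = 0x%x\r\n", status);
        IoDeleteDevice(pDevObj);
        return status;
    }

    /* Image-load callback. The original code ignored the return value, which
     * would leave the device and link in place without the callback and make
     * DriverUnload remove a routine that was never registered. */
    status = PsSetLoadImageNotifyRoutine(LoadImageRoutine);
    if (!NT_SUCCESS(status))
    {
        dprintf("Error, PsSetLoadImageNotifyRoutine = 0x%x\r\n", status);
        IoDeleteSymbolicLink(&ustrLinkName);
        IoDeleteDevice(pDevObj);
        return status;
    }

    dprintf("DriverEntry Success\r\n");
    DbgPrint("DriverEntry Success\r\n");
    return STATUS_SUCCESS;
}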
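/*
 * DriverUnload - undo what DriverEntry and LoadImageRoutine set up: revert the
 * KdDisableDebugger patch (only if it was installed), unregister the image-load
 * callback, delete the symbolic link and the device object.
 *
 * pDriverObj : the driver object that was passed to DriverEntry.
 */
VOID
DriverUnload(IN PDRIVER_OBJECT pDriverObj)
{
    UNICODE_STRING strLink;

    dprintf("Unloading...\r\n");
    DbgPrint("Unloading...\r\n");

    /* mKdDisableDebugger only holds the saved bytes once LoadImageRoutine has
     * installed the hook (it sets kdRet at the same time). UnInLineHookEngine
     * appears to copy its second argument over its first (see its other uses),
     * so restoring unconditionally, as the original did, would write five zero
     * bytes over KdDisableDebugger when the hook was never installed. */
    if (kdRet != 0)
    {
        UnInLineHookEngine((int)KdDisableDebugger, (char *)mKdDisableDebugger, 5);
    }
    PsRemoveLoadImageNotifyRoutine(LoadImageRoutine);
    DbgPrint("unNotifyRoutine is OK");

    /* Delete the link under the same name DriverEntry created it with. The
     * original always used SYMBOLIC_LINK_NAME and so left the global link
     * behind on systems where DriverEntry had chosen the global form. */
    if (IoIsWdmVersionAvailable(1, 0x10))
    {
        RtlInitUnicodeString(&strLink, SYMBOLIC_LINK_GLOBAL_NAME);
    }
    else
    {
        RtlInitUnicodeString(&strLink, SYMBOLIC_LINK_NAME);
    }
    IoDeleteSymbolicLink(&strLink);

    IoDeleteDevice(pDriverObj->DeviceObject);
    dprintf("Unloaded Success\r\n");
    DbgPrint("Unloaded Success\r\n");
}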
/* IRP_MJ_CREATE handler: every open of the control device is accepted. */
NTSTATUS
DispatchCreate(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    PIO_STATUS_BLOCK ioStatus = &pIrp->IoStatus;

    UNREFERENCED_PARAMETER(pDevObj);

    ioStatus->Information = 0;
    ioStatus->Status = STATUS_SUCCESS;
    /* The IRP must not be touched after it has been completed. */
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
/* IRP_MJ_CLOSE handler: completes the request with success and no data. */
NTSTATUS
DispatchClose(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    const NTSTATUS result = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(pDevObj);

    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = result;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return result;
}
/* Generic success handler; not wired into the dispatch table by DriverEntry
 * (the loop that would do so is commented out there). */
NTSTATUS
DispatchCommon(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDevObj);

    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(pIrp, 0);   /* 0 == IO_NO_INCREMENT */
    return STATUS_SUCCESS;
}
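/* TRUE when a terminating L'\0' lies within the first cchMax wide characters
 * at buf, i.e. when buf can safely be printed with %ws. */
static BOOLEAN
IsWideStringTerminated(const WCHAR *buf, ULONG cchMax)
{
    ULONG i;
    for (i = 0; i < cchMax; i++)
    {
        if (buf[i] == L'\0')
        {
            return TRUE;
        }
    }
    return FALSE;
}

/*
 * DispatchDeviceControl - IRP_MJ_DEVICE_CONTROL handler (METHOD_BUFFERED).
 *
 * pDevObj : control device (unused).
 * pIrp    : the request. pIoBuffer is the shared system buffer: it holds the
 *           caller's input on entry and receives the output on return.
 *
 * Returns the NTSTATUS that is also stored in the IRP. IoStatus.Information is
 * set to the number of output bytes this routine actually wrote, never to the
 * caller's buffer size: for METHOD_BUFFERED the I/O manager copies that many
 * bytes of the system buffer back to user mode, so reporting uOutSize (as the
 * original did on every success path) could hand the caller bytes this routine
 * never initialised.
 */
NTSTATUS
DispatchDeviceControl(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
    PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
    ULONG uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
    PVOID pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
    ULONG uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
    ULONG_PTR bytesWritten = 0;   /* reported in IoStatus.Information */

    UNREFERENCED_PARAMETER(pDevObj);

    switch (uIoControlCode)
    {
    case IOCTL_HELLO_WORLD:
        /* The original format string had its argument inside the quotes
         * ("...%d\r\n,MY_CTL_CODE"), so dprintf consumed a vararg that was
         * never passed. */
        dprintf("IOCTL_HELLO_WORLD=0x%X\r\n", uIoControlCode);
        status = STATUS_SUCCESS;
        break;

    case IOCTRL_REC_FROM_APP:
        /* The buffer comes straight from user mode. Only print it as a wide
         * string when a terminator lies inside the declared length; otherwise
         * %ws would read beyond the system buffer. */
        if (uInSize > 0 && pIoBuffer != NULL &&
            IsWideStringTerminated((const WCHAR *)pIoBuffer, uInSize / sizeof(WCHAR)))
        {
            dprintf("Get Data from App: %ws\r\n", pIoBuffer);
        }
        else if (uInSize > 0)
        {
            dprintf("Get Data from App: %lu bytes, not NUL-terminated\r\n", uInSize);
        }
        status = STATUS_SUCCESS;
        break;

    case IOCTRL_SEND_TO_APP:
    {
        size_t cbData = strlen(DATA_TO_APP) + 1;   /* including the terminator */
        if (pIoBuffer != NULL && uOutSize >= cbData)
        {
            RtlCopyMemory(pIoBuffer, DATA_TO_APP, cbData);
            bytesWritten = cbData;
            dprintf("Send Data to App: %s\r\n", pIoBuffer);
            status = STATUS_SUCCESS;
        }
        else
        {
            /* Original fell through with STATUS_INVALID_DEVICE_REQUEST; this
             * tells the caller why the request failed. */
            status = STATUS_BUFFER_TOO_SMALL;
        }
        break;
    }

    default:
        dprintf("Unknown IOCTL: 0x%X (%04X,%04X)\r\n",
                uIoControlCode,
                DEVICE_TYPE_FROM_CTL_CODE(uIoControlCode),
                IoGetFunctionCodeFromCtlCode(uIoControlCode));
        status = STATUS_INVALID_PARAMETER;
        break;
    }

    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = NT_SUCCESS(status) ? bytesWritten : 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}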
/*
 * MyKdDisableDebugger - target of the 5-byte inline hook that LoadImageRoutine
 * writes at the start of KdDisableDebugger (x86 only: naked function + __asm).
 *
 * On entry the stack is exactly as KdDisableDebugger would see it, so after
 * `push eax` the word at [esp+0x4] is the caller's return address. The stub
 * rewrites that address as (address - TesSafeBase + pMirror), i.e. the same
 * offset inside the driver's copy of the TesSafe.sys image, then continues at
 * kdRet (KdDisableDebugger + 7, set in LoadImageRoutine).
 *
 * NOTE(review): nothing here checks that the return address actually lies
 * inside TesSafe.sys, so any other caller of KdDisableDebugger has its return
 * address pointed at an unrelated location, and kdRet is 0 until the hook has
 * been installed. Modifying an exported kernel routine in place is also the
 * kind of change kernel code-integrity checks are designed to detect.
 */
__declspec(naked) void MyKdDisableDebugger()
{
    __asm
    {
        push eax
        mov eax,[esp+0x4]        /* caller's return address */
        sub eax,TesSafeBase      /* offset within TesSafe.sys */
        add eax,pMirror          /* same offset within the copy */
        mov [esp+0x4],eax
        pop eax
        jmp kdRet                /* KdDisableDebugger + 7 */
    }

}
- //
- // TODO: Add your module definitions here.
- //
/*
 * LoadImageRoutine - PsSetLoadImageNotifyRoutine callback registered in
 * DriverEntry. Ignores every image except one whose name contains
 * "TesSafe.sys"; for that image it records the base address, copies the image
 * into _pMirror, installs the KdDisableDebugger hook and patches two bytes at
 * fixed offsets inside the copy.
 *
 * FullImageName : __in_opt — may be NULL (see note below).
 * ProcessId     : unused.
 * ImageInfo     : only ImageBase is read.
 *
 * NOTE(review): FullImageName is optional but is dereferenced unchecked on the
 * first line; a NULL name faults inside the callback, i.e. a bugcheck.
 */
VOID LoadImageRoutine(
    __in_opt PUNICODE_STRING FullImageName,
    __in HANDLE ProcessId,
    __in PIMAGE_INFO ImageInfo
    )
{
    /* Case-sensitive substring match. A UNICODE_STRING buffer is not
     * guaranteed to be NUL-terminated, so wcsstr may read past Length. */
    if(wcsstr(FullImageName->Buffer, L"TesSafe.sys")!=0)
    {

        DbgPrint("TesSafe has been discovered");
        ULONG uImageInfo=(ULONG)ImageInfo->ImageBase;   /* pointer truncated to 32 bits: x86 only */
        DbgPrint("TesSafeBase is %x",uImageInfo);
        TesSafeBase=uImageInfo;

        /* Make the mirror buffer executable. NOTE(review): the IoAllocateMdl
         * result is not checked (IoFreeMdl(NULL) would fault), and the MDL goes
         * to MmProtectMdlSystemAddress without any build/lock step in between —
         * confirm against the MDL documentation that this is a valid use. */
        PMDL pMdl;
        pMdl = IoAllocateMdl(_pMirror,0x139000,FALSE,FALSE,NULL);
        MmProtectMdlSystemAddress(pMdl,PAGE_EXECUTE_READWRITE);
        IoFreeMdl(pMdl);
        //NtAllocateVirtualMemory((HANDLE)-1,pMirror,0,(PSIZE_T)0x139000,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
        /* Copy 0x139000 bytes of the loaded image into _pMirror
         * (UnInLineHookEngine appears to be a plain dst/src/len copy, judging
         * by its other uses). The size is hard-coded; nothing bounds it to the
         * size of the image that was actually loaded. */
        UnInLineHookEngine((int)_pMirror,(char *)TesSafeBase,0x139000);
        //PassGlobalStaticCrcEx();
        /* Hook: record the resume address for the stub, save the first 5 bytes
         * of KdDisableDebugger (written back by DriverUnload), then write the
         * jump to MyKdDisableDebugger. */
        kdRet=(DWORD)KdDisableDebugger+0x7;
        UnInLineHookEngine((int)mKdDisableDebugger,(char *)KdDisableDebugger,5);
        InLineHookEngine((ULONG)KdDisableDebugger,(int)MyKdDisableDebugger);
        DbgPrint("MirrorBase is %x",(int)pMirror);
        /* Two byte patches at offsets tied to one particular TesSafe.sys build;
         * the byte-value checks are the only version guard. */
        if(*(PUCHAR)(pMirror+0x92c1)==0x75)
        {

            *(PUSHORT)(pMirror+0x92c1)=0x9090;
            DbgPrint("TesSafeOffset1 is %x",pMirror+0x92c1);
        }
        if(*(PUCHAR)(pMirror+0x92c1+0x12e)==0x74)
        {
            *(PUCHAR)(pMirror+0x92c1+0x12e)=0xeb;
            DbgPrint("TesSafeOffset2 is %x",pMirror+0x92c1+0x12e);
        }

    }
    return;
}
- /* EOF */
-