├── ReadMe.md
├── [1-1]SetupTestEnv
└── 软件下载地址.txt
├── [1-2]KrnlHW64
├── calc_ctl_code
│ ├── calc_ctl_code.sln
│ ├── calc_ctl_code.suo
│ ├── calc_ctl_code.vcxproj
│ ├── calc_ctl_code.vcxproj.filters
│ ├── calc_ctl_code.vcxproj.user
│ ├── main.cpp
│ └── x64
│ │ └── Release
│ │ └── calc_ctl_code.exe
└── sys
│ ├── MyDriver.c
│ ├── buildfre_win7_amd64.log
│ ├── makefile
│ ├── objfre_win7_amd64
│ └── amd64
│ │ ├── KmdManager.exe
│ │ ├── KrnlHW64.sys
│ │ └── calc_ctl_code.exe
│ ├── sources
│ ├── test.c
│ └── 含有多个C文件时用的source
├── [2-1]AboutKPP&DSE
├── 禁用DSE.txt
└── 禁用KPP.txt
├── [2-2]ScmDrvLoader
├── ScmDrvCtrl.h
├── ScmDrvLoader.sln
├── ScmDrvLoader.suo
├── ScmDrvLoader.vcxproj
├── ScmDrvLoader.vcxproj.filters
├── ScmDrvLoader.vcxproj.user
├── main.cpp
└── x64
│ └── Release
│ ├── KrnlHW64.sys
│ └── ScmDrvLoader.exe
├── [2-3]MemoryOperationTest
├── buildfre_win7_amd64.log
├── main.c
├── makefile
├── objfre_win7_amd64
│ └── amd64
│ │ └── SYS_FILE_NAME.sys
└── sources
├── [2-4]StringOperationTest
├── buildfre_win7_amd64.log
├── main.c
├── makefile
├── objfre_win7_amd64
│ └── amd64
│ │ └── SYS_FILE_NAME.sys
└── sources
├── [2-5]FileOperationTest
├── MyDriver.c
├── MyDriver.h
├── buildfre_win7_amd64.log
├── makefile
├── objfre_win7_amd64
│ └── amd64
│ │ └── MyDriver.sys
└── sources
├── [2-6]RegistryOperationTest
├── buildfre_win7_amd64.log
├── main.c
├── makefile
├── objfre_win7_amd64
│ └── amd64
│ │ └── SYS_FILE_NAME.sys
└── sources
├── [2-7]ProcessOperationTest
├── buildfre_win7_amd64.log
├── main.c
├── makefile
├── objfre_win7_amd64
│ └── amd64
│ │ └── SYS_FILE_NAME.sys
└── sources
├── [2-8]OtherFunction
├── MyDriver.c
├── MyDriver.h
├── buildfre_win7_amd64.log
├── makefile
└── sources
├── [3-1]Wow64&CompatibleMode
├── WOW64相关测试代码
│ ├── bin
│ │ └── Release
│ │ │ └── TestWow64.exe
│ └── main.c
└── 兼容模式相关测试代码
│ ├── _VB_CODE
│ ├── CCM.exe
│ ├── CCM.vbp
│ ├── CCM.vbw
│ └── Form1.frm
│ ├── bin
│ └── Release
│ │ └── CCM.exe
│ └── main.c
├── [3-2]DisableWin7KPP&DSE
├── ASM
│ ├── patch.asm
│ ├── patch.exe
│ ├── 一键破解.cmd
│ └── 编译.bat
└── VC
│ ├── disable_pgds.sln
│ ├── disable_pgds.vcxproj
│ ├── disable_pgds.vcxproj.filters
│ ├── disable_pgds.vcxproj.user
│ ├── main.cpp
│ ├── x64
│ └── Release
│ │ └── disable_pgds.exe
│ └── 说明.txt
├── [3-3]CalcSSDTFuncAddr
├── MyDriver.c
├── MyDriver.h
├── buildfre_win7_amd64.log
├── makefile
├── objfre_win7_amd64
│ └── amd64
│ │ └── MyDriver.sys
└── sources
├── [3-4]SSDTHookUnhook
├── hook
│ ├── LoadDrv.exe
│ ├── hookssdt_x64.sys
│ ├── src
│ │ ├── MyDriver.c
│ │ ├── MyDriver.h
│ │ ├── buildfre_win7_amd64.log
│ │ ├── hookssdt.h
│ │ ├── makefile
│ │ └── sources
│ └── 说明.txt
└── unhook
│ ├── EnumSSDT_x64_exe.exe
│ ├── EnumSSDT_x64_exe
│ ├── EnumSSDT_x64_exe.sln
│ ├── EnumSSDT_x64_exe.suo
│ └── EnumSSDT_x64_exe
│ │ ├── DrvCtrl.h
│ │ ├── EnumSSDT_x64_exe.vcxproj
│ │ ├── EnumSSDT_x64_exe.vcxproj.filters
│ │ ├── EnumSSDT_x64_exe.vcxproj.user
│ │ ├── GetNtos.h
│ │ └── main.cpp
│ ├── EnumSSDT_x64_sys
│ ├── MyDriver.c
│ ├── MyDriver.h
│ ├── buildfre_win7_amd64.log
│ ├── buildfre_win7_amd64.wrn
│ ├── makefile
│ └── sources
│ └── emSSDT64.sys
├── [3-5]SSSDTHookUnhook
├── hook
│ ├── Fuck3SDT.sys
│ ├── KillProcessByPostMessage.exe
│ ├── KillProcessByPostMessage
│ │ └── main.c
│ ├── MyDriver.exe
│ └── SSSDTHook_NtUserPostMessage
│ │ ├── exe
│ │ ├── MSSCCPRJ.SCC
│ │ ├── MyDriver.vbp
│ │ ├── MyDriver.vbw
│ │ ├── cls_Driver.cls
│ │ ├── frm_Main.frm
│ │ └── mod_DrvFunc.bas
│ │ └── sys
│ │ ├── LDE64x64.h
│ │ ├── MyDriver.c
│ │ ├── MyDriver.h
│ │ ├── buildfre_win7_amd64.log
│ │ ├── hook3sdt.h
│ │ ├── makefile
│ │ └── sources
└── unhook
│ ├── EnumSSSDT64.exe
│ ├── SSSDTx64.sys
│ ├── exe
│ ├── DrvCtrl.h
│ ├── EnumDrv.h
│ ├── EnumSSSDT64.sln
│ ├── EnumSSSDT64.suo
│ ├── EnumSSSDT64.vcxproj
│ ├── EnumSSSDT64.vcxproj.filters
│ ├── EnumSSSDT64.vcxproj.user
│ └── main.cpp
│ └── sys
│ ├── MyDriver.c
│ ├── MyDriver.h
│ ├── buildfre_win7_amd64.log
│ ├── makefile
│ └── sources
├── [3-6]InlineHookUnhook
├── hook
│ ├── exe
│ │ ├── MSSCCPRJ.SCC
│ │ ├── MyDriver.vbp
│ │ ├── MyDriver.vbw
│ │ ├── cls_Driver.cls
│ │ ├── frm_Main.frm
│ │ └── mod_DrvFunc.bas
│ ├── hook_ps.exe
│ ├── hook_ps.sys
│ └── sys
│ │ ├── HookFunc.h
│ │ ├── LDE64x64.h
│ │ ├── MyDriver.c
│ │ ├── MyDriver.h
│ │ ├── buildfre_win7_amd64.wrn
│ │ ├── makefile
│ │ └── sources
└── unhook
│ ├── ClrKIH64.sys
│ ├── GetKernelOriCode.exe
│ ├── exe
│ ├── DrvCtrl.h
│ ├── GetKernelOriCode.sln
│ ├── GetKernelOriCode.suo
│ ├── GetKernelOriCode.vcxproj
│ ├── GetKernelOriCode.vcxproj.filters
│ ├── GetKernelOriCode.vcxproj.user
│ └── main.cpp
│ └── sys
│ ├── MyDriver.c
│ ├── MyDriver.h
│ ├── buildfre_win7_amd64.log
│ ├── makefile
│ └── sources
├── [4-1]MonitorCreateExitProcessThread
├── monitor_create_process_x64.sys
├── src
│ ├── MyDriver.c
│ ├── MyDriver.h
│ ├── ProcessNotify.h
│ ├── buildfre_win7_amd64.log
│ ├── makefile
│ └── sources
└── 使用说明.txt
├── [4-2]MonitorLoadUnloadDllDriver
├── LoadImageNotifyX64.sys
├── src
│ ├── MyDriver.c
│ ├── MyDriver.h
│ ├── buildfre_win7_amd64.log
│ ├── makefile
│ └── sources
└── 测试说明.txt
├── [4-3]MonitorRegistryOperation
├── CmRegMonitor_x64.sys
├── src
│ ├── MyDriver.c
│ ├── MyDriver.h
│ ├── buildfre_win7_amd64.log
│ ├── makefile
│ ├── sources
│ └── testcode.h
└── 说明.txt
├── [4-4]MonitorFileOperation
├── MFTest.sys
├── WdmDrvLoader.exe
├── readme.txt
├── setup.inf
└── src
│ ├── WdmDrvLoader
│ ├── VB6StrFunc.h
│ ├── WdmDrvLoader.sln
│ ├── WdmDrvLoader.suo
│ ├── WdmDrvLoader.vcxproj
│ ├── WdmDrvLoader.vcxproj.filters
│ ├── WdmDrvLoader.vcxproj.user
│ └── main.cpp
│ └── driver
│ ├── MFTest.c
│ ├── buildfre_win7_amd64.log
│ ├── makefile
│ └── sources
├── [4-5]MonitorProcessThreadHandle
├── MyDriver.c
├── MyDriver.h
├── ProtectProcess.h
├── buildfre_win7_amd64.log
├── makefile
└── sources
├── [4-6]MonitorFileOperationByCallback
├── file_monitor_x64.sys
├── readme.txt
└── src
│ ├── MAKEFILE
│ ├── buildfre_win7_amd64.log
│ ├── main.c
│ ├── obstruct.h
│ └── sources
├── [4-7]MonitorInternetAccessByWFP
├── buildfre_win7_amd64.log
├── denyip.c
├── makefile
├── objfre_win7_amd64
│ └── amd64
│ │ └── WFP_TEST.sys
└── sources
├── [4-8]TimeChangeCallback
├── amd64
│ └── TimeNotify.sys
├── buildfre_win7_amd64.log
├── main.c
├── makefile
└── sources
├── [5-1]DrvInlineASM
├── Win64InlineASM.sys
├── src
│ ├── Win7x64Drv.c
│ ├── Win7x64Drv.h
│ ├── dbghelp.h
│ ├── makefile
│ └── sources
└── x64asm_to_x64bin.exe
├── [5-2]DkomHideProtect
├── MyDriver.sys
└── src
│ ├── MyDriver.c
│ ├── MyDriver.h
│ ├── buildfre_win7_amd64.log
│ ├── makefile
│ └── sources
├── [5-3]DriverEnumHide
├── EnumDriver.exe
├── EnumDriver
│ ├── EnumDriver.sln
│ ├── EnumDriver.suo
│ ├── EnumDriver.vcxproj
│ ├── EnumDriver.vcxproj.filters
│ ├── EnumDriver.vcxproj.user
│ └── main.cpp
├── HideDriver
│ ├── HideKM.c
│ ├── buildfre_win7_amd64.log
│ ├── makefile
│ └── sources
└── HideKM64.sys
├── [5-4]ForceKillProcess
├── FKP64.exe
├── Win7x64Drv.sys
├── exe
│ ├── MSSCCPRJ.SCC
│ ├── Mod_MemClr.bas
│ ├── Win7x64Drv.vbp
│ ├── Win7x64Drv.vbw
│ ├── cls_Driver.cls
│ └── form1.frm
└── sys
│ ├── Win7x64Drv.c
│ ├── Win7x64Drv.h
│ ├── buildfre_win7_amd64.log
│ ├── makefile
│ └── sources
├── [5-5]ForceProcMemRW
├── KRWProcess.sys
├── 模拟游戏.exe
├── 模拟游戏
│ ├── Form1.frm
│ ├── Game.vbp
│ └── Game.vbw
├── 模拟盗号.exe
├── 模拟盗号
│ ├── Form1.frm
│ ├── PlugIn.vbp
│ └── PlugIn.vbw
├── 驱动级模拟盗号.exe
├── 驱动级模拟盗号
│ ├── exe
│ │ ├── MSSCCPRJ.SCC
│ │ ├── Mod_MemClr.bas
│ │ ├── Win7x64Drv.vbp
│ │ ├── Win7x64Drv.vbw
│ │ ├── cls_Driver.cls
│ │ └── form1.frm
│ └── sys
│ │ ├── Win7x64Drv.c
│ │ ├── Win7x64Drv.h
│ │ ├── buildfre_win7_amd64.log
│ │ ├── makefile
│ │ └── sources
└── 驱动级游戏保护
│ └── 下载地址.txt
├── [5-6]EnumMsgHook
├── EnumMsgHook64.exe
├── EnumMsgHook64.sys
├── src
│ ├── exe
│ │ ├── DrvCtrl.h
│ │ ├── exe.sln
│ │ ├── exe.suo
│ │ ├── exe.vcxproj
│ │ ├── exe.vcxproj.filters
│ │ ├── exe.vcxproj.user
│ │ └── main.cpp
│ └── sys
│ │ ├── MyDriver.c
│ │ ├── MyDriver.h
│ │ ├── buildfre_win7_amd64.log
│ │ ├── buildfre_win7_amd64.wrn
│ │ ├── makefile
│ │ ├── rwkm.h
│ │ └── sources
└── 测试说明.txt
├── [5-7]UnlockFile
├── LockFile.exe
├── UnlockFile.sys
├── lockfile.xxx
├── src
│ ├── LockFile
│ │ └── main.cpp
│ └── UnlockFile
│ │ ├── EnumHandle.c
│ │ ├── buildfre_win7_amd64.log
│ │ ├── makefile
│ │ └── sources
└── 测试说明.txt
├── [5-8]PE32+
├── PE32结构图.jpg
├── PE64结构图.jpg
├── SimplePE64Viewer.exe
└── SimplePE64Viewer
│ ├── SimplePE64Viewer.sln
│ ├── SimplePE64Viewer.suo
│ ├── SimplePE64Viewer.vcxproj
│ ├── SimplePE64Viewer.vcxproj.filters
│ ├── SimplePE64Viewer.vcxproj.user
│ └── main.cpp
├── [6-1]RemoteThreadToSystemProcess
├── SuperInsertDll.exe
├── SuperInsertDll
│ ├── SuperInsertDll.sln
│ ├── SuperInsertDll.suo
│ ├── SuperInsertDll.vcxproj
│ ├── SuperInsertDll.vcxproj.filters
│ ├── SuperInsertDll.vcxproj.user
│ ├── main.cpp
│ ├── main.h
│ └── ntdll.lib
├── TestDll.dll
└── TestDll
│ ├── ReadMe.txt
│ ├── TestDll.cpp
│ ├── TestDll.sln
│ ├── TestDll.suo
│ ├── TestDll.vcxproj
│ ├── TestDll.vcxproj.filters
│ ├── TestDll.vcxproj.user
│ ├── dllmain.cpp
│ ├── stdafx.cpp
│ ├── stdafx.h
│ └── targetver.h
├── [6-2]Ring3InlineHookAntiHook
├── anti-hook
│ ├── AntiHook.exe
│ ├── AntiHook
│ │ ├── AntiHook.cpp
│ │ ├── AntiHook.sln
│ │ ├── AntiHook.suo
│ │ ├── AntiHook.vcxproj
│ │ ├── AntiHook.vcxproj.filters
│ │ ├── AntiHook.vcxproj.user
│ │ ├── ReadMe.txt
│ │ ├── _HookTest
│ │ │ ├── !!复制全部文件到C盘根目录
│ │ │ ├── AntiHook.exe
│ │ │ ├── Calculator.lnk
│ │ │ ├── HookDll.dll
│ │ │ ├── InjectDllx64.exe
│ │ │ ├── NtHookEngine.dll
│ │ │ └── desktop.ini
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
│ ├── Calculator.lnk
│ ├── HookDll.dll
│ ├── HookZwReadFile
│ │ ├── HookDll.cpp
│ │ ├── HookDll.sln
│ │ ├── HookDll.suo
│ │ ├── HookDll.vcxproj
│ │ ├── HookDll.vcxproj.filters
│ │ ├── HookDll.vcxproj.user
│ │ ├── ReadMe.txt
│ │ ├── __TEST
│ │ │ └── desktop.ini
│ │ ├── dllmain.cpp
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
│ ├── InjectDllx64.exe
│ ├── NtHookEngine.dll
│ ├── desktop.ini
│ └── 复制全部文件到C盘根目录
└── hook
│ ├── Calculator.lnk
│ ├── HookDll.dll
│ ├── HookDll
│ ├── HookDll.cpp
│ ├── HookDll.sln
│ ├── HookDll.suo
│ ├── HookDll.vcxproj
│ ├── HookDll.vcxproj.filters
│ ├── HookDll.vcxproj.user
│ ├── ReadMe.txt
│ ├── dllmain.cpp
│ ├── stdafx.cpp
│ ├── stdafx.h
│ └── targetver.h
│ ├── InjectDllx64.exe
│ ├── InjectDllx64
│ ├── InjectDllx64.sln
│ ├── InjectDllx64.suo
│ ├── InjectDllx64.vcxproj
│ ├── InjectDllx64.vcxproj.filters
│ ├── InjectDllx64.vcxproj.user
│ └── main.cpp
│ ├── MiniHookEngineForX86X64
│ ├── NtHookEngine.sln
│ ├── NtHookEngine
│ │ ├── NtHookEngine.cpp
│ │ ├── NtHookEngine.rc
│ │ ├── NtHookEngine.suo
│ │ ├── NtHookEngine.vcproj
│ │ ├── NtHookEngine.vcxproj
│ │ ├── NtHookEngine.vcxproj.filters
│ │ ├── NtHookEngine.vcxproj.user
│ │ ├── ReadMe.txt
│ │ ├── distorm.h
│ │ ├── distorm_x64.lib
│ │ ├── distorm_x86.lib
│ │ ├── resource.h
│ │ ├── stdafx.cpp
│ │ └── stdafx.h
│ ├── release
│ │ ├── NtHookEngine.dll
│ │ ├── NtHookEngine.exp
│ │ └── NtHookEngine.lib
│ └── x64
│ │ └── release
│ │ ├── NtHookEngine.dll
│ │ ├── NtHookEngine.exp
│ │ └── NtHookEngine.lib
│ ├── NtHookEngine.dll
│ ├── desktop.ini
│ └── 复制全部文件到C盘根目录
├── [6-3]Ring3EatIatHook
├── EAT_IAT_HOOK_TEST32
│ ├── main.cpp
│ └── test.exe
└── EAT_IAT_HOOK_TEST64
│ ├── main.cpp
│ └── test.exe
├── [7-1]EnumRemoveProcessThreadNotify
├── MyDriver.c
├── MyDriver.h
├── ProcNotify.h
├── ThrdNotify.h
├── buildfre_win7_amd64.log
├── makefile
├── objfre_win7_amd64
│ └── amd64
│ │ └── EnumProcessThreadNotify64.sys
└── sources
├── [7-2]EnumRemoveImageNotify
├── ImgNotify.h
├── MyDriver.c
├── MyDriver.h
├── buildfre_win7_amd64.log
├── makefile
├── objfre_win7_amd64
│ └── amd64
│ │ └── EnumRemoveImageNotify.sys
└── sources
├── [7-3]EnumRemoveCmpCallback
├── MyDriver.c
├── MyDriver.h
├── RegCallback.h
├── buildfre_win7_amd64.log
├── makefile
├── objfre_win7_amd64
│ └── amd64
│ │ └── EnumRemoveCmpCallback.sys
└── sources
├── [7-4]EnumRemoveObCallback
├── MyDriver.c
├── MyDriver.h
├── buildfre_win7_amd64.log
├── makefile
├── objfre_win7_amd64
│ └── amd64
│ │ └── EnumRemoveObCallback.sys
└── sources
└── [7-5]EnumAntiMiniFilter
├── MyDriver.c
├── MyDriver.h
├── buildfre_win7_amd64.log
├── makefile
├── objfre_win7_amd64
└── amd64
│ └── EnumAntiMiniFilter.sys
└── sources
/ReadMe.md:
--------------------------------------------------------------------------------
1 | #### WIN64驱动编程基础教程 作者:胡文亮
2 |
3 |
4 | 源码的编译环境是WDK7600
5 |
6 |
7 |
8 | -
9 | 以下是原文介绍
10 |
11 | -
12 |
13 |
14 | 【原创+福利+源码包】WIN64驱动编程基础教程(含PASS DSE的文件)
15 |
16 | 大家好,我的是Tesla.Angela。
17 |
18 | 这份教程本来是拿来出售的,不过由于某些原因导致部分章节出现在了互联网上,于是决定彻底公开了。
19 |
20 | 详细目录如下:
21 |
22 | 0.基础的基础
23 |
24 | |-学习WIN64驱动开发的硬件准备
25 |
26 | |-配置驱动开发环境
27 |
28 | ------------------------------
29 | 1.驱动级HelloWorld
30 |
31 | |-配置驱动测试环境
32 |
33 | |-编译和加载内核HelloWorld
34 |
35 | ------------------------------
36 | 2.内核编程基础
37 |
38 | |-WIN64内核编程的基本规则
39 |
40 | |-驱动程序与应用程序通信
41 |
42 | |-内核里使用内存
43 |
44 | |-内核里操作字符串
45 |
46 | |-内核里操作文件
47 |
48 | |-内核里操作注册表
49 |
50 | |-内核里操作进线程
51 |
52 | |-驱动里的其它常用代码
53 |
54 | ------------------------------
55 | 3.内核HOOK与UNHOOK
56 |
57 | |-系统调用、WOW64与兼容模式
58 |
59 | |-编程实现突破WIN7的PatchGuard
60 |
61 | |-系统服务描述表结构详解
62 |
63 | |-SSDT HOOK和UNHOOK
64 |
65 | |-SHADOW SSDT HOOK和UNHOOK
66 |
67 | |-INLINE HOOK和UNHOOK
68 |
69 | ------------------------------
70 | 4.无HOOK监控技术
71 |
72 | |-无HOOK监控进线程启动和退出
73 |
74 | |-无HOOK监控模块加载
75 |
76 | |-无HOOK监控注册表操作
77 |
78 | |-无HOOK监控文件操作
79 |
80 | |-无HOOK监控进线程句柄操作
81 |
82 | |-使用对象回调监视文件访问
83 |
84 | |-无HOOK监控网络访问
85 |
86 | |-无HOOK监视修改时间
87 |
88 | ------------------------------
89 | 5.零散内容
90 |
91 | |-驱动里实现内嵌汇编
92 |
93 | |-DKOM隐藏进程+保护进程
94 |
95 | |-枚举和隐藏内核模块
96 |
97 | |-强制结束进程
98 |
99 | |-强制读写进程内存
100 |
101 | |-枚举消息钩子
102 |
103 | |-强制解锁文件
104 |
105 | |-初步探索PE32+格式文件
106 |
107 | ------------------------------
108 | 6.用户态HOOK与UNHOOK
109 |
110 | |-RING3注射DLL到系统进程
111 |
112 | |-RING3的INLINE HOOK和UNHOOK
113 |
114 | |-RING3的EAT HOOK和IAT HOOK
115 |
116 | ------------------------------
117 | 7.反回调
118 |
119 | |-枚举与删除创建进线程回调
120 |
121 | |-枚举与删除加载映像回调
122 |
123 | |-枚举与删除注册表回调
124 |
125 | |-枚举与对抗MiniFilter
126 |
127 | |-枚举与删除对象回调
128 |
129 | 值得一提的是,这份教程的附件里,包含了一个过“数字签名强制”(DSE)的LIB,只要在程序里包含了这个LIB,就能无视DSE直接加载未签名的驱动。
130 |
131 | 当然,这个LIB只支持WIN7、WIN8和WIN8.1,对于未出现的系统,是不可能支持的。
132 |
133 | 本教程由于编写仓促,难免有错漏之处,欢迎指出。不过,本教程的文章和代码,绝对不会有故意插入的错误,所有代码都能“即抄即用”。
134 |
135 | 下载地址:http://pan.baidu.com/share/home?uk=1915097229#category/type=0
136 |
137 | 欢迎访问我的论坛:www.vbasm.com
138 |
139 | 欢迎加入我的内核编程群:204267013
140 |
141 | 欢迎使用我的ARK类工具:http://bbs.kafan.cn/thread-1426416-1-2.html
142 |
143 | 另外,原来的“WIN64内核编程基础班”已升级为“WINDOWS内核编程VIP讨论组”,欢迎加入,详情请加群后与群主私聊。
--------------------------------------------------------------------------------
/[1-1]SetupTestEnv/软件下载地址.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[1-1]SetupTestEnv/软件下载地址.txt
--------------------------------------------------------------------------------
/[1-2]KrnlHW64/calc_ctl_code/calc_ctl_code.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "calc_ctl_code", "calc_ctl_code.vcxproj", "{2E142E4E-1FF4-4555-9A11-2651A5D61F5F}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {2E142E4E-1FF4-4555-9A11-2651A5D61F5F}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {2E142E4E-1FF4-4555-9A11-2651A5D61F5F}.Debug|Win32.Build.0 = Debug|Win32
16 | {2E142E4E-1FF4-4555-9A11-2651A5D61F5F}.Debug|x64.ActiveCfg = Debug|x64
17 | {2E142E4E-1FF4-4555-9A11-2651A5D61F5F}.Debug|x64.Build.0 = Debug|x64
18 | {2E142E4E-1FF4-4555-9A11-2651A5D61F5F}.Release|Win32.ActiveCfg = Release|Win32
19 | {2E142E4E-1FF4-4555-9A11-2651A5D61F5F}.Release|Win32.Build.0 = Release|Win32
20 | {2E142E4E-1FF4-4555-9A11-2651A5D61F5F}.Release|x64.ActiveCfg = Release|x64
21 | {2E142E4E-1FF4-4555-9A11-2651A5D61F5F}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/[1-2]KrnlHW64/calc_ctl_code/calc_ctl_code.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[1-2]KrnlHW64/calc_ctl_code/calc_ctl_code.suo
--------------------------------------------------------------------------------
/[1-2]KrnlHW64/calc_ctl_code/calc_ctl_code.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 |
--------------------------------------------------------------------------------
/[1-2]KrnlHW64/calc_ctl_code/calc_ctl_code.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/[1-2]KrnlHW64/calc_ctl_code/main.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
// Packs a driver-defined function number into an IOCTL value using the
// fixed triple FILE_DEVICE_UNKNOWN / FILE_ANY_ACCESS / METHOD_BUFFERED.
// The result is the same value CTL_CODE() in winioctl.h would give for
// those arguments.
//
// lngFunction: function number that lands in bits 2..13 of the code.
//              No range check is done: a value wider than 12 bits simply
//              spills into the access/device fields, exactly as before.
// Returns the packed control code.
DWORD CTL_CODE_GEN(DWORD lngFunction)
{
    // Bit layout: device type 16..31, access 14..15, function 2..13,
    // transfer method 0..1. Shifts are used instead of the original
    // multiplications by 65536 / 16384 / 4; the arithmetic is identical.
    const DWORD deviceBits   = (DWORD)FILE_DEVICE_UNKNOWN << 16;
    const DWORD accessBits   = (DWORD)FILE_ANY_ACCESS << 14;
    const DWORD functionBits = lngFunction << 2;
    return deviceBits | accessBits | functionBits | METHOD_BUFFERED;
}
11 |
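// Interactive helper: reads a function number in hex from stdin, prints the
// resulting control code in decimal and hex, and repeats.
// Returns 0 once stdin is closed (the original spun forever on EOF and also
// used whatever happened to be in an uninitialized DWORD when the input was
// not a valid hex number).
int main()
{
    for (;;)
    {
        DWORD dw = 0;
        printf("Input HEX CTL_CODE: ");
        // %lx matches DWORD (unsigned long on Windows); %x only worked
        // because both types happen to be 32 bits there.
        int rc = scanf("%lx", &dw);
        if (rc == EOF)
            break;                      // no more input: stop instead of looping
        if (rc != 1)
        {
            // Not a hex number: drop the rest of the line and ask again.
            int c;
            while ((c = getchar()) != '\n' && c != EOF)
                ;
            printf("Invalid input, expected a hex number.\n\n");
            continue;
        }
        DWORD code = CTL_CODE_GEN(dw);
        // %lu / %lX: DWORD is unsigned, the original %ld printed it as signed.
        printf("Output: %lu(0x%lX)\n\n", code, code);
        getchar();                      // swallow the newline scanf left behind
    }
    return 0;
}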
--------------------------------------------------------------------------------
/[1-2]KrnlHW64/calc_ctl_code/x64/Release/calc_ctl_code.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[1-2]KrnlHW64/calc_ctl_code/x64/Release/calc_ctl_code.exe
--------------------------------------------------------------------------------
/[1-2]KrnlHW64/sys/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[1-2]KrnlHW64/sys/MyDriver.c
--------------------------------------------------------------------------------
/[1-2]KrnlHW64/sys/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[1-2]KrnlHW64/sys/objfre_win7_amd64/amd64/KmdManager.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[1-2]KrnlHW64/sys/objfre_win7_amd64/amd64/KmdManager.exe
--------------------------------------------------------------------------------
/[1-2]KrnlHW64/sys/objfre_win7_amd64/amd64/KrnlHW64.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[1-2]KrnlHW64/sys/objfre_win7_amd64/amd64/KrnlHW64.sys
--------------------------------------------------------------------------------
/[1-2]KrnlHW64/sys/objfre_win7_amd64/amd64/calc_ctl_code.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[1-2]KrnlHW64/sys/objfre_win7_amd64/amd64/calc_ctl_code.exe
--------------------------------------------------------------------------------
/[1-2]KrnlHW64/sys/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=KrnlHW64
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[1-2]KrnlHW64/sys/test.c:
--------------------------------------------------------------------------------
1 | #include
2 |
/* Placeholder routine that only emits a trace line to the kernel debugger.
 * It appears to exist so the multi-file "sources" variant has a second
 * translation unit to build. */
void nullproc()
{
    /* single side effect: the debug print */
    DbgPrint("nullproc\n");
}
--------------------------------------------------------------------------------
/[1-2]KrnlHW64/sys/含有多个C文件时用的source:
--------------------------------------------------------------------------------
1 | TARGETNAME=KrnlHW64
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c \
8 | test.c
--------------------------------------------------------------------------------
/[2-1]AboutKPP&DSE/禁用DSE.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[2-1]AboutKPP&DSE/禁用DSE.txt
--------------------------------------------------------------------------------
/[2-1]AboutKPP&DSE/禁用KPP.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[2-1]AboutKPP&DSE/禁用KPP.txt
--------------------------------------------------------------------------------
/[2-2]ScmDrvLoader/ScmDrvLoader.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ScmDrvLoader", "ScmDrvLoader.vcxproj", "{AB7B78FA-C353-44BD-ADDC-4810A996B64F}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {AB7B78FA-C353-44BD-ADDC-4810A996B64F}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {AB7B78FA-C353-44BD-ADDC-4810A996B64F}.Debug|Win32.Build.0 = Debug|Win32
16 | {AB7B78FA-C353-44BD-ADDC-4810A996B64F}.Debug|x64.ActiveCfg = Debug|x64
17 | {AB7B78FA-C353-44BD-ADDC-4810A996B64F}.Debug|x64.Build.0 = Debug|x64
18 | {AB7B78FA-C353-44BD-ADDC-4810A996B64F}.Release|Win32.ActiveCfg = Release|Win32
19 | {AB7B78FA-C353-44BD-ADDC-4810A996B64F}.Release|Win32.Build.0 = Release|Win32
20 | {AB7B78FA-C353-44BD-ADDC-4810A996B64F}.Release|x64.ActiveCfg = Release|x64
21 | {AB7B78FA-C353-44BD-ADDC-4810A996B64F}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/[2-2]ScmDrvLoader/ScmDrvLoader.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[2-2]ScmDrvLoader/ScmDrvLoader.suo
--------------------------------------------------------------------------------
/[2-2]ScmDrvLoader/ScmDrvLoader.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 |
23 |
24 | 头文件
25 |
26 |
27 |
--------------------------------------------------------------------------------
/[2-2]ScmDrvLoader/ScmDrvLoader.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/[2-2]ScmDrvLoader/main.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include "ScmDrvCtrl.h"
4 |
5 | #pragma comment(lib,"user32.lib")
6 |
7 |
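// Fills szCurFile with the directory of the running executable, including
// the trailing backslash (e.g. "C:\tools\").
//
// szCurFile: caller-owned buffer of at least MAX_PATH characters.
// On failure (path could not be obtained, was truncated, or contains no
// backslash) the buffer is set to the empty string rather than left with a
// partial or unterminated path.
void GetAppPath(char *szCurFile)
{
    DWORD len = GetModuleFileNameA(0, szCurFile, MAX_PATH);
    // 0 = failure; MAX_PATH = the path was truncated and cannot be trusted.
    if (len == 0 || len >= MAX_PATH)
    {
        szCurFile[0] = '\0';
        return;
    }
    // The original counted down with an unsigned SIZE_T index, so "i >= 0"
    // was always true and the loop read before the buffer when no backslash
    // was present. strrchr does the same search without that hazard.
    char *lastSlash = strrchr(szCurFile, '\\');
    if (lastSlash == NULL)
    {
        szCurFile[0] = '\0';
        return;
    }
    lastSlash[1] = '\0';
}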
20 |
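// Loads KrnlHW64.sys from the executable's own directory through the SCM,
// exercises its two control codes, then stops and removes the service.
// Returns 0 always; the outcome of each step is printed to stdout.
int main()
{
    BOOL b;
    cDrvCtrl dc;
    // Driver file next to this executable; the same name is used for the
    // service and for the display name.
    char szSysFile[MAX_PATH]={0};
    char szSvcLnkName[]="KrnlHW64";
    const char szSysName[]="KrnlHW64.sys";
    GetAppPath(szSysFile);
    // Bounded append: a long install directory would have overrun szSysFile
    // with the original unconditional strcat.
    if(strlen(szSysFile)+sizeof(szSysName) > sizeof(szSysFile))
    {
        printf("Path too long\n");
        getchar();
        return 0;
    }
    strcat(szSysFile,szSysName);
    // Install and start; only talk to the driver if both steps succeeded.
    // (The original overwrote the Install result with Start's and carried on
    // regardless.)
    b=dc.Install(szSysFile,szSvcLnkName,szSvcLnkName);
    if(b) b=dc.Start();
    printf("LoadDriver=%d\n",b);
    if(b)
    {
        // Open the driver's symbolic link.
        // NOTE(review): cDrvCtrl::Open's return value is not checked here
        // because its type is not visible in this file; confirm against
        // ScmDrvCtrl.h and bail out on failure if it reports one.
        dc.Open("\\\\.\\KrnlHW64");
        // 0x800: pass one number in, get one number back
        DWORD x=100,y=0,z=0;
        dc.IoControl(0x800,&x,sizeof(x),&y,sizeof(y),&z);
        printf("INPUT=%lu\nOUTPUT=%lu\nReturnBytesLength=%lu\n",x,y,z);
        // 0x801: driver prints HELLOWORLD to the kernel debugger (DbgView)
        dc.IoControl(0x801,0,0,0,0,0);
        // Close the symbolic-link handle
        CloseHandle(dc.m_hDriver);
    }
    // Stop and unload the driver; the printed value is Remove's result.
    b=dc.Stop();
    b=dc.Remove();
    printf("UnloadDriver=%d\n",b);
    getchar();
    return 0;
}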
--------------------------------------------------------------------------------
/[2-2]ScmDrvLoader/x64/Release/KrnlHW64.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[2-2]ScmDrvLoader/x64/Release/KrnlHW64.sys
--------------------------------------------------------------------------------
/[2-2]ScmDrvLoader/x64/Release/ScmDrvLoader.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[2-2]ScmDrvLoader/x64/Release/ScmDrvLoader.exe
--------------------------------------------------------------------------------
/[2-3]MemoryOperationTest/buildfre_win7_amd64.log:
--------------------------------------------------------------------------------
1 | BUILD: corrupt database (Directory error)
2 | BUILD: Computing Include file dependencies:
3 | BUILD: Examining f:\programming\class\win64oacr invalidate root:amd64fre /autocleanqueue
4 | 1>Compiling and Linking f:\programming\class\win641>'nmake.exe /nologo BUILDMSG=Stop. -i BUILD_PASS=PASS2 LINKONLY=1 NOPASS0=1 MAKEDIR_RELATIVE_TO_BASEDIR='
5 | 1>f:\programming\class\win641> C:\WinDDK\7600.16385.1\Bin\amd64\oacr\oacrlink /out:f:\programming\class\win641>Microsoft (R) Incremental Linker Version 9.00.30729.207
6 | 1>Copyright (C) Microsoft Corporation. All rights reserved.
7 | 1>/MERGE:_PAGE=PAGE
8 | 1>/MERGE:_TEXT=.text
9 | 1>/SECTION:INIT,d
10 | 1>/OPT:REF
11 | 1>/OPT:ICF
12 | 1>/IGNORE:4198,4010,4037,4039,4065,4070,4078,4087,4089,4221,4108,4088,4218,4218,4235
13 | 1>/INCREMENTAL:NO
14 | 1>/release
15 | 1>/NODEFAULTLIB
16 | 1>/WX
17 | 1>/debug
18 | 1>/debugtype:cv,fixup,pdata
19 | 1>/version:6.1
20 | 1>/osversion:6.1
21 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\hotpatch.obj
22 | 1>/functionpadmin:6
23 | 1>/pdbcompress
24 | 1>/STACK:0x40000,0x1000
25 | 1>/driver
26 | 1>/base:0x10000
27 | 1>/subsystem:native,6.01
28 | 1>/entry:GsDriverEntry
29 | 1>/out:f:\programming\class\win641>f:\programming\class\win641>C:\WinDDK\7600.16385.1\lib\win7\amd64\BufferOverflowK.lib
30 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\ntoskrnl.lib
31 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\hal.lib
32 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\wmilib.lib
33 | 1>main.obj : MSIL .netmodule or module compiled with /GL found; restarting link with /LTCG; add /LTCG to the link command line to improve linker performance
34 | 1>Microsoft (R) Incremental Linker Version 9.00.30729.207
35 | 1>Copyright (C) Microsoft Corporation. All rights reserved.
36 | 1>/MERGE:_PAGE=PAGE
37 | 1>/MERGE:_TEXT=.text
38 | 1>/SECTION:INIT,d
39 | 1>/OPT:REF
40 | 1>/OPT:ICF
41 | 1>/IGNORE:4198,4010,4037,4039,4065,4070,4078,4087,4089,4221,4108,4088,4218,4218,4235
42 | 1>/INCREMENTAL:NO
43 | 1>/release
44 | 1>/NODEFAULTLIB
45 | 1>/WX
46 | 1>/debug
47 | 1>/debugtype:cv,fixup,pdata
48 | 1>/version:6.1
49 | 1>/osversion:6.1
50 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\hotpatch.obj
51 | 1>/functionpadmin:6
52 | 1>/pdbcompress
53 | 1>/STACK:0x40000,0x1000
54 | 1>/driver
55 | 1>/base:0x10000
56 | 1>/subsystem:native,6.01
57 | 1>/entry:GsDriverEntry
58 | 1>/out:f:\programming\class\win641>f:\programming\class\win641>C:\WinDDK\7600.16385.1\lib\win7\amd64\BufferOverflowK.lib
59 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\ntoskrnl.lib
60 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\hal.lib
61 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\wmilib.lib
62 | 1>Generating code
63 | 1>Finished generating code
64 |
--------------------------------------------------------------------------------
/[2-3]MemoryOperationTest/main.c:
--------------------------------------------------------------------------------
1 | #include
2 |
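/* Pool demo: allocate one paged and one non-paged block, fill the
 * non-paged one with 0x90, copy 0x50 bytes of it into the paged one, free
 * both. Called from DriverEntry, i.e. at PASSIVE_LEVEL, which is required
 * for touching paged pool. */
void test()
{
    PVOID ptr1 = ExAllocatePool(PagedPool,0x100);
    PVOID ptr2 = ExAllocatePool(NonPagedPool,0x200);
    /* Either allocation may return NULL under pool pressure; the original
     * dereferenced both unconditionally, which would bugcheck. */
    if (ptr1 == NULL || ptr2 == NULL)
    {
        DbgPrint("[Memory]ExAllocatePool failed\n");
    }
    else
    {
        RtlFillMemory(ptr2,0x200,0x90);
        RtlMoveMemory(ptr1,ptr2,0x50);
    }
    /* free whatever was actually allocated */
    if (ptr1) ExFreePool(ptr1);
    if (ptr2) ExFreePool(ptr2);
}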
12 |
13 | //以下两个函数,在HOOK修改内存时使用
/* Turns off CR0 write protection on the current processor.
 * Returns the IRQL that was in effect before the call; the caller must pass
 * it back to WPONx64() to undo everything this function did.
 * NOTE(review): CR0 is per-CPU, so only the processor this thread is
 * running on is affected; the raised IRQL prevents the thread from being
 * moved to another one in between. */
KIRQL WPOFFx64()
{
    /* Raise to DISPATCH_LEVEL so the thread stays on this CPU. */
    KIRQL irql=KeRaiseIrqlToDpcLevel();
    UINT64 cr0=__readcr0();
    /* Mask clears bit 16 of CR0 (the WP bit). */
    cr0 &= 0xfffffffffffeffff;
    __writecr0(cr0);
    /* Mask interrupts on this CPU as well (CLI). */
    _disable();
    return irql;
}
23 |
/* Reverses WPOFFx64(): re-enables interrupts, sets CR0.WP again and lowers
 * the IRQL back to the value WPOFFx64() returned.
 * irql: the value returned by the matching WPOFFx64() call. */
void WPONx64(KIRQL irql)
{
    UINT64 cr0=__readcr0();
    /* Set bit 16 of CR0 (the WP bit) again. */
    cr0 |= 0x10000;
    /* Same steps as WPOFFx64 in reverse order: interrupts, CR0, IRQL. */
    _enable();
    __writecr0(cr0);
    KeLowerIrql(irql);
}
32 |
33 | //此函数有点吹毛求疵,不推荐使用,因为效率太低了。
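/* Copies SizeOfCopy bytes from pSourceAddress to pDestination through an MDL
 * mapping of the destination range.
 *
 * pDestination:   kernel address to write to.
 * pSourceAddress: kernel address to read from.
 * SizeOfCopy:     byte count; must fit in a ULONG (IoAllocateMdl's Length).
 * Returns TRUE only if the copy actually completed. FALSE if an address is
 * invalid, the size is too large, the MDL could not be allocated, locked or
 * mapped, or the copy itself faulted.
 * Note that MmIsAddressValid only checks the page containing the address,
 * not the whole range. The author's own comment above marks this routine as
 * slow and not recommended. */
BOOLEAN SafeCopyMemory( PVOID pDestination, PVOID pSourceAddress, SIZE_T SizeOfCopy )
{
    PMDL pMdl = NULL;
    PVOID pSafeAddress = NULL;
    BOOLEAN copied = FALSE;
    if( !MmIsAddressValid(pDestination) || !MmIsAddressValid(pSourceAddress) )
        return FALSE;
    /* The (ULONG) cast below would silently truncate a larger size. */
    if( SizeOfCopy > MAXULONG )
        return FALSE;
    pMdl = IoAllocateMdl(pDestination, (ULONG)SizeOfCopy, FALSE, FALSE, NULL );
    if( !pMdl )
        return FALSE;
    __try
    {
        MmProbeAndLockPages( pMdl, KernelMode, IoReadAccess );
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        IoFreeMdl( pMdl );
        return FALSE;
    }
    pSafeAddress = MmGetSystemAddressForMdlSafe( pMdl, NormalPagePriority );
    if( pSafeAddress )
    {
        __try
        {
            RtlMoveMemory(pSafeAddress, pSourceAddress, SizeOfCopy );
            copied = TRUE;
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            /* The copy faulted part-way; the original still reported TRUE. */
            copied = FALSE;
        }
    }
    /* Always unlock and free: the original returned early when the mapping
     * failed and leaked both the locked pages and the MDL. */
    MmUnlockPages( pMdl );
    IoFreeMdl( pMdl );
    return copied;
}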
67 |
/* Unload routine registered by DriverEntry. test() frees everything it
 * allocates, so there is nothing to tear down here beyond a trace line. */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    DbgPrint("[Memory]Unload...\n");
}
73 |
/* Driver entry point: registers the unload routine, logs, and runs the pool
 * demo in test(). RegistryPath is not used.
 * Returns STATUS_SUCCESS unconditionally. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status = STATUS_SUCCESS;
    DriverObject->DriverUnload = DriverUnload;
    DbgPrint("[Memory]Load...\n");
    /* the demo itself */
    test();
    return status;
}
--------------------------------------------------------------------------------
/[2-3]MemoryOperationTest/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the driver components of the Windows NT DDK
5 | #
6 |
7 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[2-3]MemoryOperationTest/objfre_win7_amd64/amd64/SYS_FILE_NAME.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[2-3]MemoryOperationTest/objfre_win7_amd64/amd64/SYS_FILE_NAME.sys
--------------------------------------------------------------------------------
/[2-3]MemoryOperationTest/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=SYS_FILE_NAME
2 | TARGETPATH=obj
3 | TARGETTYPE=DRIVER
4 | SOURCES=main.c
5 |
--------------------------------------------------------------------------------
/[2-4]StringOperationTest/buildfre_win7_amd64.log:
--------------------------------------------------------------------------------
1 | 0>Bad Path string: L'f:\programming\class\win64 F '
2 |
3 | 0>Bad Path string: L'f:\programming\class\win64 F '
4 |
5 | BUILD: Computing Include file dependencies:
6 | BUILD: Examining f:\programming\class\win64oacr invalidate root:amd64fre /autocleanqueue
7 | 1>Compiling and Linking f:\programming\class\win641>'nmake.exe /nologo BUILDMSG=Stop. -i BUILD_PASS=PASS2 LINKONLY=1 NOPASS0=1 MAKEDIR_RELATIVE_TO_BASEDIR='
8 | 1>f:\programming\class\win64
--------------------------------------------------------------------------------
/[2-4]StringOperationTest/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the driver components of the Windows NT DDK
5 | #
6 |
7 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[2-4]StringOperationTest/objfre_win7_amd64/amd64/SYS_FILE_NAME.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[2-4]StringOperationTest/objfre_win7_amd64/amd64/SYS_FILE_NAME.sys
--------------------------------------------------------------------------------
/[2-4]StringOperationTest/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=SYS_FILE_NAME
2 | TARGETPATH=obj
3 | TARGETTYPE=DRIVER
4 | SOURCES=main.c
5 |
--------------------------------------------------------------------------------
/[2-5]FileOperationTest/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[2-5]FileOperationTest/MyDriver.c
--------------------------------------------------------------------------------
/[2-5]FileOperationTest/buildfre_win7_amd64.log:
--------------------------------------------------------------------------------
1 | BUILD: corrupt database (Directory error)
2 | BUILD: Computing Include file dependencies:
3 | BUILD: Examining i:\sellcode\win64oacr invalidate root:amd64fre /autocleanqueue
4 | 1>Compiling and Linking i:\sellcode\win641>'nmake.exe /nologo BUILDMSG=Stop. -i BUILD_PASS=PASS2 LINKONLY=1 NOPASS0=1 MAKEDIR_RELATIVE_TO_BASEDIR='
5 | 1>i:\sellcode\win641> C:\WinDDK\7600.16385.1\Bin\amd64\oacr\oacrlink /out:i:\sellcode\win641>Microsoft (R) Incremental Linker Version 9.00.30729.207
6 | 1>Copyright (C) Microsoft Corporation. All rights reserved.
7 | 1>/MERGE:_PAGE=PAGE
8 | 1>/MERGE:_TEXT=.text
9 | 1>/SECTION:INIT,d
10 | 1>/OPT:REF
11 | 1>/OPT:ICF
12 | 1>/IGNORE:4198,4010,4037,4039,4065,4070,4078,4087,4089,4221,4108,4088,4218,4218,4235
13 | 1>/INCREMENTAL:NO
14 | 1>/release
15 | 1>/NODEFAULTLIB
16 | 1>/WX
17 | 1>/debug
18 | 1>/debugtype:cv,fixup,pdata
19 | 1>/version:6.1
20 | 1>/osversion:6.1
21 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\hotpatch.obj
22 | 1>/functionpadmin:6
23 | 1>/pdbcompress
24 | 1>/STACK:0x40000,0x1000
25 | 1>/driver
26 | 1>/base:0x10000
27 | 1>/subsystem:native,6.01
28 | 1>/entry:GsDriverEntry
29 | 1>/out:i:\sellcode\win641>i:\sellcode\win641>C:\WinDDK\7600.16385.1\lib\win7\amd64\BufferOverflowK.lib
30 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\ntoskrnl.lib
31 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\hal.lib
32 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\wmilib.lib
33 | 1>mydriver.obj : MSIL .netmodule or module compiled with /GL found; restarting link with /LTCG; add /LTCG to the link command line to improve linker performance
34 | 1>Microsoft (R) Incremental Linker Version 9.00.30729.207
35 | 1>Copyright (C) Microsoft Corporation. All rights reserved.
36 | 1>/MERGE:_PAGE=PAGE
37 | 1>/MERGE:_TEXT=.text
38 | 1>/SECTION:INIT,d
39 | 1>/OPT:REF
40 | 1>/OPT:ICF
41 | 1>/IGNORE:4198,4010,4037,4039,4065,4070,4078,4087,4089,4221,4108,4088,4218,4218,4235
42 | 1>/INCREMENTAL:NO
43 | 1>/release
44 | 1>/NODEFAULTLIB
45 | 1>/WX
46 | 1>/debug
47 | 1>/debugtype:cv,fixup,pdata
48 | 1>/version:6.1
49 | 1>/osversion:6.1
50 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\hotpatch.obj
51 | 1>/functionpadmin:6
52 | 1>/pdbcompress
53 | 1>/STACK:0x40000,0x1000
54 | 1>/driver
55 | 1>/base:0x10000
56 | 1>/subsystem:native,6.01
57 | 1>/entry:GsDriverEntry
58 | 1>/out:i:\sellcode\win641>i:\sellcode\win641>C:\WinDDK\7600.16385.1\lib\win7\amd64\BufferOverflowK.lib
59 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\ntoskrnl.lib
60 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\hal.lib
61 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\wmilib.lib
62 | 1>Generating code
63 | 1>Finished generating code
64 |
--------------------------------------------------------------------------------
/[2-5]FileOperationTest/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[2-5]FileOperationTest/objfre_win7_amd64/amd64/MyDriver.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[2-5]FileOperationTest/objfre_win7_amd64/amd64/MyDriver.sys
--------------------------------------------------------------------------------
/[2-5]FileOperationTest/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=MyDriver
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[2-6]RegistryOperationTest/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the driver components of the Windows NT DDK
5 | #
6 |
7 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[2-6]RegistryOperationTest/objfre_win7_amd64/amd64/SYS_FILE_NAME.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[2-6]RegistryOperationTest/objfre_win7_amd64/amd64/SYS_FILE_NAME.sys
--------------------------------------------------------------------------------
/[2-6]RegistryOperationTest/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=SYS_FILE_NAME
2 | TARGETPATH=obj
3 | TARGETTYPE=DRIVER
4 | SOURCES=main.c
5 |
--------------------------------------------------------------------------------
/[2-7]ProcessOperationTest/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the driver components of the Windows NT DDK
5 | #
6 |
7 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[2-7]ProcessOperationTest/objfre_win7_amd64/amd64/SYS_FILE_NAME.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[2-7]ProcessOperationTest/objfre_win7_amd64/amd64/SYS_FILE_NAME.sys
--------------------------------------------------------------------------------
/[2-7]ProcessOperationTest/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=SYS_FILE_NAME
2 | TARGETPATH=obj
3 | TARGETTYPE=DRIVER
4 | SOURCES=main.c
5 |
--------------------------------------------------------------------------------
/[2-8]OtherFunction/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[2-8]OtherFunction/MyDriver.c
--------------------------------------------------------------------------------
/[2-8]OtherFunction/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[2-8]OtherFunction/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=MyDriver
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[3-1]Wow64&CompatibleMode/WOW64相关测试代码/bin/Release/TestWow64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-1]Wow64&CompatibleMode/WOW64相关测试代码/bin/Release/TestWow64.exe
--------------------------------------------------------------------------------
/[3-1]Wow64&CompatibleMode/兼容模式相关测试代码/_VB_CODE/CCM.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-1]Wow64&CompatibleMode/兼容模式相关测试代码/_VB_CODE/CCM.exe
--------------------------------------------------------------------------------
/[3-1]Wow64&CompatibleMode/兼容模式相关测试代码/_VB_CODE/CCM.vbp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-1]Wow64&CompatibleMode/兼容模式相关测试代码/_VB_CODE/CCM.vbp
--------------------------------------------------------------------------------
/[3-1]Wow64&CompatibleMode/兼容模式相关测试代码/_VB_CODE/CCM.vbw:
--------------------------------------------------------------------------------
1 | Form1 = 109, 109, 1039, 653, , 21, 21, 951, 565, C
2 |
--------------------------------------------------------------------------------
/[3-1]Wow64&CompatibleMode/兼容模式相关测试代码/_VB_CODE/Form1.frm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-1]Wow64&CompatibleMode/兼容模式相关测试代码/_VB_CODE/Form1.frm
--------------------------------------------------------------------------------
/[3-1]Wow64&CompatibleMode/兼容模式相关测试代码/bin/Release/CCM.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-1]Wow64&CompatibleMode/兼容模式相关测试代码/bin/Release/CCM.exe
--------------------------------------------------------------------------------
/[3-1]Wow64&CompatibleMode/兼容模式相关测试代码/main.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
/* Function-pointer type for ntdll!RtlGetVersion (returns an NTSTATUS, declared
   as long here). It is resolved at run time with GetProcAddress below,
   presumably because this user-mode build has no import library exporting it. */
typedef long (__stdcall *RTLGETVERSION)(POSVERSIONINFO);
6 |
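int main()
{
    /* Prints the OS build number obtained two ways so they can be compared:
       GetVersionEx (Win32) and RtlGetVersion looked up directly in ntdll.
       The author's intent is presumably to show that only the former is
       altered by application-compatibility mode -- confirm on a target box. */
    RTLGETVERSION RtlGetVersion=(RTLGETVERSION)GetProcAddress(GetModuleHandleA("ntdll.dll"),"RtlGetVersion");
    OSVERSIONINFO osv1={0},osv2={0};

    //way 1
    osv1.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
    /* dwBuildNumber is a DWORD, so %lu rather than %ld. */
    if (GetVersionEx(&osv1))
        printf("Get Build Number by GetVersionEx: %lu\n",osv1.dwBuildNumber);
    else
        printf("GetVersionEx failed: %lu\n",GetLastError());

    //way 2
    /* GetProcAddress returns NULL if the export is missing; calling through a
       NULL pointer would crash, so check first. */
    if (RtlGetVersion)
    {
        osv2.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
        if (RtlGetVersion(&osv2) >= 0)   /* NTSTATUS: non-negative is success */
            printf("Get Build Number by RtlGetVersion: %lu\n",osv2.dwBuildNumber);
        else
            printf("RtlGetVersion failed\n");
    }
    else
    {
        printf("RtlGetVersion not found in ntdll.dll\n");
    }

    //show info
    getchar();
    return 0;
}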
23 |
--------------------------------------------------------------------------------
/[3-2]DisableWin7KPP&DSE/ASM/patch.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-2]DisableWin7KPP&DSE/ASM/patch.exe
--------------------------------------------------------------------------------
/[3-2]DisableWin7KPP&DSE/ASM/一键破解.cmd:
--------------------------------------------------------------------------------
@ECHO OFF
REM Creates a second boot entry that starts the patched copies of the boot
REM loader and kernel written by patch.exe, with loader integrity checks
REM disabled. The original entry is left in place.
REM Defender note: the result is fully visible in "bcdedit /enum" - an
REM OSLOADER entry whose path and kernel elements name non-standard binaries
REM and which sets nointegritychecks and testsigning indicates that driver
REM signature enforcement has been disabled on the host.

ECHO.
ECHO Creating patched copies of winload, ntkrnlmp/ntoskrnl...
ECHO.
REM patch.exe is expected in the current directory; its exit status is not checked.
patch.exe

ECHO.
ECHO Creating BCD Entry...
ECHO.
REM Fixed GUID so re-running the script addresses the same entry.
set ENTRY_GUID={46595952-454E-4F50-4747-554944FFFFFF}
bcdedit -create %ENTRY_GUID% -d "DriverSigning&PatchGuard Disabled" -application OSLOADER
REM Boot from the current system drive, but load the patched loader and
REM kernel instead of winload.exe and ntoskrnl.exe.
bcdedit -set %ENTRY_GUID% device partition=%SYSTEMDRIVE%
bcdedit -set %ENTRY_GUID% osdevice partition=%SYSTEMDRIVE%
bcdedit -set %ENTRY_GUID% systemroot \Windows
bcdedit -set %ENTRY_GUID% path \Windows\system32\freeload.exe
bcdedit -set %ENTRY_GUID% kernel goodkrnl.exe
REM No automatic WinRE fallback, DEP policy OptOut, loader integrity checks
REM off, test-signed kernel code allowed.
bcdedit -set %ENTRY_GUID% recoveryenabled 0
bcdedit -set %ENTRY_GUID% nx OptOut
bcdedit -set %ENTRY_GUID% nointegritychecks 1
bcdedit -set %ENTRY_GUID% testsigning 1
REM Append to the boot menu, 5 second menu timeout, make it the default choice.
bcdedit -displayorder %ENTRY_GUID% -addlast
bcdedit -timeout 5
bcdedit -default %ENTRY_GUID%

ECHO.
ECHO Setting PEAUTH service to manual... (avoid BSOD at login screen)
ECHO.
REM peauth is the Protected Environment Authentication driver. Per the
REM author's note above, leaving it on automatic start crashes the patched
REM kernel at the logon screen; demand start keeps it from loading at boot.
sc config peauth start= demand

ECHO.
ECHO Complete!
ECHO.
PAUSE
35 |
--------------------------------------------------------------------------------
/[3-2]DisableWin7KPP&DSE/ASM/编译.bat:
--------------------------------------------------------------------------------
set fasmbin=\asm\fasm\bin
set fasminc=\asm\fasm\include
@echo off
REM The two paths above are drive-relative, so they resolve against the root
REM of the current drive. fasminc is set but not referenced in this script -
REM presumably meant for fasm's INCLUDE environment variable, TODO confirm.
REM Remove a stale binary first so a failed assembly cannot leave an old
REM patch.exe behind.
if exist patch.exe del patch.exe
%fasmbin%\fasm.exe patch.asm
pause
7 |
--------------------------------------------------------------------------------
/[3-2]DisableWin7KPP&DSE/VC/disable_pgds.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "disable_pgds", "disable_pgds.vcxproj", "{A4335429-5109-4198-B541-E3AC53E11C91}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {A4335429-5109-4198-B541-E3AC53E11C91}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {A4335429-5109-4198-B541-E3AC53E11C91}.Debug|Win32.Build.0 = Debug|Win32
16 | {A4335429-5109-4198-B541-E3AC53E11C91}.Debug|x64.ActiveCfg = Debug|x64
17 | {A4335429-5109-4198-B541-E3AC53E11C91}.Debug|x64.Build.0 = Debug|x64
18 | {A4335429-5109-4198-B541-E3AC53E11C91}.Release|Win32.ActiveCfg = Release|Win32
19 | {A4335429-5109-4198-B541-E3AC53E11C91}.Release|Win32.Build.0 = Release|Win32
20 | {A4335429-5109-4198-B541-E3AC53E11C91}.Release|x64.ActiveCfg = Release|x64
21 | {A4335429-5109-4198-B541-E3AC53E11C91}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/[3-2]DisableWin7KPP&DSE/VC/disable_pgds.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 |
--------------------------------------------------------------------------------
/[3-2]DisableWin7KPP&DSE/VC/disable_pgds.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/[3-2]DisableWin7KPP&DSE/VC/x64/Release/disable_pgds.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-2]DisableWin7KPP&DSE/VC/x64/Release/disable_pgds.exe
--------------------------------------------------------------------------------
/[3-2]DisableWin7KPP&DSE/VC/说明.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-2]DisableWin7KPP&DSE/VC/说明.txt
--------------------------------------------------------------------------------
/[3-3]CalcSSDTFuncAddr/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-3]CalcSSDTFuncAddr/MyDriver.c
--------------------------------------------------------------------------------
/[3-3]CalcSSDTFuncAddr/MyDriver.h:
--------------------------------------------------------------------------------
1 | #include
2 |
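/* Debug trace, inert in fre builds (DBG is 0 there). Written as a
   function-like macro wrapped in do/while(0) so it expands to exactly one
   statement: the bare "if (DBG) DbgPrint" form captured the else-branch of
   any if statement it was used in. Call sites of the form dprintf("...", x)
   are unchanged. */
#define dprintf(...) do { if (DBG) DbgPrint(__VA_ARGS__); } while (0)

/* Device object name and the user-mode symbolic links. The Global link is
   reachable from every session, not only the one that loaded the driver. */
#define DEVICE_NAME L"\\Device\\MyDriver"
#define LINK_NAME L"\\DosDevices\\MyDriver"
#define LINK_GLOBAL_NAME L"\\DosDevices\\Global\\MyDriver"

/* Control codes. All use FILE_ANY_ACCESS, so the I/O manager enforces no
   particular access right on the handle: any caller that can open the device
   can issue every code. Opening is governed only by the device object's
   security descriptor; unless the device is created with a restrictive one
   (e.g. via IoCreateDeviceSecure), these codes are reachable from
   unprivileged processes. Changing the access class would change the code
   values and break the existing user-mode client, so it is noted here rather
   than changed. */
#define IOCTL_ULR3IN CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS) //In LONG
#define IOCTL_USR3IN CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS) //In BSTR
#define IOCTL_GetKPEB CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS) //Out LONG
#define IOCTL_GetBSTR CTL_CODE(FILE_DEVICE_UNKNOWN, 0x804, METHOD_BUFFERED, FILE_ANY_ACCESS) //Out BSTR
#define IOCTL_ReInline CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_BUFFERED, FILE_ANY_ACCESS) //Test Call Only
#define IOCTL_Struct CTL_CODE(FILE_DEVICE_UNKNOWN, 0x805, METHOD_BUFFERED, FILE_ANY_ACCESS) //I+O Struct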
--------------------------------------------------------------------------------
/[3-3]CalcSSDTFuncAddr/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[3-3]CalcSSDTFuncAddr/objfre_win7_amd64/amd64/MyDriver.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-3]CalcSSDTFuncAddr/objfre_win7_amd64/amd64/MyDriver.sys
--------------------------------------------------------------------------------
/[3-3]CalcSSDTFuncAddr/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=MyDriver
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/hook/LoadDrv.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-4]SSDTHookUnhook/hook/LoadDrv.exe
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/hook/hookssdt_x64.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-4]SSDTHookUnhook/hook/hookssdt_x64.sys
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/hook/src/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-4]SSDTHookUnhook/hook/src/MyDriver.c
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/hook/src/MyDriver.h:
--------------------------------------------------------------------------------
1 | #include
2 |
/* Trace macro: a plain alias for DbgPrint, not gated on DBG, so it prints in
   fre builds as well. */
#define dprintf DbgPrint

/* Device object name and the user-mode symbolic links. The Global link is
   reachable from every session, not only the one that loaded the driver. */
#define DEVICE_NAME L"\\Device\\hookssdt_x64"
#define LINK_NAME L"\\DosDevices\\hookssdt_x64"
#define LINK_GLOBAL_NAME L"\\DosDevices\\Global\\hookssdt_x64"

/* Control codes. All use FILE_ANY_ACCESS, so the I/O manager enforces no
   particular access right on the handle: any caller that can open the device
   can issue every code. Opening is governed only by the device object's
   security descriptor; unless the device is created with a restrictive one
   (e.g. via IoCreateDeviceSecure), these codes are reachable from
   unprivileged processes. */
#define IOCTL_ULR3IN CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS) //In LONG
#define IOCTL_USR3IN CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS) //In BSTR
#define IOCTL_GetKPEB CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS) //Out LONG
#define IOCTL_GetBSTR CTL_CODE(FILE_DEVICE_UNKNOWN, 0x804, METHOD_BUFFERED, FILE_ANY_ACCESS) //Out BSTR
#define IOCTL_ReInline CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_BUFFERED, FILE_ANY_ACCESS) //Test Call Only
#define IOCTL_Struct CTL_CODE(FILE_DEVICE_UNKNOWN, 0x805, METHOD_BUFFERED, FILE_ANY_ACCESS) //I+O Struct
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/hook/src/hookssdt.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-4]SSDTHookUnhook/hook/src/hookssdt.h
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/hook/src/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/hook/src/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=hookssdt_x64
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/hook/说明.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-4]SSDTHookUnhook/hook/说明.txt
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_exe.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_exe.exe
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_exe/EnumSSDT_x64_exe.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumSSDT_x64_exe", "EnumSSDT_x64_exe\EnumSSDT_x64_exe.vcxproj", "{FDD935F0-C907-472B-8671-3B4958AE66E2}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {FDD935F0-C907-472B-8671-3B4958AE66E2}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {FDD935F0-C907-472B-8671-3B4958AE66E2}.Debug|Win32.Build.0 = Debug|Win32
16 | {FDD935F0-C907-472B-8671-3B4958AE66E2}.Debug|x64.ActiveCfg = Debug|x64
17 | {FDD935F0-C907-472B-8671-3B4958AE66E2}.Debug|x64.Build.0 = Debug|x64
18 | {FDD935F0-C907-472B-8671-3B4958AE66E2}.Release|Win32.ActiveCfg = Release|Win32
19 | {FDD935F0-C907-472B-8671-3B4958AE66E2}.Release|Win32.Build.0 = Release|Win32
20 | {FDD935F0-C907-472B-8671-3B4958AE66E2}.Release|x64.ActiveCfg = Release|x64
21 | {FDD935F0-C907-472B-8671-3B4958AE66E2}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_exe/EnumSSDT_x64_exe.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_exe/EnumSSDT_x64_exe.suo
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_exe/EnumSSDT_x64_exe/DrvCtrl.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_exe/EnumSSDT_x64_exe/DrvCtrl.h
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_exe/EnumSSDT_x64_exe/EnumSSDT_x64_exe.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 |
23 |
24 | 头文件
25 |
26 |
27 | 头文件
28 |
29 |
30 |
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_exe/EnumSSDT_x64_exe/EnumSSDT_x64_exe.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_exe/EnumSSDT_x64_exe/GetNtos.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_exe/EnumSSDT_x64_exe/GetNtos.h
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_exe/EnumSSDT_x64_exe/main.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_exe/EnumSSDT_x64_exe/main.cpp
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_sys/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_sys/MyDriver.c
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_sys/MyDriver.h:
--------------------------------------------------------------------------------
1 | #include
2 |
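/* Debug trace, inert in fre builds (DBG is 0 there). Written as a
   function-like macro wrapped in do/while(0) so it expands to exactly one
   statement: the bare "if (DBG) DbgPrint" form captured the else-branch of
   any if statement it was used in. Call sites of the form dprintf("...", x)
   are unchanged. */
#define dprintf(...) do { if (DBG) DbgPrint(__VA_ARGS__); } while (0)

/* Device object name and the user-mode symbolic links. The Global link is
   reachable from every session, not only the one that loaded the driver. */
#define DEVICE_NAME L"\\Device\\emSSDT64"
#define LINK_NAME L"\\DosDevices\\emSSDT64"
#define LINK_GLOBAL_NAME L"\\DosDevices\\Global\\emSSDT64"

/* Control codes. All use FILE_ANY_ACCESS, so the I/O manager enforces no
   particular access right on the handle: any caller that can open the device
   can issue every code. Opening is governed only by the device object's
   security descriptor; unless the device is created with a restrictive one
   (e.g. via IoCreateDeviceSecure), an unprivileged caller can both reset the
   SSDT and read back the KiServiceTable / function addresses, which discloses
   kernel pointers. Changing the access class would change the code values and
   break the existing user-mode client, so it is noted here rather than changed. */
#define IOCTL_ClrSSDTHOOK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS) //Clear ssdt hook
#define IOCTL_GetKiSrvTab CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS) //Get KiServiceTable
#define IOCTL_GetFuncAddr CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS) //Get function address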
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_sys/buildfre_win7_amd64.wrn:
--------------------------------------------------------------------------------
1 | warnings in directory z:\
2 | mydriver.c and ..\mydriver.c exist
3 |
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_sys/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/unhook/EnumSSDT_x64_sys/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=emSSDT64
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[3-4]SSDTHookUnhook/unhook/emSSDT64.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-4]SSDTHookUnhook/unhook/emSSDT64.sys
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/hook/Fuck3SDT.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-5]SSSDTHookUnhook/hook/Fuck3SDT.sys
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/hook/KillProcessByPostMessage.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-5]SSSDTHookUnhook/hook/KillProcessByPostMessage.exe
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/hook/KillProcessByPostMessage/main.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
/*
 * Interactive user-mode exerciser, presumably paired with the
 * SSSDTHook_NtUserPostMessage driver elsewhere on this page (the driver source is
 * not shown). Reads a process id, probes candidate window-handle values, and for
 * every visible window owned by that process posts each message id 0..0xFFFF,
 * then waits for Enter and starts over. The function never returns.
 */
int main()
{
    DWORD pid, wpid, i, j;
    HWND hWnd;
st:
    system("cls");
    printf("Input pid: ");
    /* pid is a DWORD (unsigned long) but "%ld" expects a signed long; "%lu" is the
       matching specifier. The return value is not checked, so non-numeric input
       leaves pid holding whatever it held before (indeterminate on the first pass). */
    scanf("%ld", &pid);
    /* Handle values are probed by brute force rather than enumerated: i is an
       integer passed where an HWND is expected (implicit integer-to-pointer
       conversion, which C accepts with a warning). Only even values are tried. */
    for (i = 100; i < 0xffffff; i += 2)
    {
        /* wpid is only written when the call succeeds; for a value that is not a
           window it keeps the previous iteration's value (the API returns 0 and, as
           far as this code shows, leaves the out-parameter untouched -- confirm), so
           a stale match from the last valid window can repeat on later values. */
        GetWindowThreadProcessId(i, &wpid);
        /* IsWindowVisible returns a BOOL; comparing it with 1 instead of testing
           for non-zero is fragile. */
        if (wpid == pid && IsWindowVisible((HWND)i) == 1)
        {
            hWnd = i;
            for (j = 0; j < 0x10000; j++)
            {
                PostMessage(hWnd, j, 0, 0);
            }
        }
    }
    printf("OK!");
    /* First call consumes the newline scanf left in the input buffer; the second
       blocks until the user presses Enter. */
    getchar();
    getchar();
    goto st; /* unconditional restart, so the return below is unreachable */
    return 0;
}
31 |
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/hook/MyDriver.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-5]SSSDTHookUnhook/hook/MyDriver.exe
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/hook/SSSDTHook_NtUserPostMessage/exe/MSSCCPRJ.SCC:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-5]SSSDTHookUnhook/hook/SSSDTHook_NtUserPostMessage/exe/MSSCCPRJ.SCC
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/hook/SSSDTHook_NtUserPostMessage/exe/MyDriver.vbp:
--------------------------------------------------------------------------------
1 | Type=Exe
2 | Reference=*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\SysWOW64\stdole2.tlb#OLE Automation
3 | Class=cls_Driver; cls_Driver.cls
4 | Form=frm_Main.frm
5 | Module=mod_DrvFunc; mod_DrvFunc.bas
6 | Startup="frm_Main"
7 | HelpFile=""
8 | Title="MyDriver"
9 | ExeName32="MyDriver.exe"
10 | Command32=""
11 | Name="MyDriver"
12 | HelpContextID="0"
13 | CompatibleMode="0"
14 | MajorVer=1
15 | MinorVer=0
16 | RevisionVer=0
17 | AutoIncrementVer=0
18 | ServerSupportFiles=0
19 | VersionCompanyName="Tesla.Angela"
20 | CompilationType=0
21 | OptimizationType=0
22 | FavorPentiumPro(tm)=0
23 | CodeViewDebugInfo=0
24 | NoAliasing=0
25 | BoundsCheck=0
26 | OverflowCheck=0
27 | FlPointCheck=0
28 | FDIVCheck=0
29 | UnroundedFP=0
30 | StartMode=0
31 | Unattended=0
32 | Retained=0
33 | ThreadPerObject=0
34 | MaxNumberOfThreads=1
35 |
36 | [MS Transaction Server]
37 | AutoRefresh=1
38 |
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/hook/SSSDTHook_NtUserPostMessage/exe/MyDriver.vbw:
--------------------------------------------------------------------------------
1 | cls_Driver = 46, 45, 629, 474, C
2 | frm_Main = 69, 69, 656, 497, Z, 46, 46, 633, 474, C
3 | mod_DrvFunc = 23, 23, 610, 451, C
4 |
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/hook/SSSDTHook_NtUserPostMessage/exe/cls_Driver.cls:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-5]SSSDTHookUnhook/hook/SSSDTHook_NtUserPostMessage/exe/cls_Driver.cls
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/hook/SSSDTHook_NtUserPostMessage/exe/frm_Main.frm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-5]SSSDTHookUnhook/hook/SSSDTHook_NtUserPostMessage/exe/frm_Main.frm
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/hook/SSSDTHook_NtUserPostMessage/exe/mod_DrvFunc.bas:
--------------------------------------------------------------------------------
Attribute VB_Name = "mod_DrvFunc"
Option Explicit

' Shared driver-control object; "As New" means it is instantiated on first use.
' cls_Driver is a separate class module that is not on this page.
Public DrvController As New cls_Driver

' Declared but not used by the two subs in this module (other modules are not
' visible here). Pointers are passed as 32-bit Longs, which matches a 32-bit VB6
' process only.
Public Declare Sub CopyMemory Lib "ntdll" Alias "RtlMoveMemory" (ByVal pDst As Long, ByVal pSrc As Long, ByVal BLen As Long)
Public Declare Function GetCurrentProcessId Lib "kernel32" () As Long
8 |
' Sends the driver the control request with function code &H800 (IOCTL_HOOK in the
' sibling MyDriver.h). No input or output buffer is supplied.
Public Sub HOOK_SSSDT()
    Call DrvController.IoControl(DrvController.CTL_CODE_GEN(&H800), 0, 0, 0, 0)
End Sub
14 |
' Sends the driver the control request with function code &H801 (IOCTL_UNHOOK in
' the sibling MyDriver.h). No input or output buffer is supplied.
Public Sub UNHOOK_SSSDT()
    Call DrvController.IoControl(DrvController.CTL_CODE_GEN(&H801), 0, 0, 0, 0)
End Sub
20 |
21 |
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/hook/SSSDTHook_NtUserPostMessage/sys/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-5]SSSDTHookUnhook/hook/SSSDTHook_NtUserPostMessage/sys/MyDriver.c
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/hook/SSSDTHook_NtUserPostMessage/sys/MyDriver.h:
--------------------------------------------------------------------------------
/* NOTE(review): the include target was lost in extraction -- restore it from the
   original file (presumably the WDK kernel-mode header). */
#include

/* Trace macro. Expands to an `if` statement, so `dprintf(...)` followed directly
   by `else` binds that else to the DBG test -- brace it inside if/else. DBG comes
   from the build environment, not from this page. */
#define dprintf if (DBG) DbgPrint

/* Kernel device object name and the symbolic links user mode opens it by. */
#define DEVICE_NAME L"\\Device\\Fuck3SDT"
#define LINK_NAME L"\\DosDevices\\Fuck3SDT"
#define LINK_GLOBAL_NAME L"\\DosDevices\\Global\\Fuck3SDT"

/* Control codes 0x800/0x801 match the &H800/&H801 values that mod_DrvFunc.bas on
   this page sends. The "In LONG" / "In BSTR" annotations look stale: that caller
   passes zero-length input and output buffers for both -- confirm against the
   handler in MyDriver.c (not on this page). FILE_ANY_ACCESS: no particular access
   right on the device handle is required, so the device object's own security is
   the only gate on who can issue these. */
#define IOCTL_HOOK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS) //In LONG
#define IOCTL_UNHOOK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS) //In BSTR
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/hook/SSSDTHook_NtUserPostMessage/sys/hook3sdt.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-5]SSSDTHookUnhook/hook/SSSDTHook_NtUserPostMessage/sys/hook3sdt.h
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/hook/SSSDTHook_NtUserPostMessage/sys/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/hook/SSSDTHook_NtUserPostMessage/sys/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=Fuck3SDT
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/unhook/EnumSSSDT64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-5]SSSDTHookUnhook/unhook/EnumSSSDT64.exe
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/unhook/SSSDTx64.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-5]SSSDTHookUnhook/unhook/SSSDTx64.sys
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/unhook/exe/DrvCtrl.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-5]SSSDTHookUnhook/unhook/exe/DrvCtrl.h
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/unhook/exe/EnumDrv.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-5]SSSDTHookUnhook/unhook/exe/EnumDrv.h
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/unhook/exe/EnumSSSDT64.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumSSSDT64", "EnumSSSDT64.vcxproj", "{EEBD7B47-9840-4445-8E53-72EF7248F82E}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {EEBD7B47-9840-4445-8E53-72EF7248F82E}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {EEBD7B47-9840-4445-8E53-72EF7248F82E}.Debug|Win32.Build.0 = Debug|Win32
16 | {EEBD7B47-9840-4445-8E53-72EF7248F82E}.Debug|x64.ActiveCfg = Debug|x64
17 | {EEBD7B47-9840-4445-8E53-72EF7248F82E}.Debug|x64.Build.0 = Debug|x64
18 | {EEBD7B47-9840-4445-8E53-72EF7248F82E}.Release|Win32.ActiveCfg = Release|Win32
19 | {EEBD7B47-9840-4445-8E53-72EF7248F82E}.Release|Win32.Build.0 = Release|Win32
20 | {EEBD7B47-9840-4445-8E53-72EF7248F82E}.Release|x64.ActiveCfg = Release|x64
21 | {EEBD7B47-9840-4445-8E53-72EF7248F82E}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/unhook/exe/EnumSSSDT64.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-5]SSSDTHookUnhook/unhook/exe/EnumSSSDT64.suo
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/unhook/exe/EnumSSSDT64.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 头文件
20 |
21 |
22 | 头文件
23 |
24 |
25 |
26 |
27 | 源文件
28 |
29 |
30 |
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/unhook/exe/EnumSSSDT64.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/unhook/exe/main.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-5]SSSDTHookUnhook/unhook/exe/main.cpp
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/unhook/sys/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-5]SSSDTHookUnhook/unhook/sys/MyDriver.c
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/unhook/sys/MyDriver.h:
--------------------------------------------------------------------------------
/* NOTE(review): the include target was lost in extraction -- restore it from the
   original file (presumably the WDK kernel-mode header). */
#include

/* Trace macro. Expands to an `if` statement, so `dprintf(...)` followed directly
   by `else` binds that else to the DBG test -- brace it inside if/else. DBG comes
   from the build environment, not from this page. */
#define dprintf if (DBG) DbgPrint

/* Kernel device object name and the symbolic links user mode opens it by. */
#define DEVICE_NAME L"\\Device\\SSSDTx64"
#define LINK_NAME L"\\DosDevices\\SSSDTx64"
#define LINK_GLOBAL_NAME L"\\DosDevices\\Global\\SSSDTx64"

/* Control codes, custom function range 0x806-0x808, METHOD_BUFFERED. The names
   suggest: return the win32k service table address, return a table entry's
   address, and restore a table entry -- the handlers are in MyDriver.c (not on
   this page), so confirm the buffer contracts there. FILE_ANY_ACCESS: no
   particular access right on the device handle is required, so the device
   object's own security is the only gate on who can issue these. */
#define IOCTL_GET_W32PSRVT CTL_CODE(FILE_DEVICE_UNKNOWN, 0x806, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GET_3SDTADDR CTL_CODE(FILE_DEVICE_UNKNOWN, 0x807, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_UNHOOK_SSSDT CTL_CODE(FILE_DEVICE_UNKNOWN, 0x808, METHOD_BUFFERED, FILE_ANY_ACCESS)
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/unhook/sys/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[3-5]SSSDTHookUnhook/unhook/sys/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=SSSDTx64
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/hook/exe/MSSCCPRJ.SCC:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-6]InlineHookUnhook/hook/exe/MSSCCPRJ.SCC
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/hook/exe/MyDriver.vbp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-6]InlineHookUnhook/hook/exe/MyDriver.vbp
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/hook/exe/MyDriver.vbw:
--------------------------------------------------------------------------------
1 | cls_Driver = 46, 45, 629, 474, C
2 | frm_Main = 69, 69, 656, 497, , 46, 46, 633, 474, C
3 | mod_DrvFunc = 23, 23, 610, 451, C
4 |
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/hook/exe/cls_Driver.cls:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-6]InlineHookUnhook/hook/exe/cls_Driver.cls
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/hook/exe/frm_Main.frm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-6]InlineHookUnhook/hook/exe/frm_Main.frm
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/hook/exe/mod_DrvFunc.bas:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-6]InlineHookUnhook/hook/exe/mod_DrvFunc.bas
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/hook/hook_ps.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-6]InlineHookUnhook/hook/hook_ps.exe
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/hook/hook_ps.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-6]InlineHookUnhook/hook/hook_ps.sys
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/hook/sys/HookFunc.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-6]InlineHookUnhook/hook/sys/HookFunc.h
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/hook/sys/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-6]InlineHookUnhook/hook/sys/MyDriver.c
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/hook/sys/MyDriver.h:
--------------------------------------------------------------------------------
/* NOTE(review): the include target was lost in extraction -- restore it from the
   original file (presumably the WDK kernel-mode header). */
#include

/* Both trace macros map straight to DbgPrint, so unlike the other headers on
   this page they are not gated on DBG and print in free builds too. */
#define dprintf DbgPrint
#define nprintf DbgPrint

/* Kernel device object name and the symbolic links user mode opens it by. */
#define DEVICE_NAME L"\\Device\\hook_ps"
#define LINK_NAME L"\\DosDevices\\hook_ps"
#define LINK_GLOBAL_NAME L"\\DosDevices\\Global\\hook_ps"

/* Single control code (function 0x803, METHOD_BUFFERED). FILE_ANY_ACCESS: no
   particular access right on the device handle is required, so the device
   object's own security is the only gate. Handler is in MyDriver.c (not shown). */
#define IOCTL_TEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_BUFFERED, FILE_ANY_ACCESS)

/* Handle filled in by OccupyTaskhost() below. This is a definition, not an
   extern declaration, so the header may only be included from one translation
   unit -- true for this build (`sources` lists MyDriver.c only). Nothing on this
   page closes it; presumably DriverUnload does (confirm in MyDriver.c). */
HANDLE FileHandle;
13 |
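/*
 * Opens C:\WINDOWS\system32\taskhost.exe for read with ShareAccess 0 and stores
 * the handle in the file-scope FileHandle. While that handle stays open, other
 * attempts to open the file fail with a sharing violation. The handle is not
 * closed here; whoever owns the unload path (presumably DriverUnload in
 * MyDriver.c, not on this page) must ZwClose it, or the file stays locked until
 * the driver is unloaded.
 *
 * ZwCreateFile requires PASSIVE_LEVEL (per WDK documentation). Failure is only
 * traced with DbgPrint; callers can detect it by FileHandle being NULL.
 */
VOID OccupyTaskhost()
{
    NTSTATUS ntStatus;
    OBJECT_ATTRIBUTES ObjectAttributes;
    UNICODE_STRING UniFileName;
    IO_STATUS_BLOCK IoStatusBlock;
    /* NT-style path (\??\ prefix), as ZwCreateFile expects. */
    PCWSTR FileName = L"\\??\\C:\\WINDOWS\\system32\\taskhost.exe";

    RtlInitUnicodeString(&UniFileName, FileName);
    /* OBJ_KERNEL_HANDLE keeps the handle out of the current process's handle table. */
    InitializeObjectAttributes(&ObjectAttributes, &UniFileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    /* FILE_OPEN rather than FILE_OPEN_IF: the intent is to take a handle to an
       existing binary, never to create one. With FILE_OPEN_IF a missing
       taskhost.exe would have been silently created as an empty file in system32. */
    ntStatus = ZwCreateFile(&FileHandle, GENERIC_READ, &ObjectAttributes, &IoStatusBlock,
                            0, FILE_ATTRIBUTE_NORMAL, 0 /* ShareAccess: exclusive */, FILE_OPEN,
                            FILE_NON_DIRECTORY_FILE, NULL, 0);
    if (!NT_SUCCESS(ntStatus))
    {
        /* Leave a well-defined value behind so callers can test for failure. */
        FileHandle = NULL;
        DbgPrint("[OccupyFile] = %d", ntStatus);
    }
    else
    {
        DbgPrint("[OccupyFile] Success.");
    }
}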
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/hook/sys/buildfre_win7_amd64.wrn:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-6]InlineHookUnhook/hook/sys/buildfre_win7_amd64.wrn
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/hook/sys/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/hook/sys/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=hook_ps
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/unhook/ClrKIH64.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-6]InlineHookUnhook/unhook/ClrKIH64.sys
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/unhook/GetKernelOriCode.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-6]InlineHookUnhook/unhook/GetKernelOriCode.exe
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/unhook/exe/DrvCtrl.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-6]InlineHookUnhook/unhook/exe/DrvCtrl.h
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/unhook/exe/GetKernelOriCode.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "GetKernelOriCode", "GetKernelOriCode.vcxproj", "{B33670E5-EC6D-4F19-BB7B-4972B82D562B}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {B33670E5-EC6D-4F19-BB7B-4972B82D562B}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {B33670E5-EC6D-4F19-BB7B-4972B82D562B}.Debug|Win32.Build.0 = Debug|Win32
16 | {B33670E5-EC6D-4F19-BB7B-4972B82D562B}.Debug|x64.ActiveCfg = Debug|x64
17 | {B33670E5-EC6D-4F19-BB7B-4972B82D562B}.Debug|x64.Build.0 = Debug|x64
18 | {B33670E5-EC6D-4F19-BB7B-4972B82D562B}.Release|Win32.ActiveCfg = Release|Win32
19 | {B33670E5-EC6D-4F19-BB7B-4972B82D562B}.Release|Win32.Build.0 = Release|Win32
20 | {B33670E5-EC6D-4F19-BB7B-4972B82D562B}.Release|x64.ActiveCfg = Release|x64
21 | {B33670E5-EC6D-4F19-BB7B-4972B82D562B}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/unhook/exe/GetKernelOriCode.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-6]InlineHookUnhook/unhook/exe/GetKernelOriCode.suo
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/unhook/exe/GetKernelOriCode.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 |
23 |
24 | 头文件
25 |
26 |
27 |
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/unhook/exe/GetKernelOriCode.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/unhook/exe/main.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-6]InlineHookUnhook/unhook/exe/main.cpp
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/unhook/sys/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[3-6]InlineHookUnhook/unhook/sys/MyDriver.c
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/unhook/sys/MyDriver.h:
--------------------------------------------------------------------------------
/* NOTE(review): the include target was lost in extraction -- restore it from the
   original file (presumably the WDK kernel-mode header). */
#include

/* Trace macro maps straight to DbgPrint: not gated on DBG, so it prints in free
   builds too. */
#define dprintf DbgPrint

/* Kernel device object name and the symbolic links user mode opens it by. */
#define DEVICE_NAME L"\\Device\\ClrKIH64"
#define LINK_NAME L"\\DosDevices\\ClrKIH64"
#define LINK_GLOBAL_NAME L"\\DosDevices\\Global\\ClrKIH64"

/* Control codes (function 0x800/0x801, METHOD_BUFFERED). Per their comments one
   reads the bytes currently at a kernel location and the other writes original
   bytes back; the handlers are in MyDriver.c (not on this page) and should be the
   place where any caller-supplied address and length are validated before kernel
   memory is touched. FILE_ANY_ACCESS: no particular access right on the device
   handle is required, so the device object's own security is the only gate on
   who can issue these. */
#define IOCTL_GET_CUR_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS) //get current code
#define IOCTL_SET_ORI_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS) //clear inline hook
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/unhook/sys/buildfre_win7_amd64.log:
--------------------------------------------------------------------------------
1 | BUILD: corrupt database (Directory error)
2 | BUILD: Computing Include file dependencies:
3 | BUILD: Examining d:\programming\oacr invalidate root:amd64fre /autocleanqueue
4 | 1>Compiling and Linking d:\programming\1>'nmake.exe /nologo BUILDMSG=Stop. -i BUILD_PASS=PASS2 LINKONLY=1 NOPASS0=1 MAKEDIR_RELATIVE_TO_BASEDIR='
5 | 1>d:\programming\1> C:\WinDDK\7600.16385.1\Bin\amd64\oacr\oacrlink /out:d:\programming\1>Microsoft (R) Incremental Linker Version 9.00.30729.207
6 | 1>Copyright (C) Microsoft Corporation. All rights reserved.
7 | 1>/MERGE:_PAGE=PAGE
8 | 1>/MERGE:_TEXT=.text
9 | 1>/SECTION:INIT,d
10 | 1>/OPT:REF
11 | 1>/OPT:ICF
12 | 1>/IGNORE:4198,4010,4037,4039,4065,4070,4078,4087,4089,4221,4108,4088,4218,4218,4235
13 | 1>/INCREMENTAL:NO
14 | 1>/release
15 | 1>/NODEFAULTLIB
16 | 1>/WX
17 | 1>/debug
18 | 1>/debugtype:cv,fixup,pdata
19 | 1>/version:6.1
20 | 1>/osversion:6.1
21 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\hotpatch.obj
22 | 1>/functionpadmin:6
23 | 1>/pdbcompress
24 | 1>/STACK:0x40000,0x1000
25 | 1>/driver
26 | 1>/base:0x10000
27 | 1>/subsystem:native,6.01
28 | 1>/entry:GsDriverEntry
29 | 1>/out:d:\programming\1>d:\programming\1>C:\WinDDK\7600.16385.1\lib\win7\amd64\BufferOverflowK.lib
30 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\ntoskrnl.lib
31 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\hal.lib
32 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\wmilib.lib
33 | 1>mydriver.obj : MSIL .netmodule or module compiled with /GL found; restarting link with /LTCG; add /LTCG to the link command line to improve linker performance
34 | 1>Microsoft (R) Incremental Linker Version 9.00.30729.207
35 | 1>Copyright (C) Microsoft Corporation. All rights reserved.
36 | 1>/MERGE:_PAGE=PAGE
37 | 1>/MERGE:_TEXT=.text
38 | 1>/SECTION:INIT,d
39 | 1>/OPT:REF
40 | 1>/OPT:ICF
41 | 1>/IGNORE:4198,4010,4037,4039,4065,4070,4078,4087,4089,4221,4108,4088,4218,4218,4235
42 | 1>/INCREMENTAL:NO
43 | 1>/release
44 | 1>/NODEFAULTLIB
45 | 1>/WX
46 | 1>/debug
47 | 1>/debugtype:cv,fixup,pdata
48 | 1>/version:6.1
49 | 1>/osversion:6.1
50 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\hotpatch.obj
51 | 1>/functionpadmin:6
52 | 1>/pdbcompress
53 | 1>/STACK:0x40000,0x1000
54 | 1>/driver
55 | 1>/base:0x10000
56 | 1>/subsystem:native,6.01
57 | 1>/entry:GsDriverEntry
58 | 1>/out:d:\programming\1>d:\programming\1>C:\WinDDK\7600.16385.1\lib\win7\amd64\BufferOverflowK.lib
59 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\ntoskrnl.lib
60 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\hal.lib
61 | 1>C:\WinDDK\7600.16385.1\lib\win7\amd64\wmilib.lib
62 | 1>Generating code
63 | 1>Finished generating code
64 |
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/unhook/sys/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[3-6]InlineHookUnhook/unhook/sys/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=ClrKIH64
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[4-1]MonitorCreateExitProcessThread/monitor_create_process_x64.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-1]MonitorCreateExitProcessThread/monitor_create_process_x64.sys
--------------------------------------------------------------------------------
/[4-1]MonitorCreateExitProcessThread/src/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-1]MonitorCreateExitProcessThread/src/MyDriver.c
--------------------------------------------------------------------------------
/[4-1]MonitorCreateExitProcessThread/src/MyDriver.h:
--------------------------------------------------------------------------------
/* NOTE(review): the include target was lost in extraction -- restore it from the
   original file (presumably the WDK kernel-mode header). */
#include

/* Trace macro maps straight to DbgPrint: not gated on DBG, so it prints in free
   builds too. */
#define dprintf DbgPrint
/* Kernel device object name and the symbolic links user mode opens it by. No
   control codes are defined here; the process-notify callback lives in
   ProcessNotify.h / MyDriver.c, which are not on this page. */
#define DEVICE_NAME L"\\Device\\monitor_create_process_x64"
#define LINK_NAME L"\\DosDevices\\monitor_create_process_x64"
#define LINK_GLOBAL_NAME L"\\DosDevices\\Global\\monitor_create_process_x64"
--------------------------------------------------------------------------------
/[4-1]MonitorCreateExitProcessThread/src/ProcessNotify.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-1]MonitorCreateExitProcessThread/src/ProcessNotify.h
--------------------------------------------------------------------------------
/[4-1]MonitorCreateExitProcessThread/src/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[4-1]MonitorCreateExitProcessThread/src/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=monitor_create_process_x64
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 | LINKER_FLAGS=/INTEGRITYCHECK
5 |
6 | INCLUDES=.\
7 |
8 | SOURCES = MyDriver.c
9 |
--------------------------------------------------------------------------------
/[4-1]MonitorCreateExitProcessThread/使用说明.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-1]MonitorCreateExitProcessThread/使用说明.txt
--------------------------------------------------------------------------------
/[4-2]MonitorLoadUnloadDllDriver/LoadImageNotifyX64.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-2]MonitorLoadUnloadDllDriver/LoadImageNotifyX64.sys
--------------------------------------------------------------------------------
/[4-2]MonitorLoadUnloadDllDriver/src/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-2]MonitorLoadUnloadDllDriver/src/MyDriver.c
--------------------------------------------------------------------------------
/[4-2]MonitorLoadUnloadDllDriver/src/MyDriver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-2]MonitorLoadUnloadDllDriver/src/MyDriver.h
--------------------------------------------------------------------------------
/[4-2]MonitorLoadUnloadDllDriver/src/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[4-2]MonitorLoadUnloadDllDriver/src/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=LoadImageNotifyX64
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[4-2]MonitorLoadUnloadDllDriver/测试说明.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-2]MonitorLoadUnloadDllDriver/测试说明.txt
--------------------------------------------------------------------------------
/[4-3]MonitorRegistryOperation/CmRegMonitor_x64.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-3]MonitorRegistryOperation/CmRegMonitor_x64.sys
--------------------------------------------------------------------------------
/[4-3]MonitorRegistryOperation/src/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-3]MonitorRegistryOperation/src/MyDriver.c
--------------------------------------------------------------------------------
/[4-3]MonitorRegistryOperation/src/MyDriver.h:
--------------------------------------------------------------------------------
1 | #include
2 |
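// Debug trace, compiled out of free builds (DBG == 0).
// Written as an if/else pair so that a call site of the form
//     if (cond) dprintf("..."); else other();
// keeps its own else branch.  The bare `if (DBG) DbgPrint` form captured the
// caller's `else` (classic dangling-else), silently changing control flow.
#define dprintf if (!DBG) {} else DbgPrint

// NT object-manager name of the control device and its Win32-visible links.
#define DEVICE_NAME L"\\Device\\CmRegMonitor"
#define LINK_NAME L"\\DosDevices\\CmRegMonitor"
// Session-independent form of the link (\DosDevices\Global resolves to the
// global namespace on every session).
#define LINK_GLOBAL_NAME L"\\DosDevices\\Global\\CmRegMonitor"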
--------------------------------------------------------------------------------
/[4-3]MonitorRegistryOperation/src/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[4-3]MonitorRegistryOperation/src/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=CmRegMonitor
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[4-3]MonitorRegistryOperation/src/testcode.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-3]MonitorRegistryOperation/src/testcode.h
--------------------------------------------------------------------------------
/[4-3]MonitorRegistryOperation/说明.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-3]MonitorRegistryOperation/说明.txt
--------------------------------------------------------------------------------
/[4-4]MonitorFileOperation/MFTest.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-4]MonitorFileOperation/MFTest.sys
--------------------------------------------------------------------------------
/[4-4]MonitorFileOperation/WdmDrvLoader.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-4]MonitorFileOperation/WdmDrvLoader.exe
--------------------------------------------------------------------------------
/[4-4]MonitorFileOperation/readme.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-4]MonitorFileOperation/readme.txt
--------------------------------------------------------------------------------
/[4-4]MonitorFileOperation/setup.inf:
--------------------------------------------------------------------------------
1 | [Version]
2 | Signature = "$Windows NT$"
3 | Class = "ActivityMonitor" ;This is determined by the work this filter driver does
4 | ClassGuid = {D93806DA-228D-4a25-A065-5F676DEA1C05} ;This value is determined by the Class
5 | Provider = %TASOFT%
6 | DriverVer = 04/10/2012,1.0.0.1
7 | CatalogFile = MFTest.cat
8 |
9 |
10 | [DestinationDirs]
11 | DefaultDestDir = 12
12 | MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers
13 |
14 | ;;
15 | ;; Default install sections
16 | ;;
17 |
18 | [DefaultInstall]
19 | OptionDesc = %ServiceDescription%
20 | CopyFiles = MiniFilter.DriverFiles
21 |
22 | [DefaultInstall.Services]
23 | AddService = %ServiceName%,,MiniFilter.Service
24 |
25 | ;;
26 | ;; Default uninstall sections
27 | ;;
28 |
29 | [DefaultUninstall]
30 | DelFiles = MiniFilter.DriverFiles
31 |
32 | [DefaultUninstall.Services]
33 | DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting
34 |
35 | ;
36 | ; Services Section
37 | ;
38 |
39 | [MiniFilter.Service]
40 | DisplayName = %ServiceName%
41 | Description = %ServiceDescription%
42 | ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\
43 | Dependencies = "FltMgr"
44 | ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER
45 | StartType = 3 ;SERVICE_DEMAND_START
46 | ErrorControl = 1 ;SERVICE_ERROR_NORMAL
47 | LoadOrderGroup = "FSFilter Activity Monitor"
48 | AddReg = MiniFilter.AddRegistry
49 |
50 | ;
51 | ; Registry Modifications
52 | ;
53 |
54 | [MiniFilter.AddRegistry]
55 | HKR,,"DebugFlags",0x00010001 ,0x0
56 | HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
57 | HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%
58 | HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%
59 |
60 | ;
61 | ; Copy Files
62 | ;
63 |
64 | [MiniFilter.DriverFiles]
65 | %DriverName%.sys
66 |
67 | [SourceDisksFiles]
68 | MFTest.sys = 1,,
69 |
70 | [SourceDisksNames]
71 | 1 = %DiskId1%,,,
72 |
73 | ;;
74 | ;; String Section
75 | ;;
76 |
77 | [Strings]
78 | TASOFT = "TASOFT"
79 | ServiceDescription = "MFTest Mini-Filter Driver"
80 | ServiceName = "MFTest"
81 | DriverName = MFTest
82 | DiskId1 = "MFTest Device Installation Disk"
83 |
84 | ;Instances specific information.
85 | DefaultInstance = "MFTest Instance"
86 | Instance1.Name = "MFTest Instance"
87 | Instance1.Altitude = "270030"
88 | Instance1.Flags = 0x0 ; Allow all attachments
--------------------------------------------------------------------------------
/[4-4]MonitorFileOperation/src/WdmDrvLoader/VB6StrFunc.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-4]MonitorFileOperation/src/WdmDrvLoader/VB6StrFunc.h
--------------------------------------------------------------------------------
/[4-4]MonitorFileOperation/src/WdmDrvLoader/WdmDrvLoader.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "WdmDrvLoader", "WdmDrvLoader.vcxproj", "{6F744BCD-FB39-4B16-8CB4-E47F1F428B9E}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {6F744BCD-FB39-4B16-8CB4-E47F1F428B9E}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {6F744BCD-FB39-4B16-8CB4-E47F1F428B9E}.Debug|Win32.Build.0 = Debug|Win32
16 | {6F744BCD-FB39-4B16-8CB4-E47F1F428B9E}.Debug|x64.ActiveCfg = Debug|x64
17 | {6F744BCD-FB39-4B16-8CB4-E47F1F428B9E}.Debug|x64.Build.0 = Debug|x64
18 | {6F744BCD-FB39-4B16-8CB4-E47F1F428B9E}.Release|Win32.ActiveCfg = Release|Win32
19 | {6F744BCD-FB39-4B16-8CB4-E47F1F428B9E}.Release|Win32.Build.0 = Release|Win32
20 | {6F744BCD-FB39-4B16-8CB4-E47F1F428B9E}.Release|x64.ActiveCfg = Release|x64
21 | {6F744BCD-FB39-4B16-8CB4-E47F1F428B9E}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/[4-4]MonitorFileOperation/src/WdmDrvLoader/WdmDrvLoader.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-4]MonitorFileOperation/src/WdmDrvLoader/WdmDrvLoader.suo
--------------------------------------------------------------------------------
/[4-4]MonitorFileOperation/src/WdmDrvLoader/WdmDrvLoader.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 |
--------------------------------------------------------------------------------
/[4-4]MonitorFileOperation/src/WdmDrvLoader/WdmDrvLoader.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/[4-4]MonitorFileOperation/src/driver/MFTest.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-4]MonitorFileOperation/src/driver/MFTest.c
--------------------------------------------------------------------------------
/[4-4]MonitorFileOperation/src/driver/buildfre_win7_amd64.log:
--------------------------------------------------------------------------------
1 | 0>Bad Path string: L'i:\sellcode\win64 F '
2 |
3 | BUILD: corrupt database (bad entry type)
4 | BUILD: Computing Include file dependencies:
5 | BUILD: Examining i:\sellcode\win64oacr invalidate root:amd64fre /autocleanqueue
6 | 1>Compiling and Linking i:\sellcode\win641>'nmake.exe /nologo BUILDMSG=Stop. -i BUILD_PASS=PASS2 LINKONLY=1 NOPASS0=1 MAKEDIR_RELATIVE_TO_BASEDIR='
7 | 1>i:\sellcode\win64
--------------------------------------------------------------------------------
/[4-4]MonitorFileOperation/src/driver/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
7 |
8 | !if $(FREEBUILD)
9 | MSC_WARNING_LEVEL=/W1
10 | !else
11 | MSC_WARNING_LEVEL=/W3
12 | !endif
--------------------------------------------------------------------------------
/[4-4]MonitorFileOperation/src/driver/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME = MFTest
2 | TARGETTYPE = DRIVER
3 | DRIVERTYPE = FS
4 | TARGETPATH = obj
5 |
6 | INCLUDES=.\
7 |
8 | TARGETLIBS = $(TARGETLIBS) \
9 | $(IFSKIT_LIB_PATH)\fltMgr.lib
10 |
11 | SOURCES = MFTest.c
--------------------------------------------------------------------------------
/[4-5]MonitorProcessThreadHandle/MyDriver.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include "MyDriver.h"
3 | #include "ProtectProcess.h"
4 |
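/*
 * DriverUnload - undo DriverEntry in reverse order.
 *
 * The object callbacks are disabled first (ObProtectProcess(0), declared in
 * ProtectProcess.h) so that no callback can run once the device is gone.
 * The symbolic link is chosen with the same IoIsWdmVersionAvailable test that
 * DriverEntry uses, so the link that was created is the one deleted.  The
 * original always deleted LINK_NAME; that appears to work only because unload
 * runs in the system context, where \DosDevices\ resolves to the global
 * namespace, and it diverged from DriverEntry's LINK_GLOBAL_NAME choice.
 *
 * pDriverObj: the driver object whose single device is torn down.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    UNICODE_STRING strLink;

    // Disable ObCallback before the device object disappears.
    ObProtectProcess(0);

    // Mirror DriverEntry's choice of link name.
    if (IoIsWdmVersionAvailable(1, 0x10))
        RtlInitUnicodeString(&strLink, LINK_GLOBAL_NAME);
    else
        RtlInitUnicodeString(&strLink, LINK_NAME);
    IoDeleteSymbolicLink(&strLink);

    IoDeleteDevice(pDriverObj->DeviceObject);
    DbgPrint("[MyDriver]Unloaded!\n");
}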
15 |
/*
 * DispatchCreate - IRP_MJ_CREATE handler.
 *
 * Every open of the control device succeeds and transfers no data.  There is
 * no caller check here: whoever can open the device name gets a handle.
 *
 * Returns STATUS_SUCCESS, which is also stored in the IRP before completion.
 */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    const NTSTATUS result = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(pDevObj);

    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = result;
    // pIrp must not be touched after this call.
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return result;
}
23 |
/*
 * DispatchClose - IRP_MJ_CLOSE handler.
 *
 * Closing a handle to the control device always succeeds with no data.
 *
 * Returns STATUS_SUCCESS, which is also stored in the IRP before completion.
 */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    const NTSTATUS result = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(pDevObj);

    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = result;
    // pIrp must not be touched after this call.
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return result;
}
31 |
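/*
 * DispatchIoctl - IRP_MJ_DEVICE_CONTROL handler (METHOD_BUFFERED).
 *
 * No control codes are handled yet, so every request completes with
 * STATUS_INVALID_DEVICE_REQUEST.  A future `case` must check uInSize and
 * uOutSize against the structures it expects before reading or writing
 * pIoBuffer, and must set uBytesReturned to the number of bytes it filled.
 *
 * Returns the completion status; the same value is stored in the IRP.
 */
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
    PIO_STACK_LOCATION pIrpStack;
    ULONG uIoControlCode;
    PVOID pIoBuffer;              /* shared in/out buffer (METHOD_BUFFERED) */
    ULONG uInSize;
    ULONG uOutSize;
    ULONG_PTR uBytesReturned = 0; /* bytes a handler actually wrote */

    UNREFERENCED_PARAMETER(pDevObj);

    pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
    uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
    pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
    uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
    uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;

    switch (uIoControlCode)
    {
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    /*
     * Report only what was written.  The original reported uOutSize (the
     * caller's buffer size) on success; for METHOD_BUFFERED the I/O manager
     * copies that many bytes of SystemBuffer back to user mode, so a handler
     * that filled less would hand back stale pool contents.  Never report
     * more than the caller's buffer can hold.
     */
    if (uBytesReturned > uOutSize)
        uBytesReturned = uOutSize;
    pIrp->IoStatus.Information = NT_SUCCESS(status) ? uBytesReturned : 0;
    pIrp->IoStatus.Status = status;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}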
57 |
/*
 * DriverEntry - create the control device and its DOS link, then enable the
 * object callbacks provided by ProtectProcess.h.
 *
 * Returns the IoCreateDevice / IoCreateSymbolicLink failure status, otherwise
 * STATUS_SUCCESS.  The results of BypassCheckSign and ObProtectProcess are not
 * examined (their signatures live in ProtectProcess.h, not visible here), so a
 * failed callback registration still leaves the driver loaded.
 *
 * NOTE(review): the device is created with no security descriptor and without
 * FILE_DEVICE_SECURE_OPEN, so any local caller that can open \DosDevices\MyDriver
 * reaches DispatchIoctl; IoCreateDeviceSecure with a restrictive SDDL is the
 * usual hardening.  BypassCheckSign, judging by its name, exists to satisfy the
 * ObRegisterCallbacks signing requirement; the supported route is
 * LINKER_FLAGS=/INTEGRITYCHECK in the sources file (as [4-1]'s sources does)
 * together with a signed binary.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    NTSTATUS status;
    UNICODE_STRING devName;
    UNICODE_STRING linkName;
    PDEVICE_OBJECT devObj = NULL;
    PCWSTR linkPath;

    UNREFERENCED_PARAMETER(pRegistryString);

    /* Unload routine and IRP handlers. */
    pDriverObj->DriverUnload = DriverUnload;
    pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;

    RtlInitUnicodeString(&devName, DEVICE_NAME);
    status = IoCreateDevice(pDriverObj, 0, &devName, FILE_DEVICE_UNKNOWN, 0, FALSE, &devObj);
    if (!NT_SUCCESS(status))
        return status;

    /* WDM 1.10 and later provide the session-independent \DosDevices\Global. */
    linkPath = IoIsWdmVersionAvailable(1, 0x10) ? LINK_GLOBAL_NAME : LINK_NAME;
    RtlInitUnicodeString(&linkName, linkPath);
    status = IoCreateSymbolicLink(&linkName, &devName);
    if (!NT_SUCCESS(status))
    {
        IoDeleteDevice(devObj);
        return status;
    }

    /* Enable ObCallback. */
    BypassCheckSign(pDriverObj);
    ObProtectProcess(1);
    DbgPrint("[MyDriver]Loaded!\n");
    return STATUS_SUCCESS;
}
--------------------------------------------------------------------------------
/[4-5]MonitorProcessThreadHandle/MyDriver.h:
--------------------------------------------------------------------------------
1 | #include
2 |
// Debug trace: plain DbgPrint, emitted in free builds as well.
#define dprintf DbgPrint

// NT object-manager name of the control device and its Win32-visible links.
// DriverEntry in MyDriver.c creates DEVICE_NAME, then LINK_GLOBAL_NAME when
// IoIsWdmVersionAvailable(1, 0x10) is true and LINK_NAME otherwise.
#define DEVICE_NAME L"\\Device\\MyDriver"
#define LINK_NAME L"\\DosDevices\\MyDriver"
#define LINK_GLOBAL_NAME L"\\DosDevices\\Global\\MyDriver"
8 |
--------------------------------------------------------------------------------
/[4-5]MonitorProcessThreadHandle/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[4-5]MonitorProcessThreadHandle/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=MyDriver
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[4-6]MonitorFileOperationByCallback/file_monitor_x64.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-6]MonitorFileOperationByCallback/file_monitor_x64.sys
--------------------------------------------------------------------------------
/[4-6]MonitorFileOperationByCallback/readme.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-6]MonitorFileOperationByCallback/readme.txt
--------------------------------------------------------------------------------
/[4-6]MonitorFileOperationByCallback/src/MAKEFILE:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the driver components of the Windows NT DDK
5 | #
6 |
7 | !INCLUDE $(NTMAKEENV)\makefile.def
8 |
9 |
--------------------------------------------------------------------------------
/[4-6]MonitorFileOperationByCallback/src/main.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-6]MonitorFileOperationByCallback/src/main.c
--------------------------------------------------------------------------------
/[4-6]MonitorFileOperationByCallback/src/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=file_monitor_x64
2 | TARGETTYPE=DRIVER
3 |
4 | MSC_WARNING_LEVEL=/W4 /WX
5 |
6 | #pragma warning( disable: 4201 ) // nonstandard extension used : nameless struct/union
7 | #pragma warning( disable: 4214 ) // nonstandard extension used : bit field types other than int
8 | MSC_WARNING_LEVEL=$(MSC_WARNING_LEVEL) /wd4201 /wd4214
9 |
10 | SOURCES=main.c
--------------------------------------------------------------------------------
/[4-7]MonitorInternetAccessByWFP/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components.
5 | #
6 |
7 | # Ensure that build environment is at least Windows Vista
8 | # 0x500 == Windows 2000
9 | # 0x501 == Windows XP
10 | # 0x600 == Windows Vista
11 |
12 | !IF DEFINED(_NT_TARGET_VERSION)
13 | ! IF $(_NT_TARGET_VERSION)>=0x600
14 | ! INCLUDE $(NTMAKEENV)\makefile.def
15 | ! ELSE
16 | ! INCLUDE $(NTMAKEENV)\makefile.plt
17 | ! IF "$(BUILD_PASS)"=="PASS1"
18 | ! message BUILDMSG: Warning : The sample "$(MAKEDIR)" is not valid for the current OS target.
19 | ! ENDIF
20 | ! ENDIF
21 | !ELSE
22 | ! INCLUDE $(NTMAKEENV)\makefile.def
23 | !ENDIF
24 |
25 |
--------------------------------------------------------------------------------
/[4-7]MonitorInternetAccessByWFP/objfre_win7_amd64/amd64/WFP_TEST.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-7]MonitorInternetAccessByWFP/objfre_win7_amd64/amd64/WFP_TEST.sys
--------------------------------------------------------------------------------
/[4-7]MonitorInternetAccessByWFP/sources:
--------------------------------------------------------------------------------
1 |
2 | TARGETNAME=WFP_TEST
3 | TARGETTYPE=DRIVER
4 |
5 | INCLUDES=\
6 | $(DDK_INC_PATH);
7 |
8 | TARGETLIBS=\
9 | $(DDK_LIB_PATH)\ntoskrnl.lib \
10 | $(DDK_LIB_PATH)\ndis.lib \
11 | $(DDK_LIB_PATH)\fwpkclnt.lib \
12 | $(SDK_LIB_PATH)\uuid.lib
13 |
14 | C_DEFINES=$(C_DEFINES) -DBINARY_COMPATIBLE=0 -DNT -DUNICODE -D_UNICODE -DNDIS60 -DNDIS_SUPPORT_NDIS6
15 |
16 | SOURCES= denyip.c
--------------------------------------------------------------------------------
/[4-8]TimeChangeCallback/amd64/TimeNotify.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[4-8]TimeChangeCallback/amd64/TimeNotify.sys
--------------------------------------------------------------------------------
/[4-8]TimeChangeCallback/main.c:
--------------------------------------------------------------------------------
1 | #include
2 |
3 | /*
4 | 以下代码为功能测试
5 | */
6 |
// Undocumented ntoskrnl export, declared here but not used by any code in this
// file (the callback below only prints the current IRQL).
NTKERNELAPI CHAR* PsGetProcessImageFileName(PEPROCESS Process);

// Registration handle returned by ExRegisterCallback; zero (static storage)
// until the first successful registration in RegisterSetSystemTimeNotify.
PVOID g_CbRegistration;
10 |
/*
 * SetSystemTimeNotify - callback attached to \Callback\SetSystemTime.
 *
 * Per the original author's note this runs at IRQL 2 (DISPATCH_LEVEL), where
 * most kernel APIs must not be called -- doing so bugchecks.  It therefore
 * only logs the current IRQL.  The three arguments are ignored; what the
 * system passes in Argument1/Argument2 for this callback object is not
 * established by this file.
 */
VOID SetSystemTimeNotify
(
    IN PVOID CallbackContext,
    IN PVOID Argument1,
    IN PVOID Argument2
)
{
    KIRQL currentIrql = KeGetCurrentIrql();

    UNREFERENCED_PARAMETER(CallbackContext);
    UNREFERENCED_PARAMETER(Argument1);
    UNREFERENCED_PARAMETER(Argument2);

    DbgPrint("[SetSystemTimeNotify]IRQL: %ld\n", currentIrql);
}
21 |
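/*
 * RegisterSetSystemTimeNotify - attach to / detach from the system callback
 * object \Callback\SetSystemTime.
 *
 * IsUndo  FALSE: open the callback object and register SetSystemTimeNotify.
 *         TRUE:  unregister the callback registered earlier.
 *
 * Returns STATUS_SUCCESS, the ExCreateCallback failure status, or
 * STATUS_UNSUCCESSFUL when ExRegisterCallback fails or there is nothing to
 * unregister.
 *
 * Fixes relative to the original: the object reference taken by
 * ExCreateCallback is now released on the ExRegisterCallback failure path as
 * well (it was leaked there); a second registration request while one is
 * active is a no-op instead of overwriting, and thereby leaking, the first
 * handle; and g_CbRegistration is cleared after ExUnregisterCallback so a
 * repeated undo cannot unregister the same handle twice.
 */
NTSTATUS RegisterSetSystemTimeNotify(BOOLEAN IsUndo)
{
    PCALLBACK_OBJECT pCallBackObj;
    OBJECT_ATTRIBUTES oa;
    UNICODE_STRING callbackname;
    NTSTATUS status;

    if (IsUndo)
    {
        if (g_CbRegistration == NULL)
            return STATUS_UNSUCCESSFUL;
        ExUnregisterCallback(g_CbRegistration);
        g_CbRegistration = NULL;
        return STATUS_SUCCESS;
    }

    // Already registered: keep the existing handle rather than stacking a
    // second registration on top of it.
    if (g_CbRegistration != NULL)
        return STATUS_SUCCESS;

    RtlInitUnicodeString(&callbackname, L"\\Callback\\SetSystemTime");
    InitializeObjectAttributes(&oa, &callbackname, OBJ_CASE_INSENSITIVE, 0, 0);
    // \Callback\SetSystemTime is created by the system, so this opens it; the
    // Create/AllowMultipleCallbacks arguments only matter if it did not exist.
    status = ExCreateCallback(&pCallBackObj, &oa, TRUE, FALSE);
    if (!NT_SUCCESS(status))
        return status;

    g_CbRegistration = ExRegisterCallback(pCallBackObj, SetSystemTimeNotify, NULL);

    // The registration keeps the object alive for its own lifetime, so the
    // reference from ExCreateCallback is dropped here on both outcomes.
    ObDereferenceObject(pCallBackObj);

    return (g_CbRegistration != NULL) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
}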
49 |
50 | /*
51 | 以下代码为模板
52 | */
53 |
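/*
 * DriverUnload - detach from \Callback\SetSystemTime before the image is
 * unmapped.
 *
 * The original called RegisterSetSystemTimeNotify(0), i.e. IsUndo = FALSE,
 * which registered a second time on unload instead of unregistering; both
 * registrations then pointed into the unloaded image, and the next system
 * time change would have invoked freed code.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    RegisterSetSystemTimeNotify(TRUE);   /* IsUndo */
    DbgPrint("[DriverUnload]\n");
}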
59 |
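/*
 * DriverEntry - register for system-time-change notifications.
 *
 * Returns the registration status.  On failure the driver is not loaded;
 * the original ignored the result and stayed loaded with no callback active.
 * DriverUnload is not invoked for a failed DriverEntry, and nothing has been
 * registered at that point, so there is nothing to clean up.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;

    status = RegisterSetSystemTimeNotify(FALSE);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("[DriverEntry] RegisterSetSystemTimeNotify failed: 0x%08X\n", status);
        return status;
    }

    DbgPrint("[DriverEntry]\n");
    return STATUS_SUCCESS;
}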
--------------------------------------------------------------------------------
/[4-8]TimeChangeCallback/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the driver components of the Windows NT DDK
5 | #
6 |
7 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[4-8]TimeChangeCallback/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=TimeNotify
2 | TARGETPATH=.
3 | TARGETTYPE=DRIVER
4 | SOURCES=main.c
5 |
--------------------------------------------------------------------------------
/[5-1]DrvInlineASM/Win64InlineASM.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-1]DrvInlineASM/Win64InlineASM.sys
--------------------------------------------------------------------------------
/[5-1]DrvInlineASM/src/Win7x64Drv.h:
--------------------------------------------------------------------------------
1 | #include
2 |
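#ifndef _Win7x64Drv_H
#define _Win7x64Drv_H 1
//============================================
#define DEVICE_NAME L"\\Device\\devWin64InlineASM" //Driver Name
#define LINK_NAME L"\\DosDevices\\Win64InlineASM" //Link Name
//============================================
// Private IOCTLs: vendor function codes from 0x800, METHOD_BUFFERED.
// The macro argument is parenthesised so that an expression such as
// MY_CTL_CODE(n<<1) is added to IOCTL_BASE as a whole; the original
// `IOCTL_BASE+i` spliced the tokens in unparenthesised and would have
// produced (0x800+n)<<1 for that call.
// FILE_ANY_ACCESS means the I/O manager makes no per-IOCTL access-mask
// check on the handle, so the protect/unprotect controls below are gated
// only by the device object's own DACL.
#define IOCTL_BASE 0x800
#define MY_CTL_CODE(i) \
CTL_CODE(FILE_DEVICE_UNKNOWN, (IOCTL_BASE + (i)), METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_PauseThrdProtect MY_CTL_CODE(1)
#define IOCTL_ResumeThrdProtect MY_CTL_CODE(2)
#define IOCTL_ProtectProcess MY_CTL_CODE(3)
#define IOCTL_UnprotectProcess MY_CTL_CODE(4)
#define IOCTL_ProtectThread MY_CTL_CODE(5)
//============================================
#endif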
--------------------------------------------------------------------------------
/[5-1]DrvInlineASM/src/dbghelp.h:
--------------------------------------------------------------------------------
#ifndef _DBGHELP_H
#define _DBGHELP_H 1

#include

// Both trace macros are plain DbgPrint, so they emit in free builds as well.
#define dprintf DbgPrint
#define nprintf DbgPrint

// Non-paged pool allocation tagged 'SYSQ' (pool tools show it as QSYS).
// kfree releases with ExFreePool, so the tag is not checked on free;
// ExFreePoolWithTag(_p, 'SYSQ') would let Driver Verifier catch mismatches.
// NOTE(review): ExAllocatePoolWithTag does not zero the block, so callers must
// initialise what they hand back to user mode; newer WDKs deprecate it in
// favour of ExAllocatePool2, which zeroes by default.
#define kmalloc(_s) ExAllocatePoolWithTag(NonPagedPool, _s, 'SYSQ')
#define kfree(_p) ExFreePool(_p)

#endif
--------------------------------------------------------------------------------
/[5-1]DrvInlineASM/src/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
7 |
--------------------------------------------------------------------------------
/[5-1]DrvInlineASM/src/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=Win64InlineASM
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 |
6 | INCLUDES=.\
7 |
8 | SOURCES = Win7x64Drv.c
--------------------------------------------------------------------------------
/[5-1]DrvInlineASM/x64asm_to_x64bin.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-1]DrvInlineASM/x64asm_to_x64bin.exe
--------------------------------------------------------------------------------
/[5-2]DkomHideProtect/MyDriver.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-2]DkomHideProtect/MyDriver.sys
--------------------------------------------------------------------------------
/[5-2]DkomHideProtect/src/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-2]DkomHideProtect/src/MyDriver.c
--------------------------------------------------------------------------------
/[5-2]DkomHideProtect/src/MyDriver.h:
--------------------------------------------------------------------------------
1 | #include
2 |
// Debug trace: plain DbgPrint, emitted in free builds too (KdPrint would be
// compiled out of free builds).
#define dprintf DbgPrint //KdPrint

// NT object-manager name of the control device and its Win32-visible links.
#define DEVICE_NAME L"\\Device\\Win7x64HideProtect"
#define LINK_NAME L"\\DosDevices\\Win7x64HideProtect"
#define LINK_GLOBAL_NAME L"\\DosDevices\\Global\\Win7x64HideProtect"

// Private IOCTLs (vendor range 0x800+, METHOD_BUFFERED).  The trailing
// comments give the direction and type of the buffered payload.  Every code
// uses FILE_ANY_ACCESS, so no per-IOCTL access-mask check is made on the
// handle; the handler must validate the input/output lengths itself.
// NOTE(review): the "BSTR" payloads are user-supplied; a handler must not
// trust a length prefix inside the buffer beyond the IRP's buffer length.
#define IOCTL_ULR3IN CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS) //In LONG
#define IOCTL_USR3IN CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS) //In BSTR
#define IOCTL_GetKPEB CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS) //Out LONG
#define IOCTL_GetBSTR CTL_CODE(FILE_DEVICE_UNKNOWN, 0x804, METHOD_BUFFERED, FILE_ANY_ACCESS) //Out BSTR
#define IOCTL_ReInline CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_BUFFERED, FILE_ANY_ACCESS) //Test Call Only
#define IOCTL_Struct CTL_CODE(FILE_DEVICE_UNKNOWN, 0x805, METHOD_BUFFERED, FILE_ANY_ACCESS) //I+O Struct
--------------------------------------------------------------------------------
/[5-2]DkomHideProtect/src/buildfre_win7_amd64.log:
--------------------------------------------------------------------------------
1 | BUILD: corrupt database (Directory error)
2 | BUILD: Computing Include file dependencies:
3 | BUILD: Examining i:\sellcode\win64oacr invalidate root:amd64fre /autocleanqueue
4 | 1>Compiling and Linking i:\sellcode\win641>'nmake.exe /nologo BUILDMSG=Stop. -i BUILD_PASS=PASS2 LINKONLY=1 NOPASS0=1 MAKEDIR_RELATIVE_TO_BASEDIR='
5 | 1>i:\sellcode\win64
--------------------------------------------------------------------------------
/[5-2]DkomHideProtect/src/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[5-2]DkomHideProtect/src/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=MyDriver
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[5-3]DriverEnumHide/EnumDriver.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-3]DriverEnumHide/EnumDriver.exe
--------------------------------------------------------------------------------
/[5-3]DriverEnumHide/EnumDriver/EnumDriver.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumDriver", "EnumDriver.vcxproj", "{6D8CF73B-DB93-4B72-B15A-4ADF57697195}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {6D8CF73B-DB93-4B72-B15A-4ADF57697195}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {6D8CF73B-DB93-4B72-B15A-4ADF57697195}.Debug|Win32.Build.0 = Debug|Win32
16 | {6D8CF73B-DB93-4B72-B15A-4ADF57697195}.Debug|x64.ActiveCfg = Debug|x64
17 | {6D8CF73B-DB93-4B72-B15A-4ADF57697195}.Debug|x64.Build.0 = Debug|x64
18 | {6D8CF73B-DB93-4B72-B15A-4ADF57697195}.Release|Win32.ActiveCfg = Release|Win32
19 | {6D8CF73B-DB93-4B72-B15A-4ADF57697195}.Release|Win32.Build.0 = Release|Win32
20 | {6D8CF73B-DB93-4B72-B15A-4ADF57697195}.Release|x64.ActiveCfg = Release|x64
21 | {6D8CF73B-DB93-4B72-B15A-4ADF57697195}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/[5-3]DriverEnumHide/EnumDriver/EnumDriver.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-3]DriverEnumHide/EnumDriver/EnumDriver.suo
--------------------------------------------------------------------------------
/[5-3]DriverEnumHide/EnumDriver/EnumDriver.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 |
--------------------------------------------------------------------------------
/[5-3]DriverEnumHide/EnumDriver/EnumDriver.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/[5-3]DriverEnumHide/EnumDriver/main.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-3]DriverEnumHide/EnumDriver/main.cpp
--------------------------------------------------------------------------------
/[5-3]DriverEnumHide/HideDriver/HideKM.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-3]DriverEnumHide/HideDriver/HideKM.c
--------------------------------------------------------------------------------
/[5-3]DriverEnumHide/HideDriver/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
7 |
8 | # MSC_WARNING_LEVEL=/W1
--------------------------------------------------------------------------------
/[5-3]DriverEnumHide/HideDriver/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=HideKM64
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = HideKM.c
--------------------------------------------------------------------------------
/[5-3]DriverEnumHide/HideKM64.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-3]DriverEnumHide/HideKM64.sys
--------------------------------------------------------------------------------
/[5-4]ForceKillProcess/FKP64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-4]ForceKillProcess/FKP64.exe
--------------------------------------------------------------------------------
/[5-4]ForceKillProcess/Win7x64Drv.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-4]ForceKillProcess/Win7x64Drv.sys
--------------------------------------------------------------------------------
/[5-4]ForceKillProcess/exe/MSSCCPRJ.SCC:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-4]ForceKillProcess/exe/MSSCCPRJ.SCC
--------------------------------------------------------------------------------
/[5-4]ForceKillProcess/exe/Mod_MemClr.bas:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-4]ForceKillProcess/exe/Mod_MemClr.bas
--------------------------------------------------------------------------------
/[5-4]ForceKillProcess/exe/Win7x64Drv.vbp:
--------------------------------------------------------------------------------
1 | Type=Exe
2 | Form=form1.frm
3 | Reference=*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\SysWOW64\stdole2.tlb#OLE Automation
4 | Class=cls_Driver; cls_Driver.cls
5 | Module=Mod_MemClr; Mod_MemClr.bas
6 | IconForm="Form1"
7 | Startup="Form1"
8 | HelpFile=""
9 | Title="Win7x64Drv"
10 | ExeName32="Win7x64Drv.exe"
11 | Command32=""
12 | Name="Win7x64Drv"
13 | HelpContextID="0"
14 | CompatibleMode="0"
15 | MajorVer=1
16 | MinorVer=0
17 | RevisionVer=0
18 | AutoIncrementVer=0
19 | ServerSupportFiles=0
20 | VersionCompanyName="Tesla.Angela"
21 | VersionProductName="Win7x64Drv"
22 | CompilationType=0
23 | OptimizationType=0
24 | FavorPentiumPro(tm)=0
25 | CodeViewDebugInfo=0
26 | NoAliasing=0
27 | BoundsCheck=0
28 | OverflowCheck=0
29 | FlPointCheck=0
30 | FDIVCheck=0
31 | UnroundedFP=0
32 | StartMode=0
33 | Unattended=0
34 | Retained=0
35 | ThreadPerObject=0
36 | MaxNumberOfThreads=1
37 |
38 | [MS Transaction Server]
39 | AutoRefresh=1
40 |
--------------------------------------------------------------------------------
/[5-4]ForceKillProcess/exe/Win7x64Drv.vbw:
--------------------------------------------------------------------------------
1 | Form1 = 50, 50, 969, 583, C, 25, 25, 944, 558, C
2 | cls_Driver = 25, 25, 944, 558, C
3 | Mod_MemClr = 110, 110, 1049, 649, C
4 |
--------------------------------------------------------------------------------
/[5-4]ForceKillProcess/exe/cls_Driver.cls:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-4]ForceKillProcess/exe/cls_Driver.cls
--------------------------------------------------------------------------------
/[5-4]ForceKillProcess/exe/form1.frm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-4]ForceKillProcess/exe/form1.frm
--------------------------------------------------------------------------------
/[5-4]ForceKillProcess/sys/Win7x64Drv.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-4]ForceKillProcess/sys/Win7x64Drv.c
--------------------------------------------------------------------------------
/[5-4]ForceKillProcess/sys/Win7x64Drv.h:
--------------------------------------------------------------------------------
#include

#ifndef _Win7x64Drv_H
#define _Win7x64Drv_H 1

// Native device name and the DOS symbolic link that user mode opens to reach it.
#define DEVICE_NAME L"\\Device\\devWin7x64Drv" //Driver Name
#define LINK_NAME L"\\DosDevices\\Win7x64Drv" //Link Name

// Every control code is FILE_DEVICE_UNKNOWN / METHOD_BUFFERED / FILE_ANY_ACCESS
// with a function number relative to IOCTL_BASE. FILE_ANY_ACCESS means the I/O
// manager demands no particular access right on the device handle, so the
// security descriptor the device object is created with (not visible in this
// header) is what decides who may issue these requests.
// NOTE(review): the macro argument is not parenthesised (IOCTL_BASE+i), so an
// expression argument would bind incorrectly; only plain integers are used here.
#define IOCTL_BASE 0x800
#define MY_CTL_CODE(i) CTL_CODE(FILE_DEVICE_UNKNOWN, IOCTL_BASE+i, METHOD_BUFFERED, FILE_ANY_ACCESS)

// Function numbers 6..8. The names suggest kill/suspend/resume of a process,
// but the handlers live in Win7x64Drv.c, which is not part of this header —
// confirm the semantics and the input buffer layout there.
#define IOCTL_PsKillProcess64 MY_CTL_CODE(6)
#define IOCTL_PsSuspendProcess64 MY_CTL_CODE(7)
#define IOCTL_PsResumeProcess64 MY_CTL_CODE(8)

#endif
--------------------------------------------------------------------------------
/[5-4]ForceKillProcess/sys/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
7 |
--------------------------------------------------------------------------------
/[5-4]ForceKillProcess/sys/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=Win7x64Drv
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 |
6 | INCLUDES=.\
7 |
8 | SOURCES = Win7x64Drv.c
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/KRWProcess.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-5]ForceProcMemRW/KRWProcess.sys
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/模拟游戏.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-5]ForceProcMemRW/模拟游戏.exe
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/模拟游戏/Form1.frm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-5]ForceProcMemRW/模拟游戏/Form1.frm
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/模拟游戏/Game.vbp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-5]ForceProcMemRW/模拟游戏/Game.vbp
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/模拟游戏/Game.vbw:
--------------------------------------------------------------------------------
1 | Form1 = 44, 44, 971, 584, C, 22, 22, 949, 562, C
2 |
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/模拟盗号.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-5]ForceProcMemRW/模拟盗号.exe
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/模拟盗号/Form1.frm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-5]ForceProcMemRW/模拟盗号/Form1.frm
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/模拟盗号/PlugIn.vbp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-5]ForceProcMemRW/模拟盗号/PlugIn.vbp
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/模拟盗号/PlugIn.vbw:
--------------------------------------------------------------------------------
1 | Form1 = 44, 44, 971, 584, Z, 22, 22, 949, 562, C
2 |
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/驱动级模拟盗号.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-5]ForceProcMemRW/驱动级模拟盗号.exe
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/驱动级模拟盗号/exe/MSSCCPRJ.SCC:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-5]ForceProcMemRW/驱动级模拟盗号/exe/MSSCCPRJ.SCC
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/驱动级模拟盗号/exe/Mod_MemClr.bas:
--------------------------------------------------------------------------------
Attribute VB_Name = "Mod_MemClr"
Option Explicit

' Win32 / native API imports used by this module. Every handle and pointer is
' declared as a 32-bit Long, so this module is only valid inside a 32-bit
' (VB6) process.
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
' ZwClose is the ntdll export; it behaves like CloseHandle for the handles used here.
Private Declare Function ZwClose Lib "NTDLL.DLL" (ByVal ObjectHandle As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function NtUnmapViewOfSection Lib "NTDLL.DLL" (ByVal ProcessHandle As Long, ByVal BaseAddress As Long) As Long
Private Declare Sub Sleep Lib "kernel32.dll" (ByVal dwMilliseconds As Long)
' NOTE(review): declared with the & (Long) type suffix; no use of it is visible in this module.
Private Const PAGE_EXECUTE_READWRITE& = &H40
Private Const STANDARD_RIGHTS_REQUIRED = &HF0000
Private Const SYNCHRONIZE = &H100000
Private Const SPECIFIC_RIGHTS_ALL = &HFFFF
Private Const STANDARD_RIGHTS_ALL = &H1F0000
' Pre-Vista definition of PROCESS_ALL_ACCESS (low 12 bits only). The Vista+
' SDK value uses &HFFFF; requesting that on older systems fails, and requesting
' this one on newer systems simply omits the newer process rights.
Private Const PROCESS_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF

' 64-bit value carried as two 32-bit halves, since VB6 has no native 64-bit
' integer. NOTE(review): presumably used to pass 64-bit addresses to the x64
' driver — confirm against the callers.
Public Type LONGLONG
low As Long
high As Long
End Type
21 |
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/驱动级模拟盗号/exe/Win7x64Drv.vbp:
--------------------------------------------------------------------------------
1 | Type=Exe
2 | Form=form1.frm
3 | Reference=*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\SysWOW64\stdole2.tlb#OLE Automation
4 | Class=cls_Driver; cls_Driver.cls
5 | Module=Mod_MemClr; Mod_MemClr.bas
6 | IconForm="Form1"
7 | Startup="Form1"
8 | HelpFile=""
9 | Title="Win7x64Drv"
10 | ExeName32="KRWProcess.exe"
11 | Path32="..\..\..\Test"
12 | Command32=""
13 | Name="Win7x64Drv"
14 | HelpContextID="0"
15 | CompatibleMode="0"
16 | MajorVer=1
17 | MinorVer=0
18 | RevisionVer=0
19 | AutoIncrementVer=0
20 | ServerSupportFiles=0
21 | VersionCompanyName="Tesla.Angela"
22 | VersionProductName="Win7x64Drv"
23 | CompilationType=0
24 | OptimizationType=0
25 | FavorPentiumPro(tm)=0
26 | CodeViewDebugInfo=0
27 | NoAliasing=0
28 | BoundsCheck=0
29 | OverflowCheck=0
30 | FlPointCheck=0
31 | FDIVCheck=0
32 | UnroundedFP=0
33 | StartMode=0
34 | Unattended=0
35 | Retained=0
36 | ThreadPerObject=0
37 | MaxNumberOfThreads=1
38 |
39 | [MS Transaction Server]
40 | AutoRefresh=1
41 |
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/驱动级模拟盗号/exe/Win7x64Drv.vbw:
--------------------------------------------------------------------------------
1 | Form1 = 50, 50, 969, 583, C, 25, 25, 944, 558, C
2 | cls_Driver = 25, 25, 944, 558, C
3 | Mod_MemClr = 110, 110, 1049, 649, C
4 |
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/驱动级模拟盗号/exe/cls_Driver.cls:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-5]ForceProcMemRW/驱动级模拟盗号/exe/cls_Driver.cls
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/驱动级模拟盗号/exe/form1.frm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-5]ForceProcMemRW/驱动级模拟盗号/exe/form1.frm
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/驱动级模拟盗号/sys/Win7x64Drv.h:
--------------------------------------------------------------------------------
#include

#ifndef _Win7x64Drv_H
#define _Win7x64Drv_H 1

// Native device name and the DOS symbolic link that user mode opens to reach it.
#define DEVICE_NAME L"\\Device\\devKRWProcess" //Driver Name
#define LINK_NAME L"\\DosDevices\\KRWProcess" //Link Name

// Every control code is FILE_DEVICE_UNKNOWN / METHOD_BUFFERED / FILE_ANY_ACCESS
// with a function number relative to IOCTL_BASE. FILE_ANY_ACCESS means the I/O
// manager demands no particular access right on the device handle, so the
// security descriptor the device object is created with (not visible in this
// header) is the only thing deciding who may issue these requests.
// NOTE(review): the macro argument is not parenthesised (IOCTL_BASE+i); only
// plain integer arguments are used here.
#define IOCTL_BASE 0x800
#define MY_CTL_CODE(i) CTL_CODE(FILE_DEVICE_UNKNOWN, IOCTL_BASE+i, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Function numbers 1..6. The names suggest that 1..3 store parameters
// (process id, base address, length) which 4 and 5 then act on, i.e. the
// protocol is stateful across separate IOCTLs — confirm in Win7x64Drv.c,
// which holds the handlers and is not part of this header.
#define IOCTL_InputProcessId MY_CTL_CODE(1)
#define IOCTL_InputBaseAddress MY_CTL_CODE(2)
#define IOCTL_InputReadWriteLen MY_CTL_CODE(3)
#define IOCTL_KReadProcessMemory MY_CTL_CODE(4)
#define IOCTL_KWriteProcessMemory MY_CTL_CODE(5)
#define IOCTL_MmKillProcess64 MY_CTL_CODE(6) //PVASE

#endif
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/驱动级模拟盗号/sys/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
7 |
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/驱动级模拟盗号/sys/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=KRWProcess
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 |
6 | INCLUDES=.\
7 |
8 | SOURCES = Win7x64Drv.c
--------------------------------------------------------------------------------
/[5-5]ForceProcMemRW/驱动级游戏保护/下载地址.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-5]ForceProcMemRW/驱动级游戏保护/下载地址.txt
--------------------------------------------------------------------------------
/[5-6]EnumMsgHook/EnumMsgHook64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-6]EnumMsgHook/EnumMsgHook64.exe
--------------------------------------------------------------------------------
/[5-6]EnumMsgHook/EnumMsgHook64.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-6]EnumMsgHook/EnumMsgHook64.sys
--------------------------------------------------------------------------------
/[5-6]EnumMsgHook/src/exe/DrvCtrl.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-6]EnumMsgHook/src/exe/DrvCtrl.h
--------------------------------------------------------------------------------
/[5-6]EnumMsgHook/src/exe/exe.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "exe", "exe.vcxproj", "{3DBC5DEC-A3DB-4DA7-A494-1A867528C281}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {3DBC5DEC-A3DB-4DA7-A494-1A867528C281}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {3DBC5DEC-A3DB-4DA7-A494-1A867528C281}.Debug|Win32.Build.0 = Debug|Win32
16 | {3DBC5DEC-A3DB-4DA7-A494-1A867528C281}.Debug|x64.ActiveCfg = Debug|x64
17 | {3DBC5DEC-A3DB-4DA7-A494-1A867528C281}.Debug|x64.Build.0 = Debug|x64
18 | {3DBC5DEC-A3DB-4DA7-A494-1A867528C281}.Release|Win32.ActiveCfg = Release|Win32
19 | {3DBC5DEC-A3DB-4DA7-A494-1A867528C281}.Release|Win32.Build.0 = Release|Win32
20 | {3DBC5DEC-A3DB-4DA7-A494-1A867528C281}.Release|x64.ActiveCfg = Release|x64
21 | {3DBC5DEC-A3DB-4DA7-A494-1A867528C281}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/[5-6]EnumMsgHook/src/exe/exe.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-6]EnumMsgHook/src/exe/exe.suo
--------------------------------------------------------------------------------
/[5-6]EnumMsgHook/src/exe/exe.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 |
23 |
24 | 头文件
25 |
26 |
27 |
--------------------------------------------------------------------------------
/[5-6]EnumMsgHook/src/exe/exe.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/[5-6]EnumMsgHook/src/exe/main.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-6]EnumMsgHook/src/exe/main.cpp
--------------------------------------------------------------------------------
/[5-6]EnumMsgHook/src/sys/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-6]EnumMsgHook/src/sys/MyDriver.c
--------------------------------------------------------------------------------
/[5-6]EnumMsgHook/src/sys/MyDriver.h:
--------------------------------------------------------------------------------
#include

// Shorthand used for the driver's trace output.
#define dprintf DbgPrint

// Native device name plus the session-local and \Global DOS symbolic links
// that user mode opens to reach it.
#define DEVICE_NAME L"\\Device\\EnumMsgHook64"
#define LINK_NAME L"\\DosDevices\\EnumMsgHook64"
#define LINK_GLOBAL_NAME L"\\DosDevices\\Global\\EnumMsgHook64"

// Control codes. All use METHOD_BUFFERED and FILE_ANY_ACCESS, so the I/O
// manager requires no specific access right on the handle; the security
// descriptor the device object is created with (not visible here) is what
// gates callers. The read/write codes presumably act on the address and
// length stored by the two SET codes, i.e. the request is stateful across
// IOCTLs — confirm in MyDriver.c.
#define IOCTL_READ_KRNL_MM CTL_CODE(FILE_DEVICE_UNKNOWN, 0x804, METHOD_BUFFERED, FILE_ANY_ACCESS) //read kernel
#define IOCTL_MODIFY_KN_MM CTL_CODE(FILE_DEVICE_UNKNOWN, 0x805, METHOD_BUFFERED, FILE_ANY_ACCESS) //write kernel
#define IOCTL_SET_RWKM_ADR CTL_CODE(FILE_DEVICE_UNKNOWN, 0x809, METHOD_BUFFERED, FILE_ANY_ACCESS) //set address
#define IOCTL_SET_RWKM_LEN CTL_CODE(FILE_DEVICE_UNKNOWN, 0x80A, METHOD_BUFFERED, FILE_ANY_ACCESS) //set length

// NOTE(review): function code 0x7FF lies below 0x800, where CTL_CODE function
// numbers are reserved for Microsoft; third-party codes should be >= 0x800
// like the four above. The original trailing comment ("set length") was copied
// from IOCTL_SET_RWKM_LEN and did not describe this code; its handler is in
// MyDriver.c.
#define IOCTL_GET_PN_BY_ET CTL_CODE(FILE_DEVICE_UNKNOWN, 0x7FF, METHOD_BUFFERED, FILE_ANY_ACCESS) //purpose not documented here; see MyDriver.c
--------------------------------------------------------------------------------
/[5-6]EnumMsgHook/src/sys/buildfre_win7_amd64.wrn:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-6]EnumMsgHook/src/sys/buildfre_win7_amd64.wrn
--------------------------------------------------------------------------------
/[5-6]EnumMsgHook/src/sys/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[5-6]EnumMsgHook/src/sys/rwkm.h:
--------------------------------------------------------------------------------
1 |
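// Copy SizeOfCopy bytes from pSourceAddress into pDestination through a
// locked MDL mapping of the source range.
//
// pDestination   - buffer that receives the bytes (written with RtlCopyMemory).
// pSourceAddress - start of the range to read; described by an MDL and locked
//                  with MmProbeAndLockPages(KernelMode, IoReadAccess).
// SizeOfCopy     - byte count. IoAllocateMdl takes a ULONG, so a count that
//                  does not survive the narrowing cast is rejected up front
//                  instead of being silently truncated.
//
// Returns TRUE when the copy completed, FALSE on any failure: NULL or empty
// arguments, MDL allocation failure, an exception raised while probing and
// locking the pages, or no system mapping for the MDL. Every failure path
// releases what the function had acquired; the original returned without
// MmUnlockPages/IoFreeMdl when MmGetSystemAddressForMdlSafe failed, leaking
// the locked pages and the MDL.
BOOLEAN VxkCopyMemory( PVOID pDestination, PVOID pSourceAddress, SIZE_T SizeOfCopy )
{
    PMDL pMdl = NULL;
    PVOID pSafeAddress = NULL;

    if( !pDestination || !pSourceAddress ) return FALSE;
    if( SizeOfCopy == 0 ) return FALSE;                        // nothing would be copied
    if( SizeOfCopy != (SIZE_T)(ULONG)SizeOfCopy ) return FALSE; // would truncate in the cast below

    pMdl = IoAllocateMdl( pSourceAddress, (ULONG)SizeOfCopy, FALSE, FALSE, NULL );
    if( !pMdl ) return FALSE;

    // MmProbeAndLockPages raises an exception on an invalid range; the handler
    // frees the MDL so that the failure does not leak it.
    __try
    {
        MmProbeAndLockPages( pMdl, KernelMode, IoReadAccess );
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        IoFreeMdl( pMdl );
        return FALSE;
    }

    pSafeAddress = MmGetSystemAddressForMdlSafe( pMdl, NormalPagePriority );
    if( !pSafeAddress )
    {
        // The pages are locked at this point, so they must be unlocked
        // before the MDL is freed.
        MmUnlockPages( pMdl );
        IoFreeMdl( pMdl );
        return FALSE;
    }

    RtlCopyMemory( pDestination, pSafeAddress, SizeOfCopy );

    MmUnlockPages( pMdl );
    IoFreeMdl( pMdl );
    return TRUE;
}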
24 |
// Address and length used by the kernel read/write requests; zero until set.
// NOTE(review): presumably written by the IOCTL_SET_RWKM_ADR / IOCTL_SET_RWKM_LEN
// handlers in MyDriver.c — confirm there. They are plain globals with no
// locking, so concurrent requests on the device could interleave updates.
ULONG64 rwkm_adr=0, rwkm_len=0;
--------------------------------------------------------------------------------
/[5-6]EnumMsgHook/src/sys/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=EnumMsgHook64
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[5-6]EnumMsgHook/测试说明.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-6]EnumMsgHook/测试说明.txt
--------------------------------------------------------------------------------
/[5-7]UnlockFile/LockFile.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-7]UnlockFile/LockFile.exe
--------------------------------------------------------------------------------
/[5-7]UnlockFile/UnlockFile.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-7]UnlockFile/UnlockFile.sys
--------------------------------------------------------------------------------
/[5-7]UnlockFile/lockfile.xxx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-7]UnlockFile/lockfile.xxx
--------------------------------------------------------------------------------
/[5-7]UnlockFile/src/LockFile/main.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
// Function-pointer types for two ntdll exports that main() resolves at run
// time with GetProcAddress. No calling convention is specified, so the
// compiler default applies; that is harmless for an x64 build (one ABI), but
// a Win32 build would need NTAPI/__stdcall here — confirm the target platform.
typedef long (*RTLADJUSTPRIVILEGE)(ULONG,BOOLEAN,BOOLEAN,PBOOLEAN);
typedef long (*NTDUPLICATEOBJECT)(HANDLE,HANDLE,HANDLE,PHANDLE,ACCESS_MASK,BOOLEAN,ULONG);
6 |
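// Collect the ids of every process this caller is able to open, by probing
// each candidate PID with OpenProcess.
//
// pids     - output array; at most maxcount entries are written.
// procount - receives the number of entries stored in pids.
// maxcount - capacity of pids. The default matches the `int pids[260]` that
//            main() passes; the original had no bound and would write past
//            the array on a system with more than 260 openable processes.
//
// Only PIDs in [8, 19996) with a stride of 4 are probed (the stride assumes
// PIDs are multiples of 4); processes with higher ids are never reported.
// A PID is recorded only when OpenProcess with access 0x10 (PROCESS_VM_READ)
// succeeds, so processes the caller lacks rights for are silently skipped.
void GetAllProcessA(int pids[], int *procount, int maxcount = 260)
{
    int found = 0;
    for (int pid = 8; pid < 19996 && found < maxcount; pid += 4)
    {
        HANDLE hProcess = OpenProcess(0x10, 0, pid);   // 0x10 == PROCESS_VM_READ
        if (hProcess != 0)
        {
            pids[found++] = pid;
            CloseHandle(hProcess);
        }
    }
    *procount = found;
}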
23 |
24 | int main()
25 | {
26 | BOOLEAN bRet;
27 | int pids[260];
28 | int procsnum=0;
29 | char pFile[260];
30 | RTLADJUSTPRIVILEGE getdbg=(RTLADJUSTPRIVILEGE)GetProcAddress(GetModuleHandleW(L"ntdll.dll"),"RtlAdjustPrivilege");
31 | NTDUPLICATEOBJECT NtDuplicateObject=(NTDUPLICATEOBJECT)GetProcAddress(GetModuleHandleW(L"ntdll.dll"),"NtDuplicateObject");
32 | getdbg(20,1,0,&bRet);
33 | memset(pids,0,4*260);
34 | memset(pFile,0,260);
35 | printf("Input the file name you want to protect: ");
36 | scanf("%s",pFile);
37 | HANDLE hsFile = CreateFileA(pFile, 0x80000000, 0, 0, 3, 0, 0);
38 | SetHandleInformation(hsFile,0,2);
39 | GetAllProcessA(pids,&procsnum);
40 | for(int i=0;i
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 |
--------------------------------------------------------------------------------
/[5-8]PE32+/SimplePE64Viewer/SimplePE64Viewer.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/[5-8]PE32+/SimplePE64Viewer/main.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[5-8]PE32+/SimplePE64Viewer/main.cpp
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/SuperInsertDll.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-1]RemoteThreadToSystemProcess/SuperInsertDll.exe
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/SuperInsertDll/SuperInsertDll.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SuperInsertDll", "SuperInsertDll.vcxproj", "{45F6A4FE-C8F0-48F0-9030-F898EF3DBD91}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {45F6A4FE-C8F0-48F0-9030-F898EF3DBD91}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {45F6A4FE-C8F0-48F0-9030-F898EF3DBD91}.Debug|Win32.Build.0 = Debug|Win32
16 | {45F6A4FE-C8F0-48F0-9030-F898EF3DBD91}.Debug|x64.ActiveCfg = Debug|x64
17 | {45F6A4FE-C8F0-48F0-9030-F898EF3DBD91}.Debug|x64.Build.0 = Debug|x64
18 | {45F6A4FE-C8F0-48F0-9030-F898EF3DBD91}.Release|Win32.ActiveCfg = Release|Win32
19 | {45F6A4FE-C8F0-48F0-9030-F898EF3DBD91}.Release|Win32.Build.0 = Release|Win32
20 | {45F6A4FE-C8F0-48F0-9030-F898EF3DBD91}.Release|x64.ActiveCfg = Release|x64
21 | {45F6A4FE-C8F0-48F0-9030-F898EF3DBD91}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/SuperInsertDll/SuperInsertDll.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-1]RemoteThreadToSystemProcess/SuperInsertDll/SuperInsertDll.suo
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/SuperInsertDll/SuperInsertDll.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 |
23 |
24 | 头文件
25 |
26 |
27 |
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/SuperInsertDll/SuperInsertDll.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/SuperInsertDll/main.cpp:
--------------------------------------------------------------------------------
#include <windows.h>
#include <stdio.h>
#include "main.h"
4 |
5 | typedef long (__fastcall *RTLADJUSTPRIVILEGE64)(ULONG,ULONG,ULONG,PVOID);
6 | RTLADJUSTPRIVILEGE64 RtlAdjustPrivilege;
7 |
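// Console front end: enables SeDebugPrivilege, reads a pid and a DLL path from stdin and injects.
// Returns 0 on success, 1 on any failure. Must run elevated, and as a 64-bit build so the target
// and the injector agree on the address of kernel32!LoadLibraryW.
int main()
{
    WCHAR dllname[MAX_PATH] = {0};   // e.g. L"c:\\testdll.DLL"
    DWORD dwPID = 0;
    DWORD dwRetVal = 0;              // RtlAdjustPrivilege's "was already enabled" BOOLEAN, stored in a DWORD
    BOOL bInjected = FALSE;
    int exitCode = 1;
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");   // ntdll is mapped into every process; no LoadLibrary needed

    RtlAdjustPrivilege = hNtdll ? (RTLADJUSTPRIVILEGE64)GetProcAddress(hNtdll, "RtlAdjustPrivilege") : NULL;
    if (!RtlAdjustPrivilege)
    {
        printf("RtlAdjustPrivilege not found in ntdll.dll\n");
        return exitCode;
    }
    // 20 == SE_DEBUG_PRIVILEGE (ntifs.h). It can only be enabled when the token already holds it,
    // i.e. when running as an elevated administrator. A negative NTSTATUS means it did not take, and
    // OpenProcess on a system process would fail later anyway, so stop here with a clear message.
    if (RtlAdjustPrivilege(20, 1, 0, &dwRetVal) < 0)
    {
        printf("could not enable SeDebugPrivilege: run this tool elevated\n");
        return exitCode;
    }

    printf("input pid: ");
    if (scanf("%lu", &dwPID) != 1 || dwPID == 0)   // DWORD is unsigned: %lu, not %ld
    {
        printf("invalid pid\n");
        return exitCode;
    }
    // The width (MAX_PATH - 1) stops a long line from overrunning dllname. %s-style conversion ends at
    // the first whitespace, so a path containing spaces is not supported by this front end.
    printf("input dll full path: ");
    if (scanf("%259ws", dllname) != 1)
    {
        printf("invalid dll path\n");
        return exitCode;
    }

    bInjected = InjectDllExW(dwPID, dllname);
    getchar();   // swallow the newline scanf left in stdin
    if (bInjected)
    {
        exitCode = 0;
        printf("inject over!");
    }
    else
    {
        printf("inject failed, GetLastError=%lu\n", GetLastError());
    }
    getchar();   // keep the console open until Enter is pressed
    return exitCode;
}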
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/SuperInsertDll/main.h:
--------------------------------------------------------------------------------
1 |
// NTSTATUS helpers normally supplied by ntstatus.h / winternl.h; defined here only if the including
// translation unit has not already pulled them in. NTSTATUS is signed: negative values are failures.
// NOTE(review): NTSTATUS itself is not defined in this header -- it must come from the includer
// (e.g. winternl.h); the visible code in this file never expands these macros, so that is latent.
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#endif
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif
#ifndef STATUS_UNSUCCESSFUL
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#endif
11 |
// Mirror of the native CLIENT_ID from winternl.h: a process id and a thread id carried as
// HANDLE-sized integers (the form NtOpenProcess/NtOpenThread expect).
// Kept for callers that need the native type; nothing in this header passes one to a native API.
// Caveat: including winternl.h alongside this header produces a 'struct' type redefinition error.
typedef struct _CLIENT_ID
{
    HANDLE UniqueProcess;   // process id
    HANDLE UniqueThread;    // thread id
} CLIENT_ID, *PCLIENT_ID;
17 |
18 | typedef void* (__fastcall *LPFN_KernelBaseGetGlobalData)(void);
19 |
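// ntdll!RtlGetVersion. RTL_OSVERSIONINFOW is layout-identical to OSVERSIONINFOW, so the SDK type is
// passed directly; NTAPI and WINAPI are both __stdcall, which x64 ignores anyway.
typedef LONG (WINAPI *LPFN_RtlGetVersion)(OSVERSIONINFOW*);

// Stores the running OS build number in *pdwBuild, read through ntdll!RtlGetVersion.
// GetVersionEx() is deliberately not used: it is subject to compatibility shims and, on Windows 8.1
// and later, reports 6.2 / build 9200 to any executable without a matching supportedOS manifest,
// which would route an unrelated build into the 9200 entry of the patch table. RtlGetVersion is not
// shimmed. Returns FALSE if the export cannot be resolved or the call fails (NTSTATUS < 0).
static BOOL SidpQueryOsBuild(DWORD* pdwBuild)
{
    OSVERSIONINFOW osvi = {0};
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");   // always mapped; no LoadLibrary needed
    LPFN_RtlGetVersion pfnRtlGetVersion = NULL;

    if (hNtdll)
        pfnRtlGetVersion = (LPFN_RtlGetVersion)GetProcAddress(hNtdll, "RtlGetVersion");
    if (!pfnRtlGetVersion)
        return FALSE;
    osvi.dwOSVersionInfoSize = sizeof(osvi);
    if (pfnRtlGetVersion(&osvi) < 0)
        return FALSE;
    *pdwBuild = osvi.dwBuildNumber;
    return TRUE;
}

// Sets to 1 the byte inside KERNELBASE's private global data that CreateRemoteThreadEx tests before
// creating the thread (see the disassembly quoted at each case). The byte's offset is build-specific
// and was recovered with a debugger, so it is known only for the builds listed; on any other build the
// function refuses to write rather than poke an arbitrary field of KernelBaseGlobalData (the original
// code fell through with offset 0 and wrote there regardless).
// The write lands in the injector's own mapping of KERNELBASE's data section, not in the target, so it
// only influences CreateRemoteThread calls made from this process.
// NOTE(review): the quoted disassembly only shows that CreateRemoteThreadEx compares this byte with 0;
// presumably a non-zero value makes it skip the CSRSS notification that fails when the target lives in
// another session (system / session-0 processes) -- confirm in a debugger before depending on it.
// Returns FALSE when the build is unsupported or either undocumented export cannot be resolved.
static BOOL SidpPatchKernelBaseRemoteThreadCheck(void)
{
    DWORD dwBuild = 0;
    ULONG PatchOffset = 0;
    BOOL bKnownBuild = FALSE;
    HMODULE hKernelBase = NULL;
    LPFN_KernelBaseGetGlobalData pKernelBaseGetGlobalData = NULL;
    UCHAR* pGlobalData = NULL;

    if (!SidpQueryOsBuild(&dwBuild))
        return FALSE;

    // Patch position by build number.
    switch (dwBuild)
    {
    /*
    KERNELBASE!CreateRemoteThreadEx+0x224:
    000007fe`fdb1b184 803db156050000 cmp byte ptr [KERNELBASE!KernelBaseGlobalData+0x5c (000007fe`fdb7083c)],0
    */
    case 7600:   // Windows 7 RTM
    case 7601:   // Windows 7 SP1
        PatchOffset = 0x5C;
        bKnownBuild = TRUE;
        break;
    /*
    KERNELBASE!CreateRemoteThreadEx+0x1a8:
    000007fa`7859ef28 44380d35470b00 cmp byte ptr [KERNELBASE!KernelBaseGlobalData+0x4 (000007fa`78653664)],r9b
    */
    case 9200:   // Windows 8
        PatchOffset = 0x4;
        bKnownBuild = TRUE;
        break;
    default:
        break;
    }
    if (!bKnownBuild)
    {
        printf("unsupported build %lu: KernelBaseGlobalData offset unknown, not patching\n", dwBuild);
        return FALSE;
    }

    // KernelBaseGetGlobalData is undocumented and may be absent on other versions; never call it unchecked.
    hKernelBase = LoadLibraryW(L"KernelBase.dll");
    if (hKernelBase)
        pKernelBaseGetGlobalData = (LPFN_KernelBaseGetGlobalData)GetProcAddress(hKernelBase, "KernelBaseGetGlobalData");
    if (!pKernelBaseGetGlobalData)
        return FALSE;
    pGlobalData = (UCHAR*)pKernelBaseGetGlobalData();
    if (!pGlobalData)
        return FALSE;

    printf("PatchOffset: %lx\n", PatchOffset);
    pGlobalData[PatchOffset] = 1;
    return TRUE;
}

// Loads pwszProxyFile into process dwPID: the path is copied into the target with
// VirtualAllocEx/WriteProcessMemory and a remote thread is started at kernel32!LoadLibraryW with that
// copy as its argument. The classic technique relies on kernel32 being mapped at the same base in every
// process, so the injector's LoadLibraryW address is valid in the target; this holds for 64-bit targets
// of a 64-bit injector and not for WOW64 (32-bit) targets.
//
// dwPID         - target process id. For system processes the caller must already hold
//                 SeDebugPrivilege (main() enables it).
// pwszProxyFile - full path of the DLL, NUL-terminated and non-empty. A relative path would be resolved
//                 by the target's search order, not the injector's.
// Returns TRUE when the remote LoadLibraryW returned a non-zero module handle, FALSE otherwise with
// GetLastError() set: ERROR_INVALID_PARAMETER for a bad path, ERROR_MOD_NOT_FOUND when the DLL did not
// load inside the target, or the error of the Win32 call that failed.
// The KERNELBASE patch that allows cross-session targets is best effort: if it cannot be applied a
// warning is printed and the injection proceeds, which still works for targets in the caller's session.
BOOL WINAPI InjectDllExW(DWORD dwPID, PCWSTR pwszProxyFile)
{
    BOOL ret = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    FARPROC pfnThreadRtn = NULL;
    PWSTR pwszPara = NULL;
    SIZE_T cbPath = 0;
    SIZE_T cbWritten = 0;
    DWORD dwExitCode = 0;
    DWORD dwLastError = 0;

    if (!pwszProxyFile || !pwszProxyFile[0])
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }
    // Get the thread start routine before touching the target so a missing export fails cheaply.
    pfnThreadRtn = GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")), "LoadLibraryW");
    if (!pfnThreadRtn)
        return FALSE;

    // Least privilege: exactly the rights CreateRemoteThread, VirtualAllocEx and WriteProcessMemory
    // document, instead of PROCESS_ALL_ACCESS.
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION |
                           PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwPID);
    if (!hProcess)
        return FALSE;

    // Copy the path including its terminating NUL. The original sized the buffer as wcslen()*2 and only
    // worked because VirtualAllocEx hands out zero-filled whole pages that happened to terminate it.
    cbPath = (wcslen(pwszProxyFile) + 1) * sizeof(WCHAR);
    pwszPara = (PWSTR)VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT, PAGE_READWRITE);
    if (!pwszPara)
        goto cleanup;
    if (!WriteProcessMemory(hProcess, pwszPara, (PVOID)pwszProxyFile, cbPath, &cbWritten) || cbWritten != cbPath)
        goto cleanup;

    // Start patch (best effort, see the helper's comment).
    if (!SidpPatchKernelBaseRemoteThreadCheck())
        printf("warning: KERNELBASE patch not applied; targets in another session will fail\n");

    // Create remote thread
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnThreadRtn, pwszPara, 0, NULL);
    if (!hThread)
        goto cleanup;
    WaitForSingleObject(hThread, INFINITE);

    // The thread's exit code is the low 32 bits of LoadLibraryW's HMODULE: 0 means the DLL did not load.
    // (A module based at a 4 GiB-aligned address would also read as 0 -- a false negative, never a false
    // positive.) The real LoadLibrary error is only visible inside the target, so report a generic one.
    if (GetExitCodeThread(hThread, &dwExitCode) && dwExitCode != 0)
        ret = TRUE;
    else
        SetLastError(ERROR_MOD_NOT_FOUND);

cleanup:
    dwLastError = GetLastError();   // CloseHandle/VirtualFreeEx must not clobber the reported error
    if (hThread)
        CloseHandle(hThread);
    if (pwszPara)
        VirtualFreeEx(hProcess, pwszPara, 0, MEM_RELEASE);   // safe: the remote LoadLibraryW has returned
    CloseHandle(hProcess);
    SetLastError(dwLastError);
    return ret;
}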
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/SuperInsertDll/ntdll.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-1]RemoteThreadToSystemProcess/SuperInsertDll/ntdll.lib
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/TestDll.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-1]RemoteThreadToSystemProcess/TestDll.dll
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/TestDll/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | 动态链接库:TestDll 项目概述
3 | ========================================================================
4 |
5 | 应用程序向导已为您创建了此 TestDll DLL。
6 |
7 | 本文件概要介绍组成 TestDll 应用程序的每个文件的内容。
8 |
9 |
10 | TestDll.vcxproj
11 | 这是使用应用程序向导生成的 VC++ 项目的主项目文件,
12 | 其中包含生成该文件的 Visual C++
13 | 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
14 |
15 | TestDll.vcxproj.filters
16 | 这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。
17 | 它包含有关项目文件与筛选器之间的关联信息。 在 IDE
18 | 中,通过这种关联,在特定节点下以分组形式显示具有相似扩展名的文件。
19 | 例如,“.cpp”文件与“源文件”筛选器关联。
20 |
21 | TestDll.cpp
22 | 这是主 DLL 源文件。
23 |
24 | 此 DLL 在创建时不导出任何符号。 因此,在生成此 DLL 时
25 | 生成时不会产生 .lib 文件。 如果希望此项目
26 | 成为其他某个项目的项目依赖项,则需要
27 | 添加代码以从 DLL 导出某些符号,
28 | 以便产生一个导出库,或者,也可以在项目“属性页”对话框中的
29 | “链接器”文件夹中,将“常规”属性页上的
30 | “忽略输入库”属性设置为“是”。
31 |
32 | /////////////////////////////////////////////////////////////////////////////
33 | 其他标准文件:
34 |
35 | StdAfx.h,StdAfx.cpp
36 | 这些文件用于生成名为 TestDll.pch 的预编译头 (PCH) 文件和
37 | 名为 StdAfx.obj 的预编译类型文件。
38 |
39 | /////////////////////////////////////////////////////////////////////////////
40 | 其他注释:
41 |
42 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
43 |
44 | /////////////////////////////////////////////////////////////////////////////
45 |
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/TestDll/TestDll.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-1]RemoteThreadToSystemProcess/TestDll/TestDll.cpp
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/TestDll/TestDll.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TestDll", "TestDll.vcxproj", "{1F5E7610-AB49-4309-9A73-48A4407A9C71}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {1F5E7610-AB49-4309-9A73-48A4407A9C71}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {1F5E7610-AB49-4309-9A73-48A4407A9C71}.Debug|Win32.Build.0 = Debug|Win32
16 | {1F5E7610-AB49-4309-9A73-48A4407A9C71}.Debug|x64.ActiveCfg = Debug|x64
17 | {1F5E7610-AB49-4309-9A73-48A4407A9C71}.Debug|x64.Build.0 = Debug|x64
18 | {1F5E7610-AB49-4309-9A73-48A4407A9C71}.Release|Win32.ActiveCfg = Release|Win32
19 | {1F5E7610-AB49-4309-9A73-48A4407A9C71}.Release|Win32.Build.0 = Release|Win32
20 | {1F5E7610-AB49-4309-9A73-48A4407A9C71}.Release|x64.ActiveCfg = Release|x64
21 | {1F5E7610-AB49-4309-9A73-48A4407A9C71}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/TestDll/TestDll.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-1]RemoteThreadToSystemProcess/TestDll/TestDll.suo
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/TestDll/TestDll.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | 头文件
23 |
24 |
25 | 头文件
26 |
27 |
28 |
29 |
30 | 源文件
31 |
32 |
33 | 源文件
34 |
35 |
36 | 源文件
37 |
38 |
39 |
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/TestDll/TestDll.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/TestDll/dllmain.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-1]RemoteThreadToSystemProcess/TestDll/dllmain.cpp
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/TestDll/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-1]RemoteThreadToSystemProcess/TestDll/stdafx.cpp
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/TestDll/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-1]RemoteThreadToSystemProcess/TestDll/stdafx.h
--------------------------------------------------------------------------------
/[6-1]RemoteThreadToSystemProcess/TestDll/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-1]RemoteThreadToSystemProcess/TestDll/targetver.h
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook.exe
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/AntiHook.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/AntiHook.cpp
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/AntiHook.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AntiHook", "AntiHook.vcxproj", "{C637C9FA-AA18-4D34-A3D9-233B445A41C4}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {C637C9FA-AA18-4D34-A3D9-233B445A41C4}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {C637C9FA-AA18-4D34-A3D9-233B445A41C4}.Debug|Win32.Build.0 = Debug|Win32
16 | {C637C9FA-AA18-4D34-A3D9-233B445A41C4}.Debug|x64.ActiveCfg = Release|x64
17 | {C637C9FA-AA18-4D34-A3D9-233B445A41C4}.Debug|x64.Build.0 = Release|x64
18 | {C637C9FA-AA18-4D34-A3D9-233B445A41C4}.Release|Win32.ActiveCfg = Release|Win32
19 | {C637C9FA-AA18-4D34-A3D9-233B445A41C4}.Release|Win32.Build.0 = Release|Win32
20 | {C637C9FA-AA18-4D34-A3D9-233B445A41C4}.Release|x64.ActiveCfg = Release|x64
21 | {C637C9FA-AA18-4D34-A3D9-233B445A41C4}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/AntiHook.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/AntiHook.suo
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/AntiHook.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | 头文件
23 |
24 |
25 | 头文件
26 |
27 |
28 |
29 |
30 | 源文件
31 |
32 |
33 | 源文件
34 |
35 |
36 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/AntiHook.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | 控制台应用程序:AntiHook 项目概述
3 | ========================================================================
4 |
5 | 应用程序向导已为您创建了此 AntiHook 应用程序。
6 |
7 | 本文件概要介绍组成 AntiHook 应用程序的每个文件的内容。
8 |
9 |
10 | AntiHook.vcxproj
11 | 这是使用应用程序向导生成的 VC++ 项目的主项目文件,
12 | 其中包含生成该文件的 Visual C++
13 | 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
14 |
15 | AntiHook.vcxproj.filters
16 | 这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。
17 | 它包含有关项目文件与筛选器之间的关联信息。 在 IDE
18 | 中,通过这种关联,在特定节点下以分组形式显示具有相似扩展名的文件。
19 | 例如,“.cpp”文件与“源文件”筛选器关联。
20 |
21 | AntiHook.cpp
22 | 这是主应用程序源文件。
23 |
24 | /////////////////////////////////////////////////////////////////////////////
25 | 其他标准文件:
26 |
27 | StdAfx.h,StdAfx.cpp
28 | 这些文件用于生成名为 AntiHook.pch 的预编译头 (PCH) 文件和
29 | 名为 StdAfx.obj 的预编译类型文件。
30 |
31 | /////////////////////////////////////////////////////////////////////////////
32 | 其他注释:
33 |
34 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
35 |
36 | /////////////////////////////////////////////////////////////////////////////
37 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/_HookTest/!!复制全部文件到C盘根目录:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/_HookTest/!!复制全部文件到C盘根目录
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/_HookTest/AntiHook.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/_HookTest/AntiHook.exe
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/_HookTest/Calculator.lnk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/_HookTest/Calculator.lnk
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/_HookTest/HookDll.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/_HookTest/HookDll.dll
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/_HookTest/InjectDllx64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/_HookTest/InjectDllx64.exe
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/_HookTest/NtHookEngine.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/_HookTest/NtHookEngine.dll
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/_HookTest/desktop.ini:
--------------------------------------------------------------------------------
1 | [LocalizedFileNames]
2 | Calculator.lnk=@%SystemRoot%\system32\shell32.dll,-22019
3 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/stdafx.cpp
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/stdafx.h
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/AntiHook/targetver.h
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/Calculator.lnk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/Calculator.lnk
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/HookDll.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/HookDll.dll
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/HookZwReadFile/HookDll.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/HookZwReadFile/HookDll.cpp
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/HookZwReadFile/HookDll.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HookDll", "HookDll.vcxproj", "{B26A90D2-84C8-421B-951B-1F155C5AC649}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {B26A90D2-84C8-421B-951B-1F155C5AC649}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {B26A90D2-84C8-421B-951B-1F155C5AC649}.Debug|Win32.Build.0 = Debug|Win32
16 | {B26A90D2-84C8-421B-951B-1F155C5AC649}.Debug|x64.ActiveCfg = Release|x64
17 | {B26A90D2-84C8-421B-951B-1F155C5AC649}.Debug|x64.Build.0 = Release|x64
18 | {B26A90D2-84C8-421B-951B-1F155C5AC649}.Release|Win32.ActiveCfg = Release|Win32
19 | {B26A90D2-84C8-421B-951B-1F155C5AC649}.Release|Win32.Build.0 = Release|Win32
20 | {B26A90D2-84C8-421B-951B-1F155C5AC649}.Release|x64.ActiveCfg = Release|x64
21 | {B26A90D2-84C8-421B-951B-1F155C5AC649}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/HookZwReadFile/HookDll.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/HookZwReadFile/HookDll.suo
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/HookZwReadFile/HookDll.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | 头文件
23 |
24 |
25 | 头文件
26 |
27 |
28 |
29 |
30 | 源文件
31 |
32 |
33 | 源文件
34 |
35 |
36 | 源文件
37 |
38 |
39 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/HookZwReadFile/HookDll.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/HookZwReadFile/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | 动态链接库:HookDll 项目概述
3 | ========================================================================
4 |
5 | 应用程序向导已为您创建了此 HookDll DLL。
6 |
7 | 本文件概要介绍组成 HookDll 应用程序的每个文件的内容。
8 |
9 |
10 | HookDll.vcxproj
11 | 这是使用应用程序向导生成的 VC++ 项目的主项目文件,
12 | 其中包含生成该文件的 Visual C++
13 | 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
14 |
15 | HookDll.vcxproj.filters
16 | 这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。
17 | 它包含有关项目文件与筛选器之间的关联信息。 在 IDE
18 | 中,通过这种关联,在特定节点下以分组形式显示具有相似扩展名的文件。
19 | 例如,“.cpp”文件与“源文件”筛选器关联。
20 |
21 | HookDll.cpp
22 | 这是主 DLL 源文件。
23 |
24 | 此 DLL 在创建时不导出任何符号。 因此,在生成此 DLL 时
25 | 生成时不会产生 .lib 文件。 如果希望此项目
26 | 成为其他某个项目的项目依赖项,则需要
27 | 添加代码以从 DLL 导出某些符号,
28 | 以便产生一个导出库,或者,也可以在项目“属性页”对话框中的
29 | “链接器”文件夹中,将“常规”属性页上的
30 | “忽略输入库”属性设置为“是”。
31 |
32 | /////////////////////////////////////////////////////////////////////////////
33 | 其他标准文件:
34 |
35 | StdAfx.h,StdAfx.cpp
36 | 这些文件用于生成名为 HookDll.pch 的预编译头 (PCH) 文件和
37 | 名为 StdAfx.obj 的预编译类型文件。
38 |
39 | /////////////////////////////////////////////////////////////////////////////
40 | 其他注释:
41 |
42 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
43 |
44 | /////////////////////////////////////////////////////////////////////////////
45 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/HookZwReadFile/__TEST/desktop.ini:
--------------------------------------------------------------------------------
1 | [LocalizedFileNames]
2 | Calculator.lnk=@%SystemRoot%\system32\shell32.dll,-22019
3 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/HookZwReadFile/dllmain.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/HookZwReadFile/dllmain.cpp
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/HookZwReadFile/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/HookZwReadFile/stdafx.cpp
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/HookZwReadFile/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/HookZwReadFile/stdafx.h
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/HookZwReadFile/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/HookZwReadFile/targetver.h
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/InjectDllx64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/InjectDllx64.exe
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/NtHookEngine.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/NtHookEngine.dll
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/desktop.ini:
--------------------------------------------------------------------------------
1 | [LocalizedFileNames]
2 | Calculator.lnk=@%SystemRoot%\system32\shell32.dll,-22019
3 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/anti-hook/复制全部文件到C盘根目录:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/anti-hook/复制全部文件到C盘根目录
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/Calculator.lnk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/Calculator.lnk
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/HookDll.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/HookDll.dll
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/HookDll/HookDll.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/HookDll/HookDll.cpp
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/HookDll/HookDll.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HookDll", "HookDll.vcxproj", "{B26A90D2-84C8-421B-951B-1F155C5AC649}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {B26A90D2-84C8-421B-951B-1F155C5AC649}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {B26A90D2-84C8-421B-951B-1F155C5AC649}.Debug|Win32.Build.0 = Debug|Win32
16 | {B26A90D2-84C8-421B-951B-1F155C5AC649}.Debug|x64.ActiveCfg = Release|x64
17 | {B26A90D2-84C8-421B-951B-1F155C5AC649}.Debug|x64.Build.0 = Release|x64
18 | {B26A90D2-84C8-421B-951B-1F155C5AC649}.Release|Win32.ActiveCfg = Release|Win32
19 | {B26A90D2-84C8-421B-951B-1F155C5AC649}.Release|Win32.Build.0 = Release|Win32
20 | {B26A90D2-84C8-421B-951B-1F155C5AC649}.Release|x64.ActiveCfg = Release|x64
21 | {B26A90D2-84C8-421B-951B-1F155C5AC649}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/HookDll/HookDll.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/HookDll/HookDll.suo
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/HookDll/HookDll.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | 头文件
23 |
24 |
25 | 头文件
26 |
27 |
28 |
29 |
30 | 源文件
31 |
32 |
33 | 源文件
34 |
35 |
36 | 源文件
37 |
38 |
39 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/HookDll/HookDll.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/HookDll/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | 动态链接库:HookDll 项目概述
3 | ========================================================================
4 |
5 | 应用程序向导已为您创建了此 HookDll DLL。
6 |
7 | 本文件概要介绍组成 HookDll 应用程序的每个文件的内容。
8 |
9 |
10 | HookDll.vcxproj
11 | 这是使用应用程序向导生成的 VC++ 项目的主项目文件,
12 | 其中包含生成该文件的 Visual C++
13 | 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
14 |
15 | HookDll.vcxproj.filters
16 | 这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。
17 | 它包含有关项目文件与筛选器之间的关联信息。 在 IDE
18 | 中,通过这种关联,在特定节点下以分组形式显示具有相似扩展名的文件。
19 | 例如,“.cpp”文件与“源文件”筛选器关联。
20 |
21 | HookDll.cpp
22 | 这是主 DLL 源文件。
23 |
24 | 此 DLL 在创建时不导出任何符号。 因此,在生成此 DLL 时
25 | 不会产生 .lib 文件。 如果希望此项目
26 | 成为其他某个项目的项目依赖项,则需要
27 | 添加代码以从 DLL 导出某些符号,
28 | 以便产生一个导出库,或者,也可以在项目“属性页”对话框中的
29 | “链接器”文件夹中,将“常规”属性页上的
30 | “忽略输入库”属性设置为“是”。
31 |
32 | /////////////////////////////////////////////////////////////////////////////
33 | 其他标准文件:
34 |
35 | StdAfx.h,StdAfx.cpp
36 | 这些文件用于生成名为 HookDll.pch 的预编译头 (PCH) 文件和
37 | 名为 StdAfx.obj 的预编译类型文件。
38 |
39 | /////////////////////////////////////////////////////////////////////////////
40 | 其他注释:
41 |
42 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
43 |
44 | /////////////////////////////////////////////////////////////////////////////
45 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/HookDll/dllmain.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/HookDll/dllmain.cpp
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/HookDll/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/HookDll/stdafx.cpp
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/HookDll/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/HookDll/stdafx.h
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/HookDll/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/HookDll/targetver.h
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/InjectDllx64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/InjectDllx64.exe
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/InjectDllx64/InjectDllx64.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InjectDllx64", "InjectDllx64.vcxproj", "{5CD28E56-0B26-4D9A-B337-D584EE27EB69}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {5CD28E56-0B26-4D9A-B337-D584EE27EB69}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {5CD28E56-0B26-4D9A-B337-D584EE27EB69}.Debug|Win32.Build.0 = Debug|Win32
16 | {5CD28E56-0B26-4D9A-B337-D584EE27EB69}.Debug|x64.ActiveCfg = Debug|x64
17 | {5CD28E56-0B26-4D9A-B337-D584EE27EB69}.Debug|x64.Build.0 = Debug|x64
18 | {5CD28E56-0B26-4D9A-B337-D584EE27EB69}.Release|Win32.ActiveCfg = Release|Win32
19 | {5CD28E56-0B26-4D9A-B337-D584EE27EB69}.Release|Win32.Build.0 = Release|Win32
20 | {5CD28E56-0B26-4D9A-B337-D584EE27EB69}.Release|x64.ActiveCfg = Release|x64
21 | {5CD28E56-0B26-4D9A-B337-D584EE27EB69}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/InjectDllx64/InjectDllx64.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/InjectDllx64/InjectDllx64.suo
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/InjectDllx64/InjectDllx64.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 头文件
20 |
21 |
22 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/InjectDllx64/InjectDllx64.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/InjectDllx64/main.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
/*
 * InjectProxyW - load the DLL at pwszProxyFile into process dwPID by creating
 * a remote thread whose start routine is kernel32!LoadLibraryW.
 *
 * This is the textbook remote-thread injection chain
 * (OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread).
 * It is also one of the most closely watched behaviours on Windows endpoints:
 * a thread created from another process with a start address inside kernel32
 * is a strong signal for defensive tooling, so expect this sequence to be
 * logged or blocked outside a lab.
 *
 * dwPID         - id of the target process.
 * pwszProxyFile - full path of the DLL to load, as a wide string.
 *
 * Returns TRUE unconditionally.  None of the Win32 calls below has its result
 * checked, so a failed OpenProcess (access denied, protected target, wrong
 * bitness) silently continues with hProcess == NULL and every later call
 * fails in turn.
 */
BOOL WINAPI InjectProxyW(DWORD dwPID, PCWSTR pwszProxyFile)
{
    BOOL ret = FALSE;             // never updated; the function returns TRUE below
    HANDLE hToken = NULL;         // unused
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    FARPROC pfnThreadRtn = NULL;
    PWSTR pwszPara = NULL;
    // Asks for every right on the target; the handle is not validated.
    hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE, dwPID);
    // The local address of LoadLibraryW is reused as the remote thread's start
    // routine, which relies on kernel32 being mapped at the same base in the
    // target (same-bitness processes; this build is x64, judging by the
    // project name).
    pfnThreadRtn = GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
    // Byte count derived from wcslen(); the author's trailing note flags this
    // as a possible source of a bad length.
    size_t iProxyFileLen = wcslen(pwszProxyFile)*sizeof(WCHAR); //May be in your case iProxyFileLen containes invalid value.
    // Read/write page in the target that receives the DLL path.
    pwszPara = (PWSTR)VirtualAllocEx(hProcess, NULL, iProxyFileLen, MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(hProcess, pwszPara, (PVOID)pwszProxyFile, iProxyFileLen, NULL);
    // Remote thread with a 1 KiB requested stack; its single argument is the
    // path just copied in, so LoadLibraryW(path) executes inside the target.
    hThread = CreateRemoteThread(hProcess, NULL, 1024, (LPTHREAD_START_ROUTINE)pfnThreadRtn, pwszPara, 0, NULL);
    // Blocks until the remote LoadLibraryW call returns.
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    // Only the path buffer is released here.
    VirtualFreeEx(hProcess, pwszPara, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    return(TRUE);
}
24 |
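/*
 * main - interactive driver for InjectProxyW: reads a pid and a DLL path from
 * stdin, runs the injection, then waits for two keypresses.
 *
 * The original read the path with an unbounded "%ws", so any line longer than
 * MAX_PATH-1 characters overran dllname on the stack.  The conversion is now
 * width-limited, the pid is read with the unsigned conversion matching DWORD,
 * and a malformed input exits with status 1 instead of injecting garbage.
 *
 * Returns 0 on completion, 1 if either prompt received unusable input.
 */
int main()
{
    WCHAR dllname[MAX_PATH];
    DWORD dwPID = 0;

    printf("input pid: ");
    // DWORD is unsigned long, so %lu (not %ld) is the matching conversion.
    if (scanf("%lu", &dwPID) != 1)
    {
        printf("invalid pid\n");
        return 1;
    }

    printf("input dll full path: ");
    // 259 == MAX_PATH - 1: leaves room for the terminator and stops scanf
    // from writing past the end of dllname on a long line.
    if (scanf("%259ws", dllname) != 1)
    {
        printf("invalid dll path\n");
        return 1;
    }

    //InjectProxyW(dwPID,L"C:\\DLL_TEST.DLL");
    InjectProxyW(dwPID, dllname);
    getchar();
    printf("inject over!");
    getchar();
    return 0;
}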
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/NtHookEngine.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NtHookEngine", "NtHookEngine\NtHookEngine.vcxproj", "{99548A9D-3206-4547-90C0-D4120D4DB3B4}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {99548A9D-3206-4547-90C0-D4120D4DB3B4}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {99548A9D-3206-4547-90C0-D4120D4DB3B4}.Debug|Win32.Build.0 = Debug|Win32
16 | {99548A9D-3206-4547-90C0-D4120D4DB3B4}.Debug|x64.ActiveCfg = Debug|x64
17 | {99548A9D-3206-4547-90C0-D4120D4DB3B4}.Debug|x64.Build.0 = Debug|x64
18 | {99548A9D-3206-4547-90C0-D4120D4DB3B4}.Release|Win32.ActiveCfg = Release|Win32
19 | {99548A9D-3206-4547-90C0-D4120D4DB3B4}.Release|Win32.Build.0 = Release|Win32
20 | {99548A9D-3206-4547-90C0-D4120D4DB3B4}.Release|x64.ActiveCfg = Release|x64
21 | {99548A9D-3206-4547-90C0-D4120D4DB3B4}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/NtHookEngine/NtHookEngine.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/NtHookEngine/NtHookEngine.rc
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/NtHookEngine/NtHookEngine.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/NtHookEngine/NtHookEngine.suo
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/NtHookEngine/NtHookEngine.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 |
26 |
27 | Header Files
28 |
29 |
30 | Header Files
31 |
32 |
33 | Header Files
34 |
35 |
36 |
37 |
38 | Resource Files
39 |
40 |
41 |
42 |
43 |
44 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/NtHookEngine/NtHookEngine.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/NtHookEngine/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : NtHookEngine Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this NtHookEngine DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your NtHookEngine application.
9 |
10 |
11 | NtHookEngine.vcproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | NtHookEngine.cpp
18 | This is the main DLL source file.
19 |
20 | When created, this DLL does not export any symbols. As a result, it
21 | will not produce a .lib file when it is built. If you wish this project
22 | to be a project dependency of some other project, you will either need to
23 | add code to export some symbols from the DLL so that an export library
24 | will be produced, or you can set the Ignore Input Library property to Yes
25 | on the General property page of the Linker folder in the project's Property
26 | Pages dialog box.
27 |
28 | /////////////////////////////////////////////////////////////////////////////
29 | Other standard files:
30 |
31 | StdAfx.h, StdAfx.cpp
32 | These files are used to build a precompiled header (PCH) file
33 | named NtHookEngine.pch and a precompiled types file named StdAfx.obj.
34 |
35 | /////////////////////////////////////////////////////////////////////////////
36 | Other notes:
37 |
38 | AppWizard uses "TODO:" comments to indicate parts of the source code you
39 | should add to or customize.
40 |
41 | /////////////////////////////////////////////////////////////////////////////
42 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/NtHookEngine/distorm_x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/NtHookEngine/distorm_x64.lib
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/NtHookEngine/distorm_x86.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/NtHookEngine/distorm_x86.lib
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/NtHookEngine/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by NtHookEngine.rc
4 |
5 | // Next default values for new objects
6 | //
7 | #ifdef APSTUDIO_INVOKED
8 | #ifndef APSTUDIO_READONLY_SYMBOLS
9 | #define _APS_NEXT_RESOURCE_VALUE 101
10 | #define _APS_NEXT_COMMAND_VALUE 40001
11 | #define _APS_NEXT_CONTROL_VALUE 1001
12 | #define _APS_NEXT_SYMED_VALUE 101
13 | #endif
14 | #endif
15 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/NtHookEngine/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // NtHookEngine.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/NtHookEngine/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | // Modify the following defines if you have to target a platform prior to the ones specified below.
9 | // Refer to MSDN for the latest info on corresponding values for different platforms.
10 | #ifndef WINVER // Allow use of features specific to Windows XP or later.
11 | #define WINVER 0x0501 // Change this to the appropriate value to target other versions of Windows.
12 | #endif
13 |
14 | #ifndef _WIN32_WINNT // Allow use of features specific to Windows XP or later.
15 | #define _WIN32_WINNT 0x0501 // Change this to the appropriate value to target other versions of Windows.
16 | #endif
17 |
18 | #ifndef _WIN32_WINDOWS // Allow use of features specific to Windows 98 or later.
19 | #define _WIN32_WINDOWS 0x0410 // Change this to the appropriate value to target Windows Me or later.
20 | #endif
21 |
22 | #ifndef _WIN32_IE // Allow use of features specific to IE 6.0 or later.
23 | #define _WIN32_IE 0x0600 // Change this to the appropriate value to target other versions of IE.
24 | #endif
25 |
26 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
27 | // Windows Header Files:
28 | #include
29 |
30 |
31 |
32 | // TODO: reference additional headers your program requires here
33 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/release/NtHookEngine.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/release/NtHookEngine.dll
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/release/NtHookEngine.exp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/release/NtHookEngine.exp
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/release/NtHookEngine.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/release/NtHookEngine.lib
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/x64/release/NtHookEngine.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/x64/release/NtHookEngine.dll
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/x64/release/NtHookEngine.exp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/x64/release/NtHookEngine.exp
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/x64/release/NtHookEngine.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/MiniHookEngineForX86X64/x64/release/NtHookEngine.lib
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/NtHookEngine.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/NtHookEngine.dll
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/desktop.ini:
--------------------------------------------------------------------------------
1 | [LocalizedFileNames]
2 | Calculator.lnk=@%SystemRoot%\system32\shell32.dll,-22019
3 |
--------------------------------------------------------------------------------
/[6-2]Ring3InlineHookAntiHook/hook/复制全部文件到C盘根目录:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-2]Ring3InlineHookAntiHook/hook/复制全部文件到C盘根目录
--------------------------------------------------------------------------------
/[6-3]Ring3EatIatHook/EAT_IAT_HOOK_TEST32/main.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-3]Ring3EatIatHook/EAT_IAT_HOOK_TEST32/main.cpp
--------------------------------------------------------------------------------
/[6-3]Ring3EatIatHook/EAT_IAT_HOOK_TEST32/test.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-3]Ring3EatIatHook/EAT_IAT_HOOK_TEST32/test.exe
--------------------------------------------------------------------------------
/[6-3]Ring3EatIatHook/EAT_IAT_HOOK_TEST64/main.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-3]Ring3EatIatHook/EAT_IAT_HOOK_TEST64/main.cpp
--------------------------------------------------------------------------------
/[6-3]Ring3EatIatHook/EAT_IAT_HOOK_TEST64/test.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[6-3]Ring3EatIatHook/EAT_IAT_HOOK_TEST64/test.exe
--------------------------------------------------------------------------------
/[7-1]EnumRemoveProcessThreadNotify/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[7-1]EnumRemoveProcessThreadNotify/MyDriver.c
--------------------------------------------------------------------------------
/[7-1]EnumRemoveProcessThreadNotify/MyDriver.h:
--------------------------------------------------------------------------------
1 | #include
2 |
3 | #define dprintf DbgPrint
4 |
5 | #define DEVICE_NAME L"\\Device\\EnumProcessThreadNotify64"
6 | #define LINK_NAME L"\\DosDevices\\EnumProcessThreadNotify64"
7 | #define LINK_GLOBAL_NAME L"\\DosDevices\\Global\\EnumProcessThreadNotify64"
8 |
9 | //#define IOCTL_ULR3IN CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS) //In LONG
--------------------------------------------------------------------------------
/[7-1]EnumRemoveProcessThreadNotify/ProcNotify.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[7-1]EnumRemoveProcessThreadNotify/ProcNotify.h
--------------------------------------------------------------------------------
/[7-1]EnumRemoveProcessThreadNotify/ThrdNotify.h:
--------------------------------------------------------------------------------
1 |
/* First demo thread-creation callback: only announces itself on the kernel
 * debugger output.  The ProcessId/ThreadId/Create arguments supplied by the
 * system are ignored. */
void CreateThreadNotify1(IN HANDLE ProcessId, IN HANDLE ThreadId, IN BOOLEAN Create)
{
    DbgPrint("CreateThreadNotify1\n");
}
11 |
/* Second demo thread-creation callback, identical to the first apart from
 * the string it prints; registered alongside it so the enumeration code has
 * more than one routine to find. */
void CreateThreadNotify2(IN HANDLE ProcessId, IN HANDLE ThreadId, IN BOOLEAN Create)
{
    DbgPrint("CreateThreadNotify2\n");
}
21 |
/*
 * CreateThreadNotifyTest - register (Remove == FALSE) or unregister
 * (Remove == TRUE) the two demo thread-creation callbacks above.
 *
 * The NTSTATUS returned by PsSetCreateThreadNotifyRoutine and
 * PsRemoveCreateThreadNotifyRoutine is discarded, so a registration that
 * fails (or a removal of a routine that was never installed) goes unnoticed.
 */
void CreateThreadNotifyTest(BOOLEAN Remove)
{
    if (Remove)
    {
        PsRemoveCreateThreadNotifyRoutine(CreateThreadNotify1);
        PsRemoveCreateThreadNotifyRoutine(CreateThreadNotify2);
        return;
    }

    PsSetCreateThreadNotifyRoutine(CreateThreadNotify1);
    PsSetCreateThreadNotifyRoutine(CreateThreadNotify2);
}
35 |
36 | ULONG64 FindPspCreateThreadNotifyRoutine()
37 | {
38 | ULONG64 i=0,pCheckArea=0;
39 | UNICODE_STRING unstrFunc;
40 | RtlInitUnicodeString(&unstrFunc, L"PsSetCreateThreadNotifyRoutine");
41 | pCheckArea = (ULONG64)MmGetSystemRoutineAddress (&unstrFunc);
42 | DbgPrint("PsSetCreateThreadNotifyRoutine: %llx",pCheckArea);
43 | for(i=pCheckArea;i
2 |
3 | #define dprintf DbgPrint
4 |
5 | #define DEVICE_NAME L"\\Device\\EnumRemoveImageNotify"
6 | #define LINK_NAME L"\\DosDevices\\EnumRemoveImageNotify"
7 | #define LINK_GLOBAL_NAME L"\\DosDevices\\Global\\EnumRemoveImageNotify"
8 |
9 | //#define IOCTL_ULR3IN CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS) //In LONG
--------------------------------------------------------------------------------
/[7-2]EnumRemoveImageNotify/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[7-2]EnumRemoveImageNotify/objfre_win7_amd64/amd64/EnumRemoveImageNotify.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[7-2]EnumRemoveImageNotify/objfre_win7_amd64/amd64/EnumRemoveImageNotify.sys
--------------------------------------------------------------------------------
/[7-2]EnumRemoveImageNotify/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=EnumRemoveImageNotify
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[7-3]EnumRemoveCmpCallback/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[7-3]EnumRemoveCmpCallback/MyDriver.c
--------------------------------------------------------------------------------
/[7-3]EnumRemoveCmpCallback/MyDriver.h:
--------------------------------------------------------------------------------
1 | #include
2 |
3 | #define dprintf DbgPrint
4 |
5 | #define DEVICE_NAME L"\\Device\\EnumRemoveCmpCallback"
6 | #define LINK_NAME L"\\DosDevices\\EnumRemoveCmpCallback"
7 | #define LINK_GLOBAL_NAME L"\\DosDevices\\Global\\EnumRemoveCmpCallback"
8 |
9 | //#define IOCTL_ULR3IN CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS) //In LONG
--------------------------------------------------------------------------------
/[7-3]EnumRemoveCmpCallback/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[7-3]EnumRemoveCmpCallback/objfre_win7_amd64/amd64/EnumRemoveCmpCallback.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[7-3]EnumRemoveCmpCallback/objfre_win7_amd64/amd64/EnumRemoveCmpCallback.sys
--------------------------------------------------------------------------------
/[7-3]EnumRemoveCmpCallback/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=EnumRemoveCmpCallback
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[7-4]EnumRemoveObCallback/MyDriver.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include "MyDriver.h"
3 |
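/*
 * DriverUnload - tear down what DriverEntry created: the DOS-device symbolic
 * link and the single control device.
 *
 * The link name is selected with the same IoIsWdmVersionAvailable(1, 0x10)
 * test DriverEntry uses, so the name deleted here is the one that was
 * actually created (LINK_GLOBAL_NAME on WDM 1.10 and later, LINK_NAME
 * otherwise).  The original always deleted LINK_NAME; from system context
 * both names generally resolve to the same global object, but mirroring the
 * selection removes the hidden coupling between the two routines.
 *
 * pDriverObj - the driver object; its DeviceObject is the device created in
 *              DriverEntry.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    UNICODE_STRING strLink;

    if (IoIsWdmVersionAvailable(1, 0x10))
        RtlInitUnicodeString(&strLink, LINK_GLOBAL_NAME);
    else
        RtlInitUnicodeString(&strLink, LINK_NAME);

    IoDeleteSymbolicLink(&strLink);
    IoDeleteDevice(pDriverObj->DeviceObject);
}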
11 |
/*
 * DispatchCreate - IRP_MJ_CREATE handler.
 *
 * Every open of the control device is accepted: the IRP is marked successful
 * with no bytes transferred and completed without a priority boost.  No
 * caller checks are performed here, so access to the device is governed
 * solely by the device object's security descriptor.
 */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    const NTSTATUS result = STATUS_SUCCESS;

    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = result;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    return result;
}
19 |
/*
 * DispatchClose - IRP_MJ_CLOSE handler.
 *
 * Mirrors DispatchCreate: nothing is allocated per open, so close simply
 * completes the IRP with STATUS_SUCCESS and an Information count of zero.
 */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    const NTSTATUS result = STATUS_SUCCESS;

    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = result;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    return result;
}
27 |
/*
 * DispatchIoctl - IRP_MJ_DEVICE_CONTROL handler.
 *
 * This test driver defines no control codes, so every request is completed
 * with STATUS_INVALID_DEVICE_REQUEST and zero bytes returned.  The buffer
 * and length locals are decoded from the stack location so that a future
 * case can use them; with the switch empty they are never read.  Note that
 * Information is set to the caller-supplied output length only when status
 * is exactly STATUS_SUCCESS, not for any NT_SUCCESS value.
 */
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);
    ULONG controlCode = stack->Parameters.DeviceIoControl.IoControlCode;
    PVOID ioBuffer = pIrp->AssociatedIrp.SystemBuffer;
    ULONG inLength = stack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG outLength = stack->Parameters.DeviceIoControl.OutputBufferLength;
    NTSTATUS status;

    switch (controlCode)
    {
    default:
        /* No IOCTLs are implemented in this driver. */
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    pIrp->IoStatus.Information = (status == STATUS_SUCCESS) ? outLength : 0;
    pIrp->IoStatus.Status = status;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    return status;
}
53 |
/*
 * DriverEntry - registers the dispatch routines, creates the control device
 * and its user-visible symbolic link, then runs the callback enumeration.
 *
 * pDriverObj:      driver object supplied by the I/O manager.
 * pRegistryString: the driver's service key path; unused here.
 *
 * Returns the failure status of IoCreateDevice or IoCreateSymbolicLink when
 * either fails (the device is deleted again in the latter case).  Otherwise
 * returns STATUS_SUCCESS - also when GetVersionAndHardCode() reports failure,
 * which is only logged; the driver then stays loaded with its device exposed
 * but EnumObCallbacks() is not run.  Both helpers are declared in MyDriver.h;
 * what they do is not visible in this file.
 *
 * Note (review): the device is created with IoCreateDevice and no explicit
 * security descriptor, and is reachable through a \DosDevices link, so the
 * I/O manager's default (broad) DACL decides who can open it.  Today no IOCTL
 * is implemented; if any is added, give the device an explicit SDDL
 * (IoCreateDeviceSecure) rather than relying on the default.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    NTSTATUS status;
    UNICODE_STRING devName;
    UNICODE_STRING linkName;
    PDEVICE_OBJECT devObj = NULL;

    (void)pRegistryString;

    /* Dispatch table: only create, close and device-control are handled. */
    pDriverObj->DriverUnload = DriverUnload;
    pDriverObj->MajorFunction[IRP_MJ_CREATE]         = DispatchCreate;
    pDriverObj->MajorFunction[IRP_MJ_CLOSE]          = DispatchClose;
    pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;

    RtlInitUnicodeString(&devName, DEVICE_NAME);
    status = IoCreateDevice(pDriverObj, 0, &devName, FILE_DEVICE_UNKNOWN, 0, FALSE, &devObj);
    if (!NT_SUCCESS(status))
        return status;

    /* Newer WDM versions get LINK_GLOBAL_NAME (presumably the \DosDevices\Global\
       form); older ones get LINK_NAME.  DriverUnload must delete the same name. */
    RtlInitUnicodeString(&linkName,
                         IoIsWdmVersionAvailable(1, 0x10) ? LINK_GLOBAL_NAME : LINK_NAME);
    status = IoCreateSymbolicLink(&linkName, &devName);
    if (!NT_SUCCESS(status))
    {
        IoDeleteDevice(devObj);
        return status;
    }

    /* Version-dependent setup first; the enumeration only runs if it succeeded. */
    if (GetVersionAndHardCode())
        EnumObCallbacks();
    else
        DbgPrint("GetVersionAndHardCode failed!\n");

    return STATUS_SUCCESS;
}
--------------------------------------------------------------------------------
/[7-4]EnumRemoveObCallback/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the components of NT OS/2
5 | #
6 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[7-4]EnumRemoveObCallback/objfre_win7_amd64/amd64/EnumRemoveObCallback.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[7-4]EnumRemoveObCallback/objfre_win7_amd64/amd64/EnumRemoveObCallback.sys
--------------------------------------------------------------------------------
/[7-4]EnumRemoveObCallback/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=EnumRemoveObCallback
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 |
5 | INCLUDES=.\
6 |
7 | SOURCES = MyDriver.c
--------------------------------------------------------------------------------
/[7-5]EnumAntiMiniFilter/MyDriver.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include "mydriver.h"
3 |
/*
 * DriverUnload - logs the unload.  DriverEntry creates no device, link or
 * registration in this file, so there is nothing to release here.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject;
    DbgPrint("EnumAntiMiniFilter unload\n");
}
8 |
/*
 * DriverEntry - installs the unload routine and runs EnumMiniFilter() once at
 * load time.
 *
 * EnumMiniFilter() is declared in mydriver.h; judging by the name it walks the
 * registered minifilters, but its behaviour and return value are not visible
 * here and the result is not checked.  Load always reports STATUS_SUCCESS.
 *
 * Note (review): everything this driver does happens at load, so the place to
 * observe it is driver-load telemetry (service creation and image-load events),
 * not a device or IOCTL interface - none is created.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    (void)RegistryPath;

    DriverObject->DriverUnload = DriverUnload;
    EnumMiniFilter();

    return STATUS_SUCCESS;
}
--------------------------------------------------------------------------------
/[7-5]EnumAntiMiniFilter/makefile:
--------------------------------------------------------------------------------
1 | #
2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
3 | # file to this component. This file merely indirects to the real make file
4 | # that is shared by all the driver components of the Windows NT DDK
5 | #
6 |
7 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/[7-5]EnumAntiMiniFilter/objfre_win7_amd64/amd64/EnumAntiMiniFilter.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/Win64DriverStudy_Src/11ed0720a5d4b6d040ba35b05a22bf4bdbdfefea/[7-5]EnumAntiMiniFilter/objfre_win7_amd64/amd64/EnumAntiMiniFilter.sys
--------------------------------------------------------------------------------
/[7-5]EnumAntiMiniFilter/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=EnumAntiMiniFilter
2 | TARGETTYPE=DRIVER
3 | TARGETPATH=obj
4 | LINKER_FLAGS=/INTEGRITYCHECK
5 |
6 | INCLUDES=.\
7 |
8 | SOURCES = MyDriver.c
9 |
10 | C_DEFINES=$(C_DEFINES) -DBINARY_COMPATIBLE=0 -DNT -DUNICODE -D_UNICODE -DNDIS60 -DNDIS_SUPPORT_NDIS6
11 |
12 | TARGETLIBS=\
13 | $(DDK_LIB_PATH)\fltmgr.lib \
14 | $(DDK_LIB_PATH)\ntoskrnl.lib \
15 | $(DDK_LIB_PATH)\ndis.lib \
16 | $(DDK_LIB_PATH)\fwpkclnt.lib \
17 | $(SDK_LIB_PATH)\uuid.lib \
18 | $(IFSKIT_LIB_PATH)\fltMgr.lib
--------------------------------------------------------------------------------