#include "ntddk.h"
// Relative due-time helpers for LARGE_INTEGER timer arguments (negative =
// relative, in 100 ns units, so -10 is one microsecond). Neither macro is
// referenced anywhere in the code visible here; PassObjTime is set directly
// with -10000 * 100 in RecoveryValidAccessMask instead.
#define DELAY_ONE_MICROSECOND (-10)
#define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)
// Timer/DPC pair that re-runs RemoveVaildMaskObj periodically, plus the
// relative due time passed to KeSetTimer. File-scope globals without any
// synchronisation; initialised once in RecoveryValidAccessMask.
KTIMER PassObjTimer;
KDPC PassObjDpc;
LARGE_INTEGER PassObjTime;
// Holds an *address* (not a value): the kernel field that the DPC writes
// through. NOTE(review): declared here as "ValIDAccessmask", but every use
// below (RemoveVaildMaskObj, RecoveryValidAccessMask) spells it
// "Validaccessmask". C identifiers are case-sensitive, so the file as pasted
// does not compile; most likely a transcription error on the page.
ULONGLONG ValIDAccessmask;
// Local mirror of the kernel's service descriptor table layout. Only
// ServiceTableBase is read in this file (GetSSDTFunAddress64). All fields are
// 8 bytes wide, i.e. an x64 build is assumed (consistent with __readmsr and
// the 64-bit pointer arithmetic below). The real kernel layout is
// undocumented and version-dependent; nothing here verifies it.
typedef struct _SYSTEM_SERVICE_TABLE
{
PVOID ServiceTableBase;        // base of the packed 32-bit entry table
PVOID ServiceCounterTableBase; // unused here
ULONGLONG NumberOfServices;    // unused here (no bounds check is done against it)
PVOID ParamTableBase;          // unused here
}SYSTEM_SERVICE_TABLE,*PSYSTEM_SERVICE_TABLE;
// Reads the system-call entry address from MSR 0xC0000082 and byte-scans the
// first 500 bytes of that code for the sequence 4C 8D 15; the 4 bytes that
// follow are taken as a RIP-relative displacement and added to the address
// of the byte after a 7-byte instruction. Returns that computed address, or
// 0 (after a KdPrint) when the pattern is not found within the window.
// Review notes:
//  - The __asm block is empty (every line inside it is commented out), but
//    MSVC does not support __asm at all in x64 builds, so as written this
//    does not compile for the target the rest of the file assumes.
//  - templong is ULONG: a negative displacement is zero-extended rather than
//    sign-extended before the add, so a backward reference yields a wrong
//    address. Whether that case occurs is not something this file shows.
//  - MmIsAddressValid is checked only for i, i+1, i+2; the memcpy then reads
//    i+3..i+6 with no check. MmIsAddressValid is also documented as unreliable
//    (the page state can change between the check and the read).
//  - A raw code-signature scan is tied to one specific kernel build; on any
//    other build it returns 0 or a bogus address, and the callers below
//    dereference the result without checking it.
//  - KdPrint formats a 64-bit pointer with %x; %p is the matching specifier.
ULONGLONG MyGetKeServiceDescriptorTable64 ()
{
//LARGE_INTEGER addr;
__asm
{
// mov ecx, 0xC0000082;
//rdmsr
// mov addr.LowPart,eax
//mov addr.HighPart,edx
}
PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082);
PUCHAR EndSearchAddress = StartSearchAddress+ 500; // fixed 500-byte window
PUCHAR i= NULL;
UCHAR b1=0,b2=0,b3=0;
ULONG templong=0; // displacement; see sign-extension note above
ULONGLONG addr = 0;
for (i = StartSearchAddress;i<EndSearchAddress;i++)
{
if(MmIsAddressValid(i)&& MmIsAddressValid(i+1)&&MmIsAddressValid(i+2))
{
b1=*i;
b2 = *(i+1);
b3 = *(i+2);
if(b1 == 0x4c&& b2 == 0x8d && b3 == 0x15)
{
memcpy(&templong,i+3,4); // bytes i+3..i+6 not covered by the check above
addr = (ULONGLONG)templong + (ULONGLONG)i+7; // i+7 = end of the 7-byte instruction
return addr;
}
}
}
KdPrint(("==%x",StartSearchAddress)); // only reached when nothing matched
return 0;
}
// Resolves one service-table entry: reads the 32-bit packed entry at index
// 144 of ServiceTableBase, shifts it right by 4 (the low nibble is presumed
// to hold per-entry metadata — not shown here) and adds the signed result to
// ServiceTableBase. Returns the resulting address.
// Review notes:
//  - The return of MyGetKeServiceDescriptorTable64 is not checked; on its 0
//    path ssdt is NULL and ssdt->ServiceTableBase faults in kernel mode.
//  - 144 is a hard-coded service index with no symbolic name. System-call
//    numbers differ between Windows builds, so on another build this
//    silently resolves a different routine.
//  - No bounds check against NumberOfServices before indexing.
//  - dwtemp is a signed LONG; right-shifting a negative value is
//    implementation-defined in C (arithmetic on MSVC), and the sign-preserving
//    add on the last line relies on that.
ULONGLONG GetSSDTFunAddress64()
{
LONG dwtemp = 0;
ULONGLONG qwtemp=0,stb=0,ret=0;
PSYSTEM_SERVICE_TABLE ssdt = (PSYSTEM_SERVICE_TABLE)MyGetKeServiceDescriptorTable64();
stb = (ULONGLONG)(ssdt->ServiceTableBase); // NULL deref if lookup failed
qwtemp = stb + 4 * 144 ; // 4-byte entries, hard-coded index
dwtemp = *(PLONG)qwtemp;
dwtemp = dwtemp >> 4; // signed shift, see note above
ret = stb +(LONG64)dwtemp;
return ret;
}
// Starting 0x7c bytes into the routine resolved by GetSSDTFunAddress64,
// reads the 4 bytes at offsets +3..+6 one at a time (reassembled
// little-endian in savehex) as a 32-bit displacement, adds the low 32 bits
// of readp + 7, and splices the 32-bit sum under readp's upper 32 bits.
// Returns that reconstructed address. Nothing along the way is validated.
// Review notes:
//  - debugobjectaddress is ULONG, so the displacement + address sum is done
//    in 32 bits and then re-extended with readp's high half; this assumes the
//    target lies in the same 4 GiB window as readp and silently breaks if not.
//  - "(ULONGLONG) result = ..." casts the left side of an assignment. That is
//    not valid standard C (an lvalue is required) and is at best a no-op;
//    it should be a plain assignment.
//  - Filling savehex byte by byte and reading it back through *(ULONG*) is a
//    type-pun; memcpy into a 32-bit integer is the portable form.
//  - 0x7c is a hard-coded offset into one kernel build's code; on any other
//    build it reads arbitrary bytes. The GetSSDTFunAddress64 result is not
//    checked either.
//  - KdPrint specifiers do not match their arguments: the first passes a
//    ULONGLONG to %p, the second passes a 32-bit ULONG to %p.
ULONGLONG readpoint()
{
ULONGLONG readp,result;
UCHAR savehex[4];
ULONG debugobjectaddress; // 32-bit; see truncation note above
readp =GetSSDTFunAddress64()+0x7c;
KdPrint(("==%p",readp));
savehex[3] = *(UCHAR*)(readp+6);
savehex[2] = *(UCHAR*)(readp+5);
savehex[1] = *(UCHAR*)(readp+4);
savehex[0] = *(UCHAR*)(readp+3);
debugobjectaddress = *(ULONG*)savehex +(ULONG)readp+7 ; // 32-bit arithmetic
KdPrint(("%p",debugobjectaddress));
(ULONGLONG) result =(ULONGLONG)( readp&0xffffffff00000000) + (ULONGLONG)debugobjectaddress; // cast-as-lvalue, see note
KdPrint(("hex==%x",*(ULONG*)savehex));
return result;
}
// Timer DPC (runs at DISPATCH_LEVEL). Stores the 32-bit constant 0x1F000F
// through the address held in Validaccessmask, logs what is read back, and
// re-arms PassObjTimer with the same due time so the store repeats every
// interval until KeCancelTimer is called. If the store raises an exception
// the timer is cancelled and the DPC returns without re-arming.
// Review notes:
//  - __except(1) is EXCEPTION_EXECUTE_HANDLER written as a magic number.
//  - SEH is a weaker safety net here than it looks: a fault on a paged or
//    unmapped kernel address at DISPATCH_LEVEL bugchecks rather than reaching
//    the __except block.
//  - The store is a ULONG write, but the KdPrint reads back a ULONGLONG and
//    formats it with %x — 8 bytes printed as if they were 4.
//  - Dpc, DeferredContext, SystemArgument1 and SystemArgument2 are unused
//    (warning C4100 at /W4); UNREFERENCED_PARAMETER is the WDK idiom.
//  - "Validaccessmask" does not match the file-scope declaration
//    "ValIDAccessmask" above.
//  - Defender's view: a driver that rewrites a kernel-internal field from a
//    periodic DPC (the name suggests an object type's access-mask field) is
//    the class of kernel-structure tampering that kernel integrity
//    protections exist to detect; how protected systems react to this is not
//    something this file shows.
VOID RemoveVaildMaskObj(
__in struct _KDPC *Dpc,
__in_opt PVOID DeferredContext,
__in_opt PVOID SystemArgument1,
__in_opt PVOID SystemArgument2
)
{
__try
{
*((ULONG*)Validaccessmask) = 0x1F000F; // 4-byte store through a global address
//*((ULONG*)validaccessmask) = 0;
KdPrint(("Validaccessmask==%x",*(ULONGLONG*)Validaccessmask )); // reads 8 bytes, prints with %x
}
__except (1) // EXCEPTION_EXECUTE_HANDLER
{
KeCancelTimer(&PassObjTimer);
return;
}
KeSetTimer(&PassObjTimer, PassObjTime, &PassObjDpc); // re-arm: makes this periodic
return;
}
// Computes the address the DPC will write through and starts the timer.
// readpoint() yields an address; the 8 bytes there are read as a pointer and
// 0x40 + 0x1c is added to reach the target field. The timer is armed with a
// relative due time of -10000 * 100 (100 ms in 100 ns units) and re-armed by
// the DPC itself, so this effectively starts a 100 ms periodic write that
// only UnPassObjectMask stops.
// Review notes:
//  - The result of readpoint() (and of MyGetKeServiceDescriptorTable64 under
//    it) is never checked; 0 or a garbage address is dereferenced right here.
//  - 0x40 and 0x1c are build-specific structure offsets with no symbolic
//    name; nothing verifies that the field reached is the one intended.
//  - The name says "Recovery", but this installs the timer that overwrites
//    the field; the inverse operation is UnPassObjectMask.
//  - Uses "Validaccessmask" while the declaration above is "ValIDAccessmask".
//  - The KdPrint formats a ULONGLONG with %x.
VOID RecoveryValidAccessMask()
{
ULONGLONG resultaddress = readpoint(); // unchecked
Validaccessmask = *(ULONGLONG*)resultaddress +0x40 +0x1c ; // deref, then hard-coded offsets
KdPrint(("Validaccessmask==%x",*(ULONGLONG*)Validaccessmask ));
PassObjTime.QuadPart = -10000 * 100; // relative 100 ms
KeInitializeTimer(&PassObjTimer);
KeInitializeDpc(&PassObjDpc, &RemoveVaildMaskObj, NULL);
KeSetTimer(&PassObjTimer, PassObjTime, &PassObjDpc);
}
/* Stops the periodic DPC by cancelling PassObjTimer. KeCancelTimer's return
 * value (whether a pending timer was actually dequeued) is of no use to the
 * callers in this file, so it is explicitly discarded. Note that
 * KeCancelTimer does not wait for a DPC that is already executing. */
VOID UnPassObjectMask()
{
(VOID)KeCancelTimer(&PassObjTimer);
}
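/* DriverUnload callback registered from DriverEntry. Cancels the periodic
 * timer via UnPassObjectMask; presumably so the DPC is not left queued
 * against an image that is about to be unmapped. A DPC already executing
 * at this moment is not waited for. pDriverObject is required by the
 * DRIVER_UNLOAD signature but unused here; it is voided so /W4 builds stay
 * free of the unused-parameter warning. */
VOID Unload(PDRIVER_OBJECT pDriverObject)
{
(void)pDriverObject;
UnPassObjectMask();
}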
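/* Driver entry point. Runs RecoveryValidAccessMask (which resolves the
 * target address and starts the periodic DPC) before the unload routine is
 * registered, then returns STATUS_SUCCESS unconditionally.
 * Reg_Path is unused; it is voided to avoid the /W4 unused-parameter warning.
 * Review notes: RecoveryValidAccessMask cannot report failure (it returns
 * VOID and checks nothing), so a bad address lookup is not reflected in the
 * return status, and the driver still loads with a timer armed against an
 * unverified address. If RecoveryValidAccessMask faults, DriverUnload has not
 * been set yet. */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING Reg_Path)
{
(void)Reg_Path;
RecoveryValidAccessMask();
pDriverObject->DriverUnload = Unload;
return STATUS_SUCCESS;
}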