撒旦飞洒地方
谢谢楼主分享
:)谢谢分享
看看效果咋样
//这是为了HOOK原来的ntos,转到新的os中
VOID (WINAPI *DUMMYFUCK )(INPVOID Object);
// VOID (WINAPI *PspUserThreadStartup )(INPVOID Object);
// VOID (WINAPI *PspSystemThreadStartup )(INPVOID Object);
HX_DYNC_FUNCTION dync_Old2New[]={
DECL_DYNCFUN_HOOK_Old2New(PspUserThreadStartup),
DECL_DYNCFUN_HOOK_Old2New(PspSystemThreadStartup),
DECL_DYNCFUN_HOOK_Old2New(ObCloseHandle),
DECL_DYNCFUN_HOOK_Old2New(PspProcessDelete),
DECL_DYNCFUN_HOOK_Old2New(pIofCallDriver),
DECL_DYNCFUN_HOOK_Old2New(KiTrap03),
DECL_DYNCFUN_HOOK_Old2New(ObpCreateHandle),//为了跳过ObCheckObjectAccess
/*
kd> dps nt!pIofCallDriver l8
8054c400804eedc8 nt!IopfCallDriver//就搞这个。归类到fengyue驱动去
8054c404804f12c0 nt!IopfCompleteRequest
8054c408804f0a00 nt!IopAllocateIrpPrivate
8054c40c804ef0e6 nt!IopFreeIrp
8054c41000000000
8054c41400000000
*/
//DECL_DYNCFUN_HOOK_Old2New(KeStackAttachProcess),
//DECL_DYNCFUN_HOOK_Old2New(KeAttachProcess),
};
//这个需要另外HOOK的函数 ,old os 中的,把这些不经过hookport的转到自己的实现中
HX_DYNC_FUNCTION dync_funs_hook[]={
DECL_DYNCFUN_HOOK(DbgkCreateThread),
DECL_DYNCFUN_HOOK(DbgkExitThread),
DECL_DYNCFUN_HOOK(DbgkExitProcess),
DECL_DYNCFUN_HOOK(DbgkMapViewOfSection),
DECL_DYNCFUN_HOOK(DbgkpMarkProcessPeb),
//DECL_DYNCFUN_HOOK(NtCreateDebugObject),
DECL_DYNCFUN_HOOK(DbgkForwardException),
//DECL_DYNCFUN_HOOK(KiDispatchException),
//使用强大的特征码直接patch KiDispatchException中比较debugport部分
//s -b 804d8000 806ce100 64 A1 24 01 00 00 8B 4044 39 B8 BC 00 00 00
};
//这是实现自己分发函数需要用到的
HX_DYNC_FUNCTION dync_funs[]={
DECL_DYNCFUN(KeUserExceptionDispatcher),
DECL_DYNCFUN(KeI386XMMIPresent),
DECL_DYNCFUN(PsImageNotifyEnabled),
DECL_DYNCFUN(PsNtDllPathName),
DECL_DYNCFUN(KeFeatureBits),
DECL_DYNCFUN(PsSystemDllBase),
DECL_DYNCFUN(PsGetNextProcess),
DECL_DYNCFUN(PsGetNextProcessThread),
:lol支持lz
:( sadsadsadsad
我来学习学习
看看效果咋样
这个必须拿走