不废话，直接放码。
补充代码有网了：【分享】x64 antidebug 不触发 PG — http://bbs.pediy.com/showthread.php?p=1385028#post1385028
有个 BUG：如果移出的目标有线程退出，那么我的系统线程就挂了，目测是枚举函数的问题。
这个我就不解决了，退出不蓝屏。
因为有了新的解决办法，这个就扔掉了。
#include"ntddk.h"
#include"commonfunc.h"
// Offset of EPROCESS.ImageFileName on the author's kernel build (appears to be
// Windows 7 x64 -- TODO confirm). Every hard-coded offset in this file is
// build-specific and is never validated against the running kernel.
#define IMAGE_FILENAME_OFFSET 0x2e0
VOID startthread();
VOID stopthread();
KEVENT event;                 // signalled by clearDEBUGTOOL when its loop ends; waited on in unprotectprocessforpspcidtable
HANDLE systemthreadhandle;    // handle returned by PsCreateSystemThread (see startthread/stopthread)
KTIMER cleartimer = {0};      // DPC-timer variant of the clearing loop (startdpc); not used by protectprocessforpspcidtable
KDPC cleardpc = {0};
BOOLEAN REMOVING = FALSE;     // raised by the exit callbacks while they restore a table entry; polled by clearDEBUGTOOL without synchronisation
/*
 * Local mirror of the kernel's handle-table entry; PspCidTable is a table of
 * these. The driver reads GrantedAccess and Value: Value carries the object
 * pointer with flag bits in its low 3 bits (masked with ~7 in
 * removdebugtoolhandle), and writing 0 over it makes the PID/TID unresolvable.
 * NOTE(review): the layout is the author's for one x64 build and is never
 * checked against the running kernel; anonymous unions/structs need C11 or the
 * MS extension, and _PADDING is a reserved identifier.
 */
typedef struct _HANDLE_TABLE_ENTRY {
    union {
        VOID *Object;
        ULONG32 ObAttributes;
        PVOID64 InfoTable;
        ULONG64 Value;
    };
    union {
        ULONG32 GrantedAccess;
        struct {
            UINT16 GrantedAccessIndex;
            UINT16 CreatorBackTraceIndex;
            UINT8 _PADDING[0x4];
        };
        ULONG32 NextFreeTableEntry;
    };
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
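/*
 * One record per PspCidTable entry the enumeration flagged, kept in a doubly
 * linked list whose dummy head node is created by createlist().
 *
 * Fix: `address` was declared `struct HANDLE_TABLE_ENTRY *`. HANDLE_TABLE_ENTRY
 * is the typedef name, not the struct tag (_HANDLE_TABLE_ENTRY), so that was a
 * pointer to an unrelated incomplete type and every assignment to/from it
 * (insertlist, callback, callback2) was an incompatible-pointer conversion.
 */
typedef struct _save_handlentry {
    struct _save_handlentry *head;   // previous node (NULL on the dummy head)
    PVOID id;                        // PID/TID reported for the entry; lookup key for querylist
    char processname[17];            // up to 16 name bytes plus terminator
    ULONG64 value;                   // original HANDLE_TABLE_ENTRY.Value, restored by the exit callbacks
    ULONG32 GrantedAccess;           // original GrantedAccess (saved; its restore is commented out in the callbacks)
    PHANDLE_TABLE_ENTRY address;     // the table slot itself, so Value can be rewritten later
    struct _save_handlentry *next;   // next node
} _save_handlentry, *p_save_handlentry;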
// Pattern scanner defined in commonfunc.h (not part of this listing). Presumably
// scans forward from uAddress for the Signature bytes and returns the address the
// matching instruction refers to, with addopcodelength/addopcodedatasize giving
// the operand position and width within the match -- TODO confirm against commonfunc.h.
ULONG64 SreachFunctionAddress(ULONG64 uAddress, UCHAR *Signature, ULONG addopcodelength, ULONG addopcodedatasize);
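/*
 * Create a new list: a dummy head node followed by one payload node whose
 * name is processname (the only caller passes "system").
 *
 * Returns the head node, or NULL if either NonPagedPool allocation fails.
 * Nodes are freed with ExFreePool (see deletelist); the caller owns the list.
 *
 * Fixes over the original:
 *  - ExAllocatePool results were dereferenced without a NULL check.
 *  - the name was memcpy'd as 16 bytes regardless of its length, which reads
 *    past the end of the 7-byte literal "system"; the copy is now bounded by
 *    the terminator and processname[16] is always written.
 *  - the payload node's back pointer is set to the head (it was NULL, which
 *    made deletelist refuse to unlink that node).
 *  - every field of both nodes is initialised (pool memory is not zeroed).
 */
p_save_handlentry createlist(char *processname)
{
    ULONG i;
    p_save_handlentry phead;
    p_save_handlentry pnew;

    phead = (p_save_handlentry)ExAllocatePool(NonPagedPool, sizeof(_save_handlentry));
    if (phead == NULL)
        return NULL;
    phead->head = NULL;
    phead->next = NULL;
    phead->id = 0;
    phead->value = 0;
    phead->GrantedAccess = 0;
    phead->address = 0;
    phead->processname[0] = '\0';

    pnew = (p_save_handlentry)ExAllocatePool(NonPagedPool, sizeof(_save_handlentry));
    if (pnew == NULL) {
        ExFreePool(phead);
        return NULL;
    }
    // bounded copy: at most 16 bytes, stops at the terminator, always terminates
    for (i = 0; processname != NULL && i < 16 && processname[i] != '\0'; i++)
        pnew->processname[i] = processname[i];
    pnew->processname[i] = '\0';
    pnew->address = 0;
    pnew->id = 0;
    pnew->value = 0;
    pnew->GrantedAccess = 0;
    pnew->head = phead;
    pnew->next = NULL;

    phead->next = pnew;
    return phead;
}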
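// Append a node to the list.
/*
 * Record one flagged PspCidTable entry at the tail of the list headed by phead.
 *   processname   - up to 16 bytes of name (copied, bounded, terminated)
 *   GrantedAccess - the entry's GrantedAccess at the time it was seen
 *   value         - the entry's Value (object pointer + flag bits), restored on exit
 *   id            - PID/TID used as the lookup key
 *   adress        - the table slot, so Value can be rewritten later
 *   phead         - list head from createlist()
 * Returns the new node, or NULL if phead is NULL or the allocation fails
 * (callers currently ignore the result).
 *
 * Fixes over the original: the tail walk started at phead->next and
 * dereferenced it unconditionally, so an empty list was a NULL dereference;
 * the allocation was not checked; the 16-byte memcpy left processname[16]
 * uninitialised. Note the name is copied from whatever pointer the caller
 * passes -- removdebugtoolhandle passes an EPROCESS/ETHREAD offset, not a
 * C string, so the copy is bounded at 16 bytes either way.
 */
p_save_handlentry insertlist(char *processname, ULONG GrantedAccess, ULONG64 value, PVOID id, PHANDLE_TABLE_ENTRY adress, p_save_handlentry phead)
{
    ULONG i;
    p_save_handlentry tail;
    p_save_handlentry pnew;

    if (phead == NULL)
        return NULL;
    tail = phead;
    while (tail->next != NULL)
        tail = tail->next;

    pnew = (p_save_handlentry)ExAllocatePool(NonPagedPool, sizeof(_save_handlentry));
    if (pnew == NULL)
        return NULL;
    for (i = 0; processname != NULL && i < 16 && processname[i] != '\0'; i++)
        pnew->processname[i] = processname[i];
    pnew->processname[i] = '\0';
    pnew->GrantedAccess = GrantedAccess;
    pnew->id = id;
    pnew->value = value;
    pnew->address = adress;
    pnew->next = NULL;
    pnew->head = tail;
    tail->next = pnew;
    return pnew;
}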
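/*
 * Find the first node after the head whose id equals `id`; NULL if none
 * (or if phead is NULL). Nodes are never removed by the callers (deletelist is
 * commented out), so after a PID/TID is reused this returns the stale, older
 * node first.
 *
 * Fix: `id` is stored as PVOID but compared against a ULONG64; the original
 * compared pointer with integer directly (a constraint violation in C). The
 * stored pointer is now converted through ULONG_PTR before the comparison.
 */
p_save_handlentry querylist(p_save_handlentry phead, ULONG64 id)
{
    p_save_handlentry p;

    if (phead == NULL)
        return NULL;
    for (p = phead->next; p != NULL; p = p->next) {
        if ((ULONG64)(ULONG_PTR)p->id == id)
            return p;
    }
    return NULL;
}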
// Unlink and free one node.
/*
 * Remove pclid from its list and release it. A node with no back pointer
 * (the dummy head, or the payload node createlist leaves with head == NULL)
 * is left untouched and NOT freed -- same as the original. Currently no
 * live caller: both calls in the exit callbacks are commented out.
 */
void deletelist(p_save_handlentry pclid)
{
    p_save_handlentry prev;
    p_save_handlentry succ;

    if (pclid->head == NULL)
        return;

    prev = pclid->head;
    succ = pclid->next;
    prev->next = succ;          // also covers the tail case (succ == NULL)
    if (succ != NULL)
        succ->head = prev;
    ExFreePool(pclid);
}
// Signature of the internal handle-table enumerator located by
// getenumhandletablefunc(): (table, per-entry callback, opaque argument). The
// callback receives (entry, id, argument) -- see removdebugtoolhandle.
typedef NTSTATUS (__fastcall *pfnEnumObjectTable)(PVOID64 HANDLETABLE, PVOID CALLback, ULONG64 unKonw);
// Kernel routines used below, declared by hand (presumably not in the headers the author had).
NTKERNELAPI CHAR* PsGetProcessImageFileName(PEPROCESS Process);   // short ANSI image name; the driver copies 16 bytes of it
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);
NTKERNELAPI NTSTATUS PsLookupThreadByThreadId(HANDLE Id, PETHREAD *Thread);
NTKERNELAPI PEPROCESS IoThreadToProcess(PETHREAD Thread);
pfnEnumObjectTable EnumObjectTablex = 0;;   // resolved lazily by getenumhandletablefunc(); the second ';' is a stray empty declaration
PVOID64 PspCidTable = 0;                    // likewise; stays 0 if the signature scan fails
/*
 * Resolve the two non-exported kernel internals this driver relies on:
 *   EnumObjectTablex - an internal handle-table enumerator, found by scanning
 *                      from the exported ObFindHandleForObject for the bytes in
 *                      opcode[] (mov [rsp+30h],ebp ; call rel32) and taking the
 *                      call target;
 *   PspCidTable      - found by scanning from the lookup routine for opcode1[]
 *                      and dereferencing the operand of the matching load.
 * Both byte patterns and the scanner offsets are tied to one specific kernel
 * build; on another build the scan yields garbage, or an address that
 * MmIsAddressValid happens to accept (it only proves the page is resident,
 * not that it is the intended object), and clearDEBUGTOOL's stores then
 * corrupt arbitrary kernel memory.
 *
 * NOTE(review): declared NTSTATUS but falls off the end without a return on
 * the normal path; the only `return state` reports STATUS_SUCCESS on the
 * failure path. Callers ignore the result anyway.
 * NOTE(review): `&sLookupProcessByProcessId` as posted names no declared
 * symbol -- presumably `&PsLookupProcessByProcessId` lost a character in the
 * paste. Confirm before building.
 * NOTE(review): temp64 (ULONG64) is passed to MmIsAddressValid, which takes a
 * PVOID, and RtlInitUnicodeString is given a UNICODE_STRING64 rather than a
 * UNICODE_STRING (same layout on x64, but a type mismatch).
 */
NTSTATUS getenumhandletablefunc()
{
    UCHAR opcode[5] = {0x89, 0x6c, 0x24, 0x30, 0xe8};
    UCHAR opcode1[5] = {0xdc, 0x48, 0x8b, 0xd1, 0x48};
    UNICODE_STRING64 ObFindHandleForObjectsign;
    ULONG64 temp64 = 0;
    NTSTATUS state = STATUS_SUCCESS;
    // the trailing text is the author's symbol-dump line for ObFindHandleForObject on their build (section PAGE, address/size):
    RtlInitUnicodeString(&ObFindHandleForObjectsign, L"ObFindHandleForObject");   // ObFindHandleForObjectPAGE0000000140319DB0000000B40000004800000028R......
    temp64 = (ULONG64)MmGetSystemRoutineAddress(&ObFindHandleForObjectsign);
    if (!MmIsAddressValid(temp64))
        return state;
    EnumObjectTablex = (pfnEnumObjectTable)SreachFunctionAddress(temp64, opcode, 1, 5);
    PspCidTable = (PVOID64)SreachFunctionAddress(&sLookupProcessByProcessId, opcode1, 3, 7);
    PspCidTable = *(PVOID64*)PspCidTable;   // the scan returned the address of the global; load its value
    if (!MmIsAddressValid(EnumObjectTablex) || !MmIsAddressValid(PspCidTable)) {
        // failure is only logged; the globals keep whatever the scan produced
        DbgPrint("cantgetEnumObjectTablexorPspCidTable\n");
    }
    DbgPrint("Supergameprotectstart~\n");
}
p_save_handlentry mainphead = NULL;    // list of flagged PspCidTable entries, keyed by PID/TID (see createlist/insertlist)
PVOID64 psidprocessobject = 0;         // address of the Value field of the most recently flagged process entry, or 0
PVOID64 pscidkthreadbject = 0;         // same for the most recently flagged thread entry
ULONG64 passmaska = TRUE;              // keep-running flag for clearDEBUGTOOL; cleared by unprotectprocessforpspcidtable (no synchronisation)
#define de_o -10                       // 10 x 100 ns = 1 us, negative = relative time
#define de_s de_o*1000                 // 1 ms; NOTE: unparenthesised, `x * de_s` expands to x * -10 * 1000
LARGE_INTEGER myxx;                    // delay between passes, set in clearDEBUGTOOL
/*
 * Body of the system thread created by startthread(). Every 2 s it runs one
 * PspCidTable pass (enumtable(2)), then writes 0 over the one process entry and
 * the one thread entry the pass flagged last, so lookups by that PID/TID fail.
 * Loops until passmaska is cleared by unprotectprocessforpspcidtable(), then
 * signals `event`.
 *
 * NOTE(review): the stores into the handle table use no lock, no interlocked
 * op and no check that the slot still holds the object seen during the pass;
 * the kernel owns that table and may free or reuse the slot in between (the
 * author's note on the post reports a hang when a target thread exits).
 * NOTE(review): passmaska and REMOVING are plain globals polled here and
 * written from callbacks/unload without barriers; REMOVING only skips a pass
 * that has not started yet, it cannot stop a store already in flight.
 * NOTE(review): enumtable has no prototype before this point (implicit
 * declaration) and `2` is passed where a PHANDLE is expected.
 * NOTE(review): a PsCreateSystemThread start routine is expected to end in
 * PsTerminateSystemThread; this one returns after KeSetEvent, and KeSetEvent's
 * Wait = TRUE promises an immediate KeWait* that never follows.
 */
VOID clearDEBUGTOOL()
{
    myxx.QuadPart = de_s;          // -1 ms relative ...
    myxx.QuadPart *= 2000;         // ... x2000 = 2 s between passes
    while (passmaska == TRUE)
    {
        KeDelayExecutionThread(KernelMode, 0, &myxx);
        if (REMOVING)              // an exit callback is restoring an entry right now
            continue;
        enumtable(2);              // refreshes psidprocessobject / pscidkthreadbject
        if (psidprocessobject != 0) {
            DbgPrint("clearpsidprocessobject%p", *(ULONG64*)psidprocessobject);
            *(ULONG64*)psidprocessobject = 0;    // unsynchronised write into PspCidTable
            DbgPrint("clearpsidprocessobject%p", *(ULONG64*)psidprocessobject);
            psidprocessobject = 0;
        }
        DbgPrint("clearing...");
        if (pscidkthreadbject != 0) {
            DbgPrint("clearpscidkthreadbject%p", *(ULONG64*)pscidkthreadbject);
            *(ULONG64*)pscidkthreadbject = 0;    // unsynchronised write into PspCidTable
            DbgPrint("clearpscidkthreadbject%p", *(ULONG64*)pscidkthreadbject);
            pscidkthreadbject = 0;
        }
        continue;
    }
    DbgPrint("ending...");
    KeSetEvent(&event, 0, TRUE);
}
/*
 * Per-entry callback passed to EnumObjectTablex while it walks PspCidTable.
 *   object - the table entry; Value holds the object pointer with flag bits in
 *            its low 3 bits
 *   handle - the id (PID/TID) the enumerator reports for this entry; stored as
 *            the list key so the exit callbacks can find the entry again
 *   Unkonw - the opaque argument from enumtable/removepspcidtabl; unused
 * Process objects (type index 7) whose image name contains one of the three
 * debugger names, and thread objects (type index 8) owned by such a process,
 * are recorded in the list and in psidprocessobject/pscidkthreadbject for
 * clearDEBUGTOOL to zero. Always returns FALSE so enumeration continues.
 *
 * NOTE(review): -0x30 to the OBJECT_HEADER, +0x18 for the type index, and the
 * values 7/8 are for one specific x64 build (appears to be Windows 7) and are
 * never validated against the running kernel.
 * NOTE(review): the type index is read BEFORE MmIsAddressValid is consulted,
 * so an unmapped entry faults before the check; the check itself only says the
 * page is resident, not that it is an object.
 * NOTE(review): the globals are overwritten on every match, so only the last
 * process and last thread seen in a pass are cleared. PsGetProcessImageFileName
 * yields a short ANSI name; strstr against a multi-byte literal such as
 * "天网系统" depends on the source encoding and is at best a partial match.
 * NOTE(review): in the thread branch the name handed to insertlist is taken
 * from Pobject + IMAGE_FILENAME_OFFSET -- an offset into the ETHREAD, not into
 * the owning process (tempprocess) -- so the stored name is garbage there.
 * NOTE(review): Pobject (ULONG64) is passed where PEPROCESS/PETHREAD pointers
 * are expected, and paddress is assigned but never used.
 */
BOOLEAN removdebugtoolhandle(PHANDLE_TABLE_ENTRY object, PHANDLE handle, ULONG64 Unkonw)
{
    ULONG64 Pobject;
    ULONG64 object_header;
    ULONG32 object_type;
    p_save_handlentry paddress;
    Pobject = (object->Value) & ~7;                           // strip the low flag bits
    object_header = Pobject - 0x30;                           // get object header (build-specific)
    object_type = (ULONG32)*(UINT8*)(object_header + 0x18);   // OBJECT_HEADER type index of the PspCidTable object -- read before the validity check below
    if (!MmIsAddressValid(Pobject))
    {
        return FALSE;   // original comment: "is true"
    }
    if (object_type == 7) {   // process
        if (strstr(PsGetProcessImageFileName(Pobject), "天网系统") != NULL || strstr(PsGetProcessImageFileName(Pobject), "cheatengine") != NULL || strstr(PsGetProcessImageFileName(Pobject), "ollyice") != NULL) {
            paddress = insertlist(Pobject + IMAGE_FILENAME_OFFSET, object->GrantedAccess, object->Value, handle, &object->Value, mainphead);
            DbgPrint("processislook~");
            psidprocessobject = &object->Value;   // cleared by clearDEBUGTOOL on its next pass
        }
        return FALSE;
    }
    if (object_type == 8) {   // thread
        ULONG64 tempprocess;
        tempprocess = IoThreadToProcess(Pobject);
        if (strstr(PsGetProcessImageFileName(tempprocess), "天网系统") != NULL || strstr(PsGetProcessImageFileName(tempprocess), "cheatengine") != NULL || strstr(PsGetProcessImageFileName(tempprocess), "ollyice") != NULL) {
            DbgPrint("threadislook~");
            paddress = insertlist(Pobject + IMAGE_FILENAME_OFFSET, object->GrantedAccess, object->Value, handle, &object->Value, mainphead);   // see NOTE: offset into the ETHREAD, not the process
            pscidkthreadbject = &object->Value;
        }
        return FALSE;
    }
    return FALSE;
}
/*
 * Run one enumeration pass over PspCidTable with removdebugtoolhandle as the
 * callback, lazily resolving the kernel internals and creating the list on
 * first use. Same code as enumtable() apart from the parameter type; `p` is
 * only passed through as the enumerator's opaque third argument.
 * NOTE(review): declared BOOLEAN but returns nothing. EnumObjectTablex is
 * called even when getenumhandletablefunc() failed to resolve it (it is then
 * still 0), and the NTSTATUS it returns is discarded.
 */
BOOLEAN removepspcidtabl(HANDLE p)
{
    if (PspCidTable == 0 || EnumObjectTablex == 0) {
        getenumhandletablefunc();
    }
    if (mainphead == NULL) {
        mainphead = createlist("system");
    }
    EnumObjectTablex(PspCidTable, removdebugtoolhandle, p);
}
/*
 * Process create/exit notification registered by protectprocessforpspcidtable.
 * Only the exit case does anything: when the exiting process is one of the
 * three debuggers, the saved PspCidTable entry for `pid` is written back
 * (phdt->Value = saved value) so the kernel can still resolve the object during
 * teardown, then the clearing thread is "restarted". prid is unused.
 *
 * NOTE(review): declared as returning PCREATE_PROCESS_NOTIFY_ROUTINE (a
 * function-pointer type) and returns nothing; the routine type the API expects
 * is VOID (*)(HANDLE, HANDLE, BOOLEAN).
 * NOTE(review): the exiting process is identified through IoGetCurrentProcess()
 * rather than the pid argument, i.e. this relies on the notification running
 * in the exiting process's context; pid is used only as the list key.
 * NOTE(review): stopthread()/startthread() do not stop anything -- ZwClose only
 * releases the handle, clearDEBUGTOOL keeps looping, and a new clearing thread
 * is created on every debugger exit while `event` is re-initialised under the
 * old one.
 * NOTE(review): the list node is not removed (deletelist is commented out), so
 * a reused pid later matches the stale node first and its old Value is written
 * into a slot that may now belong to a different object.
 * NOTE(review): "%d" is used for tempsave->id, which is a PVOID; EPROCESS is a
 * ULONG64 holding a pointer.
 */
PCREATE_PROCESS_NOTIFY_ROUTINE callback(HANDLE prid, HANDLE pid, BOOLEAN create)
{
    ULONG64 EPROCESS;
    PHANDLE_TABLE_ENTRY phdt;
    p_save_handlentry tempsave;
    EPROCESS = IoGetCurrentProcess();
    if (!create && (strstr(PsGetProcessImageFileName(EPROCESS), "天网系统") != NULL || strstr(PsGetProcessImageFileName(EPROCESS), "cheatengine") != NULL || strstr(PsGetProcessImageFileName(EPROCESS), "ollyice") != NULL)) {
        REMOVING = TRUE;   // ask clearDEBUGTOOL to skip its next pass (no real synchronisation)
        tempsave = querylist(mainphead, pid);
        if (tempsave != 0) {
            phdt = tempsave->address;
            //phdt->GrantedAccess=tempsave->GrantedAccess;
            phdt->Value = tempsave->value;   // restore the entry so the exiting process stays resolvable
            DbgPrint("pid%dpt:%pphdt:%p", tempsave->id, tempsave->address, phdt->Object);
            //deletelist(tempsave);
            stopthread();
            startthread();
        }
        //ObDereferenceObject(leprocess);
        REMOVING = FALSE;
    }
}
/*
 * Thread create/exit notification registered by protectprocessforpspcidtable.
 * On exit of a thread whose current process is one of the debuggers, the saved
 * PspCidTable entry for `threadid` is written back and the clearing thread is
 * "restarted" (see callback: that restart is really a thread leak). processid
 * is unused; threadid is the list key.
 *
 * NOTE(review): same issues as callback -- non-void return type, "%d" on a
 * PVOID, stale nodes because deletelist is commented out, and a REMOVING flag
 * that cannot stop a store clearDEBUGTOOL has already started. The author's
 * note on the post reports a hang when a target thread exits; one candidate
 * visible here is clearDEBUGTOOL re-zeroing the entry between this restore and
 * the thread's own teardown, but that is inference, not something the listing
 * proves.
 */
PCREATE_THREAD_NOTIFY_ROUTINE callback2(HANDLE processid, HANDLE threadid, BOOLEAN create)
{
    ULONG64 EPROCESS;
    PHANDLE_TABLE_ENTRY phdt;
    p_save_handlentry tempsave;
    EPROCESS = IoGetCurrentProcess();
    if (!create && (strstr(PsGetProcessImageFileName(EPROCESS), "天网系统") != NULL || strstr(PsGetProcessImageFileName(EPROCESS), "cheatengine") != NULL || strstr(PsGetProcessImageFileName(EPROCESS), "ollyice") != NULL)) {
        REMOVING = TRUE;
        tempsave = querylist(mainphead, threadid);
        if (tempsave != 0) {
            phdt = tempsave->address;
            //phdt->GrantedAccess=tempsave->GrantedAccess;
            phdt->Value = tempsave->value;   // restore the thread's entry
            DbgPrint("tid%dpt:%pphdt:%p", tempsave->id, tempsave->address, phdt->Object);
            //deletelist(tempsave);
            stopthread();
            startthread();
        }
        REMOVING = FALSE;
    }
}
/*
 * (Re)initialise `event` and create the kernel thread that runs clearDEBUGTOOL.
 * Called once at startup and again from both exit callbacks.
 * NOTE(review): PsCreateSystemThread's NTSTATUS is ignored, and the previous
 * value of systemthreadhandle is overwritten; re-initialising a KEVENT that
 * unprotectprocessforpspcidtable may be waiting on is not safe.
 */
VOID startthread()
{
    KeInitializeEvent(
        &event,
        SynchronizationEvent,   // auto-reset event
        FALSE                   // start non-signalled; with TRUE the first KeWaitForSingleObject would pass straight through until KeResetEvent
        );
    PsCreateSystemThread(&systemthreadhandle, THREAD_ALL_ACCESS, NULL, NULL, NULL, clearDEBUGTOOL, NULL);
}
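/*
 * Release our handle to the clearing thread.
 * This does NOT stop the thread: ZwClose only drops the handle, and
 * clearDEBUGTOOL keeps looping until passmaska is cleared. The handle is
 * nulled after the close so a second call (or a call after a failed
 * PsCreateSystemThread left the old value in place) cannot close the same
 * handle twice.
 */
VOID stopthread()
{
    if (systemthreadhandle == NULL)
        return;
    ZwClose(systemthreadhandle);
    systemthreadhandle = NULL;
}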
/////////////////////////////////////
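/*
 * DPC routine for the timer-driven variant of the clearing loop (not used:
 * protectprocessforpspcidtable has startdpc() commented out). Runs one
 * PspCidTable pass via enumtable(2) and re-arms cleartimer for another 5 s,
 * so it keeps firing until stopdpc() cancels the timer.
 *
 * This path only records entries -- the zero stores live in clearDEBUGTOOL --
 * and it runs at DISPATCH_LEVEL, where the pool allocation and the
 * PsGetProcessImageFileName/strstr calls inside removdebugtoolhandle are only
 * safe if every page they touch is resident.
 *
 * Fixes: declarations moved ahead of the UNREFERENCED_PARAMETER expression
 * statements (the file is C; older MSVC rejects declarations after statements),
 * the unused KIRQL local dropped, the interval computed in signed arithmetic,
 * and the comment corrected: 5,000,000 us is 5 s, not 500 ms.
 */
VOID clearprocessinformationRoutine(
    _In_ struct _KDPC *Dpc,
    _In_opt_ PVOID DeferredContext,
    _In_opt_ PVOID SystemArgument1,
    _In_opt_ PVOID SystemArgument2
    )
{
    LARGE_INTEGER lTime = {0};
    ULONG ulMicroSecond = 5000000;   // 5,000,000 us = 5 s

    UNREFERENCED_PARAMETER(Dpc);
    UNREFERENCED_PARAMETER(DeferredContext);
    UNREFERENCED_PARAMETER(SystemArgument1);
    UNREFERENCED_PARAMETER(SystemArgument2);

    enumtable(2);   // no prototype above this point: implicit declaration, and 2 is passed as a PHANDLE

    // negative = relative due time, in 100-ns units; the cast keeps the product signed
    lTime = RtlConvertLongToLargeInteger(-10 * (LONG)ulMicroSecond);
    KeSetTimer(&cleartimer, lTime, &cleardpc);
}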
BOOLEAN bTimerStart = FALSE;   // timer-armed flag: set in startdpc(), consulted by stopdpc() before KeCancelTimer
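/*
 * Arm the DPC-timer variant of the clearing loop (currently not called --
 * protectprocessforpspcidtable uses the system thread instead): initialise
 * cleartimer/cleardpc and fire clearprocessinformationRoutine after 5 s; the
 * DPC re-arms itself from then on.
 *
 * Fix: KeSetTimer's BOOLEAN means "the timer was ALREADY queued", not "armed
 * successfully". The first call therefore returns FALSE, so the original left
 * bTimerStart FALSE and stopdpc() never cancelled the timer -- the DPC would
 * keep firing after unload. The flag is now set whenever the timer has been
 * armed, and the success message is printed unconditionally because
 * KeSetTimer cannot fail.
 */
VOID startdpc()
{
    LARGE_INTEGER lTime = {0};
    ULONG ulMicroSecond = 5000000;   // 5,000,000 us = 5 s (not 500 ms)

    KeInitializeTimer(&cleartimer);
    KeInitializeDpc(&cleardpc, clearprocessinformationRoutine, NULL);

    // negative = relative due time, in 100-ns units; the cast keeps the product signed
    lTime = RtlConvertLongToLargeInteger(-10 * (LONG)ulMicroSecond);
    (void)KeSetTimer(&cleartimer, lTime, &cleardpc);   // return value only reports a previously queued timer
    bTimerStart = TRUE;
    DbgPrint("定时器开启成功\n");
}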
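/*
 * Cancel the clearing timer if startdpc() armed it, and clear the flag so a
 * repeated call is a no-op.
 * NOTE(review): KeCancelTimer does not wait for a DPC that is already running,
 * and clearprocessinformationRoutine re-arms the timer from inside the DPC, so
 * a DPC in flight at this moment can queue it again after the cancel. Before
 * unload the DPC needs a stop flag it checks before re-arming, followed by
 * KeFlushQueuedDpcs.
 */
VOID stopdpc()
{
    if (!bTimerStart)
        return;
    KeCancelTimer(&cleartimer);
    bTimerStart = FALSE;
}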
//////////////////////////////////////////
/*
 * Driver-side entry point: create the bookkeeping list, register the process
 * and thread exit notifications, and start the clearing thread (the DPC timer
 * variant is left disabled).
 * NOTE(review): both PsSet* calls return an NTSTATUS that is ignored, so a
 * failed registration leaves unprotectprocessforpspcidtable() trying to remove
 * a routine that was never installed. callback/callback2 are declared with a
 * function-pointer return type, so they are not the routine type either API
 * expects.
 */
void protectprocessforpspcidtable()
{
    if (mainphead == NULL)
    {
        mainphead = createlist("system");
    }
    PsSetCreateProcessNotifyRoutine(callback, FALSE);   // FALSE = add
    PsSetCreateThreadNotifyRoutine(callback2);
    //startdpc();
    startthread();
}
/*
 * Unload-side teardown: tell the clearing thread to stop (passmaska = FALSE),
 * wait for it to signal `event`, then unregister both callbacks and close the
 * thread handle.
 * NOTE(review): the 0 passed as Timeout is a NULL PLARGE_INTEGER, i.e. wait
 * forever; with Alertable = TRUE the wait can also return early on an alert
 * with the thread still running.
 * NOTE(review): the callbacks are still registered during the wait, and each
 * exit callback calls startthread(), which re-initialises `event` under this
 * wait and spawns another clearing thread nobody waits for. Unregister first,
 * then wait.
 * NOTE(review): `event` is signalled as the last statement of clearDEBUGTOOL,
 * so the thread is still executing driver code when this returns; unloading
 * after that can unmap the image under it. Waiting on the thread object
 * (ObReferenceObjectByHandle + KeWaitForSingleObject) is the usual fix.
 * NOTE(review): the PspCidTable entries that were zeroed are not restored
 * here, so a debugger still running stays unresolvable after the driver is gone.
 */
void unprotectprocessforpspcidtable()
{
    passmaska = FALSE;
    KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, 0);
    PsSetCreateProcessNotifyRoutine(callback, TRUE);   // TRUE = remove
    PsRemoveCreateThreadNotifyRoutine(callback2);
    //stopdpc();
    stopthread();
}
/*
 * Run one enumeration pass over PspCidTable with removdebugtoolhandle as the
 * callback, lazily resolving the kernel internals and creating the list on
 * first use. Duplicate of removepspcidtabl() apart from the parameter type;
 * `handle` is only passed through as the enumerator's opaque third argument
 * (callers pass the integer 2).
 * NOTE(review): EnumObjectTablex is called even when getenumhandletablefunc()
 * failed to resolve it (it is then still 0), and its NTSTATUS is discarded.
 * Defined after its callers, so those calls are implicit declarations.
 */
void enumtable(PHANDLE handle)
{
    if (PspCidTable == 0 || EnumObjectTablex == 0) {
        getenumhandletablefunc();
    }
    if (mainphead == NULL) {
        mainphead = createlist("system");
    }
    EnumObjectTablex(PspCidTable, removdebugtoolhandle, handle);
}