- //////////////////////////////////////////////////////////////////////////
- // Function-pointer type with the NtCreateMutant/ZwCreateMutant system-service signature (x86 __stdcall).
- typedef NTSYSAPI NTSTATUS (__stdcall *ZWCREATEMUTANT)(
- OUT PHANDLE MutantHandle,
- IN ACCESS_MASK DesiredAccess,
- IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- IN BOOLEAN InitialOwner );
- // Whatever pointer sat in the SSDT slot when Pass_NtCreateMutant ran; MyZwCreateMutant forwards to it.
- ZWCREATEMUTANT OrgZwCreateMutant;
- // Suffix counter for the mutex-rename loop in MyZwCreateMutant (wraps at 20). Plain global, no synchronization.
- ULONG g_mutex_count=0;
- // SSDT replacement for NtCreateMutant (installed by Pass_NtCreateMutant, removed by UnDetour_NtCreateMutant).
- // Behaviour visible here: when the calling process image is "DragonNest.exe" and the requested mutex name is exactly
- // L"Global\\MutexDragonNest", the function returns STATUS_SUCCESS without calling the original service, so
- // *MutantHandle is never written and the caller sees an indeterminate handle value. Every other call, and any
- // call that raises an exception inside the __try, is forwarded unchanged to OrgZwCreateMutant.
- // Parameters and return value mirror NtCreateMutant. GetProcessNameFromEProc and dprintf are defined elsewhere;
- // argument 0 to GetProcessNameFromEProc presumably selects the current process — TODO confirm.
- NTSTATUS __stdcall MyZwCreateMutant(
- OUT PHANDLE MutantHandle,
- IN ACCESS_MASK DesiredAccess,
- IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- IN BOOLEAN InitialOwner )
- {
- PUNICODE_STRING p_mutex_name;
- UNICODE_STRING uni_count;
- WCHAR wzCount[3]; // unused
- UNICODE_STRING tmpunicodestring,tmpunicodestring1;
- OBJECT_ATTRIBUTES tmpobjatus;
- NTSTATUS nTstatus;
- __try
- {
- if (!strcmp(GetProcessNameFromEProc(0),"DragonNest.exe"))
- {
- if(ObjectAttributes==NULL)
- return OrgZwCreateMutant(MutantHandle,DesiredAccess,ObjectAttributes,InitialOwner);
- // ObjectAttributes/ObjectName originate in user mode and are read without ProbeForRead; the __except below is the only guard.
- p_mutex_name=ObjectAttributes->ObjectName;
- if(p_mutex_name )
- {
- if (p_mutex_name->Buffer)
- {
- // dprintf("mutex %S\n",p_mutex_name->Buffer);
- // NOTE(review): a UNICODE_STRING buffer is not required to be NUL-terminated; wcscmp may read past Length.
- if (!wcscmp(p_mutex_name->Buffer,L"Global\\MutexDragonNest"))
- {
- // return OrgZwCreateMutant(MutantHandle,DesiredAccess,ObjectAttributes,InitialOwner);
- dprintf("fack mutex!\n");
- return STATUS_SUCCESS;
- // DbgBreakPoint();
- // ---- Everything below up to the closing brace of this if-block is unreachable (follows an unconditional return). ----
- // It is an earlier strategy: call the original, and while it reports STATUS_OBJECT_NAME_EXISTS retry with the
- // name suffixed by g_mutex_count ("Global\\MutexDragonNest<n>"). Kept as-is; noted defects are listed inline.
- 
- nTstatus=OrgZwCreateMutant(MutantHandle,DesiredAccess,ObjectAttributes,InitialOwner);
- 
- while(1)
- {
- 
- if (nTstatus==STATUS_OBJECT_NAME_EXISTS)
- {
- dprintf("STATUS_OBJECT_NAME_EXISTS\n");
- g_mutex_count++;
- if(g_mutex_count==20) g_mutex_count=0;
- dprintf("g_mutex_count %d\n",g_mutex_count);
- // ExAllocatePool result is not NULL-checked; BUFFER_SIZE is defined elsewhere.
- uni_count.Buffer=(PWSTR)ExAllocatePool(PagedPool,BUFFER_SIZE);
- uni_count.MaximumLength=BUFFER_SIZE;
- nTstatus=RtlIntegerToUnicodeString(g_mutex_count,10,&uni_count);
- if (NT_SUCCESS(nTstatus))
- {
- dprintf("uni_count %wZ\n",uni_count);
- RtlInitUnicodeString(&tmpunicodestring1,L"Global\\MutexDragonNest");
- tmpunicodestring.Buffer=(PWSTR)ExAllocatePool(PagedPool,BUFFER_SIZE);
- tmpunicodestring.MaximumLength=BUFFER_SIZE;
- //wcscpy(tmpunicodestring.Buffer,L"Global\\MutexDragonNest");
- RtlCopyUnicodeString(&tmpunicodestring,&tmpunicodestring1);
- RtlAppendUnicodeStringToString(&tmpunicodestring,&uni_count);
- DbgPrint("tmpunicodestring %wZ\n",&tmpunicodestring);
- InitializeObjectAttributes(&tmpobjatus,&tmpunicodestring,ObjectAttributes->Attributes,
- ObjectAttributes->RootDirectory,ObjectAttributes->SecurityDescriptor);
- nTstatus=OrgZwCreateMutant(MutantHandle,DesiredAccess,&tmpobjatus,InitialOwner);
- dprintf("name %wZ\n",tmpobjatus.ObjectName);
- // NOTE(review): buffer came from ExAllocatePool but is released via RtlFreeUnicodeString — verify allocator pairing.
- RtlFreeUnicodeString(&tmpunicodestring);
- }
- else
- {
- dprintf("RtlIntegerToUnicodeString error!\n");
- }
- RtlFreeUnicodeString(&uni_count);
- // RtlInitUnicodeString(&uni_count,wzCount);
- }
- else
- {
- dprintf("CreateMutex sucess! Mutex name %S\n",p_mutex_name->Buffer);
- return nTstatus;
- }
- }
- 
- }
- }
- }
- }
- }
- // Catches every exception (filter value 1 == EXCEPTION_EXECUTE_HANDLER), logs, then falls through to pass-through.
- __except(1)
- {
- dprintf("MyZwCreateMutant error\n");
- }
- return OrgZwCreateMutant(MutantHandle,DesiredAccess,ObjectAttributes,InitialOwner);
- }
- // Installs MyZwCreateMutant into the 32-bit SSDT by overwriting slot 43 of the service table pointed to by
- // _KeServiceDescriptorTable (defined elsewhere). The index is hard-coded and OS-build-specific; it is assumed to be
- // NtCreateMutant's slot on the target build — TODO confirm. The previous entry is saved in OrgZwCreateMutant.
- // WPOFF/WPON are defined elsewhere (presumably they toggle write protection for the page). Raising IRQL to
- // DISPATCH_LEVEL only affects the current CPU; the table write is not serialized against other processors.
- // Returns 1 unconditionally; nothing here can report failure.
- ULONG Pass_NtCreateMutant()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 43 * 4;
- (ULONG)OrgZwCreateMutant = *(ULONG*)Address; // save the original entry (cast on an lvalue is an MSVC extension)
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)MyZwCreateMutant; //HOOK SSDT
- KeLowerIrql(oldIrql);
- WPON();
- return 1;
- }
- // Un-patch: restores the SSDT slot written by Pass_NtCreateMutant; intended to run during driver unload.
- // Writes OrgZwCreateMutant back unconditionally — it does not verify that the slot still holds MyZwCreateMutant,
- // so a hook installed on top by someone else would be silently overwritten. Same index/WP/IRQL caveats as Pass_.
- VOID UnDetour_NtCreateMutant()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 43 * 4;
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)OrgZwCreateMutant; // restore original SSDT entry
- KeLowerIrql(oldIrql);
- WPON();
- }
- //////////////////////////////////////////////////////////////////////////
- // Function-pointer type for NtQuerySystemInformation. No explicit calling convention, unlike ZWCREATEMUTANT
- // above; relies on the project's default convention matching the kernel's — TODO confirm.
- typedef NTSTATUS (*NTQUERYSYSTEMINFORMATION)
- (
- ULONG SystemInformationCLass,
- PVOID SystemInformation,
- ULONG SystemInformationLength,
- PULONG ReturnLength
- );
- // Saved SSDT entry for NtQuerySystemInformation (filled by Pass_NtQuerySystemInformation).
- NTQUERYSYSTEMINFORMATION OldNtQuerySystemInformation;
- // Local copy of the public (reserved-field) SYSTEM_BASIC_INFORMATION layout. Not referenced anywhere in this listing.
- typedef struct _SYSTEM_BASIC_INFORMATION {
- BYTE Reserved1[24];
- PVOID Reserved2[4];
- CCHAR NumberOfProcessors;
- } SYSTEM_BASIC_INFORMATION;
- // SSDT replacement for NtQuerySystemInformation. Calls the original first, then — only when the caller is
- // "DragonNest.exe" or "dnlauncher.exe", the call succeeded and the class is 5 (SystemProcessInformation) — walks the
- // returned _SYSTEM_PROCESSES chain and unlinks every entry named "DragonNest.exe" (other than the caller itself)
- // or "dnlauncher.exe" by folding its NextEntryDelta into the previous entry. Returns the original's status.
- // Parameters mirror NtQuerySystemInformation. The struct _SYSTEM_PROCESSES layout is defined elsewhere.
- // The returned buffer is user memory and is walked without probing; no __try protects this function.
- NTSTATUS NewNtQuerySystemInformation(
- IN ULONG SystemInformationClass,
- IN PVOID SystemInformation,
- IN ULONG SystemInformationLength,
- OUT PULONG ReturnLength)
- {
- NTSTATUS ntStatus;
- UNICODE_STRING gamename;
- UNICODE_STRING launchername;
- ntStatus = OldNtQuerySystemInformation(
- SystemInformationClass,
- SystemInformation,
- SystemInformationLength,
- ReturnLength );
- // Case-insensitive here, whereas MyZwCreateMutant uses strcmp for the same image name.
- if (!_stricmp(GetProcessNameFromEProc(0),"DragonNest.exe") || !_stricmp(GetProcessNameFromEProc(0),"dnlauncher.exe"))
- {
- if( NT_SUCCESS(ntStatus))
- {
- if(SystemInformationClass == 5)
- {
- struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
- struct _SYSTEM_PROCESSES *prev = NULL;
- while(curr)
- {
- if (curr->ProcessName.Buffer != NULL)
- {
- // dprintf("processid %d\n",curr->ProcessId);
- // Re-initialised on every iteration; both are loop-invariant.
- RtlInitUnicodeString(&gamename,L"DragonNest.exe");
- RtlInitUnicodeString(&launchername,L"dnlauncher.exe");
- 
- if((!RtlCompareUnicodeString(&(curr->ProcessName),&gamename,FALSE) && (ULONG)PsGetCurrentProcessId()!=curr->ProcessId) ||
- !RtlCompareUnicodeString(&(curr->ProcessName),&launchername,FALSE))
- {
- // dprintf("FIND DNF PDI %d\n",curr->ProcessId);
- if(prev)
- {
- // Skip curr: point prev past it, or terminate the chain if curr was last.
- if(curr->NextEntryDelta)
- {
- prev->NextEntryDelta += curr->NextEntryDelta;
- }
- else
- {
- prev->NextEntryDelta = 0;
- }
- }
- else
- {
- // First entry matched. SystemInformation is a by-value parameter, so these assignments only move the local
- // pointer; the caller's buffer still starts with the matched entry (no effect on what the caller sees).
- if(curr->NextEntryDelta)
- {
- (char *)SystemInformation += curr->NextEntryDelta;
- }
- else
- {
- SystemInformation = NULL;
- }
- }
- }
- else
- {
- prev = curr;
- }
- }
- // prev is only advanced for entries with a non-NULL name; an entry with a NULL ProcessName.Buffer leaves prev
- // pointing at the entry before it, so a later unlink may compute its delta from a stale predecessor.
- if(curr->NextEntryDelta)
- {
- ((char *)curr += curr->NextEntryDelta);
- }
- else
- {
- curr = NULL;
- }
- }
- }
- }
- }
- return ntStatus;
- }
- // Installs NewNtQuerySystemInformation into SSDT slot 173 (hard-coded, OS-build-specific; assumed to be
- // NtQuerySystemInformation on the target build — TODO confirm). Saves the previous entry in
- // OldNtQuerySystemInformation. Same WPOFF/WPON and single-CPU IRQL caveats as Pass_NtCreateMutant. Returns 1.
- ULONG Pass_NtQuerySystemInformation()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 173 * 4;
- (ULONG)OldNtQuerySystemInformation = *(ULONG*)Address; // save the original entry
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)NewNtQuerySystemInformation; //HOOK SSDT
- KeLowerIrql(oldIrql);
- WPON();
- return 1;
- }
- // Un-patch: writes OldNtQuerySystemInformation back into SSDT slot 173 for driver unload. Unconditional; does not
- // check that the slot still holds NewNtQuerySystemInformation. The index literal is duplicated from Pass_.
- VOID UnDetour_NtQuerySystemInformation()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 173 * 4;
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)OldNtQuerySystemInformation; // restore original SSDT entry
- KeLowerIrql(oldIrql);
- WPON();
- }
- //////////////////////////////////////////////////////////////////////////
- /*
- Disassembly the 8 bytes in oldcode[] were taken from (a standard 8-byte function prologue on one specific build):
- 805c1148 8bff mov edi,edi
- 805c114a 55 push ebp
- 805c114b 8bec mov ebp,esp
- 805c114d 83ec10 sub esp,10h
- */
- // Overwrites the first 8 bytes of ObCheckObjectAccess and of the routine in SSDT slot 257 (variable name suggests
- // NtTerminateProcess — not verified here) with oldcode[] whenever their first byte is 0x68 (push imm32), i.e.
- // when something else has already patched them. Assumes both routines originally had the identical prologue
- // shown above; that is build-specific and unchecked. GetFunctionAddr is defined elsewhere and its result is not
- // NULL-checked. Not referenced by any other function in this listing (its only call site is commented out).
- VOID UnHook()
- {
- KIRQL oldIrql;
- unsigned char oldcode[]={0x8b,0xff,0x55,0x8b,0xec,0x83,0xec,0x10};
- unsigned char* obcheckobjectaccessptr=(unsigned char*)GetFunctionAddr(L"ObCheckObjectAccess");
- 
- ULONG Address=(ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 257 * 4;
- unsigned char* ntterminateprocessptr=(unsigned char*)(*(ULONG*)Address);
- 
- if (obcheckobjectaccessptr[0]==0x68)
- {
- 
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- RtlCopyMemory(obcheckobjectaccessptr,oldcode,8);
- KeLowerIrql(oldIrql);
- WPON();
- }
- if (ntterminateprocessptr[0]==0x68)
- {
- 
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- RtlCopyMemory(ntterminateprocessptr,oldcode,8);
- KeLowerIrql(oldIrql);
- WPON();
- }
- }
- //////////////////////////////////////////////////////////////////////////NtOpenProcess
- // Function-pointer type with the NtOpenProcess signature.
- typedef NTSTATUS (*NTOPENPROCESS) (
- __out PHANDLE ProcessHandle,
- __in ACCESS_MASK DesiredAccess,
- __in POBJECT_ATTRIBUTES ObjectAttributes,
- __in_opt PCLIENT_ID ClientId
- );
- // SSDT entry saved by Pass_NtOpenProcess (restored by UnDetour_NtOpenProcess).
- NTOPENPROCESS OldNtProcessAdd;
- // SSDT entry captured by GetHookedFunAdd. Not called anywhere in this listing (the one call site is commented out).
- NTOPENPROCESS HookedNtOpenProcess;
- // Declared as a plain POBJECT_TYPE here; NewNtOpenProcess dereferences it once more to obtain the real type object,
- // which suggests the exported symbol is actually a POBJECT_TYPE* — TODO confirm against the DDK headers in use.
- extern POBJECT_TYPE PsProcessType;
- // SSDT replacement for NtOpenProcess. It does NOT forward to the original; the body from "PreviousMode =" onward
- // appears to be a re-implementation of the NT NtOpenProcess service (probe arguments, build an ACCESS_STATE,
- // honour SeDebugPrivilege, open by name or by CLIENT_ID). Before that it adds one policy check: when the caller
- // is "HProtect.exe" or "zhengtu2.dat" and the target process is "DML.exe", or is "DragonNest.exe" other than the
- // caller, the call fails with STATUS_ACCESS_DENIED. Parameters and return values mirror NtOpenProcess.
- // Noted defects in the added check: ClientId is __in_opt but is dereferenced before any probe or NULL test;
- // PsLookupProcessByProcessId's status is ignored, so tempeprocess may be uninitialized on failure; and the
- // reference taken on tempeprocess is never released (leaks an EPROCESS reference per call).
- NTSTATUS
- NewNtOpenProcess (
- __out PHANDLE ProcessHandle,
- __in ACCESS_MASK DesiredAccess,
- __in POBJECT_ATTRIBUTES ObjectAttributes,
- __in_opt PCLIENT_ID ClientId
- )
- {
- HANDLE Handle;
- KPROCESSOR_MODE PreviousMode;
- NTSTATUS Status;
- PEPROCESS Process;
- PETHREAD Thread;
- CLIENT_ID CapturedCid={0};
- BOOLEAN ObjectNamePresent;
- BOOLEAN ClientIdPresent;
- ACCESS_STATE AccessState;
- AUX_ACCESS_DATA AuxData;
- ULONG Attributes;
- LUID SeDebugPrivilege = {0};
- POBJECT_TYPE _PsProcessType;
- PEPROCESS tempeprocess;
- // Debug trace only; no behavioural effect.
- if (!strcmp("Open.exe",GetProcessNameFromEProc(0)))
- {
- DbgPrint("open.exe openprocess!\n");
- }
- if (!strcmp("HProtect.exe",GetProcessNameFromEProc(0)) || !strcmp("zhengtu2.dat",GetProcessNameFromEProc(0)))
- {
- // return HookedNtOpenProcess(ProcessHandle,DesiredAccess,ObjectAttributes,ClientId);
- // Unchecked status; unprobed user pointer; reference on tempeprocess is never dropped.
- PsLookupProcessByProcessId(ClientId->UniqueProcess,&tempeprocess);
- __try
- {
- if (
- !strcmp("DML.exe",GetProcessNameFromEProc(tempeprocess)) ||
- (!strcmp("DragonNest.exe",GetProcessNameFromEProc(tempeprocess)) && PsGetCurrentProcessId()!=ClientId->UniqueProcess)
- /*!strcmp("DeRoX.exe",GetProcessNameFromEProc(tempeprocess))*/
- )
- {
- return STATUS_ACCESS_DENIED;
- }
- }
- __except (EXCEPTION_EXECUTE_HANDLER)
- {
- dprintf("GetExceptionCode %08x\n",GetExceptionCode());
- return GetExceptionCode();
- }
- 
- }
- // UnHook();
- // Reads through PsProcessType once more to reach the real OBJECT_TYPE (see note at the extern declaration).
- (ULONG)_PsProcessType=*(ULONG*)PsProcessType;
- PreviousMode = KeGetPreviousMode();
- SeDebugPrivilege =RtlConvertLongToLuid(SE_DEBUG_PRIVILEGE);
- // User-mode callers: probe every pointer argument and sanitize attributes before use.
- if (PreviousMode != KernelMode) {
- __try {
- ProbeForWriteHandle (ProcessHandle);
- ProbeForReadSmallStructure (ObjectAttributes,
- sizeof(OBJECT_ATTRIBUTES),
- sizeof(ULONG));
- ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT (ObjectAttributes->ObjectName);
- Attributes = ObSanitizeHandleAttributes (ObjectAttributes->Attributes, UserMode);
- if (ARGUMENT_PRESENT (ClientId)) {
- ProbeForReadSmallStructure (ClientId, sizeof (CLIENT_ID), sizeof (ULONG));
- CapturedCid = *ClientId;
- ClientIdPresent = TRUE;
- } else {
- ClientIdPresent = FALSE;
- }
- }
- __except (EXCEPTION_EXECUTE_HANDLER) {
- return GetExceptionCode();
- }
- } else {
- ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT (ObjectAttributes->ObjectName);
- Attributes = ObSanitizeHandleAttributes (ObjectAttributes->Attributes, KernelMode);
- if (ARGUMENT_PRESENT (ClientId)) {
- CapturedCid = *ClientId;
- ClientIdPresent = TRUE;
- } else {
- ClientIdPresent = FALSE;
- }
- }
- // A name and a client id are mutually exclusive.
- if (ObjectNamePresent && ClientIdPresent) {
- return STATUS_INVALID_PARAMETER_MIX;
- }
- Status = SeCreateAccessState(
- &AccessState,
- &AuxData,
- DesiredAccess,
- &_PsProcessType->TypeInfo.GenericMapping
- );
- if ( !NT_SUCCESS(Status) ) {
- return Status;
- }
- // Holders of SeDebugPrivilege are granted everything they asked for up front.
- if (SeSinglePrivilegeCheck( SeDebugPrivilege, PreviousMode )) {
- if ( AccessState.RemainingDesiredAccess & MAXIMUM_ALLOWED ) {
- AccessState.PreviouslyGrantedAccess |= PROCESS_ALL_ACCESS;
- } else {
- AccessState.PreviouslyGrantedAccess |= ( AccessState.RemainingDesiredAccess );
- }
- AccessState.RemainingDesiredAccess = 0;
- }
- // Open by object name.
- if (ObjectNamePresent) {
- Status = ObOpenObjectByName(
- ObjectAttributes,
- _PsProcessType,
- PreviousMode,
- &AccessState,
- 0,
- NULL,
- &Handle
- );
- SeDeleteAccessState( &AccessState );
- if ( NT_SUCCESS(Status) ) {
- __try {
- *ProcessHandle = Handle;
- }
- __except (EXCEPTION_EXECUTE_HANDLER) {
- return GetExceptionCode ();
- }
- }
- return Status;
- }
- // Open by CLIENT_ID: via thread id when given, else via process id.
- if ( ClientIdPresent ) {
- Thread = NULL;
- if (CapturedCid.UniqueThread) {
- Status = PsLookupProcessThreadByCid(
- &CapturedCid,
- &Process,
- &Thread
- );
- if (!NT_SUCCESS(Status)) {
- SeDeleteAccessState( &AccessState );
- return Status;
- }
- } else {
- Status = PsLookupProcessByProcessId(
- CapturedCid.UniqueProcess,
- &Process
- );
- if ( !NT_SUCCESS(Status) ) {
- SeDeleteAccessState( &AccessState );
- return Status;
- }
- }
- //
- // OpenObjectByAddress
- //
- Status = ObOpenObjectByPointer(
- Process,
- Attributes,
- &AccessState,
- 0,
- _PsProcessType,
- PreviousMode,
- &Handle
- );
- SeDeleteAccessState( &AccessState );
- if (Thread) {
- ObDereferenceObject(Thread);
- }
- ObDereferenceObject(Process);
- if (NT_SUCCESS (Status)) {
- __try {
- *ProcessHandle = Handle;
- }
- __except (EXCEPTION_EXECUTE_HANDLER) {
- return GetExceptionCode ();
- }
- }
- return Status;
- }
- // Neither a name nor a client id: the ACCESS_STATE created above is not deleted on this path.
- return STATUS_INVALID_PARAMETER_MIX;
- }
- // Installs NewNtOpenProcess into SSDT slot 0x7A (hard-coded, OS-build-specific; assumed to be NtOpenProcess on the
- // target build — TODO confirm). Saves the previous entry in OldNtProcessAdd. Same WPOFF/WPON and single-CPU IRQL
- // caveats as Pass_NtCreateMutant. Returns 1.
- ULONG Pass_NtOpenProcess()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x7A * 4;
- (ULONG)OldNtProcessAdd = *(ULONG*)Address; // save the original entry
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)NewNtOpenProcess; //HOOK SSDT
- KeLowerIrql(oldIrql);
- WPON();
- return 1;
- }
- // Restores SSDT slot 0x7A from OldNtProcessAdd. Unconditional; does not check that the slot still holds
- // NewNtOpenProcess. Index literal duplicated from Pass_NtOpenProcess.
- VOID UnDetour_NtOpenProcess()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x7A * 4;
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) =(ULONG) OldNtProcessAdd; // restore original SSDT entry
- KeLowerIrql(oldIrql);
- WPON();
- }
- //////////////////////////////////////////////////////////////////////////
- // Function-pointer type with the NtReadVirtualMemory signature.
- typedef
- NTSTATUS
- (*NTREADVIRTUALMEMORY)(
- IN HANDLE ProcessHandle,
- IN PVOID BaseAddress,
- OUT PVOID Buffer,
- IN ULONG NumberOfBytesToRead,
- OUT PULONG NumberOfBytesReaded OPTIONAL );
- // SSDT entry saved by Pass_NtReadVirtualMemory (the pass-through target).
- NTREADVIRTUALMEMORY OldNtReadVirtualMemoryAdd;
- // SSDT entry captured by GetHookedFunAdd; NewNtReadVirtualMemory forwards HProtect.exe/zhengtu2.dat calls to it.
- NTREADVIRTUALMEMORY HookedNtReadVirtualMemoryAdd;
- // SSDT replacement for NtReadVirtualMemory. Calls from "HProtect.exe" or "zhengtu2.dat" are forwarded to
- // HookedNtReadVirtualMemoryAdd (whatever GetHookedFunAdd captured); all other calls go to
- // OldNtReadVirtualMemoryAdd. Parameters and return value mirror NtReadVirtualMemory.
- // The code between the first return and the closing brace of the if-block is unreachable.
- NTSTATUS NewNtReadVirtualMemory(
- IN HANDLE ProcessHandle,
- IN PVOID BaseAddress,
- OUT PVOID Buffer,
- IN ULONG NumberOfBytesToRead,
- OUT PULONG NumberOfBytesReaded OPTIONAL
- )
- {
- NTSTATUS status;
- PEPROCESS pEProcess=0;
- char* proname=0;
- 
- if (!strcmp("HProtect.exe",GetProcessNameFromEProc(0)) || !strcmp("zhengtu2.dat",GetProcessNameFromEProc(0)))
- {
- // Unconditional return: HookedNtReadVirtualMemoryAdd is not NULL-checked, and everything below is dead code.
- return HookedNtReadVirtualMemoryAdd(ProcessHandle,BaseAddress,Buffer,NumberOfBytesToRead,NumberOfBytesReaded);
- // ---- unreachable from here to the end of this if-block: an older deny-by-target-name strategy ----
- if (!ProcessHandle)
- {
- return 0;
- }
- status = ObReferenceObjectByHandle(ProcessHandle,PROCESS_ALL_ACCESS,NULL,0,&pEProcess,NULL);
- if(!NT_SUCCESS(status))
- {
- dprintf("ObReferenceObjectByHandle fail! %08x \n",status);
- return 0;
- }
- // Reference is dropped before pEProcess is used below.
- ObDereferenceObject(pEProcess);
- proname=GetProcessNameFromEProc(pEProcess);
- if (PsGetCurrentProcessId()!=PsGetProcessId(pEProcess))
- {
- if (!strcmp("DragonNest.exe",proname) || !strcmp("MDL.exe",proname))
- {
- return STATUS_ACCESS_DENIED;
- }
- }
- }
- return OldNtReadVirtualMemoryAdd(ProcessHandle,BaseAddress,Buffer,NumberOfBytesToRead,NumberOfBytesReaded);
- }
- //////////////////////////////////////////////////////////////////////////NtReadVirtualMemory
- // Installs NewNtReadVirtualMemory into SSDT slot 0xBA (hard-coded, OS-build-specific; assumed to be
- // NtReadVirtualMemory on the target build — TODO confirm). Saves the previous entry in OldNtReadVirtualMemoryAdd.
- // Same WPOFF/WPON and single-CPU IRQL caveats as Pass_NtCreateMutant. Returns 1.
- ULONG Pass_NtReadVirtualMemory()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0xBA * 4; // address of the NtReadVirtualMemory service slot
- (ULONG)OldNtReadVirtualMemoryAdd = *(ULONG*)Address; // save the original entry
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)NewNtReadVirtualMemory; //HOOK SSDT
- KeLowerIrql(oldIrql);
- WPON();
- return 1;
- }
- // Un-patch: restores SSDT slot 0xBA from OldNtReadVirtualMemoryAdd for driver unload. Unconditional; does not check
- // that the slot still holds NewNtReadVirtualMemory.
- VOID UnDetour_NtReadVirtualMemory()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0xBA * 4;
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)OldNtReadVirtualMemoryAdd; // restore original SSDT entry
- KeLowerIrql(oldIrql);
- WPON();
- }
- //////////////////////////////////////////////////////////////////////////
- // Function-pointer type with the NtWriteVirtualMemory signature.
- typedef NTSTATUS (*NTWRITEVIRTUALMEMORY)(
- IN HANDLE ProcessHandle,
- IN PVOID BaseAddress,
- IN PVOID Buffer,
- IN ULONG NumberOfBytesToWrite,
- OUT PULONG NumberOfBytesWritten OPTIONAL );
- // SSDT entry saved by Pass_NtWriteVirtualMemory (the pass-through target).
- NTWRITEVIRTUALMEMORY OldNtWriteVirtualMemoryAdd;
- // SSDT entry captured by GetHookedFunAdd; NewNtWriteVirtualMemory forwards HProtect.exe/zhengtu2.dat calls to it.
- NTWRITEVIRTUALMEMORY HookedNtWriteVirtualMemoryAdd;
-
- // SSDT replacement for NtWriteVirtualMemory. Calls from "HProtect.exe" or "zhengtu2.dat" go to
- // HookedNtWriteVirtualMemoryAdd (captured by GetHookedFunAdd, not NULL-checked); everything else goes to
- // OldNtWriteVirtualMemoryAdd. Parameters and return value mirror NtWriteVirtualMemory.
- NTSTATUS
- NTAPI
- NewNtWriteVirtualMemory(
- IN HANDLE ProcessHandle,
- IN PVOID BaseAddress,
- IN PVOID Buffer,
- IN ULONG NumberOfBytesToWrite,
- OUT PULONG NumberOfBytesWritten OPTIONAL )
- {
- if (!strcmp("HProtect.exe",GetProcessNameFromEProc(0)) || !strcmp("zhengtu2.dat",GetProcessNameFromEProc(0)))
- {
- return HookedNtWriteVirtualMemoryAdd(ProcessHandle,BaseAddress,Buffer,NumberOfBytesToWrite,NumberOfBytesWritten);
- }
- return OldNtWriteVirtualMemoryAdd(ProcessHandle,BaseAddress,Buffer,NumberOfBytesToWrite,NumberOfBytesWritten);
- }
- // Installs NewNtWriteVirtualMemory into SSDT slot 277 (hard-coded, OS-build-specific; assumed to be
- // NtWriteVirtualMemory on the target build — TODO confirm). Saves the previous entry in OldNtWriteVirtualMemoryAdd.
- // Same WPOFF/WPON and single-CPU IRQL caveats as Pass_NtCreateMutant. Returns 1.
- ULONG Pass_NtWriteVirtualMemory()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 277 * 4;
- (ULONG)OldNtWriteVirtualMemoryAdd = *(ULONG*)Address; // save the original entry
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)NewNtWriteVirtualMemory; //HOOK SSDT
- KeLowerIrql(oldIrql);
- WPON();
- return 1;
- }
- // Un-patch: restores SSDT slot 277 from OldNtWriteVirtualMemoryAdd for driver unload. Unconditional; does not check
- // that the slot still holds NewNtWriteVirtualMemory.
- VOID UnDetour_NtWriteVirtualMemory()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 277 * 4;
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)OldNtWriteVirtualMemoryAdd; // restore original SSDT entry
- KeLowerIrql(oldIrql);
- WPON();
- }
- //////////////////////////////////////////////////////////////////////////
-
- // Function-pointer type with the NtCreateSemaphore signature.
- typedef NTSTATUS (*NTCREATESEMAPHORE)(
- OUT PHANDLE SemaphoreHandle,
- IN ACCESS_MASK DesiredAccess,
- IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- IN ULONG InitialCount,
- IN ULONG MaximumCount );
- // SSDT entry saved by Pass_NtCreateSemaphore.
- NTCREATESEMAPHORE OrgNtCreateSemaphore;
- // Compared against handles in MyNtReleaseSemaphore/MyNtWaitForSingleObject, but never assigned anywhere in this
- // listing (the assignment is inside a commented-out block), so those comparisons only match a NULL handle.
- ULONG semhandle=0;
- // SSDT replacement for NtCreateSemaphore. For a caller named "DragonNest.exe" whose semaphore name contains
- // "dnx_57987675368241", it calls the original in a loop: while the original reports STATUS_OBJECT_NAME_EXISTS it
- // closes the returned handle, appends g_Sem_count (declared elsewhere; wraps at 20) to the caller's own name
- // string and retries; any other status is returned. All other calls, and exceptions, fall through to the original.
- // Parameters and return value mirror NtCreateSemaphore.
- // Noted defects: the caller-supplied ObjectName is modified in place and its MaximumLength is overwritten with
- // 0x100 without reallocating, so the append writes past whatever buffer the caller actually provided; the
- // name/Buffer are user pointers read without probing; wcsstr assumes a NUL-terminated buffer; the loop has no
- // iteration bound; uni_count's ExAllocatePool buffer is released with RtlFreeUnicodeString (verify pairing).
- NTSTATUS __stdcall MyNtCreateSemaphore(
- OUT PHANDLE SemaphoreHandle,
- IN ACCESS_MASK DesiredAccess,
- IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- IN ULONG InitialCount,
- IN ULONG MaximumCount
- )
- {
- PUNICODE_STRING p_mutex_name;
- UNICODE_STRING uni_count={0};
- HANDLE tmphand;
- NTSTATUS nTstatus;
- __try
- {
- if (!strcmp(GetProcessNameFromEProc(0),"DragonNest.exe"))
- {
- if(ObjectAttributes==NULL)
- return OrgNtCreateSemaphore(SemaphoreHandle,DesiredAccess,ObjectAttributes,InitialCount,MaximumCount);
- p_mutex_name=ObjectAttributes->ObjectName;
- if(p_mutex_name )
- {
- if (p_mutex_name->Buffer)
- {
- //dprintf("Semaphore %S\n",p_mutex_name->Buffer);
- //dnx_57987675368241
- if (wcsstr(p_mutex_name->Buffer,L"dnx_57987675368241"))
- {
- /*
- nTstatus=OrgNtCreateSemaphore(SemaphoreHandle,DesiredAccess,ObjectAttributes,InitialCount,MaximumCount);
- dprintf("Semaphore %S\n",p_mutex_name->Buffer);
- dprintf("OrgNtCreateSemaphore nTstatus %08x\n",nTstatus);
- // semhandle=(ULONG)*SemaphoreHandle;
- // dprintf("DragonNest pid %d MyNtCreateSemaphore dnx_57987675368241 handle %08x\n",PsGetCurrentProcessId(),semhandle);
- return nTstatus;
- */
- 
- while(1)
- {
- nTstatus=OrgNtCreateSemaphore(SemaphoreHandle,DesiredAccess,ObjectAttributes,InitialCount,MaximumCount);
- // STATUS_OBJECT_NAME_EXISTS is a success code: a handle to the existing object was returned, so close it first.
- if (nTstatus==STATUS_OBJECT_NAME_EXISTS)
- {
- dprintf("STATUS_OBJECT_NAME_EXISTS\n");
- if (SemaphoreHandle)
- {
- dprintf("SemaphoreHandle %08x\n",*(ULONG*)SemaphoreHandle);
- tmphand=*(HANDLE*)SemaphoreHandle;
- if (tmphand)
- {
- ZwClose(tmphand);
- }
- }
- 
- g_Sem_count++;
- if(g_Sem_count==20) g_Sem_count=0;
- // ExAllocatePool result is not NULL-checked.
- uni_count.Buffer=(PWSTR)ExAllocatePool(PagedPool,BUFFER_SIZE);
- uni_count.MaximumLength=BUFFER_SIZE;
- nTstatus=RtlIntegerToUnicodeString(g_Sem_count,10,&uni_count);
- if (NT_SUCCESS(nTstatus))
- {
- // Overrides the caller's stated capacity and appends into the caller's buffer in place.
- p_mutex_name->MaximumLength=0x100;
- RtlAppendUnicodeStringToString(p_mutex_name,&uni_count);
- }
- else
- {
- dprintf("RtlIntegerToUnicodeString error!\n");
- }
- RtlFreeUnicodeString(&uni_count);
- // RtlInitUnicodeString(&uni_count,wzCount);
- }
- else
- {
- dprintf("CreateSemaphore sucess! Semaphore name %S\n",p_mutex_name->Buffer);
- return nTstatus;
- }
- }
- // MaximumCount=10;
- // dprintf("DragonNest CreateSemaphore MaximumCount :%d InitialCount :%d\n",MaximumCount,InitialCount);
- // dprintf("fack mutex!\n");
- // return STATUS_SUCCESS;
- }
- }
- }
- }
- }
- // Catches every exception (filter value 1), logs, then falls through to pass-through.
- __except(1)
- {
- dprintf("MyNtCreateSemaphore error\n");
- }
- return OrgNtCreateSemaphore(SemaphoreHandle,DesiredAccess,ObjectAttributes,InitialCount,MaximumCount);
- }
- // Installs MyNtCreateSemaphore into SSDT slot 51 (hard-coded, OS-build-specific; assumed to be NtCreateSemaphore on
- // the target build — TODO confirm). Saves the previous entry in OrgNtCreateSemaphore. Same WPOFF/WPON and
- // single-CPU IRQL caveats as Pass_NtCreateMutant. Returns 1.
- ULONG Pass_NtCreateSemaphore()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 51 * 4;
- (ULONG)OrgNtCreateSemaphore = *(ULONG*)Address; // save the original entry
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)MyNtCreateSemaphore; //HOOK SSDT
- KeLowerIrql(oldIrql);
- WPON();
- return 1;
- }
- // Un-patch: restores SSDT slot 51 from OrgNtCreateSemaphore for driver unload. Unconditional; does not check that
- // the slot still holds MyNtCreateSemaphore.
- VOID UnDetour_NtCreateSemaphore()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 51 * 4;
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)OrgNtCreateSemaphore; // restore original SSDT entry
- KeLowerIrql(oldIrql);
- WPON();
- }
- //////////////////////////////////////////////////////////////////////////
- // Function-pointer type with the NtReleaseSemaphore signature.
- typedef NTSTATUS (*NTRELEASESEMAPHORE)(
- IN HANDLE SemaphoreHandle,
- IN ULONG ReleaseCount,
- OUT PULONG PreviousCount OPTIONAL );
- // SSDT entry saved by Pass_NtReleaseSemaphore.
- NTRELEASESEMAPHORE OrgNtReleaseSemaphore;
- // SSDT replacement for NtReleaseSemaphore. Logging only: for a "DragonNest.exe" caller whose handle equals the
- // global semhandle it prints a trace, then always forwards to OrgNtReleaseSemaphore. Since semhandle is never
- // assigned in this listing the trace only fires for a NULL handle. Parameters/return mirror NtReleaseSemaphore.
- NTSTATUS __stdcall MyNtReleaseSemaphore(
- IN HANDLE SemaphoreHandle,
- IN ULONG ReleaseCount,
- OUT PULONG PreviousCount OPTIONAL
- )
- {
- UNICODE_STRING semaphorename; // unused (only referenced inside the commented-out block)
- __try
- {
- if (!strcmp(GetProcessNameFromEProc(0),"DragonNest.exe"))
- {
- if (semhandle==(ULONG)SemaphoreHandle)
- {
- dprintf("DragonNest pid %d ReleaseSemaphore handle %08x\n",PsGetCurrentProcessId(),SemaphoreHandle);
- }
- 
- /*
- if (!GetObjectNameFromHandle(SemaphoreHandle,&semaphorename))
- {
- if (!wcscmp(semaphorename.Buffer,L"dnx_57987675368241"))
- {
- dprintf("DragonNest pid %d ReleaseSemaphore name %wZ\n",PsGetCurrentProcessId(),&semaphorename);
- }
- 
- }
- */
- }
- }
- __except(1)
- {
- dprintf("MyNtReleaseSemaphore error!\n");
- }
- return OrgNtReleaseSemaphore(SemaphoreHandle,ReleaseCount,PreviousCount);
- }
- // Installs MyNtReleaseSemaphore into SSDT slot 189 (hard-coded, OS-build-specific; assumed to be
- // NtReleaseSemaphore on the target build — TODO confirm). Saves the previous entry in OrgNtReleaseSemaphore.
- // Same WPOFF/WPON and single-CPU IRQL caveats as Pass_NtCreateMutant. Returns 1.
- ULONG Pass_NtReleaseSemaphore()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 189 * 4;
- (ULONG)OrgNtReleaseSemaphore = *(ULONG*)Address; // save the original entry
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)MyNtReleaseSemaphore; //HOOK SSDT
- KeLowerIrql(oldIrql);
- WPON();
- return 1;
- }
- // Un-patch: restores SSDT slot 189 from OrgNtReleaseSemaphore for driver unload. Unconditional; does not check that
- // the slot still holds MyNtReleaseSemaphore.
- VOID UnDetour_NtReleaseSemaphore()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 189 * 4;
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)OrgNtReleaseSemaphore; // restore original SSDT entry
- KeLowerIrql(oldIrql);
- WPON();
- }
- //////////////////////////////////////////////////////////////////////////
- // Function-pointer type with the NtOpenSemaphore signature.
- typedef NTSTATUS (*NTOPENSEMAPHORE)(
- OUT PHANDLE SemaphoreHandle,
- IN ACCESS_MASK DesiredAccess,
- IN POBJECT_ATTRIBUTES ObjectAttributes );
- // SSDT entry saved by Pass_NtOpenSemaphore.
- NTOPENSEMAPHORE OrgNtOpenSemaphore;
- // SSDT replacement for NtOpenSemaphore. Logging only: for a "DragonNest.exe" caller whose object name contains
- // "dnx_57987675368241" it prints a trace; every call is then forwarded to OrgNtOpenSemaphore.
- // Unlike MyNtCreateSemaphore, ObjectAttributes is dereferenced without a NULL test (the __except is the only guard),
- // and wcsstr assumes a NUL-terminated buffer. Parameters/return mirror NtOpenSemaphore.
- NTSTATUS __stdcall MyNtOpenSemaphore(
- OUT PHANDLE SemaphoreHandle,
- IN ACCESS_MASK DesiredAccess,
- IN POBJECT_ATTRIBUTES ObjectAttributes )
- {
- PUNICODE_STRING p_mutex_name;
- __try
- {
- if (!strcmp(GetProcessNameFromEProc(0),"DragonNest.exe"))
- {
- // dprintf("DragonNest pid %d OpenSemaphore\n",PsGetCurrentProcessId());
- p_mutex_name=ObjectAttributes->ObjectName;
- if(p_mutex_name )
- {
- if (p_mutex_name->Buffer)
- {
- if (wcsstr(p_mutex_name->Buffer,L"dnx_57987675368241"))
- {
- dprintf("DragonNest PID %d NtOpenSemaphore name %S\n",PsGetCurrentProcessId(),p_mutex_name->Buffer);
- }
- }
- }
- 
- }
- }
- __except(1)
- {
- dprintf("MyNtOpenSemaphore error!\n");
- }
- return OrgNtOpenSemaphore(SemaphoreHandle,DesiredAccess,ObjectAttributes);
- }
- // Installs MyNtOpenSemaphore into SSDT slot 126 (hard-coded, OS-build-specific; assumed to be NtOpenSemaphore on
- // the target build — TODO confirm). Saves the previous entry in OrgNtOpenSemaphore. Same WPOFF/WPON and
- // single-CPU IRQL caveats as Pass_NtCreateMutant. Returns 1.
- ULONG Pass_NtOpenSemaphore()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 126 * 4;
- (ULONG)OrgNtOpenSemaphore = *(ULONG*)Address; // save the original entry
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)MyNtOpenSemaphore; //HOOK SSDT
- KeLowerIrql(oldIrql);
- WPON();
- return 1;
- }
- // Un-patch: restores SSDT slot 126 from OrgNtOpenSemaphore for driver unload. Unconditional; does not check that
- // the slot still holds MyNtOpenSemaphore.
- VOID UnDetour_NtOpenSemaphore()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 126 * 4;
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)OrgNtOpenSemaphore; // restore original SSDT entry
- KeLowerIrql(oldIrql);
- WPON();
- }
- //////////////////////////////////////////////////////////////////////////
-
- // Function-pointer type with the NtWaitForSingleObject signature.
- typedef NTSTATUS (*NTWAITFORSINGLEOBJECT)(
- IN HANDLE ObjectHandle,
- IN BOOLEAN Alertable,
- IN PLARGE_INTEGER TimeOut );
- // SSDT entry saved by Pass_NtWaitForSingleObject.
- NTWAITFORSINGLEOBJECT OrgNtWaitForSingleObject;
- // SSDT replacement for NtWaitForSingleObject. Logging only; always forwards to OrgNtWaitForSingleObject.
- // The trace fires for a "DragonNest.exe" caller when ObjectHandle equals semhandle (never assigned in this listing,
- // so effectively only for a NULL handle). Parameters/return mirror NtWaitForSingleObject.
- NTSTATUS __stdcall MyNtWaitForSingleObject(
- IN HANDLE ObjectHandle,
- IN BOOLEAN Alertable,
- IN PLARGE_INTEGER TimeOut )
- {
- UNICODE_STRING Objectname; // never initialised, yet passed to %wZ below
- __try
- {
- if (!strcmp(GetProcessNameFromEProc(0),"DragonNest.exe"))
- {
- if (semhandle==(ULONG)ObjectHandle)
- {
- // Objectname is uninitialised here; %wZ will read garbage (the __except masks a resulting fault).
- // TimeOut is a pointer printed with %d.
- dprintf("DragonNest pid %d MyNtWaitForSingleObject name %wZ TimeOut %d\n",PsGetCurrentProcessId(),&Objectname,TimeOut);
- }
- /*
- if (!GetObjectNameFromHandle(ObjectHandle,&Objectname))
- {
- if (!wcscmp(Objectname.Buffer,L"dnx_57987675368241"))
- {
- dprintf("DragonNest pid %d MyNtWaitForSingleObject name %wZ TimeOut %d\n",PsGetCurrentProcessId(),&Objectname,TimeOut);
- }
- 
- }
- */
- }
- }
- __except(1)
- {
- dprintf("MyNtOpenSemaphore error!\n"); // message copied from MyNtOpenSemaphore; misattributes the failure
- }
- return OrgNtWaitForSingleObject(ObjectHandle,Alertable,TimeOut);
- }
- // Installs MyNtWaitForSingleObject into SSDT slot 271 (hard-coded, OS-build-specific; assumed to be
- // NtWaitForSingleObject on the target build — TODO confirm). Saves the previous entry in OrgNtWaitForSingleObject.
- // Same WPOFF/WPON and single-CPU IRQL caveats as Pass_NtCreateMutant. Returns 1.
- ULONG Pass_NtWaitForSingleObject()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 271 * 4;
- (ULONG)OrgNtWaitForSingleObject = *(ULONG*)Address; // save the original entry
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)MyNtWaitForSingleObject; //HOOK SSDT
- KeLowerIrql(oldIrql);
- WPON();
- return 1;
- }
- // Un-patch: restores SSDT slot 271 from OrgNtWaitForSingleObject for driver unload. Unconditional; does not check
- // that the slot still holds MyNtWaitForSingleObject.
- VOID UnDetour_NtWaitForSingleObject()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 271 * 4;
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)OrgNtWaitForSingleObject; // restore original SSDT entry
- KeLowerIrql(oldIrql);
- WPON();
- }
- //////////////////////////////////////////////////////////////////////////
- //////////////////////////////////////////////////////////////////////////
- // Function-pointer type for the win32k NtUserQueryWindow service (handle + query type -> value).
- typedef UINT_PTR (*NTUSERQUERYWINDOW)(
- IN ULONG WindowHandle,
- IN ULONG TypeInformation);
- // Resolved by FindNtUserQueryWindow from the shadow table; NULL until then. Used by MyNtUserFindWindowEx.
- NTUSERQUERYWINDOW OldNtUserQueryWindow;
- // Resolves OldNtUserQueryWindow by reading entry 0x1E3 of the win32k (index 1) shadow service table while attached
- // to the csrss process (crsEProc, set by InitSWSSDT, defined elsewhere). The index is hard-coded and
- // OS-build-specific — TODO confirm. crsEProc is not checked for NULL before KeAttachProcess. The detach is in
- // __finally so it runs even if the table read faults, but the fault itself is not caught — there is no __except.
- // Always returns 0 (status is never updated).
- NTSTATUS FindNtUserQueryWindow()
- {
- NTSTATUS status=0;
- KeAttachProcess(crsEProc);
- __try
- {
- if (KeServiceDescriptorTableShadow!=NULL)
- {
- OldNtUserQueryWindow = (NTUSERQUERYWINDOW)KeServiceDescriptorTableShadow[1].ServiceTableBase[0x1E3];
- }
- }
- __finally
- {
- KeDetachProcess();
- }
- return status ;
- }
- //////////////////////////////////////////////////////////////////////////
- // Heuristic search for the address of KeServiceDescriptorTableShadow (not exported): scans 4096 bytes starting at
- // KeAddSystemServiceTable, reading a 32-bit value at every byte offset, and returns the first value that is a
- // valid address whose first 16 bytes equal KeServiceDescriptorTable's but is not KeServiceDescriptorTable itself
- // (the shadow table's first descriptor is expected to mirror the main one — assumption, TODO confirm).
- // Returns 0 if a read faults or nothing matches. The matched 16 bytes span only the first descriptor, so a false
- // positive is possible; MmIsAddressValid only establishes that the page is resident at that instant.
- // `&KeServiceDescriptorTable` depends on how that symbol is declared elsewhere (object vs pointer) — TODO confirm.
- unsigned int getAddressOfShadowTable()
- {
- unsigned int i;
- unsigned char *p;
- unsigned int dwordatbyte;
- p = (unsigned char*) KeAddSystemServiceTable;
- for(i = 0; i < 4096; i++, p++)
- {
- __try
- {
- dwordatbyte = *(unsigned int*)p; // unaligned read; acceptable on x86
- }
- __except(EXCEPTION_EXECUTE_HANDLER)
- {
- return 0;
- }
- if(MmIsAddressValid((PVOID)dwordatbyte))
- {
- if(memcmp((PVOID)dwordatbyte, &KeServiceDescriptorTable, 16) == 0)
- {
- if((PVOID)dwordatbyte == &KeServiceDescriptorTable)
- {
- continue;
- }
- return dwordatbyte;
- }
- }
- }
- return 0;
- }
- // Stores the result of getAddressOfShadowTable() in the global KeServiceDescriptorTableShadow (declared elsewhere,
- // type PSERVICE_DESCRIPTOR_TABLE). Returns TRUE when found, FALSE otherwise; the only caller (InitSWSSDT) ignores
- // the return value. On success it logs the entry count of descriptor [1] (the win32k table).
- ULONG getShadowTable()
- {
- KeServiceDescriptorTableShadow = (PSERVICE_DESCRIPTOR_TABLE) getAddressOfShadowTable();
- if(KeServiceDescriptorTableShadow == NULL)
- {
- dprintf("hooker.sys: Couldnt find shadowtable!\n");
- return FALSE;
- }
- else
- {
- dprintf("hooker.sys: Shadowtable has been found!\n");
- dprintf("hooker.sys: Shadowtable entries: %d\n", KeServiceDescriptorTableShadow[1].NumberOfServices);
- return TRUE;
- }
- }
- // The first 7 bytes of NtUserFindWindowEx on the build this was written against (replayed by _NtUserFindWindowEx):
- //6A 30 PUSH 0x30
- //68 70D898BF PUSH 0xBF98D870
- // Address of NtUserFindWindowEx + 7, i.e. the instruction after the two pushes above; set by HookFindWindow.
- unsigned long reentry_ntuserfinwind;
- // Copy of the 7 original bytes overwritten by HookFindWindow, restored by UnHookFindWindow. Only 7 of 8 are used.
- UCHAR g_oldcode_ntuserfindwind[8];
- // Trampoline into the original NtUserFindWindowEx after HookFindWindow has overwritten its first 7 bytes: replays
- // those 7 bytes (push 0x30; push 0xBF98D870) and jumps to the saved re-entry address. The parameter list is only
- // for callers' benefit — a naked function has no prologue and the arguments pass through untouched on the stack.
- // 0xBF98D870 is an absolute win32k address baked in for one specific build; on any other build the replayed
- // bytes no longer match the original prologue and this trampoline corrupts the call.
- __declspec(naked) NTSTATUS _NtUserFindWindowEx(
- HANDLE hwndParent,
- HANDLE hwndChild,
- PUNICODE_STRING pstrClassName ,
- PUNICODE_STRING pstrWindowName ,
- DWORD dwType)
- {
- __asm
- {
- push 0x30
- push 0xBF98D870
- jmp [reentry_ntuserfinwind]
- }
- }
- // One-time setup for the shadow-table hooks: locate the shadow table (result ignored), look up the csrss EPROCESS
- // by the pid returned from GetCsrPid() (defined elsewhere) into the global crsEProc, then resolve
- // OldNtUserQueryWindow. On lookup failure it only logs and still calls FindNtUserQueryWindow, which attaches to
- // the unset crsEProc. The EPROCESS reference taken here is never released in this listing.
- // Returns the PsLookupProcessByProcessId status.
- NTSTATUS InitSWSSDT()
- {
- NTSTATUS status;
- getShadowTable();
- 
- status = PsLookupProcessByProcessId((HANDLE)GetCsrPid(), &crsEProc);
- if (!NT_SUCCESS( status ))
- {
- dprintf("PsLookupProcessByProcessId() error\n");
- }
- FindNtUserQueryWindow();
- return status;
- }
- // Maps a process id to its image name via PsLookupProcessByProcessId + GetProcessNameFromEProc (defined elsewhere).
- // Returns NULL when the lookup does not return exactly STATUS_SUCCESS (the `!rStutus` test rejects informational
- // success codes too). The EPROCESS reference is dropped before the pointer is used, so the returned name is read
- // from an object this function no longer holds. Not called anywhere in this listing.
- char* GetProcessName( ULONG nProcessId)
- {
- NTSTATUS rStutus;
- PEPROCESS curproc;
- rStutus=PsLookupProcessByProcessId((HANDLE)nProcessId,&curproc);
- if (!rStutus)
- {
- ObDereferenceObject(curproc);
- return GetProcessNameFromEProc(curproc);
- }
- return 0;
- }
- // Inline-hook replacement for NtUserFindWindowEx (installed by HookFindWindow). Runs the real lookup through the
- // _NtUserFindWindowEx trampoline, then — only for a "DragonNest.exe" caller — asks OldNtUserQueryWindow(result, 0)
- // for the owning process of the found window (type 0 presumably means "process id" — TODO confirm) and, if that is
- // not the caller, reports "not found" (0) when the requested class is "DRAGONNEST" or the requested window title
- // is "龙之谷" or "DML". Otherwise returns the real result.
- // OldNtUserQueryWindow is not NULL-checked, so this faults if FindNtUserQueryWindow did not run or found nothing.
- // The return type is NTSTATUS but the value is the window handle from the real service.
- NTSTATUS MyNtUserFindWindowEx(
- IN HANDLE hwndParent,
- IN HANDLE hwndChild,
- IN PUNICODE_STRING pstrClassName OPTIONAL,
- IN PUNICODE_STRING pstrWindowName OPTIONAL,
- IN DWORD dwType)
- {
- ULONG result;
- UNICODE_STRING CLASSNAME;
- //UNICODE_STRING FIXCLASSNAME;
- ULONG FindProcessID; // unused
- char* szFindProcessName; // unused
- ULONG ProcessID;
- result = _NtUserFindWindowEx(hwndParent, hwndChild, pstrClassName, pstrWindowName, dwType);
- if (!_stricmp("DragonNest.exe",GetProcessNameFromEProc(0)))
- {
- 
- ProcessID = OldNtUserQueryWindow(result, 0);
- 
- if (ProcessID!=(ULONG)PsGetCurrentProcessId())
- {
- if (pstrClassName!=0)
- {
- // CLASSNAME is reused for each comparison string below.
- RtlInitUnicodeString(&CLASSNAME,L"DRAGONNEST");
- if (!RtlCompareUnicodeString(pstrClassName,&CLASSNAME,FALSE))
- {
- return 0;
- }
- }
- if (pstrWindowName!=0)
- {
- RtlInitUnicodeString(&CLASSNAME,L"龙之谷");
- if (!RtlCompareUnicodeString(pstrWindowName,&CLASSNAME,FALSE))
- {
- return 0;
- }
- RtlInitUnicodeString(&CLASSNAME,L"DML");
- if (!RtlCompareUnicodeString(pstrWindowName,&CLASSNAME,FALSE))
- {
- return 0;
- }
- }
- }
- 
- }
- return result;
- }
- // Function-pointer type for the win32k NtUserFindWindowEx service.
- typedef NTSTATUS (*NTUSERFINDWINDOWEX)(
- HANDLE hwndParent,
- HANDLE hwndChild,
- PUNICODE_STRING pstrClassName ,
- PUNICODE_STRING pstrWindowName ,
- DWORD dwType);
- // Address of the real NtUserFindWindowEx (shadow-table entry 0x17A), read by HookFindWindow; the inline patch is
- // written to and restored at this address.
- NTUSERFINDWINDOWEX g_OriginalNtUserFindWindowEx;
- // Installs an inline (code-patch) hook on NtUserFindWindowEx: while attached to csrss, reads the service address
- // from shadow-table entry 0x17A (hard-coded, OS-build-specific — TODO confirm), saves its first 7 bytes, sets the
- // trampoline re-entry point to address+7, and overwrites those 7 bytes with `jmp rel32` to MyNtUserFindWindowEx
- // followed by two NOPs. rel32 = target - source - 5 (the length of the jmp). Unlike the SSDT helpers, no IRQL
- // raise; the 7-byte write is not atomic, and it is done with write protection off via WPOFF/WPON.
- // The `else KeServiceDescriptorTableShadow=NULL;` branch is a no-op (it is already NULL there). Always returns 0.
- NTSTATUS HookFindWindow()
- {
- NTSTATUS status=0;
- unsigned char newcode[] = { 0xE9, 0x44, 0x33, 0x22, 0x11,0x90,0x90}; // jmp <placeholder rel32>; nop; nop
- KeAttachProcess(crsEProc);
- __try
- {
- if (KeServiceDescriptorTableShadow!=NULL)
- {
- g_OriginalNtUserFindWindowEx = (NTUSERFINDWINDOWEX)KeServiceDescriptorTableShadow[1].ServiceTableBase[0x17A];
- memcpy(g_oldcode_ntuserfindwind,(UCHAR*)g_OriginalNtUserFindWindowEx,7);
- reentry_ntuserfinwind=(unsigned long)g_OriginalNtUserFindWindowEx+7;
- *( (unsigned long *)(&newcode[1]) ) = (unsigned long)MyNtUserFindWindowEx-(unsigned long)g_OriginalNtUserFindWindowEx-5;
- }
- else
- KeServiceDescriptorTableShadow=NULL;
- WPOFF();
- if (KeServiceDescriptorTableShadow!=NULL )
- {
- memcpy((UCHAR*)g_OriginalNtUserFindWindowEx,newcode,7);
- }
- WPON();
- }
- __finally
- {
- KeDetachProcess();
- }
- return status ;
- }
- // Removes the inline hook installed by HookFindWindow by writing the saved 7 bytes back, while attached to csrss
- // with write protection off. Relies on g_OriginalNtUserFindWindowEx having been set; if HookFindWindow never ran
- // and the shadow table is non-NULL this writes through a NULL pointer. `Sleep` is not a kernel API; presumably a
- // local wrapper defined elsewhere — TODO confirm. `status` is unused. Always returns 0.
- NTSTATUS UnHookFindWindow()
- {
- NTSTATUS status;
- KeAttachProcess(crsEProc);
- __try
- {
- WPOFF();
- if (KeServiceDescriptorTableShadow!=NULL)
- {
- memcpy((UCHAR*)g_OriginalNtUserFindWindowEx,g_oldcode_ntuserfindwind,7);
- }
- WPON();
- }
- __finally
- {
- KeDetachProcess();
- Sleep(50);
- }
- return 0;
- }
- /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
- //////////////////////////////////////////////////////////////////////////
- // Original address of the NtUserPostMessage service (shadow-table entry 475), saved by HookNtUserPostMessage.
- ULONG OldNtUserPostMessage;
- // Replacement installed in the shadow table for NtUserPostMessage. It contains no logic: it re-executes what is
- // assumed to be the original's prologue (push ebp; mov ebp,esp; push esi) and jumps to original+6, so the net
- // effect is a pass-through. The 6-byte skip presumes the original starts with a 2-byte `mov edi,edi` before
- // that prologue — build-specific, not verified here. Declared with no parameters; arguments stay on the stack.
- NTSTATUS __declspec(naked) MyNtUserPostMessage()
- {
- __asm
- {
- push ebp
- mov ebp,esp
- push esi
- mov eax,OldNtUserPostMessage
- add eax,6
- jmp eax
- }
- 
- }
- // Installs MyNtUserPostMessage into entry 475 of the win32k shadow table reached through the global `ShadowTable`
- // (declared elsewhere; distinct from KeServiceDescriptorTableShadow used by the FindWindow hooks — TODO confirm
- // both refer to the same table). Runs attached to csrss; same WPOFF/WPON and single-CPU IRQL caveats as the
- // SSDT helpers. The index is hard-coded and OS-build-specific. Always returns 0.
- NTSTATUS HookNtUserPostMessage()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- __try
- {
- KeAttachProcess(crsEProc);
- Address = (ULONG)ShadowTable->NotUse2.ServiceTableBase + 475 * 4;
- (ULONG)OldNtUserPostMessage = *(ULONG*)Address;
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)MyNtUserPostMessage; //HOOK shadow SSDT
- KeLowerIrql(oldIrql);
- WPON();
- 
- }
- __finally
- {
- KeDetachProcess();
- }
- return 0 ;
- }
- // Restores shadow-table entry 475 from OldNtUserPostMessage, attached to csrss. Unconditional; does not check that
- // the entry still holds MyNtUserPostMessage. Always returns 0.
- NTSTATUS UnHookNtUserPostMessage()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- __try
- {
- KeAttachProcess(crsEProc);
- Address = (ULONG)ShadowTable->NotUse2.ServiceTableBase +475 * 4;
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)OldNtUserPostMessage; // restore original entry
- KeLowerIrql(oldIrql);
- WPON();
- }
- __finally
- {
- KeDetachProcess();
- }
- return 0;
- }
- //////////////////////////////////////////////////////////////////////////
- // Original address of the NtUserMessageCall service (shadow-table entry 460), saved by HookNtUserMessageCall.
- ULONG OldNtUserMessageCall;
- // Replacement installed in the shadow table for NtUserMessageCall. No logic: replays an assumed prologue
- // (push ebp; mov ebp,esp; sub esp,0xc — 6 bytes) and jumps to original+8, so it is a pass-through. The 8-byte skip
- // presumes a leading 2-byte `mov edi,edi` — build-specific, not verified here.
- NTSTATUS __declspec(naked) MyNtUserMessageCall()
- {
- __asm
- {
- push ebp
- mov ebp,esp
- sub esp,0xc
- mov eax,OldNtUserMessageCall
- add eax,8
- jmp eax
- }
- }
- // Installs MyNtUserMessageCall into entry 460 of the win32k shadow table via `ShadowTable`, attached to csrss.
- // Hard-coded, OS-build-specific index; same WPOFF/WPON and single-CPU IRQL caveats as the SSDT helpers.
- // Always returns 0.
- NTSTATUS HookNtUserMessageCall()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- 
- __try
- {
- KeAttachProcess(crsEProc);
- Address = (ULONG)ShadowTable->NotUse2.ServiceTableBase + 460 * 4;
- (ULONG)OldNtUserMessageCall = *(ULONG*)Address;
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)MyNtUserMessageCall; //HOOK shadow SSDT
- KeLowerIrql(oldIrql);
- WPON();
- }
- __finally
- {
- KeDetachProcess();
- }
- return 0 ;
- }
- // Restores shadow-table entry 460 from OldNtUserMessageCall, attached to csrss. Unconditional; does not check that
- // the entry still holds MyNtUserMessageCall. Always returns 0.
- NTSTATUS UnHookNtUserMessageCall()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- 
- __try
- {
- KeAttachProcess(crsEProc);
- Address = (ULONG)ShadowTable->NotUse2.ServiceTableBase +460 * 4;
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)OldNtUserMessageCall; // restore original entry
- KeLowerIrql(oldIrql);
- WPON();
- }
- __finally
- {
- KeDetachProcess();
- }
- return 0;
- }
- //////////////////////////////////////////////////////////////////////////
- // Kernel-side copies of the Win32 INPUT family of structures (the user-mode headers are not available in a driver).
- // Field widths match the Win32 definitions; wVk/wScan/wParamL/wParamH are declared SHORT where Win32 uses WORD
- // (same size, different signedness). Nothing in this listing reads these fields.
- typedef struct tagKEYBDINPUT {
- SHORT wVk;
- SHORT wScan;
- ULONG dwFlags;
- ULONG time;
- ULONG_PTR dwExtraInfo;
- } KEYBDINPUT, *PKEYBDINPUT;
- typedef struct tagMOUSEINPUT {
- LONG dx;
- LONG dy;
- ULONG mouseData;
- ULONG dwFlags;
- ULONG time;
- ULONG_PTR dwExtraInfo;
- } MOUSEINPUT, *PMOUSEINPUT;
- typedef struct tagHARDWAREINPUT {
- ULONG uMsg;
- SHORT wParamL;
- SHORT wParamH;
- } HARDWAREINPUT, *PHARDWAREINPUT;
- typedef struct tagINPUT {
- ULONG type;
- union {MOUSEINPUT mi;
- KEYBDINPUT ki;
- HARDWAREINPUT hi;
- };
- }INPUT, *PINPUT;
- // Function-pointer type for the win32k NtUserSendInput service (count, array, element size).
- typedef ULONG (NTAPI*NTUSERSENDINPUT)(ULONG,PINPUT,int);
- // Original shadow-table entry 502, saved by HookNtUserSendInput; _NtUserSendInput jumps to it + 7.
- NTUSERSENDINPUT OldNtUserSendInput;
- //ULONG OldNtUserSendInputree;
- // Replacement installed in the shadow table for NtUserSendInput (see HookNtUserSendInput). It replays what is
- // assumed to be the original's first 7 bytes (push 0x18; push 0xbf98f050) and jumps to original+7, so it is a
- // pass-through with no added logic. 0xbf98f050 is an absolute win32k address for one specific build; the skip of
- // 7 bytes is only correct there. Note that because the table entry is swapped to point here, the original's own
- // first 7 bytes are never executed — the replay stands in for them.
- NTSTATUS __declspec(naked) _NtUserSendInput(IN ULONG nInputs,IN PINPUT pInputs,IN int cbSize)
- {
- __asm
- {
- push 0x18
- push 0xbf98f050
- mov eax,OldNtUserSendInput
- add eax,7
- jmp eax
- }
- }
- // Logging wrapper for NtUserSendInput: prints a trace when the caller is "DragonNest.exe", then forwards to
- // OldNtUserSendInput. Not installed anywhere in this listing — HookNtUserSendInput installs _NtUserSendInput
- // instead — so this function is currently dead code.
- ULONG NTAPI MyNtUserSendInput(IN ULONG nInputs,IN PINPUT pInputs,IN int cbSize)
- {
- if (!strcmp(GetProcessNameFromEProc(0),"DragonNest.exe"))
- {
- dprintf("DragonNest NtUserSendInput\n");
- 
- }
- return OldNtUserSendInput(nInputs,pInputs,cbSize);
- // return _NtUserSendInput(nInputs,pInputs,cbSize);
- }
- // Installs _NtUserSendInput (not MyNtUserSendInput) into entry 502 of the win32k shadow table via `ShadowTable`,
- // attached to csrss, after saving the original entry in OldNtUserSendInput. Hard-coded, OS-build-specific index;
- // same WPOFF/WPON and single-CPU IRQL caveats as the SSDT helpers. Always returns 0.
- NTSTATUS HookNtUserSendInput()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- 
- __try
- {
- KeAttachProcess(crsEProc);
- Address = (ULONG)ShadowTable->NotUse2.ServiceTableBase + 502 * 4;
- (ULONG)OldNtUserSendInput = *(ULONG*)Address;
- // OldNtUserSendInputree=OldNtUserSendInput+7;
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)_NtUserSendInput; //HOOK shadow SSDT
- KeLowerIrql(oldIrql);
- WPON();
- }
- __finally
- {
- KeDetachProcess();
- }
- return 0 ;
- }
- // Restores shadow-table entry 502 from OldNtUserSendInput, attached to csrss. Unconditional; does not check that
- // the entry still holds _NtUserSendInput. Always returns 0.
- NTSTATUS UnHookNtUserSendInput()
- {
- KIRQL oldIrql;
- ULONG Address=0;
- 
- __try
- {
- KeAttachProcess(crsEProc);
- Address = (ULONG)ShadowTable->NotUse2.ServiceTableBase +502 * 4;
- WPOFF();
- oldIrql = KeRaiseIrqlToDpcLevel();
- *((ULONG*)Address) = (ULONG)OldNtUserSendInput; // restore original entry
- KeLowerIrql(oldIrql);
- WPON();
- }
- __finally
- {
- KeDetachProcess();
- }
- return 0;
- }
- //////////////////////////////////////////////////////////////////////////
- // Snapshots the current SSDT entries for slots 0x7A, 0xBA and 277 (the same slots Pass_NtOpenProcess,
- // Pass_NtReadVirtualMemory and Pass_NtWriteVirtualMemory overwrite) into HookedNtOpenProcess,
- // HookedNtReadVirtualMemoryAdd and HookedNtWriteVirtualMemoryAdd. Call order matters: if this runs after the
- // Pass_* functions it captures this driver's own replacements, and NewNtReadVirtualMemory/NewNtWriteVirtualMemory
- // would then forward HProtect.exe/zhengtu2.dat calls back into themselves. The slot literals are duplicated from
- // the Pass_/UnDetour_ pairs rather than shared. Always returns 0.
- NTSTATUS GetHookedFunAdd()
- {
- ULONG Address=0;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0x7A * 4;
- 
- (ULONG)HookedNtOpenProcess = *(ULONG*)Address;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 0xBA * 4;
- (ULONG)HookedNtReadVirtualMemoryAdd = *(ULONG*)Address;
- Address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 277 * 4;
- (ULONG)HookedNtWriteVirtualMemoryAdd = *(ULONG*)Address;
- 
- return 0;
- }