梦幻诛仙2法宝红色摊名怎么变成红色的

游戏保护大放送之梦幻诛仙保护
本人寻求游戏安全方面的工作,请Email:联系
做挂者请绕道!
本人不保证此办法现在还生效!蓝屏死机与本人无关!(下面的代码大量依赖特定内核版本的硬编码地址和偏移,换一个内核构建就可能直接蓝屏,使用前请先在虚拟机里核对。)
完美的保护驱动里有个反调试比较BT,不过多开检测更BT。(以梦幻诛仙为例)
第一,先说SSDT hook和inline hook的解决办法,思路是hook KiFastCallEntry,让系统调用改走我们自己保存的一份干净的服务表副本。
第二,调试器附加时卡死的解决。完美驱动会获取DbgkpProcessDebugPortMutex这个FastMutex而不释放,导致附加时卡死;办法是patch ExAcquireFastMutex/ExReleaseFastMutex,把对这个mutex的获取/释放重定向到我们自己的mutex上。
发一小段代码
// Address of nt!ExReleaseFastMutex (filled in by GetExReleaseFastMutexAddr) and the
// re-entry point (that address + 5) the trampoline jumps back to after the 5-byte patch.
ULONG ExReleaseFastMutex_addr,ReExReleaseFastMutex_
// Copy of the original prologue bytes (5 are used) so UnPatch_ExReleaseFastMutex can restore them.
char g_ExReleaseFastMutex[8];
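/*
 * Resolve the address of nt!ExReleaseFastMutex into ExReleaseFastMutex_addr.
 *
 * The lookup is entirely offset-based: take service 269 from the private copy
 * of the SSDT (NotUse1, filled by AddMyServiceTable, so the entry is unhooked),
 * go 0x19A bytes into that routine and read the disp32 operand of the indirect
 * call/jmp found there; the pointer slot it names holds the real address.
 * Both numbers are specific to the kernel build this was written against.
 *
 * Sets ExReleaseFastMutex_addr to 0 when the bytes at the expected spot do not
 * look like an indirect call/jmp (FF 15 / FF 25 disp32), so that the caller
 * does not write a jmp into whatever unrelated code the offset landed on.
 */
VOID GetExReleaseFastMutexAddr()
{
    ULONG address;
    unsigned char *insn;

    ExReleaseFastMutex_addr = 0;
    address = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 269 * 4;
    insn = (unsigned char *)(*(ULONG *)address + 0x19A);

    /* Sanity check before trusting a hard-coded offset: must be FF /2 or FF /4 with a
     * disp32 memory operand. TODO(review): confirm the exact opcode on the target build. */
    if (!MmIsAddressValid(insn) || !MmIsAddressValid(insn + 5))
        return;
    if (insn[0] != 0xFF || (insn[1] != 0x15 && insn[1] != 0x25))
        return;

    /* operand at byte 2 is the address of the pointer slot; the slot holds the function */
    ExReleaseFastMutex_addr = *(ULONG *)(insn + 2);
    if (!MmIsAddressValid((PVOID)ExReleaseFastMutex_addr)) {
        ExReleaseFastMutex_addr = 0;
        return;
    }
    ExReleaseFastMutex_addr = *(ULONG *)ExReleaseFastMutex_addr;
}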
// Trampoline that the 5-byte jmp written by Patch_ExReleaseFastMutex lands on.
// If the mutex being released (ECX) is the kernel's DbgkpProcessDebugPortMutex,
// ECX is swapped for the driver's private MyDbgkpProcessDebugPortMutex; then the
// two overwritten instructions (xor eax,eax / mov al,[ecx+1Ch] = 5 bytes) are
// replayed and control continues at ExReleaseFastMutex+5. Together with
// MyExAcquireFastMutex this keeps the protection driver's never-released
// acquire from blocking anyone else. The "ONMYFAST:" label and the __asm
// delimiters were lost in this listing. NOTE(review): the replayed bytes are
// only correct for the kernel build they were copied from.
VOID __declspec(naked)MyExReleaseFastMutex()
&&&&&&& cmp&&&&&&& ecx,DbgkpProcessDebugPortMutexaddr
&&&&&&& jnz&&&&&&& ONMYFAST
&&&&&&& mov&&&&&&& ecx,pMyDbgkpProcessDebugPortMutex
&&&&&&& xor&&&& eax, eax
&&&&&&& mov&&&& al, [ecx + 0x1c]
&&&&&&& jmp&&&&&&& [ReExReleaseFastMutex_addr]
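/*
 * Overwrite the first 5 bytes of nt!ExReleaseFastMutex with a jmp to
 * MyExReleaseFastMutex, saving the original bytes in g_ExReleaseFastMutex.
 *
 * Ordering matters: CR0.WP is a per-processor register, so the IRQL is raised
 * (pinning the thread to this CPU) before WP is cleared, and WP is restored
 * before the IRQL is lowered. The original cleared WP first, which lets the
 * thread migrate in between, and on one path never re-enabled WP.
 * NOTE(review): the 5-byte write is not atomic; another CPU executing
 * ExReleaseFastMutex at that instant can see a torn instruction.
 */
VOID Patch_ExReleaseFastMutex()
{
    KIRQL oldIrql;
    unsigned char newcode[5] = { 0xE9, 0, 0, 0, 0 };   /* jmp rel32 */

    GetExReleaseFastMutexAddr();
    if (!ExReleaseFastMutex_addr)
        return;                                      /* could not resolve; nothing safe to patch */

    ReExReleaseFastMutex_addr = ExReleaseFastMutex_addr + 5;
    *(ULONG *)&newcode[1] = (ULONG)MyExReleaseFastMutex - ExReleaseFastMutex_addr - 5;

    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    memcpy(g_ExReleaseFastMutex, (VOID *)ExReleaseFastMutex_addr, 5);
    memcpy((VOID *)ExReleaseFastMutex_addr, newcode, 5);
    WPON();
    KeLowerIrql(oldIrql);
}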
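/*
 * Put the saved prologue bytes back into nt!ExReleaseFastMutex.
 * Skipped when the patch was never applied (address unresolved), which in the
 * original would have written 5 bytes at address 0. IRQL is raised before
 * CR0.WP is cleared because WP is per-CPU (see Patch_ExReleaseFastMutex).
 */
VOID UnPatch_ExReleaseFastMutex()
{
    KIRQL oldIrql;

    if (!ExReleaseFastMutex_addr)
        return;
    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    memcpy((VOID *)ExReleaseFastMutex_addr, g_ExReleaseFastMutex, 5);
    WPON();
    KeLowerIrql(oldIrql);
}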
第三,int 1 / int 3 的处理。以前的版本完美驱动有2个监视线程,只要hook创建线程的内核函数就可以把它们干掉。最后更新后就不能这么干了,干掉后游戏启动不了,所以只能找一些关键点来patch。如果不patch的话就不能恢复IDT,一恢复就会重启。
第四,ring3和ring0的通信。应用层和驱动层是通过int 0x22来通信的,int 0x23没有怎么分析。自己要接管int 0x22的通信,也就是把他的替换成我们的代码。
第五,游戏多开。这个比过保护都困难。梦诛好像只能2开。他多开是这样检测的,在驱动里有8个字节的空间,其实是2个结构体。结构体原型如下:
// One slot of the protection driver's "open game instances" table. The driver keeps
// two of these (8 bytes each), which is why only two clients can run; the game
// periodically asks the driver to confirm its own PID is in the table. The closing
// "} name;" line of the typedef was lost in this listing.
typedef struct WMGAMEOPEN
&&& ULONG PID;&& // game process id
&&& PEPROCESS eP&& // EPROCESS of the game process
每启动一个游戏驱动里就会记录一条,总共能记录2条,也就只能2开。而且游戏会定时和驱动通讯来验证游戏进程的pid等是否吻合。如果这2个记录里没有这个游戏的pid,那就等着重启吧。
最后简单说一下它的驱动:它总共有2个驱动,一个只是loader,没什么作用,另一个才是真正起作用的(pp_data0…),不过它的PE头被破坏了,不能直接拿IDA/PE工具静态分析。
下面见代码。
#include &struct.h&
#include &4BOD.h&
#include &stdio.h&
//////////////////////////////////////////////////////////////////////////
// Forward declarations. The "VOID OnTimer(" line preceding these two parameters
// was lost in this listing; OnTimer is the IoTimer callback registered in DriverEntry.
&&&&&& IN PDEVICE_OBJECT DeviceObject,
&&&&&& IN PVOID Context
// SSDT re-pointing of the four debug-object services (each Pass_* installs a stub
// that replays the original prologue and jumps past it; UnDetour_* restores the entry).
ULONG Pass_NtCreateDebugObject();
VOID UnDetour_NtCreateDebugObject();
ULONG Pass_NtDebugActiveProcess();
VOID UnDetour_NtDebugActiveProcess();
ULONG Pass_NtDebugContinue();
VOID UnDetour_NtDebugContinue();
ULONG Pass_NtWaitForDebugEvent();
VOID UnDetour_NtWaitForDebugEvent();
// Inline patches of Ex{Acquire,Release}FastMutex that divert DbgkpProcessDebugPortMutex
// to a private mutex.
VOID Patch_ExAcquireFastMutex();
VOID UnPatch_ExAcquireFastMutex();
VOID Patch_ExReleaseFastMutex();
VOID UnPatch_ExReleaseFastMutex();
// Filters SystemProcessInformation / SystemBasicInformation for the game processes.
VOID HookNtQuerySystemInformation();
VOID UnhookNtQuerySystemInformation();
VOID InitFastMutex();
// Disabled in DriverEntry/DriverUnload; serves a patched copy of the protection
// driver's image to its own self-check.
VOID HookRtlMoveMemory();
VOID UnHookRtlMoveMemory();
// IDT[1]/IDT[3]: remember the original ISRs, then redirect foreign handlers back to them.
ULONG Bak_IDT();
ULONG Pass_INT1();
VOID UnDetour_INT1();
ULONG Pass_INT3();
VOID UnDetour_INT3();
VOID My_INT1();
VOID My_INT3();
void patch_DbgkForwardException();
// Rewrites the EPROCESS.DebugPort displacement in a fixed list of kernel routines
// (see Pass_debugport); there is no matching "undo" anywhere in this file.
ULONG Pass_debugport();
VOID UnDetour_debugport();
VOID& mydebugport();
ULONG ChangeProcessDebugPort();
// Routines that may run at raised IRQL / from hooks must not be paged.
// NOTE(review): "NONPAGED" is not a section the WDK defines; verify it has an effect.
#pragma alloc_text(NONPAGED, My_INT1)
#pragma alloc_text(NONPAGED, My_INT3)
#pragma alloc_text(NONPAGED, mydebugport)
#pragma alloc_text(NONPAGED, OnTimer)
// Handler address read from IDT[0x22] (the protection driver's ring3<->ring0 gate);
// identifier truncated in this listing (used as int22addr in OnTimer).
ULONG int22
//////////////////////////////////////////////////////////////////////////
// Original 5 bytes at KiFastCallEntry+0xAF, saved by HookSysCall, restored by RestoreSSDT.
char g_pFindOrigCode[8];
// KiFastCallEntry + 0xAF: where the detour jmp is written (identifier truncated here).
ULONG KiSystemService_hack_
// Private, unhooked copies of the ntoskrnl and win32k service tables (NonPagedPool).
PULONG& pSSDTKernel,pSSWDTK
// KeServiceDescriptorTable and KeServiceDescriptorTableShadow (the latter is assumed to
// sit 0x40 bytes before the former on this kernel build; see AddMyServiceTable).
PSERVICE_DESCRIPTOR_TABLE_SHADOW _KeServiceDescriptorT
PSERVICE_DESCRIPTOR_TABLE_SHADOW& ShadowT
// Re-entry points back into KiFastCallEntry for the SSDT and shadow-table paths.
unsigned long SSDT_reentry_address,SSDTDW_reentry_
// Detour reached from the jmp HookSysCall writes at KiFastCallEntry+0xAF. At that
// point ECX appears to hold the table selector (0x10 = win32k shadow table). Instead of
// letting the kernel pick the live descriptor, EDI is pointed at one of the spare
// descriptors that AddMyServiceTable filled with clean copies:
//   - shadow path: KeServiceDescriptorTable-0x10 == Shadow+0x30 (Shadow->NotUse2)
//   - SSDT path:   KeServiceDescriptorTable+0x20             (->NotUse1)
// so system calls dispatch through the private tables and any SSDT entry the
// protection driver overwrote is simply not consulted. The "SSDT:" label and the __asm
// delimiters were lost in this listing. The +0x5 / +0x20 re-entry offsets are specific
// to the kernel build (see HookSysCall).
void __declspec(naked) my_function_detour_KiFastCallEntry()
&&& cmp&&&& ecx,10h
&&& jne&&&& SSDT
&&& mov&&& edi,KeServiceDescriptorTable
&&& sub&&& edi,0x10
&&& jmp&&& [SSDTDW_reentry_address]
&&& mov&&& edi,KeServiceDescriptorTable
&&& add&&& edi,0x20
&&& jmp&&& [SSDT_reentry_address]
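/*
 * Write a 5-byte jmp to my_function_detour_KiFastCallEntry at
 * KiFastCallEntry+0xAF and remember the bytes it replaced.
 *
 * KiFastCallEntry is read from IA32_SYSENTER_EIP (MSR 0x176); the +0xAF,
 * +0x5 and +0x20 offsets are specific to the kernel build this targets.
 * Returns 1 on success, 0 if the MSR did not yield a valid address.
 *
 * IRQL is raised before CR0.WP is cleared (WP is per-CPU, the thread must not
 * migrate in between) and WP is re-enabled afterwards; the original did
 * neither. NOTE(review): the write is not atomic and every CPU runs
 * KiFastCallEntry constantly, so a torn instruction is possible on MP.
 */
ULONG HookSysCall()
{
    KIRQL oldIrql;
    ULONG sysenterEip = 0;
    unsigned char newcode[5] = { 0xE9, 0, 0, 0, 0 };   /* jmp rel32 */
    char *target;
    int i;

    __asm {
        mov ecx, 0x176          /* IA32_SYSENTER_EIP */
        rdmsr
        mov sysenterEip, eax    /* KiFastCallEntry */
    }
    if (!sysenterEip || !MmIsAddressValid((PVOID)(sysenterEip + 0xAF)))
        return 0;

    KiSystemService_hack_address = sysenterEip + 0xAF;
    target = (char *)KiSystemService_hack_address;
    SSDT_reentry_address   = KiSystemService_hack_address + 0x20;
    SSDTDW_reentry_address = KiSystemService_hack_address + 0x5;
    *(ULONG *)&newcode[1] = (ULONG)my_function_detour_KiFastCallEntry - KiSystemService_hack_address - 5;

    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    for (i = 0; i < 5; i++) {
        g_pFindOrigCode[i] = target[i];
        target[i] = newcode[i];
    }
    WPON();
    KeLowerIrql(oldIrql);
    return 1;
}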
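/*
 * Undo HookSysCall: restore the 5 original bytes at KiFastCallEntry+0xAF and
 * release the private service-table copies.
 *
 * Only touches the kernel if HookSysCall actually ran (address non-zero) and
 * only frees tables that were allocated; the original freed both pointers
 * unconditionally, which bugchecks on a NULL pointer if AddMyServiceTable
 * had failed. NOTE(review): a system call already past the detour on another
 * CPU may still be indexing the private table when it is freed; the caller
 * (DriverUnload) only sleeps after this returns.
 */
void RestoreSSDT()
{
    KIRQL oldIrql;
    int i;

    if (KiSystemService_hack_address) {
        char *target = (char *)KiSystemService_hack_address;

        KeRaiseIrql(DISPATCH_LEVEL, &oldIrql);   /* pin to this CPU before touching CR0.WP */
        WPOFF();
        for (i = 0; i < 5; i++)
            target[i] = g_pFindOrigCode[i];
        WPON();
        KeLowerIrql(oldIrql);
        KiSystemService_hack_address = 0;
    }

    if (pSSDTKernel) {
        ExFreePool(pSSDTKernel);
        pSSDTKernel = NULL;
    }
    if (pSSWDTKernel) {
        ExFreePool(pSSWDTKernel);
        pSSWDTKernel = NULL;
    }
}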
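/*
 * Fetch a ZwQuerySystemInformation table of class ATableType into a
 * PagedPool buffer, doubling the buffer (starting at 0x4000 bytes) until the
 * call stops returning STATUS_INFO_LENGTH_MISMATCH.
 *
 * Returns the buffer (caller frees with ExFreePool) or NULL on allocation
 * failure or any other error. Must be called at PASSIVE_LEVEL (PagedPool).
 * The original memset() the allocation before checking it for NULL.
 */
PVOID GetInfoTable(ULONG ATableType)
{
    ULONG size = 0x4000;
    PVOID buf = NULL;
    NTSTATUS st;

    do {
        buf = ExAllocatePool(PagedPool, size);
        if (!buf)
            return NULL;
        memset(buf, 0, size);
        st = ZwQuerySystemInformation(ATableType, buf, size, NULL);
        if (st == STATUS_INFO_LENGTH_MISMATCH) {
            ExFreePool(buf);
            buf = NULL;
            size *= 2;
        }
    } while (st == STATUS_INFO_LENGTH_MISMATCH);

    if (st == STATUS_SUCCESS)
        return buf;
    ExFreePool(buf);
    return NULL;
}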
/*
 * Find the process id of csrss by scanning the system handle table for a
 * Port object (type index 21 on the kernel build this targets) whose name is
 * "\Windows\ApiPort". Every candidate handle is duplicated into this process
 * to query its name, so this opens each owning process with PROCESS_DUP_HANDLE.
 *
 * Returns the pid of the last matching owner, or 0 if none was found or the
 * handle table could not be read. PASSIVE_LEVEL only.
 */
HANDLE GetCsrPid()
{
    HANDLE csrPid = (HANDLE)0;
    PSYSTEM_HANDLE_INFORMATION_EX table;
    UCHAR nameBuf[0x100];
    POBJECT_NAME_INFORMATION objName = (POBJECT_NAME_INFORMATION)nameBuf;
    ULONG idx;

    table = GetInfoTable(SystemHandleInformation);
    if (!table)
        return csrPid;

    for (idx = 0; idx < table->NumberOfHandles; idx++) {
        HANDLE owner, dup;
        OBJECT_ATTRIBUTES oa;
        CLIENT_ID cid;

        if (table->Information[idx].ObjectTypeNumber != 21)   /* not a Port object */
            continue;

        InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
        cid.UniqueProcess = (HANDLE)table->Information[idx].ProcessId;
        cid.UniqueThread = 0;
        if (!NT_SUCCESS(NtOpenProcess(&owner, PROCESS_DUP_HANDLE, &oa, &cid)))
            continue;

        if (NT_SUCCESS(ZwDuplicateObject(owner, (HANDLE)table->Information[idx].Handle,
                                         NtCurrentProcess(), &dup, 0, 0, DUPLICATE_SAME_ACCESS))) {
            if (NT_SUCCESS(ZwQueryObject(dup, ObjectNameInformation, objName, 0x100, NULL)) &&
                objName->Name.Buffer != NULL &&
                !wcsncmp(L"\\Windows\\ApiPort", objName->Name.Buffer, 20))
                csrPid = (HANDLE)table->Information[idx].ProcessId;
            ZwClose(dup);
        }
        ZwClose(owner);
    }

    ExFreePool(table);
    return csrPid;
}
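/*
 * Build private, unhooked copies of the ntoskrnl and win32k service tables and
 * publish them through the unused third/fourth descriptors (NotUse1/NotUse2)
 * of KeServiceDescriptorTable and its shadow, which the KiFastCallEntry detour
 * then dispatches through.
 *
 * KeServiceDescriptorTableShadow is assumed to live 0x40 bytes before
 * KeServiceDescriptorTable (build-specific). The win32k table is only readable
 * from a GUI process, hence the temporary attach to csrss.
 *
 * Returns 1 on success, 0 on failure with nothing left allocated. Fixes over
 * the original: a partial allocation failure no longer leaks the surviving
 * buffer; a failed csrss lookup now aborts instead of attaching to an
 * uninitialised PEPROCESS; the reference taken by PsLookupProcessByProcessId
 * is released; CR0.WP is restored and IRQL is raised before it is cleared.
 */
unsigned long AddMyServiceTable()
{
    ULONG sdtCount, shadowCount;
    NTSTATUS status;
    PEPROCESS csrProcess = NULL;
    KIRQL oldIrql;

    __asm {
        pushad
        mov eax, KeServiceDescriptorTable
        mov _KeServiceDescriptorTable, eax
        sub eax, 0x40
        mov ShadowTable, eax
        popad
    }

    sdtCount    = _KeServiceDescriptorTable->ntoskrnl.NumberOfServices;
    shadowCount = ShadowTable->win32k.NumberOfServices;
    pSSDTKernel  = (PULONG)ExAllocatePool(NonPagedPool, sdtCount * sizeof(ULONG));
    pSSWDTKernel = (PULONG)ExAllocatePool(NonPagedPool, shadowCount * sizeof(ULONG));
    if (!pSSDTKernel || !pSSWDTKernel) {
        DbgPrint("AddMyServiceTable alloc fail\n");
        goto fail;
    }
    memset(pSSDTKernel, 0, sdtCount * sizeof(ULONG));
    memset(pSSWDTKernel, 0, shadowCount * sizeof(ULONG));

    /* clean copy of the ntoskrnl table, plus a copy of its descriptor into NotUse1 */
    RtlCopyMemory(pSSDTKernel, _KeServiceDescriptorTable->ntoskrnl.ServiceTableBase,
                  sdtCount * sizeof(ULONG));
    RtlCopyMemory(&_KeServiceDescriptorTable->NotUse1, &_KeServiceDescriptorTable->ntoskrnl,
                  sizeof(SERVICE_DESCRIPTOR_TABLE));

    status = PsLookupProcessByProcessId((HANDLE)GetCsrPid(), &csrProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId() error\n");
        goto fail;
    }
    KeAttachProcess(csrProcess);
    __try {
        RtlCopyMemory(pSSWDTKernel, ShadowTable->win32k.ServiceTableBase,
                      shadowCount * sizeof(ULONG));
    } __finally {
        KeDetachProcess();
    }
    ObDereferenceObject(csrProcess);

    RtlCopyMemory(&ShadowTable->NotUse1, &ShadowTable->ntoskrnl, sizeof(SERVICE_DESCRIPTOR_TABLE));
    RtlCopyMemory(&ShadowTable->NotUse2, &ShadowTable->win32k,   sizeof(SERVICE_DESCRIPTOR_TABLE));

    /* point the spare descriptors at the private copies */
    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    RtlCopyMemory(&_KeServiceDescriptorTable->NotUse1.ServiceTableBase, &pSSDTKernel,  sizeof(ULONG));
    RtlCopyMemory(&ShadowTable->NotUse1.ServiceTableBase,               &pSSDTKernel,  sizeof(ULONG));
    RtlCopyMemory(&ShadowTable->NotUse2.ServiceTableBase,               &pSSWDTKernel, sizeof(ULONG));
    WPON();
    KeLowerIrql(oldIrql);
    return 1;

fail:
    if (pSSDTKernel) {
        ExFreePool(pSSDTKernel);
        pSSDTKernel = NULL;
    }
    if (pSSWDTKernel) {
        ExFreePool(pSSWDTKernel);
        pSSWDTKernel = NULL;
    }
    return 0;
}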
/* Install the private service tables and, only if that succeeded, the
 * KiFastCallEntry detour that routes system calls through them. */
void RePlaceSSDT()
{
    if (!AddMyServiceTable())
        return;
    HookSysCall();
}
//////////////////////////////////////////////////////////////////////////
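/*
 * Driver entry point: create the control device and symbolic link, allocate the
 * image backup buffer, then install every hook/patch in the order the original
 * used. The listing shows no early return after a failed IoCreateDevice or
 * IoCreateSymbolicLink; both now abort with the failure status, and a failed
 * backup allocation is handled instead of leaving mybackupmem NULL.
 *
 * NOTE(review): the device is created without an ACL, so any user can open it;
 * that is only acceptable while DispatchIoctl does nothing. ChangeProcessDebugPort
 * and HookRtlMoveMemory stay disabled, as in the original. Pass_INT1/Pass_INT3
 * are not installed here; OnTimer applies them when IDT[1]/IDT[3] change.
 */
NTSTATUS DriverEntry(
  PDRIVER_OBJECT pDriverObj,
  PUNICODE_STRING pRegistryString)
{
  NTSTATUS status;
  UNICODE_STRING ustrLinkName;
  UNICODE_STRING ustrDevName;
  PDEVICE_OBJECT pDevObj = NULL;

  dprintf("[4BOD] DriverEntry\n");
  pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
  pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
  pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
  pDriverObj->DriverUnload = DriverUnload;

  RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
  status = IoCreateDevice(pDriverObj, 0, &ustrDevName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDevObj);
  if (!NT_SUCCESS(status)) {
    dprintf("[4BOD] IoCreateDevice = 0x%x\n", status);
    return status;
  }

  RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
  status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
  if (!NT_SUCCESS(status)) {
    dprintf("[4BOD] IoCreateSymbolicLink = 0x%x\n", status);
    IoDeleteDevice(pDevObj);
    return status;
  }

  /* backup of the protection driver's image (0xd800 bytes), filled by memoutmsg */
  mybackupmem = (char *)ExAllocatePool(NonPagedPool, 0xd800);
  if (!mybackupmem) {
    dprintf("[4BOD] backup buffer allocation failed\n");
    IoDeleteSymbolicLink(&ustrLinkName);
    IoDeleteDevice(pDevObj);
    return STATUS_INSUFFICIENT_RESOURCES;
  }

  Bak_IDT();                     /* remember the pristine INT1/INT3 handlers first */
  RePlaceSSDT();                 /* private service tables + KiFastCallEntry detour */
  InitFastMutex();               /* locate DbgkpProcessDebugPortMutex, set up ours */
  Pass_debugport();              /* irreversible: see Pass_debugport */
  Patch_ExAcquireFastMutex();
  Patch_ExReleaseFastMutex();
  HookNtQuerySystemInformation();
  Pass_NtCreateDebugObject();
  Pass_NtDebugActiveProcess();
  Pass_NtDebugContinue();
  Pass_NtWaitForDebugEvent();

  IoInitializeTimer(pDevObj, OnTimer, NULL);
  IoStartTimer(pDevObj);
  return STATUS_SUCCESS;
}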
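/*
 * Unload: stop the timer, remove every hook that has an undo, wait 500 ms for
 * threads that are still inside a trampoline, then tear down the device.
 *
 * mybackupmem is now freed after the unhooks and the grace period rather than
 * first: the (currently disabled) RtlMoveMemory hook hands that buffer out as
 * a copy source, so freeing it before the hooks are gone is a use-after-free
 * the moment that hook is re-enabled.
 *
 * NOTE(review): nothing here reverts Pass_debugport or Pass_Reboot; those
 * kernel/driver patches outlive the driver. IoStopTimer does not wait for an
 * OnTimer callback already running on another CPU.
 */
VOID DriverUnload(
  PDRIVER_OBJECT pDriverObj)
{
  UNICODE_STRING strLink;
  LARGE_INTEGER delay;

  RtlInitUnicodeString(&strLink, LINK_NAME);
  IoStopTimer(pDriverObj->DeviceObject);

  UnPatch_ExReleaseFastMutex();
  UnPatch_ExAcquireFastMutex();
  UnDetour_NtWaitForDebugEvent();
  UnDetour_NtDebugContinue();
  UnDetour_NtDebugActiveProcess();
  UnDetour_NtCreateDebugObject();
  UnhookNtQuerySystemInformation();
  RestoreSSDT();
  UnDetour_INT1();
  UnDetour_INT3();

  delay.QuadPart = -5000000;     /* relative, 500 ms */
  KeDelayExecutionThread(KernelMode, TRUE, &delay);

  if (mybackupmem) {
    ExFreePool(mybackupmem);
    mybackupmem = NULL;
  }

  IoDeleteSymbolicLink(&strLink);
  IoDeleteDevice(pDriverObj->DeviceObject);
  dprintf("[4BOD] Unloaded\n");
}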
/* IRP_MJ_CREATE handler: accept every open with no checks and complete it. */
NTSTATUS DispatchCreate(
  PDEVICE_OBJECT pDevObj,
  PIRP pIrp)
{
  dprintf("[4BOD] IRP_MJ_CREATE\n");
  pIrp->IoStatus.Information = 0;
  pIrp->IoStatus.Status = STATUS_SUCCESS;
  IoCompleteRequest(pIrp, IO_NO_INCREMENT);
  return STATUS_SUCCESS;
}
/* IRP_MJ_CLOSE handler: nothing to release, complete successfully. */
NTSTATUS DispatchClose(
  PDEVICE_OBJECT pDevObj,
  PIRP pIrp)
{
  dprintf("[4BOD] IRP_MJ_CLOSE\n");
  pIrp->IoStatus.Information = 0;
  pIrp->IoStatus.Status = STATUS_SUCCESS;
  IoCompleteRequest(pIrp, IO_NO_INCREMENT);
  return STATUS_SUCCESS;
}
// IRP_MJ_DEVICE_CONTROL handler (return type line lost in this listing). Only a
// placeholder IOCTL exists; its code value was truncated ("0x:"). The buffered I/O
// lengths are read but never validated against the buffer, and nothing is copied
// back, so the "Information = uOutSize" on success reports bytes that were never
// written. Whoever adds a real IOCTL must bound-check uInSize/uOutSize first: the
// device is created without an ACL, so any user-mode caller reaches this code.
DispatchIoctl(
& PDEVICE_OBJECT pDevObj,
& PIRP pIrp
& NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
& PIO_STACK_LOCATION pIrpS
& ULONG uIoControlC
& PVOID pIoB
& ULONG uInS
& ULONG uOutS
& pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
& uIoControlCode = pIrpStack-&Parameters.DeviceIoControl.IoControlC
& pIoBuffer = pIrp-&AssociatedIrp.SystemB
& uInSize = pIrpStack-&Parameters.DeviceIoControl.InputBufferL
& uOutSize = pIrpStack-&Parameters.DeviceIoControl.OutputBufferL
& switch(uIoControlCode) {
&&& case /*IOCTL_HELLO*/0x: {
&&&&& dprintf(&[4BOD] Hello\n&);
&&&&& status = STATUS_SUCCESS;
&&& // 添加执行代码
&&if(status == STATUS_SUCCESS)
&&& pIrp-&rmation = uOutS
&&& pIrp-&rmation = 0;
& /////////////////////////////////////
& pIrp-&IoStatus.Status =
& IoCompleteRequest(pIrp, IO_NO_INCREMENT);
//////////////////////////////////////////////////////////////////////////
// Original SSDT entry for NtCreateDebugObject (index 33) and the re-entry point
// original+7, i.e. just past the prologue bytes the stub below replays.
ULONG OldNtCreateDebugObjectA&
ULONG reentryadd_NtCreateDebugO
// Replacement SSDT target for NtCreateDebugObject. The two pushes are the first
// 7 bytes of the real function's prologue (push 1Ch; push imm32, where the
// immediate is a hard-coded address from one specific kernel build); it then
// jumps to original+7, so the service still runs unchanged but never executes
// its first 7 bytes -- presumably where the protection driver's inline hook
// sits. __asm delimiters were lost in this listing. The immediate must be
// re-taken from the target kernel or this will corrupt the stack.
__declspec(naked) NTSTATUS NewNtCreateDebugObject()
&&& push 0x1c
&&& push 0x804e1ea8
& &&jmp& [reentryadd_NtCreateDebugObject]
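/*
 * Point SSDT entry 33 (NtCreateDebugObject) of the private table at
 * NewNtCreateDebugObject and remember the original target.
 *
 * The slot lives in the NonPagedPool copy made by AddMyServiceTable, so the
 * aligned 4-byte store is atomic. IRQL is raised before CR0.WP is cleared
 * (WP is per-CPU) and WP is restored afterwards, which the original omitted.
 * Always returns 1.
 */
ULONG Pass_NtCreateDebugObject()
{
    KIRQL oldIrql;
    ULONG *slot = (ULONG *)((ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 33 * 4);

    OldNtCreateDebugObjectAdd = *slot;
    reentryadd_NtCreateDebugObject = OldNtCreateDebugObjectAdd + 7;   /* past the replayed prologue */

    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    *slot = (ULONG)NewNtCreateDebugObject;
    WPON();
    KeLowerIrql(oldIrql);
    return 1;
}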
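/*
 * Restore SSDT entry 33 (NtCreateDebugObject) to the address saved by
 * Pass_NtCreateDebugObject. No-op if that never ran (saved address 0), so
 * the entry is not zeroed on an early unload. IRQL first, then CR0.WP.
 */
VOID UnDetour_NtCreateDebugObject()
{
    KIRQL oldIrql;
    ULONG *slot = (ULONG *)((ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 33 * 4);

    if (!OldNtCreateDebugObjectAdd)
        return;
    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    *slot = OldNtCreateDebugObjectAdd;
    WPON();
    KeLowerIrql(oldIrql);
}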
//////////////////////////////////////////////////////////////////////////
// Original SSDT entry for NtDebugActiveProcess (index 57) and re-entry at original+5.
ULONG OldNtDebugActiveProcessA&
ULONG reentryadd_NtDebugActiveP
// Replacement SSDT target for NtDebugActiveProcess: replays the 5-byte hot-patch
// prologue (mov edi,edi / push ebp / mov ebp,esp) and jumps to original+5, skipping
// whatever was written over those bytes. __asm delimiters were lost in this listing.
__declspec(naked) NTSTATUS NewNtDebugActiveProcess()
&&& mov& edi,edi
&&& push ebp
&&& mov ebp,esp
&&& jmp& [reentryadd_NtDebugActiveProcess]
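/*
 * Point SSDT entry 57 (NtDebugActiveProcess) of the private table at
 * NewNtDebugActiveProcess and remember the original. The slot is in the
 * NonPagedPool copy (atomic aligned store); IRQL is raised before CR0.WP is
 * cleared and WP is restored afterwards. Always returns 1.
 */
ULONG Pass_NtDebugActiveProcess()
{
    KIRQL oldIrql;
    ULONG *slot = (ULONG *)((ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 57 * 4);

    OldNtDebugActiveProcessAdd = *slot;
    reentryadd_NtDebugActiveProcess = OldNtDebugActiveProcessAdd + 5;   /* past mov edi,edi/push ebp/mov ebp,esp */

    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    *slot = (ULONG)NewNtDebugActiveProcess;
    WPON();
    KeLowerIrql(oldIrql);
    return 1;
}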
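/*
 * Restore SSDT entry 57 (NtDebugActiveProcess). No-op if Pass_NtDebugActiveProcess
 * never ran, so an early unload does not zero the entry. IRQL first, then CR0.WP.
 */
VOID UnDetour_NtDebugActiveProcess()
{
    KIRQL oldIrql;
    ULONG *slot = (ULONG *)((ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 57 * 4);

    if (!OldNtDebugActiveProcessAdd)
        return;
    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    *slot = OldNtDebugActiveProcessAdd;
    WPON();
    KeLowerIrql(oldIrql);
}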
//////////////////////////////////////////////////////////////////////////
// Original SSDT entry for NtDebugContinue (index 58) and re-entry at original+7.
ULONG OldNtDebugContinueA&
ULONG reentryadd_NtDebugC
// Replacement SSDT target for NtDebugContinue: replays the 7-byte prologue
// (push 24h; push imm32 -- the immediate is a kernel-build-specific address) and
// jumps to original+7. __asm delimiters were lost in this listing; the immediate
// must be re-taken from the target kernel.
__declspec(naked) NTSTATUS NewNtDebugContinue()
&&& push 0x24
&&& push 0x804e1f08
&&& jmp& [reentryadd_NtDebugContinue]
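/*
 * Point SSDT entry 58 (NtDebugContinue) of the private table at
 * NewNtDebugContinue and remember the original. Slot is in the NonPagedPool
 * copy (atomic aligned store); IRQL raised before CR0.WP is cleared, WP
 * restored afterwards. Always returns 1.
 */
ULONG Pass_NtDebugContinue()
{
    KIRQL oldIrql;
    ULONG *slot = (ULONG *)((ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 58 * 4);

    OldNtDebugContinueAdd = *slot;
    reentryadd_NtDebugContinue = OldNtDebugContinueAdd + 7;   /* past push 24h / push imm32 */

    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    *slot = (ULONG)NewNtDebugContinue;
    WPON();
    KeLowerIrql(oldIrql);
    return 1;
}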
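/*
 * Restore SSDT entry 58 (NtDebugContinue). No-op if Pass_NtDebugContinue never
 * ran. IRQL first, then CR0.WP; WP restored before lowering.
 */
VOID UnDetour_NtDebugContinue()
{
    KIRQL oldIrql;
    ULONG *slot = (ULONG *)((ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 58 * 4);

    if (!OldNtDebugContinueAdd)
        return;
    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    *slot = OldNtDebugContinueAdd;
    WPON();
    KeLowerIrql(oldIrql);
}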
//////////////////////////////////////////////////////////////////////////
// Original SSDT entry for NtWaitForDebugEvent (index 269) and re-entry at original+10.
ULONG OldNtWaitForDebugEventA
ULONG reentryadd_NtWaitForDebugE
// Replacement SSDT target for NtWaitForDebugEvent: replays the 10-byte prologue
// (push 0A0h is a 5-byte imm32 form, then push imm32) and jumps to original+10.
// __asm delimiters were lost in this listing; the immediate is build-specific.
__declspec(naked) NTSTATUS NewNtWaitForDebugEvent()
&&& push 0xA0
&&& push 0x804e1ee0
&&& jmp& [reentryadd_NtWaitForDebugEvent]
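/*
 * Point SSDT entry 269 (NtWaitForDebugEvent) of the private table at
 * NewNtWaitForDebugEvent and remember the original. Slot is in the NonPagedPool
 * copy (atomic aligned store); IRQL raised before CR0.WP is cleared, WP
 * restored afterwards. Always returns 1.
 *
 * NOTE(review): GetEx{Acquire,Release}FastMutexAddr read this same slot and
 * expect the unhooked function, so they must run before this (DriverEntry
 * currently does that).
 */
ULONG Pass_NtWaitForDebugEvent()
{
    KIRQL oldIrql;
    ULONG *slot = (ULONG *)((ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 269 * 4);

    OldNtWaitForDebugEventAdd = *slot;
    reentryadd_NtWaitForDebugEvent = OldNtWaitForDebugEventAdd + 10;   /* past push 0A0h / push imm32 */

    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    *slot = (ULONG)NewNtWaitForDebugEvent;
    WPON();
    KeLowerIrql(oldIrql);
    return 1;
}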
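/*
 * Restore SSDT entry 269 (NtWaitForDebugEvent). No-op if Pass_NtWaitForDebugEvent
 * never ran. IRQL first, then CR0.WP; WP restored before lowering.
 */
VOID UnDetour_NtWaitForDebugEvent()
{
    KIRQL oldIrql;
    ULONG *slot = (ULONG *)((ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 269 * 4);

    if (!OldNtWaitForDebugEventAdd)
        return;
    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    *slot = OldNtWaitForDebugEventAdd;
    WPON();
    KeLowerIrql(oldIrql);
}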
//////////////////////////////////////////////////////////////////////////
// Address of service Index from the private (unhooked) SSDT copy. NOTE(review): the
// trailing ';' inside the macro makes "x = SYSTEMSERVICE(n);" expand to a double
// semicolon and would break any use inside an expression.
#define SYSTEMSERVICE(Index)&&& *(PULONG)((ULONG)_KeServiceDescriptorTable-&NotUse1.ServiceTableBase+ Index*4);&&
// Internal kernel routines located by SearchMutex's byte-pattern walk; 0 until found.
ULONG DbgkForwardExceptionAddr&&& =&&& 0;
ULONG KiDispatchExceptionAddr&&& =&&& 0;
ULONG DbgkpQueueMessageAddr&&&&&&& =&&& 0;
// Locate nt!DbgkpProcessDebugPortMutex by walking a chain of call instructions:
// NtResumeThread -> PsResumeThread, NtRaiseException -> KiRaiseException ->
// KiDispatchException -> DbgkForwardException -> DbgkpSendApiMessage ->
// DbgkpQueueMessage, then the "mov ecx,imm32" operand inside DbgkpQueueMessage.
// Each step scans a fixed window for a 4-byte signature (the call opcode plus the
// bytes around it), decodes the rel32 as i + *(i+4) + 8 (signature start + 4 operand
// bytes + the call's own length), and fills the file-scope *Addr globals as side
// effects. Several upper-bound constants were truncated in this listing ("& 0x)").
//
// NOTE(review): MmIsAddressValid(&dwKey) checks the address of the stack local, not
// the kernel address i, so it always succeeds -- and *(PDWORD)i is dereferenced
// before it anyway. The signatures and window sizes are specific to one kernel
// build; on another build the chain silently stops at 0 and the callers
// (patch_DbgkForwardException, Pass_debugport) then write at small fixed offsets
// from address 0. The loop counter i is declared outside this listing.
ULONG SearchMutex()
& ULONG NtResumeThreadAddr&&&&&&& =&&& 0;
& ULONG NtRaiseExceptionAddr&&&&&&& =&&& 0;
& ULONG KiRaiseExceptionAddr&&&&&&& =&&& 0;
& ULONG DbgkpSendApiMessageAddr&&& =&&& 0;
& ULONG DbgkpProcessDebugPortMutex&&& =0;&&&
& ULONG PsResumeThreadAddr&&&&&&&&& =0;&&&&&&&
& DWORD dwK
& NtResumeThreadAddr = SYSTEMSERVICE(206);
& DbgPrint(&NtResumeThreadAddr : %X\n&, NtResumeThreadAddr);
& for(i = NtResumeThreadA i & NtResumeThreadAddr + 0x7C; i++)
&&& dwKey = *(PDWORD)i;
&&& if (MmIsAddressValid(&dwKey))
&&&&& if (dwKey == 0xE8E475FF)
&&&&&&& dwKey = i + 4;
&&&&&&& PsResumeThreadAddr = i + *(ULONG*)dwKey + 8;
& DbgPrint(&PsResumeThreadAddr : %X\n&, PsResumeThreadAddr);
& NtRaiseExceptionAddr = SYSTEMSERVICE(181);
& DbgPrint(&NtRaiseExceptionAddr : %X\n&, NtRaiseExceptionAddr);
& for(i = NtRaiseExceptionA i & NtRaiseExceptionAddr + 0x30; i++)
&&& dwKey = *(PDWORD)i;
&&& if (MmIsAddressValid(&dwKey))
&&&&& if (dwKey == 0xE8505100)
&&&&&&& dwKey = i + 4;
&&&&&&& KiRaiseExceptionAddr = i + *(ULONG*)dwKey + 8;
& DbgPrint(&KiRaiseExceptionAddr : %X\n&, KiRaiseExceptionAddr);
& if (KiRaiseExceptionAddr & 0x)
&&& for(i = KiRaiseExceptionA i & KiRaiseExceptionAddr + 0x197; i++)
&&&&& dwKey = *(PDWORD)i;
&&&&& if (MmIsAddressValid(&dwKey))
&&&&&&& if (dwKey == 0xE853FFFF)
&&&&&&&&& dwKey = i + 4;
&&&&&&&&& KiDispatchExceptionAddr = i + *(ULONG*)dwKey + 8;
&&& DbgPrint(&KiDispatchExceptionAddr : %X\n&, KiDispatchExceptionAddr);
& if (KiDispatchExceptionAddr & 0x)
&&& for(i = KiDispatchExceptionA i & KiDispatchExceptionAddr + 0x397; i++)
&&&&& dwKey = *(PDWORD)i;
&&&&& if (MmIsAddressValid(&dwKey))
&&&&&&& if (dwKey == 0xE8565701)
&&&&&&&&& dwKey = i + 4;
&&&&&&&&& DbgkForwardExceptionAddr = i + *(ULONG*)dwKey + 8;
&&& DbgPrint(&DbgkForwardExceptionAddr : %X\n&, DbgkForwardExceptionAddr);
& if (DbgkForwardExceptionAddr & 0x)
&&& for(i = DbgkForwardExceptionA i & DbgkForwardExceptionAddr + 0x8A; i++)
&&&&& dwKey = *(PDWORD)i;
&&&&& if (MmIsAddressValid(&dwKey))
&&&&&&& if (dwKey == 0xE8508845)
&&&&&&&&& dwKey = i + 4;
&&&&&&&&& DbgkpSendApiMessageAddr = i + *(ULONG*)dwKey + 8;
&&& DbgPrint(&DbgkpSendApiMessageAddr : %X\n&, DbgkpSendApiMessageAddr);
& if (DbgkpSendApiMessageAddr & 0x)
&&& for(i = DbgkpSendApiMessageA i & DbgkpSendApiMessageAddr + 0x55; i++)
&&&&& dwKey = *(PDWORD)i;
&&&&& if (MmIsAddressValid(&dwKey))
&&&&&&& if (dwKey == 0xE8515052)
&&&&&&&&& dwKey = i + 4;
&&&&&&&&& DbgkpQueueMessageAddr = i + *(ULONG*)dwKey + 8;
&&& DbgPrint(&DbgkpQueueMessageAddr : %X\n&, DbgkpQueueMessageAddr);
& if (DbgkpQueueMessageAddr & 0x)
&&& for(i = DbgkpQueueMessageA i & DbgkpQueueMessageAddr + 0x16F; i++)
&&&&& dwKey = *(PDWORD)i;
&&&&& if (MmIsAddressValid(&dwKey))
&&&&&&& if (dwKey == 0xB93075FC)
&&&&&&&&& dwKey = i + 4;
&&&&&&&&& DbgkpProcessDebugPortMutex = *(ULONG*)dwK
&&& DbgPrint(&DbgkpProcessDebugPortMutex : %X\n&, DbgkpProcessDebugPortMutex);
& return DbgkpProcessDebugPortM
//////////////////////////////////////////////////////////////////////////
// The substitute mutex handed to Ex{Acquire,Release}FastMutex in place of the
// kernel's DbgkpProcessDebugPortMutex, its address as a ULONG* for the asm stubs,
// and the address of the real kernel mutex found by SearchMutex (0 if not found).
FAST_MUTEX MyDbgkpProcessDebugPortM
ULONG* pMyDbgkpProcessDebugPortM
ULONG DbgkpProcessDebugPortM
/*
 * Prepare the debug-port mutex substitution: initialise the private fast mutex,
 * expose its address to the trampolines, and record where the kernel's own
 * DbgkpProcessDebugPortMutex lives (0 if SearchMutex could not find it, in which
 * case the trampolines never match and simply pass through).
 */
VOID InitFastMutex()
{
    ExInitializeFastMutex(&MyDbgkpProcessDebugPortMutex);
    pMyDbgkpProcessDebugPortMutex = (ULONG *)&MyDbgkpProcessDebugPortMutex;
    DbgkpProcessDebugPortMutexaddr = SearchMutex();
}
//////////////////////////////////////////////////////////////////////////
// nt!ExReleaseFastMutex address (resolved by GetExReleaseFastMutexAddr) and the
// re-entry point address+5 used by MyExReleaseFastMutex.
ULONG ExReleaseFastMutex_addr,ReExReleaseFastMutex_
// The 5 original prologue bytes, restored by UnPatch_ExReleaseFastMutex.
char g_ExReleaseFastMutex[8];
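/*
 * Resolve nt!ExReleaseFastMutex into ExReleaseFastMutex_addr.
 *
 * Offset-based lookup: service 269 of the private SSDT copy (unhooked), plus
 * 0x19A, is expected to be an indirect call/jmp (FF 15 / FF 25 disp32) through
 * a pointer slot that holds the function. Both numbers are build-specific.
 * Leaves ExReleaseFastMutex_addr at 0 when the bytes do not match that shape,
 * so the patch routine has something to refuse on instead of writing a jmp
 * into unrelated code. TODO(review): confirm the exact opcode on the target build.
 */
VOID GetExReleaseFastMutexAddr()
{
    ULONG slot = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 269 * 4;
    unsigned char *insn = (unsigned char *)(*(ULONG *)slot + 0x19A);

    ExReleaseFastMutex_addr = 0;
    if (!MmIsAddressValid(insn) || !MmIsAddressValid(insn + 5))
        return;
    if (insn[0] != 0xFF || (insn[1] != 0x15 && insn[1] != 0x25))
        return;

    ExReleaseFastMutex_addr = *(ULONG *)(insn + 2);            /* pointer slot */
    if (!MmIsAddressValid((PVOID)ExReleaseFastMutex_addr)) {
        ExReleaseFastMutex_addr = 0;
        return;
    }
    ExReleaseFastMutex_addr = *(ULONG *)ExReleaseFastMutex_addr; /* function */
}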
// Landing pad for the jmp that Patch_ExReleaseFastMutex writes over the first 5 bytes
// of nt!ExReleaseFastMutex. If ECX is the kernel's DbgkpProcessDebugPortMutex it is
// replaced with the driver's private mutex; the two overwritten instructions
// (xor eax,eax / mov al,[ecx+1Ch]) are replayed and execution resumes at +5.
// "ONMYFAST:" label and __asm delimiters were lost in this listing. The replayed
// bytes are only valid for the kernel build they were copied from.
VOID __declspec(naked)MyExReleaseFastMutex()
&&& cmp&&& ecx,DbgkpProcessDebugPortMutexaddr
&&& jnz&&& ONMYFAST
&&& mov&&& ecx,pMyDbgkpProcessDebugPortMutex
&&& xor&&&& eax, eax
&&& mov&&&& al, [ecx + 0x1c]
&&& jmp&&& [ReExReleaseFastMutex_addr]
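/*
 * Overwrite the first 5 bytes of nt!ExReleaseFastMutex with a jmp to
 * MyExReleaseFastMutex, saving the originals in g_ExReleaseFastMutex.
 *
 * Skipped when the address could not be resolved. IRQL is raised before
 * CR0.WP is cleared (WP is per-CPU; the thread must not migrate in between)
 * and WP is restored before lowering -- this copy of the routine in the
 * listing never re-enabled WP. The 5-byte write is not atomic on MP.
 */
VOID Patch_ExReleaseFastMutex()
{
    KIRQL oldIrql;
    unsigned char newcode[5] = { 0xE9, 0, 0, 0, 0 };   /* jmp rel32 */

    GetExReleaseFastMutexAddr();
    if (!ExReleaseFastMutex_addr)
        return;

    ReExReleaseFastMutex_addr = ExReleaseFastMutex_addr + 5;
    *(ULONG *)&newcode[1] = (ULONG)MyExReleaseFastMutex - ExReleaseFastMutex_addr - 5;

    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    memcpy(g_ExReleaseFastMutex, (VOID *)ExReleaseFastMutex_addr, 5);
    memcpy((VOID *)ExReleaseFastMutex_addr, newcode, 5);
    WPON();
    KeLowerIrql(oldIrql);
}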
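/*
 * Restore the saved prologue of nt!ExReleaseFastMutex. No-op when the patch
 * was never applied. IRQL first, then CR0.WP; WP re-enabled before lowering
 * (the listing's version left WP cleared).
 */
VOID UnPatch_ExReleaseFastMutex()
{
    KIRQL oldIrql;

    if (!ExReleaseFastMutex_addr)
        return;
    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    memcpy((VOID *)ExReleaseFastMutex_addr, g_ExReleaseFastMutex, 5);
    WPON();
    KeLowerIrql(oldIrql);
}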
//////////////////////////////////////////////////////////////////////////
// nt!ExAcquireFastMutex address (resolved by GetExAcquireFastMutexAddr) and the
// re-entry point address+5 used by MyExAcquireFastMutex.
ULONG ExAcquireFastMutex_addr,ReExAcquireFastMutex_
// The 5 original prologue bytes, restored by UnPatch_ExAcquireFastMutex.
char g_ExAcquireFastMutex[8];
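/*
 * Resolve nt!ExAcquireFastMutex into ExAcquireFastMutex_addr, the same way
 * GetExReleaseFastMutexAddr does but at offset 0x10D into service 269 of the
 * private SSDT copy. Expects an indirect call/jmp (FF 15 / FF 25 disp32)
 * through a pointer slot; leaves the address at 0 otherwise so the patch
 * routine refuses instead of patching unrelated code. Build-specific offsets.
 * TODO(review): confirm the exact opcode on the target build.
 */
VOID GetExAcquireFastMutexAddr()
{
    ULONG slot = (ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 269 * 4;
    unsigned char *insn = (unsigned char *)(*(ULONG *)slot + 0x10D);

    ExAcquireFastMutex_addr = 0;
    if (!MmIsAddressValid(insn) || !MmIsAddressValid(insn + 5))
        return;
    if (insn[0] != 0xFF || (insn[1] != 0x15 && insn[1] != 0x25))
        return;

    ExAcquireFastMutex_addr = *(ULONG *)(insn + 2);            /* pointer slot */
    if (!MmIsAddressValid((PVOID)ExAcquireFastMutex_addr)) {
        ExAcquireFastMutex_addr = 0;
        return;
    }
    ExAcquireFastMutex_addr = *(ULONG *)ExAcquireFastMutex_addr; /* function */
}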
// Landing pad for the jmp written over the first 5 bytes of nt!ExAcquireFastMutex.
// If ECX is the kernel's DbgkpProcessDebugPortMutex it is swapped for the private
// mutex, so the protection driver's acquire (which is never released) does not
// block later debug-port work. The single overwritten instruction
// (mov eax,[0FFFE0080h] -- the 5-byte APIC TPR read the real prologue starts with
// on this build) is replayed, then execution resumes at +5. "ONMYFAST:" and the
// __asm delimiters were lost in this listing.
VOID __declspec(naked)MyExAcquireFastMutex()
&&& cmp&&& ecx,DbgkpProcessDebugPortMutexaddr
&&& jnz&&& ONMYFAST
&&& mov&&& ecx,pMyDbgkpProcessDebugPortMutex
&&& mov&&&& eax,dword ptr ds:[0xFFFE0080]
&&& jmp&&& [ReExAcquireFastMutex_addr]
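/*
 * Overwrite the first 5 bytes of nt!ExAcquireFastMutex with a jmp to
 * MyExAcquireFastMutex, saving the originals in g_ExAcquireFastMutex.
 *
 * Skipped when the address could not be resolved. IRQL is raised before
 * CR0.WP is cleared (WP is per-CPU) and WP is restored before lowering; the
 * original cleared WP first and never re-enabled it. Non-atomic write on MP.
 */
VOID Patch_ExAcquireFastMutex()
{
    KIRQL oldIrql;
    unsigned char newcode[5] = { 0xE9, 0, 0, 0, 0 };   /* jmp rel32 */

    GetExAcquireFastMutexAddr();
    if (!ExAcquireFastMutex_addr)
        return;

    ReExAcquireFastMutex_addr = ExAcquireFastMutex_addr + 5;
    *(ULONG *)&newcode[1] = (ULONG)MyExAcquireFastMutex - ExAcquireFastMutex_addr - 5;

    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    memcpy(g_ExAcquireFastMutex, (VOID *)ExAcquireFastMutex_addr, 5);
    memcpy((VOID *)ExAcquireFastMutex_addr, newcode, 5);
    WPON();
    KeLowerIrql(oldIrql);
}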
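/*
 * Restore the saved prologue of nt!ExAcquireFastMutex. No-op when the patch
 * was never applied. IRQL first, then CR0.WP; WP re-enabled before lowering.
 */
VOID UnPatch_ExAcquireFastMutex()
{
    KIRQL oldIrql;

    if (!ExAcquireFastMutex_addr)
        return;
    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    memcpy((VOID *)ExAcquireFastMutex_addr, g_ExAcquireFastMutex, 5);
    WPON();
    KeLowerIrql(oldIrql);
}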
//////////////////////////////////////////////////////////////////////////
/*
 * Return the handler address stored in IDT entry i of the processor this runs
 * on (sidt reads the current CPU's IDTR; other CPUs may differ). No bounds
 * check on i: callers pass 1, 3 and 0x22.
 */
ULONG GetIDTAdd(unsigned long i)
{
    IDTINFO idtr;
    IDTENTRY *entries;

    __asm sidt idtr
    entries = (IDTENTRY *)MAKELONG(idtr.LowIDTbase, idtr.HiIDTbase);
    return (unsigned long)MAKELONG(entries[i].OffsetLow, entries[i].OffsetHigh);
}
//////////////////////////////////////////////////////////////////////////
// Handler addresses read from IDT[1] and IDT[3] at load time (Bak_IDT), i.e. the
// kernel's own trap handlers before the protection driver redirected them.
&ULONG INT1_ISR_ADD;
&ULONG INT3_ISR_ADD;
/* Record the INT1/INT3 handlers currently in the IDT; must run before the
 * protection driver replaces them or the "original" saved here is already foreign. */
ULONG Bak_IDT()
{
    INT3_ISR_ADD = GetIDTAdd(3);
    INT1_ISR_ADD = GetIDTAdd(1);
    return STATUS_SUCCESS;
}
//////////////////////////////////////////////////////////////////////////
// First 6 bytes of the foreign INT1 handler, saved by Pass_INT1 for UnDetour_INT1.
char old_int1[8];
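/*
 * Neutralise a foreign INT1 handler: write "jmp <original ISR>; nop" (6 bytes)
 * over the start of whatever handler is now in IDT[1], so single-step traps
 * reach the kernel's own handler again. The overwritten bytes go to old_int1.
 *
 * Refuses to run when IDT[1] still holds the original ISR: the original code
 * would then have written a jmp-to-self into the kernel's trap handler and
 * hung the first single-step. IRQL is raised before CR0.WP is cleared and WP
 * is restored afterwards (the original never re-enabled it).
 * NOTE(review): IDT[1] is read on this CPU only.
 */
ULONG Pass_INT1()
{
    KIRQL oldIrql;
    ULONG handler = GetIDTAdd(1);
    unsigned char newcode[6] = { 0xE9, 0, 0, 0, 0, 0x90 };   /* jmp rel32 ; nop */

    if (!handler || handler == INT1_ISR_ADD || !MmIsAddressValid((PVOID)handler))
        return STATUS_SUCCESS;

    *(ULONG *)&newcode[1] = INT1_ISR_ADD - handler - 5;
    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    memcpy(old_int1, (VOID *)handler, 6);
    memcpy((VOID *)handler, newcode, 6);
    WPON();
    KeLowerIrql(oldIrql);
    return STATUS_SUCCESS;
}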
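/*
 * Put the 6 saved bytes back into the foreign INT1 handler, but only if IDT[1]
 * is still foreign AND still starts with the jmp Pass_INT1 wrote there. The
 * second condition keeps an unload that happens before Pass_INT1 ever ran from
 * writing six zero bytes (an untouched old_int1) into someone else's handler.
 * IRQL raised before CR0.WP is cleared, WP restored before lowering.
 */
VOID UnDetour_INT1()
{
    KIRQL oldIrql;
    ULONG handler = GetIDTAdd(1);
    unsigned char *p = (unsigned char *)handler;

    if (!handler || handler == INT1_ISR_ADD || !MmIsAddressValid(p))
        return;
    if (p[0] != 0xE9 || *(ULONG *)(p + 1) != INT1_ISR_ADD - handler - 5)
        return;                             /* not our patch */

    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    memcpy((VOID *)handler, old_int1, 6);
    WPON();
    KeLowerIrql(oldIrql);
}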
//////////////////////////////////////////////////////////////////////////
// First 6 bytes of the foreign INT3 handler, saved by Pass_INT3 for UnDetour_INT3.
char old_int3[8];
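/*
 * Neutralise a foreign INT3 handler: write "jmp <original ISR>; nop" (6 bytes)
 * over the start of the handler now in IDT[3] so breakpoint traps reach the
 * kernel's own handler again; the overwritten bytes go to old_int3.
 *
 * Refuses to run when IDT[3] still holds the original ISR (the original code
 * would have turned the kernel's handler into a jmp-to-self). IRQL is raised
 * before CR0.WP is cleared and WP is restored afterwards.
 */
ULONG Pass_INT3()
{
    KIRQL oldIrql;
    ULONG handler = GetIDTAdd(3);
    unsigned char newcode[6] = { 0xE9, 0, 0, 0, 0, 0x90 };   /* jmp rel32 ; nop */

    if (!handler || handler == INT3_ISR_ADD || !MmIsAddressValid((PVOID)handler))
        return STATUS_SUCCESS;

    *(ULONG *)&newcode[1] = INT3_ISR_ADD - handler - 5;
    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    memcpy(old_int3, (VOID *)handler, 6);
    memcpy((VOID *)handler, newcode, 6);
    WPON();
    KeLowerIrql(oldIrql);
    return STATUS_SUCCESS;
}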
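/*
 * Restore the 6 saved bytes of the foreign INT3 handler, only if IDT[3] is
 * still foreign and still starts with the jmp Pass_INT3 wrote (otherwise an
 * unload before Pass_INT3 ran would write zeros into a live handler).
 * IRQL raised before CR0.WP is cleared, WP restored before lowering.
 */
VOID UnDetour_INT3()
{
    KIRQL oldIrql;
    ULONG handler = GetIDTAdd(3);
    unsigned char *p = (unsigned char *)handler;

    if (!handler || handler == INT3_ISR_ADD || !MmIsAddressValid(p))
        return;
    if (p[0] != 0xE9 || *(ULONG *)(p + 1) != INT3_ISR_ADD - handler - 5)
        return;                             /* not our patch */

    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    memcpy((VOID *)handler, old_int3, 6);
    WPON();
    KeLowerIrql(oldIrql);
}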
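/*
 * Overwrite 6 bytes at addr with NOPs. Called from OnTimer with a fixed offset
 * into the protection driver (int22addr + 0x11555c), presumably the code path
 * that forces a reboot when the IDT is restored.
 *
 * OnTimer is an IoTimer callback and therefore already runs at DISPATCH_LEVEL,
 * so no IRQL change is needed here; CR0.WP is now re-enabled afterwards (the
 * original left it cleared system-wide) and both ends of the 6-byte span are
 * checked before writing, since the offset is only a guess for other versions
 * of the protection driver.
 */
VOID Pass_Reboot(char* addr)
{
    static const unsigned char nops[6] = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };

    if (!addr || !MmIsAddressValid(addr) || !MmIsAddressValid(addr + 5))
        return;
    WPOFF();
    memcpy(addr, nops, 6);
    WPON();
}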
// State flags driven by OnTimer: non-zero while the INT1 / INT3 redirect is applied,
// and while IDT[0x22] (the protection driver's syscall gate) is present. int22_xx is
// also consulted by the RtlMoveMemory hook to decide whether to serve the backup image.
unsigned long int1_xx=0;
unsigned long int3_xx=0;
unsigned long int22_xx=0;
// IoTimer callback, fires once per second at DISPATCH_LEVEL (hence the commented-out
// KeDelayExecutionThread: it cannot be called here). Polls the IDT for signs of the
// protection driver and reacts:
//   - IDT[0x22] present: first time only, derive the driver's image base
//     (int22addr - 0xac15) and NOP out the reboot path at int22addr + 0x11555c.
//   - IDT[1] / IDT[3] no longer the kernel's handler: redirect the foreign handler
//     back to the original (Pass_INT1 / Pass_INT3), once.
// Braces were lost in this listing; the trailing "xx=0" lines are most likely the
// else-branches that clear each flag once the condition goes away (the RtlMoveMemory
// hook treats int22_xx==1 as "driver present"). All offsets are specific to one build
// of the protection driver. NOTE(review): sidt/GetIDTAdd sees this CPU's IDT only.
VOID OnTimer(
&&&&&& IN PDEVICE_OBJECT DeviceObject,
&&&&&& IN PVOID Context
& //&& LARGE_INTEGER D
& //&& Delay.QuadPart = -5000000;
& //&& KeDelayExecutionThread(KernelMode, TRUE, &Delay);
& ULONG patch_
& char* tmp_char=0;
& if (GetIDTAdd(0x22))
&&& if (!int22_xx)
&&&&& int22_xx=1;
&&&&& int22addr=GetIDTAdd(0x22);
&&&&& memaddress=int22addr-0xac15;
&&&&& patch_add=int22addr+0x11555c;
& //&&& debugportoffsetaddr=int22addr+0x4C4B;
&&&&& tmp_char=(char*)patch_
&&&&& Pass_Reboot(tmp_char);
& //&&& Pass_debugport();
&&& int22_xx=0;
& if (INT1_ISR_ADD!=GetIDTAdd(1))
&&& if (!int1_xx)
&&&&& int1_xx=1;
&&&&& Pass_INT1();&
&&& int1_xx=0;
& if (INT3_ISR_ADD!=GetIDTAdd(3))
&&& if (!int3_xx)
&&&&& int3_xx=1;
&&&&& Pass_INT3();&
&&& int3_xx=0;
//////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////
// nt!RtlMoveMemory:
// &&&&&&&&&&&&& push&&& esi
// &&&&&&&&&&&&& push&&& edi
// b742410&&&&&&& mov&&&& esi,dword ptr [esp+10h]
// b7c240c&&&&&&& mov&&&& edi,dword ptr [esp+0Ch]
// The 6 prologue bytes (push fs / push 30h / pop fs) that appear to belong to the
// protection driver's INT1 and INT3 handlers before Pass_INT1/Pass_INT3 overwrite
// them with a jmp; memoutmsg writes them back into the backup image so the driver's
// self-check sees unmodified code. Build-specific.
char oldint1code[]={0x0f,0xa0,0x6a,0x30,0x0f,0xa1};
char oldint3code[]={0x0f,0xa0,0x6a,0x30,0x0f,0xa1};
// nt!RtlMoveMemory, resolved by HookRtlMoveMemory via GetFunctionAddr.
ULONG RtlMoveMemoryA
// Refresh the backup copy of the protection driver's image: copy 0xd800 bytes from
// memaddress (its image base, as derived in OnTimer) into mybackupmem, then restore the
// original INT1/INT3 handler prologues at image offsets 0x55f3 and 0x5859 so the copy
// looks unpatched. Called from the _RtlMoveMemory hook (via pushad/call) whenever the
// driver copies its own image, presumably for an integrity check. The loop index ii is
// declared outside this listing; the two offsets are build-specific.
// NOTE(review): runs in the caller's context with no check that memaddress is valid.
void __stdcall memoutmsg()
& //& DbgPrint(&%s pid %08x movemem addr %08x\n&,GetProcessNameFromEProc(0),PsGetCurrentProcessId(),gmem );
& memcpy(mybackupmem,(char*)memaddress,0xd800);
& for (ii=0;ii&6;ii++)
&&& mybackupmem[ii+0x55f3]=oldint1code[ii];
& for (ii=0;ii&6;ii++)
&&& mybackupmem[ii+0x5859]=oldint3code[ii];
& //& DbgPrint(&mybackupmem& oldcode %08x \n&,*(ULONG*)&mybackupmem[0xacf0]);
// Detour for nt!RtlMoveMemory(Destination, Source, Length). On entry (naked, no frame)
// [esp+8] is Source. If Source == memaddress (the protection driver's image base) and
// int22_xx == 1 (driver present), memoutmsg refreshes the backup and Source is swapped
// for mybackupmem, so the driver's self-copy yields a clean image. Then the 6 bytes
// overwritten by HookRtlMoveMemory (push esi / push edi / mov esi,[esp+10h], per the
// disassembly above) are replayed and control jumps to RtlMoveMemory+6.
// The "NOZX:" label, a "popad" after the call, and the __asm delimiters are missing
// from this listing -- without popad the registers would be left on the stack.
// Disabled in DriverEntry (HookRtlMoveMemory call is commented out).
VOID __declspec(naked)_RtlMoveMemory(
&&&&&&&&&&&&&&&&&& // VOID& *Destination,
&&&&&&&&&&&&&&&&&& //VOID&& *Source,
&&&&&&&&&&&&&&&&&& //ULONG& Length
&&&&&&&&&&&&&&&&&& )
&&& mov&& eax,memaddress
&&& cmp&& dword ptr [esp+8],eax
&&& jnz&& NOZX
&&& mov&& eax,int22_xx
&&& cmp&& eax,1
&&& jnz&& NOZX
&&& pushad
&&& call& memoutmsg
&&& mov&& eax,mybackupmem
&&& mov&& dword ptr [esp+8],eax
&&& push&&& esi
&&& push&&& edi
&&& mov&&&& esi,dword ptr [esp+10h]
&&& mov&&&& eax,RtlMoveMemoryAddr
&&& add&&&& eax,6
&&& jmp&&&& eax
// The 6 original bytes of nt!RtlMoveMemory, saved by HookRtlMoveMemory for the unhook.
char g_RtlMoveMemory[8];
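/*
 * Write "jmp _RtlMoveMemory; nop" (6 bytes) over the start of nt!RtlMoveMemory,
 * saving the originals in g_RtlMoveMemory.
 *
 * Aborts if GetFunctionAddr cannot resolve the export (the original would
 * have patched address 0). IRQL is raised before CR0.WP is cleared (WP is
 * per-CPU) and WP is restored afterwards; the original never re-enabled it.
 * RtlMoveMemory is hot on every CPU, so the non-atomic 6-byte write can be
 * observed torn. Currently not called from DriverEntry.
 */
VOID HookRtlMoveMemory()
{
    KIRQL oldIrql;
    unsigned char newcode[6] = { 0xE9, 0, 0, 0, 0, 0x90 };   /* jmp rel32 ; nop */

    RtlMoveMemoryAddr = GetFunctionAddr(L"RtlMoveMemory");
    if (!RtlMoveMemoryAddr)
        return;
    *(ULONG *)&newcode[1] = (ULONG)_RtlMoveMemory - RtlMoveMemoryAddr - 5;

    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    memcpy(g_RtlMoveMemory, (void *)RtlMoveMemoryAddr, 6);
    memcpy((void *)RtlMoveMemoryAddr, newcode, 6);
    WPON();
    KeLowerIrql(oldIrql);
}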
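/*
 * Restore the 6 saved bytes of nt!RtlMoveMemory. No-op if the hook was never
 * installed. IRQL first, then CR0.WP; WP re-enabled before lowering.
 */
VOID UnHookRtlMoveMemory()
{
    KIRQL oldIrql;

    if (!RtlMoveMemoryAddr)
        return;
    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    memcpy((void *)RtlMoveMemoryAddr, g_RtlMoveMemory, 6);
    WPON();
    KeLowerIrql(oldIrql);
}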
//////////////////////////////////////////////////////////////////////////
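/*
 * Write a 2-byte short jump (EB 04) at DbgkForwardException+0x38, skipping the
 * 4 bytes that follow. The offset is specific to one kernel build and
 * DbgkForwardExceptionAddr comes from SearchMutex's pattern walk, so the patch
 * is refused when that address is still 0 (the original would have written to
 * 0x38). IRQL is raised before CR0.WP is cleared and WP is restored afterwards.
 * Not called anywhere in this listing; Pass_debugport applies an overlapping
 * change at +0x38 and +0x3e.
 */
void patch_DbgkForwardException()
{
    KIRQL oldIrql;
    unsigned char newcode[2] = { 0xEB, 0x04 };   /* jmp short +4 */
    ULONG patchAddr;

    if (!DbgkForwardExceptionAddr)
        return;
    patchAddr = DbgkForwardExceptionAddr + 0x38;
    if (!MmIsAddressValid((PVOID)patchAddr))
        return;

    oldIrql = KeRaiseIrqlToDpcLevel();
    WPOFF();
    memcpy((void *)patchAddr, newcode, 2);
    WPON();
    KeLowerIrql(oldIrql);
}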
//////////////////////////////////////////////////////////////////////////
// Prototype for the native service (the "NTSTATUS" / "NTSYSAPI" line before NTAPI was
// lost in this listing), the matching function-pointer type, and the saved original
// SSDT target that NewNtQuerySystemInformation chains to.
NTAPI NtQuerySystemInformation(
&&&&&&&&&&&&&&&& IN ULONG SystemInformationClass,
&&&&&&&&&&&&&&&& IN PVOID SystemInformation,
&&&&&&&&&&&&&&&& IN ULONG SystemInformationLength,
&&&&&&&&&&&&&&&& OUT PULONG ReturnLength);
typedef NTSTATUS (*NTQUERYSYSTEMINFORMATION)
&ULONG SystemInformationCLass,
&PVOID SystemInformation,
&ULONG SystemInformationLength,
&PULONG ReturnLength
NTQUERYSYSTEMINFORMATION OldNtQuerySystemI
// Minimal layout of SystemBasicInformation (class 0): only NumberOfProcessors at
// offset 40 is used, by NewNtQuerySystemInformation, which reports 1 to the game.
typedef struct _SYSTEM_BASIC_INFORMATION {
& BYTE Reserved1[24];
& PVOID Reserved2[4];
& CCHAR NumberOfP
} SYSTEM_BASIC_INFORMATION;
// SSDT replacement for NtQuerySystemInformation. Calls the original, then, only when
// the calling process is patcher.exe or gameclient.exe and the call succeeded:
//   class 0 (SystemBasicInformation): report a single processor;
//   class 1: no-op (debug print commented out);
//   class 5 (SystemProcessInformation): unlink every entry named gameclient.exe from
//     the NextEntryDelta chain, so the game cannot see other instances of itself
//     (this is the multi-open bypass the post describes).
// Braces of the nested if/while were lost in this listing. The process name is
// obtained from the EPROCESS via the project helper GetProcessNameFromEProc.
//
// NOTE(review): SystemInformation is the caller's user-mode buffer and is read and
// rewritten here without ProbeForWrite or a __try block; a concurrent unmap by
// another thread of that process bugchecks the system. RtlInitUnicodeString is
// re-run for every entry; hoisting it out of the loop is free. Unlinking the first
// entry (prev == NULL) advances the local SystemInformation pointer, which the
// caller never sees, so a gameclient.exe entry at the head of the list stays visible.
NTSTATUS NewNtQuerySystemInformation(
&&&&&&&&&&&&&&&&&& IN ULONG SystemInformationClass,
&&&&&&&&&&&&&&&&&& IN PVOID SystemInformation,
&&&&&&&&&&&&&&&&&& IN ULONG SystemInformationLength,
&&&&&&&&&&&&&&&&&& OUT PULONG ReturnLength)
& NTSTATUS ntS
& UNICODE_STRING
//& __asm{ int 3}
& ntStatus = OldNtQuerySystemInformation(
&&& SystemInformationClass,
&&& SystemInformation,
&&& SystemInformationLength,
&&& ReturnLength );
//& DbgPrint(&OldNtQuerySystemInformation ntStatus %08x\n&,ntStatus);
& if (!_stricmp(GetProcessNameFromEProc(0),&patcher.exe&) || !_stricmp(GetProcessNameFromEProc(0),&gameclient.exe&))
&&& if( NT_SUCCESS(ntStatus))
&&& //& DbgPrint(&%s querysysteminfo,systeminfoclass %d\n&,GetProcessNameFromEProc(0),SystemInformationClass);
&&&&& if (SystemInformationClass == 0)
&&&&&&& struct _SYSTEM_BASIC_INFORMATION *sysbinfo = (struct _SYSTEM_BASIC_INFORMATION *)SystemI
&&&&&&& sysbinfo-&NumberOfProcessors=1;
&&&&& //& DbgPrint(&process num %d \n&,sysbinfo-&NumberOfProcessors);
&&&&& if (SystemInformationClass == 1)
&&&&&&& PSYSTEM_PROCESS_INFORMATION syspinfo = (PSYSTEM_PROCESS_INFORMATION)SystemI
&&&&& //& DbgPrint(&process handle cou %d& proname %wZ pid %d\n&,syspinfo-&HandleCount,syspinfo-&ImageName,syspinfo-&UniqueProcessId);
&&&&& if(SystemInformationClass == 5)
&&&&&&& struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemI
&&&&&&& struct _SYSTEM_PROCESSES *prev = NULL;
&&&&&&& while(curr)
&&&&&&&&& if (curr-&ProcessName.Buffer != NULL)
&&&&&&&&& {
&&&&&&&&&&& RtlInitUnicodeString(&gamename,L&gameclient.exe&);
&&&&& &&&&&&if(!RtlCompareUnicodeString(&(curr-&ProcessName),&gamename,FALSE))
&&&&&&&&&&& {
//&&&&&&&&&&&&& DbgPrint(&FIND GAMECLIENT PDI %d\n&,curr-&ProcessId);
&&&&&&&&&&&&& if(prev)
&&&&&&&&&&&&& {
&&&&&&&&&&&&&&& if(curr-&NextEntryDelta)
&&&&&&&&&&&&&&& {
&&&&&&&&&&&&&&&&& prev-&NextEntryDelta += curr-&NextEntryD
&&&&&&&&&&&&&&& }
&&&&&&&&&&&&&&& else
&&&&&&&&&&&&&&& {
&&&&&&&&&&&&&&&&& prev-&NextEntryDelta = 0;
&&&&&&&&&&&&&&& }
&&&&&&&&&&&&& }
&&&&&&&&&&&&& else
&&&&&&&&&&&&& {
&& &&&&&&&&&&&&&if(curr-&NextEntryDelta)
&&&&&&&&&&&&&&& {
&&&&&&&&&&&&&&&&& (char *)SystemInformation += curr-&NextEntryD
&&&&&&&&&&&&&&& }
&&&&&&&&&&&&&&& else
&&&&&&&&&&&&&&& {
&&&&&&&&&&&&&&&&& SystemInformation = NULL;
&&&&&&&&&&&&&&& }
&&&&&&&& &&&&&}
&&&&&&&&&&& }
&&&&&&&&&&& else
&&&&&&&&&&& {
&&&&&&&&&&&&& prev =
&&&&&&&&&&& }
&&&&&&&&& }
&&&&&&&&& if(curr-&NextEntryDelta)
&&&&&&&&& {
&&&&&&&&&&& ((char *)curr += curr-&NextEntryDelta);
&&&&&&&&& }
&&&&&&&&& else
&&&&&&&&& {
&&&&&&&&&&& curr = NULL;
&&&&&&&&& }
& if (!_stricmp(GetProcessNameFromEProc(0),&gameclient.exe&))
&&& if( NT_SUCCESS(ntStatus))
&&&&& if(SystemInformationClass == 5)
&&&&&&& DbgPrint(&gameclient.exe call NtQuerySystemInformation!\n&);
& return ntS
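/*
 * Replace entry 173 (NtQuerySystemInformation) of the private SSDT copy with
 * NewNtQuerySystemInformation, remembering the original. The slot is in the
 * NonPagedPool table built by AddMyServiceTable, so the aligned 4-byte store
 * is atomic; CR0.WP is toggled around it for symmetry with the rest of the
 * file and, unlike the original, re-enabled afterwards.
 */
VOID HookNtQuerySystemInformation()
{
    ULONG *slot = (ULONG *)((ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 173 * 4);

    OldNtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)(*slot);
    WPOFF();
    *slot = (ULONG)NewNtQuerySystemInformation;
    WPON();
}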
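/*
 * Restore entry 173 of the private SSDT copy to the saved original. No-op if
 * the hook was never installed (saved pointer NULL), so an early unload does
 * not zero the entry. CR0.WP re-enabled afterwards.
 */
VOID UnhookNtQuerySystemInformation()
{
    ULONG *slot = (ULONG *)((ULONG)_KeServiceDescriptorTable->NotUse1.ServiceTableBase + 173 * 4);

    if (!OldNtQuerySystemInformation)
        return;
    WPOFF();
    *slot = (ULONG)OldNtQuerySystemInformation;
    WPON();
}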
// Relocate the kernel's notion of EPROCESS.DebugPort. Every g_* pointer below is a
// build-specific offset (from KiDispatchExceptionAddr / DbgkForwardExceptionAddr /
// DbgkpQueueMessageAddr, all found by SearchMutex) to an instruction inside a Dbgk*/Psp*/
// Mm* routine that accesses the DebugPort field; writing 0x70 over the 4-byte
// displacement at byte 2 of each instruction makes the kernel read and write
// EPROCESS.CreateTime (offset 0x70, see process_createtime_offset) instead. The real
// DebugPort field therefore stays 0 no matter what debugger is attached, which is what
// the protection driver inspects. The 9 NOPs at PspCreateProcess+0xD2B15 stop process
// creation from storing a creation time into the field now used as the port, and the
// anti_* NOPs remove short jumps in the exit/unmap paths (values on the last two
// assignments were truncated in this listing).
//
// NOTE(review): there is no undo for any of this and DriverUnload does not attempt one;
// the kernel stays patched until reboot. When SearchMutex fails, these pointers are
// small offsets from 0 and the writes fault. Each 4-byte store is assumed to hit a
// [reg+disp32] operand -- confirm against a disassembly of the target build before use.
ULONG Pass_debugport()
& KIRQL oldI
& char& timestr[]={0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90};
& char* g_KiDispatchException=(char*)(KiDispatchExceptionAddr+0x187);
& char* g_PspCreateProcess=(char*)(KiDispatchExceptionAddr+0xD2599);
& char* g_DbgkForwardException=(char*)(DbgkForwardExceptionAddr+0x3e);
& char* g_DbgkpQueueMessage=(char*)(DbgkpQueueMessageAddr+0x7B);
& char* g_DbgkCreateThread=(char*)(KiDispatchExceptionAddr+0x14515F);
& char* g_DbgkExitThread=(char*)(KiDispatchExceptionAddr+0x1453F8);
& char* g_DbgkMapViewOfSection=(char*)(KiDispatchExceptionAddr+0x14550B);
& char* g_DbgkExitProcess=(char*)(KiDispatchExceptionAddr+0x145472);
& char* g_DbgkUnMapViewOfSection=(char*)(KiDispatchExceptionAddr+0x1455D1);
& char* g_PspExitThread=(char*)(KiDispatchExceptionAddr+0xD3E84);
& char* g_DbgkpMarkProcessPeb=(char*)(KiDispatchExceptionAddr+0x1438EA);
& char* g_MmCreatePeb=(char*)(KiDispatchExceptionAddr+0xB1907);
& char* g_DbgkpSetProcessDebugObject=(char*)(KiDispatchExceptionAddr+0x144934);
& char* g_DbgkpSetProcessDebugObject1=(char*)(KiDispatchExceptionAddr+0x144942);
& char* g_DbgkpSetProcessDebugObject2=(char*)(KiDispatchExceptionAddr+0x14495C);
& char* g_DbgkpSetProcessDebugObject3=(char*)(KiDispatchExceptionAddr+0x1449A6);
& char* g_DbgkpSetProcessDebugObject4=(char*)(KiDispatchExceptionAddr+0x1449E8);
& char* anti_DbgkExitThread=(char*)(KiDispatchExceptionAddr+0x1453F6);
& char* anti_DbgkExitProcess=(char*)(KiDispatchExceptionAddr+0x145470);
& char* anti_DbgkUnMapViewOfSection=(char*)(KiDispatchExceptionAddr+0x1455CF);
& char* anti_DbgkMapViewOfSection=(char*)(KiDispatchExceptionAddr+0x145505);
& char* anti_DbgkForwardException=(char*)(DbgkForwardExceptionAddr+0x38);
//nop create time
& char* g_PspCreateProcess_time=(char*)(KiDispatchExceptionAddr+0xD2B15);
// NOTE(review): WP is cleared before the IRQL is raised (CR0 is per-CPU; the thread
// may migrate in between) and is never re-enabled on this path.
& WPOFF();
& oldIrql = KeRaiseIrqlToDpcLevel();
& memcpy(g_PspCreateProcess_time,timestr,9);
& *(ULONG*)(&g_KiDispatchException[2])=0x70;
& *(ULONG*)(&g_PspCreateProcess[2])=0x70;
& *(ULONG*)(&g_DbgkForwardException[2])=0x70;
& *(ULONG*)(&g_DbgkpQueueMessage[2])=0x70;
& *(ULONG*)(&g_DbgkCreateThread[2])=0x70;
& *(ULONG*)(&g_DbgkExitThread[2])=0x70;
& *(ULONG*)(&g_DbgkMapViewOfSection[2])=0x70;
& *(ULONG*)(&g_DbgkExitProcess[2])=0x70;
& *(ULONG*)(&g_DbgkUnMapViewOfSection[2])=0x70;
& *(ULONG*)(&g_PspExitThread[2])=0x70;
& *(ULONG*)(&g_DbgkpMarkProcessPeb[2])=0x70;
& *(ULONG*)(&g_MmCreatePeb[2])=0x70;
& *(ULONG*)(&g_DbgkpSetProcessDebugObject[2])=0x70;
& *(ULONG*)(&g_DbgkpSetProcessDebugObject1[2])=0x70;
& *(ULONG*)(&g_DbgkpSetProcessDebugObject2[2])=0x70;
& *(ULONG*)(&g_DbgkpSetProcessDebugObject3[2])=0x70;
& *(ULONG*)(&g_DbgkpSetProcessDebugObject4[2])=0x70;
& anti_DbgkExitThread[0]=0x90;
& anti_DbgkExitThread[1]=0x90;
& anti_DbgkExitProcess[0]=0x90;
& anti_DbgkExitProcess[1]=0x90;
& anti_DbgkUnMapViewOfSection[0]=0x90;
& anti_DbgkUnMapViewOfSection[1]=0x90;
& anti_DbgkMapViewOfSection[0]=0
& anti_DbgkForwardException[0]=0
& KeLowerIrql(oldIrql);
& return STATUS_SUCCESS;
// EPROCESS field offsets for the kernel build this targets: ActiveProcessLinks (0x88),
// DebugPort (value truncated in this listing) and CreateTime (0x70, the field that
// Pass_debugport makes the kernel use as the debug port).
const int process_list_offset=0x88;
const int process_debugport_offset=0
const int process_createtime_offset=0x70;
// Walk every EPROCESS via ActiveProcessLinks, starting from the System process
// (PID 4), and copy the DebugPort field into the CreateTime field so processes
// that were already being debugged keep working after Pass_debugport relocates
// the port. The loop ends when the walk returns to the starting process; the
// "i&=1" condition is a garbled "i>=1", the return value and cproc's initial
// value were truncated ("0x;"), and "start" (the first EPROCESS) is declared
// and assigned outside this listing. Disabled in DriverEntry.
//
// NOTE(review): the reference taken by PsLookupProcessByProcessId is never
// released, and a failed lookup leaves tmpeprocess uninitialised before it is
// dereferenced. Walking the process list without PspActiveProcessMutex races
// with process creation/exit.
ULONG ChangeProcessDebugPort()
& ULONG i=0;
& ULONG cproc=0x;
& PEPROCESS
& PLIST_E***Y plist_active_
& PsLookupProcessByProcessId((HANDLE)4,&tmpeprocess);
& cproc=(ULONG)
& while (1)
&&& if ((i&=1) && (start==cproc))
&&&&& return 0x;
&&&&& *(ULONG*)(cproc+process_createtime_offset)=*(ULONG*)(cproc+process_debugport_offset);
&&&&& plist_active_procs=(LIST_E***Y*)(cproc+process_list_offset);
&&&&& cproc=(ULONG)plist_active_procs-&F
&&&&& cproc=cproc-process_list_
&&&&& i++;
