[求助] DNF已经可以调试,不能下断点,附上驱动源码,请大侠们指点一下。
驱动源码:&&#include &ntddk.h&&#define ThreadLength 0x190 &#define ProcessLength 0x184 &#define DeviceLink L&\\Device\\DNFCracker&&#define SymbolicLink L&\\DosDevices\\DNFCracker&&#define IOCTL_RESTORE (ULONG)CTL_CODE(FILE_DEVICE_UNKNOWN, 0x886, METHOD_BUFFERED, FILE_ANY_ACCESS)&&&#define BYTE unsigned char&#define FAILED_TO_OBTAIN_FUNCTION_ADDRESSES -1&typedef struct _SYSTEM_MODULE_INFORMATION_E***Y {& HANDLE S& PVOID MappedB& PVOID B& ULONG S& ULONG F& USHORT LoadOrderI& USHORT InitOrderI& USHORT LoadC& USHORT PathL& CHAR ImageName[256];&} SYSTEM_MODULE_INFORMATION_E***Y, *PSYSTEM_MODULE_INFORMATION_E***Y;&&&typedef struct _SYSTEM_MODULE_INFORMATION {& ULONG C& SYSTEM_MODULE_INFORMATION_E***Y Module[1];&} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;&&&NTSTATUS ZwQuerySystemInformation(ULONG systemInformationClass,& PVOID systemInformation,& ULONG systemInformationLength,& PULONG returnLength);&&&UCHAR* PsGetProcessImageFileName(IN PEPROCESS Process );&&&typedef NTSTATUS (* NTOPENTHREAD)(& OUT PHANDLE ThreadHandle,& IN ACCESS_MASK DesiredAccess,& IN POBJECT_ATTRIBUTES ObjectAttributes,& IN OPTIONAL PCLIENT_ID ClientId&);&typedef NTSTATUS (* NTOPENPROCESS)(& OUT PHANDLE ProcessHandle,& IN ACCESS_MASK DesiredAccess,& IN POBJECT_ATTRIBUTES ObjectAttributes,& IN PCLIENT_ID ClientId&);&typedef struct _SERVICE_DESCRIPTOR_TABLE&{&    PVOID    ServiceTableB&    PULONG   ServiceCounterTableB&    ULONG    NumberOfS&    ULONG    ParamTableB&}&SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;&extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorT&&&#define NAKED _declspec(naked)&&&#pragma pack(1)&typedef struct _TOP5CODE&{&  UCHAR   &  ULONG      &}TOP5CODE,*PTOP5CODE;&#pragma pack( )& &typedef struct _ServiceDescriptorTable {&  PVOID ServiceTableB   &  PVOID ServiceCounterT &  unsigned int NumberOfS&  PVOID ParamTableB &}*PServiceDescriptorT& &ULONG MyGetFunAddress( IN PCWSTR FunctionName)&{&  UNICODE_STRING UniCodeFunctionN&  RtlInitUnicodeString( 
&UniCodeFunctionName, FunctionName );&  return (ULONG)MmGetSystemRoutineAddress( &UniCodeFunctionName );   &}& &ULONG myGetCurrentAddress(IN ULONG index)&{&  ULONG    SSDT_Cur_A&  __asm&  {&    push  ebx&    push  eax&    mov    ebx,KeServiceDescriptorTable&    mov    ebx,[ebx]&    mov    eax,index&    shl    eax,2&    add    ebx,eax&    mov    ebx,[ebx]&    mov    SSDT_Cur_Addr,ebx&    pop    eax&    pop    ebx&  }& &  return  SSDT_Cur_A&}& &VOID WPOFF()&{&  __asm&  {&    cli&    mov eax,cr0&    and eax,not 10000h&    mov cr0,eax&  }&}& &VOID WPON()&{&  __asm&  {&    mov eax,cr0&    or eax,10000h&    mov cr0,eax&    sti&  }&}&&&NTSTATUS MyEnumKernelModule(IN CHAR* str,OUT ULONG *moduleadd,OUT ULONG *modulesie)&{&  NTSTATUS status = STATUS_SUCCESS;&  ULONG   n       = 0;&  ULONG   i       = 0;&  PSYSTEM_MODULE_INFORMATION_E***Y   module = NULL;&  PVOID   pbuftmp = NULL;&  ANSI_STRING    ModuleName1,ModuleName2;&  BOOLEAN  tlgstst= FALSE; & &  status = ZwQuerySystemInformation(11, &n, 0, &n);& &  pbuftmp = ExAllocatePool(NonPagedPool, n);& &  status = ZwQuerySystemInformation(11, pbuftmp, n, NULL);& &  module = (PSYSTEM_MODULE_INFORMATION_E***Y)((PULONG )pbuftmp + 1 );& &  RtlInitAnsiString(&ModuleName1,str);&  //&  n       = *((PULONG)pbuftmp );&  for ( i = 0; i & i++ )&  {&    RtlInitAnsiString(&ModuleName2,(PCSZ)&module.ImageName);&    if (RtlCompareString(&ModuleName1,&ModuleName2,TRUE) == 0)&    {&      DbgPrint(&MyEnumKernelModule:%s:%0X \n&,ModuleName2.Buffer,module.Base);&      *moduleadd  = (ULONG)module.B&      *modulesie  = module.S&      tlgstst = TRUE;&     &    }&  }&  ExFreePool(pbuftmp);&  if (tlgstst == FALSE)&  {&    return  FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;&  }& &}& &BOOLEAN MatchByte(BYTE bSrc, BYTE bDest)&{& if ( bDest == 'X' || bDest == 'x' )& return TRUE;& else if ( bSrc == 'X' || bSrc == 'x' )& return TRUE;& else& return bSrc == bD&}&&&BYTE *FindBytePattern(BYTE *pPattern, size_t length, BYTE *pRangeBegin, BYTE *pRangeEnd)&{& BYTE *pIter = 
pRangeB& BYTE *pPatternIter = NULL;& BYTE *pMatcher = NULL;&&& if ( NULL == pPattern ) return NULL;& if ( NULL == pRangeBegin ) return NULL;& if ( NULL == pRangeEnd ) return NULL;& if ( pRangeEnd - pRangeBegin &= 0 ) return NULL;&&& while ( pIter & pRangeEnd ) {& pPatternIter = pP& pMatcher = pI& while ( MatchByte(*pPatternIter, *pMatcher) ) {& pPatternIter++;& pMatcher++;& }&&& if ( pPatternIter - pPattern == length )& {& return pI& }& else& {& pPatternIter = pP& pIter++;& }& }&&& return NULL;&}&&&BYTE *g_pTesSafeAddress = NULL;&ULONG g_TesSafeSize = 0;&NTSTATUS GetTesSafeAddress(BYTE **ppAddress, ULONG *pSize)&{& NTSTATUS status = STATUS_UNSUCCESSFUL;& if ( g_pTesSafeAddress == NULL )& {& status = MyEnumKernelModule(&\\??\\c:\\windows\\system32\\tessafe.sys&, &(ULONG)g_pTesSafeAddress, &g_TesSafeSize);& if (!NT_SUCCESS(status))& {& DbgPrint(&TesSafe is not loaded yet\n&);&& }& }& else& {& *ppAddress = g_pTesSafeA& *pSize = g_TesSafeS& }& & return STATUS_SUCCESS;&}&&&VOID Hook();&VOID Unhook();&NTOPENTHREAD OldT&NTOPENPROCESS OldP&ULONG AddrRead, AddrW&ULONG OrgRead[2], OrgWrite[2];&ULONG OrgKdDD[2];&UCHAR MyThread[ThreadLength], MyProcess[ProcessLength];& &NTSTATUS My_RecoveryHook_NtReadAndWriteMemory()&{&  BYTE  Push1Ch[2]  = {0x6a,0x1c};  &  //BYTE  PushAdd[5]  = {0x68,0x12,0x34,0x56,0x78};  &  BYTE  PushAdd_ReadMemory[5]  = {0x68,0xd8,0xa4,0x4d,0x80};&  BYTE  PushAdd_WriteMemory[5] = {0x68,0xf0,0xa4,0x4d,0x80};&  KIRQL  I&  BYTE  *NtReadVirtualMemoryAddress    = NULL; &  BYTE  *NtWriteVirtualMemoryAddress  = NULL;  & &  NtReadVirtualMemoryAddress = (BYTE*)myGetCurrentAddress(0xBA);&  if (NtReadVirtualMemoryAddress == NULL)&  {&    KdPrint((&Failed to get address of NtReadVirtualMemory! \n&));&    return  FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;&  }&  NtWriteVirtualMemoryAddress = (BYTE*)myGetCurrentAddress(0x115);&  if (NtWriteVirtualMemoryAddress == NULL)&  {&    KdPrint((&Failed to get address of NtWriteVirtualMemory! 
\n&));&    return  FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;&  }&&&  WPOFF(); &  Irql=KeRaiseIrqlToDpcLevel();&  RtlCopyMemory(NtReadVirtualMemoryAddress,Push1Ch,2);&  RtlCopyMemory(NtReadVirtualMemoryAddress+2,PushAdd_ReadMemory,5);& &  RtlCopyMemory(NtWriteVirtualMemoryAddress,Push1Ch,2);&  RtlCopyMemory(NtWriteVirtualMemoryAddress+2,PushAdd_WriteMemory,5);&  KeLowerIrql(Irql);&  WPON();    & &  return  STATUS_SUCCESS;&}&PEPROCESS  processEPROCESS = NULL; &ANSI_STRING  p_str1,p_str2;      &BYTE    *ObOpenObjectByPointerAddress  = NULL;&BYTE    *p_OpenProcess_TpHookAddress = NULL; &BYTE    *p_OpenThread_TpHookAddress = NULL;       &BYTE    *p_OpenProcess_ReturnAddress = NULL;   &BYTE    *p_OpenThread_ReturnAddress = NULL; &BYTE    *p_MyHookAddress = NULL;       &#define DNF_EXE  &DNF.exe&  & &//NtOpenThread用到的全局变量[为了方便堆栈平衡的处理使用全局变量]&PEPROCESS  threadEPROCESS = NULL;  //保存访问者的EPROCESS&ANSI_STRING  t_str1,t_str2;      //保存进程名称&&&//////////////////////////////////////////////////////////////////////&//  名称:  Nakd_NtOpenThread&//  功能:  My_RecoveryHook_NtOpenThread的中继函数&//  参数:  &//  返回:  &//////////////////////////////////////////////////////////////////////&static NAKED VOID  Nakd_NtOpenThread()&{&    //获得调用者的EPROCESS&    threadEPROCESS = IoGetCurrentProcess();&    //将调用者的进程名保存到str1中&    RtlInitAnsiString(&t_str1,(PCSZ)((ULONG)threadEPROCESS+0x174));&    //将我们要比对的进程名放入str2&    RtlInitAnsiString(&t_str2,DNF_EXE);&    if (RtlCompareString(&t_str1,&t_str2,TRUE) == 0)&    {&        //说明是DNF进程访问了这里&        __asm&        {&            push    dword ptr [ebp-34h]&            push    dword ptr [ebp-20h]&            push  p_OpenThread_ReturnAddress&                mov    eax,p_OpenThread_TpHookAddress&                jmp    eax&        }&    }&    else&    {&        __asm&        {&            push    dword ptr [ebp-34h]&            push    dword ptr [ebp-20h]&            push    p_OpenThread_ReturnAddress& mov    eax,ObOpenObjectByPointerAddress& jmp    eax&        }&    
}&}&&&//////////////////////////////////////////////////////////////////////&//  名称:  My_RecoveryHook_NtOpenProcess&//  功能:  解除游戏保护对NtOpenProcess的HOOK&//  参数:  &//  返回:  状态&//////////////////////////////////////////////////////////////////////&NTSTATUS My_RecoveryHook_NtOpenThread()&{& BYTE    *NtOpenThreadAddress      = NULL;  //NtOpenProcess的地址& BYTE    *p = NULL;      //临时& TOP5CODE  *top5code = NULL;  //保存5字节内容& BYTE    JmpAddress[6] = {0xE9,0,0,0,0,0x90};& BYTE *pHookAddress = NULL;& // 从805c2724这个位置开始,也就是NtOpenThread + 0x202的位置& BYTE bHookPattern[] = { 0x50,0xff,0x75,0xd0,0xff,0x35,'x','x','x','x',0x56,0x8d,0x85,0x4c,0xff,0xff,0xff,0x50,0xff,0x75,0xcc,0xff,0x75,0xe0,0xe8,'x','x','x','x',0x8b,0xf8,0x8d,0x85,0x4c,0xff,0xff,0xff,0x50, };& KIRQL    I& int i = 0;&&&    //获取NtOpenProcess的地址&    NtOpenThreadAddress = (BYTE*)MyGetFunAddress(L&NtOpenThread&);&    if (NtOpenThreadAddress == NULL)&    {&        KdPrint((&NtOpenProcess地址获取失败\n&));&        return  FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;&    }&    //获取ObOpenObjectByPointer的地址&    ObOpenObjectByPointerAddress = (BYTE*)MyGetFunAddress(L&ObOpenObjectByPointer&);&    if (ObOpenObjectByPointerAddress == NULL)&    {&        KdPrint((&ObOpenObjectByPointer地址获取失败\n&));&        return  FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;&    }& &    *(ULONG *)(JmpAddress+1)=(ULONG)Nakd_NtOpenThread - (ULONG)p - 5;&&&    //将p指向NtOpenProcess函数开始处&    p = NtOpenThreadA & pHookAddress = FindBytePattern(& bHookPattern, sizeof(bHookPattern), NtOpenThreadAddress, NtOpenThreadAddress + 1024);& if ( NULL == pHookAddress )& return STATUS_UNSUCCESSFUL;& p = pHookAddress + 0x18;&&&    //将top5code指向 p 的当前处&    //用以取出 call [地址] 这5字节里面的地址&    top5code = (TOP5CODE*)p;&    p_OpenThread_TpHookAddress = (BYTE*)((ULONG)p+5+top5code-&address);&&&    //找到我们写入自定义函数的地址&    p_MyHookAddress = p-6;&&&    //保存调用ObOpenObjectByPointer函数以后的返回地址&    p_OpenThread_ReturnAddress = p+5;&&&    //将一条JMP Nakd_NtOpenProcess写入到数组中&    *(ULONG 
*)(JmpAddress+1)=(ULONG)Nakd_NtOpenThread - ((ULONG)p_MyHookAddress+5);&&&    WPOFF();  //清除CR0&    //提升IRQL中断级&    Irql=KeRaiseIrqlToDpcLevel();&    //写入&    RtlCopyMemory(p_MyHookAddress,JmpAddress,sizeof(JmpAddress));&    //恢复Irql&    KeLowerIrql(Irql);&    WPON();    //恢复CR0&&&    return  STATUS_SUCCESS;&}&&&static NAKED VOID  Nakd_NtOpenProcess()&{&  processEPROCESS = IoGetCurrentProcess();&  RtlInitAnsiString(&p_str1,(PCSZ)((ULONG)processEPROCESS+0x174));&  RtlInitAnsiString(&p_str2,DNF_EXE);&  if (RtlCompareString(&p_str1,&p_str2,TRUE) == 0)&  {&    __asm&    {&      push    dword ptr [ebp-38h]&      push    dword ptr [ebp-24h]&      push  p_OpenProcess_ReturnAddress&      mov    eax,p_OpenProcess_TpHookAddress&      jmp    eax&    }&  }&  else&  {&    __asm&    {&      push    dword ptr [ebp-38h]&      push    dword ptr [ebp-24h]&      push  p_OpenProcess_ReturnAddress&      mov    eax,ObOpenObjectByPointerAddress&      jmp    eax&    }&  }&}& & &NTSTATUS My_RecoveryHook_NtOpenProcess()&{& BYTE    *NtOpenProcessAddress      = NULL;  & BYTE    *p = NULL;     & TOP5CODE  *top5code = NULL;  & BYTE    JmpAddress[6] = {0xE9,0,0,0,0,0x90};& BYTE *pHookAddress = NULL;& // 从805c24a2这个位置开始,也就是NtOpenProcess + 0x20c的位置& BYTE bHookPattern[] = { 0x50,0xff,0x75,0xcc,0xff, 0x35,'x','x','x','x',0x56,0x8d,0x85,0x48,0xff,0xff,0xff,0x50,0xff,0x75,0xc8,0xff,0x75,0xdc,0xe8,'x','x','x','x',0x8b,0xf8,0x8d,0x85,0x48,0xff,0xff,0xff,0x50 };& KIRQL    I&& &    NtOpenProcessAddress = (BYTE*)MyGetFunAddress(L&NtOpenProcess&);&    if (NtOpenProcessAddress == NULL)&    {&      KdPrint((&Failed to get address of NtOpenProcess\n&));&      return  FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;&    }&&&    ObOpenObjectByPointerAddress = (BYTE*)MyGetFunAddress(L&ObOpenObjectByPointer&);&    if (ObOpenObjectByPointerAddress == NULL)&    {&      KdPrint((&Failed to get address of ObOpenObjectByPointer\n&));&      return  FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;&    }&&&    p = NtOpenProcessA & pHookAddress = 
FindBytePattern(& bHookPattern, sizeof(bHookPattern), NtOpenProcessAddress, NtOpenProcessAddress + 1024);& if ( NULL == pHookAddress )& return STATUS_UNSUCCESSFUL;& p = pHookAddress + 0x18;&&&    top5code = (TOP5CODE*)p;&    p_OpenProcess_TpHookAddress = (BYTE*)((ULONG)p+5+top5code-&address);& &    p_MyHookAddress = p-6;&    p_OpenProcess_ReturnAddress = p+5;& &    *(ULONG *)(JmpAddress+1)=(ULONG)Nakd_NtOpenProcess - (ULONG)p_MyHookAddress - 5;& &    WPOFF(); &    Irql=KeRaiseIrqlToDpcLevel();&    RtlCopyMemory(p_MyHookAddress, JmpAddress, sizeof(JmpAddress));&    KeLowerIrql(Irql);&    WPON();    & &  return  STATUS_SUCCESS;&} &&&ULONG    uNtSetContextThreadA&ULONG    uNtGetContextThreadA&ULONG    TenNtSetContextThread, &      TenNtGetContextT&static NAKED NTSTATUS Nakd_NtGetThreadContext(HANDLE hThread, PCONTEXT pContext)&{&  __asm&  {&    jmp    dword ptr[TenNtGetContextThread]&  }&}& &static NAKED NTSTATUS Nakd_NtSetThreadContext(HANDLE hThread, PCONTEXT pContext)&{&  __asm&  {&    jmp    dword ptr[TenNtSetContextThread]&  }&}& & &NTSTATUS MyNtGetThreadContext(HANDLE hThread, PCONTEXT pContext)&{& const char *pszName = (const char*)PsGetProcessImageFileName(PsGetCurrentProcess());& HANDLE hCallingThread = PsGetCurrentThreadId();&&& KdPrint((&[MyNtGetThreadContext] pszName: %s, hThread:%x, hCallingThread: %d\n&, pszName));& if ( _stricmp(pszName, DNF_EXE) )& {& NTSTATUS result = Nakd_NtGetThreadContext(hThread, pContext);& // KdPrint((&[MyNtGetThreadContext] result: %d\n&, result));&& }& return STATUS_SUCCESS;&}& & &NTSTATUS MyNtSetThreadContext(HANDLE hThread, PCONTEXT pContext)&{& const char *pszName = (const char*)PsGetProcessImageFileName(PsGetCurrentProcess());& KdPrint((&[MyNtGetThreadContext] pszName: %s, hThread:%x, hCallingThread: %d\n&, pszName));&&& if ( _stricmp(pszName, DNF_EXE) )& {& NTSTATUS result = Nakd_NtSetThreadContext(hThread, pContext); & // KdPrint((&[MyNtSetThreadContext] result: %d\n&, result));&& }& if ( pContext-&Dr7 == 0x101 )& {& 
return Nakd_NtSetThreadContext(hThread, pContext); & }& return STATUS_SUCCESS; &}&&&NTSTATUS My_Recovery_HardwareBreakpoint()&{&  KIRQL    I&  uNtSetContextThreadAddress = (ULONG)KeServiceDescriptorTable-&ServiceTableBase+0xD5 * 4;&  uNtGetContextThreadAddress = (ULONG)KeServiceDescriptorTable-&ServiceTableBase+0x55 * 4;& &  TenNtSetContextThread = *(ULONG*)uNtSetContextThreadA&  TenNtGetContextThread = *(ULONG*)uNtGetContextThreadA& &  KdPrint((&TenNtSetContextThread:%0X\n&,TenNtSetContextThread));&  KdPrint((&TenNtGetContextThread:%0X\n&,TenNtGetContextThread));& &  KdPrint((&Process:%0X \n&,(ULONG)p_MyHookAddress));&  KdPrint((&Thread:%0X \n&,(ULONG)p_MyHookAddress));& &  WPOFF();  &  Irql=KeRaiseIrqlToDpcLevel();& &  *(ULONG*)uNtGetContextThreadAddress = (ULONG)MyNtGetThreadC&  *(ULONG*)uNtSetContextThreadAddress = (ULONG)MyNtSetThreadC& &  KeLowerIrql(Irql);&  WPON();    & &  return STATUS_UNSUCCESSFUL; &}&&&NTSTATUS DispatchIoCtrl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)&{&    ULONG ioControlC&    ULONG inBufLength, outBufL& & NTSTATUS status = STATUS_SUCCESS;& PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);& &    inBufLength = irpStack-&Parameters.DeviceIoControl.InputBufferL&    outBufLength = irpStack-&Parameters.DeviceIoControl.OutputBufferL&    ioControlCode = irpStack-&Parameters.DeviceIoControl.IoControlC& &    switch (ioControlCode)& {& default:& DbgPrint(&Unknown IOCTL: 0x%X (%04X)&,& ioControlCode, IoGetFunctionCodeFromCtlCode(ioControlCode));& status = STATUS_INVALID_PARAMETER;& Irp-&rmation = 0;&    }& & Irp-&IoStatus.Status =&    IoCompleteRequest(Irp, IO_NO_INCREMENT);&   &}&&&NTSTATUS DispatchCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)&{& Irp-&IoStatus.Status = STATUS_SUCCESS;& Irp-&rmation = 0;&    IoCompleteRequest(Irp, IO_NO_INCREMENT);&    return Irp-&IoStatus.S&}&&&VOID OnUnload(IN PDRIVER_OBJECT DriverObject)&{& UNICODE_STRING usL & & DbgPrint(&DNF Cracker Unloaded!&);& & RtlInitUnicodeString(&usLink, 
SymbolicLink);&    IoDeleteSymbolicLink(&usLink);&    IoDeleteDevice(DriverObject-&DeviceObject);&}&&&VOID My_RecoveryHook_AntiRestart()&{& KIRQL    I& NTSTATUS status = STATUS_UNSUCCESSFUL;& BYTE *pTesSafeAddress = NULL;& ULONG lTesSafeSize = 0;& BYTE *pHookAddress = NULL;& BYTE  JUMP[1] = {0xeb};& BYTE RET[1]={0xC3};& BYTE *RestartCheckFunction1HookPoint, &&&*RestartCheckFunction2HookPoint,&&&*RestartFunctionHookPoint = 0;&&& if ( !NT_SUCCESS(GetTesSafeAddress(&pTesSafeAddress, &lTesSafeSize)) )& {&& }&&& RestartCheckFunction1HookPoint = pTesSafeAddress + 0x5f72;  //insert ret at begin& RestartCheckFunction2HookPoint = pTesSafeAddress + 0x41e0; // insert ret at begin& RestartFunctionHookPoint = pTesSafeAddress + 0x163c; //restart function. insert ret at begin.&&& WPOFF();  & Irql=KeRaiseIrqlToDpcLevel();& & RtlCopyMemory(RestartCheckFunction1HookPoint, RET, sizeof(RET));& RtlCopyMemory(RestartCheckFunction2HookPoint, RET, sizeof(RET));& RtlCopyMemory(RestartFunctionHookPoint, RET, sizeof(RET));&&& KeLowerIrql(Irql);& WPON();  &}&&&NTSTATUS ModifyKiAttachProcessHook()&{& KIRQL I& NTSTATUS status = STATUS_UNSUCCESSFUL;& BYTE *pTesSafeAddress = NULL;& ULONG lTesSafeSize = 0;& BYTE *pHookAddress = NULL;& BYTE bHookPattern[] = { 0x8b, 0xff, 0x55, 0x8b, 0xec, 0x81, 0xec, 0x00, 0x01, 0x00, 0x00, 0x60, 0x9c, 0xb8, 'x', 'x', 'x', 'x', 0x33, 0xc9, 0x41, 0xf0, 0x0f, 0xc1, 0x08, 0xff, 0x15, 0x4c, 'x', 'x', 'x', 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x3b, 0x05, 0xe0, 'x', 'x', 'x', 0x75, 0x05, 0xe9, 0xc0, 0x00, 0x00, 0x00, 0x6a, 0x10, 0xff, 0x75, 0xfc, 0xe8, 0x76, 0xfb, 0xff, 0xff, 0x0f, 0xb6, 0xc0, 0x85, 0xc0, 0x74, 0x05, 0xe9, 0xaa, 0x00, 0x00, 0x00, 0x6a, 0x10, 0xff, 0x75, 0x0c, 0xe8, 0x20, 0xfc, 0xff, 0xff, 0x0f, 0xb6, 0xc0, 0x85, 0xc0, 0x75, 0x05, 0xe9, 0x94, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x00, 0x8b, 0x40, 0x04, 0x89, 0x45, 0xf8, 0x83, 0x3d, 0x58, 'x', 'x', 'x', 'x', 0x74, 0x1d, 0x8b, 0x45, 0xf8, 0x3b, 0x05, 0x58, 'x', 'x', 'x', 0x72, 0x12 };& BYTE bReplaces[] = { 0xe9, 
0xec, 0x00, 0x00, 0x00 };&&& if ( !NT_SUCCESS(GetTesSafeAddress(&pTesSafeAddress, &lTesSafeSize)) )& {& return STATUS_UNSUCCESSFUL;& }&&& pHookAddress = FindBytePattern(& bHookPattern, sizeof(bHookPattern), pTesSafeAddress, pTesSafeAddress + lTesSafeSize);& if ( NULL == pHookAddress )& return STATUS_UNSUCCESSFUL;&&& WPOFF();  & Irql=KeRaiseIrqlToDpcLevel();& & // eb b0f834cd e9& // ed b0f834ce 000000ec& RtlCopyMemory(pHookAddress + 0xd, bReplaces, sizeof(bReplaces));&&& KeLowerIrql(Irql);& WPON();  &&&&}&&&BOOLEAN UnHookTesSafeHooks()&{& BYTE *pTesSafeAddress = NULL;& ULONG lTesSafeSize = 0;&&& return NT_SUCCESS(GetTesSafeAddress(&pTesSafeAddress, &lTesSafeSize));&}&&&VOID HookNtNFuncs()&{& if ( UnHookTesSafeHooks() )& {& My_RecoveryHook_AntiRestart();& ModifyKiAttachProcessHook();& My_RecoveryHook_NtReadAndWriteMemory();& My_RecoveryHook_NtOpenProcess();& My_RecoveryHook_NtOpenThread();& My_Recovery_HardwareBreakpoint();& }&}&&&NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)&{& NTSTATUS& PDEVICE_OBJECT DvcO& UNICODE_STRING usDevice, usL& PLIST_E***Y pLE = (PLIST_E***Y)DriverObject-&DriverS& & & pLE-&Flink-&Blink = pLE-&B& pLE-&Blink-&Flink = pLE-&F& & DriverObject-&DriverUnload = OnU& & & RtlInitUnicodeString(&usDevice, DeviceLink);& status = IoCreateDevice(DriverObject, 0, &usDevice, FILE_DEVICE_UNKNOWN, 0, TRUE, &DvcObj);& if (!NT_SUCCESS(status))& {& DbgPrint(&Failed to create device!\n&);&& }& & & RtlInitUnicodeString(&usLink, SymbolicLink);&    status = IoCreateSymbolicLink(&usLink, &usDevice);&    if (!NT_SUCCESS(status))&    {&        IoDeleteDevice(DriverObject-&DeviceObject);& DbgPrint(&Failed to create symbolic link!\n&);&       &    }& & & DriverObject-&MajorFunction[IRP_MJ_SHUTDOWN] =&    DriverObject-&MajorFunction[IRP_MJ_CREATE] =&    DriverObject-&MajorFunction[IRP_MJ_CLOSE] = DispatchCreateC& DriverObject-&MajorFunction[IRP_MJ_DEVICE_CO***OL] = DispatchIoC&&& HookNtNFuncs();& DbgPrint(&DNF Cracker Loaded!&);& 
return STATUS_SUCCESS;&}&&我的驱动没有过内核调试禁用保护,我是直接在windbg里设置了下面这么一个断点过内核调试保护的:&&bp KdDisableDebugger&eb nt!KdDisableDebugger+26 75;eb nt!KdDisableDebugger+41 75;ebTesSafe+5069 74;eb TesSafe+2703 75;bd 0;g&&问题&&启动dnf以后,可以用OD调试了,我试过我爱破解版本的OD,也试过郁金香版本的OD,可以附加dnf,但是附加的时候,我在CPU窗口看不到汇编代码,如果我在OD里中断dnf运行,eip的值竟然是这么一个值,这个值导致我没有办法恢复dnf的执行。&&我也可以在数据窗口里dd一些内存地址,查看内存数据,但是我设置了硬件写入断点以后,看到内存那个值已经改变了,但OD就是不能中断dnf,哪位大侠帮我看看是不是我的驱动出问题了,还是OD设置有问题。&&&我还是第一次用广海,不知道怎么悬赏,有帮忙解决的大侠,可以给50金钱。&&&谢谢&killmyday&&&
debugPort有没有处理掉?
没有处理,因为我看了可以做内核调试,就觉得这个可能没有必要,就没有处理了,这个debug port跟设置硬件断点有关系吗?我一直以为debug port是跟内核调试有关系的。我先试试,谢谢指点。
CPU窗口看不到汇编代码。。。我也一样
应该就是debugPort的问题
好像就是说OD收不到信息了
是因为debugPort没有搞定。另外如果搞定了,记得分享下。。谢谢先。。。
搞定啦,现在已经可以在我设置的内存位置中断了,再次感谢,这是恢复Debugport的代码:&&NTSTATUS My_Recovery_Debugport()&{&&&&&BYTE&&*sd1 = NULL,*sd2 = NULL,*pd = NULL;&&&&&BYTE&&*p;&&&&&KIRQL&&I&&&&&BYTE&&C390[2] = {0xc3,0x90};&&&&&NTSTATUS status = STATUS_UNSUCCESSFUL;&&&&&BYTE *pTesSafeAddress = NULL;&&&&&ULONG lTesSafeSize = 0;&&&&&ULONG i = 0, number = 0;& &&&&&if ( !NT_SUCCESS(GetTesSafeAddress(&pTesSafeAddress, &lTesSafeSize)) )&&&&&{&&&&&&&&&return FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;&&&&&}&&&&&&p = pTesSafeAddress + 20;&&&&&for (i = 0; i & lTesSafeSize - 20; i++,p++)&&&&&{&&&&&if ((*(p-1) == 0x18) &&&&&&&&&&&(*(p-2) == 0x87) &&&&&&&&&&&(*(p-3) == 0xDB) &&&&&&&&&&&(*(p-4) == 0x33) &&&&&&&&&&&(*(p-5) == 0x07) &&&&&&&&&&&(*(p-6) == 0x03) &&&&&&&&&&&(*p&&&&== 0x33) &&&&&&&&&&&(*(p+1) == 0xC0) &&&&&&&&&&&(*(p+7) == 0x3B) &&&&&&&&&&&(*(p+8) == 0xD8) )&&&&&{&&&&&&&&&KdPrint((&--SD1 -- %0X \n&,(ULONG)p));&&&&&&&&&sd1 =&&&&&&&&&number += 1; &&&&&}&&&&&if ((*(p-1) == 0x07) &&&&&&&&&&&(*(p-2) == 0x87) &&&&&&&&&&&(*(p-3) == 0xC0) &&&&&&&&&&&(*(p-4) == 0x33) &&&&&&&&&&&(*(p+14)== 0x89) &&&&&&&&&&&(*(p+15)== 0x1C) &&&&&&&&&&&(*(p+16)== 0x38) &&&&&&&&&&&(*p&&&&== 0xA1))&&&&&{&&&&&&&&&KdPrint((&--SD2 -- %0X \n&,(ULONG)p));&&&&&&&&&sd2 =&&&&&&&&&number += 1;&&&&&&&}&&&&&if ((*(p-2) == 0xE3) &&&&&&&&&&&(*(p-3) == 0xC1) &&&&&&&&&&&(*(p-7) == 0xF3) &&&&&&&&&&&(*(p-8) == 0x33) &&&&&&&&&&&(*(p-10)== 0xEB) &&&&&&&&&&&(*(p-11)== 0xC1) &&&&&&&&&&&(*(p+1) == 0xF3) &&&&&&&&&&&(*(p+2) == 0x42) &&&&&&&&&&&(*(p+3) == 0x3B) &&&&&&&&&&&(*(p+4) == 0xD1) &&&&&&&&&&&(*p&&&&== 0x33))&&&&&{&&&&&&&&&KdPrint((&--PD -- %0X \n&,(ULONG)p));&&&&&&&&&pd =&&&&&&&&&number+=1; &&&&&}&&&&&if (number &= 3)&&&&&{&&&&&&&&&KdPrint((&number %d ---quit\n&,number));&&&&&&&&&&&&&&}&&&&&}& &&&&&while (1)&&&&&{&&&&&&&&&if ((*(pd-1) == 0xcc) && (*(pd-2) == 0xcc))&&&&&&&&&{&&&&&&&&&&&&&KdPrint((&pd address:%0X \n&,(ULONG)pd));&&&&&&&&&&&&&WPOFF(); 
&&&&&&&&&&&&&Irql=KeRaiseIrqlToDpcLevel();&&&&&&&&&&&&&RtlCopyMemory(pd,C390,2);&&&&&&&&&&&&&KeLowerIrql(Irql);&&&&&&&&&&&&&WPON();&&&&&&&&&&&&&&&&&&&&&&&&&&}&&&&&&&&&pd--;&&&&&}&&&&&while (1)&&&&&{&&&&&&&&&if ((*(sd1-1) == 0xcc) && (*(sd1-2) == 0xcc))&&&&&&&&&{&&&&&&&&&&&&&KdPrint((&sd1 address:%0X \n&,(ULONG)sd1));&&&&&&&&&&&&&WPOFF();&&&&&&&&&&&&&&&Irql=KeRaiseIrqlToDpcLevel();&&&&&&&&&&&&&RtlCopyMemory(sd1,C390,2);&&&&&&&&&&&&&KeLowerIrql(Irql);&&&&&&&&&&&&&WPON();&&&&&&&&&&&&&&&&&&&&&&&&&&}&&&&&&&&&sd1--;&&&&&}&&&&&while (1)&&&&&{&&&&&&&&&if ((*(sd2-1) == 0xcc) && (*(sd2-2) == 0xcc))&&&&&&&&&{&&&&&&&&&&&&&KdPrint((&sd2 address:%0X \n&,(ULONG)sd2));&&&&&&&&&&&&&WPOFF(); &&&&&&&&&&&&&Irql=KeRaiseIrqlToDpcLevel();&&&&&&&&&&&&&RtlCopyMemory(sd2,C390,2);&&&&&&&&&&&&&KeLowerIrql(Irql);&&&&&&&&&&&&&WPON();&& &&&&&&&&&&&&&&&&&&&&&&}&&&&&&&&&sd2--;&&&&&}& &&&&&return&&STATUS_SUCCESS;&}&&这段代码也是我从网上找资料找到的,里面TX如何清零的代码我还没有搞大明白,等搞明白了,一定跟大家分享一下。哈哈。&&&@bobo1kiss,我怎么把分给你?&再次感谢。&
不用了哈哈,感谢你能把源码放出,我仅代表我朝全体人民表示非常欣慰 咩哈哈哈
呵呵
什么时候能写个DNF外挂源码出来看看,支持无私奉献
不错
谢谢
BYTE bHookPattern[] = { 0x50,0xff,0x75,0xd0,0xff,0x35,'x','x','x','x',0x56,0x8d,0x85,0x4c,0xff,0xff,0xff,0x50,0xff,0x75,0xcc,0xff,0x75,0xe0,0xe8,'x','x','x','x',0x8b,0xf8,0x8d,0x85,0x4c,0xff,0xff,0xff,0x50, };& &未见过如此多代码,请问楼主这部分什么意思?&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
感谢楼主的分享精神。
我得好好研究下,谢谢无私分享!
都是大牛啊,膜拜啊
能请教个问题吗&我刚刚学驱动&我ddk编译报错了一个地方 &mini_ddk.c(191) : error C4013: 'GetTesSafeAddress' assuming extern returning int&&if ( !NT_SUCCESS(GetTesSafeAddress(&pTesSafeAddress, &lTesSafeSize)) )&{ &&&&&FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;&}
MyEnumKernelModule:\??\C:\WINDOWS\system32\TesSafe.sys:B7167000 &--SD2 -- B716968A &--PD -- B716B221 &--SD1 -- B716BF73 &number 3 ---quit&pd address:B716B1E0 &sd1 address:B716BF2C &sd2 address:B7169638 &TenNtSetContextThread:805D273A&TenNtGetContextThread:805D252A&Process:805CC8E0 &Thread:805CC8E0 &DNF Cracker Loaded!&请问 这个算成功了吗 可是为什么可执行模块没有exe呢 全是dll
高手。。。。。。。。。。。。。。。。。
围观。直接给个成品吧
#define ThreadLength 0x190
#define ProcessLength 0x184
长度是不是不对啊。
很久没能在广海看到这样的帖子了
这是什么?
LZ研究得不错,把过程写得很好。谢谢
驱动正真的好难学
新手学习一下