[求助] DNF已经可以调试,不能下断点,附上驱动源码,请大侠们指点一下。
驱动源码:&include &ntddk.h&define ThreadLength 0x190 define ProcessLength 0x184 define DeviceLink L&\\Device\\DNFCracker&define SymbolicLink L&\\DosDevices\\DNFCracker&define IOCTL_RESTORE (ULONG)CTL_CODE(FILE_DEVICE_UNKNOWN, 0x886, METHOD_BUFFERED, FILE_ANY_ACCESS)&&define BYTE unsigned chardefine FAILED_TO_OBTAIN_FUNCTION_ADDRESSES -1&typedef struct _SYSTEM_MODULE_INFORMATION_E***Y {& HANDLE S& PVOID MappedB& PVOID B& ULONG S& ULONG F& USHORT LoadOrderI& USHORT InitOrderI& USHORT LoadC& USHORT PathL& CHAR ImageName[256];&} SYSTEM_MODULE_INFORMATION_E***Y, *PSYSTEM_MODULE_INFORMATION_E***Y;&&&typedef struct _SYSTEM_MODULE_INFORMATION {& ULONG C& SYSTEM_MODULE_INFORMATION_E***Y Module[1];&} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;&&&NTSTATUS ZwQuerySystemInformation(ULONG systemInformationClass,& PVOID systemInformation,& ULONG systemInformationLength,& PULONG returnLength);&&&UCHAR* PsGetProcessImageFileName(IN PEPROCESS Process );&&&typedef NTSTATUS (* NTOPENTHREAD)(& OUT PHANDLE ThreadHandle,& IN ACCESS_MASK DesiredAccess,& IN POBJECT_ATTRIBUTES ObjectAttributes,& IN OPTIONAL PCLIENT_ID ClientId&);&typedef NTSTATUS (* NTOPENPROCESS)(& OUT PHANDLE ProcessHandle,& IN ACCESS_MASK DesiredAccess,& IN POBJECT_ATTRIBUTES ObjectAttributes,& IN PCLIENT_ID ClientId&);&typedef struct _SERVICE_DESCRIPTOR_TABLE&{& PVOID ServiceTableB& PULONG ServiceCounterTableB& ULONG NumberOfS& ULONG ParamTableB&}&SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;&extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorT&&define NAKED _declspec(naked)&&pragma pack(1)&typedef struct _TOP5CODE&{& UCHAR & ULONG &}TOP5CODE,*PTOP5CODE;pragma pack( )& &typedef struct _ServiceDescriptorTable {& PVOID ServiceTableB & PVOID ServiceCounterT & unsigned int NumberOfS& PVOID ParamTableB &}*PServiceDescriptorT& &ULONG MyGetFunAddress( IN PCWSTR FunctionName)&{& UNICODE_STRING UniCodeFunctionN& RtlInitUnicodeString( &UniCodeFunctionName, FunctionName );& return (ULONG)MmGetSystemRoutineAddress( 
&UniCodeFunctionName ); &}& &ULONG myGetCurrentAddress(IN ULONG index)&{& ULONG SSDT_Cur_A& __asm& {& push ebx& push eax& mov ebx,KeServiceDescriptorTable& mov ebx,[ebx]& mov eax,index& shl eax,2& add ebx,eax& mov ebx,[ebx]& mov SSDT_Cur_Addr,ebx& pop eax& pop ebx& }& & return SSDT_Cur_A&}& &VOID WPOFF()&{& __asm& {& cli& mov eax,cr0& and eax,not 10000h& mov cr0,eax& }&}& &VOID WPON()&{& __asm& {& mov eax,cr0& or eax,10000h& mov cr0,eax& sti& }&}&&&NTSTATUS MyEnumKernelModule(IN CHAR* str,OUT ULONG *moduleadd,OUT ULONG *modulesie)&{& NTSTATUS status = STATUS_SUCCESS;& ULONG n = 0;& ULONG i = 0;& PSYSTEM_MODULE_INFORMATION_E***Y module = NULL;& PVOID pbuftmp = NULL;& ANSI_STRING ModuleName1,ModuleName2;& BOOLEAN tlgstst= FALSE; & & status = ZwQuerySystemInformation(11, &n, 0, &n);& & pbuftmp = ExAllocatePool(NonPagedPool, n);& & status = ZwQuerySystemInformation(11, pbuftmp, n, NULL);& & module = (PSYSTEM_MODULE_INFORMATION_E***Y)((PULONG )pbuftmp + 1 );& & RtlInitAnsiString(&ModuleName1,str);& //& n = *((PULONG)pbuftmp );& for ( i = 0; i & i++ )& {& RtlInitAnsiString(&ModuleName2,(PCSZ)&module.ImageName);& if (RtlCompareString(&ModuleName1,&ModuleName2,TRUE) == 0)& {& DbgPrint(&MyEnumKernelModule:%s:%0X \n&,ModuleName2.Buffer,module.Base);& *moduleadd = (ULONG)module.B& *modulesie = module.S& tlgstst = TRUE;& & }& }& ExFreePool(pbuftmp);& if (tlgstst == FALSE)& {& return FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;& }& &}& &BOOLEAN MatchByte(BYTE bSrc, BYTE bDest)&{& if ( bDest == 'X' || bDest == 'x' )& return TRUE;& else if ( bSrc == 'X' || bSrc == 'x' )& return TRUE;& else& return bSrc == bD&}&&&BYTE *FindBytePattern(BYTE *pPattern, size_t length, BYTE *pRangeBegin, BYTE *pRangeEnd)&{& BYTE *pIter = pRangeB& BYTE *pPatternIter = NULL;& BYTE *pMatcher = NULL;&&& if ( NULL == pPattern ) return NULL;& if ( NULL == pRangeBegin ) return NULL;& if ( NULL == pRangeEnd ) return NULL;& if ( pRangeEnd - pRangeBegin &= 0 ) return NULL;&&& while ( pIter & pRangeEnd ) {& pPatternIter 
= pP& pMatcher = pI& while ( MatchByte(*pPatternIter, *pMatcher) ) {& pPatternIter++;& pMatcher++;& }&&& if ( pPatternIter - pPattern == length )& {& return pI& }& else& {& pPatternIter = pP& pIter++;& }& }&&& return NULL;&}&&&BYTE *g_pTesSafeAddress = NULL;&ULONG g_TesSafeSize = 0;&NTSTATUS GetTesSafeAddress(BYTE **ppAddress, ULONG *pSize)&{& NTSTATUS status = STATUS_UNSUCCESSFUL;& if ( g_pTesSafeAddress == NULL )& {& status = MyEnumKernelModule(&\\??\\c:\\windows\\system32\\tessafe.sys&, &(ULONG)g_pTesSafeAddress, &g_TesSafeSize);& if (!NT_SUCCESS(status))& {& DbgPrint(&TesSafe is not loaded yet\n&);&& }& }& else& {& *ppAddress = g_pTesSafeA& *pSize = g_TesSafeS& }& & return STATUS_SUCCESS;&}&&&VOID Hook();&VOID Unhook();&NTOPENTHREAD OldT&NTOPENPROCESS OldP&ULONG AddrRead, AddrW&ULONG OrgRead[2], OrgWrite[2];&ULONG OrgKdDD[2];&UCHAR MyThread[ThreadLength], MyProcess[ProcessLength];& &NTSTATUS My_RecoveryHook_NtReadAndWriteMemory()&{& BYTE Push1Ch[2] = {0x6a,0x1c}; & //BYTE PushAdd[5] = {0x68,0x12,0x34,0x56,0x78}; & BYTE PushAdd_ReadMemory[5] = {0x68,0xd8,0xa4,0x4d,0x80};& BYTE PushAdd_WriteMemory[5] = {0x68,0xf0,0xa4,0x4d,0x80};& KIRQL I& BYTE *NtReadVirtualMemoryAddress = NULL; & BYTE *NtWriteVirtualMemoryAddress = NULL; & & NtReadVirtualMemoryAddress = (BYTE*)myGetCurrentAddress(0xBA);& if (NtReadVirtualMemoryAddress == NULL)& {& KdPrint((&Failed to get address of NtReadVirtualMemory! \n&));& return FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;& }& NtWriteVirtualMemoryAddress = (BYTE*)myGetCurrentAddress(0x115);& if (NtWriteVirtualMemoryAddress == NULL)& {& KdPrint((&Failed to get address of NtWriteVirtualMemory! 
\n&));& return FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;& }&&& WPOFF(); & Irql=KeRaiseIrqlToDpcLevel();& RtlCopyMemory(NtReadVirtualMemoryAddress,Push1Ch,2);& RtlCopyMemory(NtReadVirtualMemoryAddress+2,PushAdd_ReadMemory,5);& & RtlCopyMemory(NtWriteVirtualMemoryAddress,Push1Ch,2);& RtlCopyMemory(NtWriteVirtualMemoryAddress+2,PushAdd_WriteMemory,5);& KeLowerIrql(Irql);& WPON(); & & return STATUS_SUCCESS;&}&PEPROCESS processEPROCESS = NULL; &ANSI_STRING p_str1,p_str2; &BYTE *ObOpenObjectByPointerAddress = NULL;&BYTE *p_OpenProcess_TpHookAddress = NULL; &BYTE *p_OpenThread_TpHookAddress = NULL; &BYTE *p_OpenProcess_ReturnAddress = NULL; &BYTE *p_OpenThread_ReturnAddress = NULL; &BYTE *p_MyHookAddress = NULL; define DNF_EXE &DNF.exe& & &//NtOpenThread用到的全局变量[为了方便堆栈平衡的处理使用全局变量]&PEPROCESS threadEPROCESS = NULL; //保存访问者的EPROCESS&ANSI_STRING t_str1,t_str2; //保存进程名称&&&//////////////////////////////////////////////////////////////////////&// 名称: Nakd_NtOpenThread&// 功能: My_RecoveryHook_NtOpenThread的中继函数&// 参数: &// 返回: &//////////////////////////////////////////////////////////////////////&static NAKED VOID Nakd_NtOpenThread()&{& //获得调用者的EPROCESS& threadEPROCESS = IoGetCurrentProcess();& //将调用者的进程名保存到str1中& RtlInitAnsiString(&t_str1,(PCSZ)((ULONG)threadEPROCESS+0x174));& //将我们要比对的进程名放入str2& RtlInitAnsiString(&t_str2,DNF_EXE);& if (RtlCompareString(&t_str1,&t_str2,TRUE) == 0)& {& //说明是DNF进程访问了这里& __asm& {& push dword ptr [ebp-34h]& push dword ptr [ebp-20h]& push p_OpenThread_ReturnAddress& mov eax,p_OpenThread_TpHookAddress& jmp eax& }& }& else& {& __asm& {& push dword ptr [ebp-34h]& push dword ptr [ebp-20h]& push p_OpenThread_ReturnAddress& mov eax,ObOpenObjectByPointerAddress& jmp eax& }& }&}&&&//////////////////////////////////////////////////////////////////////&// 名称: My_RecoveryHook_NtOpenProcess&// 功能: 解除游戏保护对NtOpenProcess的HOOK&// 参数: &// 返回: 状态&//////////////////////////////////////////////////////////////////////&NTSTATUS My_RecoveryHook_NtOpenThread()&{& BYTE 
*NtOpenThreadAddress = NULL; //NtOpenProcess的地址& BYTE *p = NULL; //临时& TOP5CODE *top5code = NULL; //保存5字节内容& BYTE JmpAddress[6] = {0xE9,0,0,0,0,0x90};& BYTE *pHookAddress = NULL;& // 从805c2724这个位置开始,也就是NtOpenThread + 0x202的位置& BYTE bHookPattern[] = { 0x50,0xff,0x75,0xd0,0xff,0x35,'x','x','x','x',0x56,0x8d,0x85,0x4c,0xff,0xff,0xff,0x50,0xff,0x75,0xcc,0xff,0x75,0xe0,0xe8,'x','x','x','x',0x8b,0xf8,0x8d,0x85,0x4c,0xff,0xff,0xff,0x50, };& KIRQL I& int i = 0;&&& //获取NtOpenProcess的地址& NtOpenThreadAddress = (BYTE*)MyGetFunAddress(L&NtOpenThread&);& if (NtOpenThreadAddress == NULL)& {& KdPrint((&NtOpenProcess地址获取失败\n&));& return FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;& }& //获取ObOpenObjectByPointer的地址& ObOpenObjectByPointerAddress = (BYTE*)MyGetFunAddress(L&ObOpenObjectByPointer&);& if (ObOpenObjectByPointerAddress == NULL)& {& KdPrint((&ObOpenObjectByPointer地址获取失败\n&));& return FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;& }& & *(ULONG *)(JmpAddress+1)=(ULONG)Nakd_NtOpenThread - (ULONG)p - 5;&&& //将p指向NtOpenProcess函数开始处& p = NtOpenThreadA & pHookAddress = FindBytePattern(& bHookPattern, sizeof(bHookPattern), NtOpenThreadAddress, NtOpenThreadAddress + 1024);& if ( NULL == pHookAddress )& return STATUS_UNSUCCESSFUL;& p = pHookAddress + 0x18;&&& //将top5code指向 p 的当前处& //用以取出 call [地址] 这5字节里面的地址& top5code = (TOP5CODE*)p;& p_OpenThread_TpHookAddress = (BYTE*)((ULONG)p+5+top5code-&address);&&& //找到我们写入自定义函数的地址& p_MyHookAddress = p-6;&&& //保存调用ObOpenObjectByPointer函数以后的返回地址& p_OpenThread_ReturnAddress = p+5;&&& //将一条JMP Nakd_NtOpenProcess写入到数组中& *(ULONG *)(JmpAddress+1)=(ULONG)Nakd_NtOpenThread - ((ULONG)p_MyHookAddress+5);&&& WPOFF(); //清除CR0& //提升IRQL中断级& Irql=KeRaiseIrqlToDpcLevel();& //写入& RtlCopyMemory(p_MyHookAddress,JmpAddress,sizeof(JmpAddress));& //恢复Irql& KeLowerIrql(Irql);& WPON(); //恢复CR0&&& return STATUS_SUCCESS;&}&&&static NAKED VOID Nakd_NtOpenProcess()&{& processEPROCESS = IoGetCurrentProcess();& RtlInitAnsiString(&p_str1,(PCSZ)((ULONG)processEPROCESS+0x174));& 
RtlInitAnsiString(&p_str2,DNF_EXE);& if (RtlCompareString(&p_str1,&p_str2,TRUE) == 0)& {& __asm& {& push dword ptr [ebp-38h]& push dword ptr [ebp-24h]& push p_OpenProcess_ReturnAddress& mov eax,p_OpenProcess_TpHookAddress& jmp eax& }& }& else& {& __asm& {& push dword ptr [ebp-38h]& push dword ptr [ebp-24h]& push p_OpenProcess_ReturnAddress& mov eax,ObOpenObjectByPointerAddress& jmp eax& }& }&}& & &NTSTATUS My_RecoveryHook_NtOpenProcess()&{& BYTE *NtOpenProcessAddress = NULL; & BYTE *p = NULL; & TOP5CODE *top5code = NULL; & BYTE JmpAddress[6] = {0xE9,0,0,0,0,0x90};& BYTE *pHookAddress = NULL;& // 从805c24a2这个位置开始,也就是NtOpenProcess + 0x20c的位置& BYTE bHookPattern[] = { 0x50,0xff,0x75,0xcc,0xff, 0x35,'x','x','x','x',0x56,0x8d,0x85,0x48,0xff,0xff,0xff,0x50,0xff,0x75,0xc8,0xff,0x75,0xdc,0xe8,'x','x','x','x',0x8b,0xf8,0x8d,0x85,0x48,0xff,0xff,0xff,0x50 };& KIRQL I&& & NtOpenProcessAddress = (BYTE*)MyGetFunAddress(L&NtOpenProcess&);& if (NtOpenProcessAddress == NULL)& {& KdPrint((&Failed to get address of NtOpenProcess\n&));& return FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;& }&&& ObOpenObjectByPointerAddress = (BYTE*)MyGetFunAddress(L&ObOpenObjectByPointer&);& if (ObOpenObjectByPointerAddress == NULL)& {& KdPrint((&Failed to get address of ObOpenObjectByPointer\n&));& return FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;& }&&& p = NtOpenProcessA & pHookAddress = FindBytePattern(& bHookPattern, sizeof(bHookPattern), NtOpenProcessAddress, NtOpenProcessAddress + 1024);& if ( NULL == pHookAddress )& return STATUS_UNSUCCESSFUL;& p = pHookAddress + 0x18;&&& top5code = (TOP5CODE*)p;& p_OpenProcess_TpHookAddress = (BYTE*)((ULONG)p+5+top5code-&address);& & p_MyHookAddress = p-6;& p_OpenProcess_ReturnAddress = p+5;& & *(ULONG *)(JmpAddress+1)=(ULONG)Nakd_NtOpenProcess - (ULONG)p_MyHookAddress - 5;& & WPOFF(); & Irql=KeRaiseIrqlToDpcLevel();& RtlCopyMemory(p_MyHookAddress, JmpAddress, sizeof(JmpAddress));& KeLowerIrql(Irql);& WPON(); & & return STATUS_SUCCESS;&} &&&ULONG uNtSetContextThreadA&ULONG 
uNtGetContextThreadA&ULONG TenNtSetContextThread, & TenNtGetContextT&static NAKED NTSTATUS Nakd_NtGetThreadContext(HANDLE hThread, PCONTEXT pContext)&{& __asm& {& jmp dword ptr[TenNtGetContextThread]& }&}& &static NAKED NTSTATUS Nakd_NtSetThreadContext(HANDLE hThread, PCONTEXT pContext)&{& __asm& {& jmp dword ptr[TenNtSetContextThread]& }&}& & &NTSTATUS MyNtGetThreadContext(HANDLE hThread, PCONTEXT pContext)&{& const char *pszName = (const char*)PsGetProcessImageFileName(PsGetCurrentProcess());& HANDLE hCallingThread = PsGetCurrentThreadId();&&& KdPrint((&[MyNtGetThreadContext] pszName: %s, hThread:%x, hCallingThread: %d\n&, pszName));& if ( _stricmp(pszName, DNF_EXE) )& {& NTSTATUS result = Nakd_NtGetThreadContext(hThread, pContext);& // KdPrint((&[MyNtGetThreadContext] result: %d\n&, result));&& }& return STATUS_SUCCESS;&}& & &NTSTATUS MyNtSetThreadContext(HANDLE hThread, PCONTEXT pContext)&{& const char *pszName = (const char*)PsGetProcessImageFileName(PsGetCurrentProcess());& KdPrint((&[MyNtGetThreadContext] pszName: %s, hThread:%x, hCallingThread: %d\n&, pszName));&&& if ( _stricmp(pszName, DNF_EXE) )& {& NTSTATUS result = Nakd_NtSetThreadContext(hThread, pContext); & // KdPrint((&[MyNtSetThreadContext] result: %d\n&, result));&& }& if ( pContext-&Dr7 == 0x101 )& {& return Nakd_NtSetThreadContext(hThread, pContext); & }& return STATUS_SUCCESS; &}&&&NTSTATUS My_Recovery_HardwareBreakpoint()&{& KIRQL I& uNtSetContextThreadAddress = (ULONG)KeServiceDescriptorTable-&ServiceTableBase+0xD5 * 4;& uNtGetContextThreadAddress = (ULONG)KeServiceDescriptorTable-&ServiceTableBase+0x55 * 4;& & TenNtSetContextThread = *(ULONG*)uNtSetContextThreadA& TenNtGetContextThread = *(ULONG*)uNtGetContextThreadA& & KdPrint((&TenNtSetContextThread:%0X\n&,TenNtSetContextThread));& KdPrint((&TenNtGetContextThread:%0X\n&,TenNtGetContextThread));& & KdPrint((&Process:%0X \n&,(ULONG)p_MyHookAddress));& KdPrint((&Thread:%0X \n&,(ULONG)p_MyHookAddress));& & WPOFF(); & 
Irql=KeRaiseIrqlToDpcLevel();& & *(ULONG*)uNtGetContextThreadAddress = (ULONG)MyNtGetThreadC& *(ULONG*)uNtSetContextThreadAddress = (ULONG)MyNtSetThreadC& & KeLowerIrql(Irql);& WPON(); & & return STATUS_UNSUCCESSFUL; &}&&&NTSTATUS DispatchIoCtrl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)&{& ULONG ioControlC& ULONG inBufLength, outBufL& & NTSTATUS status = STATUS_SUCCESS;& PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);& & inBufLength = irpStack-&Parameters.DeviceIoControl.InputBufferL& outBufLength = irpStack-&Parameters.DeviceIoControl.OutputBufferL& ioControlCode = irpStack-&Parameters.DeviceIoControl.IoControlC& & switch (ioControlCode)& {& default:& DbgPrint(&Unknown IOCTL: 0x%X (%04X)&,& ioControlCode, IoGetFunctionCodeFromCtlCode(ioControlCode));& status = STATUS_INVALID_PARAMETER;& Irp-&rmation = 0;& }& & Irp-&IoStatus.Status =& IoCompleteRequest(Irp, IO_NO_INCREMENT);& &}&&&NTSTATUS DispatchCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)&{& Irp-&IoStatus.Status = STATUS_SUCCESS;& Irp-&rmation = 0;& IoCompleteRequest(Irp, IO_NO_INCREMENT);& return Irp-&IoStatus.S&}&&&VOID OnUnload(IN PDRIVER_OBJECT DriverObject)&{& UNICODE_STRING usL & & DbgPrint(&DNF Cracker Unloaded!&);& & RtlInitUnicodeString(&usLink, SymbolicLink);& IoDeleteSymbolicLink(&usLink);& IoDeleteDevice(DriverObject-&DeviceObject);&}&&&VOID My_RecoveryHook_AntiRestart()&{& KIRQL I& NTSTATUS status = STATUS_UNSUCCESSFUL;& BYTE *pTesSafeAddress = NULL;& ULONG lTesSafeSize = 0;& BYTE *pHookAddress = NULL;& BYTE JUMP[1] = {0xeb};& BYTE RET[1]={0xC3};& BYTE *RestartCheckFunction1HookPoint, &&&*RestartCheckFunction2HookPoint,&&&*RestartFunctionHookPoint = 0;&&& if ( !NT_SUCCESS(GetTesSafeAddress(&pTesSafeAddress, &lTesSafeSize)) )& {&& }&&& RestartCheckFunction1HookPoint = pTesSafeAddress + 0x5f72; //insert ret at begin& RestartCheckFunction2HookPoint = pTesSafeAddress + 0x41e0; // insert ret at begin& RestartFunctionHookPoint = pTesSafeAddress + 0x163c; //restart function. 
insert ret at begin.&&& WPOFF(); & Irql=KeRaiseIrqlToDpcLevel();& & RtlCopyMemory(RestartCheckFunction1HookPoint, RET, sizeof(RET));& RtlCopyMemory(RestartCheckFunction2HookPoint, RET, sizeof(RET));& RtlCopyMemory(RestartFunctionHookPoint, RET, sizeof(RET));&&& KeLowerIrql(Irql);& WPON(); &}&&&NTSTATUS ModifyKiAttachProcessHook()&{& KIRQL I& NTSTATUS status = STATUS_UNSUCCESSFUL;& BYTE *pTesSafeAddress = NULL;& ULONG lTesSafeSize = 0;& BYTE *pHookAddress = NULL;& BYTE bHookPattern[] = { 0x8b, 0xff, 0x55, 0x8b, 0xec, 0x81, 0xec, 0x00, 0x01, 0x00, 0x00, 0x60, 0x9c, 0xb8, 'x', 'x', 'x', 'x', 0x33, 0xc9, 0x41, 0xf0, 0x0f, 0xc1, 0x08, 0xff, 0x15, 0x4c, 'x', 'x', 'x', 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x3b, 0x05, 0xe0, 'x', 'x', 'x', 0x75, 0x05, 0xe9, 0xc0, 0x00, 0x00, 0x00, 0x6a, 0x10, 0xff, 0x75, 0xfc, 0xe8, 0x76, 0xfb, 0xff, 0xff, 0x0f, 0xb6, 0xc0, 0x85, 0xc0, 0x74, 0x05, 0xe9, 0xaa, 0x00, 0x00, 0x00, 0x6a, 0x10, 0xff, 0x75, 0x0c, 0xe8, 0x20, 0xfc, 0xff, 0xff, 0x0f, 0xb6, 0xc0, 0x85, 0xc0, 0x75, 0x05, 0xe9, 0x94, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x00, 0x8b, 0x40, 0x04, 0x89, 0x45, 0xf8, 0x83, 0x3d, 0x58, 'x', 'x', 'x', 'x', 0x74, 0x1d, 0x8b, 0x45, 0xf8, 0x3b, 0x05, 0x58, 'x', 'x', 'x', 0x72, 0x12 };& BYTE bReplaces[] = { 0xe9, 0xec, 0x00, 0x00, 0x00 };&&& if ( !NT_SUCCESS(GetTesSafeAddress(&pTesSafeAddress, &lTesSafeSize)) )& {& return STATUS_UNSUCCESSFUL;& }&&& pHookAddress = FindBytePattern(& bHookPattern, sizeof(bHookPattern), pTesSafeAddress, pTesSafeAddress + lTesSafeSize);& if ( NULL == pHookAddress )& return STATUS_UNSUCCESSFUL;&&& WPOFF(); & Irql=KeRaiseIrqlToDpcLevel();& & // eb b0f834cd e9& // ed b0f834ce 000000ec& RtlCopyMemory(pHookAddress + 0xd, bReplaces, sizeof(bReplaces));&&& KeLowerIrql(Irql);& WPON(); &&&&}&&&BOOLEAN UnHookTesSafeHooks()&{& BYTE *pTesSafeAddress = NULL;& ULONG lTesSafeSize = 0;&&& return NT_SUCCESS(GetTesSafeAddress(&pTesSafeAddress, &lTesSafeSize));&}&&&VOID HookNtNFuncs()&{& if ( UnHookTesSafeHooks() )& {& 
My_RecoveryHook_AntiRestart();& ModifyKiAttachProcessHook();& My_RecoveryHook_NtReadAndWriteMemory();& My_RecoveryHook_NtOpenProcess();& My_RecoveryHook_NtOpenThread();& My_Recovery_HardwareBreakpoint();& }&}&&&NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)&{& NTSTATUS& PDEVICE_OBJECT DvcO& UNICODE_STRING usDevice, usL& PLIST_E***Y pLE = (PLIST_E***Y)DriverObject-&DriverS& & & pLE-&Flink-&Blink = pLE-&B& pLE-&Blink-&Flink = pLE-&F& & DriverObject-&DriverUnload = OnU& & & RtlInitUnicodeString(&usDevice, DeviceLink);& status = IoCreateDevice(DriverObject, 0, &usDevice, FILE_DEVICE_UNKNOWN, 0, TRUE, &DvcObj);& if (!NT_SUCCESS(status))& {& DbgPrint(&Failed to create device!\n&);&& }& & & RtlInitUnicodeString(&usLink, SymbolicLink);& status = IoCreateSymbolicLink(&usLink, &usDevice);& if (!NT_SUCCESS(status))& {& IoDeleteDevice(DriverObject-&DeviceObject);& DbgPrint(&Failed to create symbolic link!\n&);& & }& & & DriverObject-&MajorFunction[IRP_MJ_SHUTDOWN] =& DriverObject-&MajorFunction[IRP_MJ_CREATE] =& DriverObject-&MajorFunction[IRP_MJ_CLOSE] = DispatchCreateC& DriverObject-&MajorFunction[IRP_MJ_DEVICE_CO***OL] = DispatchIoC&&& HookNtNFuncs();& DbgPrint(&DNF Cracker Loaded!&);& return STATUS_SUCCESS;&}&&我的驱动没有过内核调试禁用保护,我是直接在windbg里设置了下面这么一个断点过内核调试保护的:&&bp KdDisableDebugger&eb nt!KdDisableDebugger+26 75;eb nt!KdDisableDebugger+41 75;ebTesSafe+5069 74;eb TesSafe+2703 75;bd 0;g&&问题&&启动dnf以后,可以用OD调试了,我试过我爱破解版本的OD,也试过郁金香版本的OD,可以附加dnf,但是附加的时候,我在CPU窗口看不到汇编代码,如果我在OD里中断dnf运行,eip的值竟然是这么一个值,这个值导致我没有办法恢复dnf的执行。&&我也可以在数据窗口里dd一些内存地址,查看内存数据,但是我设置了硬件写入断点以后,看到内存那个值已经改变了,但OD就是不能中断dnf,哪位大侠帮我看看是不是我的驱动出问题了,还是OD设置有问题。&&&我还是第一次用广海,不知道怎么悬赏,有帮忙解决的大侠,可以给50金钱。&&&谢谢&killmyday&&&
debugPort有没有处理掉?
没有处理,因为我看了可以做内核调试,就觉得这个可能没有必要,就没有处理了,这个debug port跟设置硬件断点有关系吗?我一直以为debug port是跟内核调试有关系的。我先试试,谢谢指点。
CPU窗口看不到汇编代码……我也一样。
应该就是debugPort的问题,
好像就是说OD收不到信息了。
是因为debugPort没有搞定。另外如果搞定了,记得分享下。。谢谢先。。。
搞定啦,现在已经可以在我设置的内存位置中断了,再次感谢,这是恢复Debugport的代码:&&NTSTATUS My_Recovery_Debugport()&{&&&&&BYTE&&*sd1 = NULL,*sd2 = NULL,*pd = NULL;&&&&&BYTE&&*p;&&&&&KIRQL&&I&&&&&BYTE&&C390[2] = {0xc3,0x90};&&&&&NTSTATUS status = STATUS_UNSUCCESSFUL;&&&&&BYTE *pTesSafeAddress = NULL;&&&&&ULONG lTesSafeSize = 0;&&&&&ULONG i = 0, number = 0;& &&&&&if ( !NT_SUCCESS(GetTesSafeAddress(&pTesSafeAddress, &lTesSafeSize)) )&&&&&{&&&&&&&&&return FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;&&&&&}&&&&&&p = pTesSafeAddress + 20;&&&&&for (i = 0; i & lTesSafeSize - 20; i++,p++)&&&&&{&&&&&if ((*(p-1) == 0x18) &&&&&&&&&&&(*(p-2) == 0x87) &&&&&&&&&&&(*(p-3) == 0xDB) &&&&&&&&&&&(*(p-4) == 0x33) &&&&&&&&&&&(*(p-5) == 0x07) &&&&&&&&&&&(*(p-6) == 0x03) &&&&&&&&&&&(*p&&&&== 0x33) &&&&&&&&&&&(*(p+1) == 0xC0) &&&&&&&&&&&(*(p+7) == 0x3B) &&&&&&&&&&&(*(p+8) == 0xD8) )&&&&&{&&&&&&&&&KdPrint((&--SD1 -- %0X \n&,(ULONG)p));&&&&&&&&&sd1 =&&&&&&&&&number += 1; &&&&&}&&&&&if ((*(p-1) == 0x07) &&&&&&&&&&&(*(p-2) == 0x87) &&&&&&&&&&&(*(p-3) == 0xC0) &&&&&&&&&&&(*(p-4) == 0x33) &&&&&&&&&&&(*(p+14)== 0x89) &&&&&&&&&&&(*(p+15)== 0x1C) &&&&&&&&&&&(*(p+16)== 0x38) &&&&&&&&&&&(*p&&&&== 0xA1))&&&&&{&&&&&&&&&KdPrint((&--SD2 -- %0X \n&,(ULONG)p));&&&&&&&&&sd2 =&&&&&&&&&number += 1;&&&&&&&}&&&&&if ((*(p-2) == 0xE3) &&&&&&&&&&&(*(p-3) == 0xC1) &&&&&&&&&&&(*(p-7) == 0xF3) &&&&&&&&&&&(*(p-8) == 0x33) &&&&&&&&&&&(*(p-10)== 0xEB) &&&&&&&&&&&(*(p-11)== 0xC1) &&&&&&&&&&&(*(p+1) == 0xF3) &&&&&&&&&&&(*(p+2) == 0x42) &&&&&&&&&&&(*(p+3) == 0x3B) &&&&&&&&&&&(*(p+4) == 0xD1) &&&&&&&&&&&(*p&&&&== 0x33))&&&&&{&&&&&&&&&KdPrint((&--PD -- %0X \n&,(ULONG)p));&&&&&&&&&pd =&&&&&&&&&number+=1; &&&&&}&&&&&if (number &= 3)&&&&&{&&&&&&&&&KdPrint((&number %d ---quit\n&,number));&&&&&&&&&&&&&&}&&&&&}& &&&&&while (1)&&&&&{&&&&&&&&&if ((*(pd-1) == 0xcc) && (*(pd-2) == 0xcc))&&&&&&&&&{&&&&&&&&&&&&&KdPrint((&pd address:%0X \n&,(ULONG)pd));&&&&&&&&&&&&&WPOFF(); 
&&&&&&&&&&&&&Irql=KeRaiseIrqlToDpcLevel();&&&&&&&&&&&&&RtlCopyMemory(pd,C390,2);&&&&&&&&&&&&&KeLowerIrql(Irql);&&&&&&&&&&&&&WPON();&&&&&&&&&&&&&&&&&&&&&&&&&&}&&&&&&&&&pd--;&&&&&}&&&&&while (1)&&&&&{&&&&&&&&&if ((*(sd1-1) == 0xcc) && (*(sd1-2) == 0xcc))&&&&&&&&&{&&&&&&&&&&&&&KdPrint((&sd1 address:%0X \n&,(ULONG)sd1));&&&&&&&&&&&&&WPOFF();&&&&&&&&&&&&&&&Irql=KeRaiseIrqlToDpcLevel();&&&&&&&&&&&&&RtlCopyMemory(sd1,C390,2);&&&&&&&&&&&&&KeLowerIrql(Irql);&&&&&&&&&&&&&WPON();&&&&&&&&&&&&&&&&&&&&&&&&&&}&&&&&&&&&sd1--;&&&&&}&&&&&while (1)&&&&&{&&&&&&&&&if ((*(sd2-1) == 0xcc) && (*(sd2-2) == 0xcc))&&&&&&&&&{&&&&&&&&&&&&&KdPrint((&sd2 address:%0X \n&,(ULONG)sd2));&&&&&&&&&&&&&WPOFF(); &&&&&&&&&&&&&Irql=KeRaiseIrqlToDpcLevel();&&&&&&&&&&&&&RtlCopyMemory(sd2,C390,2);&&&&&&&&&&&&&KeLowerIrql(Irql);&&&&&&&&&&&&&WPON();&& &&&&&&&&&&&&&&&&&&&&&&}&&&&&&&&&sd2--;&&&&&}& &&&&&return&&STATUS_SUCCESS;&}&&这段代码也是我从网上找资料找到的,里面TX如何清零的代码我还没有搞大明白,等搞明白了,一定跟大家分享一下。哈哈。&&&@bobo1kiss,我怎么把分给你?&再次感谢。&
不用了哈哈,感谢你能把源码放出,我仅代表我朝全体人民表示非常欣慰 咩哈哈哈
呵呵&&什么时候能写个DNF外挂源码 出来看看,支持无私奉献
不错&&谢谢
BYTE bHookPattern[] = { 0x50,0xff,0x75,0xd0,0xff,0x35,'x','x','x','x',0x56,0x8d,0x85,0x4c,0xff,0xff,0xff,0x50,0xff,0x75,0xcc,0xff,0x75,0xe0,0xe8,'x','x','x','x',0x8b,0xf8,0x8d,0x85,0x4c,0xff,0xff,0xff,0x50, };& &未见过如此多代码,请问楼主这部分什么意思?&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
感谢楼主的分享精神。
我得好好研究下,谢谢无私分享!
都是大牛啊,膜拜啊
能请教个问题吗&我刚刚学驱动&我ddk编译报错了一个地方 &mini_ddk.c(191) : error C4013: 'GetTesSafeAddress' assuming extern returning int&&if ( !NT_SUCCESS(GetTesSafeAddress(&pTesSafeAddress, &lTesSafeSize)) )&{ &&&&&FAILED_TO_OBTAIN_FUNCTION_ADDRESSES;&}
MyEnumKernelModule:\??\C:\WINDOWS\system32\TesSafe.sys:B7167000 &--SD2 -- B716968A &--PD -- B716B221 &--SD1 -- B716BF73 &number 3 ---quit&pd address:B716B1E0 &sd1 address:B716BF2C &sd2 address:B7169638 &TenNtSetContextThread:805D273A&TenNtGetContextThread:805D252A&Process:805CC8E0 &Thread:805CC8E0 &DNF Cracker Loaded!&请问 这个算成功了吗 可是为什么可执行模块没有exe呢 全是dll
高手。。。。。。。。。。。。。。。。。
围观。直接给个成品吧
#define ThreadLength 0x190&&define ProcessLength 0x184&&& 长度是不是不对啊。
很久没能在广海看到这样的帖子了
这是什么?
LZ研究得不错,把过程写得很好。谢谢
驱动正真的好难学
新手学习一下