驱动编程:注册表回调,进程回调,文件回调,进程隐藏断链,窗口保护
2024-06-09 03:11:56
#include "struct.h"#define debug_pott_offset 0x298
//#define debug_pott_offset 0x1f0DWORD changge_size_NtClose = 0; //NtClose被修改了N字节
PUCHAR ori_head_NtClose = NULL; //NtClose的前N字节数组
PVOID ori_addr_NtClose = NULL; //NtClose的原函数DWORD changge_size_NtContinue = 0; //NtContinue被修改了N字节
PUCHAR ori_head_NtContinue = NULL; //NtContinue的前N字节数组
PVOID ori_addr_NtContinue = NULL; //NtContinue的原函数DWORD changge_size_NtQueryObject = 0; //NtQueryObject被修改了N字节
PUCHAR ori_head_NtQueryObject = NULL; //NtQueryObject的前N字节数组
PVOID ori_addr_NtQueryObject = NULL; //NtQueryObject的原函数DWORD changge_size_NtOpenProcess = 0; //NtOpenProcess被修改了N字节
PUCHAR ori_head_NtOpenProcess = NULL; //NtOpenProcess的前N字节数组
PVOID ori_addr_NtOpenProcess = NULL; //NtOpenProcess的原函数DWORD changge_size_NtQuerySystemTime = 0; //NtQuerySystemTime被修改了N字节
PBYTE ori_head_NtQuerySystemTime = NULL; //NtQuerySystemTime的前N字节数组
PVOID ori_addr_NtQuerySystemTime = NULL; //NtQuerySystemTime的原函数DWORD changge_size_NtCreateFile = 0; //NtCreateFile被修改了N字节
PBYTE ori_head_NtCreateFile = NULL; //NtCreateFile的前N字节数组
PVOID ori_addr_NtCreateFile = NULL; //NtCreateFile的原函数DWORD changge_size_NtYieldExecution = 0; //NtYieldExecution被修改了N字节
PBYTE ori_head_NtYieldExecution = NULL; //NtYieldExecution的前N字节数组
PVOID ori_addr_NtYieldExecution = NULL; //NtYieldExecution的原函数DWORD changge_size_NtQueueApcThread = 0; //NtQueueApcThread被修改了N字节
PBYTE ori_head_NtQueueApcThread = NULL; //NtQueueApcThread的前N字节数组
PVOID ori_addr_NtQueueApcThread = NULL; //NtQueueApcThread的原函数DWORD changge_size_NtSystemDebugControl = 0; //NtSystemDebugControl被修改了N字节
PUCHAR ori_head_NtSystemDebugControl = NULL; //NtSystemDebugControl的前N字节数组
PVOID ori_addr_NtSystemDebugControl = NULL; //NtSystemDebugControl的原函数DWORD changge_size_NtOpenFile = 0; //NtOpenFile被修改了N字节
PUCHAR ori_head_NtOpenFile = NULL; //NtOpenFile的前N字节数组
PVOID ori_addr_NtOpenFile = NULL; //NtOpenFile的原函数DWORD changge_size_NtCreateThreadEx = 0; //NtCreateThreadEx被修改了N字节
PBYTE ori_head_NtCreateThreadEx = NULL; //NtCreateThreadEx的前N字节数组
PVOID ori_addr_NtCreateThreadEx = NULL; //NtCreateThreadEx的原函数DWORD changge_size_NtQueryDirectoryFile = 0; //NtCreateThreadEx被修改了N字节
PBYTE ori_head_NtQueryDirectoryFile = NULL; //NtCreateThreadEx的前N字节数组
PVOID ori_addr_NtQueryDirectoryFile = NULL; //NtCreateThreadEx的原函数DWORD changge_size_NtSetDebugFilterState = 0; //NtSetDebugFilterState被修改了N字节
PBYTE ori_head_NtSetDebugFilterState = NULL; //NtSetDebugFilterState的前N字节数组
PVOID ori_addr_NtSetDebugFilterState = NULL; //NtSetDebugFilterState的原函数DWORD changge_size_NtQuerySystemInformation = 0; //NtQuerySystemInformation被修改了N字节
PBYTE ori_head_NtQuerySystemInformation = NULL; //NtQuerySystemInformation的前N字节数组
PVOID ori_addr_NtQuerySystemInformation = NULL; //NtQuerySystemInformation的原函数DWORD changge_size_NtQueryInformationThread = 0; //NtQueryInformationThread被修改了N字节
PBYTE ori_head_NtQueryInformationThread = NULL; //NtQueryInformationThread的前N字节数组
PVOID ori_addr_NtQueryInformationThread = NULL; //NtQueryInformationThread的原函数DWORD changge_size_NtQueryInformationProcess = 0; //NtQueryInformationProcess被修改了N字节
PBYTE ori_head_NtQueryInformationProcess = NULL; //NtQueryInformationProcess的前N字节数组
PVOID ori_addr_NtQueryInformationProcess = NULL; //NtQueryInformationProcess的原函数DWORD changge_size_NtSetInformationProcess = 0; //NtSetInformationProcess被修改了N字节
PBYTE ori_head_NtSetInformationProcess = NULL; //NtSetInformationProcess的前N字节数组
PVOID ori_addr_NtSetInformationProcess = NULL; //NtSetInformationProcess的原函数DWORD changge_size_NtQueryPerformanceCounter = 0; //NtQueryPerformanceCounter被修改了N字节
PBYTE ori_head_NtQueryPerformanceCounter = NULL; //NtQueryPerformanceCounter的前N字节数组
PVOID ori_addr_NtQueryPerformanceCounter = NULL; //NtQueryPerformanceCounter的原函数DWORD changge_size_NtUserGetDC = 0; //NtUserGetDC被修改了N字节
PBYTE ori_head_NtUserGetDC = NULL; //NtUserGetDC的前N字节数组
PVOID ori_addr_NtUserGetDC = NULL; //NtUserGetDC的原函数DWORD changge_size_NtUserGetDCEx = 0; //NtUserGetDCEx被修改了N字节
PBYTE ori_head_NtUserGetDCEx = NULL; //NtUserGetDCEx的前N字节数组
PVOID ori_addr_NtUserGetDCEx = NULL; //NtUserGetDCEx的原函数DWORD changge_size_NtUserGetWindowDC = 0; //NtUserGetWindowDC被修改了N字节
PBYTE ori_head_NtUserGetWindowDC = NULL; //NtUserGetWindowDC的前N字节数组
PVOID ori_addr_NtUserGetWindowDC = NULL; //NtUserGetWindowDC的原函数DWORD changge_size_NtGdiGetPixel = 0; //NtGdiGetPixel被修改了N字节
PBYTE ori_head_NtGdiGetPixel = NULL; //NtGdiGetPixel的前N字节数组
PVOID ori_addr_NtGdiGetPixel = NULL; //NtGdiGetPixel的原函数DWORD changge_size_NtUserBlockInput = 0; //NtUserBlockInput被修改了N字节
PBYTE ori_head_NtUserBlockInput = NULL; //NtUserBlockInput的前N字节数组
PVOID ori_addr_NtUserBlockInput = NULL; //NtUserBlockInput的原函数DWORD changge_size_NtUserFindWindowEx = 0; //NtUserFindWindowEx被修改了N字节
PBYTE ori_head_NtUserFindWindowEx = NULL; //NtUserFindWindowEx的前N字节数组
PVOID ori_addr_NtUserFindWindowEx = NULL; //NtUserFindWindowEx的原函数DWORD changge_size_NtUserBuildHwndList = 0; //NtUserBuildHwndList被修改了N字节
PBYTE ori_head_NtUserBuildHwndList = NULL; //NtUserBuildHwndList的前N字节数组
PVOID ori_addr_NtUserBuildHwndList = NULL; //NtUserBuildHwndList的原函数DWORD changge_size_NtUserWindowFromPoint = 0; //NtUserWindowFromPoint被修改了N字节
PBYTE ori_head_NtUserWindowFromPoint = NULL; //NtUserWindowFromPoint的前N字节数组
PVOID ori_addr_NtUserWindowFromPoint = NULL; //NtUserWindowFromPoint的原函数DWORD changge_size_NtUserGetForegroundWindow = 0; //NtUserGetForegroundWindow被修改了N字节
PBYTE ori_head_NtUserGetForegroundWindow = NULL; //NtUserGetForegroundWindow的前N字节数组
PVOID ori_addr_NtUserGetForegroundWindow = NULL; //NtUserGetForegroundWindow的原函数DWORD changge_size_NtUserWindowFromPhysicalPoint = 0; //NtUserWindowFromPhysicalPoint被修改了N字节
PBYTE ori_head_NtUserWindowFromPhysicalPoint = NULL; //NtUserWindowFromPhysicalPoint的前N字节数组
PVOID ori_addr_NtUserWindowFromPhysicalPoint = NULL; //NtUserWindowFromPhysicalPoint的原函数#define ERROR_INVALID_WINDOW_HANDLE 1400L#define MAX_PROTECT 21typedef DWORD(FASTCALL *Q_NtUserCallOneParam)(DWORD, DWORD);typedef HDC(FASTCALL *Q_NtUserGetDC)(HWND);
typedef HDC(FASTCALL *Q_NtUserGetWindowDC)(HWND);
typedef INT_PTR(FASTCALL *Q_ValidateHwnd)(HWND hwnd);
typedef DWORD(FASTCALL *Q_NtUserGetForegroundWindow)();
typedef DWORD(FASTCALL *Q_NtGdiGetPixel)(HDC, int, int);
typedef HWND(FASTCALL *Q_NtUserWindowFromPoint)(INT_PTR);
typedef HDC(FASTCALL *Q_NtUserGetDCEx)(HWND, HANDLE, ULONG);
typedef INT_PTR(FASTCALL *Q_NtUserGetClassName)(HWND, LPTSTR, int);
typedef INT_PTR(FASTCALL *Q_NtUserWindowFromPhysicalPoint)(INT_PTR);
typedef INT_PTR(FASTCALL *Q_NtUserPhysicalToLogicalPoint)(HWND, INT_PTR);
typedef NTSTATUS(FASTCALL *Q_NtUserBuildHwndList)(DWORD, DWORD, DWORD, DWORD, UINT, HWND*, DWORD*);
typedef INT_PTR(FASTCALL *Q_NtUserMessageCall)(INT_PTR, unsigned int, INT_PTR, INT_PTR, INT_PTR, int);
typedef NTSTATUS(FASTCALL *Q_NtUserFindWindowEx)(HWND, HWND, PUNICODE_STRING, PUNICODE_STRING, ULONG);INT_PTR FASTCALL _ValidateHwnd(HWND hwnd);
NTSTATUS FASTCALL _NtUserBlockInput(BOOLEAN);
DWORD FASTCALL _NtGdiGetPixel(HDC, int, int);
DWORD FASTCALL _NtUserGetForegroundWindow();
HWND FASTCALL _NtUserWindowFromPoint(INT_PTR);
INT_PTR FASTCALL _NtUserGetClassName(HWND, LPTSTR, int);
INT_PTR FASTCALL _NtUserWindowFromPhysicalPoint(INT_PTR);
INT_PTR FASTCALL _NtUserMessageCall(INT_PTR, UINT, INT_PTR, INT_PTR, INT_PTR, int);
NTSTATUS FASTCALL _NtUserBuildHwndList(HDESK, HWND, ULONG, DWORD, UINT, HWND*, ULONG*);
NTSTATUS FASTCALL _NtUserFindWindowEx(HWND, HWND, PUNICODE_STRING, PUNICODE_STRING, ULONG);NTSTATUS FASTCALL NtSetInformationProcess(HANDLE, PROCESSINFOCLASS, PVOID, ULONG);#define PROCESS_DEBUG_INHERIT 0x00000001 // default for a non-debugged process
#define PROCESS_NO_DEBUG_INHERIT 0x00000002 // default for a debugged process
#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004ULONG_PTR NtUserGetDC;
ULONG_PTR NtGdiBitBlt;
ULONG_PTR ValidateHwnd;
ULONG_PTR NtGdiGetPixel;
ULONG_PTR NtUserGetDCEx;
ULONG_PTR NtGdiStretchBlt;
ULONG_PTR NtUserBlockInput;
ULONG_PTR NtUserGetWindowDC;
ULONG_PTR NtUserQueryWindow;
ULONG_PTR NtUserGetClassName;
ULONG_PTR NtUserFindWindowEx;
ULONG_PTR NtUserCallOneParam;
ULONG_PTR NtUserBuildHwndList;
ULONG_PTR NtUserWindowFromPoint;
ULONG_PTR NtUserGetForegroundWindow;
ULONG_PTR NtUserWindowFromPhysicalPoint;#define PROCESS_COUNT 13extern BOOLEAN g_start_hook;
extern PEPROCESS SystemProcess;
extern PEPROCESS CsrssProcess;
extern PEPROCESS win32k_Process;
extern PBYTE KiSuspendThread;
extern PVOID g_start_obfile;
extern PVOID g_start_obprocess;
extern BOOLEAN g_delete_driver;
extern ULONG_PTR NtQueueApcThread;
extern POBJECT_TYPE* IoDeviceObjectType;
extern POBJECT_TYPE* IoDriverObjectType;
extern PDRIVER_OBJECT Selfdriverobject;
extern char AccessProcess[PROCESS_COUNT][20];
extern SAVE_DEBUG_REGISTERS ArrayDebugRegister[100]; //Max 100 threadsULONG_PTR QNtClose;
ULONG_PTR QNtCreateFile;
ULONG_PTR QNtQueryObject;
ULONG_PTR NtQueueApcThread;
ULONG_PTR NtSetDebugFilterState;ULONG_PTR NtContinue = NULL;
ULONG_PTR QNtQueryObject = NULL;
ULONG_PTR NtQueryValueKey = NULL;
ULONG_PTR NtYieldExecution = NULL;
ULONG_PTR NtCreateThreadEx = NULL;
ULONG_PTR NtSuspendProcess = NULL;
ULONG_PTR NtQuerySystemTime = NULL;
ULONG_PTR ObCheckObjectAccess = NULL;
ULONG_PTR NtQueryPerformanceCounter = NULL;
PDRIVER_DISPATCH NtfsCreateDispatch = NULL;LARGE_INTEGER NativeSysTime = { 0 };
DWORD ValueProcessBreakOnTermination = 0;
BOOLEAN IsProcessHandleTracingEnabled = FALSE;
DWORD ValueProcessDebugFlags = PROCESS_DEBUG_INHERIT;DWORD changge_size_ValidateHwnd = 0; //ValidateHwnd被修改了N字节
PUCHAR ori_head_ValidateHwnd = NULL; //ValidateHwnd的前N字节数组
PVOID ori_addr_ValidateHwnd = NULL; //ValidateHwnd的原函数DWORD changge_size_ObCheckObjectAccess = 0; //ObCheckObjectAccess被修改了N字节
PBYTE ori_head_ObCheckObjectAccess = NULL; //ObCheckObjectAccess的前N字节数组
PVOID ori_addr_ObCheckObjectAccess = NULL; //ObCheckObjectAccess的原函数DWORD changge_size_DbgkForwardException = 0; //DbgkForwardException被修改了N字节
PBYTE ori_head_DbgkForwardException = NULL; //DbgkForwardException的前N字节数组
PVOID ori_addr_DbgkForwardException = NULL; //DbgkForwardException的原函数DWORD changge_size_ObpCallPreOperationCallbacks = 0; //ObpCallPreOperationCallbacks被修改了N字节
PBYTE ori_head_ObpCallPreOperationCallbacks = NULL; //ObpCallPreOperationCallbacks的前N字节数组
PVOID ori_addr_ObpCallPreOperationCallbacks = NULL; //ObpCallPreOperationCallbacks的原函数#define ProtectTools1 "MDebug.exe"
#define ProtectTools2 "Ollydbg.exe"
#define ProtectTools3 "[LCG].exe"
#define ProtectTools4 "HawkOD.exe"
#define ProtectTools5 "FackTpProtect"
#define ProtectTools6 "apimonitor"
#define ProtectTools7 "PCHunter64.exe"
#define ProtectTools8 "windbg32.exe"
#define ProtectTools9 "x32dbg.exe"
#define ProtectTools10 "cheatengine"
#define ProtectTools11 "吾爱破解[LCG].exe"
#define ProtectTools12 "5410.exe" #define VMwareTools1 "vmacthlp"
#define VMwareTools2 "VGAuthService"#define PassGame1 "DNF.exe"
#define PassGame2 "GaneApp.exe"
#define PassGame3 "Client.exe"
#define PassGame4 "cstrike-online.exe"
#define PassGame5 "KartRider.exe"
#define PassGame6 "CA.exe"#define ProtectImageName1 "smss"
#define ProtectImageName2 "explorer"
#define ProtectImageName3 "dwm.exe"BOOLEAN ISProtectDebuger(IN DWORD ProcessId)
{BOOL bret = FALSE;NTSTATUS Ntstatus;PEPROCESS Process;Ntstatus = PsLookupProcessByProcessId((HANDLE)ProcessId, (PEPROCESS*)&Process);//获取EPROCESSif (NT_SUCCESS(Ntstatus)){if ((_stricmp(PsGetProcessImageFileName(Process), ProtectTools1) == 0) || \(_stricmp(PsGetProcessImageFileName(Process), ProtectTools2) == 0) || \(strstr(PsGetProcessImageFileName(Process), ProtectTools3) != 0) || \(_stricmp(PsGetProcessImageFileName(Process), ProtectTools4) == 0) || \(_stricmp(PsGetProcessImageFileName(Process), ProtectTools8) == 0) || \(_stricmp(PsGetProcessImageFileName(Process), ProtectTools9) == 0) || \(strstr(PsGetProcessImageFileName(Process), ProtectTools10) != 0) || \(_stricmp(PsGetProcessImageFileName(Process), ProtectTools11) == 0) ||\(_stricmp(PsGetProcessImageFileName(Process), ProtectTools12) == 0)){bret = TRUE;}ObDereferenceObject(Process);}return bret;
}BOOLEAN ISProtectTools(IN DWORD ProcessId)
{BOOL bret = FALSE;NTSTATUS Ntstatus;PEPROCESS Process;Ntstatus = PsLookupProcessByProcessId((HANDLE)ProcessId, (PEPROCESS*)&Process);//获取EPROCESSif (NT_SUCCESS(Ntstatus)){if ((_stricmp(PsGetProcessImageFileName(Process), ProtectTools1) == 0) || \(_stricmp(PsGetProcessImageFileName(Process), ProtectTools2) == 0) || \(strstr(PsGetProcessImageFileName(Process), ProtectTools3) != 0) || \(_stricmp(PsGetProcessImageFileName(Process), ProtectTools4) == 0) || \(strstr(PsGetProcessImageFileName(Process), ProtectTools5) != 0) || \(strstr(PsGetProcessImageFileName(Process), ProtectTools6) != 0) || \(_stricmp(PsGetProcessImageFileName(Process), ProtectTools7) == 0) || \(_stricmp(PsGetProcessImageFileName(Process), ProtectTools8) == 0) || \(_stricmp(PsGetProcessImageFileName(Process), ProtectTools9) == 0) || \(strstr(PsGetProcessImageFileName(Process), ProtectTools10) != 0) || \(_stricmp(PsGetProcessImageFileName(Process), ProtectTools11) == 0) || \(_stricmp(PsGetProcessImageFileName(Process), ProtectTools12) == 0)){bret = TRUE;}ObDereferenceObject(Process);}return bret;
}BOOLEAN ISVMwareTools(IN DWORD ProcessId)
{BOOL bret = FALSE;NTSTATUS Ntstatus;PEPROCESS Process;Ntstatus = PsLookupProcessByProcessId((HANDLE)ProcessId, (PEPROCESS*)&Process);//获取EPROCESSif (NT_SUCCESS(Ntstatus)){if ((strstr(PsGetProcessImageFileName(Process), VMwareTools1)) || \(strstr(PsGetProcessImageFileName(Process), VMwareTools2))){bret = TRUE;}ObDereferenceObject(Process);}return bret;
}BOOLEAN IsWhiteList(IN DWORD ProcessId)
{BOOL bret = FALSE;NTSTATUS Ntstatus;PEPROCESS Process;Ntstatus = PsLookupProcessByProcessId((HANDLE)ProcessId, (PEPROCESS*)&Process);//获取EPROCESSif (NT_SUCCESS(Ntstatus)){if (strstr(PsGetProcessImageFileName(Process), ProtectImageName1) ||strstr(PsGetProcessImageFileName(Process), ProtectImageName2) ||(_stricmp(PsGetProcessImageFileName(Process), ProtectImageName3) == 0)){bret = TRUE;}ObDereferenceObject(Process);}return bret;
}BOOLEAN ISAttachProcess(IN PEPROCESS Process)
{if (MmIsAddressValid(Process + debug_pott_offset) && \*(PULONG_PTR)((PBYTE)Process + debug_pott_offset)){return TRUE;}else{return FALSE;}
}BOOLEAN IsWindowClassBad(IN PUNICODE_STRING lpszClass)
{WCHAR nameCopy[400];static const WCHAR * BadWindowClassList[] ={L"OLLYDBG",L"Zeta Debugger",L"Rock Debugger",L"ObsidianGUI",L"ID", //Immunity DebuggerL"WinDbgFrameClass", //WinDBGL"idawindow",L"tnavbox",L"idaview",L"tgrzoom"L"Cheat",L"Engine",L"Previous",L"首次扫描",L"再次扫描",L"撤销扫描",L"内存浏览",L"手动添加地址"};if (!lpszClass || lpszClass->Length == 0 || !lpszClass->Buffer){return FALSE;}memset(nameCopy, 0, sizeof(nameCopy));if (lpszClass->Length > (sizeof(nameCopy) - sizeof(WCHAR))){return FALSE;}memcpy(nameCopy, lpszClass->Buffer, lpszClass->Length);for (int i = 0; i < _countof(BadWindowClassList); i++){if (wcsistr(nameCopy, BadWindowClassList[i])){return TRUE;}}return FALSE;}BOOLEAN IsWindowNameBad(IN PUNICODE_STRING lpszWindow)
{WCHAR nameCopy[400];static const WCHAR * BadWindowTextList[] ={L"OLLYDBG",L"ida",L"disassembly",L"scylla",L"Debug",L"[CPU",L"Immunity",L"Windbg",L"x32_dbg",L"5410",L"Windbg",L"Import reconstructor"L"Cheat",L"Engine",L"Previous",L"首次扫描",L"再次扫描",L"撤销扫描",L"内存浏览",L"手动添加地址"};if (!lpszWindow || lpszWindow->Length == 0 || !lpszWindow->Buffer){return FALSE;}memset(nameCopy, 0, sizeof(nameCopy));if (lpszWindow->Length > (sizeof(nameCopy) - sizeof(WCHAR))){return FALSE;}memcpy(nameCopy, lpszWindow->Buffer, lpszWindow->Length);for (int i = 0; i < _countof(BadWindowTextList); i++){if (wcsistr(nameCopy, BadWindowTextList[i])){return TRUE;}}return FALSE;}BOOLEAN IsProcessBad(IN PUNICODE_STRING process)
{WCHAR nameCopy[400];static const WCHAR * BadProcessnameList[] ={L"ollydbg.exe",L"MDebug.exe",L"HawkOD.exe",L"idaw.exe",L"idaw64.exe",L"HawkOD.exe",L"PCHunter64.exe",L"cheatengine.exe",L"FackTpProtect.exe",L"5410.exe",L"x32dbg.exe",L"windbg.exe",L"吾爱破解[LCG].exe",};if (!process || process->Length == 0 || !process->Buffer){return FALSE;}memset(nameCopy, 0, sizeof(nameCopy));if (process->Length > (sizeof(nameCopy) - sizeof(WCHAR))){return FALSE;}memcpy(nameCopy, process->Buffer, process->Length);for (int i = 0; i < _countof(BadProcessnameList); i++){if (!wcsistr(nameCopy, BadProcessnameList[i])){return TRUE;}}return FALSE;
}BOOLEAN FASTCALL IsPassGame(IN DWORD ProcessId)
{BOOL bret = FALSE;NTSTATUS Ntstatus;PEPROCESS Process;Ntstatus = PsLookupProcessByProcessId((HANDLE)ProcessId, (PEPROCESS*)&Process);//获取EPROCESSif (NT_SUCCESS(Ntstatus)){if ((_stricmp(PsGetProcessImageFileName(Process), PassGame1) == 0) || \(_stricmp(PsGetProcessImageFileName(Process), PassGame2) == 0) || \(_stricmp(PsGetProcessImageFileName(Process), PassGame3) == 0) || \(_stricmp(PsGetProcessImageFileName(Process), PassGame4) == 0) || \(_stricmp(PsGetProcessImageFileName(Process), PassGame5) == 0) || \(_stricmp(PsGetProcessImageFileName(Process), PassGame6) == 0)){bret = TRUE;}ObDereferenceObject(Process);}return bret;
}void FilterProcess(IN PSYSTEM_PROCESS_INFORMATION pInfo)
{PSYSTEM_PROCESS_INFORMATION pPrev = pInfo;while (TRUE){if (IsProcessBad(&pInfo->ImageName) || ISProtectTools(pInfo->ProcessId)){if (pInfo->ImageName.Buffer)RtlZeroMemory(pInfo->ImageName.Buffer, pInfo->ImageName.Length);if (pInfo->NextEntryOffset == 0) //last element{pPrev->NextEntryOffset = 0;}else{pPrev->NextEntryOffset += pInfo->NextEntryOffset;}}else{pPrev = pInfo;}if (pInfo->NextEntryOffset == 0){break;}else{pInfo = (PSYSTEM_PROCESS_INFORMATION)((DWORD_PTR)pInfo + pInfo->NextEntryOffset);}}
}void FilterObject(IN POBJECT_TYPE_INFORMATION pObject)
{UNICODE_STRING DebugObject;RtlInitUnicodeString(&DebugObject, L"DebugObject");if (pObject->TypeName.Length == 0 || pObject->TypeName.Buffer == 0){return;}if (RtlEqualUnicodeString(&pObject->TypeName, &DebugObject, FALSE)) //DebugObject{pObject->TotalNumberOfObjects = 0;pObject->TotalNumberOfHandles = 0;}
}void FilterObjects(IN POBJECT_TYPES_INFORMATION pObjectTypes)
{POBJECT_TYPE_INFORMATION pObject = pObjectTypes->TypeInformation;for (ULONG i = 0; i < pObjectTypes->NumberOfTypes; i++){FilterObject(pObject);pObject = (POBJECT_TYPE_INFORMATION)(((PCHAR)(pObject + 1) + ALIGN_UP(pObject->TypeName.MaximumLength, ULONG_PTR)));}
}NTSTATUS RemoveProcessFromSysProcessInfo(IN PVOID SystemInformation,IN ULONG SystemInformationLength)
{//// Check the size of the base container//PSYSTEM_PROCESS_INFORMATION moduleInfo, prevPointer, currPointer, nextPointer;if (SystemInformationLength < sizeof(SYSTEM_PROCESS_INFORMATION))return STATUS_INFO_LENGTH_MISMATCH;//// Get a pointer to the modules and loop each index//moduleInfo = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;prevPointer = NULL;currPointer = NULL;nextPointer = NULL;for (;;){//// Does this process match?//if (ISProtectTools(moduleInfo->ProcessId))currPointer = moduleInfo;//// Validate pointer//if (moduleInfo->NextEntryOffset == 0)break;ULONG_PTR nextIndex = (ULONG_PTR)moduleInfo + moduleInfo->NextEntryOffset;ULONG_PTR maxOffset = (ULONG_PTR)FIELD_OFFSET(SYSTEM_PROCESS_INFORMATION, ParentProcessId);
#define IS_IN_BOUNDS(var, start, size) (((ULONG_PTR)(var)) < ((ULONG_PTR)start + (size)))if (!IS_IN_BOUNDS(nextIndex + maxOffset, SystemInformation, SystemInformationLength))break;//// If this flag was set, get the next pointer in the list and exit//if (currPointer){nextPointer = (PSYSTEM_PROCESS_INFORMATION)nextIndex;break;}//// Move to next index//prevPointer = moduleInfo;moduleInfo = (PSYSTEM_PROCESS_INFORMATION)nextIndex;}if (!currPointer)return STATUS_NOT_FOUND;//// Was there a previous pointer?//if (prevPointer){//// Link it to the next, or set it to 0//if (nextPointer)prevPointer->NextEntryOffset = (ULONG)((ULONG_PTR)nextPointer - (ULONG_PTR)prevPointer);elseprevPointer->NextEntryOffset = 0;}//// Calculate the size of the target entry and zero it//SIZE_T zeroLength = 0;if (nextPointer){//// There was another entry after this, so determine// the delta between them//zeroLength = (ULONG_PTR)nextPointer - (ULONG_PTR)currPointer;}else{//// Data is from 'currPointer' to SystemInformation buffer end//zeroLength = ((ULONG_PTR)SystemInformation + SystemInformationLength) - (ULONG_PTR)currPointer;}RtlSecureZeroMemory(currPointer, zeroLength);return STATUS_SUCCESS;
}DWORD HwndToProcessId(IN HWND hwnd)
{QWORD unknown = ((Q_ValidateHwnd)ori_addr_ValidateHwnd)(hwnd);if (!unknown)return 0;if (_bittest((const signed __int32 *)(unknown + 288), 0xAu)){return *(DWORD*)(unknown + 296);}else{return PsGetThreadProcessId(*(QWORD*)*(QWORD**)(unknown + 16));}
}HWND FASTCALL _NtUserGetWindowFromDC(IN HDC hdc)
{return (HWND)(((Q_NtUserCallOneParam)NtUserCallOneParam)((ULONG)hdc, 0x03));
}//函数检索指定坐标点的像素的RGB颜色值
DWORD FASTCALL _NtGdiGetPixel(IN HDC hDC,IN int XPos,IN int YPos)
{HWND hd;ULONG ProcessID;hd = _NtUserGetWindowFromDC(hDC);if (!ISProtectTools((DWORD)PsGetCurrentProcessId()) && !IsWhiteList((DWORD)PsGetCurrentProcessId())){ProcessID = HwndToProcessId(hd);if (ISProtectTools(ProcessID)){return 0;}}return ((Q_NtGdiGetPixel)ori_addr_NtGdiGetPixel)(hDC, XPos, YPos);
}HWND FASTCALL _NtUserWindowFromPoint(IN INT_PTR a1)
{HWND hwnd;DWORD ProcessID;hwnd = ((Q_NtUserWindowFromPoint)ori_addr_NtUserWindowFromPoint)(a1);if (!ISProtectTools((DWORD)PsGetCurrentProcessId()) && !IsWhiteList((DWORD)PsGetCurrentProcessId())){ProcessID = HwndToProcessId(hwnd);if (ProcessID == NULL || ISProtectTools(ProcessID)){return 0;}}return hwnd;
}NTSTATUS FASTCALL _NtUserFindWindowEx(IN HWND a1,IN HWND a2,IN PUNICODE_STRING a3,IN PUNICODE_STRING a4,IN ULONG a5)
{HWND result;result = ((Q_NtUserFindWindowEx)ori_addr_NtUserFindWindowEx)(a1, a2, a3, a4, a5);if (result == NULL){return 0;}if (IsWindowClassBad(a3) || IsWindowNameBad(a4)){return 0;}if (!ISProtectTools(PsGetCurrentProcessId())){ULONG ProcessID = HwndToProcessId(result);if (ISProtectTools(ProcessID)){return 0;}}return result;}DWORD FASTCALL _NtUserGetForegroundWindow()
{ return 0;
}NTSTATUS FASTCALL _NtUserBuildHwndList(IN HDESK hdesk,IN HWND hwndNext,IN ULONG fEnumChildren,IN DWORD idThread,IN UINT cHwndMax,OUT HWND *phwndFirst,OUT ULONG* pcHwndNeeded)
{NTSTATUS result;result = ((Q_NtUserBuildHwndList)ori_addr_NtUserBuildHwndList)(hdesk, hwndNext, fEnumChildren, idThread, cHwndMax, phwndFirst, pcHwndNeeded);if (result == STATUS_SUCCESS &&!ISProtectTools(PsGetCurrentProcessId())){for (UINT i = 0; i < *pcHwndNeeded; i++){if (phwndFirst[i] != 0){DWORD ProcessID = HwndToProcessId((HWND)phwndFirst[i]);if (ISProtectTools(ProcessID) && !IsWhiteList((DWORD)PsGetCurrentProcessId())){phwndFirst[i] += 66;}}}}return result;}INT_PTR FASTCALL _NtUserWindowFromPhysicalPoint(IN INT_PTR a1)
{HWND hd;ULONG processId;if (a1 == NULL){return 0;}hd = ((Q_NtUserWindowFromPhysicalPoint)ori_addr_NtUserWindowFromPhysicalPoint)(a1);if (hd == NULL){return 0;}if (!ISProtectTools(PsGetCurrentProcessId()) && !IsWhiteList((DWORD)PsGetCurrentProcessId())){processId = HwndToProcessId((HWND)hd);if (ISProtectTools(processId)){return 0;}}return hd;
}HDC FASTCALL _NtUserGetDC(IN HWND hWnd)
{if (!ISProtectTools(PsGetCurrentProcessId()) && !IsWhiteList((DWORD)PsGetCurrentProcessId())){DWORD processId = HwndToProcessId(hWnd);if (ISProtectTools(processId)){return 0;}}return ((Q_NtUserGetDC)ori_addr_NtUserGetDC)(hWnd);
}HDC FASTCALL _NtUserGetDCEx(IN HWND hWnd,IN HANDLE hRegion,IN ULONG Flags)
{if (!ISProtectTools(PsGetCurrentProcessId()) && !IsWhiteList((DWORD)PsGetCurrentProcessId())){DWORD processId = HwndToProcessId(hWnd);if (ISProtectTools(processId)){return 0;}}return ((Q_NtUserGetDCEx)ori_addr_NtUserGetDCEx)(hWnd, hRegion, Flags);
}HDC FASTCALL _NtUserGetWindowDC(IN HWND hWnd)
{if (!ISProtectTools(PsGetCurrentProcessId()) && !IsWhiteList((DWORD)PsGetCurrentProcessId())){DWORD processId = HwndToProcessId(hWnd);if (ISProtectTools(processId)){return 0;}}return ((Q_NtUserGetWindowDC)ori_addr_NtUserGetWindowDC)(hWnd);
}NTSTATUS FASTCALL _NtUserBlockInput(IN BOOLEAN fBlockIt)
{typedef NTSTATUS(FASTCALL *Q_NtUserBlockInput)(BOOLEAN);if (ISAttachProcess(PsGetCurrentProcess())){static BOOL isBlocked = FALSE;if (isBlocked == FALSE && fBlockIt != FALSE){isBlocked = TRUE;return TRUE;}else if (isBlocked != FALSE && fBlockIt == FALSE){isBlocked = FALSE;return TRUE;}}else{return ((Q_NtUserBlockInput)ori_addr_NtUserBlockInput)(fBlockIt);}
}INT_PTR FASTCALL _ValidateHwnd(IN HWND hwnd)
{if (!ISProtectTools((DWORD)PsGetCurrentProcessId()) && !IsWhiteList((DWORD)PsGetCurrentProcessId())){DWORD ProcessID = HwndToProcessId(hwnd);if (ISProtectTools(ProcessID)){return NULL;}}return ((Q_ValidateHwnd)ori_addr_ValidateHwnd)(hwnd);
}//功能:注册进程回调
BOOLEAN RegisterProcessCallBack()
{typedef struct _OB_CALLBACK{LIST_ENTRY ListEntry;ULONG64 Unknown;ULONG64 ObHandle;ULONG64 ObjTypeAddr;ULONG64 PreCall;ULONG64 PostCall;} OB_CALLBACK, *POB_CALLBACK;NTSTATUS status = STATUS_SUCCESS;OB_CALLBACK_REGISTRATION obReg;OB_OPERATION_REGISTRATION opReg;memset(&obReg, 0, sizeof(obReg));obReg.Version = ObGetFilterVersion();obReg.OperationRegistrationCount = 1;obReg.RegistrationContext = NULL;RtlInitUnicodeString(&obReg.Altitude, L"lalala");obReg.OperationRegistration = &opReg;memset(&opReg, 0, sizeof(opReg));opReg.ObjectType = PsProcessType;opReg.Operations = OB_OPERATION_HANDLE_CREATE;opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&ProcessCallback;status = ObRegisterCallbacks(&obReg, &g_start_obprocess);if (NT_SUCCESS(status)){return TRUE;}else{return FALSE;}}//功能:进程回调处理函数
OB_PREOP_CALLBACK_STATUS ProcessCallback(IN PVOID RegistrationContext,IN POB_PRE_OPERATION_INFORMATION pOperationInformation)
{HANDLE pid = PsGetProcessId(pOperationInformation->Object);//char szProcName[16] = { 0 };UNREFERENCED_PARAMETER(RegistrationContext);//strcpy(szProcName, GetProcessNameByProcessId(pid));if (ISProtectTools(pid) && !ISProtectTools((DWORD)PsGetCurrentProcess())){if (pOperationInformation->Operation == OB_OPERATION_HANDLE_CREATE){if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE)//进程终止{pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;}if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_OPERATION) == PROCESS_VM_OPERATION)//openprocess{pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_OPERATION;}if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_READ) == PROCESS_VM_READ)//内存读{pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_READ;}if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_WRITE) == PROCESS_VM_WRITE)//内存写{pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_WRITE;}}}return OB_PREOP_SUCCESS;
}//功能:文件回调处理函数
OB_PREOP_CALLBACK_STATUS FileCallback(PVOID RegistrationContext,POB_PRE_OPERATION_INFORMATION OperationInformation)
{UNICODE_STRING DosName;PFILE_OBJECT fileo = OperationInformation->Object;ACCESS_MASK amask = OperationInformation->Parameters->CreateHandleInformation.DesiredAccess;static WCHAR* protect[] ={ L"HawkOD",L"Ollydbg",L"x32dbg",L"5410",L"吾爱破解",L"PCHunter64",L"Cheat Engine",L"CE64",L"cheatengine" };if (!IsPassGame(PsGetCurrentProcessId())){return OB_PREOP_SUCCESS;}
// for (int i = 0; i < PROCESS_COUNT; i++)
// {
// if (_stricmp(PsGetProcessImageFileName(PsGetCurrentProcess()), AccessProcess[i]) == 0) //检查信任列表
// {
// return OB_PREOP_SUCCESS;
// }
// }UNREFERENCED_PARAMETER(RegistrationContext);if (OperationInformation->ObjectType != *IoFileObjectType)return OB_PREOP_SUCCESS;if (fileo->FileName.Buffer == NULL ||!MmIsAddressValid(fileo->FileName.Buffer) ||fileo->DeviceObject == NULL ||!MmIsAddressValid(fileo->DeviceObject)) //过滤1:无效指针return OB_PREOP_SUCCESS;if (!_wcsicmp(fileo->FileName.Buffer, L"\\Endpoint") ||!_wcsicmp(fileo->FileName.Buffer, L"?") ||!_wcsicmp(fileo->FileName.Buffer, L"\\.\\.")
// || !_wcsicmp(fileo->FileName.Buffer, L"\\")) //过滤2:无效路径return OB_PREOP_SUCCESS;__try{RtlVolumeDeviceToDosName(fileo->DeviceObject, &DosName);for (int i = 0; i < _countof(protect); i++){if (wcsistr(fileo->FileName.Buffer, protect[i])){fileo->Size = 1;OperationInformation->ObjectType = *PsProcessType;OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = DELETE;return OB_PREOP_SUCCESS;}}}__except (1){}return OB_PREOP_SUCCESS;
}//功能:注册文件回调
BOOLEAN RegisterFileCallBack()
{NTSTATUS status;OB_CALLBACK_REGISTRATION obReg;OB_OPERATION_REGISTRATION opReg;PLDR_DATA_TABLE_ENTRY ldr;// enable IoFileObjectType((POBJECT_TYPE_S)*IoFileObjectType)->TypeInfo.SupportsObjectCallbacks = TRUE;// init callbacksmemset(&obReg, 0, sizeof(obReg));obReg.Version = ObGetFilterVersion();obReg.OperationRegistrationCount = 1;obReg.RegistrationContext = NULL;RtlInitUnicodeString(&obReg.Altitude, L"321000");obReg.OperationRegistration = &opReg;memset(&opReg, 0, sizeof(opReg));opReg.ObjectType = IoFileObjectType;opReg.Operations = OB_OPERATION_HANDLE_CREATE;opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&FileCallback;// register callbacksstatus = ObRegisterCallbacks(&obReg, &g_start_obfile);if (NT_SUCCESS(status)){return TRUE;}else{return FALSE;}}//功能:注册表回调处理函数
NTSTATUS RegistryCallBack(IN PVOID CallbackContext,IN PVOID Argument1,IN PVOID Argument2)
{BOOLEAN GetRegistryObjectCompleteName(PUNICODE_STRING, PVOID);//定义变量NTSTATUS CallbackStatus = STATUS_SUCCESS;// if (_stricmp("regedit.exe", (const char*)PsGetProcessImageFileName(PsGetCurrentProcess())) != 0)// return CallbackStatus;
#define REGISTRY_POOL_TAG 'pRE'ULONG uRegNotifStyle;UNICODE_STRING registryPath;//static WCHAR* protectname = L"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist";static WCHAR* protectname = L"UserAssist";static WCHAR* protectname2 = L"Count";registryPath.Length = 0;registryPath.MaximumLength = 2048 * sizeof(WCHAR);registryPath.Buffer = ExAllocatePoolWithTag(NonPagedPoolMustSucceed, registryPath.MaximumLength, REGISTRY_POOL_TAG);RtlZeroMemory(registryPath.Buffer, registryPath.MaximumLength);//设置变量uRegNotifStyle = (ULONG)Argument1;//REG_NOTIFY_CLASS//操作类型switch (uRegNotifStyle){case RegNtPreOpenKeyEx:case RegNtPreCreateKeyEx: //即将打开的注册表项{PREG_CREATE_KEY_INFORMATION pRegCreateKeyEx = (PREG_CREATE_KEY_INFORMATION)Argument2;GetRegistryObjectCompleteName(®istryPath, pRegCreateKeyEx->RootObject);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}break;}case RegNtPostCreateKey:{PREG_POST_CREATE_KEY_INFORMATION createKey = (PREG_POST_CREATE_KEY_INFORMATION)Argument2;if (NT_SUCCESS(createKey->Status)){GetRegistryObjectCompleteName(®istryPath, *(PVOID*)createKey->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}}break;}case RegNtPostOpenKey:{PREG_POST_OPEN_KEY_INFORMATION openKey = (PREG_POST_OPEN_KEY_INFORMATION)Argument2;if (NT_SUCCESS(openKey->Status)){GetRegistryObjectCompleteName(®istryPath, *(PVOID*)openKey->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}}break;}case RegNtQueryKey: //将要查询的键{PREG_QUERY_KEY_INFORMATION pRegQueryKey = (PREG_QUERY_KEY_INFORMATION)Argument2;GetRegistryObjectCompleteName(®istryPath, pRegQueryKey->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}break;}case RegNtQueryValueKey:{PREG_QUERY_VALUE_KEY_INFORMATION queryValueKey = (PREG_QUERY_VALUE_KEY_INFORMATION)Argument2;GetRegistryObjectCompleteName(®istryPath, queryValueKey->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}break;}case RegNtEnumerateKey: //子项被列举的关键{PREG_ENUMERATE_KEY_INFORMATION pRegEnumerateKey = (PREG_ENUMERATE_KEY_INFORMATION)Argument2;GetRegistryObjectCompleteName(®istryPath, pRegEnumerateKey->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}break;}case RegNtEnumerateValueKey:{PREG_ENUMERATE_VALUE_KEY_INFORMATION enumerateValueKey = (PREG_ENUMERATE_VALUE_KEY_INFORMATION)Argument2;GetRegistryObjectCompleteName(®istryPath, enumerateValueKey->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}break;}case RegNtPreSetValueKey: //注册表项的值输入一个新的设置{PREG_SET_VALUE_KEY_INFORMATION pRegSetValueKeyInfo = (PREG_SET_VALUE_KEY_INFORMATION)Argument2;GetRegistryObjectCompleteName(®istryPath, pRegSetValueKeyInfo->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}break;}case RegNtPreDeleteValueKey: //注册表项的值被删除{PREG_DELETE_VALUE_KEY_INFORMATION pRegDeleteValueKey = (PREG_DELETE_VALUE_KEY_INFORMATION)Argument2;GetRegistryObjectCompleteName(®istryPath, pRegDeleteValueKey->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}break;}case RegNtPreDeleteKey: //注册表项被删除{PREG_DELETE_KEY_INFORMATION pRegDeleteKey = (PREG_DELETE_KEY_INFORMATION)Argument2;GetRegistryObjectCompleteName(®istryPath, pRegDeleteKey->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}break;}default:break;}ExFreePoolWithTag(registryPath.Buffer, REGISTRY_POOL_TAG);return CallbackStatus;
}//功能:保护进程短链
VOID ProcessBreakChain()
{KIRQL irql;int i = 0;PLIST_ENTRY entry;LARGE_INTEGER liInterval;PEPROCESS_S SystemProcess;NTSTATUS Status = PsLookupProcessByProcessId((HANDLE)4, &SystemProcess);if (!NT_SUCCESS(Status)){SystemProcess = PsGetCurrentProcess();}else{ObfDereferenceObject(SystemProcess);}while (1){if (g_delete_driver == TRUE)break;for (entry = SystemProcess->ActiveProcessLinks.Flink; entry != &entry; entry = entry->Flink){if (g_delete_driver == TRUE)break;PEPROCESS_S Process = (PEPROCESS_S)((PBYTE)entry - 0x188);if (ISProtectTools(PsGetProcessId(Process)) || ISVMwareTools(PsGetProcessId(Process))){__try{irql = cli();RemoveEntryList(entry);sti(irql);}__except (1){}}}if (g_delete_driver == TRUE)break;liInterval.QuadPart = -10 * 1000 * 1000 * 2; 延迟2秒钟运行 ;KeDelayExecutionThread(KernelMode, TRUE, &liInterval);}PsTerminateSystemThread(STATUS_SUCCESS);
}//功能:过滤非执行CALLBACK进程
NTSTATUS FASTCALL _ObpCallPreOperationCallbacks(ULONG_PTR a1,ULONG_PTR a2,ULONG_PTR a3)
{if ((ISProtectTools(PsGetCurrentProcessId()))){return STATUS_SUCCESS;}typedef INT_PTR(FASTCALL *Q_ObpCallPreOperationCallbacks)(INT_PTR, INT_PTR, INT_PTR);return ((Q_ObpCallPreOperationCallbacks)ori_addr_ObpCallPreOperationCallbacks)(a1, a2, a3);
}//功能:过滤游戏打开保护进程权限
BOOLEAN FASTCALL _ObCheckObjectAccess(IN PVOID Object,IN OUT PACCESS_STATE AccessState,IN BOOLEAN TypeMutexLocked,IN KPROCESSOR_MODE AccessMode,OUT PNTSTATUS AccessStatus)
{for (int i = 0; i < PROCESS_COUNT; i++){if (_stricmp(PsGetProcessImageFileName(PsGetCurrentProcess()), AccessProcess[i]) == 0) //检查信任列表{goto __ret__;}}if (!ISProtectTools(PsGetCurrentProcessId()) && MmIsAddressValid(Object)){if (IsProcess(Object) && ISProtectTools(PsGetProcessId(Object))){*AccessStatus = STATUS_ACCESS_DENIED;return FALSE;}else if (IsThread(Object) && ISProtectTools(PsGetThreadProcessId(Object))){*AccessStatus = STATUS_ACCESS_DENIED;return FALSE;}}
__ret__:return ((BOOLEAN(FASTCALL*)(PVOID, PACCESS_STATE, BOOLEAN, KPROCESSOR_MODE, PNTSTATUS))\ori_addr_ObCheckObjectAccess)(Object, AccessState, TypeMutexLocked,AccessMode, AccessStatus);
}NTSTATUS FASTCALL _NtOpenProcess(OUT PHANDLE ProcessHandle,IN ACCESS_MASK AccessMask,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId)
{PEPROCESS Process = NULL;typedef NTSTATUS(FASTCALL *Q_NtOpenProcess)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID);if (ProcessHandle != NtCurrentProcess()){Process = HandleToProcess(ProcessHandle);}if (ISAttachProcess(PsGetCurrentProcess()) && Process != NULL && \!_stricmp(PsGetProcessImageFileName(Process), "csrss.exe")){return STATUS_ACCESS_DENIED;}return ((Q_NtOpenProcess)ori_addr_NtOpenProcess)(ProcessHandle, AccessMask, ObjectAttributes, ClientId);;
}NTSTATUS FASTCALL _NtQueryInformationThread(IN HANDLE ThreadHandle,IN THREADINFOCLASS ThreadInformationClass,OUT PVOID ThreadInformation,IN ULONG ThreadInformationLength,OUT PULONG ReturnLength OPTIONAL)
{NTSTATUS Status;typedef NTSTATUS(FASTCALL *Q_NtQueryInformationThread)(HANDLE, THREADINFOCLASS, PVOID, ULONG, PULONG);Status = ((Q_NtQueryInformationThread)ori_addr_NtQueryInformationThread)\(ThreadHandle, ThreadInformationClass, ThreadInformation, ThreadInformationLength, ReturnLength);__try{if (ThreadInformationClass == ThreadWow64Context &&ThreadInformationLength == 0x2CC &&ThreadInformation != NULL &&ThreadHandle != NULL)//ThreadWow64Context {PETHREAD Thread = NULL;PWOW64_CONTEXT Context = ThreadInformation;if (ThreadHandle != NtCurrentThread()){Thread = HandleToThread(ThreadHandle);}//游戏或辅助进程获取CONTEXTif ((ISAttachProcess(PsGetCurrentProcess()) && \ThreadHandle == NtCurrentThread()) || \(Thread != NULL && \ISAttachProcess(PsGetThreadProcess(Thread)))){Context->Dr0 = 0;Context->Dr1 = 0;Context->Dr2 = 0;Context->Dr3 = 0;Context->Dr6 = 0;Context->Dr7 = 0;}}}__except (1){}return Status;
}NTSTATUS FASTCALL _NtSetInformationThread(IN HANDLE ThreadHandle,IN THREADINFOCLASS ThreadInformationClass,IN PVOID ThreadInformation,IN ULONG ThreadInformationLength)
{NTSTATUS status;PVOID Object;typedef NTSTATUS(FASTCALL *Q_NtSetInformationThread)(HANDLE, THREADINFOCLASS, PVOID, ULONG);status = ObReferenceObjectByHandle(ThreadHandle, GENERIC_READ, 0, KernelMode, &Object, NULL);if (NT_SUCCESS(status)){ObDereferenceObject(Object); }if(ThreadInformationClass != ThreadHideFromDebugger){status = ((Q_NtSetInformationThread)SymbolsInfo.NtSetInformationThread)\(ThreadHandle, ThreadInformationClass, ThreadInformation, ThreadInformationLength);}return status;
}NTSTATUS FASTCALL _NtClose(IN HANDLE ObjectHandle)
{typedef NTSTATUS(FASTCALL *Q_NtClose)(HANDLE);if (ISAttachProcess(PsGetCurrentProcess())){//使用一个无效的句柄调用 NtClose 将会产生一个STATUS_INVALID_HANDLE (0xC0000008) 异常。PVOID Object;NTSTATUS Status;Status = ((Q_NtClose)ori_addr_NtClose)(ObjectHandle);if (Status == STATUS_INVALID_HANDLE){Status = STATUS_SUCCESS;}}else{return ((Q_NtClose)ori_addr_NtClose)(ObjectHandle);}
}VOID remote_breackpoint(IN PEPROCESS Process,OUT PVOID* StartRoutine,IN PBYTE opcode_buffer,IN BOOLEAN iswow64)
{static BYTE new_opcode[] = { 0xcc, //int 30x6a, 0x00, //push 0 0x6a, 0xfe, //push -0x2 ; ExitStatus0xe8, 0x90, 0x90, 0x90, 0x90 }; //call _RtlExitUserThread@4 ; RtlExitUserThread(x)int num = 0;DWORD addr[2] = { 0 };HANDLE hProcess = NULL;PBYTE _DbgBreakPoint = NULL;PBYTE _RtlExitUserThread = NULL;for (int i = 0; i < 0x50; i++){if ((iswow64 && opcode_buffer[i] == 0xe8 && opcode_buffer[i - 1] == 0) || (!iswow64 && opcode_buffer[i] == 0xe8)){addr[num] = ((PBYTE)*StartRoutine + 12 + i) + 5 + *(PDWORD)((PBYTE)opcode_buffer + i + 1);if (++num == 2){break;}}}if (addr[0] == 0 || addr[1] == 0){return;}_DbgBreakPoint = (PBYTE)addr[0];_RtlExitUserThread = (PBYTE)addr[1];_DbgBreakPoint += 2;*(PDWORD)(new_opcode + 6) = (DWORD)(_RtlExitUserThread - _DbgBreakPoint - 10);if (hProcess = MyOpenProcess(PsGetProcessId(Process))){//change_game_codeDWORD oldprotect;MyZwProtectVirtualMemory(hProcess, _DbgBreakPoint, 10, PAGE_EXECUTE_READWRITE, &oldprotect);MyZwWriteVirtualMemory(hProcess, _DbgBreakPoint, new_opcode, 10);MyZwProtectVirtualMemory(hProcess, _DbgBreakPoint, 10, oldprotect, &oldprotect);*StartRoutine = _DbgBreakPoint;ZwClose(hProcess);}
}VOID change_remote_breakpoint(IN PEPROCESS Process, OUT PVOID* StartRoutine)
{BYTE opcode_buffer[0x50] = { 0 };static BYTE opcode_32[13] = {0x64, 0xA1, 0x18, 0x00, 0x00, 0x00, //mov eax, large fs:18h0x8B, 0x40, 0x30, //mov eax, [eax+30h]0x80, 0x78, 0x02, 0x00 //cmp byte ptr [eax+2], 0};static BYTE opcode_64[9] = {0x00, //xx0x48, 0x8B, 0x48, 0x60, //mov rcx, [rax + 60h]0x80, 0x79, 0x02, 0x00, //cmp byte ptr[rcx + 2], 0};MyZwReadVirtualMemory(NtCurrentProcess(), (PBYTE)*StartRoutine + 12, &opcode_buffer, 0x50);for (int i = 0; i < 13; i++){if (opcode_32[i] != opcode_buffer[i])goto __x64__;}remote_breackpoint(Process, StartRoutine, opcode_buffer, TRUE);return;__x64__:for (int i = 0; i < 9; i++){if (opcode_64[i] != opcode_buffer[i])return;}remote_breackpoint(Process, StartRoutine, opcode_buffer, FALSE);return;
}NTSTATUS FASTCALL _NtCreateThreadEx(OUT PHANDLE ThreadHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,IN HANDLE ProcessHandle,IN PVOID StartRoutine,IN PVOID StartContext,IN ULONG CreateThreadFlags,IN SIZE_T ZeroBits OPTIONAL,IN SIZE_T StackSize OPTIONAL,IN SIZE_T MaximumStackSize OPTIONAL,IN PVOID AttributeList)
{typedef NTSTATUS(FASTCALL *Q_NtCreateThreadEx)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, HANDLE, PVOID, PVOID, ULONG, SIZE_T, SIZE_T, SIZE_T, PVOID);if (CreateThreadFlags & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER){CreateThreadFlags ^= THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER;}if (ISProtectTools(PsGetCurrentProcessId())){PEPROCESS Process = NULL;if (ProcessHandle != NtCurrentProcess())Process = HandleToProcess(ProcessHandle);if (Process != NULL && ISAttachProcess(Process)){change_remote_breakpoint(Process, &StartRoutine);}}__ret__:return ((Q_NtCreateThreadEx)ori_addr_NtCreateThreadEx)(ThreadHandle, DesiredAccess, ObjectAttributes, \ProcessHandle, StartRoutine, StartContext, CreateThreadFlags, ZeroBits, StackSize, MaximumStackSize, AttributeList);
}NTSTATUS FASTCALL _NtQuerySystemInformation(IN ULONG SystemInformationClass,IN PVOID SystemInformation,IN ULONG SystemInformationLength,OUT PULONG ReturnLength)
{typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION{ULONG SessionId;ULONG BufferLength;PVOID Buffer;} SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION;NTSTATUS Status;typedef NTSTATUS(FASTCALL *Q_NtQuerySystemInformation)(ULONG, PVOID, ULONG, PULONG);Status = ((Q_NtQuerySystemInformation)ori_addr_NtQuerySystemInformation)(SystemInformationClass,SystemInformation,SystemInformationLength,ReturnLength);if (!NT_SUCCESS(Status) || !MmIsAddressValid(SystemInformation)){return Status;}__try{if (SystemInformationClass == SystemProcessesAndThreadsInformation){RemoveProcessFromSysProcessInfo(SystemInformation, SystemInformationLength);}else if (SystemInformationClass == SystemSessionProcessesInformation){if (SystemInformation && SystemInformationLength >= sizeof(SYSTEM_SESSION_PROCESS_INFORMATION)){PSYSTEM_SESSION_PROCESS_INFORMATION sessInfo = (PSYSTEM_SESSION_PROCESS_INFORMATION)SystemInformation;if (sessInfo->Buffer)RemoveProcessFromSysProcessInfo(sessInfo->Buffer, sessInfo->BufferLength);}}else if (SystemInformationClass == SystemKernelDebuggerInformation){((PSYSTEM_KERNEL_DEBUGGER_INFORMATION)SystemInformation)->DebuggerEnabled = 0;((PSYSTEM_KERNEL_DEBUGGER_INFORMATION)SystemInformation)->DebuggerNotPresent = 1;}else if (SystemInformationClass == 149)//SystemKernelDebuggerInformationEx{typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX{BOOLEAN BootedDebug;BOOLEAN DebuggerEnabled;BOOLEAN DebuggerPresent;} SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION_EX;PSYSTEM_KERNEL_DEBUGGER_INFORMATION_EX debugInfoEx = (PSYSTEM_KERNEL_DEBUGGER_INFORMATION_EX)SystemInformation;debugInfoEx->BootedDebug = FALSE;debugInfoEx->DebuggerEnabled = FALSE;debugInfoEx->DebuggerPresent = FALSE;}else if (SystemInformationClass == SystemHandleInformation){PSYSTEM_HANDLE_INFORMATION_EX pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION)SystemInformation;for (int i = 0; i < pSysHandleInfo->NumberOfHandles; i++){if (ISProtectTools(pSysHandleInfo->Information[i].ProcessID)){RtlZeroMemory(&pSysHandleInfo->Information[i], 16);}}}else if (SystemInformationClass == SystemModuleInformation){PSYSTEM_MODULE_INFORMATION moduleinfo = SystemInformation;for (DWORD i = 0; i < moduleinfo->Count; i++){PBYTE findstr = moduleinfo->Module[i].ImageName + moduleinfo->Module[i].ModuleNameOffset;if (strstr(findstr, "PCHunter64al") ||strstr(findstr, "dbk64.sys") ||strstr(findstr, "dbk32.sys")){DWORD length = strlen(findstr);memset(findstr, '\0', length + 1);memcpy(findstr, "calc.exe", strlen("kdcom.exe") + 1);moduleinfo->Module[i].Size = moduleinfo->Module[i-1].Size;}}}}__except (1){Status = GetExceptionCode();}return Status;
}NTSTATUS FASTCALL _NtQueryInformationProcess(IN HANDLE ProcessHandle,IN PROCESSINFOCLASS ProcessInformationClass,OUT PVOID ProcessInformation,IN ULONG ProcessInformationLength,OUT PULONG ReturnLength OPTIONAL)
{if (ProcessInformationClass == ProcessTimes && ISAttachProcess(PsGetCurrentProcess())){return STATUS_ACCESS_DENIED;}typedef NTSTATUS(FASTCALL *Q_NtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);NTSTATUS Status = ((Q_NtQueryInformationProcess)ori_addr_NtQueryInformationProcess)(ProcessHandle,ProcessInformationClass,ProcessInformation,ProcessInformationLength,ReturnLength);if (!NT_SUCCESS(Status) || !MmIsAddressValid(ProcessInformation)){return Status;}__try{PEPROCESS Process = NULL;if (ProcessHandle != NtCurrentProcess())Process = HandleToProcess(ProcessHandle);if (ProcessInformationClass == ProcessBasicInformation){if ((ISAttachProcess(PsGetCurrentProcess()) && ProcessHandle == NtCurrentProcess()) ||(Process != NULL && ISAttachProcess(HandleToProcess(ProcessHandle)))){if (ISProtectTools(((PPROCESS_BASIC_INFORMATION)ProcessInformation)->InheritedFromUniqueProcessId))((PPROCESS_BASIC_INFORMATION)ProcessInformation)->InheritedFromUniqueProcessId = PsGetProcessId(win32k_Process);}return Status;}switch (ProcessInformationClass){case ProcessDebugPort:{*(PHANDLE)ProcessInformation = 0;break;}case ProcessDebugObjectHandle:{*((HANDLE *)ProcessInformation) = 0;return STATUS_PORT_NOT_SET;}case ProcessDebugFlags:{if ((ISAttachProcess(PsGetCurrentProcess()) && ProcessHandle == NtCurrentProcess()) ||(Process != NULL && ISAttachProcess(HandleToProcess(ProcessHandle)))){*((ULONG*)ProcessInformation) = ((ValueProcessDebugFlags & PROCESS_NO_DEBUG_INHERIT) != 0) ? 0 : PROCESS_DEBUG_INHERIT;}else{*((ULONG*)ProcessInformation) = 0;}break;}case ProcessBreakOnTermination:{*((PDWORD)ProcessInformation) = ValueProcessBreakOnTermination;break;}case ProcessHandleTracing:{if (!IsProcessHandleTracingEnabled)return STATUS_INVALID_PARAMETER;elsereturn STATUS_SUCCESS;}}}__except (1){return GetExceptionCode();}return Status;
}NTSTATUS FASTCALL _NtSetInformationProcess(IN HANDLE ProcessHandle,IN PROCESSINFOCLASS ProcessInformationClass,IN PVOID ProcessInformation,IN DWORD ProcessInformationLength)
{PEPROCESS Process = NULL;typedef NTSTATUS (FASTCALL *Q_NtSetInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG);if (!MmIsAddressValid(ProcessInformation)){goto __ret__;}if (ProcessHandle != NtCurrentProcess()){Process = HandleToProcess(ProcessHandle);}if ((ProcessHandle == NtCurrentProcess() && ISAttachProcess(PsGetCurrentProcess())) || (Process != NULL && ISAttachProcess(Process))){if (ProcessInformationClass == ProcessBreakOnTermination){if (ProcessInformationLength != sizeof(ULONG)){return STATUS_INFO_LENGTH_MISMATCH;}if (ProcessInformation == NULL){return STATUS_ACCESS_VIOLATION;}
// A process must have debug privileges enabled to set the ProcessBreakOnTermination flag
// if (!HasDebugPrivileges(NtCurrentProcess()))
// {
// return STATUS_PRIVILEGE_NOT_HELD;
// }ValueProcessBreakOnTermination = *((PDWORD)ProcessInformation);return STATUS_SUCCESS;}//不允许更改调试继承标志,并跟踪要在NtQIP中报告的新值if (ProcessInformationClass == ProcessDebugFlags){if (ProcessInformationLength != sizeof(ULONG)){return STATUS_INFO_LENGTH_MISMATCH;}if (ProcessInformation == NULL){return STATUS_ACCESS_VIOLATION;}ULONG Flags = *(ULONG*)ProcessInformation;if ((Flags & (~PROCESS_DEBUG_INHERIT)) != 0){return STATUS_INVALID_PARAMETER;}if ((Flags & PROCESS_DEBUG_INHERIT) != 0){ValueProcessDebugFlags &= ~PROCESS_NO_DEBUG_INHERIT;}else{ValueProcessDebugFlags |= PROCESS_NO_DEBUG_INHERIT;}return STATUS_SUCCESS;}//PROCESS_HANDLE_TRACING_ENABLE -> ULONG, PROCESS_HANDLE_TRACING_ENABLE_EX -> ULONG,ULONGif (ProcessInformationClass == ProcessHandleTracing){长度为0,表示我们应该禁用跟踪BOOLEAN enable = ProcessInformationLength != 0; if (enable){if (ProcessInformationLength != sizeof(ULONG) && ProcessInformationLength != (sizeof(ULONG) * 2)){return STATUS_INFO_LENGTH_MISMATCH;}// NtSetInformationProcess 将取消引用此指针if (ProcessInformation == NULL){return STATUS_ACCESS_VIOLATION;}PPROCESS_HANDLE_TRACING_ENABLE_EX phtEx = (PPROCESS_HANDLE_TRACING_ENABLE_EX)ProcessInformation;if (phtEx->Flags != 0){return STATUS_INVALID_PARAMETER;}}IsProcessHandleTracingEnabled = enable;return STATUS_SUCCESS;}}__ret__:return ((Q_NtSetInformationProcess)ori_addr_NtSetInformationProcess)(ProcessHandle, ProcessInformationClass, ProcessInformation, ProcessInformationLength);
}NTSTATUS FASTCALL _NtQueryObject(IN HANDLE Handle,IN OBJECT_INFORMATION_CLASS ObjectInformationClass,IN PVOID ObjectInformation,IN ULONG ObjectInformationLength,OUT PULONG ReturnLength)
{typedef enum _OBJECT_INFORMATION_CLASS{ObjectBasicInformation,ObjectNameInformation,ObjectTypeInformation,ObjectTypesInformation,ObjectDataInformation} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS;typedef NTSTATUS(FASTCALL*Q_NtQueryObject)(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG);NTSTATUS Status = ((Q_NtQueryObject)ori_addr_NtQueryObject)(Handle,ObjectInformationClass,ObjectInformation,ObjectInformationLength,ReturnLength);if ((NT_SUCCESS(Status) || Status == STATUS_INFO_LENGTH_MISMATCH ) && \ISAttachProcess(PsGetCurrentProcess()) && MmIsAddressValid(ObjectInformation)){__try{if (ObjectInformationClass == ObjectTypeInformation){FilterObjects((POBJECT_TYPES_INFORMATION)ObjectInformation);}else if (ObjectInformationClass == ObjectTypesInformation){FilterObject((POBJECT_TYPE_INFORMATION)ObjectInformation);}}__except (1){}}return Status;
}NTSTATUS FASTCALL _NtYieldExecution()
{/*ntdll函数NtYieldExecution或其kernel32等效的SwitchToThread函数允许当前的线程提供放弃其余的时间片,并允许下一个预定的线程执行。 如果没有线程被调度执行(或者当系统以特定的方式忙碌时)不允许发生切换),则ntdll NtYieldExecution()函数返回STATUS_NO_YIELD_PERFORMED(0x40000024)状态,这导致kernel32 SwitchToThread()函数返回零。 当一个应用程序被调试时,单步执行的行为代码导致调试事件,并且通常导致不允许收益。 但是,这是绝望的用于检测调试器的不可靠方法,因为它还将检测以高优先级运行的线程的存在。*/typedef NTSTATUS(FASTCALL *Q_NtYieldExecution)();NTSTATUS Status = ((Q_NtYieldExecution)ori_addr_NtYieldExecution)();if (ISAttachProcess(PsGetCurrentProcess())){return STATUS_NO_YIELD_PERFORMED;}else{return Status;}
}NTSTATUS FASTCALL _NtSystemDebugControl(IN DWORD ControlCode, IN PVOID InputBuffer,IN ULONG InputBufferLength,IN PVOID OutputBuffer,IN ULONG OutputBufferLength,OUT PULONG ReturnLength)
{
#define SysDbgGetTriageDump 29typedef NTSTATUS (FASTCALL *Q_NtSystemDebugControl)(DWORD, PVOID, ULONG, PVOID, ULONG, PULONG);if (ISAttachProcess(PsGetCurrentProcess())){if (ControlCode == SysDbgGetTriageDump)return STATUS_INFO_LENGTH_MISMATCH;return STATUS_DEBUGGER_INACTIVE; }return ((Q_NtSystemDebugControl)ori_addr_NtSystemDebugControl)(ControlCode, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength, ReturnLength);
}NTSTATUS FASTCALL _NtQuerySystemTime(IN PLARGE_INTEGER SystemTime)
{typedef NTSTATUS(FASTCALL *Q_NtQuerySystemTime)(PLARGE_INTEGER);if (ISAttachProcess(PsGetCurrentProcess())){if (!NativeSysTime.QuadPart){((Q_NtQuerySystemTime)ori_addr_NtQuerySystemTime)(&NativeSysTime);}else{NativeSysTime.QuadPart++;}NTSTATUS ntStat = ((Q_NtQuerySystemTime)ori_addr_NtQuerySystemTime)(&NativeSysTime);if (ntStat == STATUS_SUCCESS){if (SystemTime){SystemTime->QuadPart = NativeSysTime.QuadPart;}}return ntStat;}else{return ((Q_NtQuerySystemTime)ori_addr_NtQuerySystemTime)(&NativeSysTime);}
}NTSTATUS FASTCALL _NtQueryPerformanceCounter(OUT PLARGE_INTEGER PerformanceCounter,OUT PLARGE_INTEGER PerformanceFrequency)
{typedef NTSTATUS(FASTCALL *Q_NtQueryPerformanceCounter)(PLARGE_INTEGER, PLARGE_INTEGER);static LARGE_INTEGER OnePerformanceCounter = { 0 };static LARGE_INTEGER OnePerformanceFrequency = { 0 };if (!OnePerformanceCounter.QuadPart && ISAttachProcess(PsGetCurrentProcess())){((Q_NtQueryPerformanceCounter)ori_addr_NtQueryPerformanceCounter)(&OnePerformanceCounter, &OnePerformanceFrequency);}else{OnePerformanceCounter.QuadPart++;}NTSTATUS ntStat = ((Q_NtQueryPerformanceCounter)ori_addr_NtQueryPerformanceCounter)(PerformanceCounter, PerformanceFrequency);if (ntStat == STATUS_SUCCESS && ISAttachProcess(PsGetCurrentProcess())){if (PerformanceFrequency) //OPTIONAL{PerformanceFrequency->QuadPart = OnePerformanceFrequency.QuadPart;}if (PerformanceCounter){PerformanceCounter->QuadPart = OnePerformanceCounter.QuadPart;}}return ntStat;}NTSTATUS FASTCALL _NtSetDebugFilterState(IN ULONG ComponentId,IN ULONG Level,IN BOOLEAN State)
{return STATUS_ACCESS_DENIED;
}NTSTATUS FASTCALL _NtQueueApcThread(IN HANDLE ThreadHandle,IN PVOID ApcRoutine,IN PVOID ApcArgument1,IN PVOID ApcArgument2,IN PVOID ApcArgument3)
{typedef NTSTATUS(FASTCALL *Q_NtQueueApcThread)(HANDLE, PVOID, PVOID, PVOID, PVOID);if (!ISProtectTools(PsGetCurrentProcessId()) ||PsGetCurrentProcess() != win32k_Process ||PsGetCurrentProcess() != CsrssProcess){PETHREAD Thread = HandleToThread(ThreadHandle);if (Thread == NULL || ThreadHandle == NtCurrentThread()){return ((Q_NtQueueApcThread)ori_addr_NtQueueApcThread)(ThreadHandle, ApcRoutine, ApcArgument1, ApcArgument2, ApcArgument3);}else{if (ISProtectTools(PsGetThreadProcessId(Thread))){return STATUS_UNSUCCESSFUL;}return ((Q_NtQueueApcThread)ori_addr_NtQueueApcThread)(ThreadHandle, ApcRoutine, ApcArgument1, ApcArgument2, ApcArgument3);}}else{return ((Q_NtQueueApcThread)ori_addr_NtQueueApcThread)(ThreadHandle, ApcRoutine, ApcArgument1, ApcArgument2, ApcArgument3);}
}NTSTATUS FASTCALL _NtOpenFile(PHANDLE FileHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,PIO_STATUS_BLOCK IoStatusBlock,ULONG ShareAccess,ULONG OpenOptions)
{UNICODE_STRING uFakeObjectName = { 0 };static WCHAR* wszRegeditPath = L"??C:windowsregedit.exe";typedef NTSTATUS(FASTCALL *Q_NtOpenFile)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, ULONG, ULONG);if (ObjectAttributes && ObjectAttributes->ObjectName->Length > 0 && \ValidateUnicodeString(ObjectAttributes->ObjectName)){if (IsPassGame(PsGetCurrentProcessId())){if (wcsistr(ObjectAttributes->ObjectName->Buffer, L"Cheat Engine") ||wcsistr(ObjectAttributes->ObjectName->Buffer, L"PCHunter64") ||wcsistr(ObjectAttributes->ObjectName->Buffer, L"5410")||wcsistr(ObjectAttributes->ObjectName->Buffer, L"cheatengine")){RtlInitUnicodeString(&uFakeObjectName, wszRegeditPath);ObjectAttributes->ObjectName = &uFakeObjectName;}}}return ((Q_NtOpenFile)ori_addr_NtOpenFile)(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions);}NTSTATUS FASTCALL _NtCreateFile(OUT PHANDLE FileHandle,IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes,OUT PIO_STATUS_BLOCK IoStatusBlock,OUT PLARGE_INTEGER AllocationSize,IN ULONG FileAttributes,IN ULONG ShareAccess,IN ULONG CreateDisposition,IN ULONG CreateOptions,IN PVOID EaBuffer,IN ULONG EaLength)
{UNICODE_STRING uFakeObjectName = { 0 };static WCHAR* wszRegeditPath = L"??C:windowsregedit.exe";typedef NTSTATUS(FASTCALL *Q_NtCreateFile)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, PLARGE_INTEGER, ULONG, ULONG, ULONG, ULONG, PVOID, ULONG);if ( ObjectAttributes && ObjectAttributes->ObjectName->Length > 0 && \ValidateUnicodeString(ObjectAttributes->ObjectName)){if (IsPassGame(PsGetCurrentProcessId())){if (wcsistr(ObjectAttributes->ObjectName->Buffer, L"Cheat Engine") ||wcsistr(ObjectAttributes->ObjectName->Buffer, L"PCHunter64") ||wcsistr(ObjectAttributes->ObjectName->Buffer, L"5410") ||wcsistr(ObjectAttributes->ObjectName->Buffer, L"cheatengine")){RtlInitUnicodeString(&uFakeObjectName, wszRegeditPath);ObjectAttributes->ObjectName = &uFakeObjectName;}}}return ((Q_NtCreateFile)ori_addr_NtCreateFile)(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
}NTSTATUS FASTCALL _NtQueryDirectoryFile(IN HANDLE FileHandle,IN HANDLE Event OPTIONAL,IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,IN PVOID ApcContext OPTIONAL,OUT PIO_STATUS_BLOCK IoStatusBlock,OUT PVOID FileInformation,IN ULONG FileInformationLength,IN FILE_INFORMATION_CLASS FileInformationClass,IN BOOLEAN ReturnSingleEntry,IN PUNICODE_STRING FileName OPTIONAL,IN BOOLEAN RestartScan)
{typedef NTSTATUS(FASTCALL *Q_NtQueryDirectoryFile)(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS, BOOLEAN, PUNICODE_STRING, BOOLEAN);typedef struct _FILE_BOTH_DIRECTORY_INFORMATION {ULONG NextEntryOffset;ULONG FileIndex;LARGE_INTEGER CreationTime;LARGE_INTEGER LastAccessTime;LARGE_INTEGER LastWriteTime;LARGE_INTEGER ChangeTime;LARGE_INTEGER EndOfFile;LARGE_INTEGER AllocationSize;ULONG FileAttributes;ULONG FileNameLength;ULONG EaSize;CHAR ShortNameLength;WCHAR ShortName[12];WCHAR FileName[ANYSIZE_ARRAY];} FILE_BOTH_DIRECTORY_INFORMATION, *PFILE_BOTH_DIRECTORY_INFORMATION,FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;NTSTATUS Status;Status = ((Q_NtQueryDirectoryFile)ori_addr_NtQueryDirectoryFile)(\FileHandle, Event, ApcRoutine, ApcContext, \IoStatusBlock, FileInformation, FileInformationLength, \FileInformationClass, ReturnSingleEntry, FileName, RestartScan);if (!NT_SUCCESS(Status)){return Status;}if (FileIdBothDirectoryInformation == FileInformationClass){FILE_BOTH_DIRECTORY_INFORMATION* pFileInfo = (FILE_BOTH_DIRECTORY_INFORMATION*)FileInformation;FILE_BOTH_DIRECTORY_INFORMATION* pLastFileInfo = NULL;BOOL bLastFlag = FALSE;do{bLastFlag = !(pFileInfo->NextEntryOffset);if (wcsistr(pFileInfo->FileName, L"Cheat Engine") ||wcsistr(pFileInfo->FileName, L"PCHunter64") ||wcsistr(pFileInfo->FileName, L"5410") ||wcsistr(pFileInfo->FileName, L"cheatengine")){if (bLastFlag) //链表里最后一个文件{pLastFileInfo->NextEntryOffset = 0;break;}else{int iPos = (ULONG)pFileInfo - (ULONG)FileInformation;int iLeft = (ULONG)FileInformationLength - iPos - pFileInfo->NextEntryOffset;RtlCopyMemory((PVOID)pFileInfo, (PVOID)((char *)pFileInfo + pFileInfo->NextEntryOffset), iLeft);continue;}}pLastFileInfo = pFileInfo;pFileInfo = (PFILE_BOTH_DIRECTORY_INFORMATION)((CHAR*)pFileInfo + pFileInfo->NextEntryOffset);} while (!bLastFlag);}return Status;
}NTSTATUS FASTCALL _NtContinue(IN PCONTEXT ThreadContext,IN BOOLEAN RaiseAlert)
{int ThreadDebugContextFindExistingSlotIndex();void ThreadDebugContextRemoveEntry(const int index);typedef NTSTATUS(FASTCALL *Q_NtContinue)(PCONTEXT, BOOLEAN);int index = ThreadDebugContextFindExistingSlotIndex();if (ThreadContext){if (index != -1){ThreadContext->Dr0 = ArrayDebugRegister[index].Dr0;ThreadContext->Dr1 = ArrayDebugRegister[index].Dr1;ThreadContext->Dr2 = ArrayDebugRegister[index].Dr2;ThreadContext->Dr3 = ArrayDebugRegister[index].Dr3;ThreadContext->Dr6 = ArrayDebugRegister[index].Dr6;ThreadContext->Dr7 = ArrayDebugRegister[index].Dr7;ThreadDebugContextRemoveEntry(index);}}return ((Q_NtContinue)ori_addr_NtContinue)(ThreadContext, RaiseAlert);
}BOOLEAN FASTCALL _DbgkForwardException(
IN PEXCEPTION_RECORD64 ExceptionRecord,
IN BOOLEAN DebugException,
IN BOOLEAN SecondChance)
{extern ULONG_PTR _read_r12();typedef BOOLEAN(FASTCALL *Q_DbgkForwardException)(PEXCEPTION_RECORD64, BOOLEAN, BOOLEAN);void FASTCALL _KiUserExceptionDispatcher(PEXCEPTION_RECORD pExcptRec, PCONTEXT ContextFrame);PCONTEXT r12 = (PCONTEXT)_read_r12();if (ISAttachProcess(PsGetCurrentProcess())){//DbgBreakPoint();//return FALSE;BOOLEAN bret = FALSE;if (ExceptionRecord->ExceptionCode != STATUS_WX86_BREAKPOINT &&ExceptionRecord->ExceptionCode != STATUS_WX86_SINGLE_STEP && ExceptionRecord->ExceptionCode != STATUS_ACCESS_VIOLATION &&ExceptionRecord->ExceptionCode != STATUS_BREAKPOINT &&ExceptionRecord->ExceptionCode != STATUS_SINGLE_STEP){_KiUserExceptionDispatcher(ExceptionRecord, r12);return FALSE;}bret = ((Q_DbgkForwardException)ori_addr_DbgkForwardException)(ExceptionRecord, DebugException, SecondChance);if (!bret) _KiUserExceptionDispatcher(ExceptionRecord, r12);return bret;}return ((Q_DbgkForwardException)ori_addr_DbgkForwardException)(ExceptionRecord, DebugException, SecondChance);
}VOID change_anitanit_debug(IN BOOLEAN open)
{if (open == TRUE){ori_head_ObCheckObjectAccess = sale_hook(ObCheckObjectAccess, _ObCheckObjectAccess,&ori_addr_ObCheckObjectAccess, &changge_size_ObCheckObjectAccess);ori_head_DbgkForwardException = sale_hook(SymbolsInfo.DbgkForwardException, _DbgkForwardException,&ori_addr_DbgkForwardException, &changge_size_DbgkForwardException);ori_head_ObpCallPreOperationCallbacks = sale_hook(SymbolsInfo.ObpCallPreOperationCallbacks, _ObpCallPreOperationCallbacks,&ori_addr_ObpCallPreOperationCallbacks, &changge_size_ObpCallPreOperationCallbacks); }else{sale_unhook(ObCheckObjectAccess, ori_head_ObCheckObjectAccess, changge_size_ObCheckObjectAccess);sale_unhook(SymbolsInfo.DbgkForwardException, ori_head_DbgkForwardException, changge_size_DbgkForwardException);sale_unhook(SymbolsInfo.ObpCallPreOperationCallbacks, ori_head_ObpCallPreOperationCallbacks, changge_size_ObpCallPreOperationCallbacks); }
}VOID change_shadow_service(IN BOOLEAN open)
{typedef struct _KSERVICE_TABLE_DESCRIPTOR{PVOID ServiceTableBase;PVOID ServiceCounterTableBase;ULONGLONG NumberOfServices;PVOID ParamTableBase;} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;ULONG_PTR ServiceAddress;PULONG W32pServiceTable;PKSERVICE_TABLE_DESCRIPTOR SSDTShadow = SymbolsInfo.KeServiceDescriptorTableShadow;KeAttachProcess((PRKPROCESS)win32k_Process);if (open == TRUE){W32pServiceTable = SSDTShadow[1].ServiceTableBase;NtUserGetDC = (ULONG_PTR)(((QWORD)(W32pServiceTable[10] >> 4)+ (QWORD)W32pServiceTable) & 0xfffffff000ffffff);NtUserGetDCEx = (ULONG_PTR)(((QWORD)(W32pServiceTable[146] >> 4)+ (QWORD)W32pServiceTable) & 0xfffffff000ffffff);NtUserGetWindowDC = (ULONG_PTR)(((QWORD)(W32pServiceTable[100] >> 4)+ (QWORD)W32pServiceTable) & 0xfffffff000ffffff);NtGdiBitBlt = (ULONG_PTR)(((QWORD)(W32pServiceTable[8] >> 4)+ (QWORD)W32pServiceTable) & 0xfffffff000ffffff);NtGdiStretchBlt = (ULONG_PTR)(((QWORD)(W32pServiceTable[49] >> 4)+ (QWORD)W32pServiceTable) & 0xfffffff000ffffff);NtUserBlockInput = (ULONG_PTR)(((QWORD)(W32pServiceTable[643] >> 4)+ (QWORD)W32pServiceTable) & 0xfffffff000ffffff);NtUserQueryWindow = (ULONG_PTR)(((QWORD)(W32pServiceTable[16] >> 4)+ (QWORD)W32pServiceTable) & 0xfffffff000ffffff);NtUserFindWindowEx = (ULONG_PTR)(((QWORD)(W32pServiceTable[110] >> 4)+ (QWORD)W32pServiceTable) & 0xfffffff000ffffff);NtUserBuildHwndList = (ULONG_PTR)(((QWORD)(W32pServiceTable[28] >> 4)+ (QWORD)W32pServiceTable) & 0xfffffff000ffffff);NtUserGetClassName = (ULONG_PTR)(((QWORD)(W32pServiceTable[123] >> 4)+ (QWORD)W32pServiceTable) & 0xfffffff000ffffff);NtGdiGetPixel = (ULONG_PTR)(((QWORD)(W32pServiceTable[191] >> 4)+ (QWORD)W32pServiceTable) & 0xfffffff000ffffff);NtUserCallOneParam = (ULONG_PTR)(((QWORD)(W32pServiceTable[2] >> 4)+ (QWORD)W32pServiceTable) & 0xfffffff000ffffff);NtUserWindowFromPoint = (ULONG_PTR)(((QWORD)(W32pServiceTable[20] >> 4)+ (QWORD)W32pServiceTable) & 0xfffffff000ffffff);NtUserGetForegroundWindow = (ULONG_PTR)(((QWORD)(W32pServiceTable[60] >> 4)+ (QWORD)W32pServiceTable) & 0xfffffff000ffffff);NtUserWindowFromPhysicalPoint = (ULONG_PTR)(((QWORD)(W32pServiceTable[823] >> 4)+ (QWORD)W32pServiceTable) & 0xfffffff000ffffff);ori_head_NtUserGetDC = sale_hook(NtUserGetDC, (PVOID)_NtUserGetDC,&ori_addr_NtUserGetDC, &changge_size_NtUserGetDC);ori_head_NtUserGetDCEx = sale_hook(NtUserGetDCEx, (PVOID)_NtUserGetDCEx,&ori_addr_NtUserGetDCEx, &changge_size_NtUserGetDCEx);// ori_head_NtUserGetWindowDC = sale_hook(NtUserGetWindowDC, (PVOID)_NtUserGetWindowDC,
// &ori_addr_NtUserGetWindowDC, &changge_size_NtUserGetWindowDC);ori_head_NtGdiGetPixel = sale_hook(NtGdiGetPixel, (PVOID)_NtGdiGetPixel,&ori_addr_NtGdiGetPixel, &changge_size_NtGdiGetPixel);ori_head_NtUserBlockInput = sale_hook(NtUserBlockInput, (PVOID)_NtUserBlockInput,&ori_addr_NtUserBlockInput, &changge_size_NtUserBlockInput);ori_head_NtUserFindWindowEx = sale_hook(NtUserFindWindowEx, (PVOID)_NtUserFindWindowEx,&ori_addr_NtUserFindWindowEx, &changge_size_NtUserFindWindowEx);ori_head_NtUserBuildHwndList = sale_hook(NtUserBuildHwndList, (PVOID)_NtUserBuildHwndList,&ori_addr_NtUserBuildHwndList, &changge_size_NtUserBuildHwndList);ori_head_NtUserWindowFromPoint = sale_hook(NtUserWindowFromPoint, (PVOID)_NtUserWindowFromPoint,&ori_addr_NtUserWindowFromPoint, &changge_size_NtUserWindowFromPoint);ori_head_NtUserGetForegroundWindow = sale_hook(NtUserGetForegroundWindow, (PVOID)_NtUserGetForegroundWindow,&ori_addr_NtUserGetForegroundWindow, &changge_size_NtUserGetForegroundWindow);ori_head_NtUserWindowFromPhysicalPoint = sale_hook(NtUserWindowFromPhysicalPoint, (PVOID)_NtUserWindowFromPhysicalPoint,&ori_addr_NtUserWindowFromPhysicalPoint, &changge_size_NtUserWindowFromPhysicalPoint);ULONG_PTR addr = (ULONG_PTR)NtUserQueryWindow + 0x1f;addr = *(PDWORD)(addr + 1) + 5 + addr;ori_head_ValidateHwnd = sale_hook(addr, (PVOID)_ValidateHwnd,&ori_addr_ValidateHwnd, &changge_size_ValidateHwnd);}else{sale_unhook(NtUserGetDC, ori_head_NtUserGetDC, changge_size_NtUserGetDC);sale_unhook(NtUserGetDCEx, ori_head_NtUserGetDCEx, changge_size_NtUserGetDCEx);// sale_unhook(NtUserGetWindowDC, ori_head_NtUserGetWindowDC, changge_size_NtUserGetWindowDC);sale_unhook(NtGdiGetPixel, ori_head_NtGdiGetPixel, changge_size_NtGdiGetPixel);sale_unhook(NtUserBlockInput, ori_head_NtUserBlockInput, changge_size_NtUserBlockInput);sale_unhook(NtUserFindWindowEx, ori_head_NtUserFindWindowEx, changge_size_NtUserFindWindowEx);sale_unhook(NtUserBuildHwndList, ori_head_NtUserBuildHwndList, changge_size_NtUserBuildHwndList);sale_unhook(NtUserWindowFromPoint, ori_head_NtUserWindowFromPoint, changge_size_NtUserWindowFromPoint);sale_unhook(NtUserGetForegroundWindow, ori_head_NtUserGetForegroundWindow, changge_size_NtUserGetForegroundWindow);sale_unhook(NtUserWindowFromPhysicalPoint, ori_head_NtUserWindowFromPhysicalPoint, changge_size_NtUserWindowFromPhysicalPoint);ULONG_PTR addr = (ULONG_PTR)NtUserQueryWindow + 0x1f;addr = *(PDWORD)(addr + 1) + 5 + addr;sale_unhook(addr, ori_head_ValidateHwnd, changge_size_ValidateHwnd);}KeDetachProcess();
}VOID change_ssdt_hook(IN BOOLEAN open)
{if (open){ori_head_NtClose = sale_hook(QNtClose, (PVOID)_NtClose,&ori_addr_NtClose, &changge_size_NtClose);ori_head_NtContinue = sale_hook(NtContinue, (PVOID)_NtContinue,&ori_addr_NtContinue, &changge_size_NtContinue);ori_head_NtOpenProcess = sale_hook(NtOpenProcess, (PVOID)_NtOpenProcess,&ori_addr_NtOpenProcess, &changge_size_NtOpenProcess);ori_head_NtQueryObject = sale_hook(QNtQueryObject, (PVOID)_NtQueryObject,&ori_addr_NtQueryObject, &changge_size_NtQueryObject);ori_head_NtOpenFile = sale_hook(NtOpenFile, (PVOID)_NtOpenFile,&ori_addr_NtOpenFile, &changge_size_NtOpenFile);ori_head_NtCreateFile = sale_hook(NtCreateFile, (PVOID)_NtCreateFile,&ori_addr_NtCreateFile, &changge_size_NtCreateFile);ori_head_NtQuerySystemTime = sale_hook(NtQuerySystemTime, (PVOID)_NtQuerySystemTime,&ori_addr_NtQuerySystemTime, &changge_size_NtQuerySystemTime);ori_head_NtQueryDirectoryFile = sale_hook(NtQueryDirectoryFile, (PVOID)_NtQueryDirectoryFile,&ori_addr_NtQueryDirectoryFile, &changge_size_NtQueryDirectoryFile);ori_head_NtYieldExecution = sale_hook(NtYieldExecution, (PVOID)_NtYieldExecution,&ori_addr_NtYieldExecution, &changge_size_NtYieldExecution);ori_head_NtQueueApcThread = sale_hook(NtQueueApcThread, (PVOID)_NtQueueApcThread,&ori_addr_NtQueueApcThread, &changge_size_NtQueueApcThread);ori_head_NtCreateThreadEx = sale_hook(NtCreateThreadEx, (PVOID)_NtCreateThreadEx,&ori_addr_NtCreateThreadEx, &changge_size_NtCreateThreadEx);ori_head_NtSystemDebugControl = sale_hook(SymbolsInfo.NtSystemDebugControl, (PVOID)_NtSystemDebugControl,&ori_addr_NtSystemDebugControl, &changge_size_NtSystemDebugControl);ori_head_NtSetDebugFilterState = sale_hook(NtSetDebugFilterState, (PVOID)_NtSetDebugFilterState,&ori_addr_NtSetDebugFilterState, &changge_size_NtSetDebugFilterState);ori_head_NtQuerySystemInformation = sale_hook(NtQuerySystemInformation, (PVOID)_NtQuerySystemInformation,&ori_addr_NtQuerySystemInformation, &changge_size_NtQuerySystemInformation);ori_head_NtQueryInformationThread = sale_hook(SymbolsInfo.NtQueryInformationThread, (PVOID)_NtQueryInformationThread,&ori_addr_NtQueryInformationThread, &changge_size_NtQueryInformationThread);ori_head_NtQueryInformationProcess = sale_hook(NtQueryInformationProcess, (PVOID)_NtQueryInformationProcess,&ori_addr_NtQueryInformationProcess, &changge_size_NtQueryInformationProcess);ori_head_NtSetInformationProcess = sale_hook(NtSetInformationProcess, (PVOID)_NtSetInformationProcess,&ori_addr_NtSetInformationProcess, &changge_size_NtSetInformationProcess);
// ori_head_NtQueryPerformanceCounter = sale_hook(NtQueryPerformanceCounter, (PVOID)_NtQueryPerformanceCounter,
// &ori_addr_NtQueryPerformanceCounter, &changge_size_NtQueryPerformanceCounter);}else{ sale_unhook(QNtClose, ori_head_NtClose, changge_size_NtClose);sale_unhook(NtContinue, ori_head_NtContinue, changge_size_NtContinue);sale_unhook(NtOpenProcess, ori_head_NtOpenProcess, changge_size_NtOpenProcess);sale_unhook(QNtQueryObject, ori_head_NtQueryObject, changge_size_NtQueryObject);sale_unhook(NtOpenFile, ori_head_NtOpenFile, changge_size_NtOpenFile);sale_unhook(NtCreateFile, ori_head_NtCreateFile, changge_size_NtCreateFile);sale_unhook(NtQueryDirectoryFile, ori_head_NtQueryDirectoryFile, changge_size_NtQueryDirectoryFile);sale_unhook(NtYieldExecution, ori_head_NtYieldExecution, changge_size_NtYieldExecution);sale_unhook(NtQuerySystemTime, ori_head_NtQuerySystemTime, changge_size_NtQuerySystemTime);sale_unhook(NtQueueApcThread, ori_head_NtQueueApcThread, changge_size_NtQueueApcThread);sale_unhook(NtCreateThreadEx, ori_head_NtCreateThreadEx, changge_size_NtCreateThreadEx);sale_unhook(SymbolsInfo.NtSystemDebugControl, ori_head_NtSystemDebugControl, changge_size_NtSystemDebugControl);sale_unhook(NtSetDebugFilterState, ori_head_NtSetDebugFilterState, changge_size_NtSetDebugFilterState);sale_unhook(NtQuerySystemInformation, ori_head_NtQuerySystemInformation, changge_size_NtQuerySystemInformation);sale_unhook(SymbolsInfo.NtQueryInformationThread, ori_head_NtQueryInformationThread, changge_size_NtQueryInformationThread);sale_unhook(NtQueryInformationProcess, ori_head_NtQueryInformationProcess, changge_size_NtQueryInformationProcess);sale_unhook(NtSetInformationProcess, ori_head_NtSetInformationProcess, changge_size_NtSetInformationProcess);
// sale_unhook(NtQueryPerformanceCounter, ori_head_NtQueryPerformanceCounter, changge_size_NtQueryPerformanceCounter);}
}
//功能:过滤游戏打开保护进程权限
BOOLEAN FASTCALL _ObCheckObjectAccess(IN PVOID Object,IN OUT PACCESS_STATE AccessState,IN BOOLEAN TypeMutexLocked,IN KPROCESSOR_MODE AccessMode,OUT PNTSTATUS AccessStatus)
{for (int i = 0; i < PROCESS_COUNT; i++){if (_stricmp(PsGetProcessImageFileName(PsGetCurrentProcess()), AccessProcess[i]) == 0) //检查信任列表{goto __ret__;}}if (!ISProtectTools(PsGetCurrentProcessId()) && MmIsAddressValid(Object)){if (IsProcess(Object) && ISProtectTools(PsGetProcessId(Object))){*AccessStatus = STATUS_ACCESS_DENIED;return FALSE;}else if (IsThread(Object) && ISProtectTools(PsGetThreadProcessId(Object))){*AccessStatus = STATUS_ACCESS_DENIED;return FALSE;}}
__ret__:return ((BOOLEAN(FASTCALL*)(PVOID, PACCESS_STATE, BOOLEAN, KPROCESSOR_MODE, PNTSTATUS))\ori_addr_ObCheckObjectAccess)(Object, AccessState, TypeMutexLocked,AccessMode, AccessStatus);
}//功能:保护进程断链
VOID ProcessBreakChain()
{KIRQL irql;int i = 0;PLIST_ENTRY entry;LARGE_INTEGER liInterval;PEPROCESS_S SystemProcess;NTSTATUS Status = PsLookupProcessByProcessId((HANDLE)4, &SystemProcess);if (!NT_SUCCESS(Status)){SystemProcess = PsGetCurrentProcess();}else{ObfDereferenceObject(SystemProcess);}while (1){if (g_delete_driver == TRUE)break;for (entry = SystemProcess->ActiveProcessLinks.Flink; entry != &entry; entry = entry->Flink){if (g_delete_driver == TRUE)break;PEPROCESS_S Process = (PEPROCESS_S)((PBYTE)entry - 0x188);if (ISProtectTools(PsGetProcessId(Process)) || ISVMwareTools(PsGetProcessId(Process))){__try{irql = cli();RemoveEntryList(entry);sti(irql);}__except (1){}}}if (g_delete_driver == TRUE)break;liInterval.QuadPart = -10 * 1000 * 1000 * 2; 延迟2秒钟运行 ;KeDelayExecutionThread(KernelMode, TRUE, &liInterval);}PsTerminateSystemThread(STATUS_SUCCESS);
}
文件回调
//功能:文件回调处理函数
OB_PREOP_CALLBACK_STATUS FileCallback(PVOID RegistrationContext,POB_PRE_OPERATION_INFORMATION OperationInformation)
{UNICODE_STRING DosName;PFILE_OBJECT fileo = OperationInformation->Object;ACCESS_MASK amask = OperationInformation->Parameters->CreateHandleInformation.DesiredAccess;static WCHAR* protect[] ={ L"HawkOD",L"Ollydbg",L"x32dbg",L"5410",L"吾爱破解",L"PCHunter64",L"Cheat Engine",L"CE64",L"cheatengine" };if (!IsPassGame(PsGetCurrentProcessId())){return OB_PREOP_SUCCESS;}
// for (int i = 0; i < PROCESS_COUNT; i++)
// {
// if (_stricmp(PsGetProcessImageFileName(PsGetCurrentProcess()), AccessProcess[i]) == 0) //检查信任列表
// {
// return OB_PREOP_SUCCESS;
// }
// }UNREFERENCED_PARAMETER(RegistrationContext);if (OperationInformation->ObjectType != *IoFileObjectType)return OB_PREOP_SUCCESS;if (fileo->FileName.Buffer == NULL ||!MmIsAddressValid(fileo->FileName.Buffer) ||fileo->DeviceObject == NULL ||!MmIsAddressValid(fileo->DeviceObject)) //过滤1:无效指针return OB_PREOP_SUCCESS;if (!_wcsicmp(fileo->FileName.Buffer, L"\\Endpoint") ||!_wcsicmp(fileo->FileName.Buffer, L"?") ||!_wcsicmp(fileo->FileName.Buffer, L"\\.\\.")
// || !_wcsicmp(fileo->FileName.Buffer, L"\\")) //过滤2:无效路径return OB_PREOP_SUCCESS;__try{RtlVolumeDeviceToDosName(fileo->DeviceObject, &DosName);for (int i = 0; i < _countof(protect); i++){if (wcsistr(fileo->FileName.Buffer, protect[i])){fileo->Size = 1;OperationInformation->ObjectType = *PsProcessType;OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = DELETE;return OB_PREOP_SUCCESS;}}}__except (1){}return OB_PREOP_SUCCESS;
}//功能:注册文件回调
BOOLEAN RegisterFileCallBack()
{NTSTATUS status;OB_CALLBACK_REGISTRATION obReg;OB_OPERATION_REGISTRATION opReg;PLDR_DATA_TABLE_ENTRY ldr;// enable IoFileObjectType((POBJECT_TYPE_S)*IoFileObjectType)->TypeInfo.SupportsObjectCallbacks = TRUE;// init callbacksmemset(&obReg, 0, sizeof(obReg));obReg.Version = ObGetFilterVersion();obReg.OperationRegistrationCount = 1;obReg.RegistrationContext = NULL;RtlInitUnicodeString(&obReg.Altitude, L"321000");obReg.OperationRegistration = &opReg;memset(&opReg, 0, sizeof(opReg));opReg.ObjectType = IoFileObjectType;opReg.Operations = OB_OPERATION_HANDLE_CREATE;opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&FileCallback;// register callbacksstatus = ObRegisterCallbacks(&obReg, &g_start_obfile);if (NT_SUCCESS(status)){return TRUE;}else{return FALSE;}}监控注册表_注册表表回调
g_start_cmst = CmRegisterCallback(RegistryCallBack, NULL, &g_start_cmhandle);//注册注册表回调函数 RegistryCallBack,
//功能:注册表回调处理函数
NTSTATUS RegistryCallBack(IN PVOID CallbackContext,IN PVOID Argument1,IN PVOID Argument2)
{BOOLEAN GetRegistryObjectCompleteName(PUNICODE_STRING, PVOID);//定义变量NTSTATUS CallbackStatus = STATUS_SUCCESS;// if (_stricmp("regedit.exe", (const char*)PsGetProcessImageFileName(PsGetCurrentProcess())) != 0)// return CallbackStatus;
#define REGISTRY_POOL_TAG 'pRE'ULONG uRegNotifStyle;UNICODE_STRING registryPath;//static WCHAR* protectname = L"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist";static WCHAR* protectname = L"UserAssist";static WCHAR* protectname2 = L"Count";registryPath.Length = 0;registryPath.MaximumLength = 2048 * sizeof(WCHAR);registryPath.Buffer = ExAllocatePoolWithTag(NonPagedPoolMustSucceed, registryPath.MaximumLength, REGISTRY_POOL_TAG);RtlZeroMemory(registryPath.Buffer, registryPath.MaximumLength);//设置变量uRegNotifStyle = (ULONG)Argument1;//REG_NOTIFY_CLASS//操作类型switch (uRegNotifStyle){case RegNtPreOpenKeyEx:case RegNtPreCreateKeyEx: //即将打开的注册表项{PREG_CREATE_KEY_INFORMATION pRegCreateKeyEx = (PREG_CREATE_KEY_INFORMATION)Argument2;GetRegistryObjectCompleteName(®istryPath, pRegCreateKeyEx->RootObject);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}break;}case RegNtPostCreateKey:{PREG_POST_CREATE_KEY_INFORMATION createKey = (PREG_POST_CREATE_KEY_INFORMATION)Argument2;if (NT_SUCCESS(createKey->Status)){GetRegistryObjectCompleteName(®istryPath, *(PVOID*)createKey->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}}break;}case RegNtPostOpenKey:{PREG_POST_OPEN_KEY_INFORMATION openKey = (PREG_POST_OPEN_KEY_INFORMATION)Argument2;if (NT_SUCCESS(openKey->Status)){GetRegistryObjectCompleteName(®istryPath, *(PVOID*)openKey->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}}break;}case RegNtQueryKey: //将要查询的键{PREG_QUERY_KEY_INFORMATION pRegQueryKey = (PREG_QUERY_KEY_INFORMATION)Argument2;GetRegistryObjectCompleteName(®istryPath, pRegQueryKey->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}break;}case RegNtQueryValueKey:{PREG_QUERY_VALUE_KEY_INFORMATION queryValueKey = (PREG_QUERY_VALUE_KEY_INFORMATION)Argument2;GetRegistryObjectCompleteName(®istryPath, queryValueKey->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}break;}case RegNtEnumerateKey: //子项被列举的关键{PREG_ENUMERATE_KEY_INFORMATION pRegEnumerateKey = (PREG_ENUMERATE_KEY_INFORMATION)Argument2;GetRegistryObjectCompleteName(®istryPath, pRegEnumerateKey->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}break;}case RegNtEnumerateValueKey:{PREG_ENUMERATE_VALUE_KEY_INFORMATION enumerateValueKey = (PREG_ENUMERATE_VALUE_KEY_INFORMATION)Argument2;GetRegistryObjectCompleteName(®istryPath, enumerateValueKey->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}break;}case RegNtPreSetValueKey: //注册表项的值输入一个新的设置{PREG_SET_VALUE_KEY_INFORMATION pRegSetValueKeyInfo = (PREG_SET_VALUE_KEY_INFORMATION)Argument2;GetRegistryObjectCompleteName(®istryPath, pRegSetValueKeyInfo->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}break;}case RegNtPreDeleteValueKey: //注册表项的值被删除{PREG_DELETE_VALUE_KEY_INFORMATION pRegDeleteValueKey = (PREG_DELETE_VALUE_KEY_INFORMATION)Argument2;GetRegistryObjectCompleteName(®istryPath, pRegDeleteValueKey->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}break;}case RegNtPreDeleteKey: //注册表项被删除{PREG_DELETE_KEY_INFORMATION pRegDeleteKey = (PREG_DELETE_KEY_INFORMATION)Argument2;GetRegistryObjectCompleteName(®istryPath, pRegDeleteKey->Object);if (wcsistr(registryPath.Buffer, protectname) || \wcsistr(registryPath.Buffer, protectname2)){CallbackStatus = STATUS_CALLBACK_BYPASS;}break;}default:break;}ExFreePoolWithTag(registryPath.Buffer, REGISTRY_POOL_TAG);return CallbackStatus;
}
进程隐藏-断链
//功能:保护进程短链
VOID ProcessBreakChain()
{KIRQL irql;int i = 0;PLIST_ENTRY entry;LARGE_INTEGER liInterval;PEPROCESS_S SystemProcess;NTSTATUS Status = PsLookupProcessByProcessId((HANDLE)4, &SystemProcess);if (!NT_SUCCESS(Status)){SystemProcess = PsGetCurrentProcess();}else{ObfDereferenceObject(SystemProcess);}while (1){if (g_delete_driver == TRUE)break;for (entry = SystemProcess->ActiveProcessLinks.Flink; entry != &entry; entry = entry->Flink){if (g_delete_driver == TRUE)break;PEPROCESS_S Process = (PEPROCESS_S)((PBYTE)entry - 0x188);if (ISProtectTools(PsGetProcessId(Process)) || ISVMwareTools(PsGetProcessId(Process))){__try{irql = cli();RemoveEntryList(entry);sti(irql);}__except (1){}}}if (g_delete_driver == TRUE)break;liInterval.QuadPart = -10 * 1000 * 1000 * 2; 延迟2秒钟运行 ;KeDelayExecutionThread(KernelMode, TRUE, &liInterval);}PsTerminateSystemThread(STATUS_SUCCESS);
}
驱动编程:注册表回调,进程回调,文件回调,进程隐藏断链,窗口保护相关推荐
- 注册表中shell文件不见了_win7系统注册表中的shell文件不小心被删除的解决方法...
我们在操作电脑的时候,win7系统注册表中的shell文件不小心被删除的问题对于我们来说其实是比较少见的,一般情况下的正常使用都不会遇到win7系统注册表中的shell文件不小心被删除的状况.但在wi ...
- 谷歌浏览器本地项目登录失败(cookie未保存)、谷歌浏览器重装失败、谷歌浏览器禁用自动升级、注册表中的谷歌浏览器文件夹删除报错等问题
问题汇总 谷歌浏览器本地跑Vue项目或别的项目,在登录页面登录时,登录不成功. 谷歌浏览器卸载之后重装失败 注册表中的谷歌浏览器文件夹删除时,报错 谷歌浏览器禁用自动升级 重要的提示:别的系统我不太清 ...
- 不用注册表删除搜狗输入法残留文件夹
搜狗输入法平时用着其实还可以,为了精简电脑,本来觉得不好用的Win10输入法慢慢变得只能且简洁了,不得不删除Sogou输入法,删的时候总是残留两个文件夹特别烦人,自己试了很多方法都不可以,注册表也是了 ...
- Windows下通过注册表修改某个类型文件的默认打开方式和文件图标
一不小心把文件打开方式改了,怎么操作都改不回原来的,在网上找了半天才找到通过修改注册表实现的方法,现在总结一下- - 以下都以.cpp文件为例(因为我就是改了cpp文件的打开方式),其他类型的只要把c ...
- 【注册表】编辑REG文件基本语句——注册表的增删改
前言 我们知道regedit是注册表编辑器,通过注册表我们可以完成电脑中的各种设置功能.这篇文章主要是对reg文件的探索,它是注册表文件,就是你可以在这个文件中写一个指令来修改相应的注册表项,实现对注 ...
- qsettings删除注册表_QSettings读写ini文件和注册表
qt4.0一个非常有用的类QSettings QSettings是qt4.0提供的一个读取配置文件的类,在windows平台,它提供了ini文件读些,注册表读写的功能. 而且使用也非常简单.大家可以参 ...
- linux内核定义注册设备,linux字符型设备驱动 一.注册设备并创建设备文件
1.字符设备 字符设备.字符设备驱动与用户空间访问该设备的程序三者之间的关系 Linux内核中: a -- 使用cdev结构体来描述字符设备; b -- 通过其成员dev_t来定义设备号(分为主.次设 ...
- 关于CAD2022重装显示已安装,需要删除注册表中的CAD文件(需仔细)
(win+r)输入 regedit HKEY_CLASSES_ROOT \ Installer \ Products \ FEE98B82101540801220FCF3A3907BD7 ...
- windows7自己加载的驱动在注册表中的位置
HKEY_LOVAL_MACHINE->SYSTEM->CurrentControlSet->Services->驱动名
最新文章
- Spring MVC使用拦截器实现权限控制
- 让面试官颤抖的 HTTP 2.0 协议面试题
- c语言中参数的传递方式是,C语言函数的参数及传递方式
- 快来!前端君喊你加入快驾网智囊团
- wpsppt流程图联系效果_| JEAM | 文章精选:大城市收取交通拥堵费的影响与效果
- oracle ocm 考题,2012年10 月oracle 10g ocm 认证 考试 真题 题库
- Hibernate延迟加载策略
- lightNLP:框架功能丰富,开箱即用
- Bailian3255 十进制到六进制【进制】
- 计算两个经纬度之间的距离软件_小程序使用腾讯位置服务计算两地之间的距离(有源码)...
- 静态路由实验:Dynagen-Dynamips + WinPcap + SecureCRT
- Python批量查询恶意地址信息
- word for Mac 符号插入
- 1周前,一个对外挂一无所知的人,在的成长过程(经典推荐)
- java detach_Java Node.detach方法代码示例
- eclipse4.7的tomcat插件安装(三只小猫)
- 获取网易云榜单列表100首音乐
- windows和linux下安装STAF
- 密码学系列之:Argon2加密算法详解
- CentOS防攻击设置
热门文章
- Dell ObjectScale:通往应用现代化的存储捷径
- 《南茜的早晨》与《亡命鸡礼花》的dvd和原声音乐cd……大雅与大俗……Orz
- 搭档之家:“假欧冠决赛”竟1万多人观看,刺不刺激,惊不惊喜,意不意外?
- Windows共享上网的详细设置
- android 静音接口,android 静音方法
- 服务器千兆网卡显示百兆,windows10系统查看网卡是千兆还是百兆的方法
- 解决QT提示No previous extern declaration for non-static variable 'sss'
- [GYCTF2020]Blacklist
- LINUX之静态库共享库
- 《深度学习导论及案例分析》一导读