【最新】过DNF驱动保护的源代码
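switch (ioControlCode) {
case IOCTL_RESTORE:
    // Rewrites the first 8 bytes (two ULONGs) of the routines whose entry
    // pointers are stored at AddrRead / AddrWrite with the bytes saved in
    // OrgRead / OrgWrite.  (The original comment spoke of 16 bytes; only two
    // ULONGs per routine are written here.)
    //
    // Reachability: IOCTL_RESTORE is declared with FILE_ANY_ACCESS and the
    // device is created by IoCreateDevice() with no security descriptor, so
    // any local process that can open the device can trigger these kernel
    // writes.  AddrRead / AddrWrite are plain globals that nothing on this
    // page initialises; treat them as unset until hook installation has run.
    if (AddrRead == 0 || AddrWrite == 0) {
        // Refuse rather than dereference an unset slot pointer, which would
        // bug-check the machine on a request issued from user mode.
        status = STATUS_INVALID_DEVICE_STATE;
        Irp->IoStatus.Information = 0;
        break;
    }
    *(PULONG)(*(PULONG)AddrRead) = OrgRead[0];
    *(PULONG)(*(PULONG)AddrRead + 4) = OrgRead[1];
    *(PULONG)(*(PULONG)AddrWrite) = OrgWrite[0];
    *(PULONG)(*(PULONG)AddrWrite + 4) = OrgWrite[1];
    // METHOD_BUFFERED: the I/O manager copies Information bytes of
    // SystemBuffer back to the caller's output buffer.  Nothing is written
    // into SystemBuffer by this request, so report 0 rather than
    // outBufLength, which would hand the caller whatever the shared buffer
    // already held.
    Irp->IoStatus.Information = 0;
    break;
default:
    DbgPrint("Unknown IOCTL: 0x%X (%04X)", ioControlCode, IoGetFunctionCodeFromCtlCode(ioControlCode));
    status = STATUS_INVALID_PARAMETER;
    Irp->IoStatus.Information = 0;
}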
RtlInitUnicodeString(&usLink, SymbolicLink); IoDeleteSymbolicLink(&usLink); IoDeleteDevice(DriverObject->DeviceObject);
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) { NTSTATUS status; PDEVICE_OBJECT DvcObj; UNICODE_STRING usDevice, usLink; PLIST_ENTRY pLE = (PLIST_ENTRY)DriverObject->DriverSection;
NTSTATUS MyNtOpenThread( PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
{ ACCESS_MASK oDA; OBJECT_ATTRIBUTES oOA; CLIENT_ID oCID; NTSTATUS statusF, statusT;
NTSTATUS DispatchIoCtrl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) {
ULONG ioControlCode; ULONG inBufLength, outBufLength; //PUCHAR InputBuffer, OutputBuffer; NTSTATUS status = STATUS_SUCCESS; PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
// Device and symbolic-link names for the control device created in DriverEntry.
#define DeviceLink L"\\Device\\DNFCracker"
#define SymbolicLink L"\\DosDevices\\DNFCracker"
// Control code handled by DispatchIoCtrl.  Two things to note:
//  - FILE_ANY_ACCESS: any handle to the device may issue it, and the device is
//    created with IoCreateDevice() (no security descriptor), so the handler's
//    kernel writes are reachable from unprivileged user mode.
//  - CTL_CODE takes four arguments (DeviceType, Function, Method, Access); as
//    printed here it has three, so the function-code argument appears to have
//    been lost in extraction.
#define IOCTL_RESTORE (ULONG)CTL_CODE(FILE_DEVICE_UNKNOWN, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Function-pointer type with the NtOpenProcess native signature.  MyNtOpenProcess
// calls the saved original through OldProcess and the copied body through
// (NTOPENPROCESS)MyProcess.
typedef NTSTATUS (* NTOPENPROCESS)(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId );
PCLIENT_ID ClientId)
{
ACCESS_MASK oDA;
OBJECT_ATTRIBUTES oOA;
CLIENT_ID oCID;
NTSTATUS statusF, statusT;
oDA = DesiredAccess;
DesiredAccess,
oOA = *ObjectAttributes; oCID = *ClientId;
// Install / remove the patches.  Neither routine is defined on this page; the
// empty parameter lists are old-style declarations, `(void)` would be the
// prototype form.
VOID Hook();
VOID Unhook();
NTOPENTHREAD OldThread;     // original NtOpenThread entry, called by MyNtOpenThread; presumably set by Hook() (not on this page)
NTOPENPROCESS OldProcess;   // original NtOpenProcess entry, called by MyNtOpenProcess; presumably set by Hook() (not on this page)
// Addresses of the slots holding the NtReadVirtualMemory / NtWriteVirtualMemory
// entry pointers: DispatchIoCtrl dereferences each twice and writes through the
// result.  Nothing on this page initialises them.
ULONG AddrRead, AddrWrite;
// Saved first bytes of the original NtReadVirtualMemory / NtWriteVirtualMemory
// code (the original comment says 16 bytes; two ULONGs hold 8 per routine).
ULONG OrgRead[2], OrgWrite[2];
// Saved copies of the NtOpenThread / NtOpenProcess bodies; MyNtOpenThread and
// MyNtOpenProcess cast these data arrays to function pointers and call them.
UCHAR MyThread[ThreadLength], MyProcess[ProcessLength];
0x886,
// Function-pointer type with the NtOpenThread native signature.  MyNtOpenThread
// calls the saved original through OldThread and the copied body through
// (NTOPENTHREAD)MyThread.
typedef NTSTATUS (* NTOPENTHREAD)(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN OPTIONAL PCLIENT_ID ClientId );
DbgPrint("%02x %02x %02x %02x\n", MyThread, MyThread[i + 1], MyThread[i + 2], MyThread[i + 3]);
DbgPrint("%02x %02x %02x %02x\n", MyProcess, MyProcess[i + 1], MyProcess[i + 2], MyProcess[i + 3]); } */ Unhook(); DbgPrint("DNF Cracker Unloaded!");
inBufLength = irpStack->Parameters.DeviceIoControl.InputBufferLength; outBufLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength; ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
ObjectAttributes, ClientId);
return statusT;
}
NTSTATUS MyNtOpenProcess(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
//隐藏驱动 pLE->Flink->Blink = pLE->Blink; pLE->Blink->Flink = pLE->Flink;
DriverObject->DriverUnload = OnUnload;
//创建虚拟设备 RtlInitUnicodeString(&usDevice, DeviceLink); status = IoCreateDevice(DriverObject, 0, &usDevice, FILE_DEVICE_UNKNOWN, 0, TRUE, &DvcObj); if (!NT_SUCCESS(status)) {
DriverObject->MajorFunction[IRP_MJ_CREATE] = DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchCreateClose; DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoCtrl;
IoCompleteRequest(Irp, IO_NO_INCREMENT); return Irp->IoStatus.Status; }
VOID OnUnload(IN PDRIVER_OBJECT DriverObject) { UNICODE_STRING usLink; /*ULONG i; for (i = 0; i < ThreadLength; i += 4) {
oDA = DesiredAccess; oOA = *ObjectAttributes; oCID = *ClientId;
statusF = OldThread(ThreadHandle, oDA, &oOA, &oCID);
statusT
=
((NTOPENTHREAD)MyThread)(ThreadHandle,
IoDeleteDevice(DriverObject->DeviceObject); DbgPrint("Failed to create symbolic link!\n");
return status; }
//调度函数分配 DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =
DbgPrint("Failed to create device!\n"); return status; }
//创建符号链接 RtlInitUnicodeString(&usLink, SymbolicLink);
status = IoCreateSymbolicLink(&usLink, &usDevice); if (!NT_SUCCESS(status)) {
// Service descriptor table layout as this driver expects it.  The field names
// and ULONG widths are this file's own definition rather than an SDK header and
// are consistent with a 32-bit target.  KeServiceDescriptorTable is declared
// extern but not referenced anywhere on this page (presumably used by Hook(),
// which is not shown).
typedef struct _SERVICE_DESCRIPTOR_TABLE {
    PVOID ServiceTableBase;            // base of the service routine table
    PULONG ServiceCounterTableBase;    // per-service counters; meaning not established by this file
    ULONG NumberOfService;             // entry count of ServiceTableBase
    ULONG ParamTableBase;              // argument-size table; held as ULONG here, not a pointer
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
过 DNF 驱动保护的文源代码(vc)
#include "ntddk.h"
#define ThreadLength 0x190   // number of bytes of the original NtOpenThread code to save (size of MyThread[])
#define ProcessLength 0x184  // number of bytes of the original NtOpenProcess code to save (size of MyProcess[])
//完成 IRP Irp->IoStatus.Status = status;
IoCompleteRequest(Irp, IO_NO_INCREMENT); return status;
}
NTSTATUS DispatchCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) { Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0;
statusF = OldProcess(ProcessHandle, oDA, &oOA, &oCID); statusT = ((NTOPENPROCESS)MyProcess)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId); return statusT; }
case IOCTL_RESTORE: //InputBuffer = (PUCHAR)Irp->AssociatedIrp.SystemBuffer; //OutputBuffer = (PUCHAR)Irp->AssociatedIrp.SystemBuffer; //恢复 NtReadVirtualMemory/NtWriteVirtualMemory 前 16 字节 *(PULONG)(*(PULONG)AddrRead) = OrgRead[0]; *(PULONG)(*(PULONG)AddrRead + 4) = OrgRead[1]; *(PULONG)(*(PULONG)AddrWrite) = OrgWrite[0]; *(PULONG)(*(PULONG)AddrWrite + 4) = OrgWrite[1]; Irp->IoStatus.Information = outBufLength; break; default: DbgPrint("Unknown IOCTL: 0x%X (%04X)", ioControlCode, IoGetFunctionCodeFromCtlCode(ioControlCode)); status = STATUS_INVALID_PARAMETER; Irp->IoStatus.Information = 0; }
RtlInitUnicodeString(&usLink, SymbolicLink); IoDeleteSymbolicLink(&usLink); IoDeleteDevice(DriverObject->DeviceObject);
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) { NTSTATUS status; PDEVICE_OBJECT DvcObj; UNICODE_STRING usDevice, usLink; PLIST_ENTRY pLE = (PLIST_ENTRY)DriverObject->DriverSection;
NTSTATUS MyNtOpenThread( PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
{ ACCESS_MASK oDA; OBJECT_ATTRIBUTES oOA; CLIENT_ID oCID; NTSTATUS statusF, statusT;
NTSTATUS DispatchIoCtrl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) {
ULONG ioControlCode; ULONG inBufLength, outBufLength; //PUCHAR InputBuffer, OutputBuffer; NTSTATUS status = STATUS_SUCCESS; PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
// Device and symbolic-link names for the control device created in DriverEntry.
#define DeviceLink L"\\Device\\DNFCracker"
#define SymbolicLink L"\\DosDevices\\DNFCracker"
// Control code handled by DispatchIoCtrl.  Two things to note:
//  - FILE_ANY_ACCESS: any handle to the device may issue it, and the device is
//    created with IoCreateDevice() (no security descriptor), so the handler's
//    kernel writes are reachable from unprivileged user mode.
//  - CTL_CODE takes four arguments (DeviceType, Function, Method, Access); as
//    printed here it has three, so the function-code argument appears to have
//    been lost in extraction.
#define IOCTL_RESTORE (ULONG)CTL_CODE(FILE_DEVICE_UNKNOWN, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Function-pointer type with the NtOpenProcess native signature.  MyNtOpenProcess
// calls the saved original through OldProcess and the copied body through
// (NTOPENPROCESS)MyProcess.
typedef NTSTATUS (* NTOPENPROCESS)(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId );
PCLIENT_ID ClientId)
{
ACCESS_MASK oDA;
OBJECT_ATTRIBUTES oOA;
CLIENT_ID oCID;
NTSTATUS statusF, statusT;
oDA = DesiredAccess;
DesiredAccess,
oOA = *ObjectAttributes; oCID = *ClientId;
// Install / remove the patches.  Neither routine is defined on this page; the
// empty parameter lists are old-style declarations, `(void)` would be the
// prototype form.
VOID Hook();
VOID Unhook();
NTOPENTHREAD OldThread;     // original NtOpenThread entry, called by MyNtOpenThread; presumably set by Hook() (not on this page)
NTOPENPROCESS OldProcess;   // original NtOpenProcess entry, called by MyNtOpenProcess; presumably set by Hook() (not on this page)
// Addresses of the slots holding the NtReadVirtualMemory / NtWriteVirtualMemory
// entry pointers: DispatchIoCtrl dereferences each twice and writes through the
// result.  Nothing on this page initialises them.
ULONG AddrRead, AddrWrite;
// Saved first bytes of the original NtReadVirtualMemory / NtWriteVirtualMemory
// code (the original comment says 16 bytes; two ULONGs hold 8 per routine).
ULONG OrgRead[2], OrgWrite[2];
// Saved copies of the NtOpenThread / NtOpenProcess bodies; MyNtOpenThread and
// MyNtOpenProcess cast these data arrays to function pointers and call them.
UCHAR MyThread[ThreadLength], MyProcess[ProcessLength];
0x886,
// Function-pointer type with the NtOpenThread native signature.  MyNtOpenThread
// calls the saved original through OldThread and the copied body through
// (NTOPENTHREAD)MyThread.
typedef NTSTATUS (* NTOPENTHREAD)(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN OPTIONAL PCLIENT_ID ClientId );
DbgPrint("%02x %02x %02x %02x\n", MyThread, MyThread[i + 1], MyThread[i + 2], MyThread[i + 3]);
DbgPrint("%02x %02x %02x %02x\n", MyProcess, MyProcess[i + 1], MyProcess[i + 2], MyProcess[i + 3]); } */ Unhook(); DbgPrint("DNF Cracker Unloaded!");
inBufLength = irpStack->Parameters.DeviceIoControl.InputBufferLength; outBufLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength; ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
ObjectAttributes, ClientId);
return statusT;
}
NTSTATUS MyNtOpenProcess(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
//隐藏驱动 pLE->Flink->Blink = pLE->Blink; pLE->Blink->Flink = pLE->Flink;
DriverObject->DriverUnload = OnUnload;
//创建虚拟设备 RtlInitUnicodeString(&usDevice, DeviceLink); status = IoCreateDevice(DriverObject, 0, &usDevice, FILE_DEVICE_UNKNOWN, 0, TRUE, &DvcObj); if (!NT_SUCCESS(status)) {
DriverObject->MajorFunction[IRP_MJ_CREATE] = DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchCreateClose; DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoCtrl;
IoCompleteRequest(Irp, IO_NO_INCREMENT); return Irp->IoStatus.Status; }
VOID OnUnload(IN PDRIVER_OBJECT DriverObject) { UNICODE_STRING usLink; /*ULONG i; for (i = 0; i < ThreadLength; i += 4) {
oDA = DesiredAccess; oOA = *ObjectAttributes; oCID = *ClientId;
statusF = OldThread(ThreadHandle, oDA, &oOA, &oCID);
statusT
=
((NTOPENTHREAD)MyThread)(ThreadHandle,
IoDeleteDevice(DriverObject->DeviceObject); DbgPrint("Failed to create symbolic link!\n");
return status; }
//调度函数分配 DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =
DbgPrint("Failed to create device!\n"); return status; }
//创建符号链接 RtlInitUnicodeString(&usLink, SymbolicLink);
status = IoCreateSymbolicLink(&usLink, &usDevice); if (!NT_SUCCESS(status)) {
// Service descriptor table layout as this driver expects it.  The field names
// and ULONG widths are this file's own definition rather than an SDK header and
// are consistent with a 32-bit target.  KeServiceDescriptorTable is declared
// extern but not referenced anywhere on this page (presumably used by Hook(),
// which is not shown).
typedef struct _SERVICE_DESCRIPTOR_TABLE {
    PVOID ServiceTableBase;            // base of the service routine table
    PULONG ServiceCounterTableBase;    // per-service counters; meaning not established by this file
    ULONG NumberOfService;             // entry count of ServiceTableBase
    ULONG ParamTableBase;              // argument-size table; held as ULONG here, not a pointer
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
过 DNF 驱动保护的文源代码(vc)
#include "ntddk.h"
#define ThreadLength 0x190   // number of bytes of the original NtOpenThread code to save (size of MyThread[])
#define ProcessLength 0x184  // number of bytes of the original NtOpenProcess code to save (size of MyProcess[])
//完成 IRP Irp->IoStatus.Status = status;
IoCompleteRequest(Irp, IO_NO_INCREMENT); return status;
}
NTSTATUS DispatchCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) { Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0;
statusF = OldProcess(ProcessHandle, oDA, &oOA, &oCID); statusT = ((NTOPENPROCESS)MyProcess)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId); return statusT; }