VC++ source code: bypassing the DNF driver protection, source code explained (Software Engineering)
#include <ntddk.h>

#define ThreadLength  0x190 // length of the original NtOpenThread code to save
#define ProcessLength 0x184 // length of the original NtOpenProcess code to save
#define DeviceLink    L"\\Device\\DNFCracker"
#define SymbolicLink  L"\\DosDevices\\DNFCracker"
#define IOCTL_RESTORE (ULONG)CTL_CODE(FILE_DEVICE_UNKNOWN, 0x886, METHOD_BUFFERED, FILE_ANY_ACCESS)

typedef NTSTATUS (*NTOPENTHREAD)(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN OPTIONAL PCLIENT_ID ClientId);

typedef NTSTATUS (*NTOPENPROCESS)(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId);

typedef struct _SERVICE_DESCRIPTOR_TABLE {
    PVOID  ServiceTableBase;
    PULONG ServiceCounterTableBase;
    ULONG  NumberOfService;
    ULONG  ParamTableBase;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

// Only the declarations of Hook/Unhook appear in the text available here.
VOID Hook();
VOID Unhook();

NTOPENTHREAD  OldThread;
NTOPENPROCESS OldProcess;
ULONG AddrRead, AddrWrite;
// First 16 bytes of the original NtReadVirtualMemory/NtWriteVirtualMemory code
// (as declared, two ULONGs hold 8 bytes)
ULONG OrgRead[2], OrgWrite[2];
// Saved NtOpenThread/NtOpenProcess code
UCHAR MyThread[ThreadLength], MyProcess[ProcessLength];

NTSTATUS MyNtOpenThread(PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess,
                        POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
{
    ACCESS_MASK oDA;
    OBJECT_ATTRIBUTES oOA;
    CLIENT_ID oCID;
    NTSTATUS statusF, statusT;

    oDA = DesiredAccess;
    oOA = *ObjectAttributes;
    oCID = *ClientId;
    // Call the currently installed routine on copies of the arguments, then
    // run the saved copy of the original code and return its result.
    statusF = OldThread(ThreadHandle, oDA, &oOA, &oCID);
    statusT = ((NTOPENTHREAD)MyThread)(ThreadHandle, DesiredAccess, ObjectAttributes, ClientId);
    return statusT;
}

NTSTATUS MyNtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess,
                         POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
{
    ACCESS_MASK oDA;
    OBJECT_ATTRIBUTES oOA;
    CLIENT_ID oCID;
    NTSTATUS statusF, statusT;

    oDA = DesiredAccess;
    oOA = *ObjectAttributes;
    oCID = *ClientId;
    statusF = OldProcess(ProcessHandle, oDA, &oOA, &oCID);
    statusT = ((NTOPENPROCESS)MyProcess)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
    return statusT;
}

NTSTATUS DispatchIoCtrl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    ULONG ioControlCode;
    ULONG inBufLength, outBufLength;
    //PUCHAR InputBuffer, OutputBuffer;
    NTSTATUS status = STATUS_SUCCESS;
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);

    inBufLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
    outBufLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
    ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;

    switch (ioControlCode) {
    case IOCTL_RESTORE:
        //InputBuffer = (PUCHAR)Irp->AssociatedIrp.SystemBuffer;
        //OutputBuffer = (PUCHAR)Irp->AssociatedIrp.SystemBuffer;
        // Restore the first 16 bytes of NtReadVirtualMemory/NtWriteVirtualMemory.
        // The pointer operators were lost in extraction; the double dereference
        // is a reconstruction (Hook(), which sets AddrRead/AddrWrite, is not shown).
        *(PULONG)(*(PULONG)AddrRead) = OrgRead[0];
        *(PULONG)(*(PULONG)AddrRead + 4) = OrgRead[1];
        *(PULONG)(*(PULONG)AddrWrite) = OrgWrite[0];
        *(PULONG)(*(PULONG)AddrWrite + 4) = OrgWrite[1];
        Irp->IoStatus.Information = outBufLength;
        break;
    default:
        DbgPrint("Unknown IOCTL: 0x%X (%04X)", ioControlCode, IoGetFunctionCodeFromCtlCode(ioControlCode));
        status = STATUS_INVALID_PARAMETER;
        Irp->IoStatus.Information = 0;
    }

    // Complete the IRP
    Irp->IoStatus.Status = status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

NTSTATUS DispatchCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    // The IRP must not be touched after completion, so return the constant
    // instead of reading Irp->IoStatus.Status.
    return STATUS_SUCCESS;
}

VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING usLink;
    /*
    ULONG i;
    for (i = 0; i < ThreadLength; i += 4) {
        DbgPrint("%02x %02x %02x %02x\n", MyThread[i], MyThread[i + 1], MyThread[i + 2], MyThread[i + 3]);
        DbgPrint("%02x %02x %02x %02x\n", MyProcess[i], MyProcess[i + 1], MyProcess[i + 2], MyProcess[i + 3]);
    }
    */
    Unhook();
    DbgPrint("DNF Cracker Unloaded");
    RtlInitUnicodeString(&usLink, SymbolicLink);
    IoDeleteSymbolicLink(&usLink);
    IoDeleteDevice(DriverObject->DeviceObject);
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    PDEVICE_OBJECT DvcObj;
    UNICODE_STRING usDevice, usLink;
    PLIST_ENTRY pLE = (PLIST_ENTRY)DriverObject->DriverSection;

    // Hide the driver (unlink its entry from the loaded-module list)
    pLE->Flink->Blink = pLE->Blink;
    pLE->Blink->Flink = pLE->Flink;

    DriverObject->DriverUnload = OnUnload;

    // Create the virtual device
    RtlInitUnicodeString(&usDevice, DeviceLink);
    status = IoCreateDevice(DriverObject, 0, &usDevice, FILE_DEVICE_UNKNOWN, 0, TRUE, &DvcObj);
    if (!NT_SUCCESS(status)) {
        DbgPrint("Failed to create device\n");
        return status;
    }

    // Create the symbolic link
    RtlInitUnicodeString(&usLink, SymbolicLink);
    status = IoCreateSymbolicLink(&usLink, &usDevice);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(DriverObject->DeviceObject);
        DbgPrint("Failed to create symbolic link\n");
        return status;
    }

    // Assign the dispatch routines
    DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =
    DriverObject->MajorFunction[IRP_MJ_CREATE] =
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchCreateClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoCtrl;

    Hook();
    DbgPrint("DNF Cracker Loaded");
    return STATUS_SUCCESS;
}

// OrgRel   original relative jump offset
// CurAbs   absolute address of the current code
// MyAbs    absolute address of the replacement code
// CodeLen  length occupied by the jump instruction
// Returns  the relative address to the replacement code
LONG GetRelAddr(LONG OrgRel, ULONG CurAbs, ULONG MyAbs) //, ULONG CodeLen)
{
    ULONG TrgAbs;
    TrgAbs = CurAbs + OrgRel; // + CodeLen; // target address
    return TrgAbs - MyAbs;
}

// Save the original code of a whole function
// pCode         address of the array that receives the code
// TrgAddr       address of the function to save
// BufferLength  size occupied by the whole function
VOID BufferCode(PUCHAR pCode, ULONG TrgAddr, ULONG BufferLength)
{
    ULONG cAbs, i;
    LONG oRel, cRel;

    memset(pCode, 0x90, BufferLength);
    for (i = 0; i < BufferLength; i++) {
        cAbs = TrgAddr + i;
        pCode[i] = *(PUCHAR)cAbs;
        switch (*(PUCHAR)cAbs) {
        case 0x0F: // JXX NEAR X
            // Part of this condition was lost in extraction. The upper bound,
            // the load of oRel and the first range comparison are rebuilt by
            // analogy with the CALL case below (assumption).
            if (*(PUCHAR)(cAbs + 1) >= 0x80 && *(PUCHAR)(cAbs + 1) <= 0x8F) {
                oRel = *(PLONG)(cAbs + 2);
                if (oRel + cAbs + 6 >= TrgAddr + BufferLength ||
                    oRel + cAbs + 6 < TrgAddr) { // check whether the jump stays within the procedure
                    pCode[i + 1] = *(PUCHAR)(cAbs + 1);
                    cRel = GetRelAddr(oRel, cAbs, (ULONG)pCode + i);
                    memcpy(pCode + i + 2, &cRel, sizeof(LONG));
                    //DbgPrint("JXX: 0x%08X -> 0x%08X", cAbs, (ULONG)pCode + i);
                    i += sizeof(LONG) + 1;
                }
            }
            break;
        case 0xE8: // CALL
            oRel = *(PLONG)(cAbs + 1);
            if (oRel + cAbs + 5 >= TrgAddr + BufferLength ||
                oRel + cAbs + 5 < TrgAddr) { // check whether the jump stays within the procedure
                cRel = GetRelAddr(oRel, cAbs, (ULONG)pCode + i);
                memcpy(pCode + i + 1, &cRel, size