怼DNF驱动保护-读写代码
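// Physical address of the target process's PML4 (its DirectoryTableBase / CR3
// value) as captured by ProcessCallBack; stays 0 until a matching process is seen.
SIZE_T dxf_pml4_entry = 0;
// Snapshot of the target's PML4 page. ProcessCallBack memcpy()s PAGE_SIZE bytes
// into this, so it must be a full page (512 x 8-byte PML4Es). The original
// declared it as a single SIZE_T, which that memcpy overran by 4088 bytes.
SIZE_T pml4_table[PAGE_SIZE / sizeof(SIZE_T)] = { 0 };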
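// Process create/exit notify routine (installed by FuckDxf through
// PsSetCreateProcessNotifyRoutine). On creation of a process whose lower-cased
// image path contains "dnf.exe" it stores the process's page-directory physical
// address in dxf_pml4_entry and copies the whole PML4 page into pml4_table.
//
// hParentId  - creator's process id (unused).
// hProcessId - id of the process being created or exiting.
// bCreate    - TRUE on creation, FALSE on exit; only creation is handled.
VOID ProcessCallBack(
    IN HANDLE hParentId,
    IN HANDLE hProcessId,
    IN BOOLEAN bCreate)
{
    UNREFERENCED_PARAMETER(hParentId);
    if (!bCreate)
    {
        return;
    }

    PEPROCESS EProcess = NULL;
    // PsLookupProcessByProcessId returns a referenced EPROCESS; it has to be
    // released with ObDereferenceObject on every path (the original never did,
    // leaking one reference per matching lookup).
    if (!NT_SUCCESS(PsLookupProcessByProcessId(hProcessId, &EProcess)))
    {
        return;
    }

    auto ImageName = ddk::Nt_Util::GetProcessFullName(EProcess);
    std::transform(ImageName.begin(), ImageName.end(), ImageName.begin(), towlower);
    // NOTE: this is a substring match, so any path containing "dnf.exe"
    // (e.g. "xdnf.exe") also matches; compare the basename if that matters.
    if (ImageName.find(XOR_STRING_W(L"dnf.exe")) != std::wstring::npos)
    {
        LOG_DEBUG("%S\r\n", ImageName.c_str());

        // KPROCESS.DirectoryTableBase holds the CR3 value. Bits 0-11 are not
        // part of the PML4 physical address (they carry the PCID when
        // CR4.PCIDE=1, otherwise PWT/PCD), so mask them before using it as a PA.
        SIZE_T pml4_entry = *reinterpret_cast<SIZE_T*>(reinterpret_cast<SIZE_T>(EProcess) + GetDirectoryTableBase());
        pml4_entry &= ~static_cast<SIZE_T>(0xFFF);
        dxf_pml4_entry = pml4_entry;

        PHYSICAL_ADDRESS pml4 = { 0ull };
        pml4.QuadPart = pml4_entry;
        // Map the whole PML4 page (512 x 8-byte PML4Es) and snapshot it.
        // NOTE: the kernel already maps this RAM cached; mapping it MmNonCached
        // is a cache-attribute conflict. The original author's own note
        // suggests attaching to the process (KeStackAttachProcess) instead.
        PVOID pml4_map_table = MmMapIoSpace(pml4, PAGE_SIZE, MmNonCached);
        if (pml4_map_table)
        {
            // pml4_table must be a PAGE_SIZE-byte buffer (512 entries).
            memcpy(pml4_table, pml4_map_table, PAGE_SIZE);
            MmUnmapIoSpace(pml4_map_table, PAGE_SIZE);
        }
        else
        {
            // The original dereferenced the NULL mapping here.
            LOG_DEBUG("MmMapIoSpace(pml4 %llx) failed\r\n", pml4_entry);
        }
    }

    ObDereferenceObject(EProcess);
}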
//PML4T (Page Map Level 4 Table) and the PML4E entries inside it: each table is 4K and holds 512 8-byte PML4Es.
//Logs the entry each paging level resolves to for a given virtual address.
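// x86-64 4-level paging constants (Intel SDM vol. 3A, sec. 4.5).
static const SIZE_T kPageFrameMask = 0x000FFFFFFFFFF000ull; // PA bits 12..51 (MAXPHYADDR <= 52)
static const SIZE_T kPtePresent    = 1ull << 0;             // P bit, meaningful at every level
static const SIZE_T kPtePageSize   = 1ull << 7;             // PS bit: 1 GB page in a PDPTE, 2 MB page in a PDE
static const SIZE_T kEntrySize     = sizeof(SIZE_T);        // every paging entry is 8 bytes

// Map the 8-byte paging-structure entry at physical address pa and read it.
//
// pa    - physical address of the entry (table base + index * 8).
// value - receives the entry on success.
//
// Returns STATUS_MEMORY_NOT_ALLOCATED if the page cannot be mapped.
// NOTE: the kernel already maps paging structures cached; mapping them
// MmNonCached (kept from the original) is a cache-attribute conflict. Reading
// through the paging self-map from an attached process is the cleaner route.
static NTSTATUS ReadPagingEntry(SIZE_T pa, SIZE_T* value)
{
    PHYSICAL_ADDRESS phys = { 0ull };
    phys.QuadPart = pa;
    PVOID mapped = MmMapIoSpace(phys, kEntrySize, MmNonCached);
    LOG_DEBUG("Memory: entry %llx map virtual_address : %llx", pa, mapped);
    if (!mapped)
    {
        return STATUS_MEMORY_NOT_ALLOCATED;
    }
    *value = *reinterpret_cast<SIZE_T*>(mapped);
    MmUnmapIoSpace(mapped, kEntrySize);
    return STATUS_SUCCESS;
}

// Walk the 4-level page tables rooted at DirectoryTableBase for
// virtual_address, logging the entry at each level, and optionally return the
// resulting physical address.
//
// virtual_address    - address to translate in the address space rooted at
//                      DirectoryTableBase. Only its bits are decoded; it is never
//                      dereferenced. (The original cast the address itself to a
//                      VIR_ADDRESS* and read through it, i.e. it read memory AT
//                      the target address in the current context.)
// DirectoryTableBase - CR3 / KPROCESS.DirectoryTableBase of the target; bits
//                      0..11 (PCID or PWT/PCD) are masked off.
// physical_address   - optional; receives frame | page offset on success.
//
// Returns STATUS_SUCCESS; STATUS_MEMORY_NOT_ALLOCATED if a paging page could not
// be mapped; STATUS_INVALID_ADDRESS if an entry on the path is not present (the
// original followed whatever bits a non-present entry held). 1 GB (PDPTE.PS)
// and 2 MB (PDE.PS) pages end the walk early; the original treated them as
// pointers to a further table. Frame masks cover bits 12..51 rather than the
// original 12..39, which truncated physical addresses at 1 TB.
NTSTATUS GetMemoryPageValue(SIZE_T virtual_address, SIZE_T DirectoryTableBase, SIZE_T* physical_address)
{
    const UINT32 pml4_index = static_cast<UINT32>((virtual_address >> 39) & 0x1ff);
    const UINT32 pdpt_index = static_cast<UINT32>((virtual_address >> 30) & 0x1ff);
    const UINT32 pd_index   = static_cast<UINT32>((virtual_address >> 21) & 0x1ff);
    const UINT32 pt_index   = static_cast<UINT32>((virtual_address >> 12) & 0x1ff);

    // Level 4: PML4
    const SIZE_T pml4_base = DirectoryTableBase & kPageFrameMask;
    LOG_DEBUG("Memory: pml4 Entry : %llx", pml4_base);
    LOG_DEBUG("Memory: pml4 index : %lx", pml4_index);
    SIZE_T pml4_value = 0;
    NTSTATUS status = ReadPagingEntry(pml4_base + pml4_index * kEntrySize, &pml4_value);
    if (!NT_SUCCESS(status))
    {
        return status;
    }
    LOG_DEBUG("Memory: pml4 value : %llx", pml4_value);
    if (!(pml4_value & kPtePresent))
    {
        return STATUS_INVALID_ADDRESS;
    }

    // Level 3: PDPT
    const SIZE_T pdpt_base = pml4_value & kPageFrameMask;
    LOG_DEBUG("Memory: pdpt Entry : %llx", pdpt_base);
    LOG_DEBUG("Memory: pdpt index : %lx", pdpt_index);
    SIZE_T pdpt_value = 0;
    status = ReadPagingEntry(pdpt_base + pdpt_index * kEntrySize, &pdpt_value);
    if (!NT_SUCCESS(status))
    {
        return status;
    }
    LOG_DEBUG("Memory: pdpt value : %llx", pdpt_value);
    if (!(pdpt_value & kPtePresent))
    {
        return STATUS_INVALID_ADDRESS;
    }
    if (pdpt_value & kPtePageSize)
    {
        // 1 GB page: PDPTE bits 30..51 are the frame, VA bits 0..29 the offset
        // (bit 12 of the entry is PAT, not an address bit, hence the extra mask).
        const SIZE_T offset_mask = (1ull << 30) - 1;
        const SIZE_T physical = (pdpt_value & kPageFrameMask & ~offset_mask) | (virtual_address & offset_mask);
        LOG_DEBUG("Memory: 1GB page physical_address : %llx", physical);
        if (physical_address)
        {
            *physical_address = physical;
        }
        return STATUS_SUCCESS;
    }

    // Level 2: PD
    const SIZE_T pd_base = pdpt_value & kPageFrameMask;
    LOG_DEBUG("Memory: pd Entry : %llx", pd_base);
    LOG_DEBUG("Memory: pd index : %lx", pd_index);
    SIZE_T pd_value = 0;
    status = ReadPagingEntry(pd_base + pd_index * kEntrySize, &pd_value);
    if (!NT_SUCCESS(status))
    {
        return status;
    }
    LOG_DEBUG("Memory: pd value : %llx", pd_value);
    if (!(pd_value & kPtePresent))
    {
        return STATUS_INVALID_ADDRESS;
    }
    if (pd_value & kPtePageSize)
    {
        // 2 MB page: PDE bits 21..51 are the frame, VA bits 0..20 the offset.
        const SIZE_T offset_mask = (1ull << 21) - 1;
        const SIZE_T physical = (pd_value & kPageFrameMask & ~offset_mask) | (virtual_address & offset_mask);
        LOG_DEBUG("Memory: 2MB page physical_address : %llx", physical);
        if (physical_address)
        {
            *physical_address = physical;
        }
        return STATUS_SUCCESS;
    }

    // Level 1: PT
    const SIZE_T pt_base = pd_value & kPageFrameMask;
    LOG_DEBUG("Memory: pt Entry : %llx", pt_base);
    LOG_DEBUG("Memory: pt index : %lx", pt_index);
    SIZE_T pt_value = 0;
    status = ReadPagingEntry(pt_base + pt_index * kEntrySize, &pt_value);
    if (!NT_SUCCESS(status))
    {
        return status;
    }
    LOG_DEBUG("Memory: pt value : %llx", pt_value);
    if (!(pt_value & kPtePresent))
    {
        return STATUS_INVALID_ADDRESS;
    }

    // 4 KB page: frame from the PTE plus the 12-bit page offset, which the
    // original's "PageOffset" comment described but never added.
    const SIZE_T physical = (pt_value & kPageFrameMask) | (virtual_address & 0xfff);
    LOG_DEBUG("Memory: physical_address : %llx", physical);
    if (physical_address)
    {
        *physical_address = physical;
    }
    return STATUS_SUCCESS;
}

// Original two-argument form, kept for existing callers: walk and log only.
NTSTATUS GetMemoryPageValue(SIZE_T virtual_address, SIZE_T DirectoryTableBase)
{
    return GetMemoryPageValue(virtual_address, DirectoryTableBase, NULL);
}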
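// Install ProcessCallBack as a process create/exit notify routine.
// PsSetCreateProcessNotifyRoutine's second argument is Remove: FALSE registers,
// TRUE removes (the original comment described it as "start monitoring").
// The original discarded the status, so a failed registration (e.g. the
// notify-routine table is full -> STATUS_INVALID_PARAMETER) went unnoticed and
// UnFuckDxf later tried to remove a routine that was never installed. The
// failure is now logged; the VOID signature is kept for existing callers.
VOID FuckDxf()
{
    const NTSTATUS status = PsSetCreateProcessNotifyRoutine(ProcessCallBack, FALSE);
    if (!NT_SUCCESS(status))
    {
        LOG_DEBUG("PsSetCreateProcessNotifyRoutine(register) failed: %lx\r\n", status);
    }
}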
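// Remove ProcessCallBack (Remove = TRUE). The original ignored the status; it
// is now logged so the unload path can tell whether the routine is actually
// gone -- a notify routine left installed past driver unload is dereferenced
// by the kernel on the next process event.
VOID UnFuckDxf()
{
    const NTSTATUS status = PsSetCreateProcessNotifyRoutine(ProcessCallBack, TRUE);
    if (!NT_SUCCESS(status))
    {
        LOG_DEBUG("PsSetCreateProcessNotifyRoutine(remove) failed: %lx\r\n", status);
    }
}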
啦看看老师 我爱代码论坛这是个好地方!
546 为什么这么牛逼