HanDs
管理员

[Visual Studio文章] 提取游戏驱动保护 







思路:     驱动加载时都会调用 IopLoadDriver 这个函数，在该函数 +662 附近有 DriverEntry 和 REGPATH 的调用，所以 HOOK 这个点，在 HOOK 函数里提取出 REGPATH 键下的 ImagePath 值，就是驱动文件路径。因为游戏驱动保护一旦加载起来就会删除驱动文件，XUETR 也是这样；但在 HOOK 这个点时驱动文件还没被删除，所以就可以把文件提取出来。
代码:

#include <ntddk.h>
#include <ntstatus.h>

/* 6-byte patch written over the hook site: an E9 (jmp rel32) whose
 * displacement is filled in by HookFunc, followed by a 90 (nop). The nop
 * presumably pads the 5-byte jmp to the length of the instruction being
 * replaced, which GetSysFile re-executes first -- TODO confirm. */
char  JmpCode[6] = {0xe9,0x00,0x00,0x00,0x00,0x90};
/* Original bytes at the hook site, saved by HookFunc and restored by UnHookFunc. */
char  OldByte[6] = {0};
/* Address being patched; assigned in HookFunc from a hard-coded constant. */
ULONG uHookAddr = 0;
/* Where GetSysFile jumps back to: uHookAddr + 6, the instruction after the patch. */
ULONG JmpBackAddr = 0;
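/*
 * GetSysPath - copy the driver image named by the ImagePath value under
 * pRegPath to the fixed destination \??\C:\1.SYS.
 *
 * pRegPath: registry key of the driver being loaded (the REGPATH that the
 *           GetSysFile trampoline picks out of IopLoadDriver's frame).
 *
 * Returns nothing. Every failure is reported with DbgPrint and unwinds
 * through `cleanup`, so the key handle, both file handles and the two pool
 * allocations are released on all paths (the original never closed the key
 * and leaked pvpi plus an unused 255-byte scratch buffer on every path).
 *
 * The ImagePath value is used verbatim as the source path; a value without
 * an object-manager prefix (a path relative to the system root, or one that
 * still contains an unexpanded %SystemRoot%) makes ZwCreateFile fail, which
 * is reported as "1 Error".
 */
VOID GetSysPath(PUNICODE_STRING pRegPath)
{
        OBJECT_ATTRIBUTES Oa = {0}, Ob = {0}, Oc = {0};
        HANDLE hKey = NULL, hFile = NULL, hFile1 = NULL;
        NTSTATUS status;
        ULONG uSize = 0;
        ULONG uFileSize = 0;
        PKEY_VALUE_PARTIAL_INFORMATION pvpi = NULL;
        UNICODE_STRING uValue = RTL_CONSTANT_STRING(L"ImagePath");
        UNICODE_STRING uFilePath = {0};
        IO_STATUS_BLOCK ib = {0}, ic = {0};
        PVOID data = NULL;
        FILE_STANDARD_INFORMATION fi = {0};
        UNICODE_STRING uNewFile = RTL_CONSTANT_STRING(L"\\??\\C:\\1.SYS");

        InitializeObjectAttributes(&Oa, pRegPath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

        /* Only a value is read, so KEY_READ suffices (the original asked for KEY_ALL_ACCESS). */
        status = ZwOpenKey(&hKey, KEY_READ, &Oa);
        if (!NT_SUCCESS(status))
        {
                DbgPrint("OpenKey Error!");
                return;
        }

        /* Size probe: with a NULL buffer this call is expected to fail and
         * only report the required length in uSize, so uSize is what is checked. */
        ZwQueryValueKey(hKey, &uValue, KeyValuePartialInformation, NULL, 0, &uSize);
        if (uSize == 0)
        {
                DbgPrint("ZwQueryValueKey Error!");
                goto cleanup;
        }

        pvpi = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool, uSize);
        if (pvpi == NULL)
        {
                DbgPrint("ExAllocatePool Error!");
                goto cleanup;
        }
        status = ZwQueryValueKey(hKey, &uValue, KeyValuePartialInformation, pvpi, uSize, &uSize);
        if (!NT_SUCCESS(status))
        {
                DbgPrint("ZwQueryValueKey Error!");
                goto cleanup;
        }

        /* Describe the value by its stored length. RtlInitUnicodeString (as
         * in the original) would scan pvpi->Data for a terminator the
         * registry does not guarantee; the type check rejects non-string data. */
        if ((pvpi->Type != REG_SZ && pvpi->Type != REG_EXPAND_SZ) || pvpi->DataLength > MAXUSHORT)
        {
                DbgPrint("ImagePath type/length Error!");
                goto cleanup;
        }
        uFilePath.Buffer = (PWCHAR)pvpi->Data;
        uFilePath.MaximumLength = (USHORT)pvpi->DataLength;
        uFilePath.Length = (USHORT)pvpi->DataLength;
        /* A terminating NUL stored with the value must not count as part of the name. */
        if (uFilePath.Length >= sizeof(WCHAR) &&
            uFilePath.Buffer[uFilePath.Length / sizeof(WCHAR) - 1] == L'\0')
        {
                uFilePath.Length -= sizeof(WCHAR);
        }
        /* %wZ honours Length; "%S" on the raw buffer relied on the terminator. */
        DbgPrint("%wZ", &uFilePath);

        InitializeObjectAttributes(&Ob, &uFilePath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
        status = ZwCreateFile(&hFile, GENERIC_READ, &Ob, &ib, NULL,
                FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE | FILE_SHARE_READ,
                FILE_OPEN,
                FILE_SYNCHRONOUS_IO_NONALERT,
                NULL, 0);
        if (!NT_SUCCESS(status))
        {
                /* The original executed `int 3` here, which bugchecks any
                 * machine with no kernel debugger attached -- most likely the
                 * "blue screen" the posting attributes to the file being open
                 * exclusively. A failed open is now only reported. */
                DbgPrint("%x", status);
                DbgPrint("1 Error");
                goto cleanup;
        }

        /* Second argument is the IO_STATUS_BLOCK; the original passed &Ob
         * (an OBJECT_ATTRIBUTES) and ignored the status. */
        status = ZwQueryInformationFile(hFile, &ib, &fi, sizeof(fi), FileStandardInformation);
        if (!NT_SUCCESS(status) || fi.EndOfFile.QuadPart <= 0 || fi.EndOfFile.QuadPart > MAXULONG)
        {
                DbgPrint("ZwQueryInformationFile Error!");
                goto cleanup;
        }
        uFileSize = (ULONG)fi.EndOfFile.QuadPart;

        data = ExAllocatePool(PagedPool, uFileSize);
        if (data == NULL)
        {
                DbgPrint("ExAllocatePool Error!");
                goto cleanup;
        }
        status = ZwReadFile(hFile, NULL, NULL, NULL, &ib, data, uFileSize, NULL, NULL);
        if (!NT_SUCCESS(status))
        {
                DbgPrint("%x", status);
                DbgPrint("2 Error");
                goto cleanup;
        }

        InitializeObjectAttributes(&Oc, &uNewFile, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
        /* FILE_OVERWRITE_IF truncates an existing destination; the original
         * FILE_OPEN_IF left the tail of a larger earlier copy in place. */
        status = ZwCreateFile(&hFile1, GENERIC_WRITE, &Oc, &ic, NULL,
                FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE | FILE_SHARE_READ,
                FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
        if (!NT_SUCCESS(status))
        {
                DbgPrint("%x", status);
                DbgPrint("3 Error");
                goto cleanup;
        }
        /* Write what was actually read (ib.Information), not the queried size. */
        status = ZwWriteFile(hFile1, NULL, NULL, NULL, &ic, data, (ULONG)ib.Information, NULL, NULL);
        if (!NT_SUCCESS(status))
        {
                DbgPrint("%x", status);
                DbgPrint("4 Error");
                goto cleanup;
        }
        DbgPrint("%wZ", &uFilePath);

cleanup:
        /* Unlike free(), ExFreePool(NULL) is not a no-op in the kernel, hence the guards. */
        if (hFile1 != NULL) ZwClose(hFile1);
        if (hFile != NULL) ZwClose(hFile);
        if (data != NULL) ExFreePool(data);
        if (pvpi != NULL) ExFreePool(pvpi);
        ZwClose(hKey);
}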

/*
 * GetSysFile - trampoline reached from the patched IopLoadDriver site.
 *
 * Declared naked, so no prologue/epilogue is emitted and ebp is still the
 * interrupted caller's frame pointer when [ebp-0x90] is read. Assumes
 * GetSysPath uses the default __stdcall convention of 32-bit drivers, so
 * the pushed argument is popped by the callee -- TODO confirm.
 * NOTE(review): the declaration has no return type (implicit int); since the
 * function never returns normally, VOID would document it better.
 */
__declspec(naked)GetSysFile()
{
        _asm
        {
                push    dword ptr [ebp-0x90]   // presumably re-executes the 6-byte instruction the jmp overwrote (matches OldByte's length)
                pushad                         // preserve all registers and flags around the C call
                pushfd
                mov eax,dword ptr [ebp-0x90] // regpath: the PUNICODE_STRING the posting says IopLoadDriver passes on to DriverEntry
                push eax
                call GetSysPath
                popfd
                popad
                jmp JmpBackAddr                // resume at uHookAddr + 6 through the JmpBackAddr variable
        }
       

}

/*
 * HookFunc - install the 6-byte inline jmp at IopLoadDriver+663 that
 * diverts execution to GetSysFile.
 *
 * Fills JmpCode's rel32, sets JmpBackAddr, saves the original bytes into
 * OldByte and then writes the patch with CR0.WP cleared.
 * NOTE(review): 0x805810e2 is a hard-coded address for one specific kernel
 * build (the posting says so itself), and the literal is repeated below
 * instead of reusing uHookAddr, so the copies must be kept in sync by hand.
 */
VOID HookFunc()
{



        DbgPrint("Enter The Hook Proc -.-");
        uHookAddr = 0x805810e2; //IopLoadDriver+663
        RtlCopyMemory(OldByte,(VOID*)0x805810e2,6);// save the original 6 bytes at the hook site so UnHookFunc can restore them
        /* rel32 of an E9 jmp is relative to the end of the 5-byte jmp, hence -5. */
        *(ULONG*)(&JmpCode[1]) = (ULONG)GetSysFile - (ULONG)uHookAddr -5;
        JmpBackAddr = uHookAddr +6;
        _asm
        {
                cli                      // NOTE(review): masks interrupts on this CPU only; other CPUs can still run the partly written site
                push eax
                mov eax,cr0
                and eax,not 10000h       // clear CR0.WP (bit 16) so the read-only code page can be written
                mov cr0,eax
                pop eax
        }
        RtlCopyMemory((VOID*)0x805810e2,JmpCode,6);
        _asm
        {
                push eax
                mov eax,cr0
                or eax,10000h            // restore CR0.WP
                mov cr0,eax
                pop eax
                sti
        }
}

/*
 * UnHookFunc - put the bytes saved in OldByte back over the hook site.
 *
 * Mirrors HookFunc: CR0.WP is cleared around the write and restored after.
 * NOTE(review): relies on HookFunc having run first; if it did not, OldByte
 * is all zeros and six zero bytes are written to the hard-coded address.
 * The same hard-coded 0x805810e2 appears here instead of uHookAddr.
 */
VOID UnHookFunc()
{
        _asm
        {
                        cli                      // NOTE(review): this CPU only, as in HookFunc
                        push eax
                        mov eax,cr0
                        and eax,not 10000h       // clear CR0.WP (bit 16)
                        mov cr0,eax
                        pop eax
        }
        RtlCopyMemory((VOID*)0x805810e2,OldByte,6);
        _asm
        {
                        push eax
                        mov eax,cr0
                        or eax,10000h            // restore CR0.WP
                        mov cr0,eax
                        pop eax
                        sti
        }
}
/*
 * Unload - DriverUnload callback.
 *
 * Removes the inline hook before the driver image goes away, then logs.
 * pDriverObj: supplied by the I/O manager; not used.
 */
VOID Unload(PDRIVER_OBJECT pDriverObj)
{
        (void)pDriverObj;

        /* The hook must be gone before this image is unmapped. */
        UnHookFunc();

        DbgPrint("Unload");
}

/*
 * DriverEntry - driver entry point.
 *
 * Installs the IopLoadDriver hook and registers Unload so the hook is
 * removed when the driver is stopped.
 * pDriverObj: driver object from the I/O manager; only DriverUnload is set.
 * pRegPath:   this driver's own registry path; not used.
 * Returns STATUS_SUCCESS unconditionally (HookFunc has no failure result).
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegPath)
{
        (void)pRegPath;

        DbgPrint("Load");

        HookFunc();
        pDriverObj->DriverUnload = Unload;

        return STATUS_SUCCESS;
}

代码存在的问题:
IopLoadDriver 的地址是硬编码的，所以在不同的机器上……
有可能会蓝屏的原因：
如果驱动文件是以独占方式打开的，因为代码里调用了 ZwCreateFile，就会蓝屏。
解决方式：
把线程挂起……

