搞下NP的小JJ
C语言: 搞下NP的小JJ
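/*
 * Process create/exit callback registered by installHook().
 *
 * On creation: look up the EPROCESS for ProcessId and, if the image name
 * stored at ProcessNameOffset starts with "GameMon", record the XOR-masked
 * PID in gameMonProcId so NewIopXxxCF knows which caller to act on.
 * On exit of that PID: forget it and call resetParams().
 *
 * Fixes vs. the original:
 *  - the original called PsLookupProcessByProcessId on BOTH paths but only
 *    dereferenced the EPROCESS on the Create path, leaking one object
 *    reference per process exit. The lookup is now done only when needed.
 *  - the lookup's NTSTATUS is checked instead of relying on the out
 *    parameter staying NULL on failure.
 *  - restores `&currentEP` (the listing had it mangled to `¤tEP`).
 *
 * Security notes: the match is by image file name only, which any local
 * user can satisfy by naming an executable "GameMon...". Whatever process
 * wins that name gets the privileged treatment in NewIopXxxCF. The XOR with
 * 0x1337 is obfuscation, not protection. strncmp on the EPROCESS image-name
 * field depends on ProcessNameOffset (GetProcessNameOffset) being right for
 * this kernel build; a wrong offset compares unrelated memory.
 */
void CreateProcessNotifyRoutine(IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create)
{
    unsigned long procID = ((unsigned long)ProcessId) ^ 0x1337;

    (void)ParentId;

    if (!Create) {
        /* Exit path: only the tracked PID matters; no EPROCESS needed. */
        if (procID == gameMonProcId) {
            gameMonProcId = -1;
            DbgPrint("Removed");
            resetParams();
        }
        return;
    }

    {
        PEPROCESS currentEP = NULL;
        NTSTATUS status = PsLookupProcessByProcessId(ProcessId, &currentEP);

        if (!NT_SUCCESS(status) || currentEP == NULL)
            return;

        if (strncmp((char *)currentEP + ProcessNameOffset, "GameMon", 7) == 0) {
            DbgPrint("Got GameMon");
            gameMonProcId = procID;
        }

        /* Drop the reference PsLookupProcessByProcessId took. */
        ObDereferenceObject(currentEP);
    }
}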
023
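/*
 * Patch the 7 bytes at IopXxxCFAddress (resolved in DriverEntry) with
 * `jmp NewIopXxxCF` + two NOPs, saving the original bytes in
 * originalIopXxxCFBytes for removeHook(). Also registers
 * CreateProcessNotifyRoutine so the hook learns which PID to act on.
 *
 * Returns STATUS_SUCCESS, STATUS_UNSUCCESSFUL when no hook site was
 * resolved, or the NTSTATUS from PsSetCreateProcessNotifyRoutine when
 * registration fails.
 *
 * Fix vs. the original: the registration status was ignored, so a failure
 * left Initialized = true with a live code patch and no callback. The
 * callback is now registered BEFORE the patch; if that fails nothing has
 * been modified and the function returns the error.
 *
 * Stability/security caveats that are NOT fixed here:
 *  - `cli` masks interrupts on the current CPU only. On a multiprocessor
 *    system another CPU can execute the 7 bytes while memcpy rewrites
 *    them; the patch is not atomic and can run a torn instruction.
 *  - Clearing CR0.WP to write kernel code bypasses the page protection that
 *    exists to prevent exactly this; the supported way is an MDL mapped
 *    with write access. This is 32-bit-only code (inline __asm).
 *  - `xor eax,0x10000` assumes WP was set on entry (true on Windows).
 */
NTSTATUS installHook()
{
    unsigned char toMove[7];
    NTSTATUS status;

    if (!IopXxxCFAddress)
        return STATUS_UNSUCCESSFUL;

    /* Register first so a failure leaves no half-installed state. */
    status = PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine, false);
    if (!NT_SUCCESS(status))
        return status;

    memcpy(originalIopXxxCFBytes, (void *)IopXxxCFAddress, 7); /* store original AOB for unhook */

    toMove[0] = 0xe9;                                            /* jmp rel32 */
    *(unsigned *)&toMove[1] = JMP(IopXxxCFAddress, NewIopXxxCF);  /* displacement to the detour */
    *(short *)&toMove[5] = 0x9090;                               /* fill the 7-byte site with two NOPs */

    __asm {
        cli
        mov eax, CR0
        and eax, not 0x10000
        mov CR0, eax
    }
    memcpy((void *)IopXxxCFAddress, toMove, 7);
    __asm {
        mov eax, CR0
        xor eax, 0x10000
        mov CR0, eax
        sti
    }

    Initialized = true;
    return STATUS_SUCCESS;
}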
052
/*
 * Undo installHook(): write the saved 7 original bytes back over the
 * detour, reset hook state, clear Initialized and unregister the process
 * notify callback. Returns STATUS_UNSUCCESSFUL if no hook site was
 * resolved (nothing to undo).
 *
 * The CR0.WP / cli dance mirrors installHook() and has the same problems:
 * cli is per-CPU, so another processor may execute the bytes mid-rewrite,
 * and the restore is not atomic.
 *
 * NOTE(review): nothing here waits for threads that are currently inside
 * NewIopXxxCF / OldIopXxxCF. Unhooking (and then unloading) while such a
 * thread is running will execute freed driver code. The return value of
 * PsSetCreateProcessNotifyRoutine(..., true) is also not checked.
 */
NTSTATUS removeHook() {
if(IopXxxCFAddress){

/* Disable interrupts on this CPU and clear CR0.WP so kernel code is writable. */
__asm {
cli
mov eax,CR0
and eax,not 0x10000
mov CR0,eax
}
memcpy((void*)IopXxxCFAddress,originalIopXxxCFBytes,7); //unhook using stored AOB
/* Re-set WP (assumes it was set before) and re-enable interrupts. */
__asm {
mov eax,CR0
xor eax,0x10000
mov CR0,eax
sti
}
resetParams();
Initialized = false;
/* true = remove the callback registered in installHook(). */
PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine,true);

return STATUS_SUCCESS;
}
return STATUS_UNSUCCESSFUL;
}
077
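/*
 * Load dump.bin (memoryNameBuffer) into memoryBuffer on first use.
 * Returns TRUE when memoryBuffer holds allocatedSize bytes covering the
 * address range [minAddr, maxAddr). On any failure memoryBuffer stays NULL,
 * allocatedSize is 0 and maxAddr == minAddr, so no range check can pass.
 *
 * Fixes vs. the original inline code: ZwQueryInformationFile and ZwReadFile
 * statuses are checked, a short read does not leave a half-filled buffer,
 * an empty file is not allocated as 0 bytes, the handle is closed on every
 * path, and ZwClose receives the handle itself (the original passed &hfile
 * and leaked the handle).
 */
static BOOLEAN loadDumpFile(void)
{
    NTSTATUS status;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK iostatus;
    FILE_STANDARD_INFORMATION si;
    HANDLE hfile = NULL;

    if (memoryBuffer != NULL)
        return TRUE;

    RtlInitUnicodeString(&memoryNameUnicodeString, memoryNameBuffer);
    InitializeObjectAttributes(&oa, &memoryNameUnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL);
    status = ZwCreateFile(&hfile, GENERIC_READ, &oa, &iostatus, NULL, 0, FILE_SHARE_READ,
                          FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
    if (!NT_SUCCESS(status)) {
        DbgPrint("Error: dump.bin is missing");
        return FALSE;
    }

    status = ZwQueryInformationFile(hfile, &iostatus, &si, sizeof(si), FileStandardInformation);
    /* Accept only a non-empty file whose size fits the 32-bit LowPart. */
    if (NT_SUCCESS(status) && si.EndOfFile.HighPart == 0 && si.EndOfFile.LowPart != 0) {
        allocatedSize = si.EndOfFile.LowPart;
        memoryBuffer = ExAllocatePoolWithTag(PagedPool, allocatedSize, 'KiKi');
        if (memoryBuffer != NULL) {
            status = ZwReadFile(hfile, NULL, NULL, NULL, &iostatus, memoryBuffer, allocatedSize, NULL, NULL);
            if (!NT_SUCCESS(status) || iostatus.Information != allocatedSize) {
                /* Short or failed read: never serve a partially filled buffer. */
                ExFreePoolWithTag(memoryBuffer, 'KiKi');
                memoryBuffer = NULL;
            }
        }
    }
    ZwClose(hfile);

    if (memoryBuffer == NULL) {
        allocatedSize = 0;
        maxAddr = minAddr;
        return FALSE;
    }
    maxAddr = minAddr + allocatedSize;
    return TRUE;
}

/*
 * Remember which process handle refers to MapleStory, preserving the
 * original two-step rule: the first matching handle is only recorded in
 * firstHandle; a later, DIFFERENT matching handle becomes mapleProcHandle.
 *
 * Fix vs. the original: the handle is referenced with UserMode and the
 * minimum right this code needs, so the caller's handle-table access check
 * applies. The original used KernelMode + PROCESS_ALL_ACCESS, which skips
 * that check and accepts any handle value the caller supplies.
 */
static void trackMapleHandle(unsigned long hProcess)
{
    PEPROCESS curEP = NULL;
    NTSTATUS ntStatus;

    if (mapleProcHandle != 0)
        return;

    ntStatus = ObReferenceObjectByHandle((HANDLE)hProcess, PROCESS_QUERY_INFORMATION,
                                         *PsProcessType, UserMode, &curEP, NULL);
    if (!NT_SUCCESS(ntStatus))
        return;

    if (!strncmp((char *)curEP + ProcessNameOffset, "MapleStory", 10)) {
        if ((firstHandle != 0) && (firstHandle != hProcess))
            mapleProcHandle = hProcess;
        else
            firstHandle = hProcess;
    }
    ObDereferenceObject(curEP);
}

/*
 * Detour target for the patched IopXxxCF site. It first runs the original
 * code through the OldIopXxxCF trampoline, then post-processes one IOCTL
 * (0x84020044, read-virtual-memory per the original comment) when issued by
 * the tracked GameMon process: if the target handle is the recorded
 * MapleStory process, the bytes the caller just read are replaced with the
 * matching slice of dump.bin (memoryBuffer, addresses minAddr..maxAddr).
 *
 * InputBuffer/OutputBuffer are the caller's USER-MODE buffers. The layout
 * relied on (from the original comment):
 *   in[0]  = read address      in[4]  = size      in[8] = destination address
 *   in[12] = size (?)          in[16] = process handle
 *   out[0] = size (read after the original call, so caller-controlled)
 *
 * Hardening vs. the original, which was a write-what-where primitive
 * reachable by any local process named "GameMon*":
 *  - InputBufferLength/OutputBufferLength are checked before fields are
 *    read, and both buffers are probed as user memory.
 *  - readLen is bounded by the bytes remaining in memoryBuffer. Previously
 *    only readAddr was range-checked (and with `<=`), so a large size read
 *    past the pool allocation.
 *  - readToAddr is ProbeForWrite'd before memcpy. Previously it was a raw
 *    caller-supplied pointer, i.e. an arbitrary kernel write.
 *  - handle lookup and dump loading are in helpers with the fixes noted
 *    above (UserMode access check, handle leak, unchecked statuses).
 *
 * Residual risks: the GameMon match is by image name (spoofable), so this
 * still lets one local process alter what another process reads;
 * mapleProcHandle is a handle VALUE, meaningful only in the caller's handle
 * table; and __except only catches faults, not logic errors.
 */
NTSTATUS _stdcall NewIopXxxCF(HANDLE FileHandle, HANDLE Event, void* ApcRoutine, void* ApcContext, void* IoStatusBlock, unsigned long IoControlCode, char *InputBuffer, unsigned long InputBufferLength, char *OutputBuffer, unsigned long OutputBufferLength, unsigned unknown)
{
    NTSTATUS res = OldIopXxxCF(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, IoControlCode,
                               InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength, unknown);
    unsigned long processId = ((unsigned long)PsGetCurrentProcessId()) ^ 0x1337;

    if (processId != gameMonProcId)
        return res;
    if (IoControlCode != 0x84020044)            /* then its RVM */
        return res;
    /* Fields up to in[16] need 20 input bytes; out[0] needs 4 output bytes. */
    if (InputBuffer == NULL || OutputBuffer == NULL || InputBufferLength < 20 || OutputBufferLength < 4)
        return res;

    __try {
        unsigned long readAddr, readLen, readToAddr, hProcess;

        /* Alignment 1: the original read these unaligned on x86. */
        ProbeForRead(InputBuffer, 20, 1);
        ProbeForRead(OutputBuffer, 4, 1);
        readAddr   = *(unsigned long *)&InputBuffer[0];
        readLen    = *(unsigned long *)&OutputBuffer[0];
        readToAddr = *(unsigned long *)&InputBuffer[8];
        hProcess   = *(unsigned long *)&InputBuffer[16];

        trackMapleHandle(hProcess);

        /* ref 1 */
        if (hProcess == mapleProcHandle && loadDumpFile()) {
            if (readAddr >= minAddr && readAddr < maxAddr) {
                unsigned long offset = readAddr - minAddr;
                unsigned long avail  = allocatedSize - offset;

                if (readLen != 0 && readLen <= avail) {
                    DbgPrint("Reading %x bytes between %x-%x", readLen, readAddr, readAddr + readLen);
                    /* ref 2: destination is caller-supplied; it must be writable user memory. */
                    ProbeForWrite((void *)readToAddr, readLen, 1);
                    memcpy((void *)readToAddr, &memoryBuffer[offset], readLen);
                } else {
                    DbgPrint("Rejecting read of %x bytes at %x (beyond dump)", readLen, readAddr);
                }
            }
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        DbgPrint("WTF WOWOWOW EXCEPTION");
    }
    return res;
}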
154
/*
 * Trampoline back into the original code. installHook() overwrote the 7
 * bytes at IopXxxCFAddress, which DriverEntry recorded as a 2-byte
 * instruction whose immediate is saved in IopXxxCFPush1 followed by a
 * 5-byte instruction whose immediate is saved in IopXxxCFPush2. This naked
 * function re-executes those two pushes and jumps to IopXxxCFRetAddress
 * (= IopXxxCFAddress + 7), the first unpatched byte.
 *
 * Being naked it has no prologue/epilogue: the caller's return address
 * stays on top of the stack exactly as after a direct call to the original,
 * so the original's eventual `ret` returns into NewIopXxxCF.
 *
 * NOTE(review): IopXxxCFPush1 was loaded from a single byte. If the
 * original instruction was `push imm8`, the CPU sign-extends that byte to
 * 32 bits, whereas `push dword ptr [IopXxxCFPush1]` pushes the stored
 * (zero-extended) value; the two agree only for 0x00..0x7f. Confirm against
 * the patched site.
 */
NTSTATUS _declspec(naked) _stdcall OldIopXxxCF(HANDLE FileHandle, HANDLE Event, void* ApcRoutine, void* ApcContext, void* IoStatusBlock, unsigned long IoControlCode, char *InputBuffer, unsigned long InputBufferLength, char *OutputBuffer, unsigned long OutputBufferLength, unsigned unknown){
/* Replay the two overwritten pushes, then resume at IopXxxCFAddress + 7. */
_asm {
push dword ptr [IopXxxCFPush1]
push dword ptr [IopXxxCFPush2]
jmp dword ptr [IopXxxCFRetAddress]
}
}
162
/*
 * IOCTL_ENABLE worker: install the hook once.
 * Returns 0 when this call installed the hook, 1 otherwise — either it was
 * already initialized or installHook() failed (both print "Init already",
 * so the log does not distinguish the two cases).
 */
unsigned Enable()
{
    /* installHook() is only attempted when not yet initialized. */
    if (Initialized || installHook() != STATUS_SUCCESS) {
        DbgPrint("Init already");
        return 1;
    }
    DbgPrint("Done Init");
    return 0;
}
173
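/*
 * IRP_MJ_DEVICE_CONTROL dispatch. Two METHOD_BUFFERED requests:
 *   IOCTL_ENABLE  — install the hook; writes Enable()'s result (0/1) as an
 *                   unsigned into the output buffer.
 *   IOCTL_DISABLE — remove the hook if it is installed.
 * Anything else completes with STATUS_INVALID_DEVICE_REQUEST (the original
 * used STATUS_UNSUCCESSFUL).
 *
 * Fixes vs. the original:
 *  - IOCTL_ENABLE wrote 4 bytes through SystemBuffer without checking the
 *    output length or the pointer. A caller passing no output buffer made
 *    SystemBuffer NULL (kernel NULL dereference, local DoS); a 1..3-byte
 *    buffer overran the system buffer. It now fails with
 *    STATUS_BUFFER_TOO_SMALL.
 *  - IoStatus.Information reported the caller's whole OutputBufferLength, so
 *    the I/O manager copied that many bytes of SystemBuffer back to the
 *    caller — more than the driver wrote. It now reports the bytes actually
 *    written (sizeof(unsigned) for IOCTL_ENABLE, 0 otherwise).
 *
 * Security note: there is no check on who issues these IOCTLs. Anyone able
 * to open the device (DriverEntry sets no explicit DACL) can patch kernel
 * code through IOCTL_ENABLE.
 */
NTSTATUS MSJDispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
    unsigned long written = 0;
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);

    (void)DeviceObject;

    switch (irpStack->Parameters.DeviceIoControl.IoControlCode) {
    case IOCTL_ENABLE:
        if (Irp->AssociatedIrp.SystemBuffer == NULL ||
            irpStack->Parameters.DeviceIoControl.OutputBufferLength < sizeof(unsigned)) {
            ntStatus = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        *(unsigned *)Irp->AssociatedIrp.SystemBuffer = Enable();
        written = sizeof(unsigned);
        ntStatus = STATUS_SUCCESS;
        break;

    case IOCTL_DISABLE:
        if (Initialized)
            removeHook();
        ntStatus = STATUS_SUCCESS;
        break;

    default:
        ntStatus = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Status = ntStatus;
    /* Only the bytes this driver wrote are copied back to the caller. */
    Irp->IoStatus.Information = NT_SUCCESS(ntStatus) ? written : 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ntStatus;
}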
208
/*
 * Catch-all dispatch installed by DriverEntry for every major function
 * other than IRP_MJ_DEVICE_CONTROL: completes the IRP at once with
 * STATUS_SUCCESS and zero bytes, so create/close/cleanup from user mode
 * succeed trivially.
 */
NTSTATUS MSJDispatchStub(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    const NTSTATUS status = STATUS_SUCCESS;

    (void)DeviceObject;

    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}
217
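/*
 * DriverUnload: remove the hook if it is live, then tear down the symbolic
 * link and the device object.
 *
 * Fix vs. the original: DriverEntry could report success without a device
 * object, in which case IoDeleteDevice(NULL) would fault here; the device
 * is now deleted only if one exists.
 *
 * Caveat not fixed: removeHook() restores the patched bytes, but a thread
 * already inside NewIopXxxCF keeps running code that is about to be
 * unmapped. There is no reference counting or drain, so unloading while
 * the hooked IOCTL is in flight can crash the system.
 */
void MSJUnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
    DbgPrint("Unloading driver");
    if (Initialized)
        removeHook();
    IoDeleteSymbolicLink(&deviceLinkUnicodeString);
    if (DriverObject->DeviceObject != NULL)
        IoDeleteDevice(DriverObject->DeviceObject);
}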
225
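/*
 * Resolve the hook site and the data the trampoline needs:
 *   IopXxxCFAddress    — target of the rel32 call/jmp found 37 bytes into
 *                        NtDeviceIoControlFile (the internal IopXxxCF).
 *   IopXxxCFRetAddress — IopXxxCFAddress + 7, where OldIopXxxCF resumes.
 *   IopXxxCFPush1/2    — immediates of the 2-byte and 5-byte push that the
 *                        7-byte patch overwrites.
 *
 * Fix vs. the original inline code: the bytes are checked against what the
 * offset arithmetic assumes — E8/E9 (call/jmp rel32) at +37, then 6A
 * (push imm8) and 68 (push imm32) at the target. The original followed the
 * hard-coded offsets blindly, so on any other ntoskrnl build it would have
 * patched whatever code happened to be there. On a mismatch
 * IopXxxCFAddress is left 0 and installHook() refuses to patch.
 */
static void resolveHookSite(void)
{
    UNICODE_STRING temp;
    unsigned long callSite;
    unsigned char op;

    RtlInitUnicodeString(&temp, L"NtDeviceIoControlFile");
    IopXxxCFAddress = (unsigned long)MmGetSystemRoutineAddress(&temp);
    if (!IopXxxCFAddress) {
        DbgPrint("Driver loaded, error getting addresses");
        return;
    }

    callSite = IopXxxCFAddress + 37;
    op = *(unsigned char *)callSite;
    if (op != 0xE8 && op != 0xE9) {
        DbgPrint("Driver loaded, unexpected opcode %x at NtDeviceIoControlFile+37", op);
        IopXxxCFAddress = 0;
        return;
    }
    /* rel32 target = address of next instruction (+5) plus displacement. */
    IopXxxCFAddress = callSite + 5 + *(unsigned *)(callSite + 1);

    if (*(unsigned char *)IopXxxCFAddress != 0x6A || *(unsigned char *)(IopXxxCFAddress + 2) != 0x68) {
        DbgPrint("Driver loaded, unexpected prologue at %x", IopXxxCFAddress);
        IopXxxCFAddress = 0;
        return;
    }

    IopXxxCFRetAddress = IopXxxCFAddress + 7;
    IopXxxCFPush1 = *(unsigned char *)(IopXxxCFAddress + 1);
    IopXxxCFPush2 = *(unsigned *)(IopXxxCFAddress + 3);
    GetProcessNameOffset();
    DbgPrint("Driver loaded, ProcessNameOffset %x\nIopXxxCF Address: %x, IopXxxCF Push1: %x, IopXxxCF Push2: %x",
             ProcessNameOffset, IopXxxCFAddress, IopXxxCFPush1, IopXxxCFPush2);
}

/*
 * Driver entry point.
 *  1. Install the dispatch table (MSJDispatchStub everywhere,
 *     MSJDispatchIoctl for IRP_MJ_DEVICE_CONTROL) and the unload routine.
 *  2. Create the control device and its symbolic link.
 *  3. Resolve the hook site (resolveHookSite); failure there is logged and
 *     leaves the hook disabled, the driver still loads.
 *
 * Fixes vs. the original:
 *  - IoCreateDevice / IoCreateSymbolicLink failures are returned instead of
 *    STATUS_SUCCESS (the driver stayed loaded with no device and its unload
 *    then called IoDeleteDevice(NULL)); the device is deleted when the link
 *    cannot be created.
 *  - dispatch routines are set before the device exists, so no IRP can
 *    reach an unset entry, and the loop now also covers index
 *    IRP_MJ_MAXIMUM_FUNCTION.
 *
 * Security caveat NOT fixed: IoCreateDevice applies the default device
 * DACL; there is no SDDL (IoCreateDeviceSecure) restricting the device to
 * administrators, so whoever the default grants access to can drive the
 * IOCTLs and install the kernel hook.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,
                     IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS ntStatus;
    PDEVICE_OBJECT DeviceObject = NULL;
    int i;

    (void)RegistryPath;

    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        DriverObject->MajorFunction[i] = MSJDispatchStub;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MSJDispatchIoctl;
    DriverObject->DriverUnload = MSJUnloadDriver;

    RtlInitUnicodeString(&deviceNameUnicodeString, deviceNameBuffer);
    RtlInitUnicodeString(&deviceLinkUnicodeString, deviceLinkBuffer);

    ntStatus = IoCreateDevice(DriverObject, 0, &deviceNameUnicodeString,
                              FILE_DEVICE_UNKNOWN, 0, TRUE, &DeviceObject);
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint("IoCreateDevice failed: %x", ntStatus);
        return ntStatus;
    }

    ntStatus = IoCreateSymbolicLink(&deviceLinkUnicodeString, &deviceNameUnicodeString);
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint("IoCreateSymbolicLink failed: %x", ntStatus);
        IoDeleteDevice(DeviceObject);
        return ntStatus;
    }

    resolveHookSite();
    return STATUS_SUCCESS;
}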
002 PEPROCESS currentEP = NULL;
003 unsigned long procID = (unsigned long)ProcessId;
004 procID ^= 0x1337;
005 PsLookupProcessByProcessId(ProcessId,¤tEP);
006 if(Create){
007 if(currentEP==NULL)
008 return;
009 if (strncmp((char*)currentEP+ProcessNameOffset,"GameMon",7)==0){
010 DbgPrint("Got GameMon");
011 gameMonProcId = procID;
012 }
013 ObDereferenceObject(currentEP);
014 }
015 else {
016 if(procID==gameMonProcId) {
017 gameMonProcId = -1;
018 DbgPrint("Removed");
019 resetParams();
020 }
021 }
022 }
023
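/*
 * Patch the 7 bytes at IopXxxCFAddress (resolved in DriverEntry) with
 * `jmp NewIopXxxCF` + two NOPs, saving the original bytes in
 * originalIopXxxCFBytes for removeHook(). Also registers
 * CreateProcessNotifyRoutine so the hook learns which PID to act on.
 *
 * Returns STATUS_SUCCESS, STATUS_UNSUCCESSFUL when no hook site was
 * resolved, or the NTSTATUS from PsSetCreateProcessNotifyRoutine when
 * registration fails.
 *
 * Fix vs. the original: the registration status was ignored, so a failure
 * left Initialized = true with a live code patch and no callback. The
 * callback is now registered BEFORE the patch; if that fails nothing has
 * been modified and the function returns the error.
 *
 * Stability/security caveats that are NOT fixed here:
 *  - `cli` masks interrupts on the current CPU only. On a multiprocessor
 *    system another CPU can execute the 7 bytes while memcpy rewrites
 *    them; the patch is not atomic and can run a torn instruction.
 *  - Clearing CR0.WP to write kernel code bypasses the page protection that
 *    exists to prevent exactly this; the supported way is an MDL mapped
 *    with write access. This is 32-bit-only code (inline __asm).
 *  - `xor eax,0x10000` assumes WP was set on entry (true on Windows).
 */
NTSTATUS installHook()
{
    unsigned char toMove[7];
    NTSTATUS status;

    if (!IopXxxCFAddress)
        return STATUS_UNSUCCESSFUL;

    /* Register first so a failure leaves no half-installed state. */
    status = PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine, false);
    if (!NT_SUCCESS(status))
        return status;

    memcpy(originalIopXxxCFBytes, (void *)IopXxxCFAddress, 7); /* store original AOB for unhook */

    toMove[0] = 0xe9;                                            /* jmp rel32 */
    *(unsigned *)&toMove[1] = JMP(IopXxxCFAddress, NewIopXxxCF);  /* displacement to the detour */
    *(short *)&toMove[5] = 0x9090;                               /* fill the 7-byte site with two NOPs */

    __asm {
        cli
        mov eax, CR0
        and eax, not 0x10000
        mov CR0, eax
    }
    memcpy((void *)IopXxxCFAddress, toMove, 7);
    __asm {
        mov eax, CR0
        xor eax, 0x10000
        mov CR0, eax
        sti
    }

    Initialized = true;
    return STATUS_SUCCESS;
}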
052
/*
 * Undo installHook(): write the saved 7 original bytes back over the
 * detour, reset hook state, clear Initialized and unregister the process
 * notify callback. Returns STATUS_UNSUCCESSFUL if no hook site was
 * resolved (nothing to undo).
 *
 * The CR0.WP / cli dance mirrors installHook() and has the same problems:
 * cli is per-CPU, so another processor may execute the bytes mid-rewrite,
 * and the restore is not atomic.
 *
 * NOTE(review): nothing here waits for threads that are currently inside
 * NewIopXxxCF / OldIopXxxCF. Unhooking (and then unloading) while such a
 * thread is running will execute freed driver code. The return value of
 * PsSetCreateProcessNotifyRoutine(..., true) is also not checked.
 */
NTSTATUS removeHook() {
if(IopXxxCFAddress){

/* Disable interrupts on this CPU and clear CR0.WP so kernel code is writable. */
__asm {
cli
mov eax,CR0
and eax,not 0x10000
mov CR0,eax
}
memcpy((void*)IopXxxCFAddress,originalIopXxxCFBytes,7); //unhook using stored AOB
/* Re-set WP (assumes it was set before) and re-enable interrupts. */
__asm {
mov eax,CR0
xor eax,0x10000
mov CR0,eax
sti
}
resetParams();
Initialized = false;
/* true = remove the callback registered in installHook(). */
PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine,true);

return STATUS_SUCCESS;
}
return STATUS_UNSUCCESSFUL;
}
077
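/*
 * Load dump.bin (memoryNameBuffer) into memoryBuffer on first use.
 * Returns TRUE when memoryBuffer holds allocatedSize bytes covering the
 * address range [minAddr, maxAddr). On any failure memoryBuffer stays NULL,
 * allocatedSize is 0 and maxAddr == minAddr, so no range check can pass.
 *
 * Fixes vs. the original inline code: ZwQueryInformationFile and ZwReadFile
 * statuses are checked, a short read does not leave a half-filled buffer,
 * an empty file is not allocated as 0 bytes, the handle is closed on every
 * path, and ZwClose receives the handle itself (the original passed &hfile
 * and leaked the handle).
 */
static BOOLEAN loadDumpFile(void)
{
    NTSTATUS status;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK iostatus;
    FILE_STANDARD_INFORMATION si;
    HANDLE hfile = NULL;

    if (memoryBuffer != NULL)
        return TRUE;

    RtlInitUnicodeString(&memoryNameUnicodeString, memoryNameBuffer);
    InitializeObjectAttributes(&oa, &memoryNameUnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL);
    status = ZwCreateFile(&hfile, GENERIC_READ, &oa, &iostatus, NULL, 0, FILE_SHARE_READ,
                          FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
    if (!NT_SUCCESS(status)) {
        DbgPrint("Error: dump.bin is missing");
        return FALSE;
    }

    status = ZwQueryInformationFile(hfile, &iostatus, &si, sizeof(si), FileStandardInformation);
    /* Accept only a non-empty file whose size fits the 32-bit LowPart. */
    if (NT_SUCCESS(status) && si.EndOfFile.HighPart == 0 && si.EndOfFile.LowPart != 0) {
        allocatedSize = si.EndOfFile.LowPart;
        memoryBuffer = ExAllocatePoolWithTag(PagedPool, allocatedSize, 'KiKi');
        if (memoryBuffer != NULL) {
            status = ZwReadFile(hfile, NULL, NULL, NULL, &iostatus, memoryBuffer, allocatedSize, NULL, NULL);
            if (!NT_SUCCESS(status) || iostatus.Information != allocatedSize) {
                /* Short or failed read: never serve a partially filled buffer. */
                ExFreePoolWithTag(memoryBuffer, 'KiKi');
                memoryBuffer = NULL;
            }
        }
    }
    ZwClose(hfile);

    if (memoryBuffer == NULL) {
        allocatedSize = 0;
        maxAddr = minAddr;
        return FALSE;
    }
    maxAddr = minAddr + allocatedSize;
    return TRUE;
}

/*
 * Remember which process handle refers to MapleStory, preserving the
 * original two-step rule: the first matching handle is only recorded in
 * firstHandle; a later, DIFFERENT matching handle becomes mapleProcHandle.
 *
 * Fix vs. the original: the handle is referenced with UserMode and the
 * minimum right this code needs, so the caller's handle-table access check
 * applies. The original used KernelMode + PROCESS_ALL_ACCESS, which skips
 * that check and accepts any handle value the caller supplies.
 */
static void trackMapleHandle(unsigned long hProcess)
{
    PEPROCESS curEP = NULL;
    NTSTATUS ntStatus;

    if (mapleProcHandle != 0)
        return;

    ntStatus = ObReferenceObjectByHandle((HANDLE)hProcess, PROCESS_QUERY_INFORMATION,
                                         *PsProcessType, UserMode, &curEP, NULL);
    if (!NT_SUCCESS(ntStatus))
        return;

    if (!strncmp((char *)curEP + ProcessNameOffset, "MapleStory", 10)) {
        if ((firstHandle != 0) && (firstHandle != hProcess))
            mapleProcHandle = hProcess;
        else
            firstHandle = hProcess;
    }
    ObDereferenceObject(curEP);
}

/*
 * Detour target for the patched IopXxxCF site. It first runs the original
 * code through the OldIopXxxCF trampoline, then post-processes one IOCTL
 * (0x84020044, read-virtual-memory per the original comment) when issued by
 * the tracked GameMon process: if the target handle is the recorded
 * MapleStory process, the bytes the caller just read are replaced with the
 * matching slice of dump.bin (memoryBuffer, addresses minAddr..maxAddr).
 *
 * InputBuffer/OutputBuffer are the caller's USER-MODE buffers. The layout
 * relied on (from the original comment):
 *   in[0]  = read address      in[4]  = size      in[8] = destination address
 *   in[12] = size (?)          in[16] = process handle
 *   out[0] = size (read after the original call, so caller-controlled)
 *
 * Hardening vs. the original, which was a write-what-where primitive
 * reachable by any local process named "GameMon*":
 *  - InputBufferLength/OutputBufferLength are checked before fields are
 *    read, and both buffers are probed as user memory.
 *  - readLen is bounded by the bytes remaining in memoryBuffer. Previously
 *    only readAddr was range-checked (and with `<=`), so a large size read
 *    past the pool allocation.
 *  - readToAddr is ProbeForWrite'd before memcpy. Previously it was a raw
 *    caller-supplied pointer, i.e. an arbitrary kernel write.
 *  - handle lookup and dump loading are in helpers with the fixes noted
 *    above (UserMode access check, handle leak, unchecked statuses).
 *
 * Residual risks: the GameMon match is by image name (spoofable), so this
 * still lets one local process alter what another process reads;
 * mapleProcHandle is a handle VALUE, meaningful only in the caller's handle
 * table; and __except only catches faults, not logic errors.
 */
NTSTATUS _stdcall NewIopXxxCF(HANDLE FileHandle, HANDLE Event, void* ApcRoutine, void* ApcContext, void* IoStatusBlock, unsigned long IoControlCode, char *InputBuffer, unsigned long InputBufferLength, char *OutputBuffer, unsigned long OutputBufferLength, unsigned unknown)
{
    NTSTATUS res = OldIopXxxCF(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, IoControlCode,
                               InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength, unknown);
    unsigned long processId = ((unsigned long)PsGetCurrentProcessId()) ^ 0x1337;

    if (processId != gameMonProcId)
        return res;
    if (IoControlCode != 0x84020044)            /* then its RVM */
        return res;
    /* Fields up to in[16] need 20 input bytes; out[0] needs 4 output bytes. */
    if (InputBuffer == NULL || OutputBuffer == NULL || InputBufferLength < 20 || OutputBufferLength < 4)
        return res;

    __try {
        unsigned long readAddr, readLen, readToAddr, hProcess;

        /* Alignment 1: the original read these unaligned on x86. */
        ProbeForRead(InputBuffer, 20, 1);
        ProbeForRead(OutputBuffer, 4, 1);
        readAddr   = *(unsigned long *)&InputBuffer[0];
        readLen    = *(unsigned long *)&OutputBuffer[0];
        readToAddr = *(unsigned long *)&InputBuffer[8];
        hProcess   = *(unsigned long *)&InputBuffer[16];

        trackMapleHandle(hProcess);

        /* ref 1 */
        if (hProcess == mapleProcHandle && loadDumpFile()) {
            if (readAddr >= minAddr && readAddr < maxAddr) {
                unsigned long offset = readAddr - minAddr;
                unsigned long avail  = allocatedSize - offset;

                if (readLen != 0 && readLen <= avail) {
                    DbgPrint("Reading %x bytes between %x-%x", readLen, readAddr, readAddr + readLen);
                    /* ref 2: destination is caller-supplied; it must be writable user memory. */
                    ProbeForWrite((void *)readToAddr, readLen, 1);
                    memcpy((void *)readToAddr, &memoryBuffer[offset], readLen);
                } else {
                    DbgPrint("Rejecting read of %x bytes at %x (beyond dump)", readLen, readAddr);
                }
            }
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        DbgPrint("WTF WOWOWOW EXCEPTION");
    }
    return res;
}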
154
/*
 * Trampoline back into the original code. installHook() overwrote the 7
 * bytes at IopXxxCFAddress, which DriverEntry recorded as a 2-byte
 * instruction whose immediate is saved in IopXxxCFPush1 followed by a
 * 5-byte instruction whose immediate is saved in IopXxxCFPush2. This naked
 * function re-executes those two pushes and jumps to IopXxxCFRetAddress
 * (= IopXxxCFAddress + 7), the first unpatched byte.
 *
 * Being naked it has no prologue/epilogue: the caller's return address
 * stays on top of the stack exactly as after a direct call to the original,
 * so the original's eventual `ret` returns into NewIopXxxCF.
 *
 * NOTE(review): IopXxxCFPush1 was loaded from a single byte. If the
 * original instruction was `push imm8`, the CPU sign-extends that byte to
 * 32 bits, whereas `push dword ptr [IopXxxCFPush1]` pushes the stored
 * (zero-extended) value; the two agree only for 0x00..0x7f. Confirm against
 * the patched site.
 */
NTSTATUS _declspec(naked) _stdcall OldIopXxxCF(HANDLE FileHandle, HANDLE Event, void* ApcRoutine, void* ApcContext, void* IoStatusBlock, unsigned long IoControlCode, char *InputBuffer, unsigned long InputBufferLength, char *OutputBuffer, unsigned long OutputBufferLength, unsigned unknown){
/* Replay the two overwritten pushes, then resume at IopXxxCFAddress + 7. */
_asm {
push dword ptr [IopXxxCFPush1]
push dword ptr [IopXxxCFPush2]
jmp dword ptr [IopXxxCFRetAddress]
}
}
162
/*
 * IOCTL_ENABLE worker: install the hook once.
 * Returns 0 when this call installed the hook, 1 otherwise — either it was
 * already initialized or installHook() failed (both print "Init already",
 * so the log does not distinguish the two cases).
 */
unsigned Enable()
{
    /* installHook() is only attempted when not yet initialized. */
    if (Initialized || installHook() != STATUS_SUCCESS) {
        DbgPrint("Init already");
        return 1;
    }
    DbgPrint("Done Init");
    return 0;
}
173
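/*
 * IRP_MJ_DEVICE_CONTROL dispatch. Two METHOD_BUFFERED requests:
 *   IOCTL_ENABLE  — install the hook; writes Enable()'s result (0/1) as an
 *                   unsigned into the output buffer.
 *   IOCTL_DISABLE — remove the hook if it is installed.
 * Anything else completes with STATUS_INVALID_DEVICE_REQUEST (the original
 * used STATUS_UNSUCCESSFUL).
 *
 * Fixes vs. the original:
 *  - IOCTL_ENABLE wrote 4 bytes through SystemBuffer without checking the
 *    output length or the pointer. A caller passing no output buffer made
 *    SystemBuffer NULL (kernel NULL dereference, local DoS); a 1..3-byte
 *    buffer overran the system buffer. It now fails with
 *    STATUS_BUFFER_TOO_SMALL.
 *  - IoStatus.Information reported the caller's whole OutputBufferLength, so
 *    the I/O manager copied that many bytes of SystemBuffer back to the
 *    caller — more than the driver wrote. It now reports the bytes actually
 *    written (sizeof(unsigned) for IOCTL_ENABLE, 0 otherwise).
 *
 * Security note: there is no check on who issues these IOCTLs. Anyone able
 * to open the device (DriverEntry sets no explicit DACL) can patch kernel
 * code through IOCTL_ENABLE.
 */
NTSTATUS MSJDispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
    unsigned long written = 0;
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);

    (void)DeviceObject;

    switch (irpStack->Parameters.DeviceIoControl.IoControlCode) {
    case IOCTL_ENABLE:
        if (Irp->AssociatedIrp.SystemBuffer == NULL ||
            irpStack->Parameters.DeviceIoControl.OutputBufferLength < sizeof(unsigned)) {
            ntStatus = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        *(unsigned *)Irp->AssociatedIrp.SystemBuffer = Enable();
        written = sizeof(unsigned);
        ntStatus = STATUS_SUCCESS;
        break;

    case IOCTL_DISABLE:
        if (Initialized)
            removeHook();
        ntStatus = STATUS_SUCCESS;
        break;

    default:
        ntStatus = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Status = ntStatus;
    /* Only the bytes this driver wrote are copied back to the caller. */
    Irp->IoStatus.Information = NT_SUCCESS(ntStatus) ? written : 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ntStatus;
}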
208
/*
 * Catch-all dispatch installed by DriverEntry for every major function
 * other than IRP_MJ_DEVICE_CONTROL: completes the IRP at once with
 * STATUS_SUCCESS and zero bytes, so create/close/cleanup from user mode
 * succeed trivially.
 */
NTSTATUS MSJDispatchStub(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    const NTSTATUS status = STATUS_SUCCESS;

    (void)DeviceObject;

    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}
217
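/*
 * DriverUnload: remove the hook if it is live, then tear down the symbolic
 * link and the device object.
 *
 * Fix vs. the original: DriverEntry could report success without a device
 * object, in which case IoDeleteDevice(NULL) would fault here; the device
 * is now deleted only if one exists.
 *
 * Caveat not fixed: removeHook() restores the patched bytes, but a thread
 * already inside NewIopXxxCF keeps running code that is about to be
 * unmapped. There is no reference counting or drain, so unloading while
 * the hooked IOCTL is in flight can crash the system.
 */
void MSJUnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
    DbgPrint("Unloading driver");
    if (Initialized)
        removeHook();
    IoDeleteSymbolicLink(&deviceLinkUnicodeString);
    if (DriverObject->DeviceObject != NULL)
        IoDeleteDevice(DriverObject->DeviceObject);
}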
225
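/*
 * Resolve the hook site and the data the trampoline needs:
 *   IopXxxCFAddress    — target of the rel32 call/jmp found 37 bytes into
 *                        NtDeviceIoControlFile (the internal IopXxxCF).
 *   IopXxxCFRetAddress — IopXxxCFAddress + 7, where OldIopXxxCF resumes.
 *   IopXxxCFPush1/2    — immediates of the 2-byte and 5-byte push that the
 *                        7-byte patch overwrites.
 *
 * Fix vs. the original inline code: the bytes are checked against what the
 * offset arithmetic assumes — E8/E9 (call/jmp rel32) at +37, then 6A
 * (push imm8) and 68 (push imm32) at the target. The original followed the
 * hard-coded offsets blindly, so on any other ntoskrnl build it would have
 * patched whatever code happened to be there. On a mismatch
 * IopXxxCFAddress is left 0 and installHook() refuses to patch.
 */
static void resolveHookSite(void)
{
    UNICODE_STRING temp;
    unsigned long callSite;
    unsigned char op;

    RtlInitUnicodeString(&temp, L"NtDeviceIoControlFile");
    IopXxxCFAddress = (unsigned long)MmGetSystemRoutineAddress(&temp);
    if (!IopXxxCFAddress) {
        DbgPrint("Driver loaded, error getting addresses");
        return;
    }

    callSite = IopXxxCFAddress + 37;
    op = *(unsigned char *)callSite;
    if (op != 0xE8 && op != 0xE9) {
        DbgPrint("Driver loaded, unexpected opcode %x at NtDeviceIoControlFile+37", op);
        IopXxxCFAddress = 0;
        return;
    }
    /* rel32 target = address of next instruction (+5) plus displacement. */
    IopXxxCFAddress = callSite + 5 + *(unsigned *)(callSite + 1);

    if (*(unsigned char *)IopXxxCFAddress != 0x6A || *(unsigned char *)(IopXxxCFAddress + 2) != 0x68) {
        DbgPrint("Driver loaded, unexpected prologue at %x", IopXxxCFAddress);
        IopXxxCFAddress = 0;
        return;
    }

    IopXxxCFRetAddress = IopXxxCFAddress + 7;
    IopXxxCFPush1 = *(unsigned char *)(IopXxxCFAddress + 1);
    IopXxxCFPush2 = *(unsigned *)(IopXxxCFAddress + 3);
    GetProcessNameOffset();
    DbgPrint("Driver loaded, ProcessNameOffset %x\nIopXxxCF Address: %x, IopXxxCF Push1: %x, IopXxxCF Push2: %x",
             ProcessNameOffset, IopXxxCFAddress, IopXxxCFPush1, IopXxxCFPush2);
}

/*
 * Driver entry point.
 *  1. Install the dispatch table (MSJDispatchStub everywhere,
 *     MSJDispatchIoctl for IRP_MJ_DEVICE_CONTROL) and the unload routine.
 *  2. Create the control device and its symbolic link.
 *  3. Resolve the hook site (resolveHookSite); failure there is logged and
 *     leaves the hook disabled, the driver still loads.
 *
 * Fixes vs. the original:
 *  - IoCreateDevice / IoCreateSymbolicLink failures are returned instead of
 *    STATUS_SUCCESS (the driver stayed loaded with no device and its unload
 *    then called IoDeleteDevice(NULL)); the device is deleted when the link
 *    cannot be created.
 *  - dispatch routines are set before the device exists, so no IRP can
 *    reach an unset entry, and the loop now also covers index
 *    IRP_MJ_MAXIMUM_FUNCTION.
 *
 * Security caveat NOT fixed: IoCreateDevice applies the default device
 * DACL; there is no SDDL (IoCreateDeviceSecure) restricting the device to
 * administrators, so whoever the default grants access to can drive the
 * IOCTLs and install the kernel hook.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,
                     IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS ntStatus;
    PDEVICE_OBJECT DeviceObject = NULL;
    int i;

    (void)RegistryPath;

    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        DriverObject->MajorFunction[i] = MSJDispatchStub;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MSJDispatchIoctl;
    DriverObject->DriverUnload = MSJUnloadDriver;

    RtlInitUnicodeString(&deviceNameUnicodeString, deviceNameBuffer);
    RtlInitUnicodeString(&deviceLinkUnicodeString, deviceLinkBuffer);

    ntStatus = IoCreateDevice(DriverObject, 0, &deviceNameUnicodeString,
                              FILE_DEVICE_UNKNOWN, 0, TRUE, &DeviceObject);
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint("IoCreateDevice failed: %x", ntStatus);
        return ntStatus;
    }

    ntStatus = IoCreateSymbolicLink(&deviceLinkUnicodeString, &deviceNameUnicodeString);
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint("IoCreateSymbolicLink failed: %x", ntStatus);
        IoDeleteDevice(DeviceObject);
        return ntStatus;
    }

    resolveHookSite();
    return STATUS_SUCCESS;
}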
