pwp
This commit is contained in:
CSlime 2021-10-19 19:44:12 +08:00
parent 2eea8b18d0
commit 6595d2756b
17 changed files with 3541 additions and 0 deletions

51
DICHook_OpenSource.sln Normal file

@ -0,0 +1,51 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.31515.178
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DICHook_OpenSource", "DICHook_OpenSource\DICHook_OpenSource.vcxproj", "{788C82FC-D258-4C61-A8DA-C12DC560FCAD}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|ARM = Debug|ARM
Debug|ARM64 = Debug|ARM64
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|ARM = Release|ARM
Release|ARM64 = Release|ARM64
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Debug|ARM.ActiveCfg = Debug|ARM
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Debug|ARM.Build.0 = Debug|ARM
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Debug|ARM.Deploy.0 = Debug|ARM
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Debug|ARM64.ActiveCfg = Debug|ARM64
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Debug|ARM64.Build.0 = Debug|ARM64
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Debug|ARM64.Deploy.0 = Debug|ARM64
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Debug|x64.ActiveCfg = Debug|x64
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Debug|x64.Build.0 = Debug|x64
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Debug|x64.Deploy.0 = Debug|x64
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Debug|x86.ActiveCfg = Debug|Win32
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Debug|x86.Build.0 = Debug|Win32
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Debug|x86.Deploy.0 = Debug|Win32
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Release|ARM.ActiveCfg = Release|ARM
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Release|ARM.Build.0 = Release|ARM
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Release|ARM.Deploy.0 = Release|ARM
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Release|ARM64.ActiveCfg = Release|ARM64
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Release|ARM64.Build.0 = Release|ARM64
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Release|ARM64.Deploy.0 = Release|ARM64
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Release|x64.ActiveCfg = Release|x64
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Release|x64.Build.0 = Release|x64
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Release|x64.Deploy.0 = Release|x64
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Release|x86.ActiveCfg = Release|Win32
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Release|x86.Build.0 = Release|Win32
{788C82FC-D258-4C61-A8DA-C12DC560FCAD}.Release|x86.Deploy.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {0F5EA8A1-6BCE-462A-87DA-DD9CA15E4D26}
EndGlobalSection
EndGlobal


@ -0,0 +1,609 @@
#include "DDKCommon.h"
#include "MyMemoryIo64.h"
#pragma comment(lib,"oldnames.lib")
typedef struct _SBYTEINFO_3 {
UCHAR RawByte;
UCHAR Hi : 1; //Hi 4 bit is ??
UCHAR Lo : 1; //Lo 4 bit is ??
UCHAR All : 1;
UCHAR No : 1;
}SBYTEINFO_3, *PSBYTEINFO_3;
typedef struct _SBYTEINFO_2 {
UCHAR RawByte;
BOOLEAN All;
}SBYTEINFO_2, *PSBYTEINFO_2;
void AnsiToUnicode(LPCSTR AnsiStr, LPWSTR UnicodeStrBuffer, ULONG MaxLenth) {
int len = strlen(AnsiStr);
if (len > MaxLenth)len = MaxLenth;
UnicodeStrBuffer[len] = 0;
for (int i = 0; i < len; ++i) {
UnicodeStrBuffer[i] = AnsiStr[i];
}
return;
}
void UnicodeToAnsi(LPCWSTR UnicodeStr, LPSTR AnsiStrBuffer, ULONG MaxLenth) {
int len = wcslen(UnicodeStr);
if (len > MaxLenth)len = MaxLenth;
AnsiStrBuffer[len] = 0;
for (int i = 0; i < len; ++i) {
AnsiStrBuffer[i] = UnicodeStr[i];
}
return;
}
static ULONG64 g_per = 0;
static BOOL g_first = TRUE;
ULONG64 GetRealTime() {
if (g_first) {
g_first = FALSE;
ULONG64 fir, sec;
fir = AsmRdtsc();
Sleep(50);
sec = AsmRdtsc();
g_per = (sec - fir) / 50;
}
return AsmRdtsc() / g_per;
}
static ULONG64 g_per_micro = 0;
static BOOL g_first_micro = TRUE;
ULONG64 GetRealMicroTime() {
if (g_first_micro) {
g_first_micro = FALSE;
ULONG64 fir, sec;
fir = AsmRdtsc();
Sleep(50);
sec = AsmRdtsc();
g_per_micro = (sec - fir) / 50000;
}
return AsmRdtsc() / g_per_micro;
}
VOID Sleep(LONG Millsecond) {
LARGE_INTEGER t;
t.QuadPart = Millsecond;
//µ¥Î»:100ÄÉÃë
t.QuadPart *= -10 * 1000;
KeDelayExecutionThread(KernelMode, FALSE, &t);
return;
}
VOID ForceSleep(LONG Millsecond) {
KeStallExecutionProcessor(Millsecond * 1000);
}
LPWSTR WINAPI StrStrIW(LPCWSTR lpszStr, LPCWSTR lpszSearch)
{
int iLen;
LPCWSTR end;
if (!lpszStr || !lpszSearch || !*lpszSearch)
return NULL;
iLen = wcslen(lpszSearch);
end = lpszStr + wcslen(lpszStr);
while (lpszStr + iLen <= end)
{
if (!wcsnicmp(lpszStr, lpszSearch, iLen))
return (LPWSTR)lpszStr;
lpszStr++;
}
return NULL;
}
LPWSTR WINAPI StrStrNIW(LPCWSTR lpszStr, LPCWSTR lpszSearch, SIZE_T max_chars)
{
int iLen;
LPCWSTR end;
if (!lpszStr || !lpszSearch || !*lpszSearch || !max_chars)
return NULL;
iLen = wcslen(lpszSearch);
end = lpszStr + max_chars;
while (lpszStr + iLen <= end)
{
if (!wcsnicmp(lpszStr, lpszSearch, iLen))
return (LPWSTR)lpszStr;
lpszStr++;
}
return NULL;
}
LPSTR WINAPI StrStrIA(LPCSTR lpszStr, LPCSTR lpszSearch)
{
int iLen;
LPCSTR end;
if (!lpszStr || !lpszSearch || !*lpszSearch)
return NULL;
iLen = strlen(lpszSearch);
end = lpszStr + strlen(lpszStr);
while (lpszStr + iLen <= end)
{
if (!strnicmp(lpszStr, lpszSearch, iLen))
return (LPSTR)lpszStr;
lpszStr++;
}
return NULL;
}
LPSTR WINAPI StrStrNIA(LPCSTR lpszStr, LPCSTR lpszSearch, SIZE_T max_chars)
{
int iLen;
LPCSTR end;
if (!lpszStr || !lpszSearch || !*lpszSearch || !max_chars)
return NULL;
iLen = strlen(lpszSearch);
end = lpszStr + max_chars;
while (lpszStr + iLen <= end)
{
if (!strnicmp(lpszStr, lpszSearch, iLen))
return (LPSTR)lpszStr;
lpszStr++;
}
return NULL;
}
UCHAR CharToByte(UCHAR c) {
if (c >= '0' && c <= '9') return(c - 48);
else if (c >= 'A' && c <= 'F')return(c - 55);
else if (c >= 'a' && c <= 'f')return(c - 87);
return 0;
}
#define STRTOBYTE(h) (CharToByte(h[0]) * 0x10 + CharToByte(h[1]))
UCHAR StrToByte(const char* hex) {
return CharToByte(hex[0]) * 0x10 + CharToByte(hex[1]);
}
ULONG __strlen__(LPCSTR str) {
register ULONG len = 0;
while (*str++)++len;
return len;
}
#define CHECKCHARVALID(v) ((v >= '0' && v <= '9') || (v >= 'A' && v <= 'F') || (v >= 'a' && v <= 'f') || v == '?')
ULONG CheckForSignureCode(LPCSTR scode) {
ULONG len = __strlen__(scode);
LPCSTR str = scode;
if (len % 2)return FALSE;
str = scode;
ULONG Type = 1;
for (int i = 0; i < len; i += 2) {
if (!CHECKCHARVALID(scode[i]) || !CHECKCHARVALID(scode[i + 1]))return 0;
if (scode[i] == '?' && scode[i + 1] != '?') {
return 3;
}
if (scode[i + 1] == '?' && scode[i] != '?') {
return 3;
}
if (scode[i] == '?' && scode[i + 1] == '?')Type = 2;
}
return Type;
}
#define HI4BIT(v) (v>>4)
#define LO4BIT(v) (v&0x0f)
BOOLEAN __forceinline CompareByte_3(UCHAR byte, PSBYTEINFO_3 sbyte) {
if (sbyte->No)return byte == sbyte->RawByte;
if (sbyte->All) return TRUE;
if (sbyte->Hi) {
return sbyte->RawByte == LO4BIT(byte);
}
if (sbyte->Lo) {
return sbyte->RawByte == HI4BIT(byte);
}
return FALSE;
}
VOID __forceinline convert_scode_sbyte_3(LPCSTR SignatureCode, PSBYTEINFO_3 rawbyte) {
ULONG len = __strlen__(SignatureCode) / 2;
memset(rawbyte, 0, len * sizeof(SBYTEINFO_3));
for (int i = 0; i < len; i++) {
LPCSTR scode = SignatureCode + i * 2;
if (scode[0] == '?' && scode[1] == '?') {
rawbyte[i].All = TRUE;
continue;
}
if (scode[0] == '?') {
rawbyte[i].Hi = TRUE;
rawbyte[i].RawByte = CharToByte(scode[1]);
continue;
}
if (scode[1] == '?') {
rawbyte[i].Lo = TRUE;
rawbyte[i].RawByte = CharToByte(scode[0]);
continue;
}
rawbyte[i].RawByte = STRTOBYTE(scode);
rawbyte[i].No = TRUE;
}
}
VOID __forceinline convert_scode_sbyte_2(LPCSTR SignatureCode, PSBYTEINFO_2 rawbyte) {
ULONG len = __strlen__(SignatureCode) / 2;
memset(rawbyte, 0, len * sizeof(SBYTEINFO_2));
for (int i = 0; i < len; i++) {
LPCSTR scode = SignatureCode + i * 2;
if (scode[0] == '?') {
rawbyte[i].All = TRUE;
continue;
}
rawbyte[i].RawByte = STRTOBYTE(scode);
}
}
INT64 FindSignatureCode_3_nocheck(const PUCHAR Memory, UINT64 MemoryLenth, LPCSTR SignatureCode, UINT64 Pos) {
ULONG len = __strlen__(SignatureCode) / 2;
if (len > 100)
return -1;
SBYTEINFO_3 rawbyte[100];
memset(rawbyte, 0, sizeof(rawbyte));
convert_scode_sbyte_3(SignatureCode, rawbyte);
register PSBYTEINFO_3 sbyte = rawbyte;
UINT64 opos = 0;
register UINT64 cmppos = 0;
register BOOLEAN Hit = FALSE;
for (UINT64 i = Pos; i < MemoryLenth; ++i) {
if (CompareByte_3(Memory[i], sbyte)) {
if (!Hit) {
opos = i;
Hit = TRUE;
}
++sbyte;
if (++cmppos == len) {
return i - (len - 1);
}
}
else {
if (Hit) {
if (Hit)i = opos;
Hit = FALSE;
cmppos = 0;
sbyte = rawbyte;
}
}
}
return -1;
}
INT64 FindSignatureCode_2_nocheck(const PUCHAR Memory, UINT64 MemoryLenth, LPCSTR SignatureCode, UINT64 Pos) {
ULONG len = __strlen__(SignatureCode) / 2;
ULONG PoolSize = len * sizeof(SBYTEINFO_2);
if (len > 100)
return -1;
SBYTEINFO_2 rawbyte[100];
memset(rawbyte, 0, sizeof(rawbyte));
convert_scode_sbyte_2(SignatureCode, rawbyte);
register PSBYTEINFO_2 sbyte = rawbyte;
UINT64 opos = 0;
register UINT64 cmppos = 0;
register BOOLEAN Hit = FALSE;
for (register UINT64 i = Pos; i < MemoryLenth; ++i) {
if (sbyte->All || (Memory[i] == sbyte->RawByte)) {
if (!Hit) {
opos = i;
Hit = TRUE;
}
++sbyte;
if (++cmppos == len) {
return i - (len - 1);
}
}
else {
if (Hit) {
i = opos;
Hit = FALSE;
cmppos = 0;
sbyte = rawbyte;
}
}
}
return -1;
}
INT64 FindSignatureCode_nocheck(LPCVOID Memory, UINT64 MemoryLenth, LPCSTR SignatureCode, UINT64 Pos) {
CHAR realPattern[300];
RtlZeroMemory(realPattern, sizeof(realPattern));
int len = strlen(SignatureCode);
int j = 0;
for (int i = 0; i < len; i++) {
if (SignatureCode[i] != ' ') {
realPattern[j++] = SignatureCode[i];
if (j > 299)
break;
}
}
ULONG type = CheckForSignureCode(realPattern);
if (!type)return -1;
if (type == 3)return FindSignatureCode_3_nocheck((const PUCHAR)Memory, MemoryLenth, realPattern, Pos);
if (type == 2 || type == 1) return FindSignatureCode_2_nocheck((const PUCHAR)Memory, MemoryLenth, realPattern, Pos);
return -1;
}
ULONG64 ScanSection(LPCSTR SectionName, LPCSTR Pattern) {
PIMAGE_NT_HEADERS pHdr;
PIMAGE_SECTION_HEADER pFirstSec;
PIMAGE_SECTION_HEADER pSec;
PUCHAR ntosBase;
ntosBase = (PUCHAR)KGetNtoskrnl();
if (!ntosBase)
return NULL;
IMAGE_DOS_HEADER* idh = (IMAGE_DOS_HEADER*)ntosBase;
pHdr = (IMAGE_NT_HEADERS*)(ntosBase + idh->e_lfanew);
pFirstSec = IMAGE_FIRST_SECTION(pHdr);
for (pSec = pFirstSec; pSec < pFirstSec + pHdr->FileHeader.NumberOfSections; pSec++)
{
CHAR Name[9];
RtlZeroMemory(&Name, 9);
memcpy(Name, pSec->Name, 8);
if (!strcmp(SectionName, Name))
{
PUCHAR pFound = NULL;
INT64 pos = FindSignatureCode_nocheck(ntosBase + pSec->VirtualAddress, pSec->Misc.VirtualSize, Pattern, 0);
if (pos != -1)
{
return (ULONG64)(pos + ntosBase + pSec->VirtualAddress);
}
}
}
return NULL;
}
ULONG64 ScanSection_Image(LPCVOID hImage, LPCSTR SectionName, LPCSTR Pattern) {
PIMAGE_NT_HEADERS pHdr;
PIMAGE_SECTION_HEADER pFirstSec;
PIMAGE_SECTION_HEADER pSec;
PUCHAR ntosBase;
ntosBase = (PUCHAR)hImage;
if (!ntosBase)
return NULL;
IMAGE_DOS_HEADER* idh = (IMAGE_DOS_HEADER*)ntosBase;
pHdr = (IMAGE_NT_HEADERS*)(ntosBase + idh->e_lfanew);
pFirstSec = IMAGE_FIRST_SECTION(pHdr);
for (pSec = pFirstSec; pSec < pFirstSec + pHdr->FileHeader.NumberOfSections; pSec++)
{
CHAR Name[9];
RtlZeroMemory(&Name, 9);
memcpy(Name, pSec->Name, 8);
if (!strcmp(SectionName, Name))
{
PUCHAR pFound = NULL;
INT64 pos = FindSignatureCode_nocheck(ntosBase + pSec->VirtualAddress, pSec->Misc.VirtualSize, Pattern, 0);
if (pos != -1)
{
return (ULONG64)(pos + ntosBase + pSec->VirtualAddress);
}
}
}
return NULL;
}
PVOID KGetDriverImageBase2(PCHAR name) {
PVOID addr = 0;
ULONG size = 0;
NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, 0, 0, &size);
if (STATUS_INFO_LENGTH_MISMATCH != status) {
return addr;
}
PSYSTEM_MODULE_INFORMATION modules = (PSYSTEM_MODULE_INFORMATION)ExAllocatePoolWithTag(NonPagedPoolNx, size, POOL_TAG);
if (!modules) {
return addr;
}
if (!NT_SUCCESS(status = ZwQuerySystemInformation(SystemModuleInformation, modules, size, 0))) {
return addr;
}
int name_len = strlen(name);
for (ULONG i = 0; i < modules->NumberOfModules; ++i) {
SYSTEM_MODULE m = modules->Modules[i];
UCHAR buf[256 + 1];
RtlZeroMemory(buf, sizeof(buf));
memcpy(buf, m.FullPathName, 256);
if (StrStrIA((LPCSTR)buf, name)) {
addr = m.ImageBase;
break;
}
}
ExFreePoolWithTag(modules, POOL_TAG);
return addr;
}
ULONG KGetDriverImageSize2(PCHAR name) {
ULONG addr = 0;
ULONG size = 0;
NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, 0, 0, &size);
if (STATUS_INFO_LENGTH_MISMATCH != status) {
return addr;
}
PSYSTEM_MODULE_INFORMATION modules = (PSYSTEM_MODULE_INFORMATION)ExAllocatePoolWithTag(NonPagedPoolNx, size, POOL_TAG);
if (!modules) {
return addr;
}
if (!NT_SUCCESS(status = ZwQuerySystemInformation(SystemModuleInformation, modules, size, 0))) {
return addr;
}
for (ULONG i = 0; i < modules->NumberOfModules; ++i) {
SYSTEM_MODULE m = modules->Modules[i];
UCHAR buf[256 + 1];
RtlZeroMemory(buf, sizeof(buf));
memcpy(buf, m.FullPathName, 256);
if (StrStrIA((LPCSTR)buf, name)) {
addr = m.ImageSize;
break;
}
}
ExFreePoolWithTag(modules, POOL_TAG);
return addr;
}
PVOID KGetDriverImageBase(LPCWSTR DriverName) {
CHAR str[300];
UnicodeToAnsi(DriverName, str, 300);
return KGetDriverImageBase2(str);
}
ULONG KGetDriverImageSize(LPCWSTR DriverName) {
CHAR str[300];
UnicodeToAnsi(DriverName, str, 300);
return KGetDriverImageSize2(str);
}
ULONG64 KGetProcessCr3(PEPROCESS Process) {
return *(PULONG64)(((PUCHAR)Process) + 0x28);
}
ULONG g_cachedBuildNumber = 0;
ULONG KGetBuildNumber() {
if (g_cachedBuildNumber)
return g_cachedBuildNumber;
RTL_OSVERSIONINFOW ow;
if (!NT_SUCCESS(RtlGetVersion(&ow))) {
return 0;
}
g_cachedBuildNumber = ow.dwBuildNumber;
return ow.dwBuildNumber;
}
PVOID g_NtoskrnlBase = 0;
PVOID g_HaldllBase = 0;
PVOID KGetNtoskrnl() {
if (g_NtoskrnlBase) {
return g_NtoskrnlBase;
}
g_NtoskrnlBase = KGetDriverImageBase2("ntoskrnl.exe");
return g_NtoskrnlBase;
}
PVOID KGetProcAddress(PVOID ModuleHandle, LPCSTR ProcName) {
IMAGE_DOS_HEADER *idh = (IMAGE_DOS_HEADER *)ModuleHandle;
IMAGE_NT_HEADERS64 *inh = (IMAGE_NT_HEADERS64 *)(idh->e_lfanew + (PUCHAR)idh);
IMAGE_EXPORT_DIRECTORY *ied = (IMAGE_EXPORT_DIRECTORY *)((PUCHAR)ModuleHandle + inh->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
for (int i = 0; i < ied->NumberOfNames; i++) {
WORD index = ((WORD *)((PUCHAR)ModuleHandle + ied->AddressOfNameOrdinals))[i];
ULONG NameRVA = ((ULONG *)((PUCHAR)ModuleHandle + ied->AddressOfNames))[i];
PCSTR Name = (PCSTR)(((ULONG64)ModuleHandle) + NameRVA);
if (!strcmp(Name, ProcName)) {
ULONG FunRVA = ((ULONG *)((PUCHAR)ModuleHandle + ied->AddressOfFunctions))[index];
PUCHAR FunAddress = ((PUCHAR)ModuleHandle + FunRVA);
BOOLEAN IsBoundImport = FALSE;
ULONG BoundImportNameLenth = 0;
for (ULONG i = 0; i < 50; i++) {
PUCHAR pAddr = FunAddress + i;
UCHAR c = *pAddr;
if (c == '.' && i > 0) {
IsBoundImport = TRUE;
BoundImportNameLenth = i;
break;
}
else {
if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))) {
break;
}
}
}
if (IsBoundImport) {
UCHAR BoundImportModuleName[160];
RtlZeroMemory(BoundImportModuleName, sizeof(BoundImportModuleName));
memcpy(BoundImportModuleName, FunAddress, BoundImportNameLenth);
LPCSTR BoundImportFunctionName = (LPCSTR)(FunAddress + BoundImportNameLenth + 1);
ULONG64 base = (ULONG64)KGetDriverImageBase2((PCHAR)BoundImportModuleName);
if (base) {
return KGetProcAddress((PVOID)base, BoundImportFunctionName);
}
}
return FunAddress;
}
}
return NULL;
}
PVOID64 KGetPteBase_Signature() {
DWORD64 Ntoskrnl = (DWORD64)KGetNtoskrnl();
DWORD64 Fun = (DWORD64)KGetProcAddress((PVOID)Ntoskrnl, "MmGetVirtualForPhysical");
DWORD64 pos = FindSignatureCode_nocheck((LPCVOID)Fun, 0x200, "48BA????????????????48C1E219", 0);
if (pos == -1)return NULL;
return *(PVOID64 *)(pos + Fun + 2);
}
PVOID64 KGetPteBase() {
ULONG BuildNumber = KGetBuildNumber();
ULONG64 pte_base = 0;
if (BuildNumber < 14316) {
//win10
pte_base = 0xFFFFF68000000000;
}
else {
ULONG64 cr3_mask = ~(ULONG64)0xFFF;
ULONG64 cr3 = __readcr3() & cr3_mask;
PHYSICAL_ADDRESS phy;
phy.QuadPart = cr3;
ULONG64 vir = (ULONG64)MmGetVirtualForPhysical(phy);
if (vir) {
for (int i = 0; i < 0x200; i++) {
HardwarePteX64 v;
v.all = *(ULONG64*)(vir + i * 8);
if ((v.page_frame_number << 12) == cr3) {
ULONG64 addon = (ULONG64)i << 39;
pte_base = 0xFFFF000000000000 | addon;
break;
}
}
}
else {
pte_base = (ULONG64)KGetPteBase_Signature();
}
}
return (PVOID64)pte_base;
}
BOOL KIsAddressValid(PVOID Address) {
return MmiGetPhysicalAddress(Address) != 0;
}
VOID KRaiseIrqlToDpcOrHigh(PIRQL_STATE state) {
state->old_irql = __readcr8();
if (state->old_irql < DISPATCH_LEVEL) {
__writecr8(DISPATCH_LEVEL);
}
}
VOID KLowerIrqlToState(PIRQL_STATE state) {
if (state->old_irql < DISPATCH_LEVEL) {
__writecr8(state->old_irql);
}
}
ULONG64 KGetRspBase() {
return __readgsqword(0x1A8);
}
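Review bot: `KGetDriverImageBase2` leaks the `modules` pool allocation when the second `ZwQuerySystemInformation` call fails (the `return addr;` inside the `!NT_SUCCESS` check that follows `ExAllocatePoolWithTag`), and that path is reachable because the module list can grow between the size query and the fill call; free before returning, `if (!NT_SUCCESS(status = ZwQuerySystemInformation(SystemModuleInformation, modules, size, 0))) { ExFreePoolWithTag(modules, POOL_TAG); return addr; }`. `KGetDriverImageSize2` has the identical leak. Separately, `UnicodeToAnsi` clamps `len` to `MaxLenth` and then writes `AnsiStrBuffer[len] = 0`, which is one past the end whenever the input is at least `MaxLenth` characters long — `KGetDriverImageBase` and `KGetDriverImageSize` pass a 300-byte stack buffer with `MaxLenth` 300, so a long driver name overflows `str`; clamp to `MaxLenth - 1` (after checking `MaxLenth > 0`), and the same applies to `AnsiToUnicode`. A similar off-by-one sits in `FindSignatureCode_nocheck`: the `j > 299` check lets all 300 bytes of `realPattern` fill without a terminator, after which `__strlen__` in `CheckForSignureCode` reads past the buffer; `j >= 299` keeps the last byte zero.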


@ -0,0 +1,101 @@
#pragma once
#ifndef __DDKCOMMON_INCLUDED_
#pragma comment(lib,"oldnames.lib")
#pragma comment(linker,"/INCREMENTAL:NO")
#include "ntifs.h"
#include "ntimage.h"
#include "MyPEB.h"
#include "NtFunctionDefine.h"
#include "KernelAsm.h"
#include "MyMemoryIo64.h"
//#define print DbgPrint
#define print
#define WIN10 (10240)
#define WIN10_1507 (10240)
#define WIN10_1511 (10586)
#define WIN10_1607 (14393)
#define WIN10_1703 (15063)
#define WIN10_1709 (16299)
#define WIN10_1803 (17134)
#define WIN10_1809 (17763)
#define WIN10_1903 (18362)
#define WIN10_1909 (18363)
#define WIN10_2004 (19041)
#define WIN10_21H1 (19043)
#define POOL_TAG 'enoN'
typedef struct _XINPUT_GAMEPAD
{
WORD wButtons;
BYTE bLeftTrigger;
BYTE bRightTrigger;
SHORT sThumbLX;
SHORT sThumbLY;
SHORT sThumbRX;
SHORT sThumbRY;
} XINPUT_GAMEPAD, * PXINPUT_GAMEPAD;
typedef struct _XINPUT_STATE
{
DWORD dwPacketNumber;
XINPUT_GAMEPAD Gamepad;
} XINPUT_STATE, * PXINPUT_STATE;
typedef struct _KBuffer {
PVOID Address;
ULONG Size;
}KBuffer, * PKBuffer;
#ifdef __cplusplus
extern "C"{
#endif
LPWSTR WINAPI StrStrIW(LPCWSTR lpszStr, LPCWSTR lpszSearch);
LPSTR WINAPI StrStrIA(LPCSTR lpszStr, LPCSTR lpszSearch);
VOID Sleep(LONG Millsecond);
ULONG64 GetRealTime();
ULONG64 GetRealMicroTime();
LPSTR WINAPI StrStrIA(LPCSTR lpszStr, LPCSTR lpszSearch);
LPWSTR WINAPI StrStrIW(LPCWSTR lpszStr, LPCWSTR lpszSearch);
LPWSTR WINAPI StrStrNIW(LPCWSTR lpszStr, LPCWSTR lpszSearch, SIZE_T max_chars);
LPSTR WINAPI StrStrNIA(LPCSTR lpszStr, LPCSTR lpszSearch, SIZE_T max_chars);
INT64 FindSignatureCode_nocheck(LPCVOID Memory, UINT64 MemoryLenth, LPCSTR SignatureCode, UINT64 Pos);
ULONG64 ScanSection(LPCSTR SectionName, LPCSTR Pattern);
ULONG64 ScanSection_Image(LPCVOID hImage, LPCSTR SectionName, LPCSTR Pattern);
ULONG64 KGetProcessCr3(PEPROCESS Process);
PVOID KGetDriverImageBase(LPCWSTR DriverName);
PVOID KGetDriverImageBase2(PCHAR name);
ULONG KGetDriverImageSize(LPCWSTR DriverName);
PVOID KGetProcAddress(PVOID ModuleHandle, LPCSTR ProcName);
ULONG KGetBuildNumber();
PVOID KGetNtoskrnl();
PVOID64 KGetPteBase();
typedef struct _IRQL_STATE {
ULONG old_irql;
}IRQL_STATE, * PIRQL_STATE;
VOID KRaiseIrqlToDpcOrHigh(PIRQL_STATE state);
VOID KLowerIrqlToState(PIRQL_STATE state);
ULONG64 KGetRspBase();
#ifdef __cplusplus
}
#endif
#endif // !__DDKCOMMON_INCLUDED_
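Review bot: The include guard opened by `#ifndef __DDKCOMMON_INCLUDED_` has no matching `#define __DDKCOMMON_INCLUDED_`, so it never takes effect and only the `#pragma once` above it prevents double inclusion; add `#define __DDKCOMMON_INCLUDED_` on the line after the `#ifndef` (and prefer a name such as `DDKCOMMON_H_`, since identifiers beginning with a double underscore are reserved for the implementation). `StrStrIW` and `StrStrIA` are also declared twice inside the `extern "C"` block; drop the second pair. The accompanying `.cpp` additionally defines `KGetDriverImageSize2` and `KIsAddressValid`, which this header does not declare — presumably intentional, but a short comment saying so would stop the next reader from adding them.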


@ -0,0 +1,32 @@
;
; DICHook_OpenSource.inf
;
[Version]
Signature="$WINDOWS NT$"
Class=System
ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}
Provider=%ManufacturerName%
DriverVer=
CatalogFile=DICHook_OpenSource.cat
[DestinationDirs]
DefaultDestDir = 12
[SourceDisksNames]
1 = %DiskName%,,,""
[SourceDisksFiles]
[Manufacturer]
%ManufacturerName%=Standard,NT$ARCH$
[Standard.NT$ARCH$]
[Strings]
ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
ClassName=""
DiskName="DICHook_OpenSource Source Disk"


@ -0,0 +1,181 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM64">
<Configuration>Debug</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM64">
<Configuration>Release</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{788C82FC-D258-4C61-A8DA-C12DC560FCAD}</ProjectGuid>
<TemplateGuid>{dd38f7fc-d7bd-488b-9242-7d8754cde80d}</TemplateGuid>
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
<MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
<Configuration>Debug</Configuration>
<Platform Condition="'$(Platform)' == ''">Win32</Platform>
<RootNamespace>DICHook_OpenSource</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<TargetVersion>Windows7</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<EnableInf2cat>false</EnableInf2cat>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>TurnOffAllWarnings</WarningLevel>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
<BufferSecurityCheck>false</BufferSecurityCheck>
<ControlFlowGuard>false</ControlFlowGuard>
<FloatingPointModel>Fast</FloatingPointModel>
</ClCompile>
<Link>
<TreatLinkerWarningAsErrors>false</TreatLinkerWarningAsErrors>
<AdditionalDependencies>oldnames.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<Inf Include="DICHook_OpenSource.inf" />
</ItemGroup>
<ItemGroup>
<FilesToPackage Include="$(TargetPath)" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="DDKCommon.cpp" />
<ClCompile Include="HwidHook.cpp" />
<ClCompile Include="main.cpp" />
<ClCompile Include="MyMemoryIo64.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="DDKCommon.h" />
<ClInclude Include="HwidHook.h" />
<ClInclude Include="KernelAsm.h" />
<ClInclude Include="MyMemoryIo64.h" />
<ClInclude Include="MyPEB.h" />
<ClInclude Include="NtFunctionDefine.h" />
<ClInclude Include="vtstruct.h" />
</ItemGroup>
<ItemGroup>
<MASM Include="KernelAsm.asm" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
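Review bot: The `Debug|x64` `ItemDefinitionGroup` sets `<BufferSecurityCheck>false</BufferSecurityCheck>` and `<ControlFlowGuard>false</ControlFlowGuard>`, and the matching configuration group sets `<SpectreMitigation>false</SpectreMitigation>`, which strips /GS stack cookies, CFG and Spectre hardening from a kernel-mode driver that parses PE headers and scans memory with caller-supplied patterns; `<WarningLevel>TurnOffAllWarnings</WarningLevel>` in the group just above additionally hides the signed/unsigned and truncation warnings that code would otherwise raise. Unless there is a measured reason, remove those three elements so the toolset defaults apply, or add an XML comment in the project stating why they are disabled, and use `<WarningLevel>Level3</WarningLevel>` to restore diagnostics. The two `ItemDefinitionGroup` blocks carrying the same `Debug|x64` condition could also be merged into one.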


@ -0,0 +1,68 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
<Filter Include="Driver Files">
<UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
<Extensions>inf;inv;inx;mof;mc;</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<Inf Include="DICHook_OpenSource.inf">
<Filter>Driver Files</Filter>
</Inf>
</ItemGroup>
<ItemGroup>
<ClCompile Include="DDKCommon.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="HwidHook.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="main.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="MyMemoryIo64.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="DDKCommon.h">
<Filter>Source Files</Filter>
</ClInclude>
<ClInclude Include="HwidHook.h">
<Filter>Source Files</Filter>
</ClInclude>
<ClInclude Include="KernelAsm.h">
<Filter>Source Files</Filter>
</ClInclude>
<ClInclude Include="MyMemoryIo64.h">
<Filter>Source Files</Filter>
</ClInclude>
<ClInclude Include="MyPEB.h">
<Filter>Source Files</Filter>
</ClInclude>
<ClInclude Include="NtFunctionDefine.h">
<Filter>Source Files</Filter>
</ClInclude>
<ClInclude Include="vtstruct.h">
<Filter>Source Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<MASM Include="KernelAsm.asm">
<Filter>Source Files</Filter>
</MASM>
</ItemGroup>
</Project>


@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<SignMode>Off</SignMode>
</PropertyGroup>
</Project>


@ -0,0 +1,681 @@
#include "DDKCommon.h"
#include "HwidHook.h"
#include "ntddndis.h"
#include "kernelasm.h"
#include "ntifs.h"
#include "NtFunctionDefine.h"
#include "MyPEB.h"
#define printf
typedef struct _HOOK_DEVICE_IO_CONTEXT {
PVOID JmpPage;
PVOID Object;
ULONG64 iosb;
ULONG IoControlCode;
ULONG64 InputBuffer;
ULONG InputBufferLength;
ULONG64 OutputBuffer;
ULONG OutputBufferLength;
}HOOK_DEVICE_IO_CONTEXT;
typedef struct _HOOK_NTQUERY_CONTEXT {
PVOID JmpPage;
ULONG FsInformationClass;
ULONG64 FsInformation;
ULONG Length;
}HOOK_NTQUERY_CONTEXT;
typedef BOOL(*fnIoCtlPostCallback)(HOOK_DEVICE_IO_CONTEXT *);
fnIoCtlPostCallback g_IoCtlPostCallback = 0;
typedef void(*fndiccabk)(ULONG64, ULONG64, ULONG64, ULONG64, ULONG64);
typedef void(*fnntqcabk)(ULONG64, ULONG64, ULONG64);
typedef VOID(*fnExtraCallback)(VOID);
fndiccabk dicpostcabk = 0;
fndiccabk dicprecabk = 0;
fnntqcabk ntqcabk = 0;
fnExtraCallback pcabk = 0;
#include "vtstruct.h"
ULONG64 Search_FsInformation = 0;
ULONG Search_Length = 0;
ULONG64 Search_Object = 0;
ULONG64 pRetCodePage = 0;
ULONG64 pNtQueryRetCodePage = 0;
ULONG64 NtDeviceIoControlFileRet = 0;
ULONG64 NtFsControlFileRet = 0;
ULONG64 NtQueryVolumeInformationFileRet = 0;
ULONG RspOffset = 0;
ULONG RspOffset_NtQuery = 0;
ULONG NtDevice_Offset_Object = 0;
ULONG NtQuery_StackSize = 0;
LONG NtQuery_Offset_FsInformation = 0;
LONG NtQuery_Offset_Length = 0;
ULONG64 MyAllocEx() {
return 0;
}
VOID TestDeviceIoControl() {
HANDLE FileHandle = 0;
UNICODE_STRING name;
RtlInitUnicodeString(&name, L"\\??\\C:");
OBJECT_ATTRIBUTES oa;
InitializeObjectAttributes(&oa, &name, OBJ_CASE_INSENSITIVE, 0, 0);
IO_STATUS_BLOCK iosb;
RtlZeroMemory(&iosb, sizeof(IO_STATUS_BLOCK));
NTSTATUS stats = ZwCreateFile(&FileHandle, FILE_GENERIC_READ, &oa, &iosb, 0, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, 0, 0);
RtlZeroMemory(&iosb, sizeof(IO_STATUS_BLOCK));
PFILE_OBJECT obj = 0;
OBJECT_HANDLE_INFORMATION objhandle = { 0 };
RtlZeroMemory(&objhandle, sizeof(objhandle));
stats = ObReferenceObjectByHandle(FileHandle, 0, *IoFileObjectType, KernelMode, (PVOID *)&obj, &objhandle);
if (!NT_SUCCESS(stats)) {
ZwClose(FileHandle);
KeBugCheck(0x56009);
}
ObDereferenceObject(obj);
Search_Object = (ULONG64)obj;
typedef NTSTATUS
(*NTAPI fnNtDeviceIoControlFile)(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_ ULONG IoControlCode,
_In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,
_In_ ULONG InputBufferLength,
_Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer,
_In_ ULONG OutputBufferLength
);
fnNtDeviceIoControlFile pNtDeviceIoControlFile = (fnNtDeviceIoControlFile)KGetProcAddress(KGetNtoskrnl(), "NtDeviceIoControlFile");
UCHAR Input[4] = { 0 };
UCHAR Output[4] = { 0 };
ULONG64 Magic[2];
Magic[0] = 0x1122334455667788;
Magic[1] = 0x8877665544772299;
pNtDeviceIoControlFile(FileHandle, 0, 0, 0, &iosb, IOCTL_NDIS_QUERY_GLOBAL_STATS, Input, 4, Output, 4);
ZwClose(FileHandle);
}
VOID TestNtQueryVolumeInformationFile() {
HANDLE FileHandle = 0;
UNICODE_STRING name;
RtlInitUnicodeString(&name, L"\\??\\C:");
OBJECT_ATTRIBUTES oa;
InitializeObjectAttributes(&oa, &name, OBJ_CASE_INSENSITIVE, 0, 0);
IO_STATUS_BLOCK iosb;
RtlZeroMemory(&iosb, sizeof(IO_STATUS_BLOCK));
NTSTATUS stats = ZwCreateFile(&FileHandle, FILE_GENERIC_READ, &oa, &iosb, 0, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, 0, 0);
RtlZeroMemory(&iosb, sizeof(IO_STATUS_BLOCK));
FILE_FS_OBJECTID_INFORMATION *pinfo = (FILE_FS_OBJECTID_INFORMATION *)ExAllocatePoolWithTag(NonPagedPoolNx, 0x2000, POOL_TAG);
RtlZeroMemory(pinfo, sizeof(FILE_FS_OBJECTID_INFORMATION));
ULONG64 Mark[2];
Mark[0] = 0xCC22334455666688;
Mark[1] = 0xAA77665544333399;
Search_FsInformation = (ULONG64)pinfo;
Search_Length = 0x1238;
NtQueryVolumeInformationFile(FileHandle, &iosb, pinfo, 0x1238, FileFsObjectIdInformation);
ExFreePoolWithTag(pinfo, POOL_TAG);
ZwClose(FileHandle);
}
ULONG64 GetIopDispatchAllocateIrp() {
ULONG BuildNumber = KGetBuildNumber();
if (BuildNumber >= 15063) {
//8B 05 ?? ?? ?? ?? 44 8A C2
ULONG64 pos = ScanSection(".text", "8B05????????448AC2");
if (pos) {
return *(LONG *)(pos + 2) + pos + 6;
}
else {
pos = ScanSection(".text", "8B05????????440FB6C2");
if (pos) {
return *(LONG *)(pos + 2) + pos + 6;
}
}
}
return 0;
}
BOOL InitStackSize() {
ULONG64 ntos = (ULONG64)KGetNtoskrnl();
ULONG64 pNtQueryVolumeInformationFile = (ULONG64)KGetProcAddress((PVOID)ntos, "NtQueryVolumeInformationFile");
//63 ?? 24 ?? ?? 00 00
ULONG64 pos = FindSignatureCode_nocheck((LPCVOID)pNtQueryVolumeInformationFile, 0x200, "63??24????0000", 0);
if (pos == -1)return FALSE;
NtQuery_StackSize = *(ULONG *)(pos + pNtQueryVolumeInformationFile + 3) - 0x28;
return TRUE;
}
namespace DispatchControl {
BOOLEAN enable_ntq = TRUE;
BOOLEAN enable = FALSE;
BOOLEAN Inited = FALSE;
}
VOID DispatchCallback(ULONG64 pRsp) {
static const unsigned char shellcode[] = "\x48\xB9\x00\x00\x00\x00\x00\x10\x00\x00\x51\x48\xB9\x00\x00\x00\x00\x00\x10\x00\x00\x50\xC7\x04\x24\x00\x00\x00\x10\xC7\x44\x24\x04\x00\x00\x00\x10\xC3"
;
KIRQL irql = AsmReadCr8() & 0xFF;
if (irql >= DISPATCH_LEVEL)return;
ULONG64 RFlag = AsmGetRFlags();
if (RFlag & 0x10000) {
return;
}
int Pid = (int)PsGetProcessId(PsGetCurrentThreadProcess());
if ((int)Pid != 4) {
if (pcabk) {
pcabk();
}
}
ULONG64 Low = 0, High = 0;
IoGetStackLimits(&Low, &High);
if (DispatchControl::Inited == FALSE) {
if (RspOffset == 0 || DispatchControl::enable_ntq ? RspOffset_NtQuery == 0 : false) {
PULONG64 Rsp = (PULONG64)pRsp;
for (int i = 0; (ULONG64)Rsp < High - 8; Rsp++, i++) {
if (RspOffset == 0) {
if (Rsp[0] == 0x1122334455667788) {
if (Rsp[1] == 0x8877665544772299) {
//DbgBreakPoint();
ULONG64 OLRSP = (ULONG64)Rsp;
for (int j = 0; OLRSP > pRsp && j < 0x1000; OLRSP -= 8, j += 8) {
if (*(ULONG64*)OLRSP == NtDeviceIoControlFileRet) {
RspOffset = OLRSP - pRsp;
//printf("[112233] RspOffset %x\n", RspOffset);
ULONG64 OOLRSP = OLRSP;
for (int p = 0; OOLRSP > pRsp && p < 0x1000; OOLRSP -= 8, p += 8) {
//search arg offset
if (NtDevice_Offset_Object)
break;
if (NtDevice_Offset_Object == 0) {
if (*(ULONG64*)OOLRSP == Search_Object) {
NtDevice_Offset_Object = OOLRSP - pRsp;
continue;
}
}
}
break;
}
}
}
}
if (RspOffset)break;
}
if (RspOffset_NtQuery == 0 && DispatchControl::enable_ntq) {
if (Rsp[0] == 0xCC22334455666688) {
if (Rsp[1] == 0xAA77665544333399) {
ULONG64 OLRSP = (ULONG64)Rsp;
for (int j = 0; OLRSP > pRsp && j < 0x800; OLRSP -= 8, j += 8) {
if (*(ULONG64*)OLRSP == NtQueryVolumeInformationFileRet) {
RspOffset_NtQuery = OLRSP - pRsp;
ULONG64 OOLRSP = OLRSP;
for (int p = 0; OOLRSP > pRsp && p < 0x800; OOLRSP -= 8, p += 8) {
//search arg offset
if (NtQuery_Offset_FsInformation && NtQuery_Offset_Length)
break;
if (NtQuery_Offset_FsInformation == 0) {
if (*(ULONG64*)OOLRSP == Search_FsInformation) {
NtQuery_Offset_FsInformation = OOLRSP - pRsp;
continue;
}
}
if (NtQuery_Offset_Length == 0) {
if (*(ULONG*)OOLRSP == Search_Length) {
NtQuery_Offset_Length = OOLRSP - pRsp;
continue;
}
}
}
if (NtQuery_Offset_Length == 0) {
KeBugCheck(0x33221);
}
if (NtQuery_Offset_FsInformation == 0) {
KeBugCheck(0x33222);
}
break;
}
}
printf("[112233] RspOffset_NtQuery:%x\n", RspOffset_NtQuery);
printf("[112233] FsInformation:%x Length:%x\n", NtQuery_Offset_FsInformation, NtQuery_Offset_Length);
}
}
if (RspOffset_NtQuery)break;
}
}
//printf("[112233] RspOffset:%x RspOffset_Ntquery:%x\n", RspOffset, RspOffset_NtQuery);
}
}
if (RspOffset) {
if (High - pRsp > RspOffset) {
if (*(ULONG64 *)(pRsp + RspOffset) == NtDeviceIoControlFileRet || *(ULONG64*)(pRsp + RspOffset) == NtFsControlFileRet) {
ULONG64 LRSP = (ULONG64)(pRsp + RspOffset);
ULONG64 Object = *(ULONG64 *)(pRsp + NtDevice_Offset_Object);
ULONG64 iosb = *(ULONG64*)(LRSP + 8 + 0x90);
ULONG ControlCode = *(ULONG *)(LRSP + 8 + 0x98);
ULONG64 InputBuffer = *(ULONG64 *)(LRSP + 8 + 0xA0);
ULONG InputBufferLength = *(ULONG *)(LRSP + 8 + 0xA8);
ULONG64 OutputBuffer = *(ULONG64 *)(LRSP + 8 + 0xB0);
ULONG OutputBufferLength = *(ULONG *)(LRSP + 8 + 0xB8);
HOOK_DEVICE_IO_CONTEXT lContext;
RtlZeroMemory(&lContext, sizeof(lContext));
lContext.iosb = iosb;
lContext.InputBuffer = InputBuffer;
lContext.InputBufferLength = InputBufferLength;
lContext.OutputBuffer = OutputBuffer;
lContext.OutputBufferLength = OutputBufferLength;
lContext.IoControlCode = ControlCode;
lContext.Object = (PVOID)Object;
if (g_IoCtlPostCallback(&lContext)) {
HOOK_DEVICE_IO_CONTEXT *Context = (HOOK_DEVICE_IO_CONTEXT *)ExAllocatePoolWithTag(NonPagedPoolNx, sizeof(lContext), POOL_TAG);
RtlZeroMemory(Context, sizeof(HOOK_DEVICE_IO_CONTEXT));
memcpy(Context, &lContext, sizeof(lContext));
PUCHAR JmpPage = (PUCHAR)ExAllocatePoolWithTag(NonPagedPool, sizeof(shellcode)+1, POOL_TAG);
memcpy(JmpPage, shellcode, sizeof(shellcode));
ULONG offset = 0;
*(ULONG64 *)(JmpPage + 0x2 + offset) = *(ULONG64 *)(LRSP + 0x70);
*(ULONG64 *)(JmpPage + 0xd + offset) = (ULONG64)Context;
LARGE_INTEGER Addr;
Addr.QuadPart = pRetCodePage;
*(ULONG *)(JmpPage + 0x19 + offset) = Addr.LowPart;
*(ULONG *)(JmpPage + 0x21 + offset) = Addr.HighPart;
Context->JmpPage = JmpPage;
*(ULONG64 *)(LRSP + 0x70) = (ULONG64)JmpPage;
}
return;
}
}
}
if (RspOffset_NtQuery && DispatchControl::enable_ntq) {
if (High - pRsp > RspOffset_NtQuery) {
if (*(ULONG64 *)(pRsp + RspOffset_NtQuery) == NtQueryVolumeInformationFileRet) {
ULONG64 LRSP = (ULONG64)(pRsp + RspOffset_NtQuery);
ULONG FsInfomationClass = *(ULONG *)(LRSP + 8 + NtQuery_StackSize + 0x28);
ULONG64 FsInformation = *(ULONG64 *)(pRsp + NtQuery_Offset_FsInformation);
ULONG Length = *(ULONG *)(pRsp + NtQuery_Offset_Length);
printf("[112233] NtQ Class %d FsInfomation %p Length %x\n", FsInfomationClass, FsInformation, Length);
HOOK_NTQUERY_CONTEXT* Context = (HOOK_NTQUERY_CONTEXT*)ExAllocatePoolWithTag(NonPagedPoolNx, sizeof(HOOK_NTQUERY_CONTEXT), POOL_TAG);
RtlZeroMemory(Context, sizeof(HOOK_NTQUERY_CONTEXT));
Context->FsInformation = FsInformation;
Context->FsInformationClass = FsInfomationClass;
Context->Length = Length;
PUCHAR JmpPage = (PUCHAR)ExAllocatePoolWithTag(NonPagedPool, sizeof(shellcode)+1, POOL_TAG);
memcpy(JmpPage, shellcode, sizeof(shellcode));
ULONG offset = 0;
*(ULONG64 *)(JmpPage + 0x2 + offset) = *(ULONG64 *)(LRSP + 8 + NtQuery_StackSize);
*(ULONG64 *)(JmpPage + 0xd + offset) = (ULONG64)Context;
LARGE_INTEGER Addr;
Addr.QuadPart = pNtQueryRetCodePage;
*(ULONG *)(JmpPage + 0x19 + offset) = Addr.LowPart;
*(ULONG *)(JmpPage + 0x21 + offset) = Addr.HighPart;
Context->JmpPage = JmpPage;
*(ULONG64 *)(LRSP + 8 + NtQuery_StackSize) = (ULONG64)JmpPage;
}
}
}
return;
}
BOOLEAN g_hooked = FALSE;
VOID InstallHook(fnIoCtlPostCallback PostCallback, PVOID PreCallback, PVOID NtQueryPre) {
if (g_hooked == TRUE) {
return;
}
static unsigned char shellcode[] = "\x50\x53\x51\x52\x56\x57\x55\x41\x50\x41\x51\x41\x52\x41\x53\x41\x54\x41\x55\x41\x56\x41\x57\x9C\x48\x8D\x8C\x24\x80\x00\x00\x00\x48\xB8\x00\x00\x00\x00\x00\x01\x00\x00\x48\x35\xFF\xFF\xFF\x7F\x48\x93\xE8\x30\x00\x00\x00\xFF\xD3\xE8\x3E\x00\x00\x00\x9D\x41\x5F\x41\x5E\x41\x5D\x41\x5C\x41\x5B\x41\x5A\x41\x59\x41\x58\x5D\x5F\x5E\x5A\x59\x5B\x58\x50\xC7\x04\x24\x00\x00\x00\x10\xC7\x44\x24\x04\x00\x00\x00\x10\xC3\x4C\x8D\x5C\x24\x08\x48\x83\xE4\xF0\x41\x53\x41\x53\x48\x83\xEC\x30\x41\xFF\x63\xF8\x41\x5B\x48\x83\xC4\x38\x5C\x41\xFF\xE3"
;
static unsigned char shellcode2[] = "\x50\x53\x51\x52\x56\x57\x55\x41\x50\x41\x51\x41\x52\x41\x53\x41\x54\x41\x55\x41\x56\x41\x57\x9C\x48\xB8\x00\x00\x00\x00\x00\x01\x00\x00\x48\x35\xFF\xFF\xFF\x7F\x48\x93\xE8\x20\x00\x00\x00\xFF\xD3\xE8\x2E\x00\x00\x00\x9D\x41\x5F\x41\x5E\x41\x5D\x41\x5C\x41\x5B\x41\x5A\x41\x59\x41\x58\x5D\x5F\x5E\x5A\x59\x5B\x58\xC3\x4C\x8D\x5C\x24\x08\x48\x83\xE4\xF0\x41\x53\x41\x53\x48\x83\xEC\x30\x41\xFF\x63\xF8\x41\x5B\x48\x83\xC4\x38\x5C\x41\xFF\xE3"
;
static unsigned char shellcode3[] = "\x50\x53\x51\x52\x56\x57\x55\x41\x50\x41\x51\x41\x52\x41\x53\x41\x54\x41\x55\x41\x56\x41\x57\x9C\x48\x89\xC2\x48\xB8\x00\x00\x00\x00\x01\x00\x00\x00\x48\x35\xFF\xFF\xFF\x7F\x48\x93\xE8\x20\x00\x00\x00\xFF\xD3\xE8\x2E\x00\x00\x00\x9D\x41\x5F\x41\x5E\x41\x5D\x41\x5C\x41\x5B\x41\x5A\x41\x59\x41\x58\x5D\x5F\x5E\x5A\x59\x5B\x58\xC3\x4C\x8D\x5C\x24\x08\x48\x83\xE4\xF0\x41\x53\x41\x53\x48\x83\xEC\x30\x41\xFF\x63\xF8\x41\x5B\x48\x83\xC4\x38\x5C\x41\xFF\xE3"
;
static unsigned char shellcode4[] = "\x53\x51\x52\x56\x57\x55\x41\x50\x41\x51\x41\x52\x41\x53\x41\x54\x41\x55\x41\x56\x41\x57\x9C\x48\x89\xC2\x48\xB8\x00\x00\x00\x00\x01\x00\x00\x00\x48\x35\xFF\xFF\xFF\x7F\x48\x93\xE8\x1F\x00\x00\x00\xFF\xD3\xE8\x2D\x00\x00\x00\x9D\x41\x5F\x41\x5E\x41\x5D\x41\x5C\x41\x5B\x41\x5A\x41\x59\x41\x58\x5D\x5F\x5E\x5A\x59\x5B\xC3\x4C\x8D\x5C\x24\x08\x48\x83\xE4\xF0\x41\x53\x41\x53\x48\x83\xEC\x30\x41\xFF\x63\xF8\x41\x5B\x48\x83\xC4\x38\x5C\x41\xFF\xE3"
;
if (!InitStackSize())KeBugCheck(0x897877);
ULONG BuildNumber = KGetBuildNumber();
ULONG64 ntos = (ULONG64)KGetNtoskrnl();
ULONG offset = 0;
ULONG64 ViPacketLookaside = 0;
//ViPacketLookaside
//48 8B F9 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C9
//48 8D 0D ?? ?? ?? ?? 66 89 74 24 ?? 41 B9 00 02 00 00 C7 44 24 ?? 49 72 70 74
//48 8B D3 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? F0 FF 0D
ULONG64 pos = ScanSection("PAGEVRFY", "488BF9488D0D????????E8????????33C9");
if (pos) {
ViPacketLookaside = *(LONG*)(pos + 6) + pos + 10;
}
else {
pos = ScanSection("PAGEVRFY", "48 8D 0D ?? ?? ?? ?? 66 89 74 24 ?? 41 B9 00 02 00 00 C7 44 24 ?? 49 72 70 74");
if (pos) {
ViPacketLookaside = *(LONG*)(pos + 3) + pos + 7;
}
else {
pos = ScanSection("PAGEVRFY", "48 8B D3 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? F0 FF 0D");
if (pos) {
ViPacketLookaside = *(LONG*)(pos + 6) + pos + 10;
}
}
}
if (!ViPacketLookaside) {
KeBugCheck(0x957778);
}
//DbgPrint("[112233] ViPacketLookaside %p\n", ViPacketLookaside);
//48 8D 0D ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 01 00 00 00 E8
if (*(ULONG64 *)(ViPacketLookaside + 0x30) == 0) {
pos = ScanSection("PAGEVRFY", "488D0D????????C705????????01000000E8");
if (!pos) {
pos = ScanSection("PAGE", "488D0D????????C705????????01000000E8");
if (!pos)KeBugCheck(0x957776);
}
ULONG64 VfInitVerifierComponents = *(LONG *)(pos + 3) + pos + 7;
typedef ULONG64(*fnVfInitVerifierComponents)(ULONG64, ULONG64, ULONG64);
fnVfInitVerifierComponents v = (fnVfInitVerifierComponents)VfInitVerifierComponents;
v(0, 0, 0);
}
ULONG64 VfIoDisabled = 0;
if (BuildNumber < 10240) {
//win7 8B 05 ?? ?? ?? ?? 33 FF 49 8B F1
pos = ScanSection("PAGEVRFY", "8B05????????33FF498BF1");
if (!pos) KeBugCheck(0x6765544);
VfIoDisabled = *(LONG *)(pos + 2) + pos + 6;
}
else {
//8B 05 ?? ?? ?? ?? 40 FE C5
pos = ScanSection("PAGEVRFY", "8B05????????40FEC5");
if (!pos) KeBugCheck(0x6765544);
VfIoDisabled = *(LONG *)(pos + 2) + pos + 6;
}
ULONG64 IovAllocateIrp = 0;
ULONG64 pIoAllocateIrp = 0;
ULONG64 IopDispatchAllocateIrp = 0;
if (BuildNumber < 10240) {
//48 8D 05 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 89 05
pos = ScanSection("PAGEVRFY", "488D05????????488D15????????488905");
if (!pos) KeBugCheck(0x6725544);
IovAllocateIrp = *(LONG *)(pos + 3) + pos + 7;
pIoAllocateIrp = *(LONG *)(pos + 17) + pos + 21;
*(ULONG64 *)(pIoAllocateIrp) = IovAllocateIrp;
}
else if (BuildNumber >= 10240 && BuildNumber <= 14393) {
//48 8D 05 ?? ?? ?? ?? 48 87 05 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? 48 87 0D ?? ?? ?? ?? 48 8D 05
pos = ScanSection(".text", "488D05????????488705????????488D0D????????48870D????????488D05");
if (!pos) KeBugCheck(0x6725544);
IovAllocateIrp = *(LONG *)(pos + 3) + pos + 7;
pIoAllocateIrp = *(LONG *)(pos + 10) + pos + 14;
*(ULONG64 *)(pIoAllocateIrp) = IovAllocateIrp;
}
else if (BuildNumber >= 15063) {
//87 05 ?? ?? ?? ?? 87 0D
pos = ScanSection(".text", "8705????????870D");
if (!pos) KeBugCheck(0x6725544);
IopDispatchAllocateIrp = *(LONG *)(pos + 2) + pos + 6;
//if (!IopDispatchAllocateIrp)return;
*(int *)(IopDispatchAllocateIrp) = 1;
}
ULONG bn = KGetBuildNumber();
//E8 ?? ?? ?? ?? 48 8B D8 48 89 84 24 ?? ?? ?? ?? 48 85 C0
//E8 ?? ?? ?? ?? 48 83 C4
ULONG64 pNtDeviceIoControlFile = (ULONG64)KGetProcAddress((PVOID)ntos, "NtDeviceIoControlFile");
pos = FindSignatureCode_nocheck((LPCVOID)pNtDeviceIoControlFile, 0x200, "E8????????4883C4", 0);
if (pos == -1)KeBugCheck(0x89997);
NtDeviceIoControlFileRet = pos + pNtDeviceIoControlFile + 5;
ULONG64 pNtFsControlFile = (ULONG64)KGetProcAddress((PVOID)ntos, "NtFsControlFile");
pos = FindSignatureCode_nocheck((LPCVOID)pNtFsControlFile, 0x200, "E8????????4883C4", 0);
if (pos == -1)KeBugCheck(0x89998);
NtFsControlFileRet = pos + pNtFsControlFile + 5;
//printf("[112233] NtDeviceIoControlFileRet %p\n", NtDeviceIoControlFileRet);
//printf("[112233] NtFsControlFileRet %p\n", NtFsControlFileRet);
//DbgPrint("[112233] IoCreateFileRet:%p\n", IoCreateFileRet);
//45 33 C9 ?? ?? ?? ?? 48 8B 15 ?? ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ??
//DbgPrint("[112233] IopCreateFileRet:%p\n", IopCreateFileRet);
//DbgBreakPoint();
ULONG64 pNtQueryVolumeInformationFile = (ULONG64)KGetProcAddress((PVOID)ntos, "NtQueryVolumeInformationFile");
if (BuildNumber < WIN10_1507) {
//4C E8 ?? ?? ?? ?? 48
pos = FindSignatureCode_nocheck((LPCVOID)pNtQueryVolumeInformationFile, 0x1000, "4CE8????????48", 0);
if (pos == -1)KeBugCheck(0x89967);
NtQueryVolumeInformationFileRet = pos + pNtQueryVolumeInformationFile + 6;
}
else if (BuildNumber >= WIN10_1507 && BuildNumber <= WIN10_1607) {
//4C ?? ?? ?? FF 15 ?? ?? ?? ?? ?? ?? ?? 48
pos = FindSignatureCode_nocheck((LPCVOID)pNtQueryVolumeInformationFile, 0x1000, "4C??????FF15??????????????48", 0);
if (pos == -1)KeBugCheck(0x89967);
NtQueryVolumeInformationFileRet = pos + pNtQueryVolumeInformationFile + 10;
}
else if (BuildNumber >= WIN10_1703) {
//4C ?? 8B ?? E8 ?? ?? ?? ?? ?? 89
//4C ?? 8B ?? E8 ?? ?? ?? ?? ?? 8B ?? 48 89 44 24
//4C E8 ?? ?? ?? ?? ?? 8B ?? 48 89 44 24
//4C ?? 8B ?? E8 ?? ?? ?? ?? 48 89 44 24
pos = FindSignatureCode_nocheck((LPCVOID)pNtQueryVolumeInformationFile, 0x1000, "4C ?? 8B ?? E8 ?? ?? ?? ?? ?? 89", 0);
if (pos != -1) {
NtQueryVolumeInformationFileRet = pos + pNtQueryVolumeInformationFile + 9;
}
else {
pos = FindSignatureCode_nocheck((LPCVOID)pNtQueryVolumeInformationFile, 0x600, "4C ?? 8B ?? E8 ?? ?? ?? ?? ?? 8B ?? 48 89 44 24", 0);
if (pos != -1) {
NtQueryVolumeInformationFileRet = pos + pNtQueryVolumeInformationFile + 9;
}
else {
pos = FindSignatureCode_nocheck((LPCVOID)pNtQueryVolumeInformationFile, 0x800, "4C E8 ?? ?? ?? ?? ?? 8B ?? 48 89 44 24", 0);
if (pos != -1) {
NtQueryVolumeInformationFileRet = pos + pNtQueryVolumeInformationFile + 6;
}
else {
KeBugCheck(0x89967);
}
}
}
}
//DbgPrint("[112233] NtQueryVolumeInformationFile %p\n", pNtQueryVolumeInformationFile);
//DbgPrint("[112233] NtQueryVolumeInformationFileRet %p\n", NtQueryVolumeInformationFileRet);
if (!NtQueryVolumeInformationFileRet)
KeBugCheck(0x89967);
if (BuildNumber < 10240) {
*(ULONG64*)(pIoAllocateIrp) = IovAllocateIrp;
}
else if (BuildNumber >= 10240 && BuildNumber <= 14393) {
*(ULONG64*)(pIoAllocateIrp) = IovAllocateIrp;
}
else if (BuildNumber >= 15063) {
*(int*)(IopDispatchAllocateIrp) = 1;
}
KIRQL irql = KeRaiseIrqlToDpcLevel();
pRetCodePage = (ULONG64)ExAllocatePool(NonPagedPool, 0x500);
memcpy((PVOID)pRetCodePage, shellcode2, sizeof(shellcode2));
*(ULONG64*)(pRetCodePage + 0x1A) = ((ULONG64)PreCallback) ^ 0x7fffffff;
pNtQueryRetCodePage = (ULONG64)ExAllocatePool(NonPagedPool, 0x500);
memcpy((PVOID)pNtQueryRetCodePage, shellcode3, sizeof(shellcode3));
*(ULONG64*)(pNtQueryRetCodePage + 0x1D) = ((ULONG64)NtQueryPre) ^ 0x7fffffff;
g_IoCtlPostCallback = PostCallback;
PUCHAR pcode = (PUCHAR)ExAllocatePool(NonPagedPool, 0x500);
memcpy(pcode, shellcode, sizeof(shellcode));
*(ULONG64 *)(pcode + 0x22 + offset) = ((ULONG64)DispatchCallback) ^ 0x7fffffff;
ULONG64 pfn = *(ULONG64*)(ViPacketLookaside + 0x30);
ULONG64 Origin = pfn;
if (MmiGetPhysicalAddress((PVOID)pfn)) {
if (*(ULONG64*)pfn == *(ULONG64*)shellcode) {
LARGE_INTEGER new_addr;
new_addr.LowPart = *(ULONG*)(pfn + 0x5A + offset);
new_addr.HighPart = *(ULONG*)(pfn + 0x62 + offset);
Origin = new_addr.QuadPart;
}
}
LARGE_INTEGER Addr;
Addr.QuadPart = (ULONG64)MyAllocEx;
*(ULONG *)(pcode + 0x5A + offset) = Addr.LowPart;
*(ULONG *)(pcode + 0x62 + offset) = Addr.HighPart;
InterlockedExchange64((volatile LONG64*)(ViPacketLookaside + 0x30), (LONG64)pcode);
*(DWORD*)(pcode + sizeof(shellcode)) = 0xDEADBEEF;
*(int*)(VfIoDisabled) = 0;
KeLowerIrql(irql);
//*(int *)(IopDispatchAllocateIrp) = 1;
TestDeviceIoControl();
TestNtQueryVolumeInformationFile();
DispatchControl::Inited = TRUE;
}
BOOL FnDICPostCallback(HOOK_DEVICE_IO_CONTEXT *Context) {
if (Context) {
PFILE_OBJECT FileObject = (PFILE_OBJECT)Context->Object;
if (dicpostcabk) {
dicpostcabk(Context->IoControlCode, Context->InputBuffer, Context->InputBufferLength, Context->OutputBuffer, Context->OutputBufferLength);
}
return TRUE;
}
return FALSE;
}
VOID FnDICPreCallback(HOOK_DEVICE_IO_CONTEXT *aContext){
if (aContext) {
HOOK_DEVICE_IO_CONTEXT Context = *aContext;
ExFreePoolWithTag(Context.JmpPage, POOL_TAG);
ExFreePoolWithTag(aContext, POOL_TAG);
if (dicprecabk) {
dicprecabk(Context.IoControlCode, Context.InputBuffer, Context.InputBufferLength, Context.OutputBuffer, Context.OutputBufferLength);
}
}
}
VOID FnNtQueryPreCallback(HOOK_NTQUERY_CONTEXT *aContext) {
if (aContext) {
HOOK_NTQUERY_CONTEXT Context = *aContext;
ExFreePoolWithTag(Context.JmpPage, POOL_TAG);
ExFreePoolWithTag(aContext, POOL_TAG);
if (ntqcabk) {
ntqcabk(Context.FsInformationClass, Context.FsInformation, Context.Length);
}
}
}
BOOL DICPostCallback(HOOK_DEVICE_IO_CONTEXT* Context) {
//提升irql至2,关闭smap
IRQL_STATE state;
KRaiseIrqlToDpcOrHigh(&state);
Cr4 cr4;
cr4.all = __readcr4();
bool smap = cr4.fields.smap == 1;
if (smap) {
cr4.fields.smap = 0;
__writecr4(cr4.all);
}
BOOL ret = FnDICPostCallback(Context);
if (smap) {
cr4.fields.smap = 1;
__writecr4(cr4.all);
}
KLowerIrqlToState(&state);
return ret;
}
VOID DICPreCallback(HOOK_DEVICE_IO_CONTEXT* aContext) {
//提升irql至2,关闭smap
IRQL_STATE state;
KRaiseIrqlToDpcOrHigh(&state);
Cr4 cr4;
cr4.all = __readcr4();
bool smap = cr4.fields.smap == 1;
if (smap) {
cr4.fields.smap = 0;
__writecr4(cr4.all);
}
FnDICPreCallback(aContext);
if (smap) {
cr4.fields.smap = 1;
__writecr4(cr4.all);
}
KLowerIrqlToState(&state);
}
VOID NtQueryPreCallback(HOOK_NTQUERY_CONTEXT* aContext) {
//提升irql至2,关闭smap
IRQL_STATE state;
KRaiseIrqlToDpcOrHigh(&state);
Cr4 cr4;
cr4.all = __readcr4();
bool smap = cr4.fields.smap == 1;
if (smap) {
cr4.fields.smap = 0;
__writecr4(cr4.all);
}
FnNtQueryPreCallback(aContext);
if (smap) {
cr4.fields.smap = 1;
__writecr4(cr4.all);
}
KLowerIrqlToState(&state);
}
VOID setpcabk(PVOID fun) {
pcabk = (fnExtraCallback)fun;
InstallHook(DICPostCallback, DICPreCallback, NtQueryPreCallback);
}
VOID setdicpostcabk(PVOID func) {
dicpostcabk = (fndiccabk)func;
InstallHook(DICPostCallback, DICPreCallback, NtQueryPreCallback);
}
VOID setdicprecabk(PVOID func) {
dicprecabk = (fndiccabk)func;
InstallHook(DICPostCallback, DICPreCallback, NtQueryPreCallback);
}
VOID setntqcabk(PVOID func) {
ntqcabk = (fnntqcabk)func;
}
VOID setntqhookstats(BOOL stats) {
DispatchControl::enable_ntq = stats;
}
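Review bot: `g_hooked` is tested at the top of `InstallHook` but never assigned anywhere in the file, so the early-return guard is dead and every `setpcabk`/`setdicpostcabk`/`setdicprecabk` call re-runs the whole install: `InitStackSize`, fresh `ExAllocatePool` pages for `pRetCodePage`, `pNtQueryRetCodePage` and `pcode` (the previous ones are never freed), the `InterlockedExchange64` and both Test* calls. Either set `g_hooked = TRUE;` next to `DispatchControl::Inited = TRUE;` at the end of the function, or drop the variable if re-installation is intended. Separately, in `DispatchCallback` the condition `RspOffset == 0 || DispatchControl::enable_ntq ? RspOffset_NtQuery == 0 : false` parses as `(RspOffset == 0 || enable_ntq) ? (RspOffset_NtQuery == 0) : false` because `||` binds tighter than `?:`, which contradicts the separate `if (RspOffset == 0)` / `if (RspOffset_NtQuery == 0 && ...)` branches inside the loop; the intent reads as `if (RspOffset == 0 || (DispatchControl::enable_ntq && RspOffset_NtQuery == 0))`. The `#define printf` at the top turns each `printf(...)` into a bare comma expression that still evaluates its arguments; a named no-op such as `#define DBGLOG(...) ((void)0)` makes the silenced logging explicit and avoids unused-value warnings.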


@ -0,0 +1,26 @@
#pragma once
#ifndef _SPOOFER_INCLUDED_
#define _SPOOFER_INCLUDED_
#include "ntifs.h"
#include "DDKCommon.h"
#ifdef __cplusplus
extern "C" {
#endif
VOID setpcabk(PVOID fun);
VOID setdicpostcabk(PVOID func);
VOID setdicprecabk(PVOID func);
VOID setntqcabk(PVOID func);
VOID setntqhookstats(BOOL stats);
#ifdef __cplusplus
}
#endif
#endif // !_SPOOFER_INCLUDED_


@ -0,0 +1,270 @@
.code
_text SEGMENT
ReadSsQ PROC
db 36h,48h, 08bh, 01h
ret
ReadSsQ ENDP
AsmInt2F PROC
int 2Fh
ret
AsmInt2F ENDP
AsmIntE1 PROC
int 0E1h
ret
AsmIntE1 ENDP
AsmRdtsc PROC
rdtsc
and rax,0FFFFFFFFh
and rdx,0FFFFFFFFh
rol rdx,32
or rax,rdx
ret
AsmRdtsc ENDP
AsmGetRFlags PROC
pushfq
pop rax
ret
AsmGetRFlags ENDP
AsmGetRSP PROC
mov rax,rsp
add rax,8
ret
AsmGetRSP ENDP
AsmReadCr0 PROC
mov rax,cr0
ret
AsmReadCr0 ENDP
AsmReadCr2 PROC
mov rax,cr2
ret
AsmReadCr2 ENDP
AsmReadCr3 PROC
mov rax,cr3
ret
AsmReadCr3 ENDP
AsmReadCr4 PROC
mov rax,cr4
ret
AsmReadCr4 ENDP
AsmReadCr8 PROC
mov rax,cr8
ret
AsmReadCr8 ENDP
AsmReadMsr PROC
and rcx,0FFFFFFFFh
rdmsr
and rax,0FFFFFFFFh
and rdx,0FFFFFFFFh
rol rdx,32
or rax,rdx
ret
AsmReadMsr ENDP
AsmWriteMsr PROC
and rcx,0FFFFFFFFh
mov eax,edx
shr rdx,32
wrmsr
ret
AsmWriteMsr ENDP
AsmReadGs PROC
mov rax,gs:[rcx]
ret
AsmReadGs ENDP
AsmWriteCr4 PROC
mov cr4,rcx
ret
AsmWriteCr4 ENDP
AsmWriteCr0 PROC
mov cr0,rcx
ret
AsmWriteCr0 ENDP
AsmWriteCr8 PROC
mov cr8,rcx
ret
AsmWriteCr8 ENDP
AsmCpuid PROC
;rcx=eax rdx=ecx r8=pcpuidret
push rbx
push r11
mov r11,r8
mov eax,ecx
mov ecx,edx
cpuid
mov dword ptr[r11],eax
mov dword ptr[r11+4],ebx
mov dword ptr[r11+8],ecx
mov dword ptr[r11+12],edx
pop r11
pop rbx
ret
AsmCpuid ENDP
AsmGetLDTR PROC
sldt ax
ret
AsmGetLDTR ENDP
AsmGetEs PROC
xor rax,rax
mov ax,es
ret
AsmGetEs ENDP
AsmGetCs PROC
xor rax,rax
mov ax,cs
ret
AsmGetCs ENDP
AsmGetDs PROC
xor rax,rax
mov ax,ds
ret
AsmGetDs ENDP
AsmGetFs PROC
xor rax,rax
mov ax,fs
ret
AsmGetFs ENDP
AsmGetGs PROC
xor rax,rax
mov ax,gs
ret
AsmGetGs ENDP
AsmGetSs PROC
xor rax,rax
mov ax,ss
ret
AsmGetSs ENDP
AsmGetTr PROC
xor rax,rax
str rax
ret
AsmGetTr ENDP
AsmGetIdtBase PROC
sub rsp,10h
sidt qword ptr[rsp]
mov rax,qword ptr[rsp+2]
add rsp,10h
ret
AsmGetIdtBase ENDP
AsmGetIdtLimit PROC
sub rsp,10h
sidt qword ptr[rsp]
xor rax,rax
mov ax,word ptr[rsp]
add rsp,10h
ret
AsmGetIdtLimit ENDP
AsmGetGdtBase PROC
sub rsp,10h
sgdt qword ptr[rsp]
mov rax,qword ptr[rsp+2]
add rsp,10h
ret
AsmGetGdtBase ENDP
AsmGetGdtLimit PROC
sub rsp,10h
sgdt qword ptr[rsp]
xor rax,rax
mov ax,word ptr[rsp]
add rsp,10h
ret
AsmGetGdtLimit ENDP
AsmGetDr7 PROC
xor rax,rax
mov rax,dr7
ret
AsmGetDr7 ENDP
AsmSti Proc
sti
ret
AsmSti Endp
AsmCli Proc
cli
ret
AsmCli Endp
AsmLoadAccessRightsByte PROC
lar rax, rcx
ret
AsmLoadAccessRightsByte ENDP
AsmInvpcid Proc
invpcid rcx,oword ptr[rdx]
ret
AsmInvpcid Endp
_text ENDS
END


@ -0,0 +1,172 @@
#pragma once
#ifndef _KernelAsm_INCLUDED_
#define _KernelAsm_INCLUDED_
#include "ntifs.h"
#undef KernelAsm_EXTERN
#define KernelAsm_EXTERN extern
#ifdef __cplusplus
#undef KernelAsm_EXTERN
#define KernelAsm_EXTERN extern "C"
#endif // __cplusplus
typedef struct _CpuidRet {
ULONG EAX;
ULONG EBX;
ULONG ECX;
ULONG EDX;
}CpuidRet;
typedef struct
{
unsigned PE : 1;
unsigned MP : 1;
unsigned EM : 1;
unsigned TS : 1;
unsigned ET : 1;
unsigned NE : 1;
unsigned Reserved_1 : 10;
unsigned WP : 1;
unsigned Reserved_2 : 1;
unsigned AM : 1;
unsigned Reserved_3 : 10;
unsigned NW : 1;
unsigned CD : 1;
unsigned PG : 1;
unsigned Reserved_64 : 32;
}_CR0;
typedef struct
{
unsigned VME : 1;
unsigned PVI : 1;
unsigned TSD : 1;
unsigned DE : 1;
unsigned PSE : 1;
unsigned PAE : 1;
unsigned MCE : 1;
unsigned PGE : 1;
unsigned PCE : 1;
unsigned OSFXSR : 1;
unsigned PSXMMEXCPT : 1;
unsigned UNKONOWN_1 : 1; //These are zero
unsigned UNKONOWN_2 : 1; //These are zero
unsigned VMXE : 1; //It's zero in normal
unsigned Reserved : 18; //These are zero
unsigned Reserved_64 : 32;
}_CR4;
typedef struct
{
unsigned CF : 1;
unsigned Unknown_1 : 1; //Always 1
unsigned PF : 1;
unsigned Unknown_2 : 1; //Always 0
unsigned AF : 1;
unsigned Unknown_3 : 1; //Always 0
unsigned ZF : 1;
unsigned SF : 1;
unsigned TF : 1;
unsigned IF : 1;
unsigned DF : 1;
unsigned OF : 1;
unsigned TOPL : 2;
unsigned NT : 1;
unsigned Unknown_4 : 1;
unsigned RF : 1;
unsigned VM : 1;
unsigned AC : 1;
unsigned VIF : 1;
unsigned VIP : 1;
unsigned ID : 1;
unsigned Reserved : 10; //Always 0
unsigned Reserved_64 : 32; //Always 0
}_EFLAGS;
typedef struct
{
unsigned SSE3 : 1;
unsigned PCLMULQDQ : 1;
unsigned DTES64 : 1;
unsigned MONITOR : 1;
unsigned DS_CPL : 1;
unsigned VMX : 1;
unsigned SMX : 1;
unsigned EIST : 1;
unsigned TM2 : 1;
unsigned SSSE3 : 1;
unsigned Reserved : 22;
unsigned Reserved_64 : 32;
}_CPUID_ECX;
typedef struct _IA32_FEATURE_CONTROL_MSR
{
unsigned Lock : 1; // Bit 0 is the lock bit - cannot be modified once lock is set
unsigned EnableVmxonSMX : 1; // Undefined
unsigned EnableVmxon : 1; // Bit 2. If this bit is clear, VMXON causes a general protection exception
unsigned Reserved2 : 29; // Undefined
unsigned Reserved3 : 32; // Undefined
} IA32_FEATURE_CONTROL_MSR;
KernelAsm_EXTERN ULONG64 ReadSsQ(PULONG64);
KernelAsm_EXTERN VOID AsmInt2F();
KernelAsm_EXTERN VOID AsmIntE1();
KernelAsm_EXTERN ULONG64 AsmRdtsc();
KernelAsm_EXTERN ULONG64 AsmGetRFlags();
KernelAsm_EXTERN ULONG64 AsmGetRSP();
KernelAsm_EXTERN ULONG64 AsmReadCr0();
KernelAsm_EXTERN ULONG64 AsmReadCr2();
KernelAsm_EXTERN ULONG64 AsmReadCr3();
KernelAsm_EXTERN ULONG64 AsmReadCr4();
KernelAsm_EXTERN ULONG64 AsmReadCr8();
KernelAsm_EXTERN ULONG64 AsmReadMsr(ULONG Msr);
KernelAsm_EXTERN ULONG64 AsmWriteMsr(ULONG Msr, ULONG64 value);
KernelAsm_EXTERN ULONG64 AsmReadGs(ULONG offset);
KernelAsm_EXTERN VOID AsmWriteCr0(ULONG64 Cr0);
KernelAsm_EXTERN VOID AsmWriteCr4(ULONG64 Cr4);
KernelAsm_EXTERN VOID AsmWriteCr8(ULONG64 Cr8);
KernelAsm_EXTERN VOID AsmCpuid(ULONG Eax, ULONG Ecx, CpuidRet* ret);
KernelAsm_EXTERN ULONG64 AsmGetEs();
KernelAsm_EXTERN ULONG64 AsmGetCs();
KernelAsm_EXTERN ULONG64 AsmGetDs();
KernelAsm_EXTERN ULONG64 AsmGetFs();
KernelAsm_EXTERN ULONG64 AsmGetGs();
KernelAsm_EXTERN ULONG64 AsmGetSs();
KernelAsm_EXTERN ULONG64 AsmGetTr();
KernelAsm_EXTERN USHORT AsmGetLDTR();
KernelAsm_EXTERN ULONG64 AsmGetIdtBase();
KernelAsm_EXTERN UINT16 AsmGetIdtLimit();
KernelAsm_EXTERN ULONG64 AsmGetGdtBase();
KernelAsm_EXTERN UINT16 AsmGetGdtLimit();
KernelAsm_EXTERN ULONG64 AsmGetDr7();
KernelAsm_EXTERN ULONG64 AsmLoadAccessRightsByte(ULONG64 segment_selector);
typedef struct _INVPCID_CTX {
ULONG64 PCID : 12;
ULONG64 Reserved : 52;
ULONG64 LinearAddress;
}INVPCID_CTX, * PINVPCID_CTX;
KernelAsm_EXTERN VOID AsmInvpcid(ULONG64 type, PINVPCID_CTX pDesc);
KernelAsm_EXTERN VOID AsmSti();
KernelAsm_EXTERN VOID AsmCli();
#define AsmGetCr0 AsmReadCr0
#define AsmGetCr3 AsmReadCr3
#define AsmGetCr4 AsmReadCr4
#define AsmGetCr8 AsmReadCr8
#define AsmReadES AsmGetEs
#define AsmReadCS AsmGetCs
#define AsmReadDS AsmGetDs
#define AsmReadFS AsmGetFs
#define AsmReadGS AsmGetGs
#define AsmReadSS AsmGetSs
#define AsmReadTR AsmGetTr
#define AsmReadLDTR AsmGetLDTR
#endif // !_KernelAsm_INCLUDED_
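Review bot: `AsmWriteMsr` is declared as returning `ULONG64`, but the MASM body in KernelAsm.asm on this commit (`mov eax,edx` / `shr rdx,32` / `wrmsr` / `ret`) never produces a result, so a caller that reads the return value gets the zero-extended low dword of the value it just wrote; declare it `KernelAsm_EXTERN VOID AsmWriteMsr(ULONG Msr, ULONG64 value);` to match the implementation. The tags `_CR0`, `_CR4`, `_EFLAGS` and the guard `_KernelAsm_INCLUDED_` are underscore-plus-uppercase identifiers, which are reserved for the implementation; names like `CR0_BITS` and `KERNELASM_INCLUDED` avoid that. `TOPL` in `_EFLAGS` is presumably a typo for `IOPL`, and the `UNKONOWN_1`/`UNKONOWN_2` fields of `_CR4` occupy bits 11 and 12, which the `CR4` struct in MyMemoryIo64.h names `UMIP` and `LA57`, so the commit carries two disagreeing CR4 layouts and only one should survive.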


@ -0,0 +1,131 @@
#include "MyMemoryIo64.h"
DWORD64 g_PteBase = NULL;
DWORD64 g_PdeBase = NULL;
DWORD64 g_PpeBase = NULL;
DWORD64 g_PxeBase = NULL;
union VirtualAddress {
ULONG64 all;
struct {
ULONG64 offset : 12;
ULONG64 pte_index : 9;
ULONG64 pde_index : 9;
ULONG64 ppe_index : 9;
ULONG64 pxe_index : 9;
ULONG64 head : 16;
};
};
DWORD64 MmiGetPteAddress(PVOID64 Address) {
return ((((((DWORD64)Address) & 0x0000FFFFFFFFF000) >> 12) << 3) + g_PteBase);
}
DWORD64 MmiGetPdeAddress(PVOID64 Address) {
return ((((((DWORD64)Address) & 0x0000FFFFFFFFF000) >> 21) << 3) + g_PdeBase);
}
DWORD64 MmiGetPpeAddress(PVOID64 Address) {
return ((((((DWORD64)Address) & 0x0000FFFFFFFFF000) >> 30) << 3) + g_PpeBase);
}
DWORD64 MmiGetPxeAddress(PVOID64 Address) {
return ((((((DWORD64)Address) & 0x0000FFFFFFFFF000) >> 39) << 3) + g_PxeBase);
}
bool g_invpcid_enable = 0;
bool g_clfsh_enable = 0;
BOOLEAN Mmi_Init() {
if (g_PteBase)
return TRUE;
g_PteBase = (DWORD64)KGetPteBase();
if (g_PteBase == 0) {
KeBugCheck(0x8787878);
return FALSE;
}
g_PdeBase = MmiGetPteAddress((PVOID)g_PteBase);
g_PpeBase = MmiGetPteAddress((PVOID)g_PdeBase);
g_PxeBase = MmiGetPteAddress((PVOID)g_PpeBase);
CpuidRet cpuid_ret;
memset(&cpuid_ret, 0, sizeof(cpuid_ret));
AsmCpuid(7, 0, &cpuid_ret);
g_invpcid_enable = cpuid_ret.EBX & 0x400;
AsmCpuid(1, 0, &cpuid_ret);
g_clfsh_enable = cpuid_ret.EDX & 0x80000;
return TRUE;
}
VOID MmiClearPteBase() {
g_PteBase = 0;
g_PdeBase = 0;
g_PpeBase = 0;
g_PxeBase = 0;
}
VOID MmiFlushTLB(PVOID LinearAddress) {
/*if (g_invpcid_enable) {
BOOL i_enable = AsmGetRFlags() & 0x200;
if (i_enable)
_disable();
CR4 cr4;
cr4.all = __readcr4();
if (cr4.PCIDE) {
INVPCID_CTX ctx;
ctx.LinearAddress = (ULONG64)LinearAddress;
ctx.PCID = __readcr3() & 0xFFF;
if (ctx.PCID != 0) {
AsmInvpcid(0, &ctx);
return;
}
}
if (i_enable)
_enable();
}*/
/*if (g_clfsh_enable) {
_mm_mfence();
_mm_clflush(LinearAddress);
}
else*/
__invlpg(LinearAddress);
}
ULONG64 MmiGetPhysicalAddress(PVOID va) {
HardwarePteX64 PageEntry[3] = { 0 };
HardwarePteX64 page;
PULONG64 p_pxe = (PULONG64)MmiGetPxeAddress(va);
page.all = *p_pxe;
if (page.valid == 0)
return 0;
if (page.large_page) {
ULONG64 off = (ULONG64)va & 0x7FFFFFFFFF;
ULONG64 PhyAdd = page.page_frame_number << 12;
PhyAdd += off;
return PhyAdd;
}
PULONG64 p_ppe = (PULONG64)MmiGetPpeAddress(va);
page.all = *p_ppe;
if (page.valid == 0)
return 0;
if (page.large_page) {
ULONG64 off = (ULONG64)va & 0x3FFFFFFF;
ULONG64 PhyAdd = page.page_frame_number << 12;
PhyAdd += off;
return PhyAdd;
}
PULONG64 p_pde = (PULONG64)MmiGetPdeAddress(va);
page.all = *p_pde;
if (page.valid == 0)
return 0;
if (page.large_page) {
ULONG64 off = (ULONG64)va & 0x1FFFFF;
ULONG64 PhyAdd = page.page_frame_number << 12;
PhyAdd += off;
return PhyAdd;
}
PULONG64 p_pte = (PULONG64)MmiGetPteAddress(va);
page.all = *p_pte;
if (page.valid == 0)
return 0;
ULONG64 off = (ULONG64)va & 0xFFF;
ULONG64 PhyAdd = page.page_frame_number << 12;
PhyAdd += off;
return PhyAdd;
}
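Review bot: `MmiFlushTLB` ships two blocks of commented-out code (the INVPCID path and the CLFLUSH path) around the single live `__invlpg(LinearAddress);`, and `Mmi_Init` computes `g_invpcid_enable`/`g_clfsh_enable` only to feed that dead code; either delete the comments together with the two flags or put the feature behind a real `if`. In `MmiGetPhysicalAddress` the `large_page` test immediately after the PXE read should never be taken — a PML4 entry has no page-size bit, so the 512 GiB branch reads as if it were a possible mapping — and removing it leaves the PPE (1 GiB) and PDE (2 MiB) branches as the only large-page cases. The function also returns 0 both for a non-present entry and, in principle, for a page that maps to physical frame 0 with offset 0; the header defines `MmiInvaildAddressValue` but this file never uses it, so callers cannot tell the two apart. `DWORD64 g_PteBase = NULL;` and the three siblings initialize an integer with the pointer constant; `= 0` is the intended value.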


@ -0,0 +1,156 @@
#pragma once
#ifndef __MyMempryIO64___Included___
#define __MyMempryIO64___Included___
#include "ntifs.h"
#include "windef.h"
#include "ntimage.h"
#include "intrin.h"
#include "DDKCommon.h"
struct HardwarePteX64 {
union
{
ULONG64 all;
struct {
ULONG64 valid : 1; //!< [0]
ULONG64 write : 1; //!< [1]
ULONG64 owner : 1; //!< [2]
ULONG64 write_through : 1; //!< [3] PWT
ULONG64 cache_disable : 1; //!< [4] PCD
ULONG64 accessed : 1; //!< [5]
ULONG64 dirty : 1; //!< [6]
ULONG64 large_page : 1; //!< [7] PAT
ULONG64 global : 1; //!< [8]
ULONG64 copy_on_write : 1; //!< [9]
ULONG64 prototype : 1; //!< [10]
ULONG64 reserved0 : 1; //!< [11]
ULONG64 page_frame_number : 36; //!< [12:47]
ULONG64 reserved1 : 4; //!< [48:51]
ULONG64 software_ws_index : 11; //!< [52:62]
ULONG64 no_execute : 1; //!< [63]
};
};
};
struct CR4 {
union {
ULONG64 all;
struct {
ULONG64 VME : 1;
ULONG64 PVI : 1;
ULONG64 TSD : 1;
ULONG64 DE : 1;
ULONG64 PSE : 1;
ULONG64 PAE : 1;
ULONG64 MCE : 1;
ULONG64 PGE : 1;
ULONG64 PCE : 1;
ULONG64 OSFXSR : 1;
ULONG64 OSXMMEXCPT : 1;
ULONG64 UMIP : 1;
ULONG64 LA57 : 1;
ULONG64 VMXE : 1;
ULONG64 SMXE : 1;
ULONG64 Reversed1 : 1;
ULONG64 FSGSBASE : 1;
ULONG64 PCIDE : 1;
ULONG64 OSXSAVE : 1;
ULONG64 Reversed2 : 1;
ULONG64 SMEP : 1;
ULONG64 SMAP : 1;
ULONG64 PKE : 1;
};
};
};
typedef struct _MyVirtualAddress {
union {
struct {
ULONG64 offset : 12;
ULONG64 pte_index : 9;
ULONG64 pde_index : 9;
ULONG64 ppe_index : 9;
ULONG64 pxe_index : 9;
};
ULONG64 VirtualAddress;
};
}MyVirtualAddress, *PMyVirtualAddress;
typedef struct _MyPageTableEntry {
union {
struct {
ULONG64 Present : 1;
ULONG64 Writable : 1;
ULONG64 UserAccessible : 1;
ULONG64 WriteThrough : 1;
ULONG64 DisableCache : 1;
ULONG64 Accessd : 1;
ULONG64 Dirty : 1;
ULONG64 HugePage : 1;
ULONG64 Global : 1;
ULONG64 Available1 : 3;
ULONG64 PhysicalAddress : 40;
ULONG64 Available2 : 11;
ULONG64 NoExecute : 1;
};
ULONG64 Value;
};
}MyPageTableEntry, *PMyPageTableEntry;
#define MmiInvaildAddressValue ((PVOID64)~0)
#define MmiEntryToAddress(v) (((ULONG64)v)&0x000FFFFFFFFFF000)
#define MmiEntryFlag_Present ((ULONG64)0x0000000000000001)
#define MmiEntryFlag_Write ((ULONG64)0x0000000000000002)
#define MmiEntryFlag_UserAccessible ((ULONG64)0x0000000000000004)
#define MmiEntryFlag_WriteThrough ((ULONG64)0x0000000000000008)
#define MmiEntryFlag_DisableCache ((ULONG64)0x0000000000000010)
#define MmiEntryFlag_Accessed ((ULONG64)0x0000000000000020)
#define MmiEntryFlag_Dirty ((ULONG64)0x0000000000000040)
#define MmiEntryFlag_HugePage ((ULONG64)0x0000000000000080)
#define MmiEntryFlag_Global ((ULONG64)0x0000000000000100)
#define MmiEntryFlag_NoExecute ((ULONG64)0x8000000000000000)
#define MmiEntryFlag_EntryPage (MmiEntryFlag_Present | MmiEntryFlag_Write | MmiEntryFlag_Accessed | MmiEntryFlag_Dirty)
#define MmiEntryFlag_ReadOnlyPage (MmiEntryFlag_Present | MmiEntryFlag_Accessed | MmiEntryFlag_Dirty)
#define MmiCheckFlag(e,f) (e&f)
#define MmiMakeVirtualAddressHigh16(pxe) ((pxe&0x100)?((ULONG64)0xFFFF000000000000):((ULONG64)0x0000000000000000))
#define MmiMakeVirtualAddress_PXE(pxe) (MmiMakeVirtualAddressHigh16(pxe)|(((ULONG64)pxe)<<39))
#define MmiMakeVirtualAddress_PPE(pxe,ppe) (MmiMakeVirtualAddressHigh16(pxe)|(((ULONG64)pxe)<<39)|(((ULONG64)ppe)<<30))
#define MmiMakeVirtualAddress_PDE(pxe,ppe,pde) (MmiMakeVirtualAddressHigh16(pxe)|(((ULONG64)pxe)<<39)|(((ULONG64)ppe)<<30)|(((ULONG64)pde)<<21))
#define MmiMakeVirtualAddress_PTE(pxe,ppe,pde,pte) (MmiMakeVirtualAddressHigh16(pxe)|(((ULONG64)pxe)<<39)|(((ULONG64)ppe)<<30)|(((ULONG64)pde)<<21)|(((ULONG64)pte)<<12))
#define MmiMakeVirtualAddress(pxe,ppe,pde,pte,o) (MmiMakeVirtualAddressHigh16(pxe)|(((ULONG64)pxe)<<39)|(((ULONG64)ppe)<<30)|(((ULONG64)pde)<<21)|(((ULONG64)pte)<<12)|((ULONG64)o))
#define MmiVA_GetPXEIndex(v) ((((ULONG64)v)&((ULONG64)0x0000FF8000000000))>>39)
#define MmiVA_GetPPEIndex(v) ((((ULONG64)v)&((ULONG64)0x0000007FC0000000))>>30)
#define MmiVA_GetPDEIndex(v) ((((ULONG64)v)&((ULONG64)0x000000003FE00000))>>21)
#define MmiVA_GetPTEIndex(v) ((((ULONG64)v)&((ULONG64)0x00000000001FF000))>>12)
#define MmiVA_GetOFFSET(v) (((ULONG64)v)&((ULONG64)0x0000000000000FFF))
#define MmiGetPhysicalPFN(p) (((ULONG64)(p)&0x0000FFFFFFFFF000)>>12)
#define MmiGetCr3() (MmiEntryToAddress(__readcr3()))
#ifdef __cplusplus
extern "C" {
#endif
BOOLEAN Mmi_Init();
VOID MmiClearPteBase();
DWORD64 MmiGetPteAddress(PVOID64 Address);
DWORD64 MmiGetPdeAddress(PVOID64 Address);
DWORD64 MmiGetPpeAddress(PVOID64 Address);
DWORD64 MmiGetPxeAddress(PVOID64 Address);
VOID MmiFlushTLB(PVOID LinearAddress);
DWORD64 MmiGetPhysicalAddress(PVOID VirtualAddress);
ULONG64 MmiGetPhysicalAddress(PVOID va);
#ifdef __cplusplus
}
#endif
#endif // !__MempryIO___Included___
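Review bot: `MmiGetPhysicalAddress` is declared twice inside the `extern "C"` block of this header (once returning `DWORD64`, once `ULONG64`); both are the same 64-bit unsigned type so it compiles, but one of the two lines should go, and the closing `#endif // !__MempryIO___Included___` names a guard that does not match the `__MyMempryIO64___Included___` opened at the top. The bit-7 comment on `HardwarePteX64` (`large_page ... PAT`) is misleading for how the struct is used: in a PDE/PDPTE bit 7 is the page-size (PS) flag, while in a 4K PTE it is PAT, so a comment such as `//!< [7] PS (large page) in PDE/PDPTE; PAT in a 4K PTE` would stop callers reading it on the wrong level. `MmiCheckFlag(e,f) (e&f)` and `MmiMakeVirtualAddressHigh16(pxe) ((pxe&0x100)...)` do not parenthesize their arguments, so `MmiCheckFlag(a|b, f)` evaluates as `a|(b&f)`; write `((e)&(f))` and `(((pxe)&0x100)?...)`. `MmiEntryToAddress` also masks 52 physical-address bits while `MmiGetPhysicalPFN` masks 48; the two should agree on one width.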

139
DICHook_OpenSource/MyPEB.h Normal file

@ -0,0 +1,139 @@
#pragma once
#ifndef __MYPEB_INCLUDED__
#define __MYPEB_INCLUDED__
#include "ntifs.h"
#include "windef.h"
typedef struct _MYUNICODE_STRING32
{
USHORT Length;
USHORT MaximumLength;
ULONG Buffer;
} MYUNICODE_STRING32, *PMYUNICODE_STRING32;
typedef struct _MYPEB32
{
UCHAR InheritedAddressSpace;
UCHAR ReadImageFileExecOptions;
UCHAR BeingDebugged;
UCHAR BitField;
ULONG Mutant;
ULONG ImageBaseAddress;
ULONG Ldr;
ULONG ProcessParameters;
ULONG SubSystemData;
ULONG ProcessHeap;
ULONG FastPebLock;
ULONG AtlThunkSListPtr;
ULONG IFEOKey;
ULONG CrossProcessFlags;
ULONG UserSharedInfoPtr;
ULONG SystemReserved;
ULONG AtlThunkSListPtr32;
ULONG ApiSetMap;
} MYPEB32, *PMYPEB32;
typedef struct _PEB_LDR_DATA32
{
ULONG Length;
BOOLEAN Initialized;
ULONG SsHandle;
LIST_ENTRY32 InLoadOrderModuleList;
LIST_ENTRY32 InMemoryOrderModuleList;
LIST_ENTRY32 InInitializationOrderModuleList;
ULONG EntryInProgress;
} PEB_LDR_DATA32, *PPEB_LDR_DATA32;
typedef struct _LDR_DATA_TABLE_ENTRY32
{
LIST_ENTRY32 InLoadOrderLinks;
LIST_ENTRY32 InMemoryOrderModuleList;
LIST_ENTRY32 InInitializationOrderModuleList;
ULONG DllBase;
ULONG EntryPoint;
ULONG SizeOfImage;
MYUNICODE_STRING32 FullDllName;
MYUNICODE_STRING32 BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union
{
LIST_ENTRY32 HashLinks;
ULONG SectionPointer;
};
ULONG CheckSum;
union
{
ULONG TimeDateStamp;
ULONG LoadedImports;
};
ULONG EntryPointActivationContext;
ULONG PatchInformation;
} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;
typedef struct _PEB_LDR_DATA
{
DWORD Length;
UCHAR Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID EntryInProgress;
}PEB_LDR_DATA, *PPEB_LDR_DATA;
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
DWORD SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
DWORD Flags;
WORD LoadCount;
WORD TlsIndex;
LIST_ENTRY HashLinks;
PVOID SectionPointer;
DWORD CheckSum;
DWORD TimeDateStamp;
PVOID LoadedImports;
PVOID EntryPointActivationContext;
PVOID PatchInformation;
}LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
typedef struct _MYPEB
{
UCHAR InheritedAddressSpace;
UCHAR ReadImageFileExecOptions;
UCHAR BeingDebugged;
UCHAR SpareBool;
PVOID Mutant;
PVOID ImageBaseAddress;
PPEB_LDR_DATA Ldr;
}MYPEB, *PMYPEB;
#ifdef __cplusplus
extern "C"{
#endif
NTKERNELAPI PPEB NTAPI PsGetProcessPeb(IN PEPROCESS Process);
NTKERNELAPI PPEB NTAPI PsGetProcessWow64Process(PEPROCESS Process);
#ifdef __cplusplus
}
#endif
#endif // !__MYPEB_INCLUDED
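Review bot: The 64-bit `_LDR_DATA_TABLE_ENTRY` lays out `HashLinks`, `SectionPointer`, `CheckSum`, `TimeDateStamp` and `LoadedImports` as five consecutive members, whereas `_LDR_DATA_TABLE_ENTRY32` in the same file overlays `HashLinks`/`SectionPointer` and `TimeDateStamp`/`LoadedImports` in unions; both cannot be right, and in the 64-bit form every member after `HashLinks` (`EntryPointActivationContext`, `PatchInformation`) is shifted by a pointer plus a ULONG relative to the union layout. Whichever the kernel actually uses, pin it with `static_assert(FIELD_OFFSET(...) == ...)` checks against the offsets from the builds this driver targets, as the VT header in this commit already does for `KtrapFrameX64`. `PsGetProcessWow64Process` is declared as returning a 64-bit `PPEB`, but as far as I know the pointer it yields is the WoW64 (32-bit) PEB that this file's own `MYPEB32` describes, so the declaration invites dereferencing 64-bit offsets on a 32-bit structure; declare it `PVOID` (or `PMYPEB32`). The closing `#endif // !__MYPEB_INCLUDED` also does not match the `__MYPEB_INCLUDED__` guard it closes.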


@ -0,0 +1,248 @@
#pragma once
#ifndef _EXPORTS__INDLC
#define _EXPORTS__INDLC
#include "ntifs.h"
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemNotImplemented1,
SystemProcessesAndThreadsInformation,
SystemCallCounts,
SystemConfigurationInformation,
SystemProcessorTimes,
SystemGlobalFlag,
SystemNotImplemented2,
SystemModuleInformation,
SystemLockInformation,
SystemNotImplemented3,
SystemNotImplemented4,
SystemNotImplemented5,
SystemHandleInformation,
SystemObjectInformation,
SystemPagefileInformation,
SystemInstructionEmulationCounts,
SystemInvalidInfoClass1,
SystemCacheInformation,
SystemPoolTagInformation,
SystemProcessorStatistics,
SystemDpcInformation,
SystemNotImplemented6,
SystemLoadImage,
SystemUnloadImage,
SystemTimeAdjustment,
SystemNotImplemented7,
SystemNotImplemented8,
SystemNotImplemented9,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemLoadAndCallImage,
SystemPrioritySeparation,
SystemNotImplemented10,
SystemNotImplemented11,
SystemInvalidInfoClass2,
SystemInvalidInfoClass3,
SystemTimeZoneInformation,
SystemLookasideInformation,
SystemSetTimeSlipEvent,
SystemCreateSession,
SystemDeleteSession,
SystemInvalidInfoClass4,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemAddVerifier,
SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_HANDLE_INFORMATION {
USHORT ProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
typedef struct _SYSTEM_HANDLE_INFORMATION_EX {
ULONG NumberOfHandles;
SYSTEM_HANDLE_INFORMATION Information[1];
} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
typedef struct _SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
LONG State;
LONG WaitReason;
} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved1[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
SYSTEM_THREAD_INFORMATION Threads[1];
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
typedef struct _SYSTEM_MODULE {
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[MAXIMUM_FILENAME_LENGTH];
} SYSTEM_MODULE, * PSYSTEM_MODULE;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG NumberOfModules;
SYSTEM_MODULE Modules[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
typedef struct _SYSTEM_BIGPOOL_ENTRY
{
union {
PVOID VirtualAddress;
ULONG_PTR NonPaged : 1;
};
ULONG_PTR SizeInBytes;
union {
UCHAR Tag[4];
ULONG TagUlong;
};
} SYSTEM_BIGPOOL_ENTRY, *PSYSTEM_BIGPOOL_ENTRY;
typedef struct _SYSTEM_BIGPOOL_INFORMATION {
ULONG Count;
SYSTEM_BIGPOOL_ENTRY AllocatedInfo[ANYSIZE_ARRAY];
} SYSTEM_BIGPOOL_INFORMATION, *PSYSTEM_BIGPOOL_INFORMATION;
/*typedef struct _IMAGE_RUNTIME_FUNCTION_ENTRY {
DWORD BeginAddress;
DWORD EndAddress;
union {
DWORD UnwindInfoAddress;
DWORD UnwindData;
} DUMMYUNIONNAME;
} RUNTIME_FUNCTION, * PRUNTIME_FUNCTION, _IMAGE_RUNTIME_FUNCTION_ENTRY, * _PIMAGE_RUNTIME_FUNCTION_ENTRY;*/
typedef enum _MYOBJECT_INFORMATION_CLASS
{
myObjectBasicInformation = 0,
myObjectNameInformation,
myObjectTypeInformation,
myObjectTypesInformation,
myObjectHandleFlagInformation,
myObjectSessionInformation,
myMaxObjectInfoClass
} MYOBJECT_INFORMATION_CLASS, * PMYOBJECT_INFORMATION_CLASS;
typedef struct _MYOBJECT_HANDLE_ATTRIBUTE_INFORMATION
{
BOOLEAN Inherit;
BOOLEAN ProtectFromClose;
} MYOBJECT_HANDLE_ATTRIBUTE_INFORMATION, * PMYOBJECT_HANDLE_ATTRIBUTE_INFORMATION;
typedef struct _MYOBJECT_TYPE_INFORMATION
{
UNICODE_STRING TypeName;
ULONG TotalNumberOfObjects;
ULONG TotalNumberOfHandles;
ULONG TotalPagedPoolUsage;
ULONG TotalNonPagedPoolUsage;
ULONG TotalNamePoolUsage;
ULONG TotalHandleTableUsage;
ULONG HighWaterNumberOfObjects;
ULONG HighWaterNumberOfHandles;
ULONG HighWaterPagedPoolUsage;
ULONG HighWaterNonPagedPoolUsage;
ULONG HighWaterNamePoolUsage;
ULONG HighWaterHandleTableUsage;
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ULONG ValidAccessMask;
BOOLEAN SecurityRequired;
BOOLEAN MaintainHandleCount;
ULONG PoolType;
ULONG DefaultPagedPoolCharge;
ULONG DefaultNonPagedPoolCharge;
} MYOBJECT_TYPE_INFORMATION, * PMYOBJECT_TYPE_INFORMATION;
typedef struct _MYOBJECT_NAME_INFORMATION
{
UNICODE_STRING Name;
} MYOBJECT_NAME_INFORMATION, * PMYOBJECT_NAME_INFORMATION;
#ifdef __cplusplus
extern "C" {
#endif
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
NTKERNELAPI NTSTATUS ObReferenceObjectByName(__in PUNICODE_STRING ObjectName,
__in ULONG Attributes,
__in_opt PACCESS_STATE AccessState,
__in_opt ACCESS_MASK DesiredAccess,
__in POBJECT_TYPE ObjectType,
__in KPROCESSOR_MODE AccessMode,
__inout_opt PVOID ParseContext,
__out PVOID * Object
);
extern POBJECT_TYPE *IoDriverObjectType;
NTKERNELAPI
UCHAR* PsGetProcessImageFileName(__in PEPROCESS Process);
NTKERNELAPI HANDLE PsGetProcessInheritedFromUniqueProcessId(IN PEPROCESS Process);
NTKERNELAPI
PVOID
PsGetProcessSectionBaseAddress(
__in PEPROCESS Process
);
PEJOB NTAPI PsGetProcessJob(PEPROCESS Process);
PEPROCESS NTAPI PsGetCurrentThreadProcess(VOID);
POBJECT_TYPE NTAPI ObGetObjectType(IN PVOID pObject);
NTSTATUS NTAPI ZwQueryInformationProcess(
_In_ HANDLE ProcessHandle,
_In_ PROCESSINFOCLASS ProcessInformationClass,
_Out_ PVOID ProcessInformation,
_In_ ULONG ProcessInformationLength,
_Out_opt_ PULONG ReturnLength
);
#ifdef __cplusplus
}
#endif
#endif // !_EXPORTS__INDLC
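Review bot: `SYSTEM_HANDLE_INFORMATION` in this header uses the legacy 16-bit `ProcessId` and `Handle` fields, so any PID above 65535 or handle value above 0xFFFF is silently truncated before a caller can compare it with anything, and the `_SYSTEM_HANDLE_INFORMATION_EX` defined here only wraps the same narrow entries behind a `ULONG NumberOfHandles` rather than widening the per-entry record, so it does not address this. `_SYSTEM_BIGPOOL_INFORMATION` is defined but `SYSTEM_INFORMATION_CLASS` stops at `SystemSessionProcessesInformation` with no enumerator for the big-pool class, so any caller must pass a magic number; add `SystemBigPoolInformation = 0x42` explicitly, and say in a header comment that these classes and layouts are undocumented and change between Windows releases, since the only hint of that today is the `SystemNotImplementedN` names. The `[1]`-sized trailing arrays (`Information[1]`, `Threads[1]`, `Modules[1]`) are presumably indexed past their declared bound by whoever consumes the buffers; the file already uses `ANYSIZE_ARRAY` for `AllocatedInfo`, and the other three should use it too for consistency.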


@ -0,0 +1,65 @@
#include "DDKCommon.h"
#include "MyMemoryIo64.h"
#include "HwidHook.h"
#include <ntddndis.h>
VOID NtDeviceIoControlFileCallback(ULONG64 IoControlCode, ULONG64 InputBuffer, ULONG64 InputBufferLength, ULONG64 OutputBuffer, ULONG64 OutputBufferLength) {
//此时irql == 2 !
//
//修改物理Mac地址例子
if (IoControlCode == IOCTL_NDIS_QUERY_GLOBAL_STATS &&
InputBufferLength >= 4 && MmiGetPhysicalAddress((PVOID)InputBuffer) && MmiGetPhysicalAddress((PVOID)(InputBuffer + 4 - 1)) &&
OutputBufferLength >= 6 && MmiGetPhysicalAddress((PVOID)OutputBuffer) && MmiGetPhysicalAddress((PVOID)(OutputBuffer + 6 - 1))) {
DWORD Code = *(DWORD*)(InputBuffer);
switch (Code) {
case OID_802_3_PERMANENT_ADDRESS:
case OID_802_3_CURRENT_ADDRESS:
case OID_802_5_PERMANENT_ADDRESS:
case OID_802_5_CURRENT_ADDRESS:
{
PUCHAR pMac = (PUCHAR)OutputBuffer;
pMac[0] = 0x00; pMac[1] = 0x11; pMac[2] = 0x22; pMac[3] = 0x33; pMac[4] = 0x44; pMac[5] = 0x55;
break;
}
default:
break;
}
}
}
VOID NtQueryVolumeInformationFileCallback(ULONG64 FsInformationClass, ULONG64 FsInformation, ULONG64 Length) {
//此时irql == 2 !
//
//修改分区序列号例子
switch (FsInformationClass)
{
case FileFsVolumeInformation:
{
if (Length >= sizeof(FILE_FS_VOLUME_INFORMATION) &&
MmiGetPhysicalAddress((PVOID)FsInformation) &&
MmiGetPhysicalAddress((PVOID)(FsInformation + sizeof(FILE_FS_VOLUME_INFORMATION) - 1))) {
PFILE_FS_VOLUME_INFORMATION pinfo = (PFILE_FS_VOLUME_INFORMATION)FsInformation;
pinfo->VolumeSerialNumber = 0;
}
break;
}
default:
break;
}
}
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT drv, PUNICODE_STRING reg_path) {
Mmi_Init();
GetRealTime();//初始化GetRealTime
//设置是否启用 NtQueryVolumeInformationFile Hook,TRUE为开启,FALSE为关闭
//注意,win10 1507 - win10 1709不支持NtQueryVolumeInformationFile Hook,因为无法从堆栈中获取到参数
//NtQueryVolumeInformationFile Hook 完美兼容win7以及win10 1803及以上版本
setntqhookstats(FALSE);
//设置NtDeviceIoControlFile Hook的Callback,win7,win10全系统兼容
setdicprecabk(NtDeviceIoControlFileCallback);
//设置NtQueryVolumeInformationFile Hook的Callback
setntqcabk(NtQueryVolumeInformationFileCallback);
return STATUS_SUCCESS;
}
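Review bot: `OutputBuffer` in `NtDeviceIoControlFileCallback` is a raw pointer taken from the caller's syscall arguments and is written through after only a page-presence check via `MmiGetPhysicalAddress`, so a user process can aim it at a kernel address, or at a present-but-read-only page, and the fixed six bytes are written there at DISPATCH_LEVEL; if `setdicprecabk` registers a pre-call hook, as the name suggests, this happens before the original `NtDeviceIoControlFile` has probed the buffer at all. Bound both buffers to user space before touching them, e.g. `if (OutputBuffer + OutputBufferLength < OutputBuffer || OutputBuffer + OutputBufferLength > (ULONG64)MmHighestUserAddress) return;` (and the same for `InputBuffer`), and extend the page check to require the PTE `write` and `owner` bits rather than only `valid`; even then the presence check is a TOCTOU race against another thread unmapping the page, which at IRQL 2 is a bugcheck rather than a recoverable fault, and that caveat belongs in the comment above the check. The same pattern applies to `FsInformation` in `NtQueryVolumeInformationFileCallback`. Separately, `DriverEntry` discards the result of `Mmi_Init()`; on FALSE it should `return STATUS_UNSUCCESSFUL;` instead of installing hooks that will walk page tables from zeroed bases.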


@ -0,0 +1,605 @@
#pragma once
#ifndef _VTSTRUCT__INCLUDED__
#define _VTSTRUCT__INCLUDED__
#include "ntifs.h"
enum class Msr : unsigned long {
kIa32ApicBase = 0x01B,
kIa32FeatureControl = 0x03A,
kIa32SysenterCs = 0x174,
kIa32SysenterEsp = 0x175,
kIa32SysenterEip = 0x176,
kIa32Debugctl = 0x1D9,
kIa32MtrrCap = 0xFE,
kIa32MtrrDefType = 0x2FF,
kIa32MtrrPhysBaseN = 0x200,
kIa32MtrrPhysMaskN = 0x201,
kIa32MtrrFix64k00000 = 0x250,
kIa32MtrrFix16k80000 = 0x258,
kIa32MtrrFix16kA0000 = 0x259,
kIa32MtrrFix4kC0000 = 0x268,
kIa32MtrrFix4kC8000 = 0x269,
kIa32MtrrFix4kD0000 = 0x26A,
kIa32MtrrFix4kD8000 = 0x26B,
kIa32MtrrFix4kE0000 = 0x26C,
kIa32MtrrFix4kE8000 = 0x26D,
kIa32MtrrFix4kF0000 = 0x26E,
kIa32MtrrFix4kF8000 = 0x26F,
kIa32VmxBasic = 0x480,
kIa32VmxPinbasedCtls = 0x481,
kIa32VmxProcBasedCtls = 0x482,
kIa32VmxExitCtls = 0x483,
kIa32VmxEntryCtls = 0x484,
kIa32VmxMisc = 0x485,
kIa32VmxCr0Fixed0 = 0x486,
kIa32VmxCr0Fixed1 = 0x487,
kIa32VmxCr4Fixed0 = 0x488,
kIa32VmxCr4Fixed1 = 0x489,
kIa32VmxVmcsEnum = 0x48A,
kIa32VmxProcBasedCtls2 = 0x48B,
kIa32VmxEptVpidCap = 0x48C,
kIa32VmxTruePinbasedCtls = 0x48D,
kIa32VmxTrueProcBasedCtls = 0x48E,
kIa32VmxTrueExitCtls = 0x48F,
kIa32VmxTrueEntryCtls = 0x490,
kIa32VmxVmfunc = 0x491,
kIa32Efer = 0xC0000080,
kIa32Star = 0xC0000081,
kIa32Lstar = 0xC0000082,
kIa32Fmask = 0xC0000084,
kIa32FsBase = 0xC0000100,
kIa32GsBase = 0xC0000101,
kIa32KernelGsBase = 0xC0000102,
kIa32TscAux = 0xC0000103,
};
enum class VmcsField : unsigned __int32 {
// 16-Bit Control Field
kVirtualProcessorId = 0x00000000,
kPostedInterruptNotification = 0x00000002,
kEptpIndex = 0x00000004,
// 16-Bit Guest-State Fields
kGuestEsSelector = 0x00000800,
kGuestCsSelector = 0x00000802,
kGuestSsSelector = 0x00000804,
kGuestDsSelector = 0x00000806,
kGuestFsSelector = 0x00000808,
kGuestGsSelector = 0x0000080a,
kGuestLdtrSelector = 0x0000080c,
kGuestTrSelector = 0x0000080e,
kGuestInterruptStatus = 0x00000810,
kPmlIndex = 0x00000812,
// 16-Bit Host-State Fields
kHostEsSelector = 0x00000c00,
kHostCsSelector = 0x00000c02,
kHostSsSelector = 0x00000c04,
kHostDsSelector = 0x00000c06,
kHostFsSelector = 0x00000c08,
kHostGsSelector = 0x00000c0a,
kHostTrSelector = 0x00000c0c,
// 64-Bit Control Fields
kIoBitmapA = 0x00002000,
kIoBitmapAHigh = 0x00002001,
kIoBitmapB = 0x00002002,
kIoBitmapBHigh = 0x00002003,
kMsrBitmap = 0x00002004,
kMsrBitmapHigh = 0x00002005,
kVmExitMsrStoreAddr = 0x00002006,
kVmExitMsrStoreAddrHigh = 0x00002007,
kVmExitMsrLoadAddr = 0x00002008,
kVmExitMsrLoadAddrHigh = 0x00002009,
kVmEntryMsrLoadAddr = 0x0000200a,
kVmEntryMsrLoadAddrHigh = 0x0000200b,
kExecutiveVmcsPointer = 0x0000200c,
kExecutiveVmcsPointerHigh = 0x0000200d,
kTscOffset = 0x00002010,
kTscOffsetHigh = 0x00002011,
kVirtualApicPageAddr = 0x00002012,
kVirtualApicPageAddrHigh = 0x00002013,
kApicAccessAddr = 0x00002014,
kApicAccessAddrHigh = 0x00002015,
kEptPointer = 0x0000201a,
kEptPointerHigh = 0x0000201b,
kEoiExitBitmap0 = 0x0000201c,
kEoiExitBitmap0High = 0x0000201d,
kEoiExitBitmap1 = 0x0000201e,
kEoiExitBitmap1High = 0x0000201f,
kEoiExitBitmap2 = 0x00002020,
kEoiExitBitmap2High = 0x00002021,
kEoiExitBitmap3 = 0x00002022,
kEoiExitBitmap3High = 0x00002023,
kEptpListAddress = 0x00002024,
kEptpListAddressHigh = 0x00002025,
kVmreadBitmapAddress = 0x00002026,
kVmreadBitmapAddressHigh = 0x00002027,
kVmwriteBitmapAddress = 0x00002028,
kVmwriteBitmapAddressHigh = 0x00002029,
kVirtualizationExceptionInfoAddress = 0x0000202a,
kVirtualizationExceptionInfoAddressHigh = 0x0000202b,
kXssExitingBitmap = 0x0000202c,
kXssExitingBitmapHigh = 0x0000202d,
kEnclsExitingBitmap = 0x0000202e,
kEnclsExitingBitmapHigh = 0x0000202f,
kTscMultiplier = 0x00002032,
kTscMultiplierHigh = 0x00002033,
// 64-Bit Read-Only Data Field
kGuestPhysicalAddress = 0x00002400,
kGuestPhysicalAddressHigh = 0x00002401,
// 64-Bit Guest-State Fields
kVmcsLinkPointer = 0x00002800,
kVmcsLinkPointerHigh = 0x00002801,
kGuestIa32Debugctl = 0x00002802,
kGuestIa32DebugctlHigh = 0x00002803,
kGuestIa32Pat = 0x00002804,
kGuestIa32PatHigh = 0x00002805,
kGuestIa32Efer = 0x00002806,
kGuestIa32EferHigh = 0x00002807,
kGuestIa32PerfGlobalCtrl = 0x00002808,
kGuestIa32PerfGlobalCtrlHigh = 0x00002809,
kGuestPdptr0 = 0x0000280a,
kGuestPdptr0High = 0x0000280b,
kGuestPdptr1 = 0x0000280c,
kGuestPdptr1High = 0x0000280d,
kGuestPdptr2 = 0x0000280e,
kGuestPdptr2High = 0x0000280f,
kGuestPdptr3 = 0x00002810,
kGuestPdptr3High = 0x00002811,
kGuestIa32Bndcfgs = 0x00002812,
kGuestIa32BndcfgsHigh = 0x00002813,
// 64-Bit Host-State Fields
kHostIa32Pat = 0x00002c00,
kHostIa32PatHigh = 0x00002c01,
kHostIa32Efer = 0x00002c02,
kHostIa32EferHigh = 0x00002c03,
kHostIa32PerfGlobalCtrl = 0x00002c04,
kHostIa32PerfGlobalCtrlHigh = 0x00002c05,
// 32-Bit Control Fields
kPinBasedVmExecControl = 0x00004000,
kCpuBasedVmExecControl = 0x00004002,
kExceptionBitmap = 0x00004004,
kPageFaultErrorCodeMask = 0x00004006,
kPageFaultErrorCodeMatch = 0x00004008,
kCr3TargetCount = 0x0000400a,
kVmExitControls = 0x0000400c,
kVmExitMsrStoreCount = 0x0000400e,
kVmExitMsrLoadCount = 0x00004010,
kVmEntryControls = 0x00004012,
kVmEntryMsrLoadCount = 0x00004014,
kVmEntryIntrInfoField = 0x00004016,
kVmEntryExceptionErrorCode = 0x00004018,
kVmEntryInstructionLen = 0x0000401a,
kTprThreshold = 0x0000401c,
kSecondaryVmExecControl = 0x0000401e,
kPleGap = 0x00004020,
kPleWindow = 0x00004022,
// 32-Bit Read-Only Data Fields
kVmInstructionError = 0x00004400, // See: VM-Instruction Error Numbers
kVmExitReason = 0x00004402,
kVmExitIntrInfo = 0x00004404,
kVmExitIntrErrorCode = 0x00004406,
kIdtVectoringInfoField = 0x00004408,
kIdtVectoringErrorCode = 0x0000440a,
kVmExitInstructionLen = 0x0000440c,
kVmxInstructionInfo = 0x0000440e,
// 32-Bit Guest-State Fields
kGuestEsLimit = 0x00004800,
kGuestCsLimit = 0x00004802,
kGuestSsLimit = 0x00004804,
kGuestDsLimit = 0x00004806,
kGuestFsLimit = 0x00004808,
kGuestGsLimit = 0x0000480a,
kGuestLdtrLimit = 0x0000480c,
kGuestTrLimit = 0x0000480e,
kGuestGdtrLimit = 0x00004810,
kGuestIdtrLimit = 0x00004812,
kGuestEsArBytes = 0x00004814,
kGuestCsArBytes = 0x00004816,
kGuestSsArBytes = 0x00004818,
kGuestDsArBytes = 0x0000481a,
kGuestFsArBytes = 0x0000481c,
kGuestGsArBytes = 0x0000481e,
kGuestLdtrArBytes = 0x00004820,
kGuestTrArBytes = 0x00004822,
kGuestInterruptibilityInfo = 0x00004824,
kGuestActivityState = 0x00004826,
kGuestSmbase = 0x00004828,
kGuestSysenterCs = 0x0000482a,
kVmxPreemptionTimerValue = 0x0000482e,
// 32-Bit Host-State Field
kHostIa32SysenterCs = 0x00004c00,
// Natural-Width Control Fields
kCr0GuestHostMask = 0x00006000,
kCr4GuestHostMask = 0x00006002,
kCr0ReadShadow = 0x00006004,
kCr4ReadShadow = 0x00006006,
kCr3TargetValue0 = 0x00006008,
kCr3TargetValue1 = 0x0000600a,
kCr3TargetValue2 = 0x0000600c,
kCr3TargetValue3 = 0x0000600e,
// Natural-Width Read-Only Data Fields
kExitQualification = 0x00006400,
kIoRcx = 0x00006402,
kIoRsi = 0x00006404,
kIoRdi = 0x00006406,
kIoRip = 0x00006408,
kGuestLinearAddress = 0x0000640a,
// Natural-Width Guest-State Fields
kGuestCr0 = 0x00006800,
kGuestCr3 = 0x00006802,
kGuestCr4 = 0x00006804,
kGuestEsBase = 0x00006806,
kGuestCsBase = 0x00006808,
kGuestSsBase = 0x0000680a,
kGuestDsBase = 0x0000680c,
kGuestFsBase = 0x0000680e,
kGuestGsBase = 0x00006810,
kGuestLdtrBase = 0x00006812,
kGuestTrBase = 0x00006814,
kGuestGdtrBase = 0x00006816,
kGuestIdtrBase = 0x00006818,
kGuestDr7 = 0x0000681a,
kGuestRsp = 0x0000681c,
kGuestRip = 0x0000681e,
kGuestRflags = 0x00006820,
kGuestPendingDbgExceptions = 0x00006822,
kGuestSysenterEsp = 0x00006824,
kGuestSysenterEip = 0x00006826,
// Natural-Width Host-State Fields
kHostCr0 = 0x00006c00,
kHostCr3 = 0x00006c02,
kHostCr4 = 0x00006c04,
kHostFsBase = 0x00006c06,
kHostGsBase = 0x00006c08,
kHostTrBase = 0x00006c0a,
kHostGdtrBase = 0x00006c0c,
kHostIdtrBase = 0x00006c0e,
kHostIa32SysenterEsp = 0x00006c10,
kHostIa32SysenterEip = 0x00006c12,
kHostRsp = 0x00006c14,
kHostRip = 0x00006c16
};
enum class InvVpidType : ULONG_PTR {
kIndividualAddressInvalidation = 0,
kSingleContextInvalidation = 1,
kAllContextInvalidation = 2,
kSingleContextInvalidationExceptGlobal = 3,
};
struct InvVpidDescriptor {
USHORT vpid;
USHORT reserved1;
ULONG32 reserved2;
ULONG64 linear_address;
};
enum class InvEptType : ULONG_PTR {
kSingleContextInvalidation = 1,
kGlobalInvalidation = 2,
};
union EptPointer {
ULONG64 all;
struct {
ULONG64 memory_type : 3; //!< [0:2]
ULONG64 page_walk_length : 3; //!< [3:5]
ULONG64 enable_accessed_and_dirty_flags : 1; //!< [6]
ULONG64 reserved1 : 5; //!< [7:11]
ULONG64 pml4_address : 36; //!< [12:48-1]
ULONG64 reserved2 : 16; //!< [48:63]
} fields;
};
struct InvEptDescriptor {
EptPointer ept_pointer;
ULONG64 reserved1;
};
union Ia32VmxBasicMsr {
unsigned __int64 all;
struct {
unsigned revision_identifier : 31; //!< [0:30]
unsigned reserved1 : 1; //!< [31]
unsigned region_size : 12; //!< [32:43]
unsigned region_clear : 1; //!< [44]
unsigned reserved2 : 3; //!< [45:47]
unsigned supported_ia64 : 1; //!< [48]
unsigned supported_dual_moniter : 1; //!< [49]
unsigned memory_type : 4; //!< [50:53]
unsigned vm_exit_report : 1; //!< [54]
unsigned vmx_capability_hint : 1; //!< [55]
unsigned reserved3 : 8; //!< [56:63]
} fields;
};
union VmxVmEntryControls {
unsigned int all;
struct {
unsigned reserved1 : 2; //!< [0:1]
unsigned load_debug_controls : 1; //!< [2]
unsigned reserved2 : 6; //!< [3:8]
unsigned ia32e_mode_guest : 1; //!< [9]
unsigned entry_to_smm : 1; //!< [10]
unsigned deactivate_dual_monitor_treatment : 1; //!< [11]
unsigned reserved3 : 1; //!< [12]
unsigned load_ia32_perf_global_ctrl : 1; //!< [13]
unsigned load_ia32_pat : 1; //!< [14]
unsigned load_ia32_efer : 1; //!< [15]
unsigned load_ia32_bndcfgs : 1; //!< [16]
unsigned conceal_vmentries_from_intel_pt : 1; //!< [17]
} fields;
};
union VmxVmExitControls {
unsigned int all;
struct {
unsigned reserved1 : 2; //!< [0:1]
unsigned save_debug_controls : 1; //!< [2]
unsigned reserved2 : 6; //!< [3:8]
unsigned host_address_space_size : 1; //!< [9]
unsigned reserved3 : 2; //!< [10:11]
unsigned load_ia32_perf_global_ctrl : 1; //!< [12]
unsigned reserved4 : 2; //!< [13:14]
unsigned acknowledge_interrupt_on_exit : 1; //!< [15]
unsigned reserved5 : 2; //!< [16:17]
unsigned save_ia32_pat : 1; //!< [18]
unsigned load_ia32_pat : 1; //!< [19]
unsigned save_ia32_efer : 1; //!< [20]
unsigned load_ia32_efer : 1; //!< [21]
unsigned save_vmx_preemption_timer_value : 1; //!< [22]
unsigned clear_ia32_bndcfgs : 1; //!< [23]
unsigned conceal_vmexits_from_intel_pt : 1; //!< [24]
} fields;
};
union VmxPinBasedControls {
unsigned int all;
struct {
unsigned external_interrupt_exiting : 1; //!< [0]
unsigned reserved1 : 2; //!< [1:2]
unsigned nmi_exiting : 1; //!< [3]
unsigned reserved2 : 1; //!< [4]
unsigned virtual_nmis : 1; //!< [5]
unsigned activate_vmx_peemption_timer : 1; //!< [6]
unsigned process_posted_interrupts : 1; //!< [7]
} fields;
};
union VmxProcessorBasedControls {
unsigned int all;
struct {
unsigned reserved1 : 2; //!< [0:1]
unsigned interrupt_window_exiting : 1; //!< [2]
unsigned use_tsc_offseting : 1; //!< [3]
unsigned reserved2 : 3; //!< [4:6]
unsigned hlt_exiting : 1; //!< [7]
unsigned reserved3 : 1; //!< [8]
unsigned invlpg_exiting : 1; //!< [9]
unsigned mwait_exiting : 1; //!< [10]
unsigned rdpmc_exiting : 1; //!< [11]
unsigned rdtsc_exiting : 1; //!< [12]
unsigned reserved4 : 2; //!< [13:14]
unsigned cr3_load_exiting : 1; //!< [15]
unsigned cr3_store_exiting : 1; //!< [16]
unsigned reserved5 : 2; //!< [17:18]
unsigned cr8_load_exiting : 1; //!< [19]
unsigned cr8_store_exiting : 1; //!< [20]
unsigned use_tpr_shadow : 1; //!< [21]
unsigned nmi_window_exiting : 1; //!< [22]
unsigned mov_dr_exiting : 1; //!< [23]
unsigned unconditional_io_exiting : 1; //!< [24]
unsigned use_io_bitmaps : 1; //!< [25]
unsigned reserved6 : 1; //!< [26]
unsigned monitor_trap_flag : 1; //!< [27]
unsigned use_msr_bitmaps : 1; //!< [28]
unsigned monitor_exiting : 1; //!< [29]
unsigned pause_exiting : 1; //!< [30]
unsigned activate_secondary_control : 1; //!< [31]
} fields;
};
/// See: Definitions of Secondary Processor-Based VM-Execution Controls
union VmxSecondaryProcessorBasedControls {
unsigned int all;
struct {
unsigned virtualize_apic_accesses : 1; //!< [0]
unsigned enable_ept : 1; //!< [1]
unsigned descriptor_table_exiting : 1; //!< [2]
unsigned enable_rdtscp : 1; //!< [3]
unsigned virtualize_x2apic_mode : 1; //!< [4]
unsigned enable_vpid : 1; //!< [5]
unsigned wbinvd_exiting : 1; //!< [6]
unsigned unrestricted_guest : 1; //!< [7]
unsigned apic_register_virtualization : 1; //!< [8]
unsigned virtual_interrupt_delivery : 1; //!< [9]
unsigned pause_loop_exiting : 1; //!< [10]
unsigned rdrand_exiting : 1; //!< [11]
unsigned enable_invpcid : 1; //!< [12]
unsigned enable_vm_functions : 1; //!< [13]
unsigned vmcs_shadowing : 1; //!< [14]
unsigned reserved1 : 1; //!< [15]
unsigned rdseed_exiting : 1; //!< [16]
unsigned reserved2 : 1; //!< [17]
unsigned ept_violation_ve : 1; //!< [18]
unsigned reserved3 : 1; //!< [19]
unsigned enable_xsaves_xstors : 1; //!< [20]
unsigned reserved4 : 1; //!< [21]
unsigned mode_based_execute_control_for_ept : 1; //!< [22]
unsigned reserved5 : 2; //!< [23:24]
unsigned use_tsc_scaling : 1; //!< [25]
} fields;
};
/// See: Guest Register State
union VmxRegmentDescriptorAccessRight {
unsigned int all;
struct {
unsigned type : 4; //!< [0:3]
unsigned system : 1; //!< [4]
unsigned dpl : 2; //!< [5:6]
unsigned present : 1; //!< [7]
unsigned reserved1 : 4; //!< [8:11]
unsigned avl : 1; //!< [12]
unsigned l : 1; //!< [13] Reserved (except for CS) 64-bit mode
unsigned db : 1; //!< [14]
unsigned gran : 1; //!< [15]
unsigned unusable : 1; //!< [16] Segment unusable
unsigned reserved2 : 15; //!< [17:31]
} fields;
};
union Cr0 {
ULONG_PTR all;
struct {
unsigned pe : 1; //!< [0] Protected Mode Enabled
unsigned mp : 1; //!< [1] Monitor Coprocessor FLAG
unsigned em : 1; //!< [2] Emulate FLAG
unsigned ts : 1; //!< [3] Task Switched FLAG
unsigned et : 1; //!< [4] Extension Type FLAG
unsigned ne : 1; //!< [5] Numeric Error
unsigned reserved1 : 10; //!< [6:15]
unsigned wp : 1; //!< [16] Write Protect
unsigned reserved2 : 1; //!< [17]
unsigned am : 1; //!< [18] Alignment Mask
unsigned reserved3 : 10; //!< [19:28]
unsigned nw : 1; //!< [29] Not Write-Through
unsigned cd : 1; //!< [30] Cache Disable
unsigned pg : 1; //!< [31] Paging Enabled
} fields;
};
static_assert(sizeof(Cr0) == sizeof(void*), "Size check");
/// See: CONTROL REGISTERS
union Cr4 {
ULONG_PTR all;
struct {
unsigned vme : 1; //!< [0] Virtual Mode Extensions
unsigned pvi : 1; //!< [1] Protected-Mode Virtual Interrupts
unsigned tsd : 1; //!< [2] Time Stamp Disable
unsigned de : 1; //!< [3] Debugging Extensions
unsigned pse : 1; //!< [4] Page Size Extensions
unsigned pae : 1; //!< [5] Physical Address Extension
unsigned mce : 1; //!< [6] Machine-Check Enable
unsigned pge : 1; //!< [7] Page Global Enable
unsigned pce : 1; //!< [8] Performance-Monitoring Counter Enable
unsigned osfxsr : 1; //!< [9] OS Support for FXSAVE/FXRSTOR
unsigned osxmmexcpt : 1; //!< [10] OS Support for Unmasked SIMD Exceptions
unsigned reserved1 : 2; //!< [11:12]
unsigned vmxe : 1; //!< [13] Virtual Machine Extensions Enabled
unsigned smxe : 1; //!< [14] SMX-Enable Bit
unsigned reserved2 : 2; //!< [15:16]
unsigned pcide : 1; //!< [17] PCID Enable
unsigned osxsave : 1; //!< [18] XSAVE and Processor Extended States-Enable
unsigned reserved3 : 1; //!< [19]
unsigned smep : 1; //!< [20] Supervisor Mode Execution Protection Enable
unsigned smap : 1; //!< [21] Supervisor Mode Access Protection Enable
} fields;
};
static_assert(sizeof(Cr4) == sizeof(void*), "Size check");
/// Represents a stack layout after PUSHAQ
union GpRegistersX64 {
ULONG_PTR all[16];
struct {
ULONG_PTR r15;
ULONG_PTR r14;
ULONG_PTR r13;
ULONG_PTR r12;
ULONG_PTR r11;
ULONG_PTR r10;
ULONG_PTR r9;
ULONG_PTR r8;
ULONG_PTR di;
ULONG_PTR si;
ULONG_PTR bp;
ULONG_PTR sp;
ULONG_PTR bx;
ULONG_PTR dx;
ULONG_PTR cx;
ULONG_PTR ax;
};
};
/// Represents a stack layout after PUSHAD
struct GpRegistersX86 {
ULONG_PTR di;
ULONG_PTR si;
ULONG_PTR bp;
ULONG_PTR sp;
ULONG_PTR bx;
ULONG_PTR dx;
ULONG_PTR cx;
ULONG_PTR ax;
};
/// Represents a stack layout after PUSHAx
#if defined(_AMD64_)
using GpRegisters = GpRegistersX64;
#else
using GpRegisters = GpRegistersX86;
#endif
struct KtrapFrameX86 {
ULONG reserved1[26];
ULONG ip; //!< Called EIP in _KTRAP_FRAME
ULONG reserved2[2];
ULONG sp; //!< Called HardwareEsp in _KTRAP_FRAME
ULONG reserved3[5];
};
static_assert(sizeof(KtrapFrameX86) == 0x8c, "structure size mismatch");
#if !defined(__clang__)
static_assert(FIELD_OFFSET(KtrapFrameX86, ip) == 0x68, "structure size mismatch");
static_assert(FIELD_OFFSET(KtrapFrameX86, sp) == 0x74, "structure size mismatch");
#endif
/// nt!_KTRAP_FRAME on x64
struct KtrapFrameX64 {
ULONG64 reserved1[45];
ULONG64 ip; //!< Called EIP in _KTRAP_FRAME
ULONG64 reserved2[2];
ULONG64 sp; //!< Called Rsp in _KTRAP_FRAME
ULONG64 reserved3;
};
static_assert(sizeof(KtrapFrameX64) == 0x190, "structure size mismatch");
#if !defined(__clang__)
static_assert(FIELD_OFFSET(KtrapFrameX64, ip) == 0x168, "structure size mismatch");
static_assert(FIELD_OFFSET(KtrapFrameX64, sp) == 0x180, "structure size mismatch");
#endif
/// See: Stack Usage on Transfers to Interrupt and Exception-Handling Routines
struct MachineFrame {
ULONG_PTR ip;
ULONG_PTR cs;
ULONG_PTR flags;
ULONG_PTR sp;
ULONG_PTR ss;
};
#if defined(_AMD64_)
using KtrapFrame = KtrapFrameX64;
#else
using KtrapFrame = KtrapFrameX86;
#endif
struct VmmInitialStack {
GpRegisters gp_regs;
KtrapFrame trap_frame;
//ProcessorData* processor_data;
};
union MovCrQualification {
ULONG_PTR all;
struct {
ULONG_PTR control_register : 4; //!< [0:3]
ULONG_PTR access_type : 2; //!< [4:5]
ULONG_PTR lmsw_operand_type : 1; //!< [6]
ULONG_PTR reserved1 : 1; //!< [7]
ULONG_PTR gp_register : 4; //!< [8:11]
ULONG_PTR reserved2 : 4; //!< [12:15]
ULONG_PTR lmsw_source_data : 16; //!< [16:31]
ULONG_PTR reserved3 : 32; //!< [32:63]
} fields;
};
#endif // !_VTSTRUCT__INCLUDED__
/// See: BASIC VMX INFORMATION