pwp
This commit is contained in:
CSlime 2021-10-20 17:26:57 +08:00
parent 05ba625669
commit b4c63ab569
1 changed files with 12 additions and 9 deletions


@ -197,7 +197,7 @@ VOID DispatchCallback(ULONG64 pRsp) {
if (RspOffset == 0) {
if (Rsp[0] == 0x1122334455667788) {
if (Rsp[1] == 0x8877665544772299) {
//搜索栈上Object偏移
//搜索栈上Object偏移
ULONG64 OLRSP = (ULONG64)Rsp;
for (int j = 0; OLRSP > pRsp && j < 0x1000; OLRSP -= 8, j += 8) {
if (*(ULONG64*)OLRSP == NtDeviceIoControlFileRet) {
@ -226,7 +226,7 @@ VOID DispatchCallback(ULONG64 pRsp) {
if (RspOffset_NtQuery == 0 && DispatchControl::enable_ntq) {
if (Rsp[0] == 0xCC22334455666688) {
if (Rsp[1] == 0xAA77665544333399) {
//搜索栈上参数偏移
//搜索栈上参数偏移
ULONG64 OLRSP = (ULONG64)Rsp;
for (int j = 0; OLRSP > pRsp && j < 0x800; OLRSP -= 8, j += 8) {
if (*(ULONG64*)OLRSP == NtQueryVolumeInformationFileRet) {
@ -250,7 +250,7 @@ VOID DispatchCallback(ULONG64 pRsp) {
}
}
//搜不到就蓝屏
//搜不到就蓝屏
if (NtQuery_Offset_Length == 0) {
KeBugCheck(0x33221);
}
@ -458,7 +458,7 @@ VOID InstallHook(fnIoCtlPostCallback PostCallback, PVOID PreCallback, PVOID NtQu
ULONG bn = KGetBuildNumber();
//搜索调用NtDeviceIoControlFile的时候堆栈中会出现的返回地址
//搜索调用NtDeviceIoControlFile的时候堆栈中会出现的返回地址
//E8 ?? ?? ?? ?? 48 8B D8 48 89 84 24 ?? ?? ?? ?? 48 85 C0
//E8 ?? ?? ?? ?? 48 83 C4
ULONG64 pNtDeviceIoControlFile = (ULONG64)KGetProcAddress((PVOID)ntos, "NtDeviceIoControlFile");
@ -473,7 +473,7 @@ VOID InstallHook(fnIoCtlPostCallback PostCallback, PVOID PreCallback, PVOID NtQu
//printf("[112233] NtDeviceIoControlFileRet %p\n", NtDeviceIoControlFileRet);
//printf("[112233] NtFsControlFileRet %p\n", NtFsControlFileRet);
//搜索调用NtQueryVolumeInformationFile的时候堆栈中会出现的返回地址
//搜索调用NtQueryVolumeInformationFile的时候堆栈中会出现的返回地址
//NtQueryVolumeInformationFileRet
ULONG64 pNtQueryVolumeInformationFile = (ULONG64)KGetProcAddress((PVOID)ntos, "NtQueryVolumeInformationFile");
if (BuildNumber < WIN10_1507) {
@ -545,7 +545,10 @@ VOID InstallHook(fnIoCtlPostCallback PostCallback, PVOID PreCallback, PVOID NtQu
memcpy(pcode, shellcode, sizeof(shellcode));
*(ULONG64 *)(pcode + 0x22) = ((ULONG64)DispatchCallback) ^ 0x7fffffff;
//修改ViPacketLookaside.AllocEx
//ViPacketLookaside.Region=0
//防止RtlpInterlockedPopEntrySList返回值
*(ULONG64*)(ViPacketLookaside + 0x8) = 0;
//修改ViPacketLookaside.AllocEx
ULONG64 pfn = *(ULONG64*)(ViPacketLookaside + 0x30);
LARGE_INTEGER Addr;
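Review bot: The new comment `//防止RtlpInterlockedPopEntrySList返回值` is an incomplete sentence — it names the function whose return value the store is meant to influence but not which value or effect is being prevented, so a reader cannot tell why the field at `ViPacketLookaside + 0x8` must be zero before the pointer at `+ 0x30` is read two lines later. Finish the thought in the comment, e.g. `// Region = 0 so that RtlpInterlockedPopEntrySList returns <state the expected result> — confirm against the target build`, and record that the 0x8/0x30 offsets are hard-coded structure layouts with no build-number guard visible in this hunk, although InstallHook branches on BuildNumber elsewhere on this page. InstallHook starts and ends outside the hunk.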
@ -599,7 +602,7 @@ VOID FnNtQueryPreCallback(HOOK_NTQUERY_CONTEXT *aContext) {
}
BOOL DICPostCallback(HOOK_DEVICE_IO_CONTEXT* Context) {
//提升irql至2,关闭smap
//提升irql至2,关闭smap
IRQL_STATE state;
KRaiseIrqlToDpcOrHigh(&state);
Cr4 cr4;
@ -618,7 +621,7 @@ BOOL DICPostCallback(HOOK_DEVICE_IO_CONTEXT* Context) {
return ret;
}
VOID DICPreCallback(HOOK_DEVICE_IO_CONTEXT* aContext) {
//提升irql至2,关闭smap
//提升irql至2,关闭smap
IRQL_STATE state;
KRaiseIrqlToDpcOrHigh(&state);
Cr4 cr4;
@ -636,7 +639,7 @@ VOID DICPreCallback(HOOK_DEVICE_IO_CONTEXT* aContext) {
KLowerIrqlToState(&state);
}
VOID NtQueryPreCallback(HOOK_NTQUERY_CONTEXT* aContext) {
//提升irql至2,关闭smap
//提升irql至2,关闭smap
IRQL_STATE state;
KRaiseIrqlToDpcOrHigh(&state);
Cr4 cr4;