#include "stdafx.h"
#ifdef __cplusplus
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#endif
DWORD lpRet;            // Resume address for the trampoline: hooked function + patchCodeLen (written by HookApi, read by `jmp [lpRet]` in ZwQuerySystemInformationHookZone).
DWORD patchCodeLen = 0; // Number of original bytes displaced by the 5-byte jmp (whole instructions, >= 5, <= 16); also the number of bytes UnHookApi copies back.
#define SystemExtendedProcessInformation 57   // SYSTEM_INFORMATION_CLASS value not present in the headers this file builds against
// Process objects tracked by the create-process callback: the NP (GameGuard) process and the
// game process.  Note that only eprocess_game_process is ever assigned in this file
// (see GameGuardNotifyRoutine); eprocess_np_gameguard is only reset to NULL.
// Both are raw pointers held without an object reference -- see the caveat on GameGuardNotifyRoutine.
PEPROCESS eprocess_np_gameguard;
PEPROCESS eprocess_game_process;
void lh89hUnload(IN PDRIVER_OBJECT DriverObject);   // declared but not defined in this file; DDK_UnLoad is the unload routine actually installed by DriverEntry
EXTERN_C UCHAR *PsGetProcessImageFileName(__in PEPROCESS eprocess);   // undocumented ntoskrnl export: returns a pointer to the short image name stored in the EPROCESS
// One entry of the process list returned by ZwQuerySystemInformation for the
// SystemProcessesAndThreadsInformation / SystemExtendedProcessInformation (57) classes,
// in the Windows 2000/XP-era layout.  This is an undocumented, version-dependent structure;
// the only fields this file relies on are NextEntryDelta, ProcessName and ProcessId
// (see NewZwQuerySystemInformation) -- the rest are kept so that those sit at the right offsets.
typedef struct _SYSTEM_PROCESSES {
ULONG NextEntryDelta;                 // byte offset from this entry to the next one; 0 on the last entry
ULONG NumberOfThreads;                // number of SYSTEM_THREAD_INFORMATION records in Threads[]
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;           // counted (not necessarily NUL-terminated) string; Buffer is expected to point inside the same output buffer
KPRIORITY BasePriority;
HANDLE ProcessId;
HANDLE InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
ULONG PrivatePageCount;
VM_COUNTERS VirtualMemoryCounters;
IO_COUNTERS IoCounters;
SYSTEM_THREAD_INFORMATION Threads[0]; // zero-length array (MSVC extension): the per-thread records follow the fixed part
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
// Opaque x86 instruction-length decoder shipped as raw machine code (2359 bytes).
// HookApi casts &dis[0] to GETCODELENGTH (__stdcall, (PVOID code, DWORD *len)) and calls
// it to measure how many bytes the first whole instructions of the hook target occupy.
// The first bytes are `E9 0A 08 00 00` (jmp rel32 to offset 0x80F): the entry jumps over
// the opcode tables to the code that starts at offset 0x80F (`56 36 8B 74 24 08 ...`,
// push esi / mov esi,[esp+8]) and ends with `C2 08 00` (ret 8, matching the two __stdcall
// arguments).  The blob's provenance and correctness cannot be audited from this file, so
// treat it as untrusted code you are executing in ring 0.  It also lives in the driver's
// data section, which is only executable on kernels that do not enforce NX for driver data;
// placing it in a code section would be the usual fix.  Do not edit the bytes.
unsigned char dis[2359] =
{
0xE9, 0x0A, 0x08, 0x00, 0x00, 0xE8, 0x19, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10,
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10,
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10,
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10,
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00,
0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x08,
0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00,
0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00,
0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00,
0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00,
0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x08, 0x00, 0x00, 0x08, 0x08,
0x00, 0x00, 0x10, 0x08, 0x00, 0x00, 0x10, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00,
0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x08, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00,
0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00,
0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00,
0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00,
0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x10, 0x08, 0x00, 0x00, 0x10, 0x08,
0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x08, 0x08, 0x00, 0x00, 0x08, 0x08, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00,
0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00,
0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00,
0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0xE8, 0x44, 0x04, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x10,
0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x10,
0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x08, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x10, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x56,
0x36, 0x8B, 0x74, 0x24, 0x08, 0x33, 0xC0, 0x3E, 0x8A, 0x0E, 0x0F, 0xB6, 0xD1, 0x57, 0xE9, 0xE2,
0xF7, 0xFF, 0xFF, 0x5F, 0x3E, 0x0B, 0x04, 0x97, 0x5F, 0x46, 0xF6, 0xC4, 0x20, 0x74, 0x13, 0x3E,
0x8A, 0x06, 0x24, 0x38, 0xF6, 0xD8, 0x1B, 0xC0, 0x25, 0x00, 0xF0, 0xFF, 0xFF, 0x05, 0x00, 0x18,
0x00, 0x00, 0xF6, 0xC4, 0x40, 0x74, 0x13, 0x3E, 0x8A, 0x0E, 0x0F, 0xB6, 0xC1, 0x57, 0xE9, 0xB7,
0xFB, 0xFF, 0xFF, 0x5F, 0x3E, 0x8B, 0x04, 0x87, 0x5F, 0x46, 0xA8, 0x01, 0x74, 0x05, 0x83, 0xE0,
0xFE, 0xEB, 0xB4, 0xF6, 0xC4, 0x10, 0x74, 0x0D, 0xF6, 0xC1, 0x01, 0x74, 0x05, 0x83, 0xC8, 0x08,
0xEB, 0x03, 0x83, 0xC8, 0x10, 0xF6, 0xC4, 0x08, 0x53, 0x55, 0x57, 0xBF, 0x00, 0x02, 0x00, 0x00,
0xBD, 0x00, 0x04, 0x00, 0x00, 0xBB, 0x00, 0x01, 0x00, 0x00, 0x74, 0x55, 0x3E, 0x8A, 0x0E, 0x8A,
0xD1, 0x80, 0xE2, 0xC0, 0x46, 0x80, 0xE1, 0x07, 0x80, 0xFA, 0xC0, 0x74, 0x44, 0xA8, 0x04, 0x74,
0x1B, 0x84, 0xD2, 0x75, 0x07, 0x80, 0xF9, 0x06, 0x75, 0x37, 0x0B, 0xC7, 0x80, 0xFA, 0x40, 0x75,
0x02, 0x0B, 0xC3, 0x80, 0xFA, 0x80, 0x75, 0x29, 0x0B, 0xC7, 0xEB, 0x25, 0x80, 0xFA, 0x40, 0x75,
0x02, 0x0B, 0xC3, 0x80, 0xFA, 0x80, 0x75, 0x02, 0x0B, 0xC5, 0x80, 0xF9, 0x04, 0x75, 0x07, 0x3E,
0x8A, 0x0E, 0x80, 0xE1, 0x07, 0x46, 0x80, 0xF9, 0x05, 0x75, 0x06, 0x84, 0xD2, 0x75, 0x02, 0x0B,
0xC5, 0x84, 0xC0, 0x79, 0x0A, 0xA8, 0x04, 0x74, 0x04, 0x0B, 0xC7, 0xEB, 0x02, 0x0B, 0xC5, 0xA8,
0x08, 0x74, 0x0C, 0xA8, 0x02, 0x74, 0x05, 0x83, 0xC8, 0x20, 0xEB, 0x03, 0x83, 0xC8, 0x40, 0x85,
0xD8, 0x74, 0x01, 0x46, 0x85, 0xF8, 0x74, 0x02, 0x46, 0x46, 0x5F, 0x85, 0xE8, 0x5D, 0x5B, 0x74,
0x03, 0x83, 0xC6, 0x04, 0xA8, 0x10, 0x74, 0x01, 0x46, 0xA8, 0x20, 0x74, 0x02, 0x46, 0x46, 0xA8,
0x40, 0x74, 0x03, 0x83, 0xC6, 0x04, 0x36, 0x2B, 0x74, 0x24, 0x08, 0x36, 0x8B, 0x44, 0x24, 0x0C,
0x3E, 0x89, 0x30, 0x5E, 0xC2, 0x08, 0x00,
};
// Trampoline ("hook zone") shared by HookApi and UnHookApi.
// The 16 NOPs are a scratch slot: HookApi overwrites them at run time with the whole
// instructions it displaced from the start of the hooked function (at most 16 bytes, see
// the `> 16` check there), and the trailing `jmp [lpRet]` resumes the original function
// right after the installed 5-byte jmp.  `naked` means no prologue/epilogue is generated,
// so the slot really is the first bytes of the function and the caller's stack frame
// passes through untouched to the original code.  The slot lives in the driver's code
// section, which is why HookApi clears CR0.WP before writing into it.  One slot means one
// hooked function at a time.
__declspec(naked) void ZwQuerySystemInformationHookZone(...)
{
_asm
{
_emit 0x90;
_emit 0x90;
_emit 0x90;
_emit 0x90;
_emit 0x90;
_emit 0x90;
_emit 0x90;
_emit 0x90;
_emit 0x90;
_emit 0x90;
_emit 0x90;
_emit 0x90;
_emit 0x90;
_emit 0x90;
_emit 0x90;
_emit 0x90;
jmp [lpRet]; // absolute indirect jmp through the global; HookApi sets lpRet = hooked function + patchCodeLen
}
}
// Signature of the length decoder embedded in dis[]: stores the byte length of the
// instruction at `code` into *len (__stdcall, two arguments -- matches the `ret 8` that
// ends the blob).
typedef void (__stdcall *GETCODELENGTH)(PVOID code,DWORD *len);
// Prototype of ZwQuerySystemInformation.  The typedef name says "Process" but the
// parameters are the SystemInformation ones; it is used for both the hook and the trampoline.
typedef NTSTATUS (_stdcall * ZWQUERYINFORMATIONPROCESS)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
ZWQUERYINFORMATIONPROCESS RealZwQuerySystemInformation; // "the original": set by NewZwQuerySystemInformation to the trampoline, i.e. the displaced prologue followed by a jmp into the real function
// TRUE when the short image name stored in EProcess (the same field
// GetProcessImageFileNameByPoint copies 16 bytes of) is "taskmgr.exe", compared
// case-insensitively with _stricmp.  Only this caller receives the spoofed process list
// from NewZwQuerySystemInformation.  It is a name match, not an identity check: any
// process whose image happens to be called taskmgr.exe qualifies.  EProcess must be a
// valid process object (callers pass PsGetCurrentProcess()).
BOOLEAN IsFromDebugProcess(PEPROCESS EProcess)
{
    const char *image = (const char *)PsGetProcessImageFileName(EProcess);
    return (_stricmp(image, "taskmgr.exe") == 0) ? TRUE : FALSE;
}
// Coarse OS-version buckets used only to pick an EPROCESS field offset in GetProcessId.
// WINDOWS_VERSION_NONE (0) doubles as "not yet detected" in the WinVersion cache below.
typedef enum WIN_VER_DETAIL {
WINDOWS_VERSION_NONE, // 0 -- unknown / undetected
WINDOWS_VERSION_2K,
WINDOWS_VERSION_XP,
WINDOWS_VERSION_2K3,          // 5.2 with no service pack
WINDOWS_VERSION_2K3_SP1_SP2,  // 5.2 with a service pack
WINDOWS_VERSION_VISTA_2008,   // 6.0
WINDOWS_VERSION_7_7600_UP,    // 6.1, build 7600 or later
WINDOWS_VERSION_7_7000        // 6.1, build 7000 (beta)
} WIN_VER_DETAIL;
WIN_VER_DETAIL WinVersion;    // cache filled by GetWindowsVersion on first successful detection
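// Classify the running kernel into the WIN_VER_DETAIL buckets that GetProcessId's
// EPROCESS offset table understands.  The answer is cached in the global WinVersion after
// the first successful detection.  Returns WINDOWS_VERSION_NONE when RtlGetVersion fails
// or the version is not in the table (6.1 builds between 7001 and 7599, anything >= 6.2).
//
// Fix: 6.0 (Vista / Server 2008) was mapped to WINDOWS_VERSION_2K3_SP1_SP2, so GetProcessId
// read the PID at the 2003 offset (0x94) instead of the Vista one (0x9c) on those kernels.
WIN_VER_DETAIL GetWindowsVersion()
{
    RTL_OSVERSIONINFOEXW osverinfo;
    ULONG major, minor, build;

    if (WinVersion)
        return WinVersion;

    memset(&osverinfo, 0, sizeof(RTL_OSVERSIONINFOEXW));
    osverinfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW);
    if (RtlGetVersion((RTL_OSVERSIONINFOW*)&osverinfo) != STATUS_SUCCESS) {
        return WINDOWS_VERSION_NONE;
    }
    major = osverinfo.dwMajorVersion;
    minor = osverinfo.dwMinorVersion;
    build = osverinfo.dwBuildNumber;

    if (major == 5) {
        switch (minor) {
        case 0:
            WinVersion = WINDOWS_VERSION_2K;
            break;
        case 1:
            WinVersion = WINDOWS_VERSION_XP;
            break;
        case 2:
            // 5.2 is Server 2003 (and XP x64): the EPROCESS layout changed with SP1.
            WinVersion = (osverinfo.wServicePackMajor == 0) ? WINDOWS_VERSION_2K3
                                                            : WINDOWS_VERSION_2K3_SP1_SP2;
            break;
        default:
            break;
        }
    } else if (major == 6) {
        if (minor == 0) {
            WinVersion = WINDOWS_VERSION_VISTA_2008;
        } else if (minor == 1 && build == 7000) {
            WinVersion = WINDOWS_VERSION_7_7000;
        } else if (minor == 1 && build >= 7600) {
            WinVersion = WINDOWS_VERSION_7_7600_UP;
        }
    }
    // Unmatched versions leave WinVersion at WINDOWS_VERSION_NONE, so detection is retried next call.
    return WinVersion;
}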
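// Read the process id out of an EPROCESS using a hard-coded, version-specific field offset.
// Returns 0 when pEprocess is NULL or not mapped, when called above PASSIVE_LEVEL, or when
// the running OS version has no entry in the offset table (Windows 2000 and anything
// GetWindowsVersion does not recognise).
//
// Fixes: the offset variable was uninitialized, so an unknown version read a garbage offset
// (the switch had no default); the function also returned NULL from a ULONG-returning function.
//
// Notes for maintainers:
//  - the offsets are x86 values for the listed versions only; the documented PsGetProcessId()
//    export (XP and later) would make the table unnecessary;
//  - MmIsAddressValid is only a point-in-time check; it does not guarantee the page stays
//    resident, nor that the pointer really is an EPROCESS.
ULONG GetProcessId(IN PEPROCESS pEprocess)
{
    ULONG ulProcessId = 0;
    ULONG g_Offset_Eprocess_ProcessId = 0;   // 0 == "no table entry for this version"
    WIN_VER_DETAIL WinVer;

    if (!ARGUMENT_PRESENT(pEprocess) ||
        !MmIsAddressValid(pEprocess))
    {
        DbgPrint("我是aa");
        return 0;
    }
    if (KeGetCurrentIrql() > PASSIVE_LEVEL)   // GetWindowsVersion and DbgPrint are PASSIVE_LEVEL work
    {
        DbgPrint("我是c");
        return 0;
    }

    WinVer = GetWindowsVersion();
    switch (WinVer)
    {
    case WINDOWS_VERSION_XP:
        g_Offset_Eprocess_ProcessId = 0x84;
        break;
    case WINDOWS_VERSION_7_7600_UP:
    case WINDOWS_VERSION_7_7000:
        g_Offset_Eprocess_ProcessId = 0xb4;
        break;
    case WINDOWS_VERSION_VISTA_2008:
        g_Offset_Eprocess_ProcessId = 0x09c;
        break;
    case WINDOWS_VERSION_2K3_SP1_SP2:
        g_Offset_Eprocess_ProcessId = 0x94;
        break;
    case WINDOWS_VERSION_2K3:
        g_Offset_Eprocess_ProcessId = 0x084;
        break;
    default:
        g_Offset_Eprocess_ProcessId = 0;   // WINDOWS_VERSION_2K / NONE: refuse rather than guess
        break;
    }
    if (g_Offset_Eprocess_ProcessId == 0)
    {
        return 0;
    }

    ulProcessId = *((PULONG)((ULONG)pEprocess + g_Offset_Eprocess_ProcessId));   // UniqueProcessId field (x86 pointer width)
    DbgPrint("我是d%d", ulProcessId);
    return ulProcessId;
}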
// Copy the short image name of a process into ProcName.
// ProcName must point at a writable buffer of at least 64 bytes (it is declared LPCSTR
// only for historical reasons -- the function writes through it).  The buffer is always
// zeroed first; when Eprocess is NULL it is left empty, otherwise the first 16 bytes of
// the name returned by PsGetProcessImageFileName are copied in.  Because the buffer was
// zeroed and 16 < 64, the result is always NUL-terminated.
void GetProcessImageFileNameByPoint(PVOID Eprocess , LPCSTR ProcName)
{
    PVOID out = (PVOID)ProcName;

    RtlZeroMemory(out, 64);
    if (Eprocess == NULL)
    {
        return;
    }
    RtlCopyMemory(out, PsGetProcessImageFileName((PEPROCESS)Eprocess), 16);
}
DWORD aaa = 1111 ;   // not referenced anywhere in this file; presumably leftover debugging state
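// Rewrite one SYSTEM_PROCESSES entry in place so that it looks like the game process:
// ProcessId becomes the game's PID (+1 -- the original author's workaround, kept as-is)
// and ProcessName becomes the game's image name, or the placeholder when that cannot be
// obtained.  nameMaxChars is the capacity of entry->ProcessName.Buffer in WCHARs, already
// validated by the caller against the output buffer; no write exceeds it.
// Returns TRUE when the game's real name was written (the caller stops walking the list),
// FALSE when only the placeholder was written.
static BOOLEAN SpoofProcessEntry(PSYSTEM_PROCESSES entry, PEPROCESS game, USHORT nameMaxChars, PCUNICODE_STRING placeholder)
{
    CHAR PsName[128];
    ANSI_STRING AnSi;
    UNICODE_STRING gmName;
    int PID;
    USHORT chars;

    PID = GetProcessId(game);
    entry->ProcessId = (HANDLE)(PID + 1);
    DbgPrint("我是CSRSS进程%d", entry->ProcessId);

    GetProcessImageFileNameByPoint(game, PsName);
    if (PsName[0] != '\0')
    {
        RtlInitAnsiString(&AnSi, PsName);
        if (RtlAnsiStringToUnicodeString(&gmName, &AnSi, TRUE) == STATUS_SUCCESS)
        {
            chars = (USHORT)(gmName.Length / sizeof(WCHAR));
            if (chars > nameMaxChars)
                chars = nameMaxChars;                       // truncate instead of overrunning the caller's buffer
            RtlCopyMemory(entry->ProcessName.Buffer, gmName.Buffer, chars * sizeof(WCHAR));
            if (chars < nameMaxChars)
                entry->ProcessName.Buffer[chars] = L'\0';
            entry->ProcessName.Length = (USHORT)(chars * sizeof(WCHAR));
            // The characters now live in the caller's buffer, so the temporary string can be
            // released here.  (The original never freed it -- one paged-pool leak per match.)
            RtlFreeUnicodeString(&gmName);
            return TRUE;
        }
    }

    chars = (USHORT)(placeholder->Length / sizeof(WCHAR));
    if (chars > nameMaxChars)
        chars = nameMaxChars;
    RtlCopyMemory(entry->ProcessName.Buffer, placeholder->Buffer, chars * sizeof(WCHAR));
    if (chars < nameMaxChars)
        entry->ProcessName.Buffer[chars] = L'\0';
    entry->ProcessName.Length = (USHORT)(chars * sizeof(WCHAR));
    return FALSE;
}

// Hook body installed over the SSDT target of ZwQuerySystemInformation.
// The original is always called first through the trampoline.  When it succeeds, the
// caller is taskmgr.exe (IsFromDebugProcess) and the class is one of the process-list
// classes, the returned list is walked and the entry whose name contains DBGVIEW.EXE is
// rewritten to impersonate the recorded game process (see SpoofProcessEntry).  Every
// other caller -- including the game and NP themselves -- sees the unmodified list.
//
// SystemInformation is the *caller's* buffer (user memory for a user-mode caller, which
// the SSDT path is).  The original walked it unguarded, trusting NextEntryDelta and
// ProcessName.Buffer/Length, which the caller can rewrite from another thread or unmap
// altogether: an arbitrary kernel read/write or a bugcheck.  The walk is therefore
// bounded by SystemInformationLength, each entry's fields are snapshotted before use,
// and the whole thing is wrapped in __try so that a vanished page only aborts the spoofing.
NTSTATUS __stdcall NewZwQuerySystemInformation(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
)
{
    NTSTATUS ntStatus;
    PEPROCESS game;

    // Call the original first (trampoline = displaced prologue + jmp into the real function).
    RealZwQuerySystemInformation = (ZWQUERYINFORMATIONPROCESS)ZwQuerySystemInformationHookZone;
    ntStatus = RealZwQuerySystemInformation(SystemInformationClass,
                                            SystemInformation,
                                            SystemInformationLength,
                                            ReturnLength);
    if (!NT_SUCCESS(ntStatus))
    {
        return ntStatus;
    }

    if (SystemInformationClass != SystemProcessesAndThreadsInformation &&
        SystemInformationClass != SystemExtendedProcessInformation)
    {
        return ntStatus;
    }
    if (!IsFromDebugProcess(PsGetCurrentProcess()))
    {
        return ntStatus;
    }

    game = eprocess_game_process;   // read once: the exit callback may clear the global concurrently
    if (game == NULL || SystemInformation == NULL)
    {
        return ntStatus;
    }

    __try
    {
        ULONG_PTR base = (ULONG_PTR)SystemInformation;
        ULONG_PTR limit = base + SystemInformationLength;   // the kernel filled at most this much
        PSYSTEM_PROCESSES pptem = (PSYSTEM_PROCESSES)SystemInformation;
        UNICODE_STRING placeholder;
        WCHAR psname[512];

        // Same characters as the original's ANSI->Unicode conversion of "nihhaoa", without
        // the pool allocation that was never freed.
        RtlInitUnicodeString(&placeholder, L"nihhaoa");

        while (pptem != NULL)
        {
            ULONG_PTR cur = (ULONG_PTR)pptem;
            PWCHAR nameBuf;
            USHORT nameLen, nameMax;
            ULONG delta;

            // The fixed part of the entry must lie inside the buffer.
            if (cur < base || cur > limit || limit - cur < sizeof(SYSTEM_PROCESSES))
            {
                break;
            }

            // Snapshot the fields we act on; validate and use the same values.
            nameBuf = pptem->ProcessName.Buffer;
            nameLen = pptem->ProcessName.Length;
            nameMax = pptem->ProcessName.MaximumLength;
            delta   = pptem->NextEntryDelta;

            if (nameBuf != NULL &&
                (ULONG_PTR)nameBuf >= base &&
                (ULONG_PTR)nameBuf <= limit &&
                limit - (ULONG_PTR)nameBuf >= nameMax &&
                nameLen <= nameMax)
            {
                USHORT chars = (USHORT)(nameLen / sizeof(WCHAR));
                if (chars > 511)
                    chars = 511;
                // ProcessName is a counted string; copy by length and terminate explicitly
                // (wcsncpy on a non-terminated buffer could read past it and leave psname unterminated).
                RtlCopyMemory(psname, nameBuf, chars * sizeof(WCHAR));
                psname[chars] = L'\0';
                _wcsupr(psname);
                if (wcsstr(psname, L"DBGVIEW.EXE") != NULL)
                {
                    if (SpoofProcessEntry(pptem, game, (USHORT)(nameMax / sizeof(WCHAR)), &placeholder))
                    {
                        break;   // as before: stop after the first entry successfully renamed
                    }
                }
            }

            if (delta == 0)
            {
                break;
            }
            if (delta >= limit - cur)   // next entry would start at or beyond the end of the buffer
            {
                break;
            }
            pptem = (PSYSTEM_PROCESSES)(cur + delta);
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // The caller's buffer went away (or was never readable) while we walked it.  The
        // original call already completed, so just return its status.
    }
    return ntStatus;
}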
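// Resolve the SSDT entry (the Nt* implementation) behind an exported Zw* name.
// On x86 every ntoskrnl Zw* stub starts with `mov eax, imm32` (B8 xx xx xx xx) where the
// immediate is the service index; the index is read from there and used to look up
// KeServiceDescriptorTable->ServiceTable.  Returns 0 when the name is NULL, the export is
// not found, or the stub does not have the expected shape (the original dereferenced
// address 1 / an uninitialized index in those cases).
//
// TODO(review): if the SSDT declaration in stdafx.h exposes the service count, bound-check
// `index` against it before indexing the table.
DWORD GetFunctionAddresBy_SSDT(WCHAR* ZwFunctionName)
{
    UNICODE_STRING functionName;
    ULONG_PTR zwAddress;
    DWORD index;

    if (ZwFunctionName == NULL)
    {
        return 0;
    }
    RtlInitUnicodeString(&functionName, ZwFunctionName);
    zwAddress = (ULONG_PTR)MmGetSystemRoutineAddress(&functionName);
    if (zwAddress == 0)
    {
        return 0;   // no such export on this kernel
    }
    if (*(BYTE*)zwAddress != 0xB8)
    {
        return 0;   // not `mov eax, imm32`: different build/architecture, don't trust the next 4 bytes
    }
    index = *((DWORD*)(zwAddress + 1));   // service index
    return KeServiceDescriptorTable->ServiceTable[index];
}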
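// Inline-hook the SSDT target named by ZwFunctionName so that it jumps to NewFunctionAddress.
// The first whole instructions of the target (>= 5 bytes, measured with the length decoder
// in dis[]) are copied into the NOP slot of ZwQuerySystemInformationHookZone, whose
// trailing `jmp [lpRet]` resumes the target right after the patch; the patch itself is a
// 5-byte `jmp rel32` followed by NOP padding.  Returns TRUE on success.  Returns FALSE,
// with nothing written and patchCodeLen reset to 0 (so UnHookApi is a no-op), when the
// target cannot be resolved, the decoder yields no usable length, or the prologue does not
// fit the 16-byte slot.
//
// Fixes: the function had no return on the success path (callers read a garbage BOOL);
// on the "> 16" failure path patchCodeLen stayed > 16, and DDK_UnLoad -> UnHookApi would
// then copy that many bytes of the unfilled hook zone over the kernel function; a decoder
// result of 0 looped forever; a zero target address was patched.
//
// Known limitations, unchanged from the original design:
//  - displaced bytes are copied verbatim, not relocated: an EIP-relative instruction
//    (call/jmp/jcc rel8/rel32) inside them would branch to the wrong place from the slot;
//  - CLI and CR0.WP are per-CPU and the multi-byte write is not atomic, so another CPU can
//    execute the target while it is half-rewritten; this is x86-only code;
//  - dis[] is executed from the data section (see its header comment).
BOOL HookApi(DWORD NewFunctionAddress,WCHAR* ZwFunctionName)
{
    BYTE jmpCode[5]={0xe9,0x00,0x00,0x00,0x00};   // E9 rel32: jmp to NewFunctionAddress
    DWORD oldFunctionAddress;
    GETCODELENGTH GetCodeLength;
    DWORD len;

    patchCodeLen = 0;   // fresh measurement; this global is also UnHookApi's restore length
    oldFunctionAddress = GetFunctionAddresBy_SSDT(ZwFunctionName);
    if (oldFunctionAddress == 0 || NewFunctionAddress == 0)
    {
        return FALSE;
    }

    // Accumulate whole instructions until the 5-byte jmp fits.
    GetCodeLength = (GETCODELENGTH)(&dis[0]);
    while (patchCodeLen < 5)
    {
        len = 0;
        GetCodeLength((PVOID)(oldFunctionAddress + patchCodeLen), &len);
        if (len == 0 || len > 16)
        {
            patchCodeLen = 0;   // decoder gave nothing usable: don't spin, don't over-copy
            return FALSE;
        }
        patchCodeLen += len;
    }
    if (patchCodeLen > 16)   // the hook zone has exactly 16 bytes of scratch space
    {
        patchCodeLen = 0;
        return FALSE;
    }
    DbgPrint("需要HOOK的字节数为:%d\n",patchCodeLen);

    *(DWORD*)(&jmpCode[1]) = NewFunctionAddress - (oldFunctionAddress + 5);   // rel32 is relative to the end of the jmp
    lpRet = oldFunctionAddress + patchCodeLen;                               // where the trampoline resumes

    _asm
    {
    CLI ;                      // mask interrupts on this CPU while WP is off
    MOV EAX, CR0 ;
    AND EAX, NOT 10000H ;      // clear CR0.WP so read-only code pages can be written
    MOV CR0, EAX;
    }
    // 1) save the displaced prologue into the hook zone (driver .text -- needs WP off too)
    memcpy(ZwQuerySystemInformationHookZone,(void *)oldFunctionAddress,patchCodeLen);
    // 2) NOP the whole displaced range, then 3) drop the jmp over its first 5 bytes
    memset((void *)oldFunctionAddress,0x90,patchCodeLen);
    memcpy((void *)oldFunctionAddress,jmpCode,5);
    _asm
    {
    MOV EAX, CR0;
    OR EAX, 10000H;            // restore CR0.WP
    MOV CR0, EAX ;
    STI;
    }
    return TRUE;
}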
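// Put the original prologue back over the hooked SSDT target.  The saved bytes are the
// first patchCodeLen bytes of ZwQuerySystemInformationHookZone (HookApi stored them there).
// A no-op when nothing is hooked.  patchCodeLen is reset afterwards so that a second call
// is harmless and a later HookApi measures afresh.
//
// Fixes: a patchCodeLen left > 16 by a failed HookApi is now treated as "nothing hooked"
// instead of copying 16+ bytes of NOPs over the kernel function; a target address of 0 is
// no longer written to; the unused uniFunctionName local is gone.
//
// Caveat (unchanged): there is no quiescence wait.  A thread that is inside
// NewZwQuerySystemInformation or the hook zone when the driver unloads returns into freed
// code, and CLI/CR0.WP only affect the current CPU.
void UnHookApi(WCHAR* ZwFunctionName)
{
    DWORD oldFunctionAddress;

    if (patchCodeLen == 0 || patchCodeLen > 16)
    {
        patchCodeLen = 0;   // nothing installed (or junk from a failed HookApi): never restore from an unfilled slot
        return;
    }
    oldFunctionAddress = GetFunctionAddresBy_SSDT(ZwFunctionName);
    if (oldFunctionAddress == 0)
    {
        return;
    }

    _asm
    {
    CLI ;
    MOV EAX, CR0 ;
    AND EAX, NOT 10000H ;      // clear CR0.WP
    MOV CR0, EAX;
    }
    memcpy((PVOID)oldFunctionAddress,(PVOID)ZwQuerySystemInformationHookZone,patchCodeLen);
    _asm
    {
    MOV EAX, CR0;
    OR EAX, 10000H;            // restore CR0.WP
    MOV CR0, EAX ;
    STI;
    }
    patchCodeLen = 0;
}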
// TRUE when EProcess's short image name is "abcdefg.exe" (case-insensitive).  "abcdefg.exe"
// stands in for the NP/GameGuard executable the create-process callback is looking for;
// like IsFromDebugProcess this is a plain name match on the EPROCESS image name.
BOOLEAN IsGameMonProcess(PEPROCESS EProcess)
{
    const char *image = (const char *)PsGetProcessImageFileName(EProcess);
    return (_stricmp(image, "abcdefg.exe") == 0) ? TRUE : FALSE;
}
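// Create-process notification (registered by GameGuardProcessNotifyRoutine).
// On creation of a process that IsGameMonProcess recognises, its EPROCESS is recorded in
// the global eprocess_game_process for NewZwQuerySystemInformation to impersonate.  On
// exit, the globals that point at the exiting process are cleared.  hparentId is unused:
// the original author considered taking the parent (the game that started NP) instead,
// but that variant was left disabled.
//
// Fix: the lookup reference was released *before* Eprocess was used; it is now released
// after the last use.
//
// Caveat (unchanged design): the globals hold raw EPROCESS pointers without an object
// reference.  Their validity relies on the exit notification clearing them before the
// object is freed, and the hook reads them concurrently with no synchronization.
VOID GameGuardNotifyRoutine(IN HANDLE hparentId, IN HANDLE PId,IN BOOLEAN bCreate)
{
    PEPROCESS Eprocess;
    NTSTATUS rc;

    (void)hparentId;

    rc = PsLookupProcessByProcessId(PId, &Eprocess);   // takes a reference on success
    if (!NT_SUCCESS(rc))
    {
        return;
    }

    if (bCreate)
    {
        if (IsGameMonProcess(Eprocess))
        {
            DWORD a;
            // Only eprocess_game_process is ever populated in this file; eprocess_np_gameguard
            // stays NULL.
            eprocess_game_process = Eprocess;
            a = (DWORD)GetProcessId(eprocess_game_process);
            DbgPrint("记录下来了%d", a);
        }
    }
    else
    {
        // Process exit: drop any global that points at it.
        if (Eprocess == eprocess_game_process)
        {
            eprocess_game_process = NULL;
        }
        if (Eprocess == eprocess_np_gameguard)
        {
            eprocess_np_gameguard = NULL;
        }
    }

    ObDereferenceObject(Eprocess);   // release the lookup reference after the last use above
}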
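// Reset the tracked process globals and register GameGuardNotifyRoutine as a
// create-process callback (FALSE = add).
//
// Fix: the registration status was ignored.  If it fails (the kernel has a fixed number of
// callback slots), the game process is never recorded and the hook silently stays inert,
// so at least say so in the debug output.
void GameGuardProcessNotifyRoutine()
{
    NTSTATUS status;

    eprocess_np_gameguard = NULL;
    eprocess_game_process = NULL;

    status = PsSetCreateProcessNotifyRoutine(GameGuardNotifyRoutine, FALSE);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("PsSetCreateProcessNotifyRoutine failed: 0x%08X\n", status);
    }
}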
// Driver unload routine (installed by DriverEntry).  Removes the inline hook first, then
// deregisters the create-process callback (TRUE = remove), then logs.  Note that UnHookApi
// does not wait for threads still executing inside the hook -- see its comment.
void DDK_UnLoad(IN PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject;

    UnHookApi(L"ZwQuerySystemInformation");
    PsSetCreateProcessNotifyRoutine(GameGuardNotifyRoutine, TRUE);
    DbgPrint("Goodbye from DDK_UnLoad!\n");
}
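// Driver entry point: installs DDK_UnLoad, registers the create-process callback, then
// inline-hooks ZwQuerySystemInformation with NewZwQuerySystemInformation.
//
// Fix: a failed HookApi used to be reported with STATUS_SUCCESS, leaving a resident driver
// with a registered callback and no hook.  DriverUnload is not invoked when DriverEntry
// fails, so the callback is removed here before returning an error.  (UnHookApi is not
// called on this path: HookApi writes nothing when it fails.)
//
// This driver is x86-only by construction: DWORD-sized code addresses, CLI/STI and CR0
// writes in inline assembly, and hard-coded EPROCESS offsets.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    BOOL rs;

    (void)RegistryPath;

    KdPrint(("驱动被加载!!!"));
    DriverObject->DriverUnload = DDK_UnLoad;

    GameGuardProcessNotifyRoutine();
    rs = HookApi((DWORD)NewZwQuerySystemInformation, L"ZwQuerySystemInformation");
    if (rs)
    {
        DbgPrint("Hook success");
        return STATUS_SUCCESS;
    }

    DbgPrint("Hook fatl");
    PsSetCreateProcessNotifyRoutine(GameGuardNotifyRoutine, TRUE);   // TRUE = remove; no unload callback will run for us
    return STATUS_UNSUCCESSFUL;
}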