用驱动实现自己的 ZwOpenProcess ZwReadVirtualMemory ZwWriteVirtualMemory

ipaddress8086 · 发表于 2010-12-16 19:56:39

前几天网路上看到的驱动程式码

用WDK 7600.16385.1编译不出来sys我完全不会用看教学做编译失败
请问有办法编译成sys
我只有学过VB6能力不够呜呜

希望能编译成sys能让VB使用这各驱动请求大大帮忙了

// jhxxs.C

#include "dbghelp.h"
#include "jhxxs.h"
#include <stdio.h>

#include <ntdef.h>
#include <ntstatus.h>
#include <ntddk.h>
//
// A structure representing the instance information associated with
// a particular device
//

typedef struct _DEVICE_EXTENSION
{
ULONG StateVariable;

} DEVICE_EXTENSION, *PDEVICE_EXTENSION;

typedef struct _KAPC_STATE{
      LIST_ENTRY       ApcListHead[2];
      PEPROCESS       Process;
      UCHAR             KernelApcInProgress;
      UCHAR             KernelApcPending;
      UCHAR             UserApcPending;
}KAPC_STATE,*PKAPC_STATE;

NTKERNELAPI void KeStackAttachProcess(IN PEPROCESS Process, OUT PKAPC_STATE ApcState);

NTKERNELAPI void KeUnstackDetachProcess(IN PKAPC_STATE ApcState);

NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId,OUT PEPROCESS * pEProcess);

NTKERNELAPI NTSTATUS ObOpenObjectByPointer(
IN PVOID Object,
IN ULONG HandleAttributes,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PHANDLE Handle
      );
//
// Device driver routine declarations.
//

NTSTATUS
DriverEntry(
      IN PDRIVER_OBJECT             DriverObject,
      IN PUNICODE_STRING             RegistryPath
      );

NTSTATUS
JhxxsDispatchCreate(
      IN PDEVICE_OBJECT             DeviceObject,
      IN PIRP                                     Irp
      );

NTSTATUS
JhxxsDispatchClose(
      IN PDEVICE_OBJECT             DeviceObject,
      IN PIRP                                     Irp
      );

NTSTATUS
JhxxsDispatchDeviceControl(
      IN PDEVICE_OBJECT             DeviceObject,
      IN PIRP                                     Irp
      );

VOID
JhxxsUnload(
      IN PDRIVER_OBJECT             DriverObject
      );

#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, JhxxsDispatchCreate)
#pragma alloc_text(PAGE, JhxxsDispatchClose)
#pragma alloc_text(PAGE, JhxxsDispatchDeviceControl)
#pragma alloc_text(PAGE, JhxxsUnload)
#endif // ALLOC_PRAGMA

NTSTATUS
MyWriteMemory(IN HANDLE hProcess,OUT PVOID BaseAddress,IN PVOID Pbuff,IN ULONG BufferSize)
{
PEPROCESS EProcess;
KAPC_STATE ApcState;
PVOID writebuffer=NULL;
NTSTATUS status;

status = ObReferenceObjectByHandle(
               hProcess,
               PROCESS_VM_WRITE|PROCESS_VM_READ,
               NULL,
               KernelMode,
               &EProcess,
               NULL
               );

if(!NT_SUCCESS(status))
{
ObDereferenceObject(EProcess);
return STATUS_UNSUCCESSFUL;
}
writebuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');

if(writebuffer==NULL)
{
ObDereferenceObject(EProcess);
ExFreePool (writebuffer);
return STATUS_UNSUCCESSFUL;
}
*(ULONG*)writebuffer=(ULONG)0x1;

if (MmIsAddressValid(Pbuff))
{
__try
{
ProbeForRead ((CONST PVOID)Pbuff, BufferSize, sizeof(CHAR));
RtlCopyMemory (writebuffer, Pbuff, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}

if (NT_SUCCESS(status))
{
KeStackAttachProcess (EProcess, &ApcState);
if (MmIsAddressValid(BaseAddress))
{
__try
{
ProbeForWrite ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
RtlCopyMemory (BaseAddress,writebuffer, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
KeUnstackDetachProcess (&ApcState);
}

ObDereferenceObject(EProcess);
ExFreePool (writebuffer);
return status;
}

NTSTATUS
MyReadMemory(IN HANDLE hProcess,IN PVOID BaseAddress,OUT PVOID Pbuff,IN ULONG BufferSize)
{
PEPROCESS EProcess;
KAPC_STATE ApcState;
PVOID readbuffer=NULL;
NTSTATUS status;

status = ObReferenceObjectByHandle(
               hProcess,
               PROCESS_VM_WRITE|PROCESS_VM_READ,
               NULL,
               KernelMode,
               &EProcess,
               NULL
               );

if(!NT_SUCCESS(status))
{
ObDereferenceObject(EProcess);
return STATUS_UNSUCCESSFUL;
}

readbuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');

if(readbuffer==NULL)
{
ObDereferenceObject(EProcess);
ExFreePool (readbuffer);
return STATUS_UNSUCCESSFUL;
}
*(ULONG*)readbuffer=(ULONG)0x1;

KeStackAttachProcess (EProcess, &ApcState);
if (MmIsAddressValid(BaseAddress))
{
__try
{
ProbeForRead ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
RtlCopyMemory (readbuffer, BaseAddress, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
KeUnstackDetachProcess (&ApcState);

if(NT_SUCCESS(status))
{
      if (MmIsAddressValid(Pbuff))
      {
      __try
      {
      ProbeForWrite(Pbuff, BufferSize, sizeof(CHAR));
      RtlCopyMemory (Pbuff, readbuffer, BufferSize);
      }
      __except(EXCEPTION_EXECUTE_HANDLER)
      {
      status = STATUS_UNSUCCESSFUL;
      }
      }
      else
      {
      status = STATUS_UNSUCCESSFUL;
      }
}

ObDereferenceObject(EProcess);
ExFreePool (readbuffer);
return status;
}

NTSTATUS MyOpenProcess(ULONG PID, PHANDLE pHandle)
{
NTSTATUS status;
PEPROCESS EProcess = NULL;
HANDLE handle = NULL;
UNICODE_STRING y;
PULONG PsProcessType;

status = PsLookupProcessByProcessId(PID, &EProcess);
if (NT_SUCCESS(status))
{
handle = 0;
RtlInitUnicodeString(&y, L"PsProcessType");
PsProcessType = MmGetSystemRoutineAddress(&y);
if (PsProcessType)
{
   status = ObOpenObjectByPointer(EProcess, 0, 0, PROCESS_ALL_ACCESS, (PVOID)*PsProcessType, UserMode, &handle);
   if (NT_SUCCESS(status))
   {
            *pHandle = handle;
   }
}
ObfDereferenceObject(EProcess);
}
return status;
}

NTSTATUS
DriverEntry(
      IN PDRIVER_OBJECT             DriverObject,
      IN PUNICODE_STRING             RegistryPath
      )
{
      NTSTATUS                      status = STATUS_SUCCESS;
UNICODE_STRING             ntDeviceName;
      UNICODE_STRING             dosDeviceName;
PDEVICE_EXTENSION       deviceExtension;
      PDEVICE_OBJECT             deviceObject = NULL;
      BOOLEAN                               fSymbolicLink = FALSE;

      KdBreakPoint();
      RtlInitUnicodeString(&ntDeviceName, JHXXS_DEVICE_NAME_W);
status = IoCreateDevice(
            DriverObject,
            sizeof(DEVICE_EXTENSION),
            &ntDeviceName,
            FILE_DEVICE_JHXXS,
            0,
            TRUE,
            &deviceObject
            );

if (!NT_SUCCESS(status))
      {
            goto __failed;
      }

      deviceExtension = (PDEVICE_EXTENSION)deviceObject->DeviceExtension;
      RtlInitUnicodeString(&dosDeviceName, JHXXS_DOS_DEVICE_NAME_W);
      status = IoCreateSymbolicLink(&dosDeviceName, &ntDeviceName);
if (!NT_SUCCESS(status))
      {
            goto __failed;
}

      fSymbolicLink = TRUE;

DriverObject->MajorFunction[IRP_MJ_CREATE]       = JhxxsDispatchCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE]       = JhxxsDispatchClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = JhxxsDispatchDeviceControl;
DriverObject->DriverUnload                      = JhxxsUnload;

if (NT_SUCCESS(status))
         return status;

__failed:
      if (fSymbolicLink)
            IoDeleteSymbolicLink(&dosDeviceName);
      if (deviceObject)
            IoDeleteDevice(deviceObject);
      return status;
}

NTSTATUS
JhxxsDispatchCreate(
      IN PDEVICE_OBJECT             DeviceObject,
      IN PIRP                                     Irp
      )
{
      NTSTATUS status = STATUS_SUCCESS;

      Irp->IoStatus.Information = 0;
Irp->IoStatus.Status = status;
IoCompleteRequest(Irp, IO_NO_INCREMENT);

return status;
}

NTSTATUS
JhxxsDispatchClose(
      IN PDEVICE_OBJECT             DeviceObject,
      IN PIRP                                     Irp
      )
{
      NTSTATUS status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
      Irp->IoStatus.Status = status;
IoCompleteRequest(Irp, IO_NO_INCREMENT);

return status;
}

NTSTATUS
JhxxsDispatchDeviceControl(
      IN PDEVICE_OBJECT             DeviceObject,
      IN PIRP                                     Irp
      )
{
      NTSTATUS                      status = STATUS_SUCCESS;
PIO_STACK_LOCATION       irpStack;
PDEVICE_EXTENSION       deviceExtension;
      PVOID                               ioBuf;
ULONG                               inBufLength, outBufLength;
      ULONG                               ioControlCode;

      UCHAR             *buff =0;
      ULONG             OutByteCount =0;

      HANDLE             Writehandel;
      PVOID             WriteDstAddr;
      PVOID             WriteSrcAddr;
      ULONG             WriteSize;
      NTSTATUS          WriteReturn;

      HANDLE             Readhandel;
      PVOID             ReadBaseAddr;
      PVOID             ReadBuffer;
      ULONG             ReadSize;
      NTSTATUS          ReadReturn;

      ULONG             OpenPid;
      PHANDLE          PProcessHandle;
      NTSTATUS          OpenReturn;

irpStack = IoGetCurrentIrpStackLocation(Irp);
deviceExtension = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;
      Irp->IoStatus.Information = 0;
      ioBuf = Irp->AssociatedIrp.SystemBuffer;
      inBufLength = irpStack->;Parameters.DeviceIoControl.InputBufferLength;
outBufLength = irpStack->;Parameters.DeviceIoControl.OutputBufferLength;
ioControlCode = irpStack->;Parameters.DeviceIoControl.IoControlCode;

switch (ioControlCode)
      {
      case 0X0022E004:
            {
            buff=(UCHAR *)Irp->AssociatedIrp.SystemBuffer ;
            memmove(&Writehandel,&buff[0],4);
            memmove(&WriteDstAddr,&buff[4],4);
            memmove(&WriteSrcAddr,&buff[8],4);
            memmove(&WriteSize,&buff[12],4);

            WriteReturn=MyWriteMemory(Writehandel,WriteDstAddr,WriteSrcAddr,WriteSize);
            memmove(Irp->AssociatedIrp.SystemBuffer,&WriteReturn,4);
            OutByteCount=4;
            break;
            }

      case 0X0022E008:
            {
            buff=(UCHAR *)Irp->AssociatedIrp.SystemBuffer ;
            memmove(&Readhandel,&buff[0],4);
            memmove(&ReadBaseAddr,&buff[4],4);
            memmove(&ReadBuffer,&buff[8],4);
            memmove(&ReadSize,&buff[12],4);

            ReadReturn=MyReadMemory(Readhandel,ReadBaseAddr,ReadBuffer,ReadSize);
            memmove(&buff[0],&ReadReturn,4);
            OutByteCount=4;
            break;
            }

      case 0X0022E000:
            {
            OpenReturn = MyOpenProcess(*(PULONG)ioBuf,ioBuf);
            buff=(UCHAR *)Irp->AssociatedIrp.SystemBuffer ;
            memmove(&buff[4],&OpenReturn,4);
            OutByteCount=8;
            break;
            }

      case IOCTL_JHXXS_HELLO:
            {
         break;
            }

default:
      status = STATUS_INVALID_PARAMETER;
            break;
      }
      Irp->IoStatus.Status = status;
      Irp->IoStatus.Information = OutByteCount;
      IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}

VOID
JhxxsUnload(
      IN PDRIVER_OBJECT             DriverObject
      )
{
UNICODE_STRING dosDeviceName;
      RtlInitUnicodeString(&dosDeviceName, JHXXS_DOS_DEVICE_NAME_W);
IoDeleteSymbolicLink(&dosDeviceName);
      IoDeleteDevice(DriverObject->DeviceObject);
}

Tesla.Angela · 发表于 2010-12-16 23:28:59

楼主可以参考一下这个帖子：http://www.m5home.com/bbs/forum.php?mod=viewthread&tid=3614
另外我的电脑已经卸载了WDK，无法帮你了。

ipaddress8086 · 发表于 2010-12-18 07:46:13

回复 Tesla.Angela 的帖子

请问我用Microsoft Visual C++ 6.0 按 Build > Start Debug > Go 然后出现一个错误合WDK写的一个错误一样 (应该是有错误无法编译) 能请你用 C++检查吗造成你的困扰真的很抱歉非常想让这个驱动成功使用

Tesla.Angela · 发表于 2010-12-18 17:37:09

回复 ipaddress8086 的帖子

看来你不怎么明白我的话。。。
这个驱动编译成功了你也没用，因为游戏保护肯定会Hook Ke(Stack)AttachProcess，不可能仅仅Hook Nt***。。。
而且这么写内存肯定是不稳定的（不信你看看WRK中Nt***是怎么读写进程内存的），所以你没必要这样做。。。

马大哈 · 发表于 2010-12-19 15:59:30

驱动不稳定,就是蓝.........

ipaddress8086 · 发表于 2010-12-22 06:18:03

回复马大哈的帖子

请问我看了 VB小子玩转驱动程序文章加入了 sources makefile 这2各档案 sources里名字有改jhxxs.c 可是还是编译时出现1各错误

会蓝 HS Inline Hook很奇特 Intel的CPU不会蓝频而AMD的的CPU会蓝频会不会也是像这种情况 VirtualBox这软体体积满小的可以虚拟作业系统我是AMD的会蓝频在VirtualBox就不会

以下档案可以请看一下吗我是哪里做错了

Tesla.Angela · 发表于 2010-12-22 13:51:29

回复 ipaddress8086 的帖子

驱动的事情别找老马，老马看到驱动就蛋疼。

ipaddress8086 · 发表于 2010-12-22 17:28:37

回复 Tesla.Angela 的帖子

看的出来马大哈回覆每次有驱动都感觉放弃的样子

那我该看 VB小子玩转驱动程序文章看到底吗

还是先学 VC++语言再看 VB小子玩转驱动程序文章

我VC++语言的书本看一半就没再看了看的头好痛VB的模式忘不掉不知道要不要硬的头皮看到完

Tesla.Angela · 发表于 2010-12-22 23:46:31

回复 ipaddress8086 的帖子

我的建议是：C语言和驱动一起学。

马大哈 · 发表于 2010-12-24 17:59:57

的确看着驱动就蛋疼........

Tesla.Angela · 发表于 2010-12-26 12:19:08

只有这两段有用：

NTSTATUS
MyWriteMemory(IN HANDLE hProcess,OUT PVOID BaseAddress,IN PVOID Pbuff,IN ULONG BufferSize)
{
PEPROCESS EProcess;
KAPC_STATE ApcState;
PVOID writebuffer=NULL;
NTSTATUS status;
status = ObReferenceObjectByHandle(
hProcess,
PROCESS_VM_WRITE|PROCESS_VM_READ,
NULL,
KernelMode,
&EProcess,
NULL
);
if(!NT_SUCCESS(status))
{
ObDereferenceObject(EProcess);
return STATUS_UNSUCCESSFUL;
}
writebuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');
if(writebuffer==NULL)
{
ObDereferenceObject(EProcess);
ExFreePool (writebuffer);
return STATUS_UNSUCCESSFUL;
}
*(ULONG*)writebuffer=(ULONG)0x1;
if (MmIsAddressValid(Pbuff))
{
__try
{
ProbeForRead ((CONST PVOID)Pbuff, BufferSize, sizeof(CHAR));
RtlCopyMemory (writebuffer, Pbuff, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
if (NT_SUCCESS(status))
{
KeStackAttachProcess (EProcess, &ApcState);
if (MmIsAddressValid(BaseAddress))
{
__try
{
ProbeForWrite ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
RtlCopyMemory (BaseAddress,writebuffer, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
KeUnstackDetachProcess (&ApcState);
}
ObDereferenceObject(EProcess);
ExFreePool (writebuffer);
return status;
}
NTSTATUS
MyReadMemory(IN HANDLE hProcess,IN PVOID BaseAddress,OUT PVOID Pbuff,IN ULONG BufferSize)
{
PEPROCESS EProcess;
KAPC_STATE ApcState;
PVOID readbuffer=NULL;
NTSTATUS status;
status = ObReferenceObjectByHandle(
hProcess,
PROCESS_VM_WRITE|PROCESS_VM_READ,
NULL,
KernelMode,
&EProcess,
NULL
);
if(!NT_SUCCESS(status))
{
ObDereferenceObject(EProcess);
return STATUS_UNSUCCESSFUL;
}
readbuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');
if(readbuffer==NULL)
{
ObDereferenceObject(EProcess);
ExFreePool (readbuffer);
return STATUS_UNSUCCESSFUL;
}
*(ULONG*)readbuffer=(ULONG)0x1;
KeStackAttachProcess (EProcess, &ApcState);
if (MmIsAddressValid(BaseAddress))
{
__try
{
ProbeForRead ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
RtlCopyMemory (readbuffer, BaseAddress, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
KeUnstackDetachProcess (&ApcState);
if(NT_SUCCESS(status))
{
if (MmIsAddressValid(Pbuff))
{
__try
{
ProbeForWrite(Pbuff, BufferSize, sizeof(CHAR));
RtlCopyMemory (Pbuff, readbuffer, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
}
ObDereferenceObject(EProcess);
ExFreePool (readbuffer);
return status;
}
NTSTATUS MyOpenProcess(ULONG PID, PHANDLE pHandle)
{
NTSTATUS status;
PEPROCESS EProcess = NULL;
HANDLE handle = NULL;
UNICODE_STRING y;
PULONG PsProcessType;
status = PsLookupProcessByProcessId(PID, &EProcess);
if (NT_SUCCESS(status))
{
handle = 0;
RtlInitUnicodeString(&y, L"PsProcessType");
PsProcessType = MmGetSystemRoutineAddress(&y);
if (PsProcessType)
{
status = ObOpenObjectByPointer(EProcess, 0, 0, PROCESS_ALL_ACCESS, (PVOID)*PsProcessType, UserMode, &handle);
if (NT_SUCCESS(status))
{
*pHandle = handle;
}
}
ObfDereferenceObject(EProcess);
}
return status;
}

复制代码

其它地方可以参考我的驱动模板。

hotnetbar · 发表于 2011-2-10 19:03:13

學習學習

a627414850 · 发表于 2011-11-14 22:52:59

ObReferenceObjectByHandle 。。。。。。。。。。。。。。。。。。{:soso_e127:}{:soso_e140:}

dca100 · 发表于 2011-11-22 14:56:07

a627414850 发表于 2011-11-14 22:52
ObReferenceObjectByHandle 。。。。。。。。。。。。。。。。。。

不错学习了~~~

账号		自动登录	找回密码
密码			加入我们

用驱动实现自己的 ZwOpenProcess ZwReadVirtualMemory ZwWriteVirtualMemory

论坛牛人

贡献奖

关注奖

最佳版主

进步奖

人气王

疯狂作品奖

精英奖

赞助论坛勋章

乐于助人勋章