汇编语言C++教程2021年机构系统全方位培训教程(驱动过检+Lua+C+课件)
教程格式: 视频
资源语言: 中文
用到的工具
附如曾工具包
D003-驱动保护
C002-游戏外挂技术(中级班)LUA脚本部分
B002-游戏辅助技术(中级班)
A001-游戏辅助技术(初级班)
000-预习课
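/*
 * Load-image monitor.
 *
 * LoadImage_callback / LoadImageNotify_callback are PsSetLoadImageNotifyRoutine
 * callbacks that log every mapped image and block two hard-coded module names
 * (DriverTest.sys, Test.dll) by patching the mapped image before its entry
 * point runs. 安装进程监控 / 移出进程监控 register and unregister the routine;
 * the DriverEntry at the bottom of this listing calls neither, so nothing here
 * is active until a caller wires it up.
 *
 * Original note (translated): mind the 32-bit vs 64-bit alignment of the loader
 * structure; the 32-bit build is packed to 1 byte.
 */
#ifndef _WIN64
#pragma pack(1)
#endif
// Mirror of the undocumented user-mode loader entry. Nothing in this listing
// references it, and its field order is Windows-version specific, so treat it
// as an approximation rather than a contract.
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    union {
        LIST_ENTRY HashLinks;
        struct {
            PVOID SectionPointer;
            ULONG CheckSum;
        };
    };
    union {
        ULONG TimeDateStamp;
        PVOID LoadedImports;
    };
    PVOID EntryPointActivationContext;
    PVOID PatchInformation;
    LIST_ENTRY ForwarderLinks;
    LIST_ENTRY ServiceTagLinks;
    LIST_ENTRY StaticLinks;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
#ifndef _WIN64
#pragma pack()
#endif

// Declared but never defined or referenced in this listing.
VOID ProcessNotifyExRoutine_call_back(PEPROCESS pEProcess, HANDLE hProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo);

// Original comment (translated): "bypass the signature check programmatically".
//
// NOTE(review): this writes into the driver's own loader entry through a locally
// declared copy of the undocumented KLDR_DATA_TABLE_ENTRY layout. The fields
// named __UndefinedN / unknownN are guesses (and identifiers starting with "__"
// are reserved for the implementation). Neither the meaning of bit 0x20 nor the
// correctness of this layout for any particular Windows build is established by
// this file, and pDriverObject->DriverSection is not checked for NULL before
// being written through. DriverEntry below never calls this function. From a
// monitoring standpoint, a write to kernel loader metadata is a tamper
// indicator, not a routine driver operation. Code left byte-for-byte as found.
BOOLEAN BypassCheckSign(PDRIVER_OBJECT pDriverObject)
{
#ifdef _WIN64
    typedef struct _KLDR_DATA_TABLE_ENTRY {
        LIST_ENTRY listEntry;
        ULONG64 __Undefined1;
        ULONG64 __Undefined2;
        ULONG64 __Undefined3;
        ULONG64 NonPagedDebugInfo;
        ULONG64 DllBase;
        ULONG64 EntryPoint;
        ULONG SizeOfImage;
        UNICODE_STRING path;
        UNICODE_STRING name;
        ULONG Flags;
        USHORT LoadCount;
        USHORT __Undefined5;
        ULONG64 __Undefined6;
        ULONG CheckSum;
        ULONG __padding1;
        ULONG TimeDateStamp;
        ULONG __padding2;
    } KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
#else
    typedef struct _KLDR_DATA_TABLE_ENTRY {
        LIST_ENTRY listEntry;
        ULONG unknown1;
        ULONG unknown2;
        ULONG unknown3;
        ULONG unknown4;
        ULONG unknown5;
        ULONG unknown6;
        ULONG unknown7;
        UNICODE_STRING path;
        UNICODE_STRING name;
        ULONG Flags;
    } KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
#endif
    PKLDR_DATA_TABLE_ENTRY pLdrData = (PKLDR_DATA_TABLE_ENTRY)pDriverObject->DriverSection;
    pLdrData->Flags = pLdrData->Flags | 0x20;
    return TRUE;
}

// Case-insensitive bounded search for Needle inside String.
//
// UNICODE_STRING buffers are not required to be NUL-terminated, so the original
// wcsstr(FullImageName->Buffer, ...) could read past the end of the buffer; this
// only examines the first Length / sizeof(WCHAR) characters. The comparison is
// case-insensitive because Windows resolves paths case-insensitively by default,
// so a differently cased path must not slip past the deny list.
//
// Returns FALSE for a NULL string, NULL buffer, NULL or empty needle, or a
// needle longer than the string.
static BOOLEAN UnicodeStringContainsNoCase(_In_opt_ PCUNICODE_STRING String, _In_ PCWSTR Needle)
{
    if (String == NULL || String->Buffer == NULL || Needle == NULL) {
        return FALSE;
    }

    SIZE_T needleLength = wcslen(Needle);
    SIZE_T hayLength = String->Length / sizeof(WCHAR);
    if (needleLength == 0 || needleLength > hayLength) {
        return FALSE;
    }

    for (SIZE_T start = 0; start + needleLength <= hayLength; start++) {
        SIZE_T k = 0;
        while (k < needleLength &&
               RtlUpcaseUnicodeChar(String->Buffer[start + k]) == RtlUpcaseUnicodeChar(Needle[k])) {
            k++;
        }
        if (k == needleLength) {
            return TRUE;
        }
    }
    return FALSE;
}

// Deny list shared by both notify routines. Names are matched anywhere inside
// the full NT path (so "Test.dll" also matches e.g. "MyTest.dll", as in the
// original wcsstr() check); the list is hard-coded in this listing.
static BOOLEAN IsDeniedImage(_In_opt_ PCUNICODE_STRING FullImageName)
{
    return UnicodeStringContainsNoCase(FullImageName, L"DriverTest.sys") ||
           UnicodeStringContainsNoCase(FullImageName, L"Test.dll");
}

// Original comment (translated): "refuse to load the driver".
//
// Blocks a kernel-mode image that has just been mapped by overwriting the first
// bytes of its entry point with a stub that returns STATUS_ACCESS_DENIED, so the
// loader's call into DriverEntry fails and the image is discarded. Intended to
// be called from the load-image notify routine, which fires after the image is
// mapped and before its entry point executes; that ordering is what the patch
// depends on.
//
// pImageBase: kernel-mode base of the mapped image (ImageInfo->ImageBase).
// Returns STATUS_INVALID_PARAMETER for a NULL base, STATUS_INVALID_IMAGE_FORMAT
// if the DOS/NT headers do not check out, STATUS_INSUFFICIENT_RESOURCES if the
// MDL cannot be created or mapped, and STATUS_SUCCESS once the stub is written.
//
// NOTE(review): MmBuildMdlForNonPagedPool is documented for nonpaged pool,
// whereas an image mapping is section-backed, so this relies on the pages being
// resident at callback time. On systems with hypervisor-enforced code integrity
// a writable mapping of executable image pages is expected to be refused, in
// which case this approach cannot work.
NTSTATUS DenyLoadDriver(PVOID pImageBase)
{
    // mov eax, 0C0000022h (STATUS_ACCESS_DENIED) ; ret ; then NOP padding.
    // Valid on both x86 and x64 (a 32-bit mov zero-extends into rax).
    static const UCHAR DenyStub[16] = {
        0xB8, 0x22, 0x00, 0x00, 0xC0, 0xC3,
        0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90
    };

    if (pImageBase == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    // Validate the headers before trusting e_lfanew / AddressOfEntryPoint;
    // the original dereferenced both unchecked.
    PIMAGE_DOS_HEADER pDosHeader = pImageBase;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE ||
        pDosHeader->e_lfanew < (LONG)sizeof(IMAGE_DOS_HEADER)) {
        return STATUS_INVALID_IMAGE_FORMAT;
    }
    PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)((PUCHAR)pDosHeader + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
        return STATUS_INVALID_IMAGE_FORMAT;
    }

    // Entry point (DriverEntry) of the mapped image.
    PVOID pDriverEntry = (PUCHAR)pDosHeader + pNtHeaders->OptionalHeader.AddressOfEntryPoint;

    // Same MDL-backed write path as DenyLoadDll, with the same failure checks.
    PMDL pMdl = MmCreateMdl(NULL, pDriverEntry, sizeof DenyStub);
    if (pMdl == NULL) {
        KdPrint(("yjx:R0->MmCreateMdl failed\n"));
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    MmBuildMdlForNonPagedPool(pMdl);

    PVOID pVoid = MmMapLockedPages(pMdl, KernelMode);
    if (pVoid == NULL) {
        IoFreeMdl(pMdl);
        KdPrint(("yjx:R0->MmMapLockedPages failed\n"));
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    RtlCopyMemory(pVoid, DenyStub, sizeof DenyStub);

    MmUnmapLockedPages(pVoid, pMdl);
    IoFreeMdl(pMdl);
    return STATUS_SUCCESS;
}

// Original comment (translated): "refuse to load the DLL module".
//
// Blocks a user-mode DLL by zeroing the first 0x200 bytes of its mapped image
// (the PE headers). The original author's reasoning: unlike a driver, a DLL
// cannot be rejected by making its entry point return failure, because that
// does not get the module unmapped, so the headers are destroyed instead.
//
// pLoadImageBase: base of the mapped DLL in the loading process (ImageInfo->ImageBase).
// Returns TRUE once the bytes are zeroed, FALSE for a NULL base or if the MDL
// could not be created or mapped.
//
// NOTE(review): the callback runs in the context of the loading process, so
// pLoadImageBase is a user-mode address; MmBuildMdlForNonPagedPool is not the
// documented way to describe such pages (MmProbeAndLockPages under
// __try/__except is), so this relies on the pages being resident at callback
// time. The code-integrity caveat on DenyLoadDriver applies here as well.
BOOLEAN DenyLoadDll(PVOID pLoadImageBase)
{
    const ULONG ulDataSize = 0x200;

    if (pLoadImageBase == NULL) {
        return FALSE;
    }

    PMDL pMdl = MmCreateMdl(NULL, pLoadImageBase, ulDataSize);
    if (pMdl == NULL) {
        KdPrint(("yjx:R0->MmCreateMdl failed\n"));
        return FALSE;
    }
    MmBuildMdlForNonPagedPool(pMdl);

    PVOID pVoid = MmMapLockedPages(pMdl, KernelMode);
    if (pVoid == NULL) {
        IoFreeMdl(pMdl);
        KdPrint(("yjx:R0->MmMapLockedPages failed\n"));
        return FALSE;
    }

    RtlZeroMemory(pVoid, ulDataSize);

    MmUnmapLockedPages(pVoid, pMdl);
    IoFreeMdl(pMdl);
    return TRUE;
}

// Load-image notify routine (PLOAD_IMAGE_NOTIFY_ROUTINE shape): logs every
// image mapped into any process or the kernel, then blocks the deny list.
//
// FullImageName: full NT path of the image; may be NULL, and its buffer is not
//                NUL-terminated by contract, hence IsDeniedImage().
// ProcessId:     process the image is being mapped into; 0 for kernel images.
// ImageInfo:     base and size of the mapping.
//
// The original printed ProcessId (a HANDLE) and ImageSize (SIZE_T) with %d,
// which is a format/argument mismatch on 64-bit; casts and matching specifiers
// are used instead. This is the routine 安装进程监控 registers.
VOID LoadImage_callback(
    _In_opt_ PUNICODE_STRING FullImageName,
    _In_ HANDLE ProcessId,
    _In_ PIMAGE_INFO ImageInfo)
{
    // Give %wZ something printable when the name is absent.
    UNICODE_STRING unknownName = RTL_CONSTANT_STRING(L"<unknown>");
    PCUNICODE_STRING shownName = (FullImageName != NULL) ? FullImageName : &unknownName;

    DbgPrint("[%u][%wZ][%I64u][0x%p]\n",
             (ULONG)(ULONG_PTR)ProcessId, shownName,
             (ULONG64)ImageInfo->ImageSize, ImageInfo->ImageBase);

    if (!IsDeniedImage(FullImageName)) {
        return;
    }

    if (ProcessId == NULL) {
        // Kernel-mode image: patch its entry point.
        DbgPrint("Deny Load Driver\n");
        DenyLoadDriver(ImageInfo->ImageBase);
    } else {
        // User-mode DLL: destroy its headers.
        DbgPrint("Deny Load DLL\n");
        DenyLoadDll(ImageInfo->ImageBase);
    }
}

// Register LoadImage_callback. Returns the PsSetLoadImageNotifyRoutine status;
// the original error message named PsSetCreateProcessNotifyRoutineEx, which is
// not the call being made.
NTSTATUS 安装进程监控()
{
    NTSTATUS status = PsSetLoadImageNotifyRoutine(LoadImage_callback);
    if (!NT_SUCCESS(status)) {
        KdPrint(("yjx:R0->PsSetLoadImageNotifyRoutine failed: 0x%08X\n", status));
    }
    return status;
}

// Unregister LoadImage_callback. Must run before this driver is unloaded
// whenever 安装进程监控 succeeded, or the kernel keeps a callback pointer into
// an unmapped image. Returns the PsRemoveLoadImageNotifyRoutine status.
NTSTATUS 移出进程监控()
{
    NTSTATUS status = PsRemoveLoadImageNotifyRoutine(LoadImage_callback);
    if (!NT_SUCCESS(status)) {
        KdPrint(("yjx:R0->PsRemoveLoadImageNotifyRoutine failed: 0x%08X\n", status));
    }
    return status;
}

// Second copy of the notify routine, identical to LoadImage_callback except
// that it logs through KdPrint (so only in checked/debug builds). Nothing in
// this listing registers it; kept because callers outside this file may.
VOID LoadImageNotify_callback(
    _In_opt_ PUNICODE_STRING FullImageName,
    _In_ HANDLE ProcessId,
    _In_ PIMAGE_INFO ImageInfo)
{
    UNICODE_STRING unknownName = RTL_CONSTANT_STRING(L"<unknown>");
    PCUNICODE_STRING shownName = (FullImageName != NULL) ? FullImageName : &unknownName;

    KdPrint(("yjx:R0->[%u][%wZ][%I64u][0x%p]\n",
             (ULONG)(ULONG_PTR)ProcessId, shownName,
             (ULONG64)ImageInfo->ImageSize, ImageInfo->ImageBase));

    if (!IsDeniedImage(FullImageName)) {
        return;
    }

    if (ProcessId == NULL) {
        KdPrint(("yjx:R0->Deny Load Driver\n"));
        DenyLoadDriver(ImageInfo->ImageBase);
    } else {
        KdPrint(("yjx:R0->Deny Load DLL\n"));
        DenyLoadDll(ImageInfo->ImageBase);
    }
}

// Unload routine. As listed it does nothing; if 安装进程监控() is ever called
// from DriverEntry, the matching 移出进程监控() belongs here.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
}

// Dispatch routine installed for every IRP major function: completes the IRP
// with STATUS_SUCCESS and no information, and returns that status.
NTSTATUS DefaultMajorFunction(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return Irp->IoStatus.Status;
}

// Driver entry point: installs the unload routine and the catch-all dispatch
// routine. No device object is created. The original declared an unused
// DEVICE_OBJECT pointer and a doubled ";" after the status initializer; both
// are removed.
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;

    for (unsigned int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DriverObject->MajorFunction[i] = DefaultMajorFunction;
    }

    // Original intent (translated): monitor module loads from the kernel,
    // covering DLLs and kernel modules alike. As listed, neither
    // 安装进程监控() nor BypassCheckSign() is called here, so the notify
    // routine is never registered; whoever adds 安装进程监控() here must also
    // add 移出进程监控() to DriverUnload.
    return STATUS_SUCCESS;
}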