【原创】X64 REMOVE PSPCIDTABLE

不废话，直接放码。（注意：下面的代码依赖硬编码的结构偏移（0x2e0、0x30、0x18）和指令特征码，只对取样时的那个内核版本有效，换版本需重新校对。）

补充代码见后续帖子：【分享】x64 antidebug 不触发PG http://bbs.pediy.com/showthread.php?p=1385028#post1385028

已知 BUG：如果被移出（隐藏）的目标进程有线程退出，我的系统线程就会挂掉，目测是枚举函数（或其回调）的问题。（从代码看，线程退出回调 callback2 会把保存的表项地址写回，而链表节点从不删除，被回收的 TID 可能命中过期节点，这是一个值得先排查的方向。）

这个我就不解决了，目标退出时不会蓝屏。

因为已经有了新的解决办法，这个方案就废弃了。

#include "ntddk.h"

#include "commonfunc.h"

// Offset of EPROCESS.ImageFileName used by removdebugtoolhandle when it
// records a matched process name. Hard-coded, so it is only right for the
// kernel build the signatures in getenumhandletablefunc were taken from
// (TODO confirm which build).
#define IMAGE_FILENAME_OFFSET 0x2e0

VOID startthread();

VOID stopthread();

// Signalled by the clearing thread (clearDEBUGTOOL) when it leaves its loop;
// waited on by unprotectprocessforpspcidtable. Re-initialised by startthread.
KEVENT event;

// Handle returned by PsCreateSystemThread in startthread; closed by stopthread.
HANDLE systemthreadhandle;

// Timer/DPC pair of the timer-driven variant (startdpc/stopdpc), which is
// currently commented out in protectprocessforpspcidtable.
KTIMER cleartimer= { 0 };

KDPC cleardpc = { 0 };

// Set by the notify callbacks while they write a saved entry back; the
// clearing thread skips its pass while this is TRUE. Plain global, no
// synchronisation beyond that flag.
BOOLEAN REMOVING = FALSE;

// Local mirror of the kernel's _HANDLE_TABLE_ENTRY as laid out on the
// targeted build. Only `Value` and `GrantedAccess` are used by this file:
// removdebugtoolhandle masks the low 3 bits of Value to get the object
// pointer and stores &entry->Value (which aliases the entry start) in the
// saved list; clearDEBUGTOOL zeroes Value, the notify callbacks restore it.
// Later kernels encode the object pointer differently (TODO confirm before
// reusing this on anything but the sampled build).
typedef struct _HANDLE_TABLE_ENTRY{

union{

VOID* Object;           // object pointer with flag bits in the low 3 bits

ULONG32 ObAttributes;

PVOID64 InfoTable;

ULONG64 Value;          // raw 64-bit view of the same word

};

union{

ULONG32 GrantedAccess;  // saved by insertlist; the restore of it is commented out

struct{

UINT16  GrantedAccessIndex;

UINT16 CreatorBackTraceIndex;

UINT8  _PADDING[0x4];   // NOTE(review): leading underscore + capital is a reserved identifier

};

ULONG32  NextFreeTableEntry;

};

}HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;

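// One saved PspCidTable entry for a process/thread that was hidden, so the
// notify callbacks can write the original Value back when it exits.
// The list is doubly linked with a sentinel created by createlist:
// `head` is the previous node (NULL only for the sentinel), `next` the
// following one.
typedef struct _save_handlentry{

    struct _save_handlentry *head;   // previous node

    PVOID id;                        // HANDLE (PID/TID) the entry belonged to

    char processname[17];            // 16 bytes of image name + NUL terminator

    ULONG64 value;                   // original HANDLE_TABLE_ENTRY.Value

    ULONG32 GrantedAccess;           // original GrantedAccess (saved, not restored)

    // The live table entry (callers pass &entry->Value, which aliases the
    // entry start). The original declared this as `struct HANDLE_TABLE_ENTRY*`,
    // an unrelated incomplete type (the real tag is _HANDLE_TABLE_ENTRY), so
    // every assignment to/from it was a pointer-type mismatch.
    PHANDLE_TABLE_ENTRY address;

    struct _save_handlentry *next;   // following node

}_save_handlentry, *p_save_handlentry;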

// Signature scanner used by getenumhandletablefunc; defined elsewhere
// (presumably commonfunc.h). From the call sites it appears to scan from
// uAddress for `Signature` and decode a displacement at addopcodelength
// within an instruction of addopcodedatasize bytes — TODO confirm against
// the definition; returns 0 on no match is assumed, not shown here.
ULONG64 SreachFunctionAddress(ULONG64 uAddress, UCHAR *Signature, ULONG addopcodelength, ULONG addopcodedatasize);

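// Create the bookkeeping list: a sentinel head followed by one node carrying
// `processname`. Returns the sentinel, or NULL if pool allocation fails
// (the original dereferenced the NULL result). Callers keep the result in
// `mainphead` and pass it to insertlist/querylist.
p_save_handlentry createlist(char*processname){

    p_save_handlentry phead = (p_save_handlentry)ExAllocatePool(NonPagedPool, sizeof(_save_handlentry));
    if (phead == NULL) {
        return NULL;
    }
    RtlZeroMemory(phead, sizeof(_save_handlentry));

    p_save_handlentry pnew = (p_save_handlentry)ExAllocatePool(NonPagedPool, sizeof(_save_handlentry));
    if (pnew == NULL) {
        ExFreePool(phead);
        return NULL;
    }
    RtlZeroMemory(pnew, sizeof(_save_handlentry));

    // Bounded copy with a guaranteed terminator: the original memcpy'd 16
    // bytes out of the 7-byte literal "system" and never set the NUL.
    if (processname != NULL) {
        strncpy(pnew->processname, processname, sizeof(pnew->processname) - 1);
    }
    pnew->processname[sizeof(pnew->processname) - 1] = '\0';

    // Link sentinel <-> first node. `head` is the back pointer; the original
    // left it NULL on the first node, which made deletelist unable to unlink it.
    pnew->head = phead;
    pnew->next = NULL;
    phead->head = NULL;
    phead->next = pnew;

    return phead;
}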

// 插入链表

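// Append a node describing one hidden table entry. `adress` is the live
// HANDLE_TABLE_ENTRY (callers pass &entry->Value, which aliases the entry
// start), `value` its original Value, `id` the HANDLE it belongs to and
// `processname` the image name to keep (at most 16 bytes are copied).
// Returns the new node, or NULL when phead is NULL or allocation fails;
// the original dereferenced NULL in both cases and also crashed on a list
// that held only the sentinel.
p_save_handlentry insertlist(char*processname, ULONG GrantedAccess, ULONG64 value, PVOID id, PHANDLE_TABLE_ENTRY adress, p_save_handlentry phead){

    if (phead == NULL) {
        return NULL;
    }

    p_save_handlentry pnew = (p_save_handlentry)ExAllocatePool(NonPagedPool, sizeof(_save_handlentry));
    if (pnew == NULL) {
        return NULL;
    }
    RtlZeroMemory(pnew, sizeof(_save_handlentry));

    // Bounded copy plus terminator (the original memcpy'd 16 bytes, no NUL).
    if (processname != NULL) {
        strncpy(pnew->processname, processname, sizeof(pnew->processname) - 1);
    }
    pnew->processname[sizeof(pnew->processname) - 1] = '\0';

    pnew->GrantedAccess = GrantedAccess;
    pnew->id = id;
    pnew->value = value;
    pnew->address = adress;

    // Walk to the tail starting at the sentinel itself, so an otherwise
    // empty list is handled too.
    p_save_handlentry tail = phead;
    while (tail->next != NULL) {
        tail = tail->next;
    }

    tail->next = pnew;
    pnew->head = tail;
    pnew->next = NULL;

    return pnew;
}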

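// Find the first saved node whose `id` equals `id` (a HANDLE value widened to
// ULONG64). Returns NULL when not found or when phead is NULL; the original
// crashed on a NULL list, which is what createlist returns on allocation
// failure.
// NOTE(review): the callbacks never remove nodes (their deletelist calls are
// commented out), so a recycled PID/TID matches the oldest, stale node here.
p_save_handlentry querylist(p_save_handlentry phead, ULONG64 id){

    if (phead == NULL) {
        return NULL;
    }

    for (p_save_handlentry node = phead->next; node != NULL; node = node->next) {
        if ((ULONG64)(ULONG_PTR)node->id == id) {
            return node;
        }
    }

    return NULL;
}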

//删除节点

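// Unlink `pclid` from its list and free it. The sentinel (head == NULL) is
// never freed: the function is a no-op for it, as in the original. A NULL
// argument is ignored instead of dereferenced.
void deletelist(p_save_handlentry pclid){

    if (pclid == NULL || pclid->head == NULL) {
        return;
    }

    p_save_handlentry prev = pclid->head;
    p_save_handlentry next = pclid->next;   // NULL when pclid is the last node

    prev->next = next;
    if (next != NULL) {
        next->head = prev;
    }

    ExFreePool(pclid);
}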

// Shape assumed for the unexported handle-table enumerator that
// getenumhandletablefunc locates inside ObFindHandleForObject: table,
// per-entry callback (removdebugtoolhandle), opaque parameter. The
// enumerator's real prototype and return type are not visible here
// (TODO confirm; x64 has a single calling convention, so __fastcall is
// a no-op).
typedef NTSTATUS(__fastcall * pfnEnumObjectTable)(PVOID64 HANDLETABLE, PVOID CALLback, ULONG64 unKonw);

// Exported but undocumented kernel routines used below.
NTKERNELAPI CHAR* PsGetProcessImageFileName(PEPROCESS Process);

// Also the scan anchor for locating PspCidTable (see getenumhandletablefunc).
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);

NTKERNELAPI NTSTATUS PsLookupThreadByThreadId(HANDLE Id, PETHREAD *Thread);

NTKERNELAPI PEPROCESS IoThreadToProcess(PETHREAD Thread);

// Resolved lazily by getenumhandletablefunc; 0 until then or on failure.
pfnEnumObjectTable EnumObjectTablex = 0;;

PVOID64 PspCidTable=0;

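// Resolve the two unexported kernel addresses this driver needs:
//   EnumObjectTablex – the handle-table enumerator, found through a call
//                      inside ObFindHandleForObject (pattern `opcode`);
//   PspCidTable      – read through the RIP-relative load inside
//                      PsLookupProcessByProcessId (pattern `opcode1`).
// Both patterns are byte sequences from one specific kernel build, so this
// is version-fragile by design. Must run at PASSIVE_LEVEL
// (MmGetSystemRoutineAddress). Returns STATUS_SUCCESS only when both values
// were obtained and look valid, STATUS_UNSUCCESSFUL otherwise; on failure
// both globals are left at 0 so callers that test them stay safe.
// Fixes over the original: it returned STATUS_SUCCESS when the lookup
// failed, fell off the end of a non-void function on the success path,
// dereferenced the PspCidTable slot before validating it, and passed a
// UNICODE_STRING64 to RtlInitUnicodeString.
// NOTE(review): MmIsAddressValid only says the page is mapped right now; it
// is not proof that the bytes found are the expected function or table.
NTSTATUS getenumhandletablefunc()
{
    UCHAR opcode[5]  = { 0x89, 0x6c, 0x24, 0x30, 0xe8 };
    UCHAR opcode1[5] = { 0xdc, 0x48, 0x8b, 0xd1, 0x48 };
    UNICODE_STRING routineName;
    ULONG64 obFindHandleForObject;
    PVOID64 *cidTableSlot;

    // ObFindHandleForObject PAGE 0000000140319DB0 (author's listing of the sampled build)
    RtlInitUnicodeString(&routineName, L"ObFindHandleForObject");
    obFindHandleForObject = (ULONG64)MmGetSystemRoutineAddress(&routineName);
    if (obFindHandleForObject == 0 || !MmIsAddressValid((PVOID)obFindHandleForObject)) {
        DbgPrint("cant get ObFindHandleForObject\n");
        return STATUS_UNSUCCESSFUL;
    }

    EnumObjectTablex = (pfnEnumObjectTable)SreachFunctionAddress(obFindHandleForObject, opcode, 1, 5);

    // The pattern yields the address of the pointer-sized slot holding
    // PspCidTable; validate it before reading through it.
    cidTableSlot = (PVOID64 *)SreachFunctionAddress((ULONG64)&PsLookupProcessByProcessId, opcode1, 3, 7);
    if (cidTableSlot == NULL || !MmIsAddressValid(cidTableSlot)) {
        EnumObjectTablex = 0;
        DbgPrint("cant get PspCidTable slot\n");
        return STATUS_UNSUCCESSFUL;
    }
    PspCidTable = *cidTableSlot;

    if (EnumObjectTablex == 0 || !MmIsAddressValid((PVOID)EnumObjectTablex)
        || PspCidTable == 0 || !MmIsAddressValid(PspCidTable)) {
        DbgPrint("cant get EnumObjectTablex or  PspCidTable  \n");
        EnumObjectTablex = 0;
        PspCidTable = 0;
        return STATUS_UNSUCCESSFUL;
    }

    DbgPrint("Super game protect start~\n");
    return STATUS_SUCCESS;
}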

// Sentinel of the saved-entry list; created lazily by createlist("system").
p_save_handlentry mainphead = NULL;

// Addresses of the last matched process / thread PspCidTable entries, set by
// removdebugtoolhandle during an enumeration and zeroed-through (then reset)
// by clearDEBUGTOOL afterwards. Shared between the enumerator's caller and
// the callback without locking.
PVOID64 psidprocessobject = 0;

PVOID64 pscidkthreadbject = 0;

// Run flag of the clearing thread; unprotectprocessforpspcidtable clears it.
ULONG64 passmaska = TRUE;

// Relative kernel time units: de_o = -10 (100-ns ticks = 1 us), de_s = -1 ms.
// NOTE(review): unparenthesised macro bodies; they are only used as plain
// assignment values in clearDEBUGTOOL, so no precedence issue today.
#define de_o -10

#define de_s de_o*1000

// Sleep interval of the clearing thread (filled in by clearDEBUGTOOL).
LARGE_INTEGER myxx;

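void enumtable(PHANDLE handle);   // defined later in this file; the original called it undeclared

// Body of the system thread started by startthread. Every ~2 s it runs one
// enumeration of PspCidTable (enumtable(2)); the enumeration callback leaves
// the address of a matched process entry in psidprocessobject and of a
// matched thread entry in pscidkthreadbject, and this loop then zeroes those
// entries, which is what hides the process/thread from CID lookups. The pass
// is skipped while a notify callback has REMOVING set. Exits when passmaska
// is cleared, signals `event`, and terminates itself.
// StartContext is unused; the original declared the routine with no
// parameter, which does not match the PKSTART_ROUTINE it is passed as.
// NOTE(review): the two entry pointers were captured inside the enumeration
// callback and are written after the enumerator has returned, i.e. outside
// whatever locking it held; nothing here guards against the table having
// changed in between.
VOID clearDEBUGTOOL(PVOID StartContext){

    UNREFERENCED_PARAMETER(StartContext);

    // de_s is -1 ms in 100-ns units; x2000 gives a 2 s relative delay.
    myxx.QuadPart = de_s;
    myxx.QuadPart *= 2000;

    while (passmaska == TRUE)
    {
        KeDelayExecutionThread(KernelMode, 0, &myxx);

        // A callback is busy writing an entry back; do not race it.
        if (REMOVING) {
            continue;
        }

        enumtable(2);

        if (psidprocessobject != 0) {
            DbgPrint("clear psidprocessobject %p", *(ULONG64*)psidprocessobject);
            *(ULONG64*)psidprocessobject = 0;
            DbgPrint("clear psidprocessobject %p", *(ULONG64*)psidprocessobject);
            psidprocessobject = 0;
        }

        DbgPrint("clearing...");

        if (pscidkthreadbject != 0) {
            DbgPrint("clear pscidkthreadbject %p", *(ULONG64*)pscidkthreadbject);
            *(ULONG64*)pscidkthreadbject = 0;
            DbgPrint("clear pscidkthreadbject %p", *(ULONG64*)pscidkthreadbject);
            pscidkthreadbject = 0;
        }
    }

    DbgPrint("ending...");

    // Wait = FALSE: the original passed TRUE, which is only valid when the
    // call is immediately followed by a KeWaitXxx in the same thread.
    KeSetEvent(&event, 0, FALSE);

    // A system thread must end with PsTerminateSystemThread rather than
    // returning from its start routine.
    PsTerminateSystemThread(STATUS_SUCCESS);
}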

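// Enumeration callback handed to EnumObjectTablex for PspCidTable. For each
// entry it recovers the object pointer (Value with the low 3 flag bits
// masked), reads the object type index from the object header at -0x30, and
// for a process (type 7) or thread (type 8) whose image name contains one of
// the three debugger names, records the entry in `mainphead` and leaves the
// entry address in psidprocessobject / pscidkthreadbject for clearDEBUGTOOL
// to zero. Always returns FALSE so the enumeration continues (the author's
// "is true" remark; with the WRK-style enumerator a TRUE return also leaves
// the entry locked for the caller). Offsets 0x30/0x18 and type indices 7/8
// are for one kernel build only — TODO confirm.
// `handle` is the entry's handle value as the enumerator passes it (it is
// compared against PIDs/TIDs by querylist), not a pointer to one; the
// PHANDLE type is kept because the callback's signature is fixed.
// Fixes over the original: the type byte was read before Pobject was
// validated; the thread branch recorded the name at ETHREAD+0x2e0 instead
// of the owning process's name.
// NOTE(review): the "天网系统" literal is matched against the raw ANSI
// ImageFileName bytes, so it only works if the source-file code page
// matches the system ANSI code page.
BOOLEAN removdebugtoolhandle(PHANDLE_TABLE_ENTRY object, PHANDLE handle, ULONG64 Unkonw){

    ULONG64 Pobject;
    ULONG64 object_header;
    ULONG32 object_type;
    const char *name;

    UNREFERENCED_PARAMETER(Unkonw);

    if (object == NULL) {
        return FALSE;
    }

    // Low three bits of Value are entry flags, not part of the pointer.
    Pobject = (object->Value) & ~7ULL;

    // Validate before touching anything behind the pointer.
    if (Pobject == 0 || !MmIsAddressValid((PVOID)Pobject)) {
        return FALSE;
    }

    object_header = Pobject - 0x30;                          // OBJECT_HEADER precedes the body
    if (!MmIsAddressValid((PVOID)(object_header + 0x18))) {
        return FALSE;
    }
    object_type = (ULONG32)*(UINT8*)(object_header + 0x18); // TypeIndex on this build

    if (object_type == 7) {                                  // process object
        name = PsGetProcessImageFileName((PEPROCESS)Pobject);
        if (name != NULL && (strstr(name, "天网系统") != NULL || strstr(name, "cheatengine") != NULL || strstr(name, "ollyice") != NULL)) {
            // Save the entry so callback() can restore it on process exit;
            // clearDEBUGTOOL zeroes *psidprocessobject after the enumeration.
            insertlist((char *)name, object->GrantedAccess, object->Value, handle, (PHANDLE_TABLE_ENTRY)&object->Value, mainphead);
            DbgPrint("process is look~");
            psidprocessobject = &object->Value;
        }
        return FALSE;
    }

    if (object_type == 8) {                                  // thread object
        PEPROCESS owner = IoThreadToProcess((PETHREAD)Pobject);
        if (owner == NULL) {
            return FALSE;
        }
        name = PsGetProcessImageFileName(owner);
        if (name != NULL && (strstr(name, "天网系统") != NULL || strstr(name, "cheatengine") != NULL || strstr(name, "ollyice") != NULL)) {
            DbgPrint("thread is look~");
            // Record the owning process's name (the original read
            // IMAGE_FILENAME_OFFSET off the ETHREAD, i.e. garbage).
            insertlist((char *)name, object->GrantedAccess, object->Value, handle, (PHANDLE_TABLE_ENTRY)&object->Value, mainphead);
            pscidkthreadbject = &object->Value;
        }
        return FALSE;
    }

    return FALSE;
}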

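// Run one enumeration of PspCidTable with removdebugtoolhandle, passing `p`
// through as the enumerator's opaque parameter. Lazily resolves the kernel
// addresses and creates the bookkeeping list on first use (so the first
// call must be at PASSIVE_LEVEL). Returns TRUE when the enumeration was
// issued, FALSE when the addresses or the list are not available; the
// original returned nothing from a BOOLEAN function and would have called
// a NULL function pointer when resolution failed.
BOOLEAN removepspcidtabl(HANDLE p){

    if (PspCidTable == 0 || EnumObjectTablex == 0) {
        getenumhandletablefunc();
        if (PspCidTable == 0 || EnumObjectTablex == 0) {
            return FALSE;
        }
    }

    if (mainphead == NULL) {
        mainphead = createlist("system");
        if (mainphead == NULL) {
            return FALSE;
        }
    }

    EnumObjectTablex(PspCidTable, removdebugtoolhandle, (ULONG64)(ULONG_PTR)p);
    return TRUE;
}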

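// Process notify routine (PsSetCreateProcessNotifyRoutine). Only the exit
// path does anything: when a process whose image name matches one of the
// debugger names exits, the PspCidTable entry that clearDEBUGTOOL zeroed is
// written back from the saved list so the kernel can tear the CID down
// normally, and the clearing thread is "restarted". The original declared
// the return type as PCREATE_PROCESS_NOTIFY_ROUTINE (a function-pointer
// type) and returned nothing; notify routines are VOID.
// NOTE(review): the exiting process is identified via IoGetCurrentProcess(),
// i.e. this relies on running in that process's context; `pid` is only used
// for the list lookup. Nodes are never removed from the list, so a recycled
// PID can hit a stale node whose `address` may no longer be valid.
// stopthread() only closes the handle and startthread() creates a second
// thread, so each matched exit adds a clearing thread — see those functions.
VOID callback(HANDLE prid, HANDLE pid, BOOLEAN create){

    UNREFERENCED_PARAMETER(prid);

    if (create) {
        return;
    }

    const char *name = PsGetProcessImageFileName(IoGetCurrentProcess());
    if (name == NULL) {
        return;
    }
    if (strstr(name, "天网系统") == NULL && strstr(name, "cheatengine") == NULL && strstr(name, "ollyice") == NULL) {
        return;
    }

    REMOVING = TRUE;

    p_save_handlentry saved = (mainphead != NULL) ? querylist(mainphead, (ULONG64)(ULONG_PTR)pid) : NULL;
    if (saved != NULL && saved->address != NULL) {
        PHANDLE_TABLE_ENTRY entry = saved->address;

        // GrantedAccess is deliberately not restored (commented out in the original).
        entry->Value = saved->value;

        DbgPrint("pid %p pt:%p phdt:%p", saved->id, saved->address, entry->Object);

        // deletelist(saved) was commented out in the original; kept so.
        stopthread();
        startthread();
    }

    REMOVING = FALSE;
}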

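// Thread notify routine (PsSetCreateThreadNotifyRoutine). Mirror of
// callback() for threads: on exit of a thread whose owning process's image
// name matches one of the debugger names, the zeroed PspCidTable entry is
// written back from the saved list and the clearing thread is "restarted".
// The original declared the return type as PCREATE_THREAD_NOTIFY_ROUTINE and
// returned nothing; notify routines are VOID.
// NOTE(review): the owning process comes from IoGetCurrentProcess(), i.e.
// this relies on running in the exiting thread's context; `processid` is
// unused. Nodes are never removed from the list, so a recycled TID can hit
// a stale node whose `address` may no longer be valid — a plausible cause
// of the crash the author describes on thread exit.
VOID callback2(HANDLE processid, HANDLE threadid, BOOLEAN create){

    UNREFERENCED_PARAMETER(processid);

    if (create) {
        return;
    }

    const char *name = PsGetProcessImageFileName(IoGetCurrentProcess());
    if (name == NULL) {
        return;
    }
    if (strstr(name, "天网系统") == NULL && strstr(name, "cheatengine") == NULL && strstr(name, "ollyice") == NULL) {
        return;
    }

    REMOVING = TRUE;

    p_save_handlentry saved = (mainphead != NULL) ? querylist(mainphead, (ULONG64)(ULONG_PTR)threadid) : NULL;
    if (saved != NULL && saved->address != NULL) {
        PHANDLE_TABLE_ENTRY entry = saved->address;

        // GrantedAccess is deliberately not restored (commented out in the original).
        entry->Value = saved->value;

        DbgPrint("tid %p pt:%p phdt:%p", saved->id, saved->address, entry->Object);

        // deletelist(saved) was commented out in the original; kept so.
        stopthread();
        startthread();
    }

    REMOVING = FALSE;
}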

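// Create the clearing system thread (clearDEBUGTOOL) and (re)initialise the
// auto-reset event it signals on exit. Called from
// protectprocessforpspcidtable and from the notify callbacks after
// stopthread(). The original ignored the PsCreateSystemThread status, leaving
// the handle unset on failure for stopthread/unprotect to use.
// NOTE(review): re-initialising `event` while a previous clearing thread is
// still running, and creating a new thread without stopping the old one,
// means several clearing threads can be alive at once; the callbacks do
// exactly that on every matched exit.
VOID startthread(){
    NTSTATUS status;

    // SynchronizationEvent = auto-reset; FALSE = starts non-signalled.
    KeInitializeEvent(&event, SynchronizationEvent, FALSE);

    systemthreadhandle = NULL;
    status = PsCreateSystemThread(&systemthreadhandle, THREAD_ALL_ACCESS, NULL, NULL, NULL, (PKSTART_ROUTINE)clearDEBUGTOOL, NULL);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsCreateSystemThread failed: 0x%08X\n", status);
        systemthreadhandle = NULL;
    }
}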

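// Close the handle of the last thread created by startthread. Despite the
// name this does not stop the thread: the only stop signal is passmaska,
// which unprotectprocessforpspcidtable clears. Safe to call when no thread
// was created (NULL handle); the original closed whatever the global held.
VOID stopthread(){
    if (systemthreadhandle != NULL) {
        ZwClose(systemthreadhandle);
        systemthreadhandle = NULL;
    }
}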

/////////////////////////////////////

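void enumtable(PHANDLE handle);   // defined later in this file; the original called it undeclared

// DPC routine of the timer-driven variant (not wired up: startdpc is
// commented out in protectprocessforpspcidtable). Runs one enumeration and
// re-arms the timer for another 5 s.
// NOTE(review): a DPC runs at DISPATCH_LEVEL, while enumtable may call
// getenumhandletablefunc (MmGetSystemRoutineAddress) and the handle-table
// enumerator, neither of which is DISPATCH_LEVEL-safe; this path should
// queue a work item instead of doing the work here. Kept for parity only.
// The original computed the interval as `-10 * ulMicroSecond` in unsigned
// arithmetic (correct only by wrap-around) and described it as 500 ms;
// 5,000,000 us is 5 s.
VOID clearprocessinformationRoutine(
    _In_      struct _KDPC *Dpc,
    _In_opt_  PVOID DeferredContext,
    _In_opt_  PVOID SystemArgument1,
    _In_opt_  PVOID SystemArgument2
    )
{
    UNREFERENCED_PARAMETER(Dpc);
    UNREFERENCED_PARAMETER(DeferredContext);
    UNREFERENCED_PARAMETER(SystemArgument1);
    UNREFERENCED_PARAMETER(SystemArgument2);

    LARGE_INTEGER lTime;
    const ULONG ulMicroSecond = 5000000;   // 5 s

    enumtable(2);

    // Relative due time: negative, in 100-ns units.
    lTime.QuadPart = -(LONGLONG)ulMicroSecond * 10;
    KeSetTimer(&cleartimer, lTime, &cleardpc);
}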

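// TRUE between startdpc and stopdpc. The original assigned the return value
// of KeSetTimer here, which is TRUE only when the timer was *already* in the
// timer queue, so the flag stayed FALSE after a first start, the success
// message never printed, and stopdpc never cancelled the timer.
BOOLEAN bTimerStart = FALSE;

// Arm the periodic 5 s timer whose DPC (clearprocessinformationRoutine)
// runs one enumeration and re-arms itself. Not called at present (commented
// out in protectprocessforpspcidtable).
VOID startdpc(){
    LARGE_INTEGER lTime;
    const ULONG ulMicroSecond = 5000000;   // 5 s, not the 500 ms the original comment claimed

    KeInitializeTimer(&cleartimer);
    KeInitializeDpc(&cleardpc, clearprocessinformationRoutine, NULL);

    // Relative due time: negative, in 100-ns units (the original relied on
    // unsigned wrap-around of -10 * ULONG to get the same value).
    lTime.QuadPart = -(LONGLONG)ulMicroSecond * 10;

    // KeSetTimer's return is "was already queued", not a success flag.
    KeSetTimer(&cleartimer, lTime, &cleardpc);
    bTimerStart = TRUE;

    DbgPrint("定时器开启成功\n");
}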

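// Cancel the periodic timer and wait for any DPC already running. The DPC
// re-arms the timer itself, so: cancel, flush queued DPCs (waits out a DPC
// that may have re-queued the timer after the first cancel), cancel again.
// Must be called at PASSIVE_LEVEL (KeFlushQueuedDpcs). No-op unless startdpc
// ran.
VOID stopdpc(){
    if (!bTimerStart) {
        return;
    }
    bTimerStart = FALSE;

    KeCancelTimer(&cleartimer);
    KeFlushQueuedDpcs();
    KeCancelTimer(&cleartimer);
}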

//////////////////////////////////////////

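// Install the hiding machinery: bookkeeping list, process/thread notify
// callbacks (which write entries back when a hidden process/thread exits),
// and the clearing thread. Registration failures are logged (the original
// ignored both statuses); the thread is still started so that
// unprotectprocessforpspcidtable's wait on `event` has a signaller.
void  protectprocessforpspcidtable(){
    NTSTATUS status;

    if (mainphead == NULL)
    {
        mainphead = createlist("system");
        if (mainphead == NULL) {
            DbgPrint("createlist failed\n");
        }
    }

    status = PsSetCreateProcessNotifyRoutine((PCREATE_PROCESS_NOTIFY_ROUTINE)callback, FALSE);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetCreateProcessNotifyRoutine failed: 0x%08X\n", status);
    }

    status = PsSetCreateThreadNotifyRoutine((PCREATE_THREAD_NOTIFY_ROUTINE)callback2);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetCreateThreadNotifyRoutine failed: 0x%08X\n", status);
    }

    //  startdpc();   // timer-driven variant, left disabled as in the original

    startthread();
}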

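// Tear down: stop the clearing thread, unregister the callbacks, close the
// thread handle and free the bookkeeping list (the original leaked it).
// NOTE(review): PspCidTable entries zeroed for a debugger that is still
// running are NOT written back here; the saved `address` pointers may be
// stale by now, so a blind restore would be as risky as leaving them.
// If the callbacks started extra threads (see callback/startthread), only
// the one that signals `event` is waited for.
void  unprotectprocessforpspcidtable(){

    passmaska = FALSE;

    // Wait for clearDEBUGTOOL to notice the flag (up to one 2 s sleep) and
    // signal. Skip the wait if no thread was ever created, and make it
    // non-alertable so an alert cannot return early on the unload path.
    if (systemthreadhandle != NULL) {
        KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);
    }

    PsSetCreateProcessNotifyRoutine((PCREATE_PROCESS_NOTIFY_ROUTINE)callback, TRUE);
    PsRemoveCreateThreadNotifyRoutine((PCREATE_THREAD_NOTIFY_ROUTINE)callback2);

    //stopdpc();   // timer-driven variant, disabled as in the original

    stopthread();

    // Free the saved-entry list; nothing references it once the callbacks
    // and the thread are gone.
    p_save_handlentry node = mainphead;
    while (node != NULL) {
        p_save_handlentry next = node->next;
        ExFreePool(node);
        node = next;
    }
    mainphead = NULL;
}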

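// Run one enumeration of PspCidTable with removdebugtoolhandle; `handle` is
// passed through as the enumerator's opaque parameter (callers pass 2).
// Lazily resolves the kernel addresses and creates the bookkeeping list on
// first use, so the first call must be at PASSIVE_LEVEL. Returns silently
// when the addresses could not be resolved or the list could not be created;
// the original went on to call a NULL function pointer in that case.
void enumtable(PHANDLE handle){

    if (PspCidTable == 0 || EnumObjectTablex == 0) {
        getenumhandletablefunc();
        if (PspCidTable == 0 || EnumObjectTablex == 0) {
            DbgPrint("enumtable: kernel addresses not resolved\n");
            return;
        }
    }

    if (mainphead == NULL) {
        mainphead = createlist("system");
        if (mainphead == NULL) {
            DbgPrint("enumtable: createlist failed\n");
            return;
        }
    }

    EnumObjectTablex(PspCidTable, removdebugtoolhandle, (ULONG64)(ULONG_PTR)handle);
}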

版权声明:本文为博主原创文章,未经博主允许不得转载。
