#include <Windows.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "DrvCtrl.h"
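// Enable SeDebugPrivilege in the current process token.
//
// NtSystemDebugControl (used by GetKernelMemory below) requires this privilege,
// so a false return should be treated as fatal by the caller.
//
// Returns true only when the privilege was actually enabled. Note that
// AdjustTokenPrivileges returns TRUE even when the token does not hold the
// privilege at all (e.g. a non-administrator user) and reports that case only
// through GetLastError() == ERROR_NOT_ALL_ASSIGNED; the original ignored that
// and reported success. The token handle is now closed on every path - it was
// leaked on the success path before.
bool EnableDebugPrivilege()
{
    HANDLE hToken = NULL;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;
    bool enabled = false;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return false;
    }
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
    {
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = sedebugnameValue;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
        {
            // TRUE only means the request was well-formed; the privilege may
            // still be absent from the token.
            enabled = (GetLastError() != ERROR_NOT_ALL_ASSIGNED);
        }
    }
    CloseHandle(hToken);
    return enabled;
}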
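// Input buffer for the SysDbgCopyMemoryChunks_* commands of
// NtSystemDebugControl: the kernel interprets the first two fields as pointers
// (source and destination) and the third as a 32-bit byte count.
//
// Address and pData must be pointer-sized. The original declared them as
// 32-bit UINT, which on x64 silently truncated kernel addresses (the
// 0xFFFF...-range values GetKernelMemory is given) to their low 32 bits, so
// every read targeted a garbage address. uintptr_t is 4 bytes on x86 and
// 8 bytes on x64, so the layout is unchanged on x86 and correct on x64.
typedef struct _MEMORY_CHUNKS {
    uintptr_t Address;    // kernel address to read from (source)
    uintptr_t pData;      // user-mode buffer that receives the data (destination)
    unsigned int Length;  // number of bytes to copy (32-bit on both architectures)
} MEMORY_CHUNKS, *PMEMORY_CHUNKS;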
// Command codes for NtSystemDebugControl. The per-command descriptions below
// are the original author's notes, translated; only SysDbgCopyMemoryChunks_0
// is used in this file (see GetKernelMemory).
//
// Caveat for anyone reusing this: on Windows Vista and later most of these
// commands are reported to fail unless kernel debugging is enabled on the
// machine, so the NTSTATUS returned by the call must be checked rather than
// assuming the operation happened.
typedef enum _SYSDBG_COMMAND {
    // The following five exist on every Windows NT version.
    SysDbgGetTraceInformation = 1,
    SysDbgSetInternalBreakpoint = 2,
    SysDbgSetSpecialCall = 3,
    SysDbgClearSpecialCalls = 4,
    SysDbgQuerySpecialCalls = 5,
    // Added in NT 5.1 (Windows XP).
    SysDbgDbgBreakPointWithStatus = 6,
    // Returns KdVersionBlock.
    SysDbgSysGetVersion = 7,
    // Copy from kernel space to user space, or from user space to user space;
    // cannot copy from user space into kernel space.
    SysDbgCopyMemoryChunks_0 = 8,
    //SysDbgReadVirtualMemory = 8,   (alias used by other references)
    // Copy from user space into kernel space, or from user space to user space;
    // cannot copy from kernel space to user space.
    SysDbgCopyMemoryChunks_1 = 9,
    //SysDbgWriteVirtualMemory = 9,  (alias used by other references)
    // Copy from a physical address to user space; cannot write into kernel space.
    SysDbgCopyMemoryChunks_2 = 10,
    //SysDbgReadVirtualMemory = 10,  (original alias as written; other references
    //                                describe 10/11 as the physical-memory read/write)
    // Copy from user space to a physical address; cannot read kernel space.
    SysDbgCopyMemoryChunks_3 = 11,
    //SysDbgWriteVirtualMemory = 11, (original alias as written)
    // Read/write the per-processor control block ("control space").
    SysDbgSysReadControlSpace = 12,
    SysDbgSysWriteControlSpace = 13,
    // Read/write I/O ports.
    SysDbgSysReadIoSpace = 14,
    SysDbgSysWriteIoSpace = 15,
    // Call RDMSR@4 and _WRMSR@12 respectively.
    SysDbgSysReadMsr = 16,
    SysDbgSysWriteMsr = 17,
    // Read/write bus data.
    SysDbgSysReadBusData = 18,
    SysDbgSysWriteBusData = 19,
    SysDbgSysCheckLowMemory = 20,
    // Added in NT 5.2 (Windows Server 2003).
    // Call _KdEnableDebugger@0 and _KdDisableDebugger@0 respectively.
    SysDbgEnableDebugger = 21,
    SysDbgDisableDebugger = 22,
    // Get and set assorted debugger-related variables.
    SysDbgGetAutoEnableOnEvent = 23,
    SysDbgSetAutoEnableOnEvent = 24,
    SysDbgGetPitchDebugger = 25,
    SysDbgSetDbgPrintBufferSize = 26,
    SysDbgGetIgnoreUmExceptions = 27,
    SysDbgSetIgnoreUmExceptions = 28
} SYSDBG_COMMAND, *PSYSDBG_COMMAND;
// Function-pointer type for ntdll!NtSystemDebugControl (this file resolves the
// export under that name and calls it through this pointer; "Zw" is just the
// naming the original author chose). Parameters, in order: the SYSDBG_COMMAND,
// the input buffer and its length, the output buffer and its length, and an
// optional pointer that receives the number of bytes returned. The result is
// an NTSTATUS, where 0 is STATUS_SUCCESS (the only value GetKernelMemory
// treats as success).
typedef DWORD (WINAPI *ZWSYSTEMDEBUGCONTROL)(DWORD Command,
                                             PVOID InputBuffer,
                                             DWORD InputBufferLength,
                                             PVOID OutputBuffer,
                                             DWORD OutputBufferLength,
                                             PVOID ReturnLength);
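// Copy uLength bytes from kernel address pKernelAddr into the user-mode buffer
// pBuffer with NtSystemDebugControl(SysDbgCopyMemoryChunks_0).
//
// Returns TRUE only when the call returned STATUS_SUCCESS. Callers must check
// this: the operation needs SeDebugPrivilege (see EnableDebugPrivilege), and on
// Vista and later the memory-copy commands are reported to be rejected unless
// kernel debugging is enabled on the machine, so failure is a normal outcome
// rather than an exception. Whether pBuffer is modified on failure is up to the
// kernel; do not rely on its contents unless TRUE was returned.
//
// Fixes relative to the original: the kernel address and buffer pointer are no
// longer cast to 32-bit UINT (which truncated every x64 kernel address), and a
// missing ntdll export no longer calls through a NULL function pointer.
BOOL GetKernelMemory(PVOID pKernelAddr, PBYTE pBuffer, ULONG uLength)
{
    MEMORY_CHUNKS mc;
    ULONG uReaded = 0;

    // Refuse to hand the kernel a truncated address: if the request
    // structure's address fields are narrower than a pointer (the case on x64
    // while MEMORY_CHUNKS uses 32-bit fields), the read cannot be correct.
    if (sizeof(mc.Address) < sizeof(pKernelAddr) || sizeof(mc.pData) < sizeof(pBuffer))
    {
        return FALSE;
    }
    mc.Address = (uintptr_t)pKernelAddr; // kernel memory address - input
    mc.pData = (uintptr_t)pBuffer;       // user-mode buffer - output
    mc.Length = uLength;                 // byte count

    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
    if (hNtdll == NULL)
    {
        return FALSE;
    }
    // The user-mode export is NtSystemDebugControl; the "Zw" name is only the
    // local variable name kept from the original.
    ZWSYSTEMDEBUGCONTROL ZwSystemDebugControl =
        (ZWSYSTEMDEBUGCONTROL)GetProcAddress(hNtdll, "NtSystemDebugControl");
    if (ZwSystemDebugControl == NULL)
    {
        return FALSE;
    }

    ULONG st = ZwSystemDebugControl(SysDbgCopyMemoryChunks_0, &mc, sizeof(MEMORY_CHUNKS), 0, 0, &uReaded);
    return st == 0; // STATUS_SUCCESS
}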
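// Read Length bytes of kernel memory at Address into Buffer.
//
// Thin wrapper over GetKernelMemory. The earlier IOCTL-based path through the
// helper driver (0x809 = set address, 0x80A = set length, 0x804 = fetch the
// buffer; the mirror image of WKM) was replaced by the NtSystemDebugControl
// read and is no longer compiled.
//
// Returns TRUE on success. On failure Buffer is zero-filled so that callers
// such as GetQWORD/GetDWORD observe a deterministic 0 rather than whatever was
// there; the original discarded the status entirely, so a failed read was
// indistinguishable from a successful one. The return value is new and may be
// ignored by existing callers.
BOOL RKM(UINT64 Address, PVOID Buffer, SIZE_T Length)
{
    if (Buffer == NULL)
    {
        return FALSE;
    }
    // GetKernelMemory takes a 32-bit length; refuse rather than silently read
    // a truncated amount.
    if (Length != (SIZE_T)(ULONG)Length ||
        !GetKernelMemory((PVOID)Address, (PBYTE)Buffer, (ULONG)Length))
    {
        memset(Buffer, 0, Length);
        return FALSE;
    }
    return TRUE;
}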
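// Write Length bytes from Buffer to kernel address Address through the helper
// driver declared in DrvCtrl.h: IOCTL 0x809 sets the target address, 0x80A the
// length, 0x805 delivers the payload.
//
// This is an arbitrary kernel-write primitive. Anything that can call this
// function - or send these IOCTLs to the driver directly - controls the
// machine, so the driver must not be left installed where that is not
// intended, and its device object should not be openable by unprivileged
// users.
//
// The driver protocol takes the address and length as 8-byte values. The
// original passed &Length with a hard-coded size of 8, which over-reads the
// 4-byte SIZE_T local on x86 builds; both values are now staged in UINT64
// locals and sent with sizeof, which is byte-identical on x64. IoControl's
// signature lives in DrvCtrl.h (not visible here) and its result is not
// checked, as in the original, so a failed IOCTL goes unnoticed.
void WKM(UINT64 Address, PVOID Buffer, SIZE_T Length)
{
    UINT64 target = Address;
    UINT64 length = Length;
    IoControl(hMyDrv, CTL_CODE_GEN(0x809), &target, sizeof(target), NULL, 0); // address
    IoControl(hMyDrv, CTL_CODE_GEN(0x80A), &length, sizeof(length), NULL, 0); // length
    IoControl(hMyDrv, CTL_CODE_GEN(0x805), Buffer, Length, NULL, 0);          // payload
}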
// Read one 8-byte value from kernel address `address`.
// The result of RKM is not checked; if the read does not populate the buffer,
// the initial 0 is what gets returned, so callers cannot distinguish a genuine
// zero from a failed read.
UINT64 GetQWORD(UINT64 address)
{
    UINT64 value = 0;
    RKM(address, &value, sizeof(value));
    return value;
}
// Read one 4-byte value from kernel address `address`.
// As with GetQWORD, RKM's outcome is not checked, so a failed read is
// returned as 0.
UINT32 GetDWORD(UINT64 address)
{
    UINT32 value = 0;
    RKM(address, &value, sizeof(value));
    return value;
}
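// Ask the helper driver (IOCTL 0x7FF) for the image name of the process that
// owns the ETHREAD at `ethread`.
//
// Returns a heap buffer the caller must free(), or NULL if allocation fails.
// The driver is still given a 16-byte output window, but the buffer is now
// 17 zeroed bytes so the result is always NUL-terminated even if the driver
// fills all 16 bytes; the original malloc'd exactly 16 uninitialised bytes,
// never checked the allocation, and handed the result straight to
// printf("%s"). The IOCTL's own status is not surfaced by this wrapper, so on
// failure the returned string is simply empty.
PUCHAR GetPNbyET(UINT64 ethread)
{
    PUCHAR name = (PUCHAR)calloc(16 + 1, 1); // 16-byte window + guaranteed terminator
    if (name == NULL)
    {
        return NULL;
    }
    IoControl(hMyDrv, CTL_CODE_GEN(0x7FF), &ethread, sizeof(ethread), name, 16);
    return name;
}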
/*
lkd> dt win32k!tagsharedinfo
+0x000 psi : Ptr64 tagSERVERINFO
+0x008 aheList : Ptr64 _HANDLEENTRY
+0x010 HeEntrySize : Uint4B
+0x018 pDispInfo : Ptr64 tagDISPLAYINFO
+0x020 ulSharedDelta : Uint8B
+0x028 awmControl : [31] _WNDMSG
+0x218 DefWindowMsgs : _WNDMSG
+0x228 DefWindowSpecMsgs : _WNDMSG
lkd> dt win32k!tagSERVERINFO
+0x000 dwSRVIFlags : Uint4B
+0x008 cHandleEntries : Uint8B
+0x010 mpFnidPfn : [32] Ptr64 int64
+0x110 aStoCidPfn : [7] Ptr64 int64
[remaining fields omitted]
*/
/*win32k!_HANDLEENTRY
+0x000 phead : Ptr64 _HEAD
+0x008 pOwner : Ptr64 Void
+0x010 bType : UChar
+0x011 bFlags : UChar
+0x012 wUniq : Uint2B*/
// User-mode mirror of win32k!_HANDLEENTRY on x64 (see the dump above): two
// 8-byte pointers followed by bType/bFlags/wUniq at 0x10/0x11/0x12. With the
// UINT64 fields the struct is padded to 0x18 bytes, which is the stride
// EnumMsgHook uses to walk the handle table.
typedef struct _HANDLEENTRY
{
    UINT64 phead;   // +0x000 pointer to the object's _HEAD; for hook entries this is the tagHOOK EnumMsgHook reads
    UINT64 pOwner;  // +0x008 "Ptr64 Void" in the dump; not used here
    UCHAR bType;    // +0x010 object type; EnumMsgHook selects entries with bType == 5 (hooks)
    UCHAR bFlags;   // +0x011 not used here
    USHORT wUniq;   // +0x012 not used here
} HANDLEENTRY, *PHANDLEENTRY;
/*
lkd> dt win32k!taghook
+0x000 head : _THRDESKHEAD
+0x028 phkNext : Ptr64 tagHOOK
+0x030 iHook : Int4B
+0x038 offPfn : Uint8B
+0x040 flags : Uint4B
+0x044 ihmod : Int4B
+0x048 ptiHooked : Ptr64 tagTHREADINFO
+0x050 rpdesk : Ptr64 tagDESKTOP
+0x058 nTimeout : Pos 0, 7 Bits
+0x058 fLastHookHung : Pos 7, 1 Bit
lkd> dt _THRDESKHEAD
win32k!_THRDESKHEAD
+0x000 h : Ptr64 Void
+0x008 cLockObj : Uint4B
+0x010 pti : Ptr64 tagTHREADINFO
+0x018 rpdesk : Ptr64 tagDESKTOP
+0x020 pSelf : Ptr64 UChar
*/
// User-mode mirror of the first 0x50 bytes of win32k!tagHOOK on x64 (see the
// dump above). With MSVC x64 alignment the fields land at: hHandle 0x00,
// Unknown1 0x08, Win32Thread 0x10, Unknown2 0x18, SelfHook 0x20, NextHook 0x28,
// iHookType 0x30, OffPfn 0x38, iHookFlags 0x40, iMod 0x44, Win32ThreadHooked
// 0x48 - i.e. head.h, head.cLockObj, head.pti, head.rpdesk, head.pSelf,
// phkNext, iHook, offPfn, flags, ihmod and ptiHooked in the dump.
// Field comments are the original author's notes, translated.
typedef struct _HOOK_INFO
{
    HANDLE hHandle;          // head.h: the hook handle; handles are global, so UnhookWindowsHookEx can remove the hook
    int Unknown1;            // head.cLockObj in the dump
    PVOID Win32Thread;       // head.pti: the owning thread's tagTHREADINFO (the original described it as win32k!_W32THREAD)
    PVOID Unknown2;          // head.rpdesk in the dump
    PVOID SelfHook;          // head.pSelf: address of this structure
    PVOID NextHook;          // phkNext: next hook in the chain
    int iHookType;           // iHook: hook type, WH_* values from winuser.h
    PVOID OffPfn;            // offPfn: offset of the hook procedure relative to its module
    int iHookFlags;          // flags
    int iMod;                // ihmod: index of the module holding the hook procedure; per the original author the module base can be resolved through the WowProcess structure
    PVOID Win32ThreadHooked; // ptiHooked: presumably the hooked thread's tagTHREADINFO (the original author was unsure)
    // further tagHOOK fields follow and are omitted here
} HOOK_INFO, *PHOOK_INFO;
// Map a WH_* hook id (as stored in tagHOOK.iHook) to its winuser.h name.
// Known ids run from WH_MSGFILTER (-1) to WH_MOUSE_LL (14); anything outside
// that range yields "????". The returned pointer refers to a string literal
// and must not be modified.
char *GetHookType(int Id)
{
    static const char *const kNames[] = {
        "WH_MSGFILTER",       // -1
        "WH_JOURNALRECORD",   //  0
        "WH_JOURNALPLAYBACK", //  1
        "WH_KEYBOARD",        //  2
        "WH_GETMESSAGE",      //  3
        "WH_CALLWNDPROC",     //  4
        "WH_CBT",             //  5
        "WH_SYSMSGFILTER",    //  6
        "WH_MOUSE",           //  7
        "WH_HARDWARE",        //  8
        "WH_DEBUG",           //  9
        "WH_SHELL",           // 10
        "WH_FOREGROUNDIDLE",  // 11
        "WH_CALLWNDPROCRET",  // 12
        "WH_KEYBOARD_LL",     // 13
        "WH_MOUSE_LL",        // 14
    };
    const int kFirstId = -1;
    const int kLastId = kFirstId + (int)(sizeof(kNames) / sizeof(kNames[0])) - 1;

    if (Id < kFirstId || Id > kLastId)
    {
        return (char *)"????";
    }
    return (char *)kNames[Id - kFirstId];
}
// Render tagHOOK.flags the way this tool classifies hooks: exactly the values
// 1 and 3 are reported as "Global", every other value as "Local" (that mapping
// is the original author's; it is not a general decode of the flag bits).
// Returns a string literal; do not modify.
char *GetHookFlagString(int Flag)
{
    const int isGlobal = (Flag == 1) || (Flag == 3);
    return (char *)(isGlobal ? "Global" : "Local");
}
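// Walk the user32 shared handle table and print every hook entry.
//
// gSharedInfo (exported by user32.dll) is the user-mode view of win32k's
// tagSHAREDINFO; its layout is in the dump above: psi at +0x00 (whose
// cHandleEntries is at +0x08), aheList at +0x08, HeEntrySize at +0x10. The
// handle table itself is readable from user mode (the original reads it with
// memcpy), but each hook's tagHOOK lives in kernel memory and is fetched with
// GetKernelMemory, which needs SeDebugPrivilege and fails on systems where
// NtSystemDebugControl's memory-copy commands are unavailable.
//
// Fixes relative to the original: a missing gSharedInfo export no longer
// dereferences NULL; the table is walked with the kernel-supplied HeEntrySize
// rather than assuming sizeof(HANDLEENTRY); a failed kernel read is reported
// instead of printing the previous entry's stale HOOK_INFO (the struct was
// reused across iterations); the name buffer from GetPNbyET is NULL-checked
// and freed; the loop counter matches the 64-bit entry count; the ETHREAD is
// read once rather than twice; pointers are cast before being printed with
// %llx.
void EnumMsgHook()
{
    const UCHAR kHookHandleType = 5; // win32k handle type for hook objects (TYPE_HOOK), as in the original

    HMODULE hUser32 = GetModuleHandleA("user32.dll");
    UINT64 pgSharedInfo = hUser32 ? (UINT64)GetProcAddress(hUser32, "gSharedInfo") : 0;
    if (pgSharedInfo == 0)
    {
        printf("user32!gSharedInfo not found\n");
        return;
    }

    UINT64 psi = *(UINT64 *)(pgSharedInfo);          // +0x000 psi : Ptr64 tagSERVERINFO
    UINT64 phe = *(UINT64 *)(pgSharedInfo + 8);      // +0x008 aheList : Ptr64 _HANDLEENTRY
    UINT entrySize = *(UINT *)(pgSharedInfo + 0x10); // +0x010 HeEntrySize : Uint4B
    if (psi == 0 || phe == 0 || entrySize < sizeof(HANDLEENTRY))
    {
        printf("gSharedInfo looks invalid (psi=0x%llx aheList=0x%llx HeEntrySize=%u)\n",
               (unsigned long long)psi, (unsigned long long)phe, entrySize);
        return;
    }
    UINT64 count = *(UINT64 *)(psi + 8);             // +0x008 cHandleEntries : Uint8B

    for (UINT64 i = 0; i < count; i++)
    {
        HANDLEENTRY heStruct;
        memcpy(&heStruct, (PVOID)(phe + i * entrySize), sizeof(HANDLEENTRY));
        if (heStruct.bType != kHookHandleType)
        {
            continue;
        }

        // Fresh struct per entry so a failed read cannot leak the previous
        // hook's fields into this entry's output.
        HOOK_INFO Hook = {0};
        if (!GetKernelMemory((PVOID)heStruct.phead, (PBYTE)&Hook, sizeof(HOOK_INFO)))
        {
            printf("entry %llu: failed to read tagHOOK at 0x%llx (SeDebugPrivilege / NtSystemDebugControl unavailable?)\n\n",
                   (unsigned long long)i, (unsigned long long)heStruct.phead);
            continue;
        }

        // The first QWORD of the thread info is treated as the ETHREAD
        // pointer, as in the original.
        UINT64 ethread = GetQWORD((UINT64)Hook.Win32Thread);
        PUCHAR name = GetPNbyET(ethread);

        printf("hHandle: 0x%llx\n", (unsigned long long)(ULONG_PTR)Hook.hHandle);
        printf("iHookFlags: %s\n", GetHookFlagString(Hook.iHookFlags));
        printf("iHookType: %s\n", GetHookType(Hook.iHookType));
        printf("OffPfn: 0x%llx\n", (unsigned long long)(ULONG_PTR)Hook.OffPfn);
        printf("ETHREAD: 0x%llx\n", (unsigned long long)ethread);
        printf("ProcessName: %s\n\n", name ? (const char *)name : "?");
        free(name);
    }
}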
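// Entry point: enable SeDebugPrivilege, then enumerate message hooks.
//
// The original printed the privilege result and carried on regardless;
// without the privilege every kernel read in EnumMsgHook fails, so the program
// now stops with a non-zero exit code instead of printing garbage. The "%d"
// line is kept for anyone scripting around the old output.
int main()
{
    bool havePrivilege = EnableDebugPrivilege();
    printf("%d\n", havePrivilege);
    if (!havePrivilege)
    {
        printf("SeDebugPrivilege could not be enabled; run from an elevated (administrator) prompt.\n");
        return 1;
    }
    EnumMsgHook();
    getchar();
    return 0;
}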