  1. #include <ntdef.h>
  2. #include <ntifs.h>
  3. #include "Types.h"
  4.  
/*
 * Image-load notify callback, registered in DriverEntry with
 * PsSetLoadImageNotifyRoutine and unregistered in Unload.
 *
 * When the loaded image's full name contains both the hard-coded game path
 * and "Device", the loading process id is stored in the global PUID and the
 * process's section base (via GetSectionBaseAddress) in the global PUBase.
 * Both globals are declared elsewhere (presumably Types.h).
 *
 * Review notes (defects observed, not fixed here):
 *  - The declared return type is PLOAD_IMAGE_NOTIFY_ROUTINE, yet nothing is
 *    returned; the WDK callback type is VOID, which is why Unload has to cast
 *    this function when unregistering it.
 *  - w_FullImageName is dereferenced unconditionally; the WDK documents that
 *    this pointer may be NULL for some images — TODO confirm, then guard.
 *  - UNICODE_STRING buffers are not guaranteed to be NUL-terminated, so
 *    wcsstr() on Buffer may read past the end of the string.
 *  - GetSectionBaseAddress is defined later in this file; unless Types.h
 *    declares it, this call is an implicit declaration returning int and the
 *    64-bit base may be truncated — TODO confirm.
 *  - DbgPrintEx prints w_ProcessId (a HANDLE) with "%d": format/type mismatch.
 */
PLOAD_IMAGE_NOTIFY_ROUTINE NotifyImageLoadCallback(PUNICODE_STRING w_FullImageName, HANDLE w_ProcessId, PIMAGE_INFO w_ImageInfo)
{
    /* both substrings must be present in the image name for a match */
    if (wcsstr(w_FullImageName->Buffer, L"\\TslGame\\Binaries\\Win64\\TslGame.exe") && wcsstr(w_FullImageName->Buffer, L"Device"))
    {
        PUID = w_ProcessId;                          /* consumed later by ReadMemOutputClient */
        PUBase = GetSectionBaseAddress(w_ProcessId); /* 0 if the lookup or attach fails */
        DbgPrintEx(0, 0, "base : %llx %d %ws\r\n", PUBase, w_ProcessId, w_FullImageName->Buffer);
    }
}
  14.  
/* Manual prototype: the headers included above do not declare this exported
 * routine, so it is declared here for use by GetSectionBaseAddress. */
NTKERNELAPI PVOID PsGetProcessSectionBaseAddress(__in PEPROCESS Process);
  16.  
// Routine that ignores the PE header and obtains the actual game base address
/*
 * Resolve the process identified by w_pid and return its section base
 * address as reported by PsGetProcessSectionBaseAddress.
 *
 * Params:  w_pid - process id to look up.
 * Returns: the base address as DWORD64, or 0 if the lookup fails or an
 *          exception is raised while attached to the process.
 *
 * Review notes (defects observed, not fixed here):
 *  - PsLookupProcessByProcessId returns a referenced PEPROCESS and nothing
 *    here calls ObDereferenceObject, so every successful call leaks a
 *    reference to the target process.
 *  - The __except filter evaluates to GetExceptionCode() instead of
 *    EXCEPTION_EXECUTE_HANDLER. Error NTSTATUS values are negative as int,
 *    and a negative filter result is EXCEPTION_CONTINUE_EXECUTION, so a
 *    fault may resume at the faulting instruction rather than running the
 *    handler — verify against the compiler's SEH semantics.
 *  - If the exception is raised between KeAttachProcess and
 *    KeDetachProcess, the handler returns while still attached.
 *  - KeAttachProcess/KeDetachProcess are the legacy pair; the rest of the
 *    file uses KeStackAttachProcess/KeUnstackDetachProcess.
 */
DWORD64 GetSectionBaseAddress(HANDLE w_pid)
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    PEPROCESS targetProcess;
    PVOID value = 0;

    ntStatus = PsLookupProcessByProcessId((HANDLE)w_pid, &targetProcess);

    /* 0 is the documented "not found" result for callers of this routine */
    if (ntStatus != STATUS_SUCCESS || !targetProcess)
        return 0;

    __try
    {
        KeAttachProcess((PKPROCESS)targetProcess);
        value = PsGetProcessSectionBaseAddress(targetProcess);
        KeDetachProcess();
    }
    __except (GetExceptionCode())
    {
        return 0;
    }

    return (DWORD64)value;
}
  42.  
/*
 * DriverUnload routine: unregisters the image-load callback, deletes the DOS
 * symbolic link and deletes the device object.
 *
 * Review notes (defects observed, not fixed here):
 *  - The link deleted here is "\\DosDevices\\BcDirver", but DriverEntry
 *    creates "\\DosDevices\\bambooqj"; the link this driver actually created
 *    is therefore left behind on unload (and, if an unrelated link exists
 *    under the name used here, that one is removed instead).
 *  - The return values of PsRemoveLoadImageNotifyRoutine and
 *    IoDeleteSymbolicLink are ignored.
 *  - The cast on NotifyImageLoadCallback exists only because that function
 *    is declared with the wrong return type (see its header comment).
 */
VOID Unload(PDRIVER_OBJECT DriverObject)
{
    PsRemoveLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)NotifyImageLoadCallback);

    UNICODE_STRING usDosDeviceName;

    RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\BcDirver");
    IoDeleteSymbolicLink(&usDosDeviceName);

    IoDeleteDevice(DriverObject->DeviceObject);
}
  54.  
  55. // This is where the magic happens.
  56. // You can also try to direct write to the usermode app buffer,
  57. // I just did it always this way
  58. // Also MmCopyVirtualMemory can be used, I think...
/*
 * Service one request from the user-mode client. Depending on
 * w_poReadStruct->ProtocolMsg it either copies the cached game base (PUBase)
 * into the client's buffer, copies ReadSize bytes from the game process into
 * the client's buffer, or copies ReadSize bytes from the client's buffer into
 * the game process. Both transfer directions stage the data through the
 * global DriverBuffer, which is allocated and freed on every call.
 *
 * Params:  w_poReadStruct - request taken from the IRP's system buffer. Every
 *          field (UserPID, UserBufferAdress, GameAddressOffset, ReadSize,
 *          ProtocolMsg) originates from the user-mode caller and is untrusted.
 * Returns: STATUS_SUCCESS; STATUS_UNSUCCESSFUL if no base is known yet and
 *          the request is not PROTO_GET_BASEADDR; STATUS_MEMORY_NOT_ALLOCATED
 *          if the pool allocation fails; STATUS_ABANDONED if a probe or copy
 *          raised an exception (later steps still run after such a failure).
 *
 * Review notes (risks observed, not fixed here):
 *  - The client process is chosen by the caller (UserPID) and no access or
 *    privilege check is performed on the caller. If the device can be opened
 *    by unprivileged users (DriverEntry supplies no security descriptor),
 *    this is a cross-process memory read/write primitive exposed to any
 *    local process.
 *  - Both PsLookupProcessByProcessId results are ignored: hGame/hClient stay
 *    uninitialized when a lookup fails, and the references taken on success
 *    are never released with ObDereferenceObject (one leak per call).
 *  - ReadSize sizes the NonPagedPool allocation directly. In the
 *    PROTO_GET_BASEADDR path ReadSize bytes are copied starting at &PUBase,
 *    so any ReadSize larger than sizeof(PUBase) copies adjacent kernel memory
 *    into the client's buffer (kernel information disclosure).
 *  - ProbeForRead is used before writes into user buffers; ProbeForWrite is
 *    the probe that matches a write. ProbeForRead only validates that the
 *    range lies in user space, it does not touch the memory.
 *  - DriverBuffer is a global shared by all concurrent requests with no
 *    synchronization, is freed with ExFreePool although it was allocated
 *    with a tag, and is left dangling after the free.
 *  - If KeStackAttachProcess itself raises (e.g. an uninitialized hClient or
 *    hGame), the handler calls KeUnstackDetachProcess with an apc_state that
 *    was never filled in.
 *  - In the PROTO_NORMAL_WRITE path a failed first copy still lets the second
 *    copy write the uninitialized pool contents into the game process.
 */
NTSTATUS ReadMemOutputClient(pReadStruct w_poReadStruct)
{
    PEPROCESS hClient, hGame;

    KAPC_STATE apc_state;
    NTSTATUS NtStatus = STATUS_SUCCESS;

    // sanity check, you can change this if you happen to
    // expand the protocol
    if (PUBase == 0 && w_poReadStruct->ProtocolMsg != PROTO_GET_BASEADDR)
    {
        return STATUS_UNSUCCESSFUL;
    }

    // get the game and a handle (both results unchecked, see header)
    PsLookupProcessByProcessId(PUID, &hGame);
    PsLookupProcessByProcessId((HANDLE)w_poReadStruct->UserPID, &hClient);

    // allocate kernel memory for cache buffer (size is caller-controlled)
    DriverBuffer = ExAllocatePoolWithTag(NonPagedPool, w_poReadStruct->ReadSize, 'Sys');

    if (DriverBuffer == NULL)
    {
        return STATUS_MEMORY_NOT_ALLOCATED;
    }

    // get baseaddr is a req from usermode app to receive the baseaddr
    if (w_poReadStruct->ProtocolMsg == PROTO_GET_BASEADDR)
    {
        __try
        {
            KeStackAttachProcess(hClient, &apc_state);
            ProbeForRead((CONST PVOID)w_poReadStruct->UserBufferAdress, w_poReadStruct->ReadSize, sizeof(CHAR));
            // copies ReadSize bytes from &PUBase, not sizeof(PUBase) bytes
            RtlCopyMemory(w_poReadStruct->UserBufferAdress, &PUBase, w_poReadStruct->ReadSize);
            DbgPrintEx(0, 0, "read size : %x \r\n", w_poReadStruct->ReadSize);
            KeUnstackDetachProcess(&apc_state);
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            KeUnstackDetachProcess(&apc_state);
            NtStatus = STATUS_ABANDONED;
        }
    }

    // normal read means game-->usermode app transfer
    else if (w_poReadStruct->ProtocolMsg == PROTO_NORMAL_READ)
    {
        // transfer the data from game to kernel
        __try
        {
            KeStackAttachProcess(hGame, &apc_state);
            ProbeForRead((CONST PVOID)w_poReadStruct->GameAddressOffset, w_poReadStruct->ReadSize, sizeof(CHAR));
            RtlCopyMemory(DriverBuffer, w_poReadStruct->GameAddressOffset, w_poReadStruct->ReadSize);
            KeUnstackDetachProcess(&apc_state);
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            KeUnstackDetachProcess(&apc_state);
            NtStatus = STATUS_ABANDONED;
        }
        // transfer the data from kernel to usermode app (runs even if the
        // step above failed)
        __try
        {
            KeStackAttachProcess(hClient, &apc_state);
            ProbeForRead((CONST PVOID)w_poReadStruct->UserBufferAdress, w_poReadStruct->ReadSize, sizeof(CHAR));
            RtlCopyMemory(w_poReadStruct->UserBufferAdress, DriverBuffer, w_poReadStruct->ReadSize);
            KeUnstackDetachProcess(&apc_state);
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            KeUnstackDetachProcess(&apc_state);
            NtStatus = STATUS_ABANDONED;
        }
    }
    else if (w_poReadStruct->ProtocolMsg == PROTO_NORMAL_WRITE)
    {
        // transfer the data from usermode app to kernel
        __try
        {
            KeStackAttachProcess(hClient, &apc_state);
            ProbeForRead((CONST PVOID)w_poReadStruct->UserBufferAdress, w_poReadStruct->ReadSize, sizeof(CHAR));
            RtlCopyMemory(DriverBuffer, w_poReadStruct->UserBufferAdress, w_poReadStruct->ReadSize);
            KeUnstackDetachProcess(&apc_state);
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            KeUnstackDetachProcess(&apc_state);
            NtStatus = STATUS_ABANDONED;
        }
        // transfer the data from kernel to game (runs even if the step above
        // failed)
        __try
        {
            KeStackAttachProcess(hGame, &apc_state);
            ProbeForRead((CONST PVOID)w_poReadStruct->GameAddressOffset, w_poReadStruct->ReadSize, sizeof(CHAR));
            RtlCopyMemory(w_poReadStruct->GameAddressOffset, DriverBuffer, w_poReadStruct->ReadSize);
            KeUnstackDetachProcess(&apc_state);
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            KeUnstackDetachProcess(&apc_state);
            NtStatus = STATUS_ABANDONED;
        }

    }
    // global pointer is not reset after this, so it dangles until the next call
    ExFreePool(DriverBuffer);

    return NtStatus;

}
  167.  
  168. // basic IOCTL communication routine
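/*
 * IRP_MJ_WRITE dispatch routine (buffered I/O): interprets the caller's write
 * buffer as a request structure and hands it to ReadMemOutputClient.
 *
 * Params:  DeviceObject - unused.
 *          Irp          - the write IRP; its SystemBuffer holds data copied
 *                         from an unprivileged user-mode caller, so every
 *                         field of the request is untrusted.
 * Returns: STATUS_SUCCESS when nothing was processed (no stack location, no
 *          buffer, or a zero ReadSize); STATUS_BUFFER_TOO_SMALL when the
 *          write is shorter than the request structure; otherwise the status
 *          returned by ReadMemOutputClient.
 *
 * Review note: the IRP is never completed here (no IoStatus update and no
 * IoCompleteRequest), so the caller's write appears to stay pending — left
 * unchanged; confirm against the rest of the driver.
 */
NTSTATUS WriteBufferedIO(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    NTSTATUS NtStatus = STATUS_SUCCESS;
    PIO_STACK_LOCATION pIoStackIrp = NULL;
    pReadStruct readStruct = NULL;

    UNREFERENCED_PARAMETER(DeviceObject);

    pIoStackIrp = IoGetCurrentIrpStackLocation(Irp);
    if (pIoStackIrp == NULL)
    {
        return NtStatus;
    }

    /* Buffered I/O: the I/O manager copied the caller's data into
     * SystemBuffer; Parameters.Write.Length says how many bytes arrived. */
    readStruct = (pReadStruct)Irp->AssociatedIrp.SystemBuffer;
    if (readStruct == NULL)
    {
        return NtStatus;
    }

    /* Reject writes shorter than the request structure so that the field
     * reads below and in ReadMemOutputClient stay inside the buffer. */
    if (pIoStackIrp->Parameters.Write.Length < sizeof(*readStruct))
    {
        return STATUS_BUFFER_TOO_SMALL;
    }

    /* a zero-length transfer is treated as a no-op, not an error */
    if (readStruct->ReadSize)
    {
        NtStatus = ReadMemOutputClient(readStruct);
    }

    return NtStatus;
}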
  193.  
  194. // dummy routine
/* Default dispatch for every major function the driver does not implement.
 * Logs a line and reports STATUS_NOT_SUPPORTED; note it does not complete
 * the IRP it was handed. */
NTSTATUS UnSupportedIrpFunction(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    DbgPrintEx(0, 0, "Unsupported Irp Function \r\n");
    return STATUS_NOT_SUPPORTED;
}
  201.  
  202. // driver entrypoint
/*
 * Driver entry point: creates the control device and its DOS link, installs
 * the dispatch table and unload routine, and registers the image-load
 * callback. dev, dos and pDeviceObject are globals declared elsewhere
 * (presumably Types.h).
 *
 * Params:  pDriverObject - this driver's object.
 *          RegistryPath  - unused.
 * Returns: STATUS_SUCCESS, or STATUS_UNSUCCESSFUL if IoCreateDevice fails
 *          (the original status is not propagated).
 *
 * Review notes (defects observed, not fixed here):
 *  - IoCreateDevice is called with no security descriptor, so the device is
 *    openable under whatever default DACL it receives — likely by any local
 *    user; verify. Given what the write handler does, that is the key risk.
 *  - The return values of IoCreateSymbolicLink and
 *    PsSetLoadImageNotifyRoutine are ignored; on their failure the driver
 *    still reports success.
 *  - MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 entries, so the loop
 *    bound "< IRP_MJ_MAXIMUM_FUNCTION" leaves the last slot untouched.
 *  - IRP_MJ_CREATE and IRP_MJ_CLOSE are left on UnSupportedIrpFunction,
 *    which returns STATUS_NOT_SUPPORTED without completing the IRP, so
 *    opening the device from user mode would not succeed as posted — confirm.
 *  - The DOS link name created here ("\\DosDevices\\bambooqj") does not
 *    match the one Unload deletes ("\\DosDevices\\BcDirver").
 */
NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT pDriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    PUBase = 0;  /* no game base known until the image-load callback fires */

    NTSTATUS status = STATUS_SUCCESS;

    RtlInitUnicodeString(&dev, L"\\Device\\bambooqj");
    RtlInitUnicodeString(&dos, L"\\DosDevices\\bambooqj");

    status = IoCreateDevice(pDriverObject, 0, &dev, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);

    if (status == STATUS_SUCCESS)
    {
        /* every major function defaults to the unsupported handler ... */
        for (UINT32 uiIndex = 0; uiIndex < IRP_MJ_MAXIMUM_FUNCTION; uiIndex++)
        {
            pDriverObject->MajorFunction[uiIndex] = UnSupportedIrpFunction;
        }

        /* ... except IRP_MJ_WRITE, which carries the client's requests */
        pDriverObject->MajorFunction[IRP_MJ_WRITE] = WriteBufferedIO;
        pDriverObject->DriverUnload = Unload;

        /* buffered I/O: WriteBufferedIO reads from Irp->AssociatedIrp.SystemBuffer */
        pDeviceObject->Flags |= DO_BUFFERED_IO;
        pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING);

        IoCreateSymbolicLink(&dos, &dev);
    }
    else
    {
        return STATUS_UNSUCCESSFUL;
    }

    PsSetLoadImageNotifyRoutine(NotifyImageLoadCallback);

    return STATUS_SUCCESS;
}