pass all use tessafe.sys protect game(转)

 inline hook PsCreateSystemThread,其HOOK函数中建立一个线程用于改写TX inline hook的一些内核函数的前几个字节

;write by y3y3y3 from www.unpack.cn
.386 
.model flat, stdcall 
option casemap:none

include C:\RadASM\masm32\include\w2k\ntstatus.inc 
include C:\RadASM\masm32\include\w2k\ntddk.inc 
include C:\RadASM\masm32\include\w2k\ntoskrnl.inc 
include C:\RadASM\masm32\include\w2k\w2kundoc.inc 
includelib C:\RadASM\masm32\lib\w2k\ntoskrnl.lib 
include C:\RadASM\\masm32\Macros\Strings.mac

    
.data 
; Counted UNICODE_STRINGs naming the exports that DriverEntry resolves through
; Getaddr / MmGetSystemRoutineAddress. CCOUNTED_UNICODE_STRING comes from the
; Strings.mac include above; the trailing 4 is presumably its alignment
; argument -- confirm against the macro.
CCOUNTED_UNICODE_STRING "KeAttachProcess",KeAttachProcess_String, 4
CCOUNTED_UNICODE_STRING "PsCreateSystemThread", PsCreateSystemThread_String, 4
CCOUNTED_UNICODE_STRING "ObOpenObjectByPointer",ObOpenObjectByPointer_String,4
CCOUNTED_UNICODE_STRING "NtOpenProcess",NtOpenProcess_String,4
CCOUNTED_UNICODE_STRING "NtOpenThread", NtOpenThread_String,4
; Resolved kernel addresses, all filled in by DriverEntry. The two Nt*VirtualMemory
; entries come from hard-coded SSDT indices and KiAttachProcess_addr is derived
; from a hard-coded offset inside KeAttachProcess, so they are build-specific.
PsCreateSystemThread_addr dd ?
NtWriteVirtualMemory_addr dd ?
NtReadVirtualMemory_addr dd ?
ObOpenObjectByPointer_addr dd ?
NtOpenThread_addr dd ?
NtOpenProcess_addr dd ?
KiAttachProcess_addr dd ?
; Copies of the entry bytes of each routine that is later rewritten or restored.
; DriverEntry copies 9 bytes into each (rep movsb with ecx=9); the tenth stays 0.
NtWriteVirtualMemory_oldbyte db 10 dup (0)
PsCreateSystemThread_oldbyte db 10 dup (0)
NtReadVirtualMemory_oldbyte db 10 dup (0)
KiAttachProcess_oldbyte db 10 dup (0)
threadproc dd ?                 ; original StartRoutine captured in ThreadHook; Thread tail-jumps to it
sysbase dd ?                    ; driver base estimated from threadproc in ThreadHook (author's formula)
hook    dd ?                    ; rel32 displacement of the jmp written over PsCreateSystemThread
.code

;-----------------------------------------------------------------------
; PVOID Getaddr(PUNICODE_STRING apiString)
; Thin stdcall wrapper around MmGetSystemRoutineAddress.
; In:    apiString = counted UNICODE_STRING naming an ntoskrnl export
; Out:   eax = address of the export, or NULL when it is not found
;        (the callers in DriverEntry use the result without a NULL check)
; Clobb: whatever MmGetSystemRoutineAddress clobbers (ecx, edx, flags)
;-----------------------------------------------------------------------
Getaddr proc apiString:dword
        push    apiString                       ; the single stdcall argument
        call    MmGetSystemRoutineAddress       ; stdcall: callee pops the argument
        ret                                     ; result is already in eax
Getaddr endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::: 
;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; Saves the entry bytes of several kernel routines, resolves the exports that
; Thread later rewrites, then overwrites the first five bytes of
; PsCreateSystemThread with a jmp to ThreadHook. Always returns STATUS_SUCCESS.
; NOTE(review): the Getaddr results are used without a NULL check; the SSDT
; indices (115h, 0bah) and the +47h offset are hard-coded for one OS build;
; cli/sti only masks interrupts on the current CPU; and CR0.WP stays cleared
; for the whole sequence. Any of these can crash the machine on a different
; build or on an SMP system.
;-----------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING 
local pDeviceObject:PVOID                       ; unused
    pushad                                      ; save all general registers

    
    cli 
    mov eax, cr0 
    and eax,0fffeffffh                          ; clear CR0.WP (bit 16)
    mov cr0, eax                                ; kernel code pages become writable
    
    mov edi, dword ptr [KeServiceDescriptorTable]   ; service descriptor table (declared in the w2k includes)
    mov ebx, [edi]                              ; author: ebx now points at the SSDT -- exact indirection depends on how the include declares the symbol
    mov esi, [ebx+(115h*4)]                     ; author: SSDT[115h] = NtWriteVirtualMemory (index is build-specific)
    
    mov ecx,9
    mov NtWriteVirtualMemory_addr ,esi
    mov edi,offset NtWriteVirtualMemory_oldbyte
    rep movsb                                   ; save the first 9 bytes of NtWriteVirtualMemory (assumes DF clear)
    
    mov ecx,9
    mov esi, [ebx+(0bah*4)]                     ; author: SSDT[0bah] = NtReadVirtualMemory
    mov NtReadVirtualMemory_addr,esi            ; save the first 9 bytes of NtReadVirtualMemory
    mov edi,offset NtReadVirtualMemory_oldbyte
    rep movsb
    
    ; Resolve the routine that the 5-byte rel32 instruction at KeAttachProcess+47h
    ; transfers to: read its rel32 operand and add it to the next-instruction
    ; address. The author names the target KiAttachProcess. The offset is
    ; build-specific and eax is not checked for NULL before the add.
    invoke Getaddr,offset KeAttachProcess_String
    add eax,47h
    mov edx,dword ptr [eax+1]                   ; rel32 operand
    lea eax,dword ptr [edx+eax+5]               ; target = insn + 5 + rel32
    mov KiAttachProcess_addr,eax
    mov ecx,9
    mov esi,eax
    mov edi,offset KiAttachProcess_oldbyte      ; save its first 9 bytes too
    rep movsb
    
    invoke Getaddr,offset ObOpenObjectByPointer_String
    mov ObOpenObjectByPointer_addr,eax
    
    invoke Getaddr,offset NtOpenProcess_String
    mov NtOpenProcess_addr,eax                  ; resolve and store the kernel routines that Thread patches later
    
    invoke Getaddr,offset NtOpenThread_String
    mov NtOpenThread_addr,eax
  

    invoke Getaddr,offset PsCreateSystemThread_String
    mov PsCreateSystemThread_addr,eax
    mov ecx,9
    mov esi,eax                   
    mov edi,offset PsCreateSystemThread_oldbyte   ; save the first 9 bytes of PsCreateSystemThread (DriverUnload restores them)
    rep movsb
     
    mov edx,offset ThreadHook
    sub edx,eax                                 ; distance from PsCreateSystemThread to ThreadHook
    sub edx,5                                   ; minus the 5-byte jmp itself -> rel32 for an E9 jmp
    mov dword ptr [hook],edx                    ; keep the displacement in hook
   

    mov eax,PsCreateSystemThread_addr           ; overwrite the first five bytes with jmp ThreadHook
    mov byte ptr [eax],0e9h                     ; opcode: jmp rel32
    push dword ptr [hook]
    pop dword ptr [eax+1]                       ; rel32; opcode and operand are two separate stores, not one atomic write
    
    mov eax, cr0
    or eax,10000h                               ; set CR0.WP again
    mov cr0, eax 
    sti 
    
    mov eax, pDriverObject 
    assume eax:PTR DRIVER_OBJECT 
    mov [eax].DriverUnload, offset DriverUnload ; make the driver unloadable; DriverUnload only undoes the PsCreateSystemThread patch
    assume eax:nothing

    popad 
    mov eax, STATUS_SUCCESS 
    ret 
    
DriverEntry endp 
;-----------------------------------------------------------------------
; ThreadHook -- detour reached by the jmp written over PsCreateSystemThread.
; Entered with PsCreateSystemThread's own stack frame: [esp] = return
; address, [esp+4..] = its stdcall arguments, so [esp+18h] is the 6th
; argument, StartRoutine. When the byte 4 before StartRoutine is 'e' (the
; author's fingerprint for the tessafe driver) the routine address is kept
; in threadproc, a driver base is estimated into sysbase, and the argument
; is replaced with Thread. Finally the 5 bytes the jmp displaced are
; re-executed and control continues at PsCreateSystemThread+5.
; NOTE(review): the displaced bytes are assumed to be the standard hot-patch
; prologue (mov edi,edi / push ebp / mov ebp,esp); the saved
; PsCreateSystemThread_oldbyte copy is not consulted here. [eax-4] is read
; without any validation of the pointer, and clearing CR0.WP is not needed
; for a write to the stack.
;-----------------------------------------------------------------------
ThreadHook proc
     pushad                                     ; 8 dwords = 20h bytes; the frame on entry is now at esp+20h
     mov eax,dword ptr [esp+18h+20h]            ; eax = StartRoutine argument
     cmp byte ptr [eax-4],65h ;tessafe 'e'== 65h (author's fingerprint of the target driver)
jne @F                                          ; not the target driver: pass through untouched

     cli 
        mov eax, cr0 
        and eax,0fffeffffh                      ; clear CR0.WP
        mov cr0, eax 
        mov eax,dword ptr [esp+18h+20h]
        mov threadproc,eax                      ; remember the real start routine; Thread jumps to it when done
        mov ecx,eax
        and ecx,0ffh                            ; low byte of the TX driver routine address
        add ecx,2f00h
        sub eax,ecx
        mov sysbase,eax                         ; base+2f00h+last byte == threadproc addr (author's assumption)
        mov dword ptr [esp+18h+20h],offset Thread   ; the new system thread will start in Thread instead
        mov eax, cr0
        or eax,10000h                           ; restore CR0.WP
        mov cr0, eax 
        sti

@@:     popad
        mov edi,edi                             ; re-execute the 5 bytes the jmp overwrote
     push ebp
     mov ebp,esp
     push PsCreateSystemThread_addr
     add dword ptr [esp],5                      ; continue at PsCreateSystemThread+5
     ret                                        ; tail-jump; the caller's return address is still on the stack
ThreadHook endp

;-----------------------------------------------------------------------
; Thread -- substituted system-thread start routine. Runs once in the thread
; the target driver asked for, with CR0.WP cleared and interrupts masked on
; this CPU. It scans forward from sysbase+1000h for two byte patterns and
; writes one byte through a pointer found next to each match, copies the
; saved entry bytes back over NtReadVirtualMemory, NtWriteVirtualMemory and
; the KiAttachProcess target, rewrites the rel32 of the 5-byte instruction
; at NtOpenProcess+13bh and NtOpenThread+151h to reach ObOpenObjectByPointer,
; and then tail-jumps to the original start routine (threadproc) with the
; argument frame untouched.
; NOTE(review): both scans have no upper bound -- if a pattern is absent the
; loop walks off the mapped range and faults. 1000h, 13bh, 151h and the
; patterns are specific to one build of the target driver and OS. Nothing
; written here is undone by DriverUnload.
;-----------------------------------------------------------------------
Thread proc
    
     pushad
     cli 
        mov eax, cr0 
        and eax,0fffeffffh                      ; clear CR0.WP
        mov cr0, eax

     mov eax,sysbase
     add eax,1000h                              ; narrow the range, then search for the byte pattern
@@: cmp dword ptr [eax],8b005587h              ; bytes 87 55 00 8B in memory; no upper bound on the scan
     je @F
     add eax,1
     jmp @B
@@: mov edx,dword ptr [eax-6]                  ; dword 6 bytes before the match, used as a pointer
     mov byte ptr [edx],70h                     ; patch debugproc clear 0 -- author: rewrite the first bytes of these kernel functions so TX cannot hook them
@@: cmp byte ptr [eax],0C3h                    ; keep scanning for a ret (C3)
     je @F
     add eax,1
     jmp @B
@@: mov edx,dword ptr [eax+6]                  ; dword 6 bytes after the ret, used as a pointer
     mov byte ptr [edx],0                       ; patch mon Ntopenprocess (author's note)
        
        mov ecx,9                               ; put back the 9 saved bytes of NtReadVirtualMemory
     mov edi,NtReadVirtualMemory_addr
        mov esi,offset NtReadVirtualMemory_oldbyte
        rep movsb

     mov ecx,9                                  ; ... and of NtWriteVirtualMemory
     mov edi,NtWriteVirtualMemory_addr
        mov esi,offset NtWriteVirtualMemory_oldbyte
        rep movsb
        
        mov ecx,9                               ; ... and of the KiAttachProcess target
        mov edi,KiAttachProcess_addr
        mov esi,offset KiAttachProcess_oldbyte
        rep movsb
        
        ;mov ecx,9                              ; restoring PsCreateSystemThread is left to DriverUnload
        ;mov edi,PsCreateSystemThread_addr 
        ;mov esi,offset PsCreateSystemThread_oldbyte
        ;rep movsb

     mov eax,NtOpenProcess_addr
     add eax,13bh                               ; 5-byte rel32 instruction inside NtOpenProcess (build-specific offset)
     mov edx,ObOpenObjectByPointer_addr
     sub edx,eax
     sub edx,5                                  ; rel32 = target - (insn + 5)
     mov dword ptr [eax+1],edx                  ; retarget it to ObOpenObjectByPointer

     mov eax,NtOpenThread_addr
     add eax,151h                               ; same for the instruction inside NtOpenThread
     mov edx,ObOpenObjectByPointer_addr
     sub edx,eax
     sub edx,5
     mov dword ptr [eax+1],edx

        mov eax, cr0
        or eax,10000h                           ; restore CR0.WP
        mov cr0, eax 
        sti 
     
     popad
     push threadproc
     ret                                        ; tail-jump to the original start routine with the same stack

Thread endp

;-----------------------------------------------------------------------
; VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
; Copies the 9 bytes saved in PsCreateSystemThread_oldbyte back over the
; entry of PsCreateSystemThread, removing the jmp to ThreadHook.
; NOTE(review): nothing else is undone -- the byte writes and rel32 rewrites
; made in Thread stay in place -- and there is no synchronization with a
; thread that may be executing inside ThreadHook at this moment, so an
; unload while the hook is live can fault once this image is unmapped.
;-----------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT

     pushad
     cli 
        mov eax, cr0 
        and eax,0fffeffffh                      ; clear CR0.WP
        mov cr0, eax 
        
        mov ecx,9
        mov edi,PsCreateSystemThread_addr 
        mov esi,offset PsCreateSystemThread_oldbyte
        rep movsb                               ; restore the original entry bytes
        
        mov eax, cr0
        or eax,10000h                           ; restore CR0.WP
        mov cr0, eax 
        sti 
        popad
        ret

DriverUnload endp 
end DriverEntry
