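/*
 * Layout of the hook block at g_pSSDT_NumberOfServices, expressed as DWORD
 * indices. Only the three regions below are touched by this function. The
 * block is prepared by sub_1AA16(g_dwSSDT_NumberOfServices); its exact size
 * and whatever lives at index 0..1001 are not visible here.
 */
enum {
    HOOK_NATIVE_BASE  = 1002,  /* + native SSDT service index  -> hook routine */
    HOOK_SHADOW_BASE  = 3004,  /* + (shadow service number & 0xFFF) -> hook routine */
    HOOK_FLAG_BASE    = 4005,  /* + native SSDT service index  -> flag, written as 1 */
    SHADOW_INDEX_MASK = 0xFFF
};

/*
 * Record the hook routine for one native SSDT service.
 * A service ID that was never resolved elsewhere (anything at or beyond
 * NumberOfServices) is not a valid table index and is skipped instead of
 * being written outside the block.
 */
static void set_native_hook(_DWORD service_index, PVOID hook)
{
    if (service_index >= g_dwSSDT_NumberOfServices)
        return;
    ((_DWORD *)g_pSSDT_NumberOfServices)[HOOK_NATIVE_BASE + service_index] = (_DWORD)hook;
}

/*
 * Record the hook routine for one win32k (shadow table) service.
 * NOTE(review): the & 0xFFF presumably strips the table-selector bits of a
 * shadow-table service number. The shadow table's size is not visible in
 * this function, so no upper bound is applied here — confirm against the
 * allocation done in sub_1AA16 before relying on it.
 */
static void set_shadow_hook(_DWORD service_number, PVOID hook)
{
    ((_DWORD *)g_pSSDT_NumberOfServices)[HOOK_SHADOW_BASE + (service_number & SHADOW_INDEX_MASK)] = (_DWORD)hook;
}

/*
 * Set the per-service flag of one native SSDT service to 1. What the flag
 * means is decided by code outside this function; same bounds rule as
 * set_native_hook().
 */
static void set_native_flag(_DWORD service_index)
{
    if (service_index >= g_dwSSDT_NumberOfServices)
        return;
    ((_DWORD *)g_pSSDT_NumberOfServices)[HOOK_FLAG_BASE + service_index] = 1;
}

/*
 * sub_1BCCE — locate the native SSDT, fill the driver's hook table and
 * activate it.
 *
 * Order of operations (all state ends up in the g_* globals):
 *   1. Find win32k.sys (base and size); if it is loaded, sub_1AA8E() must
 *      succeed.
 *   2. Resolve KeServiceDescriptorTable by name, check it is a valid
 *      address, then read ServiceTableBase (offset 0) and NumberOfServices
 *      (offset 8) — 32-bit x86 field offsets.
 *   3. sub_1AA16(NumberOfServices) prepares the block at
 *      g_pSSDT_NumberOfServices.
 *   4. Fill that block: one hook routine per service of interest, for the
 *      native table and for the win32k (shadow) table.
 *   5. sub_1A838() — presumably the step that actually activates the hooks;
 *      on failure the block is released and the call fails.
 *   6. Register a process-creation callback; when win32k.sys is present,
 *      run sub_1B38A() while attached to csrss, otherwise flag
 *      ZwSetSystemInformation instead.
 *
 * Returns 0 on success, or -1073741823 (0xC0000001, STATUS_UNSUCCESSFUL)
 * when any lookup in steps 1–5 fails. The table contents are an analyst's
 * inventory of which system services this driver intercepts.
 */
signed int __cdecl sub_1BCCE()
{
    int win32k_base = 0;        /* base of win32k.sys, filled by FindModuleBaseAndSize */
    int win32k_size = 0;        /* second out-parameter; IDA named it MemoryDescriptorList, presumably the module size */
    int win32k_missing = 0;     /* 1 when win32k.sys is not loaded (v0 in the decompilation) */
    void *dwKeServiceDescriptorTable;
    HANDLE dwCsrss32Pid;
    PVOID pCsrss32EPROCESS;
    KAPC_STATE apc_state;       /* IDA showed this slot as a single char; it is the state KeStackAttachProcess fills */
    STRING DestinationString;

    if (FindModuleBaseAndSize(g_strwin32k_sys, (int)&win32k_base, (int)&win32k_size)) {
        if (!sub_1AA8E())
            return -1073741823;
    } else {
        win32k_missing = 1;
    }

    RtlInitAnsiString(&DestinationString, "KeServiceDescriptorTable");
    dwKeServiceDescriptorTable = subGetFunAddr((int)&DestinationString);
    // Recorded before validation, as in the original, so the global may hold NULL on failure.
    g_dwKeServiceDescriptorTable = (int)dwKeServiceDescriptorTable;
    if (!dwKeServiceDescriptorTable || !MmIsAddressValid(dwKeServiceDescriptorTable))
        return -1073741823;
    if (!sub_18FFA())
        return -1073741823;

    // KSERVICE_TABLE_DESCRIPTOR on x86: ServiceTableBase at +0, NumberOfServices at +8.
    g_dwSSDT_NumberOfServices = *(_DWORD *)(g_dwKeServiceDescriptorTable + 8);
    if (!g_dwSSDT_NumberOfServices)
        return -1073741823;
    g_dwSSDT_ServiceTableBase = *(_DWORD *)g_dwKeServiceDescriptorTable;
    if (!g_dwSSDT_ServiceTableBase)
        return -1073741823;
    if (!sub_1AA16(g_dwSSDT_NumberOfServices))
        return -1073741823;

    /* Native table: registry and file services. */
    set_native_hook(g_dwServiceID_ZwCreateKey, HookZwCreateKey);
    set_native_hook(g_dwServiceID_ZwQueryValueKey, hookZwQueryValueKey);
    set_native_hook(g_dwServiceID_ZwDeleteKey, hookZwDeleteKey);
    set_native_hook(g_dwServiceID_ZwDeleteValueKey, hookZwDeleteValueKey);
    set_native_hook(dword_1CF0C, sub_114DA);               /* service ID not recovered by IDA */
    set_native_hook(g_dwServiceID_ZwReplaceKey, hookZwReplaceKey);
    set_native_hook(g_dwServiceID_ZwRestoreKey, hookZwRestoreKey);
    set_native_hook(g_dwServiceID_ZwSetValueKey, hookZwSetValueKey);
    set_native_hook(g_dwServiceID_ZwCreateFile, hookZwCreateFile);
    set_native_hook(g_dwServiceID_ZwFsControlFile, hookZwFsControlFile);
    set_native_hook(g_dwServiceID_ZwSetInformationFile, hookZwSetInformationFile);
    set_native_hook(g_dwServiceID_ZwWriteFile, hookZwWriteFile);
    set_native_hook(dword_1D1B0, sub_11EC6);
    set_native_hook(dword_1CEBC, sub_1201A);
    set_native_hook(dword_1CEEC, sub_12174);
    set_native_hook(dword_1CF44, sub_122E0);

    /* Native table: process, thread, token, LPC and section services. */
    set_native_hook(g_dwServiceID_ZwOpenThread, hookZwOpenThread);
    set_native_hook(g_dwServiceID_ZwDeleteFile, hookZwDeleteFile);
    set_native_hook(g_dwServiceID_ZwOpenFile, hookZwOpenFile);
    set_native_hook(dword_1D004, sub_127AE);
    set_native_hook(dword_1CEF4, sub_128E8);
    set_native_hook(g_dwServiceID_ZwTerminateProcess, hookZwTerminateProcess);
    set_native_hook(dword_1CE20, sub_12B3E);
    set_native_hook(dword_1CE50, sub_12C74);
    set_native_hook(g_dwServiceID_ZwSetInformationThread, hookZwSetInformationThread);
    set_native_hook(dword_1CE2C, sub_12EBE);
    set_native_hook(dword_1CF58, sub_12FF4);
    set_native_hook(g_dwServiceID_ZwAdjustPrivilegesToken, hookZwAdjustPrivilegesToken);
    set_native_hook(g_dwServiceID_ZwRequestWaitReplyPort, hookZwRequestWaitReplyPort);
    set_native_hook(g_dwServiceID_ZwCreateSection, hookZwCreateSection);
    set_native_hook(g_dwServiceID_ZwOpenSection, hookZwOpenSection);
    set_native_hook(g_dwServiceID_ZwCreateSymbolicLinkObject, hookZwCreateSymbolicLinkObject);
    set_native_hook(g_dwServiceID_ZwOpenSymbolicLinkObject, hookZwOpenSymbolicLinkObject);
    set_native_hook(g_dwServiceID_ZwLoadDriver, hookZwLoadDriver);
    set_native_hook(g_dwServiceID_ZwUnloadDriver, hookZwUnloadDriver);
    set_native_hook(g_dwServiceID_ZwQuerySystemInformation, hookZwQuerySystemInformation);
    set_native_hook(g_dwServiceID_ZwSetSystemInformation, hookZwSetSystemInformation);
    set_native_hook(g_dwServiceID_ZwSetSystemTime, hookZwSetSystemTime);
    set_native_hook(dword_1CFF4, sub_13F28);

    /* win32k (shadow) table, first group. */
    set_shadow_hook(dword_1CE58, sub_14068);
    set_shadow_hook(dword_1CF68, sub_141B0);
    set_shadow_hook(dword_1CFDC, sub_142C8);
    set_shadow_hook(dword_1CF88, sub_143FC);
    set_shadow_hook(dword_1CEA4, sub_1451C);
    set_shadow_hook(dword_1CE44, sub_1470E);
    set_shadow_hook(dword_1CF1C, sub_1483C);
    set_shadow_hook(dword_1CF70, sub_14978);

    set_native_hook(g_dwServiceID_ZwOpenProcess, hookZwOpenProcess);
    set_native_hook(g_dwServiceID_ZwDeviceIoControlFile, hookZwDeviceIoControlFile);
    set_native_hook(g_dwServiceID_ZwOpenKey, hookZwOpenKey);
    set_native_hook(g_dwServiceID_ZwDuplicateObject, hookZwDuplicateObject);
    set_native_hook(dword_1CE9C, sub_14FA4);
    set_shadow_hook(dword_1CF6C, sub_150EC);
    set_native_hook(dword_1CEB8, sub_10F08);

    /* win32k (shadow) table, second group. */
    set_shadow_hook(dword_1CE6C, sub_15204);
    set_shadow_hook(dword_1CE94, sub_15336);
    set_shadow_hook(dword_1CFF0, sub_1544A);
    set_shadow_hook(dword_1CFC0, sub_1556C);
    set_shadow_hook(dword_1D1D0, sub_156AC);
    set_shadow_hook(dword_1CE04, sub_157D6);
    set_shadow_hook(dword_1CEB4, sub_15900);
    set_shadow_hook(dword_1CF24, sub_15A2E);
    set_shadow_hook(dword_1CF94, sub_15B58);
    set_shadow_hook(dword_1D000, sub_15C74);
    set_shadow_hook(dword_1CEA0, sub_15DBE);
    set_shadow_hook(dword_1CE30, sub_15EE0);
    set_shadow_hook(dword_1CF98, sub_15FFC);

    set_native_hook(dword_1CF54, sub_16118);
    set_native_hook(dword_1CFBC, sub_16230);
    set_shadow_hook(dword_1CE00, sub_16388);
    set_native_hook(dword_1CEAC, sub_164AA);
    set_native_hook(g_dwServiceID_ZwUnmapViewOfSection, hookZwUnmapViewOfSection);
    set_shadow_hook(dword_1D1C8, sub_16710);
    set_native_hook(g_dwServiceID_ZwSetSecurityObject, hookZwSetSecurityObject);
    set_shadow_hook(dword_1CFA4, sub_16980);

    // Build 2600 is Windows XP: the same shadow slot gets a build-specific routine.
    if ((_WORD)NtBuildNumber == 2600)
        set_shadow_hook(dword_1CE5C, sub_16AA2);
    else
        set_shadow_hook(dword_1CE5C, sub_16B72);

    set_shadow_hook(dword_1CFFC, sub_16C4A);
    set_shadow_hook(dword_1CE78, sub_16D5A);
    set_native_hook(g_dwServiceID_ZwAllocateVirtualMemory, hookZwAllocateVirtualMemory);
    set_shadow_hook(dword_1CE88, sub_16FA6);
    set_native_hook(dword_1CFC4, sub_171E0);
    set_native_hook(dword_1CE8C, sub_170BE);
    set_native_hook(dword_1D1C0, sub_1730C);
    set_native_hook(dword_1CDF4, sub_17424);
    set_native_hook(dword_1CEFC, sub_17558);
    set_native_hook(dword_1CF5C, sub_17694);
    set_native_hook(g_dwServiceID_ZwFreeVirtualMemory, hookZwFreeVirtualMemory);
    set_shadow_hook(dword_1CFD4, sub_178D6);
    set_shadow_hook(dword_1D1CC, sub_179F8);
    set_native_hook(g_dwServiceID_ZwEnumerateValueKey, hookZwEnumerateValueKey);
    set_native_hook(g_dwServiceID_ZwQueryKey, hookZwQueryKey);
    set_native_hook(g_dwServiceID_ZwEnumerateKey, hookZwEnumerateKey);
    set_native_hook(g_dwServiceID_ZwConnectPort, hookZwConnectPort);
    set_native_hook(g_dwServiceID_ZwSecureConnectPort, hookZwSecureConnectPort);
    set_native_hook(g_dwServiceID_ZwAlpcConnectPort, hookZwAlpcConnectPort);
    set_shadow_hook(dword_1CED0, sub_182CC);
    set_native_hook(g_dwServiceID_ZwSetTimer, hookZwSetTimer);
    set_native_flag(g_dwServiceID_ZwSetTimer);              /* ZwSetTimer is one of two services flagged */
    set_shadow_hook(dword_1CE64, sub_18528);

    if (sub_1A838() < 0) {
        ExFreePool(g_pSSDT_NumberOfServices);
        // The original left the freed pointer in the global; clearing it keeps a later
        // unload path from freeing it twice. Callers must NULL-check before ExFreePool.
        g_pSSDT_NumberOfServices = NULL;
        return -1073741823;
    }

    // Return value is ignored here as in the original; if registration fails the
    // process-creation callback simply never fires, and nothing reports that.
    PsSetCreateProcessNotifyRoutine((PCREATE_PROCESS_NOTIFY_ROUTINE)NotifyRoutine, 0);

    if (win32k_missing) {
        set_native_flag(g_dwServiceID_ZwSetSystemInformation);
        return 0;
    }

    // sub_1B38A is run in csrss's address space; a missing csrss or a failed
    // lookup is treated as success, exactly as the original did.
    dwCsrss32Pid = GetCsrssProcessId();
    if (!dwCsrss32Pid)
        return 0;
    if (PsLookupProcessByProcessId(dwCsrss32Pid, &pCsrss32EPROCESS) < 0)
        return 0;
    KeStackAttachProcess(pCsrss32EPROCESS, &apc_state);
    sub_1B38A(win32k_base, win32k_size);
    KeUnstackDetachProcess(&apc_state);
    ObfDereferenceObject(pCsrss32EPROCESS);   /* balances the reference taken by PsLookupProcessByProcessId */
    return 0;
}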