#include "headers.h"
// Layout this file assumes for one entry of the kernel's PiDDB cache table
// (the AVL table resolved in clean_piddb_cache). The list links come first,
// which is why LIST_ENTRY pointers are cast directly to piddbcache* below.
// NOTE(review): this mirrors an undocumented internal structure; member
// offsets are OS-build specific and nothing in this file validates them
// before reading or writing through them.
struct piddbcache
{
LIST_ENTRY List; // forward/backward links walked via Flink in clean_piddb_cache
UNICODE_STRING DriverName; // overwritten for entries whose timestamp matches
ULONG TimeDateStamp; // PE link timestamp compared against the hard-coded values
NTSTATUS LoadStatus; // not read anywhere in this file
char _0x0028[16]; // presumably padding to the assumed entry size; unused here
};
// Local redeclaration of one record returned by
// ZwQuerySystemInformation(SystemModuleInformation). Only ImageBase,
// ImageSize and FullPathName are read in this file (to locate ntoskrnl).
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase; // used as the lower bound of the signature scans
ULONG ImageSize; // used as the length of the signature scans
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[256]; // compared with strcmp against the ntoskrnl path
} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
// Header of the SystemModuleInformation buffer. Modules[1] is the usual
// variable-length-array idiom: NumberOfModules records actually follow,
// and callers in this file index past the declared bound on purpose.
typedef struct _RTL_PROCESS_MODULES
{
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
// Masked byte-pattern scan over [start, start + length).
// pattern: the bytes to look for; mask: one character per pattern byte,
// '?' = wildcard, anything else = exact match. The pattern length is taken
// from strlen(mask), so the two must be the same length.
// Returns the first matching address cast to t, or (t)nullptr if none.
// NOTE(review): `length - pattern_length` is unsigned arithmetic; when
// length < pattern_length it wraps and the outer loop runs far beyond the
// buffer. MmIsAddressValid is consulted per byte, but it only reports whether
// the page is currently accessible, not that the byte belongs to the range
// the caller intended to scan.
template <typename t = void*>
t find_pattern(void* start, size_t length, const char* pattern, const char* mask) {
const auto data = static_cast<const char*>(start);
const auto pattern_length = strlen(mask);
for (size_t i = 0; i <= length - pattern_length; i++)
{
bool accumulative_found = true;
for (size_t j = 0; j < pattern_length; j++)
{
// Skip candidates whose bytes are not mapped instead of faulting in kernel mode.
if (!MmIsAddressValid(reinterpret_cast<void*>(reinterpret_cast<uintptr_t>(data) + i + j)))
{
accumulative_found = false;
break;
}
// Mismatch only counts where the mask demands an exact byte.
if (data[i + j] != pattern[j] && mask[j] != '?')
{
accumulative_found = false;
break;
}
}
if (accumulative_found)
{
return (t)(reinterpret_cast<uintptr_t>(data) + i);
}
}
return (t)nullptr;
}
// Resolves a RIP-relative (disp32) operand.
// address: start of the instruction; offset: byte offset of the 4-byte
// displacement inside it (3 in the call sites of this file).
// Returns address + offset + 4 + displacement, i.e. the location the
// instruction refers to, or 0 when address is 0. The intermediate sum is
// truncated to int exactly as the original expression does.
uintptr_t dereference(uintptr_t address, unsigned int offset) {
    if (address == 0) {
        return 0;
    }
    // Signed 32-bit displacement stored inside the instruction.
    const int displacement = *reinterpret_cast<const int*>(address + offset);
    // The displacement is relative to the end of the 4-byte immediate.
    const int delta = static_cast<int>(displacement + offset + sizeof(int));
    return address + delta;
}
// Compares the bytes at pData against bMask under szMask.
// Each mask character covers one byte: 'x' requires an exact match, any other
// character is a wildcard. The mask's NUL terminator ends the comparison, so
// pData and bMask must both be readable for strlen(szMask) bytes.
// Returns 1 when every 'x' position matches, 0 at the first mismatch.
BOOLEAN bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    while (*szMask != 0)
    {
        const bool must_match = (*szMask == 'x');
        if (must_match && *pData != *bMask)
        {
            return 0;
        }
        ++szMask;
        ++pData;
        ++bMask;
    }
    // The loop only ends when the mask is exhausted, which is a full match.
    return 1;
}
// Linear scan of [dwAddress, dwAddress + dwLen) for bMask under szMask
// ('x' = must match, any other character = wildcard; see bDataCompare).
// Returns the address of the first match, or 0 if none.
// NOTE(review): the loop bound does not subtract the mask length, so the last
// strlen(szMask)-1 candidate positions compare bytes beyond dwAddress + dwLen.
// Unlike find_pattern there is no MmIsAddressValid check, so an unmapped page
// just past the range would fault in kernel mode.
UINT64 FindPattern(UINT64 dwAddress, UINT64 dwLen, BYTE* bMask, char* szMask)
{
for (UINT64 i = 0; i < dwLen; i++)
if (bDataCompare((BYTE*)(dwAddress + i), bMask, szMask))
return (UINT64)(dwAddress + i);
return 0;
}
// Same scan as FindPattern, returning the match as PVOID (0 when none).
// NOTE(review): shares FindPattern's unbounded tail: candidates within
// strlen(szMask)-1 bytes of the end read past dwAddress + dwLen. Not called
// anywhere in this file.
PVOID FindPatternPvoid(UINT64 dwAddress, UINT64 dwLen, BYTE* bMask, char* szMask)
{
for (UINT64 i = 0; i < dwLen; i++)
if (bDataCompare((BYTE*)(dwAddress + i), bMask, szMask))
return (PVOID)(dwAddress + i);
return 0;
}
// Replaces the kernel's MmUnloadedDrivers array with a freshly zeroed buffer,
// discarding the record of drivers that were previously unloaded.
// Returns TRUE on success; FALSE when the module list cannot be obtained,
// ntoskrnl is not found, the signature does not match, or the new buffer
// cannot be allocated.
// Defender note: an all-zero MmUnloadedDrivers array on a machine that has
// unloaded drivers, and a NonPagedPoolNx allocation tagged 'g53a' of size
// 0x7D0, are the residue this routine leaves in memory.
BOOLEAN CleanUnloadedDrivers()
{
ULONG bytes = 0;
// First call only sizes the buffer; its status is overwritten below.
NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, 0, bytes, &bytes);
if (!bytes)
{
return FALSE;
}
// NOTE(review): the allocation is not null-checked before being passed to the query.
PRTL_PROCESS_MODULES modules = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, bytes, 'g53a');
status = ZwQuerySystemInformation(SystemModuleInformation, modules, bytes, &bytes);
if (!NT_SUCCESS(status))
{
// NOTE(review): returns without freeing `modules` - pool leak on this path.
return FALSE;
}
PRTL_PROCESS_MODULE_INFORMATION module = modules->Modules;
UINT64 ntoskrnlBase = 0, ntoskrnlSize = 0;
// Locate ntoskrnl by full path; its image bounds limit the signature scan.
for (ULONG i = 0; i < modules->NumberOfModules; i++)
{
if (!strcmp((char*)module[i].FullPathName, "\\SystemRoot\\system32\\ntoskrnl.exe"))
{
ntoskrnlBase = (UINT64)module[i].ImageBase;
ntoskrnlSize = (UINT64)module[i].ImageSize;
break;
}
}
if (modules)
ExFreePoolWithTag(modules, 0); // NOTE(review): tag 0 does not match the 'g53a' used at allocation
// ntoskrnlBase is unsigned, so this only rejects 0 (ntoskrnl not found).
if (ntoskrnlBase <= 0)
{
return FALSE;
}
// NOTE: 4C 8B ? ? ? ? ? 4C 8B C9 4D 85 ? 74 + 3] + current signature address = MmUnloadedDrivers
// The mask length is 14, so the scan above reads up to 13 bytes past the
// image end on the last candidates (see FindPattern).
UINT64 mmUnloadedDriversPtr = FindPattern((UINT64)ntoskrnlBase, (UINT64)ntoskrnlSize, (BYTE*)"\x4C\x8B\x00\x00\x00\x00\x00\x4C\x8B\xC9\x4D\x85\x00\x74", "xx?????xxxxx?x");
if (!mmUnloadedDriversPtr)
{
return FALSE;
}
// RIP-relative resolve of the first matched instruction: its 4-byte
// displacement sits at +3 and the instruction is 7 bytes long, so the
// referenced address is match + 7 + disp32.
UINT64 mmUnloadedDrivers = (UINT64)((PUCHAR)mmUnloadedDriversPtr + *(PULONG)((PUCHAR)mmUnloadedDriversPtr + 3) + 7);
// Pointer to the live array; it is released after the swap below.
UINT64 bufferPtr = *(UINT64*)mmUnloadedDrivers;
// NOTE: 0x7D0 is the size of the MmUnloadedDrivers array for win 7 and above
PVOID newBuffer = ExAllocatePoolWithTag(NonPagedPoolNx, 0x7D0, 'g53a');
if (!newBuffer)
return FALSE;
memset(newBuffer, 0, 0x7D0);
// NOTE: replace MmUnloadedDrivers
// NOTE(review): the pointer is swapped with no synchronization against
// concurrent kernel use of the array.
*(UINT64*)mmUnloadedDrivers = (UINT64)newBuffer;
// NOTE: clean the old buffer
// NOTE(review): 'g53a' is this driver's tag, not the tag the kernel
// allocated the original array with (the trailing comment says 'MmDT');
// mismatched tags can be reported as a pool violation under Driver Verifier.
ExFreePoolWithTag((PVOID)bufferPtr, 'g53a'); // 'MmDT'
return TRUE;
}
// Rewrites entries of the kernel's PiDDB cache table whose TimeDateStamp is
// one of two hard-coded values, replacing both the timestamp and the driver
// name. Two alternative signatures are tried to locate the table; on either
// hit the same edit is applied (the two branches below are duplicates).
// No return value and no error reporting: every failure path is silent.
// Defender note: cache entries named "allah5635.sys" or stamped 0x57EAC1
// (plus a small per-entry increment) are the residue this routine leaves.
// NOTE(review): unlike CleanUnloadedDrivers, nothing here checks the query
// status, the pool allocation, or that ntoskrnl was actually found; with
// ntoskrnlBase == 0 the scan starts at address 0 with ntoskrnlSize == 0,
// which underflows the bound in find_pattern.
void clean_piddb_cache() {
ULONG bytes = 0;
// Sizing call; status is never examined.
NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, 0, bytes, &bytes);
// NOTE(review): no null check before modules->Modules is dereferenced below.
PRTL_PROCESS_MODULES modules = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, bytes, 'g53a'); // 'ENON'
status = ZwQuerySystemInformation(SystemModuleInformation, modules, bytes, &bytes);
PRTL_PROCESS_MODULE_INFORMATION module = modules->Modules;
UINT64 ntoskrnlBase = 0, ntoskrnlSize = 0;
// Locate ntoskrnl by full path; its image bounds limit the signature scans.
for (ULONG i = 0; i < modules->NumberOfModules; i++)
{
if (!strcmp((char*)module[i].FullPathName, "\\SystemRoot\\system32\\ntoskrnl.exe"))
{
ntoskrnlBase = (UINT64)module[i].ImageBase;
ntoskrnlSize = (UINT64)module[i].ImageSize;
break;
}
}
if (modules)
ExFreePoolWithTag(modules, 0); // NOTE(review): tag 0 does not match the 'g53a' used at allocation
PRTL_AVL_TABLE PiDDBCacheTable;
// First signature: the table address is the RIP-relative operand at +3 of
// the matched instruction (see dereference).
PiDDBCacheTable = (PRTL_AVL_TABLE)dereference(find_pattern<uintptr_t>((void*)ntoskrnlBase, ntoskrnlSize, "\x48\x8D\x0D\x00\x00\x00\x00\x4C\x89\x35\x00\x00\x00\x00\x49\x8B\xE9", "xxx????xxx????xxx"), 3);
if (!PiDDBCacheTable)
{
// Fallback signature for builds where the first one does not match.
PiDDBCacheTable = (PRTL_AVL_TABLE)dereference(find_pattern<uintptr_t>((void*)ntoskrnlBase, ntoskrnlSize, "\x48\x8D\x0D\x00\x00\x00\x00\x4C\x89\x35\x00\x00\x00\x00\xBB\x00\x00\x00\x00", "xxx????xxx????x????"), 3);
if (!PiDDBCacheTable)
{
// Neither signature matched: nothing is done and nothing is reported.
}
else
{
// The first entry is taken to sit right after the root's RTL_BALANCED_LINKS
// header; the piddbcache layout is assumed, not validated.
uintptr_t entry_address = uintptr_t(PiDDBCacheTable->BalancedRoot.RightChild) + sizeof(RTL_BALANCED_LINKS);
piddbcache* entry = (piddbcache*)(entry_address);
/*capcom.sys(drvmap) : 0x57CD1415 iqvw64e.sys(kdmapper) : 0x5284EAC3*/
if (entry->TimeDateStamp == 0x57CD1415 || entry->TimeDateStamp == 0x5284EAC3) {
entry->TimeDateStamp = 0x57EAC1; //change timestamp
entry->DriverName = RTL_CONSTANT_STRING(L"allah5635.sys"); //change driver name
}
ULONG count = 0;
// Walk the list from the entry's Flink; the loop stops when it reaches the
// entry's Blink, so that element itself is not visited. LIST_ENTRY* is cast
// to piddbcache* directly, which relies on List being the first member.
// NOTE(review): the table and list are modified with no synchronization
// against concurrent kernel access.
for (auto link = entry->List.Flink; link != entry->List.Blink; link = link->Flink, count++)
{
piddbcache* cache_entry = (piddbcache*)(link);
if (cache_entry->TimeDateStamp == 0x57CD1415 || cache_entry->TimeDateStamp == 0x5284EAC3) {
cache_entry->TimeDateStamp = 0x57EAC1 + count; // count keeps rewritten stamps distinct
cache_entry->DriverName = RTL_CONSTANT_STRING(L"allah5635.sys");
}
//DbgPrint("cache_entry count: %lu name: %wZ \t\t stamp: %x\n", count, cache_entry->DriverName, cache_entry->TimeDateStamp);
}
}
}
else
{
// Same edit as the fallback branch above (duplicated code).
uintptr_t entry_address = uintptr_t(PiDDBCacheTable->BalancedRoot.RightChild) + sizeof(RTL_BALANCED_LINKS);
piddbcache* entry = (piddbcache*)(entry_address);
/*capcom.sys(drvmap) : 0x57CD1415 iqvw64e.sys(kdmapper) : 0x5284EAC3*/
if (entry->TimeDateStamp == 0x57CD1415 || entry->TimeDateStamp == 0x5284EAC3) {
entry->TimeDateStamp = 0x57EAC1; //change timestamp
entry->DriverName = RTL_CONSTANT_STRING(L"allah5635.sys"); //change driver name
}
ULONG count = 0;
// See the comment on the identical loop above: stops before Blink, no locking.
for (auto link = entry->List.Flink; link != entry->List.Blink; link = link->Flink, count++)
{
piddbcache* cache_entry = (piddbcache*)(link);
if (cache_entry->TimeDateStamp == 0x57CD1415 || cache_entry->TimeDateStamp == 0x5284EAC3) {
cache_entry->TimeDateStamp = 0x57EAC1 + count; // count keeps rewritten stamps distinct
cache_entry->DriverName = RTL_CONSTANT_STRING(L"allah5635.sys");
}
//DbgPrint("cache_entry count: %lu name: %wZ \t\t stamp: %x\n", count, cache_entry->DriverName, cache_entry->TimeDateStamp);
}
}
}