dnf过保护.doc

广海原文如下： #include ntddk.h #define ThreadLength 0x190 //要保存的 NtOpenThread 原代码的长度 #define ProcessLength 0x184 //要保存的 NtOpenProcess 原代码的长度 #define DeviceLink L\\Device\\DNFCracker #define SymbolicLink L\\DosDevices\\DNFCracker #define IOCTL_RESTORE (ULONG)CTL_CODE(FILE_DEVICE_UNKNOWN, 0x886, METHOD_BUFFERED, FILE_ANY_ACCESS) typedef NTSTATUS (* NTOPENTHREAD)( OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN OPTIONAL PCLIENT_ID ClientId ); typedef NTSTATUS (* NTOPENPROCESS)( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId ); typedef struct _SERVICE_DESCRIPTOR_TABLE { PVOID ServiceTableBase; PULONG ServiceCounterTableBase; ULONG NumberOfService; ULONG ParamTableBase; } SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE; extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable; VOID Hook(); VOID Unhook(); NTOPENTHREAD OldThread; NTOPENPROCESS OldProcess; ULONG AddrRead, AddrWrite; //原 NtReadVirtualMemory/NtWriteVirtualMemory 的前 16 字节代码 ULONG OrgRead[2], OrgWrite[2]; //保存 NtOpenThread/NtOpenProcess 代码 UCHAR MyThread[ThreadLength], MyProcess[ProcessLength]; NTSTATUS MyNtOpenThread( PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId) { ACCESS_MASK oDA; OBJECT_ATTRIBUTES oOA; CLIENT_ID oCID; NTSTATUS statusF, statusT; oDA = DesiredAccess; oOA = *ObjectAttributes; oCID = *ClientId; statusF = OldThread(ThreadHandle, oDA, oOA, oCID); statusT = ((NTOPENTHREAD)MyThread)(ThreadHandle, DesiredAccess, ObjectAttributes, ClientId); return statusT; } NTSTATUS MyNtOpenProcess( PHANDLE ProcessHandle, ACCES