老版本(BE)只需注册一个对象回调(ObRegisterCallbacks 的 pre-operation 回调,见下方代码)即可全系统读写。
处理代码:

// Pre-operation object callback (ObRegisterCallbacks). For every handle
// CREATE on a process whose image name compares equal (case-insensitive)
// to "TslGame.exe", the requested access mask is overwritten with 0x1F1FFF
// (STANDARD_RIGHTS_ALL plus the process-specific rights up to
// PROCESS_QUERY_LIMITED_INFORMATION). Every other operation is passed
// through untouched.
//
// Caveats for anyone reusing this:
//  - It grants that full mask to *any* caller opening the process, not just
//    the driver's own client; there is no check on the requesting process.
//  - Only OB_OPERATION_HANDLE_CREATE is rewritten; HANDLE_DUPLICATE is not.
//  - Other registered callbacks may run after this one and presumably can
//    strip rights again (the page reports VM read/write being removed).
//  - PsGetProcessImageFileName is an undocumented export that returns the
//    short image name only; matching on it is spoofable by renaming.
OB_PREOP_CALLBACK_STATUS preCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
    UNREFERENCED_PARAMETER(RegistrationContext);

    // Only process objects are of interest; thread objects etc. pass through.
    const BOOLEAN isProcessObject = (pOperationInformation->ObjectType == *PsProcessType);
    if (isProcessObject)
    {
        const char *imageName = PsGetProcessImageFileName((PEPROCESS)pOperationInformation->Object);
        const BOOLEAN isTargetImage = (_stricmp("TslGame.exe", imageName) == 0);
        const BOOLEAN isHandleCreate = (pOperationInformation->Operation == OB_OPERATION_HANDLE_CREATE);

        if (isTargetImage && isHandleCreate)
        {
            // Force the access mask regardless of what the opener asked for.
            pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0x1F1FFF;
        }
    }

    // OB_PREOP_SUCCESS is the only status a pre-op callback may return.
    return OB_PREOP_SUCCESS;
}

前几日 BE 更新后发现已无法读写目标进程内存、获取进程信息等。

Process Hacker查看句柄发现:
0x1f1fff (Query information, Set information, Set quotas, Set session ID, Create threads, Create processes, VM operation, Duplicate handles, Suspend/resume, Terminate, Synchronize, Delete, Read control, Write DAC, Write owner)

少了 VM read 和 VM write(即 PROCESS_VM_READ / PROCESS_VM_WRITE 这两位,虽然回调中设置的 0x1F1FFF 包含它们,但最终句柄上已被去掉)。

简单处理方法:
2292 0xFFFFFA8005C8FB60 0x0000000000000000 9 0xFFFFF8800604E660 BEDaisy.sys 2326 等待
在内核中结束掉由 BE 驱动(BEDaisy.sys)创建的线程即可(上一行即为该线程的信息)。
底层基础不好,未做仔细分析。

代码如下:

// System-thread routine. Once per second it looks for threads running in the
// System process whose start address IsBeMod() attributes to BEDaisy.sys and
// terminates them via KillThread(), until the iskillthread flag asks this
// thread itself to exit.
//
// Depends on file-level helpers and globals that are not visible here:
// GetStartAddressOffset, DEF_StartAddress_Offset, GetKernelBase, bebase,
// besize, GetThreadStartAdr, IsBeMod, KillThread, MySleep, iskillthread.
// Their exact semantics (e.g. whether KillThread blocks, whether GetKernelBase
// zeroes besize on failure) cannot be confirmed from this listing.
//
// NOTE(review): terminating another driver's worker threads from the kernel
// leaves whatever locks/resources they held in an undefined state; a bugcheck
// or hang is a realistic outcome. The Nothing parameter is unused.
VOID PassBeThread(IN PVOID Nothing)
{
// Offset of the start-address field in ETHREAD, resolved at runtime
// (presumably OS-version dependent). A zero offset aborts the routine.
DEF_StartAddress_Offset = GetStartAddressOffset();
if (!DEF_StartAddress_Offset)
{
DbgPrint("Error offset\n");
return;
}
// Main polling loop; only leaves via PsTerminateSystemThread below.
while (TRUE)
{
// Locate the BE driver image; the scan below is skipped while it is not loaded.
bebase = GetKernelBase(&besize, "BEDaisy.sys");
if (bebase)
{
KdPrint(("be mod[%p %.8x]\n", bebase, besize));
PETHREAD ethread = NULL;
// Brute-force thread IDs (handle-table IDs are multiples of 4) up to 0x40000.
for (ULONG i = 4; i < 0x40000; i = i + 4)
{
// On failure ethread is not written, and the iteration is skipped.
if (!NT_SUCCESS(PsLookupThreadByThreadId((HANDLE)i, &ethread)))
{
continue;
}
if (ethread != NULL)
{
// A successful lookup returns a referenced ETHREAD; it is released
// on both exit paths of this block.
PEPROCESS eprocess = PsGetThreadProcess(ethread);
char *szName = PsGetProcessImageFileName(eprocess);
PVOID startadr = GetThreadStartAdr(ethread);
// Target: a System-process thread whose start address lies in BEDaisy.sys.
if (!_stricmp(szName, "System") && IsBeMod(startadr))
{
KdPrint(("%s %p %p\n", szName, ethread, startadr));
KillThread(ethread);
ObDereferenceObject(ethread);
// Only the first match per scan is killed; the next pass (one second
// later) picks up any remaining threads.
break;
}
ObDereferenceObject(ethread);
}
}
}
MySleep(1000);
// Cooperative shutdown: an external writer sets iskillthread to 1; this
// thread acknowledges with 2 and terminates itself.
if (iskillthread == 1)
{
KdPrint(("kill my thread!\n"));
iskillthread = 2;
PsTerminateSystemThread(STATUS_SUCCESS);
}
}
}

至此即可做任何操作。


2017-12-10
