#pragma warning( disable: 4100 4103)
#include "deepkernel.h"
#include "DBKFunc.h"
#include <windef.h>
#include "vmxhelper.h"
/*
 * MakeWritableKM - clear write protection on the kernel-mode range
 * [StartAddress, StartAddress+size) by setting the RW bit directly in the
 * live page-table entries (32-bit build only; compiled out on AMD64).
 *
 * Layout assumption (from the formulas below): an x86 self-map with the page
 * tables at 0xc0000000 and the page directory at 0xc0300000. PTESize comes
 * from the header and is presumably 4 for a non-PAE build -- TODO confirm; a
 * PAE layout would need a different PDE base.
 *
 * Returns TRUE on x86 after walking the range (every step is best-effort and
 * nothing is reported back), FALSE on AMD64.
 *
 * NOTE(review): StartAddress/size are not validated and StartAddress+size is
 * not checked for wraparound; a wrapped end address just ends the loop early
 * and the function still reports TRUE.
 * NOTE(review): PTE is computed from CurrentAddress and then immediately
 * overwritten with the value for StartAddress (see the loop body), so for
 * 4k pages the same PTE is rewritten on every iteration while only
 * CurrentAddress advances -- looks unintended, left as-is here.
 */
BOOLEAN MakeWritableKM(PVOID StartAddress,UINT_PTR size)
{
#ifndef AMD64
UINT_PTR PTE,PDE;
struct PTEStruct *x;
UINT_PTR CurrentAddress=(UINT_PTR)StartAddress;
while (CurrentAddress<((UINT_PTR)StartAddress+size))
{
//find the PTE or PDE of the selected address
PTE=(UINT_PTR)CurrentAddress;
PTE=PTE/0x1000*PTESize+0xc0000000;
//NOTE(review): the next two lines discard the CurrentAddress-based PTE computed just above
PTE=(UINT_PTR)StartAddress;
PTE=PTE/0x1000*PTESize+0xc0000000;
//now check if the address in PTE is valid by checking the page table directory at 0xc0300000 (same location as CR3 btw)
PDE=PTE/0x1000*PTESize+0xc0000000; //same formula, applied to the PTE's own address, gives its PDE through the self-map
x=(PVOID)PDE;
if ((x->P==0) && (x->A2==0))
{
//PDE not present (and A2 clear -- A2's meaning is defined in PTEStruct, not shown here):
//skip the whole large-page region this PDE covers
CurrentAddress+=PAGE_SIZE_LARGE;
continue;
}
if (x->PS==1)
{
//big page, no pte: the PDE itself carries the RW bit
x->RW=1;
CurrentAddress+=PAGE_SIZE_LARGE;
continue;
}
//normal 4k page: advance first, then check/patch the (StartAddress-derived, see note) PTE
CurrentAddress+=0x1000;
x=(PVOID)PTE;
if ((x->P==0) && (x->A2==0))
continue; //see the PDE case above for the explanation
x->RW=1;
}
return TRUE;
#else
return FALSE;
#endif
}
/*
 * MakeWritable - clear write protection on the user-mode range
 * [StartAddress, StartAddress+size) of the current process by editing its
 * page-table entries through the self-map at 0xc0000000 (32-bit build only;
 * compiled out on AMD64).
 *
 * StartAddress/size: range to modify, walked in 0x1000 steps (4k pages are
 *                    assumed, see the author's comment below).
 * usecopyonwrite:    if TRUE, set the entry's A1 bit (which the author treats
 *                    as copy-on-write) instead of RW -- A1's semantics live
 *                    in PTEStruct, not shown here.
 *
 * If any part of the range is at or above 0x80000000 the whole request is
 * delegated to MakeWritableKM. Returns TRUE on x86 regardless of how many
 * pages were actually changed; FALSE on AMD64.
 *
 * NOTE(review): (UINT_PTR)StartAddress+size is not checked for wraparound; if
 * it wraps, the kernel-mode guard passes, the loop runs zero times and the
 * function still reports TRUE.
 * NOTE(review): __except(1) is EXCEPTION_EXECUTE_HANDLER, so every exception
 * raised while touching a page is swallowed and that page is silently
 * skipped with no indication to the caller.
 */
BOOLEAN MakeWritable(PVOID StartAddress,UINT_PTR size,BOOLEAN usecopyonwrite)
{
#ifndef AMD64
struct PTEStruct *x;
unsigned char y;
UINT_PTR CurrentAddress=(UINT_PTR)StartAddress;
//Makes usermode <0x80000000 writable
if (((UINT_PTR)StartAddress>=0x80000000) || ((UINT_PTR)StartAddress+size>=0x80000000))
return MakeWritableKM(StartAddress,size); //safety check: don't do kernelmemory with this routine
//4kb pages (assumption, I know, but thats the system i'm working with)
//PTE/0x1000*4+0xc0000000;
while (CurrentAddress<((UINT_PTR)StartAddress+size))
{
__try
{
y=*(PCHAR)CurrentAddress; //deliberately discarded read: page it in if it wasn't loaded already (BSOD if kernelmode address)
x=(PVOID)(CurrentAddress/0x1000*PTESize+0xc0000000); //PTE of CurrentAddress via the self-map
if (x->RW==0) //if it's read only then
{
if (usecopyonwrite)
x->A1=1; //set the copy-on-write bit to 1
else
x->RW=1; //just writable
}
}
__except(1)
{
//ignore and continue (page could not be touched; it stays as it was)
}
CurrentAddress+=0x1000;
}
return TRUE;
#else
return FALSE;
#endif
}
//this unit will contain the functions and other crap used by the hider function
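/*
 * CheckImageName - report whether FullImageName ends with one of the entries
 * in List (32-bit build only; always FALSE on AMD64 where the body is
 * compiled out).
 *
 * FullImageName: image path as a UNICODE_STRING; converted to ANSI and
 *                uppercased in place before comparing.
 * List:          UPPERCASE entries separated by '\0' markers; listsize is the
 *                number of bytes of List to scan. An entry is only compared
 *                once its trailing '\0' has been seen, so List must end with
 *                a '\0' for the last entry to count (preexisting contract).
 *
 * Returns TRUE on the first suffix match, FALSE otherwise. The converted
 * string is released in __finally on every path, including the early return.
 *
 * Changes from the previous version: the "does the entry fit" check now runs
 * BEFORE Buffer[Length-modulesize] is formed (it used to be indexed for the
 * DbgPrint first, which could read before the start of Buffer), and empty
 * entries (e.g. a doubled '\0') are skipped because an empty suffix would
 * match every image.
 */
BOOLEAN CheckImageName(IN PUNICODE_STRING FullImageName, IN char* List,int listsize)
{
#ifndef AMD64
/*
pre:List has been initialized and all entries are UPPERCASE. Each entry is separated
by a 0-marker so just setting the pointer to the start and doing a compare will work
*/
ANSI_STRING tempstring;
int i;
DbgPrint("Checking this image name...\n");
RtlZeroMemory(&tempstring,sizeof(ANSI_STRING));
if (RtlUnicodeStringToAnsiString(&tempstring,FullImageName,TRUE)== STATUS_SUCCESS)
{
char *p;
INT_PTR modulesize;
__try
{
RtlUpperString(&tempstring,&tempstring); //in place, to match the UPPERCASE precondition on List
p=List;
for (i=0;i<listsize;i++)
{
if (List[i]=='\0')
{
modulesize=i-(INT_PTR)(p-List); //length of the entry that p points at
//Only compare non-empty entries that fit inside the converted name; the bounds
//check must precede forming the suffix pointer so Length-modulesize cannot go negative.
if ((modulesize>0) && ((INT_PTR)tempstring.Length>=modulesize))
{
char *suffix=&tempstring.Buffer[tempstring.Length-modulesize];
DbgPrint("Checking %s with %s\n",suffix,p);
if (strcmp(p,suffix)==0)
{
//we have a match!!!
DbgPrint("It's a match with %s\n",p);
return TRUE; //__finally below still releases tempstring
}
}
p=&List[i+1]; //next entry starts right after the marker
}
}
}
__finally
{
RtlFreeAnsiString(&tempstring);
}
}
DbgPrint("No match\n");
#endif
return FALSE;
}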
/*
 * LoadImageNotifyRoutine - has the shape of a load-image notify callback
 * (image name, process id, image info). The body is intentionally empty in
 * this file: it does nothing with its parameters (unreferenced-parameter
 * warning 4100 is disabled at the top of the file).
 */
VOID LoadImageNotifyRoutine(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo)
{
}