直接贴代码
需要注意 g_PromotePid 以及 ustrAltitude 这两处需要修改一下
ustrAltitude找个ARK工具比如pchunter看一下反作弊挂的钩子层级是多少,比它低就行
#include <ntifs.h>
PVOID g_RegisterCallBackHandle = NULL;
HANDLE g_PromotePid = NULL;
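/*
 * Driver unload routine (installed as pObj->DriverUnload in DriverEntry).
 *
 * Tears down the ObRegisterCallbacks registration if DriverEntry managed
 * to create one, then clears the saved registration handle so the same
 * handle can never be passed to ObUnRegisterCallbacks a second time.
 *
 * pObj: the driver object being unloaded; not used here.
 */
VOID UnLoadDriver(PDRIVER_OBJECT pObj)
{
    UNREFERENCED_PARAMETER(pObj);

    if (g_RegisterCallBackHandle != NULL) {
        ObUnRegisterCallbacks(g_RegisterCallBackHandle);
        /* Stale handle after unregistering: reset it so a later check
         * sees "nothing registered" rather than a dangling value. */
        g_RegisterCallBackHandle = NULL;
    }
}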
/*
 * Pre-operation callback registered (in DriverEntry) on PsProcessType for
 * OB_OPERATION_HANDLE_CREATE and OB_OPERATION_HANDLE_DUPLICATE.
 *
 * The match is on PsGetCurrentProcessId(), i.e. the process that is
 * *performing* the open/duplicate, not the process whose handle is being
 * opened. When it equals g_PromotePid, the requested access mask in the
 * Parameters union is overwritten with PROCESS_ALL_ACCESS. Parameters is a
 * union, so only the arm matching OperationInformation->Operation is valid;
 * that is why the two branches write different members.
 *
 * RegistrationContext is unused. The callback always returns
 * OB_PREOP_SUCCESS and gives no indication of whether it changed anything.
 *
 * From a defensive standpoint the observable artifact is a registered Ob
 * callback that raises DesiredAccess for one hard-coded PID.
 */
OB_PREOP_CALLBACK_STATUS PobPreOperationCallback(
PVOID RegistrationContext,
POB_PRE_OPERATION_INFORMATION OperationInformation
)
{
if (g_PromotePid == PsGetCurrentProcessId())
{
/* ComponentId 0, Level 77; the format string has no trailing newline. */
DbgPrintEx(0, 77, "Hero 检测到CE进程, 准备提权");
if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
{
/* Create path: the CreateHandleInformation arm of the union is live. */
OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = PROCESS_ALL_ACCESS;
}
else if (OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE)
{
/* Duplicate path: the DuplicateHandleInformation arm is live. */
OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = PROCESS_ALL_ACCESS;
}
}
return OB_PREOP_SUCCESS;
}
//0x120 bytes (sizeof)
/*
 * Hand-declared, PARTIAL copy of the undocumented loader data table entry.
 * The sizeof comment above says 0x120 bytes, but only the fields up to the
 * Flags union at 0x68 are declared here; DriverEntry only touches Flags.
 *
 * The offsets (InMemoryOrderLinks at 0x10 after a LIST_ENTRY at 0x0) imply
 * 64-bit pointers. The layout is Windows-build-specific and is not checked
 * against the running kernel anywhere in this file — TODO confirm against
 * the target build before relying on any field.
 */
struct _LDR_DATA_TABLE_ENTRY
{
struct _LIST_ENTRY InLoadOrderLinks; //0x0
struct _LIST_ENTRY InMemoryOrderLinks; //0x10
struct _LIST_ENTRY InInitializationOrderLinks; //0x20
VOID* DllBase; //0x30
VOID* EntryPoint; //0x38
ULONG SizeOfImage; //0x40
struct _UNICODE_STRING FullDllName; //0x48
struct _UNICODE_STRING BaseDllName; //0x58
/* Flags, FlagGroup and the bitfield struct alias the same 4 bytes at 0x68. */
union
{
UCHAR FlagGroup[4]; //0x68
ULONG Flags; //0x68
struct
{
ULONG PackagedBinary : 1; //0x68
ULONG MarkedForRemoval : 1; //0x68
ULONG ImageDll : 1; //0x68
ULONG LoadNotificationsSent : 1; //0x68
ULONG TelemetryEntryProcessed : 1; //0x68
ULONG ProcessStaticImport : 1; //0x68
ULONG InLegacyLists : 1; //0x68
ULONG InIndexes : 1; //0x68
ULONG ShimDll : 1; //0x68
ULONG InExceptionTable : 1; //0x68
ULONG ReservedFlags1 : 2; //0x68
ULONG LoadInProgress : 1; //0x68
ULONG LoadConfigProcessed : 1; //0x68
ULONG EntryProcessed : 1; //0x68
ULONG ProtectDelayLoad : 1; //0x68
ULONG ReservedFlags3 : 2; //0x68
ULONG DontCallForThreads : 1; //0x68
ULONG ProcessAttachCalled : 1; //0x68
ULONG ProcessAttachFailed : 1; //0x68
ULONG CorDeferredValidate : 1; //0x68
ULONG CorImage : 1; //0x68
ULONG DontRelocate : 1; //0x68
ULONG CorILOnly : 1; //0x68
ULONG ChpeImage : 1; //0x68
ULONG ReservedFlags5 : 2; //0x68
ULONG Redirected : 1; //0x68
ULONG ReservedFlags6 : 2; //0x68
ULONG CompatDatabaseProcessed : 1; //0x68
};
};
};
/*
 * Driver entry point.
 *
 * pObj: driver object. DriverUnload is set to UnLoadDriver, and
 *       pObj->DriverSection is reinterpreted as the partial
 *       _LDR_DATA_TABLE_ENTRY declared above (assumed layout, see there).
 * pReg: registry path; unused.
 *
 * Returns the NTSTATUS from ObRegisterCallbacks, so a failed registration
 * fails the driver load. The status is logged before returning. Whether
 * g_RegisterCallBackHandle stays NULL on failure is not checked here;
 * UnLoadDriver only guards on NULL — TODO confirm.
 *
 * Side effects: rewrites the Flags word of this driver's own loader entry
 * and registers a process-handle pre-operation callback at altitude "1000".
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pObj, PUNICODE_STRING pReg)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
pObj->DriverUnload = UnLoadDriver;
/* DbgPrintEx(ComponentId 0, Level 77, ...). A level above 31 is treated
 * as a bit mask; 77 presumably chosen so output shows under default
 * debugger filters. None of these format strings end with a newline. */
DbgPrintEx(0, 77, "Hero oldFlags = %x", ((struct _LDR_DATA_TABLE_ENTRY*)pObj->DriverSection)->Flags);
// Bypass the Microsoft-signature check performed by ObRegisterCallbacks.
// Note this assigns the whole Flags word: 0x20 is the ProcessStaticImport
// bit in the struct above, and every other previously set bit is cleared.
((struct _LDR_DATA_TABLE_ENTRY*)pObj->DriverSection)->Flags = 0x20;
DbgPrintEx(0, 77, "Hero newFlags = %x", ((struct _LDR_DATA_TABLE_ENTRY*)pObj->DriverSection)->Flags);
// NOTE: change this to the CE process PID. It is a hard-coded process id
// stored as a HANDLE, so it is only valid for one instance of that process.
g_PromotePid = (HANDLE)18528;
/* One registration: process objects, handle create + duplicate, pre-op only
 * (no PostOperation is set). */
OB_OPERATION_REGISTRATION obOperationRegistration = { 0 };
obOperationRegistration.ObjectType = PsProcessType;
obOperationRegistration.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
obOperationRegistration.PreOperation = PobPreOperationCallback;
OB_CALLBACK_REGISTRATION obCallBackRegistration = { 0 };
// The altitude here must be lower than the game protection's altitude.
// An ARK tool can be used to look it up.
UNICODE_STRING ustrAltitude = RTL_CONSTANT_STRING(L"1000");
obCallBackRegistration.Version = ObGetFilterVersion();
obCallBackRegistration.OperationRegistrationCount = 1;
/* ustrAltitude lives on this stack frame; the struct copies the
 * UNICODE_STRING by value, the buffer itself is the constant literal. */
obCallBackRegistration.Altitude = ustrAltitude;
obCallBackRegistration.OperationRegistration = &obOperationRegistration;
/* RegistrationContext is not set, matching the callback ignoring it. */
ntStatus = ObRegisterCallbacks(&obCallBackRegistration, &g_RegisterCallBackHandle);
DbgPrintEx(0, 77, "Hero Status = %x", ntStatus);
return ntStatus;
}