// Walks the PEB loader module list of the given process (expected to be the
// Desktop Window Manager) looking for dwmcore.dll and, when the global
// Passshots flag is TRUE, overwrites one build-specific code sequence inside
// that module's mapped image with NOP bytes (0x90). The bytes being replaced
// are first read into the global dwmcoreDATA; the write that would restore
// them is commented out at the bottom of this function, so as written this
// routine patches but never un-patches. The flag name (Passshots) and buffer
// name (HIDECODE) suggest the patch changes what DWM renders or captures —
// the meaning of the patched instruction is not visible here.
//
// Executes attached to the target's address space (KeStackAttachProcess)
// inside a __try/__except that swallows every exception, so a failed probe or
// a fault part-way through is silent. Depends on globals defined elsewhere:
// Passshots, LdrInPebOffset, ModListInPebOffset, OsVersion, dwmcorePatch,
// dwmcoreDATA, and on the helpers scanPattern, IsAddressSafe, ReadMemoryex,
// MMWriteProcessMemory and DebugPrint.
//
// Review note (detection): this is an in-memory code modification of
// dwmcore.dll inside the DWM process. Comparing the mapped image's code pages
// against the on-disk file is the natural integrity check that reveals it.
//
// Parameters:
//   Process - EPROCESS of the process whose modules are scanned and patched.
// Returns nothing; all failures are silent.
VOID EnumModuleDWM(PEPROCESS Process) {
    // Global on/off switch: nothing at all happens unless it is exactly TRUE.
    if (Passshots == TRUE) {
        SIZE_T Peb = 0;
        SIZE_T Ldr = 0;
        PLIST_ENTRY ModListHead = 0;
        PLIST_ENTRY Module = 0;
        ANSI_STRING AnsiString; // unused in this function
        KAPC_STATE ks;

        // Bail out if the EPROCESS address is not a valid page.
        // (MmIsAddressValid only checks that the page is resident; a valid
        // but wrong pointer still passes.)
        if (!MmIsAddressValid(Process)) return;

        // Fetch the PEB address of the target process.
        Peb = (SIZE_T)PsGetProcessPeb(Process);

        // Bail out if the process has no PEB (e.g. a system/minimal process).
        if (!Peb) return;

        // Attach to the target process so user-mode addresses below resolve in
        // its address space. Paired with KeUnstackDetachProcess after the
        // __try/__except block.
        KeStackAttachProcess(Process, &ks);
        __try {
            // Address of the PEB.Ldr field, using an offset supplied by a
            // global (presumably set per OS build — confirm where it is filled).
            Ldr = Peb + (SIZE_T)LdrInPebOffset;

            // Probe readability; ProbeForRead raises if the address is not
            // user-mode/aligned and the __except below then exits the scan.
            ProbeForRead((CONST PVOID)Ldr, 8, 8);

            // Dereference PEB.Ldr to get PEB_LDR_DATA, then step to the module
            // list head at ModListInPebOffset (which list is selected depends
            // on that global).
            ModListHead = (PLIST_ENTRY)(*(PULONG64)Ldr + ModListInPebOffset);

            // Probe the list head (8 bytes covers the Flink read below).
            ProbeForRead((CONST PVOID)ModListHead, 8, 8);

            // First module entry.
            // NOTE(review): this first entry is not probed before its fields
            // are dereferenced in the loop body; the first iteration relies on
            // the __except handler alone. Later entries are probed at the end
            // of each iteration.
            Module = ModListHead->Flink;

            while (ModListHead != Module) {
                // Shallow copy of the entry's BaseDllName; its Buffer still
                // points into the target process and is only valid while
                // attached.
                UNICODE_STRING MANE = (((PLDR_DATA_TABLE_ENTRY)Module)->BaseDllName);
                UNICODE_STRING pDllName;
                RtlInitUnicodeString(&pDllName, L"dwmcore.dll");

                // Case-sensitive comparison (CaseInSensitive == FALSE).
                if (RtlCompareUnicodeString(&pDllName, &MANE, FALSE) == 0) {
                    //56 57 41 54 48 81 EC E0 01 00 00
                    //F3 0F 10 05 42 BF 02 00 F3 0F 11 44 24 5C

                    // Build-specific signature scans. Only one of the three
                    // branches can match a given build; build 19041 itself and
                    // builds in 7602..9600 (or below 7601) match none, in which
                    // case dwmcorePatch keeps whatever value it already held
                    // and is still printed below.

                    // Windows 7 SP1 (build 7601).
                    if (OsVersion.dwBuildNumber == 7601) {
                        // NOTE(review): reinterpret_cast is missing its template
                        // argument here (and in the two branches below) — most
                        // likely angle brackets lost when the page was extracted.
                        dwmcorePatch = (PVOID)scanPattern(reinterpret_cast(((PLDR_DATA_TABLE_ENTRY)Module)->DllBase), (((PLDR_DATA_TABLE_ENTRY)Module)->SizeOfImage), "\xf3\x0f\x10\x05\x00\x00\x00\x00\xf3\x0f\x11\x44\x24\x5c", "xxxx????xxxxxx");
                        // IsAddressSafe (defined elsewhere) gates the write.
                        if (IsAddressSafe((UINT_PTR)dwmcorePatch) == TRUE) {
                            // Save the 8 original bytes into the global, then
                            // overwrite them with 8 NOPs in the target process.
                            dwmcoreDATA = ReadMemoryex(dwmcorePatch, 8, dwmcoreDATA);
                            UCHAR HIDECODE[] = "\x90\x90\x90\x90\x90\x90\x90\x90";
                            MMWriteProcessMemory(Process, dwmcorePatch, 8, HIDECODE);
                        }
                    }

                    // Windows 10 builds newer than 2004 (19041).
                    if (OsVersion.dwBuildNumber > 19041) {
                        dwmcorePatch = (PVOID)scanPattern(reinterpret_cast(((PLDR_DATA_TABLE_ENTRY)Module)->DllBase), (((PLDR_DATA_TABLE_ENTRY)Module)->SizeOfImage), "\xf3\x0f\x10\x05\x00\x00\x00\x00\x4c\x8d\x48\xf0\x83\x65\xe0\x00", "xxxx????xxxxxxxx");
                        if (IsAddressSafe((UINT_PTR)dwmcorePatch) == TRUE) {
                            // Same save-then-NOP sequence, 8 bytes.
                            dwmcoreDATA = ReadMemoryex(dwmcorePatch, 8, dwmcoreDATA);
                            UCHAR HIDECODE[] = "\x90\x90\x90\x90\x90\x90\x90\x90";
                            MMWriteProcessMemory(Process, dwmcorePatch, 8, HIDECODE);
                        }
                    }

                    // Builds strictly between 8.1 (9600) and 10 2004 (19041).
                    if (OsVersion.dwBuildNumber < 19041 && OsVersion.dwBuildNumber > 9600) {
                        //488d05????????488bcfe8
                        dwmcorePatch = (PVOID)scanPattern(reinterpret_cast(((PLDR_DATA_TABLE_ENTRY)Module)->DllBase), (((PLDR_DATA_TABLE_ENTRY)Module)->SizeOfImage), "\x48\x8d\x05\x00\x00\x00\x00\x48\x8b\xcf\xe8\x00\x00\x00\x00\x8b\xd8", "xxx????xxxx????xx");
                        if (IsAddressSafe((UINT_PTR)dwmcorePatch) == TRUE) {
                            // This branch saves and overwrites 7 bytes, not 8.
                            dwmcoreDATA = ReadMemoryex(dwmcorePatch, 7, dwmcoreDATA);
                            UCHAR HIDECODE[] = "\x90\x90\x90\x90\x90\x90\x90";
                            MMWriteProcessMemory(Process, dwmcorePatch, 7, HIDECODE);
                        }
                    }

                    // Debug output of the resolved patch address (possibly a
                    // stale or zero value if no branch matched — see above).
                    DebugPrint("dwmcore: %p", dwmcorePatch);
                }

                Module = Module->Flink;
                // Probe readability of the next module entry before the next
                // iteration dereferences it.
                // NOTE(review): 80 bytes may not cover every field read above
                // (DllBase, SizeOfImage, BaseDllName) — confirm against the
                // LDR_DATA_TABLE_ENTRY layout in use.
                ProbeForRead((CONST PVOID)Module, 80, 8);
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER) {
            // Every exception (bad probe, access violation while attached) is
            // swallowed silently; the loop simply stops where it was, possibly
            // after dwmcoreDATA was updated but before the write happened.
            ;
        }

        // Detach from the target process. Placed after the __try/__except so
        // it runs on both the normal and the exception path.
        KeUnstackDetachProcess(&ks);

        // Restore of the saved bytes is disabled; nothing in this function
        // reverts the patch.
        //WriteMemory(PsGetProcessId(Process), dwmcorePatch, 8, dwmcoreDATA);
    }
}