R3 R0窗口句柄分析 对抗GetWindow保护窗口源码

小子不忘记

R3 R0窗口句柄分析 对抗GetWindow 保护窗口

系统版本:Microsoft Windows [版本 10.0.18362.175]

1. 
   
2. //用户层========================
   
3. //本来以为移除就好!最后竟然无法修改内存!!!!!
   
4. struct tagWnd_r3
   
5. {
   
6.    __int64 h; //0x0000
   
7.     __int64 offset; //0x0008
   
8.     char pad_0x0010[0x38]; //0x0010
   
9.     __int64 nextOffset; //0x0048
   
10.     __int64 piveOffset; //0x0050
    
11.     char pad_0x0058[0xF8]; //0x0058
    
12.     PWCHAR name; //0x0150
    
13. };
    
14. 
    
15. tagWnd_r3* ValidateHwnd(HWND hwnd)
    
16. {
    
17.    HMODULE hModule = GetModuleHandle(TEXT("user32.dll"));
    
18.    if(hModule!=0)
    
19.    {
    
20.       UINT_PTR ulGetMsgFunc = (UINT_PTR)GetProcAddress(hModule,"GetWindowTextA");
    
21.       if(ulGetMsgFunc !=0)
    
22.       {
    
23.          UINT_PTR ptr = (UINT_PTR)memchr((PVOID)ulGetMsgFunc,0xE8,100);
    
24.          UINT_PTR addr = *(PLONG)(ptr + 1) + ptr +5;
    
25.          tagWnd_r3* (__fastcall * _ValidateHwnd)(HWND hwnd) = (tagWnd_r3* (__fastcall *)(HWND)) addr;
    
26.          return _ValidateHwnd(hwnd);
    
27.       }
    
28.    }
    
29.    return nullptr;
    
30. }
    
31. 
    
32. //获取下一个窗口对象
    
33. tagWnd_r3* GetNextHwnd(tagWnd_r3* hwnd)
    
34. {
    
35.   tagWnd_r3* Next = nullptr;
    
36.   Next = (tagWnd_r3* )((INT_PTR)hwnd - hwnd->offset + hwnd->nextOffset);
    
37.    return Next;
    
38. }
    
39. 
    
40. //获取上一个窗口对象
    
41. tagWnd_r3* GetPrveHwnd(tagWnd_r3* hwnd)
    
42. {
    
43.   tagWnd_r3* Prve = nullptr;
    
44.   Prve = (tagWnd_r3* )((INT_PTR)hwnd - hwnd->offset + hwnd->piveOffset);
    
45.    return Prve;
    
46. }
    
47. 
    
48. void RemoveHwnd(tagWnd_r3* hwnd)
    
49. {
    
50.     tagWnd_r3* Next = GetNextHwnd(hwnd);
    
51.     tagWnd_r3* Prve = GetPrveHwnd(hwnd);
    
52. 
    
53.    Prve->nextOffset = hwnd->nextOffset;
    
54.    Next->piveOffset = hwnd->piveOffset;
    
55. }
    
56. 
    
57. int main(){
    
58.    tagWnd_r3* h =  ValidateHwnd((HWND)0x00070354);
    
59. 
    
60.    RemoveHwnd(h);//在共享表中移除 可是这块共享内存无法修改!暂时没有办法
    
61. }
    
62. 
    
63. //内核层r0===============================
    
64. //测试了下  窗口会卡死不能动
    
65. typedef struct _tagWnd
    
66. {
    
67.     THRDESKHEAD hwnd; //0x0000
    
68.     char pad_0x0008[0x40]; //0x0018
    
69.     _tagWnd* spwndNext; //0x0058
    
70.     _tagWnd*  spwndPrev; //0x0060
    
71.     _tagWnd*  spwndParent; //0x0068
    
72.     _tagWnd*  spwndChild; //0x0070
    
73.     _tagWnd*  spwndOwner; //0x0078
    
74.     char pad_0x0080[0x38]; //0x0080
    
75.     PWCHAR strName; //0x00B8
    
76. } tagWnd, *pTagWnd;
    
77. 
    
78. pTagWnd getWindowTagWnd(ULONG hwnd)
    
79. {
    
80.     ULONG cx = hwnd & 0xffff;
    
81. 
    
82.     ULONG_PTR gpKernelHandleTable = *(PULONG_PTR)g_gpKernelHandleTable;//g_gpKernelHandleTable这个可以根据符号找到或者特征码
    
83. 
    
84.     if(!MmIsAddressValid((PVOID)gpKernelHandleTable))
    
85.     {
    
86.         return nullptr;
    
87.     }
    
88.     ////g_gSharedInfo 这个可以根据符号找到或者特征码
    
89.     ULONG_PTR gSharedInfo = (ULONG_PTR)g_gSharedInfo + 0x10;
    
90.     gSharedInfo =  *(PULONG_PTR)gSharedInfo;
    
91. 
    
92.     gSharedInfo = gSharedInfo * cx;
    
93. 
    
94.     gSharedInfo = gSharedInfo >> 5;
    
95.     gSharedInfo = gSharedInfo * 0x18;
    
96. 
    
97.     gpKernelHandleTable = gpKernelHandleTable+ gSharedInfo;
    
98.      if(!MmIsAddressValid((PVOID)gpKernelHandleTable))
    
99.     {
    
100.         return nullptr;
     
101.     }
     
102.     pTagWnd tagWnd = (pTagWnd)( *(PULONG_PTR)gpKernelHandleTable);
     
103. 
     
104.     return tagWnd;
     
105. }
     
106. 
     
107. bool RemoveWnd(ULONG hwnd)
     
108. {
     
109.     // auto Wnd =  getWindowTagWnd(0x10010);
     
110.     auto removeWnd = getWindowTagWnd(hwnd);
     
111. 
     
112.     removeWnd->spwndPrev->spwndNext = removeWnd->spwndNext;
     
113.     removeWnd->spwndNext->spwndPrev = removeWnd->spwndPrev;
     
114. 
     
115.      return true;
     
116. }
     

复制代码