遍历 Shadow SSDT 表中的函数地址

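#include <ntifs.h>
#include <ntimage.h>
//#include "ntddk.h"

/*
 * Lab driver: locate KeServiceDescriptorTableShadow by scanning the code of
 * KeAddSystemServiceTable, then dump the win32k (Shadow SSDT) service table.
 *
 * Everything here depends on undocumented, per-build kernel layout: the
 * SERVICE_DESCRIPTOR_TABLE shape, hard-coded EPROCESS.ActiveProcessLinks
 * offsets, and a byte scan for a pointer value. The values in this file are
 * the x86 ones (KeServiceDescriptorTable is not exported on x64, and the
 * offset table below only lists 32-bit builds), so treat it as a research
 * tool for a disposable VM, not production code. Nothing here verifies that
 * the table it finds is genuine; a bad guess bugchecks the machine.
 */

/* SSDT descriptor as laid out on the x86 builds this file targets. */
typedef struct _SERVICE_DESCRIPTOR_TABLE {
    PULONG ServiceTable;    /* array of service routine addresses */
    PULONG CounterTable;    /* per-service call counters (checked builds) */
    ULONG  TableSize;       /* number of entries in ServiceTable */
    PUCHAR ArgumentTable;   /* per-service argument byte counts */
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

/*
 * Declared as a POINTER even though the kernel exports the table itself:
 * the reference resolves to the import-address-table slot, which holds the
 * table's address, so dereferencing this variable yields the table.
 * (Standard trick in SSDT code; verify with a disassembler on a new toolchain.)
 */
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

/*
 * Filled in by DriverEntry. Points at KeServiceDescriptorTableShadow, whose
 * entry [0] mirrors KeServiceDescriptorTable and whose entry [1] describes
 * the win32k table (the "Shadow SSDT") on the x86 builds targeted here.
 */
PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorShadowTable;

typedef enum WIN_VER_DETAIL {
    WINDOWS_VERSION_NONE,        /* 0: unknown / not yet probed */
    WINDOWS_VERSION_2K,
    WINDOWS_VERSION_XP,
    WINDOWS_VERSION_2K3,
    WINDOWS_VERSION_2K3_SP1_SP2,
    WINDOWS_VERSION_VISTA_2008,
    WINDOWS_VERSION_7_7600_UP,
    WINDOWS_VERSION_7_7000
} WIN_VER_DETAIL;

/* Cached result of GetWindowsVersion(); WINDOWS_VERSION_NONE until probed. */
WIN_VER_DETAIL WinVersion;

WIN_VER_DETAIL GetWindowsVersion(VOID);

/*
 * Only the ADDRESS of this export is used (as the start of the byte scan in
 * GetShadowTableAddress); it is never called, so the parameter types here are
 * placeholders. The original declaration had no return type at all.
 */
__declspec(dllimport) BOOLEAN __stdcall KeAddSystemServiceTable(PVOID, PVOID, PVOID, PVOID, PVOID);

/*
 * Undocumented export returning EPROCESS.ImageFileName. The name buffer is
 * 16 bytes (15 characters + NUL); that limit drives the comparison length in
 * LookupProcessByName. NTAPI matters on x86 for the decorated import name.
 */
NTKERNELAPI PUCHAR NTAPI PsGetProcessImageFileName(__in PEPROCESS eprocess);

/* Bytes of KeAddSystemServiceTable to scan for a pointer to the shadow table.
 * Note: the original comment called this "one page", but the value is 0x1024
 * (4132), not 0x1000; it is kept unchanged. */
#define SHADOW_SCAN_BYTES 0x1024

/* Maximum characters held by EPROCESS.ImageFileName (see note above). */
#define IMAGE_FILE_NAME_MAX 15

/* Driver unload: nothing to tear down, just log. */
VOID MyUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    KdPrint(("驱动卸载成功\n"));
}

/*
 * Scan the first SHADOW_SCAN_BYTES of KeAddSystemServiceTable for a pointer
 * value that (a) is not KeServiceDescriptorTable itself and (b) points at
 * memory whose first sizeof(SERVICE_DESCRIPTOR_TABLE) bytes equal the SSDT
 * descriptor. KeServiceDescriptorTableShadow begins with a copy of that
 * descriptor, so the first such pointer is taken to be it.
 *
 * Returns the candidate address, or NULL if nothing matched. The scan reads
 * code bytes as unaligned pointer-sized values; both the scan cursor and the
 * candidate are checked with MmIsAddressValid before being touched, because
 * kernel-mode SEH does not reliably catch a fault on an invalid kernel
 * address (it typically bugchecks instead). The __try is kept as a last
 * resort only.
 */
PVOID GetShadowTableAddress(VOID)
{
    PUCHAR cursor = (PUCHAR)KeAddSystemServiceTable;
    ULONG i;

    if (KeServiceDescriptorTable == NULL) {
        return NULL;
    }

    for (i = 0; i < SHADOW_SCAN_BYTES; i++, cursor++) {
        ULONG_PTR value;
        PVOID candidate;

        /* The whole pointer-sized read must be backed by valid pages. */
        if (!MmIsAddressValid(cursor) ||
            !MmIsAddressValid(cursor + sizeof(ULONG_PTR) - 1)) {
            continue;
        }

        __try {
            value = *(ULONG_PTR UNALIGNED *)cursor;
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            return NULL;
        }

        candidate = (PVOID)value;

        /* Skip the SSDT itself; we want the other table with the same head. */
        if (candidate == (PVOID)KeServiceDescriptorTable) {
            continue;
        }

        /* Validate the full span we are about to memcmp, not just byte 0. */
        if (!MmIsAddressValid(candidate) ||
            !MmIsAddressValid((PUCHAR)candidate + sizeof(SERVICE_DESCRIPTOR_TABLE) - 1)) {
            continue;
        }

        __try {
            if (memcmp(candidate, KeServiceDescriptorTable,
                       sizeof(SERVICE_DESCRIPTOR_TABLE)) == 0) {
                return candidate;
            }
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            return NULL;
        }
    }

    return NULL;
}

/*
 * Map RtlGetVersion() output onto WIN_VER_DETAIL and cache it in WinVersion.
 *
 * Returns WINDOWS_VERSION_NONE for builds not listed here (including Windows 7
 * builds between 7001 and 7599, as in the original). Fix versus the original:
 * 6.0 (Vista / Server 2008) now maps to WINDOWS_VERSION_VISTA_2008, which the
 * original never assigned — it returned the 2003 SP1/SP2 value, so
 * LookupProcessByName used the 0x98 offset instead of the 0xA0 one it has
 * for Vista.
 */
WIN_VER_DETAIL GetWindowsVersion(VOID)
{
    RTL_OSVERSIONINFOEXW info;

    if (WinVersion != WINDOWS_VERSION_NONE) {
        return WinVersion;
    }

    RtlZeroMemory(&info, sizeof(info));
    info.dwOSVersionInfoSize = sizeof(info);
    if (!NT_SUCCESS(RtlGetVersion((PRTL_OSVERSIONINFOW)&info))) {
        return WINDOWS_VERSION_NONE;
    }

    if (info.dwMajorVersion == 5) {
        switch (info.dwMinorVersion) {
        case 0:
            WinVersion = WINDOWS_VERSION_2K;
            break;
        case 1:
            WinVersion = WINDOWS_VERSION_XP;
            break;
        case 2:
            WinVersion = (info.wServicePackMajor == 0)
                             ? WINDOWS_VERSION_2K3
                             : WINDOWS_VERSION_2K3_SP1_SP2;
            break;
        default:
            break;
        }
    } else if (info.dwMajorVersion == 6) {
        if (info.dwMinorVersion == 0) {
            WinVersion = WINDOWS_VERSION_VISTA_2008;
        } else if (info.dwMinorVersion == 1) {
            if (info.dwBuildNumber == 7000) {
                WinVersion = WINDOWS_VERSION_7_7000;
            } else if (info.dwBuildNumber >= 7600) {
                WinVersion = WINDOWS_VERSION_7_7600_UP;
            }
        }
    }

    return WinVersion;
}

/*
 * Find a process by image file name (case-insensitive) by walking the
 * EPROCESS.ActiveProcessLinks ring from the current process, using a
 * per-build hard-coded link offset.
 *
 * pcProcessName: NUL-terminated name, e.g. "explorer.exe". Only the first
 *                IMAGE_FILE_NAME_MAX characters can match because that is all
 *                EPROCESS.ImageFileName stores (the original truncated the
 *                search name to 15 characters but then demanded a full-length
 *                match, so names longer than 15 characters could never hit).
 * pEprocess:     receives the matching EPROCESS, or NULL. On success the
 *                object has been ObReferenceObject()'d and the caller must
 *                ObDereferenceObject() it; the original handed back an
 *                unreferenced pointer that could be freed before use.
 *
 * Returns STATUS_SUCCESS, STATUS_NOT_FOUND, STATUS_INVALID_PARAMETER (NULL
 * or empty arguments), or STATUS_UNSUCCESSFUL (IRQL above PASSIVE_LEVEL, or
 * no link offset known for this build — the original read an uninitialized
 * offset for Windows 2000 / unknown builds).
 *
 * The walk takes no lock and the reference is taken on a process that may be
 * exiting; this is best-effort research code, not a safe enumeration.
 */
NTSTATUS LookupProcessByName(IN PCSTR pcProcessName, OUT PEPROCESS *pEprocess)
{
    NTSTATUS status = STATUS_NOT_FOUND;
    ULONG_PTR linksOffset = 0;
    SIZE_T nameLen;
    SIZE_T cmpLen;
    PEPROCESS startProcess;
    PEPROCESS current;

    if (!ARGUMENT_PRESENT(pcProcessName) || !ARGUMENT_PRESENT(pEprocess)) {
        return STATUS_INVALID_PARAMETER;
    }
    if (KeGetCurrentIrql() > PASSIVE_LEVEL) {
        return STATUS_UNSUCCESSFUL;
    }

    *pEprocess = NULL;

    nameLen = strlen(pcProcessName);
    if (nameLen == 0) {
        return STATUS_INVALID_PARAMETER;
    }
    cmpLen = (nameLen > IMAGE_FILE_NAME_MAX) ? IMAGE_FILE_NAME_MAX : nameLen;

    /* x86 EPROCESS.ActiveProcessLinks offsets, per build. */
    switch (GetWindowsVersion()) {
    case WINDOWS_VERSION_XP:
        linksOffset = 0x88;
        break;
    case WINDOWS_VERSION_7_7600_UP:
    case WINDOWS_VERSION_7_7000:
        linksOffset = 0xb8;
        break;
    case WINDOWS_VERSION_VISTA_2008:
        linksOffset = 0x0a0;
        break;
    case WINDOWS_VERSION_2K3_SP1_SP2:
        linksOffset = 0x98;
        break;
    case WINDOWS_VERSION_2K3:
        linksOffset = 0x088;
        break;
    default:
        /* Windows 2000 and unknown builds: no offset known, refuse to walk. */
        linksOffset = 0;
        break;
    }
    if (linksOffset == 0) {
        return STATUS_UNSUCCESSFUL;
    }

    startProcess = PsGetCurrentProcess();
    current = startProcess;

    __try {
        for (;;) {
            PCSTR imageName;
            PLIST_ENTRY links;

            imageName = (PCSTR)PsGetProcessImageFileName(current);
            if (imageName != NULL &&
                strlen(imageName) == cmpLen &&
                _strnicmp(pcProcessName, imageName, cmpLen) == 0) {
                ObReferenceObject(current);
                *pEprocess = current;
                status = STATUS_SUCCESS;
                break;
            }

            /* Advance along ActiveProcessLinks; stop once we are back at start. */
            links = (PLIST_ENTRY)((PUCHAR)current + linksOffset);
            current = (PEPROCESS)((PUCHAR)links->Flink - linksOffset);
            if (current == startProcess) {
                status = STATUS_NOT_FOUND;
                break;
            }
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        KdPrint(("LookupProcessByName:%08x\r\n", GetExceptionCode()));
        *pEprocess = NULL;
        status = STATUS_NOT_FOUND;
    }

    return status;
}

/*
 * Entry point: find the shadow table, attach to explorer.exe (a GUI process,
 * so win32k's session-space service table is mapped), and print every entry
 * of the second descriptor — the win32k / Shadow SSDT table.
 *
 * Always returns STATUS_SUCCESS so the driver stays loaded and can be
 * unloaded cleanly; failures are only logged. KeStackAttachProcess replaces
 * the obsolete KeAttachProcess, and the explorer reference obtained from
 * LookupProcessByName is released after detaching.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING Reg_Path)
{
    PEPROCESS explorer = NULL;
    KAPC_STATE apcState;
    PSERVICE_DESCRIPTOR_TABLE win32kTable;
    ULONG count;
    ULONG i;

    UNREFERENCED_PARAMETER(Reg_Path);

    pDriverObject->DriverUnload = MyUnload;

    KeServiceDescriptorShadowTable = (PSERVICE_DESCRIPTOR_TABLE)GetShadowTableAddress();
    if (KeServiceDescriptorShadowTable == NULL) {
        KdPrint(("DriverEntry: shadow table not found\r\n"));
        return STATUS_SUCCESS;
    }

    if (!NT_SUCCESS(LookupProcessByName("explorer.exe", &explorer)) || explorer == NULL) {
        KdPrint(("DriverEntry: explorer.exe not found\r\n"));
        return STATUS_SUCCESS;
    }

    /* Index 1 is the win32k table; index 0 mirrors the regular SSDT. */
    win32kTable = &KeServiceDescriptorShadowTable[1];

    KeStackAttachProcess((PRKPROCESS)explorer, &apcState);

    /* The ServiceTable lives in session space; only readable while attached. */
    if (MmIsAddressValid(win32kTable->ServiceTable)) {
        count = win32kTable->TableSize;
        for (i = 0; i < count; i++) {
            DbgPrint("Number:%lu  Address:0x%08lX\r\n", i, win32kTable->ServiceTable[i]);
        }
    } else {
        KdPrint(("DriverEntry: win32k ServiceTable not mapped\r\n"));
    }

    KeUnstackDetachProcess(&apcState);
    ObDereferenceObject(explorer);

    return STATUS_SUCCESS;
}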