遍历 shadowssdt表 函数名地址
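/*
 * Locates the shadow service descriptor table by scanning forward from
 * KeAddSystemServiceTable, then, while attached to explorer.exe, prints the
 * address of every entry of descriptor index 1 with DbgPrint.
 *
 * Everything here depends on undocumented, build-specific layouts
 * (SERVICE_DESCRIPTOR_TABLE, the EPROCESS link offsets below), so each value
 * must be re-verified against symbols for every build the driver is loaded on.
 * Pointer arithmetic uses ULONG_PTR, but the offset table itself is only
 * meaningful for the builds it was taken from (presumably 32-bit — confirm).
 */
#include <ntifs.h>
#include <ntimage.h>
//#include "ntddk.h"

/* Layout assumed for one service descriptor (undocumented; confirm per build). */
typedef struct _SERVICE_DESCRIPTOR_TABLE {
    PULONG ServiceTable;   /* array of service routine addresses */
    PULONG CounterTable;
    ULONG  TableSize;      /* number of entries in ServiceTable */
    PUCHAR ArgumentTable;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

/*
 * NOTE(review): declared as a pointer.  Whether the memcmp in
 * GetShadowTableAddress compares against the descriptor itself or against
 * whatever its first field points to depends on how the exported symbol is
 * actually defined; confirm before relying on the match.
 */
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

/* Filled in by DriverEntry from GetShadowTableAddress(); NULL when not found. */
PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorShadowTable;

typedef enum WIN_VER_DETAIL {
    WINDOWS_VERSION_NONE, // 0
    WINDOWS_VERSION_2K,
    WINDOWS_VERSION_XP,
    WINDOWS_VERSION_2K3,
    WINDOWS_VERSION_2K3_SP1_SP2,
    WINDOWS_VERSION_VISTA_2008,
    WINDOWS_VERSION_7_7600_UP,
    WINDOWS_VERSION_7_7000
} WIN_VER_DETAIL;

/* Cached result of GetWindowsVersion(); WINDOWS_VERSION_NONE until first call. */
WIN_VER_DETAIL WinVersion;
WIN_VER_DETAIL GetWindowsVersion(void);

/* Only the address of this export is used, as the start of the scan. */
__declspec(dllimport) BOOLEAN _stdcall KeAddSystemServiceTable(PVOID, PVOID, PVOID, PVOID, PVOID);
UCHAR *PsGetProcessImageFileName(__in PEPROCESS eprocess);

/* Bytes scanned after KeAddSystemServiceTable.  0x1024 is 4132 bytes — kept
 * as written, but note it is not exactly one page despite the intent. */
#define SHADOW_SCAN_BYTES 0x1024

/* Number of leading descriptor bytes compared to identify a candidate. */
#define SDT_CMP_BYTES 16

/* Longest image-name prefix compared; longer names match on this prefix only. */
#define IMAGE_NAME_CMP_MAX 15

/* DriverUnload callback: nothing was allocated, so it only logs. */
VOID MyUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    KdPrint(("驱动卸载成功\n"));
}

/*
 * Scan forward from KeAddSystemServiceTable for a pointer-sized value that
 * refers to memory whose first SDT_CMP_BYTES bytes equal those at
 * KeServiceDescriptorTable, excluding KeServiceDescriptorTable itself.
 * Returns that candidate, or NULL when nothing matches.  The byte match is a
 * heuristic, not a guarantee.
 *
 * NOTE(review): SEH does not catch faults on invalid kernel-mode addresses,
 * so the __try only helps for values in the user range; the MmIsAddressValid
 * checks are the real guard.  They are applied to both ends of each window
 * because a pointer read or the SDT_CMP_BYTES compare can straddle a page.
 */
PVOID GetShadowTableAddress(void)
{
    PUCHAR p = (PUCHAR)KeAddSystemServiceTable;
    ULONG i;

    for (i = 0; i < SHADOW_SCAN_BYTES; i++, p++) {
        ULONG_PTR candidate;

        if (!MmIsAddressValid(p) || !MmIsAddressValid(p + sizeof(ULONG_PTR) - 1)) {
            continue;
        }
        __try {
            candidate = *(PULONG_PTR)p;
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            return NULL;
        }
        if (candidate == (ULONG_PTR)KeServiceDescriptorTable) {
            continue; /* the non-shadow table; skip it */
        }
        if (!MmIsAddressValid((PVOID)candidate) ||
            !MmIsAddressValid((PUCHAR)candidate + SDT_CMP_BYTES - 1)) {
            continue;
        }
        if (memcmp((PVOID)candidate, KeServiceDescriptorTable, SDT_CMP_BYTES) == 0) {
            return (PVOID)candidate;
        }
    }
    return NULL;
}

/*
 * Map RtlGetVersion() onto WIN_VER_DETAIL and cache the result in WinVersion.
 * Returns WINDOWS_VERSION_NONE when RtlGetVersion fails or the version is not
 * in the table; the cache is only populated by a successful mapping.
 * Major/minor 6.0 maps to WINDOWS_VERSION_VISTA_2008 so that the matching
 * link offset in LookupProcessByName is actually selectable.
 */
WIN_VER_DETAIL GetWindowsVersion(void)
{
    RTL_OSVERSIONINFOEXW osverinfo;
    ULONG major;
    ULONG minor;

    if (WinVersion) {
        return WinVersion;
    }
    memset(&osverinfo, 0, sizeof(osverinfo));
    osverinfo.dwOSVersionInfoSize = sizeof(osverinfo);
    if (RtlGetVersion((RTL_OSVERSIONINFOW *)&osverinfo) != STATUS_SUCCESS) {
        return WINDOWS_VERSION_NONE;
    }
    major = osverinfo.dwMajorVersion;
    minor = osverinfo.dwMinorVersion;

    if (major == 5 && minor == 0) {
        WinVersion = WINDOWS_VERSION_2K;
    } else if (major == 5 && minor == 1) {
        WinVersion = WINDOWS_VERSION_XP;
    } else if (major == 5 && minor == 2) {
        WinVersion = (osverinfo.wServicePackMajor == 0)
                         ? WINDOWS_VERSION_2K3
                         : WINDOWS_VERSION_2K3_SP1_SP2;
    } else if (major == 6 && minor == 0) {
        WinVersion = WINDOWS_VERSION_VISTA_2008;
    } else if (major == 6 && minor == 1 && osverinfo.dwBuildNumber == 7000) {
        WinVersion = WINDOWS_VERSION_7_7000;
    } else if (major == 6 && minor == 1 && osverinfo.dwBuildNumber >= 7600) {
        WinVersion = WINDOWS_VERSION_7_7600_UP;
    }
    return WinVersion;
}

/*
 * Find a process by image name by walking the EPROCESS active-process list
 * from the current process, using a per-version hard-coded link offset.
 *
 * pcProcessName  NUL-terminated image name, compared case-insensitively.
 *                Only the first IMAGE_NAME_CMP_MAX characters take part
 *                (presumably because PsGetProcessImageFileName returns the
 *                short image name — confirm), so a longer name matches a
 *                process whose short name equals its 15-character prefix.
 * pEprocess      receives the matching EPROCESS, or NULL when not found.
 * Returns STATUS_SUCCESS, STATUS_NOT_FOUND, STATUS_INVALID_PARAMETER, or
 * STATUS_UNSUCCESSFUL (IRQL above PASSIVE_LEVEL, or no offset for this
 * version).  Must be called at PASSIVE_LEVEL.
 *
 * NOTE(review): the returned EPROCESS is not referenced, so it can go stale
 * if the process exits; and the offsets below must be verified against
 * symbols for every build.  A documented lookup API is the safer choice
 * where one fits the caller's needs.
 */
NTSTATUS LookupProcessByName(IN PCHAR pcProcessName, OUT PEPROCESS *pEprocess)
{
    NTSTATUS status = STATUS_NOT_FOUND;
    ULONG uCount = 0;
    ULONG uLength;
    ULONG cmpLength;
    ULONG g_Offset_Eprocess_Flink = 0;
    ULONG_PTR startProcess;
    PEPROCESS pCurrentEprocess;
    PLIST_ENTRY pListActiveProcess;

    if (!ARGUMENT_PRESENT(pcProcessName) || !ARGUMENT_PRESENT(pEprocess)) {
        return STATUS_INVALID_PARAMETER;
    }
    if (KeGetCurrentIrql() > PASSIVE_LEVEL) {
        return STATUS_UNSUCCESSFUL;
    }
    *pEprocess = NULL;

    uLength = (ULONG)strlen(pcProcessName);
    if (uLength == 0) {
        return STATUS_INVALID_PARAMETER;
    }
    cmpLength = (uLength > IMAGE_NAME_CMP_MAX) ? IMAGE_NAME_CMP_MAX : uLength;

    switch (GetWindowsVersion()) {
    case WINDOWS_VERSION_XP:
        g_Offset_Eprocess_Flink = 0x88;
        break;
    case WINDOWS_VERSION_7_7600_UP:
    case WINDOWS_VERSION_7_7000:
        g_Offset_Eprocess_Flink = 0xb8;
        break;
    case WINDOWS_VERSION_VISTA_2008:
        g_Offset_Eprocess_Flink = 0x0a0;
        break;
    case WINDOWS_VERSION_2K3_SP1_SP2:
        g_Offset_Eprocess_Flink = 0x98;
        break;
    case WINDOWS_VERSION_2K3:
        g_Offset_Eprocess_Flink = 0x088;
        break;
    default:
        break; /* NONE and 2K have no offset: reported below */
    }
    if (g_Offset_Eprocess_Flink == 0) {
        return STATUS_UNSUCCESSFUL;
    }

    pCurrentEprocess = PsGetCurrentProcess();
    startProcess = (ULONG_PTR)pCurrentEprocess;

    __try {
        for (;;) {
            char *imageName = (char *)PsGetProcessImageFileName(pCurrentEprocess);

            if (imageName != NULL &&
                strlen(imageName) == cmpLength &&
                _strnicmp(pcProcessName, imageName, cmpLength) == 0) {
                *pEprocess = pCurrentEprocess;
                status = STATUS_SUCCESS;
                break;
            }
            /* Back at the starting process: the whole list has been visited. */
            if (uCount >= 1 && startProcess == (ULONG_PTR)pCurrentEprocess) {
                *pEprocess = NULL;
                status = STATUS_NOT_FOUND;
                break;
            }
            pListActiveProcess =
                (PLIST_ENTRY)((ULONG_PTR)pCurrentEprocess + g_Offset_Eprocess_Flink);
            pCurrentEprocess =
                (PEPROCESS)((ULONG_PTR)pListActiveProcess->Flink - g_Offset_Eprocess_Flink);
            uCount++;
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        KdPrint(("LookupProcessByName:%08x\r\n", GetExceptionCode()));
        status = STATUS_NOT_FOUND;
    }
    return status;
}

/*
 * Driver entry point: registers MyUnload, locates the shadow descriptor table
 * and prints every ServiceTable entry of descriptor index 1 (the second
 * table, which the original identifies as the shadow SSDT) with DbgPrint.
 * The read happens while attached to explorer.exe; the original only says a
 * GUI process is needed for the switch — presumably because index 1 is not
 * usable from a non-GUI context, confirm.
 * Always returns STATUS_SUCCESS, even when nothing was found, so the driver
 * stays loaded until MyUnload runs.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING Reg_Path)
{
    PEPROCESS eprocess_explorer = NULL;

    UNREFERENCED_PARAMETER(Reg_Path);
    pDriverObject->DriverUnload = MyUnload;

    KeServiceDescriptorShadowTable = GetShadowTableAddress();
    if (KeServiceDescriptorShadowTable != NULL) {
        if (LookupProcessByName("explorer.exe", &eprocess_explorer) == STATUS_SUCCESS) {
            ULONG i;
            ULONG count;

            KeAttachProcess(eprocess_explorer);
            count = KeServiceDescriptorShadowTable[1].TableSize;
            for (i = 0; i < count; i++) {
                DbgPrint("Number:%lu Address:0x%08lX\r\n",
                         i, KeServiceDescriptorShadowTable[1].ServiceTable[i]);
            }
            KeDetachProcess();
        }
    }
    return STATUS_SUCCESS;
}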