程序博客网 > 淘宝购物车怎么发链接

基于文件与内容比较检测SSDT变化

来源:互联网 发布:淘宝购物车怎么发链接 编辑:程序博客网 时间:2024/05/16 09:55

在DriverEntry中FindOriAddress(3)得到文件基址中的SSDT索引号为3的函数地址

调试结果如下:



通过脚本查看到的SSDT的信息如下图:


脚本来源于:http://bbs.pediy.com/showthread.php?t=34018

$$ ntcall Script v0.1$$ by 小喂 2006.10.29$$   $$><d:\ntcall.txtaS ufLinkS "<u><col fg=\\\"emphfg\\\"><link name=\\\"%x\\\" cmd=\\\"uf 0x%x\\\">";aS ufLinkE "</link></col></u>";r $t1 = nt!KeServiceDescriptorTable;r $t2 = poi(@$t1 + 8);r $t1 = poi(@$t1);.printf "\nOrd   Address   fnAddr   Symbols\n";.printf "--------------------------------\n\n";.for (r $t0 = 0; @$t0 != @$t2; r $t0 = @$t0 + 1){    r $t3 = poi(@$t1);    .printf /D "[%3d] %X: ${ufLinkS}%X${ufLinkE} (%y)\n", @$t0, @$t1, @$t3, @$t3, @$t3, @$t3;    r $t1 = @$t1 + 4;}.printf "\n- end -\n";ad ufLinkS;ad ufLinkE;


Driver.cpp内容:

#include "Driver.h"//#include <windows.h>#include "ntimage.h"//#include "ntos.h"//#include "wdbgexts.h"//#include "ntdbg.h"//#include <zwapi.h>#include <string.h>/************************************************************************* 函数名称:GetServiceId* 功能描述:取得ntoskrnl.exe SSDT导出函数服务号,(只能取得导出函数)* 参数列表:      FunctionName:函数名* 返回值:返回导出服务号*************************************************************************/ULONG GetServiceId(PCWSTR FunctionName){UNICODE_STRING UnicodeFunctionName;ULONG address;ULONG ServiceId;RtlInitUnicodeString(&UnicodeFunctionName, FunctionName);address = (ULONG)MmGetSystemRoutineAddress(&UnicodeFunctionName);//打印函数地址KdPrint(("[GetServiceId] address:0x%x\n", address));//打印服务号ServiceId = *(PSHORT)(address+1);KdPrint(("[GetServiceId] ServiceId:0x%x\n", ServiceId));return ServiceId;}/************************************************************************* 函数名称:RVA2PTR* 功能描述:根据内存基址,得到RVA对应的文件偏移地址* 参数列表:ULONG ImageBase--文件内存基址*          ULONG Rva--要转换的RVA地址    * 返回值:ULONG 相应的文件偏移地址*************************************************************************/ULONG RVA2PTR(ULONG ImageBase, ULONG Rva){PIMAGE_DOS_HEADER pDosHeader = NULL;PIMAGE_NT_HEADERS pNtHeader = NULL;PIMAGE_OPTIONAL_HEADER pOptHeader = NULL;PIMAGE_SECTION_HEADER pSecHeader = NULL;ULONG dwNumOfSections = 0;ULONG i = 0;ULONG dwFileOffset = 0;pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;pNtHeader = (PIMAGE_NT_HEADERS)((ULONG)ImageBase + pDosHeader->e_lfanew);pOptHeader = (PIMAGE_OPTIONAL_HEADER)&pNtHeader->OptionalHeader;dwNumOfSections = pNtHeader->FileHeader.NumberOfSections;pSecHeader = (PIMAGE_SECTION_HEADER)((ULONG)pOptHeader + pNtHeader->FileHeader.SizeOfOptionalHeader);for (i = 0; i < dwNumOfSections; i++){ULONG dwMinAddr = pSecHeader->VirtualAddress;ULONG dwMaxAddr = dwMinAddr + pSecHeader->Misc.VirtualSize;if (Rva >= dwMinAddr && Rva < dwMaxAddr){dwFileOffset = Rva - dwMinAddr + pSecHeader->PointerToRawData;break;}pSecHeader++;}return dwFileOffset;}/************************************************************************* 函数名称:GetModuleName* 功能描述:从输入的路径中得到程序名* 参数列表:char *processPath  输入的路径名,如D:\peinfo.exe   char *processName  返回的进程名,如peinfo.exe*                * 返回值:返回到参数中,processName*************************************************************************/void GetModuleName(char *processPath, char *processName){ULONG nLen = strlen(processPath) - 1;ULONG i = nLen; KdPrint(("[GetModuleName] i = %d", nLen));while (processPath[i] != '\\'){i = i - 1;}strncpy(processName, processPath+i+1, nLen - i );}/************************************************************************* 函数名称:FindOriAddress* 功能描述:根据SSDT索引号从原始文件中得到SSDT表中的函数地址,用于对比   文件中的SSDT与内存中的SSDT索引中的函数地址是否变化,检测是   否HOOK了SSDT中的函数* 参数列表:ULONG index 索引号*                * 返回值:文件中函数地址*************************************************************************/ULONG FindOriAddress(ULONG index){ULONG size = 0;NTSTATUS status;ULONG baseAddress;PSYSTEM_MODULE_INFORMATION list = NULL;char szFileName[256] = {0};char szKernelName[256] = "\\SystemRoot\\system32\\";UNICODE_STRING unKernelName;ANSI_STRING anKernelName;ULONG rvaOfsstd = 0;ULONG offsetOfsstd = 0;LARGE_INTEGER locationOfServiceId;OBJECT_ATTRIBUTES object_attributes;IO_STATUS_BLOCK io_status = {0};HANDLE hFile;ULONG dwOriAddr;ZwQuerySystemInformation(SystemModuleInformation, &size, 0, &size);KdPrint(("[FindOriAddress]:size:0x%x\n", size));list = (PSYSTEM_MODULE_INFORMATION)ExAllocatePool(NonPagedPool, size);if (NULL == list){KdPrint(("[FindOriAddress]:ExAllocatePool error\n"));ExFreePool(list);return -1;}status = ZwQuerySystemInformation(SystemModuleInformation, list, size, 0);if (!NT_SUCCESS(status)){KdPrint(("[FindOriAddress]:ZwQuerySystemInformation error\n"));ExFreePool(list);return -1;}baseAddress = (ULONG)list->Module[0].Base;KdPrint(("[FindOriAddress]:baseAddress=0x%x\n", baseAddress));//分离出内核文件名GetModuleName(list->Module[0].ImageName, szFileName);KdPrint(("[FindOriAddress]:szFileName=%s\n", szFileName));strcat(szKernelName, szFileName);RtlInitAnsiString(&anKernelName, szKernelName);RtlAnsiStringToUnicodeString(&unKernelName, &anKernelName, TRUE);KdPrint(("[FindOriAddress]:unKernelName=%wZ\n", unKernelName));ExFreePool(list);//得到SSDT表的RVArvaOfsstd = (ULONG)KeServiceDescriptorTable.ServiceTableBase - baseAddress;offsetOfsstd = (ULONG)RVA2PTR(baseAddress, rvaOfsstd);//得到SSDT表的FileOffsetoffsetOfsstd = RVA2PTR(baseAddress, rvaOfsstd);KdPrint(("[FindOriAddress]:offsetOfsstd=0x%x\n", offsetOfsstd));locationOfServiceId.QuadPart = offsetOfsstd + index * 4;KdPrint(("[FindOriAddress]:locationOfServiceId=0x%x\n", locationOfServiceId));KdPrint(("[FindOriAddress]:当前ssdt对应的地址=0x%x\n", locationOfServiceId));InitializeObjectAttributes(&object_attributes, &unKernelName, OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, NULL, NULL);//打开文件status = ZwCreateFile(&hFile,FILE_EXECUTE| SYNCHRONIZE, &object_attributes, &io_status, NULL,FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_RANDOM_ACCESS, NULL, 0);if (!NT_SUCCESS(status)){KdPrint(("[FindOriAddress] error ZwCreateFile\n"));KdPrint(("[FindOriAddress] ntstatus = 0x%x\n", status));return 0;}//读取文件status = ZwReadFile(hFile, NULL, NULL, NULL, NULL, &dwOriAddr, sizeof(ULONG), &locationOfServiceId, NULL);if (!NT_SUCCESS(status)){KdPrint(("[FindOriAddress] error ZwReadFile\n"));KdPrint(("[FindOriAddress] ntstatus = 0x%x\n", status));return 0;}//重定位dwOriAddr = baseAddress - 0x400000 + dwOriAddr;KdPrint(("[FindOriAddress] dwOriAddr = 0x%x\n", dwOriAddr));RtlFreeUnicodeString(&unKernelName);return dwOriAddr;}/************************************************************************* 函数名称:FindModuleByAddress* 功能描述:根据输入的内核地址,返回该地址所在的模块路径* 参数列表:ULONG Address---要查询的内核地址*          PVOID name_buffer---接收返回的模块路径      * 返回值:无,返回模块路径到参数name_buffer中*************************************************************************/void FindModuleByAddress(ULONG Address, PVOID name_buffer){ULONG size = 0;PSYSTEM_MODULE_INFORMATION list;NTSTATUS status;ULONG i = 0;ULONG minAddress = 0;ULONG maxAddress = 0;ZwQuerySystemInformation(SystemModuleInformation, &size, 0, &size);KdPrint(("[FindModuleByAddress]:size:0x%x\n", size));list = (PSYSTEM_MODULE_INFORMATION)ExAllocatePool(NonPagedPool, size);if (NULL == list){KdPrint(("[FindModuleByAddress]:ExAllocatePool error\n"));ExFreePool(list);return ;}status = ZwQuerySystemInformation(SystemModuleInformation, list, size, 0);if (!NT_SUCCESS(status)){KdPrint(("[FindModuleByAddress]:ZwQuerySystemInformation error\n"));ExFreePool(list);return ;}for (i = 0; i < list->Count; i++){minAddress = (ULONG)list->Module[i].Base;maxAddress = minAddress + list->Module[i].Size;if (Address >= minAddress && Address <= maxAddress){memcpy(name_buffer, list->Module[i].ImageName, sizeof(list->Module[i].ImageName));KdPrint(("[FindModuleByAddress]:ModuleName:%s \n", name_buffer));ExFreePool(list);return ;}}ExFreePool(list);return;}/************************************************************************* 函数名称:GetFunctionId* 功能描述:解析ntdll.dll的IAT,得到ssdt函数的服务号* 参数列表:PUNICODE_STRING DllName---Dll名称*          FunctionName---要查找的函数名称      * 返回值:返回导出服务号*************************************************************************/ULONG GetFunctionId(PUNICODE_STRING DllName, char* FunctionName){ULONG ServiceId = 0; NTSTATUS ntstatus;HANDLE hFile = NULL;HANDLE hSection = NULL;OBJECT_ATTRIBUTES object_attributes;IO_STATUS_BLOCK io_status = {0};PVOID baseaddress = NULL;SIZE_T size = 0;ULONG virual_size = 0;PVOID ModuleBase = NULL;ULONG addr = 0;//偏移量ULONG dwOffset  = 0;PIMAGE_DOS_HEADER pDosHeader = NULL;PIMAGE_NT_HEADERS pNTHeader = NULL;IMAGE_DATA_DIRECTORY DataDirectory = {0};PIMAGE_EXPORT_DIRECTORY pExportDirectory = NULL;PULONG functions = NULL;PUSHORT ordinals = NULL;PULONG names = NULL;ULONG iNumOfName = 0;ULONG iNumOfFuncs = 0;ULONG pFuncAddr = 0; ULONG i = 0;ULONG j = 0;InitializeObjectAttributes(&object_attributes, DllName, OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, NULL, NULL);//打开文件ntstatus = ZwCreateFile(&hFile,FILE_EXECUTE| SYNCHRONIZE, &object_attributes, &io_status, NULL,FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_RANDOM_ACCESS, NULL, 0);if (!NT_SUCCESS(ntstatus)){KdPrint(("[GetFunctionAddress] error ZwCreateFile\n"));KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));return 0;}InitializeObjectAttributes(&object_attributes, NULL, OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, NULL, NULL);//创建区段ntstatus = ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &object_attributes, 0, PAGE_EXECUTE, SEC_IMAGE, hFile);if (!NT_SUCCESS(ntstatus)){KdPrint(("[GetFunctionAddress] error ZwCreateSection\n"));KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));ZwClose(hFile);return 0;}//映射区段到进程内存地址空间ntstatus = ZwMapViewOfSection(hSection, NtCurrentProcess(), &baseaddress, 0, 1024, 0, &size, (SECTION_INHERIT)ViewShare  , MEM_TOP_DOWN, PAGE_READWRITE);if (!NT_SUCCESS(ntstatus)){KdPrint(("[GetFunctionAddress] error ZwMapViewOfSection\n"));KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));ZwClose(hSection);ZwClose(hFile);return 0;}ZwClose(hFile);//得到模块基址dwOffset = (ULONG)baseaddress;//验证基址KdPrint(("[GetFunctionAddress] baseaddress = 0x%x\n", dwOffset));//Dos头部pDosHeader = (PIMAGE_DOS_HEADER)baseaddress;//PE文件头pNTHeader = (PIMAGE_NT_HEADERS)( (ULONG)baseaddress + pDosHeader->e_lfanew);KdPrint(("[GetFunctionAddress] pNTHeader = 0x%x\n", pNTHeader));//数据目录 DataDirectory = (IMAGE_DATA_DIRECTORY)(pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]); // + IMAGE_DIRECTORY_ENTRY_EXPORTKdPrint(("[GetFunctionAddress] DataDirectory = 0x%x\n", DataDirectory));addr = DataDirectory.VirtualAddress;virual_size = DataDirectory.Size;//导出表pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((ULONG)baseaddress + addr);//导出表的三个数组指针 functions =  (PULONG)( (ULONG)baseaddress + pExportDirectory->AddressOfFunctions );ordinals = (PUSHORT)((ULONG)baseaddress + pExportDirectory->AddressOfNameOrdinals);names = (PULONG)((ULONG)baseaddress + pExportDirectory->AddressOfNames);iNumOfName = (ULONG)pExportDirectory->NumberOfNames;iNumOfFuncs = (ULONG)pExportDirectory->NumberOfFunctions;for( i=0; i < iNumOfFuncs; i++)       //i<AddressOfFunctions 中个元素个数{if(*functions)                         //AddressOfFunctions  VA != NULL{    for( j = 0; j < iNumOfName; j++)                  // j < NumberOfNames{if(i==ordinals[j])               //pwOrds is a pointer to AddressOfNameOrdinals{  PCHAR pCurFuncName=(PCHAR)baseaddress + names[j];KdPrint(("[GetFunctionAddress] funcName:%s\n", pCurFuncName));if (strcmp(pCurFuncName, FunctionName) == 0){ULONG offsetfunction = *functions;pFuncAddr = (ULONG)((ULONG)baseaddress + functions[0]);ULONG pFuncAddr2 = (ULONG)((ULONG)baseaddress + offsetfunction);KdPrint(("[GetFunctionAddress]:pFuncAddr:0x%x\n",  pFuncAddr));KdPrint(("[GetFunctionAddress]:pFuncAddr2:0x%x\n",  pFuncAddr2));break;}}}functions++;}break;}KdPrint(("[GetFunctionAddress]:%s:0x%x\n", FunctionName, pFuncAddr));//ServiceId = *(PSHORT)(pFuncAddr+1);ServiceId = 1;KdPrint(("[GetFunctionAddress]:ServiceId:0x%x\n", ServiceId));ZwUnmapViewOfSection(NtCurrentProcess(), baseaddress);ZwClose(hSection);return ServiceId;}/************************************************************************* 函数名称:DriverEntry* 功能描述:初始化驱动程序,定位和申请硬件资源,创建内核对象* 参数列表:      pDriverObject:从I/O管理器中传进来的驱动对象      pRegistryPath:驱动程序在注册表的中的路径* 返回 值:返回初始化驱动状态*************************************************************************/#pragma INITCODEextern "C" NTSTATUS DriverEntry (IN PDRIVER_OBJECT pDriverObject,IN PUNICODE_STRING pRegistryPath) {_asm int 3NTSTATUS status;KdPrint(("Enter DriverEntry\n"));GetServiceId(L"ZwCreateFile");KdPrint(("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n"));UNICODE_STRING dllName;ULONG ZwCreateProcessEx_ServiceId;RtlInitUnicodeString(&dllName, L"\\??\\c:\\windows\\system32\\ntdll.dll");ZwCreateProcessEx_ServiceId = GetFunctionId(&dllName, "ZwCreateProcessEx");KdPrint(("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\n"));KdPrint(("enter FindOriAddress\n"));FindOriAddress(3);KdPrint(("out FindOriAddress\n"));//注册其他驱动调用函数入口pDriverObject->DriverUnload = HelloDDKUnload;pDriverObject->MajorFunction[IRP_MJ_CREATE] = HelloDDKDispatchRoutine;pDriverObject->MajorFunction[IRP_MJ_CLOSE] = HelloDDKDispatchRoutine;pDriverObject->MajorFunction[IRP_MJ_WRITE] = HelloDDKDispatchRoutine;pDriverObject->MajorFunction[IRP_MJ_READ] = HelloDDKDispatchRoutine;//创建驱动设备对象status = CreateDevice(pDriverObject);KdPrint(("DriverEntry end\n"));return status;}/************************************************************************* 函数名称:CreateDevice* 功能描述:初始化设备对象* 参数列表:      pDriverObject:从I/O管理器中传进来的驱动对象* 返回 值:返回初始化状态*************************************************************************/#pragma INITCODENTSTATUS CreateDevice (IN PDRIVER_OBJECTpDriverObject) {NTSTATUS status;PDEVICE_OBJECT pDevObj;PDEVICE_EXTENSION pDevExt;//创建设备名称UNICODE_STRING devName;RtlInitUnicodeString(&devName,L"\\Device\\MyDDKDevice");//创建设备status = IoCreateDevice( pDriverObject,sizeof(DEVICE_EXTENSION),&(UNICODE_STRING)devName,FILE_DEVICE_UNKNOWN,0, TRUE,&pDevObj );if (!NT_SUCCESS(status))return status;pDevObj->Flags |= DO_BUFFERED_IO;pDevExt = (PDEVICE_EXTENSION)pDevObj->DeviceExtension;pDevExt->pDevice = pDevObj;pDevExt->ustrDeviceName = devName;//创建符号链接UNICODE_STRING symLinkName;RtlInitUnicodeString(&symLinkName,L"\\??\\HelloDDK");pDevExt->ustrSymLinkName = symLinkName;status = IoCreateSymbolicLink( &symLinkName,&devName );if (!NT_SUCCESS(status)) {IoDeleteDevice( pDevObj );return status;}return STATUS_SUCCESS;}/************************************************************************* 函数名称:HelloDDKUnload* 功能描述:负责驱动程序的卸载操作* 参数列表:      pDriverObject:驱动对象* 返回 值:返回状态*************************************************************************/#pragma PAGEDCODEVOID HelloDDKUnload (IN PDRIVER_OBJECT pDriverObject) {PDEVICE_OBJECTpNextObj;KdPrint(("Enter DriverUnload\n"));pNextObj = pDriverObject->DeviceObject;while (pNextObj != NULL) {PDEVICE_EXTENSION pDevExt = (PDEVICE_EXTENSION)pNextObj->DeviceExtension;//删除符号链接UNICODE_STRING pLinkName = pDevExt->ustrSymLinkName;IoDeleteSymbolicLink(&pLinkName);pNextObj = pNextObj->NextDevice;IoDeleteDevice( pDevExt->pDevice );}}/************************************************************************* 函数名称:HelloDDKDispatchRoutine* 功能描述:对读IRP进行处理* 参数列表:      pDevObj:功能设备对象      pIrp:从IO请求包* 返回 值:返回状态*************************************************************************/#pragma PAGEDCODENTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp) {KdPrint(("Enter HelloDDKDispatchRoutine\n"));NTSTATUS status = STATUS_SUCCESS;// 完成IRPpIrp->IoStatus.Status = status;pIrp->IoStatus.Information = 0;// bytes xferedIoCompleteRequest( pIrp, IO_NO_INCREMENT );KdPrint(("Leave HelloDDKDispatchRoutine\n"));return status;}

Driver.h内容如下:

/************************************************************************* 文件名称:Driver.h                                                 *************************************************************************/#pragma once#ifdef __cplusplusextern "C"{#endif#include <NTDDK.h>#ifdef __cplusplus}#endif #define PAGEDCODE code_seg("PAGE")#define LOCKEDCODE code_seg()#define INITCODE code_seg("INIT")#define PAGEDDATA data_seg("PAGE")#define LOCKEDDATA data_seg()#define INITDATA data_seg("INIT")#define arraysize(p) (sizeof(p)/sizeof((p)[0]))typedef struct _DEVICE_EXTENSION {PDEVICE_OBJECT pDevice;UNICODE_STRING ustrDeviceName;//设备名称UNICODE_STRING ustrSymLinkName;//符号链接名} DEVICE_EXTENSION, *PDEVICE_EXTENSION;typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {HANDLE Section;PVOID MappedBase;PVOID Base;ULONG Size;ULONG Flags;USHORT LoadOrderIndex;USHORT InitOrderIndex;USHORT LoadCount;USHORT PathLength;CHAR ImageName[256];} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;typedef struct _SYSTEM_MODULE_INFORMATION {ULONG Count;SYSTEM_MODULE_INFORMATION_ENTRY Module[1];} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;typedef enum _SYSTEM_INFORMATION_CLASS{SystemBasicInformation,//  0 Y NSystemProcessorInformation,//  1 Y NSystemPerformanceInformation,//  2 Y NSystemTimeOfDayInformation,//  3 Y NSystemNotImplemented1,//  4 Y NSystemProcessesAndThreadsInformation,//  5 Y NSystemCallCounts,//  6 Y NSystemConfigurationInformation,//  7 Y NSystemProcessorTimes,//  8 Y NSystemGlobalFlag,//  9 Y YSystemNotImplemented2,// 10 Y NSystemModuleInformation,// 11 Y NSystemLockInformation,// 12 Y NSystemNotImplemented3,// 13 Y NSystemNotImplemented4,// 14 Y NSystemNotImplemented5,// 15 Y NSystemHandleInformation,// 16 Y NSystemObjectInformation,// 17 Y NSystemPagefileInformation,// 18 Y NSystemInstructionEmulationCounts,// 19 Y NSystemInvalidInfoClass1,// 20SystemCacheInformation,// 21 Y YSystemPoolTagInformation,// 22 Y NSystemProcessorStatistics,// 23 Y NSystemDpcInformation,// 24 Y YSystemNotImplemented6,// 25 Y NSystemLoadImage,// 26 N YSystemUnloadImage,// 27 N YSystemTimeAdjustment,// 28 Y YSystemNotImplemented7,// 29 Y NSystemNotImplemented8,// 30 Y NSystemNotImplemented9,// 31 Y NSystemCrashDumpInformation,// 32 Y NSystemExceptionInformation,// 33 Y NSystemCrashDumpStateInformation,// 34 Y Y/NSystemKernelDebuggerInformation,// 35 Y NSystemContextSwitchInformation,// 36 Y NSystemRegistryQuotaInformation,// 37 Y YSystemLoadAndCallImage,// 38 N YSystemPrioritySeparation,// 39 N YSystemNotImplemented10,// 40 Y NSystemNotImplemented11,// 41 Y NSystemInvalidInfoClass2,// 42SystemInvalidInfoClass3,// 43SystemTimeZoneInformation,// 44 Y NSystemLookasideInformation,// 45 Y NSystemSetTimeSlipEvent,// 46 N YSystemCreateSession,// 47 N YSystemDeleteSession,// 48 N YSystemInvalidInfoClass4,// 49SystemRangeStartInformation,// 50 Y NSystemVerifierInformation,// 51 Y YSystemAddVerifier,// 52 N YSystemSessionProcessesInformation// 53 Y N} SYSTEM_INFORMATION_CLASS;#pragma pack(1)  typedef struct ServiceDescriptorEntry{      unsigned int *ServiceTableBase;      unsigned int *ServiceCountTableBase;      unsigned int NumberOfServices;      unsigned char *ParamTableBase;  }ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;  #pragma pack()  extern "C" __declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;  extern "C"  NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(    IN ULONG SystemInformationClass,    IN PVOID SystemInformation,    IN ULONG SystemInformationLength,    OUT PULONG ReturnLength);  // 函数声明NTSTATUS CreateDevice (IN PDRIVER_OBJECT pDriverObject);VOID HelloDDKUnload (IN PDRIVER_OBJECT pDriverObject);NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp);ULONG GetServiceId(PCWSTR FunctionName);ULONG GetFunctionId(PUNICODE_STRING DllName, char* FunctionName);void FindModuleByAddress(ULONG Address, PVOID buffer);ULONG RVA2PTR(ULONG ImageBase, ULONG Rva);void GetModuleName(char *processPath, char *processName);ULONG FindOriAddress(ULONG index);


淘宝购物车怎么发链接 淘宝购物车怎么发链接
原创粉丝点击
热门IT博客
怎么在淘宝上赚钱怎么在淘宝上赚钱
java项目的心得体会java项目的心得体会
linux如何删除出文件
淘宝第三方平台有哪些
免费相册视频制作软件
送货单软件排行
儿童拼音软件
象棋高手学软件
社交网络英文翻译
林萍在日本 淘宝
淘宝微海报在哪里设置
淘宝网凤意羽绒服女装
北京海量数据招聘
简述linux unix gnu
java new的用法
sql replace 正则
网络打印app
缠中说禅用的炒股软件
mac pro 13高清壁纸
汕头 经济特区 知乎
热门问题 老师的惩罚 人脸识别 我在镇武司摸鱼那些年 重生之率土为王 我在大康的咸鱼生活 盘龙之生命进化 天生仙种 凡人之先天五行 春回大明朝 姑娘不必设防,我是瞎子 台北旅行攻略 台北有什么好玩的 台北游玩攻略 台北故宫博物院旅游 台北旅游景点 台北酒店攻略 花莲到台北怎么走 台北君悦酒店 台北一日游攻略 台北免税店购物攻略 台北桃园机场 台北松山机场 台北故宫门票 台北王朝大酒店 花莲到台北交通 台北旅行路线 台北晶华酒店 花莲到台北时刻表 台北必去景点 台北温泉酒店 台北自由行价格 台北大安森林公园 太北 京台高速能到台北吗 台南 台南市 厦门市和台南市的市树 两张电信卡可以放一台手机吗 台卡图片 九台卡伦招聘信息 台卡架 展示牌 桌牌台卡 台卡批发 促销台卡 桌卡台卡 台卡设计 台卡模板 台卡制作 台卡尺寸 姓名台卡 展示牌台卡

程序博客网,程序员的互联网技术博客家园。csdn论坛精品 msdn技术资料都在这里