另一种简便的Ring0恢复SSDTShadow主要源码
//Ring0恢复SSDTShadow主要源码 By VirusWizard
//主要思路和恢复SSDT是一样的。不多说了
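NTSTATUS GetOrigShadowTable(
)
{
    /*
     * Read the original (on-disk) SSDT Shadow service table from
     * \SystemRoot\System32\win32k.sys into the global g_pOrigSSDTShadow.
     *
     * The live table KeServiceDescriptorTableShadow[1] supplies the entry
     * count (.Limit) and the virtual address of the table (.Base); the
     * address is turned into a file offset with RvaToOffset() against the
     * PE headers of the loaded image (g_pWin32kBase) and the table is read
     * from that position in the file.
     *
     * Returns: STATUS_SUCCESS only when the complete table was read into
     *   g_pOrigSSDTShadow; any other NTSTATUS on failure. On failure the
     *   pool block is freed and g_pOrigSSDTShadow is reset to NULL so a
     *   caller can never operate on a half-filled buffer.
     *
     * NOTE(review): the values read here are whatever the PE image stores
     *   on disk (not relocated). If win32k.sys is not loaded at its
     *   preferred ImageBase, the code that later compares or restores
     *   entries presumably has to apply the load delta — confirm in the
     *   restore routine, which is not part of this function.
     * NOTE(review): an earlier g_pOrigSSDTShadow allocation is overwritten
     *   without being freed; verify callers invoke this only once.
     * Requires PASSIVE_LEVEL (Zw* file I/O, PagedPool buffer).
     */
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    HANDLE hFile = NULL;
    OBJECT_ATTRIBUTES ObjAttr = {0};
    UNICODE_STRING ustrWin32k = {0};
    IO_STATUS_BLOCK ioStatus = {0};
    PIMAGE_NT_HEADERS pNtHdr = NULL;
    LARGE_INTEGER Offset = {0};
    ULONG ulOffsetOfShadow = 0;
    ULONG cbTable = 0;          /* bytes occupied by .Limit entries */
    ULONG i = 0;

    if (!KeServiceDescriptorTableShadow)
    {
        return STATUS_UNSUCCESSFUL;
    }

    cbTable = (ULONG)(KeServiceDescriptorTableShadow[1].Limit * sizeof(ULONG));
    dprintf("CountOfSSDTShadow : %u\n", KeServiceDescriptorTableShadow[1].Limit + 1);

    /* One spare entry, as in the original: the allocation stays strictly
       larger than the cbTable bytes read below. */
    g_pOrigSSDTShadow = ExAllocatePool(PagedPool, cbTable + sizeof(ULONG));
    if (!g_pOrigSSDTShadow)
    {
        dprintf("[GetOrigShadowTable] AllocateMemory Error.\n");
        return STATUS_UNSUCCESSFUL;
    }

    RtlInitUnicodeString(&ustrWin32k, L"\\SystemRoot\\System32\\win32k.sys");
    dprintf("ustrWin32k : %S.\n", ustrWin32k.Buffer);

    /* OBJ_KERNEL_HANDLE keeps the handle out of the calling process' table. */
    InitializeObjectAttributes(
        &ObjAttr,
        &ustrWin32k,
        OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
        NULL,
        NULL
    );

    /* Synchronous, read-only open: ioStatus is valid as soon as the calls return. */
    status = ZwCreateFile(
        &hFile,
        GENERIC_READ,
        &ObjAttr,
        &ioStatus,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ,
        FILE_OPEN,
        FILE_NON_DIRECTORY_FILE | FILE_RANDOM_ACCESS | FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,
        0
    );
    if (!NT_SUCCESS(status))
    {
        dprintf("ZwCreateFile Error.status = 0x%08X.\n", status);
        goto cleanup;
    }

    pNtHdr = RtlImageNtHeader(g_pWin32kBase);
    if (!pNtHdr)
    {
        /* No valid PE header at g_pWin32kBase: the RVA maths below would be meaningless. */
        dprintf("[GetOrigShadowTable] RtlImageNtHeader Error.\n");
        status = STATUS_UNSUCCESSFUL;
        goto cleanup;
    }

    /* 32-bit only: both addresses are truncated to ULONG before the subtraction. */
    ulOffsetOfShadow = RvaToOffset(pNtHdr,
        (ULONG)KeServiceDescriptorTableShadow[1].Base - (ULONG)g_pWin32kBase);
    dprintf("ulOffsetOfSSDT : 0x%08X.\n", ulOffsetOfShadow);
    if (!ulOffsetOfShadow)
    {
        /* Previously this fell through to the exit with the ZwCreateFile
           success status and an unfilled buffer. */
        dprintf("[GetOrigShadowTable] RvaToOffset Error.\n");
        status = STATUS_UNSUCCESSFUL;
        goto cleanup;
    }

    Offset.LowPart = ulOffsetOfShadow;
    Offset.HighPart = 0;
    status = ZwReadFile(
        hFile,
        NULL,
        NULL,
        NULL,
        &ioStatus,
        g_pOrigSSDTShadow,
        cbTable,
        &Offset,
        NULL
    );
    if (!NT_SUCCESS(status))
    {
        dprintf("ZwReadFile Error.status = 0x%08X.\n", status);
        goto cleanup;
    }
    /* A short read (truncated or tampered file) would leave trailing entries uninitialised. */
    if (ioStatus.Information < cbTable)
    {
        dprintf("[GetOrigShadowTable] Short read: %u of %u bytes.\n",
            (ULONG)ioStatus.Information, cbTable);
        status = STATUS_UNSUCCESSFUL;
        goto cleanup;
    }

    dprintf("ReadOrigShadowSuccess.\n");
    for (i = 0; i < KeServiceDescriptorTableShadow[1].Limit; i++)
    {
        /* Print the i-th entry; the original printed the buffer pointer every iteration. */
        dprintf("Index : 0x%03X,ShadowRoutineAddr : 0x%08X\n", i, ((ULONG *)g_pOrigSSDTShadow)[i]);
    }

cleanup:
    if (hFile)
    {
        ZwClose(hFile);
    }
    if (!NT_SUCCESS(status) && g_pOrigSSDTShadow)
    {
        /* Neither leak the pool block nor expose a partially-filled table. */
        ExFreePool(g_pOrigSSDTShadow);
        g_pOrigSSDTShadow = NULL;
    }
    return status;
}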
//主要思路和恢复SSDT是一样的。不多说了
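NTSTATUS GetOrigShadowTable(
)
{
    /*
     * Read the original (on-disk) SSDT Shadow service table from
     * \SystemRoot\System32\win32k.sys into the global g_pOrigSSDTShadow.
     *
     * The live table KeServiceDescriptorTableShadow[1] supplies the entry
     * count (.Limit) and the virtual address of the table (.Base); the
     * address is turned into a file offset with RvaToOffset() against the
     * PE headers of the loaded image (g_pWin32kBase) and the table is read
     * from that position in the file.
     *
     * Returns: STATUS_SUCCESS only when the complete table was read into
     *   g_pOrigSSDTShadow; any other NTSTATUS on failure. On failure the
     *   pool block is freed and g_pOrigSSDTShadow is reset to NULL so a
     *   caller can never operate on a half-filled buffer.
     *
     * NOTE(review): the values read here are whatever the PE image stores
     *   on disk (not relocated). If win32k.sys is not loaded at its
     *   preferred ImageBase, the code that later compares or restores
     *   entries presumably has to apply the load delta — confirm in the
     *   restore routine, which is not part of this function.
     * NOTE(review): an earlier g_pOrigSSDTShadow allocation is overwritten
     *   without being freed; verify callers invoke this only once.
     * Requires PASSIVE_LEVEL (Zw* file I/O, PagedPool buffer).
     */
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    HANDLE hFile = NULL;
    OBJECT_ATTRIBUTES ObjAttr = {0};
    UNICODE_STRING ustrWin32k = {0};
    IO_STATUS_BLOCK ioStatus = {0};
    PIMAGE_NT_HEADERS pNtHdr = NULL;
    LARGE_INTEGER Offset = {0};
    ULONG ulOffsetOfShadow = 0;
    ULONG cbTable = 0;          /* bytes occupied by .Limit entries */
    ULONG i = 0;

    if (!KeServiceDescriptorTableShadow)
    {
        return STATUS_UNSUCCESSFUL;
    }

    cbTable = (ULONG)(KeServiceDescriptorTableShadow[1].Limit * sizeof(ULONG));
    dprintf("CountOfSSDTShadow : %u\n", KeServiceDescriptorTableShadow[1].Limit + 1);

    /* One spare entry, as in the original: the allocation stays strictly
       larger than the cbTable bytes read below. */
    g_pOrigSSDTShadow = ExAllocatePool(PagedPool, cbTable + sizeof(ULONG));
    if (!g_pOrigSSDTShadow)
    {
        dprintf("[GetOrigShadowTable] AllocateMemory Error.\n");
        return STATUS_UNSUCCESSFUL;
    }

    RtlInitUnicodeString(&ustrWin32k, L"\\SystemRoot\\System32\\win32k.sys");
    dprintf("ustrWin32k : %S.\n", ustrWin32k.Buffer);

    /* OBJ_KERNEL_HANDLE keeps the handle out of the calling process' table. */
    InitializeObjectAttributes(
        &ObjAttr,
        &ustrWin32k,
        OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
        NULL,
        NULL
    );

    /* Synchronous, read-only open: ioStatus is valid as soon as the calls return. */
    status = ZwCreateFile(
        &hFile,
        GENERIC_READ,
        &ObjAttr,
        &ioStatus,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ,
        FILE_OPEN,
        FILE_NON_DIRECTORY_FILE | FILE_RANDOM_ACCESS | FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,
        0
    );
    if (!NT_SUCCESS(status))
    {
        dprintf("ZwCreateFile Error.status = 0x%08X.\n", status);
        goto cleanup;
    }

    pNtHdr = RtlImageNtHeader(g_pWin32kBase);
    if (!pNtHdr)
    {
        /* No valid PE header at g_pWin32kBase: the RVA maths below would be meaningless. */
        dprintf("[GetOrigShadowTable] RtlImageNtHeader Error.\n");
        status = STATUS_UNSUCCESSFUL;
        goto cleanup;
    }

    /* 32-bit only: both addresses are truncated to ULONG before the subtraction. */
    ulOffsetOfShadow = RvaToOffset(pNtHdr,
        (ULONG)KeServiceDescriptorTableShadow[1].Base - (ULONG)g_pWin32kBase);
    dprintf("ulOffsetOfSSDT : 0x%08X.\n", ulOffsetOfShadow);
    if (!ulOffsetOfShadow)
    {
        /* Previously this fell through to the exit with the ZwCreateFile
           success status and an unfilled buffer. */
        dprintf("[GetOrigShadowTable] RvaToOffset Error.\n");
        status = STATUS_UNSUCCESSFUL;
        goto cleanup;
    }

    Offset.LowPart = ulOffsetOfShadow;
    Offset.HighPart = 0;
    status = ZwReadFile(
        hFile,
        NULL,
        NULL,
        NULL,
        &ioStatus,
        g_pOrigSSDTShadow,
        cbTable,
        &Offset,
        NULL
    );
    if (!NT_SUCCESS(status))
    {
        dprintf("ZwReadFile Error.status = 0x%08X.\n", status);
        goto cleanup;
    }
    /* A short read (truncated or tampered file) would leave trailing entries uninitialised. */
    if (ioStatus.Information < cbTable)
    {
        dprintf("[GetOrigShadowTable] Short read: %u of %u bytes.\n",
            (ULONG)ioStatus.Information, cbTable);
        status = STATUS_UNSUCCESSFUL;
        goto cleanup;
    }

    dprintf("ReadOrigShadowSuccess.\n");
    for (i = 0; i < KeServiceDescriptorTableShadow[1].Limit; i++)
    {
        /* Print the i-th entry; the original printed the buffer pointer every iteration. */
        dprintf("Index : 0x%03X,ShadowRoutineAddr : 0x%08X\n", i, ((ULONG *)g_pOrigSSDTShadow)[i]);
    }

cleanup:
    if (hFile)
    {
        ZwClose(hFile);
    }
    if (!NT_SUCCESS(status) && g_pOrigSSDTShadow)
    {
        /* Neither leak the pool block nor expose a partially-filled table. */
        ExFreePool(g_pOrigSSDTShadow);
        g_pOrigSSDTShadow = NULL;
    }
    return status;
}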