bgPrint("[LyShark] 特征码匹配地址: %p \n", (PUCHAR)base + i);
return STATUS_SUCCESS;
}
}
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
return STATUS_UNHANDLED_EXCEPTION;
}
return STATUS_NOT_FOUND;
}
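// 扫描代码段中的指令片段
/*
 * Scan one PE section of the first kernel module for a byte pattern.
 *
 * section  - NUL-terminated section name to look for (e.g. ".text"); it is
 *            compared case-insensitively against each 8-byte PE section name.
 * pattern  - bytes to match, 'len' bytes long; the 'wildcard' byte is passed
 *            through to UtilLySharkSearchPattern, which defines its meaning.
 * ppFound  - receives the address of the first match; must not be NULL.
 *
 * Returns STATUS_SUCCESS with *ppFound set; STATUS_NOT_FOUND when the kernel
 * base or the named section cannot be located (or no match exists);
 * STATUS_INVALID_IMAGE_FORMAT when the PE header is unreadable;
 * STATUS_INVALID_PARAMETER for a NULL ppFound/pattern or a zero length.
 * Any other code comes from UtilLySharkSearchPattern.
 */
NTSTATUS ByLySharkComUtilScanSection(IN PCCHAR section, IN PUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, OUT PVOID* ppFound)
{
    NT_ASSERT(ppFound != 0);
    if (ppFound == 0)
        return STATUS_INVALID_PARAMETER;
    // An empty pattern cannot meaningfully match anything; reject it up front
    // instead of handing it to the search routine.
    if (pattern == NULL || len == 0)
        return STATUS_INVALID_PARAMETER;
    // 获取内核第一个模块的基地址
    PVOID base = LySharkToolsUtilKernelBase(0);
    if (!base)
        return STATUS_NOT_FOUND;
    // 得到NT头部PE32+结构
    PIMAGE_NT_HEADERS64 pHdr = RtlImageNtHeader(base);
    if (!pHdr)
        return STATUS_INVALID_IMAGE_FORMAT;
    // The wanted name is loop-invariant; build its ANSI_STRING once.
    ANSI_STRING LySharkSection;
    RtlInitAnsiString(&LySharkSection, section);
    // 首先寻找代码段
    PIMAGE_SECTION_HEADER pFirstSection = (PIMAGE_SECTION_HEADER)(pHdr + 1);
    PIMAGE_SECTION_HEADER pEnd = pFirstSection + pHdr->FileHeader.NumberOfSections;
    for (PIMAGE_SECTION_HEADER pSection = pFirstSection; pSection < pEnd; pSection++)
    {
        // PE section names are 8 bytes and are NOT NUL-terminated when all
        // 8 bytes are used. RtlInitAnsiString would run strlen() past the
        // field in that case, so bound the length by hand.
        USHORT nameLen = 0;
        while (nameLen < sizeof(pSection->Name) && pSection->Name[nameLen] != '\0')
            nameLen++;
        ANSI_STRING LySharkText;
        LySharkText.Buffer = (PCHAR)pSection->Name;
        LySharkText.Length = nameLen;
        LySharkText.MaximumLength = nameLen;
        // 判断是不是我们要找的.text节 (case-insensitive compare, 0 == equal)
        if (RtlCompareString(&LySharkSection, &LySharkText, TRUE) == 0)
        {
            // 如果是则开始匹配特征码 -- search the section's in-memory range only
            return UtilLySharkSearchPattern(pattern, wildcard, len, (PUCHAR)base + pSection->VirtualAddress, pSection->Misc.VirtualSize, ppFound);
        }
    }
    return STATUS_NOT_FOUND;
}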
/*
 * Driver unload callback. The driver keeps no state that needs releasing,
 * so this only emits a debug message.
 */
VOID UnDriver(PDRIVER_OBJECT driver)
{
    (void)driver;   // nothing per-driver to tear down
    DbgPrint("Uninstall Driver Is OK \n");
}
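/*
 * Driver entry point. Logs the OS version and, only on Windows 10 build
 * 18363, scans the kernel's .text section for a fixed byte pattern; the
 * first hit is stored in m_MiProcessLoaderEntry and logged.
 *
 * Driver       - driver object; its DriverUnload is always set to UnDriver.
 * RegistryPath - unused.
 *
 * Returns STATUS_SUCCESS in every case; version-query or scan failures are
 * logged rather than reported to the loader.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
    (void)RegistryPath;
    DbgPrint("hello lyshark.com \n");
    PMiProcessLoaderEntry m_MiProcessLoaderEntry = NULL;
    RTL_OSVERSIONINFOW Version = { 0 };
    Version.dwOSVersionInfoSize = sizeof(Version);
    // RtlGetVersion reports failure via NTSTATUS; without a valid record the
    // build check below would silently compare against zeros.
    NTSTATUS status = RtlGetVersion(&Version);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("[LyShark] RtlGetVersion failed: 0x%08lX \n", (ULONG)status);
    }
    else
    {
        //获取内核版本号 -- the dw* fields are ULONG, so %lu (not %d) is required
        DbgPrint("主版本: %lu -->次版本: %lu --> 编译版本: %lu", Version.dwMajorVersion, Version.dwMinorVersion, Version.dwBuildNumber);
        // 如果是 win10 18363 则匹配特征
        // The pattern below is tied to this exact build; any other build is
        // skipped rather than risking a false match.
        if (Version.dwMajorVersion == 10 && Version.dwBuildNumber == 18363)
        {
            CHAR pattern[] = "\x48\x89\x5c\x24\x08";
            ULONG_PTR pattern_size = sizeof(pattern) - 1;   // exclude the string NUL
            status = ByLySharkComUtilScanSection(".text", (PUCHAR)pattern, 0xCC, pattern_size, (PVOID *)&m_MiProcessLoaderEntry);
            if (NT_SUCCESS(status))
            {
                // A five-byte signature is short; the first hit is only logged
                // here and must be validated before being treated as the target.
                DbgPrint("[LyShark] 输出首地址: %p", m_MiProcessLoaderEntry);
            }
            else
            {
                // Previously the (possibly NULL) pointer was printed regardless
                // of the scan result; report the failure code instead.
                DbgPrint("[LyShark] 特征码扫描失败: 0x%08lX \n", (ULONG)status);
            }
        }
    }
    Driver->DriverUnload = UnDriver;
    return STATUS_SUCCESS;
}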
代码中首先判断系统版本是否为 Windows 10 18363，如果是则执行匹配，且只匹配 .text 也就是代码段中的数据；当遇到 0xcc 时则取消继续，否则继续执行枚举。程序输出效果如下所示。
在 WinDBG 中输入命令 `!dh 0xfffff8007f600000` 解析出内核 PE 头数据，可以看到如下所示，对比无误。