[LyShark.com] 特征码匹配地址: %p \n", (PUCHAR)base + i);
return STATUS_SUCCESS;
}
}
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
return STATUS_UNHANDLED_EXCEPTION;
}
return STATUS_NOT_FOUND;
}
VOID UnDriver(PDRIVER_OBJECT driver)
{
DbgPrint(("Uninstall Driver Is OK \n"));
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
DbgPrint(("hello lyshark.com \n"));
// 返回匹配长度5
CHAR pattern[] = "\x48\x89\x6c\x24\x10";
PVOID *find_address = NULL;
int pattern_size = sizeof(pattern) - 1;
DbgPrint("匹配长度: %d \n", pattern_size);
// 得到基地址
PVOID address = GetIoInitializeTimerAddress();
// 扫描特征
NTSTATUS nt = UtilLySharkSearchPattern((PUCHAR)pattern, pattern_size, address, 128, &find_address);
DbgPrint("[LyShark 返回地址 => ] 0x%p \n", (ULONG64)find_address);
Driver->DriverUnload = UnDriver;
return STATUS_SUCCESS;
}
运行驱动程序完成特征定位,并对比定位效果。
如上述所示定位函数我们已经封装好了,相信你也能感受到这种方式要比使用数组更方便,为了能定位到内核PE结构我们需要使用RtlImageNtHeader
来解析,这个内核函数专门用来得到内核程序的PE头部结构的,在下方案例中首先我们使用封装过的LySharkToolsUtilKernelBase
函数拿到内核基址,如果你不懂函数实现细节请阅读《驱动开发:内核取ntoskrnl模块基地址》
这篇文章,拿到基址以后可以直接使用RtlImageNtHeader
对其PE头部进行解析,如下所示。
// 署名权
// right to sign one's name on a piece of work
// PowerBy: LyShark
// Email: me@lyshark.com
#include "lyshark.h"
// 定义全局变量
static PVOID g_KernelBase = 0;
static ULONG g_KernelSize = 0;
// 得到KernelBase基地址
// lyshark.com
PVOID LySharkToolsUtilKernelBase(OUT PULONG pSize)
{
NTSTATUS status = STATUS_SUCCESS;
ULONG bytes = 0;
PRTL_PROCESS_MODULES pMods = 0;
PVOID checkPtr = 0;
UNICODE_STRING routineName;
if (g_KernelBase != 0)
{
if (pSize)
{
*pSize = g_KernelSize;
}
return g_KernelBase;
}
RtlInitUnicodeString(&routineName, L"NtOpenFile");
checkPtr = MmGetSystemRoutineAddress(&routineName);
if (checkPtr == 0)
return 0;
__try
{
status = ZwQuerySystemInformation(SystemModuleInformation, 0, bytes, &bytes);
if (bytes == 0)
{
return 0;
}
pMods = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPoolNx, bytes, L"LyShark");
RtlZeroMemory(pMods, bytes);
status = ZwQuerySystemInformation(SystemModuleInformation, pMods, bytes, &bytes);
if (NT_SUCCESS(status))
{
PRTL_PROCESS_MODULE_INFORMATION pMod = pMods->Modules;
for (ULONG i = 0; i < pMods->NumberOfModules; i++)
{
if (checkPtr >= pMod[i].ImageBase && checkPtr < (PVOID)((PUCHAR)pMod[i].ImageBase + pMod[i].ImageSize))
{
g_KernelBase = pMod[i].ImageBase;
g_KernelSize = pMod[i].ImageSize;
if (pSize)
{
*pSize = g_KernelSize;
}
break;
}
}
}
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
return 0;
}
if (pMods)
{
ExFreePoolWithTag(pMods, L"LyShark");
}
DbgPrint("KernelBase = > %p \n", g_KernelBase);
return g_KernelBase;
}
VOID UnDriver(PDRIVER_OBJECT driver)
{
DbgPrint(("Uninstall Driver Is OK \n"));
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
DbgPrint(("hello lyshark.com \n"));
// 获取内核第一个模块的基地址
PVOID base = LySharkToolsUtilKernelBase(0);
if (!bas