VC++实现恢复SSDT(七)
object_attributes,
&modulename,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);
//打开文件
status = ZwCreateFile(
&hFile,
FILE_EXECUTE | SYNCHRONIZE,
&object_attributes,
&io_status,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
FILE_OPEN,
FILE_NON_DIRECTORY_FILE |
FILE_RANDOM_ACCESS |
FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0);
if( !NT_SUCCESS( status ))
{
KdPrint(("[FindOriAddress] open error\n"));
KdPrint(("[FindOriAddress] status = 0x%x\n", status));
ZwClose( hFile );
return 0;
}
status = ZwReadFile(
hFile,
NULL,
NULL,
NULL,
NULL,
&address,
sizeof(ULONG),
&offset,
NULL);
if( !NT_SUCCESS( status ))
{
KdPrint(("[FindOriAddress] read error\n"));
KdPrint(("[FindOriAddress] status = 0x%x\n", status));
ZwClose( hFile );
return 0;
}
KdPrint(("[FindOriAddress] address:0x%x\n",address));
//重定位
address = BaseAddress - 0x00400000 + address;
KdPrint(("[FindOriAddress] Oriaddress:0x%x\n",address));
//释放动态分配的内存
RtlFreeUnicodeString(&modulename);
ZwClose( hFile );
return address;
}
/******************************************************************************************
*
* 得到SSDT Shadow当前地址
* 1、KeServiceDescriptorTable - 0x40 + 0x10
* 2、搜索KeAddSystemServiceTable函数,特征码
* 3、Kthread->ServiceTable指向
* 4、MJ提出的搜索特定内存
*
*******************************************************************************************/
//方式1,XP下-0x40(下面代码按 -0x40 + 0x10 计算,即 ssdt - 0x30);
ULONG GetSSDTShadowAddress1()
{
    /*
     * Method 1: derive the SSDT Shadow address from the exported
     * KeServiceDescriptorTable by a fixed offset.
     *
     * The offset is hard-coded (-0x30, i.e. the -0x40 from the header
     * comment plus +0x10) and is only meaningful for the specific 32-bit
     * kernel build the author targeted; on any other build the result is
     * an arbitrary address. Nothing in this block validates the result,
     * so a caller must not treat a non-zero return as proof of a valid
     * table.
     *
     * Returns: the computed address as a ULONG. Note the pointer-to-ULONG
     * cast truncates on 64-bit targets — 32-bit only.
     */
    ULONG table = (ULONG)KeServiceDescriptorTable;
    ULONG shadow = table - 0x30;

    KdPrint(("[GetSSDTShadowAddress] ssdt:0x%x\n", table));
    KdPrint(("[GetSSDTShadowAddress] address:0x%x\n", shadow));
    return shadow;
}
//方式2
ULONG GetSSDTShadowAddress2()
{
/*
 * Method 2: locate the SSDT Shadow address by scanning the code bytes of
 * KeAddSystemServiceTable for a two-byte signature and reading the 32-bit
 * value that follows it.
 *
 * Caveats visible in this block:
 *  - `address` is assigned only inside the loop. If the signature is never
 *    found, 0x10 is added to an uninitialized value and that is returned
 *    (undefined behaviour); the caller cannot distinguish this from success.
 *    Initializing `address = 0` and checking for 0 before the `+ 0x10`
 *    would make the failure detectable.
 *  - The scan bound on the `for` line appears to have been lost when the
 *    page was extracted (the text after `p` is missing), so the upper limit
 *    of the scan cannot be confirmed from here; an unbounded scan would
 *    eventually read past the function's code.
 *  - The signature 0x888D and the +0x10 adjustment are tied to one specific
 *    kernel build and are not validated here.
 *  - The (ULONG)p cast assumes 32-bit pointers.
 *
 * Returns: the computed address as a ULONG, or an indeterminate value when
 * the signature is not found.
 */
ULONG address;
PUCHAR addr;
PUCHAR p;
addr = (PUCHAR)KeAddSystemServiceTable;
/* Scan forward from the first byte of KeAddSystemServiceTable
 * (loop bound garbled in the page extraction — see header comment). */
for( p=addr; p {
/* Two bytes at p, read as a USHORT, are compared against the signature. */
if(*(PUSHORT)p == 0x888D)
{
/* The 4 bytes immediately after the signature are read as the address. */
address = *(PULONG)((ULONG)p+2);
break;
}
}
/* Fixed adjustment applied to the value found; presumably an offset into the
 * table structure — confirm against the target kernel's layout. */
address = address + 0x10;
KdPrint(("[GetSSDTShadowAddress] address:0x%x\n",address));
return address;
}
//方式3
ULONG GetSSDTShadowAddress3()
{
    /*
     * Method 3 (KTHREAD->ServiceTable, per the header comment above):
     * not implemented. Always returns 0, the same value FindOriAddress
     * above uses to signal failure; whether callers treat 0 from this
     * function as "not found" is not shown here — confirm before relying
     * on it.
     *
     * Returns: 0.
     */
    ULONG not_implemented = 0;
    return not_implemented;
}
//方式4
ULONG GetSSDTShadowAddress4()
{
    /*
     * Method 4 (memory search, per the header comment above): not
     * implemented. Always returns 0, the same value FindOriAddress above
     * uses to signal failure; whether callers treat 0 from this function
     * as "not found" is not shown here — confirm before relying on it.
     *
     * Returns: 0.
     */
    ULONG not_implemented = 0;
    return not_implemented;
}
/*********************************************************************************
*
* 获得win32k.sys基址
* 1、ZwQuerySystemInformation
* 2、遍历DriverSection链表
*
**********************************************************************************/
ULONG GetWin32Base1()
{
NTSTATUS status;
ULONG i;
ULONG size;
ULONG address;
PSYSMODULELIST List;

ZwQuerySystemInformation( SystemModuleInformation ,&size,0,&size);
KdPrint(("[FindModuleByAddress] size:0x%x\n",size));
List=(PSYSMODULELIST)ExAllocatePool(NonPagedPool,size);
if (List==NULL)
{
KdPrint(("[FindModuleB