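// Approach 3 -- not implemented.
/*
 * GetSSDTShadowAddress3 - placeholder for a third way of locating the
 * Shadow SSDT descriptor.
 *
 * Always returns 0, which this file uses as the "not resolved" sentinel;
 * callers must test for 0 before dereferencing the result.
 * Declared with a (void) prototype so a stray argument is a compile error
 * rather than silently accepted.
 */
ULONG GetSSDTShadowAddress3(void)
{
    return 0;
}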
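// Approach 4 -- not implemented.
/*
 * GetSSDTShadowAddress4 - placeholder for a fourth way of locating the
 * Shadow SSDT descriptor.
 *
 * Always returns 0, which this file uses as the "not resolved" sentinel;
 * callers must test for 0 before dereferencing the result.
 * Declared with a (void) prototype so a stray argument is a compile error
 * rather than silently accepted.
 */
ULONG GetSSDTShadowAddress4(void)
{
    return 0;
}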
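/*********************************************************************************
*
* Locate the load base of win32k.sys.
* Two approaches are implemented in this file:
* 1. ZwQuerySystemInformation(SystemModuleInformation)      -> GetWin32Base1
* 2. Walking the loader module list from DriverSection       -> GetWin32Base2
*
**********************************************************************************/

/*
 * GetWin32Base1 - find win32k.sys through SystemModuleInformation.
 *
 * Returns the image base of win32k.sys as a ULONG, or 0 when the module
 * list could not be queried or win32k.sys is not in it.
 *
 * Fixes relative to the previous revision:
 *   - `address` was returned uninitialised when win32k.sys was not listed;
 *   - ExFreePool(NULL) was called on allocation failure (pool bugcheck);
 *   - the module-list buffer was never freed on the success path (pool leak);
 *   - the debug tags said "[FindModuleByAddress]", a copy-paste leftover.
 *
 * NOTE(review): addresses are truncated to ULONG, so this function (like the
 * rest of this file) is only meaningful on a 32-bit kernel.
 */
ULONG GetWin32Base1(void)
{
    NTSTATUS status;
    ULONG i;
    ULONG size = 0;
    ULONG address = 0;          /* 0 == not found / error */
    PSYSMODULELIST List = NULL;

    /* A zero-length buffer makes the call fail and report the required size. */
    ZwQuerySystemInformation(SystemModuleInformation, &size, 0, &size);
    KdPrint(("[GetWin32Base1] size:0x%x\n", size));
    if (size == 0)
    {
        KdPrint(("[GetWin32Base1] size query failed\n"));
        return 0;
    }

    List = (PSYSMODULELIST)ExAllocatePool(NonPagedPool, size);
    if (List == NULL)
    {
        /* Nothing was allocated, so there is nothing to free here. */
        KdPrint(("[GetWin32Base1] malloc memory failed\n"));
        return 0;
    }

    /*
     * A module loaded between the size query and this call makes `size`
     * stale; the query then fails and we report "not found" instead of
     * retrying.
     */
    status = ZwQuerySystemInformation(SystemModuleInformation, List, size, 0);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[GetWin32Base1] query failed\n"));
        KdPrint(("[GetWin32Base1] status: 0x%x\n", status));
        ExFreePool(List);
        return 0;
    }

    for (i = 0; i < List->ulCount; i++)
    {
        /* Case-insensitive, matching GetWin32Base2: the loader's casing of
         * the path is not guaranteed. */
        if (_stricmp(List->smi[i].ImageName, "\\SystemRoot\\System32\\win32k.sys") == 0)
        {
            KdPrint(("[GetWin32Base1] name :%s\n", List->smi[i].ImageName));
            address = (ULONG)List->smi[i].Base;
            KdPrint(("[GetWin32Base1] win32k.sys address:0x%x\n", address));
            break;
        }
    }

    /* Release the module list on every path, including success. */
    ExFreePool(List);
    return address;
}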
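/*********************************************************************************************
*
* DRIVER_OBJECT->DriverSection points at this driver's LDR_DATA_TABLE_ENTRY,
* which is linked (InLoadOrderLinks) into the kernel's list of loaded modules;
* each entry carries the module's full path (FullDllName) and load base (DllBase).
*
**********************************************************************************************/

/*
 * GetWin32Base2 - find win32k.sys by walking the loaded-module list.
 *
 * driver: the caller's DRIVER_OBJECT; its DriverSection is the starting link.
 *
 * Returns the DllBase of the entry whose FullDllName equals
 * \SystemRoot\System32\win32k.sys (case-insensitive), or 0 when it is not
 * found or `driver` / DriverSection is NULL.
 *
 * The walk starts at DriverSection->Flink and stops when it gets back there,
 * so this driver's own entry is the one link never inspected -- which is
 * fine, it is not win32k.
 *
 * Fix relative to the previous revision: FullDllName is a UNICODE_STRING,
 * whose Buffer is not guaranteed to be NUL-terminated, so comparing it with
 * _wcsicmp could read past the buffer. RtlEqualUnicodeString is bounded by
 * Length.
 *
 * NOTE(review): the EntryPoint/Buffer test is a heuristic to step over the
 * list head, which is not a real LDR_DATA_TABLE_ENTRY -- TODO confirm.
 * NOTE(review): the list is walked without the loader lock; a concurrent
 * module unload can unlink an entry mid-walk -- confirm this is acceptable
 * for the contexts this is called from.
 */
ULONG GetWin32Base2( PDRIVER_OBJECT driver)
{
    PLIST_ENTRY head;
    PLIST_ENTRY pList;
    PLDR_DATA_TABLE_ENTRY pLdr;
    UNICODE_STRING target;
    ULONG BaseAddress = 0;

    if (driver == NULL || driver->DriverSection == NULL)
    {
        return 0;
    }

    RtlInitUnicodeString(&target, L"\\SystemRoot\\System32\\win32k.sys");

    head = ((PLIST_ENTRY)driver->DriverSection)->Flink;
    pList = head;
    do
    {
        pLdr = CONTAINING_RECORD(pList, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);

        if (pLdr->EntryPoint != NULL && pLdr->FullDllName.Buffer != NULL)
        {
            /* Length-bounded, case-insensitive compare of the full path. */
            if (RtlEqualUnicodeString(&pLdr->FullDllName, &target, TRUE))
            {
                BaseAddress = (ULONG)pLdr->DllBase;
                KdPrint(("[GetWin32Base2] win32k.sys address:0x%x\n", BaseAddress));
                break;
            }
        }

        pList = pList->Flink;
    } while (pList != head);

    return BaseAddress;
}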
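/****************************************************************************************
*
* Recover the original (on-disk) value of a Shadow SSDT entry from its service index.
*
****************************************************************************************/

/*
 * FindShadowOriAddress - read the on-disk value of Shadow SSDT entry `index`.
 *
 * Steps:
 *   1. BaseAddress   = runtime base of win32k.sys (GetWin32Base1);
 *   2. ShadowBase    = address of the shadow table pointer (GetSSDTShadowAddress2,
 *                      defined elsewhere in this file); *ShadowBase is the table;
 *   3. (table RVA + index*4) is used as a file offset into
 *      \SystemRoot\system32\win32k.sys and one ULONG is read from there.
 *
 * Returns the value read, or 0 on any failure: win32k.sys not found, shadow
 * table not resolvable or outside the win32k image, offset overflow, open or
 * read error, short read.
 *
 * Fixes relative to the previous revision:
 *   - ShadowBase was dereferenced without checking for 0 (NULL deref);
 *   - ZwReadFile was passed a NULL IoStatusBlock, which is not permitted;
 *   - ZwClose was called on an uninitialised handle when ZwCreateFile failed;
 *   - the file is opened with FILE_READ_DATA, which is what ZwReadFile needs,
 *     instead of FILE_EXECUTE;
 *   - a short read (offset past end of file) is now reported as 0.
 *
 * NOTE(review): the RVA is used directly as a file offset. That only holds
 * when the containing section's raw offset equals its virtual offset; if
 * win32k.sys's file alignment differs from its section alignment the offset
 * must be translated through the section table -- TODO confirm for the
 * target image.
 * NOTE(review): the value read is the unrelocated pointer stored in the image
 * file; it is NOT rebased to BaseAddress here (the previous revision's
 * `address = address;` suggests that step was never written). Callers that
 * compare it with a live table entry must account for that.
 * NOTE(review): `index` is not checked against the table's service count; an
 * out-of-range index is only caught if the read runs past end of file.
 */
ULONG FindShadowOriAddress( ULONG index )
{
    NTSTATUS status;
    ULONG BaseAddress;
    ULONG ShadowBase;
    ULONG ShadowAddress;
    ULONG SsdtRva;
    ULONG location;
    ULONG address = 0;
    UNICODE_STRING modulename;
    OBJECT_ATTRIBUTES object_attributes;
    IO_STATUS_BLOCK io_status = {0};
    HANDLE hFile = NULL;
    LARGE_INTEGER offset;

    BaseAddress = GetWin32Base1();
    KdPrint(("[FindShadowOriAddress] BaseAddress:0x%x\n", BaseAddress));
    if (BaseAddress == 0)
    {
        KdPrint(("[FindShadowOriAddress] win32k.sys not found\n"));
        return 0;
    }

    ShadowBase = GetSSDTShadowAddress2();
    if (ShadowBase == 0)
    {
        KdPrint(("[FindShadowOriAddress] shadow table not resolved\n"));
        return 0;
    }
    ShadowAddress = *(PULONG)ShadowBase;
    KdPrint(("[FindShadowOriAddress] ShadowAddress:0x%x\n", ShadowAddress));

    /* The table must lie inside the win32k image; otherwise the RVA would wrap. */
    if (ShadowAddress < BaseAddress)
    {
        KdPrint(("[FindShadowOriAddress] shadow table below win32k base\n"));
        return 0;
    }
    SsdtRva = ShadowAddress - BaseAddress;
    KdPrint(("[FindShadowOriAddress] SsdtRva:0x%x\n", SsdtRva));

    /* Keep the 32-bit offset arithmetic from overflowing for absurd indices. */
    if (index > ((ULONG)-1 - SsdtRva) / sizeof(ULONG))
    {
        KdPrint(("[FindShadowOriAddress] index out of range\n"));
        return 0;
    }
    location = SsdtRva + index * sizeof(ULONG);
    offset.QuadPart = location;
    KdPrint(("[FindShadowOriAddress] location:0x%x\n", location));

    RtlInitUnicodeString(&modulename, L"\\SystemRoot\\system32\\win32k.sys");
    InitializeObjectAttributes(
        &object_attributes,
        &modulename,
        OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
        NULL,
        NULL);

    /* Read-only, least-privilege open; the handle is only used for ZwReadFile. */
    status = ZwCreateFile(
        &hFile,
        FILE_READ_DATA | SYNCHRONIZE,
        &object_attributes,
        &io_status,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ,
        FILE_OPEN,
        FILE_NON_DIRECTORY_FILE |
        FILE_RANDOM_ACCESS |
        FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,
        0);
    if (!NT_SUCCESS(status))
    {
        /* No handle was returned, so there is nothing to close. */
        KdPrint(("[FindShadowOriAddress] open error\n"));
        KdPrint(("[FindShadowOriAddress] status = 0x%x\n", status));
        return 0;
    }

    status = ZwReadFile(
        hFile,
        NULL,
        NULL,
        NULL,
        &io_status,
        &address,
        sizeof(ULONG),
        &offset,
        NULL);
    ZwClose(hFile);

    if (!NT_SUCCESS(status))
    {
        KdPrint(("[FindShadowOriAddress] read error\n"));
        KdPrint(("[FindShadowOriAddress] status = 0x%x\n", status));
        return 0;
    }
    if (io_status.Information != sizeof(ULONG))
    {
        /* Short read: the computed offset is at or past end of file. */
        KdPrint(("[FindShadowOriAddress] short read\n"));
        return 0;
    }

    KdPrint(("[FindShadowOriAddress] address:0x%x\n", address));
    return address;
}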