21,616
社区成员
发帖
与我相关
我的任务
分享怎么R0下获取SSDT起源地址
.兄弟们没有完整的驱动源码 给学习下?
下面的源码是我在网上找的。。
粘贴进我的驱动源码里面里面。。报好多错
'PIMAGE_DOS_HEADER' :undeclared identifier
'PIMAGE_DATA_DIRECTORY' : undeclared identifier
'expdir' : undeclaredidentifier
'PIMAGE_EXPORT_DIRECTORY' : undeclared identifier
我想问问 这几个数据类型 应该添加哪几个头文件- -
还有好几个错误 麻烦兄弟们给看下 谢谢大家喽
下面的源码是我在网上找的。。
粘贴进我的驱动源码里面里面。。报好多错
'PIMAGE_DOS_HEADER' :undeclared identifier
'PIMAGE_DATA_DIRECTORY' : undeclared identifier
'expdir' : undeclaredidentifier
'PIMAGE_EXPORT_DIRECTORY' : undeclared identifier
我想问问 这几个数据类型 应该添加哪几个头文件- -
还有好几个错误 麻烦兄弟们给看下 谢谢大家喽
//得到ntoskrnl.exe SSDT导出函数服务号
ULONG GetServiceId( PCWSTR FunctionName ) //PCWSTR常量指针,指向16位UNICODE
{
UNICODE_STRING UnicodeFunctionName;
ULONG address;
ULONG ServiceId;
RtlInitUnicodeString( &UnicodeFunctionName, FunctionName );
//MmGetSystemRoutineAddress函数是从Ntoskrnl.exe和HAL中查找导出函数地址
address = (ULONG)MmGetSystemRoutineAddress( &UnicodeFunctionName );
//打印导出函数地址
KdPrint(("[GetServiceId] address:0x%x\n",address));
ServiceId = *(PSHORT)(address + 1);
//打印导出函数服务号
KdPrint(("[GetServiceId] ServiceId:0x%x\n",ServiceId));
return ServiceId;
}
/**************************************************************************************
*
* 函数名: GetFunctionAddress
* 参数:
[IN] PUNICODE_STRING DllName,
[IN] char* FunctionName FunctionName
* 功能描述: 解析PE的EAT表获取导出函数地址
* 返回值: ULONG address
* 作者: sysdog
* 修改记录:
*
***************************************************************************************/
/***************************************************************************************
*
* 原理: R0下没有LoadLibrary函数
* 利用ZwCreateFile打开文件
* 利用ZwCreateSection创建区段
* 利用ZwMapViewOfSection映射区段到当前进程的虚拟内存
* 定位PE Header地址
* 定位第一个数据目录
* 到EAT导出表
* 搜索函数名,定位函数地址
****************************************************************************************/
ULONG GetFunctionId( PUNICODE_STRING DllName, char* FunctionName )
{
NTSTATUS ntstatus;
HANDLE hFile = NULL, hSection = NULL ;
OBJECT_ATTRIBUTES object_attributes;
IO_STATUS_BLOCK io_status = {0};
PVOID baseaddress = NULL;
SIZE_T size = 0;
//模块基址
PVOID ModuleAddress = NULL;
//偏移量
ULONG dwOffset = 0;
PIMAGE_DOS_HEADER dos = NULL;
PIMAGE_NT_HEADERS nt = NULL;
PIMAGE_DATA_DIRECTORY expdir = NULL;
PIMAGE_EXPORT_DIRECTORY exports = NULL;
ULONG addr;
ULONG Size;
PULONG functions;
PSHORT ordinals;
PULONG names;
ULONG max_name;
ULONG max_func;
ULONG i;
ULONG pFunctionAddress;
ULONG ServiceId;
//初始化OBJECT_ATTRIBUTES结构
InitializeObjectAttributes(
&object_attributes,
DllName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);
//打开文件
ntstatus = ZwCreateFile(
&hFile,
FILE_EXECUTE | SYNCHRONIZE,
&object_attributes,
&io_status,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
FILE_OPEN,
FILE_NON_DIRECTORY_FILE |
FILE_RANDOM_ACCESS |
FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0);
if( !NT_SUCCESS( ntstatus ))
{
KdPrint(("[GetFunctionAddress] error0\n"));
KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
return 0;
}
//创建区段
InitializeObjectAttributes(
&object_attributes,
NULL,
OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,
NULL,
NULL);
ntstatus = ZwCreateSection(
&hSection,
SECTION_ALL_ACCESS,
&object_attributes,
0,
PAGE_EXECUTE,
SEC_IMAGE,
hFile);
if( !NT_SUCCESS( ntstatus ))
{
KdPrint(("[GetFunctionAddress] error1\n"));
KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
return 0;
}
//映射区段到进程虚拟空间
ntstatus = ZwMapViewOfSection(
hSection,
NtCurrentProcess(), //ntddk.h定义的宏用来获取当前进程句柄
&baseaddress,
0,
1000,
0,
&size,
(SECTION_INHERIT)1,
MEM_TOP_DOWN,
PAGE_READWRITE);
if( !NT_SUCCESS( ntstatus ))
{
KdPrint(("[GetFunctionAddress] error2\n"));
KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
return 0;
}
ZwClose( hFile );
//得到模块基址
dwOffset = ( ULONG )baseaddress;
//验证基址
KdPrint(("[GetFunctionAddress] BaseAddress:0x%x\n", dwOffset));
dos =(PIMAGE_DOS_HEADER) baseaddress;
nt =(PIMAGE_NT_HEADERS)((ULONG) baseaddress + dos->e_lfanew);
expdir = (PIMAGE_DATA_DIRECTORY)(nt->OptionalHeader.DataDirectory + IMAGE_DIRECTORY_ENTRY_EXPORT);
addr = expdir->VirtualAddress;//数据块起始RVA
Size = expdir->Size; //数据块长度
exports =(PIMAGE_EXPORT_DIRECTORY)((ULONG) baseaddress + addr);
functions =(PULONG)((ULONG) baseaddress + exports->AddressOfFunctions);
ordinals =(PSHORT)((ULONG) baseaddress + exports->AddressOfNameOrdinals);
names =(PULONG)((ULONG) baseaddress + exports->AddressOfNames);
max_name =exports->NumberOfNames;
max_func =exports->NumberOfFunctions;
for (i = 0; i < max_name; i++)
{
ULONG ord = ordinals[i];
if(i >= max_name || ord >= max_func)
{
return 0;
}
if (functions[ord] < addr || functions[ord] >= addr + Size)
{
if (strcmp((PCHAR) baseaddress + names[i], FunctionName) == 0)
{
pFunctionAddress =(ULONG)((ULONG) baseaddress + functions[ord]);
break;
}
}
}
KdPrint(("[GetFunctionAddress] %s:0x%x\n",FunctionName, pFunctionAddress));
ServiceId = *(PSHORT)(pFunctionAddress + 1);
//打印导出函数服务号
KdPrint(("[GetServiceId] ServiceId:0x%x\n",ServiceId));
//卸载区段,释放内存
ZwUnmapViewOfSection( NtCurrentProcess(), baseaddress);
ZwClose( hSection);
return ServiceId;
}
...全文
请发表友善的回复…
发表回复
