两种方法获取shadow ssdt

zoukankan html css js c++ java

两种方法获取shadow ssdt
[cpp] view plain copy
print?

ULONG

GetShadowSsdtCurrentAddresses(

    PSSDT_ADDRESS   AddressInfo,

    PULONG          Length

    )

{

    PSYSTEM_SERVICE_TABLE KeServiceDescriptorTableShadow = NULL;

    ULONG NumberOfService = 0;

    ULONG ServiceId = 0;

    PKAPC_STATE ApcState;

    ULONG i;



    if (AddressInfo == NULL || Length == NULL)

    {

        KdPrint(("[GetShadowSsdtCurrentAddresses] 输入参数无效"));

        return 0;

    }



    //KdPrint(("pid = %d", PsGetCurrentProcessId()));

    ServiceId = (ULONG)PsGetCurrentProcessId();



    if (!g_CsrssProcess) {

        PsLookupProcessByProcessId((PVOID)ScPsGetCsrssProcessId(), &g_CsrssProcess);

    }



    KeServiceDescriptorTableShadow = GetKeServiceDescriptorTableShadow();



    if (KeServiceDescriptorTableShadow == NULL)

    {

        KdPrint(("[GetShadowSsdtCurrentAddresses] GetKeServiceDescriptorTableShadow failed"));

        return 0;

    }



    NumberOfService = KeServiceDescriptorTableShadow->NumberOfService;

    if (Length[0] < NumberOfService * sizeof(SSDT_ADDRESS))

    {

        Length[0] = NumberOfService * sizeof(SSDT_ADDRESS);

        return 0;

    }



    ApcState = ExAllocatePoolWithTag(NonPagedPool, sizeof(KAPC_STATE), MEM_TAG);

    KeStackAttachProcess((PRKPROCESS)g_CsrssProcess, ApcState);



    for (ServiceId = 0; ServiceId < NumberOfService; ServiceId ++)

    {

        AddressInfo[ServiceId].FunAddress = (ULONG)

            KeServiceDescriptorTableShadow->ServiceTableBase[ServiceId];

        AddressInfo[ServiceId].nIndex = ServiceId;

    }



    KeUnstackDetachProcess(ApcState);

    ExFreePool(ApcState);



    Length[0] = NumberOfService * sizeof(SSDT_ADDRESS);

    return NumberOfService;

}



///////////////////////////////////////////////////////////////////////////////////

//

//  功能实现：枚举当前Shadow SSDT 表函数地址

//  输入参数：void

//  输出参数：返回Shadow ssdt table

//

///////////////////////////////////////////////////////////////////////////////////

PSYSTEM_SERVICE_TABLE

GetKeServiceDescriptorTableShadow(VOID)

{

    PSYSTEM_SERVICE_TABLE ShadowTable = NULL;

    ULONG   ServiceTableAddress = 0;

    PUCHAR  cPtr = NULL;



    for (cPtr = (PUCHAR)KeAddSystemServiceTable;

         cPtr < (PUCHAR)KeAddSystemServiceTable + PAGE_SIZE;

         cPtr += 1 )

    {

        if (!MmIsAddressValid(cPtr))  continue;



        ServiceTableAddress = *(PULONG)cPtr;

        if (!MmIsAddressValid((PVOID)ServiceTableAddress)) continue;



        if (memcmp((PVOID)ServiceTableAddress, &KeServiceDescriptorTable, 16) == 0)

        {

            if ((PVOID)ServiceTableAddress == &KeServiceDescriptorTable) continue;

            ShadowTable = (PSYSTEM_SERVICE_TABLE)ServiceTableAddress;

            ShadowTable ++;

            return ShadowTable;

        }

    }

    return NULL;

}

//

// 方法2，通过硬编码实现，不通用

//

PSYSTEM_SERVICE_TABLE

GetKeServiceDescriptorTableShadow_2(VOID)

/*++

  KeAddSystemServiceTable函数

    805ba5a3 8d8840a65580    lea    ecx,nt!KeServiceDescriptorTableShadow (8055a640)[eax]

    805ba5a9 833900          cmp    dword ptr [ecx],0

--*/

{

    PSYSTEM_SERVICE_TABLE ShadowTable;

    ULONG   ServiceTableAddress;

    PUCHAR  cPtr, pOpcode;

    ULONG   Length = 0;



    for (cPtr = (PUCHAR)KeAddSystemServiceTable;

         cPtr < (PUCHAR)KeAddSystemServiceTable + PAGE_SIZE;

         cPtr += Length )

    {

        if (!MmIsAddressValid(cPtr))  return NULL;



        Length = SizeOfCode(cPtr, &pOpcode);



        if (!Length || (Length == 1 && *pOpcode == 0xC3)) return NULL;



        if (*(PUSHORT)pOpcode == 0x888D)

        {

            ServiceTableAddress = *(PULONG)(pOpcode + 2);

            ShadowTable = (PSYSTEM_SERVICE_TABLE)ServiceTableAddress;

            ShadowTable ++;

            return ShadowTable;

        }

    }

    return NULL;

}

ULONG GetShadowSsdtCurrentAddresses( PSSDT_ADDRESS AddressInfo, PULONG Length ) { PSYSTEM_SERVICE_TABLE KeServiceDescriptorTableShadow = NULL; ULONG NumberOfService = 0; ULONG ServiceId = 0; PKAPC_STATE ApcState; ULONG i; if (AddressInfo == NULL || Length == NULL) { KdPrint(("[GetShadowSsdtCurrentAddresses] 输入参数无效")); return 0; } //KdPrint(("pid = %d", PsGetCurrentProcessId())); ServiceId = (ULONG)PsGetCurrentProcessId(); if (!g_CsrssProcess) { PsLookupProcessByProcessId((PVOID)ScPsGetCsrssProcessId(), &g_CsrssProcess); } KeServiceDescriptorTableShadow = GetKeServiceDescriptorTableShadow(); if (KeServiceDescriptorTableShadow == NULL) { KdPrint(("[GetShadowSsdtCurrentAddresses] GetKeServiceDescriptorTableShadow failed")); return 0; } NumberOfService = KeServiceDescriptorTableShadow->NumberOfService; if (Length[0] < NumberOfService * sizeof(SSDT_ADDRESS)) { Length[0] = NumberOfService * sizeof(SSDT_ADDRESS); return 0; } ApcState = ExAllocatePoolWithTag(NonPagedPool, sizeof(KAPC_STATE), MEM_TAG); KeStackAttachProcess((PRKPROCESS)g_CsrssProcess, ApcState); for (ServiceId = 0; ServiceId < NumberOfService; ServiceId ++) { AddressInfo[ServiceId].FunAddress = (ULONG) KeServiceDescriptorTableShadow->ServiceTableBase[ServiceId]; AddressInfo[ServiceId].nIndex = ServiceId; } KeUnstackDetachProcess(ApcState); ExFreePool(ApcState); Length[0] = NumberOfService * sizeof(SSDT_ADDRESS); return NumberOfService; } /////////////////////////////////////////////////////////////////////////////////// // // 功能实现：枚举当前Shadow SSDT 表函数地址 // 输入参数：void // 输出参数：返回Shadow ssdt table // /////////////////////////////////////////////////////////////////////////////////// PSYSTEM_SERVICE_TABLE GetKeServiceDescriptorTableShadow(VOID) { PSYSTEM_SERVICE_TABLE ShadowTable = NULL; ULONG ServiceTableAddress = 0; PUCHAR cPtr = NULL; for (cPtr = (PUCHAR)KeAddSystemServiceTable; cPtr < (PUCHAR)KeAddSystemServiceTable + PAGE_SIZE; cPtr += 1 ) { if (!MmIsAddressValid(cPtr)) continue; ServiceTableAddress = *(PULONG)cPtr; if (!MmIsAddressValid((PVOID)ServiceTableAddress)) continue; if (memcmp((PVOID)ServiceTableAddress, &KeServiceDescriptorTable, 16) == 0) { if ((PVOID)ServiceTableAddress == &KeServiceDescriptorTable) continue; ShadowTable = (PSYSTEM_SERVICE_TABLE)ServiceTableAddress; ShadowTable ++; return ShadowTable; } } return NULL; } // // 方法2，通过硬编码实现，不通用 // PSYSTEM_SERVICE_TABLE GetKeServiceDescriptorTableShadow_2(VOID) /*++ 805ba5a3 8d8840a65580 lea ecx,nt!KeServiceDescriptorTableShadow (8055a640)[eax] 805ba5a9 833900 cmp dword ptr [ecx],0 --*/ { PSYSTEM_SERVICE_TABLE ShadowTable; ULONG ServiceTableAddress; PUCHAR cPtr, pOpcode; ULONG Length = 0; for (cPtr = (PUCHAR)KeAddSystemServiceTable; cPtr < (PUCHAR)KeAddSystemServiceTable + PAGE_SIZE; cPtr += Length ) { if (!MmIsAddressValid(cPtr)) return NULL; Length = SizeOfCode(cPtr, &pOpcode); if (!Length || (Length == 1 && *pOpcode == 0xC3)) return NULL; if (*(PUSHORT)pOpcode == 0x888D) { ServiceTableAddress = *(PULONG)(pOpcode + 2); ShadowTable = (PSYSTEM_SERVICE_TABLE)ServiceTableAddress; ShadowTable ++; return ShadowTable; } } return NULL; }
查看全文

相关阅读:
.Net下的MSMQ（微软消息队列）的同步异步调用
 [收藏]JS获取网页中HTML元素的几种方法分析
 在FireFox下设为首页的解决方法
 如何创建和使用Web Service代理类
 [收藏]61条面向对象设计的经验原则
 [总结]DotNet中用到的加密算法总结
 如何把用SQL语句int型整数转换成二进制数
 彻底杜绝PHP的session,cookie,Cannot modify header错误
 MSN总是报80048820的错误，网上搜的一些资料解决不了，我找到了真正解决办法！
[收藏]MD5加密的javascript实现

原文地址：https://www.cnblogs.com/kuangke/p/5761555.html