关于SSDT 分类： windows驱动程序WDM 2013-09-25 14:51 339人阅读评论(0) 收藏

百度上比较好的解释是：SSDT的全称是System Services Descriptor Table，系统服务描述符表。这个表就是一个把ring3的Win32 API和ring0的内核API联系起来。SSDT并不仅仅只包含一个庞大的地址索引表，它还包含着一些其它有用的信息，诸如地址索引的基地址、服务函数个数等。

说白了，SSDT就是把系统两个不同级别的函数给关联起来，因为为了安全需要，我们平常所使用的API函数基本都是在ring3下的函数，ring3的级别比较低，但是有些涉及到系统底层的函数怎么办呢？Windows就给出一个SSDT表，把ring3和ring0的函数给关联起来，这样，我们就通过使用ring3的函数就可以直接做一些底层操作了。

好吧，既然有这个东西，谁最关心呢？当然是杀毒软件最关心了，因为为了阻止某些病毒不让他破坏系统的底层，杀毒软件会把SSDT中的地址给修改并转向，这样，当病毒或程序调用这些函数的时候，就无法找到真正的对应函数，从而调用失败。

不过这玩意已经没有什么神秘的了，道高一尺魔高一丈，现在的病毒已经可以绕过SSDT去直接调用底层函数了，或者说可以找出底层函数的真实地址了，这里，我们就简单利用KeServiceDescriptorTable这个函数来读取系统的SSDT表吧。

完整代码如下：

#include "stdafx.h"
#include <windows.h>
#include <iostream>
usingnamespace
std; 
  
#define RVATOVA(base,offset)             ((PVOID)((DWORD)(base)+(DWORD)(offset)))
#define ibaseDD *(PDWORD)&ibase
#define STATUS_INFO_LENGTH_MISMATCH      ((NTSTATUS)0xC0000004L)
#define NT_SUCCESS(Status)               ((NTSTATUS)(Status) >= 0)
  
  
typedefstruct
{ 
    WORD   offset:12;
    WORD   type:4;
} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;
  
  
typedefLONG
NTSTATUS; 
  
long( __stdcall *NtQuerySystemInformation )(
DWORD,PVOID,
DWORD,DWORD
); 
  
typedefstruct
_SYSTEM_MODULE_INFORMATION {//Information Class 11
    ULONG   Reserved[2];
    PVOID   Base;
    ULONG   Size;
    ULONG   Flags;
    USHORT   Index;
    USHORT   Unknown;
    USHORT   LoadCount;
    USHORT   ModuleNameOffset;
    CHAR   ImageName[256];
}SYSTEM_MODULE_INFORMATION,*PSYSTEM_MODULE_INFORMATION;
  
typedefstruct
{ 
    DWORD   dwNumberOfModules;
    SYSTEM_MODULE_INFORMATION    smi;
} MODULES, *PMODULES;
  
#define    SystemModuleInformation    11
  
  
  
  
DWORDGetHeaders(PCHAR
ibase, 
                 PIMAGE_FILE_HEADER *pfh,
                 PIMAGE_OPTIONAL_HEADER *poh,
                 PIMAGE_SECTION_HEADER *psh)
                   
{
    PIMAGE_DOS_HEADER mzhead=(PIMAGE_DOS_HEADER)ibase;
      
    if   ((mzhead->e_magic!=IMAGE_DOS_SIGNATURE)
 ||         
        (ibaseDD[mzhead->e_lfanew]!=IMAGE_NT_SIGNATURE))
        returnFALSE;
      
    *pfh=(PIMAGE_FILE_HEADER)&ibase[mzhead->e_lfanew];
    if(((PIMAGE_NT_HEADERS)*pfh)->Signature!=IMAGE_NT_SIGNATURE) 
        returnFALSE;
    *pfh=(PIMAGE_FILE_HEADER)((PBYTE)*pfh+sizeof(IMAGE_NT_SIGNATURE));
      
    *poh=(PIMAGE_OPTIONAL_HEADER)((PBYTE)*pfh+sizeof(IMAGE_FILE_HEADER));
    if((*poh)->Magic!=IMAGE_NT_OPTIONAL_HDR32_MAGIC)
        returnFALSE;
      
    *psh=(PIMAGE_SECTION_HEADER)((PBYTE)*poh+sizeof(IMAGE_OPTIONAL_HEADER));
    returnTRUE;
}
  
  
DWORDFindKiServiceTable(HMODULEhModule,DWORD
dwKSDT) 
{
    PIMAGE_FILE_HEADER    pfh;
    PIMAGE_OPTIONAL_HEADER    poh;
    PIMAGE_SECTION_HEADER    psh;
    PIMAGE_BASE_RELOCATION    pbr;
    PIMAGE_FIXUP_ENTRY    pfe;    
      
    DWORD   dwFixups=0,i,dwPointerRva,dwPointsToRva,dwKiServiceTable;
    BOOL   bFirstChunk;
      
    GetHeaders((char*)hModule,&pfh,&poh,&psh);
      
    // loop thru relocs to speed up the search
    if((poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress)
 &&
        (!((pfh->Characteristics)&IMAGE_FILE_RELOCS_STRIPPED))) {
          
        pbr=(PIMAGE_BASE_RELOCATION)RVATOVA(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress,hModule);
          
        bFirstChunk=TRUE;
        // 1st IMAGE_BASE_RELOCATION.VirtualAddress of ntoskrnl is 0
        while(bFirstChunk || pbr->VirtualAddress)
 { 
            bFirstChunk=FALSE;
              
            pfe=(PIMAGE_FIXUP_ENTRY)((DWORD)pbr+sizeof(IMAGE_BASE_RELOCATION));
              
            for(i=0;i<(pbr->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))>>1;i++,pfe++)
 {
                if(pfe->type==IMAGE_REL_BASED_HIGHLOW)
 { 
                    dwFixups++;
                    dwPointerRva=pbr->VirtualAddress+pfe->offset;
                    // DONT_RESOLVE_DLL_REFERENCES flag means relocs aren't
 fixed 
                    dwPointsToRva=*(PDWORD)((DWORD)hModule+dwPointerRva)-(DWORD)poh->ImageBase;
                      
                    // does this reloc point to KeServiceDescriptorTable.Base?
                    if(dwPointsToRva==dwKSDT)
 { 
                        // check for mov [mem32],imm32. we are trying to
 find  
                        // "mov ds:_KeServiceDescriptorTable.Base, offset
 _KiServiceTable" 
                        // from the KiInitSystem.
                        if(*(PWORD)((DWORD)hModule+dwPointerRva-2)==0x05c7)
 {
                            // should check for a reloc presence on KiServiceTable
 here 
                            // but forget it
                            dwKiServiceTable=*(PDWORD)((DWORD)hModule+dwPointerRva+4)-poh->ImageBase;
                            returndwKiServiceTable;
                        }
                    }
                      
                } 
            }
            *(PDWORD)&pbr+=pbr->SizeOfBlock;
        }
    }    
      
      
      
    return0;
}
  
  
intEnumSSDT()
{
    HMODULE hKernel;
    DWORD   dwKSDT;               
// rva of KeServiceDescriptorTable
    DWORD   dwKiServiceTable;   
// rva of KiServiceTable
    PMODULES    pModules=(PMODULES)&pModules;
    DWORD   dwNeededSize,rc;
    DWORD   dwKernelBase,dwServices=0;
    PCHAR   pKernelName;
    PDWORD    pService;
    PIMAGE_FILE_HEADER    pfh;
    PIMAGE_OPTIONAL_HEADER    poh;
    PIMAGE_SECTION_HEADER    psh;
    NtQuerySystemInformation = (long(__stdcall*)(DWORD,PVOID,DWORD,DWORD))GetProcAddress(
 GetModuleHandle( "ntdll.dll" 
),"NtQuerySystemInformation" 
);  
    //通过NtQuerySystemInformation取得系统内核文件，判断为是ntoskrnl.exe ntkrnlmp.exe ntkrnlpa.exe
    rc=NtQuerySystemInformation(SystemModuleInformation,pModules,4,(ULONG)&dwNeededSize);
    if(rc==STATUS_INFO_LENGTH_MISMATCH)
//如果内存不够
    {
        pModules=(PMODULES)GlobalAlloc(GPTR,dwNeededSize) ;//重新分配内存
        rc=NtQuerySystemInformation(SystemModuleInformation,pModules,dwNeededSize,NULL);//系统内核文件是总是在第一个，枚举1次
    } 
      
    if(!NT_SUCCESS(rc))
    {
        cout <<"NtQuerySystemInformation() Failed
 !
";//NtQuerySystemInformation执行失败，检查当前进程权限
        return0;
    }
      
    dwKernelBase=(DWORD)pModules->smi.Base;  //
 imagebase 
    pKernelName=pModules->smi.ModuleNameOffset+pModules->smi.ImageName;
    hKernel=LoadLibraryEx(pKernelName,0,DONT_RESOLVE_DLL_REFERENCES);    //
 映射ntoskrnl //高  
    if(!hKernel)
    {
        cout <<"Failed to load 
";
        return0;        
    }
    GlobalFree(pModules);
    if(!(dwKSDT=(DWORD)GetProcAddress(hKernel,"KeServiceDescriptorTable")))//在内核文件中查找KeServiceDescriptorTable地址
    {
        cout <<"Can't find KeServiceDescriptorTable
";
        return0;
    }
      
    dwKSDT-=(DWORD)hKernel;      //
 获取 KeServiceDescriptorTable RVA 
    if(!(dwKiServiceTable=FindKiServiceTable(hKernel,dwKSDT)))  
// 获取KiServiceTable地址 
    {
        cout <<"Can't find KiServiceTable...
";
        return0;
    }
      
    GetHeaders((char*)hKernel,&pfh,&poh,&psh); 
      
    intdwIndex=0;
    for(pService=(PDWORD)((DWORD)hKernel+dwKiServiceTable);
        *pService-poh->ImageBase<poh->SizeOfImage;
        pService++,dwServices++,dwIndex++)
    {
        printf("0x%03X-0x%08X
",dwIndex,*pService-poh->ImageBase+dwKernelBase);  //SSDT索引和地址
    }
    FreeLibrary(hKernel);
    return1;
}
  
  
  
intmain()
{
    EnumSSDT();
  
    system("pause");
    return0;
}
 

关于SSDT 分类： windows驱动程序WDM 2013-09-25 14:51 339人阅读 评论(0) 收藏

关于SSDT 分类： windows驱动程序WDM 2013-09-25 14:51 339人阅读评论(0) 收藏