  • 获得内核模块 通过DriverSection

    /***************************************************************************************
    * AUTHOR : yifi
    * DATE   : 2016-1-20
    * MODULE : EnumKernelModules.H
    *
    * IOCTRL Sample Driver
    *
    * Description:
    *        Demonstrates communications between USER and KERNEL.
    *
    ****************************************************************************************
    * Copyright (C) 2010 yifi.
    ****************************************************************************************/
    
    #ifndef CXX_ENUMKERNELMODULES_H
    #define CXX_ENUMKERNELMODULES_H 
    
    
    #include <ntifs.h>
    
    
    
    /*
     * Private mirror of the loader's module-list entry for 64-bit builds.
     * The walk in EnumKernelModules.C reads only InLoadOrderLinks and
     * BaseDllName from it (DllBase/SizeOfImage appear only in commented-out
     * code); the remaining fields exist to keep those offsets right.
     *
     * The fixed-width LIST_ENTRY64 members are mixed with native-width
     * PVOID/UNICODE_STRING members, which only line up on a 64-bit build —
     * the _WIN64 selector below guarantees that is the only build using it.
     *
     * NOTE(review): this is an undocumented structure whose layout is not
     * frozen across Windows builds — confirm the field offsets against the
     * target build with the debugger's "dt" command before relying on them.
     */
    typedef struct _LDR_DATA_TABLE_ENTRY64
    {
        LIST_ENTRY64    InLoadOrderLinks;           // ring the module walk follows (Flink)
        LIST_ENTRY64    InMemoryOrderLinks;
        LIST_ENTRY64    InInitializationOrderLinks;
        PVOID            DllBase;
        PVOID            EntryPoint;
        ULONG            SizeOfImage;
        UNICODE_STRING    FullDllName;
        UNICODE_STRING     BaseDllName;             // printed by the module walk
        ULONG            Flags;
        USHORT            LoadCount;
        USHORT            TlsIndex;
        PVOID            SectionPointer;
        ULONG            CheckSum;
        PVOID            LoadedImports;
        PVOID            EntryPointActivationContext;
        PVOID            PatchInformation;
        LIST_ENTRY64    ForwarderLinks;
        LIST_ENTRY64    ServiceTagLinks;
        LIST_ENTRY64    StaticLinks;
        PVOID            ContextInformation;
        ULONG64            OriginalBase;
        LARGE_INTEGER    LoadTime;
    } LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64;
    
    
    
    /*
     * Private mirror of the loader's module-list entry for 32-bit builds.
     * Every pointer-sized member is spelled as ULONG and the names as
     * UNICODE_STRING32, so the layout is fixed at 32-bit widths regardless of
     * the compiling host. The module walk reads InLoadOrderLinks.Flink (an
     * integer here, cast back to a pointer) and BaseDllName.
     *
     * NOTE(review): undocumented layout; the two anonymous unions below
     * follow the commonly published shape but are not verified by anything
     * in this listing — confirm against the target build.
     */
    typedef struct _LDR_DATA_TABLE_ENTRY32
    {
        LIST_ENTRY32 InLoadOrderLinks;          // ring the module walk follows (Flink)
        LIST_ENTRY32 InMemoryOrderLinks;
        LIST_ENTRY32 InInitializationOrderLinks;
        ULONG DllBase;
        ULONG EntryPoint;
        ULONG SizeOfImage;
        UNICODE_STRING32 FullDllName;
        UNICODE_STRING32 BaseDllName;           // printed by the module walk
        ULONG Flags;
        USHORT LoadCount;
        USHORT TlsIndex;
        union {
            LIST_ENTRY32 HashLinks;
            struct {
                ULONG SectionPointer;
                ULONG  CheckSum;
            };
        };
        union {
            struct {
                ULONG  TimeDateStamp;
            };
            struct {
                ULONG LoadedImports;
            };
        };
    } LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;
    
    
    /*
     * Select the entry layout matching the build's pointer width. The walk in
     * EnumKernelModules.C only ever names these two aliases, so changing the
     * target architecture needs no source change beyond this block.
     */
    #ifdef _WIN64
    #define LDR_DATA_TABLE_ENTRY LDR_DATA_TABLE_ENTRY64
    #define PLDR_DATA_TABLE_ENTRY PLDR_DATA_TABLE_ENTRY64
    #else
    #define LDR_DATA_TABLE_ENTRY LDR_DATA_TABLE_ENTRY32
    #define PLDR_DATA_TABLE_ENTRY PLDR_DATA_TABLE_ENTRY32
    #endif

    /* Unload routine ("Dirver" is spelled as in the original). It is declared
     * here but no definition appears in this listing, and DriverEntry never
     * stores it in DriverObject->DriverUnload. */
    VOID UnloadDirver(PDRIVER_OBJECT DriverObject);

    /* Walk the loader ring anchored at CurrentDriverObject->DriverSection and
     * print each entry's base name. Returns TRUE when at least one entry has a
     * non-NULL BaseDllName buffer. Despite the name, no module name parameter
     * is taken in this version; the name match only survives in comments. */
    BOOLEAN GetKernelModuleInformationByKernelModuleName(PDRIVER_OBJECT CurrentDriverObject);
    
    
    #endif
    
    
    
    
    
    
    
    
    
    
    
    
     /***************************************************************************************
    * AUTHOR : yifi
    * DATE   : 2016-1-20
    * MODULE : EnumKernelModules.C
    * 
    * Command: 
    *    Source of IOCTRL Sample Driver
    *
    * Description:
    *        Demonstrates communications between USER and KERNEL.
    *
    ****************************************************************************************
    * Copyright (C) 2010 yifi.
    ****************************************************************************************/
    
    //#######################################################################################
    //# I N C L U D E S
    //#######################################################################################
    /***************************************************************************************
    * AUTHOR : yifi
    * DATE   : 2016-9-8
    * MODULE : KernelMode.C
    * 
    * Command: 
    *    Source of IOCTRL Sample Driver
    *
    * Description:
    *        Demonstrates communications between USER and KERNEL.
    *
    ****************************************************************************************
    * Copyright (C) 2010 yifi.
    ****************************************************************************************/
    
    //#######################################################################################
    //# I N C L U D E S
    //#######################################################################################
    
    #ifndef CXX_KERNELMODE_H
    #    include "KernelMode.h"
    #endif
    
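    /*
     * Driver entry point: runs the loader-list walk once, anchored at this
     * driver's own DriverSection, and reports success regardless of outcome.
     *
     * Parameters:
     *   DriverObject - this driver's DRIVER_OBJECT, passed to the module walk.
     *   RegisterPath - the driver's registry service key; not used here.
     * Returns:
     *   STATUS_SUCCESS unconditionally. The walk's BOOLEAN result is logged
     *   rather than turned into a failure, so a NULL DriverSection or a ring
     *   with no named entries still leaves the driver loaded.
     *
     * NOTE(review): no DriverUnload routine is registered, so once loaded the
     * driver cannot be stopped without a reboot. UnloadDirver is declared in
     * the header, but no definition appears in this listing, which is why it is
     * not assigned here — locate its definition before wiring it up.
     * This listing includes "KernelMode.h"; the prototype for the walk shown
     * above lives in EnumKernelModules.H, presumably pulled in from there.
     */
    NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegisterPath)
    {
        BOOLEAN bFound;

        // RegisterPath is intentionally unused; keep /W4 builds quiet.
        UNREFERENCED_PARAMETER(RegisterPath);

        // The original discarded this result; surface it in the debug log so a
        // silent FALSE (e.g. NULL DriverSection) is visible.
        bFound = GetKernelModuleInformationByKernelModuleName(DriverObject);
        DbgPrint("Module walk %s\n",
                 bFound ? "found at least one named entry" : "found no named entry");

        return STATUS_SUCCESS;
    }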
    
    
    
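    /*
     * Print one loader entry's base name and report whether it has one.
     *
     * Parameters:
     *   Entry - a non-NULL loader-list entry.
     * Returns:
     *   TRUE if Entry->BaseDllName.Buffer is non-NULL, else FALSE.
     */
    static BOOLEAN ReportModuleEntry(PLDR_DATA_TABLE_ENTRY Entry)
    {
        if (Entry->BaseDllName.Buffer)
        {
            // %wZ honours UNICODE_STRING.Length. The original printed the raw
            // Buffer with "%S", which assumes a NUL terminator that loader
            // strings need not have and so could read past the name.
            // (UNICODE_STRING32 and UNICODE_STRING have the same layout on a
            // 32-bit build, the only build that selects LDR_DATA_TABLE_ENTRY32.)
            DbgPrint("%wZ\n", &Entry->BaseDllName);
            return TRUE;
        }

        // The original passed a NULL Buffer to "%S"; print a marker instead.
        DbgPrint("(unnamed entry)\n");
        return FALSE;
    }

    /*
     * Walk the loader's module ring (the InLoadOrderLinks list that
     * CurrentDriverObject->DriverSection is a member of), print the base name
     * of every entry and report whether at least one entry carries a name.
     *
     * Despite the name, this version takes no module name to match against:
     * the wcsstr() comparison and the DllBase/SizeOfImage outputs survive only
     * in the commented-out code below, so the result is TRUE whenever any
     * entry in the ring has a non-NULL BaseDllName.Buffer.
     *
     * Parameters:
     *   CurrentDriverObject - the caller's own DRIVER_OBJECT. Its DriverSection
     *                         is reinterpreted as PLDR_DATA_TABLE_ENTRY (see the
     *                         "dt _DriverObject" hint) and used as the walk's
     *                         anchor and terminator.
     * Returns:
     *   TRUE if any entry had a non-NULL BaseDllName buffer; FALSE if the
     *   driver object or its DriverSection is NULL, or no entry had a name.
     *
     * NOTE(review): the ring is read without synchronisation against module
     * load/unload, and the LDR_DATA_TABLE_ENTRY layout is undocumented; both
     * are assumptions inherited from the original, not checked here. The
     * original also dereferenced DriverSection before testing it for NULL;
     * that check is now explicit.
     */
    BOOLEAN GetKernelModuleInformationByKernelModuleName(PDRIVER_OBJECT CurrentDriverObject)
    {
        BOOLEAN bOk = FALSE;
        PLDR_DATA_TABLE_ENTRY ListHead = NULL;
        PLDR_DATA_TABLE_ENTRY ListFlink = NULL;

        if (CurrentDriverObject == NULL)
        {
            return FALSE;
        }

        ListHead = (PLDR_DATA_TABLE_ENTRY)CurrentDriverObject->DriverSection;  //dt _DriverObject
        if (ListHead == NULL)
        {
            // Nothing to walk; the original would have faulted on the first print.
            return FALSE;
        }

        // The anchor is the caller's own driver: report it first ...
        if (ReportModuleEntry(ListHead))
        {
            bOk = TRUE;
        }

        // ... then every other entry until the ring wraps back to the anchor.
        for (ListFlink = (PLDR_DATA_TABLE_ENTRY)ListHead->InLoadOrderLinks.Flink;
             ListFlink != ListHead;
             ListFlink = (PLDR_DATA_TABLE_ENTRY)ListFlink->InLoadOrderLinks.Flink)
        {
            //*KernelModuleBase = (PVOID)ListFlink->DllBase;
            //*ulKernelModuleSize = ListFlink->SizeOfImage;
            if (ReportModuleEntry(ListFlink))
            {
                bOk = TRUE;
            }
        }

        return bOk;
    }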
    
    //BOOLEAN GetKernelModuleInformationByKernelModuleName(WCHAR* wzKernelModuleName,PVOID* KernelModuleBase,ULONG32* ulKernelModuleSize)
    //{
    //
    //    BOOLEAN bOk = FALSE;
    //    if (CurrentDriverObject)
    //    {
    //        PLDR_DATA_TABLE_ENTRY ListHead = NULL, ListFlink = NULL;
    //
    //
    //
    //        ListHead    = (PLDR_DATA_TABLE_ENTRY)CurrentDriverObject->DriverSection;  //dt _DriverObject
    //        DbgPrint("%S
    ",ListHead->BaseDllName.Buffer);
    //        if (ListHead->BaseDllName.Buffer&&                                                         
    //            wcsstr(ListHead->BaseDllName.Buffer,wzKernelModuleName)!=NULL)
    //        {
    //
    //
    //            *KernelModuleBase = (PVOID)ListHead->DllBase;
    //            *ulKernelModuleSize = ListHead->SizeOfImage;
    //
    //            bOk = TRUE;
    //        }
    //
    //        ListFlink   = (PLDR_DATA_TABLE_ENTRY)ListHead->InLoadOrderLinks.Flink;
    //
    //        while((PLDR_DATA_TABLE_ENTRY)ListFlink != ListHead)
    //        {
    //            DbgPrint("%S
    ",ListFlink->BaseDllName.Buffer);
    //            if (ListFlink->BaseDllName.Buffer&&                                                         
    //                wcsstr(ListFlink->BaseDllName.Buffer,wzKernelModuleName)!=NULL)
    //            {
    //
    //
    //                *KernelModuleBase = (PVOID)ListFlink->DllBase;
    //                *ulKernelModuleSize = ListFlink->SizeOfImage;
    //
    //                bOk = TRUE;
    //            }
    //
    //            ListFlink = (PLDR_DATA_TABLE_ENTRY)ListFlink->InLoadOrderLinks.Flink;
    //        }
    //    }
    //
    //    return bOk;
    //}
  • 原文地址:https://www.cnblogs.com/yifi/p/6527968.html