[求助]正在学习恢复SSDT的那个C++源码,遇到个小问题[已解决了]
// ReSSDT: rebuild the system service table entries from the kernel image on disk.
//
// Steps, as written below: query the loaded-module list (the code assumes the
// kernel is the first entry), map that kernel file with LoadLibraryEx without
// running it, locate KiServiceTable inside the mapped image, rebase every
// table entry from the image's preferred ImageBase to the running kernel's
// load base, and hand each (index, address) pair to SetProc through hDriver.
// What SetProc does with hDriver is not visible in this file.
//
// hDriver: handle passed straight through to SetProc (opened elsewhere).
// Returns nothing; every failure path returns early.
//
// NOTE(review): all pointer arithmetic goes through DWORD, so this is 32-bit only.
// NOTE(review): pModules leaks when the second query fails (goto strange) and
// when LoadLibraryEx fails; GlobalAlloc's result is never checked before it is
// passed to the second query; the table walk has no length bound other than the
// "entry points inside the image" heuristic (see the MAY FAIL comment below).
void ReSSDT( IN HANDLE hDriver)
{
    HMODULE hKernel;                  // mapped copy of the kernel image
    DWORD dwKSDT;                     // rva of KeServiceDescriptorTable
    DWORD dwKiServiceTable;           // rva of KiServiceTable
    // Starts out pointing at its own 4-byte storage: a scratch buffer for the
    // size-probing call below. It is only dereferenced after being replaced by
    // the GlobalAlloc'd buffer.
    PMODULES pModules=(PMODULES)&pModules;
    DWORD dwNeededSize,rc;            // rc holds an NTSTATUS, checked via NT_SUCCESS
    DWORD dwKernelBase,dwServices=0;  // dwServices doubles as the table index
    PCHAR pKernelName;
    PDWORD pService;
    PIMAGE_FILE_HEADER pfh;
    PIMAGE_OPTIONAL_HEADER poh;
    PIMAGE_SECTION_HEADER psh;
    // Resolved at run time; not checked for NULL before the cast-and-call below.
    FARPROC NtQuerySystemInformationAddr=GetProcAddress(GetModuleHandle("ntdll.dll"),"NtQuerySystemInformation");

    // get system modules - ntoskrnl is always first there
    // Info class 11 with a deliberately too-small buffer: the expected result is
    // STATUS_INFO_LENGTH_MISMATCH plus the required size in dwNeededSize.
    rc=((PFNNtQuerySystemInformation)NtQuerySystemInformationAddr)(11,pModules,4,&dwNeededSize);
    if (rc==STATUS_INFO_LENGTH_MISMATCH) {
        // NOTE(review): a NULL return from GlobalAlloc is not handled.
        pModules=(MODULES *)GlobalAlloc(GPTR,dwNeededSize);
        rc=((PFNNtQuerySystemInformation)NtQuerySystemInformationAddr)(11,pModules,dwNeededSize,NULL);
    } else {
        // Any other outcome of the probe (including unexpected success) bails out.
        // The label is also the target of the goto below, which jumps into this
        // else block; legal C, but it returns without freeing pModules.
strange:
        return;
    }
    if (!NT_SUCCESS(rc)) goto strange;

    // imagebase of the running kernel (first entry of the module list)
    dwKernelBase=(DWORD)pModules->smi.Base;
    // filename - it may be renamed in the boot.ini, so take it from the module
    // list rather than hard-coding "ntoskrnl.exe"
    pKernelName=pModules->smi.ModuleNameOffset+pModules->smi.ImageName;
    // map ntoskrnl as a plain image (no entry point, no imports resolved) -
    // hopefully it has relocs
    hKernel=LoadLibraryEx(pKernelName,0,DONT_RESOLVE_DLL_REFERENCES);
    if (!hKernel) {
        // NOTE(review): pModules is still allocated on this path.
        return;
    }
    GlobalFree(pModules);

    // our own export walker is useless here - we have GetProcAddress :)
    if (!(dwKSDT=(DWORD)GetProcAddress(hKernel,"KeServiceDescriptorTable"))) {
        return;
    }
    // get KeServiceDescriptorTable rva (exported VA minus the mapped base)
    dwKSDT-=(DWORD)hKernel;
    // find KiServiceTable - helper defined elsewhere in this source; presumably
    // it scans the mapped image starting from the KSDT rva and returns 0 on failure
    if (!(dwKiServiceTable=FindKiServiceTable(hKernel,dwKSDT))) {
        return;
    }

    // let's dump KiServiceTable contents
    // MAY FAIL!!!
    // should get right ServiceLimit here, but this is trivial in the kernel mode
    // The loop stops at the first entry that does not fall inside the image; with
    // no ServiceLimit check it can stop early or run past the real table.
    GetHeaders((PCHAR)hKernel,&pfh,&poh,&psh);
    for (pService=(PDWORD)((DWORD)hKernel+dwKiServiceTable);
         *pService-poh->ImageBase<poh->SizeOfImage;
         pService++,dwServices++) {
        // Rebase: on-disk preferred address -> offset in image -> running kernel.
        ULONG ulAddr=*pService-poh->ImageBase+dwKernelBase;
        SetProc( hDriver,dwServices, &ulAddr );
        //printf("%08X\n",ulAddr);
    }
    FreeLibrary(hKernel);
}
请教下这部分如何翻译成DELPHI.
[求助]正在学习恢复SSDT的那个C++源码,遇到个小问题[已解决了]
请问你说的用错的是哪一个函数？
[求助]正在学习恢复SSDT的那个C++源码,遇到个小问题[已解决了]
LZ，你的驱动SYS文件是用哪份代码编译的？是Anskya的那个SSDT UnHook For Delphi的驱动，还是VC的？
[求助]VC的头能否帮忙翻译成DELPHI.自己不会VC.
谁能帮忙翻译 LoadDriver、UnloadDriver、ReSSDT 这三个过程？再次感谢。看来我得慢慢学习VC了，VC还真不懂。