能力值:
( LV12,RANK:210 )
|
-
-
2 楼
//得到ntoskrnl.exe SSDT导出函数服务号
ULONG GetServiceId( PCWSTR FunctionName ) //PCWSTR常量指针,指向16位UNICODE
{
UNICODE_STRING UnicodeFunctionName;
ULONG address;
ULONG ServiceId;
RtlInitUnicodeString( &UnicodeFunctionName, FunctionName );
//MmGetSystemRoutineAddress函数是从Ntoskrnl.exe和HAL中查找导出函数地址
address = (ULONG)MmGetSystemRoutineAddress( &UnicodeFunctionName );
//打印导出函数地址
KdPrint(("[GetServiceId] address:0x%x\n",address));
ServiceId = *(PSHORT)(address + 1);
//打印导出函数服务号
KdPrint(("[GetServiceId] ServiceId:0x%x\n",ServiceId));
return ServiceId;
}
/**************************************************************************************
*
* 函数名: GetFunctionAddress
* 参数:
[IN] PUNICODE_STRING DllName,
[IN] char* FunctionName FunctionName
* 功能描述: 解析PE的EAT表获取导出函数地址
* 返回值: ULONG address
* 作者: sysdog
* 修改记录:
*
***************************************************************************************/
/***************************************************************************************
*
* 原理: R0下没有LoadLibrary函数
* 利用ZwCreateFile打开文件
* 利用ZwCreateSection创建区段
* 利用ZwMapViewOfSection映射区段到当前进程的虚拟内存
* 定位PE Header地址
* 定位第一个数据目录
* 到EAT导出表
* 搜索函数名,定位函数地址
****************************************************************************************/
ULONG GetFunctionId( PUNICODE_STRING DllName, char* FunctionName )
{
NTSTATUS ntstatus;
HANDLE hFile = NULL, hSection = NULL ;
OBJECT_ATTRIBUTES object_attributes;
IO_STATUS_BLOCK io_status = {0};
PVOID baseaddress = NULL;
SIZE_T size = 0;
//模块基址
PVOID ModuleAddress = NULL;
//偏移量
ULONG dwOffset = 0;
PIMAGE_DOS_HEADER dos = NULL;
PIMAGE_NT_HEADERS nt = NULL;
PIMAGE_DATA_DIRECTORY expdir = NULL;
PIMAGE_EXPORT_DIRECTORY exports = NULL;
ULONG addr;
ULONG Size;
PULONG functions;
PSHORT ordinals;
PULONG names;
ULONG max_name;
ULONG max_func;
ULONG i;
ULONG pFunctionAddress;
ULONG ServiceId;
//初始化OBJECT_ATTRIBUTES结构
InitializeObjectAttributes(
&object_attributes,
DllName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);
//打开文件
ntstatus = ZwCreateFile(
&hFile,
FILE_EXECUTE | SYNCHRONIZE,
&object_attributes,
&io_status,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
FILE_OPEN,
FILE_NON_DIRECTORY_FILE |
FILE_RANDOM_ACCESS |
FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0);
if( !NT_SUCCESS( ntstatus ))
{
KdPrint(("[GetFunctionAddress] error0\n"));
KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
return 0;
}
//创建区段
InitializeObjectAttributes(
&object_attributes,
NULL,
OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,
NULL,
NULL);
ntstatus = ZwCreateSection(
&hSection,
SECTION_ALL_ACCESS,
&object_attributes,
0,
PAGE_EXECUTE,
SEC_IMAGE,
hFile);
if( !NT_SUCCESS( ntstatus ))
{
KdPrint(("[GetFunctionAddress] error1\n"));
KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
return 0;
}
//映射区段到进程虚拟空间
ntstatus = ZwMapViewOfSection(
hSection,
NtCurrentProcess(), //ntddk.h定义的宏用来获取当前进程句柄
&baseaddress,
0,
1000,
0,
&size,
(SECTION_INHERIT)1,
MEM_TOP_DOWN,
PAGE_READWRITE);
if( !NT_SUCCESS( ntstatus ))
{
KdPrint(("[GetFunctionAddress] error2\n"));
KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
return 0;
}
ZwClose( hFile );
//得到模块基址
dwOffset = ( ULONG )baseaddress;
//验证基址
KdPrint(("[GetFunctionAddress] BaseAddress:0x%x\n", dwOffset));
dos =(PIMAGE_DOS_HEADER) baseaddress;
nt =(PIMAGE_NT_HEADERS)((ULONG) baseaddress + dos->e_lfanew);
expdir = (PIMAGE_DATA_DIRECTORY)(nt->OptionalHeader.DataDirectory + IMAGE_DIRECTORY_ENTRY_EXPORT);
addr = expdir->VirtualAddress;//数据块起始RVA
Size = expdir->Size; //数据块长度
exports =(PIMAGE_EXPORT_DIRECTORY)((ULONG) baseaddress + addr);
functions =(PULONG)((ULONG) baseaddress + exports->AddressOfFunctions);
ordinals =(PSHORT)((ULONG) baseaddress + exports->AddressOfNameOrdinals);
names =(PULONG)((ULONG) baseaddress + exports->AddressOfNames);
max_name =exports->NumberOfNames;
max_func =exports->NumberOfFunctions;
for (i = 0; i < max_name; i++)
{
ULONG ord = ordinals[i];
if(i >= max_name || ord >= max_func)
{
return 0;
}
if (functions[ord] < addr || functions[ord] >= addr + Size)
{
if (strcmp((PCHAR) baseaddress + names[i], FunctionName) == 0)
{
pFunctionAddress =(ULONG)((ULONG) baseaddress + functions[ord]);
break;
}
}
}
KdPrint(("[GetFunctionAddress] %s:0x%x\n",FunctionName, pFunctionAddress));
ServiceId = *(PSHORT)(pFunctionAddress + 1);
//打印导出函数服务号
KdPrint(("[GetServiceId] ServiceId:0x%x\n",ServiceId));
//卸载区段,释放内存
ZwUnmapViewOfSection( NtCurrentProcess(), baseaddress);
ZwClose( hSection);
return ServiceId;
}
|
能力值:
( LV12,RANK:210 )
|
-
-
3 楼
贴段代码
|
能力值:
( LV2,RANK:10 )
|
-
-
4 楼
收下了 呵~
|
能力值:
( LV3,RANK:20 )
|
-
-
5 楼
学习了..的确很好很强大...
|
能力值:
( LV4,RANK:50 )
|
-
-
6 楼
学习的很用心,看好你。。。
|
能力值:
( LV9,RANK:610 )
|
-
-
7 楼
偶现在ring0能搞定的绝不麻烦ring3,ring3能搞定的绝不麻烦ring0,比如获取SSDT的服务号,ring0也可以从ntdll中取啊
|
能力值:
( LV12,RANK:210 )
|
-
-
8 楼
没错啊 ring0可以从ntdll中取啊 我没说不能
那个简单用哪个
|
能力值:
( LV12,RANK:210 )
|
-
-
9 楼
R0下:1)利用MmGetSystemRoutineAddress函数获取ntoskrnl.exe导出表中函数地址
2)同样解析ntdll.dll导出表:1、利用ZwQuerySystemInformation获取ntdll.dll基址 2、ZwCreateFile ZwCreateSection ZwMapViewOfSection映射内存获得ntdll.dll基址
|
能力值:
( LV2,RANK:10 )
|
-
-
10 楼
原来sysdog就是竹君
|
能力值:
( LV12,RANK:210 )
|
-
-
11 楼
暴漏目标了
|
能力值:
( LV2,RANK:10 )
|
-
-
12 楼
sd老师到哪里都跑不掉的
、
|