正在写一个检测所有已加载模块 inline hook 的小程序，原理很简单：比较内存映像与原始文件的差异。网上的代码需要邀请码，只好自己写写练练手
用下面的代码来重定位三类文件（dll、exe、sys），但在处理某些文件时总感觉漏掉了一些重定位，我暂时找不出来，借各位慧眼一用，哈哈
InitializeObjectAttributes (
&oa,
&uFullPath,
OBJ_CASE_INSENSITIVE,
NULL,
NULL
);
status = ZwOpenFile(
&hFile,
FILE_READ_ACCESS,
&oa,
&IoStatusBlock,
FILE_SHARE_READ,
FILE_SYNCHRONOUS_IO_NONALERT
);
if (!NT_SUCCESS(status))
{
KdPrint (("OpenFile error: %s\n", image));
goto Error;
}
oa.ObjectName = NULL;
status = ZwCreateSection(
&hSection,
SECTION_MAP_EXECUTE,
&oa,
0,
PAGE_EXECUTE,
SEC_IMAGE,
hFile
);
if (!NT_SUCCESS(status))
{
KdPrint (("CreateSection Error: %s", image));
goto Error;
}
size = 0;
status = ZwMapViewOfSection(
hSection,
NtCurrentProcess(),
&BaseAddress,
0,
1000,
0,
&size,
(SECTION_INHERIT)1,
MEM_TOP_DOWN,
PAGE_READWRITE
);
if (!NT_SUCCESS(status))
{
KdPrint (("MapViewSection Error: %s", image));
goto Error;
}
mBase = ExAllocatePool (NonPagedPool, size);
if (NULL == mBase)
{
goto Error;
}
RtlCopyMemory (mBase, BaseAddress, size);
DosHead = (PIMAGE_DOS_HEADER)mBase;
NtHeads = (PIMAGE_NT_HEADERS)((ULONG)DosHead + DosHead->e_lfanew);
RelocDir = (PIMAGE_BASE_RELOCATION)((ULONG)mBase + NtHeads->OptionalHeader.DataDirectory[5].VirtualAddress);
if (RelocDir != NULL)
{
FixAddrBase = RelocDir->VirtualAddress + (ULONG)mBase;
RelocSize = (RelocDir->SizeOfBlock - 8)/2;
for ( i = 0; i < RelocSize; i++)
{
Temp = *(PUSHORT)((ULONG)RelocDir + sizeof (IMAGE_BASE_RELOCATION) + i * 2);
if ( (Temp & 0xF000) == 0x3000)
{
Temp &= 0x0FFF;
FixAddr = FixAddrBase + (ULONG)Temp;
*(PULONG)FixAddr = *(PULONG)FixAddr + (ULONG)kBase - (ULONG)BaseAddress;
}
}
RelocDir = (ULONG)RelocDir + RelocDir->SizeOfBlock;
while (RelocDir->VirtualAddress != 0)
{
FixAddrBase = RelocDir->VirtualAddress + (ULONG)mBase;
RelocSize = (RelocDir->SizeOfBlock - 8)/2;
for ( i = 0; i < RelocSize; i++)
{
Temp = *(PUSHORT)((ULONG)RelocDir + sizeof (IMAGE_BASE_RELOCATION) + i * 2);
if ( (Temp & 0xF000) == 0x3000)
{
Temp &= 0x0FFF;
FixAddr = FixAddrBase + (ULONG)Temp;
*(PULONG)FixAddr = *(PULONG)FixAddr + (ULONG)kBase - (ULONG)BaseAddress;
}
}
RelocDir = (ULONG)RelocDir + RelocDir->SizeOfBlock;
}
}