2 楼
帮你顶起,等待高人回答
3 楼
有方法,看看这个函数是哪个模块导出的,然后自己加载该模块,根据导出表找到
xxopenprocess原始代码的所在位置,读取开头的10个字节,放在你自己的函数里面
怎么放进你的函数,你可以自己申请一段内存,然后在内存里生成你的函数代码,再把这10个字节填充到相应位置
4 楼
看不懂~~帮你顶起来吧
5 楼
// Excerpt of a function body posted without its signature: status, length, SysInfo,
// pSmi, kBase, kSize, ob, pdte, hFile, IoStatusBlock, hSection, size, BaseAddress,
// mBase, DosHead, NtHeads, ExportDir, RelocDir, Name, Ordinal, Function, FixAddrBase,
// RelocSize, i, Temp, FixAddr, SystemFunName, index, Address, Flag, Base and
// MyNtOpenProcessAdddress are used here but declared elsewhere (or not at all).
// The ULONG pointer arithmetic throughout makes this 32-bit only.
// What the excerpt does: map the on-disk image of the module that exports
// NtOpenProcess, rebase a private copy of it to the running module's base, and read
// the first 10 bytes of the function from that copy. Reading a function's on-disk
// prologue is the same step an inline-hook detector or restorer performs; the poster's
// stated goal is the opposite (an SSDT hook).
// CodeBuff receives those 10 bytes.
UCHAR CodeBuff[10];
// First call only sizes the module list; STATUS_INFO_LENGTH_MISMATCH is the expected result.
status = ZwQuerySystemInformation(SystemModuleInformation,NULL,0,&length);
if (status == STATUS_INFO_LENGTH_MISMATCH)
{
SysInfo = ExAllocatePool(NonPagedPool,length);
if (NULL == SysInfo)
{
return;
}
}
// NOTE(review): if the first call returned anything other than the length mismatch,
// SysInfo is passed here without having been allocated in this excerpt. The status of
// this second call is not checked, and SysInfo is never freed in the visible code.
status = ZwQuerySystemInformation(SystemModuleInformation,SysInfo,length,&length);
// Skips the 4-byte module count to reach the first entry; the code assumes that entry
// is the module whose load address is wanted (presumably the kernel image) — confirm.
pSmi = (PSYSTEM_MODULE_INFORMATION)((char*)SysInfo+4);
kBase = (ULONG)(pSmi->Base);
kSize = (ULONG)(pSmi->Size);   // kSize is not used anywhere in this excerpt
// pdte->FullDllName: per post #6 this must be the full path of the original file of the
// module that exports NtOpenProcess; pdte itself is not defined in the excerpt.
InitializeObjectAttributes (
&ob,
&pdte->FullDllName,
OBJ_CASE_INSENSITIVE,
NULL,
NULL
);
// Opens the image file read-only. status is not checked, so hFile may be invalid below.
status = ZwOpenFile(
&hFile,
FILE_READ_ACCESS,
&ob,
&IoStatusBlock,
FILE_SHARE_READ,
FILE_SYNCHRONOUS_IO_NONALERT
);
// ob is reused for the section, but without a name.
ob.ObjectName = NULL;
// SEC_IMAGE section over the file: the view mapped below is laid out like a loaded image.
// status is not checked.
status = ZwCreateSection(
&hSection,
SECTION_MAP_EXECUTE,
&ob,
0,
PAGE_EXECUTE,
SEC_IMAGE,
hFile
);
// size = 0 asks for the whole section; on return size holds the view size used below.
// BaseAddress has to be NULL on entry for the system to pick the address — its
// initialization is not visible here. status is not checked.
size = 0;
status = ZwMapViewOfSection(
hSection,
NtCurrentProcess(),
&BaseAddress,
0,
1000,
0,
&size,
(SECTION_INHERIT)1,
MEM_TOP_DOWN,
PAGE_READWRITE
);
// Copies the mapped view into a private pool buffer so it can be relocated in place.
// NOTE(review): the allocation result is not checked before RtlCopyMemory, and neither
// the view nor hSection/hFile is unmapped or closed anywhere in this excerpt.
mBase = ExAllocatePool (NonPagedPool, size);
RtlCopyMemory (mBase, BaseAddress, size);
// PE header walk. e_lfanew and the directory RVAs come from the file and are not
// bounds-checked against size.
DosHead = (PIMAGE_DOS_HEADER)mBase;
NtHeads = (PIMAGE_NT_HEADERS)((ULONG)DosHead + DosHead->e_lfanew);
// DataDirectory[0] is the export directory and [5] the base-relocation directory
// (IMAGE_DIRECTORY_ENTRY_EXPORT / IMAGE_DIRECTORY_ENTRY_BASERELOC).
ExportDir = (PIMAGE_EXPORT_DIRECTORY)((PUCHAR)mBase + NtHeads->OptionalHeader.DataDirectory[0].VirtualAddress);
RelocDir = (PIMAGE_BASE_RELOCATION)((ULONG)mBase + NtHeads->OptionalHeader.DataDirectory[5].VirtualAddress);
Name = mBase + ExportDir->AddressOfNames;
Ordinal = mBase + ExportDir->AddressOfNameOrdinals;
Function = mBase + ExportDir->AddressOfFunctions;
// NOTE(review): RelocDir is mBase plus an RVA, so it is never NULL; when the image has no
// relocation directory (RVA 0) it points at the DOS header instead, and this check does
// not protect the loop below.
if (RelocDir != NULL)
{
// Walks relocation blocks until a zeroed terminator block. Nothing checks that a block
// (or the fix-up address it yields) lies inside the size bytes copied above.
while (RelocDir->VirtualAddress != 0 || RelocDir->SizeOfBlock != 0)
{
FixAddrBase = RelocDir->VirtualAddress + (ULONG)mBase;
// (SizeOfBlock - 8-byte block header) / sizeof(USHORT) = number of entries in the block
RelocSize = (RelocDir->SizeOfBlock - 8)/2;
for ( i = 0; i < RelocSize; i++)
{
Temp = *(PUSHORT)((ULONG)RelocDir + sizeof (IMAGE_BASE_RELOCATION) + i * 2);
// Type 3 (IMAGE_REL_BASED_HIGHLOW): rebase a 32-bit absolute address from the file's
// preferred ImageBase to kBase. Other relocation types are ignored.
if ( (Temp & 0xF000) == 0x3000)
{
Temp &= 0x0FFF;
FixAddr = FixAddrBase + (ULONG)Temp;
*(PULONG)FixAddr = *(PULONG)FixAddr + (ULONG)kBase - (ULONG)NtHeads->OptionalHeader.ImageBase;
}
}
RelocDir = (ULONG)RelocDir + RelocDir->SizeOfBlock;
}
}
// Looks up NtOpenProcess by name (case-insensitive) in the export table.
for (i = 0; i < ExportDir->NumberOfNames; i++)
{
// NOTE(review): this line uses Base while every other line uses mBase; Base is not
// declared in this excerpt.
SystemFunName = (PCHAR)(*(PULONG)(Name + i * 4) + (ULONG)Base);
index = *((PUSHORT)(Ordinal + i * 2));
Address = *((PULONG)(Function + index * 4));
// Flag is not declared here; when it is non-zero the loop never breaks.
if (Flag == 0)
{
if (!stricmp ("NtOpenProcess", SystemFunName))
{
break;
}
}
}
// NOTE(review): Address is overwritten on every iteration, so if the name is never found
// the loop ends with the last export's RVA and this copies 10 bytes of the wrong
// function. memcopy is not a standard routine (the function below uses memcpy).
memcopy (CodeBuff, Address + mBase, 10);
// At this point CodeBuff holds the first 10 bytes of the original NtOpenProcess code.
MyNtOpenProcessAdddress = MyNtProcessBorn (CodeBuff);
// Done: everything is in place, and the SSDT hook can proceed.
// Builds a 15-byte trampoline in nonpaged pool: the 10 bytes saved in CodeBuff followed
// by a 5-byte relative JMP (0xE9 rel32) whose target is realntopenprocessaddress.
// Returns the buffer address as a ULONG (32-bit only).
// NOTE(review): realntopenprocessaddress and offset are not declared in this excerpt,
// and the buffer is written through myntprocessaddress while it is declared and returned
// as myntopenprocessaddress — as posted, the two names do not match and this does not
// compile. The pool allocation is not checked before it is written. Whether NonPagedPool
// memory is executable depends on the OS version (an NX nonpaged pool exists on newer
// Windows), so the buffer cannot be assumed runnable.
ULONG MyNtProcessBorn (PUCHAR CodeBuff)
{
PUCHAR Temp;
ULONG myntopenprocessaddress;
myntopenprocessaddress = ExAllocatePool (NonPagedPool, 15);   // 10 saved bytes + 5-byte JMP
memcpy (myntprocessaddress, CodeBuff, 10);
Temp = (PUCHAR)myntprocessaddress + 10;
*(PUCHAR)Temp = 0xE9;   // JMP rel32 opcode
Temp += 1;
// rel32 is measured from the end of the 4-byte displacement, hence the -4.
offset = (ULONG)realntopenprocessaddress - (ULONG)Temp - 4;
*(PULONG)Temp = offset;
return myntopenprocessaddress;
}
6 楼
哦,还少了个源文件的定义,pdte->FullDllName,换成 ntopenprocess所在模块的原始文件的全路径就ok了