[求助]Ring0注入Ring3奇怪问题
发表于:
2010-11-8 21:32
6244
我把下面代码用 NtAllocateVirtualMemory 从Ring0注入 explorer.exe,然后用APC启动。
用调试器附加,发现运行正常。这段代码的功能是取得 LoadLibrary 和 GetProcAddress 的地址。
但是这个 LoadLibrary 用起来有问题:load 系统 dll(kernel32.dll)一切正常,但 load 我自己写的 dll,哪怕是个空 dll 也会报错,访问冲突。问题在哪呢?
系统 win7 x64
/*
 * getload - resolve APIs by walking a PE export table.
 *
 * Finds "LoadLibraryA" and "GetProcAddress" by name in the export
 * directory of the module returned by mGEtkernel32base(), then uses them
 * to resolve WinExec and launch a hard-coded path. No import table is
 * involved: every pointer is derived from PE headers read in memory.
 * This manual export walk is the usual shape of position-independent
 * code that has been written into another process, and is a well-known
 * indicator for defenders because the resolved pointers live only in
 * the injected region, never in a loader-managed module.
 *
 * Returns nothing; bails out early (without any error reporting) if the
 * base-address pointer was never patched or if an ordinal is out of
 * range.
 */
void getload()
{
    /* Placeholder function pointer. Presumably the injector overwrites
       the constant with the real address before the APC runs (the
       commented line below shows the intended target); if it is still
       the placeholder, return instead of calling through it. */
    GEtkernel32base mGEtkernel32base = (GEtkernel32base)0x1111111111111111;
    //mGEtkernel32base = Getkernel32base;
    PVOID baseaddress = NULL;
    //module base address
    //offset
    PIMAGE_DOS_HEADER dos = NULL;
    PIMAGE_NT_HEADERS nt = NULL;
    PIMAGE_DATA_DIRECTORY expdir = NULL;
    PIMAGE_EXPORT_DIRECTORY exports = NULL;
    ULONG64 addr;            /* RVA of the export directory */
    ULONG64 Size;            /* size in bytes of the export directory */
    PULONG functions;        /* AddressOfFunctions table: one RVA per ordinal */
    /* AddressOfNameOrdinals table. NOTE(review): the PE format stores these
       as 16-bit unsigned values; reading them through a signed SHORT
       sign-extends anything >= 0x8000, and the range check in the loop
       below then treats such an entry as out of range and returns. */
    PSHORT ordinals;
    PULONG names;            /* AddressOfNames table: RVA of each exported name string */
    ULONG64 max_name;        /* NumberOfNames */
    ULONG64 max_func;        /* NumberOfFunctions */
    ULONG64 i;
    /* NOTE(review): neither of these two pointers is initialized; they are
       only assigned when the matching name is found, yet both are called
       unconditionally after the loop. */
    LOadLibraryA LoadLibraryAAddress;
    GEtProcAddress GetProcAddressAddress;
    Test test =NULL;         /* unused in this version */
    BOOL cmp=FALSE;          /* result of the byte-wise name comparison */
    int cmpi = 0;            /* index into the strings being compared */
    int cmpok = 0;           /* how many of the two target names have been matched */
    char* functionName;
    char* LoadLibraryC = "LoadLibraryA";
    char* GetProcAddressC = "GetProcAddress";
    ULONG64 hNtDll;          /* despite the name, holds the handle returned for "kernel32.dll" */
    MEssageBoxA mMessageBoxA; /* unused in this version */
    WInExec WinExec;
    if(mGEtkernel32base == (GEtkernel32base)0x1111111111111111)
    {
        return;
    }
    baseaddress = mGEtkernel32base();
    /* DOS header -> e_lfanew -> NT headers -> export data directory. */
    dos =(PIMAGE_DOS_HEADER) baseaddress;
    nt =(PIMAGE_NT_HEADERS)((ULONG64) baseaddress + dos->e_lfanew);
    expdir = (PIMAGE_DATA_DIRECTORY)(nt->OptionalHeader.DataDirectory + IMAGE_DIRECTORY_ENTRY_EXPORT);
    /*
    ZwClose( hFile );
    ZwUnmapViewOfSection( NtCurrentProcess(), baseaddress);
    ZwClose( hSection);
    return 0;*/
    addr = expdir->VirtualAddress;//start RVA of the export directory
    Size = expdir->Size; //length of the export directory
    exports =(PIMAGE_EXPORT_DIRECTORY)((ULONG64) baseaddress + addr);
    functions =(PULONG)((ULONG64) baseaddress + exports->AddressOfFunctions);
    ordinals =(PSHORT)((ULONG64) baseaddress + exports->AddressOfNameOrdinals);
    names =(PULONG)((ULONG64) baseaddress + exports->AddressOfNames);
    max_name =exports->NumberOfNames;
    max_func =exports->NumberOfFunctions;
    /* Walk the name table; names[i] and ordinals[i] are parallel arrays,
       and ordinals[i] indexes the function table. */
    for (i = 0; i < max_name; i++)
    {
        ULONG ord = ordinals[i];
        /* The i >= max_name test can never be true here (the loop
           condition already excludes it); only the ordinal check matters. */
        if(i >= max_name || ord >= max_func)
        {
            return;
        }
        /* An export whose RVA falls inside the export directory itself is
           a forwarder string, not code; those are skipped. */
        if (functions[ord] < addr || functions[ord] >= addr + Size)
        {
            functionName = (char*) ((BYTE*)baseaddress + names[i]);
            //ProbeForRead(functionName,8,8);
            /* Hand-rolled strcmp against "LoadLibraryA". The bound is the
               literal's size including its NUL (13); the loop exits earlier
               on the first mismatch or when both strings end together. */
            cmp=TRUE;
            cmpi=0;
            //int ti = sizeof("LoadLibraryA");
            while(cmpi<sizeof("LoadLibraryA"))
            {
                if(functionName[cmpi]!=LoadLibraryC[cmpi])
                {
                    cmp = FALSE;
                    break;
                }
                if(functionName[cmpi]==0x00 ||LoadLibraryC[cmpi]==0x00)
                {
                    /* Unreachable: the mismatch test above already ensured
                       the two bytes are equal at this index. */
                    if(functionName[cmpi]!=LoadLibraryC[cmpi])
                    {
                        cmp = FALSE;
                    }
                    break;
                }
                cmpi++;
            }
            if(cmp)
            {
                LoadLibraryAAddress =(LOadLibraryA)((ULONG64) baseaddress + functions[ord]);
                cmpok++;
                //break;
            }
            /* Same comparison against "GetProcAddress". NOTE(review): the bound
               uses sizeof("GetProcAddressAddress") (22) rather than the size
               of the string actually compared (15); this is harmless only
               because the NUL test breaks the loop first. */
            cmp=TRUE;
            cmpi=0;
            while(cmpi<sizeof("GetProcAddressAddress"))
            {
                if(functionName[cmpi]!=GetProcAddressC[cmpi])
                {
                    cmp = FALSE;
                    break;
                }
                if(functionName[cmpi]==0x00 ||GetProcAddressC[cmpi]==0x00)
                {
                    /* Unreachable for the same reason as above. */
                    if(functionName[cmpi]!=GetProcAddressC[cmpi])
                    {
                        cmp = FALSE;
                    }
                    break;
                }
                cmpi++;
            }
            if(cmp)
            {
                GetProcAddressAddress =(GEtProcAddress)((ULONG64) baseaddress + functions[ord]);
                cmpok++;
                //break;
            }
            /* Stop once both names have been found. */
            if(cmpok>=2)
            {
                break;
            }
            /*
            if (mstrcmp(functionName, "LoadLibraryA" ,sizeof("LoadLibraryA")) == 0)
            {
            LoadLibraryAAddress =(LOadLibraryA)((ULONG64) baseaddress + functions[ord]);
            break;
            }*/
            /*
            if (mstrcmp(functionName, "GetProcAddress" ,sizeof("GetProcAddress")) == 0)
            {
            GetProcAddressAddress =(GEtProcAddress)((ULONG64) baseaddress + functions[ord]);
            }*/
            //functionName = (char*)( (BYTE*)hMod + arrayOfFunctionNames[x]);
            /*RtlInitString(&ntFunctionName, functionName);
            if (RtlCompareString(&ntFunctionName, &ntFunctionNameSearch, TRUE) == 0)
            {
            pFunctionAddress =(ULONG)((ULONG) baseaddress + functions[ord]);
            break;
            }*/
        }
    }
    //i = (DWORD64)Getkernel32base();
    /* NOTE(review): no check that cmpok reached 2. If the loop ran to
       completion without matching both names, the calls below go through
       indeterminate pointers. */
    hNtDll = LoadLibraryAAddress( "kernel32.dll" );
    //hNtDll = mLoadLibraryA( "Symbols.exe" );
    /* Re-resolve both APIs through GetProcAddress itself; with kernel32's
       own handle this yields the same addresses the export walk produced. */
    GetProcAddressAddress =(GEtProcAddress)GetProcAddressAddress(hNtDll, "GetProcAddress");
    //mMessageBoxA(NULL,NULL,NULL,MB_OK );
    LoadLibraryAAddress = (LOadLibraryA)GetProcAddressAddress(hNtDll, "LoadLibraryA");
    WinExec =(WInExec)GetProcAddressAddress(hNtDll, "WinExec");
    /* Launches the hard-coded path; the second argument is the nCmdShow value. */
    WinExec("E:\\temp\\pg\\Symbols.exe",5);
    //hNtDll = LoadLibraryAAddress( "Symdll.dll" );
    //hNtDll = mLoadLibraryA( "Symbols.exe" );
    //test =(Test)GetProcAddressAddress(hNtDll, "?test@@YA_KXZ");
    //mMessageBoxA(NULL,NULL,NULL,0 );
    //*(ULONG64*)((ULONG64)getload-9)= test();
    //KdPrint(("[GetFunctionAddress] %s:0x%x\n",FunctionName, pFunctionAddress));
    //ServiceId = 0;
    return ;
}