[旧帖] [求助][求助][求助][求助][求助]win7下无法从win32k.sys读取正确的Shadow 函数原始地址 0.00雪花
发表于: 2010-12-27 14:21 893
SSDT Shadow表的真实地址 - win32k.sys基址 = RVA。代码在XP、2000下测试可以读取到正确的函数原始地址，在Win7下读取到的却是错误的，求高手解答原因！
代码如下
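/*
 * Reads the shadow service table (KeServiceDescriptorTableShadow[1]) from the
 * on-disk copy of win32k.sys and prints the first entry as stored in the file.
 *
 * Uses file-scope names defined elsewhere in this file: getAddressOfShadowTable(),
 * KeServiceDescriptorTableShadow and pWin32kBase.
 *
 * Returns STATUS_SUCCESS, or the NT status of the step that failed
 * (STATUS_INSUFFICIENT_RESOURCES when the pool allocation fails,
 * STATUS_END_OF_FILE on a short read). The handle and the buffer are released
 * on every path.
 *
 * NOTE(review): two things still make the value printed here differ from the
 * live table on Vista/Win7; neither is fixed below because both need the PE
 * headers (ntimage.h), which this listing does not show as included:
 *  - ServiceTableBase - pWin32kBase is an RVA, not a raw file offset. It has to
 *    be mapped through the section table (VirtualAddress -> PointerToRawData)
 *    before seeking; it only coincides with the file offset when the image's
 *    file alignment and section alignment agree.
 *  - The entries in the file are absolute addresses linked against the PE's
 *    preferred ImageBase. When the kernel loads win32k.sys at another base
 *    (Vista and later randomise driver bases), rebase each entry with
 *    value - ImageBase + pWin32kBase before comparing it with the in-memory table.
 */
NTSTATUS RestoreShadow()
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    HANDLE hFile = NULL;            /* NULL so the cleanup path never closes a stale handle */
    OBJECT_ATTRIBUTES ObjAttr;
    UNICODE_STRING ustrWin32k;
    IO_STATUS_BLOCK ioStatus;
    LARGE_INTEGER Offset;
    PULONG pAddr = NULL;
    ULONG ulCount;
    ULONG ulBytes;
    ULONG ulShadowBase;
    ULONG ulShadowRaw;
    ULONG OrigAddress;

    KeServiceDescriptorTableShadow = (PServiceDescriptorTableEntry)getAddressOfShadowTable();
    ulCount = KeServiceDescriptorTableShadow[1].NumberOfServices;
    KdPrint(("ulCount=%d \n", ulCount));
    ulShadowBase = *(ULONG *)&KeServiceDescriptorTableShadow[1].ServiceTableBase;
    KdPrint(("ulShadowBase=%x \n", ulShadowBase));

    /* Reject a table that is empty, whose byte count would overflow, or that does
       not lie above the module base (the subtraction below would wrap). */
    if (ulCount == 0 || ulCount > MAXULONG / sizeof(ULONG) || ulShadowBase < (ULONG)pWin32kBase) {
        return STATUS_UNSUCCESSFUL;
    }
    ulBytes = ulCount * sizeof(ULONG);
    ulShadowRaw = ulShadowBase - (ULONG)pWin32kBase;   /* RVA of the table; see NOTE above */
    KdPrint(("ulShadowRaw=%x \n", ulShadowRaw));

    /* Tagged allocation so a leak is attributable in poolmon; the tag is arbitrary. */
    pAddr = (PULONG)ExAllocatePoolWithTag(PagedPool, ulBytes, 'bTsS');
    if (!pAddr) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    RtlInitUnicodeString(&ustrWin32k, L"\\SystemRoot\\System32\\win32k.sys");
    InitializeObjectAttributes(&ObjAttr, &ustrWin32k, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);

    /* FILE_READ_DATA is the right ZwReadFile is checked against (FILE_READ_ATTRIBUTES
       alone is refused). SYNCHRONIZE + FILE_SYNCHRONOUS_IO_NONALERT make the read block
       until the data is in pAddr; without them ZwReadFile may return STATUS_PENDING,
       which NT_SUCCESS() accepts, and the buffer is then read before the I/O completes. */
    status = IoCreateFile(&hFile,
                          FILE_READ_DATA | SYNCHRONIZE,
                          &ObjAttr,
                          &ioStatus,
                          NULL,
                          FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_READ,
                          FILE_OPEN,
                          FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
                          NULL,
                          0,
                          CreateFileTypeNone,
                          NULL,
                          IO_NO_PARAMETER_CHECKING);
    if (!NT_SUCCESS(status)) {
        hFile = NULL;
        goto cleanup;
    }

    Offset.QuadPart = ulShadowRaw;
    status = ZwReadFile(hFile, NULL, NULL, NULL, &ioStatus, pAddr, ulBytes, &Offset, NULL);
    if (!NT_SUCCESS(status)) {
        goto cleanup;
    }
    if (ioStatus.Information < ulBytes) {
        status = STATUS_END_OF_FILE;     /* short read: part of the table would be uninitialised */
        goto cleanup;
    }

    KdPrint(("pAddr=%x \n", pAddr));
    OrigAddress = pAddr[0];              /* first entry exactly as stored in the file (not rebased) */
    KdPrint(("OrigAddress=%x \n", OrigAddress));

cleanup:
    ExFreePoolWithTag(pAddr, 'bTsS');    /* pAddr is non-NULL on every path that reaches here */
    if (hFile) {
        ZwClose(hFile);
    }
    return status;
}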
代码如下
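/*
 * Reads the shadow service table (KeServiceDescriptorTableShadow[1]) from the
 * on-disk copy of win32k.sys and prints the first entry as stored in the file.
 *
 * Uses file-scope names defined elsewhere in this file: getAddressOfShadowTable(),
 * KeServiceDescriptorTableShadow and pWin32kBase.
 *
 * Returns STATUS_SUCCESS, or the NT status of the step that failed
 * (STATUS_INSUFFICIENT_RESOURCES when the pool allocation fails,
 * STATUS_END_OF_FILE on a short read). The handle and the buffer are released
 * on every path.
 *
 * NOTE(review): two things still make the value printed here differ from the
 * live table on Vista/Win7; neither is fixed below because both need the PE
 * headers (ntimage.h), which this listing does not show as included:
 *  - ServiceTableBase - pWin32kBase is an RVA, not a raw file offset. It has to
 *    be mapped through the section table (VirtualAddress -> PointerToRawData)
 *    before seeking; it only coincides with the file offset when the image's
 *    file alignment and section alignment agree.
 *  - The entries in the file are absolute addresses linked against the PE's
 *    preferred ImageBase. When the kernel loads win32k.sys at another base
 *    (Vista and later randomise driver bases), rebase each entry with
 *    value - ImageBase + pWin32kBase before comparing it with the in-memory table.
 */
NTSTATUS RestoreShadow()
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    HANDLE hFile = NULL;            /* NULL so the cleanup path never closes a stale handle */
    OBJECT_ATTRIBUTES ObjAttr;
    UNICODE_STRING ustrWin32k;
    IO_STATUS_BLOCK ioStatus;
    LARGE_INTEGER Offset;
    PULONG pAddr = NULL;
    ULONG ulCount;
    ULONG ulBytes;
    ULONG ulShadowBase;
    ULONG ulShadowRaw;
    ULONG OrigAddress;

    KeServiceDescriptorTableShadow = (PServiceDescriptorTableEntry)getAddressOfShadowTable();
    ulCount = KeServiceDescriptorTableShadow[1].NumberOfServices;
    KdPrint(("ulCount=%d \n", ulCount));
    ulShadowBase = *(ULONG *)&KeServiceDescriptorTableShadow[1].ServiceTableBase;
    KdPrint(("ulShadowBase=%x \n", ulShadowBase));

    /* Reject a table that is empty, whose byte count would overflow, or that does
       not lie above the module base (the subtraction below would wrap). */
    if (ulCount == 0 || ulCount > MAXULONG / sizeof(ULONG) || ulShadowBase < (ULONG)pWin32kBase) {
        return STATUS_UNSUCCESSFUL;
    }
    ulBytes = ulCount * sizeof(ULONG);
    ulShadowRaw = ulShadowBase - (ULONG)pWin32kBase;   /* RVA of the table; see NOTE above */
    KdPrint(("ulShadowRaw=%x \n", ulShadowRaw));

    /* Tagged allocation so a leak is attributable in poolmon; the tag is arbitrary. */
    pAddr = (PULONG)ExAllocatePoolWithTag(PagedPool, ulBytes, 'bTsS');
    if (!pAddr) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    RtlInitUnicodeString(&ustrWin32k, L"\\SystemRoot\\System32\\win32k.sys");
    InitializeObjectAttributes(&ObjAttr, &ustrWin32k, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);

    /* FILE_READ_DATA is the right ZwReadFile is checked against (FILE_READ_ATTRIBUTES
       alone is refused). SYNCHRONIZE + FILE_SYNCHRONOUS_IO_NONALERT make the read block
       until the data is in pAddr; without them ZwReadFile may return STATUS_PENDING,
       which NT_SUCCESS() accepts, and the buffer is then read before the I/O completes. */
    status = IoCreateFile(&hFile,
                          FILE_READ_DATA | SYNCHRONIZE,
                          &ObjAttr,
                          &ioStatus,
                          NULL,
                          FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_READ,
                          FILE_OPEN,
                          FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
                          NULL,
                          0,
                          CreateFileTypeNone,
                          NULL,
                          IO_NO_PARAMETER_CHECKING);
    if (!NT_SUCCESS(status)) {
        hFile = NULL;
        goto cleanup;
    }

    Offset.QuadPart = ulShadowRaw;
    status = ZwReadFile(hFile, NULL, NULL, NULL, &ioStatus, pAddr, ulBytes, &Offset, NULL);
    if (!NT_SUCCESS(status)) {
        goto cleanup;
    }
    if (ioStatus.Information < ulBytes) {
        status = STATUS_END_OF_FILE;     /* short read: part of the table would be uninitialised */
        goto cleanup;
    }

    KdPrint(("pAddr=%x \n", pAddr));
    OrigAddress = pAddr[0];              /* first entry exactly as stored in the file (not rebased) */
    KdPrint(("OrigAddress=%x \n", OrigAddress));

cleanup:
    ExFreePoolWithTag(pAddr, 'bTsS');    /* pAddr is non-NULL on every path that reaches here */
    if (hFile) {
        ZwClose(hFile);
    }
    return status;
}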