-
-
[旧帖] [分享]通过SSDT Hook 绕过读内存保护 NtReadVirtualMemory 0.00雪花
-
发表于: 2011-6-6 21:42
-
通过SSDT Hook 绕过读内存保护 NtReadVirtualMemory
#pragma PAGECODE
__declspec(naked) VOID yjxsoft_com_NtReadVirtualMemory()
{
//KdPrint(("yjxsoft_com_NtReadVirtualMemory\n"));
__asm
{
//
push 0x1c
push readpush ////压栈参数
//
jmp readjmpaddr
}
}
mov eax, KeServiceDescriptorTable
mov eax,[eax] //address of KeServiceDescriptorTable
mov ssdtaddr,eax
mov eax,ssdtaddr
add eax,2e8h //0xBA * 4 ntreadvirtualmemoryaddr ssdt186
mov eax,DWORD PTR [eax]
mov oldreadaddr,eax
mov ebx,DWORD PTR [eax+3h]
mov readpush,ebx
add eax,7h
mov readjmpaddr,eax
#pragma PAGECODE
__declspec(naked) VOID yjxsoft_com_NtReadVirtualMemory()
{
//KdPrint(("yjxsoft_com_NtReadVirtualMemory\n"));
__asm
{
//
push 0x1c
push readpush ////压栈参数
//
jmp readjmpaddr
}
}
mov eax, KeServiceDescriptorTable
mov eax,[eax] //address of KeServiceDescriptorTable
mov ssdtaddr,eax
mov eax,ssdtaddr
add eax,2e8h //0xBA * 4 ntreadvirtualmemoryaddr ssdt186
mov eax,DWORD PTR [eax]
mov oldreadaddr,eax
mov ebx,DWORD PTR [eax+3h]
mov readpush,ebx
add eax,7h
mov readjmpaddr,eax
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
