[原创]驱动中获取PsActiveProcessHead变量地址的五种方法
发表于:
2012-2-11 03:48
/*
 * FindPsActiveProcessHead1 - read PsActiveProcessHead out of
 * KdDebuggerDataBlock, which is found by byte-signature scanning.
 *
 * Step 1: scan the first 100 bytes of KdEnableDebugger for the sequence
 *         below and resolve the first CALL to get KdInitSystem.
 *   nt!KdEnableDebugger 804f7810
 *   804f7837 6a00            push 0
 *   804f7839 6a00            push 0
 *   804f783b c605ecab558001  mov byte ptr [nt!PoHiberInProgress (8055abec)],1
 *   804f7842 e8f7951600      call nt!KdInitSystem (80660e3e)
 *   804f7847 e8649a1600      call nt!KdpRestoreAllBreakpoints (806612b0)
 *
 * Step 2: scan the first 100 bytes of KdInitSystem for the sequence below
 *         and take the operand of the second PUSH as KdDebuggerDataBlock.
 *   nt!KdInitSystem 80660e3e
 *   80660e8e 6890020000      push 290h
 *   80660e93 68606b5480      push offset nt!KdDebuggerDataBlock (80546b60)
 *   80660e98 be74926780      mov esi,offset nt!KdpDebuggerDataListHead (80679274)
 *
 * Returns the PsActiveProcessHead field of that block, or 0 when the export
 * lookup or either signature search fails.
 *
 * NOTE(review): both signatures are taken from the one kernel build
 * disassembled above. On any other build the scan either returns 0 or, in
 * the worse case, matches unrelated bytes and the function then dereferences
 * an arbitrary address; nothing here checks that the scanned or resolved
 * memory is mapped.
 * NOTE(review): each probe reads up to 0x10 (step 1) or 0xA (step 2) bytes
 * past the current position, so the scan touches memory beyond the 100-byte
 * window.
 * NOTE(review): PCALL_CODE is defined elsewhere; this code assumes it
 * overlays one opcode byte followed by a 32-bit operand named address -
 * confirm the struct is byte-packed.
 * NOTE(review): PsActiveProcessHead is a 64-bit field in the public
 * KDDEBUGGER_DATA64 layout; the implicit narrowing to ULONG on return
 * assumes a 32-bit kernel - confirm.
 */
ULONG FindPsActiveProcessHead1()
{
    PUCHAR kdEnable = (PUCHAR)GetExportFuncAddress(L"KdEnableDebugger");
    PUCHAR pKdInitSystem = NULL;
    PUCHAR scan;
    PCALL_CODE insn;
    ULONG off;

    KdPrint(("KdEnableDebugger地址=%x\n",kdEnable));
    if (kdEnable == NULL)
    {
        KdPrint(("获取KdEnableDebugger地址失败\n"));
        return 0;
    }

    /* Step 1: KdEnableDebugger -> KdInitSystem. */
    for (off = 0; off < 100; off++)
    {
        scan = kdEnable + off;

        /* Reject the position as soon as any signature byte differs. */
        if (scan[0] != 0x6a || scan[1] != 0x00 ||
            scan[2] != 0x6a || scan[3] != 0x00 ||
            scan[4] != 0xc6 || scan[5] != 0x05 ||
            scan[0xb] != 0xe8 || scan[0x10] != 0xe8)
        {
            continue;
        }

        /* Near CALL: target = address of the CALL + rel32 + 5 (length). */
        insn = (PCALL_CODE)(scan + 0xb);
        pKdInitSystem = scan + 0xb + insn->address + 5;
        KdPrint(("KdInitSystem地址=%x\n",pKdInitSystem));
        break;
    }

    if (pKdInitSystem == NULL)
    {
        KdPrint(("获取KdInitSystem地址失败\n"));
        return 0;
    }

    /* Step 2: KdInitSystem -> KdDebuggerDataBlock -> PsActiveProcessHead. */
    for (off = 0; off < 100; off++)
    {
        scan = pKdInitSystem + off;

        if (scan[0] == 0x68 && scan[5] == 0x68 && scan[0xA] == 0xbe)
        {
            /* The second PUSH's immediate is used as the block's address. */
            insn = (PCALL_CODE)(scan + 5);
            KdPrint(("KdDebuggerDataBlock地址=%x\n",insn->address));
            KdPrint(("PsActiveProcessHead地址=%x\n",((PKDDEBUGGER_DATA64)insn->address)->PsActiveProcessHead));
            return ((PKDDEBUGGER_DATA64)insn->address)->PsActiveProcessHead;
        }
    }

    KdPrint(("获取KdDebuggerDataBlock地址失败\n"));
    return 0;
}
/*
 * FindPsActiveProcessHead - derive PsActiveProcessHead from the process
 * object with PID 4.
 *
 * pPsActiveProcessHead: receives the Blink of that process's
 *                       ActiveProcessLinks entry, cast to ULONG. It is
 *                       written only on success.
 *
 * Returns the NTSTATUS from PsLookupProcessByProcessId.
 *
 * NOTE(review): 0x88 is the XP _EPROCESS offset of ActiveProcessLinks (see
 * the comment below); on any other build this reads an unrelated field.
 * NOTE(review): treating Blink as the list head presumes PID 4 (the System
 * process on XP and later) is the first entry in the active-process list -
 * confirm. No lock is taken around the read.
 * NOTE(review): the (ULONG) cast of a pointer assumes a 32-bit kernel, and
 * pPsActiveProcessHead is written without a NULL check.
 */
NTSTATUS FindPsActiveProcessHead(ULONG *pPsActiveProcessHead)
{
    PEPROCESS systemProc;
    PLIST_ENTRY links = NULL;
    NTSTATUS status;

    status = PsLookupProcessByProcessId((HANDLE)4, &systemProc);
    if (NT_SUCCESS(status))
    {
        /* xp _EPROCESS +0x088 ActiveProcessLinks : _LIST_ENTRY */
        links = (PLIST_ENTRY)((PUCHAR)systemProc + 0x88);
        KdPrint(("PsActiveProcessHead地址=%x\n",links->Blink));
        *pPsActiveProcessHead = (ULONG)links->Blink;

        /* Release the reference taken by the successful lookup. */
        ObDereferenceObject(systemProc);
    }
    else
    {
        KdPrint(("获取process失败\n"));
    }

    return status;
}
/*
 * FindPsActiveProcessHead3 - derive PsActiveProcessHead from
 * PsInitialSystemProcess.
 *
 * Reads a 32-bit value through PsInitialSystemProcess, treats it as the
 * address of an _EPROCESS, and returns the Blink of the LIST_ENTRY at
 * offset 0x88 in it, cast to ULONG.
 *
 * NOTE(review): the extra dereference treats PsInitialSystemProcess as the
 * address of the variable holding the EPROCESS pointer. Whether that is
 * right depends on how the symbol is declared in this project (declaration
 * not shown) - confirm, since one dereference too many or too few reads the
 * wrong memory.
 * NOTE(review): 0x88 is the XP _EPROCESS offset of ActiveProcessLinks, and
 * the ULONG arithmetic assumes a 32-bit kernel. No validity check or lock
 * guards the read.
 */
ULONG FindPsActiveProcessHead3()
{
    PULONG slot = (PULONG)PsInitialSystemProcess;
    ULONG eprocess = *slot;
    /* xp _EPROCESS +0x088 ActiveProcessLinks : _LIST_ENTRY */
    PLIST_ENTRY links = (PLIST_ENTRY)(eprocess + 0x88);

    KdPrint(("PsActiveProcessHead地址=%x\n",links->Blink));
    return (ULONG)links->Blink;
}