ULONG* KiAttachProcessAddress;
__declspec(naked) void Nake_KiAttachProcess()
{
__asm
{
mov edi,edi
push ebp
mov ebp,esp
push ebx
push esi
mov eax,KiAttachProcessAddress //注意这个是全局变量 BYTE*
add eax,7
jmp eax
}
}
NTSTATUS My_RecoveryHook_KiAttachProcess()
{
BYTE *KeAttachProcessAddress = NULL; //KeAttachProcess函数地址
BYTE *pKiAddrToKe;
BYTE *p;
BYTE MovEaxAddress[5] = {0xB8,0,0,0,0}; //
BYTE JmpEax[2] = {0xff,0xe0};
KIRQL Irql;
//特征码
BYTE Signature1 = 0x56, //p-1
Signature2 = 0x57, //p-2
Signature3 = 0x5F, //p-3
Signature4 = 0x5E, //p+5
Signature5 = 0xE8; //p第一个字节
//获得KeAttachProcess地址,然后通过特征码找到
//KeAttachProcess的地址
KeAttachProcessAddress = (BYTE*)GetNt_OldAddr(L"KeAttachProcess");
if (KeAttachProcessAddress == NULL)
{
KdPrint(("KeAttachProcess地址获取失败/n"));
return 0;
}
//将p指向KeAttachProcess函数开始处
p = KeAttachProcessAddress;
while (1)
{
if ((*(p-1) == Signature1) &&
(*(p-2) == Signature2) &&
(*(p+5) == Signature3) &&
(*(p+6) == Signature4) &&
(*p == Signature5))
{
//获的KiAttachProcess函数的地址
KiAttachProcessAddress = (ULONG *)(*(PULONG)(p+1)+(ULONG)(p+5));
break;
}
//推动指针
p++;
}
//计算中继函数地址
*(ULONG *)(MovEaxAddress+1)=(ULONG)Nake_KiAttachProcess;
WPOFF(); //清除CR0
//提升IRQL中断级
Irql=KeRaiseIrqlToDpcLevel();
//写入
RtlCopyMemory(KiAttachProcessAddress,MovEaxAddress,5);
RtlCopyMemory(KeAttachProcessAddress+5,JmpEax,2);
//恢复Irql
KeLowerIrql(Irql);
WPON(); //恢复CR0
return STATUS_SUCCESS;
}
求助为什么运行这个代码时会出错??
[课程]Linux pwn 探索篇!
