
[求助]小菜的驱动问题

2012-12-12 17:07
3723
/*
 * funHookNtdll - locate the exported "ZwCreateProcessEx" entry inside a
 * freshly mapped image of ntdll.dll and hand its address back to the caller.
 *
 * The DLL is opened by its NT device path, mapped as an image section
 * (AllocationAttributes 0x1000000 == SEC_IMAGE, so export RVAs are valid
 * offsets from the view base) and its export directory is walked by name.
 *
 * @param AddrOfWantFunc  Receives the address of the matching export
 *                        *inside this function's own view*.  Written only
 *                        when the name matches; left untouched otherwise.
 * @return 0 on success -- and also when the name is not found, so the
 *         caller cannot tell the two cases apart from the return value
 *         alone; -2 if ZwOpenFile fails, -4 if ZwCreateSection fails,
 *         -5 if ZwMapViewOfSection fails.
 *
 * NOTE(review): CleanUp unmaps the view before returning, so the value
 * stored in *AddrOfWantFunc is a dangling pointer by the time the caller
 * sees it; dereferencing it (e.g. to read the stub bytes) faults.  Read
 * whatever is needed while the view is still mapped, or return an RVA and
 * resolve it against a base that stays mapped.
 *
 * Layout assumptions: 32-bit kernel and a PE32 image (unsigned long is used
 * for addresses, the export data directory is read at optional-header
 * offset 0x60, and 0xFFFFFFFF is used as the current-process handle).
 */
long funHookNtdll(unsigned long * AddrOfWantFunc)
{
        long ret = 0;
        /* Hard-coded NT device path; assumes the system volume is HarddiskVolume1. */
        WCHAR SourceString[70] = L"\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll";
        UNICODE_STRING usNtdll;
        HANDLE hFile = NULL;
        IO_STATUS_BLOCK IoStatus;
        OBJECT_ATTRIBUTES ObjAtt;
        NTSTATUS staus;

        HANDLE hSection = NULL;

        VOID * pMapBase = NULL;       /* base of the mapped view, NULL until mapped */
        SIZE_T iViewSize = 0;         /* 0 on input: map the whole section */

        unsigned long ExportBase = 0;          /* IMAGE_EXPORT_DIRECTORY.Base (unused below) */
        unsigned short * AddrOrd = NULL;       /* AddressOfNameOrdinals table */
        unsigned long * AddrFun = NULL;        /* AddressOfFunctions table */
        unsigned long * AddrName = NULL;       /* AddressOfNames table */
        unsigned char * pExport = NULL;        /* IMAGE_EXPORT_DIRECTORY */
        unsigned char * pOptHead = NULL;       /* IMAGE_OPTIONAL_HEADER */
        unsigned char * Buff = NULL;           /* byte view of the mapped image */
        unsigned long FuncBase = 0;
        char * pszFunName = NULL;
        long i = 0;

        char szFindFunc[20] = "ZwCreateProcessEx";
        STRING sFindFunc;
        STRING sFunName;
        RtlInitString(&sFindFunc , szFindFunc);
        RtlInitUnicodeString(&usNtdll , SourceString);

        InitializeObjectAttributes(&ObjAtt, &usNtdll , OBJ_CASE_INSENSITIVE , NULL, NULL); // OBJECT_ATTRIBUTES must be initialized with this macro before its Name can be used

        /* Open for execute only; FILE_SYNCHRONOUS_IO_NONALERT makes the handle synchronous. */
        staus = ZwOpenFile( &hFile , SYNCHRONIZE | FILE_EXECUTE , &ObjAtt , &IoStatus , FILE_SHARE_READ , FILE_SYNCHRONOUS_IO_NONALERT);
        if(STATUS_SUCCESS != staus)
        {
                /* NOTE(review): prints IoStatus.Status, which ZwOpenFile may not have
                 * filled in on this failure path; staus holds the definitive code. */
                DbgPrint("zwopenfile fail 0x%X !\n" , IoStatus.Status);
                ret =  -2;
                goto CleanUp;
        }

        DbgPrint("zwopenfile ok!\n");
        /* Reuse ObjAtt for the section, but as an unnamed object. */
        ObjAtt.ObjectName = NULL;

        /* MaximumSize 0 == size of the file; 0x1000000 == SEC_IMAGE, backed by hFile. */
        staus = ZwCreateSection(&hSection , SECTION_ALL_ACCESS , &ObjAtt , 0 ,  PAGE_EXECUTE , 0x1000000 ,  hFile);
        if(STATUS_SUCCESS != staus)
        {
                DbgPrint("ZwCreateSection Fail 0x%X !\n" , staus);
                ret = -4;
                goto CleanUp;
        }

        DbgPrint("ZwCreateSection Ok! \n");

        /* (HANDLE)0xFFFFFFFF is the current-process pseudo-handle on x86 only;
         * on a 64-bit build this constant is not -1 -- ZwCurrentProcess() is
         * the portable spelling.  CommitSize PAGE_SIZE, iViewSize 0 (entire
         * section), Win32Protect 4 == PAGE_READWRITE. */
        staus = ZwMapViewOfSection(hSection , (HANDLE)0xFFFFFFFF ,  &pMapBase , 0 , PAGE_SIZE , 0 , &iViewSize , ViewShare , MEM_TOP_DOWN , 4);
        if( ! NT_SUCCESS(staus) )
        {
                DbgPrint("ZwMapViewOfSection Fail 0x%X !\n" , staus);
                DbgPrint("base 0x%X\n" , pMapBase);
                ret = -5;
                goto CleanUp;
        }
        DbgPrint("ZwMapViewOfSection Ok 0x%X !\n" , staus);
        DbgPrint("base 0x%X\n" , pMapBase);
        /* NOTE(review): none of the header fields below is validated (no "MZ"/"PE"
         * signature check, no bounds check against iViewSize).  A malformed or
         * tampered image on disk would be read out of bounds here. */
        Buff = (unsigned char *)pMapBase;
        /* 0x3C == IMAGE_DOS_HEADER.e_lfanew; +0x18 skips the 4-byte PE signature and
         * the 20-byte IMAGE_FILE_HEADER to reach the optional header. */
        pOptHead = Buff + *(unsigned long *)(Buff + 0x3C) + 0x18;
        /* 0x60 == DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress in PE32
         * (it is 0x70 in PE32+). */
        pExport = Buff + *(unsigned long *)(pOptHead + 0x60);
        /* IMAGE_EXPORT_DIRECTORY fields: 0x1C AddressOfFunctions, 0x20 AddressOfNames,
         * 0x24 AddressOfNameOrdinals, 0x10 Base. */
        AddrFun = (unsigned long *)(Buff + *(unsigned long *)(pExport + 0x1C));
        AddrName = (unsigned long *)(Buff + *(unsigned long *)(pExport + 0x20));
        AddrOrd = (unsigned short *)(Buff + *(unsigned long *)(pExport + 0x24));
        ExportBase = *(unsigned long *)(pExport + 0x10);
        /* NOTE(review): 0x14 is NumberOfFunctions, but AddrName/AddrOrd have
         * NumberOfNames (offset 0x18) entries; when NumberOfFunctions is larger
         * and the name is not found, the loop reads past both tables. */
        for(i = 0; i < *(unsigned long *)(pExport + 0x14) ; i++)
        {
                pszFunName = (char *)(Buff + AddrName[i]);
                //FuncBase = (unsigned long)(Buff + AddrFun[AddrOrd[i]]);
                //DbgPrint("addr of fun 0x%X\n" , FuncBase);

                RtlInitString(&sFunName , pszFunName);
                /* RtlCompareString returns 0 on equality; third argument 1 == case-insensitive. */
                if( ! RtlCompareString(&sFunName , &sFindFunc , 1))
                {
                        DbgPrint("Name %s\n" , pszFunName);
                        /* The ordinal table maps the name index to the function-table index.
                         * The resulting address lies inside this view (see CleanUp below). */
                        FuncBase = (unsigned long)(Buff + AddrFun[ AddrOrd[i] ]);
                        *AddrOfWantFunc = FuncBase;
                        break;
                }
        }

CleanUp :

        /* Unmapping here invalidates the address just stored in *AddrOfWantFunc. */
        if(NULL != pMapBase)
        {
                ZwUnmapViewOfSection((HANDLE)0xFFFFFFFF , pMapBase);
                pMapBase = NULL;
        }
        if(NULL != hSection)
        {
                ZwClose(hSection);
                hSection = NULL;
        }
        if(NULL != hFile)
        {
                ZwClose(hFile);
                hFile = NULL;
        }

        return ret;
}

上面是我用来获取 ntdll 中 ZwCreateProcessEx 地址的函数
// NOTE(review): the return code (0 / -2 / -4 / -5) is discarded here, so a
// failed open/section/map goes unnoticed and pZwCreateProcessEx keeps
// whatever value it held before the call.
funHookNtdll(&pZwCreateProcessEx);
                DbgPrint("0x%X Get ok! \n" , pZwCreateProcessEx);
                // Reads the 32-bit value at offset 1 of the exported stub (assumes the
                // x86 "one opcode byte followed by imm32" stub layout).  The address
                // points into the section view that funHookNtdll unmapped in its
                // CleanUp block before returning, so this dereference touches unmapped
                // memory -- the fault described below.
                IndexNtCreateProcess = *(unsigned long *)((unsigned char *)pZwCreateProcessEx + 1); // fetch the SSDT index

当我想用上面的方法获得SSDT的索引时总是蓝屏,这是怎么回事,谢谢大家,请多多关照


最新回复 (1)
原来是提前unmap了,问题解决了
2012-12-12 17:30