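/*
 * Open the image file named by pDriverName, create a SEC_IMAGE section over
 * it and map that section into the current process.
 *
 * pDriverName  NT object path of the image file to map.
 *
 * Returns the base address of the mapped view, or 0 on any failure.
 *
 * Ownership on success: the file handle is closed here (the section keeps
 * the file referenced), the section handle stays open in the file-scope
 * hSection (declared elsewhere, not in this function), and the view stays
 * mapped -- the caller is responsible for ZwUnmapViewOfSection() and
 * ZwClose(hSection). On failure everything acquired so far is released.
 *
 * NOTE: the return type narrows the PVOID view base to ULONG, so the value
 * is only meaningful in a 32-bit build; callers cast it back to a pointer.
 */
ULONG CreateMapFileAndReturnBaseAddress(IN PUNICODE_STRING pDriverName)
{
    NTSTATUS ntstatus;
    HANDLE hFile = NULL;
    OBJECT_ATTRIBUTES object_attributes;
    IO_STATUS_BLOCK io_status = {0};
    PVOID baseaddress = NULL;
    SIZE_T size = 0;   /* 0 = map the whole section; receives the actual view size */

    if (pDriverName == NULL) {
        return 0;
    }

    InitializeObjectAttributes(&object_attributes,
                               pDriverName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);

    /* Open the existing file; execute access is all that an image section needs. */
    ntstatus = ZwCreateFile(&hFile,
                            FILE_EXECUTE | SYNCHRONIZE,
                            &object_attributes,
                            &io_status,
                            NULL,
                            FILE_ATTRIBUTE_NORMAL,
                            FILE_SHARE_READ,
                            FILE_OPEN,
                            FILE_NON_DIRECTORY_FILE |
                            FILE_RANDOM_ACCESS |
                            FILE_SYNCHRONOUS_IO_NONALERT,
                            NULL,
                            0);
    if (!NT_SUCCESS(ntstatus)) {
        KdPrint(("[GetFunctionAddress] error0\n"));
        KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
        return 0;
    }

    /* Create an unnamed image section backed by the file. */
    InitializeObjectAttributes(&object_attributes,
                               NULL,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);
    ntstatus = ZwCreateSection(&hSection,
                               SECTION_ALL_ACCESS,
                               &object_attributes,
                               0,
                               PAGE_EXECUTE,
                               SEC_IMAGE,
                               hFile);
    if (!NT_SUCCESS(ntstatus)) {
        KdPrint(("[GetFunctionAddress] error1\n"));
        KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
        ZwClose(hFile);   /* previously leaked on this path */
        return 0;
    }

    /* Map the entire section into the current process (NtCurrentProcess() is
     * the ntddk.h macro for the current-process handle). */
    ntstatus = ZwMapViewOfSection(hSection,
                                  NtCurrentProcess(),
                                  &baseaddress,
                                  0,
                                  1000,        /* CommitSize: only meaningful for pagefile-backed sections */
                                  0,
                                  &size,
                                  ViewShare,   /* was the bare literal 1 */
                                  MEM_TOP_DOWN,
                                  PAGE_READWRITE);
    if (!NT_SUCCESS(ntstatus)) {
        KdPrint(("[GetFunctionAddress] error2\n"));
        KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
        ZwClose(hSection);   /* previously leaked on this path, together with hFile */
        hSection = NULL;
        ZwClose(hFile);
        return 0;
    }

    /* The mapped section keeps the file referenced; the file handle is no longer needed. */
    ZwClose(hFile);
    DbgPrint("baseadress:%p\n", baseaddress);   /* %p: baseaddress is a pointer, not an int */
    return (ULONG)(ULONG_PTR)baseaddress;
}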
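/*
 * Locate the import directory of the PE image mapped at hMod.
 *
 * hMod  base address of a mapped image (as returned by
 *       CreateMapFileAndReturnBaseAddress), 0 if the mapping failed.
 *
 * Returns the address of the first IMAGE_IMPORT_DESCRIPTOR (narrowed to
 * ULONG, 32-bit builds only), or 0 when hMod is 0, the DOS/NT signatures do
 * not match, or the image has no import directory.
 *
 * The old code returned hMod itself for an image without an import
 * directory (base + RVA 0), so its NULL check never fired; callers then
 * walked the DOS header as if it were an import descriptor.
 */
ULONG GetImageImportDescriptorPointer(ULONG hMod)
{
    PIMAGE_DOS_HEADER dosheader;
    PIMAGE_NT_HEADERS ntheaders;
    ULONG importRva;

    if (hMod == 0) {
        return 0;   /* caller passes the raw mapping result, which may be 0 */
    }

    dosheader = (PIMAGE_DOS_HEADER)(ULONG_PTR)hMod;
    if (dosheader->e_magic != IMAGE_DOS_SIGNATURE) {
        return 0;
    }
    /* e_lfanew is file-controlled data; a negative offset would point before the view.
     * NOTE(review): the upper bound cannot be checked here because the view size is
     * not passed in -- a truncated image could still send this read past the view. */
    if (dosheader->e_lfanew < 0) {
        return 0;
    }

    /* IMAGE_NT_HEADERS = Signature (4) + FILE_HEADER (20) + OptionalHeader;
     * the old code reached the optional header with a hard-coded +24. */
    ntheaders = (PIMAGE_NT_HEADERS)((ULONG_PTR)hMod + dosheader->e_lfanew);
    if (ntheaders->Signature != IMAGE_NT_SIGNATURE) {
        return 0;
    }

    importRva = ntheaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (importRva == 0) {
        return 0;   /* no import directory */
    }
    return (ULONG)((ULONG_PTR)hMod + importRva);
}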
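/*
 * Find an imported function in the driver image mapped by
 * CreateMapFileAndReturnBaseAddress and report where its IAT slot is.
 *
 * lpFunctionName     name of the imported function (compared case-insensitively)
 * lpFunctionLibrary  name of the module it is imported from (case-insensitive)
 * pThunk             receives the RVA of the matching descriptor's FirstThunk
 *                    (start of that module's IAT)
 * pRVA               receives the zero-based index of the entry within that
 *                    thunk array (the value the old code tracked in x)
 *
 * Returns 1 when the entry was found and the outputs are set, 0 otherwise
 * (including NULL arguments, a failed mapping, an image without an import
 * directory, an unknown module, or a name that is not imported).
 *
 * Whenever the mapping succeeded, the view is unmapped and the file-scope
 * hSection is closed before returning; the old code left the view mapped and
 * leaked hSection on two of its early-return paths.
 *
 * NOTE(review): the Name / OriginalFirstThunk / AddressOfData values are read
 * from the mapped file and are not checked against the view size, so a
 * malformed image can make these reads leave the view.
 */
DWORD GetFunctionRav(IN char* lpFunctionName, IN char* lpFunctionLibrary, OUT DWORD* pThunk, OUT DWORD* pRVA)
{
    UNICODE_STRING driverName;
    ULONG BaseAddress;
    PIMAGE_IMPORT_DESCRIPTOR pImport;
    PIMAGE_THUNK_DATA thunk;
    const char *pszModName;
    BOOLEAN foundIt = FALSE;   /* was read uninitialised when the module was not found */
    DWORD x = 0;
    DWORD result = 0;

    if (lpFunctionName == NULL || lpFunctionLibrary == NULL || pThunk == NULL || pRVA == NULL) {
        return 0;
    }

    /* Path kept as given. It ends in a backslash (a directory), while the mapping
     * helper opens with FILE_NON_DIRECTORY_FILE -- confirm the intended file name. */
    RtlInitUnicodeString(&driverName, L"\\Device\\HarddiskVolume1\\");
    BaseAddress = CreateMapFileAndReturnBaseAddress(&driverName);
    DbgPrint("test_sysnap.sys BaseAddress is 0x%x\n", BaseAddress);
    if (BaseAddress == 0) {
        return 0;   /* nothing was mapped, so there is no view to release here */
    }

    pImport = (PIMAGE_IMPORT_DESCRIPTOR)(ULONG_PTR)GetImageImportDescriptorPointer(BaseAddress);
    if (pImport == NULL) {
        DbgPrint("Not found Import BaseAddress!\n");
        goto cleanup;   /* the old code did `return ;` from a DWORD function here */
    }

    /* Walk the import directory until the descriptor for lpFunctionLibrary is found. */
    for (; pImport->FirstThunk != 0; pImport++) {
        pszModName = (const char *)((ULONG_PTR)BaseAddress + pImport->Name);
        if (_stricmp(pszModName, lpFunctionLibrary) == 0) {
            foundIt = TRUE;
            DbgPrint(" Module Name is:%s\n", pszModName);
            break;
        }
    }
    if (!foundIt) {
        goto cleanup;
    }

    /* Walk the import name table (OriginalFirstThunk); x is the index of the
     * matching slot in the parallel FirstThunk (IAT) array. */
    thunk = (PIMAGE_THUNK_DATA)((ULONG_PTR)BaseAddress + pImport->OriginalFirstThunk);
    for (x = 0; thunk->u1.AddressOfData != 0; x++, thunk++) {
        PIMAGE_IMPORT_BY_NAME byName;

        /* Ordinal imports carry no name: skip them. The old code used the
         * heuristic `>= 0x01000000` instead of the ordinal flag and aborted
         * the whole search on the first ordinal entry. */
        if (IMAGE_SNAP_BY_ORDINAL(thunk->u1.Ordinal)) {
            continue;
        }
        byName = (PIMAGE_IMPORT_BY_NAME)((ULONG_PTR)BaseAddress + thunk->u1.AddressOfData);
        if (_stricmp((const char *)byName->Name, lpFunctionName) == 0) {
            *pThunk = pImport->FirstThunk;
            *pRVA = x;
            result = 1;
            break;
        }
    }

cleanup:
    /* Release the view and the section opened by the mapping helper. */
    ZwUnmapViewOfSection(NtCurrentProcess(), (PVOID)(ULONG_PTR)BaseAddress);
    ZwClose(hSection);
    return result;
}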
想写lib接口 但是不懂radasm
翻译成asm一下。。。。。。
非常感谢,win32内核汇编什么书籍比较好,老是请人翻译不好意思啊~~~~~
.code