估计Ki地址获取错误,用这个试试,XP SP3
//////////////////////////////////////////////////////////////////////
// Name:    GetKiAttachProcessAddr
// Author:  飘云
// Purpose: Resolve nt!KiAttachProcess by scanning forward from the exported
//          KeAttachProcess for the byte pattern "push edi; push esi; call rel32"
//          (57 56 E8) and decoding the call's relative displacement.
// Params:  none
// Returns: the resolved address as ULONG, or 0 when KeAttachProcess itself could
//          not be resolved. The scan has no failure exit (see the loop below).
// Notes (review): x86-32 only; pattern and rel32 decoding assume the XP-era
//          code shown in this thread. KiAttachProcessAddress is assigned but not
//          declared in this block -- presumably a file-scope variable.
//////////////////////////////////////////////////////////////////////
ULONG GetKiAttachProcessAddr()
{
BYTE* KeAttachProcessAddress = NULL; // address of the exported KeAttachProcess
BYTE* p;                              // scan cursor
// signature bytes: 0x56 = push esi, 0x57 = push edi, 0xE8 = call rel32
BYTE Signature1 = 0x56,
Signature2 = 0x57,
Signature3 = 0xE8;
KeAttachProcessAddress = (BYTE *)GetFunctionAddrByName(L"KeAttachProcess"); // helper defined elsewhere in the driver (not shown)
if (KeAttachProcessAddress == NULL)
{
KdPrint(("[++++]KeAttachProcess地址获取失败\n"));
return 0;
}
else
{
p = KeAttachProcessAddress;
// NOTE(review): unbounded forward scan -- there is no upper limit, so if the pattern
// is absent the loop keeps reading past the function until it faults. On the first
// iteration *(p - 1) and *(p - 2) also read the two bytes in front of the function.
while (1)
{
if ((*(p - 1) == Signature1) && (*(p - 2) == Signature2) && (*p == Signature3))
{
// match: p points at the E8 opcode. The rel32 displacement at p+1 is relative to
// the end of the 5-byte call instruction, i.e. target = rel32 + (p + 5).
KiAttachProcessAddress = (BYTE *)*(PULONG)(p + 1) + (ULONG)(p + 5);
KdPrint(("[++++]KiAttachProcessAddress:%0X\n", KiAttachProcessAddress)); // %0X given a pointer argument; %p is the matching specifier
return (ULONG)KiAttachProcessAddress;
break; // unreachable: the return above already leaves the function
}
p++;
}
}
}
#pragma PAGECODE
// Load-image notify callback (registered through PsSetLoadImageNotifyRoutine).
// When the image being mapped is TesSafe.sys -- or once MyEnumKernelModule reports
// that module as present (Adr3 != 0) -- it locates nt!KiAttachProcess via the call
// inside KeStackAttachProcess and overwrites its first 7 bytes with the hard-coded
// prologue listed in the comment further down.
// Parameters: FullImageName / ProcessId / ImageInfo are the standard notify-routine
// arguments; only FullImageName is used here.
// Returns: nothing. A missing helper result or a signature miss is not reported
// and does not prevent the write.
// NOTE(review): the whole body runs at DISPATCH_LEVEL (KeRaiseIrqlToDpcLevel at
// entry) although the function sits in a pageable section (#pragma PAGECODE); a
// page fault at that IRQL bugchecks. Inline __asm and the fixed 7-byte prologue
// make this x86-32 / MSVC only.
void ThePass_KiAttachProcessAddr(IN PUNICODE_STRING FullImageName,
IN HANDLE ProcessId, // where image is mapped
IN PIMAGE_INFO ImageInfo){
KIRQL Irql;
Irql=KeRaiseIrqlToDpcLevel(); // held for the entire callback, lowered at the end
UNICODE_STRING Dnfsysname;
ULONG Adr3=0,Size3=0;
// MyEnumKernelModule and GetNt_OldAddr are helpers from elsewhere in the driver (not shown).
// The "[URL=...]...[/URL]" wrapping on the next two lines is forum markup that was pasted
// into the string literals; the intended argument is only the "\\??\\...\\tessafe.sys" path.
MyEnumKernelModule("[URL="file://\\??\\c:\\windows\\system32\\tessafe.sys",&Adr3,&Size3"]\\??\\c:\\windows\\system32\\tessafe.sys",&Adr3,&Size3[/URL]);
RtlInitUnicodeString(&Dnfsysname,L"[URL="file://\\??\\C:\\WINDOWS\\system32\\TesSafe.sys"]\\??\\C:\\WINDOWS\\system32\\TesSafe.sys[/URL]");
KdPrint((" ThePass_KiAttachProcessAddr函数输出: 当前映像%wZ",FullImageName));
BOOL ISNAME=RtlEqualUnicodeString(FullImageName,&Dnfsysname,FALSE);// is the image being loaded TP (TesSafe.sys)? case-sensitive compare (FALSE); RtlEqualUnicodeString returns BOOLEAN, stored here as BOOL
// NOTE(review): because of "|| Adr3!=0", once the module is present the patch is
// re-applied on every later image load, not only when TesSafe.sys itself is mapped.
if (ISNAME==TRUE || Adr3!=0 )
{
ULONG KeStackAttachProcessAddr,KiAttachProcessAddr ,Call_KiAttachProcess; // Call_KiAttachProcess is assigned only inside the scan loop below
KeStackAttachProcessAddr= GetNt_OldAddr(L"KeStackAttachProcess");
KdPrint(("KeStackAttachProcess=%X",KeStackAttachProcessAddr));
/* These bytes inside KeStackAttachProcess serve as the signature for locating KiAttachProcess:
804f9ceb ff750c push dword ptr [ebp+0Ch]
804f9cee ff7508 push dword ptr [ebp+8]
804f9cf1 57 push edi
804f9cf2 56 push esi
804f9cf3 e86cfdffff call nt!KiAttachProcess (804f9a64)*/
BYTE KiAttach_BYTE[]={0x08,0x57,0x56,0xe8}; // last byte of "push [ebp+8]", push edi, push esi, call rel32
int n;
// Scan offsets 0..100 (inclusive) of KeStackAttachProcess for the 4-byte signature.
// NOTE(review): there is no break after a match, so the last match in the window wins
// and bytes up to offset +103 are read. If nothing matches, Call_KiAttachProcess is
// never assigned and the computation below uses an indeterminate value.
for (n=0;n<=100;)
{
if (*((BYTE*)(KeStackAttachProcessAddr+n) ) ==KiAttach_BYTE[0] && *((BYTE*)(KeStackAttachProcessAddr+n+1) ) ==KiAttach_BYTE[1] && *((BYTE*)(KeStackAttachProcessAddr+n+2) ) ==KiAttach_BYTE[2] && *((BYTE*)(KeStackAttachProcessAddr+n+3) ) ==KiAttach_BYTE[3] )
{
Call_KiAttachProcess=KeStackAttachProcessAddr+n+3; // address of the E8 opcode
KdPrint(("call KiAttachProcessAddr=%X",Call_KiAttachProcess));
}
n++;
}
// rel32 = target - current - 5, hence target = rel32 + current + 5
KiAttachProcessAddr=*((ULONG*)(Call_KiAttachProcess+1)) + Call_KiAttachProcess + 5;
KdPrint(("KiAttachProcessAddr=%X",KiAttachProcessAddr));
/*
The first 7 bytes were originally
804f9a64 8bff mov edi,edi
804f9a66 55 push ebp
804f9a67 8bec mov ebp,esp
804f9a69 53 push ebx
804f9a6a 56 push esi
and had been changed to
804f9a64 b87c6da0a9 mov eax,0A9A06D7Ch
804f9a69 ffe0 jmp eax
Shortcut taken here: the first 7 bytes are simply written back.
*/
char MacCode[]={(char)0x8b,(char)0xff,(char)0x55,(char)0x8b,(char)0xec,(char)0x53,(char)0x56};
/// MacCode is the original machine code; note that the last byte differs on some XP builds!
// NOTE(review): the write below is unconditional -- the current contents are not compared
// against anything first, so on a kernel whose prologue differs these 7 bytes corrupt the function.
__asm // clear CR0.WP so kernel text is writable; cli masks interrupts on this CPU only
{
cli
mov eax,cr0
and eax,not 10000h //and eax,0FFFEFFFFh
mov cr0,eax
}
KIRQL IRQL2;
IRQL2= KeRaiseIrqlToDpcLevel(); // already at DISPATCH_LEVEL from the raise at entry; this nested raise/lower pair is presumably a no-op
RtlCopyMemory((char*)KiAttachProcessAddr,MacCode,7);// byte-wise write of the 7 bytes
KeLowerIrql(IRQL2);
__asm // restore CR0.WP
{
mov eax,cr0
or eax,10000h //or eax,not 0FFFEFFFFh
mov cr0,eax
sti
}
}
KeLowerIrql(Irql);
}
#pragma PAGECODE
// Registers ThePass_KiAttachProcessAddr as a load-image notify callback.
// The NTSTATUS returned by PsSetLoadImageNotifyRoutine is discarded, so a
// failed registration is not detected by the caller.
VOID Pass_KiAttachProcess()
{
(void)PsSetLoadImageNotifyRoutine(ThePass_KiAttachProcessAddr);
}
//驱动入口
#pragma INITCODE
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING B) //TYPEDEF LONG NTSTATUS
{ //////////////////////////////////////////////////////////////////////////
Pass_KiAttachProcess();
以下省略
驱动卸载函数加入:
PsRemoveLoadImageNotifyRoutine(ThePass_KiAttachProcessAddr);