2 楼
shadow SSDT 要挂靠到 GUI,亲,你 attach 了吗?
3 楼
先 Attach 到 GUI 线程,然后才可以 shadow hook
4 楼
谢谢二位的帮助,
5 楼
Attach to csrss.exe
6 楼
各位老大,能不能给个Demo参考一下,别逗小弟了,搞不懂
7 楼
感谢各位的帮助,问题已经解决,
以下是我的实现代码,再次感谢几个大哥帮忙
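/*
 * Translate an RVA inside a mapped PE image into the offset of the same bytes
 * in the on-disk file. The section table is walked; an RVA that is not backed
 * by raw data (outside every section, or in a section's memory-only tail) is
 * rejected instead of producing a bogus offset.
 *
 * ImageBase  - base of the mapped image (headers must be readable)
 * Rva        - RVA to translate
 * FileOffset - receives the file offset on success
 * Returns TRUE on success, FALSE on malformed headers or an unmapped RVA.
 */
static BOOLEAN RvaToFileOffset(PVOID ImageBase, ULONG Rva, PULONG FileOffset)
{
    PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)ImageBase;
    PIMAGE_NT_HEADERS nt;
    PIMAGE_SECTION_HEADER sec;
    USHORT i;

    if (dos == NULL || dos->e_magic != IMAGE_DOS_SIGNATURE) {
        return FALSE;
    }
    nt = (PIMAGE_NT_HEADERS)((PUCHAR)ImageBase + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) {
        return FALSE;
    }

    sec = IMAGE_FIRST_SECTION(nt);
    for (i = 0; i < nt->FileHeader.NumberOfSections; i++, sec++) {
        ULONG start = sec->VirtualAddress;
        ULONG span = sec->Misc.VirtualSize;
        ULONG delta;

        /* Some linkers leave VirtualSize zero; fall back to the raw size. */
        if (span == 0) {
            span = sec->SizeOfRawData;
        }
        if (Rva < start || Rva - start >= span) {
            continue;
        }
        delta = Rva - start;
        /* A section can be larger in memory than on disk; such bytes have no file image. */
        if (delta >= sec->SizeOfRawData) {
            return FALSE;
        }
        *FileOffset = sec->PointerToRawData + delta;
        return TRUE;
    }
    return FALSE;
}

/*
 * Read the pristine win32k shadow service table (shadow SDT entry 1) from
 * \SystemRoot\System32\win32k.sys on disk, so it can be compared against the
 * live table. As posted, the routine reads the table into a pool buffer and
 * picks up its first entry; the actual restore of hooked entries is not
 * implemented here.
 *
 * Uses the file-scope globals pWin32kBase (load address of win32k.sys) and
 * KeServiceDescriptorTableShadow, which must both be resolved beforehand.
 * Must run at PASSIVE_LEVEL (file I/O, paged pool).
 *
 * Returns STATUS_SUCCESS when the full on-disk table was read, otherwise the
 * failing NTSTATUS.
 */
NTSTATUS RestoreShadow()
{
    NTSTATUS status;
    HANDLE hFile = NULL;            /* NULL so the cleanup path never closes an undefined handle */
    OBJECT_ATTRIBUTES ObjAttr;
    UNICODE_STRING ustrWin32k;
    IO_STATUS_BLOCK ioStatus;
    LARGE_INTEGER Offset;
    PVOID PoolArea = NULL;
    PULONG pAddr;
    ULONG ulCount;
    ULONG ulShadowBase;
    ULONG ulShadowRaw = 0;
    ULONG OrigAddress = 0;
    SIZE_T cbTable;

    if (pWin32kBase == NULL || KeServiceDescriptorTableShadow == NULL) {
        return STATUS_UNSUCCESSFUL;
    }

    /* Entry 1 of the shadow SDT describes the win32k table: Limit is the
     * number of services, Base the address of the service address array. */
    ulCount = KeServiceDescriptorTableShadow[1].Limit;
    ulShadowBase = (ULONG)(ULONG_PTR)KeServiceDescriptorTableShadow[1].Base;

    /* An implausible Limit would overflow the allocation size below. */
    if (ulCount == 0 || ulCount > MAXULONG / sizeof(ULONG)) {
        return STATUS_UNSUCCESSFUL;
    }
    cbTable = (SIZE_T)ulCount * sizeof(ULONG);

    /* Base - pWin32kBase is an RVA, not a file offset; the two only coincide
     * when a section's PointerToRawData equals its VirtualAddress, which is
     * not generally true, so map it through the section table. */
    if (!RvaToFileOffset(pWin32kBase,
                         ulShadowBase - (ULONG)(ULONG_PTR)pWin32kBase,
                         &ulShadowRaw)) {
        return STATUS_UNSUCCESSFUL;
    }

    /* One ULONG per service; holds the table as it exists on disk. */
    PoolArea = ExAllocatePool(PagedPool, cbTable);
    if (PoolArea == NULL) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    RtlInitUnicodeString(&ustrWin32k, L"\\SystemRoot\\System32\\win32k.sys");
    InitializeObjectAttributes(&ObjAttr, &ustrWin32k,
                               OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
                               NULL, NULL);

    /* SYNCHRONIZE + FILE_SYNCHRONOUS_IO_NONALERT make ZwReadFile complete
     * before it returns. Without them it may return STATUS_PENDING, and the
     * buffer would be read and freed while the I/O is still in flight.
     * FILE_READ_DATA is the access ZwReadFile actually needs. */
    status = IoCreateFile(&hFile,
                          FILE_READ_DATA | FILE_READ_ATTRIBUTES | SYNCHRONIZE,
                          &ObjAttr,
                          &ioStatus,
                          NULL,
                          FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_READ,
                          FILE_OPEN,
                          FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
                          NULL,
                          0,
                          CreateFileTypeNone,
                          NULL,
                          IO_NO_PARAMETER_CHECKING);
    if (!NT_SUCCESS(status)) {
        hFile = NULL;               /* the handle is only defined on success */
        goto __exit;
    }

    Offset.QuadPart = ulShadowRaw;
    status = ZwReadFile(hFile, NULL, NULL, NULL, &ioStatus,
                        PoolArea, (ULONG)cbTable, &Offset, NULL);
    if (!NT_SUCCESS(status)) {
        goto __exit;
    }
    /* A short read means the on-disk table is incomplete; do not trust it. */
    if (ioStatus.Information != cbTable) {
        status = STATUS_UNSUCCESSFUL;
        goto __exit;
    }

    /* This is a plain read of our own pool buffer, so the CR0.WP / CLI
     * sequence of the original (which only protects a write into the live
     * table) is not needed here. */
    pAddr = (PULONG)PoolArea;
    /* NOTE(review): values in the file are absolute addresses based on the
     * image's preferred ImageBase; if win32k.sys was relocated they need
     * the load delta added before being compared with the live table. */
    OrigAddress = pAddr[0];
    (void)OrigAddress;              /* demo only: the restore step is not implemented */

__exit:
    if (hFile != NULL) {
        ZwClose(hFile);
    }
    if (PoolArea != NULL) {
        ExFreePool(PoolArea);       /* ExFreePool(NULL) is not a no-op in the kernel */
    }
    return status;
}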