After reloading the kernel I want to fix up the SSDT and the relocation table, but I get a blue screen while locating the PE header.
The module seems to have loaded successfully; I checked it with windbg.
This is the ntoskrnl.exe image in memory:
83e38000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 MZ.............
83e3800f 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 .........@.....
83e3801e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
83e3802d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
83e3803c 78 02 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 x...........!..
83e3804b 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d L.!This program
83e3805a 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 cannot be run
83e38069 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a in DOS mode....
83e38078 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 $..............
83e38087 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
83e38096 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
83e380a5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
83e380b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
83e380c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
83e380d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
83e380e1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........
This is the kernel module I loaded:
96000000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 MZ.............
9600000f 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 .........@.....
9600001e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
9600002d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
9600003c 78 02 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 x...........!..
9600004b 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d L.!This program
9600005a 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 cannot be run
96000069 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a in DOS mode....
96000078 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 $..............
96000087 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
96000096 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
960000a5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
960000b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
When locating the headers:

NTSTATUS FixModule(PVOID NewModuleBase, PVOID OldModuleBase)
{
    PIMAGE_DOS_HEADER pModule_DOS_HEADER = (PIMAGE_DOS_HEADER)NewModuleBase;

this line does not blue-screen, but the next one

    PIMAGE_NT_HEADERS pModule_NT_HEADER = (PIMAGE_NT_HEADERS)((ULONG)NewModuleBase + (ULONG)pModule_DOS_HEADER->e_lfanew);

blue-screens. Could someone tell me what is going on?
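A note on where the first memory access actually happens, with an added example (editor's code, not the poster's driver). The first line of FixModule is only a pointer cast and reads nothing; the first dereference is the 4-byte read of e_lfanew at NewModuleBase + 0x3C on the second line. Both dumps above show 78 02 00 00 at that offset (e_lfanew = 0x278), so the value itself is sane; a fault on that read means the DOS header at NewModuleBase was not readable in that context, which no check on e_lfanew can prevent. What a check can prevent is the next step, where e_lfanew is trusted to land inside the mapping. The user-mode program below walks the same two steps with every offset bounds-checked against the number of bytes known to be readable. The image it parses is constructed in-line (zero-filled, "MZ" at 0, e_lfanew = 0x278 at 0x3C as in the dump, "PE\0\0" planted at 0x278); it assumes a little-endian host and uses its own offset constants instead of winnt.h so it builds anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the header walk. */
typedef enum {
    PE_OK = 0,
    PE_ERR_TOO_SMALL,      /* fewer than 64 readable bytes: no full IMAGE_DOS_HEADER */
    PE_ERR_NO_MZ,          /* e_magic is not "MZ" */
    PE_ERR_LFANEW_RANGE,   /* e_lfanew negative or points past the readable region */
    PE_ERR_NO_PE_SIG       /* no "PE\0\0" at base + e_lfanew */
} pe_status;

#define DOS_HEADER_SIZE   0x40      /* sizeof(IMAGE_DOS_HEADER) */
#define E_LFANEW_OFFSET   0x3C      /* offsetof(IMAGE_DOS_HEADER, e_lfanew) */
#define NT_HEADERS_MIN    (4 + 20)  /* Signature + IMAGE_FILE_HEADER */

/* Locate the NT headers of an image whose first `readable` bytes at `base`
 * are known to be mapped. The cast in the post touches no memory; the first
 * real access is the 4-byte read at base + 0x3C, so `readable` must cover the
 * whole DOS header before that read is made. Every later offset is checked
 * against `readable` before it is dereferenced. */
pe_status locate_nt_headers(const uint8_t *base, size_t readable, size_t *nt_offset)
{
    uint16_t magic;
    int32_t lfanew;

    if (base == NULL || readable < DOS_HEADER_SIZE)
        return PE_ERR_TOO_SMALL;

    memcpy(&magic, base, sizeof magic);                 /* e_magic: bytes 4d 5a */
    if (magic != 0x5A4D)                                /* "MZ" read little-endian */
        return PE_ERR_NO_MZ;

    memcpy(&lfanew, base + E_LFANEW_OFFSET, sizeof lfanew);   /* e_lfanew */
    if (lfanew < 0 || (size_t)lfanew > readable ||
        readable - (size_t)lfanew < NT_HEADERS_MIN)
        return PE_ERR_LFANEW_RANGE;

    if (memcmp(base + lfanew, "PE\0\0", 4) != 0)        /* IMAGE_NT_SIGNATURE */
        return PE_ERR_NO_PE_SIG;

    *nt_offset = (size_t)lfanew;
    return PE_OK;
}

#define SAMPLE_SIZE 0x300

/* Constructed sample image (not taken from a real file): zero-filled, "MZ" at
 * offset 0, the given e_lfanew at 0x3C, and a "PE\0\0" signature planted where
 * e_lfanew points if that is inside the buffer. `bad_magic` swaps the magic
 * to "ZM" to simulate a buffer that is not an image at all. */
static void build_sample_image(uint8_t *buf, size_t size, int32_t lfanew, int bad_magic)
{
    memset(buf, 0, size);
    buf[0] = bad_magic ? 'Z' : 'M';
    buf[1] = bad_magic ? 'M' : 'Z';
    memcpy(buf + E_LFANEW_OFFSET, &lfanew, sizeof lfanew);
    if (lfanew >= 0 && (size_t)lfanew + 4 <= size)
        memcpy(buf + lfanew, "PE\0\0", 4);
}

/* Run the check on a constructed image while pretending only `readable`
 * bytes of it are mapped. Returns the status; the NT header offset is
 * written to *nt_offset on success. */
pe_status check_sample(size_t readable, int32_t lfanew, int bad_magic, size_t *nt_offset)
{
    uint8_t img[SAMPLE_SIZE];
    build_sample_image(img, SAMPLE_SIZE, lfanew, bad_magic);
    if (readable > SAMPLE_SIZE)
        readable = SAMPLE_SIZE;
    return locate_nt_headers(img, readable, nt_offset);
}

int main(void)
{
    size_t off = 0;
    pe_status s = check_sample(SAMPLE_SIZE, 0x278, 0, &off);
    printf("full image mapped:   status %d, NT headers at 0x%zx\n", s, off);
    s = check_sample(0x100, 0x278, 0, &off);
    printf("only 0x100 mapped:   status %d (e_lfanew out of range)\n", s);
    s = check_sample(SAMPLE_SIZE, 0x7FFFFFF0, 0, &off);
    printf("huge e_lfanew:       status %d (e_lfanew out of range)\n", s);
    return 0;
}
```

In a driver the same two reads would be preceded by confirming that NewModuleBase and its length came from your own successful mapping, and that the access happens in the same context (process and IRQL) that mapping is valid in; the offset checks only protect the walk from a bad e_lfanew once the base itself is readable.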