[求助]内核重载问题-编程技术-看雪-安全社区|安全招聘|kanxue.com

[求助]内核重载问题

发表于: 2014-4-24 12:22 3240

[求助]内核重载问题

foook

2014-4-24 12:22

3240

我在重载后想进行修复SSDT表和重定位表，进行PE头定位时发生蓝屏。
模块应该是成功载入了,我用windbg看了一下
这是内存中的ntoskrnl.exe文件，
83e38000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00  MZ.............
83e3800f 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00  .........@.....
83e3801e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
83e3802d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
83e3803c 78 02 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01  x...........!..
83e3804b 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d  L.!This program
83e3805a 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 cannot be run
83e38069 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a  in DOS mode....
83e38078 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00  $..............
83e38087 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
83e38096 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
83e380a5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
83e380b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
83e380c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
83e380d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
83e380e1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........

这是我载入的内核模块
96000000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00  MZ.............
9600000f 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00  .........@.....
9600001e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
9600002d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
9600003c 78 02 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01  x...........!..
9600004b 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d  L.!This program
9600005a 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 cannot be run
96000069 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a  in DOS mode....
96000078 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00  $..............
96000087 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
96000096 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
960000a5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
960000b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............

在进行定位时
NTSTATUS FixModule(PVOID NewModuleBase, PVOID  OldModuleBase)
{

PIMAGE_DOS_HEADER pModule_DOS_HEADER = (PIMAGE_DOS_HEADER)NewModuleBase;这句不会蓝屏。
但是下一句
PIMAGE_NT_HEADERS pModule_NT_HEADER = (PIMAGE_NT_HEADERS)((ULONG)NewModuleBase + (ULONG)pModule_DOS_HEADER->e_lfanew);
就蓝屏了。请问是怎么回事

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・0

免费・0

支持

最新回复 (1)
Speeday 雪币： 458 活跃值： (306) 能力值： ( LV12，RANK：400 ) 在线值：发帖 22 回帖 353 粉丝 14 关注私信	Speeday 8 2 楼看起来有点像类型转换的问题，把PIMAGE_NT_HEADERS pModule_NT_HEADER = (PIMAGE_NT_HEADERS)((ULONG)NewModuleBase + (ULONG)pModule_DOS_HEADER->e_lfanew);改成： PIMAGE_NT_HEADERS pModule_NT_HEADER = (PIMAGE_NT_HEADERS)((ULONG)NewModuleBase + pModule_DOS_HEADER->e_lfanew); 试试。 2014-4-24 15:01 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

foook

发帖

回帖

RANK

关注

私信

他的文章

[求助]内核重载问题 3241

关于我们

联系我们

企业服务

看雪公众号

专注于PC、移动、智能设备安全研究及逆向工程的开发者社区

最新回复 (1)
Speeday 雪币： 458 活跃值： (306) 能力值： ( LV12，RANK：400 ) 在线值：发帖 22 回帖 353 粉丝 14 关注私信	Speeday 8 2 楼看起来有点像类型转换的问题，把PIMAGE_NT_HEADERS pModule_NT_HEADER = (PIMAGE_NT_HEADERS)((ULONG)NewModuleBase + (ULONG)pModule_DOS_HEADER->e_lfanew);改成： PIMAGE_NT_HEADERS pModule_NT_HEADER = (PIMAGE_NT_HEADERS)((ULONG)NewModuleBase + pModule_DOS_HEADER->e_lfanew); 试试。 2014-4-24 15:01 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复