-
-
[求助]PsSetLoadImageNotifyRoutine,在回调中修改导入表蓝屏
-
发表于:
2015-3-11 21:44
7126
-
[求助]PsSetLoadImageNotifyRoutine,在回调中修改导入表蓝屏
系统是win8.1 x64,目前在尝试驱动中修改导入表。
在LoadImageRoutine中的相关代码如下:
if (ImageInfo->SystemModeImage)
{
}
else
{
pProcessBase = GetProcessBaseAddress(ProcessId); //获取进程基址
if (pProcessBase == ImageInfo->ImageBase) //如果exe基址=映像基址,就修改导入表
{
PVOID ulImageBase = ImageInfo->ImageBase;
pDos = (PIMAGE_DOS_HEADER)ulImageBase;
///////////////
ProbeForRead(pDos, sizeof(IMAGE_DOS_HEADER), 1);
pHeader = (PIMAGE_NT_HEADERS)((ULONG)uImageBase + pDos->e_lfanew); //此行蓝屏,windbg提示访问越界
///////////////
pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG)pHeader->OptionalHeader.DataDirectory[1].VirtualAddress + ulImageBase);
............. //后面就不贴了,直接蓝在上面
这个GetProcessBaseAddress也是抄的,
功底太烂试着找点代码,结果还跑不起来
PVOID GetProcessBaseAddress(IN HANDLE PID)
{
NTSTATUS status;
HANDLE hProcess = NULL;
CLIENT_ID clientid;
OBJECT_ATTRIBUTES ObjectAttributes;
PPROCESS_BASIC_INFORMATION pProcessBaseInfo;
ULONG returnedLength;
PPEB Peb;
PVOID ImageBase = NULL;
if (KeGetCurrentIrql() >= DISPATCH_LEVEL)
{
return ImageBase;
}
InitializeObjectAttributes(&ObjectAttributes, 0, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 0, 0);
clientid.UniqueProcess = PID;
clientid.UniqueThread = 0;
status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &clientid);
if (!NT_SUCCESS(status))
{
return ImageBase;
}
pProcessBaseInfo = (PPROCESS_BASIC_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, sizeof(PROCESS_BASIC_INFORMATION), 'abcd');
if (pProcessBaseInfo == NULL)
{
ZwClose(hProcess);
return ImageBase;
}
RtlZeroMemory(pProcessBaseInfo, sizeof(PROCESS_BASIC_INFORMATION));
status = ZwQueryInformationProcess(hProcess, ProcessBasicInformation, pProcessBaseInfo, sizeof(PROCESS_BASIC_INFORMATION), &returnedLength);
if (NT_SUCCESS(status))
{
Peb = (PPEB)pProcessBaseInfo->PebBaseAddress;
ImageBase = Peb->ImageBaseAddress;
}
ZwClose(hProcess);
ExFreePool(pProcessBaseInfo);
return ImageBase;
}
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课