[原创]X64 枚举 内核 符号~~~~
发表于: 2015-9-4 16:16 5689
/* Prototype of ntdll!ZwQuerySystemInformation; the matching function pointer
 * is filled in by main() via GetProcAddress. ReturnLength receives the number
 * of bytes the call needed when the supplied buffer was too small. */
typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)
(
IN ULONG SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG Length,
OUT PULONG ReturnLength
);
typedef unsigned long DWORD;
/* One entry of the loaded-kernel-module list returned for information class 11.
 * NOTE(review): the four leading ULONGs (16 bytes) appear to stand in for two
 * leading pointer-sized fields of the native structure, so this layout only
 * lines up on x64 — confirm before reusing it in an x86 build. */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
{
ULONG Unknow1;
ULONG Unknow2;
ULONG Unknow3;
ULONG Unknow4;
PVOID Base;              /* image base; EnumKM treats values above 0x8000000000000000 as kernel modules */
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT ModuleNameOffset; /* offset of the bare file name inside ImageName (EnumKM adds it to ImageName) */
char ImageName[256];     /* image path; EnumKM reads it as a C string */
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
/* Header of the loaded-module list; Count entries follow in Module[]. */
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Count;// number of modules currently loaded in the kernel
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];// declared with one element, Count entries in practice
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
X64 枚举内核模块所需的结构体
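/*
 * EnumKM - walk the kernel's loaded-module list and return the image base of
 * the module whose file name equals HighlightDrvName (case-insensitive).
 *
 * The list is fetched with ZwQuerySystemInformation (resolved in main) using
 * information class 11 (SystemModuleInformation). While the call reports
 * STATUS_INFO_LENGTH_MISMATCH (0xC0000004) the buffer is grown and the query
 * retried. Only entries whose Base lies above 0x8000000000000000 (x64 kernel
 * address space) are considered.
 *
 * Returns the module base, or 0 when HighlightDrvName is NULL, memory cannot
 * be allocated, the query fails, or no module matches. The original leaked the
 * buffer on the "not found" path; every path now frees it.
 */
ULONG64 EnumKM(char *HighlightDrvName)
{
    enum { SYSTEM_MODULE_INFORMATION_CLASS = 11, MAX_BUFFER_SIZE = 0x40000000 };
    const NTSTATUS StatusInfoLengthMismatch = (NTSTATUS)0xC0000004L;
    ULONG BufferSize = 0x5000;
    ULONG NeedSize = 0;
    ULONG i, ModuleCount, MaxEntries, HeaderSize;
    PVOID pBuffer = NULL;
    const char *pDrvName = NULL;
    NTSTATUS Result;
    ULONG64 address = 0;
    PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;

    if (HighlightDrvName == NULL)
        return 0;

    /* Query, growing the buffer until the whole list fits. */
    for (;;) {
        pBuffer = malloc(BufferSize);
        if (pBuffer == NULL)
            return 0;
        Result = ZwQuerySystemInformation(SYSTEM_MODULE_INFORMATION_CLASS, pBuffer, BufferSize, &NeedSize);
        if (Result != StatusInfoLengthMismatch)
            break;
        free(pBuffer);
        pBuffer = NULL;
        /* Prefer the size the kernel asked for, else double. The cap keeps a
         * bogus ReturnLength from driving an unbounded allocation and also
         * rules out overflow of the doubling (cap * 2 still fits a ULONG). */
        BufferSize = (NeedSize > BufferSize) ? NeedSize : BufferSize * 2;
        if (BufferSize > MAX_BUFFER_SIZE)
            return 0;
    }
    if (Result < 0) {
        /* Query failed: give up. */
        free(pBuffer);
        return 0;
    }

    pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)pBuffer;
    ModuleCount = pSystemModuleInformation->Count;
    /* Never trust Count beyond what the allocated buffer can actually hold. */
    HeaderSize = (ULONG)((char *)&pSystemModuleInformation->Module[0] - (char *)pSystemModuleInformation);
    MaxEntries = (BufferSize - HeaderSize) / (ULONG)sizeof pSystemModuleInformation->Module[0];
    if (ModuleCount > MaxEntries)
        ModuleCount = MaxEntries;

    for (i = 0; i < ModuleCount; i++) {
        const SYSTEM_MODULE_INFORMATION_ENTRY *entry = &pSystemModuleInformation->Module[i];
        /* Skip anything that is not in the x64 kernel half of the address space. */
        if ((ULONG64)entry->Base <= (ULONG64)0x8000000000000000)
            continue;
        /* ModuleNameOffset is kernel-supplied; keep the name pointer inside ImageName. */
        if (entry->ModuleNameOffset >= sizeof entry->ImageName)
            continue;
        pDrvName = entry->ImageName + entry->ModuleNameOffset;
        if (_stricmp(pDrvName, HighlightDrvName) == 0) {
            address = (ULONG64)entry->Base;
            break;
        }
    }
    free(pBuffer);
    return address;
}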
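/* Symbol names of interest; EnumSymCallBack prints the address of each one it sees. */
static const char *const kWantedSymbols[] = {
    "PspCreateProcessNotifyRoutine",
    "PspLoadImageNotifyRoutine",
    "PspCreateThreadNotifyRoutine",
    "PspCidTable",
    "ExDestroyHandle",
};

/*
 * EnumSymCallBack - SymEnumSymbols callback. Prints "name : address" for every
 * symbol whose name is listed in kWantedSymbols. Always returns TRUE so the
 * enumeration continues. SymbolSize and UserContext are not used.
 */
BOOL CALLBACK EnumSymCallBack(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
{
    size_t k;
    (void)SymbolSize;
    (void)UserContext;
    if (pSymInfo == NULL)
        return TRUE;
    for (k = 0; k < sizeof kWantedSymbols / sizeof kWantedSymbols[0]; k++) {
        if (strcmp(pSymInfo->Name, kWantedSymbols[k]) == 0) {
            /* %p expects a pointer: convert the 64-bit Address explicitly instead
             * of passing an integer through a pointer conversion (format mismatch). */
            printf("Oh,yeah! %s :%p\n", pSymInfo->Name, (void *)(ULONG_PTR)pSymInfo->Address);
            break;   /* a name can match at most one table entry */
        }
    }
    return TRUE;
}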
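/* Append suffix to the NUL-terminated string in dst (capacity cap bytes).
 * Returns 0 on success, -1 if the result would not fit (dst is left unchanged). */
static int append_str(char *dst, size_t cap, const char *suffix)
{
    size_t used = strlen(dst);
    size_t add = strlen(suffix);
    if (used >= cap || add >= cap - used)   /* room for suffix plus the terminator */
        return -1;
    memcpy(dst + used, suffix, add + 1);
    return 0;
}

/*
 * getallkrnladdress - load the kernel image's symbols with DbgHelp at the base
 * address the kernel reports and enumerate them through EnumSymCallBack.
 *
 * ntkrnlmpBaseaddress: kernel image base as returned by EnumKM; 0 means the
 * caller could not find it and nothing is done.
 *
 * Symbols are searched in "<current directory>\symbols"; the image file is
 * "<system directory>\ntkrnlmp.exe". Every API failure is reported on stdout
 * and the function returns after releasing what it acquired. The original
 * ended in `for (;;);`, which never returned and made main's getchar()
 * unreachable; that spin loop is gone.
 */
void getallkrnladdress(ULONG64 ntkrnlmpBaseaddress)
{
    HANDLE hProcess = GetCurrentProcess();
    HANDLE hFile;
    DWORD64 BaseOfDll;
    DWORD dwfilesize;
    DWORD len;
    char SymbolPath[256];
    char FileName[256];

    if (ntkrnlmpBaseaddress == 0) {
        printf("kernel base address is 0, nothing to do ...\n");
        return;
    }

    SymSetOptions(SymGetOptions() | SYMOPT_DEBUG);
    if (!SymInitialize(hProcess, NULL, FALSE)) {
        printf("SymInitialize error ...\n");
        return;   /* the original carried on without a DbgHelp session */
    }

    /* "<cwd>\symbols": both pieces are bounds-checked; the original strcat()
     * could overrun the 256-byte buffer on a long path. */
    len = GetCurrentDirectoryA(sizeof SymbolPath, SymbolPath);
    if (len == 0 || len >= sizeof SymbolPath ||
        append_str(SymbolPath, sizeof SymbolPath, "\\symbols") != 0) {
        printf("GetCurrentDirectoryA error or symbol path too long ...\n");
        goto cleanup;
    }
    SymSetSearchPath(hProcess, SymbolPath);

    /* "<system dir>\ntkrnlmp.exe", same bounds discipline. */
    len = GetSystemDirectoryA(FileName, sizeof FileName);
    if (len == 0 || len >= sizeof FileName ||
        append_str(FileName, sizeof FileName, "\\ntkrnlmp.exe") != 0) {
        printf("GetSystemDirectoryA error or image path too long ...\n");
        goto cleanup;
    }

    /* The file is opened only to learn its size for SymLoadModule64. */
    hFile = CreateFileA(FileName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("CreateFileA(%s) error %lu ...\n", FileName, (unsigned long)GetLastError());
        goto cleanup;
    }
    dwfilesize = GetFileSize(hFile, NULL);
    CloseHandle(hFile);   /* the original never closed this handle */
    if (dwfilesize == INVALID_FILE_SIZE) {
        printf("GetFileSize error %lu ...\n", (unsigned long)GetLastError());
        goto cleanup;
    }

    BaseOfDll = SymLoadModule64(hProcess, NULL, FileName, NULL, ntkrnlmpBaseaddress, dwfilesize);
    if (BaseOfDll == 0) {
        printf("SymLoadModule64 error %lu ...\n", (unsigned long)GetLastError());
        goto cleanup;
    }
    if (!SymEnumSymbols(hProcess, BaseOfDll, NULL, EnumSymCallBack, NULL))
        printf("SymEnumSymbols error %lu ...\n", (unsigned long)GetLastError());
    SymUnloadModule64(hProcess, BaseOfDll);

cleanup:
    SymCleanup(hProcess);
}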
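/*
 * main - usage example: resolve ZwQuerySystemInformation from ntdll, find the
 * NT kernel module base with EnumKM, then enumerate the kernel's symbols.
 *
 * Returns 0 on success, 1 when ntdll or ZwQuerySystemInformation cannot be
 * resolved or the kernel module is not found. The original called EnumKM
 * through an unchecked (possibly NULL) function pointer and passed a possibly
 * zero base address on.
 */
int main(void)
{
    ULONG64 ntkrnlmpBaseaddress;
    HMODULE hNtdll = LoadLibraryW(L"ntdll.dll");
    if (hNtdll == NULL) {
        printf("LoadLibraryW(ntdll.dll) error %lu ...\n", (unsigned long)GetLastError());
        return 1;
    }
    ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
    if (ZwQuerySystemInformation == NULL) {
        printf("GetProcAddress(ZwQuerySystemInformation) error ...\n");
        return 1;
    }
    ntkrnlmpBaseaddress = EnumKM("ntkrnlmp.exe");   // NT kernel module base
    if (ntkrnlmpBaseaddress == 0) {
        printf("ntkrnlmp.exe not found in the kernel module list ...\n");
        getchar();
        return 1;
    }
    getallkrnladdress(ntkrnlmpBaseaddress);
    getchar();
    return 0;
}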
完整 SRC :http://pan.baidu.com/s/1sjuZg2D
网上代码 抄抄改改 就好了 ,听说老大 都不用硬编码了 所以 ~~~~