[分享]发布一个 遍历shadowssdt函数名_驱动源码
[分享]发布一个 遍历shadowssdt函数名_驱动源码
#include <ntifs.h>
#include <ntimage.h>
//#include "ntddk.h"
//SSDT structure: one service descriptor entry.  The field sizes are the x86
//ones (16 bytes in total), which is the width GetShadowTableAddress compares
//and what the ULONG-to-pointer casts elsewhere in this file assume.
typedef struct _SERVICE_DESCRIPTOR_TABLE {
PULONG ServiceTable;   // service routine addresses; DriverEntry prints each entry
PULONG CounterTable;   // not read by this driver
ULONG TableSize;       // number of entries in ServiceTable
PUCHAR ArgumentTable;  // not read by this driver
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
// Exported by the kernel: the native SSDT.  Its first 16 bytes serve as the
// signature GetShadowTableAddress scans for.
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
// Not imported; DriverEntry fills it from GetShadowTableAddress.  Entry [0]
// compares equal to *KeServiceDescriptorTable, entry [1] is the shadow table.
PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorShadowTable;
// Kernel flavours this driver knows EPROCESS offsets for (see
// LookupProcessByName).  NONE is 0 so it doubles as "not detected yet".
typedef enum WIN_VER_DETAIL {
WINDOWS_VERSION_NONE, // 0
WINDOWS_VERSION_2K,
WINDOWS_VERSION_XP,
WINDOWS_VERSION_2K3,
WINDOWS_VERSION_2K3_SP1_SP2,
WINDOWS_VERSION_VISTA_2008,
WINDOWS_VERSION_7_7600_UP,
WINDOWS_VERSION_7_7000
} WIN_VER_DETAIL;
// Cache for GetWindowsVersion; stays WINDOWS_VERSION_NONE until first queried.
WIN_VER_DETAIL WinVersion;
WIN_VER_DETAIL GetWindowsVersion();
// Declared without a return type (implicit int, pre-C99 style).  Only the
// routine's address is used: it is the start of GetShadowTableAddress' scan.
__declspec(dllimport) _stdcall KeAddSystemServiceTable(PVOID, PVOID, PVOID, PVOID, PVOID);
// Undocumented kernel export; the result is treated as a NUL-terminated byte
// string by LookupProcessByName (strlen/_strnicmp).
UCHAR *PsGetProcessImageFileName(__in PEPROCESS eprocess);
/* DriverUnload callback: nothing to tear down, only a debugger trace. */
VOID MyUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    KdPrint(("驱动卸载成功\n"));
}
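/* Bytes scanned forward from KeAddSystemServiceTable.  The original length is
 * kept; it is a little more than one 4 KB page, not exactly one. */
#define SHADOW_TABLE_SCAN_BYTES 0x1024

/*
 * Locate the shadow service descriptor table, which is not imported, by
 * scanning the code of KeAddSystemServiceTable (which references it) for a
 * 32-bit immediate whose target starts with the same 16 bytes as
 * *KeServiceDescriptorTable; the SSDT's own address is skipped so the native
 * table does not match itself.
 *
 * Returns the table address, or NULL when nothing matched within
 * SHADOW_TABLE_SCAN_BYTES or a read faulted.  32-bit only: a ULONG is assumed
 * to hold a pointer.  A heuristic byte scan like this is build-specific and
 * can return a false positive; callers should treat the result as untrusted.
 */
PVOID GetShadowTableAddress(void)
{
    PUCHAR p = (PUCHAR)KeAddSystemServiceTable;
    ULONG i;

    for (i = 0; i < SHADOW_TABLE_SCAN_BYTES; i++, p++) {
        ULONG candidate;

        /* Both ends of the 4-byte read must be mapped: a fault on a kernel
         * address is not caught by __try/__except, it bugchecks. */
        if (!MmIsAddressValid(p) || !MmIsAddressValid(p + sizeof(ULONG) - 1)) {
            continue;
        }
        __try {
            candidate = *(PULONG)p;   /* unaligned read, acceptable on x86 */
        }
        __except (EXCEPTION_EXECUTE_HANDLER) {
            return NULL;
        }
        /* The candidate must be readable for the whole 16-byte compare. */
        if (!MmIsAddressValid((PVOID)candidate) ||
            !MmIsAddressValid((PUCHAR)candidate + sizeof(SERVICE_DESCRIPTOR_TABLE) - 1)) {
            continue;
        }
        if ((PVOID)candidate == KeServiceDescriptorTable) {
            continue;   /* the instruction that references the SSDT itself */
        }
        if (memcmp((PVOID)candidate, KeServiceDescriptorTable, sizeof(SERVICE_DESCRIPTOR_TABLE)) == 0) {
            return (PVOID)candidate;
        }
    }
    return NULL;
}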
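/*
 * Classify the running kernel into a WIN_VER_DETAIL via RtlGetVersion.
 * The answer is cached in the global WinVersion; WINDOWS_VERSION_NONE (0)
 * means "not queried yet" or "unrecognised", so an unrecognised kernel is
 * re-queried on every call.
 *
 * Returns WINDOWS_VERSION_NONE when RtlGetVersion fails or when the
 * major/minor/build combination is not one LookupProcessByName has offsets for.
 */
WIN_VER_DETAIL GetWindowsVersion(void)
{
    RTL_OSVERSIONINFOEXW osverinfo;
    ULONG major, minor, build;

    if (WinVersion) {
        return WinVersion;
    }
    memset(&osverinfo, 0, sizeof(osverinfo));
    osverinfo.dwOSVersionInfoSize = sizeof(osverinfo);
    if (!NT_SUCCESS(RtlGetVersion((RTL_OSVERSIONINFOW *)&osverinfo))) {
        return WINDOWS_VERSION_NONE;
    }
    major = osverinfo.dwMajorVersion;
    minor = osverinfo.dwMinorVersion;
    build = osverinfo.dwBuildNumber;

    if (major == 5 && minor == 0) {
        WinVersion = WINDOWS_VERSION_2K;
    } else if (major == 5 && minor == 1) {
        WinVersion = WINDOWS_VERSION_XP;
    } else if (major == 5 && minor == 2) {
        /* Server 2003 RTM and SP1/SP2 use different EPROCESS offsets. */
        WinVersion = (osverinfo.wServicePackMajor == 0)
                         ? WINDOWS_VERSION_2K3
                         : WINDOWS_VERSION_2K3_SP1_SP2;
    } else if (major == 6 && minor == 0) {
        /* Vista / Server 2008 has its own enum value and its own offset in
         * LookupProcessByName; mapping 6.0 to the 2003 SP1/SP2 entry would
         * make the list walk use the wrong offset on these kernels. */
        WinVersion = WINDOWS_VERSION_VISTA_2008;
    } else if (major == 6 && minor == 1 && build == 7000) {
        WinVersion = WINDOWS_VERSION_7_7000;
    } else if (major == 6 && minor == 1 && build >= 7600) {
        WinVersion = WINDOWS_VERSION_7_7600_UP;
    }
    /* Anything else (including 6.1 builds between 7000 and 7600) leaves
     * WinVersion at WINDOWS_VERSION_NONE. */
    return WinVersion;
}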
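/* Longest image-file name kept per process: 15 characters plus a terminator.
 * Requested names longer than this are compared on their first 15 characters
 * only (the original code truncated to 15 as well). */
#define PROCESS_IMAGE_NAME_MAX 15

/*
 * Offset of the LIST_ENTRY that links EPROCESS structures into the active
 * process list, for the given kernel version (32-bit builds only).
 * Returns 0 for a version this table does not cover; the caller must treat 0
 * as "unsupported" instead of walking with it, because a wrong offset reads
 * unrelated kernel memory.
 */
static ULONG ActiveProcessLinksOffset(WIN_VER_DETAIL ver)
{
    switch (ver) {
    case WINDOWS_VERSION_XP:
        return 0x88;
    case WINDOWS_VERSION_7_7600_UP:
    case WINDOWS_VERSION_7_7000:
        return 0xb8;
    case WINDOWS_VERSION_VISTA_2008:
        return 0x0a0;
    case WINDOWS_VERSION_2K3_SP1_SP2:
        return 0x98;
    case WINDOWS_VERSION_2K3:
        return 0x088;
    default:
        return 0;   /* WINDOWS_VERSION_NONE, WINDOWS_VERSION_2K: no offset known */
    }
}

/*
 * Case-insensitive comparison of a process's image-file name against the
 * requested name.  Requests longer than PROCESS_IMAGE_NAME_MAX are compared on
 * their first PROCESS_IMAGE_NAME_MAX characters, since that is all the
 * per-process name holds; a NULL image name never matches.
 */
static BOOLEAN ImageNameMatches(const char *imageName, const char *wanted, size_t wantedLen)
{
    size_t cmpLen = (wantedLen > PROCESS_IMAGE_NAME_MAX) ? PROCESS_IMAGE_NAME_MAX : wantedLen;

    if (imageName == NULL) {
        return FALSE;
    }
    if (strlen(imageName) != cmpLen) {
        return FALSE;
    }
    return (_strnicmp(wanted, imageName, cmpLen) == 0) ? TRUE : FALSE;
}

/*
 * Find a process by image-file name by walking the kernel's circular process
 * list, starting at the current process.
 *
 * pcProcessName  NUL-terminated name such as "explorer.exe"; compared
 *                case-insensitively, at most PROCESS_IMAGE_NAME_MAX characters.
 * pEprocess      receives the EPROCESS on success and NULL otherwise.
 *
 * Returns STATUS_SUCCESS, STATUS_INVALID_PARAMETER (NULL argument),
 * STATUS_UNSUCCESSFUL (IRQL above PASSIVE_LEVEL, or no offset for this kernel
 * version) or STATUS_NOT_FOUND (no match, or a fault while walking).
 *
 * The returned EPROCESS is not referenced (no ObReferenceObject), so it is
 * only as stable as the process itself.  The list is walked without any lock
 * and through hard-coded, version-specific offsets: this is a best-effort,
 * 32-bit-only research routine, not a substitute for the supported
 * PsLookupProcessByProcessId API.
 */
NTSTATUS LookupProcessByName(IN PCHAR pcProcessName, OUT PEPROCESS *pEprocess)
{
    NTSTATUS status = STATUS_NOT_FOUND;
    ULONG linksOffset;
    size_t nameLen;
    PEPROCESS start, current;
    ULONG visited = 0;

    if (!ARGUMENT_PRESENT(pcProcessName) || !ARGUMENT_PRESENT(pEprocess)) {
        return STATUS_INVALID_PARAMETER;
    }
    *pEprocess = NULL;
    if (KeGetCurrentIrql() > PASSIVE_LEVEL) {
        return STATUS_UNSUCCESSFUL;
    }
    /* The original left this local uninitialised for versions the switch did
     * not cover; resolving it through a helper with a default of 0 makes the
     * "unsupported kernel" check below reliable. */
    linksOffset = ActiveProcessLinksOffset(GetWindowsVersion());
    if (linksOffset == 0) {
        return STATUS_UNSUCCESSFUL;
    }
    nameLen = strlen(pcProcessName);

    start = PsGetCurrentProcess();
    current = start;
    __try {
        for (;;) {
            const char *imageName = (const char *)PsGetProcessImageFileName(current);

            if (ImageNameMatches(imageName, pcProcessName, nameLen)) {
                *pEprocess = current;
                status = STATUS_SUCCESS;
                break;
            }
            /* Back at the starting process: the whole ring has been visited. */
            if (visited >= 1 && current == start) {
                status = STATUS_NOT_FOUND;
                break;
            }
            {
                /* Flink points at the next process's LIST_ENTRY, not at its
                 * EPROCESS, so the offset is subtracted again. */
                PLIST_ENTRY links = (PLIST_ENTRY)((ULONG_PTR)current + linksOffset);
                current = (PEPROCESS)((ULONG_PTR)links->Flink - linksOffset);
            }
            visited++;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        KdPrint(("LookupProcessByName:%08x\r\n", GetExceptionCode()));
        *pEprocess = NULL;
        status = STATUS_NOT_FOUND;
    }
    return status;
}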
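/*
 * Driver entry point: locate the shadow service descriptor table, attach to
 * explorer.exe and print every entry of its second table (the shadow SSDT)
 * to the debugger.  The original author attaches to a GUI process before
 * reading the table; presumably the second table is only meaningful in such a
 * process's context -- confirm against the target build.
 *
 * Diagnostic only: nothing is hooked or written.  Always returns
 * STATUS_SUCCESS so the driver stays loaded until MyUnload runs; failures to
 * find the table or the process are only logged.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING Reg_Path)
{
    PEPROCESS explorer = NULL;
    KAPC_STATE apcState;

    UNREFERENCED_PARAMETER(Reg_Path);
    pDriverObject->DriverUnload = MyUnload;

    KeServiceDescriptorShadowTable = GetShadowTableAddress();
    if (KeServiceDescriptorShadowTable == NULL) {
        KdPrint(("DriverEntry: shadow service descriptor table not found\r\n"));
        return STATUS_SUCCESS;
    }
    if (LookupProcessByName("explorer.exe", &explorer) != STATUS_SUCCESS) {
        KdPrint(("DriverEntry: explorer.exe not found\r\n"));
        return STATUS_SUCCESS;
    }

    /* KeStackAttachProcess/KeUnstackDetachProcess replace the obsolete
     * KeAttachProcess/KeDetachProcess pair and restore the previous context. */
    KeStackAttachProcess((PRKPROCESS)explorer, &apcState);
    {
        /* Index 1 is the second descriptor: the shadow SSDT itself. */
        PSERVICE_DESCRIPTOR_TABLE shadow = &KeServiceDescriptorShadowTable[1];
        ULONG count = shadow->TableSize;
        ULONG i;

        for (i = 0; i < count; i++) {
            DbgPrint("Number:%u Address:0x%08X\r\n", i, shadow->ServiceTable[i]);
        }
    }
    KeUnstackDetachProcess(&apcState);
    return STATUS_SUCCESS;
}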