首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 求助问答
    3. 发新帖
未解决 [求助]ZwMapViewOfSection x64内核映射NTDLL 老蓝屏 要不映射成功 40000003 读写蓝
发表于: 2019-2-25 00:00 2871

未解决 [求助]ZwMapViewOfSection x64内核映射NTDLL 老蓝屏 要不映射成功 40000003 读写蓝

一学徒工 活跃值
2019-2-25 00:00
2871
ULONG GetFunctionId(char* functionName)

{

NTSTATUS ntstatus;
HANDLE hFile = NULL;
HANDLE hSection = NULL;
OBJECT_ATTRIBUTES object_attributes;
IO_STATUS_BLOCK io_status = { 0 };
ULONG64 baseaddress = NULL;
SIZE_T size = 0;
//模块基址
//        PVOID ModuleAddress = NULL;
//偏移量

PIMAGE_DOS_HEADER dos = NULL;


PIMAGE_DATA_DIRECTORY expdir = NULL;
PIMAGE_EXPORT_DIRECTORY exports = NULL;
ULONG ServiceId = 0;
ULONG addr;
ULONG Size;

PULONG functions;
PSHORT ordinals;
PULONG names;

ULONG max_name;
ULONG max_func;
ULONG i;


__try {

UNICODE_STRING DllName;
RtlInitUnicodeString(&DllName, L"\\SystemRoot\\system32\\ntdll.dll");
//初始化OBJECT_ATTRIBUTES结构
InitializeObjectAttributes(
&object_attributes,
&DllName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);
//打开文件
ntstatus = ZwCreateFile(
&hFile,
FILE_READ_ACCESS,
&object_attributes,
&io_status,
NULL,
0,
FILE_SHARE_READ,
FILE_OPEN,
0,
NULL,
0);
if (!NT_SUCCESS(ntstatus))
{
KdPrint(("[GetFunctionAddress] error0\n"));
KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
return 0;
}
//创建区段
InitializeObjectAttributes(
&object_attributes,
NULL,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);

ntstatus = ZwCreateSection(
&hSection,
STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ,
&object_attributes,
0,
PAGE_READONLY,
SEC_IMAGE,
hFile);
if (!NT_SUCCESS(ntstatus))
{
KdPrint(("[GetFunctionAddress] error1\n"));
KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
return 0;
}
//映射区段到进程虚拟空间
ntstatus = ZwMapViewOfSection( //参数我修改好多种了药不这点蓝要不返回  baseaddress=-0
hSection,
ZwCurrentProcess(), //ntddk.h定义的宏用来获取当前进程句柄
(PVOID*)&baseaddress,
1024,
0,
0,
&size,
ViewShare,
MEM_LARGE_PAGES,
PAGE_READONLY);
if (!NT_SUCCESS(ntstatus))
{
KdPrint(("[GetFunctionAddress] error2\n"));
KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
return 0;
}

//验证基址
//KdPrint(("[GetFunctionAddress] BaseAddress:0x%x\n", dwOffset));
dos = (PIMAGE_DOS_HEADER)baseaddress;

PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)(baseaddress + dos->e_lfanew);
expdir = (PIMAGE_DATA_DIRECTORY)(&nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);

addr = expdir->VirtualAddress;//数据块起始RVA
Size = expdir->Size;//数据块长度

exports = (PIMAGE_EXPORT_DIRECTORY)(baseaddress + addr);

functions = (PULONG)(baseaddress + exports->AddressOfFunctions);
ordinals = (PSHORT)(baseaddress + exports->AddressOfNameOrdinals);
names = (PULONG)(baseaddress + exports->AddressOfNames);

max_name = exports->NumberOfNames;
max_func = exports->NumberOfFunctions;

ULONG Base = exports->Base;
ULONG funrav = 0;;
ULONG64 pFunctionAddress = 0;
for (i = 0; i < max_name; i++)
{
 
PCHAR ApiName = (PCHAR)(baseaddress + names[i]);
if (strncmp(ApiName, functionName,strlen(functionName)) == 0)
{
ULONG ord = ordinals[i] + Base - 1;
funrav = functions[ord];
pFunctionAddress = baseaddress + funrav;

break;
}
}


//KdPrint(("[GetFunctionAddress] %s:0x%x\n",FunctionName, pFunctionAddress));


ServiceId=*(PULONG)(pFunctionAddress + 4); 映射成功的话 这点蓝 返回值40000003
}
__except (1) {

/*********************************************************
__except(filter_Value) 参数取值:
EXCEPTION_CONTINUE_SEARCH; 0 转向上一层异常处理;
EXCEPTION_CONTINUE_EXECUTION - 1 重复执行错误指令;
EXCEPTION_EXECUTE_HANDLER 1  忽略该错误转到 __except 块处理;
**********************************************************/

KdPrint(("---错误代码已处理---"));
}
//打印导出函数服务号
//KdPrint(("[GetServiceId] ServiceId:0x%x\n",ServiceId));
//卸载区段,释放内存,关闭句柄
ZwUnmapViewOfSection(NtCurrentProcess(), (PVOID)baseaddress);
ZwClose(hSection);
ZwClose(hFile);

return 0;
}
网上找的代码 不知道为什么 这个函数 咋搞都不明白调试2天了  

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (4)
blindtiger
雪    币: 5734
活跃值: (1737)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
私信
2
map 方式不对 没有对齐节表
2019-2-25 02:54
0
一学徒工
雪    币: 6
活跃值: (267)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
3
怎么对齐节表 是处理RVA吗 
2019-2-25 11:13
0
一学徒工
雪    币: 6
活跃值: (267)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
4
我知道了奇怪为啥我看网上代码都直接用了到我这就得对对齐节表了 是X86 X64问题吗 
2019-2-25 12:07
0
一学徒工
雪    币: 6
活跃值: (267)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
5
搞定了 R3没问题 一模一样的代码 VS 调试虚拟机 内核 出问题  我服了换成dbg没问题
2019-2-25 13:56
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//