ULONG GetFunctionId(char* functionName)
{
NTSTATUS ntstatus;
HANDLE hFile = NULL;
HANDLE hSection = NULL;
OBJECT_ATTRIBUTES object_attributes;
IO_STATUS_BLOCK io_status = { 0 };
ULONG64 baseaddress = NULL;
SIZE_T size = 0;
//模块基址
// PVOID ModuleAddress = NULL;
//偏移量
PIMAGE_DOS_HEADER dos = NULL;
PIMAGE_DATA_DIRECTORY expdir = NULL;
PIMAGE_EXPORT_DIRECTORY exports = NULL;
ULONG ServiceId = 0;
ULONG addr;
ULONG Size;
PULONG functions;
PSHORT ordinals;
PULONG names;
ULONG max_name;
ULONG max_func;
ULONG i;
__try {
UNICODE_STRING DllName;
RtlInitUnicodeString(&DllName, L"\\SystemRoot\\system32\\ntdll.dll");
//初始化OBJECT_ATTRIBUTES结构
InitializeObjectAttributes(
&object_attributes,
&DllName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);
//打开文件
ntstatus = ZwCreateFile(
&hFile,
FILE_READ_ACCESS,
&object_attributes,
&io_status,
NULL,
0,
FILE_SHARE_READ,
FILE_OPEN,
0,
NULL,
0);
if (!NT_SUCCESS(ntstatus))
{
KdPrint(("[GetFunctionAddress] error0\n"));
KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
return 0;
}
//创建区段
InitializeObjectAttributes(
&object_attributes,
NULL,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);
ntstatus = ZwCreateSection(
&hSection,
STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ,
&object_attributes,
0,
PAGE_READONLY,
SEC_IMAGE,
hFile);
if (!NT_SUCCESS(ntstatus))
{
KdPrint(("[GetFunctionAddress] error1\n"));
KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
return 0;
}
//映射区段到进程虚拟空间
ntstatus = ZwMapViewOfSection( //参数我修改好多种了药不这点蓝要不返回
baseaddress=-0
hSection,
ZwCurrentProcess(), //ntddk.h定义的宏用来获取当前进程句柄
(PVOID*)&baseaddress,
1024,
0,
0,
&size,
ViewShare,
MEM_LARGE_PAGES,
PAGE_READONLY);
if (!NT_SUCCESS(ntstatus))
{
KdPrint(("[GetFunctionAddress] error2\n"));
KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
return 0;
}
//验证基址
//KdPrint(("[GetFunctionAddress] BaseAddress:0x%x\n", dwOffset));
dos = (PIMAGE_DOS_HEADER)baseaddress;
PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)(baseaddress + dos->e_lfanew);
expdir = (PIMAGE_DATA_DIRECTORY)(&nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
addr = expdir->VirtualAddress;//数据块起始RVA
Size = expdir->Size;//数据块长度
exports = (PIMAGE_EXPORT_DIRECTORY)(baseaddress + addr);
functions = (PULONG)(baseaddress + exports->AddressOfFunctions);
ordinals = (PSHORT)(baseaddress + exports->AddressOfNameOrdinals);
names = (PULONG)(baseaddress + exports->AddressOfNames);
max_name = exports->NumberOfNames;
max_func = exports->NumberOfFunctions;
ULONG Base = exports->Base;
ULONG funrav = 0;;
ULONG64 pFunctionAddress = 0;
for (i = 0; i < max_name; i++)
{
PCHAR ApiName = (PCHAR)(baseaddress + names[i]);
if (strncmp(ApiName, functionName,strlen(functionName)) == 0)
{
ULONG ord = ordinals[i] + Base - 1;
funrav = functions[ord];
pFunctionAddress = baseaddress + funrav;
break;
}
}
//KdPrint(("[GetFunctionAddress] %s:0x%x\n",FunctionName, pFunctionAddress));
ServiceId=*(PULONG)(pFunctionAddress + 4); 映射成功的话 这点蓝 返回值40000003
}
__except (1) {
/*********************************************************
__except(filter_Value) 参数取值:
EXCEPTION_CONTINUE_SEARCH; 0 转向上一层异常处理;
EXCEPTION_CONTINUE_EXECUTION - 1 重复执行错误指令;
EXCEPTION_EXECUTE_HANDLER 1 忽略该错误转到 __except 块处理;
**********************************************************/
KdPrint(("---错误代码已处理---"));
}
//打印导出函数服务号
//KdPrint(("[GetServiceId] ServiceId:0x%x\n",ServiceId));
//卸载区段,释放内存,关闭句柄
ZwUnmapViewOfSection(NtCurrentProcess(), (PVOID)baseaddress);
ZwClose(hSection);
ZwClose(hFile);
return 0;
}
网上找的代码 不知道为什么 这个函数 咋搞都不明白调试2天了
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
