-
-
未解决 [讨论] MMapDrvier后使用PEB遍历触发KERNEL-SECURITY-CHECK-FAILURE
-
2020-8-6 13:18
-
测试环境:1803/1903
本人刚入坑驱动汇编不行调试也不咋地,如果能借助VS还行,map后的蓝屏真的好难,望大佬支招!!!
1)mapDriver是没有问题的,但是调用到GetProcessModules就来事了
2)正常编译调用获取也是正常的
正常编译调用
MMapDriver来自Blackbone的BBMapDriver
GetProcessModules来自网络零碎照搬
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union
{
LIST_ENTRY HashLinks;
struct Section
{
PVOID SectionPointer;
ULONG CheckSum;
};
};
union
{
ULONG TimeDateStamp;
PVOID LoadedImports;
};
PVOID EntryPointActivationContext;
PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
typedef struct _RTL_USER_PROCESS_PARAMETERS {
BYTE Reserved1[16];
PVOID Reserved2[10];
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
typedef struct _PEB_LDR_DATA {
BYTE Reserved1[8];
PVOID Reserved2[3];
LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
typedef PPEB(__stdcall* PFNPsGetProcessPeb)(PEPROCESS hGame);
typedef ULONG PPS_POST_PROCESS_INIT_ROUTINE;
typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
BYTE Reserved4[104];
PVOID Reserved5[52];
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
BYTE Reserved6[128];
PVOID Reserved7[1];
ULONG SessionId;
} PEB, * PPEB;
这里就是详细的日了dog遍历
NTSTATUS GetProcessModules(IN HANDLE hProcess,UNICODE_STRING ModuleName, OUT ULONGLONG *Modules)
{
NTSTATUS status = STATUS_SUCCESS;
PEPROCESS pProcess;
PPEB pPEB = NULL;
PPEB_LDR_DATA pPebLdrData = NULL;
PLDR_DATA_TABLE_ENTRY pLdrDataEntry = NULL;
PLIST_ENTRY pListEntryStart = NULL;
PLIST_ENTRY pListEntryEnd = NULL;
KAPC_STATE KAPC = { 0 };
status = PsLookupProcessByProcessId(hProcess, &pProcess);
if (!NT_SUCCESS(status))
{
DbgPrint("[TEST] PsLookupProcessByProcessId failed \n");
return status;
}
ObDereferenceObject(pProcess);
pPEB = PsGetProcessPeb(pProcess);
if (pPEB == NULL)
{
DbgPrint("[TEST] Get pPEB Failed!\n");
return STATUS_UNSUCCESSFUL;
}
KeStackAttachProcess(pProcess, &KAPC);
pPebLdrData = pPEB->Ldr;
pListEntryStart = pListEntryEnd = pPebLdrData->InMemoryOrderModuleList.Flink;
do
{
pLdrDataEntry = (PLDR_DATA_TABLE_ENTRY)CONTAINING_RECORD(pListEntryStart, LDR_DATA_TABLE_ENTRY, InMemoryOrderModuleList);
if (pLdrDataEntry->BaseDllName.Buffer)
{
DbgPrint("[TEST] %wZ\n", pLdrDataEntry->BaseDllName);
if (RtlCompareUnicodeString(&pLdrDataEntry->BaseDllName, &ModuleName, TRUE) == 0)
{
DbgPrint("[TEST] Get dllBase break\n");
*Modules = (ULONGLONG)pLdrDataEntry->DllBase;
break;
}
}
pListEntryStart = pListEntryStart->Flink;
} while (pListEntryStart != pListEntryEnd);
KeUnstackDetachProcess(&KAPC);
return status;
}
然后就
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
