Unresolved
Calling kernel functions from R3 while skipping NTDLL: parameter conversion problem
Posted on:
2020-9-6 14:59
3767
The system is 64-bit. In an x32 process I hook ntdll!NtOpenProcess and then jump into my own driver, which calls NtOpenProcess. How are the parameters supposed to be converted? I have tried several times and cannot get the call to succeed.
Driver side
case IOCTL_NtOpenProcess:
{
    DBG_LOG_DEBUG("IOCTL_NtOpenProcess 被调用");
    // Input buffer is reinterpreted as the native (64-bit) parameter block
    PAEAM_NtOpenProcess *ioBuffer = (PAEAM_NtOpenProcess *)pIoBuffer;
    if (ioBuffer == NULL)
    {
        status = STATUS_INVALID_PARAMETER;
        DBG_LOG_DEBUG("IOCTL_NtOpenProcess 被调用 失败了");
    }
    else
    {
        status = ddk::myNtOpenProcess(ioBuffer->ProcessHandle, ioBuffer->DesiredAccess, ioBuffer->ObjectAttributes, ioBuffer->ClientId);
    }
    break;
}
User-mode side
NTSTATUS NTAPI myNtOpenProcess
(
    __out PHANDLE ProcessHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __in_opt PCLIENT_ID ClientId)
{
    NTSTATUS Status;
    DWORD lResultLength;
    PAEAM_NtOpenProcess_32 param;   // 32-bit layout of the parameter block
    param.ProcessHandle = ProcessHandle;
    param.DesiredAccess = DesiredAccess;
    param.ObjectAttributes = ObjectAttributes;
    param.ClientId = ClientId;
    // Send the block to the driver; the driver writes the NTSTATUS back into Status
    DeviceIoControl(g_Driver, IOCTL_NtOpenProcess, &param, sizeof(param), &Status, sizeof(Status), &lResultLength, 0);
    return Status;
}
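The conversion the question is about is a layout problem, not a calling-convention one: in the 32-bit process every member of the parameter block is 4 bytes (16 bytes total), while the driver reads the buffer through a native struct whose pointer members are 8 bytes (32 bytes total), so `ObjectAttributes` and `ClientId` are read from past the end of what was sent. The same doubling applies to everything those pointers reach: `OBJECT_ATTRIBUTES` is 24 bytes in a 32-bit caller and 48 bytes natively, `CLIENT_ID` is 8 versus 16. The following user-mode C program is an added illustration, not code from the post or from any driver: it defines both layouts with fixed-width types, widens a 32-bit block and a 32-bit `OBJECT_ATTRIBUTES` into the native shape, and rejects a buffer whose length does not match the layout the client claims to use. The struct names (`PARAM_NtOpenProcess_32/64`), the sample byte values and the `client_is_32bit` flag are assumptions; in a real driver that flag would come from a check such as `IoIs32bitProcess`, and every widened pointer still refers to user memory that must be probed and captured before use.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parameter block exactly as a 32-bit (WoW64) client lays it out: 16 bytes.
   Assumed name; the layout is the ordinary ILP32 one. */
typedef struct {
    uint32_t ProcessHandle;    /* PHANDLE, a 32-bit pointer */
    uint32_t DesiredAccess;    /* ACCESS_MASK */
    uint32_t ObjectAttributes; /* POBJECT_ATTRIBUTES, a 32-bit pointer */
    uint32_t ClientId;         /* PCLIENT_ID, a 32-bit pointer */
} PARAM_NtOpenProcess_32;

/* The native 64-bit block: 32 bytes, with padding after DesiredAccess. Reading a
   16-byte WoW64 buffer through this layout overruns the buffer. */
typedef struct {
    uint64_t ProcessHandle;
    uint32_t DesiredAccess;
    uint32_t Reserved;         /* compiler padding, made explicit */
    uint64_t ObjectAttributes;
    uint64_t ClientId;
} PARAM_NtOpenProcess_64;

/* OBJECT_ATTRIBUTES as a 32-bit caller builds it (24 bytes)... */
typedef struct {
    uint32_t Length;           /* a 32-bit caller always stores 24 */
    uint32_t RootDirectory;    /* HANDLE */
    uint32_t ObjectName;       /* PUNICODE_STRING (itself a 32-bit layout) */
    uint32_t Attributes;
    uint32_t SecurityDescriptor;
    uint32_t SecurityQualityOfService;
} OBJECT_ATTRIBUTES_32;

/* ...and the native layout (48 bytes). CLIENT_ID widens the same way: 8 -> 16. */
typedef struct {
    uint32_t Length;           /* 48 */
    uint32_t Reserved0;
    uint64_t RootDirectory;
    uint64_t ObjectName;
    uint32_t Attributes;
    uint32_t Reserved1;
    uint64_t SecurityDescriptor;
    uint64_t SecurityQualityOfService;
} OBJECT_ATTRIBUTES_64;

/* Widen the block. `len` is the input length the driver was actually given;
   refusing a mismatch is the check that exposes a 32-bit client talking to a
   64-bit layout (or the reverse) instead of silently reading garbage. */
int thunk_param_block(const void *buf, size_t len, int client_is_32bit,
                      PARAM_NtOpenProcess_64 *out)
{
    memset(out, 0, sizeof(*out));
    if (client_is_32bit) {
        PARAM_NtOpenProcess_32 p32;
        if (len != sizeof(p32)) return -1;
        memcpy(&p32, buf, sizeof(p32));   /* memcpy: no alignment assumption */
        out->ProcessHandle    = p32.ProcessHandle;    /* zero-extend each field */
        out->DesiredAccess    = p32.DesiredAccess;
        out->ObjectAttributes = p32.ObjectAttributes;
        out->ClientId         = p32.ClientId;
        return 0;
    }
    if (len != sizeof(*out)) return -1;
    memcpy(out, buf, sizeof(*out));
    return 0;
}

/* Widen a 32-bit OBJECT_ATTRIBUTES; its Length field doubles as a sanity check. */
int thunk_object_attributes(const void *buf, size_t len, OBJECT_ATTRIBUTES_64 *out)
{
    OBJECT_ATTRIBUTES_32 oa32;
    if (len < sizeof(oa32)) return -1;
    memcpy(&oa32, buf, sizeof(oa32));
    if (oa32.Length != sizeof(oa32)) return -1;
    memset(out, 0, sizeof(*out));
    out->Length                   = sizeof(*out);
    out->RootDirectory            = oa32.RootDirectory;
    out->ObjectName               = oa32.ObjectName;
    out->Attributes               = oa32.Attributes;
    out->SecurityDescriptor       = oa32.SecurityDescriptor;
    out->SecurityQualityOfService = oa32.SecurityQualityOfService;
    return 0;
}

/* Constructed sample: the 16 bytes a 32-bit client would send (little-endian). */
static const uint8_t SAMPLE_WOW64_BLOCK[16] = {
    0x20,0xFF,0x19,0x00,  /* ProcessHandle    = 0x0019FF20 */
    0x00,0x10,0x00,0x00,  /* DesiredAccess    = 0x00001000 */
    0x40,0xFF,0x19,0x00,  /* ObjectAttributes = 0x0019FF40 */
    0x60,0xFF,0x19,0x00   /* ClientId         = 0x0019FF60 */
};

/* Widened ObjectAttributes from the sample, or 0 if the block was rejected. */
uint64_t sample_widened_object_attributes(void)
{
    PARAM_NtOpenProcess_64 p;
    return thunk_param_block(SAMPLE_WOW64_BLOCK, sizeof SAMPLE_WOW64_BLOCK, 1, &p) == 0
           ? p.ObjectAttributes : 0;
}

/* The same 16 bytes presented as if from a 64-bit client: must be rejected. */
int sample_as_64bit_client(void)
{
    PARAM_NtOpenProcess_64 p;
    return thunk_param_block(SAMPLE_WOW64_BLOCK, sizeof SAMPLE_WOW64_BLOCK, 0, &p);
}

int main(void)
{
    printf("block sizes: 32-bit %zu, 64-bit %zu\n",
           sizeof(PARAM_NtOpenProcess_32), sizeof(PARAM_NtOpenProcess_64));
    printf("ObjectAttributes widened to 0x%llx\n",
           (unsigned long long)sample_widened_object_attributes());
    printf("same bytes treated as 64-bit layout: %d\n", sample_as_64bit_client());
    return 0;
}
```

The program prints the two block sizes (16 and 32), the widened pointer 0x19ff40, and -1 for the length mismatch. Note that widening a pointer only makes it addressable from 64-bit code; it does not make the memory behind it trustworthy, and `ObjectName` in particular still points at a 32-bit `UNICODE_STRING` that needs its own conversion.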
Last edited on 2020-9-6 15:00 by ~时光荏苒, reason: