-
-
超简单!获取SSDT函数列表与SSSDT函数列表
-
2023-2-6 19:07
-
R3下获取方法有点简单,加载符号,在函数地址判断硬编码,并取得功能号,直接上菜不废话了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 | #include <Windows.h>#include <ImageHlp.h>#pragma comment(lib,"DbgHelp.lib")#pragma comment(lib,"ImageHlp.lib")BOOL CALLBACK SymEnumShadowSSDT(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext){ PDWORD pAddr = pSymInfo->Address; if (*pAddr == 0xB8D18B4C) { printf("%x,%s\n", *(pAddr + 1), pSymInfo->Name); } return TRUE;}BOOL CALLBACK SymEnumSSDT(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext){ PDWORD pAddr = pSymInfo->Address; if (*pAddr == 0xB8D18B4C) { if (!strncmp(pSymInfo->Name, "Nt", 2)) printf("%x,%s\n", *(pAddr + 1), pSymInfo->Name); } return TRUE;}GetSym(char* exe, PSYM_ENUMERATESYMBOLS_CALLBACK EnumFunc){ SYMBOL_INFO sym = { 0 }; DWORD64 sModule; PLOADED_IMAGE pImage = { 0 }; HANDLE hProc = GetCurrentProcess(); SymInitialize(hProc, NULL, TRUE); pImage = ImageLoad(exe, NULL); sModule = SymLoadModuleEx(hProc, pImage->hFile, exe, pImage->ModuleName, pImage->MappedAddress, pImage->SizeOfImage, 0, 0); SymEnumSymbols(hProc, pImage->MappedAddress, NULL, EnumFunc, NULL);}int main(int argc, char* argv[]){ //GetSym("win32u.dll",SymEnumShadowSSDT); GetSym("ntdll.dll", SymEnumSSDT); system("pause"); return 0;} |
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
|
|
|---|---|
|
|
|
|
|
|
|
|
...GPT果然6 |
