首页
社区
课程
招聘
[分享]x64内核下hook NtMapViewOfSection拿完整dll路径
发表于: 2023-3-24 16:25 7004

[分享]x64内核下hook NtMapViewOfSection拿完整dll路径

2023-3-24 16:25
7004

通过 SectionHandle 拿到完整DLL路径

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
//win 10 1903
ULONG g_Offset_ControlArea = 0x28;
ULONG g_Offset_FileObjectInControlArea = 0x40;
 
//写在HOOK内
 
//----------------------
    PEPROCESS process;
    if (NT_SUCCESS(PsLookupProcessByProcessId(PsGetCurrentProcessId(), &process)))
    {
        PCHAR image_name = PsGetProcessImageFileName(process);
        //测试程序
        if (!_stricmp(image_name, "ntcsb.exe"))
        {
            PVOID Section = NULL;
            NTSTATUS Status = ObReferenceObjectByHandle(SectionHandle, SECTION_MAP_READ, *MmSectionObjectType, UserMode, (PVOID*)&Section, NULL);
            if (NT_SUCCESS(Status))
            {
                PVOID ControlArea = *(PVOID*)((ULONG_PTR)Section + g_Offset_ControlArea);
                if (ControlArea)
                {
                    PVOID FileObject = (PVOID)((ULONG_PTR)ControlArea + g_Offset_FileObjectInControlArea);
                    if (FileObject)
                    {
                        FileObject = *(PVOID*)FileObject;
                        if (FileObject)
                        {
                            //去掉低位的标志
                            FileObject = (PVOID)((ULONG_PTR)FileObject & 0xFFFFFFFFFFFFFFF0);
                            ULONG ReturnLength = 1024;
                            //获取完整路径
                            POBJECT_NAME_INFORMATION ObjectNameInfo = (POBJECT_NAME_INFORMATION)ExAllocatePoolWithTag(PagedPool, ReturnLength, 'bsmi');
                            if (ObjectNameInfo && NT_SUCCESS(ObQueryNameString(FileObject, ObjectNameInfo, ReturnLength, &ReturnLength)))
                            {
                                mydbg("当前DLL的名称为 %d %wZ", (ULONG)(ULONG_PTR)PsGetCurrentProcessId(), &ObjectNameInfo->Name);
                                ExFreePool(ObjectNameInfo);
                            }
                        }
                    }
                }
                ObDereferenceObject(Section);
            }
        }
        ObDereferenceObject(process);
        process = NULL;
    }

输出效果:

1
2
3
4
5
6
7
8
9
10
当前DLL的名称为 1424 \Device\HarddiskVolume3\Windows\System32\user32.dll
当前DLL的名称为 1424 \Device\HarddiskVolume3\Windows\System32\win32u.dll
当前DLL的名称为 1424 \Device\HarddiskVolume3\Windows\System32\gdi32.dll
当前DLL的名称为 1424 \Device\HarddiskVolume3\Windows\System32\gdi32full.dll
当前DLL的名称为 1424 \Device\HarddiskVolume3\Windows\System32\imm32.dll
当前DLL的名称为 1424 \Device\HarddiskVolume3\Windows\System32\imm32.dll
当前DLL的名称为 1424 \Device\HarddiskVolume3\Windows\System32\winmm.dll
当前DLL的名称为 1424 \Device\HarddiskVolume3\Windows\System32\msvcrt.dll
当前DLL的名称为 1424 \Device\HarddiskVolume3\Windows\System32\winmmbase.dll
...

来源是这里
https://bbs.kanxue.com/thread-202283.htm
根据这东西搞了一波吧


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

最后于 2023-3-27 21:04 被maxwudi编辑 ,原因: 编辑标题
收藏
免费 2
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//