[求助] Windows内核驱动通过系统回调获取驱动路径
发表于: 2025-5-17 15:31 1428

#include <aux_klib.h>
/* Byte patterns matched by FindPspCreateProcessNotifyRoutine. Only element [1]
 * of each array is ever read; element [0] is an unused placeholder. */
const UCHAR OPCODE_PSP[] = { 0x00, 0xe8 };      /* E8 : call rel32 */
/* 4C 8D 2D : lea r13, [rip+disp32] — matched as three consecutive bytes. */
const UCHAR OPCODE_LEA_R13_1[] = { 0x00, 0x4c };
const UCHAR OPCODE_LEA_R13_2[] = { 0x00, 0x8d };
const UCHAR OPCODE_LEA_R13_3[] = { 0x00, 0x2d };
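/*
 * Returns the ImageBase of the first module reported by AuxKlib, or 0 on any
 * failure (AuxKlib init, size query, pool allocation, or the filled query).
 *
 * The caller treats modules[0] as the kernel image. AuxKlib lists the kernel
 * first in practice, but nothing here checks the module name —
 * NOTE(review): confirm modules[0] is ntoskrnl on every targeted build.
 *
 * Fixes: the size check now requires at least one full entry (a smaller
 * buffer made the modules[0] read out of bounds), and the unused
 * numberOfModules local is gone.
 */
ULONG64 GetKernelBaseAddress(void)
{
    ULONG64 baseAddr = 0;
    ULONG modulesSize = 0;
    PAUX_MODULE_EXTENDED_INFO modules = NULL;
    NTSTATUS status;

    if (!NT_SUCCESS(AuxKlibInitialize()))
        return 0;

    /* First call with a NULL buffer only reports the required size. */
    status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), NULL);
    if (!NT_SUCCESS(status) || modulesSize < sizeof(AUX_MODULE_EXTENDED_INFO))
        return 0;

    modules = (AUX_MODULE_EXTENDED_INFO *)ExAllocatePoolWithTag(PagedPool, modulesSize, DRIVER_TAG);
    if (modules == NULL)
        return 0;
    RtlZeroMemory(modules, modulesSize);

    /* The module list can grow between the two calls; on failure baseAddr stays 0. */
    status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), modules);
    if (NT_SUCCESS(status) && modulesSize >= sizeof(AUX_MODULE_EXTENDED_INFO))
        baseAddr = (ULONG64)modules[0].BasicInfo.ImageBase;

    ExFreePoolWithTag(modules, DRIVER_TAG);
    return baseAddr;
}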
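/* Length of the `lea r13, [rip+disp32]` encoding (4C 8D 2D disp32). RIP-relative
 * displacements are taken from the end of the instruction, so the target is
 * InstructionAddr + 7 + disp32. */
enum { LEA_R13_RIP_INSN_LEN = 7 };
/* Sanity bound: the resolved address must lie within this many bytes above the
 * kernel image base. 16 MiB is a heuristic, not the real image size. */
enum { KERNEL_IMAGE_SPAN_MAX = 0x1000000 };

/*
 * Resolves the RIP-relative displacement found at InstructionAddr and checks
 * that the resulting address plausibly lies inside the kernel image.
 *
 * OffsetAddr      signed 32-bit displacement read from the instruction.
 * InstructionAddr address of the first byte of that instruction.
 * Returns the resolved address, or 0 when the kernel base cannot be obtained
 * or the address is not within KERNEL_IMAGE_SPAN_MAX of it.
 */
ULONG64 VerifyOffsets(LONG OffsetAddr, ULONG64 InstructionAddr)
{
    /* Sign-extend the displacement before the 64-bit add so a negative
     * disp32 moves backwards, as the original int-then-widen arithmetic did. */
    ULONG64 ReturnAddr = InstructionAddr + LEA_R13_RIP_INSN_LEN + (ULONG64)(LONGLONG)OffsetAddr;

    ULONG64 KernelBaseAddr = GetKernelBaseAddress();
    if (KernelBaseAddr == 0) {
        DbgPrint("[Driver] -> Unable to Get Kernel Base Address! \n");
        return 0;
    }

    /* Unsigned subtraction: an address below the base wraps to a huge delta
     * and is rejected by the same comparison. */
    ULONG64 delta = ReturnAddr - KernelBaseAddr;
    if (delta > KERNEL_IMAGE_SPAN_MAX) {
        DbgPrint("[Driver] -> Mismatch Between Kernel Base Address And Expected Return Address: %llx !\n", delta);
        return 0;
    }
    return ReturnAddr;
}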
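/*
 * Locates the address that PspCreateProcessNotifyRoutine's `lea r13` refers
 * to by (1) following the first E8 call inside PsSetCreateProcessNotifyRoutine
 * and (2) matching `lea r13, [rip+disp32]` in the callee, then handing the
 * displacement to VerifyOffsets.
 *
 * Both byte patterns and both scan lengths are tied to particular kernel
 * builds; on a build with a different code layout the scan finds nothing
 * (returns 0) or matches an unrelated byte sequence that VerifyOffsets can
 * only partly reject. Returns 0 on any failure.
 *
 * Fixes: MmGetSystemRoutineAddress can return NULL and was dereferenced
 * unconditionally; and when no call was found the original fell through and
 * scanned PsSetCreateProcessNotifyRoutine itself, so a match there was
 * unlikely to be the intended array. Both cases now fail closed.
 */
ULONG64 FindPspCreateProcessNotifyRoutine(void)
{
    enum { CALL_REL32_LEN = 5, CALL_SCAN_LEN = 20, LEA_SCAN_LEN = 0xff };

    UNICODE_STRING func;
    RtlInitUnicodeString(&func, L"PsSetCreateProcessNotifyRoutine");
    ULONG64 funcAddr = (ULONG64)MmGetSystemRoutineAddress(&func);
    if (funcAddr == 0) {
        DbgPrint("[Driver] -> Unable to resolve PsSetCreateProcessNotifyRoutine! \n");
        return 0;
    }

    /* Step 1: the call's rel32 is relative to the end of the 5-byte instruction. */
    ULONG64 calleeAddr = 0;
    for (ULONG64 p = funcAddr; p < funcAddr + CALL_SCAN_LEN; p++) {
        if (*(PUCHAR)p == OPCODE_PSP[1]) {
            LONG rel32 = 0;
            memcpy(&rel32, (PUCHAR)(p + 1), sizeof rel32);
            calleeAddr = p + CALL_REL32_LEN + (ULONG64)(LONGLONG)rel32;
            break;
        }
    }
    if (calleeAddr == 0) {
        DbgPrint("[Driver] -> Could not locate call in PsSetCreateProcessNotifyRoutine! \n");
        return 0;
    }

    /* Step 2: three-byte opcode match; the disp32 follows immediately. The
     * scan reads raw kernel text past the callee's end without a validity
     * check — NOTE(review): acceptable only while the range stays inside
     * the image. */
    for (ULONG64 p = calleeAddr; p < calleeAddr + LEA_SCAN_LEN; p++) {
        PUCHAR b = (PUCHAR)p;
        if (b[0] == OPCODE_LEA_R13_1[1] && b[1] == OPCODE_LEA_R13_2[1] && b[2] == OPCODE_LEA_R13_3[1]) {
            LONG disp32 = 0;
            memcpy(&disp32, b + 3, sizeof disp32);
            return VerifyOffsets(disp32, p);
        }
    }

    DbgPrint("[Driver] -> Could not locate Process Callback Array! \n");
    return 0;
}
已经获取到了CreateProcess回调入口,现在我想获取是不是指定驱动创建的回调如果是则移除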