[求助]如何加载驱动文件?
发表于:
2008-2-5 00:00
希望给出实例,最好是Delphi实现...
还有一个问题..
恢复SSDT完整源程序 sys+exe
http://www.gyzy.org/blog/read.php?42
其中,EXE里面这个函数不明白是什么意思,大牛们帮忙看一下,缺少这个函数貌似无法加载驱动,还有,谁会翻译成Delphi?...
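/*
 * ReSSDT - rewrite the live KiServiceTable from the kernel image on disk.
 *
 * Steps (unchanged from the original):
 *  1. Query SystemModuleInformation (class 11) to learn the running
 *     kernel's base address and file name (ntoskrnl is the first entry).
 *  2. Map that file with LoadLibraryEx(DONT_RESOLVE_DLL_REFERENCES) and
 *     locate KiServiceTable inside it via FindKiServiceTable().
 *  3. Walk the mapped table, rebase each entry from the file's ImageBase
 *     to the live kernel base, and hand it to SetProc(hDriver, index,
 *     &addr) so the companion driver writes it into the running table.
 *
 * hDriver: handle to the companion driver; only forwarded to SetProc().
 * Returns nothing. Every failure is reported with printf() and the
 * function returns; the module-list buffer and the mapped kernel image are
 * released on every exit path (the original leaked both on several).
 *
 * Caveats visible in the code:
 *  - Pointers are truncated to DWORD throughout, so this is 32-bit only.
 *  - The table walk has no authoritative length: it stops at the first
 *    entry whose value lies outside the mapped image. A DWORD following
 *    the table that happens to fall in range keeps the loop going and
 *    feeds bogus entries to SetProc() (the original marks this
 *    "MAY FAIL!!!"); the real KiServiceLimit is only known in kernel mode.
 *  - Rewriting the table from the disk image discards every hook present
 *    in memory, including those installed by legitimate security
 *    products; what is actually written is decided by the driver behind
 *    hDriver, which this function cannot verify.
 */
void ReSSDT( IN HANDLE hDriver)
{
    HMODULE hKernel = 0;              /* mapped on-disk kernel, freed at cleanup */
    DWORD dwKSDT;                     /* rva of KeServiceDescriptorTable */
    DWORD dwKiServiceTable;           /* rva of KiServiceTable */
    /* Self-pointing probe: a small but valid buffer for the first query,
     * whose only purpose is to obtain the required size. */
    PMODULES pProbe = (PMODULES)&pProbe;
    PMODULES pModules = 0;            /* heap module list, freed at cleanup */
    DWORD dwNeededSize = 0, rc;
    DWORD dwKernelBase, dwServices = 0;
    PCHAR pKernelName;
    PDWORD pService;
    PIMAGE_FILE_HEADER pfh;
    PIMAGE_OPTIONAL_HEADER poh;
    PIMAGE_SECTION_HEADER psh;
    FARPROC NtQuerySystemInformationAddr =
        GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");

    if (!NtQuerySystemInformationAddr) {
        printf("Can't find NtQuerySystemInformation in ntdll.dll\n");
        return;
    }

    /* Probe call: the expected outcome is STATUS_INFO_LENGTH_MISMATCH plus
     * the size the full module list needs. */
    rc = ((PFNNtQuerySystemInformation)NtQuerySystemInformationAddr)(
            11, pProbe, sizeof pProbe, &dwNeededSize);
    if (rc != STATUS_INFO_LENGTH_MISMATCH) {
        printf("strange NtQuerySystemInformation()!\n");
        return;
    }

    pModules = (PMODULES)GlobalAlloc(GPTR, dwNeededSize);
    if (!pModules) {
        printf("GlobalAlloc failed! LastError=%lu\n", (unsigned long)GetLastError());
        return;
    }
    rc = ((PFNNtQuerySystemInformation)NtQuerySystemInformationAddr)(
            11, pModules, dwNeededSize, NULL);
    if (!NT_SUCCESS(rc)) {
        printf("strange NtQuerySystemInformation()!\n");
        goto cleanup;
    }

    /* Load address of the running kernel; the first entry is ntoskrnl. */
    dwKernelBase = (DWORD)pModules->smi.Base;
    /* File name from the module list - it may be renamed in boot.ini. */
    pKernelName = pModules->smi.ModuleNameOffset + pModules->smi.ImageName;

    /* Map the kernel file without running it; relocations are expected. */
    hKernel = LoadLibraryEx(pKernelName, 0, DONT_RESOLVE_DLL_REFERENCES);
    if (!hKernel) {
        printf("Failed to load! LastError=%lu\n", (unsigned long)GetLastError());
        goto cleanup;
    }

    /* The export is resolved by GetProcAddress, then turned into an rva. */
    dwKSDT = (DWORD)GetProcAddress(hKernel, "KeServiceDescriptorTable");
    if (!dwKSDT) {
        printf("Can't find KeServiceDescriptorTable\n");
        goto cleanup;
    }
    dwKSDT -= (DWORD)hKernel;

    dwKiServiceTable = FindKiServiceTable(hKernel, dwKSDT);
    if (!dwKiServiceTable) {
        printf("Can't find KiServiceTable...\n");
        goto cleanup;
    }
    printf("&KiServiceTable==%08lX\n\nDumping 'old' ServiceTable:\n\n",
           (unsigned long)(dwKiServiceTable + dwKernelBase));

    /* Walk the mapped table. Termination is heuristic: the loop ends at the
     * first value outside [ImageBase, ImageBase + SizeOfImage). The
     * subtraction is unsigned, so values below ImageBase wrap and also end
     * the loop. See the header comment for why this can overrun. */
    GetHeaders((PCHAR)hKernel, &pfh, &poh, &psh);
    for (pService = (PDWORD)((DWORD)hKernel + dwKiServiceTable);
         *pService - poh->ImageBase < poh->SizeOfImage;
         pService++, dwServices++) {
        /* Rebase the file entry onto the live kernel's load address. */
        ULONG ulAddr = *pService - poh->ImageBase + dwKernelBase;
        SetProc(hDriver, dwServices, &ulAddr);
    }
    printf("\n\nPossibly KiServiceLimit==%08lX\n", (unsigned long)dwServices);

cleanup:
    if (hKernel) {
        FreeLibrary(hKernel);
    }
    if (pModules) {
        GlobalFree(pModules);
    }
}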