[旧帖]
[己解决]请问我该如何从ShadowSSDT中得到NtUserSendInput的地址
/* Generic system-service entry point.  Real service signatures differ from
   one another, so the parameter list is deliberately left unspecified. */
typedef NTSTATUS (NTAPI *NTPROC) ();

/* Pointer into an array of NTPROC, i.e. a service table. */
typedef NTPROC *PNTPROC;

/* Size in bytes of one service-table slot. */
#define NTPROC_ sizeof (NTPROC)
#pragma pack(1)
/* One system service table.  Packed so the layout presumably matches the
   kernel's own definition byte for byte. */
typedef struct _SYSTEM_SERVICE_TABLE {
    PNTPROC ServiceTable;     /* array of service entry points            */
    UINT32 *CounterTable;     /* array of per-service usage counters      */
    UINT32  ServiceLimit;     /* number of entries in ServiceTable        */
    CHAR   *ArgumentTable;    /* array of argument byte counts, one/entry */
} SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE, **PPSYSTEM_SERVICE_TABLE;
/* The kernel's service descriptor table: four SYSTEM_SERVICE_TABLE slots,
   of which only the first two are populated. */
typedef struct _SERVICE_DESCRIPTOR_TABLE {
    SYSTEM_SERVICE_TABLE ntoskrnl;    /* ntoskrnl.exe native API         */
    SYSTEM_SERVICE_TABLE win32k;      /* win32k.sys GDI/USER services    */
    SYSTEM_SERVICE_TABLE Table3;      /* unused                          */
    SYSTEM_SERVICE_TABLE Table4;      /* unused                          */
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE, **PPSERVICE_DESCRIPTOR_TABLE;
#pragma pack()
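// Imports from ntoskrnl.exe.
// KeServiceDescriptorTable is the exported descriptor table that the scan
// below compares candidates against.  KeAddSystemServiceTable is imported
// only so that its code bytes can be scanned; it is never called here, so
// the parameter types are nominal.  The declaration carries an explicit
// return type: the original relied on implicit int, which is invalid C99+.
__declspec(dllimport) SERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
__declspec(dllimport) BOOLEAN NTAPI KeAddSystemServiceTable (ULONG, ULONG, ULONG, ULONG, ULONG);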
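// Scan the first SHADOW_SCAN_BYTES byte offsets of KeAddSystemServiceTable
// for an embedded pointer to the shadow service descriptor table.  A
// candidate is accepted when it is a valid address, is not
// KeServiceDescriptorTable itself, and its first SYSTEM_SERVICE_TABLE (the
// ntoskrnl slot) is byte-identical to KeServiceDescriptorTable's.
//
// Returns the shadow descriptor table, or NULL when nothing matched or an
// exception was raised while probing.
//
// Pointers are read from the code bytes as UINT32, so this only makes sense
// on 32-bit x86.  The cursor itself is a byte pointer: the original advanced
// it through a (UINT32) cast, which truncates the address on 64-bit builds.
PSERVICE_DESCRIPTOR_TABLE
GetServiceDescriptorShadowTableAddress (
VOID
)
{
    enum { SHADOW_SCAN_BYTES = 100 };   // number of byte offsets to probe
    UCHAR *Cursor = (UCHAR *) KeAddSystemServiceTable;
    int Offset;

    for (Offset = 0; Offset < SHADOW_SCAN_BYTES; Offset++, Cursor++) {
        __try {
            // Unaligned read of the four bytes at this offset, treated as a pointer.
            UINT32 Candidate = *(UINT32 *) Cursor;
            VOID *Target = (VOID *) Candidate;

            if (Target == &KeServiceDescriptorTable) {
                continue;
            }
            // memcmp reads sizeof (SYSTEM_SERVICE_TABLE) bytes: probe both ends
            // of that range, not only its first byte.
            if (!MmIsAddressValid (Target)
                || !MmIsAddressValid ((UCHAR *) Target + sizeof (SYSTEM_SERVICE_TABLE) - 1)) {
                continue;
            }
            if (memcmp (Target, &KeServiceDescriptorTable, sizeof (SYSTEM_SERVICE_TABLE)) != 0) {
                continue;
            }
            return (PSERVICE_DESCRIPTOR_TABLE) Target;
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            // Probing faulted despite the checks above: stop rather than keep walking.
            return NULL;
        }
    }
    return NULL;
}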
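// Resolve the NtUserSendInput slot from the shadow table's win32k entry.
// Every step is guarded: the scan may return NULL; the index 0x1E1 is
// specific to one OS build and must stay below win32k.ServiceLimit; and the
// win32k table is presumably mapped per session, so it need not be visible
// from the thread context this runs in -- the original unconditional read
// produced PAGE_FAULT_IN_NONPAGED_AREA.  NtUserSendInput is NULL on any
// failed check.
SSTPtr = GetServiceDescriptorShadowTableAddress ();
NtUserSendInput = NULL;
if (SSTPtr != NULL
    && 0x1E1 < SSTPtr->win32k.ServiceLimit
    && MmIsAddressValid (&SSTPtr->win32k.ServiceTable[0x1E1])) {
    NtUserSendInput = SSTPtr->win32k.ServiceTable[0x1E1];
}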
主要问题在代码最后一行。读取SSTPtr->ntoskrnl.ServiceTable是没有问题的,但就是无法读取win32k.ServiceTable。
请问我要如何做才能在Kernel里读取到呢?