主要思想就是用暴力搜索内存的方法将驱动程序一个个枚举出来,
下面是主要算法:
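/*
 * GetDriverBaseAdress - list the kernel modules currently loaded.
 *
 * Takes a snapshot of the loaded-module list through
 * ZwQuerySystemInformation(SystemModuleInformation), prints every entry's
 * base address, file name and full image path with DbgPrint, and returns
 * the base address of the LAST entry in the snapshot.
 *
 * Must run at PASSIVE_LEVEL: both ZwQuerySystemInformation and a PagedPool
 * allocation require it.
 *
 * Returns: base of the last enumerated module, or 0 when the size query,
 * the pool allocation or the data query fails. The snapshot is not pinned,
 * so the returned address can become stale if that module is unloaded.
 */
PVOID GetDriverBaseAdress(void)
{
    NTSTATUS status;
    ULONG size = 0;
    ULONG index;
    PULONG buf;
    PSYSTEM_MODULE_INFORMATION module;
    PVOID driverAddress = 0;

    /* Zero-length call: only asks the kernel how many bytes are needed. */
    ZwQuerySystemInformation(SystemModuleInformation, &size, 0, &size);
    if (size == 0) {
        /* The call did not report a size, so there is nothing to allocate. */
        DbgPrint("failed query size\n");
        return 0;
    }

    buf = (PULONG)ExAllocatePool(PagedPool, size);
    if (NULL == buf) {
        DbgPrint("failed alloc memory failed \n");
        return 0;
    }

    status = ZwQuerySystemInformation(SystemModuleInformation, buf, size, 0);
    if (!NT_SUCCESS(status)) {
        /* The list may have grown between the two calls (the kernel then
         * returns STATUS_INFO_LENGTH_MISMATCH); a caller can simply retry.
         * Release the buffer here -- this path previously leaked it. */
        DbgPrint("failed query\n");
        ExFreePool(buf);
        return 0;
    }

    /* Layout assumed by this driver: a ULONG entry count followed directly
     * by the entry array.
     * NOTE(review): on 64-bit builds the entry array is normally aligned to
     * 8 bytes, so "buf + 1" (4 bytes) would land inside the padding --
     * confirm against the PSYSTEM_MODULE_INFORMATION definition in use. */
    module = (PSYSTEM_MODULE_INFORMATION)((PULONG)buf + 1);

    for (index = 0; index < *buf; index++) {
        char *sysname;
        char *hljname;

        driverAddress = module[index].Base;
        /* %p rather than %x: %x truncates a 64-bit pointer (and mismatched
         * format/argument types are undefined behaviour). */
        DbgPrint("Module found at:%p\n", driverAddress);

        /* ImageName holds the full path; ModuleNameOffset is the offset of
         * the file-name part inside it. Plain pointers into the snapshot
         * replace the original two 256-entry pointer arrays, which were
         * written past their end on systems with more than 256 modules and
         * consumed several KB of the small kernel stack. */
        sysname = module[index].ImageName + module[index].ModuleNameOffset;
        DbgPrint("Module found at:%s\n", sysname);
        hljname = module[index].ImageName;
        DbgPrint("imagename found at:%s\n", hljname);
    }

    ExFreePool(buf);
    return driverAddress;
}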
下面是试验结果: