[求助]弱弱的问一下高手的代码-软件逆向-看雪-安全社区|安全招聘|kanxue.com

最新回复 (5)
爱学习雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 23 粉丝 0 关注私信	爱学习 2 楼比如这些 #include <ntddk.h> #include "PE.h" typedef struct _tagSSDT { PVOID pvSSDTBase; PVOID pvServiceCounterTable; ULONG ulNumberOfServices; PVOID pvParamTableBase; } SSDT, PSSDT; extern PSSDT KeServiceDescriptorTable; // 2个结构体 typedef struct _SYSTEM_MODULE { ULONG Reserved[2]; ULONG Base; ULONG Size; ULONG Flags; USHORT Index; USHORT Unknown; USHORT LoadCount; USHORT ModuleNameOffset; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION, PSYSTEM_MODULE_INFORMATION; typedef struct _SYSTEM_MODULE_INFORMATION { ULONG uCount; SYSTEM_MODULE_INFORMATION aSM[]; }MODULE_LIST,PMODULE_LIST; NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation( ULONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength ); ULONG GetKernelBaseAddress(char lpszModule) { NTSTATUS nResult; ULONG ulNeededSize, uLoop, uKernelAddr; PMODULE_LIST pModuleList; uKernelAddr = 0; ZwQuerySystemInformation(11, &ulNeededSize, 0, &ulNeededSize); pModuleList = ExAllocatePool(NonPagedPool, ulNeededSize); nResult = ZwQuerySystemInformation(11, pModuleList, ulNeededSize, NULL); if (NT_SUCCESS(nResult)) { //ntoskrnl is always first there uKernelAddr = pModuleList->aSM[0].Base; strcpy(lpszModule,"\\SystemRoot\\System32\\"); strcat(lpszModule,pModuleList->aSM[0].ModuleNameOffset+pModuleList->aSM[0].ImageName); } ExFreePool(pModuleList); return uKernelAddr; } ULONG RVAToRaw(PVOID lpBase,ULONG VirtualAddress) { IMAGE_DOS_HEADER pDosHeader; IMAGE_NT_HEADERS pNtHeader; IMAGE_SECTION_HEADER pSectionHeader; ULONG NumOfSections,uLoop; pDosHeader=(IMAGE_DOS_HEADER)lpBase; if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) return 0; pNtHeader=(IMAGE_NT_HEADERS)((unsigned char)lpBase+pDosHeader->e_lfanew); NumOfSections=pNtHeader->FileHeader.NumberOfSections; pSectionHeader = (IMAGE_SECTION_HEADER)((ULONG)pNtHeader + sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER) + pNtHeader->FileHeader.SizeOfOptionalHeader); VirtualAddress -= (ULONG)lpBase; for (uLoop=0;uLoop<NumOfSections;uLoop++) { pSectionHeader = (IMAGE_SECTION_HEADER)((ULONG)pSectionHeader + sizeof(IMAGE_SECTION_HEADER) * uLoop); if(VirtualAddress>pSectionHeader->VirtualAddress&&VirtualAddress<pSectionHeader->VirtualAddress+pSectionHeader->SizeOfRawData) { ULONG Offset = VirtualAddress-pSectionHeader->VirtualAddress + pSectionHeader->PointerToRawData; return Offset; } } return 0; } //服务停止时执行 void DriverUnload(PDRIVER_OBJECT pDriverObj) { DbgPrint("DriverUnload!"); } //StartService时调用 NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath ) { NTSTATUS status=STATUS_SUCCESS; ULONG uKernelMoule,uImageBase,uSSDTCount,uSSDTBase,uSSDTRaw,uLoop,uOldAddress,uNewAddress; PULONG lpArraySSDT; char szKernelPath[256]; ANSI_STRING aFileName; UNICODE_STRING uFileName; OBJECT_ATTRIBUTES ObjAttr; IO_STATUS_BLOCK ioStatus; FILE_POSITION_INFORMATION FilePos; HANDLE hFile; theDriverObject->DriverUnload=DriverUnload; // get system modules memset(szKernelPath,0,256); uKernelMoule = GetKernelBaseAddress(szKernelPath); uImageBase = ((IMAGE_NT_HEADERS)(uKernelMoule + ((IMAGE_DOS_HEADER)uKernelMoule)->e_lfanew))->OptionalHeader.ImageBase; DbgPrint("Kernel ImageBase: 0x%.8X", uImageBase); DbgPrint("Kernel Base: 0x%.8X", uKernelMoule); DbgPrint("Kernel Module Path: %s", szKernelPath); // uSSDTCount = KeServiceDescriptorTable->ulNumberOfServices; uSSDTBase = (ULONG)KeServiceDescriptorTable->pvSSDTBase; DbgPrint("SSDT BaseAddress: 0x%8X, SSDT Count: 0x%X", uSSDTBase, uSSDTCount); lpArraySSDT = ExAllocatePool(PagedPool, uSSDTCount * sizeof(ULONG)); if (lpArraySSDT == NULL) return status; //计算SSDT数组的文件偏移 uSSDTRaw = RVAToRaw(uKernelMoule, uSSDTBase); DbgPrint("SSDT RAW: 0x%.8X", uSSDTRaw); if (uSSDTRaw == 0) { DbgPrint("SSDT RAW Error"); ExFreePool(lpArraySSDT); return status; } RtlInitAnsiString(&aFileName,szKernelPath); status = RtlAnsiStringToUnicodeString(&uFileName, &aFileName, TRUE); if(!NT_SUCCESS(status)) { DbgPrint("RtlAnsiStringToUnicodeString Error"); ExFreePool(lpArraySSDT); return status; } InitializeObjectAttributes(&ObjAttr, &uFileName, OBJ_KERNEL_HANDLE \| OBJ_CASE_INSENSITIVE, NULL, NULL); status = ZwOpenFile(&hFile, FILE_READ_DATA, &ObjAttr, &ioStatus, FILE_SHARE_READ \| FILE_SHARE_WRITE \| FILE_SHARE_DELETE, FILE_SYNCHRONOUS_IO_NONALERT); if (NT_SUCCESS(status) && hFile) { FilePos.CurrentByteOffset.LowPart = uSSDTRaw;//1000;//uSSDTRaw; FilePos.CurrentByteOffset.HighPart = 0; status = ZwSetInformationFile(hFile, &ioStatus, &FilePos, sizeof(FILE_POSITION_INFORMATION), FilePositionInformation); if (NT_SUCCESS(status)) { status = ZwReadFile(hFile, NULL, NULL, NULL, &ioStatus, lpArraySSDT, uSSDTCount * sizeof(ULONG), NULL, NULL); if (NT_SUCCESS(status)) { for (uLoop=0; uLoop<uSSDTCount; uLoop++) { uOldAddress = (lpArraySSDT + uLoop) - uImageBase + uKernelMoule; uNewAddress = ((PULONG)uSSDTBase + uLoop); if (uOldAddress != uNewAddress) { DbgPrint("SSDT No.%X, Old: 0x%.8X, New: 0x%.8X", uLoop, uOldAddress, uNewAddress); /* __asm {//关中断 cli mov eax,cr0 and eax,~0x10000 mov cr0,eax } ((PULONG)uSSDTBase + uLoop) = uOldAddress; //fast_InterlockedExchange((uSSDTBase + uLoop), uOldAddress); __asm {//开中断 mov eax,cr0 or eax,0x10000 mov cr0,eax sti } */ } } DbgPrint("SSDT TheEnd..."); } else DbgPrint("Read File Error!"); } // else // DbgPrint("Set File Pos Error!"); if(hFile) ZwClose(hFile); } else DbgPrint("Open File Error!"); RtlFreeUnicodeString(&uFileName); ExFreePool(lpArraySSDT); return status; } 2008-11-30 10:59 0
fengjl 雪币： 160 活跃值： (272) 能力值： ( LV4，RANK：50 ) 在线值：发帖 16 回帖 112 粉丝 1 关注私信	fengjl 1 3 楼这格式不是很正确吗？ 2008-11-30 11:01 0
爱学习雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 23 粉丝 0 关注私信	爱学习 4 楼怎么没看到程序的主体呢? 我只会点Delphi.要学什么呢. 才能整合上面的代码,让它运行呢? 2008-11-30 11:07 0
fengjl 雪币： 160 活跃值： (272) 能力值： ( LV4，RANK：50 ) 在线值：发帖 16 回帖 112 粉丝 1 关注私信	fengjl 1 5 楼这些是c代码,entrydriver是驱动程序入口,需要ddk,如果是初学者，估计看的困难比较大，还是先从基本入手好 2008-11-30 11:20 0
bruclan 雪币： 229 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 30 粉丝 0 关注私信	bruclan 6 楼建议你先学习驱动程序设计，了解了基本的驱动编写知识和驱动程序结构后就行了，推荐你看看《Windows驱动开发技术详解》，这本书很不错 2008-12-6 19:38 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

爱学习

雪币： 205

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

7

回帖

23

粉丝

0

关注

私信

爱学习: 2 楼

比如这些

#include <ntddk.h>
#include "PE.h"

typedef struct _tagSSDT {
PVOID pvSSDTBase;
PVOID pvServiceCounterTable;
ULONG ulNumberOfServices;
PVOID pvParamTableBase;
} SSDT, *PSSDT;
extern PSSDT KeServiceDescriptorTable;

// 2个结构体
typedef struct _SYSTEM_MODULE
{
ULONG Reserved[2];
ULONG Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG          uCount;
SYSTEM_MODULE_INFORMATION aSM[];
}MODULE_LIST,*PMODULE_LIST;

NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
ULONG       SystemInformationClass,
PVOID       SystemInformation,
ULONG       SystemInformationLength,
PULONG       ReturnLength
);

ULONG GetKernelBaseAddress(char* lpszModule)
{
NTSTATUS nResult;
ULONG ulNeededSize, uLoop, uKernelAddr;
PMODULE_LIST pModuleList;

uKernelAddr = 0;
ZwQuerySystemInformation(11, &ulNeededSize, 0, &ulNeededSize);
pModuleList = ExAllocatePool(NonPagedPool, ulNeededSize);
nResult = ZwQuerySystemInformation(11, pModuleList, ulNeededSize, NULL);

if (NT_SUCCESS(nResult))
{
      //ntoskrnl is always first there
      uKernelAddr = pModuleList->aSM[0].Base;
      strcpy(lpszModule,"\\SystemRoot\\System32\\");
      strcat(lpszModule,pModuleList->aSM[0].ModuleNameOffset+pModuleList->aSM[0].ImageName);
}

ExFreePool(pModuleList);

return uKernelAddr;
}

ULONG RVAToRaw(PVOID lpBase,ULONG VirtualAddress)
{
IMAGE_DOS_HEADER *pDosHeader;
IMAGE_NT_HEADERS *pNtHeader;
IMAGE_SECTION_HEADER *pSectionHeader;
ULONG NumOfSections,uLoop;
pDosHeader=(IMAGE_DOS_HEADER*)lpBase;
if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
      return 0;
pNtHeader=(IMAGE_NT_HEADERS*)((unsigned char*)lpBase+pDosHeader->e_lfanew);
NumOfSections=pNtHeader->FileHeader.NumberOfSections;
pSectionHeader = (IMAGE_SECTION_HEADER*)((ULONG)pNtHeader + sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER) + pNtHeader->FileHeader.SizeOfOptionalHeader);
VirtualAddress -= (ULONG)lpBase;
for (uLoop=0;uLoop<NumOfSections;uLoop++)
{
      pSectionHeader = (IMAGE_SECTION_HEADER*)((ULONG)pSectionHeader + sizeof(IMAGE_SECTION_HEADER) * uLoop);
      if(VirtualAddress>pSectionHeader->VirtualAddress&&VirtualAddress<pSectionHeader->VirtualAddress+pSectionHeader->SizeOfRawData)
      {
         ULONG Offset = VirtualAddress-pSectionHeader->VirtualAddress + pSectionHeader->PointerToRawData;
         return Offset;
      }
}
return 0;
}

//服务停止时执行
void DriverUnload(PDRIVER_OBJECT pDriverObj)
{
DbgPrint("DriverUnload!");
}

//StartService时调用
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
NTSTATUS status=STATUS_SUCCESS;
ULONG uKernelMoule,uImageBase,uSSDTCount,uSSDTBase,uSSDTRaw,uLoop,uOldAddress,uNewAddress;
PULONG lpArraySSDT;
char szKernelPath[256];
ANSI_STRING aFileName;
UNICODE_STRING uFileName;
OBJECT_ATTRIBUTES ObjAttr;
IO_STATUS_BLOCK ioStatus;
FILE_POSITION_INFORMATION FilePos;
HANDLE hFile;

theDriverObject->DriverUnload=DriverUnload;
// get system modules
memset(szKernelPath,0,256);
uKernelMoule = GetKernelBaseAddress(szKernelPath);
uImageBase  = ((IMAGE_NT_HEADERS*)(uKernelMoule + ((IMAGE_DOS_HEADER*)uKernelMoule)->e_lfanew))->OptionalHeader.ImageBase;
DbgPrint("Kernel ImageBase: 0x%.8X", uImageBase);
DbgPrint("Kernel Base: 0x%.8X", uKernelMoule);
DbgPrint("Kernel Module Path: %s", szKernelPath);
//
uSSDTCount = KeServiceDescriptorTable->ulNumberOfServices;
uSSDTBase  = (ULONG)KeServiceDescriptorTable->pvSSDTBase;
DbgPrint("SSDT BaseAddress: 0x%8X, SSDT Count: 0x%X", uSSDTBase, uSSDTCount);
lpArraySSDT = ExAllocatePool(PagedPool, uSSDTCount * sizeof(ULONG));
if (lpArraySSDT == NULL) return status;
//计算SSDT数组的文件偏移
uSSDTRaw = RVAToRaw(uKernelMoule, uSSDTBase);
DbgPrint("SSDT RAW: 0x%.8X", uSSDTRaw);
if (uSSDTRaw == 0)
{
      DbgPrint("SSDT RAW Error");
      ExFreePool(lpArraySSDT);
      return status;
}
RtlInitAnsiString(&aFileName,szKernelPath);
status = RtlAnsiStringToUnicodeString(&uFileName, &aFileName, TRUE);
if(!NT_SUCCESS(status))
{
      DbgPrint("RtlAnsiStringToUnicodeString Error");
      ExFreePool(lpArraySSDT);
      return status;
}

InitializeObjectAttributes(&ObjAttr, &uFileName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwOpenFile(&hFile, FILE_READ_DATA, &ObjAttr, &ioStatus, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_SYNCHRONOUS_IO_NONALERT);
if (NT_SUCCESS(status) && hFile)
{
      FilePos.CurrentByteOffset.LowPart = uSSDTRaw;//1000;//uSSDTRaw;
      FilePos.CurrentByteOffset.HighPart = 0;
      status = ZwSetInformationFile(hFile, &ioStatus, &FilePos, sizeof(FILE_POSITION_INFORMATION), FilePositionInformation);
      if (NT_SUCCESS(status))
      {
         status = ZwReadFile(hFile, NULL, NULL, NULL, &ioStatus, lpArraySSDT, uSSDTCount * sizeof(ULONG), NULL, NULL);
         if (NT_SUCCESS(status))
         {
            for (uLoop=0; uLoop<uSSDTCount; uLoop++)
            {
                  uOldAddress = *(lpArraySSDT + uLoop) - uImageBase + uKernelMoule;
                  uNewAddress = *((PULONG)uSSDTBase + uLoop);
                  if (uOldAddress != uNewAddress)
                  {
                     DbgPrint("SSDT No.%X, Old: 0x%.8X, New: 0x%.8X", uLoop, uOldAddress, uNewAddress);
/*                      __asm
                     {//关中断
                        cli
                        mov eax,cr0
                        and eax,~0x10000
                        mov cr0,eax
                     }
                     *((PULONG)uSSDTBase + uLoop) = uOldAddress;
                     //fast_InterlockedExchange(*(uSSDTBase + uLoop), uOldAddress);
                     __asm
                     {//开中断
                        mov  eax,cr0
                        or  eax,0x10000
                        mov  cr0,eax
                        sti
                     }
*/
                  }
            }
            DbgPrint("SSDT TheEnd...");

         }
         else
            DbgPrint("Read File Error!");
      }
//       else
//          DbgPrint("Set File Pos Error!");
      if(hFile)
         ZwClose(hFile);
}
else
      DbgPrint("Open File Error!");

RtlFreeUnicodeString(&uFileName);

ExFreePool(lpArraySSDT);
return status;
}

2008-11-30 10:59

0