怎么搜不到呢?
xp _sp2
windbg查看结果
kd> u swapcontext
nt!SwapContext:
80541ab0 0ac9 or cl,cl
80541ab2 26c6462d02 mov byte ptr es:[esi+2Dh],2
80541ab7 9c pushfd
80541ab8 8b0b mov ecx,dword ptr [ebx]
80541aba 83bb9409000000 cmp dword ptr [ebx+994h],0
80541ac1 51 push ecx
80541ac2 0f8535010000 jne nt!SwapContext+0x14d (80541bfd)
80541ac8 833d0cb0558000 cmp dword ptr [nt!PPerfGlobalGroupMask (8055b00c)],0
搜索代码:
/* Caller snippet. With Flag == OTHER_MODULE the routine compares "ntkrnlpa.exe"
   case-insensitively against the names in the loaded-module list; if the kernel
   image that is actually loaded carries a different file name, the lookup finds
   no entry and the routine cannot resolve a base address. */
OldSwapContext = GetSwapContextAddr("ntkrnlpa.exe", OTHER_MODULE);
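PCHAR
GetSwapContextAddr(PCHAR pModuleName , ULONG Flag) //Flag:SYS_MODULE ,OTHER_MODULE
{
    /*
     * Locate SwapContext inside a loaded kernel image by scanning for a
     * fixed 16-byte signature.
     *
     * pModuleName : image name compared case-insensitively against the
     *               loaded-module list; only used when Flag == OTHER_MODULE.
     * Flag        : SYS_MODULE   -> take the first entry of the module list,
     *               OTHER_MODULE -> look pModuleName up in the list.
     * Returns the address of the first match, or 0 when the module list
     * cannot be queried, the module is not found, Flag is unknown, or no
     * match lies inside the scan window.
     *
     * Addresses are carried in ULONG, so this only works for 32-bit kernels.
     * The scan dereferences raw kernel addresses; pages that are not resident
     * are skipped instead of touched, so a miss returns 0 rather than
     * bug-checking.
     */
    NTSTATUS Status;
    ULONG size = 0, Index;
    PULONG buffer;
    ULONG DriverAddress = 0;   /* image base; stays 0 until a module is resolved */
    ULONG Found = 0;           /* scan result; 0 means "no match" */
    PSYSTEM_MODULE_INFORMATION pModuleInfo;
    SYSTEM_MODULE pModule;
    ULONG CurAddr, i;
    //SwapContext特征码 -- these four dwords were taken from one particular
    //xpsp2 kernel build; a different build (or a different kernel image file)
    //will simply not match, and the routine returns 0.
    ULONG code1_xpsp2=0xc626c90a, code2_xpsp2=0x9c022d46, code3_xpsp2=0x05408b8d,code4_xpsp2=0xdde80000;

    dprintf("进入 GetSwapContextAddr 例程\n");

    /* First call only measures the buffer; its status is expected to be a
       length-mismatch failure, so only the returned size is trusted. */
    Status = ZwQuerySystemInformation(SystemModuleInformation,&size,0,&size);
    if(size == 0)
    {
        dprintf("ZwQueryInformation 调用失败!Status : %x \n",Status);
        return 0;
    }
    if(NULL == (buffer = (PULONG)ExAllocatePool(PagedPool,size)))
    {
        dprintf("ExAlloctePool 失败!status :%x\n",Status);
        return 0;
    }
    Status = ZwQuerySystemInformation(SystemModuleInformation,buffer,size,0);
    if(!NT_SUCCESS(Status))
    {
        dprintf("ZwQueryInformation 调用失败!Status : %x \n",Status);
        ExFreePool(buffer);
        return 0;
    }
    pModuleInfo = (SYSTEM_MODULE_INFORMATION *)buffer;

    if(Flag == SYS_MODULE)
    {
        /* Modules[0] is only meaningful when the list is non-empty. */
        if(pModuleInfo->ModulesCount > 0)
        {
            pModule = pModuleInfo->Modules[0];
            DriverAddress = (ULONG)pModule.ImageBaseAddress;
            dprintf("获得系统驱动基址 : %x \n",DriverAddress);
        }
    }
    else if(Flag == OTHER_MODULE)
    {
        for(Index= 0; Index < pModuleInfo->ModulesCount; Index++)
        {
            if(_stricmp(pModuleInfo->Modules[Index].Name +pModuleInfo->Modules[Index].NameOffset, pModuleName) == 0)
            {
                DriverAddress = (ULONG)pModuleInfo->Modules[Index].ImageBaseAddress;
                dprintf("获得 %s 基址 : %x \n", pModuleName, DriverAddress);
                break;
            }
        }
    }

    /* The module list is not needed once the base is known; releasing it
       here fixes a pool leak on every call of the original routine. */
    ExFreePool(buffer);
    buffer = NULL;

    /* Only scan when a base address was actually resolved; previously an
       unknown Flag or a missing module left DriverAddress uninitialized. */
    CurAddr = DriverAddress;
    if(CurAddr != 0)
    {
        /* Scan window is fixed at 0x2000 bytes from the image base. */
        for(i = CurAddr; i <= CurAddr + 0x2000; i++)
        {
            /* The 16-byte compare may straddle a page boundary; skip any
               position whose first or last byte is not resident. */
            if(!MmIsAddressValid((PVOID)i) || !MmIsAddressValid((PVOID)(i + 15)))
            {
                continue;
            }
            if(*((ULONG *)i) == code1_xpsp2 &&
               *((ULONG *)(i+4)) == code2_xpsp2 &&
               *((ULONG *)(i+8)) == code3_xpsp2 &&
               *((ULONG *)(i+12)) == code4_xpsp2)
            {
                Found = i;
                break;
            }
        }
    }

    dprintf("获得 SwapContext 基址 : %x\n",Found);
    dprintf("退出 GetSwapContextAddr 例程\n");
    return (PCHAR)Found;
}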
这样搜,搜不到啊?
为什么?