Windows 10 x64: Shadow SSDT 遍历函数名 (enumerating Shadow SSDT function names from a kernel driver)

#include <ntddk.h>    // Ke*/Mm*/Ps*/Rtl* kernel API, DbgPrintEx, DPFLTR_* ids
#include <ntimage.h>  // IMAGE_DOS_HEADER / IMAGE_NT_HEADERS64 / IMAGE_EXPORT_DIRECTORY

 

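// RtlFindExportedRoutineByName is exported by ntoskrnl but not declared in the
// public WDK headers, so it is declared here by hand. It resolves RoutineName
// in ImageBase's export directory and returns the routine's address, or NULL
// when the name is not exported. The name lookup is case-sensitive.
EXTERN_C PVOID NTAPI RtlFindExportedRoutineByName(_In_ PVOID ImageBase, _In_ PCCH RoutineName);

// Base of win32k's shadow service table (the W32pServiceTable export).
// Filled in by EnumShadowSSDT() while stack-attached to a GUI process and read
// by GetShadowSSDTFuncCurAddr(); stays NULL until then, so readers must check
// it before indexing. The table lives in session space, so the pointer is only
// meaningful while attached to a process in that session.
PULONG W32pServiceTable = NULL;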

 

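// Private copy of the undocumented loader entry that PsLoadedModuleList links
// together. This file only reads InLoadOrderModuleList (the link field),
// DllBase and BaseDllName (see GetSystemModuleBase); the remaining members are
// kept so those three sit at the same offsets as in the kernel's entry.
// With x64 sizes (LIST_ENTRY = 16, PVOID = 8, UNICODE_STRING 8-byte aligned)
// this struct places DllBase at 0x30 and BaseDllName at 0x58. Layout is for
// Windows 10 x64 — TODO confirm against the target build before trusting it.
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY     InLoadOrderModuleList;      // linked from PsLoadedModuleList
    LIST_ENTRY     InMemoryOrderModuleList;
    LIST_ENTRY     InInitializationOrderLinks;
    PVOID          DllBase;                    // image base of the module
    PVOID          EntryPoint;
    ULONG          SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;                // e.g. L"win32k.sys"
    ULONG          Flags;
    USHORT         LoadCount;
    USHORT         TlsIndex;
    LIST_ENTRY     HashLinks;
    PVOID          SectionPointer;
    ULONG          CheckSum;
    ULONG          TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;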

 

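// Resolves an ntoskrnl/hal export by name through MmGetSystemRoutineAddress.
// Works for data symbols too (this file uses it for PsLoadedModuleList).
//
// routine_name: NUL-terminated wide name of the export.
// Returns the symbol's address, or NULL when nothing by that name is exported.
PVOID GetSystemRoutineAddress(PCWSTR routine_name) {
    UNICODE_STRING name;
    RtlInitUnicodeString(&name, routine_name);
    return MmGetSystemRoutineAddress(&name);
}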

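// Finds a loaded kernel module by base name (e.g. L"win32k.sys") and returns
// its image base.
//
// Walks PsLoadedModuleList — the kernel's in-load-order ring of loader
// entries — comparing BaseDllName case-insensitively.
//
// module_name: NUL-terminated wide base name of the module.
// Returns the module's DllBase, or NULL if PsLoadedModuleList cannot be
// resolved, module_name is NULL, or no module matches.
//
// Caveats: the list is walked without acquiring PsLoadedModuleResource, so a
// concurrent load/unload can tear the walk; and win32k's entry is only
// resolvable while attached to a GUI (session) process, which is why
// EnumShadowSSDT calls this after KeStackAttachProcess.
PVOID GetSystemModuleBase(LPCWSTR module_name) {
    PLIST_ENTRY module_list = reinterpret_cast<PLIST_ENTRY>(GetSystemRoutineAddress(L"PsLoadedModuleList"));
    if (!module_list || !module_name) {
        return NULL;
    }

    // Build the comparison string once instead of once per entry.
    UNICODE_STRING wanted;
    RtlInitUnicodeString(&wanted, module_name);

    // PsLoadedModuleList is the list HEAD, not an entry: start at Flink and
    // stop when the walk returns to the head. The previous loop started at the
    // head itself (treating it as an entry and reading garbage through
    // CONTAINING_RECORD) and stopped one entry early, so the last module was
    // never examined.
    for (PLIST_ENTRY link = module_list->Flink; link != module_list; link = link->Flink) {
        PLDR_DATA_TABLE_ENTRY entry = CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList);
        if (RtlEqualUnicodeString(&entry->BaseDllName, &wanted, TRUE)) {
            return entry->DllBase;
        }
    }
    return NULL;
}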

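// Decodes entry `id` of win32k's shadow service table into the absolute
// address of the service routine.
//
// On x64 each service-table entry is a 32-bit value: the upper 28 bits are a
// signed offset from the table base and the low 4 bits hold the argument
// count. Shifting right by 4 (arithmetic on MSVC for a signed LONG) recovers
// the offset; adding the table base re-bases it.
//
// id: zero-based index into W32pServiceTable, as read from a __win32kstub_.
// Returns the routine's address, or 0 when W32pServiceTable has not been
// resolved yet. No upper bound is applied because W32pServiceLimit is not
// fetched anywhere in this file — TODO validate `id` against it before
// trusting the result; an out-of-range index reads past the table.
// Must be called while attached to a GUI process (the table is in session
// space).
ULONG64 GetShadowSSDTFuncCurAddr(ULONG id) {
    PULONG service_table = W32pServiceTable;
    if (!service_table) {
        return 0;
    }
    LONG offset = (LONG)service_table[id] >> 4;
    return (ULONG64)((LONGLONG)offset + (ULONGLONG)(ULONG_PTR)service_table);
}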

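// Finds a live process whose image name contains `process_name` (substring,
// case-sensitive match) by walking the ActiveProcessLinks ring starting at the
// System process.
//
// process_name: ASCII substring to look for, e.g. "winlogon.exe".
// process:      receives the matching EPROCESS on STATUS_SUCCESS.
// Returns STATUS_SUCCESS, STATUS_NOT_FOUND when no live match exists, or
// STATUS_INVALID_PARAMETER for NULL arguments.
//
// Caveats the caller must know about:
//  * The EPROCESS offsets below (ImageFileName 0x5A8, ActiveThreads 0x5F0,
//    ActiveProcessLinks 0x448) are hard-coded for one Windows 10 x64 build —
//    TODO confirm against the target build; a wrong offset reads arbitrary
//    memory. PsGetProcessImageFileName() would remove the first dependency.
//  * The returned pointer is NOT referenced (no ObReferenceObject), so it is
//    only valid while the process is otherwise known to stay alive.
//  * The ring is walked without PsActiveProcessLock.
NTSTATUS GetPepPocess(const char* process_name, PEPROCESS* process) {
    if (!process_name || !process) {
        return STATUS_INVALID_PARAMETER;
    }

    const ULONG_PTR image_name_offset    = 0x5A8;  // EPROCESS.ImageFileName
    const ULONG_PTR active_threads_offset = 0x5F0; // EPROCESS.ActiveThreads
    const ULONG_PTR active_links_offset  = 0x448;  // EPROCESS.ActiveProcessLinks

    PEPROCESS sys_process = PsInitialSystemProcess;
    PEPROCESS curr_entry  = sys_process;

    // The local copy is one byte longer than the 15 bytes copied and is always
    // NUL-terminated here, so strstr() is bounded even if the offset above
    // does not match the running build and the copied bytes contain no NUL.
    char image_name[16];
    do {
        RtlCopyMemory(image_name, (PVOID)((ULONG_PTR)curr_entry + image_name_offset), sizeof(image_name) - 1);
        image_name[sizeof(image_name) - 1] = '\0';

        if (strstr(image_name, process_name)) {
            ULONG active_threads = 0;
            RtlCopyMemory(&active_threads, (PVOID)((ULONG_PTR)curr_entry + active_threads_offset), sizeof(active_threads));
            // A process with no threads is already tearing down; skip it so the
            // caller never attaches to a dying address space.
            if (active_threads) {
                *process = curr_entry;
                return STATUS_SUCCESS;
            }
        }

        PLIST_ENTRY links = (PLIST_ENTRY)((ULONG_PTR)curr_entry + active_links_offset);
        curr_entry = (PEPROCESS)((ULONG_PTR)links->Flink - active_links_offset);
    } while (curr_entry != sys_process);

    return STATUS_NOT_FOUND;
}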

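// Walks win32k's export name table and, for every __win32kstub_ export, reads
// the shadow-SSDT index the stub loads into EAX, resolves it through
// W32pServiceTable and prints name / index / address with DbgPrintEx.
//
// win32k_base: image base of win32k.sys, must be non-NULL.
// Requires W32pServiceTable to be set and the caller to be stack-attached to
// a GUI process. Returns silently on a malformed PE or an empty export table.
//
// Assumptions to confirm on the target build: every stub starts with
// `mov eax, imm32` (opcode 0xB8) and imm32 is a plain zero-based index into
// W32pServiceTable. The opcode is checked below; the index range is not,
// because W32pServiceLimit is not fetched in this file.
static void EnumWin32kStubs(PVOID win32k_base) {
    PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)win32k_base;
    if (dos_header->e_magic != IMAGE_DOS_SIGNATURE) {
        return;
    }
    PIMAGE_NT_HEADERS64 nt_headers = (PIMAGE_NT_HEADERS64)((ULONG_PTR)win32k_base + dos_header->e_lfanew);
    if (nt_headers->Signature != IMAGE_NT_SIGNATURE) {
        return;
    }

    const IMAGE_DATA_DIRECTORY& export_dir = nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (!export_dir.VirtualAddress || !export_dir.Size) {
        return;
    }

    PIMAGE_EXPORT_DIRECTORY exports = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)win32k_base + export_dir.VirtualAddress);
    PULONG  name_rvas     = (PULONG)((ULONG_PTR)win32k_base + exports->AddressOfNames);
    PUSHORT ordinals      = (PUSHORT)((ULONG_PTR)win32k_base + exports->AddressOfNameOrdinals);
    PULONG  function_rvas = (PULONG)((ULONG_PTR)win32k_base + exports->AddressOfFunctions);

    // `i < NumberOfNames`, not `i <= NumberOfNames - 1`: the latter underflows
    // to 0xFFFFFFFF for an empty table and walks off the end.
    for (ULONG i = 0; i < exports->NumberOfNames; i++) {
        const char* export_name = (const char*)((ULONG_PTR)win32k_base + name_rvas[i]);
        if (!strstr(export_name, "__win32kstub_")) {
            continue;
        }

        // The name->ordinal table indexes AddressOfFunctions; guard it so a
        // corrupt or unexpected entry cannot read past that array.
        USHORT ordinal = ordinals[i];
        if (ordinal >= exports->NumberOfFunctions) {
            continue;
        }

        PUCHAR stub = (PUCHAR)((ULONG_PTR)win32k_base + function_rvas[ordinal]);
        // The index is taken from the imm32 of `mov eax, imm32`; on any other
        // leading opcode the bytes at +1 are not an index, so skip the entry
        // rather than decode garbage.
        if (stub[0] != 0xB8) {
            continue;
        }
        ULONG service_index = 0;
        RtlCopyMemory(&service_index, stub + 1, sizeof(service_index));

        ULONG64 service_address = GetShadowSSDTFuncCurAddr(service_index);

        // Print from the "Nt" part of the name when present, the whole export
        // name otherwise — strstr() returns NULL on a miss and %s must never
        // receive NULL.
        const char* display_name = strstr(export_name, "Nt");
        if (!display_name) {
            display_name = export_name;
        }
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
                   "[%s] \nindex: %u \naddress: 0x%llx \n", display_name, service_index, service_address);
    }
}

// Enumerates win32k's shadow SSDT and prints every __win32kstub_ export with
// its service index and resolved address.
//
// win32k.sys lives in session space, so the walk runs while stack-attached to
// winlogon.exe (a GUI process). Every exit path after the attach goes through
// KeUnstackDetachProcess, so the calling thread is never left attached — the
// previous version returned early from inside the attach on a missing export
// directory and also attached to a NULL process when winlogon was not found.
//
// Side effect: sets the global W32pServiceTable (NULL if the export is not
// found). Failures are reported through DbgPrintEx only; there is no return
// value.
void EnumShadowSSDT() {
    PEPROCESS winlogon = NULL;
    NTSTATUS status = GetPepPocess("winlogon.exe", &winlogon);
    if (!NT_SUCCESS(status) || !winlogon) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
                   "[%s] winlogon.exe not found (0x%X)\n", __FUNCTION__, status);
        return;
    }

    KAPC_STATE apc_state;
    KeStackAttachProcess(winlogon, &apc_state);

    PVOID win32k_base = GetSystemModuleBase(L"win32k.sys");
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
               "[%s] win32k.sys = %p\n", __FUNCTION__, win32k_base);

    if (win32k_base) {
        // Export names are case-sensitive: the table is exported as
        // "W32pServiceTable".
        W32pServiceTable = (PULONG)RtlFindExportedRoutineByName(win32k_base, "W32pServiceTable");
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
                   "[%s] W32pServiceTable = %p\n", __FUNCTION__, W32pServiceTable);

        if (W32pServiceTable) {
            EnumWin32kStubs(win32k_base);
        }
    }

    KeUnstackDetachProcess(&apc_state);
}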

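// Unload callback registered in DriverEntry. Nothing to tear down: the driver
// registers no devices, callbacks or timers, and EnumShadowSSDT runs to
// completion (and detaches) before DriverEntry returns.
//
// drv_obj: the driver object being unloaded (unused).
void DriverUnload(PDRIVER_OBJECT drv_obj [[maybe_unused]]) {
}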

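// Driver entry point: registers DriverUnload and then performs the one-shot
// shadow-SSDT enumeration. The unload routine is installed before any work is
// done so the driver is unloadable whatever the enumeration prints.
//
// drv_obj:  the driver object; its DriverUnload is set here.
// reg_path: registry path for the driver's service key (unused).
// Always returns STATUS_SUCCESS — EnumShadowSSDT reports its own failures via
// DbgPrintEx and has no status to propagate.
EXTERN_C NTSTATUS DriverEntry(PDRIVER_OBJECT drv_obj, PUNICODE_STRING reg_path [[maybe_unused]]) {
    drv_obj->DriverUnload = DriverUnload;
    EnumShadowSSDT();
    return STATUS_SUCCESS;
}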

原文链接:https://bbs.kanxue.com/thread-273038.htm
