发表于 2012-3-25 20:42:25
怎么知道 KeAttachProcess 里面有 KiAttachProcess？是因为在 WinDbg 里面使用了这么一句命令：
uf KeAttachProcess
然后慢慢看，就发现了 KiAttachProcess。
另外，这么声明 KeAttachProcess，你就能使用了：
NTKERNELAPI
VOID
KeAttachProcess (
    IN PEPROCESS Process
    );
对于这个 DbgkpSetProcessDebugObject：
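找到一个人家写的。根据特征码查找。
/*
 * GetFunctionAddress - scan every loaded kernel module for a 16-byte signature.
 *
 * The signature is four consecutive 32-bit words: FirstFeature at offset 0,
 * SecondFeature at +4, ThirdFeature at +8, FourthFeature at +12. The module
 * list is taken from ZwQuerySystemInformation(SystemModuleInformation).
 *
 * Returns the address of the LAST match found (the loop does not break on a
 * hit), or 0 when no module contains the signature or the module list could
 * not be obtained. The earlier version of this routine returned an NTSTATUS
 * on some failure paths even though its return type is an address; every
 * failure path now returns 0 so a caller cannot mistake an error code for a
 * code address.
 *
 * Caveats a reviewer should keep in mind:
 *  - Addresses are held in ULONG, so this is 32-bit-only as written.
 *  - The scan dereferences module pages directly. The MmIsAddressValid check
 *    below only covers the pool buffer, not the pages being scanned; a
 *    non-resident page in a scanned module will fault. A per-page
 *    MmIsAddressValid test before each read is still needed for robustness.
 *  - A raw byte-signature match is fragile across kernel builds; the caller
 *    should validate whatever this returns before relying on it.
 */
ULONG GetFunctionAddress
(
    IN ULONG FirstFeature,
    IN ULONG SecondFeature,
    IN ULONG ThirdFeature,
    IN ULONG FourthFeature
)
{
    NTSTATUS NtStatus;
    ULONG SystemInformationLength = 0;
    ULONG Index;
    ULONG Loop;
    ULONG ModuleBegin;
    ULONG ModuleFinish;
    ULONG ModuleSize;
    PULONG SystemInformationBuffer = NULL;
    PSYSTEM_MODULE_INFORMATION SystemModulePointer = NULL;
    ULONG Value = 0;
    /* Four ULONG compares read 16 bytes starting at Loop. */
    const ULONG SignatureLength = 4 * sizeof(ULONG);

    /* First call only reports the required buffer size. */
    ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &SystemInformationLength);
    if (SystemInformationLength == 0)
    {
        return 0;
    }
    SystemInformationBuffer = ExAllocatePool(PagedPool, SystemInformationLength);
    if (SystemInformationBuffer == NULL)
    {
        return 0;
    }
    NtStatus = ZwQuerySystemInformation
    (
        SystemModuleInformation,
        SystemInformationBuffer,
        SystemInformationLength,
        NULL
    );
    /* Fails (STATUS_INFO_LENGTH_MISMATCH) if a module loaded between the two calls. */
    if (!NT_SUCCESS(NtStatus))
    {
        ExFreePool(SystemInformationBuffer);
        return 0;
    }
    if (!MmIsAddressValid(SystemInformationBuffer))
    {
        ExFreePool(SystemInformationBuffer);
        return 0;
    }
    /* Buffer layout: a ULONG entry count, then the module entries. */
    SystemModulePointer = (PSYSTEM_MODULE_INFORMATION)(SystemInformationBuffer + 1);
    for (Index = 0; Index < *(ULONG *)SystemInformationBuffer; Index++)
    {
        ModuleBegin = (ULONG)SystemModulePointer[Index].Base;
        ModuleSize = SystemModulePointer[Index].Size;
        ModuleFinish = ModuleBegin + ModuleSize;
        /* Skip modules too small to hold the signature, or whose range wrapped. */
        if (ModuleSize < SignatureLength || ModuleFinish < ModuleBegin)
        {
            continue;
        }
        /* Stop SignatureLength bytes before the end so the fourth word stays inside the module. */
        for (Loop = ModuleBegin; Loop <= ModuleFinish - SignatureLength; Loop++)
        {
            if
            (
                *(ULONG *)(Loop + 0) == FirstFeature &&
                *(ULONG *)(Loop + 4) == SecondFeature &&
                *(ULONG *)(Loop + 8) == ThirdFeature &&
                *(ULONG *)(Loop + 12) == FourthFeature
            )
            {
                Value = Loop;   /* no break: the last match wins, as before */
            }
        }
    }
    ExFreePool(SystemInformationBuffer);
    return Value;
}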