如何列出win32k.sys模塊的所有功能？

Krueger

我正在嘗試列出模塊win32k.sys (C:\Windows \ System32 \ win32k.sys) 的所有功能，但只返回了某些功能。

例如，如果您繼續使用PC Hunter ARK：Ring0掛鉤> Shadow SSDT可以看到至少列出了825個條目 (Windows 7 32bit) 。



雖然下面的代碼在執行時僅返回253個條目。

我如何獲得PC Hunter的相同結果？ 我看了看模塊的出口表，對嗎？ 還是大多數是導入函數（導入表）？

1. #include <ntddk.h>
   
2. #include <windef.h>
   
3. #include <ntimage.h>
   
4. 
   
5. DWORD GetDllFunctionAddress(char* lpFunctionName, PUNICODE_STRING pDllName)
   
6. {
   
7. #define SEC_IMAGE 0x1000000
   
8.     HANDLE hThread, hSection, hFile, hMod;
   
9.     SECTION_IMAGE_INFORMATION sii;
   
10.     IMAGE_DOS_HEADER* dosheader;
    
11.     IMAGE_OPTIONAL_HEADER* opthdr;
    
12.     IMAGE_EXPORT_DIRECTORY* pExportTable;
    
13.     DWORD* arrayOfFunctionAddresses;
    
14.     DWORD* arrayOfFunctionNames;
    
15.     WORD* arrayOfFunctionOrdinals;
    
16.     DWORD functionOrdinal;
    
17.     DWORD Base, x, functionAddress;
    
18.     char* functionName;
    
19.     STRING ntFunctionName, ntFunctionNameSearch;
    
20.     PVOID BaseAddress = NULL;
    
21.     SIZE_T size = 0;
    
22. 
    
23.     OBJECT_ATTRIBUTES oa = { sizeof oa, 0, pDllName, OBJ_CASE_INSENSITIVE };
    
24. 
    
25.     IO_STATUS_BLOCK iosb;
    
26. 
    
27.     ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
    
28. 
    
29.     oa.ObjectName = 0;
    
30. 
    
31.     ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &oa, 0, PAGE_EXECUTE, SEC_IMAGE, hFile);
    
32. 
    
33.     ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 1000, 0, &size, (SECTION_INHERIT)1, MEM_TOP_DOWN, PAGE_READWRITE);
    
34. 
    
35.     ZwClose(hFile);
    
36. 
    
37.     hMod = BaseAddress;
    
38. 
    
39.     dosheader = (IMAGE_DOS_HEADER *)hMod;
    
40. 
    
41.     opthdr = (IMAGE_OPTIONAL_HEADER *)((BYTE*)hMod + dosheader->e_lfanew + 24);
    
42. 
    
43.     pExportTable = (IMAGE_EXPORT_DIRECTORY*)((BYTE*)hMod + opthdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
    
44. 
    
45.     arrayOfFunctionAddresses = (DWORD*)((BYTE*)hMod + pExportTable->AddressOfFunctions);
    
46. 
    
47.     arrayOfFunctionNames = (DWORD*)((BYTE*)hMod + pExportTable->AddressOfNames);
    
48. 
    
49.     arrayOfFunctionOrdinals = (WORD*)((BYTE*)hMod + pExportTable->AddressOfNameOrdinals);
    
50. 
    
51.     Base = pExportTable->Base;
    
52. 
    
53.     RtlInitString(&ntFunctionNameSearch, lpFunctionName);
    
54. 
    
55.     DbgPrint("NumberOfEntries: %d", pExportTable->NumberOfFunctions);
    
56. 
    
57.     for (x = 0; x < pExportTable->NumberOfFunctions; x++)
    
58.     {
    
59.         functionName = (char*)((BYTE*)hMod + arrayOfFunctionNames[x]);
    
60. 
    
61.         DbgPrint("FuncName: %s\n", functionName);
    
62. 
    
63.         RtlInitString(&ntFunctionName, functionName);
    
64. 
    
65.         functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1;
    
66. 
    
67.         functionAddress = (DWORD)((BYTE*)hMod + arrayOfFunctionAddresses[functionOrdinal]);
    
68.         if (RtlCompareString(&ntFunctionName, &ntFunctionNameSearch, TRUE) == 0)
    
69.         {
    
70.             ZwClose(hSection);
    
71.             return functionAddress;
    
72.         }
    
73.     }
    
74. 
    
75.     ZwClose(hSection);
    
76.     return 0;
    
77. }
    
78. 
    
79. //---------------------- DriverEntry() -------------------------
    
80. 
    
81. UNICODE_STRING dllName;
    
82. RtlInitUnicodeString(&dllName, L"\\Device\\HarddiskVolume1\\Windows\\System32\\win32k.sys");
    
83. GetDllFunctionAddress(ANSI_NULL, &dllName);

复制代码

輸出量:

1.        
   
2. NumberOfEntries: 253       
   
3. FuncName: BRUSHOBJ_hGetColorTransform        
   
4. FuncName: BRUSHOBJ_pvAllocRbrush        
   
5. FuncName: BRUSHOBJ_pvGetRbrush        
   
6. FuncName: BRUSHOBJ_ulGetBrushColor        
   
7. FuncName: CLIPOBJ_GetRgn        
   
8. FuncName: CLIPOBJ_bEnum        
   
9. FuncName: CLIPOBJ_cEnumStart        
   
10. FuncName: CLIPOBJ_ppoGetPath        
    
11. FuncName: EngAcquireFastMutex        
    
12. FuncName: EngAcquireSemaphore        
    
13. FuncName: EngAcquireSemaphoreNoWait        
    
14. FuncName: EngAcquireSemaphoreShared        
    
15. FuncName: EngAcquireSemaphoreSharedNoWait        
    
16. FuncName: EngAllocMem        
    
17. FuncName: EngAllocPrivateUserMem        
    
18. FuncName: EngAllocSectionMem        
    
19. FuncName: EngAllocUserMem        
    
20. FuncName: EngAlphaBlend        
    
21. FuncName: EngAssociateSurface        
    
22. FuncName: EngBitBlt        
    
23. FuncName: EngBugCheckEx        
    
24. FuncName: EngCTGetCurrentGamma        
    
25. FuncName: EngCTGetGammaTable        
    
26. FuncName: EngCheckAbort        
    
27. FuncName: EngClearEvent        
    
28. FuncName: EngCombineRgn        
    
29. FuncName: EngComputeGlyphSet        
    
30. FuncName: EngControlSprites        
    
31. FuncName: EngCopyBits        
    
32. FuncName: EngCopyRgn        
    
33. FuncName: EngCreateBitmap        
    
34. FuncName: EngCreateClip        
    
35. FuncName: EngCreateDeviceBitmap        
    
36. FuncName: EngCreateDeviceSurface        
    
37. FuncName: EngCreateDriverObj        
    
38. FuncName: EngCreateEvent        
    
39. FuncName: EngCreateFastMutex        
    
40. FuncName: EngCreatePalette        
    
41. FuncName: EngCreatePath        
    
42. FuncName: EngCreateRectRgn        
    
43. FuncName: EngCreateRedirectionDeviceBitmap        
    
44. FuncName: EngCreateSemaphore        
    
45. FuncName: EngCreateWnd        
    
46. FuncName: EngDebugBreak        
    
47. FuncName: EngDebugPrint        
    
48. FuncName: EngDeleteClip        
    
49. FuncName: EngDeleteDriverObj        
    
50. FuncName: EngDeleteEvent        
    
51. FuncName: EngDeleteFastMutex        
    
52. FuncName: EngDeleteFile        
    
53. FuncName: EngDeletePalette        
    
54. FuncName: EngDeletePath        
    
55. FuncName: EngDeleteRgn        
    
56. FuncName: EngDeleteSafeSemaphore        
    
57. FuncName: EngDeleteSemaphore        
    
58. FuncName: EngDeleteSurface        
    
59. FuncName: EngDeleteWnd        
    
60. FuncName: EngDeviceIoControl        
    
61. FuncName: EngDitherColor        
    
62. FuncName: EngDxIoctl        
    
63. FuncName: EngEnumForms        
    
64. FuncName: EngEqualRgn        
    
65. FuncName: EngEraseSurface        
    
66. FuncName: EngFileIoControl        
    
67. FuncName: EngFileWrite        
    
68. FuncName: EngFillPath        
    
69. FuncName: EngFindImageProcAddress        
    
70. FuncName: EngFindResource        
    
71. FuncName: EngFntCacheAlloc        
    
72. FuncName: EngFntCacheFault        
    
73. FuncName: EngFntCacheLookUp        
    
74. FuncName: EngFreeMem        
    
75. FuncName: EngFreeModule        
    
76. FuncName: EngFreePrivateUserMem        
    
77. FuncName: EngFreeSectionMem        
    
78. FuncName: EngFreeUserMem        
    
79. FuncName: EngGetCurrentCodePage        
    
80. FuncName: EngGetCurrentProcessId        
    
81. FuncName: EngGetCurrentThreadId        
    
82. FuncName: EngGetDriverName        
    
83. FuncName: EngGetFileChangeTime        
    
84. FuncName: EngGetFilePath        
    
85. FuncName: EngGetForm        
    
86. FuncName: EngGetLastError        
    
87. FuncName: EngGetPrinter        
    
88. FuncName: EngGetPrinterData        
    
89. FuncName: EngGetPrinterDataFileName        
    
90. FuncName: EngGetPrinterDriver        
    
91. FuncName: EngGetProcessHandle        
    
92. FuncName: EngGetRgnBox        
    
93. FuncName: EngGetRgnData        
    
94. FuncName: EngGetTickCount        
    
95. FuncName: EngGetType1FontList        
    
96. FuncName: EngGradientFill        
    
97. FuncName: EngHangNotification        
    
98. FuncName: EngInitializeSafeSemaphore        
    
99. FuncName: EngIntersectRgn        
    
100. FuncName: EngIsSemaphoreOwned        
     
101. FuncName: EngIsSemaphoreOwnedByCurrentThread        
     
102. FuncName: EngIsSemaphoreSharedByCurrentThread        
     
103. FuncName: EngLineTo        
     
104. FuncName: EngLoadImage        
     
105. FuncName: EngLoadModule        
     
106. FuncName: EngLoadModuleForWrite        
     
107. FuncName: EngLockDirectDrawSurface        
     
108. FuncName: EngLockDriverObj        
     
109. FuncName: EngLockSurface        
     
110. FuncName: EngLpkInstalled        
     
111. FuncName: EngMapEvent        
     
112. FuncName: EngMapFile        
     
113. FuncName: EngMapFontFile        
     
114. FuncName: EngMapFontFileFD        
     
115. FuncName: EngMapModule        
     
116. FuncName: EngMapSection        
     
117. FuncName: EngMarkBandingSurface        
     
118. FuncName: EngModifySurface        
     
119. FuncName: EngMovePointer        
     
120. FuncName: EngMulDiv        
     
121. FuncName: EngMultiByteToUnicodeN        
     
122. FuncName: EngMultiByteToWideChar        
     
123. FuncName: EngNineGrid        
     
124. FuncName: EngOffsetRgn        
     
125. FuncName: EngPaint        
     
126. FuncName: EngPlgBlt        
     
127. FuncName: EngProbeForRead        
     
128. FuncName: EngProbeForReadAndWrite        
     
129. FuncName: EngQueryDeviceAttribute        
     
130. FuncName: EngQueryLocalTime        
     
131. FuncName: EngQueryPalette        
     
132. FuncName: EngQueryPerformanceCounter        
     
133. FuncName: EngQueryPerformanceFrequency        
     
134. FuncName: EngQuerySystemAttribute        
     
135. FuncName: EngQueryW32kCddInterface        
     
136. FuncName: EngReadStateEvent        
     
137. FuncName: EngRectInRgn        
     
138. FuncName: EngReleaseFastMutex        
     
139. FuncName: EngReleaseSemaphore        
     
140. FuncName: EngRestoreFloatingPointState        
     
141. FuncName: EngSaveFloatingPointState        
     
142. FuncName: EngSecureMem        
     
143. FuncName: EngSetEvent        
     
144. FuncName: EngSetLastError        
     
145. FuncName: EngSetPointerShape        
     
146. FuncName: EngSetPointerTag        
     
147. FuncName: EngSetPrinterData        
     
148. FuncName: EngSetRectRgn        
     
149. FuncName: EngSort        
     
150. FuncName: EngStretchBlt        
     
151. FuncName: EngStretchBltROP        
     
152. FuncName: EngStrokeAndFillPath        
     
153. FuncName: EngStrokePath        
     
154. FuncName: EngSubtractRgn        
     
155. FuncName: EngTextOut        
     
156. FuncName: EngTransparentBlt        
     
157. FuncName: EngUnicodeToMultiByteN        
     
158. FuncName: EngUnionRgn        
     
159. FuncName: EngUnloadImage        
     
160. FuncName: EngUnlockDirectDrawSurface        
     
161. FuncName: EngUnlockDriverObj        
     
162. FuncName: EngUnlockSurface        
     
163. FuncName: EngUnmapEvent        
     
164. FuncName: EngUnmapFile        
     
165. FuncName: EngUnmapFontFile        
     
166. FuncName: EngUnmapFontFileFD        
     
167. FuncName: EngUnsecureMem        
     
168. FuncName: EngUpdateDeviceSurface        
     
169. FuncName: EngWaitForSingleObject        
     
170. FuncName: EngWideCharToMultiByte        
     
171. FuncName: EngWritePrinter        
     
172. FuncName: EngXorRgn        
     
173. FuncName: FLOATOBJ_Add        
     
174. FuncName: FLOATOBJ_AddFloat        
     
175. FuncName: FLOATOBJ_AddFloatObj        
     
176. FuncName: FLOATOBJ_AddLong        
     
177. FuncName: FLOATOBJ_Div        
     
178. FuncName: FLOATOBJ_DivFloat        
     
179. FuncName: FLOATOBJ_DivFloatObj        
     
180. FuncName: FLOATOBJ_DivLong        
     
181. FuncName: FLOATOBJ_Equal        
     
182. FuncName: FLOATOBJ_EqualLong        
     
183. FuncName: FLOATOBJ_GetFloat        
     
184. FuncName: FLOATOBJ_GetLong        
     
185. FuncName: FLOATOBJ_GreaterThan        
     
186. FuncName: FLOATOBJ_GreaterThanLong        
     
187. FuncName: FLOATOBJ_LessThan        
     
188. FuncName: FLOATOBJ_LessThanLong        
     
189. FuncName: FLOATOBJ_Mul        
     
190. FuncName: FLOATOBJ_MulFloat        
     
191. FuncName: FLOATOBJ_MulFloatObj        
     
192. FuncName: FLOATOBJ_MulLong        
     
193. FuncName: FLOATOBJ_Neg        
     
194. FuncName: FLOATOBJ_SetFloat        
     
195. FuncName: FLOATOBJ_SetLong        
     
196. FuncName: FLOATOBJ_Sub        
     
197. FuncName: FLOATOBJ_SubFloat        
     
198. FuncName: FLOATOBJ_SubFloatObj        
     
199. FuncName: FLOATOBJ_SubLong        
     
200. FuncName: FONTOBJ_cGetAllGlyphHandles        
     
201. FuncName: FONTOBJ_cGetGlyphs        
     
202. FuncName: FONTOBJ_pQueryGlyphAttrs        
     
203. FuncName: FONTOBJ_pfdg        
     
204. FuncName: FONTOBJ_pifi        
     
205. FuncName: FONTOBJ_pjOpenTypeTablePointer        
     
206. FuncName: FONTOBJ_pvTrueTypeFontFile        
     
207. FuncName: FONTOBJ_pwszFontFilePaths        
     
208. FuncName: FONTOBJ_pxoGetXform        
     
209. FuncName: FONTOBJ_vGetInfo        
     
210. FuncName: HT_ComputeRGBGammaTable        
     
211. FuncName: HT_Get8BPPFormatPalette        
     
212. FuncName: HT_Get8BPPMaskPalette        
     
213. FuncName: HeapVidMemAllocAligned        
     
214. FuncName: PALOBJ_cGetColors        
     
215. FuncName: PATHOBJ_bCloseFigure        
     
216. FuncName: PATHOBJ_bEnum        
     
217. FuncName: PATHOBJ_bEnumClipLines        
     
218. FuncName: PATHOBJ_bMoveTo        
     
219. FuncName: PATHOBJ_bPolyBezierTo        
     
220. FuncName: PATHOBJ_bPolyLineTo        
     
221. FuncName: PATHOBJ_vEnumStart        
     
222. FuncName: PATHOBJ_vEnumStartClipLines        
     
223. FuncName: PATHOBJ_vGetBounds        
     
224. FuncName: RtlAnsiCharToUnicodeChar        
     
225. FuncName: RtlMultiByteToUnicodeN        
     
226. FuncName: RtlRaiseException        
     
227. FuncName: RtlUnicodeToMultiByteN        
     
228. FuncName: RtlUnicodeToMultiByteSize        
     
229. FuncName: RtlUnwind        
     
230. FuncName: RtlUpcaseUnicodeChar        
     
231. FuncName: RtlUpcaseUnicodeToMultiByteN        
     
232. FuncName: STROBJ_bEnum        
     
233. FuncName: STROBJ_bEnumPositionsOnly        
     
234. FuncName: STROBJ_bGetAdvanceWidths        
     
235. FuncName: STROBJ_dwGetCodePage        
     
236. FuncName: STROBJ_fxBreakExtra        
     
237. FuncName: STROBJ_fxCharacterExtra        
     
238. FuncName: STROBJ_vEnumStart        
     
239. FuncName: VidMemFree        
     
240. FuncName: WNDOBJ_bEnum        
     
241. FuncName: WNDOBJ_cEnumStart        
     
242. FuncName: WNDOBJ_vSetConsumer        
     
243. FuncName: XFORMOBJ_bApplyXform        
     
244. FuncName: XFORMOBJ_iGetFloatObjXform        
     
245. FuncName: XFORMOBJ_iGetXform        
     
246. FuncName: XLATEOBJ_cGetPalette        
     
247. FuncName: XLATEOBJ_hGetColorTransform        
     
248. FuncName: XLATEOBJ_iXlate        
     
249. FuncName: XLATEOBJ_piVector        
     
250. FuncName: _abnormal_termination        
     
251. FuncName: _except_handler2        
     
252. FuncName: _global_unwind2        
     
253. FuncName: _itoa        
     
254. FuncName: _itow        
     
255. FuncName: _local_unwind2        
     
256. FuncName: èâ’[        
     

复制代码

參考代碼 > https://www.geek-share.com/detail/2388547280.html

Krueger

我認為PC Hunter列出的功能來自user32.dll和gdi32.dll，而不是來自win32k.sys。:D

Tesla.Angela

SSSDT不等同于WIN32K导出表。

tangptr@126.com

Krueger 发表于 2020-8-3 03:43
我認為PC Hunter列出的功能來自user32.dll和gdi32.dll，而不是來自win32k.sys。:D

PCH里的SSSDT那些名字应该是硬编码出来的。（函数名是提前列好的）
你可以自己过一遍W32pServiceTable的指针，按指针搜索win32k.pdb文件里的函数名。

Krueger

tangptr@126.com 发表于 2020-8-6 09:18
PCH里的SSSDT那些名字应该是硬编码出来的。（函数名是提前列好的）
你可以自己过一遍W32pServiceTable的 ...

謝謝師父 解決了

用symbol来获得ShadowSSDT的原始地址和函数名 > https://blog.csdn.net/whatday/article/details/9959077

獲取SSDT,SSSDT原始函數地址 -  开发者知识库 > https://www.itdaan.com/tw/192e1e7d0834cc2e420106b525d80aee