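' Heuristically locates the target of a near call inside PsTerminateSystemThread.
'
' Scans the first 260 bytes of the routine for the byte pair 50 E8
' (on x86: "push eax" immediately followed by "call rel32") and hands the call
' site plus its four operand bytes to GetTargetAddress.
'
' Returns: whatever GetTargetAddress yields for the first match, or 0 when the
'          routine address cannot be resolved or no match is found.
'
' Caveats for anyone relying on the result:
'   * This is a raw byte match, not a disassembly. 50 E8 can also occur inside
'     another instruction's operand bytes, and the layout of the routine differs
'     between kernel builds, so the first match is not guaranteed to be the
'     intended call.
'   * Addresses are held in 32-bit Long values, so the scan only fits a 32-bit
'     address space.
'   * The caller should verify that the returned address lies inside the kernel
'     image before using it; a wrong kernel address typically ends in a bugcheck.
'   * GetSystemRoutineAddress, GetByte and GetTargetAddress are defined elsewhere;
'     GetTargetAddress presumably resolves the rel32 displacement to an absolute
'     address - confirm against its definition.
Public Function FindPspTerminateThreadByPointer() As Long
    On Error Resume Next
    Dim i As Long
    Dim ubRt As Byte, ubLastAddr As Byte, b1 As Byte, b2 As Byte, b3 As Byte, b4 As Byte
    Dim AddressOfPsTerminateSystemThread As Long

    AddressOfPsTerminateSystemThread = GetSystemRoutineAddress("PsTerminateSystemThread")

    ' Resolution failed (or raised and was swallowed by On Error Resume Next):
    ' do not scan from address 0, just report "not found".
    If AddressOfPsTerminateSystemThread = 0 Then Exit Function

    ' Start at offset 1 so the preceding-byte check never reads in front of the
    ' routine's entry point.
    For i = 1 To 259
        ' Reset first so a failed read cannot leave a stale value from the
        ' previous iteration in place.
        ubRt = 0
        Call GetByte(AddressOfPsTerminateSystemThread + i, ubRt)
        If ubRt = &HE8 Then
            ubLastAddr = 0
            Call GetByte(AddressOfPsTerminateSystemThread + i - 1, ubLastAddr)
            If ubLastAddr = &H50 Then
                ' The four bytes after the E8 opcode are the call's operand.
                Call GetByte(AddressOfPsTerminateSystemThread + i + 1, b1)
                Call GetByte(AddressOfPsTerminateSystemThread + i + 2, b2)
                Call GetByte(AddressOfPsTerminateSystemThread + i + 3, b3)
                Call GetByte(AddressOfPsTerminateSystemThread + i + 4, b4)
                FindPspTerminateThreadByPointer = GetTargetAddress(AddressOfPsTerminateSystemThread + i, b1, b2, b3, b4)
                Exit Function
            End If
        End If
    Next
    ' No match: the function result keeps its default value of 0.
End Function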
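' Heuristically locates the target of a near call inside KeInsertQueueApc.
'
' Scans the first 260 bytes of the routine for the byte pair 28 E8: an E8
' opcode (x86 "call rel32") whose preceding byte is 0x28. The call site and its
' four operand bytes are then handed to GetTargetAddress.
'
' Returns: whatever GetTargetAddress yields for the first match, or 0 when the
'          routine address cannot be resolved or no match is found.
'
' Caveats for anyone relying on the result:
'   * This is a raw byte match, not a disassembly. 0x28 is presumably the last
'     byte of the instruction in front of the call on the build the author
'     examined - confirm per build; the pair can also occur inside other
'     instructions' operand bytes.
'   * Addresses are held in 32-bit Long values, so the scan only fits a 32-bit
'     address space.
'   * The caller should verify that the returned address lies inside the kernel
'     image before using it; a wrong kernel address typically ends in a bugcheck.
'   * GetSystemRoutineAddress, GetByte and GetTargetAddress are defined elsewhere;
'     GetTargetAddress presumably resolves the rel32 displacement to an absolute
'     address - confirm against its definition.
Public Function FindKiInsertQueueApc() As Long '28 e8
    On Error Resume Next
    Dim i As Long
    Dim ubRt As Byte, ubLastAddr As Byte, b1 As Byte, b2 As Byte, b3 As Byte, b4 As Byte
    Dim AddressOfKeInsertQueueApc As Long

    AddressOfKeInsertQueueApc = GetSystemRoutineAddress("KeInsertQueueApc")

    ' Resolution failed (or raised and was swallowed by On Error Resume Next):
    ' do not scan from address 0, just report "not found".
    If AddressOfKeInsertQueueApc = 0 Then Exit Function

    ' Start at offset 1 so the preceding-byte check never reads in front of the
    ' routine's entry point.
    For i = 1 To 259
        ' Reset first so a failed read cannot leave a stale value from the
        ' previous iteration in place.
        ubRt = 0
        Call GetByte(AddressOfKeInsertQueueApc + i, ubRt)
        If ubRt = &HE8 Then
            ubLastAddr = 0
            Call GetByte(AddressOfKeInsertQueueApc + i - 1, ubLastAddr)
            If ubLastAddr = &H28 Then
                ' The four bytes after the E8 opcode are the call's operand.
                Call GetByte(AddressOfKeInsertQueueApc + i + 1, b1)
                Call GetByte(AddressOfKeInsertQueueApc + i + 2, b2)
                Call GetByte(AddressOfKeInsertQueueApc + i + 3, b3)
                Call GetByte(AddressOfKeInsertQueueApc + i + 4, b4)
                FindKiInsertQueueApc = GetTargetAddress(AddressOfKeInsertQueueApc + i, b1, b2, b3, b4)
                Exit Function
            End If
        End If
    Next
    ' No match: the function result keeps its default value of 0.
End Function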
貌似就是汇编中的Call后的4字节:o 回复 3# 腾袭
问题是要知道获取哪个call后面的四字节。 回复 4# Tesla.Angela
嗯