自己写的代码还是太菜。。。
无聊的时候写了个获取PspExitThread原始的玩意,于是蓝屏了。。。#include <ntddk.h>
#include <windef.h>
#include <ntimage.h>
#include "LDE64.h"
/* Image RVAs recovered by GetPspExitThread() from the on-disk kernel image.
 * File-scope, so all three read as 0 until a match is found; a caller that
 * sees 0 must treat the lookup as failed rather than use the value. */
ULONG32 Rva_PsTST;    /* export RVA of "PsTerminateSystemThread", taken from the export table */
ULONG32 Rva_PspTTBP;  /* target of the first E8 CALL found in the first 50 bytes at Rva_PsTST */
ULONG32 Rva_PspET;    /* target of the first E8 CALL found in the 0x100 bytes at Rva_PspTTBP */
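/*
 * Map an image RVA to a raw file offset using the PE section table.
 *
 * pSections      - section headers as read from the image file
 * SectionNumbers - number of entries in pSections
 * dwRvaAddr      - the RVA to translate
 *
 * Returns the file offset backing dwRvaAddr, or 0 when no section covers it
 * (pSections NULL, RVA outside every section, or RVA inside a section's
 * virtual extent but beyond its raw data, i.e. not present in the file).
 * Callers must treat 0 as "not found" instead of seeking to it: the original
 * returned an uninitialized dwOffset on the no-match path, so the caller's
 * subsequent ZwReadFile used an indeterminate offset.
 */
ULONG RvaToRaw(PIMAGE_SECTION_HEADER pSections,USHORT SectionNumbers,ULONG dwRvaAddr)
{
    USHORT i;

    if (pSections == NULL) {
        return 0;
    }
    for (i = 0; i < SectionNumbers; i++) {
        ULONG Delta;

        /* Compare before subtracting so a bogus VirtualAddress+VirtualSize
         * in a malformed header cannot wrap and produce a false hit. */
        if (dwRvaAddr < pSections[i].VirtualAddress) {
            continue;
        }
        Delta = dwRvaAddr - pSections[i].VirtualAddress;
        if (Delta >= pSections[i].Misc.VirtualSize) {
            continue;
        }
        /* Inside the virtual extent but past the raw bytes: the loader
         * zero-fills this range, there is nothing to read from the file. */
        if (Delta >= pSections[i].SizeOfRawData) {
            return 0;
        }
        return pSections[i].PointerToRawData + Delta;
    }
    return 0;
}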
/*
 * Locate the export "PsTerminateSystemThread" in the on-disk kernel image,
 * follow the first CALL (E8 rel32) in its first 50 bytes, then the first
 * CALL in the 0x100 bytes at that target. The three results are stored in
 * the globals Rva_PsTST, Rva_PspTTBP and Rva_PspET. Everything is read from
 * the file with ZwReadFile; the live kernel image is not touched.
 *
 * NOTE(review): the posted listing lost its array subscripts (for example
 * "pName={0}", "NameRva" in the i loop and "FuncRva-ExpDir.Base]"), so it
 * does not compile as shown; the comments describe the evident intent.
 *
 * Faults that can bug-check in kernel mode, none handled here:
 *  - every ExAllocatePool result is used without a NULL check;
 *  - ZwReadFile status and iosb.Information are ignored, so a failed or
 *    short read leaves the header/table buffers partly uninitialized;
 *  - both scan loops use <= on the buffer end and SizeOfCode decodes bytes
 *    near the end of a 50 / 0x100 byte allocation, reading past it;
 *  - a 0 from SizeOfCode makes the j or k loop step by 0 forever;
 *  - none of the pool allocations are freed, and PspBuffer is reallocated
 *    for every E8 found in the outer scan because that loop never breaks.
 */
void GetPspExitThread()
{
NTSTATUS st;
HANDLE hFile;
OBJECT_ATTRIBUTES oa;
UNICODE_STRING uniFileName;
BYTE ansFuncName="PsTerminateSystemThread"; /* subscript lost on posting; 23 characters plus NUL */
IO_STATUS_BLOCK iosb;
LARGE_INTEGER Offset; /* byte offset for every ZwReadFile below; only LowPart is ever set after zeroing */
IMAGE_DOS_HEADER DosHead;
IMAGE_NT_HEADERS64 NtHead; /* 64-bit headers only; a 32-bit image would be misread */
PIMAGE_SECTION_HEADER pSection;
IMAGE_EXPORT_DIRECTORY ExpDir;
PULONG32 FuncRva; /* export address table, NumberOfFunctions entries */
PULONG32 NameRva; /* export name pointer table, NumberOfNames entries */
PUSHORT OridRva;  /* export ordinal table; PE has NumberOfNames entries, but see the allocation below */
PVOID PsBuffer;   /* first 50 bytes of PsTerminateSystemThread */
PVOID PspBuffer;  /* first 0x100 bytes of the function it calls */
BYTE pName={0};   /* subscript lost on posting; receives 23 bytes of an export name */
ULONG i;
ULONG64 j;
ULONG64 k;
ULONG pLen=0;     /* instruction length from SizeOfCode, also the loop step */
/* NOTE(review): IoCreateFile takes an NT object-manager path. A DOS path
 * like this normally needs a \??\ prefix (or \SystemRoot\System32\...),
 * so confirm the open actually succeeds rather than silently skipping. */
RtlInitUnicodeString(&uniFileName,L"C:\\Windows\\System32\\ntoskrnl.exe");
InitializeObjectAttributes(&oa,&uniFileName,OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,NULL,NULL);
st=IoCreateFile(&hFile,GENERIC_READ,&oa,&iosb,0,FILE_ATTRIBUTE_NORMAL,FILE_SHARE_READ,FILE_OPEN,0,NULL,0,0,NULL,IO_NO_PARAMETER_CHECKING);
if(NT_SUCCESS(st))
{
RtlZeroMemory(&Offset,sizeof(Offset));
/* DOS header at offset 0; 0x5A4D is "MZ". */
st=ZwReadFile(hFile,NULL,NULL,NULL,&iosb,&DosHead,sizeof(DosHead),&Offset,NULL);
if(NT_SUCCESS(st) && DosHead.e_magic==0x5A4D)
{
/* NT headers at e_lfanew; 0x4550 is "PE\0\0". */
Offset.LowPart=DosHead.e_lfanew;
st=ZwReadFile(hFile,NULL,NULL,NULL,&iosb,&NtHead,sizeof(NtHead),&Offset,NULL);
if(NT_SUCCESS(st) && NtHead.Signature==0x4550)
{
/* Section table follows the NT headers directly. Allocation is unchecked. */
pSection=ExAllocatePool(NonPagedPool,NtHead.FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER));
Offset.LowPart+=sizeof(NtHead);
ZwReadFile(hFile,NULL,NULL,NULL,&iosb,pSection,NtHead.FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER),&Offset,NULL);
/* Export directory (DataDirectory entry 0; the index was lost on posting).
 * RvaToRaw's return is not validated, so an unmapped RVA seeks to whatever it returned. */
Offset.LowPart=RvaToRaw(pSection,NtHead.FileHeader.NumberOfSections,NtHead.OptionalHeader.DataDirectory.VirtualAddress);
ZwReadFile(hFile,NULL,NULL,NULL,&iosb,&ExpDir,sizeof(ExpDir),&Offset,NULL);
Offset.LowPart=RvaToRaw(pSection,NtHead.FileHeader.NumberOfSections,ExpDir.AddressOfFunctions);
FuncRva=ExAllocatePool(NonPagedPool,4 * ExpDir.NumberOfFunctions);
ZwReadFile(hFile,NULL,NULL,NULL,&iosb,FuncRva,4 * ExpDir.NumberOfFunctions,&Offset,NULL);
Offset.LowPart=RvaToRaw(pSection,NtHead.FileHeader.NumberOfSections,ExpDir.AddressOfNames);
NameRva=ExAllocatePool(NonPagedPool,4 * ExpDir.NumberOfNames);
ZwReadFile(hFile,NULL,NULL,NULL,&iosb,NameRva,4 * ExpDir.NumberOfNames,&Offset,NULL);
/* NOTE(review): the ordinal table is indexed alongside the name table and
 * has NumberOfNames entries; sizing it by NumberOfFunctions reads past the
 * table in the file (harmless for the match, but not what the format says). */
Offset.LowPart=RvaToRaw(pSection,NtHead.FileHeader.NumberOfSections,ExpDir.AddressOfNameOrdinals);
OridRva=ExAllocatePool(NonPagedPool,2 * ExpDir.NumberOfFunctions);
ZwReadFile(hFile,NULL,NULL,NULL,&iosb,OridRva,2 * ExpDir.NumberOfFunctions,&Offset,NULL);
/* 1-based walk of the export names; which NameRva entry was read here is lost with the subscript. */
for(i=1;i<=ExpDir.NumberOfNames;i++)
{
Offset.LowPart=RvaToRaw(pSection,NtHead.FileHeader.NumberOfSections,NameRva);
ZwReadFile(hFile,NULL,NULL,NULL,&iosb,pName,23,&Offset,NULL);
/* 23-byte compare excludes the NUL, so any export whose name starts with
 * "PsTerminateSystemThread" matches; comparing 24 bytes would make it exact. */
if(RtlCompareMemory(pName,ansFuncName,23)==23)
{
/* Export address table entry for this name; the index expression was lost on posting. */
Rva_PsTST=FuncRva-ExpDir.Base];
PsBuffer=ExAllocatePool(NonPagedPool,50);
Offset.LowPart=RvaToRaw(pSection,NtHead.FileHeader.NumberOfSections,Rva_PsTST);
ZwReadFile(hFile,NULL,NULL,NULL,&iosb,PsBuffer,50,&Offset,NULL);
/* Linear disassembly walk. "<=" admits j == PsBuffer+50, one past the
 * allocation, and SizeOfCode may read further still from there. */
for(j=(ULONG64)PsBuffer;j<=(ULONG64)PsBuffer+50;j+=pLen)
{
pLen=SizeOfCode((PVOID)j,64);
/* 5-byte E8 rel32 = near CALL. */
if(pLen==5 && *(PBYTE)j==0xE8)
{
/* rel32 + offset-in-buffer + 5. NOTE(review): this is relative to the
 * start of PsBuffer; Rva_PsTST is not added, so unless a term was lost
 * on posting this is not an image RVA and the next RvaToRaw is fed a
 * displacement instead. The same applies to Rva_PspET below. */
Rva_PspTTBP=(ULONG32)(*(PULONG32)(j+1)+(j-(ULONG64)PsBuffer)+5);
PspBuffer=ExAllocatePool(NonPagedPool,0x100);
Offset.LowPart=RvaToRaw(pSection,NtHead.FileHeader.NumberOfSections,Rva_PspTTBP);
ZwReadFile(hFile,NULL,NULL,NULL,&iosb,PspBuffer,0x100,&Offset,NULL);
pLen=0;
/* Same walk, same "<=" overrun, over the 0x100-byte buffer. */
for(k=(ULONG64)PspBuffer;k<=(ULONG64)PspBuffer+0x100;k+=pLen)
{
pLen=SizeOfCode((PVOID)k,64);
if(pLen==5 && *(PBYTE)k==0xE8)
{
Rva_PspET=(ULONG32)(*(PULONG32)(k+1)+(k-(ULONG64)PspBuffer)+5);
break;
}
}
/* No break here: the outer j loop keeps scanning, and pLen may now be 0
 * after the inner loop exhausted its buffer. */
}
}
}
}
}
}
/* Only the file handle is released; pSection, FuncRva, NameRva, OridRva,
 * PsBuffer and PspBuffer are never freed. */
ZwClose(hFile);
}
}
用符号!!!