别人的头文件，修改了一下名称才可以用。
原来真的要明白原理才行。
 
 
/*
 * One entry of the kernel's service descriptor table.  KeServiceDescriptorTable
 * (declared extern further down) points at the first such entry.
 * ServiceTableBase is the array of service routine addresses that is indexed
 * by the system call number, and NumberOfServices is that array's length; the
 * other two members are kept only so the layout matches the kernel's and are
 * not read anywhere on this page.
 */
typedef struct ServiceDescriptorEntry {
    PVOID ServiceTableBase;        /* KiServiceTable: NumberOfServices routine addresses */
    PVOID ServiceCounterTableBase; /* layout only; not used here */
    ULONG NumberOfServices;        /* valid index range is [0, NumberOfServices) */
    PVOID ParamTableBase;          /* layout only; not used here */
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
/*
 * The complete descriptor table as laid out in the kernel: four entries, of
 * which only the first two are populated.  Not referenced by the functions on
 * this page (they go through KeServiceDescriptorTable, which is typed as a
 * pointer to a single entry); kept for completeness of the header.
 */
typedef struct _SERVICE_DESCRIPTOR_TABLE {
    ServiceDescriptorTableEntry_t ntoskrnl; // ntoskrnl.exe (native api)
    ServiceDescriptorTableEntry_t win32k;   // win32k.sys (gdi/user)
    ServiceDescriptorTableEntry_t Table3;   // not used
    ServiceDescriptorTableEntry_t Table4;   // not used
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
/*
 * Information classes accepted by ZwQuerySystemInformation.  The enumerator
 * ORDER defines the numeric class values (first column of the trailing
 * comments), so entries must never be reordered or removed — the
 * "NotImplemented"/"InvalidInfoClass" names are placeholders that keep the
 * numbering intact.  The "Q S" columns are inherited from the original header
 * and appear to record whether a class can be queried / set; they are not
 * verified here.  Only SystemModuleInformation (11) is used on this page.
 */
typedef enum _SYSTEM_INFORMATION_CLASS // Q S
{
    SystemBasicInformation,               // 00 Y N
    SystemProcessorInformation,           // 01 Y N
    SystemPerformanceInformation,         // 02 Y N
    SystemTimeOfDayInformation,           // 03 Y N
    SystemNotImplemented1,                // 04 Y N
    SystemProcessesAndThreadsInformation, // 05 Y N
    SystemCallCounts,                     // 06 Y N
    SystemConfigurationInformation,       // 07 Y N
    SystemProcessorTimes,                 // 08 Y N
    SystemGlobalFlag,                     // 09 Y Y
    SystemNotImplemented2,                // 10 Y N
    SystemModuleInformation,              // 11 Y N  (loaded-module list; see GetKernelBaseAddress)
    SystemLockInformation,                // 12 Y N
    SystemNotImplemented3,                // 13 Y N
    SystemNotImplemented4,                // 14 Y N
    SystemNotImplemented5,                // 15 Y N
    SystemHandleInformation,              // 16 Y N
    SystemObjectInformation,              // 17 Y N
    SystemPagefileInformation,            // 18 Y N
    SystemInstructionEmulationCounts,     // 19 Y N
    SystemInvalidInfoClass1,              // 20
    SystemCacheInformation,               // 21 Y Y
    SystemPoolTagInformation,             // 22 Y N
    SystemProcessorStatistics,            // 23 Y N
    SystemDpcInformation,                 // 24 Y Y
    SystemNotImplemented6,                // 25 Y N
    SystemLoadImage,                      // 26 N Y
    SystemUnloadImage,                    // 27 N Y
    SystemTimeAdjustment,                 // 28 Y Y
    SystemNotImplemented7,                // 29 Y N
    SystemNotImplemented8,                // 30 Y N
    SystemNotImplemented9,                // 31 Y N
    SystemCrashDumpInformation,           // 32 Y N
    SystemExceptionInformation,           // 33 Y N
    SystemCrashDumpStateInformation,      // 34 Y Y/N
    SystemKernelDebuggerInformation,      // 35 Y N
    SystemContextSwitchInformation,       // 36 Y N
    SystemRegistryQuotaInformation,       // 37 Y Y
    SystemLoadAndCallImage,               // 38 N Y
    SystemPrioritySeparation,             // 39 N Y
    SystemNotImplemented10,               // 40 Y N
    SystemNotImplemented11,               // 41 Y N
    SystemInvalidInfoClass2,              // 42
    SystemInvalidInfoClass3,              // 43
    SystemTimeZoneInformation,            // 44 Y N
    SystemLookasideInformation,           // 45 Y N
    SystemSetTimeSlipEvent,               // 46 N Y
    SystemCreateSession,                  // 47 N Y
    SystemDeleteSession,                  // 48 N Y
    SystemInvalidInfoClass4,              // 49
    SystemRangeStartInformation,          // 50 Y N
    SystemVerifierInformation,            // 51 Y Y
    SystemAddVerifier,                    // 52 N Y
    SystemSessionProcessesInformation     // 53 Y N
} SYSTEM_INFORMATION_CLASS;
/*
 * One record of the SystemModuleInformation result.  Only Base, ImageName and
 * ModuleNameOffset are consumed on this page (GetKernelBaseAddress).
 * NOTE(review): nothing in this layout guarantees that ImageName is
 * NUL-terminated inside its 256 bytes — code that copies it with plain
 * strcat/strcpy depends on the kernel always terminating it; bound the copy.
 */
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Reserved[2];
    PVOID Base;               // The base (load) address of the module.
    ULONG Size;               // The size of the module in bytes.
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;  // Offset into ImageName at which the bare file name starts.
    CHAR ImageName[256];      // The file path of the module.
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/*
 * Header of the SystemModuleInformation buffer: a count followed by that many
 * records (flexible array member, so the buffer must be sized from the
 * length reported by the size-probe call).  GetKernelBaseAddress treats
 * SysModuleInfo[0] as the kernel image — an assumption about list order that
 * the structure itself does not guarantee.
 */
typedef struct _MODULE_LIST {
    ULONG NumberOfModules;                     // number of valid SysModuleInfo entries
    SYSTEM_MODULE_INFORMATION SysModuleInfo[]; // NumberOfModules records follow in place
} MODULE_LIST, *PMODULE_LIST;
/*
 * Image attributes of a section object.  Declared on this page only as an
 * unused local (`sii`) in GetExportFuncAddr; no member is read anywhere here,
 * so the UnknownN members are layout padding whose meaning is not documented.
 */
typedef struct _SECTION_IMAGE_INFORMATION {
    PVOID EntryPoint;
    ULONG StackZeroBits;
    ULONG StackReserved;
    ULONG StackCommit;
    ULONG ImageSubsystem;
    unsigned char SubsystemVersionLow;
    unsigned char SubsystemVersionHigh;
    ULONG Unknown1;
    ULONG ImageCharacteristics;
    ULONG ImageMachineType;
    ULONG Unknown2[3];
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
/*
 * Prototype for the system information query (not in the public DDK headers
 * of the time).  GetKernelBaseAddress relies on a call with
 * SystemInformationLength == 0 reporting the required buffer size through
 * ReturnLength.  NOTE(review): the declaration carries no NTAPI/__stdcall
 * specifier — confirm the build's default calling convention matches the
 * kernel export, or add NTAPI to be explicit.
 */
NTSYSAPI NTSTATUS ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass,
                                           PVOID SystemInformation,
                                           ULONG SystemInformationLength,
                                           PULONG ReturnLength);
/* Exported by ntoskrnl: the live (in-memory) service descriptor table, i.e. the
   table a hook would patch.  GetSSDTRealAddr reads its NumberOfServices and
   ServiceTableBase. */
extern PServiceDescriptorTableEntry_t KeServiceDescriptorTable;
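/*
 * Return the load address of the first entry of the system module list (taken
 * to be the kernel image) and, when lpszModule is non-NULL, write its on-disk
 * path "\SystemRoot\System32\<basename>" there.
 *
 * lpszModule: optional output buffer.  Its size is not passed, so the copy is
 *             bounded by KERNEL_PATH_MAX (the only caller on this page passes
 *             a char[256]); on any failure it is set to "" so a caller never
 *             reads uninitialized text.
 * Returns the module base as a ULONG, or 0 when the size probe, the
 * allocation or the query fails, or when the name would not fit.
 *
 * The base is returned as ULONG, which only holds a full pointer on 32-bit
 * kernels; this helper, like the rest of the page, is x86-only.
 */
ULONG GetKernelBaseAddress(OUT PCHAR lpszModule)
{
    enum { KERNEL_PATH_MAX = 256 };  /* assumed size of the caller's buffer */
    static const char Prefix[] = "\\SystemRoot\\System32\\";  /* original literal had a broken trailing escape */
    NTSTATUS ntStatus;
    ULONG NeededSize = 0, KernelAddr = 0;
    PMODULE_LIST pModuleList;

    if (lpszModule) {
        lpszModule[0] = '\0';
    }

    /* Size probe: the buffer is deliberately too small and the required
       length comes back through ReturnLength. */
    ZwQuerySystemInformation(SystemModuleInformation, &NeededSize, 0, &NeededSize);
    if (NeededSize == 0) {
        return 0;
    }

    /* Untagged allocation kept as in the original; the NULL check was missing. */
    pModuleList = ExAllocatePool(NonPagedPool, NeededSize);
    if (!pModuleList) {
        return 0;
    }

    /* The module list can change between the probe and this call; a length
       mismatch then simply fails the status check below. */
    ntStatus = ZwQuerySystemInformation(SystemModuleInformation, pModuleList, NeededSize, NULL);
    if (NT_SUCCESS(ntStatus) && pModuleList->NumberOfModules > 0) {
        const SYSTEM_MODULE_INFORMATION *kernel = &pModuleList->SysModuleInfo[0];
        KernelAddr = (ULONG)kernel->Base;

        if (lpszModule) {
            /* ModuleNameOffset points at the base name inside ImageName.  Scan
               for the terminator within the array only, so an unterminated
               name cannot run past it. */
            SIZE_T off = kernel->ModuleNameOffset;
            SIZE_T NameLen = 0;
            if (off < sizeof kernel->ImageName) {
                while (off + NameLen < sizeof kernel->ImageName &&
                       kernel->ImageName[off + NameLen] != '\0') {
                    NameLen++;
                }
            }
            /* sizeof Prefix counts Prefix's own terminator, which becomes the
               final NUL of the assembled path. */
            if (NameLen > 0 && sizeof Prefix + NameLen <= KERNEL_PATH_MAX) {
                RtlCopyMemory(lpszModule, Prefix, sizeof Prefix - 1);
                RtlCopyMemory(lpszModule + (sizeof Prefix - 1), kernel->ImageName + off, NameLen);
                lpszModule[sizeof Prefix - 1 + NameLen] = '\0';
            } else {
                KernelAddr = 0;  /* no usable path: report failure, not a truncated name */
            }
        }
    }

    ExFreePool(pModuleList);
    return KernelAddr;
}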
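/*
 * Translate a virtual address inside the image loaded at lpBase into the
 * offset of the same bytes in the image file on disk, by locating the section
 * that contains it.
 *
 * lpBase:         address of the loaded image's DOS header; e_magic and the
 *                 NT signature are verified before other header fields are
 *                 trusted.
 * VirtualAddress: absolute virtual address (not an RVA, despite the name);
 *                 lpBase is subtracted here.
 * Returns the raw file offset, or 0 when lpBase is 0, the headers are not a
 * PE image, the address lies below lpBase, or no section's raw data covers it.
 */
ULONG RVAToRaw(IN ULONG lpBase, IN ULONG VirtualAddress)
{
    const IMAGE_DOS_HEADER *pDosHeader = (const IMAGE_DOS_HEADER *)lpBase;
    const IMAGE_NT_HEADERS *pNtHeader;
    const IMAGE_SECTION_HEADER *pFirstSection;
    ULONG Rva, NumOfSections, i;

    if (lpBase == 0 || pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        return 0;
    }
    pNtHeader = (const IMAGE_NT_HEADERS *)((const unsigned char *)lpBase + pDosHeader->e_lfanew);
    if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) {
        return 0;
    }
    if (VirtualAddress < lpBase) {
        return 0;  /* the subtraction below would wrap */
    }
    Rva = VirtualAddress - lpBase;

    /* Section headers follow the NT headers: Signature, IMAGE_FILE_HEADER and
       the variable-sized optional header. */
    pFirstSection = (const IMAGE_SECTION_HEADER *)((const unsigned char *)pNtHeader
                                                   + sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER)
                                                   + pNtHeader->FileHeader.SizeOfOptionalHeader);
    NumOfSections = pNtHeader->FileHeader.NumberOfSections;

    for (i = 0; i < NumOfSections; i++) {
        /* Index from the first header.  The original advanced a running pointer
           by i*sizeof on every pass, so the step compounded and only headers
           0, 1, 3, 6, ... were examined. */
        const IMAGE_SECTION_HEADER *sec = &pFirstSection[i];

        /* Only the raw-data part of a section exists in the file.  '>=' so an
           address at the very start of a section is accepted (the original
           used '>' and missed it). */
        if (Rva >= sec->VirtualAddress &&
            Rva < sec->VirtualAddress + sec->SizeOfRawData) {
            return Rva - sec->VirtualAddress + sec->PointerToRawData;
        }
    }
    return 0;
}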
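/*
 * Resolve the original (on-disk) value of SSDT entry Index.
 *
 * The in-memory table can be patched by a hook; the copy inside the kernel
 * image file cannot.  So: locate the kernel, convert the address of table
 * slot Index to a file offset, read the 4-byte entry from the file and
 * relocate it from the file's preferred ImageBase to the actual load address.
 * Comparing the result with the live entry in
 * KeServiceDescriptorTable->ServiceTableBase reveals whether that slot was
 * modified.
 *
 * Index: SSDT slot; must be < NumberOfServices.
 * Returns the relocated address, or 0 on any failure (bad index, kernel not
 * found, headers not a PE image, file I/O error, short read).
 *
 * x86-only (4-byte entries, ULONG addresses).  Performs file I/O through
 * ZwOpenFile/ZwReadFile, so the caller must be at PASSIVE_LEVEL.
 */
ULONG GetSSDTRealAddr(IN ULONG Index)
{
    NTSTATUS ntStatus;
    ULONG KernelVirtualBase, KernelImageBase, RealServiceAddress = 0;
    ULONG NumberOfServices, KiServiceTable, uSSDTRaw, KernelServiceTable = 0;
    char szKernelPath[256];
    ANSI_STRING asFileName;
    UNICODE_STRING usFileName;
    OBJECT_ATTRIBUTES ObjAttr;
    IO_STATUS_BLOCK ioStatus;
    FILE_POSITION_INFORMATION FilePos;
    HANDLE hFile = NULL;
    const IMAGE_DOS_HEADER *pDos;

    NumberOfServices = KeServiceDescriptorTable->NumberOfServices;
    KiServiceTable = (ULONG)KeServiceDescriptorTable->ServiceTableBase;
    if (Index >= NumberOfServices) {
        return 0;
    }

    szKernelPath[0] = '\0';
    KernelVirtualBase = GetKernelBaseAddress(szKernelPath);
    if (KernelVirtualBase == 0 || szKernelPath[0] == '\0') {
        return 0;  /* the original went on to dereference address 0 here */
    }

    /* RVAToRaw validates the DOS/NT headers, so do it before reading ImageBase. */
    uSSDTRaw = RVAToRaw(KernelVirtualBase, KiServiceTable + Index * sizeof(ULONG));
    if (uSSDTRaw == 0) {
        return 0;
    }
    pDos = (const IMAGE_DOS_HEADER *)KernelVirtualBase;
    KernelImageBase = ((const IMAGE_NT_HEADERS *)(KernelVirtualBase + pDos->e_lfanew))->OptionalHeader.ImageBase;

    RtlInitAnsiString(&asFileName, szKernelPath);
    ntStatus = RtlAnsiStringToUnicodeString(&usFileName, &asFileName, TRUE);
    if (!NT_SUCCESS(ntStatus)) {
        /* Nothing allocated: the original unconditionally freed usFileName,
           which is uninitialized on this path. */
        return 0;
    }

    InitializeObjectAttributes(&ObjAttr, &usFileName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
    /* SYNCHRONIZE is required alongside FILE_SYNCHRONOUS_IO_NONALERT (and is
       what GetExportFuncAddr on this page already requests); read access only. */
    ntStatus = ZwOpenFile(&hFile, FILE_READ_DATA | SYNCHRONIZE, &ObjAttr, &ioStatus,
                          FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                          FILE_SYNCHRONOUS_IO_NONALERT);
    if (NT_SUCCESS(ntStatus) && hFile) {
        FilePos.CurrentByteOffset.LowPart = uSSDTRaw;
        FilePos.CurrentByteOffset.HighPart = 0;
        ntStatus = ZwSetInformationFile(hFile, &ioStatus, &FilePos,
                                        sizeof(FILE_POSITION_INFORMATION), FilePositionInformation);
        if (NT_SUCCESS(ntStatus)) {
            ntStatus = ZwReadFile(hFile, NULL, NULL, NULL, &ioStatus,
                                  &KernelServiceTable, sizeof(ULONG), NULL, NULL);
            /* A short read (offset at or past EOF) would leave garbage in the entry. */
            if (NT_SUCCESS(ntStatus) && ioStatus.Information == sizeof(ULONG)) {
                /* The file stores the address relative to the preferred base. */
                RealServiceAddress = KernelServiceTable - KernelImageBase + KernelVirtualBase;
            }
        }
        ZwClose(hFile);
    }

    RtlFreeUnicodeString(&usFileName);
    return RealServiceAddress;
}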
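/*
 * Look up an export by name in the image file pDllName without involving the
 * user-mode loader: the file is mapped as a SEC_IMAGE section into the current
 * process and its export directory is walked.
 *
 * lpFunctionName: NUL-terminated export name (compared case-insensitively, as
 *                 in the original).
 * pDllName:       NT path of the image, e.g. "\SystemRoot\System32\ntdll.dll".
 * Returns the address of the export inside the mapping, or 0 when the file
 * cannot be opened or mapped, the headers are not a PE image, there is no
 * export directory, or the name is not exported.
 *
 * Lifetime: on success the view is deliberately left mapped (the original
 * never unmaps either) because the returned address points into it and
 * GetSysCallIndex reads through it right after this call; each successful
 * call therefore leaks one view.  On failure the view is released.
 * NOTE(review): a forwarded export (entry pointing back into the export
 * directory) is not detected and would be returned as if it were code.
 */
ULONG GetExportFuncAddr(IN PCHAR lpFunctionName, IN PUNICODE_STRING pDllName)
{
    HANDLE hSection = NULL, hFile = NULL;
    PUCHAR hMod;
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNtHeaders;
    PIMAGE_EXPORT_DIRECTORY pExportTable;
    PULONG arrayOfFuncAddr, arrayOfFuncNames;
    PUSHORT arrayOfFuncOrdinals;  /* 16-bit, unsigned: PSHORT would sign-extend */
    ULONG i, ExportRva, FuncAddr = 0;
    STRING ntFuncName, ntFuncNameSearch;
    PVOID BaseAddress = NULL;
    SIZE_T size = 0;
    OBJECT_ATTRIBUTES ObjAttr;
    IO_STATUS_BLOCK IoStatusBlock;
    NTSTATUS ntStatus;

    InitializeObjectAttributes(&ObjAttr, pDllName, OBJ_CASE_INSENSITIVE, NULL, NULL);
    /* FILE_EXECUTE is needed to build a SEC_IMAGE section over this handle. */
    ntStatus = ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &ObjAttr, &IoStatusBlock,
                          FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
    if (!NT_SUCCESS(ntStatus)) {
        return 0;  /* the original used the uninitialized handle */
    }

    ObjAttr.ObjectName = NULL;  /* anonymous section; the attributes block is reused */
    /* The original's 0x1000000 is SEC_IMAGE: map with the loader's layout so
       the RVAs in the export directory can be used directly. */
    ntStatus = ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &ObjAttr, NULL,
                               PAGE_EXECUTE, SEC_IMAGE, hFile);
    if (!NT_SUCCESS(ntStatus)) {
        ZwClose(hFile);
        return 0;
    }
    /* CommitSize of 1000 and the remaining arguments are kept from the original. */
    ntStatus = ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 1000, NULL,
                                  &size, ViewShare, MEM_TOP_DOWN, PAGE_READWRITE);
    ZwClose(hFile);
    if (!NT_SUCCESS(ntStatus) || BaseAddress == NULL) {
        ZwClose(hSection);
        return 0;
    }

    hMod = (PUCHAR)BaseAddress;
    pDosHeader = (PIMAGE_DOS_HEADER)hMod;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        goto done;
    }
    pNtHeaders = (PIMAGE_NT_HEADERS)(hMod + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
        goto done;
    }
    /* The original reached the optional header with a magic "+ 24"
       (Signature + IMAGE_FILE_HEADER); go through the NT headers instead. */
    ExportRva = pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    if (ExportRva == 0) {
        goto done;  /* no export directory */
    }
    pExportTable = (PIMAGE_EXPORT_DIRECTORY)(hMod + ExportRva);
    arrayOfFuncAddr = (PULONG)(hMod + pExportTable->AddressOfFunctions);
    arrayOfFuncNames = (PULONG)(hMod + pExportTable->AddressOfNames);
    arrayOfFuncOrdinals = (PUSHORT)(hMod + pExportTable->AddressOfNameOrdinals);
    RtlInitString(&ntFuncNameSearch, lpFunctionName);

    /* The name and name-ordinal arrays have NumberOfNames entries, which can be
       fewer than NumberOfFunctions (the original's loop bound); going past
       NumberOfNames reads outside those arrays. */
    for (i = 0; i < pExportTable->NumberOfNames; i++) {
        ULONG FuncIndex = arrayOfFuncOrdinals[i];

        RtlInitString(&ntFuncName, (PCHAR)(hMod + arrayOfFuncNames[i]));
        if (RtlCompareString(&ntFuncName, &ntFuncNameSearch, TRUE) != 0) {
            continue;
        }
        /* AddressOfNameOrdinals holds unbiased indexes into AddressOfFunctions.
           The original added Base-1, which only happens to work when Base == 1. */
        if (FuncIndex < pExportTable->NumberOfFunctions) {
            FuncAddr = (ULONG)(hMod + arrayOfFuncAddr[FuncIndex]);
        }
        break;
    }

done:
    if (FuncAddr == 0) {
        /* Nothing points into the view any more: release it.  See the header
           comment for why a successful lookup leaves it mapped. */
        ZwUnmapViewOfSection(NtCurrentProcess(), BaseAddress);
    }
    ZwClose(hSection);
    return FuncAddr;
}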
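/*
 * Get the system service index for an ntdll export (e.g. "ZwOpenFile") by
 * decoding its stub, which on x86 starts with `mov eax, imm32` (opcode B8)
 * where imm32 is the SSDT index.
 *
 * FuncName: export name in ntdll.dll.
 * Returns the index, or (ULONG)-1 when the export is not found or the stub
 * does not begin with the expected opcode.  The original read through
 * address 1 on a failed lookup and trusted whatever byte followed it.  A
 * value of (ULONG)-1 is rejected by GetSSDTRealAddr's range check, so it is
 * safe to pass on.  x86-only, like the rest of the page.
 */
ULONG GetSysCallIndex(PCHAR FuncName)  // obtain the service index
{
    enum { X86_MOV_EAX_IMM32 = 0xB8 };
    UNICODE_STRING usDllName;
    ULONG FuncAddr;
    ULONG SysCallIndex;
    const unsigned char *stub;

    RtlInitUnicodeString(&usDllName, L"\\SystemRoot\\System32\\ntdll.dll");
    FuncAddr = GetExportFuncAddr(FuncName, &usDllName);
    if (FuncAddr == 0) {
        return (ULONG)-1;
    }

    stub = (const unsigned char *)FuncAddr;
    if (stub[0] != X86_MOV_EAX_IMM32) {
        return (ULONG)-1;  /* not the stub shape this decoder understands */
    }
    /* The immediate is unaligned; copy it out rather than casting.  Reading all
       four bytes (the original read a signed 16-bit value) gives the same result
       for every valid index and avoids sign extension. */
    RtlCopyMemory(&SysCallIndex, stub + 1, sizeof SysCallIndex);
    return SysCallIndex;
}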