终于找到了这两个地址，代码如下

ok100fen · 发表于 2010-8-30 09:57:49

#include <ntddk.h>
#include "ntimage.h"
#include "KernelVoid.h"
VOID Unload(IN PDRIVER_OBJECT DriverObject)
{
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
ULONG SSDT_NtOpenProcess_Addr;
KdPrint(("驱动加载成功"));
KvGetSSDTVoid("NtOpenProcess");
DbgPrint("NtOpenProcess的原始地址1=%x/n.",KvGetSSDTVoid("NtOpenProcess"));
_asm
{
push ebx
push eax
mov ebx,KeServiceDescriptorTable
mov ebx,[ebx]
mov eax,0x7a
shl eax,2
add ebx,eax
mov ebx,[ebx]
mov SSDT_NtOpenProcess_Addr,ebx
pop eax
pop ebx
}
KdPrint(("NtOpenProcess的当前地址=%x",SSDT_NtOpenProcess_Addr));
DriverObject->DriverUnload = Unload;
return STATUS_SUCCESS;
}

复制代码

ok100fen · 发表于 2010-8-30 10:00:25

本帖最后由 ok100fen 于 2010-8-30 13:59 编辑

别人的头文件，修改了一下名称，才可以
原来真要明白原理才行

typedef struct ServiceDescriptorEntry{
PVOID ServiceTableBase;
PVOID ServiceCounterTableBase;
ULONG NumberOfServices;
PVOID ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
typedef struct _SERVICE_DESCRIPTOR_TABLE{
ServiceDescriptorTableEntry_t ntoskrnl; // ntoskrnl.exe (native api)
ServiceDescriptorTableEntry_t win32k; // win32k.sys (gdi/user)
ServiceDescriptorTableEntry_t Table3; // not used
ServiceDescriptorTableEntry_t Table4; // not used
}SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE;
typedef enum _SYSTEM_INFORMATION_CLASS // Q S
{
SystemBasicInformation, // 00 Y N
SystemProcessorInformation, // 01 Y N
SystemPerformanceInformation, // 02 Y N
SystemTimeOfDayInformation, // 03 Y N
SystemNotImplemented1, // 04 Y N
SystemProcessesAndThreadsInformation, // 05 Y N
SystemCallCounts, // 06 Y N
SystemConfigurationInformation, // 07 Y N
SystemProcessorTimes, // 08 Y N
SystemGlobalFlag, // 09 Y Y
SystemNotImplemented2, // 10 Y N
SystemModuleInformation, // 11 Y N
SystemLockInformation, // 12 Y N
SystemNotImplemented3, // 13 Y N
SystemNotImplemented4, // 14 Y N
SystemNotImplemented5, // 15 Y N
SystemHandleInformation, // 16 Y N
SystemObjectInformation, // 17 Y N
SystemPagefileInformation, // 18 Y N
SystemInstructionEmulationCounts, // 19 Y N
SystemInvalidInfoClass1, // 20
SystemCacheInformation, // 21 Y Y
SystemPoolTagInformation, // 22 Y N
SystemProcessorStatistics, // 23 Y N
SystemDpcInformation, // 24 Y Y
SystemNotImplemented6, // 25 Y N
SystemLoadImage, // 26 N Y
SystemUnloadImage, // 27 N Y
SystemTimeAdjustment, // 28 Y Y
SystemNotImplemented7, // 29 Y N
SystemNotImplemented8, // 30 Y N
SystemNotImplemented9, // 31 Y N
SystemCrashDumpInformation, // 32 Y N
SystemExceptionInformation, // 33 Y N
SystemCrashDumpStateInformation, // 34 Y Y/N
SystemKernelDebuggerInformation, // 35 Y N
SystemContextSwitchInformation, // 36 Y N
SystemRegistryQuotaInformation, // 37 Y Y
SystemLoadAndCallImage, // 38 N Y
SystemPrioritySeparation, // 39 N Y
SystemNotImplemented10, // 40 Y N
SystemNotImplemented11, // 41 Y N
SystemInvalidInfoClass2, // 42
SystemInvalidInfoClass3, // 43
SystemTimeZoneInformation, // 44 Y N
SystemLookasideInformation, // 45 Y N
SystemSetTimeSlipEvent, // 46 N Y
SystemCreateSession, // 47 N Y
SystemDeleteSession, // 48 N Y
SystemInvalidInfoClass4, // 49
SystemRangeStartInformation, // 50 Y N
SystemVerifierInformation, // 51 Y Y
SystemAddVerifier, // 52 N Y
SystemSessionProcessesInformation // 53 Y N
} SYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Reserved[2];
PVOID Base; //The base address of the module.
ULONG Size; //The size of the module.
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];//The filepath of the module.
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef struct _MODULE_LIST {
ULONG NumberOfModules;
SYSTEM_MODULE_INFORMATION SysModuleInfo[];
} MODULE_LIST, *PMODULE_LIST;
typedef struct _SECTION_IMAGE_INFORMATION {
PVOID EntryPoint;
ULONG StackZeroBits;
ULONG StackReserved;
ULONG StackCommit;
ULONG ImageSubsystem;
unsigned char SubsystemVersionLow;
unsigned char SubsystemVersionHigh;
ULONG Unknown1;
ULONG ImageCharacteristics;
ULONG ImageMachineType;
ULONG Unknown2[3];
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
NTSYSAPI NTSTATUS ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);
extern PServiceDescriptorTableEntry_t KeServiceDescriptorTable;
ULONG GetKernelBaseAddress(OUT PCHAR lpszModule)
{
NTSTATUS ntStatus;
ULONG NeededSize, KernelAddr=0;
PMODULE_LIST pModuleList;
ZwQuerySystemInformation( SystemModuleInformation, &NeededSize, 0, &NeededSize);
pModuleList = ExAllocatePool( NonPagedPool, NeededSize );
ntStatus = ZwQuerySystemInformation( SystemModuleInformation, pModuleList, NeededSize, NULL );
if ( NT_SUCCESS(ntStatus) )
{
KernelAddr = (ULONG)pModuleList->SysModuleInfo[0].Base;
if (lpszModule)
{
strcpy( lpszModule, "\\SystemRoot\\System32\" );
strcat( lpszModule, pModuleList->SysModuleInfo[0].ModuleNameOffset+ pModuleList->SysModuleInfo[0].ImageName );
}
}
ExFreePool(pModuleList);
return KernelAddr;
}
ULONG RVAToRaw(IN ULONG lpBase, IN ULONG VirtualAddress )
{
IMAGE_DOS_HEADER *pDosHeader;
IMAGE_NT_HEADERS *pNtHeader;
IMAGE_SECTION_HEADER *pSectionHeader;
ULONG NumOfSections, i;
pDosHeader = (IMAGE_DOS_HEADER*)lpBase;
if ( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE )
return 0;
pNtHeader =(IMAGE_NT_HEADERS*)( (unsigned char*)lpBase + pDosHeader->e_lfanew );
NumOfSections = pNtHeader->FileHeader.NumberOfSections;
pSectionHeader = (IMAGE_SECTION_HEADER*)((ULONG)pNtHeader + sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER)
+ pNtHeader->FileHeader.SizeOfOptionalHeader);
VirtualAddress -= (ULONG)lpBase;
for ( i=0; i<NumOfSections; i++ )
{
pSectionHeader = (IMAGE_SECTION_HEADER*)( (ULONG)pSectionHeader + sizeof(IMAGE_SECTION_HEADER) * i );
if( VirtualAddress > pSectionHeader->VirtualAddress &&
VirtualAddress < pSectionHeader->VirtualAddress + pSectionHeader->SizeOfRawData )
{
ULONG Offset = VirtualAddress - pSectionHeader->VirtualAddress + pSectionHeader->PointerToRawData;
return Offset;
}
}
return 0;
}
ULONG GetSSDTRealAddr(IN ULONG Index)
{
NTSTATUS ntStatus;
ULONG KernelVirtualBase, KernelImageBase,RealServiceAddress=0;
ULONG NumberOfServices, KiServiceTable, uSSDTRaw,KernelServiceTable;
char szKernelPath[256];
ANSI_STRING asFileName;
UNICODE_STRING usFileName;
OBJECT_ATTRIBUTES ObjAttr;
IO_STATUS_BLOCK ioStatus;
FILE_POSITION_INFORMATION FilePos;
HANDLE hFile;
KernelVirtualBase = GetKernelBaseAddress( szKernelPath );
KernelImageBase = ((IMAGE_NT_HEADERS*)(KernelVirtualBase + ((IMAGE_DOS_HEADER*)KernelVirtualBase)->e_lfanew))->OptionalHeader.ImageBase;
NumberOfServices = KeServiceDescriptorTable->NumberOfServices;
KiServiceTable = (ULONG)KeServiceDescriptorTable->ServiceTableBase;
if (Index>=NumberOfServices) return FALSE;
uSSDTRaw = RVAToRaw( KernelVirtualBase, KiServiceTable+Index*4);
if (uSSDTRaw)
{
RtlInitAnsiString( &asFileName, szKernelPath );
ntStatus = RtlAnsiStringToUnicodeString( &usFileName, &asFileName, TRUE );
if( NT_SUCCESS(ntStatus) )
{
InitializeObjectAttributes(&ObjAttr,&usFileName,OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,NULL,NULL);
ntStatus = ZwOpenFile(&hFile,FILE_READ_DATA,&ObjAttr,&ioStatus,FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,FILE_SYNCHRONOUS_IO_NONALERT );
if ( NT_SUCCESS(ntStatus) && hFile )
{
FilePos.CurrentByteOffset.LowPart = uSSDTRaw;
FilePos.CurrentByteOffset.HighPart = 0;
ntStatus = ZwSetInformationFile( hFile,&ioStatus,&FilePos,sizeof(FILE_POSITION_INFORMATION),FilePositionInformation );
if( NT_SUCCESS(ntStatus) )
{
ntStatus = ZwReadFile(hFile,NULL,NULL,NULL,&ioStatus,&KernelServiceTable,sizeof(ULONG),NULL,NULL );
if( NT_SUCCESS(ntStatus) )
{
RealServiceAddress=KernelServiceTable - KernelImageBase + KernelVirtualBase;
}
}
ZwClose(hFile);
}
}
}
RtlFreeUnicodeString( &usFileName );
return RealServiceAddress;
}
ULONG GetExportFuncAddr(IN PCHAR lpFunctionName, IN PUNICODE_STRING pDllName)
{
HANDLE hThread, hSection, hFile, hMod;
SECTION_IMAGE_INFORMATION sii;
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_OPTIONAL_HEADER pOptHeader;
PIMAGE_EXPORT_DIRECTORY pExportTable;
PULONG arrayOfFuncAddr,arrayOfFuncNames;
PSHORT arrayOfFuncOrdinals;
ULONG funcOrdinal,Base, i, FuncAddr;
PCHAR FuncName;
STRING ntFuncName, ntFuncNameSearch;
PVOID BaseAddress = NULL;
SIZE_T size = 0;
OBJECT_ATTRIBUTES ObjAttr;
IO_STATUS_BLOCK IoStatusBlock;
InitializeObjectAttributes(&ObjAttr,pDllName,OBJ_CASE_INSENSITIVE,NULL, NULL);
ZwOpenFile(&hFile,FILE_EXECUTE | SYNCHRONIZE,&ObjAttr,&IoStatusBlock,FILE_SHARE_READ,FILE_SYNCHRONOUS_IO_NONALERT);
ObjAttr.ObjectName = 0;
ZwCreateSection(&hSection,SECTION_ALL_ACCESS,&ObjAttr,0,PAGE_EXECUTE,0x1000000,hFile);
ZwMapViewOfSection(hSection,NtCurrentProcess(),&BaseAddress,0,1000, 0,&size,(SECTION_INHERIT)1,MEM_TOP_DOWN, PAGE_READWRITE);
ZwClose(hFile);
hMod = BaseAddress;
pDosHeader = (PIMAGE_DOS_HEADER)hMod;
pOptHeader = (PIMAGE_OPTIONAL_HEADER)((PUCHAR)hMod + pDosHeader->e_lfanew + 24 );
pExportTable =(PIMAGE_EXPORT_DIRECTORY)((PUCHAR)hMod + pOptHeader->DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress);
arrayOfFuncAddr = (PULONG)( (PUCHAR)hMod + pExportTable->AddressOfFunctions);
arrayOfFuncNames = (PULONG)( (PUCHAR)hMod + pExportTable->AddressOfNames);
arrayOfFuncOrdinals = (PSHORT)( (PUCHAR)hMod + pExportTable->AddressOfNameOrdinals);
Base = pExportTable->Base;
RtlInitString(&ntFuncNameSearch, lpFunctionName);
for( i=0; i<pExportTable->NumberOfFunctions; i++ )
{
FuncName = (PCHAR)( (PUCHAR)hMod + arrayOfFuncNames[i]);
RtlInitString( &ntFuncName, FuncName );
funcOrdinal = arrayOfFuncOrdinals[i] + Base - 1;
FuncAddr = (ULONG)( (PUCHAR)hMod + arrayOfFuncAddr[funcOrdinal]);
if (RtlCompareString(&ntFuncName, &ntFuncNameSearch, TRUE) == 0)
{
ZwClose(hSection);
return FuncAddr;
}
}
ZwClose(hSection);
return 0;
}
ULONG GetSysCallIndex( PCHAR FuncName )//获得索引号
{
UNICODE_STRING usDllName;
ULONG FuncAddr;
ULONG SysCallIndex;
RtlInitUnicodeString( &usDllName, L"\\SystemRoot\\System32\\ntdll.dll" );
FuncAddr = GetExportFuncAddr(FuncName, &usDllName);
SysCallIndex = *( (PSHORT)(FuncAddr + 1) );
return SysCallIndex;
}

复制代码

xiaoly99 · 发表于 2010-8-30 13:21:39

回复 2# ok100fen
OK爷爷,您搞不清楚啊?
TA那个是sssdt.h,我这个是KernelVoid.h,我这个是修改过的,不是TA的.
是我为了方便加了个Kv******,原来是没有的.

xiaoly99 · 发表于 2010-8-30 13:23:51

再说了,您这个0x7A是硬编码,这段代码仅仅能在XP上运行.

ok100fen · 发表于 2010-8-30 14:55:36

用微软宏取得地址的代码

#include <ntddk.h>
VOID Unload(IN PDRIVER_OBJECT DriverObject)
{
}
#pragma pack(1) //SSDT表的结构
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase; //Used only in checked build
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable; //变量名是不能变的,因为是从外部导入

//取函数在SSDT中的位置
#define SYSTEMSERVICE(_function)  KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
//取函数的索引
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
NTSYSAPI NTSTATUS NTAPI ZwOpenProcess(OUT PHANDLE ProcessHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId OPTIONAL);

typedef NTSTATUS (*ZWOPENPROCESS)(OUT PHANDLE ProcessHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId OPTIONAL);

NTSTATUS  DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{



   SYSTEMSERVICE(ZwOpenProcess);


   KdPrint(("NtOpenProcess的地址=%x",SYSTEMSERVICE(ZwOpenProcess)));

      DriverObject->DriverUnload = Unload;

return STATUS_SUCCESS;
}

ok100fen · 发表于 2010-8-30 17:36:19

#include <ntddk.h>
#include "ntimage.h"
#include "KernelVoid.h"

VOID Unload(IN PDRIVER_OBJECT DriverObject)
{
}

NTSTATUS  DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{

                  ULONG XXXX;
                  XXXX=KvGetKernelVoid(L"NtOpenProcess");

                  KdPrint(("内核函数地址=%x",XXXX));

                  DriverObject->DriverUnload = Unload;

return STATUS_SUCCESS;
}