发表于 2010-9-11 00:40:17
原理是直接找 call，或根据特征码辅助定位 call。下面给一段 demo 源码：
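' Locates an unexported kernel routine by scanning the body of a nearby
' exported routine for the first "call rel32" (opcode E8) whose preceding
' byte matches a known value, then resolving that call's target.
'
' routineName   - exported routine whose body is scanned; resolved through
'                 GetSystemRoutineAddress (defined elsewhere in the project)
' precedingByte - the byte expected immediately before the E8 opcode; it is
'                 the only thing distinguishing the wanted call from any
'                 other E8 byte (including operand bytes) in the window
' scanLength    - number of bytes to scan starting at the routine entry
'
' Returns the value computed by GetTargetAddress (defined elsewhere;
' presumably it resolves the rel32 displacement relative to the call site),
' or 0 when the routine could not be resolved, no matching call was found,
' or a byte read raised an error. Callers MUST treat 0 as "not found": the
' byte pattern is specific to a given Windows build and may not match on
' other versions, so a silently wrong address would be far worse than none.
Private Function FindCallTargetAfterByte(ByVal routineName As String, _
                                         ByVal precedingByte As Byte, _
                                         ByVal scanLength As Long) As Long
    On Error GoTo Failed
    Dim baseAddr As Long
    Dim offset As Long
    Dim opcode As Byte, prevByte As Byte
    Dim b1 As Byte, b2 As Byte, b3 As Byte, b4 As Byte

    FindCallTargetAfterByte = 0
    baseAddr = GetSystemRoutineAddress(routineName)
    ' An unresolved export yields 0; scanning from there would read the
    ' null page instead of code, so bail out before touching memory.
    If baseAddr = 0 Then Exit Function

    For offset = 0 To scanLength - 1
        Call GetByte(baseAddr + offset, opcode)
        If opcode = &HE8 Then
            Call GetByte(baseAddr + offset - 1, prevByte)
            If prevByte = precedingByte Then
                ' The four bytes following E8 are the call's rel32 operand;
                ' GetTargetAddress receives them together with the call site.
                Call GetByte(baseAddr + offset + 1, b1)
                Call GetByte(baseAddr + offset + 2, b2)
                Call GetByte(baseAddr + offset + 3, b3)
                Call GetByte(baseAddr + offset + 4, b4)
                FindCallTargetAfterByte = GetTargetAddress(baseAddr + offset, b1, b2, b3, b4)
                Exit Function
            End If
        End If
    Next
    Exit Function

Failed:
    ' A failed read inside the scan window is reported as "not found"
    ' instead of continuing with stale byte values (the original used
    ' On Error Resume Next, which would have done exactly that).
    FindCallTargetAfterByte = 0
End Function

' Signature used here: an E8 call preceded by byte &H50 within the first
' 260 bytes of PsTerminateSystemThread. Returns 0 when not found; see
' FindCallTargetAfterByte for the caveats on build-specific patterns.
Public Function FindPspTerminateThreadByPointer() As Long
    FindPspTerminateThreadByPointer = FindCallTargetAfterByte("PsTerminateSystemThread", &H50, 260)
End Function

' Signature used here ("28 e8" in the original note): an E8 call preceded
' by byte &H28 within the first 260 bytes of KeInsertQueueApc. Returns 0
' when not found; see FindCallTargetAfterByte for the caveats.
Public Function FindKiInsertQueueApc() As Long
    FindKiInsertQueueApc = FindCallTargetAfterByte("KeInsertQueueApc", &H28, 260)
End Function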