VC++实现恢复SSDT

墨蓝 2022-08-18 14:23 89阅读 0赞

SSDT（System Services Descriptor Table），系统服务描述符表。这个表就是一个把ring3的Win32 API和ring0的内核API联系起来。SSDT并不仅仅只包含一个庞大的地址索引表，它还包含着一些其它有用的信息，诸如地址索引的基地址、服务函数个数等。  
　　通过修改此表的函数地址可以对常用windows函数及API进行hook，从而实现对一些关心的系统动作进行过滤、监控的目的。一些HIPS、防毒软件、系统监控、注册表监控软件往往会采用此接口来实现自己的监控模块，  
　　目前极个别病毒确实会采用这种方法来保护自己或者破坏防毒软件，但在这种病毒进入系统前如果防毒软件能够识别并清除它将没有机会发作.

SSDT到底是什么呢？打一个比方，SSDT相当于系统内部API的指向标，作用就是告诉系统，需要调用的API在什么地方。

请看源码解析

**\[cpp\]** [view plain][] [copy][view plain]

1.  /\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
2.  \*
3.  \*ZwQuerySystemInformation函数常用结构
4.  \*
5.  \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*/
6.  \#ifndef \_SPS\_H\_
7.  \#define \_SPS\_H\_ 1
8.  
9.  \#include <ntddk.h>
10. \#include "table.h"
11. \#include "pe.h"
12. 
13. \#endif
14. 
15. 
16. **typedef****enum** \_SYSTEM\_INFORMATION\_CLASS 
17. \{ 
18.  SystemBasicInformation, // 0 
19.  SystemProcessorInformation, // 1 
20.  SystemPerformanceInformation, // 2
21.  SystemTimeOfDayInformation, // 3
22.  SystemNotImplemented1, // 4
23.  SystemProcessesAndThreadsInformation, // 5
24.  SystemCallCounts, // 6
25.  SystemConfigurationInformation, // 7
26.  SystemProcessorTimes, // 8
27.  SystemGlobalFlag, // 9
28.  SystemNotImplemented2, // 10
29.  SystemModuleInformation, // 11 系统模块
30.  SystemLockInformation, // 12
31.  SystemNotImplemented3, // 13
32.  SystemNotImplemented4, // 14
33.  SystemNotImplemented5, // 15
34.  SystemHandleInformation, // 16
35.  SystemObjectInformation, // 17
36.  SystemPagefileInformation, // 18
37.  SystemInstructionEmulationCounts, // 19
38.  SystemInvalidInfoClass1, // 20
39.  SystemCacheInformation, // 21
40.  SystemPoolTagInformation, // 22
41.  SystemProcessorStatistics, // 23
42.  SystemDpcInformation, // 24
43.  SystemNotImplemented6, // 25
44.  SystemLoadImage, // 26
45.  SystemUnloadImage, // 27
46.  SystemTimeAdjustment, // 28
47.  SystemNotImplemented7, // 29
48.  SystemNotImplemented8, // 30
49.  SystemNotImplemented9, // 31
50.  SystemCrashDumpInformation, // 32
51.  SystemExceptionInformation, // 33
52.  SystemCrashDumpStateInformation, // 34
53.  SystemKernelDebuggerInformation, // 35
54.  SystemContextSwitchInformation, // 36
55.  SystemRegistryQuotaInformation, // 37
56.  SystemLoadAndCallImage, // 38
57.  SystemPrioritySeparation, // 39
58.  SystemNotImplemented10, // 40
59.  SystemNotImplemented11, // 41
60.  SystemInvalidInfoClass2, // 42
61.  SystemInvalidInfoClass3, // 43
62.  SystemTimeZoneInformation, // 44
63.  SystemLookasideInformation, // 45
64.  SystemSetTimeSlipEvent, // 46
65.  SystemCreateSession, // 47
66.  SystemDeleteSession, // 48
67.  SystemInvalidInfoClass4, // 49
68.  SystemRangeStartInformation, // 50
69.  SystemVerifierInformation, // 51
70.  SystemAddVerifier, // 52
71.  SystemSessionProcessesInformation // 53 
72. \}SYSTEM\_INFORMATION\_CLASS; //内核模块类型，我们要列举的是SystemProcessesAndThreadsInformation,进程和线程信
73. //线程信息
74. **typedef****struct** \_SYSTEM\_THREAD\_INFORMATION 
75. \{ 
76.  LARGE\_INTEGER KernelTime; 
77.  LARGE\_INTEGER UserTime; 
78.  LARGE\_INTEGER CreateTime; 
79. **ULONG** WaitTime; 
80. **PVOID** StartAddress; 
81.  CLIENT\_ID ClientId; 
82.  KPRIORITY Priority; 
83.  KPRIORITY BasePriority; 
84. **ULONG** ContextSwitchCount; 
85. **LONG** State; 
86. **LONG** WaitReason; 
87. \} SYSTEM\_THREAD\_INFORMATION, \*PSYSTEM\_THREAD\_INFORMATION; //线程结构
88. //进程信息
89. **typedef****struct** \_SYSTEM\_PROCESS\_INFORMATION 
90. \{ 
91. **ULONG** NextEntryDelta; //NextEntryOffset下一个进程结构的偏移量,每一个进程对应一个结构
92. //最后一个进程的NextEntryOffset=0
93. **ULONG** NumberOfThreads; //线程数目 
94.  LARGE\_INTEGER Reserved\[3\]; 
95.  LARGE\_INTEGER CreateTime; //创建时间 
96.  LARGE\_INTEGER UserTime; //用户模式(Ring 3)的CPU时间 
97.  LARGE\_INTEGER KernelTime; //内核模式(Ring 0)的CPU时间 
98.  UNICODE\_STRING ProcessName; //进程名 
99.  KPRIORITY BasePriority; //进程优先权 
100. **ULONG** ProcessId; //进程标识符 
101. **ULONG** InheritedFromProcessId; //父进程的标识符 
102. **ULONG** HandleCount; //句柄数目 
103. **ULONG** Reserved2\[2\]; 
104. **ULONG** PrivatePageCount; 
105.  VM\_COUNTERS VirtualMemoryCounters; //虚拟存储器的结构 
106.  IO\_COUNTERS IoCounters; //IO计数结构 
107.  SYSTEM\_THREAD\_INFORMATION Threads\[0\]; //进程相关线程的结构数组 
108. \} SYSTEM\_PROCESS\_INFORMATION, \*PSYSTEM\_PROCESS\_INFORMATION; 
109. //------------------------------------------------------------------------------
110. //模块信息
111. **typedef****struct** \_SYSTEM\_MODULE\_INFORMATION \{ 
112. **ULONG** Reserved\[2\]; 
113. **PVOID** Base; 
114. **ULONG** Size; 
115. **ULONG** Flags; 
116. **USHORT** Index; 
117. **USHORT** Unknown; 
118. **USHORT** LoadCount; 
119. **USHORT** ModuleNameOffset; 
120. **CHAR** ImageName\[256\]; 
121. \} SYSTEM\_MODULE\_INFORMATION, \*PSYSTEM\_MODULE\_INFORMATION; 
122. //模块列表
123. **typedef****struct** \_SYSMODULELIST\{ 
124. **ULONG** ulCount; 
125.  SYSTEM\_MODULE\_INFORMATION smi\[1\]; 
126. \} SYSMODULELIST, \*PSYSMODULELIST; 
127. //-----------------------------------------------------------------------------------
128. //DRIVER\_SECTION结构
129. **typedef****struct** \_LDR\_DATA\_TABLE\_ENTRY 
130. \{ 
131.  LIST\_ENTRY InLoadOrderLinks; 
132.  LIST\_ENTRY InMemoryOrderLinks; 
133.  LIST\_ENTRY InInitializationOrderLinks; 
134. **PVOID** DllBase; 
135. **PVOID** EntryPoint; 
136. **ULONG** SizeOfImage; 
137.  UNICODE\_STRING FullDllName; 
138.  UNICODE\_STRING BaseDllName; 
139. **ULONG** Flags; 
140. **USHORT** LoadCount; 
141. **USHORT** TlsIndex; 
142. **union** \{ 
143.  LIST\_ENTRY HashLinks; 
144. **struct**
145.  \{ 
146. **PVOID** SectionPointer; 
147. **ULONG** CheckSum; 
148.  \}; 
149.  \}; 
150. **union** \{ 
151. **struct**
152.  \{ 
153. **ULONG** TimeDateStamp; 
154.  \}; 
155. **struct**
156.  \{ 
157. **PVOID** LoadedImports; 
158.  \}; 
159.  \}; 
160. **struct** \_ACTIVATION\_CONTEXT \* EntryPointActivationContext; 
161. **PVOID** PatchInformation; 
162. \}LDR\_DATA\_TABLE\_ENTRY, \*PLDR\_DATA\_TABLE\_ENTRY; 
163. //===================================================================================
164. NTKERNELAPI NTSTATUS 
165. ZwQuerySystemInformation( 
166.  IN SYSTEM\_INFORMATION\_CLASS SystemInformationClass, 
167.  OUT **PVOID** SystemInformation, 
168.  IN **ULONG** SystemInformationLength, 
169.  OUT **PULONG** ReturnLength OPTIONAL 
170.  ); //最终是通过遍历EPROCESS获取的
171. 
172. **typedef** NTSTATUS (\*ZWQUERYSYSTEMINFORMATION)( 
173.  IN SYSTEM\_INFORMATION\_CLASS SystemInformationClass, 
174.  OUT **PVOID** SystemInformation, 
175.  IN **ULONG** SystemInformationLength, 
176.  OUT **PULONG** ReturnLength OPTIONAL 
177.  ); //定义结构
178. 
179. NTSYSAPI **BOOLEAN** NTAPI KeAddSystemServiceTable( 
180. **ULONG** lpAddressTable, 
181. **BOOLEAN** bUnknown, 
182. **ULONG** dwNumEntries, 
183. **ULONG** lpParameterTable, 
184. **ULONG** dwTableID 
185.  ); 
186. 
187. 
188. 
189. 
190. //\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*函数声明\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
191. //根据地址查找模块
192. **void** FindModuleByAddress( **ULONG** Address, **PVOID** buffer); 
193. //根据RVA查找SSDT 文件偏移
194. **ULONG** FindFileOffsetByRva( **ULONG** ModuleAddress,**ULONG** Rva); 
195. //路径解析出子进程名
196. **void** GetModuleName( **char** \*ProcessPath, **char** \*ProcessName); 
197. //根据服务号得到当前的地址
198. **ULONG** FindOriAddress( **ULONG** index ); 
199. //得到SSDT Shadow表地址
200. **ULONG** GetSSDTShadowAddress2(); 
201. 
202. **ULONG** GetWin32Base2( PDRIVER\_OBJECT driver); 
203. 
204. **ULONG** FindShadowOriAddress( **ULONG** index ); 
205. /\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* 
206. \* 
207. \*函数名：FindModuleByAddress 
208. \*功能描述：根据函数地址查找所属模块 
209. \* 
210. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*/ 
211. /\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
212. \*
213. \* 原理： 利用ZwQuerySystemInformation传入SystemModuleInformation（11）得到系统模块列表
214. \* 得到每个模块的起始和结束地址
215. \* 比对地址，在那个范围就属于哪个模块
216. \* 得到模块名
217. \*
218. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*/
219. \#include "refresh.h"
220. **void** FindModuleByAddress( **ULONG** Address, **PVOID** buffer) 
221. \{ 
222.  NTSTATUS status; 
223. **ULONG** size; 
224. **ULONG** i; 
225. **ULONG** minAddress; 
226. **ULONG** maxAddress; 
227.  PSYSMODULELIST List; 
228. 
229.  ZwQuerySystemInformation( SystemModuleInformation ,&size,0,&size); 
230.  KdPrint(("\[FindModuleByAddress\] size:0x%x\\n",size)); 
231.  List=(PSYSMODULELIST)ExAllocatePool(NonPagedPool,size); 
232. **if**(List==NULL) 
233.  \{ 
234.  KdPrint(("\[FindModuleByAddress\] malloc memory failed\\n")); 
235. **return** ; 
236.  \} 
237. 
238.  status=ZwQuerySystemInformation(SystemModuleInformation,List,size,0); 
239. **if**(!NT\_SUCCESS(status)) 
240.  \{ 
241.  KdPrint(("\[FindModuleByAddress\] query failed\\n")); 
242. //打印错误
243.  KdPrint(("\[FindModuleByAddress\] status: 0x%x\\n",status)); 
244.  ExFreePool( List ); 
245. **return** ; 
246.  \} 
247. //得到了模块链表
248. //判断模块名
249. **for**( i=0; i<List->ulCount; i++) 
250.  \{ 
251. //得到模块的范围
252.  minAddress = (**ULONG**)List->smi\[i\].Base; 
253.  maxAddress = minAddress + List->smi\[i\].Size; 
254. //判断地址
255. **if**( Address >= minAddress && Address <= maxAddress ) 
256.  \{ 
257.  memcpy( buffer, List->smi\[i\].ImageName,**sizeof**(List->smi\[i\].ImageName)); 
258.  KdPrint(("\[FindModuleByAddress\] modulename: %s\\n",buffer)); 
259. //释放内存
260.  ExFreePool(List); 
261. **break**; 
262.  \} 
263.  \} 
264. \} 
265. /\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
266. \*
267. \* 函数名:GetOriFunctionAddress
268. \* 功能描述:得到原始SSDT表中函数地址
269. \*
270. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*/
271. /\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
272. \*
273. \* 原理： 找到内核文件，获取基址BaseAddress
274. \* 根据内核文件查找SSDT表的文件偏移SSDTFileOffset = SSDTRVA-（节RVA-节Offset）
275. \* 读取函数的文件偏移FunctionFileOffset
276. \* VA=BaseAddress+FunctionFileOffset-00400000=800d8000 + FunctionFileOffset
277. \*
278. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*/
279. /\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
280. \*
281. \* 根据RVA查找所在的文件偏移：FileOffset = Rva- (节Rva - 节Offset)
282. \* 找到区块表
283. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*/
284. **ULONG** FindFileOffsetByRva( **ULONG** ModuleAddress,**ULONG** Rva) 
285. \{ 
286.  PIMAGE\_DOS\_HEADER dos; 
287.  PIMAGE\_FILE\_HEADER file; 
288.  PIMAGE\_SECTION\_HEADER section; 
289. //区块数目
290. **ULONG** number; 
291. **ULONG** i; 
292. **ULONG** minAddress; 
293. **ULONG** maxAddress; 
294. **ULONG** SeFileOffset; 
295. **ULONG** FileOffset; 
296. 
297.  dos = (PIMAGE\_DOS\_HEADER)ModuleAddress; 
298.  file = (PIMAGE\_FILE\_HEADER)( ModuleAddress + dos->e\_lfanew + 4 ); 
299. //得到区块数量
300.  number = file->NumberOfSections; 
301.  KdPrint(("\[FindFileOffsetByRva\] number :0x%x\\n",number)); 
302. //得到第一个区块地址
303.  section = (PIMAGE\_SECTION\_HEADER)(ModuleAddress + dos->e\_lfanew + 4 + **sizeof**(IMAGE\_FILE\_HEADER) + file->SizeOfOptionalHeader); 
304. **for**( i=0;i<number;i++) 
305.  \{ 
306.  minAddress = section\[i\].VirtualAddress; 
307.  maxAddress = minAddress + section\[i\].SizeOfRawData; 
308.  SeFileOffset = section\[i\].PointerToRawData; 
309. **if**( Rva > minAddress && Rva < maxAddress) 
310.  \{ 
311.  KdPrint(("\[FindFileOffsetByRva\] minAddress :0x%x\\n",minAddress)); 
312.  KdPrint(("\[FindFileOffsetByRva\] SeFileOffset :0x%x\\n",SeFileOffset)); 
313.  FileOffset = Rva - ( minAddress - SeFileOffset); 
314.  KdPrint(("\[FindFileOffsetByRva\] FileOffset :0x%x\\n",FileOffset)); 
315. **break** ; 
316.  \} 
317.  \} 
318. **return** FileOffset; 
319. \} 
320. 
321. //路径解析出子进程名
322. **void** GetModuleName( **char** \*ProcessPath, **char** \*ProcessName) 
323. \{ 
324. **ULONG** n = strlen( ProcessPath) - 1; 
325. **ULONG** i = n; 
326.  KdPrint(("%d",n)); 
327. **while**( ProcessPath\[i\] != '\\\\') 
328.  \{ 
329.  i = i-1; 
330.  \} 
331.  strncpy( ProcessName, ProcessPath+i+1,n-i); 
332. \} 
333. 
334. /\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
335. \*
336. \* 根据传入的服务号得到函数原始地址
337. \*
338. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*/
339. **ULONG** FindOriAddress( **ULONG** index ) 
340. \{ 
341. //根据传入的index得到函数VA地址
342. //重定位函数地址
343. //BaseAddress - 0x00400000 + \*(PULONG)(FileOffset+(index\*4))
344. //ZwQuerySystemInformation得到内核文件基地址
345. //得到SSDT表的地址
346. //得到SSDT RVA 查找SSDT RVA所在的节
347.  NTSTATUS status; 
348. **ULONG** size; 
349. **ULONG** BaseAddress; 
350. **ULONG** SsdtRva; 
351. **ULONG** FileOffset = 0; 
352. 
353.  PSYSMODULELIST list; 
354. **char** Name\[32\]=\{0\}; 
355. **char** PathName\[256\] = "\\\\SystemRoot\\\\system32\\\\"; 
356.  ANSI\_STRING name; 
357.  UNICODE\_STRING modulename; 
358. 
359.  OBJECT\_ATTRIBUTES object\_attributes; 
360.  IO\_STATUS\_BLOCK io\_status = \{0\}; 
361. **HANDLE** hFile; 
362. //读取的位置
363. **ULONG** location; 
364.  LARGE\_INTEGER offset; 
365. **ULONG** address; 
366. 
367. //得到需要申请的内存大小
368.  ZwQuerySystemInformation( SystemModuleInformation,&size,0,&size ); 
369. //申请内存
370.  list = (PSYSMODULELIST) ExAllocatePool( NonPagedPool,size ); 
371. //验证是否申请成功
372. **if**( list == NULL) 
373.  \{ 
374. //申请失败
375.  KdPrint(("\[FindOriAddress\] malloc memory failed\\n")); 
376.  ExFreePool(list); 
377. **return** 0; 
378.  \} 
379.  status = ZwQuerySystemInformation( SystemModuleInformation,list,size,0); 
380. **if**( !NT\_SUCCESS( status )) 
381.  \{ 
382. //获取信息失败
383.  KdPrint(("\[FindOriAddress\] query failed\\n")); 
384.  KdPrint(("\[FindOriAddress\] status:0x%x\\n",status)); 
385.  ExFreePool(list); 
386. **return** 0; 
387.  \} 
388. //得到模块基址,第一个模块为内核文件
389.  BaseAddress = (**ULONG** )list->smi\[0\].Base; 
390.  KdPrint(("\[FindOriAddress\] BaseAddress:0x%x\\n",BaseAddress)); 
391. //分离出内核文件名
392.  GetModuleName(list->smi\[0\].ImageName,Name); 
393.  KdPrint(("\[FindOriAddress\] processname:%s\\n",Name)); 
394.  strcat(PathName,Name); 
395.  RtlInitAnsiString(&name,PathName); 
396.  RtlAnsiStringToUnicodeString(&modulename,&name,TRUE); 
397.  KdPrint(("\[FindOriAddress\] modulename: %wZ\\n",&modulename)); 
398.  ExFreePool(list); 
399. //经验证地址正确
400. //得到SSDT表的Rva
401.  SsdtRva = (**ULONG**)KeServiceDescriptorTable->ServiceTableBase - BaseAddress; 
402. //验证
403.  KdPrint(("\[FindOriAddress\] SsdtRva:0x%x\\n",SsdtRva)); 
404. //根据RVA查找文件偏移,//得到文件偏移了
405.  FileOffset= FindFileOffsetByRva( BaseAddress,SsdtRva); 
406.  KdPrint(("\[FindOriAddress\] FileOffset:0x%x\\n",FileOffset)); 
407. //读取的位置
408.  location = FileOffset + index \* 4; 
409.  offset.QuadPart =location; 
410.  KdPrint(("\[FindOriAddress\] location:0x%x\\n",location)); 
411. //利用ZwReadFile读取文件
412. //初始化OBJECT\_ATTRIBUTES结构
413.  InitializeObjectAttributes( 
414.  &object\_attributes, 
415.  &modulename, 
416.  OBJ\_CASE\_INSENSITIVE | OBJ\_KERNEL\_HANDLE, 
417.  NULL, 
418.  NULL); 
419. //打开文件
420.  status = ZwCreateFile( 
421.  &hFile, 
422.  FILE\_EXECUTE | SYNCHRONIZE, 
423.  &object\_attributes, 
424.  &io\_status, 
425.  NULL, 
426.  FILE\_ATTRIBUTE\_NORMAL, 
427.  FILE\_SHARE\_READ, 
428.  FILE\_OPEN, 
429.  FILE\_NON\_DIRECTORY\_FILE | 
430.  FILE\_RANDOM\_ACCESS | 
431.  FILE\_SYNCHRONOUS\_IO\_NONALERT, 
432.  NULL, 
433.  0); 
434. **if**( !NT\_SUCCESS( status )) 
435.  \{ 
436.  KdPrint(("\[FindOriAddress\] open error\\n")); 
437.  KdPrint(("\[FindOriAddress\] status = 0x%x\\n", status)); 
438.  ZwClose( hFile ); 
439. **return** 0; 
440.  \} 
441.  status = ZwReadFile( 
442.  hFile, 
443.  NULL, 
444.  NULL, 
445.  NULL, 
446.  NULL, 
447.  &address, 
448. **sizeof**(**ULONG**), 
449.  &offset, 
450.  NULL); 
451. **if**( !NT\_SUCCESS( status )) 
452.  \{ 
453.  KdPrint(("\[FindOriAddress\] read error\\n")); 
454.  KdPrint(("\[FindOriAddress\] status = 0x%x\\n", status)); 
455.  ZwClose( hFile ); 
456. **return** 0; 
457.  \} 
458.  KdPrint(("\[FindOriAddress\] address:0x%x\\n",address)); 
459. //重定位
460.  address = BaseAddress - 0x00400000 + address; 
461.  KdPrint(("\[FindOriAddress\] Oriaddress:0x%x\\n",address)); 
462. //释放动态分配的内存
463.  RtlFreeUnicodeString(&modulename); 
464.  ZwClose( hFile ); 
465. **return** address; 
466. \} 
467. /\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
468. \*
469. \* 得到SSDT Shadow当前地址
470. \* 1、KeServiceDescriptorTable - 0x40 + 0x10
471. \* 2、搜索KeAddSystemServiceTable函数，特征码
472. \* 3、Kthread->ServiceTable指向
473. \* 4、MJ提出的搜索特定内存
474. \*
475. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*/
476. //方式1,XP下-0x40;
477. **ULONG** GetSSDTShadowAddress1() 
478. \{ 
479. **ULONG** address; 
480. **ULONG** ssdt; 
481.  ssdt = (**ULONG**)KeServiceDescriptorTable; 
482.  address = ssdt - 0x30; 
483.  KdPrint(("\[GetSSDTShadowAddress\] ssdt:0x%x\\n",ssdt)); 
484.  KdPrint(("\[GetSSDTShadowAddress\] address:0x%x\\n",address)); 
485. **return** address; 
486. \} 
487. //方式2
488. **ULONG** GetSSDTShadowAddress2() 
489. \{ 
490. **ULONG** address; 
491. **PUCHAR** addr; 
492. **PUCHAR** p; 
493.  addr = (**PUCHAR**)KeAddSystemServiceTable; 
494. **for**( p=addr; p<addr+PAGE\_SIZE; p++) 
495.  \{ 
496. **if**(\*(**PUSHORT**)p == 0x888D) 
497.  \{ 
498.  address = \*(**PULONG**)((**ULONG**)p+2); 
499. **break**; 
500.  \} 
501.  \} 
502.  address = address + 0x10; 
503.  KdPrint(("\[GetSSDTShadowAddress\] address:0x%x\\n",address)); 
504. **return** address; 
505. \} 
506. //方式3
507. **ULONG** GetSSDTShadowAddress3() 
508. \{ 
509. **return** 0; 
510. \} 
511. //方式4
512. **ULONG** GetSSDTShadowAddress4() 
513. \{ 
514. **return** 0; 
515. \} 
516. /\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
517. \*
518. \* 获得win32k.sys基址
519. \* 1、ZwQuerySystemInformation
520. \* 2、遍历DriverSection链表
521. \*
522. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*/
523. **ULONG** GetWin32Base1() 
524. \{ 
525.  NTSTATUS status; 
526. **ULONG** i; 
527. **ULONG** size; 
528. **ULONG** address; 
529.  PSYSMODULELIST List; 
530. 
531.  ZwQuerySystemInformation( SystemModuleInformation ,&size,0,&size); 
532.  KdPrint(("\[FindModuleByAddress\] size:0x%x\\n",size)); 
533.  List=(PSYSMODULELIST)ExAllocatePool(NonPagedPool,size); 
534. **if** (List==NULL) 
535.  \{ 
536.  KdPrint(("\[FindModuleByAddress\] malloc memory failed\\n")); 
537.  ExFreePool( List ); 
538. **return** 0; 
539.  \} 
540. 
541.  status=ZwQuerySystemInformation(SystemModuleInformation,List,size,0); 
542. **if** (!NT\_SUCCESS(status)) 
543.  \{ 
544.  KdPrint(("\[FindModuleByAddress\] query failed\\n")); 
545. //打印错误
546.  KdPrint(("\[FindModuleByAddress\] status: 0x%x\\n",status)); 
547.  ExFreePool( List ); 
548. **return** 0; 
549.  \} 
550. **for** ( i=0; i < List->ulCount; i++ ) 
551.  \{ 
552. 
553. **if**( strcmp(List->smi\[i\].ImageName,"\\\\SystemRoot\\\\System32\\\\win32k.sys") == 0) 
554.  \{ 
555.  KdPrint(("\[GetWin32Base\]name :%s\\n",List->smi\[i\].ImageName)); 
556.  address = (**ULONG**)List->smi\[i\].Base; 
557.  KdPrint(("\[GetWin32Base1\] win32k.sys address:0x%x\\n",address)); 
558.  \} 
559. 
560.  \} 
561. **return** address; 
562. \} 
563. /\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
564. \*
565. \* 驱动对象DRIVER\_OBJECT中的DRIVER\_SECTION
566. \* LDR\_DATA\_TABLE\_ENTRY结构包含系统加载模块链表及基址
567. \*
568. \*
569. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*/
570. **ULONG** GetWin32Base2( PDRIVER\_OBJECT driver) 
571. \{ 
572.  PLIST\_ENTRY pList = NULL; 
573.  PLDR\_DATA\_TABLE\_ENTRY pLdr = NULL; 
574. **ULONG** BaseAddress = 0; 
575.  pList = ( (PLIST\_ENTRY)driver->DriverSection )->Flink; 
576. **do**
577.  \{ 
578.  pLdr = CONTAINING\_RECORD( 
579.  pList, 
580.  LDR\_DATA\_TABLE\_ENTRY, 
581.  InLoadOrderLinks 
582.  ); 
583. **if**( pLdr->EntryPoint != NULL && pLdr->FullDllName.Buffer!= NULL ) 
584.  \{ 
585. **if**( !\_wcsicmp( pLdr->FullDllName.Buffer, L"\\\\SystemRoot\\\\System32\\\\win32k.sys")) 
586.  \{ 
587.  BaseAddress = (**ULONG** )pLdr->DllBase; 
588.  KdPrint(("\[GetWin32Base2\] win32k.sys address:0x%x\\n",BaseAddress)); 
589. **break** ; 
590.  \} 
591.  \} 
592.  pList = pList->Flink; 
593.  \}**while**( pList != ((PLIST\_ENTRY)driver->DriverSection)->Flink ); 
594. **return** BaseAddress; 
595. \} 
596. /\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
597. \*
598. \* 根据传入的服务号得到Shadow 函数原始地址
599. \*
600. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*/
601. **ULONG** FindShadowOriAddress( **ULONG** index ) 
602. \{ 
603. //内核文件win32k.sys基地址
604. //得到SSDT Shadow表的地址
605. //得到文件偏移
606.  NTSTATUS status; 
607. **ULONG** size; 
608. **ULONG** BaseAddress; 
609. **ULONG** ShadowBase; 
610. **ULONG** ShadowAddress; 
611. **ULONG** SsdtRva; 
612. **ULONG** FileOffset = 0; 
613.  UNICODE\_STRING modulename; 
614. 
615. 
616.  OBJECT\_ATTRIBUTES object\_attributes; 
617.  IO\_STATUS\_BLOCK io\_status = \{0\}; 
618. **HANDLE** hFile; 
619. //读取的位置
620. **ULONG** location; 
621.  LARGE\_INTEGER offset; 
622. **ULONG** address; 
623. 
624.  BaseAddress = GetWin32Base1(); 
625.  KdPrint(("\[FindShadowOriAddress\] BaseAddress:0x%x\\n",BaseAddress)); 
626. //经验证地址正确
627.  ShadowBase = GetSSDTShadowAddress2(); 
628.  ShadowAddress = \*(**PULONG**)ShadowBase; 
629.  KdPrint(("\[FindShadowOriAddress\] ShadowAddress:0x%x\\n",ShadowAddress)); 
630. //得到SSDT表的Rva
631.  SsdtRva = ShadowAddress - BaseAddress; 
632. //验证
633.  KdPrint(("\[FindOriAddress\] SsdtRva:0x%x\\n",SsdtRva)); 
634. //读取的位置
635.  location = SsdtRva + index \* 4; 
636.  offset.QuadPart =location; 
637.  KdPrint(("\[FindOriAddress\] location:0x%x\\n",location)); 
638. //利用ZwReadFile读取文件
639. //初始化OBJECT\_ATTRIBUTES结构
640.  RtlInitUnicodeString(&modulename, L"\\\\SystemRoot\\\\system32\\\\win32k.sys"); 
641.  InitializeObjectAttributes( 
642.  &object\_attributes, 
643.  &modulename, 
644.  OBJ\_CASE\_INSENSITIVE | OBJ\_KERNEL\_HANDLE, 
645.  NULL, 
646.  NULL); 
647. //打开文件
648.  status = ZwCreateFile( 
649.  &hFile, 
650.  FILE\_EXECUTE | SYNCHRONIZE, 
651.  &object\_attributes, 
652.  &io\_status, 
653.  NULL, 
654.  FILE\_ATTRIBUTE\_NORMAL, 
655.  FILE\_SHARE\_READ, 
656.  FILE\_OPEN, 
657.  FILE\_NON\_DIRECTORY\_FILE | 
658.  FILE\_RANDOM\_ACCESS | 
659.  FILE\_SYNCHRONOUS\_IO\_NONALERT, 
660.  NULL, 
661.  0); 
662. **if**( !NT\_SUCCESS( status )) 
663.  \{ 
664.  KdPrint(("\[FindOriAddress\] open error\\n")); 
665.  KdPrint(("\[FindOriAddress\] status = 0x%x\\n", status)); 
666.  ZwClose( hFile ); 
667. **return** 0; 
668.  \} 
669.  status = ZwReadFile( 
670.  hFile, 
671.  NULL, 
672.  NULL, 
673.  NULL, 
674.  NULL, 
675.  &address, 
676. **sizeof**(**ULONG**), 
677.  &offset, 
678.  NULL); 
679. **if**( !NT\_SUCCESS( status )) 
680.  \{ 
681.  KdPrint(("\[FindOriAddress\] read error\\n")); 
682.  KdPrint(("\[FindOriAddress\] status = 0x%x\\n", status)); 
683.  ZwClose( hFile ); 
684. **return** 0; 
685.  \} 
686.  KdPrint(("\[FindOriAddress\] address:0x%x\\n",address)); 
687.  address = address; 
688.  KdPrint(("\[FindOriAddress\] Oriaddress:0x%x\\n",address)); 
689.  ZwClose( hFile ); 
690. **return** address; 
691. \}

[view plain]: http://blog.csdn.net/itcastcpp/article/details/8107209#