两种方法获取shadow ssdt

最新推荐文章于 2020-12-22 10:56:43 发布

aijia1857

最新推荐文章于 2020-12-22 10:56:43 发布

阅读量301

点赞数

原文链接：http://www.cnblogs.com/kuangke/p/5761555.html

版权

[cpp] view plain copy

print ?

ULONG
GetShadowSsdtCurrentAddresses(
PSSDT_ADDRESS AddressInfo,
PULONG Length
)
{
PSYSTEM_SERVICE_TABLE KeServiceDescriptorTableShadow = NULL;
ULONG NumberOfService = 0;
ULONG ServiceId = 0;
PKAPC_STATE ApcState;
ULONG i;
if (AddressInfo == NULL || Length == NULL)
{
KdPrint(("[GetShadowSsdtCurrentAddresses] 输入参数无效"));
return 0;
}
//KdPrint(("pid = %d", PsGetCurrentProcessId()));
ServiceId = (ULONG)PsGetCurrentProcessId();
if (!g_CsrssProcess) {
PsLookupProcessByProcessId((PVOID)ScPsGetCsrssProcessId(), &g_CsrssProcess);
}
KeServiceDescriptorTableShadow = GetKeServiceDescriptorTableShadow();
if (KeServiceDescriptorTableShadow == NULL)
{
KdPrint(("[GetShadowSsdtCurrentAddresses] GetKeServiceDescriptorTableShadow failed"));
return 0;
}
NumberOfService = KeServiceDescriptorTableShadow->NumberOfService;
if (Length[0] < NumberOfService * sizeof(SSDT_ADDRESS))
{
Length[0] = NumberOfService * sizeof(SSDT_ADDRESS);
return 0;
}
ApcState = ExAllocatePoolWithTag(NonPagedPool, sizeof(KAPC_STATE), MEM_TAG);
KeStackAttachProcess((PRKPROCESS)g_CsrssProcess, ApcState);
for (ServiceId = 0; ServiceId < NumberOfService; ServiceId ++)
{
AddressInfo[ServiceId].FunAddress = (ULONG)
KeServiceDescriptorTableShadow->ServiceTableBase[ServiceId];
AddressInfo[ServiceId].nIndex = ServiceId;
}
KeUnstackDetachProcess(ApcState);
ExFreePool(ApcState);
Length[0] = NumberOfService * sizeof(SSDT_ADDRESS);
return NumberOfService;
}
///
//
// 功能实现：枚举当前Shadow SSDT 表函数地址
// 输入参数：void
// 输出参数：返回Shadow ssdt table
//
///
PSYSTEM_SERVICE_TABLE
GetKeServiceDescriptorTableShadow(VOID)
{
PSYSTEM_SERVICE_TABLE ShadowTable = NULL;
ULONG ServiceTableAddress = 0;
PUCHAR cPtr = NULL;
for (cPtr = (PUCHAR)KeAddSystemServiceTable;
cPtr < (PUCHAR)KeAddSystemServiceTable + PAGE_SIZE;
cPtr += 1 )
{
if (!MmIsAddressValid(cPtr)) continue;
ServiceTableAddress = *(PULONG)cPtr;
if (!MmIsAddressValid((PVOID)ServiceTableAddress)) continue;
if (memcmp((PVOID)ServiceTableAddress, &KeServiceDescriptorTable, 16) == 0)
{
if ((PVOID)ServiceTableAddress == &KeServiceDescriptorTable) continue;
ShadowTable = (PSYSTEM_SERVICE_TABLE)ServiceTableAddress;
ShadowTable ++;
return ShadowTable;
}
}
return NULL;
}
//
// 方法2，通过硬编码实现，不通用
//
PSYSTEM_SERVICE_TABLE
GetKeServiceDescriptorTableShadow_2(VOID)
/*++
KeAddSystemServiceTable函数
805ba5a3 8d8840a65580 lea ecx,nt!KeServiceDescriptorTableShadow (8055a640)[eax]
805ba5a9 833900 cmp dword ptr [ecx],0
--*/
{
PSYSTEM_SERVICE_TABLE ShadowTable;
ULONG ServiceTableAddress;
PUCHAR cPtr, pOpcode;
ULONG Length = 0;
for (cPtr = (PUCHAR)KeAddSystemServiceTable;
cPtr < (PUCHAR)KeAddSystemServiceTable + PAGE_SIZE;
cPtr += Length )
{
if (!MmIsAddressValid(cPtr)) return NULL;
Length = SizeOfCode(cPtr, &pOpcode);
if (!Length || (Length == 1 && *pOpcode == 0xC3)) return NULL;
if (*(PUSHORT)pOpcode == 0x888D)
{
ServiceTableAddress = *(PULONG)(pOpcode + 2);
ShadowTable = (PSYSTEM_SERVICE_TABLE)ServiceTableAddress;
ShadowTable ++;
return ShadowTable;
}
}
return NULL;
}

ULONG GetShadowSsdtCurrentAddresses( PSSDT_ADDRESS AddressInfo, PULONG Length ) { PSYSTEM_SERVICE_TABLE KeServiceDescriptorTableShadow = NULL; ULONG NumberOfService = 0; ULONG ServiceId = 0; PKAPC_STATE ApcState; ULONG i; if (AddressInfo == NULL || Length == NULL) { KdPrint(("[GetShadowSsdtCurrentAddresses] 输入参数无效")); return 0; } //KdPrint(("pid = %d", PsGetCurrentProcessId())); ServiceId = (ULONG)PsGetCurrentProcessId(); if (!g_CsrssProcess) { PsLookupProcessByProcessId((PVOID)ScPsGetCsrssProcessId(), &g_CsrssProcess); } KeServiceDescriptorTableShadow = GetKeServiceDescriptorTableShadow(); if (KeServiceDescriptorTableShadow == NULL) { KdPrint(("[GetShadowSsdtCurrentAddresses] GetKeServiceDescriptorTableShadow failed")); return 0; } NumberOfService = KeServiceDescriptorTableShadow->NumberOfService; if (Length[0] < NumberOfService * sizeof(SSDT_ADDRESS)) { Length[0] = NumberOfService * sizeof(SSDT_ADDRESS); return 0; } ApcState = ExAllocatePoolWithTag(NonPagedPool, sizeof(KAPC_STATE), MEM_TAG); KeStackAttachProcess((PRKPROCESS)g_CsrssProcess, ApcState); for (ServiceId = 0; ServiceId < NumberOfService; ServiceId ++) { AddressInfo[ServiceId].FunAddress = (ULONG) KeServiceDescriptorTableShadow->ServiceTableBase[ServiceId]; AddressInfo[ServiceId].nIndex = ServiceId; } KeUnstackDetachProcess(ApcState); ExFreePool(ApcState); Length[0] = NumberOfService * sizeof(SSDT_ADDRESS); return NumberOfService; } /// // // 功能实现：枚举当前Shadow SSDT 表函数地址 // 输入参数：void // 输出参数：返回Shadow ssdt table // /// PSYSTEM_SERVICE_TABLE GetKeServiceDescriptorTableShadow(VOID) { PSYSTEM_SERVICE_TABLE ShadowTable = NULL; ULONG ServiceTableAddress = 0; PUCHAR cPtr = NULL; for (cPtr = (PUCHAR)KeAddSystemServiceTable; cPtr < (PUCHAR)KeAddSystemServiceTable + PAGE_SIZE; cPtr += 1 ) { if (!MmIsAddressValid(cPtr)) continue; ServiceTableAddress = *(PULONG)cPtr; if (!MmIsAddressValid((PVOID)ServiceTableAddress)) continue; if (memcmp((PVOID)ServiceTableAddress, &KeServiceDescriptorTable, 16) == 0) { if ((PVOID)ServiceTableAddress == &KeServiceDescriptorTable) continue; ShadowTable = (PSYSTEM_SERVICE_TABLE)ServiceTableAddress; ShadowTable ++; return ShadowTable; } } return NULL; } // // 方法2，通过硬编码实现，不通用 // PSYSTEM_SERVICE_TABLE GetKeServiceDescriptorTableShadow_2(VOID) /*++ 805ba5a3 8d8840a65580 lea ecx,nt!KeServiceDescriptorTableShadow (8055a640)[eax] 805ba5a9 833900 cmp dword ptr [ecx],0 --*/ { PSYSTEM_SERVICE_TABLE ShadowTable; ULONG ServiceTableAddress; PUCHAR cPtr, pOpcode; ULONG Length = 0; for (cPtr = (PUCHAR)KeAddSystemServiceTable; cPtr < (PUCHAR)KeAddSystemServiceTable + PAGE_SIZE; cPtr += Length ) { if (!MmIsAddressValid(cPtr)) return NULL; Length = SizeOfCode(cPtr, &pOpcode); if (!Length || (Length == 1 && *pOpcode == 0xC3)) return NULL; if (*(PUSHORT)pOpcode == 0x888D) { ServiceTableAddress = *(PULONG)(pOpcode + 2); ShadowTable = (PSYSTEM_SERVICE_TABLE)ServiceTableAddress; ShadowTable ++; return ShadowTable; } } return NULL; }

转载于:https://www.cnblogs.com/kuangke/p/5761555.html

aijia1857

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
两种方法获取shadow ssdt

[cpp] view plain copy print?ULONGGetShadowSsdtCurrentAddresses(PSSDT_ADDRESSAddressInfo,PULONGLength){PSYSTEM_SERVICE_TABLE...
复制链接

扫一扫