【原创】获取指定index的 OBJECTTYPE

最新推荐文章于 2024-05-24 08:20:13 发布

qq_18942885

最新推荐文章于 2024-05-24 08:20:13 发布

阅读量600

点赞数

分类专栏： windwos内核逆向汇编

本文链接：https://blog.csdn.net/qq_18942885/article/details/48026919

版权

windwos内核同时被 3 个专栏收录

22 篇文章 7 订阅

订阅专栏

逆向

21 篇文章 1 订阅

订阅专栏

汇编

11 篇文章 1 订阅

订阅专栏

ULONG64 onlythisfile_SreachFunctionAddress(ULONG64 uAddress, UCHAR *Signature, ULONG addopcodelength, ULONG addopcodedatasize)
{
ULONG64 index = 0;
UCHAR *p = 0;
ULONG64 uRetAddress = 0;
ULONG32 temp64 = 0;
if (uAddress == 0){ return 0; }

p = (UCHAR*)uAddress;
for (index = 0; index<0x3000; index++)
{

if (*p == Signature[0] &&
*(p + 1) == Signature[1] &&
*(p + 2) == Signature[2] &&
*(p + 3) == Signature[3] &&
*(p + 4) == Signature[4])
{

uRetAddress = p+4;

temp64 = (ULONG32)(*(ULONG32*)(uRetAddress + addopcodelength));
;

uRetAddress = temp64 + uRetAddress + addopcodedatasize;

uRetAddress &= 0xfffffff0ffffffff;

return uRetAddress;
}
p++;

DbgPrint("++ %p ", p);

}
return 0;
}

extern PVOID64 __fastcall GetObjectByindex(ULONG64 index, ULONG64 ObTypeIndexTable);

void initgetobjectbbyindex(){
  UCHAR opcodethis[] = { 0x0f,0xb6,0x41,0xe8,0x48 };
  PVOID debugobject=0;
  ObTypeIndexTable = (PVOID)onlythisfile_SreachFunctionAddress(FUCKGetFunctionAddr(L"ObGetObjectType"), opcodethis, 3, 7);
  DbgPrint("ObTypeIndexTable %p   xx :%p", ObTypeIndexTable, FUCKGetFunctionAddr(L"ObGetObjectType"));

  debugobject=GetObjectByindex(0xb, ObTypeIndexTable);
  DbgPrint("debugobject %p", debugobject);
}
.asm 文件

.CODE

GetObjectByindex PROC

mov   rax, rcx
mov     rcx, rdx
mov     rax, [rcx+rax*8]
ret
GetObjectByindex ENDP
END