📄 osinfo.c
字号:
pExpDir = (PIMAGE_EXPORT_DIRECTORY)dwOffset;
nNameCnt = pExpDir->NumberOfNames;
// RVA
pNameArray = (DWORD*)( (DWORD)hNtdll + pExpDir->AddressOfNames );
// FuncArray
pOrdNameArray = (WORD *)( (DWORD)hNtdll + pExpDir->AddressOfNameOrdinals );
pFuncArray = (DWORD*)( (DWORD)hNtdll + pExpDir->AddressOfFunctions );
for(j = 0; j < nNameCnt; j++)
{
pszName = (PCSTR)( pNameArray[j] + (DWORD)hNtdll );
if(_strnicmp(pszName, "Nt", 2) == 0)
{
pFunc = (VOID *)( (DWORD)hNtdll + pFuncArray[pOrdNameArray[j]] );
pSSDTEntry = (SSDTENTRY *)pFunc;
if(MOVEAX == pSSDTEntry->bMovEax)
{
strncpy(outBuf + pSSDTEntry->dwIndex * sizeof(SERVICENAME), pszName, sizeof(SERVICENAME)-1);
}
}
}
ExFreePool(g_pModuleList);
return STATUS_SUCCESS;
}
NTSTATUS GetServiceNamesFromKernal(PCHAR outBuf, ULONG ulBufLen)
{
NTSTATUS ns ;
BYTE * abName = NULL;
ULONG i = 0;
ULONG j = 0;
DWORD dwOffset = 0;
PIMAGE_EXPORT_DIRECTORY pExpDir = NULL;
ULONG nNameCnt = 0;
DWORD * pNameArray = NULL;
ULONG hKernal = g_ntoskrnl.ulBaseAddr;
DWORD * pFuncArray = NULL;
VOID * pFunc = NULL;
PCSTR pszName = NULL;
WORD * pOrdNameArray = NULL;
ULONG ulSrvHandle = 0;
// if(ulBufLen < g_ntoskrnl.ulSrvNum * sizeof(SERVICENAME))
// {
// return STATUS_UNSUCCESSFUL;
// }
dwOffset = hKernal;
// PE header
dwOffset += ((PIMAGE_DOS_HEADER)hKernal)->e_lfanew + sizeof( DWORD );
// DATA_DIRECTORY
dwOffset += sizeof( IMAGE_FILE_HEADER ) + sizeof( IMAGE_OPTIONAL_HEADER ) - IMAGE_NUMBEROF_DIRECTORY_ENTRIES * sizeof( IMAGE_DATA_DIRECTORY );
// EXPORT_DIRECTORY
dwOffset = hKernal + ((PIMAGE_DATA_DIRECTORY)dwOffset)->VirtualAddress;
pExpDir = (PIMAGE_EXPORT_DIRECTORY)dwOffset;
nNameCnt = pExpDir->NumberOfNames;
// RVA
pNameArray = (DWORD*)( (DWORD)hKernal + pExpDir->AddressOfNames );
// FuncArray
pOrdNameArray = (WORD *)( (DWORD)hKernal + pExpDir->AddressOfNameOrdinals );
pFuncArray = (DWORD*)( (DWORD)hKernal + pExpDir->AddressOfFunctions );
for(i = 0; i < g_ntoskrnl.ulSrvNum; i++)
{
ulSrvHandle = GetServiceAddr(i);
for(j = 0; j < nNameCnt; j++)
{
pszName = (PCSTR )( pNameArray[j] + (DWORD)hKernal );
pFunc = (VOID *)( (DWORD)hKernal + pFuncArray[pOrdNameArray[j]] );
if((ULONG)pFunc == ulSrvHandle)
{
strncpy(outBuf + i * sizeof(SERVICENAME), pszName, sizeof(SERVICENAME)-1);
break;
}
}
if(j == nNameCnt)
{
strncpy(outBuf + i * sizeof(SERVICENAME), "Unknown", sizeof(SERVICENAME)-1);
}
}
return STATUS_SUCCESS;
}
ULONG GetServiceAddr(ULONG ulServiceID)
{
ULONG ulAddress = (ULONG)KeServiceDescriptorTable.ServiceTableBase + ulServiceID * sizeof(ULONG);
return *((ULONG*)ulAddress);
}
void GetSSDTTable(PULONG outBuf)
{
ULONG i = 0;
for(i = 0; i < KeServiceDescriptorTable.NumberOfService; i++)
{
*(outBuf + i) = GetServiceAddr(i);
}
}
void IdentifySSDTHooks(PCHAR outBuf)
{
ULONG ulServiceHandle = 0;
ULONG i = 0;
for (i = 0; i < KeServiceDescriptorTable.NumberOfService; i++)
{
ulServiceHandle = GetServiceAddr(i);
if ((ulServiceHandle < g_ntoskrnl.ulBaseAddr)
|| (ulServiceHandle > g_ntoskrnl.ulEndAddr))
{
*(outBuf+i) = 1;
DbgPrint("System call %d is hooked at address %x!\n", i,
KeServiceDescriptorTable.ServiceTableBase);
}
else
{
*(outBuf+i) = 0;
}
}
}
NTSTATUS IoCompletionRoutine(IN PDEVICE_OBJECT pDeviceObject,IN PIRP pIrp,IN PVOID pContext)
{
PRKEVENT pKeEvent = (PRKEVENT)pContext;
KeSetEvent(pKeEvent, 0, FALSE);
return STATUS_SUCCESS;
}
VOID WorkItem_GetNT (IN PDEVICE_OBJECT pDeviceObject,IN PVOID pContext )
{
IO_STATUS_BLOCK IOStatusBlock;
NTSTATUS ntStatus;
KEVENT KeEvent;
PIRP pIrp = NULL;
PCHAR outbuf = NULL;
OBJECT_ATTRIBUTES objectAttributes;
HANDLE hLogFile;
IO_STATUS_BLOCK IoStatusBlock;
WCHAR logFileNameBuffer[] = L"\\??\\C:\\WorkItem.log";
UNICODE_STRING logFileUnicodeString;
KeInitializeEvent(&KeEvent, NotificationEvent, FALSE);
outbuf = ExAllocatePool(NonPagedPool, 4*1024);
pIrp = IoBuildDeviceIoControlRequest(IOCTL_DELAYGETNT, pDeviceObject,
NULL , 0,
outbuf, 4*1024,
FALSE , NULL, &IOStatusBlock);
if (NULL == pIrp)
{
return;
}
IoSetCompletionRoutine(pIrp, IoCompletionRoutine, &KeEvent, TRUE, FALSE, FALSE);
ntStatus = IoCallDriver(pDeviceObject, pIrp);
if (STATUS_PENDING == ntStatus)
{
KeWaitForSingleObject(&KeEvent, Executive, KernelMode, TRUE, NULL);
}
//完成输出
RtlInitUnicodeString( &logFileUnicodeString, logFileNameBuffer );
InitializeObjectAttributes( &objectAttributes, &logFileUnicodeString,
OBJ_CASE_INSENSITIVE, NULL, NULL );
ntStatus = ZwCreateFile( &hLogFile, FILE_WRITE_DATA|SYNCHRONIZE,
&objectAttributes, &IoStatusBlock, NULL,
FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,
FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 );
if( !NT_SUCCESS( ntStatus ) )
{
DbgPrint( "ZwCreateFile Failed!\n" );
ExFreePool(outbuf);
return;
}
ntStatus = ZwWriteFile(hLogFile,
NULL,
NULL,
NULL,
&IoStatusBlock,
outbuf,
4*1024,
NULL,
NULL );
if( !NT_SUCCESS( ntStatus ) )
{
DbgPrint( "ZwWriteFile Failed!\n" );
ExFreePool(outbuf);
return;
}
ZwClose( hLogFile );
ExFreePool(outbuf);
}
VOID DelayThread(IN PVOID pStartContext)
{
PIRP pIrp = (PIRP)pStartContext;
PIO_STACK_LOCATION pIrpSp;
ULONG outBufLength;
PCHAR outBuf;
PKTIMER pKeTimer = NULL;
LARGE_INTEGER iTimeOut;
pIrpSp = IoGetCurrentIrpStackLocation( pIrp );
outBufLength = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength;
outBuf = pIrp->UserBuffer;
RtlCopyMemory(outBuf, (VOID*)(g_ntoskrnl.ulBaseAddr), min(4*1024, outBufLength));
pKeTimer = ExAllocatePool(NonPagedPool, sizeof(KTIMER));
KeInitializeTimer(pKeTimer);
iTimeOut.QuadPart = -2*1000*1000*10;
KeSetTimer(pKeTimer, iTimeOut, NULL);
KeWaitForSingleObject(pKeTimer, Executive, KernelMode, FALSE, &iTimeOut);
KeCancelTimer(pKeTimer);
ExFreePool(pKeTimer);
IoCompleteRequest( pIrp, IO_NO_INCREMENT );
PsTerminateSystemThread(STATUS_SUCCESS);
}
HANDLE OpenKeyByName(PCWSTR pwcsKeyName)
{
NTSTATUS status;
UNICODE_STRING uKeyName;
OBJECT_ATTRIBUTES oa;
HANDLE hKey;
RtlInitUnicodeString(&uKeyName, pwcsKeyName);
InitializeObjectAttributes(&oa, &uKeyName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
status = ZwOpenKey(&hKey, KEY_READ, &oa);
if (!NT_SUCCESS(status))
{
DbgPrint("ZwOpenKey Failed: 0x%08X\n", status);
return NULL;
}
return hKey;
}
PVOID GetKCBByHandle(HANDLE hKey)
{
NTSTATUS status;
PCM_KEY_BODY pKeyBody = NULL;
PVOID pKCB = NULL;
if (hKey == NULL)
return NULL;
status = ObReferenceObjectByHandle(hKey, KEY_READ, NULL, KernelMode, &pKeyBody, NULL);
if (!NT_SUCCESS(status))
{
DbgPrint("ObReferenceObjectByHandle Failed: %08X\n", status);
return NULL;
}
pKCB = pKeyBody->KeyControlBlock;
DbgPrint("Handle = 0x%08X, KeyControlBlock = 0x%08X\n", hKey, pKCB);
ObDereferenceObject(pKeyBody);
return pKCB;
}
VOID DumpKCB(PCHAR outBuf)
{
DUMPKCB tDumpKCB = {0};
tDumpKCB.hKey = OpenKeyByName(L"\\Registry\\Machine");
tDumpKCB.pKCB = GetKCBByHandle(tDumpKCB.hKey);
if(tDumpKCB.pKCB)
{
tDumpKCB.pHive = ((PCM_KEY_CONTROL_BLOCK)tDumpKCB.pKCB)->KeyHash.KeyHive;
tDumpKCB.ulCell= ((PCM_KEY_CONTROL_BLOCK)tDumpKCB.pKCB)->KeyHash.KeyCell;
}
RtlCopyMemory( outBuf, &tDumpKCB, sizeof( tDumpKCB ) );
ZwClose(tDumpKCB.hKey);
}
VOID DumpDeviceObjects(PWCHAR outBuf, ULONG ulBufLen)
{
NTSTATUS status;
UNICODE_STRING ustrDirectoryName;
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE hDirectoryHandle = NULL;
POBJECT_DIRECTORY pDirectoryObject = NULL;
ULONG i = 0;
PVOID pDeviceObject = NULL;
POBJECT_HEADER pObjectHeader = NULL;
POBJECT_NAME pObjectName = NULL;
POBJECT_DIRECTORY_ENTRY pDirectoryEntry = NULL;
ULONG j = 0;
WCHAR wsObjectName[_MAX_PATH] = {0};
RtlInitUnicodeString( &ustrDirectoryName, L"\\Device" );
InitializeObjectAttributes( &ObjectAttributes,
&ustrDirectoryName,
OBJ_KERNEL_HANDLE,
NULL,
NULL );
status = ZwOpenDirectoryObject(&hDirectoryHandle, DIRECTORY_QUERY, &ObjectAttributes);
if (!NT_SUCCESS( status ))
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -