{
_snwprintf(outBuf, ulBufLen - 1, L"\tZwCreateDirectoryObject return 0x%08X\n", status);
return;
}
status = ObReferenceObjectByHandle( hDirectoryHandle,
0,
NULL,
KernelMode,
(PVOID *)&pDirectoryObject,
NULL );
if (!NT_SUCCESS( status ))
{
_snwprintf(outBuf, ulBufLen - 1, L"\tObReferenceObjectByHandle return 0x%08X\n", status);
ZwClose(hDirectoryHandle);
return;
}
RtlZeroMemory(outBuf, ulBufLen);
for(i = 0; i < NUMBER_HASH_BUCKETS; i++)
{
pDirectoryEntry = pDirectoryObject->HashBuckets[i];
while(pDirectoryEntry !=NULL)
{
pDeviceObject = pDirectoryEntry->Object;
pObjectHeader = (POBJECT_HEADER)((ULONG)pDeviceObject - sizeof(OBJECT_HEADER));
pObjectName = (POBJECT_NAME )((ULONG)pObjectHeader - pObjectHeader->NameOffset);
RtlZeroMemory(wsObjectName, sizeof(wsObjectName));
RtlCopyMemory(wsObjectName, pObjectName->Name.Buffer, pObjectName->Name.Length);
j += _snwprintf(outBuf+j, ulBufLen/2 - j - 1,
L"\t0x%08X\t%s\n",
pDeviceObject, wsObjectName);
pDirectoryEntry = pDirectoryEntry->ChainLink;
}
}
if(hDirectoryHandle)
ZwClose(hDirectoryHandle);
}
/*
 * Resolve an exported kernel/HAL routine by name.
 *
 * FunctionName: NUL-terminated wide name, e.g. L"PsLookupProcessByProcessId".
 * Returns the routine's address squeezed into a ULONG (this file assumes a
 * 32-bit kernel throughout), or 0 when MmGetSystemRoutineAddress finds
 * no such export.
 */
ULONG GetFunctionAddr(IN PCWSTR FunctionName)
{
    UNICODE_STRING routineName;
    PVOID routine;

    RtlInitUnicodeString(&routineName, FunctionName);
    routine = MmGetSystemRoutineAddress(&routineName);
    return (ULONG)routine;
}
/* Resolved at runtime by GetPspCidTable(); EnumHandleCallback() refuses to
 * do any work while this is still 0. */
PFNPSLOOKUPPROCESSBYPROCESSID pfnPsLookupProcessByProcessId = 0;
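/*
 * Locate the kernel's PspCidTable by scanning PsLookupProcessByProcessId
 * for a byte signature.
 *
 * The pattern is FF 35 <imm32> .. E8: a "push dword ptr [imm32]" whose
 * operand is the address of the PspCidTable global, with a call opcode six
 * bytes after the start of the push.  The function returns the table
 * pointer itself (*(PULONG)imm32), or NULL when the export is missing or
 * the pattern is not found within the first page of the routine.
 *
 * NOTE(review): this is an x86-only heuristic (pointers are squeezed into
 * ULONG) tied to the code layout of the kernel build it was written
 * against; on other builds expect it to fail or, worse, match an unrelated
 * instruction.  Callers must check for NULL.
 *
 * Side effect: caches the PsLookupProcessByProcessId pointer in the
 * file-scope pfnPsLookupProcessByProcessId for EnumHandleCallback().
 */
PVOID GetPspCidTable()
{
    PUCHAR start;
    PUCHAR end;
    PUCHAR cPtr;

    pfnPsLookupProcessByProcessId =
        (PFNPSLOOKUPPROCESSBYPROCESSID)GetFunctionAddr(L"PsLookupProcessByProcessId");
    if (!pfnPsLookupProcessByProcessId)
        return NULL;

    start = (PUCHAR)pfnPsLookupProcessByProcessId;
    /* The match below reads cPtr[0..6]; stop 7 bytes short so the scan
     * never touches memory past start + PAGE_SIZE. */
    end = start + PAGE_SIZE - 7;

    for (cPtr = start; cPtr < end; cPtr++)
    {
        if (*(PUSHORT)cPtr == 0x35FF && *(cPtr + 6) == 0xE8)
        {
            return (PVOID)(**(PULONG *)(cPtr + 2));
        }
    }
    return NULL;
}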
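/*
 * Context handed to EnumHandleCallback() through ExEnumHandleTable's
 * EnumParameter.  It lives on EnumProcess()'s kernel stack, so the buffer
 * bound is never stored in, or re-read from, the caller's user-mode output
 * buffer.  (The previous protocol kept the length in outBuf[0..3] and
 * reloaded it inside the callback; a concurrent user thread could rewrite
 * those bytes between the store and the reload and pick the kernel's bound.)
 */
typedef struct _ENUMPROC_CONTEXT
{
    PCHAR outBuf;    /* output buffer, already probed for write by the caller */
    ULONG ulBufLen;  /* size of outBuf in bytes, >= sizeof(ULONG)            */
    ULONG ulUsed;    /* bytes of text written so far, excluding the NUL      */
} ENUMPROC_CONTEXT, *PENUMPROC_CONTEXT;

/*
 * Append a NUL-terminated string to ctx->outBuf, keeping the buffer
 * NUL-terminated.  Returns FALSE when the text did not fit (the buffer is
 * then full and terminated) so callers can stop, instead of folding a
 * negative _snprintf result into unsigned offset arithmetic as before.
 */
static BOOLEAN EnumProcAppend(PENUMPROC_CONTEXT ctx, const CHAR *text)
{
    ULONG room;
    int written;

    if (ctx->ulUsed + 1 >= ctx->ulBufLen)
        return FALSE;

    room = ctx->ulBufLen - ctx->ulUsed - 1;   /* one byte reserved for the NUL */
    written = _snprintf(ctx->outBuf + ctx->ulUsed, room, "%s", text);
    if (written < 0 || (ULONG)written > room)
    {
        /* MS _snprintf returns a negative value (a C99-style one returns the
         * required length) and does not terminate on truncation. */
        ctx->ulUsed = ctx->ulBufLen - 1;
        ctx->outBuf[ctx->ulUsed] = '\0';
        return FALSE;
    }
    ctx->ulUsed += (ULONG)written;
    ctx->outBuf[ctx->ulUsed] = '\0';
    return TRUE;
}

/*
 * ExEnumHandleTable callback used by EnumProcess().
 *
 * It does not use the entry it is given beyond checking that ->Object is
 * set: instead it walks candidate PIDs 0..0x3FFC in steps of 4 (0x10
 * "pages" of 0x100 slots) and resolves each through
 * PsLookupProcessByProcessId, writing one "\t<pid>\t\t<name>\n" line per
 * live process (plus fixed names for PID 0 and PID 4) into the
 * ENUMPROC_CONTEXT passed as EnumParameter.  Returning TRUE asks
 * ExEnumHandleTable to stop, so the whole walk happens on the first call.
 *
 * HandleTableEntry: entry supplied by the enumerator (only ->Object is read).
 * Handle:           unused; the CID is recomputed from the loop counters.
 * EnumParameter:    PENUMPROC_CONTEXT prepared by EnumProcess().
 * Returns TRUE in every case, which stops the enumeration (the earlier
 * version returned FALSE on a missing buffer or lookup routine, which only
 * made the enumerator call back once per remaining entry to no effect).
 *
 * NOTE(review): EPROC_NAME_OFFSET (0x174) is presumably EPROCESS.ImageFileName
 * on the build this was written for; it is not looked up at runtime, so on
 * any other build the "%s" reads an arbitrary field.  The read is bounded to
 * 16 bytes, which is the size that field has on the builds I know of --
 * confirm against the target kernel.
 * NOTE(review): whether ExEnumHandleTable releases the matched entry's lock
 * itself when the callback returns TRUE, or expects the caller to, differs
 * between kernel builds; confirm for the target build.
 */
BOOLEAN EnumHandleCallback(PHANDLE_TABLE_ENTRY HandleTableEntry,
                           HANDLE Handle,
                           PVOID EnumParameter)
{
    PENUMPROC_CONTEXT ctx = (PENUMPROC_CONTEXT)EnumParameter;
    const ULONG EPROC_NAME_OFFSET = 0x174;
    CHAR strProcess[300];
    ULONG page;
    ULONG slot;

    (void)Handle;

    /* Nothing to write into, or no lookup routine: stop the enumeration. */
    if (ctx == NULL || ctx->outBuf == NULL || !pfnPsLookupProcessByProcessId)
        return TRUE;

    /* Output was only ever produced when the enumerator's entry has an
     * Object; the test is loop-invariant, so it is hoisted out of the walk. */
    if (HandleTableEntry == NULL || HandleTableEntry->Object == NULL)
        return TRUE;

    for (page = 0; page < 0x10; page++)
    {
        for (slot = 0; slot < 0x100; slot++)
        {
            ULONG cid = (1024 * page) + (slot << 2);
            HANDLE hCid = (HANDLE)cid;
            PEPROCESS pEProcess = NULL;

            memset(strProcess, 0x00, sizeof(strProcess));

            if (cid > 4)
            {
                NTSTATUS ntStatus = pfnPsLookupProcessByProcessId(hCid, &pEProcess);
                if (NT_SUCCESS(ntStatus))
                {
                    /* %.16s bounds the read in case the name field is not
                     * NUL-terminated; the CID is unsigned, hence %u. */
                    _snprintf(strProcess, sizeof(strProcess) - 1,
                              "\t%4u\t\t%.16s\n",
                              cid, (PUCHAR)pEProcess + EPROC_NAME_OFFSET);
                    ObDereferenceObject(pEProcess);
                }
            }
            else if (cid == 0)
            {
                _snprintf(strProcess, sizeof(strProcess) - 1,
                          "\t%4u\t\t%s\n", cid, "Idle");
            }
            else if (cid == 4)
            {
                _snprintf(strProcess, sizeof(strProcess) - 1,
                          "\t%4u\t\t%s\n", cid, "System");
            }

            if (strProcess[0] != '\0')
            {
                /* Never use the line as the format string: the image name in
                 * it is chosen by whoever created the process and may carry
                 * conversion specifiers. */
                DbgPrint("%s", strProcess);
                if (!EnumProcAppend(ctx, strProcess))
                    return TRUE;   /* output buffer full; stop the walk */
            }
        }
    }
    return TRUE;
}

/*
 * Fill outBuf with a text listing of live processes, one
 * "\t<pid>\t\t<name>\n" line each, followed by "\nCidTable:<addr>\n".
 *
 * outBuf:   output buffer; must already be probed for write (the IOCTL
 *           dispatcher does this) because the text is written in place.
 * ulBufLen: size of outBuf in bytes; anything below sizeof(ULONG) is
 *           rejected.  On every other path outBuf ends up NUL-terminated,
 *           including the early returns (previously the buffer held raw
 *           length bytes on those paths and strlen() ran past a small one).
 *
 * ExEnumHandleTable and the PspCidTable pointer are resolved at runtime.
 * If the table cannot be located the enumeration is skipped instead of
 * handing ExEnumHandleTable a NULL table, and the trailer then reports
 * CidTable:0 so the caller can tell.
 *
 * NOTE(review): the callback writes straight into the user buffer while
 * ExEnumHandleTable holds a table entry locked.  A page fault there is
 * caught by the dispatcher's __try, but the entry lock would not be
 * released on that path; staging the output in a kernel buffer and copying
 * it out afterwards would avoid this.
 */
VOID EnumProcess(PCHAR outBuf, ULONG ulBufLen)
{
    PFNEXENUMHANDLETABLE pfnExEnumHandleTable = NULL;
    PVOID pPspCidTable = NULL;
    HANDLE hTable = NULL;
    ENUMPROC_CONTEXT ctx;
    CHAR trailer[48];

    if (outBuf == NULL || ulBufLen < sizeof(ulBufLen))
    {
        DbgPrint("OufBuf is too small!!");
        return;
    }

    ctx.outBuf = outBuf;
    ctx.ulBufLen = ulBufLen;
    ctx.ulUsed = 0;
    outBuf[0] = '\0';   /* valid (empty) string on every early-return path */

    pfnExEnumHandleTable = (PFNEXENUMHANDLETABLE)GetFunctionAddr(L"ExEnumHandleTable");
    if (pfnExEnumHandleTable == NULL)
    {
        DbgPrint("Get ExEnumHandleTable Addr Error!!");
        return;
    }
    DbgPrint("Address of ExEnumHandleTable:%x\n", pfnExEnumHandleTable);

    pPspCidTable = GetPspCidTable();
    DbgPrint("CidTable:%x\n", pPspCidTable);

    if (pPspCidTable == NULL)
    {
        /* GetPspCidTable's signature scan failed; never pass NULL on. */
        DbgPrint("PspCidTable not found; skipping enumeration.\n");
    }
    else if (!pfnExEnumHandleTable(pPspCidTable, EnumHandleCallback, &ctx, &hTable))
    {
        DbgPrint("ExEnumHandleTable failed.\n");
    }
    else
    {
        DbgPrint("ExEnumHandleTable succeeded.\n");
    }

    memset(trailer, 0x00, sizeof(trailer));
    _snprintf(trailer, sizeof(trailer) - 1, "\nCidTable:%X\n", pPspCidTable);
    EnumProcAppend(&ctx, trailer);   /* truncated if no room is left */
}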
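/*
 * IRP_MJ_DEVICE_CONTROL dispatch.
 *
 * Every IOCTL here is handled METHOD_NEITHER style: outBuf is
 * pIrp->UserBuffer, a raw user-mode pointer that is valid only in the
 * requesting thread's context and only after ProbeForWrite.  All probing
 * and writing happens under __try so a bad user address becomes an error
 * status instead of a bugcheck.
 *
 * pDeviceObject: our device; used to allocate the work item.
 * pIrp:          the request.  It is completed here with the resulting
 *                status (IoStatus.Information stays 0), except for
 *                IOCTL_DELAYGETNT, which is handed to a system thread and
 *                returns STATUS_PENDING.
 *
 * NOTE(review): IOCTL_GETSSDT and IOCTL_GETSSDTHOOKFLAG pass outBuf to
 * helpers without outBufLength (their bodies are not in this file); unless
 * those helpers bound their own writes, a short user buffer is overrun.
 * IOCTL_ASMINT3 is a debug hook that lets any caller able to open the
 * device raise a kernel breakpoint; it should not ship in a release build.
 */
NTSTATUS OSInfoDeviceControl(IN PDEVICE_OBJECT pDeviceObject,
                             IN PIRP pIrp)
{
    PIO_STACK_LOCATION pIrpSp;
    NTSTATUS ntStatus = STATUS_SUCCESS;
    ULONG outBufLength;
    PCHAR outBuf;
    OBJECT_ATTRIBUTES objectAttributes;
    HANDLE hThreadHandle = NULL;

    pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
    outBufLength = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength;
    outBuf = pIrp->UserBuffer;
    pIrp->IoStatus.Information = 0;

    if (!outBufLength)
    {
        ntStatus = STATUS_INVALID_PARAMETER;
        goto End;
    }

    __try
    {
        switch (pIrpSp->Parameters.DeviceIoControl.IoControlCode)
        {
        case IOCTL_ASMINT3:
            ASMINT(3);
            break;

        case IOCTL_GETKERNALBASEINFO:
            /* Fixed-size reply: reject a buffer the caller declared shorter
             * than the struct instead of writing past what it offered. */
            if (outBufLength < sizeof(g_ntoskrnl))
            {
                ntStatus = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            ProbeForWrite(outBuf, sizeof(g_ntoskrnl), sizeof(BYTE));
            RtlCopyMemory(outBuf, &g_ntoskrnl, sizeof(g_ntoskrnl));
            break;

        case IOCTL_GETSSDT:
            ProbeForWrite(outBuf, outBufLength, sizeof(ULONG));
            GetSSDTTable((PULONG)outBuf);
            break;

        case IOCTL_GETSSDTHOOKFLAG:
            ProbeForWrite(outBuf, outBufLength, sizeof(ULONG));
            IdentifySSDTHooks(outBuf);
            break;

        case IOCTL_GETSERVICENAMES:
            ProbeForWrite(outBuf, outBufLength, sizeof(CHAR));
            GetServiceNames(outBuf, outBufLength);
            break;

        case IOCTL_GETSERVICENAMESKRL:
            ProbeForWrite(outBuf, outBufLength, sizeof(CHAR));
            GetServiceNamesFromKernal(outBuf, outBufLength);
            break;

        case IOCTL_SETWORKITEM:
            /* The work item is allocated once and reused across requests. */
            if (!g_pWorkItem)
                g_pWorkItem = IoAllocateWorkItem(pDeviceObject);
            if (g_pWorkItem)
                IoQueueWorkItem(g_pWorkItem, WorkItem_GetNT, DelayedWorkQueue, NULL);
            break;

        case IOCTL_DELAYGETNT:
            /* Mark the IRP pending BEFORE the worker thread exists: DelayThread
             * owns pIrp from the moment it starts (presumably completing it;
             * its body is not in this file) and may do so on another CPU
             * before this thread gets any further, after which touching pIrp
             * here would be a use-after-free. */
            IoMarkIrpPending(pIrp);
            InitializeObjectAttributes(&objectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
            ntStatus = PsCreateSystemThread(&hThreadHandle, THREAD_ALL_ACCESS, &objectAttributes,
                                            0, 0, DelayThread, pIrp);
            if (!NT_SUCCESS(ntStatus))
            {
                OSINFO_KDPRINT(("Couldn't SystemThread\n"));
                /* Already marked pending: complete it ourselves and still
                 * return STATUS_PENDING, as the I/O manager requires. */
                pIrp->IoStatus.Status = ntStatus;
                IoCompleteRequest(pIrp, IO_NO_INCREMENT);
                return STATUS_PENDING;
            }
            ZwClose(hThreadHandle);   /* the thread keeps running; drop our handle */
            return STATUS_PENDING;

        case IOCTL_DUMPKCB:
            if (outBufLength < sizeof(DUMPKCB))
            {
                ntStatus = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            ProbeForWrite(outBuf, sizeof(DUMPKCB), sizeof(BYTE));
            DumpKCB(outBuf);
            break;

        case IOCTL_DUMPDEVICEOBJECT:
            ProbeForWrite(outBuf, outBufLength, sizeof(WCHAR));
            DumpDeviceObjects((PWCHAR)outBuf, outBufLength);
            break;

        case IOCTL_ENUMPROCESS:
            ProbeForWrite(outBuf, outBufLength, sizeof(CHAR));
            EnumProcess(outBuf, outBufLength);
            break;

        default:
            {
                /* Bounded copy: the reply is 14 bytes but outBufLength may be 1. */
                static const CHAR unknown[] = "Unknown Event";
                ULONG n = (outBufLength < sizeof(unknown)) ? outBufLength - 1
                                                           : sizeof(unknown) - 1;
                ProbeForWrite(outBuf, outBufLength, sizeof(CHAR));
                RtlCopyMemory(outBuf, unknown, n);
                outBuf[n] = '\0';
            }
            break;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        /* Bad or unwritable user address (or a faulting helper). */
        ntStatus = GetExceptionCode();
    }

End:
    pIrp->IoStatus.Status = ntStatus;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return ntStatus;
}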