
X64 枚举 内核 符号

`typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)
 ( /* ntdll!ZwQuerySystemInformation; main() resolves it at run time with GetProcAddress */
 IN ULONG SystemInformationClass, /* which table to query; EnumKM() passes 11 (SystemModuleInformation) */
 OUT PVOID SystemInformation, /* caller-supplied buffer that receives the result */
 IN ULONG Length, /* size of SystemInformation in bytes */
 OUT PULONG ReturnLength /* length reported by the call; EnumKM() passes a variable here but never reads it */
 );

typedef unsigned long DWORD; /* NOTE(review): duplicates the Windows SDK DWORD typedef; legal in C only while both definitions agree */

/*
 * One entry of the module list returned for information class 11.
 * NOTE(review): the four ULONG "Unknow" fields occupy 16 bytes, which on x64 is the
 * space of the two pointer-sized leading fields of the documented
 * RTL_PROCESS_MODULE_INFORMATION layout (Section handle, MappedBase) -- confirm
 * against the target build before relying on Base/Size.
 */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
 {
 ULONG Unknow1;
 ULONG Unknow2;
 ULONG Unknow3;
 ULONG Unknow4;
 PVOID Base; /* image base; EnumKM() keeps only entries above 0x8000000000000000 */
 ULONG Size;
 ULONG Flags;
 USHORT Index;
 USHORT NameLength;
 USHORT LoadCount;
 USHORT ModuleNameOffset; /* offset into ImageName where the file name starts (EnumKM() adds it to ImageName) */
 char ImageName[256]; /* NUL-terminated path; EnumKM() compares the part after ModuleNameOffset */
 } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

/* Header of the class-11 result: Count entries follow; Module[1] is the old-style trailing-array idiom. */
typedef struct _SYSTEM_MODULE_INFORMATION
 {
 ULONG Count; /* number of loaded kernel modules; EnumKM() loops from 0 to Count-1 */
 SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; /* first entry; indexed up to Module[Count-1] */
 } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
 X64 枚举内核模块需要的结构体

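/*
 * Enumerate the loaded kernel modules and return the image base of the one
 * whose file name equals HighlightDrvName (case-insensitive).
 *
 * Returns 0 when HighlightDrvName is NULL, when allocation or the query
 * fails, or when no kernel-space module matches.
 *
 * Uses the file-level ZwQuerySystemInformation function pointer, which
 * main() resolves from ntdll.dll before calling this.
 */
ULONG64 EnumKM(char *HighlightDrvName)
{
    ULONG NeedSize = 0, BufferSize = 0x5000;
    ULONG ModuleCount, i;
    PVOID pBuffer = NULL;
    NTSTATUS Result;
    ULONG64 address = 0;
    PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;
    size_t headerBytes, maxEntries;

    if (HighlightDrvName == NULL)
        return 0;

    /* Grow the buffer until the whole list fits. 0xC0000004 is
     * STATUS_INFO_LENGTH_MISMATCH; any other failure status aborts. */
    do
    {
        pBuffer = malloc(BufferSize);
        if (pBuffer == NULL)
            return 0;
        /* 11 = SystemModuleInformation */
        Result = ZwQuerySystemInformation(11, pBuffer, BufferSize, &NeedSize);
        if (Result == 0xC0000004L)
        {
            free(pBuffer);
            pBuffer = NULL;
            BufferSize *= 2;
        }
        else if (Result < 0)
        {
            free(pBuffer);
            return 0;
        }
    } while (Result == 0xC0000004L);

    pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)pBuffer;
    ModuleCount = pSystemModuleInformation->Count;

    /* Never index past the buffer we actually own, whatever Count says. */
    headerBytes = (size_t)((const char *)&pSystemModuleInformation->Module[0]
                           - (const char *)pSystemModuleInformation);
    maxEntries = (BufferSize - headerBytes) / sizeof pSystemModuleInformation->Module[0];
    if (ModuleCount > maxEntries)
        ModuleCount = (ULONG)maxEntries;

    for (i = 0; i < ModuleCount; i++)
    {
        const SYSTEM_MODULE_INFORMATION_ENTRY *entry = &pSystemModuleInformation->Module[i];
        const char *pDrvName;

        /* Only kernel-space images (upper half of the x64 address space). */
        if ((ULONG64)entry->Base <= (ULONG64)0x8000000000000000)
            continue;
        /* ModuleNameOffset is taken from the query result; keep the
         * file-name pointer inside ImageName. */
        if (entry->ModuleNameOffset >= sizeof entry->ImageName)
            continue;

        pDrvName = entry->ImageName + entry->ModuleNameOffset;
        if (_stricmp(pDrvName, HighlightDrvName) == 0)
        {
            address = (ULONG64)entry->Base;
            break;
        }
    }

    /* Freed on every path; the original returned without freeing when no module matched. */
    free(pBuffer);
    return address;
}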
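 /*
  * dbghelp SymEnumSymbols callback: prints the name and address of every
  * symbol whose name is in kWanted. Always returns TRUE so enumeration
  * continues. SymbolSize and UserContext are unused.
  */
 BOOL CALLBACK EnumSymCallBack(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
 {
     static const char *const kWanted[] = {
         "PspCreateProcessNotifyRoutine",
         "PspLoadImageNotifyRoutine",
         "PspCreateThreadNotifyRoutine",
         "PspCidTable",
         "ExDestroyHandle",
     };
     ULONG k;

     (void)SymbolSize;
     (void)UserContext;

     if (pSymInfo == NULL)
         return TRUE;

     for (k = 0; k < sizeof kWanted / sizeof kWanted[0]; k++)
     {
         if (strcmp(pSymInfo->Name, kWanted[k]) == 0)
         {
             /* Address is a 64-bit integer, not a pointer, so do not pass it to %p.
              * The original format also lost its newline ("%pn") when the page was pasted. */
             printf("Oh,yeah! %s :0x%llx\n", pSymInfo->Name, (unsigned long long)pSymInfo->Address);
             break;
         }
     }

     return TRUE;
 }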

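/*
 * Load the symbols of <system dir>\ntkrnlmp.exe at ntkrnlmpBaseaddress,
 * using <current dir>\symbols as the search path, and enumerate them
 * through EnumSymCallBack.
 *
 * ntkrnlmpBaseaddress: kernel image base as returned by EnumKM(); 0 is rejected.
 *
 * Every failure is reported on stdout and the function returns after
 * releasing what it acquired. The original ended in for(;;), which made
 * main()'s getchar() unreachable; that spin loop is gone.
 * NOTE(review): the pasted page dropped backslashes ("symbols",
 * "ntkrnlmp.exe" appended with no separator); they are restored here as
 * "\\symbols" and "\\ntkrnlmp.exe" -- confirm against the original source.
 */
void getallkrnladdress(ULONG64 ntkrnlmpBaseaddress)
{
    char cwd[256];
    char sysdir[256];
    char SymbolPath[256];
    char FileName[256];
    HANDLE hProcess;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    DWORD64 BaseOfDll = 0;
    DWORD dwfilesize;
    DWORD len;
    UINT slen;
    int n;

    if (ntkrnlmpBaseaddress == 0)
    {
        printf("getallkrnladdress: invalid kernel base address\n");
        return;
    }

    SymSetOptions(SymGetOptions() | SYMOPT_DEBUG);

    hProcess = GetCurrentProcess();
    if (!SymInitialize(hProcess, NULL, FALSE))
    {
        printf("SymInitialize error ... (%lu)\n", GetLastError());
        return;
    }

    /* Bounded path building; the original strcat'd into fixed buffers without checks. */
    len = GetCurrentDirectoryA(sizeof cwd, cwd);
    if (len == 0 || len >= sizeof cwd)
    {
        printf("GetCurrentDirectoryA failed or path too long (%lu)\n", GetLastError());
        goto cleanup;
    }
    n = snprintf(SymbolPath, sizeof SymbolPath, "%s\\symbols", cwd);
    if (n < 0 || (size_t)n >= sizeof SymbolPath)
    {
        printf("symbol path too long\n");
        goto cleanup;
    }
    SymSetSearchPath(hProcess, SymbolPath);

    slen = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (slen == 0 || slen >= sizeof sysdir)
    {
        printf("GetSystemDirectoryA failed or path too long (%lu)\n", GetLastError());
        goto cleanup;
    }
    n = snprintf(FileName, sizeof FileName, "%s\\ntkrnlmp.exe", sysdir);
    if (n < 0 || (size_t)n >= sizeof FileName)
    {
        printf("kernel image path too long\n");
        goto cleanup;
    }

    /* The handle is only used to obtain the image size; it is closed on every path. */
    hFile = CreateFileA(FileName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf("CreateFileA(%s) failed (%lu)\n", FileName, GetLastError());
        goto cleanup;
    }
    dwfilesize = GetFileSize(hFile, NULL);
    if (dwfilesize == INVALID_FILE_SIZE)
    {
        printf("GetFileSize failed (%lu)\n", GetLastError());
        goto cleanup;
    }

    BaseOfDll = SymLoadModule64(hProcess, NULL, FileName, NULL, ntkrnlmpBaseaddress, dwfilesize);
    if (BaseOfDll == 0)
    {
        /* The original fetched GetLastError() here and then carried on with BaseOfDll == 0. */
        printf("SymLoadModule64 error ... (%lu)\n", GetLastError());
        goto cleanup;
    }

    SymEnumSymbols(hProcess, BaseOfDll, 0, EnumSymCallBack, 0);

cleanup:
    if (BaseOfDll != 0)
        SymUnloadModule64(hProcess, BaseOfDll);
    if (hFile != INVALID_HANDLE_VALUE)
        CloseHandle(hFile);
    SymCleanup(hProcess);
}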
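 /*
  * Usage: resolve ZwQuerySystemInformation from ntdll.dll, locate the NT
  * kernel image base with EnumKM(), then load and enumerate its symbols.
  * Returns 1 when ntdll cannot be resolved or the kernel image is not found,
  * so the later calls never run with a NULL function pointer or a 0 base.
  */
 int main(void)
 {
     ULONG64 ntkrnlmpBaseaddress;
     HMODULE ntdll = LoadLibraryW(L"ntdll.dll");

     if (ntdll == NULL)
     {
         printf("LoadLibraryW(ntdll.dll) failed (%lu)\n", GetLastError());
         return 1;
     }
     /* File-level function pointer used by EnumKM(); the original never checked it for NULL. */
     ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(ntdll, "ZwQuerySystemInformation");
     if (ZwQuerySystemInformation == NULL)
     {
         printf("GetProcAddress(ZwQuerySystemInformation) failed (%lu)\n", GetLastError());
         return 1;
     }

     /* NT kernel image base; 0 means not found.
      * NOTE(review): many builds list the kernel as ntoskrnl.exe rather than
      * ntkrnlmp.exe -- confirm the name on the target system. */
     ntkrnlmpBaseaddress = EnumKM("ntkrnlmp.exe");
     if (ntkrnlmpBaseaddress == 0)
     {
         printf("ntkrnlmp.exe not found in the loaded module list\n");
         return 1;
     }

     getallkrnladdress(ntkrnlmpBaseaddress);

     getchar();
     return 0;
 }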
 完整 SRC :http://pan.baidu.com/s/1sjuZg2D`

由FAKE

Через тернии к звездам,
через радость и слезы
Мы проложим дорогу
