
获取指定index的 OBJECTTYPE

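/*
 * Scan a window of code for a 5-byte signature and resolve the RIP-relative
 * operand of the instruction that follows the match.
 *
 * uAddress           Start of the region to scan; 0 yields 0.
 * Signature          At least 5 readable bytes to match; NULL yields 0.
 * addopcodelength    Offset from the last signature byte (match + 4) to the
 *                    32-bit displacement.
 * addopcodedatasize  Offset from the last signature byte to the end of the
 *                    instruction carrying the displacement, i.e. the address
 *                    the displacement is relative to.
 *
 * Returns the resolved absolute address, or 0 when the signature is not found
 * within the first 0x3000 start positions.
 *
 * The displacement is sign-extended. Zero-extending it and then clearing
 * bits 32..35 of the sum only gives the right answer for addresses whose
 * bits 32..35 are already zero, and silently corrupts every other address.
 *
 * NOTE(review): nothing here verifies that the scanned window, or the operand
 * bytes read after a match, are mapped. Reading an unmapped kernel address
 * bugchecks the machine, so the caller must pass an address inside resident
 * code -- confirm at every call site.
 * NOTE(review): a 5-byte pattern is a weak identifier. A match on a build the
 * signature was not written for yields an arbitrary pointer, so callers should
 * validate the result before dereferencing it.
 */
ULONG64 onlythisfile_SreachFunctionAddress(ULONG64 uAddress, UCHAR *Signature, ULONG addopcodelength, ULONG addopcodedatasize)
{
    const UCHAR *p;
    const UCHAR *dispBytes;
    ULONG64 index;
    ULONG64 uRetAddress;
    ULONG32 disp;

    if (uAddress == 0 || Signature == 0) {
        return 0;
    }

    /* No per-byte logging: one DbgPrint per scanned byte floods the debugger. */
    p = (const UCHAR *)uAddress;
    for (index = 0; index < 0x3000; index++, p++) {
        if (p[0] != Signature[0] ||
            p[1] != Signature[1] ||
            p[2] != Signature[2] ||
            p[3] != Signature[3] ||
            p[4] != Signature[4]) {
            continue;
        }

        /* Base for both offsets is the last byte of the signature. */
        uRetAddress = (ULONG64)(p + 4);

        /* Read the little-endian disp32 byte by byte; it need not be aligned. */
        dispBytes = (const UCHAR *)(uRetAddress + addopcodelength);
        disp = (ULONG32)dispBytes[0] |
               ((ULONG32)dispBytes[1] << 8) |
               ((ULONG32)dispBytes[2] << 16) |
               ((ULONG32)dispBytes[3] << 24);

        /* target = end of instruction + sign-extended displacement */
        uRetAddress += addopcodedatasize;
        uRetAddress += disp;
        if (disp & 0x80000000) {
            uRetAddress -= ((ULONG64)1 << 32);
        }

        return uRetAddress;
    }

    return 0;
}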
/*
 * Implemented in the accompanying MASM file. Returns the 8-byte entry at
 * ObTypeIndexTable + index * 8. The routine performs no NULL check and no
 * bounds check, so both arguments must be validated by the caller.
 */
extern PVOID64 __fastcall   GetObjectByindex(ULONG64 index, ULONG64 ObTypeIndexTable);
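/*
 * Locate ObTypeIndexTable by signature-scanning ObGetObjectType, store it in
 * the global ObTypeIndexTable, and print entry 0xb of the table.
 *
 * The scan arguments 3 and 7 are offsets from the last signature byte (0x48)
 * to the 32-bit displacement and to the end of that instruction.
 *
 * NOTE(review): ObTypeIndexTable is not exported, and the signature, the
 * offsets and the index 0xb are all tied to the build they were taken from.
 * Presumably 0xb is the debug object type on the author's system -- confirm
 * per build before relying on it.
 */
void initgetobjectbbyindex(){
  UCHAR opcodethis[] = { 0x0f,0xb6,0x41,0xe8,0x48 };
  PVOID debugobject = 0;
  /* Resolve the routine once and reuse it for both the scan and the log line. */
  ULONG64 routine = (ULONG64)FUCKGetFunctionAddr(L"ObGetObjectType");

  ObTypeIndexTable = (PVOID)onlythisfile_SreachFunctionAddress(routine, opcodethis, 3, 7);
  DbgPrint("ObTypeIndexTable %p   xx :%p", ObTypeIndexTable, (PVOID)routine);

  /*
   * Fail closed: the scan returns 0 when the routine is not resolved or the
   * signature is absent, and indexing a NULL table would read address
   * 0xb * 8 in kernel mode.
   */
  if (ObTypeIndexTable == 0) {
    return;
  }

  debugobject = GetObjectByindex(0xb, (ULONG64)ObTypeIndexTable);
  DbgPrint("debugobject %p", debugobject);
}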
.asm 文件 

.CODE

; PVOID64 __fastcall GetObjectByindex(ULONG64 index, ULONG64 ObTypeIndexTable)
;   rcx = index, rdx = table base
;   rax = 8-byte entry read from [table + index * 8]
; No NULL or bounds check is done here; the caller must validate both arguments.
GetObjectByindex PROC
    mov     rax, QWORD PTR [rdx + rcx*8]
    ret
GetObjectByindex ENDP

END
由FAKE

Через тернии к звездам,
через радость и слезы
Мы проложим дорогу
