遍历内核模块,输出模块名称,基址以及大小。
这里只遍历模块名,其他类似。
#include <ntddk.h>
/*
 * Partial, hand-declared layout of the loader's module-list entry
 * (_LDR_DATA_TABLE_ENTRY). The code below only relies on InLoadOrderLinks
 * being the first member (so a LIST_ENTRY pointer can be cast straight to
 * the entry) and on DllBase / SizeOfImage / BaseDllName; the tail of the
 * real structure is covered by the opaque Unknow[17] filler.
 *
 * NOTE(review): this structure is not documented by Microsoft and its
 * layout differs between Windows versions and bitness. The ULONG32 /
 * 32-bit-pointer assumptions here presumably come from one specific
 * 32-bit build and are not verified against any other.
 */
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;            /* offset 0: the list the walk follows */
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;                          /* image base of the module */
    PVOID EntryPoint;
    ULONG32 SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;             /* e.g. file name without path */
    UINT32 Unknow[17];                      /* remaining fields, not used here */
}LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
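/*
 * Unload routine: only logs that the driver is leaving. DriverEntry
 * allocates nothing, so there is nothing to release here.
 *
 * The page's string ended in a bare 'n', which looks like a '\n' whose
 * backslash was stripped when the listing was published; restored here.
 */
VOID DriverUnload(PDRIVER_OBJECT driver)
{
    UNREFERENCED_PARAMETER(driver);
    DbgPrint("内核程序停止运行\n");
}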
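/*
 * DriverEntry: walk the InLoadOrderLinks ring starting at this driver's own
 * loader entry (DriverObject->DriverSection) and print every BaseDllName.
 *
 * The walk depends on the partial LDR_DATA_TABLE_ENTRY declared above having
 * InLoadOrderLinks at offset 0, which is why a PLIST_ENTRY is cast directly
 * to the entry type. The ring is visited exactly once: the walk stops when
 * the next link is the one that followed our own entry at the start.
 *
 * NOTE(review): the list head is itself one link of the ring and is not a
 * full LDR_DATA_TABLE_ENTRY, so one of the printed names is expected to be
 * garbage (reading BaseDllName past the head's LIST_ENTRY). Filter it before
 * using this output for anything beyond a demo.
 *
 * DbgPrint strings on the page ended in a bare 'n' (a stripped '\n');
 * restored here. reg_path is unused. Always returns STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
    UNREFERENCED_PARAMETER(reg_path);

    /* Register the unload routine first so the driver can always be stopped. */
    driver->DriverUnload = DriverUnload;

    /* DriverSection points at this driver's own loader entry. */
    PLDR_DATA_TABLE_ENTRY entry = (PLDR_DATA_TABLE_ENTRY)driver->DriverSection;
    /* The link after our own entry marks where the ring was entered. */
    PLIST_ENTRY stop = entry->InLoadOrderLinks.Flink;
    PLIST_ENTRY next = stop;

    do {
        DbgPrint("BaseDllName: %wZ\n", &entry->BaseDllName);
        entry = (PLDR_DATA_TABLE_ENTRY)next;
        next = entry->InLoadOrderLinks.Flink;
    } while (next != stop);

    return STATUS_SUCCESS;
}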
编写一个函数,找到一个未导出的函数,并调用。(例子:找到PspTerminateProcess,通过调用这个函数结束记事本进程)
使用偏移
#include <ntddk.h>
/*
 * Partial, hand-declared layout of the loader's module-list entry
 * (_LDR_DATA_TABLE_ENTRY). The code below only relies on InLoadOrderLinks
 * being the first member (so a LIST_ENTRY pointer can be cast straight to
 * the entry) and on DllBase / SizeOfImage / BaseDllName; the tail of the
 * real structure is covered by the opaque Unknow[17] filler.
 *
 * NOTE(review): this structure is not documented by Microsoft and its
 * layout differs between Windows versions and bitness. The ULONG32 /
 * 32-bit-pointer assumptions here presumably come from one specific
 * 32-bit build and are not verified against any other.
 */
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;            /* offset 0: the list the walk follows */
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;                          /* image base of the module */
    PVOID EntryPoint;
    ULONG32 SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;             /* e.g. file name without path */
    UINT32 Unknow[17];                      /* remaining fields, not used here */
}LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
/*
 * Call signature the author assumes for the unexported kernel routine
 * PspTerminateProcess. Both INT32 parameters are placeholders: DriverEntry
 * passes a raw kernel address (taken from a debugger's `!process 0 0`) as
 * the first argument and 0 as the second, so the real first parameter is
 * pointer-sized and this typedef only lines up on a 32-bit kernel.
 *
 * NOTE(review): Microsoft documents neither this routine nor its prototype
 * or calling convention; a mismatch here corrupts the stack or passes
 * garbage into the kernel and typically bugchecks the machine.
 */
typedef NTSTATUS(__stdcall* PspTerminateProcess)(INT32,INT32);
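/*
 * Unload routine: only logs that the driver is leaving. DriverEntry
 * allocates nothing, so there is nothing to release here.
 *
 * The page's string ended in a bare 'n', which looks like a '\n' whose
 * backslash was stripped when the listing was published; restored here.
 */
VOID DriverUnload(PDRIVER_OBJECT driver)
{
    UNREFERENCED_PARAMETER(driver);
    DbgPrint("内核程序停止运行\n");
}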
/*
 * DriverEntry: find the entry named "ntoskrnl.exe" in the InLoadOrderLinks
 * ring reachable from this driver's own loader entry, then call an
 * unexported routine at a fixed offset from the kernel's image base.
 *
 * Risk notes (reviewer):
 *  - 0x1574CE is an offset captured from one specific ntoskrnl build. On any
 *    other build the computed address points at arbitrary kernel code or
 *    data; nothing validates it before the call, so the outcome is an
 *    uncontrolled kernel-mode jump and, in practice, a bugcheck.
 *  - 0x81a12020 is a kernel pointer copied out of a debugger session (the
 *    text below says it came from `!process 0 0`); it is meaningful only on
 *    that exact boot.
 *  - The (INT) cast truncates DllBase on a 64-bit kernel; the code assumes
 *    32-bit throughout (see the function-pointer typedef).
 *  - %x is used for pointer values; %p is the correct specifier.
 *  - The ring's list head is one of its links but is not a full
 *    LDR_DATA_TABLE_ENTRY, so one iteration compares the name against
 *    whatever memory follows the head; presumably harmless here, unverified.
 *  - Every DbgPrint string ends in a bare 'n' — presumably a '\n' whose
 *    backslash was lost when the page was published.
 *  - From a detection standpoint, a driver that walks the loaded-module
 *    list for ntoskrnl and then calls into a non-exported address is a
 *    strong signal; nothing here hides that behaviour.
 *
 * reg_path is unused. Returns STATUS_SUCCESS whether or not ntoskrnl.exe
 * was found.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
    DbgPrint("driver: %xn", driver);
    /* DriverSection points at this driver's own loader entry. */
    PLDR_DATA_TABLE_ENTRY pLDRlist = (PLDR_DATA_TABLE_ENTRY)driver->DriverSection;
    LIST_ENTRY listEntry = pLDRlist->InLoadOrderLinks;
    PLIST_ENTRY pFlink = listEntry.Flink;
    /* The link that followed our own entry: the walk stops when we see it again. */
    PLIST_ENTRY pTmpFlink = listEntry.Flink;
    UNICODE_STRING ntName;
    RtlInitUnicodeString(&ntName, L"ntoskrnl.exe");
    do
    {
        /* Third argument FALSE = case-sensitive compare; 0 means equal. */
        if (RtlCompareUnicodeString(&ntName, &pLDRlist->BaseDllName, FALSE) == 0)
        {
            DbgPrint("BaseDllName: %wZn", &pLDRlist->BaseDllName);
            DbgPrint("DllBase: %xn", pLDRlist->DllBase);
            /* Build-specific offset from the kernel image base; see risk notes. */
            PspTerminateProcess pSp = (PspTerminateProcess)((INT)(pLDRlist->DllBase) + 0x1574CE);
            /* Session-specific kernel pointer as first argument; see risk notes. */
            pSp(0x81a12020, 0);
            break;
        }
        else {
            /* Advance to the next link; relies on InLoadOrderLinks being at offset 0. */
            pLDRlist = (PLDR_DATA_TABLE_ENTRY)pFlink;
            listEntry = pLDRlist->InLoadOrderLinks;
            pFlink = listEntry.Flink;
        }
    } while (pFlink != pTmpFlink);
    driver->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}
怕各位不理解,来说一下几个关键点:
PspTerminateProcess pSp = (PspTerminateProcess)((INT)(pLDRlist->DllBase) + 0x1574CE);
中的 0x1574CE 为偏移,计算方法:
- 找到函数所在内核的内核偏移
- 找到该函数在内核中的偏移:
- 计算
pSp(0x81a12020, 0);
中的 0x81a12020,在 windbg 中可以使用 !process 0 0 查看:
使用暴力搜索
#include <ntddk.h>
/*
 * Partial, hand-declared layout of the loader's module-list entry
 * (_LDR_DATA_TABLE_ENTRY). The code below only relies on InLoadOrderLinks
 * being the first member (so a LIST_ENTRY pointer can be cast straight to
 * the entry) and on DllBase / SizeOfImage / BaseDllName; the tail of the
 * real structure is covered by the opaque Unknow[17] filler.
 *
 * NOTE(review): this structure is not documented by Microsoft and its
 * layout differs between Windows versions and bitness. The ULONG32 /
 * 32-bit-pointer assumptions here presumably come from one specific
 * 32-bit build and are not verified against any other.
 */
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;            /* offset 0: the list the walk follows */
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;                          /* image base of the module */
    PVOID EntryPoint;
    ULONG32 SizeOfImage;                    /* bounds the byte scan below */
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;             /* e.g. file name without path */
    UINT32 Unknow[17];                      /* remaining fields, not used here */
}LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
/*
 * Call signature the author assumes for the unexported kernel routine
 * PspTerminateProcess. Both INT32 parameters are placeholders: DriverEntry
 * passes a raw kernel address as the first argument and 0 as the second,
 * so the real first parameter is pointer-sized and this typedef only lines
 * up on a 32-bit kernel.
 *
 * NOTE(review): Microsoft documents neither this routine nor its prototype
 * or calling convention; a mismatch here corrupts the stack or passes
 * garbage into the kernel and typically bugchecks the machine.
 */
typedef NTSTATUS(__stdcall* PspTerminateProcess)(INT32,INT32);
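/*
 * Unload routine: only logs that the driver is leaving. DriverEntry
 * allocates nothing, so there is nothing to release here.
 *
 * The page's string ended in a bare 'n', which looks like a '\n' whose
 * backslash was stripped when the listing was published; restored here.
 */
VOID DriverUnload(PDRIVER_OBJECT driver)
{
    UNREFERENCED_PARAMETER(driver);
    DbgPrint("内核程序停止运行\n");
}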
/*
 * DriverEntry: find "ntoskrnl.exe" in the InLoadOrderLinks ring reachable
 * from this driver's own loader entry, scan the kernel image byte by byte
 * for a 48-byte signature, and call the unexported routine located a fixed
 * distance before the match.
 *
 * Risk notes (reviewer):
 *  - `try` is the excpt.h macro alias of `__try` for C; `__try` is the
 *    spelled-out form and would match the `__except` below.
 *  - The __try/__except block does not make the scan safe: a page fault on
 *    a kernel-mode address (e.g. a discarded or paged-out section of the
 *    image, which the [DllBase, DllBase+SizeOfImage) range can include) is
 *    not delivered to an exception handler and bugchecks the machine.
 *    NOTE(review): confirm against the target OS; no page-presence check is
 *    done before each compare.
 *  - `shellcode` is a misnomer: the array is only ever passed to
 *    RtlCompareMemory as a search pattern, nothing in it is executed. Its
 *    bytes are specific to one ntoskrnl build; on another build there is
 *    either no match or a false match followed by an uncontrolled call.
 *  - RtlCompareMemory takes two pointers; `i` is a UINT32 passed where a
 *    pointer is expected (implicit integer-to-pointer conversion), which
 *    also ties the code to a 32-bit kernel along with the UINT32 casts of
 *    DllBase and the typedef's INT32 parameters.
 *  - 0x81d448b8 is a kernel pointer copied from one debugger session and is
 *    meaningful only on that exact boot. `i - 0x6` presumably positions the
 *    call at the routine's first instruction relative to where the
 *    signature matched; unverified.
 *  - %x is used for pointer values; %p is the correct specifier. Every
 *    DbgPrint string ends in a bare 'n' — presumably a stripped '\n'.
 *  - Detection note: a driver that enumerates loaded modules, reads the
 *    entire kernel image and then calls into a non-exported address is a
 *    high-confidence indicator on its own.
 *
 * reg_path is unused. Returns STATUS_SUCCESS on every path, including after
 * the __except handler runs.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
    try
    {
        DbgPrint("driver: %xn", driver);
        /* DriverSection points at this driver's own loader entry. */
        PLDR_DATA_TABLE_ENTRY pLDRlist = (PLDR_DATA_TABLE_ENTRY)driver->DriverSection;
        LIST_ENTRY listEntry = pLDRlist->InLoadOrderLinks;
        PLIST_ENTRY pFlink = listEntry.Flink;
        /* The link that followed our own entry: the walk stops when we see it again. */
        PLIST_ENTRY pTmpFlink = listEntry.Flink;
        UNICODE_STRING ntName;
        RtlInitUnicodeString(&ntName, L"ntoskrnl.exe");
        UINT32 unDllBase = 0;
        UINT32 unSizeOfImage = 0;
        /* Search pattern (12 x 32-bit words = 48 bytes); compared, never executed. */
        UINT32 shellcode[] = {
            0x0124a164,0x758b0000,0x44703b08,0x0db80775,
            0xebc00000,0xbe8d575a,0x00000248,0x200147f6,
            0x868d1274,0x00000174,0x48685650,0xe88062f5
        };
        UINT32 uLength = sizeof(shellcode);
        do
        {
            /* Third argument FALSE = case-sensitive compare; 0 means equal. */
            if (RtlCompareUnicodeString(&ntName, &pLDRlist->BaseDllName, FALSE) == 0)
            {
                DbgPrint("BaseDllName: %wZn", &pLDRlist->BaseDllName);
                DbgPrint("DllBase: %xn", pLDRlist->DllBase);
                //PspTerminateProcess pSp = (PspTerminateProcess)((INT)(pLDRlist->DllBase) + 0x1574CE);
                //pSp(0x81a12020, 0);
                unDllBase = (UINT32)pLDRlist->DllBase;
                unSizeOfImage = (UINT32)pLDRlist->SizeOfImage;
                DbgPrint("uLength: %dn", uLength);
                DbgPrint("unDllBase: %xn", unDllBase);
                DbgPrint("unSizeOfImage: %xn", unSizeOfImage);
                /* Byte-granular scan of the whole image; upper bound keeps the
                 * 48-byte compare inside [DllBase, DllBase+SizeOfImage). */
                for (UINT32 i = unDllBase; i < unDllBase + unSizeOfImage - uLength; i++)
                {
                    //DbgPrint("i: %xn", i);
                    /* Full-length match only; `i` is an integer used as a pointer here. */
                    if (RtlCompareMemory(shellcode, i, uLength) == uLength)
                    {
                        DbgPrint("Yesn");
                        /* Build-specific back-offset from the match; see risk notes. */
                        PspTerminateProcess psp = (PspTerminateProcess)(i - 0x6);
                        /* Session-specific kernel pointer as first argument; see risk notes. */
                        psp(0x81d448b8, 0);
                        break; /* leaves the for loop only */
                    }
                }
                break; /* leaves the do/while: ntoskrnl was found, scan is done */
            }
            else {
                /* Advance to the next link; relies on InLoadOrderLinks being at offset 0. */
                pLDRlist = (PLDR_DATA_TABLE_ENTRY)pFlink;
                listEntry = pLDRlist->InLoadOrderLinks;
                pFlink = listEntry.Flink;
            }
        } while (pFlink != pTmpFlink);
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        /* Only reached for exceptions SEH can deliver in kernel mode; see risk notes. */
        DbgPrint("run errorn");
    }
    /* Printed on every path, found or not. */
    DbgPrint("NOn");
    driver->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}
特征:
原文始发于微信公众号(loochSec):驱动第一次作业
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。