一种获取minifilter各种pre/post函数地址的方法

admin 2024年6月8日13:54:10评论2 views字数 14911阅读49分42秒阅读模式

一种获取fsfilter各种
pre/post函数地址的方法
首先下载这个驱动项目
https://github.com/wqreytuk/article/blob/main/rwetrytuo
234234sdf.7z
密码是1
post operation 地址获取
然后在C:\Users\Administrator\Desktop\winobj源码阅读
笔记\rwetrytuo234awradfa234sdf\FsFilter.cpp的79行
加一行代码:
这样在执行到pre/post函数的时候会自动断到调试器中
启动驱动,就会断到调试器里面,然后加载驱动符号看调用栈
DbgBreakPoint();
0: kd> k
# Child-SP RetAddr Call
Site
00 ffffd601`ebaae120 fffff800`50945b87
FsFilterDemo2!OnPostCreate+0x1b
[c:\users\administrator\desktop\winobj源码阅读笔记
\rwetrytuo234awradfa234sdf\fsfilter.cpp @ 79]
01 ffffd601`ebaae1b0 fffff800`5094545b
FLTMGR!FltpPerformPostCallbacksWorker+0x347
02 ffffd601`ebaae280 fffff800`509471a2
FLTMGR!FltpPassThroughCompletionWorker+0xfb
03 ffffd601`ebaae320 fffff800`50979f54
FLTMGR!FltpLegacyProcessingAfterPreCallbacksComp
leted+0x322
04 ffffd601`ebaae390 fffff800`4e610665
FLTMGR!FltpCreate+0x324
05 ffffd601`ebaae440 fffff800`4e60b674
nt!IofCallDriver+0x55
06 ffffd601`ebaae480 fffff800`4e9edf3b
nt!IoCallDriverWithTracing+0x34
07 ffffd601`ebaae4d0 fffff800`4ea06647
nt!IopParseDevice+0x11bb
08 ffffd601`ebaae640 fffff800`4e9fd5fa
nt!ObpLookupObjectName+0x1117
09 ffffd601`ebaae810 fffff800`4ea6d46b
nt!ObOpenObjectByNameEx+0x1fa
0a ffffd601`ebaae940 fffff800`4ea6c098
nt!IopCreateFile+0x132b
0b ffffd601`ebaaea00 fffff800`4e810ef5
nt!NtOpenFile+0x58
0c ffffd601`ebaaea90 00007ffe`b35cd644
nt!KiSystemServiceCopyEnd+0x25
0d 000000f6`ea8ce398 00007ffe`b357bb2a
ntdll!NtOpenFile+0x14
0e 000000f6`ea8ce3a0 00007ffe`b357b99e
ntdll!LdrpMapResourceFile+0x112
看调用栈中的第二个地址
这个地址往前几条指令就是call到我们的post函数的地方
0f 000000f6`ea8ce4b0 00007ffe`b356533c
ntdll!LdrMapAndVerifyResourceFile+0x9a
10 000000f6`ea8ce530 00007ffe`b35658ac
ntdll!LdrLoadAlternateResourceModuleEx+0x49c
11 000000f6`ea8cf040 00007ffe`b3563d98
ntdll!LdrpLoadResourceFromAlternativeModule+0x1e
c
12 000000f6`ea8cf1b0 00007ffe`b3599041
ntdll!LdrpSearchResourceSection_U+0x1cc
13 000000f6`ea8cf320 00007ffe`b12c8e89
ntdll!RtlFindMessage+0x61
14 000000f6`ea8cf3a0 00000000`00000000
0x00007ffe`b12c8e89
FLTMGR!FltpPerformPostCallbacksWorker+0x347
0: kd> u
FLTMGR!FltpPerformPostCallbacksWorker+0x347-20
L10
FLTMGR!FltpPerformPostCallbacksWorker+0x327:
fffff800`50945b67 080f or byte
ptr [rdi],cl
fffff800`50945b69 852b test dword
ptr [rbx],ebp
fffff800`50945b6b ae scas byte
ptr [rdi]
fffff800`50945b6c 0000 add byte
ptr [rax],al
可以看到调用指令是这个
fffff800`50945b6e 498b4520 mov
rax,qword ptr [r13+20h]
fffff800`50945b72 488d542448 lea rdx,
[rsp+48h]
fffff800`50945b77 4d8b4728 mov
r8,qword ptr [r15+28h]
fffff800`50945b7b 4533c9 xor
r9d,r9d
fffff800`50945b7e 488bcd mov
rcx,rbp
fffff800`50945b81 ff15c1ae0200 call qword
ptr [FLTMGR!_guard_dispatch_icall_fptr
(fffff800`50970a48)]
fffff800`50945b87 8bc8 mov
ecx,eax
fffff800`50945b89 83e901 sub ecx,1
fffff800`50945b8c 0f84f6020000 je
FLTMGR!FltpPerformPostCallbacksWorker+0x648
(fffff800`50945e88)
fffff800`50945b92 83f901 cmp ecx,1
fffff800`50945b95 0f8419ae0000 je
FLTMGR!FltpPerformPostCallbacksWorker+0xb174
(fffff800`509509b4)
fffff800`50945b9b 0fb6bc24d8000000 movzx
edi,byte ptr [rsp+0D8h]
fffff800`50945b81 ff15c1ae0200 call qword
ptr [FLTMGR!_guard_dispatch_icall_fptr
(fffff800`50970a48)]
是dispatch_call,函数地址就保存在rax中,那么我们就可以
下条件断点
下完之后让调试器跑一会儿,因该就能搜集到几乎所有的post
operation了
pre operation 地址获取
把前面加的那个DbgBreakPoint删掉
然后再在C:\Users\Administrator\Desktop\winobj源码阅
读笔记\rwetrytuo234awradfa234sdf\FsFilter.cpp的214
行加入DbgBreakPoint();
重新安装驱动并启动
操作同上
ba e1 fffff800`50945b81 "r rax;u rax;g"
0: kd> k
# Child-SP RetAddr Call
Site
00 ffffc905`8e579490 fffff803`469d64cc
FsFilterDemo2!OnPreWrite+0x18
[c:\users\administrator\desktop\winobj源码阅读笔记
\rwetrytuo234awradfa234sdf\fsfilter.cpp @ 215]
01 ffffc905`8e579530 fffff803`469d5f7a
FLTMGR!FltpPerformPreCallbacksWorker+0x36c
02 ffffc905`8e579650 fffff803`469d5021
FLTMGR!FltpPassThroughInternal+0xca
03 ffffc905`8e5796a0 fffff803`469d4a2b
FLTMGR!FltpPassThrough+0x541
04 ffffc905`8e579730 fffff803`45010665
FLTMGR!FltpDispatch+0x8b
05 ffffc905`8e579790 fffff803`4540142c
nt!IofCallDriver+0x55
06 ffffc905`8e5797d0 fffff803`453ce0d9
nt!IopSynchronousServiceTail+0x34c
07 ffffc905`8e579870 fffff803`454687c6
nt!IopWriteFile+0x23d
08 ffffc905`8e579970 fffff803`45210ef5
nt!NtWriteFile+0x996
09 ffffc905`8e579a90 00007ffb`9b60d0e4
nt!KiSystemServiceCopyEnd+0x25
0a 0000005c`50c7c508 00007ffb`991d5326
ntdll!NtWriteFile+0x14
0b 0000005c`50c7c510 0000005c`50c7cc20
0x00007ffb`991d5326
0c 0000005c`50c7c518 00007ffb`991d5fe6
0x0000005c`50c7cc20
0d 0000005c`50c7c520 00000000`00000000
0x00007ffb`991d5fe6
0: kd> u
FLTMGR!FltpPerformPreCallbacksWorker+0x36c-20
L10
FLTMGR!FltpPerformPreCallbacksWorker+0x34c:
fffff803`469d64ac 4883781000 cmp qword
ptr [rax+10h],0
fffff803`469d64b1 0f8564a60000 jne
FLTMGR!FltpPerformPreCallbacksWorker+0xa9bb
(fffff803`469e0b1b)
fffff803`469d64b7 498b4618 mov
rax,qword ptr [r14+18h]
fffff803`469d64bb 4c8d45b7 lea r8,
[rbp-49h]
fffff803`469d64bf 488d55df lea rdx,
[rbp-21h]
fffff803`469d64c3 488bce mov
rcx,rsi
fffff803`469d64c6 ff157ca50200 call qword
ptr [FLTMGR!_guard_dispatch_icall_fptr
(fffff803`46a00a48)]
fffff803`469d64cc 894597 mov dword
ptr [rbp-69h],eax
fffff803`469d64cf 8bf0 mov
esi,eax
fffff803`469d64d1 83f802 cmp eax,2
fffff803`469d64d4 0f8421060000 je
FLTMGR!FltpPerformPreCallbacksWorker+0x99b
(fffff803`469d6afb)
fffff803`469d64da 488b0577430200 mov
rax,qword ptr [FLTMGR!FltGlobals+0x1258
(fffff803`469fa858)]
在fffff803`469d64c6下条件断点
注意事项
为了不让我们的演示驱动一直触发,我们需要将dbgbreak指
令删掉,在调试器中将其修改为90即可
fffff803`469d64e1 4883781800 cmp qword
ptr [rax+18h],0
fffff803`469d64e6 0f85e9a60000 jne
FLTMGR!FltpPerformPreCallbacksWorker+0xaa75
(fffff803`469e0bd5)
fffff803`469d64ec 4883782000 cmp qword
ptr [rax+20h],0
fffff803`469d64f1 0f85dea60000 jne
FLTMGR!FltpPerformPreCallbacksWorker+0xaa75
(fffff803`469e0bd5)
ba e1 fffff803`469d64c6 "r rax;u rax;g"
0: kd> bl
0: kd> k
# Child-SP RetAddr Call
Site
00 ffffc905`8e579490 fffff803`469d64cc
FsFilterDemo2!OnPreWrite+0x18
[c:\users\administrator\desktop\winobj源码阅读笔记
\rwetrytuo234awradfa234sdf\fsfilter.cpp @ 215]
01 ffffc905`8e579530 fffff803`469d5f7a
FLTMGR!FltpPerformPreCallbacksWorker+0x36c
02 ffffc905`8e579650 fffff803`469d5021
FLTMGR!FltpPassThroughInternal+0xca
03 ffffc905`8e5796a0 fffff803`469d4a2b
FLTMGR!FltpPassThrough+0x541
04 ffffc905`8e579730 fffff803`45010665
FLTMGR!FltpDispatch+0x8b
05 ffffc905`8e579790 fffff803`4540142c
nt!IofCallDriver+0x55
06 ffffc905`8e5797d0 fffff803`453ce0d9
nt!IopSynchronousServiceTail+0x34c
07 ffffc905`8e579870 fffff803`454687c6
nt!IopWriteFile+0x23d
08 ffffc905`8e579970 fffff803`45210ef5
nt!NtWriteFile+0x996
09 ffffc905`8e579a90 00007ffb`9b60d0e4
nt!KiSystemServiceCopyEnd+0x25
0a 0000005c`50c7c508 00007ffb`991d5326
ntdll!NtWriteFile+0x14
0b 0000005c`50c7c510 0000005c`50c7cc20
0x00007ffb`991d5326
0c 0000005c`50c7c518 00007ffb`991d5fe6
0x0000005c`50c7cc20
0d 0000005c`50c7c520 00000000`00000000
0x00007ffb`991d5fe6
0: kd> u FsFilterDemo2!OnPreWrite+0x18 -10 L10
FsFilterDemo2!OnPreWrite+0x8
[c:\users\administrator\desktop\winobj源码阅读笔记
\rwetrytuo234awradfa234sdf\fsfilter.cpp @ 212]:
fffff803`5c702cf8 2410 and al,10h
fffff803`5c702cfa 48894c2408 mov qword
ptr [rsp+8],rcx
fffff803`5c702cff 56 push rsi
fffff803`5c702d00 57 push rdi
fffff803`5c702d01 4881ec88000000 sub
rsp,88h
fffff803`5c702d08 cc int 3
fffff803`5c702d09 488d05f0220000 lea rax,
[FsFilterDemo2!WPP_GLOBAL_Control
(fffff803`5c705000)]
fffff803`5c702d10 483905e9220000 cmp qword
ptr [FsFilterDemo2!WPP_GLOBAL_Control
(fffff803`5c705000)],rax
fffff803`5c702d17 0f848a000000 je
FsFilterDemo2!OnPreWrite+0xb7
(fffff803`5c702da7)
fffff803`5c702d1d b840000000 mov
eax,40h
fffff803`5c702d22 486bc000 imul
rax,rax,0
fffff803`5c702d26 488b0dd3220000 mov
rcx,qword ptr [FsFilterDemo2!WPP_GLOBAL_Control
(fffff803`5c705000)]
fffff803`5c702d2d 4803c8 add
rcx,rax
fffff803`5c702d30 488bc1 mov
rax,rcx
fffff803`5c702d33 b904000000 mov ecx,4
fffff803`5c702d38 486bc900 imul
rcx,rcx,0
0: kd> eb fffff803`5c702d08 90
0: kd> u FsFilterDemo2!OnPreWrite+0x18 -10 L10
FsFilterDemo2!OnPreWrite+0x8
[c:\users\administrator\desktop\winobj源码阅读笔记
\rwetrytuo234awradfa234sdf\fsfilter.cpp @ 212]:
fffff803`5c702cf8 2410 and al,10h
fffff803`5c702cfa 48894c2408 mov qword
ptr [rsp+8],rcx
fffff803`5c702cff 56 push rsi
fffff803`5c702d00 57 push rdi
fffff803`5c702d01 4881ec88000000 sub
rsp,88h
fffff803`5c702d08 90 nop
fffff803`5c702d09 488d05f0220000 lea rax,
[FsFilterDemo2!WPP_GLOBAL_Control
(fffff803`5c705000)]
fffff803`5c702d10 483905e9220000 cmp qword
ptr [FsFilterDemo2!WPP_GLOBAL_Control
(fffff803`5c705000)],rax
fffff803`5c702d17 0f848a000000 je
FsFilterDemo2!OnPreWrite+0xb7
(fffff803`5c702da7)
fffff803`5c702d1d b840000000 mov
eax,40h
fffff803`5c702d22 486bc000 imul
rax,rax,0
fffff803`5c702d26 488b0dd3220000 mov
rcx,qword ptr [FsFilterDemo2!WPP_GLOBAL_Control
(fffff803`5c705000)]
fffff803`5c702d2d 4803c8 add
rcx,rax
fffff803`5c702d30 488bc1 mov
rax,rcx
fffff803`5c702d33 b904000000 mov ecx,4
fffff803`5c702d38 486bc900 imul
rcx,rcx,0
忽略单步异常,省得他老是断

一种获取minifilter各种pre/post函数地址的方法
结果
运行驱动前先拍个快照
放行个10分钟左右就差不多了
然后将调试器的输出排序去重处理一下即可
这个时候,你break调试器是没反应的,所以我建议直接挂起
虚拟机,然后重启windbg
然后resume虚拟机
直接搜索rax=,使用如下正则替换
之后排序去重
之后使用提换正则^为u (注意u后面有一个空格)
在调试器中执行命令即可
获取到的所有pre函数地址如下:(post同理)
使用的正则替换表达式为
.*?rax=
:
.*?kd\>.*?$
ffff.*?$
FsFilterDemo2!OnPreWrite
[c\users\administrator\desktop\winobj源码阅读笔记
\rwetrytuo234awradfa234sdf\fsfilter.cpp @ 212]
Wof!WofPreAcquireForSectionCreationCallback
Wof!WofPreCreateCallback
Wof!WofPreFileSystemControlCallback
Wof!WofPreReadCallback
fileinfo!FIPreCleanupCallback
fileinfo!FIPreCloseCallback
fileinfo!FIPreCreateCallback
fileinfo!FIPreFSControlCallback
fileinfo!FIPreQueryInformationCallback
fileinfo!FIPreReadWriteCallback
klbackupflt+0x5c40
klbackupflt+0x5da0
klbackupflt+0x5df0
klbackupflt+0x5eb0
klif+0x43d30
klif+0xcb4f0
klif+0xcbe40
klif+0xcf510
klif+0xd1540
klif+0xd2200
klif+0xd25d0
luafv!LuafvPreAcquireForSectionSynchronization
luafv!LuafvPreCleanup
luafv!LuafvPreClose
luafv!LuafvPreCreate
luafv!LuafvPreFileSystemControl
luafv!LuafvPreLockControl
luafv!LuafvPreNetworkQueryOpen
luafv!LuafvPreQueryInformation
luafv!LuafvPreRedirect
luafv!LuafvPreRedirectWithCallback
luafv!LuafvPreReleaseForSectionSynchronization
luafv!LuafvPreWrite
wcifs!WcPreAcquireForSectionSynchronization
wcifs!WcPreCleanup
wcifs!WcPreClose
wcifs!WcPreCreate
wcifs!WcPreFsControl
wcifs!WcPreLockControl
wcifs!WcPreNetworkQueryOpen
wcifs!WcPreQueryInformation
wcifs!WcPreQueryVolumeInformation
wcifs!WcPreRead
wcifs!WcPreReleaseForSectionSynchronization
问题
但是我们现在还不知道这些函数究竟对应的是什么操作,通过
上面的操作,我们已经知道了哪些驱动注册了filter
0: kd> lm m *klbackupflt*
Browse full module list
start end module
name
fffff803`48be0000 fffff803`48c17000
klbackupflt (no symbols)
0: kd> lmDvmklbackupflt
Browse full module list
start end module
name
fffff803`48be0000 fffff803`48c17000
klbackupflt (no symbols)
Loaded symbol image file: klbackupflt.sys
Image path:
\SystemRoot\system32\DRIVERS\KES-21-
9\klbackupflt.sys
Image name: klbackupflt.sys
Browse all global symbols functions data
Timestamp: Fri Nov 25 04:40:13 2022
(637FD6AD)
CheckSum: 0003B9F0
这时候我们只需要使用ida打开驱动文件
在导入表搜索FltRegisterFilter
找到偏移量
ImageSize: 00037000
File version: 30.1083.0.320
Product version: 30.1083.0.320
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
Information from resource tables:
CompanyName: AO Kaspersky Lab
ProductName: Coretech Delivery
InternalName: klbackupflt
ProductVersion: 30.1083.0.320-
0349ffd299
FileVersion: 30.1083.0.320
FileDescription: Backup File Filter
[fre_win7_x64]
LegalCopyright: © 2022 AO Kaspersky
Lab. All Rights Reserved.
LegalTrademarks: Registered trademarks
and service marks are the property of their
respective owners

一种获取minifilter各种pre/post函数地址的方法
在windbg中获取resgistration变量的地址
0: kd> u 006449 + klbackupflt -10
klbackupflt+0x6439:
fffff803`48be6439 8d0599800200 lea eax,
[klbackupflt+0x2e4d8 (fffff803`48c0e4d8)]
fffff803`48be643f 488bcf mov
rcx,rdi
fffff803`48be6442 488d15b77b0200 lea rdx,
[klbackupflt+0x2e000 (fffff803`48c0e000)]
fffff803`48be6449 e862ab0100 call
klbackupflt+0x20fb0 (fffff803`48c00fb0)
fffff803`48be644e 8bd8 mov
ebx,eax
fffff803`48be6450 85c0 test
eax,eax
fffff803`48be6452 7812 js
klbackupflt+0x6466 (fffff803`48be6466)
fffff803`48be6454 488b0d7d800200 mov
rcx,qword ptr [klbackupflt+0x2e4d8
(fffff803`48c0e4d8)]
0: kd> dt _FLT_REGISTRATION fffff80348c0e000
FLTMGR!_FLT_REGISTRATION
+0x000 Size : 0x68
+0x002 Version : 0x202
+0x004 Flags : 1
获取到OPERATION_REGISTRATION的地址
0xfffff80348c0a920
这个东西是一个数组,最后以0x80结尾
+0x008 ContextRegistration :
0xfffff803`48c0a840 _FLT_CONTEXT_REGISTRATION
+0x010 OperationRegistration :
0xfffff803`48c0a920 _FLT_OPERATION_REGISTRATION
+0x018 FilterUnloadCallback :
0xfffff803`48be5f40 long +0
+0x020 InstanceSetupCallback :
0xfffff803`48be56c0 long +0
+0x028 InstanceQueryTeardownCallback : (null)
+0x030 InstanceTeardownStartCallback :
0xfffff803`48be5b20 void +0
+0x038 InstanceTeardownCompleteCallback :
0xfffff803`48be1360 void +0
+0x040 GenerateFileNameCallback : (null)
+0x048 NormalizeNameComponentCallback :
(null)
+0x050 NormalizeContextCleanupCallback :
(null)
+0x058 TransactionNotificationCallback :
(null)
+0x060 NormalizeNameComponentExCallback :
(null)
+0x068 SectionNotificationCallback :
0x00000000`00c80090 long +c80090
每一个entry都是一个FLT_OPERATION_REGISTRATION结构
体,占用0x20bytes
0: kd> dq /c 1 0xfffff80348c0a920 L40
fffff803`48c0a920 00000000`00000000
fffff803`48c0a928 fffff803`48be5c40
fffff803`48c0a930 fffff803`48be5c90
fffff803`48c0a938 00000000`00000000
fffff803`48c0a940 00000000`00000002
fffff803`48c0a948 00000000`00000000
fffff803`48c0a950 00000000`00000000
fffff803`48c0a958 00000000`00000000
fffff803`48c0a960 00000001`00000004
fffff803`48c0a968 fffff803`48be5da0
fffff803`48c0a970 00000000`00000000
fffff803`48c0a978 00000000`00000000
fffff803`48c0a980 00000001`00000006
fffff803`48c0a988 fffff803`48be5cf0
fffff803`48c0a990 fffff803`48be5d40
fffff803`48c0a998 00000000`00000000
fffff803`48c0a9a0 00000000`0000000d
fffff803`48c0a9a8 fffff803`48be5df0
fffff803`48c0a9b0 fffff803`48be5e40
fffff803`48c0a9b8 00000000`00000000
fffff803`48c0a9c0 00000000`00000012
fffff803`48c0a9c8 00000000`00000000
fffff803`48c0a9d0 00000000`00000000
fffff803`48c0a9d8 00000000`00000000
fffff803`48c0a9e0 00000000`0000001b
fffff803`48c0a9e8 fffff803`48be5f00
fffff803`48c0a9f0 00000000`00000000
fffff803`48c0a9f8 00000000`00000000
fffff803`48c0aa00 00000000`000000ff
每个entry的第一个doword就是IRP_MJ_CODE
fffff803`48c0aa08 fffff803`48be5eb0
fffff803`48c0aa10 00000000`00000000
fffff803`48c0aa18 00000000`00000000
fffff803`48c0aa20 00000000`000000fe
fffff803`48c0aa28 00000000`00000000
fffff803`48c0aa30 00000000`00000000
fffff803`48c0aa38 00000000`00000000
fffff803`48c0aa40 00000000`00000080
#define IRP_MJ_CREATE 0x00
#define IRP_MJ_CREATE_NAMED_PIPE 0x01
#define IRP_MJ_CLOSE 0x02
#define IRP_MJ_READ 0x03
#define IRP_MJ_WRITE 0x04
#define IRP_MJ_QUERY_INFORMATION 0x05
#define IRP_MJ_SET_INFORMATION 0x06
#define IRP_MJ_QUERY_EA 0x07
#define IRP_MJ_SET_EA 0x08
#define IRP_MJ_FLUSH_BUFFERS 0x09
#define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a
#define IRP_MJ_SET_VOLUME_INFORMATION 0x0b
#define IRP_MJ_DIRECTORY_CONTROL 0x0c
#define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d
#define IRP_MJ_DEVICE_CONTROL 0x0e
#define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f
#define IRP_MJ_SHUTDOWN 0x10
#define IRP_MJ_LOCK_CONTROL 0x11
#define IRP_MJ_CLEANUP 0x12
#define IRP_MJ_CREATE_MAILSLOT 0x13
#define IRP_MJ_QUERY_SECURITY 0x14
#define IRP_MJ_SET_SECURITY 0x15
然后执行命令:

一种获取minifilter各种pre/post函数地址的方法
自己对照code标注出每个函数的意义
pre同理
#define IRP_MJ_POWER 0x16
#define IRP_MJ_SYSTEM_CONTROL 0x17
#define IRP_MJ_DEVICE_CHANGE 0x18
#define IRP_MJ_QUERY_QUOTA 0x19
#define IRP_MJ_SET_QUOTA 0x1a
#define IRP_MJ_PNP 0x1b
#define IRP_MJ_PNP_POWER
IRP_MJ_PNP // Obsolete....
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b
dx @$myArrayAddr = 0xfffff80348c0a920
dx -g @$tableEntry = *
(FLTMGR!_FLT_OPERATION_REGISTRATION(*)
[0x100])@$myArrayAddr

 

https://gitee.com/wochinijiamile/smartya/raw/master/asduiasgdiuasgdiuagdiuasgid/%E4%B8%80%E7%A7%8D%E8%8E%B7%E5%8F%96minifilter%E5%90%84%E7%A7%8Dprepost%E5%87%BD%E6%95%B0%E5%9C%B0%E5%9D%80%E7%9A%84%E6%96%B9%E6%B3%95.pdf

 

 

原文始发于微信公众号():一种获取minifilter各种pre/post函数地址的方法

原文始发于微信公众号():一种获取minifilter各种pre/post函数地址的方法

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年6月8日13:54:10
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   一种获取minifilter各种pre/post函数地址的方法https://cn-sec.com/archives/2830759.html

发表评论

匿名网友 填写信息