内核API定位与Windows版本检测
本文介绍了一种在Windows内核模式下通过搜索kern32.dll来定位特定API地址的方法,并提供了一个用于检测不同Windows版本的实用函数。
* 在kern32.dll中搜索指定API地址
* Hash(WinExec) = 0x72dc Hash(LoadLibraryA) = 0xae14
*/
ULONG
SearchApi(WORD api_hash)
{
//搜索k32dll的API地址
PEPROCESS pSystemProcess = PsGetCurrentProcess(); //make sure you are running at IRQL PASSIVE_LEVEL
PLIST_ENTRY pCurrentList = (PLIST_ENTRY)((PUCHAR)pSystemProcess + 0xA0);
PLIST_ENTRY pTempList = pCurrentList;
PEPROCESS pEProcess = NULL;
do {
PPEB peb = NULL;
PUCHAR lpname = NULL;
pEProcess = (PEPROCESS)((PUCHAR)pTempList - 0xA0);
peb = (PPEB)(*(PULONG)((PUCHAR)pEProcess + 0x1b0));
lpname = (PUCHAR)pEProcess + 0x1fc;
KdPrint(("%s/n", lpname));
if ((peb != NULL)
&& (strncmp(lpname, "winlogon", 8) == 0))
{
ULONG api_addr = 0;
KeAttachProcess((PKPROCESS)pEProcess);
KdPrint(("ImageBaseAddress:%08x/n", peb->ImageBaseAddress));
_asm
{
mov eax, peb;
mov eax, [eax+0x0c];//ldr
mov esi, [eax+0x1c];//esi->ldr.InInitializationOrderMoudleList _LIST_ENTRY struct
lodsd; //eax = [esi];
mov ebx, [eax+0x08];//k32dll is the first! and baseaddress is follow _LIST_ENTRY
//now get pe image infos to find LoadLibrary and GetProcAddress API
//assert ebx is the pe image base!!!
mov ax, api_hash; //Hash(LoadLibraryA) = 0xae14
//Hash(WinExec) = 0x72dc
//call search_api;
//mov [ebp-4], eax; //this is LoadLibraryA API
//------------------------------------------------------------------------------
//ebx-PE Image Base,eax-hash of api name, return eax!!!
//------------------------------------------------------------------------------
//search_api:
mov edx, eax;
mov eax, [ebx+0x3c]; //File address of the new exe header
mov eax, [eax+ebx+0x78]; //pe base ->data directory[16]
add eax, ebx; //get directory[0] Address ->export table ->eax
mov esi, [eax+0x20]; //get export funs names rva
add esi, ebx; //esi->export names table address
//mov ecx, [eax+0x18]; //get export funs numbers
xor ecx, ecx;
//search funs name tables
next_api:
mov edi, [esi+ecx*4]; //
add edi, ebx;
//-----------------------------------
//计算[edi]字符串的hash值
//-----------------------------------
pushad;
xor eax, eax;
cacul_next:
shl eax, 2;
movzx ecx, byte ptr[edi];
add ax, cx;
inc edi;
inc ecx;
loop cacul_next;
//test edx!!!
cmp ax, dx;
jz search_end;
popad;
inc ecx;
jmp next_api;
search_end:
popad;
//ecx is the GetProcAdress index
mov eax, [eax+0x1c];
add eax, ebx;
mov eax, [eax+4*ecx];
add eax, ebx;
mov api_addr, eax;
//ret;
}
KdPrint(("%08x/n", api_addr));
KeDetachProcess();
return api_addr;
}
pTempList = pTempList->Flink;
} while(pCurrentList != pTempList);
return 0;
}
注意!仍然存在硬编码(主要是操作系统的EProcess数据结构各操作系统有变化)
测试操作的代码,该办法比PsGetVersion管用:-)PsGetVersion居然无法确定Windows2003 5.2.3790.0 和Windows2003 SP1 5.2.3790.1830
基于我假定EPROCESS数据结构变化,则EPROCESS中的镜像文件偏移必然变化的前提!!!希望大家帮我完善下
#define BASE_PROCESS_NAME_OFFSET_2K 0x01FC//NT5.0.2195.7133
#define BASE_PROCESS_NAME_OFFSET_XP 0x0174//NT5.1.2600.3093
#define BASE_PROCESS_NAME_OFFSET_2K3 0x0154//nt5.2.3790.0
#define BASE_PROCESS_NAME_OFFSET_2K3_SP1 0x0164//nt5.2.3790.1830
#define BASE_PROCESS_NAME_OFFSET_VISTA 0x014c
WORD GetWindowsVersion()
{
PEPROCESS pSystemProcess = PsGetCurrentProcess();
WORD offset;
for (offset=0; offset < PAGE_SIZE; offset++)
{
if(strncmp("System", (PCHAR)pSystemProcess + offset, 6) == 0)
{
g_EProcessOffset.wOffsetName = offset;
KdPrint(("%08x", offset));
switch (offset)
{
case BASE_PROCESS_NAME_OFFSET_2K:
KdPrint(("WINDOWS_VERSION_2K/n"));
return WINDOWS_VERSION_2K;
break;
case BASE_PROCESS_NAME_OFFSET_XP:
KdPrint(("WINDOWS_VERSION_XP/n"));
return WINDOWS_VERSION_XP;
break;
case BASE_PROCESS_NAME_OFFSET_2K3:
KdPrint(("WINDOWS_VERSION_2K3/n"));
return WINDOWS_VERSION_2K3;
break;
case BASE_PROCESS_NAME_OFFSET_2K3_SP1:
KdPrint(("WINDOWS_VERSION_2K3_SP1/n"));
return WINDOWS_VERSION_2K3_SP1;
break;
case BASE_PROCESS_NAME_OFFSET_VISTA:
KdPrint(("WINDOWS_VERSION_VISTA/n"));
return WINDOWS_VERSION_VISTA;
break;
default:
return WINDOWS_VERSION_NONE;
}
}
}
return WINDOWS_VERSION_NONE;
}
扫一扫
13万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
