SSDT原始地址, 现在地址

最新推荐文章于 2022-03-17 16:00:19 发布

wangsizhe09

最新推荐文章于 2022-03-17 16:00:19 发布

阅读量711

点赞数

分类专栏： Rootkit﹏文章标签： listview header image module list byte

本文链接：https://blog.youkuaiyun.com/wangsizhe09/article/details/5911844

版权

Rootkit﹏专栏收录该内容

15 篇文章

订阅专栏

#include <windows.h> #include <winnt.h> #include <WindowsX.h> #include <commctrl.h> #include <stdio.h> #define ibaseDD *(PDWORD)&ibase HINSTANCE g_hInst; HWND hWinMain,hList; #define ID_LISTVIEW 104 #pragma comment(lib,"comctl32") typedef ULONG NTSTATUS; #define RVATOVA(base,offset) ((PVOID)((DWORD)(base)+(DWORD)(offset))) #define ibaseDD *(PDWORD)&ibase #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) typedef struct { WORD offset:12; WORD type:4; } IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY; typedef ULONG (WINAPI *ZWQUERYSYSTEMINFORMATION)( DWORD SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL; typedef enum _SYSDBG_COMMAND { // 以下是NT 5.1 新增的 //从内核空间拷贝到用户空间，或者从用户空间拷贝到用户空间 //但是不能从用户空间拷贝到内核空间 SysDbgReadVirtualMemory = 8, //从用户空间拷贝到内核空间，或者从用户空间拷贝到用户空间 //但是不能从内核空间拷贝到用户空间 SysDbgWriteVirtualMemory = 9, } SYSDBG_COMMAND, *PSYSDBG_COMMAND; typedef struct _MEMORY_CHUNKS { ULONG Address; PVOID Data; ULONG Length; }MEMORY_CHUNKS, *PMEMORY_CHUNKS; typedef NTSTATUS (NTAPI * ZWSYSTEMDEBUGCONTROL) ( SYSDBG_COMMAND ControlCode, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength, PULONG ReturnLength ); ZWSYSTEMDEBUGCONTROL ZwSystemDebugControl = NULL; typedef struct _SYSTEM_MODULE_INFORMATION { //Information Class 11 ULONG Reserved[2]; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT Unknown; USHORT LoadCount; USHORT ModuleNameOffset; CHAR ImageName[256]; }SYSTEM_MODULE_INFORMATION,*PSYSTEM_MODULE_INFORMATION; #define SystemModuleInformation 11 typedef struct { CHAR fname[100]; ULONG address1; ULONG address2; } SSDT_LIST_ENTRY; SSDT_LIST_ENTRY *ssdt_list; / BOOL LocateNtdllEntry() { HMODULE ntdll_dll = NULL; if (!(ntdll_dll = GetModuleHandle("ntdll.dll"))) return FALSE; if ( !( ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(ntdll_dll, "ZwQuerySystemInformation" ))) return FALSE; if ( !( ZwSystemDebugControl = (ZWSYSTEMDEBUGCONTROL)GetProcAddress(ntdll_dll, "ZwSystemDebugControl" ))) return FALSE; return TRUE; } // BOOL DebugPrivilege(TCHAR *PName,BOOL bEnable) { BOOL fOk = FALSE; HANDLE hToken; TOKEN_PRIVILEGES tp; if(OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,&hToken)) { tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0; LookupPrivilegeValue(NULL,PName,&tp.Privileges[0].Luid); AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL); fOk=(GetLastError() == ERROR_SUCCESS); CloseHandle(hToken); } return fOk; } // DWORD GetHeaders(PCHAR ibase, PIMAGE_FILE_HEADER *pfh, PIMAGE_OPTIONAL_HEADER *poh, PIMAGE_SECTION_HEADER *psh) { PIMAGE_DOS_HEADER mzhead=(PIMAGE_DOS_HEADER)ibase; if ((mzhead->e_magic!=IMAGE_DOS_SIGNATURE) || (ibaseDD[mzhead->e_lfanew]!=IMAGE_NT_SIGNATURE)) return FALSE; *pfh=(PIMAGE_FILE_HEADER)&ibase[mzhead->e_lfanew]; if (((PIMAGE_NT_HEADERS)*pfh)->Signature!=IMAGE_NT_SIGNATURE) return FALSE; *pfh=(PIMAGE_FILE_HEADER)((PBYTE)*pfh+sizeof(IMAGE_NT_SIGNATURE)); *poh=(PIMAGE_OPTIONAL_HEADER)((PBYTE)*pfh+sizeof(IMAGE_FILE_HEADER)); if ((*poh)->Magic!=IMAGE_NT_OPTIONAL_HDR32_MAGIC) return FALSE; *psh=(PIMAGE_SECTION_HEADER)((PBYTE)*poh+sizeof(IMAGE_OPTIONAL_HEADER)); return TRUE; } // // 搜索函数名称 // void FindExport() { PIMAGE_FILE_HEADER pfh; PIMAGE_OPTIONAL_HEADER poh; PIMAGE_SECTION_HEADER psh; PIMAGE_EXPORT_DIRECTORY ped; DWORD *arrayOfFunctionNames; DWORD* arrayOfFunctionAddresses; WORD* arrayOfFunctionOrdinals; DWORD functionOrdinal,functionAddress; HMODULE hNtdll=GetModuleHandle(TEXT("ntdll.dll")); GetHeaders((PCHAR)hNtdll,&pfh,&poh,&psh); if (poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) { ped=(PIMAGE_EXPORT_DIRECTORY)(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress+(BYTE*)hNtdll); arrayOfFunctionNames=(DWORD*)(ped->AddressOfNames+(BYTE*)hNtdll); arrayOfFunctionAddresses = (DWORD*)( (BYTE*)hNtdll + ped->AddressOfFunctions); arrayOfFunctionNames = (DWORD*)( (BYTE*)hNtdll + ped->AddressOfNames); arrayOfFunctionOrdinals = (WORD*)( (BYTE*)hNtdll + ped->AddressOfNameOrdinals); for (int i=0;i<(int)(ped->NumberOfNames);i++) { char* fun_name= (char*)((BYTE*)hNtdll + arrayOfFunctionNames[i]); functionOrdinal = arrayOfFunctionOrdinals[i] + ped->Base - 1; functionAddress = (DWORD)( (BYTE*)hNtdll + arrayOfFunctionAddresses[functionOrdinal]); if (fun_name[0]=='N'&&fun_name[1]=='t') { WORD number=*((WORD*)(functionAddress+1)); if (number>ped->NumberOfNames) continue; lstrcpy(ssdt_list[number].fname,fun_name); } } } } DWORD FindKiServiceTable(HMODULE hModule,DWORD dwKSDT) { PIMAGE_FILE_HEADER pfh; PIMAGE_OPTIONAL_HEADER poh; PIMAGE_SECTION_HEADER psh; PIMAGE_BASE_RELOCATION pbr; PIMAGE_FIXUP_ENTRY pfe; DWORD dwFixups=0,i,dwPointerRva,dwPointsToRva,dwKiServiceTable; BOOL bFirstChunk; GetHeaders((PCHAR)hModule,&pfh,&poh,&psh); // loop thru relocs to speed up the search if ((poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) && (!((pfh->Characteristics)&IMAGE_FILE_RELOCS_STRIPPED))) { pbr=(PIMAGE_BASE_RELOCATION)RVATOVA(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress,hModule); bFirstChunk=TRUE; // 1st IMAGE_BASE_RELOCATION.VirtualAddress of ntoskrnl is 0 while (bFirstChunk || pbr->VirtualAddress) { bFirstChunk=FALSE; pfe=(PIMAGE_FIXUP_ENTRY)((DWORD)pbr+sizeof(IMAGE_BASE_RELOCATION)); for (i=0;i<(pbr->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))>>1;i++,pfe++) { if (pfe->type==IMAGE_REL_BASED_HIGHLOW) { dwFixups++; dwPointerRva=pbr->VirtualAddress+pfe->offset; // DONT_RESOLVE_DLL_REFERENCES flag means relocs aren't fixed dwPointsToRva=*(PDWORD)((DWORD)hModule+dwPointerRva)-(DWORD)poh->ImageBase; // does this reloc point to KeServiceDescriptorTable.Base? if (dwPointsToRva==dwKSDT) { // check for mov [mem32],imm32. we are trying to find // "mov ds:_KeServiceDescriptorTable.Base, offset _KiServiceTable" // from the KiInitSystem. if (*(PWORD)((DWORD)hModule+dwPointerRva-2)==0x05c7) { // should check for a reloc presence on KiServiceTable here // but forget it dwKiServiceTable=*(PDWORD)((DWORD)hModule+dwPointerRva+4)-poh->ImageBase; return dwKiServiceTable; } } } // should never get here } *(PDWORD)&pbr+=pbr->SizeOfBlock; } } return 0; } DWORD dwKSDT; // rva of KeServiceDescriptorTable DWORD dwKiServiceTable; // rva of KiServiceTable DWORD dwKernelBase,dwServices=0; // void GetSSDT() { HMODULE hKernel; PCHAR pKernelName; PDWORD pService; PIMAGE_FILE_HEADER pfh; PIMAGE_OPTIONAL_HEADER poh; PIMAGE_SECTION_HEADER psh; ULONG n; // get system modules - ntoskrnl is always first there ZwQuerySystemInformation(SystemModuleInformation,&n,0,&n); PULONG p=new ULONG[n]; ZwQuerySystemInformation(SystemModuleInformation,p,n*sizeof(*p),0); PSYSTEM_MODULE_INFORMATION module=PSYSTEM_MODULE_INFORMATION(p+1); // imagebase dwKernelBase=(DWORD)module->Base; // filename - it may be renamed in the boot.ini pKernelName=module->ModuleNameOffset+module->ImageName; // map ntoskrnl - hopefully it has relocs hKernel=LoadLibraryEx(pKernelName,0,DONT_RESOLVE_DLL_REFERENCES); if (!hKernel) { return; } // our own export walker is useless here - we have GetProcAddress :) if (!(dwKSDT=(DWORD)GetProcAddress(hKernel,"KeServiceDescriptorTable"))) { return; } // get KeServiceDescriptorTable rva dwKSDT-=(DWORD)hKernel; // find KiServiceTable if (!(dwKiServiceTable=FindKiServiceTable(hKernel,dwKSDT))) { return; } // let's dump KiServiceTable contents // MAY FAIL!!! // should get right ServiceLimit here, but this is trivial in the kernel mode GetHeaders((PCHAR)hKernel,&pfh,&poh,&psh); dwServices=0; for (pService=(PDWORD)((DWORD)hKernel+dwKiServiceTable); *pService-poh->ImageBase<poh->SizeOfImage; pService++,dwServices++) { ssdt_list[dwServices].address1=*pService-poh->ImageBase+dwKernelBase; } FreeLibrary(hKernel); //读取现在的 MEMORY_CHUNKS QueryBuff; DWORD *address2=new DWORD[dwServices]; QueryBuff.Address = dwKernelBase+dwKiServiceTable; QueryBuff.Data = address2; QueryBuff.Length = sizeof(DWORD)*dwServices; DWORD ReturnLength; ZwSystemDebugControl ( SysDbgReadVirtualMemory, &QueryBuff, sizeof(MEMORY_CHUNKS), NULL, 0, &ReturnLength ); LV_ITEM lvi; lvi.mask = LVIF_TEXT; char tmp[10]; ListView_DeleteAllItems(hList); for (int j=0;j<(int)dwServices;j++) { lvi.iItem=j; lvi.iSubItem=0; lvi.pszText=tmp; wsprintf(tmp,"0x%02X",j); ListView_InsertItem(hList,&lvi); ListView_SetItemText(hList,j,1,ssdt_list[j].fname); wsprintf(tmp,"0x%08X",ssdt_list[j].address1); ListView_SetItemText(hList,j,2,tmp); wsprintf(tmp,"0x%08X",address2[j]); ssdt_list[j].address2=address2[j]; ListView_SetItemText(hList,j,3,tmp); //搜索模块 for (int i=0;i<(int)*p;i++) { if (ssdt_list[j].address2 > ( DWORD)module[i].Base&&ssdt_list[j].address2 < (DWORD)module[i].Base + module[i].Size ) { ListView_SetItemText(hList,j,4,module[i].ImageName); break; } } } delete [] p; delete [] address2; } int main() { ssdt_list=new SSDT_LIST_ENTRY[500]; LocateNtdllEntry(); FindExport(); DebugPrivilege (SE_DEBUG_NAME,TRUE); GetSSDT(); //恢复SSDT DWORD *address1=new DWORD[dwServices]; for (int i=0;i<(int)dwServices;i++) { //address1[i]=ssdt_list[i].address1; printf("原始地址：0x%08X,现在地址：0x%08X,SSDTName=%s/n",ssdt_list[i].address1,ssdt_list[i].address2,ssdt_list[i].fname); } MEMORY_CHUNKS QueryBuff; QueryBuff.Address=dwKiServiceTable+dwKernelBase; QueryBuff.Data=address1; QueryBuff.Length=dwServices*sizeof(DWORD); DWORD ReturnLength; ZwSystemDebugControl ( SysDbgWriteVirtualMemory, &QueryBuff, sizeof(MEMORY_CHUNKS), NULL, 0, &ReturnLength ); printf("恢复SSDT成功!/n"); // system("pause"); return 0; }