0

基于本文,我使用以下代码获取影子表的地址,并且从 WinXP x86 到 Win8.1 x86(经过测试的操作系统)完美运行,仅在无法找到地址的 Win10 x86 上工作。

#include <ntddk.h>
#include "ntapi.h"

typedef NTPROC * PNTPROC;

typedef struct tag_SYSTEM_SERVICE_TABLE {
    PNTPROC   ServiceTable; // array of entry points to the calls
    int  CounterTable; // array of usage counters
    ULONG ServiceLimit; // number of table entries
    PCHAR ArgumentTable; // array of argument counts
} SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE, **PPSYSTEM_SERVICE_TABLE;

typedef struct tag_SERVICE_DESCRIPTOR_TABLE {
    SYSTEM_SERVICE_TABLE ntoskrnl; // main native API table
    SYSTEM_SERVICE_TABLE win32k; // win subsystem, in shadow table
    SYSTEM_SERVICE_TABLE sst3;
    SYSTEM_SERVICE_TABLE sst4;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE, **PPSERVICE_DESCRIPTOR_TABLE;

extern "C" NTOSAPI SYSTEM_SERVICE_TABLE KeServiceDescriptorTable;
extern "C" __declspec(dllimport) NTSTATUS NTAPI KeAddSystemServiceTable(ULONG, ULONG, ULONG, ULONG, ULONG);

PSERVICE_DESCRIPTOR_TABLE __stdcall GetServiceDescriptorShadowTableAddress() {
    char * check = (char *)KeAddSystemServiceTable;
    PSERVICE_DESCRIPTOR_TABLE rc = NULL; int i;
    for (i = 0; i < 1024; i++) {
        rc = *(PPSERVICE_DESCRIPTOR_TABLE)check;
        if (!MmIsAddressValid(rc) || ((PVOID)rc == (PVOID)&KeServiceDescriptorTable)
            || (memcmp(rc, &KeServiceDescriptorTable, sizeof(SYSTEM_SERVICE_TABLE)))) {
            check++; rc = NULL;
        }
        if (rc)
            break;
    }
    return rc;
}

VOID DriverUnload(IN PDRIVER_OBJECT DriverObject) {
    DbgPrint("DriverUnload()!\n");
    return;
}

extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath) {

    NTSTATUS NtStatus = STATUS_SUCCESS;

    pDriverObject->DriverUnload = DriverUnload;
    DbgPrint("DriverEntry()!\n");


    PSERVICE_DESCRIPTOR_TABLE pShadow = GetServiceDescriptorShadowTableAddress();
        if (pShadow) {

               DbgPrint("SSDT Shadow address found!");
        }
        else
            DbgPrint("Error: Can't get Win32k Address!\n");



    return NtStatus;
}

ntapi.h

有人可以帮忙吗?

4

0 回答 0