n",minAddress));
KdPrint(("[FindFileOffsetByRva] SeFileOffset :0x%x\n",SeFileOffset));
FileOffset = Rva - ( minAddress - SeFileOffset);
KdPrint(("[FindFileOffsetByRva] FileOffset :0x%x\n",FileOffset));
break ;
}
}
return FileOffset;
}
//路径解析出子进程名
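// Extract the file name component (text after the last '\\') of a module path.
//
// ProcessPath : NUL-terminated path such as "\SystemRoot\system32\ntoskrnl.exe".
//               A path with no backslash is treated as a bare file name and is
//               copied as a whole.
// ProcessName : destination buffer; receives the NUL-terminated file name.
//               The interface carries no destination size, so the caller must
//               provide at least strlen(name) + 1 bytes (the caller in this
//               file passes a 32-byte buffer, which bounds the copy to
//               31-character names).
//
// Fixes relative to the previous version: the old loop walked backwards until
// it found '\\' and would read before the start of the buffer when the path
// had no separator (or was empty); and strncpy() with an exact count left the
// result without a terminator, relying on the caller to have zeroed the buffer.
// The result is now always NUL-terminated.
void GetModuleName( char *ProcessPath, char *ProcessName)
{
    const char *sep;
    const char *base;
    size_t len;

    if (ProcessName == NULL) {
        return;
    }
    if (ProcessPath == NULL) {
        ProcessName[0] = '\0';
        return;
    }

    // strrchr() handles the "no separator" case without scanning past the
    // start of the string.
    sep = strrchr(ProcessPath, '\\');
    base = (sep != NULL) ? sep + 1 : ProcessPath;

    // Copy the name together with its terminator.
    len = strlen(base);
    memcpy(ProcessName, base, len + 1);
}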
/****************************************************************************************
*
* 根据传入的服务号得到函数原始地址
*
****************************************************************************************/
ULONG FindOriAddress( ULONG index )
{
//根据传入的index得到函数VA地址
//重定位函数地址
//BaseAddress - 0x00400000 + *(PULONG)(FileOffset+(index*4))
//ZwQuerySystemInformation得到内核文件基地址
//得到SSDT表的地址
//得到SSDT RVA 查找SSDT RVA所在的节
NTSTATUS status;
ULONG size;
ULONG BaseAddress;
ULONG SsdtRva;
ULONG FileOffset = 0;
PSYSMODULELIST list;
char Name[32]={0};
char PathName[256] = "
\\SystemRoot\\system32\\";
ANSI_STRING name;
UNICODE_STRING modulename;
OBJECT_ATTRIBUTES object_attributes;
IO_STATUS_BLOCK io_status = {0};
HANDLE hFile;
//读取的位置
ULONG location;
LARGE_INTEGER offset;
ULONG address;
//得到需要申请的内存大小
ZwQuerySystemInformation( SystemModuleInformation,&size,0,&size );
//申请内存
list = (PSYSMODULELIST) ExAllocatePool( NonPagedPool,size );
//验证是否申请成功
if( list == NULL)
{
//申请失败
KdPrint(("[FindOriAddress] malloc memory failed\n"));
ExFreePool(list);
return 0;
}
status = ZwQuerySystemInformation( SystemModuleInformation,list,size,0);
if( !NT_SUCCESS( status ))
{
//获取信息失败
KdPrint(("[FindOriAddress] query failed\n"));
KdPrint(("[FindOriAddress] status:0x%x\n",status));
ExFreePool(list);
return 0;
}
//得到模块基址,第一个模块为内核文件
BaseAddress = (ULONG )list->smi[0].Base;
KdPrint(("[FindOriAddress] BaseAddress:0x%x\n",BaseAddress));
//分离出内核文件名
GetModuleName(list->smi[0].ImageName,Name);
KdPrint(("[FindOriAddress] processname:%s\n",Name));
strcat(PathName,Name);
RtlInitAnsiString(&name,PathName);
RtlAnsiStringToUnicodeString(&modulename,&name,TRUE);
KdPrint(("[FindOriAddress] modulename: %wZ\n",&modulename));
ExFreePool(list);
//经验证地址正确
//得到SSDT表的Rva
SsdtRva = (ULONG)KeServiceDescriptorTable->ServiceTableBase - BaseAddress;
//验证
KdPrint(("[FindOriAddress] SsdtRva:0x%x\n",SsdtRva));
//根据RVA查找文件偏移,//得到文件偏移了
FileOffset= FindFileOffsetByRva( BaseAddress,SsdtRva);
KdPrint(("[FindOriAddress] FileOffset:0x%x\n",FileOffset));
//读取的位置
location = FileOffset + index * 4;
offset.QuadPart =location;
KdPrint(("[FindOriAddress] location:0x%x\n",location));
//利用ZwReadFile读取文件
//初始化OBJECT_ATTRIBUTES结构
InitializeObjectAttributes(
& |