VC++实现恢复SSDT(八)
2014-11-23 19:02:12 来源: 作者: 【 】 浏览:62
Tags:实现 恢复 SSDT
yAddress] malloc memory failed\n"));
ExFreePool( List );
return 0;
}

status=ZwQuerySystemInformation(SystemModuleInformation,List,size,0);
if (!NT_SUCCESS(status))
{
KdPrint(("[FindModuleByAddress] query failed\n"));
//打印错误
KdPrint(("[FindModuleByAddress] status: 0x%x\n",status));
ExFreePool( List );
return 0;
}
for ( i=0; i < List->ulCount; i++ )
{

if( strcmp(List->smi[i].ImageName,"\\SystemRoot\\System32\\win32k.sys") == 0)
{
KdPrint(("[GetWin32Base]name :%s\n",List->smi[i].ImageName));
address = (ULONG)List->smi[i].Base;
KdPrint(("[GetWin32Base1] win32k.sys address:0x%x\n",address));
}

}
return address;
}
/*********************************************************************************************
*
* DRIVER_OBJECT.DriverSection points at this driver's own LDR_DATA_TABLE_ENTRY.
* That entry is linked (via InLoadOrderLinks) into the system's loaded-module
* list, and each entry carries the module's image name and base (DllBase).
*
*
**********************************************************************************************/
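/*
 * GetWin32Base2 - locate the load address of win32k.sys by walking the
 * kernel's loaded-module ring, entered through this driver's own
 * LDR_DATA_TABLE_ENTRY (DRIVER_OBJECT.DriverSection).
 *
 * driver:  the caller's DRIVER_OBJECT; DriverSection is used as the entry
 *          point into the InLoadOrderLinks list.
 * Returns: DllBase of the entry whose FullDllName compares equal
 *          (case-insensitive) to "\SystemRoot\System32\win32k.sys", or 0
 *          when no such entry exists or the inputs are NULL.
 *
 * Review notes (behaviour inherited from the original, flagged here):
 *  - The list is walked without taking PsLoadedModuleResource, so a
 *    concurrent driver load/unload can unlink an entry mid-walk.  Call this
 *    only where module churn is not expected (e.g. from DriverEntry).
 *  - FullDllName is a UNICODE_STRING and is not guaranteed to be
 *    NUL-terminated; _wcsicmp assumes a terminator.  RtlEqualUnicodeString
 *    against an RTL_CONSTANT_STRING would be the bounded comparison.
 *  - DllBase is truncated to ULONG, so the result is only meaningful on
 *    32-bit builds, consistent with the rest of this listing.
 */
ULONG GetWin32Base2( PDRIVER_OBJECT driver)
{
    PLIST_ENTRY head;
    PLIST_ENTRY cur;
    PLDR_DATA_TABLE_ENTRY entry;
    ULONG base = 0;

    /* The original dereferenced driver->DriverSection unconditionally;
     * a NULL driver object or a missing DriverSection would fault. */
    if (driver == NULL || driver->DriverSection == NULL)
    {
        KdPrint(("[GetWin32Base2] DriverSection unavailable\n"));
        return 0;
    }

    /* Start one past our own entry and stop when we wrap back to it,
     * so every entry in the ring (including ours) is visited once. */
    head = ((PLIST_ENTRY)driver->DriverSection)->Flink;
    cur = head;
    do
    {
        entry = CONTAINING_RECORD(cur, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);

        /* Skip entries with no image entry point or no name buffer. */
        if (entry->EntryPoint != NULL && entry->FullDllName.Buffer != NULL)
        {
            if (_wcsicmp(entry->FullDllName.Buffer, L"\\SystemRoot\\System32\\win32k.sys") == 0)
            {
                base = (ULONG)entry->DllBase;
                KdPrint(("[GetWin32Base2] win32k.sys address:0x%x\n", base));
                break;
            }
        }
        cur = cur->Flink;
    } while (cur != head);

    return base;
}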
/****************************************************************************************
*
* Given a service index, look up the original address of the corresponding
* SSDT Shadow entry (the function computes an RVA relative to the win32k.sys
* base and then a file offset to read from).
*
****************************************************************************************/
ULONG FindShadowOriAddress( ULONG index )
{
//内核文件win32k.sys基地址
//得到SSDT Shadow表的地址
//得到文件偏移
NTSTATUS status;
ULONG size;
ULONG BaseAddress;
ULONG ShadowBase;
ULONG ShadowAddress;
ULONG SsdtRva;
ULONG FileOffset = 0;
UNICODE_STRING modulename;


OBJECT_ATTRIBUTES object_attributes;
IO_STATUS_BLOCK io_status = {0};
HANDLE hFile;
//读取的位置
ULONG location;
LARGE_INTEGER offset;
ULONG address;

BaseAddress = GetWin32Base1();
KdPrint(("[FindShadowOriAddress] BaseAddress:0x%x\n",BaseAddress));
//经验证地址正确
ShadowBase = GetSSDTShadowAddress2();
ShadowAddress = *(PULONG)ShadowBase;
KdPrint(("[FindShadowOriAddress] ShadowAddress:0x%x\n",ShadowAddress));
//得到SSDT表的Rva
SsdtRva = ShadowAddress - BaseAddress;
//验证
KdPrint(("[FindOriAddress] SsdtRva:0x%x\n",SsdtRva));
//读取的位置
location = SsdtRva + index * 4;
offset.QuadPart =location;
KdPri