X64 枚举 内核 符号

发表于 2015-09-04  414 次阅读


/*
 * Signature of ntdll!ZwQuerySystemInformation. The function is not linked
 * statically; main() resolves it with GetProcAddress and stores it in a
 * global of this type, which EnumKM then calls with information class 11.
 * EnumKM passes NeedSize as ReturnLength but grows its buffer on the status
 * code alone.
 * NOTE(review): no calling-convention specifier (NTAPI) is given. That is
 * harmless for the x64 build this page targets, but would be wrong on x86.
 */
typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)
(
IN ULONG SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG Length,
OUT PULONG ReturnLength
);

/* Local alias for DWORD; matches the Win32 definition (unsigned long), so it
   does no harm if <windows.h> is included as well. */
typedef unsigned long DWORD;

/*
 * One entry of the SystemModuleInformation (class 11) result that EnumKM
 * walks. Field names are the author's; this file only reads Base, ImageName
 * and ModuleNameOffset (offset of the bare file name inside ImageName).
 * NOTE(review): Unknow1..4 occupy 16 bytes, which only lines up with the two
 * pointer-sized leading fields of the kernel's real structure on a 64-bit
 * build -- the layout is x64-specific, as the page title says.
 */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
{
ULONG Unknow1;   /* presumably two pointer-sized fields split into four ULONGs */
ULONG Unknow2;
ULONG Unknow3;
ULONG Unknow4;
PVOID Base;      /* load address of the module (kernel-space on success) */
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT ModuleNameOffset;   /* ImageName + ModuleNameOffset is the file name */
char ImageName[256];       /* full image path, NUL-terminated by the kernel */
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

/*
 * Header of the SystemModuleInformation result: Count entries follow inline.
 * Module[1] is the classic trailing-array idiom; the buffer handed to
 * ZwQuerySystemInformation must hold all Count entries, which is why EnumKM
 * grows it until the call stops reporting a length mismatch.
 */
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Count;   /* number of modules currently loaded in the kernel */
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
X64 枚举 内核 模块 需要的 结构体

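/* "Buffer too small, retry with a larger one" (ntstatus.h value). */
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif

/* Bases at or below this value are not treated as kernel modules. */
static const ULONG64 kKernelSpaceStart = 0x8000000000000000ULL;

/*
 * EnumKM -- enumerate the loaded kernel modules (SystemModuleInformation,
 * class 11) and return the load address of the module whose file name equals
 * HighlightDrvName (case-insensitive), or 0 when it is not found, the query
 * fails, or HighlightDrvName is NULL. main() uses it to locate the NT kernel
 * image before loading its symbols.
 *
 * Only entries whose Base lies in the kernel half of the x64 address space are
 * considered. The query buffer is grown until the kernel stops answering
 * STATUS_INFO_LENGTH_MISMATCH, and it is freed on every return path (the
 * original leaked it on the not-found path). Requires the global
 * ZwQuerySystemInformation pointer to have been resolved first (see main).
 *
 * NOTE(review): recent Windows versions report zeroed module bases to callers
 * that are not elevated, so a result of 0 can also mean "insufficient
 * privilege" rather than "module not loaded".
 */
ULONG64 EnumKM(char *HighlightDrvName)
{
    ULONG BufferSize = 0x5000;
    ULONG NeedSize = 0;
    PVOID pBuffer = NULL;
    NTSTATUS Result;
    ULONG64 address = 0;

    if (HighlightDrvName == NULL)
        return 0;

    /* Query the module list, growing the buffer until it is large enough. */
    for (;;) {
        pBuffer = malloc(BufferSize);
        if (pBuffer == NULL)
            return 0;
        Result = ZwQuerySystemInformation(11, pBuffer, BufferSize, &NeedSize);
        if (Result != STATUS_INFO_LENGTH_MISMATCH)
            break;
        free(pBuffer);
        pBuffer = NULL;
        /* Use the size the kernel asked for when it is larger than doubling. */
        BufferSize = (NeedSize > BufferSize) ? NeedSize : BufferSize * 2;
    }
    if (Result < 0) {   /* any other failure status */
        free(pBuffer);
        return 0;
    }

    PSYSTEM_MODULE_INFORMATION pInfo = (PSYSTEM_MODULE_INFORMATION)pBuffer;
    ULONG ModuleCount = pInfo->Count;

    /* Plausibility check: Count entries must fit in the bytes we own. */
    if ((ULONG64)ModuleCount * sizeof(pInfo->Module[0]) > BufferSize) {
        free(pBuffer);
        return 0;
    }

    for (ULONG i = 0; i < ModuleCount; i++) {
        const SYSTEM_MODULE_INFORMATION_ENTRY *entry = &pInfo->Module[i];

        /* Skip user-mode (or zeroed) bases; same threshold as the original. */
        if ((ULONG64)entry->Base <= kKernelSpaceStart)
            continue;
        /* Malformed entry: name offset would point outside ImageName. */
        if (entry->ModuleNameOffset >= sizeof entry->ImageName)
            continue;

        if (_stricmp(entry->ImageName + entry->ModuleNameOffset, HighlightDrvName) == 0) {
            address = (ULONG64)entry->Base;
            break;
        }
    }

    free(pBuffer);
    return address;
}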
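/*
 * Symbol names reported by the enumeration. By name these are internal,
 * non-exported ntoskrnl symbols (the notify-routine arrays, the CID handle
 * table and ExDestroyHandle), which is why PDB symbols rather than the
 * export table are needed to locate them.
 */
static const char *const kWatchedSymbols[] = {
    "PspCreateProcessNotifyRoutine",
    "PspLoadImageNotifyRoutine",
    "PspCreateThreadNotifyRoutine",
    "PspCidTable",
    "ExDestroyHandle",
};

/*
 * EnumSymCallBack -- SymEnumSymbols callback. Prints the address of every
 * symbol listed in kWatchedSymbols and asks dbghelp to keep enumerating.
 *
 * pSymInfo:    symbol record from dbghelp; Name and Address are read.
 * SymbolSize:  unused.
 * UserContext: unused (getallkrnladdress passes 0).
 * Returns TRUE so the enumeration always runs to completion.
 */
BOOL CALLBACK EnumSymCallBack(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
{
    (void)SymbolSize;
    (void)UserContext;

    if (pSymInfo == NULL)
        return TRUE;

    for (size_t k = 0; k < sizeof kWatchedSymbols / sizeof kWatchedSymbols[0]; k++) {
        if (strcmp(pSymInfo->Name, kWatchedSymbols[k]) == 0) {
            /* Address is a 64-bit integer, not a pointer, so %p was the wrong
               specifier; print it as 16 hex digits instead. */
            printf("Oh,yeah! %s :%016llX\n", pSymInfo->Name,
                   (unsigned long long)pSymInfo->Address);
            break;
        }
    }
    return TRUE;
}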

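/*
 * getallkrnladdress -- load PDB symbols for the NT kernel image
 * (ntkrnlmp.exe in the system directory, rebased to ntkrnlmpBaseaddress)
 * through dbghelp and enumerate them with EnumSymCallBack, which prints the
 * symbols of interest. Symbols are searched in "<current directory>\symbols".
 *
 * ntkrnlmpBaseaddress: kernel load address from EnumKM; 0 means EnumKM
 *                      failed and the function does nothing.
 *
 * Every Win32/dbghelp call is checked; a failure is reported with its
 * GetLastError() code and everything acquired so far is released. The path
 * buffers are bounds-checked before the strcat calls. The original's
 * trailing `for (;;);` is dropped: it hung the process after enumeration,
 * so main() never reached its getchar().
 */
void getallkrnladdress(ULONG64 ntkrnlmpBaseaddress)
{
    static const char kSymbolDir[] = "\\symbols";
    static const char kKernelFile[] = "\\ntkrnlmp.exe";
    HANDLE hProcess = GetCurrentProcess();
    HANDLE hFile = INVALID_HANDLE_VALUE;
    DWORD64 BaseOfDll = 0;
    DWORD dwfilesize = 0;
    DWORD len;
    char SymbolPath[256];
    char FileName[256];

    if (ntkrnlmpBaseaddress == 0) {
        printf("kernel base address unknown, skipping symbol enumeration\n");
        return;
    }

    /* SYMOPT_DEBUG makes dbghelp report symbol-loading problems. */
    SymSetOptions(SymGetOptions() | SYMOPT_DEBUG);

    if (!SymInitialize(hProcess, NULL, FALSE)) {
        printf("SymInitialize error ... (%lu)\n", GetLastError());
        return;
    }

    /* "<current directory>\symbols"; sizeof kSymbolDir already counts the NUL. */
    len = GetCurrentDirectoryA(sizeof SymbolPath, SymbolPath);
    if (len == 0 || len + sizeof kSymbolDir > sizeof SymbolPath) {
        printf("current directory path too long for symbol path\n");
        goto cleanup;
    }
    strcat(SymbolPath, kSymbolDir);   /* room verified above */
    SymSetSearchPath(hProcess, SymbolPath);

    len = GetSystemDirectoryA(FileName, sizeof FileName);
    if (len == 0 || len + sizeof kKernelFile > sizeof FileName) {
        printf("system directory path too long for kernel file name\n");
        goto cleanup;
    }
    strcat(FileName, kKernelFile);    /* room verified above */

    /* NOTE(review): the kernel on disk is normally ntoskrnl.exe; this name
       must match the installed kernel image for the open and the PDB lookup
       to succeed -- confirm on the target system. */
    hFile = CreateFileA(FileName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("cannot open %s (%lu)\n", FileName, GetLastError());
        goto cleanup;
    }
    dwfilesize = GetFileSize(hFile, NULL);
    if (dwfilesize == INVALID_FILE_SIZE) {
        printf("GetFileSize failed (%lu)\n", GetLastError());
        goto cleanup;
    }

    /* Rebase the on-disk image to the live kernel address so enumerated
       symbol addresses are the addresses in the running kernel. */
    BaseOfDll = SymLoadModule64(hProcess, NULL, FileName, NULL, ntkrnlmpBaseaddress, dwfilesize);
    if (BaseOfDll == 0) {
        printf("SymLoadModule64 failed (%lu)\n", GetLastError());
        goto cleanup;
    }

    if (!SymEnumSymbols(hProcess, BaseOfDll, 0, EnumSymCallBack, 0))
        printf("SymEnumSymbols failed (%lu)\n", GetLastError());
    SymUnloadModule64(hProcess, BaseOfDll);

cleanup:
    if (hFile != INVALID_HANDLE_VALUE)
        CloseHandle(hFile);
    SymCleanup(hProcess);
}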
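/*
 * Usage: resolve ZwQuerySystemInformation from ntdll, find the NT kernel's
 * load address with EnumKM, then load and enumerate its symbols. Waits for a
 * key press before exiting (presumably so console output stays visible).
 *
 * Returns 0 on success, 1 when ntdll, the ZwQuerySystemInformation export or
 * the kernel base address cannot be resolved.
 */
int main(void)
{
    HMODULE ntdll = LoadLibraryW(L"ntdll.dll");
    if (ntdll == NULL) {
        printf("LoadLibraryW(ntdll.dll) failed (%lu)\n", GetLastError());
        return 1;
    }

    ZwQuerySystemInformation =
        (ZWQUERYSYSTEMINFORMATION)GetProcAddress(ntdll, "ZwQuerySystemInformation");
    if (ZwQuerySystemInformation == NULL) {
        printf("ZwQuerySystemInformation not found in ntdll (%lu)\n", GetLastError());
        return 1;
    }

    /* NT kernel base; 0 means not found (or, on newer Windows, not elevated). */
    ULONG64 ntkrnlmpBaseaddress = EnumKM("ntkrnlmp.exe");
    if (ntkrnlmpBaseaddress == 0) {
        printf("ntkrnlmp.exe not found in the kernel module list\n");
        getchar();
        return 1;
    }

    getallkrnladdress(ntkrnlmpBaseaddress);

    getchar();
    return 0;
}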
完整 SRC :http://pan.baidu.com/s/1sjuZg2D


