获取指定index的 OBJECTTYPE

发表于 2015-08-07  295 次阅读


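/*
 * Scan forward from uAddress for a 5-byte signature and resolve the
 * RIP-relative operand of the instruction that begins at the signature's
 * fifth byte.
 *
 * uAddress          - start of the code region to scan; 0 yields 0.
 * Signature         - five bytes to match; only Signature[0..4] are read.
 * addopcodelength   - offset from the instruction start to its rel32 field.
 * addopcodedatasize - total length of that instruction, i.e. the offset from
 *                     the instruction start to the next instruction.
 *
 * Returns the resolved absolute address, or 0 when the signature is not
 * found within the scan window.
 *
 * NOTE(review): nothing here proves that the whole scan window, or the
 * rel32 field behind a match, is mapped. The caller has to guarantee that
 * uAddress points into resident code of at least that size; an invalid
 * read at this level is not recoverable.
 */
ULONG64 onlythisfile_SreachFunctionAddress(ULONG64 uAddress, UCHAR *Signature, ULONG addopcodelength, ULONG addopcodedatasize)
{
    enum { SCAN_LIMIT = 0x3000, SIGNATURE_LENGTH = 5 };
    UCHAR *p;
    UCHAR *rel;
    ULONG64 index;
    ULONG64 instruction;
    ULONG64 displacement;
    ULONG32 rel32;
    ULONG i;

    if (uAddress == 0 || Signature == 0) {
        return 0;
    }

    p = (UCHAR *)uAddress;
    for (index = 0; index < SCAN_LIMIT; index++, p++) {
        /* Stop comparing at the first mismatch so no extra bytes are read. */
        for (i = 0; i < SIGNATURE_LENGTH; i++) {
            if (p[i] != Signature[i]) {
                break;
            }
        }
        if (i != SIGNATURE_LENGTH) {
            continue;
        }

        /* The instruction carrying the operand starts at the last signature byte. */
        instruction = (ULONG64)(p + 4);

        /* Assemble the little-endian rel32 byte by byte: the field is not
         * guaranteed to be 4-byte aligned, so no ULONG32 pointer cast. */
        rel = p + 4 + addopcodelength;
        rel32 = (ULONG32)rel[0]
              | ((ULONG32)rel[1] << 8)
              | ((ULONG32)rel[2] << 16)
              | ((ULONG32)rel[3] << 24);

        /* rel32 is a signed displacement. Sign-extend it to 64 bits instead
         * of adding it unsigned and masking bits 32..35 afterwards: the mask
         * only produced the right answer when that nibble of the real
         * address happened to be zero. */
        displacement = rel32;
        if (rel32 & 0x80000000u) {
            displacement |= 0xFFFFFFFF00000000ull;
        }

        /* Target = address of the next instruction + displacement (mod 2^64). */
        return instruction + addopcodedatasize + displacement;
    }

    return 0;
}

/* Implemented in the companion .asm file reproduced at the end of this listing. */
extern PVOID64 __fastcall GetObjectByindex(ULONG64 index, ULONG64 ObTypeIndexTable);

/*
 * Locate ObTypeIndexTable by pattern-matching the body of ObGetObjectType,
 * store it in the file-level ObTypeIndexTable variable, and print the table
 * entry at index 0xb.
 *
 * The signature bytes, the operand offsets (3, 7) and the index 0xb are all
 * hard-coded. NOTE(review): they describe one particular kernel build; on a
 * build where ObGetObjectType is compiled differently the scan either fails
 * or resolves an unrelated address, and the index may name a different
 * object type. Confirm against the target build before relying on the result.
 */
void initgetobjectbbyindex()
{
    UCHAR opcodethis[] = { 0x0f, 0xb6, 0x41, 0xe8, 0x48 };
    PVOID debugobject = 0;
    /* Resolve the export once; the original looked it up twice. */
    ULONG64 obGetObjectType = (ULONG64)FUCKGetFunctionAddr(L"ObGetObjectType");

    ObTypeIndexTable = (PVOID)onlythisfile_SreachFunctionAddress(obGetObjectType, opcodethis, 3, 7);
    DbgPrint("ObTypeIndexTable %p xx :%p", ObTypeIndexTable, (PVOID)obGetObjectType);

    /* A failed lookup or scan leaves the table at 0; indexing it would read
     * from address 0x58 and bring the system down. */
    if (ObTypeIndexTable == 0) {
        return;
    }

    debugobject = GetObjectByindex(0xb, (ULONG64)ObTypeIndexTable);
    DbgPrint("debugobject %p", debugobject);
}

/*
 * Companion .asm file (MASM, assembled separately). It returns the 8-byte
 * entry at table[index] and performs no validation of either argument.
 *
 *     .CODE
 *     GetObjectByindex PROC
 *         mov rax, rcx
 *         mov rcx, rdx
 *         mov rax, [rcx+rax*8]
 *         ret
 *     GetObjectByindex ENDP
 *     END
 */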

本站文章基于国际协议BY-NA-SA 4.0协议共享;
如未特殊说明,本站文章皆为原创文章,请规范转载。
