ITIVE ,0,0); ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE , &oa, &iosb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT); oa.ObjectName = 0; ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &oa, 0,PAGE_EXECUTE, SEC_IMAGE, hFile); ZwMapViewOfSection(hSection, NtCurrentProcess (), &base, 0, 1000, 0, &size,( SECTION_INHERIT ) 1 , MEM_TOP_DOWN , PAGE_READWRITE); ZwClose(hFile);
kernelbase=GetModuleBase("ntoskrnl.exe"); imagebase=*(ULONG*)((ULONG)base+*(ULONG*)((ULONG)base+0x3C)+13*4);
offset=*(ULONG*)KeServiceDescriptorTable-GetModuleBase("ntoskrnl.exe"); RtlCopyMemory(realssdt,(PVOID )(offset+(ULONG)base),(KeServiceDescriptorTable->NumberOfServices*4));
for(i=0;iNumberOfServices;i++,realssdt++) { *realssdt=*realssdt-imagebase+kernelbase;//取得内存里正确的地址,然后修改回去 *(ULONG*)((ULONG)KeServiceDescriptorTable->ServiceTableBase+i*4)=*realssdt; }
}
VOID FindDispatch(){//从atapi.sys文件读取原本的dispatch routine
NTSTATUS status; HANDLE Handle; UNICODE_STRING atapi; OBJECT_ATTRIBUTES ObjectAttributes; IO_STATUS_BLOCK IoStatusBlock; FILE_STANDARD_INFORMATION NumberOfBytes; PVOID buf; ULONG PE,opthead,init,initpointer,Length,secnum,rawsize,rawpointer,limIT,base; int i;
RtlInITUnicodeString(&atapi,L"\\SystemRoot\\System32\\drivers\\atapi.sys"); ObjectAttributes.ObjectName = &atapi; ObjectAttributes.Length = 24; ObjectAttributes.RootDirectory = 0; ObjectAttributes.Attributes =576; ObjectAttributes.SecurITyDescriptor = 0; ObjectAttributes.SecurityQualITyOfService = 0;
status = IoCreateFile(&Handle,GENERIC_READ,&ObjectAttributes,&IoStatusBlock,0,FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,FILE_OPEN,0x50u,0,0,0,0,0);
if(status<0){ DbgPrint("Open File failed...%08x..",status); return ; } status = ZwQueryInformationFile(Handle, &IoStatusBlock, &NumberOfBytes, 24, FileSta