ULONG
GetDllFunctionIndex(
IN CONST char* lpFunctionName
)
{
HANDLE hSection = NULL;
HANDLE hFile = NULL;
HANDLE hMod = NULL;
IMAGE_DOS_HEADER* dosheader = NULL;
IMAGE_OPTIONAL_HEADER* opthdr = NULL;
IMAGE_EXPORT_DIRECTORY* pExportTable = NULL;
ULONG* arrayOfFunctionAddresses = NULL;
ULONG* arrayOfFunctionNames = NULL;
USHORT* arrayOfFunctionOrdinals = NULL;
ULONG functionOrdinal = 0;
ULONG Base = 0;
ULONG x = 0;
ULONG_PTR functionAddress = 0;
char* functionName = NULL;
STRING ntFunctionName = {0};
STRING ntFunctionNameSearch = {0};
PVOID BaseAddress = NULL;
SIZE_T size = 0;
OBJECT_ATTRIBUTES oa = {0};// = {sizeof oa, 0, pDllName, OBJ_CASE_INSENSITIVE};
IO_STATUS_BLOCK iosb = {0};
NTSTATUS status = STATUS_SUCCESS;
ULONG uIndex = -1;
UNICODE_STRING pDllName = {0};
RtlInitUnicodeString(&pDllName,L"\\SystemRoot\\system32\\ntdll.dll");
InitializeObjectAttributes ( &oa, &pDllName, OBJ_KERNEL_HANDLE|OBJ_CASE_INSENSITIVE, NULL, NULL);
status=ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
if(status!=STATUS_SUCCESS)
{
//FILE_SUPERSEDED
KdPrint(("ZwOpenFile Error:0x%x,0x%x",status,iosb.Information));
return 0;
}
oa.ObjectName = 0;
status=ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &oa, 0,PAGE_EXECUTE, 0x01000000, hFile);
if(status!=STATUS_SUCCESS)
{
KdPrint(("ZwCreateSection Error"));
ZwClose(hFile);
return 0;
}
ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 1000, 0, &size, (SECTION_INHERIT)1, MEM_TOP_DOWN, PAGE_READWRITE);
ZwClose(hFile);
hMod = BaseAddress;
dosheader = (IMAGE_DOS_HEADER *)hMod;
opthdr = (IMAGE_OPTIONAL_HEADER *) ((unsigned char*)hMod+dosheader->e_lfanew+24);
pExportTable = (IMAGE_EXPORT_DIRECTORY*)((unsigned char*) hMod + opthdr->DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress);
arrayOfFunctionAddresses = (ULONG*)( (unsigned char*)hMod + pExportTable->AddressOfFunctions);
arrayOfFunctionNames = (ULONG*)( (unsigned char*)hMod + pExportTable->AddressOfNames);
arrayOfFunctionOrdinals = (USHORT*)( (unsigned char*)hMod + pExportTable->AddressOfNameOrdinals);
Base = pExportTable->Base;
RtlInitString(&ntFunctionNameSearch, lpFunctionName);
for(x = 0; x < pExportTable->NumberOfFunctions; x++)
{
functionName = (char*)( (unsigned char*)hMod + arrayOfFunctionNames[x]);
RtlInitString(&ntFunctionName, functionName);
if (RtlCompareString(&ntFunctionName, &ntFunctionNameSearch, TRUE) == 0)
{
functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1;
functionAddress = (ULONG_PTR)( (unsigned char*)hMod + arrayOfFunctionAddresses[functionOrdinal]);
#ifdef _AMD64_
uIndex=*(PULONG)((PUCHAR)functionAddress+4);
#else
uIndex=*(PULONG)((PUCHAR)functionAddress+1);
#endif
break;
}
}
ZwClose(hSection);
ZwUnmapViewOfSection(NtCurrentProcess(),BaseAddress);
return uIndex;
}內核模式下獲取SSDT服務索引代碼
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章