驱动开发内核枚举ShadowSSDT基址
微软安全技术分享
帮助5人
如下是闭源ARK工具的枚举效果:
先实现第一个功能,得到SSSDT表的基地址以及SSDT函数个数,完整代码如下所示。
// 署名权
// right to sign one's name on a piece of work
// PowerBy: LyShark
// Email: me@lyshark.com
#include <ntifs.h>
#pragma intrinsic(__readmsr)
typedef struct _SYSTEM_SERVICE_TABLE
{
PVOID ServiceTableBase;
PVOID ServiceCounterTableBase;
ULONGLONG NumberOfServices;
PVOID ParamTableBase;
} SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE;
PSYSTEM_SERVICE_TABLE KeServiceDescriptorTableShadow = 0;
ULONG64 ul64W32pServiceTable = 0;
// 获取 KeServiceDescriptorTableShadow 首地址
ULONGLONG GetKeServiceDescriptorTableShadow()
{
// 设置起始位置
PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082) - 0x1808FE;
// 设置结束位置
PUCHAR EndSearchAddress = StartSearchAddress 0x8192;
// DbgPrint("扫描起始地址: %p --> 扫描结束地址: %p \n", StartSearchAddress, EndSearchAddress);
PUCHAR ByteCode = NULL;
UCHAR OpCodeA = 0, OpCodeB = 0, OpCodeC = 0;
ULONGLONG addr = 0;
ULONG templong = 0;
for (ByteCode = StartSearchAddress; ByteCode < EndSearchAddress; ByteCode )
{
// 使用MmIsAddressValid()函数检查地址是否有页面错误
if (MmIsAddressValid(ByteCode) && MmIsAddressValid(ByteCode 1) && MmIsAddressValid(ByteCode 2))
{
OpCodeA = *ByteCode;
OpCodeB = *(ByteCode 1);
OpCodeC = *(ByteCode 2);
// 对比特征值 寻找 nt!KeServiceDescriptorTable 函数地址
/*
lyshark.com kd> u KiSystemServiceRepeat
nt!KiSystemServiceRepeat:
fffff802`7c1d2b94 4c8d15e59c3b00 lea r10,[nt!KeServiceDescriptorTable (fffff802`7c58c880)]
fffff802`7c1d2b9b 4c8d1dde1e3a00 lea r11,[nt!KeServiceDescriptorTableShadow (fffff802`7c574a80)]
fffff802`7c1d2ba2 f7437880000000 test dword ptr [rbx 78h],80h
fffff802`7c1d2ba9 7413 je nt!KiSystemServiceRepeat 0x2a (fffff802`7c1d2bbe)
fffff802`7c1d2bab f7437800002000 test dword ptr [rbx 78h],200000h
fffff802`7c1d2bb2 7407 je nt!KiSystemServiceRepeat 0x27 (fffff802`7c1d2bbb)
fffff802`7c1d2bb4 4c8d1d051f3a00 lea r11,[nt!KeServiceDescriptorTableFilter (fffff802`7c574ac0)]
fffff802`7c1d2bbb 4d8bd3 mov r10,r11
*/
if (OpCodeA == 0x4c && OpCodeB == 0x8d && OpCodeC == 0x1d)
{
// 获取高位地址fffff802
memcpy(&templong, ByteCode 3, 4);
// 与低位64da4880地址相加得到完整地址
addr = (ULONGLONG)templong (ULONGLONG)ByteCode 7;
return addr;
}
}
}
return 0;
}
// 得到SSSDT个数
ULONGLONG GetSSSDTCount()
{
PSYSTEM_SERVICE_TABLE pWin32k;
ULONGLONG W32pServiceTable;
pWin32k = (PSYSTEM_SERVICE_TABLE)((ULONG64)KeServiceDescriptorTableShadow sizeof(SYSTEM_SERVICE_TABLE));
W32pServiceTable = (ULONGLONG)(pWin32k->ServiceTableBase);
// DbgPrint("Count => %d \n", pWin32k->NumberOfServices);
return pWin32k->NumberOfServices;
}
VOID UnDriver(PDRIVER_OBJECT driver)
{
DbgPrint(("驱动程序卸载成功! \n"));
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
DbgPrint("hello lyshark.com \n");
KeServiceDescriptorTableShadow = (PSYSTEM_SERVICE_TABLE)GetKeServiceDescriptorTableShadow();
DbgPrint("[LyShark] SSSDT基地址 = 0x%p \n", KeServiceDescriptorTableShadow);
ULONGLONG count = GetSSSDTCount();
DbgPrint("[LyShark] SSSDT个数 = %d \n", count);
DriverObject->DriverUnload = UnDriver;
return STATUS_SUCCESS;
}
这段代码运行后即可得到SSSDT表基地址,以及该表中函数个数。
在此基础之上增加枚举计算过程即可,完整源代码如下所示。
SSSDT 函数起始index是0x1000,但W32pServiceTable是从基址开始记录的,这个误差则需要(index-0x1000)来得到,至于 4则是下一个元素与上一个元素的偏移。
计算公式:
- W32pServiceTable 4 * (index-0x1000)
// 署名权
// right to sign one's name on a piece of work
// PowerBy: LyShark
// Email: me@lyshark.com
#include <ntifs.h>
#pragma intrinsic(__readmsr)
typedef struct _SYSTEM_SERVICE_TABLE
{
PVOID ServiceTableBase;
PVOID ServiceCounterTableBase;
ULONGLONG NumberOfServices;
PVOID ParamTableBase;
} SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE;
PSYSTEM_SERVICE_TABLE KeServiceDescriptorTableShadow = 0;
ULONG64 ul64W32pServiceTable = 0;
// 获取 KeServiceDescriptorTableShadow 首地址
ULONGLONG GetKeServiceDescriptorTableShadow()
{
// 设置起始位置
PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082) - 0x1808FE;
// 设置结束位置
PUCHAR EndSearchAddress = StartSearchAddress 0x8192;
// DbgPrint("扫描起始地址: %p --> 扫描结束地址: %p \n", StartSearchAddress, EndSearchAddress);
PUCHAR ByteCode = NULL;
UCHAR OpCodeA = 0, OpCodeB = 0, OpCodeC = 0;
ULONGLONG addr = 0;
ULONG templong = 0;
for (ByteCode = StartSearchAddress; ByteCode < EndSearchAddress; ByteCode )
{
// 使用MmIsAddressValid()函数检查地址是否有页面错误
if (MmIsAddressValid(ByteCode) && MmIsAddressValid(ByteCode 1) && MmIsAddressValid(ByteCode 2))
{
OpCodeA = *ByteCode;
OpCodeB = *(ByteCode 1);
OpCodeC = *(ByteCode 2);
// 对比特征值 寻找 nt!KeServiceDescriptorTable 函数地址
/*
lyshark.com kd> u KiSystemServiceRepeat
nt!KiSystemServiceRepeat:
fffff802`7c1d2b94 4c8d15e59c3b00 lea r10,[nt!KeServiceDescriptorTable (fffff802`7c58c880)]
fffff802`7c1d2b9b 4c8d1dde1e3a00 lea r11,[nt!KeServiceDescriptorTableShadow (fffff802`7c574a80)]
fffff802`7c1d2ba2 f7437880000000 test dword ptr [rbx 78h],80h
fffff802`7c1d2ba9 7413 je nt!KiSystemServiceRepeat 0x2a (fffff802`7c1d2bbe)
fffff802`7c1d2bab f7437800002000 test dword ptr [rbx 78h],200000h
fffff802`7c1d2bb2 7407 je nt!KiSystemServiceRepeat 0x27 (fffff802`7c1d2bbb)
fffff802`7c1d2bb4 4c8d1d051f3a00 lea r11,[nt!KeServiceDescriptorTableFilter (fffff802`7c574ac0)]
fffff802`7c1d2bbb 4d8bd3 mov r10,r11
*/
if (OpCodeA == 0x4c && OpCodeB == 0x8d && OpCodeC == 0x1d)
{
// 获取高位地址fffff802
memcpy(&templong, ByteCode 3, 4);
// 与低位64da4880地址相加得到完整地址
addr = (ULONGLONG)templong (ULONGLONG)ByteCode 7;
return addr;
}
}
}
return 0;
}
// 得到SSSDT个数
ULONGLONG GetSSSDTCount()
{
PSYSTEM_SERVICE_TABLE pWin32k;
ULONGLONG W32pServiceTable;
pWin32k = (PSYSTEM_SERVICE_TABLE)((ULONG64)KeServiceDescriptorTableShadow sizeof(SYSTEM_SERVICE_TABLE));
W32pServiceTable = (ULONGLONG)(pWin32k->ServiceTableBase);
// DbgPrint("Count => %d \n", pWin32k->NumberOfServices);
return pWin32k->NumberOfServices;
}
VOID UnDriver(PDRIVER_OBJECT driver)
{
DbgPrint(("驱动程序卸载成功! \n"));
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
DbgPrint("hello lyshark.com \n");
KeServiceDescriptorTableShadow = (PSYSTEM_SERVICE_TABLE)GetKeServiceDescriptorTableShadow();
DbgPrint("[LyShark] SSSDT基地址 = 0x%p \n", KeServiceDescriptorTableShadow);
ULONGLONG count = GetSSSDTCount();
DbgPrint("[LyShark] SSSDT个数 = %d \n", count);
// 循环枚举SSSDT
for (size_t Index = 0; Index < count; Index )
{
PSYSTEM_SERVICE_TABLE pWin32k;
ULONGLONG W32pServiceTable;
pWin32k = (PSYSTEM_SERVICE_TABLE)((ULONG64)KeServiceDescriptorTableShadow sizeof(SYSTEM_SERVICE_TABLE));
W32pServiceTable = (ULONGLONG)(pWin32k->ServiceTableBase);
// 获取SSSDT地址
//ln win32k!W32pServiceTable ((poi(win32k!W32pServiceTable 4*(1-1000))&0x00000000`ffffffff)>>4)-10000000
//u win32k!W32pServiceTable ((poi(win32k!W32pServiceTable 4*(Index-0x1000))&0x00000000`ffffffff)>>4)-0x10000000
//u poi(win32k!W32pServiceTable 4*(1-0x1000))
//u poi(win32k!W32pServiceTable 4*(1-0x1000))&0x00000000`ffffffff
//u (poi(win32k!W32pServiceTable 4*(1-0x1000))&0x00000000`ffffffff)>>4
//u win32k!W32pServiceTable ((poi(win32k!W32pServiceTable 4*(1-0x1000))&0x00000000`ffffffff)>>4)-0x10000000
ULONGLONG qword_temp = 0;
LONG dw = 0;
// SSSDT 下标从1000开始,而W32pServiceTable是从0开始
// 4 则是每次向下4字节就是下一个地址
qword_temp = W32pServiceTable 4 * (Index - 0x1000);
dw = *(PLONG)qword_temp;
// dw = qword_temp & 0x00000000ffffffff;
dw = dw >> 4;
qword_temp = W32pServiceTable (LONG64)dw;
DbgPrint("[LyShark] ID: %d | SSSDT: 0x%p \n", Index, qword_temp);
}
DriverObject->DriverUnload = UnDriver;
return STATUS_SUCCESS;
}
枚举效果如下所示(存在问题):
注这一步必须要在GUI线程中执行,否则会异常,建议将枚举过程写成DLL文件,注入到explorer.exe进程内执行。
这篇好文章是转载于:学新通技术网
- 版权申明: 本站部分内容来自互联网,仅供学习及演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系,请提供相关证据及您的身份证明,我们将在收到邮件后48小时内删除。
- 本站站名: 学新通技术网
- 本文地址: /boutique/detail/tanhfhehce
系列文章
更多
-
photoshop保存的图片太大微信发不了怎么办
PHP中文网 06-15 -
《学习通》视频自动暂停处理方法
HelloWorld317 07-05 -
Android 11 保存文件到外部存储,并分享文件
Luke 10-12 -
word里面弄一个表格后上面的标题会跑到下面怎么办
PHP中文网 06-20 -
photoshop扩展功能面板显示灰色怎么办
PHP中文网 06-14 -
微信公众号没有声音提示怎么办
PHP中文网 03-31 -
excel下划线不显示怎么办
PHP中文网 06-23 -
excel打印预览压线压字怎么办
PHP中文网 06-22 -
TikTok加速器哪个好免费的TK加速器推荐
TK小达人 10-01 -
怎样阻止微信小程序自动打开
PHP中文网 06-13
