提取 ShadowSsdt 原始地址代码

标题：答复
作者：雪精灵
时间：2011-08-23 14:17:18

我是为了提取原始参数而已,才写了这个,什么老代码,,前面忽略的是简单才忽略,既然你没能力看懂,那就全部放出来好了

ShadowSsdt proc uses esi edi

  local hde:hde32s
  local pSSDT,pSSPT,Indent
  local pKERNEL_MODULE:KERNEL_MODULE
  local Shadow_ServiceTableBase
  local Shadow_NumberOfService
  local Shadow_ParamTableBase
  local Win32Path[MAX_PATH+1]:BYTE
  local ImageBase,Win32Ring0,dwdelta
  local szKeAddSystemServiceTable[30]:BYTE
  local hFile,FileSize,hFileMap,BaseAddress
  local Import_KeAddSystemServiceTable,Call_KeAddSystemServiceTable
  local ShadowSsdtName,VirtualSize

  xor eax, eax
  mov pSSDT, eax
  mov pSSPT, eax
  mov Indent, eax
  mov BaseAddress, eax
  mov hFile, eax
  mov hFileMap, eax
  m2m ShadowSsdtName, ShadowName
  invoke GetSystemDirectory,addr Win32Path,MAX_PATH
  invoke StrLen,addr Win32Path
  mov WORD ptr Win32Path[eax], "\"
  invoke StrCat,addr Win32Path,offset szWin32ksys
  invoke CreateFile,addr Win32Path,GENERIC_READ,FILE_SHARE_READ+FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
  .if eax == INVALID_HANDLE_VALUE
    open_err:
    invoke wsprintf,offset TempBuf,offset szScanInline_Open,offset szWin32ksys
    invoke SetWindowText,hStausBar,offset TempBuf
    jmp err
  .endif
  mov hFile, eax
  invoke GetFileSize,eax,NULL
  mov FileSize, eax
  invoke CreateFileMapping,hFile,NULL,PAGE_READONLY,NULL,NULL,NULL
  or eax, eax
  jz open_err
  mov hFileMap, eax
  invoke MapViewOfFile,hFileMap,FILE_MAP_READ,NULL,NULL,NULL
  or eax, eax
  jz open_err
  mov BaseAddress, eax
  lea eax, szKeAddSystemServiceTable
  mov DWORD ptr[eax+00000000], 06441654Bh
  mov DWORD ptr[eax+00000004], 073795364h
  mov DWORD ptr[eax+00000008], 0536D6574h
  mov DWORD ptr[eax+00000012], 069767265h
  mov DWORD ptr[eax+00000016], 061546563h
  mov DWORD ptr[eax+00000020], 000656C62h
  invoke FindImport,BaseAddress,0,eax
  or eax, eax
  jz err
  mov Import_KeAddSystemServiceTable, eax
  mov esi, BaseAddress
  assume esi:ptr IMAGE_DOS_HEADER
  add esi, [esi].e_lfanew
  assume esi:ptr IMAGE_NT_HEADERS
  mov Call_KeAddSystemServiceTable, 0
  mov Indent, 0

comment/*
BOOLEAN  KeAddSystemServiceTable(
          IN  PVOID   ServiceTableBase,
          IN  PVOID   ServiceCounterTableBase,
          IN  ULONG   NumberOfService,
          IN  PVOID   ParamTableBase,
          IN  ULONG   InsertServiceTableIndex
          )

BF9B3B3A - BF800380 = 1B37BA
014B3B22   57               push edi
014B3B23   68 10E399BF      push BF99E310        ParamTableBase
014B3B28   FF35 0CE399BF    push dword ptr [BF99E30C]    NumberOfService
014B3B2E   8935 30899ABF    mov dword ptr [BF9A8930],esi
014B3B34   56               push esi          ServiceCounterTableBase
014B3B35   68 00D699BF      push BF99D600        ServiceTableBase
014B3B3A   FF15 580799BF    call dword ptr [BF990758]

$-18     > 57               push edi
$-17     > 68 10E399BF      push BF99E310
$-12     > FF35 0CE399BF    push dword ptr [BF99E30C]
$-C      > 8935 30899ABF    mov dword ptr [BF9A8930],esi
$-6      > 56               push esi
$-5      > 68 00D699BF      push BF99D600
$ ==>    > FF15 580799BF    call dword ptr [BF990758]

INIT:BF9B3B22                 push    edi          InsertServiceTableIndex
INIT:BF9B3B23                 push    offset unk_BF99E310    ParamTableBase
INIT:BF9B3B28                 push    dword_BF99E30C      NumberOfService
INIT:BF9B3B2E                 mov     dword_BF9A8930, esi
INIT:BF9B3B34                 push    esi          ServiceCounterTableBase
INIT:BF9B3B35                 push    offset off_BF99D600    ServiceTableBase
INIT:BF9B3B3A                 call    ds:KeAddSystemServiceTable
*/
  assume edi:nothing
  mov edi, BaseAddress
  add edi, [edi].IMAGE_DOS_HEADER.e_lfanew
  movzx eax, [edi].IMAGE_NT_HEADERS.FileHeader.NumberOfSections
  mov Indent, eax
  add edi, sizeof IMAGE_NT_HEADERS
  assume edi:ptr IMAGE_SECTION_HEADER
  mov VirtualSize, 0
  .repeat
    invoke StrCmp,edi,T("INIT")
    .if eax
      m2m VirtualSize, [edi].Misc.VirtualSize
      mov edi, [edi].PointerToRawData
      add edi, BaseAddress
      .break
    .endif
    add edi, sizeof IMAGE_SECTION_HEADER
    dec Indent
  .until Indent == 0
  cmp VirtualSize, 0
  je err
  mov Call_KeAddSystemServiceTable, 0
  mov Indent, 0
  .while TRUE
    invoke DisasmLen,edi,addr hde
    .if hde.len == 6 && hde.opcode == 0FFh && hde.modrm == 15h && hde.disp32
      mov eax, hde.disp32
      sub eax, [esi].OptionalHeader.ImageBase
      invoke RVAToFileMap,BaseAddress,eax
      .if eax == Import_KeAddSystemServiceTable
        mov Call_KeAddSystemServiceTable, edi
        .break
      .endif
    .endif
    mov eax, hde.len
    add edi, eax
    add Indent, eax
    mov eax, Indent
    .break .if eax >= VirtualSize
  .endw
  cmp Call_KeAddSystemServiceTable, 0
  jz err
  m2m ImageBase, [esi].OptionalHeader.ImageBase
  mov edi, Call_KeAddSystemServiceTable

  mov eax, DWORD ptr[edi-5+1]
  sub eax, [esi].OptionalHeader.ImageBase
  add eax, BaseAddress
  mov Shadow_ServiceTableBase, eax

  mov eax, DWORD ptr[edi-17h+1]
  sub eax, [esi].OptionalHeader.ImageBase
  add eax, BaseAddress
  mov Shadow_ParamTableBase, eax

  mov eax, DWORD ptr[edi-12h+2]
  sub eax, [esi].OptionalHeader.ImageBase
  add eax, BaseAddress
  m2m Shadow_NumberOfService, DWORD ptr[eax]

  invoke DumpKernelModule
  or eax, eax
  jz err
  mov esi, offset KernelModule
  assume esi:ptr KERNEL_MODULE
  .while [esi].BaseAddress
    invoke StrRChr,addr [esi].ImageName,"\"
    .if eax
      inc eax
    .else
      lea eax, [esi].ImageName
    .endif
    invoke strnicmp,eax,offset szWin32ksys
    .if eax
      mov eax, [esi].BaseAddress
      mov Win32Ring0, eax

      sub eax, ImageBase
      mov dwdelta, eax
      .break
    .endif
    add esi, sizeof KERNEL_MODULE
  .endw


  imul eax, Shadow_NumberOfService, 4
  invoke GlobalAlloc,GPTR,eax
  or eax, eax
  jz err
  mov pSSDT, eax
  imul eax, Shadow_NumberOfService, 4
  invoke Communications,IOCTL_DumpShadowSsdt,NULL,NULL,pSSDT,eax
  or eax, eax
  jz err

  invoke GlobalAlloc,GPTR,Shadow_NumberOfService
  or eax, eax
  jz err
  mov pSSPT, eax
  invoke Communications,IOCTL_DumpShadowSspt,NULL,NULL,pSSPT,Shadow_NumberOfService
  or eax, eax
  jz err

  mov esi, pSSDT
  mov edi, Shadow_ServiceTableBase
  mov Indent, 0
  .repeat
    ;; 序号
    invoke wsprintf,offset TempBuf,offset szD,Indent
    invoke ListView_AddItemEx,hMianDlg,92,NULL,Indent,0,offset TempBuf
    ;; 当前地址
    invoke wsprintf,offset TempBuf,offset sz08X,DWORD ptr[esi]
    invoke ListView_AddItemEx,hMianDlg,92,NULL,Indent,1,offset TempBuf
    ;; 原始地址
    mov eax, DWORD ptr[edi]
    add eax, dwdelta
    invoke wsprintf,offset TempBuf,offset sz08X,eax
    invoke ListView_AddItemEx,hMianDlg,92,NULL,Indent,2,offset TempBuf
    ;; 当前参数
    mov eax, Indent
    add eax, pSSPT
    movzx eax, BYTE ptr[eax]
    invoke wsprintf,offset TempBuf,offset szD,eax
    invoke ListView_AddItemEx,hMianDlg,92,NULL,Indent,3,offset TempBuf
    ;; 原始参数
    mov eax, Indent
    add eax, Shadow_ParamTableBase
    movzx eax, BYTE ptr[eax]
    invoke wsprintf,offset TempBuf,offset szD,eax
    invoke ListView_AddItemEx,hMianDlg,92,NULL,Indent,4,offset TempBuf
    ;; 名称
    .if ShadowSsdtName
      mov eax, ShadowSsdtName
      invoke ListView_AddItemEx,hMianDlg,92,NULL,Indent,5,DWORD ptr[eax]
      add ShadowSsdtName, 4
    .endif
    ;; 所属模块
    invoke GetBelongsSys,DWORD ptr[esi]
    .if eax
      mov ecx, eax
      invoke ListView_AddItemEx,hMianDlg,92,0,Indent,6,addr [ecx].KERNEL_MODULE.ImageName
    .endif
    add esi, 4
    add edi, 4
    inc Indent
    mov eax, Indent
  .until eax == Shadow_NumberOfService
  err:
  .if pSSDT
    invoke GlobalFree,pSSDT
  .endif
  .if pSSPT
    invoke GlobalFree,pSSPT
  .endif
  .if BaseAddress
    invoke UnmapViewOfFile,BaseAddress
  .endif
  .if hFile
    invoke ZwClose,hFile
  .endif
  .if hFileMap
    invoke ZwClose,hFileMap
  .endif
  ret

ShadowSsdt endp