需要了解内核对象的结构
32位的代码
#include "ntddk.h"
/* Driver unload routine: does nothing but report the unload in the debug log. */
VOID MyUnload(PDRIVER_OBJECT pDriverObject)
{
    (void)pDriverObject;
    KdPrint(("驱动卸载成功\n"));
}
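/*
 * DriverEntry (x86): locates the kernel's object-type table by reading a
 * 4-byte pointer operand out of ObGetObjectType's code, then prints the
 * entries from index 2 onward until the first zero entry.
 *
 * The +15 offset into the routine and the +8 name offset inside each entry
 * are hard-coded assumptions about the instruction layout and object-type
 * layout of the build this was written against. On any other build the read
 * lands on unrelated bytes, and an unchecked dereference of the result
 * bugchecks the machine, so every pointer derived from it is checked with
 * MmIsAddressValid before it is read and the walk is capped at MAX_ENTRIES.
 *
 * Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL when ObGetObjectType cannot
 * be resolved or the derived table pointer is not readable.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING Reg_Path)
{
    enum { OPERAND_OFFSET = 15, NAME_OFFSET = 8, MAX_ENTRIES = 256 };
    UNICODE_STRING mingzi;
    PVOID dizhi1;                /* address of ObGetObjectType */
    ULONG *biao_neihe1;          /* kernel object-type table */
    int i = 2;                   /* indices 0 and 1 are skipped, as in the original */

    UNREFERENCED_PARAMETER(Reg_Path);

    pDriverObject->DriverUnload = MyUnload;

    RtlInitUnicodeString(&mingzi, L"ObGetObjectType");
    dizhi1 = MmGetSystemRoutineAddress(&mingzi);
    if (!MmIsAddressValid(dizhi1))
    {
        KdPrint(("函数地址获取失败\n"));
        /* The original only logged here and then dereferenced dizhi1 anyway;
         * failing the load is the only safe outcome, and it matches the x64 version. */
        return STATUS_UNSUCCESSFUL;
    }
    KdPrint(("函数地址%x\n", (ULONG)dizhi1));

    /* Build-specific: the code assumes a 4-byte absolute address operand at +15. */
    if (!MmIsAddressValid((PVOID)((ULONG)dizhi1 + OPERAND_OFFSET)))
    {
        return STATUS_UNSUCCESSFUL;
    }
    biao_neihe1 = *(ULONG **)((ULONG)dizhi1 + OPERAND_OFFSET);
    if (!MmIsAddressValid(biao_neihe1))
    {
        KdPrint(("object type table address is not readable\n"));
        return STATUS_UNSUCCESSFUL;
    }

    /* Stop at the first zero entry, at an unreadable slot, or at the hard cap. */
    while (i < MAX_ENTRIES && MmIsAddressValid(&biao_neihe1[i]) && biao_neihe1[i])
    {
        /* %wZ dereferences the UNICODE_STRING, so the +8 field must be readable. */
        if (MmIsAddressValid((PVOID)(biao_neihe1[i] + NAME_OFFSET)))
        {
            KdPrint(("%d %wZ : %x\n", i, (PUNICODE_STRING)(biao_neihe1[i] + NAME_OFFSET), biao_neihe1[i]));
        }
        i++;
    }

    return STATUS_SUCCESS;
}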
64位的代码
#include <ntddk.h>
/* Unload callback registered in DriverEntry; it only logs that the driver left. */
VOID MyUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    KdPrint(("驱动卸载成功\n"));
}
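/*
 * DriverEntry (x64): locates the kernel's object-type index table by decoding
 * the RIP-relative operand the code assumes sits at ObGetObjectType+7, then
 * prints the entries from index 2 onward until the first zero entry.
 *
 * The +7 operand offset, the 4-byte operand width and the +0x10 name offset
 * inside each entry are hard-coded assumptions about one specific kernel
 * build. On any other build the decoded address is garbage and an unchecked
 * dereference bugchecks the machine, so every derived pointer is checked with
 * MmIsAddressValid before it is read and the walk is capped at MAX_ENTRIES.
 *
 * Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL when ObGetObjectType cannot
 * be resolved or the decoded table address is not readable.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING Reg_Path)
{
    enum { DISP_OFFSET = 7, DISP_SIZE = 4, NAME_OFFSET = 0x10, MAX_ENTRIES = 256 };
    UNICODE_STRING funcName;
    PVOID funcAddress;
    LONG disp;                       /* RIP-relative displacement is a signed 32-bit value */
    PULONGLONG pIndexTableAddress;
    int index = 2;                   /* indices 0 and 1 are skipped, as in the original */

    UNREFERENCED_PARAMETER(Reg_Path);

    pDriverObject->DriverUnload = MyUnload;

    RtlInitUnicodeString(&funcName, L"ObGetObjectType");
    funcAddress = MmGetSystemRoutineAddress(&funcName);
    if (!MmIsAddressValid(funcAddress))
    {
        KdPrint(("函数地址获取失败\n"));
        return STATUS_UNSUCCESSFUL;
    }
    KdPrint(("函数地址0x%llx\n", (ULONGLONG)funcAddress));

    /* Build-specific: the code assumes a 4-byte displacement operand at +7. */
    if (!MmIsAddressValid((PVOID)((ULONGLONG)funcAddress + DISP_OFFSET)))
    {
        return STATUS_UNSUCCESSFUL;
    }
    memcpy(&disp, (PVOID)((ULONGLONG)funcAddress + DISP_OFFSET), DISP_SIZE);

    /*
     * A RIP-relative target is (address of the next instruction) + displacement,
     * with the displacement sign-extended. The original read it as ULONG, which
     * zero-extends a negative displacement and lands 0x100000000 too high; the
     * 0xfffffff0ffffffff mask ("少一个步骤") only papered over that for one
     * particular address layout. Sign-extending makes the mask unnecessary.
     */
    pIndexTableAddress = (PULONGLONG)((ULONGLONG)funcAddress + DISP_OFFSET + DISP_SIZE + (LONGLONG)disp);
    KdPrint(("函数地址0x%llx\n", (ULONGLONG)pIndexTableAddress));
    if (!MmIsAddressValid(pIndexTableAddress))
    {
        KdPrint(("object type index table address is not readable\n"));
        return STATUS_UNSUCCESSFUL;
    }

    /* Stop at the first zero entry, at an unreadable slot, or at the hard cap. */
    while (index < MAX_ENTRIES && MmIsAddressValid(&pIndexTableAddress[index]) && pIndexTableAddress[index] != 0)
    {
        ULONGLONG entry = pIndexTableAddress[index];

        /* %wZ dereferences the UNICODE_STRING, so the +0x10 field must be readable. */
        if (MmIsAddressValid((PVOID)(entry + NAME_OFFSET)))
        {
            /* Trailing newline added so entries do not run together in the debugger. */
            DbgPrint("Result[%d]: %llx -- %wZ\n", index, entry, (PUNICODE_STRING)(entry + NAME_OFFSET));
        }
        index++;
    }

    return STATUS_SUCCESS;
}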