文章插图
有了数组地址接下来就是要对数组进行解密,如何解密?
- 1.首先拿到数组指针
pPspLoadImageNotifyRoutineAddress + sizeof(PVOID) * i此处的i也就是下标 。 - 2.得到的新地址在与
pNotifyRoutineAddress & 0xfffffffffffffff8进行与运算 。 - 3.最后
*(PVOID *)pNotifyRoutineAddress取出里面的参数 。
// 署名权// right to sign one's name on a piece of work// PowerBy: LyShark// Email: me@lyshark.com#include <ntddk.h>#include <windef.h>// 指定内存区域的特征码扫描PVOID SearchMemory(PVOID pStartAddress, PVOID pEndAddress, PUCHAR pMemoryData, ULONG ulMemoryDataSize){ PVOID pAddress = NULL; PUCHAR i = NULL; ULONG m = 0; // 扫描内存 for (i = (PUCHAR)pStartAddress; i < (PUCHAR)pEndAddress; i++) {// 判断特征码for (m = 0; m < ulMemoryDataSize; m++){if (*(PUCHAR)(i + m) != pMemoryData[m]){break;}}// 判断是否找到符合特征码的地址if (m >= ulMemoryDataSize){// 找到特征码位置, 获取紧接着特征码的下一地址pAddress = (PVOID)(i + ulMemoryDataSize);break;} } return pAddress;}// 根据特征码获取 PspLoadImageNotifyRoutine 数组地址PVOID SearchPspLoadImageNotifyRoutine(PUCHAR pSpecialData, ULONG ulSpecialDataSize){ UNICODE_STRING ustrFuncName; PVOID pAddress = NULL; LONG lOffset = 0; PVOID pPsSetLoadImageNotifyRoutine = NULL; PVOID pPspLoadImageNotifyRoutine = NULL; // 先获取 PsSetLoadImageNotifyRoutineEx 函数地址 RtlInitUnicodeString(&ustrFuncName, L"PsSetLoadImageNotifyRoutineEx"); pPsSetLoadImageNotifyRoutine = MmGetSystemRoutineAddress(&ustrFuncName); if (NULL == pPsSetLoadImageNotifyRoutine) {return pPspLoadImageNotifyRoutine; } // 查找 PspLoadImageNotifyRoutine函数地址 pAddress = SearchMemory(pPsSetLoadImageNotifyRoutine, (PVOID)((PUCHAR)pPsSetLoadImageNotifyRoutine + 0xFF), pSpecialData, ulSpecialDataSize); if (NULL == pAddress) {return pPspLoadImageNotifyRoutine; } // 先获取偏移, 再计算地址 lOffset = *(PLONG)pAddress; pPspLoadImageNotifyRoutine = (PVOID)((PUCHAR)pAddress + sizeof(LONG) + lOffset); return pPspLoadImageNotifyRoutine;}VOID UnDriver(PDRIVER_OBJECT Driver){}NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath){ DbgPrint("hello lyshark.com \n"); PVOID pPspLoadImageNotifyRoutineAddress = NULL; RTL_OSVERSIONINFOW osInfo = { 0 }; UCHAR pSpecialData[50] = { 0 }; ULONG ulSpecialDataSize = 0; // 获取系统版本信息, 判断系统版本 RtlGetVersion(&osInfo); if (10 == osInfo.dwMajorVersion) {// 48 8d 0d 88 e8 db ff// 查找指令 lea rcx,[nt!PspLoadImageNotifyRoutine (fffff804`44313ce0)]/*nt!PsSetLoadImageNotifyRoutineEx+0x41:fffff801`80748a81 488d0dd8d3dbfflearcx,[nt!PspLoadImageNotifyRoutine (fffff801`80505e60)]fffff801`80748a88 4533c0xorr8d,r8dfffff801`80748a8b 488d0cd9learcx,[rcx+rbx*8]fffff801`80748a8f 488bd7movrdx,rdifffff801`80748a92 e80584a3ffcallnt!ExCompareExchangeCallBack (fffff801`80180e9c)fffff801`80748a97 84c0testal,alfffff801`80748a99 0f849f000000jent!PsSetLoadImageNotifyRoutineEx+0xfe (fffff801`80748b3e)Branch*/pSpecialData[0] = 0x48;pSpecialData[1] = 0x8D;pSpecialData[2] = 0x0D;ulSpecialDataSize = 3; } // 根据特征码获取地址 获取 PspLoadImageNotifyRoutine 数组地址 pPspLoadImageNotifyRoutineAddress = SearchPspLoadImageNotifyRoutine(pSpecialData, ulSpecialDataSize); DbgPrint("[LyShark] PspLoadImageNotifyRoutine = 0x%p \n", pPspLoadImageNotifyRoutineAddress); // 遍历回调 ULONG i = 0; PVOID pNotifyRoutineAddress = NULL; // 获取 PspLoadImageNotifyRoutine 数组地址 if (NULL == pPspLoadImageNotifyRoutineAddress) {return FALSE; } // 获取回调地址并解密 for (i = 0; i < 64; i++) {pNotifyRoutineAddress = *(PVOID *)((PUCHAR)pPspLoadImageNotifyRoutineAddress + sizeof(PVOID) * i);pNotifyRoutineAddress = (PVOID)((ULONG64)pNotifyRoutineAddress & 0xfffffffffffffff8);if (MmIsAddressValid(pNotifyRoutineAddress)){pNotifyRoutineAddress = *(PVOID *)pNotifyRoutineAddress;DbgPrint("[LyShark] 序号: %d | 回调地址: 0x%p \n", i, pNotifyRoutineAddress);} } Driver->DriverUnload = UnDriver; return STATUS_SUCCESS;}运行这段完整的程序代码,输出如下效果:
文章插图
目前系统中只有两个回调,所以枚举出来的只有两条 , 打开ARK验证一下会发现完全正确,忽略
pyark这是后期打开的 。
文章插图
推荐阅读
- 前端开发日常——CSS动画无限轮播
- git clone开启云上AI开发
- 驱动开发:内核枚举ShadowSSDT基址
- 【番外篇】Rust环境搭建+基础开发入门+Rust与.NET6、C++的基础运算性能比较
- 驱动开发:Win10内核枚举SSDT表基址
- Tomcat 调优之从 Linux 内核源码层面看 Tcp backlog
- 驱动开发:内核特征码扫描PE代码段
- 驱动开发:内核枚举Minifilter微过滤驱动
- Vue3 JS 与 SCSS 变量相互使用
- 24 Node.js躬行记——低代码