在笔者上一篇文章《驱动开发:内核特征码搜索函数封装》中为了定位特征的方便我们封装实现了一个可以传入数组实现的SearchSpecialCode定位函数,该定位函数其实还不能算的上简单,本章LyShark将对特征码定位进行简化,让定位变得更简单,并运用定位代码实现扫描内核PE的.text代码段,并从代码段中得到某个特征所在内存位置 。
老样子为了后续教程能够继续,先来定义一个lyshark.h头文件,该头文件中包含了我们本篇文章所必须要使用到的结构体定义,这些定义的函数如果不懂请去看LyShark以前的文章,这里就不罗嗦了 。
#include <ntifs.h>#include <ntimage.h>typedef struct _KLDR_DATA_TABLE_ENTRY{ LIST_ENTRY64 InLoadOrderLinks; ULONG64 __Undefined1; ULONG64 __Undefined2; ULONG64 __Undefined3; ULONG64 NonPagedDebugInfo; ULONG64 DllBase; ULONG64 EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; ULONG Flags; USHORT LoadCount; USHORT __Undefined5; ULONG64 __Undefined6; ULONG CheckSum; ULONG __padding1; ULONG TimeDateStamp; ULONG __padding2;}KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;typedef struct _RTL_PROCESS_MODULE_INFORMATION{ HANDLE Section; PVOID MappedBase; PVOID ImageBase; ULONG ImageSize; ULONG Flags; USHORT LoadOrderIndex; USHORT InitOrderIndex; USHORT LoadCount; USHORT OffsetToFileName; UCHAR FullPathName[256];} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;typedef struct _RTL_PROCESS_MODULES{ ULONG NumberOfModules; RTL_PROCESS_MODULE_INFORMATION Modules[1];} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;typedef enum _SYSTEM_INFORMATION_CLASS{ SystemBasicInformation = 0x0, SystemProcessorInformation = 0x1, SystemPerformanceInformation = 0x2, SystemTimeOfDayInformation = 0x3, SystemPathInformation = 0x4, SystemProcessInformation = 0x5, SystemCallCountInformation = 0x6, SystemDeviceInformation = 0x7, SystemProcessorPerformanceInformation = 0x8, SystemFlagsInformation = 0x9, SystemCallTimeInformation = 0xa, SystemModuleInformation = 0xb, SystemLocksInformation = 0xc, SystemStackTraceInformation = 0xd, SystemPagedPoolInformation = 0xe, SystemNonPagedPoolInformation = 0xf, SystemHandleInformation = 0x10, SystemObjectInformation = 0x11, SystemPageFileInformation = 0x12, SystemVdmInstemulInformation = 0x13, SystemVdmBopInformation = 0x14, SystemFileCacheInformation = 0x15, SystemPoolTagInformation = 0x16, SystemInterruptInformation = 0x17, SystemDpcBehaviorInformation = 0x18, SystemFullMemoryInformation = 0x19, SystemLoadGdiDriverInformation = 0x1a, SystemUnloadGdiDriverInformation = 0x1b, SystemTimeAdjustmentInformation = 0x1c, SystemSummaryMemoryInformation = 0x1d, SystemMirrorMemoryInformation = 0x1e, SystemPerformanceTraceInformation = 0x1f, SystemObsolete0 = 0x20, SystemExceptionInformation = 0x21, SystemCrashDumpStateInformation = 0x22, SystemKernelDebuggerInformation = 0x23, SystemContextSwitchInformation = 0x24, SystemRegistryQuotaInformation = 0x25, SystemExtendServiceTableInformation = 0x26, SystemPrioritySeperation = 0x27, SystemVerifierAddDriverInformation = 0x28, SystemVerifierRemoveDriverInformation = 0x29, SystemProcessorIdleInformation = 0x2a, SystemLegacyDriverInformation = 0x2b, SystemCurrentTimeZoneInformation = 0x2c, SystemLookasideInformation = 0x2d, SystemTimeSlipNotification = 0x2e, SystemSessionCreate = 0x2f, SystemSessionDetach = 0x30, SystemSessionInformation = 0x31, SystemRangeStartInformation = 0x32, SystemVerifierInformation = 0x33, SystemVerifierThunkExtend = 0x34, SystemSessionProcessInformation = 0x35, SystemLoadGdiDriverInSystemSpace = 0x36, SystemNumaProcessorMap = 0x37, SystemPrefetcherInformation = 0x38, SystemExtendedProcessInformation = 0x39, SystemRecommendedSharedDataAlignment = 0x3a, SystemComPlusPackage = 0x3b, SystemNumaAvailableMemory = 0x3c, SystemProcessorPowerInformation = 0x3d, SystemEmulationBasicInformation = 0x3e, SystemEmulationProcessorInformation = 0x3f, SystemExtendedHandleInformation = 0x40, SystemLostDelayedWriteInformation = 0x41, SystemBigPoolInformation = 0x42, SystemSessionPoolTagInformation = 0x43, SystemSessionMappedViewInformation = 0x44, SystemHotpatchInformation = 0x45, SystemObjectSecurityMode = 0x46, SystemWatchdogTimerHandler = 0x47, SystemWatchdogTimerInformation = 0x48, SystemLogicalProcessorInformation = 0x49, SystemWow64SharedInformationObsolete = 0x4a, SystemRegisterFirmwareTableInformationHandler = 0x4b, SystemFirmwareTableInformation = 0x4c, SystemModuleInformationEx = 0x4d, SystemVerifierTriageInformation = 0x4e, SystemSuperfetchInformation = 0x4f, SystemMemoryListInformation = 0x50, SystemFileCacheInformationEx = 0x51, SystemThreadPriorityClientIdInformation = 0x52, SystemProcessorIdleCycleTimeInformation = 0x53, SystemVerifierCancellationInformation = 0x54, SystemProcessorPowerInformationEx = 0x55, SystemRefTraceInformation = 0x56, SystemSpecialPoolInformation = 0x57, SystemProcessIdInformation = 0x58, SystemErrorPortInformation = 0x59, SystemBootEnvironmentInformation = 0x5a, SystemHypervisorInformation = 0x5b, SystemVerifierInformationEx = 0x5c, SystemTimeZoneInformation = 0x5d, SystemImageFileExecutionOptionsInformation = 0x5e, SystemCoverageInformation = 0x5f, SystemPrefetchPatchInformation = 0x60, SystemVerifierFaultsInformation = 0x61, SystemSystemPartitionInformation = 0x62, SystemSystemDiskInformation = 0x63, SystemProcessorPerformanceDistribution = 0x64, SystemNumaProximityNodeInformation = 0x65, SystemDynamicTimeZoneInformation = 0x66, SystemCodeIntegrityInformation = 0x67, SystemProcessorMicrocodeUpdateInformation = 0x68, SystemProcessorBrandString = 0x69, SystemVirtualAddressInformation = 0x6a, SystemLogicalProcessorAndGroupInformation = 0x6b, SystemProcessorCycleTimeInformation = 0x6c, SystemStoreInformation = 0x6d, SystemRegistryAppendString = 0x6e, SystemAitSamplingValue = 0x6f, SystemVhdBootInformation = 0x70, SystemCpuQuotaInformation = 0x71, SystemNativeBasicInformation = 0x72, SystemErrorPortTimeouts = 0x73, SystemLowPriorityIoInformation = 0x74, SystemBootEntropyInformation = 0x75, SystemVerifierCountersInformation = 0x76, SystemPagedPoolInformationEx = 0x77, SystemSystemPtesInformationEx = 0x78, SystemNodeDistanceInformation = 0x79, SystemAcpiAuditInformation = 0x7a, SystemBasicPerformanceInformation = 0x7b, SystemQueryPerformanceCounterInformation = 0x7c, SystemSessionBigPoolInformation = 0x7d, SystemBootGraphicsInformation = 0x7e, SystemScrubPhysicalMemoryInformation = 0x7f, SystemBadPageInformation = 0x80, SystemProcessorProfileControlArea = 0x81, SystemCombinePhysicalMemoryInformation = 0x82, SystemEntropyInterruptTimingInformation = 0x83, SystemConsoleInformation = 0x84, SystemPlatformBinaryInformation = 0x85, SystemThrottleNotificationInformation = 0x86, SystemHypervisorProcessorCountInformation = 0x87, SystemDeviceDataInformation = 0x88, SystemDeviceDataEnumerationInformation = 0x89, SystemMemoryTopologyInformation = 0x8a, SystemMemoryChannelInformation = 0x8b, SystemBootLogoInformation = 0x8c, SystemProcessorPerformanceInformationEx = 0x8d, SystemSpare0 = 0x8e, SystemSecureBootPolicyInformation = 0x8f, SystemPageFileInformationEx = 0x90, SystemSecureBootInformation = 0x91, SystemEntropyInterruptTimingRawInformation = 0x92, SystemPortableWorkspaceEfiLauncherInformation = 0x93, SystemFullProcessInformation = 0x94, SystemKernelDebuggerInformationEx = 0x95, SystemBootMetadataInformation = 0x96, SystemSoftRebootInformation = 0x97, SystemElamCertificateInformation = 0x98, SystemOfflineDumpConfigInformation = 0x99, SystemProcessorFeaturesInformation = 0x9a, SystemRegistryReconciliationInformation = 0x9b, MaxSystemInfoClass = 0x9c,} SYSTEM_INFORMATION_CLASS;// 声明函数// By: Lyshark.comNTSYSAPI PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(_In_ PVOID Base);NTSTATUS NTAPI ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);typedef VOID(__cdecl *PMiProcessLoaderEntry)(PKLDR_DATA_TABLE_ENTRY section, IN LOGICAL Insert);typedef NTSTATUS(*NTQUERYSYSTEMINFORMATION)(IN ULONG SystemInformationClass, OUT PVOID SystemInformation, IN ULONG_PTR SystemInformationLength, OUT PULONG_PTR ReturnLength OPTIONAL);
经验总结扩展阅读
- 驱动开发:内核枚举Minifilter微过滤驱动
- 软件开发工程师工资一般多少 收入高吗
- 软件开发需要学什么 都有哪些课程
- Vue3 JS 与 SCSS 变量相互使用
- 24 Node.js躬行记——低代码
- 驱动开发:内核枚举PspCidTable句柄表
- 驱动开发:内核枚举DpcTimer定时器
- 如何更新电脑的显卡驱动(笔记本显卡驱动要不要更新)
- 你Win7系统如何将显卡驱动更新到最新版本
- envoy开发调试环境搭建