update
This commit is contained in:
LycorisGuard 2018-08-15 00:27:32 +08:00
parent eae3805066
commit a216bd710d
10 changed files with 794 additions and 749 deletions


@ -0,0 +1,391 @@
#include "Common.h"
ULONG_PTR ObjectTableOffsetOf_EPROCESS = 0;
ULONG_PTR PreviousModeOffsetOf_KTHREAD = 0;
ULONG_PTR IndexOffsetOfFunction = 0;
ULONG_PTR SSDTDescriptor = 0;
ULONG_PTR HighUserAddress = 0;
WIN_VERSION WinVersion = WINDOWS_UNKNOW;
ULONG_PTR LdrInPebOffset = 0;
ULONG_PTR ModListInLdrOffset = 0;
ULONG_PTR ObjectHeaderSize = 0;
ULONG_PTR ObjectTypeOffsetOf_Object_Header =0;
WIN_VERSION GetWindowsVersion()
{
RTL_OSVERSIONINFOEXW osverInfo = {sizeof(osverInfo)};
pfnRtlGetVersion RtlGetVersion = NULL;
WIN_VERSION WinVersion;
WCHAR szRtlGetVersion[] = L"RtlGetVersion";
RtlGetVersion = (pfnRtlGetVersion)GetFunctionAddressByName(szRtlGetVersion);
if (RtlGetVersion)
{
RtlGetVersion((PRTL_OSVERSIONINFOW)&osverInfo);
}
else
{
PsGetVersion(&osverInfo.dwMajorVersion, &osverInfo.dwMinorVersion, &osverInfo.dwBuildNumber, NULL);
}
if(osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 1 && osverInfo.dwBuildNumber == 7600)
{
DbgPrint("WINDOWS 7\r\n");
WinVersion = WINDOWS_7_7600;
}
else if(osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 1 && osverInfo.dwBuildNumber == 7601)
{
DbgPrint("WINDOWS 7\r\n");
WinVersion = WINDOWS_7_7601;
}
else if(osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 2 && osverInfo.dwBuildNumber == 9200)
{
DbgPrint("WINDOWS 8\r\n");
WinVersion = WINDOWS_8_9200;
}
else if(osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 3 && osverInfo.dwBuildNumber == 9600)
{
DbgPrint("WINDOWS 8.1\r\n");
WinVersion = WINDOWS_8_9600;
}
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 10240)
{
DbgPrint("WINDOWS 10 10240\r\n");
WinVersion = WINDOWS_10_10240;
}
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 10586)
{
DbgPrint("WINDOWS 10 10586\r\n");
WinVersion = WINDOWS_10_10586;
}
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 14393)
{
DbgPrint("WINDOWS 10 14393\r\n");
WinVersion = WINDOWS_10_14393;
}
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 15063)
{
DbgPrint("WINDOWS 10 15063\r\n");
WinVersion = WINDOWS_10_15063;
}
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 16299)
{
DbgPrint("WINDOWS 10 16299\r\n");
WinVersion = WINDOWS_10_16299;
}
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 17134)
{
DbgPrint("WINDOWS 10 17134\r\n");
WinVersion = WINDOWS_10_17134;
}
else
{
DbgPrint("This is a new os\r\n");
WinVersion = WINDOWS_UNKNOW;
}
return WinVersion;
}
PVOID
GetFunctionAddressByName(WCHAR *wzFunction)
{
UNICODE_STRING uniFunction;
PVOID AddrBase = NULL;
if (wzFunction && wcslen(wzFunction) > 0)
{
RtlInitUnicodeString(&uniFunction, wzFunction); //常量指针
AddrBase = MmGetSystemRoutineAddress(&uniFunction); //在System 进程 第一个模块 Ntosknrl.exe ExportTable
}
return AddrBase;
}
VOID InitGlobalVariable()
{
WinVersion = GetWindowsVersion();
switch(WinVersion)
{
#ifdef _WIN32
case WINDOWS_XP:
{
ObjectHeaderSize = 0x18;
ObjectTypeOffsetOf_Object_Header = 0x8;
LdrInPebOffset = 0x00c;
ModListInLdrOffset = 0x00c;
ObjectHeaderSize = 0x18;
ObjectTableOffsetOf_EPROCESS = 0x0c4;
PreviousModeOffsetOf_KTHREAD = 0x140;
HighUserAddress = 0x80000000;
break;
}
#else
case WINDOWS_7_7601:
{
LdrInPebOffset = 0x018;
ModListInLdrOffset = 0x010;
ObjectTableOffsetOf_EPROCESS = 0x200;
PreviousModeOffsetOf_KTHREAD = 0x1f6;
HighUserAddress = 0x80000000000;
break;
}
#endif
default:
return;
}
}
BOOLEAN IsRealProcess(PEPROCESS EProcess)
{
ULONG_PTR ObjectType;
ULONG_PTR ObjectTypeAddress;
BOOLEAN bRet = FALSE;
ULONG_PTR ProcessType = ((ULONG_PTR)*PsProcessType);
if (ProcessType && EProcess && MmIsAddressValid((PVOID)(EProcess)))
{
ObjectType = KeGetObjectType((PVOID)EProcess); //*PsProcessType
if (ObjectType &&
ProcessType == ObjectType &&
!IsProcessDie(EProcess))
{
bRet = TRUE;
}
}
return bRet;
}
ULONG_PTR KeGetObjectType(PVOID Object)
{
ULONG_PTR ObjectType = 0;
pfnObGetObjectType ObGetObjectType = NULL;
if (NULL == MmIsAddressValid ||!Object||!MmIsAddressValid(Object))
{
return 0;
}
if (WinVersion==WINDOWS_XP)
{
ULONG SizeOfObjectHeader = 0, ObjectTypeOffset = 0;
ULONG_PTR ObjectTypeAddress = 0;
ObjectTypeAddress = (ULONG_PTR)Object - ObjectHeaderSize + ObjectTypeOffsetOf_Object_Header;
if (MmIsAddressValid((PVOID)ObjectTypeAddress))
{
ObjectType = *(ULONG_PTR*)ObjectTypeAddress;
}
}
else
{
//高版本使用函数
ObGetObjectType = (pfnObGetObjectType)GetFunctionAddressByName(L"ObGetObjectType");
if (ObGetObjectType)
{
ObjectType = ObGetObjectType(Object);
}
}
return ObjectType;
}
BOOLEAN IsProcessDie(PEPROCESS EProcess)
{
BOOLEAN bDie = FALSE;
if (MmIsAddressValid &&
EProcess &&
MmIsAddressValid(EProcess) &&
MmIsAddressValid((PVOID)((ULONG_PTR)EProcess + ObjectTableOffsetOf_EPROCESS)))
{
PVOID ObjectTable = *(PVOID*)((ULONG_PTR)EProcess + ObjectTableOffsetOf_EPROCESS );
if (!ObjectTable||!MmIsAddressValid(ObjectTable) )
{
DbgPrint("Process is Die\r\n");
bDie = TRUE;
}
}
else
{
DbgPrint("Process is Die2\r\n");
bDie = TRUE;
}
return bDie;
}
CHAR ChangePreMode(PETHREAD EThread)
{
CHAR PreMode = *(PCHAR)((ULONG_PTR)EThread + PreviousModeOffsetOf_KTHREAD);
*(PCHAR)((ULONG_PTR)EThread + PreviousModeOffsetOf_KTHREAD) = KernelMode;
return PreMode;
}
VOID RecoverPreMode(PETHREAD EThread, CHAR PreMode)
{
*(PCHAR)((ULONG_PTR)EThread + PreviousModeOffsetOf_KTHREAD) = PreMode;
}
BOOLEAN NtPathToDosPathW(WCHAR* wzFullNtPath,WCHAR* wzFullDosPath)
{
WCHAR wzDosDevice[4] = {0};
WCHAR wzNtDevice[64] = {0};
WCHAR *RetStr = NULL;
size_t NtDeviceLen = 0;
short i = 0;
if(!wzFullNtPath||!wzFullDosPath)
{
return FALSE;
}
for(i=65;i<26+65;i++)
{
wzDosDevice[0] = i;
wzDosDevice[1] = L':';
if(NtQueryDosDevice(wzDosDevice,wzNtDevice,64))
{
if(wzNtDevice)
{
NtDeviceLen = wcslen(wzNtDevice);
if(!_wcsnicmp(wzNtDevice,wzFullNtPath,NtDeviceLen))
{
wcscpy(wzFullDosPath,wzDosDevice);
wcscat(wzFullDosPath,wzFullNtPath+NtDeviceLen);
return TRUE;
}
}
}
}
return FALSE;
}
ULONG
NtQueryDosDevice(WCHAR* wzDosDevice,WCHAR* wzNtDevice,
ULONG ucchMax)
{
NTSTATUS Status;
POBJECT_DIRECTORY_INFORMATION ObjectDirectoryInfor;
OBJECT_ATTRIBUTES oa;
UNICODE_STRING uniString;
HANDLE hDirectory;
HANDLE hDevice;
ULONG ulReturnLength;
ULONG ulNameLength;
ULONG ulLength;
ULONG Context;
BOOLEAN bRestartScan;
WCHAR* Ptr = NULL;
UCHAR szBuffer[512] = {0};
RtlInitUnicodeString (&uniString,L"\\??");
InitializeObjectAttributes(&oa,
&uniString,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
Status = ZwOpenDirectoryObject(&hDirectory,DIRECTORY_QUERY,&oa);
if(!NT_SUCCESS(Status))
{
return 0;
}
ulLength = 0;
if (wzDosDevice != NULL)
{
RtlInitUnicodeString (&uniString,(PWSTR)wzDosDevice);
InitializeObjectAttributes(&oa,&uniString,OBJ_CASE_INSENSITIVE,hDirectory,NULL);
Status = ZwOpenSymbolicLinkObject(&hDevice,GENERIC_READ,&oa);
if(!NT_SUCCESS (Status))
{
ZwClose(hDirectory);
return 0;
}
uniString.Length = 0;
uniString.MaximumLength = (USHORT)ucchMax * sizeof(WCHAR);
uniString.Buffer = wzNtDevice;
ulReturnLength = 0;
Status = ZwQuerySymbolicLinkObject (hDevice,&uniString,&ulReturnLength);
ZwClose(hDevice);
ZwClose(hDirectory);
if (!NT_SUCCESS (Status))
{
return 0;
}
ulLength = uniString.Length / sizeof(WCHAR);
if (ulLength < ucchMax)
{
wzNtDevice[ulLength] = UNICODE_NULL;
ulLength++;
}
else
{
return 0;
}
}
else
{
bRestartScan = TRUE;
Context = 0;
Ptr = wzNtDevice;
ObjectDirectoryInfor = (POBJECT_DIRECTORY_INFORMATION)szBuffer;
while (TRUE)
{
Status = ZwQueryDirectoryObject(hDirectory,szBuffer,sizeof (szBuffer),TRUE,bRestartScan,&Context,&ulReturnLength);
if(!NT_SUCCESS(Status))
{
if (Status == STATUS_NO_MORE_ENTRIES)
{
*Ptr = UNICODE_NULL;
ulLength++;
Status = STATUS_SUCCESS;
}
else
{
ulLength = 0;
}
break;
}
if (!wcscmp (ObjectDirectoryInfor->TypeName.Buffer, L"SymbolicLink"))
{
ulNameLength = ObjectDirectoryInfor->Name.Length / sizeof(WCHAR);
if (ulLength + ulNameLength + 1 >= ucchMax)
{
ulLength = 0;
break;
}
memcpy(Ptr,ObjectDirectoryInfor->Name.Buffer,ObjectDirectoryInfor->Name.Length);
Ptr += ulNameLength;
ulLength += ulNameLength;
*Ptr = UNICODE_NULL;
Ptr++;
ulLength++;
}
bRestartScan = FALSE;
}
ZwClose(hDirectory);
}
return ulLength;
}
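Review bot: `InitGlobalVariable` compiles the `WINDOWS_7_7601` offsets only under the `#else` of `#ifdef _WIN32`, but MSVC defines `_WIN32` for x64 targets too, so on a 64-bit build only the `WINDOWS_XP` case exists and a Windows 7 version falls through to `default: return;`, leaving `ObjectTableOffsetOf_EPROCESS`, `PreviousModeOffsetOf_KTHREAD` and `HighUserAddress` at 0 — `IsProcessDie` then reads `EProcess + 0` and `ChangePreMode` writes `EThread + 0`. The sibling `GetFuncAddress` in GetSSDTFuncAddress.c already keys the same split on `_WIN64`; use the same guard here, `#ifndef _WIN64` in place of `#ifdef _WIN32`. The XP branch is also unreachable on either architecture now that `GetWindowsVersion` has no 5.1 case and never returns `WINDOWS_XP`. The `default:` path should at least `DbgPrint` that no offsets were initialised, because every consumer of these globals uses them unchecked.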


@ -0,0 +1,60 @@
#pragma once
#include "ZwQueryVirtualMemory.h"
typedef enum WIN_VERSION {
WINDOWS_XP,
WINDOWS_7_7600,
WINDOWS_7_7601,
WINDOWS_8_9200,
WINDOWS_8_9600,
WINDOWS_10_10240,
WINDOWS_10_10586,
WINDOWS_10_14393,
WINDOWS_10_15063,
WINDOWS_10_16299,
WINDOWS_10_17134,
WINDOWS_UNKNOW
} WIN_VERSION;
WIN_VERSION GetWindowsVersion();
PVOID
GetFunctionAddressByName(WCHAR *wzFunction);
typedef
NTSTATUS
(*pfnRtlGetVersion)(OUT PRTL_OSVERSIONINFOW lpVersionInformation);
ULONG_PTR KeGetObjectType(PVOID Object);
typedef ULONG_PTR
(*pfnObGetObjectType)(PVOID pObject);
BOOLEAN IsProcessDie(PEPROCESS EProcess);
ULONG_PTR KeGetObjectType(PVOID Object);
BOOLEAN IsRealProcess(PEPROCESS EProcess) ;
CHAR ChangePreMode(PETHREAD EThread);
VOID RecoverPreMode(PETHREAD EThread, CHAR PreMode);
VOID InitGlobalVariable();//³õʼ»¯Ò»Ð©Æ«ÒÆ
BOOLEAN NtPathToDosPathW(WCHAR* wzFullNtPath,WCHAR* wzFullDosPath);
extern
NTSTATUS
NTAPI
ZwQueryDirectoryObject (
__in HANDLE DirectoryHandle,
__out_bcount_opt(Length) PVOID Buffer,
__in ULONG Length,
__in BOOLEAN ReturnSingleEntry,
__in BOOLEAN RestartScan,
__inout PULONG Context,
__out_opt PULONG ReturnLength
);
typedef struct _OBJECT_DIRECTORY_INFORMATION
{
UNICODE_STRING Name;
UNICODE_STRING TypeName;
} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;
ULONG
NtQueryDosDevice(WCHAR* wzDosDevice,WCHAR* wzNtDevice,
ULONG ucchMax);
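Review bot: Reordering the enum makes `WINDOWS_XP` the value 0, so any `WIN_VERSION` that is zero-initialised or never assigned now compares equal to `WINDOWS_XP`, and `KeGetObjectType` in Common.c chooses the raw object-header-offset path on exactly that test. `WinVersion` is explicitly set to `WINDOWS_UNKNOW` in Common.c so this is latent rather than live, but keeping `WINDOWS_UNKNOW` as the first enumerator (or writing `WINDOWS_UNKNOW = 0` explicitly) makes the unassigned state safe regardless of initialisation order. `ULONG_PTR KeGetObjectType(PVOID Object);` is also declared twice in this header, once before and once after the `pfnObGetObjectType` typedef; one of them can go.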


@ -1,356 +0,0 @@
#include "CommonR0.h"
ULONG_PTR ObjectTableOffsetOf_EPROCESS = 0;
ULONG_PTR PreviousModeOffsetOf_KTHREAD = 0;
ULONG_PTR IndexOffsetOfFunction = 0;
ULONG_PTR SSDTDescriptor = 0;
ULONG_PTR HighUserAddress = 0;
WIN_VERSION WinVersion = WINDOWS_UNKNOW;
ULONG_PTR LdrInPebOffset = 0;
ULONG_PTR ModListInLdrOffset = 0;
ULONG_PTR ObjectHeaderSize = 0;
ULONG_PTR ObjectTypeOffsetOf_Object_Header =0;
WIN_VERSION GetWindowsVersion()
{
RTL_OSVERSIONINFOEXW osverInfo = {sizeof(osverInfo)};
pfnRtlGetVersion RtlGetVersion = NULL;
WIN_VERSION WinVersion;
WCHAR wzRtlGetVersion[] = L"RtlGetVersion";
RtlGetVersion = GetFunctionAddressByName(wzRtlGetVersion); //Ntoskrnl.exe 导出表
if (RtlGetVersion)
{
RtlGetVersion((PRTL_OSVERSIONINFOW)&osverInfo);
}
else
{
PsGetVersion(&osverInfo.dwMajorVersion, &osverInfo.dwMinorVersion, &osverInfo.dwBuildNumber, NULL); //Documet
}
DbgPrint("Build Number: %d\r\n", osverInfo.dwBuildNumber);
if (osverInfo.dwMajorVersion == 5 && osverInfo.dwMinorVersion == 1)
{
DbgPrint("WINDOWS_XP\r\n");
WinVersion = WINDOWS_XP;
}
else if (osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 1)
{
DbgPrint("WINDOWS 7\r\n");
WinVersion = WINDOWS_7;
}
else if (osverInfo.dwMajorVersion == 6 &&
osverInfo.dwMinorVersion == 2 &&
osverInfo.dwBuildNumber == 9200)
{
DbgPrint("WINDOWS 8\r\n");
WinVersion = WINDOWS_8;
}
else if (osverInfo.dwMajorVersion == 6 &&
osverInfo.dwMinorVersion == 3 &&
osverInfo.dwBuildNumber == 9600)
{
DbgPrint("WINDOWS 8.1\r\n");
WinVersion = WINDOWS_8_1;
}
else
{
DbgPrint("WINDOWS_UNKNOW\r\n");
WinVersion = WINDOWS_UNKNOW;
}
return WinVersion;
}
PVOID
GetFunctionAddressByName(WCHAR *wzFunction)
{
UNICODE_STRING uniFunction;
PVOID AddrBase = NULL;
if (wzFunction && wcslen(wzFunction) > 0)
{
RtlInitUnicodeString(&uniFunction, wzFunction); //常量指针
AddrBase = MmGetSystemRoutineAddress(&uniFunction); //在System 进程 第一个模块 Ntosknrl.exe ExportTable
}
return AddrBase;
}
VOID InitGlobalVariable()
{
WinVersion = GetWindowsVersion();
switch(WinVersion)
{
case WINDOWS_XP:
{
ObjectHeaderSize = 0x18;
ObjectTypeOffsetOf_Object_Header = 0x8;
LdrInPebOffset = 0x00c;
ModListInLdrOffset = 0x00c;
ObjectHeaderSize = 0x18;
ObjectTableOffsetOf_EPROCESS = 0x0c4;
PreviousModeOffsetOf_KTHREAD = 0x140;
HighUserAddress = 0x80000000;
break;
}
case WINDOWS_7:
{
LdrInPebOffset = 0x018;
ModListInLdrOffset = 0x010;
ObjectTableOffsetOf_EPROCESS = 0x200;
PreviousModeOffsetOf_KTHREAD = 0x1f6;
HighUserAddress = 0x80000000000;
break;
}
}
}
BOOLEAN IsRealProcess(PEPROCESS EProcess)
{
ULONG_PTR ObjectType;
ULONG_PTR ObjectTypeAddress;
BOOLEAN bRet = FALSE;
ULONG_PTR ProcessType = ((ULONG_PTR)*PsProcessType);
if (ProcessType && EProcess && MmIsAddressValid((PVOID)(EProcess)))
{
ObjectType = KeGetObjectType((PVOID)EProcess); //*PsProcessType
if (ObjectType &&
ProcessType == ObjectType &&
!IsProcessDie(EProcess))
{
bRet = TRUE;
}
}
return bRet;
}
ULONG_PTR KeGetObjectType(PVOID Object)
{
ULONG_PTR ObjectType = NULL;
pfnObGetObjectType ObGetObjectType = NULL;
if (!MmIsAddressValid ||!Object||!MmIsAddressValid(Object))
{
return NULL;
}
if (WinVersion==WINDOWS_XP)
{
ULONG SizeOfObjectHeader = 0, ObjectTypeOffset = 0, ObjectTypeAddress = 0;
ObjectTypeAddress = (ULONG_PTR)Object - ObjectHeaderSize + ObjectTypeOffsetOf_Object_Header;
if (MmIsAddressValid((PVOID)ObjectTypeAddress))
{
ObjectType = *(ULONG_PTR*)ObjectTypeAddress;
}
}
else
{
//高版本使用函数
ObGetObjectType = (pfnObGetObjectType)GetFunctionAddressByName(L"ObGetObjectType");
if (ObGetObjectType)
{
ObjectType = ObGetObjectType(Object);
}
}
return ObjectType;
}
BOOLEAN IsProcessDie(PEPROCESS EProcess)
{
BOOLEAN bDie = FALSE;
if (MmIsAddressValid &&
EProcess &&
MmIsAddressValid(EProcess) &&
MmIsAddressValid((PVOID)((ULONG_PTR)EProcess + ObjectTableOffsetOf_EPROCESS)))
{
PVOID ObjectTable = *(PVOID*)((ULONG_PTR)EProcess + ObjectTableOffsetOf_EPROCESS );
if (!ObjectTable||!MmIsAddressValid(ObjectTable) )
{
DbgPrint("Process is Die\r\n");
bDie = TRUE;
}
}
else
{
DbgPrint("Process is Die2\r\n");
bDie = TRUE;
}
return bDie;
}
CHAR ChangePreMode(PETHREAD EThread)
{
CHAR PreMode = *(PCHAR)((ULONG_PTR)EThread + PreviousModeOffsetOf_KTHREAD);
*(PCHAR)((ULONG_PTR)EThread + PreviousModeOffsetOf_KTHREAD) = KernelMode;
return PreMode;
}
VOID RecoverPreMode(PETHREAD EThread, CHAR PreMode)
{
*(PCHAR)((ULONG_PTR)EThread + PreviousModeOffsetOf_KTHREAD) = PreMode;
}
BOOLEAN NtPathToDosPathW(WCHAR* wzFullNtPath,WCHAR* wzFullDosPath)
{
WCHAR wzDosDevice[4] = {0};
WCHAR wzNtDevice[64] = {0};
WCHAR *RetStr = NULL;
size_t NtDeviceLen = 0;
short i = 0;
if(!wzFullNtPath||!wzFullDosPath)
{
return FALSE;
}
for(i=65;i<26+65;i++)
{
wzDosDevice[0] = i;
wzDosDevice[1] = L':';
if(NtQueryDosDevice(wzDosDevice,wzNtDevice,64))
{
if(wzNtDevice)
{
NtDeviceLen = wcslen(wzNtDevice);
if(!_wcsnicmp(wzNtDevice,wzFullNtPath,NtDeviceLen))
{
wcscpy(wzFullDosPath,wzDosDevice);
wcscat(wzFullDosPath,wzFullNtPath+NtDeviceLen);
return TRUE;
}
}
}
}
}
ULONG
NtQueryDosDevice(WCHAR* wzDosDevice,WCHAR* wzNtDevice,
ULONG ucchMax)
{
NTSTATUS Status;
POBJECT_DIRECTORY_INFORMATION ObjectDirectoryInfor;
OBJECT_ATTRIBUTES oa;
UNICODE_STRING uniString;
HANDLE hDirectory;
HANDLE hDevice;
ULONG ulReturnLength;
ULONG ulNameLength;
ULONG ulLength;
ULONG Context;
BOOLEAN bRestartScan;
WCHAR* Ptr = NULL;
UCHAR szBuffer[512] = {0};
RtlInitUnicodeString (&uniString,L"\\??");
InitializeObjectAttributes(&oa,
&uniString,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
Status = ZwOpenDirectoryObject(&hDirectory,DIRECTORY_QUERY,&oa);
if(!NT_SUCCESS(Status))
{
return 0;
}
ulLength = 0;
if (wzDosDevice != NULL)
{
RtlInitUnicodeString (&uniString,(PWSTR)wzDosDevice);
InitializeObjectAttributes(&oa,&uniString,OBJ_CASE_INSENSITIVE,hDirectory,NULL);
Status = ZwOpenSymbolicLinkObject(&hDevice,GENERIC_READ,&oa);
if(!NT_SUCCESS (Status))
{
ZwClose(hDirectory);
return 0;
}
uniString.Length = 0;
uniString.MaximumLength = (USHORT)ucchMax * sizeof(WCHAR);
uniString.Buffer = wzNtDevice;
ulReturnLength = 0;
Status = ZwQuerySymbolicLinkObject (hDevice,&uniString,&ulReturnLength);
ZwClose(hDevice);
ZwClose(hDirectory);
if (!NT_SUCCESS (Status))
{
return 0;
}
ulLength = uniString.Length / sizeof(WCHAR);
if (ulLength < ucchMax)
{
wzNtDevice[ulLength] = UNICODE_NULL;
ulLength++;
}
else
{
return 0;
}
}
else
{
bRestartScan = TRUE;
Context = 0;
Ptr = wzNtDevice;
ObjectDirectoryInfor = (POBJECT_DIRECTORY_INFORMATION)szBuffer;
while (TRUE)
{
Status = ZwQueryDirectoryObject(hDirectory,szBuffer,sizeof (szBuffer),TRUE,bRestartScan,&Context,&ulReturnLength);
if(!NT_SUCCESS(Status))
{
if (Status == STATUS_NO_MORE_ENTRIES)
{
*Ptr = UNICODE_NULL;
ulLength++;
Status = STATUS_SUCCESS;
}
else
{
ulLength = 0;
}
break;
}
if (!wcscmp (ObjectDirectoryInfor->TypeName.Buffer, L"SymbolicLink"))
{
ulNameLength = ObjectDirectoryInfor->Name.Length / sizeof(WCHAR);
if (ulLength + ulNameLength + 1 >= ucchMax)
{
ulLength = 0;
break;
}
memcpy(Ptr,ObjectDirectoryInfor->Name.Buffer,ObjectDirectoryInfor->Name.Length);
Ptr += ulNameLength;
ulLength += ulNameLength;
*Ptr = UNICODE_NULL;
Ptr++;
ulLength++;
}
bRestartScan = FALSE;
}
ZwClose(hDirectory);
}
return ulLength;
}


@ -1,53 +0,0 @@
#pragma once
#include "ZwQueryVirtualMemory.h"
typedef enum WIN_VERSION {
WINDOWS_UNKNOW,
WINDOWS_XP,
WINDOWS_7,
WINDOWS_8,
WINDOWS_8_1
} WIN_VERSION;
WIN_VERSION GetWindowsVersion();
PVOID
GetFunctionAddressByName(WCHAR *wzFunction);
typedef
NTSTATUS
(*pfnRtlGetVersion)(OUT PRTL_OSVERSIONINFOW lpVersionInformation);
ULONG_PTR KeGetObjectType(PVOID Object);
typedef ULONG_PTR
(*pfnObGetObjectType)(PVOID pObject);
BOOLEAN IsProcessDie(PEPROCESS EProcess);
ULONG_PTR KeGetObjectType(PVOID Object);
BOOLEAN IsRealProcess(PEPROCESS EProcess) ;
CHAR ChangePreMode(PETHREAD EThread);
VOID RecoverPreMode(PETHREAD EThread, CHAR PreMode);
VOID InitGlobalVariable();//³õʼ»¯Ò»Ð©Æ«ÒÆ
BOOLEAN NtPathToDosPathW(WCHAR* wzFullNtPath,WCHAR* wzFullDosPath);
extern
NTSTATUS
NTAPI
ZwQueryDirectoryObject (
__in HANDLE DirectoryHandle,
__out_bcount_opt(Length) PVOID Buffer,
__in ULONG Length,
__in BOOLEAN ReturnSingleEntry,
__in BOOLEAN RestartScan,
__inout PULONG Context,
__out_opt PULONG ReturnLength
);
typedef struct _OBJECT_DIRECTORY_INFORMATION
{
UNICODE_STRING Name;
UNICODE_STRING TypeName;
} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;
ULONG
NtQueryDosDevice(WCHAR* wzDosDevice,WCHAR* wzNtDevice,
ULONG ucchMax);


@ -1,159 +1,154 @@
#include "GetSSDTFuncAddress.h"
#include "CommonR0.h"
#include "Common.h"
ULONG_PTR IndexOffset = 0;
extern WIN_VERSION WinVersion;
ULONG_PTR GetFuncAddress(char* szFuncName)
{
ULONG_PTR SSDTDescriptor = 0;
ULONG_PTR ulIndex = 0;
ULONG_PTR SSDTFuncAddress = 0;
ULONG_PTR SSDTDescriptor = 0;
ULONG_PTR ulIndex = 0;
ULONG_PTR SSDTFuncAddress = 0;
WinVersion = GetWindowsVersion();
WinVersion = GetWindowsVersion();
switch(WinVersion)
{
#ifdef _WIN64
case WINDOWS_7_7601:
{
SSDTDescriptor = GetKeServiceDescriptorTable64();
IndexOffset = 4;
break;
}
#else
case WINDOWS_XP:
{
SSDTDescriptor = (ULONG_PTR)GetFunctionAddressByName(L"KeServiceDescriptorTable");
IndexOffset = 1;
break;
}
#endif
default:
return 0;
}
switch(WinVersion)
{
case WINDOWS_7:
{
SSDTDescriptor = GetKeServiceDescriptorTable64();
IndexOffset = 4;
break;
}
case WINDOWS_XP:
{
SSDTDescriptor = (ULONG_PTR)GetFunctionAddressByName(L"KeServiceDescriptorTable");
IndexOffset = 1;
break;
}
}
ulIndex = GetSSDTApiFunIndex(szFuncName);
SSDTFuncAddress = GetSSDTApiFunAddress(ulIndex,SSDTDescriptor);
return SSDTFuncAddress;
ulIndex = GetSSDTApiFunIndex(szFuncName);
SSDTFuncAddress = GetSSDTApiFunAddress(ulIndex,SSDTDescriptor);
return SSDTFuncAddress;
}
ULONG_PTR GetSSDTApiFunAddress(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
{
ULONG_PTR SSDTFuncAddress = 0;
switch(WinVersion)
{
case WINDOWS_7:
{
SSDTFuncAddress = GetSSDTFunctionAddress64(ulIndex,SSDTDescriptor);
break;
}
ULONG_PTR SSDTFuncAddress = 0;
switch(WinVersion)
{
#ifdef _WIN64
case WINDOWS_7_7601:
{
SSDTFuncAddress = GetSSDTFunctionAddress64(ulIndex,SSDTDescriptor);
break;
}
#else
case WINDOWS_XP:
{
SSDTFuncAddress = GetSSDTFunctionAddress32(ulIndex,SSDTDescriptor);
break;
}
#endif
default:
return 0;
}
case WINDOWS_XP:
{
SSDTFuncAddress = GetSSDTFunctionAddress32(ulIndex,SSDTDescriptor);
break;
}
}
return 0;
}
ULONG_PTR GetSSDTFunctionAddress32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
{
ULONG_PTR ServiceTableBase= 0 ;
PSYSTEM_SERVICE_TABLE32 SSDT = (PSYSTEM_SERVICE_TABLE32)SSDTDescriptor;
ULONG_PTR ServiceTableBase= 0 ;
PSYSTEM_SERVICE_TABLE32 SSDT = (PSYSTEM_SERVICE_TABLE32)SSDTDescriptor;
ServiceTableBase=(ULONG_PTR)(SSDT ->ServiceTableBase);
ServiceTableBase=(ULONG_PTR)(SSDT ->ServiceTableBase);
return (ULONG_PTR)(((ULONG*)ServiceTableBase)[(ULONG)ulIndex]);
return (ULONG_PTR)(((ULONG*)ServiceTableBase)[(ULONG)ulIndex]);
}
ULONG_PTR GetSSDTFunctionAddress64(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
{
LONG dwTemp=0;
ULONG_PTR qwTemp=0;
ULONG_PTR ServiceTableBase= 0 ;
ULONG_PTR FuncAddress =0;
PSYSTEM_SERVICE_TABLE64 SSDT = (PSYSTEM_SERVICE_TABLE64)SSDTDescriptor;
ServiceTableBase=(ULONG_PTR)(SSDT ->ServiceTableBase);
qwTemp = ServiceTableBase + 4 * ulIndex;
dwTemp = *(PLONG)qwTemp;
dwTemp = dwTemp>>4;
FuncAddress = ServiceTableBase + (ULONG_PTR)dwTemp;
return FuncAddress;
LONG dwTemp=0;
ULONG_PTR qwTemp=0;
ULONG_PTR ServiceTableBase= 0 ;
ULONG_PTR FuncAddress =0;
PSYSTEM_SERVICE_TABLE64 SSDT = (PSYSTEM_SERVICE_TABLE64)SSDTDescriptor;
ServiceTableBase=(ULONG_PTR)(SSDT ->ServiceTableBase);
qwTemp = ServiceTableBase + 4 * ulIndex;
dwTemp = *(PLONG)qwTemp;
dwTemp = dwTemp>>4;
FuncAddress = ServiceTableBase + (ULONG_PTR)dwTemp;
return FuncAddress;
}
LONG GetSSDTApiFunIndex(IN LPSTR lpszFunName)
{
LONG Index = -1;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
PVOID MapBase = NULL;
PIMAGE_NT_HEADERS NtHeader;
PIMAGE_EXPORT_DIRECTORY ExportTable;
ULONG* FunctionAddresses;
ULONG* FunctionNames;
USHORT* FunIndexs;
ULONG ulFunIndex;
ULONG i;
CHAR* FunName;
SIZE_T ViewSize=0;
ULONG_PTR FunAddress;
WCHAR wzNtdll[] = L"\\SystemRoot\\System32\\ntdll.dll";
LONG Index = -1;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
PVOID MapBase = NULL;
PIMAGE_NT_HEADERS NtHeader;
PIMAGE_EXPORT_DIRECTORY ExportTable;
ULONG* FunctionAddresses;
ULONG* FunctionNames;
USHORT* FunIndexs;
ULONG ulFunIndex;
ULONG i;
CHAR* FunName;
SIZE_T ViewSize=0;
ULONG_PTR FunAddress;
WCHAR wzNtdll[] = L"\\SystemRoot\\System32\\ntdll.dll";
Status = MapFileInUserSpace(wzNtdll, NtCurrentProcess(), &MapBase, &ViewSize);
if (!NT_SUCCESS(Status))
{
Status = MapFileInUserSpace(wzNtdll, NtCurrentProcess(), &MapBase, &ViewSize);
if (!NT_SUCCESS(Status))
{
return STATUS_UNSUCCESSFUL;
}
else
{
__try{
NtHeader = RtlImageNtHeader(MapBase);
if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress){
ExportTable =(IMAGE_EXPORT_DIRECTORY *)((ULONG_PTR)MapBase + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
FunctionAddresses = (ULONG*)((ULONG_PTR)MapBase + ExportTable->AddressOfFunctions);
FunctionNames = (ULONG*)((ULONG_PTR)MapBase + ExportTable->AddressOfNames);
FunIndexs = (USHORT*)((ULONG_PTR)MapBase + ExportTable->AddressOfNameOrdinals);
for(i = 0; i < ExportTable->NumberOfNames; i++)
{
FunName = (LPSTR)((ULONG_PTR)MapBase + FunctionNames[i]);
if (_stricmp(FunName, lpszFunName) == 0)
{
ulFunIndex = FunIndexs[i];
FunAddress = (ULONG_PTR)((ULONG_PTR)MapBase + FunctionAddresses[ulFunIndex]);
Index=*(ULONG*)(FunAddress+IndexOffset);
break;
}
}
}
}__except(EXCEPTION_EXECUTE_HANDLER)
{
}
}
return STATUS_UNSUCCESSFUL;
if (Index == -1)
{
DbgPrint("%s Get Index Error\n", lpszFunName);
}
}
else
{
__try{
NtHeader = RtlImageNtHeader(MapBase);
if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress){
ExportTable =(IMAGE_EXPORT_DIRECTORY *)((ULONG_PTR)MapBase + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
FunctionAddresses = (ULONG*)((ULONG_PTR)MapBase + ExportTable->AddressOfFunctions);
FunctionNames = (ULONG*)((ULONG_PTR)MapBase + ExportTable->AddressOfNames);
FunIndexs = (USHORT*)((ULONG_PTR)MapBase + ExportTable->AddressOfNameOrdinals);
for(i = 0; i < ExportTable->NumberOfNames; i++)
{
FunName = (LPSTR)((ULONG_PTR)MapBase + FunctionNames[i]);
if (_stricmp(FunName, lpszFunName) == 0)
{
ulFunIndex = FunIndexs[i];
FunAddress = (ULONG_PTR)((ULONG_PTR)MapBase + FunctionAddresses[ulFunIndex]);
Index=*(ULONG*)(FunAddress+IndexOffset);
break;
}
}
}
}__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
}
if (Index == -1)
{
DbgPrint("%s Get Index Error\n", lpszFunName);
}
ZwUnmapViewOfSection(NtCurrentProcess(), MapBase);
return Index;
ZwUnmapViewOfSection(NtCurrentProcess(), MapBase);
return Index;
}
@ -161,118 +156,117 @@ LONG GetSSDTApiFunIndex(IN LPSTR lpszFunName)
ULONG_PTR GetKeServiceDescriptorTable64()
{
PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082);
PUCHAR EndSearchAddress = StartSearchAddress + 0x500;
PUCHAR i = NULL;
UCHAR b1=0,b2=0,b3=0;
ULONG_PTR Temp = 0;
ULONG_PTR Address = 0;
for(i=StartSearchAddress;i<EndSearchAddress;i++)
{
if( MmIsAddressValid(i) && MmIsAddressValid(i+1) && MmIsAddressValid(i+2) )
{
b1=*i;
b2=*(i+1);
b3=*(i+2);
if( b1==0x4c && b2==0x8d && b3==0x15 ) //4c8d15
{
memcpy(&Temp,i+3,4);
Address = (ULONG_PTR)Temp + (ULONG_PTR)i + 7;
return Address;
}
}
}
return 0;
PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082);
PUCHAR EndSearchAddress = StartSearchAddress + 0x500;
PUCHAR i = NULL;
UCHAR b1=0,b2=0,b3=0;
ULONG_PTR Temp = 0;
ULONG_PTR Address = 0;
for(i=StartSearchAddress;i<EndSearchAddress;i++)
{
if( MmIsAddressValid(i) && MmIsAddressValid(i+1) && MmIsAddressValid(i+2) )
{
b1=*i;
b2=*(i+1);
b3=*(i+2);
if( b1==0x4c && b2==0x8d && b3==0x15 ) //4c8d15
{
memcpy(&Temp,i+3,4);
Address = (ULONG_PTR)Temp + (ULONG_PTR)i + 7;
return Address;
}
}
}
return 0;
}
NTSTATUS
MapFileInUserSpace(IN LPWSTR lpszFileName,IN HANDLE ProcessHandle OPTIONAL,
OUT PVOID *BaseAddress,
OUT PSIZE_T ViewSize OPTIONAL)
MapFileInUserSpace(IN LPWSTR lpszFileName,IN HANDLE ProcessHandle OPTIONAL,
OUT PVOID *BaseAddress,
OUT PSIZE_T ViewSize OPTIONAL)
{
NTSTATUS Status = STATUS_INVALID_PARAMETER;
HANDLE hFile = NULL;
HANDLE hSection = NULL;
OBJECT_ATTRIBUTES oa;
SIZE_T MapViewSize = 0;
IO_STATUS_BLOCK Iosb;
UNICODE_STRING uniFileName;
NTSTATUS Status = STATUS_INVALID_PARAMETER;
HANDLE hFile = NULL;
HANDLE hSection = NULL;
OBJECT_ATTRIBUTES oa;
SIZE_T MapViewSize = 0;
IO_STATUS_BLOCK Iosb;
UNICODE_STRING uniFileName;
if (!lpszFileName || !BaseAddress){
return Status;
}
if (!lpszFileName || !BaseAddress){
return Status;
}
RtlInitUnicodeString(&uniFileName, lpszFileName);
InitializeObjectAttributes(&oa,
&uniFileName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL
);
RtlInitUnicodeString(&uniFileName, lpszFileName);
InitializeObjectAttributes(&oa,
&uniFileName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL
);
Status = IoCreateFile(&hFile,
GENERIC_READ | SYNCHRONIZE,
&oa,
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0,
CreateFileTypeNone,
NULL,
IO_NO_PARAMETER_CHECKING
);
Status = IoCreateFile(&hFile,
GENERIC_READ | SYNCHRONIZE,
&oa,
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0,
CreateFileTypeNone,
NULL,
IO_NO_PARAMETER_CHECKING
);
if (!NT_SUCCESS(Status))
{
DbgPrint("ZwCreateFile Failed! Error=%08x\n",Status);
return Status;
}
if (!NT_SUCCESS(Status))
{
DbgPrint("ZwCreateFile Failed! Error=%08x\n",Status);
return Status;
}
oa.ObjectName = NULL;
Status = ZwCreateSection(&hSection,
SECTION_QUERY | SECTION_MAP_READ,
&oa,
NULL,
PAGE_WRITECOPY,
SEC_IMAGE,
hFile
);
ZwClose(hFile);
if (!NT_SUCCESS(Status))
{
DbgPrint("ZwCreateSection Failed! Error=%08x\n",Status);
return Status;
oa.ObjectName = NULL;
Status = ZwCreateSection(&hSection,
SECTION_QUERY | SECTION_MAP_READ,
&oa,
NULL,
PAGE_WRITECOPY,
SEC_IMAGE,
hFile
);
ZwClose(hFile);
if (!NT_SUCCESS(Status))
{
DbgPrint("ZwCreateSection Failed! Error=%08x\n",Status);
return Status;
}
}
if (!ProcessHandle){
ProcessHandle = NtCurrentProcess();
}
if (!ProcessHandle){
ProcessHandle = NtCurrentProcess();
}
Status = ZwMapViewOfSection(hSection,
ProcessHandle,
BaseAddress,
0,
0,
0,
ViewSize ? ViewSize : &MapViewSize,
ViewUnmap,
0,
PAGE_WRITECOPY
);
ZwClose(hSection);
if (!NT_SUCCESS(Status))
{
DbgPrint("ZwMapViewOfSection Failed! Error=%08x\n",Status);
return Status;
}
Status = ZwMapViewOfSection(hSection,
ProcessHandle,
BaseAddress,
0,
0,
0,
ViewSize ? ViewSize : &MapViewSize,
ViewUnmap,
0,
PAGE_WRITECOPY
);
ZwClose(hSection);
if (!NT_SUCCESS(Status))
{
DbgPrint("ZwMapViewOfSection Failed! Error=%08x\n",Status);
return Status;
}
return Status;
return Status;
}
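Review bot: `GetSSDTApiFunAddress` computes `SSDTFuncAddress` in both `#ifdef` branches, but as printed the only exit after the switch is `return 0;`, so every caller receives 0 and `GetFuncAddress` hands that 0 to the `pfnNtQueryVirtualMemory` cast in DriverEntry. The trailing statement should be `return SSDTFuncAddress;`. `GetFuncAddress` also stores the `LONG` result of `GetSSDTApiFunIndex` into the `ULONG_PTR` `ulIndex` without checking it; that function returns -1 when the name is not exported and `STATUS_UNSUCCESSFUL` when the ntdll mapping fails, and either value becomes an enormous table index in `GetSSDTFunctionAddress32`/`64`. Guard it before the lookup: `LONG Index = GetSSDTApiFunIndex(szFuncName); if (Index < 0) return 0; ulIndex = (ULONG_PTR)Index;`.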


@ -6,32 +6,32 @@
#define SEC_IMAGE 0x01000000
typedef struct _SYSTEM_SERVICE_TABLE64{
PVOID ServiceTableBase;
PVOID ServiceCounterTableBase;
ULONG64 NumberOfServices;
PVOID ParamTableBase;
PVOID ServiceTableBase;
PVOID ServiceCounterTableBase;
ULONG64 NumberOfServices;
PVOID ParamTableBase;
} SYSTEM_SERVICE_TABLE64, *PSYSTEM_SERVICE_TABLE64;
typedef struct _SYSTEM_SERVICE_TABLE32 {
PVOID ServiceTableBase;
PVOID ServiceCounterTableBase;
ULONG32 NumberOfServices;
PVOID ParamTableBase;
PVOID ServiceTableBase;
PVOID ServiceCounterTableBase;
ULONG32 NumberOfServices;
PVOID ParamTableBase;
} SYSTEM_SERVICE_TABLE32, *PSYSTEM_SERVICE_TABLE32;
NTSYSAPI
PIMAGE_NT_HEADERS
NTAPI
RtlImageNtHeader(PVOID Base);
PIMAGE_NT_HEADERS
NTAPI
RtlImageNtHeader(PVOID Base);
ULONG_PTR GetFuncAddress(char* szFuncName);
LONG GetSSDTApiFunIndex(IN LPSTR lpszFunName);
NTSTATUS
MapFileInUserSpace(IN LPWSTR lpszFileName,IN HANDLE ProcessHandle OPTIONAL,
OUT PVOID *BaseAddress,
OUT PSIZE_T ViewSize OPTIONAL);
MapFileInUserSpace(IN LPWSTR lpszFileName,IN HANDLE ProcessHandle OPTIONAL,
OUT PVOID *BaseAddress,
OUT PSIZE_T ViewSize OPTIONAL);
ULONG_PTR GetSSDTApiFunAddress(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);


@ -4,10 +4,10 @@
* MODULE : ZwQueryVirtualMemory.C
*
* Command:
* Source of IOCTRL Sample Driver
* Source of IOCTRL Sample Driver
*
* Description:
* Demonstrates communications between USER and KERNEL.
* Demonstrates communications between USER and KERNEL.
*
****************************************************************************************
* Copyright (C) 2010 MZ.
@ -18,8 +18,8 @@
//#######################################################################################
#ifndef CXX_ZWQUERYVIRTUALMEMORY_H
# include "ZwQueryVirtualMemory.h"
#include "CommonR0.h"
# include "ZwQueryVirtualMemory.h"
#include "Common.h"
#include "GetSSDTFuncAddress.h"
#endif
@ -43,105 +43,102 @@ pfnNtQueryVirtualMemory NtQueryVirtualMemoryAddress = NULL;
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING ustrLinkName;
UNICODE_STRING ustrDevName;
PDEVICE_OBJECT pDevObj;
int i = 0;
PEPROCESS Eprocess ;
HANDLE Id ;
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING ustrLinkName;
UNICODE_STRING ustrDevName;
PDEVICE_OBJECT pDevObj;
PEPROCESS Process = NULL;
HANDLE Id = NULL;
WinVersion = GetWindowsVersion();
InitGlobalVariable();
NtQueryVirtualMemoryAddress = (pfnNtQueryVirtualMemory)GetFuncAddress("NtQueryVirtualMemory");
WinVersion = GetWindowsVersion();
InitGlobalVariable();
NtQueryVirtualMemoryAddress = (pfnNtQueryVirtualMemory)GetFuncAddress("NtQueryVirtualMemory");
Process = PsGetCurrentProcess();
Id = PsGetProcessId(Process);
EnumMoudleByNtQueryVirtualMemory((ULONG)Id);
pDriverObj->DriverUnload = DriverUnload;
//Eprocess = PsGetCurrentProcess();
//Id= PsGetProcessId(Eprocess);
EnumMoudleByNtQueryVirtualMemory((ULONG)1592);
pDriverObj->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
return STATUS_SUCCESS;
}
VOID
DriverUnload(IN PDRIVER_OBJECT pDriverObj)
{
return;
{
return;
}
NTSTATUS EnumMoudleByNtQueryVirtualMemory(ULONG ProcessId)
{
NTSTATUS Status;
PEPROCESS EProcess = NULL;
HANDLE hProcess = NULL;
ULONG ulRet = 0;
WCHAR DosPath[260] = {0};
NTSTATUS Status;
PEPROCESS Process = NULL;
HANDLE hProcess = NULL;
SIZE_T ulRet = 0;
WCHAR DosPath[260] = {0};
if (ProcessId)
{
Status = PsLookupProcessByProcessId((HANDLE)ProcessId, &EProcess);
if (!NT_SUCCESS(Status))
{
return Status;
}
}
if (IsRealProcess(EProcess)) //判断是否为僵尸进程,我只是判断了对象类型和句柄表是否存在
{
ObfDereferenceObject(EProcess);
Status = ObOpenObjectByPointer(EProcess,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
NULL,
GENERIC_ALL,
*PsProcessType,
KernelMode,
&hProcess
);
if (NT_SUCCESS(Status))
{
ULONG_PTR ulBase = 0;
//改变PreviousMode
PETHREAD EThread = PsGetCurrentThread();
CHAR PreMode = ChangePreMode(EThread); //KernelMode
do
{
MEMORY_BASIC_INFORMATION mbi = {0};
Status = NtQueryVirtualMemoryAddress(hProcess,
(PVOID)ulBase,
MemoryBasicInformation,
&mbi,
sizeof(MEMORY_BASIC_INFORMATION),
&ulRet);
if (NT_SUCCESS(Status))
{
//如果是Image 再查询SectionName,即FileObject Name
if (mbi.Type==MEM_IMAGE)
{
MEMORY_SECTION_NAME msn = {0};
Status = NtQueryVirtualMemoryAddress(hProcess,
(PVOID)ulBase,
MemorySectionName,
&msn,
sizeof(MEMORY_SECTION_NAME),
&ulRet);
if (NT_SUCCESS(Status))
{
DbgPrint("SectionName:%wZ\r\n",&(msn.Name));
NtPathToDosPathW(msn.Name.Buffer,DosPath);
DbgPrint("DosName:%S\r\n",DosPath);
}
}
ulBase += mbi.RegionSize;
}
else ulBase += PAGE_SIZE;
} while (ulBase < (ULONG_PTR)HighUserAddress);
NtClose(hProcess);
RecoverPreMode(EThread,PreMode);
}
}
return Status;
if (ProcessId)
{
Status = PsLookupProcessByProcessId((HANDLE)ProcessId, &Process);
if (!NT_SUCCESS(Status))
{
return Status;
}
}
if (IsRealProcess(Process)) //判断是否为僵尸进程,我只是判断了对象类型和句柄表是否存在
{
ObfDereferenceObject(Process);
Status = ObOpenObjectByPointer(Process,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
NULL,
GENERIC_ALL,
*PsProcessType,
KernelMode,
&hProcess
);
if (NT_SUCCESS(Status))
{
ULONG_PTR ulBase = 0;
//改变PreviousMode
PETHREAD EThread = PsGetCurrentThread();
CHAR PreMode = ChangePreMode(EThread); //KernelMode
do
{
MEMORY_BASIC_INFORMATION mbi = {0};
Status = NtQueryVirtualMemoryAddress(hProcess,
(PVOID)ulBase,
MemoryBasicInformation,
&mbi,
sizeof(MEMORY_BASIC_INFORMATION),
&ulRet);
if (NT_SUCCESS(Status))
{
//如果是Image 再查询SectionName,即FileObject Name
if (mbi.Type==MEM_IMAGE)
{
MEMORY_SECTION_NAME msn = {0};
Status = NtQueryVirtualMemoryAddress(hProcess,
(PVOID)ulBase,
MemorySectionName,
&msn,
sizeof(MEMORY_SECTION_NAME),
&ulRet);
if (NT_SUCCESS(Status))
{
DbgPrint("SectionName:%wZ\r\n",&(msn.Name));
NtPathToDosPathW(msn.Name.Buffer,DosPath);
DbgPrint("DosName:%S\r\n",DosPath);
}
}
ulBase += mbi.RegionSize;
}
else ulBase += PAGE_SIZE;
} while (ulBase < (ULONG_PTR)HighUserAddress);
NtClose(hProcess);
RecoverPreMode(EThread,PreMode);
}
}
return Status;
}
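Review bot: The reference taken by PsLookupProcessByProcessId is released with `ObfDereferenceObject(Process)` before `Process` is handed to ObOpenObjectByPointer, so the open runs on an object that nothing holds alive any more; the dereference belongs right after the open call, on both its success and failure paths. The same prologue leaks that reference when IsRealProcess() returns FALSE, and with ProcessId == 0 it reaches IsRealProcess(NULL) and then returns `Status` uninitialised, so initialising `Status` and rejecting a zero ProcessId up front closes both. Separately, the final `return Status` reports whatever the last NtQueryVirtualMemory call returned, so a walk that reaches HighUserAddress ends with that query's failure code rather than success; `Status = STATUS_SUCCESS;` after the loop (or a separate result variable) would fix that. `GENERIC_ALL` is also broader than a MemoryBasicInformation/MemorySectionName walk needs; PROCESS_QUERY_INFORMATION is sufficient and keeps the kernel handle least-privilege. IsRealProcess, ChangePreMode and RecoverPreMode are defined outside this hunk, so this is inferred from the call sites; NtQueryVirtualMemoryAddress is likewise never checked for NULL before the first call, and DriverEntry does not validate the GetFuncAddress result either, so a guard at one of the two places is worth adding.
```c
NTSTATUS EnumMoudleByNtQueryVirtualMemory(ULONG ProcessId)
{
    NTSTATUS Status = STATUS_INVALID_PARAMETER;
    PEPROCESS Process = NULL;
    HANDLE hProcess = NULL;
    // … unchanged: ulRet, DosPath …

    if (ProcessId == 0 || NtQueryVirtualMemoryAddress == NULL)
    {
        return Status;
    }
    Status = PsLookupProcessByProcessId((HANDLE)ProcessId, &Process);
    if (!NT_SUCCESS(Status))
    {
        return Status;
    }
    if (!IsRealProcess(Process))
    {
        // Drop the lookup reference on the early-out path too.
        ObfDereferenceObject(Process);
        return STATUS_UNSUCCESSFUL;
    }
    Status = ObOpenObjectByPointer(Process,
                                   OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
                                   NULL,
                                   GENERIC_ALL,
                                   *PsProcessType,
                                   KernelMode,
                                   &hProcess);
    // The open has taken its own reference (or failed); only now is it safe
    // to release the one PsLookupProcessByProcessId gave us.
    ObfDereferenceObject(Process);
    if (!NT_SUCCESS(Status))
    {
        return Status;
    }
    // … unchanged: PreviousMode switch, NtQueryVirtualMemory walk, NtClose, RecoverPreMode …
    Status = STATUS_SUCCESS;   // a completed walk is a success regardless of the last query's code
    return Status;
```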


@ -14,34 +14,34 @@ VOID DriverUnload(IN PDRIVER_OBJECT pDriverObj);
typedef enum _MEMORY_INFORMATION_CLASS
{
MemoryBasicInformation, //内存基本信息
MemoryWorkingSetList,
MemorySectionName //内存映射文件名信息
MemoryBasicInformation, //内存基本信息
MemoryWorkingSetList,
MemorySectionName //内存映射文件名信息
}MEMORY_INFORMATION_CLASS;
typedef NTSTATUS
(*pfnNtQueryVirtualMemory)(HANDLE ProcessHandle,PVOID BaseAddress,
MEMORY_INFORMATION_CLASS MemoryInformationClass,
PVOID MemoryInformation,
SIZE_T MemoryInformationLength,
PSIZE_T ReturnLength);
(*pfnNtQueryVirtualMemory)(HANDLE ProcessHandle,PVOID BaseAddress,
MEMORY_INFORMATION_CLASS MemoryInformationClass,
PVOID MemoryInformation,
SIZE_T MemoryInformationLength,
PSIZE_T ReturnLength);
//MemoryBasicInformation
typedef struct _MEMORY_BASIC_INFORMATION {
PVOID BaseAddress; //查询内存块所占的第一个页面基地址
PVOID AllocationBase; //内存块所占的第一块区域基地址小于等于BaseAddress
DWORD AllocationProtect; //区域被初次保留时赋予的保护属性
SIZE_T RegionSize; //从BaseAddress开始具有相同属性的页面的大小
DWORD State; //页面的状态有三种可能值MEM_COMMIT、MEM_FREE和MEM_RESERVE
DWORD Protect; //页面的属性其可能的取值与AllocationProtect相同
DWORD Type; //该内存块的类型有三种可能值MEM_IMAGE、MEM_MAPPED和MEM_PRIVATE
PVOID BaseAddress; //查询内存块所占的第一个页面基地址
PVOID AllocationBase; //内存块所占的第一块区域基地址小于等于BaseAddress
DWORD AllocationProtect; //区域被初次保留时赋予的保护属性
SIZE_T RegionSize; //从BaseAddress开始具有相同属性的页面的大小
DWORD State; //页面的状态有三种可能值MEM_COMMIT、MEM_FREE和MEM_RESERVE
DWORD Protect; //页面的属性其可能的取值与AllocationProtect相同
DWORD Type; //该内存块的类型有三种可能值MEM_IMAGE、MEM_MAPPED和MEM_PRIVATE
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
NTSTATUS EnumMoudleByNtQueryVirtualMemory(ULONG ProcessId);
//MemorySectionName
typedef struct _MEMORY_SECTION_NAME {
UNICODE_STRING Name;
WCHAR Buffer[260];
UNICODE_STRING Name;
WCHAR Buffer[260];
}MEMORY_SECTION_NAME,*PMEMORY_SECTION_NAME;


@ -55,11 +55,11 @@
<ItemGroup>
<ClCompile Include=".\ZwQueryVirtualMemory.c" />
<ClCompile Include=".\ZwQueryVirtualMemory.h" />
<ClCompile Include="CommonR0.c" />
<ClCompile Include="Common.c" />
<ClCompile Include="GetSSDTFuncAddress.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="CommonR0.h" />
<ClInclude Include="Common.h" />
<ClInclude Include="GetSSDTFuncAddress.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />


@ -0,0 +1,12 @@
TARGETNAME=ZwQueryVirtualMemory
#TARGETPATH=$(BASEDIR)\lib
TARGETPATH=obj
TARGETTYPE=DRIVER
INCLUDES=.\
SOURCES= \
ZwQueryVirtualMemory.c \
GetSSDTFuncAddress.c \
Common.c