Mirrors
/
Windows-Rootkits
mirror of https://github.com/ciyze0101/Windows-Rootkits
6
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add Comment 

Add Comment
This commit is contained in:
LycorisGuard 2018-08-14 13:58:20 +08:00
parent 895c86c51a
commit ee2cc8b2b0
7 changed files with 39 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
GetKernel32Addressx64/GetKernel32Addressx64.exe
View File

Binary file not shown.

BIN
GetKernel32Addressx64/GetKernel32Addressx64.suo
View File

Binary file not shown.

55
GetKernel32Addressx64/GetKernel32Addressx64/GetKernel32Addressx64.cpp
View File

@ -20,29 +20,40 @@ extern "C" PVOID64 _cdecl GetPeb();
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
}UNICODE_STRING, *PUNICODE_STRING;
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
PVOID64 Peb = GetPeb();
PVOID64 LDR_DATA_Addr = *(PVOID64**)((BYTE*)Peb+0x018);
UNICODE_STRING* FullName;
HMODULE hKernel32 = NULL;
LIST_ENTRY* pNode = NULL;
pNode =(LIST_ENTRY*)(*(PVOID64**)((BYTE*)LDR_DATA_Addr+0x30));
while(true)
{
FullName = (UNICODE_STRING*)((BYTE*)pNode+0x38);
if(*(FullName->Buffer+12)=='\0')
{
hKernel32 = (HMODULE)(*((ULONG64*)((BYTE*)pNode+0x10)));
break;
}
pNode = pNode->Flink;
}
printf("%S : %p",FullName->Buffer,hKernel32);
return 0;
PVOID64 Peb = NULL;
PVOID64 LDR_DATA_Addr = NULL;
UNICODE_STRING* FullName;
HMODULE hKernel32 = NULL;
LIST_ENTRY* pNode = NULL;
// For win7 x64 TEST
Peb = GetPeb();
if(Peb == NULL)
return 0;
LDR_DATA_Addr = *(PVOID64**)((BYTE*)Peb+0x018);
if(LDR_DATA_Addr == NULL)
return 0;
pNode =(LIST_ENTRY*)(*(PVOID64**)((BYTE*)LDR_DATA_Addr+0x30));
while(true)
{
FullName = (UNICODE_STRING*)((BYTE*)pNode+0x38);
if(*(FullName->Buffer + 12) == '\0')
{
hKernel32 = (HMODULE)(*((ULONG64*)((BYTE*)pNode+0x10)));
break;
}
pNode = pNode->Flink;
}
printf("%S : %p",FullName->Buffer,hKernel32);
return 0;
}

3
GetKernel32Addressx64/GetKernel32Addressx64/GetKernel32Addressx64.vcxproj.user
View File

@ -1,3 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
</Project>

1
GetKernel32Addressx64/GetKernel32Addressx64/ReadMe.txt
View File

@ -1 +0,0 @@

10
GetKernel32Addressx64/GetKernel32Addressx64/Resource.h
View File

@ -3,15 +3,15 @@
// Used by GetKernel32Addressx64.rc
//
#define IDS_APP_TITLE 103
#define IDS_APP_TITLE 103
// 新对象的下一组默认值
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 101
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1000
#define _APS_NEXT_SYMED_VALUE 101
#define _APS_NEXT_RESOURCE_VALUE 101
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1000
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif

1
GetKernel32Addressx64/ReadMe.txt
View File

@ -11,3 +11,4 @@ in x86
ntdll->kernel32
the offset in the PEB is different from x64 and x86
This demo is only Test on Win7 x64