【求助】想做inline hook检测，将ntkrnlpa.exe映射到内存中，但是发现重定位表的数据错了，和硬盘上的不一样，这是怎么回事啊？
是和STUD_PE工具查看的重定位表比较的。
首先，每一个重定位块头部的VirtualAddress和SizeOfBlock都是正确的，只是紧跟在块头后面的每一个WORD项数据错了。
摘要代码如下:
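/*
 * Walk the base-relocation table of a mapped PE image and dump the WORD
 * entries of the block whose page RVA is 0xDB000 (a debug filter kept from
 * the original excerpt). Despite its name the function only prints; it does
 * not apply any fixups yet.
 *
 * uBaseAddress     - base of the mapped image (unused for now, kept for the
 *                    call site in XInitApisOriginalCode)
 * lDeltaOfBase     - loaded base minus preferred base (unused for now)
 * BaseRelocAddress - address of the first IMAGE_BASE_RELOCATION block
 *
 * The walk ends at the zero-terminator block, or at a block whose
 * SizeOfBlock is smaller than the block header itself: such a block would
 * stop the pointer from advancing (infinite loop) and indicates a corrupt
 * or tampered table, which matters because the image comes from disk.
 */
void XRelocate(ULONG uBaseAddress, LONG lDeltaOfBase, ULONG BaseRelocAddress)
{
    PIMAGE_BASE_RELOCATION pBlock = (PIMAGE_BASE_RELOCATION)BaseRelocAddress;
    WORD *pEntries;
    int nCount;
    int i;

    (void)uBaseAddress;
    (void)lDeltaOfBase;

    while (pBlock->VirtualAddress != 0)
    {
        if (pBlock->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION))
        {
            dprintf("bad relocation block at [0x%08X], size = [0x%08X].", pBlock->VirtualAddress, pBlock->SizeOfBlock);
            break;
        }

        /* WORD entries follow the 8-byte header. The "- 1" drops the last
         * entry of every block on the assumption that it is the zero padding
         * used to 4-byte align the block; a block without padding therefore
         * loses one real entry. Filtering on the entry type instead
         * (entry >> 12 == IMAGE_REL_BASED_ABSOLUTE) would be more robust. */
        nCount = (pBlock->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD) - 1;
        dprintf("relocate address = [0x%08X], size = [0x%08X], number = [%d].", pBlock->VirtualAddress, pBlock->SizeOfBlock, nCount);

        if (pBlock->VirtualAddress == 0xDB000)
        {
            /* This is the bug behind the "entries differ from disk" symptom:
             * the original wrote  pBlock + sizeof(IMAGE_BASE_RELOCATION).
             * pBlock is a typed pointer, so that steps 8 elements of 8 bytes
             * (64 bytes) past the header, not 8 bytes. The header fields were
             * read through pBlock itself and looked fine, while the words
             * came from the wrong place. pBlock + 1 is the first entry. */
            pEntries = (WORD *)(pBlock + 1);
            for (i = 0; i < nCount; ++i)
            {
                dprintf("rva = [0x%04X].", pEntries[i]);
            }
        }

        pBlock = (PIMAGE_BASE_RELOCATION)((ULONG)pBlock + pBlock->SizeOfBlock);
    }
}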
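/*
 * Map the on-disk kernel image (name supplied by XGetSystemBase) as a
 * SEC_IMAGE view in the current process, validate its PE headers and hand
 * the base-relocation table to XRelocate, using the base the kernel is
 * really loaded at as the relocation target.
 *
 * Kernel-mode code (Zw*/Rtl* APIs). Handles are opened with
 * OBJ_KERNEL_HANDLE so they land in the kernel handle table rather than in
 * the handle table of whatever process happens to be current, where user
 * mode could reach them.
 *
 * On success the view is deliberately left mapped: it is the "clean" copy
 * the hook check is meant to compare against. NOTE(review): pBaseAddress is
 * a local and is not stored anywhere visible here, so something else must
 * locate the view later -- confirm. On any failure after the map succeeded
 * the view is unmapped again. The file and section handles are closed on
 * every path (a mapped view keeps its section alive independently of the
 * handle, per ZwMapViewOfSection/ZwClose semantics).
 *
 * NOTE(review): if the view does not land at the image's preferred base,
 * ZwMapViewOfSection returns the success-class warning
 * STATUS_IMAGE_NOT_AT_BASE; whether the memory manager has already applied
 * fixups to such a view is OS-version dependent. Confirm on the target OS
 * before treating the mapped bytes as unrelocated.
 */
void XInitApisOriginalCode(void)
{
    ANSI_STRING astrFullPathName;
    UNICODE_STRING ustrFullPathName = {0};
    IO_STATUS_BLOCK iosb;
    NTSTATUS ntStatus;
    HANDLE hFile = NULL;
    HANDLE hSection = NULL;
    PVOID pBaseAddress = NULL;
    SIZE_T size = 0;
    BOOLEAN bOk = FALSE;
    IMAGE_DOS_HEADER *pDosHeader;
    IMAGE_NT_HEADERS *pNtHeaders;
    IMAGE_OPTIONAL_HEADER *pOptionalHeader;
    IMAGE_BASE_RELOCATION *pBaseRelocation;
    ULONG relocRva;
    ULONG ntKernelBase;
    /* Fixed device path; assumes the system volume is HarddiskVolume1.
     * \SystemRoot\System32\ would be the portable spelling. */
    char szKernelName[MAXIMUM_FILENAME_LENGTH] = "\\Device\\HarddiskVolume1\\Windows\\System32\\";
    OBJECT_ATTRIBUTES oa = {sizeof oa, 0, &ustrFullPathName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE};

    /* XGetSystemBase appends the kernel's file name after the fixed prefix
     * and returns the base the kernel is actually loaded at. */
    ntKernelBase = XGetSystemBase(szKernelName + strlen(szKernelName), MAXIMUM_FILENAME_LENGTH - strlen(szKernelName));
    /* Never pass a buffer as the format string, even a trusted one. */
    dprintf("%s", szKernelName);

    RtlInitAnsiString(&astrFullPathName, szKernelName);
    ntStatus = RtlAnsiStringToUnicodeString(&ustrFullPathName, &astrFullPathName, TRUE);
    if (!NT_SUCCESS(ntStatus))
    {
        dprintf("Failed to RtlAnsiStringToUnicodeString. [0x%08X]\n", ntStatus);
        return;
    }

    ntStatus = ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
    if (!NT_SUCCESS(ntStatus))
    {
        dprintf("Failed to ZwOpenFile. [0x%08X]\n", ntStatus);
        goto cleanup;
    }

    /* The section is unnamed: reuse the attributes without the file name. */
    oa.ObjectName = NULL;
    ntStatus = ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &oa, 0, PAGE_EXECUTE, SEC_IMAGE, hFile);
    if (!NT_SUCCESS(ntStatus))
    {
        dprintf("Failed to ZwCreateSection. [0x%08X]\n", ntStatus);
        goto cleanup;
    }

    /* size == 0 asks for a view of the whole image; on return it holds the
     * actual view size, which bounds every header offset checked below.
     * CommitSize (1000) and ViewShare (1) are taken over from the original. */
    ntStatus = ZwMapViewOfSection(hSection, NtCurrentProcess(), &pBaseAddress, 0, 1000, 0, &size, (SECTION_INHERIT)1, MEM_TOP_DOWN, PAGE_READWRITE);
    if (!NT_SUCCESS(ntStatus))
    {
        dprintf("Failed to ZwMapViewOfSection. [0x%08X]\n", ntStatus);
        pBaseAddress = NULL;
        goto cleanup;
    }

    /* Validate the headers before trusting any offset read from them: the
     * file is read from disk and may be truncated or tampered with. */
    pDosHeader = (IMAGE_DOS_HEADER *)pBaseAddress;
    if (size < sizeof(IMAGE_DOS_HEADER) || pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        dprintf("Bad DOS header.\n");
        goto cleanup;
    }
    if (pDosHeader->e_lfanew < 0 || (SIZE_T)pDosHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS) > size)
    {
        dprintf("e_lfanew out of range. [0x%08X]\n", pDosHeader->e_lfanew);
        goto cleanup;
    }
    /* IMAGE_NT_HEADERS = Signature (4) + IMAGE_FILE_HEADER (20) + optional
     * header; the named struct replaces the original's hard-coded "+ 24". */
    pNtHeaders = (IMAGE_NT_HEADERS *)((BYTE *)pBaseAddress + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
    {
        dprintf("Bad NT signature.\n");
        goto cleanup;
    }
    pOptionalHeader = &pNtHeaders->OptionalHeader;

    relocRva = pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
    if (relocRva == 0 || (SIZE_T)relocRva + sizeof(IMAGE_BASE_RELOCATION) > size)
    {
        dprintf("No usable relocation directory. [0x%08X]\n", relocRva);
        goto cleanup;
    }
    pBaseRelocation = (IMAGE_BASE_RELOCATION *)((BYTE *)pBaseAddress + relocRva);
    dprintf("relocation address: [0x%08X], rva : [0x%08X]\n", pBaseRelocation, relocRva);

    /* Delta between where the kernel really runs and where this image says
     * it wants to be. The original hard-coded 0x400000 as the preferred
     * base; reading ImageBase from the header keeps the delta right for any
     * kernel build. */
    XRelocate((ULONG)pBaseAddress, (LONG)(ntKernelBase - pOptionalHeader->ImageBase), (ULONG)pBaseRelocation);
    bOk = TRUE;

cleanup:
    if (!bOk && pBaseAddress != NULL)
    {
        ZwUnmapViewOfSection(NtCurrentProcess(), pBaseAddress);
    }
    if (hSection != NULL)
    {
        ZwClose(hSection);
    }
    if (hFile != NULL)
    {
        ntStatus = ZwClose(hFile);
        if (!NT_SUCCESS(ntStatus))
        {
            dprintf("Failed to ZwClose. [0x%08X]\n", ntStatus);
        }
    }
    RtlFreeUnicodeString(&ustrFullPathName);
}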