2008年8月27日星期三

Find PspTerminateProcess

#include <windows.h>

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <vector>


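/// A near relative call (opcode E8 rel32) found by scanning a user-mode
/// mapping of ntoskrnl.exe. Both fields are rebased to the running kernel's
/// address space so they can be compared with SSDT / export addresses.
struct CallSite
{
    uintptr_t site;    // kernel VA of the E8 byte
    uintptr_t target;  // site + 5 + sign-extended rel32
};

/// Bytes scanned after a function entry for E8 opcodes. The original post
/// used 0x100 for both scans; a larger window only makes the heuristic more
/// likely to latch onto an unrelated call.
static const size_t kScanWindow = 0x100;

/// Collects every E8 byte in [mapped, mapped + length) as a CallSite.
///
/// mapped : pointer into the LoadLibrary'd image of ntoskrnl.exe
/// length : bytes to scan (an E8 in the last 4 bytes reads its rel32 from
///          the 4 bytes after the window, so the caller must keep the window
///          well inside the mapped image — true for the .text windows used
///          here, not checked against SizeOfImage)
/// delta  : KernelBase - hNtoskrnl; added to a user-mode pointer it yields
///          the kernel VA (unsigned wrap-around is intended)
///
/// This is a byte-pattern heuristic, not a disassembler: 0xE8 also occurs
/// inside immediates, displacements and data, so any site may be a false
/// positive. Callers must sanity-check the targets they act on.
static std::vector<CallSite> CollectCalls(const unsigned char* mapped, size_t length, uintptr_t delta)
{
    std::vector<CallSite> calls;
    for (size_t i = 0; i < length; ++i)
    {
        if (mapped[i] != 0xE8)
            continue;
        // rel32 is signed and unaligned: memcpy instead of *(ULONG*)(p + 1),
        // and sign-extend so the math stays right if uintptr_t is 64-bit.
        int32_t rel = 0;
        memcpy(&rel, mapped + i + 1, sizeof(rel));
        CallSite cs;
        cs.site = (uintptr_t)(mapped + i) + delta;
        cs.target = cs.site + 5 + (uintptr_t)(intptr_t)rel;
        calls.push_back(cs);
    }
    return calls;
}

/// Locates the non-exported PspTerminateProcess by following two call chains
/// that start at the SSDT entry for NtTerminateJobObject:
///   1. in NtTerminateJobObject, the call immediately after the call to the
///      exported ExAcquireResourceExclusiveLite is PspTerminateAllProcessesInJob;
///   2. in PspTerminateAllProcessesInJob, the second call is PspTerminateProcess.
/// The bytes are read from a user-mode LoadLibrary() mapping of ntoskrnl.exe
/// and rebased to the kernel's load address.
///
/// Usage: prog [KernelBase [NtTerminateJobObject]]   (hex, "0x" optional)
/// Without arguments both addresses default to the values hard-coded in the
/// original post (one specific 32-bit XP build). On any other build they are
/// wrong and must be supplied — normally from an SSDT / loaded-module walk,
/// as the original comment notes. Arguments are parsed with strtoul, i.e.
/// 32-bit on LLP64 Windows, which matches the 32-bit kernels this heuristic
/// was written for.
///
/// Returns 0 when PspTerminateProcess was found, 1 otherwise. The call-chain
/// shape is build-specific: if either scan finds nothing, the chain has
/// changed and the offsets must be re-derived rather than guessed. A found
/// address is only checked to lie above KernelBase; a stricter check would
/// compare against SizeOfImage from the PE optional header.
int main(int argc, char** argv)
{
    uintptr_t kernelBase = 0x804d5000;
    uintptr_t terminateJobObject = 0x8062c91f;
    if (argc > 1)
        kernelBase = strtoul(argv[1], NULL, 16);
    if (argc > 2)
        terminateJobObject = strtoul(argv[2], NULL, 16);
    // Without this check the rebased pointer lands below the module base and
    // the scan reads unmapped memory.
    if (kernelBase == 0 || terminateJobObject < kernelBase)
    {
        fprintf(stderr, "NtTerminateJobObject (0x%08lX) must lie above KernelBase (0x%08lX)\n",
                (unsigned long)terminateJobObject, (unsigned long)kernelBase);
        return 1;
    }

    // NOTE(review): only the image bytes are needed here; LoadLibraryEx with
    // DONT_RESOLVE_DLL_REFERENCES would presumably give the same layout without
    // import resolution or an entry-point call — kept as in the original,
    // verify before changing.
    HMODULE hNtoskrnl = ::LoadLibrary("ntoskrnl.exe");
    if (hNtoskrnl == NULL)
    {
        fprintf(stderr, "LoadLibrary(ntoskrnl.exe) failed: %lu\n", (unsigned long)::GetLastError());
        return 1;
    }
    int rc = 1;

    // user-mode pointer + delta == kernel VA
    const uintptr_t delta = kernelBase - (uintptr_t)hNtoskrnl;

    // The anchor for step 1. The original did not check for NULL; a missing
    // export would have silently produced an address that never matches.
    const uintptr_t exAcquire = (uintptr_t)::GetProcAddress(hNtoskrnl, "ExAcquireResourceExclusiveLite");
    if (exAcquire == 0)
    {
        fprintf(stderr, "GetProcAddress(ExAcquireResourceExclusiveLite) failed: %lu\n",
                (unsigned long)::GetLastError());
        ::FreeLibrary(hNtoskrnl);
        return 1;
    }
    const uintptr_t exAcquireVa = exAcquire + delta;

    // Step 1: print every E8 in the window (as the original did) and take the
    // call that follows the call to ExAcquireResourceExclusiveLite.
    uintptr_t pspTerminateAllProcessesInJob = 0;
    {
        const std::vector<CallSite> calls =
            CollectCalls((const unsigned char*)(terminateJobObject - delta), kScanWindow, delta);
        bool anchorSeen = false;
        for (size_t i = 0; i < calls.size(); ++i)
        {
            printf("Find 0xE8 at 0x%08lX , JMP to 0x%08lX\n",
                   (unsigned long)calls[i].site, (unsigned long)calls[i].target);
            if (anchorSeen)
            {
                pspTerminateAllProcessesInJob = calls[i].target;
                break;
            }
            anchorSeen = (calls[i].target == exAcquireVa);
        }
    }

    // Step 2: inside PspTerminateAllProcessesInJob the second call is the one
    // we want. A target below KernelBase is a false positive from the E8 scan.
    uintptr_t pspTerminateProcess = 0;
    if (pspTerminateAllProcessesInJob < kernelBase)
    {
        fprintf(stderr, "PspTerminateAllProcessesInJob not found (call chain differs on this build?)\n");
    }
    else
    {
        printf("Find PspTerminateAllProcessesInJob = 0x%08lX\n", (unsigned long)pspTerminateAllProcessesInJob);
        const std::vector<CallSite> calls =
            CollectCalls((const unsigned char*)(pspTerminateAllProcessesInJob - delta), kScanWindow, delta);
        if (calls.size() >= 2)
            pspTerminateProcess = calls[1].target;
        if (pspTerminateProcess >= kernelBase)
        {
            printf("Find PspTerminateProcess =0x%08lX\n", (unsigned long)pspTerminateProcess);
            rc = 0;
        }
        else
        {
            fprintf(stderr, "PspTerminateProcess not found (call chain differs on this build?)\n");
        }
    }

    ::FreeLibrary(hNtoskrnl);
    getchar();
    return rc;
}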
