Theqiqi_blog

遍历SSDT列表 def.h 参考之前的关于未导出结构体的文章 entry.c 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384#include "C:\D\test\CC++\cc++lib\driver\def.h"VOID TestEnumSSDT();VOID GetSSDT(PVOID* addr);NTSTATUS DriverUnload(PDRIVER_OBJECT pdriver){ DbgPrint("unload...\n"); return STATUS_SUCCESS;}static PDRIVER_OBJECT g_pdriver = NULL;NTSTATUS DriverEntry(PDRIVER_OBJECT pdrive ...

apc注入1.entry.c1234567891011121314151617181920//entry.c#include "Inject.h"BOOLEAN isdebug = TRUE;NTSTATUS DriverUnload(PDRIVER_OBJECT pdriver){ UnTestInjectAPC(); DebugMessage("unload...\n"); return STATUS_SUCCESS;}PDRIVER_OBJECT g_DriverObject = NULL;NTSTATUS DriverEntry(PDRIVER_OBJECT pdriver, PUNICODE_STRING path){ pdriver->DriverUnload = DriverUnload; DbgPrint("loading...\n"); g_DriverObject = pdriver; TestInjectAPC(); return STATUS_SUCCESS; ...

获取特定模块下的导出函数地址 NativeStructs.h NativeStructs.h需要在网上下载，或者复制前一篇文章的代码。 entry.c 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110#include <ntifs.h>#include <windef.h>#include "C:\D\test\CC++\cc++lib\driver\NativeStructs.h"#define Log(X) DbgPrint("qi:"X##)// 获取特定模块下的导出函数地址PVOID GetModuleExportAdd ...

未导出的结构体与函数1.PEStructs.h123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195 ...

获取特定进程内特定模块的基址写法一遍历驱动模块需要用到一些未导出的函数与结构体定义 entry.c 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184#incl ...

内核中进程与句柄互转123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177#include <ntifs.h>#define Log(X) DbgPrint("qi:"X##) ...

根据进程名获得pid,例如exploer.exe12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419 ...

获取自身驱动的模块地址和大小长度123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166//https://blog.csdn.net/i735740559/article/details/121010037#include <ntifs.h>#include & ...

使用系统api ZwOpenProcess打开句柄123456789101112131415161718192021222324HANDLE PidToHandle(ULONG PID){ if (!PID)return NULL; HANDLE hProcessHandle; OBJECT_ATTRIBUTES obj; CLIENT_ID clientid; clientid.UniqueProcess = PID; clientid.UniqueThread = 0; // 属性初始化 InitializeObjectAttributes(&obj, 0, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 0, 0); NTSTATUS status = ZwOpenProcess(&hProcessHandle, PROCESS_ALL_ACCESS, &obj, &clientid); if (status == STATUS_SUCCESS) { DbgPrint("[*] 已 ...

驱动实现遍历系统进程 打印进程并打印进程名称123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354#include <ntddk.h>//https://bbs.kanxue.com/thread-263982.htm//[原创]驱动遍历系统进程 #define pid_offset 0x180#define list_offset 0x188#define name_offset 0x2e0NTSTATUS Get_Name();VOID DriverUnload(PDRIVER_OBJECT DriverObject){ UNREFERENCED_PARAMETER(DriverObject); DbgPrintEx(0, 0, "[%ws] Unload Successful \n", __FUNCTIONW__);}NTSTATUS DriverEntry(PDRI ...