|
阅读:918回复:2
请大家来看一下,我想不通。
我已经可以正确得到ntoskrnl.exe module的基址了,
但是使用softice调试以下函数时,发现FunName和pOldFun完全对应不起来.也就是说,所有几百个函数名称和函数地址全部无法一一对应. 大家注意看有头像的地方: FARPROC HookFunction( PCHAR pModuleBase, PCHAR HookFunName, FARPROC HookFun ) { PIMAGE_DOS_HEADER pDosHdr; PIMAGE_NT_HEADERS pNtHdr; PIMAGE_SECTION_HEADER pSecHdr; PIMAGE_EXPORT_DIRECTORY pExtDir; UINT ui,uj; PCHAR FunName; DWORD *dwAddrName; DWORD *dwAddrFun; FARPROC pOldFun; ULONG uAttrib; pDosHdr = ( PIMAGE_DOS_HEADER )pModuleBase; if ( IMAGE_DOS_SIGNATURE == pDosHdr->e_magic ) { pNtHdr = ( PIMAGE_NT_HEADERS )( pModuleBase + pDosHdr->e_lfanew ); if( IMAGE_NT_SIGNATURE == pNtHdr->Signature || IMAGE_NT_SIGNATURE1 == pNtHdr->Signature ) { pSecHdr = ( PIMAGE_SECTION_HEADER )( pModuleBase + pDosHdr->e_lfanew + sizeof( IMAGE_NT_HEADERS ) ); for ( ui = 0; ui < (UINT)pNtHdr->FileHeader.NumberOfSections; ui++ ) { if ( !strcmp( pSecHdr->Name, \".edata\" ) ) { pExtDir = ( PIMAGE_EXPORT_DIRECTORY )( pModuleBase + pSecHdr->VirtualAddress ); dwAddrName = ( PDWORD )(pModuleBase + pExtDir->AddressOfNames ); dwAddrFun = ( PDWORD )(pModuleBase + pExtDir->AddressOfFunctions ); for ( uj = 0; uj < (UINT)pExtDir->NumberOfFunctions; uj++ ) { FunName = pModuleBase + *dwAddrName; //if( !strcmp( FunName, HookFunName ) ) // :D :D :D为调试方便,上句话被我注释掉了 { DbgPrint(\" HOOK %s()\\n\",FunName); DisableWriteProtect( &uAttrib ); pOldFun = ( FARPROC )( pModuleBase + *dwAddrFun ); //*dwAddrFun = ( PCHAR )HookFun - pModuleBase; // :D :D :D为调试方便,上句话被我注释掉了 EnableWriteProtect( uAttrib ); // :D :D :D我在此下断点,使用softice察看FunName和pOldFun,发现pOldFun的真正函数名称永远不是FunName. //return pOldFun; // :D :D :D为调试方便,上句话被我注释掉了 } dwAddrName ++; dwAddrFun ++; } } pSecHdr++; } } } return NULL; } 请大家出主意,谢谢了! |
|
|
|
沙发#
发布于:2005-03-07 12:40
看不懂!
|
|
|
|
板凳#
发布于:2005-03-07 15:18
看不懂! 我就是那只猴子,得慢慢看 |
|
|
