Views: 1501  Replies: 6
How do you hook services in the shadow table? An example would be best. Thanks!!!!!!!!!!

驱动老牛
Reply #1
Posted on: 2005-03-13 20:43
Quoting: "How do you hook services in the shadow table? An example would be best. Thanks!!!!!!!!!!"
What's a shadow table?
Reply #2
Posted on: 2005-03-13 22:50
Quoting: "How do you hook services in the shadow table? An example would be best. Thanks!!!!!!!!!!"
Shadow table! Maybe I'm just too out of date, but I've never even heard the name :D :P
Reply #3
Posted on: 2005-03-14 05:37
不会吧
To the two posters above.... there are two copies of the service table. KeServiceTableDescriptorShadow, implemented by win32k.sys, "includes the win32 USER and GDI services implemented in the kernel mode part of the win32 subsystem...." (excerpt from Inside Windows 2000). I privately suspect this is what the OP means.
Reply #4
Posted on: 2005-03-14 08:19
Why don't I have any recollection of that...
Reply #5
Posted on: 2005-03-14 09:00
GetServiceDescriptorTableShadowAddress proc uses esi edi ebx
    local dwThreadId:DWORD

    xor ebx, ebx                  ; = NULL. Assume ServiceDescriptorTableShadow will not be found

    mov eax, KeServiceDescriptorTable
    mov esi, [eax]

    ; Find KTHREAD.ServiceTable field
    ; For non-GUI threads this field == KeServiceDescriptorTable
    ; and it points to ServiceDescriptorTable
    ; For GUI threads it points to ServiceDescriptorTableShadow

    ; Search KeServiceDescriptorTable offset in KTHREAD
    invoke KeGetCurrentThread
    mov edi, 200h-4
    .while edi
        .break .if dword ptr [eax][edi] == esi
        dec edi
    .endw

    .if edi != 0
        ; edi = offset to ServiceTable field in KTHREAD structure
        mov dwThreadId, 080h
        .while dwThreadId < 400h
            push eax              ; reserve DWORD on stack
            invoke PsLookupThreadByThreadId, dwThreadId, esp
            pop ecx               ; -> ETHREAD/KTHREAD
            .if eax == STATUS_SUCCESS
                push dword ptr [ecx][edi]
                fastcall ObfDereferenceObject, ecx
                pop eax
                .if eax != esi
                    mov edx, MmSystemRangeStart
                    mov edx, [edx]
                    mov edx, [edx]
                    .if eax > edx ; some stupid error checking
                        mov ebx, eax
                        invoke DbgPrint, $CTA0("FindShadowTable: Found in thread with ID: %X\n"), dwThreadId
                        .break
                    .endif
                .endif
            .endif
            add dwThreadId, 4
        .endw
    .endif

    mov eax, ebx
    ret
GetServiceDescriptorTableShadowAddress endp
Reply #6
Posted on: 2005-03-14 12:01
不会吧
If what the OP means is indeed this, then there are two: one for Ntoskrnl.exe and one for win32k.sys. The hooking method is basically the same, and the system tells them apart by AND-ing the service number with 0x0fff: the first one's service numbers are all below 0x0fff, the latter's are all greater.
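An added example in C, not code from this thread: a user-mode model of the two-table dispatch the replies describe (low 12 bits index the table, bit 12 selects ntoskrnl's KeServiceDescriptorTable or win32k's shadow table), plus the integrity check a defender runs against such tables, flagging any slot whose handler lies outside the module that owns it. The handler pointers and module ranges are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>

/* One service descriptor table plus the owning module's address range (constructed). */
typedef struct {
    const uintptr_t *base;    /* ServiceTableBase */
    unsigned         limit;   /* NumberOfServices */
    uintptr_t        mod_lo, mod_hi;
    const char      *name;
} service_table_t;

/* Low 12 bits index into the table; bit 12 selects table 0 (ntoskrnl,
 * KeServiceDescriptorTable) or table 1 (win32k.sys, the shadow table). */
#define SERVICE_INDEX(n)  ((n) & 0x0FFFu)
#define SERVICE_TABLE(n)  (((n) >> 12) & 0x3u)

/* Constructed sample data: addresses are illustrative, not real ones. */
static const uintptr_t g_ntos[]   = { 0x80480010, 0x80480200, 0x80481A40, 0x804A0F00 };
static const uintptr_t g_shadow[] = { 0xBF801000, 0xBF802340, 0xBF80C000, 0xF8A01000 };
static const service_table_t g_tables[] = {
    { g_ntos,   4, 0x80400000, 0x805C0000, "ntoskrnl.exe" },
    { g_shadow, 4, 0xBF800000, 0xBF9C0000, "win32k.sys"   },
};
#define NTABLES (sizeof g_tables / sizeof g_tables[0])

/* Dispatch model: service number -> handler pointer, 0 if out of range. */
uintptr_t resolve_service(uint32_t svc) {
    unsigned t = SERVICE_TABLE(svc), i = SERVICE_INDEX(svc);
    if (t >= NTABLES || i >= g_tables[t].limit) return 0;
    return g_tables[t].base[i];
}

/* Integrity check: a slot is suspect when it points outside the module that should
 * own it (a hook redirects it into another image). Returns the count, -1 on bad t. */
int count_hooked(unsigned t) {
    if (t >= NTABLES) return -1;
    int bad = 0;
    for (unsigned i = 0; i < g_tables[t].limit; i++) {
        uintptr_t p = g_tables[t].base[i];
        if (p < g_tables[t].mod_lo || p >= g_tables[t].mod_hi) {
            printf("%s slot %u -> %#lx is outside the module: possible hook\n",
                   g_tables[t].name, i, (unsigned long)p);
            bad++;
        }
    }
    return bad;
}

int main(void) { for (unsigned t = 0; t < NTABLES; t++) count_hooked(t); return 0; }
```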