http://bbs.pediy.com/thread-210481.htm
来看雪一年了,在这里面学到了很多知识,非常感谢各位前辈对知识的分享和不懈的研究,也非常感谢各位大神对我们这些小白的照顾,特别要感谢MaMy、hksoobe、luolinlove等大神的指导。我也一直非常希望能为看雪贡献一点什么,但是小白的理解估计大神也看不上,这次也是注册看雪一周年,冲着这个也来发表一点自己的理解吧,写的不好还望各位看官海涵
PS:我们不生产技术,只是技术的搬运工
进入正题:
SSSDT(Shadow SSDT)中的函数就是win32k.sys里面的函数,大多数都跟图形相关,比如NtUserGetDCEx或者NtUserCreateWindowEx等。所以要查看这些内核函数的地址,如果只在驱动中像访问SSDT那样直接访问,是会引发异常蓝屏的。
所以有前辈就想出办法,在驱动程序里面调用KeAttachProcess附加到csrss.exe,切换到这个系统进程的地址空间,从而在驱动中获取SSSDT中的函数地址,传送门:http://bbs.pediy.com/showthread.php?p=1245567#post1245567。
但是我自己可能没有领略到这个方法的精髓,不论怎么做还是蓝屏了,所以就想了另外一个办法,用一个控制台应用程序自己加载自己的驱动(当然是用虚拟机里面的测试模式),然后再在驱动里面打印SSSDT中的各个函数地址,关于怎么自己加载驱动请看http://www.mengwuji.net/forum.php?mod=viewthread&tid=2859&page=1#pid56859。
这样做了以后居然成功了,驱动程序成功打印出来了SSSDT中的函数地址而不蓝屏。驱动程序里面打印SSSDT函数地址的代码我会在最后给出。现在看一下一小部分打印出来的样子:
Shadow SSDT ID:4902, Address:FFFFF960000FBC30! Shadow SSDT ID:4903, Address:FFFFF960001A1AB0! Shadow SSDT ID:4904, Address:FFFFF9600019F5F4! Shadow SSDT ID:4905, Address:FFFFF960001A2418! Shadow SSDT ID:4906, Address:FFFFF960001A11C8! Shadow SSDT ID:4907, Address:FFFFF9600019FAB0! Shadow SSDT ID:4908, Address:FFFFF960001A9EE0! Shadow SSDT ID:4909, Address:FFFFF9600019B15C!
kd> u FFFFF960001A392C win32k!NtUserQueryDisplayConfig: fffff960`001a392c ?? ??? ^ Memory access error in 'u FFFFF960001A392C' kd> u FFFFF960000FBC30; win32k!NtUserSwitchDesktop: fffff960`000fbc30 ?? ??? ^ Memory access error in 'u FFFFF960000FBC30;' kd> u FFFFF960001A1AB0; win32k!NtUserTestForInteractiveUser: fffff960`001a1ab0 ?? ??? ^ Memory access error in 'u FFFFF960001A1AB0;' kd> u FFFFF9600019F5F4; win32k!NtUserTrackPopupMenuEx: fffff960`0019f5f4 ?? ??? ^ Memory access error in 'u FFFFF9600019F5F4;'
/* One descriptor entry of KeServiceDescriptorTable[Shadow] on x64 as the
 * author models it: service table base, optional counter table, entry count,
 * argument table. NOTE(review): the field types and order are the author's
 * reconstruction, not taken from a public header — confirm against the
 * target build before relying on NumberOfServices. */
typedef struct _SYSTEM_SERVICE_TABLE{
    PVOID ServiceTableBase;
    PVOID ServiceCounterTableBase;
    ULONGLONG NumberOfServices;
    PVOID ParamTableBase;
} SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE;

/* Cached pointer to the shadow descriptor table. Presumably filled in by
 * GetKeServiceDescriptorTableShadow64 below, but the assignment is in the
 * part of that function lost from this page — verify. */
PSYSTEM_SERVICE_TABLE g_KeServiceDescriptorTableShadow = NULL;

/* Appears to scan forward from the syscall entry point (MSR 0xC0000082,
 * IA32_LSTAR) for up to 0x500 bytes looking for a reference to the shadow
 * descriptor table.
 * NOTE(review): the page text is corrupted here — everything between the
 * loop condition (`i<…`) and `ServiceTableBase)` was lost in extraction, most
 * likely because the `<` was swallowed as HTML markup. The remainder of this
 * function body and the beginning of the first GetSSSDTFuncCurAddr64 variant
 * (the one using a local W32pServiceTable) are missing with it, so the
 * fragment below is NOT compilable as shown and its lost logic must not be
 * guessed at. */
ULONGLONG GetKeServiceDescriptorTableShadow64() {
    PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082);
    PUCHAR EndSearchAddress = StartSearchAddress + 0x500;
    PUCHAR i = NULL;
    UCHAR b1=0,b2=0,b3=0;
    ULONG templong=0;
    ULONGLONG addr=0;
    /* --- text lost from the page between the next two tokens --- */
    for(i=StartSearchAddress;iServiceTableBase);
    /* tail of the first GetSSSDTFuncCurAddr64 variant: same 4-byte,
     * shifted-offset decoding as the later version of the function */
    qwTemp = W32pServiceTable + 4 * (Index-0x1000);
    dwTemp = *(PLONG)qwTemp;
    dwTemp = dwTemp >> 4;
    qwTemp = W32pServiceTable + (LONG64)dwTemp;
    return qwTemp;
}

/* Prints the resolved address of every shadow-SSDT id 0x1000..0x1337 via
 * DbgPrintEx.
 * NOTE(review): `i` is ULONG64 but is formatted with %d — use %I64u (or a
 * cast) or the output is undefined; %p with a ULONGLONG only works because
 * both are 8 bytes on x64. The upper bound 0x1338 is hard-coded rather than
 * read from NumberOfServices, so it is correct for one build only. */
VOID PrintShadowSSDT() {
    ULONG64 i = 0;
    for (i=0x1000; i<0x1338; ++i) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, 2, "Shadow SSDT ID:%d, Address:%p!\n", i, GetSSSDTFuncCurAddr64(i));
    }
}
/* Name table for the win32k (shadow SSDT) services, indexed by
 * (service id - 0x1000); consumed by GetShadowSSDTFuncIDByName.
 * The order is a snapshot of one specific OS build: the kd output on this
 * page resolves ids 4902..4904 to NtUserSwitchDesktop,
 * NtUserTestForInteractiveUser and NtUserTrackPopupMenuEx, which matches
 * their position near the end of this list only if the table holds 824
 * names (0x1000..0x1337, the range PrintShadowSSDT walks).
 * NOTE(review): the array is declared with 830 slots; any slot past the
 * initializer is NULL, and nothing below checks for NULL before calling
 * RtlInitUnicodeString on an entry. The lookup loop elsewhere scans only the
 * first 401 slots, so names later in this table (e.g. NtUserSwitchDesktop)
 * can never be resolved. On any other build the ids are reordered and every
 * address derived from this table is wrong — the table must be regenerated
 * per build, never reused. */
PCWSTR g_SSSDTTableName[830] = { L"NtUserGetThreadState", L"NtUserPeekMessage", L"NtUserCallOneParam", L"NtUserGetKeyState", L"NtUserInvalidateRect", L"NtUserCallNoParam", L"NtUserGetMessage", L"NtUserMessageCall", L"NtGdiBitBlt", L"NtGdiGetCharSet", L"NtUserGetDC", L"NtGdiSelectBitmap", L"NtUserWaitMessage", L"NtUserTranslateMessage", L"NtUserGetProp", L"NtUserPostMessage", L"NtUserQueryWindow", L"NtUserTranslateAccelerator", L"NtGdiFlush", L"NtUserRedrawWindow", L"NtUserWindowFromPoint", L"NtUserCallMsgFilter", L"NtUserValidateTimerCallback", L"NtUserBeginPaint", L"NtUserSetTimer", L"NtUserEndPaint", L"NtUserSetCursor", L"NtUserKillTimer", L"NtUserBuildHwndList", L"NtUserSelectPalette", L"NtUserCallNextHookEx", L"NtUserHideCaret", L"NtGdiIntersectClipRect", L"NtUserCallHwndLock", L"NtUserGetProcessWindowStation", L"NtGdiDeleteObjectApp", L"NtUserSetWindowPos", L"NtUserShowCaret", L"NtUserEndDeferWindowPosEx", L"NtUserCallHwndParamLock", L"NtUserVkKeyScanEx", L"NtGdiSetDIBitsToDeviceInternal", L"NtUserCallTwoParam", L"NtGdiGetRandomRgn", L"NtUserCopyAcceleratorTable", L"NtUserNotifyWinEvent", L"NtGdiExtSelectClipRgn", L"NtUserIsClipboardFormatAvailable", L"NtUserSetScrollInfo", L"NtGdiStretchBlt", L"NtUserCreateCaret", L"NtGdiRectVisible", L"NtGdiCombineRgn", L"NtGdiGetDCObject", L"NtUserDispatchMessage", L"NtUserRegisterWindowMessage", L"NtGdiExtTextOutW", L"NtGdiSelectFont", L"NtGdiRestoreDC", L"NtGdiSaveDC", L"NtUserGetForegroundWindow", L"NtUserShowScrollBar", L"NtUserFindExistingCursorIcon", L"NtGdiGetDCDword", L"NtGdiGetRegionData", L"NtGdiLineTo", L"NtUserSystemParametersInfo", L"NtGdiGetAppClipBox", L"NtUserGetAsyncKeyState", L"NtUserGetCPD", L"NtUserRemoveProp", L"NtGdiDoPalette", L"NtGdiPolyPolyDraw", L"NtUserSetCapture", L"NtUserEnumDisplayMonitors", L"NtGdiCreateCompatibleBitmap", L"NtUserSetProp", L"NtGdiGetTextCharsetInfo", L"NtUserSBGetParms", L"NtUserGetIconInfo", L"NtUserExcludeUpdateRgn", L"NtUserSetFocus", L"NtGdiExtGetObjectW",
L"NtUserDeferWindowPos", L"NtUserGetUpdateRect", L"NtGdiCreateCompatibleDC", L"NtUserGetClipboardSequenceNumber", L"NtGdiCreatePen", L"NtUserShowWindow", L"NtUserGetKeyboardLayoutList", L"NtGdiPatBlt", L"NtUserMapVirtualKeyEx", L"NtUserSetWindowLong", L"NtGdiHfontCreate", L"NtUserMoveWindow", L"NtUserPostThreadMessage", L"NtUserDrawIconEx", L"NtUserGetSystemMenu", L"NtGdiDrawStream", L"NtUserInternalGetWindowText", L"NtUserGetWindowDC", L"NtGdiD3dDrawPrimitives2", L"NtGdiInvertRgn", L"NtGdiGetRgnBox", L"NtGdiGetAndSetDCDword", L"NtGdiMaskBlt", L"NtGdiGetWidthTable", L"NtUserScrollDC", L"NtUserGetObjectInformation", L"NtGdiCreateBitmap", L"NtUserFindWindowEx", L"NtGdiPolyPatBlt", L"NtUserUnhookWindowsHookEx", L"NtGdiGetNearestColor", L"NtGdiTransformPoints", L"NtGdiGetDCPoint", L"NtGdiCreateDIBBrush", L"NtGdiGetTextMetricsW", L"NtUserCreateWindowEx", L"NtUserSetParent", L"NtUserGetKeyboardState", L"NtUserToUnicodeEx", L"NtUserGetControlBrush", L"NtUserGetClassName", L"NtGdiAlphaBlend", L"NtGdiDdBlt", L"NtGdiOffsetRgn", L"NtUserDefSetText", L"NtGdiGetTextFaceW", L"NtGdiStretchDIBitsInternal", L"NtUserSendInput", L"NtUserGetThreadDesktop", L"NtGdiCreateRectRgn", L"NtGdiGetDIBitsInternal", L"NtUserGetUpdateRgn", L"NtGdiDeleteClientObj", L"NtUserGetIconSize", L"NtUserFillWindow", L"NtGdiExtCreateRegion", L"NtGdiComputeXformCoefficients", L"NtUserSetWindowsHookEx", L"NtUserNotifyProcessCreate", L"NtGdiUnrealizeObject", L"NtUserGetTitleBarInfo", L"NtGdiRectangle", L"NtUserSetThreadDesktop", L"NtUserGetDCEx", L"NtUserGetScrollBarInfo", L"NtGdiGetTextExtent", L"NtUserSetWindowFNID", L"NtGdiSetLayout", L"NtUserCalcMenuBar", L"NtUserThunkedMenuItemInfo", L"NtGdiExcludeClipRect", L"NtGdiCreateDIBSection", L"NtGdiGetDCforBitmap", L"NtUserDestroyCursor", L"NtUserDestroyWindow", L"NtUserCallHwndParam", L"NtGdiCreateDIBitmapInternal", L"NtUserOpenWindowStation", L"NtGdiDdDeleteSurfaceObject", L"NtGdiDdCanCreateSurface", L"NtGdiDdCreateSurface", L"NtUserSetCursorIconData",
L"NtGdiDdDestroySurface", L"NtUserCloseDesktop", L"NtUserOpenDesktop", L"NtUserSetProcessWindowStation", L"NtUserGetAtomName", L"NtGdiDdResetVisrgn", L"NtGdiExtCreatePen", L"NtGdiCreatePaletteInternal", L"NtGdiSetBrushOrg", L"NtUserBuildNameList", L"NtGdiSetPixel", L"NtUserRegisterClassExWOW", L"NtGdiCreatePatternBrushInternal", L"NtUserGetAncestor", L"NtGdiGetOutlineTextMetricsInternalW", L"NtGdiSetBitmapBits", L"NtUserCloseWindowStation", L"NtUserGetDoubleClickTime", L"NtUserEnableScrollBar", L"NtGdiCreateSolidBrush", L"NtUserGetClassInfoEx", L"NtGdiCreateClientObj", L"NtUserUnregisterClass", L"NtUserDeleteMenu", L"NtGdiRectInRegion", L"NtUserScrollWindowEx", L"NtGdiGetPixel", L"NtUserSetClassLong", L"NtUserGetMenuBarInfo", L"NtGdiDdCreateSurfaceEx", L"NtGdiDdCreateSurfaceObject", L"NtGdiGetNearestPaletteIndex", L"NtGdiDdLockD3D", L"NtGdiDdUnlockD3D", L"NtGdiGetCharWidthW", L"NtUserInvalidateRgn", L"NtUserGetClipboardOwner", L"NtUserSetWindowRgn", L"NtUserBitBltSysBmp", L"NtGdiGetCharWidthInfo", L"NtUserValidateRect", L"NtUserCloseClipboard", L"NtUserOpenClipboard", L"NtGdiGetStockObject", L"NtUserSetClipboardData", L"NtUserEnableMenuItem", L"NtUserAlterWindowStyle", L"NtGdiFillRgn", L"NtUserGetWindowPlacement", L"NtGdiModifyWorldTransform", L"NtGdiGetFontData", L"NtUserGetOpenClipboardWindow", L"NtUserSetThreadState", L"NtGdiOpenDCW", L"NtUserTrackMouseEvent", L"NtGdiGetTransform", L"NtUserDestroyMenu", L"NtGdiGetBitmapBits", L"NtUserConsoleControl", L"NtUserSetActiveWindow", L"NtUserSetInformationThread", L"NtUserSetWindowPlacement", L"NtUserGetControlColor", L"NtGdiSetMetaRgn", L"NtGdiSetMiterLimit", L"NtGdiSetVirtualResolution", L"NtGdiGetRasterizerCaps", L"NtUserSetWindowWord", L"NtUserGetClipboardFormatName", L"NtUserRealInternalGetMessage", L"NtUserCreateLocalMemHandle", L"NtUserAttachThreadInput", L"NtGdiCreateHalftonePalette", L"NtUserPaintMenuBar", L"NtUserSetKeyboardState", L"NtGdiCombineTransform", L"NtUserCreateAcceleratorTable",
L"NtUserGetCursorFrameInfo", L"NtUserGetAltTabInfo", L"NtUserGetCaretBlinkTime", L"NtGdiQueryFontAssocInfo", L"NtUserProcessConnect", L"NtUserEnumDisplayDevices", L"NtUserEmptyClipboard", L"NtUserGetClipboardData", L"NtUserRemoveMenu", L"NtGdiSetBoundsRect", L"NtGdiGetBitmapDimension", L"NtUserConvertMemHandle", L"NtUserDestroyAcceleratorTable", L"NtUserGetGUIThreadInfo", L"NtGdiCloseFigure", L"NtUserSetWindowsHookAW", L"NtUserSetMenuDefaultItem", L"NtUserCheckMenuItem", L"NtUserSetWinEventHook", L"NtUserUnhookWinEvent", L"NtUserLockWindowUpdate", L"NtUserSetSystemMenu", L"NtUserThunkedMenuInfo", L"NtGdiBeginPath", L"NtGdiEndPath", L"NtGdiFillPath", L"NtUserCallHwnd", L"NtUserDdeInitialize", L"NtUserModifyUserStartupInfoFlags", L"NtUserCountClipboardFormats", L"NtGdiAddFontMemResourceEx", L"NtGdiEqualRgn", L"NtGdiGetSystemPaletteUse", L"NtGdiRemoveFontMemResourceEx", L"NtUserEnumDisplaySettings", L"NtUserPaintDesktop", L"NtGdiExtEscape", L"NtGdiSetBitmapDimension", L"NtGdiSetFontEnumeration", L"NtUserChangeClipboardChain", L"NtUserSetClipboardViewer", L"NtUserShowWindowAsync", L"NtGdiCreateColorSpace", L"NtGdiDeleteColorSpace", L"NtUserActivateKeyboardLayout", L"NtGdiAbortDoc", L"NtGdiAbortPath", L"NtGdiAddEmbFontToDC", L"NtGdiAddFontResourceW", L"NtGdiAddRemoteFontToDC", L"NtGdiAddRemoteMMInstanceToDC", L"NtGdiAngleArc", L"NtGdiAnyLinkedFonts", L"NtGdiArcInternal", L"NtGdiBRUSHOBJ_DeleteRbrush", L"NtGdiBRUSHOBJ_hGetColorTransform", L"NtGdiBRUSHOBJ_pvAllocRbrush", L"NtGdiBRUSHOBJ_pvGetRbrush", L"NtGdiBRUSHOBJ_ulGetBrushColor", L"NtGdiBeginGdiRendering", L"NtGdiCLIPOBJ_bEnum", L"NtGdiCLIPOBJ_cEnumStart", L"NtGdiCLIPOBJ_ppoGetPath", L"NtGdiCancelDC", L"NtGdiChangeGhostFont", L"NtGdiCheckBitmapBits", L"NtGdiClearBitmapAttributes", L"NtGdiClearBrushAttributes", L"NtGdiColorCorrectPalette", L"NtGdiConfigureOPMProtectedOutput", L"NtGdiConvertMetafileRect", L"NtGdiCreateBitmapFromDxSurface", L"NtGdiCreateColorTransform", L"NtGdiCreateEllipticRgn",
L"NtGdiCreateHatchBrushInternal", L"NtGdiCreateMetafileDC", L"NtGdiCreateOPMProtectedOutputs", L"NtGdiCreateRoundRectRgn", L"NtGdiCreateServerMetaFile", L"NtGdiD3dContextCreate", L"NtGdiD3dContextDestroy", L"NtGdiD3dContextDestroyAll", L"NtGdiD3dValidateTextureStageState", L"NtGdiDDCCIGetCapabilitiesString", L"NtGdiDDCCIGetCapabilitiesStringLength", L"NtGdiDDCCIGetTimingReport", L"NtGdiDDCCIGetVCPFeature", L"NtGdiDDCCISaveCurrentSettings", L"NtGdiDDCCISetVCPFeature", L"NtGdiDdAddAttachedSurface", L"NtGdiDdAlphaBlt", L"NtGdiDdAttachSurface", L"NtGdiDdBeginMoCompFrame", L"NtGdiDdCanCreateD3DBuffer", L"NtGdiDdColorControl", L"NtGdiDdCreateD3DBuffer", L"NtGdiDdCreateDirectDrawObject", L"NtGdiDdCreateFullscreenSprite", L"NtGdiDdCreateMoComp", L"NtGdiDdDDIAcquireKeyedMutex", L"NtGdiDdDDICheckExclusiveOwnership", L"NtGdiDdDDICheckMonitorPowerState", L"NtGdiDdDDICheckOcclusion", L"NtGdiDdDDICheckSharedResourceAccess", L"NtGdiDdDDICheckVidPnExclusiveOwnership", L"NtGdiDdDDICloseAdapter", L"NtGdiDdDDIConfigureSharedResource", L"NtGdiDdDDICreateAllocation", L"NtGdiDdDDICreateContext", L"NtGdiDdDDICreateDCFromMemory", L"NtGdiDdDDICreateDevice", L"NtGdiDdDDICreateKeyedMutex", L"NtGdiDdDDICreateOverlay", L"NtGdiDdDDICreateSynchronizationObject", L"NtGdiDdDDIDestroyAllocation", L"NtGdiDdDDIDestroyContext", L"NtGdiDdDDIDestroyDCFromMemory", L"NtGdiDdDDIDestroyDevice", L"NtGdiDdDDIDestroyKeyedMutex", L"NtGdiDdDDIDestroyOverlay", L"NtGdiDdDDIDestroySynchronizationObject", L"NtGdiDdDDIEscape", L"NtGdiDdDDIFlipOverlay", L"NtGdiDdDDIGetContextSchedulingPriority", L"NtGdiDdDDIGetDeviceState", L"NtGdiDdDDIGetDisplayModeList", L"NtGdiDdDDIGetMultisampleMethodList", L"NtGdiDdDDIGetOverlayState", L"NtGdiDdDDIGetPresentHistory", L"NtGdiDdDDIGetPresentQueueEvent", L"NtGdiDdDDIGetProcessSchedulingPriorityClass", L"NtGdiDdDDIGetRuntimeData", L"NtGdiDdDDIGetScanLine", L"NtGdiDdDDIGetSharedPrimaryHandle", L"NtGdiDdDDIInvalidateActiveVidPn", L"NtGdiDdDDILock",
L"NtGdiDdDDIOpenAdapterFromDeviceName", L"NtGdiDdDDIOpenAdapterFromHdc", L"NtGdiDdDDIOpenKeyedMutex", L"NtGdiDdDDIOpenResource", L"NtGdiDdDDIOpenSynchronizationObject", L"NtGdiDdDDIPollDisplayChildren", L"NtGdiDdDDIPresent", L"NtGdiDdDDIQueryAdapterInfo", L"NtGdiDdDDIQueryAllocationResidency", L"NtGdiDdDDIQueryResourceInfo", L"NtGdiDdDDIQueryStatistics", L"NtGdiDdDDIReleaseKeyedMutex", L"NtGdiDdDDIReleaseProcessVidPnSourceOwners", L"NtGdiDdDDIRender", L"NtGdiDdDDISetAllocationPriority", L"NtGdiDdDDISetContextSchedulingPriority", L"NtGdiDdDDISetDisplayMode", L"NtGdiDdDDISetDisplayPrivateDriverFormat", L"NtGdiDdDDISetGammaRamp", L"NtGdiDdDDISetProcessSchedulingPriorityClass", L"NtGdiDdDDISetQueuedLimit", L"NtGdiDdDDISetVidPnSourceOwner", L"NtGdiDdDDISharedPrimaryLockNotification", L"NtGdiDdDDISharedPrimaryUnLockNotification", L"NtGdiDdDDISignalSynchronizationObject", L"NtGdiDdDDIUnlock", L"NtGdiDdDDIUpdateOverlay", L"NtGdiDdDDIWaitForIdle", L"NtGdiDdDDIWaitForSynchronizationObject", L"NtGdiDdDDIWaitForVerticalBlankEvent", L"NtGdiDdDeleteDirectDrawObject", L"NtGdiDdDestroyD3DBuffer", L"NtGdiDdDestroyFullscreenSprite", L"NtGdiDdDestroyMoComp", L"NtGdiDdEndMoCompFrame", L"NtGdiDdFlip", L"NtGdiDdFlipToGDISurface", L"NtGdiDdGetAvailDriverMemory", L"NtGdiDdGetBltStatus", L"NtGdiDdGetDC", L"NtGdiDdGetDriverInfo", L"NtGdiDdGetDriverState", L"NtGdiDdGetDxHandle", L"NtGdiDdGetFlipStatus", L"NtGdiDdGetInternalMoCompInfo", L"NtGdiDdGetMoCompBuffInfo", L"NtGdiDdGetMoCompFormats", L"NtGdiDdGetMoCompGuids", L"NtGdiDdGetScanLine", L"NtGdiDdLock", L"NtGdiDdNotifyFullscreenSpriteUpdate", L"NtGdiDdQueryDirectDrawObject", L"NtGdiDdQueryMoCompStatus", L"DxEngVisRgnUniq", L"NtGdiDdReenableDirectDrawObject", L"NtGdiDdReleaseDC", L"NtGdiDdRenderMoComp", L"NtGdiDdSetColorKey", L"NtGdiDdSetExclusiveMode", L"NtGdiDdSetGammaRamp", L"NtGdiDdSetOverlayPosition", L"NtGdiDdUnattachSurface", L"NtGdiDdUnlock", L"NtGdiDdUpdateOverlay", L"NtGdiDdWaitForVerticalBlank", L"NtGdiDeleteColorTransform",
L"NtGdiDescribePixelFormat", L"NtGdiDestroyOPMProtectedOutput", L"NtGdiDestroyPhysicalMonitor", L"NtGdiDoBanding", L"NtGdiDrawEscape", L"NtGdiDvpAcquireNotification", L"NtGdiDvpCanCreateVideoPort", L"NtGdiDvpColorControl", L"NtGdiDvpCreateVideoPort", L"NtGdiDvpDestroyVideoPort", L"NtGdiDvpFlipVideoPort", L"NtGdiDvpGetVideoPortBandwidth", L"NtGdiDvpGetVideoPortConnectInfo", L"NtGdiDvpGetVideoPortField", L"NtGdiDvpGetVideoPortFlipStatus", L"NtGdiDvpGetVideoPortInputFormats", L"NtGdiDvpGetVideoPortLine", L"NtGdiDvpGetVideoPortOutputFormats", L"NtGdiDvpGetVideoSignalStatus", L"NtGdiDvpReleaseNotification", L"NtGdiDvpUpdateVideoPort", L"NtGdiDvpWaitForVideoPortSync", L"NtGdiDxgGenericThunk", L"NtGdiEllipse", L"NtGdiEnableEudc", L"NtGdiEndDoc", L"NtGdiEndGdiRendering", L"NtGdiEndPage", L"NtGdiEngAlphaBlend", L"NtGdiEngAssociateSurface", L"NtGdiEngBitBlt", L"NtGdiEngCheckAbort", L"NtGdiEngComputeGlyphSet", L"NtGdiEngCopyBits", L"NtGdiEngCreateBitmap", L"NtGdiEngCreateClip", L"NtGdiEngCreateDeviceBitmap", L"NtGdiEngCreateDeviceSurface", L"NtGdiEngCreatePalette", L"NtGdiEngDeleteClip", L"NtGdiEngDeletePalette", L"NtGdiEngDeletePath", L"NtGdiEngDeleteSurface", L"NtGdiEngEraseSurface", L"NtGdiEngFillPath", L"NtGdiEngGradientFill", L"NtGdiEngLineTo", L"NtGdiEngLockSurface", L"NtGdiEngMarkBandingSurface", L"NtGdiEngPaint", L"NtGdiEngPlgBlt", L"NtGdiEngStretchBlt", L"NtGdiEngStretchBltROP", L"NtGdiEngStrokeAndFillPath", L"NtGdiEngStrokePath", L"NtGdiEngTextOut", L"NtGdiEngTransparentBlt", L"NtGdiEngUnlockSurface", L"NtGdiEnumFonts", L"NtGdiEnumObjects", L"NtGdiEudcLoadUnloadLink", L"NtGdiExtFloodFill", L"NtGdiFONTOBJ_cGetAllGlyphHandles", L"NtGdiFONTOBJ_cGetGlyphs", L"NtGdiFONTOBJ_pQueryGlyphAttrs", L"NtGdiFONTOBJ_pfdg", L"NtGdiFONTOBJ_pifi", L"NtGdiFONTOBJ_pvTrueTypeFontFile", L"NtGdiFONTOBJ_pxoGetXform", L"NtGdiFONTOBJ_vGetInfo", L"NtGdiFlattenPath", L"NtGdiFontIsLinked", L"NtGdiForceUFIMapping", L"NtGdiFrameRgn", L"NtGdiFullscreenControl", L"NtGdiGetBoundsRect",
L"NtGdiGetCOPPCompatibleOPMInformation", L"NtGdiGetCertificate", L"NtGdiGetCertificateSize", L"NtGdiGetCharABCWidthsW", L"NtGdiGetCharacterPlacementW", L"NtGdiGetColorAdjustment", L"NtGdiGetColorSpaceforBitmap", L"NtGdiGetDeviceCaps", L"NtGdiGetDeviceCapsAll", L"NtGdiGetDeviceGammaRamp", L"NtGdiGetDeviceWidth", L"NtGdiGetDhpdev", L"NtGdiGetETM", L"NtGdiGetEmbUFI", L"NtGdiGetEmbedFonts", L"NtGdiGetEudcTimeStampEx", L"NtGdiGetFontFileData", L"NtGdiGetFontFileInfo", L"NtGdiGetFontResourceInfoInternalW", L"NtGdiGetFontUnicodeRanges", L"NtGdiGetGlyphIndicesW", L"NtGdiGetGlyphIndicesWInternal", L"NtGdiGetGlyphOutline", L"NtGdiGetKerningPairs", L"NtGdiGetLinkedUFIs", L"NtGdiGetMiterLimit", L"NtGdiGetMonitorID", L"NtGdiGetNumberOfPhysicalMonitors", L"NtGdiGetOPMInformation", L"NtGdiGetOPMRandomNumber", L"NtGdiGetObjectBitmapHandle", L"NtGdiGetPath", L"NtGdiGetPerBandInfo", L"NtGdiGetPhysicalMonitorDescription", L"NtGdiGetPhysicalMonitors", L"NtGdiGetRealizationInfo", L"NtGdiGetServerMetaFileBits", L"DxgStubQueryDirectDrawObject", L"NtGdiGetStats", L"NtGdiGetStringBitmapW", L"NtGdiGetSuggestedOPMProtectedOutputArraySize", L"NtGdiGetTextExtentExW", L"NtGdiGetUFI", L"NtGdiGetUFIPathname", L"NtGdiGradientFill", L"NtGdiHLSurfGetInformation", L"NtGdiHLSurfSetInformation", L"NtGdiHT_Get8BPPFormatPalette", L"NtGdiHT_Get8BPPMaskPalette", L"NtGdiIcmBrushInfo", L"WatchdogDrvResetDevice", L"EngGetForm", L"NtGdiMakeFontDir", L"NtGdiMakeInfoDC", L"NtGdiMakeObjectUnXferable", L"NtGdiMakeObjectXferable", L"NtGdiMirrorWindowOrg", L"NtGdiMonoBitmap", L"NtGdiMoveTo", L"NtGdiOffsetClipRgn", L"NtGdiPATHOBJ_bEnum", L"NtGdiPATHOBJ_bEnumClipLines", L"NtGdiPATHOBJ_vEnumStart", L"NtGdiPATHOBJ_vEnumStartClipLines", L"NtGdiPATHOBJ_vGetBounds", L"NtGdiPathToRegion", L"NtGdiPlgBlt", L"NtGdiPolyDraw", L"NtGdiPolyTextOutW", L"NtGdiPtInRegion", L"NtGdiPtVisible", L"NtGdiQueryFonts", L"NtGdiRemoveFontResourceW", L"NtGdiRemoveMergeFont", L"NtGdiResetDC", L"NtGdiResizePalette", L"NtGdiRoundRect",
L"NtGdiSTROBJ_bEnum", L"NtGdiSTROBJ_bEnumPositionsOnly", L"NtGdiSTROBJ_bGetAdvanceWidths", L"NtGdiSTROBJ_dwGetCodePage", L"NtGdiSTROBJ_vEnumStart", L"NtGdiScaleViewportExtEx", L"NtGdiScaleWindowExtEx", L"NtGdiSelectBrush", L"NtGdiSelectClipPath", L"NtGdiSelectPen", L"NtGdiSetBitmapAttributes", L"NtGdiSetBrushAttributes", L"NtGdiSetColorAdjustment", L"NtGdiSetColorSpace", L"NtGdiSetDeviceGammaRamp", L"NtGdiSetFontXform", L"NtGdiSetIcmMode", L"NtGdiSetLinkedUFIs", L"NtGdiSetMagicColors", L"NtGdiSetOPMSigningKeyAndSequenceNumbers", L"NtGdiSetPUMPDOBJ", L"NtGdiSetPixelFormat", L"NtGdiSetRectRgn", L"NtGdiSetSizeDevice", L"NtGdiSetSystemPaletteUse", L"NtGdiSetTextJustification", L"NtGdiSfmGetNotificationTokens", L"NtGdiStartDoc", L"NtGdiStartPage", L"NtGdiStrokeAndFillPath", L"NtGdiStrokePath", L"NtGdiSwapBuffers", L"NtGdiTransparentBlt", L"NtGdiUMPDEngFreeUserMem", L"DxgStubQueryDirectDrawObject", L"WatchdogDrvResetDevice", L"NtGdiUpdateColors", L"NtGdiUpdateTransform", L"NtGdiWidenPath", L"NtGdiXFORMOBJ_bApplyXform", L"NtGdiXFORMOBJ_iGetXform", L"NtGdiXLATEOBJ_cGetPalette", L"NtGdiXLATEOBJ_hGetColorTransform", L"NtGdiXLATEOBJ_iXlate", L"NtUserAddClipboardFormatListener", L"NtUserAssociateInputContext", L"NtUserBlockInput", L"NtUserBuildHimcList", L"NtUserBuildPropList", L"NtUserCalculatePopupWindowPosition", L"NtUserCallHwndOpt", L"NtUserChangeDisplaySettings", L"NtUserChangeWindowMessageFilterEx", L"NtUserCheckAccessForIntegrityLevel", L"NtUserCheckDesktopByThreadId", L"NtUserCheckWindowThreadDesktop", L"NtUserChildWindowFromPointEx", L"NtUserClipCursor", L"NtUserCreateDesktopEx", L"NtUserCreateInputContext", L"NtUserCreateWindowStation", L"NtUserCtxDisplayIOCtl", L"NtUserDestroyInputContext", L"NtUserDisableThreadIme", L"NtUserDisplayConfigGetDeviceInfo", L"NtUserDisplayConfigSetDeviceInfo", L"NtUserDoSoundConnect", L"NtUserDoSoundDisconnect", L"NtUserDragDetect", L"NtUserDragObject", L"NtUserDrawAnimatedRects", L"NtUserDrawCaption", L"NtUserDrawCaptionTemp",
L"NtUserDrawMenuBarTemp", L"NtUserDwmStartRedirection", L"NtUserDwmStopRedirection", L"NtUserEndMenu", L"NtUserEndTouchOperation", L"NtUserEvent", L"NtUserFlashWindowEx", L"NtUserFrostCrashedWindow", L"NtUserGetAppImeLevel", L"NtUserGetCaretPos", L"NtUserGetClipCursor", L"NtUserGetClipboardViewer", L"NtUserGetComboBoxInfo", L"NtUserGetCursorInfo", L"NtUserGetDisplayConfigBufferSizes", L"NtUserGetGestureConfig", L"NtUserGetGestureExtArgs", L"NtUserGetGestureInfo", L"NtUserGetGuiResources", L"NtUserGetImeHotKey", L"NtUserGetImeInfoEx", L"NtUserGetInputLocaleInfo", L"NtUserGetInternalWindowPos", L"NtUserGetKeyNameText", L"NtUserGetKeyboardLayoutName", L"NtUserGetLayeredWindowAttributes", L"NtUserGetListBoxInfo", L"NtUserGetMenuIndex", L"NtUserGetMenuItemRect", L"NtUserGetMouseMovePointsEx", L"NtUserGetPriorityClipboardFormat", L"NtUserGetRawInputBuffer", L"NtUserGetRawInputData", L"NtUserGetRawInputDeviceInfo", L"NtUserGetRawInputDeviceList", L"NtUserGetRegisteredRawInputDevices", L"NtUserGetTopLevelWindow", L"NtUserGetTouchInputInfo", L"NtUserGetUpdatedClipboardFormats", L"NtUserGetWOWClass", L"NtUserGetWindowCompositionAttribute", L"NtUserGetWindowCompositionInfo", L"NtUserGetWindowDisplayAffinity", L"NtUserGetWindowMinimizeRect", L"NtUserGetWindowRgnEx", L"NtUserGhostWindowFromHungWindow", L"NtUserHardErrorControl", L"NtUserHiliteMenuItem", L"NtUserHungWindowFromGhostWindow", L"NtUserHwndQueryRedirectionInfo", L"NtUserHwndSetRedirectionInfo", L"NtUserImpersonateDdeClientWindow", L"NtUserInitTask", L"NtUserInitialize", L"NtUserInitializeClientPfnArrays", L"NtUserInjectGesture", L"NtUserInternalGetWindowIcon", L"NtUserIsTopLevelWindow", L"NtUserIsTouchWindow", L"NtUserLoadKeyboardLayoutEx", L"NtUserLockWindowStation", L"NtUserLockWorkStation", L"NtUserLogicalToPhysicalPoint", L"NtUserMNDragLeave", L"NtUserMNDragOver", L"NtUserMagControl", L"NtUserMagGetContextInformation", L"NtUserMagSetContextInformation", L"NtUserManageGestureHandlerWindow",
L"NtUserMenuItemFromPoint", L"NtUserMinMaximize", L"NtUserModifyWindowTouchCapability", L"NtUserNotifyIMEStatus", L"NtUserOpenInputDesktop", L"NtUserOpenThreadDesktop", L"NtUserPaintMonitor", L"NtUserPhysicalToLogicalPoint", L"NtUserPrintWindow", L"NtUserQueryDisplayConfig", L"NtUserQueryInformationThread", L"NtUserQueryInputContext", L"NtUserQuerySendMessage", L"NtUserRealChildWindowFromPoint", L"NtUserRealWaitMessageEx", L"NtUserRegisterErrorReportingDialog", L"NtUserRegisterHotKey", L"NtUserRegisterRawInputDevices", L"NtUserRegisterServicesProcess", L"NtUserRegisterSessionPort", L"NtUserRegisterTasklist", L"NtUserRegisterUserApiHook", L"NtUserRemoteConnect", L"NtUserRemoteRedrawRectangle", L"NtUserRemoteRedrawScreen", L"NtUserRemoteStopScreenUpdates", L"NtUserRemoveClipboardFormatListener", L"NtUserResolveDesktopForWOW", L"NtUserSendTouchInput", L"NtUserSetAppImeLevel", L"NtUserSetChildWindowNoActivate", L"NtUserSetClassWord", L"NtUserSetCursorContents", L"NtUserSetDisplayConfig", L"NtUserSetGestureConfig", L"NtUserSetImeHotKey", L"NtUserSetImeInfoEx", L"NtUserSetImeOwnerWindow", L"NtUserSetInternalWindowPos", L"NtUserSetLayeredWindowAttributes", L"NtUserSetMenu", L"NtUserSetMenuContextHelpId", L"NtUserSetMenuFlagRtoL", L"NtUserSetMirrorRendering", L"NtUserSetObjectInformation", L"NtUserSetProcessDPIAware", L"NtUserSetShellWindowEx", L"NtUserSetSysColors", L"NtUserSetSystemCursor", L"NtUserSetSystemTimer", L"NtUserSetThreadLayoutHandles", L"NtUserSetWindowCompositionAttribute", L"NtUserSetWindowDisplayAffinity", L"NtUserSetWindowRgnEx", L"NtUserSetWindowStationUser", L"NtUserSfmDestroyLogicalSurfaceBinding", L"NtUserSfmDxBindSwapChain", L"NtUserSfmDxGetSwapChainStats", L"NtUserSfmDxOpenSwapChain", L"NtUserSfmDxQuerySwapChainBindingStatus", L"NtUserSfmDxReleaseSwapChain", L"NtUserSfmDxReportPendingBindingsToDwm", L"NtUserSfmDxSetSwapChainBindingStatus", L"NtUserSfmDxSetSwapChainStats", L"NtUserSfmGetLogicalSurfaceBinding", L"NtUserShowSystemCursor",
L"NtUserSoundSentry", L"NtUserSwitchDesktop", L"NtUserTestForInteractiveUser", L"NtUserTrackPopupMenuEx", L"NtUserUnloadKeyboardLayout", L"NtUserUnlockWindowStation", L"NtUserUnregisterHotKey", L"NtUserUnregisterSessionPort", L"NtUserUnregisterUserApiHook", L"NtUserUpdateInputContext", L"NtUserUpdateInstance", L"NtUserUpdateLayeredWindow", L"NtUserUpdatePerUserSystemParameters", L"NtUserUpdateWindowTransform", L"NtUserUserHandleGrantAccess", L"NtUserValidateHandleSecure", L"NtUserWaitForInputIdle", L"NtUserWaitForMsgAndEvent", L"NtUserWindowFromPhysicalPoint" };
/* Author's reconstruction of the win32k NtUserCreateWindowEx service
 * signature (15 parameters).
 * NOTE(review): the parameter names and widths are inferred rather than taken
 * from a public header — `qwMaybeClassVer` says as much — and the kd
 * disassembly further down only shows the first few register arguments being
 * spilled to the stack, so the types past the fourth are unverified from
 * this page. A wrong width for any stack-passed argument silently corrupts
 * the call made through this signature. */
NTSTATUS NtUserCreateWindowEx(
    ULONG32 dwExStyle,
    ULONG64 qwMaybeClassVer,
    PLARGE_STRING pStrClassName,
    PLARGE_STRING pStrWindowName,
    ULONG32 dwStyle,
    ULONG32 x,
    ULONG32 y,
    ULONG32 nWidth,
    ULONG32 nHeight,
    ULONG64 parentHWND,
    ULONG64 hMenu,
    ULONG64 hInstance,
    ULONG64 pParam,
    ULONG32 dwFlags,
    ULONG64 pActivationContextInformation
);
kd> !process 0 0 省略 PROCESS fffffa801b0ce9e0 SessionId: 1 Cid: 017c Peb: 7fffffdf000 ParentCid: 0174 DirBase: 0eb60000 ObjectTable: fffff8a008922590 HandleCount: 263. Image: csrss.exe 省略 kd> .process fffffa801b0ce9e0 Implicit process is now fffffa80`1b0ce9e0 WARNING: .cache forcedecodeuser is not enabled kd> u NtUserCreateWindowEx fffff960`000b2b04 488bc4 mov rax,rsp fffff960`000b2b07 4c894820 mov qword ptr [rax+20h],r9 fffff960`000b2b0b 4c894018 mov qword ptr [rax+18h],r8 fffff960`000b2b0f 48895010 mov qword ptr [rax+10h],rdx
/* Author's model of the LARGE_STRING that NtUserCreateWindowEx receives for
 * the class and window names.
 * NOTE(review): this layout (USHORT Length; UCHAR MaxinumLength; UCHAR bAnsi;
 * PULONG64 Buffer) does not match the LARGE_STRING found in public headers
 * (ULONG Length; ULONG MaximumLength:31; ULONG bAnsi:1; PVOID Buffer). With
 * the layout below `bAnsi` most likely reads a byte of Length rather than the
 * ANSI flag — verify against the target build before trusting the branch
 * that depends on it. Length is never consulted by the code below, which
 * assumes Buffer is NUL-terminated instead. */
typedef struct _LARGE_STRING{
    USHORT Length;
    UCHAR MaxinumLength;
    UCHAR bAnsi;
    PULONG64 Buffer;
}LARGE_STRING, *PLARGE_STRING;

/* Maps a win32k service name to its shadow-SSDT id (0x1000 + index into
 * g_SSSDTTableName); returns -1 when the name is not found. The comparison
 * is case-sensitive (CaseInSensitive == FALSE).
 * NOTE(review): only the first 401 slots are scanned although the table
 * declares 830, so names later in the table can never be resolved — the
 * bound should come from the array size, and NULL slots should be skipped
 * before RtlInitUnicodeString sees them. Callers must check for -1;
 * GetSSSDTFuncCurAddr64 below does not. */
LONG GetShadowSSDTFuncIDByName(PCWSTR name) {
    UNICODE_STRING BaseFuncName;
    UNICODE_STRING DestFuncName;
    LONG i = 0;
    RtlInitUnicodeString(&DestFuncName, name);
    for (i = 0; i < 401; ++i) {
        RtlInitUnicodeString(&BaseFuncName, g_SSSDTTableName[i]);
        if (RtlEqualUnicodeString(&BaseFuncName, &DestFuncName, FALSE)) {
            return i+0x1000;
        }
    }
    return -1;
}

/* Resolves a shadow-SSDT id to the address of its service routine.
 * The win32k table is taken to be the SYSTEM_SERVICE_TABLE immediately after
 * the one g_KeServiceDescriptorTableShadow points at; its ServiceTableBase is
 * cached in g_SSSDTTableAddress (declared elsewhere, not in this listing) on
 * first use. Each 4-byte entry is a signed value that, shifted right by 4,
 * is the offset of the routine from the table base (the low bits dropped by
 * the shift reportedly carry the argument count on x64).
 * NOTE(review): nothing checks that g_KeServiceDescriptorTableShadow is
 * non-NULL or that Index lies in 0x1000..0x1000+NumberOfServices; the -1
 * returned by a failed name lookup makes `Index-0x1000` negative and the
 * read below lands in front of the table. */
ULONGLONG GetSSSDTFuncCurAddr64(LONG Index) {
    ULONGLONG qwTemp=0;
    LONG dwTemp=0;
    PSYSTEM_SERVICE_TABLE pWin32k;
    pWin32k = (PSYSTEM_SERVICE_TABLE)((ULONG64)g_KeServiceDescriptorTableShadow + sizeof(SYSTEM_SERVICE_TABLE));
    if (!g_SSSDTTableAddress) {
        g_SSSDTTableAddress=(ULONGLONG)(pWin32k->ServiceTableBase);
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, 2, "g_SSSDTTableAddress地址:%p\n", g_SSSDTTableAddress);
    }
    qwTemp = g_SSSDTTableAddress + 4 * (Index-0x1000);
    dwTemp = *(PLONG)qwTemp;
    dwTemp = dwTemp >> 4;
    qwTemp = g_SSSDTTableAddress + (LONG64)dwTemp;
    return qwTemp;
}

/* Function-pointer type mirroring the reconstructed NtUserCreateWindowEx
 * prototype; used to call the saved original entry. */
typedef NTSTATUS (__fastcall *pMyNtUserCreateWindowEx)(
    ULONG32 dwExStyle,
    ULONG64 qwMaybeClassVer,
    PLARGE_STRING pStrClassName,
    PLARGE_STRING pStrWindowName,
    ULONG32 dwStyle,
    ULONG32 x,
    ULONG32 y,
    ULONG32 nWidth,
    ULONG32 nHeight,
    ULONG64 parentHWND,
    ULONG64 hMenu,
    ULONG64 hInstance,
    ULONG64 pParam,
    ULONG32 dwFlags,
    ULONG64 pActivationContextInformation
);

// Address holding the saved head bytes of NtUserCreateWindowEx (the
// trampoline built by HookNtUserCreateWindowEx); NULL until the hook is set.
PVOID ori_func_NtUserCreateWindowEx = NULL;

// Proxy function for NtUserCreateWindowEx.
/* Receives every NtUserCreateWindowEx call once the hook is in place: logs
 * the window name (ANSI converted to UNICODE, or UNICODE as-is) and the
 * hInstance, then calls the trampoline with all 15 arguments and returns its
 * status.
 * NOTE(review): pStrWindowName and its Buffer are user-mode pointers supplied
 * by whichever process made the call; they are dereferenced with no
 * ProbeForRead and no __try/__except, so an unmapped or malformed pointer
 * from any caller bugchecks the machine. RtlInitAnsiString /
 * RtlInitUnicodeString also assume a NUL terminator that LARGE_STRING does
 * not promise (it carries Length).
 * NOTE(review): DbgPrintEx's %wZ expects a PUNICODE_STRING, but uWindowName
 * is passed by value in both branches — should be &uWindowName. The return
 * of RtlAnsiStringToUnicodeString (which allocates) is never checked before
 * the string is printed and freed. */
NTSTATUS Proxy_NtUserCreateWindowEx(
    ULONG32 dwExStyle,
    ULONG64 qwMaybeClassVer,
    PLARGE_STRING pStrClassName,
    PLARGE_STRING pStrWindowName,
    ULONG32 dwStyle,
    ULONG32 x,
    ULONG32 y,
    ULONG32 nWidth,
    ULONG32 nHeight,
    ULONG64 parentHWND,
    ULONG64 hMenu,
    ULONG64 hInstance,
    ULONG64 pParam,
    ULONG32 dwFlags,
    ULONG64 pActivationContextInformation
) {
    ANSI_STRING aString1;
    UNICODE_STRING uWindowName;
    if (pStrWindowName) {
        if (pStrWindowName->Buffer) {
            if (pStrWindowName->bAnsi) {
                RtlInitAnsiString(&aString1, (PCSZ)pStrWindowName->Buffer);
                RtlAnsiStringToUnicodeString(&uWindowName, &aString1, TRUE);
                DbgPrintEx(DPFLTR_IHVDRIVER_ID, 2, "创建的窗口名称:%wZ\n", uWindowName);
                RtlFreeUnicodeString(&uWindowName);
            } else {
                RtlInitUnicodeString(&uWindowName, (PCWSTR)pStrWindowName->Buffer);
                DbgPrintEx(DPFLTR_IHVDRIVER_ID, 2, "创建的窗口名称:%wZ\n", uWindowName);
            }
        }
    }
    if (hInstance) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, 2, "创建的窗口实例:%p\n", hInstance);
    }
    return ((pMyNtUserCreateWindowEx)ori_func_NtUserCreateWindowEx)(dwExStyle, qwMaybeClassVer, pStrClassName, pStrWindowName, dwStyle, x, y, nWidth, nHeight, parentHWND, hMenu, hInstance, pParam, dwFlags, pActivationContextInformation);
}

/* Installs an inline hook on NtUserCreateWindowEx in four steps (see the
 * step comments in the body). The 15-byte cut corresponds exactly to the
 * four `mov` instructions in the kd disassembly shown on this page
 * (3+4+4+4 bytes), so it lands on an instruction boundary for that build
 * only. kmalloc, WPOFF and WPON are project helpers not shown in this
 * listing; they are assumed to allocate non-paged memory and to clear /
 * restore the CR0 write-protect bit, returning the prior IRQL.
 * NOTE(review): the kmalloc result is not checked before memcpy writes
 * through it. There is no unhook path and the trampoline is never freed, so
 * the driver cannot be unloaded safely. Steps 3 and 4 are two separate
 * write windows that are not atomic with respect to other CPUs: a thread
 * already inside NtUserCreateWindowEx, or one entering it between the
 * writes, executes a half-patched prologue. On a build whose prologue is not
 * 15 bytes long the trampoline executes a torn instruction. The jump
 * templates are string literals, so each `UCHAR[]` is 15 bytes with a
 * trailing NUL of which 14 are copied. Step 1 wraps a plain read in
 * WPOFF/WPON, which buys nothing. For defenders, a prologue that no longer
 * matches the on-disk win32k image is the simplest detection of this
 * patch. */
VOID HookNtUserCreateWindowEx() {
    KIRQL irql;
    UCHAR jmp_code[]="\xFF\x25\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF";
    UCHAR fill_code15[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    UCHAR jmp_code_orifunc[]="\xFF\x25\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF";
    ULONG64 tmpv = 0;
    // NOTE(review): a failed lookup returns -1 here and is passed straight on.
    ULONG64 funcAddr = GetSSSDTFuncCurAddr64(GetShadowSSDTFuncIDByName(L"NtUserCreateWindowEx"));
    if (g_SSSDTTableAddress) {
        // step1: 15 bytes of NtUserCreateWindowEx have to be overwritten, so
        // allocate 15+14 bytes and save the function's first 15 bytes.
        ori_func_NtUserCreateWindowEx=kmalloc(15+14);
        DbgPrint("ori_func_NtUserCreateWindowEx地址为:%p\n", ori_func_NtUserCreateWindowEx);
        irql = WPOFF();
        memcpy(ori_func_NtUserCreateWindowEx, (PVOID)funcAddr, 15);
        WPON(irql);
        // step2: fill in the jump back to the original function (original+15).
        tmpv = funcAddr + 15;
        memcpy(jmp_code_orifunc+6,&tmpv,8);
        memcpy((PUCHAR)ori_func_NtUserCreateWindowEx+15,jmp_code_orifunc,14);
        // step3: fill the first 15 bytes of NtUserCreateWindowEx with nop.
        irql = WPOFF();
        memcpy((PVOID)funcAddr,fill_code15,15);
        WPON(irql);
        // step4: fill in the jump at NtUserCreateWindowEx to the proxy.
        tmpv = (ULONG64)Proxy_NtUserCreateWindowEx;
        memcpy(jmp_code+6,&tmpv,8);
        irql = WPOFF();
        memcpy((PVOID)funcAddr,jmp_code,14);
        WPON(irql);
        DbgPrint("HOOK NtUserCreateWindowEx成功\n");
    } else {
        DbgPrint("HOOK NtUserCreateWindowEx失败\n");
    }
}