以PspExitThread为例介绍如何寻找未导出函数的函数地址

ntoskrnl.exe导出了很多内核例程供驱动开发人员方便的使用，它也隐藏了很多很强大的历程，防止驱动开发人员过于方便的用它们。比如PspExitThread，这个函数没什么特别的，但配合APC使用它就能杀死绝大多数的进程，包括一些杀毒软件在内。gussing.cnblogs.com

那么如何才能找到这些未导出的函数并使用它们呢？答案就是反汇编，借助强大的windbg，加上一点点汇编基础，操作系统在你面前就会变的很透明。还是以PspExitThread为例子，我们已经知道导出函数PsTerminateSystemThread会调用PspTerminateThreadByPointer()函数，PspTerminateThreadByPointer进而会调用PspExitThread，所谓的函数调用就是 call 指令加上一个函数地址，所以挖出PspExitThread的地址完全是有可能的。gussing.cnblogs.com

打开windbg的本地内核调试，把该加载的pdb都加载了，然后反汇编PsTerminateSystemThread：gussing.cnblogs.com

lkd> uf nt!PsTerminateSystemThread

nt!PsTerminateSystemThread:

805d2c36 8bff            mov     edi,edi

805d2c38 55              push    ebp

805d2c39 8bec            mov     ebp,esp

805d2c3b 64a124010000    mov     eax,dword ptr fs:[00000124h]

805d2c41 f6804802000010  test    byte ptr [eax+248h],10h

805d2c48 7507            jne     nt!PsTerminateSystemThread+0x1b (805d2c51)



nt!PsTerminateSystemThread+0x14:

805d2c4a b80d0000c0      mov     eax,0C000000Dh

805d2c4f eb09            jmp     nt!PsTerminateSystemThread+0x24 (805d2c5a)



nt!PsTerminateSystemThread+0x1b:

805d2c51 ff7508 push dword ptr [ebp+8]

805d2c54 50              push    eax

805d2c55 e828fcffff      call    nt!PspTerminateThreadByPointer (805d2882)



nt!PsTerminateSystemThread+0x24:

805d2c5a 5d              pop     ebp

805d2c5b c20400          ret     4

地址805d2c55处的call指令可以解析出PspTerminateThreadByPointer的地址。那么该call指令的地址又是如何得到的呢？看上面那行push dword ptr [ebp+8]，也就是“ff7508”，这是PspTerminateThreadByPointer函数调用的“特征码”，从PsTerminateSystemThread函数开始到PspTerminateThreadByPointer函数调用为止，该特征码都只出现一次，所以搜索到ff7508串就能很方便的定位到PspTerminateThreadByPointer。gussing.cnblogs.com

再看PspTerminateThreadByPointer函数（805d2882）的反汇编：gussing.cnblogs.com

lkd> uf 805d2882

nt!PspTerminateThreadByPointer:

805d2882 8bff            mov     edi,edi

805d2884 55              push    ebp

805d2885 8bec            mov     ebp,esp

805d2887 83ec0c          sub     esp,0Ch

805d288a 834df8ff        or      dword ptr [ebp-8],0FFFFFFFFh

805d288e 56              push    esi

805d288f 57              push    edi

805d2890 8b7d08          mov     edi,dword ptr [ebp+8]

805d2893 8db748020000    lea     esi,[edi+248h]

805d2899 f60640          test    byte ptr [esi],40h

805d289c c745f4c0bdf0ff  mov     dword ptr [ebp-0Ch],0FFF0BDC0h

805d28a3 7417            je      nt!PspTerminateThreadByPointer+0x3a (805d28bc)



nt!PspTerminateThreadByPointer+0x23:

805d28a5 8b8720020000    mov     eax,dword ptr [edi+220h]

805d28ab 0574010000      add     eax,174h

805d28b0 50              push    eax

805d28b1 57              push    edi

805d28b2 6852285d80      push    offset nt!PspExitNormalApc+0x54 (805d2852)

805d28b7 e894f1ffff      call    nt!PspCatchCriticalBreak (805d1a50)



nt!PspTerminateThreadByPointer+0x3a:

805d28bc 64a124010000    mov     eax,dword ptr fs:[00000124h]

805d28c2 3bf8            cmp     edi,eax

805d28c4 750e            jne     nt!PspTerminateThreadByPointer+0x52 (805d28d4)



nt!PspTerminateThreadByPointer+0x44:

805d28c6 33c0            xor     eax,eax

805d28c8 40              inc     eax

805d28c9 f00906          lock or dword ptr [esi],eax

805d28cc ff750c push dword ptr [ebp+0Ch]

805d28cf e8bef7ffff      call    nt!PspExitThread (805d2092)

。。。

如之前所述，call PspExitThread之前有一串特征码ff750c，从PspTerminateThreadByPointer函数开始到PspExitThread函数调用间只出现一次，搜索到串ff750c就能很方便的找到PspExitThreadgussing.cnblogs.com

最后提供一个寻找PspExitThread的例子，部分代码来自网上，（忘了谁写的了，谁提醒下我马上改）：

 

NTSTATUS PspTerminateThreadByPointer(PETHREAD Thread, NTSTATUS status);

typedef VOID (*MyPspExitThread)(NTSTATUS status);





ULONG GetPspTerminateThreadByPointer()

{

        char * PsTerminateSystemThreadAddr;

        int iLen;

        ULONG dwAddr;

        ULONG NtTerminateThreadAddr;

        char * pAddr;

gussing.cnblogs.com

                        PsTerminateSystemThreadAddr= (char *)PsTerminateSystemThread;

                        __asm

                        {

                                        __emit 0x90;

                                        __emit 0x90;

                        }

                        for (iLen=0;iLen<50;iLen++)

                        {

                                        if (*PsTerminateSystemThreadAddr == (char)0xff

                                                && *(PsTerminateSystemThreadAddr+1) == (char)0x75

                                                && *(PsTerminateSystemThreadAddr+2) == (char)0x08

                                                )

                                        {

                                                        __asm

                                                        {

                                                                        __emit 0x90;

                                                                        __emit 0x90;

                                                        }

                                                        PsTerminateSystemThreadAddr += 5;

                                                        dwAddr = *(ULONG *)PsTerminateSystemThreadAddr + (ULONG)PsTerminateSystemThreadAddr +4;



                                                        DbgPrint("[ring0] PspTerminateThreadByPointer:: 0x%x ",dwAddr);

                                                        return dwAddr;

                                                        //break;

                                        }

                                        PsTerminateSystemThreadAddr++;

                        }

        return FALSE;

}



gussing.cnblogs.com

PVOID GetPspExitThread()



{

#ifdef XP_SP3

        char* sPtr;

        ULONG end = (ULONG)GetPspTerminateThreadByPointer() + 0x60;

        sPtr = (char*)GetPspTerminateThreadByPointer();

        while ( (ULONG)sPtr <  end) //0x60 = ±??úé? PspTerminateThreadByPointer ·ê??3ì?è

        {

                //DbgPrint("[ring0] addr: 0x%x, val: 0x%x", sPtr, *(WORD*)sPtr);

                if ( *(WORD*)sPtr == 3189 )

                {gussing.cnblogs.com

                        return (PVOID)(*(ULONG*)(sPtr + 3) + sPtr + 7);        

                }

                sPtr ++;

        }gussing.cnblogs.com

        return NULL;

#else

        return NULL;

#endif



}