【原创】获取指定index的 OBJECTTYPE
ULONG64 onlythisfile_SreachFunctionAddress(ULONG64 uAddress, UCHAR *Signature,ULONG addopcodelength, ULONG addopcodedatasize)
{
ULONG64
index = 0;
UCHAR *p = 0;
ULONG64
uRetAddress = 0;
ULONG32 temp64 = 0;
if (uAddress == 0){ return 0; }
p = (UCHAR*)uAddress;
for (index = 0; index<0x3000; index++)
{
if (*p == Signature &&
*(p + 1) == Signature &&
*(p + 2) == Signature &&
*(p + 3) == Signature &&
*(p + 4) == Signature)
{
uRetAddress = p+4;
temp64 = (ULONG32)(*(ULONG32*)(uRetAddress + addopcodelength));
;
uRetAddress = temp64 + uRetAddress + addopcodedatasize;
uRetAddress &= 0xfffffff0ffffffff;
return uRetAddress;
}
p++;
DbgPrint("++ %p ", p);
}
return 0;
}
externPVOID64__fastcallGetObjectByindex(ULONG64index,ULONG64ObTypeIndexTable);
voidinitgetobjectbbyindex(){
UCHARopcodethis[]={0x0f,0xb6,0x41,0xe8,0x48};
PVOIDdebugobject=0;
ObTypeIndexTable=(PVOID)onlythisfile_SreachFunctionAddress(FUCKGetFunctionAddr(L"ObGetObjectType"),opcodethis,3,7);
DbgPrint("ObTypeIndexTable%pxx:%p",ObTypeIndexTable,FUCKGetFunctionAddr(L"ObGetObjectType"));
debugobject=GetObjectByindex(0xb,ObTypeIndexTable);
DbgPrint("debugobject%p",debugobject);
}
.asm文件
.CODE
GetObjectByindexPROC
movrax,rcx
movrcx,rdx
movrax,
ret
GetObjectByindexENDP
END
页:
[1]