//用windbg提取自己的系统的代码修改才能用哟,直接用我的代码可能会蓝屏的,即使同是XP系统 由于文件版本不同也可能有差异
#include <ntddk.h>
// Kernel addresses captured with WinDbg from the author's own 32-bit XP
// ntoskrnl (see the note above). They are build-specific: every value has
// to be re-extracted on the target machine, otherwise the indirect calls
// made through these variables in MyObOpenObjectByPointer land on
// unrelated kernel code. An int holds only a 32-bit address, so this
// layout is x86-only by construction.
int pfun=0;   // not referenced anywhere in this excerpt
int nt_ExRaiseDatatypeMisalignment=0x8060bb68;   // not used in this excerpt
int nt_MmUserProbeAddress=0x80559a54;   // not used in this excerpt
int nt_PsProcessType =0x8055b2d8;   // not used in this excerpt
int nt_SeCreateAccessState =0x805e8112;   // called from MyObOpenObjectByPointer
int nt_SeSinglePrivilegeCheck =0x805ef058;   // not used in this excerpt
int nt_ObOpenObjectByName=0x805b1ffa;   // not used in this excerpt
int nt_SeDeleteAccessState=0x805e7ed4;   // called from MyObOpenObjectByPointer
int nt_PsLookupProcessThreadByCid =0x805ca34e;   // not used in this excerpt
int nt_PsLookupProcessByProcessId =0x805ca40a;   // not used in this excerpt
// Overwritten by InitApi with the address of the local re-implementation,
// so callers that go through this slot never execute the kernel's own copy.
int nt_ObOpenObjectByPointer=0x805b23ca; //MyObOpenObjectByPointer
int nt_ObfDereferenceObject=0x80523b92;   // called from MyObOpenObjectByPointer
int nt_ObReferenceObjectByPointer=0x805238ec;   // called from MyObOpenObjectByPointer
// nt!ObpCreateHandle is not exported; there is no supported way to obtain
// this address, so it is the most build-fragile entry in the table.
int nt_ObpCreateHandle =0x805b3d4c;   // called from MyObOpenObjectByPointer
// Forward declaration; defined below as a naked inline-asm function.
void MyObOpenObjectByPointer(void);
void InitApi(void)
{
    /* Redirect the ObOpenObjectByPointer slot from the captured kernel
     * address to the driver-local re-implementation defined below. */
    void (*replacement)(void) = MyObOpenObjectByPointer;
    nt_ObOpenObjectByPointer = (int)replacement;
}
//-----------------------------------------------------------------------
// MyObOpenObjectByPointer
// A byte-for-byte re-creation of nt!ObOpenObjectByPointer as disassembled
// from the author's Windows XP build (805b23ca..805b24ab), carried as MSVC
// inline asm inside a naked function so the code runs from this driver's
// image instead of the kernel's own entry point. Because that entry point
// is never executed, any instrumentation placed on nt!ObOpenObjectByPointer
// by a verification or security product does not observe these opens;
// together with the hard-coded address of the unexported ObpCreateHandle,
// reviewers should treat this pattern as a finding in its own right.
// ABI:    x86 stdcall, seven dword arguments (see "ret 1Ch" below).
//         Stack slots, consistent with the documented prototype
//         ObOpenObjectByPointer(Object, HandleAttributes, PassedAccessState,
//         DesiredAccess, ObjectType, AccessMode, Handle):
//           [ebp+8]   Object             [ebp+0Ch] HandleAttributes
//           [ebp+10h] PassedAccessState  [ebp+14h] DesiredAccess
//           [ebp+18h] ObjectType         [ebp+1Ch] AccessMode
//           [ebp+20h] Handle (output)
// Out:    eax = NTSTATUS; *Handle = new handle on success, 0 on failure.
// Regs:   ebx = Object, edi = 0 (NULL / zero constant), esi = status.
// Locals: [ebp-4]   = pointer to the access state in use (caller's or local)
//         [ebp-20h] = second argument to SeCreateAccessState (aux data)
//         [ebp-94h] = local access state; the frame is 94h bytes
// Callees are reached through the nt_* globals above; MSVC inline asm
// presumably treats "call nt_X" as an indirect call through that variable.
// Every target, including nt!ObpCreateHandle, is a hard-coded address
// from one specific ntoskrnl build, so the whole body must be regenerated
// from the running kernel's symbols before it is loaded anywhere else.
// NOTE(review): [ebx-10h] is read as a field of the header preceding the
// object body (presumably the OBJECT_TYPE pointer) and +64h/+68h as fields
// inside it; confirm those offsets against the XP symbols.
//-----------------------------------------------------------------------
__declspec(naked) void MyObOpenObjectByPointer(void)
{
_asm {
// kd> u nt!ObOpenObjectByPointer l 60
// nt!ObOpenObjectByPointer:
// 805b23ca 8bff mov edi,edi
// 2-byte hot-patch NOP, kept so the copy matches the kernel image
mov edi,edi
// 805b23cc 55 push ebp
push ebp
// 805b23cd 8bec mov ebp,esp
mov ebp,esp
// 805b23cf 81ec94000000 sub esp,94h
// 94h bytes of locals: local access state at [ebp-94h], aux data at
// [ebp-20h], access-state pointer at [ebp-4]
sub esp,94h
// 805b23d5 53 push ebx
push ebx
// 805b23d6 8b5d08 mov ebx,dword ptr [ebp+8]
// ebx = Object for the rest of the function
mov ebx,dword ptr [ebp+8]
// 805b23d9 56 push esi
push esi
// 805b23da 57 push edi
push edi
// ObReferenceObjectByPointer(Object, 0, ObjectType, AccessMode),
// arguments pushed right to left
// 805b23db ff751c push dword ptr [ebp+1Ch]
push dword ptr [ebp+1Ch]
// 805b23de 33ff xor edi,edi
// edi stays 0 from here on
xor edi,edi
// 805b23e0 ff7518 push dword ptr [ebp+18h]
push dword ptr [ebp+18h]
// 805b23e3 897dfc mov dword ptr [ebp-4],edi
// no access state chosen yet
mov dword ptr [ebp-4],edi
// 805b23e6 57 push edi
push edi
// 805b23e7 53 push ebx
push ebx
// 805b23e8 e8ff14f7ff call nt!ObReferenceObjectByPointer (805238ec)
call nt_ObReferenceObjectByPointer
// 805b23ed 8bf0 mov esi,eax
// esi = status; a negative NTSTATUS (signed compare) means failure
mov esi,eax
// 805b23ef 3bf7 cmp esi,edi
cmp esi,edi
// 805b23f1 0f8c84000000 jl nt!ObOpenObjectByPointer+0xb1 (805b247b)
// reference failed: clear *Handle and return the status
jl L805b247b
// 805b23f7 8b4510 mov eax,dword ptr [ebp+10h]
// PassedAccessState != NULL -> use it, skip building a local one
mov eax,dword ptr [ebp+10h]
// 805b23fa 3bc7 cmp eax,edi
cmp eax,edi
// 805b23fc 7528 jne nt!ObOpenObjectByPointer+0x5c (805b2426)
jne L805b2426
// 805b23fe 8b43f0 mov eax,dword ptr [ebx-10h]
// field of the header preceding the object body (presumably its
// OBJECT_TYPE), +68h passed as the last argument of SeCreateAccessState
mov eax,dword ptr [ebx-10h]
// 805b2401 83c068 add eax,68h
add eax,68h
// 805b2404 50 push eax
push eax
// 805b2405 ff7514 push dword ptr [ebp+14h]
// DesiredAccess
push dword ptr [ebp+14h]
// 805b2408 8d45e0 lea eax,[ebp-20h]
lea eax,[ebp-20h]
// 805b240b 50 push eax
push eax
// 805b240c 8d856cffffff lea eax,[ebp-94h]
// local access state is the first argument
lea eax,[ebp-94h]
// 805b2412 50 push eax
push eax
// 805b2413 e8fa5c0300 call nt!SeCreateAccessState (805e8112)
call nt_SeCreateAccessState
// 805b2418 3bc7 cmp eax,edi
cmp eax,edi
// 805b241a 7d04 jge nt!ObOpenObjectByPointer+0x56 (805b2420)
jge L805b2420
// 805b241c 8bf0 mov esi,eax
// SeCreateAccessState failed: keep its status, drop the reference, return
mov esi,eax
// 805b241e eb2c jmp nt!ObOpenObjectByPointer+0x82 (805b244c)
jmp L805b244c
L805b2420:
// 805b2420 8d856cffffff lea eax,[ebp-94h]
// eax = &local access state
lea eax,[ebp-94h]
L805b2426:
// 805b2426 8b4bf0 mov ecx,dword ptr [ebx-10h]
mov ecx,dword ptr [ebx-10h]
// 805b2429 8945fc mov dword ptr [ebp-4],eax
// [ebp-4] = access state in use (caller's or the local one)
mov dword ptr [ebp-4],eax
// 805b242c 8b450c mov eax,dword ptr [ebp+0Ch]
// eax = HandleAttributes; any bit also set in the type field at +64h
// is treated as invalid
mov eax,dword ptr [ebp+0Ch]
// 805b242f 854164 test dword ptr [ecx+64h],eax
test dword ptr [ecx+64h],eax
// 805b2432 7421 je nt!ObOpenObjectByPointer+0x8b (805b2455)
// no invalid bits -> go create the handle
je L805b2455
// 805b2434 8d856cffffff lea eax,[ebp-94h]
// invalid attributes: tear down the local access state if it is in use
lea eax,[ebp-94h]
// 805b243a 3945fc cmp dword ptr [ebp-4],eax
cmp dword ptr [ebp-4],eax
// 805b243d 7508 jne nt!ObOpenObjectByPointer+0x7d (805b2447)
jne L805b2447
// 805b243f ff75fc push dword ptr [ebp-4]
push dword ptr [ebp-4]
// 805b2442 e88d5a0300 call nt!SeDeleteAccessState (805e7ed4)
call nt_SeDeleteAccessState
L805b2447:
// 805b2447 be0d0000c0 mov esi,0C000000Dh
// esi = STATUS_INVALID_PARAMETER
mov esi,0C000000Dh
L805b244c:
// failure exit after a successful reference: drop it, then epilogue
// 805b244c 8bcb mov ecx,ebx
mov ecx,ebx
// 805b244e e83f17f7ff call nt!ObfDereferenceObject (80523b92)
call nt_ObfDereferenceObject
// 805b2453 eb3e jmp nt!ObOpenObjectByPointer+0xc9 (805b2493)
jmp L805b2493
L805b2455:
// ObpCreateHandle with ten arguments (unexported; parameter names not
// documented). [ebp+8], the Object slot, is reused as the output slot
// for the new handle; eax still holds HandleAttributes here.
// 805b2455 8d4d08 lea ecx,[ebp+8]
lea ecx,[ebp+8]
// 805b2458 51 push ecx
push ecx
// 805b2459 57 push edi
push edi
// 805b245a ff751c push dword ptr [ebp+1Ch]
push dword ptr [ebp+1Ch]
// 805b245d 57 push edi
push edi
// 805b245e 50 push eax
push eax
// 805b245f 57 push edi
push edi
// 805b2460 ff75fc push dword ptr [ebp-4]
push dword ptr [ebp-4]
// 805b2463 ff7518 push dword ptr [ebp+18h]
push dword ptr [ebp+18h]
// 805b2466 53 push ebx
push ebx
// 805b2467 6a01 push 1
push 1
// 805b2469 e8de180000 call nt!ObpCreateHandle (805b3d4c)
call nt_ObpCreateHandle
// 805b246e 8bf0 mov esi,eax
mov esi,eax
// 805b2470 3bf7 cmp esi,edi
cmp esi,edi
// 805b2472 7d28 jge nt!ObOpenObjectByPointer+0xd2 (805b249c)
// success -> publish the handle
jge L805b249c
// 805b2474 8bcb mov ecx,ebx
// handle creation failed: drop the reference and fall into *Handle = 0
mov ecx,ebx
// 805b2476 e81717f7ff call nt!ObfDereferenceObject (80523b92)
call nt_ObfDereferenceObject
L805b247b:
// *Handle = 0 on every failure path
// 805b247b 8b4520 mov eax,dword ptr [ebp+20h]
mov eax,dword ptr [ebp+20h]
// 805b247e 8938 mov dword ptr [eax],edi
mov dword ptr [eax],edi
L805b2480:
// common cleanup: delete the local access state only if it was the one used
// 805b2480 8d856cffffff lea eax,[ebp-94h]
lea eax,[ebp-94h]
// 805b2486 3945fc cmp dword ptr [ebp-4],eax
cmp dword ptr [ebp-4],eax
// 805b2489 7508 jne nt!ObOpenObjectByPointer+0xc9 (805b2493)
jne L805b2493
// 805b248b ff75fc push dword ptr [ebp-4]
push dword ptr [ebp-4]
// 805b248e e8415a0300 call nt!SeDeleteAccessState (805e7ed4)
call nt_SeDeleteAccessState
L805b2493:
// epilogue: eax = status, restore callee-saved regs, stdcall return
// 805b2493 5f pop edi
pop edi
// 805b2494 8bc6 mov eax,esi
mov eax,esi
// 805b2496 5e pop esi
pop esi
// 805b2497 5b pop ebx
pop ebx
// 805b2498 c9 leave
leave
// 805b2499 c21c00 ret 1Ch
// 1Ch = 7 dword arguments popped by the callee
ret 1Ch
L805b249c:
// success: *Handle = handle written into [ebp+8] by ObpCreateHandle
// 805b249c 8b4520 mov eax,dword ptr [ebp+20h]
mov eax,dword ptr [ebp+20h]
// 805b249f 8b4d08 mov ecx,dword ptr [ebp+8]
mov ecx,dword ptr [ebp+8]
// 805b24a2 8908 mov dword ptr [eax],ecx
mov dword ptr [eax],ecx
// 805b24a4 ebda jmp nt!ObOpenObjectByPointer+0xb6 (805b2480)
jmp L805b2480
// Padding after the function body in the kernel image; unreachable here,
// copied only so the listing matches the dump.
// 805b24a6 cc int 3
int 3
// 805b24a7 cc int 3
int 3
// 805b24a8 cc int 3
int 3
// 805b24a9 cc int 3
int 3
// 805b24aa cc int 3
int 3
// 805b24ab cc int 3
int 3
}
}