//搜索函数地址
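ULONG sao_neihe(ULONG dizhi,ULONG daxiao, char*hanshuming, ULONG*dizhichu)
{
	/*
	 * Scan the byte range [dizhi, dizhi + daxiao) for the signature used
	 * to locate KiFastCallEntry.
	 *
	 * dizhi      - start address of the range to scan
	 * daxiao     - size of the range in bytes
	 * hanshuming - function name; the scan only runs when it contains
	 *              "KiFastCallEntry" (substring match, as before)
	 * dizhichu   - out: receives the match address on success (may be NULL)
	 *
	 * Returns the address of the first match, or 0 when the name does not
	 * match, the range is smaller than the signature, or nothing matches.
	 */

	/* Bytes compared at the candidate position, in order.  Presumably the
	 * x86 prologue of KiFastCallEntry; the original had a longer sequence
	 * commented out, so a 7-byte match may not be unique within the image
	 * — TODO confirm against the target kernel build. */
	static const UCHAR pattern[] = { 0x2b, 0xe1, 0xc1, 0xe9, 0x02, 0x8b, 0xfc };
	const ULONG plen = (ULONG)sizeof pattern;

	/* strstr on a NULL name is undefined behaviour; treat it as "no match". */
	if (hanshuming == NULL || strstr(hanshuming, "KiFastCallEntry") == NULL)
	{
		return 0;
	}

	KdPrint(("进来了 \n"));
	KdPrint(("基质%x 大小%x", dizhi, daxiao));

	UCHAR *p1 = (UCHAR*)dizhi;

	/* Only positions where the whole signature still lies inside the range
	 * are candidates.  The previous loop ran to i <= daxiao and compared up
	 * to 6 bytes past the end of the range, past the only address it had
	 * validated.  "daxiao - i" cannot wrap because i never exceeds daxiao. */
	for (ULONG i = 0; daxiao - i >= plen; i++)
	{
		UCHAR *p2 = p1 + i;

		/* Every byte of the window must be readable before it is touched;
		 * reading an unmapped kernel page bug-checks the machine.  A window
		 * shorter than a page spans at most two pages, so validating both
		 * ends covers all of it (previously only the first byte was checked). */
		if (!MmIsAddressValid(p2) || !MmIsAddressValid(p2 + plen - 1))
		{
			continue;
		}

		ULONG k = 0;
		while (k < plen && p2[k] == pattern[k])
		{
			k++;
		}
		if (k == plen)
		{
			if (dizhichu != NULL)
			{
				*dizhichu = (ULONG)p2;
			}
			return (ULONG)p2;
		}
	}
	return 0; // failure: name mismatch, range too small, or signature not found
}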