分段特征码搜索
以搜索 MiProcessLoaderEntry 函数地址为例：先在该函数中找到两段特征码，并记下它们之间的间隔；然后在该函数所在的地址范围内暴力遍历即可。
/* Call prototype the author uses for MiProcessLoaderEntry once its address is
 * found. The (ULONG, LOGICAL) parameter list cannot be checked from this page;
 * confirm it against the kernel build being targeted before calling through it. */
typedef VOID(*FunMiProcessLoaderEntry)(ULONG ulEntry, LOGICAL lflag);
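/*
 * Locate MiProcessLoaderEntry by a two-part byte signature.
 *
 * Scans [ulStartAddress, ulEndAddress) for szCodeFlag1; a hit is accepted
 * only when szCodeFlag2 also appears exactly ulFlag2Offset (0x23) bytes
 * after it. The signature bytes and the 0x23 gap belong to the kernel build
 * the author disassembled; they are not valid for other builds and must be
 * re-derived per build.
 *
 * ulStartAddress / ulEndAddress: bounds of the range to scan, end exclusive.
 *   Every byte this function reads lies inside that range, so the caller is
 *   responsible for passing a range that is mapped and readable. Addresses
 *   are ULONG, i.e. this is written for a 32-bit kernel.
 * retFunAddr: receives the address of the first match; untouched on failure.
 *
 * Returns STATUS_SUCCESS on a match, STATUS_INVALID_PARAMETER when retFunAddr
 * is NULL, and STATUS_NOT_FOUND when the range holds no match.
 */
NTSTATUS GetMiProcessLoaderEntryAddr(ULONG ulStartAddress, ULONG ulEndAddress, ULONG *retFunAddr) {
    /* Signature bytes. UCHAR, not CHAR: 0xB1 etc. do not fit a signed char. */
    static const UCHAR szCodeFlag1[] = { 0xB1, 0x1B, 0x88, 0x45, 0x0B };
    static const UCHAR szCodeFlag2[] = { 0x8B, 0xCE, 0xF0, 0x0F, 0xBA, 0x29, 0x1F };
    /* Distance between the two signature fragments inside the target function. */
    const ULONG ulFlag2Offset = 0x23;
    /* Bytes needed after i for both memcmp calls to stay inside the range. */
    const ULONG ulSpan = ulFlag2Offset + (ULONG)sizeof szCodeFlag2;

    if (retFunAddr == NULL) {
        return STATUS_INVALID_PARAMETER;
    }
    /* The original loop ran i up to ulEndAddress - 1 and then read 0x2A bytes
     * from i, i.e. past the end of the range; bound i so that never happens. */
    if (ulEndAddress < ulStartAddress || ulEndAddress - ulStartAddress < ulSpan) {
        return STATUS_NOT_FOUND;
    }
    for (ULONG i = ulStartAddress; i <= ulEndAddress - ulSpan; i++) {
        /* Go through ULONG_PTR so the integer-to-pointer conversion is explicit. */
        const UCHAR *p = (const UCHAR *)(ULONG_PTR)i;
        if (memcmp(p, szCodeFlag1, sizeof szCodeFlag1) != 0) {
            continue;
        }
        if (memcmp(p + ulFlag2Offset, szCodeFlag2, sizeof szCodeFlag2) == 0) {
            *retFunAddr = i;
            return STATUS_SUCCESS;
        }
    }
    return STATUS_NOT_FOUND;
}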
长特征码搜索
以搜索 PspTerminateThreadByPointer 函数地址为例：从该函数开头取足够长的一段特征码，然后在地址范围内遍历即可。
获取特征码:
1: kd> U PspTerminateThreadByPointer
nt!PspTerminateThreadByPointer:
840a4fe7 8bff mov edi,edi
840a4fe9 55 push ebp
840a4fea 8bec mov ebp,esp
840a4fec 83e4f8 and esp,0FFFFFFF8h
840a4fef 51 push ecx
840a4ff0 53 push ebx
840a4ff1 56 push esi
840a4ff2 8b7508 mov esi,dword ptr [ebp+8]
1: kd> dd PspTerminateThreadByPointer L8
840a4fe7 8b55ff8b f8e483ec 8b565351 8d570875
840a4ff7 000280be 4007f600 868d2874 00000150
遍历寻找函数地址:
/* Call prototype the author uses for PspTerminateThreadByPointer once its
 * address is found. The parameter list is not verifiable from this page;
 * confirm it against the kernel build being targeted before calling through it. */
typedef NTSTATUS(*FunPspTerminateThreadByPointer)(PETHREAD pEThread,NTSTATUS ExitStatus,BOOLEAN DirectTerminate);
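/*
 * Locate PspTerminateThreadByPointer by its 32-byte prologue signature.
 *
 * The eight ULONG values are the "dd PspTerminateThreadByPointer L8" dump
 * shown above, i.e. the first 32 bytes of the function on the build the
 * author debugged. They are compared as raw memory against the candidate
 * address, which reproduces the dump's little-endian layout exactly. The
 * pattern is build-specific; re-derive it for any other kernel build.
 *
 * ulStartAddress / ulEndAddress: range to scan, end exclusive. Every read
 *   stays inside it, so the caller must supply a mapped, readable range.
 *   Addresses are ULONG (32-bit kernel).
 * retFunAddr: receives the address of the first match; untouched on failure.
 *
 * Returns STATUS_SUCCESS on a match, STATUS_INVALID_PARAMETER when retFunAddr
 * is NULL, and STATUS_NOT_FOUND otherwise.
 */
NTSTATUS GetPspTerminateThreadByPointerAddr(ULONG ulStartAddress, ULONG ulEndAddress, ULONG *retFunAddr) {
    /* 8b55ff8b f8e483ec 8b565351 8d570875 */
    /* 000280be 4007f600 868d2874 00000150 */
    static const ULONG ulCodeFlag[8] = {
        0x8b55ff8b, 0xf8e483ec, 0x8b565351, 0x8d570875,
        0x000280be, 0x4007f600, 0x868d2874, 0x00000150,
    };
    /* Bytes compared per candidate; i must leave this many before the end. */
    const ULONG ulSpan = (ULONG)sizeof ulCodeFlag;

    if (retFunAddr == NULL) {
        return STATUS_INVALID_PARAMETER;
    }
    /* The original loop dereferenced up to 31 bytes past ulEndAddress;
     * bound i so the whole 32-byte compare lies inside the range. */
    if (ulEndAddress < ulStartAddress || ulEndAddress - ulStartAddress < ulSpan) {
        return STATUS_NOT_FOUND;
    }
    for (ULONG i = ulStartAddress; i <= ulEndAddress - ulSpan; i++) {
        /* One memcmp replaces eight unaligned ULONG loads through a cast. */
        if (memcmp((const void *)(ULONG_PTR)i, ulCodeFlag, ulSpan) == 0) {
            /* The original stored (PVOID*)i into a ULONG; store the address itself. */
            *retFunAddr = i;
            return STATUS_SUCCESS;
        }
    }
    return STATUS_NOT_FOUND;
}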