
win10 1909逆向----MiLocateAddress(查找虚拟地址的VAD),再代码实现。



//接下来用代码实现,因为懒,所以结构体能用就行,先上效果图:


接着上代码:

/*
功能:通过虚拟地址找到VAD【Virtual Address Descriptor虚拟地址描述符】
*/
#include <ntddk.h>


/*
 * Local mirror of the kernel's EX_PUSH_LOCK (8 bytes). Only used here to keep
 * MMVAD_SHORT the right size; nothing in this file acquires or inspects it.
 * Bit layout reproduced from the reverse-engineered Win10 1909 build — confirm
 * with `dt nt!_EX_PUSH_LOCK` before trusting it on another build.
 */
typedef struct _EX_PUSH_LOCK
{
	union
	{
		struct
		{

			UINT64 Locked : 1;
			UINT64 Waiting : 1;
			UINT64 Waking : 1;
			UINT64 MultipleShared : 1;
			UINT64 Shared : 60;
		};
		UINT64 Value;
		PVOID Ptr;
	};
}EX_PUSH_LOCK, *PEX_PUSH_LOCK;

/*
 * Minimal MMVAD_SHORT as laid out on Win10 1909 (0x40 bytes).
 * The VPN range of a VAD is 40 bits wide: the low 32 bits live in
 * StartingVpn/EndingVpn and the top 8 bits in StartingVpnHigh/EndingVpnHigh,
 * so both halves must be combined (with the high byte widened to 64 bits
 * BEFORE shifting) when comparing against a page number.
 * VadNode must stay the first member: the tree links in RTL_BALANCED_NODE
 * point at this field, and the lookup code casts those links to PMMVAD.
 */
typedef struct _MMVAD_SHORT
{

	RTL_BALANCED_NODE VadNode;
	UINT32 StartingVpn;
	UINT32 EndingVpn;
	UCHAR StartingVpnHigh;
	UCHAR EndingVpnHigh;
	UCHAR CommitChargeHigh;
	UCHAR SpareNT64VadUChar;
	INT32 ReferenceCount;
	EX_PUSH_LOCK PushLock;
	// Not used by this driver; kept only as opaque padding so the struct keeps
	// its real size (presumably the flags unions and EventList — TODO confirm
	// against `dt nt!_MMVAD_SHORT` on the target build).
	UINT64 x1;
	UINT64 x2;

}MMVAD_SHORT, *PMMVAD_SHORT;

/*
 * Full MMVAD as laid out on Win10 1909. Core must remain the first member
 * (see MMVAD_SHORT) so a tree link can be converted back to a PMMVAD.
 * Field offsets are build-specific; re-verify with `dt nt!_MMVAD` before
 * reusing this on a different Windows build.
 */
typedef struct _MMVAD
{
	MMVAD_SHORT Core;
	union
	{
		UINT32 LongFlags2;
		// Not needed here; the bitfield view of the flags is omitted.
		//MMVAD_FLAGS2 VadFlags2;

	}u2;
	PVOID Subsection;
	PVOID FirstPrototypePte;
	PVOID LastContiguousPte;
	LIST_ENTRY ViewLinks;
	PEPROCESS VadsProcess;
	PVOID u4;
	PVOID FileObject;
}MMVAD, *PMMVAD;

PMMVAD  MiLocateAddress(IN PVOID VirtualAddress, IN PEPROCESS pEprocess);

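/*
 * Driver unload routine. Nothing was allocated or registered in DriverEntry,
 * so there is nothing to tear down; it only logs that the driver is leaving.
 *
 * pDriverObject: unused. Marked explicitly so WDK builds with /W4 and
 * warnings-as-errors do not fail on the unreferenced parameter.
 */
VOID Unload(PDRIVER_OBJECT pDriverObject)
{
	UNREFERENCED_PARAMETER(pDriverObject);

	KdPrint(("end\n"));
}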

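/*
 * Driver entry point: registers the unload routine, then performs one VAD
 * lookup for a fixed (process, address) pair and logs the result.
 *
 * Returns STATUS_SUCCESS unconditionally; a failed lookup is only logged.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	UNREFERENCED_PARAMETER(pRegPath);

	pDriverObject->DriverUnload = Unload;
	KdPrint(("start\n"));

	/*
	 * DEBUG-ONLY INPUTS. The EPROCESS value below is a raw kernel pointer that
	 * was read out of a debugger on one particular boot of the author's
	 * machine. Kernel pool addresses change on every boot, so on any other
	 * system (or even the next reboot of this one) it is a dangling pointer:
	 * MiLocateAddress will read arbitrary memory through it and most likely
	 * bugcheck. Before loading this driver anywhere else, obtain the target
	 * PEPROCESS at run time (e.g. PsLookupProcessByProcessId, paired with
	 * ObDereferenceObject) instead of hard-coding it.
	 */
	PEPROCESS TargetProcess = (PEPROCESS)0xffffdf8191cda080;
	PVOID TargetAddress = (PVOID)0x400004;

	PMMVAD Vad = MiLocateAddress(TargetAddress, TargetProcess);
	if (Vad == NULL)
	{
		KdPrint(("no VAD covers %p\n", TargetAddress));
	}
	else
	{
		/* %p rather than %llx: Vad is a pointer, not a 64-bit integer. */
		KdPrint(("%p\n", Vad));
	}

	return STATUS_SUCCESS;
}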
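/*
 * EPROCESS field offsets recovered on the Windows 10 1909 build this page
 * reverse-engineered. They are build-specific: on any other build they land
 * on unrelated fields and the tree walk below dereferences garbage.
 * Re-check them (WinDbg: `dt nt!_EPROCESS VadRoot VadHint`) before reuse.
 */
enum
{
	EPROCESS_VADROOT_OFFSET_1909 = 0x658,
	EPROCESS_VADHINT_OFFSET_1909 = 0x660
};

/*
 * Reassemble a 40-bit VPN bound from its 32-bit low part and 8-bit high part.
 * The high byte is widened to 64 bits before the shift: shifting a (promoted)
 * 32-bit int by 32 is undefined behaviour and in practice drops the high bits,
 * which is exactly the bug the original tree walk had.
 */
static UINT64 MiVadVpn(UINT32 Low, UCHAR High)
{
	return ((UINT64)High << 32) | Low;
}

/*
 * Map a tree link back to the VAD that contains it. NULL stays NULL so the
 * caller can keep testing the link for end-of-branch.
 */
static PMMVAD MiVadFromNode(PRTL_BALANCED_NODE Node)
{
	if (Node == NULL)
	{
		return NULL;
	}
	return CONTAINING_RECORD(Node, MMVAD, Core.VadNode);
}

/*
 * Find the VAD (Virtual Address Descriptor) of pEprocess whose page range
 * covers VirtualAddress.
 *
 * VirtualAddress: user-mode address to look up (only its page number matters).
 * pEprocess:      process whose VAD tree is searched; NULL yields NULL.
 *
 * Returns the covering VAD, or NULL if the process has no VADs or no VAD
 * contains the page. The cached VadHint is tried first; otherwise the
 * balanced tree is binary-searched from VadRoot.
 *
 * NOTE(review): no synchronization is taken here. The kernel's own walk is
 * presumably done under the process's address-space lock — confirm — whereas
 * this code reads VadRoot/VadHint and follows tree links unlocked, so a
 * concurrent free/unmap in the target process can free a node mid-walk.
 * Treat this as a debugger-assisted research tool, not production code.
 */
PMMVAD MiLocateAddress(IN PVOID VirtualAddress, IN PEPROCESS pEprocess)
{
	if (pEprocess == NULL)
	{
		return NULL;
	}

	PMMVAD VadRoot = *(PMMVAD *)((UINT64)pEprocess + EPROCESS_VADROOT_OFFSET_1909);
	PMMVAD VadHint = *(PMMVAD *)((UINT64)pEprocess + EPROCESS_VADHINT_OFFSET_1909);
	UINT64 Vpn = (UINT64)VirtualAddress >> PAGE_SHIFT;

	/* Fast path: the most recently used VAD already covers this page. */
	if (VadHint != NULL &&
	    Vpn >= MiVadVpn(VadHint->Core.StartingVpn, VadHint->Core.StartingVpnHigh) &&
	    Vpn <= MiVadVpn(VadHint->Core.EndingVpn, VadHint->Core.EndingVpnHigh))
	{
		return VadHint;
	}

	/*
	 * Slow path: descend the tree. An empty tree (VadRoot == NULL) is handled
	 * by the loop condition instead of being dereferenced, and a missing hint
	 * no longer aborts the lookup.
	 */
	PMMVAD Node = VadRoot;
	while (Node != NULL)
	{
		if (Vpn > MiVadVpn(Node->Core.EndingVpn, Node->Core.EndingVpnHigh))
		{
			Node = MiVadFromNode(Node->Core.VadNode.Right);
		}
		else if (Vpn >= MiVadVpn(Node->Core.StartingVpn, Node->Core.StartingVpnHigh))
		{
			return Node;
		}
		else
		{
			Node = MiVadFromNode(Node->Core.VadNode.Left);
		}
	}

	return NULL;
}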

 

 
