18 July 2014

WD: Walking the IAT (the NTOS special case)

The IAT of ntoskrnl itself can only be reached through IMAGE_DIRECTORY_ENTRY_IAT (index 12). Its import descriptors (IMAGE_DIRECTORY_ENTRY_IMPORT, index 1) are placed in the discardable INIT section, and once NTOS has finished initializing that section is freed, so the region the import directory points to no longer exists. The IAT directory, by contrast, sits in retained data, but it is only a flat array of resolved pointers, with a zero slot separating each module's group and no module or function names attached; to label a slot you have to map its value back to a loaded module yourself, and you should still confirm the range with MmIsAddressValid before dereferencing it.

Painful!

This is easy to see in WinDbg:

x86:

(screenshot: reloadntos.png)

x64:

(screenshot: reloadntos64.png)

The IAT-walking code for the other (non-NTOS) images, which goes through the import directory, is as follows:

#include <ntddk.h>
#include <ntimage.h>

// Walk a mapped driver image's imports through IMAGE_DIRECTORY_ENTRY_IMPORT.
// Works for ordinary drivers; for ntoskrnl itself it fails, because the import
// descriptors live in INIT, which is discarded after boot, so use
// IMAGE_DIRECTORY_ENTRY_IAT there instead.
NTSTATUS EnumIATTable(ULONG_PTR pBase)
{
	PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)pBase;
	PIMAGE_NT_HEADERS pNt = NULL;
	PIMAGE_DATA_DIRECTORY pDir = NULL;
	PIMAGE_IMPORT_DESCRIPTOR pImport = NULL;
	PIMAGE_THUNK_DATA pThunk = NULL;

	if (NULL == pDos
		|| !MmIsAddressValid(pDos)
		|| IMAGE_DOS_SIGNATURE != pDos->e_magic)
	{
		return STATUS_INVALID_IMAGE_FORMAT;
	}

	pNt = (PIMAGE_NT_HEADERS)((PUCHAR)pBase + pDos->e_lfanew);
	if (!MmIsAddressValid(pNt)
		|| IMAGE_NT_SIGNATURE != pNt->Signature)
	{
		return STATUS_INVALID_IMAGE_FORMAT;
	}

	// An image with no import directory has nothing to walk; without this
	// check pImport would alias the DOS header and read garbage.
	pDir = &pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
	if (0 == pDir->VirtualAddress || 0 == pDir->Size)
	{
		return STATUS_NOT_FOUND;
	}

	pImport = (PIMAGE_IMPORT_DESCRIPTOR)((PUCHAR)pBase + pDir->VirtualAddress);

	// Enumerate and print: one descriptor per imported module, terminated by
	// an all-zero descriptor; FirstThunk points at that module's slice of the
	// IAT, terminated by a zero slot.
	while (MmIsAddressValid(pImport)
		&& pImport->Name != 0)
	{
		PUCHAR pName = (PUCHAR)pBase + pImport->Name;

		pThunk = (PIMAGE_THUNK_DATA)((PUCHAR)pBase + pImport->FirstThunk);
		while (MmIsAddressValid(pThunk)
			&& pThunk->u1.Function != 0)
		{
			// Once the loader has bound the image, u1.Function holds the
			// resolved address of the imported routine.
			KdPrint(("[EnumIATTable]-Import Module:%s-function:%p\r\n",
				MmIsAddressValid(pName) ? (PCSTR)pName : "<unreadable>",
				(PVOID)pThunk->u1.Function));
			pThunk++;
		}

		pImport++;
	}

	return STATUS_SUCCESS;
}
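To make the NTOS point concrete, and to show why the import-directory walk above fails on ntoskrnl while a directory-12 walk does not, here is an added, self-contained example; it is not code from the original post. It models a mapped image as a flat RVA-addressed buffer with portable stand-ins for the ntimage.h structures so it builds with any C compiler, constructs a sample image whose import descriptors and module names sit in an INIT-like range while the IAT sits in retained data, and walks it both ways before and after that range is "discarded". The module names, addresses and layout are constructed for the demonstration, and rva_ok is an assumed stand-in for MmIsAddressValid.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DIRECTORY_ENTRY_IMPORT 1
#define IMAGE_DIRECTORY_ENTRY_IAT    12
#define IMAGE_SIZE 0x1000

/* Minimal portable stand-ins for the ntimage.h types (64-bit thunks). */
typedef struct { uint32_t VirtualAddress, Size; } DATA_DIRECTORY;
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } IMPORT_DESCRIPTOR;
typedef uint64_t THUNK;                         /* IMAGE_THUNK_DATA64.u1.Function */

/* A mapped image: a flat buffer addressed by RVA, plus the RVA range of an
 * INIT-like region that the loader discards once initialization is done. */
typedef struct {
    uint8_t *base; DATA_DIRECTORY dir[16];
    uint32_t init_rva, init_size; int init_discarded;
} IMAGE;

/* Stand-in for MmIsAddressValid: readable iff inside the image and not discarded. */
static int rva_ok(const IMAGE *img, uint32_t rva, uint32_t len) {
    if ((uint64_t)rva + len > IMAGE_SIZE) return 0;
    if (img->init_discarded && rva + len > img->init_rva && rva < img->init_rva + img->init_size) return 0;
    return 1;
}

/* Method 1: IMAGE_DIRECTORY_ENTRY_IMPORT -> descriptor table -> each module's FirstThunk slice.
 * Returns the resolved-slot count, or -1 as soon as any part of the table is unreadable. */
int walk_import_dir(const IMAGE *img) {
    uint32_t rva = img->dir[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; int count = 0;
    if (rva == 0) return -1;
    for (;; rva += sizeof(IMPORT_DESCRIPTOR)) {
        IMPORT_DESCRIPTOR d;
        if (!rva_ok(img, rva, sizeof d)) return -1;
        memcpy(&d, img->base + rva, sizeof d);
        if (d.Name == 0) break;                     /* all-zero descriptor ends the table */
        if (!rva_ok(img, d.Name, 1)) return -1;
        for (uint32_t t = d.FirstThunk;; t += sizeof(THUNK)) {
            THUNK fn;
            if (!rva_ok(img, t, sizeof fn)) return -1;
            memcpy(&fn, img->base + t, sizeof fn);
            if (fn == 0) break;                     /* zero slot ends this module's slice */
            printf("[import dir] %-10s slot@%#x -> %#llx\n",
                   (const char *)img->base + d.Name, t, (unsigned long long)fn);
            count++;
        }
    }
    return count;
}

/* Method 2: IMAGE_DIRECTORY_ENTRY_IAT, a flat array of resolved pointers with a zero
 * slot between module groups. It survives the INIT discard but carries no names. */
int walk_iat_dir(const IMAGE *img) {
    DATA_DIRECTORY iat = img->dir[IMAGE_DIRECTORY_ENTRY_IAT]; int count = 0;
    if (iat.VirtualAddress == 0 || !rva_ok(img, iat.VirtualAddress, iat.Size)) return -1;
    for (uint32_t off = 0; off + sizeof(THUNK) <= iat.Size; off += sizeof(THUNK)) {
        THUNK fn;
        memcpy(&fn, img->base + iat.VirtualAddress + off, sizeof fn);
        if (fn == 0) continue;                      /* group separator / terminator */
        printf("[iat dir]    slot@%#x -> %#llx\n", iat.VirtualAddress + off, (unsigned long long)fn);
        count++;
    }
    return count;
}

/* Constructed sample image (module names and addresses are made up): the IAT sits in retained
 * data at RVA 0x100; descriptors and name strings sit in the INIT-like range 0x800-0x900. */
void build_sample(IMAGE *img, uint8_t *buf) {
    static const THUNK iat[] = { 0xfffff80001000ULL, 0xfffff80001008ULL, 0, 0xfffff80002000ULL, 0 };
    static const IMPORT_DESCRIPTOR desc[] = {
        { 0, 0, 0, 0x880, 0x100 },                  /* module A: IAT slots 0 and 1 */
        { 0, 0, 0, 0x890, 0x118 },                  /* module B: IAT slot 3 */
        { 0, 0, 0, 0, 0 },                          /* terminator */
    };
    memset(buf, 0, IMAGE_SIZE);
    memset(img, 0, sizeof *img);
    img->base = buf;
    memcpy(buf + 0x100, iat, sizeof iat);
    memcpy(buf + 0x800, desc, sizeof desc);
    strcpy((char *)buf + 0x880, "hal.dll");
    strcpy((char *)buf + 0x890, "kdcom.dll");
    img->dir[IMAGE_DIRECTORY_ENTRY_IAT]    = (DATA_DIRECTORY){ 0x100, sizeof iat };
    img->dir[IMAGE_DIRECTORY_ENTRY_IMPORT] = (DATA_DIRECTORY){ 0x800, sizeof desc };
    img->init_rva = 0x800; img->init_size = 0x100;
}

void discard_init(IMAGE *img) { img->init_discarded = 1; }  /* emulate the loader freeing INIT */

int main(void) {
    static uint8_t buf[IMAGE_SIZE]; IMAGE img;
    build_sample(&img, buf);
    int a = walk_import_dir(&img), b = walk_iat_dir(&img);
    printf("before INIT is freed: import dir = %d, iat dir = %d\n", a, b);
    discard_init(&img);
    a = walk_import_dir(&img); b = walk_iat_dir(&img);
    printf("after  INIT is freed: import dir = %d, iat dir = %d\n", a, b);
    return 0;
}
```

Before the discard both walks report the same three resolved slots; afterwards the import-directory walk returns -1 the moment it touches the freed descriptor table, while the IAT-directory walk still finds all three, just without names. On a live kernel the same discipline applies: treat the header's directory entry as a hint and validate the target range (MmIsAddressValid in the original code) before reading through it.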


Author: hgy413
Permalink: https://hgy413.com/1552.html
Copyright © reprints must credit the author and link to the original.
