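/*
 * onlythisfile_SreachFunctionAddress
 *
 * Scan forward from uAddress for a 5-byte signature and resolve the
 * RIP-relative operand of the instruction that begins at the signature's
 * fifth byte (the call site in this file uses the pattern as "4 bytes of the
 * preceding instruction + first byte of the instruction of interest"):
 *
 *     instr  = match + 4
 *     disp32 = *(int *)(instr + addopcodelength)      -- SIGNED rel32
 *     result = instr + addopcodedatasize + disp32
 *
 * In:   uAddress           start of the scan window; 0 -> returns 0
 *       Signature          pointer to the 5 bytes to match; NULL -> returns 0
 *       addopcodelength    byte offset of disp32 inside that instruction
 *       addopcodedatasize  length of that instruction (disp32 is relative to
 *                          the address of the *next* instruction)
 * Out:  resolved address, or 0 if the signature was not found in the window
 *
 * Memory touched: [uAddress, uAddress + SCAN_WINDOW_BYTES + 4) for the
 * compare, plus the 4 disp32 bytes after a match. Nothing here checks that
 * the range is mapped; the caller must guarantee it (an unmapped read at
 * this IRQL-agnostic point is a bugcheck, not an error return).
 *
 * Differences from the original version:
 *  - disp32 is read as a signed 32-bit value and sign-extended. The original
 *    zero-extended it (ULONG32) and then masked bits 32..35 of the sum to
 *    hide the carry that a negative displacement produced; that only yields
 *    the right address when those bits of the real address happen to be 0.
 *  - pointer <-> integer conversions are explicit.
 *  - the DbgPrint on every scanned byte (up to 0x3000 lines of output) is
 *    removed; the return value alone reports success or failure.
 */
ULONG64 onlythisfile_SreachFunctionAddress(ULONG64 uAddress, UCHAR *Signature,
                                           ULONG addopcodelength, ULONG addopcodedatasize)
{
    const ULONG64 SCAN_WINDOW_BYTES = 0x3000;   /* same window as the original loop bound */
    const UCHAR  *p;
    ULONG64       index;
    ULONG64       instr;
    int           disp;                          /* rel32 is signed on x86-64 */

    if (uAddress == 0 || Signature == 0) {
        return 0;
    }

    p = (const UCHAR *)uAddress;
    for (index = 0; index < SCAN_WINDOW_BYTES; index++, p++) {
        if (p[0] != Signature[0] || p[1] != Signature[1] || p[2] != Signature[2] ||
            p[3] != Signature[3] || p[4] != Signature[4]) {
            continue;
        }

        /* Signature[4] is the first byte of the instruction whose operand we want. */
        instr = (ULONG64)(p + 4);
        disp  = *(const int *)(instr + addopcodelength);

        /* Target = end of instruction + sign-extended displacement.
         * The (long long) cast makes the sign extension explicit; the
         * subsequent ULONG64 wrap-around is the intended modular add. */
        return instr + addopcodedatasize + (ULONG64)(long long)disp;
    }

    return 0;   /* not found within the window */
}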
/* Implemented in the .asm listing below. Returns the 8-byte entry at
 * ObTypeIndexTable + index*8 (rcx = index, rdx = ObTypeIndexTable, result in
 * rax). No NULL or bounds check is done on either argument -- the caller must
 * validate the table pointer before calling. */
extern PVOID64 __fastcall GetObjectByindex(ULONG64 index, ULONG64 ObTypeIndexTable);
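/*
 * initgetobjectbbyindex
 *
 * Resolves the file-level global ObTypeIndexTable by pattern-matching inside
 * ObGetObjectType, prints it, then reads one entry through the assembly
 * helper GetObjectByindex and prints that too.
 *
 * The byte pattern, the operand offsets (3, 7) and the type index (0xb) are
 * taken from one specific kernel build and are not stable across versions.
 * A failed lookup (ObTypeIndexTable == 0) is therefore an expected outcome on
 * other builds and must not be dereferenced; the original code indexed the
 * NULL table unconditionally.
 *
 * Uses: FUCKGetFunctionAddr, onlythisfile_SreachFunctionAddress,
 *       GetObjectByindex and ObTypeIndexTable from elsewhere in this file.
 */
void initgetobjectbbyindex()
{
    /* 0f b6 41 e8 = movzx eax, byte ptr [rcx-18h]; 48 = REX.W prefix of the
     * following instruction (presumably a mov rcx,[rip+disp32] -- the
     * offsets below assume a 7-byte instruction with disp32 at +3). */
    UCHAR opcodethis[] = { 0x0f, 0xb6, 0x41, 0xe8, 0x48 };
    const ULONG   DISP_OFFSET             = 3;    /* disp32 offset inside that instruction */
    const ULONG   INSTR_LEN               = 7;    /* disp32 is relative to its end */
    const ULONG64 DEBUG_OBJECT_TYPE_INDEX = 0xb;  /* build-specific */
    PVOID   debugobject = 0;
    ULONG64 fn;

    /* Resolve once; the original looked the export up twice. */
    fn = (ULONG64)FUCKGetFunctionAddr(L"ObGetObjectType");

    ObTypeIndexTable = (PVOID)onlythisfile_SreachFunctionAddress(fn, opcodethis,
                                                                 DISP_OFFSET, INSTR_LEN);
    DbgPrint("ObTypeIndexTable%pxx:%p", ObTypeIndexTable, (PVOID)fn);

    /* Export not found or pattern not matched: GetObjectByindex has no
     * NULL check and would read at index*8 from address 0. */
    if (ObTypeIndexTable == 0) {
        return;
    }

    debugobject = GetObjectByindex(DEBUG_OBJECT_TYPE_INDEX, (ULONG64)ObTypeIndexTable);
    DbgPrint("debugobject%p", debugobject);
}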
.asm文件
.CODE

;-----------------------------------------------------------------------
; PVOID64 __fastcall GetObjectByindex(ULONG64 index, ULONG64 ObTypeIndexTable)
; ABI:   Microsoft x64, leaf function (no frame, no stack use)
; In:    rcx = index
;        rdx = ObTypeIndexTable
; Out:   rax = *(ULONG64 *)(ObTypeIndexTable + index*8)
; Clobb: rax only (rcx/rdx are left untouched)
; Note:  no NULL or bounds check on either argument; the C caller must
;        validate the table pointer before calling.
;-----------------------------------------------------------------------
GetObjectByindex PROC
        mov     rax, QWORD PTR [rdx + rcx*8]    ; rax = table[index]
        ret
GetObjectByindex ENDP

END