I'm writing a program which enumerates hooks created by SetWindowsHookEx(). Here is the process:

- Use GetProcAddress() to obtain gSharedInfo exported in User32.dll (works, verified)
- Read user-mode memory at gSharedInfo + 8; the result should be a pointer to the first handle entry. (works, verified)
- Read user-mode memory at [gSharedInfo] + 8; the result should be the count of handles to enumerate. (works, verified)
- Read data from the address obtained in step 2, repeat count times
- Check if HANDLEENTRY.bType is 5 (which means it's a HHOOK). If so, print information.

The problem is, although steps 1-3 only mess around with user-mode memory, step 4 requires the program to read kernel memory. After some research I found that ZwSystemDebugControl can be used to access kernel memory from user mode. So I wrote the following function:
#include <windows.h>

// Definitions the snippet relies on; they are not in the Windows SDK headers.
typedef struct _MEMORY_CHUNKS {
    UINT Address; // kernel address to read (truncated to 32 bits on x64 builds by the casts below)
    UINT pData;   // user-mode buffer that receives the bytes
    UINT Length;  // number of bytes to copy
} MEMORY_CHUNKS, *PMEMORY_CHUNKS;
#define SysDbgCopyMemoryChunks_0 8 // SYSDBG_COMMAND value (named SysDbgReadVirtual in newer headers)
typedef ULONG (NTAPI *ZWSYSTEMDEBUGCONTROL)(ULONG Command, PVOID InputBuffer, ULONG InputBufferLength,
                                            PVOID OutputBuffer, ULONG OutputBufferLength, PULONG ReturnLength);

BOOL GetKernelMemory(PVOID pKernelAddr, PBYTE pBuffer, ULONG uLength)
{
    MEMORY_CHUNKS mc;
    ULONG uReaded = 0;
    mc.Address = (UINT)pKernelAddr; // Kernel Memory Address - input
    mc.pData = (UINT)pBuffer;       // User Mode Memory Address - output
    mc.Length = (UINT)uLength;      // length
    ULONG st = -1;
    ZWSYSTEMDEBUGCONTROL ZwSystemDebugControl = (ZWSYSTEMDEBUGCONTROL)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtSystemDebugControl");
    if (!ZwSystemDebugControl) return FALSE; // export missing: nothing to call
    st = ZwSystemDebugControl(SysDbgCopyMemoryChunks_0, &mc, sizeof(MEMORY_CHUNKS), 0, 0, &uReaded);
    return st == 0; // 0 == STATUS_SUCCESS
}
But the function above didn't work. uReaded is always 0 and st is always 0xC0000002. How do I resolve this error?

My full program: http://pastebin.com/xzYfGdC5
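Steps 4 and 5 of the procedure above, walked over a constructed handle table, as an added example that is not part of the original post or its pastebin. The HANDLEENTRY layout (phead, pOwner, bType, bFlags, wUniq) is assumed from public win32k/ReactOS descriptions, the sample table and its addresses are constructed, and the type constants TYPE_WINDOW = 1, TYPE_MENU = 2 are used only to label non-hook entries; the real array is the one read at step 2, this one just demonstrates the bType check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* HANDLEENTRY layout as assumed from public win32k descriptions (not from the post).
 * phead is a kernel pointer in the real table; uintptr_t keeps the sample portable. */
typedef struct _HANDLEENTRY {
    uintptr_t phead;   /* object header (kernel address) */
    uintptr_t pOwner;  /* owning thread/process info */
    uint8_t   bType;   /* object type; 5 == TYPE_HOOK (step 5) */
    uint8_t   bFlags;
    uint16_t  wUniq;   /* uniqueness counter used by handle validation */
} HANDLEENTRY;

#define TYPE_FREE   0
#define TYPE_WINDOW 1
#define TYPE_MENU   2
#define TYPE_HOOK   5

/* Step 4/5: walk 'count' entries and record the index of every TYPE_HOOK entry.
 * Returns the total number of hook entries, even if out_idx fills up. */
size_t find_hook_entries(const HANDLEENTRY *table, size_t count,
                         size_t *out_idx, size_t out_cap)
{
    size_t found = 0;
    for (size_t i = 0; i < count; i++) {
        if (table[i].bType != TYPE_HOOK)
            continue;
        if (found < out_cap)
            out_idx[found] = i;
        found++;
    }
    return found;
}

/* Constructed stand-in for the array the post reads at step 2 (addresses are made up). */
static const HANDLEENTRY sample_table[] = {
    { 0xfffff90140000000ULL, 0, TYPE_FREE,   0, 1 },
    { 0xfffff90140001000ULL, 0, TYPE_WINDOW, 0, 2 },
    { 0xfffff90140002000ULL, 0, TYPE_HOOK,   0, 3 },
    { 0xfffff90140003000ULL, 0, TYPE_MENU,   0, 4 },
    { 0xfffff90140004000ULL, 0, TYPE_HOOK,   0, 5 },
};
#define SAMPLE_COUNT (sizeof(sample_table) / sizeof(sample_table[0]))

/* Number of hook entries in the constructed table (2). */
size_t sample_hook_count(void)
{
    size_t idx[8];
    return find_hook_entries(sample_table, SAMPLE_COUNT, idx, 8);
}

int main(void)
{
    size_t idx[8];
    size_t n = find_hook_entries(sample_table, SAMPLE_COUNT, idx, 8);
    for (size_t i = 0; i < n; i++)
        printf("hook handle entry #%zu: phead=0x%llx uniq=%u\n", idx[i],
               (unsigned long long)sample_table[idx[i]].phead,
               sample_table[idx[i]].wUniq);
    return 0;
}
```

The walk itself needs nothing beyond the entry array and the count, which is why steps 2 and 3 are the useful part of the procedure; what remains kernel-only is dereferencing phead to get at the hook object behind each entry.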
2 solutions
#1
3
MSFT did not implement the NtSystemDebugControl syscall after Windows XP.
#2
0
The Meltdown vulnerability makes it possible to read kernel memory from user mode on most Intel CPUs at a speed of approximately 500kB/s. This works on most unpatched OSes.