获取Ntdll常用服务信息和Ntos服务信息

Ntdll

公式 写好枚举等结构

/*
 * Slot indices into __NtdllInfos. The order IS the array layout, so new
 * entries must be appended in front of NT_DLL_INFOS and existing ones must
 * never be reordered. NT_DLL_INFOS is the element count, not a service.
 *
 * A slot only becomes usable once InitializeNtdllModule() assigns it a
 * ServiceName and the resolver finds that name in the ntdll export table;
 * otherwise both ServiceName and ServiceAddress stay NULL.
 */
enum
{
// process / thread / memory services
ZW_CREATE_THREAD = 0,
ZW_CREATE_THREAD_EX,
ZW_SUSPEND_THREAD,
ZW_SUSPEND_PROCESS,
ZW_PROTECT_VIRTUAL_MEMORY,
ZW_SHUTDOWN_SYSTEM,
ZW_TERMINATE_THREAD,
ZW_SET_CONTEXT_THREAD,
ZW_TERMINATE_JOB_OBJECT,
ZW_SYSTEM_DEBUG_CONTROL,
ZW_CREATE_USER_PROCESS,
ZW_DEBUG_ACTIVE_PROCESS,
ZW_SET_SYSTEM_POWER_STATE,
ZW_INITIATE_POWER_ACTION,
ZW_QUEUE_APC_THREAD,
ZW_QUERY_INFORMATION_THREAD,
ZW_QUERY_INFORMATION_JOB_OBJECT,
ZW_READ_VIRTUAL_MEMORY,
ZW_WRITE_VIRTUAL_MEMORY,
ZW_TERMINATE_PROCESS,
ZW_CREATE_SECTION,
ZW_CREATE_PROCESS_EX,
ZW_CREATE_PAGING_FILE, // not named in InitializeNtdllModule(); stays NULL unless set elsewhere

// REG
ZW_OPEN_KEY,
ZW_CREATE_KEY,
ZW_DELETE_KEY,
ZW_DELETE_VALUE_KEY,
ZW_SET_VALUE_KEY,
ZW_QUERY_VALUE_KEY,
ZW_ENUMERATE_VALUE_KEY,
ZW_ENUMERATE_KEY,
ZW_QUERY_KEY,
ZW_CLOSE_HANDLE,
ZW_OPEN_KEY_EX,
ZW_RENAME_KEY,
ZW_RESTORE_KEY,
ZW_SET_SECURITY_OBJECT, // not named in InitializeNtdllModule(); stays NULL unless set elsewhere

// SYS
ZW_WRITE_FILE,
ZW_OPEN_SECTION,
ZW_LOAD_DRIVER,
ZW_SET_SYSTEM_INFORMATION,
ZW_REQUEST_WAIT_REPLY_PORT,
ZW_SET_SYSTEM_TIME,
ZW_DEVICE_IO_CONTROL_FILE,
ZW_REPLY_PORT,
ZW_UNMAP_VIEWOFSECTION,
ZW_FREE_VIRTUAL_MEMORY,
ZW_ALPC_SEND_WAIT_RECEIVE_PORT,
ZW_RAISE_HARD_ERROR,
ZW_FS_CONTROL_FILE,

// PSMON
ZW_TEST_ALERT,
ZW_OPEN_PROCESS,
ZW_SET_INFORMATION_PROCESS,

// time
ZW_SET_TIMER,
ZW_QUERY_VIRTUAL_MEMORY,

//< FOR HOOK
// Reserved slot; InitializeNtdllModule() does not assign it a ServiceName,
// so it stays NULL unless another part of the module fills it in.
ZW_DISPLAY_STRING,

NT_DLL_INFOS, // element count of __NtdllInfos, never a valid index
};


/*
 * One resolved ntdll export.
 *
 * ServiceName:    NUL-terminated export name to look up; NULL means the slot
 *                 is unused. Points at a string literal, never owned/freed.
 * ServiceAddress: address of the export inside the mapped ntdll image, or
 *                 NULL while unresolved / if the name was not exported.
 *                 Always check for NULL before dereferencing it.
 */
typedef struct
{
PVOID ServiceAddress;
char* ServiceName;
}NTDLL_INFO;


/* Global lookup table, indexed by the ZW_* enum; defined in another translation unit. */
extern NTDLL_INFO __NtdllInfos[NT_DLL_INFOS];

写好函数名称

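/*
 * Name every __NtdllInfos slot this module uses, then resolve their
 * addresses through GetNtServiceAddress().
 *
 * The table is zeroed first, so any slot not named below keeps a NULL
 * ServiceName and therefore a NULL ServiceAddress after resolution
 * (ZW_CREATE_PAGING_FILE, ZW_SET_SECURITY_OBJECT and ZW_DISPLAY_STRING are
 * not named here). Consumers must check ServiceAddress before using it.
 *
 * ServiceName points at string literals; the table never copies or frees them.
 */
void InitializeNtdllModule()
{
    int i;
    ULONG NumberOfServices = 0;

    /* Some exports are only assigned on the builds listed in this test
       (by constant name: Vista through Windows 10 10240). The same test was
       previously repeated before each of those assignments; evaluate it once
       so the three gated groups cannot drift apart. On other builds the
       gated slots stay unnamed and are simply never resolved. */
    const int VistaOrLaterBuild =
        (__OsVersion == WINVISTA_VERSION ||
         __OsVersion == WIN7_VERSION ||
         __OsVersion == WIN8_VERSION ||
         __OsVersion == WIN8_VERSION_1 ||
         __OsVersion == WIN8_VERSION_1_9600 ||
         __OsVersion == WIN10_VERSION_10240);

    memset(&__NtdllInfos, 0, sizeof(__NtdllInfos));

    // process / thread / memory
    __NtdllInfos[ZW_CREATE_THREAD].ServiceName = "NtCreateThread";
    __NtdllInfos[ZW_SUSPEND_THREAD].ServiceName = "NtSuspendThread";
    __NtdllInfos[ZW_SUSPEND_PROCESS].ServiceName = "NtSuspendProcess";
    __NtdllInfos[ZW_PROTECT_VIRTUAL_MEMORY].ServiceName = "NtProtectVirtualMemory";
    __NtdllInfos[ZW_SHUTDOWN_SYSTEM].ServiceName = "NtShutdownSystem";
    __NtdllInfos[ZW_TERMINATE_THREAD].ServiceName = "NtTerminateThread";
    __NtdllInfos[ZW_SET_CONTEXT_THREAD].ServiceName = "NtSetContextThread";
    __NtdllInfos[ZW_TERMINATE_JOB_OBJECT].ServiceName = "NtTerminateJobObject";
    __NtdllInfos[ZW_SYSTEM_DEBUG_CONTROL].ServiceName = "NtSystemDebugControl";
    __NtdllInfos[ZW_DEBUG_ACTIVE_PROCESS].ServiceName = "NtDebugActiveProcess";
    __NtdllInfos[ZW_SET_SYSTEM_POWER_STATE].ServiceName = "NtSetSystemPowerState";
    __NtdllInfos[ZW_INITIATE_POWER_ACTION].ServiceName = "NtInitiatePowerAction";
    __NtdllInfos[ZW_QUEUE_APC_THREAD].ServiceName = "NtQueueApcThread";
    __NtdllInfos[ZW_QUERY_INFORMATION_THREAD].ServiceName = "NtQueryInformationThread";
    __NtdllInfos[ZW_QUERY_INFORMATION_JOB_OBJECT].ServiceName = "NtQueryInformationJobObject";
    __NtdllInfos[ZW_READ_VIRTUAL_MEMORY].ServiceName = "NtReadVirtualMemory";
    __NtdllInfos[ZW_WRITE_VIRTUAL_MEMORY].ServiceName = "NtWriteVirtualMemory";
    __NtdllInfos[ZW_TERMINATE_PROCESS].ServiceName = "ZwTerminateProcess";
    __NtdllInfos[ZW_CREATE_SECTION].ServiceName = "ZwCreateSection";
    __NtdllInfos[ZW_OPEN_PROCESS].ServiceName = "NtOpenProcess";
    __NtdllInfos[ZW_SET_INFORMATION_PROCESS].ServiceName = "NtSetInformationProcess";

    if (VistaOrLaterBuild)
    {
        __NtdllInfos[ZW_CREATE_THREAD_EX].ServiceName = "NtCreateThreadEx";
        __NtdllInfos[ZW_CREATE_USER_PROCESS].ServiceName = "NtCreateUserProcess";
    }

    // REG
    __NtdllInfos[ZW_OPEN_KEY].ServiceName = "ZwOpenKey";
    __NtdllInfos[ZW_CREATE_KEY].ServiceName = "ZwCreateKey";
    __NtdllInfos[ZW_DELETE_KEY].ServiceName = "ZwDeleteKey";
    __NtdllInfos[ZW_DELETE_VALUE_KEY].ServiceName = "ZwDeleteValueKey";
    __NtdllInfos[ZW_SET_VALUE_KEY].ServiceName = "ZwSetValueKey";
    __NtdllInfos[ZW_QUERY_VALUE_KEY].ServiceName = "ZwQueryValueKey";
    __NtdllInfos[ZW_ENUMERATE_VALUE_KEY].ServiceName = "ZwEnumerateValueKey";
    __NtdllInfos[ZW_ENUMERATE_KEY].ServiceName = "ZwEnumerateKey";
    __NtdllInfos[ZW_QUERY_KEY].ServiceName = "ZwQueryKey";
    __NtdllInfos[ZW_CLOSE_HANDLE].ServiceName = "ZwClose";
    __NtdllInfos[ZW_RENAME_KEY].ServiceName = "ZwRenameKey";

    if (VistaOrLaterBuild)
    {
        __NtdllInfos[ZW_OPEN_KEY_EX].ServiceName = "ZwOpenKeyEx";
    }

    // SYS
    __NtdllInfos[ZW_WRITE_FILE].ServiceName = "ZwWriteFile";
    __NtdllInfos[ZW_OPEN_SECTION].ServiceName = "ZwOpenSection";
    __NtdllInfos[ZW_LOAD_DRIVER].ServiceName = "ZwLoadDriver";
    __NtdllInfos[ZW_SET_SYSTEM_INFORMATION].ServiceName = "ZwSetSystemInformation";
    __NtdllInfos[ZW_REQUEST_WAIT_REPLY_PORT].ServiceName = "ZwRequestWaitReplyPort";
    __NtdllInfos[ZW_SET_SYSTEM_TIME].ServiceName = "ZwSetSystemTime";
    __NtdllInfos[ZW_DEVICE_IO_CONTROL_FILE].ServiceName = "ZwDeviceIoControlFile";
    __NtdllInfos[ZW_RESTORE_KEY].ServiceName = "ZwRestoreKey";
    __NtdllInfos[ZW_REPLY_PORT].ServiceName = "NtReplyPort";
    __NtdllInfos[ZW_UNMAP_VIEWOFSECTION].ServiceName = "ZwUnmapViewOfSection";
    __NtdllInfos[ZW_FREE_VIRTUAL_MEMORY].ServiceName = "ZwFreeVirtualMemory";
    __NtdllInfos[ZW_CREATE_PROCESS_EX].ServiceName = "NtCreateProcessEx";
    __NtdllInfos[ZW_RAISE_HARD_ERROR].ServiceName = "NtRaiseHardError";
    __NtdllInfos[ZW_FS_CONTROL_FILE].ServiceName = "NtFsControlFile";

    if (VistaOrLaterBuild)
    {
        __NtdllInfos[ZW_ALPC_SEND_WAIT_RECEIVE_PORT].ServiceName = "NtAlpcSendWaitReceivePort";
    }

    // PSMON
    __NtdllInfos[ZW_TEST_ALERT].ServiceName = "NtTestAlert";

    // Timer
    __NtdllInfos[ZW_SET_TIMER].ServiceName = "NtSetTimer";
    __NtdllInfos[ZW_QUERY_VIRTUAL_MEMORY].ServiceName = "ZwQueryVirtualMemory";

    /* Count the named slots so the resolver can stop walking the export
       table as soon as all of them have been found. */
    for (i = 0; i < NT_DLL_INFOS; i++)
    {
        if (__NtdllInfos[i].ServiceName != NULL)
        {
            NumberOfServices++;
        }
    }

    GetNtServiceAddress(NumberOfServices);
}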

获取函数地址

/*
 * Pick the export-table walker that matches the detected build and run it.
 *
 * NumberOfServices: number of __NtdllInfos slots with a non-NULL ServiceName,
 *                   forwarded unchanged to the walker as its early-exit count.
 *
 * Only the WIN10_VERSION_10240 build uses Internal1 (raw name ordinals);
 * every other build goes through Internal2 (ordinal adjusted by Base - 1).
 */
void GetNtServiceAddress(ULONG NumberOfServices)
{
    if (__OsVersion != WIN10_VERSION_10240)
    {
        GetNtServiceAddressInternal2(NumberOfServices);
        return;
    }

    GetNtServiceAddressInternal1(NumberOfServices);
}

解析PE结构

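/*
 * Resolve the ServiceAddress of every named __NtdllInfos slot by walking the
 * export directory of the ntdll image mapped at __NtdllImageBase.
 * Variant for the build where AddressOfNameOrdinals[i] is used directly as
 * the zero-based index into AddressOfFunctions (see GetNtServiceAddress).
 *
 * NumberOfServices: how many slots carry a non-NULL ServiceName; the walk
 *                   stops as soon as that many have been resolved.
 *
 * Only slots whose ServiceAddress is still NULL are written, so a second
 * call is harmless. Names that are not exported keep a NULL ServiceAddress;
 * every consumer must check for that.
 *
 * The image is read under __try: a fault while touching the headers leaves
 * the remaining slots unresolved rather than crashing. The header layout
 * parsed here is IMAGE_OPTIONAL_HEADER32, i.e. a 32-bit ntdll only.
 */
void GetNtServiceAddressInternal1(ULONG NumberOfServices)
{
    PVOID v1 = NULL;

    IMAGE_DOS_HEADER* ImageDosHeader;
    IMAGE_OPTIONAL_HEADER32* ImageOptionalHeader32;
    IMAGE_EXPORT_DIRECTORY* ImageExportDirectory;

    ULONG* AddressOfFunctions;
    ULONG* AddressOfNames;
    USHORT* AddressOfNameOrdinals;
    ULONG ExportDirectoryRva;
    ULONG NumberOfFunctions;
    ULONG NumberOfNames;
    ULONG Ordinals;
    ULONG i;
    PVOID ServiceAddress; /* kept as a pointer: a ULONG would truncate on 64-bit */
    char* ServiceName;

    ULONG j = 0;
    ULONG k = 0;

    __try
    {
        v1 = __NtdllImageBase;
        if (v1 == NULL || NumberOfServices == 0)
            return;

        ImageDosHeader = (IMAGE_DOS_HEADER*)v1;
        /* e_lfanew locates IMAGE_NT_HEADERS; the optional header follows the
           4-byte PE signature and the 20-byte IMAGE_FILE_HEADER (24 bytes). */
        ImageOptionalHeader32 = (IMAGE_OPTIONAL_HEADER32*)((UINT8*)v1 + ImageDosHeader->e_lfanew + 24);

        ExportDirectoryRva = ImageOptionalHeader32->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
        if (ExportDirectoryRva == 0)
            return; /* no export table: nothing can be resolved */

        ImageExportDirectory = (IMAGE_EXPORT_DIRECTORY*)((UINT8*)v1 + ExportDirectoryRva);
        AddressOfFunctions = (ULONG*)((UINT8*)v1 + ImageExportDirectory->AddressOfFunctions);
        AddressOfNames = (ULONG*)((UINT8*)v1 + ImageExportDirectory->AddressOfNames);
        AddressOfNameOrdinals = (USHORT*)((UINT8*)v1 + ImageExportDirectory->AddressOfNameOrdinals);
        NumberOfFunctions = ImageExportDirectory->NumberOfFunctions;
        NumberOfNames = ImageExportDirectory->NumberOfNames;

        /* AddressOfNames and AddressOfNameOrdinals have NumberOfNames entries;
           only AddressOfFunctions has NumberOfFunctions entries. Bounding the
           walk by NumberOfFunctions (as before) reads past both name arrays
           whenever an image has more functions than names. */
        for (i = 0; i < NumberOfNames; i++)
        {
            ServiceName = (char*)((UINT8*)v1 + AddressOfNames[i]);

            Ordinals = AddressOfNameOrdinals[i];
            if (Ordinals >= NumberOfFunctions)
                continue; /* malformed entry: never index AddressOfFunctions out of range */

            ServiceAddress = (PVOID)((UINT8*)v1 + AddressOfFunctions[Ordinals]);

            for (j = 0; j < NT_DLL_INFOS; j++)
            {
                if (__NtdllInfos[j].ServiceAddress == NULL && __NtdllInfos[j].ServiceName != NULL)
                {
                    if (_stricmp(ServiceName, __NtdllInfos[j].ServiceName) == 0)
                    {
                        __NtdllInfos[j].ServiceAddress = ServiceAddress;
                        k++;
                        break;
                    }
                }
            }

            if (k >= NumberOfServices)
                break;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        /* Best effort: a fault while reading the image leaves the remaining
           slots with ServiceAddress == NULL, which consumers already handle. */
    }

    return;
}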

非 WIN10_VERSION_10240 版本的区别在于需要加上 Base-1 才能得到 Ordinals；上面（WIN10_VERSION_10240）直接使用 AddressOfNameOrdinals 即可。

AddressOfNameOrdinals = (USHORT*)((UINT8*)v1 + ImageExportDirectory->AddressOfNameOrdinals);
Base = ImageExportDirectory->Base;

for (i = 0; i < ImageExportDirectory->NumberOfFunctions; i++)
{
ServiceName = (char*)((UINT8*)v1 + AddressOfNames[i]);

Ordinals = AddressOfNameOrdinals[i] + Base - 1;
ServiceAddress = (ULONG)((UINT8*)v1 + AddressOfFunctions[Ordinals]);
......
}
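/*
 * Resolve the ServiceAddress of every named __NtdllInfos slot by walking the
 * export directory of the ntdll image mapped at __NtdllImageBase.
 * Variant for every build other than WIN10_VERSION_10240: the name ordinal
 * is adjusted by (Base - 1) before indexing AddressOfFunctions.
 *
 * NOTE(review): per the PE format, AddressOfNameOrdinals already holds
 * zero-based indices into AddressOfFunctions (Base only biases the ordinal
 * as seen by the loader), so "+ Base - 1" is an identity only when Base == 1.
 * The adjustment is kept because this module reports it as required on the
 * builds it targets; confirm against those images before relying on it.
 *
 * NumberOfServices: how many slots carry a non-NULL ServiceName; the walk
 *                   stops as soon as that many have been resolved.
 *
 * Only slots whose ServiceAddress is still NULL are written. Names that are
 * not exported keep a NULL ServiceAddress; every consumer must check for it.
 * The image is read under __try so a fault leaves the remaining slots
 * unresolved instead of crashing. Parses IMAGE_OPTIONAL_HEADER32 only.
 */
void GetNtServiceAddressInternal2(ULONG NumberOfServices)
{
    PVOID v1 = NULL;

    IMAGE_DOS_HEADER* ImageDosHeader;
    IMAGE_OPTIONAL_HEADER32* ImageOptionalHeader32;
    IMAGE_EXPORT_DIRECTORY* ImageExportDirectory;

    ULONG* AddressOfFunctions;
    ULONG* AddressOfNames;
    USHORT* AddressOfNameOrdinals;

    ULONG ExportDirectoryRva;
    ULONG NumberOfFunctions;
    ULONG NumberOfNames;
    ULONG Ordinals;
    ULONG Base, i;
    PVOID ServiceAddress; /* kept as a pointer: a ULONG would truncate on 64-bit */
    char* ServiceName;

    ULONG j = 0;
    ULONG k = 0;

    __try
    {
        v1 = __NtdllImageBase;
        if (v1 == NULL || NumberOfServices == 0)
            return;

        ImageDosHeader = (IMAGE_DOS_HEADER*)v1;
        /* e_lfanew locates IMAGE_NT_HEADERS; the optional header follows the
           4-byte PE signature and the 20-byte IMAGE_FILE_HEADER (24 bytes). */
        ImageOptionalHeader32 = (IMAGE_OPTIONAL_HEADER32*)((UINT8*)v1 + ImageDosHeader->e_lfanew + 24);

        ExportDirectoryRva = ImageOptionalHeader32->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
        if (ExportDirectoryRva == 0)
            return; /* no export table: nothing can be resolved */

        ImageExportDirectory = (IMAGE_EXPORT_DIRECTORY*)((UINT8*)v1 + ExportDirectoryRva);
        AddressOfFunctions = (ULONG*)((UINT8*)v1 + ImageExportDirectory->AddressOfFunctions);
        AddressOfNames = (ULONG*)((UINT8*)v1 + ImageExportDirectory->AddressOfNames);
        AddressOfNameOrdinals = (USHORT*)((UINT8*)v1 + ImageExportDirectory->AddressOfNameOrdinals);
        NumberOfFunctions = ImageExportDirectory->NumberOfFunctions;
        NumberOfNames = ImageExportDirectory->NumberOfNames;

        Base = ImageExportDirectory->Base;

        /* AddressOfNames and AddressOfNameOrdinals have NumberOfNames entries;
           only AddressOfFunctions has NumberOfFunctions entries. Bounding the
           walk by NumberOfFunctions (as before) reads past both name arrays
           whenever an image has more functions than names. */
        for (i = 0; i < NumberOfNames; i++)
        {
            ServiceName = (char*)((UINT8*)v1 + AddressOfNames[i]);

            /* Unsigned arithmetic: a Base of 0 wraps to a huge value, which
               the range check below rejects like any other bad index. */
            Ordinals = AddressOfNameOrdinals[i] + Base - 1;
            if (Ordinals >= NumberOfFunctions)
                continue; /* malformed entry: never index AddressOfFunctions out of range */

            ServiceAddress = (PVOID)((UINT8*)v1 + AddressOfFunctions[Ordinals]);

            for (j = 0; j < NT_DLL_INFOS; j++)
            {
                if (__NtdllInfos[j].ServiceAddress == NULL && __NtdllInfos[j].ServiceName != NULL)
                {
                    if (_stricmp(ServiceName, __NtdllInfos[j].ServiceName) == 0)
                    {
                        __NtdllInfos[j].ServiceAddress = ServiceAddress;
                        k++;
                        break;
                    }
                }
            }

            if (k >= NumberOfServices)
                break;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        /* Best effort: a fault while reading the image leaves the remaining
           slots with ServiceAddress == NULL, which consumers already handle. */
    }

    return;
}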

Ntos服务号、函数地址

用函数名构造 UNICODE_STRING，调用 MmGetSystemRoutineAddress 获取函数地址

/* System service number of NtReadVirtualMemory, derived from the resolved
   ntdll stub by GetNtServiceIdentity(); 0 means "not yet resolved / unknown". */
ULONG __NtReadVirtualMemoryServiceIdentity = 0;
/* Signature of the kernel routine looked up by name in InitializeNtosKernel(). */
typedef NTKERNELAPI BOOLEAN(*PFN_PSGETPROCESSEXITPROCESSCALLED)(PEPROCESS EProcess);
/*
 * One-time kernel-side setup:
 *  - derive the NtReadVirtualMemory service number from the ntdll stub
 *    resolved into __NtdllInfos (only if not already known), and
 *  - look up PsGetProcessExitProcessCalled by name.
 *
 * MmGetSystemRoutineAddress returns NULL when the routine is not exported by
 * the running kernel; the result is stored as-is, so callers of
 * __PsGetProcessExitProcessCalled must check it for NULL first.
 * Likewise GetNtServiceIdentity returns 0 for an unresolved/unexpected stub.
 */
void InitializeNtosKernel()
{
    UNICODE_STRING RoutineName;

    RtlInitUnicodeString(&RoutineName, L"PsGetProcessExitProcessCalled");
    __PsGetProcessExitProcessCalled = (PFN_PSGETPROCESSEXITPROCESSCALLED)MmGetSystemRoutineAddress(&RoutineName);

    if (!__NtReadVirtualMemoryServiceIdentity)
    {
        __NtReadVirtualMemoryServiceIdentity = GetNtServiceIdentity((PVOID)__NtdllInfos[ZW_READ_VIRTUAL_MEMORY].ServiceAddress);
    }
}

地址转服务号

/*
 * Extract the system service number from an ntdll service stub.
 *
 * ServiceAddress: start of the stub (a resolved __NtdllInfos ServiceAddress),
 *                 or NULL.
 * Returns the 32-bit immediate that follows the leading 0xB8 byte
 * (the x86 encoding of "mov eax, imm32") when it passes IS_VALID_ID,
 * otherwise 0. Any other first byte — including other stub layouts — yields 0.
 *
 * Unlike GetNtServiceAddressInternal1/2 this read is not wrapped in __try,
 * so the caller is responsible for passing an address that is mapped.
 */
ULONG GetNtServiceIdentity(PVOID ServiceAddress)
{
    const UCHAR* Stub = (const UCHAR*)ServiceAddress;
    ULONG Identity;

    if (Stub == NULL || Stub[0] != (UCHAR)0xB8)
    {
        return 0;
    }

    Identity = *(const ULONG*)(Stub + 1);

    return IS_VALID_ID(Identity) ? Identity : 0;
}