Can anyone tell me whether there is a way to get the base address of ntoskrnl.exe by hand? I'm writing ring0 shellcode and can't figure out where to pull that address from.
An excerpt from the book Windows NT/2000 Native API Reference by Gary Nebbett:

ZwQuerySystemInformation

ZwQuerySystemInformation queries information about the system.

NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );

Parameters

SystemInformationClass
The type of system information to be queried. The permitted values are a subset of the enumeration SYSTEM_INFORMATION_CLASS, described in the following section.

SystemInformation
Points to a caller-allocated buffer or variable that receives the requested system information.

SystemInformationLength
The size in bytes of SystemInformation, which the caller should set according to the given SystemInformationClass.

ReturnLength
Optionally points to a variable that receives the number of bytes actually returned to SystemInformation; if SystemInformationLength is too small to contain the available information, the variable is normally set to zero except for two information classes (6 and 11) when it is set to the number of bytes required for the available information. If this information is not needed, ReturnLength may be a null pointer.

Return Value
Returns STATUS_SUCCESS or an error status, such as STATUS_INVALID_INFO_CLASS, STATUS_NOT_IMPLEMENTED or STATUS_INFO_LENGTH_MISMATCH.

Related Win32 Functions
GetSystemInfo, GetTimeZoneInformation, GetSystemTimeAdjustment, PSAPI functions, and performance counters.

Remarks
ZwQuerySystemInformation is the source of much of the information displayed by "Performance Monitor" for the classes Cache, Memory, Objects, Paging File, Process, Processor, System, and Thread. It is also frequently used by resource kit utilities that display information about the system.

The ReturnLength information is not always valid (depending on the information class), even when the routine returns STATUS_SUCCESS. When the return value indicates STATUS_INFO_LENGTH_MISMATCH, only some of the information classes return an estimate of the required length.

Some information classes are implemented only in the "checked" version of the kernel. Some, such as SystemCallCounts, return useful information only in "checked" versions of the kernel.

Some information classes require certain flags to have been set in NtGlobalFlags at boot time. For example, SystemObjectInformation requires that FLG_MAINTAIN_OBJECT_TYPELIST be set at boot time.

Information class SystemNotImplemented1 (4) would return STATUS_NOT_IMPLEMENTED if it were not for the fact that it uses DbgPrint to print the text "EX: SystemPathInformation now available via SharedUserData." and then calls DbgBreakPoint. The breakpoint exception is caught by a frame based exception handler (in the absence of intervention by a debugger) and causes ZwQuerySystemInformation to return with STATUS_BREAKPOINT.
http://www.eeye.com/~data/publish/whitepapers/research/OT20050205.FILE.pdf has a hint on how to get a pointer to ntoskrnl.

Code (Text):
    mov esi, dword ptr ds:[0ffdff038h]  ; addr IDT (read from the x86 KPCR at 0ffdff000h)
    lodsd                               ; low dword of IDT entry 0
    cdq
    lodsd                               ; high dword of IDT entry 0: upper half of the INT 0 handler address, which lies inside NTOSKRNL
@base_loop:
    dec eax
    cmp dword ptr [eax], 00905a4dh      ; "MZ\x90\0": the DOS header that starts the image
    jnz @base_loop                      ; on exit eax = addr NTOSKRNL (image base)
SYSTEM_INFORMATION_CLASS

The system information classes available in the "free" (retail) build of the system are listed below along with a remark as to whether the information class can be queried, set, or both. Some of the information classes labeled "SystemNotImplementedXxx" are implemented in the "checked" build, and a few of these classes are briefly described later.

                                                      Query Set
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,                     // 0   Y   N
    SystemProcessorInformation,                 // 1   Y   N
    SystemPerformanceInformation,               // 2   Y   N
    SystemTimeOfDayInformation,                 // 3   Y   N
    SystemNotImplemented1,                      // 4   Y   N
    SystemProcessesAndThreadsInformation,       // 5   Y   N
    SystemCallCounts,                           // 6   Y   N
    SystemConfigurationInformation,             // 7   Y   N
    SystemProcessorTimes,                       // 8   Y   N
    SystemGlobalFlag,                           // 9   Y   Y
    SystemNotImplemented2,                      // 10  Y   N
    SystemModuleInformation,                    // 11  Y   N
    SystemLockInformation,                      // 12  Y   N
    SystemNotImplemented3,                      // 13  Y   N
    SystemNotImplemented4,                      // 14  Y   N
    SystemNotImplemented5,                      // 15  Y   N
    SystemHandleInformation,                    // 16  Y   N
    SystemObjectInformation,                    // 17  Y   N
    SystemPagefileInformation,                  // 18  Y   N
    SystemInstructionEmulationCounts,           // 19  Y   N
    SystemInvalidInfoClass1,                    // 20
    SystemCacheInformation,                     // 21  Y   Y
    SystemPoolTagInformation,                   // 22  Y   N
    SystemProcessorStatistics,                  // 23  Y   N
    SystemDpcInformation,                       // 24  Y   Y
    SystemNotImplemented6,                      // 25  Y   N
    SystemLoadImage,                            // 26  N   Y
    SystemUnloadImage,                          // 27  N   Y
    SystemTimeAdjustment,                       // 28  Y   Y
    SystemNotImplemented7,                      // 29  Y   N
    SystemNotImplemented8,                      // 30  Y   N
    SystemNotImplemented9,                      // 31  Y   N
    SystemCrashDumpInformation,                 // 32  Y   N
    SystemExceptionInformation,                 // 33  Y   N
    SystemCrashDumpStateInformation,            // 34  Y   Y/N
    SystemKernelDebuggerInformation,            // 35  Y   N
    SystemContextSwitchInformation,             // 36  Y   N
    SystemRegistryQuotaInformation,             // 37  Y   Y
    SystemLoadAndCallImage,                     // 38  N   Y
    SystemPrioritySeparation,                   // 39  N   Y
    SystemNotImplemented10,                     // 40  Y   N
    SystemNotImplemented11,                     // 41  Y   N
    SystemInvalidInfoClass2,                    // 42
    SystemInvalidInfoClass3,                    // 43
    SystemTimeZoneInformation,                  // 44  Y   N
    SystemLookasideInformation,                 // 45  Y   N
    SystemSetTimeSlipEvent,                     // 46  N   Y
    SystemCreateSession,                        // 47  N   Y
    SystemDeleteSession,                        // 48  N   Y
    SystemInvalidInfoClass4,                    // 49
    SystemRangeStartInformation,                // 50  Y   N
    SystemVerifierInformation,                  // 51  Y   Y
    SystemAddVerifier,                          // 52  N   Y
    SystemSessionProcessesInformation           // 53  Y   N
} SYSTEM_INFORMATION_CLASS;

SystemModuleInformation

typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11
    ULONG  Reserved[2];
    PVOID  Base;
    ULONG  Size;
    ULONG  Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR   ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

Members

Base
The base address of the module.

Size
The size of the module.

Flags
A bit array of flags describing the state of the module.

Index
The index of the module in the array of modules.

Unknown
Normally contains zero; interpretation unknown.

LoadCount
The number of references to the module.

ModuleNameOffset
The offset to the final filename component of the image name.

ImageName
The filepath of the module.

Remarks
The data returned to the SystemInformation buffer is a ULONG count of the number of modules followed immediately by an array of SYSTEM_MODULE_INFORMATION. The system modules are the Portable Executable (PE) format files loaded into the kernel address space (ntoskrnl.exe, hal.dll, device drivers, and so on) and ntdll.dll.

The PSAPI function EnumDeviceDrivers uses this information class to obtain a list of the device drivers in the system. It is also used by the PSAPI functions GetDeviceDriverFileName and GetDeviceDriverBaseName.

The code in Example 1.3 uses this information class.
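As an added illustration of the buffer layout the excerpt describes (my own example, not code from the book or from the thread): a parser for the SystemModuleInformation (class 11) result, a ULONG count followed by an array of 284-byte SYSTEM_MODULE_INFORMATION entries, that finds a module's Base by its file name via ModuleNameOffset. On a real system the buffer would come from ZwQuerySystemInformation sized by the ReturnLength that class 11 reports on STATUS_INFO_LENGTH_MISMATCH; here the buffer is constructed with made-up addresses so it runs anywhere, and the parser refuses to walk a count that overruns the buffer it was given.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* SYSTEM_MODULE_INFORMATION with 32-bit Windows widths (284 bytes), fixed-width so it parses the same on any host. */
typedef struct {
    uint32_t Reserved[2];
    uint32_t Base;              /* PVOID on 32-bit Windows */
    uint32_t Size, Flags;
    uint16_t Index, Unknown, LoadCount;
    uint16_t ModuleNameOffset;  /* where the file name starts inside ImageName */
    char     ImageName[256];
} SysModInfo32;

/* Return the Base of the module named `name` from a (count, array) buffer; 0 if absent or if count overruns len. */
uint32_t find_module_base(const uint8_t *buf, size_t len, const char *name)
{
    uint32_t count;
    if (len < sizeof count) return 0;
    memcpy(&count, buf, sizeof count);
    if ((len - sizeof count) / sizeof(SysModInfo32) < count) return 0;
    for (uint32_t i = 0; i < count; i++) {
        SysModInfo32 m;                      /* memcpy: buffer alignment is not assumed */
        memcpy(&m, buf + sizeof count + (size_t)i * sizeof m, sizeof m);
        m.ImageName[sizeof m.ImageName - 1] = '\0';
        if (m.ModuleNameOffset >= sizeof m.ImageName) continue;  /* bogus offset, skip entry */
        if (strcmp(m.ImageName + m.ModuleNameOffset, name) == 0) return m.Base;
    }
    return 0;
}

/* Constructed sample buffer with two modules and made-up addresses (not values from a real system). */
size_t build_sample(uint8_t *out, size_t cap)
{
    const uint32_t count = 2;
    SysModInfo32 m[2];
    memset(m, 0, sizeof m);
    m[0].Base = 0x804d7000u; m[0].Size = 0x1f8000u; m[0].Index = 0; m[0].LoadCount = 1;
    strcpy(m[0].ImageName, "\\WINDOWS\\system32\\ntoskrnl.exe");
    m[0].ModuleNameOffset = (uint16_t)(strlen(m[0].ImageName) - strlen("ntoskrnl.exe"));
    m[1].Base = 0x806e4000u; m[1].Size = 0x020300u; m[1].Index = 1; m[1].LoadCount = 1;
    strcpy(m[1].ImageName, "\\WINDOWS\\system32\\hal.dll");
    m[1].ModuleNameOffset = (uint16_t)(strlen(m[1].ImageName) - strlen("hal.dll"));
    if (cap < sizeof count + sizeof m) return 0;
    memcpy(out, &count, sizeof count);
    memcpy(out + sizeof count, m, sizeof m);
    return sizeof count + sizeof m;
}
```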
Son of God
Why post so much? P.S. And how is he supposed to get the address of ZwQuerySystemInformation in shellcode without knowing the base address of ntoskrnl?