今天小編給大家分享一下C語言驅動開發內核特征碼掃描PE代碼怎么寫的相關知識點,內容詳細,邏輯清晰,相信大部分人都還不太了解這方面的知識,所以分享這篇文章給大家參考一下,希望大家閱讀完這篇文章后有所收獲,下面我們一起來了解一下吧。
為了后續教程能夠繼續,先來定義一個lyshark.h
頭文件,該頭文件中包含了我們本篇文章所必須要使用到的結構體定義
#include <ntifs.h>
#include <ntimage.h>

/*
 * lyshark.h - local declarations shared by the kernel-mode pattern-scanning
 * samples. The structures, enum and prototypes below are not provided by the
 * two WDK headers included above, so they are declared here by hand.
 */

/* Loader data table entry as assumed by these samples. Fields named
 * __Undefined*/__padding* are opaque slots kept only for layout. */
typedef struct _KLDR_DATA_TABLE_ENTRY {
    LIST_ENTRY64   InLoadOrderLinks;
    ULONG64        __Undefined1;
    ULONG64        __Undefined2;
    ULONG64        __Undefined3;
    ULONG64        NonPagedDebugInfo;
    ULONG64        DllBase;
    ULONG64        EntryPoint;
    ULONG          SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG          Flags;
    USHORT         LoadCount;
    USHORT         __Undefined5;
    ULONG64        __Undefined6;
    ULONG          CheckSum;
    ULONG          __padding1;
    ULONG          TimeDateStamp;
    ULONG          __padding2;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;

/* One loaded-module record as returned for SystemModuleInformation.
 * OffsetToFileName indexes into FullPathName. */
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
    HANDLE Section;
    PVOID  MappedBase;
    PVOID  ImageBase;
    ULONG  ImageSize;
    ULONG  Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR  FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

/* Header of the SystemModuleInformation buffer; Modules[] is variable-length
 * (declared with one element, NumberOfModules gives the real count). */
typedef struct _RTL_PROCESS_MODULES {
    ULONG                          NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

/* Information classes accepted by ZwQuerySystemInformation.
 * Only SystemModuleInformation (0xb) is used by the samples. */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation = 0x0,
    SystemProcessorInformation = 0x1,
    SystemPerformanceInformation = 0x2,
    SystemTimeOfDayInformation = 0x3,
    SystemPathInformation = 0x4,
    SystemProcessInformation = 0x5,
    SystemCallCountInformation = 0x6,
    SystemDeviceInformation = 0x7,
    SystemProcessorPerformanceInformation = 0x8,
    SystemFlagsInformation = 0x9,
    SystemCallTimeInformation = 0xa,
    SystemModuleInformation = 0xb,
    SystemLocksInformation = 0xc,
    SystemStackTraceInformation = 0xd,
    SystemPagedPoolInformation = 0xe,
    SystemNonPagedPoolInformation = 0xf,
    SystemHandleInformation = 0x10,
    SystemObjectInformation = 0x11,
    SystemPageFileInformation = 0x12,
    SystemVdmInstemulInformation = 0x13,
    SystemVdmBopInformation = 0x14,
    SystemFileCacheInformation = 0x15,
    SystemPoolTagInformation = 0x16,
    SystemInterruptInformation = 0x17,
    SystemDpcBehaviorInformation = 0x18,
    SystemFullMemoryInformation = 0x19,
    SystemLoadGdiDriverInformation = 0x1a,
    SystemUnloadGdiDriverInformation = 0x1b,
    SystemTimeAdjustmentInformation = 0x1c,
    SystemSummaryMemoryInformation = 0x1d,
    SystemMirrorMemoryInformation = 0x1e,
    SystemPerformanceTraceInformation = 0x1f,
    SystemObsolete0 = 0x20,
    SystemExceptionInformation = 0x21,
    SystemCrashDumpStateInformation = 0x22,
    SystemKernelDebuggerInformation = 0x23,
    SystemContextSwitchInformation = 0x24,
    SystemRegistryQuotaInformation = 0x25,
    SystemExtendServiceTableInformation = 0x26,
    SystemPrioritySeperation = 0x27,
    SystemVerifierAddDriverInformation = 0x28,
    SystemVerifierRemoveDriverInformation = 0x29,
    SystemProcessorIdleInformation = 0x2a,
    SystemLegacyDriverInformation = 0x2b,
    SystemCurrentTimeZoneInformation = 0x2c,
    SystemLookasideInformation = 0x2d,
    SystemTimeSlipNotification = 0x2e,
    SystemSessionCreate = 0x2f,
    SystemSessionDetach = 0x30,
    SystemSessionInformation = 0x31,
    SystemRangeStartInformation = 0x32,
    SystemVerifierInformation = 0x33,
    SystemVerifierThunkExtend = 0x34,
    SystemSessionProcessInformation = 0x35,
    SystemLoadGdiDriverInSystemSpace = 0x36,
    SystemNumaProcessorMap = 0x37,
    SystemPrefetcherInformation = 0x38,
    SystemExtendedProcessInformation = 0x39,
    SystemRecommendedSharedDataAlignment = 0x3a,
    SystemComPlusPackage = 0x3b,
    SystemNumaAvailableMemory = 0x3c,
    SystemProcessorPowerInformation = 0x3d,
    SystemEmulationBasicInformation = 0x3e,
    SystemEmulationProcessorInformation = 0x3f,
    SystemExtendedHandleInformation = 0x40,
    SystemLostDelayedWriteInformation = 0x41,
    SystemBigPoolInformation = 0x42,
    SystemSessionPoolTagInformation = 0x43,
    SystemSessionMappedViewInformation = 0x44,
    SystemHotpatchInformation = 0x45,
    SystemObjectSecurityMode = 0x46,
    SystemWatchdogTimerHandler = 0x47,
    SystemWatchdogTimerInformation = 0x48,
    SystemLogicalProcessorInformation = 0x49,
    SystemWow64SharedInformationObsolete = 0x4a,
    SystemRegisterFirmwareTableInformationHandler = 0x4b,
    SystemFirmwareTableInformation = 0x4c,
    SystemModuleInformationEx = 0x4d,
    SystemVerifierTriageInformation = 0x4e,
    SystemSuperfetchInformation = 0x4f,
    SystemMemoryListInformation = 0x50,
    SystemFileCacheInformationEx = 0x51,
    SystemThreadPriorityClientIdInformation = 0x52,
    SystemProcessorIdleCycleTimeInformation = 0x53,
    SystemVerifierCancellationInformation = 0x54,
    SystemProcessorPowerInformationEx = 0x55,
    SystemRefTraceInformation = 0x56,
    SystemSpecialPoolInformation = 0x57,
    SystemProcessIdInformation = 0x58,
    SystemErrorPortInformation = 0x59,
    SystemBootEnvironmentInformation = 0x5a,
    SystemHypervisorInformation = 0x5b,
    SystemVerifierInformationEx = 0x5c,
    SystemTimeZoneInformation = 0x5d,
    SystemImageFileExecutionOptionsInformation = 0x5e,
    SystemCoverageInformation = 0x5f,
    SystemPrefetchPatchInformation = 0x60,
    SystemVerifierFaultsInformation = 0x61,
    SystemSystemPartitionInformation = 0x62,
    SystemSystemDiskInformation = 0x63,
    SystemProcessorPerformanceDistribution = 0x64,
    SystemNumaProximityNodeInformation = 0x65,
    SystemDynamicTimeZoneInformation = 0x66,
    SystemCodeIntegrityInformation = 0x67,
    SystemProcessorMicrocodeUpdateInformation = 0x68,
    SystemProcessorBrandString = 0x69,
    SystemVirtualAddressInformation = 0x6a,
    SystemLogicalProcessorAndGroupInformation = 0x6b,
    SystemProcessorCycleTimeInformation = 0x6c,
    SystemStoreInformation = 0x6d,
    SystemRegistryAppendString = 0x6e,
    SystemAitSamplingValue = 0x6f,
    SystemVhdBootInformation = 0x70,
    SystemCpuQuotaInformation = 0x71,
    SystemNativeBasicInformation = 0x72,
    SystemErrorPortTimeouts = 0x73,
    SystemLowPriorityIoInformation = 0x74,
    SystemBootEntropyInformation = 0x75,
    SystemVerifierCountersInformation = 0x76,
    SystemPagedPoolInformationEx = 0x77,
    SystemSystemPtesInformationEx = 0x78,
    SystemNodeDistanceInformation = 0x79,
    SystemAcpiAuditInformation = 0x7a,
    SystemBasicPerformanceInformation = 0x7b,
    SystemQueryPerformanceCounterInformation = 0x7c,
    SystemSessionBigPoolInformation = 0x7d,
    SystemBootGraphicsInformation = 0x7e,
    SystemScrubPhysicalMemoryInformation = 0x7f,
    SystemBadPageInformation = 0x80,
    SystemProcessorProfileControlArea = 0x81,
    SystemCombinePhysicalMemoryInformation = 0x82,
    SystemEntropyInterruptTimingInformation = 0x83,
    SystemConsoleInformation = 0x84,
    SystemPlatformBinaryInformation = 0x85,
    SystemThrottleNotificationInformation = 0x86,
    SystemHypervisorProcessorCountInformation = 0x87,
    SystemDeviceDataInformation = 0x88,
    SystemDeviceDataEnumerationInformation = 0x89,
    SystemMemoryTopologyInformation = 0x8a,
    SystemMemoryChannelInformation = 0x8b,
    SystemBootLogoInformation = 0x8c,
    SystemProcessorPerformanceInformationEx = 0x8d,
    SystemSpare0 = 0x8e,
    SystemSecureBootPolicyInformation = 0x8f,
    SystemPageFileInformationEx = 0x90,
    SystemSecureBootInformation = 0x91,
    SystemEntropyInterruptTimingRawInformation = 0x92,
    SystemPortableWorkspaceEfiLauncherInformation = 0x93,
    SystemFullProcessInformation = 0x94,
    SystemKernelDebuggerInformationEx = 0x95,
    SystemBootMetadataInformation = 0x96,
    SystemSoftRebootInformation = 0x97,
    SystemElamCertificateInformation = 0x98,
    SystemOfflineDumpConfigInformation = 0x99,
    SystemProcessorFeaturesInformation = 0x9a,
    SystemRegistryReconciliationInformation = 0x9b,
    MaxSystemInfoClass = 0x9c,
} SYSTEM_INFORMATION_CLASS;

/* Function declarations */
/* By: Lyshark.com */

/* Returns the IMAGE_NT_HEADERS of a mapped image, or NULL if Base is not a
 * valid image (used by the samples to walk the kernel's section table). */
NTSYSAPI PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(_In_ PVOID Base);

/* Lengths are ULONG here, matching the kernel export. */
NTSTATUS NTAPI ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass,
                                        PVOID SystemInformation,
                                        ULONG SystemInformationLength,
                                        PULONG ReturnLength);

/* Pointer type the final sample stores its scan result in. */
typedef VOID(__cdecl *PMiProcessLoaderEntry)(PKLDR_DATA_TABLE_ENTRY section, IN LOGICAL Insert);

/* NOTE(review): this function-pointer type uses ULONG_PTR for the length
 * arguments while the prototype above uses ULONG; on 64-bit the two disagree.
 * Nothing on this page uses the typedef - confirm the widths before relying on it. */
typedef NTSTATUS(*NTQUERYSYSTEMINFORMATION)(IN ULONG SystemInformationClass,
                                            OUT PVOID SystemInformation,
                                            IN ULONG_PTR SystemInformationLength,
                                            OUT PULONG_PTR ReturnLength OPTIONAL);
我們繼續,首先實現特征碼字符串的解析與掃描實現,此處UtilLySharkSearchPattern
函數(shù)就是LyShark
封裝過的,這里依次介紹一下參數傳遞的含義。
pattern 用于傳入一段字符串特征值(以\x開頭)
len 代表輸入特征碼長度(除去\x后的長度)
base 代表掃描內(nèi)存的基地址
size 代表需要向下掃描的長(zhǎng)度
ppFound 代表掃描到首地址以后返回的內(nèi)存地址
這段代碼該如何使用,如下我們以定位IoInitializeTimer
為例,演示UtilLySharkSearchPattern
如何定位特征的,如下代碼pattern
變量中就是我們需要定位的特征值,pattern_size
則是需要定位的特征碼長度,在address
地址位置向下掃描128
字節(jié),找到則返回到find_address
變量內。
// 署名權(quán) // right to sign one's name on a piece of work // PowerBy: LyShark // Email: me@lyshark.com #include "lyshark.h" PVOID GetIoInitializeTimerAddress() { PVOID VariableAddress = 0; UNICODE_STRING uioiTime = { 0 }; RtlInitUnicodeString(&uioiTime, L"IoInitializeTimer"); VariableAddress = (PVOID)MmGetSystemRoutineAddress(&uioiTime); if (VariableAddress != 0) { return VariableAddress; } return 0; } // 對(duì)指定內(nèi)存執(zhí)行特征碼掃描 NTSTATUS UtilLySharkSearchPattern(IN PUCHAR pattern, IN ULONG_PTR len, IN const VOID* base, IN ULONG_PTR size, OUT PVOID* ppFound) { // 計(jì)算匹配長(zhǎng)度 // LyShark.com 特征碼掃描 NT_ASSERT(ppFound != 0 && pattern != 0 && base != 0); if (ppFound == 0 || pattern == 0 || base == 0) { return STATUS_INVALID_PARAMETER; } __try { for (ULONG_PTR i = 0; i < size - len; i++) { BOOLEAN found = TRUE; for (ULONG_PTR j = 0; j < len; j++) { if (pattern[j] != ((PUCHAR)base)[i + j]) { found = FALSE; break; } } if (found != FALSE) { *ppFound = (PUCHAR)base + i; DbgPrint("[LyShark.com] 特征碼匹配地址: %p \n", (PUCHAR)base + i); return STATUS_SUCCESS; } } } __except (EXCEPTION_EXECUTE_HANDLER) { return STATUS_UNHANDLED_EXCEPTION; } return STATUS_NOT_FOUND; } VOID UnDriver(PDRIVER_OBJECT driver) { DbgPrint(("Uninstall Driver Is OK \n")); } NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath) { DbgPrint(("hello lyshark.com \n")); // 返回匹配長(zhǎng)度5 CHAR pattern[] = "\x48\x89\x6c\x24\x10"; PVOID *find_address = NULL; int pattern_size = sizeof(pattern) - 1; DbgPrint("匹配長(zhǎng)度: %d \n", pattern_size); // 得到基地址 PVOID address = GetIoInitializeTimerAddress(); // 掃描特征 NTSTATUS nt = UtilLySharkSearchPattern((PUCHAR)pattern, pattern_size, address, 128, &find_address); DbgPrint("[LyShark 返回地址 => ] 0x%p \n", (ULONG64)find_address); Driver->DriverUnload = UnDriver; return STATUS_SUCCESS; }
運行驅動程序完成特征定位,并對比定位效果。
如上述所示定位函數我們已經封裝好了,相信你也能感受到這種方式要比使用數組更方便,為了能定位到內核PE結構我們需要使用RtlImageNtHeader
來解析,這個內核函數專門用來得到內核程序的PE頭部結構的,在下方案例中首先我們使用封裝過的LySharkToolsUtilKernelBase
函數拿到內核基址,拿到基址以后可以直接使用RtlImageNtHeader
對其PE頭部進行解析,如下所示。
// 署名權(quán) // right to sign one's name on a piece of work // PowerBy: LyShark // Email: me@lyshark.com #include "lyshark.h" // 定義全局變量 static PVOID g_KernelBase = 0; static ULONG g_KernelSize = 0; // 得到KernelBase基地址 // lyshark.com PVOID LySharkToolsUtilKernelBase(OUT PULONG pSize) { NTSTATUS status = STATUS_SUCCESS; ULONG bytes = 0; PRTL_PROCESS_MODULES pMods = 0; PVOID checkPtr = 0; UNICODE_STRING routineName; if (g_KernelBase != 0) { if (pSize) { *pSize = g_KernelSize; } return g_KernelBase; } RtlInitUnicodeString(&routineName, L"NtOpenFile"); checkPtr = MmGetSystemRoutineAddress(&routineName); if (checkPtr == 0) return 0; __try { status = ZwQuerySystemInformation(SystemModuleInformation, 0, bytes, &bytes); if (bytes == 0) { return 0; } pMods = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPoolNx, bytes, L"LyShark"); RtlZeroMemory(pMods, bytes); status = ZwQuerySystemInformation(SystemModuleInformation, pMods, bytes, &bytes); if (NT_SUCCESS(status)) { PRTL_PROCESS_MODULE_INFORMATION pMod = pMods->Modules; for (ULONG i = 0; i < pMods->NumberOfModules; i++) { if (checkPtr >= pMod[i].ImageBase && checkPtr < (PVOID)((PUCHAR)pMod[i].ImageBase + pMod[i].ImageSize)) { g_KernelBase = pMod[i].ImageBase; g_KernelSize = pMod[i].ImageSize; if (pSize) { *pSize = g_KernelSize; } break; } } } } __except (EXCEPTION_EXECUTE_HANDLER) { return 0; } if (pMods) { ExFreePoolWithTag(pMods, L"LyShark"); } DbgPrint("KernelBase = > %p \n", g_KernelBase); return g_KernelBase; } VOID UnDriver(PDRIVER_OBJECT driver) { DbgPrint(("Uninstall Driver Is OK \n")); } NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath) { DbgPrint(("hello lyshark.com \n")); // 獲取內(nèi)核第一個(gè)模塊的基地址 PVOID base = LySharkToolsUtilKernelBase(0); if (!base) return STATUS_NOT_FOUND; // 得到NT頭部PE32+結(jié)構(gòu) // lyshark.com PIMAGE_NT_HEADERS64 pHdr = RtlImageNtHeader(base); if (!pHdr) return STATUS_INVALID_IMAGE_FORMAT; // 首先尋找代碼段 PIMAGE_SECTION_HEADER pFirstSection = 
(PIMAGE_SECTION_HEADER)(pHdr + 1); for (PIMAGE_SECTION_HEADER pSection = pFirstSection; pSection < pFirstSection + pHdr->FileHeader.NumberOfSections; pSection++) { ANSI_STRING LySharkSection, LySharkName; RtlInitAnsiString(&LySharkSection, ".text"); RtlInitAnsiString(&LySharkName, (PCCHAR)pSection->Name); DbgPrint("[LyShark.PE] 名字: %Z | 地址: %p | 長(zhǎng)度: %d \n", LySharkName, (PUCHAR)base + pSection->VirtualAddress, pSection->Misc.VirtualSize); } Driver->DriverUnload = UnDriver; return STATUS_SUCCESS; }
運行這段驅動程序,你會得到當前內核的所有PE節信息,枚舉效果如下所示。
既然能夠得到PE頭部數據了,那么我們只需要掃描這段空間并得到匹配到的數據即可,其實很容易實現,如下代碼所示。
// 署名權(quán) // right to sign one's name on a piece of work // PowerBy: LyShark // Email: me@lyshark.com #include "lyshark.h" // 定義全局變量 static PVOID g_KernelBase = 0; static ULONG g_KernelSize = 0; // 得到KernelBase基地址 // lyshark.com PVOID LySharkToolsUtilKernelBase(OUT PULONG pSize) { NTSTATUS status = STATUS_SUCCESS; ULONG bytes = 0; PRTL_PROCESS_MODULES pMods = 0; PVOID checkPtr = 0; UNICODE_STRING routineName; if (g_KernelBase != 0) { if (pSize) { *pSize = g_KernelSize; } return g_KernelBase; } RtlInitUnicodeString(&routineName, L"NtOpenFile"); checkPtr = MmGetSystemRoutineAddress(&routineName); if (checkPtr == 0) return 0; __try { status = ZwQuerySystemInformation(SystemModuleInformation, 0, bytes, &bytes); if (bytes == 0) { return 0; } pMods = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPoolNx, bytes, L"LyShark"); RtlZeroMemory(pMods, bytes); status = ZwQuerySystemInformation(SystemModuleInformation, pMods, bytes, &bytes); if (NT_SUCCESS(status)) { PRTL_PROCESS_MODULE_INFORMATION pMod = pMods->Modules; for (ULONG i = 0; i < pMods->NumberOfModules; i++) { if (checkPtr >= pMod[i].ImageBase && checkPtr < (PVOID)((PUCHAR)pMod[i].ImageBase + pMod[i].ImageSize)) { g_KernelBase = pMod[i].ImageBase; g_KernelSize = pMod[i].ImageSize; if (pSize) { *pSize = g_KernelSize; } break; } } } } __except (EXCEPTION_EXECUTE_HANDLER) { return 0; } if (pMods) { ExFreePoolWithTag(pMods, L"LyShark"); } DbgPrint("KernelBase = > %p \n", g_KernelBase); return g_KernelBase; } // 對(duì)指定內(nèi)存執(zhí)行特征碼掃描 NTSTATUS UtilLySharkSearchPattern(IN PUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, IN const VOID* base, IN ULONG_PTR size, OUT PVOID* ppFound) { NT_ASSERT(ppFound != 0 && pattern != 0 && base != 0); if (ppFound == 0 || pattern == 0 || base == 0) { return STATUS_INVALID_PARAMETER; } __try { for (ULONG_PTR i = 0; i < size - len; i++) { BOOLEAN found = TRUE; for (ULONG_PTR j = 0; j < len; j++) { if (pattern[j] != wildcard && pattern[j] != ((PUCHAR)base)[i + j]) { found = 
FALSE; break; } } if (found != FALSE) { *ppFound = (PUCHAR)base + i; DbgPrint("[LyShark] 特征碼匹配地址: %p \n", (PUCHAR)base + i); return STATUS_SUCCESS; } } } __except (EXCEPTION_EXECUTE_HANDLER) { return STATUS_UNHANDLED_EXCEPTION; } return STATUS_NOT_FOUND; } // 掃描代碼段中的指令片段 NTSTATUS ByLySharkComUtilScanSection(IN PCCHAR section, IN PUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, OUT PVOID* ppFound) { NT_ASSERT(ppFound != 0); if (ppFound == 0) return STATUS_INVALID_PARAMETER; // 獲取內(nèi)核第一個(gè)模塊的基地址 PVOID base = LySharkToolsUtilKernelBase(0); if (!base) return STATUS_NOT_FOUND; // 得到NT頭部PE32+結(jié)構(gòu) PIMAGE_NT_HEADERS64 pHdr = RtlImageNtHeader(base); if (!pHdr) return STATUS_INVALID_IMAGE_FORMAT; // 首先尋找代碼段 PIMAGE_SECTION_HEADER pFirstSection = (PIMAGE_SECTION_HEADER)(pHdr + 1); for (PIMAGE_SECTION_HEADER pSection = pFirstSection; pSection < pFirstSection + pHdr->FileHeader.NumberOfSections; pSection++) { ANSI_STRING LySharkSection, LySharkText; RtlInitAnsiString(&LySharkSection, section); RtlInitAnsiString(&LySharkText, (PCCHAR)pSection->Name); // 判斷是不是我們要找的.text節(jié) if (RtlCompareString(&LySharkSection, &LySharkText, TRUE) == 0) { // 如果是則開始匹配特征碼 return UtilLySharkSearchPattern(pattern, wildcard, len, (PUCHAR)base + pSection->VirtualAddress, pSection->Misc.VirtualSize, ppFound); } } return STATUS_NOT_FOUND; } VOID UnDriver(PDRIVER_OBJECT driver) { DbgPrint(("Uninstall Driver Is OK \n")); } NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath) { DbgPrint("hello lyshark.com \n"); PMiProcessLoaderEntry m_MiProcessLoaderEntry = NULL; RTL_OSVERSIONINFOW Version = { 0 }; Version.dwOSVersionInfoSize = sizeof(Version); RtlGetVersion(&Version); //獲取內(nèi)核版本號(hào) DbgPrint("主版本: %d -->次版本: %d --> 編譯版本: %d", Version.dwMajorVersion, Version.dwMinorVersion, Version.dwBuildNumber); if (Version.dwMajorVersion == 10) { // 如果是 win10 18363 則匹配特征 if (Version.dwBuildNumber == 18363) { CHAR pattern[] = "\x48\x89\x5c\x24\x08"; int pattern_size = 
sizeof(pattern) - 1; ByLySharkComUtilScanSection(".text", (PUCHAR)pattern, 0xCC, pattern_size, (PVOID *)&m_MiProcessLoaderEntry); DbgPrint("[LyShark] 輸出首地址: %p", m_MiProcessLoaderEntry); } } Driver->DriverUnload = UnDriver; return STATUS_SUCCESS; }
代碼中首先判斷系統主版本windows 10 18363
如果是則執行匹配,只匹配.text
也就是代碼段中的數據,當遇到0xcc
時則取消繼續,否則繼續執行枚舉,程序輸出效果如下所示。
在WinDBG中輸入命令!dh 0xfffff8007f600000
解析出內核PE頭數據,可以看到如下所示,對比無誤。
以上就是“C語言驅動開發內核特征碼掃描PE代碼怎么寫”這篇文章的所有內容,感謝各位的閱讀!相信大家閱讀完這篇文章都有很大的收獲,小編每天都會為大家更新不同的知識,如果還想學習更多的知識,請關注億速云行業資訊頻道。
免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如果涉及侵權(quán)請(qǐng)聯(lián)系站長(zhǎng)郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。