Langouster 's Blog(虾 窝)

调用示例代码如下：

CallZwFunction("ZwProtectVirtualMemory",&status,5,(HANDLE)-1,&Addr2,&size,PAGE_EXECUTE_READWRITE,&old);

此函数中使用到两个函数，这两个函数相信很多人都有，但我还是贴一下这两个函数的代码吧

ULONG GetDllFunctionIndex(char* lpFunctionName)
{
 HANDLE  hSection, hFile, hMod;
 IMAGE_DOS_HEADER* dosheader;
 IMAGE_OPTIONAL_HEADER* opthdr;
 IMAGE_EXPORT_DIRECTORY* pExportTable;
 ULONG* arrayOfFunctionAddresses;
 ULONG* arrayOfFunctionNames;
 USHORT* arrayOfFunctionOrdinals;
 ULONG functionOrdinal;
 ULONG Base, x, functionAddress;
 char* functionName;
 STRING ntFunctionName, ntFunctionNameSearch;
 PVOID BaseAddress = NULL;
 SIZE_T size=0;
 OBJECT_ATTRIBUTES oa;// = {sizeof oa, 0, pDllName, OBJ_CASE_INSENSITIVE};
 IO_STATUS_BLOCK iosb;
 NTSTATUS status;
 ULONG uIndex=-1;
 UNICODE_STRING pDllName;

 RtlInitUnicodeString(&pDllName,L"\\SystemRoot\\system32\\ntdll.dll");
 InitializeObjectAttributes ( &oa, &pDllName, OBJ_KERNEL_HANDLE|OBJ_CASE_INSENSITIVE, NULL, NULL);

 status=ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
 if(status!=STATUS_SUCCESS)
 {
  //FILE_SUPERSEDED
  KdPrint(("ZwOpenFile Error:0x%x,0x%x",status,iosb.Information));
  return 0;
 }
 oa.ObjectName = 0;
 status=ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &oa, 0,PAGE_EXECUTE, 0x01000000, hFile);
 if(status!=STATUS_SUCCESS)
 {
  KdPrint(("ZwCreateSection Error"));
  ZwClose(hFile);
  return 0;
 }
 ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 1000, 0, &size, (SECTION_INHERIT)1, MEM_TOP_DOWN, PAGE_READWRITE);
 ZwClose(hFile);

 hMod = BaseAddress;
 dosheader = (IMAGE_DOS_HEADER *)hMod;
 opthdr =(IMAGE_OPTIONAL_HEADER *) ((BYTE*)hMod+dosheader->e_lfanew+24);
 pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*) hMod + opthdr->DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress);
 // now we can get the exported functions, but note we convert from RVA to address
 arrayOfFunctionAddresses = (ULONG*)( (BYTE*)hMod + pExportTable->AddressOfFunctions);
 arrayOfFunctionNames = (ULONG*)( (BYTE*)hMod + pExportTable->AddressOfNames);
 arrayOfFunctionOrdinals = (USHORT*)( (BYTE*)hMod + pExportTable->AddressOfNameOrdinals);
 Base = pExportTable->Base;

 RtlInitString(&ntFunctionNameSearch, lpFunctionName);
 for(x = 0; x < pExportTable->NumberOfFunctions; x++)
 {
  functionName = (char*)( (BYTE*)hMod + arrayOfFunctionNames[x]);
  RtlInitString(&ntFunctionName, functionName);
  functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1; // always need to add base, -1 as array counts from 0
  // this is the funny bit.  you would expect the function pointer to simply be arrayOfFunctionAddresses[x]...
  // oh no... thats too simple.  it is actually arrayOfFunctionAddresses[functionOrdinal]!!

  //KdPrint(("0x%x\t0x%x \n",x,functionOrdinal));
  functionAddress = (ULONG)( (BYTE*)hMod + arrayOfFunctionAddresses[functionOrdinal]);
  if (RtlCompareString(&ntFunctionName, &ntFunctionNameSearch, TRUE) == 0)
  {
   //INT3
   uIndex=*(PULONG)((PUCHAR)functionAddress+1);
   break;
   //return functionAddress;
  }
 }

 ZwClose(hSection);
 ZwUnmapViewOfSection(NtCurrentProcess(),BaseAddress);
 return uIndex;
}

PVOID GetSystemFunctionAddrW(CONST WCHAR *FunctionName)
{
 UNICODE_STRING uniFunctionName;

 RtlInitUnicodeString(&uniFunctionName,FunctionName);
 return MmGetSystemRoutineAddress(&uniFunctionName);
}