#转换统一驱动文件名路径为string

添加SSDT和SSSDT查看功能
DragonQuestHero · Nov 27, 2024 · f67f0e3 · f67f0e3
1 parent caf5357
commit f67f0e3
Show file tree

Hide file tree

Showing 18 changed files with 629 additions and 305 deletions.
diff --git a/Medusa/EzPdb/EzPdb.cpp b/Medusa/EzPdb/EzPdb.cpp
@@ -683,6 +683,12 @@ bool EzPdbLoad(IN std::string pdbPath, OUT PEZPDB Pdb)
 	//SymSetOptions(SYMOPT_UNDNAME | SYMOPT_DEFERRED_LOADS | SYMOPT_AUTO_PUBLICS | SYMOPT_LOAD_ANYTHING);
 
 	DWORD64 SymbolTable = SymLoadModuleEx(GetCurrentProcess(), NULL, pdbPath.c_str(), NULL, EZ_PDB_BASE_OF_DLL, pdbSize, NULL, NULL);
+	if (!SymbolTable && GetLastError() == ERROR_SUCCESS)
+	{
+		SymUnloadModule64(GetCurrentProcess(), EZ_PDB_BASE_OF_DLL);
+		SymCleanup(GetCurrentProcess());
+		SymbolTable = SymLoadModuleEx(GetCurrentProcess(), NULL, pdbPath.c_str(), NULL, EZ_PDB_BASE_OF_DLL, pdbSize, NULL, NULL);
+	}
 	if (!SymbolTable)
 	{
 		SymCleanup(GetCurrentProcess());

diff --git a/Medusa/IOCTLScanner.cc b/Medusa/IOCTLScanner.cc
@@ -156,34 +156,25 @@ bool IOCTLScanner::GetIOCTLFunction(ULONG64 Addr, KernelModules& _KernelModules,
 			_Model->setData(_Model->index(i, 2), ret2.str().data());
 			_Model->setData(_Model->index(i, 3), "");
 
-			std::string module_name;
 			bool found = false;
 			for (auto x : _KernelModules._KernelModuleListR0)
 			{
-				if (x.Check == 1 || x.Check == 2)
-				{
-					module_name = W_TO_C((WCHAR*)x.Name);
-				}
-				else
-				{
-					module_name = (char*)x.Name;
-				}
 				if (temp_list[i].Addr >= (ULONG64)x.Addr &&
 					temp_list[i].Addr < (ULONG64)x.Addr + (ULONG64)x.Size)
 				{
-					if (module_name == "ntoskrnl.exe" && !temp_list[i].Check)
+					if (x.Name == "ntoskrnl.exe" && !temp_list[i].Check)
 					{
 						found = true;
 					}
-					else if (name == module_name)
+					else if (name == x.Name)
 					{
 						found = true;
 					}
-					module_name = module_name + "+";
+					x.Name = x.Name + "+";
 					std::ostringstream ret;
 					ret << std::hex << "0x" << temp_list[i].Addr - x.Addr;
-					module_name = module_name + ret.str();
-					_Model->setData(_Model->index(i, 3), module_name.data());
+					x.Name = x.Name + ret.str();
+					_Model->setData(_Model->index(i, 3), x.Name.data());
 					break;
 				}
 			}
@@ -234,25 +225,16 @@ bool IOCTLScanner::QueryIOCTLHook(ULONG64 Addr, KernelModules& _KernelModules, s
 		for (int i = 0; i < 0x1b + 1; i++)
 		{
 			bool found = false;
-			std::string module_name;
 			for (auto x : _KernelModules._KernelModuleListR0)
 			{
-				if (x.Check == 1 || x.Check == 2)
-				{
-					module_name = W_TO_C((WCHAR*)x.Name);
-				}
-				else
-				{
-					module_name = (char*)x.Name;
-				}
 				if (temp_list[i].Addr >= (ULONG64)x.Addr &&
 					temp_list[i].Addr < (ULONG64)x.Addr + (ULONG64)x.Size)
 				{
-					if (module_name == "ntoskrnl.exe" && !temp_list[i].Check)
+					if (x.Name == "ntoskrnl.exe" && !temp_list[i].Check)
 					{
 						found = true;
 					}
-					else if (name == module_name)
+					else if (name == x.Name)
 					{
 						found = true;
 					}

diff --git a/Medusa/KernelModules.cc b/Medusa/KernelModules.cc
@@ -2,6 +2,8 @@
 
 #include "ntdll.h"
 
+#include "PDBInfo.h"
+
 
 
 bool KernelModules::GetKernelModuleListR3()
@@ -34,20 +36,21 @@ bool KernelModules::GetKernelModuleListR3()
 	for (DWORD i = 0; i < mem->NumberOfModules; i++)
 	{
 		PRTL_PROCESS_MODULE_INFORMATION processModule = &mem->Modules[i];
-		KernelModulesVector temp_list;
-		RtlZeroMemory(&temp_list, sizeof(KernelModulesVector));
+		KernelModulesVector temp_list = { 0 };
 		temp_list.Check = false;
 		temp_list.Addr = (ULONG64)processModule->ImageBase;
 		temp_list.Size = processModule->ImageSize;
-		RtlCopyMemory(temp_list.Path, processModule->FullPathName, 256);
-		RtlCopyMemory(temp_list.Name, processModule->FullPathName + processModule->OffsetToFileName, 256 - processModule->OffsetToFileName);
+		temp_list.Path = (char*)processModule->FullPathName;
+		char* temp_str = (char*)(processModule->FullPathName + processModule->OffsetToFileName);
+		temp_list.Name = temp_str;
 		_KernelModuleListR3.push_back(temp_list);
 	}
 	if (mem)
 	{
 		delete mem;
 		mem = NULL;
 	}
+	_KernelModuleList = _KernelModuleListR3;
 	return true;
 }
 
@@ -74,18 +77,37 @@ bool KernelModules::GetKernelModuleListR0()
 		}
 
 		DWORD dwRet = 0;
-		KernelModulesVector* temp_list = (KernelModulesVector*)new char[process_number * sizeof(KernelModulesVector)];
+		KernelModulesVector2* temp_list = (KernelModulesVector2*)new char[process_number * sizeof(KernelModulesVector2)];
 		if (!temp_list)
 		{
 			break;
 		}
 
-		DeviceIoControl(m_hDevice, TEST_GetALLKernelModule, 0, 0, temp_list, sizeof(KernelModulesVector) * process_number, &dwRet, NULL);
+		DeviceIoControl(m_hDevice, TEST_GetALLKernelModule, 0, 0, temp_list, sizeof(KernelModulesVector2) * process_number, &dwRet, NULL);
 		if (dwRet)
 		{
 			for (int i = 0; i < process_number; i++)
 			{
-				_KernelModuleListR0.push_back(temp_list[i]);
+				KernelModulesVector temp_list2;
+				if (temp_list[i].Check)
+				{
+					temp_list2.Addr = temp_list[i].Addr;
+					temp_list2.Check = temp_list[i].Check;
+					temp_list2.DriverObject = temp_list[i].DriverObject;
+					temp_list2.Size = temp_list[i].Size;
+					temp_list2.Name = W_TO_C(temp_list[i].Name);
+					temp_list2.Path = temp_list[i].Path;
+				}
+				else
+				{
+					temp_list2.Addr = temp_list[i].Addr;
+					temp_list2.Check = temp_list[i].Check;
+					temp_list2.DriverObject = temp_list[i].DriverObject;
+					temp_list2.Size = temp_list[i].Size;
+					temp_list2.Name = (char*)(temp_list[i].Name);
+					temp_list2.Path = temp_list[i].Path;
+				}
+				_KernelModuleListR0.push_back(temp_list2);
 			}
 		}
 		delete temp_list;
@@ -95,7 +117,7 @@ bool KernelModules::GetKernelModuleListR0()
 	} while (false);
 
 
-
+	_KernelModuleList = _KernelModuleListR0;
 
 
 	CloseHandle(m_hDevice);
@@ -184,4 +206,196 @@ bool KernelModules::DumpDriver(ULONG64 Address, ULONG64 Size,void*buffer)
 	} while (false);
 	CloseHandle(m_hDevice);
 	return false;
+}
+
+
+
+
+#define TEST_GetSSDTList CTL_CODE(FILE_DEVICE_UNKNOWN,0x7123,METHOD_BUFFERED ,FILE_ANY_ACCESS)
+#define TEST_GetSSDTListNumber CTL_CODE(FILE_DEVICE_UNKNOWN,0x7124,METHOD_BUFFERED ,FILE_ANY_ACCESS)
+
+#define TEST_GetSSSDTList CTL_CODE(FILE_DEVICE_UNKNOWN,0x7125,METHOD_BUFFERED ,FILE_ANY_ACCESS)
+#define TEST_GetSSSDTListNumber CTL_CODE(FILE_DEVICE_UNKNOWN,0x7126,METHOD_BUFFERED ,FILE_ANY_ACCESS)
+
+std::vector<SSDT_STRUCT2> KernelModules::GetALLSSDT(bool Setting_SSDT_SSSDT_PDB)
+{
+	if (!_KernelModuleList.size())
+	{
+		GetKernelModuleListR3();
+	}
+	_SSDTALL.clear();
+
+	HANDLE m_hDevice = CreateFileA("\\\\.\\IO_Control", GENERIC_READ | GENERIC_WRITE, 0,
+		NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+	if (INVALID_HANDLE_VALUE == m_hDevice)
+	{
+		return _SSDTALL;
+	}
+	do
+	{
+		DWORD process_number = 0;
+		DeviceIoControl(m_hDevice, TEST_GetSSDTListNumber, 0, 0, 0, 0, &process_number, NULL);
+		if (!process_number)
+		{
+			break;
+		}
+
+		DWORD dwRet = 0;
+		SSDT_STRUCT* temp_list = (SSDT_STRUCT*)new char[process_number * sizeof(SSDT_STRUCT)];
+		if (!temp_list)
+		{
+			break;
+		}
+
+		DeviceIoControl(m_hDevice, TEST_GetSSDTList, 0, 0, temp_list, sizeof(SSDT_STRUCT) * process_number, &dwRet, NULL);
+		if (dwRet)
+		{
+			ModuleExportFunc _ModuleExportFunc;
+
+			int index = GetDriversListIndexFromAddress(temp_list[0].Addr);
+
+			bool use_pdb = false;
+			PDBInfo _PDBInfo;
+			if (index != -1 && (_PDBInfo.QueryDownLoad(ConvertSystemRootPath(_KernelModuleList[index].Path)) || Setting_SSDT_SSSDT_PDB))
+			{
+				_PDBInfo.DownLoad(ConvertSystemRootPath(_KernelModuleList[index].Path), _KernelModuleList[index].Addr);
+				_PDBInfo.GetALL();
+				use_pdb = true;
+			}
+			std::vector<ExportFunc> ntos_func;
+			if (index != -1 && use_pdb == false)
+			{
+				ntos_func = _ModuleExportFunc.GetExportFunc(
+					_KernelModuleList[index].Addr, ConvertSystemRootPath(_KernelModuleList[index].Path));
+			}
+			for (int i = 0; i < process_number; i++)
+			{
+				SSDT_STRUCT2 temp_SSDT_STRUCT;
+				temp_SSDT_STRUCT.Addr = temp_list[i].Addr;
+				temp_SSDT_STRUCT.Index = temp_list[i].Index;
+				temp_SSDT_STRUCT.FuncName = "";
+				temp_SSDT_STRUCT.Modules = "";
+				if (index != -1)
+				{
+					if (use_pdb)
+					{
+						for (auto x : _PDBInfo._Symbol)
+						{
+							if (temp_list[i].Addr == x.Addr)
+							{
+								temp_SSDT_STRUCT.FuncName = x.Name;
+								break;
+							}
+						}
+					}
+					else
+					{
+						for (auto x : ntos_func)
+						{
+							if (x.Addr == temp_SSDT_STRUCT.Addr)
+							{
+								temp_SSDT_STRUCT.FuncName = x.Name;
+								break;
+							}
+						}
+					}
+					temp_SSDT_STRUCT.Modules = _KernelModuleList[index].Name;
+				}
+				_SSDTALL.push_back(temp_SSDT_STRUCT);
+			}
+		}
+		delete temp_list;
+	} while (false);
+	CloseHandle(m_hDevice);
+	return _SSDTALL;
+}
+
+
+std::vector<SSDT_STRUCT2> KernelModules::GetALLShadowSSDT(bool Setting_SSDT_SSSDT_PDB)
+{
+	if (!_KernelModuleList.size())
+	{
+		GetKernelModuleListR3();
+	}
+	_SSDTALL.clear();
+
+	HANDLE m_hDevice = CreateFileA("\\\\.\\IO_Control", GENERIC_READ | GENERIC_WRITE, 0,
+		NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+	if (INVALID_HANDLE_VALUE == m_hDevice)
+	{
+		return _SSDTALL;
+	}
+	do
+	{
+		DWORD process_number = 0;
+		DeviceIoControl(m_hDevice, TEST_GetSSSDTListNumber, 0, 0, 0, 0, &process_number, NULL);
+		if (!process_number)
+		{
+			break;
+		}
+
+		DWORD dwRet = 0;
+		SSDT_STRUCT* temp_list = (SSDT_STRUCT*)new char[process_number * sizeof(SSDT_STRUCT)];
+		if (!temp_list)
+		{
+			break;
+		}
+
+		DeviceIoControl(m_hDevice, TEST_GetSSSDTList, 0, 0, temp_list, sizeof(SSDT_STRUCT) * process_number, &dwRet, NULL);
+		if (dwRet)
+		{
+			ModuleExportFunc _ModuleExportFunc;
+			//没符号的情况下不支持查看了
+			/*std::vector<ExportFunc> win32k_func = _ModuleExportFunc.GetExportFunc(
+				_KernelModuleList[GetDriversListIndexFromName("win32k.sys")].Addr, 
+				ConvertSystemRootPath(_KernelModuleList[GetDriversListIndexFromName("win32k.sys")].Path));*/
+
+			int index = GetDriversListIndexFromAddress(temp_list[0].Addr);
+			bool use_pdb = false;
+			PDBInfo _PDBInfo;
+			if (index != -1 && (_PDBInfo.QueryDownLoad(ConvertSystemRootPath(_KernelModuleList[index].Path)) || Setting_SSDT_SSSDT_PDB))
+			{
+				_PDBInfo.DownLoad(ConvertSystemRootPath(_KernelModuleList[index].Path), _KernelModuleList[index].Addr);
+				_PDBInfo.GetALL();
+				use_pdb = true;
+			}
+
+
+			for (int i = 0; i < process_number; i++)
+			{
+				SSDT_STRUCT2 temp_SSDT_STRUCT;
+				temp_SSDT_STRUCT.Addr = temp_list[i].Addr;
+				temp_SSDT_STRUCT.Index = temp_list[i].Index;
+				temp_SSDT_STRUCT.FuncName = "";
+				temp_SSDT_STRUCT.Modules = "";
+				if (GetDriversListIndexFromAddress(temp_list[0].Addr))
+				{
+					/*for (auto x : win32k_func)
+					{
+						if (x.Addr == temp_SSDT_STRUCT.Addr)
+						{
+							temp_SSDT_STRUCT.FuncName = x.Name;
+							break;
+						}
+					}*/
+					temp_SSDT_STRUCT.Modules = _KernelModuleList[GetDriversListIndexFromAddress(temp_list[0].Addr)].Name;
+				}
+				if (use_pdb)
+				{
+					for (auto x : _PDBInfo._Symbol)
+					{
+						if (temp_list[i].Addr == x.Addr)
+						{
+							temp_SSDT_STRUCT.FuncName = x.Name;
+							break;
+						}
+					}
+				}
+				_SSDTALL.push_back(temp_SSDT_STRUCT);
+			}
+		}
+		delete temp_list;
+	} while (false);
+	CloseHandle(m_hDevice);
+	return _SSDTALL;
 }