MmGetSystemRoutineAddress和MiFindExportedRoutineByName函数的 exported

MmGetSystemRoutineAddress和MiFindExportedRoutineByName函数的实现代码

MmGetSystemRoutineAddress这个函数也是比较有用的，是得到系统导出函数的地址，不过网上都是写了一堆汇编代码在哪里，根本没有可读性，还不如用IDA看呢。

下面的函数是摘自ReactOS项目的代码：

1. PVOID
2. NTAPI
3. MmGetSystemRoutineAddress(INPUNICODE_STRINGSystemRoutineName)
4. {
5. PVOIDProcAddress=NULL;
6. ANSI_STRINGAnsiRoutineName;
7. NTSTATUSStatus;
8. PLIST_ENTRYNextEntry;
9. PLDR_DATA_TABLE_ENTRYLdrEntry;
10. BOOLEANFound=FALSE;
11. UNICODE_STRINGKernelName=RTL_CONSTANT_STRING(L"ntoskrnl.exe");
12. UNICODE_STRINGHalName=RTL_CONSTANT_STRING(L"hal.dll");
13. ULONGModules=0;
14. ERESOURCEPsLoadedModuleResource;
17. Status=RtlUnicodeStringToAnsiString(&AnsiRoutineName,
18. SystemRoutineName,
19. TRUE);
20. if(!NT_SUCCESS(Status))returnNULL;
23. KeEnterCriticalRegion();
24. ExAcquireResourceSharedLite(&PsLoadedModuleResource,TRUE);
27. NextEntry=PsLoadedModuleList.Flink;
28. while(NextEntry!=&PsLoadedModuleList)
29. {
31. LdrEntry=CONTAINING_RECORD(NextEntry,
32. LDR_DATA_TABLE_ENTRY,
33. InLoadOrderLinks);
36. if(RtlEqualUnicodeString(&KernelName,&LdrEntry->BaseDllName,TRUE))
37. {
39. Found=TRUE;
40. Modules++;
41. }
42. elseif(RtlEqualUnicodeString(&HalName,&LdrEntry->BaseDllName,TRUE))
43. {
45. Found=TRUE;
46. Modules++;
47. }
50. if(Found)
51. {
53. ProcAddress=MiFindExportedRoutineByName(LdrEntry->DllBase,
54. &AnsiRoutineName);
57. if(ProcAddress)break;
58. if(Modules==2)break;
59. }
62. NextEntry=NextEntry->Flink;
63. }
66. ExReleaseResourceLite(&PsLoadedModuleResource);
67. KeLeaveCriticalRegion();
70. RtlFreeAnsiString(&AnsiRoutineName);
71. returnProcAddress;
72. }

MiFindExportedRoutineByName——EAT中定位到指定函数

MmGetSystemRoutineAddress实际调用的MiFindExportedRoutineByName

1. PVOID
2. MiFindExportedRoutineByName(
3. INPVOIDDllBase,
4. INPANSI_STRINGAnsiImageRoutineName
5. )
6. {
7. USHORTOrdinalNumber;
8. PULONGNameTableBase;
9. PUSHORTNameOrdinalTableBase;
10. PULONGAddr;
11. LONGHigh;
12. LONGLow;
13. LONGMiddle;
14. LONGResult;
15. ULONGE--xportSize;//保存表项的大小
16. PVOIDFunctionAddress;
17. PIMAGE_EXPORT_DIRECTORYExportDirectory;
19. PAGED_CODE();
21. ExportDirectory=(PIMAGE_EXPORT_DIRECTORY)RtlImageDirectoryEntryToData(
22. DllBase,
23. TRUE,
24. IMAGE_DIRECTORY_ENTRY_EXPORT,
25. &ExportSize);
27. if(ExportDirectory==NULL){
28. returnNULL;
29. }
31. NameTableBase=(PULONG)((PCHAR)DllBase+(ULONG)ExportDirectory->AddressOfNames);
32. NameOrdinalTableBase=(PUSHORT)((PCHAR)DllBase+(ULONG)ExportDirectory->AddressOfNameOrdinals);
34. //二分查找法
35. Low=0;
36. Middle=0;
37. High=ExportDirectory->NumberOfNames-1;
39. while(High>=Low){
40. Middle=(Low+High)>>1;
42. Result=strcmp(AnsiImageRoutineName->Buffer,
43. (PCHAR)DllBase+NameTableBase[Middle]);
45. if(Result<0){
46. High=Middle-1;
47. }
48. elseif(Result>0){
49. Low=Middle+1;
50. }
51. else{
52. break;
53. }
54. }
56. //如果High<Low，表明没有在EAT中找到这个函数；否则，返回此函数的索引
57. if(High<Low){
58. returnNULL;
59. }
61. OrdinalNumber=NameOrdinalTableBase[Middle];
63. //如果索引值大于EAT中已有的函数数量，则查找失败
64. if((ULONG)OrdinalNumber>=ExportDirectory->NumberOfFunctions){
65. returnNULL;
66. }
68. Addr=(PULONG)((PCHAR)DllBase+(ULONG)ExportDirectory->AddressOfFunctions);
70. FunctionAddress=(PVOID)((PCHAR)DllBase+Addr[OrdinalNumber]);
71. ASSERT((FunctionAddress<=(PVOID)ExportDirectory)||
72. (FunctionAddress>=(PVOID)((PCHAR)ExportDirectory+ExportSize)));
74. returnFunctionAddress;
75. }

在模块中定位指定函数名的地址，这个算法挺不错的

爱华网本文地址 » http://www.aihuau.com/a/25101015/272179.html