win10下获取ServiceDescriptorTableShadow这些与win7差不多,略过。

  • hook
    FFFFF960F4B119F0 FF25 B2AB0000 jmp qword ptr [rip+ABB2]
直接修改 [rip+ABB2] 处指针的值，记得先保存原来的值。

NtUserBuildHwndList 这个函数在win7 下

/* Win7 prototype of win32k!NtUserBuildHwndList as a __fastcall function
 * pointer; presumably used to call the saved original through the hook.
 * Win10 inserts one extra parameter before cHwndMax (see the win10 typedef
 * further down); calling the win10 function through this type ends in a
 * bugcheck, as the pseudocode excerpts below show. */
typedef NTSTATUS(__fastcall *TYPENtUserBuildHwndList)(IN HDESK hdesk,
IN HWND hwndNext,
IN ULONG fEnumChildren,
IN DWORD idThread,
IN UINT cHwndMax,        /* win7 pseudocode rejects values > 0x1FFFFFFF and probes 8*count bytes at phwndFirst */
OUT HWND *phwndFirst,    /* user buffer, probed for write before use */
OUT ULONG* pcHwndNeeded); /* compared against W32UserProbeAddress before being written */

最初直接套用 win7 的定义，结果蓝屏。用 IDA 查看伪代码发现：
win7:

/* IDA pseudocode excerpt of the win7 NtUserBuildHwndList (fragment: braces
 * and most of the body are omitted). Here the element count is a5 and the
 * two output pointers are the 6th and 7th parameters -- compare with the
 * win10 excerpt, where the count has moved to a6. */
__int64 __fastcall NtUserBuildHwndList(__int64 a1, __int64 a2, PVOID Address, unsigned int a4, unsigned int a5, PVOID phwndFirst, unsigned __int64 pcHwndNeeded)
/* a5 is the count (cHwndMax); 8 * 0x1FFFFFFF still fits in 32 bits, so the
 * ceiling presumably guards the size computed for the probe below */
if ( a5 > 0x1FFFFFFF )
ExRaiseAccessViolation();
/* user buffer probed for 8*count bytes, 4-byte alignment (v25 is presumably a5) */
ProbeForWrite(phwndFirst, 8 * v25, 4u);
v26 = (_DWORD *)pcHwndNeeded;
v27 = (_DWORD *)pcHwndNeeded;
/* pcHwndNeeded is range-checked against the user-mode probe limit; the
 * handling of the out-of-range case is not part of this excerpt */
if ( pcHwndNeeded >= (unsigned __int64)W32UserProbeAddress )

win10:

/* IDA pseudocode excerpt of the win10 NtUserBuildHwndList (fragment: braces
 * and most of the body are omitted). The probe now sizes the buffer from a6
 * and probes the 7th parameter, so one parameter (a5, "Address") has been
 * inserted ahead of the count compared with win7. */
__int64 __fastcall NtUserBuildHwndList(__int64 a1, __int64 a2, int a3, int a4, PVOID Address, __int64 a6, PVOID Addressa, unsigned __int64 a8)
/* a6 is the count (cHwndMax), Addressa the phwndFirst buffer; 8*count bytes, 4-byte alignment */
ProbeForWrite(Addressa, 8i64 * (unsigned int)a6, 4u);
v13 = (_DWORD *)a8;
v20 = (_DWORD *)a8;
/* note W32UserProbeAddress is dereferenced here, unlike the win7 excerpt */
if ( a8 >= *(_QWORD *)W32UserProbeAddress )
v20 = *(_DWORD **)W32UserProbeAddress;
/* read-then-write of the same location: presumably the inline probe of the
 * pcHwndNeeded output (out-of-range pointers were redirected just above) */
*v20 = *v20;

可以看出 win10 在原来的 a7（phwndFirst）之前加入了一个参数：win7 中 ProbeForWrite 的长度来自 a5，而 win10 中来自 a6，说明新参数插在 cHwndMax 之前。
google:
链接好像被墙了。

so
win10:

/* Win10 prototype of NtUserBuildHwndList. Compared with the win7 typedef,
 * one extra parameter (a5) sits between idThread and cHwndMax, matching the
 * pseudocode where the probe size comes from the 6th parameter; the trailing
 * three parameters are unchanged. */
typedef NTSTATUS(__fastcall *TYPENtUserBuildHwndListWin10)(IN HDESK hdesk,
IN HWND hwndNext,
IN ULONG fEnumChildren,
IN DWORD idThread,
PVOID a5,                /* new on win10; its meaning is not determined on this page */
IN UINT cHwndMax,        /* element count used to size the probe of phwndFirst */
OUT HWND *phwndFirst,    /* user buffer, probed for 8*cHwndMax bytes */
OUT ULONG* pcHwndNeeded); /* range-checked against W32UserProbeAddress */


2017-12-16
