动态取得Ntoskrnl.exe导出函数地址

动态取得Ntoskrnl.exe导出函数地址

// GetDllFunctionAddress.cpp
//
// Generated by DriverWizard version DriverStudio 3.1.0 （Build 1722）
//

#include 

#include “..\SOURCES\type.h“
#include “..\SOURCES\debug.h“
#include “..\SOURCES\GetJmpAddress.h“
#include “..\SOURCES\IoCreateMdlFroAddress.h“
#include “Type.h“
#include “GetDllFunctionAddress.h“
__declspec（dllimport）NTSTATUS NTAPI
  IoFileReadFile（
    IN HANDLE  FileHandle
    OUT PIO_STATUS_BLOCK  IoStatusBlock
    OUT PVOID  Buffer
    IN ULONG  Length
    IN PLARGE_INTEGER  ByteOffset  OPTIONAL
	IN KPROCESSOR_MODE  AccessMode
    ）;
__declspec（dllimport）NTSTATUS  NTAPI
  IoFileCreateFile（
 OUT PHANDLE FileHandle
                  IN ACCESS_MASK  DesiredAccess
                  IN Pobject_ATTRIBUTES  objectAttributes
                  OUT PIO_STATUS_BLOCK  IoStatusBlock
                  IN PLARGE_INTEGER  AllocationSize OPTIONAL
                  IN ULONG  FileAttributes
                  IN ULONG  ShareAccess
                  IN ULONG  CreateDisposition
                  IN ULONG  CreateOptions
                  IN PVOID  EaBuffer OPTIONAL
                  IN ULONG  EaLength
                  ）;
__declspec（dllimport）NTSTATUS  NTAPI
  IoFileWriteFile（
                  IN HANDLE  FileHandle
                  OUT PIO_STATUS_BLOCK  IoStatusBlock
                  IN PVOID  Buffer
                  IN ULONG  Length
                  IN PLARGE_INTEGER  ByteOffset  OPTIONAL
				  IN KPROCESSOR_MODE  AccessMode）;
__declspec（dllimport）NTSTATUS  NTAPI
  IoFileClose（
                  IN HANDLE  FileHandle
				  IN KPROCESSOR_MODE  AccessMode）;
__declspec（dllimport）NTSTATUS NTAPI CheckHandle（OUT PHANDLE  FileHandle）;
__declspec（dllimport）NTSTATUS NTAPI CheckobjectAttributes（IN Pobject_ATTRIBUTES  objectAttributes）;
__declspec（dllimport）NTSTATUS NTAPI CheckIoStatusBlock（IN PIO_STATUS_BLOCK  IoStatusBlock）;
typedef struct {
    DWORD    dwNumberOfModules;
    SYSTEM_MODULE_INFORMATION    smi;
} MODULES *PMODULES;
NTSYSAPI
NTSTATUS
NTAPI
NtQuerySystemInformation（
IN SYSTEM_INFORMATION_CLASS SystemInformationClass
IN OUT PVOID SystemInformation
IN ULONG SystemInformationLength
OUT PULONG ReturnLength OPTIONAL
）;
DWORD pGetDllFunctionAddress（char* lpFunctionName 
							PUNICODE_STRING pDllName
							PVOID MoudelbaseAddress
							ULONG *FunctionRAV
							Pbase_ADDRESS_MESSAGE OutMoudelbaseAddress） 
{
    HANDLE hThread hSection hFile hMod;
    SECTION_IMAGE_INFORMATION sii;
    IMAGE_DOS_HEADER* dosheader;
    IMAGE_OPTIONAL_HEADER* opthdr;
    IMAGE_EXPORT_DIRECTORY* pExportTable;
    DWORD* arrayOfFunctionAddresses;
    DWORD* arrayOfFunctionNames;
    WORD* arrayOfFunctionOrdinals;
    DWORD functionOrdinal;
    DWORD base x functionAddress;
    char* functionName;
    STRING ntFunctionName ntFunctionNameSearch;
    PVOID baseAddress = NULL;
    SIZE_T size=0;
    NTSTATUS Status=0;
	IO_STATUS_BLOCK iosb;

 属性            大小     日期    时间   名称
----------- ---------  ---------- -----  ----

    .......       113  2010-04-23 20:08  GetDllFunctionAddressDll\buildchk_wxp_x86.err

    .......      2884  2010-04-23 20:08  GetDllFunctionAddressDll\buildchk_wxp_x86.log

     文件       4744  2010-04-23 20:11  GetDllFunctionAddressDll\buildfre_wxp_x86.log

     文件         81  2010-03-31 20:45  GetDllFunctionAddressDll\function.h

     文件      97242  2010-04-23 16:56  GetDllFunctionAddressDll\GetDllFunctionAddress.lib

     文件      39404  2010-04-01 16:59  GetDllFunctionAddressDll\GetDllFunctionAddressDll.aps

     文件       7377  2010-04-23 20:08  GetDllFunctionAddressDll\GetDllFunctionAddressDll.c

     文件        208  2010-04-02 17:24  GetDllFunctionAddressDll\GetDllFunctionAddressDll.def

     文件      20914  2010-04-02 22:04  GetDllFunctionAddressDll\GetDllFunctionAddressDll.dsp

     文件        343  2010-03-31 20:45  GetDllFunctionAddressDll\GetDllFunctionAddressDll.dsw

     文件       1587  2010-04-23 20:11  GetDllFunctionAddressDll\GetDllFunctionAddressDll.h

     文件      74752  2010-04-23 20:27  GetDllFunctionAddressDll\GetDllFunctionAddressDll.ncb

     文件     282112  2010-04-23 20:27  GetDllFunctionAddressDll\GetDllFunctionAddressDll.opt

     文件       2056  2010-03-31 20:45  GetDllFunctionAddressDll\GetDllFunctionAddressDll.rc

     文件         53  2010-04-01 16:33  GetDllFunctionAddressDll\GetFunctionAddressDll.def

     文件       9216  2010-04-22 21:45  GetDllFunctionAddressDll\IoFile.dll

     文件       5344  2010-04-22 21:45  GetDllFunctionAddressDll\IoFile.lib

     文件          0  2010-04-02 22:04  GetDllFunctionAddressDll\KeInsertQueueApc.c

     文件          0  2010-04-02 22:03  GetDllFunctionAddressDll\KeInsertQueueApc.h

     文件        308  2010-03-31 20:45  GetDllFunctionAddressDll\makefile

     文件       1215  2010-04-02 01:10  GetDllFunctionAddressDll\NtQuerySystemInformation.c

     文件       2786  2010-04-01 21:18  GetDllFunctionAddressDll\NtQuerySystemInformation.h

     文件       2000  2010-04-23 20:08  GetDllFunctionAddressDll\objchk_wxp_x86\i386\GetDllFunctionAddressDll.exp

     文件       3830  2010-04-23 20:08  GetDllFunctionAddressDll\objchk_wxp_x86\i386\GetDllFunctionAddressDll.lib

     文件      43223  2010-04-23 20:08  GetDllFunctionAddressDll\objchk_wxp_x86\i386\getdllfunctionaddressdll.obj

     文件        972  2010-04-23 20:08  GetDllFunctionAddressDll\objchk_wxp_x86\i386\getdllfunctionaddressdll.res

     文件       8836  2010-04-23 20:08  GetDllFunctionAddressDll\objchk_wxp_x86\i386\ntquerysysteminformation.obj

     文件       6752  2010-04-23 20:08  GetDllFunctionAddressDll\objchk_wxp_x86\i386\pslookupthreadbythreadid.obj

    .......      1006  2010-04-23 20:08  GetDllFunctionAddressDll\objchk_wxp_x86\_objects.mac

     文件       2037  2010-04-23 20:11  GetDllFunctionAddressDll\objfre_wxp_x86\i386\GetDllFunctionAddressDll.exp

............此处省略102个文件信息