I'm writing a program which enumerates hooks created by SetWindowsHookEx(). Here is the process:

1. Use GetProcAddress() to obtain gSharedInfo, exported in User32.dll (works, verified)
2. Read gSharedInfo + 8; the result should be a pointer to the first handle entry (works, verified)
3. Read [gSharedInfo] + 8; the result should be the count of handles to enumerate (works, verified)
4. Enumerate the handle entries count times and check whether HANDLEENTRY.bType is 5 (which means it's an HHOOK). If so, print information.

The problem is that although steps 1-3 only mess around with user-mode memory, step 4 requires the program to read kernel memory. After some research I found that ZwSystemDebugControl can be used to access kernel memory from user mode. So I wrote the following function:
```c
#include <windows.h>

// MEMORY_CHUNKS, ZWSYSTEMDEBUGCONTROL and SysDbgCopyMemoryChunks_0 are defined in the
// full program linked below. MEMORY_CHUNKS uses 32-bit fields, so the casts below only
// describe addresses correctly from a 32-bit process.
BOOL GetKernelMemory(PVOID pKernelAddr, PBYTE pBuffer, ULONG uLength)
{
    MEMORY_CHUNKS mc;
    ULONG uReaded = 0;                  // bytes returned by the call
    mc.Address = (UINT)pKernelAddr;     // kernel memory address - input
    mc.pData   = (UINT)pBuffer;         // user-mode buffer address - output
    mc.Length  = (UINT)uLength;         // number of bytes to copy
    ULONG st = -1;                      // NTSTATUS returned by the call
    // Resolved at run time; the ntdll.dll export is named NtSystemDebugControl.
    ZWSYSTEMDEBUGCONTROL ZwSystemDebugControl = (ZWSYSTEMDEBUGCONTROL)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtSystemDebugControl");
    if (ZwSystemDebugControl == NULL)
        return FALSE;
    st = ZwSystemDebugControl(SysDbgCopyMemoryChunks_0, &mc, sizeof(MEMORY_CHUNKS), 0, 0, &uReaded);
    return st == 0;                     // 0 is STATUS_SUCCESS; 0xC0000002 is STATUS_NOT_IMPLEMENTED
}
```
But the function above didn't work: uReaded is always 0 and st is always 0xC0000002. How do I resolve this error?

My full program: http://pastebin.com/xzYfGdC5
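The handle-table walk from step 4, as an added example that is not part of the original question. It takes a memory-read callback with the same shape as GetKernelMemory() above, so the same loop runs over a user-mode copy here and over whatever primitive eventually reads the table on a real system. The HANDLEENTRY layout, the TYPE_HOOK value (5, as in the question) and the handle encoding (table index in the low 16 bits, wUniq in the high 16 bits) follow the public ReactOS/win32k definitions and are assumptions here; the sample table is constructed, not captured from a running system.

```c
/* Added example, not from the original post. Walks a USER handle table and
 * reports every entry whose bType is TYPE_HOOK, rebuilding the HHOOK value.
 * Struct layout, TYPE_* values and handle encoding are assumed from the
 * public ReactOS/win32k definitions; the table below is constructed data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TYPE_FREE 0   /* unused slot */
#define TYPE_HOOK 5   /* HANDLEENTRY.bType for HHOOK objects (assumed) */

/* One slot of the USER handle table (win32k HANDLEENTRY, assumed layout).
 * Pointer-sized fields give 12 bytes on x86 and 24 bytes on x64. */
typedef struct _HANDLEENTRY {
    void    *phead;   /* object header; for hooks this is the HOOK object */
    void    *pOwner;  /* owning THREADINFO or PROCESSINFO */
    uint8_t  bType;   /* TYPE_* value */
    uint8_t  bFlags;
    uint16_t wUniq;   /* uniqueness counter, high word of the handle value */
} HANDLEENTRY;

/* Memory-read primitive with the same shape as the question's GetKernelMemory():
 * copy len bytes from addr into buf, nonzero on success. */
typedef int (*read_mem_fn)(const void *addr, void *buf, size_t len);

/* Called once per hook entry found. */
typedef void (*hook_cb)(uint32_t hhook, const HANDLEENTRY *he, void *ctx);

/* Reads count entries starting at aheList through reader() and reports each
 * TYPE_HOOK entry. Handle value = index | (wUniq << 16) (assumed encoding).
 * Returns the number of hooks found, or -1 if a read failed. */
static int enumerate_hooks(const void *aheList, size_t count, read_mem_fn reader,
                           hook_cb cb, void *ctx)
{
    int found = 0;
    for (size_t i = 0; i < count; i++) {
        HANDLEENTRY he;
        const char *p = (const char *)aheList + i * sizeof(HANDLEENTRY);
        if (!reader(p, &he, sizeof he))
            return -1;
        if (he.bType != TYPE_HOOK)
            continue;
        uint32_t hhook = (uint32_t)i | ((uint32_t)he.wUniq << 16);
        if (cb)
            cb(hhook, &he, ctx);
        found++;
    }
    return found;
}

/* ---- constructed sample table (not captured from a real system) ---- */
#define P(x) ((void *)(uintptr_t)(x))
static HANDLEENTRY g_sample_table[6] = {
    { NULL,       NULL,      TYPE_FREE, 0, 0 },  /* free slot */
    { P(0xA1000), P(0xB1),   1,         0, 3 },  /* a window */
    { P(0xA2000), P(0xB1),   TYPE_HOOK, 0, 7 },  /* hook -> HHOOK 0x00070002 */
    { P(0xA3000), P(0xB2),   2,         0, 1 },  /* a menu */
    { NULL,       NULL,      TYPE_FREE, 0, 9 },  /* freed slot keeps its wUniq */
    { P(0xA5000), P(0xB3),   TYPE_HOOK, 0, 2 },  /* hook -> HHOOK 0x00020005 */
};

/* Reader for the sample: the table is ordinary user-mode memory, so memcpy.
 * On a real system this is where the kernel-read primitive plugs in. */
static int sample_read(const void *addr, void *buf, size_t len)
{
    memcpy(buf, addr, len);
    return 1;
}

/* Reader that always fails, to exercise the error path. */
static int failing_read(const void *addr, void *buf, size_t len)
{
    (void)addr; (void)buf; (void)len;
    return 0;
}

static void print_hook(uint32_t hhook, const HANDLEENTRY *he, void *ctx)
{
    (void)ctx;
    printf("HHOOK 0x%08x  HOOK object %p  owner %p\n", hhook, he->phead, he->pOwner);
}

/* Collects reconstructed handle values so a caller can check them. */
struct collect { uint32_t h[8]; int n; };
static void collect_cb(uint32_t hhook, const HANDLEENTRY *he, void *ctx)
{
    (void)he;
    struct collect *c = (struct collect *)ctx;
    if (c->n < 8)
        c->h[c->n++] = hhook;
}

static int count_sample_hooks(struct collect *c)
{
    return enumerate_hooks(g_sample_table, 6, sample_read, collect_cb, c);
}

int main(void)
{
    int n = enumerate_hooks(g_sample_table, 6, sample_read, print_hook, NULL);
    printf("%d hook(s) in table\n", n);
    return 0;
}
```

On a real system the aheList pointer and count come from steps 2 and 3, and sample_read is replaced by whatever primitive can read the entries; everything else in the loop stays the same.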
After Windows XP, MSFT did not implement the NtSystemDebugControl system call.
The Meltdown vulnerability makes it possible to read kernel memory from user mode on most Intel CPUs at a speed of approximately 500 kB/s. This works on most unpatched OSes.