c grammar LONG (NTAPI name) (type1,type2...);
I am reading some source code for acquiring ring 0 privileges on Windows XP. In that code there are two lines:
LONG (NTAPI *NtSystemDebugControl) (int,void*,DWORD,void*,DWORD,DWORD*);
*(DWORD*) &NtSystemDebugControl = (DWORD)GetProcAddress(LoadLibrary("ntdll"),"NtSystemDebugControl");
This is the first time I have seen such grammar. What do these two lines mean?
The first line creates a function pointer; the second one initializes the function pointer in a rather horrible way (it will fail on 64-bit machines, though that is probably insignificant in this case).
If you're asking what GetProcAddress does, I suggest reading about it in MSDN.
ULONG_PTR, it's here for a reason. In the case of DWORDs being compatible with x64 and x86, it is crucial for success. Use it :) The alternative for x64 is DWORD64 typecasting instead. GetProcAddress returns the offset for NtSystemDebugControl inside ntdll.
The address associated with ntdll.dll!NtSystemDebugControl, when viewed on the stack, is now pointed to by the function pointer which is defined in the typedef. From here on you can initialize the pointer as such:
typedef LONG (NTAPI *NtSystemDebugControl)(int, void*, DWORD, void*, DWORD, DWORD*);
NtSystemDebugControl My_NtSystemDebugControl =
    (NtSystemDebugControl)GetProcAddress(GetModuleHandle("ntdll"), "NtSystemDebugControl");
if (My_NtSystemDebugControl != NULL) {
    My_NtSystemDebugControl(...);
}
Basically what this did is resolve the API at runtime without needing to link it at compile time. If your application is viewed in CFF Explorer then the IAT (Import Address Table) will only contain GetProcAddress and LoadLibrary, but NtSystemDebugControl won't be present as it is being resolved at runtime.
The advantages of this are: it hinders heuristic analysis in a lot of anti-viruses, it makes your binary size smaller since you aren't linking a ton of useless libraries at compile time, and it gives you much more flexibility by only defining the functions that you need, and not the entire library!
Also, you should attempt to use GetModuleHandle("ntdll"), comparing the result to != NULL, before going into LoadLibrary("ntdll"), as it's much less intrusive!
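The following is an added, self-contained example that is not code from the question or from either answer. It deliberately avoids windows.h so it compiles with any C compiler: the LONG/DWORD/NTAPI definitions, FakeNtSystemDebugControl, and fake_get_proc_address are stand-ins I made up to play the roles of the Windows types, the ntdll export, and GetProcAddress. It shows the function-pointer declaration grammar from the question, the portable way to initialize such a pointer from a resolved address, the NULL check before calling through it, and why writing the address through a DWORD* (the question's second line) loses the upper half of a 64-bit address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the Windows types in the question so the declaration grammar
   compiles with any C compiler (assumption: these are not from <windows.h>). */
typedef long LONG;
typedef uint32_t DWORD;
#define NTAPI /* __stdcall on 32-bit Windows; expands to nothing here */

/* Hypothetical stand-in for the real export: it only checks the command value
   and returns 0 for the one command it "knows" (constructed behaviour). */
static LONG NTAPI FakeNtSystemDebugControl(int cmd, void *in, DWORD in_len,
                                           void *out, DWORD out_len, DWORD *ret_len)
{
    (void)in; (void)in_len; (void)out; (void)out_len;
    if (ret_len != NULL)
        *ret_len = 0;
    return (cmd == 1) ? 0 : -1;
}

/* Toy export table playing the role of ntdll's export directory, with a
   lookup that plays the role of GetProcAddress (both are assumptions). */
struct fake_export { const char *name; void *addr; };

static void *fake_get_proc_address(const char *name)
{
    const struct fake_export exports[] = {
        { "NtSystemDebugControl", (void *)&FakeNtSystemDebugControl },
    };
    size_t i;
    for (i = 0; i < sizeof exports / sizeof exports[0]; i++)
        if (strcmp(exports[i].name, name) == 0)
            return exports[i].addr;
    return NULL;  /* GetProcAddress likewise returns NULL for an unknown name */
}

/* The grammar from the question's first line, as a typedef: a pointer to a
   function returning LONG and taking (int, void*, DWORD, void*, DWORD, DWORD*). */
typedef LONG (NTAPI *NtSystemDebugControl_t)(int, void *, DWORD, void *, DWORD, DWORD *);

/* Portable initialisation: convert the resolved address to the pointer type
   via uintptr_t. Works for both 32- and 64-bit builds. Returns 1 on success. */
int resolve_portably(NtSystemDebugControl_t *fn)
{
    void *addr = fake_get_proc_address("NtSystemDebugControl");
    *fn = (NtSystemDebugControl_t)(uintptr_t)addr;
    return *fn != NULL;
}

/* Why the question's "*(DWORD*)&fn = (DWORD)addr" idiom is fragile: an
   address only survives a round trip through DWORD if it fits in 32 bits. */
int address_fits_in_dword(unsigned long long addr)
{
    return (unsigned long long)(DWORD)addr == addr;
}

/* Resolve, NULL-check, call through the pointer, and hand back the status.
   -2 means the export could not be resolved. */
LONG call_resolved_function(int cmd)
{
    NtSystemDebugControl_t fn;
    DWORD returned = 0;
    if (!resolve_portably(&fn))
        return -2;  /* never call through a NULL function pointer */
    return fn(cmd, NULL, 0, NULL, 0, &returned);
}

int main(void)
{
    /* Constructed sample addresses: one that fits in 32 bits and a typical
       64-bit user-mode address; neither comes from a real process. */
    printf("0x77D10000 fits in DWORD: %d\n", address_fits_in_dword(0x77D10000ULL));
    printf("0x00007FFC12340000 fits in DWORD: %d\n",
           address_fits_in_dword(0x00007FFC12340000ULL));
    printf("call status: %ld\n", (long)call_resolved_function(1));
    return 0;
}
```

The point to take from resolve_portably is that the cast goes from the generic address to the function-pointer type, so the compiler writes the whole pointer regardless of its width; the question's idiom instead writes exactly four bytes into a pointer-sized variable, which is why the first answer says it fails on 64-bit machines.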