快速定位模块
快速定位模块①lm获取基址
start end module name
804d8000 806d0480 nt
②循环读取内存pe头
.for(r@eax=0;@eax<5;r@eax=@eax+1) {dt _IMAGE_SECTION_HEADER 804d8000+poi(804d8000+0x3c)+0xf8+0x28*@eax}
nt!_IMAGE_SECTION_HEADER
+0x000 Name : ".text"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x600
+0x010 SizeOfRawData : 0x6b600
+0x014 PointerToRawData : 0x600
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x68000020
③计算绝对地址
kd> u 804d8000+0x600
nt!_imp__VidInitialize:
804d8600 34a8 xor al,0A8h
804d8602 aa stos byte ptr es:
804d8603 f8 clc
nt!_imp__VidDisplayString:
804d8604 94 xchg eax,esp
804d8605 b6aa mov dh,0AAh
804d8607 f8 clc
nt!_imp__VidSetTextColor:
804d8608 2eac lods byte ptr cs:
804d860a aa stos byte ptr es:
根据此脚本,我第一次惊讶的发现,ntos居然有20个pe节
kd> .for(r@eax=0;@eax<20;r@eax=@eax+1) {dt _IMAGE_SECTION_HEADER 804d8000+poi(804d8000+0x3c)+0xf8+0x28*@eax}
nt!_IMAGE_SECTION_HEADER
+0x000 Name : ".text"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x600
+0x010 SizeOfRawData : 0x6b600
+0x014 PointerToRawData : 0x600
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x68000020
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "POOLMI"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x6bc00
+0x010 SizeOfRawData : 0x1200
+0x014 PointerToRawData : 0x6bc00
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x68000020
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "MISYSPTE"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x6ce00
+0x010 SizeOfRawData : 0x700
+0x014 PointerToRawData : 0x6ce00
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x68000020
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "POOLCODE"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x6d500
+0x010 SizeOfRawData : 0x1300
+0x014 PointerToRawData : 0x6d500
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x68000020
nt!_IMAGE_SECTION_HEADER
+0x000 Name : ".data"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x6e800
+0x010 SizeOfRawData : 0x16f00
+0x014 PointerToRawData : 0x6e800
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0xc8000040
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "INITDATA"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x85700
+0x010 SizeOfRawData : 0x80
+0x014 PointerToRawData : 0x85700
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0xc8000040
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "INITCONS"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x85780
+0x010 SizeOfRawData : 0x1a80
+0x014 PointerToRawData : 0x85780
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x48000040
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "PAGE"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x87200
+0x010 SizeOfRawData : 0xe1200
+0x014 PointerToRawData : 0x87200
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x60000020
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "PAGELK"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x168400
+0x010 SizeOfRawData : 0xe100
+0x014 PointerToRawData : 0x168400
+0x018 PointerToRelocations : 0x80640400
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x60000020
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "PAGEVRFY"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x176500
+0x010 SizeOfRawData : 0xeb00
+0x014 PointerToRawData : 0x176500
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x60000020
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "PAGEWMI"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x185000
+0x010 SizeOfRawData : 0x1800
+0x014 PointerToRawData : 0x185000
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x60000020
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "PAGEKD"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x186800
+0x010 SizeOfRawData : 0x3e00
+0x014 PointerToRawData : 0x186800
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x60000020
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "PAGESPEC"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x18a600
+0x010 SizeOfRawData : 0xe80
+0x014 PointerToRawData : 0x18a600
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x60000020
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "PAGEHDLS"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x18b480
+0x010 SizeOfRawData : 0x1e00
+0x014 PointerToRawData : 0x18b480
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x60000020
nt!_IMAGE_SECTION_HEADER
+0x000 Name : ".edata"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x18d280
+0x010 SizeOfRawData : 0xb600
+0x014 PointerToRawData : 0x18d280
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x40000040
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "PAGEDATA"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x198880
+0x010 SizeOfRawData : 0x1600
+0x014 PointerToRawData : 0x198880
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0xc0000040
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "PAGECONS"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x199e80
+0x010 SizeOfRawData : 0x3080
+0x014 PointerToRawData : 0x199e80
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x40000040
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "PAGEKD"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x19cf00
+0x010 SizeOfRawData : 0xc080
+0x014 PointerToRawData : 0x19cf00
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0xc0000040
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "PAGECONS"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x1a8f80
+0x010 SizeOfRawData : 0x200
+0x014 PointerToRawData : 0x1a8f80
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0xc0000040
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "PAGELKCO"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x1a9180
+0x010 SizeOfRawData : 0x100
+0x014 PointerToRawData : 0x1a9180
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x40000040
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "PAGEVRFC"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x1a9280
+0x010 SizeOfRawData : 0x3480
+0x014 PointerToRawData : 0x1a9280
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x40000040
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "PAGEVRFD"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x1ac700
+0x010 SizeOfRawData : 0x680
+0x014 PointerToRawData : 0x1ac700
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0xc0000040
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "INIT"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x1acd80
+0x010 SizeOfRawData : 0x2ab80
+0x014 PointerToRawData : 0x1acd80
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0xe2000020
nt!_IMAGE_SECTION_HEADER
+0x000 Name : ".rsrc"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x1d7900
+0x010 SizeOfRawData : 0x10600
+0x014 PointerToRawData : 0x1d7900
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x40000040
nt!_IMAGE_SECTION_HEADER
+0x000 Name : ".reloc"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x1e7f00
+0x010 SizeOfRawData : 0x10580
+0x014 PointerToRawData : 0x1e7f00
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0x42000040
nt!_IMAGE_SECTION_HEADER
+0x000 Name : ""
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0
+0x010 SizeOfRawData : 0
+0x014 PointerToRawData : 0
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics: 0
nt!_IMAGE_SECTION_HEADER
+0x000 Name : ""
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0
+0x010 SizeOfRawData : 0
+0x014 PointerToRawData : 0
+0x018 PointerToRelocations : 0xf8aaa834
+0x01c PointerToLinenumbers : 0xf8aab694
+0x020 NumberOfRelocations : 0xac2e
+0x022 NumberOfLinenumbers : 0xf8aa
+0x024 Characteristics: 0xf8aaaa7c
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "???"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0xf8aaa94e
+0x010 SizeOfRawData : 0xf8aab66a
+0x014 PointerToRawData : 0xf8aab634
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0x806ee5d6
+0x020 NumberOfRelocations : 0xe560
+0x022 NumberOfLinenumbers : 0x806e
+0x024 Characteristics: 0x806d86c8
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "???"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x806d3720
+0x010 SizeOfRawData : 0x806d36e0
+0x014 PointerToRawData : 0x806d7b88
+0x018 PointerToRelocations : 0x806d7c18
+0x01c PointerToLinenumbers : 0x806d874c
+0x020 NumberOfRelocations : 0x4d2c
+0x022 NumberOfLinenumbers : 0x806d
+0x024 Characteristics: 0x806d98b8
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "???"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x806d992c
+0x010 SizeOfRawData : 0x806d993c
+0x014 PointerToRawData : 0x806d2628
+0x018 PointerToRelocations : 0x806d872e
+0x01c PointerToLinenumbers : 0x806d86e0
+0x020 NumberOfRelocations : 0x69ee
+0x022 NumberOfLinenumbers : 0x806d
+0x024 Characteristics: 0x806d3cac
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "P<m???"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x806ee0b8
+0x010 SizeOfRawData : 0x806d90be
+0x014 PointerToRawData : 0x806d8fb8
+0x018 PointerToRelocations : 0x806d775c
+0x01c PointerToLinenumbers : 0x806d7778
+0x020 NumberOfRelocations : 0x38f4
+0x022 NumberOfLinenumbers : 0x806d
+0x024 Characteristics: 0x806d77aa
nt!_IMAGE_SECTION_HEADER
+0x000 Name : "???"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x806d86c2
+0x010 SizeOfRawData : 0x806d99b8
+0x014 PointerToRawData : 0x806d61a2
+0x018 PointerToRelocations : 0x806d63ea
+0x01c PointerToLinenumbers : 0x806d54ce
+0x020 NumberOfRelocations : 0x53d0
+0x022 NumberOfLinenumbers : 0x806d
+0x024 Characteristics: 0x806d6458
页:
[1]