How to list all functions of the win32k.sys module?



I'm trying to list all functions of the module win32k.sys (C:\Windows\System32\win32k.sys), but only some of the functions are returned.

For example, if you go to PC Hunter ARK: Ring0 Hooks > Shadow SSDT, you can see at least 825 entries listed (Windows 7 32-bit).


The code below, when executed, returns only 253 entries.

How can I achieve the same result as PC Hunter? I tested this by reading the module's export table — is that the right place to look, or are the majority of those entries imported functions (import table)?

#include <ntddk.h>
#include <windef.h>
#include <ntimage.h>

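/*
 * GetDllFunctionAddress - find a named export in a PE image on disk.
 *
 * Maps the file named by pDllName as an image section (SEC_IMAGE) into the
 * current process, walks its export directory and returns the address of the
 * export whose name equals lpFunctionName (case-insensitive compare).
 *
 * lpFunctionName  NUL-terminated ANSI export name; NULL (or "") matches no
 *                 export, so the call just prints every export name.
 * pDllName        NT object-manager path of the image file.
 *
 * Returns 0 when the file cannot be opened or mapped, has no export directory,
 * the name is not exported, or the export is a forwarder (its RVA points into
 * the export directory itself, i.e. at a "DLL.Func" string, not at code).
 * Otherwise returns the export's address INSIDE THE PRIVATE MAPPING made here;
 * on that path the view is left mapped on purpose (the interface has no way to
 * hand the base back), so the caller must treat the result as a pointer into a
 * read-only copy of the file, not as an address in the live, loaded module.
 * On every failure path the view is unmapped before returning.
 *
 * NOTE(review): DWORD truncates the pointer on 64-bit builds; the code as
 * posted only targets Windows 7 x86.
 * NOTE(review): the "Shadow SSDT" count shown by ARK tools is the size of
 * win32k's system-service dispatch table, which is not the same set as the
 * export directory walked here, so the two counts are not expected to agree.
 */
DWORD GetDllFunctionAddress(char* lpFunctionName, PUNICODE_STRING pDllName)
{
#define SEC_IMAGE 0x1000000
    NTSTATUS status;
    HANDLE hFile = NULL;
    HANDLE hSection = NULL;
    PVOID BaseAddress = NULL;
    SIZE_T viewSize = 0;
    IO_STATUS_BLOCK iosb;
    OBJECT_ATTRIBUTES oa = { sizeof oa, 0, pDllName, OBJ_CASE_INSENSITIVE };
    BYTE* image;
    IMAGE_DOS_HEADER* dosHeader;
    IMAGE_NT_HEADERS* ntHeaders;
    IMAGE_DATA_DIRECTORY* exportDir;
    IMAGE_EXPORT_DIRECTORY* exports;
    DWORD* functionRvas;
    DWORD* nameRvas;
    WORD* nameOrdinals;
    STRING wanted;
    STRING candidate;
    DWORD result = 0;
    DWORD i;

    /* Every Zw* call below was unchecked in the original; a failed open left
     * hFile uninitialised and a failed map dereferenced BaseAddress == NULL. */
    status = ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb,
                        FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
    if (!NT_SUCCESS(status)) {
        DbgPrint("GetDllFunctionAddress: ZwOpenFile failed 0x%08X\n", status);
        return 0;
    }

    /* Anonymous section backed by the file; mapping for read is all we need,
     * so do not ask for SECTION_ALL_ACCESS. */
    oa.ObjectName = 0;
    status = ZwCreateSection(&hSection, SECTION_MAP_READ, &oa, 0,
                             PAGE_EXECUTE, SEC_IMAGE, hFile);
    /* The section object holds its own reference to the file. */
    ZwClose(hFile);
    hFile = NULL;
    if (!NT_SUCCESS(status)) {
        DbgPrint("GetDllFunctionAddress: ZwCreateSection failed 0x%08X\n", status);
        return 0;
    }

    /* Read-only view of the whole image; SEC_IMAGE ignores the commit size. */
    status = ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 0,
                                NULL, &viewSize, ViewUnmap, 0, PAGE_READONLY);
    if (!NT_SUCCESS(status)) {
        DbgPrint("GetDllFunctionAddress: ZwMapViewOfSection failed 0x%08X\n", status);
        ZwClose(hSection);
        return 0;
    }

    image = (BYTE*)BaseAddress;
    dosHeader = (IMAGE_DOS_HEADER*)image;
    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        goto unmap;
    }
    /* The original's "e_lfanew + 24" is exactly &ntHeaders->OptionalHeader. */
    ntHeaders = (IMAGE_NT_HEADERS*)(image + dosHeader->e_lfanew);
    if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) {
        goto unmap;
    }
    exportDir = &ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (exportDir->VirtualAddress == 0 || exportDir->Size == 0) {
        DbgPrint("GetDllFunctionAddress: image has no export directory\n");
        goto unmap;
    }

    exports      = (IMAGE_EXPORT_DIRECTORY*)(image + exportDir->VirtualAddress);
    functionRvas = (DWORD*)(image + exports->AddressOfFunctions);   /* NumberOfFunctions entries */
    nameRvas     = (DWORD*)(image + exports->AddressOfNames);       /* NumberOfNames entries */
    nameOrdinals = (WORD*)(image + exports->AddressOfNameOrdinals); /* NumberOfNames entries */

    DbgPrint("NumberOfFunctions: %u  NumberOfNames: %u\n",
             exports->NumberOfFunctions, exports->NumberOfNames);

    /* RtlInitString tolerates a NULL source and yields an empty string. */
    RtlInitString(&wanted, lpFunctionName);

    /*
     * Walk the NAME tables, so the bound is NumberOfNames, not
     * NumberOfFunctions: the two counts differ whenever some exports are by
     * ordinal only, and the original loop read past the end of the name
     * arrays in that case. Exports without a name are not visible here.
     */
    for (i = 0; i < exports->NumberOfNames; i++) {
        char* name = (char*)(image + nameRvas[i]);
        /* Already a zero-based index into functionRvas (PE spec); the
         * original's "+ Base - 1" is only correct when Base happens to be 1. */
        WORD index = nameOrdinals[i];
        DWORD rva;

        DbgPrint("FuncName: %s (ordinal %u)\n", name, index + exports->Base);

        RtlInitString(&candidate, name);
        if (RtlCompareString(&candidate, &wanted, TRUE) != 0) {
            continue;
        }
        if (index >= exports->NumberOfFunctions) {
            DbgPrint("GetDllFunctionAddress: name ordinal %u out of range\n", index);
            goto unmap;
        }
        rva = functionRvas[index];
        /* An RVA inside the export directory is a forwarder string, not code. */
        if (rva >= exportDir->VirtualAddress &&
            rva < exportDir->VirtualAddress + exportDir->Size) {
            DbgPrint("GetDllFunctionAddress: %s is forwarded to %s\n",
                     name, (char*)(image + rva));
            goto unmap;
        }
        /* Hit: keep the view mapped so the returned address stays valid. */
        result = (DWORD)(ULONG_PTR)(image + rva);
        ZwClose(hSection);
        return result;
    }

unmap:
    ZwUnmapViewOfSection(NtCurrentProcess(), BaseAddress);
    ZwClose(hSection);
    return result;
}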

//---------------------- DriverEntry() -------------------------

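/*
 * DriverEntry fragment: dump win32k.sys's export names.  NULL as the export
 * name matches nothing, so the call only prints the names.  The path goes
 * through the \SystemRoot symbolic link rather than a hard-coded
 * \Device\HarddiskVolume1, which is not guaranteed to be the system volume.
 */
UNICODE_STRING dllName;
RtlInitUnicodeString(&dllName, L"\\SystemRoot\\System32\\win32k.sys");
(void)GetDllFunctionAddress(NULL, &dllName);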

Code of reference
