请问delphi如何获取nt函数的服务号,函数地址+1确实能拿到,但是乱了,我贴出代码,牛牛们帮忙指正下。。。
type
TDWordArray = array [0..$FFFFF] of DWORD;
TWordArray = array [0..$FFFFF] of WORD;
var
dirsize: Cardinal;
imageinfo:LoadedImage;
ped:PImageExportDirectory;
pFunRVAs,pNameRVAs: ^TDWordArray;
i,kiss:Integer;
funName:string;
addre:DWORD;
begin
if MapAndLoad(PAnsiChar('ntdll.dll'),nil,@imageinfo,True,True) then begin
ped:=ImageDirectoryEntryToData(imageinfo.MappedAddress,False,IMAGE_DIRECTORY_ENTRY_EXPORT,dirsize);
pFunRVAs := ImageRvaToVa(imageinfo.FileHeader, imageinfo.MappedAddress,DWORD(ped^.AddressOfFunctions), nil);
pNameRVAs := ImageRvaToVa(imageinfo.FileHeader, imageinfo.MappedAddress,DWORD(ped^.AddressOfNames), nil);
for i := 0 to ped^.NumberOfFunctions -1 do
begin
try
funName:=PChar(ImageRvaToVa(imageinfo.FileHeader, imageinfo.MappedAddress,pNameRVAs^[i], nil));
if Copy(funName,1,2)='Nt' then begin
mmo1.Lines.Add(funName);
addre:=DWORD(ImageRvaToVa(imageinfo.FileHeader,imageinfo.MappedAddress,pFunRVAs^[i],nil));
addre:=addre+1;
mmo1.Lines.Add(IntToHex(PWORD(addre)^,2));
end;
except
end;
end;
UnMapAndLoad(@imageinfo);
end;
end;
我这里的一部分结果
NtAcceptConnectPort
681C
NtAccessCheck
C4
NtAccessCheckAndAuditAlarm
680C
NtAccessCheckByType
6850
NtAccessCheckByTypeAndAuditAlarm
00
NtAccessCheckByTypeResultList
00
NtAccessCheckByTypeResultListAndAuditAlarm
00
NtAccessCheckByTypeResultListAndAuditAlarmByHandle
00
NtAddAtom
01
NtAddBootEntry
02
NtAdjustGroupsToken
03
NtAdjustPrivilegesToken
04
NtAlertResumeThread
05
NtAlertThread
06
NtAllocateLocallyUniqueId
07
NtAllocateUserPhysicalPages
08
NtAllocateUuids
09
NtAllocateVirtualMemory
0A
NtAreMappedFilesTheSame
0B
NtAssignProcessToJobObject
0C
NtCallbackReturn
0D
NtCancelDeviceWakeupRequest
0E
[课程]Android-CTF解题方法汇总!