请问delphi如何获取nt函数的服务号，函数地址+1确实能拿到，但是乱了，我贴出代码，牛牛们帮忙指正下。。。

type
  TDWordArray = array [0..$FFFFF] of DWORD;
  TWordArray = array [0..$FFFFF] of WORD;
var
  dirsize: Cardinal;
  imageinfo:LoadedImage;
  ped:PImageExportDirectory;
  pFunRVAs,pNameRVAs: ^TDWordArray;
  i,kiss:Integer;
  funName:string;
  addre:DWORD;
begin
  if MapAndLoad(PAnsiChar('ntdll.dll'),nil,@imageinfo,True,True) then begin
    ped:=ImageDirectoryEntryToData(imageinfo.MappedAddress,False,IMAGE_DIRECTORY_ENTRY_EXPORT,dirsize);
    pFunRVAs := ImageRvaToVa(imageinfo.FileHeader, imageinfo.MappedAddress,DWORD(ped^.AddressOfFunctions), nil);
    pNameRVAs := ImageRvaToVa(imageinfo.FileHeader, imageinfo.MappedAddress,DWORD(ped^.AddressOfNames), nil);
    for i := 0 to ped^.NumberOfFunctions -1 do
    begin
      try
        funName:=PChar(ImageRvaToVa(imageinfo.FileHeader, imageinfo.MappedAddress,pNameRVAs^[i], nil));
        if Copy(funName,1,2)='Nt' then begin
          mmo1.Lines.Add(funName);
          addre:=DWORD(ImageRvaToVa(imageinfo.FileHeader,imageinfo.MappedAddress,pFunRVAs^[i],nil));
          addre:=addre+1;
          mmo1.Lines.Add(IntToHex(PWORD(addre)^,2));
        end;
      except

      end;

    end;
    UnMapAndLoad(@imageinfo);
  end;
end;

我这里的一部分结果
NtAcceptConnectPort
681C
NtAccessCheck
C4
NtAccessCheckAndAuditAlarm
680C
NtAccessCheckByType
6850
NtAccessCheckByTypeAndAuditAlarm
00
NtAccessCheckByTypeResultList
00
NtAccessCheckByTypeResultListAndAuditAlarm
00
NtAccessCheckByTypeResultListAndAuditAlarmByHandle
00
NtAddAtom
01
NtAddBootEntry
02
NtAdjustGroupsToken
03
NtAdjustPrivilegesToken
04
NtAlertResumeThread
05
NtAlertThread
06
NtAllocateLocallyUniqueId
07
NtAllocateUserPhysicalPages
08
NtAllocateUuids
09
NtAllocateVirtualMemory
0A
NtAreMappedFilesTheSame
0B
NtAssignProcessToJobObject
0C
NtCallbackReturn
0D
NtCancelDeviceWakeupRequest
0E

[课程]Android-CTF解题方法汇总！