-
-
[求助]求证,EPROCESS结构中的Peb指针偏移是这样吗
-
发表于:
2010-5-18 15:16
4573
-
[求助]求证,EPROCESS结构中的Peb指针偏移是这样吗
ntbuildernumber = NtBuildNumber
if (ntbuildernumber > 0x1B58 )
{
if ( ntbuildernumber == 7022
|| ntbuildernumber == 7048
|| ntbuildernumber == 7068
|| ntbuildernumber == 7100
|| ntbuildernumber == 7600 )
pebOffset = 0x1A8u;
}
else
{
switch ( ntbuildernumber )
{
case 0x1B58:
pebOffset = 0x1A0u;
break;
case 0x893:
case 0xA28:
pebOffset = 0x1B0u;
break;
case 0xECE:
pebOffset = (-((unsigned int)CurSerPackVersion > 0) & 0x10) + 400;
break;
default:
if ( ntbuildernumber == 6000
|| (unsigned int)ntbuildernumber > 0x1770 && (unsigned int)ntbuildernumber <= 0x1772 )
pebOffset = 0x188u;
break;
}
}
只有xp系统,不晓得其他是否这样。
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
