Ability: ( LV2,RANK:10 )
Post #2
Found a method for this:
Export the function from ntdll.dll ...
Strange: since ntdll already has it, why is it declared in ntoskrnl.inc?
.386
.model flat, stdcall
option casemap:none
include ..\Macro\strings.mac        ; provides $CTW0 (zero-terminated wide string literal)
include windows.inc
include kernel32.inc
includelib kernel32.lib
;======================================
; Local copy of the UNICODE_STRING layout (word Length, word MaximumLength,
; dword Buffer); named UNICODE_STRINGC so it cannot clash with windows.inc
UNICODE_STRINGC STRUCT
_Length word ?
MaximumLength word ?
Buffer dword ?
UNICODE_STRINGC ENDS
; prototype for the function pointer resolved at run time
_RtlInitUnicodeString typedef proto :dword,:dword
lpRtlInitUnicodeString typedef ptr _RtlInitUnicodeString
.const
dllname db 'ntdll.dll',0
szRtlInitUnicodeString db 'RtlInitUnicodeString',0
.data?
hdll dd ?
RtlInitUnicodeString lpRtlInitUnicodeString ?
SectionName UNICODE_STRINGC <?>     ; use the struct declared above, not UNICODE_STRING
.code
start:
; resolve RtlInitUnicodeString from ntdll.dll at run time instead of
; importing it through ntoskrnl.inc, which is meant for kernel-mode code
invoke LoadLibrary, addr dllname
mov hdll,eax
invoke GetProcAddress, hdll, addr szRtlInitUnicodeString
.if eax == 0
    invoke ExitProcess, 1           ; export not found, nothing to call
.endif
mov RtlInitUnicodeString,eax
invoke RtlInitUnicodeString, addr SectionName, $CTW0("\\Devices\\PhysicalMemory")
invoke ExitProcess, 0               ; the original fell off the end of start
end start
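What RtlInitUnicodeString actually does to the UNICODE_STRING the listing above fills in, as an added portable C model (not ntdll's code and not from this post): lengths are counted in bytes, the buffer is aliased rather than copied, a NULL source gives an empty string, and the 16-bit Length field silently truncates over-long input. UNICODE_STRING16, check_init and demo_truncation are names chosen here, and the 0xFFFC payload cap is an assumption derived from the 0xFFFE maximum the 16-bit MaximumLength field can hold.

```c
#include <stdint.h>
#include <stddef.h>
/* Same layout as UNICODE_STRINGC in the listing above (word/word/dword on 32-bit).
   Both lengths are BYTES: Length excludes the UTF-16 terminator, MaximumLength includes it. */
typedef struct {
    uint16_t  Length;
    uint16_t  MaximumLength;
    uint16_t *Buffer;
} UNICODE_STRING16;
/* assumption: 0xFFFE bytes of storage at most, so 0xFFFC bytes of payload */
#define UNICODE_STRING_MAX_LENGTH 0xFFFCu
static size_t u16len(const uint16_t *s) { size_t n = 0; while (s[n]) n++; return n; }

/* Portable model of RtlInitUnicodeString (not ntdll's code): nothing is copied,
   Buffer aliases the caller's wide string, NULL gives an empty string, and an
   over-long source is silently truncated. Returns 1 on truncation, else 0. */
int rtl_init_unicode_string(UNICODE_STRING16 *dst, uint16_t *src)
{
    size_t bytes;
    int truncated = 0;
    if (src == NULL) {
        dst->Length = dst->MaximumLength = 0;
        dst->Buffer = NULL;
        return 0;
    }
    bytes = u16len(src) * sizeof(uint16_t);
    if (bytes > UNICODE_STRING_MAX_LENGTH) {
        bytes = UNICODE_STRING_MAX_LENGTH;
        truncated = 1;
    }
    dst->Length = (uint16_t)bytes;
    dst->MaximumLength = (uint16_t)(bytes + sizeof(uint16_t));
    dst->Buffer = src;
    return truncated;
}

/* Returns 1 if initialising from src yields exactly the expected fields. */
int check_init(uint16_t *src, int want_trunc, unsigned want_len, unsigned want_max)
{
    UNICODE_STRING16 us;
    int trunc = rtl_init_unicode_string(&us, src);
    return trunc == want_trunc && us.Length == want_len && us.MaximumLength == want_max && us.Buffer == src;
}

/* Edge case: a constructed 40000-unit source is truncated to 0xFFFC/0xFFFE. */
int demo_truncation(void)
{
    static uint16_t big[40001];
    for (size_t i = 0; i < 40000; i++) big[i] = 'x';
    big[40000] = 0;
    return check_init(big, 1, 0xFFFC, 0xFFFE);
}
```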
Ability: ( LV9,RANK:330 )
Post #3
ntoskrnl is in R0 mode
ntdll is R3
R3 code cannot call R0 code directly