[求助]X64找SSDT疑惑(结贴吧)
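/*
 * Locate the x64 KeServiceDescriptorTable (SSDT) by signature scan.
 *
 * On x64 KeServiceDescriptorTable is not exported, so this routine walks a
 * region of the loaded kernel image looking for the first bytes of
 * KiSystemServiceStart and then decodes the RIP-relative displacement of the
 * first `lea r8..r15, [rip+disp32]` (REX.W|R = 0x4C, opcode 0x8D) that
 * follows it. The posted comment called this "lea rdx"; 0x4C sets REX.R, so
 * the destination is an extended register -- presumably the
 * `lea r10, [KeServiceDescriptorTable]` of KiSystemServiceRepeat, which
 * should be confirmed against the target kernel build before relying on it.
 *
 * Scan boundaries (the two lines the poster marked with ×): _strnicmp and
 * KdDebuggerNotPresent are both exported by ntoskrnl, so a driver obtains
 * their addresses through its import table at load time without having to
 * resolve any unexported symbol. They were chosen empirically as two exports
 * that bracket the unexported KiSystemServiceStart in the kernel builds the
 * author tested. That is a property of particular builds, not an
 * architectural guarantee: re-check the bracket (e.g. WinDbg
 * `x nt!KiSystemServiceStart`, `x nt!_strnicmp`, `x nt!KdDebuggerNotPresent`)
 * before running this on any other kernel.
 *
 * Returns the linear address the lea resolves to (the SSDT), or 0 when the
 * signature was not found inside the range.
 *
 * Fixes relative to the posted version:
 *  - the signature is 13 bytes; memcmp(..., 14) also compared the array's
 *    NUL terminator with the byte after `and eax,0FFFh`, which only matches
 *    if that byte happens to be 0x00 (it is the next instruction's first byte);
 *  - the loop bound End - Start was unsigned, so End < Start (a wrong
 *    bracket) would scan ~2^64 bytes; every read is now kept inside
 *    [Start, End), including the 7-byte lea decode near the end;
 *  - a 4C 8D candidate must be RIP-relative (ModRM mod=00, rm=101) before
 *    the disp32 at offset 3 is trusted; otherwise the scan continues.
 * There is still no check that every page in the range is resident; a
 * kernel-mode access to a non-present address is typically a bugcheck and is
 * not caught by __try/__except.
 *
 * NOTE(review): writing to the table this returns on x64 is detected by
 * Kernel Patch Protection (PatchGuard) and bugchecks the machine; treat the
 * result as read-only for inspection.
 */
ULONGLONG GetKeServiceDescriptorTable64(void)
{
	/* mov edi,eax / shr edi,7 / and edi,20h / and eax,0FFFh */
	static const unsigned char KiSystemServiceStart_pattern[] =
		"\x8B\xF8\xC1\xEF\x07\x83\xE7\x20\x25\xFF\x0F\x00\x00";
	const ULONGLONG pattern_len = sizeof(KiSystemServiceStart_pattern) - 1; /* exclude NUL */
	const ULONGLONG lea_len = 7;     /* REX + 8D + ModRM + disp32 */
	const ULONGLONG lea_window = 50; /* bytes from signature start in which the lea must appear */

	ULONGLONG scan_start = (ULONGLONG)&_strnicmp;
	ULONGLONG scan_end = (ULONGLONG)&KdDebuggerNotPresent;
	ULONGLONG i;

	/* Bracket assumption violated on this kernel: refuse rather than wrap. */
	if (scan_end < scan_start || scan_end - scan_start < pattern_len)
		return 0;

	for (i = scan_start; i + pattern_len <= scan_end; i++) {
		ULONGLONG j;

		if (memcmp((const void *)i, KiSystemServiceStart_pattern, pattern_len) != 0)
			continue;

		/* First RIP-relative `lea r8..r15` after the signature. */
		for (j = i + pattern_len; j < i + lea_window && j + lea_len <= scan_end; j++) {
			const unsigned char *q = (const unsigned char *)j;
			LONG disp;

			if (q[0] != 0x4C || q[1] != 0x8D || (q[2] & 0xC7) != 0x05)
				continue;

			/* disp32 is unaligned; copy instead of dereferencing a LONG*. */
			memcpy(&disp, q + 3, sizeof disp);
			/* RIP-relative: target = address of next instruction + sign-extended disp32. */
			return (ULONGLONG)((LONGLONG)(j + lea_len) + disp);
		}
	}
	return 0;
}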
为什么扫描范围要取在 × 号标记处的这两个地址（CodeScanStart = &_strnicmp，CodeScanEnd = &KdDebuggerNotPresent）？求解释，谢谢。