[Old post] [Help] Blue screen when getting a Shadow SSDT function address?
Posted: 2012-11-28 15:35
PULONG getAddressOfShadowTable()
{
    PULONG p;
    // Compatible with XP, 2003 and Win7
    // nt!KeAddSystemServiceTable+0x1a:
    // 83de0022 8d8840dbdb83 lea ecx,nt!KeServiceDescriptorTableShadow (83dbdb40)[eax]
    // 83de0028 833900 cmp dword ptr [ecx],0
    // 83de002b 7546 jne nt!KeAddSystemServiceTable+0x6b (83de0073)
    // 8d 88 is two bytes, hence +2
    p = (PULONG)((ULONG)KeAddSystemServiceTable + 0x1a + 2);
    return (PULONG)(*p);
}

ULONG getShadowTable()
{
    KeServiceDescriptorTableShadow = (PServiceDescriptorTableEntry) getAddressOfShadowTable();
    DbgPrint("NumberOfServices: %d", KeServiceDescriptorTableShadow[1].NumberOfServices); // <- this line prints the number of Shadow SSDT functions normally
    DbgPrint("addrFunc: %X", KeServiceDescriptorTableShadow->ServiceTableBase[1]); // <- this line blue-screens immediately
    return TRUE;
}
Urgent, urgent, urgent! Newcomer asking for help.
Solved! See the reply on the fifth floor for the solution.
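
The `+ 0x1a + 2` arithmetic in the post's comments reads a 32-bit displacement out of a `lea ecx,[eax+disp32]` instruction at a fixed offset. As an added example (not the poster's code, and not the fix referred to on the fifth floor), this user-mode C code checks for the opcode bytes quoted in the post before reading the displacement; `find_shadow_table_disp` and `sample_code` are hypothetical names, and the bytes are constructed from the disassembly quoted above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the three instructions quoted in the post, preceded by
   two NOP bytes so the pattern does not sit at offset 0. */
static const uint8_t sample_code[] = {
    0x90, 0x90,
    0x8d, 0x88, 0x40, 0xdb, 0xdb, 0x83,   /* lea ecx,[eax+83dbdb40h] */
    0x83, 0x39, 0x00,                     /* cmp dword ptr [ecx],0   */
    0x75, 0x46                            /* jne +46h                */
};

/* Hypothetical helper: scan `len` bytes for  8D 88 disp32  immediately
   followed by  83 39 00  and store disp32 in *out.
   Returns 1 on a match, 0 if the pattern is absent or the buffer is too short. */
int find_shadow_table_disp(const uint8_t *code, size_t len, uint32_t *out)
{
    static const uint8_t cmp_ecx_0[] = { 0x83, 0x39, 0x00 };
    const size_t need = 2 + 4 + sizeof cmp_ecx_0;
    size_t i;

    if (code == NULL || out == NULL || len < need)
        return 0;
    for (i = 0; i + need <= len; i++) {
        if (code[i] != 0x8d || code[i + 1] != 0x88)
            continue;
        if (memcmp(code + i + 6, cmp_ecx_0, sizeof cmp_ecx_0) != 0)
            continue;
        /* x86 immediates are little-endian; assemble byte-wise (no unaligned read) */
        *out = (uint32_t)code[i + 2] | (uint32_t)code[i + 3] << 8 |
               (uint32_t)code[i + 4] << 16 | (uint32_t)code[i + 5] << 24;
        return 1;
    }
    return 0;
}

int main(void)
{
    uint32_t disp;
    if (find_shadow_table_disp(sample_code, sizeof sample_code, &disp))
        printf("disp32 = %08x\n", (unsigned)disp);
    else
        printf("pattern not found, refusing to dereference\n");
    return 0;
}
```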