Unresolved
[Bounty] The oft-discussed SSDT
2.00 snowflakes
Posted on: 2017-4-10 18:59
In combojiang's (the expert's) code for obtaining the original SSDT address:
    // our own export walker is useless here - we have GetProcAddress :)
    if (!(dwKSDT=(DWORD)GetProcAddress(hKernel,"KeServiceDescriptorTable"))) {
        printf("Can't find KeServiceDescriptorTable\n");
        return;
    }
    // get KeServiceDescriptorTable rva
    dwKSDT-=(DWORD)hKernel;

    // ... later, inside the base-relocation walk, for each reloc entry:
    // DONT_RESOLVE_DLL_REFERENCES flag means relocs aren't fixed
    dwPointsToRva=*(PDWORD)((DWORD)hModule+dwPointerRva)-(DWORD)poh->ImageBase;
    // does this reloc point to KeServiceDescriptorTable.Base?
    if (dwPointsToRva==dwKSDT) {
        // check for mov [mem32],imm32. we are trying to find
        // "mov ds:_KeServiceDescriptorTable.Base, offset _KiServiceTable"
        // from the KiInitSystem.
        ...
    }
dwKSDT should be an offset relative to the real load address? dwPointsToRva is an offset relative to ImageBase, that is, relative to the ideal (preferred) load address? Why can these two be compared?
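As an added example (not part of this post and not combojiang's code), the following Python reproduces the relocation-walking technique the quoted C relies on, over a constructed in-memory image instead of a real ntoskrnl.exe: it walks a base-relocation block, computes for each HIGHLOW slot the RVA it points to by subtracting the preferred ImageBase (the same subtraction as `dwPointsToRva`), matches that against the RVA of KeServiceDescriptorTable, and checks for the preceding `C7 05` opcode (`mov [mem32], imm32`) before reading the imm32 that names KiServiceTable. Every address, the buffer layout and the names `build_sample_image`, `iter_relocs` and `find_kiservicetable` are constructed for the example. Both sides of the comparison are RVAs: `GetProcAddress` minus the module handle strips the actual load base, and an unapplied relocation slot holds `ImageBase + RVA`, so subtracting the preferred ImageBase strips the preferred base; that is why the two values are directly comparable.

```python
import struct

# Constructed sample values standing in for the real ntoskrnl.exe fields.
IMAGE_BASE = 0x00400000          # preferred base from the optional header
KSDT_RVA = 0x1800                # RVA of KeServiceDescriptorTable
KISERVICETABLE_RVA = 0x1C00      # RVA of KiServiceTable (what we want to find)
IMAGE_REL_BASED_HIGHLOW = 3      # 32-bit absolute pointer relocation type


def build_sample_image():
    """Build a fake image as if mapped with DONT_RESOLVE_DLL_REFERENCES:
    relocations are NOT applied, so every pointer still holds ImageBase + RVA.
    Returns (image_bytes, reloc_dir_rva, reloc_dir_size)."""
    img = bytearray(0x3000)
    # Code at RVA 0x1000: mov ds:[KeServiceDescriptorTable.Base], offset KiServiceTable
    # encoded as C7 05 <disp32> <imm32>; both operands are absolute VAs, hence relocs.
    code_rva = 0x1000
    img[code_rva:code_rva + 2] = b"\xC7\x05"
    struct.pack_into("<I", img, code_rva + 2, IMAGE_BASE + KSDT_RVA)
    struct.pack_into("<I", img, code_rva + 6, IMAGE_BASE + KISERVICETABLE_RVA)
    # An unrelated pointer (no mov opcode in front) to show the filters work.
    struct.pack_into("<I", img, 0x1100, IMAGE_BASE + 0x2222)
    # One base-relocation block for the 4 KiB page at RVA 0x1000:
    # header (VirtualAddress, SizeOfBlock) followed by WORD entries (type:4 | offset:12).
    entries = [(IMAGE_REL_BASED_HIGHLOW, 0x002), (IMAGE_REL_BASED_HIGHLOW, 0x006),
               (IMAGE_REL_BASED_HIGHLOW, 0x100), (0, 0)]  # trailing ABSOLUTE pad entry
    reloc_rva = 0x2000
    block = struct.pack("<II", 0x1000, 8 + 2 * len(entries))
    block += b"".join(struct.pack("<H", (t << 12) | off) for t, off in entries)
    img[reloc_rva:reloc_rva + len(block)] = block
    return bytes(img), reloc_rva, len(block)


def iter_relocs(img, reloc_rva, reloc_size):
    """Yield the RVA of every HIGHLOW pointer slot listed in the relocation directory."""
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page_rva, size = struct.unpack_from("<II", img, pos)
        if size < 8:
            break  # malformed block; stop rather than loop forever
        for off in range(pos + 8, pos + size, 2):
            (entry,) = struct.unpack_from("<H", img, off)
            typ, offset = entry >> 12, entry & 0xFFF
            if typ == IMAGE_REL_BASED_HIGHLOW:
                yield page_rva + offset
        pos += size


def find_kiservicetable(img, image_base, reloc_rva, reloc_size, ksdt_rva):
    """Return the RVA of KiServiceTable, or None if no matching store is found."""
    for ptr_rva in iter_relocs(img, reloc_rva, reloc_size):
        (va,) = struct.unpack_from("<I", img, ptr_rva)
        points_to_rva = va - image_base          # unapplied reloc: VA is ImageBase-relative
        if points_to_rva != ksdt_rva:
            continue
        # Only accept "mov [mem32], imm32": opcode C7 05 immediately before the disp32.
        if ptr_rva >= 2 and img[ptr_rva - 2:ptr_rva] == b"\xC7\x05":
            (imm,) = struct.unpack_from("<I", img, ptr_rva + 4)
            return imm - image_base              # imm32 is also ImageBase-relative
    return None


if __name__ == "__main__":
    img, rr, rs = build_sample_image()
    found = find_kiservicetable(img, IMAGE_BASE, rr, rs, KSDT_RVA)
    print("KiServiceTable RVA: %#x" % found)
```

Running it against the constructed image prints `KiServiceTable RVA: 0x1c00`; pointing the search at the unrelated slot (target RVA 0x2222) returns `None` because the opcode check fails, which is the same filter that keeps the original code from matching stray data references to KeServiceDescriptorTable.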