Unresolved
How do I get the KeServiceDescriptorTableShadow address on Win10 1809 or later?
Posted: 2020-4-30 06:49
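#include <ntddk.h>
#include <intrin.h>

// Scans the code at the syscall entry point (IA32_LSTAR) for the byte
// pattern 4C 8D 1D (lea r11, [rip+disp32]) and resolves the RIP-relative target.
ULONG64 GetKeServiceDescriptorTableShadow64()
{
    PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082); // IA32_LSTAR
    PUCHAR EndSearchAddress = StartSearchAddress + 0x500;
    PUCHAR i = NULL;
    UCHAR b1 = 0, b2 = 0, b3 = 0;
    LONG templong = 0; // disp32 is a signed displacement
    ULONG64 addr = 0;
    for (i = StartSearchAddress; i < EndSearchAddress; i++)
    {
        // i + 6 is checked as well because the 4-byte displacement is read below
        if (MmIsAddressValid(i) && MmIsAddressValid(i + 1) && MmIsAddressValid(i + 2) && MmIsAddressValid(i + 6))
        {
            b1 = *i;
            b2 = *(i + 1);
            b3 = *(i + 2);
            if (b1 == 0x4c && b2 == 0x8d && b3 == 0x1d) // 4c8d1d
            {
                memcpy(&templong, i + 3, 4);
                // target = address of the next instruction (i + 7) + signed disp32
                addr = (ULONG64)(i + 7) + (LONG64)templong;
                return addr;
            }
        }
    }
    return addr; // 0 if the pattern was not found
}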
This method no longer works.