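// Locate the in-memory base address and mapped size of the kernel image (nt)
// from inside a kernel driver.
//
// Method: MmGetSystemRoutineAddress begins with a RIP-relative
// `mov rcx, [rip+disp32]` (opcode bytes 48 8B 0D + disp32) whose operand is a
// pointer slot holding the nt image base.  The first 0x30 bytes of the
// routine are scanned for that opcode sequence, the RIP-relative target is
// resolved, the pointer stored there is read, and the PE headers at that
// address are validated before anything is returned to the caller.
//
// Parameters:
//   ntBase - out: image base of nt.  Left untouched on failure.
//   ntSize - out: OptionalHeader.SizeOfImage of nt.  Left untouched on failure.
// Returns true on success; false if an out-pointer is null, the opcode
// pattern is not found within the scan window, or the headers do not look
// like a valid PE image.
//
// NOTE(review): the byte pattern depends on the compiled prologue of the
// routine and is x64-specific.  A different build/compiler output makes the
// scan fail closed (return false) rather than return a wrong address, which
// is the intended behaviour; callers must handle the false return.
BOOL GetNtInformation(ULONG_PTR* ntBase, ULONG_PTR* ntSize)
{
    if (!ntBase || !ntSize)
        return false;

    enum {
        kScanBytes  = 0x30,   // prologue window searched for the mov
        kInsnLength = 7,      // 48 8B 0D + disp32 -> next instruction is at +7
        kDispOffset = 3,      // disp32 follows the three opcode bytes
        kDosMagic   = 0x5A4D, // 'MZ' (IMAGE_DOS_SIGNATURE)
        kMaxLfanew  = 0x1000  // e_lfanew past the first page is not a plausible nt header
    };

    const PUCHAR code = (PUCHAR)(ULONG_PTR)MmGetSystemRoutineAddress;

    // Resolve the RIP-relative operand: target = address of next insn + disp32
    // (sign-extended).  Note the disp32 read touches bytes up to i + 6.
    LARGE_INTEGER ptrSlot = { 0 };
    for (unsigned int i = 0; i < kScanBytes; i++) {
        if (code[i] == 0x48 && code[i + 1] == 0x8B && code[i + 2] == 0x0D) {
            ptrSlot.QuadPart = (ULONG_PTR)&code[i + kInsnLength];
            // Apply the sign-extended displacement to the full 64-bit value.
            // Adding it to LowPart alone would drop the carry/borrow into
            // HighPart for a negative displacement or a 4 GiB boundary cross.
            ptrSlot.QuadPart += *(LONG*)&code[i + kDispOffset];
            break;
        }
    }
    if (!ptrSlot.QuadPart)
        return false;

    // The slot holds the candidate nt image base; validate the DOS header and
    // the e_lfanew range before following it to the NT headers.
    PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)(*(ULONG_PTR*)ptrSlot.QuadPart);
    if (!dos || dos->e_magic != kDosMagic)
        return false;
    if (dos->e_lfanew <= 0 || dos->e_lfanew > kMaxLfanew)
        return false;

    PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((ULONG_PTR)dos + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE)
        return false;

    // NOTE(review): kernel-mode SEH does not catch faults on invalid
    // kernel-mode addresses, so this block only guards the stores through the
    // caller-supplied out-pointers, not the header reads above.
    __try {
        *ntBase = (ULONG_PTR)dos;
        *ntSize = nt->OptionalHeader.SizeOfImage;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return false;
    }
    return true;
}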