-
-
[求助]ssdt的索引值问题
-
2008-4-26 19:43
-
如果一个函数最后是像下面调用:
; __stdcall NtUserSetWindowsHookEx(x, x, x, x, x, x)
_NtUserSetWindowsHookEx@24 proc near
mov eax, 1225h ;超出了我ssdt(ntoskrlpa)索引值,比如我的(见后面)才129h
mov edx, 7FFE0300h
call dword ptr [edx]
retn 18h
_NtUserSetWindowsHookEx@24 endp
lkd> dd keservicedescriptortable
8087b180 847a51a8 00000000 00000129 848379b0
8087b190 00000000 00000000 00000000 00000000
8087b1a0 00000000 00000000 00000000 00000000
8087b1b0 00000000 00000000 00000000 00000000
8087b1c0 00002710 bf80db87 00000000 00000000
8087b1d0 f3e91a80 f36659e0 841020f4 80a11f40
8087b1e0 00000000 00000000 00000000 00000000
8087b1f0 277d3640 01c8a787 00000000 00000000
Windows是怎么处理的?
; __stdcall NtUserSetWindowsHookEx(x, x, x, x, x, x)
_NtUserSetWindowsHookEx@24 proc near
mov eax, 1225h ;超出了我ssdt(ntoskrlpa)索引值,比如我的(见后面)才129h
mov edx, 7FFE0300h
call dword ptr [edx]
retn 18h
_NtUserSetWindowsHookEx@24 endp
lkd> dd keservicedescriptortable
8087b180 847a51a8 00000000 00000129 848379b0
8087b190 00000000 00000000 00000000 00000000
8087b1a0 00000000 00000000 00000000 00000000
8087b1b0 00000000 00000000 00000000 00000000
8087b1c0 00002710 bf80db87 00000000 00000000
8087b1d0 f3e91a80 f36659e0 841020f4 80a11f40
8087b1e0 00000000 00000000 00000000 00000000
8087b1f0 277d3640 01c8a787 00000000 00000000
Windows是怎么处理的?
[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界
