typedef struct _SYSTEM_SERVICE_TABLE // layout of one 16-byte slot (commonly used reverse-engineered field names)
{
    PULONG ServiceTableBase;        // array of service routine addresses
    PULONG ServiceCounterTableBase; // call counters, 00000000 in the dump below
    ULONG  NumberOfServices;        // number of entries in ServiceTableBase
    PUCHAR ParamTableBase;          // bytes of stack arguments per service
} SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE;
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
    SYSTEM_SERVICE_TABLE ntoskrnl; // ntoskrnl.exe ( native api )
    SYSTEM_SERVICE_TABLE win32k;   // win32k.sys (gdi/user support)
    SYSTEM_SERVICE_TABLE Table3;   // not used
    SYSTEM_SERVICE_TABLE Table4;   // not used
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
The System process cannot access the Win32k service table:
kd> dd KeServiceDescriptorTableShadow
8055ab40 804e3d20 00000000 0000011c 804d9f48
8055ab50 bf997600 00000000 0000029b bf998310
8055ab60 00000000 00000000 00000000 00000000
8055ab70 00000000 00000000 00000000 00000000
8055ab80 804e3d20 00000000 0000011c 804d9f48
8055ab90 00000000 00000000 00000000 00000000
8055aba0 00000000 00000000 00000000 00000000
8055abb0 00000000 00000000 00000000 00000000
kd> dd bf997600
bf997600 ???????? ???????? ???????? ????????
bf997610 ???????? ???????? ???????? ????????
bf997620 ???????? ???????? ???????? ????????
bf997630 ???????? ???????? ???????? ????????
bf997640 ???????? ???????? ???????? ????????
bf997650 ???????? ???????? ???????? ????????
bf997660 ???????? ???????? ???????? ????????
bf997670 ???????? ???????? ???????? ????????
Only after switching to another process can the Win32k service table be seen:
kd> .Process 81d253f8
Implicit process is now 81d253f8
WARNING: .cache forcedecodeuser is not enabled
kd> dd bf997600
bf997600 bf934ffe bf946a92 bf8bf295 bf93e718
bf997610 bf9480a9 bf935262 bf935307 bf839cb5
bf997620 bf9479d0 bf933a9d bf947fc8 bf90e7e0
bf997630 bf88e5fe bf80ba4f bf947e9a bf949694
bf997640 bf88d61c bf8a2669 bf947f78 bf9497c7
bf997650 bf81c2fc bf858a31 bf8daf38 bf8e6821
bf997660 bf90fa14 bf80e2f2 bf8fad2a bf94948e
bf997670 bf94a38b bf8102e8 bf80c235 bf8c5a6d
I cannot figure out the reason. Even though the System process has nothing to do with GDI (perhaps System simply never uses it), I would think the Win32k service table is global and should be visible from there as well?
I hope some expert can point me in the right direction.
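An added example, not from the post or its author: a small Python parser for the kd `dd` output shown above. It decodes the four SYSTEM_SERVICE_TABLE slots of KeServiceDescriptorTableShadow at 8055ab40 and counts how many of the dumped win32k entries came back as ???????? (unreadable in the process context the dump was taken from). The rows are embedded as constructed sample input copied from the session above; the field names are the commonly used reverse-engineered ones, an assumption rather than anything the post states.

```python
from collections import namedtuple

# Constructed sample input: kd `dd` rows quoted in the post above.
# KeServiceDescriptorTableShadow (4 rows = 4 x SYSTEM_SERVICE_TABLE, 16 bytes each):
DD_SHADOW = """
8055ab40 804e3d20 00000000 0000011c 804d9f48
8055ab50 bf997600 00000000 0000029b bf998310
8055ab60 00000000 00000000 00000000 00000000
8055ab70 00000000 00000000 00000000 00000000
"""
# Start of the win32k table in the System process context ('?' = unreadable):
DD_WIN32K_SYSTEM = """
bf997600 ???????? ???????? ???????? ????????
bf997610 ???????? ???????? ???????? ????????
"""
# The same addresses after `.process 81d253f8`:
DD_WIN32K_OTHER = """
bf997600 bf934ffe bf946a92 bf8bf295 bf93e718
bf997610 bf9480a9 bf935262 bf935307 bf839cb5
"""
# Assumed field names for one 16-byte SYSTEM_SERVICE_TABLE slot.
SystemServiceTable = namedtuple("SystemServiceTable",
    "service_table_base counter_table_base number_of_services param_table_base")

def parse_dd(text):
    """Map address -> dword for every token of `dd` output; '????????' -> None."""
    mem = {}
    for line in text.strip().splitlines():
        addr, *dwords = line.split()
        for i, tok in enumerate(dwords):
            mem[int(addr, 16) + 4 * i] = None if tok.startswith("?") else int(tok, 16)
    return mem

def read_descriptor_table(mem, addr):
    """Decode the four SYSTEM_SERVICE_TABLE slots of a SERVICE_DESCRIPTOR_TABLE."""
    return [SystemServiceTable(*(mem[addr + 16 * i + 4 * j] for j in range(4)))
            for i in range(4)]

def unmapped_entries(mem, table):
    """(unreadable, examined) over the dumped slots of table's service array.
    Unreadable means kd could not map that page in the current process context."""
    base, count = table.service_table_base, table.number_of_services
    seen = [mem[a] for a in range(base, base + 4 * count, 4) if a in mem]
    return sum(v is None for v in seen), len(seen)

def describe_shadow(shadow_text, win32k_text, shadow_addr=0x8055ab40):
    mem = {**parse_dd(shadow_text), **parse_dd(win32k_text)}
    ntoskrnl, win32k = read_descriptor_table(mem, shadow_addr)[:2]
    bad, seen = unmapped_entries(mem, win32k)
    return {"ntoskrnl_services": ntoskrnl.number_of_services,
            "win32k_base": win32k.service_table_base,
            "win32k_services": win32k.number_of_services,
            "win32k_unmapped": bad, "win32k_examined": seen}
```

Running `describe_shadow(DD_SHADOW, DD_WIN32K_SYSTEM)` reports all eight dumped win32k slots as unreadable, while the same call with `DD_WIN32K_OTHER` reports none, which is exactly the difference the two kd sessions above show.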