[Old post] [Help] A question for 堕落的天才 and the other experts familiar with ring0
Posted: 2009-3-7 19:52

The service ID entering sysenter is 0x7A (XP SP2). The system then looks up KeServiceDescriptorTable, roughly like this: KeServiceDescriptorTable.ntoskrnl.ServiceTableBase (804e3d20) + 0x7A * 4 = 804E3F08, and 804E3F08 -> 8057559e, which is where the OpenProcess system service function lives. Let's keep tracing:

"The system then looks up KeServiceDescriptorTable" -- how do you actually view this lookup? Heh, I don't get it.

Article source: http://bbs.pediy.com/showthread.php?p=285856#poststop

SSDT service numbers are fixed; you can view them with IceSword (冰刃). For example, here is the SSDT dumped from my machine:
SSDT(System Services Descriptor Table)
KernelBase = 0x804D8000, KernelName = ntkrnlpa.exe
------------------------------------------------------------------
0x0000 0x805A44BC 0x805A44BC NtAcceptConnectPort
0x0001 0x805F07EA 0x805F07EA NtAccessCheck
0x0002 0x805F4020 0x805F4020 NtAccessCheckAndAuditAlarm
0x0003 0x805F081C 0x805F081C NtAccessCheckByType
0x0004 0x805F405A 0x805F405A NtAccessCheckByTypeAndAuditAlarm
0x0005 0x805F0852 0x805F0852 NtAccessCheckByTypeResultList
0x0006 0x805F409E 0x805F409E NtAccessCheckByTypeResultListAndAuditAlarm
0x0007 0x805F40E2 0x805F40E2 NtAccessCheckByTypeResultListAndAuditAlarmByHandle
0x0008 0x8061501C 0x8061501C NtAddAtom
0x0009 0x80615D5E 0x80615D5E NtAddBootEntry
0x000A 0x805EBB9A 0x805EBB9A NtAdjustGroupsToken
0x000B 0x805EB7F2 0x805EB7F2 NtAdjustPrivilegesToken
0x000C 0x805D4816 0x805D4816 NtAlertResumeThread
0x000D 0x805D47C6 0x805D47C6 NtAlertThread
0x000E 0x80615642 0x80615642 NtAllocateLocallyUniqueId
0x000F 0x805B5DAE 0x805B5DAE NtAllocateUserPhysicalPages
0x0010 0x80614C5E 0x80614C5E NtAllocateUuids
0x0011 0x805A8946 0x805A8946 NtAllocateVirtualMemory
0x0012 0x805B03C6 0x805B03C6 NtAreMappedFilesTheSame
0x0013 0x805D62DA 0x805D62DA NtAssignProcessToJobObject
0x0014 0x8050286C 0x8050286C NtCallbackReturn
0x0015 0x80615D50 0x80615D50 NtCancelDeviceWakeupRequest
0x0016 0x80576A2E 0x80576A2E NtCancelIoFile
0x0017 0x805399AC 0x805399AC NtCancelTimer
0x0018 0x8060E24C 0x8060E24C NtClearEvent
0x0019 0x805BC328 0x805BC328 NtClose
0x001A 0x805F455A 0x805F455A NtCloseObjectAuditAlarm
0x001B 0x8062314E 0x8062314E NtCompactKeys
0x001C 0x805F8A4C 0x805F8A4C NtCompareTokens
0x001D 0x805A4BAA 0x805A4BAA NtCompleteConnectPort
0x001E 0x806233A2 0x806233A2 NtCompressKey
0x001F 0x805A445C 0x805A445C NtConnectPort
0x0020 0x80545C4C 0x80545C4C NtContinue
0x0021 0x80641528 0x80641528 NtCreateDebugObject
0x0022 0x805BE1DC 0x805BE1DC NtCreateDirectoryObject
0x0023 0x8060E29C 0x8060E29C NtCreateEvent
0x0024 0x806165D4 0x806165D4 NtCreateEventPair
0x0025 0x80578F8E 0x80578F8E NtCreateFile
0x0026 0x8057896C 0x8057896C NtCreateIoCompletion
0x0027 0x805D529E 0x805D529E NtCreateJobObject
0x0028 0x805D4FD6 0x805D4FD6 NtCreateJobSet
0x0029 0xBA6C00D0 [0x8062357E] NtCreateKey
0x002A 0x8057909C 0x8057909C NtCreateMailslotFile
0x002B 0x806169CC 0x806169CC NtCreateMutant
0x002C 0x80578FC8 0x80578FC8 NtCreateNamedPipeFile
0x002D 0x805AB87C 0x805AB87C NtCreatePagingFile
0x002E 0x805A4F78 0x805A4F78 NtCreatePort
0x002F 0x805D0F26 0x805D0F26 NtCreateProcess
0x0030 0x805D0E70 0x805D0E70 NtCreateProcessEx
0x0031 0x80616DEC 0x80616DEC NtCreateProfile
0x0032 0x805AB256 0x805AB256 NtCreateSection
0x0033 0x8061437C 0x8061437C NtCreateSemaphore
0x0034 0x805C3716 0x805C3716 NtCreateSymbolicLinkObject
0x0035 0x805D0D0E 0x805D0D0E NtCreateThread
0x0036 0x8061629C 0x8061629C NtCreateTimer
0x0037 0x805F8DF4 0x805F8DF4 NtCreateToken
0x0038 0x805A4F9C 0x805A4F9C NtCreateWaitablePort
0x0039 0x80642604 0x80642604 NtDebugActiveProcess
0x003A 0x80642754 0x80642754 NtDebugContinue
0x003B 0x80615CA0 0x80615CA0 NtDelayExecution
0x003C 0x806154D2 0x806154D2 NtDeleteAtom
0x003D 0x80615D50 0x80615D50 NtDeleteBootEntry
0x003E 0x80576B74 0x80576B74 NtDeleteFile
0x003F 0x80623A0E 0x80623A0E NtDeleteKey
0x0040 0x805F4666 0x805F4666 NtDeleteObjectAuditAlarm
0x0041 0x80623BDE 0x80623BDE NtDeleteValueKey
0x0042 0x80579154 0x80579154 NtDeviceIoControlFile
0x0043 0x806122FA 0x806122FA NtDisplayString
0x0044 0x805BDD04 0x805BDD04 NtDuplicateObject
0x0045 0x805ECA38 0x805ECA38 NtDuplicateToken
0x0046 0x80615D5E 0x80615D5E NtEnumerateBootEntries
0x0047 0xBA6C5E2C [0x80623DBE] NtEnumerateKey
0x0048 0x80615D42 0x80615D42 NtEnumerateSystemEnvironmentValuesEx
0x0049 0xBA6C61BA [0x80624028] NtEnumerateValueKey
0x004A 0x805B3ACE 0x805B3ACE NtExtendSection
0x004B 0x805ECBE4 0x805ECBE4 NtFilterToken
0x004C 0x80615286 0x80615286 NtFindAtom
0x004D 0x80576C40 0x80576C40 NtFlushBuffersFile
0x004E 0x805B6642 0x805B6642 NtFlushInstructionCache
0x004F 0x80624292 0x80624292 NtFlushKey
0x0050 0x805AC590 0x805AC590 NtFlushVirtualMemory
0x0051 0x805B65E4 0x805B65E4 NtFlushWriteBuffer
0x0052 0x805B6150 0x805B6150 NtFreeUserPhysicalPages
0x0053 0x805B2DAE 0x805B2DAE NtFreeVirtualMemory
0x0054 0x80579188 0x80579188 NtFsControlFile
0x0055 0x805D1220 0x805D1220 NtGetContextThread
0x0056 0x805C8394 0x805C8394 NtGetDevicePowerState
0x0057 0x80598FA6 0x80598FA6 NtGetPlugPlayEvent
0x0058 0x80521F58 0x80521F58 NtGetWriteWatch
0x0059 0x805F8740 0x805F8740 NtImpersonateAnonymousToken
0x005A 0x805A5006 0x805A5006 NtImpersonateClientOfPort
0x005B 0x805D749A 0x805D749A NtImpersonateThread
0x005C 0x80621556 0x80621556 NtInitializeRegistry
0x005D 0x805C817A 0x805C817A NtInitiatePowerAction
0x005E 0x805D4E9A 0x805D4E9A NtIsProcessInJob
0x005F 0x805C8380 0x805C8380 NtIsSystemResumeAutomatic
0x0060 0x805A5212 0x805A5212 NtListenPort
0x0061 0x80583FD6 0x80583FD6 NtLoadDriver
0x0062 0x806252AE 0x806252AE NtLoadKey
0x0063 0x80624EF8 0x80624EF8 NtLoadKey2
0x0064 0x805791BC 0x805791BC NtLockFile
0x0065 0x806128EC 0x806128EC NtLockProductActivationKeys
0x0066 0x8062344E 0x8062344E NtLockRegistryKey
0x0067 0x805B674A 0x805B674A NtLockVirtualMemory
0x0068 0x805BDFD2 0x805BDFD2 NtMakePermanentObject
0x0069 0x805BC3CC 0x805BC3CC NtMakeTemporaryObject
0x006A 0x805B520E 0x805B520E NtMapUserPhysicalPages
0x006B 0x805B575E 0x805B575E NtMapUserPhysicalPagesScatter
0x006C 0x805B1E36 0x805B1E36 NtMapViewOfSection
0x006D 0x80615D50 0x80615D50 NtModifyBootEntry
0x006E 0x80579DD4 0x80579DD4 NtNotifyChangeDirectoryFile
0x006F 0x80625278 0x80625278 NtNotifyChangeKey
0x0070 0x80624394 0x80624394 NtNotifyChangeMultipleKeys
0x0071 0x805BE2AE 0x805BE2AE NtOpenDirectoryObject
0x0072 0x8060E39C 0x8060E39C NtOpenEvent
0x0073 0x806166AC 0x806166AC NtOpenEventPair
0x0074 0x8057A08C 0x8057A08C NtOpenFile
0x0075 0x80578A44 0x80578A44 NtOpenIoCompletion
0x0076 0x805D5424 0x805D5424 NtOpenJobObject
0x0077 0xBA6C00B0 [0x80624914] NtOpenKey
0x0078 0x80616AA4 0x80616AA4 NtOpenMutant
0x0079 0x805F4128 0x805F4128 NtOpenObjectAuditAlarm
0x007A 0x805CB150 0x805CB150 NtOpenProcess
0x007B 0x805ED430 0x805ED430 NtOpenProcessToken
0x007C 0x805ED036 0x805ED036 NtOpenProcessTokenEx
0x007D 0x805AA27A 0x805AA27A NtOpenSection
0x007E 0x80614476 0x80614476 NtOpenSemaphore
0x007F 0x805C38FC 0x805C38FC NtOpenSymbolicLinkObject
0x0080 0x805CB3DC 0x805CB3DC NtOpenThread
0x0081 0x805ED44E 0x805ED44E NtOpenThreadToken
0x0082 0x805ED1A6 0x805ED1A6 NtOpenThreadTokenEx
0x0083 0x806163BE 0x806163BE NtOpenTimer
0x0084 0x806447F6 0x806447F6 NtPlugPlayControl
0x0085 0x805C9202 0x805C9202 NtPowerInformation
0x0086 0x805F77F2 0x805F77F2 NtPrivilegeCheck
0x0087 0x805F343A 0x805F343A NtPrivilegeObjectAuditAlarm
0x0088 0x805F3626 0x805F3626 NtPrivilegedServiceAuditAlarm
0x0089 0x805B8216 0x805B8216 NtProtectVirtualMemory
0x008A 0x8060E454 0x8060E454 NtPulseEvent
0x008B 0x80576E1E 0x80576E1E NtQueryAttributesFile
0x008C 0x80615D5E 0x80615D5E NtQueryBootEntryOrder
0x008D 0x80615D5E 0x80615D5E NtQueryBootOptions
0x008E 0x80540996 0x80540996 NtQueryDebugFilterState
0x008F 0x80610026 0x80610026 NtQueryDefaultLocale
0x0090 0x80610C86 0x80610C86 NtQueryDefaultUILanguage
0x0091 0x80579D6E 0x80579D6E NtQueryDirectoryFile
0x0092 0x805BE34E 0x805BE34E NtQueryDirectoryObject
0x0093 0x8057A0BC 0x8057A0BC NtQueryEaFile
0x0094 0x8060E51C 0x8060E51C NtQueryEvent
0x0095 0x80576F56 0x80576F56 NtQueryFullAttributesFile
0x0096 0x806154FA 0x806154FA NtQueryInformationAtom
0x0097 0x8057A928 0x8057A928 NtQueryInformationFile
0x0098 0x805D58F6 0x805D58F6 NtQueryInformationJobObject
0x0099 0x805A5270 0x805A5270 NtQueryInformationPort
0x009A 0x805CCCA4 0x805CCCA4 NtQueryInformationProcess
0x009B 0x805CB8D2 0x805CB8D2 NtQueryInformationThread
0x009C 0x805ED52E 0x805ED52E NtQueryInformationToken
0x009D 0x80610424 0x80610424 NtQueryInstallUILanguage
0x009E 0x8061726E 0x8061726E NtQueryIntervalProfile
0x009F 0x80578AEC 0x80578AEC NtQueryIoCompletion
0x00A0 0xBA6C6292 [0x80624C38] NtQueryKey
0x00A1 0x8062274C 0x8062274C NtQueryMultipleValueKey
0x00A2 0x80616B4C 0x80616B4C NtQueryMutant
0x00A3 0x805C4FE8 0x805C4FE8 NtQueryObject
0x00A4 0x80622DB2 0x80622DB2 NtQueryOpenSubKeys
0x00A5 0x806172FC 0x806172FC NtQueryPerformanceCounter
0x00A6 0x8057B70A 0x8057B70A NtQueryQuotaInformationFile
0x00A7 0x805B83D8 0x805B83D8 NtQuerySection
0x00A8 0x805BFE3A 0x805BFE3A NtQuerySecurityObject
0x00A9 0x8061452E 0x8061452E NtQuerySemaphore
0x00AA 0x805C399C 0x805C399C NtQuerySymbolicLinkObject
0x00AB 0x80615D7A 0x80615D7A NtQuerySystemEnvironmentValue
0x00AC 0x80615D34 0x80615D34 NtQuerySystemEnvironmentValueEx
0x00AD 0x80610D06 0x80610D06 NtQuerySystemInformation
0x00AE 0x806124C6 0x806124C6 NtQuerySystemTime
0x00AF 0x80616476 0x80616476 NtQueryTimer
0x00B0 0x80612558 0x80612558 NtQueryTimerResolution
0x00B1 0xBA6C6112 [0x80621638] NtQueryValueKey
0x00B2 0x805B8A66 0x805B8A66 NtQueryVirtualMemory
0x00B3 0x8057BBF4 0x8057BBF4 NtQueryVolumeInformationFile
0x00B4 0x805D0F6C 0x805D0F6C NtQueueApcThread
0x00B5 0x80545C94 0x80545C94 NtRaiseException
0x00B6 0x806141A0 0x806141A0 NtRaiseHardError
0x00B7 0x8057C394 0x8057C394 NtReadFile
0x00B8 0x8057C8FE 0x8057C8FE NtReadFileScatter
0x00B9 0x805A5CF8 0x805A5CF8 NtReadRequestData
0x00BA 0x805B40BA 0x805B40BA NtReadVirtualMemory
0x00BB 0x805D2430 0x805D2430 NtRegisterThreadTerminatePort
0x00BC 0x80616C84 0x80616C84 NtReleaseMutant
0x00BD 0x8061465E 0x8061465E NtReleaseSemaphore
0x00BE 0x80578DE4 0x80578DE4 NtRemoveIoCompletion
0x00BF 0x806426D4 0x806426D4 NtRemoveProcessDebug
0x00C0 0x80622FA4 0x80622FA4 NtRenameKey
0x00C1 0x8062515E 0x8062515E NtReplaceKey
0x00C2 0x805A5378 0x805A5378 NtReplyPort
0x00C3 0x805A6340 0x805A6340 NtReplyWaitReceivePort
0x00C4 0x805A5D48 0x805A5D48 NtReplyWaitReceivePortEx
0x00C5 0x805A5662 0x805A5662 NtReplyWaitReplyPort
0x00C6 0x805C8312 0x805C8312 NtRequestDeviceWakeup
0x00C7 0x805A28D6 0x805A28D6 NtRequestPort
0x00C8 0x805A2C02 0x805A2C02 NtRequestWaitReplyPort
0x00C9 0x805C8120 0x805C8120 NtRequestWakeupLatency
0x00CA 0x8060E62E 0x8060E62E NtResetEvent
0x00CB 0x80522440 0x80522440 NtResetWriteWatch
0x00CC 0x80621986 0x80621986 NtRestoreKey
0x00CD 0x805D4770 0x805D4770 NtResumeProcess
0x00CE 0x805D4652 0x805D4652 NtResumeThread
0x00CF 0x80621A28 0x80621A28 NtSaveKey
0x00D0 0x80621AB8 0x80621AB8 NtSaveKeyEx
0x00D1 0x80621B84 0x80621B84 NtSaveMergedKeys
0x00D2 0x805A3BF0 0x805A3BF0 NtSecureConnectPort
0x00D3 0x80615D5E 0x80615D5E NtSetBootEntryOrder
0x00D4 0x80615D5E 0x80615D5E NtSetBootOptions
0x00D5 0x805D1430 0x805D1430 NtSetContextThread
0x00D6 0x8064538C 0x8064538C NtSetDebugFilterState
0x00D7 0x8061404A 0x8061404A NtSetDefaultHardErrorPort
0x00D8 0x80610176 0x80610176 NtSetDefaultLocale
0x00D9 0x806109E8 0x806109E8 NtSetDefaultUILanguage
0x00DA 0x8057A5D0 0x8057A5D0 NtSetEaFile
0x00DB 0x8060E6EE 0x8060E6EE NtSetEvent
0x00DC 0x8060E7B8 0x8060E7B8 NtSetEventBoostPriority
0x00DD 0x80616968 0x80616968 NtSetHighEventPair
0x00DE 0x80616898 0x80616898 NtSetHighWaitLowEventPair
0x00DF 0x8064209E 0x8064209E NtSetInformationDebugObject
0x00E0 0x8057AF1A 0x8057AF1A NtSetInformationFile
0x00E1 0x805D6604 0x805D6604 NtSetInformationJobObject
0x00E2 0x80622318 0x80622318 NtSetInformationKey
0x00E3 0x805C455E 0x805C455E NtSetInformationObject
0x00E4 0x805CDB9A 0x805CDB9A NtSetInformationProcess
0x00E5 0x805CBE1E 0x805CBE1E NtSetInformationThread
0x00E6 0x805F9B6E 0x805F9B6E NtSetInformationToken
0x00E7 0x80616DD0 0x80616DD0 NtSetIntervalProfile
0x00E8 0x80578D82 0x80578D82 NtSetIoCompletion
0x00E9 0x805D359C 0x805D359C NtSetLdtEntries
0x00EA 0x80616904 0x80616904 NtSetLowEventPair
0x00EB 0x8061682C 0x8061682C NtSetLowWaitHighEventPair
0x00EC 0x8057B6E8 0x8057B6E8 NtSetQuotaInformationFile
0x00ED 0x805BFD6E 0x805BFD6E NtSetSecurityObject
0x00EE 0x80615FFE 0x80615FFE NtSetSystemEnvironmentValue
0x00EF 0x80615D34 0x80615D34 NtSetSystemEnvironmentValueEx
0x00F0 0x8060F054 0x8060F054 NtSetSystemInformation
0x00F1 0x80651E34 0x80651E34 NtSetSystemPowerState
0x00F2 0x806137CE 0x806137CE NtSetSystemTime
0x00F3 0x805C8034 0x805C8034 NtSetThreadExecutionState
0x00F4 0x80539B3C 0x80539B3C NtSetTimer
0x00F5 0x80612CA0 0x80612CA0 NtSetTimerResolution
0x00F6 0x80614B14 0x80614B14 NtSetUuidSeed
0x00F7 0xBA6C6324 [0x80621C3E] NtSetValueKey
0x00F8 0x8057BFFE 0x8057BFFE NtSetVolumeInformationFile
0x00F9 0x806122BE 0x806122BE NtShutdownSystem
0x00FA 0x8052751A 0x8052751A NtSignalAndWaitForSingleObject
0x00FB 0x8061701A 0x8061701A NtStartProfile
0x00FC 0x806171C4 0x806171C4 NtStopProfile
0x00FD 0x805D471A 0x805D471A NtSuspendProcess
0x00FE 0x805D458C 0x805D458C NtSuspendThread
0x00FF 0x806173E8 0x806173E8 NtSystemDebugControl
0x0100 0x805D7198 0x805D7198 NtTerminateJobObject
0x0101 0x805D267A 0x805D267A NtTerminateProcess
0x0102 0x805D2874 0x805D2874 NtTerminateThread
0x0103 0x805D48DA 0x805D48DA NtTestAlert
0x0104 0x80535EDC 0x80535EDC NtTraceEvent
0x0105 0x80615D6C 0x80615D6C NtTranslateFilePath
0x0106 0x8058416A 0x8058416A NtUnloadDriver
0x0107 0x80621F06 0x80621F06 NtUnloadKey
0x0108 0x806220F4 0x806220F4 NtUnloadKeyEx
0x0109 0x80579560 0x80579560 NtUnlockFile
0x010A 0x805B6CD8 0x805B6CD8 NtUnlockVirtualMemory
0x010B 0x805B2C44 0x805B2C44 NtUnmapViewOfSection
0x010C 0x805FAF26 0x805FAF26 NtVdmControl
0x010D 0x80641E06 0x80641E06 NtWaitForDebugEvent
0x010E 0x805C0490 0x805C0490 NtWaitForMultipleObjects
0x010F 0x805C03A6 0x805C03A6 NtWaitForSingleObject
0x0110 0x806167C8 0x806167C8 NtWaitHighEventPair
0x0111 0x80616764 0x80616764 NtWaitLowEventPair
0x0112 0x8057CDFC 0x8057CDFC NtWriteFile
0x0113 0x8057D3E0 0x8057D3E0 NtWriteFileGather
0x0114 0x805A5D20 0x805A5D20 NtWriteRequestData
0x0115 0x805B41C4 0x805B41C4 NtWriteVirtualMemory
0x0116 0x80505AB0 0x80505AB0 NtYieldExecution
0x0117 0x80617840 0x80617840 NtCreateKeyedEvent
0x0118 0x8061792A 0x8061792A NtOpenKeyedEvent
0x0119 0x806179DC 0x806179DC NtReleaseKeyedEvent
0x011A 0x80617C38 0x80617C38 NtWaitForKeyedEvent
0x011B 0x805CB652 0x805CB652 NtQueryPortInformationProcess
------------------------------------------------------------------

You can see that 0x7A is NtOpenProcess.

Of course, if you have full symbols you can also look directly in WinDbg: u 804E3F08, and the first line gives the function name:
nt!NtOpenProcess:
...   68c4000000   push    0C4h
2009-3-7 23:11
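The lookup the reply describes (ServiceTableBase + index * 4 on 32-bit Windows) and the dump format shown above, as an added example that is not part of the original thread: a small Python script that parses an IceSword-style SSDT listing, computes the table slot address for a given service index (reproducing the poster's arithmetic, 0x804E3D20 + 0x7A * 4 = 0x804E3F08), and lists the entries whose current pointer differs from the bracketed value. The sample dump lines are a constructed excerpt of the listing in the reply; reading the bracketed number as the original pointer and treating a mismatch as something a defender should inspect is an assumption of this example, not something the thread states.

```python
import re

# Constructed excerpt of the IceSword-style SSDT listing quoted in the reply.
# Columns: index, current address, original address (bracketed when it differs), name.
SSDT_DUMP = """\
SSDT(System Services Descriptor Table)
KernelBase = 0x804D8000, KernelName = ntkrnlpa.exe
------------------------------------------------------------------
0x0019 0x805BC328 0x805BC328 NtClose
0x0029 0xBA6C00D0 [0x8062357E] NtCreateKey
0x0077 0xBA6C00B0 [0x80624914] NtOpenKey
0x007A 0x805CB150 0x805CB150 NtOpenProcess
0x011B 0x805CB652 0x805CB652 NtQueryPortInformationProcess
------------------------------------------------------------------
"""

# One table row: index, current pointer, original pointer (optionally in []), service name.
ENTRY_RE = re.compile(
    r"^(0x[0-9A-Fa-f]{4})\s+(0x[0-9A-Fa-f]{8})\s+\[?(0x[0-9A-Fa-f]{8})\]?\s+(\w+)\s*$"
)
KERNEL_RE = re.compile(r"KernelBase = (0x[0-9A-Fa-f]+), KernelName = (\S+)")


def parse_ssdt_dump(text):
    """Parse a dump in the format above.

    Returns (kernel_base, kernel_name, entries); each entry is a dict with
    integer 'index', 'current', 'original' and a string 'name'.
    """
    kernel_base, kernel_name, entries = None, None, []
    for line in text.splitlines():
        m = KERNEL_RE.search(line)
        if m:
            kernel_base, kernel_name = int(m.group(1), 16), m.group(2)
            continue
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({
                "index": int(m.group(1), 16),
                "current": int(m.group(2), 16),
                "original": int(m.group(3), 16),
                "name": m.group(4),
            })
    return kernel_base, kernel_name, entries


def slot_address(service_table_base, index):
    """Address of the SSDT slot for a service index on 32-bit Windows.

    Each slot holds a 4-byte pointer, so the slot is base + index * 4; the
    kernel reads the routine address from that slot.
    """
    return service_table_base + index * 4


def lookup_name(entries, index):
    """Service name for a given index, or None if the dump has no such row."""
    for e in entries:
        if e["index"] == index:
            return e["name"]
    return None


def find_modified_entries(entries):
    """Rows whose current pointer differs from the bracketed original.

    Assumption of this example: the bracketed value is the original pointer,
    so a mismatch marks a slot that has been redirected and deserves a closer look.
    """
    return [e for e in entries if e["current"] != e["original"]]


if __name__ == "__main__":
    base, name, rows = parse_ssdt_dump(SSDT_DUMP)
    print(f"kernel {name} at {base:#010x}, {len(rows)} entries parsed")
    # The poster's ServiceTableBase (from a different machine) and index 0x7A.
    print(f"slot for 0x7A: {slot_address(0x804E3D20, 0x7A):#010x}")
    print(f"index 0x7A is {lookup_name(rows, 0x7A)}")
    for e in find_modified_entries(rows):
        print(f"modified: {e['name']} {e['current']:#010x} (original {e['original']:#010x})")
```

Run the script as-is to see the slot computation and the two redirected registry services from the excerpt; point parse_ssdt_dump at a full listing (such as the one in the reply) to check every row the same way.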