lkd> dd KeServiceDescriptorTable
80563520 804e58b0 00000000 0000011c 80519054
80563530 00000000 00000000 00000000 00000000
80563540 00000000 00000000 00000000 00000000
80563550 00000000 00000000 00000000 00000000
80563560 00000002 00002710 bf80c275 00000000
80563570 f8bb2a80 f824c9e0 82b410f0 80712040
80563580 00000000 00000000 ffeced30 ffffffff
80563590 dfed6a70 01c9c215 00000000 00000000
lkd> dd 804e58b0
804e58b0 80589daf 805824dd 805965d8 8059baf2
804e58c0 8059665f 80640776 806428ff 80642948
804e58d0 8057eaf3 8065063f 8063ff37 80595ac3
804e58e0 8063824e 8058697f 8059b052 8062f072
804e58f0 805adcb9 80571fb2 805e66e1 f8a48f73
804e5900 804e5ec4 8065062b 805dea6a 804ed822
804e5910 805718c4 f88ba2b6 80596208 80656951
804e5920 8059572f 8058a3c9 80656bbf 8059508e
lkd> u 80589daf //这里不是应该显示 nt!NtAcceptConnectPort 吗?(下面解析出的符号都是"导出函数名+很大的偏移",可能只加载了导出符号而没有加载 nt 的 PDB,需先确认符号路径)
nt!RtlFindUnicodePrefix+0xb54:
80589daf 689c000000 push 9Ch
80589db4 6830834f80 push offset nt!FsRtlFastCheckLockForRead+0xc6 (804f8330)
80589db9 e8c5a0f5ff call nt!CIsqrt+0x2d7 (804e3e83)
80589dbe 64a124010000 mov eax,dword ptr fs:[00000124h]
80589dc4 8a8040010000 mov al,byte ptr [eax+140h]
80589dca 884590 mov byte ptr [ebp-70h],al
80589dcd 84c0 test al,al
80589dcf 0f849b8a0200 je nt!NtVdmControl+0x5a5 (805b2870)