xp sp3里面的:
nt!KeAddSystemServiceTable+0x1a:
80597810 8d88e03f5580 lea ecx,nt!KeServiceDescriptorTableShadow (80553fe0)[eax]
80597816 833900 cmp dword ptr [ecx],0
80597819 7546 jne nt!KeAddSystemServiceTable+0x6b (80597861)
2003 企业版 sp2的:
nt!KeAddSystemServiceTable+0x1a:
80915116 8d8840f48980 lea ecx,nt!KeServiceDescriptorTableShadow (8089f440)[eax]
8091511c 833900 cmp dword ptr [ecx],0
8091511f 7546 jne nt!KeAddSystemServiceTable+0x6b (80915167)
win7旗舰版sp1的:
nt!KeAddSystemServiceTable+0x1a:
83de0022 8d8840dbdb83 lea ecx,nt!KeServiceDescriptorTableShadow (83dbdb40)[eax]
83de0028 833900 cmp dword ptr [ecx],0
83de002b 7546 jne nt!KeAddSystemServiceTable+0x6b (83de0073)
上面三个版本中偏移都是0x1a,8d88占两个字节,所以再加上2,后面的四个字节就是shadow ssdt的地址了
所以就是 KeAddSystemServiceTable的地址+0x1a(偏移量)+2(汇编指令占用的两个字节)
//SSDT table descriptor (the kernel's KSERVICE_TABLE_DESCRIPTOR). KeServiceDescriptorTableShadow is
//an array of these; the test code below reads index 1, which holds the win32k (GUI) service table.
//NOTE(review): every member is 4 bytes wide, so this matches the 32-bit kernel layout only. On x64
//the real structure uses pointer-sized fields, and the +0x1a lookup below does not apply there.
typedef struct ServiceDescriptorTable {
unsigned int *ServiceTableBase;	//array of service routine addresses
unsigned int *ServiceCounterTable;	//per-service call counters (populated on checked builds)
unsigned int NumberOfServices;	//number of entries in ServiceTableBase
unsigned int *ParamTableBase;	//per-service argument byte counts
}ServiceDescriptorTable,*PServiceDescriptorTable;
//Global that the test code below points at the shadow table located by getAddressOfShadowTable().
PServiceDescriptorTable KeServiceDescriptorTableShadow;
//Exported but undocumented ntoskrnl routine that registers a system service table. It is declared
//here only as a code anchor: its instruction bytes at +0x1a reference KeServiceDescriptorTableShadow.
NTSYSAPI
BOOLEAN
NTAPI
KeAddSystemServiceTable (
IN PULONG_PTR Base,	//service routine address table
IN PULONG Count OPTIONAL,	//call counter table, may be NULL
IN ULONG Limit,	//number of services in Base
IN PUCHAR Number,	//argument byte count table
IN ULONG Index	//slot in KeServiceDescriptorTableShadow (0..3)
);
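PULONG getAddressOfShadowTable()
{
    /*
     * Locate KeServiceDescriptorTableShadow on 32-bit XP / 2003 / Win7.
     *
     * On all three kernels KeAddSystemServiceTable references the shadow
     * table at the same offset:
     *   nt!KeAddSystemServiceTable+0x1a:
     *   8d 88 <disp32>   lea ecx, KeServiceDescriptorTableShadow[eax]
     *   83 39 00         cmp dword ptr [ecx], 0
     *   75 46            jne nt!KeAddSystemServiceTable+0x6b
     * The two opcode bytes 8d 88 are followed by the absolute 32-bit
     * address of the table, hence the read at +0x1a+2.
     *
     * Returns the table address, or NULL when the expected opcode bytes
     * are not present (other build, x64 kernel, hot-patched routine), so
     * the caller fails closed instead of dereferencing a garbage pointer.
     * The offset is build-specific; this is a 32-bit-only technique.
     */
    const unsigned char *code = (const unsigned char *)KeAddSystemServiceTable;
    const unsigned char *disp;

    /* Confirm the instruction really is "lea ecx,[eax+disp32]" before
     * trusting the four bytes that follow it. */
    if (code[0x1a] != 0x8d || code[0x1b] != 0x88) {
        return NULL;
    }
    disp = code + 0x1a + 2;
    return (PULONG)(*(PULONG)disp);
}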
测试代码:
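/* Test driver snippet: resolve the shadow table once, then print the size of
 * its second entry (index 1, the win32k table); the run log below shows 825. */
KeServiceDescriptorTableShadow = (PServiceDescriptorTable)getAddressOfShadowTable();
DbgPrint("address: 0x%X", KeServiceDescriptorTableShadow);
/* Only dereference when the lookup produced a pointer; dereferencing NULL
 * (or a bogus address on an unexpected build) here bugchecks the machine. */
if (KeServiceDescriptorTableShadow != NULL) {
    /* NumberOfServices is unsigned, so %u rather than %d. */
    DbgPrint("num of services:%u", KeServiceDescriptorTableShadow[1].NumberOfServices);
}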
下面是运行结果:
100.95681000 进入驱动程序入口!
100.96257782 address: 0x83D74B40
100.97072601 num of services:825