A new way to get the Shadow SSDT address: the direct memory read method (simple and easy to follow),...
On XP SP3:
nt!KeAddSystemServiceTable+0x1a:
80597810 8d88e03f5580 lea ecx,nt!KeServiceDescriptorTableShadow (80553fe0)[eax]
80597816 833900 cmp dword ptr [ecx],0
80597819 7546 jne nt!KeAddSystemServiceTable+0x6b (80597861)
On 2003 Enterprise SP2:
nt!KeAddSystemServiceTable+0x1a:
80915116 8d8840f48980 lea ecx,nt!KeServiceDescriptorTableShadow (8089f440)[eax]
8091511c 833900 cmp dword ptr [ecx],0
8091511f 7546 jne nt!KeAddSystemServiceTable+0x6b (80915167)
On Win7 Ultimate SP1:
nt!KeAddSystemServiceTable+0x1a:
83de0022 8d8840dbdb83 lea ecx,nt!KeServiceDescriptorTableShadow (83dbdb40)[eax]
83de0028 833900 cmp dword ptr [ecx],0
83de002b 7546 jne nt!KeAddSystemServiceTable+0x6b (83de0073)
In all three builds the instruction sits at offset 0x1a. The 8d 88 pair (opcode 8D = lea, ModRM 88 = ecx,[eax+disp32]) takes two bytes, so add 2; the four bytes after it are the disp32, which is the address of KeServiceDescriptorTableShadow (the function adds eax = Index*16 to select entry Index, so the displacement itself is the base of the array).
So: address of KeAddSystemServiceTable + 0x1a (offset into the function) + 2 (the two instruction bytes), and the DWORD at that location is the Shadow SSDT address.
What you get is the base of an array of 16-byte descriptors: entry 0 describes the ntoskrnl table, entry 1 the win32k table, which is what "Shadow SSDT" usually refers to.
Two caveats: the 0x1a offset was only confirmed on these three x86 builds, so check that the bytes at +0x1a really are 8D 88 before dereferencing what follows them; and this is a 32-bit technique, the x64 kernel is compiled differently and the offset does not carry over.
#include <ntddk.h>

// SSDT descriptor (16 bytes on x86). KeServiceDescriptorTableShadow is an array of these:
// entry 0 = ntoskrnl (KiServiceTable), entry 1 = win32k (W32pServiceTable)
typedef struct ServiceDescriptorTable {
    unsigned int *ServiceTableBase;     // array of system service routine addresses
    unsigned int *ServiceCounterTable;  // per-service call counters (only populated on checked builds)
    unsigned int NumberOfServices;      // number of entries in ServiceTableBase
    unsigned char *ParamTableBase;      // per-service argument size in bytes (a byte table, not DWORDs)
} ServiceDescriptorTable, *PServiceDescriptorTable;

PServiceDescriptorTable KeServiceDescriptorTableShadow;   // set by the test code once the address is found

// exported by ntoskrnl but not declared in the public headers
NTSYSAPI
BOOLEAN
NTAPI
KeAddSystemServiceTable (
    IN PULONG_PTR Base,
    IN PULONG Count OPTIONAL,
    IN ULONG Limit,
    IN PUCHAR Number,
    IN ULONG Index
    );

PULONG getAddressOfShadowTable()
{
    PUCHAR fn = (PUCHAR)KeAddSystemServiceTable;
    // Works on XP, 2003 and Win7 (x86):
    // nt!KeAddSystemServiceTable+0x1a:
    // 83de0022 8d8840dbdb83 lea ecx,nt!KeServiceDescriptorTableShadow (83dbdb40)[eax]
    // 83de0028 833900 cmp dword ptr [ecx],0
    // 83de002b 7546 jne nt!KeAddSystemServiceTable+0x6b (83de0073)
    // 8d 88 is two bytes, so +2 lands on the disp32
    if (fn[0x1a] != 0x8D || fn[0x1b] != 0x88)
        return NULL;    // not the expected lea ecx,[eax+disp32]: unknown build, do not guess
    return (PULONG)(*(PULONG)(fn + 0x1a + 2));
}
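As an added example (not part of the original post, and not kernel code), here is a user-mode C harness that applies the same byte pattern to constructed buffers holding exactly the instruction bytes from the three listings above, preceded by zero filler standing in for the first 0x1a bytes of the function. It verifies the 8D 88 opcode/ModRM pair before reading the disp32, and also shows a signature scan that locates the lea/cmp pair wherever it sits, so the method no longer depends on the instruction being at exactly +0x1a. The buffer names, the zero filler and the fourth "no match" buffer (a hypothetical build that loads ecx differently) are all constructed for the demo; no real kernel memory is read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed test images (not real kernel dumps): zero filler up to +0x1a,
 * then the exact bytes the WinDbg listings show at KeAddSystemServiceTable+0x1a:
 *   8D 88 <disp32>   lea ecx,[eax+disp32]
 *   83 39 00         cmp dword ptr [ecx],0                                      */
static const uint8_t xp_sp3_code[0x1a + 9]   = { [0x1a] = 0x8D, 0x88, 0xE0, 0x3F, 0x55, 0x80, 0x83, 0x39, 0x00 };
static const uint8_t w2k3_sp2_code[0x1a + 9] = { [0x1a] = 0x8D, 0x88, 0x40, 0xF4, 0x89, 0x80, 0x83, 0x39, 0x00 };
static const uint8_t win7_sp1_code[0x1a + 9] = { [0x1a] = 0x8D, 0x88, 0x40, 0xDB, 0xDB, 0x83, 0x83, 0x39, 0x00 };
/* Hypothetical build where the compiler emitted 'mov ecx,[imm32]' (8B 0D) instead: must not match. */
static const uint8_t no_match_code[0x1a + 9] = { [0x1a] = 0x8B, 0x0D, 0x40, 0xDB, 0xDB, 0x83, 0x83, 0x39, 0x00 };

/* Little-endian DWORD at code[off]; avoids host endianness and alignment assumptions. */
static uint32_t read_le32(const uint8_t *code, size_t off)
{
    return (uint32_t)code[off] | (uint32_t)code[off + 1] << 8 |
           (uint32_t)code[off + 2] << 16 | (uint32_t)code[off + 3] << 24;
}

/* The post's method, fixed offset 0x1a + 2, but verified first.
 * Returns 0 when the 8D 88 pair is not at +0x1a (unknown build). */
uint32_t shadow_by_fixed_offset(const uint8_t *code, size_t len)
{
    if (len < 0x1a + 6) return 0;
    if (code[0x1a] != 0x8D || code[0x1b] != 0x88) return 0;
    return read_le32(code, 0x1a + 2);
}

/* Signature scan: find 'lea ecx,[eax+disp32]' immediately followed by
 * 'cmp dword ptr [ecx],0' anywhere in the first len bytes and return disp32.
 * Survives builds where the instruction moved; found_at receives its offset
 * (or (size_t)-1 when absent). */
uint32_t shadow_by_signature(const uint8_t *code, size_t len, size_t *found_at)
{
    for (size_t i = 0; i + 9 <= len; i++) {
        if (code[i] == 0x8D && code[i + 1] == 0x88 &&
            code[i + 6] == 0x83 && code[i + 7] == 0x39 && code[i + 8] == 0x00) {
            if (found_at) *found_at = i;
            return read_le32(code, i + 2);
        }
    }
    if (found_at) *found_at = (size_t)-1;
    return 0;
}

int main(void)
{
    struct { const char *name; const uint8_t *code; size_t len; } builds[] = {
        { "XP SP3",   xp_sp3_code,   sizeof xp_sp3_code   },
        { "2003 SP2", w2k3_sp2_code, sizeof w2k3_sp2_code },
        { "Win7 SP1", win7_sp1_code, sizeof win7_sp1_code },
        { "no match", no_match_code, sizeof no_match_code },
    };
    for (size_t i = 0; i < sizeof builds / sizeof builds[0]; i++) {
        size_t at;
        uint32_t fix = shadow_by_fixed_offset(builds[i].code, builds[i].len);
        uint32_t sig = shadow_by_signature(builds[i].code, builds[i].len, &at);
        if (sig)
            printf("%-9s fixed=0x%08X signature=0x%08X (at +0x%zx)\n", builds[i].name, fix, sig, at);
        else
            printf("%-9s fixed=0x%08X signature: not found\n", builds[i].name, fix);
    }
    return 0;
}
```

In a driver the same two checks apply to the live bytes of KeAddSystemServiceTable: a fixed offset is fine as long as the opcode bytes confirm it, and a signature scan bounded to the function's first few dozen bytes is the cheap way to stay correct when a new build shifts the prologue.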
Test code:
PServiceDescriptorTable shadow = (PServiceDescriptorTable)getAddressOfShadowTable();
DbgPrint("address: 0x%X", shadow);
if (shadow != NULL) {
    KeServiceDescriptorTableShadow = shadow;
    // entry 1 is the win32k table. NumberOfServices lives in the descriptor itself, so it can be read from
    // any context; ServiceTableBase points into session space and must only be dereferenced from a GUI thread
    DbgPrint("num of services:%d", KeServiceDescriptorTableShadow[1].NumberOfServices);
}
Output:
100.95681000 entered driver entry!
100.96257782 address: 0x83D74B40
100.97072601 num of services:825
825 (0x339) is the size of the win32k table on Win7 SP1 x86, which confirms that entry 1 of the array was read.