// NOTE(review): this listing is damaged by extraction — every line carries a trailing
// run of junk characters and several loop/if bodies are missing entirely (see the
// lines flagged below). The comments describe only what the surviving lines show.
//
// Recovers the position of the original (on-disk) system service table by parsing
// the kernel image and ntdll as PE files instead of trusting the live in-memory
// table. Returns the file position found, or 0 on any early failure.
// Globals/members used but declared elsewhere: pefile, pefile2, gppsloadedmodulelistheader,
// getkernelname, gszkernelname, gszntdllname, hfile2, ntkernelbaseaddress, maxservicenum,
// servicenum1/2, ntdlladdr1/2, func1addr, readbufferlen, n, m, bok.
dword getorgwindowsservicetable()1.mb45.n)v|
// Export names of the two ntdll stubs used as anchors (how they are chosen is in the
// lost loop body below).
char fun1[30];[l9i4
char fun2[30];d3&et`
// 15-byte window: enough for the opcode byte plus the 4-byte immediate decoded below.
byte codebuffer[0x0f];qvc qb i
ulsize readlen,pos;u0h6=/br47
char* functionname;ov !b
char *readbuffer;p }e !brq
// Open the kernel image as a driver ("sys") without resolving its import table.
pefile.m_openmode = pe_open_no_import|pe_open_sys;$+|&u
// Bail out if the loaded-module list has not been located yet.
if(gppsloadedmodulelistheader==null)oa zr)=8d8
return 0;8|s-pl
// Resolve the kernel's name/base; gszkernelname is filled in at its current end.
ntkernelbaseaddress = getkernelname(&gszkernelname[tstrlen(gszkernelname)],null);d_lsld
if(ntkernelbaseaddress==0)njra7:
return 0;|b y[,
}apci~hsg
fun1[0]=0;(y>, xt
fun2[0]=0;e9bp "#c
// Walk the kernel's export table; the body that fills fun1/fun2 is lost — the two
// `if` guards below show each name is assigned only once (while still empty).
for(n=0;n<(dword)pefile.m_exportfunccount;n++)a3,~a7 u!
o if(fun1[0]==0)ec]t'a$@
er}/6[
if(fun2[0]==0)4ee+c-d8c
gz/]g j#
}tfm9 _$9d
-myl~ev(g
*f##gcjz|
// Open ntdll as a DLL image; on failure release the kernel image before returning.
pefile2.m_openmode=pe_open_no_import|pe_open_dll;k4_-io|r
bok = pefile2.open(gszntdllname,&hfile2);?>xl.uv$c
if(bok==false)dc"irw
: pefile.close();~2~tlb;
return 0;kt;=vw
}grts 3
// Locate the two anchor stubs in ntdll's export table.
ntdlladdr1 = pefile2.getexportfunc(fun1);/y? r#
ntdlladdr2 = pefile2.getexportfunc(fun2);+fit?q
// Read the first bytes of each stub from the image; byte 0 is expected to be the
// `mov eax, imm32` opcode (0xb8, checked further down) and bytes 1..4 the service number.
memset(codebuffer,0,sizeof(codebuffer));c/byw:
readlen = pefile2.readimagememory(ntdlladdr1,codebuffer,sizeof(codebuffer));molwfpo/r
// Short-read handling for the first stub; its body is lost in extraction.
if(readlen!=sizeof(codebuffer))3 ]5|z
n&br&q
// NOTE(review): unlike the check on the 0xb8 opcode below, the immediate is taken here
// without verifying codebuffer[0]; the unaligned dword read is x86-specific.
servicenum1 = *(dword*)&codebuffer[1];n%97jd3w
memset(codebuffer,0,sizeof(codebuffer));>yz~t|o
readlen = pefile2.readimagememory(ntdlladdr2,codebuffer,sizeof(codebuffer));#kwh5/
// NOTE(review): readlen from the second read is never compared with sizeof(codebuffer)
// before the buffer is decoded — a short read yields a service number from zeroed bytes.
servicenum2 = *(dword*)&codebuffer[1];^hvwho
8d@q;-g
// NOTE(review): the format string ends in "/n" rather than "\n" (possibly an extraction
// artifact); func1addr is not assigned anywhere in the visible code.
dbgprint("%s = %08x %08x %08x/n",fun1,ntdlladdr1,servicenum1,func1addr);&-?
// Scan ntdll's exports (loop header lost; `n` is the export index) and keep the largest
// service number seen among stubs that start with the 0xb8 opcode.
readlen = pefile2.readimagememory(pefile2.m_exportfunc[n].address,codebuffer,sizeof(codebuffer));bo[(s|
if(readlen9 )k;r42,
// 0xb8 = x86 `mov eax, imm32`; the immediate is the service index. Only such stubs
// are allowed to raise maxservicenum (the update itself is in the lost body).
if(*(dword*)&codebuffer[1] > maxservicenum&&codebuffer[0]==0xb8)e+7a:f
[-g$?-v
}a}}$vei&}k":z
tdbj _&x*
pefile2.close();4[ws5a
// Ordering of the two anchor service numbers decides the branch below (body lost).
if(servicenum1>servicenum2)j;'k^qgfz
^_^<]t.
// Chunked scan of the kernel image: 0x1000 bytes are read per pass into a buffer that
// is 7 bytes larger so a few bytes of the previous chunk can be carried over (see the
// copy from offset 0xffd below).
readbuffer = new char[0x1007];w9nl3u
memset(readbuffer,0,0x1007);8l+24[,
readbufferlen = 0x1000;[;e=j8 !
// File position of the table once matched; 0 means "not found" and is also the
// function's failure value.
ulong keservicedescriptortablefilepos=0;(f@w]zttm
bool bfindok=false;tnn`n@
// The search loops themselves (what is matched, what `m` indexes) are lost; only the
// success branch survives: record the position in `m` and stop scanning.
break;7v|g}q0 /
}%,w0:zc`j/
}r*q}[mt
else," v&~n>
xn@4ms;p
keservicedescriptortablefilepos=m;y9fe v/.
bfindok=true;yv? mz
break;}wynmu
}xkr8~nj:v
}raf9$!pgp
}+jz s|o`
if(bfindok)break;z&i8<. u
// Presumably carries the tail of this chunk (bytes 0xffd..0x1000) to the front so a
// pattern spanning two reads is still matched — TODO confirm against the lost loop body.
*(dword*)&readbuffer[0] = *(dword*)&readbuffer[0xffd];6m0kxp_ee
}sd!i nm
if(bfindok)}'^$tj
e9va,r
},vk8-ba
}[ zq~c6nl
// BUG: readbuffer was allocated with `new char[0x1007]`; releasing it with scalar
// `delete` instead of `delete[]` is undefined behaviour.
delete readbuffer;9y8+uw"2
pefile.close();f/( ;qgi
return keservicedescriptortablefilepos;j+7> ei
}