RING3下SSDT原始位址的獲取


#include "stdafx.h"

#include

#include

using namespace std;

// NOTE(review): the two bare #include lines above lost their header names in
// extraction (angle-bracket names were read as HTML tags). The identifiers used
// below (DWORD, PVOID, HMODULE, LoadLibraryEx, GetProcAddress, ...) come from
// <windows.h>; the other is presumably <iostream> or <stdio.h> — confirm
// against the original post. The scrape also lowercased every identifier
// (pvoid/dword/hmodule are PVOID/DWORD/HMODULE), which is harmless for types
// but breaks the export-name string literal passed to GetProcAddress further
// down, since export lookup is case-sensitive.

// RVA -> VA inside a mapped image. Both operands are truncated to 32 bits
// (DWORD) before the add, so this macro — and the technique as a whole — is
// only valid in a 32-bit process mapping a 32-bit ntoskrnl. (A 64-bit kernel,
// as far as I recall, does not export KeServiceDescriptorTable at all — verify
// before porting.)
#define rvatova(base,offset)             ((pvoid)((dword)(base)+(dword)(offset)))

// Treat the pointer variable ibase as a DWORD lvalue (pointer/integer punning;
// again 32-bit only).
#define ibasedd *(pdword)&ibase

// STATUS_INFO_LENGTH_MISMATCH: NtQuerySystemInformation returns this when the
// supplied buffer is too small; callers are expected to grow it and retry.
#define status_info_length_mismatch      ((ntstatus)0xc0000004l)

// NT_SUCCESS: any non-negative NTSTATUS is a success code.
#define nt_success(status)               ((ntstatus)(status) >= 0)

// NOTE(review): the body of IMAGE_FIXUP_ENTRY was lost in extraction; only the
// typedef names survive. It is used (as `pbr`) by findkiservicetable below.
typedef struct image_fixup_entry, *pimage_fixup_entry;

typedef long ntstatus;

// Function pointer for NtQuerySystemInformation. It is not declared in the
// public SDK, so it is presumably resolved from ntdll with GetProcAddress; that
// call is not in this excerpt.
// NOTE(review): the 4th parameter is declared as a plain dword, but the
// documented prototype takes a PULONG ReturnLength out-parameter. On 32-bit
// x86 __stdcall both are 4 bytes wide so the call still "works" — the
// declaration should still be corrected so the caller passes a pointer.
long ( __stdcall *ntquerysysteminformation )( dword, pvoid, dword, dword );

// NOTE(review): struct body of SYSTEM_MODULE_INFORMATION lost in extraction.
// enumssdt() reads .base, .modulenameoffset and .imagename from it.
typedef struct _system_module_information system_module_information,*psystem_module_information;

// NOTE(review): struct body lost in extraction. From its use below it has a
// member `smi` holding the first SYSTEM_MODULE_INFORMATION entry, which this
// code assumes is the kernel image (ntoskrnl) — the usual convention, but worth
// checking the module name rather than trusting entry 0.
typedef struct modules, *pmodules;

// SystemModuleInformation information class for NtQuerySystemInformation.
#define    systemmoduleinformation    11

// Locate the PE file header, optional header and first section header of the
// image mapped at ibase, returning them through the three out-pointers. The
// DWORD return value's meaning is not visible in this excerpt.
// NOTE(review): the function body was lost in extraction; only the signature
// survives. enumssdt() below calls it with the HMODULE from LoadLibraryEx cast
// to char*, which is valid because LoadLibraryEx returns the image base.
dword getheaders(pchar ibase,

pimage_file_header *pfh,

pimage_optional_header *poh,

pimage_section_header *psh)

// Find the RVA of KiServiceTable inside the mapped kernel image, given the RVA
// of KeServiceDescriptorTable (dwksdt). Returns 0 when it is not found.
// NOTE(review): the body was almost entirely lost in extraction. What remains
// (`pbr` advanced by `pbr->sizeofblock`) indicates it presumably walks the
// image's base-relocation blocks looking for the fixup that points at
// KeServiceDescriptorTable's first field — i.e. it recovers the table address
// from the on-disk image rather than from live kernel memory. The `}}` run on
// the signature line and the stray leading braces below are extraction
// residue, not code.
dword findkiservicetable(hmodule hmodule,dword dwksdt)}}

}*(pdword)&pbr+=pbr->sizeofblock;

}}   

return 0;

// Enumerate the original (on-disk) SSDT entries from user mode: query the
// loaded-module list for the kernel image, map that file into this process as
// a data image, locate KeServiceDescriptorTable -> KiServiceTable inside the
// mapping, then walk the table. Returns 1 on success; the failure paths are
// not visible in this excerpt. (The leading `}` on the first line closes
// findkiservicetable above.)
// NOTE(review): most of the control flow (braces, the NtQuerySystemInformation
// call that fills `pmodules`, the bodies of the if-blocks, the loop body that
// presumably prints each entry) was lost in extraction; the surviving lines
// are annotated individually.
}int enumssdt()

// rc is the NTSTATUS from the (missing) NtQuerySystemInformation call; the
// error branch body is gone.
if (!nt_success(rc))

// Real load address of the kernel. It is not used in the visible lines; the
// missing loop body presumably rebases each table entry with it
// (dwkernelbase + (*pservice - poh->imagebase)) to print a live address.
dwkernelbase=(dword)pmodules->smi.base;   // imagebase

// Path of the first module entry, assumed to be ntoskrnl.
// NOTE(review): SystemModuleInformation paths are normally of the form
// \SystemRoot\system32\ntoskrnl.exe, which LoadLibraryEx cannot open as-is;
// either the missing lines rewrite the prefix or the load relies on the file
// name alone — confirm.
pkernelname=pmodules->smi.modulenameoffset+pmodules->smi.imagename;

// Map ntoskrnl into this process. DONT_RESOLVE_DLL_REFERENCES means no
// DllMain and no import resolution — the image is only used as data, which is
// what we want here.
hkernel=loadlibraryex(pkernelname,0,dont_resolve_dll_references);

if (!hkernel)

// Release the module-list buffer (visible only on this failure path; whether
// it is also freed on the success path is not in the excerpt).
globalfree(pmodules);

// Resolve the export inside the mapped file. GetProcAddress is case-sensitive:
// the real export name is "KeServiceDescriptorTable"; the lowercased literal
// here is a scraping artifact and would make this lookup fail as written.
if (!(dwksdt=(dword)getprocaddress(hkernel,"keservicedescriptortable")))

// Convert the mapped VA to an RVA.
dwksdt-=(dword)hkernel;

// Locate KiServiceTable (RVA) via the relocation walk in findkiservicetable.
if (!(dwkiservicetable=findkiservicetable(hkernel,dwksdt)))

// Need the optional header for ImageBase / SizeOfImage below.
getheaders((char *)hkernel,&pfh,&poh,&psh);

int dwindex=0;

// Walk KiServiceTable. Each entry is a preferred-ImageBase-relative VA of a
// service routine.
// NOTE(review): the loop condition is garbled — the `<` was eaten as an HTML
// tag. It presumably reads `*pservice-poh->imagebase < poh->sizeofimage`,
// i.e. stop at the first entry that does not point inside the image, which is
// how the table end is detected. dwservices is declared outside the excerpt.
for (pservice=(pdword)((dword)hkernel+dwkiservicetable);

*pservice-poh->imagebasesizeofimage;

pservice++,dwservices++,dwindex++)

freelibrary(hkernel);

return 1;

}int main()
