获取SSDT服务表数据
#include <ntddk.h>
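/*
 * One system service table as the 32-bit kernel lays it out. The field
 * layout is not declared in ntddk.h; this mirrors the kernel's private
 * definition, so any mismatch with the running kernel is read out of bounds.
 */
typedef struct _KSYSTEM_SERVICE_TABLE
{
    PULONG ServiceTableBase;        // base of the SSDT (System Service Dispatch Table)
    PULONG ServiceCounterTableBase; // call counter for each SSDT entry
    ULONG  NumberOfService;         // number of entries; on 32-bit each entry is 4 bytes, so NumberOfService * 4 is the table size
    ULONG  ParamTableBase;          // base of the SSPT (System Service Parameter Table)
} KSYSTEM_SERVICE_TABLE, *PKSYSTEM_SERVICE_TABLE;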
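/*
 * The service descriptor block: four service tables, of which only the first
 * two are populated. Same caveat as KSYSTEM_SERVICE_TABLE: this is a private
 * kernel layout reproduced by hand, not a public header definition.
 */
typedef struct _KSERVICE_TABLE_DESCRIPTOR
{
    KSYSTEM_SERVICE_TABLE ntoskrnl; // services implemented by ntoskrnl.exe
    KSYSTEM_SERVICE_TABLE win32k;   // services implemented by win32k.sys (kernel side of GDI32.dll/User32.dll)
    KSYSTEM_SERVICE_TABLE notUsed1;
    KSYSTEM_SERVICE_TABLE notUsed2;
} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;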
// KeServiceDescriptorTable is a data export of the 32-bit ntoskrnl.exe (the
// x64 kernel does not export it). extern "C" stops the C++ compiler from
// mangling the name so the reference resolves against the kernel export.
// NOTE(review): it is declared as a pointer although the export is the table
// itself; presumably this works because a non-dllimport data reference binds
// to the import-address-table slot, which holds the table's address — verify
// before relying on it.
extern "C" PKSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable;
/*
 * Unload callback registered by DriverEntry. Nothing is torn down here:
 * DriverEntry allocates no resources and only touches CR0 transiently.
 */
void DriverUnload(PDRIVER_OBJECT lpd)
{
    (void)lpd; // parameter intentionally unused
}
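/*
 * Driver entry point: dumps every entry of the ntoskrnl SSDT to the debugger
 * and then toggles CR0.WP once, purely as a demonstration. 32-bit x86 only:
 * _asm is rejected by the x64 compiler and KeServiceDescriptorTable is not
 * exported by the x64 kernel.
 *
 * Returns STATUS_UNSUCCESSFUL deliberately, so the driver is unloaded right
 * after DriverEntry returns (as far as I know DriverUnload is not invoked on a
 * failed DriverEntry, so the callback registered below is effectively inert).
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    (void)RegistryPath; // parameter intentionally unused

    /*
     * Read-only walk of the service table. It needs neither CR0.WP cleared nor
     * interrupts masked, so it runs *before* the asm below; that keeps the
     * window with write protection off as small as possible.
     * Bug fixed: the original printed the table *base* pointer on every
     * iteration with %d; print entry i with a ULONG-sized hex specifier.
     */
    ULONG i;
    for (i = 0; i < KeServiceDescriptorTable->ntoskrnl.NumberOfService; i++) {
        KdPrint(("SSDT函数地址: 0x%08lX\n",
                 KeServiceDescriptorTable->ntoskrnl.ServiceTableBase[i]));
    }

    /*
     * Clear CR0.WP (bit 16, 0x10000) with interrupts masked, then restore it.
     * Nothing is written between the two blocks; the pair is kept only because
     * the listing demonstrates it. Caveats: `cli` masks interrupts on the
     * current processor only, so this is not a system-wide guard; anything
     * called inside the window (the KdPrint) runs with interrupts masked, so
     * keep the window short; and on x64 Kernel Patch Protection treats SSDT
     * modification as a bugcheck condition.
     */
    _asm {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }
    KdPrint(("修改内核保护成功!"));
    _asm {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }
    KdPrint(("撤销内核修改!"));

    DriverObject->DriverUnload = DriverUnload;
    return STATUS_UNSUCCESSFUL; // run once and unload, as the author intended
}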
去年用 MASM 写过，现在用 VC 再写一遍。