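/*
 * Page heading (translated from the original): "Enumerate the SSDT list.
 * def.h - see the earlier article on unexported structures. entry.c"
 *
 * entry.c - test driver that locates ntoskrnl.exe in the loaded-module list,
 * scans its image for the two RIP-relative LEA instructions that reference the
 * service descriptor table, and prints the address of every service entry.
 * The driver only reads and logs; it never writes to the table.
 *
 * x64 only: the byte patterns, the 7-byte LEA encoding and the 4-bit-shifted
 * 32-bit table offsets are all x64 conventions. The byte patterns are tied to a
 * particular kernel build and are not guaranteed to match every version
 * (not verified here).
 */
#include "C:\D\test\CC++\cc++lib\driver\def.h"

VOID TestEnumSSDT(VOID);
VOID GetSSDT(PVOID *addr);

/* Length of one `lea r64, [rip+disp32]` encoding: REX, 8D, ModRM, disp32. */
#define LEA_RIP_INSN_LEN 7

/* Driver object saved by DriverEntry; GetSSDT starts its module walk from it. */
static PDRIVER_OBJECT g_pdriver = NULL;

/*
 * DRIVER_UNLOAD callback. Returns VOID: the I/O manager's DRIVER_UNLOAD
 * contract has no return value (the original declared NTSTATUS).
 */
VOID DriverUnload(PDRIVER_OBJECT pdriver)
{
    UNREFERENCED_PARAMETER(pdriver);
    DbgPrint("unload...\n");
}

/*
 * Driver entry point.
 *
 * pdriver  driver object supplied by the I/O manager; stored in g_pdriver.
 * path     registry path (unused).
 * Returns STATUS_SUCCESS unconditionally.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pdriver, PUNICODE_STRING path)
{
    UNREFERENCED_PARAMETER(path);

    pdriver->DriverUnload = DriverUnload;
    DbgPrint("loading...\n");
    /* Must be set before TestEnumSSDT(): GetSSDT reads g_pdriver->DriverSection. */
    g_pdriver = pdriver;
    TestEnumSSDT();
    return STATUS_SUCCESS;
}

/*
 * Locate the kernel service descriptor table.
 *
 * addr  [out] receives the table address. It is left untouched when addr or
 *       g_pdriver is NULL, ntoskrnl.exe is not in the module list, the byte
 *       pattern is not found, or the computed address does not map to valid
 *       memory - so callers must initialise *addr themselves (TestEnumSSDT
 *       sets it to NULL first).
 *
 * Walks the InLoadOrderLinks ring starting at this driver's own
 * LDR_DATA_TABLE_ENTRY until the entry whose BaseDllName is "ntoskrnl.exe"
 * (case-insensitive), then scans that image for
 *     4C 8D 15 d d d d   lea r10, [rip+disp32]
 *     4C 8D 1D d d d d   lea r11, [rip+disp32]
 * The second instruction's disp32 is a SIGNED 32-bit value and is added to
 * the address of the instruction that follows it (RIP-relative addressing);
 * the original code read it as ULONG, which mis-computes negative
 * displacements.
 *
 * Fixes versus the original: "%wZ" was written as "wZ" (argument without a
 * conversion); the scan advanced `start` only when MmIsAddressValid() held,
 * so an unmapped page stalled the scan in place; bytes +1/+2 and the second
 * instruction were read after validating only their first byte; and the
 * loop counter did not account for the +7 skips, allowing reads past the
 * image. The result is now validated before being returned.
 */
VOID GetSSDT(PVOID *addr)
{
    PLDR_DATA_TABLE_ENTRY head;
    PLDR_DATA_TABLE_ENTRY entry;
    UNICODE_STRING kernelName = { 0 };
    PUCHAR image = NULL;
    ULONG imageSize = 0;
    size_t i;

    if (addr == NULL || g_pdriver == NULL || g_pdriver->DriverSection == NULL) {
        return;
    }

    head = (PLDR_DATA_TABLE_ENTRY)g_pdriver->DriverSection;
    entry = head;
    RtlInitUnicodeString(&kernelName, L"ntoskrnl.exe");

    do {
        if (RtlCompareUnicodeString(&kernelName, &entry->BaseDllName, TRUE) == 0) {
            DbgPrint("%wZ\n", &entry->BaseDllName);
            image = (PUCHAR)entry->DllBase;
            imageSize = entry->SizeOfImage;
            break;
        }
        /* InLoadOrderLinks is the link field; recover the containing entry explicitly. */
        entry = CONTAINING_RECORD(entry->InLoadOrderLinks.Flink,
                                  LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
    } while (entry != head);

    if (image == NULL) {
        return;
    }

    /* Each candidate needs 14 bytes (two instructions) inside the image. */
    for (i = 0; i + 2 * LEA_RIP_INSN_LEN <= imageSize; i++) {
        PUCHAR first = image + i;
        PUCHAR second = first + LEA_RIP_INSN_LEN;
        PUCHAR next = second + LEA_RIP_INSN_LEN;
        LONG disp;

        /*
         * 14 bytes span at most two pages; validate the first and the last
         * byte before touching anything in between.
         */
        if (!MmIsAddressValid(first) || !MmIsAddressValid(next - 1)) {
            continue;
        }
        if (first[0] != 0x4c || first[1] != 0x8d || first[2] != 0x15) {
            continue;
        }
        if (second[0] != 0x4c || second[1] != 0x8d || second[2] != 0x1d) {
            continue;
        }

        /* disp32 sits in the last four bytes of the second instruction. */
        RtlCopyMemory(&disp, second + 3, sizeof(disp));
        if (MmIsAddressValid(next + disp)) {
            *addr = next + disp;
        }
        return;
    }
}

/*
 * Print the address of every entry in the service descriptor table.
 *
 * Layout assumed for the descriptor (x64): +0x00 ServiceTableBase,
 * +0x08 ServiceCounterTableBase, +0x10 NumberOfServices. Each table entry is
 * a SIGNED 32-bit value: the upper 28 bits are an offset from
 * ServiceTableBase, the low 4 bits are an argument count, hence the shift by
 * 4. The original shifted a ULONG, which turns a negative offset into a large
 * positive one; the shift here is on LONG, which MSVC performs arithmetically.
 *
 * DebugMessage() in the original is not defined in this file; DbgPrint is
 * used for consistency with the rest of the driver.
 */
VOID TestEnumSSDT(VOID)
{
    PVOID ssdt = NULL;
    PLONG table;
    ULONG count;
    ULONG i;

    GetSSDT(&ssdt);
    DbgPrint("%p\n", ssdt);
    if (ssdt == NULL) {
        return;
    }

    table = *(PLONG *)ssdt;
    count = *(PULONG)((PUCHAR)ssdt + 0x10);
    if (table == NULL || !MmIsAddressValid(table)) {
        return;
    }

    for (i = 0; i < count; i++) {
        LONG offset = table[i] >> 4;
        /* %lu matches the ULONG counter (the original passed size_t to %d). */
        DbgPrint("index:%lu,pfunc:%p\n", i, (PVOID)((PUCHAR)table + offset));
    }
}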