Finding KiServiceTable
2013-12-16 00:00
Abstract: On Pediy (看雪) there are frequent posts by various "experts" presenting their own ways of obtaining the SSDT and SSDT Shadow addresses. I'm no expert, but I'll share a method for obtaining the KiServiceTable base that I picked up last year (definitely not my own); with a few changes it apparently can also locate the W32pServiceTable base.
Given
a1 = address of NtClearEvent;
a2 = address of NtClose;
a3 = address of NtOpenFile;
i1 = *(PULONG)((PUCHAR)ZwClearEvent+1);
i2 = *(PULONG)((PUCHAR)ZwClose+1);
i3 = *(PULONG)((PUCHAR)ZwOpenFile+1);
(i1..i3 are the system service indices: on x86 every Zw* stub in ntoskrnl begins with mov eax, imm32, so the dword at offset 1 is the index.)
and
a1 = KiServiceTable[i1];
a2 = KiServiceTable[i2];
a3 = KiServiceTable[i3];
b = image base of ntoskrnl
s = image size of ntoskrnl
Find
KiServiceTable
    PUCHAR a;
    /* Scan the ntoskrnl image for the slot that holds a1, then confirm it with the
       other two anchors. The 0x10 step assumes &KiServiceTable[i1] is 16-byte aligned;
       a step of 4 (sizeof(ULONG)) is the safe choice. The image may contain unmapped
       pages, so a real driver should guard each read (e.g. with MmIsAddressValid). */
    for( a = b; a < b + s; a += 0x10 ) {
        if( *(PULONG)a != a1 ) continue;                  /* candidate for &KiServiceTable[i1] */
        if( *(PULONG)(a + 4*(i2-i1)) != a2 ) continue;    /* NtClose must sit (i2-i1) slots away */
        if( *(PULONG)(a + 4*(i3-i1)) != a3 ) continue;    /* NtOpenFile must sit (i3-i1) slots away */
        KiServiceTable = (PULONG)a - i1;                   /* a == &KiServiceTable[i1]; step back i1 slots to the base */
        break;
    }
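The three-anchor scan above, as an added user-mode example that is not the post's own code: it builds a constructed in-memory stand-in for the ntoskrnl image (a planted service table, fake Zw* stubs whose mov eax, imm32 encodes the index, and a lone decoy copy of the NtClearEvent address), reads the indices the way the post does, and runs the scan with bounds-checked reads and a signed slot offset so the indices may be in any order. The indices, addresses and offsets are all constructed values, not real Windows data. It also shows why the post checks three anchors: with a single anchor the decoy yields a wrong base.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for an ntoskrnl image (plain user-mode memory, not kernel memory). */
#define IMAGE_SIZE   0x1000
#define TABLE_OFFSET 0x800          /* where the fake KiServiceTable is planted (assumption) */
#define TABLE_SLOTS  0x60
#define DECOY_OFFSET 0x100          /* a lone copy of a1 outside the table */

/* Constructed service indices (assumption, chosen to look XP-like). */
enum { IDX_CLEAR_EVENT = 0x18, IDX_CLOSE = 0x19, IDX_OPEN_FILE = 0x4A };

static uint8_t image[IMAGE_SIZE];

/* Fake x86 Zw stubs: B8 imm32 = mov eax, <service index>; the rest of the stub is omitted. */
static const uint8_t zw_clear_event[] = { 0xB8, 0x18, 0x00, 0x00, 0x00 };
static const uint8_t zw_close[]       = { 0xB8, 0x19, 0x00, 0x00, 0x00 };
static const uint8_t zw_open_file[]   = { 0xB8, 0x4A, 0x00, 0x00, 0x00 };

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Mirrors *(PULONG)((PUCHAR)ZwXxx + 1): the imm32 of the leading mov eax. */
uint32_t service_index(const uint8_t *zw_stub) { return rd32(zw_stub + 1); }

/* Fake "Nt* address" stored in slot k: a recognisable constructed value. */
static uint32_t fake_nt_addr(uint32_t k) { return 0x80500000u + 0x40u * k; }

/* Fill the image with int3 padding, plant the table and the decoy. */
void build_image(void) {
    memset(image, 0xCC, sizeof image);
    for (uint32_t k = 0; k < TABLE_SLOTS; k++)
        wr32(image + TABLE_OFFSET + 4 * k, fake_nt_addr(k));
    wr32(image + DECOY_OFFSET, fake_nt_addr(IDX_CLEAR_EVENT));   /* single-anchor false positive */
}

/* The post's scan, generalised: addr[0] is searched with the given stride, the table base is
   derived as (hit - 4*idx[0]), and each further anchor n must satisfy table[idx[n]] == addr[n].
   Every read is bounds-checked. Returns the table's byte offset within the image, or -1. */
long find_service_table(const uint8_t *img, size_t size,
                        const uint32_t addr[3], const uint32_t idx[3],
                        int anchors, size_t stride) {
    for (size_t a = 0; a + 4 <= size; a += stride) {
        if (rd32(img + a) != addr[0]) continue;          /* candidate &table[idx[0]] */
        long base = (long)a - 4L * (long)idx[0];          /* step back idx[0] slots to the base */
        if (base < 0) continue;
        int ok = 1;
        for (int n = 1; n < anchors && ok; n++) {
            long off = base + 4L * (long)idx[n];          /* signed: indices may be in any order */
            if ((size_t)off + 4 > size || rd32(img + off) != addr[n]) ok = 0;
        }
        if (ok) return base;
    }
    return -1;
}

/* Run the scan against the constructed image with 1..3 anchors. */
long locate_with_anchors(int anchors) {
    build_image();
    uint32_t idx[3]  = { service_index(zw_clear_event), service_index(zw_close),
                         service_index(zw_open_file) };
    uint32_t addr[3] = { fake_nt_addr(idx[0]), fake_nt_addr(idx[1]), fake_nt_addr(idx[2]) };
    return find_service_table(image, sizeof image, addr, idx, anchors, 4);
}

int main(void) {
    printf("one anchor    -> offset 0x%lx (decoy-derived, wrong)\n", (unsigned long)locate_with_anchors(1));
    printf("three anchors -> offset 0x%lx\n", (unsigned long)locate_with_anchors(3));
    return 0;
}
```

The stride is 4 rather than the post's 0x10, since a 16-byte step only works when &KiServiceTable[i1] happens to be 16-byte aligned; the bounds checks stand in for the page-validity checks a driver would need when walking a real image.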