#define VERSION_2K 50 #define VERSION_XP 51 #define VERSION_2K3 52 #define VERSION_XP64 52 #define VERSION_2K3_R2 52 #define VERSION_VISTA 60 #define VERSION_SERVER2008 60 #define VERSION_WIN7 61 #define VERSION_SERVER2008_R2 61 DWORD GetVersion() { DWORD ret = 0; ULONG MajVer,MinVer; PsGetVersion(&MajVer, //主版本 &MinVer, //次版本 0, 0); ret = MajVer; ret*=10; ret += MinVer; return ret; } DWORD GetKeSSDT_Shadow() { DWORD Ver = GetVersion(); DWORD KeShadowTable = 0; switch(Ver) { case VERSION_XP: KeShadowTable = (DWORD)KeServiceDescriptorTable - 0x40; break; default: break; } return KeShadowTable; } DWORD EnumSSDT_Shadow() { _asm int 3; DWORD TableBase = GetKeSSDT_Shadow(); DWORD* FunAddress; DWORD Count = 0; TableBase += 0x10; _asm { lea eax,Count mov ebx,TableBase mov ebx,[ebx + 0x8] mov [eax],ebx } KdPrint(("SSDT Shadow表有 %d 个函数",Count)); // DWORD* FunAddress = (DWORD *)TableBase; _asm { mov eax,TableBase mov FunAddress,eax mov ebx,FunAddress mov ebx,[ebx] mov FunAddress,ebx } // FunAddress=PDWORD(*FunAddress); for(DWORD i=0; i< Count; i++) { KdPrint(("/n %d :%x",i,*FunAddress)); FunAddress++; } }