Viewing the system SSDT and Shadow SSDT with WinDbg

This article walks through using WinDbg to inspect the system's System Service Dispatch Table (SSDT) and Shadow SSDT, including verifying that the symbols for win32k.sys have been loaded, and shows the steps for viewing the contents of both tables.
x86 operating system

1. Check whether symbol information for win32k.sys is already loaded in the current session:

kd> lm
start    end        module name
80586000 8058f000   kdcom      (deferred)             
80e03000 81391000   nt         (pdb symbols)          d:\symbols\websymbo\ntkrpamp.pdb\E2342527EA214C109CD28A19ED4FBCCE2\ntkrpamp.pdb
81391000 813e6000   hal        (deferred)             
81c3b000 81c78000   spaceport   (deferred)             
81c78000 81c8b000   volmgr     (deferred)             
81c8b000 81cd9000   volmgrx    (deferred)             
81cd9000 81ce0000   intelide   (deferred)             
81ce0000 81cee000   PCIIDEX    (deferred)             
81cee000 81d04800   vmci       (deferred)             
81d05000 81d1a000   mountmgr   (deferred)             
81d1a000 81d33000   lsi_sas    (deferred)             
81d33000 81d80000   storport   (deferred)             
81d80000 81d89000   atapi      (deferred)             
81d89000 81db4000   ataport    (deferred)             
81db4000 81dc8000   EhStorClass   (deferred)             
81dc8000 81de6000   luafv      (deferred)             
81e00000 81e26000   cdrom      (deferred)             
81e35000 81e81000   fltmgr     (deferred)             
81e81000 81e92000   fileinfo   (deferred)             
81e92000 81ec5000   WdFilter   (deferred)             
81ec5000 81f97000   ndis       (deferred)             
81f97000 81ff0000   NETIO      (deferred)             
82000000 82014000   rspndr     (deferred)             
8201a000 821e9000   tcpip      (deferred)             
821e9000 821f4000   BasicRender   (deferred)             
82200000 82208000   Null       (deferred)             
82208000 8220f000   Beep       (deferred)             
82210000 82254000   fwpkclnt   (deferred)             
82254000 82261000   wfplwfs    (deferred)             
82261000 822ca000   fvevol     (deferred)             
822ca000 822da000   agp440     (deferred)             
822da000 82320000   volsnap    (deferred)             
82320000 8234f000   rdyboost   (deferred)             
8234f000 82360000   mup        (deferred)             
82360000 82367980   vmrawdsk   (deferred)             
8236b000 82383000   disk       (deferred)             
82383000 823ce000   CLASSPNP   (deferred)             
823ce000 823de000   crashdmp   (deferred)             
823de000 823e9000   monitor    (deferred)             
823e9000 823f9000   lltdio     (deferred)             
87a13000 87aa5000   mcupdate_GenuineIntel   (deferred)             
87aa5000 87ae8000   CLFS       (deferred)             
87ae8000 87b04000   tm         (deferred)             
87b04000 87b17000   PSHED      (deferred)             
87b17000 87b20000   BOOTVID    (deferred)             
87b20000 87b94000   CI         (deferred)             
87b94000 87bcc000   msrpc      (deferred)             
87bcc000 87bde000   pdc        (deferred)             
87bde000 87bf3000   partmgr    (deferred)             
87e00000 87e20000   tpm        (deferred)             
87e29000 87eaa000   Wdf01000   (deferred)             
87eaa000 87eb8000   WDFLDR     (deferred)             
87eb8000 87ec8000   acpiex     (deferred)             
87ec8000 87ed2000   WppRecorder   (deferred)             
87ed2000 87f2a000   ACPI       (deferred)             
87f2a000 87f33000   WMILIB     (deferred)             
87f33000 87f3b000   msisadrv   (deferred)             
87f3b000 87f6d000   pci        (deferred)             
87f6d000 87fe7000   cng        (deferred)             
87ff1000 87ffc000   vdrvroot   (deferred)             
88000000 8802a000   ksecpkg    (deferred)             
8803c000 881cf000   Ntfs       (deferred)             
881cf000 881e5000   ksecdd     (deferred)             
881e5000 881f3000   pcw        (deferred)             
881f3000 881fc000   Fs_Rec     (deferred)             
8be0a000 8bf3a000   dxgkrnl    (deferred)             
8bf3a000 8bf48000   watchdog   (deferred)             
8bf48000 8bf8b000   dxgmms1    (deferred)             
8bf8b000 8bf9a000   BasicDisplay   (deferred)             
8bf9a000 8bfa8000   Npfs       (deferred)             
8bfa8000 8bfb2000   Msfs       (deferred)             
8bfb2000 8bfcf000   tdx        (deferred)             
8bfcf000 8bfdc000   TDI        (deferred)             
8bfdc000 8bfe5000   ws2ifsl    (deferred)             
8bfe5000 8bff9000   dump_dumpfve   (deferred)             
8c800000 8c81a000   usbccgp    (deferred)             
8c81a000 8c824000   hidusb     (deferred)             
8c82a000 8c889000   USBPORT    (deferred)             
8c889000 8c8a6200   E1G60I32   (deferred)             
8c8a7000 8c8b9000   usbehci    (deferred)             
8c8b9000 8c8be000   CmBatt     (deferred)             
8c8be000 8c8c9000   BATTC      (deferred)             
8c8c9000 8c8e0000   intelppm   (deferred)             
8c8e0000 8c8f9000   raspptp    (deferred)             
8c8f9000 8c914000   rasl2tp    (deferred)             
8c914000 8c929000   raspppoe   (deferred)             
8c929000 8c92a300   swenum     (deferred)             
8c92b000 8c96a000   ks         (deferred)             
8c96a000 8c973000   rdpbus     (deferred)             
8c973000 8c984000   NDProxy    (deferred)             
8c984000 8c98e000   flpydisk   (deferred)             
8c98e000 8c9e2000   u
This example was developed with VS2008. Alongside a basic driver-development framework, it demonstrates how to obtain the original addresses of Shadow SSDT functions.

Main function: ULONG GetShadowSSDT_Function_OriAddr(ULONG index);

How it works: the exported function KeAddSystemServiceTable is located by signature search to obtain the Shadow SSDT base; the base of win32k.sys is obtained via ZwQuerySystemInformation(); the PE image is then parsed to locate the Shadow SSDT's offset within win32k.sys, and a further calculation yields the original address of each Shadow SSDT function. Only three functions are tested here: (460)NtUserMessageCall, (475)NtUserPostMessage and (502)NtUserSendInput; the same approach extends to the other entries. Complete source examples for this are scarce online, so hopefully this helps those who genuinely need it.

System environment: Windows XP SP3 with Rising antivirus installed.

Printed output:

[ LemonInfo : Loading Shadow SSDT Original Address Driver... ]
[ LemonInfo : 创建“设备”值为:0 ]
[ LemonInfo : 创建“设备”成功... ]
[ LemonInfo : 创建“符号链接”状态值为:0 ]
[ LemonInfo : 创建“符号链接”成功... ]
[ LemonInfo : 驱动加载成功... ]
[ LemonInfo : 派遣函数(DispatchRoutine) IRP 开始... ]
[ LemonInfo : 派遣函数(DispatchRoutine) IRP Enter IRP_MJ_DEVICE_CONTROL... ]
[ LemonInfo : 获取ShadowSSDT (460)NtUserMessageCall 函数的“当前地址”为:0xB83ECFC4,“起源地址”为:0xBF80EE6B ]
[ LemonInfo : 获取ShadowSSDT (475)NtUserPostMessage 函数的“当前地址”为:0xB83ECFA3,“起源地址”为:0xBF8089B4 ]
[ LemonInfo : 获取ShadowSSDT (502)NtUserSendInput 函数的“当前地址”为:0xBF8C31E7,“起源地址”为:0xBF8C31E7 ]
[ LemonInfo : 派遣函数(DispatchRoutine) IRP_MJ_DEVICE_CONTROL 成功执行... ]
[ LemonInfo : 派遣函数(DispatchRoutine) IRP 结束... ]
[ LemonInfo : UnLoading Shadow SSDT Original Address Driver... ]
[ LemonInfo : 删除“符号链接”成功... ]
[ LemonInfo : 删除“设备”成功... ]
[ LemonInfo : 驱动卸载成功... ]
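As an added example (not code from the page or from the driver described above), the "further calculation" step in C: the runtime Shadow SSDT base minus the actual win32k.sys load base gives the table RVA, the on-disk entry at that RVA is read through the PE section headers and rebased from the preferred image base to the load base, and the result is compared with the current entry to flag redirected services, which is what the printed output above shows for NtUserMessageCall and NtUserPostMessage (current address differs from original) versus NtUserSendInput (they match). The fake image, its section layout, bases and current addresses are constructed sample values, and the 32-bit entry size assumes the x86 systems this page covers.

```c
#include <stddef.h>
#include <stdint.h>

/* The IMAGE_SECTION_HEADER fields needed to map an RVA to a file offset. */
typedef struct { uint32_t virtual_address, virtual_size, raw_data_ptr, raw_data_size; } section_t;

/* Map an image RVA to an offset in the on-disk file; 0 means "not backed by file data". */
uint32_t rva_to_file_offset(const section_t *secs, size_t nsecs, uint32_t rva) {
    for (size_t i = 0; i < nsecs; i++) {
        uint32_t start = secs[i].virtual_address, delta = rva - start;
        if (rva >= start && delta < secs[i].virtual_size && delta < secs[i].raw_data_size)
            return secs[i].raw_data_ptr + delta;
    }
    return 0;
}

/* Original address of shadow service `index`: (runtime table base - actual win32k.sys load base) is the
 * table RVA; the on-disk entry there is a preferred-base address, so rebase it to the actual load base. */
uint32_t shadow_ssdt_original_addr(const uint8_t *file, size_t file_len, const section_t *secs,
                                   size_t nsecs, uint32_t table_base, uint32_t preferred_base,
                                   uint32_t actual_base, uint32_t index) {
    uint32_t off = rva_to_file_offset(secs, nsecs, table_base - actual_base + index * 4);
    if (off == 0 || off + 4 > file_len) return 0;
    uint32_t disk_entry = (uint32_t)file[off] | (uint32_t)file[off + 1] << 8 |
                          (uint32_t)file[off + 2] << 16 | (uint32_t)file[off + 3] << 24;
    return disk_entry - preferred_base + actual_base;
}

/* An entry is hooked when the address the kernel dispatches through differs from the rebased on-disk one. */
int shadow_entry_hooked(uint32_t current, uint32_t original) { return current != original; }

/* Constructed sample (not from the page): a fake win32k.sys with one .data section at RVA 0x1000 (file
 * offset 0x80) holding a three-entry table, loaded at 0xBF810000, 0x10000 above its preferred base.
 * Returns the hooked-entry count; original[] (may be NULL) receives the three rebased addresses. */
int demo_hook_scan(uint32_t *original) {
    const uint32_t preferred_base = 0xBF800000u, actual_base = 0xBF810000u, table_rva = 0x1000u;
    static const uint32_t disk_entries[3] = { 0xBF80EE6Bu, 0xBF8089B4u, 0xBF8C31E7u }; /* preferred-base values */
    static const uint32_t current[3]      = { 0xB83ECFC4u, 0xB83ECFA3u, 0xBF8D31E7u }; /* two redirected, one clean */
    uint8_t file[0x90] = {0};
    section_t secs[1] = { { 0x1000u, 0x10u, 0x80u, 0x10u } };
    int hooked = 0;
    for (uint32_t i = 0; i < 3; i++) {
        for (int b = 0; b < 4; b++) file[0x80 + i * 4 + b] = (uint8_t)(disk_entries[i] >> (8 * b));
        uint32_t o = shadow_ssdt_original_addr(file, sizeof file, secs, 1, actual_base + table_rva,
                                               preferred_base, actual_base, i);
        if (original) original[i] = o;
        hooked += shadow_entry_hooked(current[i], o);
    }
    return hooked;
}
```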