getssdtserviceid_两种方法获取shadow ssdt

ULONG

GetShadowSsdtCurrentAddresses(

PSSDT_ADDRESS AddressInfo,

PULONG Length

)

{

PSYSTEM_SERVICE_TABLE KeServiceDescriptorTableShadow = NULL;

ULONG NumberOfService = 0;

ULONG ServiceId = 0;

PKAPC_STATE ApcState;

ULONG i;

if (AddressInfo == NULL || Length == NULL)

{

KdPrint(("[GetShadowSsdtCurrentAddresses] 输入参数无效"));

return 0;

}

//KdPrint(("pid = %d", PsGetCurrentProcessId()));

ServiceId = (ULONG)PsGetCurrentProcessId();

if (!g_CsrssProcess) {

PsLookupProcessByProcessId((PVOID)ScPsGetCsrssProcessId(), &g_CsrssProcess);

}

KeServiceDescriptorTableShadow = GetKeServiceDescriptorTableShadow();

if (KeServiceDescriptorTableShadow == NULL)

{

KdPrint(("[GetShadowSsdtCurrentAddresses] GetKeServiceDescriptorTableShadow failed"));

return 0;

}

NumberOfService = KeServiceDescriptorTableShadow->NumberOfService;

if (Length[0] < NumberOfService * sizeof(SSDT_ADDRESS))

{

Length[0] = NumberOfService * sizeof(SSDT_ADDRESS);

return 0;

}

ApcState = ExAllocatePoolWithTag(NonPagedPool, sizeof(KAPC_STATE), MEM_TAG);

KeStackAttachProcess((PRKPROCESS)g_CsrssProcess, ApcState);

for (ServiceId = 0; ServiceId < NumberOfService; ServiceId ++)

{

AddressInfo[ServiceId].FunAddress = (ULONG)

KeServiceDescriptorTableShadow->ServiceTableBase[ServiceId];

AddressInfo[ServiceId].nIndex = ServiceId;

}

KeUnstackDetachProcess(ApcState);

ExFreePool(ApcState);

Length[0] = NumberOfService * sizeof(SSDT_ADDRESS);

return NumberOfService;

}

///

//

//功能实现：枚举当前Shadow SSDT 表函数地址

//输入参数：void

//输出参数：返回Shadow ssdt table

//

///

PSYSTEM_SERVICE_TABLE

GetKeServiceDescriptorTableShadow(VOID)

{

PSYSTEM_SERVICE_TABLE ShadowTable = NULL;

ULONG ServiceTableAddress = 0;

PUCHAR cPtr = NULL;

for (cPtr = (PUCHAR)KeAddSystemServiceTable;

cPtr < (PUCHAR)KeAddSystemServiceTable + PAGE_SIZE;

cPtr += 1 )

{

if (!MmIsAddressValid(cPtr)) continue;

ServiceTableAddress = *(PULONG)cPtr;

if (!MmIsAddressValid((PVOID)ServiceTableAddress)) continue;

if (memcmp((PVOID)ServiceTableAddress, &KeServiceDescriptorTable, 16) == 0)

{

if ((PVOID)ServiceTableAddress == &KeServiceDescriptorTable) continue;

ShadowTable = (PSYSTEM_SERVICE_TABLE)ServiceTableAddress;

ShadowTable ++;

return ShadowTable;

}

}

return NULL;

}

//

// 方法2，通过硬编码实现，不通用

//

PSYSTEM_SERVICE_TABLE

GetKeServiceDescriptorTableShadow_2(VOID)

/*++

805ba5a3 8d8840a65580 lea ecx,nt!KeServiceDescriptorTableShadow (8055a640)[eax]

805ba5a9 833900 cmp dword ptr [ecx],0

--*/

{

PSYSTEM_SERVICE_TABLE ShadowTable;

ULONG ServiceTableAddress;

PUCHAR cPtr, pOpcode;

ULONG Length = 0;

for (cPtr = (PUCHAR)KeAddSystemServiceTable;

cPtr < (PUCHAR)KeAddSystemServiceTable + PAGE_SIZE;

cPtr += Length )

{

if (!MmIsAddressValid(cPtr)) return NULL;

Length = SizeOfCode(cPtr, &pOpcode);

if (!Length || (Length == 1 && *pOpcode == 0xC3)) return NULL;

if (*(PUSHORT)pOpcode == 0x888D)

{

ServiceTableAddress = *(PULONG)(pOpcode + 2);

ShadowTable = (PSYSTEM_SERVICE_TABLE)ServiceTableAddress;

ShadowTable ++;

return ShadowTable;

}

}

return NULL;

}