x86 operating system
1. Check whether the current system has already loaded the symbol information for win32k.sys:
```
kd> lm
start end module name
80586000 8058f000 kdcom (deferred)
80e03000 81391000 nt (pdb symbols) d:\symbols\websymbo\ntkrpamp.pdb\E2342527EA214C109CD28A19ED4FBCCE2\ntkrpamp.pdb
81391000 813e6000 hal (deferred)
81c3b000 81c78000 spaceport (deferred)
81c78000 81c8b000 volmgr (deferred)
81c8b000 81cd9000 volmgrx (deferred)
81cd9000 81ce0000 intelide (deferred)
81ce0000 81cee000 PCIIDEX (deferred)
81cee000 81d04800 vmci (deferred)
81d05000 81d1a000 mountmgr (deferred)
81d1a000 81d33000 lsi_sas (deferred)
81d33000 81d80000 storport (deferred)
81d80000 81d89000 atapi (deferred)
81d89000 81db4000 ataport (deferred)
81db4000 81dc8000 EhStorClass (deferred)
81dc8000 81de6000 luafv (deferred)
81e00000 81e26000 cdrom (deferred)
81e35000 81e81000 fltmgr (deferred)
81e81000 81e92000 fileinfo (deferred)
81e92000 81ec5000 WdFilter (deferred)
81ec5000 81f97000 ndis (deferred)
81f97000 81ff0000 NETIO (deferred)
82000000 82014000 rspndr (deferred)
8201a000 821e9000 tcpip (deferred)
821e9000 821f4000 BasicRender (deferred)
82200000 82208000 Null (deferred)
82208000 8220f000 Beep (deferred)
82210000 82254000 fwpkclnt (deferred)
82254000 82261000 wfplwfs (deferred)
82261000 822ca000 fvevol (deferred)
822ca000 822da000 agp440 (deferred)
822da000 82320000 volsnap (deferred)
82320000 8234f000 rdyboost (deferred)
8234f000 82360000 mup (deferred)
82360000 82367980 vmrawdsk (deferred)
8236b000 82383000 disk (deferred)
82383000 823ce000 CLASSPNP (deferred)
823ce000 823de000 crashdmp (deferred)
823de000 823e9000 monitor (deferred)
823e9000 823f9000 lltdio (deferred)
87a13000 87aa5000 mcupdate_GenuineIntel (deferred)
87aa5000 87ae8000 CLFS (deferred)
87ae8000 87b04000 tm (deferred)
87b04000 87b17000 PSHED (deferred)
87b17000 87b20000 BOOTVID (deferred)
87b20000 87b94000 CI (deferred)
87b94000 87bcc000 msrpc (deferred)
87bcc000 87bde000 pdc (deferred)
87bde000 87bf3000 partmgr (deferred)
87e00000 87e20000 tpm (deferred)
87e29000 87eaa000 Wdf01000 (deferred)
87eaa000 87eb8000 WDFLDR (deferred)
87eb8000 87ec8000 acpiex (deferred)
87ec8000 87ed2000 WppRecorder (deferred)
87ed2000 87f2a000 ACPI (deferred)
87f2a000 87f33000 WMILIB (deferred)
87f33000 87f3b000 msisadrv (deferred)
87f3b000 87f6d000 pci (deferred)
87f6d000 87fe7000 cng (deferred)
87ff1000 87ffc000 vdrvroot (deferred)
88000000 8802a000 ksecpkg (deferred)
8803c000 881cf000 Ntfs (deferred)
881cf000 881e5000 ksecdd (deferred)
881e5000 881f3000 pcw (deferred)
881f3000 881fc000 Fs_Rec (deferred)
8be0a000 8bf3a000 dxgkrnl (deferred)
8bf3a000 8bf48000 watchdog (deferred)
8bf48000 8bf8b000 dxgmms1 (deferred)
8bf8b000 8bf9a000 BasicDisplay (deferred)
8bf9a000 8bfa8000 Npfs (deferred)
8bfa8000 8bfb2000 Msfs (deferred)
8bfb2000 8bfcf000 tdx (deferred)
8bfcf000 8bfdc000 TDI (deferred)
8bfdc000 8bfe5000 ws2ifsl (deferred)
8bfe5000 8bff9000 dump_dumpfve (deferred)
8c800000 8c81a000 usbccgp (deferred)
8c81a000 8c824000 hidusb (deferred)
8c82a000 8c889000 USBPORT (deferred)
8c889000 8c8a6200 E1G60I32 (deferred)
8c8a7000 8c8b9000 usbehci (deferred)
8c8b9000 8c8be000 CmBatt (deferred)
8c8be000 8c8c9000 BATTC (deferred)
8c8c9000 8c8e0000 intelppm (deferred)
8c8e0000 8c8f9000 raspptp (deferred)
8c8f9000 8c914000 rasl2tp (deferred)
8c914000 8c929000 raspppoe (deferred)
8c929000 8c92a300 swenum (deferred)
8c92b000 8c96a000 ks (deferred)
8c96a000 8c973000 rdpbus (deferred)
8c973000 8c984000 NDProxy (deferred)
8c984000 8c98e000 flpydisk (deferred)
8c98e000 8c9e2000 usbhub (deferred)
8c9e2000 8c9eb000 USBD (deferred)
8c9eb000 8c9ff000 HIDCLASS (deferred)
8ca00000 8ca06780 HIDPARSE (deferred)
8ca07000 8ca10000 mouhid (deferred)
8ca10000 8ca1b000 dump_diskdump (deferred)
8ca1b000 8ca34000 dump_LSI_SAS (deferred)
8ca3a000 8ca7e000 netbt (deferred)
8ca7e000 8caf1000 afd (deferred)
8caf1000 8cb16000 pacer (deferred)
8cb16000 8cb24000 netbios (deferred)
8cb24000 8cb45580 vmhgfs (deferred)
8cb46000 8cb9f000 rdbss (deferred)
8cb9f000 8cbbb000 vm3dmp (deferred)
8cbbb000 8cbff000 udfs (deferred)
8cc00000 8cc70000 csc (deferred)
8cc70000 8cc86000 wanarp (deferred)
8cc86000 8cc91000 nsiproxy (deferred)
8cc91000 8cc9c000 npsvctrig (deferred)
8cc9c000 8cca7000 mssmbios (deferred)
8cca7000 8ccb5000 discache (deferred)
8ccb5000 8ccd0000 dfsc (deferred)
8ccd0000 8ccdb000 usbuhci (deferred)
8ccde000 8cce9000 ndistapi (deferred)
8cce9000 8cd0f000 ndiswan (deferred)
8cd0f000 8cd26000 rassstp (deferred)
8cd26000 8cd38000 AgileVpn (deferred)
8cd38000 8cd5b000 tunnel (deferred)
8cd5b000 8cd68000 CompositeBus (deferred)
8cd68000 8cd72000 kdnic (deferred)
8cd72000 8cd80000 umbus (deferred)
8cd80000 8cd9b000 i8042prt (deferred)
8cd9b000 8cda8000 kbdclass (deferred)
8cda8000 8cda9280
```
We find that win32k does not appear in the module list, so the win32k.pdb symbols have not been loaded on the current system. We therefore need to carry out the second step:
2. Enter the context of a GUI process, at which point the system automatically loads win32k.sys:
First we enumerate all processes on the current system, looking for explorer.exe:
```
kd> !Process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 845c0cc0 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00185000 ObjectTable: 87c03000 HandleCount: <Data Not Accessible>
Image: System
PROCESS 858a69c0 SessionId: none Cid: 0200 Peb: 7f0db000 ParentCid: 0004
DirBase: 3e0a7020 ObjectTable: 8b1cdec0 HandleCount: <Data Not Accessible>
Image: smss.exe
PROCESS 85ea4bc0 SessionId: 0 Cid: 0264 Peb: 7f55f000 ParentCid: 025c
DirBase: 3e0a7060 ObjectTable: 8c436740 HandleCount: <Data Not Accessible>
Image: csrss.exe
PROCESS 84669cc0 SessionId: 1 Cid: 029c Peb: 7f04a000 ParentCid: 0200
DirBase: 3e0a7080 ObjectTable: 00000000 HandleCount: 0.
Image: smss.exe
PROCESS 845b8040 SessionId: 0 Cid: 02a4 Peb: 7fcd8000 ParentCid: 025c
DirBase: 3e0a70a0 ObjectTable: 8b1fec00 HandleCount: <Data Not Accessible>
Image: wininit.exe
PROCESS 84655cc0 SessionId: 1 Cid: 02ac Peb: 7f0a4000 ParentCid: 029c
DirBase: 3e0a7040 ObjectTable: 87cdde00 HandleCount: <Data Not Accessible>
Image: csrss.exe
PROCESS 84662cc0 SessionId: 1 Cid: 02cc Peb: 7f2d9000 ParentCid: 029c
DirBase: 3e0a70c0 ObjectTable: 87cc6a00 HandleCount: <Data Not Accessible>
Image: winlogon.exe
PROCESS 8463fcc0 SessionId: 0 Cid: 02f8 Peb: 7f42d000 ParentCid: 02a4
DirBase: 3e0a70e0 ObjectTable: 91325f00 HandleCount: <Data Not Accessible>
Image: services.exe
PROCESS 845a0900 SessionId: 0 Cid: 0300 Peb: 7f885000 ParentCid: 02a4
DirBase: 3e0a7100 ObjectTable: 91328a00 HandleCount: <Data Not Accessible>
Image: lsass.exe
PROCESS 857b0040 SessionId: 0 Cid: 0364 Peb: 7f08f000 ParentCid: 02f8
DirBase: 3e0a7120 ObjectTable: 9be2f480 HandleCount: <Data Not Accessible>
Image: svchost.exe
PROCESS 8608e040 SessionId: 0 Cid: 0394 Peb: 7f43f000 ParentCid: 02f8
DirBase: 3e0a7140 ObjectTable: 9be62640 HandleCount: <Data Not Accessible>
Image: svchost.exe
PROCESS 860b5cc0 SessionId: 1 Cid: 03dc Peb: 7f353000 ParentCid: 02cc
DirBase: 3e0a7160 ObjectTable: 00000000 HandleCount: 0.
Image: LogonUI.exe
PROCESS 860f5cc0 SessionId: 1 Cid: 0428 Peb: 7f1bd000 ParentCid: 02cc
DirBase: 3e0a7180 ObjectTable: 9bf3e840 HandleCount: <Data Not Accessible>
Image: dwm.exe
PROCESS 86163040 SessionId: 0 Cid: 0474 Peb: 7f145000 ParentCid: 02f8
DirBase: 3e0a71a0 ObjectTable: 9cc01300 HandleCount: <Data Not Accessible>
Image: svchost.exe
PROCESS 86168200 SessionId: 0 Cid: 0490 Peb: 7fe6f000 ParentCid: 02f8
DirBase: 3e0a71c0 ObjectTable: 9cc19880 HandleCount: <Data Not Accessible>
Image: svchost.exe
PROCESS 861819c0 SessionId: 0 Cid: 04c4 Peb: 7f6f7000 ParentCid: 02f8
DirBase: 3e0a71e0 ObjectTable: 9cc696c0 HandleCount: <Data Not Accessible>
Image: svchost.exe
PROCESS 8618ca00 SessionId: 0 Cid: 04fc Peb: 7f4af000 ParentCid: 02f8
DirBase: 3e0a7200 ObjectTable: 9cc7cbc0 HandleCount: <Data Not Accessible>
Image: svchost.exe
PROCESS 85f3b6c0 SessionId: 0 Cid: 0560 Peb: 7f1ef000 ParentCid: 02f8
DirBase: 3e0a7220 ObjectTable: 9ccb56c0 HandleCount: <Data Not Accessible>
Image: svchost.exe
PROCESS 85f96040 SessionId: 0 Cid: 05f4 Peb: 7f0b4000 ParentCid: 02f8
DirBase: 3e0a7240 ObjectTable: 9cd30980 HandleCount: <Data Not Accessible>
Image: spoolsv.exe
PROCESS 861d4580 SessionId: 0 Cid: 0630 Peb: 7fedf000 ParentCid: 02f8
DirBase: 3e0a7280 ObjectTable: 9cd4a280 HandleCount: <Data Not Accessible>
Image: svchost.exe
PROCESS 869b5040 SessionId: 0 Cid: 06f8 Peb: 7fc77000 ParentCid: 02f8
DirBase: 3e0a72a0 ObjectTable: 9cdcc800 HandleCount: <Data Not Accessible>
Image: MsMpEng.exe
PROCESS 869e7040 SessionId: 0 Cid: 0730 Peb: 7f17b000 ParentCid: 02f8
DirBase: 3e0a72c0 ObjectTable: 9f869940 HandleCount: <Data Not Accessible>
Image: vmtoolsd.exe
PROCESS 86b6a9c0 SessionId: 1 Cid: 08b0 Peb: 7feda000 ParentCid: 02f8
DirBase: 3e0a7360 ObjectTable: 9cde4740 HandleCount: <Data Not Accessible>
Image: taskhostex.exe
PROCESS 86b84540 SessionId: 1 Cid: 0914 Peb: 7f7bc000 ParentCid: 08ec
DirBase: 3e0a73e0 ObjectTable: 9e0d83c0 HandleCount: <Data Not Accessible>
Image: explorer.exe
PROCESS 8515f040 SessionId: 0 Cid: 09f0 Peb: 7fa7b000 ParentCid: 02f8
DirBase: 3e0a7440 ObjectTable: 9e1c0a80 HandleCount: <Data Not Accessible>
Image: msdtc.exe
PROCESS 86b28cc0 SessionId: 0 Cid: 0a34 Peb: 7f6cd000 ParentCid: 02f8
DirBase: 3e0a7460 ObjectTable: 9e645bc0 HandleCount: <Data Not Accessible>
Image: svchost.exe
PROCESS 86a804c0 SessionId: 1 Cid: 0b4c Peb: 7f16f000 ParentCid: 0364
DirBase: 3e0a7320 ObjectTable: 9e6bae80 HandleCount: <Data Not Accessible>
Image: LiveComm.exe
PROCESS 86c8fcc0 SessionId: 0 Cid: 0b6c Peb: 7fc8b000 ParentCid: 02f8
DirBase: 3e0a7480 ObjectTable: 9e6ce3c0 HandleCount: <Data Not Accessible>
Image: svchost.exe
PROCESS 86c31cc0 SessionId: 0 Cid: 0ce4 Peb: 7fcf3000 ParentCid: 04fc
DirBase: 3e0a74e0 ObjectTable: 9e765b40 HandleCount: <Data Not Accessible>
Image: dasHost.exe
PROCESS 86c45040 SessionId: 1 Cid: 0d8c Peb: 7f68d000 ParentCid: 0364
DirBase: 3e0a7520 ObjectTable: 9e686a00 HandleCount: <Data Not Accessible>
Image: RuntimeBroker.exe
PROCESS 86b13540 SessionId: 1 Cid: 0e64 Peb: 7fb2c000 ParentCid: 0914
DirBase: 3e0a7560 ObjectTable: a1666640 HandleCount: <Data Not Accessible>
Image: VMwareTray.exe
PROCESS 869eca40 SessionId: 1 Cid: 0ecc Peb: 7fcbf000 ParentCid: 0914
DirBase: 3e0a75a0 ObjectTable: a17c5f40 HandleCount: <Data Not Accessible>
Image: vmtoolsd.exe
PROCESS 85ea5040 SessionId: 0 Cid: 0ee4 Peb: 7f429000 ParentCid: 02f8
DirBase: 3e0a75c0 ObjectTable: a16afb80 HandleCount: <Data Not Accessible>
Image: SearchIndexer.exe
PROCESS 84739740 SessionId: 0 Cid: 0b54 Peb: 7f4df000 ParentCid: 0364
DirBase: 3e0a7640 ObjectTable: a3e86440 HandleCount: <Data Not Accessible>
Image: dllhost.exe
PROCESS 847b0cc0 SessionId: 0 Cid: 0e0c Peb: 7f8cc000 ParentCid: 02f8
DirBase: 3e0a7500 ObjectTable: a3fe4980 HandleCount: <Data Not Accessible>
Image: wmpnetwk.exe
PROCESS 8542a9c0 SessionId: 0 Cid: 02b4 Peb: 7f98f000 ParentCid: 0178
DirBase: 3e0a7920 ObjectTable: a9d4f340 HandleCount: <Data Not Accessible>
Image: MpCmdRun.exe
PROCESS 85406740 SessionId: 0 Cid: 0198 Peb: 7faae000 ParentCid: 06f8
DirBase: 3e0a7940 ObjectTable: a9ca8800 HandleCount: <Data Not Accessible>
Image: MpCmdRun.exe
PROCESS 84ed1cc0 SessionId: 0 Cid: 0bb8 Peb: 7fbfd000 ParentCid: 0198
DirBase: 3e0a7900 ObjectTable: aa4d4580 HandleCount: <Data Not Accessible>
Image: conhost.exe
PROCESS 84d2e200 SessionId: 0 Cid: 0a8c Peb: 7fe37000 ParentCid: 02f8
DirBase: 3e0a740
```
We find that the EPROCESS address of explorer.exe is 86b84540, so we use the following command to switch into the address space of explorer.exe:
```
kd> .process 86b84540
Implicit process is now 86b84540
WARNING: .cache forcedecodeuser is not enabled
```
Once that is done we have WinDbg reload the symbols:
```
kd> .reload
Connected to Windows 7 9200 x86 compatible target at (Thu Jan 16 14:55:08.096 2014 (UTC + 8:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
......................
Loading User Symbols
................................................................
...
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
.............................................................
................................................................
.......
Loading unloaded module list
............................
```
At this point win32k.pdb has been loaded into WinDbg, so we can use symbols to look up the SSDT and the Shadow SSDT.
The first thing to do now is to find the address of KeServiceDescriptorTable, which the kernel exports:
```
kd> dd nt!KeServiceDescriptorTable
81017400 80efb4d0 00000000 000001ad 80efbb88
81017410 00000000 00000000 00000000 00000000
81017420 80e8e42a 87f7f0b0 ffd5826a ffffffff
81017430 06060001 00010001 00000001 00000000
81017440 00000000 00000000 00000014 00000001
81017450 00000014 00000003 00000004 00000001
81017460 00000000 00000000 00000000 7ffeffff
81017470 80000000 83000000 87951000 0003ff7d
```
Here we see that the address 81017400 is the start address of nt!KeServiceDescriptorTable, the structure we want to examine.
To read it we need another data structure:
```c
#include <ntddk.h>   /* ULONG / PULONG (WDK); added so the definitions compile on their own */

typedef struct _KSYSTEM_SERVICE_TABLE
{
    PULONG ServiceTableBase;        // base address of the SSDT (System Service Dispatch Table)
    PULONG ServiceCounterTableBase; // counts how many times each service in the SSDT has been called
    ULONG  NumberOfService;         // number of service functions; NumberOfService * 4 is the size of the whole address table
    ULONG  ParamTableBase;          // base address of the SSPT (System Service Parameter Table)
} KSYSTEM_SERVICE_TABLE, *PKSYSTEM_SERVICE_TABLE;

typedef struct _KSERVICE_TABLE_DESCRIPTOR
{
    KSYSTEM_SERVICE_TABLE ntoskrnl; // service functions of ntoskrnl.exe (the SSDT)
    KSYSTEM_SERVICE_TABLE win32k;   // service functions of win32k.sys (kernel support for GDI32.dll/User32.dll, the Shadow SSDT)
    KSYSTEM_SERVICE_TABLE notUsed1;
    KSYSTEM_SERVICE_TABLE notUsed2;
} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;
```
The address 81017400 points to the start of a KSERVICE_TABLE_DESCRIPTOR structure, i.e. to its first member, KSYSTEM_SERVICE_TABLE ntoskrnl; that ntoskrnl member holds our SSDT. Read against the structure, the four DWORDs at 81017400 (80efb4d0 00000000 000001ad 80efbb88) are ServiceTableBase, ServiceCounterTableBase, NumberOfService (0x1ad = 429 services) and ParamTableBase.
The win32k member should hold the Shadow SSDT, but the memory at 81017410 is all zeros, i.e. empty. This is because Windows keeps the complete KSERVICE_TABLE_DESCRIPTOR somewhere else, and we need a different command to inspect it:
```
kd> dd nt!KeServiceDescriptorTableShadow
810173c0 80efb4d0 00000000 000001ad 80efbb88
810173d0 8f712000 00000000 000003d8 8f713340
810173e0 80ee1ea3 00026161 00001388 00000000
810173f0 00200000 00000040 a0ef3fff 00000009
81017400 80efb4d0 00000000 000001ad 80efbb88
81017410 00000000 00000000 00000000 00000000
81017420 80e8e42a 87f7f0b0 ffd5826a ffffffff
81017430 06060001 00010001 00000001 00000000
```
In this output the address on the fifth line looks familiar: it is 81017400, a striking find, because that is exactly the start address returned when we looked at nt!KeServiceDescriptorTable!
Now look at the start address returned this time, 810173c0, and at its contents: 80efb4d0 00000000 000001ad 80efbb88. They are identical to the contents at 81017400. In other words, nt!KeServiceDescriptorTableShadow is a copy of nt!KeServiceDescriptorTable, with one difference: the win32k member of KeServiceDescriptorTableShadow does contain data (8f712000 00000000 000003d8 8f713340 at 810173d0), which means this is where the Shadow SSDT we are looking for is stored.
OK, now let's look at the contents of the SSDT:
```
kd> dds 80efb4d0 L000001ad
80efb4d0 80ed5901 nt!NtWorkerFactoryWorkerReady
80efb4d4 80e741e2 nt!NtYieldExecution
80efb4d8 81126540 nt!NtWriteVirtualMemory
80efb4dc 811ae0af nt!NtWriteRequestData
80efb4e0 81163478 nt!NtWriteFileGather
80efb4e4 8105548f nt!NtWriteFile
80efb4e8 811f3434 nt!NtWaitLowEventPair
80efb4ec 811f33cb nt!NtWaitHighEventPair
...
...
...
```
This is the actual content of our SSDT.
The contents of the Shadow SSDT:
```
kd> dds 8f712000 L000003d8
8f712000 8f6051a3 win32k!NtUserYieldTask
8f712004 8f668e22 win32k!NtGdiWidenPath
8f712008 8f6692bc win32k!NtGdiUpdateColors
8f71200c 8f66af6d win32k!NtGdiUnrealizeObject
8f712010 8f66ae25 win32k!NtGdiUnmapMemFont
8f712014 8f68a84c win32k!NtGdiUnloadPrinterDriver
8f712018 8f4561d7 win32k!NtGdiTransparentBlt
8f71201c 8f4ef8d6 win32k!NtGdiTransformPoints
8f712020 8f66ba58 win32k!NtGdiSwapBuffers
8f712024 8f668a89 win32k!NtGdiStrokePath
8f712028 8f668ba9 win32k!NtGdiStrokeAndFillPath
8f71202c 8f504c5d win32k!NtGdiStretchDIBitsInternal
8f712030 8f4bfb5b win32k!NtGdiStretchBlt
8f712034 8f431ee6 win32k!NtGdiStartPage
...
...
...
```
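As an added example (not code from the original post), the following Python script applies the structure layout described above: it maps the `dd nt!KeServiceDescriptorTableShadow` dump onto the four KSERVICE_TABLE_DESCRIPTOR members and then performs the defender's basic integrity check on a `dds` listing, flagging any SSDT slot that does not point inside ntoskrnl (using the nt range from the `lm` output). All sample input is constructed inline; the one out-of-module slot is hypothetical and does not appear on the page.

```python
from dataclasses import dataclass

# Constructed sample input: the "dd nt!KeServiceDescriptorTableShadow" rows (address, then 4 DWORDs).
SHADOW_DUMP = """\
810173c0 80efb4d0 00000000 000001ad 80efbb88
810173d0 8f712000 00000000 000003d8 8f713340
810173e0 80ee1ea3 00026161 00001388 00000000
810173f0 00200000 00000040 a0ef3fff 00000009
"""

# Constructed sample input: three real "dds" lines from the SSDT listing plus one hypothetical slot
# (not from the page) whose target lies outside nt, which is what a hooked entry looks like.
SSDT_DDS = """\
80efb4d0 80ed5901 nt!NtWorkerFactoryWorkerReady
80efb4d4 80e741e2 nt!NtYieldExecution
80efb4d8 81126540 nt!NtWriteVirtualMemory
80efb4dc 9a001000
"""

# Start/end of nt taken from the "lm" output (80e03000 81391000).
NT_RANGE = (0x80E03000, 0x81391000)

@dataclass
class KSystemServiceTable:            # mirrors _KSYSTEM_SERVICE_TABLE
    service_table_base: int
    service_counter_table_base: int
    number_of_service: int
    param_table_base: int

    def size_bytes(self) -> int:      # NumberOfService * 4 is the size of the address table
        return self.number_of_service * 4

def parse_descriptor(dump: str) -> dict:
    """Map 16 DWORDs of a dd dump onto the four KSERVICE_TABLE_DESCRIPTOR members."""
    words = [int(w, 16) for line in dump.splitlines() for w in line.split()[1:]]
    names = ("ntoskrnl", "win32k", "notUsed1", "notUsed2")
    return {n: KSystemServiceTable(*words[4 * i:4 * i + 4]) for i, n in enumerate(names)}

def out_of_module_entries(dds: str, module_range) -> list:
    """Return (slot, target, symbol) for dds entries whose target is outside module_range."""
    lo, hi = module_range
    bad = []
    for line in dds.splitlines():
        parts = line.split(None, 2)   # dds prints no symbol when the target is unresolved
        slot, target = int(parts[0], 16), int(parts[1], 16)
        symbol = parts[2] if len(parts) > 2 else ""
        if not lo <= target < hi:
            bad.append((slot, target, symbol))
    return bad
```

On a live system the same check is run on the full `dds` output of both tables, with the win32k range from `lm` used for the Shadow SSDT.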
Note: the command to force-load the PDB of a particular module is:
```
.reload /i XXXX.exe
```