一、脚本
-
X86环境
aS ufLinkS "<u><col fg=\\\"emphfg\\\"><link name=\\\"%p\\\" cmd=\\\"uf 0x%p\\\">";
aS ufLinkE "</link></col></u>";
r $t1 = nt!KeServiceDescriptorTableShadow;
r $t2 = @$t1 + 0x04*4;
r $t3 = poi(@$t2 + 0x8);
r $t2 = poi(@$t2);
.printf "\n\nKeServiceDescriptorTableShadow->W32pServiceTable: %p\nKeServiceDescriptorTableShadow->Count: %d\n", @$t2, @$t3;
.printf "\nOrd Address fnAddr Symbols\n";
.printf "--------------------------------\n\n";
.for (r $t0 = 0; @$t0 != @$t3; r $t0 = @$t0 + 1)
{
r @$t4 = (poi(@$t2 + @$t0 * 4))
.printf /D "[%3d] ${ufLinkS}%p${ufLinkE} (%y)\n", @$t0, @$t4, @$t4, @$t4, @$t4;
}
.printf "\n- end -\n";
x64环境
aS ufLinkS "<u><col fg=\\\"emphfg\\\"><link name=\\\"%p\\\" cmd=\\\"uf 0x%p\\\">";
aS ufLinkE "</link></col></u>";
r $t1 = nt!KeServiceDescriptorTableShadow;
r $t2 = @$t1 + 0x08*4;
r $t3 = poi(@$t2 + 0x10);
r $t2 = poi(@$t2);
.printf "\n\nKeServiceDescriptorTableShadow->W32pServiceTable: %p\nKeServiceDescriptorTableShadow->Count: %d\n", @$t2, @$t3;
.printf "\nOrd Address Symbols\n";
.printf "--------------------------------\n\n";
.for (r $t0 = 0; @$t0 != @$t3; r $t0 = @$t0 + 1)
{
r @$t4 = (poi(@$t2 + @$t0 * 4)) & 0x00000000`FFFFFFFF;
$$.printf "2. %p\n", @$t4;
.if ( @$t4 & 0x80000000 )
{
r @$t4 = (@$t4 >> 4) | 0xFFFFFFFF`F0000000;
r @$t4 = 0 - @$t4;
r @$t4 = @$t2 - @$t4;
}
.else
{
r @$t4 = (@$t4 >> 4);
r @$t4 = (@$t2 + @$t4);
}
.printf /D /os "[%3d] ${ufLinkS}%p${ufLinkE} (%y)\n", @$t0, @$t4, @$t4, @$t4, @$t4;
}
.printf "\n- end -\n";
二、使用方法
因为Shadow SSDT 的W32pServiceTable表数据在系统进程是不可访问的,所以要先附加到可以访问该数据的进程,我这里选的是桌面进程explorer.exe。
先执行 !process 0 0 explorer.exe,查找桌面进程的EPROCESS地址。
0: kd> !process 0 0 explorer.exe
Failed to get VadRoot
PROCESS 8a373b88 SessionId: 0 Cid: 05f8 Peb: 7ffd8000 ParentCid: 05d4
DirBase: 0aac01c0 ObjectTable: e196cab0 HandleCount: 367.
Image: explorer.exe
然后附加到该进程,.process 8a373b88
0: kd> .process 8a373b88 ReadVirtual: 8a373ba0 not properly sign extended Implicit process is now 8a373b88 WARNING: .cache forcedecodeuser is not enabled
之后再执行脚本, "$><"后边加上脚本路径
0: kd> $><E:\驱动代码\x86SSDTShadow.txt
三、测试效果
-
x86(WinXP x86)
-
x64(Win10 x64)