网站说建设中/厦门网站推广公司哪家好
win32位的SSDT表是导出的,根本不用找.但x64的就不导出了
win7 x64下:
要得到SSDT的地址,首先找到KiSystemCall64的地址,在它的下面就有SSDT的线索
找的KiSystemCall64只需要读出MSR(特别模块寄存器)c0000082的值,便是KiSystemCall64的地址:
以下使用Windbg调试:
3: kd> rdmsr c0000082
msr[c0000082] = fffff800`03ed9640
3: kd> u fffff800`03ed9640
nt!KiSystemCall64:
fffff800`03ed9640 0f01f8 swapgs
fffff800`03ed9643 654889242510000000 mov qword ptr gs:[10h],rsp
fffff800`03ed964c 65488b2425a8010000 mov rsp,qword ptr gs:[1A8h]
fffff800`03ed9655 6a2b push 2Bh
fffff800`03ed9657 65ff342510000000 push qword ptr gs:[10h]
fffff800`03ed965f 4153 push r11
fffff800`03ed9661 6a33 push 33h
fffff800`03ed9663 51 push rcx看一下KiSystemCall64的下面
3: kd> uf nt!KiSystemCall64
Flow analysis was incomplete, some code may be missing
nt!KiSystemCall64:
fffff800`03ed9640 0f01f8 swapgs
fffff800`03ed9643 654889242510000000 mov qword ptr gs:[10h],rsp
fffff800`03ed964c 65488b2425a8010000 mov rsp,qword ptr gs:[1A8h]
fffff800`03ed9655 6a2b push 2Bh
fffff800`03ed9657 65ff342510000000 push qword ptr gs:[10h]
fffff800`03ed965f 4153 push r11
fffff800`03ed9661 6a33 push 33h
fffff800`03ed9663 51 push rcx
fffff800`03ed9664 498bca mov rcx,r10
fffff800`03ed9667 4883ec08 sub rsp,8
fffff800`03ed966b 55 push rbp
fffff800`03ed966c 4881ec58010000 sub rsp,158h
fffff800`03ed9673 488dac2480000000 lea rbp,[rsp+80h]
fffff800`03ed967b 48899dc0000000 mov qword ptr [rbp+0C0h],rbx
fffff800`03ed9682 4889bdc8000000 mov qword ptr [rbp+0C8h],rdi
fffff800`03ed9689 4889b5d0000000 mov qword ptr [rbp+0D0h],rsi
fffff800`03ed9690 c645ab02 mov byte ptr [rbp-55h],2
fffff800`03ed9694 65488b1c2588010000 mov rbx,qword ptr gs:[188h]
fffff800`03ed969d 0f0d8bd8010000 prefetchw [rbx+1D8h]
fffff800`03ed96a4 0fae5dac stmxcsr dword ptr [rbp-54h]
fffff800`03ed96a8 650fae142580010000 ldmxcsr dword ptr gs:[180h]
fffff800`03ed96b1 807b0300 cmp byte ptr [rbx+3],0
fffff800`03ed96b5 66c785800000000000 mov word ptr [rbp+80h],0
fffff800`03ed96be 0f848c000000 je nt!KiSystemCall64+0x110 (fffff800`03ed9750) Branchnt!KiSystemCall64+0x84:
fffff800`03ed96c4 488945b0 mov qword ptr [rbp-50h],rax
fffff800`03ed96c8 48894db8 mov qword ptr [rbp-48h],rcx
fffff800`03ed96cc 488955c0 mov qword ptr [rbp-40h],rdx
fffff800`03ed96d0 f6430303 test byte ptr [rbx+3],3
fffff800`03ed96d4 4c8945c8 mov qword ptr [rbp-38h],r8
fffff800`03ed96d8 4c894dd0 mov qword ptr [rbp-30h],r9
fffff800`03ed96dc 7405 je nt!KiSystemCall64+0xa3 (fffff800`03ed96e3) Branchnt!KiSystemCall64+0x9e:
fffff800`03ed96de e80d140000 call nt!KiSaveDebugRegisterState (fffff800`03edaaf0)nt!KiSystemCall64+0xa3:
fffff800`03ed96e3 f6430380 test byte ptr [rbx+3],80h
fffff800`03ed96e7 7442 je nt!KiSystemCall64+0xeb (fffff800`03ed972b) Branchnt!KiSystemCall64+0xa9:
fffff800`03ed96e9 b9020100c0 mov ecx,0C0000102h
fffff800`03ed96ee 0f32 rdmsr
fffff800`03ed96f0 48c1e220 shl rdx,20h
fffff800`03ed96f4 480bc2 or rax,rdx
fffff800`03ed96f7 483983b8000000 cmp qword ptr [rbx+0B8h],rax
fffff800`03ed96fe 742b je nt!KiSystemCall64+0xeb (fffff800`03ed972b) Branchnt!KiSystemCall64+0xc0:
fffff800`03ed9700 483983b0010000 cmp qword ptr [rbx+1B0h],rax
fffff800`03ed9707 7422 je nt!KiSystemCall64+0xeb (fffff800`03ed972b) Branchnt!KiSystemCall64+0xc9:
fffff800`03ed9709 488b93b8010000 mov rdx,qword ptr [rbx+1B8h]
fffff800`03ed9710 0fba6b4c0b bts dword ptr [rbx+4Ch],0Bh
fffff800`03ed9715 66ff8bc4010000 dec word ptr [rbx+1C4h]
fffff800`03ed971c 48898280000000 mov qword ptr [rdx+80h],rax
fffff800`03ed9723 fb sti
fffff800`03ed9724 e8170b0000 call nt!KiUmsCallEntry (fffff800`03eda240)
fffff800`03ed9729 eb0f jmp nt!KiSystemCall64+0xfa (fffff800`03ed973a) Branchnt!KiSystemCall64+0xeb:
fffff800`03ed972b f6430340 test byte ptr [rbx+3],40h
fffff800`03ed972f 7409 je nt!KiSystemCall64+0xfa (fffff800`03ed973a) Branchnt!KiSystemCall64+0xf1:
fffff800`03ed9731 f00fbaab0001000008 lock bts dword ptr [rbx+100h],8nt!KiSystemCall64+0xfa:
fffff800`03ed973a 488b45b0 mov rax,qword ptr [rbp-50h]
fffff800`03ed973e 488b4db8 mov rcx,qword ptr [rbp-48h]
fffff800`03ed9742 488b55c0 mov rdx,qword ptr [rbp-40h]
fffff800`03ed9746 4c8b45c8 mov r8,qword ptr [rbp-38h]
fffff800`03ed974a 4c8b4dd0 mov r9,qword ptr [rbp-30h]
fffff800`03ed974e 6690 xchg ax,axnt!KiSystemCall64+0x110:
fffff800`03ed9750 fb sti
fffff800`03ed9751 48898be0010000 mov qword ptr [rbx+1E0h],rcx
fffff800`03ed9758 8983f8010000 mov dword ptr [rbx+1F8h],eax
fffff800`03ed975e 4889a3d8010000 mov qword ptr [rbx+1D8h],rsp
fffff800`03ed9765 8bf8 mov edi,eax
fffff800`03ed9767 c1ef07 shr edi,7
fffff800`03ed976a 83e720 and edi,20h
fffff800`03ed976d 25ff0f0000 and eax,0FFFhnt!KiSystemServiceRepeat:
fffff800`03ed9772 4c8d15c7202300 lea r10,[nt!KeServiceDescriptorTable (fffff800`0410b840)]
fffff800`03ed9779 4c8d1d00212300 lea r11,[nt!KeServiceDescriptorTableShadow (fffff800`0410b880)]
以下无用代码省略...可以看到,在fffff800`03ed9772处出现了[nt!KeServiceDescriptorTable] 也就是SSDT地址,前3个字节是汇编指令,后4个字节储存的就是SSDT的偏移地址,为0x002320c7(00是高位,c7是低位,所以逆过来),fffff800`03ed9772+002320c7+7便可以得到SSDT的地址([lea r10,XXXXXXXX]指令的长度是7个字节,所以还要加7),
所以从KiSystemCall64开始向下500个地址内搜索4c 8d 15就可以找到lea r10,[nt!KeServiceDescriptorTable (fffff800`0410b840)]这条指令
具体实现代码:
ULONGLONG GetSsdt()
{PUCHAR startaddr = (PUCHAR)__readmsr(0xC0000082);PUCHAR Endaddr = startaddr + 0x500;PUCHAR i = NULL;UCHAR b1, b2, b3;ULONG offset = 0;ULONGLONG addr = 0;for (i = startaddr; i < Endaddr; i++){b1 = *i;b2 = *(i + 1);b3 = *(i + 2);if (b1 == 0x4c && b2 == 0x8d && b3 == 0x15){memcpy(&offset, i + 3, 4);addr = (ULONGLONG)offset + (ULONGLONG)i + 7;return addr;}}return 0;
}
win10 x64可以参考:https://blog.csdn.net/qq_41655422/article/details/102531163