基于本文,我使用以下代码获取影子表的地址,并且从 WinXP x86 到 Win8.1 x86(经过测试的操作系统)完美运行,仅在无法找到地址的 Win10 x86 上工作。
#include <ntddk.h>
#include "ntapi.h"
typedef NTPROC * PNTPROC;
typedef struct tag_SYSTEM_SERVICE_TABLE {
PNTPROC ServiceTable; // array of entry points to the calls
int CounterTable; // array of usage counters
ULONG ServiceLimit; // number of table entries
PCHAR ArgumentTable; // array of argument counts
} SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE, **PPSYSTEM_SERVICE_TABLE;
typedef struct tag_SERVICE_DESCRIPTOR_TABLE {
SYSTEM_SERVICE_TABLE ntoskrnl; // main native API table
SYSTEM_SERVICE_TABLE win32k; // win subsystem, in shadow table
SYSTEM_SERVICE_TABLE sst3;
SYSTEM_SERVICE_TABLE sst4;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE, **PPSERVICE_DESCRIPTOR_TABLE;
extern "C" NTOSAPI SYSTEM_SERVICE_TABLE KeServiceDescriptorTable;
extern "C" __declspec(dllimport) NTSTATUS NTAPI KeAddSystemServiceTable(ULONG, ULONG, ULONG, ULONG, ULONG);
PSERVICE_DESCRIPTOR_TABLE __stdcall GetServiceDescriptorShadowTableAddress() {
char * check = (char *)KeAddSystemServiceTable;
PSERVICE_DESCRIPTOR_TABLE rc = NULL; int i;
for (i = 0; i < 1024; i++) {
rc = *(PPSERVICE_DESCRIPTOR_TABLE)check;
if (!MmIsAddressValid(rc) || ((PVOID)rc == (PVOID)&KeServiceDescriptorTable)
|| (memcmp(rc, &KeServiceDescriptorTable, sizeof(SYSTEM_SERVICE_TABLE)))) {
check++; rc = NULL;
}
if (rc)
break;
}
return rc;
}
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject) {
DbgPrint("DriverUnload()!\n");
return;
}
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath) {
NTSTATUS NtStatus = STATUS_SUCCESS;
pDriverObject->DriverUnload = DriverUnload;
DbgPrint("DriverEntry()!\n");
PSERVICE_DESCRIPTOR_TABLE pShadow = GetServiceDescriptorShadowTableAddress();
if (pShadow) {
DbgPrint("SSDT Shadow address found!");
}
else
DbgPrint("Error: Can't get Win32k Address!\n");
return NtStatus;
}
有人可以帮忙吗?