WinDbg x86下查看SSDT SSSDT
<ul class="text" style="margin:0px; padding:0px; list-style:none; font-size:14px; word-wrap:break-word; color:rgb(63,62,60); font-family:'Hiragino Sans GB',微软雅黑,黑体,Arial,sans-serif">前提:设置好操作系统的符号表
SSDT表的查看:
kd> x nt!kes*des*table*
80553fe0 nt!KeServiceDescriptorTableShadow =
80554020 nt!KeServiceDescriptorTable =
kd> dd 80554020
80554020 80502b9c 00000000 0000011c 80503010
80554030 00000000 00000000 00000000 00000000
80554040 00000000 00000000 00000000 00000000
80554050 00000000 00000000 00000000 00000000
80554060 00002710 bf80c0a9 00000000 00000000
80554070 f7a58a80 f71feb60 82ec3a90 806e2f40
80554080 00000000 00000000 4422b408 00000000
80554090 08174448 01cd7c5e 00000000 00000000
kd> dds 80502b9c L11c
80502b9c 8059a9f4 nt!NtAcceptConnectPort
80502ba0 805e7e6e nt!NtAccessCheck
80502ba4 805eb6b4 nt!NtAccessCheckAndAuditAlarm
SSSDT的查看
SSSDT在没有GDI的进程中是无法加载显示的 所以要附加到一个GDI进程
shadowSSDT查看
1. 在虚拟机中运行mspaint.exe(GDI进程)
2. !process 0 0
3. .process /p mspaint的eprocess
4.
kd > x nt!*kes*des*table*
80553fe0 nt!KeServiceDescriptorTableShadow =
80554020 nt!KeServiceDescriptorTable =
kd > dd 80553fe0
80553fe0 80502b9c 00000000 0000011c 80503010
80553ff0 bf99a100 00000000 0000029b bf99ae10
80554000 00000000 00000000 00000000 00000000
80554010 00000000 00000000 00000000 00000000
kd > dds bf99a100 L29b
bf99a100 bf93637f win32k!NtGdiAbortDoc
页:
[1]