(Repost) Shadow SSDT service table function index

http://www.cnblogs.com/gaozili/archive/2011/11/02/2233450.html

kd> dd nt!KeServiceDescriptorTableShadow L8
8055a6c0 804e36a8 00000000 0000011c 80513eb8
8055a6d0 bf997600 00000000 0000029b bf998310

bf997600 is the starting address of the KeServiceDescriptorTableShadow function table.


kd> dds bf997600 L0000029b
bf997600 bf934ffe win32k!NtGdiAbortDoc
bf997604 bf946a92 win32k!NtGdiAbortPath
bf997608 bf8bf295 win32k!NtGdiAddFontResourceW

bf997de4 bf84d0ed win32k!NtUserSetCapture
bf997de8 bf8fd95b win32k!NtUserSetClassLong
bf997dec bf911a9e win32k!NtUserSetClassWord
bf997df0 bf8cd389 win32k!NtUserSetClipboardData
bf997df4 bf908b12 win32k!NtUserSetClipboardViewer
bf997df8 bf8da65e win32k!NtUserSetConsoleReserveKeys
bf997dfc bf81c4af win32k!NtUserSetCursor
bf997e00 bf9120a0 win32k!NtUserSetCursorContents

The index of NtUserSetClipboardData is (bf997df0 - bf997600) = 7f0
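
An added example (not from the original post) that parses the debugger output above and derives each function's position in the table. It assumes the 32-bit layout shown, where each entry is a 4-byte pointer, so it reports the byte offset from the subtraction above, the zero-based entry number (offset / 4), and the x86 service number with the shadow-table selector bit 0x1000 set; the function names are hypothetical.

```python
import re

ENTRY_SIZE = 4  # assumption: 32-bit target, each table entry is a 4-byte pointer

# Debugger output copied from this page (the dds listing is the page's excerpt).
DD_OUTPUT = """\
8055a6c0 804e36a8 00000000 0000011c 80513eb8
8055a6d0 bf997600 00000000 0000029b bf998310
"""
DDS_OUTPUT = """\
bf997600 bf934ffe win32k!NtGdiAbortDoc
bf997604 bf946a92 win32k!NtGdiAbortPath
bf997608 bf8bf295 win32k!NtGdiAddFontResourceW
bf997de4 bf84d0ed win32k!NtUserSetCapture
bf997de8 bf8fd95b win32k!NtUserSetClassLong
bf997dec bf911a9e win32k!NtUserSetClassWord
bf997df0 bf8cd389 win32k!NtUserSetClipboardData
bf997df4 bf908b12 win32k!NtUserSetClipboardViewer
bf997df8 bf8da65e win32k!NtUserSetConsoleReserveKeys
bf997dfc bf81c4af win32k!NtUserSetCursor
bf997e00 bf9120a0 win32k!NtUserSetCursorContents
"""

def parse_shadow_descriptor(dd_text):
    """Return (table_base, entry_count) from the second row of the dd dump."""
    rows = [line.split() for line in dd_text.splitlines() if line.strip()]
    _addr, base, _counter, limit, _args = (int(x, 16) for x in rows[1])
    return base, limit

def index_entries(dds_text, base, limit):
    """Map symbol -> (byte_offset, entry_index, service_number)."""
    result = {}
    pattern = r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)$"
    for m in re.finditer(pattern, dds_text, re.M):
        slot = int(m.group(1), 16)
        offset = slot - base
        index, rem = divmod(offset, ENTRY_SIZE)
        if rem or not 0 <= index < limit:
            raise ValueError(f"slot {slot:08x} is not inside the table")
        # Bit 12 of an x86 service number selects the second (win32k) table.
        result[m.group(3)] = (offset, index, 0x1000 + index)
    return result

if __name__ == "__main__":
    base, limit = parse_shadow_descriptor(DD_OUTPUT)
    for name, (off, idx, num) in index_entries(DDS_OUTPUT, base, limit).items():
        print(f"{name:40s} offset={off:#x} index={idx:#x} service={num:#x}")
```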

posted @ 2012-12-21 15:02  himessage