// 获取当前NtOpenProcess的地址 ULONG GetCurr_Addr() { /* LONG *SSDT_Adr,SSDT_NtOpenProcess_Cur_Addr,t_addr; KdPrint(("驱动成功被加载中.............................\n")); //读取SSDT表中索引值为0x7A的函数 //poi(poi(KeServiceDescriptorTable)+0x7a*4) t_addr=(LONG)KeServiceDescriptorTable->ServiceTableBase; KdPrint(("当前ServiceTableBase地址为%x \n",t_addr)); SSDT_Adr=(PLONG)(t_addr+0x7A*4); KdPrint(("当前t_addr+0x7A*4=%x \n",SSDT_Adr)); SSDT_NtOpenProcess_Cur_Addr=*SSDT_Adr; KdPrint(("当前SSDT_NtOpenProcess_Cur_Addr地址为%x \n",SSDT_NtOpenProcess_Cur_Addr));*/ /* */ ULONG SSDT_NtOpenProcess_Cur_Addr; //读取SSDT表中 NtOpenProcess当前地址 KeServiceDescriptorTable // [[KeServiceDescriptorTable]+0x7A*4] __asm { push ebx push eax mov ebx, KeServiceDescriptorTable mov ebx, [ebx] mov eax, 0x7A shl eax, 2 //imul eax, 4 // shl eax, 2 add ebx, eax mov ebx,[ebx] mov SSDT_NtOpenProcess_Cur_Addr, ebx pop eax pop ebx } KdPrint(("SSDT_NtOpenProcess_Cur_Addr=%x\n\n",SSDT_NtOpenProcess_Cur_Addr)); return SSDT_NtOpenProcess_Cur_Addr; } // 获取原函数地址 ULONG GetOld_Addr() { UNICODE_STRING Old_NtOpenProcess; ULONG Old_Addr; RtlInitUnicodeString(&Old_NtOpenProcess,L"NtOpenProcess"); Old_Addr = (ULONG)MmGetSystemRoutineAddress(&Old_NtOpenProcess); KdPrint(("SSDT_NtOpenProcess_Old_Addr=%x\n\n", Old_Addr)); return Old_Addr; }
