Windows Driver Development Study Notes: WinDbg Script to Print the Shadow SSDT
2021/11/26 7:11:43
1. Scripts
- x86 environment
aS ufLinkS "<u><col fg=\\\"emphfg\\\"><link name=\\\"%p\\\" cmd=\\\"uf 0x%p\\\">";
aS ufLinkE "</link></col></u>";

$$ x86: each service descriptor is 4 DWORDs (0x10 bytes), so win32k's descriptor is the second one at +0x10
r $t1 = nt!KeServiceDescriptorTableShadow;
r $t2 = @$t1 + 0x04*4;
$$ NumberOfServices is the third field (+0x8), ServiceTableBase the first
r $t3 = poi(@$t2 + 0x8);
r $t2 = poi(@$t2);

.printf "\n\nKeServiceDescriptorTableShadow->W32pServiceTable: %p\nKeServiceDescriptorTableShadow->Count: %d\n", @$t2, @$t3;
.printf "\nOrd Address fnAddr Symbols\n";
.printf "--------------------------------\n\n";

$$ on x86 every table entry is the absolute function address
.for (r $t0 = 0; @$t0 != @$t3; r $t0 = @$t0 + 1)
{
    r @$t4 = (poi(@$t2 + @$t0 * 4));

    .printf /D "[%3d] ${ufLinkS}%p${ufLinkE} (%y)\n", @$t0, @$t4, @$t4, @$t4, @$t4;
}

.printf "\n- end -\n";
- x64 environment
aS ufLinkS "<u><col fg=\\\"emphfg\\\"><link name=\\\"%p\\\" cmd=\\\"uf 0x%p\\\">";
aS ufLinkE "</link></col></u>";

$$ x64: each service descriptor is 4 QWORDs (0x20 bytes), so win32k's descriptor is the second one at +0x20
r $t1 = nt!KeServiceDescriptorTableShadow;
r $t2 = @$t1 + 0x08*4;
$$ NumberOfServices is the third field (+0x10), ServiceTableBase the first
r $t3 = poi(@$t2 + 0x10);
r $t2 = poi(@$t2);

.printf "\n\nKeServiceDescriptorTableShadow->W32pServiceTable: %p\nKeServiceDescriptorTableShadow->Count: %d\n", @$t2, @$t3;
.printf "\nOrd Address Symbols\n";
.printf "--------------------------------\n\n";

$$ on x64 every entry is a 32-bit value: a signed offset from the table base shifted left by 4, low 4 bits hold the argument count
.for (r $t0 = 0; @$t0 != @$t3; r $t0 = @$t0 + 1)
{
    r @$t4 = (poi(@$t2 + @$t0 * 4)) & 0x00000000`FFFFFFFF;
    $$.printf "2. %p\n", @$t4;

    .if ( @$t4 & 0x80000000 )
    {
        $$ negative offset: sign-extend after the shift, then subtract the magnitude from the base
        r @$t4 = (@$t4 >> 4) | 0xFFFFFFFF`F0000000;
        r @$t4 = 0 - @$t4;
        r @$t4 = @$t2 - @$t4;
    }
    .else
    {
        $$ positive offset: shift and add to the base
        r @$t4 = (@$t4 >> 4);
        r @$t4 = (@$t2 + @$t4);
    }

    .printf /D /os "[%3d] ${ufLinkS}%p${ufLinkE} (%y)\n", @$t0, @$t4, @$t4, @$t4, @$t4;
}

.printf "\n- end -\n";
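The descriptor layout and x64 entry decoding used by the two scripts, reimplemented in Python as an added example (not part of the original post) so the arithmetic can be checked offline. The table base, the three entries and the shadow descriptor blob are constructed sample data, not a real kernel dump, and the range check in entries_outside is a hypothetical addition for reviewing a dump.

```python
import struct

# x64 KSERVICE_TABLE_DESCRIPTOR: Base, Count, Limit (NumberOfServices), Number (param table)
DESCRIPTOR = struct.Struct("<QQQQ")
MASK64 = (1 << 64) - 1

def decode_x64_entry(table_base, raw):
    """Decode one 32-bit entry: bits 31..4 are a signed offset from the table base,
    bits 3..0 the argument count. Same two branches as the script's .if/.else."""
    raw &= 0xFFFFFFFF
    if raw & 0x80000000:
        # negative: logical shift, OR in the high bits ("| 0xFFFFFFFF`F0000000"),
        # then read the 64-bit pattern as signed
        off = ((raw >> 4) | 0xFFFFFFFFF0000000) - (1 << 64)
    else:
        off = raw >> 4
    return (table_base + off) & MASK64, raw & 0xF

def win32k_descriptor(shadow_blob):
    """Second descriptor of KeServiceDescriptorTableShadow (offset 0x20 == 0x08*4,
    count at +0x10 inside it): returns (ServiceTableBase, NumberOfServices)."""
    base, _counter, count, _params = DESCRIPTOR.unpack_from(shadow_blob, DESCRIPTOR.size)
    return base, count

def dump_shadow_ssdt(shadow_blob, table_bytes):
    """Walk W32pServiceTable like the script's .for loop; returns [(ordinal, fn, argc)]."""
    base, count = win32k_descriptor(shadow_blob)
    rows = []
    for ordinal in range(count):
        raw = struct.unpack_from("<I", table_bytes, ordinal * 4)[0]
        fn, argc = decode_x64_entry(base, raw)
        rows.append((ordinal, fn, argc))
    return rows

def entries_outside(rows, lo, hi):
    """Ordinals whose target lies outside [lo, hi); compare against the loaded win32k
    image range when reviewing a real dump (a hypothetical check, not in the script)."""
    return [o for o, fn, _ in rows if not lo <= fn < hi]

# Constructed sample (not real kernel data): a 3-entry table at a made-up base address
TABLE_BASE = 0xFFFFF960001A0000
def encode(offset, argc):  # inverse of decode_x64_entry, used only to build the sample
    return ((offset << 4) & 0xFFFFFFFF) | (argc & 0xF)
SAMPLE_TABLE = struct.pack("<3I", encode(0x1234, 0), encode(-0x2000, 4), encode(0x7FFFFF, 2))
SAMPLE_SHADOW = (DESCRIPTOR.pack(0, 0, 0, 0)               # descriptor 0: nt (unused here)
                 + DESCRIPTOR.pack(TABLE_BASE, 0, 3, 0))   # descriptor 1: win32k, 3 services

if __name__ == "__main__":
    for ordinal, fn, argc in dump_shadow_ssdt(SAMPLE_SHADOW, SAMPLE_TABLE):
        print(f"[{ordinal:3d}] {fn:016x} argc={argc}")
```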
2. Usage
Because the W32pServiceTable data of the Shadow SSDT is not accessible from the System process context, you first have to switch to a process that can access it; I chose the desktop process explorer.exe here.
First run !process 0 0 explorer.exe to find the EPROCESS address of the desktop process.
4: kd> !process 0 0 explorer.exe
PROCESS 893e5bc0  SessionId: 1  Cid: 03b0    Peb: 7ffd6000  ParentCid: 0080
    DirBase: be4bb6c0  ObjectTable: 9b2dbac8  HandleCount: 572.
    Image: explorer.exe
Then switch the implicit process to it with .process 893e5bc0
4: kd> .process 893e5bc0
ReadVirtual: 893e5bd8 not properly sign extended
Implicit process is now 893e5bc0
WARNING: .cache forcedecodeuser is not enabled
Reload the symbols for win32k.sys:
4: kd> .reload win32k.sys
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
Then run the script, appending the script path after "$><":
4: kd> $><E:\驱动代码\x86SSDTShadow.txt
3. Test results
- x86 (Win7 x86)
- x64 (Win10 x64)