高版本Windows下SSDT函数获取例子完整工程

#include "ssdt.hpp" std::uintptr_t keServiceDescriptorTable{}; NTSTATUS getKernelModuleByName(const char* moduleName, std::uintptr_t* moduleStart, std::size_t* moduleSize) { if (!moduleStart || !moduleSize) return STATUS_INVALID_PARAMETER; std::size_t size{}; ZwQuerySystemInformation(0xB, nullptr, size, reinterpret_cast<PULONG>(&size));/* 0xB SystemModuleInformation */ const auto listHeader = ExAllocatePool(NonPagedPool, size); if (!listHeader) return STATUS_MEMORY_NOT_ALLOCATED; if (const auto status = ZwQuerySystemInformation(0xB, listHeader, size, reinterpret_cast<PULONG>(&size))) return status; auto currentModule = reinterpret_cast<PSYSTEM_MODULE_INFORMATION>(listHeader)->Module; for (std::size_t i{}; i < reinterpret_cast<PSYSTEM_MODULE_INFORMATION>(listHeader)->Count; ++i, ++currentModule) { const auto currentModuleName = reinterpret_cast<const char*>(currentModule->FullPathName + currentModule->OffsetToFileName); if (!strcmp(moduleName, currentModuleName)) { *moduleStart = reinterpret_cast<std::uintptr_t>(currentModule->ImageBase); *moduleSize = currentModule->ImageSize; return STATUS_SUCCESS; } } return STATUS_NOT_FOUND; } std::uintptr_t getImageSectionByName(const std::uintptr_t imageBase, const char* sectionName, std::size_t* sizeOut) { if (reinterpret_cast<PIMAGE_DOS_HEADER>(imageBase)->e_magic != 0x5A4D) return {}; const auto ntHeader = reinterpret_cast<PIMAGE_NT_HEADERS64>( imageBase + reinterpret_cast<PIMAGE_DOS_HEADER>(imageBase)->e_lfanew); const auto sectionCount = ntHeader->FileHeader.NumberOfSections; auto sectionHeader = IMAGE_FIRST_SECTION(ntHeader); for (std::size_t i{}; i < sectionCount; ++i, ++sectionHeader) { if (!strcmp(sectionName, reinterpret_cast<const char*>(sectionHeader->Name))) { if (sizeOut) *sizeOut = sectionHeader->Misc.VirtualSize; return imageBase + sectionHeader->VirtualAddress; } } return {}; } std::uintptr_t scanPattern(std::uint8_t* base, const std::size_t size, char* pattern, char* mask) { const auto patternSize = strlen(mask); for (std::size_t i = {}; i < size - patternSize; i++) { for (std::size_t j = {}; j < patternSize; j++) { if (mask[j] != '?' && *reinterpret_cast<std::uint8_t*>(base + i + j) != static_cast<std::uint8_t>(pattern[j])) break; if (j == patternSize - 1) return reinterpret_cast<std::uintptr_t>(base) + i; } } return {}; } std::uintptr_t getServiceDescriptorTable() { std::uintptr_t ntoskrnlBase {}; std::size_t ntoskrnlSize {}; if (!NT_SUCCESS(getKernelModuleByName("ntoskrnl.exe", &ntoskrnlBase, &ntoskrnlSize))) return {}; std::size_t ntoskrnlTextSize {}; const auto ntoskrnlText = getImageSectionByName(ntoskrnlBase, ".text", &ntoskrnlTextSize); if(!ntoskrnlText) return {}; auto keServiceDescriptorTableShadow = scanPattern(reinterpret_cast<std::uint8_t*>(ntoskrnlText), ntoskrnlTextSize, "\xC1\xEF\x07\x83\xE7\x20\x25\xFF\x0F", "xxxxxxxxx"); if (!keServiceDescriptorTableShadow) return {}; keServiceDescriptorTableShadow += 21; keServiceDescriptorTableShadow += *reinterpret_cast<std::int32_t*>(keServiceDescriptorTableShadow) + sizeof(std::int32_t); return keServiceDescriptorTableShadow; } std::uintptr_t GetSystemServiceDescriptorTableFunction(std::int32_t Index) { if (keServiceDescriptorTable == NULL) keServiceDescriptorTable = getServiceDescriptorTable(); const auto serviceTable = *reinterpret_cast<std::int32_t**>(keServiceDescriptorTable); return reinterpret_cast<std::uintptr_t>(serviceTable) + (serviceTable[Index & 0xFFF] >> 4); } void Unload(PDRIVER_OBJECT driverObject) { UNREFERENCED_PARAMETER(driverObject); DPRINT("Unload!\n"); } EXTERN_C NTSTATUS DriverEntry(const PDRIVER_OBJECT driverObject, const PUNICODE_STRING registryPath) { UNREFERENCED_PARAMETER(driverObject); UNREFERENCED_PARAMETER(registryPath); DPRINT("NtReadFile:%p Index:6\n", GetSystemServiceDescriptorTableFunction(6)); DbgBreakPoint();//正常运行这里要删掉。 driverObject->DriverUnload = Unload; return STATUS_SUCCESS; }