//VS2005創(chuàng)建的工程，系統(tǒng)xp?sp2??

??

//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++??

??

//stdafx.h文件??

#ifndef?_WIN32_WINNT????????//?Allow?use?of?features?specific?to?Windows?XP?or?later.?????????????????????

#define?_WIN32_WINNT?0x0501?//?Change?this?to?the?appropriate?value?to?target?other?versions?of?Windows.??

#endif????????????????????????

??

#ifdef?__cplusplus??

extern?"C"???

{??

??

#endif??

??

#include?<ntddk.h>??

#include?<ntddstor.h>??

#include?<mountdev.h>??

#include?<ntddvol.h>??

??

//注意：全局變量要在這里定義??

??

//系統(tǒng)服務(wù)描述符表-在ntoskrnl.exe中導出KeServiceDescriptorTable這個表??

#pragma?pack(1)??

typedef?struct?_ServiceDescriptorTable??

{??

????//System?Service?Dispatch?Table的基地址??

????PVOID?ServiceTableBase;????????

????//SSDT中每個服務(wù)被調(diào)用次數(shù)的計數(shù)器。這個計數(shù)器一般由sysenter?更新。??

????PVOID?ServiceCounterTable;???

????//由?ServiceTableBase?描述的服務(wù)的數(shù)目。??

????unsigned?int?NumberOfServices;????

????//每個系統(tǒng)服務(wù)參數(shù)字節(jié)數(shù)表的基地址-系統(tǒng)服務(wù)參數(shù)表SSPT???

????PVOID?ParamTableBase;???

}*PServiceDescriptorTable;????

#pragma?pack()??

??

//導出系統(tǒng)服務(wù)描述符表SSDT的指針??

extern??PServiceDescriptorTable??KeServiceDescriptorTable;???

??

#ifdef?__cplusplus??

}??

#endif??

??

//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++??

??

//ReadSsdtForFuntion.cpp文件??

#include?"stdafx.h"??

??

//由SSDT索引號獲取當前函數(shù)地址,如：????

//NtOpenProcess??[[KeServiceDescriptorTable]+0x7A*4]????

??

void?ReadSsdtForFuntionUnload(IN?PDRIVER_OBJECT?DriverObject);??

NTSTATUS?ReadSsdtForFuntionCreateClose(IN?PDEVICE_OBJECT?DeviceObject,?IN?PIRP?Irp);??

NTSTATUS?ReadSsdtForFuntionDefaultHandler(IN?PDEVICE_OBJECT?DeviceObject,?IN?PIRP?Irp);??

??

//1.純匯編讀取內(nèi)核函數(shù)的地址??

LONG?GetFunctionAddr_ASM(PServiceDescriptorTable?KeServiceDescriptorTable,?LONG?lgSsdtIndex);??

??

//2.用指針讀取內(nèi)核函數(shù)的地址??

LONG?GetFunticonAddr(PServiceDescriptorTable?KeServiceDescriptorTable,?LONG?lgSsdtIndex);??

??

??

#ifdef?__cplusplus??

extern?"C"?NTSTATUS?DriverEntry(IN?PDRIVER_OBJECT?DriverObject,?IN?PUNICODE_STRING??RegistryPath);??

#endif??

??

NTSTATUS?DriverEntry(IN?PDRIVER_OBJECT?DriverObject,?IN?PUNICODE_STRING??RegistryPath)??

{??

????UNICODE_STRING?DeviceName,Win32Device;??

????PDEVICE_OBJECT?DeviceObject?=?NULL;??

????NTSTATUS?status;??

????unsigned?i;??

??

????//SSDT表的范圍??

????LONG?lgSsdtNumber?=?-1;??

??

????RtlInitUnicodeString(&DeviceName,L"\\Device\\ReadSsdtForFuntion0");??

????RtlInitUnicodeString(&Win32Device,L"\\DosDevices\\ReadSsdtForFuntion0");??

??

????//設(shè)置默認處理例程??

????for?(i?=?0;?i?<=?IRP_MJ_MAXIMUM_FUNCTION;?i++)??

????????DriverObject->MajorFunction[i]?=?ReadSsdtForFuntionDefaultHandler;??

??

????//設(shè)置創(chuàng)建例程??

????DriverObject->MajorFunction[IRP_MJ_CREATE]?=?ReadSsdtForFuntionCreateClose;??

????//設(shè)置關(guān)閉例程??

????DriverObject->MajorFunction[IRP_MJ_CLOSE]?=?ReadSsdtForFuntionCreateClose;??

??????

????//設(shè)置卸載例程??

????DriverObject->DriverUnload?=?ReadSsdtForFuntionUnload;??

??

????//創(chuàng)建設(shè)備對象??

????status?=?IoCreateDevice(DriverObject,??

????????????????????????????0,??

????????????????????????????&DeviceName,??

????????????????????????????FILE_DEVICE_UNKNOWN,??

????????????????????????????0,??

????????????????????????????FALSE,??

????????????????????????????&DeviceObject);??

????if?(!NT_SUCCESS(status))??

????????return?status;??

????if?(!DeviceObject)??

????????return?STATUS_UNEXPECTED_IO_ERROR;??

??

????DeviceObject->Flags?|=?DO_DIRECT_IO;??

????DeviceObject->AlignmentRequirement?=?FILE_WORD_ALIGNMENT;??

??

????//創(chuàng)建符號連接??

????status?=?IoCreateSymbolicLink(&Win32Device,?&DeviceName);??

????if?(!NT_SUCCESS(status))??

????????return?status;??

??

????//初始化完成，可以工作了??

????DeviceObject->Flags?&=?~DO_DEVICE_INITIALIZING;??

??

????//設(shè)置測試斷點??

????__asm?int?3??

??

????//獲取SSDT表的范圍??

????lgSsdtNumber?=?KeServiceDescriptorTable->NumberOfServices;??

??

????//使用方法1.遍歷SSDT??

????KdPrint(("使用方法1.遍歷SSDT\r\n"));??

????for?(i?=?0;?i?<?lgSsdtNumber;?i++)??

????{??

????????KdPrint(("Index:%04X--FunAddr:%08X\r\n",?i,?GetFunctionAddr_ASM(KeServiceDescriptorTable,?i)));??

????}??

??

????//使用方法2.遍歷SSDT??

????KdPrint(("使用方法2.遍歷SSDT\r\n"));??

????for?(i?=?0;?i?<?lgSsdtNumber;?i++)??

????{??

????????KdPrint(("Index:%04X--FunAddr:%08X\r\n",?i,?GetFunticonAddr(KeServiceDescriptorTable,?i)));??

????}??

??

????return?STATUS_SUCCESS;??

}??

??

??

//1.使用匯編的方法讀取內(nèi)核函數(shù)的地址??

LONG?GetFunctionAddr_ASM(PServiceDescriptorTable?KeServiceDescriptorTable,?LONG?lgSsdtIndex)??

{??

????LONG?lgSsdtFunAddr?=?0;??

??

????//lgSsdtFunAddr?=?[[KeServiceDescriptorTable]+lgSsdtIndex*4]??

????__asm??

????{??????

????????push?ebx??

????????push?eax??

????????mov?ebx,?KeServiceDescriptorTable??

????????mov?ebx,?[ebx]??//SSDT表的基地址??

????????mov?eax,?lgSsdtIndex??

????????shl?eax,?2????????

????????add?ebx,?eax??????????

????????mov?ebx,?[ebx]??

????????mov?lgSsdtFunAddr,?ebx??

????????pop??eax??????

????????pop??ebx??

????}??

??

????return?lgSsdtFunAddr;??

}??

??

//2.使用指針的方法獲取函數(shù)的地址??

LONG?GetFunticonAddr(PServiceDescriptorTable?KeServiceDescriptorTable,?LONG?lgSsdtIndex)??

{??

????LONG?lgSsdtAddr?=?0;??

????//獲取SSDT表的基址??

????lgSsdtAddr?=?(LONG)KeServiceDescriptorTable->ServiceTableBase;??

??

????PLONG?plgSsdtFunAddr?=?0;???

????//獲取內(nèi)核函數(shù)的地址指針??

????plgSsdtFunAddr?=?(PLONG)(lgSsdtAddr+lgSsdtIndex*4);??

??

????//返回內(nèi)核函數(shù)的地址??

????return?(*plgSsdtFunAddr);?????

}??

??

??

void?ReadSsdtForFuntionUnload(IN?PDRIVER_OBJECT?DriverObject)??

{??

????UNICODE_STRING?Win32Device;??

????RtlInitUnicodeString(&Win32Device,L"\\DosDevices\\ReadSsdtForFuntion0");??

????IoDeleteSymbolicLink(&Win32Device);??

????IoDeleteDevice(DriverObject->DeviceObject);??

}??

??

NTSTATUS?ReadSsdtForFuntionCreateClose(IN?PDEVICE_OBJECT?DeviceObject,?IN?PIRP?Irp)??

{??

????Irp->IoStatus.Status?=?STATUS_SUCCESS;??

????Irp->IoStatus.Information?=?0;??

????IoCompleteRequest(Irp,?IO_NO_INCREMENT);??

????return?STATUS_SUCCESS;??

}??

??

NTSTATUS?ReadSsdtForFuntionDefaultHandler(IN?PDEVICE_OBJECT?DeviceObject,?IN?PIRP?Irp)??

{??

????Irp->IoStatus.Status?=?STATUS_NOT_SUPPORTED;??

????Irp->IoStatus.Information?=?0;??

????IoCompleteRequest(Irp,?IO_NO_INCREMENT);??

????return?Irp->IoStatus.Status;??

}??

??

//參考資料：??

//郁金香老師講課資料??

總結(jié)

以上是生活随笔為你收集整理的SSDT表的遍历（源码）的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。