买了本《ROOTKITS －Windows内核的安全防护》

看了前面几章，想亲手写几个HOOK　API做下实验，里面有个例子是HideProcessHookMdl

有部分代码如下：

#pragma pack(1)
typedef struct ServiceDescriptorEntry {
        unsigned int *ServiceTableBase;
        unsigned int *ServiceCounterTableBase; //Used only in checked build
        unsigned int NumberOfServices;
        unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

__declspec(dllimport)  ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
#define SYSTEMSERVICE(_function)  KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]

......
......
......

NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject,
    　　　　 IN PUNICODE_STRING theRegistryPath)
{
  // Register a dispatch function for Unload
  theDriverObject->DriverUnload  = OnUnload;

  // Initialize global times to zero
  // These variables will account for the
  // missing time our hidden processes are
  // using.
  m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;

  // save old system call locations
  OldZwQuerySystemInformation =(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));

  // Map the memory into our domain so we can change the permissions on the MDL
  g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
  if(!g_pmdlSystemCall)
      return STATUS_UNSUCCESSFUL;

  MmBuildMdlForNonPagedPool(g_pmdlSystemCall);

  // Change the flags of the MDL
  g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;

  MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);

  // hook system calls
  HOOK_SYSCALL( ZwQuerySystemInformation, NewZwQuerySystemInformation, OldZwQuerySystemInformation );
                              
  return STATUS_SUCCESS;
}

有几个疑问：
１.　__declspec(dllimport) 　ServiceDescriptorTableEntry_t KeServiceDescriptorTable;　为什么要以DLL导出变量形式，而我在PE段里面没有看到导出的变量
２.　当定义了KeServiceDescriptorTable　之后，它的初始化在哪里完成的？
　　是不是下面几句初始化的？

　　  g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
  if(!g_pmdlSystemCall)
      return STATUS_UNSUCCESSFUL;

  MmBuildMdlForNonPagedPool(g_pmdlSystemCall);

３.　MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);　这个函数的主要作用是什么？

小弟初学，想学精点，还望大哥们赐教

[培训]科锐逆向工程师培训第53期2025年7月8日开班！