{ Returns True when the 16 bytes at cs1 are identical to the first 16 bytes
  at the KeServiceDescriptorTable address resolved via GetImportFunAddr.
  Reads are raw kernel-memory dereferences; only the first byte's page is
  validated by the caller (FindShadowTable2), so a candidate near a page
  boundary is read without any check on the remaining bytes. Stops at the
  first mismatch. }
function IsShadowTable(cs1: ULONG): boolean;
var
  Base: ULONG;
  Offset: integer;
begin
  Base := ULONG(GetImportFunAddr(@KeServiceDescriptorTable));
  Result := True;
  Offset := 0;
  { Compare byte by byte; the loop ends as soon as Result drops to False. }
  while Result and (Offset <= 15) do
  begin
    if byte(pointer(cs1 + Offset)^) <> byte(pointer(Base + Offset)^) then
      Result := False;
    Inc(Offset);
  end;
end;
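{ First attempt (superseded by the version further down): walks the $1000
  bytes following the resolved KeAddSystemServiceTable address one byte at a
  time and returns the last address whose 16 bytes satisfy IsShadowTable.
  Each candidate address is passed through MmIsAddressValid before it is
  dereferenced. There is no break after a match, so every match is printed
  via DbgPrint and the last one wins. Returns nil when nothing matches.
  The unused locals pOpcode/pOpcode2 of the original were removed; cPtr2 is
  still resolved although its value is never read. }
function FindShadowTable2: Pointer;
var
  cPtr: ULONG;
  cPtr2: ULONG;
  I: ULONG;
begin
  Result := nil;
  cPtr := ULONG(GetImportFunAddr(@KeAddSystemServiceTable));
  cPtr2 := ULONG(GetImportFunAddr(@KeServiceDescriptorTable)); { resolved, never read }
  I := cPtr;
  while I < (cPtr + $1000) do
  begin
    { Nested ifs keep IsShadowTable from running on an unvalidated address
      regardless of the compiler's boolean-evaluation mode. }
    if MmIsAddressValid(Pointer(I)) then
    begin
      if IsShadowTable(I) then
      begin
        Result := Pointer(I);
        DbgPrint('%08x', Result);
      end;
    end;
    Inc(I);
  end;
end;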
自己解决了 (solved it myself — the revised FindShadowTable2 follows):
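{ Revised version: walks the $1000 bytes following the resolved
  KeAddSystemServiceTable address, looking for the hard-coded 2-byte word
  $888d. At the first hit it reads the 4-byte pointer stored at I+2, prints
  it and stops. Returns nil when the pattern is not found in the window.
  The pattern and the +2 displacement are tied to one specific kernel
  build; only the first byte of each candidate is checked with
  MmIsAddressValid, the 2-byte word and the 4-byte read at I+2 are not.
  The unused locals pOpcode/pOpcode2 of the original were removed. }
function FindShadowTable2: Pointer;
var
  cPtr: ULONG;
  cPtr2: ULONG;
  I: ULONG;
begin
  Result := nil;
  cPtr := ULONG(GetImportFunAddr(@KeAddSystemServiceTable));
  DbgPrint('cPtr %08x', cPtr);
  cPtr2 := ULONG(GetImportFunAddr(@KeServiceDescriptorTable)); { printed only }
  DbgPrint('cPtr2 %08x', cPtr2);
  I := cPtr;
  while I < (cPtr + $1000) do
  begin
    if MmIsAddressValid(Pointer(I)) then
    begin
      if word(pointer(I)^) = $888d then
      begin
        Result := PPointer(I + 2)^;
        DbgPrint('good %08x', Result);
        break;
      end;
    end;
    Inc(I);
  end;
end;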
XP版可以直接硬编码 (on the XP build the offset can simply be hard-coded):
{ Fixed-offset variant: returns the resolved KeServiceDescriptorTable
  address minus a hard-coded $40. The offset is build-specific (the author
  notes it for XP) and nothing here verifies that the result is valid or
  even mapped. }
function FindShadowTable: Pointer;
var
  TableAddr: ULONG;
begin
  TableAddr := ULONG(GetImportFunAddr(@KeServiceDescriptorTable));
  Dec(TableAddr, $40);
  Result := Pointer(TableAddr);
end;