3.2.2 Shadow SSDT-42课
A、Shadow SSDT表基址定位 B、Shadow SSDT表结构 C、Shadow SSDT HOOK 课时:45
KeServiceDescriptorTable //系统描述符表 extern
KeServiceDescriptorTableShadow //影子系统描述符表 win32k.sys bp win32k!NtUserPostMessage bp win32k!NtUserShowWindow bp win32k!NtUserFindWindow bp win32k!NtUserDestroyWindow
bp win32k!NtUserPostMessage
Shadow SSDT表基址定位
系统只导出了KeServiceDescriptorTable；KeServiceDescriptorTableShadow是一个未导出的结构
dd poi(KeServiceDescriptorTable-0x40+0x10) //XP
RtlGetVersion PsGetVersion
Windows 2000: dwMajorVersion = 5 dwMinorVersion = 0 Windows XP: dwMajorVersion = 5 dwMinorVersion = 1 Windows 2003: dwMajorVersion = 5 dwMinorVersion = 1 Windows Vista: dwMajorVersion = 6 Operating system Version dwMajorVdwMinorVOther number on on Windows 7 6.1 6 1 OSVERSIONINFOEX.wProductType VER_NT_WORKSTATION Windows Server 2008 R2 6.1 6 1 OSVERSIONINFOEX.wProductType VER_NT_WORKSTATION Windows Server 2008 6.0 6 0 OSVERSIONINFOEX.wProductType VER_NT_WORKSTATION Windows Vista 6.0 6 0 OSVERSIONINFOEX.wProductType VER_NT_WORKSTATION Windows Server 2003 R2 5.2 Windows Home Server 5.2 5 5 2 2 GetSystemMetrics(SM_SERVERR2) !=OSVERSIONINFOEX.wSuiteMask VER_SUITE_WH_SERVER Windows Server 2003 5.2 Windows XP Professional5.2 Edition 5 5 2 2 GetSystemMetrics(SM_SERVERR2) =(OSVERSIONINFOEX.wProductType VER_NT_WORKSTATION) (SYSTEM_INFO.wProcessorArchitectu=PROCESSOR_ARCHITECTURE_AMDWindows XP Windows 2000 5.1 5.0 5 5 1 0 Not applicable Not applicable
/*
 * Locate the unexported KeServiceDescriptorTableShadow by adding a fixed,
 * OS-version-specific offset to the exported KeServiceDescriptorTable.
 *
 * The offsets are tied to particular kernel builds (see the version switch in
 * GetVersion()). For any version not handled here -- including VERSION_2K3,
 * which is recognised but has no offset -- the function returns 0, so callers
 * must treat 0 as "not located" and never dereference it.
 *
 * All arithmetic is done in DWORD: this assumes a 32-bit kernel, and the
 * (DWORD) cast would truncate a 64-bit pointer.
 */
DWORD Get_KeServiceDescriptorTableShadow_Addr(void)
{
    DWORD shadow_addr = 0;
    DWORD os_version = GetVersion();

    if (os_version == VERSION_2K) {
        /* Windows 2000: offset +0xE0 from the exported table */
        shadow_addr = (DWORD)KeServiceDescriptorTable + 0xE0;
    } else if (os_version == VERSION_XP) {
        /* Windows XP: offset -0x40 from the exported table */
        shadow_addr = (DWORD)KeServiceDescriptorTable - 0x40;
    }
    /* VERSION_2K3 and every other version: no offset known here, leave 0 */

    return shadow_addr;
}
dd poi(KeServiceDescriptorTableShadow+10) ///SSDT Shadow Base
NtUserDestroyWindow //ZwTerminateProcess NtUserFindWindowEx NtUserSetWindowLong NtUserPostMessage
NtUserGetForegroundWindow
/*
 * OS version constants, encoded as MajorVersion*10 + MinorVersion so they can
 * be compared directly with the value returned by GetVersion().
 * Several products share one kernel version and therefore one constant.
 */
#define VERSION_2K 50
#define VERSION_XP 51
#define VERSION_2K3 52
#define VERSION_XP64 52             /* XP x64 reports the same 5.2 as Server 2003 */
#define VERSION_2K3_R2 52
#define VERSION_VISTA 60
#define VERSION_SERVER2008 60       /* Vista and Server 2008 are both 6.0 */
#define VERSION_WIN7 61
#define VERSION_SERVER2008_R2 61    /* Windows 7 and Server 2008 R2 are both 6.1 */

#pragma PAGECODE
/*
 * Return the running kernel's version encoded as MajorVersion*10 + MinorVersion
 * (e.g. 51 for 5.1 / Windows XP), for comparison with the VERSION_* constants.
 *
 * Only the major and minor numbers contribute to the result; the build number
 * is queried but not used, and the CSD version string is not requested (NULL).
 * Note that the *10 encoding cannot distinguish minor versions >= 10.
 */
DWORD GetVersion(void)
{
    ULONG major_version = 0;
    ULONG minor_version = 0;
    ULONG build_number = 0;

    /* PsGetVersion: param 1 major, param 2 minor, param 3 build number, param 4 CSD string */
    PsGetVersion(&major_version, &minor_version, &build_number, NULL);

    /* major + minor combined into a single comparable integer */
    return (DWORD)(major_version * 10 + minor_version);
}
#pragma PAGECODE
DWORD Get_KeServiceDescriptorTableShadow_Addr() { DWORD KeServiceDescriptorTableShadow=0; DWORD Version=GetVersion(); switch (Version ) {
case VERSION_2K:
KeServiceDescriptorTableShadow=(DWORD)KeServiceDescriptorTable+0xE0; break;
case VERSION_2K3: break;
case VERSION_XP: