[技巧]在驱动里获得系统盘盘符等信息
这些东西都保存在了KUSER_SHARED_DATA结构里。这个结构体在内核里的地址是0xFFFFF78000000000(X64)和0xFFDF0000(X86)。
它在WIN7X64系统的定义是:lkd> dt_KUSER_SHARED_DATA 0xFFFFF78000000000
nt!_KUSER_SHARED_DATA
+0x000 TickCountLowDeprecated : 0
+0x004 TickCountMultiplier : 0xfa00000
+0x008 InterruptTime : _KSYSTEM_TIME
+0x014 SystemTime : _KSYSTEM_TIME
+0x020 TimeZoneBias : _KSYSTEM_TIME
+0x02c ImageNumberLow : 0x8664
+0x02e ImageNumberHigh: 0x8664
+0x030 NtSystemRoot : "C:\Windows"
+0x238 MaxStackTraceDepth : 0
+0x23c CryptoExponent : 0
+0x240 TimeZoneId : 0
+0x244 LargePageMinimum : 0x200000
+0x248 Reserved2 : 0
+0x264 NtProductType : 1 ( NtProductWinNt )
+0x268 ProductTypeIsValid : 0x1 ''
+0x26c NtMajorVersion : 6
+0x270 NtMinorVersion : 1
+0x274 ProcessorFeatures : ""
+0x2b4 Reserved1 : 0x7ffeffff
+0x2b8 Reserved3 : 0x80000000
+0x2bc TimeSlip : 0
+0x2c0 AlternativeArchitecture : 0 ( StandardDesign )
+0x2c4 AltArchitecturePad : 0
+0x2c8 SystemExpirationDate : _LARGE_INTEGER 0x0
+0x2d0 SuiteMask : 0x110
+0x2d4 KdDebuggerEnabled : 0x1 ''
+0x2d5 NXSupportPolicy: 0x2 ''
+0x2d8 ActiveConsoleId: 1
+0x2dc DismountCount : 0
+0x2e0 ComPlusPackage : 0xffffffff
+0x2e4 LastSystemRITEventTickCount : 0x415df2a
+0x2e8 NumberOfPhysicalPages : 0xfff8e
+0x2ec SafeBootMode : 0 ''
+0x2ed TscQpcData : 0x28 '('
+0x2ed TscQpcEnabled : 0y0
+0x2ed TscQpcSpareFlag: 0y0
+0x2ed TscQpcShift : 0y001010 (0xa)
+0x2ee TscQpcPad : ""
+0x2f0 SharedDataFlags: 0xe
+0x2f0 DbgErrorPortPresent : 0y0
+0x2f0 DbgElevationEnabled : 0y1
+0x2f0 DbgVirtEnabled : 0y1
+0x2f0 DbgInstallerDetectEnabled : 0y1
+0x2f0 DbgSystemDllRelocated : 0y0
+0x2f0 DbgDynProcessorEnabled : 0y0
+0x2f0 DbgSEHValidationEnabled : 0y0
+0x2f0 SpareBits : 0y0000000000000000000000000 (0)
+0x2f4 DataFlagsPad : 0
+0x2f8 TestRetInstruction : 0xc3
+0x300 SystemCall : 0
+0x304 SystemCallReturn : 0
+0x308 SystemCallPad : 0
+0x320 TickCount : _KSYSTEM_TIME
+0x320 TickCountQuad : 0x42ef92
+0x320 ReservedTickCountOverlay : 0x42ef92
+0x32c TickCountPad : 0
+0x330 Cookie : 0xce57007a
+0x334 CookiePad : 0
+0x338 ConsoleSessionForegroundProcessId : 1876
+0x340 Wow64SharedInformation : 0x77489ce9
+0x380 UserModeGlobalLogger : 0
+0x3a0 ImageFileExecutionOptions : 0
+0x3a4 LangGenerationCount : 1
+0x3a8 Reserved5 : 0
+0x3b0 InterruptTimeBias : 0
+0x3b8 TscQpcBias : 0
+0x3c0 ActiveProcessorCount : 2
+0x3c4 ActiveGroupCount : 1
+0x3c6 Reserved4 : 0
+0x3c8 AitSamplingValue : 0
+0x3cc AppCompatFlag : 1
+0x3d0 SystemDllNativeRelocation : 0xffffffff`fe420000
+0x3d8 SystemDllWowRelocation : 0xf95e0000
+0x3dc XStatePad : 0
+0x3e0 XState : _XSTATE_CONFIGURATION
在XP上的信息似乎少了些:
lkd> dt_KUSER_SHARED_DATA 0xffdf0000
ntdll!_KUSER_SHARED_DATA
+0x000 TickCountLow : 0xc22e
+0x004 TickCountMultiplier : 0xfa00000
+0x008 InterruptTime : _KSYSTEM_TIME
+0x014 SystemTime : _KSYSTEM_TIME
+0x020 TimeZoneBias : _KSYSTEM_TIME
+0x02c ImageNumberLow : 0x14c
+0x02e ImageNumberHigh: 0x14c
+0x030 NtSystemRoot : 0x43
+0x238 MaxStackTraceDepth : 0
+0x23c CryptoExponent : 0
+0x240 TimeZoneId : 0
+0x244 Reserved2 : 0
+0x264 NtProductType : 1 ( NtProductWinNt )
+0x268 ProductTypeIsValid : 0x1 ''
+0x26c NtMajorVersion : 5
+0x270 NtMinorVersion : 1
+0x274 ProcessorFeatures : ""
+0x2b4 Reserved1 : 0x7ffeffff
+0x2b8 Reserved3 : 0x80000000
+0x2bc TimeSlip : 0
+0x2c0 AlternativeArchitecture : 0 ( StandardDesign )
+0x2c8 SystemExpirationDate : _LARGE_INTEGER 0x0
+0x2d0 SuiteMask : 0x110
+0x2d4 KdDebuggerEnabled : 0 ''
+0x2d5 NXSupportPolicy: 0x2 ''
+0x2d8 ActiveConsoleId: 0
+0x2dc DismountCount : 0
+0x2e0 ComPlusPackage : 0xffffffff
+0x2e4 LastSystemRITEventTickCount : 0xbaaa2
+0x2e8 NumberOfPhysicalPages : 0x3ff7a
+0x2ec SafeBootMode : 0 ''
+0x2f0 TraceLogging : 0
+0x2f8 TestRetInstruction : 0xc3
+0x300 SystemCall : 0x7c92e510
+0x304 SystemCallReturn : 0x7c92e514
+0x308 SystemCallPad : 0
+0x320 TickCount : _KSYSTEM_TIME
+0x320 TickCountQuad : 0
+0x330 Cookie : 0x3bee61dc 占领沙发 谢楼主分享 可以借鉴下de 谢谢分享 试了下,,确实给力
页:
[1]