|
|
本帖最后由 ramonliu 于 2013-10-29 01:03 编辑
網上大都是32位元, 再不然是WinXP 64位元, 研究了一下, 弄了一個腳本,
可以正常地在Win7x64, 如下:
$$ Windows 7 SP1 x64
$$ variables
aS ufLinkS "<u><col fg=\\\"emphfg\\\"><link name=\\\"%p\\\" cmd=\\\"u 0x%p\\\">";
aS ufLinkE "</link></col></u>";
r $t1 = nt!KeServiceDescriptorTable;
r $t2 = poi(@$t1 + 10);
r $t3 = poi(@$t1);
.printf "\nServiceDescriptorTable = 0x%p\n", @$t1;
.printf "ServiceSectionCount = 0x%X\n", @$t2;
.printf "ServiceTable = 0x%p\n", @$t3;
.printf " Index FunctionAddr Symbols\n";
.printf "---------------------------------------------\n\n";
.for (r $t0 = 0; @$t0 < @$t2; r $t0 = @$t0 + 1)
{
$$ FuncAddr=([KeServiceDescriptortable+index*4] >>4 +KeServiceDescriptortable)&0xFFFFFFF0.
r $t4 = (dwo((@$t3 + (@$t0 * 4))) >> 4);
.if (@$t4 > 0x7ffffff)
{
r $t5 = @$t3 + @$t4 - 10000000;
}
.else
{
r $t5 = @$t3 + @$t4;
}
.printf /D "[%4d] ${ufLinkS}%p${ufLinkE}: (%y)\n", @$t0, @$t5, @$t5, @$t5, @$t5;
}
.printf "\n- end -\n";
ad ufLinkS;
ad ufLinkE;
腳本使用方法:
指令=> $$><e:\ssdt2.wbs |
评分
-
查看全部评分
|
发表于 2013-10-28 20:47:01
发表于 2013-10-29 15:26:08
发表于 2013-10-29 22:29:03
