请教问题,在这里先谢了,顺便祝论坛越办越好。
Hook 函数的时候,偏移量和位移是怎么算出来的?
/*
 * GetSSDTFuncCurAddr - resolve the absolute address that service-table
 * slot `id` currently points at.
 *
 * A 32-bit slot is not a plain offset: the value is shifted right by 4
 * before being added to the table base, so its low four bits are dropped
 * and only the upper 28 bits form the displacement. The companion
 * GetOffsetAddress() builds a slot the other way round (displacement << 4,
 * low nibble = parameter count), which is why the 4-bit shift appears here.
 * The displacement is signed: a slot may point below the table.
 *
 * @id  index into the table. It is NOT range-checked, so the caller must
 *      pass a valid service number; an out-of-range id reads past the table.
 * @return table base + (slot >> 4), as an unsigned 64-bit address.
 *
 * NOTE(review): `slot >> 4` on a LONG relies on an arithmetic
 * (sign-preserving) right shift, which C leaves implementation-defined;
 * the encoding itself is whatever the running kernel stores — confirm
 * against the target build before relying on it.
 */
ULONGLONG GetSSDTFuncCurAddr(ULONG id)
{
    PULONG table = (PULONG)KeServiceDescriptorTable->ServiceTableBase;
    LONG slot = (LONG)table[id];

    ShowStuff0(slot);                       /* raw slot value, before decoding */

    /* Signed shift keeps a negative displacement negative. */
    LONGLONG displacement = (LONGLONG)(slot >> 4);
    return (ULONGLONG)table + (ULONGLONG)displacement;
}
dwtmp >> 4 这句右移了四位,为什么要右移?
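/*
 * Single-bit helpers used by GetOffsetAddress().
 *
 * Every argument and the whole expansion are parenthesised, so a call such
 * as GETBIT(a | b, i) or SETBIT(x, i + 1) expands correctly (the original
 * unparenthesised forms silently mis-associated such arguments). Each
 * argument is still evaluated exactly once. `y` must be below the bit width
 * of int: shifting 1 by 31 or more is undefined behaviour.
 */
#define SETBIT(x, y) ((x) |= (1 << (y)))          /* set bit y of x            */
#define CLRBIT(x, y) ((x) &= ~(1 << (y)))         /* clear bit y of x          */
#define GETBIT(x, y) ((x) & (1 << (y)))           /* nonzero iff bit y of x set */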
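/*
 * GetOffsetAddress - build the 32-bit service-table slot value that makes
 * the table resolve to FuncAddr.
 *
 * Inverse of GetSSDTFuncCurAddr(): the slot holds the displacement of the
 * target from ServiceTableBase shifted left by 4, and the low nibble holds
 * a parameter count. The stored count is ParamCount - 4 when ParamCount > 4
 * and 0 otherwise; only its low four bits fit, so a count above 19 is
 * silently truncated (the original bit loop behaved the same way).
 *
 * @FuncAddr    absolute address the slot should resolve to. The displacement
 *              must fit in 28 signed bits; this is NOT checked here.
 * @ParamCount  total parameter count of the target function.
 * @return      the encoded slot value.
 *
 * Changes from the original: the shift is done on ULONG, because
 * left-shifting a negative LONG (a target located below the table) is
 * undefined behaviour in C; and the low nibble is written with plain bit
 * operations instead of copying the first byte of the value in and out,
 * which only selected the low byte on a little-endian machine. Both produce
 * the same bit pattern where the original was well-defined.
 */
ULONG GetOffsetAddress(ULONGLONG FuncAddr, CHAR ParamCount)
{
    PULONG table = (PULONG)KeServiceDescriptorTable->ServiceTableBase;

    /* Displacement truncated to 32 bits, then moved into the upper 28. */
    ULONG displacement = (ULONG)(FuncAddr - (ULONGLONG)table);
    ULONG slot = displacement << 4;

    /* Parameters beyond the first four are recorded in the low nibble. */
    ULONG extra = (ParamCount > 4) ? (ULONG)(ParamCount - 4) : 0u;

    /* The shift left the low nibble clear, so an OR is sufficient. */
    return slot | (extra & 0x0Fu);
}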
ParamCount 参数为什么要这样处理?