转发——群里面转的,一个x64 查看 SSDT 表函数的WinDBG脚本

 1 aS ufLinkS "<u><col fg=\\\"emphfg\\\"><link name=\\\"%p\\\" cmd=\\\"uf 0x%p\\\">";
 2 aS ufLinkE "</link></col></u>";
 3  
 4 r $t1 = nt!KeServiceDescriptorTable;
 5 r $t2 = poi(@$t1 + 0x10);
 6 r $t1 = poi(@$t1);
 7  
 8 .printf "\n\nKeServiceDescriptorTable->KiServiceTable:  %p\nKeServiceDescriptorTable->Count: %d\n", @$t1, @$t2;
 9 .printf "\nOrd   Address   fnAddr   Symbols\n";
10 .printf "--------------------------------\n\n";
11  
12 .for (r $t0 = 0; @$t0 != @$t2; r $t0 = @$t0 + 1)
13 {
14     r @$t3 = (poi(@$t1 + @$t0 * 4)) & 0x00000000`FFFFFFFF;
15     $$.printf "2. %p\n", @$t3;
16        
17     .if ( @$t3 & 0x80000000 )
18        {
19                r @$t3 = (@$t3 >> 4) | 0xFFFFFFFF`F0000000;
20                r @$t3 = 0 - @$t3;
21                r @$t3 = @$t1 - @$t3;
22        }
23        .else
24        {
25            r @$t3 = (@$t3 >> 4);
26                r @$t3 = (@$t1 + @$t3);
27        }
28        
29     .printf /D "[%3d] ${ufLinkS}%p${ufLinkE} (%y)\n", @$t0, @$t3, @$t3, @$t3, @$t3;
30 }
31  
32 .printf "\n- end -\n";

 

 

执行这个脚本之后,效果

 

 

 不知道谁写的,但是效果可以
