experiment: view ssdt's api on windbg

实验环境: windbg+win7x86家庭普通版+vmware9

SSDT结构定义
typedef struct _SYSTEM_SERVICE_TABLE

{

PVOID ServiceTableBase; //这个指向系统服务函数地址表

PULONG ServiceCounterTableBase;

ULONG NumberOfService; //服务函数的个数

ULONG ParamTableBase;

}SYSTEM_SERVICE_TABLE,*PSYSTEM_SERVICE_TABLE;

typedef struct _SERVICE_DESCRIPTOR_TABLE

{

SYSTEM_SERVICE_TABLE ntoskrnel; //ntoskrnl.exe的服务函数

SYSTEM_SERVICE_TABLE win32k; //win32k.sys的服务函数,(gdi.dll/user.dll的内核支持)

SYSTEM_SERVICE_TABLE NotUsed1;

SYSTEM_SERVICE_TABLE NotUsed2;

}SYSTEM_DESCRIPTOR_TABLE,*PSYSTEM_DESCRIPTOR_TABLE;

kd> x /n nt!*keservice*83fbd9c0 nt!KeServiceDescriptorTable = <no type information>83fbda00 nt!KeServiceDescriptorTableShadow = <no type information>

kd> dd KeServiceDescriptorTable83fbd9c0  83ed1d9c 00000000 00000191 83ed23e483fbd9d0  00000000 00000000 00000000 0000000083fbd9e0  83f306af 00000000 03276d53 00000bb883fbd9f0  00000011 00000100 5385d2ba d717548f83fbda00  83ed1d9c 00000000 00000191 83ed23e483fbda10  924c6000 00000000 00000339 924c702c83fbda20  00000000 00000000 83fbda24 0000034083fbda30  00000340 855c7b10 00000007 00000000

得到

ntoskrnel->ServiceTableBase = 83ed1d9c;

ntoskrnel->NumberOfService = 0x00000191;

将ntoskrnel的0x191个API列出:

kd> dd 83ed1d9c L19183ed1d9c  840cdc28 83f1440d 8405db68 83e7888a83ed1dac  840cf4ff 83f513fa 8413fb05 8413fb4e83ed1dbc  840523bd 84159368 8415a5c1 84048b9583ed1dcc  840d9b35 84132963 84085a56 840556cc83ed1ddc  83feb928 84124898 8403c14e 8407ea6283ed1dec  840cadf1 8402c238 840ca1fe 84049c0c83ed1dfc  840db5bc 8404c28f 840db39c 840d3afc83ed1e0c  8405e0f0 8411f657 840d0ec9 840db7ee83ed1e1c  840b41fc 840cef2e 84060d15 84054cf383ed1e2c  84046b70 840b4a83 8411f77f 840a6f0a83ed1e3c  84054702 8406621b 840220e3 84053ed183ed1e4c  83ed28bc 8401d5c3 84051ce7 8410bfb083ed1e5c  83e7ed56 84080b5f 8409937a 840cf42e83ed1e6c  84147412 84147132 840289b9 840f101383ed1e7c  8404fc9d 84054ce9 840f127f 840ccd0983ed1e8c  83e94d0c 84101c79 84057505 83ff9a5583ed1e9c  84095671 8415f068 840a41e4 840af66783ed1eac  84046977 841346de 84055e2a 84064d1e83ed1ebc  84026a36 8405a32f 84065196 840d54f983ed1ecc  83fe1406 8404675f 8402857f 84130df983ed1edc  84130e44 8415fafb 8415fac1 83ffc35f83ed1eec  84077f2b 8405a98d 840567f5 84130c0283ed1efc  840c5124 84053304 84059ac8 84024e6283ed1f0c  83ffc16b 840c3056 83ff9134 84064f3983ed1f1c  84102b36 841031f3 8407d96f 8404107b83ed1f2c  8415939b 8415a5f3 83fed6ad 8404091183ed1f3c  840df9df 840e86f6 84032328 840c83ca83ed1f4c  8411c4da 841575ef 83f68259 840864f083ed1f5c  840c0974 8411c5bb 8415959d 8415a7f383ed1f6c  840bba59 8415917b 84147f4c 840bdebf83ed1f7c  84122a0f 84039d81 840458ff 8405d11783ed1f8c  83fe990f 840544c2 840339cd 83e791b183ed1f9c  8402f130 841259b7 84125039 83f0d4db83ed1fac  83f276fc 8414839a 840aa6a2 840e9dc183ed1fbc  840e9d56 8412de37 84065daf 84132b5483ed1fcc  840e1c0a 8402e5c6 841484f4 84013e6783ed1fdc  83f3e5c7 8404a7ca 8411e7a1 840ce5fc83ed1fec  840b0f0d 83fed1ca 840e45c3 840e5cdd83ed1ffc  8412de1e 83fe7de9 83fe4c75 8401ab7883ed200c  83fe6426 83fd3a1c 83ff6e72 8405832b83ed201c  83fcd026 83fc86d5 83e78191 8401b1b183ed202c  84060851 8406535b 84123b57 8412412d83ed203c  8409b394 8415956c 8415a7c4 8404adb683ed204c  8404ee17 8404df39 84014d6b 8409758483ed205c  84146995 84064b92 8415f169 84086b1083ed206c  8410bca5 84134057 840a0642 84064add83ed207c  8415f49f 84024169 840240f9 840b60e283ed208c  8402d4b2 8402ef07 840669dc 840b8fff83ed209c  840a6b37 83fd20c7 840be674 8403a0c683ed20ac  840db977 840a2b6f 840b2d87 840cd2e483ed20bc  840a6c4e 8415ee0f 841476f1 8414898983ed20cc  84038506 84095970 841472a2 84146fc283ed20dc  8414735a 8414707a 8404b93f 8401af6083ed20ec  84035a51 841490e4 841491aa 8409740383ed20fc  840e85a7 840ac9a1 84159a3e 84159e8383ed210c  83f17d34 840cbb8c 83ff7f5c 84088d1183ed211c  840ad9f0 8415a381 83fe6b4a 8404f81e83ed212c  840d55d5 8404124c 84146ba2 840aa6d583ed213c  840e10ff 8411e7d4 8408b644 841485fe83ed214c  840b1d6d 840a706e 841478e4 83fd1bcf83ed215c  83f68e81 84033c3f 8415fe6b 8410bd6883ed216c  840a0cae 84056e8d 84035cc0 8415f57c83ed217c  84055ed6 840f0b05 840dedf8 8406527783ed218c  841312c4 8410d349 840cb9e6 8404b2d083ed219c  8404ee4c 841583fc 840a2c15 841585d383ed21ac  84158bc7 84084cd4 840bdddd 840cbaf783ed21bc  8415eece 84041729 8409f405 840b06a783ed21cc  840ab2c8 84050caa 8404ce67 83e94d5483ed21dc  8402c0a3 840b6c8c 83fec6a7 8414758083ed21ec  8411e8b9 840b482c 84146b46 83ffc88c83ed21fc  83ffe128 84148f38 8413209c 840850ed83ed220c  8407d873 84067b6a 83ed7c28 8405aa8e83ed221c  84055a8e 84102c81 840f0d4b 84148bd483ed222c  840f0898 83f303d3 84045a3d 8408d5e283ed223c  8408d165 8411ea85 840d5435 840928d983ed224c  84030ec3 83f3ec18 840e6904 841328fd83ed225c  840c534b 84147636 841471ea 83ffac7c83ed226c  84148d36 840e8176 840e791c 840efbbb83ed227c  840b2dbc 83fdff07 84159c7f 8415a16b83ed228c  84131cff 83fc59bd 83fe3895 83ff7ce183ed229c  83ff8250 8415abf5 8410cdda 8407e6de83ed22ac  841580b7 8415f435 8415f367 841033b983ed22bc  84146dea 840ab75c 84050cce 840f03ad83ed22cc  8405d314 8408d603 8414880c 840beaaf83ed22dc  84058780 84148146 84148dfb 83f0136283ed22ec  8415fe48 84038b82 8410be8e 84133d1783ed22fc  8415f3d2 8415f2fc 8410d95f 8405662683ed230c  841588cd 84158edf 840a30ee 84175d7a83ed231c  840e4e70 840ebb4d 83ed7d52 83eea4b983ed232c  84045b3e 83fe72d7 8405f427 8410d97983ed233c  841575ad 840679b7 83f21701 841474ca83ed234c  8415fb84 8415fd7b 8413289f 840e9e2d83ed235c  840da464 8404736f 840af9bf 840cd33483ed236c  840c4afa 83f2775f 84148478 840a49bb83ed237c  83f1a6a0 8415adf9 8411e74b 8410e1cf83ed238c  840dd503 840dd51d 840efd53 8405aeaf83ed239c  83e70b17 840b963a 8414c769 84102ed783ed23ac  84084e16 8407d435 84128904 8407cae783ed23bc  83ed77b1 8415f293 8415f22a 83f104b483ed23cc  840c3f2b 83ff42f7 8411e926 840b471c83ed23dc  83e7f5c5

查看ntoskrnel.exe中的导出API:

开始的几个API:

kd> u 840cdc28nt!NtAcceptConnectPort:

kd> u 83f1440dnt!NtAccessCheck:

kd> u 8405db68nt!NtAccessCheckAndAuditAlarm:

kd> u 83e7888ant!NtAccessCheckByType:

...

最后的几个API

kd> u 840c3f2bnt!NtWriteFile:kd> u 83ff42f7nt!NtWriteFileGather:kd> u 8411e926nt!NtWriteRequestData:kd> u 840b471cnt!NtWriteVirtualMemory:kd> u 83e7f5c5nt!NtYieldExecution: