KiServiceTable tak dieksport oleh kernel.
Cara nak dapatkannya ialah dari KeServiceDescriptorTable:
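/*
 * One entry of the service descriptor table.
 *
 * Declared before SDT because SDT embeds an array of SDE by value, so the
 * entry type must be complete at that point.
 * NOTE(review): DWORD-sized table entries match a 32-bit x86 kernel; confirm
 * the layout against the target build before relying on it.
 */
typedef struct ServiceDescriptorEntry {
    PDWORD KiServiceTable;   /* pointer to the KiServiceTable array */
    PDWORD CounterTableBase; /* NOTE(review): presumably per-service call counters; not described on this page */
    DWORD ServiceLimit;      /* number of entries in KiServiceTable; check every index against it */
    PBYTE ArgumentTable;     /* NOTE(review): presumably per-service argument byte counts; confirm */
} SDE;

/*
 * Layout of KeServiceDescriptorTable: four descriptor entries.
 * Per the page, only ServiceDescriptor[0] is used; [1]..[3] are unused.
 */
typedef struct ServiceDescriptorTable {
    SDE ServiceDescriptor[4];
} SDT;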
KeServiceDescriptorTable.ServiceDescriptor[0].KiServiceTable <- pointer ke KiServiceTable
KeServiceDescriptorTable.ServiceDescriptor[0].ServiceLimit <- size array KiServiceTable (bilangan entri; semak setiap indeks dengan nilai ni sebelum baca)
ServiceDescriptor yang lain tak pakai.
(KeServiceDescriptorTable.ServiceDescriptor[1], KeServiceDescriptorTable.ServiceDescriptor[2], KeServiceDescriptorTable.ServiceDescriptor[3], semua ni tak pakai)
ref:http://www.thehackademy.net/madchat/vxdevl/library/Defeating%20Kernel%20Native%20API%20Hookers%20by%20Direct%20KiServiceTable%20Restoration.pdf
Cara nak dapatkannya ialah dari KeServiceDescriptorTable:
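/*
 * One entry of the service descriptor table.
 *
 * Declared before SDT because SDT embeds an array of SDE by value, so the
 * entry type must be complete at that point.
 * NOTE(review): DWORD-sized table entries match a 32-bit x86 kernel; confirm
 * the layout against the target build before relying on it.
 */
typedef struct ServiceDescriptorEntry {
    PDWORD KiServiceTable;   /* pointer to the KiServiceTable array */
    PDWORD CounterTableBase; /* NOTE(review): presumably per-service call counters; not described on this page */
    DWORD ServiceLimit;      /* number of entries in KiServiceTable; check every index against it */
    PBYTE ArgumentTable;     /* NOTE(review): presumably per-service argument byte counts; confirm */
} SDE;

/*
 * Layout of KeServiceDescriptorTable: four descriptor entries.
 * Per the page, only ServiceDescriptor[0] is used; [1]..[3] are unused.
 */
typedef struct ServiceDescriptorTable {
    SDE ServiceDescriptor[4];
} SDT;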
KeServiceDescriptorTable.ServiceDescriptor[0].KiServiceTable <- pointer ke KiServiceTable
KeServiceDescriptorTable.ServiceDescriptor[0].ServiceLimit <- size array KiServiceTable (bilangan entri; semak setiap indeks dengan nilai ni sebelum baca)
ServiceDescriptor yang lain tak pakai.
(KeServiceDescriptorTable.ServiceDescriptor[1], KeServiceDescriptorTable.ServiceDescriptor[2], KeServiceDescriptorTable.ServiceDescriptor[3], semua ni tak pakai)
ref:http://www.thehackademy.net/madchat/vxdevl/library/Defeating%20Kernel%20Native%20API%20Hookers%20by%20Direct%20KiServiceTable%20Restoration.pdf