nolimitdestroye
SSDT'nin bulunduğu adresi döndürüyor. ntoskrnl.exe'de export edilmemiş NtReadVirtualMemory gibi fonksiyonları bulmaya yarıyor. Ben kendim için daha kolay bir yolunu buldum, o yüzden bunu paylaşıyorum. İmza bulunamazsa fonksiyon 0 döndürür; çağıran taraf bunu kontrol etmeli. Kolay gelsin.
Credits: EAC
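/// Locates KeServiceDescriptorTable by signature-scanning the syscall entry code.
///
/// Reads MSR 0xC0000082 (the 64-bit SYSCALL target, KiSystemCall64 on the
/// builds this was written for) and searches from that address to the end of
/// the containing 4 KiB page for two consecutive RIP-relative LEA
/// instructions: `4C 8D 15 <disp32>` followed by `4C 8D 1D`.
///
/// @return The absolute address encoded by the first LEA, or 0 when the
///         signature is not present in the scanned page.
///
/// The match is a heuristic tied to a specific instruction sequence; callers
/// must treat 0 as failure and should verify that a non-zero result lies
/// inside the kernel image before dereferencing it.
/// NOTE(review): if the MSR points at a different entry stub (for example a
/// KVA-shadow trampoline; confirm per target build), the signature is not
/// expected in this page and the function returns 0.
auto FindKeServiceDescriptorTable64()
{
    const auto StartSearchAddress = __readmsr(0xC0000082); // KiSystemCall64
    // First byte of the page after the one that holds the entry point.
    const auto EndSearchAddress = (StartSearchAddress + 4096) & (~0x0FFF);

    // The signature covers bytes i .. i+9. Stop early enough that the last
    // probe stays inside the scanned page: the original loop read up to nine
    // bytes into the following page, which is not guaranteed to be mapped.
    for (auto i = StartSearchAddress; i + 9 < EndSearchAddress; i++)
    {
        const auto* code = reinterpret_cast<const unsigned char*>(i);

        const bool firstLea = code[0] == 0x4C && code[1] == 0x8D && code[2] == 0x15;
        if (firstLea && code[7] == 0x4C && code[8] == 0x8D && code[9] == 0x1D)
        {
            // RIP-relative operand: signed disp32 at i+3, relative to the end
            // of the 7-byte instruction.
            auto pKeServiceDescriptorTable = (*reinterpret_cast<const int*>(i + 3) + i + 7);
            return pKeServiceDescriptorTable;
        }
    }
    return 0ULL;
}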
Credits: EAC
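/// Locates KeServiceDescriptorTable by signature-scanning the syscall entry code.
///
/// Reads MSR 0xC0000082 (the 64-bit SYSCALL target, KiSystemCall64 on the
/// builds this was written for) and searches from that address to the end of
/// the containing 4 KiB page for two consecutive RIP-relative LEA
/// instructions: `4C 8D 15 <disp32>` followed by `4C 8D 1D`.
///
/// @return The absolute address encoded by the first LEA, or 0 when the
///         signature is not present in the scanned page.
///
/// The match is a heuristic tied to a specific instruction sequence; callers
/// must treat 0 as failure and should verify that a non-zero result lies
/// inside the kernel image before dereferencing it.
/// NOTE(review): if the MSR points at a different entry stub (for example a
/// KVA-shadow trampoline; confirm per target build), the signature is not
/// expected in this page and the function returns 0.
auto FindKeServiceDescriptorTable64()
{
    const auto StartSearchAddress = __readmsr(0xC0000082); // KiSystemCall64
    // First byte of the page after the one that holds the entry point.
    const auto EndSearchAddress = (StartSearchAddress + 4096) & (~0x0FFF);

    // The signature covers bytes i .. i+9. Stop early enough that the last
    // probe stays inside the scanned page: the original loop read up to nine
    // bytes into the following page, which is not guaranteed to be mapped.
    for (auto i = StartSearchAddress; i + 9 < EndSearchAddress; i++)
    {
        const auto* code = reinterpret_cast<const unsigned char*>(i);

        const bool firstLea = code[0] == 0x4C && code[1] == 0x8D && code[2] == 0x15;
        if (firstLea && code[7] == 0x4C && code[8] == 0x8D && code[9] == 0x1D)
        {
            // RIP-relative operand: signed disp32 at i+3, relative to the end
            // of the 7-byte instruction.
            auto pKeServiceDescriptorTable = (*reinterpret_cast<const int*>(i + 3) + i + 7);
            return pKeServiceDescriptorTable;
        }
    }
    return 0ULL;
}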