关于不用汇编获取IDT的方式
#include <WinDef.h>#include<ntddk.h>
/* One 16-byte IDT entry (interrupt gate) as found in the table that
 * KeGetPcr()->IdtBase points at on x64. The handler address is split across
 * the three Offset* fields; DriverEntry below reassembles it as
 * (OffsetHigh << 32) | (OffsetMiddle << 16) | OffsetLow. */
typedef union _KIDTENTRY64 {
struct {
USHORT OffsetLow;      /* handler address, bits 0..15 */
USHORT Selector;       /* not read anywhere on this page */
USHORT IstIndex : 3;
USHORT Reserved0 : 5;
USHORT Type : 5;
USHORT Dpl : 2;
USHORT Present : 1;
USHORT OffsetMiddle;   /* handler address, bits 16..31 */
ULONG OffsetHigh;      /* handler address, bits 32..63 */
ULONG Reserved1;
};
/* NOTE(review): overlays only the first 8 of the 16 bytes; presumably here
 * just to force 8-byte alignment of the union — nothing on this page reads it. */
ULONG64 Alignment;
} KIDTENTRY64, *PKIDTENTRY64;
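/* Memory image of a descriptor-table register (16-bit limit followed by a
 * 64-bit base); Pad is explicit filler in front of Limit. Not referenced by
 * any code on this page — the IDT base is taken from KeGetPcr()->IdtBase
 * instead, which is the whole point of the post — so it is presumably a
 * leftover from an assembly-based variant. The original listing had lost
 * the space between the type and the member name (USHORTPad / USHORTLimit),
 * which does not compile; restored here. */
typedef struct _AMD64_DESCRIPTOR {
    USHORT Pad;
    USHORT Limit;
    ULONG64 Base;
} AMD64_DESCRIPTOR, *PAMD64_DESCRIPTOR;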
/* Function-pointer type for KeSetAffinityThread, which GetIDT resolves at
 * run time through MmGetSystemRoutineAddress (presumably because it is not
 * declared in the headers this file includes).
 * NOTE(review): the kernel export is documented as returning the thread's
 * previous KAFFINITY rather than an NTSTATUS — confirm against the WDK
 * before using the return value to restore affinity.
 * A leading underscore followed by an uppercase letter is a reserved
 * identifier in C; a name such as KE_SET_AFFINITY_THREAD_FN would be safer. */
typedef NTSTATUS(NTAPI *_KeSetAffinityThread)(
IN PKTHREAD Thread,   /* thread to pin, here always KeGetCurrentThread() */
IN KAFFINITY Affinity);   /* processor mask with exactly one bit set in GetIDT */
PKIDTENTRY64 *g_ppIdtEntry;
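/*
 * Record the IDT base of every active processor in g_ppIdtEntry.
 *
 * No assembly (no sidt) is needed: the kernel keeps each processor's IDT base
 * in its processor control region, reachable as KeGetPcr()->IdtBase. Because
 * KeGetPcr() describes the processor the caller is currently running on, the
 * thread is pinned to each processor in turn before reading it.
 *
 * Preconditions: g_ppIdtEntry holds at least KeNumberProcessors slots
 * (DriverEntry allocates it) and the caller runs at PASSIVE_LEVEL, which
 * changing thread affinity requires. Slot k receives the base for the k-th set
 * bit of the active-processor mask; slots that are not reached are left
 * untouched, so callers should zero the table beforehand.
 *
 * Fixes relative to the original loop: the bit index was compared against the
 * mask *value* and `1 << i` was an int shift, which is undefined once i reaches
 * 32; the affinity mask was truncated to LONG; the looked-up KeSetAffinityThread
 * was never checked for NULL and the thread's original affinity was never
 * restored. KeSetSystemAffinityThread/KeRevertToUserAffinityThread are exported
 * by the WDK headers, so no MmGetSystemRoutineAddress lookup is necessary.
 */
VOID GetIDT()
{
    KAFFINITY ActiveMask = KeQueryActiveProcessors();
    LONG Count = 0;

    /* Iterate over the bit width of KAFFINITY, not over the mask's value. */
    for (ULONG Bit = 0; Bit < sizeof(KAFFINITY) * 8; Bit++)
    {
        KAFFINITY ThisCpu = (KAFFINITY)1 << Bit;
        if ((ActiveMask & ThisCpu) == 0)
        {
            continue;   /* not an active processor; masks may have holes */
        }
        if (Count >= KeNumberProcessors)
        {
            break;      /* never write past the table DriverEntry allocated */
        }

        /* Pin to this processor, read its PCR, then restore the caller's affinity. */
        KeSetSystemAffinityThread(ThisCpu);
        PKIDTENTRY64 Idt = KeGetPcr()->IdtBase;   /* the helper Microsoft already wraps for us */
        KeRevertToUserAffinityThread();

        g_ppIdtEntry[Count] = Idt;
        DbgPrint("%d %p\r\n", Count, g_ppIdtEntry[Count]);
        Count++;
    }
}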
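/*
 * Driver unload routine: releases the per-processor IDT pointer table.
 *
 * DriverObject is unused. The free is guarded because ExFreePoolWithTag is not
 * documented as accepting NULL, and the table may legitimately be NULL if the
 * allocation in DriverEntry failed. The tag must match the allocation ('gidt').
 */
VOID IDTUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    DbgPrint("卸载成功");
    if (g_ppIdtEntry != NULL)
    {
        ExFreePoolWithTag(g_ppIdtEntry, 'gidt');
        g_ppIdtEntry = NULL;   /* the global stays in scope; do not leave it dangling */
    }
}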
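/*
 * Driver entry point: allocates one IDT-base slot per processor, lets GetIDT
 * fill them, then prints for each processor the three address pieces and the
 * reassembled handler address of the first IDT entry (vector 0).
 *
 * Returns STATUS_SUCCESS, or STATUS_INSUFFICIENT_RESOURCES when the table
 * cannot be allocated. The original returned success on that path and left the
 * driver loaded with a NULL table and no unload routine; it also tested the
 * allocation with MmIsAddressValid, which is not an allocation check (it only
 * reports whether touching the address would fault), and the listing had lost
 * both the space in `PUNICODE_STRING RegistryPath` and the [i] subscripts on
 * g_ppIdtEntry.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    SIZE_T TableBytes = sizeof(PKIDTENTRY64) * KeNumberProcessors;

    /* Allocation failure is reported as NULL, nothing else. */
    g_ppIdtEntry = (PKIDTENTRY64 *)ExAllocatePoolWithTag(NonPagedPool, TableBytes, 'gidt');
    if (g_ppIdtEntry == NULL)
    {
        DbgPrint("g_ppIdtEntry Error ");
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    /* Pool memory is not zeroed; slots GetIDT does not reach must read as NULL. */
    RtlZeroMemory(g_ppIdtEntry, TableBytes);

    /* Register unload before doing anything else so the table is always freed. */
    DriverObject->DriverUnload = IDTUnload;

    GetIDT();

    for (LONG i = 0; i < KeNumberProcessors; i++)
    {
        PKIDTENTRY64 Entry = g_ppIdtEntry[i];
        if (Entry == NULL)
        {
            continue;   /* processor not visited by GetIDT */
        }
        /* Entry points at the table base, i.e. the gate for vector 0. The handler
         * address is split 16/16/32 across the gate; the pieces never overlap,
         * so | and + give the same result. */
        DbgPrint("%0.8X %0.8X %0.8X %p\r\n",
                 Entry->OffsetHigh,
                 Entry->OffsetMiddle,
                 Entry->OffsetLow,
                 (PVOID)(((ULONGLONG)Entry->OffsetHigh << 32) |
                         ((ULONGLONG)Entry->OffsetMiddle << 16) |
                         (ULONG)Entry->OffsetLow));
    }

    return STATUS_SUCCESS;
}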