关于不用汇编获取IDT的方式

admin

1. #include <WinDef.h>
   
2. #include<ntddk.h>
   
3. 
   
4.    typedef union _KIDTENTRY64 {
   
5.     struct {
   
6.      USHORT OffsetLow;
   
7.      USHORT Selector;
   
8.      USHORT IstIndex : 3;
   
9.      USHORT Reserved0 : 5;
   
10.      USHORT Type : 5;
    
11.      USHORT Dpl : 2;
    
12.      USHORT Present : 1;
    
13.      USHORT OffsetMiddle;
    
14.      ULONG OffsetHigh;
    
15.      ULONG Reserved1;
    
16.     };
    
17.     ULONG64 Alignment;
    
18.    } KIDTENTRY64, *PKIDTENTRY64;
    
19.    typedef struct _AMD64_DESCRIPTOR {
    
20.     USHORT  Pad[3];
    
21.     USHORT  Limit;
    
22.     ULONG64 Base;
    
23.    } AMD64_DESCRIPTOR, *PAMD64_DESCRIPTOR;
    
24.    typedef NTSTATUS(NTAPI *_KeSetAffinityThread)(
    
25.     IN PKTHREAD Thread,
    
26.     IN KAFFINITY Affinity);
    
27.    PKIDTENTRY64 *g_ppIdtEntry;
    
28. 
    
29. 
    
30. VOID GetIDT()
    
31. {
    
32. PKIDTENTRY64 Idt;
    
33. KAFFINITY Processor = KeQueryActiveProcessors();
    
34. UNICODE_STRING ustrKeSetAffinityThread;
    
35. _KeSetAffinityThread KeSetAffinityThread;
    
36. RtlInitUnicodeString(&ustrKeSetAffinityThread, L"KeSetAffinityThread");
    
37. KeSetAffinityThread = (_KeSetAffinityThread)MmGetSystemRoutineAddress(&ustrKeSetAffinityThread);
    
38. LONG Count = 0;
    
39. for (LONG i = 0; i < Processor; i++)
    
40. {
    
41.    LONG a = Processor & (1 << i);
    
42.    if (a != 0)
    
43.    {
    
44.     KeSetAffinityThread(KeGetCurrentThread(), (KAFFINITY)a);
    
45.     Idt = KeGetPcr()->IdtBase;//主要是巨硬封装好的函数
    
46.     g_ppIdtEntry[Count] = Idt;
    
47.     DbgPrint("%d  %p \r\n", Count, g_ppIdtEntry[Count]);
    
48.     Count++;
    
49.     continue;
    
50.    }
    
51.    break;
    
52. }
    
53. }
    
54. VOID IDTUnload(IN PDRIVER_OBJECT DriverObject)
    
55. {
    
56. DbgPrint("卸载成功");
    
57. ExFreePoolWithTag(g_ppIdtEntry, 'gidt');
    
58. }
    
59. NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath)
    
60. {
    
61. NTSTATUS Status = STATUS_SUCCESS;
    
62. 
    
63. g_ppIdtEntry = (PKIDTENTRY64 *)ExAllocatePoolWithTag(NonPagedPool, sizeof(PKIDTENTRY64) * KeNumberProcessors,'gidt');
    
64. if (!MmIsAddressValid(g_ppIdtEntry))
    
65. {
    
66.    DbgPrint("g_ppIdtEntry Error ");
    
67.    return Status;
    
68. }
    
69. GetIDT();
    
70. for (size_t i = 0; i < KeNumberProcessors; i++)
    
71. {
    
72.    DbgPrint("%0.8X %0.8X %0.8X %p\r\n",
    
73.     g_ppIdtEntry[0].OffsetHigh,
    
74.     g_ppIdtEntry[0].OffsetMiddle,
    
75.     g_ppIdtEntry[0].OffsetLow,
    
76.     (((ULONGLONG)g_ppIdtEntry[0].OffsetHigh << 32) |               //(直接+也可以)
    
77.     ((ULONGLONG)g_ppIdtEntry[0].OffsetMiddle << 16) |
    
78.     (ULONG)g_ppIdtEntry[0].OffsetLow));
    
79. }
    
80. 
    
81. DriverObject->DriverUnload = IDTUnload;
    
82. return Status;
    
83. }

复制代码