#include "SSDT.h"
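/*
 * Locate nt!KeServiceDescriptorTable by scanning forward from the SYSCALL
 * entry point.
 *
 * IA32_LSTAR (MSR 0xC0000082) holds the address the CPU jumps to on
 * SYSCALL. nt!KiSystemServiceRepeat, reached from that entry, loads the
 * descriptor table with a RIP-relative `lea r10,[nt!KeServiceDescriptorTable]`
 * (4c 8d 15 disp32), followed 7 bytes later by `lea r11,[...]` (4c 8d 1d
 * disp32) and then `test dword ptr [rbx+..]` (f7 43). The loop matches
 * those opcode bytes at fixed distances and resolves the first lea's
 * displacement relative to the end of that instruction.
 *
 * Returns: the address of KeServiceDescriptorTable, or NULL when the
 * pattern is not found within SCAN_LIMIT bytes of LSTAR. Callers MUST
 * handle NULL.
 *
 * Caveats:
 *  - The original author's note (GBK text mis-decoded on the page) appears
 *    to read "KVA shadow not handled yet": with KVA shadow enabled, LSTAR
 *    points at the shadow entry stub rather than KiSystemCall64, and the
 *    pattern may lie outside the scan window.
 *  - The pattern is build-specific, and the 0x8d ModRM byte at i+1 / i+8
 *    is deliberately left unchecked to keep the original's matching rules.
 *  - rel32 is a signed displacement; the original zero-extended it via
 *    ULONG, which computes a wrong address whenever the table sits below
 *    the code. LONG (sign-extended) is used here.
 *  - Reading LSTAR and resolving the SSDT from a third-party driver is a
 *    well-known rootkit primitive and a clear detection signal; on x64,
 *    modifications to the table are caught by Kernel Patch Protection.
 */
ULONG64* GetSSDTBase(void)
{
    enum { SCAN_LIMIT = 1024 };       /* bytes past LSTAR to examine; reads up to +15 beyond */
    ULONG64 lstar = __readmsr(0xC0000082);
    for (int i = 0; i < SCAN_LIMIT; i++)
    {
        PUCHAR p = (PUCHAR)(lstar + i);
        if (p[0] != 0x4c || p[2] != 0x15)   /* lea r10,[rip+disp32] */
            continue;
        if (p[7] != 0x4c || p[9] != 0x1d)   /* lea r11,[rip+disp32] */
            continue;
        if (p[14] != 0xf7 || p[15] != 0x43) /* test dword ptr [rbx+..] */
            continue;

        ULONG64 KiSystemServiceRepeat = lstar + i;
        /* disp32 of the first lea is signed; sign-extend, do not zero-extend. */
        LONG disp = *(LONG*)(p + 3);
        /* Target = address of next instruction (+7, lea length) + displacement. */
        return (ULONG64*)(KiSystemServiceRepeat + 7 + (ULONG64)disp);
    }
    return NULL;
}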
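/*
 * Resolve the kernel address of one system service from its SSDT entry.
 *
 * The service index is hard-coded to 0x002c, which the original author
 * labels NtTerminateProcess. System service numbers change between Windows
 * builds, so this value is only valid for the build it was taken from and
 * must be verified against the target; it is not a stable contract.
 *
 * Decoding follows the original's `>> 4` then `+ base` scheme: on x64 each
 * KiServiceTable entry is a signed 32-bit value holding
 * (function - ServiceTableBase) << 4 with the argument count in the low
 * four bits. The original read the entry as ULONG and used a logical
 * shift, which yields a wrong address for any entry whose offset is
 * negative; a signed LONG with an arithmetic shift (MSVC guarantees
 * arithmetic >> on signed types) is used here.
 *
 * Returns: the resolved address, or 0 when GetSSDTBase() could not locate
 * the descriptor table. The original dereferenced the NULL pointer in that
 * case, which bugchecks the machine.
 */
ULONG64 GetNTAPIAddress(void)
{
    const ULONG SyscallNumber = 0x002c;     /* NtTerminateProcess per original note; build-specific */
    ULONG64* ssdt = GetSSDTBase();
    if (ssdt == NULL)
        return 0;                           /* pattern scan failed (e.g. KVA shadow); do not deref */

    ULONG64 ServiceTableBase = *ssdt;       /* first field of the descriptor is the table base */
    LONG entry = *(LONG*)(ServiceTableBase + SyscallNumber * 4);
    /* Conversion of a negative LONG to ULONG64 wraps mod 2^64, so the add
     * below behaves as a signed offset from the table base. */
    return ServiceTableBase + (ULONG64)(entry >> 4);
}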