4.ring0-遍历IAT(特例NTOS)

原NTOS的IAT只能通过IMAGE_DIRECTORY_ENTRY_IAT(12)来获得,因为NTOS加载完成后,以INIT方式加载的部分已被释放,所以IMAGE_DIRECTORY_ENTRY_IMPORT对应的区域已经无效了!
坑爹啊,
可以用windbg很直观的看到:
X86:


x64:
其他模块的IAT遍历代码如下(NTOS需改用IMAGE_DIRECTORY_ENTRY_IAT):
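// Returns TRUE only if both the first and the last byte of [p, p+len) are
// currently resident. MmIsAddressValid() vouches for a single page, so a
// structure that straddles a page boundary needs both ends probed.
static BOOLEAN EnumIATTable_IsRangeResident(PVOID p, SIZE_T len)
{
	if (NULL == p || 0 == len)
	{
		return FALSE;
	}
	return MmIsAddressValid(p)
		&& MmIsAddressValid((PUCHAR)p + len - 1);
}

// Walk the import directory (IMAGE_DIRECTORY_ENTRY_IMPORT) of a loaded image
// and KdPrint every bound import (module name + resolved function address).
//
// pBase: image base of a module already mapped in the current address space.
//        Untrusted: every header field is range-checked before it is followed.
//
// Returns STATUS_INVALID_IMAGE_FORMAT when the DOS/NT headers are unmapped or
// malformed; STATUS_SUCCESS otherwise (including when the image has no import
// directory, in which case nothing is printed).
//
// NOTE: on ntoskrnl the import descriptors live in memory that is discarded
// after initialization, so this walk stops at the first non-resident page;
// use IMAGE_DIRECTORY_ENTRY_IAT for that image instead.
NTSTATUS EnumIATTable(ULONG_PTR pBase)
{
	PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)pBase;
	PIMAGE_NT_HEADERS pNt = NULL;
	PIMAGE_DATA_DIRECTORY pDir = NULL;
	PIMAGE_IMPORT_DESCRIPTOR pImport = NULL;
	PIMAGE_THUNK_DATA pThunk = NULL;
	PUCHAR pName = NULL;

	// Probe the DOS header before reading e_magic; pBase is caller-supplied.
	if (!EnumIATTable_IsRangeResident(pDos, sizeof(*pDos))
		|| IMAGE_DOS_SIGNATURE != pDos->e_magic)
	{
		return STATUS_INVALID_IMAGE_FORMAT;
	}

	// e_lfanew is a signed LONG; a negative or too-small value would place the
	// NT headers before the image or on top of the DOS header.
	if (pDos->e_lfanew < (LONG)sizeof(IMAGE_DOS_HEADER))
	{
		return STATUS_INVALID_IMAGE_FORMAT;
	}

	pNt = (PIMAGE_NT_HEADERS)((PUCHAR)pBase + pDos->e_lfanew);
	if (!EnumIATTable_IsRangeResident(pNt, sizeof(*pNt))
		|| IMAGE_NT_SIGNATURE != pNt->Signature)
	{
		return STATUS_INVALID_IMAGE_FORMAT;
	}

	// An image may declare fewer data directories than IMAGE_DIRECTORY_ENTRY_IMPORT;
	// indexing past NumberOfRvaAndSizes reads beyond the optional header.
	if (pNt->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT)
	{
		return STATUS_INVALID_IMAGE_FORMAT;
	}

	pDir = &pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
	// RVA 0 means "no import directory". Without this check pImport would alias
	// pBase itself and the DOS header bytes would be walked as descriptors
	// (e_magic is non-zero, so the Name != 0 test would not stop the loop).
	if (0 == pDir->VirtualAddress)
	{
		return STATUS_SUCCESS;
	}

	pImport = (PIMAGE_IMPORT_DESCRIPTOR)((PUCHAR)pBase + pDir->VirtualAddress);

	// The descriptor array is terminated by an all-zero entry; stop as soon as
	// a descriptor is not resident (the ntoskrnl case) rather than faulting.
	while (EnumIATTable_IsRangeResident(pImport, sizeof(*pImport))
		&& pImport->Name != 0)
	{
		// Name is an RVA to a NUL-terminated ASCII string; only its first byte
		// can be probed cheaply, so a string that crosses into an unmapped page
		// is still a (pre-existing) risk for %s below.
		pName = (PUCHAR)pBase + pImport->Name;
		if (!MmIsAddressValid(pName))
		{
			pName = (PUCHAR)"<unmapped>";
		}

		// FirstThunk points at the bound IAT slots; a zero slot ends the list.
		pThunk = (PIMAGE_THUNK_DATA)((PUCHAR)pBase + pImport->FirstThunk);
		while (EnumIATTable_IsRangeResident(pThunk, sizeof(*pThunk))
			&& pThunk->u1.Function != 0)
		{
			KdPrint(("[EnumIATTable]-Import Module:%s-function:%p\r\n", pName, pThunk->u1.Function));
			pThunk++;
		}

		pImport++;
	}

	return STATUS_SUCCESS;
}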






