读取SSDT当前函数地址

#include "ntddk.h"

/*
 * Unload routine installed by DriverEntry. Nothing was allocated or
 * registered at load time, so the only work is a log line.
 *
 * @param driver  the driver object being unloaded; not used.
 */
VOID DriverUnload(PDRIVER_OBJECT driver)
{
    UNREFERENCED_PARAMETER(driver);

    DbgPrint("卸载成功\n\r");
}

/*
 * Local mirror of the kernel's service descriptor table layout, as read by
 * DriverEntry below. Only a pointer typedef is declared; there is no plain
 * struct typedef name. The layout and the 4-byte entry stride used with it
 * are the 32-bit ones; on 64-bit kernels the table holds relative offsets
 * and this struct would not be usable as-is.
 */
typedef struct _ServiceDescriptorTable {

    PVOID ServiceTableBase;        /* base of the service address table; DriverEntry reads it as an array of LONG */

    PVOID ServiceCounterTable;     /* per-service call counter table; not read by this file */

    unsigned int NumberOfServices; /* number of entries; the upper bound for any index into ServiceTableBase */

    PVOID ParamTableBase;          /* presumably the per-service argument-size table; not read by this file */

}*PServiceDescriptorTable;

/* Resolved against the kernel's exported symbol at link time. 64-bit kernels
 * do not export it, so this file links for x86 only. */
extern PServiceDescriptorTable KeServiceDescriptorTable;



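/*
 * DriverEntry: prints the address currently stored in the SSDT slot the
 * original code uses for NtOpenProcess (index 0x7A) and installs DriverUnload.
 *
 * This routine is 32-bit only: the original breakpoint was an x86 __asm
 * block, table entries are read as 4-byte LONG values, and
 * KeServiceDescriptorTable is only exported by x86 kernels. The slot index
 * is not stable across Windows versions, so it is kept as a named constant
 * and checked against NumberOfServices before the slot is dereferenced.
 *
 * @param driver  driver object; DriverUnload is installed on it.
 * @param str     registry path, unused.
 * @return STATUS_SUCCESS on success; STATUS_UNSUCCESSFUL when the descriptor
 *         table cannot be reached; STATUS_INVALID_PARAMETER when the index
 *         is out of range for this kernel's table.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver,PUNICODE_STRING str)
{
    /* Version-dependent slot number; value taken from the original code. */
    enum { NTOPENPROCESS_SSDT_INDEX = 0x7A };
    PLONG SSDT_Adr;
    LONG STB_addr;
    LONG SSDT_NtOpenProcess_dangqian_Addr;
    unsigned int count;

    UNREFERENCED_PARAMETER(str);

    /* The original used a bare "int 3", which bugchecks when no kernel
     * debugger is attached; only break when one is present. */
    if (!KD_DEBUGGER_NOT_PRESENT)
    {
        DbgBreakPoint();
    }

    DbgPrint("加载成功\n");

    if (KeServiceDescriptorTable == NULL ||
        KeServiceDescriptorTable->ServiceTableBase == NULL)
    {
        DbgPrint("KeServiceDescriptorTable unavailable\n");
        return STATUS_UNSUCCESSFUL;
    }

    STB_addr=(LONG)KeServiceDescriptorTable->ServiceTableBase;
    DbgPrint("当前服务表基址ServiceTableBase地址为%x \n",STB_addr);

    /* Bounds-check the slot: on a kernel with a smaller table the fixed
     * index would read past the end of ServiceTableBase. */
    count = KeServiceDescriptorTable->NumberOfServices;
    if ((unsigned int)NTOPENPROCESS_SSDT_INDEX >= count)
    {
        DbgPrint("SSDT index 0x%x out of range (NumberOfServices=%u)\n",
                 (unsigned int)NTOPENPROCESS_SSDT_INDEX, count);
        return STATUS_INVALID_PARAMETER;
    }

    /* Index the table as an array of LONG: same 4-byte stride as 0x7A*4. */
    SSDT_Adr = (PLONG)KeServiceDescriptorTable->ServiceTableBase + NTOPENPROCESS_SSDT_INDEX;
    /* %p for a pointer argument; %x with a pointer is a format mismatch. */
    DbgPrint("当前STB_addr+0x7A*4=%p \n",SSDT_Adr);

    SSDT_NtOpenProcess_dangqian_Addr=*SSDT_Adr;
    DbgPrint("当前SSDT_NtOpenProcess_Cur_Addr地址为%x\n",SSDT_NtOpenProcess_dangqian_Addr);

    driver->DriverUnload=DriverUnload;

    return STATUS_SUCCESS;
}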

 


