查找SSDT HOOK的过程

lkd> dd keservicedescriptortable
808a8320  80834bf0 00000000 00000128 80835094   //SSDT表
808a8330  00000000 00000000 00000000 00000000
808a8340  00000008 00002710 bf89ccc3 00000000
808a8350  8aeaa4b8 8b103140 8af0ba70 80a72380
808a8360  00000000 00000000 ffc46536 ffffffff
808a8370  3c2e67f6 01cae297 00000000 00000000
808a8380  00000000 00000000 00000000 00000000
808a8390  00000000 00000000 00000000 00000000
lkd> u zwopenprocess
nt!ZwOpenProcess:
8082fa38 b880000000      mov     eax,80h    //在SSDT中的位置是0x80
8082fa3d 8d542404        lea     edx,[esp+4]
8082fa41 9c              pushfd
8082fa42 6a08            push    8
8082fa44 e8f1b70500      call    nt!KiSystemService (8088b23a)
8082fa49 c21000          ret     10h
nt!ZwOpenProcessToken:
8082fa4c b881000000      mov     eax,81h
8082fa51 8d542404        lea     edx,[esp+4]
lkd> dd 0x80834bf0+80*4    //查找被HOOK的值（WinDbg 默认十六进制，80*4 = 0x200，即服务号 0x80 对应的表项）
80834df0  a761c1aa 8096a8dc 8096a544 809287fa
80834e00  80994094 8093fb5e 80946fc8 8096a8fa
80834e10  8096a6b2 80995dea 8091c562 80944bc0
80834e20  80975070 80971200 809713de 8093405c
80834e30  8098d854 808ee714 80995cc4 80995cc4
80834e40  8088963c 8098ed18 80990522 808f1b7c
80834e50  809388f6 80995cc4 808f1ece 8098d918
80834e60  808ee894 80994f94 808f2726 80951e4e
lkd> u a761c1aa    //新的函数（该表项已不再指向 nt 模块，下方显示其位于 lt.sys 中）
*** ERROR: Module load completed but symbols could not be loaded for \??\G:\WINDOWS\system32\lt.sys
lt+0x31aa:
a761c1aa 8bff            mov     edi,edi
a761c1ac 55              push    ebp
a761c1ad 8bec            mov     ebp,esp
a761c1af 83ec10          sub     esp,10h
a761c1b2 56              push    esi
a761c1b3 8b7514          mov     esi,dword ptr [ebp+14h]
a761c1b6 57              push    edi
a761c1b7 33c0            xor     eax,eax
