Table of Contents
Viewing the SSDT and the ShadowSSDT table.
I. SSDT table
1. What is the SSDT table
The SSDT (System Service Descriptor Table) is the kernel's system service table. Most of the API functions we call from ring 3 end up dispatching through an entry of the SSDT into the kernel.
2. Viewing it
1. Using the x command
Prerequisite: kernel symbols must be loaded correctly, otherwise the names below will not resolve.
x nt!kes*des*table*
KeServiceDescriptorTableShadow is the ShadowSSDT table.
KeServiceDescriptorTable is the SSDT table.
2. Check the values at the address
Use the dd command to view the values stored at that address, as follows.
The first selected value is the start address of the SSDT (the service table base). The value 0x11C that follows it
is the number of entries in the table.
We can use the dds command to view the table itself.
For the dds command, see the lecture on WinDbg debugger commands.
dds Address L11C
This command dumps 0x11C DWORDs starting at the given address and resolves each value as a symbol (dds = dump DWORDs with symbols).
Shown below:
If symbols are loaded, you can see the function name that each of these entries points to.
You can then use uf on any of them to disassemble the whole function.
II. ShadowSSDT table
1. What is the ShadowSSDT table
All GUI-related calls from ring 3 (the win32k.sys services behind user32/gdi32) go through this table.
2. How to view it
The ShadowSSDT is not mapped in the System process (win32k's table lives in session space, so in that context dd/dds only show unreadable memory). So we have to switch to the address space of a GUI process to view it.
1. Run the mspaint (Paint) tool on the system.
2. Break into the target in WinDbg.
3. Enter the command that lists brief information on all processes:
!process 0 0
4. Find the EPROCESS structure of mspaint and switch to that process context:
.process /p EPROCESSADDRESS
5. Use the x command to look up the ShadowSSDT:
x nt!*kes*des*table*
As follows:
6. View the ShadowSSDT.
The ShadowSSDT descriptor sits right next to the SSDT descriptor. When we viewed the SSDT above, the ShadowSSDT was not mapped,
so it was not visible. Now look at it again, as in the figure above: it has a start address and an entry count.
Whether it is the SSDT or the ShadowSSDT, the descriptor records how many entries the table holds (the third DWORD, 0x11C for the SSDT above).
Note that this is a count of entries, not a byte size: under 32-bit each function address is 4 bytes, so the table occupies count * 4 bytes, and dds <base> L<count> prints every entry.
The functions in this table are all used for drawing.
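The layout that the dd and dds commands above are reading, as an added example in C that is not part of the original article: it builds a constructed 32-bit memory snapshot containing a service descriptor (base, counter table, count, parameter table) and walks the service table exactly the way dds <base> L<count> does. Every address, the kernel image range, the entry count of 8 and the redirected entry 5 are assumptions made for the example. It goes one step beyond the article by flagging entries that resolve outside the kernel image, which is what you look for when checking whether the table has been hooked (for the ShadowSSDT the expected module would be win32k.sys instead of ntoskrnl).

```c
/*
 * Added example, not code from the original article: read a 32-bit
 * service descriptor from a constructed memory snapshot the same way the
 * dd / dds commands above read it from the live kernel.
 *
 * Assumed 32-bit layout (all addresses below are constructed):
 *   +0x0 ServiceTableBase          (what "dds <base> L<n>" walks)
 *   +0x4 ServiceCounterTableBase   (0 on free builds)
 *   +0x8 NumberOfServices          (0x11C on the system in the article)
 *   +0xC ParamTableBase
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* constructed ntoskrnl image range; for the ShadowSSDT use win32k's range */
#define KERNEL_LO 0x80400000u
#define KERNEL_HI 0x80700000u

/* constructed snapshot: descriptor, then service table, then param table */
#define SNAPSHOT_BASE    0x80500000u
#define SSDT_DESC_VA     (SNAPSHOT_BASE + 0x000u)
#define SERVICE_TABLE_VA (SNAPSHOT_BASE + 0x100u)
#define PARAM_TABLE_VA   (SNAPSHOT_BASE + 0x200u)
#define SERVICE_COUNT    8u   /* small constructed table; the article's has 0x11C */

static uint8_t snapshot[0x400];

typedef struct {
    uint32_t service_table_base;
    uint32_t service_counter_table_base;
    uint32_t number_of_services;
    uint32_t param_table_base;
} service_descriptor;

/* Little-endian DWORD read with a bounds check (one DWORD of "dd").
 * Returns 0 for an address the snapshot does not map, the case where
 * WinDbg prints ???????? in the wrong process context. */
static int read_dword(uint32_t va, uint32_t *out) {
    if (va < SNAPSHOT_BASE || va - SNAPSHOT_BASE + 4 > sizeof snapshot) return 0;
    memcpy(out, snapshot + (va - SNAPSHOT_BASE), 4);
    return 1;
}

static void write_dword(uint32_t va, uint32_t value) {
    memcpy(snapshot + (va - SNAPSHOT_BASE), &value, 4);
}

/* Equivalent of "dd nt!KeServiceDescriptorTable L4": four DWORDs. */
static int read_descriptor(uint32_t va, service_descriptor *d) {
    return read_dword(va + 0x0, &d->service_table_base) &&
           read_dword(va + 0x4, &d->service_counter_table_base) &&
           read_dword(va + 0x8, &d->number_of_services) &&
           read_dword(va + 0xC, &d->param_table_base);
}

/* The third DWORD is an entry count, not a byte size: 4 bytes per entry. */
static uint32_t table_size_bytes(const service_descriptor *d) {
    return d->number_of_services * 4u;
}

/* Walk the table like "dds <base> L<count>" and return how many entries
 * resolve outside [lo, hi). Genuine entries point into the owning module,
 * so anything outside it is the first sign of a hooked slot. */
static int walk_service_table(const service_descriptor *d, uint32_t lo,
                              uint32_t hi, int verbose) {
    int outside = 0;
    for (uint32_t i = 0; i < d->number_of_services; i++) {
        uint32_t fn;
        if (!read_dword(d->service_table_base + i * 4u, &fn)) return -1;
        int inside = (fn >= lo && fn < hi);
        if (!inside) outside++;
        if (verbose)
            printf("%08x  %08x  %s\n", d->service_table_base + i * 4u, fn,
                   inside ? "inside kernel image" : "OUTSIDE kernel image");
    }
    return outside;
}

/* Constructed snapshot; entry 5 is redirected to a driver address outside
 * the kernel image to show what a hooked slot looks like. */
static void build_snapshot(void) {
    memset(snapshot, 0, sizeof snapshot);
    write_dword(SSDT_DESC_VA + 0x0, SERVICE_TABLE_VA);
    write_dword(SSDT_DESC_VA + 0x4, 0);
    write_dword(SSDT_DESC_VA + 0x8, SERVICE_COUNT);
    write_dword(SSDT_DESC_VA + 0xC, PARAM_TABLE_VA);
    for (uint32_t i = 0; i < SERVICE_COUNT; i++)
        write_dword(SERVICE_TABLE_VA + i * 4u, 0x80580000u + i * 0x40u);
    write_dword(SERVICE_TABLE_VA + 5u * 4u, 0xF7A01000u); /* constructed hook */
}

/* Results on the constructed snapshot, exposed as functions for checking. */
uint32_t example_number_of_services(void) {
    service_descriptor d; build_snapshot();
    return read_descriptor(SSDT_DESC_VA, &d) ? d.number_of_services : 0;
}
uint32_t example_table_size_bytes(void) {
    service_descriptor d; build_snapshot();
    return read_descriptor(SSDT_DESC_VA, &d) ? table_size_bytes(&d) : 0;
}
int example_entries_outside_kernel(void) {
    service_descriptor d; build_snapshot();
    if (!read_descriptor(SSDT_DESC_VA, &d)) return -1;
    return walk_service_table(&d, KERNEL_LO, KERNEL_HI, 0);
}

int main(void) {
    service_descriptor d;
    build_snapshot();
    if (!read_descriptor(SSDT_DESC_VA, &d)) return 1;
    printf("base %08x counter %08x count %08x params %08x (%u bytes)\n",
           d.service_table_base, d.service_counter_table_base,
           d.number_of_services, d.param_table_base, table_size_bytes(&d));
    int outside = walk_service_table(&d, KERNEL_LO, KERNEL_HI, 1);
    printf("%d entries outside the kernel image\n", outside);
    return 0;
}
```

The dd line of main corresponds to the four DWORDs shown in the article's screenshot, and the walk corresponds to dds <base> L<count>; the count (not count/4 or size/4) is what drives the loop, which is why the article's dds Address L11C prints the whole table.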
III. Tools
Process Monitor
This tool is a process monitoring tool; it can monitor the activity of all processes.
Today's Huorong Sword (火绒剑) can do this as well.
As shown below:
Microsoft download address:
https://docs.microsoft.com/zh-cn/sysinternals/downloads/procmon
Tool interface
You can set filters to narrow down the events. For example, if you only want to see process creation, add a filter on that operation.
Process Explorer
Microsoft download address:
https://docs.microsoft.com/zh-cn/sysinternals/downloads/process-explorer
This tool lets you view processes in real time, and also suspend processes and perform other operations on them.