我已经获得了SSDT地址并将其附加到csrss.exe; 但是蓝屏,我该怎么办?
PEPROCESS getProcessByName(PCSZ processName)
{
PEPROCESS process = NULL;
SIZE_T processNameLen = strlen(processName);
ULONG pid = 4;
PCSZ processNameGet;
while (pid < 0x186a0)
{
if (NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)pid, &process)))
{
processNameGet = (PCSZ)PsGetProcessImageFileName1(process);
ObDereferenceObject(process);
if (_strnicmp(processName, processNameGet, processNameLen) == 0)
return process;
}
pid += 4;
}
return NULL;
}
PVOID getShadowSSDTFunction(unsigned int id)
{
PVOID shadowSSDT = (PVOID)GetKeServiceDescriptorTableShadow64();
if (!shadowSSDT)
return NULL;
PKPROCESS csrss = getProcessByName("csrss.exe");
if (!csrss)
return NULL;
KAPC_STATE apc;
PVOID function;
KeStackAttachProcess(csrss, &apc);
ULONG64 shadowSSDTTable = *(ULONG64 *)((PCHAR)shadowSSDT + 0x20);
LONG32 *shadowSSDTEntry = (LONG32 *)shadowSSDTTable;
LONG32 offset = shadowSSDTEntry[id] >> 4;
function = (PVOID)(offset + shadowSSDTTable);
KeUnstackDetachProcess(&apc);
return function;
}
我已经获得了SSDT地址并将其附加到csrss.exe; 但是蓝屏,我该怎么办?