流沙团
[驱动开发] 遍历IDT表
2018-12-6 流沙团


没啥技术含量



主要就是用 sidt 指令读出 IDTR(IDT 的基址和界限),再按每项 8 字节遍历整张表。下面的代码使用内联汇编,只适用于 32 位 x86。







详细代码







#include <ntddk.h>

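/* Win32-style names mapped onto the kernel integer types. */
#define WORD USHORT
#define DWORD ULONG

/*
 * Build a 32-bit value from two 16-bit halves: a is the low word, b is the
 * high word. Every argument and the whole expansion are parenthesized so the
 * macro keeps its meaning when an argument is an expression or when the
 * result is used inside a larger expression (comparison, masking, ...).
 */
#define MAKELONG(a,b) ((DWORD)(((DWORD)((USHORT)(a))) | (((DWORD)(b)) << 16)))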

/*
 * Memory image that the 32-bit SIDT instruction stores: a 16-bit limit
 * followed by a 32-bit base. The base is declared as two USHORT halves, so
 * the structure is three 16-bit fields (6 bytes) with no alignment padding;
 * readIDTinfo() joins the halves with MAKELONG.
 * NOTE(review): in 64-bit mode SIDT stores a 10-byte image, which would not
 * fit this structure - this layout is for 32-bit x86 only.
 */
typedef struct _IDTR{
USHORT IDT_limit;   /* offset of the last valid byte of the table (size in bytes - 1) */
USHORT IDT_LOWbase; /* bits 0..15 of the table's linear base address */
USHORT IDT_HIGbase; /* bits 16..31 of the table's linear base address */
}IDTR, *PIDTR;

/*
 * Overlay for one IDT gate descriptor. readIDTinfo() treats each entry as
 * 8 bytes (it divides the table limit by 8) and only reads LowOffset and
 * HiOffset; the bit-fields in between are not used by this file.
 * NOTE(review): the bit-field names for the access byte (gate_type ... P) do
 * not obviously line up with the type/S/DPL/P bits of the x86 gate
 * descriptor - confirm against the Intel SDM before relying on them.
 * NOTE(review): bit-field packing is compiler-defined; the 8-byte size is
 * assumed, not enforced (readIDTinfo prints sizeof so it can be checked).
 */
typedef struct _IDTENTRY
{
unsigned short LowOffset;               /* handler offset, bits 0..15 */
unsigned short selector;                /* code segment selector used for the handler */
unsigned char retention : 5;            /* low five bits of byte 4 */
unsigned char zero1 : 3;                /* high three bits of byte 4 */
unsigned char gate_type : 1;            /* byte 5, bit 0 */
unsigned char zero2 : 1;                /* byte 5, bit 1 */
unsigned char interrupt_gate_size : 1;  /* byte 5, bit 2 */
unsigned char zero3 : 1;                /* byte 5, bit 3 */
unsigned char zero4 : 1;                /* byte 5, bit 4 */
unsigned char DPL : 2;                  /* descriptor privilege level, byte 5 bits 5..6 */
unsigned char P : 1;                    /* present flag, byte 5 bit 7 */
unsigned short HiOffset;                /* handler offset, bits 16..31 */
} IDTENTRY, *PIDTENTRY;

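/*
 * Print the base, limit and every handler offset of the interrupt descriptor
 * table to the kernel debugger.
 *
 * SIDT reads the IDTR of the processor that executes it, and every logical
 * processor has its own IDTR. The output therefore describes a single CPU;
 * a tool that audits handler addresses (for example to spot entries pointing
 * outside the expected kernel image) has to repeat the read on each one.
 *
 * 32-bit x86 only: the IDTR structure holds the 6-byte image stored by SIDT
 * in protected mode, and MSVC inline assembly is not available for x64.
 */
void readIDTinfo(void)
{
    IDTR idt;
    ULONG idtBase;
    ULONG entryCount;
    ULONG uIndex;
    PIDTENTRY PIdtData;

    __asm {
        SIDT idt
    }

    /*
     * The limit is the offset of the last valid byte, so the table holds
     * limit + 1 bytes. Dividing the raw limit by 8 drops the final entry
     * (0x7FF / 8 == 255 although the table has 256 gates).
     */
    entryCount = ((ULONG)idt.IDT_limit + 1) / (ULONG)sizeof(IDTENTRY);

    /* Zero-pad both halves: without it a low word such as 0x0400 prints as "400". */
    DbgPrint("idtbase: 0x%04X%04X, limit: 0x%X, entries: %u",
             idt.IDT_HIGbase, idt.IDT_LOWbase, idt.IDT_limit, entryCount);
    idtBase = MAKELONG(idt.IDT_LOWbase, idt.IDT_HIGbase);
    DbgPrint("base: 0x%X", idtBase);

    /* List every IDT entry in order. */
    PIdtData = (PIDTENTRY)idtBase;
    DbgPrint("sizeof(IntData): %u", (ULONG)sizeof(PIdtData[0]));
    for (uIndex = 0; uIndex < entryCount; uIndex++)
    {
        /* The handler address is split across the first and last word of the gate. */
        DbgPrint("%u, 0x%X", uIndex,
                 MAKELONG(PIdtData[uIndex].LowOffset, PIdtData[uIndex].HiOffset));
    }
}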


/*
 * Unload callback registered by DriverEntry. The driver creates no device
 * objects and allocates nothing, so the routine only logs that it ran.
 */
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    (void)pDriverObject;    /* not needed: there is nothing to release */

    DbgPrint("DriverUnload");
}


/*
 * Driver entry point: registers the unload routine so the driver can be
 * removed again, dumps the IDT once, and reports success.
 * RegistryPath is not used.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath)
{
    /* Without an unload routine the driver could not be unloaded. */
    pDriverObject->DriverUnload = DriverUnload;

    /* One-shot dump; output goes to the kernel debugger via DbgPrint. */
    readIDTinfo();

    DbgPrint("DriverEntry");
    return STATUS_SUCCESS;
}

