GetKernelBase

.CODE
PUBLIC GetKernelBase
;-----------------------------------------------------------------------
; ULONG_PTR GetKernelBase(void)
; Syntax: MASM (ml64), Intel operand order
; ABI:    Microsoft x64; kernel mode only (reads gs:[18h] and IDT memory)
; In:     none
; Out:    rax = 4 KiB-aligned address referenced by a backward
;         "lea rbx, [rip-disp32]" located while scanning code pages
;         below the IDT entry-0 handler region; the page presents it as
;         the kernel image base -- the routine itself does not verify that
; Clobb:  rcx, rdx, r8, flags (all volatile under the MS x64 ABI)
; Stack:  none (leaf, no locals)
; NOTE(review): the only exit is a pattern match. If the byte pattern
;         never occurs, the scan walks downward page by page without a
;         lower bound until it touches an unmapped page and faults
;         (a bugcheck in kernel mode). The pattern is build-specific.
;-----------------------------------------------------------------------
GetKernelBase PROC
mov rax, qword ptr gs:[18h] ;KPCR (Self pointer at KPCR+18h; kernel-mode gs base)
mov rcx, [rax+38h] ;IdtBase (KPCR+38h)
mov rax, 0FFFFFFFFFFFFF000h
and rax, [rcx+4h] ;(IdtBase + 4) & 0xFFFFFFFFFFFFF000
; The qword at IDT+4 straddles entry 0's IST/type bytes and the middle/high
; bytes of its handler offset, so after the mask rax is a page-aligned
; address in the same 64 KiB window as the first handler, not necessarily
; the handler's own page.
; NOTE(review): assumes that page (and every page scanned below it) is
; mapped -- confirm against the target kernel's layout.
jmp while_start
search_mem_start:
add rax, 0FFFFFFFFFFFFF000h ; rax -= 1000h: step to the previous page
while_start:
xor ecx, ecx ; rcx = byte offset within the current page, 0..0FF8h
jmp search_mem_check
search_mem_next:
add rcx, 1
cmp rcx, 0FF9h ; highest byte read is rcx+6 = 0FFEh, so probes stay inside the page
jz search_mem_start
search_mem_check:
; Pattern: 48 8D 1D <disp32> with the top byte of disp32 = 0FFh,
; i.e. "lea rbx, [rip + disp32]" (REX.W, opcode 8Dh, ModRM 1Dh = rbx,
; RIP-relative) with a negative displacement (a backward reference).
cmp byte ptr[rax+rcx], 48h
jnz search_mem_next
cmp byte ptr[rax+rcx+1], 8Dh
jnz search_mem_next
cmp byte ptr[rax+rcx+2], 1Dh
jnz search_mem_next
cmp byte ptr[rax+rcx+6], 0FFh
jnz search_mem_next
mov r8d,[rax+rcx+3] ; r8d = disp32 of the candidate lea
lea edx,[rcx+r8] ; edx = offset + disp32 (32-bit arithmetic only)
add edx, eax ; + low 32 bits of the page address
add edx, 7 ; + instruction length: low 32 bits of the RIP-relative target
test edx, 0FFFh ; accept only a 4 KiB-aligned target (presumably an image base)
jnz search_mem_next
; Match: result = (upper 32 bits of the search page) | (low 32 bits of target).
; NOTE(review): the low half is computed in 32-bit, so a borrow out of
; bit 31 is discarded; the result is only correct when the target and the
; search page share the same upper 32 bits.
mov rdx, 0FFFFFFFF00000000h
and rdx, rax ; rdx = upper 32 bits of the current page address
add r8d, eax
lea eax,[rcx+r8]
add eax, 7 ; recompute the target's low 32 bits; writing eax zero-extends into rax
or rax, rdx
ret
GetKernelBase ENDP
END
