|
阅读:1407回复:0
谁说硬编码不好的,show代码
typedef enum
{ VERSION_2K, VERSION_XP, VERSION_2K3, VERSION_2K3_SP1, VERSION_MAX } WINDOWS_VERSION; typedef enum { EPROCESS_NAME, EPROCESS_PEB, EPROCESS_FLINK, EPROCESS_SECTION, ETHREAD_WIN32_START_ADDRESS, KTHREAD_LIST_ENTRY, KTHREAD_ALERTABLE, KTHREAD_APC_STATE, KTHREAD_APC_QUEUEABLE, OS_FIELD_MAX } OS_OFFSET_FIELD; extern WORD g_OsOffset[VERSION_MAX][OS_FIELD_MAX]; #define GetFieldOffset(field) (g_WindowsVer[g_OsOffset][field]) WORD g_OsOffset[VERSION_MAX][OS_FIELD_MAX] = { {0x1FC, 0x1B0, 0xA0, 0x1AC, 0x234, 0x1A4, 0x158, 0x34, 0x15A}, //2K {0x174, 0x1B0, 0x88, 0x138, 0x228, 0x1B0, 0x164, 0x34, 0x166}, //XP {0x154, 0x190, 0x88, 0x114, 0x230, 0x1AC, 0x058, 0x34, 0x109}, //2K3 {0x164, 0x1A0, 0x98, 0x124, 0x220, 0x1A8, 0x058, 0x28, 0x03F} //2K3_SP1 }; DWORD g_WindowsVer; WINDOWS_VERSION GetWindowsVersion() { PEPROCESS pSystemProcess = PsGetCurrentProcess(); WORD offset; for (offset=0; offset < PAGE_SIZE; offset++) { if(strncmp("System", (PCHAR)pSystemProcess + offset, 6) == 0) { if (g_OsOffset[VERSION_2K][EPROCESS_NAME] == offset) { KdPrint(("WINDOWS_VERSION_2K\n")); return VERSION_2K; } if (g_OsOffset[VERSION_XP][EPROCESS_NAME] == offset) { KdPrint(("WINDOWS_VERSION_XP\n")); return VERSION_XP; } if (g_OsOffset[VERSION_2K3][EPROCESS_NAME] == offset) { KdPrint(("WINDOWS_VERSION_2K3\n")); return VERSION_2K3; } if (g_OsOffset[VERSION_2K3_SP1][EPROCESS_NAME] == offset) { KdPrint(("WINDOWS_VERSION_2K3_SP1\n")); return VERSION_2K3_SP1; } return VERSION_MAX; } } return VERSION_MAX; } NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { g_WindowsVer = GetWindowsVersion(); KdPrint(("PEB Offset:%08x\n", GetFieldOffset(EPROCESS_PEB))); } |
|
