From 967684f140e598d125de596983cd5a411e8c7d4b Mon Sep 17 00:00:00 2001
From: nganhkhoa
Date: Fri, 24 Jul 2020 21:44:29 +0700
Subject: [PATCH] Fix SSDT entry

SSDT entries can be negative, so signed int is used
---
 src/bin/kernel_module_traverse.rs | 4 ++--
 src/lib.rs | 9 ++++++---
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/bin/kernel_module_traverse.rs b/src/bin/kernel_module_traverse.rs
index 99a8d3c..a80df35 100644
--- a/src/bin/kernel_module_traverse.rs
+++ b/src/bin/kernel_module_traverse.rs
@@ -27,7 +27,7 @@ fn main() -> Result<(), Box> {
 // }
 println!("=============================================");
 for r in unloaded.iter() {
- println!("{:#}", r.to_string());
+ println!("{:#}", r);
 }
 println!("=============================================");
 for (idx, func) in ssdt.iter().enumerate() {
@@ -65,7 +65,7 @@ fn main() -> Result<(), Box> {
 println!("\towned by nt!{}", funcname);
 }
 else if let Some(owner_) = owner {
- println!("\towned by {}", owner_);
+ println!("\\thooked by {}", owner_);
 }
 else {
 println!("\tmissing owner");
diff --git a/src/lib.rs b/src/lib.rs
index 0a91713..6d915a6 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -573,12 +573,15 @@ pub fn ssdt_table(driver: &DriverState) -> BoxResult> {
 let servicetable = ntosbase.clone() + driver.pdb_store.get_offset_r("KiServiceTable")?;
 let servicelimit_ptr = ntosbase.clone() + driver.pdb_store.get_offset_r("KiServiceLimit")?;
- // TODO: Shifting is wrong, Rust seems to do arithmetic shift
 let servicelimit = driver.deref_addr_new::(servicelimit_ptr.address()) as u64;
 let ssdt: Vec = driver
- .deref_array::(&servicetable, servicelimit)
+ .deref_array::(&servicetable, servicelimit)
 .iter()
- .map(|entry| servicetable.address() + ((*entry as u64) >> 4))
+ .map(|entry| {
+ // the entry can be negative, we need to do calculation using signed int
+ // and convert back to unsigned int for address
+ ((servicetable.address() as i64) + ((*entry >> 4) as i64)) as u64
+ })
 .collect();
 Ok(ssdt)
 }
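Review bot: `println!("\\thooked by {}", owner_);` on the added line in the second kernel_module_traverse.rs hunk escapes the backslash, so it prints a literal `\t` instead of the tab that the neighbouring `\towned by nt!{}` and `\tmissing owner` lines emit, leaving the hooked-by entry misaligned in the listing. Unless the doubled backslash is an artefact of how this patch was captured, the line should read `println!("\thooked by {}", owner_);`. The relabelling from "owned by" to "hooked by" also turns any owner outside nt into a hook verdict, which is a stronger claim than the branch checks for; a short comment on the `else if` stating that assumption would help whoever reads the output. main() starts and ends outside this hunk.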
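Review bot: The added closure in the src/lib.rs hunk, `((servicetable.address() as i64) + ((*entry >> 4) as i64)) as u64`, round-trips the table base through i64 only to add a sign-extended offset; `servicetable.address().wrapping_add((*entry >> 4) as i64 as u64)` yields the same address bits without the signed detour and cannot trigger a debug-build overflow panic. The new comment says entries can be negative but not why the removed TODO about arithmetic shift is now resolved; I would replace it with `// SSDT entries are signed, 4-bit-shifted offsets from KiServiceTable; >> on the signed element type is an arithmetic shift, which is exactly the decode that is needed`. The generic argument of `deref_array::<…>` is not visible on this page, so this assumes the element type is now a signed 32-bit integer. Separately, `servicelimit` is read from the target and handed to `deref_array` as the element count with no upper bound, so a corrupted value makes the tool attempt a huge read; a sanity cap before that call would be cheap.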