Fix SSDT entry

SSDT entries can be negative, so signed int is used
2020-07-24 21:44:29 +07:00 · 2020-07-24 21:44:29 +07:00 · 967684f140
commit 967684f140
parent 2d7576b1e2
2 changed files with 8 additions and 5 deletions
--- a/src/bin/kernel_module_traverse.rs
+++ b/src/bin/kernel_module_traverse.rs
@ -27,7 +27,7 @@ fn main() -> Result<(), Box<dyn Error>> {
    // }
    println!("=============================================");
    for r in unloaded.iter() {
-        println!("{:#}", r.to_string());
+        println!("{:#}", r);
    }
    println!("=============================================");
    for (idx, func) in ssdt.iter().enumerate() {
@ -65,7 +65,7 @@ fn main() -> Result<(), Box<dyn Error>> {
            println!("\towned by nt!{}", funcname);
        }
        else if let Some(owner_) = owner {
-            println!("\towned by {}", owner_);
+            println!("\\thooked by {}", owner_);
        }
        else {
            println!("\tmissing owner");
--- a/src/lib.rs
+++ b/src/lib.rs
@ -573,12 +573,15 @@ pub fn ssdt_table(driver: &DriverState) -> BoxResult<Vec<u64>> {
    let servicetable = ntosbase.clone() + driver.pdb_store.get_offset_r("KiServiceTable")?;
    let servicelimit_ptr = ntosbase.clone() + driver.pdb_store.get_offset_r("KiServiceLimit")?;
    // TODO: Shifting is wrong, Rust seems to do arithmetic shift
    let servicelimit = driver.deref_addr_new::<u32>(servicelimit_ptr.address()) as u64;
    let ssdt: Vec<u64> = driver
-        .deref_array::<u32>(&servicetable, servicelimit)
+        .deref_array::<i32>(&servicetable, servicelimit)
        .iter()
-        .map(|entry| servicetable.address() + ((*entry as u64) >> 4))
+        .map(|entry| {
            // the entry can be negative, we need to do calculation using signed int
            // and convert back to unsigned int for address
            ((servicetable.address() as i64) + ((*entry >> 4) as i64)) as u64
        })
        .collect();
    Ok(ssdt)
 }