Windows驱动开发学习记录-Windbg打印SSDT脚本


一、脚本（请以 `$$>< <脚本路径>` 执行：`.for`/`.if` 的语句块跨多行，需要把整个文件作为一个命令块加载）

  • x86环境

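 $$ Dump the x86 SSDT (nt!KeServiceDescriptorTable): ordinal, slot address, handler address, symbol.
$$ Run with  $$>< <path>  so the multi-line .for body is loaded as a single command block.
$$ x86 descriptor layout: +0x0 ServiceTableBase, +0x4 ServiceCounterTableBase, +0x8 NumberOfServices.
$$ On x86 every 4-byte table entry is the absolute address of the service routine.
$$ Security note: a handler that does not resolve to an nt! symbol (or to no symbol at all)
$$ points outside ntoskrnl and marks a hooked or redirected SSDT slot.

r $t1 = nt!KeServiceDescriptorTable;
r $t2 = poi(@$t1 + 0x8);           $$ NumberOfServices
r $t1 = poi(@$t1);                 $$ ServiceTableBase (KiServiceTable)

.printf "\n\nKeServiceDescriptorTable->KiServiceTable:  %p\nKeServiceDescriptorTable->Count: %d\n", @$t1, @$t2;
.printf "\nOrd   Address   fnAddr   Symbols\n";
.printf "--------------------------------\n\n";

$$ Use < instead of != so a wrong count (bad symbols) cannot run the loop past the table.
.for (r $t0 = 0; @$t0 < @$t2; r $t0 = @$t0 + 1)
{
    r $t3 = poi(@$t1 + @$t0 * 4);  $$ absolute handler address

    $$ Columns match the header: Ord, slot Address, fnAddr (DML link: click to disassemble), Symbols.
    $$ Exactly one argument per format specifier.
    .printf /D "[%3d] %p  <link cmd=\"u %p\">%p</link> (%y)\n", @$t0, @$t1 + @$t0 * 4, @$t3, @$t3, @$t3;
}

.printf "\n- end -\n";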
  • x64环境

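 $$ Dump the x64 SSDT (nt!KeServiceDescriptorTable): ordinal, slot address, handler address, symbol.
$$ Run with  $$>< <path>  so the multi-line .for/.if bodies are loaded as a single command block.
$$ x64 descriptor layout: +0x00 ServiceTableBase, +0x08 ServiceCounterTableBase, +0x10 NumberOfServices.
$$ On x64 every 4-byte entry is a signed offset relative to KiServiceTable, shifted left by 4
$$ (the low 4 bits hold the stack-argument count):  handler = KiServiceTable + (entry >> 4).
$$ Security note: a handler that does not resolve to an nt! symbol (or to no symbol at all)
$$ points outside ntoskrnl and marks a hooked or redirected SSDT slot.

r $t1 = nt!KeServiceDescriptorTable;
r $t2 = poi(@$t1 + 0x10);          $$ NumberOfServices
r $t1 = poi(@$t1);                 $$ ServiceTableBase (KiServiceTable)

.printf "\n\nKeServiceDescriptorTable->KiServiceTable:  %p\nKeServiceDescriptorTable->Count: %d\n", @$t1, @$t2;
.printf "\nOrd   Address   fnAddr   Symbols\n";
.printf "--------------------------------\n\n";

$$ Use < instead of != so a wrong count (bad symbols) cannot run the loop past the table.
.for (r $t0 = 0; @$t0 < @$t2; r $t0 = @$t0 + 1)
{
    r $t3 = dwo(@$t1 + @$t0 * 4);  $$ 32-bit entry, already zero-extended (no mask needed)

    .if (@$t3 & 0x80000000)
    {
        $$ Negative offset: sign-extend the shifted value, the 64-bit add wraps, i.e. subtracts.
        r $t3 = @$t1 + ((@$t3 >> 4) | 0xFFFFFFFF`F0000000);
    }
    .else
    {
        r $t3 = @$t1 + (@$t3 >> 4);
    }

    $$ Columns match the header: Ord, slot Address, fnAddr (DML link: click to disassemble), Symbols.
    $$ Exactly one argument per format specifier.
    .printf /D "[%3d] %p  <link cmd=\"u %p\">%p</link> (%y)\n", @$t0, @$t1 + @$t0 * 4, @$t3, @$t3, @$t3;
}

.printf "\n- end -\n";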

二、测试效果

  • x86(Win7 x86)

  • x64(Win10 x64)