[k_hook::initialize] call back ptr is 0xFFFFF80B7FBA2A80
[k_hook::initialize] build number is 14393
[k_hook::initialize] ntoskrnl address is 0xFFFFF803A901C000
[k_hook::initialize] etwp debugger data is 0xFFFFF803A930EE58
[k_hook::initialize] etwp debugger data silo is 0xFFFFBF0723441390
[k_hook::initialize] ckcl wmi logger context is 0xFFFFBF0725835040
[k_hook::initialize] get cpu clock is 0xFFFFF803A905477C
[k_hook::initialize] syscall table is 0xFFFFF803A9170000
[k_hook::start] start ckcl fail
win10 version 1067: hooking the ZwQuerySystemInformation function fails
Usage:
// Resolve the address of ZwQuerySystemInformation by name
UNICODE_STRING str;
RtlInitUnicodeString(&str, L"ZwQuerySystemInformation");
fnZwQuerySystemInformation = (pfnZwQuerySystemInformation)MmGetSystemRoutineAddress(&str);