.rdata:00000001402DE4C0 KiServiceTable dq offset NtAccessCheck ; DATA XREF: KiInitializeKernel+5EF o
.rdata:00000001402DE4C8 dq offset NtWorkerFactoryWorkerReady
.rdata:00000001402DE4D0 dq offset NtAcceptConnectPort
.rdata:00000001402DE4D8 dq offset NtMapUserPhysicalPagesScatter
In Windows 10 build 14342 the table is instead an array of 32-bit offsets (IDA shows the tail as raw bytes):
.rdata:00000001402E1380 KiServiceTable dd 0DECCCh ; DATA XREF: KiInitializeKernel+600 o
.rdata:00000001402E1384 dd 0E44ECh
.rdata:00000001402E1388 dd 4E3470h
.rdata:00000001402E138C db 20h
.rdata:00000001402E138D db 0AFh ; ï
.rdata:00000001402E138E db 64h ; d
.rdata:00000001402E138F db 0
so I had to write an IDC script to convert these offsets into a readable form (a comment with the absolute address plus a data xref on every slot):
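#include <idc.idc>

// Best-effort image base of the loaded PE.
// If IDA kept the PE header as its own segment ("HEADER"), the lowest
// address of the database is the image base. Otherwise the header was
// dropped and the first section begins one page (0x1000) above the base.
// NOTE(review): this is a heuristic; on IDA versions that expose the image
// base directly (e.g. get_imagebase()) prefer that over the -0x1000 guess.
static get_pe_base()
{
    auto min_ea;

    min_ea = GetLongPrm(INF_MIN_EA);
    if ( SegByName("HEADER") != BADADDR )
        return min_ea;
    return min_ea - 0x1000;     // no header segment: assume one page was stripped
}

// Rewrite the 32-bit image-relative entries of KiServiceTable into a
// readable form: each 4-byte slot is defined as a dword, gets a comment
// holding the absolute address (image base + entry) and a data xref (dr_O)
// to that address, so the referenced routines show up as used.
//
// The entry count is read from KiServiceLimit. An implausible count aborts
// the run, and any entry that would resolve outside the loaded database is
// reported and skipped rather than turned into a bogus xref (a corrupt or
// mis-identified table must not seed analysis with garbage targets).
static main(void)
{
    auto base, limit_ea, cnt, tab, slot, entry, target, min_ea, max_ea, i;

    base = get_pe_base();

    limit_ea = LocByName("KiServiceLimit");
    if ( limit_ea == BADADDR )
    {
        Warn("Cannot find KiServiceLimit");
        return;
    }
    cnt = Dword(limit_ea);
    // Sanity ceiling: the NT system call table holds a few hundred entries
    // (0x1c2 on the build this was written for). Zero or a huge value means
    // the symbol resolved to something other than the real limit.
    if ( cnt == 0 || cnt > 0x1000 )
    {
        Warn(sprintf("Implausible KiServiceLimit value %x, aborting", cnt));
        return;
    }

    tab = LocByName("KiServiceTable");
    if ( tab == BADADDR )
    {
        Warn("Cannot find KiServiceTable");
        return;
    }

    min_ea = GetLongPrm(INF_MIN_EA);
    max_ea = GetLongPrm(INF_MAX_EA);

    for ( i = 0; i < cnt; i++ )
    {
        slot = tab + 4 * i;
        MakeDword(slot);            // define the slot before reading it
        entry = Dword(slot);
        target = base + entry;

        // Refuse to create an xref to an address the database does not
        // contain; such an entry is not an offset in this table's format.
        if ( target < min_ea || target >= max_ea )
        {
            Message("KiServiceTable[%d] at %x: value %x resolves to %x, outside the image\n",
                    i, slot, entry, target);
            continue;
        }

        MakeComm(slot, sprintf("%x", target));
        add_dref(slot, target, dr_O);
    }
}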
On this build KiServiceLimit == 0x1c2, i.e. the table has 450 entries.