获取NtOpenProcess的当前地址和原函数地址

// 获取当前NtOpenProcess的地址
ULONG GetCurr_Addr()
{
    /*
    LONG *SSDT_Adr,SSDT_NtOpenProcess_Cur_Addr,t_addr; 
    KdPrint(("驱动成功被加载中.............................\n"));
    //读取SSDT表中索引值为0x7A的函数
    //poi(poi(KeServiceDescriptorTable)+0x7a*4)
    t_addr=(LONG)KeServiceDescriptorTable->ServiceTableBase;
    KdPrint(("当前ServiceTableBase地址为%x \n",t_addr));
    SSDT_Adr=(PLONG)(t_addr+0x7A*4);
    KdPrint(("当前t_addr+0x7A*4=%x \n",SSDT_Adr)); 
    SSDT_NtOpenProcess_Cur_Addr=*SSDT_Adr;    
    KdPrint(("当前SSDT_NtOpenProcess_Cur_Addr地址为%x \n",SSDT_NtOpenProcess_Cur_Addr));*/

    /* */
    ULONG SSDT_NtOpenProcess_Cur_Addr;
    //读取SSDT表中 NtOpenProcess当前地址 KeServiceDescriptorTable
    // [[KeServiceDescriptorTable]+0x7A*4] 
    __asm
    {    
        push ebx
        push eax
        mov ebx, KeServiceDescriptorTable
        mov ebx, [ebx]
        mov eax, 0x7A
        shl eax, 2     //imul eax, 4    // shl eax, 2
        add ebx, eax
        mov ebx,[ebx]
        mov SSDT_NtOpenProcess_Cur_Addr, ebx

        pop eax
        pop ebx        
    }

    KdPrint(("SSDT_NtOpenProcess_Cur_Addr=%x\n\n",SSDT_NtOpenProcess_Cur_Addr));

    return SSDT_NtOpenProcess_Cur_Addr;
}

// 获取原函数地址
ULONG GetOld_Addr()
{
    UNICODE_STRING Old_NtOpenProcess;
    ULONG Old_Addr;
    RtlInitUnicodeString(&Old_NtOpenProcess,L"NtOpenProcess");
    Old_Addr = (ULONG)MmGetSystemRoutineAddress(&Old_NtOpenProcess);
    KdPrint(("SSDT_NtOpenProcess_Old_Addr=%x\n\n", Old_Addr));

    return Old_Addr;
}