
Things that don't fit on Twitter

I want to write down events and technical things...

Obtaining the KiServiceTable and RVAs on Windows 10 64-bit

Notes from when I checked the KiServiceTable of Windows 10 with WinDbg.

Environment

Settings

VMware Player settings

Add a serial port from the settings. In VMware Player it is assigned as serial port 2.

If you are told that the virtual printer must be enabled in the preferences, change the setting in settings.ini under %programdata%\VMware\VMware Workstation to TRUE:

printers.enabled = "TRUE"

Windows 10

Configure the debug settings from msconfig; set the debug port to COM2 so that it matches the VMware Player setting.

WinDbg

Open the kernel debugging settings with Ctrl-K. Tick "pipe", enter \\.\pipe\com_1 and connect.

Obtaining the KiServiceTable

According to Windows Internals, Part 1 (6th Edition), on 32-bit the table can be obtained with

dds KiServiceTable

On 64-bit the table stores relative pointers (offsets) to the system call routines, so use the ln command to map an offset to its function: shift the entry right by 4 bits and add it to the base of KiServiceTable.

0: kd> ln @@c++(((int *)@@(nt!KiServiceTable))[3] >> 4) + nt!KiServiceTable

(fffff800`03577a80)   nt!NtReadFile   |  (fffff800`035781bc)   nt!FsRtlCurrentBatchOplock
Exact matches:
    nt!NtReadFile (<no parameter info>)

I found the method for checking the KiServiceTable and the offsets here:

KiServiceTable · GitHub

KiServiceLimit is 0x1b9

kd> dw nt!KiServiceLimit
fffff800`0410c408  01b9

KiServiceTable and addresses

.for(r $t0=0; @$t0<dwo(nt!KiServiceLimit); r $t0=@$t0+1){.printf "%y\n", nt!KiServiceTable+(dwo(nt!KiServiceTable+@$t0*4)>>4)}
fffff801`5dcf9364
fffff801`5dcfc850
nt!NtAcceptConnectPort (fffff801`4e13766c)
nt!NtMapUserPhysicalPagesScatter (fffff801`4e2aad00)
nt!NtWaitForSingleObject (fffff801`4e02b420)
fffff801`5dd587d0
nt!NtReadFile (fffff801`4e028d10)
nt!NtDeviceIoControlFile (fffff801`4e036a00)
nt!NtWriteFile (fffff801`4e028100)
nt!NtRemoveIoCompletion (fffff801`4e1115b0)
nt!NtReleaseSemaphore (fffff801`4e0f93a0)
nt!NtReplyWaitReceivePort (fffff801`4e01db6c)
nt!NtReplyPort (fffff801`4e11be04)
nt!NtSetInformationThread (fffff801`4e01e400)
nt!NtSetEvent (fffff801`4e034410)
nt!NtClose (fffff801`4e029f90)
nt!NtQueryObject (fffff801`4e09f4e0)
nt!NtQueryInformationFile (fffff801`4e033860)
nt!NtOpenKey (fffff801`4e08b2f4)
nt!NtEnumerateValueKey (fffff801`4e09e520)
nt!NtFindAtom (fffff801`4e0c2bac)
nt!NtQueryDefaultLocale (fffff801`4e0be834)
nt!NtQueryKey (fffff801`4e03a750)
nt!NtQueryValueKey (fffff801`4e03b0b0)
nt!NtAllocateVirtualMemory (fffff801`4e00fd30)
nt!NtQueryInformationProcess (fffff801`4e0aeed0)
nt!NtWaitForMultipleObjects32 (fffff801`4e111170)
nt!NtWriteFileGather (fffff801`4e128c90)
nt!NtSetInformationProcess (fffff801`4e04f3d0)
nt!NtCreateKey (fffff801`4e1139a8)
nt!NtFreeVirtualMemory (fffff801`4e00f370)
nt!NtImpersonateClientOfPort (fffff801`4e2a21cc)
nt!NtReleaseMutant (fffff801`4e045690)
nt!NtQueryInformationToken (fffff801`4e093370)
nt!NtRequestWaitReplyPort (fffff801`4e120d08)
nt!NtQueryVirtualMemory (fffff801`4e011af8)
nt!NtOpenThreadToken (fffff801`4e0acf04)
nt!NtQueryInformationThread (fffff801`4e040310)
nt!NtOpenProcess (fffff801`4e091dc0)
fffff801`5dc9bd30
nt!NtMapViewOfSection (fffff801`4e015500)
nt!NtAccessCheckAndAuditAlarm (fffff801`4e04cb28)
nt!NtUnmapViewOfSection (fffff801`4e1294fc)
nt!NtReplyWaitReceivePortEx (fffff801`4e01db80)
nt!NtTerminateProcess (fffff801`4e0aa210)
nt!NtSetEventBoostPriority (fffff801`4e2f25a0)
nt!NtReadFileScatter (fffff801`4e131c8c)
nt!NtOpenThreadTokenEx (fffff801`4e0acf20)
nt!NtOpenProcessTokenEx (fffff801`4e112dd0)
nt!NtQueryPerformanceCounter (fffff801`4e11bb98)
nt!NtEnumerateKey (fffff801`4e09c170)
nt!NtOpenFile (fffff801`4e08b204)
nt!NtDelayExecution (fffff801`4e0aaa50)
nt!NtQueryDirectoryFile (fffff801`4e028020)
nt!NtQuerySystemInformation (fffff801`4e08bc40)
nt!NtOpenSection (fffff801`4e11b080)
nt!NtQueryTimer (fffff801`4e2f2444)
nt!NtFsControlFile (fffff801`4e088684)
nt!NtWriteVirtualMemory (fffff801`4e1303e8)
nt!NtCloseObjectAuditAlarm (fffff801`4e125c1c)
nt!NtDuplicateObject (fffff801`4e0c49e0)
nt!NtQueryAttributesFile (fffff801`4e1135b0)
nt!NtClearEvent (fffff801`4e112d50)
nt!NtReadVirtualMemory (fffff801`4e044754)
nt!NtOpenEvent (fffff801`4e1223a4)
nt!NtAdjustPrivilegesToken (fffff801`4e04c098)
nt!NtDuplicateToken (fffff801`4e0494f4)
fffff801`5dd562a0
nt!NtQueryDefaultUILanguage (fffff801`4e151590)
nt!NtQueueApcThread (fffff801`4e0be424)
fffff801`5dce83c0
nt!NtAddAtom (fffff801`4e2fa228)
nt!NtCreateEvent (fffff801`4e091e40)
nt!NtQueryVolumeInformationFile (fffff801`4e087ad0)
nt!NtCreateSection (fffff801`4e017400)
nt!NtFlushBuffersFile (fffff801`4e12db54)
nt!NtApphelpCacheControl (fffff801`4e0a1eac)
nt!NtCreateProcessEx (fffff801`4e140bbc)
nt!NtCreateThread (fffff801`4e2c211c)
nt!NtIsProcessInJob (fffff801`4e0aa64c)
nt!NtProtectVirtualMemory (fffff801`4e011910)
nt!NtQuerySection (fffff801`4e12a420)
nt!NtResumeThread (fffff801`4e0bee10)
nt!NtTerminateThread (fffff801`4e0bec80)
nt!NtReadRequestData (fffff801`4e2a22a8)
nt!NtCreateFile (fffff801`4e08b270)
nt!NtQueryEvent (fffff801`4e1299f0)
nt!NtWriteRequestData (fffff801`4e2a23cc)
nt!NtOpenDirectoryObject (fffff801`4e11c3d0)
nt!NtAccessCheckByTypeAndAuditAlarm (fffff801`4e04cbac)
nt!NtQuerySystemTime (fffff801`4e2ef858)
nt!NtWaitForMultipleObjects (fffff801`4e029e60)
nt!NtSetInformationObject (fffff801`4e10e180)
nt!NtCancelIoFile (fffff801`4e0a511c)
fffff801`5dcafea0
nt!NtPowerInformation (fffff801`4e076150)
nt!NtSetValueKey (fffff801`4e01b3a0)
fffff801`5dd045e4
fffff801`5dd0e9d4
fffff801`5dcfe80c
fffff801`5de44de8
nt!NtAccessCheckByTypeResultListAndAuditAlarm (fffff801`4e16adf8)
nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle (fffff801`4e2d730c)
nt!NtAddAtomEx (fffff801`4e122448)
nt!NtAddBootEntry (fffff801`4e2f5e64)
nt!NtAddDriverEntry (fffff801`4e2f5e84)
nt!NtAdjustGroupsToken (fffff801`4e1282b0)
nt!NtAdjustTokenClaimsAndDeviceGroups (fffff801`4e1a9ce4)
nt!NtAlertResumeThread (fffff801`4e2c928c)
nt!NtAlertThread (fffff801`4e2c9398)
nt!NtAlertThreadByThreadId (fffff801`4e0c9440)
nt!NtAllocateLocallyUniqueId (fffff801`4e116a20)
nt!NtAllocateReserveObject (fffff801`4e2c2810)
nt!NtAllocateUserPhysicalPages (fffff801`4e2a9bdc)
nt!NtAllocateUuids (fffff801`4e13a3ac)
nt!NtAlpcAcceptConnectPort (fffff801`4e0478e8)
nt!NtAlpcCancelMessage (fffff801`4e13b0fc)
nt!NtAlpcConnectPort (fffff801`4e0479ac)
nt!NtAlpcConnectPortEx (fffff801`4e047064)
nt!NtAlpcCreatePort (fffff801`4e12b2fc)
nt!NtAlpcCreatePortSection (fffff801`4e046b4c)
nt!NtAlpcCreateResourceReserve (fffff801`4e0db7d0)
nt!NtAlpcCreateSectionView (fffff801`4e118cf4)
nt!NtAlpcCreateSecurityContext (fffff801`4e042184)
nt!NtAlpcDeletePortSection (fffff801`4e1277b0)
nt!NtAlpcDeleteResourceReserve (fffff801`4e2a31e8)
nt!NtAlpcDeleteSectionView (fffff801`4e125548)
nt!NtAlpcDeleteSecurityContext (fffff801`4e04204c)
nt!NtAlpcDisconnectPort (fffff801`4e0f67d8)
nt!NtAlpcImpersonateClientContainerOfPort (fffff801`4e2a3414)
nt!NtAlpcImpersonateClientOfPort (fffff801`4e01fe50)
nt!NtAlpcOpenSenderProcess (fffff801`4e125070)
nt!NtAlpcOpenSenderThread (fffff801`4e12a5c4)
nt!NtAlpcQueryInformation (fffff801`4e10d210)
nt!NtAlpcQueryInformationMessage (fffff801`4e11dc00)
nt!NtAlpcRevokeSecurityContext (fffff801`4e2a3894)
nt!NtAlpcSendWaitReceivePort (fffff801`4e0224d0)
nt!NtAlpcSetInformation (fffff801`4e08804c)
nt!NtAreMappedFilesTheSame (fffff801`4e0a680c)
nt!NtAssignProcessToJobObject (fffff801`4e0a7b94)
fffff801`5dc8b7f0
nt!NtCancelIoFileEx (fffff801`4e0a4ba4)
nt!NtCancelSynchronousIoFile (fffff801`4e278d48)
fffff801`5dd068b8
fffff801`5dc8b498
fffff801`5dc0a018
fffff801`5dc0a020
fffff801`5dc0a028
nt!NtCompactKeys (fffff801`4e25589c)
nt!NtCompareObjects (fffff801`4e2afff4)
nt!NtCompareTokens (fffff801`4e0f2324)
nt!ArbPreprocessEntry (fffff801`4e13812c)
nt!NtCompressKey (fffff801`4e255ab8)
nt!NtConnectPort (fffff801`4e11facc)
nt!NtCreateDebugObject (fffff801`4e26cbb4)
nt!NtCreateDirectoryObject (fffff801`4e128a74)
nt!NtCreateDirectoryObjectEx (fffff801`4e128a6c)
fffff801`5dc0a030
nt!NtAdjustTokenClaimsAndDeviceGroups (fffff801`4e1a9ce4)
nt!NtCreateIRTimer (fffff801`4e167f14)
nt!NtCreateIoCompletion (fffff801`4e0477dc)
nt!NtCreateJobObject (fffff801`4e06fa90)
nt!ArbAddReserved (fffff801`4e1a9cd4)
nt!NtCreateKeyTransacted (fffff801`4e11384c)
nt!NtCreateKeyedEvent (fffff801`4e19c15c)
nt!NtCreateLowBoxToken (fffff801`4e0f3f44)
nt!NtCreateMailslotFile (fffff801`4e12d7e0)
nt!NtCreateMutant (fffff801`4e103250)
nt!NtCreateNamedPipeFile (fffff801`4e12d8d8)
nt!NtCreatePagingFile (fffff801`4e197bc8)
nt!NtCreatePartition (fffff801`4e2a7f74)
nt!NtCreatePort (fffff801`4e167280)
nt!NtCreatePrivateNamespace (fffff801`4e12c4f4)
nt!NtCreateProcess (fffff801`4e2c20a0)
nt!NtCreateProfile (fffff801`4e2fba70)
nt!NtCreateProfileEx (fffff801`4e2fbb44)
fffff801`5dc0a038
nt!NtCreateSemaphore (fffff801`4e043b44)
nt!NtCreateSymbolicLinkObject (fffff801`4e0f2c94)
nt!NtCreateThreadEx (fffff801`4e0c0d78)
nt!NtCreateTimer (fffff801`4e044e90)
nt!NtCreateTimer2 (fffff801`4e047a20)
nt!NtCreateToken (fffff801`4e2d7dc8)
nt!NtCreateTokenEx (fffff801`4e04b474)
fffff801`5dc0a040
fffff801`5dc0a048
nt!NtCreateUserProcess (fffff801`4e0bce1c)
nt!NtCreateWaitCompletionPacket (fffff801`4e11c6b8)
nt!NtCreateWaitablePort (fffff801`4e167cfc)
nt!NtCreateWnfStateName (fffff801`4e07a59c)
nt!NtCreateWorkerFactory (fffff801`4e047484)
nt!NtDebugActiveProcess (fffff801`4e26cd7c)
nt!NtDebugContinue (fffff801`4e26cf74)
nt!NtDeleteAtom (fffff801`4e0c9280)
nt!NtDeleteBootEntry (fffff801`4e2f5ea4)
nt!NtDeleteDriverEntry (fffff801`4e2f60c0)
nt!NtDeleteFile (fffff801`4e1a0fd8)
nt!NtDeleteKey (fffff801`4e064e30)
nt!NtDeleteObjectAuditAlarm (fffff801`4e00644c)
nt!NtDeletePrivateNamespace (fffff801`4e2b1bd8)
nt!NtDeleteValueKey (fffff801`4e0d5f54)
nt!NtDeleteWnfStateData (fffff801`4e1a1f1c)
nt!NtDeleteWnfStateName (fffff801`4e07164c)
nt!NtDisableLastKnownGood (fffff801`4e171f70)
nt!NtDisplayString (fffff801`4e2f18f8)
fffff801`5de5887c
nt!NtEnableLastKnownGood (fffff801`4e170754)
nt!NtEnumerateBootEntries (fffff801`4e2f62dc)
nt!NtEnumerateDriverEntries (fffff801`4e2f6940)
nt!NtEnumerateSystemEnvironmentValuesEx (fffff801`4e2f6e90)
fffff801`5dc0a050
nt!NtExtendSection (fffff801`4e2a82c8)
nt!NtFilterBootOption (fffff801`4e2d8fa4)
nt!NtFilterToken (fffff801`4e0f1328)
nt!NtAdjustTokenClaimsAndDeviceGroups (fffff801`4e1a9ce4)
nt!NtFlushBuffersFileEx (fffff801`4e12db70)
nt!NtFlushInstallUILanguage (fffff801`4e1a3dd0)
nt!ArbPreprocessEntry (fffff801`4e13812c)
nt!NtFlushKey (fffff801`4e0efbc4)
fffff801`5dc7874c
nt!NtFlushVirtualMemory (fffff801`4e10eb98)
nt!NtFlushWriteBuffer (fffff801`4e2ab438)
nt!NtFreeUserPhysicalPages (fffff801`4e2aa304)
fffff801`5dddb084
fffff801`5dc0a058
nt!NtGetCachedSigningLevel (fffff801`4e2d33ec)
nt!NtGetCompleteWnfStateSubscription (fffff801`4e072b58)
nt!NtGetContextThread (fffff801`4e1375d0)
nt!NtGetCurrentProcessorNumber (fffff801`4e2c2960)
nt!NtGetCurrentProcessorNumberEx (fffff801`4e2c2990)
nt!NtGetDevicePowerState (fffff801`4e2bb3fc)
nt!NtGetMUIRegistryInfo (fffff801`4e1225fc)
nt!NtGetNextProcess (fffff801`4e14c324)
nt!NtGetNextThread (fffff801`4e1395c4)
nt!NtGetNlsSectionPtr (fffff801`4e0f1bdc)
fffff801`5dc0a060
fffff801`5dc6c9f0
nt!NtImpersonateAnonymousToken (fffff801`4e0f2758)
nt!NtImpersonateThread (fffff801`4e1002f4)
nt!NtInitializeNlsFiles (fffff801`4e0dd764)
nt!NtInitializeRegistry (fffff801`4e1670dc)
nt!NtInitiatePowerAction (fffff801`4e14975c)
nt!NtIsSystemResumeAutomatic (fffff801`4e14dfa4)
nt!NtIsUILanguageComitted (fffff801`4e140680)
nt!NtListenPort (fffff801`4e1a5264)
nt!NtLoadDriver (fffff801`4e155874)
nt!NtLoadKey (fffff801`4e14311c)
nt!NtLoadKey2 (fffff801`4e167eec)
nt!NtLoadKeyEx (fffff801`4e063ec4)
nt!NtLockFile (fffff801`4e121028)
nt!NtLockProductActivationKeys (fffff801`4e18f518)
nt!NtLockRegistryKey (fffff801`4e19aa70)
fffff801`5dc77734
nt!NtMakePermanentObject (fffff801`4e149308)
nt!NtMakeTemporaryObject (fffff801`4e0eed54)
nt!NtManagePartition (fffff801`4e2a816c)
nt!NtMapCMFModule (fffff801`4e1229b4)
nt!NtMapUserPhysicalPages (fffff801`4e2aa81c)
nt!NtModifyBootEntry (fffff801`4e2f7274)
nt!NtModifyDriverEntry (fffff801`4e2f7290)
nt!NtNotifyChangeDirectoryFile (fffff801`4e1274b0)
nt!NtNotifyChangeKey (fffff801`4e0efe88)
nt!NtNotifyChangeMultipleKeys (fffff801`4e0efef0)
nt!NtNotifyChangeSession (fffff801`4e13e908)
fffff801`5dc0a068
nt!NtAdjustTokenClaimsAndDeviceGroups (fffff801`4e1a9ce4)
nt!NtOpenIoCompletion (fffff801`4e278b08)
nt!NtOpenJobObject (fffff801`4e2c6fb8)
nt!NtOpenKeyEx (fffff801`4e08bc2c)
nt!NtOpenKeyTransacted (fffff801`4e255c38)
nt!NtOpenKeyTransactedEx (fffff801`4e1338bc)
nt!NtOpenKeyedEvent (fffff801`4e2fbeec)
nt!NtOpenMutant (fffff801`4e11b100)
nt!NtOpenObjectAuditAlarm (fffff801`4e118428)
nt!NtOpenPartition (fffff801`4e2a81d4)
nt!NtOpenPrivateNamespace (fffff801`4e04b150)
nt!NtOpenProcessToken (fffff801`4e112db8)
fffff801`5dc0a070
nt!NtOpenSemaphore (fffff801`4e133e34)
nt!NtOpenSession (fffff801`4e148e30)
nt!NtOpenSymbolicLinkObject (fffff801`4e119368)
nt!NtOpenThread (fffff801`4e08bc00)
nt!NtOpenTimer (fffff801`4e2f23a0)
fffff801`5dc0a078
fffff801`5dc0a080
nt!NtPlugPlayControl (fffff801`4e0b220c)
fffff801`5dc0a088
fffff801`5dc0a090
fffff801`5dc0a098
fffff801`5dc0a0a0
nt!NtPrivilegeCheck (fffff801`4e04f1b0)
nt!NtPrivilegeObjectAuditAlarm (fffff801`4e164000)
nt!NtPrivilegedServiceAuditAlarm (fffff801`4e137304)
fffff801`5dc0a0a8
fffff801`5dc0a0b0
nt!NtPulseEvent (fffff801`4e03fc6c)
nt!NtQueryBootEntryOrder (fffff801`4e2f72ac)
nt!NtQueryBootOptions (fffff801`4e2f75a8)
fffff801`5dc919f8
nt!NtQueryDirectoryObject (fffff801`4e1107e0)
nt!NtQueryDriverEntryOrder (fffff801`4e2f7934)
nt!NtQueryEaFile (fffff801`4e121bc8)
nt!NtQueryFullAttributesFile (fffff801`4e1133c0)
nt!NtQueryInformationAtom (fffff801`4e0c81a4)
fffff801`5dc0a0b8
nt!NtQueryInformationJobObject (fffff801`4e0f4d08)
nt!NtQueryInformationPort (fffff801`4e2a21ec)
fffff801`5dc0a0c0
fffff801`5dc0a0c8
fffff801`5dc0a0d0
fffff801`5de5b214
nt!NtQueryInstallUILanguage (fffff801`4e133a04)
nt!NtQueryIntervalProfile (fffff801`4e1453b8)
nt!NtQueryIoCompletion (fffff801`4e168160)
nt!NtQueryLicenseValue (fffff801`4e00804c)
nt!NtQueryMultipleValueKey (fffff801`4e0d73e4)
nt!NtQueryMutant (fffff801`4e004060)
nt!NtQueryOpenSubKeys (fffff801`4e255e30)
nt!NtQueryOpenSubKeysEx (fffff801`4e256078)
nt!NtQueryPortInformationProcess (fffff801`4e2c2a1c)
nt!NtQueryQuotaInformationFile (fffff801`4e27a274)
nt!NtQuerySecurityAttributesToken (fffff801`4e092f40)
nt!NtQuerySecurityObject (fffff801`4e0a1140)
nt!NtQuerySemaphore (fffff801`4e004480)
nt!NtQuerySymbolicLinkObject (fffff801`4e116c10)
nt!NtQuerySystemEnvironmentValue (fffff801`4e2f7d88)
nt!NtQuerySystemEnvironmentValueEx (fffff801`4e167b44)
nt!NtQuerySystemInformationEx (fffff801`4e127400)
nt!NtQueryTimerResolution (fffff801`4e139fbc)
nt!NtQueryWnfStateData (fffff801`4e0ae8dc)
nt!NtQueryWnfStateNameInformation (fffff801`4e132cd8)
nt!NtQueueApcThreadEx (fffff801`4e0be44c)
fffff801`5dd564e0
nt!NtRaiseHardError (fffff801`4e2f9a14)
fffff801`5dc0a0d8
fffff801`5dc0a0e0
fffff801`5dc0a0e8
fffff801`5dc0a0f0
fffff801`5dc0a238
nt!NtRegisterThreadTerminatePort (fffff801`4e13f338)
nt!NtReleaseKeyedEvent (fffff801`4e137c04)
fffff801`5dcd1f40
nt!NtRemoveIoCompletionEx (fffff801`4e12aea0)
nt!NtRemoveProcessDebug (fffff801`4e26d1dc)
nt!NtRenameKey (fffff801`4e256514)
fffff801`5dc0a240
nt!NtReplaceKey (fffff801`4e256b0c)
fffff801`5de67c88
nt!NtReplyWaitReplyPort (fffff801`4e2a232c)
nt!NtRequestPort (fffff801`4e129da0)
nt!NtResetEvent (fffff801`4e086828)
fffff801`5dcbadb0
nt!NtRestoreKey (fffff801`4e256fdc)
nt!NtResumeProcess (fffff801`4e0062d8)
fffff801`5de39f5c
fffff801`5dc0a0f8
fffff801`5dc0a100
fffff801`5dc0a108
fffff801`5dc0a248
nt!NtSaveKey (fffff801`4e257450)
nt!NtSaveKeyEx (fffff801`4e257824)
nt!NtSaveMergedKeys (fffff801`4e257c60)
nt!NtSecureConnectPort (fffff801`4e11fb14)
nt!NtSerializeBoot (fffff801`4e1a40a0)
nt!NtSetBootEntryOrder (fffff801`4e2f8158)
nt!NtSetBootOptions (fffff801`4e2f83e4)
nt!NtSetCachedSigningLevel (fffff801`4e170514)
nt!NtSetContextThread (fffff801`4e2c6e8c)
nt!NtSetDebugFilterState (fffff801`4e18c4c0)
nt!NtSetDefaultHardErrorPort (fffff801`4e1a4230)
nt!NtSetDefaultLocale (fffff801`4e150e20)
nt!NtSetDefaultUILanguage (fffff801`4e150e0c)
nt!NtSetDriverEntryOrder (fffff801`4e2f8678)
nt!NtSetEaFile (fffff801`4e279ac8)
nt!NtAdjustTokenClaimsAndDeviceGroups (fffff801`4e1a9ce4)
nt!NtAdjustTokenClaimsAndDeviceGroups (fffff801`4e1a9ce4)
fffff801`5dd0ad74
nt!NtSetInformationDebugObject (fffff801`4e26d324)
fffff801`5dc0a110
nt!NtSetInformationJobObject (fffff801`4e0a69ec)
nt!NtSetInformationKey (fffff801`4e09e950)
fffff801`5dc0a118
nt!NtSetInformationSymbolicLink (fffff801`4e2ae08c)
nt!NtSetInformationToken (fffff801`4e04cc54)
fffff801`5dc0a120
fffff801`5dc0a250
nt!NtSetInformationVirtualMemory (fffff801`4e11d39c)
fffff801`5dcd2a10
nt!NtSetIntervalProfile (fffff801`4e145458)
nt!NtSetIoCompletion (fffff801`4e088b24)
nt!NtSetIoCompletionEx (fffff801`4e278c18)
fffff801`5dd4416c
nt!NtAdjustTokenClaimsAndDeviceGroups (fffff801`4e1a9ce4)
nt!NtAdjustTokenClaimsAndDeviceGroups (fffff801`4e1a9ce4)
nt!NtSetQuotaInformationFile (fffff801`4e27ab50)
nt!NtSetSecurityObject (fffff801`4e11e260)
nt!NtSetSystemEnvironmentValue (fffff801`4e2f8904)
nt!NtSetSystemEnvironmentValueEx (fffff801`4e2f8cd0)
nt!NtSetSystemInformation (fffff801`4e051d70)
nt!NtSetSystemPowerState (fffff801`4dfe9ef8)
nt!NtSetSystemTime (fffff801`4e2ef8c4)
nt!NtSetThreadExecutionState (fffff801`4e1483f4)
fffff801`5dc0dbd4
fffff801`5dc47dd0
nt!NtSetTimerResolution (fffff801`4e12e224)
nt!NtSetUuidSeed (fffff801`4e19cc94)
nt!NtSetVolumeInformationFile (fffff801`4e14405c)
nt!NtSetWnfProcessNotificationEvent (fffff801`4e12d388)
nt!NtShutdownSystem (fffff801`4e2f1a9c)
fffff801`5dd05680
fffff801`5de29068
fffff801`5dc0a258
nt!NtStartProfile (fffff801`4e2fbba0)
nt!NtStopProfile (fffff801`4e2fbe04)
nt!NtSubscribeWnfStateChange (fffff801`4e071fb8)
nt!NtSuspendProcess (fffff801`4e005684)
nt!NtSuspendThread (fffff801`4e12f1b0)
nt!NtSystemDebugControl (fffff801`4e2fd570)
nt!NtTerminateJobObject (fffff801`4e12c1d4)
nt!NtTestAlert (fffff801`4e0c0584)
fffff801`5dddb0d8
fffff801`5dc0a128
nt!NtTraceControl (fffff801`4e0aac30)
nt!NtTranslateFilePath (fffff801`4e2f8f3c)
nt!NtUmsThreadYield (fffff801`4e29e140)
nt!NtUnloadDriver (fffff801`4e27e044)
nt!NtUnloadKey (fffff801`4e1a57d4)
nt!NtUnloadKey2 (fffff801`4e1644e4)
nt!NtUnloadKeyEx (fffff801`4e1194c0)
nt!NtUnlockFile (fffff801`4e125d5c)
fffff801`5dc62c70
nt!NtUnmapViewOfSectionEx (fffff801`4e0158f0)
nt!NtUnsubscribeWnfStateChange (fffff801`4e070e00)
nt!NtUpdateWnfStateData (fffff801`4e073448)
nt!NtAdjustTokenClaimsAndDeviceGroups (fffff801`4e1a9ce4)
nt!NtWaitForAlertByThreadId (fffff801`4e112934)
nt!NtWaitForDebugEvent (fffff801`4e26d51c)
nt!NtWaitForKeyedEvent (fffff801`4e137a24)
fffff801`5dc4b850
nt!NtAdjustTokenClaimsAndDeviceGroups (fffff801`4e1a9ce4)
nt!NtAdjustTokenClaimsAndDeviceGroups (fffff801`4e1a9ce4)

Subtracting the module's start address from these gives the RVA.

kd> lmDvmnt
start             end                 module name
fffff801`4dc09000 fffff801`4e45b000   nt         (pdb symbols)          c:\symbols\ntkrnlmp.pdb\C68EE22FDCF6477895C54A862BE165671\ntkrnlmp.pdb
    Loaded symbol image file: ntkrnlmp.exe
    Image path: ntkrnlmp.exe
    Image name: ntkrnlmp.exe
    Timestamp:        Fri Jul 10 12:29:30 2015 (559F3C1A)
    CheckSum:         007AFB58
    ImageSize:        00852000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
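Decoding an x64 KiServiceTable entry as described above (sign-extend the dword, shift right by 4, add the table base) and then subtracting the lmDvmnt start address for the RVA, as an added Python example rather than the author's script. NT_BASE is the start address shown above; KISERVICETABLE_VA is a placeholder, because the page never prints the table's own address, and the raw dwords are constructed from two Nt* addresses the page lists.

```python
from typing import List, NamedTuple

# From the page: the nt image base is the "start" column of lmDvmnt.
NT_BASE = 0xFFFFF8014DC09000
# Placeholder (constructed): the page does not show where KiServiceTable lives,
# so this address is chosen to sit between two real Nt* routines from the page.
KISERVICETABLE_VA = 0xFFFFF8014E1B0000


class SsdtEntry(NamedTuple):
    index: int
    va: int          # absolute address of the Nt* routine
    rva: int         # va - image base; what the page's script prints
    stack_args: int  # low 4 bits: arguments passed on the stack beyond the 4 register args


def decode_entry(raw: int, table_va: int, image_base: int, index: int = 0) -> SsdtEntry:
    """Decode one x64 KiServiceTable dword the way KiSystemCall64 does:
    sign-extend the dword (movsxd), arithmetic shift right by 4 (sar) and add
    the table base. Treating the dword as unsigned would turn a negative
    offset (a target below the table) into an address far above the module."""
    raw &= 0xFFFFFFFF
    signed = raw - (1 << 32) if raw & 0x80000000 else raw  # 32 -> 64-bit sign extension
    offset = signed >> 4                                   # Python's >> is arithmetic
    va = table_va + offset
    return SsdtEntry(index, va, va - image_base, raw & 0xF)


def encode_entry(va: int, table_va: int, stack_args: int) -> int:
    """Inverse of decode_entry; used only to construct the sample dwords below."""
    return (((va - table_va) << 4) | (stack_args & 0xF)) & 0xFFFFFFFF


def decode_table(raw_entries: List[int], table_va: int, image_base: int) -> List[SsdtEntry]:
    """Decode a whole table, e.g. the dwords dumped with dd nt!KiServiceTable."""
    return [decode_entry(e, table_va, image_base, i) for i, e in enumerate(raw_entries)]


# Constructed sample table built from two addresses the page lists:
# NtReadFile (9 parameters -> 5 on the stack) and NtMapUserPhysicalPagesScatter (3 -> 0).
SAMPLE_RAW = [
    encode_entry(0xFFFFF8014E028D10, KISERVICETABLE_VA, 5),  # below the table: negative offset
    encode_entry(0xFFFFF8014E2AAD00, KISERVICETABLE_VA, 0),  # above the table: positive offset
]


def sample_table() -> List[SsdtEntry]:
    return decode_table(SAMPLE_RAW, KISERVICETABLE_VA, NT_BASE)


if __name__ == "__main__":
    for e in sample_table():
        print("%3d raw=%08x va=%016x rva=%06x stack_args=%d"
              % (e.index, SAMPLE_RAW[e.index], e.va, e.rva, e.stack_args))
```

The entry is a signed dword, which is why a target below the table (negative offset) still decodes correctly here; dwo() in the .for loop above yields an unsigned value and does not sign-extend it.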

Written in Python:

import re

# nt image base: the "start" column of lmDvmnt; RVA = virtual address - base
NT_BASE = 0xfffff8014dc09000

# matches symbolised lines such as "nt!NtReadFile (fffff801`4e028d10)";
# entries that resolved only to a bare address (no nt! symbol) are skipped
LINE_RE = re.compile(r"nt!(\S+) \(([0-9a-f`]+)\)")

with open("KiServiceTable.txt", "r") as f:
    for line in f:
        m = LINE_RE.search(line)
        if m:
            va = int(m.group(2).replace("`", ""), 16)
            print("%s  %x" % (m.group(1), va - NT_BASE))

python systable.py
NtAcceptConnectPort  52e66c
NtMapUserPhysicalPagesScatter  6a1d00
NtWaitForSingleObject  422420
NtReadFile  41fd10
NtDeviceIoControlFile  42da00
NtWriteFile  41f100
NtRemoveIoCompletion  5085b0
NtReleaseSemaphore  4f03a0
NtReplyWaitReceivePort  414b6c
NtReplyPort  512e04
NtSetInformationThread  415400
NtSetEvent  42b410
NtClose  420f90
NtQueryObject  4964e0
NtQueryInformationFile  42a860
NtOpenKey  4822f4
NtEnumerateValueKey  495520
NtFindAtom  4b9bac
NtQueryDefaultLocale  4b5834
NtQueryKey  431750
NtQueryValueKey  4320b0
NtAllocateVirtualMemory  406d30
NtQueryInformationProcess  4a5ed0
NtWaitForMultipleObjects32  508170
NtWriteFileGather  51fc90
NtSetInformationProcess  4463d0
NtCreateKey  50a9a8
NtFreeVirtualMemory  406370
NtImpersonateClientOfPort  6991cc
NtReleaseMutant  43c690
NtQueryInformationToken  48a370
NtRequestWaitReplyPort  517d08
NtQueryVirtualMemory  408af8
NtOpenThreadToken  4a3f04
NtQueryInformationThread  437310
NtOpenProcess  488dc0
NtMapViewOfSection  40c500
NtAccessCheckAndAuditAlarm  443b28
NtUnmapViewOfSection  5204fc
NtReplyWaitReceivePortEx  414b80
NtTerminateProcess  4a1210
NtSetEventBoostPriority  6e95a0
NtReadFileScatter  528c8c
NtOpenThreadTokenEx  4a3f20
NtOpenProcessTokenEx  509dd0
NtQueryPerformanceCounter  512b98
NtEnumerateKey  493170
NtOpenFile  482204
NtDelayExecution  4a1a50
NtQueryDirectoryFile  41f020
NtQuerySystemInformation  482c40
NtOpenSection  512080
NtQueryTimer  6e9444
NtFsControlFile  47f684
NtWriteVirtualMemory  5273e8
NtCloseObjectAuditAlarm  51cc1c
NtDuplicateObject  4bb9e0
NtQueryAttributesFile  50a5b0
NtClearEvent  509d50
NtReadVirtualMemory  43b754
NtOpenEvent  5193a4
NtAdjustPrivilegesToken  443098
NtDuplicateToken  4404f4
NtQueryDefaultUILanguage  548590
NtQueueApcThread  4b5424
NtAddAtom  6f1228
NtCreateEvent  488e40
NtQueryVolumeInformationFile  47ead0
NtCreateSection  40e400
NtFlushBuffersFile  524b54
NtApphelpCacheControl  498eac
NtCreateProcessEx  537bbc
NtCreateThread  6b911c
NtIsProcessInJob  4a164c
NtProtectVirtualMemory  408910
NtQuerySection  521420
NtResumeThread  4b5e10
NtTerminateThread  4b5c80
NtReadRequestData  6992a8
NtCreateFile  482270
NtQueryEvent  5209f0
NtWriteRequestData  6993cc
NtOpenDirectoryObject  5133d0
NtAccessCheckByTypeAndAuditAlarm  443bac
NtQuerySystemTime  6e6858
NtWaitForMultipleObjects  420e60
NtSetInformationObject  505180
NtCancelIoFile  49c11c
NtPowerInformation  46d150
NtSetValueKey  4123a0
NtAccessCheckByTypeResultListAndAuditAlarm  561df8
NtAccessCheckByTypeResultListAndAuditAlarmByHandle  6ce30c
NtAddAtomEx  519448
NtAddBootEntry  6ece64
NtAddDriverEntry  6ece84
NtAdjustGroupsToken  51f2b0
NtAdjustTokenClaimsAndDeviceGroups  5a0ce4
NtAlertResumeThread  6c028c
NtAlertThread  6c0398
NtAlertThreadByThreadId  4c0440
NtAllocateLocallyUniqueId  50da20
NtAllocateReserveObject  6b9810
NtAllocateUserPhysicalPages  6a0bdc
NtAllocateUuids  5313ac
NtAlpcAcceptConnectPort  43e8e8
NtAlpcCancelMessage  5320fc
NtAlpcConnectPort  43e9ac
NtAlpcConnectPortEx  43e064
NtAlpcCreatePort  5222fc
NtAlpcCreatePortSection  43db4c
NtAlpcCreateResourceReserve  4d27d0
NtAlpcCreateSectionView  50fcf4
NtAlpcCreateSecurityContext  439184
NtAlpcDeletePortSection  51e7b0
NtAlpcDeleteResourceReserve  69a1e8
NtAlpcDeleteSectionView  51c548
NtAlpcDeleteSecurityContext  43904c
NtAlpcDisconnectPort  4ed7d8
NtAlpcImpersonateClientContainerOfPort  69a414
NtAlpcImpersonateClientOfPort  416e50
NtAlpcOpenSenderProcess  51c070
NtAlpcOpenSenderThread  5215c4
NtAlpcQueryInformation  504210
NtAlpcQueryInformationMessage  514c00
NtAlpcRevokeSecurityContext  69a894
NtAlpcSendWaitReceivePort  4194d0
NtAlpcSetInformation  47f04c
NtAreMappedFilesTheSame  49d80c
NtAssignProcessToJobObject  49eb94
NtCancelIoFileEx  49bba4
NtCancelSynchronousIoFile  66fd48
NtCompactKeys  64c89c
NtCompareObjects  6a6ff4
NtCompareTokens  4e9324
ArbPreprocessEntry  52f12c
NtCompressKey  64cab8
NtConnectPort  516acc
NtCreateDebugObject  663bb4
NtCreateDirectoryObject  51fa74
NtCreateDirectoryObjectEx  51fa6c
NtAdjustTokenClaimsAndDeviceGroups  5a0ce4
NtCreateIRTimer  55ef14
NtCreateIoCompletion  43e7dc
NtCreateJobObject  466a90
ArbAddReserved  5a0cd4
NtCreateKeyTransacted  50a84c
NtCreateKeyedEvent  59315c
NtCreateLowBoxToken  4eaf44
NtCreateMailslotFile  5247e0
NtCreateMutant  4fa250
NtCreateNamedPipeFile  5248d8
NtCreatePagingFile  58ebc8
NtCreatePartition  69ef74
NtCreatePort  55e280
NtCreatePrivateNamespace  5234f4
NtCreateProcess  6b90a0
NtCreateProfile  6f2a70
NtCreateProfileEx  6f2b44
NtCreateSemaphore  43ab44
NtCreateSymbolicLinkObject  4e9c94
NtCreateThreadEx  4b7d78
NtCreateTimer  43be90
NtCreateTimer2  43ea20
NtCreateToken  6cedc8
NtCreateTokenEx  442474
NtCreateUserProcess  4b3e1c
NtCreateWaitCompletionPacket  5136b8
NtCreateWaitablePort  55ecfc
NtCreateWnfStateName  47159c
NtCreateWorkerFactory  43e484
NtDebugActiveProcess  663d7c
NtDebugContinue  663f74
NtDeleteAtom  4c0280
NtDeleteBootEntry  6ecea4
NtDeleteDriverEntry  6ed0c0
NtDeleteFile  597fd8
NtDeleteKey  45be30
NtDeleteObjectAuditAlarm  3fd44c
NtDeletePrivateNamespace  6a8bd8
NtDeleteValueKey  4ccf54
NtDeleteWnfStateData  598f1c
NtDeleteWnfStateName  46864c
NtDisableLastKnownGood  568f70
NtDisplayString  6e88f8
NtEnableLastKnownGood  567754
NtEnumerateBootEntries  6ed2dc
NtEnumerateDriverEntries  6ed940
NtEnumerateSystemEnvironmentValuesEx  6ede90
NtExtendSection  69f2c8
NtFilterBootOption  6cffa4
NtFilterToken  4e8328
NtAdjustTokenClaimsAndDeviceGroups  5a0ce4
NtFlushBuffersFileEx  524b70
NtFlushInstallUILanguage  59add0
ArbPreprocessEntry  52f12c
NtFlushKey  4e6bc4
NtFlushVirtualMemory  505b98
NtFlushWriteBuffer  6a2438
NtFreeUserPhysicalPages  6a1304
NtGetCachedSigningLevel  6ca3ec
NtGetCompleteWnfStateSubscription  469b58
NtGetContextThread  52e5d0
NtGetCurrentProcessorNumber  6b9960
NtGetCurrentProcessorNumberEx  6b9990
NtGetDevicePowerState  6b23fc
NtGetMUIRegistryInfo  5195fc
NtGetNextProcess  543324
NtGetNextThread  5305c4
NtGetNlsSectionPtr  4e8bdc
NtImpersonateAnonymousToken  4e9758
NtImpersonateThread  4f72f4
NtInitializeNlsFiles  4d4764
NtInitializeRegistry  55e0dc
NtInitiatePowerAction  54075c
NtIsSystemResumeAutomatic  544fa4
NtIsUILanguageComitted  537680
NtListenPort  59c264
NtLoadDriver  54c874
NtLoadKey  53a11c
NtLoadKey2  55eeec
NtLoadKeyEx  45aec4
NtLockFile  518028
NtLockProductActivationKeys  586518
NtLockRegistryKey  591a70
NtMakePermanentObject  540308
NtMakeTemporaryObject  4e5d54
NtManagePartition  69f16c
NtMapCMFModule  5199b4
NtMapUserPhysicalPages  6a181c
NtModifyBootEntry  6ee274
NtModifyDriverEntry  6ee290
NtNotifyChangeDirectoryFile  51e4b0
NtNotifyChangeKey  4e6e88
NtNotifyChangeMultipleKeys  4e6ef0
NtNotifyChangeSession  535908
NtAdjustTokenClaimsAndDeviceGroups  5a0ce4
NtOpenIoCompletion  66fb08
NtOpenJobObject  6bdfb8
NtOpenKeyEx  482c2c
NtOpenKeyTransacted  64cc38
NtOpenKeyTransactedEx  52a8bc
NtOpenKeyedEvent  6f2eec
NtOpenMutant  512100
NtOpenObjectAuditAlarm  50f428
NtOpenPartition  69f1d4
NtOpenPrivateNamespace  442150
NtOpenProcessToken  509db8
NtOpenSemaphore  52ae34
NtOpenSession  53fe30
NtOpenSymbolicLinkObject  510368
NtOpenThread  482c00
NtOpenTimer  6e93a0
NtPlugPlayControl  4a920c
NtPrivilegeCheck  4461b0
NtPrivilegeObjectAuditAlarm  55b000
NtPrivilegedServiceAuditAlarm  52e304
NtPulseEvent  436c6c
NtQueryBootEntryOrder  6ee2ac
NtQueryBootOptions  6ee5a8
NtQueryDirectoryObject  5077e0
NtQueryDriverEntryOrder  6ee934
NtQueryEaFile  518bc8
NtQueryFullAttributesFile  50a3c0
NtQueryInformationAtom  4bf1a4
NtQueryInformationJobObject  4ebd08
NtQueryInformationPort  6991ec
NtQueryInstallUILanguage  52aa04
NtQueryIntervalProfile  53c3b8
NtQueryIoCompletion  55f160
NtQueryLicenseValue  3ff04c
NtQueryMultipleValueKey  4ce3e4
NtQueryMutant  3fb060
NtQueryOpenSubKeys  64ce30
NtQueryOpenSubKeysEx  64d078
NtQueryPortInformationProcess  6b9a1c
NtQueryQuotaInformationFile  671274
NtQuerySecurityAttributesToken  489f40
NtQuerySecurityObject  498140
NtQuerySemaphore  3fb480
NtQuerySymbolicLinkObject  50dc10
NtQuerySystemEnvironmentValue  6eed88
NtQuerySystemEnvironmentValueEx  55eb44
NtQuerySystemInformationEx  51e400
NtQueryTimerResolution  530fbc
NtQueryWnfStateData  4a58dc
NtQueryWnfStateNameInformation  529cd8
NtQueueApcThreadEx  4b544c
NtRaiseHardError  6f0a14
NtRegisterThreadTerminatePort  536338
NtReleaseKeyedEvent  52ec04
NtRemoveIoCompletionEx  521ea0
NtRemoveProcessDebug  6641dc
NtRenameKey  64d514
NtReplaceKey  64db0c
NtReplyWaitReplyPort  69932c
NtRequestPort  520da0
NtResetEvent  47d828
NtRestoreKey  64dfdc
NtResumeProcess  3fd2d8
NtSaveKey  64e450
NtSaveKeyEx  64e824
NtSaveMergedKeys  64ec60
NtSecureConnectPort  516b14
NtSerializeBoot  59b0a0
NtSetBootEntryOrder  6ef158
NtSetBootOptions  6ef3e4
NtSetCachedSigningLevel  567514
NtSetContextThread  6bde8c
NtSetDebugFilterState  5834c0
NtSetDefaultHardErrorPort  59b230
NtSetDefaultLocale  547e20
NtSetDefaultUILanguage  547e0c
NtSetDriverEntryOrder  6ef678
NtSetEaFile  670ac8
NtAdjustTokenClaimsAndDeviceGroups  5a0ce4
NtAdjustTokenClaimsAndDeviceGroups  5a0ce4
NtSetInformationDebugObject  664324
NtSetInformationJobObject  49d9ec
NtSetInformationKey  495950
NtSetInformationSymbolicLink  6a508c
NtSetInformationToken  443c54
NtSetInformationVirtualMemory  51439c
NtSetIntervalProfile  53c458
NtSetIoCompletion  47fb24
NtSetIoCompletionEx  66fc18
NtAdjustTokenClaimsAndDeviceGroups  5a0ce4
NtAdjustTokenClaimsAndDeviceGroups  5a0ce4
NtSetQuotaInformationFile  671b50
NtSetSecurityObject  515260
NtSetSystemEnvironmentValue  6ef904
NtSetSystemEnvironmentValueEx  6efcd0
NtSetSystemInformation  448d70
NtSetSystemPowerState  3e0ef8
NtSetSystemTime  6e68c4
NtSetThreadExecutionState  53f3f4
NtSetTimerResolution  525224
NtSetUuidSeed  593c94
NtSetVolumeInformationFile  53b05c
NtSetWnfProcessNotificationEvent  524388
NtShutdownSystem  6e8a9c
NtStartProfile  6f2ba0
NtStopProfile  6f2e04
NtSubscribeWnfStateChange  468fb8
NtSuspendProcess  3fc684
NtSuspendThread  5261b0
NtSystemDebugControl  6f4570
NtTerminateJobObject  5231d4
NtTestAlert  4b7584
NtTraceControl  4a1c30
NtTranslateFilePath  6eff3c
NtUmsThreadYield  695140
NtUnloadDriver  675044
NtUnloadKey  59c7d4
NtUnloadKey2  55b4e4
NtUnloadKeyEx  5104c0
NtUnlockFile  51cd5c
NtUnmapViewOfSectionEx  40c8f0
NtUnsubscribeWnfStateChange  467e00
NtUpdateWnfStateData  46a448
NtAdjustTokenClaimsAndDeviceGroups  5a0ce4
NtWaitForAlertByThreadId  509934
NtWaitForDebugEvent  66451c
NtWaitForKeyedEvent  52ea24
NtAdjustTokenClaimsAndDeviceGroups  5a0ce4
NtAdjustTokenClaimsAndDeviceGroups  5a0ce4