1. 看源码
2. 跟踪初始化流程
3. 用 WinDbg 等调试器查看符号信息,例如:
0: kd> dd KeServiceDescriptorTableShadow
8055d6c0  80505460 00000000 0000011c 805058d4
8055d6d0  bf999e80 00000000 0000029b bf99ab90
8055d6e0  00000000 00000000 00000000 00000000
8055d6f0  00000000 00000000 00000000 00000000
8055d700  80505460 00000000 0000011c 805058d4
8055d710  00000000 00000000 00000000 00000000
8055d720  00000000 00000000 00000000 00000000
8055d730  00000000 00000000 00000000 00000000
注:每个描述符占 4 个 DWORD(服务表基址、计数表、服务数、参数表)。8055d6d0 处的第二个描述符(基址 bf999e80,服务数 0x29b)就是 win32k 的服务表。
0: kd> ln bf999e80
(bf999e80) win32k!W32pServiceTable | (bf99ab8c) win32k!W32pServiceLimit
Exact matches:
    win32k!W32pServiceTable = <no type information>
0: kd> dd bf999e80
bf999e80  bf936217 bf947dc8 bf88c983 bf93f989
bf999e90  bf9493df bf9364ab bf936550 bf83b471
bf999ea0  bf948d06 bf934cb0 bf9492fe bf90f536
bf999eb0  bf90213b bf809f82 bf9491d0 bf94a9cc
bf999ec0  bf900a38 bf893a75 bf9492ae bf94aaff
bf999ed0  bf820ed7 bf8dcae3 bf87a214 bf8c28e0
bf999ee0  bf910771 bf80e268 bf8dc78b bf94a7c4
bf999ef0  bf94b6cf bf813a14 bf80cf33 bf8d1783
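0: kd> ln bf936217
(bf936217) win32k!NtGdiAbortDoc | (bf93622f) win32k!NtGdiGetLinkedUFIs
Exact matches:
    win32k!NtGdiAbortDoc = <no type information>
注:表中第 0 项 bf936217 解析为 win32k!NtGdiAbortDoc。正常情况下每一项都应落在 win32k 模块范围内;用 ln 逐项核对时,若某项指向模块之外的地址,通常说明该项已被挂钩(hook),需要进一步排查。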