|
@mr.exodia
If you want a more robust implementation, I would recommend that you let your driver determine the OS specific offset by itself, i.e. let it disassemble the kernel function PsGetProcessDebugPort. You could do that like this:
a) determine function boundaries, i.e. disassemble all instructions from start of the function until ret.
b) go backwards starting at ret until you find the first instruction that writes to eax/rax. The immediate in the source operand expression should be the offset you're looking for.
|