From f67f0e3e6441edaaf495e19ebb8325c72abd034d Mon Sep 17 00:00:00 2001 From: DragonQuestHero Date: Wed, 27 Nov 2024 17:32:37 +0800 Subject: [PATCH] =?UTF-8?q?#=E8=BD=AC=E6=8D=A2=E7=BB=9F=E4=B8=80=E9=A9=B1?= =?UTF-8?q?=E5=8A=A8=E6=96=87=E4=BB=B6=E5=90=8D=20=E8=B7=AF=E5=BE=84?= =?UTF-8?q?=E4=B8=BAstring=20=E6=B7=BB=E5=8A=A0SSDT=E5=92=8CSSSDT=E6=9F=A5?= =?UTF-8?q?=E7=9C=8B=E5=8A=9F=E8=83=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Medusa/EzPdb/EzPdb.cpp | 6 + Medusa/IOCTLScanner.cc | 32 ++--- Medusa/KernelModules.cc | 230 ++++++++++++++++++++++++++++++++-- Medusa/KernelModules.h | 112 ++++++++++++++++- Medusa/Medusa.cpp | 164 ++++++++++++------------ Medusa/Medusa.h | 45 +++++++ Medusa/Medusa.ui | 34 ++--- Medusa/Medusa.vcxproj | 3 +- Medusa/Medusa.vcxproj.filters | 7 +- Medusa/PDBInfo.cc | 54 +++++++- Medusa/PDBInfo.h | 1 + Medusa/SSDT.cc | 60 --------- Medusa/SSDT.h | 37 ------ Medusa/StackWalk.cc | 11 +- MedusaKernel/IO_Control.cc | 32 ++++- MedusaKernel/SSDT.cc | 102 +++++++-------- MedusaKernel/Test.cc | 2 +- Readme.md | 2 + 18 files changed, 629 insertions(+), 305 deletions(-) delete mode 100644 Medusa/SSDT.cc delete mode 100644 Medusa/SSDT.h diff --git a/Medusa/EzPdb/EzPdb.cpp b/Medusa/EzPdb/EzPdb.cpp index c3e8494..3e3b39a 100644 --- a/Medusa/EzPdb/EzPdb.cpp +++ b/Medusa/EzPdb/EzPdb.cpp 
@@ -683,6 +683,12 @@ bool EzPdbLoad(IN std::string pdbPath, OUT PEZPDB Pdb) //SymSetOptions(SYMOPT_UNDNAME | SYMOPT_DEFERRED_LOADS | SYMOPT_AUTO_PUBLICS | SYMOPT_LOAD_ANYTHING); DWORD64 SymbolTable = SymLoadModuleEx(GetCurrentProcess(), NULL, pdbPath.c_str(), NULL, EZ_PDB_BASE_OF_DLL, pdbSize, NULL, NULL); + if (!SymbolTable && GetLastError() == ERROR_SUCCESS) + { + SymUnloadModule64(GetCurrentProcess(), EZ_PDB_BASE_OF_DLL); + SymCleanup(GetCurrentProcess()); + SymbolTable = SymLoadModuleEx(GetCurrentProcess(), NULL, pdbPath.c_str(), NULL, EZ_PDB_BASE_OF_DLL, pdbSize, NULL, NULL); + } if (!SymbolTable) { SymCleanup(GetCurrentProcess()); diff --git a/Medusa/IOCTLScanner.cc b/Medusa/IOCTLScanner.cc index 1d99463..c5c0c93 100644 --- a/Medusa/IOCTLScanner.cc +++ b/Medusa/IOCTLScanner.cc @@ -156,34 +156,25 @@ bool IOCTLScanner::GetIOCTLFunction(ULONG64 Addr, KernelModules& _KernelModules, _Model->setData(_Model->index(i, 2), ret2.str().data()); _Model->setData(_Model->index(i, 3), ""); - std::string module_name; bool found = false; for (auto x : _KernelModules._KernelModuleListR0) { - if (x.Check == 1 || x.Check == 2) - { - module_name = W_TO_C((WCHAR*)x.Name); - } - else - { - module_name = (char*)x.Name; - } if (temp_list[i].Addr >= (ULONG64)x.Addr && temp_list[i].Addr < (ULONG64)x.Addr + (ULONG64)x.Size) { - if (module_name == "ntoskrnl.exe" && !temp_list[i].Check) + if (x.Name == "ntoskrnl.exe" && !temp_list[i].Check) { found = true; } - else if (name == module_name) + else if (name == x.Name) { found = true; } - module_name = module_name + "+"; + x.Name = x.Name + "+"; std::ostringstream ret; ret << std::hex << "0x" << temp_list[i].Addr - x.Addr; - module_name = module_name + ret.str(); - _Model->setData(_Model->index(i, 3), module_name.data()); + x.Name = x.Name + ret.str(); + _Model->setData(_Model->index(i, 3), x.Name.data()); break; } } 
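Review bot: The added retry calls SymCleanup and then immediately SymLoadModuleEx again without a matching SymInitialize, so the second attempt presumably runs against a symbol handler that was just torn down and fails the same way; either re-initialise between the two (`SymInitialize(GetCurrentProcess(), NULL, FALSE);` after the cleanup) or only unload the stale module and leave SymCleanup out of the retry. When the retry fails as well, the existing error path below it calls SymCleanup a second time. Where this function's SymInitialize lives is outside the hunk, so confirm the pairing there. EzPdbLoad starts and ends outside the hunk.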
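Review bot: `for (auto x : _KernelModules._KernelModuleListR0)` now copies a KernelModulesVector carrying two std::string members on every iteration, and the loop then appends `"+"` and the offset to the copy's `Name`, which only works because it is a copy; iterate with `const auto& x` and build the displayed text in a local, e.g. `std::string display = x.Name + "+" + ret.str(); _Model->setData(_Model->index(i, 3), display.data());`. The QueryIOCTLHook hunk that follows has the same per-iteration copy (it does not mutate `x`, so `const auto&` alone suffices there). GetIOCTLFunction starts and ends outside the hunk.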
@@ -234,25 +225,16 @@ bool IOCTLScanner::QueryIOCTLHook(ULONG64 Addr, KernelModules& _KernelModules, s for (int i = 0; i < 0x1b + 1; i++) { bool found = false; - std::string module_name; for (auto x : _KernelModules._KernelModuleListR0) { - if (x.Check == 1 || x.Check == 2) - { - module_name = W_TO_C((WCHAR*)x.Name); - } - else - { - module_name = (char*)x.Name; - } if (temp_list[i].Addr >= (ULONG64)x.Addr && temp_list[i].Addr < (ULONG64)x.Addr + (ULONG64)x.Size) { - if (module_name == "ntoskrnl.exe" && !temp_list[i].Check) + if (x.Name == "ntoskrnl.exe" && !temp_list[i].Check) { found = true; } - else if (name == module_name) + else if (name == x.Name) { found = true; } diff --git a/Medusa/KernelModules.cc b/Medusa/KernelModules.cc index 9e63158..15dc6ee 100644 --- a/Medusa/KernelModules.cc +++ b/Medusa/KernelModules.cc @@ -2,6 +2,8 @@ #include "ntdll.h" +#include "PDBInfo.h" + bool KernelModules::GetKernelModuleListR3() @@ -34,13 +36,13 @@ bool KernelModules::GetKernelModuleListR3() for (DWORD i = 0; i < mem->NumberOfModules; i++) { PRTL_PROCESS_MODULE_INFORMATION processModule = &mem->Modules[i]; - KernelModulesVector temp_list; - RtlZeroMemory(&temp_list, sizeof(KernelModulesVector)); + KernelModulesVector temp_list = { 0 }; temp_list.Check = false; temp_list.Addr = (ULONG64)processModule->ImageBase; temp_list.Size = processModule->ImageSize; - RtlCopyMemory(temp_list.Path, processModule->FullPathName, 256); - RtlCopyMemory(temp_list.Name, processModule->FullPathName + processModule->OffsetToFileName, 256 - processModule->OffsetToFileName); + temp_list.Path = (char*)processModule->FullPathName; + char* temp_str = (char*)(processModule->FullPathName + processModule->OffsetToFileName); + temp_list.Name = temp_str; _KernelModuleListR3.push_back(temp_list); } if (mem) @@ -48,6 +50,7 @@ bool KernelModules::GetKernelModuleListR3() delete mem; mem = NULL; } + _KernelModuleList = _KernelModuleListR3; return true; } 
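Review bot: In GetKernelModuleListR3, `temp_list.Path = (char*)processModule->FullPathName;` and the `Name` assignment two lines below build std::string from a fixed 256-byte kernel-supplied buffer with no length bound, whereas the removed RtlCopyMemory lines never read more than 256 bytes; if FullPathName ever fills the array without a terminator the read runs past the struct. A bounded form keeps the old guarantee: `temp_list.Path.assign((char*)processModule->FullPathName, strnlen((char*)processModule->FullPathName, 256));` and likewise for Name with the remaining `256 - processModule->OffsetToFileName` bytes (guarding the offset against exceeding 256). Whether the kernel guarantees termination here is not visible in the hunk. GetKernelModuleListR3 starts outside the hunk.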
@@ -74,18 +77,37 @@ bool KernelModules::GetKernelModuleListR0() } DWORD dwRet = 0; - KernelModulesVector* temp_list = (KernelModulesVector*)new char[process_number * sizeof(KernelModulesVector)]; + KernelModulesVector2* temp_list = (KernelModulesVector2*)new char[process_number * sizeof(KernelModulesVector2)]; if (!temp_list) { break; } - DeviceIoControl(m_hDevice, TEST_GetALLKernelModule, 0, 0, temp_list, sizeof(KernelModulesVector) * process_number, &dwRet, NULL); + DeviceIoControl(m_hDevice, TEST_GetALLKernelModule, 0, 0, temp_list, sizeof(KernelModulesVector2) * process_number, &dwRet, NULL); if (dwRet) { for (int i = 0; i < process_number; i++) { - _KernelModuleListR0.push_back(temp_list[i]); + KernelModulesVector temp_list2; + if (temp_list[i].Check) + { + temp_list2.Addr = temp_list[i].Addr; + temp_list2.Check = temp_list[i].Check; + temp_list2.DriverObject = temp_list[i].DriverObject; + temp_list2.Size = temp_list[i].Size; + temp_list2.Name = W_TO_C(temp_list[i].Name); + temp_list2.Path = temp_list[i].Path; + } + else + { + temp_list2.Addr = temp_list[i].Addr; + temp_list2.Check = temp_list[i].Check; + temp_list2.DriverObject = temp_list[i].DriverObject; + temp_list2.Size = temp_list[i].Size; + temp_list2.Name = (char*)(temp_list[i].Name); + temp_list2.Path = temp_list[i].Path; + } + _KernelModuleListR0.push_back(temp_list2); } } delete temp_list; @@ -95,7 +117,7 @@ bool KernelModules::GetKernelModuleListR0() } while (false); - + _KernelModuleList = _KernelModuleListR0; CloseHandle(m_hDevice); 
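Review bot: The `if (temp_list[i].Check)` / `else` branches in the new conversion loop are identical except for the `Name` line, so the five shared assignments should be written once and only the name conversion switched on `Check`, as below. The old code read the wide name through `W_TO_C((WCHAR*)x.Name)`, while the new `W_TO_C(temp_list[i].Name)` passes the raw field to a `std::wstring` parameter; whether that converts as intended depends on how `KernelModulesVector2::Name` is declared, which is outside this hunk, so confirm it. The `delete temp_list;` kept as context still pairs a `new char[]` allocation with scalar delete; a `std::vector<KernelModulesVector2> temp_list(process_number)` with `temp_list.data()` handed to DeviceIoControl removes that mismatch. GetKernelModuleListR0 starts and ends outside the hunk.
```cpp
			for (int i = 0; i < process_number; i++)
			{
				KernelModulesVector temp_list2;
				temp_list2.Addr = temp_list[i].Addr;
				temp_list2.Check = temp_list[i].Check;
				temp_list2.DriverObject = temp_list[i].DriverObject;
				temp_list2.Size = temp_list[i].Size;
				temp_list2.Path = temp_list[i].Path;
				// Only the name's encoding depends on Check (wide when set, narrow otherwise).
				temp_list2.Name = temp_list[i].Check ? W_TO_C(temp_list[i].Name)
				                                     : std::string((char*)(temp_list[i].Name));
				_KernelModuleListR0.push_back(temp_list2);
			}
```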
@@ -184,4 +206,196 @@ bool KernelModules::DumpDriver(ULONG64 Address, ULONG64 Size,void*buffer) } while (false); CloseHandle(m_hDevice); return false; +} + + + + +#define TEST_GetSSDTList CTL_CODE(FILE_DEVICE_UNKNOWN,0x7123,METHOD_BUFFERED ,FILE_ANY_ACCESS) +#define TEST_GetSSDTListNumber CTL_CODE(FILE_DEVICE_UNKNOWN,0x7124,METHOD_BUFFERED ,FILE_ANY_ACCESS) + +#define TEST_GetSSSDTList CTL_CODE(FILE_DEVICE_UNKNOWN,0x7125,METHOD_BUFFERED ,FILE_ANY_ACCESS) +#define TEST_GetSSSDTListNumber CTL_CODE(FILE_DEVICE_UNKNOWN,0x7126,METHOD_BUFFERED ,FILE_ANY_ACCESS) + +std::vector KernelModules::GetALLSSDT(bool Setting_SSDT_SSSDT_PDB) +{ + if (!_KernelModuleList.size()) + { + GetKernelModuleListR3(); + } + _SSDTALL.clear(); + + HANDLE m_hDevice = CreateFileA("\\\\.\\IO_Control", GENERIC_READ | GENERIC_WRITE, 0, + NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if (INVALID_HANDLE_VALUE == m_hDevice) + { + return _SSDTALL; + } + do + { + DWORD process_number = 0; + DeviceIoControl(m_hDevice, TEST_GetSSDTListNumber, 0, 0, 0, 0, &process_number, NULL); + if (!process_number) + { + break; + } + + DWORD dwRet = 0; + SSDT_STRUCT* temp_list = (SSDT_STRUCT*)new char[process_number * sizeof(SSDT_STRUCT)]; + if (!temp_list) + { + break; + } + + DeviceIoControl(m_hDevice, TEST_GetSSDTList, 0, 0, temp_list, sizeof(SSDT_STRUCT) * process_number, &dwRet, NULL); + if (dwRet) + { + ModuleExportFunc _ModuleExportFunc; + + int index = GetDriversListIndexFromAddress(temp_list[0].Addr); + + bool use_pdb = false; + PDBInfo _PDBInfo; + if (index != -1 && (_PDBInfo.QueryDownLoad(ConvertSystemRootPath(_KernelModuleList[index].Path)) || Setting_SSDT_SSSDT_PDB)) + { + _PDBInfo.DownLoad(ConvertSystemRootPath(_KernelModuleList[index].Path), _KernelModuleList[index].Addr); + _PDBInfo.GetALL(); + use_pdb = true; + } + std::vector ntos_func; + if (index != -1 && use_pdb == false) + { + ntos_func = _ModuleExportFunc.GetExportFunc( + _KernelModuleList[index].Addr, 
ConvertSystemRootPath(_KernelModuleList[index].Path)); + } + for (int i = 0; i < process_number; i++) + { + SSDT_STRUCT2 temp_SSDT_STRUCT; + temp_SSDT_STRUCT.Addr = temp_list[i].Addr; + temp_SSDT_STRUCT.Index = temp_list[i].Index; + temp_SSDT_STRUCT.FuncName = ""; + temp_SSDT_STRUCT.Modules = ""; + if (index != -1) + { + if (use_pdb) + { + for (auto x : _PDBInfo._Symbol) + { + if (temp_list[i].Addr == x.Addr) + { + temp_SSDT_STRUCT.FuncName = x.Name; + break; + } + } + } + else + { + for (auto x : ntos_func) + { + if (x.Addr == temp_SSDT_STRUCT.Addr) + { + temp_SSDT_STRUCT.FuncName = x.Name; + break; + } + } + } + temp_SSDT_STRUCT.Modules = _KernelModuleList[index].Name; + } + _SSDTALL.push_back(temp_SSDT_STRUCT); + } + } + delete temp_list; + } while (false); + CloseHandle(m_hDevice); + return _SSDTALL; +} + + +std::vector KernelModules::GetALLShadowSSDT(bool Setting_SSDT_SSSDT_PDB) +{ + if (!_KernelModuleList.size()) + { + GetKernelModuleListR3(); + } + _SSDTALL.clear(); + + HANDLE m_hDevice = CreateFileA("\\\\.\\IO_Control", GENERIC_READ | GENERIC_WRITE, 0, + NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if (INVALID_HANDLE_VALUE == m_hDevice) + { + return _SSDTALL; + } + do + { + DWORD process_number = 0; + DeviceIoControl(m_hDevice, TEST_GetSSSDTListNumber, 0, 0, 0, 0, &process_number, NULL); + if (!process_number) + { + break; + } + + DWORD dwRet = 0; + SSDT_STRUCT* temp_list = (SSDT_STRUCT*)new char[process_number * sizeof(SSDT_STRUCT)]; + if (!temp_list) + { + break; + } + + DeviceIoControl(m_hDevice, TEST_GetSSSDTList, 0, 0, temp_list, sizeof(SSDT_STRUCT) * process_number, &dwRet, NULL); + if (dwRet) + { + ModuleExportFunc _ModuleExportFunc; + //没符号的情况下不支持查看了 + /*std::vector win32k_func = _ModuleExportFunc.GetExportFunc( + _KernelModuleList[GetDriversListIndexFromName("win32k.sys")].Addr, + ConvertSystemRootPath(_KernelModuleList[GetDriversListIndexFromName("win32k.sys")].Path));*/ + + int index = GetDriversListIndexFromAddress(temp_list[0].Addr); + 
bool use_pdb = false; + PDBInfo _PDBInfo; + if (index != -1 && (_PDBInfo.QueryDownLoad(ConvertSystemRootPath(_KernelModuleList[index].Path)) || Setting_SSDT_SSSDT_PDB)) + { + _PDBInfo.DownLoad(ConvertSystemRootPath(_KernelModuleList[index].Path), _KernelModuleList[index].Addr); + _PDBInfo.GetALL(); + use_pdb = true; + } + + + for (int i = 0; i < process_number; i++) + { + SSDT_STRUCT2 temp_SSDT_STRUCT; + temp_SSDT_STRUCT.Addr = temp_list[i].Addr; + temp_SSDT_STRUCT.Index = temp_list[i].Index; + temp_SSDT_STRUCT.FuncName = ""; + temp_SSDT_STRUCT.Modules = ""; + if (GetDriversListIndexFromAddress(temp_list[0].Addr)) + { + /*for (auto x : win32k_func) + { + if (x.Addr == temp_SSDT_STRUCT.Addr) + { + temp_SSDT_STRUCT.FuncName = x.Name; + break; + } + }*/ + temp_SSDT_STRUCT.Modules = _KernelModuleList[GetDriversListIndexFromAddress(temp_list[0].Addr)].Name; + } + if (use_pdb) + { + for (auto x : _PDBInfo._Symbol) + { + if (temp_list[i].Addr == x.Addr) + { + temp_SSDT_STRUCT.FuncName = x.Name; + break; + } + } + } + _SSDTALL.push_back(temp_SSDT_STRUCT); + } + } + delete temp_list; + } while (false); + CloseHandle(m_hDevice); + return _SSDTALL; } \ No newline at end of file diff --git a/Medusa/KernelModules.h b/Medusa/KernelModules.h index b67b152..217d6bf 100644 --- a/Medusa/KernelModules.h +++ b/Medusa/KernelModules.h @@ -13,9 +13,10 @@ #include #include +#include "ModuleExportFunc.h" -struct KernelModulesVector +struct KernelModulesVector2 { ULONG64 Addr; ULONG64 Size; @@ -25,6 +26,16 @@ struct KernelModulesVector USHORT Check; }; +struct KernelModulesVector +{ + ULONG64 Addr; + ULONG64 Size; + ULONG64 DriverObject; + std::string Name; + std::string Path; + USHORT Check; +}; + struct KernelUnloadModules { ULONG64 Addr; 
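Review bot: In GetALLShadowSSDT the per-entry test `if (GetDriversListIndexFromAddress(temp_list[0].Addr))` treats the index as a boolean, so a module found at index 0 is skipped and a miss (-1) is truthy and then indexes `_KernelModuleList[-1]`; it must compare against -1, and like the `Modules` assignment in GetALLSSDT it should look up `temp_list[i].Addr` rather than entry 0, because a service whose target lies outside the table owner's image is exactly what a hooked entry looks like and currently inherits the owner module's name. Both functions also loop over `process_number` entries regardless of `dwRet`, the byte count the driver actually wrote, and free a `new char[]` block with scalar `delete`; a `std::vector<SSDT_STRUCT> temp_list(process_number)` passed via `.data()` and a loop bound of `dwRet / sizeof(SSDT_STRUCT)` fix both. GetALLShadowSSDT clears, fills and returns `_SSDTALL` although `_SSSDTALL` is declared for it in KernelModules.h, so a caller still holding the SSDT result sees it replaced by the shadow table. The rewritten shadow-table loop is below; the same per-entry lookup applies to the loop in GetALLSSDT.
```cpp
			for (DWORD i = 0; i < dwRet / sizeof(SSDT_STRUCT); i++)
			{
				SSDT_STRUCT2 temp_SSDT_STRUCT;
				temp_SSDT_STRUCT.Addr = temp_list[i].Addr;
				temp_SSDT_STRUCT.Index = temp_list[i].Index;
				temp_SSDT_STRUCT.FuncName = "";
				temp_SSDT_STRUCT.Modules = "";
				// Per-entry owner lookup; -1 means no loaded module covers this address,
				// which is itself worth surfacing (the column stays empty).
				const int owner = GetDriversListIndexFromAddress(temp_list[i].Addr);
				if (owner != -1)
				{
					temp_SSDT_STRUCT.Modules = _KernelModuleList[owner].Name;
				}
				// … unchanged: FuncName lookup in _PDBInfo._Symbol when use_pdb …
				_SSSDTALL.push_back(temp_SSDT_STRUCT);
			}
```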
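Review bot: `KernelModulesVector2` in this hunk and `SSDT_STRUCT` in the next are the raw layouts that DeviceIoControl copies byte-for-byte from the driver, while `KernelModulesVector` and `SSDT_STRUCT2` are the std::string views of the same data, but nothing in the header says which is which, so a field added to the wrong struct silently desynchronises user and kernel. Suggest a header comment on each wire struct, e.g. `// Wire layout shared with MedusaKernel (TEST_GetALLKernelModule); must stay trivially copyable and byte-identical to the kernel-side definition.`, together with `static_assert(std::is_trivially_copyable<SSDT_STRUCT>::value, "IOCTL payload");` beside it. Which side is authoritative for the layout is not visible here.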
@@ -34,6 +45,20 @@ struct KernelUnloadModules USHORT Check; }; +struct SSDT_STRUCT +{ + ULONG64 Index; + ULONG64 Addr; +}; + +struct SSDT_STRUCT2 +{ + ULONG64 Index; + ULONG64 Addr; + std::string FuncName; + std::string Modules; +}; + class KernelModules { public: 
@@ -44,11 +69,96 @@ class KernelModules bool GetKernelModuleListR0(); bool GetUnLoadKernelModuleListR0(); bool DumpDriver(ULONG64 Address, ULONG64, void*); + std::vector GetALLSSDT(bool); + std::vector GetALLShadowSSDT(bool); +public: + bool KernelModules::IsAddressInAnyDriversList(ULONG64 Address) + { + for (auto x : _KernelModuleList) + { + if (Address >= x.Addr && Address < x.Addr + x.Size) + return true; + } + return false; + } + int KernelModules::GetDriversListIndexFromAddress(ULONG64 Address) + { + int i = 0; + for (auto x : _KernelModuleList) + { + if (Address >= x.Addr && Address < x.Addr + x.Size) + { + return i; + } + i++; + } + return -1; + } + int KernelModules::GetDriversListIndexFromName(std::string name) + { + int i = 0; + for (auto x : _KernelModuleList) + { + if (name == x.Name) + { + return i; + } + i++; + } + return -1; + } + bool KernelModules::IsAddressInDriversList(KernelModulesVector KernelModule, ULONG64 Address) + { + if (Address >= (ULONG64)KernelModule.Addr && + Address < (ULONG64)KernelModule.Addr + (ULONG64)KernelModule.Size) + { + return true; + } + return false; + } public: std::vector _KernelModuleListR3; std::vector _KernelModuleListR0; + std::vector _KernelModuleList; std::vector _KernelUnLoadModuleListR0; + std::vector _SSDTALL; + std::vector _SSSDTALL; private: + std::wstring C_TO_W(std::string str) + { + std::wstring result; + DWORD strsize = MultiByteToWideChar(CP_ACP, 0, str.data(), -1, NULL, 0); + wchar_t* pwstr = new wchar_t[strsize]; + MultiByteToWideChar(CP_ACP, 0, str.data(), -1, pwstr, strsize); + result = pwstr; + delete[] pwstr; + return result; + } + std::string W_TO_C(std::wstring str) + { + std::string result; + DWORD strsize = WideCharToMultiByte(CP_ACP, 0, str.data(), -1, NULL, 0, NULL, NULL); + char* pstr = new char[strsize]; + WideCharToMultiByte(CP_ACP, 0, str.data(), -1, pstr, strsize, NULL, NULL); + result = pstr; + return result; + } + std::string ConvertSystemRootPath(const std::string& path) { + // 获取系统目录 
+ char systemDir[MAX_PATH]; + GetSystemDirectoryA(systemDir, MAX_PATH); + + // 获取 Windows 目录 + char windowsDir[MAX_PATH]; + GetWindowsDirectoryA(windowsDir, MAX_PATH); + + // 检查路径是否以 \SystemRoot 开头 + if (path.find("\\SystemRoot") == 0) { + // 替换为 Windows 目录 + return std::string(windowsDir) + path.substr(strlen("\\SystemRoot")); + } + return path; // 如果不匹配,返回原路径 + } }; diff --git a/Medusa/Medusa.cpp b/Medusa/Medusa.cpp index 0320cec..f359fc5 100644 --- a/Medusa/Medusa.cpp +++ b/Medusa/Medusa.cpp @@ -23,7 +23,8 @@ Medusa::Medusa(QWidget *parent) DriverUI(); UnloadDriverUI(); CallBackListUI(); - + SSDTListUI(); + ShadowSSDTListUI(); ProcessRightMenuUI(); @@ -216,16 +217,28 @@ void Medusa::PdbMenu(QAction* action) _PDBView.show(); return; } + if (action->text().toStdString().find("SSDT& SSSDT Use PDB") != std::string::npos) + { + _Setting_SSDT_SSSDT_PDB = !_Setting_SSDT_SSSDT_PDB; + if (_Setting_SSDT_SSSDT_PDB) + { + action->setText(u8"√ SSDT& SSSDT Use PDB"); + } + else + { + action->setText(u8"× SSDT& SSSDT Use PDB"); + } + } if (action->text().toStdString().find("Use microsoft server") != std::string::npos) { - action->setText(u8"Use microsoft server √"); - ui.actionUse_order_server->setText(u8"Use Order Server ×"); + action->setText(u8"√ Use microsoft server"); + ui.actionUse_order_server->setText(u8"× Use Order Server"); _PDBView._PDBInfo._SymbolServer = "https://msdl.microsoft.com/download/symbols/"; } if (action->text().toStdString().find("Use Order Server") != std::string::npos) { - action->setText(u8"Use Order Server √"); - ui.actionUse_microsoft_server->setText(u8"Use microsoft server ×"); + action->setText(u8"√ Use Order Server"); + ui.actionUse_microsoft_server->setText(u8"× Use microsoft server"); _PDBView._PDBInfo._SymbolServer = "https://msdl.szdyg.cn/download/symbols/"; } if (action->text() == "SendPDBInfo") 
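Review bot: `W_TO_C` allocates `pstr` with `new char[strsize]` and returns without freeing it, while its twin `C_TO_W` does `delete[] pwstr`; add `delete[] pstr;` before `return result;`, or drop the raw buffer entirely with `std::string result(strsize ? strsize - 1 : 0, '\0'); WideCharToMultiByte(CP_ACP, 0, str.data(), -1, result.data(), strsize, NULL, NULL);`. Neither helper checks for a zero return from the size query, in which case `new wchar_t[0]` is followed by a write of up to `strsize` characters. The in-class definitions are spelled `bool KernelModules::IsAddressInAnyDriversList(...)`; a qualified name on an in-class member definition is an MSVC extension, so drop the `KernelModules::` prefix on the four helpers if another compiler is ever a target. In `ConvertSystemRootPath`, `systemDir` is filled by `GetSystemDirectoryA` and never read.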
@@ -620,18 +633,9 @@ void Medusa::DriverRightMenuIOCTLScanner(QAction* action) { if (x.DriverObject) { - std::string module_name; - if (x.Check == 1 || x.Check == 2) - { - module_name = W_TO_C((WCHAR*)x.Name); - } - else + if (_IOCTLScanner.QueryIOCTLHook(x.DriverObject, _KernelModules, x.Name)) { - module_name = (char*)x.Name; - } - if (_IOCTLScanner.QueryIOCTLHook(x.DriverObject, _KernelModules, module_name)) - { - ret = ret + module_name + "\r\n"; + ret = ret + x.Name + "\r\n"; } } } @@ -674,6 +678,14 @@ void Medusa::ChangeTab() { GetALLCallBackList(); } + else if (ui.tabWidget->currentIndex() == 4) + { + GetSSDT(); + } + else if (ui.tabWidget->currentIndex() == 5) + { + GetShadowSSDT(); + } } @@ -1202,14 +1214,7 @@ void Medusa::GetKernelModuleList() { _Model_Driver->setVerticalHeaderItem(i, new QStandardItem); _Model_Driver->setData(_Model_Driver->index(i, 0), i); - if (x.Check == 1 || x.Check == 2) - { - _Model_Driver->setData(_Model_Driver->index(i, 1), QString::fromWCharArray((WCHAR*)x.Name)); - } - else - { - _Model_Driver->setData(_Model_Driver->index(i, 1), (char*)x.Name); - } + _Model_Driver->setData(_Model_Driver->index(i, 1), x.Name.data()); std::ostringstream ret; ret << std::hex << "0x" << (ULONG64)x.Addr; 
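Review bot: ChangeTab dispatches on `currentIndex() == 4` and `== 5`, constants that only line up because this same commit reorders the tab pages in Medusa.ui (SSDT and SSSDT now follow UnloadDriver and CallBackList), so a later drag in the designer silently reroutes which refresh runs. Comparing the page widget instead, `if (ui.tabWidget->currentWidget() == ui.<ssdt page widget>)` (placeholder: use the page's objectName from Medusa.ui, which is not visible here), survives reordering. ChangeTab starts outside the hunk.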
@@ -1217,49 +1222,23 @@ void Medusa::GetKernelModuleList() std::ostringstream ret2; ret2 << std::hex << "0x" << (ULONG64)x.Size; _Model_Driver->setData(_Model_Driver->index(i, 3), ret2.str().data()); - if (x.Check == 1 || x.Check == 2) - { - std::wstring temp_wstr = (WCHAR*)x.Path; - temp_wstr = ReplaceStr(temp_wstr, L"\\SystemRoot\\", L"C:\\Windows\\"); - temp_wstr = ReplaceStr(temp_wstr, L"\\??\\", L""); - _Model_Driver->setData(_Model_Driver->index(i, 4), QString::fromWCharArray(temp_wstr.data())); - } - else - { - std::string temp_str = x.Path; - temp_str = ReplaceStr2(temp_str, "\\SystemRoot\\", "C:\\Windows\\"); - temp_str = ReplaceStr2(temp_str, "\\??\\", ""); - _Model_Driver->setData(_Model_Driver->index(i, 4), temp_str.data()); - } - if (x.Check == 1 || x.Check == 2) + + std::string temp_str = x.Path; + temp_str = ReplaceStr2(temp_str, "\\SystemRoot\\", "C:\\Windows\\"); + temp_str = ReplaceStr2(temp_str, "\\??\\", ""); + _Model_Driver->setData(_Model_Driver->index(i, 4), temp_str.data()); + + std::wstring retStr; + std::wstring temp_wstr = C_TO_W(x.Path); + temp_wstr = ReplaceStr(temp_wstr, L"\\SystemRoot\\", L"C:\\Windows\\"); + temp_wstr = ReplaceStr(temp_wstr, L"\\??\\", L""); + if (_Process.QueryValue(L"FileDescription", temp_wstr.data(), retStr)) { - std::wstring retStr; - std::wstring temp_wstr = (WCHAR*)x.Path; - temp_wstr = ReplaceStr(temp_wstr, L"\\SystemRoot\\", L"C:\\Windows\\"); - temp_wstr = ReplaceStr(temp_wstr, L"\\??\\", L""); - if (_Process.QueryValue(L"FileDescription", temp_wstr.data(), retStr)) - { - _Model_Driver->setData(_Model_Driver->index(i, 5), QString::fromWCharArray(retStr.data())); - } - else - { - _Model_Driver->setData(_Model_Driver->index(i, 5), ""); - } + _Model_Driver->setData(_Model_Driver->index(i, 5), QString::fromWCharArray(retStr.data())); } else { - std::wstring retStr; - std::wstring temp_wstr = C_TO_W(x.Path); - temp_wstr = ReplaceStr(temp_wstr, L"\\SystemRoot\\", L"C:\\Windows\\"); - temp_wstr = 
ReplaceStr(temp_wstr, L"\\??\\", L""); - if (_Process.QueryValue(L"FileDescription", temp_wstr.data(), retStr)) - { - _Model_Driver->setData(_Model_Driver->index(i, 5), QString::fromWCharArray(retStr.data())); - } - else - { - _Model_Driver->setData(_Model_Driver->index(i, 5), ""); - } + _Model_Driver->setData(_Model_Driver->index(i, 5), ""); } std::ostringstream ret3; @@ -1303,7 +1282,7 @@ void Medusa::GetKernelModuleList() { _Model_Driver->setVerticalHeaderItem(i, new QStandardItem); _Model_Driver->setData(_Model_Driver->index(i, 0), i); - _Model_Driver->setData(_Model_Driver->index(i, 1), (char*)x.Name); + _Model_Driver->setData(_Model_Driver->index(i, 1), x.Name.data()); std::ostringstream ret; ret << std::hex << "0x" << (ULONG64)x.Addr; _Model_Driver->setData(_Model_Driver->index(i, 2), ret.str().data()); @@ -1338,7 +1317,6 @@ void Medusa::GetKernelModuleList() void Medusa::GetUnLoadKernelModuleList() { _Model_UnloadDriver->removeRows(0, _Model_UnloadDriver->rowCount()); - KernelModules _KernelModules; _KernelModules.GetUnLoadKernelModuleListR0(); if (!_KernelModules._KernelUnLoadModuleListR0.size()) { @@ -1408,15 +1386,7 @@ void Medusa::GetALLCallBackList() if (x.PreOperation >= (ULONG64)y.Addr && x.PreOperation < (ULONG64)y.Addr + (ULONG64)y.Size) { - if (y.Check == 1 || y.Check == 2) - { - module_name = W_TO_C((WCHAR*)y.Name); - } - else - { - module_name = (char*)y.Name; - } - + module_name = y.Name; found = true; module_name = module_name + "+"; std::ostringstream ret; @@ -1427,15 +1397,7 @@ void Medusa::GetALLCallBackList() x.PostOperation >= (ULONG64)y.Addr && x.PostOperation < (ULONG64)y.Addr + (ULONG64)y.Size) { - if (y.Check == 1 || y.Check == 2) - { - module_name = W_TO_C((WCHAR*)y.Name); - } - else - { - module_name = (char*)y.Name; - } - + module_name = y.Name; module_name = module_name + "+"; std::ostringstream ret; ret << std::hex << "0x" << x.PostOperation - y.Addr; 
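Review bot: The path shown in column 4 is built with `ReplaceStr2(temp_str, "\\SystemRoot\\", "C:\\Windows\\")`, hard-coding the Windows directory, while this same commit adds `KernelModules::ConvertSystemRootPath`, which resolves `\SystemRoot` through `GetWindowsDirectoryA`; on a system whose Windows directory is not `C:\Windows` the two code paths disagree and the `FileDescription` lookup below fails. Route both the displayed path and `temp_wstr` through that helper (currently private in KernelModules.h, so it would need to become public or move to a shared utility), keeping only the `\\??\\` strip here. GetKernelModuleList starts and ends outside the hunk.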
@@ -1489,6 +1451,42 @@ void Medusa::GetALLCallBackList() _Model_CallBackList->item(i, 4)->setBackground(temp_color); _Model_CallBackList->item(i, 5)->setBackground(temp_color); + i++; + } +} + +void Medusa::GetSSDT() +{ + _Model_SSDT->removeRows(0, _Model_SSDT->rowCount()); + std::vector temp_vector = _KernelModules.GetALLSSDT(_Setting_SSDT_SSSDT_PDB); + int i = 0; + for (auto x : temp_vector) + { + _Model_SSDT->setVerticalHeaderItem(i, new QStandardItem); + _Model_SSDT->setData(_Model_SSDT->index(i, 0), i); + _Model_SSDT->setData(_Model_SSDT->index(i, 1), x.FuncName.data()); + std::ostringstream ret; + ret << std::hex << "0x" << (ULONG64)x.Addr; + _Model_SSDT->setData(_Model_SSDT->index(i, 2), ret.str().data()); + _Model_SSDT->setData(_Model_SSDT->index(i, 3), x.Modules.data()); + i++; + } +} + +void Medusa::GetShadowSSDT() +{ + _Model_SSSDT->removeRows(0, _Model_SSSDT->rowCount()); + std::vector temp_vector = _KernelModules.GetALLShadowSSDT(_Setting_SSDT_SSSDT_PDB); + int i = 0; + for (auto x : temp_vector) + { + _Model_SSSDT->setVerticalHeaderItem(i, new QStandardItem); + _Model_SSSDT->setData(_Model_SSSDT->index(i, 0), i); + _Model_SSSDT->setData(_Model_SSSDT->index(i, 1), x.FuncName.data()); + std::ostringstream ret; + ret << std::hex << "0x" << (ULONG64)x.Addr; + _Model_SSSDT->setData(_Model_SSSDT->index(i, 2), ret.str().data()); + _Model_SSSDT->setData(_Model_SSSDT->index(i, 3), x.Modules.data()); i++; } } \ No newline at end of file diff --git a/Medusa/Medusa.h b/Medusa/Medusa.h index 5eaf220..3fd28f6 100644 --- a/Medusa/Medusa.h +++ b/Medusa/Medusa.h @@ -59,6 +59,8 @@ public slots: void GetKernelModuleList(); void GetUnLoadKernelModuleList(); void GetALLCallBackList(); + void GetSSDT(); + void GetShadowSSDT(); public: void DriverLoad(QAction*); void RightMenuDLLInject(QAction*); 
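Review bot: GetSSDT and GetShadowSSDT are line-for-line copies differing only in the model pointer and the KernelModules call, and each copies the returned vector into `temp_vector` and then copies every element again through `for (auto x : ...)`; a single static helper taking the model and a `const std::vector<SSDT_STRUCT2>&` removes the duplication and the per-row copies, as below. The element type is inferred from what GetALLSSDT pushes (`SSDT_STRUCT2`), since the declaration's template argument is lost in this patch view; confirm against Medusa.h. The tail of GetALLCallBackList at the top of the hunk is context only.
```cpp
// Fills one four-column syscall-table view; shared by GetSSDT() and GetShadowSSDT().
static void FillSyscallTableModel(QStandardItemModel* model, const std::vector<SSDT_STRUCT2>& entries)
{
	model->removeRows(0, model->rowCount());
	int i = 0;
	for (const auto& x : entries)
	{
		model->setVerticalHeaderItem(i, new QStandardItem);
		model->setData(model->index(i, 0), i);
		model->setData(model->index(i, 1), x.FuncName.data());
		std::ostringstream ret;
		ret << std::hex << "0x" << (ULONG64)x.Addr;
		model->setData(model->index(i, 2), ret.str().data());
		model->setData(model->index(i, 3), x.Modules.data());
		i++;
	}
}

void Medusa::GetSSDT()
{
	FillSyscallTableModel(_Model_SSDT, _KernelModules.GetALLSSDT(_Setting_SSDT_SSSDT_PDB));
}

void Medusa::GetShadowSSDT()
{
	FillSyscallTableModel(_Model_SSSDT, _KernelModules.GetALLShadowSSDT(_Setting_SSDT_SSSDT_PDB));
}
```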
@@ -72,6 +74,7 @@ public slots: void RightMenuR3ModuleScanner(ULONG64 PID); private: bool _Driver_Loaded = false; + bool _Setting_SSDT_SSSDT_PDB = false; private: Process _Process; Driver_Load _Driver_Load; @@ -95,6 +98,8 @@ public slots: QStandardItemModel* _Model_Driver; QStandardItemModel* _Model_UnloadDriver; QStandardItemModel* _Model_CallBackList; + QStandardItemModel* _Model_SSDT; + QStandardItemModel* _Model_SSSDT; private: QMenu _TableView_Menu_Inject; QAction _TableView_Action_Inject; 
@@ -228,6 +233,46 @@ public slots: ui.tableView_CallBackList->setColumnWidth(5, 200); ui.tableView_CallBackList->setHorizontalScrollBarPolicy(Qt::ScrollBarAlwaysOff); } + void SSDTListUI() + { + _Model_SSDT = new QStandardItemModel(); + ui.tableView_SSDT->setModel(_Model_SSDT); + ui.tableView_SSDT->setEditTriggers(QAbstractItemView::NoEditTriggers); + ui.tableView_SSDT->horizontalHeader()->setSectionsClickable(false); + ui.tableView_SSDT->verticalHeader()->setDefaultSectionSize(25); + ui.tableView_SSDT->setSelectionBehavior(QAbstractItemView::SelectRows); + + _Model_SSDT->setColumnCount(4); + _Model_SSDT->setHeaderData(0, Qt::Horizontal, u8"Index"); + _Model_SSDT->setHeaderData(1, Qt::Horizontal, u8"Name"); + _Model_SSDT->setHeaderData(2, Qt::Horizontal, u8"Addr"); + _Model_SSDT->setHeaderData(3, Qt::Horizontal, u8"Moudle"); + ui.tableView_SSDT->setColumnWidth(0, 50); + ui.tableView_SSDT->setColumnWidth(1, 400); + ui.tableView_SSDT->setColumnWidth(2, 300); + ui.tableView_SSDT->setColumnWidth(3, 300); + ui.tableView_SSDT->setHorizontalScrollBarPolicy(Qt::ScrollBarAlwaysOff); + } + void ShadowSSDTListUI() + { + _Model_SSSDT = new QStandardItemModel(); + ui.tableView_SSSDT->setModel(_Model_SSSDT); + ui.tableView_SSSDT->setEditTriggers(QAbstractItemView::NoEditTriggers); + ui.tableView_SSSDT->horizontalHeader()->setSectionsClickable(false); + ui.tableView_SSSDT->verticalHeader()->setDefaultSectionSize(25); + ui.tableView_SSSDT->setSelectionBehavior(QAbstractItemView::SelectRows); + + _Model_SSSDT->setColumnCount(4); + _Model_SSSDT->setHeaderData(0, Qt::Horizontal, u8"Index"); + _Model_SSSDT->setHeaderData(1, Qt::Horizontal, u8"Name"); + _Model_SSSDT->setHeaderData(2, Qt::Horizontal, u8"Addr"); + _Model_SSSDT->setHeaderData(3, Qt::Horizontal, u8"Moudle"); + ui.tableView_SSSDT->setColumnWidth(0, 50); + ui.tableView_SSSDT->setColumnWidth(1, 400); + ui.tableView_SSSDT->setColumnWidth(2, 300); + ui.tableView_SSSDT->setColumnWidth(3, 300); + 
ui.tableView_SSSDT->setHorizontalScrollBarPolicy(Qt::ScrollBarAlwaysOff); + } public: void ProcessRightMenuUI() { diff --git a/Medusa/Medusa.ui b/Medusa/Medusa.ui index 50e99a1..bcca2ae 100644 --- a/Medusa/Medusa.ui +++ b/Medusa/Medusa.ui @@ -74,11 +74,11 @@ - + - SSDT + UnloadDriver - + 10 @@ -98,11 +98,11 @@ - + - SSSDT + CallBackList - + 10 @@ -122,11 +122,11 @@ - + - UnloadDriver + SSDT - + 10 @@ -146,11 +146,11 @@ - + - CallBackList + SSSDT - + 10 @@ -265,6 +265,7 @@ + @@ -369,12 +370,12 @@ - Use microsoft server 鈭 + 鈭 Use microsoft server - Use Order Server 脳 + x Use Order Server @@ -392,6 +393,11 @@ INFO + + + 脳 SSDT& SSSDT Use PDB + + diff --git a/Medusa/Medusa.vcxproj b/Medusa/Medusa.vcxproj index 67dcadb..48ef6bd 100644 --- a/Medusa/Medusa.vcxproj +++ b/Medusa/Medusa.vcxproj @@ -159,7 +159,6 @@ - @@ -188,7 +187,6 @@ - @@ -214,6 +212,7 @@ Document + diff --git a/Medusa/Medusa.vcxproj.filters b/Medusa/Medusa.vcxproj.filters index 6209a6c..38a5588 100644 --- a/Medusa/Medusa.vcxproj.filters +++ b/Medusa/Medusa.vcxproj.filters @@ -193,9 +193,6 @@ Source Files - - Source Files - Source Files @@ -249,14 +246,12 @@ Header Files\SymParser - - Header Files - Source Files + diff --git a/Medusa/PDBInfo.cc b/Medusa/PDBInfo.cc index 72fac4a..da2551a 100644 --- a/Medusa/PDBInfo.cc +++ b/Medusa/PDBInfo.cc @@ -1,4 +1,4 @@ -#include "PDBInfo.h" +锘#include "PDBInfo.h" #include #include "KernelModules.h" @@ -9,15 +9,19 @@ bool PDBInfo::DownLoadNtos() { + if (_Pdb.hPdbFile) + { + EzPdbUnload(&_Pdb); + } _BaseAddr = 0; _Symbol.clear(); std::string pe_file_path = std::string(std::getenv("systemroot")) + "\\System32\\ntoskrnl.exe"; KernelModules _KernelModules; _KernelModules.GetKernelModuleListR3(); - for (auto x : _KernelModules._KernelModuleListR3) + for (auto x : _KernelModules._KernelModuleList) { - if (std::string((char*)x.Name) == "ntoskrnl.exe") + if (x.Name == "ntoskrnl.exe") { _BaseAddr = x.Addr; break; 
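Review bot: Both new table setups label column 3 `u8"Moudle"`, a typo in a user-visible header; change both `setHeaderData(3, Qt::Horizontal, u8"Moudle")` calls to `u8"Module"`. SSDTListUI and ShadowSSDTListUI are otherwise identical apart from the model and view names, so one helper taking `QTableView*` and `QStandardItemModel*&` would keep the two tabs from drifting.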
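Review bot: The only change in the first PDBInfo.cc hunk is that `#include "PDBInfo.h"` gains a leading byte-order mark, and the later hunks at @@ -205 and @@ -331 show the Chinese comments `//默认中文环境` and `// 处理指向的类型` replaced by `//榛樿涓枃鐜` and `// 澶勭悊鎸囧悜鐨勭被鍨`, i.e. readable text re-encoded into mojibake, which points to the file having been saved through the wrong code page rather than a deliberate edit. Re-save PDBInfo.cc as UTF-8 from the original bytes so the comments survive (the BOM can stay if the project wants it); as rendered in this patch the Medusa.ui `√`/`×` menu prefixes show the same `鈭`/`脳` symptom and deserve the same check. The affected lines are comments only, so behaviour is unaffected, but any non-ASCII runtime string in the same file would have been damaged the same way.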
@@ -77,6 +81,10 @@ bool PDBInfo::DownLoadNtos() bool PDBInfo::DownLoad(std::string path, bool use_bassaddr) { + if (_Pdb.hPdbFile) + { + EzPdbUnload(&_Pdb); + } _BaseAddr = 0; _Symbol.clear(); @@ -94,7 +102,7 @@ bool PDBInfo::DownLoad(std::string path, bool use_bassaddr) _KernelModules.GetKernelModuleListR3(); for (auto x : _KernelModules._KernelModuleListR3) { - if (Case_Upper((char*)x.Name) == Case_Upper(std::string(fname) + ext)) + if (Case_Upper(x.Name) == Case_Upper(std::string(fname) + ext)) { _BaseAddr = x.Addr; break; @@ -176,6 +184,39 @@ bool PDBInfo::DownLoad(std::string path, bool use_bassaddr) return false; } +bool PDBInfo::QueryDownLoad(std::string path) +{ + std::string symbolpath; + if (std::getenv("_NT_SYMBOL_PATH")) + { + symbolpath = std::getenv("_NT_SYMBOL_PATH"); + if (symbolpath.find("SRV") != std::string::npos) + { + std::vector temp_vector = Split(symbolpath, "*"); + for (auto x : temp_vector) + { + if (PathFileExistsA(x.c_str())) + { + symbolpath = x; + break; + } + } + } + } + std::string pdb_path = symbolpath + "\\" + GetPdbPath(path); + if (PathFileExistsA(pdb_path.c_str())) + { + return true; + } + char szDownloadDir[MAX_PATH] = { 0 }; + GetCurrentDirectoryA(sizeof(szDownloadDir), szDownloadDir); + pdb_path = std::string(szDownloadDir) + "\\" + GetPdbPath(path); + if (PathFileExistsA(pdb_path.c_str())) + { + return true; + } + return false; +} struct MyStruct { @@ -205,7 +246,7 @@ BOOL PsymEnumeratesymbolsCallback( NTOSSYMBOL temp_list; RtlZeroMemory(&temp_list, sizeof(NTOSSYMBOL)); temp_list.Addr = pSymInfo->Address - pSymInfo->ModBase + _MyStruct->_BaseAddr; - temp_list.Name = GBK_To_UTF8(pSymInfo->Name);//默认中文环境 + temp_list.Name = GBK_To_UTF8(pSymInfo->Name);//榛樿涓枃鐜 temp_list.RVA = pSymInfo->Address - pSymInfo->ModBase; temp_list.Size = pSymInfo->Size; _MyStruct->temp_vector->push_back(temp_list); 
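Review bot: In QueryDownLoad, when `_NT_SYMBOL_PATH` contains `SRV` but none of the `*`-separated components exists as a directory, `symbolpath` keeps the whole `SRV*...` string and `pdb_path` becomes `SRV*...\<pdb>`, which PathFileExistsA rejects; the fall-through to the current directory still works, but the intent is clearer with a flag: `bool found = false;` before the loop, `found = true;` next to `symbolpath = x;`, and `if (!found) symbolpath.clear();` after it. Semicolon-separated multi-path values and a `cache*` prefix are not handled and fall to the same rejection. The check is existence-only; if `GetPdbPath` already embeds the GUID/age in the returned path the match is implied, otherwise a same-named PDB from another build is reported as present. DownLoad and PsymEnumeratesymbolsCallback, touched by the other hunks on this line, start outside their hunks.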
@@ -214,6 +255,7 @@ BOOL PsymEnumeratesymbolsCallback( bool PDBInfo::GetALL() { + _Symbol.clear(); MyStruct _MyStruct; _MyStruct._BaseAddr = _BaseAddr; _MyStruct.temp_vector = &_Symbol; @@ -331,7 +373,7 @@ std::vector PDBInfo::PdbGetStruct(IN PEZPDB Pdb, IN std::string St // if (SymGetTypeInfo(Pdb->hProcess, EZ_PDB_BASE_OF_DLL, typeId, TI_GET_TYPEID, &pointedTypeId)) { // DWORD pointedSymTag; // if (SymGetTypeInfo(Pdb->hProcess, EZ_PDB_BASE_OF_DLL, pointedTypeId, TI_GET_SYMTAG, &pointedSymTag)) { -// // 处理指向的类型 +// // 澶勭悊鎸囧悜鐨勭被鍨 // if (pointedSymTag == SymTagBaseType) // { // DWORD baseType; diff --git a/Medusa/PDBInfo.h b/Medusa/PDBInfo.h index ac71ac1..43c10e5 100644 --- a/Medusa/PDBInfo.h +++ b/Medusa/PDBInfo.h @@ -45,6 +45,7 @@ class PDBInfo } ~PDBInfo() = default; public: + bool QueryDownLoad(std::string); bool DownLoadNtos(); bool DownLoad(std::string, bool); bool GetALL(); diff --git a/Medusa/SSDT.cc b/Medusa/SSDT.cc deleted file mode 100644 index 47732ce..0000000 --- a/Medusa/SSDT.cc +++ /dev/null 
@@ -1,60 +0,0 @@ -#include "SSDT.h" - - - - -#define TEST_GetSSDTList CTL_CODE(FILE_DEVICE_UNKNOWN,0x7123,METHOD_BUFFERED ,FILE_ANY_ACCESS) -#define TEST_GetSSDTListNumber CTL_CODE(FILE_DEVICE_UNKNOWN,0x7124,METHOD_BUFFERED ,FILE_ANY_ACCESS) - -#define TEST_GetSSSDTList CTL_CODE(FILE_DEVICE_UNKNOWN,0x7125,METHOD_BUFFERED ,FILE_ANY_ACCESS) -#define TEST_GetSSSDTListNumber CTL_CODE(FILE_DEVICE_UNKNOWN,0x7126,METHOD_BUFFERED ,FILE_ANY_ACCESS) - - - - -void SSDT::GetALLSSDT() -{ - /*__KernelCallBackListR0.clear(); - - HANDLE m_hDevice = CreateFileA("\\\\.\\IO_Control", GENERIC_READ | GENERIC_WRITE, 0, - NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if (INVALID_HANDLE_VALUE == m_hDevice) - { - return __KernelCallBackListR0; - } - do - { - DWORD process_number = 0; - DeviceIoControl(m_hDevice, TEST_GetCallBackListNumber, 0, 0, 0, 0, &process_number, NULL); - if (!process_number) - { - break; - } - - DWORD dwRet = 0; - ObjectCallBackList* temp_list = (ObjectCallBackList*)new char[process_number * sizeof(ObjectCallBackList)]; - if (!temp_list) - { - break; - } - - DeviceIoControl(m_hDevice, TEST_GetCallBackList, 0, 0, temp_list, sizeof(ObjectCallBackList) * process_number, &dwRet, NULL); - if (dwRet) - { - for (int i = 0; i < process_number; i++) - { - __KernelCallBackListR0.push_back(temp_list[i]); - } - } - delete temp_list; - } while (false); - CloseHandle(m_hDevice); - return __KernelCallBackListR0;*/ -} - -void SSDT::GetALLShadowSSDT() -{ - -} - - diff --git a/Medusa/SSDT.h b/Medusa/SSDT.h deleted file mode 100644 index d73502a..0000000 --- a/Medusa/SSDT.h +++ /dev/null 
@@ -1,37 +0,0 @@
-#pragma once
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-
-
-struct SSDT_STRUCT
-{
- ULONG64 Index;
- ULONG64 Addr;
- std::string FuncName;
- std::string Modules;
-};
-
-class SSDT
-{
-public:
- SSDT() = default;
- ~SSDT() = default;
-public:
- void GetALLSSDT();
- void GetALLShadowSSDT();
-private:
-
-};
-
diff --git a/Medusa/StackWalk.cc b/Medusa/StackWalk.cc
index 4ad9bcf..752650c 100644
--- a/Medusa/StackWalk.cc
+++ b/Medusa/StackWalk.cc
@@ -98,15 +98,8 @@ void StackWalk::ShowStackWalkThreadR0(ULONG64 TID)
 std::wstringstream ret;
 ret << std::hex << "0x" << offset;
- if (x.Check == 0)
- {
- Module = C_TO_W((char*)x.Name);
- Module = Module + std::wstring(L"+") + ret.str();
- }
- else
- {
- Module = x.Name + std::wstring(L"+") + ret.str();
- }
+ Module = C_TO_W(x.Name);
+ Module = Module + std::wstring(L"+") + ret.str();
 found = true;
 break;
 }
diff --git a/MedusaKernel/IO_Control.cc b/MedusaKernel/IO_Control.cc
index b7c207b..4dce15e 100644
--- a/MedusaKernel/IO_Control.cc
+++ b/MedusaKernel/IO_Control.cc
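Review bot: The two new assignment lines in ShowStackWalkThreadR0 can collapse into one expression now that the Check branches are gone: `Module = C_TO_W(x.Name) + L"+" + ret.str();` (assuming C_TO_W returns a std::wstring, which the removed branch's use of it suggests). The enclosing loop and the function start outside the hunk, so it is not visible whether `x` is a by-value copy of the module record; if it is, iterating with `const auto&` would avoid copying the std::string name on every iteration.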
@@ -403,14 +403,40 @@ NTSTATUS IO_Control::Code_Control_Center(PDEVICE_OBJECT DeviceObject, PIRP pIr
 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
 return STATUS_SUCCESS;
 }
+ else if (Io_Control_Code == TEST_GetSSDTList)
+ {
+ int i = 0;
+ for (auto x : _This->_SSDT._SSDTALL)
+ {
+ RtlCopyMemory(Input_Buffer + i * sizeof(SSDT_STRUCT), &x, sizeof(SSDT_STRUCT));
+ i++;
+ }
+ pIrp->IoStatus.Status = STATUS_SUCCESS;
+ pIrp->IoStatus.Information = _This->_SSDT._SSDTALL.size() * sizeof(SSDT_STRUCT);
+ IoCompleteRequest(pIrp, IO_NO_INCREMENT);
+ return STATUS_SUCCESS;
+ }
 else if (Io_Control_Code == TEST_GetSSSDTListNumber)
 {
- if (_This->_SSDT._SSDTALL.size() == 0)
+ if (_This->_SSDT._SSSDTALL.size() == 0)
 {
- _This->_SSDT.GetAllSSDT();
+ _This->_SSDT.GetAllShadowSSDT();
 }
 pIrp->IoStatus.Status = STATUS_SUCCESS;
- pIrp->IoStatus.Information = _This->_SSDT._SSDTALL.size();
+ pIrp->IoStatus.Information = _This->_SSDT._SSSDTALL.size();
+ IoCompleteRequest(pIrp, IO_NO_INCREMENT);
+ return STATUS_SUCCESS;
+ }
+ else if (Io_Control_Code == TEST_GetSSSDTList)
+ {
+ int i = 0;
+ for (auto x : _This->_SSDT._SSSDTALL)
+ {
+ RtlCopyMemory(Input_Buffer + i * sizeof(SSDT_STRUCT), &x, sizeof(SSDT_STRUCT));
+ i++;
+ }
+ pIrp->IoStatus.Status = STATUS_SUCCESS;
+ pIrp->IoStatus.Information = _This->_SSDT._SSSDTALL.size() * sizeof(SSDT_STRUCT);
 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
 return STATUS_SUCCESS;
 }
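Review bot: Both new list branches (TEST_GetSSDTList and TEST_GetSSSDTList) copy `size() * sizeof(SSDT_STRUCT)` bytes into Input_Buffer without comparing that amount to the output buffer length the caller supplied, so a user-mode caller that hands over a buffer smaller than the count it got from the *ListNumber query — or that never queried at all — makes the driver write past the end of the system buffer. The size should be checked against `IoGetCurrentIrpStackLocation(pIrp)->Parameters.DeviceIoControl.OutputBufferLength` (or whichever local already holds it earlier in Code_Control_Center, whose start is outside the hunk) and the request completed with STATUS_BUFFER_TOO_SMALL before any copy. The loop also copies each element into `x` by value before RtlCopyMemory reads it; `const auto&` avoids that, and a SIZE_T counter matches the sizeof arithmetic. The sketch below is for the TEST_GetSSDTList branch; the TEST_GetSSSDTList branch needs the identical guard.
```cpp
else if (Io_Control_Code == TEST_GetSSDTList)
{
    const SIZE_T needed = _This->_SSDT._SSDTALL.size() * sizeof(SSDT_STRUCT);
    const ULONG out_len = IoGetCurrentIrpStackLocation(pIrp)->Parameters.DeviceIoControl.OutputBufferLength;
    // Never trust the count the caller obtained earlier: the buffer it passed now is the bound.
    if (out_len < needed)
    {
        pIrp->IoStatus.Status = STATUS_BUFFER_TOO_SMALL;
        pIrp->IoStatus.Information = 0;
        IoCompleteRequest(pIrp, IO_NO_INCREMENT);
        return STATUS_BUFFER_TOO_SMALL;
    }
    SIZE_T i = 0;
    for (const auto& x : _This->_SSDT._SSDTALL)
    {
        RtlCopyMemory(Input_Buffer + i * sizeof(SSDT_STRUCT), &x, sizeof(SSDT_STRUCT));
        i++;
    }
    // … unchanged: STATUS_SUCCESS, Information = needed, IoCompleteRequest, return …
}
```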
@@ -74,79 +74,81 @@ PSYSTEM_SERVICE_TABLE2 GetKeServiceDescriptorTableAddress(int SearchType)
 bool SSDT::GetAllSSDT()
 {
+ PSYSTEM_SERVICE_TABLE2 temp_table = nullptr;
 if (_KeServiceDescriptorTableShadow)
 {
-
+ PSYSTEM_DESCRIPTOR_TABLE temp_descriptor_table = (PSYSTEM_DESCRIPTOR_TABLE)_KeServiceDescriptorTableShadow;
+ temp_table = &temp_descriptor_table->win32k;
 }
 else
 {
- PSYSTEM_SERVICE_TABLE2 temp_table = GetKeServiceDescriptorTableAddress(0);
- if (!temp_table || !MmIsAddressValid(temp_table) ||
- !MmIsAddressValid(temp_table->ServiceTable) || !MmIsAddressValid((ULONG64*)temp_table->ArgumentTable))
- {
- return false;
+ temp_table = GetKeServiceDescriptorTableAddress(0);
+ }
+ if (!temp_table || !MmIsAddressValid(temp_table) ||
+ !MmIsAddressValid(temp_table->ServiceTable) || !MmIsAddressValid((ULONG64*)temp_table->ArgumentTable))
+ {
+ return false;
+ }
+ for (int i = 0; i < temp_table->ServiceLimit; i++)
+ {
+ uint32_t dwOffset = temp_table->ServiceTable[i];
+ uint64_t result;
+ // 右移 4 位并处理高位
+ if (dwOffset & 0x80000000) {
+ // 当高位为 1 时,设置高 32 位为 0xFFFFFFFF
+ result = (static_cast(dwOffset) >> 4) | 0xFFFFFFFFF0000000;
+ }
+ else {
+ // 否则直接右移并扩展为 64 位
+ result = static_cast(dwOffset >> 4);
 }
- for (int i = 0; i < temp_table->ServiceLimit; i++)
- {
- uint32_t dwOffset = temp_table->ServiceTable[i];
- uint64_t result;
- // 右移 4 位并处理高位
- if (dwOffset & 0x80000000) {
- // 当高位为 1 时,设置高 32 位为 0xFFFFFFFF
- result = (static_cast(dwOffset) >> 4) | 0xFFFFFFFFF0000000;
- }
- else {
- // 否则直接右移并扩展为 64 位
- result = static_cast(dwOffset >> 4);
- }
-
- SSDT_STRUCT temp_ssdt = { 0 };
- temp_ssdt.Index = 0;
- temp_ssdt.Addr = (ULONG64)temp_table->ServiceTable + result;
- _SSDTALL.push_back(temp_ssdt);
- }
+ SSDT_STRUCT temp_ssdt = { 0 };
+ temp_ssdt.Index = 0;
+ temp_ssdt.Addr = (ULONG64)temp_table->ServiceTable + result;
+
+ _SSDTALL.push_back(temp_ssdt);
 }
 return true;
 }
 bool SSDT::GetAllShadowSSDT()
 {
+ PSYSTEM_DESCRIPTOR_TABLE temp_descriptor_table = nullptr;
 if (_KeServiceDescriptorTableShadow)
 {
-
+ temp_descriptor_table = (PSYSTEM_DESCRIPTOR_TABLE)_KeServiceDescriptorTableShadow;
 }
 else
 {
-
- PSYSTEM_DESCRIPTOR_TABLE temp_descriptor_table = (PSYSTEM_DESCRIPTOR_TABLE)GetKeServiceDescriptorTableAddress(1);
- PSYSTEM_SERVICE_TABLE2 temp_table = &temp_descriptor_table->win32k;
- if (!temp_table || !MmIsAddressValid(temp_table) || !MmIsAddressValid(temp_table->ServiceTable))
- {
- return false;
+ temp_descriptor_table = (PSYSTEM_DESCRIPTOR_TABLE)GetKeServiceDescriptorTableAddress(1);
+ }
+ PSYSTEM_SERVICE_TABLE2 temp_table = &temp_descriptor_table->win32k;
+ if (!temp_table || !MmIsAddressValid(temp_table) || !MmIsAddressValid(temp_table->ServiceTable))
+ {
+ return false;
+ }
+ for (int i = 0; i < temp_table->ServiceLimit; i++)
+ {
+ uint32_t dwOffset = temp_table->ServiceTable[i];
+ uint64_t result;
+ // 右移 4 位并处理高位
+ if (dwOffset & 0x80000000) {
+ // 当高位为 1 时,设置高 32 位为 0xFFFFFFFF
+ result = (static_cast(dwOffset) >> 4) | 0xFFFFFFFFF0000000;
+ }
+ else {
+ // 否则直接右移并扩展为 64 位
+ result = static_cast(dwOffset >> 4);
 }
- for (int i = 0; i < temp_table->ServiceLimit; i++)
- {
- uint32_t dwOffset = temp_table->ServiceTable[i];
- uint64_t result;
- // 右移 4 位并处理高位
- if (dwOffset & 0x80000000) {
- // 当高位为 1 时,设置高 32 位为 0xFFFFFFFF
- result = (static_cast(dwOffset) >> 4) | 0xFFFFFFFFF0000000;
- }
- else {
- // 否则直接右移并扩展为 64 位
- result = static_cast(dwOffset >> 4);
- }
- SSDT_STRUCT temp_ssdt = { 0 };
- temp_ssdt.Index = 0;
- temp_ssdt.Addr = (ULONG64)temp_table->ServiceTable + result;
+ SSDT_STRUCT temp_ssdt = { 0 };
+ temp_ssdt.Index = 0;
+ temp_ssdt.Addr = (ULONG64)temp_table->ServiceTable + result;
- _SSSDTALL.push_back(temp_ssdt);
- }
+ _SSSDTALL.push_back(temp_ssdt);
 }
 return true;
 }
\ No newline at end of file
diff --git a/MedusaKernel/Test.cc b/MedusaKernel/Test.cc
index f283a6b..641e514 100644
--- a/MedusaKernel/Test.cc
+++ b/MedusaKernel/Test.cc
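Review bot: In GetAllShadowSSDT the new code forms `&temp_descriptor_table->win32k` before checking `temp_descriptor_table`, so when GetKeServiceDescriptorTableAddress(1) returns null the resulting `temp_table` is a small non-null offset, the `!temp_table` test never fires, and only MmIsAddressValid stands between the call and a bad dereference; add `if (!temp_descriptor_table || !MmIsAddressValid(temp_descriptor_table)) return false;` before that line. In GetAllSSDT the `_KeServiceDescriptorTableShadow` branch also selects `->win32k`, so when the shadow table is known both functions walk the same win32k table; if GetAllSSDT is meant to return the ntoskrnl table this looks like a copy-paste slip — confirm which member of PSYSTEM_DESCRIPTOR_TABLE holds the first table. The offset-decoding loop is now duplicated verbatim in both functions; a static helper taking the PSYSTEM_SERVICE_TABLE2 and the target vector would keep the two in step. Neither function clears its vector before pushing, so a second call appends a second copy of the table; the IO_Control path guards this with a `size() == 0` check, but a `clear()` at the top of each function would make them self-contained.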
@@ -132,7 +132,7 @@ void TestSSDT()
 {
 DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "TestSSDT start\n");
 DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "=====================================\n");
- SSDT _SSDT(0);
+ SSDT _SSDT;
 _SSDT.GetAllSSDT();
 DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "_SSDT._SSDTALL.size():%llx\n", _SSDT._SSDTALL.size());
 _SSDT.GetAllShadowSSDT();
diff --git a/Readme.md b/Readme.md
index eb11be5..fd68ef9 100644
--- a/Readme.md
+++ b/Readme.md
@@ -4,6 +4,8 @@ ##### 鏇存柊鏃ュ織:
+###### 11-5 娣诲姞浜嗕竴涓狪OCTL鍙鐨勮彍鍗 鏂逛究浣跨敤 娣诲姞浜嗗彸閿煡鐪嬪鍑鸿〃鍑芥暟 浠ュ強鏌ョ湅SSDT鍜孲SSDT
+
 ###### 9-12 娣诲姞浜嗗簲鐢ㄥ眰鍐呭瓨鏌ョ湅鍜屾绱㈠垪琛 绫讳技涔嬪墠鐨勫唴鏍告煡鐪 鍜屼竴浜涚粏鑺備紭鍖