[整理]一份很标准的MmGetSystemRoutineAddressEx（兼容32/64）

amd64驱动

获得任意模块任意导出函数的地址，不再受限于MmGetSystemRoutineAddress的鸡肋功能。
(一般 Kixxx 都是未导出的 API，而 Kexxx 则是导出的 API)

//传入：导出函数所属模块的基址，函数名称（跟GetProcAddress一样）
PVOID MmGetSystemRoutineAddressEx(SIZE_T uModBase, CHAR *cSearchFnName)
{
        IMAGE_DOS_HEADER *doshdr;
        #ifdef AMD64
        IMAGE_OPTIONAL_HEADER64 *opthdr;
        #else
        IMAGE_OPTIONAL_HEADER32 *opthdr;
        #endif
        IMAGE_EXPORT_DIRECTORY *pExportTable;
        ULONG *dwAddrFns, *dwAddrNames;
        USHORT *dwAddrNameOrdinals;
        ULONG dwFnOrdinal,i;
        SIZE_T uFnAddr=0;
        char *cFunName;
        doshdr = (IMAGE_DOS_HEADER *)uModBase;
        if (NULL == doshdr)
        {
                goto __exit;
        }
        #ifdef AMD64
        opthdr = (IMAGE_OPTIONAL_HEADER64 *)(uModBase + doshdr->e_lfanew + sizeof(ULONG)+sizeof(IMAGE_FILE_HEADER));
        #else
        opthdr = (IMAGE_OPTIONAL_HEADER32 *)(uModBase + doshdr->e_lfanew + sizeof(ULONG)+sizeof(IMAGE_FILE_HEADER));
        #endif
        if (NULL == opthdr)
        {
                goto __exit;
        }
        pExportTable = (IMAGE_EXPORT_DIRECTORY *)(uModBase + opthdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
        if (NULL == pExportTable)
        {
                goto __exit;
        }
        dwAddrFns = (ULONG *)(uModBase + pExportTable->AddressOfFunctions);
        dwAddrNames = (ULONG *)(uModBase + pExportTable->AddressOfNames);
        dwAddrNameOrdinals = (USHORT *)(uModBase + pExportTable->AddressOfNameOrdinals);
        for (i = 0; i < pExportTable->NumberOfNames; ++i)
        {
                cFunName = (char *)(uModBase + dwAddrNames[i]);
                if (!_strnicmp(cSearchFnName, cFunName, strlen(cSearchFnName)))
                {
                        dwFnOrdinal = pExportTable->Base + dwAddrNameOrdinals[i] - 1;
                        uFnAddr = uModBase + dwAddrFns[dwFnOrdinal];
                        break;
                }
        }
__exit:
        return (PVOID)uFnAddr;
}

来源：http://www.vbasm.com/thread-8053-1-1.html

另外一份，功能一样：

ULONG GetFunctionAddress
    (
    IN ULONG FirstFeature,
    IN ULONG SecondFeature,
    IN ULONG ThirdFeature,
    IN ULONG FourthFeature
    )
{
    NTSTATUS NtStatus=STATUS_SEVERITY_SUCCESS;
    ULONG SystemInformationLength=0;
    ULONG Index=0;
    ULONG Loop=0;
    ULONG ModuleBegin=0;
    ULONG ModuleFinish=0;
    PULONG SystemInformationBuffer=NULL;
    PSYSTEM_MODULE_INFORMATION SystemModulePointer=NULL;
    ULONG Value=0;
    ZwQuerySystemInformation(SystemModuleInformation,NULL,0,&SystemInformationLength);
    SystemInformationBuffer=ExAllocatePool(PagedPool,SystemInformationLength);
    if (SystemInformationBuffer==NULL)
    {
        return NtStatus;
    } 
    NtStatus=ZwQuerySystemInformation
        (
        SystemModuleInformation,
        SystemInformationBuffer,
        SystemInformationLength,
        NULL
        );
    if (!NT_SUCCESS(NtStatus))
    {
        ExFreePool(SystemInformationBuffer);
        return NtStatus;
    }
    if (MmIsAddressValid(SystemInformationBuffer)==False)
    {
        ExFreePool(SystemInformationBuffer);
        return NtStatus;
    }
    SystemModulePointer=(PSYSTEM_MODULE_INFORMATION)(SystemInformationBuffer+1);
    for (Index=0;Index<*(ULONG*)SystemInformationBuffer;Index++)
    {
        ModuleBegin=(ULONG)SystemModulePointer[Index].Base;
        ModuleFinish=(ULONG)SystemModulePointer[Index].Base+SystemModulePointer[Index].Size;    
        for (Loop=ModuleBeginAddress;Loop<ModuleFinishAddress;Loop++)
        {
            if 
                (
                *(ULONG*)(Loop+0)==FirstFeature&&
                *(ULONG*)(Loop+4)==SecondFeature&&
                *(ULONG*)(Loop+8)==ThirdFeature&&
                *(ULONG*)(Loop+12)==FourthFeature
                )
            {
                Value=Loop;
            } 
        }
    }
    ExFreePool(SystemInformationBuffer);
    return Value;
}

来源：http://blog.csdn.net/dormancy_elife/article/details/6072842