Anti rootkit SSDT
I am working with Windows 7 x64. I understand that PatchGuard is enabled and should prevent write access to the SSDT structure in ntoskrnl.exe. However, for learning purposes, I was wondering if my driver can call a function like ZwXxxx directly.
By directly I mean: obtain the kernel base. Let's say the offset to the function is 0xDeadBeef. Can I just create a typedef'd function pointer to that location and call it like that, without going through the SSDT? I know this is how I would do it in user mode; not sure if it's the same case in kernel mode.
Thanks.
As you said, PatchGuard prevents SSDT modification. So reading is OK. And if you have a function address, you can call it. There is no difference in how you obtained the function address: from the SSDT, by signature, a hardcoded value or otherwise.
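An added example (not from the question or the answer above) of the defensive side of the same fact: reading the table and decoding its entries. On x64 each SSDT slot is a 32-bit value whose upper bits are a signed offset from the table base shifted left by 4 and whose low 4 bits hold the stack-argument count; an anti-rootkit check decodes every slot and verifies it resolves inside the ntoskrnl image. The image base, image size, table address and entries are constructed sample values, not real Windows 7 numbers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint64_t       table_base; /* address of KiServiceTable */
    const int32_t *entries;    /* raw 32-bit slots read from the table */
    size_t         count;
} ssdt_view_t;

/* Decode one x64 SSDT slot to an absolute routine address:
 * address = table_base + (slot >> 4), arithmetic shift keeps the sign. */
static uint64_t ssdt_decode_x64(uint64_t table_base, int32_t slot)
{
    return table_base + (uint64_t)(int64_t)(slot >> 4);
}

/* Low 4 bits of a slot: number of arguments passed on the stack. */
static int ssdt_arg_count(int32_t slot) { return slot & 0xF; }

/* Inverse of the decode, used here only to build the sample table.
 * offset * 16 has its low 4 bits clear, so adding args is the same as OR. */
static int32_t ssdt_encode_x64(int32_t offset, int args) { return offset * 16 + args; }

/* Anti-rootkit check: every service routine should resolve inside the
 * ntoskrnl image. Returns how many slots point somewhere else. */
static size_t ssdt_count_out_of_image(const ssdt_view_t *v, uint64_t img_base, uint64_t img_size)
{
    size_t bad = 0;
    for (size_t i = 0; i < v->count; i++) {
        uint64_t addr = ssdt_decode_x64(v->table_base, v->entries[i]);
        if (addr < img_base || addr >= img_base + img_size)
            bad++;
    }
    return bad;
}

/* Constructed sample: a three-entry table with one slot resolving past the image end. */
static size_t ssdt_check_sample(void)
{
    const uint64_t img_base = 0xFFFFF80002A00000ULL; /* constructed kernel base */
    const uint64_t img_size = 0x5F0000ULL;           /* constructed image size */
    const uint64_t table    = img_base + 0x1A3000ULL; /* constructed KiServiceTable */
    int32_t entries[3] = {
        ssdt_encode_x64(0x20000, 7),   /* inside the image, 7 stack args */
        ssdt_encode_x64(-0x10000, 3),  /* inside the image, below the table */
        ssdt_encode_x64(0x45D000, 4),  /* lands at img_base + 0x600000: flagged */
    };
    ssdt_view_t v = { table, entries, 3 };
    return ssdt_count_out_of_image(&v, img_base, img_size);
}

int main(void)
{
    printf("slots resolving outside ntoskrnl: %zu\n", ssdt_check_sample());
    return 0;
}
```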