A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #11963  by Tigzy
 Mon Mar 05, 2012 7:12 am
Hello

I just ran into a problem with Windows 8: a crash when trying to map the SSDT.
Has anyone succeeded in getting the SSDT object in Win 8?
 #11966  by EP_X0FF
 Mon Mar 05, 2012 11:27 am
Hello,

my crystal ball is broken. Show your code.
 #11967  by Tigzy
 Mon Mar 05, 2012 12:23 pm
Sorry for your crystal ball :D

I use what everybody uses, and what has always worked from XP to 7:

```c
// Conventional x86 layout of KeServiceDescriptorTable (the symbol is only exported on 32-bit kernels)
typedef struct _SERVICE_DESCRIPTOR_TABLE {
    PULONG ServiceTable;    // KiServiceTable: one routine address per entry
    PULONG CounterTable;
    ULONG  ServiceLimit;    // number of entries, not bytes
    PUCHAR ArgumentTable;
} SERVICE_DESCRIPTOR_TABLE;
__declspec(dllimport) SERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
PMDL    g_pmdlSystemCall = NULL;
PULONG  MappedSystemCallTable = NULL;
BOOLEAN dispDBG = TRUE;

NTSTATUS MapSSDT(void)
{
    // Map the memory into our domain so we can change the permissions on the MDL
    g_pmdlSystemCall = IoAllocateMdl(KeServiceDescriptorTable.ServiceTable, KeServiceDescriptorTable.ServiceLimit * 4, FALSE, FALSE, NULL);
    if (!g_pmdlSystemCall)
        return STATUS_UNSUCCESSFUL;

    // MmBuildMdlForNonPagedPool takes an MDL describing a virtual buffer in nonpaged pool
    // and updates it to describe the underlying physical pages.
    MmBuildMdlForNonPagedPool(g_pmdlSystemCall);

    // MmMapLockedPages maps the physical pages described by the MDL a second time.
    MappedSystemCallTable = (PULONG)MmMapLockedPages(g_pmdlSystemCall, KernelMode);
    if (!MappedSystemCallTable) {
        IoFreeMdl(g_pmdlSystemCall);
        return STATUS_UNSUCCESSFUL;
    }

    if (dispDBG) DbgPrint("SSDT mapped into nonpaged area\n");
    return STATUS_SUCCESS;
}
```
I'm not at home, but AFAIR this is a BSoD related to INVALID_PROCESS_ATTACH_ATTEMPT.
 #11970  by Vrtule
 Mon Mar 05, 2012 1:01 pm
Hello,

I know about the existence of this piece of code (I think something similar was present in the old rootkits book written by Hoglund and Butler); however, I highly doubt it is legal.

First, there is a call to MmBuildMdlForNonPagedPool, which (I think) can be called only with MDLs describing nonpaged pool memory. But the SSDT is pageable. Because this data structure can hardly ever be paged out, nothing wrong usually happens.

Second, documentation of MmMapLockedPagesSpecifyCache says:
    A driver must not try to create more than one system-address-space mapping for an MDL. Additionally, because an MDL that is built by the MmBuildMdlForNonPagedPool routine is already mapped to the system address space, a driver must not try to map this MDL into the system address space again by using the MmMapLockedPagesSpecifyCache routine (although creating user-address-space mappings is allowed). If it is not known whether a locked-down MDL already has a system-address-space mapping, a driver can use the MmGetSystemAddressForMdlSafe macro instead of MmMapLockedPagesSpecifyCache. If the MDL is already mapped into the system address space, MmGetSystemAddressForMdlSafe will return the existing system-address-space mapping instead of creating a new mapping.

So it seems that you should map the SSDT into the user-mode part of the address space. The System process might be an ideal place for this operation.

I know that the code works well on current versions of Windows (except Windows 8, you say). But it seems that it works only because the implementation of the Mm routines was quite liberal.
 #11971  by Tigzy
 Mon Mar 05, 2012 1:31 pm
Thanks for the reply. I'll have a look at how MDLs really work, because actually I never tried to understand what this piece of code was really doing, as it has worked well until now.
 #11972  by lorddoskias
 Mon Mar 05, 2012 1:50 pm
I'd suggest, instead of using MmMapLockedPages etc., just using the MmGetSystemAddressForMdlSafe macro, which would either:

a) call MmMapLockedPagesSpecifyCache OR
b) give you the current address, since it is already mapped to system space.

That is, of course, if you just want to have an MDL in kernel space. Now, if you want to map a system-space component to user space, you must perform the MmMapLockedPagesSpecifyCache call in the context of the user process into whose address space you want to map the SSDT.

This article explains such use case and what actually happens behind the scenes: http://www.osronline.com/article.cfm?article=39
This article also sheds light on how MDL actually operate and what each of the aforementioned functions do: http://www.osronline.com/custom.cfm?nam ... cfm&id=423
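As an added example that is not code from this thread, here is the MmGetSystemAddressForMdlSafe variant of the mapping sequence that lorddoskias describes and that the documentation Vrtule quotes calls for: build the MDL over the table, ask for the existing system mapping instead of creating a second one, write through it, and free the MDL. The descriptor-table layout, the `EXAMPLE_WDK_BUILD` macro and the function names are assumptions of this example. Outside a driver project the constructed stand-ins under `#else` replace ntddk.h; they model only the documented behaviour relevant here (an MDL built by MmBuildMdlForNonPagedPool is already mapped, and MmGetSystemAddressForMdlSafe returns that mapping), so the control flow can be compiled and exercised with an ordinary C compiler.

```c
/* Added example, not code from this thread. Build with -DEXAMPLE_WDK_BUILD in a
 * driver project to compile against ntddk.h; otherwise the constructed stand-ins
 * below model just what the example needs from the Mm API. */
#ifdef EXAMPLE_WDK_BUILD
#include <ntddk.h>
#else
#include <stddef.h>
#include <stdlib.h>

typedef long NTSTATUS;
typedef unsigned long ULONG, *PULONG;
typedef unsigned char *PUCHAR;
typedef void *PVOID;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000DL)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009AL)
#define MDL_MAPPED_TO_SYSTEM_VA       0x0001
#define MDL_SOURCE_IS_NONPAGED_POOL   0x0004
#define NormalPagePriority            16

/* Constructed stand-in for the MDL header: only the fields used here. */
typedef struct _MDL {
    PVOID StartVa;
    PVOID MappedSystemVa;
    ULONG ByteCount;
    ULONG MdlFlags;
} MDL, *PMDL;

static PMDL IoAllocateMdl(PVOID va, ULONG length, int secondary, int charge, PVOID irp)
{
    PMDL mdl = (PMDL)calloc(1, sizeof *mdl);
    (void)secondary; (void)charge; (void)irp;
    if (mdl) { mdl->StartVa = va; mdl->ByteCount = length; }
    return mdl;
}
static void IoFreeMdl(PMDL mdl) { free(mdl); }

/* Behaviour being modelled: an MDL over nonpaged memory is already mapped. */
static void MmBuildMdlForNonPagedPool(PMDL mdl)
{
    mdl->MappedSystemVa = mdl->StartVa;
    mdl->MdlFlags |= MDL_SOURCE_IS_NONPAGED_POOL | MDL_MAPPED_TO_SYSTEM_VA;
}
/* Documented behaviour: return the existing mapping rather than create one. */
static PVOID MmGetSystemAddressForMdlSafe(PMDL mdl, int priority)
{
    (void)priority;
    return (mdl->MdlFlags & MDL_MAPPED_TO_SYSTEM_VA) ? mdl->MappedSystemVa : NULL;
}
#endif

/* Conventional x86 layout of the service descriptor table (assumed, as in the thread). */
typedef struct _SERVICE_DESCRIPTOR_TABLE {
    PULONG ServiceTable;   /* one routine address per entry */
    PULONG CounterTable;
    ULONG  ServiceLimit;   /* entry count, not a byte length */
    PUCHAR ArgumentTable;
} SERVICE_DESCRIPTOR_TABLE;

/* Swap entry `index` for `newEntry` through the MDL's existing system mapping.
 * The previous value is returned in *old. No second mapping is created, so
 * there is nothing to unmap; only the MDL itself has to be freed. */
NTSTATUS SwapServiceEntry(SERVICE_DESCRIPTOR_TABLE *sdt, ULONG index, ULONG newEntry, ULONG *old)
{
    PMDL mdl;
    PULONG view;
    ULONG bytes;

    if (sdt == NULL || sdt->ServiceTable == NULL || index >= sdt->ServiceLimit)
        return STATUS_INVALID_PARAMETER;
    if (sdt->ServiceLimit > (ULONG)-1 / sizeof(ULONG))   /* byte length must fit a ULONG */
        return STATUS_INVALID_PARAMETER;
    bytes = (ULONG)(sdt->ServiceLimit * sizeof(ULONG));

    mdl = IoAllocateMdl(sdt->ServiceTable, bytes, 0, 0, NULL);
    if (mdl == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;
    MmBuildMdlForNonPagedPool(mdl);

    view = (PULONG)MmGetSystemAddressForMdlSafe(mdl, NormalPagePriority);
    if (view == NULL) {
        IoFreeMdl(mdl);
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    if (old != NULL)
        *old = view[index];
    view[index] = newEntry;   /* in a driver, prefer InterlockedExchange on the slot */
    IoFreeMdl(mdl);
    return STATUS_SUCCESS;
}

/* Self-check against a constructed four-entry table; returns 1 on success. */
int SwapServiceEntrySelfTest(void)
{
    ULONG table[4] = { 0x1000, 0x2000, 0x3000, 0x4000 };
    SERVICE_DESCRIPTOR_TABLE sdt = { table, NULL, 4, NULL };
    ULONG old = 0;
    if (SwapServiceEntry(&sdt, 2, 0xAAAAAAAAUL, &old) != STATUS_SUCCESS) return 0;
    if (old != 0x3000 || table[2] != 0xAAAAAAAAUL) return 0;
    if (SwapServiceEntry(&sdt, 4, 0, &old) != STATUS_INVALID_PARAMETER) return 0;
    return 1;
}
```

The address this returns is the table's own system address, the "current address" case in lorddoskias's post, so the write lands on the same page with the same protection; this path does not give you the separately mapped alias the old double-mapping relied on. For that, Vrtule's suggestion is the documented alternative, and the stand-ins above do not model it: attach to the chosen process with KeStackAttachProcess, call MmMapLockedPagesSpecifyCache with UserMode while attached, write through the returned user-mode address, and call MmUnmapLockedPages on it before KeUnstackDetachProcess.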