A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #24992  by QQemka
 Sun Jan 18, 2015 7:51 pm
Hello. I hooked one function in the SSDT. In the hook I get the caller's process ID from the EPROCESS structure by calling PsGetCurrentProcess(), then I call NtQuerySystemInformation by SSDT index to get the list of processes (I need this information inside the hook for my own purposes), but for some reason NtQuerySystemInformation fails in about 30% of cases. I see in DbgView the full log with detailed process information, but sometimes the call returns "NtStatus error C0000005, bufsize 00002000, bytes written 000018DF".

The part of the code which generates this strange error is:
	PSYSTEM_PROCESS_INFORMATION pCurr, pNext;
	NTSTATUS ntStatus = STATUS_INFO_LENGTH_MISMATCH;
	ULONG bufsize = 0x1000;
	ULONG cbWritten = 0;            // the API takes a PULONG, not an int*
	PVOID buffer = NULL;            // allocated inside the loop; first query uses 0x2000
	while (ntStatus == STATUS_INFO_LENGTH_MISMATCH) {
		//DbgPrint("Double bufsize");
		if (buffer != NULL)
			MmFreeNonCachedMemory(buffer, bufsize);
		bufsize *= 2;
		buffer = MmAllocateNonCachedMemory(bufsize);
		if (buffer == NULL)
			return 1;               // allocation failure, nothing to free
		// 5 == SystemProcessInformation; called through the SSDT entry, not the Zw export
		ntStatus = NtQuerySystemInformation(5, buffer, bufsize, &cbWritten);
	}
	if (!NT_SUCCESS(ntStatus)) {
		DbgPrint("NtStatus error %08X %08X %08X", ntStatus, bufsize, cbWritten);
		MmFreeNonCachedMemory(buffer, bufsize);
		return 2;
	}
	//below is table parsing which works ok
What's wrong?
Last edited by EP_X0FF on Mon Jan 19, 2015 4:05 am, edited 1 time in total. Reason: use code tags
 #24995  by EP_X0FF
 Mon Jan 19, 2015 9:12 am
then i call NtQuerySystemInformation by SSDT index
And why are you doing this unexplained perversion? If it is called with PreviousMode == UserMode this routine will expect the input buffer to be in user mode. Since you are doing it from an SSDT hook, this function will give you fail/success etc. Use ZwQuerySystemInformation instead.
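As an added example (not from either poster), a portable C model of the sizing loop the reply points at: a stub with the ZwQuerySystemInformation contract (STATUS_INFO_LENGTH_MISMATCH plus the required length in ReturnLength), a loop that grows the buffer from that length instead of blindly doubling and checks the allocation, and a walk over entries by NextEntryOffset. The PROC_ENTRY layout, the process list and find_pid are constructed for the demo; in a driver the stub is ZwQuerySystemInformation and malloc/free are pool allocations.

```c
#include <stdint.h>
#include <stdlib.h>
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
/* Constructed stand-in for SYSTEM_PROCESS_INFORMATION: only the two fields
   the walk needs; the real WDK structure carries many more. */
typedef struct { uint32_t NextEntryOffset; uint32_t UniqueProcessId; } PROC_ENTRY;
/* Constructed process list that the stub below reports. */
static const uint32_t kPids[] = { 4, 368, 1204, 2780 };
#define kPidCount (sizeof kPids / sizeof kPids[0])
/* Stub with the ZwQuerySystemInformation contract: on a short buffer it
   returns STATUS_INFO_LENGTH_MISMATCH and the required size in *ret. */
static NTSTATUS stub_query(void *buf, uint32_t len, uint32_t *ret) {
    uint32_t need = (uint32_t)(kPidCount * sizeof(PROC_ENTRY));
    *ret = need;
    if (len < need) return STATUS_INFO_LENGTH_MISMATCH;
    PROC_ENTRY *e = buf;
    for (size_t i = 0; i < kPidCount; i++) {
        e[i].UniqueProcessId = kPids[i];
        e[i].NextEntryOffset = (i + 1 < kPidCount) ? (uint32_t)sizeof(PROC_ENTRY) : 0;
    }
    return STATUS_SUCCESS;
}
/* Size the buffer from the reported length plus slack (the list can change
   between calls), then walk NextEntryOffset looking for pid.
   Returns 1 if found, 0 if not, -1 on allocation/API failure. */
int find_pid(uint32_t pid, uint32_t initial_len, int *calls) {
    uint32_t len = initial_len, ret = 0;
    void *buf = NULL;
    NTSTATUS st = STATUS_INFO_LENGTH_MISMATCH;
    *calls = 0;
    while (st == STATUS_INFO_LENGTH_MISMATCH && *calls < 8) {
        free(buf);
        if ((buf = malloc(len)) == NULL) return -1;
        st = stub_query(buf, len, &ret);
        (*calls)++;
        if (st == STATUS_INFO_LENGTH_MISMATCH) len = ret + 0x1000;
    }
    int found = NT_SUCCESS(st) ? 0 : -1;
    for (PROC_ENTRY *e = buf; found == 0; e = (PROC_ENTRY *)((char *)e + e->NextEntryOffset)) {
        if (e->UniqueProcessId == pid) found = 1;
        else if (e->NextEntryOffset == 0) break;
    }
    free(buf);
    return found;
}
```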