Calling unexported syscalls from Kernel Driver

#1970 by Mehdi
Sat Aug 14, 2010 11:25 am

Hello everyone
I want to call ZwQueryVirtualMemory in Windows XP SP2 (This syscall is not exported from ntoskrnl.exe in Win XP)
I've succeeded with using the hard-coded address (for proof of concept), now I want a better and more stable solution.

Code: Select all

MyZwQueryVirtualMemory zwQVM = (MyZwQueryVirtualMemory)0x805ACD0E;

How I can reliably find the address of ZwQueryVirtualMemory and call it ?
(I've read that using unexported system calls from kernel mode is not recommended, but for my utility which is a Kernel mode memory dumper I need it)

Thank you very much

We work in the dark, we do what we can, we give what we have.
Our doubt is our passion and our passion is our task.
The rest is the madness of art

Username

Mehdi

Posts

27

Joined

Sun Jun 20, 2010 6:04 am

Location

SSDT

Contact

Re: Calling unexported syscalls from Kernel Driver

#1971 by cjbi
Sat Aug 14, 2010 11:40 am

Try this.

Code: Select all

GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwQueryVirtualMemory");

Username

cjbi

Posts

92

Joined

Sun Mar 14, 2010 7:16 am

Re: Calling unexported syscalls from Kernel Driver

#1972 by Mehdi
Sat Aug 14, 2010 11:43 am

Thanks, but
1- my code is kernel mode.
2- And ZW* functions are in ntoskrnl (not ntdll)

We work in the dark, we do what we can, we give what we have.
Our doubt is our passion and our passion is our task.
The rest is the madness of art

Username

Mehdi

Posts

27

Joined

Sun Jun 20, 2010 6:04 am

Location

SSDT

Contact

Re: Calling unexported syscalls from Kernel Driver

#1973 by GamingMasteR
Sat Aug 14, 2010 11:45 am

Code: Select all

#define SYSCALL_INDEX(_address) *(PULONG)((PUCHAR)_address+1)

VOID GetNtQueryVirtualMemory(VOID)
{
    ASSERT(Irql <= APC_LEVEL)
    Ntdll = GetNtdllImageBase(); // Ntdll.dll is mapped into all processes VM by default
    if (Ntdll == NULL)
        return;
    lpNtQueryVirtualMemory =  KeServiceDescriptorTable[SYSCALL_INDEX(GetProcAddress(NtDll, "ZwQueryVirtualMemory"))].ServiceRoutine;
}

Or you can send the service index from the application to the driver while initializing .

Last edited by GamingMasteR on Sat Aug 14, 2010 1:48 pm, edited 1 time in total. Reason: Zw -> Nt, thanks EP for correction

Username

GamingMasteR

Rank

Global Moderator

Posts

228

Joined

Sun Mar 07, 2010 10:52 am

Re: Calling unexported syscalls from Kernel Driver

#1974 by Mehdi
Sat Aug 14, 2010 1:09 pm

Thanks. Your post was very helpful
First I tried using MmGetSystemRoutineAddress, but it returns NULL for ZwQueryVirtualMemory.
Now I'm using this code (I've hardcoded the index, because it only runs on XP SP0-SP2) and it works.

Code: Select all

DWORD* systemCallTable              = (DWORD*)KeServiceDescriptorTable.KiServiceTable;
MyZwQueryVirtualMemory	zwQVM = (MyZwQueryVirtualMemory)(systemCallTable[0xB2]);

One question: GetProcAddress is a user mode function. How can we run it in kernel ?

We work in the dark, we do what we can, we give what we have.
Our doubt is our passion and our passion is our task.
The rest is the madness of art

Username

Mehdi

Posts

27

Joined

Sun Jun 20, 2010 6:04 am

Location

SSDT

Contact

Re: Calling unexported syscalls from Kernel Driver

#1975 by EP_X0FF
Sat Aug 14, 2010 1:15 pm

For a beginner, more efficient solution is to hardcode NtQueryVirtualMemory SSDT index inside driver.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Calling unexported syscalls from Kernel Driver

#1976 by cjbi
Sat Aug 14, 2010 1:28 pm

Mehdi wrote:One question: GetProcAddress is a user mode function. How can we run it in kernel ?

Implementation of GetProcAddress and GetModuleHandle for Windows NT3.51/NT4/2000/XP/2003/Vista kernel mode, both 32 and 64 bit platforms
http://alter.org.ua/docs/nt_kernel/procaddr/

Username

cjbi

Posts

92

Joined

Sun Mar 14, 2010 7:16 am