in ssdt hooking we hook Zw** OR Nt** ?

in ssdt hooking we hook Zw OR Nt ?

#5373 by R00tKit
Wed Mar 09, 2011 10:01 am

hi

in hook SSDT we use

#define SYSTEMSERVICE(_name)  KeServiceDescriptorTable.ServiceTable[*(DWORD *) ((unsigned char *)_name + 1)]

why in above code we use " +1 " ?

in ssdt hook we hook Zw** or Nt** version finally ? when we pass Zw as parameter to above marco

i know the Zw** change pervious mode and call Nt** but what about hooking ?

SSDT store address of ZW or Nt* ? dps nt! KiServiceTable show only Nt* why?

i confused please help

@R00tkitSMM

Username

R00tKit

Posts

129

Joined

Tue Nov 16, 2010 8:23 pm

Contact

Re: in ssdt hocking we hook Zw OR Nt ?

#5374 by EP_X0FF
Wed Mar 09, 2011 10:15 am

geek1982 wrote:hi

in hook SSDT we use
Code: Select all
#define SYSTEMSERVICE(_name)  KeServiceDescriptorTable.ServiceTable[*(DWORD *) ((unsigned char *)_name + 1)]
why in above code we use " +1 " ?

To get index of service.

.text:00429768 ZwOpenTimer proc near
.text:00429768
.text:00429768 TimerHandle = dword ptr 4
.text:00429768 DesiredAccess = dword ptr 8
.text:00429768 ObjectAttributes= dword ptr 0Ch
.text:00429768
.text:00429768 mov eax, 83h
.text:0042976D lea edx, [esp+TimerHandle]
.text:00429771 pushf
.text:00429772 push 8
.text:00429774 call sub_46A451
.text:00429779 retn 0Ch
.text:00429779 ZwOpenTimer endp

where first instruction is

00429768: B8 83 00 00 00

You hook service routine because their table exported via KeServiceDescriptorTable

There is no sense in hooking Zw* functions.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: in ssdt hocking we hook Zw OR Nt ?

#5375 by R00tKit
Wed Mar 09, 2011 10:22 am

thanks for brief and useful

@R00tkitSMM

Username

R00tKit

Posts

129

Joined

Tue Nov 16, 2010 8:23 pm

Contact