A forum for reverse engineering, OS internals and malware analysis 
 #8112  by Tigzy
 Thu Aug 18, 2011 12:42 pm
no, actually from export table of the given module.
OK
This code is full of perversions, and this is the way they get the address of the service descriptor table: by doing a memory scan and then working with the shadow table through the acquired pointer.
I suggest carefully reviewing anything from this bsod-generator source code.
Do you know a better way to do so? :geek:

EDIT: Missing a word...
Last edited by Tigzy on Thu Aug 18, 2011 1:03 pm, edited 1 time in total.
 #8113  by EP_X0FF
 Thu Aug 18, 2011 12:54 pm
Tigzy wrote: Do you know a better to do so? :geek:
I'm not getting this question. You have all possible hints in this thread, including even this bsod-generator source code.
You know how to hook usual service table, so what is the problem?
 #8114  by Tigzy
 Thu Aug 18, 2011 1:07 pm
Edited the previous post.

Hooking isn't the problem.
The only thing I don't understand is how to get the SSDT Shadow address. It seems not to be as simple as it is with the "not shadow" SSDT.
Or maybe I don't understand at all... :D
 #8115  by EP_X0FF
 Thu Aug 18, 2011 1:39 pm
[syntax="c"]
#include <ntddk.h>
/* Exported by ntoskrnl but not declared in the public headers; only its address is needed here */
NTKERNELAPI BOOLEAN KeAddSystemServiceTable(PULONG_PTR Base, PULONG Count, ULONG Limit, PUCHAR Number, ULONG Index);

/* x86: walk the first page of KeAddSystemServiceTable looking for
 *   8D 88 xx xx xx xx   lea ecx, _KeServiceDescriptorTableShadow[eax]
 * Read as a little-endian USHORT the opcode bytes 8D 88 give 0x888d; the 32-bit
 * operand right after them (c + 2) is the address of the shadow table. */
PVOID GetKeServiceDescriptorTableShadow()
{
	for (PBYTE c = (PBYTE)&KeAddSystemServiceTable; c < (PBYTE)&KeAddSystemServiceTable + PAGE_SIZE; c++)
	{
		if ( *(PUSHORT)c == 0x888d )
			return *(PVOID *)(c + 2);
	}
	return NULL;
}
[/syntax]
You can additionally put a length disassembler and more checks here, but this code has worked all around 2000 - 7 for years without problems.
[syntax="c"]
PSERVICE_DESCRIPTOR_ENTRY p = GetKeServiceDescriptorTableShadow();
[/syntax]
p[0] - system table, p[1] - shadow table.

Remember that to modify/read the win32k.sys table you need to attach to a GUI process (if you are not already in one). There are also some hints, but you don't need to know about them for now.
 #8116  by Tigzy
 Thu Aug 18, 2011 2:13 pm
Many thanks, it really helps :!:

EDIT.

I would like to understand, may you explain your code?
if ( *(PUSHORT)c == 0x888d )
return *(PVOID *)(c + 2);
What are these values?
Last edited by Tigzy on Thu Aug 18, 2011 2:52 pm, edited 1 time in total.
 #8117  by EP_X0FF
 Thu Aug 18, 2011 2:22 pm
It is LEA.

[syntax="asm"]lea ecx, _KeServiceDescriptorTableShadow[eax][/syntax]
 #8118  by Tigzy
 Thu Aug 18, 2011 2:51 pm
Can you elaborate?
if ( *(PUSHORT)c == 0x888d )
return *(PVOID *)(c + 2);
Why do we compare with 0x888d?
Why do we return c + 2?
 #8119  by EP_X0FF
 Thu Aug 18, 2011 2:53 pm
To get the lea instruction and extract from it the address of _KeServiceDescriptorTableShadow.
+2 because of lea ecx (88 8D)
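To see why the two-byte compare and the +2 work, here is an added example (not code from the thread or its authors) that decodes the instruction bytes over a constructed buffer standing in for the start of KeAddSystemServiceTable on 32-bit Windows. The prologue bytes, the displacement 0x12345678 and all function names are made up for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for the first bytes of KeAddSystemServiceTable (x86),
 * not a real dump: ordinary prologue bytes followed by
 *   8D 88 78 56 34 12   lea ecx, [eax + 0x12345678]
 * The displacement is made up; in the kernel it would be the address of
 * _KeServiceDescriptorTableShadow. */
static const uint8_t kSampleCode[] = {
    0x8B, 0xFF,                         /* mov  edi, edi          */
    0x55,                               /* push ebp               */
    0x8B, 0xEC,                         /* mov  ebp, esp          */
    0x8B, 0x45, 0x08,                   /* mov  eax, [ebp+8]      */
    0x8D, 0x88, 0x78, 0x56, 0x34, 0x12, /* lea  ecx, [eax+disp32] */
    0xC3                                /* ret                    */
};

/* Little-endian reads: the same view *(PUSHORT)c and *(PVOID *)(c + 2) give on x86. */
static uint16_t read_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode opcode + ModRM: 8D = LEA r32, m; ModRM 0x88 = mod 10b (base + disp32),
 * reg 001b (ecx), rm 000b (eax). Reading the bytes 8D 88 as a little-endian
 * USHORT is what produces the 0x888d constant from the thread. */
int is_lea_ecx_eax_disp32(const uint8_t *p)
{
    uint8_t modrm = p[1];
    return p[0] == 0x8D && (modrm >> 6) == 2 && ((modrm >> 3) & 7) == 1 && (modrm & 7) == 0;
}

/* Scan like the forum loop: return the offset of the lea, or -1 if absent.
 * The ModRM decode is the extra check; the bare USHORT compare alone would
 * also match those two bytes wherever they occur inside another instruction. */
long find_lea_offset(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i + 6 <= len; i++)
        if (read_le16(code + i) == 0x888D && is_lea_ecx_eax_disp32(code + i))
            return (long)i;
    return -1;
}

/* The "+2": skip opcode and ModRM, then read the 32-bit displacement. */
uint32_t lea_disp32_at(const uint8_t *code, long off) { return read_le32(code + off + 2); }

long     sample_lea_offset(void) { return find_lea_offset(kSampleCode, sizeof kSampleCode); }
uint32_t sample_lea_disp32(void) { return lea_disp32_at(kSampleCode, sample_lea_offset()); }
```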
 #8121  by Tigzy
 Thu Aug 18, 2011 3:16 pm
Does that loop travel through the ASM code of the KeAddSystemServiceTable API?
Is this the aim of the loop?
for (PBYTE c = (PBYTE)&KeAddSystemServiceTable; c < (PBYTE)&KeAddSystemServiceTable + PAGE_SIZE; c++)