Author: flashcoder
Subject: How find SSDT Shadow address in Windows 10 x86?
Posted: 13 May 2017 at 9:54pm
Edited by flashcoder - 41 minutes ago at 9:55pm
Subject: How find SSDT Shadow address in Windows 10 x86?
Posted: 13 May 2017 at 9:54pm
Based in this article ( http://www.developersite.org/905-42385-service ) i'm using the following code to get address of shadow table and works perfectly from WinXP x86 until Win8.1 x86 (Operating systems that was tested), only on Win10 x86 that cannot found the address.
Thank you by any suggestion.
#include <ntddk.h>
#include "ntapi.h" -> https://pastebin.com/BFwWUvmT
typedef NTPROC * PNTPROC;
typedef struct tag_SYSTEM_SERVICE_TABLE {
PNTPROC ServiceTable; // array of entry points to the calls
int CounterTable; // array of usage counters
ULONG ServiceLimit; // number of table entries
PCHAR ArgumentTable; // array of argument counts
} SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE, **PPSYSTEM_SERVICE_TABLE;
typedef struct tag_SERVICE_DESCRIPTOR_TABLE {
SYSTEM_SERVICE_TABLE ntoskrnl; // main native API table
SYSTEM_SERVICE_TABLE win32k; // win subsystem, in shadow table
SYSTEM_SERVICE_TABLE sst3;
SYSTEM_SERVICE_TABLE sst4;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE, **PPSERVICE_DESCRIPTOR_TABLE;
extern "C" NTOSAPI SYSTEM_SERVICE_TABLE KeServiceDescriptorTable;
extern "C" __declspec(dllimport) NTSTATUS NTAPI KeAddSystemServiceTable(ULONG, ULONG, ULONG, ULONG, ULONG);
PSERVICE_DESCRIPTOR_TABLE __stdcall GetServiceDescriptorShadowTableAddress() {
char * check = (char *)KeAddSystemServiceTable;
PSERVICE_DESCRIPTOR_TABLE rc = NULL; int i;
for (i = 0; i < 1024; i++) {
rc = *(PPSERVICE_DESCRIPTOR_TABLE)check;
if (!MmIsAddressValid(rc) || ((PVOID)rc == (PVOID)&KeServiceDescriptorTable)
|| (memcmp(rc, &KeServiceDescriptorTable, sizeof(SYSTEM_SERVICE_TABLE)))) {
check++; rc = NULL;
}
if (rc)
break;
}
return rc;
}
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject) {
DbgPrint("DriverUnload()!\n");
return;
}
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath) {
NTSTATUS NtStatus = STATUS_SUCCESS;
pDriverObject->DriverUnload = DriverUnload;
DbgPrint("DriverEntry()!\n");
PSERVICE_DESCRIPTOR_TABLE pShadow = GetServiceDescriptorShadowTableAddress();
if (pShadow) {
DbgPrint("SSDT Shadow address found!");
}
else
DbgPrint("Error: Can't get Win32k Address!\n");
return NtStatus;
}
Edited by flashcoder - 41 minutes ago at 9:55pm