Obtaining KeServiceDescriptorTableShadow address
2008-06-30 23:06
330 查看
In Windows NT based operating system every system call originated
in user mode which is to be processed by the system抯 kernel must go through the
gate to the kernel itself where it would be dispatched and executed. This gate
is an interrupt INT 2Eh. While on the user side library ntdll.dll handles a
system call, after passing the gate ntoskrnl.exe takes over invoking an internal
function KiSystemService() and passing the original system call into it. Then,
KiSystemService uses a lookup table for the information on which Native API call
to assign the original call to. This lookup table is called System Service Table
(SST), it has the following structure:[code]typedef NTSTATUS (NTAPI * NTPROC) ();
typedef NTPROC * PNTPROC;
#define NTPROC_ sizeof (NTPROC)
typedef struct _SYSTEM_SERVICE_TABLE
{
PNTPROC ServiceTable; // array of entry points to the calls
PDWORD CounterTable; // array of usage counters
DWORD ServiceLimit; // number of table entries
PBYTE ArgumentTable; // array of arguments
}
SYSTEM_SERVICE_TABLE,
*PSYSTEM_SERVICE_TABLE,
**PP SYSTEM_SERVICE_TABLE;System Service Table itself is a member of another structure
called Service Descriptor Table:
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
SYSTEM_SERVICE_TABLE ntoskrnl; //SST used by ntoskrnl.exe - Native API
SYSTEM_SERVICE_TABLE win32k; // SST used by win32k.sys - gdi/user support
SYSTEM_SERVICE_TABLE Table3; // reserved
SYSTEM_SERVICE_TABLE Table4; // reserved
}
SERVICE_DESCRIPTOR_TABLE,
*PSERVICE_DESCRIPTOR_TABLE,
**PPSERVICE_DESCRIPTOR_TABLE;System Service Table structure is used by two different
handles in the Kernel:
KeServiceDescriptorTable()
KeServiceDescriptorTableShadow()
While KeServiceDescriptorTable is readily available for kernel
mode drivers to access, KeServiceDescriptorTableShadow is not. Moreover,
KeServiceDescriptorTable does not have the System Service Table for win32k calls
support.
Unfortunately, different versions of Windows NT have these two
tables placed in different order. For example, on Windows 2000,
KeServiceDescriptorTableShadow follows immediately after
KeServiceDescriptorTable, while on Windows XP it appears right before
KeServiceDescriptorTable.
Several different ways have been proposed to obtain the correct
address of the Shadow table. In this example I shall demonstrate an approach to
obtain the KeServiceDescriptorTableShadow address on Windows 2000 and Windows XP
(incl. SP1) operating systems.
The idea behind this method (originally introduced in the book
Undocumented Windows NT) is to use a function called KeAddSystemServiceTable as
an indicator. This function is used by win32k.sys and therefore it just has to
address the Shadow table since KeServiceDescriptorTable does not support win32k
calls. Another assumption to be made is that the first entry in both
KeServiceDescriptorTable and KeServiceDescriptorTableShadow is the same. Since
it is relatively simple to obtain the address of KeServiceDescriptorTable, we
may try to compare its first entry with the one obtained from
KeAddSystemServiceTable. If they match, we consider the corresponding address to
be the correct address of KeServiceDescriptorTableShadow. There is no guaranty
that the very first valid address, produced by KeAddSystemServiceTable will
match, thus we have to go through several addresses to find the right one.
The following code shows a correct solution for obtaining a
KeServiceDescriptorTableShadow address on windows XP, it will work for a kernel
mode device driver:
/*
define structure for the system service table
*/
struct SYS_SERVICE_TABLE {
void **ServiceTable;
unsigned long CounterTable;
unsigned long ServiceLimit;
void **ArgumentsTable;
};
/*
Define KeServiceDescriptorTable based on the SST structure
*/
extern struct SYS_SERVICE_TABLE *KeServiceDescriptorTable;
/*
Declare function GetServiceDescriptorShadowTableAddress()
*/
static struct SYS_SERVICE_TABLE * GetServiceDescriptorShadowTableAddress ();
/*
Declare the KeAddSystemServiceTable. This is just a
handle to the call function, it will be used by the function
above to obtain the correct address of the KeServiceDescriptorShadowTable
*/
__declspec(dllimport) KeAddSystemServiceTable (ULONG, ULONG, ULONG, ULONG, ULONG);
static struct SYS_SERVICE_TABLE * GetServiceDescriptorShadowTableAddress ()
{
// First, obtain a pointer to KeAddSystemServiceTable
unsigned char *check = (unsigned char*)KeAddSystemServiceTable;
int i;
//Initialize an instance of System Service Table, will be used to
//obtain an address from KeAddSystemServiceTable
struct SYS_SERVICE_TABLE *rc=0;
// Make 100 attempts to match a valid address with that of KeServiceDescriptorTable
for (i=0; i<=99; i++) {
__try {
// try to obtain an address from KeAddSystemServiceTable
rc = *(struct SYS_SERVICE_TABLE**)check;
// if this address is NOT valid OR it itself is the address of
//KeServiceDescriptorTable OR its first entry is NOT equal
//to the first entry of KeServiceDescriptorTable
if (!MmIsAddressValid (rc) || (rc == KeServiceDescriptorTable)
|| (memcmp (rc, KeServiceDescriptorTable, sizeof (*rc)) != 0)) {
// Proceed with the next address
check++;
// don't forget to reset the old address
rc = 0;
}
} __except (EXCEPTION_EXECUTE_HANDLER) { rc = 0; }
// when the loop is completed, check if it produced a valid address
if (rc)
// because if it didn't, we failed to find the address of KeServiceDescriptorTableShadow
break;
}
// otherwise, there is a valid address! So return it!
return rc;
}Note, that if you by some reason failed to find the correct
address, your number of iterations (100 in my example) was not enough. Try to
increase it slightly, I would not recommend to have the number of iterations
larger than 4096, if you failed again even with the number that high, there are
definitely other problems, most likely the assumptions mentioned above are no
longer true for the operation system you use.
To call this function, simply create a new pointer to System
Service Table with the same structure the function returns its address with, and
then assign this address to it:
/*
define structure for the system service table
*/
struct SYS_SERVICE_TABLE {
void **ServiceTable;
unsigned long CounterTable;
unsigned long ServiceLimit;
void **ArgumentsTable;
};
static struct SYS_SERVICE_TABLE *ShadowTable;
ShadowTable = GetServiceDescriptorShadowTableAddress();Needless to say, that all these tricks can only be done with
administrator rights. More over, if you plan to continue manipulating
KeServiceDescriptorTableShadow, you will also need to enable Debug Privileges,
even for the administrator.
[/code]
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- 在XP内核模式下如何获得KeServiceDescriptorTableShadow的地址
- [转载]恢复2k/xp win32k.sys的KeServiceDescriptorTableShadow
- 关于windbg不能正确显示KeServiceDescriptorTableShadow的问题
- KeServiceDescriptorTableShadow的获取
- #define SYSTEMSERVICE(_func) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_func+1) 这
- #define SYSTEMSERVICE(_func) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_func+1) 这
- windebug查看KeServiceDescriptorTable
- KeServiceDescriptorTable 结构及获取
- 编译器报错: error LNK2001: unresolved external symbol "struct _ServiceDescriptorTable * KeServiceDescript
- 编译器报错: error LNK2001: unresolved external symbol "struct _ServiceDescriptorTable * KeServiceDescript
- Notes on Logical Address: segment selector/descriptor/table
- X64系统下的KeServiceDescriptionTable
- ORA-12514, TNS:listener does not currently know of service requested in connect descriptor
- 《Orange’s 一个操作系统的实现》3.保护模式4----LDT(Local Descriptor Table)
- WINCE4.2smdk2410的oemaddresstable在WINCE5.0中的位置
- Understanding the linux kernel-ch4-Initializing the Interrupt Descriptor Table
- Resolving www.linuxde.net... failed: Name or service not known. wget: unable to resolve host address
- OEMAddressTable介绍
- centos: ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
- OEMAddressTable 内存映射表是怎么被wince使用的(作者:wogoyixikexie@gliet)